Presented by:
Muhammad Aniq Eastrarulkhair Bin Mohmad Hairin
• What is a Botnet
• History of Botnets
• Botnet Usage
• How do they do it
• How a Botnet is controlled
• Why Botnets are a Threat
• Botnet Detection
• Q&A
• The term 'bot' (from 'robot') refers to a program that:
  - performs repetitive tasks, OR
  - acts as an 'agent' or user interface for controlling other programs
• Bots can be very beneficial programs when they are designed to assist a human user, either by automating a simple task or by simplifying a user's control over various programs or systems. Examples: the Google bot and game bots.
• Unfortunately, bots can also be created to perform malicious tasks that compromise the system or any information stored on the machine.
• The 'bot' in botnets definitely refers to the second type, as these bots are used by an attacker to 'hijack' and control a computer system.
• When more than one computer has the same bot installed on it, the multiple infected machines form a network which is under the direct control of the attacker. This network is a botnet: a network of 'enslaved' computer systems infected with malicious bot programs. A single machine in a botnet can be referred to as a 'bot', a 'zombie' or a 'zombie computer'.
• The origins of botnets go back to August 1988, when IRC was invented at the University of Oulu, Finland.
• 1989 - First bot, "GM"
  - assisted users in managing their own IRC connections
• May 1999 - Pretty Park
  - reported in June 1999 in Central Europe
  - Internet worm; a password-stealing trojan
• 1999 - SubSeven
  - remote-controlled trojan
• 2000 - GTbot (Global Threat)
  - new capabilities: port scanning, flooding and cloning
  - supports UDP and TCP socket connections
  - supports an IRC server to run malicious scripts
• 2002 - SDbot
  - written by a Russian programmer by the name 'SD'
  - 40 KB of C++ code
  - first to publish the code for hackers via a website
  - provided e-mail and chat for support
• 2002 - Agobot
  - modular updates
  - spread through Kazaa, Grokster, etc.
• 2003 - Spybot or Milkit
  - derived from SDbot
  - comes with spyware capabilities
  - spread via file-sharing applications and e-mail
• 2003 - Rbot
  - backdoor trojan on IRC
  - compromised vulnerable Microsoft shares on ports 139 and 445
  - based on the MSRT report of June 2006 by Microsoft, 1.9 million PCs were affected worldwide
• 2004 - PolyBot
  - polymorphism capabilities
  - based on Agobot
• 2005 - MyBot
  - new version of SpyBot
  - hybrid coding
  - spread via file-sharing applications and e-mail
• 2006 - P2P-based bots
  - 1st generation: "SpamThru", "Nugache"; based on "Gnutella" file sharing
  - 2nd generation: "Peacomm"; pure distributed P2P
• 2007 - "Storm Botnet"
  - truly pure P2P
  - no single point of failure
  - provides high resilience, scalability and difficulty in tracking
• 2010 - Stuxnet
  - spreads via Microsoft Windows and targets Siemens industrial software and equipment
  - malware that spies on and subverts industrial systems
  - targeted five Iranian organizations: uranium enrichment infrastructure in Iran
• September 2011 - Duqu
  - Duqu is a computer worm discovered on 1st September 2011
  - Operation Duqu is the process of only using Duqu for unknown goals
• DDoS
• Spam
• Sniffing traffic
• Keylogging
• Installing advertisement add-ons and Browser Helper Objects (BHOs)
• Manipulating online polls/games
• Mass ID theft
• The attacker giving directions to the botnet is usually referred to as the botherder or controller. Botnets used to be run by individuals, but in recent years botnets have become more 'commercialized', and it is thought that many botnets nowadays are in the hands of criminal syndicates.
• To control the botnet, the botherder uses an application known as a client program to issue commands to the bot programs installed on zombies. This is very similar to how a backdoor is controlled and allows the botherder to operate very efficiently, as they can easily give instructions to a single zombie, to multiple zombies, or even to the entire botnet, all via a single client program.
• Using the client, the botherder can direct a single zombie to perform a certain action. For example, it can be ordered to send all the e-mail addresses stored on its hard drive to a remote website, where they can be added to a spammer's mailing list. Alternatively, all the zombies in the botnet can be commanded to perform the same routine, such as sending requests to a specific website (basically, a Denial of Service or DoS attack).

• The relationship between the zombies and the client controlling them is known as a command-and-control (C&C) infrastructure. The zombie, website or server that hosts the client is known as the C&C server. The following image (not reproduced here) is a simplified view of this infrastructure:
• Of course, in real life, a botnet's organization can be far more complicated. Some botnets will use multiple C&C servers, using the redundancy as a type of protection; others will have only one C&C server, but will continually change the machine the client application is saved on, also for better security.
• Botherders put in all these security measures for one simple reason: the C&C server is the nerve center of the entire botnet, and also its Achilles heel.
• These malicious bots can arrive on a victim machine in many ways. The most common method involves dropping the bot in the payload of a Trojan or similar malware. Other methods include infecting the computer via a drive-by download, or distributing the bot via spam e-mail messages with infected attachments.
• Once installed, the bot can take control of the system. A remote attacker can then give commands to the infected computer via the bot and force it to perform malicious actions. In this context, a bot is very similar to a backdoor program, which is also forcibly planted on a computer and used by a remote attacker to direct the infected machine.
Botnets are considered a menace for three simple reasons:

  • To build them, attackers have to 'steal' a computer from its legitimate user
  • Botnet operations can directly impact large numbers of real-world organizations and individuals
  • Botnets appear to be increasing in size and capability

Widespread Repercussions
Once created, a botnet can be used to commit more malicious acts, such as stealing data, sending out spam and launching attacks. Even then, a botnet might be considered only a nuisance if its impact were limited to a few dozen, or even hundreds, of infected machines. Unfortunately, botnets can perform actions that directly affect hundreds of thousands, or even millions, of people.

With Greater Size Comes Greater Power
Generally, a botnet's potential threat increases with its size, as the increased resources give the controllers more power or capacity for their activities. For example, a DoS attack from a massive botnet is even harder to defend against than a similar attack from a smaller one, simply because a bigger botnet can generate more attack traffic.

An attacker who controls a botnet can take a wide range of actions, both TO individual machines in the botnet and WITH the entire resources of the botnet.

Data Harvesting
Most people store highly sensitive personal information on their computers: personal identification, work-related materials, e-mail addresses of all contacts and so on. If all these details are stored on a computer in a botnet, then the botherder is almost guaranteed access to them. Such information can be sold, often to criminals intent on perpetrating or facilitating fraud.
Botnets also actively harvest information related to banking accounts. For example, during research into the activities of the Torpig botnet in 2007, researchers observed the theft of credentials for thousands of accounts belonging to hundreds of financial institutions, all in a period of 10 days.

Stolen Resources
Rather than purchase all the hardware and bandwidth necessary for their operations, botnet controllers can siphon the physical resources they need (processing power, storage space, bandwidth, etc.) from their zombies. These resources can be put to various uses, such as:

Cyber attacks
A botnet can be used to launch a Denial of Service (DoS) or Distributed Denial of Service (DDoS) attack against a target. The target can be any resource linked to the Internet, be it a major corporate website or a military database.

Spam Generators
Probably the most common way a botnet is used is to send out massive quantities of spam e-mails. Botnets known to perform this activity include Srizbi and Storm. To give an idea of the size of this activity, in 2008 about 153 billion spam messages were sent out every day, an estimated 60 percent of which were botnet-generated.

Malware Distributors
Another "product" distributed by botnets is malware: trojans, viruses, worms and other things of that ilk. These offerings may be attached to spam e-mails, sent out via vulnerability exploits, or delivered by other methods.

Storage Space
Zombies in a botnet may also be used as an illicit warehouse to store all the malicious or objectionable "merchandise" the botnet operators handle. The stored data may be anything from harvested personal details to pornographic images.

Rental
Last but not least, botnet 'owners' can rent use of the botnet to other users, almost always for malicious purposes. This is an increasingly lucrative activity for the botnet herders. According to Yuval Ben-Itzhak, Chief Technology Officer of computer security company Finjan, botnet controllers can "make as much as $190,000 in one day" renting out "their" computers.
• Host Based
• Intrusion Detection Systems (IDS)
• Anomaly Detection
• IRC Nicknames
• HoneyPot and HoneyNet

Virus scanning
Watching for symptoms
  - modification of the Windows hosts file
  - random unexplained pop-ups
  - machine slowness
  - antivirus not working
Watching for suspicious network traffic
  - Since IRC is not commonly used, any IRC traffic is suspicious. Sniff this IRC traffic.
  - Check if the host is trying to communicate with any Command and Control (C&C) center
    - through firewall logs: denied connections
• Example systems: Snort and Bro
• Sniff network packets, looking for specific patterns (called signatures)
• If any pattern matches that of a malicious binary, then block that traffic and raise an alert
• These systems can efficiently detect viruses/worms having known signatures
• They can't detect any malware whose signature is unknown (i.e., a zero-day attack)
Normal traffic has some patterns:
  - bandwidth/port usage
  - byte-level characteristics (histograms)
  - protocol analysis: gather statistics about
    - TCP/UDP source and destination address
    - start/end of flow, byte count
    - DNS lookups
First learn the normal traffic pattern
Then detect any anomaly in that pattern
Example systems: SNMP, NetFlow
Problems:
  - poisoning
  - stealth
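The learn-then-deviate approach above, as an added example that is not part of the original slides: a baseline is learned from constructed NetFlow-style records of a clean window (which protocol/port pairs were seen, and how much outbound volume each host produced), and a detector then flags hosts that use a service absent from the baseline or whose outbound volume lies more than a z-score threshold above the mean. The same code also shows the two listed problems: a baseline learned while the bot was already active (poisoning) absorbs its traffic so nothing is flagged, and a low-volume bot on an ordinary port (stealth) is never seen. The record layout, hosts, ports and thresholds are this example's own assumptions, not those of any NetFlow or SNMP tool.

```python
"""Baseline-then-deviate anomaly detection over constructed flow records.

Added example, not from the original slides. All records are constructed
by hand; field layout and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "clean" learning window: workstations doing HTTP(S) and DNS.
# Record layout (assumed): (src_host, proto, dst_port, bytes_out)
TRAINING_FLOWS = [
    ("10.0.0.11", "tcp", 443, 5200), ("10.0.0.11", "tcp", 80, 3100),
    ("10.0.0.11", "udp", 53, 120),   ("10.0.0.12", "tcp", 443, 6100),
    ("10.0.0.12", "udp", 53, 140),   ("10.0.0.13", "tcp", 443, 4800),
    ("10.0.0.13", "tcp", 80, 2900),  ("10.0.0.13", "udp", 53, 130),
    ("10.0.0.14", "tcp", 443, 5600), ("10.0.0.14", "udp", 53, 110),
]

# Constructed observation window: same hosts, but 10.0.0.13 now holds an
# IRC connection (tcp/6667) and pushes a large volume of SMTP (tcp/25).
OBSERVED_FLOWS = [
    ("10.0.0.11", "tcp", 443, 5000), ("10.0.0.11", "udp", 53, 125),
    ("10.0.0.12", "tcp", 443, 6000), ("10.0.0.12", "udp", 53, 135),
    ("10.0.0.13", "tcp", 6667, 900), ("10.0.0.13", "tcp", 25, 48000),
    ("10.0.0.14", "tcp", 443, 5500), ("10.0.0.14", "udp", 53, 115),
]


def build_baseline(flows):
    """Learn 'normal': the (proto, port) pairs seen, plus mean and standard
    deviation of per-host outbound bytes."""
    ports = {(proto, port) for _, proto, port, _ in flows}
    per_host = defaultdict(int)
    for src, _, _, nbytes in flows:
        per_host[src] += nbytes
    totals = list(per_host.values())
    return {"ports": ports, "mean": mean(totals), "std": pstdev(totals)}


def detect_anomalies(flows, baseline, z_threshold=3.0):
    """Return (host, reason) pairs for traffic that departs from the baseline:
    a protocol/port pair never seen in training, or a per-host outbound
    volume more than z_threshold standard deviations above the mean."""
    alerts = []
    per_host = defaultdict(int)
    for src, proto, port, nbytes in flows:
        per_host[src] += nbytes
        if (proto, port) not in baseline["ports"]:
            alerts.append((src, f"unseen service {proto}/{port}"))
    std = baseline["std"] or 1.0  # guard against a perfectly flat baseline
    for src, total in per_host.items():
        z = (total - baseline["mean"]) / std
        if z > z_threshold:
            alerts.append((src, f"outbound volume z={z:.1f}"))
    return alerts


def poisoned_baseline():
    """The slide's 'poisoning' problem: if the bot was already active during
    the learning window, its ports and volume become part of 'normal'."""
    return build_baseline(TRAINING_FLOWS + OBSERVED_FLOWS)


# Constructed 'stealth' case: a bot that only uses tcp/443 at low volume
# is indistinguishable from ordinary browsing under this model.
STEALTHY_FLOWS = [("10.0.0.12", "tcp", 443, 600)]


if __name__ == "__main__":
    clean = build_baseline(TRAINING_FLOWS)
    for host, reason in detect_anomalies(OBSERVED_FLOWS, clean):
        print(f"ALERT {host}: {reason}")
    print("poisoned baseline alerts:", detect_anomalies(OBSERVED_FLOWS, poisoned_baseline()))
    print("stealthy bot alerts:", detect_anomalies(STEALTHY_FLOWS, clean))
```

Run against the clean baseline, only 10.0.0.13 is reported (twice for unseen services, once for volume); run against the poisoned baseline, the identical traffic produces no alert, and the stealthy flow produces none under either baseline. In practice the learning window therefore has to be vetted before it is trusted, and volume/port anomalies are best combined with the signature and symptom checks on the other slides.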
Bots use weird nicknames
But they have a certain pattern (really!)
If we can learn that pattern, we can detect bots & botnets
Example nicknames:
  - USA|016887436 or DE|028509327
    Country | Random number (9 digits)
  - RBOT|XP|48124
    Bot type | Machine type | Random number
Problem: may be defeated by changing the nickname randomly
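The nickname-pattern idea above as working detection logic, added here and not part of the original slides: each of the two conventions the slide lists is encoded as a regular expression, nicknames are pulled out of constructed IRC protocol lines (NICK commands and the prefix of a JOIN), and every nick that matches a convention is reported. The list of Windows version tokens in the second pattern, the sample lines and the channel name are assumptions made for the example. The last sample line is a randomised nick, which is the slide's stated weakness: it passes unflagged.

```python
"""Regex detection of bot-style IRC nicknames (added example, not from the slides)."""
import re

# One pattern per nickname convention listed on the slide.
# The OS tokens in the second pattern are an assumption for illustration.
NICK_PATTERNS = {
    "country|9digits": re.compile(r"^[A-Z]{2,3}\|\d{9}$"),
    "bot|os|number":   re.compile(r"^[A-Za-z]+\|(?:XP|2K|NT|98|ME|2003)\|\d+$"),
}

# Constructed IRC lines as a sniffer would see them; the channel name is invented.
IRC_LINES = [
    "NICK USA|016887436",
    "NICK DE|028509327",
    "NICK RBOT|XP|48124",
    ":alice!~alice@host.example NICK :alice_away",
    ":USA|016887436!u@10.0.0.13 JOIN :#example-chan",
    "NICK q7x2k",  # randomised nick: the evasion the slide warns about
]

NICK_CMD_RE = re.compile(r"^NICK :?(\S+)$")   # "NICK newnick" / "NICK :newnick"
PREFIX_RE = re.compile(r"^:([^!\s]+)!")        # ":nick!user@host COMMAND ..."


def classify_nick(nick):
    """Return the label of the convention the nick matches, or None when it
    looks like an ordinary human-chosen name."""
    for label, pattern in NICK_PATTERNS.items():
        if pattern.match(nick):
            return label
    return None


def nick_from_line(line):
    """Extract the nickname from a NICK command or from a message prefix."""
    m = NICK_CMD_RE.match(line)
    if m:
        return m.group(1)
    m = PREFIX_RE.match(line)
    if m:
        return m.group(1)
    return None


def scan_irc_lines(lines):
    """Return {nick: label} for every nick in the lines that matches a bot convention."""
    flagged = {}
    for line in lines:
        nick = nick_from_line(line)
        if nick is None:
            continue
        label = classify_nick(nick)
        if label:
            flagged[nick] = label
    return flagged


if __name__ == "__main__":
    for nick, label in scan_irc_lines(IRC_LINES).items():
        print(f"{nick:20} matches {label}")
```

The three patterned nicks are reported; "alice_away" and the randomised "q7x2k" are not, which is exactly the limitation the slide names: the patterns only catch bot families whose naming convention has already been learned, so this check should be paired with the broader "any IRC traffic is suspicious" rule on the host-based slide.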
A HoneyPot is a vulnerable machine, ready to be attacked
Example: unpatched Windows 2000 or Windows XP
Once attacked, the malware is caught inside
The malware is analyzed and its activity is monitored
When it connects to the C&C server, the server's identity is revealed
Thus much information about the bot is obtained:
  - C&C server address, master commands
  - channel, nickname, password
Now do the following:
  - make a fake bot
  - join the same IRC channel with the same nickname/password
  - monitor who else is in the channel, thus observing the botnet
  - collect statistics: how many bots
  - collect sensitive information: who is being attacked, when, etc.
Finally, take down the botnet
HoneyNet: a network of honeypots (see the 'HoneyNet Project')
Very effective, has worked in many cases
They also pose a great security risk
  - if not maintained properly, a hacker may use them to attack others
  - must be monitored cautiously
Mcs2453 aniq mc101053-assignment1