2. Outline
What are Botnets?
Botnet Terminology
Botnet Life-cycle
Types of attacks
Botnets in Network Security
Botnet Detection
Preventing Botnet Infection
Conclusion
References
3. What are Botnets?
A Botnet is a network of compromised computers called
Zombie Computers or Bots, under the control of a remote
attacker.
Bots began as a useful tool. They were originally developed as
a virtual individual that could sit on an IRC channel & monitor
network traffic.
They are significant contributors to the malicious & criminal
activity on the Internet today and, more importantly, form an
underground network whose size & scope is not fully known.
5. Bot Herder
Bot herders (aka Bot Masters) are the hackers who use
automated techniques to scan specific network ranges and
find vulnerable systems on which they can install their
bot program.
To create an army of Zombies over the Internet, attackers
typically infect the machines of home users, networks
maintained by universities or small enterprises, etc.
7. Bots
Bots (also called Zombie Computers) are the
computers that make up the botnet.
They use a hidden channel to communicate
with their C&C server.
They can automatically scan their environment and
propagate themselves by taking advantage of
vulnerabilities & weak passwords.
8. Bots(contd.)
Generally the more vulnerabilities a bot can scan,
the more valuable it becomes to the botnet
controller community. The process of stealing
computing resources as a result of a system being
joined to a botnet is called Scrumping.
Gammima (gaming password stealer), Conficker
(fake antivirus) and Zeus (information stealer) are
among what are believed to be the largest botnets,
according to security firm Damballa.
9. IRC Server
Internet Relay Chat (IRC) is a form of real-time
Internet text messaging (chat).
The server listens for connections from IRC clients,
enabling people to talk to each other via the Internet.
Most IRC servers do not require users to register an
account but a user will have to set a nickname before
being connected.
Most IRC networks lack any strong authentication, and a
number of tools to provide anonymity on IRC networks
are available.
IRC provides a simple, low-latency, widely available, and
anonymous command and control channel for botnet
communication.
10. Command & Control Server
C&C infrastructure allows a bot agent to receive
new instructions or malicious capabilities, update
existing infections, or instruct the infected
computer to carry out specific tasks as dictated by
the remote controller.
Criminals actively controlling botnets must
ensure that their C&C infrastructure is sufficiently
robust to manage tens of thousands of globally
scattered bots as well as to resist attempts to hijack or
shut down the botnet.
16. Types of attacks
Distributed Denial of Service (DDoS) attacks
Sending spam
Phishing (fake websites)
Adware
Spyware (keylogging, information harvesting)
Click Fraud
17. Botnets In Network Security
Internet users are continually being infected by bots.
Corporate and end users are frequently caught up in botnet
attacks.
Today 16-25% of the computers connected to the Internet are
members of a botnet.
According to Damballa's technical report, 83.1% of global
spam in March 2011 was sent by botnets.
Computer security experts estimate that most spam is sent by
home computers that are controlled remotely, & millions of
these computers are part of botnets.
18. Contd.
2010 was a big year for Internet crime, with
botnets & targeted attacks making headlines on
an almost weekly basis. Botnets such as Mariposa,
Conficker and Koobface have become household
names.
The public disclosure of electronic attacks on
international organizations such as Google, Adobe
& many others, referred to as "Operation Aurora",
revealed that sophisticated & advanced malware
is now an everyday inclusion in criminal
toolkits.
19. Most Wanted Botnets
Zeus - compromised 3.6 million U.S. computers.
Koobface - compromised 2.9 million U.S. computers.
TidServ - compromised 1.5 million U.S. computers.
Trojan.Fakeavalert - compromised 1.4 million U.S. computers.
TR/Dldr.Agent.JKH - compromised 1.2 million U.S. computers.
20. Botnet Detection
The two approaches to botnet detection are:
Setting up honeynets
Passive traffic monitoring
  Signature based
  Anomaly based
  DNS based
21. Botnet Detection: Honeynets
[Figure: Honeynets / Windows Honeypot]
A honeypot is a trap set to detect, deflect, or in some manner
counteract attempts at unauthorized use of Information
Systems.
Generally it consists of a computer, data, or a network site that
appears to be part of a network, but is actually isolated and
monitored, and which seems to contain information or a
resource of value to attackers.
22. Contd.
Once an intruder breaks into the victim host, the
machine's administrator or the network administrator can
examine the intrusion methods used by the intruder.
Two or more honeypots on a network form a
Honeynet.
One practical application of this is the Spamtrap - a
honeypot that controls spam by masquerading as a type
of system abused by spammers.
23. Advantages
With the help of honeynets we are able to learn
key information (e.g. the IP address of the server or
the nickname of the bot) that enables us to
observe botnets. We can extract sensitive
information about bots in a semi-automated fashion with
the help of a classical Honeywall.
We are able to monitor the typical commands issued by
attackers and sometimes we can even capture their
communication. This helps us learn more about the
motives of attackers and their tactics.
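The extraction described on this slide, as an added example that is not part of the original deck or of the Honeynet Project's tools: a small parser for the IRC protocol lines a honeywall captures from an infected honeypot. From one bot session it pulls out the server the bot connects to, the nickname it registers, the channel and channel key it joins, and the text it receives as a channel topic (RPL_TOPIC, numeric 332) or as a channel message. The session below is constructed; the server address, nickname format, channel name and command strings are illustrative assumptions, not indicators from any real botnet.

```python
"""Extract botnet-tracking indicators from a captured IRC session (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: one bot's IRC session as a honeywall would log it.
# Each record is (direction, peer, raw IRC line); "out" = bot -> server.
# All addresses, names and command strings are made up for illustration.
SAMPLE_SESSION = [
    ("out", "203.0.113.5:6667", "NICK [00|USA|123456]"),
    ("out", "203.0.113.5:6667", "USER xyz 0 0 :xyz"),
    ("in",  "203.0.113.5:6667", ":irc.example.invalid 001 [00|USA|123456] :Welcome"),
    ("out", "203.0.113.5:6667", "JOIN #botnet secretkey"),
    ("in",  "203.0.113.5:6667",
     ":irc.example.invalid 332 [00|USA|123456] #botnet :.update http://198.51.100.7/u.bin"),
    ("in",  "203.0.113.5:6667", ":herder!h@10.0.0.1 PRIVMSG #botnet :.status"),
    ("in",  "203.0.113.5:6667", "PING :irc.example.invalid"),
    ("out", "203.0.113.5:6667", "PONG :irc.example.invalid"),
]

# RFC 1459 message shape: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


def parse_irc(line):
    """Split one IRC line into (prefix, COMMAND, [params...]); trailing ':' text is the last param."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None, None, []
    params = m.group("params") or ""
    if params.startswith(":"):
        middle, trailing = "", params[1:]
    elif " :" in params:
        middle, trailing = params.split(" :", 1)
    else:
        middle, trailing = params, None
    args = middle.split()
    if trailing is not None:
        args.append(trailing)
    return m.group("prefix"), m.group("cmd").upper(), args


@dataclass
class BotProfile:
    """What the honeywall learns about the bot from one session."""
    cnc_servers: set = field(default_factory=set)   # "ip:port" peers the bot talked to
    nicknames: list = field(default_factory=list)   # nicknames the bot registered
    channels: dict = field(default_factory=dict)    # channel -> key (None if no key)
    commands: list = field(default_factory=list)    # (source, channel, text) seen from the server


def extract_profile(session):
    """Walk the captured session and collect server, nickname, channel and received commands."""
    profile = BotProfile()
    for direction, peer, raw in session:
        prefix, cmd, args = parse_irc(raw)
        if cmd is None:
            continue
        profile.cnc_servers.add(peer)
        if direction == "out":
            if cmd == "NICK" and args:
                profile.nicknames.append(args[0])
            elif cmd == "JOIN" and args:
                chans = args[0].split(",")
                keys = args[1].split(",") if len(args) > 1 else []
                for i, chan in enumerate(chans):
                    profile.channels[chan] = keys[i] if i < len(keys) else None
        else:
            # The channel topic frequently carries the standing command for all bots.
            if cmd == "332" and len(args) >= 3:
                profile.commands.append(("topic", args[1], args[2]))
            elif cmd == "PRIVMSG" and len(args) >= 2 and args[0] in profile.channels:
                profile.commands.append(("privmsg", args[0], args[1]))
    return profile


if __name__ == "__main__":
    p = extract_profile(SAMPLE_SESSION)
    print("server(s):", sorted(p.cnc_servers))
    print("nickname(s):", p.nicknames)
    print("channel(s):", p.channels)
    for source, chan, text in p.commands:
        print(f"command via {source} in {chan}: {text}")
```

The nickname, server and channel/key triple is exactly the "key information" the slide mentions: with it an analyst can observe the channel from a monitored client instead of keeping the honeypot infected, and the topic and message log records the commands the herder issues over time.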
24. Botnet Detection: Traffic Monitoring
Traffic monitoring helps us understand what is on the network.
Signature based: detection of known botnets by their signatures.
Anomaly based: one study found that bots on IRC were
idle most of the time and would respond faster than a human
upon receiving a command.
Botnets can be detected using the following anomalies:
High network latency
High volume of traffic
Unusual system behaviour
Vulnerable systems
DNS based: analysis of the DNS traffic generated by botnets.
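The anomaly-based and DNS-based checks from this slide, as an added example that is not part of the original deck: it runs over a constructed passive-monitoring log and scores each host on two signals. The first is the IRC behaviour the slide cites (long idle periods, then replies to channel messages faster than a person could type). The second is a DNS heuristic I am adding as an assumption to illustrate "analysis of DNS traffic": a host that looks up many distinct names that do not exist (NXDOMAIN). The thresholds, the log format and all addresses are assumptions.

```python
"""Anomaly-based botnet detection over a passive traffic log (added example)."""
from collections import defaultdict
from statistics import median

# Constructed sample log: (timestamp_seconds, host, kind, detail).
#   "irc_in"  = message received by the host from the IRC server
#   "irc_out" = message sent by the host
#   "dns"     = DNS lookup, detail = "<name> <rcode>"
SAMPLE_LOG = [
    # 192.0.2.10: silent for hours, then answers every channel message within ~150 ms
    (0.0,      "192.0.2.10", "irc_in",  "PRIVMSG #chan :.status"),
    (0.12,     "192.0.2.10", "irc_out", "PRIVMSG #chan :[status] idle"),
    (7200.0,   "192.0.2.10", "irc_in",  "PRIVMSG #chan :.version"),
    (7200.15,  "192.0.2.10", "irc_out", "PRIVMSG #chan :[version] 1.2"),
    (14400.0,  "192.0.2.10", "irc_in",  "PRIVMSG #chan :.uptime"),
    (14400.11, "192.0.2.10", "irc_out", "PRIVMSG #chan :[uptime] 3d"),
    # 192.0.2.20: a person chatting; replies take seconds and traffic is continuous
    (10.0,  "192.0.2.20", "irc_in",  "PRIVMSG #chat :hi"),
    (14.5,  "192.0.2.20", "irc_out", "PRIVMSG #chat :hello"),
    (30.0,  "192.0.2.20", "irc_in",  "PRIVMSG #chat :how are you"),
    (41.0,  "192.0.2.20", "irc_out", "PRIVMSG #chat :fine"),
    (55.0,  "192.0.2.20", "irc_out", "PRIVMSG #chat :what about you"),
    (200.0, "192.0.2.20", "dns",     "www.example.org NOERROR"),
    # 192.0.2.30: no IRC at all, but a burst of lookups for names that do not exist
    (100.0, "192.0.2.30", "dns", "qwzkrm.example NXDOMAIN"),
    (100.2, "192.0.2.30", "dns", "plfoah.example NXDOMAIN"),
    (100.4, "192.0.2.30", "dns", "mxtrvb.example NXDOMAIN"),
    (100.6, "192.0.2.30", "dns", "zzqlpe.example NXDOMAIN"),
    (100.8, "192.0.2.30", "dns", "hhyrwa.example NXDOMAIN"),
    (101.0, "192.0.2.30", "dns", "www.example.org NOERROR"),
]


def response_delays(events):
    """Per host: seconds between each message it receives and its next outgoing message."""
    delays = defaultdict(list)
    pending = {}  # host -> timestamp of the last incoming message not yet answered
    for ts, host, kind, _ in sorted(events):
        if kind == "irc_in":
            pending[host] = ts
        elif kind == "irc_out" and host in pending:
            delays[host].append(ts - pending.pop(host))
    return delays


def irc_activity_ratio(events, window_s=60.0):
    """Per host: fraction of one-minute buckets in its observed span that carried IRC traffic."""
    buckets = defaultdict(set)
    for ts, host, kind, _ in events:
        if kind in ("irc_in", "irc_out"):
            buckets[host].add(int(ts // window_s))
    return {host: len(b) / (max(b) - min(b) + 1) for host, b in buckets.items()}


def dns_failure_counts(events):
    """Per host: number of distinct names that resolved to NXDOMAIN."""
    failed = defaultdict(set)
    for _, host, kind, detail in events:
        if kind == "dns":
            name, rcode = detail.split()
            if rcode == "NXDOMAIN":
                failed[host].add(name)
    return {host: len(names) for host, names in failed.items()}


def detect_bots(events, max_bot_delay_s=0.5, min_responses=3,
                max_active_ratio=0.1, max_nxdomain=5):
    """Return {host: [reasons]} for hosts whose traffic matches the anomalies above.

    Thresholds are illustrative assumptions; tune them against a baseline of known-good hosts.
    """
    findings = {}
    ratios = irc_activity_ratio(events)
    for host, d in response_delays(events).items():
        fast = len(d) >= min_responses and median(d) <= max_bot_delay_s
        idle = ratios.get(host, 1.0) <= max_active_ratio
        if fast and idle:
            findings.setdefault(host, []).append("irc-fast-response-idle")
    for host, n in dns_failure_counts(events).items():
        if n >= max_nxdomain:
            findings.setdefault(host, []).append("dns-nxdomain-burst")
    return findings


if __name__ == "__main__":
    for host, reasons in sorted(detect_bots(SAMPLE_LOG).items()):
        print(host, ", ".join(reasons))
```

Both signals are cheap to compute from flow or proxy logs without payload inspection, which is what makes them usable where signature matching fails on an unknown or encrypted bot. The human chatter on 192.0.2.20 passes because its replies take seconds and it is active in every bucket of its short session.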
26. Preventing Botnet Infections
Use a Firewall
Patch regularly and promptly
Use Antivirus (AV) software
Use Anti-Bots
Deploy an Intrusion Detection System (IDS)
Deploy an Intrusion Prevention System (IPS)
27. Conclusion
Botnets pose a significant and growing threat to cyber
security. Even when we use well-known techniques, botnets
continue to dominate the cyber threat landscape. As network
security has become an integral part of our lives, botnets have
become the most serious threat to it. Staying ahead of the threat
will require advanced knowledge of building new anti-bot
campaigns. It is very important to detect botnet attacks and find
solutions for them.
28. References
Adam J. Aviv, Andreas Haeberlen. Challenges in
Experimenting with Botnet Detection Systems. 2011.
March 2011 Intelligence Report. Symantec.cloud.
Paul Bacher, Thorsten Holz, Markus Kötter, Georg
Wicherski. Know Your Enemy: Tracking Botnets.
Technical Report, The Honeynet Project. Aug 2008.