Botnets: Uses, Prevention, and Examples

Upload: ishi

Post on 23-Feb-2016


DESCRIPTION

Transcript of a PowerPoint (PPT) presentation on botnets: what they are, how they are used (numbers, power, information), how to prevent them, and three example bot families (Agobot, SDBot, Global Threat Bot).

TRANSCRIPT

Page 1: Botnets

Botnets: Uses, Prevention, and Examples

Page 2: Botnets

Background

• Robot Network

• Programs communicating over a network to complete a task

• Has taken on a new meaning in the security world

• Network of compromised machines that can be remotely controlled

Page 3: Botnets

Theoretical Structure

• Malware with control: infected machines plus a command-and-control channel back to the operator

Page 4: Botnets

Not Zombies, Servants

Page 5: Botnets

Spatial Distribution

• Map produced by an unethical Internet Census (the 2012 census run from the Carna botnet) that infected over 420,000 machines

Page 6: Botnets

Uses - for Fun and Profit of Course!

• Numbers

• Power

• Information

Page 7: Botnets

Numbers

• Typically rented

• DDoS (10K – 120K bots, 10–100 Gbps, for about $200 per day)

• Spamming (bots act as SOCKS proxies)

• Web traffic control (each bot is a unique IP)
  o Page/ad views
  o Likes
  o Poll manipulation

Page 8: Botnets

Power

• Cheap supercomputers (sold, rented, or kept for the operator's own use)

• Bitcoin/Dogecoin mining
  o BadLepricon, distributed through Google Play
  o GPU 'idle' at 180 °F
  o Storm botnet (estimates ranged from 1 million to 50 million machines), the largest at the time

Page 9: Botnets

Information

• May as well: the bots are already there

• Traffic sniffing, keyloggers and other information theft

• Self-propagation
  o Spreading over the network
  o Detecting the presence of other botnets
  o "The enemy of my enemy is my competitor" (Happy Hacker, Zeu$ botnet master)

Page 10: Botnets

For the Greater Good

• What makes them bad can be used for good
  o Hard to remove or disable
  o Good at hiding / quiet monitoring
  o Botnets with good intentions fighting botnets

• Phalanx, DDoS protection
  o Nodes of a botnet used as protective mailboxes in front of the server
  o Mailboxes pass on information only when the server requests it
  o Clients must solve a computational puzzle to gain access
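The computational puzzle on this slide works like a proof of work: the server hands out a fresh nonce and a difficulty, the client must find a value whose hash with that nonce has enough leading zero bits, and the server checks the answer with a single hash. The block below is an added illustration written for this transcript, not Phalanx's own code; the hashcash-style construction (SHA-256 over nonce and an 8-byte solution), counting difficulty in leading zero bits, and the 30-second challenge lifetime are assumptions of the example.

```python
"""Client puzzle (hashcash-style proof of work) for rate-limiting unauthenticated clients.

Added example for this transcript, not Phalanx's own code. Assumptions: SHA-256
over nonce || 8-byte solution, difficulty counted in leading zero bits, and a
30-second challenge lifetime.
"""
import hashlib
import os
import time
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Challenge:
    nonce: bytes       # fresh per request, so solutions cannot be precomputed or replayed
    difficulty: int    # required number of leading zero bits in the hash
    issued_at: float   # issue time, so stale challenges are rejected


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a byte string."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def puzzle_hash(nonce: bytes, solution: int) -> bytes:
    """The function both sides hash: SHA-256(nonce || solution as 8 big-endian bytes)."""
    return hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()


def make_challenge(difficulty: int, nonce: Optional[bytes] = None,
                   now: Optional[float] = None) -> Challenge:
    """Server side: issue a challenge. nonce/now can be fixed to make runs deterministic."""
    return Challenge(nonce=os.urandom(16) if nonce is None else nonce,
                     difficulty=difficulty,
                     issued_at=time.time() if now is None else now)


def solve(challenge: Challenge) -> Tuple[int, int]:
    """Client side: brute force from 0 upward. Returns (solution, hashes_computed).

    Expected cost is about 2**difficulty hashes, so the server picks the
    difficulty to be a nuisance to a flood of attackers but negligible to a person.
    """
    solution = 0
    while leading_zero_bits(puzzle_hash(challenge.nonce, solution)) < challenge.difficulty:
        solution += 1
    return solution, solution + 1


def verify(challenge: Challenge, solution: int,
           max_age: float = 30.0, now: Optional[float] = None) -> bool:
    """Server side: one hash plus an expiry check, whatever the difficulty."""
    now = time.time() if now is None else now
    if now - challenge.issued_at > max_age:
        return False                       # stale challenge: could be a replayed solution
    if not 0 <= solution < 2 ** 64:
        return False                       # would not fit the 8-byte encoding
    return leading_zero_bits(puzzle_hash(challenge.nonce, solution)) >= challenge.difficulty


if __name__ == "__main__":
    ch = make_challenge(difficulty=16)
    sol, work = solve(ch)
    print(f"solution={sol} after {work} hashes, accepted={verify(ch, sol)}")
```

The asymmetry is the point: raising the difficulty by one bit doubles the client's expected work while the server's cost stays at one hash, and because the nonce is fresh and short-lived, an attacker cannot amortise the work across requests or replay an old answer.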

Page 11: Botnets

Prevention

• Defensive (users, owners)

• Offensive (security agencies, research)

Page 12: Botnets

Defensive

• Treat bots just like any other malware

• Intrusion Detection System (IDS)

• The main targets of botnets are the machines that don't follow these basics:
  o Keeping software updated
  o Quality firewall and anti-virus
  o Other general security measures
  o Removal, possibly a clean install

Page 13: Botnets

Offensive

• Agencies know people think of security last

• Research for IDS
  o Development of "good" botnets
  o Gun-buying programs, better unused
  o Tracking down botnet masters
  o Examining bought/captured botnets
  o Honeypots

Page 14: Botnets

Examples
  o Agobot
  o SDBot
  o Global Threat Bot (Fig. 1)

• Originally bots, now popular templates

Page 15: Botnets

Agobot - the multi-tool

• Over 500 known versions
• Easy to use, little programming knowledge required
• Simple to add commands / vulnerability scanners
• Offers rootkit capabilities (process hiding)
• If you want it, there is a version that has it

• Advanced form of traffic sniffing
  o Packet sniffers / keyloggers
  o Self-propagation
  o DDoS commands
  o Stripped-down libpcap DLL registered as a system driver
  o Uses the libpcre DLL (regular expressions) to match bot commands in sniffed traffic

Page 16: Botnets

SDBot – the cheaper multi-tool

• Written in very poor C, but still widely used
• Less sophisticated, smaller instruction set
• Similar to Agobot in features

• Copies itself to all mapped drives and shared network resources

• Can update itself
• Crude form of traffic sniffing
  o Process hiding
  o Self-replication
  o Based on Windows raw-socket listening, so it sees only its own host's traffic

Page 17: Botnets

Global Threat Bot - DDoS tool

• Distributed as a Trojan over Internet Relay Chat (IRC) networks

• Runs hidden, under the name of the mIRC client

• Uses a number of mIRC bot scripts

• Once installed, joins an IRC channel and waits for commands

• Used to launch DDoS attacks, with the attack commands issued over IRC
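The behaviour described for GTBot (join a channel, sit idle, wait for a command) is also what the IDS on the Defensive slide has to spot. The detector below is an added example written for this transcript, not code from the slides or from any real IDS. It scores internal hosts from constructed IRC session log lines using four heuristics: a generated-looking nick, several internal hosts joining the same keyed channel on the same server, an inbound message that looks like a bot command, and a long idle gap before that command. The log format, the `[country|OS]-number` nick pattern and the dot-prefixed command vocabulary are assumptions of the example.

```python
"""Score hosts for IRC command-and-control behaviour from session log lines.

Added example for this transcript, not code from the slides or any real IDS.
The log format is invented for the example:
    <epoch_seconds> <src_ip> <server_ip>:<port> <in|out> <IRC line>
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: 10.0.0.5 and 10.0.0.7 use generated-looking nicks, join the
# same keyed channel, sit idle for an hour, then receive a dot-command. 10.0.0.9 is
# a person chatting normally on another server.
SAMPLE_LOG = """\
1000 10.0.0.5 203.0.113.10:6667 out NICK [US|XP]-83741
1001 10.0.0.5 203.0.113.10:6667 out USER a b c :d
1002 10.0.0.5 203.0.113.10:6667 out JOIN #cmd_chan secretkey
1003 10.0.0.7 203.0.113.10:6667 out NICK [DE|XP]-11928
1004 10.0.0.7 203.0.113.10:6667 out JOIN #cmd_chan secretkey
1005 10.0.0.9 198.51.100.4:6667 out NICK alice
1006 10.0.0.9 198.51.100.4:6667 out JOIN #python
1007 10.0.0.9 198.51.100.4:6667 out PRIVMSG #python :anyone seen this traceback?
4700 10.0.0.5 203.0.113.10:6667 in PRIVMSG #cmd_chan :.ddos.syn 192.0.2.44 80 600
4700 10.0.0.7 203.0.113.10:6667 in PRIVMSG #cmd_chan :.ddos.syn 192.0.2.44 80 600
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+):(\d+) (in|out) (.*)$")
# Assumed bot nick convention for the example: [country|OS]-number, e.g. [US|XP]-83741
BOT_NICK_RE = re.compile(r"^\[[A-Z]{2,3}\|[A-Za-z0-9]+\]-\d+$")
# Assumed command vocabulary: a . or ! prefix followed by a known bot verb
BOT_CMD_RE = re.compile(r"^[.!](ddos|syn|udp|scan|download|update|keylog|login)\b", re.I)


@dataclass
class Event:
    ts: int
    src: str        # internal host
    server: str     # ip:port of the IRC server
    direction: str  # "out" = host -> server, "in" = server -> host
    cmd: str        # IRC command word (NICK, JOIN, PRIVMSG, ...)
    args: str       # rest of the line


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, direction, payload = m.groups()
    cmd, _, args = payload.partition(" ")
    return Event(int(ts), src, f"{dst}:{port}", direction, cmd.upper(), args)


def score_hosts(log_text: str, idle_threshold: int = 3600) -> Dict[str, Tuple[int, List[str]]]:
    """Return {host: (score, reasons)}; each heuristic that fires adds one point."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    reasons: Dict[str, List[str]] = {e.src: [] for e in events}
    members: Dict[Tuple[str, str], set] = defaultdict(set)  # (server, channel) -> hosts
    last_out: Dict[str, int] = {}                            # host -> ts of last outbound line

    for e in events:
        if e.cmd == "NICK" and BOT_NICK_RE.match(e.args):
            reasons[e.src].append(f"generated-looking nick {e.args}")
        elif e.cmd == "JOIN" and e.args:
            members[(e.server, e.args.split()[0])].add(e.src)
        elif e.cmd == "PRIVMSG" and e.direction == "in":
            _target, _, text = e.args.partition(" :")
            if BOT_CMD_RE.match(text):
                reasons[e.src].append(f"received bot command {text.split()[0]}")
                idle = e.ts - last_out.get(e.src, e.ts)
                if idle >= idle_threshold:
                    reasons[e.src].append(f"idle {idle}s before the command")
        if e.direction == "out":
            last_out[e.src] = e.ts

    # Several internal hosts converging on one channel of one server is the
    # shape of a C2 rendezvous rather than of people chatting.
    for (server, chan), hosts in members.items():
        if len(hosts) >= 2:
            for h in hosts:
                reasons[h].append(f"{len(hosts)} internal hosts joined {chan} on {server}")

    return {h: (len(r), r) for h, r in reasons.items()}


def suspicious_hosts(log_text: str, min_score: int = 3) -> List[str]:
    """Hosts whose score reaches the threshold, sorted for stable output."""
    return sorted(h for h, (score, _) in score_hosts(log_text).items() if score >= min_score)


if __name__ == "__main__":
    for host, (score, why) in score_hosts(SAMPLE_LOG).items():
        print(host, score, "; ".join(why))
    print("suspicious:", suspicious_hosts(SAMPLE_LOG))
```

No single heuristic is conclusive (people do pick odd nicks, and colleagues do join the same channel), which is why the detector scores rather than alerts on one signal; in practice the nick and command patterns would be tuned to the bot families seen in the environment, and the idle threshold to how long a real user stays silent.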

Page 18: Botnets

Review

• Botnets are malware with control (NO ZOMBIES)

• Numbers, Power, Information and maybe good uses

• Offensive and Defensive prevention

• 3 common examples

Page 19: Botnets

Links

• http://www.wired.co.uk/news/archive/2013-05/16/internet-census
• https://www.youtube.com/watch?v=2GdqoQJa6r4 - How to Steal a Botnet
• https://www.youtube.com/watch?v=A5-ewv3zvrM - How to Make a Botnet
• https://blog.damballa.com/archives/330 - DDoS pricing
• The good stuff is just a search away, but be wary

Page 20: Botnets

Q&A