
BOTNETS: A BIGGEST THREAT TO INTERNET. Presented By: Ramesh Kumar, 08EBKIT049

Upload: arron-lyons

Post on 13-Jan-2016


TRANSCRIPT

Page 1:

BOTNETS

Presented By:

Ramesh Kumar, 08EBKIT049

A BIGGEST THREAT TO INTERNET

Page 2:

A Quick Glance

• Introduction
• History
• How do they work?
• Protocols
• What are they used for?
• Types of BOTS
• Prevention
• Conclusion

Page 3:

INTRODUCTION

• Botnets are networks of computers taken hostage by malware that controls them and makes them act in nefarious ways.

• A "botnet" is a collection of computers that have been infected with remote-control software.

• Runs autonomously and automatically. The user is unaware.

Page 4:

History

• Originally used in IRC as a way to allow automated tasks to be done
  • Protect a channel, kick a user out of a channel etc.

• Eventually evolved into a way to automate malicious tasks

• Started with DoS/DDoS against servers
  • TFN, stacheldraht, trinoo (1999)

Page 5:

How do they work?

1. Worm/Trojan program that is usually transmitted through spam.

2. Bot connects to IRC C&C channel.

3. Botmaster sends commands through IRC C&C channel to bots.

4. Repeat. Soon the botmaster has an army of bots to control from a single point.

[Diagram: Botmaster, IRC Server, Victim]
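The IRC command-and-control flow on this slide (bot joins a channel, botmaster broadcasts commands into it) is also the pattern a defender looks for on the wire. The following Python script is an added example and is not part of the presentation: it walks a constructed capture of IRC messages in an assumed "<client ip> <direction> <raw IRC line>" format, flags internal hosts that joined a channel and then received a command-style message there, and groups the flagged hosts by channel to expose the single-point-of-control fan-out. The log lines, the channel and nick names, and the command watch-list are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample capture (not real traffic): one IRC message per line as
# "<client ip> <direction> <raw IRC line>", where ">" is client to server and
# "<" is server to client. The log format itself is an assumption of this example.
SAMPLE_LOG = """\
10.0.0.5 > NICK user_5a3f
10.0.0.5 > JOIN #updates
10.0.0.5 < :master!m@host PRIVMSG #updates :.scan.start 192.0.2.0/24
10.0.0.7 > NICK alice
10.0.0.7 > JOIN #linux
10.0.0.7 < :bob!b@host PRIVMSG #linux :anyone tried the new kernel?
10.0.0.9 > JOIN #updates
10.0.0.9 < :master!m@host PRIVMSG #updates :.download http://example.invalid/u.bin
10.0.0.11 < :master!m@host PRIVMSG #updates :.sniff.start
"""

JOIN_RE = re.compile(r"^JOIN\s+(#\S+)")
PRIVMSG_RE = re.compile(
    r"^:(?P<sender>[^!\s]+)\S*\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)

# Command words matching the bot capabilities the slides list (DoS, scanning,
# sniffing, key logging, spreading new malware). Constructed watch-list.
SUSPECT_COMMANDS = {"ddos", "scan", "sniff", "download", "update", "keylog"}
COMMAND_PREFIXES = (".", "!")


@dataclass(frozen=True)
class Finding:
    host: str        # internal host that received the command
    channel: str     # channel the command was broadcast to
    controller: str  # nick that issued it (the botmaster's handle)
    command: str     # normalised command word, e.g. "scan"


def parse_line(line):
    """Split '<ip> <dir> <raw irc line>' into its parts; None if malformed."""
    parts = line.split(" ", 2)
    if len(parts) != 3 or parts[1] not in (">", "<"):
        return None
    return parts[0], parts[1], parts[2]


def command_word(text):
    """Return the watch-listed command in '.cmd args' / '!cmd args' text, else None."""
    if not text or text[0] not in COMMAND_PREFIXES:
        return None
    tokens = text[1:].split()
    if not tokens:
        return None
    # Agobot-style commands are dotted (".scan.start"): keep the first segment only.
    word = tokens[0].split(".")[0].lower()
    return word if word in SUSPECT_COMMANDS else None


def analyze(log_text):
    """Flag hosts that JOINed a channel and then received a bot command in it."""
    joined = defaultdict(set)  # host -> channels it has joined during the capture
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, direction, raw = parsed
        if direction == ">":
            m = JOIN_RE.match(raw)
            if m:
                joined[host].add(m.group(1))
            continue
        m = PRIVMSG_RE.match(raw)
        if not m or m.group("target") not in joined[host]:
            continue  # ordinary private message, or a channel we never saw this host join
        word = command_word(m.group("text"))
        if word:
            findings.append(Finding(host, m.group("target"), m.group("sender"), word))
    return findings


def fan_out(findings):
    """Group flagged hosts by channel: many hosts steered from one channel is the single point of control."""
    by_channel = defaultdict(set)
    for f in findings:
        by_channel[f.channel].add(f.host)
    return {ch: sorted(hosts) for ch, hosts in by_channel.items()}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f.host} received '{f.command}' from {f.controller} in {f.channel}")
    print("hosts per C&C channel:", fan_out(found))
```

Two design choices are worth noting. The alice/bob exchange in #linux is not flagged because its message does not start with a command prefix, and 10.0.0.11 is deliberately not flagged either: the capture never saw it JOIN #updates, so a sensor that starts mid-session needs its join state seeded from earlier traffic (or the join requirement relaxed at the cost of more false positives). Two hosts driven from the same channel by the same nick is exactly the "army of bots controlled from a single point" the slide describes, which is why fan_out groups by channel rather than by host.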

Page 6:

PROTOCOLS

• IRC

• HTTP

• P2P

Page 7:

Some Important Points

Size of Botnets:
• 50,000 or more BOTS in a single botnet.
• 1000 new bots each day.

• IRC hides IPs.
• Different botnets can be connected through IRC.
• Botnets can be rented.
• Botnet controller is always unidentified.

Page 8:

Malicious activities

• Distributed Denial-of-Service (DDoS) attacks.
• Spamming
• Sniffing
• Keylogging
• Spreading new malware
• Mass identity theft (Phishing)

Page 9:

GOOD APPLICATIONS

• Online games/Polling

• Instant Messenger

• Search Engines

Page 10:

EXAMPLE

DDoS attack on an Asian e-commerce company in Nov. 2011.

According to security company Prolexic it was the largest DDoS attack of 2011.

Prolexic refused to name the company because of a trust agreement with it.

The 15,000 requests per second were generated by a botnet of 250,000 PCs in total, which together peaked at 45 Gbps of DDoS traffic.

Page 11:

TYPES OF BOTS

Agobot:
• Most sophisticated.
• 20,000 lines C/C++ code.
• IRC based command/control.
• Capable of many DoS attack types.
• Traffic sniffers/key logging.

SDBot:
• Simpler than Agobot, 2,000 lines C code.
• Non-malicious at base.
• Easily extended for malicious purposes:
  • Scanning
  • DoS attacks
  • Sniffers

Page 12:

TYPES OF BOTS

SpyBot:
• <3,000 lines C code.
• Possibly evolved from SDBot.
• Similar command/control engine.
• No attempts to hide malicious purposes.

GT Bot:
• Functions based on mIRC scripting capabilities.
• HideWindow program hides bot on local system.
• Port scanning, DoS attacks, exploits for RPC.

Page 13:

PREVENTION

• Using anti-virus and anti-spyware software and keeping it up to date.

• Setting your operating system software to download and install security patches automatically.

• Being cautious about opening any attachments or downloading files from emails you receive.

• Using a firewall to protect your computer from hacking attacks while it is connected to the Internet.

Cont…

Page 14:

PREVENTION

• Disconnecting from the Internet when you're away from your computer.

• Downloading free software only from sites you know and trust.

• Taking action immediately if your computer is infected.

Page 15:

CONCLUSION

• A botnet is a large army of networked computers.
• Used in many malicious activities.
• Works automatically and autonomously.
• Hence the biggest threat to the INTERNET.

Page 16:

THANK YOU