[2010 CodeEngn Conference 04] Max - Fighting against Botnet

Fighting against Botnet
MaX ( [email protected] )
www.CodeEngn.com, 2010 4th CodeEngn ReverseEngineering Conference
Agenda
• Introduction to Botnet.
• Botnet History.
• Recent Botnet Trends.
• Botnet Life Cycle.
• Botnet Communication.
• Use of Botnets.
• Botnet Economics.
• Botnet Analysis.
• Botnet detection and response.
• Demonstration.
Introduction to Botnet

Bot ( Zombie, Robot ) :
- A program that performs its functions in an automated way.
Bot Client :
- An infected machine.
Botnet :
- Bots connected to a particular channel ( IRC, HTTP, P2P, WEB, I.M ).
- Controlled by a Botmaster or Botherder.
Botmaster or Botherder :
- Can control the group remotely.
C&C ( Command and Control ) :
- Communication channel for Command and Control.
Diagram: Botmaster / Botherder controlling the bots through C&C-1 and C&C-2.
Introduction to Botnet
Diagram: Botnet Join, Bot Update pushed by the Botmaster, 0-Day.
Botnet History
1988 Invention of IRC
1989 Greg Lindahl ( GMBot/Hunt the Wumpus - IRCBot )
1993 Eggdrop ( IRC Bot )
1999 Remote Control Trojan ( PrettyPark, SubSeven, NetBus )
2000 GTBot ( Based on the mIRC )
2002 SDBot, AgoBot, Gaobot ( Backdoor , Kill-AV, Hidden, Downloader, Payload )
2003 SpyBot, Rbot ( Keylogging, Spyware, Weak Password, Packing )
2004 PolyBot( Polymorphic )
2005 MyDoom ( mass email worm with BOT IRC and C&C ), Zeus
2007 StormWorm
2008 Waledac, Conficker
2009 Mariposa
Recent Botnet Trends
Botnet Life Cycle

Exploitation :
- Malicious Code, Unpatched Vulnerabilities, Backdoor, Worm, Remote Access Trojans, Password Guessing.
Rallying / Secure Botnet :
- Join Botnet, Kill Anti-Virus, Hidden, Downloader, Rootkit.
Listen / Payload :
- Botnet command, Payload, Update.
Command : Erase :
- Erase Evidence, Bot ( the Bot then returns to Exploitation of further Unpatched Vulnerabilities ).
Botnet Communication ( Infection Channel )
• E-Mail
• Instant Messenger
• Social Network
• Downloader ( Malicious Site )
• P2P
• File sharing
Botnet Communication ( Topology )
• Star
• Multi-Server
• Hierarchical
• Random
• Fast-flux
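The Fast-flux topology above hides the real C&C behind a DNS name whose A records rotate through many infected hosts with very short TTLs. As an added example (not code from the original slides), the Python below scores a name from a series of DNS answers using the linear flux-score of Holz et al. ("Measuring and Detecting Fast-Flux Service Networks", NDSS 2008): 1.32 * n_A + 18.54 * n_ASN with decision boundary 142.38, where n_A is the number of distinct A records and n_ASN the number of distinct ASNs seen over repeated lookups. The DNS answers and the prefix-to-ASN table are constructed for the example.

```python
"""Fast-flux heuristic run over constructed DNS answers.

Added example; not code from the original slides. The score is the linear
flux-score from Holz et al. (NDSS 2008): 1.32 * n_A + 18.54 * n_ASN, with
n_A = distinct A records and n_ASN = distinct ASNs across repeated lookups;
above 142.38 the name is classified as fast-flux. All DNS answers and the
prefix-to-ASN table below are constructed.
"""
from ipaddress import ip_address, ip_network

FLUX_THRESHOLD = 142.38  # decision boundary from Holz et al. (NDSS 2008)

# Constructed prefix -> ASN table; in production this is a real IP-to-ASN
# lookup (BGP table, Team Cymru whois, MaxMind ASN database, ...).
PREFIX_TO_ASN = {
    "203.0.113.0/24": 64500,   # hosting network of the ordinary site
    "198.51.100.0/24": 64501,  # the rest: consumer networks of flux agents
    "192.0.2.0/24": 64502,
    "100.64.0.0/16": 64503,
    "10.0.0.0/16": 64504,
    "172.16.0.0/16": 64505,
    "10.10.0.0/16": 64506,
}
NETWORKS = [(ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()]

# Constructed: five successive lookups of an ordinary site.
# Each entry is (ttl_seconds, [A records]).
STATIC_SITE = [(3600, ["203.0.113.10"])] * 5

# Constructed: five successive lookups of a flux domain. Every answer
# carries six A records in six different networks, the TTL is three
# minutes, and the addresses change on every lookup.
FLUX_PREFIXES = ["198.51.100.", "192.0.2.", "100.64.1.", "10.0.1.", "172.16.1.", "10.10.1."]
FLUX_DOMAIN = [(180, [p + str(10 + i) for p in FLUX_PREFIXES]) for i in range(5)]


def asn_for(ip):
    """Return the ASN of an address from the constructed table, or None."""
    addr = ip_address(ip)
    for net, asn in NETWORKS:
        if addr in net:
            return asn
    return None


def flux_features(lookups):
    """Distinct A records, distinct ASNs and smallest TTL over a lookup series."""
    ips, asns = set(), set()
    for _ttl, records in lookups:
        for ip in records:
            ips.add(ip)
            asn = asn_for(ip)
            if asn is not None:
                asns.add(asn)
    return {
        "n_a": len(ips),
        "n_asn": len(asns),
        "min_ttl": min(ttl for ttl, _ in lookups),
    }


def flux_score(lookups):
    """Linear flux-score. The ASN term dominates on purpose: CDNs also answer
    with many low-TTL addresses, but keep them inside one or two ASNs."""
    f = flux_features(lookups)
    return round(1.32 * f["n_a"] + 18.54 * f["n_asn"], 2)


def is_fast_flux(lookups, threshold=FLUX_THRESHOLD):
    return flux_score(lookups) > threshold


if __name__ == "__main__":
    for name, lookups in (("ordinary site", STATIC_SITE), ("flux domain", FLUX_DOMAIN)):
        print(name, flux_features(lookups), flux_score(lookups), is_fast_flux(lookups))
```

A low TTL on its own is not evidence: content delivery networks use short TTLs and many addresses too. What separates a flux network is that the addresses sit in many unrelated consumer ASNs, which is why the score needs several lookups spread over time and a real IP-to-ASN source rather than the constructed table used here.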
Botnet Communication ( Protocols )
• IRC
• HTTP
• P2P
• I.M
• …
Use of Botnet
• Phishing
• Spam
• DDoS
• Click Fraud
• Adware/Spyware Install
• Information theft
• Keystroke Logging
• Stealing information or files
Botnet Economics
Diagram of the botnet economy, with the prices shown on the slide:
- Malware Writer : $300~$3500 / Malware, $25~50 / Update
- Malware Distributor
- Botnet Owner, Resellers : $200 / Hour
- Spammers
- Payment Service : $10 / Million
- WebSite Developer or WebSite Hacker : $200~2000 / Site
- Identity collector : $1~$500 / …
- Victim User, Shop mall, Account & Credit card, Information
Botnet Analysis

Bot families by category:
- SpamBot : Mega-D, Rustock, Waledac, Srizbi, Cutwail, Kraken, Grum, Xarvester, Bagle, Maazben, Lethic
- Worm : Storm Worm, Conficker, Stration, Koobface
- Downloader : Bredolab
- Data Stealer : Zeus, Koobface
Botnet Analysis / Koobface
Botnet Analysis / Bredolab
1st Bredolab : MS07-017 ( GDI Local Elevation of Privilege Vulnerability ) / CVE-2006-5758
2nd Bredolab : MS08-025 ( Windows Kernel Usermode Callback Local Privilege Escalation Vulnerability ) / CVE-2008-1084
3rd Bredolab : Flaw that allows local users with the SeDebugPrivilege privilege to execute arbitrary code as kernel / CVE-2004-2339
Botnet Analysis / Zeus
Diagram: Zeus C&C and the NameServer.
Botnet detection and response
• Anti-Virus
• IDS
• IPS
• F/W
• C&C Down.
• …
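IDS / IPS is the point in the list above where the IRC traffic from the Protocols slide becomes visible. As an added example (not code from the original slides), the Python below runs three IDS-style checks over a constructed IRC log: bot-style nicks, command-like text pushed by the server as a PRIVMSG or as the channel TOPIC, and many clients rallying to the same channel. The log line format, the nick convention ([COUNTRY|OS]digits) and the dot-prefixed command vocabulary are assumptions modelled on SDBot/Agobot-style bots, not data from the slides.

```python
"""IRC C&C detection run over a constructed IDS-style log.

Added example; not code from the original slides. Each log line is
constructed and has the form "<time> <src_ip> -> <dst_ip> <raw IRC line>".
The bot-nick convention ([COUNTRY|OS]digits) and the command vocabulary are
assumptions modelled on SDBot/Agobot-style IRC bots; replace both with what
your own samples actually use.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<irc>.*)$")
# Assumed nick generator output, e.g. [USA|XP]40213
BOT_NICK_RE = re.compile(r"^\[[A-Z]{2,3}\|[A-Za-z0-9]{1,6}\]\d{4,}$")
# Assumed command vocabulary, sent via PRIVMSG or parked in the channel TOPIC
BOT_CMD_RE = re.compile(
    r"(?:^|[\s:])[.!](?:ddos|syn|udp|download|update|scan|advscan|login|keylog)\b"
)

# Constructed traffic: three infected hosts rallying to one channel and
# receiving commands, plus one ordinary IRC user as a control.
LOG = """\
10:00:01 10.1.1.5 -> 198.51.100.20 NICK [USA|XP]40213
10:00:01 10.1.1.5 -> 198.51.100.20 JOIN #b0t-ch4n k3y
10:00:02 10.1.1.9 -> 198.51.100.20 NICK [DEU|2K]77190
10:00:02 10.1.1.9 -> 198.51.100.20 JOIN #b0t-ch4n k3y
10:00:03 10.1.1.14 -> 198.51.100.20 NICK [KOR|XP]10532
10:00:03 10.1.1.14 -> 198.51.100.20 JOIN #b0t-ch4n k3y
10:00:05 198.51.100.20 -> 10.1.1.5 :master!m@c2 TOPIC #b0t-ch4n :.ddos.syn 203.0.113.7 80 600
10:00:06 198.51.100.20 -> 10.1.1.9 :master!m@c2 PRIVMSG #b0t-ch4n :.download http://198.51.100.21/u.exe 1
10:01:10 10.1.1.22 -> 192.0.2.44 NICK alice_
10:01:10 10.1.1.22 -> 192.0.2.44 JOIN #linux
10:01:15 10.1.1.22 -> 192.0.2.44 PRIVMSG #linux :anyone tried the .deb update?
"""


def parse_log(log):
    """Yield dicts with ts/src/dst/irc for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def split_irc(irc):
    """Split a raw IRC line into (COMMAND, [params], trailing_text)."""
    # Drop the ":prefix " a server puts in front of relayed messages.
    body = irc[1:].split(" ", 1)[1] if irc.startswith(":") and " " in irc else irc
    head, _, trailing = body.partition(" :")
    parts = head.split()
    if not parts:
        return "", [], trailing
    return parts[0].upper(), parts[1:], trailing


def analyze(log, fanin_threshold=3):
    """Return (kind, host, detail) alerts: bot-style nicks, command-like
    PRIVMSG/TOPIC text from a server, and channels many clients rally to."""
    alerts = []
    joins = defaultdict(set)  # (server, channel) -> client ips
    for e in parse_log(log):
        cmd, params, trailing = split_irc(e["irc"])
        if cmd == "NICK" and params and BOT_NICK_RE.match(params[0]):
            alerts.append(("bot-nick", e["src"], params[0]))
        elif cmd == "JOIN" and params:
            joins[(e["dst"], params[0])].add(e["src"])
        elif cmd in ("PRIVMSG", "TOPIC") and BOT_CMD_RE.search(trailing):
            # e["src"] is the server here: the candidate C&C address.
            alerts.append(("bot-command", e["src"], trailing))
    for (server, channel), clients in joins.items():
        if len(clients) >= fanin_threshold:
            alerts.append(("channel-fanin", server, f"{channel} joined by {len(clients)} clients"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG):
        print(*alert)
```

The checks are deliberately port-agnostic, since bots do not stay on 6667. Of the three signals, the channel fan-in and a TOPIC that reads like a command survive nick-generator changes far better than the nick regex, and the server address carried in the bot-command and channel-fanin alerts is exactly the input the "C&C Down." step in the list above needs.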
Botnet Analysis
Q&A?
Thank you!