Introduction to Malware & Botnet
Assoc. Prof. Dr. Selvakumar Manickam
ARPANET, 1977
To a global, always-on network
What is Cybercrime?
Using the Internet to commit a crime
• Identity Theft
• Hacking
• Malware, Botnet, etc.
• Facilitation of traditional criminal activity using the Internet
• Stalking
• Stealing information
• Pornography, human trafficking, etc.
Appeal
▪ The Internet encourages anonymity and is distributed in nature
▪ Many countries have very few laws addressing cybercrime
▪ Love Bug Virus
▪ VB script that spread via email and corrupted many different file types
▪ FBI traced the virus to the Philippines
▪ The increasing growth of e-commerce and social media
The Early Years
1971
Creeper: An experiment designed to test how a program might move between computers.
1974
Wabbit: A self-replicating program that made multiple copies of itself on a computer until it bogged down the system to such an extent that system performance was reduced and the system eventually crashed.
1982
Elk Cloner: Written by a 15-year-old, Elk Cloner is one of the earliest widespread, self-replicating viruses to affect personal computers.
1986
Brain Boot Sector Virus: Generally regarded as the first virus to infect MS-DOS computers.
1986
PC-Write Trojan: Malware authors disguised one of the earliest Trojans as a popular shareware program called “PC-Writer.” Once on a system, it would erase all of a user’s files.
1988
Morris Worm: This worm infected a substantial percentage of computers connected to ARPANET.
1991
Michelangelo Virus: It was so named because the virus was designed to erase information from hard drives on March 6th, the birthday of the famed Renaissance artist.
1999
Melissa Virus: Generally acknowledged as the first mass-emailed virus, Melissa utilized Outlook address books from infected machines and mailed itself to 50 people at a time.
Toolkits and Astonishing Rates of Infection
2000
ILOVEYOU Worm: Spread by way of an email sent with the seemingly benign subject line “ILOVEYOU”. The worm spread globally and cost more than $5.5 billion in damages.
2001
Anna Kournikova Virus: Emails spread this nasty virus, which purported to contain pictures of the very attractive female tennis player but in fact hid malware.
2003
SQL Slammer Worm: One of the fastest spreading worms of all time, SQL Slammer infected nearly 75,000 computers in ten minutes.
2004
Cabir Virus: Although this virus caused little if any damage, it is noteworthy because it is widely acknowledged as the first mobile phone virus.
2005
Koobface Virus: One of the first instances of malware to infect PCs and then propagate to social networking sites.
2008
Conficker Worm: A combination of the words “configure” and “ficker”, this sophisticated worm caused some of the worst damage seen since Slammer appeared in 2003.
State Sponsored, Sophisticated and Profitable
• 2010 – Stuxnet Worm: Shortly after its release, security analysts openly speculated that this malicious code was designed with the express purpose of attacking Iran’s nuclear program and included the ability to impact hardware as well as software.
• 2011 – Zeus Trojan: Although first detected in 2007, the author of the Zeus Trojan released the source code to the public in 2011, giving the malware new life.
• 2013 – Cryptolocker: One of many early ransomware programs, Cryptolocker had a significant impact globally and helped fuel the ransomware era.
• 2014 – Backoff: Malware designed to compromise Point-of-Sale (POS) systems to steal credit card data.
• 2016 – Cerber: One of the heavy-hitters in the ransomware sphere. It’s also one of the most prolific crypto-malware threats.
• 2017 – WannaCry Ransomware: Exploiting a vulnerability first uncovered by the National Security Agency, the WannaCry Ransomware brought major computer systems in Russia, China, the UK, and the US to their knees.
The 7 Deadly Social Engineering Vices
Curiosity
Courtesy
Gullibility
Greed
Thoughtlessness
Shyness
Apathy
THE ESSENCE OF SOCIAL ENGINEERING
• THE BAD GUYS ALWAYS FOLLOW THE PATH OF LEAST RESISTANCE AND MOST PROFIT
Spyware
As the name suggests, spyware is a common type of malware which monitors the activities performed by a computer user on his or her PC.
The main intention of spyware is to collect the private information of the computer user.
Spyware may be accidentally downloaded by users while downloading free software from the internet.
Apart from transmitting private information, spyware can also change your computer settings and throw up pop-up ads.
Trojan Horse
A Trojan horse is malware which appears to be a legitimate file.
Once it infects a PC, it has the ability to grant remote access to the user’s computer.
A Trojan not only compromises security but can also make your PC slow and non-functional.
Virus
A computer virus is quite a popular term, which every PC user has probably come across.
A virus can enter your PC via an external hard drive or while downloading any software or email attachment.
A computer virus destroys data and can use your PC to circulate spam.
Worm
A type of virus, worms can enter your system through an email attachment.
A worm is a self-replicating virus and can spread very quickly via a computer network.
Scareware
Scareware, as the name suggests, scares PC users into believing that their computer is infected by hundreds of viruses, which supposedly requires the immediate purchase of a particular software product.
The warning can be in the form of a pop-up; clicking on it lands the user on a website where he or she is prompted to buy the unnecessary software.
Adware
Adware targets internet users showing them different
In general, no personal data is stolen by adware, but it can slow down your PC to a great extent.
Due to the huge number of ads appearing in the form of pop-ups, you will find it very difficult to perform day-to-day activities on your PC.
Ransomware
The most dangerous of all, Ransomware is a type of malware which encrypts the files stored in the target’s computer and demands a fee or ransom to decrypt the same.
The encryption is extremely strong and in most cases, it cannot be unlocked without paying the ransom.
The threat of ransomware is increasing day by day and hence a strong defense system needs to be developed including healthy browsing habits.
Bot
Bots are software programs created to automatically perform specific operations.
While some bots are created for relatively harmless purposes (video gaming, internet auctions, online contests, etc.), it is becoming increasingly common to see bots being used maliciously.
Bots can be used in botnets (collections of computers to be controlled by third parties) for DDoS attacks, as spambots that render advertisements on websites, as web spiders that scrape server data, and for distributing malware disguised as popular search items on download sites.
Websites can guard against bots with CAPTCHA tests that verify users as human.
Botnet Threat
• Botnets are a major threat to the Internet because:
• They consist of a large pool of compromised computers that are organized by a master.
• a.k.a. Zombie Armies
• They carry out sophisticated attacks to disrupt, gather sensitive data, or increase the armies
• Armies number in the thousands, aggregating computing power
• The communication network allows bots to evolve on a compromised host
Evolution of Botnets
• Motivation change in computer hacking
• Vandalism → Financial gains
• Almost $100 billion loss in 2018.
eCrime Market Operation
Sensitive Data and Market Significance
Crime Annual Revenues
Illegal online markets $860 Billion
Trade secret, IP theft $500 Billion
Data Trading $160 Billion
Crime-ware/CaaS $1.6 Billion
Ransomware $1 Billion
Total Cybercrime Revenues $1.5 Trillion
Botnet Architecture
Botnet Taxonomy
A taxonomy model is necessary to develop the intelligence to identify, detect, and mitigate the risk of an attack.
⚫ Attacking Behavior
⚫ C&C Models
⚫ Rally Mechanisms
⚫ Communication Protocols
⚫ Observable botnet activities
⚫ Evasion Techniques
Attacking Behaviors
Infecting new hosts
• Social engineering and distribution of malicious emails or other electronic communications (e.g. Instant Messaging)
• Example: an email sent with the bot malware disguised as a harmless attachment.
Stealing personal information
• Keylogger and network sniffer technology used on compromised systems to spy on users and compile personal information
Phishing and spam proxy
• Aggregated computing power and proxy capability allow spammers to impact larger groups without being traced.
Distributed Denial of Service (DDoS)
• Impair or eliminate availability of a network to extort or disrupt business
Command and Control (C&C)
• Essential for operation and support of botnet
• 3 Styles – Centralized, P2P and Randomized
• Weakest link of the botnet because:
• Elimination of botmaster takes out the botnet
• High level of activity by botmaster makes them easier to detect than their bots
C&C Centralized Model
• Simple to deploy, cheap, short latency for large scale attacks
• Easiest to eliminate
C&C Centralized Model Example
3 Steps of Authentication
• Bot to IRC Server
• IRC Server to Bot
• Botmaster to Bot
Peer to Peer Model
• Resilient to failures, hard to discover, hard to defend.
• Hard to launch large scale attacks because P2P technologies are currently only capable of supporting very small groups (< 50 peers)
P2P Botnet Example: Storm
The Overnet network Storm uses is extremely dynamic. Peers come and go and can change OIDs frequently. In order to stay “well connected” peers must periodically search for themselves to find nearby peers:
Overnet Message Passing:
Overnet has three basic message types to facilitate proper function of the network:
Connect: A peer uses connect messages to report their OID to other peers and to receive a list of peers somewhat close to the peer.
Search: A peer uses search messages to find resources and other nodes based on OID.
Publicize: A peer uses publicize messages to report ownership of network resources (OIDs) so that other peers can find the resource later.
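A toy model of the three Overnet message types described above (connect, search, publicize) and of the periodic self-search that keeps a peer connected. This is an added example, not part of the lecture and not Storm's or Overnet's real wire protocol: OIDs are 16-bit integers, distance is XOR as in Kademlia-style DHTs, K=3 contacts per reply and the whole network living in one process are all assumptions.

```python
K = 3  # peers returned per reply; an assumption, not Overnet's real parameter


def distance(a, b):
    """XOR distance between two OIDs, as in Kademlia-style DHTs (assumed)."""
    return a ^ b


class Peer:
    def __init__(self, oid):
        self.oid = oid
        self.alive = True
        self.contacts = {}   # oid -> Peer: the peers this node currently knows
        self.index = {}      # resource OID -> owner OID, learned via publicize

    def closest(self, target, k=K, exclude=()):
        """Live contacts sorted by XOR distance to target, at most k of them."""
        live = [p for p in self.contacts.values()
                if p.alive and p.oid not in exclude]
        return sorted(live, key=lambda p: distance(p.oid, target))[:k]

    # ---- receiving side: what a peer does with each message type ----
    def on_connect(self, sender):
        """Connect: note the sender's OID and reply with peers close to it."""
        self.contacts[sender.oid] = sender
        return self.closest(sender.oid, exclude={sender.oid})

    def on_search(self, target):
        """Search: answer with the owner if known, else with closer peers."""
        if target in self.index:
            return "found", self.index[target]
        return "closer", self.closest(target)

    def on_publicize(self, resource, owner_oid):
        """Publicize: remember which peer owns the resource."""
        self.index[resource] = owner_oid

    # ---- sending side: how a peer takes part in the network ----
    def connect(self, bootstrap):
        self.contacts[bootstrap.oid] = bootstrap
        for p in bootstrap.on_connect(self):
            self.contacts[p.oid] = p

    def search(self, target, max_hops=10):
        """Iterative lookup: ask the closest unasked live contact, learn the
        peers it returns, and forget contacts that have gone away."""
        asked = set()
        for _ in range(max_hops):
            self.contacts = {o: p for o, p in self.contacts.items() if p.alive}
            cands = self.closest(target, k=len(self.contacts), exclude=asked)
            if not cands:
                return None
            nxt = cands[0]
            asked.add(nxt.oid)
            kind, payload = nxt.on_search(target)
            if kind == "found":
                return payload
            for q in payload:
                if q.oid != self.oid:
                    self.contacts.setdefault(q.oid, q)
        return None

    def publicize(self, resource):
        """Walk toward the resource OID, then store the ownership record at
        the closest peers found so that others can search for it later."""
        self.search(resource)
        for p in self.closest(resource):
            p.on_publicize(resource, self.oid)
        self.index[resource] = self.oid

    def refresh(self):
        """Periodic self-search: the step that keeps a peer well connected."""
        self.search(self.oid)


def demo():
    """Deterministic walk-through on constructed OIDs; returns observations."""
    a, b, c, d = (Peer(o) for o in (0x0100, 0x0F00, 0x0F10, 0x8000))
    for p in (b, c, d):
        p.connect(a)                     # everyone bootstraps through a
    known_before = sorted(b.contacts)    # b knows only the bootstrap peer
    for p in (a, b, c, d):
        p.refresh()                      # self-search fills in nearby peers
    known_after = sorted(b.contacts)
    resource = 0x0F20
    c.publicize(resource)
    owner_seen_by_d = d.search(resource)
    b.alive = False                      # a peer leaves the network
    a.refresh()                          # a drops it and stays connected
    return {
        "known_before": known_before,
        "known_after": known_after,
        "owner_seen_by_d": owner_seen_by_d,
        "dead_peer_dropped": b.oid not in a.contacts,
        "owner_after_churn": a.search(resource),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```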
Random Mechanisms
• Theoretical architecture: Evan Cooke et al. describe the model
• Easy implementation and resilient to discovery and destruction
• Scalability limitations make it impractical for large scale attacks.
• Bots sleep and are not activated until Bot Master is ready to attack
Rallying Mechanisms
• Hard-coded IP address
• The bot communicates using C&C IP addresses that are hard-coded in its binary files.
• Easy to defend against, as the IP addresses are easily detected and blocked, which makes the bot useless.
Rallying Mechanisms
• Dynamic DNS Domain Name
• Hard-coded C&C domains assigned by dynamic DNS providers.
• Detection harder when botmaster randomly changes the location
• Easier to resume attack with new, unblocked Domain Name
• If connection fails the bot performs DNS queries to obtain the new C&C address for redirection.
Rallying Mechanisms
• Distributed DNS Service
• Hardest to detect & destroy. Newest mechanism. Sophisticated.
• Botnets run own DNS service out of reach of authorities
• Bots use the DNS addresses to resolve the C&C servers
• Use high port numbers to avoid detection by security devices and gateways
Communication Protocols
• In most cases botnets use well defined and accepted Communication Protocols. Understanding the communication protocols used helps to:
• Determine the origins of a botnet attack and the software being used
• Allow researchers to decode conversations happening between the bots and the masters
• There are two main Communication Protocols used for bot attacks:
• IRC
• HTTP
IRC Protocol
• IRC Botnets are the predominant version
• IRC mainly designed for one to many conversations but can also handle one to one
• Most corporate networks do not allow any IRC traffic, so any IRC request can indicate an external or internal bot
• Outbound IRC requests mean an already infected computer on the network
• Inbound IRC requests mean that a network computer is being recruited
HTTP Protocol
• Due to prevalence of HTTP usage it is harder to track a botnet that uses HTTP Protocols
• Using HTTP can allow a botnet to skirt the firewall restrictions that hamper IRC botnets
• Detecting HTTP botnets is harder but not impossible since the header fields and the payload do not match usual transmissions
• Some new options emerging are IM and P2P protocols, and growth is expected here in the future
HTTP Botnet Example: Fast-flux Networks
• Commonly used scheme
• Used to control botnets with hundreds or even thousands of nodes
Observable Behaviors
• Three categories of observable Botnet behaviors:
• Network-based
• Host-based
• Global Correlated
Network-Based
• Network patterns can be used to detect Botnets
• IRC & HTTP are the most common forms of Botnet communications
• Detectable by identifying abnormal traffic patterns:
• IRC communications in unwanted areas
• IRC conversations that humans cannot understand
• DNS domain names
• DNS queries to locate the C&C server
• Hosts query improper domain names
• The IP address associated with a domain name keeps changing periodically
• Traffic
• Bursty at times, and idle the rest of the time
• Abnormally fast responses compared to a human
• Attacks (e.g. Denial of Service): large amounts of invalid TCP SYN packets with invalid source IP addresses
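The network-based indicators above, turned into a small detector that runs over constructed flow and DNS records: IRC on a network that forbids it (tagged outbound or inbound, as the IRC slide distinguishes them), domains whose resolved address keeps changing, and bursts of SYN packets leaving the network with source addresses that cannot be ours. This is an added example, not from the lecture; the monitored network 10.0.0.0/8, the IRC ports 6667/6697, the flow record layout and the thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")   # assumed: the monitored network
IRC_PORTS = {6667, 6697}                   # standard IRC plaintext/TLS ports

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags)
FLOWS = [
    (0.0, "10.0.0.5", "203.0.113.9", 6667, "PA"),    # outbound IRC
    (1.0, "10.0.0.5", "203.0.113.9", 6667, "PA"),
    (1.5, "203.0.113.9", "10.0.0.8", 6667, "S"),     # inbound IRC
    (2.0, "10.0.0.7", "198.51.100.4", 443, "PA"),    # ordinary HTTPS
    # SYN burst leaving our network with sources that cannot be ours (spoofed)
    (3.00, "192.0.2.1", "198.51.100.20", 80, "S"),
    (3.01, "192.0.2.2", "198.51.100.20", 80, "S"),
    (3.02, "192.0.2.3", "198.51.100.20", 80, "S"),
    (3.03, "192.0.2.4", "198.51.100.20", 80, "S"),
    (3.04, "192.0.2.5", "198.51.100.20", 80, "S"),
    (9.0, "10.0.0.9", "198.51.100.30", 80, "S"),     # one legitimate SYN
]

# Constructed DNS answers seen at the resolver: (timestamp_s, qname, answer_ip)
DNS_ANSWERS = [
    (0, "update.example.net", "198.51.100.4"),
    (300, "update.example.net", "198.51.100.4"),
    (0, "cdn-flux.example.org", "203.0.113.10"),
    (60, "cdn-flux.example.org", "203.0.113.44"),
    (120, "cdn-flux.example.org", "198.51.100.77"),
    (180, "cdn-flux.example.org", "192.0.2.200"),
]


def classify_irc(flows):
    """IRC where policy forbids it, tagged by direction: outbound from an
    internal host points at an already infected machine, inbound toward an
    internal host suggests it is being recruited."""
    hits = []
    for _, src, dst, port, _ in flows:
        if port not in IRC_PORTS:
            continue
        if ip_address(src) in INTERNAL_NET:
            hits.append(("outbound", src, dst))
        elif ip_address(dst) in INTERNAL_NET:
            hits.append(("inbound", src, dst))
    return hits


def fast_flux_domains(answers, min_distinct=3):
    """Domains whose resolved address keeps changing between queries."""
    seen = defaultdict(set)
    for _, qname, ip in answers:
        seen[qname].add(ip)
    return sorted(d for d, ips in seen.items() if len(ips) >= min_distinct)


def spoofed_syn_bursts(flows, window_s=1.0, threshold=5):
    """External targets that received >= threshold SYN-only packets within
    window_s seconds from source addresses that are not ours: a flood
    launched from inside with spoofed sources (an egress-filter violation)."""
    stamps_by_target = defaultdict(list)
    for ts, src, dst, _, flags in flows:
        leaving = ip_address(dst) not in INTERNAL_NET
        spoofed = ip_address(src) not in INTERNAL_NET
        if flags == "S" and leaving and spoofed:
            stamps_by_target[dst].append(ts)
    flagged = []
    for dst, stamps in stamps_by_target.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):          # sliding window over timestamps
            while stamps[hi] - stamps[lo] > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(dst)
                break
    return sorted(flagged)


if __name__ == "__main__":
    for hit in classify_irc(FLOWS):
        print("IRC:", *hit)
    print("fast-flux candidates:", fast_flux_domains(DNS_ANSWERS))
    print("spoofed SYN bursts toward:", spoofed_syn_bursts(FLOWS))
```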
Host-Based
Botnet behavior can be observed on the host machine.
• Exhibit virus like activities
• When executed, Botnets run a sequence of routines.
• Modifying registries
• Modifying system files
• Creating unknown network connections
• Disabling Antivirus programs
Global Correlated
• Global characteristics are tied to the fundamentals of Botnets
• Not likely to change unless Botnets are completely redesigned and re-implemented
• Most valuable way to detect Botnets
• Behavior the same regardless if the Botnets are communicating via IRC or HTTP
• Global DNS queries increase due to assignment of new C&C servers
• Network Flow disruptions
Evasion Techniques
• The sophistication of Botnets allows them to evade
• AV Engines
• Signature-based intrusion detection systems (IDS)
• Anomaly-based detection systems
• Techniques
• Executable packers
• Rootkits
• Protocols
Evasion Techniques
• Moving away from IRC
• Taking control of
• HTTP
• VoIP
• IPv6
• ICMP
• Skype protocols
Evasion Techniques
• Skype, the best botnet ever??
• Very popular, 9M+ users, average 4M+ connected
• Very good firewall “punching” capabilities
• Obfuscated and persistent network flow
• Provides network API
• Skype provides network connectivity and obfuscation
• Skype is resilient by design
• Just need nickname(s) for communications
• Things are easy
• Exploit Skype
• Install bot as Skype plugin
• Generate plugin authorization token and execute
Beating Evasion Techniques
• Prevention
• Finding C&C servers and destroying them
• Most effective method for prevention and cure:
• Combining traditional detection mechanisms with those based on anomaly network behavior