Botnets: Abhishek Debchoudhury Jason Holmes

Botmasters control botnets and may rent them out for criminal purposes, while different command and control structures like star, hierarchical and peer-to-peer topologies impact how botnets can be detected and defended against.

Botnets

Abhishek Debchoudhury

Jason Holmes
What is a botnet?

A network of computers running software that runs autonomously.

In a security context we are interested in botnets in which the computers have been compromised and are under the control of a malicious adversary.
What are botnets used for?

Spam
o ~85% of email is spam
DDoS attacks
Identity theft
o Cost in 2006: $15.6 billion
Phishing attacks
o 4500 active sites at any given time, 1 million previously active sites
What are botnets used for?

Hosting pirated software


Hosting and distributing malware
Click fraud
o ~14% of all advertisement clicks are fraudulent
Packet sniffing
What's a botmaster?

Person(s) controlling the botnet


o Business person
Often paid by customers
Willing to rent out botnet
o Glory Hound
Brags about size of botnet
Willing to talk to researchers
o Script kiddies
Inexperienced
Command Topologies

Star
o All bots tied to a single centralized C&C server
Multi-Server
o Same as star but with multiple C&C servers for redundancy
Hierarchical
o Parent bots relay commands to child bots; most bots never see the top-level C&C
Random
o Fully peer-to-peer: any bot can relay commands, no fixed C&C server
Topology Tradeoffs

Control vs. Survivability

More Control (centralized: star, multi-server)
o Easier to get the botnet to do your bidding
o Easier to shut down: the C&C server is a single point of failure
Survivability (distributed: hierarchical, peer-to-peer)
o Harder to shut down: no single server to seize
o Less control: commands propagate more slowly and less reliably
Communication Methods

HTTP
o Easy for the attacker to blend in with normal web traffic
IRC
o Harder to hide, since IRC is much less used than HTTP
Custom
o Makes use of new or custom application protocols
Propagation Methods

Scanning
o Bots scan for vulnerable hosts and exploit them, sometimes with 0-day attacks
o Worm-like behavior: each newly infected host scans in turn
Infected e-mail attachments
Drive-by downloads
Trojan horses
Infection Procedure
History and Notable Botnets

1999 - Sub7
2000 - GTbot, a bot based on mIRC
2002 - SDbot, a small C++ binary with widely available source code
2002 - Agobot, staged attack with a modular payload
2003 - Sinit, the first peer-to-peer botnet
2004 - Bagle and Bobax, the first spamming botnets
2007 - Storm botnet
2009 - Waledac botnet
2009 - Zeus botnet
Defense

Three main issues:

1. How to find them
2. Decide how to fight them (defense vs. offense)
3. How to negate the threat
Detection: Analyze Network Traffic

Temporal
o Same repeated traffic pattern from a node, e.g. check-ins with the same C&C host at a fixed interval
Spatial
o Nodes in the same subnet as a known bot are likely also infected
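As an added example (not part of the original slides), the following Python applies both checks to a handful of constructed flow records: the temporal check flags source/destination pairs whose inter-arrival times are nearly constant, and the spatial check groups the flagged sources by /24 to find subnets with more than one beaconing host. The hosts, addresses, intervals and the thresholds min_flows and max_cv are all made up for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes).
# Two hosts in 10.0.1.0/24 check in with the same server every 60 s (bot-like);
# one host in 10.0.2.0/24 browses at irregular intervals (human-like).
FLOWS = (
    [(t, "10.0.1.7", "198.51.100.9", 80, 312) for t in range(0, 600, 60)]
    + [(t + 3, "10.0.1.9", "198.51.100.9", 80, 312) for t in range(0, 600, 60)]
    + [
        (5, "10.0.2.20", "93.184.216.34", 443, 5400),
        (41, "10.0.2.20", "93.184.216.34", 443, 12000),
        (47, "10.0.2.20", "203.0.113.5", 443, 800),
        (230, "10.0.2.20", "203.0.113.5", 443, 20000),
        (233, "10.0.2.20", "93.184.216.34", 443, 3000),
        (540, "10.0.2.20", "203.0.113.77", 443, 9000),
    ]
)


def periodic_pairs(flows, min_flows=5, max_cv=0.2):
    """Temporal check.

    Group flows by (src, dst, port) and compute the inter-arrival gaps.
    A coefficient of variation (stdev / mean) close to 0 means the node
    contacts that destination on a fixed schedule, as a bot polling its
    C&C does. Returns {(src, dst, port): mean_interval} for flagged pairs.
    """
    times = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        times[(src, dst, port)].append(ts)
    flagged = {}
    for key, ts in times.items():
        if len(ts) < min_flows:  # too few samples to call it periodic
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[key] = avg
    return flagged


def suspicious_subnets(flagged, prefix=24):
    """Spatial check.

    Group the sources flagged by periodic_pairs() by /prefix network and
    destination. A subnet with several hosts beaconing to the same server
    is a stronger signal than any single host, and its remaining hosts are
    candidates for a closer look. Returns {(subnet, dst): [sources]}.
    """
    by_subnet = defaultdict(set)
    for src, dst, _port in flagged:
        net = ip_network(f"{src}/{prefix}", strict=False)
        by_subnet[(str(net), dst)].add(src)
    return {k: sorted(v) for k, v in by_subnet.items() if len(v) >= 2}


if __name__ == "__main__":
    beacons = periodic_pairs(FLOWS)
    for (src, dst, port), interval in beacons.items():
        print(f"periodic: {src} -> {dst}:{port} every {interval:.0f}s")
    for (net, dst), hosts in suspicious_subnets(beacons).items():
        print(f"subnet {net}: {len(hosts)} hosts beaconing to {dst}: {hosts}")
```

Two caveats a practitioner would want: real bots add jitter to their check-in interval, so max_cv has to be tuned against traffic you have labelled, and the temporal check fires equally on benign pollers (NTP, package update checks, monitoring agents), so known destinations need an allow list before anyone acts on a hit.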
Detection: Packet Analysis

Using statistical analysis on network traffic flows
Classify packets based on payload signature and destination port
o Looking for clusters of similar data packets
o n-gram byte distribution of the payload
IRC botnet traffic is not very diverse compared to traffic generated by humans
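As an added example (not from the slides), the Python below measures that lack of diversity directly: it builds the byte-bigram distribution of each payload, computes the mean pairwise cosine similarity within a group of payloads to the same destination, and flags the group as a command channel when the payloads are too alike to be human chat. The payloads are constructed imitations (bot status reports in a fixed format versus ordinary chat lines), the channel names, nicks and addresses are made up, and the 0.6 threshold is an assumption to be tuned on real traffic.

```python
from collections import Counter
from itertools import combinations
from math import log2, sqrt

# Constructed sample payloads (no real captures). The bot lines imitate the
# fixed-format status reports bots post to an IRC control channel; the human
# lines imitate ordinary chat. Channel names, nicks and addresses are made up.
BOT_PAYLOADS = [
    b"PRIVMSG #c0ntrol :[SCAN]: Port scan started on 10.0.0.0:445 with a delay of 5 seconds using 100 threads.\r\n",
    b"PRIVMSG #c0ntrol :[SCAN]: Port scan started on 10.1.0.0:445 with a delay of 5 seconds using 100 threads.\r\n",
    b"PRIVMSG #c0ntrol :[SCAN]: Port scan started on 172.16.0.0:445 with a delay of 5 seconds using 100 threads.\r\n",
    b"PRIVMSG #c0ntrol :[SCAN]: Port scan started on 192.168.0.0:139 with a delay of 5 seconds using 100 threads.\r\n",
    b"PRIVMSG #c0ntrol :[SCAN]: Port scan started on 203.0.113.0:135 with a delay of 5 seconds using 100 threads.\r\n",
]
HUMAN_PAYLOADS = [
    b"PRIVMSG #linux :anyone know why my wifi drops after suspend?\r\n",
    b"PRIVMSG alice :lunch at 1? the place on 5th has a new menu\r\n",
    b"PRIVMSG #python :use a generator there, you are building the whole list in memory\r\n",
    b"PRIVMSG #music :that live album from 1974 is still my favourite\r\n",
    b"PRIVMSG bob :ok merged, can you rerun the benchmarks tomorrow morning?\r\n",
]


def ngrams(data, n=2):
    """Count the byte n-grams of one payload."""
    return Counter(data[i:i + n] for i in range(len(data) - n + 1))


def ngram_entropy(data, n=2):
    """Shannon entropy (bits) of one payload's n-gram distribution."""
    counts = ngrams(data, n)
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


def cosine(c1, c2):
    """Cosine similarity of two n-gram count vectors."""
    dot = sum(c1[k] * c2[k] for k in c1.keys() & c2.keys())
    norm = sqrt(sum(v * v for v in c1.values())) * sqrt(sum(v * v for v in c2.values()))
    return dot / norm if norm else 0.0


def cluster_similarity(payloads, n=2):
    """Mean pairwise cosine similarity of the payloads' n-gram distributions.
    Values near 1.0 mean the flows carry near-identical content, as a
    command channel does; human-generated text scores much lower."""
    vecs = [ngrams(p, n) for p in payloads]
    pairs = list(combinations(vecs, 2))
    return sum(cosine(a, b) for a, b in pairs) / len(pairs)


def looks_like_command_channel(payloads, n=2, threshold=0.6):
    """Flag a group of flows (same destination/port) as bot-like when the
    payloads are too similar to each other to be human-generated.
    The threshold is an assumption; tune it on labelled traffic."""
    return cluster_similarity(payloads, n) >= threshold


if __name__ == "__main__":
    for label, group in (("bot", BOT_PAYLOADS), ("human", HUMAN_PAYLOADS)):
        ent = sum(ngram_entropy(p) for p in group) / len(group)
        print(f"{label}: mean similarity {cluster_similarity(group):.2f}, "
              f"mean bigram entropy {ent:.2f} bits, "
              f"command channel? {looks_like_command_channel(group)}")
```

Grouping by destination port first, as the slide says, matters: mixing a bot channel's flows with unrelated traffic to the same host dilutes the similarity score, and a botmaster who pads or encrypts commands defeats the bigram measure entirely, at which point the temporal check is the one left standing.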
Strategy

Active: attack the source
o Shut down C&C server
o Re-route DNS
o Pushback
Passive: defend at the target
o Filters
o Human attestation
o Collective defense
Defense - Change DNS routing

Defender figures out the domain that the attacker is using and takes control of it, so the bots' lookups resolve to a server the defender runs (a sinkhole)

Pros:
Central point of attack
Severs botmaster's ability to communicate with the botnet
Cons:
Not all botnets have a C&C server
C&C domain changes often
o > 97% turn over per week
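As an added example (not from the slides), here is a minimal DNS sinkhole in Python. It parses a query in wire format, and if the name or one of its parent domains is on the seized-domain list it answers with the defender's address and records which client asked; that record is the payoff of a sinkhole beyond cutting the bots off, since every hit is an infected host. The domain names, addresses and list are made up, and a production sinkhole would sit behind a real resolver rather than speak UDP itself, which this code deliberately does not do.

```python
import struct


def encode_name(name):
    """Encode a dotted name in DNS wire format (each label prefixed by its length)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a wire-format name at offset; return (name, offset after it).
    Compression pointers are rejected: a well-formed question never contains
    one, and following them blindly is how parsers get stuck in loops."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name, txid, qtype=1):
    """Build a standard recursive A query (used here to construct sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


class Sinkhole:
    def __init__(self, seized_domains, sinkhole_ip, ttl=60):
        self.seized = {d.lower().rstrip(".") for d in seized_domains}
        self.rdata = bytes(int(o) for o in sinkhole_ip.split("."))
        self.ttl = ttl
        self.hits = {}  # qname -> set of client IPs that asked, i.e. the bots

    def is_seized(self, qname):
        """True if qname or any parent domain was seized; bots routinely use
        subdomains of the C&C zone, so an exact match alone would miss them."""
        parts = qname.lower().split(".")
        return any(".".join(parts[i:]) in self.seized for i in range(len(parts)))

    def handle(self, query, client_ip):
        """Return a sinkhole answer for a seized name, or None to let the
        query through to the normal resolver."""
        txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
        if qdcount != 1:
            raise ValueError("expected exactly one question")
        qname, off = decode_name(query, 12)
        qtype, qclass = struct.unpack("!HH", query[off:off + 4])
        if qtype != 1 or qclass != 1 or not self.is_seized(qname):
            return None
        self.hits.setdefault(qname.lower(), set()).add(client_ip)
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
        question = query[12:off + 4]
        # Answer: pointer to the question name at offset 12, type A, class IN,
        # TTL, then the 4-byte sinkhole address.
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, self.ttl, 4) + self.rdata
        return header + question + answer


if __name__ == "__main__":
    sink = Sinkhole(["cnc-example.test"], "192.0.2.1")
    for client, name in [("10.0.1.7", "update.cnc-example.test"),
                         ("10.0.2.20", "example.org")]:
        resp = sink.handle(build_query(name, 0x1234), client)
        print(f"{name}: {'sinkholed' if resp else 'passed through'}")
    print("infected hosts:", sink.hits)
```

The "domain changes often" con on the slide is exactly what this design cannot cope with: the seized list is static, so a botnet that rotates domains weekly or generates them algorithmically is only cut off for as long as the defender keeps winning the registration race.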
Defense - Blacklists

Defender creates a list of known attackers (addresses or domains) and refuses traffic from them.

Used primarily as a spam-fighting technique

Pros:
Allows for broad knowledge sharing
Easy to maintain/understand

Cons:
List has to be continually updated
Innocent service providers get blocked (e.g. every customer behind a shared address)
Defense - Human Attestation

Defender requests that the client prove that a human initiated the request.

Requires the client to have a trusted attester
o Accomplished through the use of a Trusted Platform Module
Several methods for an attester to determine that the actions were initiated by a human
o Through the use of secure input devices which cryptographically sign their output
o CAPTCHA or secure prompt
o Analyze keystrokes and mouse movement
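As an added example (not from the slides), the Python below shows the challenge-response shape such a scheme needs on the wire: the server issues a fresh nonce, the client's attester binds that nonce, a hash of the request and the kind of human evidence it observed into a token, and the server accepts the request only if the token comes from a known attester, is unexpired and is presented once. The attester names and evidence labels are assumptions, and a shared-key HMAC stands in for the TPM-held signing key so the example runs with the standard library alone; a real deployment would use a public-key signature from a TPM-protected key.

```python
import hashlib
import hmac
import os
import time

# Hypothetical provisioned attester keys (attester id -> secret). In the scheme
# on the slide the key would be held by a TPM and used for a public-key
# signature; a shared HMAC key is an assumption made to keep this runnable.
ATTESTER_KEYS = {"tpm-host-A": os.urandom(32)}


def request_mac(key, nonce, request, evidence):
    """MAC over the server's nonce, a hash of the request, and the kind of
    human evidence the attester observed. Binding the request hash stops a
    token obtained for one action being replayed for another."""
    msg = nonce.encode() + b"|" + hashlib.sha256(request).digest() + b"|" + evidence.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Attester:
    """Client-side trusted component, standing in for the TPM-backed attester."""

    def __init__(self, attester_id, key):
        self.attester_id, self.key = attester_id, key

    def attest(self, nonce, request, evidence):
        # A real attester would only produce this after itself observing the
        # human action (signed secure-input output, CAPTCHA, keystroke analysis).
        return {"attester": self.attester_id, "nonce": nonce, "request": request,
                "evidence": evidence,
                "mac": request_mac(self.key, nonce, request, evidence)}


class AttestationServer:
    """Server side: issues fresh nonces and accepts a request only with a valid,
    unexpired, single-use token from a known attester."""

    ACCEPTED_EVIDENCE = {"secure-input-device", "captcha", "keystroke-dynamics"}

    def __init__(self, attester_keys, nonce_ttl=30):
        self.keys = attester_keys
        self.nonce_ttl = nonce_ttl
        self.pending = {}  # nonce -> issue time

    def challenge(self, now=None):
        nonce = os.urandom(16).hex()
        self.pending[nonce] = time.time() if now is None else now
        return nonce

    def verify(self, token, now=None):
        now = time.time() if now is None else now
        issued = self.pending.pop(token.get("nonce"), None)  # single use: replays fail
        if issued is None or now - issued > self.nonce_ttl:
            return False
        if token.get("evidence") not in self.ACCEPTED_EVIDENCE:
            return False
        key = self.keys.get(token.get("attester"))
        if key is None:  # unknown attester: a bare bot has no trusted attester to vouch for it
            return False
        expected = request_mac(key, token["nonce"], token["request"], token["evidence"])
        return hmac.compare_digest(expected, token["mac"])


if __name__ == "__main__":
    server = AttestationServer(ATTESTER_KEYS)
    attester = Attester("tpm-host-A", ATTESTER_KEYS["tpm-host-A"])
    nonce = server.challenge()
    token = attester.attest(nonce, b"POST /send-mail", "secure-input-device")
    print("first use accepted:", server.verify(token))
    print("replay accepted:", server.verify(token))
```

The trust in this protocol rests entirely on the attester key being out of the malware's reach; on a compromised host without hardware protection the bot simply calls the attester itself, which is why the slide ties the attester to a TPM.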
Defense - Collective defense

"We must all hang together or assuredly we shall all hang separately."
-- Benjamin Franklin

Key contentions
o Most end users don't know/care about security
o The best way to secure the internet is through a collective effort without relying on end users
o Compromised hardware must be quarantined until healthy
Authenticate healthiness before network access
o Public Health Model for the Internet
Allow everyone but identify suspicious behavior
o Japan's Cyber Clean Center
o Finnish national Computer Emergency Response Team
Thanks
