Botnets: Abhishek Debchoudhury Jason Holmes

Botmasters control botnets and may rent them out for criminal purposes, while different command and control structures like star, hierarchical and peer-to-peer topologies impact how botnets can be detected and defended against.


Botnets

Abhishek Debchoudhury
Jason Holmes

What is a botnet?

A network of computers running software that runs autonomously.
In a security context we are interested in botnets in which the computers have been compromised and are under the control of a malicious adversary.

What are botnets used for?

Spam
o ~85% of email is spam
DDoS attacks
Identity theft
o Cost in 2006: $15.6 billion
Phishing attacks
o 4500 active sites at any given time, 1 million previously active sites
Hosting pirated software
Hosting and distributing malware
Click fraud
o ~14% of all advertisement clicks are fraudulent
Packet sniffing

What's a botmaster?

Person(s) controlling the botnet
o Business person
  - Often paid by customers
  - Willing to rent out the botnet
o Glory hound
  - Brags about the size of the botnet
  - Willing to talk to researchers
o Script kiddies
  - Inexperienced

Command Topologies

Star
o Bots tied to a centralized C&C server
Multi-Server
o Same as star, but with multiple C&C servers
Hierarchical
o Parent bots control child bots
Random
o Full P2P support

Topology Tradeoffs

Control vs. Survivability
More control
o Easier to get the botnet to do your bidding
o Easier to shut down
Survivability
o Harder to shut down
o Less control

Communication Methods

HTTP
o Easy for the attacker to blend in
IRC
o Harder to hide, since IRC is much less used than HTTP
Custom
o Makes use of new application protocols

Propagation Methods

Scanning
o 0-day attacks
o Worm-like behavior
Infected e-mail attachments
Drive-by downloads
Trojan horses

Infection Procedure

History and Notable Botnets

1999 - Sub7
2000 - GTbot, a bot based on mIRC
2002 - SDbot, a small C++ binary with widely available source code
2002 - Agobot, staged attacks with a modular payload
2003 - Sinit, the first peer-to-peer botnet
2004 - Bagle and Bobax, the first spamming botnets
2007 - Storm botnet
2009 - Waledac botnet
2009 - Zeus botnet

Defense

Three main issues:
1. How to find them
2. Decide how to fight them (defense vs. offense)
3. How to negate the threat

Detection: Analyze Network Traffic

Temporal
o Same repeated traffic pattern from a node
Spatial
o Nodes in the same subnet are likely infected

Detection: Packet Analysis

Using statistical analysis on network traffic flows
Classify packets based on payload signature and destination port
o Looking for clusters of similar data packets
o n-gram byte distribution
IRC botnet traffic is not very diverse compared to traffic generated by humans
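The temporal, spatial and payload heuristics from the two detection slides above, as an added Python example that is not part of the deck: the hosts, timestamps, payloads and thresholds are all constructed for illustration.

```python
"""Added example (not from the deck): the heuristics from the two detection
slides run over constructed sample data. Temporal: a beaconing bot has near-zero
variance in connection inter-arrival times. Payload: C&C chatter reuses the same
byte n-grams, so its n-gram entropy is low. Spatial: flagged hosts cluster by subnet.
Thresholds are illustrative, not values from the slides."""
import ipaddress
from collections import Counter, defaultdict
from math import log2
from statistics import mean, pstdev

def beacon_cv(timestamps):
    """Coefficient of variation of inter-arrival gaps; ~0 means a regular beat."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)

def ngram_entropy(payloads, n=2):
    """Shannon entropy (bits) of the byte n-gram distribution over all payloads."""
    counts = Counter()
    for p in payloads:
        counts.update(p[i:i + n] for i in range(len(p) - n + 1))
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())

def classify_host(timestamps, payloads, cv_max=0.1, entropy_min=5.0):
    """Return the reasons a host looks bot-like (empty list if none)."""
    reasons = []
    cv = beacon_cv(timestamps)
    if cv is not None and cv < cv_max:
        reasons.append(f"periodic beacon (cv={cv:.2f})")
    h = ngram_entropy(payloads)
    if h < entropy_min:
        reasons.append(f"low payload diversity (H={h:.2f} bits)")
    return reasons

def suspicious_subnets(flagged_ips, prefix=24):
    """Spatial check: subnets holding two or more flagged hosts."""
    groups = defaultdict(list)
    for ip in flagged_ips:
        groups[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].append(ip)
    return {str(net): hosts for net, hosts in groups.items() if len(hosts) >= 2}

# Constructed sample: a bot beaconing every 60 s with identical IRC-style commands
BOT_TS = [0, 60, 120, 180, 240, 300]
BOT_PAYLOADS = [b"PRIVMSG #cc :.scan 10.0.0.0/8"] * 6
# Constructed sample: a person chatting at irregular times with varied text
HUMAN_TS = [0, 7, 95, 110, 340, 1000]
HUMAN_PAYLOADS = [b"PRIVMSG #dev :did anyone see why the nightly build failed?",
                  b"PRIVMSG #dev :looks like a flaky test, rerunning it now"]
```

Calling classify_host on the bot sample returns both reasons, while the human sample is not flagged as periodic; feeding the flagged hosts to suspicious_subnets then applies the spatial check.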

Strategy

Active: attack the source
o Shut down the C&C server
o Re-route DNS
o Pushback
Passive: defend at the target
o Filters
o Human attestation
o Collective defense

Defense - Change DNS Routing

Defender figures out the domain the attacker is using and takes control of it.

Pros:
o Central point of attack
o Severs the botmaster's ability to communicate with the botnet
Cons:
o Not all botnets have a C&C server
o The C&C domain changes often
  - > 97% turnover per week

Defense - Black Lists

Defender creates a list of attackers.
Used primarily as a spam-fighting technique.

Pros:
o Allows for broad knowledge sharing
o Easy to maintain/understand
Cons:
o List has to be continually updated
o Innocent service providers get blocked

Defense - Human Attestation

Defender requests that the client prove it is operated by a human.
Requires the client to have a trusted attester
o Accomplished through the use of a Trusted Platform Module
Several methods for an attester to determine that the actions were initiated by a human
o Through the use of secure input devices which cryptographically sign their output
o CAPTCHA or secure prompt
o Analyze keystrokes and mouse movement

Defense - Collective Defense

"We must all hang together or assuredly we shall all hang separately."
-- Benjamin Franklin

Key contentions
o Most end users don't know/care about security
o The best way to secure the internet is through a collective effort without relying on end users
o Compromised hardware must be quarantined until healthy
  - Authenticate healthiness before network access
o Public health model for the Internet
  - Allow everyone but identify suspicious behavior
o Japan's Cyber Clean Center
o Finnish national Computer Emergency Response Team

Thanks