Uploaded byharrykim_Suny
PPTX, PDF398 views

Botnet takeover

Botnets are networks of malware-infected machines controlled remotely. This document analyzes a takeover of the Torpig botnet. It describes how botnets use command and control channels like IRC to issue commands. The Mebroot rootkit was spread via drive-by downloads on websites and used to take over machines. The botnet authors registered domain names to use for command and control but researchers took over after observing the domain algorithm and were able to run the botnet for 10 days. Analyzing the botnet traffic showed the true size was much smaller than estimated by IP addresses alone. Better security practices and education are needed to address the cultural problems that enable these botnets.

Download to read offline
Analysis of a Botnet Takeover Harry Kim
Terminology Bot • An application that performs some action or set of actions on behalf of a remote controller Botnet •Networks of malware-infected machines controlled by an adversary Command and Control (C&C) Channel •Used to send commands to bots, and obtain results and status messages •IRC, HTTP, HTTPs, Peer to Peer
Botnet? Why it is important? •Root cause of security problem How to investigate? •Running Torpig Botnet
Torpig
Mebroot • It is used as a “platform” in Botnet • Rootkit distributed by Neosploit exploit kit • Spread via drive-by-downloads: hidden iframe on website executes obfuscated JavaScript to download Mebroot on victim’s machine •Mebroot overwrites the master boot record of the machine, circumventing most anti-virus tools (back then)
Phishing Attack
Botnet Takeover • Domain flux  Botnet authors have identified several ways to make these schemes more flexible an d robust against take-down actions, e.g., by using fast-flux techniques  However, fast-flux uses only a single domain name, which constitutes a single point of failure • Authors registered the .com and .net domains that were to be used by the bo tnet from January 25th, 2009 to February 15th, 2009. • However, on February 4th, 2009, the Mebroot controllers distributed a new Torpig binary that updated the domain algorithm – Worked for 10 days!
Botnet Data
Conclusion • First, a naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results. • Cultural Problem?  The victims of botnets are often users with poorly maint ained machines that choose easily guessable passwords to protect access to sensitive sites.  Education or better Social Engineering? • Ethics and Law issues  interacting with registrars, hosting facilities, victim inst itutions, and law enforcement is a rather complicated pr ocess.

More Related Content

ODP
Getline
byKacper Wikieł
 
PPTX
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
byJishnu Pradeep
 
PPT
Your Botnet is My Botnet: Analysis of a Botnet Takeover
byAhmed EL-KOSAIRY
 
DOCX
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
bysmile790243
 
PPT
Botnets
byrichashri3
 
DOCX
Lab3code.c#include stdio.h#include stdlib.h#include.docx
bysmile790243
 
PDF
Botnets - Detection and Mitigation
byAjit Skanda Kumaraswamy
 
PPTX
Botnets
byKavisha Miyan
 
Getline
byKacper Wikieł
 
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
byJishnu Pradeep
 
Your Botnet is My Botnet: Analysis of a Botnet Takeover
byAhmed EL-KOSAIRY
 
lab3cdga.ziplab3code.c#include stdio.h#include std.docx
bysmile790243
 
Botnets
byrichashri3
 
Lab3code.c#include stdio.h#include stdlib.h#include.docx
bysmile790243
 
Botnets - Detection and Mitigation
byAjit Skanda Kumaraswamy
 
Botnets
byKavisha Miyan
 

Similar to Botnet takeover

PPTX
Mcs2453 aniq mc101053-assignment1
byAniq Eastrarulkhair
 
PPT
Botnet
byJoshin Gomez
 
PDF
about botnets
byAlain Bindele
 
PPTX
BOTLAB excersise
byAnthony Stamm
 
PPTX
Presentation Undergraduate Project
byCevdet Basaran
 
PPTX
An Evolving Era of Botnet Empires @ BSides Las Vegas
byAndrea Scarfo
 
PPTX
Botnets
byVishwadeep Badgujar
 
PPTX
Botnet Detection in Online-social Network
byRubal Sagwal
 
PDF
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
byJulia Yu-Chin Cheng
 
PPTX
Botnet
byprisonbreak4950
 
PPTX
unit cyber security BOTNETS Documents.pptx
byvishal2226it1214
 
PDF
BOTNET
byArjo Ghosh
 
PDF
BOTNETS
byArjo Ghosh
 
PDF
The Spammer, the Botmaster, and the Researcher: On the Arms Race in Spamming ...
byGianluca Stringhini
 
PPTX
Introduction-to-Botnetsozbek tilida ppt.pptx
bymrabdulaziz247
 
PDF
Botnetsand applications
byUltraUploader
 
PPTX
Botnet
byPriyanKa Harjai
 
PPTX
Botnet.pptx
byChetanmalviya8
 
PPT
nullcon 2010 - Botnet mitigation, monitoring and management
byn|u - The Open Security Community
 
PDF
Cybersecurity -Terms.
byoffensoSEOwork
 
Mcs2453 aniq mc101053-assignment1
byAniq Eastrarulkhair
 
Botnet
byJoshin Gomez
 
about botnets
byAlain Bindele
 
BOTLAB excersise
byAnthony Stamm
 
Presentation Undergraduate Project
byCevdet Basaran
 
An Evolving Era of Botnet Empires @ BSides Las Vegas
byAndrea Scarfo
 
Botnets
byVishwadeep Badgujar
 
Botnet Detection in Online-social Network
byRubal Sagwal
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
byJulia Yu-Chin Cheng
 
Botnet
byprisonbreak4950
 
unit cyber security BOTNETS Documents.pptx
byvishal2226it1214
 
BOTNET
byArjo Ghosh
 
BOTNETS
byArjo Ghosh
 
The Spammer, the Botmaster, and the Researcher: On the Arms Race in Spamming ...
byGianluca Stringhini
 
Introduction-to-Botnetsozbek tilida ppt.pptx
bymrabdulaziz247
 
Botnetsand applications
byUltraUploader
 
Botnet
byPriyanKa Harjai
 
Botnet.pptx
byChetanmalviya8
 
nullcon 2010 - Botnet mitigation, monitoring and management
byn|u - The Open Security Community
 
Cybersecurity -Terms.
byoffensoSEOwork
 

Recently uploaded

PDF
VADY Invoice Intelligence — From Unstructured PDFs to Decision-Ready Business...
byNewFangledVision
 
PPTX
Which Tableau Alternative Offers Better Customization and Embeddability.pptx
byVarsha Nayak
 
PDF
Choosing Mobile App Development Services: A Clear Guide
byShiv Technolabs Pvt. Ltd.
 
PPTX
Foundations of Marketo Engage - Professional Exam Preparation - October 2025
bybbedford2
 
PDF
End-to-End Payroll Processing Checklist for Growing Businesses.pdf
byCRMLeaf
 
PDF
ICTlecture1 for 1st Semester Students of BS(CS)
bySirRafiLectures
 
PPTX
How John started to like TDD (instead of hating it) (Testcon, October'25)
byNacho Cougil
 
DOCX
Digital Dominance_ Why You Need a Top Web Design Agency in Dubai.docx
bydigpal3
 
DOCX
A A Comprehensive Guide on Unicode Text Converter
byJosh Bell
 
PPTX
Best Stepwise Approach to Scrape IMDb Data Effectively.pptx
byArcTechnolbs
 
PDF
SoftCorePC Full Updated Software Link Here
bySoftCore
 
PDF
What Writing 250+ Blog Posts Taught Me About Artificial Intelligence.pdf
byMarkus Eisele
 
PDF
VADY Enterprise AI Foresight — Explain What, Why & What-Next with Context-Awa...
byNewFangledVision
 
PPTX
Curated Help for T-Tests in IBM SPSS Statistics
byVersion 1 Analytics
 
PDF
The 50+ First-Timer: My OpenTelemetry Contribution and How Your CNCF Journey...
byImma Valls Bernaus
 
PDF
Shift Left for Inclusion: Scalable Accessibility Testing with Cypress - Cypre...
byLudovico Besana
 
PDF
Metrics, logs, traces, and mayhem: introducing an observability adventure gam...
byImma Valls Bernaus
 
PPTX
Soft(ware) Stories: Tecnologia, Identità e Giustizia di genere nel mondo digi...
byLetizia Jaccheri
 
PDF
Insurance Underwriting Software for Smarter Operations
byInsurance Tech Services
 
PDF
GMIS 2025 - CAHSI ML Workshop By Dr. Lynne Grewe
byugoti
 
VADY Invoice Intelligence — From Unstructured PDFs to Decision-Ready Business...
byNewFangledVision
 
Which Tableau Alternative Offers Better Customization and Embeddability.pptx
byVarsha Nayak
 
Choosing Mobile App Development Services: A Clear Guide
byShiv Technolabs Pvt. Ltd.
 
Foundations of Marketo Engage - Professional Exam Preparation - October 2025
bybbedford2
 
End-to-End Payroll Processing Checklist for Growing Businesses.pdf
byCRMLeaf
 
ICTlecture1 for 1st Semester Students of BS(CS)
bySirRafiLectures
 
How John started to like TDD (instead of hating it) (Testcon, October'25)
byNacho Cougil
 
Digital Dominance_ Why You Need a Top Web Design Agency in Dubai.docx
bydigpal3
 
A A Comprehensive Guide on Unicode Text Converter
byJosh Bell
 
Best Stepwise Approach to Scrape IMDb Data Effectively.pptx
byArcTechnolbs
 
SoftCorePC Full Updated Software Link Here
bySoftCore
 
What Writing 250+ Blog Posts Taught Me About Artificial Intelligence.pdf
byMarkus Eisele
 
VADY Enterprise AI Foresight — Explain What, Why & What-Next with Context-Awa...
byNewFangledVision
 
Curated Help for T-Tests in IBM SPSS Statistics
byVersion 1 Analytics
 
The 50+ First-Timer: My OpenTelemetry Contribution and How Your CNCF Journey...
byImma Valls Bernaus
 
Shift Left for Inclusion: Scalable Accessibility Testing with Cypress - Cypre...
byLudovico Besana
 
Metrics, logs, traces, and mayhem: introducing an observability adventure gam...
byImma Valls Bernaus
 
Soft(ware) Stories: Tecnologia, Identità e Giustizia di genere nel mondo digi...
byLetizia Jaccheri
 
Insurance Underwriting Software for Smarter Operations
byInsurance Tech Services
 
GMIS 2025 - CAHSI ML Workshop By Dr. Lynne Grewe
byugoti
 

Botnet takeover

  • 1.
    Analysis of aBotnet Takeover Harry Kim
  • 2.
    Terminology Bot •An application that performs some action or set of actions on behalf of a remote controller Botnet •Networks of malware-infected machines controlled by an adversary Command and Control (C&C) Channel •Used to send commands to bots, and obtain results and status messages •IRC, HTTP, HTTPs, Peer to Peer
  • 3.
    Botnet? Why itis important? •Root cause of security problem How to investigate? •Running Torpig Botnet
  • 4.
  • 5.
    Mebroot • Itis used as a “platform” in Botnet • Rootkit distributed by Neosploit exploit kit • Spread via drive-by-downloads: hidden iframe on website executes obfuscated JavaScript to download Mebroot on victim’s machine •Mebroot overwrites the master boot record of the machine, circumventing most anti-virus tools (back then)
  • 6.
  • 7.
    Botnet Takeover •Domain flux  Botnet authors have identified several ways to make these schemes more flexible an d robust against take-down actions, e.g., by using fast-flux techniques  However, fast-flux uses only a single domain name, which constitutes a single point of failure • Authors registered the .com and .net domains that were to be used by the bo tnet from January 25th, 2009 to February 15th, 2009. • However, on February 4th, 2009, the Mebroot controllers distributed a new Torpig binary that updated the domain algorithm – Worked for 10 days!
  • 8.
  • 9.
    Conclusion • First,a naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results. • Cultural Problem?  The victims of botnets are often users with poorly maint ained machines that choose easily guessable passwords to protect access to sensitive sites.  Education or better Social Engineering? • Ethics and Law issues  interacting with registrars, hosting facilities, victim inst itutions, and law enforcement is a rather complicated pr ocess.