Host and Application Security - PowerPoint PPT Presentation

Host and Application Security

Lesson 17: Botnets

Almost done with Malware

  • Now that you’re done with traditional malware, let’s look at an important class or two we’ve ignored: rootkits and botnets

Rootkit

  • Actually, a pretty loose definition

  • Can think of it as a piece of malware that is designed to allow an attacker privileged access to a computer

    • Rootkits usually allow access via the network

    • Rootkits usually are very stealthy, and provide ways an attacker can hide on the box



  • Really, a form of rootkit, but the emphasis is on remote control

The Botnet Lifecycle



  • Machines get recruited into botnets a large number of ways

  • Typically, web or email based exploit

  • This installs the bot on the machine

Command and Control

  • This can be thought of as the “Achilles heel” of the botnet

  • A botnet needs remote control

  • Thus, if we can detect the network traffic, we can detect the botnet

  • However, the botherder makes a large effort to protect his (her) investment
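The slide's point that the control channel is the weak spot can be made concrete with a small detector. The following is an added example, not code from the slides or from any botnet analysis tool: it looks for the steady check-in rhythm a remotely controlled bot produces, using a constructed flow log (the IP addresses, port and timestamps are invented for the example; the coefficient-of-variation threshold is an assumed tuning value).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow log (not real traffic), one connection per line:
# "<epoch seconds> <src ip> <dst ip> <dst port>".
# 10.0.0.5 connects to 203.0.113.9:6667 exactly every 60 s, the rhythm of a
# bot polling an IRC-style controller; 10.0.0.8 browses a site at random times.
SAMPLE_FLOWS = """\
1700000000 10.0.0.5 203.0.113.9 6667
1700000060 10.0.0.5 203.0.113.9 6667
1700000120 10.0.0.5 203.0.113.9 6667
1700000180 10.0.0.5 203.0.113.9 6667
1700000240 10.0.0.5 203.0.113.9 6667
1700000300 10.0.0.5 203.0.113.9 6667
1700000007 10.0.0.8 198.51.100.20 443
1700000151 10.0.0.8 198.51.100.20 443
1700000162 10.0.0.8 198.51.100.20 443
1700000900 10.0.0.8 198.51.100.20 443
1700000933 10.0.0.8 198.51.100.20 443
1700001400 10.0.0.8 198.51.100.20 443
"""


def parse_flows(text):
    """Turn the constructed log into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((int(ts), src, dst, int(port)))
    return flows


def find_beacons(flows, min_events=5, max_cv=0.2):
    """Return {(src, dst, port): mean_gap_seconds} for connection pairs whose
    inter-connection gaps are nearly constant.  The coefficient of variation
    (std dev / mean) is 0 for a perfectly periodic check-in; human-driven
    traffic is bursty and scores well above max_cv (an assumed threshold)."""
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst, port), gap in find_beacons(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}:{port} checks in every ~{gap:.0f}s")
```

The slide's next bullet applies here: a botherder protecting the investment will add random jitter to the check-in interval or hide the channel in ordinary-looking traffic, so a single timing heuristic is a starting signal to be combined with others (destination reputation, protocol on an unexpected port), not a verdict on its own.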



  • Lots of uses:

    • DDoS attacks

    • Adware installation

    • Spyware installation

    • Spam

    • Click fraud

    • Spread to other machines

    • ID theft

C2 Techniques

  • Simple: IRC

  • Complicated: Domain flux

    • Generate different candidate domain names every day

    • Bots “check in” with new domains every day

    • Not all domains need to be registered for this approach to work
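Domain flux works because every bot can compute the same daily list, and that determinism is also what a defender uses against it: once the algorithm and seed are recovered from a sample, the day's candidate domains can be precomputed and blocklisted, sinkholed or registered ahead of the botherder. The example below is added here and is not from the slides or from any real botnet: the generator is a hypothetical toy (SHA-256 over a seed, the date and a counter), the seed and date are invented, and the DNS log is constructed from the generator's own output so that the matcher has something to find.

```python
import hashlib
from collections import defaultdict
from datetime import date

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = ("com", "net", "org")


def candidate_domains(day, seed, count=20):
    """Toy domain-flux generator (a hypothetical stand-in, not any real
    family's algorithm).  It is deterministic in (day, seed), which is the
    whole point: every bot computes the same list, and so can an analyst
    who has recovered the algorithm and seed from a sample."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        label = "".join(ALPHABET[b % 26] for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def flag_dga_queries(log_lines, day, seed, count=20):
    """Match DNS query log lines ("<epoch> <client ip> <qname> <rcode>")
    against the day's precomputed candidate list.
    Returns {client_ip: [matching names]}."""
    wanted = set(candidate_domains(day, seed, count))
    hits = defaultdict(list)
    for line in log_lines:
        _ts, client, qname, _rcode = line.split()
        if qname.lower().rstrip(".") in wanted:
            hits[client].append(qname)
    return dict(hits)


def nxdomain_ratio(log_lines):
    """Share of each client's lookups that failed with NXDOMAIN.  Because most
    generated names are never registered (the slide's last bullet), a bot
    cycling through its daily list produces a burst of failures that stands
    out even when the algorithm itself is still unknown."""
    total = defaultdict(int)
    failed = defaultdict(int)
    for line in log_lines:
        _ts, client, _qname, rcode = line.split()
        total[client] += 1
        if rcode == "NXDOMAIN":
            failed[client] += 1
    return {client: failed[client] / total[client] for client in total}


# Constructed sample: hypothetical seed and date, and a DNS log built from the
# generator's own output so the example runs self-contained.
SEED = "hypothetical-family-seed"
DAY = date(2024, 1, 1)
_todays = candidate_domains(DAY, SEED)
SAMPLE_DNS_LOG = [
    f"1704067200 10.0.0.5 {_todays[0]} NXDOMAIN",
    f"1704067201 10.0.0.5 {_todays[1]} NXDOMAIN",
    f"1704067202 10.0.0.5 {_todays[2]} NOERROR",
    "1704067210 10.0.0.7 www.example.com NOERROR",
    "1704067211 10.0.0.7 mail.example.org NOERROR",
]

if __name__ == "__main__":
    print("today's candidates:", _todays[:3], "...")
    print("clients querying them:", flag_dga_queries(SAMPLE_DNS_LOG, DAY, SEED))
    print("NXDOMAIN ratio per client:", nxdomain_ratio(SAMPLE_DNS_LOG))
```

The two functions are complementary signals: the exact match needs the recovered algorithm but is precise, while the NXDOMAIN ratio needs nothing about the family but will also fire on misconfigured hosts, so it is a lead to investigate rather than proof. The "Your botnet is my botnet" paper on the reading list is the worked case of the first approach taken to its conclusion, registering the future domains before the botherder did.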

C2 features

  • Can break down into:

    • Topology: hub and spoke? P2P?

    • Rallying Mechanism: How new bots locate and join the botnet.

    • Communication Protocol: The underlying protocol used…

    • Control Mechanism: How new commands are sent. Callback? Polling?

    • Command Authentication Mechanism: How can we tell if a command is really from the botherder?

To Do

  • Download and read “Your botnet is my botnet: Analysis of a Botnet Takeover”

  • Questions about this could be on the final…
