Host and Application Security - PowerPoint PPT Presentation
Lesson 17: Botnets
PowerPoint Slideshow about 'Host and Application Security' - kurt

Presentation Transcript
almost done with malware
Almost done with Malware
  • Now that you’re done with traditional malware, let’s look at an important class or two we’ve ignored: rootkits and botnets
rootkit
Rootkit
  • Actually, a pretty loose definition
  • Can think of it as a piece of malware designed to give an attacker persistent, privileged access to a computer
    • Rootkits usually include a backdoor so the attacker can get back in, typically over the network
    • Rootkits are usually very stealthy: they hide their own files, processes and connections so the attacker can stay on the box without being noticed
botnet
Botnet
  • Really, a form of rootkit, but the emphasis is on remote control: the infected machine (a “bot”) takes orders from an operator (the “botherder”)
  • Machines get recruited into botnets in a large number of ways
  • Typically, a web- or email-based exploit
  • This installs the bot on the machine
command and control
Command and Control
  • This can be thought of as the “Achilles heel” of the botnet
  • A botnet needs remote control: the herder has to reach every bot, and every bot has to be able to find the herder
  • Thus, if we can detect the command and control traffic on the network, we can detect the botnet (and if we can take over the control channel, we can take over the botnet)
  • However, the botherder makes a large effort to protect his (her) investment, which is why C2 designs get elaborate
  • Lots of uses for a botnet once it is under control:
    • DDoS attacks
    • Adware installation
    • Spyware installation
    • Spam
    • Click fraud
    • Spread to other machines
    • ID theft
c2 techniques
C2 Techniques
  • Simple: IRC (bots join a channel on an IRC server and read commands posted there; a single hard-coded server name or address is easy to block or seize)
  • Complicated: Domain flux
    • Bot and herder share an algorithm that generates a different list of candidate domain names every day (a domain generation algorithm)
    • Bots “check in” by trying the day’s candidates in turn until one resolves
    • Not all domains need to be registered for this approach to work: the herder registers just one (or a few) of the day’s candidates, while a defender who wants to block the channel has to predict and register every candidate, every day
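The domain-flux idea above, as an added example (it is not code from these slides and does not reproduce any real bot family). The seed string, the label format and the TLD list are this example's own assumptions; what it shows is that bot and herder derive the same daily list from a shared secret plus the date, that the herder only has to register one of the candidates, and that a bot's check-in leaves a trail of failed lookups before it finds the live one:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Constructed seed for this toy DGA. Real families hide their seed inside the
// bot binary; here it is a plain string so the example runs offline.
const seed = "lesson17-toy-dga-seed"

var tlds = []string{".com", ".net", ".org"}

// candidateDomains derives n candidate names for one day. Bot and herder both
// run this, so neither has to be told the day's list in advance.
func candidateDomains(day time.Time, n int) []string {
	domains := make([]string, 0, n)
	// Daily seed: fixed secret mixed with the calendar date.
	h := sha256.Sum256([]byte(seed + day.UTC().Format("2006-01-02")))
	for i := 0; i < n; i++ {
		// Chain the hash so every candidate gets a fresh label.
		h = sha256.Sum256(append(h[:], byte(i)))
		label := hex.EncodeToString(h[:6]) // 12 hex characters
		domains = append(domains, label+tlds[i%len(tlds)])
	}
	return domains
}

// rally is the bot's check-in: try the candidates in order and stop at the
// first one that resolves. It also reports how many lookups failed first,
// which is the burst of NXDOMAIN answers a defender watching DNS can key on.
func rally(candidates []string, resolve func(string) (string, bool)) (domain, ip string, misses int, ok bool) {
	for _, d := range candidates {
		if addr, found := resolve(d); found {
			return d, addr, misses, true
		}
		misses++
	}
	return "", "", misses, false
}

func main() {
	day := time.Date(2009, 1, 25, 0, 0, 0, 0, time.UTC)
	cands := candidateDomains(day, 5)
	// Constructed stand-in for DNS: the herder registered only the third candidate.
	registered := map[string]string{cands[2]: "203.0.113.7"}
	resolve := func(d string) (string, bool) {
		addr, found := registered[d]
		return addr, found
	}
	for _, d := range cands {
		fmt.Println("candidate:", d)
	}
	d, ip, misses, ok := rally(cands, resolve)
	fmt.Printf("rallied=%v domain=%s ip=%s failed lookups first=%d\n", ok, d, ip, misses)
}
```

The `resolve` callback stands in for real DNS so the program runs without network access. The defender's two options fall out of the code directly: register (or sinkhole) candidates earlier in the list than the herder does, or watch for hosts that generate runs of failed lookups for never-registered names.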
c2 features
C2 features
  • Can break down into:
    • Topology: hub and spoke (every bot talks to a central server)? P2P (bots relay commands to each other, so there is no single server to take down)?
    • Rallying Mechanism: How new bots locate and join the botnet (a hard-coded address, an IRC channel, a domain generation algorithm…)
    • Communication Protocol: The underlying protocol used (IRC, HTTP, a custom protocol, or something tunnelled inside a legitimate-looking one)
    • Control Mechanism: How new commands are sent. Callback (the C2 pushes to the bots)? Polling (bots ask the C2 periodically)?
    • Command Authentication Mechanism: How can a bot tell if a command is really from the botherder? Without one, anyone who gains control of the rallying point (a sinkholed domain, a seized server) can command the bots
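A command authentication mechanism of the kind the last bullet asks about, as an added example (not code from these slides or from any real botnet). The `Command` layout, the `issue`/`Accept` names and the sequence-number rule are this example's own assumptions. The herder signs each command with an Ed25519 private key; each bot carries only the matching public key, so a third party who takes over the rendezvous point, or who reverse-engineers a bot, still cannot produce a command the bot will accept:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is what the C2 hands to a bot. Field names and layout are this
// example's own, not any real family's wire format.
type Command struct {
	Seq     uint64 // strictly increasing; lets a bot refuse replayed old commands
	Payload string // the instruction itself, opaque to this example
	Sig     []byte // Ed25519 signature over Seq||Payload, made with the herder's key
}

// signingInput fixes exactly what gets signed: the sequence number and the payload.
func signingInput(seq uint64, payload string) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, seq)
	return append(buf, payload...)
}

// issue is the herder's side: only the holder of priv can produce a valid Sig.
func issue(priv ed25519.PrivateKey, seq uint64, payload string) Command {
	return Command{Seq: seq, Payload: payload, Sig: ed25519.Sign(priv, signingInput(seq, payload))}
}

var (
	ErrBadSignature = errors.New("command rejected: signature does not verify under the herder's public key")
	ErrReplay       = errors.New("command rejected: sequence number is not newer than the last accepted one")
)

// Bot carries only the herder's public key, so pulling a bot apart yields
// nothing that lets a third party forge commands.
type Bot struct {
	herderPub ed25519.PublicKey
	lastSeq   uint64
}

// Accept verifies a command before the bot would act on it: signature first,
// then freshness, then the counter advances.
func (b *Bot) Accept(c Command) error {
	if !ed25519.Verify(b.herderPub, signingInput(c.Seq, c.Payload), c.Sig) {
		return ErrBadSignature
	}
	if c.Seq <= b.lastSeq {
		return ErrReplay
	}
	b.lastSeq = c.Seq
	return nil
}

func main() {
	herderPub, herderPriv, _ := ed25519.GenerateKey(rand.Reader)
	bot := &Bot{herderPub: herderPub}

	genuine := issue(herderPriv, 1, "ddos 198.51.100.9")
	fmt.Println("genuine command:", bot.Accept(genuine))
	fmt.Println("same command replayed:", bot.Accept(genuine))

	// A sinkhole operator who now owns the rendezvous domain has keys of their own.
	_, sinkholePriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("sinkhole's command:", bot.Accept(issue(sinkholePriv, 2, "uninstall")))

	// A genuine signature does not survive changes to the payload it covers.
	tampered := issue(herderPriv, 2, "sleep 3600")
	tampered.Payload = "download http://sinkhole.example/update"
	fmt.Println("tampered payload:", bot.Accept(tampered))
}
```

A symmetric MAC would not do here: the key would have to live inside every bot, and anyone who extracts it from one sample could sign commands for the whole botnet. The asymmetric design is what makes authenticated C2 resistant to the takeover scenario the reading below describes, which is also why, from the defender's side, the absence of such a check is the thing to look for.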
to do
To Do
  • Download and read “Your botnet is my botnet: Analysis of a Botnet Takeover” (Stone-Gross et al., ACM CCS 2009)
  • Questions about this could be on the final…