Botnets
Alex Lam
March 2nd, 2010
Portland State University, CS347U
Contents
• What is a botnet?
• How are botnets created?
• How are they controlled?
• How are bots acquired?
• What types of attacks are they responsible for?
• Preventing infection by a bot
Are botnets a threat to internet security?
• According to Cisco (2007), “Botnets: The New Threat Landscape”, they are the primary threat on the internet today.
• There is no limit to their size…
• Used for large-scale attacks such as digital vandalism (SPAM) or financial gain (click fraud).
What’s a bot?
To understand botnets, we need to know what a bot is…
• A bot is a malicious application; the name is short for software robot.
• An automated program that runs silently on an infected host (drone).
• The bot waits for commands from its creator (the bot master).
• Communication between the master and the drone goes through IRC, a chat protocol similar to IM.
What’s a botnet?
• A network of bot-infected computers, consisting of hundreds or thousands of drones (a zombie army).
• Central control by a third party.
• Acts on a single purpose, depending on the motive of the bot master.
• Often used for a large-scale attack.
How are botnets created? What is needed
• Simple point-and-click software.
• Set up a C&C (Command & Control) server.
• Many bot-infected computers (drones). The more bots in the zombie army, the more power/capability.
• A high-speed internet connection to communicate with the drones via IRC.
How are they controlled?
Internet Relay Chat (Centralized)
• Real-time messaging, e.g. text or chat.
• Botnets are controlled through an Internet Relay Chat (IRC) system.
• IRC operates on an open, well-known TCP port.
• An IRC network can be linked to other IRC networks.
• IM-style traffic is easier to detect on IRC.
• IRC networks are taking measures to block access by botnets, so bot masters must run their own servers.
eXtensible Messaging and Presence Protocol (Decentralized)
• Decentralized control.
• Requires no open port.
• Messages are encrypted, making them difficult to detect.
• Able to work behind firewalls.
• Similar to how email works; can be used anywhere.
Some interesting stats
• Of about 600 million systems connected to the internet, about 150 million are infected by bot software.
• 1 out of 4 computers connected to the internet is compromised by a bot.
Acquiring Bots
• Bots are acquired like any other malicious program/software, e.g. trojans and viruses:
• Piggybacked software installations
• Drive-by downloads
• Browser add-ons such as plug-ins
• Downloads from an untrusted site
Capability of a botnet (Malicious)
• Botnets are flexible and are capable of many attacks, such as…
• Distributed Denial of Service (DDoS) attacks
• SPAM
• Click fraud
• Spyware
• AND many more!!!
DoS Attack
• Digital vandalism.
• The target site becomes slow or unavailable due to…
• interruption of the physical network mechanism;
• exhaustion of computational resources, e.g. bandwidth, disk space.
• The target is overwhelmed by a flood of packets and can no longer perform its normal functions. Even though the targets are sites, routers and switches along the path also fail.
Spam from a botnet*
• A spammer sends money/a request to a bot master.
• The bot master generates the spam details.
• The spam details are sent to the zombie army.
• The drones execute the command.
• The spam is forwarded to SMTP servers.
• The spam is delivered to inboxes.
• Info is sent back to the bot master if recipients open the mail and compromise their computers.
* Wikipedia/spam
Click Fraud
• Online advertising pays affiliates for the clicks generated per advertisement, also known as pay-per-click advertising (PPC).
• What if…
• ad clicks were simulated,
• manipulated by botnets?
Spyware
• An application installed on your computer without your consent; spyware can monitor your activities by…
• screenshot capture
• network packet capture
• keystroke logging
• data theft
Cont. Spyware
Keystroke Loggers
• Keystroke loggers are able to capture…
• Passwords
• Communications, e.g. IM and emails
• CC info
• Personal data (identity theft)
Network Packet Sniffer
• A program that is able to intercept a data packet, route it to the interceptor and analyze the data.
• This program can also be used to see if competing botnets are in proximity.
• A bot master can steal that bot to make it part of his/her own botnet.
Cont. Spyware
Screenshot Capture
• Works just like a keystroke logger.
• Captures images.
• Able to enable the webcam and mic.
Data Theft
• Searches protected storage for credentials.
• Searches for other valuable data such as passwords.
• Obtains IM contacts and email contacts (SPAM list).
• Able to obtain files such as Word and PPTX documents.
Storm botnet
• First discovered in January 2007.
• One source says the network consisted of 1 to 50 million drones by September 2007; another source says between 250,000 and 1 million.
• Responsible for 8% of malware for Windows OS and 8% of spam.
• Powerful enough to shut down a country’s internet…
• using only 10%-20% of its network.
Ways to Protect Yourself from Botnets
• Regularly update your browser and anti-virus.
• Switch browser and/or OS
• Most botnets are written for the most commonly used browser, such as IE. The same goes for the OS. The safer ones are Macs; most botnets target Windows OS.
• Hire a web-filtering service
• A service that informs the user when a site is acting unusually, knows which sites are associated with malicious activity, and blocks them from the user.
• Deploy intrusion-detection and intrusion-prevention systems
• IDS: An application that monitors network and/or system activities for malicious activity or policy violations.
• IPS: Same as an IDS, but the application filters out the malicious packets and allows the rest of the content to stream to the user.
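As an added example that is not part of the original slides, the detection logic an IDS might apply to the pattern described above: drones hold a connection to an IRC C&C server and then fan out to many SMTP servers to relay spam. The flow records, the C&C address 198.51.100.7 and the threshold of five distinct mail servers are all constructed for the illustration.

```python
from collections import defaultdict

IRC_PORTS = {6667, 6668, 6669, 6697}   # common IRC ports (plain and TLS)
SMTP_PORT = 25
SMTP_FANOUT = 5   # distinct mail servers per host that we treat as a spam burst

def synthetic_flows():
    """Constructed flow records (src, dst, dst_port, proto); not real traffic."""
    flows = []
    c2 = "198.51.100.7"                      # constructed C&C address
    for drone in ("10.0.0.5", "10.0.0.9"):   # two drones talking to one IRC C&C
        flows.append((drone, c2, 6667, "tcp"))
        for i in range(6):                   # each relays spam to 6 mail servers
            flows.append((drone, f"203.0.113.{i}", SMTP_PORT, "tcp"))
    flows.append(("10.0.0.20", "192.0.2.40", 6667, "tcp"))      # legitimate IRC user
    flows.append(("10.0.0.20", "192.0.2.50", SMTP_PORT, "tcp"))  # sends to one mail server
    for i in range(8):                       # mail relay: SMTP fan-out but no IRC
        flows.append(("10.0.0.30", f"203.0.113.{i}", SMTP_PORT, "tcp"))
    return flows

def find_suspected_drones(flows, smtp_fanout=SMTP_FANOUT):
    """Hosts that both hold an IRC connection and contact many SMTP servers."""
    irc_servers = defaultdict(set)
    smtp_targets = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto != "tcp":
            continue
        if port in IRC_PORTS:
            irc_servers[src].add(dst)
        elif port == SMTP_PORT:
            smtp_targets[src].add(dst)
    suspects = {}
    for src, servers in irc_servers.items():
        if len(smtp_targets[src]) >= smtp_fanout:   # IRC alone is not enough
            suspects[src] = {"irc_servers": sorted(servers),
                             "smtp_targets": len(smtp_targets[src])}
    return suspects

def shared_c2(suspects):
    """Group suspects by IRC server: several drones on one server point to one C&C."""
    by_server = defaultdict(list)
    for host, info in suspects.items():
        for server in info["irc_servers"]:
            by_server[server].append(host)
    return {s: sorted(h) for s, h in by_server.items() if len(h) >= 2}

if __name__ == "__main__":
    found = find_suspected_drones(synthetic_flows())
    print("suspected drones:", found)
    print("shared C&C servers:", shared_c2(found))
```

Lowering `smtp_fanout` shows the trade-off an IDS tuner faces: at a threshold of 1 the legitimate IRC user 10.0.0.20 is flagged as well.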
References
• http://www.networkworld.com/research/2007/070607-botnet-side1.html?page=1
• http://en.wikipedia.org/wiki/Storm_botnet
• http://www.cert.org/homeusers/ddos.html
• David Harley, “Net Living Dead”, 2008, pp. 13-16, www.eset.com
• http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1030284,00.html
• http://searchmidmarketsecurity.techtarget.com/sDefinition/0,,sid198_gci213422,00.html
• http://www.usenix.org/event/hotbots07/tech/full_papers/grizzard/grizzard_html/
• http://www.med.miami.edu/hipaa/public/x385.xml
• http://howto.wired.com/wiki/Build_your_own_botnet_with_open_source_software
• http://web.pdx.edu/~fernan/cs347uppt_files/frame.htm