Host and Application Security - PowerPoint PPT Presentation

PowerPoint Slideshow about 'Host and Application Security' - kurt

Presentation Transcript

Host and Application Security

Lesson 17: Botnets

Almost done with Malware

  • Now that you’re done with traditional malware, let’s look at an important class or two we’ve ignored: rootkits and botnets

Rootkit

  • Actually, a pretty loose definition

  • Can think of it as a piece of malware that is designed to allow an attacker privileged access to a computer

    • Rootkits usually allow access via the network

    • Rootkits usually are very stealthy, and provide ways an attacker can hide on the box

Botnet

  • Really, a form of rootkit, but the emphasis is on remote control


  • Machines get recruited into botnets a large number of ways

  • Typically, a web- or email-based exploit

  • This installs the bot on the machine

Command and Control

  • This can be thought of as the “Achilles heel” of the botnet

  • A botnet needs remote control

  • Thus, if we can detect the network traffic, we can detect the botnet

  • However, the botherder makes a large effort to protect his (her) investment


  • Lots of uses:

    • DDoS attacks

    • Adware installation

    • Spyware installation

    • Spam

    • Click fraud

    • Spread to other machines

    • ID theft

C2 Techniques

  • Simple: IRC

  • Complicated: Domain flux

    • Generate different candidate domain names every day

    • Bots “check in” with new domains every day

    • Not all domains need to be registered for this approach to work
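The point that most candidate domains are never registered is exactly what a defender can key on: a domain-flux bot asks the resolver for many random-looking names every day and gets NXDOMAIN for almost all of them. The following is an added example (not code from the slides) that runs a simple detector over a constructed resolver log. The log format, client addresses and query names are all made up for the example; the thresholds (three unresolved high-entropy names per client, entropy of 3.0 bits per character) are illustrative starting points, not tuned values.

```python
import math
from collections import defaultdict

# Constructed resolver log (hypothetical format, not from the slides):
# "<timestamp> <client-ip> <query-name> <response-code>"
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-03-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2024-03-01T10:00:03 10.0.0.9 q7f3kz1mvb8a.com NXDOMAIN
2024-03-01T10:00:04 10.0.0.9 xk29dp0l4ytn.net NXDOMAIN
2024-03-01T10:00:05 10.0.0.9 a83mzq5vb1pc.com NXDOMAIN
2024-03-01T10:00:06 10.0.0.9 w0e6tr9hd2xj.org NXDOMAIN
2024-03-01T10:00:07 10.0.0.9 cdn.example.com NOERROR
2024-03-01T10:00:08 10.0.0.9 zl5k8vq2m7ra.com NOERROR
2024-03-01T10:00:09 10.0.0.7 typo-in-nmae.com NXDOMAIN
"""


def shannon_entropy(label: str) -> float:
    """Bits per character of the label; random-looking DGA labels score high."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Second-level label ('q7f3kz1mvb8a' for 'q7f3kz1mvb8a.com').
    Simplification: production code would consult the public suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(text: str):
    """Return (client, qname, rcode) tuples from the constructed log format."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash the detector
        _ts, client, qname, rcode = fields
        records.append((client, qname, rcode))
    return records


def flag_domain_flux_hosts(records, min_nxdomain=3, min_entropy=3.0):
    """Return {client: [suspicious names]} for clients whose NXDOMAIN answers
    to high-entropy names reach min_nxdomain. Domain-flux bots produce this
    pattern because most of the day's candidate domains are never registered."""
    per_client = defaultdict(list)
    for client, qname, rcode in records:
        if rcode != "NXDOMAIN":
            continue
        if shannon_entropy(registrable_label(qname)) >= min_entropy:
            per_client[client].append(qname)
    return {c: names for c, names in per_client.items() if len(names) >= min_nxdomain}


if __name__ == "__main__":
    hits = flag_domain_flux_hosts(parse_dns_log(SAMPLE_DNS_LOG))
    for client, names in hits.items():
        print(f"{client}: {len(names)} unresolved high-entropy names, e.g. {names[0]}")
```

On the sample, only 10.0.0.9 is flagged: the single typo from 10.0.0.7 also returns NXDOMAIN but never reaches the count threshold, and 10.0.0.9's one random-looking name that did resolve is not counted at all, since the signal here is failed lookups. A successful resolution of a name the day's DGA produced is the better lead for the incident responder, because it is the domain the botherder (or a researcher running a takeover) actually registered.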

C2 features

  • Can break down into:

    • Topology: hub and spoke? P2P?

    • Rallying Mechanism: How new bots locate and join the botnet.

    • Communication Protocol: The underlying protocol used…

    • Control Mechanism: How new commands are sent. Callback? Polling?

    • Command Authentication Mechanism: How can we tell if a command is really from the botherder?
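The control mechanism shows up on the wire: a bot that polls its controller does so on a timer, so the gaps between its outbound connections are nearly constant, while traffic driven by a person is bursty. This is the "detect the network traffic" idea from the Command and Control slide applied to the polling case. The code below is an added example, not from the slides: it reads a constructed CSV of flow records (timestamp, source, destination, port, all invented for the example; the IRC port matches the "Simple: IRC" case above) and flags source/destination pairs whose inter-connection jitter is low. The thresholds are illustrative assumptions.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records (hypothetical CSV export, not from the slides).
# 10.0.0.9 polls an IRC port every ~5 minutes; 10.0.0.5 is ordinary web traffic.
SAMPLE_FLOW_LOG = """\
ts,src,dst,dport
2024-03-01T10:00:00,10.0.0.9,203.0.113.10,6667
2024-03-01T10:05:00,10.0.0.9,203.0.113.10,6667
2024-03-01T10:10:01,10.0.0.9,203.0.113.10,6667
2024-03-01T10:15:00,10.0.0.9,203.0.113.10,6667
2024-03-01T10:19:59,10.0.0.9,203.0.113.10,6667
2024-03-01T10:25:00,10.0.0.9,203.0.113.10,6667
2024-03-01T10:00:10,10.0.0.5,198.51.100.7,443
2024-03-01T10:01:30,10.0.0.5,198.51.100.7,443
2024-03-01T10:09:15,10.0.0.5,198.51.100.7,443
2024-03-01T10:23:40,10.0.0.5,198.51.100.7,443
2024-03-01T10:24:05,10.0.0.5,198.51.100.7,443
2024-03-01T10:30:00,10.0.0.5,198.51.100.7,443
"""


def parse_flows(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["src"], row["dst"], int(row["dport"]))
        flows[key].append(datetime.fromisoformat(row["ts"]))
    return flows


def find_polling_pairs(flows, min_connections=5, max_jitter=0.1):
    """Flag src/dst pairs whose gaps between connections are nearly constant.
    Jitter is the coefficient of variation (stdev / mean) of the gaps: a bot
    polling on a fixed timer scores near 0, human-driven traffic scores high.
    Returns {key: {"period_s": mean gap, "jitter": cv}}."""
    hits = {}
    for key, times in flows.items():
        if len(times) < min_connections:
            continue  # too few samples to call anything periodic
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits[key] = {"period_s": mean, "jitter": jitter}
    return hits


if __name__ == "__main__":
    for (src, dst, dport), info in find_polling_pairs(parse_flows(SAMPLE_FLOW_LOG)).items():
        print(f"{src} -> {dst}:{dport} every {info['period_s']:.0f}s "
              f"(jitter {info['jitter']:.3f})")
```

Two caveats follow directly from the slide's questions. A callback-style control mechanism (the controller connects in) produces no outbound periodicity at all, so this check only covers polling. And a bot that randomises its sleep interval will raise the jitter above the threshold, which is why production detectors also look at payload size consistency and the long-run connection count rather than timing alone.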

To Do

  • Download and read “Your botnet is my botnet: Analysis of a Botnet Takeover”

  • Questions about this could be on the final…