Introduction to Botnets
Instructors: Ali Shiravi, University of New Brunswick
Natalia Stakhanova, University of South Alabama
Hanli Ren, University of New Brunswick
Part 1 – Intro to Botnets: What are they?
In the news…
• July 29 2010 - Multi-Purpose Botnet Used in Major Check Counterfeiting Operation
• Aug 4 2010 - Zeus v2 Botnet that owned 100,000 UK PCs taken out
• Aug 12 2010 - dd_ssh Botnet attacks SSH servers
• Aug 12 2010 - Zeus ‘Mumba’ Botnet Seizes Confidential Database sized 60GB
• Aug 12 2010 - Zeus v3 botnet raid on UK bank accounts
Introduction
(Diagram: Attacker (Botmaster) controlling Zombies)
• Malware is currently the major source of attacks and fraudulent activities on the Internet.
• Malware is used to infect computers.
• A botnet is a network of zombies, i.e. compromised computers under the control of an attacker.
• A bot is a program loaded on a zombie computer that provides remote control mechanisms to an attacker.
Bot
• Bot - a small program to remotely control a computer
• Characterized by
  – Remote control & communication (C&C) channels to command a victim
    • For ex., perform denial-of-service attack, send spam
  – The implemented remote commands
    • For ex., update bot binary to a new version
  – The spreading mechanisms to propagate it further
    • For ex., port scanning, email
Source: http://en.wikipedia.org/wiki/Botnet
C&C channel
• Means of receiving and sending commands and information between the botmaster and the zombies.
• Typical protocols
  – IRC
  – HTTP
  – Overnet (Kademlia)
• Protocols imply (to an extent) a botnet's communication topology.
  – The topology provides trade-offs in terms of bandwidth, effectiveness, stealth, and so forth.
Botnet Infection Stages - Centralized
Part 2 – How does a botnet operate?
Popular Botnet Propagation Methods
(Diagram: Spammed Messages, Social Networking Websites, Malicious Websites, Removable Devices, Worm → Install Malware → Become Bot)
Shift in the way that malware is distributed
• Every 1.3 seconds a new web page is getting infected
• Every month almost 2 million web pages across 210,000 websites are infected with Malware
• Malware attacks have grown by 600% since 2008
Spammed Messages
Spammed Messages
Storm Botnet
Propagation Steps
Step 1: Click link
Step 2: Link to malicious website
Step 3: Download & run malware
Sample subjects and attachments
Sample subjects:
• A killer at 11, he's free at 21 and kill again!
• British Muslims Genocide
• Naked teens attack home director.
• 230 dead as storm batters Europe.
• Re: Your text
• Radical Muslim drinking enemies's blood.
• Saddam Hussein alive!
• Fidel Castro dead.
• FBI vs. Facebook
Sample attachments:
• Postcard.exe
• ecard.jpg
• FullVideo.exe
• Full Story.exe
• Video.exe
• Read More.exe
• FullClip.exe
• GreetingPostcard.exe
• MoreHere.exe
• FlashPostcard.exe
• GreetingCard.exe
• ClickHere.exe
• ReadMore.exe
• FlashPostcard.exe
• FullNews.exe
• NflStatTracker.exe
• ArcadeWorld.exe
• Left-right-brain-test.gif
Social Networking Websites, e.g. Koobface
Social Networking Websites: Koobface Downloader
http://us.trendmicro.com
Koobface Spam Messages
A typical KOOBFACE infection starts with a spam sent through:
• Facebook
• Twitter
• MySpace
• Other social networking sites
http://us.trendmicro.com
Koobface Malware Download
Clicking the link will redirect the user to a website designed to mimic YouTube (but is actually named YuoTube), which asks the user to install an executable (.EXE) file to be able to watch the video.
http://us.trendmicro.com
Malicious Websites, e.g. Gumblar, Zeus
Malicious Websites
http://www.ipa.go.jp/security/english/virus/press/201001/E_PR201001.html
Gumblar Compromised Website
The malicious script embedded in the website.
http://www.van-manen.info/weblog/2010/02/gumblar-virus-infecteert-microsoft-website/
Zeus Malware Download
Zeus Compromised host
Part 3 – How is a botnet organized?
Traditional botnet
(Diagram: Attacker → Commands & controls → Zombies → Attack → Victim; the zombies also infect your home computer)
Botnet topology mainly refers to the organization of C&C channels between zombies and an attacker.
Topology
• Based on C&C channels, there are two typical botnet topologies:
  – Centralized
  – Decentralized (P2P)
• Traditional botnet metrics:
  – Resiliency
    • A botnet's ability to cope with a loss of members (zombies) or servers
  – Latency
    • Reliability in message transmission
  – Enumeration
    • An ability to accurately estimate a botnet's size
    • Difficulty for security analysis
  – Re-sale
    • A possibility to carve off sections of the botnet for lease or resale to other operators.
Centralized botnet
• Communication between attacker and zombies goes via a centralized server
  – Classical communication method: IRC (Internet Relay Chat)
(Diagram: centralized server between attacker and zombies)
Centralized botnet topologies
• Centralized topology can be represented in different shapes.
• The exact organization of a botnet depends on the bot operator
  – nothing prevents a bot operator from coming up with a new topology.
• Often seen topologies: Star, Multi-server, Hierarchical
Star topology
• Communication is directly between a single centralized server and ALL zombies.
• When a new machine is infected, it is preconfigured to contact the server to announce its membership.
• Pros: Low latency
  – Each zombie is issued commands directly from the server.
• Cons: Low resilience
  – Only the server needs to be blocked to neutralize the whole botnet
Example
• Koobface
  – Old variant employed star architecture:
    • Zombies connected to the C&C server directly
Multi-server topology
• Similar to star topology
• Instead of one server, multiple servers are used to provide instructions to zombies.
Pros:
• Better resilience
  – No single point of failure
• Geographical distribution of servers
  – Communication speed-up
  – More resistant to legal shutdowns
Cons:
• Requires advance planning
Hierarchical topology
• Zombies are generally not aware of the server location
Pros:
• Ease of re-sale
  – A botnet operator can easily carve off sections of their botnet for lease or resale to other operators.
• Hard to enumerate
  – Hard to evaluate the size and complexity of the botnet
Cons:
• High latency
  – makes some botnet attacks difficult.
Example - Gumblar
• Gumblar's architecture is not well studied; it is fully built on zombies
• Website visitors are infected with a Windows executable that grabs FTP credentials from the victim machines. The FTP account is then used to infect every webpage on the new webserver.
Decentralized botnet
• P2P (peer-to-peer) communication
  – zombies talking to each other
  – no central server
Pros:
• Very high resilience
Cons:
• High latency
• Difficult for enumeration
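As an added illustration (not part of the original slides), the Python model below builds the four topologies above as graphs of a constructed 60-zombie botnet and measures the two metrics the slides use: latency as hops from the botmaster to the farthest zombie, and resilience as the fraction of zombies still reachable after the single worst-case C&C node is removed. Node names, sizes and the seeded random P2P wiring are assumptions.

```python
from collections import deque
import random

# Constructed botnet: 60 zombies; "master" is the botmaster's own node.
ZOMBIES = [f"z{i}" for i in range(60)]


def reachable(edges, start, removed=frozenset()):
    """Breadth-first search from start, ignoring removed nodes; returns {node: hops}."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in hops and nxt not in removed:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def star():
    """Star: a single C&C server talks to every zombie directly."""
    edges = {"master": ["c2"], "c2": list(ZOMBIES)}
    return edges, ["c2"]


def multi_server(n_servers=3):
    """Multi-server: zombies are spread round-robin over several C&C servers."""
    servers = [f"c2_{s}" for s in range(n_servers)]
    edges = {"master": list(servers), **{s: [] for s in servers}}
    for i, z in enumerate(ZOMBIES):
        edges[servers[i % n_servers]].append(z)
    return edges, servers


def hierarchical(top=3, sub=4):
    """Hierarchical: master -> top relays -> second-level relays -> zombies."""
    edges, relays = {"master": []}, []
    per_leaf = len(ZOMBIES) // (top * sub)
    pool = iter(ZOMBIES)
    for t in range(top):
        tnode = f"relay_{t}"
        edges["master"].append(tnode)
        edges[tnode] = []
        relays.append(tnode)
        for s in range(sub):
            snode = f"relay_{t}_{s}"
            edges[tnode].append(snode)
            edges[snode] = [next(pool) for _ in range(per_leaf)]
            relays.append(snode)
    return edges, relays


def p2p(degree=3, seed=7):
    """P2P: every zombie links to `degree` random peers; the master joins via two seed peers."""
    rng = random.Random(seed)
    edges = {"master": ZOMBIES[:2], **{z: [] for z in ZOMBIES}}
    for z in ZOMBIES:
        for peer in rng.sample([p for p in ZOMBIES if p != z], degree):
            edges[z].append(peer)
            edges[peer].append(z)          # links are bidirectional
    return edges, list(ZOMBIES)            # any zombie may be the node taken down


def metrics(edges, c2_nodes):
    """latency = hops from master to the farthest zombie (unreachable counts as worst);
    resilience = fraction of zombies still reachable after removing the single
    C&C node whose loss hurts most."""
    hops = reachable(edges, "master")
    latency = max(hops.get(z, len(ZOMBIES)) for z in ZOMBIES)
    resilience = 1.0
    for node in c2_nodes:
        alive = reachable(edges, "master", removed={node})
        resilience = min(resilience, sum(z in alive for z in ZOMBIES) / len(ZOMBIES))
    return latency, resilience


def compare():
    """Evaluate all four topologies; returns {name: (latency, resilience)}."""
    builders = [("star", star), ("multi-server", multi_server),
                ("hierarchical", hierarchical), ("p2p", p2p)]
    return {name: metrics(*build()) for name, build in builders}


if __name__ == "__main__":
    for name, (lat, res) in compare().items():
        print(f"{name:13s} latency={lat} hops  resilience={res:.2f}")
```

The output reproduces the slides' trade-off: the star loses everything with one server blocked, multi-server and hierarchical keep two thirds of the zombies but the hierarchy pays an extra hop, and the P2P mesh survives any single node at the cost of the longest command path.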
Hybrid topologies
• High resilience
• Low latency
• Examples:
  – Hierarchical P2P
  – Centralized P2P
(Diagram: a centralized part combined with a peer-to-peer part)
Storm botnet
• A three-level self-organizing hierarchy:
  – master servers
  – proxy bots
    • transfer traffic between workers and master servers.
  – worker bots
    • responsible for sending the spam
• Once a Storm binary is downloaded, an infected host might become a worker bot (if not reachable from the Internet) or a proxy bot
Detection
• Complicated organization of botnets & variety of cover-up techniques make detection of botnets challenging
Part 4 – How do they hide?
Encryption
Botnet malware uses encryption techniques to avoid being detected by signature-based intrusion detection systems.
(Diagram: signature matched against cleartext traffic)
Snort Example
Without encryption, Snort can successfully detect the attack:

Packet (without encryption):
```
12/30-22:59:59.368544 192.168.1.92:138 -> 192.168.1.255:138
UDP TTL:64 TOS:0x0 ID:33092 IpLen:20 DgmLen:234
Len: 214
..l....F...... EEEBEGEGFJCACACACACACACACACACAAA. ABACFPFPENFDECF
CEPFHFDEFFPFPACAB..SMB%..............................&..........
.........&.V.........7.\MAILSLOT\BROWSE.......METALGODS.........
......U.DAFFY.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
```

Snort Rule:
```
alert udp $EXTERNAL_NET any -> 192.168.1.255 138 (msg:"SAMBA server identified on local subnet!"; content: "SMB"; content: "MAILSLOT";)
```

Snort Alert:
```
[**] [1:0:0] SAMBA server identified on local subnet! [**]
01/06-02:21:23.465726 192.168.1.92:138 -> 192.168.1.255:138
UDP TTL:64 TOS:0x0 ID:64503 IpLen:20 DgmLen:262
Len: 242
```
Snort Example
Snort cannot detect the attack in encrypted traffic:

Encrypted Packet:
```
12/30-22:59:59.368544 192.168.1.92:138 -> 192.168.1.255:138
UDP TTL:64 TOS:0x0 ID:33092 IpLen:20 DgmLen:234
Len: Li5sLi4uLkYuLi4uLi4gRUVFQkVHRUdGSkNBQ0FDQUNBQ0FDQUNBQ0FDQUNBQUEuIEFCQUNGUEZQRU5GREVDRiBDRkNBQ0FDQUNBQ0FDQUNBQ0FDQUVBGSEZERUZGUEZQQUNBQi4uU01CJS4uLi4uLi4uLi4uLg==
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
```

Snort Rule:
```
alert udp $EXTERNAL_NET any -> 192.168.1.255 138 (msg:"SAMBA server identified on local subnet!"; content: "SMB"; content: "MAILSLOT";)
```
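The slides' point, that a content signature stops matching once the same bytes are encoded (the "encrypted" packet above is the cleartext payload base64-encoded), can be reproduced and countered with the added Python below, which is not part of the original slides. It mimics the rule's two content checks on a constructed copy of the packet payload, on its base64 form, and then on a normalised view that decodes long base64-looking runs before matching; the run-length threshold is an assumption.

```python
import base64
import re

# Constructed copy of the cleartext NetBIOS datagram payload from the slide;
# the two 32-character runs are NetBIOS-encoded names, and "SMB" plus
# "\MAILSLOT\BROWSE" are the strings the Snort rule looks for.
PLAIN = (b"..l....F...... EEEBEGEGFJCACACACACACACACACACAAA. "
         b"ABACFPFPENFDECF CEPFHFDEFFPFPACAB..SMB%..............&.........."
         b"&.V.........7.\\MAILSLOT\\BROWSE.......METALGODS.........U.DAFFY.")
# The same bytes base64-encoded, as on the second slide.
ENCODED = base64.b64encode(PLAIN)

# The content checks from the slide's rule:
# alert udp $EXTERNAL_NET any -> 192.168.1.255 138 (... content:"SMB"; content:"MAILSLOT";)
RULE_CONTENTS = (b"SMB", b"MAILSLOT")


def rule_matches(payload, contents=RULE_CONTENTS):
    """Snort-style content matching: the rule fires only if every pattern occurs."""
    return all(c in payload for c in contents)


# A run of base64 alphabet long enough not to be a 32-char NetBIOS name
# (assumed threshold: 48 characters) followed by optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{48,}={0,2}")


def decode_candidates(payload):
    """Yield the raw payload, then the decoded form of every long base64-looking run.
    Decoding before matching is the normalisation that restores the signature hit."""
    yield payload
    for m in B64_RUN.finditer(payload):
        try:
            yield base64.b64decode(m.group(), validate=True)
        except ValueError:        # not valid base64 after all (binascii.Error is a ValueError)
            continue


def rule_matches_normalised(payload, contents=RULE_CONTENTS):
    """The same rule applied to every decoded view of the payload."""
    return any(rule_matches(c, contents) for c in decode_candidates(payload))


def longest_b64_fraction(payload):
    """Share of the payload covered by the longest base64-looking run; a value
    near 1.0 in a protocol that should carry binary SMB data is itself anomalous."""
    runs = [len(m.group()) for m in B64_RUN.finditer(payload)]
    return max(runs, default=0) / len(payload)


if __name__ == "__main__":
    for label, pkt in (("cleartext", PLAIN), ("base64", ENCODED)):
        print(f"{label:9s} plain match={rule_matches(pkt)}  "
              f"normalised match={rule_matches_normalised(pkt)}  "
              f"b64 fraction={longest_b64_fraction(pkt):.2f}")
```

Snort's own base64_decode rule option exists for the same purpose; the encoded-run fraction is the cheaper anomaly signal when the original bytes cannot be recovered.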
Fast Flux
IP addresses that are rotated in seconds against the same domain.
For example:
[QUESTION] Website name: www.lijg.ru
[ANSWER] IP Addresses:
www.lijg.ru 68.124.161.76
www.lijg.ru 69.14.27.151
www.lijg.ru 70.251.45.186
www.lijg.ru 71.12.89.105
www.lijg.ru 71.235.251.99
www.lijg.ru 75.11.10.101
www.lijg.ru 75.75.104.133
www.lijg.ru 97.104.40.246
www.lijg.ru 173.16.99.131
…
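As an added example (not from the original slides), the Python below scores repeated DNS lookups of one name for the fast-flux pattern: many distinct A records, spread over many /16 prefixes, short TTLs and high turnover between consecutive answers. The lookups are constructed: the flux sample reuses the addresses listed on the slide with an assumed 300-second TTL, the benign sample uses RFC 5737 documentation addresses, and the decision thresholds are assumptions.

```python
import ipaddress

# Constructed dig-style answer sections. The flux sample reuses the addresses
# listed on the slide for www.lijg.ru (TTL of 300 s is assumed); the benign
# sample uses RFC 5737 documentation addresses.
FLUX_LOOKUPS = [
    "www.lijg.ru. 300 IN A 68.124.161.76\n"
    "www.lijg.ru. 300 IN A 69.14.27.151\n"
    "www.lijg.ru. 300 IN A 70.251.45.186\n"
    "www.lijg.ru. 300 IN A 71.12.89.105\n"
    "www.lijg.ru. 300 IN A 71.235.251.99\n",
    # second lookup a few minutes later: almost every address has changed
    "www.lijg.ru. 300 IN A 71.235.251.99\n"
    "www.lijg.ru. 300 IN A 75.11.10.101\n"
    "www.lijg.ru. 300 IN A 75.75.104.133\n"
    "www.lijg.ru. 300 IN A 97.104.40.246\n"
    "www.lijg.ru. 300 IN A 173.16.99.131\n",
]
BENIGN_LOOKUPS = [
    "www.example.net. 3600 IN A 192.0.2.10\nwww.example.net. 3600 IN A 192.0.2.11\n",
    "www.example.net. 3600 IN A 192.0.2.10\nwww.example.net. 3600 IN A 192.0.2.11\n",
]


def parse_answers(text):
    """Return [(ttl, ip), ...] for the A records in a dig-style answer section."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[2] == "IN" and fields[3] == "A":
            records.append((int(fields[1]), ipaddress.ip_address(fields[4])))
    return records


def analyse(lookups, min_ips=5, min_prefixes=3, max_ttl=600):
    """Score a series of lookups of one name for the fast-flux pattern.
    The thresholds are assumptions for this example, not published values."""
    per_lookup = [{ip for _, ip in parse_answers(t)} for t in lookups]
    all_ips = set().union(*per_lookup)
    # /16 prefixes stand in for network/AS diversity when no ASN data is at hand
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in all_ips}
    ttls = [ttl for t in lookups for ttl, _ in parse_answers(t)]
    # churn: how much the answer set changed between consecutive lookups (1 - Jaccard)
    churn = [1 - len(a & b) / len(a | b) for a, b in zip(per_lookup, per_lookup[1:])]
    result = {
        "distinct_ips": len(all_ips),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(ttls),
        "churn": sum(churn) / len(churn) if churn else 0.0,
    }
    result["is_fast_flux"] = (result["distinct_ips"] >= min_ips
                              and result["distinct_prefixes"] >= min_prefixes
                              and result["min_ttl"] <= max_ttl)
    return result


if __name__ == "__main__":
    for name, lookups in (("www.lijg.ru", FLUX_LOOKUPS), ("www.example.net", BENIGN_LOOKUPS)):
        print(name, analyse(lookups))
```

A load-balanced CDN also returns several addresses, so in practice the prefix or ASN diversity and the churn between answers carry more weight than the raw record count.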
Advantages for the attacker
• Simplicity - Only one suitably powerful backend server (or mothership) host is needed to serve the master content and DNS information.
• Resilience - A layer of protection from ongoing investigative response or legal action; extends the operational lifespan of the critical backend core servers that are hidden by the front-end nodes.
An Example of Fast Flux
http://old.honeynet.org/papers/ff/index.html
Rootkit
A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system.
To hide what is taking place, an attacker wants to:
• Survive system restart
• Hide processes
• Hide services
• Hide listening TCP/UDP ports
• Hide kernel modules
• Hide drivers
How Rootkit Works
• Overwrite the first few bytes of the target function with a jump to rootkit code
• Create a "trampoline" function that first executes the overwritten bytes from the original function, then jumps back to the original function
• When the function is called, rootkit code executes
• Rootkit code calls the trampoline, which executes the original function
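A defender can look for exactly the modification described above: a function whose first instruction is a jump that leaves the module it belongs to. The Python below is an added example (not from the slides) that decodes an x86 jmp at a function's prologue and flags out-of-module targets; the module address range, the function address and the byte samples are constructed.

```python
import struct

# Assumed address range of the module that owns the inspected function.
MODULE_START, MODULE_END = 0x10000000, 0x10010000


def decode_jump(prologue, func_addr):
    """Return the target of a jmp sitting at the very start of the function, or None.
    Handles E9 rel32 (near relative jmp) and EB rel8 (short jmp); the
    displacement is relative to the address of the next instruction."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        return func_addr + 5 + struct.unpack_from("<i", prologue, 1)[0]
    if len(prologue) >= 2 and prologue[0] == 0xEB:
        return func_addr + 2 + struct.unpack_from("<b", prologue, 1)[0]
    return None


def inline_hook_suspected(prologue, func_addr, module=(MODULE_START, MODULE_END)):
    """True when the function's first instruction jumps outside its own module,
    which is what the overwrite on the slide leaves behind. Jumps that stay
    inside the module are left alone: compilers legitimately emit those."""
    target = decode_jump(prologue, func_addr)
    return target is not None and not (module[0] <= target < module[1])


def make_jmp(from_addr, to_addr):
    """Build the 5-byte E9 jmp that would sit at from_addr (for constructed samples)."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


FUNC = 0x10001000                                   # assumed address of the checked function
CLEAN = bytes.fromhex("558bec83ec10")               # push ebp; mov ebp,esp; sub esp,0x10
INTRA = make_jmp(FUNC, 0x10002000) + b"\x90"        # jmp to a thunk in the same module
HOOKED = make_jmp(FUNC, 0x00401000) + b"\x90"       # jmp into foreign code


if __name__ == "__main__":
    for label, pro in (("clean", CLEAN), ("intra-module jmp", INTRA), ("hooked", HOOKED)):
        print(f"{label:17s} hook suspected: {inline_hook_suspected(pro, FUNC)}")
```

Comparing the in-memory prologue against the bytes of the same function in the on-disk image is the complementary check, since it also catches overwrites that do not start with a jmp.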
Rootkit Usage Example – Hide process
(Figure: process list BEFORE the rootkit is launched, next to the process list AFTER the rootkit is launched.)
Part 5 – What do botnets do?
Botnet Activities
The least damage caused by botnets: bandwidth consumption
Other things:
• DDOS attacks
• Spam
• Click Fraud
• Data Theft
• Phishing
• Untrustworthy services
DDOS attacks
e.g. Google.com
(Diagram: attacker commands zombies in China, Brazil, Russia and the US to attack the target)
Source: http://en.wikipedia.org/wiki/Denial-of-service_attack
Click Fraud
• Pay per Click (PPC) is an Internet advertising model used on websites in which advertisers pay their host only when an ad is clicked.
• Famous Bots: ClickBot(100k), Bahama Botnet (200k)
Click Fraud - FFSearcher
Source: http://blog.trendmicro.com/click-fraud-takes-a-step-forward-with-troj_ffsearch/
Data Theft
• Accounts for a great deal of botnet activity.
• Purpose: Harvesting user data
  – Screen captures
  – Typed data
  – Files
• Anti-Spyware software
  – Highly controversial.
  – Has resulted in Scareware.
Source: http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf
Data Theft - Mumba Zeus Botnet
Source: http://avg.typepad.com/files/revised-mumba-botnet-whitepaper_approved_yi_fv-2.pdf
Phishing
• A deceptive email/website/etc. to harvest confidential information.
Source: http://library.thinkquest.org/06aug/00446/Phishing.html
Source: http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf
Part 6 – How difficult is it to create a botnet?
Botnet business is booming
• The primary reason for rapid botnet evolution is the underground market
• Botnet services have reached a professional level
  – Software, zombies or even a botnet service can be purchased
  – Customization & professional support
  – http://www.hackforums.net/showthread.php?tid=569629
  – http://www.hackforums.net/showthread.php?tid=507030&highlight=bot
  – http://www.hackforums.net/showthread.php?tid=611998
  – http://www.hackforums.net/showthread.php?tid=611678
Reality
• To obtain a simple botnet or botnet services DOES NOT require
  – Great technical knowledge
  – Special hardware
… unless you're planning to make it your primary source of income
What is needed to create a simple botnet
1. A bot, i.e., a small program that can remotely perform certain functions
2. C&C server
3. A network of zombies
Step 1: Creating a bot
• Where to find a bot:
  – Find a script on the Internet
  – Purchase a ready-to-go bot
    • Prices vary from $5 to $1000 depending on the bot functionality
  – Write it yourself
Step 2: C&C server
• A C&C server is simply a powerful computer which will give you direct access to zombies, or if needed will store stolen data.
• For example, to install an IRC server
  – Dedicated computer with installed software (fairly legal)
  – Buy a domain, since it should be set up as a web server
  – Hosting - to make the server accessible from the Internet, it should be hosted by a hosting company
Step 3: Creating zombies
• Options:
  – Purchase/rent a network of zombies
  – Compromise computers yourself
    • Using software packages such as Mpack, Icepack and WebAttacker
    • Using your brains
Thank You!
Extra Slides
Social Aspects of Botnets
• Malware in general is written by some, contributed by others and used by many more.
• Incentives
  – Challenge Seeking (C:H N:L)
  – Fame Seeking (C:A N:A)
  – Revenge Seeking (C:? N:L)
  – Gain Seeking
Fight-back
• Centralized C&C
  – C&C migration
  – Random Domain Names
  – E.g. McColo takedown
• Peer-to-peer
  – New protocols
    • SpamThru
Source: http://gadgets.boingboing.net/2008/11/13/colo-shutdown-takes.html
Botnet Detection
• Every interaction between two entities requires the flow of information.
• This can be utilized to detect the interaction.
• The problem is that this interaction is generally obfuscated and mixed with others with similar behaviour.
• Traditionally, work in botnet detection has been categorized by either detection methodology (behavioural/signature) or C&C infrastructure.
References
• The Gumblar system, http://www.securelist.com/en/weblog?discuss=208187897&return=1
• C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, S. Savage. Spamalytics: An Empirical Analysis of Spam Marketing Conversion. 15th ACM Conference on Computer and Communications Security 2008, Alexandria, VA, USA.
• The Koobface botnet, http://us.trendmicro.com
• Malicious websites, http://www.ipa.go.jp/security/english/virus/press/201001/E_PR201001.html
• The fast flux techniques, http://old.honeynet.org/papers/ff/index.html