Botnets Uses, Prevention, and Examples

Upload: allyson-golden

Post on 24-Dec-2015


Botnets: Uses, Prevention, and Examples

Background
• Robot Network
• Programs communicating over a network to complete a task
• Adapted a new meaning in the security world
• Network of compromised machines that can be remotely controlled

Theoretical Structure
• Malware with control
• Not Zombies, Servants

Spatial Distribution
• Result of an unethical Internet Census that infected over 420,000 machines

Uses - for Fun and Profit of Course!
• Numbers
• Power
• Information

Numbers
• Typically rented
• DDOS (10K – 120K (10-100 Gbps) for $200 per day)
• Spamming (SOCKS proxy)
• Web traffic control (unique IP)
  o Page/Ad views
  o Likes
  o Poll manipulation

Power
• Cheap super computers (sold, rented, or kept for use)
• Bitcoin/Dogecoin mining
  o BadLepricon distributed by Google Play
  o GPU ‘idle’ at 180° F
  o Storm Botnet (1 mil – 50 mil machines), largest at the time

Information
• May as well
• Traffic sniffing, key loggers and other information theft
• Self propagation
  o Spreading over network
  o Detection of other botnets' presence
  o The enemy of my enemy is my competitor
  o Happy Hacker, Zeu$ botnet master

For the Greater Good
• What makes them bad can be used for good
  o Hard to remove or disable
  o Good at hiding/quiet monitoring
  o Botnets with good intentions fighting botnets
• Phalanx, DDOS protection
  o Nodes of botnet used as protective mailboxes
  o Pass on information when requested
  o Computational puzzle to gain access

Prevention
• Defensive (users, owners)
• Offensive (security agencies, research)

Defensive
• Treat just like malware
• Intrusion Detection System
• Main targets of botnets don't follow these:
  o Keeping updated
  o Quality firewall, anti-virus
  o Other general security measures
  o Removal, maybe clean install

Offensive
• Agencies know people think of security last
• Research for IDS
  o Development of “good” botnets
  o Gun buying programs, better unused
  o Tracking down botnet masters
  o Examining bought/captured botnets
  o Honeypots

Examples
  o Agobot
  o SDBot
  o Global Threat Bot (Fig. 1)
• Originally bots, now popular templates

Agobot - the multi-tool
• 500 known versions
• Easy to use, little programming knowledge required
• Simple to add commands / vulnerability scanners
• Offers rootkit capabilities (process hiding)
• If you want it, there is a version that has it
• Advanced form of traffic sniffing
  o Packet sniffers / key loggers
  o Self propagation
  o DDOS commands
  o Stripped-down libpcap DLL registered as a system driver
  o Utilizes the libpcre DLL to look out for bot commands

SDBot – the cheaper multi-tool
• Written in very poor C but still widely used
• Less sophisticated, smaller instruction set
• Similar to Agobot in features
• Copies itself to all mapped drives and shared network resources
• Can update itself, which is cool
• Bad form of traffic sniffing
  o Process hiding
  o Self replication
  o Based on Windows raw socket listening, listens to its own traffic

Global Threat Bot - DDOS tool
• Distributed as a Trojan over Internet Relay Chat (IRC) networks
• Runs in stealth mode with the name mIRC Client
• Utilizes a number of mIRC bot scripts
• Once installed, joins an IRC channel and waits for commands
• Useful for launching DDOS attacks over IRC networks
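The Defensive slide lists an Intrusion Detection System as a countermeasure, and the Global Threat Bot slide describes the behaviour such a system would look for: the bot joins an IRC channel and then sits waiting for commands, which on the wire looks like a workstation that keeps reconnecting to the same IRC server at steady intervals. The following is an added example, not part of the deck and not tied to any real IDS product: a small rule run over constructed flow-log lines that flags hosts beaconing to IRC ports with low timing jitter. The log format, the port list, the thresholds and the sample lines are all assumptions made for this illustration.

```python
"""Toy IDS rule: find hosts beaconing to IRC ports at regular intervals.

Added example for the Defensive and Global Threat Bot slides; the log
format, IRC_PORTS, thresholds and SAMPLE_LOG are all constructed here.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Ports commonly used by IRC servers (assumption; tune to your environment).
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed log line shape: "<iso-timestamp> <src> -> <dst>:<dport> bytes=<n>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) bytes=(\d+)$")

# Constructed sample: 10.0.0.5 reconnects to one IRC server roughly every
# five minutes; 10.0.0.9 is ordinary HTTPS browsing and should not alert.
SAMPLE_LOG = """\
2015-12-24T10:00:00 10.0.0.5 -> 203.0.113.7:6667 bytes=118
2015-12-24T10:01:12 10.0.0.9 -> 198.51.100.20:443 bytes=4210
2015-12-24T10:05:01 10.0.0.5 -> 203.0.113.7:6667 bytes=96
2015-12-24T10:09:58 10.0.0.5 -> 203.0.113.7:6667 bytes=101
2015-12-24T10:10:30 10.0.0.9 -> 198.51.100.20:443 bytes=388
2015-12-24T10:15:02 10.0.0.5 -> 203.0.113.7:6667 bytes=97
2015-12-24T10:20:00 10.0.0.5 -> 203.0.113.7:6667 bytes=99
2015-12-24T10:22:41 10.0.0.9 -> 198.51.100.20:443 bytes=5120
"""


def parse_flows(text: str) -> list:
    """Parse log lines into (timestamp, src, dst, dport, bytes); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, nbytes = m.groups()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_irc_beacons(flows: list, min_connections: int = 4, max_jitter: float = 0.2) -> list:
    """Return (src, dst, dport, mean_interval_seconds) for each peer pair where a host
    keeps reconnecting to an IRC port and the gaps between connections are steady
    (coefficient of variation of the gaps <= max_jitter)."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        if dport in IRC_PORTS:
            by_peer[(src, dst, dport)].append(ts)

    alerts = []
    for (src, dst, dport), times in by_peer.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            alerts.append((src, dst, dport, round(mean)))
    return alerts


if __name__ == "__main__":
    for src, dst, dport, interval in find_irc_beacons(parse_flows(SAMPLE_LOG)):
        print(f"ALERT: {src} beacons to {dst}:{dport} about every {interval}s "
              f"(possible IRC command-and-control; check for a hidden IRC client)")
```

On the sample log this flags `10.0.0.5` talking to `203.0.113.7:6667` about every 300 seconds and ignores the HTTPS host. The rule only covers the plain case the slide describes; a bot that uses a non-standard port, randomises its reconnect timing, or tunnels over TLS would need other signals (process-level inspection for the disguised "mIRC Client", payload matching on IRC JOIN/PRIVMSG, reputation of the destination), so treat it as one detector among several, not a complete IDS.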

Review
• Botnets are malware with control (NO ZOMBIES)
• Numbers, Power, Information and maybe good uses
• Offensive and Defensive prevention
• 3 common examples

Links
• http://www.wired.co.uk/news/archive/2013-05/16/internet-census
• https://www.youtube.com/watch?v=2GdqoQJa6r4 - How to Steal a Botnet
• https://www.youtube.com/watch?v=A5-ewv3zvrM – How to Make a Botnet
• https://blog.damballa.com/archives/330 - DDOS pricing
• The good stuff is just a search away, but be wary

Q&A