So, what is a Botnet?
• A collection of compromised computers that can be sent commands by a remote operator
• Individual hosts in a Botnet are known as bots or zombies
• The administrator of the Botnet is often known as a “Bot Herder”
• A few examples of Botnets include:
Storm
Kraken
Conficker
Botnet life cycle
• Spread Phase
– Social-engineering (SE) spam, web drive-bys, network worm functionality, etc.
• Infection Phase
– Polymorphism
– Rootkitting
• Trojan binaries
• Library hooking
• Command and Control Phase
• Attack Phase
How do hosts become part of a Botnet?
• Drive-by malware installs via web browsers
• Automated or targeted attacks on network-exposed vulnerabilities
• End users socially engineered into installing them via phishing attacks or confusing browser messages
• Other vectors…
Botnet Source Code Families
• Lots of source code is out there:
– Agobot
– Rxbot
– SDBot
– Spybot
– Others…
http://leetupload.com
Search for BotNet.Source.Codes.rar
How are Botnets controlled?
• Command and Control (C&C) channels: either a central server the bots connect to, or a decentralized (peer-to-peer) channel with no single server
• Decentralization is important because it makes the C&C harder to shut down: there is no single server to seize or block
• By using Command and Control Channels, “bot herders” can change what their Botnet is tasked to do, and push updated binaries to the Botnet’s nodes.
Economics of Bot Herding
• So, why would some one want a Botnet?
– Distributed Denial Of Service (DDoS)
• Personal vendettas
• Protection money
– Spam (both email and web posts)
– Adware
– Click Fraud
– Harvested identities (Sniffers, Key Loggers, Etc.)
• They can also be rented out for tasks
• BBC show Click rents a Botnet:
http://www.tudou.com/programs/view/13Cx-LNrTfU/
Problems with detecting/removing
Main points from the article:
• Polymorphism
• Rootkitting
• Only periodic communications back to controller
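The periodic check-in behaviour listed above is also what gives a bot away on the wire. The following is an added example, not code from the post or from the Intel article it is based on: it runs over a handful of constructed connection-log records (timestamp, source, destination, port) and flags flows whose inter-connection intervals are almost constant, using the coefficient of variation of the intervals so that the small jitter a bot adds to its sleep timer does not hide it. The hosts, addresses and thresholds are assumptions for illustration.

```python
"""Beacon detection over constructed connection logs (added example, not from the post)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed Zeek-style conn records: (epoch seconds, src, dst, dst_port).
# Addresses are documentation ranges; nothing here is real traffic.
SAMPLE_CONNS = [
    # Hypothetical infected host: checks in every ~300 s with a few seconds of jitter.
    (1000, "10.0.0.5", "203.0.113.9", 6667),
    (1302, "10.0.0.5", "203.0.113.9", 6667),
    (1598, "10.0.0.5", "203.0.113.9", 6667),
    (1901, "10.0.0.5", "203.0.113.9", 6667),
    (2203, "10.0.0.5", "203.0.113.9", 6667),
    (2499, "10.0.0.5", "203.0.113.9", 6667),
    # Hypothetical clean host: bursty, irregular browsing to one site.
    (1000, "10.0.0.7", "198.51.100.4", 443),
    (1020, "10.0.0.7", "198.51.100.4", 443),
    (1700, "10.0.0.7", "198.51.100.4", 443),
    (1710, "10.0.0.7", "198.51.100.4", 443),
    (2600, "10.0.0.7", "198.51.100.4", 443),
    (2605, "10.0.0.7", "198.51.100.4", 443),
]


def beacon_score(timestamps):
    """Return (mean interval, coefficient of variation) for a list of timestamps.

    A CV close to 0 means the connections are evenly spaced, which is what a
    sleep-then-call-home loop produces even with a little random jitter.
    Returns None when there are too few intervals to judge.
    """
    ts = sorted(timestamps)
    intervals = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(intervals) < 3:
        return None
    avg = mean(intervals)
    if avg == 0:
        return None
    return avg, pstdev(intervals) / avg


def find_beacons(conns, min_connections=4, max_cv=0.1):
    """Group records by (src, dst, port) and return the flows that look like beacons.

    Thresholds are assumptions: at least min_connections observations, and an
    interval CV no larger than max_cv.  Returns {flow_key: (mean, cv)}.
    """
    groups = defaultdict(list)
    for ts, src, dst, port in conns:
        groups[(src, dst, port)].append(ts)
    hits = {}
    for key, timestamps in groups.items():
        if len(timestamps) < min_connections:
            continue
        score = beacon_score(timestamps)
        if score is not None and score[1] <= max_cv:
            hits[key] = score
    return hits


if __name__ == "__main__":
    for flow, (avg, cv) in find_beacons(SAMPLE_CONNS).items():
        print(f"{flow}: mean interval {avg:.1f}s, CV {cv:.3f}")
```

With the constructed data the infected host is reported with a mean interval of about 300 s and a CV near 0.01, while the browsing host's CV is above 1 and is ignored. On real logs the thresholds need tuning: legitimate software updaters and monitoring agents beacon too, so the result is a candidate list to enrich with destination reputation, not a verdict.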
Others:
• Retaliation Denial of Service
• Distributed
• Fast Flux
• Encrypted channels
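Fast flux in the list above means the C&C hostname resolves to a constantly rotating set of bot IP addresses published with short TTLs, so there is no stable address to block. The block below is an added example, not from the post or the article: it aggregates constructed passive-DNS observations per domain and flags names that combine a short TTL, many distinct addresses and addresses spread over many /16 networks. The last feature is what separates flux networks (compromised home machines scattered across many ISPs) from a legitimate CDN, which also uses short TTLs and many addresses but keeps them inside a few of its own networks. Domain names, TTLs and thresholds are assumptions.

```python
"""Fast-flux detection over constructed passive-DNS data (added example, not from the post)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver observations: (domain, ttl_seconds, list of A records).
# All names are in the reserved .test TLD and all addresses are documentation ranges.
SAMPLE_ANSWERS = [
    # Hypothetical flux domain: every answer is a fresh set of hosts in unrelated networks.
    ("cnc.example.test", 180, ["203.0.113.10", "198.51.100.22", "192.0.2.77"]),
    ("cnc.example.test", 180, ["203.0.113.45", "198.51.100.8", "192.0.2.130"]),
    ("cnc.example.test", 180, ["203.0.113.200", "198.51.100.99", "192.0.2.5"]),
    ("cnc.example.test", 180, ["203.0.113.12", "198.51.100.150", "192.0.2.201"]),
    # Hypothetical CDN-style domain: short TTL and many addresses, but one /16.
    ("www.example.test", 60, ["198.51.100.11", "198.51.100.12", "198.51.100.13", "198.51.100.14"]),
    ("www.example.test", 60, ["198.51.100.15", "198.51.100.16", "198.51.100.17", "198.51.100.18"]),
    # Hypothetical ordinary domain: long TTL, stable answer.
    ("mail.example.test", 3600, ["192.0.2.40"]),
    ("mail.example.test", 3600, ["192.0.2.40"]),
]


def flux_features(answers):
    """Aggregate per-domain features: lowest TTL seen, distinct IPs, distinct /16 networks."""
    feats = defaultdict(lambda: {"min_ttl": None, "ips": set(), "nets": set()})
    for domain, ttl, ips in answers:
        f = feats[domain]
        f["min_ttl"] = ttl if f["min_ttl"] is None else min(f["min_ttl"], ttl)
        for ip in ips:
            f["ips"].add(ip)
            # strict=False masks the host bits so "203.0.113.10/16" becomes 203.0.0.0/16.
            f["nets"].add(str(ip_network(f"{ip}/16", strict=False)))
    return feats


def find_fast_flux(answers, max_ttl=600, min_ips=6, min_nets=3):
    """Return sorted domains that meet all three heuristics (thresholds are assumptions)."""
    feats = flux_features(answers)
    return sorted(
        domain
        for domain, f in feats.items()
        if f["min_ttl"] <= max_ttl and len(f["ips"]) >= min_ips and len(f["nets"]) >= min_nets
    )


if __name__ == "__main__":
    for domain, f in flux_features(SAMPLE_ANSWERS).items():
        print(f"{domain}: ttl>={f['min_ttl']}, {len(f['ips'])} IPs, {len(f['nets'])} /16 networks")
    print("fast-flux candidates:", find_fast_flux(SAMPLE_ANSWERS))
```

Only cnc.example.test is reported: www.example.test has eight addresses and a 60 s TTL but all of them sit in one /16, and mail.example.test never changes. In production the /16 proxy for "different networks" is usually replaced by ASN lookups, and the sample needs to be collected over hours rather than a handful of queries, since a flux domain that was only resolved once looks perfectly ordinary.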
Links for more research
• The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware
• Shadow Server
• SANS Internet Storm Center
• Honeynet Project
• LAN of the Dead
Based on article by:
Jaideep Chandrashekar, Steve Orrin, Carl Livadas, Eve M. Schooler
Available at:
http://download.intel.com/technology/itj/2009/v13i2/pdfs/ITJ9.2.9-Cloud.pdf