Tuesday, March 1, 2011

The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware


So, what is a Botnet?
•  A collection of compromised computers that can be sent orders
•  Individual hosts in a Botnet are known as bots or zombies
•  The administrator of the Botnet is often known as a “Bot Herder”
•  A few examples of Botnets include:
    – Storm
    – Kraken
    – Conficker


Botnet life cycle

•  Spread Phase
    – SE (social-engineering) spam, web drive-bys, network worm functionality, etc.
•  Infection Phase
    – Polymorphism
    – Rootkitting
         •  Trojan binaries
         •  Library hooking
•  Command and Control Phase
•  Attack Phase



How do hosts become part of a Botnet?

•  Drive-by malware installs via web browsers
•  Automated or targeted network vulnerability attacks
•  End users socially engineered to install them via phishing attacks, or confusing browser messages
•  Other vectors…


Botnet Source Code Families

•  Lots of source code is out there:
    – Agobot
    – Rxbot
    – SDBot
    – Spybot
    – Others…
    http://leetupload.com
    Search for BotNet.Source.Codes.rar


How are Botnets controlled?

•  Decentralized Command and Control Channels (C&C)
•  Decentralization is important to make C&C harder to shut down
•  By using Command and Control Channels, “bot herders” can change what their Botnet is tasked to do, and update the Botnet’s nodes.


Economics of Bot Herding

•  So, why would someone want a Botnet?
    – Distributed Denial of Service (DDoS)
         •  Personal vendettas
         •  Protection money
    – Spam (both email and web posts)
    – Adware
    – Click fraud
    – Harvested identities (sniffers, key loggers, etc.)
•  They can also be rented out for tasks
•  BBC show Click rents a Botnet:
    http://www.tudou.com/programs/view/13Cx-LNrTfU/


Problems with detecting/removing

Main points from the article:
•  Polymorphism
•  Rootkitting
•  Only periodic communications back to controller
Others:
•  Retaliation Denial of Service
•  Distributed
•  Fast Flux
•  Encrypted channels
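Two of the items above, periodic check-ins to the controller and fast-flux DNS, leave patterns that a defender can look for in ordinary resolver and connection logs. The script below is an added example written for this post; it is not code from the original post or from the Intel paper it summarizes. It assumes a simplified log layout (one event per line: timestamp, domain, answer IP and TTL for DNS; timestamp, source host and destination IP for connections) and illustrative thresholds, all of which are constructed for the example, as are the log lines themselves.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DNS resolver log lines: "epoch domain answer_ip ttl_seconds".
# Domains use the reserved .example TLD; addresses come from the RFC 5737
# documentation ranges, so nothing here points at a real host.
DNS_LOG = """\
1000 update.fluxy.example 203.0.113.10 60
1060 update.fluxy.example 198.51.100.7 60
1120 update.fluxy.example 192.0.2.44 60
1180 update.fluxy.example 203.0.113.88 60
1240 update.fluxy.example 198.51.100.91 60
1000 www.static.example 192.0.2.1 86400
1100 www.static.example 192.0.2.1 86400
"""

# Constructed outbound-connection log lines: "epoch src_host dst_ip".
CONN_LOG = """\
1000 ws-17 203.0.113.10
1300 ws-17 203.0.113.10
1600 ws-17 203.0.113.10
1900 ws-17 203.0.113.10
2200 ws-17 203.0.113.10
1000 ws-22 192.0.2.9
1015 ws-22 192.0.2.9
1640 ws-22 192.0.2.9
1650 ws-22 192.0.2.9
3000 ws-22 192.0.2.9
"""


def parse(log):
    """Yield the whitespace-separated fields of each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            yield line.split()


def fast_flux_candidates(log, min_ips=4, max_ttl=300):
    """Domains whose answers rotate through many distinct IPs with short TTLs.

    The thresholds are illustrative assumptions; tune them per environment
    (CDNs also rotate answers, so treat hits as leads, not verdicts).
    """
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for _ts, domain, ip, ttl in parse(log):
        ips[domain].add(ip)
        ttls[domain].append(int(ttl))
    return sorted(d for d in ips
                  if len(ips[d]) >= min_ips and mean(ttls[d]) <= max_ttl)


def beacon_candidates(log, min_events=4, max_cv=0.2):
    """(src, dst) pairs whose connection gaps are nearly constant.

    A low coefficient of variation (stdev / mean of the gaps between
    connections) is the signature of a timer-driven check-in rather than
    human-driven browsing, which produces irregular gaps.
    """
    times = defaultdict(list)
    for ts, src, dst in parse(log):
        times[(src, dst)].append(int(ts))
    found = []
    for key, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            found.append(key)
    return sorted(found)


if __name__ == "__main__":
    print("fast-flux candidates:", fast_flux_candidates(DNS_LOG))
    print("beaconing pairs:", beacon_candidates(CONN_LOG))
```

In the constructed data, `update.fluxy.example` answers with five different addresses at a 60-second TTL, and `ws-17` connects to the same address every 300 seconds, so both are flagged; the static domain and the irregular `ws-22` traffic are not. Real bots add jitter to their check-in timer and real CDNs use short TTLs, so in practice both heuristics are a first filter that feeds analyst review, not a blocking rule.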


Links for more research

•  The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware
•  Shadow Server
•  SANS Internet Storm Center
•  Honeynet Project
•  LAN of the Dead



Based on article by:
Jaideep Chandrashekar, Steve Orrin, Carl Livadas, Eve M. Schooler
Available at:
http://download.intel.com/technology/itj/2009/v13i2/pdfs/ITJ9.2.9-Cloud.pdf