
BotNets

Presented by:

Kavisha
B.Tech.(I.T.)-V semester

Banasthali University, Rajasthan


Outline
What are Botnets?
Botnet Terminology
Botnet Life-cycle
Types of attacks
Botnets in Network Security
Botnet Detection
Preventing Botnet Infection
Conclusion
References
What are Botnets?
A Botnet is a network of compromised computers, called Zombie
Computers or Bots, under the control of a remote attacker.

Bots began as a useful tool. They were originally developed as
a virtual individual that could sit on an IRC channel and monitor
network traffic.

Today they are significant contributors to the malicious and criminal
activities on the Internet and, more importantly, form an
underground network whose size and scope is not fully known.
Botnet Terminology
Bot Herder(Bot Master)
Bots
IRC Server
Command & Control Server (C&C)
Bot Herder
Bot herders (aka Bot Masters) are the attackers who use
automated techniques to scan specific network ranges and
find vulnerable systems on which they can install their
bot program.
To create an army of Zombies over the Internet, attackers
typically infect the machines of home users, networks
maintained by universities or small enterprises, etc.
Bots
Bots (also called Zombie Computers) are the
computers that contribute to the botnet network.
They use a hidden channel to communicate
with their C&C server.
They can auto-scan their environments and
propagate themselves by taking advantage of
vulnerabilities and weak passwords.
Bots(contd.)
Generally, the more vulnerabilities a bot can scan for,
the more valuable it becomes to the botnet
controller community. The process of stealing
computing resources as a result of a system being
joined to a botnet is called Scrumping.
Gammima (gaming password stealer), Conficker
(fake antivirus) and Zeus (information stealer) are
among what are believed to be the largest botnets,
according to security firm Damballa.
IRC Server
Internet Relay Chat (IRC) is a form of real-time Internet
text messaging (chat).
The server listens for connections from IRC clients, enabling
people to talk to each other via the Internet.
Most IRC servers do not require users to register an account,
but a user will have to set a nickname before being connected.
Most IRC networks lack any strong authentication, and a
number of tools that provide anonymity on IRC networks are
available.
IRC therefore provides a simple, low-latency, widely available and
anonymous command and control channel for botnet
communication.
Command & Control Server
C&C infrastructure allows a bot agent to receive new
instructions and malicious capabilities, to update existing
infections, or to instruct the infected computer to carry
out specific tasks as dictated by the remote controller.
Criminals actively controlling botnets must ensure
that their C&C infrastructure is sufficiently robust to
manage tens of thousands of globally scattered bots
as well as to resist attempts to hijack or shut down the
botnet.
[Figure: IRC-based C&C architecture. Labels: IRC Server, IRC Channel, Bot Master, C&C Traffic, Attack, Victim, Bots]
Botnet Life-cycle
[Figure: botnet life-cycle diagram, continued over four slides]
Types of attacks
Distributed Denial of Service (DDoS) attacks
Sending Spams
Phishing (fake websites)
Adware
Spyware (keylogging, information harvesting)
Click Fraud
Botnets In Network Security
Internet users are being infected by bots.
Corporate and end users are frequently trapped in botnet
attacks.
Today 16-25% of the computers connected to the Internet are
members of a botnet.
According to Damballa's technical report, 83.1% of global
spam in March 2011 was sent by botnets.
Computer security experts estimate that most spam is sent by
home computers that are controlled remotely, and millions of
these computers are part of botnets.
Contd.
2010 was a big year for Internet crime, with botnets
and targeted attacks making headlines on an almost
weekly basis. Botnets such as Mariposa, Conficker and
Koobface have become household names.
The public disclosure of electronic attacks on
international organizations such as Google, Adobe
and many others, referred to as Operation Aurora,
revealed that sophisticated and advanced malware is
now an everyday inclusion in criminal toolkits.
Most Wanted Botnets
Zeus: compromised 3.6 million U.S. computers.
Koobface: compromised 2.9 million U.S. computers.
TidServ: compromised 1.5 million U.S. computers.
Trojan.Fakeavalert: compromised 1.4 million U.S. computers.
TR/Dldr.Agent.JKH: compromised 1.2 million U.S. computers.
Botnet Detection
The two approaches to botnet detection are:
Setting up honeynets
Passive traffic monitoring, which may be:
    Signature based
    Anomaly based
    DNS based
Botnet Detection: Honeynets
[Figure: honeynet containing a Windows honeypot]

A honeypot is a trap set to detect, deflect, or in some manner
counteract attempts at unauthorized use of information
systems.
Generally it consists of a computer, data, or a network site that
appears to be part of a network but is actually isolated and
monitored, and which seems to contain information or a
resource of value to attackers.
Contd.
Once an intruder breaks into the honeypot host, the
machine's or the network's administrator can examine the
intrusion methods used by the intruder.
Two or more honeypots on a network form a
Honeynet.
One practical application of this is the Spamtrap: a
honeypot that controls spam by masquerading as the type
of system abused by spammers.
Advantages
With the help of honeynets we are able to learn key
information (e.g. the IP address of the C&C server or the
nickname of the bot) that enables us to
observe botnets. We can extract this sensitive
information about bots in a semi-automated fashion with
the help of a classical Honeywall.
We are able to monitor the typical commands issued by
attackers and sometimes we can even capture their
communication. This helps us in learning more about the
motives of attackers and their tactics.
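The "semi-automated" extraction described above, as an added example that is not part of the original slides and is not the Honeynet Project's Honeywall tooling: a small parser that takes the IRC session a Honeywall logged from an infected honeypot and pulls out the C&C server address, the nickname the bot registered, the channel it joined (with its key) and the commands the bot master issued. The capture line format, the IP addresses, the nickname and the commands are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample capture. Assumed Honeywall log format (one IRC message per line):
#   "<epoch> <IN|OUT> <src_ip>:<port> -> <dst_ip>:<port> | <raw IRC line>"
# OUT = sent by the honeypot (the bot), IN = received from the IRC server.
CAPTURE = """\
1300000001 OUT 10.0.0.5:49152 -> 198.51.100.7:6667 | NICK [US|XP]-1234
1300000001 OUT 10.0.0.5:49152 -> 198.51.100.7:6667 | USER abc 0 * :abc
1300000002 IN  198.51.100.7:6667 -> 10.0.0.5:49152 | :irc.example.net 001 [US|XP]-1234 :Welcome
1300000003 OUT 10.0.0.5:49152 -> 198.51.100.7:6667 | JOIN #chan secretkey
1300000010 IN  198.51.100.7:6667 -> 10.0.0.5:49152 | :master!m@host PRIVMSG #chan :.scan 10.0.0.0/8
1300000011 OUT 10.0.0.5:49152 -> 198.51.100.7:6667 | PRIVMSG #chan :scanning
1300000020 IN  198.51.100.7:6667 -> 10.0.0.5:49152 | :master!m@host PRIVMSG #chan :.update http://cnc.invalid/placeholder
"""

LINE_RE = re.compile(r"^(\d+)\s+(IN|OUT)\s+(\S+)\s+->\s+(\S+)\s+\|\s+(.*)$")


@dataclass
class CncProfile:
    """What the honeynet teaches us about one botnet's C&C channel."""
    server: Optional[str] = None
    port: Optional[int] = None
    nick: Optional[str] = None
    channel: Optional[str] = None
    channel_key: Optional[str] = None
    commands: List[Tuple[str, str]] = field(default_factory=list)  # (sender nick, text)


def parse_irc(raw: str):
    """Split a raw IRC line into (prefix, COMMAND, params) using RFC 1459 framing."""
    prefix = None
    if raw.startswith(":"):
        prefix, _, raw = raw[1:].partition(" ")
    if " :" in raw:  # trailing parameter may contain spaces
        head, _, trailing = raw.partition(" :")
        params = head.split() + [trailing]
    else:
        params = raw.split()
    return prefix, params[0].upper(), params[1:]


def extract_profile(capture: str) -> CncProfile:
    """Walk the captured session and fill in the C&C profile."""
    p = CncProfile()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, direction, src, dst, raw = m.groups()
        prefix, cmd, params = parse_irc(raw)
        if direction == "OUT":
            if p.server is None:  # first outbound message reveals the C&C server
                host, _, port = dst.rpartition(":")
                p.server, p.port = host, int(port)
            if cmd == "NICK" and params:
                p.nick = params[0]
            elif cmd == "JOIN" and params:
                p.channel = params[0]
                p.channel_key = params[1] if len(params) > 1 else None
        elif cmd == "PRIVMSG" and len(params) == 2 and params[0] == p.channel:
            # Channel traffic from anyone other than the bot itself = herder commands
            sender = prefix.split("!")[0] if prefix else "?"
            if sender != p.nick:
                p.commands.append((sender, params[1]))
    return p


if __name__ == "__main__":
    print(extract_profile(CAPTURE))
```

The profile is exactly the information the slide lists as the payoff of a honeynet: the server and nickname needed to observe the botnet, and the command log that reveals the attackers' tactics.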
Botnet Detection: Traffic Monitoring
It helps us to understand what is there on the network.
Signature based: detection of known botnets.
Anomaly based: one study found that bots on IRC were
idle most of the time and would respond faster than a human
upon receiving a command.
Botnets can be detected using the following anomalies:
    High network latency
    High volume of traffic
    Unusual system behaviour
    Vulnerable systems
DNS based: analysis of the DNS traffic generated by botnets.
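The anomaly-based and DNS-based ideas above turned into working detection logic, as an added example that is not from the slides or from the study they mention. The first detector measures how quickly each client answers an inbound message on a long-lived IRC connection (a person takes seconds, a bot answers in a fraction of a second); the second looks for names that many internal hosts resolve even though they are not well-known domains (bots all phoning the same C&C). The event formats, thresholds, IP addresses and the domain names are assumptions constructed for the example.

```python
import statistics
from collections import defaultdict
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Flow = Tuple[float, str, str]       # (epoch seconds, client ip, "in" or "out")
DnsQuery = Tuple[float, str, str]   # (epoch seconds, client ip, queried name)

# Constructed sample: messages on two long-lived connections to an IRC server.
# 10.0.0.9 is a person chatting; 10.0.0.5 sits idle for long stretches and
# replies within a fraction of a second whenever it is spoken to.
FLOWS: List[Flow] = [
    (100.0, "10.0.0.9", "in"), (112.5, "10.0.0.9", "out"),
    (130.0, "10.0.0.9", "in"), (147.0, "10.0.0.9", "out"),
    (160.0, "10.0.0.9", "in"), (168.0, "10.0.0.9", "out"),
    (100.0, "10.0.0.5", "in"), (100.3, "10.0.0.5", "out"),
    (1900.0, "10.0.0.5", "in"), (1900.2, "10.0.0.5", "out"),
    (3700.0, "10.0.0.5", "in"), (3700.4, "10.0.0.5", "out"),
]

# Constructed sample DNS log: three hosts resolve the same unfamiliar name.
DNS: List[DnsQuery] = [
    (101.0, "10.0.0.5", "update.cnc-placeholder.example"),
    (102.0, "10.0.0.6", "update.cnc-placeholder.example"),
    (103.0, "10.0.0.7", "update.cnc-placeholder.example"),
    (104.0, "10.0.0.9", "www.example.com"),
    (105.0, "10.0.0.5", "www.example.com"),
]


def response_delays(flows: Iterable[Flow]) -> Dict[str, List[float]]:
    """Per client: delay between each inbound message and the next outbound reply."""
    last_in: Dict[str, float] = {}
    delays: Dict[str, List[float]] = defaultdict(list)
    for ts, client, direction in sorted(flows):
        if direction == "in":
            last_in[client] = ts
        elif client in last_in:
            delays[client].append(ts - last_in.pop(client))
    return delays


def fast_responders(flows: Iterable[Flow], max_median: float = 1.0,
                    min_samples: int = 3) -> Set[str]:
    """Clients whose typical reply time is faster than a human could type."""
    return {client for client, d in response_delays(flows).items()
            if len(d) >= min_samples and statistics.median(d) < max_median}


def dns_fan_in(queries: Iterable[DnsQuery], min_clients: int = 3,
               allowlist: FrozenSet[str] = frozenset()) -> Dict[str, int]:
    """Names resolved by many distinct internal hosts, excluding known-popular domains."""
    clients: Dict[str, Set[str]] = defaultdict(set)
    for _, client, name in queries:
        clients[name.lower().rstrip(".")].add(client)
    return {name: len(c) for name, c in clients.items()
            if len(c) >= min_clients and name not in allowlist}


if __name__ == "__main__":
    print("fast responders:", fast_responders(FLOWS))
    print("dns fan-in:", dns_fan_in(DNS, allowlist=frozenset({"www.example.com"})))
```

In practice the allowlist would be a list of popular domains and the thresholds tuned to the site; both detectors are meant to raise candidates for an analyst, not to block on their own.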
Botnet Detection
[Figure: honeynet-based detection flow. Labels: Honeynets, Bot Sensor, Malicious Traffic, Authorize, Inform bots' IP, Bot Master, Admin]
Preventing Botnet Infections
Use a Firewall
Patch regularly and promptly
Use Antivirus (AV) software
Use Anti-Bots
Deploy an Intrusion Detection System (IDS)
Deploy an Intrusion Prevention System (IPS)
Conclusion
Botnets pose a significant and growing threat to cyber
security. Even where well-known countermeasures are used, botnets
continue to dominate the cyber threat landscape. As network
security has become an integral part of our lives, botnets have
become the most serious threat to it. Staying ahead of the threat
will require advanced knowledge of how to build new anti-bot
campaigns. It is very important to detect botnet attacks and find
solutions for them.
References
Adam J. Aviv, Andreas Haeberlen. Challenges in Experimenting with Botnet Detection Systems. 2011.
Symantec.cloud. March 2011 Intelligence Report.
Paul Bacher, Thorsten Holz, Markus Kotter, Georg Wicherski. Know Your Enemy: Tracking Botnets. Technical Report, The Honeynet Project. Aug 2008.
QUESTIONS
