A Presentation
For
Craig A Schiller, CISSP-ISSMP, ISSAP


Portland State University
CISO
craigs@pdx.edu

Copyright Craig Schiller, 2010. This work is the intellectual property of the author.
Permission is granted for this material to be shared for non-commercial, educational
purposes, provided that this copyright statement appears on the reproduced
materials and notice is given that the copying is by permission of the author. To
disseminate otherwise or to republish requires written permission from the author.
2/15/2011 © 2009 Craig A Schiller AOD - 2


- Botnet Overview
- Botnet Schemes
- How Do They Get In?
- What Can We Do?
- Concluding Thoughts

"Cut off the head of the snake and the body will follow"

Unless, of course, your snake is a Hydra.


The above animation demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the
earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it.

Microsoft Senior Security Manager says botnets are the biggest threat of 2007.
Vinton Cerf, founder of the Internet, tells a global finance conference that 1/4th of all computers belong to botnets.
Norman Elton and Matt Keel from the College of William & Mary, in a 2005 presentation, called bot networks "the single greatest threat facing humanity."
John Canavan, in "The Evolution of Malicious IRC Bots," says that botnets are "the most dangerous and widespread Win32 viral threat."

Microsoft reports that of the 5.7 million unique Windows systems from which the MSRT removed malware, 62% were found to have a Trojan or bot client.

Ryan Naraine, a writer for eWeek, said that botnets are "the key hub for well organized crime rings around the globe, using stolen bandwidth from drone zombies to make money from nefarious Internet activity."

Virus: Autonomous, malicious code that infects the boot sector or files but cannot spread itself to another computer. Spreads manually via floppy disks, later by email or web download.
Worm: Autonomous, malicious code that spreads across the network via email or via network vulnerabilities.
Trojan: Malicious code that poses as legitimate code to get the user to execute it.
Remote Access Trojan: Malicious code which poses as legitimate code to gain access, then permits the operator to gain remote control of the victim's computer.
Bot: Malicious code which permits a victim's computer to be controlled by an agent. The agent makes it easy for the operator (called a bot herder) to manage and operate … of clients.
Botnet: Collectively, all of the zombies controlled by botherders.
Diagram: Traditional botnet. A C&C server, reached over the IRC protocol, commands the bot clients (100 to 100000 botnet clients).

In the original use of the term "Bot", the bot client contained malicious code that would retrieve and execute commands that were sent by the botherder.
Diagram: C&C reaching bots over the IRC protocol and remotely controlled clients over Terminal Services, VNC, RDP, Carbon Copy, BackOrifice and SubSeven.

Now, many include the systems that execute commands of the botherder even if the malicious code is not present. These systems are remotely controlled. They would be considered bot clients if they were part of a "net" of remotely controlled clients, even if the "bot" mechanism is somewhere else.
Command             Description
bot.command         Runs a command with system()
bot.flushdns        Flushes the bot's DNS cache
bot.quit            Quits the bot
bot.longuptime      If uptime is more than 7 days, bot will respond
bot.sysinfo         Displays the system info
bot.status          Gives status
bot.rndnick         Generate a new random nick
bot.remove          Removes the bot
bot.open            Opens a file
bot.nick            Changes the bot's nickname
bot.id              Displays the current code ID
shell.disable       Disable shell handler
shell.enable        Enable shell handler
shell.handler       Fallback handler for shell
commands.list       Lists all available commands
plugin.unload       Unloads a plug-in (not supported yet)
plugin.load         Loads a plug-in
inst.svcdel         Deletes a service
inst.svcadd         Adds a service
mac.login           Logs the user in
mac.logout          Logs the user out
ftp.update          ftps and executes a file
ftp.execute         ftps and updates the bot
ftp.download        Downloads a file from FTP
http.visit          Visits URL with specific referrer
http.update         Executes a file from HTTP URL
http.execute        Updates the bot from HTTP
http.download       Downloads a file from HTTP
rsl.logoff          Logs the user off
rsl.shutdown        Shuts the computer down
rsl.reboot          Reboots the computer
pctrl.kill          Kills a process
pctrl.list          Lists all processes
ddos.httpflood      Starts an HTTP flood
redirect.stop       Stops all redirects running
redirect.https      Starts an HTTP Secure proxy
redirect.http       Starts an HTTP proxy
harvest.aol         Makes the bot get AOL data
harvest.emailshttp  Get a list of e-mails via HTTP
harvest.emails      Get a list of e-mails

Source: Joe Stewart, SecureWorks
"Why should I take a regular job after graduating and exert myself to earn just $2,000 a month, rather than grab this chance to make money? It makes sense to get as much as you can, as quickly as possible, rather than wasting time working for someone else."

Russian hacker on a cyber-crime credit card fraud forum

Some external services are used by RBN and affiliates. Those services can be MX relay or NS hosting.

This is the core business of RBN. It is used to offer hosting for cybercrime. Inside this part, we can identify the direct subsidiaries of RBN: Nevacon and Akimon.

This is the part used to host most of RBN public websites and to register RBN domain names… Hosting and registration is a really strong partner for RBN. Incidentally, it could be possible that those two blocks are under the same company.

This is the entity which aims at providing the Internet access. It seems that SBTel has obtained access from Silvernet to the Saint Petersburg Internet Exchange Point (SPBIX).

11/21/07 Ref: Bizeul.org

Diagram: RBN-related entities (SILVERNET, CREDOLINK, RBN, OINVEST, SPB IX, DELTASYS, INFOBOX, DATAPOINT). 11/21/07 Ref: Bizeul.org
It is pleasing to report the last remaining peer routing Atrivo (AS 27595 Atrivo/Intercage), 'Pacific Internet Exchange' (PIE), see Spamhaus ref below, was withdrawn at 2:35am EST Sunday Sept 21st 2008.

50% Drop in Spam

"If we do not, on a national scale, attack organized criminals with weapons and techniques as effective as their own, …"

Robert F. Kennedy, 1960

Modular

Adaptive

Targetable

As of 3/9/2010 Barracuda reports that 88.74% of all email processed by their spam appliances worldwide was spam: 1,497,376,877 spam emails out of 1,687,380,806 total emails.

(http://www.barracudacentral.org/index.cgi?p=spam)

Received: from 192.168.0.%RND_DIGIT
(203-219-%DIGSTAT2-%STATDIG.%RND_FROM_DOMAIN [203.219.%DIGSTAT2.%STATDIG])
by mail%SINGSTAT.%RND_FROM_DOMAIN (envelope-from %FROM_EMAIL)
(8.13.6/8.13.6) with SMTP id %STATWORD for <%TO_EMAIL>; %CURRENT_DATE_TIME
Message-Id: <%RND_DIGIT[10].%STATWORD@mail%SINGSTAT.%RND_FROM_DOMAIN>
From: "%FROM_NAME" <@%FROM_EMAIL>
X-Spam-Flag: YES
X-Scanned-By: milter-spamc/0.25.321 (localhost [0.0.0.0]); Thu, 01 Mar 2007
09:14:01 -0600
X-Scanned-By: milter-spamc/0.25.321 (miconsulting.com [66.34.157.130]);
Thu, 01 Mar 2007 09:14:01 -0600
X-Spam-Status: YES, hits=8.60 required=5.00
X-Spam-Level: xxxxxxxx
Subject: [SPAM]
Status: RO

%TO_CC_DEFAULT_HANDLER
Subject: %SUBJECT
Sender: "%FROM_NAME" <%FROM_EMAIL>
Mime-Version: 1.0
Content-Type: text/html
Date: %CURRENT_DATE_TIME

%MESSAGE_BODY
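The template above is the generator's input, not a delivered message, and for a defender the tell is residue: a macro that was never expanded (a literal `%RND_DIGIT` in a Received header, a `<@%FROM_EMAIL>` From address) is a strong spam indicator. The following Python is an added example and not part of the original presentation: it parses a message with the standard `email` module and reports any `%MACRO` tokens left in headers or body, plus the malformed From line. Both sample messages are constructed here, and the macro regex and the `<@` heuristic are the example's own assumptions.

```python
import re
from email import message_from_string

# Constructed sample (not a real capture): a message emitted from a template
# like the one on the slide, with the %MACRO placeholders never expanded.
UNEXPANDED_SAMPLE = """\
Received: from 192.168.0.%RND_DIGIT (203-219-%DIGSTAT2-%STATDIG.%RND_FROM_DOMAIN [203.219.%DIGSTAT2.%STATDIG])
\tby mail%SINGSTAT.%RND_FROM_DOMAIN (envelope-from %FROM_EMAIL)
Message-Id: <%RND_DIGIT[10].%STATWORD@mail%SINGSTAT.%RND_FROM_DOMAIN>
From: "%FROM_NAME" <@%FROM_EMAIL>
Subject: %SUBJECT
Date: %CURRENT_DATE_TIME

%MESSAGE_BODY
"""

# Constructed benign message; the percent signs here are ordinary text.
CLEAN_SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.edu with ESMTP id k1A2b3
From: "Alice Example" <alice@example.org>
Subject: 100% ready for Friday's review?
Date: Thu, 01 Mar 2007 09:14:01 -0600

See you then. Q1 numbers attached (up 20%).
"""

# Template macros look like %NAME, %NAME2 or %NAME[10] (assumed shape).  Requiring
# an upper-case letter right after the percent sign keeps "20%." and "100% ready"
# from matching; the [10] index is simply not consumed.
MACRO = re.compile(r"%[A-Z][A-Z0-9_]{2,}")


def find_template_markers(raw_message):
    """Return the sorted set of unexpanded template macros found in headers or body."""
    msg = message_from_string(raw_message)
    found = set()
    for _name, value in msg.items():          # folded headers keep their continuation text
        found.update(MACRO.findall(str(value)))
    body = msg.get_payload()
    if isinstance(body, str):                 # single-part message: payload is the body text
        found.update(MACRO.findall(body))
    return sorted(found)


def has_malformed_from(raw_message):
    """The template's From line yields '<@user@host>'; flag an angle bracket followed by '@'."""
    msg = message_from_string(raw_message)
    return "<@" in (msg.get("From") or "")


def assess(raw_message):
    """Summarise the template-residue indicators for a triage queue."""
    markers = find_template_markers(raw_message)
    malformed = has_malformed_from(raw_message)
    return {
        "markers": markers,
        "malformed_from": malformed,
        "suspicious": bool(markers) or malformed,
    }


if __name__ == "__main__":
    for label, sample in (("unexpanded", UNEXPANDED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, assess(sample))
```

A rule like this is cheap to run in a milter or at the log-processing stage recommended later in the deck, and it complements rather than replaces score-based filtering: the sample above would also have tripped the `X-Spam-Status` threshold, but the residue check fires on structure alone.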
Making Dollars and Sense Now is The Time!

SymboL: PSCP
Current Price: $0.35
5 Day Target price: 1.75
Action: Aggresive Buy

Underbanked consumers are an opportunity investors can't afford


to miss, especially as new research reveals a closer look at the
breadth and potential of the market. According to a new study by
BearingPoint and Visa, approximately 84 million people are un-
and underbanked, representing $1.1 trillion in income. Assuming
these consumers spend 1% of their income to pay for financial
services, that amounts to $11 billion. And that is at 1%! Not bad
work if you can get it.
http://www.crummy.com/features/StockSpam/
- Blue Security, a security company that took on spammers aggressively, underwent a Distributed Denial of Service (DDoS) attack from zombie computers under control of a Russian-speaking spammer.
- This spammer (or spam gang), which we called PharmaMaster, claimed to make … off of spam.
- Unwilling to give up that income, he paid a hacker $2,000 an hour to perform the DDoS against Blue Security.
- It cost him over $1M by the time all was said and done.
- It exhausted the funding of Blue Security and they were forced to close shop.

Diagram: Release group hires/uses botnet for storage and distribution.

15% of losses attributed to college students.

Bot-driven fraud has become such a big business that Google was recently sued by class-action plaintiffs who claimed that bots, not people, had clicked on their ads. The ads were priced based on how many clicks they received; apparently competitors had hired bots to jack up the rate with an avalanche of extra clicks.

Charged with negligence for failing to guard against such abuses, Google settled for $90 million.
- We've encrypted your files.
  - Pay me for the key to decrypt them.
- We're DDoSing your website.
  - Pay me to stop.
  - Pay me not to start.

In 2004, botnets attacked dozens of online gambling sites. The bookmakers were told to pay between $10,000 and $50,000 to get their sites back online. (Wired, Nov 2006)

But, of course, "Once you have paid him the Dane-geld, you never get rid of the Dane."
Dane-geld, by Rudyard Kipling (A.D. 980-1016)
- Keystroke logging attacks
- Harvesting credit cards, SSAN, keys, passwords

[11:23] *** :newyork.ny.us.somewhere.org 322 Justlooking
#cards 73 : Welcome. WGeTz sell fulls, msg HIM. NEW ->
(Link: www.kentmintek.com/coolindex.html)
www.kentmintek.com/coolindex.html .
WGeTz needs ITALY WU DROP.

Diagram: one botnet client hosts the phishing website; another botnet client sends the spam.
"I am Mr. Richard H. Mason President/CEO MM Group Handling.

We are a trading company that is into the hire, sales and service of Electrical Trucks, Fork Trucks and associated materials handling equipments and diverse range of battery for electric vehicles which can be readily adapted for customers specific requirements to the America and selected locations in Europe.

We are searching for individuals or a company who can act as our representative/payment agent in your country and earn 10% of every payment made through you to us."

These funds are stolen from other accounts that have been compromised.

… typically using a wire transfer service.

Source: Bank Safe Online
[11:07] *** :newyork.ny.us.someplace.org 322 Justlooking
#Bot-Services 6 :(Lew|s-) Welcome. My BotNet is ready to
be used. You would like to profit from it? Leave a msg on
the channel, one @ will respond to you soon. Thank you!

By Bernhard Warner, Reuters

"Fluid third-party exchange market (millions)
- Going rate for Spam proxying 3-10 cents/host/week
- Seems small, but 25k botnet gets you …
Raw bots, .01$+/host, Special orders ($50+)"
Geoffrey M Voelker, UC San Diego
#1 platform for Command & Control Servers: Unix

The Trojan comes disguised as a video-decoding plug-in that users are told they must install to watch free porn clips. Instead, the software burrows into the operating system and diverts some of the victim's future web surfing to sites under the attacker's control. It's the professional attack on Macs that the security community has long predicted, according to Dave Marcus, security research manager at McAfee's Avert Lab, who said it was "written by people who know how to write malware."

http://www.wired.com/politics/security/news/2007/11/mac_trojan

Firewalls are designed to let traffic in

- … permits applications to run without using their GUI
- … adds an invisible user to the administrator group
- User mode rootkits
- Kernel mode rootkits
net start >>starts
net stop "Symantec antivirus client"
net stop "Symantec AntiVirus"
net stop "Trend NT Realtime Service"
net stop "Symantec AntiVirus"
net stop "Norton antivirus client"
net stop "Norton antivirus"
net stop "etrust antivirus"

Best Bot left the A/V tray icon and a fake GUI
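The `net stop` list above is what a bot runs to silence host protection, so the matching detection is a process-creation rule: alert when `net` or `sc` is used to stop a service whose name matches the anti-virus products named on the slide, and escalate when one host does it several times in a row. The Python below is an added example, not the presenter's code. The event records are constructed to mimic Sysmon/EDR process-creation fields, the `WATCH_TERMS` list extends the slide's product names with two generic terms as an assumption, and `sc stop` is included next to `net stop` as an assumed equivalent.

```python
import shlex
from collections import Counter

# Service-name fragments worth alerting on. The first four are the products in the
# bot's kill list on the slide; "antivirus" and "realtime" are generic additions
# (assumption) so a renamed or unlisted product still matches.
WATCH_TERMS = ("symantec", "norton", "trend", "etrust", "antivirus", "realtime")

# Constructed process-creation events (not a real capture). Fields mimic what a
# Sysmon/EDR process-creation record carries: host, user, parent image, command line.
SAMPLE_EVENTS = [
    {"host": "ws12", "user": "LAB\\jdoe", "parent": "svchost.exe", "cmd": 'net stop "Symantec AntiVirus"'},
    {"host": "ws12", "user": "LAB\\jdoe", "parent": "svchost.exe", "cmd": 'net stop "Norton antivirus client"'},
    {"host": "ws12", "user": "LAB\\jdoe", "parent": "svchost.exe", "cmd": 'net  stop  "etrust antivirus"'},
    {"host": "ws07", "user": "LAB\\admin", "parent": "cmd.exe", "cmd": "net stop spooler"},
    {"host": "ws07", "user": "LAB\\admin", "parent": "cmd.exe", "cmd": "net start"},
    {"host": "srv01", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe", "cmd": 'sc stop "Symantec AntiVirus"'},
]


def parse_stop_target(cmdline):
    """Return the service named by a 'net stop X' or 'sc stop X' command line, else None."""
    try:
        argv = shlex.split(cmdline)        # honours the double quotes around service names
    except ValueError:                     # unbalanced quotes: not a well-formed command
        return None
    if len(argv) < 3:
        return None
    tool = argv[0].lower()
    if tool.endswith(".exe"):
        tool = tool[:-4]
    if tool not in ("net", "sc") or argv[1].lower() != "stop":
        return None
    return " ".join(argv[2:])


def find_av_service_stops(events):
    """Return an alert record for every event that stops a service matching WATCH_TERMS."""
    alerts = []
    for ev in events:
        target = parse_stop_target(ev["cmd"])
        if target is None:
            continue
        if any(term in target.lower() for term in WATCH_TERMS):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "parent": ev["parent"], "service": target})
    return alerts


def stops_per_host(alerts):
    """Several AV stops in quick succession from one host is the pattern on the slide."""
    return dict(Counter(a["host"] for a in alerts))


if __name__ == "__main__":
    hits = find_av_service_stops(SAMPLE_EVENTS)
    for a in hits:
        print(f'{a["host"]}: {a["user"]} ({a["parent"]}) stopped "{a["service"]}"')
    print(stops_per_host(hits))
```

The parent image is carried through on purpose: an administrator stopping a service from `cmd.exe` during maintenance and a service stop spawned from an unexpected parent deserve different severities, and the slide's note that the bot leaves the tray icon and a fake GUI in place is exactly why the evidence has to come from the process log rather than from what the user sees on screen.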

Your space, network, & processing power
- Child Pornography
- Bestiality
- Stolen movies, games, & software
Your access
- Student records
- SSAN
- University resources
- Your email
Your money
Your identity

1. Ensure that all enterprise and local accounts have strong passwords. Configure Domain security policy to enforce this and auto-lockout.
2. Eliminate all generic accounts. Where possible make all non-user accounts services.
3. Eliminate or encapsulate all unencrypted authentication.
4. Establish a perimeter and segregate valuable or dangerous network segments. Make FW rules accountable and require change control.
5. Establish standards for web app and other development to eliminate avoidable coding vulnerabilities (e.g. use of mod-sec for Apache websites).
6. Staff your anti-spam, anti-virus, abuse, proxy cache, and web filter processing efforts.
7. Install and operate IDS/IPS systems (like ourmon, snort, etc.).
8. Google your own site: site:mysite.com viagra
9. Actively scan your site for vulnerabilities.
10. Centralize and process logs, including workstation security and firewall logs.
11. Mine your anti-virus quarantines, abuse notifications, and infected systems for intelligence about botnet infections.
12. Participate in or join quasi-intelligence organizations and use their data in your detection tools. Report new info: phishing attacks to www.castlecops.com/PIRT, botnet clients/C&C to isotf.org.

Bot Detection is mostly behavioral

Host based
- A/V, Anti-Spam, Anti-Spyware
- Security logs
- RUBotted: Trend Micro
Enterprise Reporting
- User Help Desk Tickets
- Abuse notifications
- Quasi-Intelligence Organizations
Monitoring & Analysis
- Ourmon
- Firewall & Router logs
- IDS/IPS: Host and Network
- Darknets, Honeypots
- DNS
- Server & Workstation Log analysis
- Malware analysis (Sandbox)
- Forensics
Diagram: incident response workflow (slide 57).

Inputs from the Internet-facing Botnet Sensors: Security Researcher; Wormwatch mailing list; "131.252.x.x NERO says bad"; "131.252.x.x Acting Bad"; "131.252.x.x talking to bad"; "38.100.x.x McAfee says bad" (McAfee server); User Reports; TAGs.

Teams shown: Network Team, User Support, Server Support, Security Team. Steps shown across the teams:
- Create tracking ticket
- Identify computer or user
- Identify server or webpage owner
- Locate infected system
- Block network access
- Retrieve computer
- Identify compromised account
- Identify system owner
- Identify location
- Backup all files
- Locate malware
- Perform quick forensics
- Determine attack vector
- Re-image computer

Security Team: Identify computer or user; Review quick forensics; Perform deep forensics; Ensure appropriate resources are working the incident; Identify useful intelligence markers.
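Slides 56 and 57 say bot detection is mostly behavioral and show the sensor inputs that open a ticket: a host "talking to bad" (a destination on a reputation feed) or "acting bad" (behaviour such as one workstation delivering mail straight to many hosts). The Python below is an added example and is neither the presenter's code nor PSU's tooling. It correlates constructed firewall flow lines against a constructed known-bad list, treats five or more distinct SMTP destinations from one host as "acting bad" (a threshold chosen here as an assumption), skips malformed lines, and emits the first workflow steps from slide 57. Addresses are RFC 5737 documentation ranges rather than the 131.252.x.x campus range on the slide.

```python
import re
from collections import defaultdict

# Constructed known-bad list (stand-in for the NERO / McAfee / researcher feeds
# on the slide). RFC 5737 documentation addresses are used throughout.
KNOWN_BAD = {"203.0.113.7", "203.0.113.99"}

# Constructed firewall/flow log lines (not a real capture); internal hosts live
# in 192.0.2.0/24. The last line is deliberately malformed.
SAMPLE_FLOWS = """\
2011-02-15T10:00:01 src=192.0.2.15 dst=203.0.113.7 dport=6667 proto=tcp action=allow
2011-02-15T10:00:09 src=192.0.2.15 dst=203.0.113.7 dport=6667 proto=tcp action=allow
2011-02-15T10:01:00 src=192.0.2.40 dst=198.51.100.1 dport=25 proto=tcp action=allow
2011-02-15T10:01:01 src=192.0.2.40 dst=198.51.100.2 dport=25 proto=tcp action=allow
2011-02-15T10:01:02 src=192.0.2.40 dst=198.51.100.3 dport=25 proto=tcp action=allow
2011-02-15T10:01:03 src=192.0.2.40 dst=198.51.100.4 dport=25 proto=tcp action=allow
2011-02-15T10:01:04 src=192.0.2.40 dst=198.51.100.5 dport=25 proto=tcp action=allow
2011-02-15T10:01:05 src=192.0.2.40 dst=198.51.100.6 dport=25 proto=tcp action=allow
2011-02-15T10:02:00 src=192.0.2.8 dst=198.51.100.20 dport=443 proto=tcp action=allow
2011-02-15T10:02:30 src=192.0.2.8 dst=198.51.100.21 dport=25 proto=tcp action=allow
this line is malformed and must be skipped
""".splitlines()

# Assumed key=value layout; only the three fields the logic needs are extracted.
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_flow(line):
    """Return {src, dst, dport} for a well-formed flow line, or None."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def assess_hosts(lines, bad_ips, smtp_threshold=5):
    """Map each internal host to the list of reasons it should be ticketed."""
    talking_to = defaultdict(set)   # host -> known-bad destinations it contacted
    smtp_dests = defaultdict(set)   # host -> distinct hosts it delivered mail to
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if flow["dst"] in bad_ips:
            talking_to[flow["src"]].add(flow["dst"])
        if flow["dport"] == 25:
            smtp_dests[flow["src"]].add(flow["dst"])
    report = {}
    for host in set(talking_to) | set(smtp_dests):
        reasons = []
        if talking_to.get(host):
            reasons.append("talking to bad: " + ", ".join(sorted(talking_to[host])))
        if len(smtp_dests.get(host, ())) >= smtp_threshold:
            reasons.append(f"acting bad: {len(smtp_dests[host])} distinct SMTP destinations")
        if reasons:
            report[host] = reasons
    return report


def open_ticket(host, reasons):
    """First steps of the slide-57 workflow for a flagged host."""
    return {
        "host": host,
        "evidence": reasons,
        "next_steps": ["Create tracking ticket", "Block network access",
                       "Identify computer or user", "Retrieve computer",
                       "Perform quick forensics"],
    }


if __name__ == "__main__":
    for host, reasons in sorted(assess_hosts(SAMPLE_FLOWS, KNOWN_BAD).items()):
        print(open_ticket(host, reasons))
```

The two reasons are kept separate in the output because they call for different first moves: a reputation hit can be confirmed or dismissed by checking the feed entry, whereas the SMTP fan-out needs the quick forensics step before anyone can say whether the host is a bot or a legitimate mail relay that should have been on an allow-list.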
Mailing lists
- Botnet: http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
- Phishing: http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
- Vendor
ISC Storm Center
http://www.bleedingthreats.net/fwrules/
1. Make certain that systems used in performing financial transactions are
protected by strict technical controls and receive periodic validation.
2. Make certain that personnel involved in performing online financial
transactions have the necessary security awareness and training. Those
persons should receive targeted training on phishing and this threat.
3. Have written policies defining the controlled environment in which
online banking transactions can be conducted, e.g. what systems can be
used, how they must be maintained, required personnel training, etc.
4. Routinely audit compliance with established technical controls and
policies.
5. WE STRONGLY RECOMMEND THAT all online banking operations
should be conducted on special-use computers that are used SOLELY for
banking transactions. No other use of the machine should be permitted -
no e-mail, no web browsing, no general-purpose business use - nothing
but institutional online banking transactions.

-- Application white-listing, e.g. on Windows, AppLocker[1][2], can offer significant protection.
-- Systems used for online banking:
   + Should have the least amount of software installed as necessary to facilitate their business functions.
   + Should have Javascript and ActiveX disabled or specifically limited to trusted sites.
   + Should be subject to a change management process for any work that's to be done on the machine. Multiple-party approvals should be required.
   + Should be examined monthly and routinely patched by professional institutional IT security staff. If the system is not examined or patched by a specific date of a month, business office folks should not use it until the IT security staff bring it up to date.
-- Two-factor authentication should be used for banking access where available. While two-factor authentication will not protect against all attacks, it does provide protection against many. Sites should press their banks to offer two-factor if they don't already.

Separate machine(s) used SOLELY for institutional online banking operations (and used for all such operations) is STRONGLY RECOMMENDED. Useful technical and policy controls include (referencing The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud):
   + Don't make the machine part of a Windows domain. Administer the machine using a local administrator account.
   + Shut the machine down when not in use.
   + Implement very aggressive firewall and possibly proxy protections for the system. All non-banking traffic should be denied.
   + Aggressively monitor traffic to and from the system.
   + Place the machine on a separate VLAN, on a secure dedicated hard-wired network connection.

   + No other use of the machine should be permitted - no e-mail, no web browsing, no general-purpose business use - nothing but institutional online banking transactions.
   + Physical access to the machine should be tightly controlled.
   + The system should have a permanent and obvious distinguishing mark, e.g. spray paint it orange, to ensure there can be no mistaking that this is a special purpose machine.
   + Any other intentional use of the machine should be a cause for disciplinary action.
-- While virtual machine solutions are technically an option to dedicated machines, in the interest of keeping the solution simple, clean, usable, and understandable by non-technical business office staff, we do not recommend virtual solutions.
-- And as always, "user privilege reduction": the user should never conduct normal use of the system under an admin-privileged account.
-- Other standard desktop hardening recommendations and practices apply, e.g. …

David Dagon, 2007
- Botnet Overview
- Botnet Schemes
- How Do They Get In?
- What Can We Do?
- Concluding Thoughts

Questions?

Craig A Schiller, CISSP-ISSMP, ISSAP


craigs@pdx.edu
Portland State University
CISO
