What is a BOTNET?
Introduction
A botnet is a network of zombies, i.e. compromised computers under the control of an attacker. Malware is used to infect computers and turn them into zombies.
(Figure: zombies controlled by the attacker, the botmaster)
Malware is currently the major source of attacks and fraudulent activities on the Internet.
A bot is a program loaded on a zombie computer that provides remote control mechanisms to an attacker.
The IRC server can be on a public network or installed on one of the compromised hosts. Bots listen to the channel for instructions from the operator and perform the task.
http://en.wikipedia.org/wiki/Botnet
C&C channel
Means of receiving and sending commands and information between the botmaster and the zombies. Typical protocols: IRC, HTTP, Overnet (Kademlia).
(Figure: topologies of botnets)
The topology provides trade-offs in terms of bandwidth, effectiveness, stealth, and so forth.
Worm
Botnet Detection
Every interaction between two entities requires the flow of information. This can be utilized to detect the interaction. The problem is that this interaction is generally obfuscated and mixed with others with similar behaviour. Traditionally, work in botnet detection has been categorized either by detection methodology (behavioural/signature) or by C&C infrastructure.
3 ways of hiding
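To make the two detection methodologies named above concrete, here is an added example (not code from the original slides): a toy detector run over constructed flow records. The behavioural part looks for a destination that several internal hosts contact at near-constant intervals (beaconing), which is the "flow of information" the slide refers to; the signature part matches IRC command keywords in the payload. The hosts, addresses, port and payloads are all constructed for this example, and the thresholds (minimum hosts, minimum samples, maximum coefficient of variation) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev


def _beacons(src, offset, first_payload):
    # Constructed C&C-style sessions: roughly one contact per minute with small jitter.
    return [(offset + t, src, "203.0.113.5", 6667, p) for t, p in
            ((0, first_payload), (60, "JOIN #ops"), (119, "PRIVMSG #ops :idle"),
             (180, "PRIVMSG #ops :idle"), (240, "PRIVMSG #ops :idle"))]


# Constructed flow records for this example: (seconds, src, dst, dport, payload snippet)
FLOWS = (
    # three internal hosts beaconing to the same IRC-style server
    _beacons("10.0.0.11", 0, "NICK b11")
    + _beacons("10.0.0.12", 7, "NICK b12")
    + _beacons("10.0.0.13", 13, "NICK b13")
    # one host polling NTP every 64 s: perfectly regular, but no other host shares the destination
    + [(64 * i, "10.0.0.20", "192.0.2.123", 123, "ntp client request") for i in range(5)]
    # ordinary browsing from the same host: irregular intervals
    + [(t, "10.0.0.20", "198.51.100.7", 80, "GET / HTTP/1.1") for t in (3, 8, 128, 161)]
    # a host that contacted the IRC server only twice: too few samples to judge periodicity
    + [(5, "10.0.0.21", "203.0.113.5", 6667, "NICK b21"),
       (65, "10.0.0.21", "203.0.113.5", 6667, "JOIN #ops")]
)

# Signature methodology: payloads that start with a well-known IRC client command.
IRC_SIGNATURE = re.compile(r"^(NICK|USER|JOIN|PRIVMSG)\b")


def signature_hits(flows):
    """Return the (src, dst, dport) tuples whose payload matches the IRC signature."""
    return sorted({(src, dst, dport) for _, src, dst, dport, payload in flows
                   if IRC_SIGNATURE.match(payload)})


def regular_sessions(flows, min_flows=4, max_cv=0.1):
    """Behavioural building block: per (src, dst, dport), True when the
    inter-arrival times are near-constant (coefficient of variation <= max_cv).
    Sessions with fewer than min_flows samples are left out rather than guessed."""
    times = defaultdict(list)
    for t, src, dst, dport, _ in flows:
        times[(src, dst, dport)].append(t)
    regular = {}
    for key, ts in times.items():
        ts.sort()
        if len(ts) < min_flows:
            continue  # not enough samples to estimate a period
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        regular[key] = m > 0 and pstdev(gaps) / m <= max_cv
    return regular


def beacon_clusters(flows, min_hosts=3, **kw):
    """Behavioural methodology: destinations that several hosts contact periodically.
    A single periodic host is common (NTP, update checks), so it is not reported."""
    by_dst = defaultdict(set)
    for (src, dst, dport), is_regular in regular_sessions(flows, **kw).items():
        if is_regular:
            by_dst[(dst, dport)].add(src)
    return {k: sorted(v) for k, v in by_dst.items() if len(v) >= min_hosts}


def detect(flows):
    """Combine both views: a beaconing cluster also matched by a payload signature
    is the strongest hint; a cluster without a match still deserves a look."""
    clusters = beacon_clusters(flows)
    sigs = {(dst, dport) for _, dst, dport in signature_hits(flows)}
    return {k: {"hosts": v, "signature_match": k in sigs} for k, v in clusters.items()}


if __name__ == "__main__":
    for (dst, dport), info in detect(FLOWS).items():
        print(f"{dst}:{dport} <- {info['hosts']} signature_match={info['signature_match']}")
```

On the constructed records only 203.0.113.5:6667 is reported: the NTP poller is regular but alone, the browsing host is irregular, and the two-flow host is skipped for lack of samples. The signature view alone would have flagged every IRC session including the legitimate-looking ones, which is why the two views are usually combined.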
Botnet Activities
DDoS attacks
(Figure: the attacker directs zombies located in Brazil, China, Russia and the US against a target, e.g. Google.com)
http://en.wikipedia.org/wiki/Denial-of-service_attack
Click Fraud
Pay per Click (PPC) is an Internet advertising model used on websites in which advertisers pay their host only when an ad is clicked. Famous bots: ClickBot (100k), Bahama Botnet (200k).
Data Theft
Accounts for a great deal of botnet activity. Purpose: harvesting user data.
Screen
Anti-Spyware software: highly controversial.
http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf
Phishing
http://library.thinkquest.org/06aug/00446/Phishing.html
Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by making use of such computer resource or a communication device;
Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages;
shall be punishable with imprisonment for a term which may extend to three years and with fine.
Punishment for identity theft: Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.
Punishment for violation of privacy: Violating the privacy of that person shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees.
Punishment for cyber terrorism: Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.
PAST CASES
In the news
Aug 4 2010 - Zeus v2 botnet that owned 100,000 UK PCs taken out
Aug 12 2010 - dd_ssh botnet attacks SSH servers
Aug 12 2010 - Zeus Mumba botnet seizes confidential database sized 60GB
Security researchers have uncovered the command and control network of a Zeus 2 botnet sub-system targeted at UK surfers that controlled an estimated 100,000 computers. The original attack was probably seeded by a combination of infected email attachments and drive-by downloads.
Security experts have uncovered a Zeus v3 Trojan botnet that specifically targets customers of an unnamed UK bank. The trojan is also reported to remain undetected by traditional anti-virus software and is activated when the users log in to their online banking accounts. The trojan managed to steal around 675,000 from 3,000 customers.
OPERATION B49
Microsoft moved the battle against spam-distributing botnets from cyberspace to the court room, winning a temporary restraining order for shutting down nearly 300 domains. Microsoft was able to essentially decapitate the botnet, severing the compromised bots from the brains of the operation. Microsoft didn't seek to criminally charge the botnet developer, or sue for damages in civil court.