
INTRODUCTION TO BOTNETS

What is a BOTNET?

Introduction

A botnet is a network of zombies, i.e. compromised computers under the control of an attacker (the botmaster). Malware is used to infect computers and turn them into zombies.

Diagram: Attacker (Botmaster) controlling the Zombies

Malware is currently the major source of attacks and fraudulent activities on the Internet.

A bot is a program loaded on a zombie computer that provides remote control mechanisms to an attacker.

How An Attack Works?

The attacker spreads a trojan horse to infect several hosts.

The infected hosts become zombies and connect to an IRC server on a specific channel.

The channel may be encrypted or open.

The IRC server can be on a public network or installed on one of the compromised hosts.

Bots listen to the channel for instructions from the operator and perform the task.

http://en.wikipedia.org/wiki/Botnet

C&C channel

Means of receiving and sending commands and information between the botmaster and the zombies. Typical protocols: IRC, HTTP, Overnet (Kademlia).

Protocols imply (to an extent) the communication topology of botnets. The topology provides trade-offs in terms of bandwidth, effectiveness, stealth, and so forth.

Popular Botnets Propagation Methods

Diagram: Spammed Messages, Social Networking Websites, Worm, Removable Devices, Malicious Websites -> Install Malware -> Become Bot

HOW ARE BOTNETS DETECTED?

Botnet Detection

Every interaction between two entities requires a flow of information. This can be utilized to detect the interaction. The problem is that this interaction is generally obfuscated and mixed with other traffic showing similar behaviour. Traditionally, work in botnet detection has been categorized either by detection methodology (behavioural/signature) or by C&C infrastructure.
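As an added example (not part of the original slides), a small behavioural detector in Python for the IRC-style C&C model described on the earlier slides. It assumes flow records of the form (time, source, destination, port) from a network sensor; the flow log inside the block is constructed. It flags an endpoint when several internal hosts beacon to it on an IRC port at regular intervals, which is exactly the shared behaviour that has to be separated from similar-looking legitimate traffic.

```python
"""Behavioural IRC C&C detector (added example, not from the slides).
Input: flow records (seconds, src, dst, dport) from a network sensor.
Signal 1: fan-in, several internal hosts talking to one IRC endpoint.
Signal 2: beaconing, near-constant gaps between each host's connections."""
from collections import defaultdict
from statistics import mean, pstdev

IRC_PORTS = {6667, 6697}  # plain and TLS IRC (assumption for this example)

# Constructed flow log: 10.0.0.1-3 beacon to 203.0.113.5:6667 every 60 s
# (zombies waiting for commands); 10.0.0.9 is a human chatting on a
# different IRC server with irregular timing.
FLOWS = [
    (t, f"10.0.0.{h}", "203.0.113.5", 6667)
    for t in range(0, 600, 60) for h in (1, 2, 3)
] + [
    (t, "10.0.0.9", "198.51.100.7", 6667)
    for t in (5, 40, 160, 170, 400)
]


def beacon_score(times):
    """Coefficient of variation of inter-arrival gaps: 0.0 means a
    perfectly periodic beacon; None if there are too few connections."""
    if len(times) < 3:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    return pstdev(gaps) / mean(gaps)


def find_cnc_candidates(flows, min_hosts=3, max_jitter=0.2):
    """Return {(dst, port): [hosts]} for IRC endpoints that at least
    min_hosts internal hosts beacon to with jitter <= max_jitter."""
    per_src = defaultdict(list)
    for t, src, dst, dport in sorted(flows):
        if dport in IRC_PORTS:
            per_src[(dst, dport, src)].append(t)
    fan_in = defaultdict(list)
    for (dst, dport, src), times in per_src.items():
        score = beacon_score(times)
        if score is not None and score <= max_jitter:
            fan_in[(dst, dport)].append(src)
    return {k: sorted(v) for k, v in fan_in.items() if len(v) >= min_hosts}


if __name__ == "__main__":
    for (dst, port), hosts in find_cnc_candidates(FLOWS).items():
        print(f"possible C&C {dst}:{port} <- {', '.join(hosts)}")
```

The thresholds are starting points; on real traffic, tune min_hosts and max_jitter against known-good IRC users before alerting.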

HOW DO THEY HIDE?

Three ways of hiding

WHAT DO BOTNETS DO?

Botnets Activities

DDOS attacks, Click Fraud, Data Theft, Phishing

The least damage caused by botnets is bandwidth consumption.

DDOS attacks

Diagram: the attacker directs zombies located in Brazil, China, Russia and the US against a single target, e.g. Google.com
http://en.wikipedia.org/wiki/Denial-of-service_attack

Click Fraud

Pay per Click (PPC) is an Internet advertising model used on websites in which advertisers pay their host only when an ad is clicked. Famous bots: ClickBot (100k), Bahama Botnet (200k).

Data Theft

Data theft accounts for a great deal of botnet activity. Purpose: harvesting user data such as screen captures, typed data and files.

Anti-spyware software is highly controversial.

http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

Phishing

A deceptive email/website/etc. to harvest confidential information.

http://library.thinkquest.org/06aug/00446/Phishing.html

IT ACTS AGAINST BOTNET

IT Act Section 66A

Any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred, or ill will, persistently makes by making use of such computer resource or a communication device;

Any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.

IT Act Section 66C

Punishment for identity theft: Whoever, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

IT Act Section 66E and 66F

Punishment for violation of privacy: Violating the privacy of that person shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees.

Punishment for cyber terrorism: Whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.

PAST CASES

In the news

July 29 2010 - Multi-Purpose Botnet Used in Major Check Counterfeiting Operation

Aug 4 2010 - Zeus v2 Botnet that owned 100,000 UK PCs taken out
Aug 12 2010 - dd_ssh Botnet attacks SSH servers

Aug 12 2010 - Zeus Mumba Botnet Seizes Confidential Database sized 60GB

Aug 12 2010 - Zeus v3 botnet raid on UK bank accounts

ZEUS 2 - Aug 4 2010

Security researchers have uncovered the command and control network of a Zeus 2 botnet sub-system targeted at UK surfers that controlled an estimated 100,000 computers. The original attack was probably seeded by a combination of infected email attachments and drive-by downloads.

ZEUS 3 - Aug 12 2010

Security experts have uncovered a Zeus v3 Trojan botnet that specifically targets customers of an unnamed UK bank. The trojan is also reported to remain undetected by traditional anti-virus software and is activated when the users log in to their online banking accounts. The trojan managed to steal around 675,000 from 3,000 customers.

OPERATION B49

Microsoft's fight against BOTNETS

Microsoft moved the battle against spam-distributing botnets from cyberspace to the court room, winning a temporary restraining order for shutting down nearly 300 domains. Microsoft was able to essentially decapitate the botnet, severing the compromised bots from the brains of the operation. Microsoft did not seek to criminally charge the botnet developer, or sue for damages in civil court.

