Presented By:Anup Satpathy
A botnet(also known as zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet.
A bot is a client program that runs in the background of a compromised host
DoS, ID Theft, Phishing, keylogging, SPAM
Spreading worms and viruses for Fun AND profit
Why is there so much spam?
Why are there so many worms and viruses?
What are the sources of denial of service attacks?
Why would anyone want to break into my computer?
Why don’t the people doing these things get arrested?
Fortify system against other malicious attacks
Disable anti-virus software
Stresses need to patch/protect systems prior to attack
Stronger protection boundaries required across applications in Operating Systems.
How they work
The larger the botnet, the more approval the herder can claim to have among the underground community. The bot herder will also ‘rent’ the services of the botnet out to third parties, usually for sending out spam messages, or for performing a denial of service attack against a remote target.
Some bot commands
Search for sensitive info on bot’d hosts
Enable keylogger and look for Paypal or eBay account info
Money is the main driver :
Most botnet-related abuse is driven by financial considerations:
Viruses and worms are used to compromise systems to use as bots.
Bots are used to send spam to sell products and services (often fraudulent), engage in extortion (denial of service against online gambling, credit card processors, etc.), send phishing emails to steal bank account access.
Most of the spam messages are passed with “Links” requesting users to follow. Clicking the link will denote the system as vulnerable by the Spammer which will be further be sold to other sponsors.
Access to bots as proxies is sold to spammers, often with a very commercial-looking front end web interface.
Bots can be used to sniff traffic, log keystrokes, collect usernames and passwords, spreading malware, manipulate online polls, etc.
An IRC based, command and control(C&C) network of compromised hosts (bots)
Owners of zombie computers are usually unaware their machine is compromised
Most spam is sent from zombie computers
Used as the bots in many Botnets
Used to mount large scale DDoS attacks
IRC(Internet Relay Chat)
Real time Internet Chat (synchronous conferencing)
Designed for group conferencing
Can do private one-to-one messaging
Communications are facilitated via channels
Channels can be global to all servers or local to a single server in the network.
Bots are a special type of IRC client and are often used for performing automated administrative tasks for the net.
treated as a regular user by the servers but could be a trojan horse installed on a user machine, this constitutes a zombie.
E.g. Google IRC Bot which translates into other languages in runtime environment.
One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie computers(Botnet) taking instructions from a central point.
DoS is an attempt to make a computer resource unavailable to its intended users.
A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods.
How to identify whether your Computer is a Botnet :
If your computer runs slower than normal.
If network activity in task manager shows abnormal rate most of the time.
If your antivirus program shuts off by itself.
Run Process Explorer and examine all the process to see if any process is running that does not run on your computer normally.
IRC operators play central role in stopping botnet traffic
Traffic fingerprinting still useful for identification(CAPTCHA)
Improve local security policy authentication practices to prevent password guessing attacks.
Update all systems and verify that all systems have accepted and installed the patches.
Every windows host needs a strong and active virus checker which also must have a scope given towards Spyware and Adware.
Law enforcement may be invoked, especially if the incident is considered serious for legal and financial reasons.
All outbound mails have to go through the official mail servers to prevent botclients from Spamming directly through internet.
Develop your sources of internal intelligence.
Botnets are the primary infrastructure of criminal activity on the Internet, used most heavily for spamming, phishing, DoS attacks, spreading Spywares and creating more bots.
An effective response to botnets in order to reduce spam, phishing, and denial of service requires a combination of policies and procedures, technology, and legal responses from network providers, ISPs, organizations on the Internet, and law enforcement and a sharp awareness among users.
Future botnets may move away from IRC. Move to P2P communication.
All of these components need to respond and change as the threats continue to evolve triggering Cyberterrorism.
“Information Technology” journal, August 2005, published by EFY.
IEEE journal on" security and privacy”
EC-Council – CEH Version 6
Mr. Sukalyan Das – Entrepreneur (Bhubaneswar)