
BotNets & Targeted Malware

BotNets & Targeted Malware, by Fernando Uribe (furibe.mia@gmail.com), IT trainer and consultant for over 15 years specializing in cyber security.


Presentation Transcript


  1. BotNets & Targeted Malware
  Fernando Uribe

  2. Introduction
  Fernando Uribe
  • Email: furibe.mia@gmail.com
  • IT trainer and consultant for over 15 years specializing in cyber security.

  3. What is a Bot?
  • Bot, standing for robot, is the name given to malware which is installed on vulnerable devices and used to receive commands.
  • Once a vulnerable machine is infected with a bot, it can also be called a "zombie", since the bot lies dormant.

  4. What is a botnet?
  • When one has multiple zombie machines under a single controller, it's known as a botnet.
  • Botnets can be used for good, like web crawling or search engine indexing.
  • The majority of the time, botnets are used for distributed denial of service attacks.
  • DDoS is when a target is attacked by multiple zombie machines simultaneously.
  • Usually bots are controlled through an IRC channel via a command and control program.
  • People who operate botnets are usually called bot herders.

  5. How do botnets get created?
  There are several phases to this:
  • Setup of command and control
  • Release bot to infect
  • Have zombies propagate
  • Bots connect to C&C, ready to receive instructions
  • Command is given to attack target
  • Bots attack said target

  6. Setup of command and control
  Attackers may use various tools; one example is Poison Ivy, or they may create their own.

  7. Release bot to infect
  This could be done via social engineering, phishing, or fake websites.

  8. Propagate
  Depending on the bot, this could occur in ways similar to worm infection or malware installation.

  9. Connect to C&C
  Think "ET phone home!": the bots try to connect to the programmed IRC channel and report status.

  10. Command sent
  The command is for a coordinated and automated attack on a target.

  11. Attack ordered
  Once the bots receive the command, they start the attack till told otherwise.
  • Usually a DDoS

  12. Recognizing DoS
  A few ways to recognize a possible DDoS attack:
  • Websites unavailable
  • Specific site not available
  • Network access bogged down
  • Large increase in spam received

  13. Detecting DDoS
  Ways to detect:
  • Activity profiling
  • Changepoint detection
  • Wavelet-based signal analysis

  14. Activity profiling
  • This is the average packet rate for a network flow.
  • A flow is made up of consecutive packets with like fields.
  • An attack is identified when the activity level increases.

  15. Changepoint detection
  • Points out the change in traffic during an attack.
  • Identifies the difference between actual and expected traffic.
  • Can also be used to identify scanning activities within your network.
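As an added example that is not part of the slides, the two detection methods just described, activity profiling and changepoint detection (a one-sided CUSUM), applied to a constructed per-second flow log; the addresses, thresholds and baseline length are assumptions for the demo.

```python
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample: (second, src, dst, dst_port, packets). Seconds 0-5 carry
# only normal traffic; from second 6 a growing set of sources floods port 80.
FLOWS = [(s, f"10.1.1.{5 + s}", "192.0.2.10", 443, 40 + 5 * (s % 3)) for s in range(10)]
FLOWS += [(s, "10.1.2.9", "192.0.2.20", 53, 30 + 10 * (s % 2)) for s in range(10)]
FLOWS += [(s, f"198.51.100.{i}", "192.0.2.10", 80, 120)
          for s in range(6, 10) for i in range(1, 4 + 2 * (s - 6))]

def activity_profile(flows):
    """Group packets with like fields (src, dst, dst_port) for each second."""
    per_second = defaultdict(Counter)
    for sec, src, dst, dport, pkts in flows:
        per_second[sec][(src, dst, dport)] += pkts
    return per_second

def packets_per_second(flows):
    """Activity level (total packets) for each second, in time order."""
    profile = activity_profile(flows)
    return [sum(profile[s].values()) for s in sorted(profile)]

def flag_activity(rates, baseline_seconds=6, factor=3.0):
    """Activity profiling: seconds whose packet rate exceeds a multiple of
    the average rate learned during the first baseline_seconds seconds."""
    baseline = mean(rates[:baseline_seconds])
    return [s for s, r in enumerate(rates) if r > factor * baseline]

def cusum_changepoint(rates, expected, slack, threshold):
    """Changepoint detection (one-sided CUSUM): accumulate the positive gap
    between actual and expected traffic; report the first second at which
    the accumulated gap crosses threshold, or None if it never does."""
    acc = 0.0
    for sec, r in enumerate(rates):
        acc = max(0.0, acc + (r - expected - slack))
        if acc > threshold:
            return sec
    return None

def detect(flows, quiet_seconds=6):
    """Run both detectors; the expected level is learned from the quiet period."""
    rates = packets_per_second(flows)
    expected = mean(rates[:quiet_seconds])
    return {"rates": rates,
            "busy_seconds": flag_activity(rates, quiet_seconds),
            "changepoint": cusum_changepoint(rates, expected, slack=10, threshold=200)}

if __name__ == "__main__":
    print(detect(FLOWS))  # busy seconds [6, 7, 8, 9], changepoint at second 6
```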

  16. Wavelet signal analysis
  • Analyzes the input signal in terms of its spectral components.
  • Wavelets give a concurrent time and frequency description.
  • By analyzing the spectral data one can determine the presence of an anomaly.
  • So they help you find the time at which anomalies may have occurred.

  17. Mitigate attack
  Once we know we are under attack, two examples of methods to mitigate a DDoS:
  • Load balancing
  • Throttling

  18. Defending against botnets
  • RFC 3704 filtering
  • Black hole filtering
  • Cisco IPS source IP reputation filtering
  • DDoS prevention offering from ISP or DDoS service

  19. RFC 3704 filtering
  • Also known as ingress filtering for multihomed networks.
  • You're basically filtering out address space originating from the Internet that is using private IP addresses.
  • Remember that private IPs are not routable on public networks.
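As an added example that is not part of the slides, an RFC 3704-style ingress filter in Python: it drops the private-source traffic the slide describes and, going one step further than the slide, applies the RFC's feasible-path reverse-path test for a multihomed site. The interface names, routing table and packet list are constructed for the demo.

```python
import ipaddress

# RFC 1918 private space plus other ranges that never legitimately arrive
# from the public Internet (this-network, loopback, link-local, multicast).
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Constructed routing table: prefix -> interfaces through which the prefix is
# reachable. A multihomed site may see one prefix via more than one uplink.
ROUTES = {
    "0.0.0.0/0": {"isp_a", "isp_b"},       # rest of the Internet, either uplink
    "198.51.100.0/24": {"isp_a", "isp_b"}, # peer reachable via both uplinks
    "203.0.113.0/24": {"isp_b"},           # peer reachable only via isp_b
    "192.0.2.0/24": {"lan"},               # our own public prefix
}
EXTERNAL = {"isp_a", "isp_b"}   # Internet-facing interfaces that get filtered

def feasible_interfaces(src):
    """Longest-prefix lookup: the interfaces a reply to src would leave by."""
    best = None
    for prefix, ifaces in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best[1] if best else set()

def ingress_decision(iface, src_ip):
    """Return (accept, reason) for a packet with source src_ip arriving on iface."""
    if iface not in EXTERNAL:
        return True, "internal interface"
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in NON_ROUTABLE):
        return False, "non-routable source"       # the slide's private-IP case
    ifaces = feasible_interfaces(src)
    if "lan" in ifaces:
        return False, "spoofed own prefix"        # our addresses never come from outside
    if iface not in ifaces:
        return False, "fails reverse-path check"  # no feasible path back via iface
    return True, "ok"

# Constructed packets: (arrival interface, source address).
PACKETS = [("isp_a", "10.0.0.7"), ("isp_a", "192.0.2.9"), ("isp_a", "203.0.113.4"),
           ("isp_b", "203.0.113.4"), ("isp_a", "198.51.100.20"), ("lan", "192.168.1.10")]

if __name__ == "__main__":
    for iface, src in PACKETS:
        print(iface, src, *ingress_decision(iface, src))
```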

  20. Black hole filtering
  • Drops packets at the routing level.
  • Normally, when a packet does not reach its destination, a request to resend is sent, which would continue the attack.
  • Simply drops the packet, but does not inform the source.

  21. Cisco IPS source IP reputation filtering
  • Used by Cisco IPS.
  • A database that deems whether an IP or service is a possible threat.

  22. DDoS prevention from ISP
  • Helps prevent IP spoofing at the ISP level.
  • Uses DHCP snooping to make sure hosts use the IP addresses assigned to them.
  • Creates a whitelist, in a way, of what IP addresses can access your network.

  23. Targeted malware
  • A different method for malware attacks, where an individual or entity is specifically targeted.
  • Usually malware uses an "artillery" approach, to hit and infect as many as possible.
  • Main objectives could be to obtain access to sensitive information, or disruption.

  24. How it works
  • Attackers use all the tricks in the book: fake emails, malware-filled websites.
  • They research their victims, to be able to extract information.
  • With the information gathered, a greater social engineering attack can be successfully completed.
  • Since the attacks are targeted at a smaller audience, they sometimes slip through the cracks due to not getting reported.

  25. Examples of targeted malware
  • Stuxnet worm: specifically targets industrial control systems.
  • Hotord Trojan and Ginwui4: both used in corporate espionage.

  26. Detect and mitigate
  Some methods of detecting and mitigating malware:
  • Heuristics
  • Multi-layered pattern scanning
  • Traffic-origin scanning
  • Behavior observation

  27. Thank you
