130 likes | 193 Views
The Taxonomy of BotNets Evolution of Malware. Presented by: AVATAR Rajesh Augustine, Marek Jakubik, Jonathon Raclaw, & Rao Pathangi. Definitions: What is a BotNet?.
E N D
The Taxonomy of BotNetsEvolution of Malware Presented by: AVATAR Rajesh Augustine, Marek Jakubik, Jonathon Raclaw, & Rao Pathangi
Definitions: What is a BotNet? According to the Merriam-Webster Dictionary, a Computer Virus is described as “a computer program that is usually hidden within another seemingly innocuous program and that produces copies of itself and inserts them into other programs and usually performs a malicious action (as destroying data)” Source: http://www.merriam-webster.com/dictionary/virus According to the article a Bot is described as “a compromised end-host, or a computer… a malicious executable that compromises, [and] controls a computer host.”
History The Creeper Virus was the first self replicating virus, written by Bob Thomas in 1971. http://en.wikipedia.org/wiki/Creeper_virus Just as computers have grown and evolved during the last 38 years, as too have computer viruses. Now they communicate with each other via the internet, giving commands and following orders.
So what is new? The primary difference, which signifies a unified attack by a so called ‘BotNet’ is a mechanism to coordinate the attack by the infected systems. The article calls these systems ‘Command and Control (C&C)’ The evolution of computer viruses, has seen a new next step. A need to command and control them remotely. Hackers are no longer content with having their system attack on a particular date; April 1st, Friday the 13th, Hitler’s Birthday, etc.
An Analogy Bots and BotNets are just the latest evolution of malware. They are not to be taken lightly. Let’s compare: The original Viruses 35+ years ago to Gunpowder. A combination of sulfur, charcoal and potassium nitrate, which when introduced to a spark or flame explodes. Then the original Worms can be compared to Nitroglycerine. A simple and elegant compound that is very volatile, and explodes easily. Bots and BotNets can be compared to Dynamite, a mature combination of both gunpowder and nitroglycerine. Just as Bots and BotNets are a combination of viruses and worms. Dynamite is stable, not easily triggered, and when it is…
Analogy Continued The resolve is surgical strike, with total destruction. A kin not too far from a BotMaster’s attack with a well placed and well executed BotNet Strike.
Example 1 – Command & Control The article talks about three strict types of command and control (centralized, P2P and random) but the Command and Control as witnessed in the news story in the Wall Street Journal and PRI (http://www.theworld.org/node/25621\) suggests a new type of command and control where the bots are distributed through the grid systems upon surveillance. The important point being that each different bot is recruited to do certain malicious activities. So the location of the bot in the system would be critical. The botmaster knows ahead of time the keys to turn in time of crisis to take control of the grid.
Example 2 – Financial Fallacy Article talks about the financial gains by using Botnets, article doesn't give any specific examples or instances of the financial gains, where as other articles and sources provide these information. I would say that there is not enough study done by Trend Micro to find out this information instead this article seems like having a marketing intent.
Example 3 – Asymmetric Vulnerability The recent WSJ incident highlights the new and upcoming trend in warfare where the concept of "asymmetric vulnerability" is exploited. The like for like concept is used in wars. City for city, warhead for warhead but if a network is penetrated and taken hostage, there is no parallel elsewhere for the sophisticated systems in the US.
Example 4 – Infrastructure Attack The Wall Street Journal has reported that the electricity grid in the United States has been infiltrated by "cyperspies," in an attempt to map the infrastructure, leaving behind software that could pose potential threats in times of crisis. Quoting anonymous "current and former" national security officials, the report claims that the spies, hailing from countries unknown have not attempted to do any damage, but that they could, and that these types of intrusions are on the rise. The best method to implement this attack at this level would be a BotNet. Source: http://www.theworld.org/node/25621
Summary Leading: This document was written to instill fear into customers, to encourage them to buy TrendMicro’s product. Dated: This document was written in 2006, so there are many assumptions which have not proven true. Tech Shift: The scenarios offered by TrendMicro are a small step in the actual direction. Actual application are far worse.
From T-Bone and Tonic • More evolutions in the taxonomy of botnets. • 2007, the Storm botnet compromised an estimated 5,000,000 computers at the height of its infection. • One of the most disturbing behaviors of this botnet was its self-defense capabilities. • Launch DDoS attacks against the machines that attempted to probe the botnet • In some cases researchers could not even publish their findings • 2009 Waledac, Storms successor, sending out spam with infected Valentine’s day emails.
From Jero Jewo • Recent propagation of botnet software via social networks