Host and Application Security Lesson 17: Botnets
Almost done with Malware
• Now that you’re done with traditional malware, let’s look at an important class or two we’ve ignored: rootkits and botnets
Rootkit
• Actually, a pretty loose definition
• Can think of it as a piece of malware designed to give an attacker privileged access to a computer
• Rootkits usually allow access via the network
• Rootkits are usually very stealthy, and provide ways for the attacker to hide on the box

Botnet
• Really, a form of rootkit, but the emphasis is on remote control

Recruitment
• Machines get recruited into botnets in many ways
• Typically a web- or email-based exploit
• The exploit installs the bot on the machine
Command and Control
• This can be thought of as the “Achilles heel” of the botnet
• A botnet needs remote control
• Thus, if we can detect the command-and-control network traffic, we can detect the botnet
• However, the botherder makes a large effort to protect his (her) investment, so the C2 channel is built to be hard to spot and hard to take down

Exploitation
• Lots of uses:
  • DDoS attacks
  • Adware installation
  • Spyware installation
  • Spam
  • Click fraud
  • Spread to other machines
  • ID theft
  • …

C2 Techniques
• Simple: IRC
• Complicated: Domain flux
  • Bots generate a different set of candidate domain names every day
  • Bots “check in” with the new domains every day
  • Not all candidate domains need to be registered for this approach to work: bots try all of them, and only the few the botherder has registered resolve
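Domain flux, seen from the defender’s side: the example below is added to these notes and is not part of the lecture. It uses a toy date-seeded domain-generation routine (constructed for illustration, not any real bot family’s algorithm) to show how a defender who has recovered a bot’s algorithm and seed can pre-compute the day’s rendezvous domains and match them against DNS logs. Because most candidate domains are never registered, it also flags hosts whose queries fail (NXDOMAIN) unusually often, which works even when the algorithm is unknown. The log lines, host addresses and thresholds are all constructed.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")
DAY = date(2024, 3, 4)  # constructed "today" for the sample log


def candidate_domains(day, seed=b"lesson17-toy-seed", count=5):
    """Toy domain-generation routine (constructed; not a real family's DGA).
    The label is derived from a hash of the date and a fixed seed, so every
    bot, and every defender who knows the seed, computes the same list."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:10])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def watchlist(day, window=2):
    """Domains for today and the previous `window` days (bot clocks lag)."""
    names = set()
    for back in range(window + 1):
        names.update(candidate_domains(day - timedelta(days=back)))
    return names


def build_sample_log(day):
    """Constructed DNS log: 'timestamp host=<ip> q=<name> rcode=<code>'.
    Host 10.0.0.5 plays the bot: one query hits a generated domain and most
    of its other lookups fail, as domain flux produces in practice."""
    dga_name = candidate_domains(day)[0]
    return [
        f"{day}T10:00:01 host=10.0.0.5 q={dga_name} rcode=NXDOMAIN",
        f"{day}T10:00:02 host=10.0.0.5 q=qzkxtrpvlm.net rcode=NXDOMAIN",
        f"{day}T10:00:03 host=10.0.0.5 q=hbvyxcwqen.org rcode=NXDOMAIN",
        f"{day}T10:00:04 host=10.0.0.5 q=ptrwkzxvjd.com rcode=NXDOMAIN",
        f"{day}T10:00:05 host=10.0.0.5 q=update.example.com rcode=NOERROR",
        f"{day}T10:01:00 host=10.0.0.7 q=www.example.com rcode=NOERROR",
        f"{day}T10:01:05 host=10.0.0.7 q=www.example.com rcode=NOERROR",
        f"{day}T10:01:09 host=10.0.0.7 q=wwww.example.com rcode=NXDOMAIN",
        f"{day}T10:01:20 host=10.0.0.7 q=mail.example.com rcode=NOERROR",
        f"{day}T10:02:00 host=10.0.0.9 q=printer.local rcode=NXDOMAIN",
        f"{day}T10:02:30 host=10.0.0.9 q=printer rcode=NXDOMAIN",
    ]


def parse_dns_log(lines):
    """Turn each constructed log line into a dict with ts/host/q/rcode."""
    records = []
    for line in lines:
        parts = line.split()
        fields = dict(part.split("=", 1) for part in parts[1:])
        fields["ts"] = parts[0]
        records.append(fields)
    return records


def flag_hosts(records, dga_domains, nx_threshold=0.5, min_queries=4):
    """Return {host: [reasons]} using two signals:
    (a) a query for a pre-computed DGA domain (strong evidence),
    (b) a high NXDOMAIN ratio over at least `min_queries` lookups (heuristic;
        the minimum keeps a couple of typos from flagging a host)."""
    per_host = {}
    for r in records:
        stats = per_host.setdefault(r["host"], {"total": 0, "nx": 0, "hits": set()})
        stats["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            stats["nx"] += 1
        if r["q"].lower() in dga_domains:
            stats["hits"].add(r["q"].lower())

    flagged = {}
    for host, s in per_host.items():
        reasons = []
        if s["hits"]:
            reasons.append("dga-match:" + ",".join(sorted(s["hits"])))
        if s["total"] >= min_queries and s["nx"] / s["total"] >= nx_threshold:
            reasons.append(f"nxdomain-ratio:{s['nx'] / s['total']:.2f}")
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    hits = flag_hosts(parse_dns_log(build_sample_log(DAY)), watchlist(DAY))
    for host, reasons in sorted(hits.items()):
        print(host, reasons)
```

The pre-computed watchlist is the same idea behind a sinkhole: whoever registers a candidate domain before the botherder does receives the bots’ check-ins. The NXDOMAIN heuristic needs tuning per network, since misconfigured resolvers and search-domain suffixes also produce failed lookups.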
C2 features
• Can break down into:
  • Topology: hub and spoke? P2P?
  • Rallying Mechanism: How new bots locate and join the botnet.
  • Communication Protocol: The underlying protocol used…
  • Control Mechanism: How new commands are sent. Callback? Polling?
  • Command Authentication Mechanism: How can we tell if a command is really from the botherder?
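The Command and Control slide says that detecting the C2 traffic detects the botnet, and the control-mechanism bullet above notes that bots often poll for commands. The example below is added here and is not from the lecture: it takes a small connection log (constructed for the example; addresses and times are made up) and scores each source/destination pair by how regular its connection intervals are. A polling bot contacts its controller on a near-fixed schedule, so the coefficient of variation of its inter-connection gaps is close to zero, while browsing traffic is bursty. Thresholds and minimum counts are assumptions to be tuned per network.

```python
import statistics
from datetime import datetime

# Constructed connection log: "timestamp src dst:port" (not lecture material).
# 10.0.0.5 polls 203.0.113.10:443 roughly every 300 s with a little jitter;
# 10.0.0.7 is a user browsing in bursts; 10.0.0.9 connects only twice.
SAMPLE_CONN_LOG = [
    "2024-03-04T10:00:00 10.0.0.5 203.0.113.10:443",
    "2024-03-04T10:05:01 10.0.0.5 203.0.113.10:443",
    "2024-03-04T10:09:59 10.0.0.5 203.0.113.10:443",
    "2024-03-04T10:15:02 10.0.0.5 203.0.113.10:443",
    "2024-03-04T10:19:58 10.0.0.5 203.0.113.10:443",
    "2024-03-04T10:25:00 10.0.0.5 203.0.113.10:443",
    "2024-03-04T10:30:01 10.0.0.5 203.0.113.10:443",
    "2024-03-04T10:34:59 10.0.0.5 203.0.113.10:443",
    "2024-03-04T10:00:05 10.0.0.7 198.51.100.20:443",
    "2024-03-04T10:00:07 10.0.0.7 198.51.100.20:443",
    "2024-03-04T10:00:40 10.0.0.7 198.51.100.20:443",
    "2024-03-04T10:12:00 10.0.0.7 198.51.100.20:443",
    "2024-03-04T10:12:03 10.0.0.7 198.51.100.20:443",
    "2024-03-04T10:45:30 10.0.0.7 198.51.100.20:443",
    "2024-03-04T10:45:31 10.0.0.7 198.51.100.20:443",
    "2024-03-04T10:03:00 10.0.0.9 192.0.2.5:80",
    "2024-03-04T10:40:00 10.0.0.9 192.0.2.5:80",
]


def parse_conn_log(lines):
    """Parse the constructed format into (datetime, src, dst) tuples."""
    records = []
    for line in lines:
        ts, src, dst = line.split()
        records.append((datetime.fromisoformat(ts), src, dst))
    return records


def beacon_scores(records, min_connections=6):
    """For each (src, dst) pair with enough connections, return the number of
    connections, the mean gap in seconds and the coefficient of variation
    (population stdev / mean) of the gaps. Regular polling gives a CV near 0."""
    by_pair = {}
    for ts, src, dst in records:
        by_pair.setdefault((src, dst), []).append(ts)

    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to say anything about regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        scores[pair] = {
            "count": len(stamps),
            "mean_gap_s": round(mean, 1),
            "cv": round(cv, 3),
        }
    return scores


def suspected_beacons(records, max_cv=0.1, min_connections=6):
    """Pairs whose connection timing is regular enough to look like polling."""
    return {
        pair: s
        for pair, s in beacon_scores(records, min_connections).items()
        if s["cv"] <= max_cv
    }


if __name__ == "__main__":
    for (src, dst), s in suspected_beacons(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{src} -> {dst}: {s['count']} connections, "
              f"every ~{s['mean_gap_s']} s, cv={s['cv']}")
```

Timing regularity is one signal among several: bots that randomise their polling interval push the CV up, so practical detectors also look at the regularity of bytes transferred per connection, the share of a host’s traffic going to one destination, and long-lived connections to addresses with no business purpose.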
To Do
• Download and read “Your botnet is my botnet: Analysis of a Botnet Takeover”
• Questions about this could be on the final…