Host and Application Security

kurt
Presentation Transcript


  1. Host and Application Security Lesson 17: Botnets

  2. Almost done with Malware • Now that you’re done with traditional malware, let’s look at an important class or two we’ve ignored: rootkits and botnets

  3. Rootkit
  • Actually, a pretty loose definition
  • Can think of it as a piece of malware that is designed to allow an attacker privileged access to a computer
  • Rootkits usually allow access via the network
  • Rootkits usually are very stealthy, and provide ways an attacker can hide on the box

  4. Botnet • Really, a form of rootkit, but the emphasis is on remote control

  5. The Botnet Lifecycle

  6. Recruitment
  • Machines get recruited into botnets in a large number of ways
  • Typically, a web or email based exploit
  • This installs the bot on the machine

  7. Command and Control
  • This can be thought of as the “Achilles heel” of the botnet
  • A botnet needs remote control
  • Thus, if we can detect the network traffic, we can detect the botnet
  • However, the botherder makes a large effort to protect his (her) investment

  8. Exploitation
  • Lots of uses:
  • DDoS attacks
  • Adware installation
  • Spyware installation
  • Spam
  • Click fraud
  • Spread to other machines
  • ID theft
  • …

  9. C2 Techniques
  • Simple: IRC
  • Complicated: Domain flux
  • Generate different candidate domain names every day
  • Bots “check in” with the new domains every day
  • Not all domains need to be registered for this approach to work
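Slides 7 and 9 together make the defender's point: a bot that uses domain flux must query many freshly generated names each day, most of which were never registered, so its DNS traffic looks unlike a normal host's. The script below is an added example (not part of the slides) that scores each client in a resolver log on three signals of that behaviour: number of distinct names queried, fraction of NXDOMAIN answers, and average character entropy of the second-level label. The log format, the sample lines, and the thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed resolver log (not from the slides). Fields:
# "<time> <client_ip> <queried_name> <rcode>"
# 10.0.0.5 behaves normally; 10.0.0.7 queries a burst of random-looking
# names that mostly do not resolve, the pattern a domain-flux bot leaves.
SAMPLE_LOG = """\
09:00:01 10.0.0.5 www.example.com NOERROR
09:00:02 10.0.0.5 mail.example.com NOERROR
09:00:03 10.0.0.5 cdn.example.net NOERROR
09:00:10 10.0.0.7 qx7hf2kd9z.com NXDOMAIN
09:00:11 10.0.0.7 p3mz8vwq1t.net NXDOMAIN
09:00:12 10.0.0.7 k9r2y6lhx4.org NXDOMAIN
09:00:13 10.0.0.7 b7tq3nvd5m.com NXDOMAIN
09:00:14 10.0.0.7 z4wk8jg1rp.net NXDOMAIN
09:00:15 10.0.0.7 f6dy2hs9cx.com NOERROR
09:00:16 10.0.0.7 www.example.com NOERROR
"""


def shannon_entropy(text):
    """Bits of entropy per character; random labels score higher than words."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    """Return the label left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text):
    """Parse the constructed log format into (client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _time, client, qname, rcode = fields
        records.append((client, qname, rcode))
    return records


def score_clients(records, min_unique=5, min_nx_ratio=0.5, min_entropy=3.0):
    """Per-client domain-flux indicators; a client is flagged only when all
    three thresholds (assumed values, tune to the environment) are met."""
    per_client = defaultdict(list)
    for client, qname, rcode in records:
        per_client[client].append((qname, rcode))

    results = {}
    for client, queries in per_client.items():
        unique = {q for q, _ in queries}
        nx = sum(1 for _, r in queries if r == "NXDOMAIN")
        nx_ratio = nx / len(queries)
        mean_entropy = sum(shannon_entropy(second_level_label(q)) for q in unique) / len(unique)
        results[client] = {
            "unique_domains": len(unique),
            "nxdomain_ratio": nx_ratio,
            "mean_entropy": mean_entropy,
            "flagged": (len(unique) >= min_unique
                        and nx_ratio >= min_nx_ratio
                        and mean_entropy >= min_entropy),
        }
    return results


def flagged_clients(log_text):
    """Convenience wrapper: clients whose DNS behaviour matches the pattern."""
    scores = score_clients(parse_log(log_text))
    return sorted(c for c, s in scores.items() if s["flagged"])


if __name__ == "__main__":
    for client, s in score_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: unique={s['unique_domains']} nx={s['nxdomain_ratio']:.2f} "
              f"entropy={s['mean_entropy']:.2f} flagged={s['flagged']}")
```

The three signals are combined with AND so that a single legitimate typo (one NXDOMAIN) or a single CDN hostname with a random-looking label does not trip the detector; in practice the thresholds would be set from a baseline of the network's own resolver logs, and the flagged host would be the starting point for an investigation, not a verdict on its own.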

  10. C2 features
  • Can break down into:
  • Topology: hub and spoke? P2P?
  • Rallying Mechanism: How new bots locate and join the botnet.
  • Communication Protocol: The underlying protocol used…
  • Control Mechanism: How new commands are sent. Callback? Polling?
  • Command Authentication Mechanism: How can we tell if a command is really from the botherder?

  11. To Do
  • Download and read “Your botnet is my botnet: Analysis of a Botnet Takeover”
  • Questions about this could be on the final…

  12. Questions?
