Know your Enemy: Tracking Botnets
The Honeynet Project & Research Alliance
Presented by: Jonathan Dowdle

Motivation
• To study the activities of BotNets and their owners

Introduction
• What is a BotNet?
• What is a HoneyNet?
• Who are the victims?
• What vulnerabilities are used?
• What can a BotNet be used for?

Method
• Setup
  • HoneyNet of 3 machines
• Analysis
  • mwcollectd2
  • drone

Uses of Botnets
• DDoS (Distributed Denial of Service) Attack
• Spamming
• Sniffing Traffic
• Keylogging
• Spreading Malware
• Google AdSense Abuse
• Attacking IRC Networks (similar to DDoS)
• Manipulating online polls/games
• Mass identity theft

Types of Bots
• Most common bots
  • Agobot / Phatbot / Forbot / XtremBot
  • SDBot / RBot / UrBot / UrXBot
  • GT-Bots
• Less common bots
  • DSNX Bots
  • Q8 Bots
  • kaiten
  • Perl-based bots

The Server
• Unreal IRCd
• ConferenceRoom

Tracking Botnets
• IRC login information is sniffed when the bot on the Honeypot connects
• Using the login information gathered, we can connect to the master IRC server

Tracking Botnets -- Observing
• Commands from the master can be observed in the channel
• A custom IRC client is usually needed

Custom IRC Client
• drone
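The first tracking step above is recovering the bot's IRC login details from traffic captured on the honeypot. The following is an added example, not code from the presentation or from the Honeynet Project's drone tool: it parses a constructed, line-oriented capture (">" for client-to-server, "<" for server-to-client, a format assumed here) and extracts the C&C server name, password, nick, channel and channel key, plus any channel messages from the controller, so an analyst has the connection parameters as a structured record.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample capture: what a honeypot would see when an infected host
# registers with its IRC C&C. All names, hosts and the password are made up.
SAMPLE_CAPTURE = """\
> PASS s3cretpw
> NICK [XP]-12345
> USER xdjfh 0 0 :xdjfh
< :irc.example.invalid 001 [XP]-12345 :Welcome
> JOIN #bots chankey
< :master!op@host PRIVMSG #bots :.status
"""

@dataclass
class IrcLogin:
    server: Optional[str] = None          # from the 001 welcome reply's prefix
    password: Optional[str] = None        # PASS sent before registration
    nick: Optional[str] = None
    user: Optional[str] = None
    channels: dict = field(default_factory=dict)   # channel -> key (or None)
    commands: list = field(default_factory=list)   # (sender, text) seen in channels

def parse_capture(text: str) -> IrcLogin:
    info = IrcLogin()
    for raw in text.splitlines():
        direction, _, line = raw.partition(" ")
        if direction == ">":                      # bot -> server
            cmd, _, rest = line.partition(" ")
            if cmd == "PASS":
                info.password = rest
            elif cmd == "NICK":
                info.nick = rest
            elif cmd == "USER":
                info.user = rest.split()[0]
            elif cmd == "JOIN":                   # JOIN #a,#b key1,key2
                parts = rest.split()
                chans = parts[0].split(",")
                keys = parts[1].split(",") if len(parts) > 1 else []
                for i, ch in enumerate(chans):
                    info.channels[ch] = keys[i] if i < len(keys) else None
        elif direction == "<":                    # server -> bot
            m = re.match(r":(\S+?)(?:!\S+)? (\d{3}|PRIVMSG) (\S+) :?(.*)", line)
            if not m:
                continue
            prefix, verb, target, trailing = m.groups()
            if verb == "001":                     # welcome reply names the server
                info.server = prefix
            elif verb == "PRIVMSG" and target in info.channels:
                info.commands.append((prefix, trailing))
    return info
```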
Lessons Learned
• Number of botnets
  • 100 botnets over 4 months
  • 35 “live” botnets as of the paper’s publication date
• Number of hosts
  • ~220,000 unique IP addresses joining at least one of the monitored channels
  • The real number may be larger, since some hosts do not show clients joining a channel

Lessons Learned Cont.
• Typical Size of Botnets
  • 100s – up to 50,000 hosts
• Dimension of DDoS-attacks
  • 226 DDoS-attacks against 99 unique targets

Strengths
• Moderate learning curve
• Paper is presented in ordinary language
• Novel method of determining the techniques and attacks used by Botnet owners

Weaknesses
• Focuses only on IRC-based bots
• More data could have been provided

Further Research
• Vulnerability modules
• Shellcode parsing modules
• Fetch modules