Botnets
By Maha Gazzaz & Chirag Patel
CSCI 3278/6638 Operating Systems
Fairleigh Dickinson University
Introduction
• A botnet is a group of computers running a program that is directed and controlled by the owner or source of that software.
• The term "botnet" can refer to any group of bots, such as IRC bots; it usually refers to a collection of compromised computers ("zombie computers") running software, typically installed via worms, Trojan horses, or backdoors, under a common command-and-control infrastructure (Wikipedia).
• In practice the term refers to an illegitimate group of computers infected with malicious robot software, known as a bot.
• "Bot" is short for "robot": an automated process that interacts with other network services.
• Bots usually automate tasks and provide information or services that would otherwise be carried out by a human.
Introduction (cont.)
• A botnet can be used for either beneficial or malicious purposes.
• Bots can log keystrokes, collect passwords, capture and analyze packets, gather financial information, launch DoS attacks, send spam, and open backdoors on the infected host. Bots have all the advantages of worms but are usually far more flexible in their infection vector, and are often adapted within a short time of a new exploit being published.
• Botnet sizes range from around ten thousand zombies for a larger one to only a thousand drones for a smaller one.
• The operation occurs without the knowledge or permission of the owners of the zombie or drone computers.
• The slave computers are usually controlled through Internet Relay Chat (IRC).
History of Botnets
• The phenomenon became popular in the late 1990s as a handy feature of IRC.
• Bots allowed operators to script automatic responses to activity in IRC channels, such as flooding or spamming.
• Those who were targeted started to write programs that would harm the IRC server.
• These attacks were named Denial of Service and Distributed Denial of Service attacks (DoS and DDoS).
• These attacks used to be launched from the IRC servers themselves.
• Bot authors then began designing their bots like worms, viruses and Trojans; these bots were controlled over IRC itself.
Contemporary Botnets
• It is estimated that bots affect around 5 percent of all users logged on to the Internet at a given time.
• Bots are usually written in C, C++, Delphi, and Perl.
• Bots have gained popularity among all age groups and all types of occupations.
• Bots are also freely available for download and use.
• It is hard to estimate precisely how many botnets are currently running on the web.
• IRC servers are typically installed and run on hacked computers.
• Many newcomers to the hacking community start by developing bots because they are comparatively easy to write and extend.
• Many kinds of malicious bots have already infected many machines and are still infecting the web.
Kinds of Bots
• There are many kinds of bots, but the most popular are Agobot, SDBot, Spybot, and GT Bot.
• Bots typically range from 1,000 to 25,000 lines of code.
• The larger the program, the greater the chance of it being detected and the harder it is to deploy on a machine.
• Agobot was created in early 2000.
• A customized version known as Phatbot is among the best currently in service, at 23,000 lines of code.
• Written in C and C++.
• Its capabilities depend on what the bot's creator wants.
• Characteristic functions: DoS attacks, harvesting PayPal passwords, backdoors, and blocking access to anti-virus sites.
Kinds of Bots (cont.)
• SDBot was also created in early 2000.
• A simple bot, normally 1,500 to 3,000 lines of code.
• Written in C.
• SDBot mainly acts as a command-and-control framework.
• It is easily updated and is mainly used for scanning, DoS attacks, and sniffing.
• This bot can also be customized, and can be updated and modified through an IRC channel.
• Spybot appeared in 2003.
• 2,500 to 3,500 lines of code.
• It is probably a variant of SDBot, since it shares much of the same core functionality.
• Scanning and flood attacks.
• It lacks the ability to be modified that some of the other bots have.
Kinds of Bots (cont.)
• GT Bot was created in the late 1990s.
• Many modified GT Bots were found across the web in the late 1990s.
• Its scripting capabilities were limited and it had only basic command-and-control functionality.
• It was quite simple to modify and customize, as it often came with instructions on how to do so.
• Characteristic functions included port scanning, DoS attacks, and exploits for RPC and NetBIOS services.
• All the bots mentioned above paved the way for the new generation of bots seen today. Present-day bots can be customized and updated effortlessly.
Examples of Botnets
• Trojans are executable programs.
• In Windows, executable programs have file extensions such as "exe", "vbs", "com", "bat", etc.
• Example Trojan filenames: "dmsetup.exe" and "LOVE-LETTER-FOR-YOU.TXT.vbs".
• Trojans can spread disguised as anything people find attractive, such as a free game, movie, or song.
• Victims download the Trojan from a web or FTP site, receive it via peer-to-peer file sharing, IRC or instant messaging, or as an email attachment.
• Trojans often do their damage silently.
• The most dangerous type of Trojan is the backdoor.
• It is also the most frequently encountered type.
• Backdoors are remote administration tools that open infected machines to outside control over a LAN or the Internet.
• They work in the same way as the legitimate remote administration programs often used by system administrators, hence the difficulty in detecting them.
Examples of Botnets (cont.)
• The only difference between a legitimate administration tool and a backdoor is that backdoors are installed and launched without the knowledge or permission of the user of the victim machine.
• Once launched, the backdoor monitors the local system without the user's knowledge.
• Backdoor activities can include sending or receiving, launching or deleting, and executing files, deleting data, and automatically rebooting the victim's machine.
• Backdoors are used by virus writers to find and download confidential information, execute malicious code, or destroy data.
• Backdoors have one particularly dangerous sub-category: variants that can spread like worms.
Examples of Botnets (cont.)
• PSW Trojans steal passwords, usually system passwords, from victim machines.
• They look for system files that contain confidential information such as passwords and Internet access numbers, then send this information to an email address hard-coded in the Trojan. It is then retrieved by the operator of the illegitimate program.
• The information stolen by PSW Trojans includes system information such as disk size, memory and other details, the IP address, and passwords for the various utilities used by the owner of the victim machine.
• Trojan clickers redirect victim machines to specific websites or other web resources.
• Clickers send the necessary commands to the browser or replace the system files where standard Internet URLs are stored.
• Clickers usually serve to raise the click count of a particular site for advertising purposes. They can also mount DoS attacks on a particular site.
• They can also redirect victim machines to a location where an attack is more likely.
Examples of Botnets (cont.)
• Trojan downloaders: this class of Trojan downloads and installs new malware or adware on the victim machine.
• It either launches the new malware or registers it to autorun according to the local operating system's conventions.
• RBot represents the large family of backdoors, hackers' remote access tools.
• These tools let an attacker control victims' computers remotely by sending specific commands over IRC channels; these backdoors can steal data and spread to the local network and to computers vulnerable to exploits.
• More than 4 million computers have been cleaned of Rbot by Microsoft's Malicious Software Removal Tool (MSRT) since January 2005.
• Microsoft has stated that 2,000 variants of Rbot make it onto the list every month.
• Rbot is a major information security threat today.
Examples of Botnets (cont.)
• Bobax is also a semi-automatic spreading Trojan.
• Similar in concept to bots like Agobot, the Trojan can spread unattended, but only when commanded to do so by its creator.
• Its main function is to build a huge automated spamming system.
• Unlike proxy Trojans, which require the spammer to connect and send each individual piece of mail, Bobax sends mail using a template and a list of email addresses.
• This has the advantage of shifting almost all the bandwidth cost of spamming onto the Trojaned machines, allowing the spammer to operate with very little.
• A proxy Trojan, Bobax scans IP addresses when commanded to.
• It uses HTTP to download the executable from a web server listening on a certain port on the attacker's host.
• The data is stored in a dropper file known as 'svc.exe'.
Examples of Botnets (cont.)
• The dropper writes a DLL with a random name to the temporary directory.
• The DLL is launched by injecting it into Explorer using a technique known as DLL injection. Since the code runs as a thread inside Explorer, it is not visible as a separate process.
• Bobax exploits a vulnerability in a Windows security component called the Local Security Authority Subsystem Service (LSASS).
• The LSASS flaw exists in all recent versions of Windows, but Bobax is programmed to target only Windows XP.
• Once installed on a system, Bobax contacts a website and asks for instructions on what to do next, such as sending spam or executing other programs.
Rootkits
• Rootkits are sets of programs that give an attacker administrator access to a computer or network of computers.
• Components of a rootkit include a backdoor agent (remote access on a hidden port), a keylogger, and other malicious software found in a bot.
• Rootkits can be used to hide files, services, and processes from detection by antivirus software.
• A computer's Internet Protocol stack uses ports to send and receive packets of information on the Internet.
• An attacker can use these very same ports (hidden ones) to sneak back in. Because rootkits can contain a backdoor, they let an attacker return at a later time while avoiding detection (an open port is an invitation to trouble).
• Public rootkits are those that have already been detected and can be removed by antivirus software. There are still private rootkits that have yet to be discovered or released publicly.
Rootkits (cont.)
In the Windows Task Manager shown here, a rootkit would be able to hide malicious programs like spyware or malware such as "bot.exe", and you would not be able to detect it.
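A process hidden from the task list can often still be found by asking the kernel through a second, independent path and comparing the two answers (cross-view detection). The following is an added example, not code from the presentation: the live collectors are Linux-specific (they read /proc and use kill(pid, 0)), the PID cap of 65536 is an assumption for the demo, and the constructed views at the bottom stand in for a host where PID 4242 has been hidden from the listing.

```python
"""Cross-view process detection: compare the process listing (what Task Manager
or `ps` shows) with a direct per-PID existence probe and report the difference.
Added example, not from the presentation. Linux-specific live collectors."""
import os


def hidden_pids(listing_view, probe_view):
    """PIDs the probe sees that the listing does not (sorted list)."""
    return sorted(set(probe_view) - set(listing_view))


def proc_listing():
    """View 1: the /proc directory, which process-list tools read."""
    return {int(name) for name in os.listdir('/proc') if name.isdigit()}


def pid_probe(max_pid=65536):
    """View 2: ask the kernel about every PID directly with kill(pid, 0).
    max_pid caps the scan (assumption for the example; pid_max may be higher)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)          # signal 0: existence check, nothing is delivered
        except ProcessLookupError:
            continue                 # no such process
        except PermissionError:
            pass                     # exists, but owned by another user
        alive.add(pid)
    return alive


def is_thread(pid):
    """kill(tid, 0) also succeeds for thread IDs, which never appear in the /proc
    listing. Use /proc/<pid>/status to drop those; an unreadable entry is kept,
    because a rootkit may be hiding it."""
    try:
        with open('/proc/%d/status' % pid) as fh:
            for line in fh:
                if line.startswith('Tgid:'):
                    return int(line.split()[1]) != pid
    except OSError:
        return False
    return False


def live_report():
    """Run both views on this host. Returns None where /proc is unavailable,
    otherwise the hidden PIDs plus a sanity check that our own PID was visible
    in both views (so the two views are actually comparable)."""
    if not os.path.isdir('/proc'):
        return None
    listing = proc_listing()
    probe = pid_probe()
    me = os.getpid()
    hidden = [p for p in hidden_pids(listing, probe) if not is_thread(p)]
    return {'hidden': hidden, 'self_visible': me in listing and me in probe}


if __name__ == '__main__':
    # Constructed views: PID 4242 answers kill(pid, 0) but is absent from the listing.
    print(hidden_pids({1, 2, 500, 501}, {1, 2, 500, 501, 4242}))
    print(live_report())
```

Processes that start or exit between the two snapshots show up as spurious differences, so in practice the comparison is repeated and only PIDs flagged every time are reported; a kernel-mode rootkit that hooks the system call itself defeats both views, which is why such checks are usually run from outside the suspect system (a boot disk or a hypervisor).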
Implementation of Botnets
• The easiest way for a bot to infect a computer is through social engineering.
• Social engineering works through manipulation or deception, for example an enticing pop-up advertisement.
• Clicking on the pop-up advertisement on the right may redirect you to a legitimate casino website … or it may install unwanted programs onto your computer (you never know).
• Other common forms of social engineering are email (spam), instant messaging scams, and phishing websites (sites that ask for personal information such as credit card numbers).
Phishing
• "Phishing" comes from the word "fish", as in fishing.
• A phisher pretends to be some other organization or person in an attempt to lure the victim into giving up information.
Spam
• Botnets can be used to harvest email addresses found anywhere on websites.
• For example, botnets commonly search for the @ symbol, since it is usually surrounded by the rest of a user's email address.
• John.Doe@yahoo.com
• Spam can then be sent to the harvested address and turns up in the user's email account.
• The body of a spam email may itself contain links that lead to malicious programs for download.
Instant Messaging Scams
• Botnets can also be used to send random instant messages to users, like the one shown on the right.
• In the picture, the bank's logo is authentic, but the link provided below it would redirect the person somewhere else.
• The link itself may trigger several downloads of unwanted programs onto the computer.
Picture taken from: http://www.microsoft.com/protect/yourself/phishing/identify.mspx
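The instant-messaging and phishing slides both turn on the same thing: the link a message shows is not where the link goes. The checker below is an added example, not code from the presentation. It pulls every link out of a message and flags the patterns a mail or IM filter would look for: the visible text names one domain while the href points to another, the href points at a bare IP address, a trusted name is embedded inside a different domain, or a "user@host" form puts the trusted name before the @ where it is not the host at all. The HTML message is constructed; examplebank.com, evil-host.example and the IP addresses are placeholders, and the "registrable domain" helper is a deliberate simplification (production code would use the public suffix list).

```python
"""Flag links whose visible text or structure disagrees with their real destination.
Added example for the phishing / IM-scam slides; not code from the presentation."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a bank-themed message mixing one honest link with three tricks.
SAMPLE_HTML = """
<p>Dear customer, please verify your account at
<a href="http://203.0.113.7/login">https://www.examplebank.com/secure</a>.</p>
<p>Help: <a href="https://www.examplebank.com/help">examplebank.com help</a></p>
<p><a href="http://www.examplebank.com.evil-host.example/">Click here</a></p>
<p><a href="http://examplebank.com@198.51.100.4/">www.examplebank.com</a></p>
"""

DOMAIN_RE = re.compile(r'\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b', re.I)
IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href', '')
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            self.links.append((self._href, ''.join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels, e.g. www.examplebank.com -> examplebank.com (simplification)."""
    return '.'.join(host.lower().split('.')[-2:])


def assess_link(href, text, trusted_domain):
    """Return the reasons a link looks deceptive (empty list = nothing found)."""
    parsed = urlparse(href if '://' in href else 'http://' + href)
    host = parsed.hostname or ''
    reasons = []
    if IPV4_RE.fullmatch(host):
        reasons.append('href points at a raw IP address')
    if parsed.username is not None:
        # http://bank.example@evil.example/ : everything before @ is userinfo, not the host
        reasons.append('href carries userinfo before @; the real host is ' + host)
    if trusted_domain in host and registrable(host) != trusted_domain:
        reasons.append('trusted name embedded inside a different domain: ' + host)
    shown = DOMAIN_RE.search(text)
    if shown and registrable(shown.group(1)) != registrable(host):
        reasons.append('visible text names %s but href goes to %s' % (shown.group(1), host))
    return reasons


def suspicious_links(html, trusted_domain):
    """All links in html with at least one reason, as (href, text, reasons) tuples."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = assess_link(href, text, trusted_domain)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == '__main__':
    for href, text, reasons in suspicious_links(SAMPLE_HTML, 'examplebank.com'):
        print(href, '|', text)
        for reason in reasons:
            print('   -', reason)
```

Run against the sample, only the "Help" link passes; the other three are reported with one, two and three reasons respectively. The same checks apply to a browser's status bar: hover over a link and compare the host shown there with the text you were asked to click.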
Hijacking
• Not all bots are bad. In fact, the original purpose of a bot was to make life easier for users by automating tasks.
• But if a "bad" bot hijacks one of these "good" bots, the potential for an attack on others is great (since the "good" bot is now a "bad" bot).
• The average person does not know how a bot works or how it is made; they probably only know how it is used (so bot programs are obtained from somewhere else).
• For example, a person may download a bot for use on his or her IRC channel (although there is really no way of knowing whether that bot is "good" or "bad").
• A very experienced bot operator who knows a lot about a bot's functions can easily build one that controls other bots.
• Those bots can then be used to infect the computers of the users of an Internet Relay Chat channel.
Distributed Denial of Service (DDoS) Attacks
• A Distributed Denial of Service attack is the sending of a large number of packets to a single computer in order to destabilize it, possibly resulting in a crash.
• Since botnets come in large numbers, this kind of attack can be performed easily.
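Two of the behaviours described on these slides leave a clear shape in network flow logs: the Introduction's IRC-controlled botnet shows up as many internal hosts rallying to one external server on an IRC port, and a DDoS shows up as many sources hitting one destination with an abnormal packet count in the same time window. The analyzer below is an added example for both passages, not code from the presentation. The flow records are constructed (timestamp, source, destination, destination port, packets), the IRC port set and the thresholds are assumptions, and the addresses are documentation ranges.

```python
"""Flow-log heuristics for two botnet behaviours: hosts rallying to one IRC
command-and-control server, and a many-to-one packet flood (DDoS).
Added example, not from the presentation; log lines are constructed."""
from collections import defaultdict

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port packets"
SAMPLE_FLOWS = """\
1000 10.0.0.11 203.0.113.5 6667 12
1001 10.0.0.12 203.0.113.5 6667 9
1002 10.0.0.13 203.0.113.5 6667 11
1003 10.0.0.14 203.0.113.5 6667 8
1004 10.0.0.15 198.51.100.9 443 40
1005 10.0.0.11 198.51.100.20 80 3000
1005 10.0.0.12 198.51.100.20 80 2800
1005 10.0.0.13 198.51.100.20 80 3100
1005 10.0.0.14 198.51.100.20 80 2900
1006 10.0.0.15 198.51.100.20 80 5
"""

IRC_PORTS = {6667, 6668, 6669, 7000}   # assumption: classic IRC server ports


def parse_flows(text):
    """Parse the five-column text format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        ts, src, dst, port, pkts = line.split()
        records.append({'ts': int(ts), 'src': src, 'dst': dst,
                        'port': int(port), 'packets': int(pkts)})
    return records


def irc_rally_points(records, min_clients=3):
    """External IRC servers that at least min_clients distinct internal hosts talk to.
    One workstation on IRC is normal; a fleet converging on one server is a rally point."""
    clients = defaultdict(set)
    for r in records:
        if r['port'] in IRC_PORTS:
            clients[r['dst']].add(r['src'])
    return {dst: sorted(srcs) for dst, srcs in clients.items() if len(srcs) >= min_clients}


def flood_targets(records, window=1, min_sources=3, min_packets=5000):
    """Destinations that, within one time window, receive many packets from many
    distinct sources at once: the many-to-one shape of a distributed flood."""
    agg = defaultdict(lambda: {'sources': set(), 'packets': 0})
    for r in records:
        key = (r['ts'] // window * window, r['dst'])
        agg[key]['sources'].add(r['src'])
        agg[key]['packets'] += r['packets']
    return [{'window_start': k[0], 'dst': k[1],
             'sources': len(v['sources']), 'packets': v['packets']}
            for k, v in sorted(agg.items())
            if len(v['sources']) >= min_sources and v['packets'] >= min_packets]


if __name__ == '__main__':
    flows = parse_flows(SAMPLE_FLOWS)
    print('IRC rally points:', irc_rally_points(flows))
    print('Flood targets:', flood_targets(flows))
```

Both rules are deliberately simple. The IRC rule catches only IRC-controlled bots; a botnet that takes orders over HTTP or a peer-to-peer protocol needs a different feature, such as periodic beaconing to the same host. The flood rule needs a baseline: min_packets should be set from what the destination normally sees, and the same hosts appearing in both findings, as they do in the sample, is the strongest signal of all.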
Anonymity while running bots
• A proxy is a gateway used to relay requests made by a user through a server.
• Proxies are commonly used as the gateway between you (the user) and, say, the Internet.
• Proxies are also used to hide information such as an IP address.
[Diagram: My Computer, real IP 192.168.0.123 -> Proxy Server -> My Computer (again), new IP (not the real one) 206.121.2.142]
• Proxies are therefore used for privacy and protection.
So proxies are a good thing, right?
• WRONG!!!
• Well … if they are used for their original purpose, proxy servers are good.
• But when a proxy server is controlled by a bad person, it serves the same functions as a malicious botnet.
• Proxy servers are gateways that link you to the Internet.
• Even though information sent through proxies is kept anonymous, it is still stored on servers, which can be illegally accessed.
Why do evil people use botnets?
• One … because they are evil.
• Two … they can make a profit.
  • Stealing credit card information
  • Hijacking PayPal accounts
  • Other types of fraud
• Three … they want to declare war on someone.
  • Do you hate Microsoft? Well … apparently there are quite a large number of programs designed specifically to attack their software.
  • Even evil people attack each other with DDoS attacks.
• Four … well …
  • Some evil people have nothing better to do and think it might be fun.
Tracking Botnets
• A common way of spotting botnets is to use a honeynet.
• A honeynet is a system deliberately set up with many security flaws.
• Honeynets are bait for a botnet's attack, except that honeynets are monitored by experts for study.
• For example, an unprotected computer is attacked by a botnet, but the information found on the attacked computer can in turn be used to catch the botnet (sort of like an anti-botnet botnet).
• With enough information, not only can botnets be tracked and removed, but the trail might even lead to the operators themselves.
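The smallest building block of a honeynet is a decoy service that records who connects and what they send, while offering nothing real to interact with. The listener below is an added example, not code from the presentation: it binds to 127.0.0.1 on an OS-chosen port, answers with an SMTP-style banner (an assumption; any banner would do) and logs the peer address and the first bytes received. The probe() function plays the part of a scanner so the whole exchange runs locally.

```python
"""A minimal low-interaction TCP honeypot: accept, show a banner, record the
first bytes, hang up. Added example for the honeynet slide; not from the presentation."""
import socket
import threading
import time


class TcpHoneypot:
    def __init__(self, host='127.0.0.1', port=0, banner=b'220 mail.example ESMTP ready\r\n'):
        self.banner = banner
        self.events = []                 # one dict per connection attempt
        self._lock = threading.Lock()
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))    # port 0: let the OS pick a free port
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, addr = self._sock.accept()
            except OSError:              # listening socket was closed
                return
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        conn.settimeout(2.0)
        data = b''
        try:
            conn.sendall(self.banner)    # look like a service, then only listen
            data = conn.recv(512)
        except OSError:
            pass
        finally:
            conn.close()
        with self._lock:
            self.events.append({'time': time.time(), 'peer': addr[0],
                                'peer_port': addr[1], 'first_bytes': data})

    def wait_for(self, count, timeout=5.0):
        """Block until at least count events are recorded (or timeout); return a copy."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            with self._lock:
                if len(self.events) >= count:
                    return list(self.events)
            time.sleep(0.05)
        with self._lock:
            return list(self.events)

    def close(self):
        self._sock.close()


def probe(port, payload, host='127.0.0.1'):
    """Behave like a scanner: connect, read the banner, send one line. Returns the banner."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(256)
        s.sendall(payload)
    return banner


def demo():
    """Start a honeypot, hit it once with a constructed payload, return what it logged."""
    hp = TcpHoneypot()
    banner = probe(hp.port, b'HELO bot.example\r\n')
    events = hp.wait_for(1)
    hp.close()
    return {'banner': banner, 'events': events}


if __name__ == '__main__':
    print(demo())
```

Nothing should ever connect to a decoy on purpose, so every event is interesting by definition; the recorded first bytes (a greeting, a login attempt, a download command) are what tie the connection back to a particular bot family, and the peer addresses accumulate into the list of infected hosts the slide describes.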
Protection against Botnets
• Antivirus software
  • Useful for removing known viruses, including previously discovered botnets.
  • Heuristic algorithms can detect slight variations of known botnets.
• Updates
  • Programmers are constantly finding flaws or exploits in their programs.
  • Usually they make patches and updates available to fix the problems.
  • Sometimes the fix is exactly what prevents a botnet attack.
  • Software removal programs (antivirus/antispyware) are constantly updated with new virus definitions, which may include botnets.
• Firewalls
  • An extra layer of protection between your computer and the Internet.
  • Unused ports (which could potentially be used by botnets) are hidden.
Protection against Botnets (cont.)
• Close programs
  • If you are not using an application that connects you to the Internet, make sure it is closed. Otherwise, someone else might be using it while you are not.
  • Shut down your computer. Some people with a broadband connection leave it on because it is more convenient, but that poses a risk.
• Be careful what you click
  • Watch out for spam, pop-up advertisements, and the like.
  • A good rule of thumb: if it is too good to be true, then it is not true.
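The firewall and "close programs" advice on the two Protection slides comes down to one question: which ports is this machine listening on, and is every one of them expected? The audit below is an added example, not code from the presentation. It parses the Linux /proc/net/tcp table (the same data netstat and ss read), decodes the kernel's hex address format, and reports listening ports outside an allowlist, distinguishing sockets bound to all interfaces ("exposed") from loopback-only ones. SAMPLE_TABLE is constructed; the allowlist of {22} is an assumption, and IPv6 sockets (/proc/net/tcp6) are not covered.

```python
"""Audit listening TCP sockets against an allowlist, from /proc/net/tcp.
Added example for the firewall / close-programs advice; not from the presentation."""
import os

# Constructed sample in /proc/net/tcp format: local and remote address are
# little-endian hex IPv4 plus hex port; st 0A = LISTEN, 01 = ESTABLISHED.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0B00000A:C350 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1 0000000000000000 100 0 0 10 0
"""

LISTEN = '0A'


def decode_addr(field):
    """'0100007F:0277' -> ('127.0.0.1', 631). The kernel stores the IPv4 bytes reversed."""
    ip_hex, port_hex = field.split(':')
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return '.'.join(octets), int(port_hex, 16)


def parse_tcp_table(text):
    """One dict per socket line; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 8:
            continue
        local_ip, local_port = decode_addr(parts[1])
        remote_ip, remote_port = decode_addr(parts[2])
        rows.append({'local_ip': local_ip, 'local_port': local_port,
                     'remote_ip': remote_ip, 'remote_port': remote_port,
                     'state': parts[3], 'uid': int(parts[7])})
    return rows


def listeners(rows):
    """Only sockets in LISTEN state: the ports an outsider could connect to."""
    return [r for r in rows if r['state'] == LISTEN]


def audit(rows, allowed_ports):
    """Listening ports outside the allowlist as (ip, port, verdict) tuples.
    'exposed' means bound to every interface; 'local-only' means loopback."""
    findings = []
    for r in listeners(rows):
        if r['local_port'] in allowed_ports:
            continue
        verdict = 'exposed' if r['local_ip'] == '0.0.0.0' else 'local-only'
        findings.append((r['local_ip'], r['local_port'], verdict))
    return findings


def live_audit(allowed_ports):
    """Run the audit on this host; None where /proc/net/tcp does not exist."""
    if not os.path.exists('/proc/net/tcp'):
        return None
    with open('/proc/net/tcp') as fh:
        return audit(parse_tcp_table(fh.read()), allowed_ports)


if __name__ == '__main__':
    print(audit(parse_tcp_table(SAMPLE_TABLE), {22}))
    print(live_audit({22}))
```

On the sample, port 22 is allowed, 631 is flagged but reachable only from the machine itself, and 6667 (the IRC port the bots on these slides use) is listening on every interface and owned by an ordinary user, which is exactly the kind of finding the firewall advice is meant to prevent. Running the live audit on a schedule and diffing the output against the previous run turns the slide's advice into a check rather than a hope.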
Conclusion
• Botnets are a relatively new threat and are always around.
• Knowledge of botnets is therefore somewhat limited, which is exactly why it is important to learn more about them: for prevention.
• Despite the growing knowledge and understanding of botnets, botnet innovation has grown at a proportional rate.
• Botnets are a real threat. Make sure you know how to avoid falling for their tricks, and some ways you can protect yourself.
Thank you. The End.