Malware: Botnets and Worms By Apurba Dhungana
Outline - Introduction - History - Life Cycle - Security Threats - Prevention Techniques - Detection Techniques - Conclusion
Botnets - A botnet is a collection of compromised systems (bots) that have been taken over by malicious software. - The bots are controlled by a bot herder through one or more command-and-control (C&C) servers. - The bot software is generally installed on a system by malware: worms, Trojan horses or other backdoors. - A botnet is controlled by one person or by a group of people.
History - Bots originated as a useful feature for automating repetitive, time-consuming tasks. - The first bot program, Eggdrop, created by Jeff Fisher in 1993, was used to manage Internet Relay Chat (IRC) channels. - The same mechanism has since been adapted for malicious intent. - TFN, Trinoo and Stacheldraht (around 2000) were the first tools used to launch distributed denial-of-service (DDoS) attacks from networks of compromised hosts.
History - Attackers have created different ways to control bots, using IRC and P2P channels. - Spam Thru, Agobot, SDbot, Bagle and similar bots send spam e-mail at rates ranging from millions to more than ten billion messages per day. - According to USA Today, 40 percent of the 800 million computers connected to the Internet are bots used to send spam and viruses and to mine personal data. - Running a botnet has become a business.
Botnet Lifecycle 1) Spread Phase 2) Infection Phase 3) Command and Control 4) Attack Phase
Botnet Lifecycle Figure 1: Life cycle of a botnet. Source: Intel Corporation, 2009.
Botnet Command and Control (C&C) Techniques 1) Centralized command and control, e.g. Agobot, Rbot, SDbot, Zobot. Every bot reports to the same server (typically IRC), so that server is a single point of failure: taking it down or blocking its address decapitates the whole botnet. 2) P2P command and control, e.g. Phatbot, Sinit. Bots relay commands to each other, so there is no single server to take down, at the cost of a more complex protocol that is also harder for the herder to keep coherent.
Security Threats From Botnets - Distributed denial-of-service (DDoS) attacks - Spamming - Phishing and identity theft - Click fraud - Hosting illegal material
Prevention Techniques - A high level of awareness about online security and privacy. - Keep systems up to date by installing OS updates and patches. - Do not use pirated software, games or other illegal material available online; they may contain malicious code. - Use firewalls and antivirus/anti-spyware programs. - Use CAPTCHA tests on websites and other services so that bots cannot abuse them (account sign-up, comment forms, polls).
Detection Techniques - Use of honeypots to capture bot binaries and observe their C&C traffic. - Monitoring the network. - Use IDS techniques to watch for DoS/attack traffic leaving your network. - Examine flow characteristics such as bandwidth, duration and timing: bots checking in with a C&C server produce small, regularly spaced connections that normal user traffic does not.
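The timing-based detection above, as an added example that is not part of the presentation: it takes flow records (timestamp, source, destination, port, bytes), flags conversations whose inter-flow intervals are nearly constant (low coefficient of variation), and then groups the flagged sources by destination, since several hosts beaconing to one endpoint is the signature of a centralized C&C server. The flow records, IP addresses, the IRC port 6667 and the thresholds (at least 5 flows, CV at most 0.15) are constructed for the example and are assumptions, not data from the slides.

```python
"""Flow-based botnet C&C beacon detection (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows, not real traffic: (t_seconds, src, dst, dport, bytes).
# 10.0.0.5 and 10.0.0.8 check in to the same server roughly every 60 s (bot-like);
# 10.0.0.7 browses at irregular intervals (normal user traffic).
SAMPLE_FLOWS = (
    [(t, "10.0.0.5", "203.0.113.10", 6667, 310)
     for t in (0, 61, 119, 181, 240, 299, 362, 420, 479, 541)]
    + [(t, "10.0.0.8", "203.0.113.10", 6667, 305) for t in range(5, 600, 60)]
    + [(t, "10.0.0.7", "198.51.100.20", 443, b)
       for t, b in zip((0, 3, 45, 50, 52, 200, 201, 480, 900, 905),
                       (1200, 800, 4300, 900, 15000, 600, 700, 2200, 900, 3100))]
    + [(10, "10.0.0.7", "198.51.100.33", 80, 500),
       (700, "10.0.0.7", "198.51.100.34", 80, 700)]
)


def find_beacons(flows, min_flows=5, max_cv=0.15):
    """Return {(src, dst, dport): (n_flows, mean_interval, cv)} for conversations
    whose inter-flow gaps are nearly constant.  cv = stddev/mean of the gaps;
    a human-driven conversation has cv well above 1, a timer-driven one near 0."""
    by_conv = defaultdict(list)
    for t, src, dst, dport, _size in flows:
        by_conv[(src, dst, dport)].append(t)
    beacons = {}
    for conv, times in by_conv.items():
        if len(times) < min_flows:          # too few samples to judge periodicity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        if mu <= 0:
            continue
        cv = pstdev(gaps) / mu
        if cv <= max_cv:
            beacons[conv] = (len(times), round(mu, 1), round(cv, 3))
    return beacons


def rank_cnc_candidates(beacons):
    """Group beaconing sources by destination (dst, dport), most sources first.
    One endpoint contacted periodically by many internal hosts is the
    centralized C&C pattern; the sources are the bots to clean up."""
    by_server = defaultdict(set)
    for (src, dst, dport) in beacons:
        by_server[(dst, dport)].add(src)
    return sorted(by_server.items(), key=lambda kv: -len(kv[1]))


if __name__ == "__main__":
    found = find_beacons(SAMPLE_FLOWS)
    for conv, stats in sorted(found.items()):
        print("beacon", conv, "flows=%d mean_gap=%.1fs cv=%.3f" % stats)
    for server, sources in rank_cnc_candidates(found):
        print("C&C candidate", server, "contacted by", sorted(sources))
```

Legitimate timer-driven traffic (NTP, software update checks, monitoring agents) is periodic too, so in practice the ranked list is triaged against an allow-list of known-good destinations, and the byte-size column is used as a second feature: bot check-ins are small and uniform in size, which the jittered timestamps of a smarter bot cannot hide as easily as the interval.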
What is a Worm - A computer worm is an independent program that reproduces itself across a network by exploiting security flaws; it needs no host program and no user action. - A virus, by contrast, requires some sort of user action (opening a file, running a program) to start propagating.
History - The term worm was first applied to a self-replicating computer program in John Brunner's science-fiction novel "The Shockwave Rider". - The first worm was the Morris worm, released in 1988 by Robert Tappan Morris, then a Cornell graduate student; it exploited a buffer overflow in the BSD fingerd daemon among other weaknesses. - Melissa (1999), estimated damage $1.1 billion: used holes in Microsoft Outlook; once executed it mailed itself to the first 50 addresses in the Outlook address book. - ILOVEYOU (2000), estimated damage $8.75 billion.
History - ILOVEYOU: instead of sending a copy of itself to the first 50 addresses on the host as Melissa did, it mailed itself to every single address on the host. It overwrote important files and downloaded a Trojan horse that stole information. - Code Red (2001), estimated damage $2.6 billion: exploited a vulnerability in Microsoft IIS and gave command-line control of the web server to anyone who knew it was compromised; it also launched DoS attacks. - Nimda (2001), estimated damage $645 million: advanced features and several different means of propagation. It was the first worm to carry its own e-mail engine, so it did not depend on the host's mail program to propagate.
Worms Life Cycle - Initialization Phase - Payload Activation Phase - Network Propagation Phase - Target Acquisition - Network Reconnaissance - Attack - Dormant Phase
Initialization Phase - In the initialization phase the worm installs itself on the victim machine, copying the necessary files into memory and onto the hard drive. - The worm also tries to disable antivirus software or the firewall. - When this phase completes, the machine is infected.
Payload Activation Phase - The worm unleashes its attack, either against another target or against the infected host itself. - A common payload is a DDoS attack.
Network Propagation Phase - In this phase the worm concentrates on spreading to other machines. - It has three sub-phases: target acquisition, network reconnaissance and attack. - Target Acquisition Sub-Phase - The worm builds a list of systems to infect. - It may use a pre-computed hit list or a pseudo-random number generator (PRNG) to pick addresses. - ILOVEYOU used the victim's address book. - NetSky searched the web files on the victim's hard drive for e-mail addresses. - This is the crucial phase for the success of a worm: random scanning wastes most probes on addresses that are empty or not vulnerable, while a hit list lets every copy hit a vulnerable host from its first probe.
- Network Reconnaissance Sub-Phase - The worm finds vulnerable hosts among the IP addresses generated in the target acquisition sub-phase. - Attack Sub-Phase - The worm tries to take control of the identified host. - A successful attack leads to the initialization phase on the target machine. - Dormant Phase - A period of time in which the worm becomes inactive; it may be a temporary phase or the end of the worm's life cycle.
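Why the target acquisition sub-phase decides a worm's speed, as an added example that is not part of the presentation: a discrete-time model of the propagation phase in which every infected host probes a fixed number of addresses per tick, comparing PRNG-driven random scanning of the whole address space against a pre-computed hit list shared among the copies (the "Warhol worm" idea from Staniford, Paxson and Weaver's 2002 paper "How to 0wn the Internet in Your Spare Time"). The address-space size, vulnerable-population size, probe rate and seed are assumptions chosen to keep the run fast; the model does no network I/O and performs no actual scanning.

```python
"""Worm propagation model: random scanning vs. hit list (added example)."""
import random


def simulate(address_space, n_vulnerable, scans_per_tick, strategy,
             seed=1, max_ticks=10_000):
    """Return the number of infected hosts after each tick (index 0 = patient zero).

    strategy == "random":  each probe picks a uniformly random address (PRNG).
    strategy == "hitlist": the attacker pre-scanned the vulnerable addresses;
                           each copy pops untried entries from the shared list.
    The reconnaissance and attack sub-phases are collapsed into one step:
    a probe of a vulnerable, not-yet-infected address always succeeds.
    """
    rng = random.Random(seed)                      # seeded: the run is repeatable
    vulnerable = set(rng.sample(range(address_space), n_vulnerable))
    patient_zero = min(vulnerable)
    infected = {patient_zero}
    hitlist = [a for a in vulnerable if a != patient_zero]
    rng.shuffle(hitlist)
    history = [len(infected)]
    for _tick in range(max_ticks):
        if len(infected) == n_vulnerable:
            break
        newly_infected = set()
        for _host in infected:                     # every copy scans in parallel
            for _probe in range(scans_per_tick):
                if strategy == "random":
                    target = rng.randrange(address_space)
                elif strategy == "hitlist":
                    if not hitlist:
                        break                      # list exhausted: nothing left
                    target = hitlist.pop()
                else:
                    raise ValueError("unknown strategy: %r" % strategy)
                if target in vulnerable and target not in infected:
                    newly_infected.add(target)
        infected |= newly_infected                 # new victims start next tick
        history.append(len(infected))
    return history


def ticks_to_fraction(history, fraction, total):
    """First tick at which at least `fraction` of the vulnerable population is infected."""
    goal = fraction * total
    return next(i for i, n in enumerate(history) if n >= goal)


# Assumed parameters: a /16-sized space, 2000 vulnerable hosts, 10 probes per tick.
SPACE, VULN, RATE = 65_536, 2_000, 10


def compare():
    """Ticks needed to reach 90 % infection under each strategy."""
    return {
        s: ticks_to_fraction(simulate(SPACE, VULN, RATE, s), 0.9, VULN)
        for s in ("random", "hitlist")
    }


if __name__ == "__main__":
    for strategy, ticks in compare().items():
        print("%-8s reaches 90%% of vulnerable hosts after %d ticks" % (strategy, ticks))
```

The random scanner shows the classic S-curve: a long slow start while the single copy mostly probes empty or invulnerable addresses, then exponential growth, then a slow tail as the last hosts are found by chance. The hit-list worm skips the slow start entirely, which is why the target acquisition sub-phase, not the exploit, is what limits how fast a worm can own the vulnerable population.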
Figure 2: Life cycle of a worm. Source: Internet Worms: Threats, Attacks, by Sean Lau.
Security Threats from Worms - Distributed denial-of-service attacks. - Installation of rootkits or backdoor programs. - Data damage. - Compromise of a computer system. - Other malicious activities.
Defense Mechanisms, by layer - User: user education (against social engineering). - Application: apply patches to prevent buffer overflows; identify, monitor and protect; change the configuration of vulnerable software. - Transport: block ports that are vulnerable; secure the endpoints of communication. - Network: focus on the packets transmitted in the network; authorization enforcement facility. - Data Link: (no mechanism listed). - Physical: cut the wire.