Malware: Botnets and Worms
By Apurba Dhungana
- Security Threat
- Prevention Techniques
- Detection Techniques
Botnet
- A botnet is a collection of compromised systems (computers) that
have been taken over by malicious software.
- The bots are controlled by a bot herder through one or more
command-and-control (C&C) servers.
- Bot software is generally installed on a system by malware: a worm,
a Trojan horse or another backdoor.
- The botnet is controlled by one person or by a group of people.
- Bots originated as a useful tool for carrying out repetitive and
time-consuming tasks.
- The first bot program was Eggdrop, written by Robey Pointer in 1993
as a helper bot for Internet Relay Chat (IRC).
- Bots have since evolved for malicious purposes.
- TFN, Trinoo and Stacheldraht (around 2000) were the first tools to
launch DDoS attacks from networks of compromised hosts.
- Attackers developed different ways to control bots, using IRC and
later P2P protocols.
- SpamThru, Agobot, SDBot, Bagle and similar bots: the average number
of spam messages sent per day by these botnets ranges from millions to
more than ten billion.
- According to USA Today, 40 percent of the 800 million computers
connected to the Internet are bots, used to send spam, viruses and mine
- Botnets have become a business.
Botnet Life Cycle
1) Spread Phase
2) Infection Phase
3) Command and Control
4) Attack Phase
Figure 1: Life Cycle Of Botnet
Source: Intel Corporation 2009
Botnet Command And Control (C&C)
1) Centralized Command and Control Technique: every bot connects to one
or a few C&C servers (classically IRC, later HTTP). Simple to operate,
but the server is a single point of failure that defenders can take down.
2) P2P Command and Control Technique: bots relay commands to each other
with no fixed server, so there is no single point to shut down.
Security Threats From Botnet
- Distributed Denial of Service (DDoS) attacks
- Phishing and identity theft
- Click fraud
- Hosting illegal material
- Identity Theft
Prevention Techniques for Botnets
- A high level of user awareness about online security.
- Keep systems up to date by installing OS updates and patches.
- Do not use pirated software, games or other illegal material
available online; it may contain malicious code.
- Use firewalls and antivirus/anti-spyware programs.
- Use CAPTCHA tests on websites and other services so that bots
cannot use them automatically.
Detection Techniques for Botnets
- Use honeypots to capture bot binaries and observe their C&C traffic.
- Monitor the network.
- Use IDS techniques to watch for DoS/attack traffic coming from
your own network.
- Examine flow characteristics such as bandwidth, duration and
timing: bots polling a C&C server produce small, regularly timed
flows, and many internal hosts connecting to the same external
address and port is a further indicator.
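The flow characteristics named above (bandwidth, duration, timing) can be turned into simple detectors. The following is an added example, not part of the original slides: it builds a constructed set of NetFlow-style records (a C&C heartbeat from three hosts to an IRC port, ordinary browsing from a fourth host, and an outbound flood from a fifth) and runs three checks over them. The record layout, the "10." internal prefix, the port numbers and every threshold are assumptions chosen for illustration.

```python
"""Flow-based botnet indicators over NetFlow-style records.

Added example, not from the original slides. The flow records are
constructed below; the record layout, the "10." internal prefix, the port
numbers and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from random import Random
from statistics import mean, pstdev

# One record: (start_time_s, src_ip, dst_ip, dst_port, bytes)  -- assumed layout
FLOWS = []
_rng = Random(1)  # fixed seed so the constructed data is reproducible


def _beacon(src, dst, port, start, period, count, jitter):
    """Constructed C&C heartbeat: small flows at a near-constant period."""
    for i in range(count):
        t = start + i * period + _rng.uniform(-jitter, jitter)
        FLOWS.append((t, src, dst, port, 120))


def _browse(src, gaps):
    """Constructed user browsing: irregular gaps to one web server."""
    t = 0.0
    for gap in gaps:
        t += gap
        FLOWS.append((t, src, "198.51.100.20", 443, 15000))


def _flood(src, dst, port, start, count, rate_per_s):
    """Constructed outbound flood: a burst of many flows, not periodic."""
    t = start
    for _ in range(count):
        t += _rng.uniform(0.0, 2.0 / rate_per_s)
        FLOWS.append((t, src, dst, port, 60))


for bot in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):
    _beacon(bot, "203.0.113.5", 6667, start=100.0, period=60.0, count=20, jitter=1.0)
_browse("10.0.0.20", [3, 120, 7, 400, 15, 2, 900, 30, 5, 60, 10, 200])
_flood("10.0.0.7", "198.51.100.9", 80, start=5000.0, count=200, rate_per_s=20)


def is_internal(ip):
    """Assumed site convention: our own hosts live in 10.0.0.0/8."""
    return ip.startswith("10.")


def beacon_candidates(flows, min_count=10, min_period=5.0, max_cv=0.1):
    """Timing check: {(src, dst, port): period_s} for outbound connection
    tuples whose inter-arrival times are nearly constant (low coefficient
    of variation) and slow enough to be a heartbeat rather than a flood."""
    by_tuple = defaultdict(list)
    for t, src, dst, port, _ in flows:
        if is_internal(src) and not is_internal(dst):
            by_tuple[(src, dst, port)].append(t)
    found = {}
    for key, times in by_tuple.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period >= min_period and pstdev(gaps) / period <= max_cv:
            found[key] = round(period)
    return found


def fan_in_candidates(flows, min_sources=3):
    """Rendezvous check: {(dst, port): [internal sources]} for external
    endpoints contacted by at least min_sources distinct internal hosts."""
    sources = defaultdict(set)
    for _, src, dst, port, _ in flows:
        if is_internal(src) and not is_internal(dst):
            sources[(dst, port)].add(src)
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}


def flood_candidates(flows, window_s=10.0, min_flows=100):
    """Rate check: sorted (src, dst) pairs with at least min_flows flows
    inside some window_s-second sliding window (outbound DoS traffic)."""
    by_pair = defaultdict(list)
    for t, src, dst, _, _ in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append(t)
    hits = []
    for pair, times in by_pair.items():
        times.sort()
        left = 0
        for right in range(len(times)):
            while times[right] - times[left] > window_s:
                left += 1
            if right - left + 1 >= min_flows:
                hits.append(pair)
                break
    return sorted(hits)


if __name__ == "__main__":
    print("beacons:", beacon_candidates(FLOWS))
    print("fan-in :", fan_in_candidates(FLOWS))
    print("floods :", flood_candidates(FLOWS))
```

In a real deployment the constructed list would be replaced by exported NetFlow/IPFIX records, and known periodic traffic (NTP, update checks, monitoring agents) would be whitelisted before low-variance timing is treated as a C&C beacon; the three hosts hitting the same external address on the same port is what turns one suspicious host into a botnet finding.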
Worms
- A computer worm is an independent program that reproduces across a
network by exploiting a vulnerability in other hosts, without any user
action.
- A virus, by contrast, requires some sort of user action to start.
- The term "worm" was first applied to a self-replicating computer
program in John Brunner's science-fiction novel "The Shockwave Rider".
- The first worm was the Morris Worm, written in 1988 by a Cornell
computer science student; it exploited a buffer overflow in the fingerd
daemon, among other weaknesses.
- Melissa (1999), estimated damage $1.1 billion: abused Microsoft
Outlook; once executed it mailed itself to the first 50 addresses in
the Outlook address book.
- I LOVE YOU (2000), estimated damage $8.75 billion: instead of sending
a copy to the first 50 addresses like Melissa, it mailed itself to every
address in the host's address book. It overwrote important files and
downloaded a Trojan horse that stole information.
- Code Red (2001), estimated damage $2.6 billion: exploited a buffer
overflow in Microsoft IIS, provided command-line control of the web
server to anyone who knew it was compromised, and also launched DoS
attacks.
- Nimda (2001), estimated damage $645 million: more advanced, with
several different means of propagation. It was the first worm to carry
its own email (SMTP) engine, so it did not depend on the host's email
program to propagate.
Worms Life Cycle
- Initialization Phase
- Payload Activation Phase
- Network Propagation Phase
  - Target Acquisition
  - Network Reconnaissance
  - Attack
- Dormant Phase
Initialization Phase
- In the initialization phase the worm installs itself on the victim
machine, copying the necessary files into memory and onto the hard
drive.
- The worm also tries to disable antivirus software or the firewall.
- When this phase is complete the machine is infected.
Payload Activation Phase
- The worm unleashes its attack, either against another target or
against the host itself.
- A common payload is a DDoS attack.
Network Propagation Phase
- This is the phase in which the worm concentrates on spreading to
other machines.
- It has three sub-phases.
- Target Acquisition Sub-Phase
  - The worm builds a list of systems to target.
  - Targets come from a prepared hit list or are generated by a PRNG
(random scanning of the address space).
  - I LOVE YOU used the victim's address book.
  - NetSky searched web files on the victim's hard drive for email
addresses.
  - This is the crucial phase for the success of a worm.
- Network Reconnaissance Sub-Phase
  - In this phase the worm finds the vulnerable hosts among the list
of IP addresses generated by the target acquisition sub-phase.
- Attack Sub-Phase
  - The worm tries to take control of the identified hosts.
  - A successful attack leads to the initialization phase on the
target machine.
Dormant Phase
- A period during which the worm becomes inactive; it may be a
temporary phase or the end of the worm's activity.
Figure 2: Life Cycle Of Worms
Source: Internet Worms threats, attacks by Sean Lau
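To show why the target-acquisition sub-phase is called the crucial one, here is an added simulation (not from the original slides or from the cited figure source) that compares PRNG-driven random scanning with a pre-built hit list in a toy address space. It never touches a network: addresses are integers, the vulnerable hosts are a set, and the address-space size, scan rate, hit-list size and the partitioned hand-over of the hit list are assumptions chosen for illustration.

```python
"""Toy simulation of a worm's target-acquisition sub-phase: PRNG random
scanning versus a pre-built hit list.

Added example, not from the original slides. No network is involved:
addresses are integers 0..ADDRESS_SPACE-1, the vulnerable hosts are a set,
and the constants below are assumptions chosen for illustration.
"""
from random import Random

ADDRESS_SPACE = 1 << 16   # assumed size of the scanned address space
N_VULNERABLE = 2000       # assumed number of hosts the worm can infect
SCAN_RATE = 50            # assumed scans per infected host per tick
HITLIST_SIZE = 200        # assumed size of the attacker's pre-scanned list


def make_population(seed=7):
    """Constructed, deterministic set of vulnerable addresses."""
    return set(Random(seed).sample(range(ADDRESS_SPACE), N_VULNERABLE))


def make_hitlist(vulnerable, seed=7):
    """Constructed hit list: addresses the attacker found vulnerable in
    advance, i.e. reconnaissance done before the worm is released."""
    return Random(seed).sample(sorted(vulnerable), HITLIST_SIZE)


def simulate(vulnerable, hitlist=(), seed=11, max_ticks=500):
    """Return the number of infected hosts after each tick.

    Each infected host scans SCAN_RATE addresses per tick. It first works
    through its own slice of the hit list; once that is empty it draws
    addresses from a PRNG. When it infects a new host it hands over half of
    its remaining hit list (partitioned scanning), so the list is consumed
    in parallel. Hosts infected during a tick start scanning next tick.
    """
    rng = Random(seed)
    patient_zero = min(vulnerable)
    infected = {patient_zero}
    queues = {patient_zero: list(hitlist)}
    curve = [len(infected)]
    for _tick in range(max_ticks):
        if len(infected) == len(vulnerable):
            break
        for host in list(infected):
            for _scan in range(SCAN_RATE):
                queue = queues[host]
                target = queue.pop() if queue else rng.randrange(ADDRESS_SPACE)
                if target in vulnerable and target not in infected:
                    infected.add(target)
                    half = len(queue) // 2
                    queues[target], queues[host] = queue[:half], queue[half:]
        curve.append(len(infected))
    return curve


def ticks_to_fraction(curve, fraction, total):
    """First tick at which at least fraction*total hosts are infected."""
    for tick, n in enumerate(curve):
        if n >= fraction * total:
            return tick
    return None


def compare(seed=7):
    """Run both strategies on the same population and summarise them."""
    vulnerable = make_population(seed)
    total = len(vulnerable)
    random_curve = simulate(vulnerable)
    hitlist_curve = simulate(vulnerable, make_hitlist(vulnerable, seed))
    return {
        "random_ticks_to_90pct": ticks_to_fraction(random_curve, 0.9, total),
        "hitlist_ticks_to_90pct": ticks_to_fraction(hitlist_curve, 0.9, total),
        "random_final": random_curve[-1],
        "hitlist_final": hitlist_curve[-1],
    }


if __name__ == "__main__":
    print(compare())
```

Both strategies eventually infect every vulnerable host, but the hit-list worm reaches 90 percent several ticks earlier because it skips the slow early phase in which a lone random scanner mostly hits addresses that are empty or not vulnerable. That head start is exactly what the reconnaissance work in the target-acquisition sub-phase buys the attacker, and it is why defenders watch for the scanning that precedes a release.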
Security Threats from Worms
- Distributed Denial Of Service Attack.
- Install Rootkits or Backdoor programs
- Data Damage
- Compromising a computer system
- Other malicious activities
Prevention Techniques for Worms (by layer)
- User: education against social engineering.
- Apply patches to prevent buffer overflows.
- Identify, monitor and protect.
- Application: change the configuration of software; block ports that
are vulnerable.
- Transport: secure the endpoints of communication.
- Focus on packets transmitted in
- Authorization enforcement facility.
- Physical: cut the wire.