Botnets and Worms

Document Sample
Botnets and Worms Powered By Docstoc
					Malware: Botnets and Worms

     By Apurba Dhungana

- Introduction
- History
- LifeCycle
- Security Threat
- Prevention Techniques
- Detection Techniques
- Conclusion
-It is collection of compromised system/computers
That is taken by malicious software.

- Bots are controlled by the bot herder by using
one or more C&C server.

- Bots is generally installed in on system through
malware,worms,trojan horse or other back door.

- Controlled by one person or group of people.
- Originated as useful feature for carrying out
repetitive task and time consuming operation.

- First Bot program was eggdrop created by Jeff
Fisher in 1993 was useful for Internet relay Chat.

- Nowadays evolved for a malicious intent.

- TFN,Trinoo,Stacheldraht(2000) started      DDOS
- Attacker create different way to control bot by
  Using P2P and IRC.

- Spam Thru,Ago Bot, SD Bot, Bagle etc average
spam email send by these bot per day ranges
from million to more then ten billion message.

- According to USToday 40 percent of the 800
million computer connected to the Internet are bot
that used to send a spam, virus and mine
personal data.

- Botnet has become a buisness.
              Botnet Lifecycle
1) Spread Phase

2) Infection Phase

3) Command and Control

4) Attack Phase
                      Botnet Lifecycle

Figure 1: Life Cycle Of Botnet
Source: Intel Corporation 2009
 Botnet Command And Control(C&C)
1) Centeralized Command and Control Technique
            e.g Agobot,Rbot,SDbot,Zobot.

2) P2P Command and Control Technique
          e.g Phatbot,Sinit.
      Security Threats From Botnet
- Distributed Denial Of Service(DDos) Attack

- Spamming

- Phishing and Identity Theft

- Click Fraud

- Hosting Illegal Material

- Identity Theft
            Prevention Technique
- High level of awareness about on line security and

- System must be upto date by installation of OS updates
and patches.

- Do not use pirated software,games or other illegal
material available online they may contain malicious

- Use of Firewalls and antivirus/anti spyware program.

- Use Of CAPTCH Test for website and otherservices to
prevent against botnet.
           Detection Technique

- Use of Honeypot.

- By monitoring the network.

- Use IDS technique to watch DOS/Attacks traffic
coming from a your network.

-Examine    the     flow    characteristic   such
bandwidth,duration and timing.
                   What is
- Computer worm is a independent program that
reproduce across a network by exploiting a
security flaws.

- Virus require some sort of user action to start
- The term worm was applied to self replicating
computer program by John Bruner sci fi novel        “The
shock wave rider”.

- First worm was Morris Worm that was developed in
1988 by a Yale computer science student,it exploit the
buffer overflow vulnerabilities.

- Melissa (1999) est. damage $1.1 billion
   Using holes in microsoft outlook,once executed it will
spread through 50 address in outlook address book.

- I LOVE YOU (2000) est damage $ 8.75 billion

Instead of sending a copy of worm to first 50 address in
the host like melissa it used a every single address of the
host to overwrote a important files and download
Trojan Horse that will steal information.

Code Red (2001) est damage 2.6 billion
  Exploit the vulnerabilities in IIS,provide a command line
control to who know the web server is compromised. Also
launch DOS attacks.

NIMDA(2001) est damage $645 million
     Advance feature and different means of
propogation.First worm that has Email program,it do not
depend upon Host email program to propagate.
              Worms Life Cycle

- Initialization Phase

- Payload Activation Phase

- Network Propagation Phase
     - Target acquisition
     - Network Reconnaissance
     - Attack

- Dormant Phase
             Initialization Phase

- In the initialization phase worms install in victim
machine copy the necessary files into memory
and hard drive.

- Worms also try to disable the antivirus or firewall.

- Phase complete machine is infected.
      Payload Activation Phase

- It unleashes the attack towards the another
target or host itself.

- Common payload is DDOS attack.
      Network Propagation Phase
- It is phase where a worms concentrate on
spreading to other machine.

- Three sub phases
      - Target Acquisition
            - In worms create a list of systems to
            -    Have     hitlist     or    PRNG.
- I LOVE YOU use victim address book.
         - NetSky search for the webfiles on the
- victim harddrive for email address.
         - Crucial phase for success of worm
 - Network Reconnaissance Sub Phase
        - In this phase it find out vulnerable host
          Using list of IP address generated by
          Target acquisition phase.

 - Attack Sub-Phase
       - Worms try to take control of the identified
       - Successful attack will lead to intializatiton
phase in target machine.

 - Dormant Phase

      - It is a period of time where worm become
inactive may be temporary phase or end of worms
life cycle.
Figure 2 Life Cycle Of worms
Source:Internet Worms threats,attacks by Sean Lau
      Security Threats from Worms
- Distributed Denial Of Service Attack.

- Install Rootkits or Backdoor programs

- Data Damage

- Compromising a computer system

- Other malicious activities
              Defense Mechanism
                   User Education(Social Engineering)

                   Apply patches to prevent buffer overflow
                   Identify Monitor and Protect
Application        Changing the configuration of software

                   Block ports that vulnerable
Transport          Securing the point of communication

                   Focus on packets transmitted in
 Network           network
                   Authorization Enforcement Facility

 Physical          Cut the wire

Shared By: