A presentation about Botnets

1. Botnets - Detection and Mitigation
Literature study presentation
By
Ajit Skanda Kumarawamy (1735764)
Faculty of Exact Sciences
VU Amsterdam
Under the guidance of
Dr.Corina Stratan
Faculty of Exact Sciences
VU Amsterdam

2. Topics
 Introduction
Study of botnet detection and mitigation
techniques
 Storm worm
 BotHunter
 BotSniffer
 RBSeeker
 Torpig Botnet Takeover
 Conclusion

3. Botnets – an introduction
 What is a bot?
 A computer that is running piece of malware
 Without knowledge of host/owner through external instructions
 Can be self-propogating
 What is a botnet?
 A co-ordinated group of bots under the control of a botmaster
 Act in a similar or co-related manner
 Used for fraudulant and abusive activities

4. Types of Botnets
 IRC based
 HTTP based
 P2P based

5. Attacks of botnets
 DDOS attacks
 Spamming
 Key logging and data/identity thefts
 Phishing and pharming
 Click fraud
 Distribution of other adware/spyware.

6. C&C and its role
 Command and Control – nerve centre of botnets
 Publish/push commands
 (Re)Organize botnets into subnets
 Methods of communication
Key component of botnet mitigation is to identify
C&C communication protocol

7. Methods for identifying botnets
 Signature based detection
Compare incoming and outgoing packets of data to a set of known
signatures of bot binaries
 Anomaly based detection
An analytical method for identifying and studying botnets rather
than a preventative process
Analyse the network traffic for any irregular behavior like TCP Syn
scanning

8. Steps for mitigation of botnets
The three generic steps for mitigation of botnets:
 Acquiring and analyzing a bot.
 Infiltrate the botnet.
Identify and takedown the C&C server/
botmaster.

9. Storm worm – a case study
Most virulent P2P bot out there in the wild
(Peacomm,Nuwar or Zhelatin)
 Uses the OVERNET and an own P2P network
Propogates using e-mails (attachment or
embedded link)
 Uses specific keys as rendezvous point/ mailbox
 Controller publishes commands at keys

10. Storm worm – analysis and
mitigation
Obtain bot binary using a spam trap and a client
honeypot
 Compute keys - two methods
 Use a Sybil attack to infiltrate the Stormnet
 Mitigate using Eclipsing content and polluting

11. BotHunter – Infection lifecycle
model

12. BotHunter - Architecture

13. BotSniffer – Spatial temporal
correlation and similarity

14. BotSniffer - Architecture

15. RBSeeker
 Used for detecting Redirection bots
 Spam source sub-system
 Netflow analysis sub-system
 Active DNS anomaly detection sub-system
 Correlation of aggregated data

16. Takeover of the Torpig Botnet
 Data harvesting bot - financial data
 Fast flux vs Domain flux
 Deterministic DGA and weak C&C
communication procedure
 Sinkholing .net and .com domains
 25/01/2009 – 04/02/2009
 8310 accounts with range of $83K - $8.3M

17. Conclusions
 Botnets provide services to interested parties
Botnet detection techniques should go hand in
hand
Co-operation between authorities, registrars,
ISPs
Lower layers of Botnet infrastructure should be
dismantled

18. Thank you