1. Botnets - Detection and Mitigation
Literature study presentation
By
Ajit Skanda Kumarawamy (1735764)
Faculty of Exact Sciences
VU Amsterdam
Under the guidance of
Dr. Corina Stratan
Faculty of Exact Sciences
VU Amsterdam
3. Botnets – an introduction
What is a bot?
A computer running a piece of malware
Controlled through external instructions, without the knowledge of the host/owner
Can be self-propagating
What is a botnet?
A co-ordinated group of bots under the control of a botmaster
Bots act in a similar or correlated manner
Used for fraudulent and abusive activities
5. Attacks of botnets
DDoS attacks
Spamming
Key logging and data/identity thefts
Phishing and pharming
Click fraud
Distribution of other adware/spyware.
6. C&C and its role
Command and Control – nerve centre of botnets
Publish/push commands
(Re)Organize botnets into subnets
Methods of communication
A key component of botnet mitigation is identifying the C&C communication protocol
7. Methods for identifying botnets
Signature-based detection
Compare incoming and outgoing packets to a set of known signatures of bot binaries
Anomaly-based detection
An analytical method for identifying and studying botnets rather than a preventative process
Analyse network traffic for irregular behaviour such as TCP SYN scanning
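The SYN-scanning heuristic on this slide, as an added example that is not part of the original presentation. It works on constructed flow records (source, destination, destination port, cumulative TCP flags), which is how NetFlow-style exporters summarise a connection: a flow that carries a SYN but never an ACK is a handshake that was never completed, and a host with many such flows to many distinct targets is behaving like a scanner. The thresholds and the sample flows are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed flow records: (src IP, dst IP, dst port, cumulative TCP flags seen on the flow).
# A flow whose flags contain S but never A is a SYN that got no handshake, typical of scanning.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.1", 80, "SAF"),
    ("10.0.0.5", "192.0.2.1", 443, "SA"),
    ("10.0.0.5", "192.0.2.2", 443, "SAF"),
    ("10.0.0.5", "192.0.2.3", 25, "S"),      # one timed-out attempt: normal background noise
    ("10.0.0.9", "192.0.2.1", 80, "SA"),
] + [("10.0.0.9", "192.0.2.10", port, "S")
     for port in (21, 22, 23, 25, 80, 110, 139, 443)]  # SYN sweep across one host's ports


def syn_only(flags):
    """True when the flow saw a SYN but never an ACK (handshake never completed)."""
    return "S" in flags and "A" not in flags


def detect_syn_scanners(flows, min_targets=5, min_ratio=0.8):
    """Flag sources whose traffic is dominated by half-open connections to many distinct targets.

    min_targets: distinct (dst, port) pairs hit with SYN-only flows before a host is suspect.
    min_ratio:   share of the host's flows that must be SYN-only, so a busy but healthy
                 client with a few failed connections is not flagged.
    """
    stats = defaultdict(lambda: {"total": 0, "syn_only": 0, "targets": set()})
    for src, dst, dport, flags in flows:
        s = stats[src]
        s["total"] += 1
        if syn_only(flags):
            s["syn_only"] += 1
            s["targets"].add((dst, dport))

    suspects = {}
    for src, s in stats.items():
        ratio = s["syn_only"] / s["total"]
        if len(s["targets"]) >= min_targets and ratio >= min_ratio:
            suspects[src] = {"targets": len(s["targets"]),
                             "syn_only_ratio": round(ratio, 2)}
    return suspects


if __name__ == "__main__":
    for src, info in detect_syn_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {info['targets']} half-open targets, "
              f"{info['syn_only_ratio']:.0%} of flows SYN-only")
```

Counting distinct (destination, port) pairs catches both a vertical scan (one host, many ports, as in the sample) and a horizontal one (one port, many hosts). On real exporter data the ratio threshold matters as much as the count: a legitimate client behind a flaky link also produces SYN-only flows, but not as the majority of its traffic.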
8. Steps for mitigation of botnets
The three generic steps for mitigation of botnets:
Acquiring and analyzing a bot.
Infiltrating the botnet.
Identifying and taking down the C&C server/botmaster.
9. Storm worm – a case study
Most virulent P2P bot in the wild (also known as Peacomm, Nuwar or Zhelatin)
Uses OVERNET and its own P2P network
Propagates via e-mail (attachment or embedded link)
Uses specific keys as rendezvous points / mailboxes
The controller publishes commands at those keys
10. Storm worm – analysis and mitigation
Obtain the bot binary using a spam trap and a client honeypot
Compute the keys (two methods)
Use a Sybil attack to infiltrate the Stormnet
Mitigate by eclipsing content and polluting
15. RBSeeker
Used for detecting redirection bots
Spam source sub-system
Netflow analysis sub-system
Active DNS anomaly detection sub-system
Correlation of aggregated data
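The slide names RBSeeker's three sub-systems and the correlation step but not their internal logic, so the following is an added example, not RBSeeker's code, showing one plausible way such signals can be combined. The assumptions are labelled: the spam sub-system yields the IPs that URLs in trapped spam resolve to, the NetFlow sub-system flags servers that suddenly serve HTTP to many distinct clients, the DNS sub-system flags IPs that appear in low-TTL answers rotating among several addresses, and a host is a candidate only when at least two independent sources agree. All input data is constructed.

```python
from collections import defaultdict

# Constructed inputs (all hypothetical).
# Spam sub-system: IPs that URLs found in spam-trap messages resolved to.
SPAM_URL_HOSTS = {"198.51.100.4", "198.51.100.9", "203.0.113.2"}

# NetFlow sub-system input: (src IP, dst IP, dst port).
FLOWS = (
    [("10.0.0.%d" % i, "198.51.100.4", 80) for i in range(1, 13)]   # 12 distinct clients
    + [("10.0.0.%d" % i, "192.0.2.50", 80) for i in range(1, 30)]   # busy legitimate web server
    + [("10.0.0.1", "198.51.100.9", 80), ("10.0.0.2", "198.51.100.9", 80)]
)

# DNS sub-system input: (queried name, answer IP, TTL in seconds) from passive DNS.
DNS_ANSWERS = [
    ("cheap-pills.example", "198.51.100.4", 60),
    ("cheap-pills.example", "198.51.100.9", 60),
    ("cheap-pills.example", "198.51.100.22", 60),
    ("www.example.org", "192.0.2.50", 86400),
]


def netflow_servers(flows, min_clients=10):
    """Servers (by dst IP) that accepted HTTP from at least min_clients distinct sources."""
    clients = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 80:
            clients[dst].add(src)
    return {ip for ip, srcs in clients.items() if len(srcs) >= min_clients}


def dns_anomalies(answers, max_ttl=300, min_ips=2):
    """IPs served for a name with a short TTL that rotates among several addresses."""
    per_name = defaultdict(set)
    for name, ip, ttl in answers:
        if ttl <= max_ttl:
            per_name[name].add(ip)
    flagged = set()
    for ips in per_name.values():
        if len(ips) >= min_ips:
            flagged |= ips
    return flagged


def correlate(spam_hosts, flow_hits, dns_hits, min_sources=2):
    """Keep IPs that at least min_sources independent sub-systems reported."""
    evidence = defaultdict(list)
    for label, ips in (("spam", spam_hosts), ("netflow", flow_hits), ("dns", dns_hits)):
        for ip in ips:
            evidence[ip].append(label)
    return {ip: sorted(labels) for ip, labels in evidence.items()
            if len(labels) >= min_sources}


def run():
    """Run all three sub-systems on the constructed data and correlate the results."""
    return correlate(SPAM_URL_HOSTS, netflow_servers(FLOWS), dns_anomalies(DNS_ANSWERS))


if __name__ == "__main__":
    for ip, sources in sorted(run().items()):
        print(f"{ip}: reported by {', '.join(sources)}")
```

Requiring agreement between sub-systems is what keeps the false-positive rate down: the busy legitimate server in the sample is flagged by NetFlow alone and the third spam host by the spam trap alone, so neither becomes a candidate, while the host seen by all three sources stands out.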
16. Takeover of the Torpig Botnet
Data harvesting bot - financial data
Fast flux vs Domain flux
Deterministic DGA and weak C&C communication procedure
Sinkholing of .net and .com domains
25/01/2009 – 04/02/2009
8310 accounts, with a value in the range $83K to $8.3M
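How a deterministic DGA makes sinkholing possible, as an added example that is not part of the original presentation and does not reproduce Torpig's actual algorithm. The DGA below is hypothetical (a seed and the calendar date hashed together, generalised to produce several .com and .net names per day); the point it shows is the defender's side: because the bot's domains depend only on values the defender also knows once the binary has been analysed, every domain for a date window can be enumerated in advance, registered, and then matched against DNS logs to find infected clients. The seed, the sample DNS log and the date range are constructed.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical seed; a real family's seed and algorithm come from reverse engineering the bot.
SEED = "example-seed"


def dga_domains(seed, day, count=3, tlds=(".com", ".net")):
    """Hypothetical deterministic DGA: the domains for a day depend only on seed and date."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        # Map 12 hex digits to lowercase letters so the label looks like a DGA name.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        for tld in tlds:
            domains.append(label + tld)
    return domains


def precompute_table(seed, start, end):
    """Defender side: enumerate every domain the bots will try between start and end."""
    table = {}
    day = start
    while day <= end:
        for dom in dga_domains(seed, day):
            table[dom] = day
        day += timedelta(days=1)
    return table


def match_dns_log(log, table):
    """Flag clients whose DNS queries land on a precomputed (sinkholed) domain."""
    hits = []
    for ts, client, qname in log:
        name = qname.lower().rstrip(".")   # normalise case and trailing dot
        if name in table:
            hits.append((ts, client, name, table[name]))
    return hits


# Constructed sinkhole window, chosen to match the dates on the slide.
SINKHOLE_START = date(2009, 1, 25)
SINKHOLE_END = date(2009, 2, 4)

# Constructed DNS query log: (timestamp, client IP, queried name).
SAMPLE_LOG = [
    ("2009-01-25T10:01:02", "10.0.0.7", dga_domains(SEED, date(2009, 1, 25))[0] + "."),
    ("2009-01-25T10:01:05", "10.0.0.8", "www.example.com"),
    ("2009-02-01T03:14:00", "10.0.0.7", dga_domains(SEED, date(2009, 2, 1))[3].upper()),
    ("2009-02-06T08:00:00", "10.0.0.7", dga_domains(SEED, date(2009, 2, 6))[0]),  # after the window
]


def run():
    table = precompute_table(SEED, SINKHOLE_START, SINKHOLE_END)
    return table, match_dns_log(SAMPLE_LOG, table)


if __name__ == "__main__":
    table, hits = run()
    print(f"{len(table)} domains to register for the sinkhole window")
    for ts, client, name, day in hits:
        print(f"{ts} {client} queried {name} (generated for {day})")
```

The query dated after the window is deliberately not matched: a sinkhole only covers the dates whose domains were registered, which is why the takeover lasted a bounded period and why the registrar cooperation mentioned in the conclusions matters.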
17. Conclusions
Botnets provide services to interested parties
Botnet detection techniques should go hand in hand
Co-operation between authorities, registrars and ISPs
Lower layers of the botnet infrastructure should be dismantled