#BOTNETUtsav MittalFounder and Principal Consultant at Xiarch Pvt Ltd

WHAT IS BOTNET ?

• Network of Infected Host.

• Botnet is a network of compromised computers (#zombies) under the control of remote attacker (#botmaster).

• Controller of botnet is able to direct the activities of these compromised system.

#Bot Terminology

> Bot Herder (#botmaster)

> Bot

> Bot Client

> IRC / HTTP based Server

> Command & Control Channel (C&C)

WHAT DOES IT LOOK LIKE WHEN YOU CONNECT

Look like regular IRC C&C !

WHAT DOES IT LOOK LIKE WHEN YOU CONNECT

Bot Connected !

IRC COMMANDS – THAT A HIJACKER WOULD USE

HISTORY OF BOTNET

• Sub7 & Pretty Park (a Tr0jan & a W0rm) infected machine connecting to an internet relay chat (IRC) channel to listen for malicious commands.

• in 2002 Agobot introduced the concept of staged attack.

• [+] install a back door, the second try to take out anti-virus software and third blocked access to security vendor websites.

• Rbot also appeared in 2003 – a family of bots which used compression and encryption algorithms to evade detection.

BOTBOT

Botnet Architecture

BOTMASTER

BOT

C&C C&C

Recruiting

Recruiting

Recruiting

ATTACKING BEHAVIORS

• Infecting new hosts• Social engineering and distribution of malicious emails or other electronic

communications (i.e. Instant Messaging)

• Example - Email sent with botnet disguised as a harmless attachment.

• Stealing personal information• Keylogger and Network sniffer technology used on compromised systems to spy on

users and compile personal information

• Phishing and spam proxy• Aggregated computing power and proxy capability make allow spammers to impact

larger groups without being traced.

• Distributed Denial of Service (DDoS)• Impair or eliminate availability of a network to extort or disrupt business

• CPU Abusing• Uses Victim CPU to perform bitcoin mining or brute force hash reversing and password

attacks eg.ZeroAccess ,Skynet

ATTACK VECTOR

• USB Drives

• EMAIL

• FILES

• BUGGY SOFTWARES

• OPEN PORTS

• Others . .

BOTNET COMMUNICATION METHODS

• HTTP

• IRC

• P2P

• Others . .

CURRENT BOTNET

• What is Tor ?

Tor is short for The Onion Router and was initially a worldwide network of servers developed with the U.S. Navy that enabled people to browse the internet anonymously.

TOR BASED BOTNET

ANDROID TOR BASED BOTNET

HTTP COINER BOTNET

BITCOIN MINING BOTNET

FBI — Botnets Infecting 18 Computers per Second.

BROWSER BASED BOTNET

• Abuse HTML5 to DDoS

• + Jeremiah Grossman and Matt Johansen showed that it is possible to initiate a massive distributed denial of service (DDoS) attack via a browser-based botnet.

• + This abuse of HTML5 can lead to spamming, bitcoin generation, phishing, internal network reconnaissance, proxy network usage, and spreading of worm via XSS attacks or SQL injections.

HOW ?

Attackers need only to invest on fake online ads which are inexpensive. Because networks serving ads on websites allow the execution of JavaScript, the attackers craft the JavaScript to make hundreds or thousands of users connect to a targeted site simultaneously, which may be enough to make the victim site inaccessible.

dDOS !

ABUSES OF HTML5 +

1. Spamming

2. Bitcoin generation

3. Phishing

4. Internal network reconnaissance,

5. Proxy network usage

6. Spreading of worm via XSS attacks or SQL injections.

BENEFITS ~

• No malware to detect.

• No trace , few alarms.

• Very very easy

• Everyone browser is vulnerable (by default)

DISTRIBUTION OF “JAVASCRIPT MALWARE”

• HTML Injection on popular Website and Forums (blog , war3z)

• Man in Middle Attack

• EMAIL Spam (HTML)

• Third Part web Widgets

"The most reliable , cost effective method to inject evil code is to buy an ad “

~Douglas Crockford

Thank You