Host and Application Security Lesson 17: Botnets.
Transcript of Host and Application Security Lesson 17: Botnets.
Host and Application Security, Lesson 17: Botnets
Almost done with Malware

- Now that you’re done with traditional malware, let’s look at an important class or two we’ve ignored: rootkits and botnets
Rootkit

- Actually, a pretty loose definition
- Can think of it as a piece of malware that is designed to allow an attacker privileged access to a computer
- Rootkits usually allow access via the network
- Rootkits usually are very stealthy, and provide ways an attacker can hide on the box
Botnet

- Really, a form of rootkit, but the emphasis is on remote control
The Botnet Lifecycle

- Recruitment
- Management
- Exploitation
Recruitment

- Machines get recruited into botnets a large number of ways
- Typically, web or email based exploit
- This installs the bot on the machine
Command and Control

- This can be thought of as the “Achilles heel” of the botnet
- A botnet needs remote control
- Thus, if we can detect the network traffic, we can detect the botnet
- However, the botherder makes a large effort to protect his (her) investment
Exploitation

- Lots of uses:
  - DDoS attacks
  - Adware installation
  - Spyware installation
  - Spam
  - Click fraud
  - Spread to other machines
  - ID theft
  - …
C2 Techniques

- Simple: IRC
- Complicated: Domain flux
  - Generate different candidate domain names every day
  - Bots “check in” with new domains every day
  - Not all domains need to be registered for this approach to work
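Because most of the daily candidate domains are never registered, a fluxing bot leaves a trail of failed lookups for random-looking names. The following added example (not from the lecture) shows a defender-side check over constructed DNS log lines in a hypothetical `client qname rcode` format: it flags clients with many NXDOMAIN answers for high-entropy labels, which is what a domain-flux check-in looks like from the resolver’s side.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS log lines (hypothetical format): client qname rcode
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.7 xk3q9vbt2lpz.com NXDOMAIN
10.0.0.7 q8zr1mwkp0aa.net NXDOMAIN
10.0.0.7 lz0t4xn7gq2v.org NXDOMAIN
10.0.0.7 b7kq2xzp9mrt.com NXDOMAIN
10.0.0.7 hjq4zk8vlm2r.info NXDOMAIN
10.0.0.7 update.example.com NOERROR
10.0.0.9 cdn.example.org NOERROR
10.0.0.9 typo.exampel.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")

def label_entropy(qname):
    """Shannon entropy (bits per character) of the leftmost label; a rough
    'does this name look machine-generated?' signal."""
    label = qname.split(".")[0].lower()
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def parse_log(text):
    """Yield (client, qname, rcode) for each well-formed line, skipping junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)

def flag_domain_flux(text, min_nx=4, min_entropy=3.0):
    """Return {client: (nxdomain_count, mean_entropy)} for clients whose
    failed lookups look like DGA check-ins (many NXDOMAINs, random labels)."""
    nx = defaultdict(list)
    for client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            nx[client].append(label_entropy(qname))
    flagged = {}
    for client, ents in nx.items():
        mean_ent = sum(ents) / len(ents)
        if len(ents) >= min_nx and mean_ent >= min_entropy:
            flagged[client] = (len(ents), round(mean_ent, 2))
    return flagged
```

A single typo lookup (10.0.0.9) stays below the count threshold, while the client with five random-looking NXDOMAINs is reported; real thresholds should be tuned against your own resolver’s baseline.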
C2 features

- Can break down into:
  - Topology: hub and spoke? P2P?
  - Rallying Mechanism: How new bots locate and join the botnet.
  - Communication Protocol: The underlying protocol used…
  - Control Mechanism: How new commands are sent. Callback? Polling?
  - Command Authentication Mechanism: How can we tell if a command is really from the botherder?
To Do

- Download and read “Your botnet is my botnet: Analysis of a Botnet Takeover”
- Questions about this could be on the final…
Questions?