Host and Application Security Lesson 17: Botnets

Transcript of Host and Application Security Lesson 17: Botnets.

Page 1: Title

Host and Application Security
Lesson 17: Botnets

Page 2: Almost done with Malware

Now that you're done with traditional malware, let's look at an important class or two we've ignored: rootkits and botnets.

Page 3: Rootkit

- Actually, a pretty loose definition
- Can think of it as a piece of malware that is designed to allow an attacker privileged access to a computer
- Rootkits usually allow access via the network
- Rootkits usually are very stealthy, and provide ways an attacker can hide on the box

Page 4: Botnet

- Really, a form of rootkit, but the emphasis is on remote control

Page 5: The Botnet Lifecycle

- Recruitment
- Management
- Exploitation

Page 6: Recruitment

- Machines get recruited into botnets a large number of ways
- Typically, web or email based exploit
- This installs the bot on the machine

Page 7: Command and Control

- This can be thought of as the "Achilles heel" of the botnet
- A botnet needs remote control
- Thus, if we can detect the network traffic, we can detect the botnet
- However, the botherder makes a large effort to protect his (her) investment
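The slide's point that C2 traffic is detectable can be made concrete with a beaconing check: a bot that polls its controller on a timer produces connections whose inter-arrival times are far more regular than human browsing. The example below is added here and is not part of the lesson; the flow records, IP addresses, port and the thresholds (`min_count`, `max_cv`) are all constructed for illustration, and the coefficient-of-variation heuristic is one simple detector, not the only one.

```python
"""Beacon detection over constructed flow records (added example, not from the lesson)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
FLOWS = [
    # One host checking in with the same destination every ~60 s (jitter of +/-1 s),
    # the shape a polling bot leaves in flow logs.
    *[(t, "10.0.0.5", "203.0.113.7", 6667)
      for t in (0, 60, 121, 180, 241, 300, 360, 421, 480, 540)],
    # Ordinary browsing: bursty and irregular, so its gaps vary widely.
    *[(t, "10.0.0.8", "198.51.100.20", 443)
      for t in (5, 9, 130, 131, 400, 402, 900)],
    # Too few flows to judge; skipped by min_count.
    (15, "10.0.0.5", "198.51.100.20", 443),
    (700, "10.0.0.5", "198.51.100.20", 443),
]


def find_beacons(flows, min_count=6, max_cv=0.1):
    """Return (src, dst, port, count, mean_gap, cv) for every (src, dst, port)
    pair whose inter-arrival times are nearly constant.

    cv is the coefficient of variation (population stdev / mean) of the gaps;
    a timer-driven beacon has a small cv, human traffic a large one.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    results = []
    for (src, dst, port), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue  # not enough observations for a stable estimate
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all flows in the same second; not a periodic pattern
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            results.append((src, dst, port, len(stamps), round(avg, 2), round(cv, 3)))
    return results


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print("possible beacon:", hit)
```

In practice the thresholds need tuning per environment, and botherders add jitter or mix C2 into legitimate-looking protocols precisely to defeat this kind of regularity check, which is the "large effort to protect the investment" the slide refers to.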

Page 8: Exploitation

Lots of uses:

- DDoS attacks
- Adware installation
- Spyware installation
- Spam
- Click fraud
- Spread to other machines
- ID theft
- ...

Page 9: C2 Techniques

- Simple: IRC
- Complicated: Domain flux
  - Generate different candidate domain names every day
  - Bots "check in" with new domains every day
  - Not all domains need to be registered for this approach to work
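The domain-flux bullets describe a scheme with a defensive flip side: because every bot must compute the same candidate list from the same inputs (here a date and a seed), anyone who recovers the algorithm can compute the list in advance and register or sinkhole the names first, which is how the takeover described in the assigned paper works. The example below is added here and is not code from the lesson or from any real botnet family; the generator is a hypothetical SHA-256-based stand-in, the seed value, the DNS log lines and the detector thresholds are constructed, and the vowel-ratio/entropy heuristic is a simple approximation of what DGA detectors do.

```python
"""Domain flux from the defender's side (added example; hypothetical generator).

Three pieces: a date-seeded candidate generator, a watchlist a defender can
precompute for sinkholing, and a heuristic that flags DGA-looking query names
in DNS logs.
"""
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

TLDS = ("com", "net", "org")
VOWELS = set("aeiou")


def candidate_domains(day, seed="lesson17", count=5):
    """Hypothetical generator: derive `count` 12-letter names from (seed, date, index).

    Bot and defender get identical output from identical inputs, which is the
    property that makes pre-registration by a defender possible.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        # Map each pair of hex digits to a lowercase letter.
        label = "".join(chr(ord("a") + int(digest[2 * j:2 * j + 2], 16) % 26) for j in range(12))
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def sinkhole_watchlist(start, days, seed="lesson17", count=5):
    """Every candidate the bots will try over the next `days` days."""
    names = set()
    for offset in range(days):
        names.update(candidate_domains(start + timedelta(days=offset), seed, count))
    return names


def shannon_entropy(text):
    """Bits of entropy per character in `text` (0.0 for empty or single-symbol input)."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_generated(qname, min_len=10, max_vowel_ratio=0.25, min_entropy=3.5):
    """Heuristic: long second-level label with few vowels or very high entropy."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    letters = [ch for ch in sld if ch.isalpha()]
    if len(sld) < min_len or not letters:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    return vowel_ratio < max_vowel_ratio or shannon_entropy(sld) > min_entropy


# Constructed DNS query log: "<timestamp> <client> <qtype> <qname>".
DNS_LOG = [
    "2024-01-01T00:00:03 10.0.0.5 A www.example.com",
    "2024-01-01T00:00:04 10.0.0.5 A cdn.cloudstorage.org",
    "2024-01-01T00:00:06 10.0.0.8 A docs.documentation.org",
    "2024-01-01T00:00:09 10.0.0.5 A xkqzvbtrwmpl.net",
    "2024-01-01T00:00:10 10.0.0.5 A nsbhvtrwqxdk.com",
]


def flag_queries(lines):
    """Return (client, qname) for each logged query whose name looks generated."""
    flagged = []
    for line in lines:
        _ts, client, _qtype, qname = line.split()
        if looks_generated(qname):
            flagged.append((client, qname))
    return flagged


if __name__ == "__main__":
    print("today's candidates:", candidate_domains(date(2024, 1, 1)))
    print("7-day watchlist size:", len(sinkhole_watchlist(date(2024, 1, 1), 7)))
    print("suspicious queries:", flag_queries(DNS_LOG))
```

Two things to notice: a client resolving several such names in a short window (most of them NXDOMAIN, since the slide notes not every candidate is registered) is a stronger signal than any single name, and the entropy heuristic alone misfires on long legitimate words, which is why the vowel ratio is checked as well.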

Page 10: C2 features

Can break down into:

- Topology: hub and spoke? P2P?
- Rallying Mechanism: How new bots locate and join the botnet.
- Communication Protocol: The underlying protocol used...
- Control Mechanism: How new commands are sent. Callback? Polling?
- Command Authentication Mechanism: How can we tell if a command is really from the botherder?

Page 11: To Do

- Download and read "Your botnet is my botnet: Analysis of a Botnet Takeover"
- Questions about this could be on the final...

Page 12: Questions?