What are bots/ botnets?
Bots: A bot is piece of malicious software with remote control capabilities
Botnet: A network of computers infected with a bot. The bot is controlled by C&C (Command and Control) Infrastructure. The attacker, which controls the botnet is called herder. The infected computer is called a zombie or drone.
What are attacks mounted with the help of botnets?
-Distributing spam and phishing emails
-Mounting distributed denial of service (DDoS) attacks
-Conducting data theft with the help of spyware like key
loggers, webcam recording capabilities…
-Conducting click-fraud
-Spreading new malware
What is the life-cycle of a bot from a herder point of view?
-Creation: Development of the botnet software often reusing existing code
Infection: via Software vulnerabilities, drive-by-downloads,
Trojan horses, email attachments,…
Rallying: Bots start up for the first time and attempt to contact the C&C server(s)
- Centralized: join IRC channel, connect to HTTP server
- Decentralized: bootstrapping protocol to detect other peers in the P2P
network
Waiting: Bots wait for commands from the botmaster through C&C
infrastructure
Executing: Bots execute commands received through the C&C
infrastructure
-E.g. scanning for new victims, downloading updates, sending DoS floods,….
What is the life-cycle of a bot from a defense point of view?
-Detection
-Capturring
-Analysis
-Tear Down
What are the C&C techniques?
Centralized:
- IRC (Internet Relay Chat)
- HTTP
Decentralized:
- P2P (Usually hybrid)
How is a centralized botnet taken down?
-Locate C&C Server and take them down:
- Analyze network traffic of bots
-Make C&C Server unreachable
- Block DNS/ IP range
-**Find out which devices in your network are infected
-Use Sinkhole with DNS entry and see who connects
How is the IP of a C&C Server hidden?
Domain Generating Algorithms (DGAs):
- Use a seed to generate domain names and query them
- Most domains are not registered, but some are
Fast Flux in DNS
- Multiple IP addresses on a single DNS record, cahnged quickly
- No one server to take down
How is a P2P botnet taken down?
- More difficult then centralized Botnets, no simple solution
- Ultimately requires desinfection off all infected nodes
- If commands are not signed correctly: Command bots with cleanup tool
How to track down botnet herders?
- No general method, dependend on C&C type
- Put network taps on C&C Server
- Social engineering: Pretend to be potential buyer
Roles in organzied crime with Botnets
- Exploit Developers: Looks for exploits to infect computers
- Malware Programmers: Develop C&C server and bot client
- Botnet Herders: Operates the botnet and rents/ sells control
- Bot Users: Uses botnet to mount an actual attack
How is money made from Botnets?
Stealing Information
- Selling bank account
- Selling identity information
Ransomware
DDOS
What was the Mirai Botnet and how did it work?
- IoT Botnet with centralized C&C
- Infected DVRs, routers, IP cameras etc. with misconfigured ports or default credentials
- Used to DDOS e.g. OVH.com
What is Stuxnet and how did it work?
- Targeted attack against SCADA networks, likely by intelligence organization
- Worm with C&C Server for updates
- Used 3 zero day exploits to infect Windows machines and looks for SCADA software
