Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly Meeting
Presented at the OWASP Delhi July 2014 Monthly Meeting, Adobe Systems, Noida. Slide transcript.
#BOTNET
Utsav Mittal, Founder and Principal Consultant at Xiarch Pvt Ltd
WHAT IS BOTNET ?
• Network of infected hosts.
• A botnet is a network of compromised computers (#zombies) under the control of a remote attacker (#botmaster).
• The controller of the botnet is able to direct the activities of these compromised systems.
#Bot Terminology
> Bot Herder (#botmaster)
> Bot
> Bot Client
> IRC / HTTP based Server
> Command & Control Channel (C&C)
WHAT DOES IT LOOK LIKE WHEN YOU CONNECT
Looks like a regular IRC C&C!
WHAT DOES IT LOOK LIKE WHEN YOU CONNECT
Bot Connected!
IRC COMMANDS – THAT A HIJACKER WOULD USE
HISTORY OF BOTNET
• Sub7 & Pretty Park (a Trojan & a worm): the infected machine connects to an Internet Relay Chat (IRC) channel to listen for malicious commands.
• In 2002, Agobot introduced the concept of the staged attack.
• [+] The first stage installs a back door, the second tries to take out anti-virus software and the third blocks access to security vendor websites.
• Rbot also appeared in 2003 – a family of bots which used compression and encryption algorithms to evade detection.
Botnet Architecture (diagram; labels: BOTMASTER, C&C, BOT, Recruiting)
ATTACKING BEHAVIORS
• Infecting new hosts
  • Social engineering and distribution of malicious emails or other electronic communications (e.g. Instant Messaging)
  • Example - Email sent with the bot disguised as a harmless attachment.
• Stealing personal information
  • Keylogger and network sniffer technology used on compromised systems to spy on users and compile personal information
• Phishing and spam proxy
  • Aggregated computing power and proxy capability allow spammers to impact larger groups without being traced.
• Distributed Denial of Service (DDoS)
  • Impair or eliminate availability of a network to extort or disrupt business
• CPU Abusing
  • Uses the victim's CPU to perform bitcoin mining or brute-force hash reversing and password attacks, e.g. ZeroAccess, Skynet
ATTACK VECTOR
• USB Drives
• FILES
• BUGGY SOFTWARE
• OPEN PORTS
• Others...
BOTNET COMMUNICATION METHODS
• HTTP
• IRC
• P2P
• Others...
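The terminology slide names the Command & Control channel and this slide lists the transports it rides on (HTTP, IRC, P2P). What a defender sees of that channel is a compromised host contacting the same destination on a timer. The following is an added example, not from the slides: a small beaconing detector over a constructed proxy-log format (`<epoch seconds> <source ip> <destination host>`, an assumption for the example) that flags source/destination pairs whose connection gaps are nearly constant.

```python
"""Flag hosts that contact one destination at regular intervals (beaconing).

Bot clients poll their C&C server (over HTTP, IRC or P2P) on a timer; in a
proxy or firewall log that shows up as one internal host reaching the same
destination with near-constant spacing.  This is a heuristic, not proof, so
the result is a list of (src, dst) pairs worth an analyst's attention.
The log format below is an assumption constructed for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "<epoch seconds> <source ip> <destination host>".
# 10.0.0.5 polls one host every ~60 s; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
1405000000 10.0.0.5 updates.example-cdn.test
1405000060 10.0.0.5 updates.example-cdn.test
1405000121 10.0.0.5 updates.example-cdn.test
1405000180 10.0.0.5 updates.example-cdn.test
1405000240 10.0.0.5 updates.example-cdn.test
1405000299 10.0.0.5 updates.example-cdn.test
1405000003 10.0.0.7 www.example.test
1405000010 10.0.0.7 www.example.test
1405000095 10.0.0.7 www.example.test
1405000100 10.0.0.7 www.example.test
1405000400 10.0.0.7 www.example.test
1405000500 10.0.0.7 mail.example.test
"""


def parse_log(text):
    """Return {(src, dst): [timestamps, ...]} from the constructed log format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(int(ts))
    return conns


def find_beacons(conns, min_hits=5, max_cv=0.2):
    """Return pairs with >= min_hits connections whose gap coefficient of
    variation (stdev / mean) is <= max_cv.  A low CV means a regular timer;
    human browsing produces bursty, high-CV gaps."""
    hits = []
    for (src, dst), times in conns.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m <= 0:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "count": len(times),
                         "mean_gap_s": round(m, 1), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Legitimate software also beacons (update checkers, NTP, monitoring agents, CDN health polls), so the output is a triage list: allowlist known destinations and pivot on the remaining ones with DNS, TLS certificate and reputation data before acting.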
CURRENT BOTNET
• What is Tor ?
Tor is short for The Onion Router and was initially a worldwide network of servers developed with the U.S. Navy that enabled people to browse the internet anonymously.
TOR BASED BOTNET
ANDROID TOR BASED BOTNET
HTTP COINER BOTNET
BITCOIN MINING BOTNET
FBI — Botnets Infecting 18 Computers per Second.
BROWSER BASED BOTNET
• Abuse HTML5 to DDoS
  • Jeremiah Grossman and Matt Johansen showed that it is possible to initiate a massive distributed denial of service (DDoS) attack via a browser-based botnet.
  • This abuse of HTML5 can lead to spamming, bitcoin generation, phishing, internal network reconnaissance, proxy network usage, and spreading of worms via XSS attacks or SQL injections.
HOW ?
Attackers need only invest in fake online ads, which are inexpensive. Because networks serving ads on websites allow the execution of JavaScript, the attackers craft the JavaScript to make hundreds or thousands of users connect to a targeted site simultaneously, which may be enough to make the victim site inaccessible.
DDoS!
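The mechanism above has a distinctive footprint on the victim's side: unlike a malware-infected bot, each browser sends only a few requests, so per-IP rate limits miss it, while the number of distinct clients jumps at once and their requests carry the same Referer (the page that hosted the ad). The following is an added example, not from the slides: a detector over a constructed access-log format (`<epoch> <client ip> <path> <referer>`, an assumption for the example) that flags a time window with many distinct clients dominated by one Referer.

```python
"""Spot a browser-driven flood in a web server access log.

Ad-delivered JavaScript makes many ordinary browsers hit one site at once.
Each client sends only a handful of requests, so a per-IP rate limit misses
it; what stands out is a sudden burst of *distinct* clients whose requests
share one Referer.  Log format, thresholds and sample lines are constructed
for this example and are not from the talk.
"""
from collections import Counter, defaultdict

# Constructed access log: "<epoch> <client ip> <path> <referer>" ("-" = none).
SAMPLE_LOG = (
    # normal traffic: spread over time, mixed referers
    "1405000000 198.51.100.1 /index.html -\n"
    "1405000020 198.51.100.2 /about.html https://search.example.test/\n"
    "1405000045 198.51.100.3 /index.html -\n"
    # burst: 8 different clients within 8 seconds, all sent by one ad page
    + "".join(
        f"140500010{i} 203.0.113.{i} /index.html https://ads.example-pub.test/page\n"
        for i in range(8)
    )
)


def parse_log(text):
    """Return a list of (timestamp, ip, path, referer) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, path, referer = line.split()
        rows.append((int(ts), ip, path, referer))
    return rows


def find_bursts(rows, window_s=10, min_clients=5, min_share=0.8):
    """Return windows where >= min_clients distinct IPs appear and at least
    min_share of those clients share one non-empty Referer.  The shared
    Referer is the page that carried the ad and is the value to block or
    challenge at the edge."""
    by_window = defaultdict(dict)            # window index -> {ip: first referer}
    for ts, ip, _path, referer in rows:
        by_window[ts // window_s].setdefault(ip, referer)

    alerts = []
    for win, clients in sorted(by_window.items()):
        if len(clients) < min_clients:
            continue
        refs = Counter(r for r in clients.values() if r != "-")
        if not refs:
            continue
        top_ref, n = refs.most_common(1)[0]
        share = n / len(clients)
        if share >= min_share:
            alerts.append({"window_start": win * window_s,
                           "distinct_clients": len(clients),
                           "referer": top_ref,
                           "share": round(share, 2)})
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Thresholds have to be tuned to the site's baseline: a legitimate link from a busy front page produces the same shape at a slower ramp, so compare the per-window client count against the preceding windows and treat a Referer that appears from nowhere with hundreds of new clients as the signal.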
ABUSES OF HTML5
1. Spamming
2. Bitcoin generation
3. Phishing
4. Internal network reconnaissance
5. Proxy network usage
6. Spreading of worms via XSS attacks or SQL injections.
BENEFITS ~
• No malware to detect.
• No trace, few alarms.
• Very, very easy
• Every browser is vulnerable (by default)
DISTRIBUTION OF “JAVASCRIPT MALWARE”
• HTML injection on popular websites and forums (blogs, war3z)
• Man-in-the-Middle attack
• EMAIL spam (HTML)
• Third-party web widgets
“The most reliable, cost-effective method to inject evil code is to buy an ad.”
~ Douglas Crockford
Thank You