
After the CyberSecurity Operations course you will be able to analyse and explain the actions of a botnet.
A botnet consists of a group of "zombie" computers that run robots (or bots) and a master control mechanism that provides direction and control for the zombies. The originator of a botnet uses the master control mechanism on a command-and-control server to control the zombie computers remotely using IRC or other means.
A botnet typically operates as follows:
A botnet operator infects computers by sending them malicious bots. A malicious bot is self-propagating malware that is designed to infect a host and connect back to the command-and-control server. In addition to its worm-like ability to self-propagate, a bot can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host.
Bots have all the advantages of worms, but are generally much more versatile in their infection vector, and are often modified within hours of publication of a new exploit. Bots have been known to exploit back doors that are opened by worms and viruses, which allows the bots to access networks that have good perimeter control. Bots can infect networks in a way that escapes immediate detection.
The bot on the newly infected host logs in to the command-and-control server and awaits commands. The CnC traffic is often carried over IRC, P2P, DNS, HTTP, or HTTPS. When HTTPS is used, the CnC traffic is encrypted with TLS (or the older SSL), so its content cannot be inspected without TLS interception, which makes it harder to detect; defenders then have to rely on metadata such as destination, timing, and volume of the connections.
Instructions are sent from the CnC server to each bot (zombie) in the botnet to execute actions. When the zombies receive the instructions, they begin generating malicious traffic aimed at the victim. Zombies usually communicate with the attacker-controlled command-and-control server over a covert channel.
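The check-in step above (the bot logging in to the CnC server and polling it for commands) is what a security operations analyst most often catches, because a zombie that polls its CnC server on a timer produces connections at regular intervals even when the channel is HTTPS and the payload is opaque. The following beaconing detector is an added example written for this page, not code from the course; it assumes a simple proxy/firewall log format (`timestamp src_ip dst_ip dst_port bytes`, an assumption; real logs differ) and the sample log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Beaconing detector for command-and-control (CnC) check-ins.

Added example, not part of the original course text. It assumes a log
format of the form
    <ISO-8601 timestamp> <src_ip> <dst_ip> <dst_port> <bytes>
(an assumption; real proxy/firewall log formats differ) and flags source
hosts that contact one destination at regular intervals, which is how an
infected zombie polls its CnC server over IRC/HTTP/HTTPS. Only connection
metadata is used, so the heuristic works even when the payload is TLS-encrypted.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: 10.0.0.5 checks in to 203.0.113.10:443 every
# 60 s (+/- 1 s jitter), while 10.0.0.7 browses several sites irregularly.
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 203.0.113.10 443 512
2024-03-01T10:00:12 10.0.0.7 198.51.100.20 443 9100
2024-03-01T10:01:01 10.0.0.5 203.0.113.10 443 512
2024-03-01T10:01:40 10.0.0.7 198.51.100.21 80 42000
2024-03-01T10:02:00 10.0.0.5 203.0.113.10 443 512
2024-03-01T10:02:59 10.0.0.5 203.0.113.10 443 512
2024-03-01T10:03:05 10.0.0.7 198.51.100.20 443 130
2024-03-01T10:04:00 10.0.0.5 203.0.113.10 443 512
2024-03-01T10:05:01 10.0.0.5 203.0.113.10 443 512
2024-03-01T10:05:30 10.0.0.7 198.51.100.22 443 7700
2024-03-01T10:06:00 10.0.0.5 203.0.113.10 443 512
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port, size) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            yield ts, parts[1], parts[2], int(parts[3]), int(parts[4])
        except ValueError:
            continue


def connection_intervals(records):
    """Group connections by (src, dst, port) and return the inter-arrival gaps in seconds."""
    times = defaultdict(list)
    for ts, src, dst, port, _size in records:
        times[(src, dst, port)].append(ts)
    gaps = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps[key] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def find_beacons(records, min_connections=5, max_jitter_ratio=0.1):
    """Return (src, dst, port, mean_interval_s) for flows that look like periodic check-ins.

    A flow is flagged when it has at least `min_connections` connections and the
    standard deviation of its inter-arrival time is small relative to the mean
    (low jitter). The thresholds are assumed for this example and must be tuned
    per environment: a legitimate software updater polling on a timer triggers
    the same heuristic, so hits are leads for an analyst, not verdicts.
    """
    hits = []
    for (src, dst, port), gaps in connection_intervals(records).items():
        if len(gaps) + 1 < min_connections:
            continue
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter_ratio:
            hits.append((src, dst, port, round(avg, 1)))
    return hits


if __name__ == "__main__":
    for src, dst, port, interval in find_beacons(list(parse_log(SAMPLE_LOG))):
        print(f"possible CnC beacon: {src} -> {dst}:{port} every ~{interval}s")
```

On the constructed log the detector reports only 10.0.0.5 polling 203.0.113.10:443 roughly every 60 seconds; the irregular browsing from 10.0.0.7 is not flagged. In practice the same logic is run over NetFlow, proxy or firewall exports for a whole day, and bots that add random sleep jitter to their check-ins require a looser `max_jitter_ratio` or a histogram of intervals rather than a single ratio.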