Wednesday, October 20, 2010

Presentation about botnets in SIGINT'10, Koln

SIGINT'10 took place between the 22nd and the 24th of May in Koln, Germany. The videos are also available and hosted by ccc.

I just saw the presentation made by Thorsten Holz and called 'Botnets in 2010 - Status Quo and Future Threats'.

As a quick resume, it does a quick introduction to the botnets and its arquitecture and then talks about Storm Worm and Waledac.

Storm Worm
  • Not centralized C & C thanks to p2p
  • Fast flux domains
  • Uses infected computers with public IP addresses to proxy the content back to the backend: spam pages or with exploit packs. It is hard to track  and offers high availability.
  • The nated machines are user to send spam and dos attacks.
  • Template based spamming. The template is sent to the bots that then send the spam.
  • Mitigation: join the network and disrupt the communication channel between the bots (Stormfucker in 25c3 CCC)
Waledac
  • Successor of Storm Worm and perhaps created by the same group
  • Uses HTTP to tunnel trafic (major change) between the nated machines and the repeaters
  • multi-tier architecture ('hybrid' p2p), like storm worm
  • Static backend servers that host the content
  • Fast flux domains for C&C
  • Template based spamming.
  • The mitigation effort was called 'Operation b49' and took down the botnet in February 2010.



The video can be found here.

No comments:

Post a Comment