<?xml version="1.0"?>
<Module projectID="1190" moduleID="1279">
	<ModuleName>mod5</ModuleName>
	<AU>mod5</AU>
	<Title>Bots and Botnets</Title>
	<Subtitle/>
	<LinkSet>links</LinkSet>
	<CourseMapSWFPath>../mod5/assets/coursemap.swf</CourseMapSWFPath>
	<NavBtns>
        <NavBtn>
			<ID>courseMenuBtn</ID>
			<Label>Course menu</Label>
			<RMAText>Course menu. Select this button to access the course menu.</RMAText>
			<ClickEventName>MainMenuButtonClicked</ClickEventName>
		</NavBtn> 	
		<NavBtn>
			<ID>moduleMapBtn</ID>
			<Label>Lesson Map</Label>
			<RMAText>Lesson Map.  Select this button to access the lesson map.</RMAText>
			<ClickEventName>CourseMapButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>glossaryBtn</ID>
			<Name>Glossary</Name>
			<RMAText>Glossary. Select this button to open the glossary.</RMAText>
			<ClickEventName>GlossaryButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resourcesBtn</ID>
			<Label>Resources</Label>
			<RMAText>Resources. Select this button to open the resources.</RMAText>
			<ClickEventName>ResourcesButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>exitBtn</ID>
			<Label>Exit</Label>
			<RMAText>Exit.  Select this button to exit the course.</RMAText>
			<ClickEventName>ExitButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>replayBtn</ID>
			<Label>Replay</Label>
			<RMAText>Replay. Select this button to replay the current screen.</RMAText>
			<ClickEventName>ReplayButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>pauseBtn</ID>
			<Label>Pause</Label>
			<RMAText>Pause.  Select this button to pause the course.</RMAText>
			<ClickEventName>PauseButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn>
			<ID>resumeBtn</ID>
			<Label>Resume</Label>
			<RMAText>Resume. Select this button to resume the course.</RMAText>
			<ClickEventName>ResumeButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn prevBtn="true">
			<ID>previousPgBtn</ID>
			<Name>Previous Page</Name>
			<RMAText>Previous. Select this button to go to the previous screen.</RMAText>
			<ClickEventName>PreviousButtonClicked</ClickEventName>
		</NavBtn>
		<NavBtn nextBtn="true">
			<ID>nextPgBtn</ID>
			<Name>Next Page</Name>
			<RMAText>Next. Select this button to go to the next screen.</RMAText>
			<ClickEventName>NextButtonClicked</ClickEventName>
		</NavBtn>
	</NavBtns>
	<Topics>
		<Topic>
			<Title>Introduction</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Objectives and Topics</Title>
					<Subtitle/>
					<Filename>idsal5_01</Filename>
					<PageNbr>1</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Welcome to the lesson on bots and botnets. When you have completed this lesson, you will be able to describe how bots and botnets function and identify some of their capabilities. You will also be able to identify some botnet infection vectors and describe their relationship with the client-side attack surface. There are four topics in this lesson. After you have completed the Introduction, you will learn what bots and botnets are and why they are a serious problem. Then you will learn how a botnet is structured and its capabilities for exploiting client computers. Finally, you will learn about botnet infection vectors and how they relate to the client-side attack surface. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">For each screen you will hear a description. The description is cued by an audio tone. Listen to the description, and then select the play audio narration button to continue. Screen 1 of 13. Lesson title: Bots and Botnets. Topic title: Introduction. Screen title: Objectives and Topics. Four lesson learning objectives display in support of audio. Five topics display. The first topic is titled Introduction. The second topic is titled The Trouble with Botnets. The third topic is titled Botnet Architecture and Capabilities. The fourth topic is titled Botnet Vectors. The fifth and final topic is the Conclusion. A text box displays that states: References to open source or freeware in this training product are for training purposes only, and should not be considered endorsements of these products. Please check with your command, service or agency for guidance on the use of these products.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>The Trouble with Botnets</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Why Botnets are a Serious Problem</Title>
					<Subtitle/>
					<Filename>idsal5_02</Filename>
					<PageNbr>2</PageNbr>
					<ShowText>
						<Txt frameNbr="1">A botnet is a network of zombie-like computers that are infected with a malicious application called a bot. The hidden malicious code enables a real person to remotely control the botnet. The botnet strengthens and grows by bots infecting and controlling more and more computers. Botnets are a serious problem for several reasons. Bots can spread across continents, rapidly propagating the infection to computers around the world, making them extremely difficult to dismantle. Botnet creators have become very sophisticated in both design and infrastructure. Some experts believe that botnets are practically impenetrable or at least may take years to destroy. For example, starting in 2001, the Coreflood botnet infected over 2.3 million computers worldwide and stole over 190 gigabytes of data. It took more than a decade before the botnet was taken down. For over ten years, Coreflood recorded user keystrokes to capture passwords, credit card numbers, and banking information. Millions of dollars were stolen from computer users in the United States. Another example is the Mariposa botnet. It controlled nearly 12 million zombie computers in about 100 countries. While it operated only from 2008 to 2009, Mariposa is perhaps the largest known botnet. One final example illustrates how widely and quickly botnets can spread. TDL-4 is the fourth generation of the TDL botnet. TDL-4 infected more than 4.5 million computers in just the first three months of 2011. According to a recent online article published by CNET, the experts at Kaspersky Lab believe this botnet is practically impenetrable. These are not isolated examples. The botnet problem is widespread and is likely to increase. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 2 of 13. Lesson title: Bots and Botnets. Topic title: The Trouble with Botnets. Screen title: Why Botnets are a Serious Problem. Text stem: Botnets; bullets in support of audio. Branching diagram displays with a malware symbol labeled Bot Herder at the top, pointing to the next level of four servers, labeled Bot Command and Control Drone and each server pointing to the next level of four computers for each server, some labeled Bot. Malware symbol is added to the four servers and the Bot laptops. Image of an attacker at a laptop is added to the Bot Herder malware symbol. More computers are labeled with Bot and the malware symbol is added until all are infected. Image of globe is displayed with people in front of infected computer on each continent. Dark colors are added to spots on the globe around the users along with lines joining their computers showing the spread of infection. Additional computer users are added to globe. Timeline showing 2001 through 2011 displays. Callout from 2001 displays with text stem: Coreflood; bullets in support of audio. Callout from 2008 displays with text stem: Mariposa; bullets in support of audio. Callout from 2011 displays with text stem: T D L 4; bullets in support of audio. Rollover 1 of 3. Rollover title: Coreflood. From 2001 to 2011, the Coreflood Trojan infected computers running the Windows operating system. It attempted to steal personal data such as banking passwords in an effort to steal money. It took a landmark FBI action to dismantle Coreflood, which marks the first time the U.S. Government sought and received permission to take control of malicious servers and intercept communications from infected systems. Source: Zetter, K., April 13, 2011. With Court Order, FBI Hijacks Coreflood Botnet, Sends Kill Signal. Wired. Rollover 2 of 3. Rollover title: Mariposa. Discovered in 2008, the Mariposa botnet was created using the Butterfly bot. The botnet infiltrated about 13 million personal, government, and corporate systems in 190 countries before it was dismantled in December 2009. Source: Thompson, M., February 2010. Mariposa Botnet Analysis. Defense Intelligence. Rollover 3 of 3. Rollover title: T D L 4. T D L 4 is a fourth generation variant of the T D S S rootkit, discovered in 2008. It can infect both 32 bit and 64 bit operating systems. T D L 4 encrypts communications between the botnet command and control centers and the infected computers. Note that a rootkit is a set of tools used by an attacker after gaining access to a host to conceal the attacker's activities on the host and permit the attacker to maintain access. Source: Reisinger, D., June 30, 2011. T D L 4: The indestructible botnet? CNET News. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>How Botnets use Social Media and Networking</Title>
					<Subtitle/>
					<Filename>idsal5_03</Filename>
					<PageNbr>3</PageNbr>
					<ShowText>
						<Txt frameNbr="1">As more and more of our daily life becomes digitized, the raw material available for botnets continues to grow. Social networks and social media provide a new and open frontier for attackers to exploit. It's not unheard of for one social networking site to connect hundreds of millions of people at any one time. The continued popularity of social networking provides vast resources of vulnerable computers and personal information for attackers to exploit. And, lack of user awareness and susceptibility to social engineering attacks are huge vulnerabilities. Another source of victims for botnets is mobile technology such as smartphones and tablets. In fact, smartphone botnets already exist. According to the European Network and Information Security Agency smartphone botnets could be used to launch a traditional attack, like spam. Rather than simply using email-based spam the attackers could leverage Short Message Service, or SMS, for spamming purposes. An attacker could also attempt a DoS attack by using zombie phones to send text messages in hopes of overwhelming a cellular tower and preventing any call from being established. This opens up new vulnerabilities, especially during emergencies. Location data available through smartphones may also open up risks for tracking or tracing users for malicious purposes. Next, we'll look at how bots and botnets operate. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 3 of 13. Lesson title: Bots and Botnets. Screen title: How Botnets use Social Media and Networking. Icons for Live Journal, Second Life, Flicker, My Space, Facebook, Twitter, Linked In, Ning, Badoo, Blogger, Word Press, You Tube, Orkut, and Meetup display in a large rectangle. Silhouettes of people are added to the screen with lines connecting them in four rows with approximately twelve people per row. Text displays: Human Attack Surface equals lack of user awareness plus susceptibility to social engineering. Images of smart phone and tablet computer display. Text stem: potential capabilities of smart phone botnets; bullets in support of audio. Images of attacker at a laptop, a cell tower with a signal emanating and a woman on her phone next to a car display. A line connects the attacker to the cell tower. Call out from woman displays text: This line is busy. Smoke animates from car hood. Line animates from woman's phone to the cell tower and a call out from the attacker shows a map with a marked. Rollover 1 of 1. Rollover title: S M S. Short Message Service. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>How Bots and Botnets Operate</Title>
					<Subtitle/>
					<Filename>idsal5_04</Filename>
					<PageNbr>4</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Bots are a type of code commonly used for repetitive tasks and automated actions like sending large volumes of spam. Bots can also be used for more overtly malicious purposes. An attacker might deploy a bot to scan for vulnerabilities in systems connected to the Internet. Once a bot finds and infects a vulnerable computer, the computer becomes a zombie or drone, often simply called a &quot;bot.&quot; The use of the word bot can be confusing. We will use the term bot when referring to &quot;malicious code&quot; and bot zombie or just zombie when referring to an infected computer. A network of zombies is called a botnet or zombie network. The botnet has a hierarchical structure that's controlled by one person or a group of people, called a bot herder or bot master. One of the bot herder's primary goals is to ensure that the botnet remains intact and is continually updated. Bots can automatically scan networks and find other vulnerable systems much faster than human beings could manually accomplish this task. The bots are fast, but not autonomous. They wait for orders from the bot herder. The bot herder sends the orders through a command and control, or C2, channel, made up of one or more malicious servers. The bot herder sends commands to the C2 server or servers, and the servers send those commands to the zombies. The bot herder does not communicate directly with the zombie computers. To accomplish malicious deeds, the bot herder doesn't need to create bots from scratch. There are commercial tools available, which a bot herder can buy and use to create a botnet. Next, we'll take a closer look at botnet architecture. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 4 of 13. Lesson title: Bots and Botnets. Screen title: How Bots and Botnets Operate. Branching diagram with a computer on the top level, four servers on the middle level, and eight laptop computers on the bottom level displays. Lines animate from servers to laptop computers. Text displays: Bots are code written to perform automated functions. Computer at the top of branching diagram is replaced with an attacker at a laptop. Heavy arrows animate from the attacker to the four servers and thinner arrows animate from the servers to the laptops. Malware symbol displays on screen of first laptop on the bottom row of diagram. Text displays: Bot Zombie or Drone is a computer infected with a bot enabling bot herder to remotely control computer. Attacker at the top of the diagram is highlighted and labeled Bot Herder. Additional infected laptops are added below the lowest layer of the diagram. Bot Herder is highlighted to show sending the command and Bot Command and Control Drone label is added to the servers at the second level of the diagram. Malware symbol is added to the servers and arrows animate from the herder to the servers. Lines animate from the servers to the zombies. Text displays: Commercial tools are available to create botnets. Rollover 1 of 1. Rollover title: Bot Zombie or Drone. A zombie or drone is a computer infected with a malicious bot. The bot enables a bot herder or master to remotely control the computer.</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Botnet Architecture and Capabilities</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Botnet Architecture</Title>
					<Subtitle/>
					<Filename>idsal5_05</Filename>
					<PageNbr>5</PageNbr>
					<ShowText>
						<Txt frameNbr="1">You know that a botnet uses centralized command and control, or C2, drones. The bot herder sends out commands to the C2 servers, which communicate with the multi-layered bot zombie computers. The multi-layered structure makes identifying the bot herder more difficult. However, not all botnet architectures are centralized. Some botnets use a decentralized botnet architecture, in which any zombie computer can be used as a C2 drone. The typical botnet process flow begins with a bot exploiting a vulnerability and infecting a computer. The bot may download malicious code from the Internet to the computer and execute the code locally without the user's knowledge. At this point, the computer becomes a zombie or drone. The zombie then connects to the C2 server drone. The server drone notifies the bot herder that the zombie is ready to take orders. The bot executes its malicious code to attack the kernel, the heart and soul of the OS. Bots attempt to modify the kernel in order to gain access privileges to vital system functions. If successful, the bot has complete control over the computer. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 5 of 13. Lesson title: Bots and Botnets. Topic title: Botnet Architecture and Capabilities. Screen title: Botnet Architecture. Branching diagram from previous screen reprises with only two rows of laptops on the lowest level and with the Bot Herder at the top. Arrows animate from the Herder to the servers and lines animate from the servers to the Zombies. A rectangle is outlined around all of the zombies. Diagram fades but is still visible as silhouettes. Three laptops are enlarged and brought back into full focus with the label Decentralized Botnet. One laptop is replaced with a server showing a C 2 drone. Lines connect the C 2 drone to the other two laptops. Branching diagram from the beginning of the screen is reprised. Text stem: Botnet process; bullets in support of audio. Text stem: Bots often attempt to gain kernel level access in order to; bullets in support of audio. Rollover 1 of 1. Rollover title: C 2. Command and Control, or C 2. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>What Can Bots and Botnets Do?</Title>
					<Subtitle/>
					<Filename>idsal5_06</Filename>
					<PageNbr>6</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Once a bot is installed on a computer, the bot waits for new orders from the bot herder via the C2 server. The bot herder can instruct a bot to automatically do any number of things. A bot can search the hard drive for sensitive information like financial accounting files, bank account and credit card information, electronic tax returns, login information, or spilled classified information. A bot can record keystrokes to obtain information such as login credentials for email and banking sites. A bot can also send spam email with a link to malicious code or launch a DoS attack. Bots are also used to poison search results for popular terms, as a means to continue the spread of the infection. Within a botnet, the zombie computers perform different functions. For example, a zombie can host malicious content or act as a DNS server, directing new victims to download malicious content from the computer hosting the content. Zombie computers may scan other computers or systems, pivoting from the zombie computer to attack even more systems on the same network as the zombie. A bot designer can create bots to perform advanced functions. An example is programming the bot to watch for trigger events. When a user types in certain words or performs some action on the system, the bot will create a rapid succession of screen shots to capture information on the screen or turn on the webcam or microphone to record a voice over IP or Skype conversation. A trigger event could be a domain name in the browser URL bar or the appearance of a certain image or text on the screen, such as a classified information label. While most bot actions are automated, a bot herder may take manual control of the bot if the herder sees something interesting. For example, if the bot herder learns that the zombie computer is part of a Department of Defense network or a DoD contractor's network, the attacker may take control of the bot to pivot from the zombie computer to attack systems on the same network as the zombie. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 6 of 13. Lesson title: Bots and Botnets. Screen title: What Can Bots and Botnets Do? Images of a Bot Herder, C 2 Drone, Zombie Computer, or Bot Drone, and D O D Server are displayed on the left side of the screen. Line animates from herder to C 2 drone showing orders and line animates from C 2 drone to the zombie. Text stem: Examples of bot capabilities; bullets in support of audio. Branching diagram from previous screen reprises with only three of the laptops as zombie computers. Text in callout from one zombie: hosts malicious content. Text in callout from second zombie: D N S Server. Lines connect D N S server to four other laptops. Text in callout from third zombie: Scan other computers and pivot to other internal systems. Line animates from third zombie to two more laptops. Text stem: Advanced bot capabilities; bullets in support of audio. Department of Defense seal displays on zombie computer and animates to the C 2 drone server, then to the herder. Malware animates from the herder to the C 2 drone server, to the zombie and finally to the D O D server. Rollover 1 of 5. Rollover title: D O S. Denial of service. Rollover 2 of 5. Rollover title: D N S. Domain Name System. Rollover 3 of 5. Rollover title: pivot. Pivoting is a technique attackers use to further compromise the network after gaining an initial foothold via one compromised system on that network. Rollover 4 of 5. Rollover title: U R L. Uniform Resource Locator. Rollover 5 of 5. Rollover title: DoD. Department of Defense.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsal5_07</Filename>
					<PageNbr>7</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>600</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>A bot herder typically sends orders directly to zombie computers.</Txt>
							<Response>
								<Txt>True, for statement: A bot herder sends orders directly to zombie computers.</Txt>
							</Response>
							<Response valid="true">
								<Txt>False, for statement: A bot herder sends orders directly to zombie computers.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The bot herder sends commands to the command and control (C2) servers. The servers communicate the orders to the zombie computers.</DfltCorrect>
								<DfltIncorrect>Incorrect. The bot herder sends commands to the command and control (C2) servers. The servers communicate the orders to the zombie computers.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>A zombie computer can act as a DNS server.</Txt>
							<Response valid="true">
								<Txt>True, for statement: A zombie computer can act as a DNS server.</Txt>
							</Response>
							<Response>
								<Txt>False, for statement: A zombie computer can act as a DNS server.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. A zombie computer can act as a DNS server, directing new victims to download malicious content from the computer hosting the content.</DfltCorrect>
								<DfltIncorrect>Incorrect. A zombie computer can act as a DNS server, directing new victims to download malicious content from the computer hosting the content.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>A bot can automatically turn on a webcam or microphone when it detects something of interest.</Txt>
							<Response valid="true">
								<Txt>True, for statement: A bot can automatically turn on a webcam or microphone when it detects something of interest.</Txt>
							</Response>
							<Response>
								<Txt>False, for statement: A bot can automatically turn on a webcam or microphone when it detects something of interest.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. A bot designer can program a bot to watch for trigger events, such as a user typing in certain words or performing some action on the system. A bot could take screen shots or turn on the webcam or microphone to capture what the user is doing.</DfltCorrect>
								<DfltIncorrect>Incorrect. A bot designer can program a bot to watch for trigger events, such as a user typing in certain words or performing some action on the system. A bot could take screen shots or turn on the webcam or microphone to capture what the user is doing.</DfltIncorrect>
							</Feedback>
						</Question>
						<Question qType="MC">
							<Txt>A bot master can manually pivot to attack other systems of interest in the zombie computer’s network.</Txt>
							<Response valid="true">
								<Txt>True, for statement: A bot master can manually pivot to attack other systems of interest in the zombie computer’s network.</Txt>
							</Response>
							<Response>
								<Txt>False, for statement: A bot master can manually pivot to attack other systems of interest in the zombie computer’s network.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. If a bot herder discovers an interesting system, such as part of a DoD contractor’s network, he or she can take manual control of the zombie computer and pivot to attack the other systems.</DfltCorrect>
								<DfltIncorrect>Incorrect. If a bot herder discovers an interesting system, such as part of a DoD contractor’s network, he or she can take manual control of the zombie computer and pivot to attack the other systems.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now, check your knowledge of botnet architecture and potential capabilities. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 7 of 13. Lesson title: Bots and Botnets. Screen title: Knowledge Check. There are four statements and two possible answer columns; the True column and the False column. Use your keyboard to cycle through the list of options. </ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Botnet Vectors</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Infection Vectors</Title>
					<Subtitle/>
					<Filename>idsal5_08</Filename>
					<PageNbr>8</PageNbr>
					<ShowText>
						<Txt frameNbr="1">The client-side attack surface comprises the client machine as well as all devices that communicate with the client. This includes routers, client-server services like SMTP and FTP servers, and peripheral and wireless devices, among others, that communicate with the client machine. Infection vectors are the methods used to deliver malicious code to the victim computer. The most common botnet infection vectors are exploiting browsers, email and email attachments, operating system vulnerabilities, files downloaded and/or executed from the Internet, and other infected computers. More advanced botnet vectors include mobile devices that connect to the Internet. Examples are a wi-fi connector for a video game console, and wireless communication devices and networks, like cell phones and voice over IP. While exploiting technology is important for a bot herder's success, underlying most infection vectors is the attempt to deceive or trick users. A bot herder can combine user deception with other exploits to create a complex infection vector. Next, we'll examine Storm Worm as an example of a complex infection vector. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 8 of 13. Lesson title: Bots and Botnets. Topic title: Botnet Vectors. Screen title: Infection Vectors. Images of attacker at laptop labeled Untrusted, router labeled Boundary Router, Firewall labeled External Firewall, S M T P Server labeled D M Z, Firewall labeled Internal Firewall and a Trusted user at a laptop display, with two animated lines connecting all of them from left to right and from right to left showing the flow of information. Malware icons display on the line from Untrusted to Trusted user. Entire image is labeled Client Side Attack Surface. Image of an additional server labeled F T P Server displays next to the S M T P Server. Images of a cell phone and printer display above the trusted user. All images are removed. Image of an infected desktop computer displays. Text stem: Botnet infection vectors; bullet in support of audio. Text stem: Common vectors; bullets in support of audio. Images of a flash drive, a laptop, a video game console and a smart phone display.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Storm Worm</Title>
					<Subtitle/>
					<Filename>idsal5_09</Filename>
					<PageNbr>9</PageNbr>
					<ShowText>
						<Txt frameNbr="1">To emphasize the danger of botnets, let's examine Storm Worm. It's one of the largest, most damaging botnets yet discovered. Storm Worm was detected in 2007. Since then, it has infected so many computers that the exact size is unknown. Estimates range from at least 1 million to upwards of 10 million infected computers in the botnet. One thing that most experts agree on is that the worm that created the Storm botnet used a combination of infection vectors. These vectors include Microsoft Windows exploits, such as OS kernel attacks, and emails linked to current events such as weather disasters. In fact, the name Storm Worm is based on the original email sent by the botnet regarding a 2007 European wind storm. Other Storm Worm emails referred to NFL season news, Valentine's Day, the Olympics, hurricanes, and other historic-type events. Various user deception tricks were employed to encourage users to visit fake websites and download malicious executables. Once infected, client machines would become part of the Storm botnet and execute whatever commands the bot herders wanted. Storm Worm hosted malware on thousands of malicious Web and DNS servers globally. Let's walk through a scenario of how the Storm Worm entered the client machine. A user receives an email saying World War III has already begun. In the email, there's a link to a news website. The user selects the link and is brought to the &quot;daily dot news&quot; web page, which shows a picture of a video with a mushroom cloud and some information about the supposed invasion. While the user reads the engaging text on the bottom of the page, a series of automated attacks are launched at the client's browser. If the browser is unpatched, the browser is compromised. If the browser is patched well enough, the browser is not compromised. In the event the browser can't be compromised, the attacker has a back-up plan that is put into action when the user selects the embedded link to view the video. But there is no actual video. Selecting the link downloads the Storm Worm executable. On the day this Storm Worm campaign was released, 91 percent of all virus scanners did not have a signature for this executable. Only nine percent of the antivirus software detected the file as malicious. In other words, the majority of users who launched the video had their computers compromised with whatever privileges the user had. If the user had administrative rights, the machine was fully compromised. If the user had normal user rights, then the machine was only partially compromised. If the machine was partially compromised, there was an additional exploit that would escalate access privileges so the worm could gain full control of the machine. Next, we'll look at what happens once the Storm bot establishes a foothold in the client machine. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 9 of 13. Lesson title: Bots and Botnets. Screen title: Storm Worm. Image of globe reprises with five users at infected computers. Text stem: Storm Worm; bullets in support of audio. Callout from Multiple Infection Vectors displays with text stem: M S Windows P C exploits; bullets in support of text. Area around the four users is darkened. A server is added next to each user. Diagram depicting how the storm worm entered the client machine displays along a horizontal line as follows: six icons from left to right; first, a server labeled Bot Herder, second, a cloud labeled Untrusted with a server labeled Daily Dot News beneath it, third a router labeled Boundary Router, fourth a firewall labeled External Firewall.  From the external firewall, a dotted line extends downward to text D M Z and from the D M Z a dotted line extends to the left to a server labeled S M T P Server. The fifth icon along the line is a cloud labeled Trusted with a dotted line extending downward to a server labeled Internal Portal. The final icon on the horizontal line is a user at a laptop labeled Storm Bot Client. Email displays on screen with text in support of audio. Link in email is highlighted. Line from the user along the horizontal line animates to the untrusted daily dot news server. Web page displays showing explosion. Multiple icons representing attacks overlay the web page. The icons glow to show the browser is compromised. Video is selected on web page. Horizontal line animates in red showing the download of Iran occupation executable. Callout from user with text: 9 out of 10 computers compromised by users who selected the video link! Callout from user with text: Worm gained user level privileges but could escalate to take control of the system. Rollover 1 of 1. Rollover title. Multiple Infection Vectors. Storm Worm used Microsoft (MS) Windows exploits such as OS kernel attacks and emails linked to current events. 
Examples of current event emails sent: 2007 windstorm in Europe, National Football League, or N F L news, Valentine's Day, The Olympics, Hurricanes, Historic events, Source: RaD X 1 oh 1: Basic Network Intrusion Detection course materials.  

</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Storm Worm Stage 2 Download</Title>
					<Subtitle/>
					<Filename>idsal5_10</Filename>
					<PageNbr>10</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Once the Storm bot is installed on the client machine, the bot &quot;phones home&quot; to the bot herder for instructions. This outbound traffic is often not filtered, since the connection is client-initiated from inside the firewall. When phoning home, the bot tells the bot herder the location and capabilities of the compromised client. It then waits to be told what to download next. Typically, the bot herder orders the bot to reach out, through the Internet, to another zombie computer and download malicious code called a Stage 2 executable. The bot herder's order is also often not filtered by the firewall, because it enters through the connection that was initiated internally by the zombie client computer. The bot downloads the Stage 2, or second stage, executable as a packed, or compressed, file. Packing compresses the file and destroys the patterns or strings that can signal malicious code, so detecting the malicious executable is challenging. Some strings may be visible in packet captures, but file compression makes it difficult to identify patterns associated with botnet traffic. Some bots use encryption algorithms to further challenge detection. Next, we'll look at one way you might detect bot activity in network traffic. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 10 of 13. Lesson title: Bots and Botnets. Screen title: Storm Worm Stage 2 Download. Diagram depicting how the storm worm entered the client machine is reprised from the last screen. The user at a laptop is replaced with an infection symbol and a thick red arrow animates along the horizontal line from the storm bot client to the bot herder server with text: Storm bot phones home for commands. Text stem: Storm Worm Process; bullets in support of audio. Arrow animates downward from the bot herder to a compromised computer labeled Zombie. Rollover 1 of 1. Rollover title: Stage 2 Executable. The Stage 2 or second stage download occurs after the initial compromise. The initial compromise typically yields code execution capability and then downloads the second stage, which provides more robust and malicious capabilities.</ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Detecting Bots</Title>
					<Subtitle/>
					<Filename>idsal5_11</Filename>
					<PageNbr>11</PageNbr>
					<ShowText>
						<Txt frameNbr="1">When you view packets that contain executables in a text or hex editor, it's common to find strings referencing dynamic link libraries, or DLLs. An example is &quot;KERNEL32.dll.&quot; Almost all Windows programs load this DLL, and the string usually remains visible even after the binary is packed. KERNEL32.dll is needed so the exploit can interface with devices, memory, CPU, and other resources controlled by the kernel. KERNEL32.dll also conveniently provides access to the LoadLibrary Application Programming Interface, or API. The &quot;LoadLibrary&quot; API is useful for executing malicious code, injecting malicious code into DLLs, and providing access to DLLs. &quot;LoadLibrary&quot; is among the APIs most commonly referenced by bots and malicious code. There are other interesting DLL and API references in this packet capture that would be useful for further analysis of the code to ascertain the capabilities of this malware. Bot and malware detection and analysis are all about context. While malicious code may make use of the DLLs and APIs pointed out here, as well as others, so do legitimate applications. For example, a Java update may download a packed executable that accesses KERNEL32.dll, but if the download comes from a known malicious actor to an internal host, you should be suspicious. Analysis of the types of DLL and API calls associated with the malicious traffic can provide clues to the functionality of the code, such as obfuscation or data exfiltration. Be alert if you see the KERNEL32.dll string and certain API calls, especially if the executable was downloaded from an untrusted site. The presence of KERNEL32.dll could mean a bot is attempting to alter the kernel. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
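The Stage 2 download screen says packing hides most patterns while some strings survive, and the Detecting Bots screen says those surviving DLL and API strings only matter in context (the download source). The following Python script is an added example, not part of the course materials, that applies both ideas to a downloaded payload: it searches for the exact DLL and API names the screen highlights (KERNEL32.dll, WS2_32.dll, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect, VirtualFree), uses byte entropy as a hint that the file is packed, and lets the source host decide the severity. The untrusted host list and both sample payloads are constructed for the example; neither is a real capture.

```python
import math
import random

# Strings the lesson says usually survive packing: the DLL names and the
# Win32 API names a bot's loader needs to resolve its real imports at runtime.
DLL_INDICATORS = (b"KERNEL32.dll", b"WS2_32.dll")
API_INDICATORS = (b"LoadLibraryA", b"GetProcAddress",
                  b"VirtualAlloc", b"VirtualProtect", b"VirtualFree")

# Assumed (hypothetical) hosts the analyst has already judged untrusted.
UNTRUSTED_HOSTS = {"dailydotnews.example", "203.0.113.17"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Compressed or encrypted data sits near 8.0, plain code
    and text much lower, so a high value is a hint that the file is packed."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def find_indicators(payload: bytes):
    """Return (dll_names, api_names) found as plain strings in the payload."""
    lowered = payload.lower()
    dlls = [d.decode() for d in DLL_INDICATORS if d.lower() in lowered]
    apis = [a.decode() for a in API_INDICATORS if a in payload]
    return dlls, apis


def is_pe(payload: bytes) -> bool:
    """Windows executables start with the 'MZ' DOS header."""
    return payload.startswith(b"MZ")


def assess(source_host: str, payload: bytes) -> dict:
    """Combine string hits with context (source, packing) into a triage verdict."""
    dlls, apis = find_indicators(payload)
    entropy = shannon_entropy(payload)
    untrusted = source_host in UNTRUSTED_HOSTS
    reasons = []
    if is_pe(payload):
        reasons.append("PE executable downloaded")
    if entropy > 7.0:
        reasons.append("high entropy, likely packed (%.2f bits/byte)" % entropy)
    if dlls or apis:
        reasons.append("import strings: " + ", ".join(dlls + apis))
    if untrusted:
        reasons.append("source %s is untrusted" % source_host)

    # The lesson's rule: the same strings appear in legitimate software, so the
    # download source decides how seriously to take them.
    if untrusted and apis:
        severity = "high"
    elif untrusted and is_pe(payload):
        severity = "medium"
    else:
        severity = "low"
    return {"source": source_host, "severity": severity, "dlls": dlls,
            "apis": apis, "entropy": round(entropy, 2), "reasons": reasons}


def _random_blob(n: int, seed: int = 7) -> bytes:
    """Deterministic pseudo-random bytes standing in for a packed section."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples (not real captures): a 'packed' Stage 2 body whose import
# strings survived packing, and a benign installer-like file from a vendor host.
PACKED_SAMPLE = (b"MZ" + _random_blob(2048) + b"\x00KERNEL32.dll\x00LoadLibraryA"
                 b"\x00GetProcAddress\x00VirtualAlloc\x00VirtualProtect"
                 b"\x00VirtualFree\x00WS2_32.dll\x00")
BENIGN_SAMPLE = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 4
                 + b"\x00" * 256 + b"KERNEL32.dll\x00GetProcAddress\x00")

if __name__ == "__main__":
    for host, blob in (("dailydotnews.example", PACKED_SAMPLE),
                       ("updates.vendor.example", BENIGN_SAMPLE)):
        verdict = assess(host, blob)
        print(verdict["severity"].upper(), host, "; ".join(verdict["reasons"]))
```

Run as-is, the packed sample from the untrusted host is rated high (PE header, entropy near 8 bits per byte, the full LoadLibraryA/GetProcAddress/Virtual* set) while the benign sample from the vendor host is rated low even though it also contains KERNEL32.dll and GetProcAddress, which is exactly the context point the screen makes. In practice the payload bytes would be carved from the capture and the untrusted host set would come from your own intelligence sources.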
				<Sec508Data><ContentDescription frameNbr="1">Screen 11 of 13. Lesson title: Bots and Botnets. Screen title: Detecting Bots. Image of packet capture computer code displays with callout from highlighted string of code: &quot;Kernel 32 dot D L L&quot; with text: Executables commonly contain dynamic link library, or D L L strings. Text in callout changes to: Kernel 32 dot D L L tells the bot where it sits in memory. Code Load Library A is highlighted. Text displays in support of audio in callout from Load Library A code string. Five strings of code are highlighted showing interesting D L L and A P I references as follows: First, W S 2 underscore 3 2 dot D L L. Second, Get Proc Address. Third, Virtual Protect. Fourth, Virtual Alloc, and finally Virtual Free. Text displays in support of audio regarding analysis of calls. Rollover 1 of 2. Rollover title A P I. Application Programming Interface, or A P I. Rollover 2 of 2. Rollover title: D L L. Dynamic Link Library. </ContentDescription></Sec508Data></Page>
				<Page>
					<Title>Knowledge Check</Title>
					<Subtitle/>
					<Filename>idsal5_12</Filename>
					<PageNbr>12</PageNbr>
					<PageType>Knowledge Check</PageType>
					<AttemptCountLimit>1</AttemptCountLimit>
					<DfltQuestionWidth>500</DfltQuestionWidth>
					<DfltFBWidth>550</DfltFBWidth>
					<Questions>
						<Question qType="MC">
							<Txt>Which statement best explains why it is difficult to detect botnet network traffic?</Txt>
							<Response>
								<Txt>The OS kernel of the zombie computer is under complete control of the bot herder, and can cover the botnet’s tracks.</Txt>
							</Response>
							<Response valid="true">
								<Txt>Malicious, packed, and sometimes encrypted botnet code passes unfiltered through the firewall to the zombie computer on an internally initiated connection. </Txt>
							</Response>
							<Response>
								<Txt>Packing or compressing malicious code completely destroys all the patterns and strings that identify it as botnet traffic.</Txt>
							</Response>
							<Feedback>
								<DfltCorrect>Correct. The main reason botnet traffic is difficult to detect is that it travels on connections that are internally initiated by the client machine. While file packing does destroy most patterns and strings, some strings are visible in packet captures.</DfltCorrect>
								<DfltIncorrect>Incorrect. The main reason botnet traffic is difficult to detect is that it travels on connections that are internally initiated by the client machine. While file packing does destroy most patterns and strings, some strings are visible in packet captures.</DfltIncorrect>
							</Feedback>
						</Question>
					</Questions>
					<ShowText>
						<Txt frameNbr="1">Now, check your knowledge of the challenges of identifying botnet network traffic. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 12 of 13. Lesson title: Bots and Botnets. Screen title: Knowledge Check. This is a multiple choice question. Use your keyboard to cycle through the list of options. 

</ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
		<Topic>
			<Title>Conclusion</Title>
			<Subtitle/>
			<Pages>
				<Page>
					<Title>Summary and Conclusion</Title>
					<Subtitle/>
					<Filename>idsal5_13</Filename>
					<PageNbr>13</PageNbr>
					<ShowText>
						<Txt frameNbr="1">Congratulations! You have completed the Bots and Botnets lesson. You should now be able to describe how bots and botnets function and identify some of their capabilities. You should also be able to identify some botnet infection vectors and describe their relationship with the client-side attack surface. </Txt>
						<Txt frameNbr="1"/>
					</ShowText>
				<Sec508Data><ContentDescription frameNbr="1">Screen 13 of 13. Lesson title: Bots and Botnets. Topic title: Conclusion. Screen title: Summary and Conclusion. Four lesson objectives are listed with checkmarks as follows: One, describe the relationship between bots and botnets. Two, identify potential bot and botnet capabilities. Three, identify botnet infection vectors, and four, describe the relationship between botnet vectors and the client side attack surface. </ContentDescription></Sec508Data></Page>
			</Pages>
		</Topic>
	</Topics>
</Module>
