Presentation about botnets at SIGINT'10, Koln
SIGINT’10 took place between the 22nd and the 24th of May in Koln, Germany. The videos are also available and hosted by the CCC.
I just saw the presentation given by Thorsten Holz, called ‘Botnets in 2010 - Status Quo and Future Threats’.
As a quick summary, it gives a brief introduction to botnets and their architecture and then talks about Storm Worm and Waledac.
Storm Worm
- No centralized C&C, thanks to P2P
- Fast flux domains
- Uses infected computers with public IP addresses to proxy the content back to the backend: spam pages or pages with exploit packs. This makes it hard to track and offers high availability.
- The NATed machines are used to send spam and launch DoS attacks.
- Template based spamming. The template is sent to the bots that then send the spam.
- Mitigation: join the network and disrupt the communication channel between the bots (Stormfucker at 25C3, CCC)
Waledac
- Successor of Storm Worm and perhaps created by the same group
- Uses HTTP to tunnel traffic (major change) between the NATed machines and the repeaters
- Multi-tier architecture (‘hybrid’ P2P), like Storm Worm
- Static backend servers that host the content
- Fast flux domains for C&C
- Template based spamming.
- The mitigation effort was called ‘Operation b49’ and took down the botnet in February 2010.
The video can be found here.
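
Both Storm Worm and Waledac are listed above as using fast flux domains. As an added example (not from the talk or the original post), here is a simple heuristic a defender could run over passive DNS data to spot such domains: many distinct A records spread over many networks, served with short TTLs. The thresholds, the /16 grouping used as a stand-in for an ASN lookup, and the sample data are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed passive-DNS observations: (domain, A-record IP, TTL in seconds).
# Domains and addresses are made up; RFC 1918 addresses stand in for public bot IPs.
OBSERVATIONS = [
    ("flux.example", "10.1.2.3", 120), ("flux.example", "10.77.4.9", 180),
    ("flux.example", "10.140.8.1", 120), ("flux.example", "10.200.5.5", 150),
    ("flux.example", "10.33.9.20", 180), ("flux.example", "10.91.0.7", 120),
    # Low TTL and several IPs, but all in one network (CDN-like): should not be flagged.
    ("cdn.example", "10.50.0.1", 60), ("cdn.example", "10.50.0.2", 60),
    ("cdn.example", "10.50.1.1", 60), ("cdn.example", "10.50.1.2", 60),
    ("cdn.example", "10.50.2.1", 60),
    ("static.example", "10.9.9.9", 86400),
]

def flux_report(observations, min_ips=5, min_networks=3, max_ttl=300):
    """Summarise each domain and flag fast-flux candidates.

    A domain is a candidate only when all three signals agree: many distinct
    IPs, spread over many networks, with a short median TTL. Requiring network
    diversity keeps single-provider load balancing out of the result.
    """
    ips, ttls = defaultdict(set), defaultdict(list)
    for domain, ip, ttl in observations:
        ips[domain].add(ip_address(ip))
        ttls[domain].append(ttl)

    report = {}
    for domain, addrs in ips.items():
        # Assumption: a /16 prefix approximates "different network" offline;
        # with real data, map each IP to its ASN instead.
        networks = {ip_network(f"{a}/16", strict=False) for a in addrs}
        med_ttl = median(ttls[domain])
        report[domain] = {
            "distinct_ips": len(addrs),
            "distinct_networks": len(networks),
            "median_ttl": med_ttl,
            "suspect": (len(addrs) >= min_ips
                        and len(networks) >= min_networks
                        and med_ttl <= max_ttl),
        }
    return report

if __name__ == "__main__":
    for domain, stats in flux_report(OBSERVATIONS).items():
        print(domain, stats)
```

A flagged domain is a candidate for review, not a verdict: legitimate services that rotate across several providers can also meet all three conditions.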