Leicester, England; Zarox Souchi of Toronto; Youri van den Berg of Deventer, the Netherlands; and Anton Zagar of Trbovlje, Slovenia.
Operation Cyberslam: Jay Echouafni
Jeanson James Ancheta
The first U.S. criminal case involving a botnet went to trial in November 2005. Jeanson James Ancheta (aka Resili3nt), age 21, of Downey, California, was convicted and sentenced to five years in jail for conspiring to violate the Computer Fraud and Abuse Act, conspiring to violate the CAN-SPAM Act, causing damage to computers used by the federal government in national defense, and accessing protected computers without authorization to commit fraud. He was also ordered to pay $57,000 in restitution.
Ancheta's botnet consisted of thousands of zombies. He would sell the use of his zombies to other users, who would launch DDoS attacks (see Figure 1.2) or send spam.
Figure 1.2 A Simple Botnet Overview
www.syngress.com
Chapter 1 • Botnets: A Call to Action
Notes from the Underground…
A Simple Botnet
Figure 1.2 depicts a simple botnet being commanded to launch a DDoS attack against a competitor or other individual. The numbered steps illustrate a timeline from a new botclient joining the botnet and then participating in the DDoS attack. Steps 2-5 repeat ad infinitum, with step 4 changing to whatever attack was commanded in step 2.
1. When a new botclient has been created (compromised), one of its first duties is to rally back to the C&C server. It does this by joining a specified IRC channel and waiting for commands to be posted there.
2. The botherder posts a command to the C&C server, possibly in response to a paying customer's request. In this case, the customer has requested that the botherder prevent a competitor's Web site from getting any orders for several days. The botherder sends a command to the C&C server, specifying the target, the time and type of attack, and which of the botclients are to participate.
3. The botclients monitor the C&C server on the specified channel. When the botherder sends the command, the botclients see that it has been posted and schedule the requested activity.
4. At the appointed time, all of the selected botclients begin sending network traffic to the target. With enough traffic, the target Web site is unable to process both the attack traffic and the legitimate traffic and soon attempts to process only attack traffic.
5. Optionally, the botclients report back to the C&C server any results, or that they have completed the task and are ready for new commands.
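As an added example (not from the book), here is a defender-side heuristic in Python that looks for steps 1 through 4 of this timeline in a constructed event log: a cluster of internal hosts joining the same IRC channel (the rally), a message posted to that channel, and then most of those hosts sending traffic to one destination. The event format, host addresses and channel names are assumptions made for the example.

```python
"""Detect the Figure 1.2 rally-then-attack pattern in network event logs.

Defensive heuristic: many internal hosts joining the same IRC channel on the
same server looks like step 1 (rally); a message posted to that channel
followed by those same hosts all sending traffic to one destination looks
like steps 2-4 (command posted, attack scheduled, attack launched).
"""
from collections import defaultdict

# Constructed sample events (not real traffic): (timestamp, source, event, detail)
#   JOIN    -> detail is "server/#channel" the source joined
#   PRIVMSG -> detail is the "server/#channel" a message was posted to
#   FLOW    -> detail is the destination host the source sent traffic to
SAMPLE = [
    (100, "10.0.0.11", "JOIN", "irc.example.test/#rally"),
    (101, "10.0.0.12", "JOIN", "irc.example.test/#rally"),
    (102, "10.0.0.13", "JOIN", "irc.example.test/#rally"),
    (105, "10.0.0.50", "JOIN", "irc.example.test/#chat"),      # unrelated user
    (200, "herder-host", "PRIVMSG", "irc.example.test/#rally"),  # step 2: command posted
    (300, "10.0.0.11", "FLOW", "203.0.113.9"),                   # step 4: traffic surge
    (300, "10.0.0.12", "FLOW", "203.0.113.9"),
    (301, "10.0.0.13", "FLOW", "203.0.113.9"),
    (302, "10.0.0.50", "FLOW", "198.51.100.4"),                  # ordinary traffic
]


def find_rallies(events, min_members=3):
    """Return {channel: sorted hosts} for channels joined by >= min_members hosts (step 1)."""
    members = defaultdict(set)
    for _, src, ev, detail in events:
        if ev == "JOIN":
            members[detail].add(src)
    return {ch: sorted(hosts) for ch, hosts in members.items() if len(hosts) >= min_members}


def find_coordinated_targets(events, rallies, min_share=0.5):
    """After the first message in a rally channel, report each destination that at
    least min_share of that channel's members sent traffic to (steps 2-4)."""
    alerts = []
    for ch, hosts in rallies.items():
        cmd_times = [ts for ts, _, ev, d in events if ev == "PRIVMSG" and d == ch]
        if not cmd_times:
            continue  # nobody posted to the channel, so no command to act on
        first_cmd = min(cmd_times)
        senders_by_dst = defaultdict(set)
        for ts, src, ev, dst in events:
            if ev == "FLOW" and ts > first_cmd and src in hosts:
                senders_by_dst[dst].add(src)
        for dst, srcs in senders_by_dst.items():
            if len(srcs) / len(hosts) >= min_share:
                alerts.append((ch, dst, sorted(srcs)))
    return alerts
```

Run over real data, the JOIN and PRIVMSG events would come from an IRC-aware sensor and the FLOW events from NetFlow or firewall logs; the thresholds are starting points to tune against the size of the monitored network.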