Defense Against the Dark Bots
Presenter: Craig Schiller - CISO Portland State University
author of "Botnets: The Killer Web App"
Date: Thursday, September 24th 2009
Location: MSU-Bozeman Campus, SUB 233
Time: 8am - 5pm
Price: $45 (light breakfast, lunch, and refreshments included)
Seating: Limited
Parking: Parking Kiosk is at 7th Ave and Grant Street. $5 to park in the Visitor Lot. Or, purchase a $2.50 daily hangtag which can be used at any lot signed as "SB Parking".
See http://www.montana.edu/police/visitors.shtml for maps and more information about visitor parking.
Thanks to all who attended the 2009 post-conference seminar.
It was a huge success!
How do you find an intelligent, malicious chameleon that doesn't want to be found?
All major anti-virus vendors have made announcements to the effect that signature-based detection
does not work against many botnet-related malware applications. If traditional detection methods
don't work, then what does? Craig Schiller, primary author of "Botnets: The Killer Web App", the
first published book on the subject of botnets, will present the full-day "Defense Against the Dark Bots"
seminar. In this session you will examine real bot command and control code, learn botnet
fundamentals, identify new intelligence sites, explore detection methods, and analyze bot clients
in a virtual sandbox. We will also talk about who is behind most of the botnet activity.
Session 1 - The Threat
Session 1 will provide an overview of botnet technology. We will cover how a typical bot client works and give a brief history of bots. To improve our chances of recognizing and detecting bots, we will describe common schemes operated by bot herders. Attendees will learn how bots differ from your father's worms and viruses. We will discuss the motivation behind those who design, create, and operate botnets. We will examine the life cycle of the typical botnet client.
Session 2 - Know the Enemy
In session 2 we turn our focus to the enemy behind the bot. We will answer the question: who is behind the design, development, and operation of botnet technology? This session will dig deeper into the technology of bots, and in particular the technology used to protect the bots and the bot herders. We will examine fast-flux DNS, dynamic DNS, and other concealment and obfuscation techniques. Attendees will examine botnet communication technology to improve their ability to detect it in the field. Finally, we will describe current botnet detection technology.
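Fast-flux DNS, named above as a concealment technique, hides a command and control host behind a hostname whose A records rotate rapidly through many compromised machines with very short TTLs. The defender-side signal is therefore in the resolver logs rather than in any file signature. The following is an added illustration, not code from the seminar or its presenter: a small heuristic that scores passive DNS observations for fast-flux behaviour. The record layout, the thresholds, the use of a /16 prefix as a stand-in for hosting diversity, and the hostnames and IP addresses (drawn from the RFC 5737 documentation ranges) are all constructed assumptions for the example.

```python
"""Fast-flux triage heuristic over passive DNS answers (constructed sample data)."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class DnsAnswer(NamedTuple):
    ts: int     # observation time in seconds (constructed, relative)
    name: str   # hostname that was queried
    ip: str     # IPv4 address returned in the A record
    ttl: int    # TTL advertised for that record


def slash16(ip: str) -> str:
    """Coarse /16 prefix; a crude proxy for 'different hosting network'.
    A real deployment would map to ASN or BGP prefix instead (assumption)."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}"


def score_fast_flux(answers: Iterable[DnsAnswer], window: int = 3600,
                    min_ips: int = 5, max_ttl: int = 300,
                    min_prefixes: int = 3) -> Dict[str, dict]:
    """For each hostname, find the busiest `window`-second span of answers and
    report how many distinct IPs and /16 prefixes it touched and the lowest TTL.
    A name is flagged when all three fast-flux indicators hold together."""
    by_name: Dict[str, List[DnsAnswer]] = defaultdict(list)
    for ans in answers:
        by_name[ans.name].append(ans)

    report: Dict[str, dict] = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r.ts)
        best = None
        start = 0
        # Sliding window over the time-sorted answers for this name.
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:
                start += 1
            span = recs[start:end + 1]
            cand = {
                "distinct_ips": len({r.ip for r in span}),
                "distinct_prefixes": len({slash16(r.ip) for r in span}),
                "min_ttl": min(r.ttl for r in span),
            }
            if best is None or cand["distinct_ips"] > best["distinct_ips"]:
                best = cand
        best["flagged"] = (
            best["distinct_ips"] >= min_ips
            and best["min_ttl"] <= max_ttl
            and best["distinct_prefixes"] >= min_prefixes
        )
        report[name] = best
    return report


# Constructed sample: one name rotating six addresses across three networks
# every minute with a 60 s TTL, and one ordinary name with two stable
# addresses in a single network and a one-hour TTL.
SAMPLE_ANSWERS = [
    DnsAnswer(0,   "update.example.invalid", "192.0.2.10",     60),
    DnsAnswer(60,  "update.example.invalid", "198.51.100.5",   60),
    DnsAnswer(120, "update.example.invalid", "203.0.113.9",    60),
    DnsAnswer(180, "update.example.invalid", "192.0.2.77",     60),
    DnsAnswer(240, "update.example.invalid", "198.51.100.200", 60),
    DnsAnswer(300, "update.example.invalid", "203.0.113.44",   60),
    DnsAnswer(0,    "cdn.example.com", "198.51.100.20", 3600),
    DnsAnswer(3600, "cdn.example.com", "198.51.100.21", 3600),
]


if __name__ == "__main__":
    for host, stats in score_fast_flux(SAMPLE_ANSWERS).items():
        print(host, stats)
```

The three conditions are checked together on purpose: large content delivery networks also hand out many addresses with short TTLs, so a single indicator on its own produces noisy alerts. Treat a flagged name as a triage lead to be confirmed against threat intelligence and the behaviour of the hosts that queried it, not as a verdict.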
Session 3 - Know Yourself
Session 3 focuses on actions we can take to prevent infections, protect systems from bots, collect intelligence about bots, and recover from their infestations. What steps can I take to prevent some botnets from infecting my systems? The nature of bots makes the profiles and signatures of many anti-malware products less effective. Behavior is the key to detecting and reacting to bots. Since behavior is dynamic, we must gather information constantly to recognize the signs of bot-like behavior. Similarly, user and enterprise-level behavior can increase or decrease susceptibility to bot attacks. Session 3 will debunk the five reasons users believe they don't have to worry about bots. The session will cover enterprise-wide policies and practices that will make your systems less attractive to bot herders. Attendees will learn about existing sources of intelligence data for their own use, and how to find and validate new sources. Attendees will return to their organizations equipped with new tools to educate their peers and begin their own defense against the dark bots.