1
00:00:00,880 --> 00:00:02,610
Botnets and zombies.

2
00:00:02,610 --> 00:00:04,650
What happens to your computer if it becomes

3
00:00:04,650 --> 00:00:06,200
the victim of a botnet?

4
00:00:06,200 --> 00:00:07,600
Well, let's say that your computer

5
00:00:07,600 --> 00:00:09,580
has picked up some kind of malware

6
00:00:09,580 --> 00:00:11,930
and that malware, its purpose

7
00:00:11,930 --> 00:00:14,570
is to change your computer into its victim,

8
00:00:14,570 --> 00:00:16,880
into what we call a zombie.

9
00:00:16,880 --> 00:00:20,300
That's right, a zombie becomes part of the botnet

10
00:00:20,300 --> 00:00:22,110
and a botnet is simply a collection

11
00:00:22,110 --> 00:00:25,910
of compromised computers under the control of a master node.

12
00:00:25,910 --> 00:00:27,828
So, what does this really look like?

13
00:00:27,828 --> 00:00:30,213
Well, if your computer becomes a zombie,

14
00:00:30,213 --> 00:00:33,120
it becomes under the control of some attacker

15
00:00:33,120 --> 00:00:34,623
and that attacker has what they call

16
00:00:34,623 --> 00:00:37,860
the command and control node or C2 node.

17
00:00:37,860 --> 00:00:39,870
That command and control node controls

18
00:00:39,870 --> 00:00:42,830
not just your computer but hundreds or thousands

19
00:00:42,830 --> 00:00:45,240
or hundreds of thousands of other computers

20
00:00:45,240 --> 00:00:47,132
that are part of their botnet.

21
00:00:47,132 --> 00:00:49,453
What kind of things can these zombies do?

22
00:00:49,453 --> 00:00:51,940
Well, they might be used as a pivot point

23
00:00:51,940 --> 00:00:53,807
so that when they get a new victim,

24
00:00:53,807 --> 00:00:55,810
or if they're attacking a server,

25
00:00:55,810 --> 00:00:58,150
they can access it through your computer

26
00:00:58,150 --> 00:00:59,890
and it looks like you're doing the attack

27
00:00:59,890 --> 00:01:01,970
instead of the master node.

28
00:01:01,970 --> 00:01:03,780
They'll jump from their command and control node

29
00:01:03,780 --> 00:01:04,980
into one of the zombies

30
00:01:04,980 --> 00:01:06,393
and from the zombie over to the victim

31
00:01:06,393 --> 00:01:08,308
and they might go out and use those zombies

32
00:01:08,308 --> 00:01:11,620
to host files that are illegal, like child pornography

33
00:01:11,620 --> 00:01:12,870
so they don't get caught with them

34
00:01:12,870 --> 00:01:15,120
and all sorts of things like that.

35
00:01:15,120 --> 00:01:17,010
They may use them to spam other people

36
00:01:17,010 --> 00:01:19,850
and send out phishing campaigns and other malware

37
00:01:19,850 --> 00:01:22,289
or, most commonly, they can use this botnet

38
00:01:22,289 --> 00:01:26,766
to conduct a DDoS, a distributed denial-of-service attack.

39
00:01:26,766 --> 00:01:29,582
What exactly is a distributed denial-of-service attack?

40
00:01:29,582 --> 00:01:32,810
Well, a distributed denial-of-service attack occurs

41
00:01:32,810 --> 00:01:35,381
when many machines target a single victim

42
00:01:35,381 --> 00:01:38,230
and attack them at the exact same time.

43
00:01:38,230 --> 00:01:39,910
So let's assume that I'm the bad guy

44
00:01:39,910 --> 00:01:42,850
and I control a botnet of 100,000 machines

45
00:01:42,850 --> 00:01:45,510
and I want to go and take down somebody's website,

46
00:01:45,510 --> 00:01:48,933
I can make all 100,000 of my victims, my zombies,

47
00:01:48,933 --> 00:01:50,960
target that victim's server

48
00:01:50,960 --> 00:01:53,260
and make the request simultaneously.

49
00:01:53,260 --> 00:01:54,710
That type of load could end up

50
00:01:54,710 --> 00:01:56,610
forcing the web server offline,

51
00:01:56,610 --> 00:01:58,670
causing it to crash and not be able

52
00:01:58,670 --> 00:02:00,730
to serve its real customers.

53
00:02:00,730 --> 00:02:02,400
That is denying it the ability

54
00:02:02,400 --> 00:02:05,020
to do its normal functions or its service.

55
00:02:05,020 --> 00:02:07,230
That makes it a denial of service

56
00:02:07,230 --> 00:02:09,095
and a distributed denial-of-service is just that.

57
00:02:09,095 --> 00:02:12,090
It's the most common use of botnets

58
00:02:12,090 --> 00:02:14,220
and it's been that way for a long time

59
00:02:14,220 --> 00:02:16,470
but these days attackers aren't just

60
00:02:16,470 --> 00:02:18,280
doing it for fun and games.

61
00:02:18,280 --> 00:02:20,170
Instead they want to make money

62
00:02:20,170 --> 00:02:22,090
and so they're using zombies to do things

63
00:02:22,090 --> 00:02:24,820
that are processor intensive like bitcoin mining

64
00:02:24,820 --> 00:02:27,600
or other cryptomining on their behalf.

65
00:02:27,600 --> 00:02:29,530
That's right, when you have a botnet

66
00:02:29,530 --> 00:02:31,360
with lots and lots of zombies,

67
00:02:31,360 --> 00:02:34,210
you have a lot of processing power at your disposal

68
00:02:34,210 --> 00:02:35,430
because each of those machines

69
00:02:35,430 --> 00:02:37,230
can give you some of its resources

70
00:02:37,230 --> 00:02:40,090
and then they can work in a distributed manner.

71
00:02:40,090 --> 00:02:41,620
So, I can set them off

72
00:02:41,620 --> 00:02:43,490
and let them start mining coins for me

73
00:02:43,490 --> 00:02:44,990
and they'll return those coins back

74
00:02:44,990 --> 00:02:47,912
to my command and control node where I can profit from them.

75
00:02:47,912 --> 00:02:50,170
Botnets are great to be used

76
00:02:50,170 --> 00:02:52,410
for anything that is processor intensive.

77
00:02:52,410 --> 00:02:54,370
So that can be things like cryptomining.

78
00:02:54,370 --> 00:02:56,450
That can be things like breaking encryption.

79
00:02:56,450 --> 00:02:59,110
And again, if your computer becomes part of this network

80
00:02:59,110 --> 00:03:01,540
and it becomes a zombie, it doesn't even know

81
00:03:01,540 --> 00:03:02,687
it's doing a lot of these things

82
00:03:02,687 --> 00:03:04,200
and you might not even know

83
00:03:04,200 --> 00:03:05,800
that it's doing these things either.

84
00:03:05,800 --> 00:03:08,427
Instead you just see your machine is slowing down.

85
00:03:08,427 --> 00:03:10,520
Because the attackers don't take up

86
00:03:10,520 --> 00:03:12,000
all of your computing power,

87
00:03:12,000 --> 00:03:14,655
they might just take 10% or 20% of your power,

88
00:03:14,655 --> 00:03:17,490
it might take you a long time to figure it out

89
00:03:17,490 --> 00:03:19,560
but with only 10 or 20% of the power,

90
00:03:19,560 --> 00:03:21,910
across hundreds of thousands of computers,

91
00:03:21,910 --> 00:03:24,310
they have a ton of power at their disposal

92
00:03:24,310 --> 00:03:25,521
for either nefarious things like

93
00:03:25,521 --> 00:03:27,567
distributed denial-of-service attacks

94
00:03:27,567 --> 00:03:30,984
or money-making things like cryptomining.
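The distributed denial-of-service pattern the video describes (many distinct machines hitting one server at the same moment) leaves a visible signature in the victim's own access log: a burst of requests from an unusually large number of source addresses inside one short window. The detector below is an added example, not part of the video; it runs over constructed Common Log Format lines, and the window size and thresholds are assumed values to be tuned against a real baseline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of web-server access log lines (Common Log Format).
# The first three lines are ordinary traffic; the generated lines simulate
# 40 distinct sources hitting the same server inside one second.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
10.0.0.9 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 1045
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /cart HTTP/1.1" 200 812
""" + "".join(
    f'192.0.2.{i} - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 503 0\n'
    for i in range(1, 41)
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Return (source_ip, timestamp) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts

def find_flood_windows(log_text, window_secs=1, min_sources=20, min_requests=30):
    """Bucket requests into fixed time windows and flag windows where both the
    distinct-source count and the request count exceed thresholds.
    Thresholds are assumed values for this example, not figures from the video."""
    windows = defaultdict(list)  # window start (epoch seconds) -> source IPs seen
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the scan
        ip, ts = parsed
        bucket = int(ts.timestamp()) // window_secs * window_secs
        windows[bucket].append(ip)
    alerts = []
    for bucket in sorted(windows):
        ips = windows[bucket]
        distinct = len(set(ips))
        if distinct >= min_sources and len(ips) >= min_requests:
            alerts.append({"window_start": bucket, "requests": len(ips), "distinct_sources": distinct})
    return alerts

if __name__ == "__main__":
    for a in find_flood_windows(SAMPLE_LOG):
        print(f"flood at {a['window_start']}: {a['requests']} requests from {a['distinct_sources']} sources")
```

A single busy client would trip only the request-count threshold; requiring many distinct sources as well is what separates the botnet pattern from one noisy user or crawler.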