Black Market Botnets
Nathan Friess, John Aycock, Ryan Vogt
Department of Computer Science, University of Calgary, Canada
(PowerPoint presentation)

SLIDE 1

Black Market Botnets

Nathan Friess, John Aycock, Ryan Vogt
Department of Computer Science, University of Calgary, Canada

SLIDE 2

Botnets: Current Scenario

  • Infect computers
      • Spam attachments/links, drive-by downloads
  • Control victim
      • Spam botnets
  • Gather data
      • Key loggers, monitor network traffic

SLIDE 3

“Interesting” Data

  • Identity: Passwords, PINs, SSN
  • Financial: Credit Cards, Tax Returns
  • Corporate Secrets
      • Design Documentation, Schematics
      • Financial Reports
  • Personal Secrets
      • Latest gossip on celebrities
      • Illegal Files, Terrorist Plans

SLIDE 4

Our Prediction

  • More types of data will be stolen and used for profit


SLIDE 6

The Business Case

Chart (figure not in the transcript): Available Data plotted against Volume, with Passwords, Credit Cards, Celebrity Secrets, Trade Secrets, Love Letters and "???" as the plotted data types.

SLIDE 7

Gozi: A First Step

  • February 2007
  • Monitor HTTP POST requests (even SSL)
  • Upload POST data to central server
  • Customers search for data (based on web site, form fields, etc.) and pay to download
  • Doesn’t upload local files
  • Limited searching capabilities

SLIDE 8

Black Market Botnets

SLIDES 9-12

Black Market Botnets: Basic Architecture (diagram slides; the figures are not in the transcript. Slide 11 labels one component “Bunnies”.)

SLIDES 13-16

Black Market Botnets: Advanced Architecture (diagram slides; the figures are not in the transcript)
slide-17
SLIDE 17

Interesting Document Interesting Document Indicators Indicators

  • Document Types: .TAX

Document Types: .TAX

  • Financial Data: Spreadsheets

Financial Data: Spreadsheets

  • Specific Vocabulary:

Specific Vocabulary: Technical Terms, Poetry Technical Terms, Poetry

  • Activity: Recently Edited, Viewed

Activity: Recently Edited, Viewed

SLIDE 18

Auction Infrastructure

  • eBay
      • Hide document fragments using steganography
      • Legitimate cover for fund transfer
      • Don’t really need to ship a physical product
  • Existing model: drug trafficking

SLIDE 19

Additional Markets

  • Victims pay botmaster to not publish documents: Bidding Wars
  • Pre-seed botnet with customer queries
  • Allow customers to write scripts to search for specific data

SLIDE 20

Defenses

  • Avoid being infected
  • Limit document exposure
      • Keep archived files offline
      • Hide documents using steganography

SLIDE 21

Defenses

  • Digital Rights Management
  • Investigate leaks
      • Fingerprint documents, trace back to infected computer
      • Follow money trail, trace back to botmaster
  • Actively attack document gathering
      • Insert useless documents into botnet
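The fingerprinting defense above, as an added example that is not from the slides: each host's copy of a document carries an invisible per-host HMAC token, so a leaked copy can be traced back to the host it was issued to (decoy documents from the last bullet can be tagged the same way). The zero-width-character carrier, the key, the host names and the document text are all constructed for this example.

```python
import hashlib
import hmac

# Invisible carrier characters for the fingerprint (hypothetical scheme for this example).
ZERO = "\u200b"   # zero-width space      -> bit 0
ONE = "\u200c"    # zero-width non-joiner -> bit 1
TOKEN_BITS = 64

# Constructed sample values: in a real deployment the key lives off the workstations.
KEY = b"constructed-demo-key"
DOC_ID = "fin-report-q3"
HOSTS = ["ws-finance-01", "ws-finance-02", "ws-legal-07"]
DOC_TEXT = "Q3 financial report (constructed sample text)"


def fingerprint_bits(key: bytes, doc_id: str, host: str) -> str:
    """Per-(document, host) token as a 64-bit string; keyed so a bot cannot forge or guess it."""
    digest = hmac.new(key, f"{doc_id}|{host}".encode(), hashlib.sha256).digest()
    return format(int.from_bytes(digest[:8], "big"), "064b")


def mark_document(key: bytes, doc_id: str, host: str, text: str) -> str:
    """Return the copy of `text` issued to `host`, tagged with its invisible token."""
    marker = "".join(ONE if b == "1" else ZERO for b in fingerprint_bits(key, doc_id, host))
    return text + marker


def extract_bits(text: str) -> str:
    """Recover the hidden bit string: only the zero-width carrier characters count."""
    return "".join("1" if c == ONE else "0" for c in text if c in (ZERO, ONE))


def trace_leak(key: bytes, doc_id: str, candidate_hosts, leaked_text: str):
    """Name the host whose copy leaked, or None if the marker is missing, damaged or unknown."""
    bits = extract_bits(leaked_text)
    if len(bits) != TOKEN_BITS:
        return None
    for host in candidate_hosts:
        if hmac.compare_digest(fingerprint_bits(key, doc_id, host), bits):
            return host
    return None


def demo() -> str:
    """Issue one copy per host, pretend ws-finance-02's copy leaked, and trace it."""
    copies = {h: mark_document(KEY, DOC_ID, h, DOC_TEXT) for h in HOSTS}
    return trace_leak(KEY, DOC_ID, HOSTS, copies["ws-finance-02"])


if __name__ == "__main__":
    print("leaked copy traced to:", demo())
```

Zero-width characters survive plain-text copies but not every format conversion; the same keyed token can instead be carried in document metadata.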

SLIDE 22

Conclusions

  • Valuable data is available in botnets
  • It is already possible to connect data and customers
  • A black market for data can exist, even if botmasters don’t know what is in demand

SLIDE 23

Black Market Botnets

Nathan Friess, John Aycock, Ryan Vogt
Department of Computer Science, University of Calgary, Canada