botnet tracking
play

Botnet Tracking: Tools, Techniques, and Lessons Learned Dr. Jose - PowerPoint PPT Presentation

Nov 09, 2022 •454 likes •879 views

Botnet Tracking: Tools, Techniques, and Lessons Learned Dr. Jose Nazario About Arbor Networks Founded in 2000 ~150 employees worldwide Peakflow product lines Peakflow SP for service providers Peakflow X for enterprises

  1. Botnet Tracking: Tools, Techniques, and Lessons Learned Dr. Jose Nazario

  2. About Arbor Networks • Founded in 2000 • ~150 employees worldwide • Peakflow product lines – Peakflow SP for service providers – Peakflow X for enterprises • Anomaly detection products – Primarily NetFlow-based data collection • The global DDoS response leader arbornetworks.com Page 2 Company Confidential

  3. Botnets • Pressing problem for network operators • ISPs - number 1 pressing issue • Enterprises – Unknown threat scale – Big concern to many arbornetworks.com Page 3 Company Confidential

  4. Bots in the Malware Taxonomy • Bots exhibit worm characteristics – Use network exploits to propagate • Bots exhibit backdoor characteristics – Start up a network listener service, inbound connections • FTP server, web server, etc – Connect outbound to receive connections • Bots utilize rootkits – Rootkits hide their presence • Bots have spyware components – Keystroke loggers for information theft • Bots are extensible and may download additional software • A botnet herder may load adware and/or spyware on a compromised system arbornetworks.com Page 4 Company Confidential

  5. Botnets in the Internet Underground • Bots are distributed computing and resources • Help build a buffer between criminals and victims • Botnets have aggregate storage and bandwidth • Excellent for illicit activities – Spam (increasingly pump and dump) – DDoS – Warez, stolen media arbornetworks.com Page 5 Company Confidential

  6. Know Your Goals • Malware Collection – Popular with AV, security companies • Attack Traceback – Our primary goal • Attacker Profiling and Assessment – Small, specialized field arbornetworks.com Page 6 Company Confidential

  7. Botnet Tracking Requirements • Origins – Can’t do this from your desktop! • Targets – Botnet server, passwords, bot characteristics, etc • Malware – Have to know what a bot would do • Client – Have to have a botnet client to participate arbornetworks.com Page 7 Company Confidential

  8. Secondary Requirements • Distant origins – Don’t want it to tie back to you • Multiple origins – Don’t want to be too obvious • Familiarity with attacker underground – Exploits, vulnerabilities, underground economy • Language skills – Be able to read and write foreign languages arbornetworks.com Page 8 Company Confidential

  9. How to Actively Monitor Botnets Sacrificial Lambs Custom Clients • Multiple nets at once • One binary at a time – Repeat for every new bot • Easy to customize • High risk of • May look “different” (and participating in an hence suspicious) attack This is what we’ll use • Lower risk of looking “out of place” arbornetworks.com Page 9 Company Confidential

  10. Botnet Tracking Client Requirements • Secure • Scalable • Flexible • Easy to retarget • Records everything it sees • Stealthy arbornetworks.com Page 10 Company Confidential

  11. Project Bladerunner • Botnet infiltration – Active monitoring – Multiple networks at once • Uses Python and irclib module • Also wrote a Kaiten tracking tool – Kaiten affects Linux systems • Focused only on IRC-based botnets arbornetworks.com Page 11 Company Confidential

  12. About Bladerunner • Mimics a basic bot • Understands "login", "join" • Chooses to be quiet rather than misspeak • Logs everything arbornetworks.com Page 12 Company Confidential

  13. Why a Custom Bot? • Time consuming to defang a bot • Only needed very basic functionality • Knew code very well • Little risks (DDoS, installations, etc) • Bladerunner was about 300 LoC arbornetworks.com Page 13 Company Confidential

  14. Which Botnets? • Need to know host, nickname format, and passwords – Blacklists, AV writeups insufficient • Captured malware – In house analysis • Norman Sandbox digest – Back when it was free • Link sharing – Strong research community arbornetworks.com Page 14 Company Confidential

  15. Botnets and DDoS • About half of all botnets we tracked performed DDoS attacks – Most attacks are not against a significant target – Most attacks are not crippling to the endpoint • Did observe a set of high profile attacks in the spring of 2006 – Against a series of anti-spam and anti-DDoS companies • DDoS nets use different bots than spyware or adware bots – Not all bots have DDoS capabilities – Type of bot used can often indicate intent of herder arbornetworks.com Page 15 Company Confidential

  16. Botnet Tracking as DDoS Traceback • Looked at DosTracker archive – Arbor project to analyze global DDoS provalence – Over 20,000 DDoS attacks measured between Sept 2006 and January 2007 • Looked at Shadowserver botnet tracking logs of DDoS attacks – Over 21,000 attacks in this timeframe – Over 400 unique IRC servers • Attack intersection results – 2% of all DDoS attacks measured by Arbor had clear botnet cause – 13% of all DDoS attacks recorded by botnet tracking showed up in Arbor monitors arbornetworks.com Page 16 Company Confidential

  17. Our Current Position in Botnet Response • (Community position) • Collection – Nepenthes or other honeypots • Communication – Whitestar list, DA, NSP-SEC, Shadowserver, etc • Analysis – Sandboxing (Norman dominates) • Tracking – Shadowserver, some private tracking arbornetworks.com Page 17 Company Confidential

  18. Where the Botherders Are • Source code is widely available – GPL licensed, using CVS! – GUI-based configuration, no coding skills needed – Bug fixing • Compare SpyBot in 2004 and 2006 • Lots of little bugs fixed: string bounds checks, etc • Multiple types of bots – SpyBot, SDBot, Reptile, Agobot, Rbot, RxBot, Kaiten, etc … – Lots of overlapping capabilities, not all support DDoS – Which codebase you use depends on your intentions • Proliferation of spyware, adware provides money arbornetworks.com Page 18 Company Confidential

  19. Where the Botherders Aren’t • IRC – Too many snoops on IRC – Too easy to break into – Lots its “elite” factor some time ago – Growing number of HTTP, IM, and other bots • Web Forums (eg Ryan 1918) – They know these are monitored arbornetworks.com Page 19 Company Confidential

  20. We’ve Peaked! • This combination reached its peak in early 2006 • Good guys – Lots of basic RE analysts – Armed with tools like sandboxes – Lots of collection networks (ie Nepenthes) – Rapidly caught, analyzed, and tracked botnets • Bad guys – Explosion in bots and botnets launched – Only a few botnet groups were actively thwarting attacks – HTTP and P2P bots were not very popular yet (still IRC heavy) – Lots of botnets were very visible • This confluence meant we peaked arbornetworks.com Page 20 Company Confidential

  21. The Revolt by Botnet Operators • More and more bots are defeating the basic techniques • Sandboxes are being defeated – Increased use of debugger checks – Delays in revealing useful information – Poisoning data – Inject fake bots to detect people who mine Norman for data • Honeypots and honeynets – Detected or ignored • IRC tools – Fingerprinted and blocked, or simply ignored • It’s all downhill from here! arbornetworks.com Page 21 Company Confidential

  22. The Botnet Herder Ability Curve Write their own Can barely use IRC communication protocols DDoS as a pissing Thwart or slow RE match analysts High impact, high Lured by adware profile DDoS dollars Very well groomed botnets Limits of current efficient reaction arbornetworks.com Page 22 Company Confidential

  23. Non-Technical Challenges • Acting on the data – Takedown, blackhole, etc – Becoming facilitated with commercial solutions • Speed - getting usable data quickly – Trustworthiness of the data is key • Reaction – This is a reactive cycle – Need proactive mechanisms arbornetworks.com Page 23 Company Confidential

  24. Getting Botnets Taken Down • Getting the information in the right hands – Thousands of botnets a week, only so much operators can do – Cannot blindly block • Focus is on active, high profile DDoS networks • Coordination is a pain in the neck – DNS registrar – DNS server network(s) – C&C host network(s) • Botnet operators can easily stay a few steps ahead • Complement is egress filtering for victims arbornetworks.com Page 24 Company Confidential

  25. Technical Challenges • Encrypted communications channels • Defeating rapid analysis techniques • New or custom command languages – HTTP, peer to peer arbornetworks.com Page 25 Company Confidential

  26. Encrypted Channels • Encryption – Windows “Somelender” bots - homegrown Caesar cipher (66.186.35.22:8080) :ckodg!j@tyrant PRIVMSG ## :=GoU6jyt7xCuvfRamp+NOAeNFFF/q/h9EHT/H6DV5fxcD7RoX9Pt5a/o2AST9N+j4Y4jf (66.186.35.22:8080) :ckodg!j@tyrant PRIVMSG ## :=rvyJWDmfvujXJ4XDKp5 (66.186.35.22:8080) :ckodg!j@tyrant PRIVMSG ## :=+rhlS+/trmwFfUNtERLa Decrypts to: (66.186.35.22:8080) :ckodg!j@tyrant PRIVMSG ## :40% ddos tcp 65.77.140.140 6667 900 -s -f -i -2 (66.186.35.22:8080) :ckodg!j@tyrant PRIVMSG ## :* kill dos (66.186.35.22:8080) :ckodg!j@tyrant PRIVMSG ## :* kill ddos arbornetworks.com Page 26 Company Confidential

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Phoenix: DGA-based Botnet Tracking and Intelligence DIMVA 2014 July 11, 2014 Royal Holloway,

Phoenix: DGA-based Botnet Tracking and Intelligence DIMVA 2014 July 11, 2014 Royal Holloway,

Phoenix: DGA-based Botnet Tracking and Intelligence DIMVA 2014 July 11, 2014 Royal Holloway, University of London, UK Stefano Schiavoni Politecnico di Milano, Italy and Google, UK @sschiav, sschiavoni@google.com Federico Maggi ,

1.39k views • 60 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&C) Dynamic Graph Model Botnet

195 views • 18 slides
Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Introduction Advantages Skype Supernodes Botnet Our Model Features Communication protocol Experiments Limitations Countermeasures Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa - Universit`

483 views • 16 slides
Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot a software application that runs automated tasks over the Internet Botnet a collection of Internet-connected programs communicating with other

659 views • 39 slides
Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1 Alice has developed a new botnet detector!!! What should the evaluation show? Alice's

767 views • 42 slides
Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Motivation/Overview Taxonomy Detection Response Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu Georgia Institute of Technology College of Computing OARC Workshop, 2005 David Dagon Botnet

675 views • 45 slides
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&C

379 views • 27 slides
Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von Mobilfunk-Botnetzen im Hinblick auf DoS-Angriffe)

311 views • 20 slides
Tracking by learning Arnold W.M. Smeulders Tracking Online tracking is to determine the location

Tracking by learning Arnold W.M. Smeulders Tracking Online tracking is to determine the location

Tracking by learning Arnold W.M. Smeulders Tracking Online tracking is to determine the location of one target in video starting from a bounding box in the first frame. When conceived as an instant learning problem, the task is to discriminate

651 views • 39 slides
Working Group 7: Botnet Remediation March 22, 2012 Michael OReirdan (MAAWG) Chair Peter

Working Group 7: Botnet Remediation March 22, 2012 Michael OReirdan (MAAWG) Chair Peter

Working Group 7: Botnet Remediation March 22, 2012 Michael OReirdan (MAAWG) Chair Peter Fonash (DHS) Vice Chair WG 7 Objectives Working Group 7 Botnet Remediation Description: This Working Group will review the efforts

126 views • 9 slides
zwick@sysc.pdx.edu http://www.sysc.pdx.edu/Faculty/Zwick ABSTRACT VARIABLE-BASED

zwick@sysc.pdx.edu http://www.sysc.pdx.edu/Faculty/Zwick ABSTRACT VARIABLE-BASED

COMPLEXITY REDUCTION IN STATE-BASED MODELING Martin Zwick Systems Science Ph.D. Program, Portland State University, OR zwick@sysc.pdx.edu http://www.sysc.pdx.edu/Faculty/Zwick ABSTRACT VARIABLE-BASED RECONSTRUCTABILITY ANALYSIS Variables

285 views • 17 slides
Going Native Getting your content discovered What is NATIVE Advertising? With many different

Going Native Getting your content discovered What is NATIVE Advertising? With many different

Going Native Getting your content discovered What is NATIVE Advertising? With many different definitions in the industry this is still a Native advertising is a form of fuzzy concept but Zane Furtado, Acquire Online Programmatic advertising

750 views • 15 slides
Automated Vehicles Yuko Sano Director for Intelligent Transport Systems, Commissioner Generals

Automated Vehicles Yuko Sano Director for Intelligent Transport Systems, Commissioner Generals

Governance of the Safety of Automated Vehicles Guidelines for Testing of Automated Vehicles Yuko Sano Director for Intelligent Transport Systems, Commissioner Generals Secretariat, National Police Agency, Japan Introduction 1. Current

650 views • 12 slides
Agenda Item 5 Agenda Item 5 Attachment MEDIA TERMS Term Description The number of people who

Agenda Item 5 Agenda Item 5 Attachment MEDIA TERMS Term Description The number of people who

Agenda Item 5 Agenda Item 5 Attachment MEDIA TERMS Term Description The number of people who saw your ads at least once. Reach is different Reach from impressions, which may include multiple views of your ads by the same people. The number

176 views • 14 slides
KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing

7/17/2020 KACo Cybersecurity Training KACo Cybersecurity Training Cybersecurity Threats Phishing Attacks Malware/Ransomware Hacking Imposter Scams 1 7/17/2020 KACo Cybersecurity Training BEWARE OF Phishing Phishing attacks

248 views • 6 slides
Luminous: Bringing Big(ger) Data to the Fight Norm Ritchie Drew Bagley ICANN Helsinki June,

Luminous: Bringing Big(ger) Data to the Fight Norm Ritchie Drew Bagley ICANN Helsinki June,

Luminous: Bringing Big(ger) Data to the Fight Norm Ritchie Drew Bagley ICANN Helsinki June, 2016 Secure Domain Foundation Non-profit Founded in 2014 Proactive mitigation of malicious domains used for cybercrime A clearinghouse

198 views • 18 slides
CYBER CYBER-SAFETY CYBER CYBER SAFETY SAFETY SAFETY BASICS BASICS Engineering Staff College

CYBER CYBER-SAFETY CYBER CYBER SAFETY SAFETY SAFETY BASICS BASICS Engineering Staff College

3/29/2012 CYBER CYBER-SAFETY CYBER CYBER SAFETY SAFETY SAFETY BASICS BASICS Engineering Staff College of India I N T R O D U C T I O N What is Cyber-safety Consequences Threats of Inaction Cyber-safety? Cyber-safety Cyber-safety at

215 views • 7 slides
INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC

Leading a Secured Digital Life. INFORMATION SECURITY AWARENESS Information Security Education & Awareness Team C-DAC Hyderabad keeping yourself and your family safe in a tech driven world Free No : 1 1800 0 425 6 6235 Toll F

264 views • 24 slides

More recommend