botnets collective defense and project mars
play

Botnets, Collective Defense, and Project MARS Jeff Williams - PowerPoint PPT Presentation

Nov 07, 2022 •154 likes •468 views

Botnets, Collective Defense, and Project MARS Jeff Williams Principal Group Program Manager Microsoft Malware Protection Center The Basics A Picture of Health? Location 1Q2010 2Q10 3Q10 4Q10 Delta 4.2% United States 11,025,811

  1. Botnets, Collective Defense, and Project MARS Jeff Williams Principal Group Program Manager Microsoft Malware Protection Center

  2. The Basics

  3. A Picture of Health? Location 1Q2010 2Q10 3Q10 4Q10 Delta 4.2% ▲ United States 11,025,811 9,609,215 11,340,751 11,817,437 1 -2.1% ▼ 2 Brazil 2,026,578 2,354,709 2,985,999 2,922,695 -8.6% ▼ 3 China 2,168,810 1,943,154 2,059,052 1,882,460 12.1% ▲ 4 France 1,943,841 1,510,857 1,601,786 1,794,953 18.9% ▲ 5 United Kingdom 1,490,594 1,285,570 1,563,102 1,857,905 -3.9% ▼ 6 Spain 1,358,584 1,348,683 1,588,712 1,526,491 56.8% ▲ 7 Korea 962,624 1,015,173 1,070,163 1,678,368

  4. Case Study: Botnets

  5. The Maturity of Response Over Time • Some historic examples – Blaster – Slammer – Zotob – WinFixer – Cutwail – Intercage & McColo de-peerings – Mariposa • More Recent Examples – Bredolab – Waledac – Rustock – AFCore

  6. 10,000 20,000 30,000 40,000 50,000 60,000 70,000 80,000 0 January March May 2005 July September November Early Examples: Blaster January March May 2006 July September November January March MSBlast Detections May 2007 July September November January March May 2008 July September November January March May 2009 July September November January March May 2010 July September November January 2011 March May

  7. Early Examples (con’t) • Slammer – Vuln patched in July 2002 – Cross product vulnerability (SQL, MSDE) – Unthrottled (impacting response) – ISPs • Zotob – actor attribution – foreign laws

  8. Detections 100000 150000 200000 250000 300000 50000 0 Early Examples: WinFixer 2009 January 2009 February 2009 March 2009 April 2009 May 2009 June 2009 July 2009 August 2009 September 2009 October 2009 November 2009 December Detections WinFixer 2010 January 2010 February 2010 March 2010 April 2010 May 2010 June 2010 July 2010 August 2010 September 2010 October 2010 November 2010 December 2011 January 2011 February 2011 March 2011 April 2011 May Total

  9. De-Peering Security Fix Data • Atrivo/Intercage – Dropped offline – Re-peered – Dropped again • McColo de-peering SpamCop Data – Followed Intercage – 75% drop in spam – Srizbi connection – Rustock connection – Re-peered in 4 days

  10. Cutwail Data from Symantec Hosted Services

  11. Mariposa • Mariposa – Industry partnership with LE and Academia – Hoster participation in the investigation – Multiple arrests – C&C reactivation within 60 days Data from Trend Micro

  12. Feels quite a lot like this…

  13. Plays Well With Others • Operation Bot Roast – Industry/LE partnerships – Broad scale actor attribution – Prosecutions of Soloway, Brewer, Ancheta, Downey, Walker and Goldstein • Operation Bot Roast II – Additional indictments on DDoS, Fraud, Wiretap* and other charges – Discovery exposes $20+ million in economic losses

  14. Better Together

  15. Waledac- Operation b49

  16. Bredolab

  17. Rustock- Operation b107

  18. Afcore

  19. Defenses Against Cyber Threat OFFENSE IMPACT INDIVIDUAL COLLECTIVE ACTIVE DEFENSE DEFENSE DEFENSE ACTION

  20. Internet Health Model: Observing Symptoms USER INITIATES ACCESS INTERNET Financial Institute Notify ASSESS & REMEDY Firewall Security Anti-Malware On Updates

  21. Internet Health Model: Promoting Wellness USER INITIATES ACCESS INTERNET Financial Institute ASSESS & REMEDY Firewall Security Anti-Malware On Updates

  22. Building a Collective Defense The International Telecommunications Union’s Botnet Mitigation Tool Kit Japan’s Cyber Clean Center France’s Signal Spam Germany’s Anti-Botnet Advisory Center Microsoft Active Response for Security

  23. Helping our Common Customers Operation b49 Feb 2010 Operation b107 March 2011 Target: Waledac Target: Rustock Cleanup Goal: Build relationships Cleanup Goal: Disinfect systems and processes to reach customers before attackers regain control Enhancements: ISP Results ISP Reduction Expanded Partners • 1 97% • Removal Tools 2 96% 3 93% • Updated support site 4 78% 5 82% 6 66% Status Status ~22,000 infected IPs remaining 1.2m Unique IP addresses observed in ~70% reduction world wide first 7 days following the takedown

  24. ISP Based Remediation Efforts Vision: Improve and maintain the health of endpoints connected to the network to create confident customers and grow the information society. Reactive Preventative Observing Symptoms of Illness Demonstrating Health of Device D Service Provider gates access based on health of device Device C Level of Visibility Service Provider notifies user based on health of device. B Service Provider IP Address notifies user of compromise A Additional Factors: ISP notifies user of • Health Requirements • Opt-in vs. Mandatory compromise • Notify vs. Enforce • Type of Notification

  25. Rustock Progress Remediation phase Additional investigation • Directed engagement with ISPs and • Forensic analysis of C&C hard drives CERTs • Involved parties identified • Delivery of Tools – Hoster • Ongoing delivery of IP Data & Webmoney • Timestamps for infected systems • Notification • Legal agreements allowing for redistribution of the Microsoft Safety Additional collateral Scanner in a walled garden ISP Reduction Country Reduction 1 69% 1 81% 2 56% 2 69% 3 51% 3 68% 4 49% 4 67% 5 49% 5 66% 6 45% 6 64% 7 34% 7 56% 8 32% 8 54% 9 32% 9 54% 10 31% 10 53%

  26. We’re Not Done Yet…

  27. Call to Action • Solve hard problems in customer notification and remediation – Scam proof communications – Reliable cleaning tools • Create next generation collective defenses – Device health technologies to prevent infections – Definition and measurement of healthy devices • Share intelligence about infected nodes within an ASN with the ASN owner – Provide tools for remediation. • Leverage SNDS

  28. Whack-a-Mole 2.0

  29. One more thing…

  30. Resources http://support.microsoft.com/botnets http://www.microsoft.com/security/scanner/en-gb/default.aspx http://www.microsoft.com/av http://blogs.technet.com/mmpc http://www.microsoft.com/sir http://blogs.technet.com/ecostrat http://postmaster.live.com/snds

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

PHOENIX & CERBERUS We haz botnets! #Honeynet2014 Stefano Schiavoni, Edoardo Colombo Federico Maggi Lorenzo Cavallaro Stefano Zanero Politecnico Di Milano & Royal Hollway, University of London NECST laboratory BOTNETS FUNDING ETC.

1.28k views • 107 slides
Collective Views of the NSA/CSS Cyber Defense Exercise on Curricula and Learning Objectives

Collective Views of the NSA/CSS Cyber Defense Exercise on Curricula and Learning Objectives

Collective Views of the CDX Collective Views of the NSA/CSS Cyber Defense Exercise on Curricula and Learning Objectives William J. Adams Efstratios L. Gavas Tim Lacey . Leblanc Sylvain P United States Military Academy

445 views • 20 slides
Collective Decision-Making with Goals Arianna Novaro PhD Thesis Defense 12 th of November 2019

Collective Decision-Making with Goals Arianna Novaro PhD Thesis Defense 12 th of November 2019

Collective Decision-Making with Goals Arianna Novaro PhD Thesis Defense 12 th of November 2019 Supervised by Umberto Grandi Dominique Longin Emiliano Lorini Collective Decision-Making with Goals PhD Defense The Research (Fields) Behind the

565 views • 30 slides
BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr hrea eats ts of inte of intern rnet et Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets?

722 views • 35 slides
Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic Giroire Nina Taft Eve Schooler Mascotte project I3S (CNRS, Univ. of Nice) Intel Labs INRIA Sophia Antipolis Botnets: Why care? Botnet

888 views • 46 slides
Part 1: Observation of Mars Size of Mars Mars is too small to see as anything other than a

Part 1: Observation of Mars Size of Mars Mars is too small to see as anything other than a

Part 1: Observation of Mars Size of Mars Mars is too small to see as anything other than a point with the naked eye. Even at its largest, it is too small to resolve as a disk. This image shows the full Moon next to an image of Mars scaled

355 views • 24 slides
Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive analysis Study spam e-mail, DNS queries by bot-infected machines, DNS blacklists, analyze network traffic, etc. Infiltration Todays

686 views • 15 slides
MARS detector technology and the SOLiD experiment A. Vacheret, A. Weber, Y. Shitov, P . Scovell

MARS detector technology and the SOLiD experiment A. Vacheret, A. Weber, Y. Shitov, P . Scovell

MARS detector technology and the SOLiD experiment A. Vacheret, A. Weber, Y. Shitov, P . Scovell University of Oxford Talk overview Introduction to the MARS technology MARS neutron portal project MARS antineutrino detector system

629 views • 34 slides
MARS DOES MARS HAVE MOONS? Mars Moons Phobos and Deimos THE DISCOVERY OF MARS MOONS

MARS DOES MARS HAVE MOONS? Mars Moons Phobos and Deimos THE DISCOVERY OF MARS MOONS

MARS DOES MARS HAVE MOONS? Mars Moons Phobos and Deimos THE DISCOVERY OF MARS MOONS Discovered by American astronomer Asaph Hall First found Deimos August 12 th 1877 then Phobos August 18 th 1877 GREEK NAMES Named after

363 views • 19 slides
BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines (bots) under unified control of an attacker (botmaster) Method of compromise decoupled from method of control Launch a worm/virus, etc.:

790 views • 16 slides
Designing Robot Collectives by Kirstin Petersen July 2017 Collective Embodied Intelligence Lab

Designing Robot Collectives by Kirstin Petersen July 2017 Collective Embodied Intelligence Lab

Designing Robot Collectives by Kirstin Petersen July 2017 Collective Embodied Intelligence Lab Collective Embodied Motivatio ion Intelligence Lab Distance to Mars: 34-250M miles Jan anuary 200 2004 Travel time: 39-289 days Cost: $1B

543 views • 22 slides
ARCHITECTURES I. Mars Exploration II. Science Emphasis for the Moon and Mars III. The Moon to

ARCHITECTURES I. Mars Exploration II. Science Emphasis for the Moon and Mars III. The Moon to

ARCHITECTURES I. Mars Exploration II. Science Emphasis for the Moon and Mars III. The Moon to Stay and Mars Exploration IV. Space Resource Utilization RECOMMENDATIONS 1. Long range strategic plan 2. National Program Office 3. NASA

320 views • 30 slides
Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex

Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex

MARS Distinguisher and Subkey Recovery Recovery of the secret key Attack Analysis Conclusion Mars Attacks! Revisited. Differential Attack 12 Rounds of the MARS Core and Defeating the Complex MARS Key Schedule INDOCRYPT11 Michael Gorski,

1.16k views • 48 slides
Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

Studying Spamming Botnets Using BotLab Arvind Krishnamurthy Joint work with: John John, Alex Moshchuk, Steve Gribble University of Washington Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

291 views • 15 slides
Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats threats of of interne internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot

379 views • 27 slides
The Future of Mars Exploration Dr. Anita Sengupta Research Professor, University of Southern

The Future of Mars Exploration Dr. Anita Sengupta Research Professor, University of Southern

The Future of Mars Exploration Dr. Anita Sengupta Research Professor, University of Southern California How do we land on Mars? Why Are We so Interested In Mars? Parameter Mars Earth Distance (AU) 1.4 1 The Terrestrial Planets Look Very

492 views • 47 slides
An analysis of Social Network-based Sybil defenses Bimal Viswanath Ansley Post Krishna

An analysis of Social Network-based Sybil defenses Bimal Viswanath Ansley Post Krishna

An analysis of Social Network-based Sybil defenses Bimal Viswanath Ansley Post Krishna Gummadi Alan Mislove MPI-SWS Northeastern University SIGCOMM 2010 1 Sybil attack Fundamental problem in distributed systems Attacker

519 views • 40 slides
SoK: The Evolution of Sybil Defense via Social Networks Alessandro Epasto 1 joint work with L.

SoK: The Evolution of Sybil Defense via Social Networks Alessandro Epasto 1 joint work with L.

IEEE Symposium on Security & Privacy SAN FRANCISCO 21 ST MAY 2013 SoK: The Evolution of Sybil Defense via Social Networks Alessandro Epasto 1 joint work with L. Alvisi 2 , A. Clement 3 , S. Lattanzi 4 , A. Panconesi 1 Sapienza U.

855 views • 41 slides
Forwarding-Loop Attacks in Content Delivery Networks Jianjun Chen , Jian Jiang, Xiaofeng Zheng,

Forwarding-Loop Attacks in Content Delivery Networks Jianjun Chen , Jian Jiang, Xiaofeng Zheng,

Forwarding-Loop Attacks in Content Delivery Networks Jianjun Chen , Jian Jiang, Xiaofeng Zheng, Haixin Duan, Jinjin Liang, Kang Li, Tao Wan, Vern Paxson 1 Content Delivery Networks CDN is now an important Internet infrastructure, it is a

381 views • 22 slides
Jonathan Sacks Executive Director Wayne County Criminal Advocacy Program September 2015

Jonathan Sacks Executive Director Wayne County Criminal Advocacy Program September 2015

Jonathan Sacks Executive Director Wayne County Criminal Advocacy Program September 2015 Background Counties Studied: Alpena, Bay, Chippewa, Grand Traverse, Jackson, Marquette, Oakland, Ottawa, Shiawassee and Wayne In the year-long study of

406 views • 40 slides
Network #5: Denial of Service and Firewalls (Most Slides stolen from Dave Wagner) 1

Network #5: Denial of Service and Firewalls (Most Slides stolen from Dave Wagner) 1

Computer Science 161 Fall 2016 Popa and Weaver Network #5: Denial of Service and Firewalls (Most Slides stolen from Dave Wagner) 1 Theme of This Lecture: Why Twitter & Reddit Sucked Last Week Computer Science 161 Fall 2016

597 views • 46 slides
ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner

ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner

ROP is S(ll Dangerous: Breaking Modern Defenses David Wagner Nicholas Carlini Return Oriented Programming Basic ROP Mo(va(ons DEP Data

712 views • 11 slides
CSCI 8260 Spring 2016 Computer Network Attacks and Defenses Syllabus Prof. Roberto Perdisci

CSCI 8260 Spring 2016 Computer Network Attacks and Defenses Syllabus Prof. Roberto Perdisci

CSCI 8260 Spring 2016 Computer Network Attacks and Defenses Syllabus Prof. Roberto Perdisci perdisci@cs.uga.edu Who is this course for? l Open to graduate students only l Students who complete this course successfully will receive

492 views • 20 slides
Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc

Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc

Website Fingerprinting Defenses at the Application Layer Giovanni Cherubin 1 Jamie Hayes 2 Marc Juarez 3 1 Royal Holloway University of London 2 University College London 3 imec-COSIC KU Leuven 19th July 2017, PETS17, Minneapolis, MN, USA

735 views • 17 slides

More recommend