botnets
play

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot - PowerPoint PPT Presentation

Dec 26, 2022 •406 likes •1k views

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

  1. Botnets Leonidas Stylianou CS 682 23/04/2020

  2. Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet .

  3. Coordination of f bots with C&C server Bots query the C&C servers using Fast Flux Domain flux their IP address and DNS name. Bots query a certain domain that is Bots query multiple domains that Not flexible and robust to take- mapped onto a set of IP addresses are mapped onto a set of IP down actions. that change frequently. addresses that change frequently. Constitutes a single point of failure Taking down the C&C server is because it uses only a single harder because they relocate their domain. domain name.

  4. Usage of f botnets Send spam mails Launch DoS attacks Steal personal data

  5. Your Botnet is My Botnet: Analysis of a Botnet Takeover

  6. Overview A comprehensive analysis of the operations of the Torpig botnet. The count of distinct IPs that contacted the sinkholed C&C overestimates the size of the botnet. The victims of botnets are often users with poorly maintained machines.

  7. What is Torpig? Distributed to its victims as part of the Mebroot rootkit. Steals sensitive information from the victim’s host and relays it back to its controllers. Malware service accessible to third parties.

  8. Distribution of f Mebroot Victim requests The victim’s browser legitimate web site request JavaScript code where an attacker from the drive-by- injected http code. download server. If the exploit is JavaScript code successful, the executes multiple Mebroot rootkit is exploits against the downloaded from the browser and some of server and executed. tis components.

  9. Mebroot life cycle Overwrites the MBR and is always executed at boot time. Provides a generic platform that other modules can leverage to perform their malicious actions. Contacts the Mebroot C&C server to obtain malicious modules.

  10. Torpig Capabilities Trojan that is injected into a number of applications. Inspects all the data handled by these programmes. System Instant Web Email clients FTP clients programmes messengers browsers

  11. Communication in the Torpig Botnet Uploads the stolen data 1 since the previous reporting time to the Torpig C&C server over HTTP. (1) 2 Acknowledges the new data with “ okn ” response. (2)

  12. Communication in the Torpig Botnet Sends a configuration file to the bot with “ okc ” response. 2 How often the bot should contact the C&C server, hard-coded servers and parameters to perform MiTB phishing attacks.

  13. Man in the Browser attacks with Torpig bot Generation of phishing sites Man in the Browser attack Infected machine visits one of the Victim visits the trigger page. domains in the configuration file (bank site). Torpig requests the injection URL from the injection server and injects the returned content into the user’s browser Torpig issues a request to an injection server. Injected content reproduces the style of the target web site and the address bar displays a pad lock. The injection server’s response specifies the trigger page, the Asks the user for sensitive information and injection URL, and a number of steals personal information. parameters.

  14. Coordination in Torpig Botnet: Domain Flux Each bot uses a domain Attempts to contact the C&C generation algorithm to compute server with a name in the domain a list of domain names. list in order until one succeeds.

  15. Torpigs’s Domain Generation Algorithm Step 1 • Seeded with the current date and a numerical parameter. Step 2(a) • Computes a “weekly” domain name that depends on the current week and year. • Attempts to resolve dw.(com,net,biz) and contacts the C&C server. Step 2(b) • Computes a “daily” domain that depends on the current day. • Attempts to resolve dd.(com,net,biz) and contacts the C&C server. Step 2(c) • Attempts to resolve domains that are hardcoded in the configuration file and contact the C&C server

  16. Coordination in Torpig Botnet: Domain Flux and resilience Control at least one of the domains that will be contacted by the bots. Use measures to prevent other groups from seizing domains that will be contacted by bots.

  17. Arms Race between botmasters and defenders B : The domain D : Reverse generation engineering the algorithm of the botnet protocol bots is modified could be time frequently. consuming. D : Economic factor is the B :Force defenders biggest challenge to register a because domain disproportionate names are not number of names. cheap.

  18. Taking control of f the Torpig botnet: Sinkholing Preparation Purchased two Registered them to Obtain control of the domains (.com and two different Torpig botnet for ten .net) that were to be registrars. days. used by the botnet. Set up Apache web During their control server to receive log of botnet, 8.7 GB of bot requests and Apache log files and recorded all network 69 GB of pcap data traffic. have been collected.

  19. Taking control of f the botnet: Data Collection Principles Operated the C&C servers based on established legal and ethical principles. Collecting enough Operated such that Worked with law information to enable any damage to victims enforcement remediation of was minimized. agencies. affected parties.

  20. Botnet Analysis: Data Collection and Format Submission header is encrypted with Torpig’s encryption algorithm. URL’s request contains the hexadecimal representation of the bot identifier and submission header. Bot identifier is used as the symmetric key. Bots communicate with the Torpig C&C through HTTP POST requests. Consists of data items based on the information that was stolen. Body’s request contains the data stolen from the victim’s machine. Body is encrypted with Torpig’s encryption algorithm.

  21. Botnet Analysis: Data Collection and Format Submission Header Example ts : time stamp when the configuration file was updated. bld and ver : build and ip : IP address of the version number of bot. Torpig. hport and spor t: port numbers of the HTTP nid : bot identifier. and SOCKS proxies that Torpig opens on the infected machine. os and cn : operating system version and locale.

  22. Botnet Analysis: Data Collection and Format Data items sent to sinkholed botnet in Data Items 10 days Mailbox account : configuration information for email accounts. Email: email Windows password addresses. SMTP: source and Form data: content destination of HTML forms addresses of submitted by the emails. victim’s browser. HTTP, FTP, POP: credentials of the accounts respectively.

  23. Botnet Size: Definitions Indicates the aggregated total Botnet’s footprint number of machines that have been compromised over time. Botnet Size Indicates the number of compromised hosts that are Botnet’s live population concurrently communicating with the C&C server.

  24. Botnet’s Footprint : : Counting Bots by “nid” field Description Evaluation • Torpig always sends the “ nid” 2079 cases have been found were the assumption field in the submission header. did not hold. • Depends on software or hardware characteristics of the 180 835 “nid” values have infected machine’s hard disk. been observed in 10 days. • Attempted to validate whether the “ nid ” is unique for each bot. Underestimates the botnet’s footprint.

  25. Botnet Footprint: : Counting Bots by Submission Header Fields Description Evaluation • Count unique tuples from the submission header that Torpig bot send. Botnet’s footprint have • “Nid, os, cn, bld and ver” fields been estimated to 182 have been considered whilst “ts, ip, sport and hport” have been 914 machines. discarded.

  26. Botnet’s Footprint: Identifying probers and researchers Description Evaluation • “Nid” values generated on a standard configuration of the VMware and QEMU virtual machines are discarded. 40 bots have Final estimate been running 74 hosts have of botnet’s • Bots that use the GET HTTP on virtual been probers. footprint is machines 182 800 hosts . method are not considered.

  27. Botnet’s live population: Botnet Size Vs IP Count Botnet Size IP Count • 182 800 bots have contacted the C&C • 1 247 642 unique IP addresses server. contacted the C&C server. • Overestimates the actual size of the botnet’s footprint.

  28. Botnet’s live population: Botnet Size Vs IP Count Per hour Per day • Number of unique IP addresses • Number of unique IP addresses and bot IDs per hour provides a and bot IDs per day does not good estimation of the botnet’s provide a good estimation of the live population. botnet’s live population.

  29. Botnet Size vs IP IP Count: Observations Number of unique IPs per hour provides a good estimation of the botnet’s live population 144,236 (78.9%) of the infected machines were behind a NAT, VPN, proxy, or firewall. Difference between IP count and actual bot count can be attributed to DHCP and NAT effects.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr hrea eats ts of inte of intern rnet et Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets?

722 views • 35 slides
Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive analysis Study spam e-mail, DNS queries by bot-infected machines, DNS blacklists, analyze network traffic, etc. Infiltration Todays

686 views • 15 slides
NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

PHOENIX & CERBERUS We haz botnets! #Honeynet2014 Stefano Schiavoni, Edoardo Colombo Federico Maggi Lorenzo Cavallaro Stefano Zanero Politecnico Di Milano & Royal Hollway, University of London NECST laboratory BOTNETS FUNDING ETC.

1.28k views • 107 slides
BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines (bots) under unified control of an attacker (botmaster) Method of compromise decoupled from method of control Launch a worm/virus, etc.:

790 views • 16 slides
Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic Giroire Nina Taft Eve Schooler Mascotte project I3S (CNRS, Univ. of Nice) Intel Labs INRIA Sophia Antipolis Botnets: Why care? Botnet

888 views • 46 slides
Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

Studying Spamming Botnets Using BotLab Arvind Krishnamurthy Joint work with: John John, Alex Moshchuk, Steve Gribble University of Washington Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

291 views • 15 slides
Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats threats of of interne internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot

379 views • 27 slides
Botnets Secret Puppetry With Computers Balaji Prasad T.K ( bpt@email.arizona.edu ) Nupur

Botnets Secret Puppetry With Computers Balaji Prasad T.K ( bpt@email.arizona.edu ) Nupur

Botnets Secret Puppetry With Computers Balaji Prasad T.K ( bpt@email.arizona.edu ) Nupur Maheshwari ( nupurm@email.arizona.edu ) Department of Computer Science University of Arizona April 22, 2012 What are Botnets? 1 Technical Overview 2

895 views • 37 slides
Spamming Botnets: Signatures and Characteris5cs Xie et al.

Spamming Botnets: Signatures and Characteris5cs Xie et al.

Spamming Botnets: Signatures and Characteris5cs Xie et al. Presented by Kyle Mar5n <kyle.mar5n@knights.ucf.edu> The Problems Botnets The Problems

823 views • 36 slides
Botnets Some slides taken from David Choffnes, Northeastern

Botnets Some slides taken from David Choffnes, Northeastern

Botnets Some slides taken from David Choffnes, Northeastern https://www.justice.gov/usao-cdca/pr/justice-department- announces-court-authorized-efforts-map-and-disrupt-botnet- used-north

707 views • 32 slides
Effective features for detecting Effective features for detecting IRC botnets IRC botnets

Effective features for detecting Effective features for detecting IRC botnets IRC botnets

Effective features for detecting Effective features for detecting IRC botnets IRC botnets Claudio Mazzariello, Carlo Sansone Carlo Sansone Claudio Mazzariello, Dipartimento di Informatica e Sistemistica Dipartimento di Informatica e

614 views • 19 slides
Botnets A collection of compromised machines Under control of a single person Organized

Botnets A collection of compromised machines Under control of a single person Organized

Botnets A collection of compromised machines Under control of a single person Organized using distributed system techniques Used to perform various forms of attacks Usually those requiring lots of power Lecture 12 Page 1 CS

753 views • 16 slides
Malware: Viruses, Worms, Rootkits, Botnets Spring 2015

Malware: Viruses, Worms, Rootkits, Botnets Spring 2015

CSE 484 / CSE M 584: Computer Security and Privacy Malware: Viruses, Worms, Rootkits, Botnets Spring 2015 Franziska (Franzi) Roesner

403 views • 37 slides
AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot)

AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot)

Table of Contents AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot) Architecture Paul Barford and Vinod Yagneswaran Remote Control Mechanisms Host Control Propagation Exploits and

158 views • 4 slides
Worms, Botnets and The Underground Economy CS 161 - Computer Security Profs. Vern Paxson &

Worms, Botnets and The Underground Economy CS 161 - Computer Security Profs. Vern Paxson &

Worms, Botnets and The Underground Economy CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ April 16,

445 views • 19 slides
Presentation: Scalable Detection of Botnets Based on DGA Presentation June 2019 DOI:

Presentation: Scalable Detection of Botnets Based on DGA Presentation June 2019 DOI:

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/333652427 Presentation: Scalable Detection of Botnets Based on DGA Presentation June 2019 DOI: 10.13140/RG.2.2.24134.32322 CITATIONS

561 views • 20 slides
SIP Operation in the Public Internet An Update on What Makes Running SIP a Challenge and What it

SIP Operation in the Public Internet An Update on What Makes Running SIP a Challenge and What it

SIP Operation in the Public Internet An Update on What Makes Running SIP a Challenge and What it Takes To Deal With It Jiri Kuthan, iptel.org sip:jiri@iptel.org Outline Status update: where iptel.orgs operational experience comes from

579 views • 25 slides
Faint Object Spectrograph Flat Fielding Charles D. (Tony) Keyes 1 I. Introduction The FOS flat

Faint Object Spectrograph Flat Fielding Charles D. (Tony) Keyes 1 I. Introduction The FOS flat

Faint Object Spectrograph Flat Fielding Charles D. (Tony) Keyes 1 I. Introduction The FOS flat field calibration continues to follow the philosophy outlined in the SV- epoch report (Anderson, 1992). The calibration is intended to account for

229 views • 6 slides
1 Agenda Background Information Multi-Channel vs. Omni-Channal Communiction Surveys

1 Agenda Background Information Multi-Channel vs. Omni-Channal Communiction Surveys

User Support 2.0 New Communication Channels in the IT-ServiceDesk at RWTH Aachen University Sarah Grzemski M.A. IT Center RWTH Aachen University 1 Agenda Background Information Multi-Channel vs. Omni-Channal Communiction

420 views • 21 slides
Graphical Convolution In Java by Erik S. Wheeler EE 4012 -- Senior Design Project Department of

Graphical Convolution In Java by Erik S. Wheeler EE 4012 -- Senior Design Project Department of

DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING Graphical Convolution In Java by Erik S. Wheeler EE 4012 -- Senior Design Project Department of Electrical and Computer Engineering Mississippi State University wheeler@ISIP .MsState.Edu

587 views • 13 slides
H3C S3600 Series Switches Agenda Market Trends S3600 Overview S3600 Key Features V1. V1.5 New

H3C S3600 Series Switches Agenda Market Trends S3600 Overview S3600 Key Features V1. V1.5 New

H3C S3600 Series Switches Agenda Market Trends S3600 Overview S3600 Key Features V1. V1.5 New New Feat Feature IRF IRF RPS10 S1000 00-A Featu ature S re Summar mary End-to-End Intelligent Solution Summary www.h3c.com.cn 2

502 views • 48 slides
Developing Secure Applications for IBM i Introductions Design and Documentation

Developing Secure Applications for IBM i Introductions Design and Documentation

Developing Secure Applications for IBM i Introductions Design and Documentation Application Ownership and Authority A Simple Security Model Integrity Considerations Resources for Security Officers Questions & Answers

1.06k views • 93 slides
Wha hat t are the e the cha hanges? nges? Presented by: Dineo Mphahlele Executive Manager:

Wha hat t are the e the cha hanges? nges? Presented by: Dineo Mphahlele Executive Manager:

FIC Amendment Act Wha hat t are the e the cha hanges? nges? Presented by: Dineo Mphahlele Executive Manager: Inspectorate FIC Amendment Act 1. Introduction 2. Risk-based approach 3. Risk Management and Compliance Programme(RMCP) 4. 7

608 views • 36 slides
SECURITY POLICY Confidential Focal3 Softw are Pvt Ltd F3 _ Doc_ 0 0 6 VER4 .0 Page 2 of 2

SECURITY POLICY Confidential Focal3 Softw are Pvt Ltd F3 _ Doc_ 0 0 6 VER4 .0 Page 2 of 2

F3 _ Doc_ 0 0 6 VER4 .0 Page 1 of 1 SECURITY POLICY Confidential Focal3 Softw are Pvt Ltd F3 _ Doc_ 0 0 6 VER4 .0 Page 2 of 2 Background Focal3 and its Customers provide Focal3 Agents with Confidential and Proprietary information

279 views • 13 slides

More recommend