botnets
play

Botnets Secret Puppetry With Computers Balaji Prasad T.K ( - PowerPoint PPT Presentation

Jan 13, 2024 •506 likes •895 views

Botnets Secret Puppetry With Computers Balaji Prasad T.K ( bpt@email.arizona.edu ) Nupur Maheshwari ( nupurm@email.arizona.edu ) Department of Computer Science University of Arizona April 22, 2012 What are Botnets? 1 Technical Overview 2

  1. Botnets Secret Puppetry With Computers Balaji Prasad T.K ( bpt@email.arizona.edu ) Nupur Maheshwari ( nupurm@email.arizona.edu ) Department of Computer Science University of Arizona April 22, 2012

  2. What are Botnets? 1 Technical Overview 2 Compare and Contrast 3 Detection and Prevention 4 Evolution and Conclusion 5

  3. Introduction A botnet is a network of zombie computers which are remotely controlled by a botmaster . Components: Botmaster Zombies Communication Channel Servers

  4. Botnet Overview

  5. Facts and Stats 83% of global spam 3 million botnets, 100 spams per minute Only 3 survived from 2010 Why no Linux Botnets?

  6. Bot Stories Wiki Leaks -Used Botnet for campaign http://news.techworld.com/security/3252663/ anonymous-uses-30000-pc-strong-botnet-in-wikileaks-campaign/ App Stores - Marketing

  7. Botnets Threat Landscape Have managed to bring down websites of biggies like cia.gov(US cental investigation agency), SOCA.gov (British serious organised crime agency)) etc Here is a list of what you can do:

  8. Historically (in)Famous StormBot: Conflicker: ZeusBot: Jan 2007 Nov 2009 July 2007 fighting-back RPC Request drive-by-downloads capabilities Buffer overflow and Phising scams Spam with Subject Affected: Bank of Affected: French Navy, - 230 dead as storm United Kingdom Ministry America, NASA, batters Europe Monster.com, ABC, of Defence, Manchester Affected: private City council’s system and Oracle, Play.com, computers in police network, German Cisco, Amazon, and BusinessWeek Europe and US army systems

  9. What are Botnets? 1 Technical Overview 2 Compare and Contrast 3 Detection and Prevention 4 Evolution and Conclusion 5

  10. How They Recruit

  11. How They Differ Virus Vs. Worm Vs. Botnet http://www.youtube.com/watch?v=XlSc8W5VaR8

  12. How They Propogate Scan the network Send spam mails Drive-by download Install malware

  13. How They Obfuscate Encryptation Mutation Encoded Peer List

  14. Botnet obfuscation mechanisms

  15. Use a Passcode

  16. Use a Passcode

  17. Use a Passcode

  18. Patch Up

  19. Command and Control IRC - Internet Relay Chat P2P - Peer-to-Peer Web Based

  20. Command and Control - IRC

  21. Command and Control - P2P P2P -based: IRC-based botnets have centralized master which is single point of failure In P2P based C&C Botmaster can use any of the nodes to pass commands or collect information from other nodes in the Botnet Web-based: Botnets evolved to use HTTP and HTTPS protocols for C&C - The bots talk to a web server acting as their master Distinct advantage to the adversary as HTTP ports are always enabled This C&C merges well with the normal traffic to provide obscurity

  22. What are Botnets? 1 Technical Overview 2 Compare and Contrast 3 Detection and Prevention 4 Evolution and Conclusion 5

  23. Anatomy of 2 High Profile Bots AgoBot Also known as Phatbot - oldest known bots IRC based bot with a huge arsenal of exploits Ability to launch DDoS attacks and harvest passwords through key logging and traffic sniffing SDBot Known since 2002-Hundreds of variants providing a wide range of capabilities Core code is very compact when compared to AgoBot with just 2000 lines of C code Extension of code to add a newer capability is very straightforward - also diffuses accountability of the creator.

  24. Botnet Control Mechanism AgoBot bot.execute & Makes the bot execute a specific .exe bot.sysinfo & Echo the bots system information bot.status Echo bot status information bot.nick & Changes the nickname of the bot bot.open & Opens a specified file bot.remove & Removes the bot from the host SDBot uses commands like Ping & Pong Join request to establish IRC connection Commands sent by the master include:KICK, NICK, PART. All other commands will be sent as part of the PRIVMSG,NOTICE or TOPIC IRC messages

  25. Host Control Mechanism AgoBot Secure the system Harvest commands Pctrl commands Inst commands SDBot Download Kill thread Sysinfo Execute Update

  26. Attack Mechanism AgoBot Scans for backdoors left by other worms Exploits RPC Buffer Overflow in windows Brute force SQL servers DDos SDBot Capabilities are relatively benign Creator can disown Extends to UDP and ICMP udp/ping < host to attack > < portno . ofpackets >< packetsize >

  27. Obfuscation and deception mechanism AgoBot Swapping consecutive bytes Rotate left / Rotate right Polymorphic encoding Looked for debuggers Installed virtual machines Kills antivirus processes Alters DNS servers of the AV/SW companies SDBot did not have any such capabilities.

  28. What are Botnets? 1 Technical Overview 2 Compare and Contrast 3 Detection and Prevention 4 Evolution and Conclusion 5

  29. Anomaly based detection Scanning involves sending TCP SYN and other control packets to find open ports Calculate TCP work weight - fraction of TCP packets that were control packets w = ( SYN n + ACK n + FIN n ) / TCP n Anomalous values caught. Won’t work with ”Idle scanning”

  30. What is Idle scanning?

  31. Idle scanning Detection we can form a Host Exposure Map which captures the host-port combinations of the connections in which the host generally involves. Data should be obtained by initially training the system and capturing the pattern. Any activity on the host which doesn’t fall in the Exposure Map can be reported.

  32. Detection by dialog co-realation The victimized host goes into specific states during interaction with master The dialog co-relation engine sits at the perimeter of the network and make use of the services of Intrusion Detection Systems(IDS)

  33. p2p Botnet Detection First process involves detection of hosts in the network that involve in p2p communication - Statistical Finger printing Separation of legitimate p2p hosts from the malicious ones - persistence pattern and interaction pattern Identify p2p Identify persistent Aggregate flows Analyse network Identify Botnets Filter for hosts hosts p2p hosts traffic Network Phase−1 Phase−2 Bots

  34. What are Botnets? 1 Technical Overview 2 Compare and Contrast 3 Detection and Prevention 4 Evolution and Conclusion 5

  35. Evolution of botnets

  36. Evolution of Botnets

  37. Conclusion Security begins from personal responsibility. Install security updates for OS, browser etc promptly Don’t visit untrusted links Avoid using peer-to-peer software Block JavaScript Watch your ports for unexpected inbound and outbound traffic. http://www.youtube.com/watch?v=SubxMZxhiKo

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr hrea eats ts of inte of intern rnet et Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets?

722 views • 35 slides
Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive

Botnets CS 598: Advanced Internet Presented by: Imranul Hoque How to Study Botnets? Passive analysis Study spam e-mail, DNS queries by bot-infected machines, DNS blacklists, analyze network traffic, etc. Infiltration Todays

686 views • 15 slides
NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

NECST laboratory BOTNETS FUNDING ETC. . @syssecproject SysSec Project:

PHOENIX &amp; CERBERUS We haz botnets! #Honeynet2014 Stefano Schiavoni, Edoardo Colombo Federico Maggi Lorenzo Cavallaro Stefano Zanero Politecnico Di Milano &amp; Royal Hollway, University of London NECST laboratory BOTNETS FUNDING ETC.

1.28k views • 107 slides
BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines

BOTNETS GRAD SEC NOV 21 2017 TODAYS PAPERS BOTNETS Collection of compromised machines (bots) under unified control of an attacker (botmaster) Method of compromise decoupled from method of control Launch a worm/virus, etc.:

790 views • 16 slides
Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic

Detecting Botnets with Temporal Persistence Jaideep Chandrashekar Frederic Giroire Nina Taft Eve Schooler Mascotte project I3S (CNRS, Univ. of Nice) Intel Labs INRIA Sophia Antipolis Botnets: Why care? Botnet

888 views • 46 slides
Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

Studying Spamming Botnets Using BotLab Arvind Krishnamurthy Joint work with: John John, Alex Moshchuk, Steve Gribble University of Washington Botnets: a Growing Threat Increasing awareness, but there is a dearth of hard facts especially

291 views • 15 slides
Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats

Bot BotNets Nets- Cy Cyber ber To Torr rriris irism Battling Battling the the threats threats of of interne internet Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets? Because Bot

379 views • 27 slides
Spamming Botnets: Signatures and Characteris5cs Xie et al.

Spamming Botnets: Signatures and Characteris5cs Xie et al.

Spamming Botnets: Signatures and Characteris5cs Xie et al. Presented by Kyle Mar5n &lt;kyle.mar5n@knights.ucf.edu&gt; The Problems Botnets The Problems

823 views • 36 slides
Botnets Some slides taken from David Choffnes, Northeastern

Botnets Some slides taken from David Choffnes, Northeastern

Botnets Some slides taken from David Choffnes, Northeastern https://www.justice.gov/usao-cdca/pr/justice-department- announces-court-authorized-efforts-map-and-disrupt-botnet- used-north

707 views • 32 slides
Effective features for detecting Effective features for detecting IRC botnets IRC botnets

Effective features for detecting Effective features for detecting IRC botnets IRC botnets

Effective features for detecting Effective features for detecting IRC botnets IRC botnets Claudio Mazzariello, Carlo Sansone Carlo Sansone Claudio Mazzariello, Dipartimento di Informatica e Sistemistica Dipartimento di Informatica e

614 views • 19 slides
Botnets A collection of compromised machines Under control of a single person Organized

Botnets A collection of compromised machines Under control of a single person Organized

Botnets A collection of compromised machines Under control of a single person Organized using distributed system techniques Used to perform various forms of attacks Usually those requiring lots of power Lecture 12 Page 1 CS

753 views • 16 slides
Malware: Viruses, Worms, Rootkits, Botnets Spring 2015

Malware: Viruses, Worms, Rootkits, Botnets Spring 2015

CSE 484 / CSE M 584: Computer Security and Privacy Malware: Viruses, Worms, Rootkits, Botnets Spring 2015 Franziska (Franzi) Roesner

403 views • 37 slides
AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot)

AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot)

Table of Contents AN INSIDE LOOK AT Rationale BOTNETS Codebase Analysis (Agobot, SDBot, SpyBot, GT Bot) Architecture Paul Barford and Vinod Yagneswaran Remote Control Mechanisms Host Control Propagation Exploits and

158 views • 4 slides
Worms, Botnets and The Underground Economy CS 161 - Computer Security Profs. Vern Paxson &amp;

Worms, Botnets and The Underground Economy CS 161 - Computer Security Profs. Vern Paxson &amp;

Worms, Botnets and The Underground Economy CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ April 16,

445 views • 19 slides
Presentation: Scalable Detection of Botnets Based on DGA Presentation June 2019 DOI:

Presentation: Scalable Detection of Botnets Based on DGA Presentation June 2019 DOI:

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/333652427 Presentation: Scalable Detection of Botnets Based on DGA Presentation June 2019 DOI: 10.13140/RG.2.2.24134.32322 CITATIONS

561 views • 20 slides
A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints Victor Le

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints Victor Le

A Practical Approach for Taking Down Avalanche Botnets Under Real-World Constraints Victor Le Pochat , Tim Van hamme, Sourena Maroofi, Tom Van Goethem, Davy Preuveneers, Andrzej Duda, Wouter Joosen, Maciej Korczyski NDSS 2020, 25 February 2020

244 views • 23 slides
RSMG 10 October 2019 ORR protects the interests of rail and road users, improving the safety,

RSMG 10 October 2019 ORR protects the interests of rail and road users, improving the safety,

ORR protects the interests of rail and road users, improving the safety, value and performance of railways and roads today and in the future RSMG 10 October 2019 ORR protects the interests of rail and road users, improving the safety, value and

676 views • 41 slides
A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics

A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics

A tour of machine learning ... guided by a complete amateur Thomas Dullien, Google Topics to cover 1. Logistic regression 2. Word embeddings 3. t-SNE 4. Deep Networks (and some transfer learning) 5. Hidden Markov Models for sequence

1k views • 60 slides
Compartmentalized Continuous Integration David Neto Devin Sundaram Senior MTS Senior MTS

Compartmentalized Continuous Integration David Neto Devin Sundaram Senior MTS Senior MTS

Compartmentalized Continuous Integration David Neto Devin Sundaram Senior MTS Senior MTS Altera Corp. THAT SPECIAL THING 2000 That special thing 2007 p4 vs. svn 2009 Collaboration++ THREE TAKEAWAYS Continuous Integration is tough

887 views • 57 slides
Computational Thinking Artificial Intelligence Computational Thinking www.ugrad.cs.ubc.ca/~cs100

Computational Thinking Artificial Intelligence Computational Thinking www.ugrad.cs.ubc.ca/~cs100

Computational Thinking Artificial Intelligence Computational Thinking www.ugrad.cs.ubc.ca/~cs100 Learning Goals CT Application: Students will be able to describe what AI is currently capable of CT Application: Students will be able

514 views • 26 slides
CSE 513 I ntroduction to Operating Systems Class 10 - Security J onat han Walpole Dept . of

CSE 513 I ntroduction to Operating Systems Class 10 - Security J onat han Walpole Dept . of

CSE 513 I ntroduction to Operating Systems Class 10 - Security J onat han Walpole Dept . of Comp. Sci. and Eng. Oregon Healt h and Science Universit y Overview I ntro to cryptography tools one-way f unct ions, public vs pr ivat e key

1.1k views • 90 slides
Funner LLVM development Nico Weber, @thakis Goma .cpp, .h .o

Funner LLVM development Nico Weber, @thakis Goma .cpp, .h .o

Funner LLVM development Nico Weber, @thakis Goma .cpp, .h .o https://chromium.googlesource.com/infra/goma/client/ cmake -GNinja -DLLVM_ENABLE_ASSERTIONS=ON -DCMAKE_BUILD_TYPE=Release -DLLVM_TARGETS_TO_BUILD=X86 ../llvm-rw/

682 views • 25 slides
MetaCAPTCHA: A Metamorphic Throttling Service for the Web Akshay Dua, Thai Bui, Tien Le, Nhan

MetaCAPTCHA: A Metamorphic Throttling Service for the Web Akshay Dua, Thai Bui, Tien Le, Nhan

Introduction System Architecture Evaluations References MetaCAPTCHA: A Metamorphic Throttling Service for the Web Akshay Dua, Thai Bui, Tien Le, Nhan Huynh, Wu-chang Feng { akshay, buithai, letien, nhhuyng, wuchang } @cs.pdx.edu Portland

913 views • 57 slides
Adherence, Avatars and Where to from here Kerry Y. Fang, Heidi Bjering, Athula Ginige Medication

Adherence, Avatars and Where to from here Kerry Y. Fang, Heidi Bjering, Athula Ginige Medication

Adherence, Avatars and Where to from here Kerry Y. Fang, Heidi Bjering, Athula Ginige Medication Adherence Non-adherence : One of the major causes of morbidity, mortality and health care costs (WHO) Factors affecting adherence : complex

345 views • 20 slides

More recommend