stegobot a covert social network botnet
play

Stegobot: a covert social-network botnet Shishir Nagaraja Network - PowerPoint PPT Presentation

Nov 02, 2023 •582 likes •747 views

Stegobot: a covert social-network botnet Shishir Nagaraja Network and Distributed Systems Security Group IIIT Delhi, India http://www.hatswitch.org/~sn275 IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC) Botnets

  1. Stegobot: a covert social-network botnet Shishir Nagaraja Network and Distributed Systems Security Group IIIT Delhi, India http://www.hatswitch.org/~sn275 IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  2. Botnets ● Primary vehicle in online crime, DDOS attacks and information theft ● Social malware attacks is an emerging trend: Dalai Lama got attacked in 2008, Google in 2009 and 800 or so others were targets in 2010 ● Botnets and anonymous communication networks have similar network properties: availability, resilience and undetectable C&C traffic. ● Standard threat model – global passive adversary IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  3. Designing a covert botnet ● Can we design a botnet using stego channels? ● New traffic links lower traffic analysis resistance ● New traffic patterns lower traffic analysis resistance ● Core idea: infect machines using social malware + use social image exchange behavior on OSN to create unobservable communication channels between infected machines Flickr 2011 IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  4. Botnet topologies -- C&C traffic -- Attack traffic IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  5. Designing a covert botnet ● Can we design a botnet using stego channels? ● New traffic links lower traffic analysis resistance ● Core idea: infect machines using social malware + use social image exchange behavior on OSN to create unobservable communication channels between infected machines Flickr 2011 IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  6. Attack vector (targeted malware) ● Hijack social trust -- steal an email with an attachment -- embed malware in the attachment -- send/resend the email to the target ● Initial break -- Social phish constructed with public information -- Once the attacker gains a foothold, neighbors within the social network of the victim are compromised IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  7. Sample subverted email designed to achieve a foothold IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  8. Stegobot architecture Communication channels -- YASS Routing mechanism – restricted flooding IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  9. Channel design ● Malware intercepts facebook image upload and embeds credit card information into it. FB sends notification to all neighbours. ● Image processing engine interference ● Facebook predictively caches images when neighbour visits victim page ● Channel efficiency is evaluated using the BER metric: #error bits / #total bits ● No interference: Stegobot doesn't upload or download the pictures IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  10. YASS parameters Q – compression; q -- redundancy IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  11. Stegobot architecture Communication channels -- YASS Routing mechanism – restricted flooding IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  12. Routing mechanism ● Dataset: Flickr social network; monthly image posting behavior of ~15000 nodes over 40 months ● Assumed 50% infection, sub-graph of 7200 extracted. ● Now we had to find out of you can build a routing network over this. ● Really simple and robust but non-optimal routing algorithm: restricted flooding with ttl = log N ● message queue: local message , fwd_message ● Routing efficiency averaged over randomly chosen botmaster nodes; each bot collects k image payload units of stolen information per month IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  13. Routing results At the bots (efficiency of clearing the local queue) IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  14. Routing b/w, efficiency, duplication Bandwidth -- #unique messages reaching the botmaster IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  15. Network bandwidth IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  16. Conclusions ● Building distributed systems over steganographic communication channels is fun! ● We have evaluated our proposed wicked system using real-world social behavior data. ● Even with a routing algorithm the botmaster can siphon off 82Mb per month (q=2) at the rate of 10kb per 700x700pixel image or 21.6Mb per month (q=8). ● Duplication rate of 50-80% indicates that with better routing algorithms much botnet bandwidth could at least be doubled or at best quadrupled. IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
StealthWare Social Engineering Malware Running malware for Social Engineering and Covert

StealthWare Social Engineering Malware Running malware for Social Engineering and Covert

StealthWare Social Engineering Malware Running malware for Social Engineering and Covert Operations By: Joey Dreijer StealthWare Social Engineering Malware Social Engineering and Covert Operations Introduction Research Security

403 views • 21 slides
PSUDP: A PASSIVE APPROACH TO NETWORK-WIDE COVERT COMMUNICATION KENTON BORN

PSUDP: A PASSIVE APPROACH TO NETWORK-WIDE COVERT COMMUNICATION KENTON BORN

PSUDP: A PASSIVE APPROACH TO NETWORK-WIDE COVERT COMMUNICATION KENTON BORN KENTON.BORN@GMAIL.COM Black Hat USA 2010 GREATEST CAPTCHA EVER Las Vegas, casino floor Wi-Fi (4/6/10) ROADMAP DNS Refresher Covert Channels DNS Tunnels My

435 views • 42 slides
Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot a software application that runs automated tasks over the Internet Botnet a collection of Internet-connected programs communicating with other

659 views • 39 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Motivation/Overview Taxonomy Detection Response Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu Georgia Institute of Technology College of Computing OARC Workshop, 2005 David Dagon Botnet

675 views • 45 slides
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&C

379 views • 27 slides
Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods Basil AsSadhan Department of Electrical Engineering & Center of Excellence in Information Assurance King Saud University April 13-14, 2014

609 views • 39 slides
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu 1,2 , Roberto Perdisci 3 , Junjie Zhang 1 , and Wenke Lee 1 1 Georgia Tech 3 Damballa, Inc. 2 Texas A&M University 2008-7-31

549 views • 22 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq Khan, Protick Bhowmick, Md. Shohrab Hossain, and Husnu S. Narman 2 Outlines Motivation Problem Contribution Results Conclusions 3

733 views • 34 slides
May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem Deterministic Noninterference Nondeducibility Generalized Noninterference Restrictiveness May 26, 2017 ECS 235B Spring Quarter 2017 Slide #1

370 views • 33 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Bankrupt Covert Channel: Turning Network Predictability into Vulnerability Dmitrii Ustiugov ,

Bankrupt Covert Channel: Turning Network Predictability into Vulnerability Dmitrii Ustiugov ,

Bankrupt Covert Channel: Turning Network Predictability into Vulnerability Dmitrii Ustiugov , Plamen Petrov, Siavash Katebzadeh, Boris Grot University of Edinburgh This work is supported by ARM Center of Excellence at University of Edinburgh

564 views • 30 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
IOT SECURITY ERIK TEWS <E.TEWS@UTWENTEL.NL> THE INTERNET OF THINGS (cc)

IOT SECURITY ERIK TEWS <E.TEWS@UTWENTEL.NL> THE INTERNET OF THINGS (cc)

IOT SECURITY ERIK TEWS <E.TEWS@UTWENTEL.NL> THE INTERNET OF THINGS (cc) https://www.flickr.com/photos/wilgengebroed/8249565455/ Systems Security IoT Security 2 30.04.2018 A NEW WORLD (cc)

922 views • 47 slides
Governance Body In-Person Meeting January 24 25, 2018 The Task Force for Global Health

Governance Body In-Person Meeting January 24 25, 2018 The Task Force for Global Health

Governance Body In-Person Meeting January 24 25, 2018 The Task Force for Global Health (Decatur, GA) Warm-up 1. Stand up. 2. Find the person with the other half of your proverb. 3. Introduce yourselves: name and first rock concert. 4.

1.13k views • 95 slides
Action Item List 20 March 2001 Status 21 February 2001 AIRS Science Team meeting D1. Dave Tobin:

Action Item List 20 March 2001 Status 21 February 2001 AIRS Science Team meeting D1. Dave Tobin:

Action Item List 20 March 2001 Status 21 February 2001 AIRS Science Team meeting D1. Dave Tobin: check availability of the UW ground-track/slant path prediction program. Needs to be exportable to support AIRS ground campaigns.

399 views • 4 slides
Studying jerks on the Internet: A Data-Driven Approach Emiliano De Cristofaro (Thanks to Jeremy

Studying jerks on the Internet: A Data-Driven Approach Emiliano De Cristofaro (Thanks to Jeremy

Studying jerks on the Internet: A Data-Driven Approach Emiliano De Cristofaro (Thanks to Jeremy Blackburn and Savvas Zannettou for most of the slides) Outline 1. Hate on and raids from fringe communities like 4chan [ICWSM 2017] 2.

868 views • 57 slides
How to Search on Encrypted Data SENY KAMARA MICROSOFT RESEARCH Encryption 2 Gen ( 1 k )

How to Search on Encrypted Data SENY KAMARA MICROSOFT RESEARCH Encryption 2 Gen ( 1 k )

How to Search on Encrypted Data SENY KAMARA MICROSOFT RESEARCH Encryption 2 Gen ( 1 k ) K Secure Communiation Enc ( K , m ) c Dec (K, c ) m Alice Bob Eve Encryption 3 Gen ( 1 k ) K Secure Storage Enc (

1.42k views • 84 slides
Deployed Anonymity Networks: A brief history Nick Mathewson <nickm@freehaven.net> The

Deployed Anonymity Networks: A brief history Nick Mathewson <nickm@freehaven.net> The

Deployed Anonymity Networks: A brief history Nick Mathewson <nickm@freehaven.net> The Free Haven Project This presentation About me Introduction to anonymous communication High-latency networks Low-latency networks

792 views • 39 slides
Mixminion Designing a Type-III Anonymous Remailer Protocol Nick Mathewson nickm@freehaven.net

Mixminion Designing a Type-III Anonymous Remailer Protocol Nick Mathewson nickm@freehaven.net

Mixminion Designing a Type-III Anonymous Remailer Protocol Nick Mathewson nickm@freehaven.net Our Goals Fix holes in Mixmaster (Type-II) remailers Conservative design Working implementation; deployed network Our Adversary

447 views • 9 slides
Beyond I Fought The Law Educating Law Enforcement about Privacy Services Adam Shostack

Beyond I Fought The Law Educating Law Enforcement about Privacy Services Adam Shostack

Beyond I Fought The Law Educating Law Enforcement about Privacy Services Adam Shostack (Presented at PET2003) Motivation n 3 Years at Zero Knowledge Systems n Freedom Network didnt succeed n Problems was sales, not law enforcement n

653 views • 18 slides

More recommend