uncovering and visualizing botnet infrastructure and
play

UNCOVERING AND VISUALIZING BOTNET INFRASTRUCTURE AND BEHAVIOR - PowerPoint PPT Presentation

May 08, 2023 •357 likes •1.51k views

UNCOVERING AND VISUALIZING BOTNET INFRASTRUCTURE AND BEHAVIOR ANDREA SCARFO (SECURITY RESEARCHER) Security Research Analyst @ Cisco Umbrella (formerly OpenDNS) in San Francisco since 2015 Previously a System Administrator for 12 years JOSH

  4. DGA Archive provides regex lookups to find similar patterns

  5. Hash Samples uploaded by community, honeypots and malware authors

  6. FEEDS

  7. hfjrlydjpponowxnlq.com

  8. isctdtaulbpoprun.pw

  9. lkvxmbtxsbiqp.com

  10. UNCOVERING INFRASTRUCTURE

  11. IOCS

  12. IOCs SEEN THROUGHOUT THE BOT LIFECYCLE DOMAIN NAMES C&C communications DGAs - resolving and NX domains 
 IP ADDRESSES Hosting IPs 
 NAMSERVERS, EMAIL REGISTRANT WHOIS Information 
 HASHES OF MALICIOUS BINARIES Dropped by RATS Contained in Spam Dropped by compromised websites or malvertising

  13. CLEANING THE DATA

  14. Process data and organize

  15. Process data and organize Still A Pain To Look At

  16. Visually map hash to domain

  17. Visually map TTL to domain

  18. Clean data for useful visuals That doesn’t look right

  19. MONGO DB We sent data to mongo for historical lookups

  20. CLEANING DATA ‣ 175 IPs related to botnet C&C servers over a 1 month period

  21. UNCOVERING BEHAVIOR

  22. Looking at a list of IP’s isn’t immediately useful

  23. CLEANING DATA ‣ Relationships between other indicators can develop intelligence on attack and botnet infrastructure

  24. ▸ Which behavior features would be interesting? ▸ lat/lon ▸ how many clients are visiting? ▸ the first seen date of a particular ioc ▸ connected infrastructure : ips, asns, domains, namerserver

  25. CLEANING DATA ‣ Some are not connected and need cleaned out 127.0.0.1 8.8.8.8 255* Get rid of data that doesn’t help

  26. This domain points to a reserved IP

  28. CLEANING DATA ‣ Some IPs are usually compromised webservers used to proxy/hide the C&C communications

  29. Using Necurs as an example NECURS BOTNET

  30. NECURS BOTNET INSIDE STORY ‣ Infection Method ‣ Spam with malicious attachments ‣ Malvertising ‣ Exploit Kits ‣ Malicious links in emails

  31. NECURS BOTNET INSIDE STORY ‣ Prominent Malware ‣ Ransomware ‣ Banking Trojans

  32. NECURS BOTNET INSIDE STORY Noteworthy DDoS ability Uses 2 DGAs in effort to keep communications secret

  33. CO-OCCURRING DGAS AND HOSTING IPS

  34. We’ll show some examples using the OpenSource tool: OpenGraphiti (and networkx/ symanticnet python libs)

  35. View of OpenGraphiti output

  36. Co-occuring dga domains: IP’s and email registrants

  37. Another view

  38. Co-occuring dga domains: IP Location data

  39. ATTACK CAMPAIGNS

  40. Using Globeimposter as an example GLOBEIMPOSTER

  41. HAILSTORM SPAM BOT SENDS GLOBEIMPOSTER ▸ dategs[.]ru/js/tasok11[.]exe - from a hailstorm spam bot - 182.56.129.116 - Passive DNS

  42. Timeline of Domain use

  43. HAILSTORM SPAM BOT SENDS GLOBEIMPOSTER ▸ 420855ef0326743f46da71127620be22089152c 9029ba450d4f4679b8a8a122d - globeimposter

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Outline - Tasks - Map projections - Visualizing area data - Visualizing point data -

Outline - Tasks - Map projections - Visualizing area data - Visualizing point data -

Outline - Tasks - Map projections - Visualizing area data - Visualizing point data - Visualizing trajectories - Visualizing time Tasks Locations (0D, Points) Areas (2D) Distribution Comparison Sensity Max/min values

961 views • 48 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through Graphs Eduard Glatz Computer Engineering and Networks Laboratory ETH Zurich (Switzerland) eglatz@tik.ee.ethz.ch 20. Dec. 2009 Motivation

466 views • 27 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&C) Dynamic Graph Model Botnet

195 views • 18 slides
Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Introduction Advantages Skype Supernodes Botnet Our Model Features Communication protocol Experiments Limitations Countermeasures Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa - Universit`

483 views • 16 slides
An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
VISUALIZING UNCERTAINTY Fall 2017 Mac Hill VISUALIZING UNCERTAINTY 2 DEVELOPING A VISUAL

VISUALIZING UNCERTAINTY Fall 2017 Mac Hill VISUALIZING UNCERTAINTY 2 DEVELOPING A VISUAL

Thesis Proposal VISUALIZING UNCERTAINTY Fall 2017 Mac Hill VISUALIZING UNCERTAINTY 2 DEVELOPING A VISUAL VOCABULARY FOR UNCERTAINTY How can the design of information visualizations commonly found in news media coverage incorporate

591 views • 20 slides
Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot a software application that runs automated tasks over the Internet Botnet a collection of Internet-connected programs communicating with other

659 views • 39 slides
Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1 Alice has developed a new botnet detector!!! What should the evaluation show? Alice's

767 views • 42 slides
Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Motivation/Overview Taxonomy Detection Response Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu Georgia Institute of Technology College of Computing OARC Workshop, 2005 David Dagon Botnet

675 views • 45 slides
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&C

379 views • 27 slides
Visualizing Data with Graphs and Maps Yifan Hu AT&T Labs Research NIST May 7, 2012

Visualizing Data with Graphs and Maps Yifan Hu AT&T Labs Research NIST May 7, 2012

Visualizing Data with Graphs and Maps Yifan Hu AT&T Labs Research NIST May 7, 2012 Outline The graph visualization problem Algorithms & challenges for visualizing large graphs Visualizing cluster relationships as maps

1.06k views • 76 slides
Empirical Methods in Natural Language Processing Lecture 6 Tagging (II): Transformation-Based

Empirical Methods in Natural Language Processing Lecture 6 Tagging (II): Transformation-Based

Empirical Methods in Natural Language Processing Lecture 6 Tagging (II): Transformation-Based Learning and Maximum Entropy Models Philipp Koehn 24 January 2008 PK EMNLP 24 January 2008 1 Tagging as supervised learning Tagging is a

326 views • 9 slides
CSCI 4152/6509 Natural Language Processing Lab 6: Python NLTK Tutorial 2 Lab Instructor: Dijana

CSCI 4152/6509 Natural Language Processing Lab 6: Python NLTK Tutorial 2 Lab Instructor: Dijana

CSCI 4152/6509 Natural Language Processing Lab 6: Python NLTK Tutorial 2 Lab Instructor: Dijana Kosmajac, Tukai Pain Faculty of Computer Science Dalhousie University 26/28-Feb-2020 (6) CSCI 4152/6509 1 Lab Overview Part-of-speech (POS)

615 views • 24 slides
Natural Language Processing with Python CS372: Spring, 20 15 Lecture 12 Categorizing and

Natural Language Processing with Python CS372: Spring, 20 15 Lecture 12 Categorizing and

Natural Language Processing with Python CS372: Spring, 20 15 Lecture 12 Categorizing and Tagging Words Jong C. Park Department of Computer Science Korea Advanced Institute of Science and Technology CATEGORIZING AND TAGGING WORDS Using a

688 views • 34 slides
The Tagging Task Part-of-Speech Tagging Input: the lead paint is unsafe Output: the/Det lead/N

The Tagging Task Part-of-Speech Tagging Input: the lead paint is unsafe Output: the/Det lead/N

The Tagging Task Part-of-Speech Tagging Input: the lead paint is unsafe Output: the/Det lead/N paint/N is/V unsafe/Adj Uses: text-to-speech (how do we pronounce lead?) can write regexps like (Det) Adj* N+ over the output A

400 views • 8 slides
HO HOW W TO GET O GET PUBLISHED PUBLISHED ? I will stop my role of editor in chief of

HO HOW W TO GET O GET PUBLISHED PUBLISHED ? I will stop my role of editor in chief of

HO HOW W TO GET O GET PUBLISHED PUBLISHED ? I will stop my role of editor in chief of EUROPEAN GERIATRIC MEDICINE published by Elsevier on 2017, December 31st HO HOW W TO GET O GET PUBLISHED PUBLISHED ? Authors challenges How to write

259 views • 11 slides
Using a VMware Network Infrastructure to Collect Traffic Traces for Intrusion Detection

Using a VMware Network Infrastructure to Collect Traffic Traces for Intrusion Detection

Using a VMware Network Infrastructure to Collect Traffic Traces for Intrusion Detection Evaluation by Frederic Massicotte, Mathieu Couture and Annie De Montigny Leboeuf http://www.crc.ca/networksystems_security/ {frederic.massicotte,

409 views • 8 slides
Evalua&ng Path Queries over Route Collec&ons Panagio&s

Evalua&ng Path Queries over Route Collec&ons Panagio&s

Evalua&ng Path Queries over Route Collec&ons Panagio&s Bouros NTUA, Greece (supervised by Y. Vassiliou) Outline Introduc&on Route

348 views • 34 slides
Tax axono onomy my of f ge generativ erative e mo models dels Prof. Leal-Taix and Prof.

Tax axono onomy my of f ge generativ erative e mo models dels Prof. Leal-Taix and Prof.

Tax axono onomy my of f ge generativ erative e mo models dels Prof. Leal-Taix and Prof. Niessner Figure from Ian Goodfellow, Tutorial on Generative Adversarial /networks, 2017 1 Tax axono onomy my of f ge generativ erative e mo

1.26k views • 88 slides

More recommend