Presentation is loading. Please wait.

Presentation is loading. Please wait.

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.

Published byGrace Lawson Modified over 8 years ago

Similar presentations

Presentation on theme: "Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings."— Presentation transcript:

1 Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings of the 16th ACM conference on Computer and communications security,2009 Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings of the 16th ACM conference on Computer and communications security,2009 Presented by Rajesh Avula 3/7/2016 Your Botnet is My Botnet: Analysis of a Botnet Takeover

2 Outline  Introduction  Domain flux  Taking control of the Botnet  Botnet analysis  Threats and data analysis  Conclusion  Introduction  Domain flux  Taking control of the Botnet  Botnet analysis  Threats and data analysis  Conclusion

3 Introduction  The main purpose of this paper is to analyze the Torpig botnet’s operations.  Botnet size.  The personal information is stolen by botnets.  The main purpose of this paper is to analyze the Torpig botnet’s operations.  Botnet size.  The personal information is stolen by botnets. 3

4 Introduction (cont.)  What is botnet? A Botnet is a collection of software agents, or robots that run autonomously and automatically. The term is most commonly associated with malicious software.  Main motivation: recognition and financial gain.  Bot controller can ‘rent’ services of the botnet to third parties (Botnet as service)  What is botnet? A Botnet is a collection of software agents, or robots that run autonomously and automatically. The term is most commonly associated with malicious software.  Main motivation: recognition and financial gain.  Bot controller can ‘rent’ services of the botnet to third parties (Botnet as service)

5 Introduction (cont.)  Botnets are the primary means for cyber-criminals to carry out their nefarious tasks, such as  sending spam mails,  launching denial-of-service attacks  stealing personal data such as mail accounts or bank credentials.  Botnets are the primary means for cyber-criminals to carry out their nefarious tasks, such as  sending spam mails,  launching denial-of-service attacks  stealing personal data such as mail accounts or bank credentials.

6 Introduction (cont.)  Once infected with a bot, the victim host will join a botnet, which is a network of compromised machines that are under the control of a malicious entity, typically referred to as the botmaster.  Malware was developed for fun, to the current situation, where malware is spread for financial profit.  Once infected with a bot, the victim host will join a botnet, which is a network of compromised machines that are under the control of a malicious entity, typically referred to as the botmaster.  Malware was developed for fun, to the current situation, where malware is spread for financial profit.

7 Introduction (cont.)  One approach to study botnets is to perform passive analysis of secondary effects that are caused by the activity of compromised machines.  Collected spam mails that were likely sent by bots  Similar measurements focused on DNS queries or DNS blacklist queries  analyzed network traffic (netflow data) at the tier-1 ISP level for cues that are characteristic for certain botnets  One approach to study botnets is to perform passive analysis of secondary effects that are caused by the activity of compromised machines.  Collected spam mails that were likely sent by bots  Similar measurements focused on DNS queries or DNS blacklist queries  analyzed network traffic (netflow data) at the tier-1 ISP level for cues that are characteristic for certain botnets

8 Introduction (cont.)  Active approach to study botnets is via infiltration.  Using an actual malware sample or a client simulating a bot, researchers join a botnet to perform analysis from the inside.  To achieve this, honeypots, honey clients, or spam traps are used to obtain a copy of a malware sample.  For some botnets that rely on a central IRC-based C&C server, joining a botnet can also reveal the IP addresses of other clients (bots) that are concurrently logged into the IRC channel  Active approach to study botnets is via infiltration.  Using an actual malware sample or a client simulating a bot, researchers join a botnet to perform analysis from the inside.  To achieve this, honeypots, honey clients, or spam traps are used to obtain a copy of a malware sample.  For some botnets that rely on a central IRC-based C&C server, joining a botnet can also reveal the IP addresses of other clients (bots) that are concurrently logged into the IRC channel

9 Introduction (cont.)  Attackers have unfortunately adapted, and most current botnets use stripped-down IRC or HTTP servers as their centralized command and control (C&C)channels.  With such C&C infrastructures, it is no longer possible to make reliable statements about other bots by joining as a client.  One way to take the control of botnet is to directly seize the physical machines that host the C&C infrastructure.  Attackers have unfortunately adapted, and most current botnets use stripped-down IRC or HTTP servers as their centralized command and control (C&C)channels.  With such C&C infrastructures, it is no longer possible to make reliable statements about other bots by joining as a client.  One way to take the control of botnet is to directly seize the physical machines that host the C&C infrastructure.

10 Introduction (cont.)  Therefore, by collaborating with domain registrars, it is possible to change the mapping of a botnet domain to point to a machine controlled by the defender.  Several recent botnets, including Torpig, use the concept of domain flux.  With domain flux, each bot periodically (and independently) generates a list of domains that it contacts.  The first host that sends a reply that identifies it as a valid C&C server is considered genuine, until the next period of domain generation is started.  Therefore, by collaborating with domain registrars, it is possible to change the mapping of a botnet domain to point to a machine controlled by the defender.  Several recent botnets, including Torpig, use the concept of domain flux.  With domain flux, each bot periodically (and independently) generates a list of domains that it contacts.  The first host that sends a reply that identifies it as a valid C&C server is considered genuine, until the next period of domain generation is started.

11 IP flux  Botnet authors have identified several ways to make these schemes more flexible and robust by using IP fast-flux techniques.  With fast-flux, the bots would query a certain domain that is mapped onto a set of IP addresses, which change frequently.  However, fast-flux uses only a single domain name, which constitutes a single point of failure.  Botnet authors have identified several ways to make these schemes more flexible and robust by using IP fast-flux techniques.  With fast-flux, the bots would query a certain domain that is mapped onto a set of IP addresses, which change frequently.  However, fast-flux uses only a single domain name, which constitutes a single point of failure.

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

Download ppt "Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings."

Similar presentations

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Botnet Behavior and Detection Strategies Brad Wilder.

Botnet Behavior and Detection Strategies Brad Wilder.
Your Botnet is My Botnet: Analysis of a Botnet Takeover

Your Botnet is My Botnet: Analysis of a Botnet Takeover
BRETT STONE-GROSS, MARCO COVA, LORENZO CAVALLARO, BOB GILBERT, MARTIN SZYDLOWSKI, RICHARD KEMMERER, CHRISTOPHER KRUEGEL, AND GIOVANNI VIGNA PRESENTATION.

BRETT STONE-GROSS, MARCO COVA, LORENZO CAVALLARO, BOB GILBERT, MARTIN SZYDLOWSKI, RICHARD KEMMERER, CHRISTOPHER KRUEGEL, AND GIOVANNI VIGNA PRESENTATION.
Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.

Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.
ECrime Research Richard Clayton Luxembourg 11 th May 2010.

ECrime Research Richard Clayton Luxembourg 11 th May 2010.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Proceedings.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
The problems associated with operating an effective anti-spam blocklist system in an increasingly hostile environment. Robert Gallagher September 2004.

The problems associated with operating an effective anti-spam blocklist system in an increasingly hostile environment. Robert Gallagher September 2004.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
On the Feasibility of Large-Scale Infections of iOS Devices

On the Feasibility of Large-Scale Infections of iOS Devices
Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.

Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.
Authors: Thomas Ristenpart, et at.

Authors: Thomas Ristenpart, et at.
Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.

Bayesian Bot Detection Based on DNS Traffic Similarity Ricardo Villamarín-Salomón, José Carlos Brustoloni Department of Computer Science University of.
2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.

2009/9/151 Rishi : Identify Bot Contaminated Hosts By IRC Nickname Evaluation Reporter : Fong-Ruei, Li Machine Learning and Bioinformatics Lab In Proceedings.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Similar presentations

Ads by Google