
1 Dr. Steven Gianvecchio

2
• Internet of Things botnet
  ▪ Includes a TV and a refrigerator
• Flashback hits Mac OS X
  ▪ 800K Macs infected
• Explosion of Android threats
  ▪ 6x growth
• LinkedIn, Dropbox, and other leaks
  ▪ 6.5 million LinkedIn password hashes leaked
• Java 0-days
  ▪ 30% of computers vulnerable
• Brazil DSL hacks
  ▪ 4.5 million modems hacked

3
• 99 billion spam emails/day
  ▪ 68% of all email traffic
• US banks flooded with >150 Gbps of traffic
• 37 million phishing attempts
• Password theft up 3x
• What connects all of these problems?

4
• What is a bot?
• Short for “robot”
• An automated program that operates an application normally used by humans
  ▪ e.g., Web bot, Twitter bot
• Bots are not always bad
  ▪ e.g., Google uses bots to build its search results (these bots are also called spiders or crawlers)

5
• What are zombies?
• Computers infected with malicious bot software allowing them to be remotely controlled
  ▪ Zombie (n) 2.a.3. “in West Indian voodoo, a supernatural power through which a corpse supposedly is brought to a state of trancelike animation and made to obey the commands of the person exercising the power” [Merriam-Webster]
• Typically someone’s home or office computer (unknown to them)

6
• What are botnets?
• Botnets are networks of zombie- or bot-infected computers
  ▪ Thousands or even millions of bots
  ▪ 1-5% of Internet-connected computers [Arbor10]
  ▪ Controlled by independent hackers or criminal organizations (or military)

7
ZeroAccess botnet: Europe infections (map) [Fsecure12]
• ZeroAccess botnet: ~2-3 million infections
• ~$100K/day in profits through click fraud

8
1. Propagation - computer is infected with malicious bot software
2. Communication - bot “phones home”, i.e., contacts its controller and awaits orders
3. Attack - bot responds to commands

9
• The first step is “recruiting” bots
• Infect computers and install bot software
  ▪ Many infection methods
• Infect as many computers as possible
  ▪ Bigger is usually better
  ▪ More bots = faster propagation (rate can be exponential)

10
Infection methods (chart from the Microsoft Security Intelligence Report 2012 [Microsoft12])

11
• How bots receive commands (two command-and-control topologies: centralized vs. peer-to-peer)
• What if a node is lost?
  ▪ Centralized: every bot contacts one controller, so losing that controller cuts off the whole botnet
  ▪ Peer-to-peer: bots relay commands to each other, so losing any single node has little effect

12
• Spam (about 80% is from botnets)
• Distributed Denial of Service, aka DDoS (floods host with traffic)
• Click Fraud (fake traffic or “clicks”)
• Phishing (steal passwords using fake sites)
• Identity or Data Theft
• Keylogging
• Spying

13

14
• The Turing Test
• A human judge chats with two unknown participants: a human and a computer
• Judge guesses which is human

15
• Human Interactive Proofs
• Ideal proof: hard for computers, easy for humans
• e.g., CAPTCHA
  ▪ Like the Turing Test, but the judge is also a computer
• CAPTCHAs are hard for humans and computers
• (or maybe I’m a computer?)
• Are they still effective?

16
• Behavioral Detection
• Humans
  ▪ Biological
  ▪ Highly complex (many systems within systems)
• Bots
  ▪ Automated (good at repeating things)
  ▪ Limited complexity (does whatever is in the code)
• Can we tell them apart?

17
• Types
  ▪ Web
  ▪ Email
  ▪ Social Network
  ▪ Online Game
  ▪ And others
• Bots use these applications for propagation or communication, or target them for attack
• Bots are modular
  ▪ Could propagate via Email and communicate via Web

18
• Bots are on Twitter and Facebook
• Friend or follow you
• Send spam or phishing links (via Tweet or direct message)
• Send links to malicious code (also via Tweet or direct message)

19
• Live Twitter bots
  ▪ https://twitter.com/lizzycin
  ▪ https://twitter.com/JustinQBarbee
  ▪ https://twitter.com/bluelyndia
  ▪ https://twitter.com/trekkerdeb
  ▪ https://twitter.com/wingsaquino
  ▪ …

20
• Live Twitter bots
  ▪ https://twitter.com/lizzycin - created 7-28-2013
  ▪ https://twitter.com/JustinQBarbee - created 7-28-2013
  ▪ https://twitter.com/bluelyndia - created 7-28-2013
  ▪ https://twitter.com/trekkerdeb - created 7-28-2013
  ▪ https://twitter.com/wingsaquino - created 7-28-2013
• Likely created by the same person?

21
• Bots play games
• Gambling
  ▪ Online Poker
• Gold farming
  ▪ World of Warcraft
  ▪ Guild Wars 2
  ▪ Rift Online
  ▪ Star Wars: The Old Republic
  ▪ …

22
• Bot plays endlessly
  ▪ Gathers gold 24 hours a day
  ▪ Sells on virtual black market for real currency
• Bot plays like a human
  ▪ “Presses” keys (changes key state)
  ▪ “Moves” mouse (changes mouse x, y coordinates)
  ▪ “Views” screen (reads color values of pixels)
• Can we tell them apart from how they play?

23
• Setup
  ▪ World of Warcraft
• Collect user-input recordings
  ▪ Log mouse and keyboard events
  ▪ Compute statistics
  ▪ 10 bots for 40 hours
  ▪ 30 humans for 55 hours

24
• Bot vs Human
• 82% of bot mouse movements are 1.0 move efficiency
  ▪ i.e., a straight line (move efficiency = straight-line distance between the start and end of a movement divided by the length of the path actually traveled)
• 14% of human movements are 1.0 move efficiency
(Figure: histograms of bot move efficiency and human move efficiency)

25
• Bot vs Human
• Bot moves mouse at random speeds in different directions
• Human moves faster on diagonals
(Figure: bot mouse speed and human mouse speed by direction)
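The two mouse features on slides 24 and 25, move efficiency and speed by direction, as an added example in Python. This is not code from the Botcraft study; it assumes the efficiency definition stated above (displacement over path length), and the traces it runs on are constructed, not recordings.

```python
import math

def move_efficiency(points):
    """Straight-line distance from first to last sample divided by the length
    of the path actually traced (the efficiency measure from the slides).
    1.0 means a perfectly straight movement; curved paths score lower."""
    if len(points) < 2:
        return 1.0
    path_len = sum(math.hypot(x1 - x0, y1 - y0)
                   for (x0, y0), (x1, y1) in zip(points, points[1:]))
    if path_len == 0:
        return 1.0
    (sx, sy), (ex, ey) = points[0], points[-1]
    return math.hypot(ex - sx, ey - sy) / path_len

def is_diagonal(dx, dy):
    """True when a displacement lies within 22.5 degrees of a 45-degree diagonal."""
    angle = abs(math.degrees(math.atan2(dy, dx))) % 90
    return 22.5 <= angle <= 67.5

def speed_by_direction(movements):
    """Mean speed (px/ms) of diagonal vs axis-aligned segments.
    movements: list of movements, each a list of (t_ms, x, y) samples."""
    sums = {"diagonal": [0.0, 0], "axis": [0.0, 0]}
    for m in movements:
        for (t0, x0, y0), (t1, x1, y1) in zip(m, m[1:]):
            dt, dx, dy = t1 - t0, x1 - x0, y1 - y0
            if dt <= 0 or (dx == 0 and dy == 0):
                continue
            key = "diagonal" if is_diagonal(dx, dy) else "axis"
            sums[key][0] += math.hypot(dx, dy) / dt
            sums[key][1] += 1
    return {k: (s / n if n else 0.0) for k, (s, n) in sums.items()}

def session_features(movements):
    effs = [move_efficiency([(x, y) for _, x, y in m]) for m in movements]
    straight = sum(1 for e in effs if e > 0.999) / len(effs)
    return {"straight_fraction": straight, **speed_by_direction(movements)}

def looks_like_bot(movements, straight_threshold=0.5):
    """Threshold (an assumption) sits between the 82% (bots) and 14% (humans) on slide 24."""
    return session_features(movements)["straight_fraction"] >= straight_threshold

# --- constructed sample traces (not recordings from the study) ---
def synthetic_move(start, end, steps, curve, ms_per_step, t0):
    """Interpolate start->end; curve adds a sideways bow like a human hand."""
    (sx, sy), (ex, ey) = start, end
    dx, dy = ex - sx, ey - sy
    length = math.hypot(dx, dy) or 1.0
    nx, ny = -dy / length, dx / length          # unit normal to the move
    pts = []
    for i in range(steps + 1):
        f = i / steps
        bow = curve * math.sin(math.pi * f)
        pts.append((t0 + i * ms_per_step, sx + dx * f + nx * bow, sy + dy * f + ny * bow))
    return pts

def build_session(waypoints, curve, human_timing):
    movements, t = [], 0
    for a, b in zip(waypoints, waypoints[1:]):
        dx, dy = b[0] - a[0], b[1] - a[1]
        steps = max(2, round(math.hypot(dx, dy) / 10))   # ~10 px per sample
        ms = (6 if is_diagonal(dx, dy) else 12) if human_timing else 10
        m = synthetic_move(a, b, steps, curve, ms, t)
        movements.append(m)
        t = m[-1][0] + 500                                # pause before the next movement
    return movements

WAYPOINTS = [(0, 0), (100, 0), (100, 100), (0, 100), (0, 0), (100, 100), (200, 100), (100, 0)]
BOT_SESSION = build_session(WAYPOINTS, curve=0, human_timing=False)    # straight, uniform speed
HUMAN_SESSION = build_session(WAYPOINTS, curve=8, human_timing=True)   # bowed, faster on diagonals

if __name__ == "__main__":
    for name, s in (("bot", BOT_SESSION), ("human", HUMAN_SESSION)):
        print(name, session_features(s), "bot?", looks_like_bot(s))
```

Splitting a recording into movements at pauses (here the 500 ms gaps) matters: efficiency is only meaningful per movement, and the 0.999 cut-off rather than an exact 1.0 comparison absorbs floating-point error in the path sum.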

26
• Ad networks pay publishers (sites that display the ads) per click
• Bots can click things!
• The botmaster registers as a publisher and is paid by the ad network for clicks
• Thousands of bots click on the ads
• The advertiser (the ad network’s client) pays for those clicks and gets ripped off
• ZeroAccess (mentioned earlier) makes about $100,000/day on click fraud
• Click fraud study
  ▪ Set up a web page and collect clicks and mouse movements for bots and human users [Spider.io13]

27
• Bot vs Human
• Bot clicks and mouse movements are randomly distributed
• Human clicks and movements are focused on key areas
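One way to turn the "randomly distributed vs. focused on key areas" observation on slide 27 into a check, as an added example in Python (not code from the Spider.io study). It bins click positions into a grid and scores how spread out they are with normalized entropy and a top-cells share; the page size, hotspot positions, the 0.7 threshold and the click data are all constructed for the example.

```python
import math
import random
from collections import Counter

def click_spread(clicks, width, height, cells=10):
    """Bin clicks into a cells x cells grid and measure how spread out they are.
    entropy: Shannon entropy of the cell histogram normalised to [0, 1]
             (1.0 = evenly spread over the page, 0.0 = every click in one cell)
    top3_share: fraction of clicks landing in the three most-clicked cells."""
    counts = Counter()
    for x, y in clicks:
        cx = min(int(x * cells / width), cells - 1)
        cy = min(int(y * cells / height), cells - 1)
        counts[(cx, cy)] += 1
    total = sum(counts.values())
    if total == 0:
        return {"entropy": 0.0, "top3_share": 0.0}
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    top3 = sum(c for _, c in counts.most_common(3))
    return {"entropy": h / math.log2(cells * cells), "top3_share": top3 / total}

def looks_like_click_bot(clicks, width, height, entropy_threshold=0.7):
    """Page-wide random clicking (bots) versus clicks concentrated on a few
    targets (people). The threshold is an assumption; tune it on real sessions."""
    return click_spread(clicks, width, height)["entropy"] >= entropy_threshold

# --- constructed sample sessions on a 1000x800 page (not data from the study) ---
_rng = random.Random(7)
PAGE_W, PAGE_H = 1000, 800
HOTSPOTS = [(150, 40), (550, 440), (850, 760)]   # e.g. nav link, ad, submit button

def _clip(v, hi):
    return min(max(v, 0), hi - 1)

# a person: 200 clicks scattered a little (sigma 15 px) around three real targets
HUMAN_CLICKS = [
    (_clip(_rng.gauss(hx, 15), PAGE_W), _clip(_rng.gauss(hy, 15), PAGE_H))
    for _ in range(200) for (hx, hy) in [_rng.choice(HOTSPOTS)]
]
# a click bot: 200 clicks uniformly anywhere on the page
BOT_CLICKS = [(_rng.uniform(0, PAGE_W), _rng.uniform(0, PAGE_H)) for _ in range(200)]

if __name__ == "__main__":
    for name, clicks in (("human", HUMAN_CLICKS), ("bot", BOT_CLICKS)):
        print(name, click_spread(clicks, PAGE_W, PAGE_H),
              "bot?", looks_like_click_bot(clicks, PAGE_W, PAGE_H))
```

A smarter bot that clicks only on the ad would defeat this single feature, which is why the study also recorded mouse movements; the entropy score is one signal to combine with path features, not a verdict on its own.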

28
• Focus on the Botnet Lifecycle
  ▪ 1. Propagation / 2. Communication / 3. Attack
• Detecting Botnet Propagation
  ▪ Look for attempts to infect other machines
  ▪ Exploits change regularly
  ▪ Very hard: if we could reliably detect exploits, we wouldn’t have the botnet problem

29
• Detecting Botnet Communication
• Look for communication with the command and control server
  ▪ Bots often contact their controller at regular intervals, e.g., every 5 minutes
• Clustering works well
  ▪ Lots of computers doing the same thing
• Identify the bots and command and control servers
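The two ideas on slide 29, regular check-ins and many hosts doing the same thing, as an added example in Python that is not part of the original talk. It runs over a constructed connection log (timestamp, source, destination, port; no real traffic) and flags a destination as a command-and-control candidate only when several sources contact it near-periodically. The coefficient-of-variation cut-off (0.2) and the minimum host count (3) are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# --- constructed connection log; addresses are documentation ranges, not real hosts ---
def _make_log():
    base = datetime(2013, 7, 28, 10, 0, 0)
    lines = []
    jitter = [0, 3, -2, 4, -4, 1, -3, 2]                # seconds of slop around a 5-minute beacon
    for host in ("10.0.0.11", "10.0.0.12", "10.0.0.13"):  # three bots, same controller
        for i, j in enumerate(jitter):
            t = base + timedelta(seconds=300 * i + j)
            lines.append(f"{t.isoformat()} {host} 203.0.113.10 8080")
    for i in range(8):                                   # one host polling a time server every 10 min
        t = base + timedelta(seconds=600 * i)
        lines.append(f"{t.isoformat()} 10.0.0.9 192.0.2.5 123")
    for off in (0, 17, 21, 95, 400, 402, 900, 1750):     # a person browsing: irregular gaps
        t = base + timedelta(seconds=off)
        lines.append(f"{t.isoformat()} 10.0.0.20 198.51.100.20 443")
    return sorted(lines)

LOG_LINES = _make_log()

def parse_line(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def periodicity(times):
    """Mean inter-arrival gap and its coefficient of variation (stdev / mean).
    A CV near 0 means the connections arrive on a fixed schedule."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return (0.0, float("inf"))
    mean = statistics.fmean(gaps)
    if mean == 0:
        return (0.0, float("inf"))
    return (mean, statistics.pstdev(gaps) / mean)

def find_beacons(lines, max_cv=0.2, min_events=5):
    """Step 1: per (src, dst, port) flow, keep the ones whose timing is near-periodic.
    Returns {(dst, dport): {sources beaconing to it}}."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        flows[(src, dst, dport)].append(ts)
    beacons = defaultdict(set)
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        secs = [(t - stamps[0]).total_seconds() for t in stamps]
        _, cv = periodicity(secs)
        if cv <= max_cv:
            beacons[(dst, dport)].add(src)
    return dict(beacons)

def candidate_c2(lines, min_hosts=3, **kw):
    """Step 2 (the clustering): a lone periodic flow is usually a legitimate poller;
    a destination that many hosts beacon to in lock-step is a C&C candidate."""
    return {k: v for k, v in find_beacons(lines, **kw).items() if len(v) >= min_hosts}

if __name__ == "__main__":
    print("periodic flows:", find_beacons(LOG_LINES))
    print("C&C candidates:", candidate_c2(LOG_LINES))
```

The time-server poll in the sample log is the edge case worth keeping in mind: it is perfectly periodic and would be a false positive for a detector that stops at step 1, which is why the slide pairs the interval check with clustering across hosts. Real bots also add random jitter to their sleep, so the CV threshold has to be loose enough to tolerate it; 0.2 is a starting point, not a constant.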

30
• Detecting Botnet Attacks
• Look for bots attacking or targeting systems
• Only identifies the bots involved in the attack
• Lots of different techniques needed to detect attacks
  ▪ Spam, DDoS, Click Fraud, Phishing, etc.

31
• Set up a network of unpatched computers
  ▪ Must be isolated from the primary network
• Get infected
• Monitor the network
  ▪ Collect logs
• Learn about the bots

32
• Can monitor individual bots to discover their controller
• Target the controller, not the bots
• Take down or take over (sinkhole) the botnet
• Symantec recently disabled 500,000 bots from ZeroAccess using this approach

33
• Bots are a major security problem
  ▪ Botnets are the source of most cyber attacks
• Can detect them in various ways
  ▪ Bot vs human behavior
  ▪ Also, propagation / communication / attack
• Can disrupt them by taking down or taking over parts of the botnet

34  Interested students (or faculty) that want to get involved in bot, online game, or social network research can contact Dr. Gianvecchio, steven.gianvecchio@cnu.edu.

35
[Arbor10] “Analyzing and understanding botnets.” Jose Nazario.
[AFJ08] “Carpet bombing in cyberspace: Why America needs a military botnet.” Charles Williamson.
[Kaspersky13] “The evolution of phishing attacks: 2011-2013.” Kaspersky Labs.
[Pingdom13] “Internet 2012 in numbers.” Pingdom.
[ZDnet12] “10 Security stories that shaped 2012.” Ryan Naraine.

36
[Symantec13] “Grappling with the ZeroAccess botnet.” Ross Gibb and Vikram Thakur.
[Gianvecchio09] “Battle of Botcraft: Fighting Bots in Online Games using Human Observational Proofs.” Steven Gianvecchio, Zhenyu Wu, Mengjun Xie, and Haining Wang.

