Presentation is loading. Please wait.

Presentation is loading. Please wait.

Botnet behavior and detection October 2014 - RONOG Silviu Sofronie – a Head of Forensics.

Published byAlexander Houston Modified over 8 years ago

Similar presentations

Presentation on theme: "Botnet behavior and detection October 2014 - RONOG Silviu Sofronie – a Head of Forensics."— Presentation transcript:

1 Botnet behavior and detection October 2014 - RONOG Silviu Sofronie – a Head of Forensics

2 1 Topic: Botnets What do they look like How they behave Why should we care

3 Botnet quick overview

4 There’s always a C&C server in control Domain Generating Algorithm – DGA Malware sample needed Honeypot to monitor

5 Botnet quick overview How about an emerging botnet ? A botnet no one heard of yet … what then ?

6 Botnets: How do they behave A few possible approaches: Internet user behavior – buckets of users Network traffic patterns Fortunately they behave in a predictable manner

7 Internet user behavior Straight forward approach: -Anonymize user’s personal data (IP address) -(machine) learn about its usual internet behavior -Create buckets of behaviors -Throw users in buckets -Observe anomalies occuring -Ex.: A user that never visited a.ru site, is now doing different DNS requests that end up in timeout. Next day there are 100 users with the same behavior.

8 Network traffic patterns Spam bots and why they are special Spam botnets are the most common way of sending spam because they can easily be automated: 1. An outbreak of viruses and worms is sent in the wild, infecting systems and deploying a malicious application – the bot. 2. The bot registers with a command and control (C&C) server controlled by the botnet operator and is ready to receive and serve several commands, such as sending emails from via SMTP. 3. Spammers purchase email-sending services from the operator, providing them with templates and target address lists. 4. The operator instructs the compromised machines to send out spam messages.

9 Network traffic patterns client.write( buff5k ); [ ] ( ) ( )...

10 Network traffic patterns Typical example with consistent segment size.

11 Network traffic patterns Another typical example – MSS improves to multiples of the base value. Relay servers can be configured in numerous ways, but this pattern stands out.

12 Network traffic patterns The headers are clearly sent in a distinct writing sequence. The SMTP sequence for ending the data transmission is sent in its own segment Distinct FROM header

13 Takeaway There are interesting approaches for detecting botnets, besides sinkholes. -Analyzing user behavior with machine learning and event correlation engines -Network traffic patterns ssofronie@bitdefender.com

14

Download ppt "Botnet behavior and detection October 2014 - RONOG Silviu Sofronie – a Head of Forensics."

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.

Understanding the Network- Level Behavior of Spammers Anirudh Ramachandran Nick Feamster Georgia Tech.
Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely.

Spam Sinkholing Nick Feamster. Introduction Goal: Identify bots (and botnets) by observing second-order effects –Observe application behavior thats likely.
Basic Communication on the Internet:

Basic Communication on the Internet:
A look into Bullet Proof Hosting November 2014 - DefCamp 5 Silviu Sofronie – Head of Forensics

A look into Bullet Proof Hosting November DefCamp 5 Silviu Sofronie – Head of Forensics
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
Your Botnet is My Botnet: Analysis of a Botnet Takeover

Your Botnet is My Botnet: Analysis of a Botnet Takeover
Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.

Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
Kindred Domains: Detecting and Clustering Botnet Domains Using DNS Traffic Matt Thomas Data Architect, Verisign Labs.

Kindred Domains: Detecting and Clustering Botnet Domains Using DNS Traffic Matt Thomas Data Architect, Verisign Labs.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
The problems associated with operating an effective anti-spam blocklist system in an increasingly hostile environment. Robert Gallagher September 2004.

The problems associated with operating an effective anti-spam blocklist system in an increasingly hostile environment. Robert Gallagher September 2004.
Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.

Understanding the Network-Level Behavior of Spammers Anirudh Ramachandran Nick Feamster.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
Chapter 29 Structure of Computer Names Domain Names Within an Organization The DNS Client-Server Model The DNS Server Hierarchy Resolving a Name Optimization.

Chapter 29 Structure of Computer Names Domain Names Within an Organization The DNS Client-Server Model The DNS Server Hierarchy Resolving a Name Optimization.
Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.

Understanding the Network-Level Behavior of Spammers Mike Delahunty Bryan Lutz Kimberly Peng Kevin Kazmierski John Thykattil By Anirudh Ramachandran and.
Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Similar presentations

Ads by Google