Dr. Steven Gianvecchio

 Internet of Things botnet  Includes TV and refrigerator  Flashback hits Mac OS X  800K Macs infected  Explosion of Android threats  6x growth  LinkedIn, Dropbox, and other leaks  6.5 million LinkedIn passwords hashes leaked  Java 0-days  30% of computers vulnerable  Brazil DSL hacks  4.5 million modems hacked

 99 billion spam s/day  68% of all traffic  US banks flooded with >150Gbps of traffic  37 million phishing attempts  Password theft up 3x  What connects all of these problems?

 What is a bot?  Short for “robot”  An automated program that operates an application normally used by humans ▪ e.g., Web bot, Twitter bot  Bots are not always bad ▪ e.g., Google uses bots to build its search results (these bots are also called spiders)

 What are zombies?  Computers infected with malicious bot software allowing them to be remotely controlled ▪ Zombie (n) 2.a.3. “in West Indian voodoo, a supernatural power through which a corpse supposedly is brought to a state of trancelike animation and made to obey the commands of the person exercising the power” [Merriam-Webster]  Typically someone’s home or office computer (unknown to them)

 What are botnets?  Botnets are networks of zombie- or bot-infected computers ▪ Thousands or even millions of bots ▪ 1-5% of Internet-connected computers [Arbor10] ▪ Controlled by independent hackers or criminal organizations (or military)

ZeroAccess botnet - Europe infections [Fsecure12] ZeroAccess botnet: ~2-3 million infections ~$100K/day in profits through Click Fraud

 1. Propagation – computer is infected with malicious bot software  2. Communication - bot “phones home”, i.e., contacts its controller and awaits orders  3. Attack - bot responds to commands

 The first step is “recruiting” bots  Infect computers and install bot software ▪ Many infection methods  Infect as many computers as possible ▪ Bigger is usually better ▪ More bots = faster propagation (rate can be exponential)

From Security Intelligence Report ‘12 [Microsoft12] Infection Methods

 How bots receive commands  What if a node is lost? Centralized Peer-to-Peer

 Spam (about 80% is from botnets)  Distributed Denial of Service, aka DDoS (floods host with traffic)  Click Fraud (fake traffic or “clicks”)  Phishing (steal passwords using fake sites)  Identity or Data Theft  Keylogging  Spying

 The Turing Test  A human judge chats with two unknown participants: a human and computer  Judge guesses which is human

 Human Interactive Proofs  Ideal Proof: hard for computers, easy for humans  e.g., CAPTCHA ▪ Like Turing Test, but judge also a computer  CAPTCHAs are hard for humans and computers  (or maybe I’m a computer?)  Are they still effective?

 Behavioral Detection  Humans ▪ Biological ▪ Highly complex (many systems within systems)  Bots ▪ Automated (good at repeating things) ▪ Limited complexity (does whatever is in the code)  Can we tell them apart?

 Types  Web   Social Network  Online Game  And Others  Bots use these applications for propagation or communication, or target them for attack  Bots are modular  Could propagate via and communicate via Web

 Bots are on Twitter and Facebook  Friend or follow you  Send spam or phishing links (via Tweet or direct message)  Send links to malicious code (also via Tweet or direct message)

 Live Twitter bots       …

 Live Twitter bots  - created  created  created  created  created  Likely created by the same person?

 Bots play games  Gambling ▪ Online Poker  Gold farming ▪ World of Warcraft ▪ Guild Wars 2 ▪ Rift Online ▪ Star Wars: The Old Republic ▪ …

 Bot plays endlessly  Gathers gold 24 hours a day  Sells on virtual black market for real currency  Bot plays like a human  “Presses” keys (changes key state)  “Moves” mouse (changes mouse x, y coordinates)  “Views” screen (reads color values of pixels)  Can we tell them apart from how they play?

 Setup  World of Warcraft  Collect user-input recordings ▪ Log mouse and keyboard events ▪ Compute statistics ▪ 10 bots for 40 hours ▪ 30 humans for 55 hours

 Bot vs Human  82% of bot mouse movements are 1.0 move efficiency ▪ i.e., a straight line  14% of human movements are 1.0 move efficiency bot move efficiency human move efficiency

 Bot vs Human  Bot moves mouse at random speeds in different directions  Human moves faster on diagonals bot mouse speed human mouse speed

 Advertisers often are paid per click  Bots can click things!  Advertiser pays botmaster for clicks  Thousands of bots click on the ads  Client pays advertiser (and gets ripped off)  ZeroAccess (mentioned earlier) makes about $100,000/day on Click Fraud  Click Fraud Study  Setup web page and collect clicks and mouse movements for bots and human users [Spider.io13]

 Bot vs Human  Bot clicks and mouse movements are randomly distributed  Human clicks and movements are focused on key areas

 Focus on the Botnet Lifecycle  1. Propagation / 2. Communication / 3. Attack  Detecting Botnet Propagation  Look for attempts to infect other machines  Exploits change regularly  Very hard ▪ If we could reliably detect exploits, we wouldn’t have the botnet problem

 Detecting Botnet Communication  Look for communication with command and control server ▪ Bots often contact their controller at regular intervals, e.g., every 5 minutes  Clustering works well ▪ Lots of computers doing the same thing  Identify the bots and command and control servers

 Detecting Botnet Attacks  Look for bots attacking or targeting systems  Only identifies the bots involved in the attack  Lots of different techniques needed to detect attacks ▪ Spam, DDoS, Click Fraud, Phishing, etc.

 Setup a network of unpatched computers  Must be isolated from primary network  Get infected  Monitor the network  Collect logs  Learn about the bots

 Can monitor individual bots to discover their controller  Target the controller, not the bots  Take down or take over the botnet  Symantec recently disabled 500,000 bots from ZeroAccess using this approach

 Bots are a major security problem  Botnets are the source of most cyber attacks  Can detect them in various ways  Bot vs human behavior  Also, propagation / communication / attack  Can disrupt them by taking down or taking over parts of the botnet

 Interested students (or faculty) that want to get involved in bot, online game, or social network research can contact Dr. Gianvecchio,

 [Arbor10] “Analyzing and understanding botnets.” Jose Nazario.  [AFJ08] “Carpet bombing in cyberspace: Why America needs a military botnet.” Charles Williamson.  [Kaspersky13] “The evolution of phishing attacks: ” Kaspersky Labs.  [Pingdom13] “Internet 2012 in numbers.” Pingdom.  [ZDnet12] “10 Security stories that shaped 2012.” Ryan Naraine.

 [Symantec13] “Grappling with the ZeroAccess botnet.” Ross Gibb and Vikram Thakur.  [Gianvecchio09] “Battle of Botcraft: Fighting Bots in Online Games using Human Observational Proofs.” Steven Gianvecchio, Zhenyu Wu, Mengjun Xie, and Haining Wang.