PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

Background
Botnets, large networks of compromised computers, are at present the main source of application-layer attacks against web servers. A botnet is built by individually infecting (or “recruiting”) computers through various methods, such as infected websites, downloaded malicious code, or exploitation of server-side application vulnerabilities.

Aims and goals
An important part of investigating this phenomenon is understanding the traffic a bot generates when commanded by the botnet operator. Isolating bot traffic from regular traffic will allow a security researcher to develop software that identifies an already infected computer and blocks this abusive traffic.

Objectives
- Publish a web application with known, easily exploitable vulnerabilities, maintained and filled with false but realistic-looking content.
- Join botnets (if not by accident, then by force).
- Accumulate and analyze incoming and outgoing traffic over time; isolate and classify bot traffic.
- Produce a detailed report of the recorded traffic: volume, duration, targets, type of abusive activity, and so on.
- Recognize and generalize traffic patterns.

Accomplishments
- Collected long-term IRC traffic from various botnets for analysis.
- Analyzed the characteristics of IRC botnet traffic and botnet capabilities.
- Researched many sources of malicious PHP code.
- Produced a detailed report on the analyzed traffic and code.
- Created a set of tools that automate infection and the research of PHP IRC botnet code.
- Published a detailed guide on how to research further scripts and use the tools provided.

Methodology
- Publish a web application on a “sandbox” machine.
- Use the provided lists of suspicious URLs to try to recognize active botnets.
- Use a separate machine to collect IRC traffic from the botnets found.
- Analyze the collected traffic logs.
- Produce a detailed and informative report on each botnet.

Setup
Machines on Amazon EC2:
- Isolated “sandbox” machine running a web server: Windows 2008 R2 with WordPress and a blog full of content. The security policy allows only web and IRC traffic. Wireshark runs at all times to log packets, and mIRC is used to monitor chat room activity on the relevant channels and server. The machine is saved as a snapshot so it can be restored if needed.
- A separate machine for monitoring.

Set of automation tools
- While working, we noticed that most of the time is spent on tedious, repetitive tasks: inspecting URLs and looking for active botnets.
- This led us to automate part of the process, resulting in a set of tools that removes most of the overhead of URL inspection.

Tool #1: URL downloader
- Targets the repetitive task of checking the validity of a list of suspicious URLs and downloading them for further use.
- Algorithm:
  - Try different variations of each URL with a few frequent suffixes.
  - Number each script that was successfully downloaded and add the .php extension.

Tool #2: IRC traffic sniffer
- Targets the time-consuming task of running a suspicious script and checking whether it connects to an active botnet.
- Algorithm: for each PHP file in a specified folder:
  - Start an Internet Explorer process.
  - Copy the PHP file to a provided web-published folder from which it can be executed.
  - Start a background job that collects all TCP packets.
  - Run the PHP file in the Internet Explorer process for a limited time (timeout parameter provided).
  - Kill the Internet Explorer and other PHP processes.
  - Stop collecting packets.
  - Analyze the packets and look for the following IRC commands: PASS, giving the password for the destination server (destination IP and TCP port taken from the packet); JOIN #, giving the IRC channel joined and the channel password.
  - Print the sniffed information and append it to a file named after the PHP file for further use.
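The packet-analysis step of Tool #2 (pulling the destination server, port, PASS value and JOIN # channel/key out of captured traffic), as an added Python example; this is not the project's own tool. It assumes the capture has already been decoded into (dst_ip, dst_port, payload) records, for instance exported from Wireshark, and the sample capture below is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
# IRC client commands of interest. The patterns are this example's own assumptions
# about the wire format: "PASS <pw>" and "JOIN #chan[ key]", each on its own line.
PASS_RE = re.compile(r"^PASS[ \t]+:?(\S+)", re.M)
JOIN_RE = re.compile(r"^JOIN[ \t]+:?(#\S+)(?:[ \t]+(\S+))?", re.M)

@dataclass
class IrcC2:
    server: str                      # destination IP taken from the packet
    port: int                        # destination TCP port taken from the packet
    password: Optional[str] = None   # value of the PASS command, if seen
    channels: List[Tuple[str, Optional[str]]] = field(default_factory=list)

def extract_irc_c2(packets):
    """Group outbound payloads by destination (ip, port) and pull PASS/JOIN details.
    packets: iterable of (dst_ip, dst_port, payload), payload as bytes or str.
    Non-IRC traffic (e.g. HTTP) matches neither pattern and is skipped."""
    found = {}
    for dst_ip, dst_port, payload in packets:
        text = payload.decode("latin-1") if isinstance(payload, bytes) else payload
        pw = PASS_RE.search(text)
        joins = JOIN_RE.findall(text)
        if not pw and not joins:
            continue
        rec = found.setdefault((dst_ip, dst_port), IrcC2(dst_ip, dst_port))
        if pw:
            rec.password = pw.group(1)
        for chan, key in joins:
            rec.channels.append((chan, key or None))  # findall yields "" for no key
    return list(found.values())

def report(packets, script_name):
    """One summary line per C2 server, tagged with the PHP script that produced the traffic."""
    lines = []
    for c2 in extract_irc_c2(packets):
        chans = ", ".join(c if k is None else f"{c} (key {k})" for c, k in c2.channels)
        lines.append(f"{script_name}: {c2.server}:{c2.port} PASS={c2.password} JOIN={chans}")
    return lines

# Constructed sample capture: one HTTP request as noise, then an IRC login and two joins.
SAMPLE = [
    ("203.0.113.10", 80, b"GET /wp-content/plugins/x/ HTTP/1.1\r\nHost: blog.example\r\n\r\n"),
    ("198.51.100.7", 6667, b"PASS s3cret\r\nNICK [bot]abc\r\nUSER bot 8 * :bot\r\n"),
    ("198.51.100.7", 6667, b"JOIN #ctrl chankey\r\nJOIN #spare\r\n"),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE, "1.php")))
```

Each output line is the record the tool appends to the per-script result file; the (server, port) key also lets traffic from several scripts be matched to the same controller.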

Tool #2: IRC traffic sniffer

Results & Conclusions
- Most of the activity on the active botnets involves scanning for vulnerable websites and trying to infect them.
- All vulnerabilities used are well-known and documented bugs in WordPress extensions.
- Although they are known, a great number of scan results appear to be vulnerable: users don't care enough about updates.
- Real attacks were rare in the data collected.
- A notable DoS attack, a UDP flood, was seen.
- Passing of credit card numbers and identities was noted a few times.

Some Visual Demonstrations

UDP flood

Complex network of bots and managers

Timeline example

Backdoor example

Future work
- The final report contains a full guide on how to inspect and analyze IRC botnets:
  - Complete methodology guide.
  - A list of further investigation directions.
  - A user manual for the automation tools.
- All of the above give future teams a big opportunity to get started very quickly and skip the initial non-productive phases.

Summary
- Our research shows that there is a whole underground culture of Indonesian-sourced botnets that is very much alive and active.
- Most of the activity on these botnets goes into expanding their army of bots, creating a net of abused servers large enough to be lucrative for their manager.
- PHP code allows endless possibilities for hijacking and abusing web servers.

The End.