Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Based on article by: Jaideep Chandrashekar,

Slides:

Advertisements

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Advertisements

Thank you to IT Training at Indiana University Computer Malware.

Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

Bots and Botnets CS-431 Dick Steflik. DDoS ● One of the most common ways to mount a Distributed Denial of Service attacks is done via networks of zombie.

Detecting Botnets Using Hidden Markov Models on Network Traces Wade Gobel Bio-Grid, Summer 2008.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

LittleOrange Internet Security an Endpoint Security Appliance.

Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY OF C ALIFORNIA Berkeley Combating Stealth Malware and Botnets in Higher Education Educause.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

Sravanthi Vattikuti Sri Harsha Devabhaktuni

Botnets An Introduction Into the World of Botnets Tyler Hudak

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

Outline  Infections  1) r57 shell  2) rogue software  What Can We Do?  1) Seccheck  2) Virus total  3) Sandbox  Prevention  1) Personal Software.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

BotNet Detection Techniques By Shreyas Sali

Chapter 9: Cooperation in Intrusion Detection Networks Authors: Carol Fung and Raouf Boutaba Editors: M. S. Obaidat and S. Misra Jon Wiley & Sons publishing.

Internet Security facilities for secure communication.

CAP6135: Malware and Software Vulnerability Analysis Botnets Cliff Zou Spring 2012.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.

Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.

A N I NSIDE L OOK AT B OTNETS ARO-DHS S PECIAL W ORKSHOP ON M ALWARE D ETECTION, 2005 Written By: Paul Barford and Vinod Yegneswaran University of Wisconsin,

Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.

2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.

Network problems Last week, we talked about 3 disadvantages of networks. What are they?

Nullcon Goa 2010http://nullcon.net Botnet Mitigation, Monitoring and Management - Harshad Patil.

BOTNETS Presented By : Ramesh kumar Ramesh kumar 08EBKIT049 08EBKIT049 A BIGGEST THREAT TO INERNET.

AN INSIDE LOOK AT BOTNETS Barford, Paul and Yegneswaran Advances in Information Security, Springer, 2006 Kishore Padma Raju.

Speaker: Hom-Jay Hom Date:2009/11/17 Botnet, and the CyberCriminal Underground IEEE 2008 Hsin chun Chen Clinton J. Mielke II.

Host and Application Security Lesson 17: Botnets.

Omar Hemmali CAP 6135 Paul Barford Vinod Yegneswaran Computer Sciences Department University of Wisconsen, Madison.

Exploiting Temporal Persistence to Detect Covert Botnet Channels Authors: Frederic Giroire, Jaideep Chandrashekar, Nina Taft… RAID 2009 Reporter: Jing.

Polytechnic University Introduction1 CS 393/682: Network Security Professor Keith W. Ross.

Big Bad Botnet Day! Xeno Kovah In association with the Corporation for Public Botcasting, and Viewers Like You! Xeno Kovah In association with the Corporation.

Know your Enemy: Tracking Botnets The Honeynet Project & Research Alliance Presented by: Jonathan Dowdle.

A Multifaceted Approach to Understanding the Botnet Phenomenon Aurthors: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Publication: Internet.

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Presented by D Callahan.

Types of Malware © 2014 Project Lead The Way, Inc.Computer Science and Software Engineering.

Speaker: Hom-Jay Hom Date:2009/10/20 Botnet Research Survey Zhaosheng Zhu. et al July 28-August

2009/6/221 BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure- Independent Botnet Detection Reporter : Fong-Ruei, Li Machine.

Botnets Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from.

1 Botnets Group 28: Sean Caulfield and Fredrick Young ECE 4112 Internetwork Security Prof. Henry Owen.

Presented by : Matthew Sulkosky COSC 316 (Host Security) BOTNETS A.K.A ZOMBIE COMPUTING.

Published: USENIX HotBots, 2007 Presented: Wei-Cheng Xiao 2016/10/11.

Botnets A collection of compromised machines

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Instructor Materials Chapter 7 Network Security

Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Dawn Song: CS161: computer security Richard Wang – SophosLabs: The Development.

Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Dawn Song: CS161: computer security Richard Wang – SophosLabs: The Development.

Botnets A collection of compromised machines

CS4622 Team 4 Worms, DoS, and Smurf Attacks

Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Dawn Song: CS161: computer security Richard Wang – SophosLabs: The Development.

Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Dawn Song: CS161: computer security Richard Wang – SophosLabs: The Development.

Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.

Acknowledgement This lecture uses some contents from the lecture notes from: Dr. Dawn Song: CS161: computer security Richard Wang – SophosLabs: The Development.

Presentation transcript:

Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Based on article by: Jaideep Chandrashekar, Steve Orrin, Carl Livadas, Eve M. Schooler Available at: This presentation by: Adrian Crenshaw

Background A little information to get you up to speed on botnets

So, what is a Botnet? A collection of compromised computers that can be sent orders Individual hosts in a Botnet are know as bots or zombies The administrator of the Botnet is often known as a “Bot Herder” A few examples of Botnets include: Storm Kraken Conficker

Botnet life cycle (As outlined by the article) Spread Phase –SE Spam, Web drive bys, Network worm functionality, etc. Infection Phase –Polymorphism –Rootkitting Trojan binaries Library hooking Command and Control Phase Attack Phase

How do hosts become part of a Botnet? Drive by malware installs via web browsers Automated or targeted network vulnerability attacks End users socially engineered to install them via phishing attacks, or confusing browser messages Other vectors…

Botnet Source Code Families Lots of source code is out there: –Agobot –Rxbot –SDBot –Spybot –Others… Search for BotNet.Source.Codes.rar

How are Botnets controlled? Decentralized Command and Control Channels (C&C) Decentralization is important to make C&C harder to shutdown By using Command and Control Channels, “bot herders” can change what their Botnet is tasked to do, and update the Botnet’s nodes

Illustration of C&C Image Source: Intel Technology Journal; Jun2009, Vol. 13 Issue 2, p

Illustration of C&C: Another take bot Herder IRC Server bot IRC Server

Illustration of C&C: Yet another take bot Herder Middle Layer bot

Illustration of C&C: Blind drop bot Herder Middle Layer bot Could be a web site, forum posting, image, etc

Economics of Bot Herding So, why would some one want a Botnet? –Distributed Denial Of Service (DDoS) Personal vendettas Protection money –Spam (both and web posts) –Adware –Click Fraud –Harvested identities (Sniffers, Key Loggers, Etc.) They can also be rented out for tasks BBC show Click rents a Botnet:

Problems with detecting/removing a Bot installation Main points from the article: Polymorphism Rootkitting Only periodic communications back to controller Others: Retaliation Denial of Service Distributed Fast Flux Encrypted channels

Article’s proposal: Canary Detector Made with three main strategies (paraphrased): 1.Establish a baseline for the network. 2.Use end-host detection algorithm to determine botnet C&C channel, based on destinations that are regularly contacted. 3.Aggregate information across nodes on the network to find commonality.

Canary Detector: Atoms Uses the tuple: –destIP/dstService = Host being contacted –destPort = Port number –proto = UDP or TCP Examples: –(google.com, 80, tcp) –( , 53, udp) –(ftp.nai.com, 21:>1024, tcp) –(mail.cisco.com,135:>1024,tcp)

Canary Detector: Persistence Look for “temporal heavy hitters” –Not so concerned about amount of traffic –Concerned about regularity Starting with a small tracking window (w) time, track if an Atom was contacted or not Set an observational time window (W), for example W=10w in duration The authors also use multiple time scales 1 through 5

Canary Detector: Commonality How common is a destination Atom amongst network nodes? The more common the Atom, the more important it is

Canary Detector: Whitelists Ignore “safe” Atoms to easy computation 1.Observe traffic during training period to see common, regularly contacted Atoms (Windows update servers might be an example) 2.Set nodes to ignore, adjust as needed. 3.Whitelists are established at both the host and network level.

Canary Detector: Alarm Types p-alarms (persistence): When a destination Atom not contained in the host’s whitelist becomes persistent. More for local use, whitelist or flag. c-alarms (commonality): When a destination atom is observed at a large number of end-hosts in the same window and is identified as common. More for network use, whitelist or flag.

Using the information Article defines thresholds for persistence and commonality (p* and c*) for when to take note Suspicious alarms can be acted upon –Nullrouting –Investigation –Cleanup

Tested against real bots SDBot: Controlled over IRC, but easy to spot because of connecting to irc.undernet.org. Scans ports scans on ports 135, 139, 445, 2097 looking to spread. Zapchast: Five IRC service atoms (about 13 distinct IPs). Mostly NetBIOs attack traffic. Storm: P2P based. The traces were two orders of magnitude larger than the other botnets tested.

Graph of botnet Atom persistence SDBot (Triange) Zapchast (Dimonds) Storm (Blue Dots) –Note that they only graphed 100 atoms Image Source: THE DARK CLOUD: UNDERSTANDING AND DEFENDING AGAINST BOTNETS AND STEALTHY MALWARE Intel Technology Journal, Jun2009, Vol. 13 Issue 2, p , 18p, 3 charts, 3 diagrams Diagram; found on p144

Links for more research The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Shadow Server SANs Internet Storm Center Honeynet Project LAN of the Dead

Conclusions/Questions How difficult is it to choose good thresholds for persistence/commonality? What if Botnets varied their call back times? System overhead? Whitelisting of services that have become blind drops? Audience questions?