Botnets: Infrastructure and Attacks. Slides courtesy of Nick Feamster, as taught at Georgia Tech / CS6262.


Botnets
– Bots: autonomous programs performing tasks
  – Plenty of “benign” bots, e.g., WeatherBug
– Botnets: group of bots
  – Typically carries malicious connotation
  – Large numbers of infected machines
  – Machines “enlisted” with infection vectors like worms (last lecture)
  – Available for simultaneous control by a master
  – Size: up to 350,000 nodes (from today’s paper)

Botnet History: How we got here
– Early 1990s: IRC bots
  – eggdrop: automated management of IRC channels
– : DDoS tools
  – Trinoo, TFN2k, Stacheldraht
– : Trojans
  – BackOrifice, BackOrifice2k, SubSeven
– : Worms
  – Code Red, Blaster, Sasser
– Put these pieces together and add a controller…
– Fast-spreading capabilities pose a big threat

Putting it together
1. Miscreant (botherd) launches a worm, virus, or other mechanism to infect Windows machines.
2. Infected machines contact the botnet controller via IRC.
3. Spammer (sponsor) pays the miscreant for use of the botnet.
4. Spammer uses the botnet to send spam emails.

Botnet Detection and Tracking
– Network Intrusion Detection Systems (e.g., Snort)
  – Signature: alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful"; flow:established; content:"221
– Honeynets: gather information
  – Run unpatched version of Windows
  – Usually infected within 10 minutes
  – Capture binary: determine scanning patterns, etc.
  – Capture network traffic: locate identity of command and control, other bots, etc.

“Rallying” the Botnet
– Easy to combine worm and backdoor functionality
– Problem: how does the botherd learn about successfully infected machines?
– Options
  – Email
  – Hard-coded address

Botnet Application: Phishing
– Social-engineering schemes
  – Spoofed emails direct users to counterfeit web sites
  – Trick recipients into divulging financial, personal data
– Anti-Phishing Working Group Report (Oct. 2005)
  – 15,820 phishing messages
  – 4,367 unique phishing sites identified
  – 96 brand names were hijacked
  – Average time a site stayed on-line was 5.5 days
“Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials.” -- Anti-spam working group
Question: What does phishing have to do with botnets?

Which web sites are being phished?
– Financial services by far the most targeted sites
– Source: Anti-phishing working group report, Dec
– New trend: keystroke logging…

Phishing: Detection and Research
– Idea: phishing generates a sudden uptick of password re-use at a brand-new IP address
– Distribution of password harvesting across bots can help
(Diagram labels: etrade.com, Rogue Phisher, H(pwd))
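The detection idea on this slide, written out as an added example (not code from the lecture or from Feamster's group). It assumes a hypothetical login-monitoring vantage point, such as an enterprise web proxy, that records for every login form submission the destination IP and a keyed hash of the submitted password, written H(pwd) as on the slide; the plaintext password is never stored. The sample events, IP addresses (TEST-NET ranges), key, window and threshold are all constructed for the demo.

```python
"""Phishing detection from password re-use at a brand-new destination.

Hypothetical detector: fingerprints that were only ever submitted to a
known site (the real bank) suddenly start arriving at an IP nobody has
contacted before.  That IP is a phishing-site candidate.
"""
from __future__ import annotations

import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

# Constructed per-deployment key; a real deployment would fetch it from a KMS.
FP_KEY = b"constructed-demo-key"


def fingerprint(password: str) -> str:
    """H(pwd): keyed hash, so stored fingerprints cannot be brute-forced
    offline without the key.  Same password -> same fingerprint, which is
    what lets us correlate submissions across destinations."""
    return hmac.new(FP_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass(frozen=True)
class LoginEvent:
    ts: int        # seconds since epoch (constructed)
    dst_ip: str    # IP the credential was posted to
    cred_fp: str   # H(pwd)


def detect_reuse_at_new_destinations(events, baseline_until, window, threshold):
    """Return {new_dst_ip: details} for destinations first seen after the
    baseline that received >= `threshold` distinct fingerprints previously
    submitted to a baseline destination, all within `window` seconds."""
    events = sorted(events, key=lambda e: e.ts)

    # Phase 1: learn the established destinations and which fingerprints
    # were submitted to them.
    known_dst: set[str] = set()
    fp_origin: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e.ts <= baseline_until:
            known_dst.add(e.dst_ip)
            fp_origin[e.cred_fp].add(e.dst_ip)

    # Phase 2: watch brand-new destinations for re-used fingerprints.
    recent: dict[str, list[tuple[int, str]]] = defaultdict(list)
    alerts: dict[str, dict] = {}
    for e in events:
        if e.ts <= baseline_until or e.dst_ip in known_dst:
            continue
        if e.cred_fp not in fp_origin:
            continue  # never seen at a known site: a new account, not re-use
        hits = recent[e.dst_ip]
        hits.append((e.ts, e.cred_fp))
        hits[:] = [(t, f) for t, f in hits if e.ts - t <= window]  # slide the window
        distinct = {f for _, f in hits}
        if len(distinct) >= threshold:
            alerts[e.dst_ip] = {
                "reused_fingerprints": sorted(distinct),
                "origin_sites": sorted(set().union(*(fp_origin[f] for f in distinct))),
                "last_seen": e.ts,
            }
    return alerts


def constructed_events() -> list[LoginEvent]:
    """Constructed sample: customers log in to the real site during the
    baseline; afterwards four of the same passwords are posted to an IP no
    one has contacted before (the phishing page), while a genuinely new site
    only sees a password it has never seen elsewhere."""
    real_site, phish_site, other_new = "198.51.100.10", "203.0.113.77", "203.0.113.5"
    events = []
    for i in range(20):                                   # baseline traffic to the real site
        events.append(LoginEvent(100 + i * 30, real_site, fingerprint(f"user{i}-pass")))
    events.append(LoginEvent(1200, real_site, fingerprint("user3-pass")))  # normal re-login
    for i, ts in zip((1, 2, 3, 4), (1300, 1310, 1325, 1340)):            # harvested credentials
        events.append(LoginEvent(ts, phish_site, fingerprint(f"user{i}-pass")))
    events.append(LoginEvent(1350, other_new, fingerprint("brand-new-account")))
    return events


def run_demo() -> dict[str, dict]:
    return detect_reuse_at_new_destinations(
        constructed_events(), baseline_until=1000, window=120, threshold=3)


if __name__ == "__main__":
    for ip, info in run_demo().items():
        print(f"ALERT {ip}: {len(info['reused_fingerprints'])} re-used credentials, "
              f"originally seen at {info['origin_sites']}")
```

The "distribution across bots" point on the slide is why the detector keys on re-use rather than on volume: a phishing kit hosted across many bots gives each new IP only a handful of submissions, but every one of them is a credential the monitoring point has already seen at the legitimate site.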

Botnet Application: Click Fraud
– Pay-per-click advertising
  – Publishers display links from advertisers
  – Advertising networks act as middlemen (sometimes the same as publishers, e.g., Google)
– Click fraud: botnets used to click on pay-per-click ads
– Motivation
  – Competition between advertisers
  – Revenue generation by bogus content providers

Open Research Questions
– Botnet membership detection
  – Existing techniques
    – Require special privileges
    – Disable the botnet operation
  – Under various datasets (packet traces, various numbers of vantage points, etc.)
– Click fraud detection
– Phishing detection

Detection: In-Protocol
– Snooping on IRC servers (e.g., CipherTrust ZombieMeter)
  – > 170k new zombies per day
  – 15% from China
– Managed network sensing and anti-virus detection
  – Sinkholes detect scans, infected machines, etc.
– Drawback: cannot detect botnet structure

Using DNS Traffic to Find Controllers
– Different types of queries may reveal info
  – Repetitive A queries may indicate bot/controller
  – MX queries may indicate spam bot
  – PTR queries may indicate a server
– Usually 3 levels: hostname.subdomain.TLD
– Names and subdomains that just look rogue (e.g., irc.big-bot.de)
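The three query-type hints on this slide, turned into a triage pass over a DNS query log, as an added example (not code from the lecture). The log format "ts client qtype qname", the rogue-label list, the thresholds and all sample clients and names are constructed assumptions; the heuristic generalizes the slide by also flagging PTR-heavy clients and rogue-looking labels in any position of the name.

```python
"""Heuristic triage of DNS query logs for bot and controller candidates.

Encodes the slide's hints: repetitive A queries (a bot polling its
controller), bursts of MX queries (a spam bot resolving mail servers),
PTR-heavy clients (a server doing reverse lookups), and names that
"just look rogue".
"""
from __future__ import annotations

from collections import Counter, defaultdict

# Assumption: labels that look rogue in a hostname.subdomain.TLD name.
ROGUE_LABELS = {"irc", "botnet", "c2"}


def parse(line: str):
    """Parse one constructed log line 'ts client qtype qname'; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return int(ts), client, qtype.upper(), qname.rstrip(".").lower()


def looks_rogue(qname: str) -> bool:
    """True when any label is in ROGUE_LABELS or contains 'bot' (e.g. irc.big-bot.de)."""
    return any(lab in ROGUE_LABELS or "bot" in lab for lab in qname.split("."))


def triage(lines, repeat_threshold=5, mx_threshold=10, ptr_threshold=5):
    """Return {client: {"flags": [...], "controller_candidates": [...]}}."""
    a_counts = defaultdict(Counter)   # client -> Counter of A-query names
    mx_names = defaultdict(set)       # client -> distinct MX-query names
    ptr_counts = Counter()            # client -> number of PTR queries
    rogue = defaultdict(set)          # client -> rogue-looking names queried
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        _, client, qtype, qname = rec
        if qtype == "A":
            a_counts[client][qname] += 1
        elif qtype == "MX":
            mx_names[client].add(qname)
        elif qtype == "PTR":
            ptr_counts[client] += 1
        if looks_rogue(qname):
            rogue[client].add(qname)

    findings = {}
    for c in sorted(set(a_counts) | set(mx_names) | set(ptr_counts)):
        flags = set()
        polled = {n for n, k in a_counts[c].items() if k >= repeat_threshold}
        if polled:
            flags.add("repetitive-A")          # same name resolved again and again
        if len(mx_names[c]) >= mx_threshold:
            flags.add("mx-burst")              # many MX lookups: spam-bot behaviour
        if ptr_counts[c] >= ptr_threshold:
            flags.add("ptr-heavy")             # reverse lookups: server-like
        if rogue[c]:
            flags.add("rogue-name")
        findings[c] = {"flags": sorted(flags),
                       "controller_candidates": sorted(polled | rogue[c])}
    return findings


def constructed_log() -> list[str]:
    """Constructed sample: 10.0.0.5 polls one rogue name every minute,
    10.0.0.9 resolves MX records for many domains, 10.0.0.2 reverse-resolves
    many peers (a mail server), 10.0.0.20 is an ordinary workstation."""
    lines = [f"{1700000000 + 60 * i} 10.0.0.5 A irc.big-bot.de" for i in range(6)]
    lines += [f"{1700000003 + i} 10.0.0.9 MX mail-target{i}.example" for i in range(12)]
    lines += [f"{1700000010 + 5 * i} 10.0.0.2 PTR {i}.113.0.203.in-addr.arpa" for i in range(8)]
    lines += ["1700000020 10.0.0.20 A www.example.com",
              "1700000300 10.0.0.20 A www.example.com",
              "1700000400 10.0.0.20 MX example.com",
              "1700000500 10.0.0.20 A cdn.example.net"]
    return lines


def run_demo():
    return triage(constructed_log())


if __name__ == "__main__":
    for client, f in run_demo().items():
        print(client, f["flags"], f["controller_candidates"])
```

Each flag is only a hint, as the slide says: a legitimate mail server is PTR-heavy and MX-heavy, and a monitoring agent polls one A record repeatedly, so the output is a prioritised list for an analyst rather than a verdict.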

DNS Monitoring
– Command-and-control hijack
  – Advantages: accurate estimation of bot population
  – Disadvantages: bot is rendered useless; can’t monitor activity from command and control
– Complete TCP three-way handshakes
  – Can distinguish distinct infections
  – Can distinguish infected bots from port scans, etc.
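The handshake point on this slide (and the sinkhole bullet two slides earlier), as an added example that is not code from the lecture: once a C&C name has been hijacked to a sinkhole, the sinkhole answers every SYN, so only clients that finish the three-way handshake were really trying to talk to the controller. The packet tuple format, the sinkhole address (TEST-NET), the scan threshold and the sample traffic are constructed assumptions.

```python
"""Separating real infections from port scans at a sinkhole by tracking
TCP three-way handshakes.

Assumes a packet feed reduced to (ts, src, sport, dst, dport, tcp_flags)
tuples, e.g. from a capture on the sinkhole.  A completed
SYN / SYN-ACK / ACK exchange is evidence that the client wanted to talk
(a bot rallying to a hijacked C&C); SYNs that never complete are scans
or spoofed noise.
"""
from __future__ import annotations

from collections import defaultdict

SYN, ACK = 0x02, 0x10
SINKHOLE = "198.51.100.1"   # constructed sinkhole address


def track_handshakes(packets):
    """Return {(src, sport, dst, dport): state}, state in {SYN, SYNACK, EST}."""
    state = {}
    for _, src, sport, dst, dport, flags in packets:
        fwd = (src, sport, dst, dport)    # client -> server flow key
        rev = (dst, dport, src, sport)    # same flow, seen from the server side
        if flags & SYN and not flags & ACK:
            state.setdefault(fwd, "SYN")          # retransmitted SYNs do not reset state
        elif flags & SYN and flags & ACK:
            if state.get(rev) == "SYN":
                state[rev] = "SYNACK"             # server answered
        elif flags & ACK:
            if state.get(fwd) == "SYNACK":
                state[fwd] = "EST"                # client completed the handshake
    return state


def classify_sources(state, scan_ports=10):
    """Per source: any completed handshake -> infected-host; many half-open
    flows to distinct ports -> port-scan; otherwise inconclusive."""
    per_src = defaultdict(lambda: {"established": 0, "syn_only": 0, "ports": set()})
    for (src, _, _, dport), st in state.items():
        s = per_src[src]
        s["ports"].add(dport)
        if st == "EST":
            s["established"] += 1
        else:
            s["syn_only"] += 1
    verdicts = {}
    for src, s in per_src.items():
        if s["established"]:
            verdicts[src] = "infected-host"
        elif len(s["ports"]) >= scan_ports:
            verdicts[src] = "port-scan"
        else:
            verdicts[src] = "inconclusive"
    return verdicts


def distinct_infections(verdicts) -> int:
    """Bot population estimate: one per source that completed a handshake."""
    return sum(1 for v in verdicts.values() if v == "infected-host")


def constructed_packets():
    """Constructed traffic: one bot with two full connections to the
    sinkholed IRC port, one scanner probing 12 ports without completing,
    and one host that sends a single SYN and goes quiet."""
    pk, t = [], 0
    for sport in (50001, 50002):
        pk += [(t, "192.0.2.10", sport, SINKHOLE, 6667, SYN),
               (t + 1, SINKHOLE, 6667, "192.0.2.10", sport, SYN | ACK),
               (t + 2, "192.0.2.10", sport, SINKHOLE, 6667, ACK)]
        t += 10
    for i, port in enumerate(range(20, 32)):
        pk += [(t + i, "192.0.2.200", 40000 + i, SINKHOLE, port, SYN),
               (t + i, SINKHOLE, port, "192.0.2.200", 40000 + i, SYN | ACK)]
    pk.append((t + 100, "192.0.2.33", 41000, SINKHOLE, 6667, SYN))
    return pk


def run_demo():
    return classify_sources(track_handshakes(constructed_packets()))


if __name__ == "__main__":
    v = run_demo()
    print(v, "distinct infections:", distinct_infections(v))
```

Counting sources rather than flows is what gives the "accurate estimation of bot population" the slide mentions: the bot above opens two connections but is one infection.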

New Trend: Social Engineering
– Bots frequently spread through AOL IM
  – A bot-infected computer is told to spread through AOL IM
  – It contacts all of the logged-in buddies and sends them a link to a malicious web site
  – People get a link from a friend, click on it, and say “sure, open it” when asked

Early Botnets: AgoBot (2003)
– Drops a copy of itself as svchost.exe or syschk.exe
– Propagates via Grokster, Kazaa, etc.
– Also via Windows file shares

Botnet Operation
– General
  – Assign a new random nickname to the bot
  – Cause the bot to display its status
  – Cause the bot to display system information
  – Cause the bot to quit IRC and terminate itself
  – Change the nickname of the bot
  – Completely remove the bot from the system
  – Display the bot version or ID
  – Display the information about the bot
  – Make the bot execute a .EXE file
– IRC Commands
  – Cause the bot to display network information
  – Disconnect the bot from IRC
  – Make the bot change IRC modes
  – Make the bot change the server Cvars
  – Make the bot join an IRC channel
  – Make the bot part an IRC channel
  – Make the bot quit from IRC
  – Make the bot reconnect to IRC
– Redirection
  – Redirect a TCP port to another host
  – Redirect GRE traffic, which results in proxying PPTP VPN connections
– DDoS Attacks
– Information theft
  – Steal CD keys of popular games
– Program termination

PhatBot (2004)
– Direct descendant of AgoBot
– More features
  – Harvesting of email addresses via the Web and the local machine
  – Steal AOL logins/passwords
  – Sniff network traffic for passwords
– Control vector is peer-to-peer (not IRC)

Peer-to-Peer Control
– Good (for the botmaster)
  – Distributed C&C
  – Possibly better anonymity
– Bad (for the botmaster)
  – More information about network structure directly available to the good guys (IDS)
  – Overhead
  – Typical P2P problems like partitioning, join/leave, etc.