Offense: Brute Force A Multifaceted Approach to Understanding the Botnet Phenomenon (Rajab/Zarfoss/Monrose/Terzis)

Presentation transcript:

1 Offense: Brute Force A Multifaceted Approach to Understanding the Botnet Phenomenon (Rajab/Zarfoss/Monrose/Terzis)

2 Enough Data?
Research paper states:
- 800,000 DNS domains examined
- 85,000 servers botnet-infected
- 65 IRC server domain names
Is the above data statistically significant?
- 450,000,000 hosts via DNS (isc.org)
- Over 150,000,000 domain names exist
- 47,700,000 .com domains (1% probed)

3 Realtime Tracking Source: Shadowserver.org

4 Longitudinal Tracking
Research paper states:
- 65 IRC server domain names
- 85,000 servers infected by bots
- Type-II botnets only
Shadowserver.org tracking (2+ years):
- 1800 active botnets daily
- 3,000,000 active bots daily
- Updates every 15 minutes

5 Where's the 40%?
- Research paper exclusively WinTel
  - Easier to obtain bot binaries?
- Most internet servers are Linux-based
  - Hard to ignore the majority
- Worm or Trojan backdoors exploited
  - Defenses are already weakened

6 Botnet size
- Footprint vs. effective size
- The paper complains that the footprint is much larger than the effective size.
- So? Bots are trying to stay off DNSBL (black lists) and be more stealthy.
- Sections of footprint may be rented out
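To make the footprint/effective-size distinction concrete, here is an added example (not part of the slides or the paper) that computes both measures from a constructed list of IRC channel join/part events. It also counts the footprint by source IP rather than by bot identity, to show how address churn (a bot leaving and rejoining from a new address) inflates the footprint while the number of bots actually online at any moment stays small. The event list, bot ids and addresses are all invented for the example.

```python
from datetime import datetime

# Constructed join/part events for a hypothetical IRC C&C channel (not a real
# capture): (timestamp, event, bot_id, source_ip). bot-a parts and rejoins
# from a different address, which is what DHCP churn looks like on the wire.
EVENTS = [
    ("2006-01-01 00:00", "JOIN", "bot-a", "198.51.100.10"),
    ("2006-01-01 00:05", "JOIN", "bot-b", "198.51.100.20"),
    ("2006-01-01 00:10", "PART", "bot-a", "198.51.100.10"),
    ("2006-01-01 00:12", "JOIN", "bot-c", "198.51.100.30"),
    ("2006-01-01 00:20", "JOIN", "bot-d", "198.51.100.40"),
    ("2006-01-01 00:25", "PART", "bot-b", "198.51.100.20"),
    ("2006-01-01 00:30", "PART", "bot-c", "198.51.100.30"),
    ("2006-01-01 00:40", "JOIN", "bot-a", "198.51.100.11"),  # rejoin, new IP
    ("2006-01-01 00:50", "PART", "bot-d", "198.51.100.40"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def footprint_by_id(events):
    """Footprint: number of distinct bot identities that ever joined."""
    return len({bot for _, ev, bot, _ip in events if ev == "JOIN"})


def footprint_by_ip(events):
    """Footprint counted by source address; churn makes this overstate it."""
    return len({ip for _, ev, _bot, ip in events if ev == "JOIN"})


def effective_size(events):
    """Effective size: peak number of bots online at the same moment."""
    online, peak = set(), 0
    for _, ev, bot, _ip in sorted(events, key=lambda e: _ts(e[0])):
        if ev == "JOIN":
            online.add(bot)
        elif ev == "PART":
            online.discard(bot)
        peak = max(peak, len(online))
    return peak


def size_report(events):
    """Summarise both measures and their ratio for one channel."""
    fp_id = footprint_by_id(events)
    fp_ip = footprint_by_ip(events)
    eff = effective_size(events)
    return {
        "footprint_ids": fp_id,
        "footprint_ips": fp_ip,
        "effective": eff,
        "footprint_to_effective": round(fp_id / eff, 2),
    }


if __name__ == "__main__":
    print(size_report(EVENTS))
```

On this input four distinct bots ever join (five if counted by IP), but never more than three are online at once, so the footprint-to-effective ratio is 1.33 even before any deliberate stealth by the bots. The same two functions applied to a real channel log give the comparison the slide is arguing about.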

7 Botmaster concerns Source: swatit.org

8 C&C Stealth
- Botmasters want to remain hidden
- IRC-based isn't the only way
  - Peer-to-peer systems hide IP source addr
  - Virtualization of C&C
  - Dynamic web servers
- Network creation/reconfiguration
  - Come and go quickly
  - Difficult to trace
- Works for honeypots, why not botnets?

9 Bot Clones

10 Bot Planning

11 Gray-box testing
- Only binary bot behavior studied
- Results limited by mimicking IRC state
- Research emphasized automation over thoroughness
- Source code or disassembly reveals more
- Behavior may be different in honeynet

12 Agobot C&C

Command: Description
bot.about: Displays information (e.g., version) about the bot code
bot.die: Terminates the bot
bot.dns: Resolves IP/hostname via DNS
bot.execute: Makes the bot execute a specific .exe
bot.id: Displays the ID of the current bot code
bot.nick: Changes the nickname of the bot
bot.open: Opens a specified file
bot.remove: Removes the bot from the host
bot.removeallbut: Removes the bot if ID does not match
bot.rndnick: Makes the bot generate a new random nickname
bot.status: Echo bot status information
bot.sysinfo: Echo the bot's system information
bot.longuptime: If uptime > 7 days then bot will respond
bot.highspeed: If speed > 5000 then bot will respond
bot.quit: Quits the bot
bot.flushdns: Flushes the bot's DNS cache
bot.secure: Delete specified shares and disable DCOM
bot.unsecure: Enable specified shares and enable DCOM
bot.command: Executes a specified command with system()

Variable: Description
bot ftrans port: Set bot - file transfer port
bot ftrans port ftp: Set bot - file transfer port for FTP
si chanpass: IRC server information - channel password
si mainchan: IRC server information - main channel
si nickprefix: IRC server information - nickname prefix
si port: IRC server information - server port
si server: IRC server information - server address
si servpass: IRC server information - server password
si usessl: IRC server information - use SSL?
si nick: IRC server information - nickname
bot version: Bot - version
bot filename: Bot - runtime filename
bot id: Bot - current ID
bot prefix: Bot - command prefix
bot timeo: Bot - timeout for receiving (in milliseconds)
bot seclogin: Bot - enable login only by channel messages
bot compnick: Bot - use the computer name as a nickname
bot randnick: Bot - random nicknames of letters and numbers
bot meltserver: Bot - melt the original server file
bot topiccmd: Bot - execute topic commands
do speedtest: Bot - do speed test on startup
do avkill: Bot - enable anti-virus kill
do stealth: Bot - enable stealth operation
as valname: Autostart - value name
as enabled: Autostart - enabled
as service: Autostart - start as service
as service name: Autostart - short service name
scan maxthreads: Scanner - maximum number of threads
scan maxsockets: Scanner - maximum number of sockets
ddos maxthreads: DDoS - maximum number of threads
redir maxthreads: Redirect - maximum number of threads
identd enabled: IdentD - enable the server
cdkey windows: Return Windows product keys on cdkey.get
scaninfo chan: Scanner - output channel
scaninfo level: Info level 1 (less) - 3 (more)
spam aol channel: AOL spam - channel name
spam aol enabled: AOL spam - enabled?
sniffer enabled: Sniffer - enabled?
sniffer channel: Sniffer - output channel
vuln channel: Vulnerability daemon sniffer channel
inst polymorph: Installer - polymorphic on install?
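The command table above is also a detection resource: the command names are fixed tokens that appear in channel traffic, so a network monitor can flag them in IRC PRIVMSG lines. The following is an added example (not code from the slides, the paper or Agobot itself) that parses RFC 1459-style PRIVMSG lines, strips the optional one-character command prefix that Agobot's "bot prefix" variable configures, and reports any message whose first word is one of the listed commands. The log lines, nicknames, channel and addresses are constructed for the example.

```python
import re

# Agobot command names taken from the C&C table above.
AGOBOT_COMMANDS = {
    "bot.about", "bot.die", "bot.dns", "bot.execute", "bot.id", "bot.nick",
    "bot.open", "bot.remove", "bot.removeallbut", "bot.rndnick", "bot.status",
    "bot.sysinfo", "bot.longuptime", "bot.highspeed", "bot.quit",
    "bot.flushdns", "bot.secure", "bot.unsecure", "bot.command",
}

# IRC PRIVMSG line in the RFC 1459 shape ":nick!user@host PRIVMSG target :text".
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


def extract_command(text):
    """Return the Agobot command a message starts with, or None.

    The 'bot prefix' variable lets the botmaster put a one-character prefix
    (commonly '.') in front of commands, so a leading non-alphanumeric
    character is stripped before the token is compared against the table.
    """
    token = text.strip().split(" ", 1)[0]
    if token and not token[0].isalnum():
        token = token[1:]
    token = token.lower()
    return token if token in AGOBOT_COMMANDS else None


def scan_irc_log(lines):
    """Yield (nick, target, command) for every PRIVMSG carrying a known command."""
    hits = []
    for line in lines:
        m = PRIVMSG_RE.match(line)
        if not m:
            continue  # PING, JOIN, numerics etc. carry no channel text
        cmd = extract_command(m.group("text"))
        if cmd:
            hits.append((m.group("nick"), m.group("target"), cmd))
    return hits


# Constructed sample traffic (not a real capture): three commands with the
# '.' prefix in a control channel, one ordinary chat line and one PING.
SAMPLE_LOG = [
    ":master!op@198.51.100.5 PRIVMSG #ctrl :.bot.sysinfo",
    ":alice!a@198.51.100.7 PRIVMSG #chat :botany is fun",
    "PING :irc.example.invalid",
    ":master!op@198.51.100.5 PRIVMSG #ctrl :.bot.dns www.example.com",
    ":master!op@198.51.100.5 PRIVMSG #ctrl :.BOT.DIE",
]


if __name__ == "__main__":
    for nick, target, cmd in scan_irc_log(SAMPLE_LOG):
        print(f"ALERT {target}: {nick} issued {cmd}")
```

The chat line beginning "botany" is not flagged because only the first whole token is compared, and the match is case-insensitive so a shouted command is still caught. In practice the token set would be extended with the command vocabularies of other bot families, and the alert would be joined with the DNS and flow data the paper collects.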

13 Botnet evolution
- Polymorphic bot code
- Gmail as control protocol
- SSL usage
  - Invisible to network inspection
- XML/RSS messages
- Exploit IPv6 flaws

14

