Presentation is loading. Please wait.

Presentation is loading. Please wait.

Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon."— Presentation transcript:

1 Borrowed from Brent ByungHoon Kang, GMU

2 A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon Kang, GMU

3  Networks of compromised machines under the control of hacker, “bot-master”  Used for a variety of malicious purposes: Sending Spam/Phishing Emails Launching Denial of Service attacks Hosting Servers (e.g., Malware download site) Proxying Services (e.g., FastFlux network) Information Harvesting (credit card, bank credentials, passwords, sensitive data.) Borrowed from Brent ByungHoon Kang, GMU

4 After resolving the IP address for the IRC server, bot-infected machines CONNECT to the server, JOIN a channel, then wait for commands. Borrowed from Brent ByungHoon Kang, GMU

5 The botmaster sends a command to the channel. This will tell the bots to perform an action. Borrowed from Brent ByungHoon Kang, GMU

6 The IRC server sends (broadcasts) the message to bots listening on the channel. Borrowed from Brent ByungHoon Kang, GMU

7 The bots perform the command. In this example: attacking / scanning CNN.COM. Borrowed from Brent ByungHoon Kang, GMU

8  Unfortunately, the detection, analysis and mitigation of botnets has proven to be quite challenging  Supported by a thriving underground economy ◦ Professional quality sophistication in creating malware codes ◦ Highly adaptive to existing mitigation efforts such as taking down of central control server. 8 Borrowed from Brent ByungHoon Kang, GMU

9  Traditional botnet communication ◦ Central IRC server for Command & Control (C&C) ◦ Single point of mitigation:  C&C Server can be taken down or blacklisted  Botnets with peer to peer C&C ◦ No single point of failure. ◦ E.g., Waldedac, Storm, and Nugache  Multi-layered Architecture to obfuscate and hide control servers in upper tiers. Borrowed from Brent ByungHoon Kang, GMU

10  Botmaster publishes commands under the key.  Bots are searching for this key periodically  Bots download the commands =>Asynchronous C&C Borrowed from Brent ByungHoon Kang, GMU

11  Each Supernode (server) publishes its location (IP address) under the key 1 and key 2  Subcontrollers search for key 1  Subnodes (workers) search for key 2 to open connection to the Supernodes => Synchronous C&C  Borrowed from Brent ByungHoon Kang, GMU

12  Virus Scanner at Local Host ◦ Polymorphic binaries against signature scanning ◦ Not installed even though it is almost free ◦ Rootkit  Network Intrusion Detection Systems ◦ Keeping states for network flows ◦ Deep packet inspection is expensive ◦ Deployed at LAN, and not scalable to ISP-level ◦ Requires Well-Trained Net-Security SysAdmin Borrowed from Brent ByungHoon Kang, GMU

13 13 Conficker infections are still increasing after one year!!! There are millions of computers on the Internet that do not have virus scanner nor IDS There are millions of computers on the Internet that do not have virus scanner nor IDS Borrowed from Brent ByungHoon Kang, GMU

14  Used for spam blocking, firewall configuration, DNS rewriting, and alerting sys-admins regarding local infections.  Fundamentally differs from existing Intrusion Detection System (IDS) approaches ◦ IDS protects local hosts within its perimeter (LAN) ◦ An enumerator would identify both local as well as remote infections  Identifying remote infections is crucial ◦ There are numerous computers on the Internet that are not under the protection of IDS-based systems. 14 Borrowed from Brent ByungHoon Kang, GMU

15  Need to know the method and protocols for how a bot communicates with its peers  Using sand-box technique ◦ Run bot binary in a controlled environment ◦ Network behaviors are captured/analyzed  Investigating the binary code itself ◦ Reversing the binary into high level codes ◦ C&C Protocol knowledge and operation details can be accurately obtained Borrowed from Brent ByungHoon Kang, GMU

16  Given network protocol knowledge, crawlers: 1.collect list of initial bootstrap peers into queue 2.choose a peer node from the queue 3.send to the node look-up or get-peer requests 4.add newly discovered peers to the queue 5.repeat 2-5 until no more peer to be contacted  Can’t enumerate a node behind NAT/Firewall  Would miss bot-infected hosts at home/office! Borrowed from Brent ByungHoon Kang, GMU

17  Given P2P protocol knowledge that bot uses  A collection of “routing-only” nodes that ◦ Act as peer in the P2P network, but ◦ Controlled by us, the defender  PPM nodes can observe the traffic from the peer infected hosts  PPM node can be contacted by the infected hosts behind NAT/Firewall Borrowed from Brent ByungHoon Kang, GMU

18 Crawler PPM Borrowed from Brent ByungHoon Kang, GMU

19 Borrowed from Brent ByungHoon Kang, GMU

20  DHCP  NATs  Non-uniform bot distribution  Churn  Most estimates put size of largest botnets at tens of millions of bots ◦ Actual size may be much smaller if we account for all of the above

21  Botnets use a lot of newly-created domains for phishing and malware delivery  Fast flux: changing name-to-IP mapping very quickly, using various IPs to thwart defense attempts to bring down botnet  Single-flux: changing name-to-IP mapping for individual machines, e.g., a Web server  Double-flux: changing name-to-IP mapping for DNS nameserver too  Proxies on compromised nodes fetch content from backend servers

22  Advantages for the attacker: ◦ Simplicity: only one back end server is needed to deliver content ◦ Layers of protection through disposable proxy nodes ◦ Very resilient to attempts for takedown

23  Look for domain names where mapping to IP changes often ◦ May be due to load balancing ◦ May have other (non-botnet) cause, e.g., adult content delivery ◦ Easy to fabricate domain names  Look for DNS records with short-lived domain names, with lots of A records, lots of NS records and diverse IP addresses (wrt AS and network access type)  Look for proxy nodes by poking them

24  They have been known to fight back ◦ DDoS IPs that poke them (even if low workers are scanned)  They have been known to fabricate data for honeynets ◦ Honeynet is a network of computers that sits in otherwise unused (dark) address space and is meant to be compromised by attackers

Download ppt "Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon."

Similar presentations

1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.

1 Computer Networks: A Systems Approach, 5e Larry L. Peterson and Bruce S. Davie Chapter 8 Network Security Copyright © 2010, Elsevier Inc. All rights.
Worms 1. Viruses don’t break into your computer – they are invited by you – They cannot spread unless you run infected application or click on infected.

Worms 1. Viruses don’t break into your computer – they are invited by you – They cannot spread unless you run infected application or click on infected.
Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.

Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.
Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.

Network Security aka CyberSecurity Monitor and manage security risks at the network level for the entire Johns Hopkins Network.
Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.

Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.
Firewall Configuration Strategies

Firewall Configuration Strategies
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
Worms 1. Viruses don’t break into your computer – they are invited by you – They cannot spread unless you run infected application or click on infected.

Worms 1. Viruses don’t break into your computer – they are invited by you – They cannot spread unless you run infected application or click on infected.
Internet safety Viruses A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your.

Internet safety Viruses A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your.

Similar presentations

Ads by Google