
1 Botnets: Proactive System Defense
John C. A. Bambenek, University of Illinois – Urbana-Champaign, June 2006
www.iti.uiuc.edu

2 Introduction
Assumptions
Paradigm shifts in eCommerce
Growth and changes in malware
Future trends of botnets
Fundamental flaws in our current system
Remediation of the core vulnerabilities
Cost justification

3 Assumptions
Focus on financial transactions; DDoS is painful but small in damage possibilities, and it exposes the botnet once the DDoS begins.
Consumers don’t directly pay for fraud losses. Banks and merchants do.
Consumers, as a rule, aren’t qualified or motivated to sufficiently harden their own machines.
Corporations have other means of protection available to them; focus effort on consumers.

4 Paradigm Shifts in eCommerce
~1993 – Web browsers and Web servers invented
–(instant information access)
~1995 – eBay, Amazon begin era of eCommerce
–(money transactions over the internet)
~2003 – Spyware, Phishing, Identity theft
–(“Hackers” in it for money)
All had “reactive” responses to paradigm shifts, adapting current/old technologies to new needs.
We’ve not had a fundamental examination of how we do business online.
We are playing the information security game on the hackers’ terms, not ours.

5 Growth and Change in Malware Development
In the beginning there were viruses…
2003 saw the beginning of spyware, phishing, botnets, etc. as an outgrowth of spamming outfits, not hacking outfits. (“Spamford” Wallace fined $4m for spyware operations) [1]
Slow development in botnet technology (2 years to start to see real use of encryption).
Spyware, phishing and botnets are still growing despite the increase in money being spent to remediate the problem.

6 Growth in Phishing, Malware
(Chart: number of trojans intercepted by Kaspersky Labs.) [2]
About 10-15k new bot machines per day. Dropped to 5k after the SP2 release, for only a few months. [3]
Only 4-6 days until an exploit is released, yet 40-60 days for a patch. [4]
Money being involved means more players developing the malware and trying to deploy it.
Why do they keep growing? Because it keeps working. We haven’t eliminated the real problem.

7 Botnets and Theft
Zotob/Mytob/Rbot creators developed software to maintain control of computers for financial gain.
–Authors forwarded stolen credit card information to a credit card fraud ring.
Oct. 2005, botnet with 1.5 million hosts found and shut down. [5]
–Hackers were caught trying a DDoS extortion scheme; however, the software also has a keylogger. Financial information was likely also compromised.
Most botnet software includes keyloggers that will steal financial information and send it via either IRC or e-mail.

8 Future Trends of Botnets
Botnet operators want to remain online and in control of machines as long as possible.
–More encryption
–More mimicking of “normal” traffic
–Can still detect by looking for “bad IPs”
–Possible detection by outbound connection monitoring (PrivacyGuard, etc.)
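Added example, not part of the slides: a small outbound-connection monitor of the kind slide 8 describes, run over constructed log lines. It flags consumer hosts that connect to a “bad IP” list (assumed here to be a set of CIDR ranges) or that open outbound IRC sessions, the channel slide 7 says keyloggers use to send stolen data. The log format, the bad-IP ranges and the port list are assumptions for the example.

```python
# Added example: outbound-connection monitoring for botnet activity (slides 7/8).
import ipaddress
from collections import defaultdict

# Constructed list of known-bad ranges; a real deployment would load these from
# a reputation feed (assumption, not from the slides).
BAD_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Outbound IRC ports (plain and TLS) that a consumer PC rarely needs.
IRC_PORTS = {6667, 6697}

# Constructed firewall-style lines: "<time> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
12:00:01 192.168.1.10 -> 93.184.216.34:443
12:00:02 192.168.1.10 -> 203.0.113.55:80
12:00:03 192.168.1.22 -> 192.0.2.9:6667
12:00:04 192.168.1.22 -> 192.0.2.9:6667
12:00:05 192.168.1.30 -> 198.51.100.7:25
"""

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) from one constructed log line."""
    _ts, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src, ipaddress.ip_address(dst_ip), int(dst_port)

def is_bad_ip(addr):
    """True if the address (string or ip_address) falls in a known-bad range."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in BAD_NETS)

def find_suspects(log_text):
    """Map each source host to the sorted reasons its outbound traffic was flagged."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = parse_line(line)
        if is_bad_ip(dst):
            findings[src].add(f"bad-ip:{dst}")
        if port in IRC_PORTS:
            findings[src].add(f"irc:{dst}:{port}")
    return {host: sorted(reasons) for host, reasons in findings.items()}

if __name__ == "__main__":
    for host, reasons in find_suspects(SAMPLE_LOG).items():
        print(host, ", ".join(reasons))
```

Hosts that only reach ordinary HTTPS destinations (192.168.1.10’s first line) produce no finding; a match on either the bad-IP list or an IRC port is enough to surface the host for review.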

9 Future Botnet Evolution?
Future paradigm shift? Using allowable and ordinary communication to hide botnet control messages.
–Using gmail as a botnet control protocol
Known good IP space
XML makes it easy to develop bots to interact with it (i.e. read messages with RSS)
**Can use SSL**
Will be invisible to network inspection
Use for economic warfare?

10 Fundamental Flaws in our Current System
Financial information (i.e. CC numbers) is entered in the clear on untrustworthy machines.
Financial transactions generally only require one-factor authentication.
We have a weak and de facto national ID system; only a 9-digit number is needed to assume someone’s identity.
Anti-Virus/Spyware assumes all software is safe until proven otherwise. ~20% of malware is not detected. [6]
We must wait until exploitation to make signatures.

11 Remediation
Financial & identity information should be encrypted before it gets to the PC. (i.e. Smart Cards)
Anti-Virus/Spyware should go to a “deny all” default policy; develop a “trusted” software model. (i.e. “signed software”)
Develop free consensus-based hardening scripts for consumer PCs; let ISPs, banks, etc. distribute them.
Stronger automatic updating.
Develop ways to remotely validate that a machine is “safe” before allowing a transaction.

12 Remediation (2)
Should not exclude continuing other host-based and network-based detection schemes.
Needs to be convenient and “free” for the user.
Creates a defense-in-depth environment for PCs. Hackers will have a harder time undermining several layers of protection instead of having to undermine just one non-effective one.
It will be “expensive” to do all of these, but it’s worth the cost.

13 Cost Justification
Estimated $24 billion USD (.2% GDP) in assets already at risk from stolen identities of US consumers (low-balled estimate). [7]
Real vulnerability is more like $110 billion (.9% GDP). [8]
If stolen identities were used for economic warfare instead of simple theft, damage would be much higher (run on the bank, dramatic loss of confidence in eCommerce…).
Changes the security dynamics and forces hackers to adapt to us.

14 Conclusion
The core vulnerabilities of eCommerce have not yet been adequately addressed (insecure PCs, one-factor auth, use of old technologies and methods…).
Fraud and identity theft will continue to be the primary drivers of botnet growth and development until those problems are addressed.
If left unchecked, botnets will become hard to near-impossible to detect on the network.
Proactive steps will put the “bad guys” on defense: a great return on security investment.
Get “institutional players” and money out of the botnet business.
Apply defense-in-depth to consumer PCs.

15 References
1. The Register, May 5, 2006. http://www.theregister.co.uk/2006/05/05/ftc_spyware_lawsuits/
2. Viruslist, “Malware Evolution: 2005”, February 8, 2006. http://www.viruslist.com/en/analysis?pubid=178949694
3. Symantec, March 5, 2005. http://www.symantec.com/small_business/library/article.jsp?aid=symantec_research
4. Ullrich, J. “The Disappearing Patch Window”. http://isc.sans.org/presentations/MITSecCampISCPresentation.pdf
5. Internet Storm Center, October 10, 2005. http://isc.sans.org/diary.php?storyid=778
6. Internet News (citing Gartner), June 13, 2006. http://www.internetnews.com/security/article.php/3613236
7. Bambenek, J. http://handlers.dshield.org/jbambenek/keylogger.html
8. Unpublished study by John Bambenek and Agnieszka Klus.

