
2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.


2 Outline
Introduction
Miner botnet: topology; command and control protocol
Analysis of the botnet: monitoring the Miner botnet
Conclusion


4 Botnets: centralised botnets. In this type of botnet all infected computers connect to a single C&C server. The C&C waits for new bots to connect, registers them in its database, tracks their status and sends them commands selected by the botnet owner from a list of bot commands. The single C&C is also the single point of failure: taking it down or sinkholing it cuts every bot off.

5 Botnets: P2P (peer-to-peer) botnets. Bots connect to several other infected machines in the bot network rather than to one command and control centre. Commands are relayed from bot to bot, so there is no single server whose removal disables the botnet.

6 The topology of the Miner botnet (figure)

7 Command and control protocol. The structure of the P2P communication protocol is shared by all tiers. The port used is fixed to 8080. A query with the ".txt" extension serves as a status request and returns general information about the node. The communication protocol itself is neither encrypted nor obfuscated; the only protection mechanism applied is a signature scheme for executable updates. Because the traffic is in the clear and unauthenticated, any host that speaks the protocol can query a peer, which is what makes external monitoring of the botnet feasible.

8 Command and control protocol

9 Infrastructure: loader2.exe. The first module to be executed on a freshly infected system is a loader that nests as a service called "srvsysdriver32" and then performs an online connectivity test. As soon as the connection test succeeds, the loader continues by acquiring updated IP address lists of botnet peers with the commands "ip_list" and "ip_list_2". If the type equals the ID of the distribution module and the reachability test was positive, the node becomes a P2P bot; otherwise the victim becomes a worker bot.

10 Infrastructure: wdistrib.exe. The distribution module is the fundamental component of the flexible infrastructure of the Miner botnet. When executed, hard-coded master C&C servers are contacted. This level decides whether a centralised or a decentralised mechanism is used for distributing malicious binaries. In either case, an IP address list of distribution servers is obtained.

11 Infrastructure: loader_rezerv.exe. This is a network-based downloader with the ability to install arbitrary executable files on a victim's computer. Upon connection, it can be commanded to download a file identified by a download ID from a given URL, together with the protection signature of the file. The signature protects the botmaster's update channel against hijacking by third parties; it offers the victim no protection at all.

12 Bitcoin-related modules: btc_server.exe. It serves as a proxy for the worker bots towards a selection of Bitcoin mining pools, clusters of miners that cooperate in order to increase their chance of earning Bitcoins. It downloads one of the Bitcoin clients; these clients are used to back up the Bitcoin wallet containing the earned Bitcoins. The wallet is posted every twenty minutes to a master C&C server.

13 Bitcoin-related modules: client_8.exe. This Bitcoin mining module is executed on bots of both tier 3 and tier 4. After nesting as the service "srvbtcclient", a connection to the botnet is established and multiple operations are started in parallel. Every five hours a status update about the mining operation is sent to a master C&C server.

14 DDoS-related module: ddhttp.exe. The core module for DDoS attacks against web servers via the HTTP protocol. It installs itself as a system service called "ddservice". If the target list is acquired successfully, a status report with the unique system identifier and the module version number is sent to the contact point every 10 minutes. The attack then proceeds to request all the links identified on the target pages as well, to create even more load on the server.

15 DDoS-related module: udp.exe. The core module for DDoS attacks against web servers via the UDP protocol. A UDP attack is carried out by sending a large number of UDP packets to random ports in the range 10 to 65000. Because the ports are chosen at random, the flood is not aimed at the HTTP service itself; it consumes the target's bandwidth and packet-processing capacity, and closed ports additionally provoke ICMP port-unreachable replies.
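The random-port UDP flood described above has a simple network-side signature: one source, one destination, many datagrams in a short window, and almost as many distinct destination ports as datagrams. The following detector is an added example written for this page, not code from the paper or the presenter; the flow records, window size and thresholds are constructed for illustration, and a production version would use a sliding window rather than the fixed 10-second buckets used here.

```python
"""Flow-based detection of a random-port UDP flood (udp.exe behaviour).

Added example, not from the paper.  Each Flow record stands for one datagram
as it would appear in NetFlow/IPFIX export; the sample traffic is constructed.
"""
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

PORT_MIN, PORT_MAX = 10, 65000      # range used by udp.exe (slide 15)
WINDOW_SECONDS = 10.0               # fixed bucket width (assumption)
MIN_PACKETS = 100                   # datagrams per (src, dst) per window (assumption)
MIN_PORT_SPREAD = 0.5               # distinct ports / datagrams (assumption)


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since epoch
    src: str
    dst: str
    proto: str     # "UDP" or "TCP"
    dport: int


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: one flooding bot, one DNS client, one TCP scanner."""
    rng = random.Random(7)
    flows: List[Flow] = []
    # Worker bot: 300 UDP datagrams in 5 s to random ports in 10..65000.
    for i in range(300):
        flows.append(Flow(1000.0 + i * 5 / 300, "192.0.2.10", "203.0.113.5",
                          "UDP", rng.randint(PORT_MIN, PORT_MAX)))
    # Benign resolver client: 60 queries, always port 53 (no port spread).
    for i in range(60):
        flows.append(Flow(1000.0 + i * 10 / 60, "192.0.2.20", "203.0.113.53",
                          "UDP", 53))
    # TCP port scan: many ports, but not UDP, so not this attack pattern.
    for p in range(1, 200):
        flows.append(Flow(1000.0 + p * 0.02, "192.0.2.30", "203.0.113.5",
                          "TCP", p))
    return flows


def detect_udp_floods(flows: Iterable[Flow],
                      window: float = WINDOW_SECONDS,
                      min_packets: int = MIN_PACKETS,
                      min_spread: float = MIN_PORT_SPREAD
                      ) -> List[Tuple[str, str, int, int]]:
    """Return (src, dst, datagrams, distinct_ports) for every (src, dst) pair
    that, within one window, sends at least `min_packets` UDP datagrams whose
    destination ports are spread over at least `min_spread` * datagrams
    distinct values.  A DNS client fails the spread test; a TCP scan is
    filtered out by protocol before counting."""
    buckets: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for f in flows:
        if f.proto != "UDP" or not (PORT_MIN <= f.dport <= PORT_MAX):
            continue
        buckets[(f.src, f.dst, int(f.ts // window))].append(f.dport)

    alerts: List[Tuple[str, str, int, int]] = []
    for (src, dst, _bucket), ports in sorted(buckets.items()):
        n, distinct = len(ports), len(set(ports))
        if n >= min_packets and distinct / n >= min_spread:
            alerts.append((src, dst, n, distinct))
    return alerts


if __name__ == "__main__":
    for src, dst, n, distinct in detect_udp_floods(build_sample_flows()):
        print(f"UDP flood suspect {src} -> {dst}: {n} datagrams, "
              f"{distinct} distinct ports")
```

The spread ratio is what separates this pattern from legitimate high-rate UDP such as DNS, NTP or VoIP, which concentrate on one or a handful of ports; the thresholds are starting points and need tuning against the link's normal traffic.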

16 Social-network-related modules: iecheck12.exe. It creates a web server on ports 80/tcp and 443/tcp that acts as a proxy and intercepts requests to Facebook or Vkontakte. When someone logs in from the infected computer, the credentials are stored in the registry. The credentials are then abused to initiate conversations, based on downloaded spam templates, with individuals from the victim's friend list. resetr.exe: in order to reduce the chance of being detected or removed from the system, this utility disables and deletes the services responsible for Windows Update.

17 Monitoring the Miner botnet. The focus of the operation was to gain insight into the population and activity of the Miner botnet. The methodology applied is recursive enumeration, also known as crawling: starting with a set of bootstrap nodes, each node is queried for the IP addresses of its known peers, and every newly learned peer is queried in turn until no new addresses appear.
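The enumeration described above is a breadth-first traversal of the peer graph with a visited set, since a P2P overlay is full of cycles and a naive recursion would loop. The following is an added example written for this page, not the tracking code used by the paper's authors: the peer graph is simulated in memory from constructed data, and `simulated_query` stands in for the botnet's own ip_list request on port 8080, whose exact wire format is not on the page and is therefore not reproduced.

```python
"""Recursive peer enumeration ("crawling") of a P2P botnet, as on slide 17:
start from bootstrap nodes, ask each reachable node for the peers it knows,
and continue until no new addresses turn up.

Added example, not the paper's monitoring code.  The topology is a constructed
in-memory sample; a real crawler swaps `simulated_query` for a function that
sends the ip_list request over TCP/8080 and parses the reply.
"""
from collections import deque
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample topology: node -> the peer list it would return.
# Addresses absent from the dict are advertised by others but never answer
# (offline, behind NAT, or a worker bot that is not a P2P node).
SAMPLE_PEER_LISTS: Dict[str, List[str]] = {
    "10.0.0.1": ["10.0.0.2", "10.0.0.3", "10.0.0.1"],   # lists itself
    "10.0.0.2": ["10.0.0.1", "10.0.0.4"],
    "10.0.0.3": ["10.0.0.2", "10.0.0.5"],                # 10.0.0.5 never answers
    "10.0.0.4": ["10.0.0.2", "10.0.0.3", "10.0.0.6"],
    "10.0.0.6": ["10.0.0.4"],
}


def simulated_query(ip: str) -> List[str]:
    """Stand-in for the ip_list request.  Raises, like a failed TCP connect,
    when the node does not respond."""
    if ip not in SAMPLE_PEER_LISTS:
        raise ConnectionError(f"{ip}:8080 unreachable")
    return SAMPLE_PEER_LISTS[ip]


def crawl(bootstrap: Iterable[str],
          query_peers: Callable[[str], List[str]]) -> Dict[str, Set[str]]:
    """Breadth-first enumeration of the overlay.

    Returns the nodes that answered ("responsive"), the addresses that were
    advertised but never answered ("silent"), and everything seen ("known").
    The `known` set guarantees each address is queued once, so cycles in the
    peer graph cannot make the crawl loop."""
    queue = deque(bootstrap)
    known: Set[str] = set(queue)
    responsive: Set[str] = set()
    silent: Set[str] = set()
    while queue:
        ip = queue.popleft()
        try:
            peers = query_peers(ip)
        except (ConnectionError, OSError):
            silent.add(ip)
            continue
        responsive.add(ip)
        for peer in peers:
            if peer not in known:          # enqueue each address only once
                known.add(peer)
                queue.append(peer)
    return {"responsive": responsive, "silent": silent, "known": known}


def crawl_sample() -> Dict[str, Set[str]]:
    """Run the crawl over the constructed topology from one bootstrap node."""
    return crawl(["10.0.0.1"], simulated_query)


if __name__ == "__main__":
    result = crawl_sample()
    for key in ("responsive", "silent", "known"):
        print(f"{key:10s} {sorted(result[key])}")
```

Counting only responsive nodes underestimates the population (NATed worker bots never answer), while counting every advertised address overestimates it (stale entries linger in peer lists); reporting both sets, as this crawler does, is what lets a daily population figure be read with the right error bars.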

18 Daily population of the Miner botnet (figure)

19 Conclusion. The paper provides an overview of the Miner botnet. The authors present statistical data on its population and activities, gathered during four months of tracking, and show that the botnet makes use of advanced concepts such as a P2P infrastructure.
