Published: USENIX HotBots, 2007 Presented: Wei-Cheng Xiao 2016/10/11.

Presentation transcript:

Outline
  Introduction
  Background and history
  Case study: Trojan.Peacomm
  Related work
  Conclusions and future work

IRC-based Botnet
  Pros
    Large base of knowledge and source code for bot development
    Centralized C&C, efficient communication
  Cons
    Centralized mechanism: a single point of failure that is easy to take down

Motivation and Goals
  Motivation
    A peer-to-peer structure for botnet communication is beginning to appear.
    More attackers will move to P2P botnets because a botnet without a central C&C server is difficult to incapacitate.
  Goals
    To increase the understanding of P2P botnets, and to help detect, mitigate, and eliminate P2P botnets in the future

Contributions
  Providing an overview and historical perspective of botnets
  Presenting a case study of a Trojan.Peacomm bot

History

Goals of Botnets
  The three primary goals of botnets:
  Information dispersion
    Spam, DoS attacks, dispersion of false information
  Information harvesting
    Identity, password, credit card number, friend list
  Information processing
    CPU, memory resources

Trojan.Peacomm
  Uses the Overnet protocol, which implements a distributed hash table based on Kademlia
  The initial bot
    Appears as an attachment "FullVideo.exe" in malicious e-mails
    Targets Windows systems
    Adds "wincom32.sys" to the system and injects it into services.exe
    Turns off the ICF/ICS service and opens some ports

Overnet
  A common 128-bit numeric space is used.
  Node IDs are drawn from that numeric space.
  Values are mapped into the numeric space by hashing them into keys.
  (key, value) pairs are stored on the nodes closest to the key, where distance is computed as the XOR of the two identifiers.
  Each node keeps a list of known nodes for every bucket (distance range) of the numeric space.
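The following Python is an added illustration of the rules stated on this slide (it is not code from the paper or from the presenter): XOR distance between identifiers, the bucket a peer falls into, and the selection of the closest nodes that store a (key, value) pair. The node IDs are constructed values, the replication factor K = 4 is an assumption, and MD5 stands in for whatever 128-bit hash maps values to keys; the only property used is the 128-bit output.

```python
"""XOR-metric routing as used by Overnet/Kademlia (added example)."""
import hashlib

ID_BITS = 128   # Overnet identifier space, per the slide
K = 4           # replication factor: assumed for this example, not from the paper

# Constructed node IDs (small values for readability; they still live in the
# 128-bit space). 0x10 plays the role of "our" node below.
NODES = [0x10, 0x13, 0x2A, 0x7F, 0x80, 0xC3, 0xF0]


def xor_distance(a: int, b: int) -> int:
    """Kademlia distance: bitwise XOR of the identifiers, ordered as integers.

    Properties a defender relies on when reasoning about lookups:
    d(a, a) == 0, d(a, b) == d(b, a), and d(a, c) <= d(a, b) + d(b, c).
    """
    return a ^ b


def bucket_index(own_id: int, other_id: int) -> int:
    """Index of the bucket in which own_id tracks other_id.

    Bucket i covers distances in [2**i, 2**(i+1)), i.e. the index is the
    position of the highest bit in which the two IDs differ. The node itself
    (distance 0) is never stored, so -1 is returned for it.
    """
    return xor_distance(own_id, other_id).bit_length() - 1


def key_for(value: bytes) -> int:
    """Map a value into the 128-bit key space.

    MD5 is an assumed stand-in: it produces a 128-bit digest, which is all the
    example needs to place the key among node IDs.
    """
    return int.from_bytes(hashlib.md5(value).digest(), "big")


def closest_nodes(target: int, node_ids, k: int = K):
    """The k node IDs XOR-closest to target.

    This is the placement rule on the slide: a (key, value) pair is stored on
    the k nodes whose IDs are closest to the key.
    """
    return sorted(node_ids, key=lambda n: xor_distance(n, target))[:k]


def self_lookup(own_id: int, node_ids, k: int = K):
    """Nodes returned when a peer searches for its own ID.

    A periodic self-search is how a Kademlia node learns its nearest
    neighbours; the node itself is excluded from the result.
    """
    return closest_nodes(own_id, [n for n in node_ids if n != own_id], k)


def route_table(own_id: int, node_ids):
    """Group known peers into buckets, as a node's routing table would."""
    buckets = {}
    for n in node_ids:
        if n == own_id:
            continue
        buckets.setdefault(bucket_index(own_id, n), []).append(n)
    return buckets


if __name__ == "__main__":
    key = 0x12  # constructed key, not a real Overnet key
    print("storing key 0x%x on:" % key, [hex(n) for n in closest_nodes(key, NODES)])
    print("buckets seen by 0x10:",
          {i: [hex(n) for n in ns] for i, ns in route_table(0x10, NODES).items()})
    print("self-lookup by 0x10 returns:", [hex(n) for n in self_lookup(0x10, NODES)])
```

Searching for its own ID (the behaviour noted later in the trace findings) is ordinary Kademlia maintenance, so on its own it does not distinguish an infected node from any other Overnet peer.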

The Five Steps in Communication
  1. Connect to Overnet
     Bootstrap onto the P2P network from a hard-coded list of 146 nodes in wincom32.ini
  2. Download the secondary injection URL
     Use keys to search for and download a value, which is an encrypted URL
     The keys are generated from the current date and a random number in [0...31] using a built-in algorithm
  3. Decrypt the secondary injection URL
  4. Download the secondary injection from a web server or from other peers
  5. Execute the secondary injection

Secondary Injections
  Include
    Rootkit components
    Spamming components
    Address harvester
    Propagation components
    DDoS tools
  The bot updates itself periodically by searching the P2P network again.
  Together, the key search, download and execute primitives provide the C&C mechanism.

Network Trace Analysis
  The Overnet packets in the trace involve 10,105 unique IPs.
  The bot in the experiment contacts about 4,200 hosts.

Findings of the Key Search
  A node periodically searches for its own ID hash (h1) to learn the nodes closest to it.
  The command latency is low (about 3 to 6 seconds).
  The search results come from 4 responders, but whether those responders are infected is uncertain.
  It is difficult to identify other infected hosts in Overnet from the trace data alone, since the searches look like ordinary Overnet traffic.

Related Work
  The zombie roundup: Understanding, detecting, and disrupting botnets. USENIX SRUTI, 2005
    Points out the potential threat posed by P2P-based botnets
    Identifies some fundamental techniques for botnet analysis
  An inside look at botnets. Advances in Information Security, 2006
    Gives an overview of some famous botnets, such as Agobot
    Highlights the sophistication and diverse capabilities of botnets

Conclusions and Future Work
  There is a recent trend toward increased development of P2P botnets because they are difficult to detect and eliminate.
  An overview of botnets and a case study of a P2P botnet (Trojan.Peacomm) are presented.
  Future work includes P2P botnet detection and analysis of P2P botnet resilience.