Dissecting Distributed Malware Networks

Slides:



Advertisements
Similar presentations
Decision Group Forensics Investigation Toolkit (FIT) Layer 7 Content Reconstruction Tool.
Advertisements

1 NS-2 Tutorial COMP R2 University of Manitoba March 4, 2009.
F4-analyzing Network-based evidence for a windows intrusion Dr. John P. Abraham Professor UTPA.
COEN 252 Computer Forensics Using TCPDump / Windump for package analysis.
March Wireshark CA Plugin EPICS Meeting 2008, Shanghai, China. 1 Wireshark CA Plug-in EPICS Channel Access Dissector Kazuro Furukawa, KEK Ron Rechenmacher,
Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.
Guide to Computer Forensics and Investigations1 Network Forensics Overview Network forensics –Systematic tracking of incoming and outgoing traffic To ascertain.
NETWORK SECURITY INTRUSION DETECTION SYSTEMS (IDS) KANDIAH.M Clarkson University, Potsdam, New York.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.
1 TCP Traffic Analysis in cooperation with Motorola Todd DeSantis and David Loose Advisor: Professor Mark Claypool Co-Advisor: Professor Robert Kinicki.
Practical Networking. Introduction  Interfaces, network connections  Netstat tool  Tcpdump: Popular network debugging tool  Used to intercept and.
CAP6135: Malware and Software Vulnerability Analysis Network Traffic Monitoring Using Wireshark Cliff Zou Spring 2013.
Network Forensics Networking Basics Collecting Network-Based Evidence (NBE) Collection of Packets using Tools Windows Intrusion UNIX Intrusion.
Hands-on: Capturing an Image with AccessData FTK Imager
Wireshark Presented By: Hiral Chhaya, Anvita Priyam.
1 Ethereal.  Freeware sniffing tool.  Captures live network traffic.  The user interface separates it from other sniffers.
Forensic and Investigative Accounting
Penetration Testing Security Analysis and Advanced Tools: Snort.
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
Step-by-Step Intrusion Detection using TCPdump SHADOW.
What is FORENSICS? Why do we need Network Forensics?
ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.
Network Security: Lab#4-2 Packet Sniffers J. H. Wang Dec. 2, 2013.
--Harish Reddy Vemula Distributed Denial of Service.
Scapy. Introduction  It’s a packet manipulation tool.  It can forge or decode packets of a wide number of protocols, send them on the wire, capture.
1 TAC2000/ LABORATORY 117 Analyzing SIP Call Flows Dr. Quincy Wu National Chiao Tung University
© 2010 Cisco Systems, Inc. All rights reserved. 1 CREATE Re-Tooling Exploring Protocols with Wireshark March 12, 2011 CREATE CATC and Ohlone College.
Network Management Protocols and Applications Cliff Leach Mike Looney Danny Mar Monty Maughon.
Packet Capture and Analysis: An Introduction to Wireshark 1.
1 HoneyNets. 2 Introduction Definition of a Honeynet Concept of Data Capture and Data Control Generation I vs. Generation II Honeynets Description of.
Practice 4 – traffic filtering, traffic analysis
Sniffer, tcpdump, Ethereal, ntop
Network Analyzer :- Introduction to Wireshark. What is Wireshark ? Ethereal Formerly known as Ethereal GUINetwork Protocol Analyzer Wireshark is a GUI.
Guide to Computer Forensics and Investigations, Second Edition Chapter 12 Network Forensics.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Network Forensics - III November 3, 2008.
POSTECH 1/39 CSED702D: Internet Traffic Monitoring and Analysis James Won-Ki Hong Department of Computer Science and Engineering POSTECH, Korea
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Presented by D Callahan.
COMP2322 Lab 1 Introduction to Wireshark Weichao Li Jan. 22, 2016.
Introduction Web analysis includes the study of users’ behavior on the web Traffic analysis – Usage analysis Behavior at particular website or across.
Forensics Investigation Toolkit (FIT) Offline Raw Data Files Parsing and Reconstruction Tools (Windows) Decision Group
Network Analyzer :- Introduction to Ethereal Computer Networking (Graduate Class)
Lesson 9: SOFTWARE ICT Fundamentals 2nd Semester SY
Traffic Analysis– Traffic Forensic Example
CompTIA Security+ Study Guide (SY0-401)
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Click to edit Master subtitle style
Top 5 Open Source Firewall Software for Linux User
Lab 2: Packet Capture & Traffic Analysis with Wireshark
資料通訊與網路 教授: 吳照輝 助教: 鄺福全.
A Quick Guide to Ethereal/Wireshark
COMP2322 Lab 1 Wireshark Steven Lee Jan. 25, 2017.
Module 8: Securing Network Traffic by Using IPSec and Certificates
Traffic Analysis with Ethereal
CompTIA Security+ Study Guide (SY0-401)
Honeypots and Honeynets
What if you hit back? Counter-intelligence and Counter-attack
Introduction to Packet Sniffing using Ethereal
Lecture 4 Communication Network Protocols
Botnets Usman Jafarey Including slides from The Zombie Roundup by Cooke, Jahanian, McPherson of the University of Michigan.
Functions of an operating system
Traffic Analysis– Traffic Forensic Example
Network Analyzer :- Introduction to Wireshark
Module 8: Securing Network Traffic by Using IPSec and Certificates
TCP Protocol Analysis Access UMKC Home Page.
Network Analyzer :- Introduction to Wireshark
Linux and TCP/IP Networking
FTP AND COMMAND PROCESSING IN FTP
COEN 252 Computer Forensics
Web Application Development Using PHP
Presentation transcript:

Dissecting Distributed Malware Networks Honeynet Project - project@honeynet.org Dissecting Distributed Malware Networks Dave Dittrich University of Washington <dittrich @ cac.washington.edu> 11/14/2018

Honeynet Project - project@honeynet.org Overview Honeynet Project - project@honeynet.org Introduction Why this talk? Review of DDoS Response Strategy Tools Network Forensics Host Forensics Attack scenario (tactics) Conclusion 11/14/2018

Honeynet Project - project@honeynet.org Why this talk? Honeynet Project - project@honeynet.org This is not a new problem D{DoS|warez|BNC|scanning} very much alive (Power, knight.exe, GTbot, X-DCC) Bandwidth vs. Access vs. Security Broadband, DSL, .edu = = MESS! Chaos is the norm 11/14/2018

Honeynet Project - project@honeynet.org Why this talk? Honeynet Project - project@honeynet.org Some networking tools aren’t keeping up with attack tools 11/14/2018

Honeynet Project - project@honeynet.org Why this talk? Honeynet Project - project@honeynet.org To improve the state of network analysis These networks CAN be taken down, iff response is disciplined, coordinated, and efficient http://www.cert.org/reports/dsit_workshop.pdf 11/14/2018

Honeynet Project - project@honeynet.org Review of DDoS Honeynet Project - project@honeynet.org 11/14/2018 http://www.adelphi.edu/~spock/lisa2000-shaft.pdf

Honeynet Project - project@honeynet.org Review of DDoS Honeynet Project - project@honeynet.org 11/14/2018

Strategies Analyze attack traffic (find agents) Analyze command/control traffic (find agents & handlers, identify victims & attackers, etc.) Identify signatures of tool (find artifacts, define cleanup procedures) Pass along intelligence to other sites (take down entire network, not just 1%) RESPECT PRIVACY RIGHTS!!! Remember for future reference! (They’re BA-ACK!) 11/14/2018

Preparation Assemble tools Negotiate procedures Practice Execute Coordinate Communicate 11/14/2018

Tools 11/14/2018

Data Collection Tools libpcap/tcpdump Support scripts Snort, Ethereal also useful (these are not covered here) 11/14/2018

Standard packet capture interface Common dump format libpcap / tcpdump Standard packet capture interface Common dump format Basic packet decoding features Filters packets various ways http://www.tcpdump.org/ 11/14/2018

tcpdump examples # tcpdump –s 64 –w dos-04282002.dump # tcpdump –r dos-04282002.dump ip proto 255 # tcpdump –s 0 –w irc-04282002.dump \ tcp port 6667 or tcp port 7000 # tcpdump –r irc-04282002.dump \ -w suspect-irc.dump “(ip host 192.168.0.1 \ and port 1234) or ip net 10.1.1.0/24” http://www.eas.asu.edu/~ieeecs/pages/springCalendar_99/resource/intro.ppt 11/14/2018

Data Analysis Tools tcpslice tcpdstat tcptrace ngrep ipgrep Graphing utilities 11/14/2018

Slices tcpdump files by start/end time Shows start/end times tcpslice Slices tcpdump files by start/end time Shows start/end times Merges tcpdump files ftp://ftp.ee.lbl.gov/tcpslice.tar.gz 11/14/2018

tcpslice example 11/14/2018

tcpdstat Traffic Statistics Protocol breakdown My simple mods More protocols Peak flow rate Compile on Linux http://staff.washington.edu/dittrich/misc/core02/tcpdstat-uw.tgz 11/14/2018

tcpdstat example 11/14/2018

tcpdstat example (cont) 11/14/2018

tcptrace Reports on streams Produces flow graphs Reconstructs streams http://jarok.cs.ohiou.edu/software/tcptrace/tcptrace.html 11/14/2018

tcptrace example 11/14/2018

tcptrace example 11/14/2018

Identifies strings in network traffic ngrep Identifies strings in network traffic Supports RE and byte arrays (hex) Only clear text (of course) http://www.packetfactory.net/ngrep/ 11/14/2018

ngrep example 11/14/2018

Host Analysis Tools Foundstone’s Fport Anti Virus software (if used properly) @Stake’s TASK Farmer/Venema’s TCT 11/14/2018

…and processes that hold them Windows tool (use “lsof” on Unix) FPort Shows open ports …and processes that hold them Windows tool (use “lsof” on Unix) http://www.foundstone.com/knowledge/proddesc/fport.html 11/14/2018

FPort example 11/14/2018

Anti-Virus Software Disable auto-delete before scan Use latest virus signature files Not 100% reliable analyses 11/14/2018

Anti-Virus Software 11/14/2018

Anti-Virus Software 11/14/2018

Graphical interface (autopsy) Direct file system processing TASK Graphical interface (autopsy) Direct file system processing Supports FAT16/FAT32 (NTFS in development) http://www.atstake.com/research/tools/task/ 11/14/2018

Image Windows FAT16/FAT32, mount on Linux The Coroner’s Toolkit Not just for Unix Image Windows FAT16/FAT32, mount on Linux Perform MAC time analysis http://project.honeynet.org/challenge/ http://staff.washington.edu/dittrich/misc/forensics/ 11/14/2018

TCT (mactime) example 11/14/2018

Attack scenario (Tactics) 11/14/2018

Responding to an Attack Honeynet Project - project@honeynet.org Responding to an Attack How it starts 11/14/2018

Using tcpdump to analyze attack traffic 11/14/2018

Use tcpdstat to analyze attack traffic 11/14/2018

First Attack 11/14/2018

Statistics of first attack 11/14/2018

More Attacks 11/14/2018

More Attacks 11/14/2018

Using ngrep to find control traffic 11/14/2018

Using Fport to correlate ports and programs 11/14/2018

Feedback from system owner 11/14/2018

Identification of attack tool 11/14/2018

Find analysis/code 11/14/2018

Identify keys to control 11/14/2018

Identify commands in source 11/14/2018

Use tcptrace to isolate TCP stream 11/14/2018

Identify attack victims 11/14/2018

What’s this? 11/14/2018

Top IRC channels 11/14/2018

XDCC traffic report 11/14/2018

XDCC traffic report (cont) 11/14/2018

Review what you know Attacks from: 128.95.X.154, 128.95.X.181… Traffic mostly Protocol 255, IRC, “other” Lots of FTP traffic (“warez”) Firedaemon/knight.c/GTbot installed IRC ports/channels known (“warez” bots) 11/14/2018

Communication/Cooperation 11/14/2018

Communication/Cooperation 11/14/2018

This was moderately complex Conclusion This was moderately complex Encryption makes things much harder (Eggdrop w/Blowfish, burneye, etc.) Today its guerilla warfare (on both sides) Discipline and skill wins Products from Arbor or Niksun help 11/14/2018

Honeynet Project - project@honeynet.org Questions? Website: http://staff.washington.edu/dittrich/ (add misc/ddos/ for DDoS page, misc/core02/ for files) Email: dittrich@cac.washington.edu 11/14/2018

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.