Understanding Botnet Phenomenon, MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

Presentation transcript:

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev

2 What is a Botnet?
Botnet is the term used for networks of infected end-hosts, called bots, that are under the control of a human operator commonly known as a bot master.
Command and control channels are used to disseminate the commands to the bots.
IRC (the Internet Relay Chat protocol) is the main vehicle.

3 IRC Concept – RFC 1459
IRC is an open protocol that runs over TCP.
[Network diagram; legend: green – normal clients, blue – bots, orange – bouncers]

4 IRC Concept – RFC 1459
Example 1: A message between clients 1 and 2 is only seen by server A, which sends it straight to client 2.
Example 2: A message between clients 1 and 3 is seen by servers A & B, and client 3. No other clients or servers are allowed to see the message.
Example 3: A message between clients 2 and 4 is seen by servers A, B, C & D and client 4 only.
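The three examples above follow from one property of IRC: servers form a spanning tree, so a private message travels along the unique server path between the two clients, and a channel message reaches exactly the minimal subtree spanning the channel's members. The script below, an added example that is not code from the slides or the paper, reproduces the three cases and then extends them to a channel, which is what makes a tracking drone useful: any client joined to the channel sits on that subtree and sees every command posted to it. The topology is my reconstruction of the RFC 1459 sample network (servers A-B-C-D with E hanging off C; clients 1 and 2 on A, 3 on B, 4 on D) and should be treated as an assumption.

```python
"""IRC message visibility over a server tree (RFC 1459 style).

Added example; not code from the slides or the paper. The topology is assumed
to be the RFC 1459 sample network, reconstructed from the slide's examples.
"""
from collections import deque

# Server-to-server links (undirected and acyclic: an IRC network is a spanning
# tree, so there is exactly one path between any two servers).
LINKS = [("A", "B"), ("B", "C"), ("C", "D"), ("C", "E")]

# Which server each client is attached to (assumed layout).
CLIENT_SERVER = {1: "A", 2: "A", 3: "B", 4: "D"}


def _neighbours(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def server_path(links, start, goal):
    """Servers on the unique path from start to goal, inclusive (BFS)."""
    if start == goal:
        return [start]
    adj = _neighbours(links)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt in prev:
                continue
            prev[nxt] = node
            if nxt == goal:
                path = [goal]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    raise ValueError(f"no route between {start} and {goal}")


def servers_seeing_privmsg(links, client_server, src, dst):
    """Servers that relay a one-to-one message from client src to client dst."""
    return server_path(links, client_server[src], client_server[dst])


def servers_seeing_channel(links, client_server, members):
    """Servers that see a channel message: the minimal subtree spanning the
    members' servers. A tracking drone joined to the channel observes the
    same messages as any other member on that subtree."""
    hosts = sorted({client_server[m] for m in members})
    seen = set(hosts)  # covers a channel whose members share one server
    for h in hosts[1:]:
        seen.update(server_path(links, hosts[0], h))
    return sorted(seen)


if __name__ == "__main__":
    for src, dst in [(1, 2), (1, 3), (2, 4)]:
        print(f"client {src} -> client {dst}: seen by",
              servers_seeing_privmsg(LINKS, CLIENT_SERVER, src, dst))
    print("channel with members 1, 3, 4 seen by",
          servers_seeing_channel(LINKS, CLIENT_SERVER, [1, 3, 4]))
```

Note that server E never sees any of these messages, even though it is part of the network: the visibility rules in the slide are exactly "servers on the path" and nothing more.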

5 How to Analyze Botnets?
Develop a scalable and robust infrastructure to capture and concurrently track multiple botnets.
Must be benign – not used to infect others outside the testing environment.
Analysis of measurements, structural and behavioral aspects of botnets.
IRC tracking, DNS cache probing (minimal).

6 Birth of a Bot
Bots are born from program binaries that infect your PC:
Self-replicating worms
Viruses
Shellcode (scripts)

7 Data collection methodology
Phase 1: Malware collection – collect as many different binaries (bots) as possible
Phase 2: Binary analysis via gray-box testing – analyze the sophistication of each bot
Phase 3: Longitudinal tracking of IRC botnets through IRC and DNS trackers – monitor the pervasiveness of each bot

8 Overview data collection

9 Malware Collection
An unpatched Windows XP image is run as the base copy.
Nepenthes mimics the replies generated by vulnerable services in order to collect the first-stage exploit.
Honeynets are used to catch exploits missed by Nepenthes.
The infected honeypot is compared with the base copy to identify the botnet binary.

10 Binary Analysis via gray-box testing
Network fingerprint (DNS, IPs, ports, scan)
IRC (PASS, NICK, USER, MODE, JOIN)
Learn the botnet dialect
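What the gray-box phase produces is a fingerprint of how the sample registers with its IRC server (the PASS, NICK, USER, MODE and JOIN lines listed above) plus the vocabulary of commands that appear in the channel. The parser below, an added example rather than code from the slides or the paper, pulls those fields out of a captured session so an analyst has the server name, channel, join key and nick pattern as indicators and the command words as the start of a "dialect". The session text is constructed (client lines prefixed ">", server lines "<", placeholder hostnames and addresses), and the "." command prefix used to spot operator commands is an assumption; real families use different conventions.

```python
"""Extract an IRC fingerprint and command dialect from a sandboxed bot session.

Added example, not code from the slides or the paper. SESSION is a constructed
transcript; the "." command prefix is an assumption.
"""
import re

# Constructed sample session (not real traffic; names/addresses are placeholders).
SESSION = """\
> PASS letmein
> NICK [US|XP|0042]
> USER abcd 0 0 :abcd
< :irc.example.test 001 [US|XP|0042] :Welcome
> MODE [US|XP|0042] +ix
> JOIN #lobby joinkey
< :[US|XP|0042]!abcd@10.0.0.5 JOIN :#lobby
< :irc.example.test 332 [US|XP|0042] #lobby :.status
< :boss!boss@203.0.113.9 PRIVMSG #lobby :.status
< :boss!boss@203.0.113.9 PRIVMSG #lobby :.sleep 600
"""


def _trailing(rest):
    """Return the ':'-prefixed trailing parameter of an IRC line, or ''."""
    return rest.split(" :", 1)[1] if " :" in rest else ""


def _add_dialect(fp, text, cmd_prefix):
    word = text.strip().split(" ")[0] if text.strip() else ""
    if word.startswith(cmd_prefix):
        fp["dialect"].add(word)


def parse_fingerprint(session, cmd_prefix="."):
    """Walk a '>'/'<' annotated session and collect registration fields,
    channels joined (with keys), the channel topic and the command words."""
    fp = {"server": None, "pass": None, "nick": None, "user": None,
          "modes": [], "channels": {}, "topic": None, "dialect": set()}
    for raw in session.splitlines():
        if raw[:1] not in ("<", ">"):
            continue
        direction, line = raw[0], raw[2:]
        prefix = None
        if line.startswith(":"):          # server lines carry a source prefix
            prefix, _, line = line[1:].partition(" ")
        cmd, _, rest = line.partition(" ")
        cmd = cmd.upper()
        if direction == ">":              # what the bot sends
            if cmd == "PASS":
                fp["pass"] = rest
            elif cmd == "NICK":
                fp["nick"] = rest
            elif cmd == "USER":
                fp["user"] = rest.split(" ")[0]
            elif cmd == "MODE":
                fp["modes"].append(rest.split(" ", 1)[1] if " " in rest else rest)
            elif cmd == "JOIN":
                chan, _, key = rest.partition(" ")
                fp["channels"][chan] = key or None
        else:                             # what the server sends back
            if cmd == "001" and prefix:   # RPL_WELCOME names the server
                fp["server"] = prefix
            elif cmd == "332":            # RPL_TOPIC: topics often hold a standing order
                fp["topic"] = _trailing(rest)
                _add_dialect(fp, fp["topic"], cmd_prefix)
            elif cmd == "PRIVMSG":
                _add_dialect(fp, _trailing(rest), cmd_prefix)
    return fp


def nick_template(nick):
    """Generalise a bot nick by masking digits, so bots of one family share a
    template that can be matched later ('[US|XP|0042]' -> '[US|XP|####]')."""
    return re.sub(r"\d", "#", nick)


if __name__ == "__main__":
    fp = parse_fingerprint(SESSION)
    fp["nick_template"] = nick_template(fp["nick"])
    for k, v in fp.items():
        print(f"{k:14} {v}")
```

The same fields are what the tracking drone in the next phase replays: it needs the server, the nick template, the channel and its key to register as a plausible member, and the dialect to interpret what it then sees.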

11 Longitudinal Tracking of Botnets
The IRC tracker (also called a drone) filters traffic and acts as a bot to trick the IRC room; it probes iteratively to find the footprint of a particular botnet
– Uses DNS probing
– Acts as a spy
DNS tracking – 800,000 name servers

12 Botnet Scanning
Worm-like – immediately start scanning the IP space looking for new victims after infection: 34 / 192
Variable-scanning botnets – scan when issued a command by the botmaster
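The distinction on this slide is one a network defender can observe from flow data: a worm-like bot fans out to many hosts on one port as soon as it is infected, while a variable-scanning bot stays quiet until the operator tells it to scan. The script below is an added example, not code from the slides or the paper. It flags sources that contact many distinct destinations on a single port inside a time window, then labels each as worm-like or command-triggered by how long after the (known) infection time the sweep began. The flow records and infection times are constructed, and the threshold, window and grace period are assumptions to tune per network.

```python
"""Flag scanning hosts in flow records and separate worm-like from
command-triggered scanning.

Added example; not code from the slides or the paper. FLOWS and INFECTED_AT
are constructed; threshold, window and grace are assumed tuning values.
"""
from collections import defaultdict

# Constructed flow log: (timestamp_s, src, dst, dst_port).
# 10.0.0.7 sweeps port 445 right after its constructed infection at t=100;
# 10.0.0.9 is infected at the same time but only sweeps much later;
# 10.0.0.3 is an ordinary host talking to a few web servers.
FLOWS = [
    (102, "10.0.0.7", "198.51.100.1", 445),
    (103, "10.0.0.7", "198.51.100.2", 445),
    (103, "10.0.0.7", "198.51.100.2", 445),   # repeat target: counted once
    (104, "10.0.0.7", "198.51.100.3", 445),
    (105, "10.0.0.7", "198.51.100.4", 445),
    (106, "10.0.0.7", "198.51.100.5", 445),
    (110, "10.0.0.3", "203.0.113.10", 443),
    (300, "10.0.0.3", "203.0.113.11", 443),
    (520, "10.0.0.3", "203.0.113.12", 443),
    (500, "10.0.0.9", "192.0.2.1", 445),
    (501, "10.0.0.9", "192.0.2.2", 445),
    (502, "10.0.0.9", "192.0.2.3", 445),
    (503, "10.0.0.9", "192.0.2.4", 445),
    (504, "10.0.0.9", "192.0.2.5", 445),
]
# Constructed infection times (in practice from honeypot or AV alerts).
INFECTED_AT = {"10.0.0.7": 100, "10.0.0.9": 100}


def detect_scanners(flows, threshold=5, window=60):
    """Return {src: (scan_start_ts, dst_port)} for sources that reach at least
    `threshold` distinct destinations on one port within `window` seconds."""
    recent = defaultdict(list)   # (src, port) -> [(ts, dst), ...] inside the window
    found = {}
    for ts, src, dst, port in sorted(flows):
        key = (src, port)
        hist = [(t, d) for t, d in recent[key] if ts - t <= window]
        hist.append((ts, dst))
        recent[key] = hist
        if src not in found and len({d for _, d in hist}) >= threshold:
            found[src] = (hist[0][0], port)   # first flow of the detected sweep
    return found


def classify_scanner(scan_start_ts, infection_ts, grace=30):
    """Worm-like bots scan as soon as they are infected; variable-scanning bots
    wait for an operator command, so their sweep starts well after infection."""
    if infection_ts is None:
        return "unknown-onset"
    return "worm-like" if scan_start_ts - infection_ts <= grace else "command-triggered"


def triage(flows, infected_at, **kwargs):
    """Combine detection and classification: {src: (start, port, label)}."""
    report = {}
    for src, (start, port) in detect_scanners(flows, **kwargs).items():
        report[src] = (start, port, classify_scanner(start, infected_at.get(src)))
    return report


if __name__ == "__main__":
    for src, (start, port, label) in sorted(triage(FLOWS, INFECTED_AT).items()):
        print(f"{src}: sweep of port {port} from t={start}s -> {label}")
```

A command-triggered sweep is the more useful signal for the tracking phase: its start time can be lined up against the C&C channel log to find the command that caused it.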

13 Botnet Scanning

14 Botnet Growth

15 Botnet Growth

16 Botnet Phenomenon

17 Botnet Phenomenon
Traffic problem
– 70% of the sources during peak periods sent shell exploits similar to those sent by the botnet spreaders.
– 90% of all the traffic during a particular peak targeted ports used by botnet spreaders.
– The amount of botnet-related traffic is certainly greater than 27%.

18 Botnet Statistics
60% were IRC bots
– 70% of all the bots connect to a single IRC server
57,000 active bots per day for the first 6 months of 2006 (Symantec)
4.7 million distinct computers being actively used in botnets
Most botnets are managed by a single server (up to 15,000 bots)
Mocbot seized control of more than 7,700 machines within 24 hours

19 Botnet Characteristics
Diverse set of operating systems.
Anti-virus programs can detect and fix most bots.

20 What is it that You say… You Do Here?
Log keystrokes for identity theft
Installing advertisement add-ons
Distributed denial-of-service attacks
Spamming
Sniffing traffic
Keylogging
Spreading new malware
Google AdSense abuse
Attacking IRC chat networks
Manipulating online polls/games
Mass identity theft

21 Bot Capabilities
DDoS: flooding attack and DDoS extortion
Scanning
Exploitation
Download and installation
Click fraud
Server services – bot hosting, e.g. phishing
Gateway and proxy functions – HTTP proxy
Spyware, keylogging, data theft and packet capture

22 Conclusion
“The fight against botnets is a ‘war’ that can only be won if all parties - regulators, governments, telecoms firms, computer users and hardware and software makers - work together.”
Botnets pose one of the most SEVERE threats to the Internet
– Are responsible for most of the unwanted traffic
– Generators of SPAM

23 Conclusion
Business implications
– DDoS – bring e-commerce to a halt
– Wasting of money on SPAM filtering
– Wasting of corporate time and $$

24 Strengths of the paper
All aspects of a botnet analyzed
No prior analysis of bots
Ability to model various types of bots
Ability to learn bot dialect and communicate with them

25 Botnet Questions ?