BOTNETS & TARGETED MALWARE Fernando Uribe

INTRODUCTION  Fernando Uribe   IT trainer and consultant for over 15 years, specializing in cyber security.

WHAT IS A BOT?  Bot, standing for robot, is the name given to malware which is installed on vulnerable devices and used to receive commands.  Once a vulnerable machine is infected with a bot, it can also be called a “Zombie”, since the bot lies dormant

WHAT IS A BOTNET?  When one has multiple zombie machines under a single controller, it’s known as a botnet.  Botnets can be used for good, like web crawling or search engine indexing.  The majority of the time, botnets are used for Distributed Denial of Service (DDoS) attacks.  A DDoS is when a target is being attacked by multiple zombie machines simultaneously.  Usually bots are controlled through an IRC channel via a command and control program.  People who operate botnets are usually called bot herders.

HOW DO BOTNETS GET CREATED?  There are several phases to this:  Set up command and control  Release the bot to infect  Have the zombies propagate  Bots connect to the C&C, ready to receive instructions  A command is given to attack a target  Bots attack said target

SETUP OF COMMAND AND CONTROL  Attackers may use various tools (one example is Poison Ivy), or they may create their own.

RELEASE BOT TO INFECT  This could be done via social engineering, phishing, or fake websites.

PROPAGATE  Depending on the bot, this could occur in ways similar to a worm infection or a malware installation.

CONNECT TO C&C  Think “ET phone home!”: the bots try to connect to the programmed IRC channel and report their status.

COMMAND SENT  The command is for a coordinated and automated attack of a target.

ATTACK ORDERED  Once the bots receive the command, they start the attack and continue until told otherwise.  Usually a DDoS.

RECOGNIZING DOS  A few ways to recognize a possible DDoS attack:  Websites unavailable  A specific site not available  Network access bogged down  A large increase in the amount of spam received

DETECTING DDOS  Ways to detect:  Activity profiling  Changepoint detection  Wavelet-based signal analysis

ACTIVITY PROFILING  This measures the average packet rate of a network flow  A flow is made up of consecutive packets with similar header fields  An attack is identified when the activity level increases

CHANGEPOINT DETECTION  Points out the change in traffic during an attack  Identifies the difference between actual and expected traffic  Can also be used to identify scanning activity within your network

WAVELET SIGNAL ANALYSIS  Analyzes the input signal in terms of its spectral components  Wavelets give a concurrent time and frequency description of the signal  By analyzing the spectral data, one can determine the presence of an anomaly  So they help you pinpoint the time when anomalies may have occurred
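The activity profiling and changepoint detection slides above, worked through as an added example (not from the presentation): a constructed series of packets-per-second counts at one server, an activity profile that compares the recent average rate with the long-run average, and a one-sided CUSUM changepoint test that accumulates the excess of observed traffic over the expected mean learned from a training window. The ratio, training length and the k/h thresholds are assumed values chosen for the sample data.

```python
from statistics import mean, pstdev

# Constructed sample (not from the slides): packets per second seen at a web
# server. Seconds 0-19 are normal traffic, seconds 20-29 are a flood.
PACKETS_PER_SECOND = [
    98, 104, 101, 97, 110, 95, 102, 99, 106, 100,
    103, 97, 101, 108, 94, 100, 99, 105, 102, 98,
    640, 910, 1320, 1480, 1510, 1495, 1530, 1505, 1490, 1520,
]


def activity_profile(counts, window=5, ratio=3.0):
    """Activity profiling: compare the average packet rate of the most recent
    `window` seconds with the average of everything seen before that window.
    Returns the first second at which the recent rate exceeds `ratio` times
    the historical average, or None if the activity level never jumps."""
    for t in range(window, len(counts)):
        recent = mean(counts[t - window + 1:t + 1])
        history = mean(counts[:t - window + 1])
        if recent > ratio * history:
            return t
    return None


def cusum_changepoint(counts, train=20, k_sigma=0.5, h_sigma=5.0):
    """Changepoint detection (one-sided CUSUM): learn the expected mean and
    spread from the first `train` seconds, then accumulate how far each later
    observation exceeds (mean + k). Returns the first second at which the
    cumulative excess crosses the decision threshold h, or None."""
    mu = mean(counts[:train])
    sigma = pstdev(counts[:train]) or 1.0   # guard against a flat baseline
    k = k_sigma * sigma                     # slack: ignore small wobbles
    h = h_sigma * sigma                     # decision threshold
    s = 0.0
    for t in range(train, len(counts)):
        s = max(0.0, s + (counts[t] - mu) - k)
        if s > h:
            return t
    return None


if __name__ == "__main__":
    print("activity profile alert at second:", activity_profile(PACKETS_PER_SECOND))
    print("CUSUM changepoint at second:", cusum_changepoint(PACKETS_PER_SECOND))
```

On this sample the CUSUM fires at second 20, the first flood second, while the windowed activity profile needs one more second of data before the recent average crosses three times the baseline.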

ONCE WE KNOW, WE MITIGATE THE ATTACK  Two examples of methods to mitigate a DDoS:  Load balancing  Throttling

DEFENDING AGAINST BOTNETS  RFC 3704 filtering  Black hole filtering  Cisco IPS source IP reputation filtering  DDoS prevention offerings from an ISP or a DDoS mitigation service

RFC 3704 FILTERING  Also known as ingress filtering for multihomed networks  You are basically filtering out traffic arriving from the Internet that uses private IP addresses as its source  Remember that private IP addresses are not routable on public networks

BLACK HOLE FILTERING  Drops packets at the routing level  Normally, when a packet does not reach its destination, a request to resend is sent back, which would keep the attack going  Black hole filtering simply drops the packet and does not inform the source
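The RFC 3704 and black hole filtering slides above, as an added example that is not part of the presentation: a per-packet ingress decision for a multihomed edge router that drops private/bogon sources arriving from outside and then applies the loose and strict reverse-path checks that RFC 3704 describes (the slides only mention the private-address case; the RPF modes go a step further). The routing table, interface names and the bogon list are constructed for the example; a drop silently discards the packet, as black hole filtering does.

```python
import ipaddress

# RFC 1918 private space plus other never-valid public source ranges
# (loopback, link-local, "this network"). Constructed, abbreviated list; a
# production bogon list is longer and must be kept current.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]

# Constructed routing table for a multihomed edge router: prefix -> interface
# through which that prefix is reachable. "internal" faces our own network.
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "internal",   # our public block
    ipaddress.ip_network("198.51.100.0/24"): "isp-a",
    ipaddress.ip_network("192.0.2.0/24"): "isp-b",
}


def is_bogon(src):
    return any(src in net for net in BOGON_PREFIXES)


def reverse_path_interface(src):
    """Longest-prefix match: the interface the router would use to reach src."""
    best = None
    for net, iface in ROUTES.items():
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def ingress_decision(src_ip, in_iface, mode="strict"):
    """RFC 3704-style ingress check for one packet. Returns 'drop' or 'accept'.
    - any mode: drop private/bogon sources arriving on an external interface
    - loose RPF: drop if there is no route back to the source at all
    - strict RPF: additionally drop unless that route points at in_iface
    A drop sends nothing back to the source (black hole behaviour)."""
    src = ipaddress.ip_address(src_ip)
    if in_iface != "internal" and is_bogon(src):
        return "drop"                        # private address from the Internet
    rp = reverse_path_interface(src)
    if rp is None:
        return "drop"                        # loose RPF fails: unrouted source
    if mode == "strict" and rp != in_iface:
        return "drop"                        # spoofed, or asymmetric routing
    return "accept"
```

The strict check also catches packets claiming our own 203.0.113.0/24 addresses when they arrive from an ISP link, which loose mode would accept; strict mode can misfire on legitimately asymmetric multihomed paths, which is why RFC 3704 discusses both.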

CISCO IPS SOURCE IP REPUTATION FILTERING  Used by the Cisco IPS  A database that deems whether an IP address or service is a possible threat

DDOS PREVENTION FROM ISP  Helps prevent IP spoofing at the ISP level  Uses DHCP snooping to make sure hosts use the IP addresses assigned to them  Creates, in a way, a white list of which IP addresses can access your network

TARGETED MALWARE  A different method of malware attack, where an individual or entity is specifically targeted.  Usually malware uses an “artillery” approach, to hit and infect as many as possible.  Main objectives could be to obtain access to sensitive information, or disruption.

HOW IT WORKS  Attackers use all the tricks in the book: fake e-mails, malware-filled websites.  They research their victims, to be able to extract information.  With the information gathered, a more effective social engineering attack can be successfully completed.  Since the attacks are targeted at a smaller audience, they sometimes slip through the cracks because they do not get reported.

EXAMPLES OF TARGETED MALWARE  Stuxnet worm  Specifically targets industrial control systems  Hotord Trojan and Ginwui4  Both used in corporate espionage

DETECT AND MITIGATE  Some methods of detecting and mitigating malware:  Heuristics  Multi-layered pattern scanning  Traffic-origin scanning  Behavior observation

THANK YOU