Monitoring botnets from within Students: Yevgeni Sabin, Alexander Chigirintsev Supervisor: Amichai Shulman Technion - Israel Institute of Technology COMPUTER SCIENCE DEPARTMENT Project in Computer Security (236349)

Background: Botnet – a group of computers infected by malicious code, connected to the Internet and controlled by an attacker via a command and control center (here, an IRC server). In our case the infected machines are web servers.

Background: RFI – remote file inclusion is a type of attack in which a “dynamic file include” mechanism is exploited. The attacker includes malicious code and takes control of the server. The vulnerable pattern from the slide (the query string is used as the include path without any validation):

<?php
$url = $_SERVER['REQUEST_URI'];
$file = parse_url($url, PHP_URL_QUERY);
include $file;
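The include logic above, modelled in Python as an added example (not code from the presentation or its authors): vulnerable_include_target reproduces the slide's behaviour, safe_include_target shows the allowlist check that removes the remote-include possibility, and looks_like_rfi is a log-review heuristic that flags requests whose query carries a URL, which is what the scanner traffic described later looks like in a web server log. PAGES_DIR, ALLOWED_PAGES and the evil.example host in the test inputs are constructed values and do not come from the slides.

```python
"""Added example (not from the presentation): the slide's include logic in
Python, beside an allowlist check that closes the RFI, and a log heuristic."""
import re
import posixpath
from urllib.parse import urlparse, parse_qsl

# Constructed application layout: named pages live under PAGES_DIR.
PAGES_DIR = "/var/www/site/pages"
ALLOWED_PAGES = {"home", "about", "contact"}

# Anything that starts with a scheme (http:, ftp:, php:, data:, ...) is a URL
# or a stream wrapper, never a page name.
URL_SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def vulnerable_include_target(request_uri: str) -> str:
    """Same behaviour as the PHP on the slide: whatever follows '?' becomes
    the include path unchanged, so a remote URL is included as-is."""
    return urlparse(request_uri).query


def safe_include_target(request_uri: str):
    """Return the local file for an allowlisted page name, or None.

    The check is done on the name before any file system lookup: URLs,
    stream wrappers, path separators and traversal are all rejected, and
    only names from ALLOWED_PAGES are mapped to a path under PAGES_DIR."""
    query = urlparse(request_uri).query
    if URL_SCHEME.match(query) or "/" in query or "\\" in query or ".." in query:
        return None
    if query not in ALLOWED_PAGES:
        return None
    path = posixpath.normpath(posixpath.join(PAGES_DIR, query + ".php"))
    # Defence in depth: the resolved path must still be inside PAGES_DIR.
    if not path.startswith(PAGES_DIR + "/"):
        return None
    return path


def looks_like_rfi(request_uri: str) -> bool:
    """Log-review heuristic: the bare query, or any parameter value, is a URL."""
    query = urlparse(request_uri).query
    if URL_SCHEME.match(query):
        return True
    return any(URL_SCHEME.match(value)
               for _, value in parse_qsl(query, keep_blank_values=True))


if __name__ == "__main__":
    for uri in ("/index.php?about",
                "/index.php?http://evil.example/shell.txt",
                "/index.php?DOCUMEN_ROOT=http://evil.example/x.txt?"):
        print(uri, "->", safe_include_target(uri), "rfi?", looks_like_rfi(uri))
```

The heuristic in looks_like_rfi is deliberately broad: a legitimate application that passes URLs in query parameters will trigger it, so it is a triage filter for honeypot or web server logs, not a blocking rule.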

Methodology – Setup:
Virtual Machine (VMware) on a home PC:
– OS: Windows XP SP3
– Apache HTTP server + PHP 5.3
– Mail server
– Simple vulnerable site
– Wireshark

Methodology: Links to malicious code were received from the supervisor or found on the Internet. Each link was remotely included in our fake site. All network communication was recorded by the network analyzer and analyzed later.

Infection process (diagram): IRC; find a victim

IRC Command and Control Server

Finding vulnerable servers – a scanner request and the per-search-engine result counts reported back to the channel:
PRIVMSG #b0yz :!rfi /index.php?DOCUMEN_ROOT= "netcat_files"
PRIVMSG #b0yz :.9,1[.15rfi.9].[AsK] 403
PRIVMSG #b0yz :.9,1[.15rfi.9].[SaPo] 1055
PRIVMSG #b0yz :.9,1[.15rfi.9].[oNeT] 52
PRIVMSG #b0yz :.9,1[.15rfi.9].[YahOo] 1222
PRIVMSG #b0yz
PRIVMSG #b0yz
PRIVMSG #b0yz

What can an infected machine do? (command list from the pBot source comment)
.user //login to the bot
.logout //logout of the bot
.die //kill the bot
.restart //restart the bot
.mail //send an
.dns //dns lookup
.download //download a file
.exec // uses exec() //execute a command
.sexec // uses shell_exec() //execute a command
.cmd // uses popen() //execute a command
.info //get system information
.php // uses eval() //execute php code
.tcpflood //tcpflood attack
.udpflood //udpflood attack
.raw //raw IRC command
.rndnick //change nickname
.pscan //port scan
.safe // test safe_mode (dvl)
.inbox // test inbox (dvl)
.conback // connect back (dvl)
.uname // return shell's uname using a php function (dvl)
In practice: sending spam, DDoS attacks, testing for vulnerabilities, downloading and executing files.

Getting direct access to the server. Example:
MODE #preman +v [A]b0yz848
PRIVMSG #preman :.user setan
PRIVMSG #preman :[.Auth.]: OK b0yz_JbX You Are Ready... My OwnER !!!!!!!!!!!!!!!!!!!!
PRIVMSG #preman :.info
PRIVMSG #preman :[.info.]: Windows NT MYSEREVE-E176B7 5.1 build 2600 (Windows XP Professional Service Pack 3) i586 (safe: off)
PRIVMSG #preman :[.vuln.]:
PRIVMSG #preman :.download mail.php
PRIVMSG #preman :[.download.]: Arquivo. baixado para.mail.php.
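The scanner reports, the pBot command set and the control session shown on the last three slides can be told apart mechanically in a capture. The classifier below is an added example (not the project's code): it reads IRC lines as Wireshark would show them, strips the mIRC colour codes (the bytes that appear as stray dots in the slide text), and labels each PRIVMSG as a scan request, a scan report, a bot control command or a bot reply. The sample lines are constructed from the fragments on the slides; the nick!user@host prefixes are invented, and the command set is the one listed in the pBot comment above.

```python
"""Added example (not from the presentation): classify IRC PRIVMSG lines from a
honeypot capture into scanner traffic and pBot control traffic."""
import re
from collections import Counter

# mIRC colour codes (\x03 with optional fg[,bg]) plus bold/underline/reverse/reset.
MIRC_CODES = re.compile(r"\x03(?:\d{1,2}(?:,\d{1,2})?)?|[\x02\x1f\x16\x0f]")
PRIVMSG = re.compile(r"^(?::(?P<prefix>\S+) )?PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

# Control commands from the pBot source comment shown on the slide.
PBOT_COMMANDS = {
    ".user", ".logout", ".die", ".restart", ".mail", ".dns", ".download",
    ".exec", ".sexec", ".cmd", ".info", ".php", ".tcpflood", ".udpflood",
    ".raw", ".rndnick", ".pscan", ".safe", ".inbox", ".conback", ".uname",
}

SCAN_REQUEST = re.compile(r"^!(?P<vuln>\w+)\s+(?P<dork>.+)$")          # !rfi <dork>
SCAN_REPORT = re.compile(r"^\[(?P<vuln>\w+)\]\.\[(?P<engine>[^\]]+)\]\s+(?P<count>\d+)$")
BOT_REPLY = re.compile(r"^\[\.(?P<cmd>\w+)\.\]:\s*(?P<body>.*)$")       # [.info.]: ...


def strip_mirc_codes(text: str) -> str:
    return MIRC_CODES.sub("", text)


def classify(line: str):
    """Return a dict describing the line, or None if it is not a PRIVMSG."""
    m = PRIVMSG.match(line.rstrip("\r\n"))
    if not m:
        return None
    text = strip_mirc_codes(m.group("text")).strip()
    record = {"channel": m.group("target"), "text": text}
    r = SCAN_REQUEST.match(text)
    if r:
        record.update(kind="scan_request", vuln=r.group("vuln"), dork=r.group("dork"))
        return record
    r = SCAN_REPORT.match(text)
    if r:
        record.update(kind="scan_report", vuln=r.group("vuln"),
                      engine=r.group("engine"), hits=int(r.group("count")))
        return record
    r = BOT_REPLY.match(text)
    if r:
        record.update(kind="bot_reply", cmd=r.group("cmd").lower(), body=r.group("body"))
        return record
    head = text.split(None, 1)
    if head and head[0].lower() in PBOT_COMMANDS:
        record.update(kind="bot_command", cmd=head[0].lower(),
                      args=head[1] if len(head) > 1 else "")
        return record
    record["kind"] = "chat"
    return record


def summarize(lines):
    """Count line kinds, control commands and reported hits per search engine."""
    kinds, commands, hits = Counter(), Counter(), Counter()
    for line in lines:
        rec = classify(line)
        if rec is None:
            continue
        kinds[rec["kind"]] += 1
        if rec["kind"] == "bot_command":
            commands[rec["cmd"]] += 1
        elif rec["kind"] == "scan_report":
            hits[rec["engine"]] += rec["hits"]
    return {"kinds": kinds, "commands": commands, "hits_by_engine": hits}


# Constructed from the slide fragments; prefixes are invented, colour bytes restored.
SAMPLE_LINES = [
    ':scanner!u@h PRIVMSG #b0yz :!rfi /index.php?DOCUMEN_ROOT= "netcat_files"',
    ":scanner!u@h PRIVMSG #b0yz :\x039,1[\x0315rfi\x039].[AsK] 403",
    ":scanner!u@h PRIVMSG #b0yz :\x039,1[\x0315rfi\x039].[SaPo] 1055",
    ":scanner!u@h PRIVMSG #b0yz :\x039,1[\x0315rfi\x039].[YahOo] 1222",
    ":setan!u@h MODE #preman +v [A]b0yz848",
    ":setan!u@h PRIVMSG #preman :.user setan",
    ":[A]b0yz848!u@h PRIVMSG #preman :[.Auth.]: OK b0yz_JbX You Are Ready... My OwnER !!!",
    ":setan!u@h PRIVMSG #preman :.info",
    ":[A]b0yz848!u@h PRIVMSG #preman :[.info.]: Windows NT MYSEREVE-E176B7 5.1 build 2600 (safe: off)",
    ":setan!u@h PRIVMSG #preman :.download mail.php",
    ":[A]b0yz848!u@h PRIVMSG #preman :[.download.]: Arquivo. baixado para.mail.php.",
]

if __name__ == "__main__":
    for key, counter in summarize(SAMPLE_LINES).items():
        print(key, dict(counter))
```

Run over a whole capture, the hits_by_engine counter gives the per-engine numbers the scanners report, and the commands counter shows which part of the pBot command set the operators actually use, which is the basis for the conclusion below that most of the bot's functionality goes unused.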

Botnet example – #rafflesia (by room name)
Monitoring time: 5 days
Number of bots: ~150
Joins per day: ~60
Leaves per day: ~70
Bots on the same system: ~3 on average
Maximum bots on the same system: 37 (hetzner.de – VDS provider)

Botnet example (diagram): ~150 participants; scanners

Botnet example – #rafflesia (by room name)
Number of scanners: 6
Can look for ~15 vulnerabilities:
– RFI, LFI, SQL injection, WordPress
– osCommerce, Zen Cart® Ecommerce, e107 and more
Search engines in use: 32
– GooGLe, ReDiff, Bing, ALtaViSTa, AsK, UoL, CluSty, GutSer, ExaLead, VirgiLio, WebDe, AoL, SaPo, DuCk, YauSe, BaiDu, KiPoT, GiBLa, YahOo, HotBot, LyCos, LyGo, BLacK, oNeT, SiZuka, WaLLa, DeMos, RoSe, SeZnaM, TisCali, NaVeR
Scans per day: 48
Vulnerabilities looked for: WordPress (88%), RFI (12%)
Vulnerable sites found per day: ~155


Compromised site example

Conclusions
1. The main use of PHP botnets is searching for and infecting vulnerable sites. A PHP botnet provides a good ready-to-use infrastructure for this purpose.
2. Almost no “traditional” botnet activity was observed. Traditional attacks such as DDoS are hard to carry out with such a low number of participants.
3. Low variety of bots used (mainly “pBot”). Most of their functionality is not used.
4. Known (old) vulnerabilities are used to infect the systems – only sites that are not maintained well can be infected.

Further steps
1. Improve the honeypot – a more realistic site that holds information interesting to an attacker. A small online store is very attractive to hackers.
2. Try to get the system infected the normal way the botnets do it – through the scanners (get into Google search results).
3. More observation time (a few weeks).