AN INSIDE LOOK AT BOTNETS. Paul Barford and Vinod Yegneswaran, Advances in Information Security, Springer, 2006. Presented by Kishore Padma Raju.

INTRODUCTION
– Attacks for financial gain
– Proactive methods
– Understanding of malicious software readily available
– 4 IRC botnet codebases along 7 dimensions

ARCHITECTURE
AGOBOT (Phatbot)
– Found in October 2002
– Sophisticated and best written source code
– 20,000 lines of C/C++
– High level components: IRC based command and control mechanism, large collection of target exploits, DOS attacks, harvest the local host

SDBOT
– October 2002
– Simple code in C, 2000 lines
– IRC based command and control system
– Easy to extend, so many patches available (DOS attacks, information harvesting routines)
– Motivation for patch dissemination is diffusion of accountability

SPYBOT
– 3000 lines of C code
– April 2003
– Evolved from SDBOT; no diffusion of accountability
– Includes scanning capability and launching flooding attacks
– Efficient

GTBOT (Global Threat) (Aristotles)
– Based on functions of mIRC (writes event handlers for remote nodes)
– Capabilities are port scanning, DOS attacks
– Stored in file mirc.ini
– Remote execution: BNC (proxy system), psexec.exe
Implications

BOTNET CONTROL MECHANISMS
Communication: command language and control protocols
Based on IRC
Commands
– Deny service
– Spam
– Phish

Agobot
– Command language contains standard IRC commands and commands specific to this bot
– Bot commands perform specific functions: bot.open, cvar.set, ddos_max_threads

Sdbot
– IRC session state diagram (figure; only the labels survive): NICK_USER, PONG, USERHOST, JOIN, EST, ACTION, RESET, REJOIN, NICK, PING, 302, KICK, 353, PART/QUIT, PRIVMSG/NOTICE/TOPIC, 001/005

SPYBOT
– Command language simple
– Commands are login, passwords, disconnect, reconnect, uninstall, spy, loadclones, killclones
GTBOT
– Simplest
– Varies across versions
– Commands are !ver, !scan, !portscan, !clone.*, !update
IMPLICATIONS
– Now simple
– Future: encrypted communication
– Fingerprinting methods
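The fingerprinting implication above, as an added example that is not part of the presentation or the paper: a small IRC line parser plus a first-word match against the bot command tokens the slides list, run over constructed channel traffic. The IRC regex, the "command is the first word, optionally prefixed with a dot" convention and the sample log are assumptions.

```python
import re

# Bot command tokens as listed on the slides (Agobot, SDBot, Spybot, GTBot).
BOT_COMMANDS = {
    "agobot": ("bot.open", "cvar.set", "ddos.udpflood", "ddos.synflood",
               "scan.addnetrange", "scan.delnetrange", "scan.enable", "pctrl.list"),
    "sdbot":  ("download", "killthread"),
    "spybot": ("login", "loadclones", "killclones", "startkeylogger", "stopkeylogger"),
    "gtbot":  ("!ver", "!scan", "!portscan", "!update"),
}
TOKEN_TO_FAMILY = {t: f for f, toks in BOT_COMMANDS.items() for t in toks}
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Z0-9]+)(?: (?P<params>.*))?$")

def parse_irc(line):
    """Split one raw IRC line into (prefix, command, trailing text); None if malformed."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    params = m.group("params") or ""
    if params.startswith(":"):            # whole parameter list is the trailing text
        trailing = params[1:]
    else:                                 # trailing text follows the first " :"
        trailing = params.split(" :", 1)[1] if " :" in params else params
    return m.group("prefix"), m.group("cmd"), trailing

def fingerprint(lines):
    """Return (family, token, line) for each message whose first word is a bot command."""
    # Assumption (not from the paper): the controller issues commands as the first
    # word of a PRIVMSG/NOTICE/TOPIC body, optionally prefixed with '.'.
    hits = []
    for line in lines:
        parsed = parse_irc(line)
        if parsed is None or parsed[1] not in ("PRIVMSG", "NOTICE", "TOPIC"):
            continue
        words = parsed[2].split()
        first = words[0].lower().lstrip(".") if words else ""
        if first in TOKEN_TO_FAMILY:
            hits.append((TOKEN_TO_FAMILY[first], first, line))
    return hits

# Constructed sample channel traffic (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    ":op!u@h PRIVMSG #chan :hello everyone, please update your client",
    ":op!u@h PRIVMSG #chan :.ddos.udpflood 192.0.2.10 80 120",
    ":op!u@h TOPIC #chan :.scan.addnetrange 192.0.2.0/24 100",
    ":op!u@h PRIVMSG #chan :!portscan 192.0.2.5 1 1024",
    ":op!u@h NOTICE #chan :startkeylogger",
    "PING :irc.example.net",
]
```

Plain chat that happens to contain a token such as "update" is not flagged, because only the first word of the body is compared.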

HOST CONTROL MECHANISMS
Manipulate the victim host
AGOBOT
– Commands to harvest sensitive information (harvest.cdkeys, harvest. s, registry, windowskeys)
– List and kill processes (pctrl.list, kill, killpid)
– Add or delete autostart entries (inst.asadd, asdel)
SDBOT
– Remote execution commands and gathering of local information
– Patches
– Host control commands (download, killthread, update)

SPYBOT
– Control commands for file manipulation, key logging, remote command execution
– Commands are delete, execute, makedir, startkeylogger, stopkeylogger, reboot, update
GTBOT
– Gathering local system information
– Run or delete local files
IMPLICATIONS
– Underscore the need to patch
– Stronger protection boundaries
– Gathering of sensitive information

PROPAGATION MECHANISMS
Search for new host systems: horizontal and vertical scan
AGOBOT
– IP addresses within network ranges
– scan.addnetrange, scan.delnetrange, scan.enable
SDBOT
– Same as Agobot
– NETBIOS scanner: starting and end IP addresses

SPYBOT
– Command interface: command "scan"; example: scan netbios portscan.txt
GTBOT
– Horizontal and vertical scanning
IMPLICATIONS
– Simple scanning methods
– Source code examination

EXPLOITS AND ATTACK MECHANISMS
Attack known vulnerabilities on target systems
AGOBOT
– Broadening set of exploits
– Generic DDOS module enables seven types of denial of service attacks: ddos.udpflood, synflood, httpflood, phatsyn, phaticmp, phatwonk, targa3, stop
SDBOT
– UDP and ICMP packets, flooding attacks
– udp and ping

SPYBOT AND GTBOT
– Same as SDBOT
IMPLICATIONS
– Multiple exploits

MALWARE DELIVERY MECHANISMS
GT/SD/Spy bots deliver the exploit and the encoded malware in a single package
Agobot
– Exploits the vulnerability and opens a shell on the remote host
– The encoded binary is then sent using HTTP or FTP
IMPLICATIONS

OBFUSCATION MECHANISMS
Hide the details: polymorphism
AGOBOT
– POLY_TYPE_XOR
– POLY_TYPE_SWAP
– POLY_TYPE_ROR
– POLY_TYPE_ROL
IMPLICATIONS
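The four POLY_TYPE_* transforms from the scanner's side, as an added example that is neither the paper's nor Agobot's code: each is a byte-local map with a tiny key space, so a detector can simply try every inverse and look for a known string. The key widths (one XOR byte, adjacent-pair swap, 1..7 bit rotations) and the sample blob are assumptions.

```python
# Byte-level inverses of the four Agobot POLY_TYPE_* transforms named on the slide.
# Assumptions (not from the paper): XOR uses one key byte for every byte, SWAP
# exchanges adjacent byte pairs, ROR/ROL rotate each byte by the same 1..7 bits.
def xor_bytes(data, key):
    return bytes(b ^ key for b in data)

def swap_pairs(data):
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)

def rol8(b, k):
    return ((b << k) | (b >> (8 - k))) & 0xFF

def ror8(b, k):
    return ((b >> k) | (b << (8 - k))) & 0xFF

def rol_bytes(data, k):
    return bytes(rol8(b, k) for b in data)

def ror_bytes(data, k):
    return bytes(ror8(b, k) for b in data)

def candidate_decodings(blob):
    """Yield (encoder label, decoded bytes) for every transform and key: 264 tries."""
    for key in range(256):
        yield ("POLY_TYPE_XOR key=0x%02x" % key, xor_bytes(blob, key))
    yield ("POLY_TYPE_SWAP", swap_pairs(blob))           # SWAP is its own inverse
    for k in range(1, 8):   # ROR by k is the same byte map as ROL by 8-k: one loop covers both
        yield ("POLY_TYPE_ROR k=%d / POLY_TYPE_ROL k=%d" % (k, 8 - k), rol_bytes(blob, k))

def scan(blob, signature):
    """Return (encoder label, offset) of the first decoding that exposes the signature."""
    for label, decoded in candidate_decodings(blob):
        idx = decoded.find(signature)
        if idx >= 0:
            return label, idx
    return None

# Constructed sample: a command string from the slides' Agobot listing, buried in
# filler and then ROR-encoded by 3 bits, as the obfuscator would leave it on disk.
SIGNATURE = b"harvest.cdkeys"
SAMPLE_BLOB = ror_bytes(b"\x00\x01junk" + SIGNATURE + b"tail", 3)

if __name__ == "__main__":
    print(scan(SAMPLE_BLOB, SIGNATURE))   # ('POLY_TYPE_ROR k=3 / POLY_TYPE_ROL k=5', 6)
```

The whole search costs a few hundred passes over the blob, which is why constant-key XOR and byte rotation hide nothing from a signature scanner and the slide's implication points at stronger encryption as the next step.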

CONCLUSIONS
– Expanded the knowledge base for security research
– Lethal classes of internet threats
– Functional components of botnets

WEAKNESSES
– Study only IRC
– No preventive mechanisms
– No dynamic profiling of botnet executables
– Insufficient analysis

IMPROVEMENTS
– Dynamic profiling can be executed using some tools
– Botnet monitoring mechanism can be explained
– Analysis for peer to peer infrastructure