Bot and Botnet. Chien-Chung Shen, cshen@cis.udel.edu


Bots
- Typically, viruses and worms are equipped with a certain fixed behavior. Any time they migrate to a new host, they try to engage in that same behavior.
- A bot is usually equipped with a larger repertoire of behaviors. Additionally, a bot maintains, directly or indirectly, a communication link with a human handler, known as a bot-master.
- The specific exploits that a bot engages in at any given time on any specific host depend on what commands it receives from the bot-master: the bot does the bidding of the bot-master.
- A bot-master can harness the power of several bots working together to bring about a result that could be more damaging than what a single bot working all by itself can accomplish:
  - bots working together could mount a Distributed DoS attack
  - spam is more difficult to squelch if it is spewing out simultaneously from several bots at random locations in a network
- Example: Rustock botnet (en.wikipedia.org/wiki/Rustock_botnet)

Botnets
- A collection of bots working together for the same bot-master constitutes a botnet.
- A bot must have communication capabilities that allow it to receive commands and, in some cases, to return results to the bot-master: the command and control (C&C) structure.
- Modes of C&C server:
  - Push: the C&C server acts like a broadcast server, broadcasting the same message to all bots (e.g., an IRC server)
  - Pull: bots send a request to the C&C server every once in a while for the latest commands (e.g., an HTTPD server)

C&C of Botnet
- Why IRC or HTTP?
  - A botnet exploit is more likely to go undetected if communication between bots and the C&C server uses standard protocols as opposed to some custom-designed protocol.
  - With standard protocols, it becomes much more difficult for a packet sniffer or protocol analyzer to detect an anomaly.
- Why a C&C server?
  - Indirection allows the communications between the human handler and the C&C server to be infrequent, making it that much harder to discover the human handler.

IRC Protocol
- IRC: Internet Relay Chat
- With regard to participating hosts, an IRC overlay can be thought of as a spanning tree over the underlying TCP/IP network of servers.
- The entire network looks like a single logical chat server to all the clients. This means that all of the individual servers must stay synchronized in real time with regard to the state of all the servers and of all the users in the network.
- It is this instant server-to-server synchronization that sets the IRC protocol apart from a run-of-the-mill chat server or, even, a social networking site.

IRC Protocol
- Each user in an IRC network is identified by a nickname, commonly referred to as just the "nick" for that user.
- The concept of a channel is fundamental to how the users organize themselves into different groups in an IRC network. By definition, a channel is simply a set of users.
  - Local channel: local to each specific server, e.g. &localSchool => {a, b, c}
  - Global channel: global to all the servers, e.g. #movies => {a, b, x, y, z}

IRC Protocol
- All messages, including those used for command and control, in an IRC network conform to the following syntax:
  1. an optional ':'-prefixed string, followed by
  2. a valid IRC command in ASCII, followed by
  3. the arguments to the command
- Sample commands:
  CONNECT <target server> [<port> [<remote server>]]
  INFO [<server>]
  JOIN <channel>{,<channel>} [<key>{,<key>}]
- With regard to the use of IRC in botnets, channels can be made secret and users made invisible.
- Sending text to others:
  PRIVMSG #botnetUnderground :Hello Bots! Are you ready to wage war?
- Writing an IRC bot in Python: http://wiki.shellium.org/w/Writing_an_IRC_bot_in_Python
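To make the message syntax concrete, here is a small parser written for these notes (it is not from the slides, from RFC 1459 tooling or from any IRC library): it splits raw lines into prefix, command and arguments, classifies the &local / #global channel names from the previous slide, and runs a defender-side check over constructed sample traffic for the MODE settings that make channels secret or users invisible. The log lines and host names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class IrcMessage:
    prefix: Optional[str]  # optional ':'-prefixed origin (nick!user@host or server name)
    command: str           # IRC command, e.g. PRIVMSG, JOIN, MODE
    params: List[str]      # arguments; a ':'-introduced trailing one may contain spaces

def parse_irc_message(line: str) -> IrcMessage:
    """Split one raw IRC line into prefix, command and parameters."""
    line = line.rstrip("\r\n")
    prefix, _, line = line[1:].partition(" ") if line.startswith(":") else (None, "", line)
    command, _, rest = line.partition(" ")
    params: List[str] = []
    while rest:
        if rest.startswith(":"):
            params.append(rest[1:])  # trailing parameter: keep everything after ':'
            break
        head, _, rest = rest.partition(" ")
        params.append(head)
    return IrcMessage(prefix, command.upper(), params)

def channel_scope(name: str) -> str:
    """'&' channels are local to one server, '#' channels span all servers."""
    if name.startswith("&"):
        return "local"
    if name.startswith("#"):
        return "global"
    return "not a channel"

def flag_stealth_modes(lines: List[str]):
    """Defender-side check over captured IRC lines: report MODE commands that set
    +s (secret channel) or +i (invisible user; invite-only on a channel), the
    settings the slides name as typical of IRC-based botnets."""
    hits = []
    for line in lines:
        msg = parse_irc_message(line)
        if msg.command == "MODE" and len(msg.params) >= 2:
            modes = msg.params[1]
            if modes.startswith("+") and any(ch in modes for ch in "si"):
                hits.append((msg.params[0], modes))
    return hits

# Constructed sample traffic (not a real capture); host names are placeholders.
SAMPLE_LINES = [
    ":handler!h@c2.example MODE #botnetUnderground +s",
    ":bot7!b@host7.example MODE bot7 +i",
    ":handler!h@c2.example PRIVMSG #botnetUnderground :Hello Bots! Are you ready to wage war?",
    "JOIN #movies,&localSchool key1,key2",
]
```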

Freenode IRC Network
- If you are a fan of open source software in general, you should become familiar with the Freenode IRC network (http://en.wikipedia.org/wiki/Freenode).
- All of Ubuntu's IRC channels are based on the Freenode servers.
- All of Wikipedia's IRC channels (http://en.wikipedia.org/wiki/Wikipedia:IRC) are also on the Freenode network.
- The freenode network (irc.freenode.net) has "chat rooms" dedicated to Wikipedia 24 hours a day, in which Wikipedians can engage in real-time discussions with each other. Many Wikipedians have chatting open in one window and hop back and forth between it and other windows in which they are working on Wikipedia.