Presentation is loading. Please wait.

Presentation is loading. Please wait.

Published: USENIX HotBots, 2007 Presented: Wei-Cheng Xiao 2016/10/11.

Published byScott French Modified over 8 years ago

Similar presentations

Presentation on theme: "Published: USENIX HotBots, 2007 Presented: Wei-Cheng Xiao 2016/10/11."— Presentation transcript:

1 Published: USENIX HotBots, 2007 Presented: Wei-Cheng Xiao 2016/10/11

2 Outline Introduction Background and history Case study: Trojan.Peacomm Related Work Conclusions and future work 2016/10/12

3 IRC-based Botnet Pros Large base of knowledge and source codes for bot development Centralized C&C, efficient communication Cons Centralized mechanism, easy to be conquered 2016/10/13

4 Motivation and Goals Motivation A peer-to-peer structure for botnet communication is beginning to appear. More attackers will move to the P 2 P botnet because it is difficult to be incapacitated. Goals To increase the understanding of P 2 P botnets and hope to help detect, mitigate, and eliminate P 2 P botnets in the future 2016/10/14

5 Contributions Providing an overview and historical perspective of botnets Presenting a case study of a Trojan.Peacomm bot 2016/10/15

6 Outline Introduction Background and history Case study: Trojan.Peacomm Related Work Conclusions and future work 2016/10/16

7 History 2016/10/17

8 Goals of Botnets The three primary goals of botnets Information dispersion Spam, DoS attacks, dispersion of false information Information harvesting identity, password, credit card number, friend list Information processing CPU, memory resources 2016/10/18

9 Outline Introduction Background and history Case study: Trojan.Peacomm Related Work Conclusions and future work 2016/10/19

10 Trojan.Peacomm Use the Overnet protocol, which implements a distributed hash table on Kademlia The initial bot Appears as an attachment “FullVideo.exe” in malicious emails Targets Windows systems Add “wincom 32.sys” to the system and inject it into services.exe Turn off the ICF/ICS service, open some ports 2016/10/110

11 Overnet A common 128 -bit numeric space is used. Node IDs are within the numeric space. Values are mapped into the numeric space with keys. (key, value) pairs are stored on the closest nodes, which is calculated by an XOR function. List of nodes is kept for each bucket in the numeric space. 2016/10/111

12 The Five Steps in Communication 1. Connect to Overnet Bootstrap onto the P 2 P network based on a hard- coded node list with 146 nodes in wincom32.ini 2. Download secondary injection URL Use keys to search for and download a value, which is an encrypted URL The keys are generated from the date and a random number [ 0…31 ] using a built-in algorithm 3. Decrypt secondary injection URL 4. Download secondary injection from a web server or other peers 5. Execute secondary injection 2016/10/112

13 Secondary Injections Include Rootkit components Email spamming components Email address harvester Email propagation components DDoS tools Update itself periodically by searching through the P 2 P network These primitives provide a C&C mechanism. 2016/10/113

14 Network Trace Analysis The Overnet packet include 10,105 unique IPs. The bot in the experiement contacts about 4200 hosts. 2016/10/114

15 Findings of The Key Search A node is asked to search for its own ID hash ( h 1 ) periodically to know the closest nodes. The command latency is not high (i.e., 3~6 seconds). The search results come from 4 responders, but their infection statuses are uncertain. It is difficult to detect other infected hosts in Overnet just from the trace data. 2016/10/115

16 Outline Introduction Background and history Case study: Trojan.Peacomm Related Work Conclusions and future work 2016/10/116

17 Related Work The zombie roundup: Understanding, detecting, and disrupting botnets. USENIX SRUTI, 2005 Points out the potential threat posed by P 2 P-based botnets Identifies some fundamental techniques for botnet analysis An inside look at botnets. Advances in Information Security, 2006 Gives an overview of some famous botnets, such as Agobot Highlights the sophistication and diverse capabilities of botnets 2016/10/117

18 Outline Introduction Background and history Case study: Trojan.Peacomm Related Work Conclusions and future work 2016/10/118

19 Conclusions and Future Work There is a recent trend in increased development of P 2 P botnets because of the difficulty to detect and eliminate them. An overview and a case study of the P 2 P botnet is presented. The future work includes P 2 P botnet detection and analysis of P 2 P botnet resilience. 2016/10/119

Download ppt "Published: USENIX HotBots, 2007 Presented: Wei-Cheng Xiao 2016/10/11."

Similar presentations

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
Kademlia: A Peer-to-peer Information System Based on the XOR Metric Petar Mayamounkov David Mazières A few slides are taken from the authors’ original.

Kademlia: A Peer-to-peer Information System Based on the XOR Metric Petar Mayamounkov David Mazières A few slides are taken from the authors’ original.
Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.

Botnets. Botnet Threat Botnets are a major threat to the Internet because: Consist of a large pool of compromised computers that are organized by a master.
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.

Taxonomy of Botnets Team Mag Five Valerie Buitron Jaime Calahorrano Derek Chow Julia Marsh Mark Zogbaum.
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.
Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.

Borrowed from Brent ByungHoon Kang, GMU. A Network of Compromised Computers on the Internet IP locations of the Waledac botnet. Borrowed from Brent ByungHoon.
563.8.2 Spam Sonia Jahid University of Illinois Fall 2007.

Spam Sonia Jahid University of Illinois Fall 2007.
Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.

Botnets Uses, Prevention, and Examples. Background Robot Network Programs communicating over a network to complete a task Adapted new meaning in the security.
1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.

1 Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling - Proceedings.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Based on article by: Jaideep Chandrashekar,

Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Based on article by: Jaideep Chandrashekar,
 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.

 Collection of connected programs communicating with similar programs to perform tasks  Legal  IRC bots to moderate/administer channels  Origin of.
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.

Similar presentations

Ads by Google