Your Botnet is My Botnet: Analysis of a Botnet Takeover


Presentation on theme: "Your Botnet is My Botnet: Analysis of a Botnet Takeover"— Presentation transcript:

1 Your Botnet is My Botnet: Analysis of a Botnet Takeover
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Presentation by Sabrina Wilkes-Morris

2 Introduction What is a Botnet? It is a network of machines controlled by a “Bot Master”. The machines in this network are usually infected with malware, and they are used to infect or gain control of other computers on the network.

3 Malicious code, or malware, has become one of the most prevalent means of attacking computers on a network. A single attacker can take over and gain control of a computer or an entire network.

4 Rootkit A rootkit is malicious software that is executed when a system boots up. Rootkits are very difficult to detect, and they allow the installation of hidden files, hidden processes and hidden user accounts.

5 Once computers are under the control of a botnet, they can be directed to execute commands or scripts and to send stolen information back to the “Bot Master”. The Bot Master catalogs and saves the information for future use.

6 A botnet can gain control of hundreds or even thousands of computers on a network. Once computers are under the control of a botnet, they can be directed to execute commands or scripts and to send stolen information back to the “Bot Master”. The Bot Master catalogs and saves the information for future use.

7 Background on Torpig Torpig is Trojan-style malware that infects a computer. Once it has been installed, it steals sensitive information and sends that information to its controller. Torpig works together with Mebroot (a rootkit) to replace the master boot record on the infected computer.

8 Browser Hijacking Man in the Browser phishing attack

9 Domain Flux Torpig Daily Domain Generation Algorithm

10 Sinkhole Preparation The authors describe how they took over the botnet. They registered domains that the bots would contact. They purchased service from two hosting providers (for the .com and .net domains) and set up an Apache server. They then waited for their network to receive requests from the bots. They collected over 70 GB of stolen data in 10 days.

11 Mebroot is a rootkit that takes control of a machine by replacing the system’s Master Boot Record (MBR). Mebroot injects its modules into a number of applications such as web browsers, FTP clients, clients, instant messengers and system programs. After the injection, Torpig can inspect all of the data these applications handle. Torpig then contacts the Torpig C&C server to upload the stolen data. This communication with the server is also over HTTP.

12 Mebroot provides functionality to manage, install, uninstall, and activate modules.
Immediately after the initial reboot, Mebroot contacts the Mebroot C&C server to obtain malicious modules. These modules are saved in encrypted form in the system32 directory. After the initial update, Mebroot contacts its C&C server periodically, in two-hour intervals.

13 The C&C server replies to a bot in one of two ways:
It can acknowledge the data (an okn response), or it can send a configuration file to the bot (an okc response). The configuration file is concealed using a simple XOR-11 encoding, and it contains new information on updated domains and encryption.

14 Data Collection by Torpig

15 Data Collection Bots use HTTP POST requests to communicate. The URL contains the hexadecimal representation of the bot identifier together with its header information.

16 URL Request by Torpig

17 Domain Generation Algorithm
Every minute the malware connects to a server address (.com) derived from the current GMT time; for a sample date of Jan 3, 2012, at 2:30 PM, the malware would connect to the corresponding .com domain. Every time an attacker wants to communicate with their malware, they choose a strike time and register the domain corresponding to that strike time 24 hours before the time is reached.

18 Botnet Size and IP Count
Because of DHCP and NAT, counting infected bots by IP address was not completely accurate. 1,247,642 unique IP addresses were observed over a period of 10 days to have contacted their web server. The median size of Torpig’s population was 49,272.
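The DHCP/NAT problem on this slide is easy to reproduce on sinkhole logs: a bot whose address changes inflates the IP count, while several bots behind one NAT deflate it. The following is an added example (not code from the paper or the presentation) that parses constructed check-in lines in a hypothetical log layout, `<hour> <ip> POST /<hex bot id>/<hex header>`, pulls the hex bot identifier out of the URL as slide 15 describes, and compares unique-IP counts with unique-bot-ID counts per hour and overall. The log format and all values are constructed for the example; Torpig's real URL layout is not reproduced.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sinkhole access-log lines (hypothetical layout, not Torpig's wire format):
#   "<hour> <client_ip> POST /<hex bot id>/<hex header bytes>"
# Bot 0a1b2c3d changes its address every hour (DHCP churn); 203.0.113.5 fronts two
# bots (NAT). Addresses are documentation ranges; identifiers are made up.
SAMPLE_LOG = """\
00 198.51.100.10 POST /0a1b2c3d/00ff
00 198.51.100.11 POST /0a1b2c3e/00ff
00 203.0.113.5 POST /0a1b2c3f/00ff
00 203.0.113.5 POST /0a1b2c40/00ff
01 198.51.100.12 POST /0a1b2c3d/00ff
01 198.51.100.11 POST /0a1b2c3e/00ff
01 203.0.113.5 POST /0a1b2c3f/00ff
02 198.51.100.13 POST /0a1b2c3d/00ff
02 203.0.113.5 POST /0a1b2c3f/00ff
02 203.0.113.5 POST /0a1b2c40/00ff
"""

# Hour, client IP, then the hex bot identifier that is the first path component.
LINE_RE = re.compile(r"^(\S+) (\S+) POST /([0-9a-fA-F]+)/")


def parse_checkins(log_text):
    """Yield (hour, ip, bot_id) for every well-formed check-in line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def population_estimates(log_text):
    """Compare the naive IP-based count with the bot-ID-based count."""
    ips_by_hour = defaultdict(set)
    bots_by_hour = defaultdict(set)
    all_ips, all_bots = set(), set()
    for hour, ip, bot in parse_checkins(log_text):
        ips_by_hour[hour].add(ip)
        bots_by_hour[hour].add(bot)
        all_ips.add(ip)
        all_bots.add(bot)
    per_hour = {h: (len(ips_by_hour[h]), len(bots_by_hour[h])) for h in sorted(ips_by_hour)}
    return {
        "per_hour": per_hour,                 # hour -> (unique IPs, unique bot IDs)
        "unique_ips": len(all_ips),           # what an IP-only census would report
        "unique_bots": len(all_bots),         # what the bot identifiers actually show
        "median_live_bots": median(len(s) for s in bots_by_hour.values()),
    }


def churn_report(log_text):
    """Return (bots seen from more than one IP, IPs that fronted more than one bot)."""
    ips_per_bot = defaultdict(set)
    bots_per_ip = defaultdict(set)
    for _, ip, bot in parse_checkins(log_text):
        ips_per_bot[bot].add(ip)
        bots_per_ip[ip].add(bot)
    dhcp_suspects = {b for b, s in ips_per_bot.items() if len(s) > 1}
    nat_suspects = {ip for ip, s in bots_per_ip.items() if len(s) > 1}
    return dhcp_suspects, nat_suspects


if __name__ == "__main__":
    est = population_estimates(SAMPLE_LOG)
    print("unique IPs:", est["unique_ips"], "unique bots:", est["unique_bots"])
    print("per hour (ips, bots):", est["per_hour"])
    print("DHCP / NAT suspects:", churn_report(SAMPLE_LOG))
```

On the constructed log the IP census reports 5 hosts while only 4 bot identifiers ever check in, and the per-hour view shows the two effects pulling in opposite directions (hour 00 has fewer IPs than bots because of the NAT address, later hours have the DHCP bot counted under fresh addresses). Counting distinct bot identifiers per time window, and taking the median over windows, is the approach the slide's population figure relies on.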

19 Botnet Size IRC Botnets
Mr. Rajab queried DNS server caches to estimate the number of bots that had resolved the name of a C&C server. P2P Botnets: Mr. Kanich measured the size of the Storm network by probing its hash table. They determined this was not the best way to determine size, because of many confounding factors such as application IDs and the way they were generated.

20 Botnet Growth

21 Botnet Growth

22 Botnet Growth

23 Top 10 Botnet Growth by Country

24 New Infections 9,336 bots for 2,753 IP addresses of infected machines

25 Financial Accounts Stolen by Torpig

26 Financial Data Symantec reported that the price of credit cards was between $ and $25. Bank account information ranged from $10 to $1,000. This means that Torpig could make between $83K and $8.3M.

27 Financial Data Stealing
Torpig is crafted to obtain information that can be sold on the underground market. Bank accounts, credit card numbers and other financial data are of extreme importance to Torpig. 38% of all credentials stolen by Torpig came from the password managers of browsers. Credit card data was also a valuable target for Torpig.

28 Proxies Torpig opens two ports on the local machine: a SOCKS proxy and an HTTP proxy. These proxies could be used to send spam or to allow anonymous navigation.

29 Threat Analysis

30 Denial of Service Cable and DSL hosts account for 65% of the infected hosts. A tremendous amount of bandwidth is available to the bot master. Corporate networks accounted for 22% of the infected hosts. Botnets of this size could cause massive denial-of-service attacks.

31 Password Analysis The Sophos poll revealed that 676 Internet users did not use strong passwords. The Torpig data validated the poll when the authors examined the user credentials stolen by the bot. Torpig stole 297,962 user credentials sent by 52,540 machines. 28% of the victims reused their credentials to access 368,501 web sites. 56,000 passwords were recovered in less than 65 minutes.
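The reuse figure on this slide (28% of victims, 368,501 sites) is a measurement over the stolen credential records, and a defender handling a breach dump computes it the same way. Below is an added example, not code from the paper or the presenter, that runs that analysis over a handful of constructed records of the form (machine id, site, username, password): it groups credentials by victim machine, flags victims who used one password on more than one site, and counts the sites those reused passwords unlock. Every record and password here is made up for the example.

```python
from collections import defaultdict

# Constructed stolen-credential records: (machine_id, site, username, password).
# m1 and m3 reuse one password across sites; m2 uses distinct passwords; m4 has one site.
RECORDS = [
    ("m1", "bank.example", "alice", "Passw0rd"),
    ("m1", "shop.example", "alice", "Passw0rd"),
    ("m1", "mail.example", "alice", "Passw0rd"),
    ("m2", "bank.example", "bob", "s3cret"),
    ("m2", "forum.example", "bob", "otherpw"),
    ("m3", "shop.example", "carol", "qwerty1"),
    ("m3", "mail.example", "carol", "qwerty1"),
    ("m4", "bank.example", "dave", "unique-1"),
]


def reuse_stats(records):
    """Measure credential reuse per victim machine.

    A victim 'reuses' when the same password appears on two or more distinct
    sites for that machine. Returns the counts a sinkhole operator would report.
    """
    # machine -> password -> set of sites where that password was used
    sites_by_pw = defaultdict(lambda: defaultdict(set))
    for machine, site, _user, password in records:
        sites_by_pw[machine][password].add(site)

    reusing = set()
    reused_sites = 0
    for machine, pw_map in sites_by_pw.items():
        for sites in pw_map.values():
            if len(sites) > 1:
                reusing.add(machine)
                reused_sites += len(sites)

    machines = len(sites_by_pw)
    return {
        "machines": machines,
        "credentials": len(records),
        "reusing_victims": len(reusing),
        "reuse_fraction": len(reusing) / machines if machines else 0.0,
        "sites_covered_by_reuse": reused_sites,
    }


def shared_passwords(records, min_victims=2):
    """Passwords chosen independently by at least `min_victims` different machines.

    A high count here is the corpus-level signal that victims pick weak,
    common passwords (the point of the Sophos poll on the slide).
    """
    machines_by_pw = defaultdict(set)
    for machine, _site, _user, password in records:
        machines_by_pw[password].add(machine)
    return {pw: len(ms) for pw, ms in machines_by_pw.items() if len(ms) >= min_victims}


if __name__ == "__main__":
    print(reuse_stats(RECORDS))
    print(shared_passwords(RECORDS))
```

The reuse fraction is defined over victims, not over credentials, which matches how the slide phrases its 28%; the site count is the total number of sites reachable with a reused password, which is what makes one stolen login valuable far beyond the site it was captured on.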

32 Password Strength Single mode; brute force mode (incremental)
Almost 80,000 passwords were cracked in 90 minutes with the John the Ripper password-cracking tool.

33 Conclusions
Botnet size based on IP count is overestimated. Victims of botnets have machines that are poorly maintained and passwords that are easy to guess. Interacting with registrars, victims’ institutions and law enforcement is a complicated process.

34 Questions?
