botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf ·...

botnets

adam everspaugh ace@cs.wisc.edu

computer security

todayMalware & botnets / Uses / Command and Control / Size estimation

Botnets

• Botnets:– CommandandControl(C&C)

– Zombiehosts(bots)

• C&Ctype:– centralized,peer-to-peer

• Infectionvector:– spam,scanning,worm(self-propagatingvirus)

• Usage:?

Howtomakemoneyoffabotnet?

• Rental– “Paymemoney,andI’llletyouusemybotnet…noquestionsasked”

• DDoSextortion– “PaymeorItakeyourlegitimatebusinessoffweb”

• Bulktrafficselling– “Paymetodirectbotstowebsitestoboostvisitcounts”

• Clickfraud,SEO– “Simulateclicksonadvertisedlinkstogeneraterevenue”– Cloaking,linkfarms,etc.

• Theftofmonetizableinformation(eg.,financialaccounts)• Ransomware– “I’veencryptedyourharddrive,nowpaymemoneytounencryptit”

• Advertiseproducts

think-pair-share

TorpigBotnet

• 2005-2009?

• 50k-180kbots

• 2008:"Mostadvancedpieceofcrimewareeverbuilt"

• Usedomainfluxtocontactcommandandcontrol(C&C)servers

• HijackedbyUCSantaBarbararesearchersandstudiedfor10days

[YourBotnetisMyBotnet:AnalysisofaBotnetTakeover,2009,Stone-Grossetal.]

HowtojoinaTorpigbotnet

1: Clickondodgylinktovulnerablewebsite

2-4:DownloadMebrootmalware

5: MebrootdownloadsTorpigDLL(yourabot!)

6: UploadallyousensitivedatatoTorpigC&C

7: Profit!(notyours)

think-pair-shareWhataredefenses?

DomainFlux• EachbotgeneratescandidatedomainnamesforC&Cservers

• Probeeachone,usethefirstonethattalkstheC&Cprotocol

• Researchersranthealgorithmforwardseveralweeks

• Discoveredun-registereddomainsandregisteredthem

• SetuptheirownC&Cserver

• Yourbotnetismybotnet

Stealingabotnet

• Researchersboughttwodomainsandhosting

• PutupC&Cservertocaptureallreportedinformationbybots

• ControlledTorpigbotnetfor10days

• Captured70GBsofstoleninformation

• Usedthesedatatostudyhowbigthebotnetwasandwhatitdid(crime)

• C&Chijacktotake-downabotnetiscalledsinkholing

Estimatingbotnetsize

TorpigbotsreporttoC&CserversusingauniquebotnetIDUsefulforcorrectlyestimatingsize

StealingFinancialAccounts

In10days,stolenaccountsfrom:- Paypal(1770)- PosteItaliane(765)- CapitalOne(314)- E*Trade(304)- Chase(217)

Ethics

● PRINCIPLE1.● Thesinkholedbotnetshouldbeoperatedsothatanyharmand/ordamagetovictimsandtargetsofattackswouldbeminimized.

● PRINCIPLE2.● Thesinkholedbotnetshouldcollectenoughinformationtoenablenotificationandremediationofaffectedparties.

Twoprinciplestoprotectvictims

recapMalware + botnets / Botnet uses / Architecture / Domain flux, C&C hijacking

botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf ·...

Documents

Sinkholing Botnets

Fast Identi cation of Structured P2P Botnets using ... · Fast Identi cation of Structured P2P Botnets using Community Detection Algorithms ... method on CHORD Botnets embedded in

Know your Enemy: Tracking Botnets

Intro to Botnets - Bilal ZIANE

Spamming Botnets: Signatures and Characteristics

Some Botnets Will Never Become Old-fashionedgo.zingbox.com/rs/562-ZPO-907/images/Some-Botnets...Some Botnets Will Never Become Old-fashioned Asher Davila – Zingbox Security Researcher

BladeRunner: Adventures in Tracking Botnets

Peer-to-Peer Botnets

Towards Incentivizing ISPs To Mitigate Botnets · Towards Incentivizing ISPs To Mitigate Botnets ... Moura Towards Incentivizing ISPs To Mitigate Botnets. ... botnet is my botnet:

Botnets Malware Spyware

SPAM/BOTNETS and Malware

Malware: Botnets and Worms

Detecting Botnets and Malware

Botnets 10 Tough Questions

Malware: Worms and Botnets

Defense against botnets

Modeling and Measuring Botnets

Cymru Botnets 101 - APNICarchive.apnic.net/meetings/26/program/security-training/botnets-101... · • Botnets are highly dynamic – Making them hard to detect, locate, and shut

Botnets An Introduction Into the World of Botnets Tyler Hudak tyler@hudakville.com

Taming botnets