Outline
• Discuss Snort lab improvements
• Spam as a vehicle behind cyber threats
• Bots and botnets
• What can be done
Lab Improvements
• Build more complex rules (multiple content matches, flow direction, thresholds)
• Provide more interaction with the snort.conf file and the installation
• Explain how Snort works in a real-world setting
• Make both labs Snort-related
Why Spam is an Issue
• Loss of employee productivity
• Money spent on hardware/software
• Dissemination of viruses, spyware, and phishing schemes
Spam: Distribution in the Past
• Open relay mail servers
• Open HTTP proxies
• Worms/mass mailers
Spam: A Better Method (from the spammer's point of view)
• Find a way to automate the spamming process while remaining anonymous: send from many computers the spammer does not own
What is a Bot
• Short for robot. A computer program that performs a function such as forwarding e-mail, responding to newsgroup messages, or searching for information.
Source: http://www.computeruser.com/resources/dictionary
Common uses for a Bot
• Web crawlers/search agents
• Interacting with online games
• Monitoring IRC channels
Only limited by imagination
Malicious Bots
• Keylogging
• Denial-of-Service attacks
• Identity theft (hosting spoofed websites)
• Spread malware
GENERATE SPAM!
Types of Bots
• Internet Relay Chat (IRC)
• Hyper-Text Transfer Protocol (HTTP)
• P2P (Peer-to-Peer file sharing)
What is IRC
• An online system that allows real-time text communication
• Consists of IRC servers and IRC clients; a client connects to a server and then joins named channels
• Members join channels (chat rooms) to discuss various topics; a channel may be protected by a key (password)
• Can be used for file sharing (DCC transfers between clients)
IRC Bots
• A program that interacts with an IRC server in an automated fashion
• Typically used to monitor a channel when an individual is away from the computer
• Can be modified by anyone with programming skills (C++, Perl, Delphi)
• IRC clients such as mIRC also have their own scripting languages
From Bots to Botnets
• An individual gains control of many bots that reside on different users' computers
• Controlled by a "bot master" who uses a command/control channel
• The bots connect to the IRC server and wait for commands from the bot master
[Diagram: Bot Master -> IRC server -> Bot, Bot, Bot]
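The detection side of the picture above, as an added example that is not part of the original slides: because bots register with the IRC server (NICK/USER) and then JOIN the same channel, a sensor can recognise command-and-control traffic from the protocol commands rather than from port 6667, and many internal hosts joining one channel on one server is the botnet signature. The flows are constructed samples; server addresses, channel name and nicknames are assumptions for illustration.

```python
"""Spot IRC command-and-control flows from reassembled client->server payloads.

Added example, not code from the original slides. Assumes TCP payloads have
already been reassembled per flow (e.g. by an IDS stream preprocessor).
"""
import re
from collections import defaultdict

# IRC commands sit at the start of a CRLF-terminated line. A bot must NICK
# and USER to register, then JOIN its channel; matching on the commands,
# not on the port, also catches servers run on 80, 8080, 443 etc.
IRC_CMD = re.compile(r"^(PASS|NICK|USER|JOIN|PRIVMSG|TOPIC)\b", re.IGNORECASE)
JOIN_RE = re.compile(r"^JOIN\s+(#[^\s,]+)", re.IGNORECASE)

# Equivalent single-content Snort rule for the first step (assumed sid):
#   alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"IRC NICK command";
#     flow:to_server,established; content:"NICK "; depth:5; nocase;
#     classtype:trojan-activity; sid:1000001; rev:1;)

# Constructed sample flows: (client_ip, server_ip, server_port, payload).
FLOWS = [
    ("10.0.0.12", "203.0.113.7", 8080,
     "NICK [USA|XP]12345\r\nUSER abc 0 0 :abc\r\nJOIN #botz pass123\r\n"),
    ("10.0.0.13", "203.0.113.7", 8080,
     "NICK [DEU|2K]98765\r\nUSER def 0 0 :def\r\nJOIN #botz pass123\r\n"),
    ("10.0.0.20", "198.51.100.9", 80,
     "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.21", "198.51.100.20", 6667,
     "NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #linux\r\n"),
]


def irc_commands(payload):
    """Return the IRC commands found at line starts, upper-cased, in order."""
    cmds = []
    for line in payload.split("\r\n"):
        m = IRC_CMD.match(line)
        if m:
            cmds.append(m.group(1).upper())
    return cmds


def joined_channels(payload):
    """Return channel names JOINed in this payload (lower-cased)."""
    chans = []
    for line in payload.split("\r\n"):
        m = JOIN_RE.match(line)
        if m:
            chans.append(m.group(1).lower())
    return chans


def is_irc_registration(payload):
    """True when the client registers with the server (NICK and USER), on any port."""
    return {"NICK", "USER"} <= set(irc_commands(payload))


def suspected_cnc(flows, min_bots=2):
    """Group IRC flows by (server, port, channel) and keep groups joined by
    at least min_bots distinct internal clients: one host in a chat room is a
    user, many hosts in the same room on an odd port look like a botnet."""
    members = defaultdict(set)
    for client, server, port, payload in flows:
        if not is_irc_registration(payload):
            continue
        for chan in joined_channels(payload):
            members[(server, port, chan)].add(client)
    return {key: sorted(c) for key, c in members.items() if len(c) >= min_bots}


if __name__ == "__main__":
    for (server, port, chan), bots in suspected_cnc(FLOWS).items():
        print(f"{server}:{port} {chan} <- {', '.join(bots)}")
```

With the sample flows only the channel on 203.0.113.7:8080 is reported; the single user on the real IRC port is below the threshold. Lowering `min_bots` or raising it is the usual tuning knob once a honeypot has shown what a given bot family's channel looks like.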
HTTP Bots
• Commonly used to generate spam
• User typically visits a website and downloads a trojan or other piece of malware
• A connection is made to a web server operated by a bot master
• More software is downloaded onto the user's computer
Methods to Spam
• Use compromised computer as spam proxy
• Use compromised computer as mail relay
• Obtain email addresses from compromised computer (harvesting)
Difficult to Trace Origin
• HTTP redirects
• Path to the actual site leads through IPs across different countries (bouncing)
• Compromised proxies don't log connections
• Tank farms act like middlemen by pushing the spam through proxies
Growing Concern
• "At the end of last year we knew of about 2,000 botnets. Towards the end of this year, we're looking at about 300,000."
Source: Jesse Villa, Frontbridge Technologies http://www.pcworldmalta.com/specials/yearend04/goodandbad.htm.
Importance of Research
• Gathering intelligence regarding botnet activity
• Use tools such as honeypots, intrusion detection systems and packet sniffers
• Perform trend analysis on the data, source information and log files (firewall and IDS)
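An added example of the trend analysis just listed, applied to the spam methods above (compromised computer as proxy or mail relay); it is not from the original slides. It parses IDS alerts in Snort's "fast" alert format and iptables-style firewall lines, then ranks internal hosts by two indicators a spam bot leaves behind: IDS alerts naming it as source, and SMTP fan-out (one host opening TCP/25 to many distinct destinations, which a workstation that uses a single mail server never does). All log lines are constructed samples, the rule IDs are assumed, and the fan-out threshold is an assumption to tune per network.

```python
"""Trend analysis over IDS alerts and firewall logs to find spam bots.

Added example, not code from the original slides. Log lines below are
constructed samples; thresholds are assumptions.
"""
import re
from collections import defaultdict

# Snort 'fast' alert output: one alert per line.
SNORT_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# iptables LOG target: KEY=value fields on one line.
IPTABLES = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)"
)

# Constructed alerts: two hosts matched assumed IRC C&C rules (sid 1000001/2).
SNORT_ALERTS = """\
01/15-14:32:01.123456  [**] [1:1000001:1] IRC NICK command on non-standard port [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.12:1043 -> 203.0.113.7:8080
01/15-14:32:02.200000  [**] [1:1000002:1] IRC JOIN channel [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.12:1043 -> 203.0.113.7:8080
01/15-14:40:10.000000  [**] [1:1000001:1] IRC NICK command on non-standard port [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.13:2210 -> 203.0.113.7:8080
"""

# Constructed firewall log: 10.0.0.12 opens SMTP to twelve distinct hosts in
# one minute (relay/proxy behaviour); 10.0.0.13 talks to one mail server;
# 10.0.0.20 only browses the web.
FIREWALL_LOG = "\n".join(
    [f"Jan 15 14:35:{i:02d} gw kernel: OUT=eth0 SRC=10.0.0.12 DST=198.51.100.{i} "
     f"PROTO=TCP SPT={1050 + i} DPT=25 SYN" for i in range(1, 13)]
    + ["Jan 15 14:36:00 gw kernel: OUT=eth0 SRC=10.0.0.20 DST=198.51.100.9 PROTO=TCP SPT=3300 DPT=80 SYN",
       "Jan 15 14:36:05 gw kernel: OUT=eth0 SRC=10.0.0.13 DST=192.0.2.25 PROTO=TCP SPT=2100 DPT=25 SYN",
       "Jan 15 14:36:07 gw kernel: OUT=eth0 SRC=10.0.0.13 DST=192.0.2.25 PROTO=TCP SPT=2101 DPT=25 SYN"]
)


def parse_snort(text):
    """Parse fast-format alerts into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in (SNORT_FAST.match(l) for l in text.splitlines()) if m]


def parse_firewall(text):
    """Parse iptables LOG lines into dicts; lines without the fields are skipped."""
    return [m.groupdict() for m in (IPTABLES.search(l) for l in text.splitlines()) if m]


def smtp_fanout(fw_events):
    """Number of distinct destination hosts each source contacted on TCP/25."""
    dsts = defaultdict(set)
    for e in fw_events:
        if e["proto"] == "TCP" and e["dport"] == "25":
            dsts[e["src"]].add(e["dst"])
    return {src: len(d) for src, d in dsts.items()}


def rank_hosts(alerts, fw_events, fanout_threshold=10):
    """Combine IDS alert counts with SMTP fan-out per internal host and
    return a list of (host, info) sorted so the hosts hit by both indicators
    come first. fanout_threshold is an assumed cut-off to tune per site."""
    alerts_by_src = defaultdict(int)
    for a in alerts:
        alerts_by_src[a["src"]] += 1
    fanout = smtp_fanout(fw_events)
    report = {}
    for host in set(alerts_by_src) | set(fanout):
        reasons = []
        if alerts_by_src[host]:
            reasons.append("ids_alerts")
        if fanout.get(host, 0) >= fanout_threshold:
            reasons.append("smtp_fanout")
        if reasons:
            report[host] = {"ids_alerts": alerts_by_src[host],
                            "smtp_destinations": fanout.get(host, 0),
                            "reasons": reasons}
    return sorted(report.items(),
                  key=lambda kv: (len(kv[1]["reasons"]), kv[1]["ids_alerts"],
                                  kv[1]["smtp_destinations"]),
                  reverse=True)


if __name__ == "__main__":
    for host, info in rank_hosts(parse_snort(SNORT_ALERTS), parse_firewall(FIREWALL_LOG)):
        print(host, info)
```

Run against the samples, 10.0.0.12 is reported with both reasons, 10.0.0.13 with IDS alerts only, and the browsing host not at all. Correlating the two sources is the point: a single IRC alert can be a legitimate chat user, and SMTP fan-out alone can be a mail server, but a workstation that does both is worth pulling off the network.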
How Industry can Help
• Educate employees
• Increase security measures
• Develop security products
• Share information and resources