Download Introduction (cont.)

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
Document related concepts

Distributed firewall wikipedia , lookup

Certificate authority wikipedia , lookup

Denial-of-service attack wikipedia , lookup

IDN homograph attack wikipedia , lookup

Mobile security wikipedia , lookup

Malware wikipedia , lookup

Storm botnet wikipedia , lookup

Transcript 
Your Botnet is My Botnet: Analysis of a
Botnet Takeover
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard
Kemmerer, Christopher Kruegel, and Giovanni Vigna
Proceedings of the 16th ACM conference on Computer and communications security ,2009
Presented by Rajesh Avula
3/7/2016
Outline
 Introduction
 Domain flux
 Taking control of the Botnet
 Botnet analysis
 Threats and data analysis
 Conclusion
Introduction
 The main purpose of this paper is to analyze the Torpig botnet’s
operations.
 Botnet size.
 The personal information is stolen by botnets.
3
Introduction (cont.)
 What is botnet?
A Botnet is a collection of software agents, or robots that run
autonomously and automatically. The term is most commonly
associated with malicious software.
 Main motivation: recognition and financial gain.
 Bot controller can ‘rent’ services of the botnet to third parties
(Botnet as service)
Introduction (cont.)
 Botnets are the primary means for cyber-criminals to carry out
their nefarious tasks, such as
 sending spam mails ,
 launching denial-of-service attacks
 stealing personal data such as mail accounts or bank credentials .
Introduction (cont.)
 Once infected with a bot, the victim host will join a botnet,
which is a network of compromised machines that are under
the control of a malicious entity, typically referred to as the
botmaster.
 Malware was developed for fun, to the current situation, where
malware is spread for financial profit.
Introduction (cont.)
 One approach to study botnets is to perform passive analysis
of secondary effects that are caused by the activity of
compromised machines.
 Collected spam mails that were likely sent by bots
 Similar measurements focused on DNS queries or DNS blacklist
queries
 analyzed network traffic (netflow data) at the tier-1 ISP level for
cues that are characteristic for certain botnets
Introduction (cont.)
 Active approach to study botnets is via infiltration.
 Using an actual malware sample or a client simulating a bot,
researchers join a botnet to perform analysis from the inside.
 To achieve this, honeypots, honey clients, or spam traps are used
to obtain a copy of a malware sample.
 For some botnets that rely on a central IRC-based C&C server,
joining a botnet can also reveal the IP addresses of other clients
(bots) that are concurrently logged into the IRC channel
Introduction (cont.)
 Attackers have unfortunately adapted, and most current
botnets use stripped-down IRC or HTTP servers as their
centralized command and control (C&C)channels.
 With such C&C infrastructures, it is no longer possible to make
reliable statements about other bots by joining as a client.
 One way to take the control of botnet is to directly seize the
physical machines that host the C&C infrastructure .
Introduction (cont.)
 Therefore, by collaborating with domain registrars , it is possible to
change the mapping of a botnet domain to point to a machine
controlled by the defender .
 Several recent botnets, including Torpig, use the concept of domain
flux.
 With domain flux, each bot periodically (and independently)
generates a list of domains that it contacts.
 The first host that sends a reply that identifies it as a valid C&C server
is considered genuine, until the next period of domain generation is
started.
IP flux
 Botnet authors have identified several ways to make these
schemes more flexible and robust by using IP fast-flux
techniques .
 With fast-flux, the bots would query a certain domain that is
mapped onto a set of IP addresses, which change frequently.
 However, fast-flux uses only a single domain name, which
constitutes a single point of failure.
Related documents
Motivation behind botnets
Motivation behind botnets
botnet_detection
botnet_detection
Document
Document
Slides - TAMU Computer Science Faculty Pages
Slides - TAMU Computer Science Faculty Pages
Offense
Offense
Defense
Defense
botnet
botnet
presentation source
presentation source
paper - acsac
paper - acsac
CNCERT/CC Annual Report 2008
CNCERT/CC Annual Report 2008
Games and the Impossibility of Realizable Ideal Functionality
Games and the Impossibility of Realizable Ideal Functionality
All About Malwares (Malicious Codes)
All About Malwares (Malicious Codes)
PDF - International Journal of Application or Innovation in
PDF - International Journal of Application or Innovation in
BotNet Detection: Enhancing Analysis by Using Data Mining
BotNet Detection: Enhancing Analysis by Using Data Mining
IOSR Journal of Computer Engineering (IOSR-JCE)
IOSR Journal of Computer Engineering (IOSR-JCE)
Cross-Analysis of Botnet Victims: New Insights and Implications
Cross-Analysis of Botnet Victims: New Insights and Implications
Tracking and Mitigation of Malicious Remote Control
Tracking and Mitigation of Malicious Remote Control