• Home

  • Documents

  • botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf ·...
14

botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

Embed Size (px)

Citation preview

Page 1: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your
Page 2: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

cs642

botnets

adam everspaugh [email protected]

computer security

Page 3: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

todayMalware & botnets / Uses / Command and Control / Size estimation

Page 4: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

Botnets

• Botnets:– CommandandControl(C&C)

– Zombiehosts(bots)

• C&Ctype:– centralized,peer-to-peer

• Infectionvector:– spam,scanning,worm(self-propagatingvirus)

• Usage:?

Page 5: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

Howtomakemoneyoffabotnet?

• Rental– “Paymemoney,andI’llletyouusemybotnet…noquestionsasked”

• DDoSextortion– “PaymeorItakeyourlegitimatebusinessoffweb”

• Bulktrafficselling– “Paymetodirectbotstowebsitestoboostvisitcounts”

• Clickfraud,SEO– “Simulateclicksonadvertisedlinkstogeneraterevenue”– Cloaking,linkfarms,etc.

• Theftofmonetizableinformation(eg.,financialaccounts)• Ransomware– “I’veencryptedyourharddrive,nowpaymemoneytounencryptit”

• Advertiseproducts

think-pair-share

Page 6: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

TorpigBotnet

• 2005-2009?

• 50k-180kbots

• 2008:"Mostadvancedpieceofcrimewareeverbuilt"

• Usedomainfluxtocontactcommandandcontrol(C&C)servers

• HijackedbyUCSantaBarbararesearchersandstudiedfor10days

[YourBotnetisMyBotnet:AnalysisofaBotnetTakeover,2009,Stone-Grossetal.]

Page 7: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

HowtojoinaTorpigbotnet

1: Clickondodgylinktovulnerablewebsite

2-4:DownloadMebrootmalware

5: MebrootdownloadsTorpigDLL(yourabot!)

6: UploadallyousensitivedatatoTorpigC&C

7: Profit!(notyours)

think-pair-shareWhataredefenses?

Page 8: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

DomainFlux• EachbotgeneratescandidatedomainnamesforC&Cservers

• Probeeachone,usethefirstonethattalkstheC&Cprotocol

• Researchersranthealgorithmforwardseveralweeks

• Discoveredun-registereddomainsandregisteredthem

• SetuptheirownC&Cserver

• Yourbotnetismybotnet

Page 9: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

Stealingabotnet

• Researchersboughttwodomainsandhosting

• PutupC&Cservertocaptureallreportedinformationbybots

• ControlledTorpigbotnetfor10days

• Captured70GBsofstoleninformation

• Usedthesedatatostudyhowbigthebotnetwasandwhatitdid(crime)

• C&Chijacktotake-downabotnetiscalledsinkholing

Page 10: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

Estimatingbotnetsize

TorpigbotsreporttoC&CserversusingauniquebotnetIDUsefulforcorrectlyestimatingsize

Page 11: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your
Page 12: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

StealingFinancialAccounts

In10days,stolenaccountsfrom:- Paypal(1770)- PosteItaliane(765)- CapitalOne(314)- E*Trade(304)- Chase(217)

Page 13: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

Ethics

● PRINCIPLE1.● Thesinkholedbotnetshouldbeoperatedsothatanyharmand/ordamagetovictimsandtargetsofattackswouldbeminimized.

● PRINCIPLE2.● Thesinkholedbotnetshouldcollectenoughinformationtoenablenotificationandremediationofaffectedparties.

Twoprinciplestoprotectvictims

Page 14: botnets - UW Computer Sciences User Pagespages.cs.wisc.edu/~ace/media/lectures/botnets.pdf · Botnets • Botnets: – Command and Control (C&C) – Zombie hosts (bots) ... [Your

recapMalware + botnets / Botnet uses / Architecture / Domain flux, C&C hijacking


Black Market Botnets

Black Market Botnets

Documents
Botnets, Cybercrime, and Cyberterrorism

Botnets, Cybercrime, and Cyberterrorism

Documents
monografia botnets

monografia botnets

Documents
BACKDOORS BOTNETS, ROOTKITS Y

BACKDOORS BOTNETS, ROOTKITS Y

Documents
Detecting Botnets and Malware

Detecting Botnets and Malware

Documents
Malware: Botnets and Worms

Malware: Botnets and Worms

Documents
Botnets y Redes Zombies

Botnets y Redes Zombies

Documents
Botnets 101

Botnets 101

Documents
Some Botnets Will Never Become Old-fashionedgo.zingbox.com/rs/562-ZPO-907/images/Some-Botnets...Some Botnets Will Never Become Old-fashioned Asher Davila – Zingbox Security Researcher

Some Botnets Will Never Become Old-fashionedgo.zingbox.com/rs/562-ZPO-907/images/Some-Botnets...Some Botnets Will Never Become Old-fashioned Asher Davila – Zingbox Security Researcher

Documents
Botnets, malware and network attacks

Botnets, malware and network attacks

Technology
Army of Botnets

Army of Botnets

Documents
Botnets And Alife

Botnets And Alife

Technology
Bots and Botnets plus

Bots and Botnets plus

Documents
Botnets & DDoS Introduction

Botnets & DDoS Introduction

Technology
Colloque cyber 2010 les botnets

Colloque cyber 2010 les botnets

Technology
Fast Identi cation of Structured P2P Botnets using ... · Fast Identi cation of Structured P2P Botnets using Community Detection Algorithms ... method on CHORD Botnets embedded in

Fast Identi cation of Structured P2P Botnets using ... · Fast Identi cation of Structured P2P Botnets using Community Detection Algorithms ... method on CHORD Botnets embedded in

Documents
Botnets An Introduction Into the World of Botnets Tyler Hudak tyler@hudakville.com

Botnets An Introduction Into the World of Botnets Tyler Hudak [email protected]

Documents
Taming botnets

Taming botnets

Technology
Modeling and Measuring Botnets

Modeling and Measuring Botnets

Documents
Malware: Worms and Botnets

Malware: Worms and Botnets

Documents
Ce hv6 module 63 botnets

Ce hv6 module 63 botnets

Technology
Peer-to-Peer Botnets

Peer-to-Peer Botnets

Documents
Botnets Malware Spyware

Botnets Malware Spyware

Documents
Worms & Botnets - EECS Instructional Support Group Home Pageinst.eecs.berkeley.edu/~cs161/sp11/slides/4.21.worms-botnets.pdf · –copy itself across open network shares –modify

Worms & Botnets - EECS Instructional Support Group Home Pageinst.eecs.berkeley.edu/~cs161/sp11/slides/4.21.worms-botnets.pdf · –copy itself across open network shares –modify

Documents
BotNets & Targeted Malware

BotNets & Targeted Malware

Documents
Resilient Botnets - KAIST

Resilient Botnets - KAIST

Documents
Introduction to Botnets - CCDCOE · referred to as a botnet or zombie network. ... After the Takedown . Introduction to Botnets Introduction to Botnets Organization

Introduction to Botnets - CCDCOE · referred to as a botnet or zombie network. ... After the Takedown . Introduction to Botnets Introduction to Botnets Organization

Documents
Cymru Botnets 101 - APNICarchive.apnic.net/meetings/26/program/security-training/botnets-101... · • Botnets are highly dynamic – Making them hard to detect, locate, and shut

Cymru Botnets 101 - APNICarchive.apnic.net/meetings/26/program/security-training/botnets-101... · • Botnets are highly dynamic – Making them hard to detect, locate, and shut

Documents
Seguridad en Redes: Botnets

Seguridad en Redes: Botnets

Documents
Defense against botnets

Defense against botnets

Documents