Taming Botnets

Life cycle and detection of bot infections through network traffic analysis
Agenda
●   Introduction
●   Bots and botnets: short walk-through
●   Taming botnets: detection and evasion
●   Our approach
●   Case studies
●   Conclusion
●   Disclaimer: we steal our images from Google Images :)
Introduction
●   Why are we doing this research?
●   Objectives
●   Our data sources
●   Our environment: a bunch of code in node.js and Python, a
    customized sandboxing platform (Cuckoo based), data indexed in Solr
Introduction: bots
●   “bot”: a software program installed on target
    machine(s) for the purpose of utilizing that
    machine's computational/network resources or
    collecting information
●   A typical bot is controlled by an external party and
    therefore needs a communication channel in order
    to receive commands and pass information back
●   Bots are typically used for malicious purposes ;-)
Introduction: bots (lifecycle)
●   Installation (infection) phase: often by means of
    a software exploit or a social engineering
    technique (fake antivirus, fake software update)
●   Post-infection phase: communication (C&C,
    peer-to-peer, etc.)
Introduction
●   Our basic assumption is that a bot needs to be
    able to communicate back in order to be useful.
●   Our analysis is primarily “blackbox”: we observe the
    network traffic of a large network infrastructure in
    order to identify possible infections and
    “communication” links
●   We also utilize sandboxing techniques to
    observe behavior (mainly from the network side)
●   We do not attempt to reverse engineer
    (manually or automatically) botnet software
Botnets
●   Infection vectors → often targeting end-user
    machines (clients) in large numbers of
    occurrences by exploiting a software
    vulnerability in the browser or related components
●   C&C communication:
    ●   Remember IRC bots? :)
    ●   over HTTP (most common)
    ●   Proprietary protocol
    ●   Centralized or P2P infrastructure
Botnets: lifecycle
●   C&C Hosting itself is another interesting
    research area ;-)
So how do you get bots on your machine? ;-)
●   Compromised servers: most widespread, often
    through silly vulns (e.g. WordPress!), but
    high-profile web sites are affected too, and domains
    get taken over (DNS poisoning and more)
●   Placing a JavaScript iframe on a compromised
    high-traffic machine is way more profitable than
    defacing it (hacktivism is only for hippies? ;)
How do you get bots (pt 2)
●   SEO poisoning/manipulation.
How do you get bots (pt 3)
●   Advertisements and malvertisements: a whole
    new ecosystem. OpenX is a huge security hole ;)
Anyways
●   Once infected, the bot talks back...
    Let's look at some real-life cases (the data is very
    recent, mostly from the past few months).
Old-school bots (still active, for real! May 2012: IRC bots are still real :-D ;-))
Carberp
●   Bot infection: drive-by-HTTP
●   Payload and intermediate malware domains: normal, just
    registered / DynDNS
●   Distributed via: many, many compromised web-sites; top
    score > 100 compromised resources detected during 1
    week.
●   C&C domains usually generated, but some special cases
    follow ;-).
●   C&C and malware domains located on the same AS (from
    the bot's point of view). Easy to detect.
●   Typical bot activity: mass HTTP POST
Domain                                URL                                                         Referrer            Payload                  Size
beatshine.is-saved.org                /g/18418362672595167.js                                     www.*****press.ru   javascript               9414
activatedreplacing.is-very-evil.org   /index.php?28d9000e56c2a63080ff89c6f5357591                 www.*****press.ru   html                     45443
activatedreplacing.is-very-evil.org   //images/r/785cee8be7f1da9a9d60820cbf8b1840.jar             -                   application/x-jar        4135
activatedreplacing.is-very-evil.org   /server_privileges.php?91370f5f009a815950578cb539f28b58=3   -                   application/executable   155529
Activity and update
Another attack attempt and update URLs
Time                   Domain                      URL                                             IP
10/Apr/2012:10:29:09   nod32-matrosov-pideri.org   //images/785cee8be7f1da9a9d60820cbf8b1840.jar   62.122.79.42
10/Apr/2012:10:29:10   nod32-matrosov-pideri.org   /expl0it/At00micArray.class                     62.122.79.42
10/Apr/2012:10:29:11   nod32-matrosov-pideri.org   /expl0it/At00micArray/class.class               62.122.79.42

02/May/2012:08:42:59   rgn7er8yafh89cehuighv.org   /bxlkizmfgtlfwcdmljmrjlunqkvsslfiru.tpl         91.228.134.210
02/May/2012:08:42:59   avast-pidersiy-gandon.com   /crypt/files/crypted/config.bin                 62.122.79.52
02/May/2012:08:43:00   rgn7er8yafh89cehuighv.org   /aDHfNt8w43yYGM.tiff                            91.228.134.210
Detection during infection and by post-infection activity
●   Infection: executable transfer from a just-registered
    domain, e.g. lifenews-sport.org, or a Dyn-DNS domain,
    e.g. uphchtxmji.homelinux.com
●   Updates: executable transfer from a just-registered
    or DynDNS domain
●   Post-infection activity: mass HTTP POST to
    generated domains like
    n87e0wfoghoucjfe0id.org, with URLs ending in
    different extensions
Netprotocol.exe
●   Bot infection was: drive-by-FTP;
                   now: drive-by-FTP and drive-by-HTTP
●   Payload and intermediate malware domains: normal, obfuscated
●   Distributed via: compromised web-sites
●   C&C domains usually generated, many domains in the .be zone.
●   C&C and malware domains located on different ASes. Bot
    updates its payload via HTTP
●   Typical bot activity: HTTP POST, payload updates via HTTP.
Domain       URL                 Referrer        Payload                  Size
3645455029   /1/s.html           Infected site   html                     997
Java.com     /js/deployJava.js   3645455029      javascript               4923
3645455029   /1/exp.jar          -               application/x-jar        18046
3645455029   /file1.dat          -               application/executable   138352
Attack analysis
- Script from www.java.com used during the attack.
- Applet exp.jar loaded by FTP.
- FTP server IP address obfuscated (written as a single
  decimal integer, 3645455029) to avoid detection.
Interesting modifications
GET http://java.com/ru/download/windows_ie.jsp?host=java.com%26returnPage=ftp://217.73.58.181/1/s.html%26locale=ru HTTP/1.1
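Decoding the obfuscated FTP host, as an added example (this is not code from the deck or its authors): browsers and inet_aton-style address parsers accept an IPv4 address written as one decimal, hexadecimal (0x...) or octal (leading 0) integer, so ftp://3645455029/1/s.html is just ftp://217.73.58.181/1/s.html, and a dotted-quad blocklist match on the URL string never fires. The helper below normalises such hosts and scans a few constructed proxy-log lines for them; the two integer hosts are the ones from the slides, the other lines and the log format ("date time method url") are assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed proxy-log lines (assumed format: "date time method url").
# The two integer-form FTP hosts are the ones shown in the slides; the
# surrounding lines are made up for the example.
SAMPLE_DOWNLOAD_LOG = """\
2012-04-20 11:11:40 GET http://www.compromised-site.invalid/index.html
2012-04-20 11:11:45 GET ftp://3645455029/1/s.html
2012-04-20 11:11:49 GET ftp://3645456330/6/e.jar
2012-04-20 11:11:50 GET http://java.com/js/deployJava.js
"""


def decode_obfuscated_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of an IPv4 address written as a single
    decimal, hexadecimal (0x...) or octal (leading 0) integer, which is how
    inet_aton-style parsers in browsers read such hosts.  Returns None for
    anything that is not one of those integer forms."""
    h = host.strip().lower()
    if re.fullmatch(r"0x[0-9a-f]+", h):
        value = int(h, 16)
    elif re.fullmatch(r"0[0-7]+", h):
        value = int(h, 8)
    elif re.fullmatch(r"[0-9]+", h):
        value = int(h, 10)
    else:
        return None          # a real hostname or a dotted literal
    if value > 0xFFFFFFFF:
        return None          # does not fit an IPv4 address
    return str(ipaddress.IPv4Address(value))


def find_integer_host_urls(log_text: str) -> List[Tuple[str, str]]:
    """Scan log lines for URLs whose host is an integer-form IP literal and
    return (url, decoded_ip) pairs, so they can be matched against the same
    dotted-quad blocklists as ordinary IP URLs."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        url = fields[3]
        host = urlsplit(url).hostname or ""
        decoded = decode_obfuscated_host(host)
        if decoded is not None:
            hits.append((url, decoded))
    return hits


if __name__ == "__main__":
    for url, ip in find_integer_host_urls(SAMPLE_DOWNLOAD_LOG):
        print(f"{url} -> {ip}")
```

3645455029 decodes to 217.73.58.181, the address the java.com redirect above already shows in clear, and 3645456330 to 217.73.63.202, the FTP target in the IDS event on the next slide. Partial dotted forms such as 217.73.14981 are also accepted by inet_aton but are not handled here.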
Key feature example
Date/Time           2012-04-20 11:11:49 MSD
Tag Name            FTP_Pass
Target IP Address   217.73.63.202
Target Object Name  21
:password           Java1.6.0_30@
:user               anonymous
Activity example
Date/Time           2012-04-29 02:05:48 MSD        2012-04-29 02:06:08 MSD
Tag Name            HTTP_Post                      HTTP_Post
Target IP Address   217.73.60.107                  208.73.210.29
:server             rugtif.be                      eksyghskgsbakrys.com
:URL                /check_system.php              /check_system.php
                    Domain registered: 2012-04-21
On-host detection and activity
●   Payload: usually netprotocol.exe, located in
    Users\USER_NAME\AppData\Roaming, which periodically
    downloads other malware
●   Further payload loaded via HTTP:
    http://64.191.65.99/view_img.php?c=4&k=a4422297a462ec0f01b83bc96068e064
●   Detection by AV: sample from May 09 2012, detect ratio 1/42
●   (demos, recoreded as videos)
Detection during infection and by post-infection activity
●   Infection: .jar and .dat files downloaded by FTP; server name
    = obfuscated IP address, e.g. ftp://3645456330/6/e.jar.
    Java version in the FTP password, e.g. Java1.6.0_29@
●   Updates: executable transfer from some Internet host,
    e.g. GET http://184.82.0.35/f/kwe.exe
●   Post-infection activity: mass HTTP POST to normal and
    generated domains with the URL check_system.php:
      09:04:46 POST http://hander.be/check_system.php
      09:05:06 POST http://aratecti.be/check_system.php
      09:06:48 POST http://hander.be/check_system.php
      09:07:11 POST http://aratecti.be/check_system.php
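The post-infection check described above, as an added example run over constructed proxy-log lines (not the authors' code): one client POSTs the same URL path to a rotating set of domains, and none of those POSTs carries a Referer, because no page the user visited triggered them. The four check_system.php POSTs are the ones from the slide; the client address, the fifth .be domain, the background traffic, the log format ("time client method url referer", "-" for no Referer) and the no-Referer heuristic are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed proxy-log lines, assumed format: "time client method url referer"
# ("-" = no Referer).  The four check_system.php POSTs to hander.be and
# aratecti.be are the ones from the slide; everything else is made up.
SAMPLE_POST_LOG = """\
09:04:46 10.1.2.33 POST http://hander.be/check_system.php -
09:04:50 10.1.2.33 GET http://www.example.org/news/index.html -
09:05:06 10.1.2.33 POST http://aratecti.be/check_system.php -
09:05:40 10.1.2.77 POST http://mail.example.com/owa/ev.owa https://mail.example.com/owa/
09:06:48 10.1.2.33 POST http://hander.be/check_system.php -
09:07:11 10.1.2.33 POST http://aratecti.be/check_system.php -
09:08:30 10.1.2.33 POST http://rugtif.be/check_system.php -
09:09:00 10.1.2.77 POST http://mail.example.com/owa/ev.owa https://mail.example.com/owa/
"""


def parse_proxy_log(text: str) -> List[dict]:
    """Split each log line into its fields and the URL into host and path."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer = line.split()
        u = urlsplit(url)
        events.append({
            "t": datetime.strptime(ts, "%H:%M:%S"),
            "client": client,
            "method": method,
            "host": u.hostname,
            "path": u.path,
            "referer": None if referer == "-" else referer,
        })
    return events


def find_post_beacons(text: str, min_posts: int = 3, min_hosts: int = 2) -> List[Dict]:
    """Group POSTs by (client, URL path).  A client that POSTs the same path
    to several different domains, never with a Referer, looks like a bot
    calling home rather than a browser submitting forms."""
    groups = defaultdict(list)
    for e in parse_proxy_log(text):
        if e["method"] == "POST":
            groups[(e["client"], e["path"])].append(e)
    hits = []
    for (client, path), evs in groups.items():
        hosts = sorted({e["host"] for e in evs})
        no_referer = all(e["referer"] is None for e in evs)
        if len(evs) >= min_posts and len(hosts) >= min_hosts and no_referer:
            evs.sort(key=lambda e: e["t"])
            # seconds between consecutive POSTs: useful to eyeball the beacon timer
            gaps = [int((b["t"] - a["t"]).total_seconds()) for a, b in zip(evs, evs[1:])]
            hits.append({"client": client, "path": path, "count": len(evs),
                         "hosts": hosts, "gaps_s": gaps})
    return hits


if __name__ == "__main__":
    for h in find_post_beacons(SAMPLE_POST_LOG):
        print(h)
```

The webmail client in the sample also POSTs repeatedly, but to one host and with a Referer, so it is not reported. Grouping by path only works for families that keep the path fixed, as netprotocol.exe does; for the Carberp traffic above, where the path changes every time, group by client alone and count distinct generated-looking hosts instead.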
Noproblemslove.com, whoismistergreen.com, etc...
●   Bot infection: drive-by-HTTP
●   Payload and intermediate malware domains: normal / DynDNS
●   Distributed via: compromised web-sites.
●   C&C domains: normal.
●   C&C and malware domains located on different ASes.
    Sophisticated attack scheme; timeout before activity.
●   Typical bot activity: mass HTTP POST
Noproblemslove.com, whoismistergreen.com, etc...
Interesting domains from the range 184.82.149.178-184.82.149.180 (Feb 2012)
Domain Name                      IP
www.google-analylics.com         184.82.149.179
google-anatylics.com             184.82.149.178
www.google-analitycs.com         184.82.149.180
webmaster-google.ru              184.82.149.178
paged2.googlesyndlcation.com     184.82.149.179
googlefilter.ru                  184.82.149.179
rambler-analytics.ru             184.82.149.179
site-yandex.net                  184.82.149.180
www.yandex-analytics.ru          184.82.149.178
googles.4pu.com                  184.82.149.178
googleapis.www1.biz              184.82.149.178
syn1-adriver.ru                  184.82.149.178
Hoster range and AS
www.google-analylics.com looks good, BUT
Google, Rambler and Yandex together on 184.82.149.176/29?

The hoster's address range and autonomous system (AS)
are useful when you analyze suspicious events.
What happens next?
Other domains, but the owner is the same
What's common
whoismistergreen.com
    IP address: 213.5.68.105
    Created: 2011-07-26
    Registrant Name: JOHN ABRAHAM
    Address: ul. Dubois 119
    City: Lodz
noproblemslove.com
    IP address: 213.5.68.105
    Created: 2011-12-07
    Registrant Contact: Whois Privacy Protection Service, Whois Agent,
    gmvjcxkxhs@whoisservices.cn
patr1ckjane.com
    IP was: 176.65.166.28
    IP now: 213.5.68.105
    Created: 2011-07-21
    Registrant Name: patrick jane
    Address: ul. Dubois 119
    City: Lodz
noproblemsbro.com
    IP address: 176.65.166.28
    Created: 2011-12-07
    Registrant Contact: Whois Privacy Protection Service, Whois Agent,
    gmvjcxkxhs@whoisservices.cn
Detection during infection and by post-infection activity
●   Infection: executable transfer from just-registered
    or Dyn-DNS domains, like fx58.ddns.us
●   Updates: application/octet-stream bulk data
    loaded from the C&C
●   Post-infection activity: mass HTTP POST to
    normal-looking domains, i.e.
    noproblemslove.com, whoismistergreen.com, etc...
Detection
●   What we are building ;)
Cross-correlation data sources
●   WHOIS (including Team Cymru whois)
●   Our own DNS index; also talking to ISC about
    possibilities of data swaps
●   Sandbox farm (mainly to detect compromised
    websites automagically and study behavior)
●   Public “malicious IP address” databases.
●   Public reputation (i.e. ToS) databases.
    ●   (still work in progress)
Detection
●   Manual and automated
●   Automated detection is largely based on
    analysis of network traffic:
    ●   Anomaly detection
    ●   Pattern-based analysis
    ●   Signatures (snort!)
    ●   Traffic profiling (DNS traffic profiling, HTTP traffic
        profiling, etc.)
Detection
●   Detecting malicious botnet activity is very
    popular in academia (interesting problem).
●   In our research we do not claim extreme
    novelty, but rather demonstrate our
    experience and a few practical solutions that
    seem to work :-)
Detection: loooots of papers!~
Detection: interesting bits
●   Botnet detection evolved from a pattern-based
    approach (hardcode bot command patterns and
    capture them with snort) to a complex field of
    generic detection of automated “call-back”
    communication channels.
Detection
●   Different “callback” methods, as seen in the
    wild, possess interesting properties, such as:
    ●   Large number of failed DNS requests
    ●   Large number of DNS requests resolving to IP addresses
        which are offline
    ●   Connection attempts to mostly dead IP addresses
    ●   Traffic pattern (differs from regular browsing)
Cat and mouse game
●   Of course all of this is easy to evade once you
    know the method. But security is always a
    'cat-n-mouse' game ;-)
Detection
●   Detecting botnet activities by analyzing DNS
    traffic
    ●   Analyzing DNS names (dictionary comparison,
        alphanumeric characters, detection of “generated”
        domain names by similarities/patterns)
    ●   Analyzing failed DNS queries
    ●   DNS “ranking” (based on whois information)
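The two DNS checks above, name analysis and failed-query counting, as one added example that is not the authors' code (their DNS tooling is at the dnslyzer link at the end). It profiles a constructed DNS query log in the form "client qname rcode": the names n87e0wfoghoucjfe0id.org and rgn7er8yafh89cehuighv.org are from the slides, the other generated-looking names, the client addresses, the rcodes, the tiny wordlist and the DynDNS suffix list are assumptions for the example (a real deployment would use a full dictionary and the Public Suffix List). A name is scored on length, digits mixed into letters, consonant runs, character entropy and the absence of any dictionary word; a client is flagged when its NXDOMAIN (rcode 3) ratio is high.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List

VOWELS = set("aeiouy")
# Illustrative lists (assumptions for the example, not real-world complete).
WORDLIST = ("google", "yandex", "rambler", "mail", "java", "news", "shop",
            "press", "analytics", "download")
DYNDNS_SUFFIXES = ("homelinux.com", "is-very-evil.org", "is-saved.org", "ddns.us")

# Constructed DNS query log: "client qname rcode" (rcode 3 = NXDOMAIN,
# 2 = SERVFAIL, 0 = NOERROR).  Two of the names are from the slides; the
# rest of the lines are made up.
SAMPLE_DNS_LOG = """\
10.1.2.33 n87e0wfoghoucjfe0id.org 3
10.1.2.33 rgn7er8yafh89cehuighv.org 0
10.1.2.33 k2jd9fh3wq8lzmvpx1.org 3
10.1.2.33 www.google.com 0
10.1.2.33 zq4vl8xm2bwr0tkfhs.org 3
10.1.2.77 www.google.com 0
10.1.2.77 mail.yandex.ru 0
10.1.2.77 java.com 0
10.1.2.77 www.rambler.ru 0
"""


def registrable_label(fqdn: str) -> str:
    """The label the registrant actually chose: the one left of a DynDNS
    suffix, otherwise the second-level label."""
    fqdn = fqdn.lower().rstrip(".")
    for suffix in DYNDNS_SUFFIXES:
        if fqdn.endswith("." + suffix):
            return fqdn[: -len(suffix) - 1].split(".")[-1]
    parts = fqdn.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0          # vowels and digits break the run
    return best


def dga_score(label: str) -> int:
    """0 (looks human-chosen) to 5 (looks generated)."""
    score = 0
    if len(label) >= 12:
        score += 1
    if sum(ch.isdigit() for ch in label) >= 2:
        score += 1
    if longest_consonant_run(label) >= 4:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    if not any(word in label for word in WORDLIST):
        score += 1
    return score


def profile_clients(text: str, min_queries: int = 5, nx_ratio: float = 0.3,
                    dga_threshold: int = 3) -> Dict[str, dict]:
    """Per client: query count, NXDOMAIN/SERVFAIL counts, NXDOMAIN ratio and
    the queried names whose registrable label scores as generated."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "servfail": 0, "names": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, rcode = line.split()
        st = stats[client]
        st["queries"] += 1
        st["nxdomain"] += rcode == "3"
        st["servfail"] += rcode == "2"
        if dga_score(registrable_label(qname)) >= dga_threshold:
            st["names"].add(qname.lower())
    out = {}
    for client, st in stats.items():
        ratio = st["nxdomain"] / st["queries"]
        out[client] = {
            "queries": st["queries"], "nxdomain": st["nxdomain"],
            "servfail": st["servfail"], "nx_ratio": ratio,
            "suspicious": sorted(st["names"]),
            "flagged": st["queries"] >= min_queries and ratio >= nx_ratio,
        }
    return out


if __name__ == "__main__":
    for client, p in profile_clients(SAMPLE_DNS_LOG).items():
        print(client, p)
```

Note what the character heuristics miss: hander.be, aratecti.be and rugtif.be from the netprotocol.exe case score only 1, because pronounceable generated names have dictionary-like statistics. For such families the failed-query ratio, the registration date and the shared URL path carry the signal, not the name itself.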
Detection: rcode 3 (non-existent domains)
[bar chart; the extraction kept only the chart template's legend (Column 1-3, Row 1-4), not the data]
Detection: rcode 2 (server failure, failed servers)
Detection
●   WHOIS cross-correlation – easily automated.
Detection
●   Further step: cross-correlation to domain
    names which have the same WHOIS attributes
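The WHOIS cross-correlation above and the hosting-range check from the 184.82.149.176/29 slide are the same operation: pivot from one bad domain to every other domain that shares an attribute with it. Here it is as an added example (not the authors' code): a union-find over domains, joined whenever two records share an IP, a /29 hosting range, a registrant e-mail or a postal address. The four records are the ones from the "What's common" slide, three are from the look-alike table (their registrant data was not on the slide and is left empty), and the example-shop.org control record, the field names, the /29 width and the list of privacy-service names to ignore are assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Registrant names that would link every customer of a privacy service;
# never pivot on them (illustrative list, an assumption for the example).
PRIVACY_NAMES = {"whois privacy protection service", "whois agent"}

WHOIS_RECORDS = [
    # Four domains from the slide (fields as transcribed there)
    {"domain": "whoismistergreen.com", "ip": "213.5.68.105", "created": "2011-07-26",
     "registrant": "JOHN ABRAHAM", "address": "ul. Dubois 119, Lodz", "email": None},
    {"domain": "noproblemslove.com", "ip": "213.5.68.105", "created": "2011-12-07",
     "registrant": "Whois Privacy Protection Service", "address": None,
     "email": "gmvjcxkxhs@whoisservices.cn"},
    {"domain": "patr1ckjane.com", "ip": "213.5.68.105", "created": "2011-07-21",
     "registrant": "patrick jane", "address": "ul. Dubois 119, Lodz", "email": None},
    {"domain": "noproblemsbro.com", "ip": "176.65.166.28", "created": "2011-12-07",
     "registrant": "Whois Privacy Protection Service", "address": None,
     "email": "gmvjcxkxhs@whoisservices.cn"},
    # Three look-alike domains from the 184.82.149.176/29 slide
    {"domain": "www.google-analylics.com", "ip": "184.82.149.179", "created": None,
     "registrant": None, "address": None, "email": None},
    {"domain": "rambler-analytics.ru", "ip": "184.82.149.179", "created": None,
     "registrant": None, "address": None, "email": None},
    {"domain": "site-yandex.net", "ip": "184.82.149.180", "created": None,
     "registrant": None, "address": None, "email": None},
    # Constructed control record that should not join any cluster
    {"domain": "example-shop.org", "ip": "203.0.113.10", "created": "2009-03-02",
     "registrant": "Example Shop Ltd", "address": "1 Example Street, Exampletown",
     "email": "hostmaster@example-shop.org"},
]


def pivot_keys(rec: dict, prefix_len: int = 29) -> List[Tuple[str, str]]:
    """Normalised (kind, value) attributes worth pivoting on."""
    keys = []
    if rec.get("ip"):
        keys.append(("ip", rec["ip"]))
        net = ipaddress.ip_network(f'{rec["ip"]}/{prefix_len}', strict=False)
        keys.append(("net", str(net)))
    if rec.get("email"):
        keys.append(("email", rec["email"].lower()))
    if rec.get("address"):
        keys.append(("address", " ".join(rec["address"].lower().split())))
    name = (rec.get("registrant") or "").lower()
    if name and name not in PRIVACY_NAMES:
        keys.append(("registrant", name))
    return keys


def cluster_domains(records: List[dict], prefix_len: int = 29) -> List[Dict]:
    """Union domains that share any pivot key; return clusters with the
    keys that joined them, largest cluster first."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_key = defaultdict(list)
    for r in records:
        for k in pivot_keys(r, prefix_len):
            by_key[k].append(r["domain"])
    for doms in by_key.values():
        for d in doms[1:]:
            ra, rb = find(doms[0]), find(d)
            if ra != rb:
                parent[rb] = ra
    pivots = defaultdict(set)
    for k, doms in by_key.items():
        if len(doms) >= 2:
            pivots[find(doms[0])].add(k)
    groups = defaultdict(list)
    for d in list(parent):
        groups[find(d)].append(d)
    out = [{"domains": sorted(ds), "pivots": sorted(pivots[root])} for root, ds in groups.items()]
    out.sort(key=lambda g: (-len(g["domains"]), g["domains"][0]))
    return out


if __name__ == "__main__":
    for g in cluster_domains(WHOIS_RECORDS):
        print(g["domains"], g["pivots"])
```

The registrant e-mail is only a usable key because this privacy service issued a random per-domain address; a service that reuses one address for all customers has to be excluded the same way the names are. Likewise the /29 pivot is blunt on shared hosting, so treat it as a lead to verify against the AS and the registration dates rather than as proof.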
●   Sandboxing (we use a modified version of
    Cuckoo Sandbox, with user event simulation; not
    perfect but works)
    ●   Challenges:
        –   Simulate complex user behavior (mouse movements)
        –   Simulate complex user browsing patterns (visiting X with
            a search engine (image search?) as referer)
Detection flow
Detection (visualization)
●   Parallel coordinates (also see the recent talk by
    Alexandre Dulaunoy from CIRCL.LU and
    Sebastien Tricaud from Picviz Labs at
    CanSecWest)
Detection
●   (demos, lets look at some videos :)
Conclusions
●   Detection is still trivial, but keep your methods
    “private” ;-)
●   Detecting 'advanced' botnets (name your
    favourite traffic-profiling evasion method!) is out
    of the question here, unless this becomes wide-
    spread
●   The cat and mouse game is still fun! ;-)
Tips and recommendations
●   For infected machines: boot from clean media
    and periodically do OFFLINE AV checking
●   Monitor network traffic for any unusual activity
●   Default-deny firewall policies + block any active
    executable content
questions
●   Contact us at:
    ●   fygrave@gmail.com
    ●   vladimir.b.kropotov@gmail.com


        http://github.com/fygrave/dnslyzer for some code

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 

Último (20)

2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 

Taming botnets

  • 1. Taming Botnets Life cycle and detection of bot infections through network traffic analysis
  • 2. agenda ● Introduction ● Bots and botnets: short walk-through ● Taming botnets: Detection and Evasion ● Our approach ● Case studies ● Conclusion ● Disclaimer: We steal our images From google image :)
  • 3. Introduction ● Why we are doing this research? ● Objectives ● Our data sources ● Our environment bunch of code in node.js and python. Customized sandboxing platform (cuckoo based). Data indexed in solr
  • 4. Introduction: bots ● “bot”: a software program installed on target machine(s) for the purpose of utilizing that machine's computational/network resources or collecting information ● A typical bot is controlled by an external party and therefore needs to be able to utilize a communication channel in order to receive commands and pass information ● Bots typically are used for malicious purposes ;-)
  • 5. Introduction: bots (lifecycle) ● Installation (infection) phase: often by means of a software exploit or a social engineering technique (fake antivirus, fake software update) ● Post-infection phase: communication (C&C, peer etc)
  • 6. Introduction ● Our basic assumption is that a bot needs to be able to communicate back in order to be useful. ● Our analysis is primarily “black box”: we observe the network traffic of a large network infrastructure in order to identify possible infections and “communication” links ● We also utilize sandboxing techniques to observe behavior (mainly from the network side) ● We do not attempt to reverse engineer (manually or automatically) botnet software
  • 7. Botnets ● Infection vectors → often targeting end-user machines (clients) in a large number of occurrences by exploiting a software vulnerability in the browser or related components ● C&C communication: ● Remember IRC bots? :) ● over HTTP (most common) ● Proprietary protocol ● Centralized or P2P infrastructure
  • 8. Botnets: lifecycle ● C&C Hosting itself is another interesting research area ;-)
  • 9. So how do you get bots on your machine? :)
  • 10. How do you get bots on your machine? ;-) ● Compromised servers: most widespread, often through silly vulns (e.g. WordPress!), but also high-profile web sites are affected, or domains taken over (DNS poisoning and more) ● Placing a JavaScript iframe on a compromised high-traffic machine is way more profitable than defacing (hacktivism is only for hippies? ;)
  • 11. How do you get bots (pt 2) ● SEO poisoning/manipulation.
  • 12. How you get bots (pt 3) ● Advertisements and malvertisements: whole new ecosystem: OpenX is a huge security hole ;)
  • 13. Anyways ● Once infected, the bot talks back... Let's look at some real-life cases (data is very recent, mostly from the past few months).
  • 14. Old-school bots (still active. For real! May/2012: IRC bots still real :-D ;-))
  • 15. Carberp ● Bot infection: Drive-By-HTTP ● Payload and intermediate malware domains: normal, just registered/DynDNS ● Distributed via: many, many compromised web sites; top score > 100 compromised resources detected during 1 week ● C&C domains usually generated, but some special cases below ;-) ● C&C and malware domains located on the same AS (from bot point of view). Easy to detect. ● Typical bot activity: Mass HTTP POST
  • 16. Domain | URL | Referrer | Payload | Size
    beatshine.is-saved.org | /g/18418362672595167.js | www.*****press.ru | javascript | 9414
    activatedreplacing.is-very-evil.org | /index.php?28d9000e56c2a63080ff89c6f5357591 | www.*****press.ru | html | 45443
    activatedreplacing.is-very-evil.org | //images/r/785cee8be7f1da9a9d60820cbf8b1840.jar | | application/x-jar | 4135
    activatedreplacing.is-very-evil.org | /server_privileges.php?91370f5f009a815950578cb539f28b58=3 | | application/executable | 155529
  • 18. Another attack attempt and update URLs
    Time | Domain | URL | IP
    10/Apr/2012 10:29:09 | nod32-matrosov-pideri.org | //images/785cee8be7f1da9a9d60820cbf8b1840.jar | 62.122.79.42
    10/Apr/2012 10:29:10 | nod32-matrosov-pideri.org | /expl0it/At00micArray.class | 62.122.79.42
    10/Apr/2012 10:29:11 | nod32-matrosov-pideri.org | /expl0it/At00micArray/class.class | 62.122.79.42
    02/May/2012 08:42:59 | rgn7er8yafh89cehuighv.org | /bxlkizmfgtlfwcdmljmrjlunqkvsslfiru.tpl | 91.228.134.210
    02/May/2012 08:42:59 | avast-pidersiy-gandon.com | /crypt/files/crypted/config.bin | 62.122.79.52
    02/May/2012 08:43:00 | rgn7er8yafh89cehuighv.org | /aDHfNt8w43yYGM.tiff | 91.228.134.210
  • 19. Detection during infection and by post-infection activity ● Infection: executable transfer from just registered domains (example lifenews-sport.org) or Dyn-DNS domains, like uphchtxmji.homelinux.com ● Updates: executable transfer from a just registered or DynDNS domain ● Post-infection activity: Mass HTTP POST to generated domains like n87e0wfoghoucjfe0id.org, URL ends with different extensions
  • 20. Netprotocol.exe ● Bot infection was: Drive-By-FTP; now: Drive-By-FTP and Drive-By-HTTP ● Payload and intermediate malware domains: normal, obfuscated ● Distributed via: compromised web sites ● C&C domains usually generated, many domains in the .be zone ● C&C and malware domains located on different ASes. Bot updates payload via HTTP ● Typical bot activity: HTTP POST, payload updates via HTTP
  • 21. Domain | URL | Referrer | Payload | Size
    3645455029 | /1/s.html | Infected site | html | 997
    Java.com | /js/deployJava.js | 3645455029 | javascript | 4923
    3645455029 | /1/exp.jar | | application/x-jar | 18046
    3645455029 | /file1.dat | | application/executable | 138352
  • 22. Attack analysis ● Script from www.java.com used during attack ● Applet exp.jar loaded by FTP ● FTP server IP address obfuscated to avoid detection
  • 23. Interesting modifications
    GET http://java.com/ru/download/windows_ie.jsp?host=java.com%26returnPage=ftp://217.73.58.181/1/s.html%26locale=ru HTTP/1.1
    Key feature example:
    Date/Time: 2012-04-20 11:11:49 MSD
    Tag Name: FTP_Pass
    Target IP Address: 217.73.63.202
    Target Object Name: 21
    :password Java1.6.0_30@
    :user anonymous
  • 24. Activity example
    Date/Time: 2012-04-29 02:05:48 MSD | Tag Name: HTTP_Post | Target IP Address: 217.73.60.107 | :server rugtif.be | :URL /check_system.php
    Date/Time: 2012-04-29 02:06:08 MSD | Tag Name: HTTP_Post | Target IP Address: 208.73.210.29 | :server eksyghskgsbakrys.com | :URL /check_system.php
    ● Domain registered: 2012-04-21
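The FTP hosts on slides 21 to 23 and 27 are written as one decimal number (3645455029, 3645456330), which is just an IPv4 address with the dots removed: a 32-bit integer. The Python below is an added example, not the authors' code and not part of dnslyzer. It decodes such hosts, flags payload-like downloads (jar, class, dat, exe) that come from a bare-IP host, and pulls the JRE version out of the "Java<version>@" FTP password seen on slide 23. The request lines are constructed from the values on the slides; the record layout, the function names and the list of interesting extensions are assumptions. The two decoded addresses, 217.73.58.181 and 217.73.63.202, are the ones that appear in clear on slide 23.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed request lines ("METHOD URL"), modelled on the proxy records of
# slides 21, 23 and 27; the set is assembled for this example.
SAMPLE_REQUESTS = [
    "GET ftp://3645455029/1/s.html",
    "GET http://java.com/js/deployJava.js",
    "GET ftp://3645455029/1/exp.jar",
    "GET ftp://3645456330/6/e.jar",
    "GET http://184.82.0.35/f/kwe.exe",
]

# Extensions worth a second look when served from a bare-IP host (assumption).
PAYLOAD_EXT = (".jar", ".class", ".dat", ".exe")

# The applet loader sends "Java<version>@" as the anonymous FTP password (slide 23).
JAVA_FTP_PASS = re.compile(r"^Java(\d+(?:\.\d+)*_\d+)@$")


def decode_numeric_host(host):
    """Return the dotted-quad form of a host written as one decimal integer
    (e.g. '3645455029' -> '217.73.58.181'), or None if it is not that form."""
    if not host.isdigit():
        return None
    value = int(host)
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def classify_request(line):
    """Split 'METHOD URL' and classify the host as decimal-ip, ip-literal or name."""
    method, url = line.split(" ", 1)
    parts = urlsplit(url)
    host = parts.hostname or ""
    decoded = decode_numeric_host(host)
    if decoded is not None:
        kind = "decimal-ip"
    else:
        try:
            ipaddress.IPv4Address(host)
            kind = "ip-literal"
        except ValueError:
            kind = "name"
    return {"method": method, "scheme": parts.scheme, "host": host,
            "decoded": decoded or host, "path": parts.path, "kind": kind}


def suspicious_requests(lines):
    """Payload-like downloads whose host is an IP (obfuscated or not) rather
    than a name: the infection pattern of slides 21-22 and 27."""
    hits = []
    for line in lines:
        rec = classify_request(line)
        if rec["kind"] != "name" and rec["path"].lower().endswith(PAYLOAD_EXT):
            hits.append((rec["scheme"], rec["decoded"], rec["path"]))
    return hits


def java_version_from_ftp_password(password):
    """Extract the JRE version the applet loader leaks in the FTP password,
    e.g. 'Java1.6.0_30@' -> '1.6.0_30'; None for ordinary passwords."""
    m = JAVA_FTP_PASS.match(password)
    return m.group(1) if m else None


if __name__ == "__main__":
    for scheme, host, path in suspicious_requests(SAMPLE_REQUESTS):
        print(f"{scheme}://{host}{path}")
    print(java_version_from_ftp_password("Java1.6.0_30@"))
```

The same decoding applies to the numeric Referrer field on slide 21, so a proxy-log normaliser can rewrite the host before any blocklist or reputation lookup is made; otherwise the integer form sails past a list that only knows the dotted form.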
  • 25. On-host detection and activity ● Payload: usually netprotocol.exe, located in Users\USER_NAME\AppData\Roaming, which periodically downloads other malware ● Further payload loaded via HTTP: http://64.191.65.99/view_img.php?c=4&k=a4422297a462ec0f01b83bc96068e064
  • 26. Detection by AV ● Sample from May 09 2012: detect ratio 1/42 ● (demos, recorded as videos)
  • 27. Detection during infection and by post-infection activity ● Infection: .jar and .dat files downloaded by FTP, server name = obfuscated IP address, example ftp://3645456330/6/e.jar; Java version in FTP password, example Java1.6.0_29@ ● Updates: executable transfer from some Internet host, example GET http://184.82.0.35/f/kwe.exe ● Post-infection activity: Mass HTTP POST to normal and generated domains with URL check_system.php:
    09:04:46 POST http://hander.be/check_system.php
    09:05:06 POST http://aratecti.be/check_system.php
    09:06:48 POST http://hander.be/check_system.php
    09:07:11 POST http://aratecti.be/check_system.php
  • 28. Noproblemslove.com, whoismistergreen.com, etc... ● Bot infection: Drive-By-HTTP ● Payload and intermediate malware domains: normal / DynDNS ● Distributed via: compromised web sites ● C&C domains: normal ● C&C and malware domains located on different ASes. Sophisticated attack scheme. Timeout before activity. ● Typical bot activity: Mass HTTP POST
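Slides 19, 24 and 27 all end with the same post-infection signature: the bot POSTs the same path (here check_system.php) to several domains it has never fetched a page from, at roughly even intervals. A browser submits a form after loading it; a bot posts blind. The Python below is an added example, not the authors' detector, that turns that observation into two checks over a proxy log: blind POSTs of one path to several hosts, and the spacing of successive POSTs to one host. The four check_system.php lines carry the timestamps and hosts of slide 27; the log format, the client addresses and the ordinary browsing lines are constructed, and the threshold of three hosts is an assumption.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log, one record per line: "client time method url".
# The check_system.php POSTs use the timestamps and hosts of slide 27; the
# client addresses and the browsing lines are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 09:03:10 GET http://www.example.org/
10.0.0.5 09:03:11 GET http://www.example.org/style.css
10.0.0.5 09:04:46 POST http://hander.be/check_system.php
10.0.0.5 09:05:06 POST http://aratecti.be/check_system.php
10.0.0.5 09:06:48 POST http://hander.be/check_system.php
10.0.0.5 09:07:11 POST http://aratecti.be/check_system.php
10.0.0.5 09:08:00 POST http://n87e0wfoghoucjfe0id.org/check_system.php
10.0.0.9 09:04:00 GET http://www.example.org/
10.0.0.9 09:04:30 POST http://www.example.org/login.php
"""


def parse_log(text):
    """Yield one dict per log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        client, ts, method, url = line.split()
        parts = urlsplit(url)
        yield {"client": client, "time": datetime.strptime(ts, "%H:%M:%S"),
               "method": method, "host": parts.hostname, "path": parts.path}


RECORDS = list(parse_log(SAMPLE_LOG))


def mass_post_alerts(records, min_hosts=3):
    """Per client and POSTed path, collect the hosts that received POSTs
    although the client never issued a GET to them. A path posted blind to
    at least min_hosts distinct hosts is the 'mass HTTP POST' pattern."""
    got = defaultdict(set)                           # client -> hosts with a GET
    posted = defaultdict(lambda: defaultdict(set))   # client -> path -> hosts
    for r in records:
        if r["method"] == "GET":
            got[r["client"]].add(r["host"])
        elif r["method"] == "POST":
            posted[r["client"]][r["path"]].add(r["host"])
    alerts = {}
    for client, by_path in posted.items():
        for path, hosts in by_path.items():
            blind = hosts - got[client]
            if len(blind) >= min_hosts:
                alerts[(client, path)] = sorted(blind)
    return alerts


def post_intervals(records, client, host):
    """Seconds between successive POSTs from client to host; a bot's
    check-ins tend to be evenly spaced, a user's are not."""
    times = sorted(r["time"] for r in records
                   if r["client"] == client and r["host"] == host
                   and r["method"] == "POST")
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    for (client, path), hosts in mass_post_alerts(RECORDS).items():
        print(f"{client} POSTs {path} blind to {len(hosts)} hosts: {', '.join(hosts)}")
    print(post_intervals(RECORDS, "10.0.0.5", "hander.be"))
```

On the sample the hander.be check-ins are 122 s apart and the aratecti.be ones 125 s apart; over a longer window the variance of those intervals is the number to alert on, since a human never produces it.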
  • 30. Interesting domains from range 184.82.149.178-184.82.149.180 (Feb 2012)
    Domain Name | IP
    www.google-analylics.com | 184.82.149.179
    google-anatylics.com | 184.82.149.178
    www.google-analitycs.com | 184.82.149.180
    webmaster-google.ru | 184.82.149.178
    paged2.googlesyndlcation.com | 184.82.149.179
    googlefilter.ru | 184.82.149.179
    rambler-analytics.ru | 184.82.149.179
    site-yandex.net | 184.82.149.180
    paged2.googlesyndlcation.com | 184.82.149.179
    www.yandex-analytics.ru | 184.82.149.178
    googles.4pu.com | 184.82.149.178
    googleapis.www1.biz | 184.82.149.178
    syn1-adriver.ru | 184.82.149.178
  • 31. HOSTER RANGE AND AS ● www.google-analylics.com looks good, BUT Google, Rambler and Yandex together on 184.82.149.176/29? ● Hoster range and autonomous system (AS) are useful when you analyze suspicious events.
  • 33. Other domains but owner is the same
  • 34. What's common
    whoismistergreen.com: IP address 213.5.68.105 | Created: 2011-07-26 | Registrant Name: JOHN ABRAHAM | Address: ul. Dubois 119 | City: Lodz
    noproblemslove.com: IP address 213.5.68.105 | Created: 2011-12-07 | Registrant Contact: Whois Privacy Protection Service, Whois Agent, gmvjcxkxhs@whoisservices.cn
    patr1ckjane.com: IP was 176.65.166.28, IP now 213.5.68.105 | Created: 2011-07-21 | Registrant Name: patrick jane | Address: ul. Dubois 119 | City: Lodz
    noproblemsbro.com: IP address 176.65.166.28 | Created: 2011-12-07 | Registrant Contact: Whois Privacy Protection Service, Whois Agent, gmvjcxkxhs@whoisservices.cn
  • 35. Detection during infection and by post-infection activity ● Infection: executable transfer from just registered or Dyn-DNS domains, like fx58.ddns.us ● Updates: application/octet-stream bulk data load from C&C ● Post-infection activity: Mass HTTP POST to normal-looking domains, e.g. noproblemslove.com, whoismistergreen.com, etc.
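Slides 30, 31 and 34 show the pivot by hand: the four "normal" C&C domains share an IP, a street address and a privacy-service e-mail, and the typo-squatted analytics domains share one /29. The Python below is an added example of automating that cross-correlation (slide 48 says it is easily automated; this is not the authors' implementation). Every record contributes (kind, value) pivot keys, a union-find joins domains that share any key, and the /29 key is what links the squats even though each sits on a different address. The attribute values are those printed on the slides; the record layout is constructed, the "unrelated.example" record with a TEST-NET address is an invented control that must stay alone, and treating a privacy-service registrant name as a non-pivot is a design choice, not something the slides state.

```python
import ipaddress
from collections import defaultdict

# Registration and hosting attributes as listed on slides 30 and 34. The
# record layout is constructed for this example; "unrelated.example" with a
# TEST-NET address is an invented control that must not join any cluster.
RECORDS = [
    {"domain": "whoismistergreen.com", "ips": ["213.5.68.105"], "created": "2011-07-26",
     "registrant": "JOHN ABRAHAM", "address": "ul. Dubois 119, Lodz", "email": None},
    {"domain": "noproblemslove.com", "ips": ["213.5.68.105"], "created": "2011-12-07",
     "registrant": "Whois Privacy Protection Service", "address": None,
     "email": "gmvjcxkxhs@whoisservices.cn"},
    {"domain": "patr1ckjane.com", "ips": ["176.65.166.28", "213.5.68.105"],
     "created": "2011-07-21", "registrant": "patrick jane",
     "address": "ul. Dubois 119, Lodz", "email": None},
    {"domain": "noproblemsbro.com", "ips": ["176.65.166.28"], "created": "2011-12-07",
     "registrant": "Whois Privacy Protection Service", "address": None,
     "email": "gmvjcxkxhs@whoisservices.cn"},
    {"domain": "www.google-analylics.com", "ips": ["184.82.149.179"], "created": None,
     "registrant": None, "address": None, "email": None},
    {"domain": "google-anatylics.com", "ips": ["184.82.149.178"], "created": None,
     "registrant": None, "address": None, "email": None},
    {"domain": "site-yandex.net", "ips": ["184.82.149.180"], "created": None,
     "registrant": None, "address": None, "email": None},
    {"domain": "unrelated.example", "ips": ["198.51.100.7"], "created": None,
     "registrant": None, "address": None, "email": None},
]


def pivot_keys(rec):
    """Attributes a domain can share with another. Each value becomes a
    (kind, value) key; the hosting /29 key ties the typo-squats of slide 30
    together even though each sits on a different address."""
    keys = set()
    for ip in rec["ips"]:
        keys.add(("ip", ip))
        keys.add(("net29", str(ipaddress.ip_network(ip + "/29", strict=False))))
    if rec["email"]:
        keys.add(("email", rec["email"].lower()))
    if rec["address"]:
        keys.add(("address", rec["address"].lower()))
    # A privacy/proxy service name is shared by unrelated customers, so the
    # registrant name only counts when it is not such a service (assumption).
    name = rec["registrant"] or ""
    if name and "privacy" not in name.lower() and "proxy" not in name.lower():
        keys.add(("registrant", name.lower()))
    return keys


def shared_pivots(records):
    """Map each pivot key to the domains carrying it; keep keys seen twice or more."""
    index = defaultdict(set)
    for rec in records:
        for key in pivot_keys(rec):
            index[key].add(rec["domain"])
    return {k: v for k, v in index.items() if len(v) > 1}


def cluster_domains(records):
    """Union-find over shared pivots: domains linked by any chain of shared
    attributes end up in one cluster. Clusters are returned largest first."""
    parent = {rec["domain"]: rec["domain"] for rec in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for domains in shared_pivots(records).values():
        first, *rest = sorted(domains)
        for other in rest:
            ra, rb = find(first), find(other)
            if ra != rb:
                parent[rb] = ra
    groups = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g[0]))


if __name__ == "__main__":
    for key, domains in sorted(shared_pivots(RECORDS).items()):
        print(key, sorted(domains))
    for group in cluster_domains(RECORDS):
        print(len(group), group)
```

The shared-pivot index is also the evidence trail: when a cluster is flagged, printing the keys that joined it (slide 34's "what's common") is what an analyst needs to confirm or reject the link.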
  • 37. Detection ● What we are building ;)
  • 38. Cross-correlation data sources ● WHOIS (including team cymru whois) ● Our own DNS index, also talking to ISC about possibilities of data swaps ● Sandbox farm (mainly to detect compromised websites automagically and study behavior) ● Public “malicious IP address” databases. ● Public reputation (I.e ToS) databases. ● (still work in progress)
  • 39. Detection ● Manual and Automated ● Automated detection is largely based on analysis of network traffic: ● Anomaly detection ● Pattern based-analysis ● Signatures (snort!) ● Traffic profiling (DNS traffic profiling, HTTP traffic profiling etc)
  • 40. Detection ● Detecting malicious botnet activity is very popular in academia (interesting problem). ● In our research we do not claim extreme novelty but rather will demonstrate our experience and a few practical solutions that seem to work :-)
  • 42. Detection: interesting bits ● Botnet detection evolved from a pattern-based approach (hardcoded bot CMD patterns, captured with snort) to a complex field of generic detection of automated “call-back” communication channels.
  • 43. Detection ● Different “callback” methods, as seen in the wild, possess interesting properties, such as: ● Large number of failed DNS requests ● Large number of DNS requests for IP addresses, which are offline ● Connection attempts to mostly dead IP addresses ● Traffic pattern (differs from regular browsing)
  • 44. Cat and mouse game ● Of course all of this is easy to evade. Once you know the method. But security is always about 'cat-n-mouse' game ;-)
  • 45. Detection ● Detecting botnet activities by analyzing DNS traffic ● Analyzing DNS names (dictionary comparison, alphanumeric characters, detection of “generated” domain names (similarities/patterns)) ● Analyzing failed DNS queries ● DNS “ranking” (based on whois information)
  • 46. Detection: rcode: 3 (non-existing domains) [chart: NXDOMAIN counts, rows 1-4 against columns 1-3]
  • 47. Detection: rcode: 2 (server failure, failed servers) [chart: rcode 2 domains]
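Slides 43 and 45 to 47 describe the DNS side of the detection: clients that produce many NXDOMAIN (rcode 3) or SERVFAIL (rcode 2) answers, and query names that look generated rather than chosen. The Python below is an added example, not the authors' code or dnslyzer, that scores the second-level label on four lexical features (vowel share, longest consonant run, digits mixed into a long label, character entropy) and then builds a per-client report of failed answers and generated-looking names. The bot-side names are the ones printed on slides 18, 19, 24 and 28; the log format, the clients, the rcodes, the benign names, the name qzvxkpwtmjrlbgsdfhn.org and all thresholds are constructed or assumed. The label split assumes a one-label TLD; real deployments need a public-suffix list.

```python
import math
import re
from collections import Counter

# Constructed DNS log: "client qname rcode" per line (rcode 0 NOERROR,
# 2 SERVFAIL, 3 NXDOMAIN). The C&C-style names are those shown on the
# slides; qzvxkpwtmjrlbgsdfhn.org, the clients, the rcodes and the benign
# names are invented for this example.
SAMPLE_DNS = """\
10.0.0.5 n87e0wfoghoucjfe0id.org 3
10.0.0.5 rgn7er8yafh89cehuighv.org 3
10.0.0.5 eksyghskgsbakrys.com 0
10.0.0.5 avast-pidersiy-gandon.com 3
10.0.0.5 qzvxkpwtmjrlbgsdfhn.org 3
10.0.0.5 www.example.org 0
10.0.0.9 www.example.org 0
10.0.0.9 noproblemslove.com 0
10.0.0.9 mail.example.org 2
"""

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def label_features(label):
    """Lexical features of one DNS label."""
    n = len(label) or 1
    counts = Counter(label)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / (len(letters) or 1)
    runs = [len(m) for m in CONSONANT_RUN.findall(label)]
    return {"len": len(label), "entropy": entropy, "vowel_ratio": vowel_ratio,
            "consonant_run": max(runs, default=0),
            "digit_ratio": sum(ch.isdigit() for ch in label) / n}


def generated_score(qname):
    """0..4 points for the second-level label: few vowels, a long consonant
    run, digits inside a long label, high character entropy. Two or more
    points is treated as 'looks generated' (thresholds are assumptions)."""
    parts = qname.lower().rstrip(".").split(".")
    label = (parts[-2] if len(parts) >= 2 else parts[0]).replace("-", "")
    f = label_features(label)
    score = 0
    if f["len"] >= 12 and f["vowel_ratio"] < 0.3:
        score += 1
    if f["consonant_run"] >= 5:
        score += 1
    if f["digit_ratio"] > 0 and f["len"] >= 10:
        score += 1
    if f["entropy"] > 3.5:
        score += 1
    return score


def parse_dns(text):
    for line in text.splitlines():
        if line.strip():
            client, qname, rcode = line.split()
            yield client, qname, int(rcode)


def client_report(text, fail_threshold=3, score_threshold=2):
    """Per client: NXDOMAIN and SERVFAIL counts plus the number of queried
    names that look generated. A client reaching fail_threshold on either
    the NXDOMAIN count or the generated-name count is marked suspicious."""
    total, nx, sf, gen = Counter(), Counter(), Counter(), Counter()
    for client, qname, rcode in parse_dns(text):
        total[client] += 1
        if rcode == 3:
            nx[client] += 1
        elif rcode == 2:
            sf[client] += 1
        if generated_score(qname) >= score_threshold:
            gen[client] += 1
    return {c: {"queries": total[c], "nxdomain": nx[c], "servfail": sf[c],
                "generated": gen[c],
                "suspicious": nx[c] >= fail_threshold or gen[c] >= fail_threshold}
            for c in total}


if __name__ == "__main__":
    for client, row in client_report(SAMPLE_DNS).items():
        print(client, row)
```

Note what the lexical score does not catch: avast-pidersiy-gandon.com (slide 18) is built from words and scores below the bar, which is exactly why the slides pair name analysis with failure counting and WHOIS ranking rather than relying on any one of them.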
  • 48. Detection ● WHOIS cross-correlation – easily automated.
  • 49. Detection ● Further step: cross-correlation to domain names which have the same WHOIS attributes ● Sandboxing (we use modified version of cuckoosandbox, with user event simulation, not perfect but works) ● Challenges: – Simulate complex user behavior (mouse movements) – Simulate complex user browsing pattern (visiting X with search engine (image?) as referer)
  • 51. Detection (visualization) ● Parallel coordinates (also see recent talk by Alexandre Dulaunoy from CIRCL.LU and Sebastien Tricaud from Picviz Labs at CanSecWest)
  • 52. Detection ● (demos, lets look at some videos :)
  • 53. Conclusions ● Detection is still trivial, but keep your methods “private” ;-) ● Detecting 'advanced' botnets (name your favourite traffic profiling evasion method!) is out of the question here, unless this becomes widespread ● Cat and mouse game is still fun! ;-)
  • 54. Tips and recommendations ● For infected machines: boot from clean media and periodically do OFFLINE AV checking ● Monitor network traffic for any unusual activity ● Default-deny firewall policies + block any active executable content
  • 55. questions ● Contact us at: ● fygrave@gmail.com ● vladimir.b.kropotov@gmail.com http://github.com/fygrave/dnslyzer for some code