Rishi

Identify Bot Contaminated Hosts by
IRC Nickname Evaluation

Jan Göbel
Center for Computing and Communication
RWTH Aachen

Thorsten Holz
Laboratory for Dependable Distributed Systems
University of Mannheim

Rishi, HotBots´07
Outline

▸ What is Rishi?
▸ Rishi setup and design
▸ Nickname evaluation
▸ Results and limitations
▸ Discussion
What is Rishi?

▸ Basic idea: IRC-based bots need a distinct nickname
   – Can we detect similarity in IRC nicknames to detect bots?
   – Is detection of the communication channel between botherder and victim possible?
▸ Small Python script (~1700 lines) that passively monitors network traffic
▸ Analyses payload for the occurrence of known IRC commands
   – NICK, JOIN, USER, MODE, QUIT
   – Analysis function to compute a score for a given nickname
▸ Related work:
   – Binkley et al.: botnets use same IRC channel, offline analysis
   – Livadas et al. use machine learning techniques to detect C&C traffic
Rishi Setup

[Figure: Rishi setup]
Rishi Design

[Figure: Rishi design]
Nickname Evaluation

▸ Check nickname against dynamic and static whitelists
   – similarity check based on n-gram analysis
▸ Check if nickname contains a known extension:
   – _away, ^working, ...
   – Subtract the extension and check the nickname again
▸ Check nickname against dynamic and static blacklists
   – similarity check based on n-gram analysis
▸ Check for suspicious substrings and special characters in nickname
   – DEU, GBR, 2K, XP, r00t3d-, |, [, ], ...
▸ Check for suspicious prefix/suffix in nickname
   – _13, _12, l33t-, xyz-, ...
Nickname Evaluation

▸ Check number of digits in nickname
   – Every two digits add one point to final score
▸ Check if target IP address is a known C&C server
▸ Check if target port is uncommon
▸ Check nickname against regular expressions
   – Evaluation of ~4K known bot nicks resulting in 52 REs
▸ Example: RBOT|DE-6182
   – 2 points for suspicious substrings RBOT and DE
   – 2 points for occurrence of special characters | and -
   – 2 points for two occurrences of consecutive digits
   – 10 points for match against regular expression
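The two Nickname Evaluation slides describe the checks and the point breakdown for RBOT|DE-6182 but not Rishi's actual lists, regular expressions or weights. The following is an added example (not Rishi's code) that implements the same sequence of checks in Python: n-gram similarity against whitelist and blacklist, extension stripping, suspicious substrings and special characters, affixes, the digits rule, target IP/port and a regular-expression hit. The whitelist, blacklist, the two regular expressions, the C&C address (a TEST-NET-3 address), the similarity threshold and the weights for blacklist, known-C&C and uncommon-port hits are all constructed assumptions; the substring list and affix list are the ones on the slides.

```python
import re

# All lists below are constructed for this example. Rishi's real whitelists,
# blacklists, its 52 regular expressions and its point weights are not on the
# slides; only the per-check logic and the RBOT|DE-6182 breakdown are.
STATIC_WHITELIST = {"alice", "bob", "carol"}
STATIC_BLACKLIST = {"xyz-pwned_13", "l33t-sdbot"}
KNOWN_EXTENSIONS = ("_away", "^working")
SUSPICIOUS_SUBSTRINGS = ("DEU", "GBR", "2K", "XP", "r00t3d-", "RBOT", "DE")
SPECIAL_CHARACTERS = set("|[]-")
SUSPICIOUS_AFFIXES = ("_13", "_12", "l33t-", "xyz-")
BOT_NICK_PATTERNS = [                                # stand-ins for the 52 REs
    re.compile(r"^[A-Z]+\|[A-Z]{2,3}-\d{3,6}$"),     # e.g. RBOT|DE-6182
    re.compile(r"^\[[A-Z]{2,3}\]\w+\d{3,6}$"),       # e.g. [DEU]host1234
]
KNOWN_CC_SERVERS = {"203.0.113.10"}                  # constructed (TEST-NET-3)
COMMON_IRC_PORTS = {6667, 6668, 6669, 7000}
SIMILARITY_THRESHOLD = 0.5                           # assumed; not on the slides
BLACKLIST_POINTS, KNOWN_CC_POINTS, UNCOMMON_PORT_POINTS = 5, 5, 1  # assumed weights


def ngrams(text, n=3):
    """Set of case-folded character n-grams used by the similarity checks."""
    text = text.lower()
    return {text[i:i + n] for i in range(max(len(text) - n + 1, 1))}


def similarity(a, b):
    """Jaccard similarity of two nicknames' trigram sets, 0.0 .. 1.0."""
    ga, gb = ngrams(a), ngrams(b)
    return len(ga & gb) / len(ga | gb)


def matches_list(nick, nicklist):
    return any(similarity(nick, known) >= SIMILARITY_THRESHOLD for known in nicklist)


def strip_extension(nick):
    """Remove a known extension such as _away so the base nick is re-checked."""
    for ext in KNOWN_EXTENSIONS:
        if nick.endswith(ext) and len(nick) > len(ext):
            return nick[:-len(ext)]
    return nick


def score_nickname(nick, dst_ip="198.51.100.1", dst_port=6667):
    """Return (score, breakdown) for one NICK seen on its way to dst_ip:dst_port."""
    breakdown = {}
    base = strip_extension(nick)
    # Whitelist first: a known-good nick, with or without extension, scores 0.
    if matches_list(nick, STATIC_WHITELIST) or matches_list(base, STATIC_WHITELIST):
        return 0, {"whitelisted": True}
    if matches_list(base, STATIC_BLACKLIST):
        breakdown["blacklist"] = BLACKLIST_POINTS
    # One point per suspicious substring found (case-sensitive, like the country codes).
    breakdown["substrings"] = sum(1 for s in SUSPICIOUS_SUBSTRINGS if s in base)
    # One point per distinct special character present.
    breakdown["special_chars"] = len(SPECIAL_CHARACTERS & set(base))
    breakdown["affixes"] = sum(1 for a in SUSPICIOUS_AFFIXES
                               if base.startswith(a) or base.endswith(a))
    # Every two digits add one point.
    breakdown["digits"] = sum(c.isdigit() for c in base) // 2
    if dst_ip in KNOWN_CC_SERVERS:
        breakdown["known_cc"] = KNOWN_CC_POINTS
    if dst_port not in COMMON_IRC_PORTS:
        breakdown["uncommon_port"] = UNCOMMON_PORT_POINTS
    # A regular-expression hit is the heaviest single signal (10 points on the slide).
    if any(p.match(base) for p in BOT_NICK_PATTERNS):
        breakdown["regex"] = 10
    return sum(breakdown.values()), breakdown


if __name__ == "__main__":
    for nick in ("RBOT|DE-6182", "bob_away", "sunflower", "[DEU]host1234"):
        print(nick, score_nickname(nick))
```

With these lists, RBOT|DE-6182 reproduces the slide's breakdown (2 + 2 + 2 + 10 = 16), bob_away is whitelisted after its extension is stripped, and a plain dictionary word such as sunflower scores 0, which is exactly the evasion the Limitations slide names. Returning the breakdown alongside the total keeps every alert explainable, which matters when the weights are ad hoc and an analyst has to judge false positives.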
Final Scores of Some Nicknames

[Figure: table of final scores for sample nicknames]
Results I

▸ Detection of more than 300 bots within 3 months
▸ Comparison with Blast-o-Mat (see ;login: 31(6))
   – Custom IDS system at RWTH Aachen University
      • Detection of scanning machines via SYN threshold
      • Detection of spam-sending machines via threshold
      • Usage of honeypots to detect suspicious activities
▸ Preliminary results for a period of 14 days
   – Detection of 82 machines with Rishi
   – 34 of these were also detected by Blast-o-Mat
   – Remaining 48 machines undetected
   – Blast-o-Mat detected additional 20 hosts
   – 5 false positives
Results II

▸ Case study: detecting spam-bots
   – Bots that do not scan / propagate further (→ rather stealthy)
   – Presumably infected via drive-by downloads
   – Detection of communication channel via Rishi
   – Detected a couple of hours later due to spamming activity
▸ Case study: spotting botnet-tracking activity
   – Several TOR nodes (one exit node) within university network
   – Frequently observed within Rishi output
   – Definitely not bot-infected (Linux machine, known user)
   – Caused by botnet-tracking hosts that use TOR
Results III

▸ Case study: detecting modified IRC protocol
   – Rishi logged JOIN without any related info in connection object
   – Analysis revealed: bot with modified C&C protocol
      • NICK → SENDN
      • USER → SENDU
      • PRIVMSG → SENDP
      • But: JOIN was not modified
   – We could detect the incident since one protocol element was not changed
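The Results III case study turns on a per-connection object: Rishi records NICK and USER for each flow, so a JOIN arriving on a connection that has neither recorded is itself the alert. The following is an added example (not Rishi's code) of that bookkeeping in Python: a small tracker replays (src, dst, payload) triples, keeps a Connection object per flow, only understands the five commands listed on the "What is Rishi?" slide, and raises an alert when JOIN shows up with no NICK/USER state. The packet list is constructed (RFC 1918 sources, a TEST-NET-3 destination) and mirrors the slide's renamed verbs; the data-structure names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Commands Rishi looks for in the payload (slide "What is Rishi?").
IRC_COMMANDS = {"NICK", "JOIN", "USER", "MODE", "QUIT"}


@dataclass
class Connection:
    """Per-flow state; a JOIN should only ever arrive after NICK and USER."""
    src: str
    dst: str
    nick: Optional[str] = None
    user: Optional[str] = None
    channels: List[str] = field(default_factory=list)


def parse_command(payload: str) -> Tuple[str, str]:
    """Split one client line into (COMMAND, argument string)."""
    parts = payload.strip().split(None, 1)
    if not parts:
        return "", ""
    return parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def first_token(arg: str) -> str:
    tokens = arg.split()
    return tokens[0] if tokens else ""


def track(packets):
    """Replay (src, dst, payload) triples; return the connection table and alerts."""
    conns: Dict[Tuple[str, str], Connection] = {}
    alerts = []
    for src, dst, payload in packets:
        conn = conns.setdefault((src, dst), Connection(src, dst))
        cmd, arg = parse_command(payload)
        if cmd not in IRC_COMMANDS:
            continue  # unknown verbs (renamed ones included) carry no state
        if cmd == "NICK":
            conn.nick = first_token(arg)
        elif cmd == "USER":
            conn.user = first_token(arg)
        elif cmd == "JOIN":
            channel = first_token(arg)
            conn.channels.append(channel)
            # The case on the slide: a JOIN with no related info in the object.
            if conn.nick is None and conn.user is None:
                alerts.append({"connection": (src, dst), "channel": channel,
                               "reason": "JOIN without NICK/USER on this connection"})
    return conns, alerts


# Constructed traffic: one ordinary client, one client with renamed verbs, one idle.
SAMPLE_PACKETS = [
    ("10.0.0.1", "203.0.113.10:6667", "NICK RBOT|DE-6182"),
    ("10.0.0.1", "203.0.113.10:6667", "USER rbot 0 * :rbot"),
    ("10.0.0.1", "203.0.113.10:6667", "JOIN #c"),
    ("10.0.0.2", "203.0.113.10:6667", "SENDN RBOT|DE-6183"),    # renamed NICK
    ("10.0.0.2", "203.0.113.10:6667", "SENDU rbot 0 * :rbot"),  # renamed USER
    ("10.0.0.2", "203.0.113.10:6667", "JOIN #c"),               # JOIN unchanged
    ("10.0.0.2", "203.0.113.10:6667", "SENDP #c :hello"),       # renamed PRIVMSG
    ("10.0.0.3", "203.0.113.10:6667", "MODE alice +i"),
    ("10.0.0.3", "203.0.113.10:6667", "QUIT :bye"),
]

if __name__ == "__main__":
    connections, found = track(SAMPLE_PACKETS)
    for alert in found:
        print(alert)
```

The first flow populates its object normally and its JOIN is silent; the second flow never sets nick or user because the tracker ignores verbs it does not know, so its unchanged JOIN fires the alert. The defensive lesson of the slide is the design point here: state that is expected to be present before a later message is a detection signal in its own right, independent of the nickname score.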
Limitations

▸ Detection of cleartext, IRC-based botnets
   – Most prevalent type of botnet nowadays, but this is changing
   – Bots can use a dictionary to create nicknames
▸ Ad-hoc computation of final score
   – Better evaluation needed, taking care of false positives / negatives
▸ Dependence on regular expressions
   – No automated learning yet
   – Inclusion of nepenthes / CWSandbox results?
▸ Monitoring at the central router
   – RWTH Aachen has 10 GBit Ethernet with spikes > 3 GBit/s
Conclusion

▸ Rishi is a simple, yet effective way to detect bots
   – Based on evaluation of nickname
   – Ad-hoc scoring function
   – Generates warning e-mail (next step: automated mitigation)
▸ Detected more than 300 bot-infected machines
▸ Orthogonal to the other IDS system used within the university
   – Combination of both?

Thanks a lot for your attention!

More Related Content

Similar to Rishi Hotbots

Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012F _
ย 
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Jishnu Pradeep
ย 
A Survey Of Aspect Mining Approaches
A Survey Of Aspect Mining ApproachesA Survey Of Aspect Mining Approaches
A Survey Of Aspect Mining Approacheskim.mens
ย 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringChris Gates
ย 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestDenim Group
ย 
Defense against botnets
Defense against botnetsDefense against botnets
Defense against botnetsVaibhav Ahlawat
ย 
Shmoocon XV - Analyzing Shodan Images with Optical Character Recognition
Shmoocon XV - Analyzing Shodan Images with Optical Character RecognitionShmoocon XV - Analyzing Shodan Images with Optical Character Recognition
Shmoocon XV - Analyzing Shodan Images with Optical Character RecognitionMichaelPortera2
ย 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetTakashi Yamanoue
ย 
Securing Rails
Securing RailsSecuring Rails
Securing RailsAlex Payne
ย 
Multi-Agent System for APT Detection
Multi-Agent System for APT DetectionMulti-Agent System for APT Detection
Multi-Agent System for APT DetectionThibault Debatty
ย 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Mario Heiderich
ย 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoConferencias FIST
ย 
An Toan Thong Tin.pptx
An Toan Thong Tin.pptxAn Toan Thong Tin.pptx
An Toan Thong Tin.pptxVuongPhm
ย 
Integris Security - Hacking With Glue โ„ 
Integris Security - Hacking With Glue โ„ Integris Security - Hacking With Glue โ„ 
Integris Security - Hacking With Glue โ„ Integris Security LLC
ย 
25 Million Flows Later โ€“ Large-scale Detection of DOM-based XSS
25 Million Flows Later โ€“ Large-scale Detection of DOM-based XSS25 Million Flows Later โ€“ Large-scale Detection of DOM-based XSS
25 Million Flows Later โ€“ Large-scale Detection of DOM-based XSSBen Stock
ย 
Effective code reviews
Effective code reviewsEffective code reviews
Effective code reviewsSebastian Marek
ย 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeLancope, Inc.
ย 
ะะฐ ัั‚ั€ะฐะถะต ะฒะฐัˆะธั… ะดะตะฝะตะณ ะธ ะดะฐะฝะฝั‹ั…
ะะฐ ัั‚ั€ะฐะถะต ะฒะฐัˆะธั… ะดะตะฝะตะณ ะธ ะดะฐะฝะฝั‹ั…ะะฐ ัั‚ั€ะฐะถะต ะฒะฐัˆะธั… ะดะตะฝะตะณ ะธ ะดะฐะฝะฝั‹ั…
ะะฐ ัั‚ั€ะฐะถะต ะฒะฐัˆะธั… ะดะตะฝะตะณ ะธ ะดะฐะฝะฝั‹ั…Positive Hack Days
ย 
Klaxit - How to keep it clean, for years - Paris.RB 2020
Klaxit - How to keep it clean, for years - Paris.RB 2020Klaxit - How to keep it clean, for years - Paris.RB 2020
Klaxit - How to keep it clean, for years - Paris.RB 2020Cyrille Courtiere
ย 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
ย 

Similar to Rishi Hotbots (20)

Hitbkl 2012
Hitbkl 2012Hitbkl 2012
Hitbkl 2012
ย 
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
ย 
A Survey Of Aspect Mining Approaches
A Survey Of Aspect Mining ApproachesA Survey Of Aspect Mining Approaches
A Survey Of Aspect Mining Approaches
ย 
Gates Toorcon X New School Information Gathering
Gates Toorcon X New School Information GatheringGates Toorcon X New School Information Gathering
Gates Toorcon X New School Information Gathering
ย 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech FestStatic Analysis Techniques For Testing Application Security - Houston Tech Fest
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
ย 
Defense against botnets
Defense against botnetsDefense against botnets
Defense against botnets
ย 
Shmoocon XV - Analyzing Shodan Images with Optical Character Recognition
Shmoocon XV - Analyzing Shodan Images with Optical Character RecognitionShmoocon XV - Analyzing Shodan Images with Optical Character Recognition
Shmoocon XV - Analyzing Shodan Images with Optical Character Recognition
ย 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial Botnet
ย 
Securing Rails
Securing RailsSecuring Rails
Securing Rails
ย 
Multi-Agent System for APT Detection
Multi-Agent System for APT DetectionMulti-Agent System for APT Detection
Multi-Agent System for APT Detection
ย 
Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8Generic Attack Detection - ph-Neutral 0x7d8
Generic Attack Detection - ph-Neutral 0x7d8
ย 
Analisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario MaliciosoAnalisis Estatico y de Comportamiento de un Binario Malicioso
Analisis Estatico y de Comportamiento de un Binario Malicioso
ย 
An Toan Thong Tin.pptx
An Toan Thong Tin.pptxAn Toan Thong Tin.pptx
An Toan Thong Tin.pptx
ย 
Integris Security - Hacking With Glue โ„ 
Integris Security - Hacking With Glue โ„ Integris Security - Hacking With Glue โ„ 
Integris Security - Hacking With Glue โ„ 
ย 
25 Million Flows Later โ€“ Large-scale Detection of DOM-based XSS
25 Million Flows Later โ€“ Large-scale Detection of DOM-based XSS25 Million Flows Later โ€“ Large-scale Detection of DOM-based XSS
25 Million Flows Later โ€“ Large-scale Detection of DOM-based XSS
ย 
Effective code reviews
Effective code reviewsEffective code reviews
Effective code reviews
ย 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
ย 
ะะฐ ัั‚ั€ะฐะถะต ะฒะฐัˆะธั… ะดะตะฝะตะณ ะธ ะดะฐะฝะฝั‹ั…
ะะฐ ัั‚ั€ะฐะถะต ะฒะฐัˆะธั… ะดะตะฝะตะณ ะธ ะดะฐะฝะฝั‹ั…ะะฐ ัั‚ั€ะฐะถะต ะฒะฐัˆะธั… ะดะตะฝะตะณ ะธ ะดะฐะฝะฝั‹ั…
ะะฐ ัั‚ั€ะฐะถะต ะฒะฐัˆะธั… ะดะตะฝะตะณ ะธ ะดะฐะฝะฝั‹ั…
ย 
Klaxit - How to keep it clean, for years - Paris.RB 2020
Klaxit - How to keep it clean, for years - Paris.RB 2020Klaxit - How to keep it clean, for years - Paris.RB 2020
Klaxit - How to keep it clean, for years - Paris.RB 2020
ย 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
ย 

More from amiable_indian

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commonsamiable_indian
ย 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art amiable_indian
ย 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentestersamiable_indian
ย 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Securityamiable_indian
ย 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...amiable_indian
ย 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
ย 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
ย 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in Indiaamiable_indian
ย 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyamiable_indian
ย 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Codingamiable_indian
ย 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learnedamiable_indian
ย 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissectedamiable_indian
ย 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunityamiable_indian
ย 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writersamiable_indian
ย 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
ย 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentationamiable_indian
ย 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualizationamiable_indian
ย 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization amiable_indian
ย 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Timeamiable_indian
ย 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics? amiable_indian
ย 

More from amiable_indian (20)

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
ย 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
ย 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
ย 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
ย 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
ย 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
ย 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
ย 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
ย 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
ย 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
ย 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
ย 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
ย 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
ย 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
ย 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
ย 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
ย 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
ย 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
ย 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Time
ย 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics?
ย 

Recently uploaded

Vip Call US ๐Ÿ“ž 7738631006 โœ…Call Girls In Sakinaka ( Mumbai )
Vip Call US ๐Ÿ“ž 7738631006 โœ…Call Girls In Sakinaka ( Mumbai )Vip Call US ๐Ÿ“ž 7738631006 โœ…Call Girls In Sakinaka ( Mumbai )
Vip Call US ๐Ÿ“ž 7738631006 โœ…Call Girls In Sakinaka ( Mumbai )Pooja Nehwal
ย 
Mira Road Awesome 100% Independent Call Girls NUmber-9833754194-Dahisar Inter...
Mira Road Awesome 100% Independent Call Girls NUmber-9833754194-Dahisar Inter...Mira Road Awesome 100% Independent Call Girls NUmber-9833754194-Dahisar Inter...
Mira Road Awesome 100% Independent Call Girls NUmber-9833754194-Dahisar Inter...priyasharma62062
ย 
Cybersecurity Threats in Financial Services Protection.pptx
Cybersecurity Threats in  Financial Services Protection.pptxCybersecurity Threats in  Financial Services Protection.pptx
Cybersecurity Threats in Financial Services Protection.pptxLumiverse Solutions Pvt Ltd
ย 
Vasai-Virar High Profile Model Call Girls๐Ÿ“ž9833754194-Nalasopara Satisfy Call ...
Vasai-Virar High Profile Model Call Girls๐Ÿ“ž9833754194-Nalasopara Satisfy Call ...Vasai-Virar High Profile Model Call Girls๐Ÿ“ž9833754194-Nalasopara Satisfy Call ...
Vasai-Virar High Profile Model Call Girls๐Ÿ“ž9833754194-Nalasopara Satisfy Call ...priyasharma62062
ย 
Toronto dominion bank investor presentation.pdf
Toronto dominion bank investor presentation.pdfToronto dominion bank investor presentation.pdf
Toronto dominion bank investor presentation.pdfJinJiang6
ย 
falcon-invoice-discounting-unlocking-prime-investment-opportunities
falcon-invoice-discounting-unlocking-prime-investment-opportunitiesfalcon-invoice-discounting-unlocking-prime-investment-opportunities
falcon-invoice-discounting-unlocking-prime-investment-opportunitiesFalcon Invoice Discounting
ย 
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
ย 
Technology industry / Finnish economic outlook
Technology industry / Finnish economic outlookTechnology industry / Finnish economic outlook
Technology industry / Finnish economic outlookTechFinland
ย 
Airport Road Best Experience Call Girls Number-๐Ÿ“ž๐Ÿ“ž9833754194 Santacruz MOst Es...
Airport Road Best Experience Call Girls Number-๐Ÿ“ž๐Ÿ“ž9833754194 Santacruz MOst Es...Airport Road Best Experience Call Girls Number-๐Ÿ“ž๐Ÿ“ž9833754194 Santacruz MOst Es...
Airport Road Best Experience Call Girls Number-๐Ÿ“ž๐Ÿ“ž9833754194 Santacruz MOst Es...priyasharma62062
ย 
Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...
Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...
Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...priyasharma62062
ย 
VIP Call Girl in Mumbai Central ๐Ÿ’ง 9920725232 ( Call Me ) Get A New Crush Ever...
VIP Call Girl in Mumbai Central ๐Ÿ’ง 9920725232 ( Call Me ) Get A New Crush Ever...VIP Call Girl in Mumbai Central ๐Ÿ’ง 9920725232 ( Call Me ) Get A New Crush Ever...
VIP Call Girl in Mumbai Central ๐Ÿ’ง 9920725232 ( Call Me ) Get A New Crush Ever...dipikadinghjn ( Why You Choose Us? ) Escorts
ย 
( Jasmin ) Top VIP Escorts Service Dindigul ๐Ÿ’ง 7737669865 ๐Ÿ’ง by Dindigul Call G...
( Jasmin ) Top VIP Escorts Service Dindigul ๐Ÿ’ง 7737669865 ๐Ÿ’ง by Dindigul Call G...( Jasmin ) Top VIP Escorts Service Dindigul ๐Ÿ’ง 7737669865 ๐Ÿ’ง by Dindigul Call G...
( Jasmin ) Top VIP Escorts Service Dindigul ๐Ÿ’ง 7737669865 ๐Ÿ’ง by Dindigul Call G...dipikadinghjn ( Why You Choose Us? ) Escorts
ย 
VIP Kalyan Call Girls ๐ŸŒ 9920725232 ๐ŸŒ Make Your Dreams Come True With Mumbai E...
VIP Kalyan Call Girls ๐ŸŒ 9920725232 ๐ŸŒ Make Your Dreams Come True With Mumbai E...VIP Kalyan Call Girls ๐ŸŒ 9920725232 ๐ŸŒ Make Your Dreams Come True With Mumbai E...
VIP Kalyan Call Girls ๐ŸŒ 9920725232 ๐ŸŒ Make Your Dreams Come True With Mumbai E...roshnidevijkn ( Why You Choose Us? ) Escorts
ย 
(Sexy Sheela) Call Girl Mumbai Call Now ๐Ÿ‘‰9920725232๐Ÿ‘ˆ Mumbai Escorts 24x7
(Sexy Sheela) Call Girl Mumbai Call Now ๐Ÿ‘‰9920725232๐Ÿ‘ˆ Mumbai Escorts 24x7(Sexy Sheela) Call Girl Mumbai Call Now ๐Ÿ‘‰9920725232๐Ÿ‘ˆ Mumbai Escorts 24x7
(Sexy Sheela) Call Girl Mumbai Call Now ๐Ÿ‘‰9920725232๐Ÿ‘ˆ Mumbai Escorts 24x7jayawati511
ย 
VIP Independent Call Girls in Taloja ๐ŸŒน 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Taloja ๐ŸŒน 9920725232 ( Call Me ) Mumbai Escorts ...VIP Independent Call Girls in Taloja ๐ŸŒน 9920725232 ( Call Me ) Mumbai Escorts ...
VIP Independent Call Girls in Taloja ๐ŸŒน 9920725232 ( Call Me ) Mumbai Escorts ...dipikadinghjn ( Why You Choose Us? ) Escorts
ย 
8377087607, Door Step Call Girls In Kalkaji (Locanto) 24/7 Available
8377087607, Door Step Call Girls In Kalkaji (Locanto) 24/7 Available8377087607, Door Step Call Girls In Kalkaji (Locanto) 24/7 Available
8377087607, Door Step Call Girls In Kalkaji (Locanto) 24/7 Availabledollysharma2066
ย 
7 tips trading Deriv Accumulator Options
7 tips trading Deriv Accumulator Options7 tips trading Deriv Accumulator Options
7 tips trading Deriv Accumulator OptionsVince Stanzione
ย 
CBD Belapur Expensive Housewife Call Girls Number-๐Ÿ“ž๐Ÿ“ž9833754194 No 1 Vipp HIgh...
CBD Belapur Expensive Housewife Call Girls Number-๐Ÿ“ž๐Ÿ“ž9833754194 No 1 Vipp HIgh...CBD Belapur Expensive Housewife Call Girls Number-๐Ÿ“ž๐Ÿ“ž9833754194 No 1 Vipp HIgh...
CBD Belapur Expensive Housewife Call Girls Number-๐Ÿ“ž๐Ÿ“ž9833754194 No 1 Vipp HIgh...priyasharma62062
ย 
Vasai-Virar Fantastic Call Girls-9833754194-Call Girls MUmbai
Vasai-Virar Fantastic Call Girls-9833754194-Call Girls MUmbaiVasai-Virar Fantastic Call Girls-9833754194-Call Girls MUmbai
Vasai-Virar Fantastic Call Girls-9833754194-Call Girls MUmbaipriyasharma62062
ย 
Business Principles, Tools, and Techniques in Participating in Various Types...
Business Principles, Tools, and Techniques  in Participating in Various Types...Business Principles, Tools, and Techniques  in Participating in Various Types...
Business Principles, Tools, and Techniques in Participating in Various Types...jeffreytingson
ย 

Recently uploaded (20)

Vip Call US ๐Ÿ“ž 7738631006 โœ…Call Girls In Sakinaka ( Mumbai )
Vip Call US ๐Ÿ“ž 7738631006 โœ…Call Girls In Sakinaka ( Mumbai )Vip Call US ๐Ÿ“ž 7738631006 โœ…Call Girls In Sakinaka ( Mumbai )
Vip Call US ๐Ÿ“ž 7738631006 โœ…Call Girls In Sakinaka ( Mumbai )
ย 
Mira Road Awesome 100% Independent Call Girls NUmber-9833754194-Dahisar Inter...
Mira Road Awesome 100% Independent Call Girls NUmber-9833754194-Dahisar Inter...Mira Road Awesome 100% Independent Call Girls NUmber-9833754194-Dahisar Inter...
Mira Road Awesome 100% Independent Call Girls NUmber-9833754194-Dahisar Inter...
ย 
Cybersecurity Threats in Financial Services Protection.pptx
Cybersecurity Threats in  Financial Services Protection.pptxCybersecurity Threats in  Financial Services Protection.pptx
Cybersecurity Threats in Financial Services Protection.pptx
ย 
Vasai-Virar High Profile Model Call Girls๐Ÿ“ž9833754194-Nalasopara Satisfy Call ...
Vasai-Virar High Profile Model Call Girls๐Ÿ“ž9833754194-Nalasopara Satisfy Call ...Vasai-Virar High Profile Model Call Girls๐Ÿ“ž9833754194-Nalasopara Satisfy Call ...
Vasai-Virar High Profile Model Call Girls๐Ÿ“ž9833754194-Nalasopara Satisfy Call ...
ย 
Toronto dominion bank investor presentation.pdf
Toronto dominion bank investor presentation.pdfToronto dominion bank investor presentation.pdf
Toronto dominion bank investor presentation.pdf
ย 
falcon-invoice-discounting-unlocking-prime-investment-opportunities
falcon-invoice-discounting-unlocking-prime-investment-opportunitiesfalcon-invoice-discounting-unlocking-prime-investment-opportunities
falcon-invoice-discounting-unlocking-prime-investment-opportunities
ย 
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Koregaon Park Call Me 7737669865 Budget Friendly No Advance Booking
ย 
Technology industry / Finnish economic outlook
Technology industry / Finnish economic outlookTechnology industry / Finnish economic outlook
Technology industry / Finnish economic outlook
ย 
Airport Road Best Experience Call Girls Number-๐Ÿ“ž๐Ÿ“ž9833754194 Santacruz MOst Es...
Airport Road Best Experience Call Girls Number-๐Ÿ“ž๐Ÿ“ž9833754194 Santacruz MOst Es...Airport Road Best Experience Call Girls Number-๐Ÿ“ž๐Ÿ“ž9833754194 Santacruz MOst Es...
Airport Road Best Experience Call Girls Number-๐Ÿ“ž๐Ÿ“ž9833754194 Santacruz MOst Es...
ย 
Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...
Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...
Mira Road Memorable Call Grls Number-9833754194-Bhayandar Speciallty Call Gir...
ย 
VIP Call Girl in Mumbai Central ๐Ÿ’ง 9920725232 ( Call Me ) Get A New Crush Ever...

Rishi Hotbots

1. Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation
   Jan Göbel, Center for Computing and Communication, RWTH Aachen
   Thorsten Holz, Laboratory for Dependable Distributed Systems, University of Mannheim
   Rishi HotBots´07

2. Outline
   ▸ What is Rishi?
   ▸ Rishi setup and design
   ▸ Nickname evaluation
   ▸ Results and limitations
   ▸ Discussion

3. What is Rishi?
   ▸ Basic idea: IRC-based bots need a distinct nickname
     – Can we detect similarity in IRC nicknames to detect bots?
     – Is detection of the communication channel between botherder and victim possible?
   ▸ Small Python script (~1700 lines) that passively monitors network traffic
   ▸ Analyses payload for the occurrence of known IRC commands
     – NICK, JOIN, USER, MODE, QUIT
     – Analysis function to compute a score for a given nickname
   ▸ Related work:
     – Binkley et al.: botnets use the same IRC channel, offline analysis
     – Livadas et al.: use machine learning techniques to detect C&C traffic

4. Rishi Setup

5. Rishi Design

6. Nickname Evaluation
   ▸ Check nickname against dynamic and static whitelists
     – similarity check based on n-gram analysis
   ▸ Check if nickname contains a known extension:
     – _away, ^working, ...
     – Subtract extension and check nickname again
   ▸ Check nickname against dynamic and static blacklists
     – similarity check based on n-gram analysis
   ▸ Check for suspicious substrings and special characters in nickname
     – DEU, GBR, 2K, XP, r00t3d-, |, [, ], ...
   ▸ Check for suspicious prefix/suffix in nickname
     – _13, _12, l33t-, xyz-, ...

7. Nickname Evaluation
   ▸ Check number of digits in nickname
     – Every two digits add one point to final score
   ▸ Check if target IP address is a known C&C server
   ▸ Check if target port is uncommon
   ▸ Check nickname against regular expressions
     – Evaluation of ~4K known bot nicks resulting in 52 REs
   ▸ Example: RBOT|DE-6182
     – 2 points for suspicious substrings RBOT and DE
     – 2 points for occurrence of special characters | and -
     – 2 points for two occurrences of consecutive digits
     – 10 points for match against regular expression
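The scoring walk-through on slides 6 and 7, as an added example that is not Rishi's own code: the word lists, the per-hit weights and the single regular expression are constructed from the examples on the slides (Rishi's 52 REs, its n-gram similarity check and the C&C/port checks are not on the page and are left out), so RBOT|DE-6182 scores 2 + 2 + 2 + 10 = 16 as on slide 7.

```python
import re

# Added reconstruction of the ad-hoc nickname scoring on slides 6 and 7, not
# Rishi's own code. Word lists, weights and the single regular expression are
# constructed from the slides' examples; Rishi's 52 REs are not on the page.
KNOWN_EXTENSIONS = ("_away", "^working")            # slide 6: strip, re-check
SUSPICIOUS_SUBSTRINGS = ("DEU", "GBR", "2K", "XP", "RBOT", "DE")
SPECIAL_CHARS = set("|[]-")                           # slide 6 and 7 examples
SUSPICIOUS_AFFIXES = ("_13", "_12", "l33t-", "xyz-")
BOT_NICK_REGEXES = [re.compile(r"^[A-Z]+\|[A-Z]{2,3}-\d{3,}$")]  # constructed
WHITELIST = {"jan", "thorsten"}                       # constructed static list

def strip_extension(nick):
    """Remove a known extension such as _away so the base nick is scored."""
    for ext in KNOWN_EXTENSIONS:
        if nick.endswith(ext):
            return nick[:-len(ext)]
    return nick

def score_nickname(nick):
    """Return (score, reasons); a higher score means a more bot-like nick."""
    nick = strip_extension(nick)
    if nick.lower() in WHITELIST:
        return 0, ["whitelisted"]
    score, reasons = 0, []
    # One point per suspicious substring (RBOT and DE give 2 on slide 7);
    # matching is case-sensitive and DE inside DEU would count twice.
    for sub in SUSPICIOUS_SUBSTRINGS:
        if sub in nick:
            score += 1
            reasons.append(f"substring {sub}")
    # One point per distinct special character present (| and - give 2).
    for ch in sorted(SPECIAL_CHARS & set(nick)):
        score += 1
        reasons.append(f"special char {ch}")
    # Every two digits add one point (6182 gives 2).
    digit_points = sum(c.isdigit() for c in nick) // 2
    score += digit_points
    reasons.append(f"{digit_points} point(s) for digits")
    # One point per suspicious prefix or suffix (_13, l33t-, ...).
    for affix in SUSPICIOUS_AFFIXES:
        if nick.startswith(affix) or nick.endswith(affix):
            score += 1
            reasons.append(f"affix {affix}")
    # Ten points for a match against a known bot-nick regular expression.
    if any(r.match(nick) for r in BOT_NICK_REGEXES):
        score += 10
        reasons.append("regex match")
    return score, reasons
```

The slides give no alerting threshold, so the score is returned as-is; the reasons list is what a warning e-mail would need to explain a hit.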
8. Final Scores of Some Nicknames

9. Results I
   ▸ Detection of more than 300 bots within 3 months
   ▸ Comparison with Blast-o-Mat (see ;login: 31(6))
     – Custom IDS system at RWTH Aachen university
       • Detection of scanning machines via SYN threshold
       • Detection of spam-sending machines via threshold
       • Usage of honeypots to detect suspicious activities
   ▸ Preliminary results for a period of 14 days
     – Detection of 82 machines with Rishi
     – 34 of these were also detected by Blast-o-Mat
     – Remaining 48 machines undetected
     – Blast-o-Mat detected additional 20 hosts
     – 5 false positives

10. Results II
   ▸ Case study: detecting spam-bots
     – Bots that do not scan / propagate further (→ rather stealthy)
     – Presumably infected via drive-by downloads
     – Detection of communication channel via Rishi
     – Detected a couple of hours later due to spamming activity
   ▸ Case study: spotting botnet-tracking activity
     – Several TOR nodes (one exit node) within university network
     – Frequently observed within Rishi output
     – Definitely not bot-infected (Linux machine, known user)
     – Caused by botnet-tracking hosts that use TOR

11. Results III
   ▸ Case study: detecting modified IRC protocol
     – Rishi logged JOIN without any related info in connection object
     – Analysis revealed: bot with modified C&C protocol
       • NICK → SENDN
       • USER → SENDU
       • PRIVMSG → SENDP
       • But: JOIN was not modified
     – We could detect the incident since one protocol element was not changed

12. Limitations
   ▸ Detection of cleartext, IRC-based botnets
     – Most prevalent type of botnets nowadays, but this is changing
     – Bots can use a dictionary to create nicknames
   ▸ Ad-hoc computation of final score
     – Better evaluation needed, taking care of false positives / negatives
   ▸ Dependence on regular expressions
     – No automated learning yet
     – Inclusion of nepenthes / CWSandbox results?
   ▸ Monitoring at the central router
     – RWTH Aachen has 10 GBit Ethernet with spikes > 3 GBit/s

13. Conclusion
   ▸ Rishi is a simple, yet effective way to detect bots
     – Based on evaluation of nickname
     – Ad-hoc scoring function
     – Generates warning e-mail (next step: automated mitigation)
   ▸ Detected more than 300 bot-infected machines
   ▸ Orthogonal to the other IDS system used within the university
     – Combination of both?
   Thanks a lot for your attention!