botnets - UW Computer Sciences User Pages (pages.cs.wisc.edu/~ace/media/lectures/botnets.pdf)
Today: Malware & botnets / Uses / Command and Control / Size estimation
Botnets
• Botnets:
  – Command and Control (C&C)
  – Zombie hosts (bots)
• C&C type:
  – centralized, peer-to-peer
• Infection vector:
  – spam, scanning, worm (self-propagating virus)
• Usage: ?
How to make money off a botnet?
• Rental – "Pay me money, and I'll let you use my botnet... no questions asked"
• DDoS extortion – "Pay me or I take your legitimate business off the web"
• Bulk traffic selling – "Pay me to direct bots to websites to boost visit counts"
• Click fraud, SEO – "Simulate clicks on advertised links to generate revenue"
  – Cloaking, link farms, etc.
• Theft of monetizable information (e.g., financial accounts)
• Ransomware – "I've encrypted your hard drive, now pay me money to decrypt it"
• Advertise products
think-pair-share
Torpig Botnet
• 2005-2009?
• 50k-180k bots
• 2008: "Most advanced piece of crimeware ever built"
• Uses domain flux to contact command and control (C&C) servers
• Hijacked by UC Santa Barbara researchers and studied for 10 days
[Your Botnet is My Botnet: Analysis of a Botnet Takeover, 2009, Stone-Gross et al.]
How to join a Torpig botnet
1: Click on dodgy link to vulnerable website
2-4: Download Mebroot malware
5: Mebroot downloads Torpig DLL (you're a bot!)
6: Upload all your sensitive data to Torpig C&C
7: Profit! (not yours)
think-pair-share: What are defenses?
Domain Flux
• Each bot generates candidate domain names for C&C servers
• Probe each one, use the first one that talks the C&C protocol
• Researchers ran the algorithm forward several weeks
• Discovered un-registered domains and registered them
• Set up their own C&C server
• Your botnet is my botnet
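The domain-flux race described above, as an added example (not Torpig's real generator and not code from the lecture or the paper): a toy date-seeded domain generation algorithm, a bot that walks its output in order, a botmaster who registered only the first candidate for the first two days, and a defender who runs the algorithm forward and registers everything still free. The seed, the TLD list, "three candidates per day" and the names `simulate`, `sinkhole_plan` and `bot_rendezvous` are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Added example, not Torpig's actual DGA. All constants below are made up.
TLDS = (".com", ".net", ".biz")      # assumed candidate TLD order
SEED = b"lecture-demo"               # assumed secret baked into the bot binary
START = date(2009, 1, 25)            # arbitrary first day of the simulation


def candidate_domains(day: date, per_day: int = 3) -> list[str]:
    """Ordered C&C candidates for one day. Every bot running the same binary
    computes the same list, so bots and botmaster rendezvous without a
    hard-coded address; a defender holding the binary can compute it too."""
    out = []
    for i in range(per_day):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        out.append(label + TLDS[i % len(TLDS)])
    return out


def bot_rendezvous(day: date, registry: dict[str, str]) -> tuple[str, str] | None:
    """Bot side: probe the candidates in order and use the first one that
    answers. `registry` stands in for DNS plus the C&C handshake
    (domain -> who runs it); an unregistered domain simply does not answer."""
    for domain in candidate_domains(day):
        owner = registry.get(domain)
        if owner is not None:
            return domain, owner
    return None


def sinkhole_plan(start: date, days: int, registry: dict[str, str]) -> list[str]:
    """Defender side: run the DGA forward and register every candidate that
    is still free, pointing it at a sinkhole. Returns the domains taken."""
    taken = []
    for n in range(days):
        for domain in candidate_domains(start + timedelta(days=n)):
            if domain not in registry:
                registry[domain] = "sinkhole"
                taken.append(domain)
    return taken


def simulate(start: date = START, days: int = 14, botmaster_days: int = 2) -> dict[date, str]:
    """Who the bots report to on each day, assuming the botmaster registered
    only the top candidate for the first `botmaster_days` days before the
    defenders registered the rest. Order matters: on those days the bot
    reaches the botmaster's domain first and never probes the sinkhole."""
    registry: dict[str, str] = {}
    for n in range(botmaster_days):
        registry[candidate_domains(start + timedelta(days=n))[0]] = "botmaster"
    sinkhole_plan(start, days, registry)
    control: dict[date, str] = {}
    for n in range(days):
        day = start + timedelta(days=n)
        hit = bot_rendezvous(day, registry)
        control[day] = hit[1] if hit else "none"
    return control


if __name__ == "__main__":
    for day, owner in simulate().items():
        print(day, owner, candidate_domains(day))
```

The simulation makes the practical point explicit: registering "the unregistered ones" only wins from the first day on which the defender holds a candidate that precedes every botmaster-held one, so the defender has to run the algorithm far enough ahead to get there first, and a botmaster who changes the generator (a new binary with a new seed) invalidates the whole plan.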
Stealing a botnet
• Researchers bought two domains and hosting
• Put up a C&C server to capture all information reported by bots
• Controlled the Torpig botnet for 10 days
• Captured 70 GB of stolen information
• Used these data to study how big the botnet was and what it did (crime)
• Hijacking C&C to take down a botnet is called sinkholing
Estimating botnet size
Torpig bots report to C&C servers using a unique per-bot ID. Useful for correctly estimating size: counting by source IP over-counts bots whose address changes (DHCP churn) and under-counts bots sharing one address (NAT), while counting distinct IDs does neither.
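The size-estimation point above, as an added example that is not code from the lecture or the paper: a constructed C&C check-in log (the line format `<timestamp> <source ip> nid=<bot id>` and the field name `nid` are assumptions) counted once by source IP and once by per-bot ID, with the two addressing effects that make the IP count wrong called out separately.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Added example. Constructed check-in lines in a made-up format; the field
# name "nid" and the addresses are assumptions for illustration only.
SAMPLE_LOG = """\
2009-01-25T00:01:02 10.0.0.5 nid=aa01
2009-01-25T00:05:40 203.0.113.7 nid=bb02
2009-01-25T00:06:11 203.0.113.7 nid=cc03
2009-01-25T00:07:58 203.0.113.7 nid=dd04
2009-01-25T06:30:00 10.0.0.9 nid=aa01
2009-01-25T07:00:00 198.51.100.2 nid=ee05
2009-01-25T07:10:00 198.51.100.2 nid=ee05
2009-01-25T08:00:00 not-a-checkin
"""

LINE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) nid=([0-9a-f]+)$")


def parse_checkins(log: str) -> tuple[list[tuple[str, str, str]], int]:
    """Return ([(timestamp, ip, bot_id), ...], number of lines skipped).
    Malformed lines are counted rather than guessed at, so a parser bug or
    an unexpected bot version shows up in the numbers instead of vanishing."""
    rows, skipped = [], 0
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            skipped += 1
            continue
        rows.append((m.group(1), m.group(2), m.group(3)))
    return rows, skipped


def estimate_size(log: str) -> dict[str, int]:
    """Naive IP-based count next to the ID-based count, plus the two effects
    that pull the IP count away from the truth."""
    rows, skipped = parse_checkins(log)
    ips_by_id: dict[str, set[str]] = defaultdict(set)
    ids_by_ip: dict[str, set[str]] = defaultdict(set)
    for _, ip, bot_id in rows:
        ips_by_id[bot_id].add(ip)
        ids_by_ip[ip].add(bot_id)
    return {
        "checkins": len(rows),
        "skipped": skipped,
        "unique_ips": len(ids_by_ip),   # what you get without a bot ID
        "unique_ids": len(ips_by_id),   # what the per-bot ID allows
        # one bot seen from several addresses: DHCP churn inflates the IP count
        "ids_on_several_ips": sum(1 for s in ips_by_id.values() if len(s) > 1),
        # several bots seen from one address: NAT hides bots behind one IP
        "ips_with_several_ids": sum(1 for s in ids_by_ip.values() if len(s) > 1),
    }


if __name__ == "__main__":
    for k, v in estimate_size(SAMPLE_LOG).items():
        print(f"{k:>22}: {v}")
```

In this small sample the two errors nearly cancel (4 addresses for 5 bots); over a real population with a 10-day observation window they do not, which is why the ID-based figure is the one to report.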
Stealing Financial Accounts
In 10 days, stolen accounts from:
- PayPal (1770)
- Poste Italiane (765)
- Capital One (314)
- E*Trade (304)
- Chase (217)
Ethics
Two principles to protect victims
● PRINCIPLE 1. The sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized.
● PRINCIPLE 2. The sinkholed botnet should collect enough information to enable notification and remediation of affected parties.
Recap: Malware + botnets / Botnet uses / Architecture / Domain flux, C&C hijacking