paper review about botnet
-
Upload
raymond0820 -
Category
Internet
-
view
27 -
download
0
Transcript of paper review about botnet
1
Paper ReviewAn Empirical Study of HTTP-based Financial
Botnets
Raymond
2
Outline• Introduction• Methodology and Emulation Environment• Comparative Analysis of Various Bots • Analytical Observations• Challenges• Solution and Conclusion
3
Introduction
4
Botnet• A botnet is a collection of infected machines
(bots) controlled by a bot herder through a C&C server
C&Cserver
malware
malware
malware
Bot herder
5
Financial Botnets• This breed of botnets is designed and deployed to
conduct financial crimes such as online fraud, money laundering, and identity theft by infecting a large number of end-user systems across the globe.
6
232 devices are infected per minute
• An RSA study further disclosed that every minute on the Internet approximately 232 computers are being infected with malware globally.
7
Spread bots 1/3• There are several ways to spread bots but
phishing and drive-by download attacks are the two most prominent ones
8
Spread bots 1/3
Phishing• attack are executed through emails embedded
with malicious links that are distributed to a large set of users.
• This attack exploits the users’ gullibility using social engineering tricks.
• Upon clicking a web link, the user’s browser is redirected to a malicious domain which serves malware.
9
Spread bots 1/3 drive-by download
• an attacker compromises a high-traffic website and injects code that points to a malicious domain.
10
Spread bots 2/3 • On visiting a malicious domain, a Browser Exploit
Pack (BEP), an automated framework consisting several exploits, fingerprints the browsers environment, and if found vulnerable, an appropriate exploit is served to compromise the machine.
11
Spread bots 3/3
12
Botnets have Become Bigger and Better
Statistic shows the total number of bots present in the various families of botnets when taken down by FBI in different takedown operations.
13
Top 4 Financial Botnets
• A Kaspersky study [9] found that the top 4 financial botnets are Zeus (variants), SpyEye, Carberp and Citadel.
14
Top 4 Financial Botnets
• Carberp botnet caused approximately close to $250 million in losses
• Citadel botnet caused $500 million losses to companies and organizations across the globe.
• Earlier versions of Zeus and SpyEye botnets collectively stole $100 million from target organizations
15
Methodology and Emulation
Environment
16
Test Step• 1.we used an infiltration technique where we
joined the botnet environment to better understand its behavior
• 2.We conducted several tests using active and passive approaches for investigating infections:o Continuous monitoring and traffic analysiso Reverse engineering and behavior analysiso Penetration testing
17
anti anti-VM bot• do something made the VMware machines
behave like a standard operating systemo ex:
• VMWare support tools were not installed• kernel debugging was turned off• the Media Access Control (MAC) address was modified• Desktop Management Information (DMI) related to Basic Input
Output System (BIOS) and certain components of operating system (VM) were modified
18
19
Comparative Analysis of Various Bots
20
Protocol
21
Anti-sandbox
22
Exploitation
Mutex object can be used to determine whether the system is already infected or not, and detecting the presence of virtual machines, traffic analyzers, Anti-Viruses(AV) in the system.
the PDEF+ component is designed to check the effectiveness of bots in bypassing anti-virus systems running on the client side
23
Spreading
24
Remote Manage
25
Defensive Mechanisms
Socks Proxybot herders can restrict source direct access to the C&C panels offer vertify method, if bot match, it allow the bot to download configuration file limit source of incoming http request
Domain Generation Algorithmsgenerate pseudorandom domain names, Advantage is that use DGAs to strengthen their C&C communication channels so that fingerprinting of C&C servers becomes more difficult
26
Module
• This design shows that the bots can be extended by building additional plugins that can be incorporated directly to execute extended code in the infected system. o For example,
• the malware author can design a new plugin for a specific bot and use the C&C panel to update the bot by sending an updated configuration having a new plugin listed in it. When the bot gets updated, the new pluginsimply executes.
27
Data Exfiltration
28
Data Exfiltration
• Man-in-the-Browser Attackso MitB is capable of manipulating the communication flow of various
browser componentso most common MitB attack techniques based on hooking used by bots:
• Form-grabbing• WebInjects• WebFakes.
29
Man-in-the-Browser Attacks
30
DDoS
31
Best Botnet
32
Analytical Observations
33
Analytical Observations
• Malware authors are developing more sophisticated botnet designs by reusing and modifying existing botnet source codes.
34
Analytical Observations
• Communication channels of HTTP-based financial botnets are secured using gates
35
Analytical Observations
• Use of DGAs as a C&C communication mechanism has increased in last few years and we expect this trend to continue in the future
36
Analytical Observations
• the bots primarily target browsers to steal sensitive information pertaining to critical websites. Almost every HTTP-based botnet performs browser hooking to carry out nefarious tasks.
37
Analytical Observations
• distribution using automated exploit frameworks called browser exploit packs which exploit a specific vulnerability in browser components and download bots onto the user systems without their knowledge
38
Analytical Observations
• well-defined development APIs and plugin architecture frameworks which can be used to extend the functionalities of bots.
39
Analytical Observations
• use Windows built-in cryptographic APIs with custom encryption routines to avoid detection and further complicate any analysis.
40
Challenges
41
Challenges• HTTPS is an end-to-end security solution that
protects from Man-in-the-Middle (MitM) attack but it does not provide any protection against MitB attacks
42
Challenges• TFA does not protect from MitB attacks
o TFA raises the bar with respect to the ease of use of stolen authentication data, but TFA neither prevents the theft nor eliminates the data’s value.
43
Challenges• Developing signatures for IPS/IDS for bot
detections fail to stop unknown malware (financial botnets) running in the wild. The thriving botnet ecosystem is proof of that
44
Solution and Conclusion
45
SolutionsTo defend against WebInject attacks
• One solution is to build an HTML/JavaScript-based webpage verification system that detects modifications that have happened when webpages are rendered in the browser.
46
SolutionsTo foil Form-grabbing attacks
• data is encrypted before it is exfiltrated by the bot from the infected system.
47
Solutionsto overcome malware detection VM
• building next-generation complete emulated environments by simulating the physical hardware including CPU, memory, etc.
48
Solutionsto protect enterprises against unknown
attacks
• data mining and machine learning can play a vital role ,but such solutions are still not able to cope with existing and emerging threats.
49
SolutionsOther
• understanding how one bot detects the presence of other boto ex:o if mutex names are used by SpyEye to detect Zeus bots, the same
patterns can be fed to end-user security solutions (anti-virus engines) to detect and eradicate the bots
50
SolutionsThe most important way
• Technology alone cannot protect users from all types of malicious attacks.
• Improved user education which instructs the user to understand the importance of safe surfing habits, best and secure ways to perform online banking, avoid visiting the destinations which they are not sure of, etc.
51
Q & A