Dr. Steven Gianvecchio Bots, Zombies, and Botnets: Malicious Automated Programs in Online Games, Social Networks, and the Internet
Recent Headlines • Internet of Things botnet • Includes a TV and a refrigerator • Flashback hits Mac OS X • 800K Macs infected • Explosion of Android threats • 6x growth • LinkedIn, Dropbox, and other leaks • 6.5 million LinkedIn password hashes leaked • Java 0-days • 30% of computers vulnerable • Brazil DSL hacks • 4.5 million modems hacked
Statistics • 99 billion spam emails/day • 68% of all email traffic • US banks flooded with >150Gbps of traffic • 37 million phishing attempts • Password theft up 3x • What connects all of these problems?
Bots • What is a bot? • Short for “robot” • An automated program that operates an application normally used by humans • e.g., Web bot, Twitter bot • Bots are not always bad • e.g., Google uses bots to build its search results (these bots are also called spiders)
Zombies!!! • What are zombies? • Computers infected with malicious bot software allowing them to be remotely controlled • Zombie (n) 2.a.3. “in West Indian voodoo, a supernatural power through which a corpse supposedly is brought to a state of trancelike animation and made to obey the commands of the person exercising the power” [Merriam-Webster] • Typically someone’s home or office computer (unknown to them)
Botnets • What are botnets? • Botnets are networks of zombie- or bot-infected computers • Thousands or even millions of bots • 1-5% of Internet-connected computers [Arbor10] • Controlled by independent hackers or criminal organizations (or military)
ZeroAccess botnet • ~2-3 million infections • ~$100K/day in profits, through Click Fraud • [Figure: ZeroAccess botnet, Europe infections [Fsecure12]]
Botnet Lifecycle • 1. Propagation – computer is infected with malicious bot software • 2. Communication - bot “phones home”, i.e., contacts its controller and awaits orders • 3. Attack - bot responds to commands
Botnet Propagation • The first step is “recruiting” bots • Infect computers and install bot software • Many infection methods • Infect as many computers as possible • Bigger is usually better • More bots = faster propagation (rate can be exponential)
Botnet Propagation (cont.) • [Figure: Infection Methods, from the Microsoft Security Intelligence Report 2012 [Microsoft12]]
Botnet Communication • How bots receive commands • Centralized: every bot contacts one command-and-control (C&C) server • Peer-to-Peer: bots relay commands among themselves • What if a node is lost? • Centralized: the C&C server is a single point of failure • Peer-to-Peer: commands route around a lost peer • [Figure: centralized vs. peer-to-peer topology, each with one node marked as lost]
Botnet Attacks • Spam (about 80% is from botnets) • Distributed Denial of Service, aka DDoS (floods a host with traffic) • Click Fraud (fake traffic or “clicks”) • Phishing (steal passwords using fake sites) • Identity or Data Theft • Keylogging • Spying
Financial Motivation • [Figure: dollar-sign graphic]
Bots vs Humans • The Turing Test • A human judge chats with two unknown participants: a human and a computer • Judge guesses which is human
Bots vs Humans • Human Interactive Proofs • Ideal Proof: hard for computers, easy for humans • e.g., CAPTCHA • Like Turing Test, but judge also a computer • CAPTCHAs are hard for humans and computers (or maybe I’m a computer?) • Are they still effective?
Bots vs Humans • Behavioral Detection • Humans • Biological • Highly complex (many systems within systems) • Bots • Automated (good at repeating things) • Limited complexity (does whatever is in the code) • Can we tell them apart?
Bot Types • Types • Web • Email • Social Network • Online Game • And Others • Bots use these applications for propagation or communication, or target them for attack • Bots are modular • Could propagate via Email and communicate via Web
Bots in Social Networks • Bots are on Twitter and Facebook • Friend or follow you • Send spam or phishing links (via Tweet or direct message) • Send links to malicious code (also via Tweet or direct message)
Twitter Bot Analysis • Live Twitter bots (all created 7-28-2013) • https://twitter.com/lizzycin • https://twitter.com/JustinQBarbee • https://twitter.com/bluelyndia • https://twitter.com/trekkerdeb • https://twitter.com/wingsaquino • … • Same creation date: likely created by the same person?
Bots in Online Games • Bots play games • Gambling • Online Poker • Gold farming • World of Warcraft • Guild Wars 2 • Rift Online • Star Wars: The Old Republic • …
Gold Farming Bots • Bot plays endlessly • Gathers gold 24 hours a day • Sells on virtual black market for real currency • Bot plays like a human • “Presses” keys (changes key state) • “Moves” mouse (changes mouse x, y coordinates) • “Views” screen (reads color values of pixels) • Can we tell them apart from how they play?
Gold Farming Study • Setup • World of Warcraft • Collect user-input recordings • Log mouse and keyboard events • Compute statistics • 10 bots for 40 hours • 30 humans for 55 hours
Gold Farming Bot Analysis • Bot vs Human • 82% of bot mouse movements have a move efficiency of 1.0, i.e., a straight line • 14% of human mouse movements have a move efficiency of 1.0 • [Figure: histograms of bot move efficiency and human move efficiency]
Gold Farming Bot Analysis • Bot vs Human • Bot moves the mouse at random speeds in different directions • Human moves faster on diagonals • [Figure: bot mouse speed vs. human mouse speed, by direction of movement]
Click Fraud Bots • Web sites that host ads are paid per click • Bots can click things! • Botmaster is paid for clicks by the sites (or ad networks) hosting the ads • Thousands of bots click on the ads • The advertiser (client) pays for those clicks and gets ripped off • ZeroAccess (mentioned earlier) makes about $100,000/day on Click Fraud • Click Fraud Study • Set up a web page and collect clicks and mouse movements for bots and human users [Spider.io13]
Click Fraud Bot Analysis • Bot vs Human • Bot clicks and mouse movements are randomly distributed • Human clicks and movements are focused on key areas
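The two behavioral measurements from the gold-farming and click-fraud slides above, as one worked example. This is added code, not the analysis code of either study: the definition of move efficiency as straight-line displacement divided by path length, the grid-entropy measure of click dispersion, and every sample path and click are assumptions constructed for illustration.

```python
"""Bot-vs-human behavioral features: mouse path efficiency and click dispersion.

Added example; the feature definitions and the sample data are assumptions,
not the original studies' code or recordings.
"""
import math
import random
from collections import Counter


def move_efficiency(path):
    """Straight-line displacement divided by the distance actually travelled.

    A perfectly straight move scores 1.0 (assumed definition). A bot that
    drives the cursor along a computed line scores 1.0 almost every time;
    a hand-driven mouse wobbles, so its paths score below 1.0.
    """
    if len(path) < 2:
        return 1.0
    travelled = sum(math.hypot(x1 - x0, y1 - y0)
                    for (x0, y0), (x1, y1) in zip(path, path[1:]))
    if travelled == 0:
        return 1.0
    (xs, ys), (xe, ye) = path[0], path[-1]
    return math.hypot(xe - xs, ye - ys) / travelled


def straight_fraction(paths, threshold=0.999):
    """Share of paths that are (numerically) straight lines.

    The threshold absorbs floating-point error on exactly collinear points.
    """
    return sum(1 for p in paths if move_efficiency(p) >= threshold) / len(paths)


def click_entropy(clicks, width, height, cells=4):
    """Normalized Shannon entropy of click positions over a cells x cells grid.

    Near 1.0: clicks spread uniformly over the page (random clicker).
    Near 0.0: clicks concentrated on a few cells (buttons, links).
    """
    counts = Counter()
    for x, y in clicks:
        cx = min(int(x * cells / width), cells - 1)
        cy = min(int(y * cells / height), cells - 1)
        counts[(cx, cy)] += 1
    n = len(clicks)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(cells * cells)


# Constructed samples (not recorded data).
# A bot moving the cursor along a computed straight line from (0, 0) to (100, 50):
BOT_PATH = [(0, 0), (20, 10), (40, 20), (60, 30), (80, 40), (100, 50)]
# A human making the same move, with the usual curvature:
HUMAN_PATH = [(0, 0), (20, 15), (45, 25), (70, 28), (100, 50)]

_rng = random.Random(1)
PAGE_W, PAGE_H = 400, 400
# Click-fraud bot: 200 clicks scattered uniformly across the page.
BOT_CLICKS = [(_rng.uniform(0, PAGE_W), _rng.uniform(0, PAGE_H)) for _ in range(200)]
# Human: 200 clicks on two buttons, near (50, 50) and (350, 350).
HUMAN_CLICKS = ([(50 + _rng.uniform(-5, 5), 50 + _rng.uniform(-5, 5)) for _ in range(100)]
                + [(350 + _rng.uniform(-5, 5), 350 + _rng.uniform(-5, 5)) for _ in range(100)])


if __name__ == "__main__":
    print("bot path efficiency:   %.3f" % move_efficiency(BOT_PATH))
    print("human path efficiency: %.3f" % move_efficiency(HUMAN_PATH))
    print("bot click entropy:     %.3f" % click_entropy(BOT_CLICKS, PAGE_W, PAGE_H))
    print("human click entropy:   %.3f" % click_entropy(HUMAN_CLICKS, PAGE_W, PAGE_H))
```

Neither feature decides anything on its own: a human does produce straight moves (14% in the study) and a bot can add curvature and jitter once it knows the feature is watched, so a real detector aggregates many such features over a whole session and treats them as evidence, not as a verdict.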
Botnet Analysis • Focus on the Botnet Lifecycle • 1. Propagation / 2. Communication / 3. Attack • Detecting Botnet Propagation • Look for attempts to infect other machines • Exploits change regularly • Very hard • If we could reliably detect exploits, we wouldn’t have the botnet problem
Botnet Analysis • Detecting Botnet Communication • Look for communication with command and control server • Bots often contact their controller at regular intervals, e.g., every 5 minutes • Clustering works well • Lots of computers doing the same thing • Identify the bots and command and control servers
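The communication-detection idea above (bots phone home on a fixed timer; many hosts doing the same thing point at one controller) as an added worked example over constructed flow records. This is not a tool from the talk: the `<unix_time> <src_ip> <dst_ip>` log format, the addresses, the 5-minute beacon interval and the thresholds are all assumptions made for illustration.

```python
"""Spot periodic command-and-control beaconing in flow records, then group the
hosts that share a controller.

Added example, not a tool from the talk; the log format and all addresses and
timings are constructed for illustration.
"""
import random
import statistics
from collections import defaultdict


def _make_sample_log():
    """Constructed flow records, '<unix_time> <src_ip> <dst_ip>' (not real traffic)."""
    rng = random.Random(7)
    lines = []
    t0 = 1_700_000_000
    # Two infected hosts phone home to the same server every 5 minutes (+/- 3 s).
    for src in ("10.0.0.5", "10.0.0.7"):
        t = t0 + rng.randint(0, 120)
        for _ in range(12):
            lines.append(f"{t} {src} 203.0.113.10")
            t += 300 + rng.randint(-3, 3)
    # A person browsing: irregular gaps between contacts.
    t = t0
    for gap in (40, 900, 130, 2600, 15, 700, 3300, 80):
        t += gap
        lines.append(f"{t} 10.0.0.9 198.51.100.20")
    # A few one-off contacts with the suspect server: too few to judge.
    for t in (t0 + 50, t0 + 1700, t0 + 2900):
        lines.append(f"{t} 10.0.0.12 203.0.113.10")
    return lines


SAMPLE_LOG = _make_sample_log()


def beacon_score(timestamps):
    """Return (coefficient of variation, mean gap) of the inter-contact intervals.

    A bot on a fixed timer produces gaps of nearly equal length, so the
    coefficient of variation (stdev / mean) is near zero; human-driven
    traffic is bursty and scores well above 1.
    """
    ts = sorted(timestamps)
    if len(ts) < 2:
        return float("inf"), 0.0
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return float("inf"), 0.0
    return statistics.pstdev(gaps) / mean, mean


def find_beacons(lines, max_cv=0.1, min_contacts=6):
    """Return {(src, dst): (cv, mean_gap)} for pairs whose contacts look like beacons."""
    per_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = line.split()
        per_pair[(src, dst)].append(int(ts))
    beacons = {}
    for pair, ts in per_pair.items():
        if len(ts) < min_contacts:      # not enough samples for a verdict
            continue
        cv, mean_gap = beacon_score(ts)
        if cv <= max_cv:
            beacons[pair] = (cv, mean_gap)
    return beacons


def cluster_by_controller(beacons, min_hosts=2):
    """Group beaconing sources by destination.

    Several hosts beaconing to one server on the same rhythm is the
    'lots of computers doing the same thing' signal: the destination is a
    candidate C&C server and the sources are its bots.
    """
    by_dst = defaultdict(set)
    for src, dst in beacons:
        by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) >= min_hosts}


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for (src, dst), (cv, gap) in sorted(found.items()):
        print(f"{src} -> {dst}: every {gap:.0f}s (cv={cv:.3f})")
    print("candidate controllers:", cluster_by_controller(found))
```

Two caveats a practitioner would apply before acting on the output: legitimate software (update checkers, monitoring agents, NTP) also beacons on a timer, so known-good destinations need an allowlist; and a bot that randomizes its sleep interval or rotates destinations (domain generation, fast flux, peer-to-peer) raises the coefficient of variation and scatters the per-destination grouping, so the timing feature is combined with others rather than used alone.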
Botnet Analysis • Detecting Botnet Attacks • Look for bots attacking or targeting systems • Only identifies the bots involved in the attack • Lots of different techniques needed to detect attacks • Spam, DDoS, Click Fraud, Phishing, etc.
HoneyNets • Set up a network of unpatched computers • Must be isolated from the primary network, with outbound traffic filtered or rate-limited so the infected machines cannot be used to attack third parties • Get infected • Monitor the network • Collect logs • Learn about the bots
Disrupting Botnets • Can monitor individual bots to discover their controller • Target the controller, not the bots • Take down or take over the botnet • Symantec recently disabled 500,000 bots from ZeroAccess using this approach [Symantec13]
Conclusions • Bots are a major security problem • Botnets are the source of most spam and of much DDoS, click fraud and phishing traffic • Can detect them in various ways • Bot vs human behavior • Also, propagation / communication / attack • Can disrupt them by taking down or taking over parts of the botnet
Questions? • Interested students (or faculty) that want to get involved in bot, online game, or social network research can contact Dr. Gianvecchio, steven.gianvecchio@cnu.edu.
References (1/2) • [Arbor10] “Analyzing and understanding botnets.” Jose Nazario. • [AFJ08] “Carpet bombing in cyberspace: Why America needs a military botnet.” Charles Williamson. • [Kaspersky13] “The evolution of phishing attacks: 2011-2013.” Kaspersky Labs. • [Pingdom13] “Internet 2012 in numbers.” Pingdom. • [ZDnet12] “10 Security stories that shaped 2012.” Ryan Naraine.
References (2/2) • [Symantec13] “Grappling with the ZeroAccess botnet.” Ross Gibb and Vikram Thakur. • [Gianvecchio09] “Battle of Botcraft: Fighting Bots in Online Games using Human Observational Proofs.” Steven Gianvecchio, Zhenyu Wu, Mengjun Xie, and Haining Wang.