
Your Botnet is My Botnet : Analysis of a Botnet Takeover



  1. Your Botnet is My Botnet: Analysis of a Botnet Takeover. Report: 鄭志欣. Conference: Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna, in Proceedings of the ACM CCS, Chicago, IL, November 2009. Machine Learning and Bioinformatics Lab

  2. Abstract • Data collection period: 2009/1/25 ~ 2009/2/5 • 180,000 infections • 70GB of data • Estimated value USD$ 83,000 ~ 8,300,000 (bank account and credit card data)

  3. Outline • Introduction • Botnet Analysis • Threats and data analysis • Conclusion

  4. Introduction • The main purpose of this paper is to analyze the Torpig botnet’s operations. • Botnet size. • Personal information stolen by the botnet.

  5. The Torpig network infrastructure Rather than fast-flux, Torpig uses a different technique for locating its C&C servers, which the authors refer to as domain flux.

  6. Botnet Analysis • Data Collection and Format • Submission Header • Botnet Size vs. IP Count

  7. Data Collection and Format • Data: 70GB (10 days) • Protocol: HTTP POST requests • Submission header vs. request body

  8. Submission Header gh5 • ts = time stamp • ip • sport = SOCKS proxy port • hport = HTTP port • os = operating system version • cn = locale • nid = bot identifier • bld and ver = build and version number of Torpig

  9. Request body

  10. Botnet Size vs. IP Count • Counting bots by submission header fields: the tuple (nid, os, cn, bld, ver) identifies a unique bot • Remove probers and researchers • 18200 hosts

  11. 705 Bots / hour 4690 Bots / hour

  12. (no text on slide)

  13. DHCP (ISPs recycle IPs)
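The sizing method on slides 10 and 13, as an added example that is not from the slides or the paper: submissions are counted once by distinct IP and once by the (nid, os, cn, bld, ver) tuple, after dropping prober/researcher identifiers. The field names follow slide 8; the key=value serialisation, the field values and the prober list are constructed assumptions. The per-window count shows why the two estimates diverge: a bot that changes address through DHCP adds IPs but not bots, and two bots behind one NAT address add bots but not IPs.

```python
from collections import defaultdict
from urllib.parse import parse_qsl

# Fields from slide 8; slide 10 uses this tuple to identify one bot.
BOT_KEY = ("nid", "os", "cn", "bld", "ver")

# Constructed sample submissions (key=value&... serialisation is an assumption).
# Bot A1 changes IP three times (DHCP churn), A3 sits behind the same address as
# A1 (NAT), and nid "probe" stands for a researcher/prober to be removed first.
SAMPLE = [
    "ts=1000&ip=10.0.0.1&sport=1080&hport=8080&os=winxp&cn=us&nid=A1&bld=b1&ver=1",
    "ts=1300&ip=10.0.0.1&sport=1080&hport=8080&os=winxp&cn=it&nid=A3&bld=b1&ver=1",
    "ts=4600&ip=10.0.0.2&sport=1080&hport=8080&os=winxp&cn=us&nid=A1&bld=b1&ver=1",
    "ts=4700&ip=10.0.1.5&sport=1080&hport=8080&os=vista&cn=de&nid=A2&bld=b1&ver=1",
    "ts=8200&ip=10.0.0.3&sport=1080&hport=8080&os=winxp&cn=us&nid=A1&bld=b1&ver=1",
    "ts=8300&ip=192.0.2.9&sport=0&hport=0&os=linux&cn=xx&nid=probe&bld=b1&ver=1",
]
PROBERS = frozenset({"probe"})  # constructed exclusion list


def parse_header(raw):
    """Parse one submission header into a dict (assumed key=value&... format)."""
    return dict(parse_qsl(raw, strict_parsing=True))


def bot_id(h):
    """The header fields that together identify a single bot (slide 10)."""
    return tuple(h[k] for k in BOT_KEY)


def count_bots(headers, exclude_nids=PROBERS):
    """Return (distinct_ips, distinct_bots) over the given submissions,
    skipping submissions whose nid is on the exclusion list."""
    ips, bots = set(), set()
    for raw in headers:
        h = parse_header(raw)
        if h["nid"] in exclude_nids:
            continue
        ips.add(h["ip"])
        bots.add(bot_id(h))
    return len(ips), len(bots)


def counts_by_window(headers, window, exclude_nids=PROBERS):
    """Bucket submissions by ts into windows of `window` seconds and return
    {window_start: (distinct_ips, distinct_bots)}. Over short windows the IP
    count can undercount (NAT); over long windows it overcounts (DHCP churn)."""
    buckets = defaultdict(list)
    for raw in headers:
        buckets[int(parse_header(raw)["ts"]) // window].append(raw)
    return {b * window: count_bots(rows, exclude_nids)
            for b, rows in sorted(buckets.items())}


if __name__ == "__main__":
    print("whole collection (IPs, bots):", count_bots(SAMPLE))
    for start, (ips, bots) in counts_by_window(SAMPLE, 3600).items():
        print(f"hour starting t={start}: {ips} IPs vs {bots} bots")
```

Over the whole sample the IP count is 4 against 3 bots; in the first hour it is 1 IP against 2 bots. Real submission headers are not in this plain key=value form, so the parser would need replacing, but the counting logic is the part the slides describe.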

  14. Threats and data analysis • Financial Data Stealing • Password Analysis

  15. Accounts at financial institutions stolen by Torpig In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions. The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).

  16. Using the John the Ripper tool

  17. Conclusion We found that a naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results.

  18. (no text on slide)
