
A Multifaceted Approach to Understanding the Botnet Phenomenon

A Multifaceted Approach to Understanding the Botnet Phenomenon. Authors: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis. Publication: Internet Measurement Conference, IMC'06, Brazil, October 2006. Presenter: Richard Bares.


Presentation Transcript


  1. A Multifaceted Approach to Understanding the Botnet Phenomenon
     Authors: Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis
     Publication: Internet Measurement Conference, IMC'06, Brazil, October 2006
     Presenter: Richard Bares

  2. What Is A Botnet?
     • The term botnet describes networks of infected end-hosts, called bots, that are under the control of a human operator commonly known as the botmaster
     • Botnets, like other malware, use software vulnerabilities to infect or recruit other machines

  3. What Makes A Botnet Different From Other Malware?
     • Their defining characteristic is the use of a command and control (C&C) channel
     • These channels include
       • IRC (Internet Relay Chat)
       • P2P (Peer to Peer)
       • HTTP

  4. How A Botnet Works

  5. How To Find Out More About Botnets?
     • Malware collection of binary code
     • Binary analysis via grey-box testing
     • Longitudinal tracking of IRC botnets through IRC and DNS tracking

  6. What kind of system is needed?

  7. Malware Collection
     • Use of a modified Nepenthes platform
       • Mimics replies of vulnerable services
       • Used to collect data on botnets using known exploits
     • Honeypot made up of VMware instances
       • Used to collect data on botnets using unknown exploits

  8. Binary Analysis
     • Creation of a network fingerprint
       • Monitored a VMware Windows XP instance
       • Collected IPs, DNS lookups, ports, and scans
     • Extraction of IRC-related features
       • Used the UnrealIRC daemon
       • Monitored the infected VMware instance to find IRC channel passwords
       • Learns the botnet dialect and commands

  9. Tracking of Botnets
     • IRC Tracker
       • Modified IRC client that mimics an infected PC
       • Responds to C&C while collecting data
     • DNS Tracker
       • Monitors major DNS servers
       • Keeps track of requests for domain names found in botnet code
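The DNS-tracker idea above, as an added example rather than code from the slides or the paper: resolver query logs are matched against domain names recovered from analysed bot binaries, and the number of distinct querying hosts per name is used as a rough footprint estimate. The log format, domain names and addresses are constructed placeholders.

```python
"""DNS tracker sketch: which monitored hosts resolve names seen in bot binaries."""
from collections import defaultdict
from datetime import datetime

# Constructed watchlist standing in for domain names extracted from bot
# binaries during analysis. Placeholder names, not real indicators.
CNC_DOMAINS = {"irc.example-cnc.test", "update.example-cnc.test"}

# Constructed resolver log lines: "<timestamp> <client> query <qname> <qtype>"
SAMPLE_LOG = """\
2006-03-01T10:00:01 10.0.0.5 query irc.example-cnc.test A
2006-03-01T10:00:02 10.0.0.9 query www.example.test A
2006-03-01T10:00:03 10.0.0.5 query irc.example-cnc.test A
2006-03-01T10:00:04 10.0.0.7 query update.example-cnc.test A
2006-03-01T10:00:05 10.0.0.9 query IRC.Example-CNC.test. A
2006-03-01T10:00:06 badline
"""

def parse_line(line):
    """Return (timestamp, client, qname) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "query":
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    # DNS names are case-insensitive; normalise case and drop a trailing dot
    # so "IRC.Example-CNC.test." matches the watchlist entry.
    return ts, parts[1], parts[3].lower().rstrip(".")

def track(log_text, watchlist):
    """Map each watched domain to the sorted list of distinct clients that
    queried it. Distinct clients, not raw query counts, approximate how many
    bots point at that C&C name (repeat lookups by one host count once)."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] in watchlist:
            hits[rec[2]].add(rec[1])
    return {domain: sorted(clients) for domain, clients in hits.items()}

def footprint(hits):
    """Number of distinct hosts that resolved any watched domain."""
    return len(set().union(*hits.values())) if hits else 0

if __name__ == "__main__":
    seen = track(SAMPLE_LOG, CNC_DOMAINS)
    for domain, clients in seen.items():
        print(domain, len(clients), clients)
    print("estimated footprint:", footprint(seen))
```

Per-host counts undercount bots behind NAT and overcount hosts whose addresses change through DHCP, which is why the paper pairs DNS tracking with direct IRC tracking.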

  10. Botnet Structure
     • 318 botnets observed, 60% of those IRC
     • 70% of IRC botnets connected to one server
     • 30% of IRC botnets connected to multiple servers
       • IRC servers linked together
       • Allows a large number of bots to be controlled

  11. Botnet Software Taxonomy
     • Turns off anti-virus/firewalls
     • Installs TCP identification software
     • Installs a system security monitor
     • Installs a registry monitor
     • Support for multiple exploits
     • Code allows the botmaster to push updates and add new exploits to the botnet code

  12. Contributions
     • Expanded knowledge of botnets
     • Formulated a way to track and estimate the growth and size of botnets
     • Formulated a way to capture botnet code
     • Examined common botnet code

  13. Weaknesses
     • Did not cover HTTP or P2P botnets, even though both of these make up 30% of the botnets they observed
     • Considerable further research would be needed to find ways to track these botnets
