
Botnet Research Survey




  1. Botnet Research Survey. Zhaosheng Zhu et al., July 28 - August 01, 2008. Speaker: Hom-Jay Hom. Date: 2009/10/20

  2. Outline
  • Introduction
  • Understanding Botnet
  • Detecting and Tracking Botnet
  • Defenses Against Botnet
  • Conclusion and Possible Future Work

  3. Introduction (1/2)
  • "Botnet" is a term for a collection of software robots, or bots.
  • They run on groups of compromised ("zombie") computers that are controlled remotely by attackers.
  • A typical bot is created and maintained in four phases.

  4. Introduction (2/2)
  1. Initial Infection:
    • the host is compromised through a vulnerability, a malicious web page, email, or USB autorun.
  2. Secondary Injection:
    • the infected host downloads and runs the bot code;
    • the download can be via FTP, HTTP, or P2P.
  3. Malicious Activities:
    • the bot communicates with its controller and carries out orders (spam, DDoS);
    • the channel is IRC-, HTTP-, or DNS-based, or a P2P protocol.
  4. Maintenance and Upgrade:
    • the bot is continuously upgraded by its controller.

  5. Understanding Botnet
  • Most current research focuses on understanding botnets, mainly in three areas:
  • Bot Anatomy:
    • the analysis focuses mainly on the bot's network-level behaviour,
    • using binary analysis tools.
  • Wide-area Measurement Study:
    • tracking botnets to reveal different aspects of them,
    • such as botnet size and the traffic they generate.
  • Botnet Modeling and Future Botnet Prediction.

  6. Bot Anatomy: IRC Bot
  • The surveyed work analyzed the source code of four IRC-based bots:
  • Agobot, SDBot, SpyBot and GT Bot.
  • Only Agobot is a fully developed bot.
  • Agobot provides the following five features.

  7. Agobot: five features
  • Exploits:
    • exploits OS vulnerabilities and back doors.
  • Delivery:
    • opens a shell on the remote host to download the (encoded) bot binary.
  • Deception:
    • if it detects VMware, it stops running.
  • Function:
    • steals system information and monitors local network traffic.
  • Recruiting:
    • the botmaster recruits new bots through horizontal scanning (one port across many hosts) and vertical scanning (many ports on one host).

  8. HTTP Bot
  • The surveyed work analyzed the HTTP-based module of a spam bot.
  • The command and control (C&C) channel is HTTP-based.
  • The communication channel is encrypted.
  • The IDA Pro disassembler was used to analyze the binary and recover the encryption key.

  9. P2P-based
  • The authors point out that centralized control of a botnet is a single point of failure for the botnet.
  • This motivates more robust architectures, such as P2P-based C&C.

  10. Fast-flux Networks (1/2)
  • Fast-flux networks are increasingly used by botnets,
  • for example to host phishing websites.
  • These websites are valuable assets, so their operators
  • hide the IP address of the real server:
  • a user first connects to a compromised computer,
  • which serves as a proxy,
  • forwarding the user's requests to the real server and the server's responses back to the user.

  11. Fast-flux Networks (2/2)
  • A newer technique is called fast-flux service networks:
  • the domain name resolves round-robin to the IP addresses of many compromised proxies,
  • with a very short Time-To-Live, so the set of addresses that clients see rotates quickly.
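The two DNS symptoms named on slides 10 and 11 (round-robin answers over many proxies, very short TTLs) are what a passive detector looks for. The following is an added example, not code from the surveyed paper or the presentation: it scores repeated lookups of a name by average TTL, number of distinct A records, and number of distinct /24 prefixes (a stand-in for the ASN diversity a real detector would use, since an ASN lookup needs network access). The sample lookups, the names shop.example and flux.example, and the thresholds are constructed assumptions for this illustration.

```python
"""Fast-flux detection heuristic over repeated DNS answers (added example)."""
from collections import defaultdict

# Constructed sample: repeated A-record lookups of two names, 5 minutes apart.
# Each entry is (query_time_seconds, name, ttl_seconds, [A records in the answer]).
# The addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOOKUPS = [
    (0,   "shop.example", 3600, ["203.0.113.10", "203.0.113.11"]),
    (300, "shop.example", 3600, ["203.0.113.10", "203.0.113.11"]),
    (600, "shop.example", 3600, ["203.0.113.10", "203.0.113.11"]),
    (0,   "flux.example", 120, ["198.51.100.7", "192.0.2.44", "203.0.113.90"]),
    (300, "flux.example", 120, ["192.0.2.45", "198.51.100.8", "203.0.113.91"]),
    (600, "flux.example", 120, ["192.0.2.46", "198.51.100.9", "203.0.113.92"]),
]


def summarize(lookups):
    """Aggregate per name: TTLs seen, distinct A records, distinct /24 prefixes.

    The /24 prefix stands in for an ASN lookup (assumption for this example);
    a real detector would map each IP to its AS and count distinct ASNs."""
    per_name = defaultdict(lambda: {"ttls": [], "ips": set(), "prefixes": set()})
    for _, name, ttl, ips in lookups:
        stat = per_name[name]
        stat["ttls"].append(ttl)
        stat["ips"].update(ips)
        stat["prefixes"].update(ip.rsplit(".", 1)[0] for ip in ips)
    return per_name


def is_fast_flux(stat, max_ttl=300, min_ips=5, min_prefixes=3):
    """Flag a name when TTLs are short AND the address set keeps changing
    across diverse networks. Thresholds are assumptions for this example:
    a CDN also uses short TTLs, so the prefix-diversity check is what
    separates it from a flux network here."""
    avg_ttl = sum(stat["ttls"]) / len(stat["ttls"])
    return (avg_ttl <= max_ttl
            and len(stat["ips"]) >= min_ips
            and len(stat["prefixes"]) >= min_prefixes)


def classify(lookups):
    """Map each queried name to True (fast-flux suspected) or False."""
    return {name: is_fast_flux(stat) for name, stat in summarize(lookups).items()}


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_LOOKUPS).items():
        print(f"{name}: {'fast-flux' if verdict else 'stable'}")
```

Run against real resolver logs, the same aggregation works per name over a sliding window; the caveat is that large CDNs and round-robin load balancers also return short TTLs and many addresses, so the network-diversity term (here /24s, properly ASNs) is the part that carries the signal.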

  12. Wide-area Measurement Study
  • A honeynet-based botnet detection system, together with findings on botnets across the Internet.
  • The system is composed of three modules:
  • Malware collection:
    • nepenthes and an unpatched Windows XP in a virtualized environment.
  • Graybox testing:
    • learn the botnet's "dialect" (its command syntax).
  • Botnet tracking:
    • an IRC tracker lurks in the IRC channel and records the commands.

  13. Botnet Modeling and Future Botnet Prediction
  • It creates a diurnal propagation model based on the fact that computers that are offline are not infectious.
  • We still have no idea how close these models are to botnets in the real world.
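To make the point on slide 13 concrete, here is an added example (not the model from the surveyed paper, and not code from the presentation) of a simplified diurnal propagation model: a logistic spread in which only online infected hosts scan and only online susceptible hosts can be reached, so the contact term is scaled by the square of the online fraction. The day/night curve, the population size, the contact rate beta and the starting count are constructed assumptions; the comparison with an "always online" population shows how much the offline hours slow the infection.

```python
"""Diurnal worm/botnet propagation model (added, simplified example)."""
import math


def online_fraction(hour, low=0.3, high=1.0):
    """Constructed day/night curve: fraction of hosts online at a given hour
    (peak 1.0 at 15:00, trough 0.3 at 03:00). The shape is an assumption."""
    phase = math.cos(2 * math.pi * (hour - 15) / 24)   # +1 at 15h, -1 at 3h
    return low + (high - low) * (phase + 1) / 2


def simulate(n_hosts, initially_infected, beta, hours, diurnal=True):
    """Hourly logistic spread. Only online infected hosts scan and only online
    susceptible hosts can be reached, so the contact term is scaled by alpha**2.
    With diurnal=False, alpha is 1 (every host always online)."""
    infected = float(initially_infected)
    curve = []
    for h in range(hours):
        alpha = online_fraction(h % 24) if diurnal else 1.0
        susceptible = n_hosts - infected
        new_infections = beta * (alpha * infected) * (alpha * susceptible) / n_hosts
        infected = min(float(n_hosts), infected + new_infections)
        curve.append(infected)
    return curve


def hours_to_reach(curve, target):
    """First hour index at which the infected count meets target, or None."""
    for hour, count in enumerate(curve):
        if count >= target:
            return hour
    return None


if __name__ == "__main__":
    N = 100_000
    always_on = simulate(N, 10, beta=0.5, hours=240, diurnal=False)
    day_night = simulate(N, 10, beta=0.5, hours=240, diurnal=True)
    print("50% infected after", hours_to_reach(always_on, N / 2), "h (always online)")
    print("50% infected after", hours_to_reach(day_night, N / 2), "h (diurnal)")
```

The practical consequence the slide hints at: a release timed for the hours when most of the target population is online grows fastest, and a model calibrated only on always-on hosts will over-estimate early growth. The caveat on the slide still stands, since none of these parameters has been fitted to a real botnet here.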

  14. Detecting and Tracking Botnet
  • Honeynet based:
  • First, several tools are available to collect malware, but no tool exists for tracking the botnet.
  • Secondly, a tracking tool needs to understand the botnet's "jargon" (its command syntax) in order to be accepted by the botmaster.
  • Moreover, the increasing use of anti-analysis techniques in the blackhat circle
  • makes the development of such a tool even more challenging.

  15. Traffic monitoring
  • Identify botmasters based on transport-layer traffic.
  • The core idea is based on the attack-and-control chain of the botnet.
  • The major steps are as follows:
  1. Identify bots based on their attack activities.
  2. Analyze the flows of these bots to find candidate controller connections.
  3. Analyze the candidate controller connections to locate the botmaster.
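The three steps on slide 15 chain together naturally over flow records. What follows is an added example, not the surveyed paper's method or the presentation's code: over a constructed set of (src, dst, port, bytes, duration) flow summaries, it flags scanners as bots, finds a long-lived destination that several bots share as the candidate controller, and then reports the non-bot source that also talks to that controller as the botmaster candidate. All addresses, ports, flows and thresholds are constructed assumptions.

```python
"""Attack-and-control chain analysis over flow records (added example)."""
from collections import defaultdict

# Constructed flow records as (src, dst, dst_port, bytes, duration_seconds),
# the kind of summary a NetFlow/IPFIX collector exports. Addresses are
# documentation ranges (RFC 5737) and RFC 1918 space, not real hosts.
FLOWS = (
    # two hosts sweeping port 445 across a /24: small, short probe flows
    [("10.0.0.5", f"192.0.2.{i}", 445, 60, 0.1) for i in range(1, 31)]
    + [("10.0.0.9", f"198.51.100.{i}", 445, 60, 0.1) for i in range(1, 31)]
    + [
        # both scanners also hold a long-lived session to the same host:port
        ("10.0.0.5", "203.0.113.50", 6667, 4200, 3600.0),
        ("10.0.0.9", "203.0.113.50", 6667, 3900, 3600.0),
        # a long-lived session only one scanner has (not shared, so not C&C here)
        ("10.0.0.5", "203.0.113.77", 443, 90000, 3600.0),
        # an ordinary client that never scans
        ("10.0.0.20", "203.0.113.77", 443, 120000, 30.0),
        # a third party logging in to the shared host:port from outside
        ("198.51.100.200", "203.0.113.50", 6667, 5100, 2400.0),
    ]
)


def find_bots(flows, max_bytes=100, max_duration=1.0, min_targets=20):
    """Step 1: a source is a bot if it sends many tiny, short flows to the
    same port on many distinct destinations (a horizontal scan). Thresholds
    are assumptions for this example."""
    targets = defaultdict(set)
    for src, dst, dport, nbytes, duration in flows:
        if nbytes <= max_bytes and duration <= max_duration:
            targets[(src, dport)].add(dst)
    return {src for (src, _), dsts in targets.items() if len(dsts) >= min_targets}


def candidate_controllers(flows, bots, min_duration=600.0, min_bots=2):
    """Step 2: among the bots' flows, a long-lived destination shared by several
    bots is a candidate controller (C&C server)."""
    shared = defaultdict(set)
    for src, dst, dport, _, duration in flows:
        if src in bots and duration >= min_duration:
            shared[(dst, dport)].add(src)
    return {endpoint for endpoint, srcs in shared.items() if len(srcs) >= min_bots}


def locate_botmasters(flows, bots, controllers):
    """Step 3: whoever else talks to a candidate controller on the control port,
    and is not itself a bot, is a botmaster candidate."""
    return {src for src, dst, dport, _, _ in flows
            if (dst, dport) in controllers and src not in bots}


def attack_control_chain(flows):
    """Run the three steps in order and return (bots, controllers, botmasters)."""
    bots = find_bots(flows)
    controllers = candidate_controllers(flows, bots)
    masters = locate_botmasters(flows, bots, controllers)
    return bots, controllers, masters


if __name__ == "__main__":
    bots, controllers, masters = attack_control_chain(FLOWS)
    print("bots:", sorted(bots))
    print("controllers:", sorted(controllers))
    print("botmaster candidates:", sorted(masters))
```

Two caveats a practitioner would add: step 3 only works if the controller sits inside the monitored network, so the botmaster's login is visible as a flow; and the shared long-lived destination in step 2 can just as easily be a popular legitimate service, so it should be cross-checked (for instance against the fast-flux and reputation signals on the earlier slides) before anyone calls it a C&C server.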

  16. Defenses Against Botnet
  • Enterprise solutions:
  • Trend Micro provides a Botnet Identification Service,
  • which gives customers a real-time list of botnet C&C (botmaster) addresses.

  17. Conclusion and Possible Future Work
  • HTTP/P2P botnets:
    • the existing works are anatomies of a few samples.
  • Fast-flux networks:
    • Whom do they serve?
    • What is the structure of the network?
    • Is it the same as a typical IRC botnet or not?
    • Is their botmaster also fast-fluxed?
    • Binary analysis of the bot code will be extremely helpful here.
