27 research outputs found

    Master of Puppets: Analyzing And Attacking A Botnet For Fun And Profit

    A botnet is a network of compromised machines (bots) under the control of an attacker. Many of these machines are infected without their owners' knowledge, and botnets are the driving force behind several misuses and criminal activities on the Internet (for example, spam emails). Depending on its topology, a botnet can have zero or more command and control (C&C) servers, which are centralized machines controlled by the cybercriminal that issue commands and receive reports back from the co-opted bots. In this paper, we present a comprehensive analysis of the command and control infrastructure of one of the world's largest proprietary spamming botnets between 2007 and 2012: Cutwail/Pushdo. We identify the key functionalities needed by a spamming botnet to operate effectively. We then develop a number of attacks against the command and control logic of Cutwail that target those functionalities and make the spamming operations of the botnet less effective. This analysis was made possible by having access to the source code of the C&C software, by setting up our own Cutwail C&C server, and by implementing a clone of the Cutwail bot. With the help of this tool, we were able to enumerate the number of bots currently registered with the C&C server, impersonate an existing bot to report false information to the C&C server, and manipulate the spamming statistics of an arbitrary bot stored in the C&C database. Furthermore, we were able to make the control server inaccessible by conducting a distributed denial of service (DDoS) attack. Our results may be used by law enforcement and practitioners to develop better techniques to mitigate and cripple other botnets, since many of our findings are generic and stem from the workflow of C&C communication in general.

    4th GI FG SIDAR Graduate Workshop on Reactive Security

    The SPRING event of the SIDAR special interest group of the Gesellschaft für Informatik e.V. offers young researchers in the field of reactive security in particular the opportunity to make topic-related contacts beyond their own university. We invite diploma and doctoral students to present their contributions at SPRING. The talks can cover a broad spectrum, from ongoing projects that may be presented to a wider audience for the first time, to completed research work that has recently been presented, or is to be presented, at conferences, or that forms a focus of the author's own diploma thesis or dissertation. The submitted abstracts are collected and published as a citable and searchable technical report.

    Flow-Based Approach on Bro Intrusion Detection

    Packet-based or Deep Packet Inspection (DPI) intrusion detection systems (IDSs) face challenges when coping with high volumes of traffic. Processing every payload on the wire degrades the performance of intrusion detection. This paper aims to develop a model for reducing the amount of data to be processed by intrusion detection using a flow-based approach. We investigated the detection accuracy of this approach by implementing the model using Bro IDS. Bro was used to generate malicious features from several recent labeled datasets. The model then made use of machine learning classification algorithms for attribute evaluation and of Bro policy scripts for detecting malicious flows. Based on our experiments, the findings showed that flow-based detection was able to identify the presence of all malicious activities. This verifies the capability of this approach to detect malicious flows with high accuracy. However, this approach generated a significant number of false positive alarms. This indicates that, for detection purposes, it is difficult to reconstruct the complete behavior of malicious activities from limited, flow-level data alone.
