260 research outputs found
Master of Puppets: Analyzing And Attacking A Botnet For Fun And Profit
A botnet is a network of compromised machines (bots), under the control of an
attacker. Many of these machines are infected without their owners' knowledge,
and botnets are the driving force behind several misuses and criminal
activities on the Internet (for example spam emails). Depending on its
topology, a botnet can have zero or more command and control (C&C) servers,
which are centralized machines controlled by the cybercriminal that issue
commands and receive reports back from the co-opted bots.
In this paper, we present a comprehensive analysis of the command and control
infrastructure of one of the world's largest proprietary spamming botnets
between 2007 and 2012: Cutwail/Pushdo. We identify the key functionalities
needed by a spamming botnet to operate effectively. We then develop a number of
attacks against the command and control logic of Cutwail that target those
functionalities, and make the spamming operations of the botnet less effective.
This analysis was made possible by having access to the source code of the C&C
software, as well as setting up our own Cutwail C&C server, and by implementing
a clone of the Cutwail bot. With the help of this tool, we were able to
enumerate the number of bots currently registered with the C&C server,
impersonate an existing bot to report false information to the C&C server, and
manipulate spamming statistics of an arbitrary bot stored in the C&C database.
Furthermore, we were able to make the control server inaccessible by conducting
a distributed denial of service (DDoS) attack. Our results may be used by law
enforcement and practitioners to develop better techniques to mitigate and
cripple other botnets, since many of findings are generic and are due to the
workflow of C&C communication in general
Master of puppets: analyzing and attacking a botnet for fun and profit
A botnet is a network of compromised machines (bots),
under the control of an attacker. Many of these machines
are infected without their owners’ knowledge, and botnets
are the driving force behind several misuses and criminal
activities on the Internet (for example spam emails). Depending
on its topology, a botnet can have zero or more
command and control (C&C) servers, which are centralized
machines controlled by the cybercriminal that issue
commands and receive reports back from the co-opted
bots.
In this paper, we present a comprehensive analysis of
the command and control infrastructure of one of the
world’s largest proprietary spamming botnets between
2007 and 2012: Cutwail/Pushdo. We identify the key
functionalities needed by a spamming botnet to operate
effectively. We then develop a number of attacks against
the command and control logic of Cutwail that target
those functionalities, and make the spamming operations
of the botnet less effective. This analysis was made possible
by having access to the source code of the C&C software,
as well as setting up our own Cutwail C&C server,
and by implementing a clone of the Cutwail bot. With the
help of this tool, we were able to enumerate the number
of bots currently registered with the C&C server, impersonate
an existing bot to report false information to the
C&C server, and manipulate spamming statistics of an arbitrary
bot stored in the C&C database. Furthermore, we
were able to make the control server inaccessible by conducting
a distributed denial of service (DDoS) attack. Our
results may be used by law enforcement and practitioners
to develop better techniques to mitigate and cripple other
botnets, since many of findings are generic and are due to
the workflow of C&C communication in general.First author draf
Adversarial behaviours knowledge area
The technological advancements witnessed by our society in recent decades have brought
improvements in our quality of life, but they have also created a number of opportunities for
attackers to cause harm. Before the Internet revolution, most crime and malicious activity
generally required a victim and a perpetrator to come into physical contact, and this limited
the reach that malicious parties had. Technology has removed the need for physical contact
to perform many types of crime, and now attackers can reach victims anywhere in the world, as long as they are connected to the Internet. This has revolutionised the characteristics of crime and warfare, allowing operations that would not have been possible before. In this document, we provide an overview of the malicious operations that are happening on the Internet today. We first provide a taxonomy of malicious activities based on the attacker’s motivations and capabilities, and then move on to the technological and human elements that adversaries require to run a successful operation. We then discuss a number of frameworks that have been proposed to model malicious operations. Since adversarial behaviours are not a purely technical topic, we draw from research in a number of fields (computer science, criminology, war studies). While doing this, we discuss how these frameworks can be used by researchers and practitioners to develop effective mitigations against malicious online operations.Published versio
Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences
In this survey, we first briefly review the current state of cyber attacks,
highlighting significant recent changes in how and why such attacks are
performed. We then investigate the mechanics of malware command and control
(C2) establishment: we provide a comprehensive review of the techniques used by
attackers to set up such a channel and to hide its presence from the attacked
parties and the security tools they use. We then switch to the defensive side
of the problem, and review approaches that have been proposed for the detection
and disruption of C2 channels. We also map such techniques to widely-adopted
security controls, emphasizing gaps or limitations (and success stories) in
current best practices.Comment: Work commissioned by CPNI, available at c2report.org. 38 pages.
Listing abstract compressed from version appearing in repor
Analysis of Brute Force Attacks with Ylmf-pc Signature
Brute force techniques used in many fields of authentication process. Ftp servers, web servers and mail servers very often got threatened by attackers. Old technique for mail service brute force still working and it can be easily detected by special signature
Advances in modern botnet understanding and the accurate enumeration of infected hosts
Botnets remain a potent threat due to evolving modern architectures, inadequate remediation methods, and inaccurate measurement techniques. In response, this re- search exposes the architectures and operations of two advanced botnets, techniques to enumerate infected hosts, and pursues the scientific refinement of infected-host enu- meration data by recognizing network structures which distort measurement. This effort is motivated by the desire to reveal botnet behavior and trends for future mit- igation, methods to discover infected hosts for remediation in real time and threat assessment, and the need to reveal the inaccuracy in population size estimation when only counting IP addresses. Following an explanation of theoretical enumeration techniques, the architectures, deployment methodologies, and malicious output for the Storm and Waledac botnets are presented. Several tools developed to enumerate these botnets are then assessed in terms of performance and yield. Finally, this study documents methods that were developed to discover the boundaries and impact of NAT and DHCP blocks in network populations along with a footprint measurement based on relative entropy which better describes how uniformly infections communi- cate through their IP addresses. Population data from the Waledac botnet was used to evaluate these techniqu
- …