    Analysis of rxbot

    Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

    In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.
    Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor

    Wormulator: Simulator for Rapidly Spreading Malware

    This project addresses the need for an application-level simulator to simulate Internet-wide phenomena such as flash worms, botnets, Distributed Denial-of-Service attacks, etc. There are many network simulators intended for parallel and distributed simulation, but most are designed to simulate low-level communication protocols such as TCP/IP. The desire to simulate rapidly spreading malware for research and teaching purposes led us to explore the Spamulator, which was designed to simulate spam email on an Internet-wide scale. The Spamulator was developed by a team at the University of Calgary. It is a lightweight, application-level simulator which implements a limited set of features of the Internet. In this project, the Spamulator is enhanced with the User Datagram Protocol (UDP) to simulate UDP worms. The modified version of the Spamulator is called the Wormulator. Wormulator tracks instantaneous network traffic and identifies and signals congestion throughout the network. The Wormulator is further enhanced with the use of POSIX threads instead of forked processes to create a distributed network of simulated servers. The resulting tool is called the “Enhanced Wormulator”. Finally, a random-scanning UDP worm with behavior similar to the well-known SQL Slammer worm is modeled to validate the results of our simulation. Results and data gathered from the simulation exhibit a qualitative resemblance to the real-world SQL Slammer worm. The “Enhanced Wormulator”, which uses POSIX threads instead of forking processes, had a catalytic effect on the scalability of the simulation. The simulation was run on a network of 30,000 server nodes. Hence, we conclude that rapidly spreading malware can be effectively simulated using the Wormulator

    Review on Botnet Threat Detection in P2P

    Botnets are nothing but malicious code, such as viruses, used for attacking computers. These act as threats and are very harmful. Due to the distributed nature of botnets, it is hard to detect them in peer-to-peer networks, so we require a smarter technique to detect such threats. The automatic detection of botnet traffic is of high importance for service providers and large campus network monitoring. This paper gives a review of the various techniques used to detect such botnets.
    DOI: 10.17762/ijritcc2321-8169.15026

    Botnet detection : a numerical and heuristic analysis

    Master's dissertation in Informatics Engineering.
    Internet security has been targeted in innumerable ways throughout the ages, and Internet cyber criminality has been changing its ways since the old days when attacks were largely motivated by recognition and glory. A new era of cyber criminals is on the move. Real armies of robots (bots) swarm the internet perpetrating precise, objective and coordinated attacks on individuals and organizations. Many of these bots are now coordinated by real cybercrime organizations in an almost open-source-driven development, resulting in the fast proliferation of many bot variants with refined capabilities and increased detection complexity. One example of such open-source development could be found during the year 2011 in the Russian criminal underground. The release of the Zeus botnet framework source code led to the development of at least one new and improved botnet framework: Ice IX. Concerning attack tools, the combination of many well-known techniques has been making botnets an untraceable, effective, dynamic and powerful means to perpetrate all kinds of malicious activities such as Distributed Denial of Service (DDoS) attacks, espionage, email spam, malware spreading, data theft, click and identity fraud, among others. Economic and reputational damages are difficult to quantify, but the scale is widening. It’s up to one’s own imagination to figure out how much was lost in April of 2007 when Estonia suffered a well-known distributed attack on its country-wide internet infrastructure. Among the techniques available to mitigate the botnet threat, detection plays an important role. Despite recent years’ evolution in botnet detection technology, a definitive solution is far from being found. Constantly appearing new bot and worm developments in areas such as host infection, deployment, maintenance, control and dissimulation of bots are permanently changing the detection vectors thought out and developed. In that way, research and implementation of anomaly-based botnet detection systems are fundamental to pinpoint and track all the continuously changing polymorphic botnet variants, which are impossible to identify by simple signature-based systems

    A P2P Botnet detection scheme based on decision tree and adaptive multilayer neural networks

    In recent years, Botnets have been adopted as a popular method to carry and spread many malicious codes on the Internet. These malicious codes pave the way to execute many fraudulent activities including spam mail, distributed denial-of-service attacks and click fraud. While many Botnets are set up using a centralized communication architecture, peer-to-peer (P2P) Botnets can adopt a decentralized architecture using an overlay network for exchanging command and control data, making their detection even more difficult. This work presents a method of P2P Bot detection based on an adaptive multilayer feed-forward neural network in cooperation with decision trees. A classification and regression tree is applied as a feature selection technique to select relevant features. With these features, a multilayer feed-forward neural network training model is created using a resilient back-propagation learning algorithm. A comparison of feature set selection based on the decision tree, principal component analysis and the ReliefF algorithm indicated that the neural network model with feature selection based on the decision tree has better identification accuracy along with lower rates of false positives. The usefulness of the proposed approach is demonstrated by conducting experiments on real network traffic datasets. In these experiments, an average detection rate of 99.08 % with a false positive rate of 0.75 % was observed

    CARD: Concealed and remote discovery of IoT devices in victims' home networks

    Smart devices are becoming more common in standard households. They range from lights to refrigerators, and their functionality and applications continue to grow with consumer demand. This increase in networked, complex devices has also brought an increase in vulnerabilities in the average consumer's home. There now exists an Internet of Things (IoT) ecosystem that creates new attack vectors for adversaries to spread malware, build botnets, and participate in other malicious activities. We will overview some of these new attack vectors as well as go over a framework that would allow an adversary to target a user's home network and any other networks that user may join --Abstract, page iii

    Assessing and augmenting SCADA cyber security: a survey of techniques

    SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisation and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place, as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker's to determine weaknesses and loopholes in defences. Such mindsets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability

    Development of a multi-layered botmaster based analysis framework

    Botnets are networks of compromised machines called bots that come together to form the tool of choice for hackers in the exploitation and destruction of computer networks. Most malicious botnets have the ability to be rented out to a broad range of potential customers, with each customer having an attack agenda different from the others. The result is a botnet that is under the control of multiple botmasters, each of which implements their own attacks and transactions at different times in the botnet. In order to fight botnets, details about their structure, their users, and their users' motives need to be discovered. Since current botnets require the information about the initial bootstrapping of a bot to a botnet, the monitoring of botnets is possible. Botnet monitoring is used to discover the details of a botnet, but current botnet monitoring projects mainly identify the magnitude of the botnet problem and tend to overlook some fundamental problems, such as the diversified sources of the attacks. To understand the use of botnets in more detail, the botmasters that command the botnets need to be studied. In this thesis we focus on identifying the threat of botnets based on each individual botmaster. We present a multi-layered analysis framework which identifies the transactions of each botmaster, and then we correlate the transactions with the physical evolution of the botnet. With these characteristics we discover what role each botmaster plays in the overall botnet operation. We demonstrate our results in our system, MasterBlaster, which discovers the level of interaction between each botmaster and the botnet. Our system has been evaluated on real network traces. Our results show that investigating the roles of each botmaster in a botnet should be essential and demonstrate its potential benefit for identifying and conducting additional research on analyzing botmaster interactions. We believe our work will pave the way for more fine-grained analysis of botnets, which will lead to better protection capabilities and more rapid attribution of cyber crimes committed using botnets