hsb - advanced cyber defense center - michel van eeten

ACDC General Overview, Michel van Eeten, TU Delft (Work Package Leader)

Upload: splend

Post on 07-Jul-2015


DESCRIPTION

The Netherlands is also working on solutions within a European framework. The ACDC project is a collaboration between 14 European countries and aims to counter the growing threat of botnets and, where possible, render them harmless.

TRANSCRIPT

Page 1: HSB - Advanced Cyber Defense Center - Michel van Eeten

ACDC General Overview, Michel van Eeten, TU Delft (Work Package Leader)

Page 2: HSB - Advanced Cyber Defense Center - Michel van Eeten

Quick Facts: ACDC – Advanced Cyber Defence Centre

• Project type: European Pilot Project under CIP-PSP programme
• Project duration: 30 months (Feb 2013 - Jul 2015)
• Project Volume: 15,5M EUR, co-funded by the European Commission
• 28 Partners from 14 European Countries
• Project Lead: eco e.V. - Association of the German Internet Industry
• Unique consortium unites:
  • CERTs
  • Internet Service Providers
  • Antivirus and IT-Security Companies
  • Academia and Research
  • Industry (Critical Infrastructure Providers, Financial Institutions)
  • Law Enforcement

 


Page 3: HSB - Advanced Cyber Defense Center - Michel van Eeten

Project Goals

• Cross-border fight against Botnets (and other threats)
• End-to-End approach against Botnets
• 1 Central Database (Centralized Data Clearing House)
• 1 Community Portal
• 8 National Anti-Botnet-Support Centres
• 5 Experiments as a Proof of Concept
• Open ACDC Community for external Stakeholders and Partners
• Sustainability Plan for Continuation of the Project
• Prevention strategies & Awareness raising to End-users
• Free Mitigation tools and service for End-users across Europe


Page 4: HSB - Advanced Cyber Defense Center - Michel van Eeten

ACDC – a service approach (diagram; labels recovered from the slide):

• Detection: spam campaign, stolen credentials, drive-by-download, DDoS traffic detected; standardized report findings; centralised reports of botnet behaviour; Centralised Data Clearing House
• Support – notifying affected customer: security vendor, hosting provider, mobile network provider, bank of customer
• Mitigation – helping affected customer: redirect to botfree.eu

Page 5: HSB - Advanced Cyber Defense Center - Michel van Eeten

ACDC – central Data Clearing House (diagram; labels recovered from the slide): sensors feed the Central Data Clearing House either directly or via concentrators; the clearing house, with an anonymisation step, is connected to Internet Service Providers, ACDC National Support Centres, Law Enforcement Agencies, Research and Industry. Roles shown: Detection, Supporting.

Page 6: HSB - Advanced Cyber Defense Center - Michel van Eeten

ACDC – Central Data Clearing House (diagram repeated from the previous slide: sensors and concentrators feeding the Central Data Clearing House)

Detection
• Sensors delivering data directly or through concentrators
• Sensors can request additional feeds to work with
• Data input in any format
• Data output in JSON or YAML
• Central Clearing House facility correlates data
• Data flagging for special purposes:
  • Experiments,
  • Research or
  • Investigations
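As an added illustration of the clearing-house flow just listed (not ACDC project code): three constructed sensor feeds in different formats are normalised to one schema, correlated by IP, flagged, and emitted as JSON. The feed formats, the schema and the flag rules are assumptions made for the example; YAML output is left out to keep the block dependency-free.

```python
import csv
import io
import json
from collections import defaultdict

# Constructed sample feeds (not real ACDC data); each sensor reports in its own format.
SPAM_SENSOR_CSV = """timestamp,src_ip,category
2015-06-01T10:00:00Z,203.0.113.7,spam
2015-06-01T10:05:00Z,198.51.100.9,spam
"""
DDOS_SENSOR_JSON = '[{"ts": "2015-06-01T10:02:00Z", "ip": "203.0.113.7", "type": "ddos"}]'
SINKHOLE_LINES = "2015-06-01 10:03:00 203.0.113.7 zeus\n2015-06-01 10:04:00 192.0.2.44 zeus\n"

# Each parser maps its own input format onto the common (assumed) record schema.
def parse_csv(text, sensor):
    return [{"sensor": sensor, "ip": r["src_ip"], "seen": r["timestamp"], "kind": r["category"]}
            for r in csv.DictReader(io.StringIO(text))]

def parse_json(text, sensor):
    return [{"sensor": sensor, "ip": r["ip"], "seen": r["ts"], "kind": r["type"]}
            for r in json.loads(text)]

def parse_sinkhole(text, sensor):
    out = []
    for line in text.splitlines():
        day, clock, ip, family = line.split()
        out.append({"sensor": sensor, "ip": ip, "seen": f"{day}T{clock}Z", "kind": f"sinkhole:{family}"})
    return out

def correlate(reports):
    """Group normalised records by IP and apply the (assumed) flagging rules:
    seen by two or more independent sensors -> 'investigation';
    seen in a sinkhole feed -> 'research'."""
    by_ip = defaultdict(list)
    for r in reports:
        by_ip[r["ip"]].append(r)
    result = []
    for ip, rs in sorted(by_ip.items()):
        sensors = sorted({r["sensor"] for r in rs})
        entry = {"ip": ip, "sensors": sensors, "kinds": sorted({r["kind"] for r in rs}),
                 "first_seen": min(r["seen"] for r in rs), "flags": []}
        if len(sensors) >= 2:
            entry["flags"].append("investigation")
        if any(k.startswith("sinkhole:") for k in entry["kinds"]):
            entry["flags"].append("research")
        result.append(entry)
    return result

def clearing_house_output():
    reports = (parse_csv(SPAM_SENSOR_CSV, "spamtrap") + parse_json(DDOS_SENSOR_JSON, "ddos-sensor")
               + parse_sinkhole(SINKHOLE_LINES, "sinkhole"))
    return correlate(reports)

if __name__ == "__main__":
    print(json.dumps(clearing_house_output(), indent=2))  # JSON report, one entry per IP
```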

Page 7: HSB - Advanced Cyber Defense Center - Michel van Eeten

ACDC Community Portal


• Entry point to ACDC
• Handling of Data Sharing Policies
• Connects users to solutions
• Inter-connecting stakeholders to fight botnets
• Platform to create and deploy solutions
• Open Knowledge Exchange Platform
• Open Registration to intl. stakeholders

https://communityportal.acdc-project.eu

Page 8: HSB - Advanced Cyber Defense Center - Michel van Eeten

(National) Support Centres


• Botfree.eu as central point of entry
• 8 National End-User Support Centres
  • DE, BE, IT, ES, RO, PT, HR, FR
• Three columns of support
  • Prevent
  • Clean
  • Inform
• Free mitigation tools like
  • EU-Cleaner by Avira
  • Check-and-Secure.com
• Twitter, Blogs, Forum, Email-Support

Page 9: HSB - Advanced Cyber Defense Center - Michel van Eeten

Does it really help?


• Similar interventions are being tried everywhere:
  • national support centers
  • data clearing houses
  • ISP customer notifications
  • global C&C takedowns
• Resources are limited in time and magnitude
• Which of these measures are most effective?
• This requires robust comparative botnet metrics and careful statistical analysis
• Metrics also inform all stakeholders how well (or poorly) network operators are performing in mitigating botnet threats
• Metrics incentivize mitigation and reward the efforts of good ISPs

Page 10: HSB - Advanced Cyber Defense Center - Michel van Eeten

Global takedown of Zeus C&C


Figure 12 - Entrance of new Zeus attackers (botnet keys) per month

Looking at the country of the attacked domains also confirms the pattern. Figure 13 shows the overlap between the targeted countries across four years (2009-2012). Out of the total 92 attacked countries, seven were only attacked in 2009, and seventeen only in 2012. This shift in the variety of the attacked countries, despite the overall stability in the size of the attacks, points to a trial-and-error process with finite resources and players; i.e., the attacks are not spreading like mushrooms.

Figure 13 - Venn diagram of location of attacked domains across the years

8 Attack code development

8.1 Descriptive analysis

Our dataset contains 1,146,860 target URLs with associated inject codes. These inject codes are by no means all unique. In fact, on average each inject is repeated 27 times. Figure 14 shows the number of times a specific piece of code is used in different configuration files. Note that virtually all injected code is reused two or more times among the different configuration files.

Zeus source code leakage

Page 11: HSB - Advanced Cyber Defense Center - Michel van Eeten

Questions?


ACDC Main contact: Peter Meyer, eco e.V. ([email protected]), Project Coordinator – ACDC

Project Website: https://acdc-project.eu
Community Portal: https://communityportal.acdc-project.eu
Support Centres: https://botfree.eu
Twitter: https://twitter.com/AntiBotnet
Facebook: https://www.facebook.com/botfree.eu