Speaker: Hom-Jay Hom. Date: 2009/11/17. Botnet, and the CyberCriminal Underground (IEEE 2008), Hsinchun Chen and Clinton J. Mielke II.


Page 1

Speaker: Hom-Jay Hom

Date: 2009/11/17

Botnet, and the CyberCriminal Underground

IEEE 2008

Hsinchun Chen

Clinton J. Mielke II

Page 2

Outline

Botnets

SHADOW SERVER

Investigating the Botnet World

Further Work

Conclusion

112/04/20 2

Page 3

Botnets (1/3)

The earliest malware: damaging systems, printing taunting messages.

Traditional computer viruses: self-copy themselves. Trojan horses.

Worms: scanning and infecting.


Page 4

Botnets (2/3)

Infection

DDoS attacks

Spamming

Espionage

Proxies

Clickthrough Fraud

Page 5

Botnets (3/3)

The Underground Economy

Hidden social network of cybercriminals.

Criminals gather to sell their services: spammers, bot-herders, malware authors.

Many botnets are actually rented to other criminal organizations: phishing attacks, stock market pump-and-dump.


Page 6

SHADOW SERVER (1/2)

ShadowServer: nonprofit group.

Honeypots: passively collect malware.

Malware analysis. Passive: antivirus engines. Active: sandbox, which executes the untrustworthy malicious code.


Page 7

SHADOW SERVER (2/2)

Snooping: newly discovered IRC networks. Records all IRC traffic. The IRC logs are analyzed by a pattern-matching signature system.


Page 8

Investigating the Botnet World (1/9)

Dataset Processing

(Diagram: each record carries an ID, a C&C ID, a nickname and an IP address.)

Page 9

Investigating the Botnet World (2/9)

Classify known command strings: DDoS command, infection event, password-theft event.

Signature system: analyzed and classified; produced a compendium of what events


Page 10

Investigating the Botnet World (3/9)

1. Nickname Enumeration: random numeric ID, dictionary.

Signature system: bot command strings; produced a sanitized list.


Page 11

Investigating the Botnet World (4/9)

2. Drone Counting

A simple approach: state tracked in a lookup table, with a population counter.

A more refined approach: IRC events in the snooped channel.


Page 12

Investigating the Botnet World (5/9)

(Chart: bot population over time, with daytime and night-time periods marked.)

Page 13

Investigating the Botnet World (6/9)

Key Players

The botnet herders, by counting their controlled C&Cs. They detect others' botnet C&C channels and subvert their security mechanisms.


Page 14

Investigating the Botnet World (7/9)

Criminal Social Network

Analysis of community structure: all pre-filtered "human" nicknames.

Any two nodes found collaborating in a C&C channel.

Weights were assigned to the edges using a Jaccard metric.


Page 15

Investigating the Botnet World (8/9)

Hierarchical agglomerative clustering algorithm, minimum similarity of 50%.

957 nicknames, 104 clusters.
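As an added illustration of pages 14 and 15 (not code from the slides or from ShadowServer): Jaccard weights between nicknames computed from the C&C channels each was seen in, followed by agglomerative clustering that stops merging below 50% similarity. The nicknames, channels and the choice of average linkage are assumptions for the example.

```python
from itertools import combinations

# Constructed sample: the set of C&C channels each pre-filtered "human"
# nickname was observed collaborating in (names are made up).
OBSERVATIONS = {
    "herder_a":  {"#cc1", "#cc2", "#cc3"},
    "herder_a1": {"#cc1", "#cc2", "#cc3", "#cc4"},
    "herder_b":  {"#cc5", "#cc6"},
    "herder_b2": {"#cc5", "#cc6"},
    "lurker":    {"#cc9"},
    "mixed":     {"#cc3", "#cc5"},
}

def jaccard(a, b):
    """Jaccard similarity |A intersect B| / |A union B|; 0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def edge_weights(obs):
    """Weighted edge for every nickname pair sharing at least one channel."""
    edges = {}
    for n1, n2 in combinations(sorted(obs), 2):
        w = jaccard(obs[n1], obs[n2])
        if w > 0:
            edges[(n1, n2)] = w
    return edges

def cluster(obs, min_similarity=0.5):
    """Agglomerative clustering with average linkage (an assumption; the slides
    do not name the linkage). Merges the most similar pair of clusters until no
    pair reaches min_similarity, then returns the clusters sorted for stability."""
    clusters = [[n] for n in sorted(obs)]

    def avg_sim(c1, c2):
        pairs = [(x, y) for x in c1 for y in c2]
        return sum(jaccard(obs[x], obs[y]) for x, y in pairs) / len(pairs)

    while len(clusters) > 1:
        s, i, j = max((avg_sim(clusters[i], clusters[j]), i, j)
                      for i in range(len(clusters))
                      for j in range(i + 1, len(clusters)))
        if s < min_similarity:
            break
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]
    return sorted(sorted(c) for c in clusters)

if __name__ == "__main__":
    for c in cluster(OBSERVATIONS):
        print(c)
```

With the sample above, the near-duplicate nicknames pair up (0.75 and 1.0 similarity), while "mixed" stays alone because its best average similarity to any cluster is 1/3.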


Page 16

Investigating the Botnet World (9/9)

Of the 104 clusters:

C: C&C. D: DDoS. B: Bot. P: Victim passwords.

(Chart: distribution of the 104 clusters by event type; the counts are not recoverable from the transcript.)

Page 17

Further Work

Many herders will use close variations of similar nicknames.

Profile behavioral characteristics of herders.

Hierarchical clustering; biclustering or a hypergraph of nicknames and channels.

To better profile DDoS attack motivations, DDoS targets must be individually scrutinized. IP addresses could be correlated with latitude and longitude.


Page 18

Conclusion

Recent years: to encompass world-influencing crimes.

Tracking these miscreants and their botnets will become more and more challenging.

Individuals to secure themselves.

ShadowServer hopes to assist in whatever way we can to make the internet a safer place.


Page 19

END
