Your Botnet is My Botnet: Analysis of a Botnet Takeover
Report: 鄭志欣
Paper: Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna, in Proceedings of the ACM CCS, Chicago, IL, November 2009.
Machine Learning and Bioinformatics Lab, 112/04/20
Data collected: 2009/1/25 ~ 2009/2/5
180,000 infections
70GB of data
USD 83,000 ~ 8,300,000 (estimated value of the stolen bank account and credit card data)
Outline:
Introduction
Botnet Analysis
Threats and Data Analysis
Conclusion
The main purpose of this paper is to analyze the Torpig botnet's operations:
• Botnet size.
• The personal information stolen by botnets.
Instead of fast-flux, Torpig locates its C&C servers with a different technique, which the authors refer to as domain flux.
Data Collection and Format
Submission Header
Botnet Size vs. IP Count
Data: 70GB (10 days)
Protocol: HTTP POST requests
Submission header vs. request body
ts = timestamp
ip = IP address
sport = SOCKS proxy port
hport = HTTP port
os = operating system version
cn = locale
nid = bot identifier
bld and ver = build and version number of Torpig
gh5
Counting Bots by Submission Header Fields
The tuple (nid, os, cn, bld, ver) identifies a unique bot
Remove probers and researchers
18,200 hosts
4,690 bots / hour
705 bots / hour
DHCP (ISPs recycle IPs, so one bot appears under many addresses)
Financial Data Stealing
Password Analysis
In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions. The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).
We found that a naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results.
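As an added example (not code from the paper or these slides), the counting method from the Botnet Size slides applied to constructed submission headers: unique bots by the (nid, os, cn, bld, ver) tuple versus distinct IPs, plus the hourly "new bots" rate computed both ways. The header lines, bot identifiers, IPs and timestamps are made up for illustration.

```python
from collections import Counter, defaultdict
from urllib.parse import parse_qs

# Constructed sample submission headers laid out with the fields the
# slides list (ts, ip, sport, hport, os, cn, nid, bld, ver); not real
# Torpig traffic. Bot A and bot B each report from several IPs as
# their ISP recycles leases; IP 10.0.0.9 is used by bots B and C.
SAMPLE_HEADERS = [
    "ts=1232841600&ip=10.0.0.1&sport=8109&hport=8108&os=5.1.2600&cn=United%20States&nid=A&bld=gnh5&ver=229",
    "ts=1232845200&ip=10.0.0.2&sport=8109&hport=8108&os=5.1.2600&cn=United%20States&nid=A&bld=gnh5&ver=229",
    "ts=1232848800&ip=10.0.0.3&sport=8109&hport=8108&os=5.1.2600&cn=United%20States&nid=A&bld=gnh5&ver=229",
    "ts=1232841600&ip=10.0.0.7&sport=8109&hport=8108&os=6.0.6001&cn=Italy&nid=B&bld=gnh5&ver=229",
    "ts=1232845200&ip=10.0.0.9&sport=8109&hport=8108&os=6.0.6001&cn=Italy&nid=B&bld=gnh5&ver=229",
    "ts=1232845200&ip=10.0.0.9&sport=8109&hport=8108&os=5.1.2600&cn=Italy&nid=C&bld=gnh5&ver=229",
    "ts=1232848800&ip=10.0.0.9&sport=8109&hport=8108&os=5.1.2600&cn=Italy&nid=C&bld=gnh5&ver=229",
]

BOT_KEY_FIELDS = ("nid", "os", "cn", "bld", "ver")

def parse_header(line):
    """Parse one URL-encoded submission header into a flat dict."""
    return {k: v[0] for k, v in parse_qs(line).items()}

def bot_key(header):
    """Identity tuple the slides use to tell bots apart."""
    return tuple(header[f] for f in BOT_KEY_FIELDS)

def count_distinct_ips(lines):
    return len({parse_header(l)["ip"] for l in lines})

def count_bots(lines):
    return len({bot_key(parse_header(l)) for l in lines})

def ips_per_bot(lines):
    """Map each bot identity to the set of IPs it reported from."""
    seen = defaultdict(set)
    for h in map(parse_header, lines):
        seen[bot_key(h)].add(h["ip"])
    return dict(seen)

def new_per_hour(lines, key):
    """Identities (by `key`) first seen in each hour bucket of ts: the
    'bots per hour' figure computed by IP versus by bot identity."""
    headers = sorted(map(parse_header, lines), key=lambda h: int(h["ts"]))
    first_seen = {}
    for h in headers:
        first_seen.setdefault(key(h), int(h["ts"]) // 3600)
    return dict(Counter(first_seen.values()))
```

On this sample, five distinct IPs stand for three bots, and the per-hour rate of "new" identities is higher when counted by IP than by bot key, which is the overestimate the conclusion refers to.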