Your Botnet is My Botnet: Analysis of a Botnet Takeover
DESCRIPTION
Your Botnet is My Botnet: Analysis of a Botnet Takeover. Report: 鄭志欣. Conference: Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna, in Proceedings of the ACM CCS, Chicago, IL, November 2009.
![Page 1: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/1.jpg)
Report: 鄭志欣
Conference: Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna, in Proceedings of the ACM CCS, Chicago, IL, November 2009.
112/04/20 Machine Learning and Bioinformatics Lab 1
![Page 2: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/2.jpg)
Data collected: 2009/1/25 ~ 2009/2/5
180,000 infections
70GB of data
USD 83,000 ~ 8,300,000 (bank account and credit card data)
![Page 3: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/3.jpg)
Introduction
Botnet Analysis
Threats and data analysis
Conclusion
![Page 4: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/4.jpg)
The main purpose of this paper is to analyze the Torpig botnet's operations:
• Botnet size.
• The personal information stolen by botnets.
![Page 5: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/5.jpg)
Instead of fast-flux, Torpig uses a different technique for locating its C&C servers, which the paper refers to as domain flux.
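Added illustration of domain flux (a constructed toy generator, not Torpig's real algorithm, which the slides do not show): every bot derives the same weekly domain list from the calendar, and a defender who enumerates future weeks can register those names first and sinkhole the traffic.

```python
"""Domain flux: bot and defender derive the same weekly rendezvous domains
from the calendar. Constructed toy generator, NOT Torpig's real algorithm."""
import datetime
import hashlib

TLDS = (".com", ".net", ".biz")   # constructed suffix list, tried in order


def _week_seed(day_iso: str) -> str:
    """Seed is the ISO year/week, so every bot computes the same value that week."""
    year, week, _ = datetime.date.fromisoformat(day_iso).isocalendar()
    return f"{year}-W{week:02d}"


def weekly_domains(day_iso: str, count: int = 3) -> list:
    """Candidate C&C domains for the ISO week containing day_iso (ordered)."""
    seed = _week_seed(day_iso).encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + bytes([i])).hexdigest()
        # map hex nibbles onto letters so the label looks like a hostname
        label = "".join(chr(ord("a") + int(ch, 16) % 26) for ch in digest[:10])
        domains.append(label + TLDS[i % len(TLDS)])
    return domains


def precompute(start_iso: str, weeks: int) -> dict:
    """Defender view: enumerate the domains for the next `weeks` weeks so they
    can be registered (sinkholed) before the botmaster does."""
    start = datetime.date.fromisoformat(start_iso)
    table = {}
    for w in range(weeks):
        day = (start + datetime.timedelta(weeks=w)).isoformat()
        table[_week_seed(day)] = weekly_domains(day)
    return table


def bot_rendezvous(day_iso: str, registered: set):
    """Bot view: walk this week's list and stop at the first registered name.
    Whoever holds that name (botmaster or sinkhole) receives the bot's traffic."""
    for domain in weekly_domains(day_iso):
        if domain in registered:
            return domain
    return None
```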
![Page 6: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/6.jpg)
Data Collection and Format
Submission Header
Botnet Size vs. IP Count
![Page 7: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/7.jpg)
Data: 70GB (10 days)
Protocol: HTTP POST requests
Submission header vs. request body
![Page 8: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/8.jpg)
Ts = timestamp
IP
Sport = SOCKS proxy port
Hport = HTTP port
OS = operating system version
Cn = locale
Nid = bot identifier
Bld and ver = build and version number of Torpig
![Page 9: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/9.jpg)
![Page 10: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/10.jpg)
Counting Bots by Submission Header Fields
The tuple (nid, os, cn, bld, ver) identifies a unique bot.
Remove probers and researchers.
18200 hosts
![Page 11: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/11.jpg)
4690 Bots / hour
705 Bots / hour
![Page 12: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/12.jpg)
![Page 13: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/13.jpg)
DHCP (ISPs recycle IPs)
![Page 14: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/14.jpg)
Financial Data Stealing
Password Analysis
![Page 15: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/15.jpg)
In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions. The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).
![Page 16: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/16.jpg)
![Page 17: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/17.jpg)
We found that a naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results.
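Added example (constructed submission records in the header layout above, not the paper's dataset) applying the slides' counting rule: one bot per distinct (nid, os, cn, bld, ver) tuple after dropping probers, set against the naive distinct-IP count that DHCP churn inflates.

```python
"""Botnet size: distinct IPs vs. distinct submission-header tuples.
Constructed sample records in Torpig's header layout; not the paper's data."""
import re

FIELDS = ("ts", "ip", "sport", "hport", "os", "cn", "nid", "bld", "ver")
BOT_KEY = ("nid", "os", "cn", "bld", "ver")   # tuple the paper uses to identify a bot
NID_RE = re.compile(r"^[0-9A-F]{8}$")          # constructed nid format for this example

# Constructed submissions over ~30 hours: bot 0A1B2C3D changes address three
# times (DHCP), bots 11223344 and 55667788 sit behind one NAT address, and
# "PROBE" is a researcher's handmade request with empty fields.
RAW = [
    ("090125 01:00", "203.0.113.5",  1080, 8080, "5.1.2600", "en-US", "0A1B2C3D", "mod", "21"),
    ("090125 09:00", "203.0.113.77", 1080, 8080, "5.1.2600", "en-US", "0A1B2C3D", "mod", "21"),
    ("090126 07:00", "203.0.113.9",  1080, 8080, "5.1.2600", "en-US", "0A1B2C3D", "mod", "21"),
    ("090125 02:00", "198.51.100.4", 1081, 8081, "5.1.2600", "it-IT", "11223344", "mod", "21"),
    ("090125 02:05", "198.51.100.4", 1082, 8082, "6.0.6001", "it-IT", "55667788", "mod", "21"),
    ("090125 03:00", "192.0.2.10",   0,    0,    "",         "",      "PROBE",    "",    ""),
]
RECORDS = [dict(zip(FIELDS, row)) for row in RAW]


def is_prober(rec: dict) -> bool:
    """Drop submissions that cannot have come from a real infection: malformed
    nid or empty OS/locale fields (constructed heuristic)."""
    return not NID_RE.match(rec["nid"]) or not rec["os"] or not rec["cn"]


def count_by_ip(records) -> int:
    """Naive estimator: every distinct source address counts as a bot."""
    return len({r["ip"] for r in records})


def count_by_header(records) -> int:
    """The paper's estimator: one bot per distinct (nid, os, cn, bld, ver),
    after probers and researchers are removed."""
    return len({tuple(r[k] for k in BOT_KEY) for r in records if not is_prober(r)})


def ip_overestimate(records) -> float:
    """How far the IP count overshoots the header-based count (>1 means inflated)."""
    return count_by_ip(records) / count_by_header(records)
```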
![Page 18: Your Botnet is My Botnet : Analysis of a Botnet Takeover](https://reader036.vdocuments.net/reader036/viewer/2022081721/56813ade550346895da32a50/html5/thumbnails/18.jpg)