The document discusses the history and evolution of botnets from the early 1990s to present day. It describes how early IRC bots in the 1990s evolved into modern botnets that use techniques like peer-to-peer networking, encryption, and polymorphism. Major botnets are highlighted from the early 2000s like Sobig and Agobot through the late 2000s like Storm, Srizbi, and Cutwail. The document provides an overview of the convergence of technologies that led to modern botnets and their use for criminal purposes like fraud, identity theft, and spamming.
Reproducibility of computational workflows is automated using continuous anal..., by Kento Aoyama
The document summarizes a proposed method called "Continuous Analysis" that aims to improve reproducibility in computational research. Continuous Analysis combines continuous integration (CI) practices with computational research to automatically verify reproducibility. It proposes using Docker containers to capture computational environments and CI tools like Drone to automatically rebuild images and rerun analyses on code changes, flagging any differences in results. An experiment applying Continuous Analysis to two genomic analyses demonstrated it could more easily detect changes between versions.
LXC containers allow running isolated Linux systems within a single Linux host using kernel namespaces and cgroups. Namespaces partition kernel resources like processes, networking, users and filesystems to isolate containers. Cgroups limit and account for resource usage like CPU and memory. AUFS provides a union filesystem that allows containers to use a read-only root filesystem image while also having read-write layers for changes. Together these technologies provide lightweight virtualization that is faster and more resource-efficient than virtual machines.
The document discusses the state of Zope 3, including its history from initial development to present day. It describes how Zope 3 was split into many reusable packages, the challenges this posed around dependencies and versioning, and how tools like buildout and the Known Good Set (KGS) helped address these challenges. It provides statistics on package usage and contributors. Finally, it outlines plans to produce a Zope 3.4 release based on the stable KGS.
Containers for Science and High-Performance Computing, by Dmitry Spodarets
Within this talk, we will explore how Singularity liberates non-privileged users and host resources (such as interconnects, resource managers, file systems, accelerators, etc.), allowing users to take full control to set up and run in their native environments. This talk explores how Singularity combines software packaging models with minimalistic containers to create very lightweight application bundles which can be simply executed and contained completely within their environment, or be used to interact directly with the host file systems at native speeds. A Singularity application bundle can be as simple as a single binary application or as complicated as an entire workflow, and is as flexible as you will need.
Docker, Linux Containers, and Security: Does It Add Up?, by Jérôme Petazzoni
Containers are becoming increasingly popular. They have many advantages over virtual machines: they boot faster, have less performance overhead, and use fewer resources. However, those advantages also stem from the fact that containers share the kernel of their host instead of abstracting a new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
In this presentation, we will:
- Review the actual security risks, in particular for multi-tenant environments running arbitrary applications and code
- Discuss how to mitigate those risks
- Focus on containers as implemented by Docker and the libcontainer project, although the discussion also applies to plain containers as implemented by LXC
The document discusses using Puppet to manage configurations across multiple FreeBSD servers. It begins with an introduction to FreeBSD and why the presenter chose to use Puppet. A demonstration is then provided showing how to install Puppet on FreeBSD and use it to configure Apache and other applications consistently across servers. The presentation concludes by noting how Puppet works well for both Linux and FreeBSD administrators.
Akshaya Home Farms is a concept to grow vegetables on farms and supply directly to customers, eliminating middlemen. The company is owned by Suresh Iyer, who has experience in farming and business. The vision is to supply high quality farm fresh vegetables to homes with good customer service. The plan is to expand operations across several cities in India and grow to 15,000 customers within 18-24 months. Alliance partners can sign up to use the brand and software to operate similar businesses in their cities. Partners will receive support in areas like farming, packing, and delivery operations. With 1000 customers, estimated annual revenue is 1.68 crores with 30% gross and 15% net margins.
The document contains 12 exercises related to peer-to-peer systems. The exercises cover topics like indexing in peer-to-peer applications, guarantees expected from conventional servers versus peer-to-peer systems, trust and availability in personal computers, using hashes to identify objects, anonymity in peer-to-peer networks, routing algorithms, performance of peer-to-peer protocols, and search strategies for unstructured peer-to-peer systems. The exercises refer to concepts explained in the textbook "Distributed Systems: Concepts and Design" and aim to test the reader's understanding of these concepts.
The document discusses aspects of autonomic computing applied to peer-to-peer (P2P) systems to manage quality of service. It describes using a monitoring mechanism called SkyEye.KOM to gather statistics on P2P systems in a scalable and self-organizing way. Based on the monitoring data, the system can analyze for deviations from preset quality levels, plan adaptations like changing routing table sizes, and execute adaptations to reach and maintain quality goals. Simulations showed the approach enables P2P systems to precisely reach and hold preset quality intervals through self-configuration.
The document proposes a Dynamic Search Algorithm (DSA) that takes advantage of different search algorithms like flooding and random walk. DSA switches between these algorithms based on the context to provide efficient searching in unstructured peer-to-peer networks. It was designed to address the key challenge of efficient searching in such networks. The algorithm's operation involves initially sending query messages to neighbors like flooding, and then switching to random walk where each receiving node passes the query to one neighbor. Performance is evaluated based on metrics like success rate, search time, and efficiency.
This document discusses peer-to-peer (P2P) systems. It introduces the rationale for P2P, which is to leverage edge resources and scale without centralized servers. It describes three generations of P2P systems: centralized file sharing (Gen I), decentralized file sharing (Gen II), and P2P middleware (Gen III). It then discusses various P2P architectures like pure, hybrid, and mediated P2P. The rest of the document focuses on distributed hash tables (DHTs), covering concepts like GUID routing, content routing, bootstrapping, and specific DHT implementations like Pastry and Chord.
IEEE CCNC 2011: Kalman Graffi - LifeSocial.KOM: A Secure and P2P-based Soluti..., by Kalman Graffi
The phenomenon of online social networks reaches millions of users on the Internet nowadays. In these, users present themselves, their interests and their social links, which they use to interact with other users. We present in this paper LifeSocial.KOM, a p2p-based platform for secure online social networks which provides the functionality of common online social networks in a totally distributed and secure manner. It is plugin-based, thus extendible in its functionality, providing secure communication and access-controlled storage as well as monitored quality of service, addressing the needs of both users and system providers. The platform operates solely on the resources of the users, eliminating the concentration of crucial operational costs on one provider. In a testbed evaluation, we show the feasibility of the approach and point out the potential of the p2p paradigm in the field of online social networks.
Infinispan, a distributed in-memory key/value data grid and cache, by Sebastian Andrasoni
This document provides an introduction to distributed in-memory data grids and caches, including Infinispan. It discusses hash tables, distributed hash tables, consistent hashing, and the Chord lookup protocol. It then describes data grids and Infinispan's architecture, which uses consistent hashing to distribute data across clusters and allows for high availability even when nodes fail or partitions occur. The document also briefly discusses Infinispan's features like transactions, querying, map-reduce, and more.
This document provides an introduction to peer-to-peer (P2P) computer networks. It discusses how P2P networks rely on the computing power and bandwidth of participants rather than centralized servers. The document then covers several examples of P2P networks including Gnutella and Kademlia, and discusses techniques like distributed hash tables, queries, and node joining/leaving.
Performance evaluation methods for P2P overlays, by Knut-Helge Vik
This document discusses methods for evaluating the performance of peer-to-peer (P2P) overlay networks. It begins with an introduction to P2P networks and overlays, distinguishing between unstructured and structured overlays. It then discusses performance evaluation approaches, including simulation models, analytical models, and measurement-based techniques. Simulation models can be event-driven, static/Monte Carlo, or trace-driven. Analytical models apply queuing theory and complexity analysis. Measurement involves either live traffic observation or controlled experimentation. The document argues that combining different evaluation methods provides more robust performance assessments of P2P overlays.
Managing warehouse operations. How to manage and run warehouse operations by ..., by Omar Youssef
The document provides information about warehouse operations and goals. It discusses maximizing the effective use of space, equipment, labor and information. It outlines warehouse functions like receiving, storing, order picking and shipping. It also describes operational processes, inventory terms and costs, and opportunities to improve warehouse distribution. Controls are discussed around safety, fire prevention, theft and storing hazardous materials. Equipment and tools are also mentioned.
The document discusses botnets, which are collections of compromised machines controlled by a single entity. It describes the evolution and current state of botnets, how they are used for criminal activities like spam, fraud and denial of service attacks. It also outlines prevention, detection and response mechanisms to defend against botnets, and predicts that the arms race between botnet operators and defenders will continue as each side develops new techniques.
This document discusses using BitTorrent on iOS. It provides an overview of BitTorrent, including its history, usage statistics, and technical details. It then discusses challenges with using BitTorrent on iOS and potential solutions, including using the libtorrent C++ library. It covers how to build and configure libtorrent for iOS, and how to interface it with Swift. It also describes how to implement an event loop to fetch torrent updates and progress. Some caveats mentioned are the need for fine-tuning to avoid heavy battery usage and lack of background session support on iOS.
The document discusses the Storm worm, which first emerged in 2007 and uses a peer-to-peer network and rootkit technology to spread and avoid detection. It spreads through email and phishing websites. As it has evolved, Storm can send spam, conduct DDoS attacks, and download files. It uses a decentralized P2P architecture and encrypts traffic between bots using XOR encryption, making it difficult to trace. The rootkit technology allows it to hide processes, files, ports, and services to avoid detection by anti-virus software. Analysis of Storm's P2P network revealed over 5,796 infected hosts communicating within 21 minutes.
Paper Presentation - "Your Botnet is my Botnet: Analysis of a Botnet Takeover", by Jishnu Pradeep
This document summarizes a research study analyzing the takeover of the Torpig botnet. The researchers were able to gain control of the botnet for 10 days by reverse engineering its domain generation algorithm and command and control infrastructure. During this time, they observed over 180,000 infected systems and the theft of thousands of financial accounts and credit cards. The study provided insights into how botnets operate and profit from stolen data.
This document discusses botnets and their applications. It begins with an overview of botnets, how they are controlled through command and control servers, and how rootkits can help conceal botnet activity. It then explores how botnets can be used for spam, phishing, click fraud, identity theft, and distributed denial-of-service attacks. Detection and mitigation techniques are also summarized, including network intrusion detection, honeynets, DNS monitoring, and modeling botnet propagation across timezones. Recent botnets like AgoBot, PhatBot, and Bobax are also examined in the context of spam distribution. Open research questions around botnet membership detection, click fraud detection, and phishing detection are presented.
Observations from the APNIC Community Honeynet Project, presentation by Adli ..., by APNIC
Observations from the APNIC Community Honeynet Project, presentation by Adli Wahid for the CNCERT International Partnership Conference 2022, delivered on 14 December 2022.
38th TWNIC OPM: Observations and mitigation of Mozi botnet, by APNIC
APNIC Senior Internet Security Specialist, Adli Wahid, presented on the Mozi botnet, what was observed and how it was mitigated at the 38th TWNIC OPM, held on 1 December 2022 in Taipei.
This document provides an overview of botnets, including:
- What botnets are, how they originated and some examples from history
- How botnets are controlled through command-and-control servers
- The main threats posed by botnets like DDoS attacks, spam, and data theft
- Methods for botnet detection including host-based intrusion detection systems
The document discusses botnets, which are networks of compromised computers that are controlled remotely without the owners' knowledge. It defines different types of malware (viruses, worms, Trojans) and explains how botnets have characteristics of each. Botnets are used to perform malicious activities like DDoS attacks, spamming, and data theft. The document outlines botnet lifecycles and characteristics like topology and resilience techniques. It also discusses countermeasures like detection methods, takedown of command and control servers, and offensive strategies to disrupt botnets.
A Botnet Detecting Infrastructure Using a Beneficial Botnet, by Takashi Yamanoue
A beneficial botnet, which tries to cope with the technology of malicious botnets such as peer-to-peer (P2P) networking and Domain Generation Algorithms (DGA), is discussed. In order to cope with such botnets' technology, we are developing a beneficial botnet as an anti-bot measure, using our previous beneficial bot. The beneficial botnet is a group of beneficial bots. The P2P communication of a malicious botnet is hard to detect by a single Intrusion Detection System (IDS). Our beneficial botnet has the ability to detect P2P communication, using collaboration of our beneficial bots. The beneficial bot could detect communication of the pseudo botnet which mimics malicious botnet communication. Our beneficial botnet may also detect communication using DGA. Furthermore, our beneficial botnet has the ability to cope with the new technology of new botnets, because our beneficial botnet has the ability to evolve, in the same way as malicious botnets.
The last years have seen the growth of botnets and their transformation into a highly profitable business. Most of the botnets seen until now have used the same basic concepts. This presentation intends to show what the major challenges faced by botnet authors are and what they might try in the future to solve them.
The presentation will pass through some interesting solutions for botnet design challenges. A layered and extensible approach for bots will be presented, showing that solutions from the research fields of exploit construction (like Metasploit), P2P networks (Gnutella and Skype), authentication (digital signatures) and covert channels can be used to make botnets more reliable, extensible and hard to put down.
1. Bots are malware-infected computers controlled by attackers to form botnets.
2. Botnets are used to conduct DDoS attacks, spamming, identity theft and distribute other malware.
3. Botnets are controlled through command and control channels like IRC or HTTP and can consist of thousands of compromised computers forming a large network.
Bots are malicious programs that attackers install on compromised systems to remotely control them. They implement remote control mechanisms like IRC or P2P and can perform DDoS attacks or update other bots. They also have spreading mechanisms to propagate to other systems using exploits. Recent bots like Agobot and SDBot families are commonly used in large botnets for criminal purposes. They have advanced features that make analysis difficult. New variants appear frequently as attackers integrate new exploits or evasion techniques.
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Julia Yu-Chin Cheng
This document outlines the evolution of botnets and their threats. It discusses how botnets have moved from centralized command and control structures to using exploit kits and scripts for distribution. The document is divided into two parts, with part one covering traditional botnet landscapes and how they have evolved to use techniques like exploit kits, social engineering, and drive-by downloads to more efficiently infect computers and spread malware. Part two will focus specifically on web exploit kits, examining what they are, how they work, case studies, and how they generate revenue. The document provides an overview of the changing botnet ecosystem.
Botnets are networks of private computers infected with malicious software and controlled without the owners' knowledge. They are commonly used to launch distributed denial-of-service (DDoS) attacks and crack password files using brute force. An attacker first establishes command and control servers, then spreads bots to vulnerable devices using protocols like IRC and HTTP. Large botnets of thousands of devices allow password files to be cracked much faster than by a single computer. Common bot attacks include DDoS, spyware, click fraud, and password cracking. Users can help prevent infection by using antivirus software, firewalls, and keeping systems up to date.
This document describes a talk about microservices using three monkeys (the Sucker, the Cheater, and the Grudger) as an example. Each monkey is represented as a microservice with its own REST API. The monkeys collaborate to remove bugs, with the Grudger counteracting anti-social behaviors. The monkeys' lives progress in ticks notified by the Simulator microservice. The document discusses architectural approaches for the monkey microservices, including Docker containers, immutable deployment, service discovery with Consul, and continuous delivery with Terraform and Go CD. It also outlines areas for future exploration like fault tolerance, auto-scaling, and monitoring.
The document discusses botnets, which are networks of compromised computers or "zombies" that are controlled remotely by a botnet operator, usually through IRC channels. Botnets are used to carry out distributed denial of service attacks and other criminal activities. The document draws parallels between the evolution of botnets and Thomas Ray's artificial life simulation, suggesting botnets will continue to evolve new capabilities. It also examines the motivations and profiles of different types of botnet operators, from amateur "script kiddies" to more sophisticated international criminal gangs.
The Honeynet Project is a non-profit organization that aims to improve internet security by learning about computer attacks. It deploys honeypots - computers designed to be hacked - to capture data on threats. The organization shares its research findings openly. It also operates a Honeynet Research Alliance of groups around the world collaborating on honeypot technologies and research.
Your Botnet is My Botnet: Analysis of a Botnet TakeoverAhmed EL-KOSAIRY
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Botnets are the primary means for cyber-criminals to carry out their malicious tasks
• sending spam mails
• launching denial-of-service attacks
• stealing personal data such as mail accounts or bank credentials.
This document outlines a proposed net art project called "digital demise" that aims to track and document the destruction caused by hackers on a server. The project will monitor hackers' actions on the server, retrieve the data, and use it to dynamically generate graphic content on a separate website. It discusses the technical components, influences, aesthetics, planning, testing, and potential shortcomings of the project.
5. What is a botnet?
Two general purposes of using botnets:
• Provide layers of separation/insulation between criminal actors and criminal acts.
• Provide a cloud computing platform for a wide variety of functions.
Neither requires that there be anything of interest on victim computers.
7. Botnet Ecosphere
Social context: Botnets are created by human agents to achieve some purpose.
Usually:
1. Create botnet.
2. ???
3. Profit!
• What’s step 2?
• Do all of these steps need to be done by the same people?
• Who are these people?
8. Botnet Ecosphere
Some roles for division of criminal labor:
• Exploit/exploit pack developer
• Botherder/admin (manages botnet)
• Seller (drives traffic to exploit sites, paid per infection)
• Spammer (sender)
• Sponsor (spam ad buyer)
• Phisher
• Carder (trades in card data/makes counterfeits)
• Casher (takes out cash)
• Reshippers/mules (stolen goods/cash laundering -- WFH/GTJ)
9. Botnet Evolution: Overview
The convergence of DDoS tools, IRC bots, P2P software, worms, and SaaS = modern botnets
• Early 1990s: IRC channel bots (e.g., eggdrop, mIRC scripts, ComBot, etc.).
• Late 1990s: Denial of service tools (e.g., Trinoo, Tribal Flood Network, Stacheldraht, Shaft, etc.). Peer-to-peer file sharing tools.
• 2000: Merger of DDoS tools, worms, and rootkits (e.g., Stacheldraht+t0rnkit+Ramen worm; Lion worm+TFN2K).
• 2002: IRC-controlled bots implementing DDoS attacks.
• 2003: IRC-controlled bots spread with worms and viruses, fully implementing DDoS, spyware, malware distribution activity. First P2P bots (Sinit, WASTE).
• (Dave Dittrich, “Invasion Force,” Information Security, March 2005, p. 30)
• 2003-present: Botnets used as a criminal tool for extortion, fraud, identity theft, computer crime, spam, and phishing.
10. Botnet Evolution: History
• Dec. 1993: Eggdrop bot - Non-malicious, occasionally abused (supported linking multiple bots by 1999)
• April 1998: GTbot variants - Based on mIRC, malicious bots
• 1999: Sub7 trojan - Pretty Park worm, IRC listeners
• May 1999: Napster - Non-malicious file sharing, hybrid P2P & client-server
• March 2000: Gnutella - Non-malicious file sharing, decentralized P2P
• April 2002: SDbot variants - Malicious bot with IRC client. Code made widely available.
11. Botnet Evolution: History
Aug 2002-Sep 2003: Sobig variants - Botnet used by Ruslan Ibragimov’s send-safe spam operation
12. Botnet Evolution: History
• Oct 2002: Agobot variants - (500+ by 2008), malicious bot w/modular design
• Apr 2003: SpyBot variants - Derived from Agobot
• May 2003: Nullsoft WASTE - Encrypted P2P network. Removed from distribution by AOL
• Sep 2003: Sinit - P2P trojan, found peers via crafted DNS packets to random IPs, exchanged peer lists when found
• Nov 2003: Kademlia - P2P distributed hash table
13. Botnet Evolution: History
Feb 14, 2004: FBI takedown of Foonet and “DDoS Mafia.”
DDoS tool of choice: Agobot
Creator: Axel “Ago” Gembe of Germany, was indicted in 2008.
14. Botnet Evolution: History
Mar 2004: Phatbot - P2P bot using WASTE
Phatbot command list (two columns on the original slide, flattened here into one list per command group):
bot.command: runs a command with system()
bot.unsecure: enable shares / enable dcom
bot.secure: delete shares / disable dcom
bot.flushdns: flushes the bots dns cache
bot.quit: quits the bot
bot.longuptime: If uptime > 7 days then bot will respond
bot.sysinfo: displays the system info
bot.status: gives status
bot.rndnick: makes the bot generate a new random nick
bot.removeallbut: removes the bot if id does not match
bot.remove: removes the bot
bot.open: opens a file (whatever)
bot.nick: changes the nickname of the bot
bot.id: displays the id of the current code
bot.execute: makes the bot execute a .exe
bot.dns: resolves ip/hostname by dns
bot.die: terminates the bot
bot.about: displays the info the author wants you to see
shell.disable: Disable shell handler
shell.enable: Enable shell handler
shell.handler: FallBack handler for shell
commands.list: Lists all available commands
plugin.unload: unloads a plugin (not supported yet)
plugin.load: loads a plugin
cvar.saveconfig: saves config to a file
cvar.loadconfig: loads config from a file
cvar.set: sets the content of a cvar
cvar.get: gets the content of a cvar
cvar.list: prints a list of all cvars
inst.svcdel: deletes a service from scm
inst.svcadd: adds a service to scm
inst.asdel: deletes an autostart entry
inst.asadd: adds an autostart entry
logic.ifuptime: exec command if uptime is bigger than specified
mac.login: logs the user in
mac.logout: logs the user out
ftp.update: executes a file from a ftp url
ftp.execute: updates the bot from a ftp url
ftp.download: downloads a file from ftp
http.visit: visits an url with a specified referrer
http.update: executes a file from a http url
http.execute: updates the bot from a http url
http.download: downloads a file from http
rsl.logoff: logs the user off
rsl.shutdown: shuts the computer down
rsl.reboot: reboots the computer
pctrl.kill: kills a process
pctrl.list: lists all processes
scan.stop: signal stop to child threads
scan.start: signal start to child threads
scan.disable: disables a scanner module
scan.enable: enables a scanner module
scan.clearnetranges: clears all netranges registered with the scanner
scan.resetnetranges: resets netranges to the localhost
scan.listnetranges: lists all netranges registered with the scanner
scan.delnetrange: deletes a netrange from the scanner
scan.addnetrange: adds a netrange to the scanner
ddos.phatwonk: starts phatwonk flood
ddos.phaticmp: starts phaticmp flood
ddos.phatsyn: starts phatsyn flood
ddos.stop: stops all floods
ddos.httpflood: starts a HTTP flood
ddos.synflood: starts an SYN flood
ddos.udpflood: starts a UDP flood
redirect.stop: stops all redirects running
redirect.socks: starts a socks4 proxy
redirect.https: starts a https proxy
redirect.http: starts a http proxy
redirect.gre: starts a gre redirect
redirect.tcp: starts a tcp port redirect
harvest.aol: makes the bot get aol stuff
harvest.cdkeys: makes the bot get a list of cdkeys
harvest.emailshttp: makes the bot get a list of emails via http
harvest.emails: makes the bot get a list of emails
waste.server: changes the server the bot connects to
waste.reconnect: reconnects to the server
waste.raw: sends a raw message to the waste server
waste.quit
waste.privmsg: sends a privmsg
waste.part: makes the bot part a channel
waste.netinfo: prints netinfo
waste.mode: lets the bot perform a mode change
waste.join: makes the bot join a channel
waste.gethost: prints netinfo when host matches
waste.getedu: prints netinfo when the bot is .edu
waste.action: lets the bot perform an action
waste.disconnect: disconnects the bot from waste
15. Botnet Evolution: History
• 2003: Rbot - Uses encryption to evade detection
• 2004: Polybot - Adds polymorphism
• Mar 2006: SpamThru - P2P bot
• Apr 2006: Nugache - P2P bot, distributed via trojaned downloads on freeware sites. Author arrested Sep 2007.
• 2006-2011: Rustock - Major spammer. Atrivo takedown Sep 2008, McColo takedown Nov 11, 2008.
• Jan 2007-late 2008: Storm/Peacomm trojan - P2P; massive spammer. RBN connection? 20% of spam in 2008.
• 2007: Srizbi - Used Mpack, Reactor Mailer, bypassed host firewall. Similar to Rustock. Was largest botnet for a time.
McColo.
16. Botnet Evolution: History
• 2007: Cutwail trojan - Rootkit, DDoS and spam bot. 1.5M-2M bots. C&C taken down when ISP 3FN was taken down by the FTC on June 4, 2009.
• 2007-2012: Zeus - Financial info stealer, variants of software sold for $500-$15K. Still prevalent. Configs stored in AWS EC2, use of Google, Twitter, Facebook.
• 2008-2009: Torpig/Anserin - Financial info stealer. Includes Mebroot rootkit. UCSB researchers temporarily controlled for 10 days in 2009.
• Nov. 2008: Conficker worm - Variants A-E, end action of A-D was to update to subsequent versions; disabled Windows update and AV. Variant E (Apr 2009) installed Waledac spambot and SpyProtect scareware. Massive propagation (10.5M+). On May 3, 2009, variant E deleted itself and left C.
17. Botnet Evolution: History
Dec 2008: Koobface - Social network C&C, had Mac version. Click fraud, scareware sales. Gang exposed in NY Times.
18. Botnet Evolution: History
• 2009: Grum/Tedroo - Spammer, generated 26% of spam in March 2010.
• Mar 2009: Coreflood - Info stealer, taken down Apr 2011 (FBI w/ISC).
• Apr 2009: Waledac - Spammer. 1% of spam volume. Microsoft takedown of C&C domains Feb. 2010, spam domains Sep. 2010.
• May 2009: Bredolab trojan - Botnet. 30M bots, 143 C&C seized by Dutch police Oct. 25, 2010, Armenian suspect arrested.
• 2009: Aurora - Google attacked.
• 2009: Mariposa (Spain) - Info stealer, spam, DDoS. Taken down by Spanish police (w/Panda Security), Dec 23. 8-12M bots.
• Apr 2010: Storm 2 - Minus P2P
19. Botnet Evolution: History
2011: DNSChanger - Esthost/Rove Digital, redirected 6 million people to malicious websites, 4M bots. Nov 8: 100 servers seized in U.S., 6 Estonians arrested.
20. Botnet Evolution: History
2011: Kelihos/Hlux/Waledac 2.0 - P2P botnet similar to Waledac. 3-tier design: controllers, routers, workers. Spam, MacDefender scareware. Taken down Sep 26, 2011 by Microsoft.
22. Botnet Evolution: Present Day
Feb 2012: Flashback trojan - Exploits Java flaw. Mac botnet of 817,879 bots at peak. Deletes itself if ClamXav is installed.
Feb 2012: SabPub trojan, used for spearphishing.
25. Defense
Filter
• Outbound traffic
• Web content filtering
• Application control
• Identity awareness
• Intrusion prevention
• Data leak prevention
• Web application firewall
26. Defense
Monitor
• Signs of bots often show up in web and DNS requests
• Monitor user login activity; 30% of breaches use stolen credentials
• Log and alert/review
• You need an incident response plan
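Two of the monitoring checks the slide points at, worked through as an added example (this is editor-written code, not from the talk): a per-client NXDOMAIN ratio over resolver logs, since bots that try generated or dead C&C names fail far more lookups than people do, and a beaconing check over proxy logs, since a timer-driven check-in fetches the same URL at near-constant intervals. The log formats, the sample lines, the client addresses and the thresholds are all constructed assumptions for the example and would need baselining against real traffic.

```python
"""Two bot-activity checks over DNS and web-proxy logs (added example).

Log formats, sample lines and thresholds are constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed resolver log: "<unix_ts> <client_ip> <qname> <rcode>"
DNS_LOG = """\
1000 10.0.0.5 www.example.com NOERROR
1001 10.0.0.5 mail.example.com NOERROR
1002 10.0.0.9 qzk3v1a.example.net NXDOMAIN
1003 10.0.0.9 ph7ww2c.example.net NXDOMAIN
1004 10.0.0.9 mm1ax9r.example.net NXDOMAIN
1005 10.0.0.9 update.example.org NOERROR
1006 10.0.0.5 cdn.example.com NOERROR
"""

# Constructed proxy log: "<unix_ts> <client_ip> <url>"
PROXY_LOG = """\
0 10.0.0.9 http://c2.example.net/gate.php
598 10.0.0.9 http://c2.example.net/gate.php
1201 10.0.0.9 http://c2.example.net/gate.php
1800 10.0.0.9 http://c2.example.net/gate.php
2403 10.0.0.9 http://c2.example.net/gate.php
0 10.0.0.5 http://www.example.com/
412 10.0.0.5 http://www.example.com/
1333 10.0.0.5 http://www.example.com/
2101 10.0.0.5 http://www.example.com/
3000 10.0.0.5 http://www.example.com/
"""


def parse_dns(log):
    """Yield (ts, client, qname, rcode) from the constructed resolver format."""
    for line in log.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            yield int(ts), client, qname, rcode


def nxdomain_stats(log):
    """Map each client to (nxdomain_count, total_queries)."""
    stats = defaultdict(lambda: [0, 0])
    for _, client, _, rcode in parse_dns(log):
        stats[client][1] += 1
        if rcode == "NXDOMAIN":
            stats[client][0] += 1
    return {client: tuple(counts) for client, counts in stats.items()}


def flag_nxdomain(log, min_queries=4, min_ratio=0.5):
    """Clients whose share of failed lookups is suspiciously high.

    min_queries stops a single typo from flagging a host; min_ratio is a
    tuning knob that must be baselined against normal traffic.
    """
    return {client for client, (nx, total) in nxdomain_stats(log).items()
            if total >= min_queries and nx / total >= min_ratio}


def parse_proxy(log):
    """Yield (ts, client, url) from the constructed proxy format."""
    for line in log.splitlines():
        if line.strip():
            ts, client, url = line.split()
            yield int(ts), client, url


def beaconing_clients(log, min_hits=5, max_cv=0.1):
    """Return {(client, url): mean_interval_seconds} for near-periodic fetches.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: human browsing has a high cv, a timer-driven
    check-in a very low one.
    """
    hits = defaultdict(list)
    for ts, client, url in parse_proxy(log):
        hits[(client, url)].append(ts)
    result = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            result[key] = mean
    return result


if __name__ == "__main__":
    print("high NXDOMAIN ratio:", sorted(flag_nxdomain(DNS_LOG)))
    for (client, url), gap in beaconing_clients(PROXY_LOG).items():
        print(f"beacon: {client} -> {url} every ~{gap:.0f}s")
```

On the constructed input only 10.0.0.9 trips both checks: three of its four lookups fail, and its five fetches of gate.php are spaced about 600 seconds apart with almost no jitter, while 10.0.0.5's five page loads vary too much to pass the cv threshold. Either signal alone is noisy (a misconfigured search domain produces NXDOMAINs, a dashboard auto-refresh produces beacons), which is why the slide pairs monitoring with log review and a response plan rather than automatic blocking.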
28. Offense
• Track
• Takeover
• Takedown
• Arrest & Prosecute
FBI:
May 22, 2001: Operation Cyber Loss – 62 arrests
May 16, 2002: Operation E-Con – 50 arrests
Nov 20, 2003: Operation Cyber Sweep – 125 arrests
Feb 14, 2004: Operation Cyber Slam – Foonet DDoS
May 20, 2004: Operation SLAM-Spam - 50 targets
Jun 13, 2007: Operation Bot Roast – 3 arrests
Nov 29, 2007: Operation Bot Roast II – 3 indictments
Sep 30, 2010: Operation Trident Beach – 5 Ukraine arrests, Zeus partial takedown
Apr 2011: Coreflood takedown (w/ISC)
Nov 8, 2011: Operation Ghost Click – 6 Estonians arrested for DNSChanger. (w/Trend Micro)
Microsoft Digital Crimes Unit:
Feb 22, 2010: Operation b49, Waledac C&C takedown (w/Shadowserver, Symantec)
Oct 27, 2010: Operation b49, Waledac spam takedown
Mar 16, 2011: Operation b107, Rustock takedown (w/FireEye)
Sep 26, 2011: Operation b79, Kelihos/Waledac 2.0 takedown; civil suit vs. Dominique Alexander Piatti.
Mar 23, 2012: Operation b71, Zeus takedown (w/F-Secure)
Crowdstrike:
Mar 29, 2012: Kelihos v2 takedown (w/SecureWorks, Honeynet Project, Kaspersky)
29. Offense: Track & Takeover
• Sinkholing
– Domain-based (w/cooperation of domain registrar) – most common
– Route-based (w/cooperation of ISPs/NSPs)
• C&C tracking/takeover
– More common to monitor C&C servers to identify bots & attackers than to takeover
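Domain-based sinkholing, modelled at the resolver as an added example (editor-written, not code from the talk or from any of the takedown operations it lists): once a C&C domain has been re-pointed with the registrar's cooperation, every host that still resolves it and connects identifies itself as infected. The policy table, the domain names, the client addresses and the sinkhole address (from the RFC 5737 documentation ranges) are constructed for the example; a production sinkhole would match on a far larger indicator list and would also keep the connection-level logs, not only the DNS side shown here.

```python
"""Resolver-side model of a domain-based sinkhole (added example).

Every name and address below is constructed; none is a real indicator.
"""
from collections import defaultdict

SINKHOLE_IP = "192.0.2.1"  # assumed address of the defender-run sinkhole host

# Constructed policy: C&C domains that have been seized and re-pointed.
SINKHOLED_DOMAINS = {"c2-a.example.net", "gate.example.org"}

# Constructed answers an upstream resolver would give for benign names.
UPSTREAM = {
    "www.example.com": "198.51.100.10",
    "mail.example.com": "198.51.100.11",
}


def matches_policy(qname, policy=SINKHOLED_DOMAINS):
    """True if qname or any parent domain of it is sinkholed (case-insensitive).

    Walking up the labels matters: bots routinely use subdomains of the
    seized domain, and a policy that only matched the apex would miss them.
    """
    name = qname.rstrip(".").lower()
    while name:
        if name in policy:
            return True
        _, _, name = name.partition(".")
    return False


class SinkholeResolver:
    """Answers sinkholed names with SINKHOLE_IP and records who asked."""

    def __init__(self, policy=SINKHOLED_DOMAINS, upstream=UPSTREAM):
        self.policy = policy
        self.upstream = upstream
        self.hits = defaultdict(set)  # client ip -> sinkholed names it asked for

    def resolve(self, client, qname):
        """Return (answer_ip_or_None, sinkholed) for one query."""
        if matches_policy(qname, self.policy):
            self.hits[client].add(qname.lower())
            return SINKHOLE_IP, True
        return self.upstream.get(qname.lower()), False

    def infected_hosts(self):
        """Clients that asked for at least one sinkholed name."""
        return sorted(self.hits)


# Constructed query log: "<client_ip> <qname>"
QUERY_LOG = """\
10.0.0.5 www.example.com
10.0.0.9 C2-A.example.net
10.0.0.9 www.example.com
10.0.0.12 update.gate.example.org
10.0.0.5 mail.example.com
"""


def replay(log, resolver=None):
    """Feed a query log through the resolver and return it with its hit table."""
    resolver = resolver or SinkholeResolver()
    for line in log.splitlines():
        if line.strip():
            client, qname = line.split()
            resolver.resolve(client, qname)
    return resolver


if __name__ == "__main__":
    r = replay(QUERY_LOG)
    for host in r.infected_hosts():
        print(host, "asked for", sorted(r.hits[host]))
```

The infected-host inventory is the whole point of the exercise and is what makes sinkholing a tracking tool as much as a takedown tool: the slide's remark that monitoring C&C is more common than taking it over reflects the same data. Route-based sinkholing, the other variant on the slide, works one layer down (the ISP announces the C&C prefix toward the sinkhole) and needs no resolver changes at all.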
30. Future
• Macs as targets
• Social networks as delivery mechanism
• Mobile as target
• More indirect attacks (CAs, RSA, Sophos)
• Competing legal agendas:
– Global Online Freedom Act (GOFA) HR 3605
– Cyber Intelligence Sharing and Protection Act (CISPA) HR 2523
• A decline in the use of large botnets except as “stepping stones”
31. Q&A
Any questions?
Jim Lippard
Sr. Product Manager, Security
EarthLink Business
jlippard@corp.earthlink.com
Twitter: @lippard
Editor's Notes
This talk is botnet-focused; other types of malware and criminal activity are not covered or only touched upon, such as use of exploit packs, the details of carding and phishing, and actions by hacktivists and state-supported actors.
“Lippard dubs bot software ‘the Swiss army knife of crime on the Internet.’” Joaquim P. Menezes, NetworkWorld, July 26, 2007: http://www.networkworld.com/news/2007/072507-why-were-losing-the-botnet.html (quoted from May 2006 interview on the Security Catalyst podcast)
“Networks of compromised computers controlled by a central server, better known as botnets, are a Swiss Army knife of tools for online criminals.” Robert Lemos, “Breaking the Botnet Code,” Technology Review, November 11, 2009: http://www.technologyreview.com/computing/23924/
“‘Botnets are the Swiss Army knife of attack tools,’ said Marc Fossi, manager of research and development for Symantec Corp.'s security response team.” Gregg Keizer, “Botnets ‘the Swiss Army knife of attack tools’”, Computerworld, April 7, 2010: http://www.computerworld.com/s/article/9174560/Botnets_the_Swiss_Army_knife_of_attack_tools_
“Botnets are the Swiss Army Knife of Internet criminals, according to Minister of Economic Affairs Maxime Verhagen.” Dutch Daily News, Jan. 14, 2011: http://www.dutchdailynews.com/botnet-computers/
“‘Botnets are the Swiss Army knife of our criminals’, Picko said.” June 24, 2011: http://en.eco.de/association/202_9230.htm
Public domain photo from http://en.wikipedia.org/wiki/File:Swiss_army_knife_open_20050612.jpg (Victorinox Swiss Army knife, Mountaineer model, photo taken in Sweden on 12 June 2005 by Jonas Bergsten using a Canon PowerShot G3).
Images used with permission from Ben Woelk, “Avoiding the Botnet Snare,” Rochester Institute of Technology’s ITS eNews, 2007: http://www.rit.edu/its/news/archive/07feb/botnet.html
Image from Wikipedia, https://en.wikipedia.org/wiki/File:Botnet.svg, by user Tom-b, and is available under a Creative Commons Attribution-Share Alike 3.0 Unported license.
1. Infection (trojan horse in this case), 2. Control, 3. Third party spammer purchases service (part of the social network to be discussed next), 4. Spam is sent out by the bots.
Many options:
Infection: Trojan horse, drive-by-download, worm, social engineering, etc. Primarily web or worm delivery, web delivery often driven by email, IM, social networking, search results, etc. Lots of room for creativity.
Control: Most common channels: HTTP, HTTPS, IRC.
Commands: Again, virtually no limits, but driven by goals—spam, click fraud, DDoS, identity/financial theft, extortion, encrypting files, etc. Common functions include keystroke logging, proxying spam or other types of connections, collecting credentials, engaging in DDoS, and propagating further.
Step 2 depends in part on the organizational structure of the social network behind the botnet, and whether the botnet is rented out, sold, or used in house. Similarly, step 1 is often divided amongst different players; slide 5’s components can be done by different players and even more steps can be added.
Step 2: Open proxies, sell for spam. Build own spam service and sell it. Lease the bots. Sell the botnet. Encrypt end user files and demand ransom for return. Install keyloggers, intercept traffic to financial sites, sell credentials and financial information. Install scareware, sell bogus AV software. Generate clicks to web advertising sites that pay affiliate fees. DDoS competitors.
Step 3 can be other things, of course—status, revenge, distraction, lulz, which then motivates other Step 2s like rigging online polls, adjusting popularity of links and websites, stealing and publishing information online.
Who are these people: 83% of breaches in Verizon DBIR 2012 are by organized criminal groups (p. 20). Larger enterprises tend to also see apparent state-sponsored or supported breaches (APT, which likely steer away from botnets), smaller are often targets of opportunity, apparently due to weaker controls (e.g., more breaches from default credentials on remote access).
Exploit packs are an interesting topic in their own right, see: Team Cymru, “A Criminal Perspective on Exploit Packs,” 2011: http://www.team-cymru.com/ReadingRoom/Whitepapers/2011/Criminal-Perspective-On-Exploit-Packs.pdf
Criminal network roles are also discussed in Phil Williams, “Transnational Criminal Networks,” in John Arquilla and David Ronfeldt, Networks and Netwars: The Future of Terror, Crime, and Militancy, 2001, RAND, pp. 61-97, and especially pp. 82-84. Williams identifies Organizers, Insulators, Communicators, Guardians, Extenders, Monitors, and Crossovers.
Example cash mule/launderer: Ronnie Cutshall: http://voices.washingtonpost.com/securityfix/2009/11/fdic_uptick_in_money_mule_scam.html
This slide is little changed from talks given in 2005. Main changes since then are more P2P, Macs as bots, and arrests and takedowns.
Sources: Dave Dittrich, “Evolution: Rise of the bots,” Information Security, March 2005, p. 30: http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1068914,00.html
Julian B. Grizzard, Vikram Sharma, Chris Nunnery, Brent ByungHoon Kang, and David Dagon, “Peer-to-Peer Botnets: Overview and Case Study,” HotBots ’07: Proceedings of the first conference on hot topics in understanding botnets: http://static.usenix.org/event/hotbots07/tech/full_papers/grizzard/grizzard_html/
Most of these are derived from Grizzard et al., op cit., up through Storm/Peacomm in 2007.
Rik Ferguson points to Sub7 and Pretty Park as progenitors of IRC bots and puts GTbots later than Grizzard: http://www.businesscomputingworld.co.uk/the-history-of-the-botnet-part-i/
Dittrich (op cit).
Agobot variant count: Kleber Cariello de Oliveira, “Botconomics” – Mastering the Underground Economy of Botnets. LACNIC May, 2008. http://www.slideshare.net/Annie05/botconomics-presentation
WASTE: A reference to Thomas Pynchon’s The Crying of Lot 49: https://en.wikipedia.org/wiki/WASTE
Kademlia’s distributed hash table algorithm was later used by Limewire to augment Gnutella and by BitTorrent. It is subject to Sybil attacks/pseudospoofing: https://en.wikipedia.org/wiki/Sybil_attack
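Since slide 12 lists Kademlia as the DHT the later P2P botnets built on and the note says it is subject to Sybil attacks, here is the core of the routing metric worked through as an added example (editor-written illustration, not Kademlia's reference implementation or any botnet's code). It shows the XOR distance, the k-closest set a lookup converges on, the bucket index a contact lands in, and why the Sybil problem follows directly from the design: a node's place in the overlay is just the ID it presents, so a party that picks its own IDs near a key owns that key's k-closest set. The 16-bit ID space and the node IDs are constructed; real Kademlia uses 160-bit IDs.

```python
"""Kademlia XOR metric, k-closest lookup and the Sybil consequence (added example).

ID_BITS, the node IDs and the key are constructed for illustration.
"""

ID_BITS = 16  # toy ID space; the real protocol uses 160-bit IDs


def xor_distance(a, b):
    """Kademlia distance: XOR of the two IDs interpreted as an integer.

    It is symmetric, zero only for identical IDs, and unidirectional:
    for any point and distance there is exactly one ID at that distance.
    """
    return a ^ b


def k_closest(key, node_ids, k=3):
    """The k nodes a lookup for `key` converges on (ties broken by ID order)."""
    return sorted(node_ids, key=lambda n: (xor_distance(n, key), n))[:k]


def bucket_index(self_id, other_id):
    """Which k-bucket `other_id` lands in from `self_id`'s point of view.

    Kademlia keeps one bucket per leading differing bit, so the index is
    the position of the highest set bit of the distance (-1 for self).
    """
    d = xor_distance(self_id, other_id)
    return d.bit_length() - 1 if d else -1


def sybil_share(key, honest_ids, chosen_ids, k=3):
    """Fraction of `key`'s k-closest set held by nodes with self-chosen IDs.

    Because the protocol accepts whatever ID a node presents, IDs picked
    to sit next to `key` displace the honest nodes from its closest set.
    That is the pseudospoofing weakness the note refers to, and it is why
    researchers crawling or measuring a P2P botnet watch for clusters of
    IDs crowding one key, and why hardened DHTs constrain ID choice.
    """
    chosen = set(chosen_ids)
    closest = k_closest(key, list(honest_ids) + list(chosen), k)
    return sum(1 for n in closest if n in chosen) / k


# Constructed overlay: six honest nodes and one key being looked up.
HONEST = [0x1234, 0xBEEF, 0x0F0F, 0xABCD, 0x7777, 0x2222]
KEY = 0xBEE0

if __name__ == "__main__":
    print("k-closest to", hex(KEY), [hex(n) for n in k_closest(KEY, HONEST)])
    print("bucket of 0xBEEF from 0xBEE0:", bucket_index(0xBEE0, 0xBEEF))
    print("share with three chosen IDs:",
          sybil_share(KEY, HONEST, [0xBEE1, 0xBEE2, 0xBEE3]))
```

With the constructed IDs the closest honest node to the key is 0xBEEF (distance 0xF); three self-chosen IDs at distances 1, 2 and 3 take the whole k-closest set, and a single one already takes a third of it. The metric itself is what made these overlays attractive for botnet C&C (no central server to seize, O(log n) lookups), and the same property is what the takeover research in the notes below exploits from the defensive side.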
Saad “Jay” Echouafni, CEO of Orbit Communication Corp., hired Paul Ashley, owner of Foonet, to DDoS his main business rivals in satellite TV resale, for $1,000, and skipped the country on $750K bail. He’s never been caught. The rivals, WeaKnees.com and RapidSatellite.com, were taken down by SYN flood attacks.
Paul Ashley of Foonet turned informer to get Echouafni on tape. This takedown was part of the FBI’s “Operation Cyberslam.”
Kevin Poulsen, “FBI busts alleged DDoS Mafia,” Security Focus, August 26, 2004: http://www.securityfocus.com/news/9411
Kevin Poulsen, “Hackers Admit to Waves of Attacks,” Wired, September 8, 2005: http://www.wired.com/politics/security/news/2005/09/68800?currentPage=all
Gembe indicted: Lucian Constantin, “European Botnet Runners Indicted in the Foonet DDoS Case,” Softpedia, October 4, 2008: http://news.softpedia.com/news/European-Botnet-Runners-Indicted-in-the-FooNet-DDoS-Case-94919.shtml
Also see: https://en.wikipedia.org/wiki/Rizon
Phatbot command list from LURHQ, now part of SecureWorks.
Polybot, Rbot: Ferguson, “History of the Botnet, Part I,” op cit.
Nugache: David Dittrich and Sven Dietrich, “P2P as botnet command and control: a deeper insight,” Proceedings of the 2008 3rd International Conference on Malicious and Unwanted Software (Malware), October 2008: http://staff.washington.edu/dittrich/misc/malware08-dd-final.pdf
Nugache/Storm: Sam Stover, Dave Dittrich, John Hernandez, and Sven Dietrich, “Analysis of the Storm and Nugache Trojans,” USENIX ;login: v. 32, no. 6, December 2007, pp. 18-27: http://staff.washington.edu/dittrich/misc/stover.pdf
Atrivo: http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html
Atrivo and McColo probably had Esthost connections as well (see Nov 8, 2011).
McColo shut down Nov. 11, 2008 by Global Crossing and Hurricane Electric, reducing global spam by 75% (temporarily): http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html
Storm: http://en.wikipedia.org/wiki/Storm_botnet
On Russian Business Network, see Joseph Menn, Fatal System Error, 2010, PublicAffairs.
Cutwail: Ferguson, “History of the Botnet, Part II”: http://countermeasures.trendmicro.eu/the-history-of-the-botnet-part-ii/
Takedown: Brian Krebs, “The Fallout from the 3FN takedown,” June 9, 2009: http://voices.washingtonpost.com/securityfix/2009/06/the_fallout_from_the_3fn_taked.html
Zeus: http://www.antisource.com/article.php/zeus-botnet-summary
Use of Amazon Web Services Elastic Compute Cloud, Google, Facebook, and Twitter: Ferguson, “History of the Botnet, Part III”: http://countermeasures.trendmicro.eu/the-history-of-the-botnet-part-iii/
Operation Trident Beach, initial Zeus takedown Sep 30, 2010: Dan Goodin, “5 botnet kingpins busted in $70m fraud ring,” 1 Oct 2010: http://www.theregister.co.uk/2010/10/01/zeus_kingpin_arrest/ (5 arrests in Ukraine.)
Torpig: http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html and http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
Conficker C details: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Worm%3aWin32%2fConficker.C
Conficker E details: http://blog.priveonlabs.com/sec_blog.php?title=conficker_e_we_hardly_knew_ye&more=1&c=1&tb=1&pb=1
Koobface gang tracked down to St. Petersburg, Russia, exposed in the New York Times after investigation by Jan Drömer, independent researcher, and Dirk Kollberg, SophosLabs, in “The Koobface malware gang - exposed!”: http://nakedsecurity.sophos.com/koobface/
“Web Gang Operating in the Open,” New York Times, 17 January 2012: http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?_r=1
“Anton Korotchenko, who uses the online nickname ‘KrotReal’; Stanislav Avdeyko, known as ‘leDed’; Svyatoslav E. Polichuck, who goes by ‘PsViat’ and ‘PsycoMan’; Roman P. Koturbach, who uses the online moniker ‘PoMuc’; and Alexander Koltyshev, or ‘Floppy.’”
Coreflood takedown: http://www.wired.com/threatlevel/2011/04/coreflood/ and http://threatpost.com/en_us/blogs/coreflood-takedown-raises-questions-about-offensive-actions-against-botnets-042911
Waledac takedown, Operation b49: http://www.theregister.co.uk/2010/03/16/waledac_takedown_success/
Aurora: http://www.damballa.com/research/aurora/
Mariposa takedown, December 23, 2009: http://www.computerworld.com/s/article/9164838/Spanish_police_take_down_massive_Mariposa_botnet
Bredolab takedown, October 25, 2010: http://blogs.technet.com/b/mmpc/archive/2010/10/26/bredolab-takedown-another-win-for-collaboration.aspx
Image from http://blog.trendmicro.com/trojan-on-the-loose-an-in-depth-analysis-of-police-trojan/
Operation Ghost Click:
http://www.darkreading.com/advanced-threats/167901091/security/client-security/231902809/teaming-up-to-take-down-threats.html
http://venturebeat.com/2011/11/09/fbi-operation-ghost-click/
http://blog.trendmicro.com/esthost-taken-down-biggest-cybercriminal-takedown-in-history/
Kelihos: https://threatpost.com/en_us/blogs/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911 (source of image)
Controllers host nginx web servers and don’t show up in peer lists on workers.
Routers add an insulation layer to protect the controllers and include proxy capability.
Official website: www.darkshellnew.com
“Darkshell DDoS Botnet Evolves with Variants,” April 5, 2012, McAfee Labs: http://blogs.mcafee.com/mcafee-labs/darkshell-ddos-botnet-evolves-with-variants
Flashback: http://news.drweb.com/show/?i=2341&lng=en&c=9
Peak infection (by UUID): http://news.drweb.com/show/?i=2386&lng=en&c=14
Rich Mogull, “What you need to know about the Flashback trojan,” April 6, 2012, MacWorld: http://www.macworld.com/article/1166254/what_you_need_to_know_about_the_flashback_trojan.html
Estimated number of infections as of 10 April 2012: 655,700.
SabPub trojan: http://news.cnet.com/8301-1009_3-57414516-83/new-mac-os-x-trojan-unearthed-call-it-sabpub/
Second variant using infected Word documents (via CVE-2009-0563) appeared in April.
Patch: Most breaches are still from a small number of vulnerabilities, including older ones. 30% of breaches use stolen login credentials (Verizon DBIR 2012, p. 26). People are getting better about Windows patching, but don’t forget applications, esp. Adobe & Java.
ClamXav, which uses the ClamAV engine from Sourcefire, is free.
Mac security/hardening guides: https://isc.sans.edu/diary.html?storyid=12616
Next-generation firewall, anyone? Gets you most of the above in one package (WAF sold separately).
Monitoring and Incident Response plan: There are two kinds of companies, those which know that they’ve been breached and those that don’t. You will be breached if you haven’t been already, and most companies only hear about it after the fact from a third party. Better to be in the former category and be able to recognize a breach when it occurs and respond.
Log & review: How about doing some crowdsourcing on login misuse, by sending login notifications to the mobile device of the user?
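One concrete form of the "log & review" idea above, added here as an example (it is not code from the talk or from any product): a monitor that reads successful-login records, keeps a per-user baseline of devices seen before, and emits a notification record whenever a user logs in from a device that is not in that baseline. The user then confirms or denies the login from their phone, which is the crowdsourcing the note proposes. The log line format, the field names and the sample events are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from any real system); the
# "key=value" format and the field names are assumptions for this example.
SAMPLE_LOG = """\
2012-04-10T08:01:22Z user=alice device=dev-a1 ip=10.0.0.5 result=success
2012-04-10T09:14:03Z user=alice device=dev-a1 ip=10.0.0.5 result=success
2012-04-10T09:20:41Z user=bob device=dev-b1 ip=10.0.0.7 result=success
2012-04-10T13:02:10Z user=alice device=dev-x9 ip=203.0.113.44 result=failure
2012-04-10T13:02:35Z user=alice device=dev-x9 ip=203.0.113.44 result=success
2012-04-11T07:55:00Z user=bob device=dev-b1 ip=10.0.0.7 result=success
2012-04-11T12:30:12Z user=bob device=dev-b2 ip=198.51.100.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) device=(?P<device>\S+) "
    r"ip=(?P<ip>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Parse one login record; return a dict of fields or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def new_device_notifications(lines):
    """Return one notification dict per successful login from a device the
    user has not used before.

    Rules (assumptions of this example, not a standard):
      * only successful logins enroll a device into the user's baseline,
        so an attacker guessing passwords from a new device never gets
        that device "trusted" by failing;
      * a user's very first recorded login only builds the baseline and
        does not notify (there is nothing to compare against yet);
      * every later login from an unseen device produces a notification,
        which the caller would push to the user's mobile device.
    """
    known = defaultdict(set)   # user -> set of device ids seen on success
    notifications = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        devices = known[ev["user"]]
        if ev["device"] in devices:
            continue                      # known device, nothing to do
        if devices:                       # baseline exists: this is new
            notifications.append({
                "user": ev["user"], "device": ev["device"],
                "ip": ev["ip"], "ts": ev["ts"],
                "message": "New device login for %s from %s; was this you?"
                           % (ev["user"], ev["ip"]),
            })
        devices.add(ev["device"])
    return notifications


if __name__ == "__main__":
    for n in new_device_notifications(SAMPLE_LOG.splitlines()):
        print(n["ts"], n["message"])
```

On the constructed sample this yields two notifications (alice from dev-x9, bob from dev-b2); the failed attempt from dev-x9 is deliberately ignored so that it cannot pre-enroll the device. A real deployment would persist the baseline and age out devices, and would treat a "not me" reply as the start of the incident response process the note describes.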
To FBI, USSS, or ic3.gov.
Collaborate: Share as much information as possible about breaches, at least within secure settings (e.g., industry Information Sharing and Analysis Centers (ISACs): http://www.isaccouncil.org/).
SEC guidance requires breach disclosure now if such incidents are “among the most significant factors that make an investment in the company speculative or risky” (http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm), and companies with mature security programs are disclosing in detail (e.g., Verisign, RSA). It’s time to build a culture where we’re open about security breaches and those who disclose are not stigmatized for the disclosure (as opposed to for having terrible security). Failure to disclose and very late disclosure should be seen as a negative sign, while timely disclosure should be seen as a positive sign.
And these things can lead to….
The law finally catching up: Roger A. Grimes, “If you do the cyber crime, expect to do the time,” InfoWorld, April 3, 2012: http://www.infoworld.com/d/security/if-you-do-the-cyber-crime-expect-do-the-time-190042
Tracking: Brian Krebs, various security researchers, Microsoft Digital Crimes Unit, Team Cymru, SecureWorks, Damballa, Sophos, Symantec, Crowdstrike.
Takeover, Takedown: Microsoft, Crowdstrike.
Arrest & Prosecute: FBI, USSS, national police agencies, Interpol.
FBI Operations:
Operation Cyber Loss, May 22, 2001: http://www.fbi.gov/news/pressrel/press-releases/internet-fraud-investigation-operation-cyber-loss (arrests 62 fraudsters).
Operation E-Con, May 16, 2002: http://www.justice.gov/opa/pr/2003/May/03_crm_302.htm (50 arrested, 48 charged, 12 guilty pleas).
Operation Cyber Sweep, November 20, 2003: http://www.justice.gov/opa/pr/2003/November/03_crm_638.htm (125 arrests).
Operation SLAM-Spam, May 20, 2004 (IC3/industry): http://www.fbi.gov/news/testimony/anti-spam-initiatives-on-the-web (identified 100 spammers, targeted 50).
Operation Bot Roast, June 13, 2007: http://www.fbi.gov/news/stories/2007/june/botnet_061307 (Robert Alan Soloway, James C. Brewer, Jason Michael Downey).
Operation Bot Roast II, November 29, 2007: http://www.fbi.gov/news/stories/2007/november/botnet_112907 (3 indictments).
Operation Ghost Click, November 9, 2011: http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911 (six Estonians arrested).
Private operations:
Microsoft/Shadowserver/Symantec Operation b49, Waledac C&C takedown, February 22, 2010.
Microsoft Waledac spam takedown, October 27, 2010.
Microsoft/FireEye Rustock takedown, Operation b107, March 16, 2011: http://www.eweek.com/c/a/Windows/Microsoft-Claims-Rustock-Botnet-Takedown-825397/ (1.1M-1.7M infected machines, hardcoded IPs for C&C).
Microsoft/Kaspersky Kelihos (Waledac 2.0) takedown, September 26, 2011: Microsoft named Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22 as defendants, accused of owning the domain cz.cc and using cz.cc to register other subdomains such as lewgdooi.cz.cc used to operate and control the Kelihos botnet. 41,000 computers. http://blogs.technet.com/b/microsoft_blog/archive/2011/09/27/microsoft-neutralizes-kelihos-botnet-names-defendant-in-case.aspx
Microsoft/F-Secure, etc. Zeus takedown, Operation b71, RICO statutes, March 23, 2012: 13 million Zeus infections, 3 million in U.S. Zeus sold for $700 to $15K for the latest version; source code leaked May 2011 (see Wikipedia). http://www.secureworks.com/research/threats/zeus/?threat=zeus
Crowdstrike/Honeynet Project/SecureWorks/Kaspersky Kelihos v2 takedown, March 29, 2012.
Shadowserver sinkholing (2008): http://www.darkreading.com/security/security-management/211201241/index.html
Trend Micro report on lessons from sinkholing: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__sinkholing-botnets.pdf
Route-based blackholing (or nullrouting)/sinkholing/filtering:
https://tools.ietf.org/rfc/rfc3882.txt
https://tools.ietf.org/html/rfc5635
https://tools.ietf.org/html/draft-ietf-idr-flow-spec-09
Honeynet Project Code of Conduct: https://honeynet.org/codeofconduct
Menlo Report: Ethical Principles Guiding Information and Communication Technology Research: http://www.cyber.st.dhs.gov/wp-content/uploads/2011/12/MenloPrinciplesCORE-20110915-r560.pdf
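The defensive payoff of sinkholing, as the Shadowserver and Trend Micro references above describe it, is that once a C&C domain points at a sinkhole, every host that still tries to reach it identifies itself. The following is an added example (not code from the talk, Shadowserver or Trend Micro) of the review step an enterprise would run on its own resolver logs: it matches queried names against a sinkholed-domain list on label boundaries (so a look-alike name with a longer prefix is not counted) and reports each internal client that queried a sinkholed domain, with per-domain counts. The log format is BIND-style query logging, the domain names are invented placeholders, and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sinkhole list; these names are placeholders for this example,
# not real C&C domains.
SINKHOLED_DOMAINS = {"cc-example.invalid", "bot-update.test"}

# Constructed resolver query-log lines in a BIND-like format (an assumption);
# the last line is deliberately malformed to show it is skipped.
SAMPLE_QUERY_LOG = """\
10-Apr-2012 08:01:22.101 client 10.1.2.3#51234: query: www.example.com IN A +
10-Apr-2012 08:01:23.555 client 10.1.2.3#51240: query: cc-example.invalid IN A +
10-Apr-2012 08:05:10.002 client 10.1.2.9#40001: query: UPDATE.bot-update.test IN A +
10-Apr-2012 08:05:11.300 client 10.1.2.9#40002: query: cc-example.invalid IN A +
10-Apr-2012 08:05:12.900 client 10.1.2.9#40003: query: cc-example.invalid IN A +
10-Apr-2012 08:07:00.000 client 10.1.2.3#51300: query: notcc-example.invalid IN A +
malformed line that should be ignored
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_sinkholed(qname, sinkholed=SINKHOLED_DOMAINS):
    """True if qname is a sinkholed domain or a subdomain of one.

    Comparison is case-insensitive, ignores a trailing dot, and matches only
    on label boundaries, so 'notcc-example.invalid' does NOT match
    'cc-example.invalid' while 'update.bot-update.test' does match
    'bot-update.test'.
    """
    name = qname.lower().rstrip(".")
    for domain in sinkholed:
        if name == domain or name.endswith("." + domain):
            return True
    return False


def infected_hosts(lines, sinkholed=SINKHOLED_DOMAINS):
    """Map each client IP that queried a sinkholed name to {qname: count}.

    Lines that do not look like query-log entries are skipped rather than
    raising, since real resolver logs mix in other message types.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if is_sinkholed(qname, sinkholed):
            hits[m.group("ip")][qname] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


if __name__ == "__main__":
    for ip, counts in sorted(infected_hosts(SAMPLE_QUERY_LOG.splitlines()).items()):
        print(ip, counts)
```

On the sample, 10.1.2.3 is reported once for cc-example.invalid (its query for the look-alike notcc-example.invalid is ignored) and 10.1.2.9 is reported for both sinkholed names, which is the list a responder would hand to the desktop team for cleanup. The same matching logic works against a passive-DNS feed or a sinkhole operator's own connection log.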
Social networks as delivery mechanism: http://www.itworld.com/it-managementstrategy/264648/social-spam-taking-over-internet
Twitter sues top 5 spammers (April 5, 2012): https://mashable.com/2012/04/05/twitter-sues-spammers/
Mobile: iOS safer due to developer accountability (Dan Guido research): https://threatpost.com/en_us/blogs/accountability-not-code-quality-makes-ios-safer-android-042012
Indirect:
CAs: Comodo hacked Mar. 2011, DigiNotar hacked Sep. 2011: http://arstechnica.com/security/news/2011/09/comodo-hacker-i-hacked-diginotar-too-other-cas-breached.ars
GlobalSign hacked Sep. 2011: http://threatpost.com/en_us/blogs/comodo-hacker-claims-credit-diginotar-attack-090611
RSA hacked March 2011: http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/
Sophos partner portal hacked, Apr 6, 2012: http://www.cio.com/article/703694/Sophos_Takes_Down_Partner_Portal_After_Signs_of_Hacking
GOFA opposes use of surveillance and content filtering by governments to promote “Internet freedom.”
CISPA has been criticized on civil liberties grounds, for allowing disclosure of information to the NSA or DOD Cyber Command.
The U.S. is a bit conflicted on what “Internet freedom” means or requires (see, e.g., Evgeny Morozov, The Net Delusion: The Dark Side of Internet Freedom, 2011, PublicAffairs). As the Arizona legislature passes a bill (HB 2549) to expand telephone harassment & stalking statutes to cover online speech, the federal government is condemning censorship by authoritarian governments while also seeking to expand its own ability to monitor.
As botnets become a target for takedown, and if targets of opportunity show any progress in becoming more secure, the methods of choice for state-sponsored actors will filter down to other groups (and surely already have to some extent).