Nishant Agrawal, profile picture
Uploaded byNishant Agrawal
PPT, PDF1,759 views

Fight fire with fire draft

The document discusses the challenges of defending against internet threats, particularly malware and botnets, highlighting the asymmetric nature of the battle between attackers and defenders. It proposes a general-purpose antidote that re-engineers existing malware to detect, infiltrate, and sanitize infected systems, while also reviewing various botnet architectures and their resilience. The authors argue for the necessity of developing more complex and active defensive tools to combat increasingly sophisticated malware and its spread.

Embed presentation

Download to read offline
Fight Fire with Fire: the ultimate active deFense Prepared by Nishant Agrawal Poonam Jha Aakruti Shah 1
Introduction • Internet threats are difficult to defend. • Malware defensive tools use more of ‘Botnets’ • Fighting malware is asymmetric,favouring attackers. • P2P botnets are used as its more resilent • Using re-engineering existing malware, defenders can build antidotes to eradicate spreading functions. • Antidote can be used to monitor on-site activity of the malwares. • Malware families such as Hlux, Sality, Zeus would be most effective approach.
Related work • Rossow (2013) analysis of resilience of botnets by using 3 types of attacks i. Enumeration-gathering information about the topology of the network ii. Sinkholing-mechanism to force bots to non-existing /fake bot peers iii. Partitioning-split the botnet in disjoint, partially unreachable sub-networks. •. Analysis has been conducted on Storm, Waledec, Zeus ,Sality malware families. •. Holz et al (2008) discusses Storm Botnets which exploits Social Engineering and spreads by e- mails. Storm uses Kademlia structured P2P protocol using encrypted messages. •. Stock et al (2009) analyses Waledec which is more decentralized. It is re-engineered to infiltrate the botnet. •. Bureau (2011) discussed the Hlux (Kehlios) botnet which is a successor of Waledac. It uses strong encryption routines and is based on unstructured P2P protocol.
Continue…. • Ormerod et al.(2010) has analysed the first version of Zeus botnet which was based on centralised architecture. • Andriesse and Bos(2013) have analysed the newer P2P version(Gameover) which is based on unstructured P2P protocol and uses strong cryptographic algorithms. • Falliere(2011) has analysed the Sality downloader botnet which is Version 4 which uses hard encoded repository servers URLs and missing verification of executables to install. • Frei.et al (2008), Duebender and Frei(2009) discusses the early patch application for browsers. • Tang et al.(2012) discusses mobile applications. • Khouzani et.al(2012) analyses the importance of patching policies to stem the malware. • Griffin et.al(2009) discusses signature matching for local malware techniques. • Coskun et al.(2010) uses peer traffic for malware analysis.
Approach-Flowchart
Approach taken by the Authors • 2 fundamental basis of this approach: i. It is not limited to the re-engineering of the targeted malware. Here general purpose antidote is created to start the detection phase to infiltrate the infection. ii. It must be the last resort for the defender. The threshold for decision is application dependent as its based on the type of malware targeted. •. Preliminary phase and re-engineering: Its initial phase where active or passive methods are used to obtain malware binary by using reverse engineering activity. Here defenders acquires a deep understanding of the malware protocols and functionalities. Next step is re-engineer the malware by disabling the components and introducing new functionalities to infiltrate and sanitise. •. Spreading: Here the defender has to consider how the targeted malware spreads. It uses 2 aspects:
Approach taken by the Authors i. Exploitation vector: Malware spreads quickly like epidemics for human viruses. It uses the below techniques Use the same In this defender uses the same spreading tools antidote as malware to improve the effectiveness to hit an infected host. Take the advantage of vulnerability in the malware software: In this defender sanitizes infected machine. Taking the advantage of vulnerability in the victim’s host. In this, known vulnerabilities or zero- day vulnerabilities are used by the antidote. Using black-market services: In this defender acts as undercover and buys the downloader. Enumeration and sink holing , If the defender knows enumerating, it can be addressed by the antidote.
Continue… i. Infiltration: If the victim is detected, antidote can be used to infiltrate the malware by overtaking the process, observing and fixing infected files. Here the defender overtakes a running malware binary on the victim’s host and mimic its behavior. •. Detection and Eradicating: Here the general purpose antidote is used to detect and verify a known malware family. Here the antidote is deployed after the initial information gathering about the host and is further checked and depends on the target. •. Patching and Update: In this antidote fixes the known bugs and exploits vulnerabilities by forcing updates and patches application on the victim’s machine to stop an epidemic. Antidotes leverages silent updates, improves the resilience of the victim’s host against the new attacks. Social engineering are difficult to sanitise Antidote can use countermeasures such as blacklisting is known bad-domains and e-mail addresses.
Case-study Approach Applications • 3 Resilient botnets are discussed in the Case study: 1) Zeus P2P & Sality P2P: It leverages the drive by download-by means of browser vulnerabilities or other security flaws. This malware is automatically installed when user drives by infectious website, technique to infect new machines. It uses social engineering to spread. To keep the protocol from further spreading, the antidote can follow the behavior of the on-site malware to remain in the malicious network and acquire information about the infected hosts. 2) Hlux: It exploits a well known Windows vulnerability issue. It has more chances to hit an already infected host. Here the malware doesn’t fix the issue after installing itself on the victim.
Limitations Requires lots of reverse engineering especially for access. Even though techniques exist that are able to detect a malware, encryption are still difficult to defeat Current available techniques are not 100% accurate.
Conclusions • Defenders need to develop more complex tools to oppose and track down the attackers • Active offensive security tools should be used to fight back malware and infections • Improvement of Sality and Zeus P2P should be used to turn a malware binary into antidote
Other Cases Referred • Ability to take over command and control functions of the Storm botnet (was being used to engage in illegal activities worldwide) 1. Botmaster: A Botmaster is a person who controls and commands botnet to do some illegal activities 2. Botclients: A Bot is a victim computer that installed the botnet program by various malware spreading mechanisms. 3. C&C communication protocols: they are protocol that botnets use for communication between botmaster and botclients 4. C&C servers: This component is the coordinator servers between botmaster and botclients.
Botnet life cycle work flow
Continue… • Initial infection : sending email with malware attachments or URL links that leads to a browser exploit • Secondary injection : initiate after the first phase completed , user opens email attachments, the infected computer will download bot binaries from remote servers and automatically install to an exploit machine • Connection: Sometime the connection phase is called “Rallying”. Although the victim machines turn to bots through different mechanisms, finally the new bot clients must connect to the C&C server to register or send some information of zombie machines.
Continue…. • Malicious commands: After connecting to C&C servers, bot clients wait for commands which send by botmaster. If they receive the commands, they will execute and perform the malicious activities to attack the target machines • Maintenance and update: Changing the pattern of malicious activities from time period to random, or change C&C servers addresses
Botnet Architectures
Centralized botnet • To avoid being detected easily and hide their malicious activities from firewall, most of the new centralized botnet are designed by using the HTTP protocol. • They are complexity to classify and detection, since the normal http traffic and botnet http traffic are very similar. • This model is simple to implement, management and control, but there is a single point of failure problem because of C&C server. If they are detected or destroyed, the whole bot clients will be useless or inefficient.
Distributed model
Continue… • This model is designed to solve a single point of failure issue of centralized model. The peer to peer structure is applied in this model of botnets which is more flexible • The concept is the botmaster send commands to more bot clients, and then they deliver the commands to other bots, and each bot clients can act as client and server in the same time thus P2P botnets are more difficult to disable, destroy and shut them down. • Disadvantage of this model is difficult and complex to implement.
Other Papers Referred 1. Trends and challenges of Botnet Architecture and Detection Techniques -- Ritthichai Limarunothai and Mohd Amin Munlin • They explained botnet mechanism along with its components and its life-cycle • Apart from that they also gave botnet detection techniques • Mainly there are two techniques: 1. Honeynet based 2. Intrusion Detection System (IDS) • More advanced techniques are under IDS • Anomaly based One of the best technique to detect unknown botnet attacks compared to other techniques via two steps:
Other Papers Referred • First is training phase in which normal traffic profile is created • Second is anomaly detection phase wherein normal traffic profile is compared with current traffic to find out anomalies. • It identifies new botnets which are unknown. • Data mining based • Anomaly technique can not detect and differentiate between legitimate and benign traffic • Use of data mining based detection technique such as machine learning (ML) is an efficient approach and easily identify botnet traffic. • Combination of anomaly based and data mining based technique would remove their weaknesses and increase their performance.
Questionnaire What is the problem and/or purpose of the research study? • Due to (increasing malware epidemics on internet) / (to wide spread of malicious software on internet), the research proposes to study different malware families, to analyse and evaluate spreading of botnet and its resilience and to develop more intrusive approaches to disrupt them. What significance of the problem, if any, has the investigator identified? • Investigator feels that fighting malware is an asymmetric fight between attackers and defenders. He/she feels that defender should fight with more active and defensive techniques to reduce the threat.
Continue… • Does the paper present a theoretical model? • Yes. The investigator has developed a structured technique General- Purpose Antidote to fight against a botnet. • What concepts are included in the review? • Rossow (2013) Analyses the flexibility of botnets Holz et al. (2008) study e- mails that trick the u ser in installing the malicious software. Holz et al. (2008) present the weakness of protocol, namely, the lack of authentication, used to disrupt the botnet. Stock et al. (2009) analyze this new malware. propagation mechanism is the same, but the architecture changes, in favor of a more decentralized one.
• What are the limitations that discussed in the paper? • The approach discussed by the researcher to fight against malware requires lot of reengineering. He/she feels that detection of malware is simple but to defeat is even more difficult. Currently available techniques do not even show 100 percent accuracy in detection. • What recommendations for future research are stated or implied ? • Attackers can easily develop simple and compact codes to obtain their illegal intents. So defenders have to develop significantly more complex tools to oppose and track down these attackers. Moreover, attackers are improving their malicious software and architectures to be significantly more resilient to take down attempts. For this reasons, in the future, defenders will need active defense and offensive security tools to fight back malware and infections
• Are there other studies with similar findings? Yes. Ritthichai limarunothai and mohd.Amin munlin (2015) , Joseph and Shishir (2016) etc has similar studies. • What are the key results? The use of active defence by the defenders to moderate malware. how botnet works and give an idea to develop the efficient botnet detection system. behavior of real Intel enterprise end-host background traffic and contrast it to real botnet C&C channel activity • Are the results interpreted in the context of the problem/purpose, hypothesis, and theoretical framework/literature reviewed? Yes result are interpreted in the context of the problem and theoretical framework/literature
References • Deibert, R., & Crete-Nishihata, M. (2011). Blurred boundaries: Probing the ethics of cyberspace research. Review of Policy Research, 28(5), 531-537. • Danchev, D. (2009, January 16). Legal concerns stop researchers from disrupting the Storm Worm botnet. ZD Net. • E. Pilli, P. Sharma, S. Tiwari, A Bijalwan, “ Botnet Detection Framework,” International Journal of Computer Applications, Vol. 93, May 2014 • M. A. Rajab, J. Zarfoss, F. Monrose, A. Terzis, “A multifaceted approach to understanding the botnet phenomenon,” Internet Measurement Conference, pp. 41– 52, 2006 • M. Yang, G. Ren, J. Zhang,“ Talk about botnets,” The community communications conference, pp. 629-633, 2006. [4] R. S. Abdullah , M. F. Abdollah, Z. A. Muhamad Noh, M. Z.
Continue… • Limarunothai, R., & Munlin, M. (2015). Trends and Challenges of Botnet Architectures and Detection Techniques. Journal of Information Science & Technology • Mas'ud, S. R. Selamat,R. Yusof, “Revealing the Criterion on Botnet Detection Technique,” IJCSI International Journal of Computer Science, Vol. 10, pp. 208- 215, March 2013 • Rossow, C. (2013), “Using malware analysis to evaluate botnet resilience”, PhD thesis, VU Amsterdam • Stock, B., Goebel, J., Engelberth, M., Freiling, F.C. and Holz, T. (2009), “Walowdac – analysis of a peer-to-peer Botnet”, EC2ND ’09, IEEE, Washington, DC
Fight fire with fire draft

More Related Content

PPTX
Malware Classification and Analysis
byPrashant Chopra
 
PDF
Exploits Attack on Windows Vulnerabilities
byAmit Kumbhar
 
PPT
Software Security (Vulnerabilities) And Physical Security
byNicholas Davis
 
PDF
Classifying IoT malware delivery patterns for attack detection
byFabrizio Farinacci
 
PDF
Project in malware analysis:C2C
byFabrizio Farinacci
 
PPT
NetWitness
byTechBiz Forense Digital
 
PDF
Broadband network virus detection system based on bypass monitor
byUltraUploader
 
PPTX
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
byMatthew J McMahon
 
Malware Classification and Analysis
byPrashant Chopra
 
Exploits Attack on Windows Vulnerabilities
byAmit Kumbhar
 
Software Security (Vulnerabilities) And Physical Security
byNicholas Davis
 
Classifying IoT malware delivery patterns for attack detection
byFabrizio Farinacci
 
Project in malware analysis:C2C
byFabrizio Farinacci
 
NetWitness
byTechBiz Forense Digital
 
Broadband network virus detection system based on bypass monitor
byUltraUploader
 
HCA 530, Week 2, Introduction to cyber threats and opportunities online cours...
byMatthew J McMahon
 

What's hot

PPTX
Virus and its CounterMeasures -- Pruthvi Monarch
byPruthvi Monarch
 
PPTX
Attack on computer
byRabail khan
 
PPTX
Defend Your Company Against Ransomware
byKevo Meehan
 
PPTX
Security and ethics
byArgie242424
 
PPT
list of Deception as well as detection techniques for maleware
byAJAY VISHKARMA
 
PPTX
Network defenses
byPrachi Gulihar
 
PPTX
Ethical Hacking n VAPT presentation by Suvrat jain
bySuvrat Jain
 
PPTX
Cyber intrusion
byKishor Datta Gupta
 
PPT
intruders types ,detection & prevention
byCentral University Of Kashmir
 
PPT
Malware and Modern Propagation Techniques
byJoseph Bugeja
 
PPTX
Web application security part 01
byPrachi Gulihar
 
PDF
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
byIJERA Editor
 
PDF
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
byYasser Mohammed
 
PDF
Practical Incident Response - Work Guide
byEduardo Chavarro
 
PDF
Ddos- distributed denial of service
bylaxmi chandolia
 
PDF
Virus detection based on virus throttle technology
byAhmed Muzammil
 
PPTX
AktaionPPTv5_JZedits
byRod Soto
 
PDF
An email worm vaccine architecture
byUltraUploader
 
DOCX
Malware detection
byssuser1eca7d
 
PDF
Lecture #1: Access Control : Various Cyber attacks and Latest Statistics
byDr. Ramchandra Mangrulkar
 
Virus and its CounterMeasures -- Pruthvi Monarch
byPruthvi Monarch
 
Attack on computer
byRabail khan
 
Defend Your Company Against Ransomware
byKevo Meehan
 
Security and ethics
byArgie242424
 
list of Deception as well as detection techniques for maleware
byAJAY VISHKARMA
 
Network defenses
byPrachi Gulihar
 
Ethical Hacking n VAPT presentation by Suvrat jain
bySuvrat Jain
 
Cyber intrusion
byKishor Datta Gupta
 
intruders types ,detection & prevention
byCentral University Of Kashmir
 
Malware and Modern Propagation Techniques
byJoseph Bugeja
 
Web application security part 01
byPrachi Gulihar
 
Client Honeypot Based Drive by Download Exploit Detection and their Categoriz...
byIJERA Editor
 
EXTERNAL - Whitepaper - How 3 Cyber ThreatsTransform Incident Response 081516
byYasser Mohammed
 
Practical Incident Response - Work Guide
byEduardo Chavarro
 
Ddos- distributed denial of service
bylaxmi chandolia
 
Virus detection based on virus throttle technology
byAhmed Muzammil
 
AktaionPPTv5_JZedits
byRod Soto
 
An email worm vaccine architecture
byUltraUploader
 
Malware detection
byssuser1eca7d
 
Lecture #1: Access Control : Various Cyber attacks and Latest Statistics
byDr. Ramchandra Mangrulkar
 

Similar to Fight fire with fire draft

PDF
Botnet Attacks How They Work and How to Defend Against Them.pdf
byuzair
 
PDF
Tracing Back The Botmaster
byIJERA Editor
 
PPT
Botnets
byrichashri3
 
PDF
Watchtowers of the Internet - Source Boston 2012
byStephan Chenette
 
PDF
Modern Malware and Threats
byMarketingArrowECS_CZ
 
PDF
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
bySam Bowne
 
PDF
Modern malware and threats
byMartin Holovský
 
PPTX
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
byEric Vanderburg
 
PPTX
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
byEric Vanderburg
 
PDF
Untitled document.pdf
bygoogle
 
PDF
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
byEditor IJCATR
 
PDF
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
byIRJET Journal
 
PDF
about botnets
byAlain Bindele
 
PPTX
Botnet Architecture
byBhagath Singh Jayaprakasam
 
PDF
A review botnet detection and suppression in clouds
byAlexander Decker
 
PDF
The Modern Malware Review March 2013
by- Mark - Fullbright
 
PDF
Modern cyber threats_and_how_to_combat_them_panel
byRamsés Gallego
 
PPTX
Rapid malware defenses
byRahul Amabadkar
 
PDF
Botnetsand applications
byUltraUploader
 
PDF
HITB2013AMS Defenting the enterprise, a russian way!
byF _
 
Botnet Attacks How They Work and How to Defend Against Them.pdf
byuzair
 
Tracing Back The Botmaster
byIJERA Editor
 
Botnets
byrichashri3
 
Watchtowers of the Internet - Source Boston 2012
byStephan Chenette
 
Modern Malware and Threats
byMarketingArrowECS_CZ
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
bySam Bowne
 
Modern malware and threats
byMartin Holovský
 
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
byEric Vanderburg
 
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
byEric Vanderburg
 
Untitled document.pdf
bygoogle
 
Malware Hunter: Building an Intrusion Detection System (IDS) to Neutralize Bo...
byEditor IJCATR
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
byIRJET Journal
 
about botnets
byAlain Bindele
 
Botnet Architecture
byBhagath Singh Jayaprakasam
 
A review botnet detection and suppression in clouds
byAlexander Decker
 
The Modern Malware Review March 2013
by- Mark - Fullbright
 
Modern cyber threats_and_how_to_combat_them_panel
byRamsés Gallego
 
Rapid malware defenses
byRahul Amabadkar
 
Botnetsand applications
byUltraUploader
 
HITB2013AMS Defenting the enterprise, a russian way!
byF _
 

More from Nishant Agrawal

PPTX
Purchasing management
byNishant Agrawal
 
PPTX
A Not for Profit Medical Research Center
byNishant Agrawal
 
PPTX
Facility Location Planning
byNishant Agrawal
 
PPT
Production Planning and Control
byNishant Agrawal
 
PPTX
Material resource planning
byNishant Agrawal
 
PPTX
Production and Operations Management
byNishant Agrawal
 
PPTX
Plant Layout
byNishant Agrawal
 
PPTX
Material handling
byNishant Agrawal
 
PPTX
Nokia Beginning to End Story
byNishant Agrawal
 
PPTX
The Consumer Research Process
byNishant Agrawal
 
PPT
Setting Product Strategy
byNishant Agrawal
 
PPTX
Scheduling
byNishant Agrawal
 
PPT
Analyzing Consumer Markets
byNishant Agrawal
 
PPTX
Inventory management
byNishant Agrawal
 
PPT
Identifying Market Segments and Targets
byNishant Agrawal
 
PPTX
Green Supply Chain in Automobile Industry
byNishant Agrawal
 
PPTX
It Happened in India
byNishant Agrawal
 
PPT
Market segmentation
byNishant Agrawal
 
PPT
Analyzing Business Markets
byNishant Agrawal
 
PPT
Crafting the Brand Positioning
byNishant Agrawal
 
Purchasing management
byNishant Agrawal
 
A Not for Profit Medical Research Center
byNishant Agrawal
 
Facility Location Planning
byNishant Agrawal
 
Production Planning and Control
byNishant Agrawal
 
Material resource planning
byNishant Agrawal
 
Production and Operations Management
byNishant Agrawal
 
Plant Layout
byNishant Agrawal
 
Material handling
byNishant Agrawal
 
Nokia Beginning to End Story
byNishant Agrawal
 
The Consumer Research Process
byNishant Agrawal
 
Setting Product Strategy
byNishant Agrawal
 
Scheduling
byNishant Agrawal
 
Analyzing Consumer Markets
byNishant Agrawal
 
Inventory management
byNishant Agrawal
 
Identifying Market Segments and Targets
byNishant Agrawal
 
Green Supply Chain in Automobile Industry
byNishant Agrawal
 
It Happened in India
byNishant Agrawal
 
Market segmentation
byNishant Agrawal
 
Analyzing Business Markets
byNishant Agrawal
 
Crafting the Brand Positioning
byNishant Agrawal
 

Recently uploaded

PPTX
PixelX : Think Design Experience powerpoint presentation
byVinaySiddha
 
PDF
The Industrialisation of Deception: An Analysis of the 2024 Cybercrime Landscape
bykrutivyas2005
 
PPTX
Digital Equity and inclusivity: Librarians connecting the unconnected rural ...
byCONUL Conference
 
PPTX
AI Literacy at UCD Library. Dr Marta Bustillo & Sandra Dunkin, University Col...
byCONUL Conference
 
PPTX
Aligning Ireland’s Open Repository Network by Strengthening Shared Standards ...
byCONUL Conference
 
PPTX
605456209-week-6-ppt-pagbasa.pptxpowerpointpresentation
byDecerrieMerabite
 
PPTX
What’s a Milestone in a Sales Order in Odoo 18
byCeline George
 
PDF
• Reinforcing the Human Firewall: Moving From Awareness to Applied Skill
byAdityarajsinh Gohil
 
PDF
India Cybercrime Threats & Response 2025: Digital Arrests, 1930 Helpline & Ze...
bySanjay Rathod
 
PPTX
Shaping Tomorrow: The Next Chapter for Irish Research Libraries
byCONUL Conference
 
PPTX
Cardiovascular System or The Details of Heart.pptx
byAshish Umale
 
PPTX
Empowering Equality: The Athena Swan Journey at Maynooth University Library. ...
byCONUL Conference
 
PPTX
Well on our way – Rolling out a wellbeing programme at the Radcliffe Science ...
byCONUL Conference
 
PPTX
English 8 Q3 Wk6.pptx prewriting opinion editorial article
byjacquelyncastre03
 
PPTX
To Stand in Another’s Shoes: Using Archives, History and Performance to Enhan...
byCONUL Conference
 
PDF
The Scientific Research Lifecycle From Concept to Publication.pdf
byMuhammad Fahad Bashir
 
PPTX
CHAPTER NO. 05 BIOLOGICAL SOURCE,CHEMICAL CONSTITUENTS AND THERAPEUTIC EFFICA...
byGanu Gavade
 
PDF
BÀI TẬP TEST BỔ TRỢ THEO TỪNG CHỦ ĐỀ CỦA TỪNG UNIT KÈM BÀI TẬP NGHE - TIẾNG A...
byNguyen Thanh Tu Collection
 
PDF
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
byNguyen Thanh Tu Collection
 
PPTX
Non aqueous titration First Year B. Pharm.pptx
byMs. Ashatai Patil
 
PixelX : Think Design Experience powerpoint presentation
byVinaySiddha
 
The Industrialisation of Deception: An Analysis of the 2024 Cybercrime Landscape
bykrutivyas2005
 
Digital Equity and inclusivity: Librarians connecting the unconnected rural ...
byCONUL Conference
 
AI Literacy at UCD Library. Dr Marta Bustillo & Sandra Dunkin, University Col...
byCONUL Conference
 
Aligning Ireland’s Open Repository Network by Strengthening Shared Standards ...
byCONUL Conference
 
605456209-week-6-ppt-pagbasa.pptxpowerpointpresentation
byDecerrieMerabite
 
What’s a Milestone in a Sales Order in Odoo 18
byCeline George
 
• Reinforcing the Human Firewall: Moving From Awareness to Applied Skill
byAdityarajsinh Gohil
 
India Cybercrime Threats & Response 2025: Digital Arrests, 1930 Helpline & Ze...
bySanjay Rathod
 
Shaping Tomorrow: The Next Chapter for Irish Research Libraries
byCONUL Conference
 
Cardiovascular System or The Details of Heart.pptx
byAshish Umale
 
Empowering Equality: The Athena Swan Journey at Maynooth University Library. ...
byCONUL Conference
 
Well on our way – Rolling out a wellbeing programme at the Radcliffe Science ...
byCONUL Conference
 
English 8 Q3 Wk6.pptx prewriting opinion editorial article
byjacquelyncastre03
 
To Stand in Another’s Shoes: Using Archives, History and Performance to Enhan...
byCONUL Conference
 
The Scientific Research Lifecycle From Concept to Publication.pdf
byMuhammad Fahad Bashir
 
CHAPTER NO. 05 BIOLOGICAL SOURCE,CHEMICAL CONSTITUENTS AND THERAPEUTIC EFFICA...
byGanu Gavade
 
BÀI TẬP TEST BỔ TRỢ THEO TỪNG CHỦ ĐỀ CỦA TỪNG UNIT KÈM BÀI TẬP NGHE - TIẾNG A...
byNguyen Thanh Tu Collection
 
BÀI TẬP BỔ TRỢ 4 KỸ NĂNG TIẾNG ANH 9 GLOBAL SUCCESS - CẢ NĂM - BÁM SÁT FORM Đ...
byNguyen Thanh Tu Collection
 
Non aqueous titration First Year B. Pharm.pptx
byMs. Ashatai Patil
 

Fight fire with fire draft

  • 1.
    Fight Fire withFire: the ultimate active deFense Prepared by Nishant Agrawal Poonam Jha Aakruti Shah 1
  • 2.
    Introduction • Internet threatsare difficult to defend. • Malware defensive tools use more of ‘Botnets’ • Fighting malware is asymmetric,favouring attackers. • P2P botnets are used as its more resilent • Using re-engineering existing malware, defenders can build antidotes to eradicate spreading functions. • Antidote can be used to monitor on-site activity of the malwares. • Malware families such as Hlux, Sality, Zeus would be most effective approach.
  • 3.
    Related work • Rossow(2013) analysis of resilience of botnets by using 3 types of attacks i. Enumeration-gathering information about the topology of the network ii. Sinkholing-mechanism to force bots to non-existing /fake bot peers iii. Partitioning-split the botnet in disjoint, partially unreachable sub-networks. •. Analysis has been conducted on Storm, Waledec, Zeus ,Sality malware families. •. Holz et al (2008) discusses Storm Botnets which exploits Social Engineering and spreads by e- mails. Storm uses Kademlia structured P2P protocol using encrypted messages. •. Stock et al (2009) analyses Waledec which is more decentralized. It is re-engineered to infiltrate the botnet. •. Bureau (2011) discussed the Hlux (Kehlios) botnet which is a successor of Waledac. It uses strong encryption routines and is based on unstructured P2P protocol.
  • 4.
    Continue…. • Ormerod etal.(2010) has analysed the first version of Zeus botnet which was based on centralised architecture. • Andriesse and Bos(2013) have analysed the newer P2P version(Gameover) which is based on unstructured P2P protocol and uses strong cryptographic algorithms. • Falliere(2011) has analysed the Sality downloader botnet which is Version 4 which uses hard encoded repository servers URLs and missing verification of executables to install. • Frei.et al (2008), Duebender and Frei(2009) discusses the early patch application for browsers. • Tang et al.(2012) discusses mobile applications. • Khouzani et.al(2012) analyses the importance of patching policies to stem the malware. • Griffin et.al(2009) discusses signature matching for local malware techniques. • Coskun et al.(2010) uses peer traffic for malware analysis.
  • 5.
  • 6.
    Approach taken bythe Authors • 2 fundamental basis of this approach: i. It is not limited to the re-engineering of the targeted malware. Here general purpose antidote is created to start the detection phase to infiltrate the infection. ii. It must be the last resort for the defender. The threshold for decision is application dependent as its based on the type of malware targeted. •. Preliminary phase and re-engineering: Its initial phase where active or passive methods are used to obtain malware binary by using reverse engineering activity. Here defenders acquires a deep understanding of the malware protocols and functionalities. Next step is re-engineer the malware by disabling the components and introducing new functionalities to infiltrate and sanitise. •. Spreading: Here the defender has to consider how the targeted malware spreads. It uses 2 aspects:
  • 7.
    Approach taken bythe Authors i. Exploitation vector: Malware spreads quickly like epidemics for human viruses. It uses the below techniques Use the same In this defender uses the same spreading tools antidote as malware to improve the effectiveness to hit an infected host. Take the advantage of vulnerability in the malware software: In this defender sanitizes infected machine. Taking the advantage of vulnerability in the victim’s host. In this, known vulnerabilities or zero- day vulnerabilities are used by the antidote. Using black-market services: In this defender acts as undercover and buys the downloader. Enumeration and sink holing , If the defender knows enumerating, it can be addressed by the antidote.
  • 8.
    Continue… i. Infiltration: Ifthe victim is detected, antidote can be used to infiltrate the malware by overtaking the process, observing and fixing infected files. Here the defender overtakes a running malware binary on the victim’s host and mimic its behavior. •. Detection and Eradicating: Here the general purpose antidote is used to detect and verify a known malware family. Here the antidote is deployed after the initial information gathering about the host and is further checked and depends on the target. •. Patching and Update: In this antidote fixes the known bugs and exploits vulnerabilities by forcing updates and patches application on the victim’s machine to stop an epidemic. Antidotes leverages silent updates, improves the resilience of the victim’s host against the new attacks. Social engineering are difficult to sanitise Antidote can use countermeasures such as blacklisting is known bad-domains and e-mail addresses.
  • 9.
    Case-study Approach Applications •3 Resilient botnets are discussed in the Case study: 1) Zeus P2P & Sality P2P: It leverages the drive by download-by means of browser vulnerabilities or other security flaws. This malware is automatically installed when user drives by infectious website, technique to infect new machines. It uses social engineering to spread. To keep the protocol from further spreading, the antidote can follow the behavior of the on-site malware to remain in the malicious network and acquire information about the infected hosts. 2) Hlux: It exploits a well known Windows vulnerability issue. It has more chances to hit an already infected host. Here the malware doesn’t fix the issue after installing itself on the victim.
  • 10.
    Limitations Requires lots ofreverse engineering especially for access. Even though techniques exist that are able to detect a malware, encryption are still difficult to defeat Current available techniques are not 100% accurate.
  • 11.
    Conclusions • Defenders needto develop more complex tools to oppose and track down the attackers • Active offensive security tools should be used to fight back malware and infections • Improvement of Sality and Zeus P2P should be used to turn a malware binary into antidote
  • 12.
    Other Cases Referred •Ability to take over command and control functions of the Storm botnet (was being used to engage in illegal activities worldwide) 1. Botmaster: A Botmaster is a person who controls and commands botnet to do some illegal activities 2. Botclients: A Bot is a victim computer that installed the botnet program by various malware spreading mechanisms. 3. C&C communication protocols: they are protocol that botnets use for communication between botmaster and botclients 4. C&C servers: This component is the coordinator servers between botmaster and botclients.
  • 13.
  • 14.
    Continue… • Initial infection: sending email with malware attachments or URL links that leads to a browser exploit • Secondary injection : initiate after the first phase completed , user opens email attachments, the infected computer will download bot binaries from remote servers and automatically install to an exploit machine • Connection: Sometime the connection phase is called “Rallying”. Although the victim machines turn to bots through different mechanisms, finally the new bot clients must connect to the C&C server to register or send some information of zombie machines.
  • 15.
    Continue…. • Malicious commands:After connecting to C&C servers, bot clients wait for commands which send by botmaster. If they receive the commands, they will execute and perform the malicious activities to attack the target machines • Maintenance and update: Changing the pattern of malicious activities from time period to random, or change C&C servers addresses
  • 16.
  • 17.
    Centralized botnet • Toavoid being detected easily and hide their malicious activities from firewall, most of the new centralized botnet are designed by using the HTTP protocol. • They are complexity to classify and detection, since the normal http traffic and botnet http traffic are very similar. • This model is simple to implement, management and control, but there is a single point of failure problem because of C&C server. If they are detected or destroyed, the whole bot clients will be useless or inefficient.
  • 18.
  • 19.
    Continue… • This modelis designed to solve a single point of failure issue of centralized model. The peer to peer structure is applied in this model of botnets which is more flexible • The concept is the botmaster send commands to more bot clients, and then they deliver the commands to other bots, and each bot clients can act as client and server in the same time thus P2P botnets are more difficult to disable, destroy and shut them down. • Disadvantage of this model is difficult and complex to implement.
  • 20.
    Other Papers Referred 1.Trends and challenges of Botnet Architecture and Detection Techniques -- Ritthichai Limarunothai and Mohd Amin Munlin • They explained botnet mechanism along with its components and its life-cycle • Apart from that they also gave botnet detection techniques • Mainly there are two techniques: 1. Honeynet based 2. Intrusion Detection System (IDS) • More advanced techniques are under IDS • Anomaly based One of the best technique to detect unknown botnet attacks compared to other techniques via two steps:
  • 21.
    Other Papers Referred •First is training phase in which normal traffic profile is created • Second is anomaly detection phase wherein normal traffic profile is compared with current traffic to find out anomalies. • It identifies new botnets which are unknown. • Data mining based • Anomaly technique can not detect and differentiate between legitimate and benign traffic • Use of data mining based detection technique such as machine learning (ML) is an efficient approach and easily identify botnet traffic. • Combination of anomaly based and data mining based technique would remove their weaknesses and increase their performance.
  • 22.
    Questionnaire What is theproblem and/or purpose of the research study? • Due to (increasing malware epidemics on internet) / (to wide spread of malicious software on internet), the research proposes to study different malware families, to analyse and evaluate spreading of botnet and its resilience and to develop more intrusive approaches to disrupt them. What significance of the problem, if any, has the investigator identified? • Investigator feels that fighting malware is an asymmetric fight between attackers and defenders. He/she feels that defender should fight with more active and defensive techniques to reduce the threat.
  • 23.
    Continue… • Does thepaper present a theoretical model? • Yes. The investigator has developed a structured technique General- Purpose Antidote to fight against a botnet. • What concepts are included in the review? • Rossow (2013) Analyses the flexibility of botnets Holz et al. (2008) study e- mails that trick the u ser in installing the malicious software. Holz et al. (2008) present the weakness of protocol, namely, the lack of authentication, used to disrupt the botnet. Stock et al. (2009) analyze this new malware. propagation mechanism is the same, but the architecture changes, in favor of a more decentralized one.
  • 24.
    • What arethe limitations that discussed in the paper? • The approach discussed by the researcher to fight against malware requires lot of reengineering. He/she feels that detection of malware is simple but to defeat is even more difficult. Currently available techniques do not even show 100 percent accuracy in detection. • What recommendations for future research are stated or implied ? • Attackers can easily develop simple and compact codes to obtain their illegal intents. So defenders have to develop significantly more complex tools to oppose and track down these attackers. Moreover, attackers are improving their malicious software and architectures to be significantly more resilient to take down attempts. For this reasons, in the future, defenders will need active defense and offensive security tools to fight back malware and infections
  • 25.
    • Are thereother studies with similar findings? Yes. Ritthichai limarunothai and mohd.Amin munlin (2015) , Joseph and Shishir (2016) etc has similar studies. • What are the key results? The use of active defence by the defenders to moderate malware. how botnet works and give an idea to develop the efficient botnet detection system. behavior of real Intel enterprise end-host background traffic and contrast it to real botnet C&C channel activity • Are the results interpreted in the context of the problem/purpose, hypothesis, and theoretical framework/literature reviewed? Yes result are interpreted in the context of the problem and theoretical framework/literature
  • 26.
    References • Deibert, R.,& Crete-Nishihata, M. (2011). Blurred boundaries: Probing the ethics of cyberspace research. Review of Policy Research, 28(5), 531-537. • Danchev, D. (2009, January 16). Legal concerns stop researchers from disrupting the Storm Worm botnet. ZD Net. • E. Pilli, P. Sharma, S. Tiwari, A Bijalwan, “ Botnet Detection Framework,” International Journal of Computer Applications, Vol. 93, May 2014 • M. A. Rajab, J. Zarfoss, F. Monrose, A. Terzis, “A multifaceted approach to understanding the botnet phenomenon,” Internet Measurement Conference, pp. 41– 52, 2006 • M. Yang, G. Ren, J. Zhang,“ Talk about botnets,” The community communications conference, pp. 629-633, 2006. [4] R. S. Abdullah , M. F. Abdollah, Z. A. Muhamad Noh, M. Z.
  • 27.
    Continue… • Limarunothai, R.,& Munlin, M. (2015). Trends and Challenges of Botnet Architectures and Detection Techniques. Journal of Information Science & Technology • Mas'ud, S. R. Selamat,R. Yusof, “Revealing the Criterion on Botnet Detection Technique,” IJCSI International Journal of Computer Science, Vol. 10, pp. 208- 215, March 2013 • Rossow, C. (2013), “Using malware analysis to evaluate botnet resilience”, PhD thesis, VU Amsterdam • Stock, B., Goebel, J., Engelberth, M., Freiling, F.C. and Holz, T. (2009), “Walowdac – analysis of a peer-to-peer Botnet”, EC2ND ’09, IEEE, Washington, DC