SlideShare a Scribd company logo

Richard Kemmerer Keynote icsm11

ICSM 2011
ICSM 2011

This document summarizes research on the Torpig botnet conducted by security researchers at UC Santa Barbara. The researchers were able to take control ("sinkhole") the botnet's command and control servers for about 10 days by registering domains the bots were programmed to contact. This allowed observation and data collection from over 180,000 infected machines. The data revealed theft of thousands of financial accounts and other personal information, as well as potential for large-scale denial of service attacks and privacy threats from compromised devices. Repatriating stolen information to financial institutions and working with law enforcement presented challenges.

TechnologyBusiness
1 of 30
Download to read offline
How to Steal a Botnet and What Can Happen When You Do Richard A. Kemmerer Security Group Department of Computer Science University of California, Santa Barbara kemm@cs.ucsb.edu ICSM 2011 September 27, 2011
Botnet Terminology UC Santa Barbara • Bot – an application that performs some action or set of actions on behalf of a remote controller – installed on a victim machine (zombie) – modular (plug in your functionality/exploit/payload) • Botnet – network of infected machines controlled by a malicious entity • Control channel – required to send commands to bots and obtain results and status messages – usually via IRC, HTTP, HTTPs, or Peer-to-Peer • Bot Herder – aka botmaster or controller – owns control channel, sends commands to botnet army – motivations are usually power or money 2
Torpig UC Santa Barbara • Trojan horse – distributed via the Mebroot “malware platform” – injects itself into 29 different applications as DLL – steals sensitive information (passwords, HTTP POST data) – HTTP injection for phishing – uses “encrypted” HTTP as C&C protocol – uses domain flux to locate C&C server • Mebroot – spreads via drive-by downloads – sophisticated rootkit (overwrites master boot record) 3
Torpig: Behind the scenes UC Santa Barbara s and Mebroot C&C mm Co orpig +t “Hacked” web servers STOLE N DAT A nlo ad Innocent victim ow o ot d M ebr Torpig C&C “Drive-By Download” server Injection server 4
Torpig HTML Injection UC Santa Barbara • Domains of interest (~300) stored in configuration file • When domain of interest visited – Torpig issues request to injection server – server specifies a trigger page on target domain and a URL on injection server to be visited when user visits trigger page • When user visits the trigger page – Torpig requests injection URL from injection server – Torpig injects the returned content into the user’s browser • Content is usually html phishing form that asks for sensitive data – reproduces look and style of target web site 5
Example Phishing Page UC Santa Barbara 6
Example Phishing Page UC Santa Barbara 7
Domain Flux UC Santa Barbara • Taking down a single bot has little effect on botmaster • C&C servers are vulnerable to take down – if you use a static IP address, people will block or remove host – if you use a DNS name, people will block or remove domain name • Domain flux – idea is to have bots periodically generate new C&C domain names – often, use local date (system time) as input – botmaster needs to register one of these domains and respond properly so that bots recognize valid C&C server – defenders must register all domains to take down botnet 8
Torpig Domain Flux UC Santa Barbara • Each bot has – same domain generation algorithm (DGA) – three fixed domains to be used if all else fails • DGA generates – weekly domain name (wd) – daily domain name (dd) • Every 20 minutes bot attempts to connect (in order) to – wd.com, wd.net, wd.biz – if all three fail, then dd.com, dd.net, dd.biz – if they also fail, then the three fixed domains • Criminals normally registered wd.com (and wd.net) 9
Sinkholing Torpig C&C Overview UC Santa Barbara • Reverse engineered name generation algorithm and C&C protocol • Observed that domains for 01/25 – 02/15 unregistered • Registered these domains ourselves • Unfortunately, Mebroot pushed new Torpig binary on 02/04 • We controlled the botnet for ~10 days • Data – 8.7 GB Apache logs – 69 GB pcap data (contains stolen information) 10
Sinkholing Torpig C&C UC Santa Barbara • Purchased hosting from two different hosting providers known to be unresponsive to complaints • Registered wd.com and wd.net with two different registrars – One was suspended 01/31 due to abuse complaint • Set up Apache web servers to receive bot requests • Recorded all network traffic • Automatically downloaded and removed data from our hosting providers • Enabled hosts a week early – immediately received data from 359 infected machines 11
Data Collection Principles UC Santa Barbara • Principle 1: the sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized – always responded with okn message – never sent new/blank configuration file – removed data from servers regularly – stored data offline in encrypted form • Principle 2: the sinkholed botnet should collect enough information to enable notification and remediation of affected parties – worked with law enforcement (FBI and DoD Cybercrime units) – worked with bank security officers – worked with ISPs 12
Data Collection UC Santa Barbara • Bot connects to Torpig C&C every 20 minutes via HTTP POST • Sends a header – timestamp, IP address, proxy ports, OS version, locale, nid, Torpig build and version number • nid – 8 byte value, used for encrypting header and data – derived from hard disk information or volume serial number – serves as a convenient, unique identifier – allows one to detect VMware machines • Optional body data – stolen information (accounts, browser data, …) 13
Size Estimation UC Santa Barbara • Count number of infections – usually based on unique IP addresses – problematic: DHCP and NAT effects (we saw 1.2M unique IPs) – our count based on header information: ~180K hosts (nids) seen Average 4,690 new IPs Average 705 new nids 14
Size Estimation UC Santa Barbara • Cummulative number of infections – linear for unique IP addresses – decayed quickly for unique nids – more than 75% of unique nids were observed in first 48 hours 15
Threats UC Santa Barbara • Theft of financial data • Denial of service • Proxy servers • Privacy threats 16
Threats: Theft of Financial Information UC Santa Barbara • 8,310 unique accounts from 410 financial institutions – Top 10: PayPal (1,770), Poste Italiane, Capital One, E*Trade, Chase, Bank of America, UniCredit, Postbank, Scottrade, Wells Fargo – 38% of credentials stolen from browser’s password manager • 1,660 credit cards – Top 5: Visa (1,056), Mastercard, American Express, Maestro, Discover – US (49%), Italy (12%), Spain (8%) – typically, one CC per victim, but there are exceptions … 17
Value of the Financial Information UC Santa Barbara • Symantec [2008] estimates – Credit card value at $.10 to $25.00 – Bank account at $10.00 to $1,000.00 • Using Symantec estimates,10 days of Torpig data valued at $83K to $8.3M 18
Threats: Denial of Service UC Santa Barbara • More than 60,000 active hosts at any given time • Determine network speed from ip2location DB – cable and DSL make up 65% of infected hosts – used 435 kbps conservative upstream bandwidth – yields greater than 17 Gbps just from DSL/cable – corporate networks make up 22% of infected hosts • Potential for a massive DDOS attack 19
Threats: Proxy Servers UC Santa Barbara • Torpig opens SOCKS and HTTP proxy • 20% of infected machines are publicly reachable • Only 2.45% of those marked by Spamhaus blacklist • Could be abused for spamming 20
Threats: Privacy UC Santa Barbara • Web mail, web chat, and forum messages • Focused on 6,542 messages in English that were 250 characters or longer • Zeitgeist of the Torpig network – 14% are about jobs/resumes – 7% discuss money – 6% are sports fans – 5% prepare for exams and worry about grades – 4% partners/sex online • Online security is a concern, but think they are clean – 10% specifically mention security/malware 21
Password Analysis UC Santa Barbara • 297,962 unique credentials used on 368,501 web sites (domains) – mostly web mail (Google, live, Yahoo) and social networking sites (Facebook, MySpace, netlog.com) – 28% of the victims reused their password on multiple domains • Used John the Ripper to assess the strength of the passwords – 173,686 unique passwords – 56,000 in < 65 minutes using permutation, substitution, etc. – 14,000 in next 10 minutes using large wordlist (i.e., 40% cracked in less than 75 minutes) – another 30,000 in next 24 hours 22
Password Analysis UC Santa Barbara 23
What about? UC Santa Barbara • Criminal retribution • Law enforcement • Repatriating the data • Ethics, IRB, etc. 24
Criminal Retribution UC Santa Barbara • Big concern on January 25 – are the criminals going to come to get us? • More realistically - when will they DDOS our servers? • Biggest question – why did it take them 10 days to download a new DGA? 25
Law Enforcement UC Santa Barbara • We needed to inform law enforcement about this – who do we notify? – need someone knowledgeable so they don’t shut us down • How do we get a hold of law enforcement? – US CERT gives you a form to fill out – contacted David Dagon at Ga Tech and got FBI contact – contacted FBI cybercrime unit – also contacted DoD defense criminal investigative services • FBI was very good to work with and gave us lots of contacts for repatriation 26
Repatriating the Data UC Santa Barbara • 8,310 accounts from 410 financial institutions • 1,660 credit cards from various financial institutions • Need to mine the information from the raw data files • Cannot just cold call a bank and say I have information that you might want, send me your BINs • Need introductions from trusted individuals or groups • FBI and National Cyber-Forensics and Training Alliance (NCFTA) were very helpful – leads to individuals who could handle an entire country 27
Ethics UC Santa Barbara • Recall Principle 1: the sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized • Collected sensitive data that potentially could threaten the privacy of victims • Should emails be viewed at all? • What about IRB approval? – not working with human subjects, why would we need it? – we didn’t plan on getting this kind of data – any data that can be used to identify an individual needs IRB 28
Conclusions UC Santa Barbara • Unique opportunity to understand – potential for profit and malicious activity of botnet’s creators – characteristics of botnet victims • Previous evaluations of botnet sizes based on distinct IPs may be grossly overestimated • Botnet victims are users with poorly maintained machines and choose easily guessable passwords to protect sensitive data • Interacting with registrars, hosting facilities, victim institutions, and law enforcement can be a complicated process • Papers: http://seclab.cs.ucsb.edu/media/uploads/papers/torpig.pdf http://seclab.cs.ucsb.edu/media/uploads/papers/torpig_spmag11.pdf 29
Credits UC Santa Barbara • Brett Stone-Gross • Marco Cova • Lorenzo Cavallaro • Bob Gilbert • Martin Szydlowski • Richard Kemmerer • Chris Kruegel • Giovanni Vigna 30

Recommended

Postdoc Symposium - Abram Hindle
Postdoc Symposium - Abram HindlePostdoc Symposium - Abram Hindle
Postdoc Symposium - Abram Hindle
ICSM 2011
 
Metrics - You can't control the unfamiliar
Metrics - You can't control the unfamiliarMetrics - You can't control the unfamiliar
Metrics - You can't control the unfamiliar
ICSM 2011
 
ERA Poster - Measuring Disruption from Software Evolution Activities Using Gr...
ERA Poster - Measuring Disruption from Software Evolution Activities Using Gr...ERA Poster - Measuring Disruption from Software Evolution Activities Using Gr...
ERA Poster - Measuring Disruption from Software Evolution Activities Using Gr...
ICSM 2011
 
Industry - Evolution and migration - Incremental and Iterative Reengineering ...
Industry - Evolution and migration - Incremental and Iterative Reengineering ...Industry - Evolution and migration - Incremental and Iterative Reengineering ...
Industry - Evolution and migration - Incremental and Iterative Reengineering ...
ICSM 2011
 
Natural Language Analysis - Mining Java Class Naming Conventions
Natural Language Analysis - Mining Java Class Naming ConventionsNatural Language Analysis - Mining Java Class Naming Conventions
Natural Language Analysis - Mining Java Class Naming Conventions
ICSM 2011
 
Industry - Testing & Quality Assurance in Data Migration Projects
Industry - Testing & Quality Assurance in Data Migration Projects Industry - Testing & Quality Assurance in Data Migration Projects
Industry - Testing & Quality Assurance in Data Migration Projects
ICSM 2011
 
ERA - Tracking Technical Debt
ERA - Tracking Technical DebtERA - Tracking Technical Debt
ERA - Tracking Technical Debt
ICSM 2011
 
Reliability and Quality - Predicting post-release defects using pre-release f...
Reliability and Quality - Predicting post-release defects using pre-release f...Reliability and Quality - Predicting post-release defects using pre-release f...
Reliability and Quality - Predicting post-release defects using pre-release f...
ICSM 2011
 

Recommended

Postdoc Symposium - Abram Hindle
Postdoc Symposium - Abram HindlePostdoc Symposium - Abram Hindle
Postdoc Symposium - Abram Hindle
ICSM 2011
 
Metrics - You can't control the unfamiliar
Metrics - You can't control the unfamiliarMetrics - You can't control the unfamiliar
Metrics - You can't control the unfamiliar
ICSM 2011
 
ERA Poster - Measuring Disruption from Software Evolution Activities Using Gr...
ERA Poster - Measuring Disruption from Software Evolution Activities Using Gr...ERA Poster - Measuring Disruption from Software Evolution Activities Using Gr...
ERA Poster - Measuring Disruption from Software Evolution Activities Using Gr...
ICSM 2011
 
Industry - Evolution and migration - Incremental and Iterative Reengineering ...
Industry - Evolution and migration - Incremental and Iterative Reengineering ...Industry - Evolution and migration - Incremental and Iterative Reengineering ...
Industry - Evolution and migration - Incremental and Iterative Reengineering ...
ICSM 2011
 
Natural Language Analysis - Mining Java Class Naming Conventions
Natural Language Analysis - Mining Java Class Naming ConventionsNatural Language Analysis - Mining Java Class Naming Conventions
Natural Language Analysis - Mining Java Class Naming Conventions
ICSM 2011
 
Industry - Testing & Quality Assurance in Data Migration Projects
Industry - Testing & Quality Assurance in Data Migration Projects Industry - Testing & Quality Assurance in Data Migration Projects
Industry - Testing & Quality Assurance in Data Migration Projects
ICSM 2011
 
ERA - Tracking Technical Debt
ERA - Tracking Technical DebtERA - Tracking Technical Debt
ERA - Tracking Technical Debt
ICSM 2011
 
Reliability and Quality - Predicting post-release defects using pre-release f...
Reliability and Quality - Predicting post-release defects using pre-release f...Reliability and Quality - Predicting post-release defects using pre-release f...
Reliability and Quality - Predicting post-release defects using pre-release f...
ICSM 2011
 
Impact Analysis - ImpactScale: Quantifying Change Impact to Predict Faults in...
Impact Analysis - ImpactScale: Quantifying Change Impact to Predict Faults in...Impact Analysis - ImpactScale: Quantifying Change Impact to Predict Faults in...
Impact Analysis - ImpactScale: Quantifying Change Impact to Predict Faults in...
ICSM 2011
 
Industry - The Evolution of Information Systems. A Case Study on Document Man...
Industry - The Evolution of Information Systems. A Case Study on Document Man...Industry - The Evolution of Information Systems. A Case Study on Document Man...
Industry - The Evolution of Information Systems. A Case Study on Document Man...
ICSM 2011
 
Components - Crossing the Boundaries while Analyzing Heterogeneous Component-...
Components - Crossing the Boundaries while Analyzing Heterogeneous Component-...Components - Crossing the Boundaries while Analyzing Heterogeneous Component-...
Components - Crossing the Boundaries while Analyzing Heterogeneous Component-...
ICSM 2011
 
ERA - Measuring Disruption from Software Evolution Activities Using Graph-Bas...
ERA - Measuring Disruption from Software Evolution Activities Using Graph-Bas...ERA - Measuring Disruption from Software Evolution Activities Using Graph-Bas...
ERA - Measuring Disruption from Software Evolution Activities Using Graph-Bas...
ICSM 2011
 
Faults and Regression Testing - Fault interaction and its repercussions
Faults and Regression Testing - Fault interaction and its repercussionsFaults and Regression Testing - Fault interaction and its repercussions
Faults and Regression Testing - Fault interaction and its repercussions
ICSM 2011
 
Components - Graph Based Detection of Library API Limitations
Components - Graph Based Detection of Library API LimitationsComponents - Graph Based Detection of Library API Limitations
Components - Graph Based Detection of Library API Limitations
ICSM 2011
 
Natural Language Analysis - Expanding Identifiers to Normalize Source Code Vo...
Natural Language Analysis - Expanding Identifiers to Normalize Source Code Vo...Natural Language Analysis - Expanding Identifiers to Normalize Source Code Vo...
Natural Language Analysis - Expanding Identifiers to Normalize Source Code Vo...
ICSM 2011
 
Tutorial 2 - Practical Combinatorial (t-way) Methods for Detecting Complex Fa...
Tutorial 2 - Practical Combinatorial (t-way) Methods for Detecting Complex Fa...Tutorial 2 - Practical Combinatorial (t-way) Methods for Detecting Complex Fa...
Tutorial 2 - Practical Combinatorial (t-way) Methods for Detecting Complex Fa...
ICSM 2011
 
Industry - Precise Detection of Un-Initialized Variables in Large, Real-life ...
Industry - Precise Detection of Un-Initialized Variables in Large, Real-life ...Industry - Precise Detection of Un-Initialized Variables in Large, Real-life ...
Industry - Precise Detection of Un-Initialized Variables in Large, Real-life ...
ICSM 2011
 
Migration and Refactoring - Identifying Overly Strong Conditions in Refactori...
Migration and Refactoring - Identifying Overly Strong Conditions in Refactori...Migration and Refactoring - Identifying Overly Strong Conditions in Refactori...
Migration and Refactoring - Identifying Overly Strong Conditions in Refactori...
ICSM 2011
 
Lionel Briand ICSM 2011 Keynote
Lionel Briand ICSM 2011 KeynoteLionel Briand ICSM 2011 Keynote
Lionel Briand ICSM 2011 Keynote
ICSM 2011
 
Traceability - Structural Conformance Checking with Design Tests: An Evaluati...
Traceability - Structural Conformance Checking with Design Tests: An Evaluati...Traceability - Structural Conformance Checking with Design Tests: An Evaluati...
Traceability - Structural Conformance Checking with Design Tests: An Evaluati...
ICSM 2011
 
Metrics - Using Source Code Metrics to Predict Change-Prone Java Interfaces
Metrics - Using Source Code Metrics to Predict Change-Prone Java InterfacesMetrics - Using Source Code Metrics to Predict Change-Prone Java Interfaces
Metrics - Using Source Code Metrics to Predict Change-Prone Java Interfaces
ICSM 2011
 
ERA - Clustering and Recommending Collections of Code Relevant to Task
ERA - Clustering and Recommending Collections of Code Relevant to TaskERA - Clustering and Recommending Collections of Code Relevant to Task
ERA - Clustering and Recommending Collections of Code Relevant to Task
ICSM 2011
 
Industry - Relating Developers' Concepts and Artefact Vocabulary in a Financ...
Industry - Relating Developers' Concepts and Artefact Vocabulary in a Financ...Industry - Relating Developers' Concepts and Artefact Vocabulary in a Financ...
Industry - Relating Developers' Concepts and Artefact Vocabulary in a Financ...
ICSM 2011
 
Postdoc symposium - A Logic Meta-Programming Foundation for Example-Driven Pa...
Postdoc symposium - A Logic Meta-Programming Foundation for Example-Driven Pa...Postdoc symposium - A Logic Meta-Programming Foundation for Example-Driven Pa...
Postdoc symposium - A Logic Meta-Programming Foundation for Example-Driven Pa...
ICSM 2011
 
Dynamic Analysis - SCOTCH: Improving Test-to-Code Traceability using Slicing ...
Dynamic Analysis - SCOTCH: Improving Test-to-Code Traceability using Slicing ...Dynamic Analysis - SCOTCH: Improving Test-to-Code Traceability using Slicing ...
Dynamic Analysis - SCOTCH: Improving Test-to-Code Traceability using Slicing ...
ICSM 2011
 
ERA - A Comparison of Stemmers on Source Code Identifiers for Software Search
ERA - A Comparison of Stemmers on Source Code Identifiers for Software SearchERA - A Comparison of Stemmers on Source Code Identifiers for Software Search
ERA - A Comparison of Stemmers on Source Code Identifiers for Software Search
ICSM 2011
 
Impact analysis - A Seismology-inspired Approach to Study Change Propagation
Impact analysis - A Seismology-inspired Approach to Study Change PropagationImpact analysis - A Seismology-inspired Approach to Study Change Propagation
Impact analysis - A Seismology-inspired Approach to Study Change Propagation
ICSM 2011
 
Industry - Estimating software maintenance effort from use cases an indu...
Industry - Estimating software maintenance effort from use cases an indu...Industry - Estimating software maintenance effort from use cases an indu...
Industry - Estimating software maintenance effort from use cases an indu...
ICSM 2011
 
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Your Botnet is My Botnet: Analysis of a Botnet TakeoverYour Botnet is My Botnet: Analysis of a Botnet Takeover
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Ahmed EL-KOSAIRY
 
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Jishnu Pradeep
 

More Related Content

Viewers also liked

Impact Analysis - ImpactScale: Quantifying Change Impact to Predict Faults in...
Impact Analysis - ImpactScale: Quantifying Change Impact to Predict Faults in...Impact Analysis - ImpactScale: Quantifying Change Impact to Predict Faults in...
Impact Analysis - ImpactScale: Quantifying Change Impact to Predict Faults in...
ICSM 2011
 
Industry - The Evolution of Information Systems. A Case Study on Document Man...
Industry - The Evolution of Information Systems. A Case Study on Document Man...Industry - The Evolution of Information Systems. A Case Study on Document Man...
Industry - The Evolution of Information Systems. A Case Study on Document Man...
ICSM 2011
 
Components - Crossing the Boundaries while Analyzing Heterogeneous Component-...
Components - Crossing the Boundaries while Analyzing Heterogeneous Component-...Components - Crossing the Boundaries while Analyzing Heterogeneous Component-...
Components - Crossing the Boundaries while Analyzing Heterogeneous Component-...
ICSM 2011
 
ERA - Measuring Disruption from Software Evolution Activities Using Graph-Bas...
ERA - Measuring Disruption from Software Evolution Activities Using Graph-Bas...ERA - Measuring Disruption from Software Evolution Activities Using Graph-Bas...
ERA - Measuring Disruption from Software Evolution Activities Using Graph-Bas...
ICSM 2011
 
Faults and Regression Testing - Fault interaction and its repercussions
Faults and Regression Testing - Fault interaction and its repercussionsFaults and Regression Testing - Fault interaction and its repercussions
Faults and Regression Testing - Fault interaction and its repercussions
ICSM 2011
 
Components - Graph Based Detection of Library API Limitations
Components - Graph Based Detection of Library API LimitationsComponents - Graph Based Detection of Library API Limitations
Components - Graph Based Detection of Library API Limitations
ICSM 2011
 
Natural Language Analysis - Expanding Identifiers to Normalize Source Code Vo...
Natural Language Analysis - Expanding Identifiers to Normalize Source Code Vo...Natural Language Analysis - Expanding Identifiers to Normalize Source Code Vo...
Natural Language Analysis - Expanding Identifiers to Normalize Source Code Vo...
ICSM 2011
 
Tutorial 2 - Practical Combinatorial (t-way) Methods for Detecting Complex Fa...
Tutorial 2 - Practical Combinatorial (t-way) Methods for Detecting Complex Fa...Tutorial 2 - Practical Combinatorial (t-way) Methods for Detecting Complex Fa...
Tutorial 2 - Practical Combinatorial (t-way) Methods for Detecting Complex Fa...
ICSM 2011
 
Industry - Precise Detection of Un-Initialized Variables in Large, Real-life ...
Industry - Precise Detection of Un-Initialized Variables in Large, Real-life ...Industry - Precise Detection of Un-Initialized Variables in Large, Real-life ...
Industry - Precise Detection of Un-Initialized Variables in Large, Real-life ...
ICSM 2011
 
Migration and Refactoring - Identifying Overly Strong Conditions in Refactori...
Migration and Refactoring - Identifying Overly Strong Conditions in Refactori...Migration and Refactoring - Identifying Overly Strong Conditions in Refactori...
Migration and Refactoring - Identifying Overly Strong Conditions in Refactori...
ICSM 2011
 
Lionel Briand ICSM 2011 Keynote
Lionel Briand ICSM 2011 KeynoteLionel Briand ICSM 2011 Keynote
Lionel Briand ICSM 2011 Keynote
ICSM 2011
 
Traceability - Structural Conformance Checking with Design Tests: An Evaluati...
Traceability - Structural Conformance Checking with Design Tests: An Evaluati...Traceability - Structural Conformance Checking with Design Tests: An Evaluati...
Traceability - Structural Conformance Checking with Design Tests: An Evaluati...
ICSM 2011
 
Metrics - Using Source Code Metrics to Predict Change-Prone Java Interfaces
Metrics - Using Source Code Metrics to Predict Change-Prone Java InterfacesMetrics - Using Source Code Metrics to Predict Change-Prone Java Interfaces
Metrics - Using Source Code Metrics to Predict Change-Prone Java Interfaces
ICSM 2011
 
ERA - Clustering and Recommending Collections of Code Relevant to Task
ERA - Clustering and Recommending Collections of Code Relevant to TaskERA - Clustering and Recommending Collections of Code Relevant to Task
ERA - Clustering and Recommending Collections of Code Relevant to Task
ICSM 2011
 
Industry - Relating Developers' Concepts and Artefact Vocabulary in a Financ...
Industry - Relating Developers' Concepts and Artefact Vocabulary in a Financ...Industry - Relating Developers' Concepts and Artefact Vocabulary in a Financ...
Industry - Relating Developers' Concepts and Artefact Vocabulary in a Financ...
ICSM 2011
 
Postdoc symposium - A Logic Meta-Programming Foundation for Example-Driven Pa...
Postdoc symposium - A Logic Meta-Programming Foundation for Example-Driven Pa...Postdoc symposium - A Logic Meta-Programming Foundation for Example-Driven Pa...
Postdoc symposium - A Logic Meta-Programming Foundation for Example-Driven Pa...
ICSM 2011
 
Dynamic Analysis - SCOTCH: Improving Test-to-Code Traceability using Slicing ...
Dynamic Analysis - SCOTCH: Improving Test-to-Code Traceability using Slicing ...Dynamic Analysis - SCOTCH: Improving Test-to-Code Traceability using Slicing ...
Dynamic Analysis - SCOTCH: Improving Test-to-Code Traceability using Slicing ...
ICSM 2011
 
ERA - A Comparison of Stemmers on Source Code Identifiers for Software Search
ERA - A Comparison of Stemmers on Source Code Identifiers for Software SearchERA - A Comparison of Stemmers on Source Code Identifiers for Software Search
ERA - A Comparison of Stemmers on Source Code Identifiers for Software Search
ICSM 2011
 
Impact analysis - A Seismology-inspired Approach to Study Change Propagation
Impact analysis - A Seismology-inspired Approach to Study Change PropagationImpact analysis - A Seismology-inspired Approach to Study Change Propagation
Impact analysis - A Seismology-inspired Approach to Study Change Propagation
ICSM 2011
 
Industry - Estimating software maintenance effort from use cases an indu...
Industry - Estimating software maintenance effort from use cases an indu...Industry - Estimating software maintenance effort from use cases an indu...
Industry - Estimating software maintenance effort from use cases an indu...
ICSM 2011
 

Viewers also liked (20)

Impact Analysis - ImpactScale: Quantifying Change Impact to Predict Faults in...
Impact Analysis - ImpactScale: Quantifying Change Impact to Predict Faults in...Impact Analysis - ImpactScale: Quantifying Change Impact to Predict Faults in...
Impact Analysis - ImpactScale: Quantifying Change Impact to Predict Faults in...
 
Industry - The Evolution of Information Systems. A Case Study on Document Man...
Industry - The Evolution of Information Systems. A Case Study on Document Man...Industry - The Evolution of Information Systems. A Case Study on Document Man...
Industry - The Evolution of Information Systems. A Case Study on Document Man...
 
Components - Crossing the Boundaries while Analyzing Heterogeneous Component-...
Components - Crossing the Boundaries while Analyzing Heterogeneous Component-...Components - Crossing the Boundaries while Analyzing Heterogeneous Component-...
Components - Crossing the Boundaries while Analyzing Heterogeneous Component-...
 
ERA - Measuring Disruption from Software Evolution Activities Using Graph-Bas...
ERA - Measuring Disruption from Software Evolution Activities Using Graph-Bas...ERA - Measuring Disruption from Software Evolution Activities Using Graph-Bas...
ERA - Measuring Disruption from Software Evolution Activities Using Graph-Bas...
 
Faults and Regression Testing - Fault interaction and its repercussions
Faults and Regression Testing - Fault interaction and its repercussionsFaults and Regression Testing - Fault interaction and its repercussions
Faults and Regression Testing - Fault interaction and its repercussions
 
Components - Graph Based Detection of Library API Limitations
Components - Graph Based Detection of Library API LimitationsComponents - Graph Based Detection of Library API Limitations
Components - Graph Based Detection of Library API Limitations
 
Natural Language Analysis - Expanding Identifiers to Normalize Source Code Vo...
Natural Language Analysis - Expanding Identifiers to Normalize Source Code Vo...Natural Language Analysis - Expanding Identifiers to Normalize Source Code Vo...
Natural Language Analysis - Expanding Identifiers to Normalize Source Code Vo...
 
Tutorial 2 - Practical Combinatorial (t-way) Methods for Detecting Complex Fa...
Tutorial 2 - Practical Combinatorial (t-way) Methods for Detecting Complex Fa...Tutorial 2 - Practical Combinatorial (t-way) Methods for Detecting Complex Fa...
Tutorial 2 - Practical Combinatorial (t-way) Methods for Detecting Complex Fa...
 
Industry - Precise Detection of Un-Initialized Variables in Large, Real-life ...
Industry - Precise Detection of Un-Initialized Variables in Large, Real-life ...Industry - Precise Detection of Un-Initialized Variables in Large, Real-life ...
Industry - Precise Detection of Un-Initialized Variables in Large, Real-life ...
 
Migration and Refactoring - Identifying Overly Strong Conditions in Refactori...
Migration and Refactoring - Identifying Overly Strong Conditions in Refactori...Migration and Refactoring - Identifying Overly Strong Conditions in Refactori...
Migration and Refactoring - Identifying Overly Strong Conditions in Refactori...
 
Lionel Briand ICSM 2011 Keynote
Lionel Briand ICSM 2011 KeynoteLionel Briand ICSM 2011 Keynote
Lionel Briand ICSM 2011 Keynote
 
Traceability - Structural Conformance Checking with Design Tests: An Evaluati...
Traceability - Structural Conformance Checking with Design Tests: An Evaluati...Traceability - Structural Conformance Checking with Design Tests: An Evaluati...
Traceability - Structural Conformance Checking with Design Tests: An Evaluati...
 
Metrics - Using Source Code Metrics to Predict Change-Prone Java Interfaces
Metrics - Using Source Code Metrics to Predict Change-Prone Java InterfacesMetrics - Using Source Code Metrics to Predict Change-Prone Java Interfaces
Metrics - Using Source Code Metrics to Predict Change-Prone Java Interfaces
 
ERA - Clustering and Recommending Collections of Code Relevant to Task
ERA - Clustering and Recommending Collections of Code Relevant to TaskERA - Clustering and Recommending Collections of Code Relevant to Task
ERA - Clustering and Recommending Collections of Code Relevant to Task
 
Industry - Relating Developers' Concepts and Artefact Vocabulary in a Financ...
Industry - Relating Developers' Concepts and Artefact Vocabulary in a Financ...Industry - Relating Developers' Concepts and Artefact Vocabulary in a Financ...
Industry - Relating Developers' Concepts and Artefact Vocabulary in a Financ...
 
Postdoc symposium - A Logic Meta-Programming Foundation for Example-Driven Pa...
Postdoc symposium - A Logic Meta-Programming Foundation for Example-Driven Pa...Postdoc symposium - A Logic Meta-Programming Foundation for Example-Driven Pa...
Postdoc symposium - A Logic Meta-Programming Foundation for Example-Driven Pa...
 
Dynamic Analysis - SCOTCH: Improving Test-to-Code Traceability using Slicing ...
Dynamic Analysis - SCOTCH: Improving Test-to-Code Traceability using Slicing ...Dynamic Analysis - SCOTCH: Improving Test-to-Code Traceability using Slicing ...
Dynamic Analysis - SCOTCH: Improving Test-to-Code Traceability using Slicing ...
 
ERA - A Comparison of Stemmers on Source Code Identifiers for Software Search
ERA - A Comparison of Stemmers on Source Code Identifiers for Software SearchERA - A Comparison of Stemmers on Source Code Identifiers for Software Search
ERA - A Comparison of Stemmers on Source Code Identifiers for Software Search
 
Impact analysis - A Seismology-inspired Approach to Study Change Propagation
Impact analysis - A Seismology-inspired Approach to Study Change PropagationImpact analysis - A Seismology-inspired Approach to Study Change Propagation
Impact analysis - A Seismology-inspired Approach to Study Change Propagation
 
Industry - Estimating software maintenance effort from use cases an indu...
Industry - Estimating software maintenance effort from use cases an indu...Industry - Estimating software maintenance effort from use cases an indu...
Industry - Estimating software maintenance effort from use cases an indu...
 

Similar to Richard Kemmerer Keynote icsm11

Your Botnet is My Botnet: Analysis of a Botnet Takeover
Your Botnet is My Botnet: Analysis of a Botnet TakeoverYour Botnet is My Botnet: Analysis of a Botnet Takeover
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Ahmed EL-KOSAIRY
 
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Jishnu Pradeep
 
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
Eric Vanderburg
 
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eric Vanderburg
 
Botnet and its Detection Techniques
Botnet and its Detection Techniques Botnet and its Detection Techniques
Botnet and its Detection Techniques
SafiUllah Saikat
 
Defense against botnets
Defense against botnetsDefense against botnets
Defense against botnets
Vaibhav Ahlawat
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
Logan Best
 
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовХакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентов
Positive Hack Days
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
vngundi
 
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
StHack
 
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
OnionBots: Subverting Privacy Infrastructure for Cyber AttacksOnionBots: Subverting Privacy Infrastructure for Cyber Attacks
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
Amirali Sanatinia
 
lecture5.pptx
lecture5.pptxlecture5.pptx
lecture5.pptx
Llobarro2
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
Wilson Rogerio Lopes
 
Workshop slides
Workshop slidesWorkshop slides
Workshop slides
Rishabh Jain
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
Avast
 
Botnet takeover
Botnet takeoverBotnet takeover
Botnet takeover
harrykim_Suny
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat Security Conference
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
Sagi Brody
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applicationsUltraUploader
 

Similar to Richard Kemmerer Keynote icsm11 (20)

Your Botnet is My Botnet: Analysis of a Botnet Takeover
Your Botnet is My Botnet: Analysis of a Botnet TakeoverYour Botnet is My Botnet: Analysis of a Botnet Takeover
Your Botnet is My Botnet: Analysis of a Botnet Takeover
 
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
 
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Securit...
 
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric VanderburgEradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg
 
Botnet and its Detection Techniques
Botnet and its Detection Techniques Botnet and its Detection Techniques
Botnet and its Detection Techniques
 
Defense against botnets
Defense against botnetsDefense against botnets
Defense against botnets
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовХакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентов
 
Day 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious UseDay 2 Dns Cert 4c Malicious Use
Day 2 Dns Cert 4c Malicious Use
 
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"
 
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
OnionBots: Subverting Privacy Infrastructure for Cyber AttacksOnionBots: Subverting Privacy Infrastructure for Cyber Attacks
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
 
lecture5.pptx
lecture5.pptxlecture5.pptx
lecture5.pptx
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
 
Workshop slides
Workshop slidesWorkshop slides
Workshop slides
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
 
Botnet takeover
Botnet takeoverBotnet takeover
Botnet takeover
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Multi-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation StrategiesMulti-Layer DDoS Mitigation Strategies
Multi-Layer DDoS Mitigation Strategies
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
 
Internet
InternetInternet
Internet
 

Recently uploaded

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 

Recently uploaded (20)

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 

Richard Kemmerer Keynote icsm11

  • 1. How to Steal a Botnet and What Can Happen When You Do Richard A. Kemmerer Security Group Department of Computer Science University of California, Santa Barbara kemm@cs.ucsb.edu ICSM 2011 September 27, 2011
  • 2. Botnet Terminology UC Santa Barbara • Bot – an application that performs some action or set of actions on behalf of a remote controller – installed on a victim machine (zombie) – modular (plug in your functionality/exploit/payload) • Botnet – network of infected machines controlled by a malicious entity • Control channel – required to send commands to bots and obtain results and status messages – usually via IRC, HTTP, HTTPs, or Peer-to-Peer • Bot Herder – aka botmaster or controller – owns control channel, sends commands to botnet army – motivations are usually power or money 2
  • 3. Torpig UC Santa Barbara • Trojan horse – distributed via the Mebroot “malware platform” – injects itself into 29 different applications as DLL – steals sensitive information (passwords, HTTP POST data) – HTTP injection for phishing – uses “encrypted” HTTP as C&C protocol – uses domain flux to locate C&C server • Mebroot – spreads via drive-by downloads – sophisticated rootkit (overwrites master boot record) 3
  • 4. Torpig: Behind the scenes UC Santa Barbara s and Mebroot C&C mm Co orpig +t “Hacked” web servers STOLE N DAT A nlo ad Innocent victim ow o ot d M ebr Torpig C&C “Drive-By Download” server Injection server 4
  • 5. Torpig HTML Injection UC Santa Barbara • Domains of interest (~300) stored in configuration file • When domain of interest visited – Torpig issues request to injection server – server specifies a trigger page on target domain and a URL on injection server to be visited when user visits trigger page • When user visits the trigger page – Torpig requests injection URL from injection server – Torpig injects the returned content into the user’s browser • Content is usually html phishing form that asks for sensitive data – reproduces look and style of target web site 5
  • 6. Example Phishing Page UC Santa Barbara 6
  • 7. Example Phishing Page UC Santa Barbara 7
  • 8. Domain Flux UC Santa Barbara • Taking down a single bot has little effect on botmaster • C&C servers are vulnerable to take down – if you use a static IP address, people will block or remove host – if you use a DNS name, people will block or remove domain name • Domain flux – idea is to have bots periodically generate new C&C domain names – often, use local date (system time) as input – botmaster needs to register one of these domains and respond properly so that bots recognize valid C&C server – defenders must register all domains to take down botnet 8
  • 9. Torpig Domain Flux UC Santa Barbara • Each bot has – same domain generation algorithm (DGA) – three fixed domains to be used if all else fails • DGA generates – weekly domain name (wd) – daily domain name (dd) • Every 20 minutes bot attempts to connect (in order) to – wd.com, wd.net, wd.biz – if all three fail, then dd.com, dd.net, dd.biz – if they also fail, then the three fixed domains • Criminals normally registered wd.com (and wd.net) 9
  • 10. Sinkholing Torpig C&C Overview UC Santa Barbara • Reverse engineered name generation algorithm and C&C protocol • Observed that domains for 01/25 – 02/15 unregistered • Registered these domains ourselves • Unfortunately, Mebroot pushed new Torpig binary on 02/04 • We controlled the botnet for ~10 days • Data – 8.7 GB Apache logs – 69 GB pcap data (contains stolen information) 10
  • 11. Sinkholing Torpig C&C UC Santa Barbara • Purchased hosting from two different hosting providers known to be unresponsive to complaints • Registered wd.com and wd.net with two different registrars – One was suspended 01/31 due to abuse complaint • Set up Apache web servers to receive bot requests • Recorded all network traffic • Automatically downloaded and removed data from our hosting providers • Enabled hosts a week early – immediately received data from 359 infected machines 11
  • 12. Data Collection Principles UC Santa Barbara • Principle 1: the sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized – always responded with okn message – never sent new/blank configuration file – removed data from servers regularly – stored data offline in encrypted form • Principle 2: the sinkholed botnet should collect enough information to enable notification and remediation of affected parties – worked with law enforcement (FBI and DoD Cybercrime units) – worked with bank security officers – worked with ISPs 12
  • 13. Data Collection UC Santa Barbara • Bot connects to Torpig C&C every 20 minutes via HTTP POST • Sends a header – timestamp, IP address, proxy ports, OS version, locale, nid, Torpig build and version number • nid – 8 byte value, used for encrypting header and data – derived from hard disk information or volume serial number – serves as a convenient, unique identifier – allows one to detect VMware machines • Optional body data – stolen information (accounts, browser data, …) 13
  • 14. Size Estimation UC Santa Barbara • Count number of infections – usually based on unique IP addresses – problematic: DHCP and NAT effects (we saw 1.2M unique IPs) – our count based on header information: ~180K hosts (nids) seen Average 4,690 new IPs Average 705 new nids 14
  • 15. Size Estimation UC Santa Barbara • Cummulative number of infections – linear for unique IP addresses – decayed quickly for unique nids – more than 75% of unique nids were observed in first 48 hours 15
  • 16. Threats UC Santa Barbara • Theft of financial data • Denial of service • Proxy servers • Privacy threats 16
  • 17. Threats: Theft of Financial Information UC Santa Barbara • 8,310 unique accounts from 410 financial institutions – Top 10: PayPal (1,770), Poste Italiane, Capital One, E*Trade, Chase, Bank of America, UniCredit, Postbank, Scottrade, Wells Fargo – 38% of credentials stolen from browser’s password manager • 1,660 credit cards – Top 5: Visa (1,056), Mastercard, American Express, Maestro, Discover – US (49%), Italy (12%), Spain (8%) – typically, one CC per victim, but there are exceptions … 17
  • 18. Value of the Financial Information UC Santa Barbara • Symantec [2008] estimates – Credit card value at $.10 to $25.00 – Bank account at $10.00 to $1,000.00 • Using Symantec estimates,10 days of Torpig data valued at $83K to $8.3M 18
  • 19. Threats: Denial of Service UC Santa Barbara • More than 60,000 active hosts at any given time • Determine network speed from ip2location DB – cable and DSL make up 65% of infected hosts – used 435 kbps conservative upstream bandwidth – yields greater than 17 Gbps just from DSL/cable – corporate networks make up 22% of infected hosts • Potential for a massive DDOS attack 19
  • 20. Threats: Proxy Servers UC Santa Barbara • Torpig opens SOCKS and HTTP proxy • 20% of infected machines are publicly reachable • Only 2.45% of those marked by Spamhaus blacklist • Could be abused for spamming 20
  • 21. Threats: Privacy UC Santa Barbara • Web mail, web chat, and forum messages • Focused on 6,542 messages in English that were 250 characters or longer • Zeitgeist of the Torpig network – 14% are about jobs/resumes – 7% discuss money – 6% are sports fans – 5% prepare for exams and worry about grades – 4% partners/sex online • Online security is a concern, but think they are clean – 10% specifically mention security/malware 21
  • 22. Password Analysis UC Santa Barbara • 297,962 unique credentials used on 368,501 web sites (domains) – mostly web mail (Google, live, Yahoo) and social networking sites (Facebook, MySpace, netlog.com) – 28% of the victims reused their password on multiple domains • Used John the Ripper to assess the strength of the passwords – 173,686 unique passwords – 56,000 in < 65 minutes using permutation, substitution, etc. – 14,000 in next 10 minutes using large wordlist (i.e., 40% cracked in less than 75 minutes) – another 30,000 in next 24 hours 22
  • 23. Password Analysis UC Santa Barbara 23
  • 24. What about? UC Santa Barbara • Criminal retribution • Law enforcement • Repatriating the data • Ethics, IRB, etc. 24
  • 25. Criminal Retribution UC Santa Barbara • Big concern on January 25 – are the criminals going to come to get us? • More realistically - when will they DDOS our servers? • Biggest question – why did it take them 10 days to download a new DGA? 25
  • 26. Law Enforcement UC Santa Barbara • We needed to inform law enforcement about this – who do we notify? – need someone knowledgeable so they don’t shut us down • How do we get a hold of law enforcement? – US CERT gives you a form to fill out – contacted David Dagon at Ga Tech and got FBI contact – contacted FBI cybercrime unit – also contacted DoD defense criminal investigative services • FBI was very good to work with and gave us lots of contacts for repatriation 26
  • 27. Repatriating the Data UC Santa Barbara • 8,310 accounts from 410 financial institutions • 1,660 credit cards from various financial institutions • Need to mine the information from the raw data files • Cannot just cold call a bank and say I have information that you might want, send me your BINs • Need introductions from trusted individuals or groups • FBI and National Cyber-Forensics and Training Alliance (NCFTA) were very helpful – leads to individuals who could handle an entire country 27
  • 28. Ethics UC Santa Barbara • Recall Principle 1: the sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized • Collected sensitive data that potentially could threaten the privacy of victims • Should emails be viewed at all? • What about IRB approval? – not working with human subjects, why would we need it? – we didn’t plan on getting this kind of data – any data that can be used to identify an individual needs IRB 28
  • 29. Conclusions UC Santa Barbara • Unique opportunity to understand – potential for profit and malicious activity of botnet’s creators – characteristics of botnet victims • Previous evaluations of botnet sizes based on distinct IPs may be grossly overestimated • Botnet victims are users with poorly maintained machines and choose easily guessable passwords to protect sensitive data • Interacting with registrars, hosting facilities, victim institutions, and law enforcement can be a complicated process • Papers: http://seclab.cs.ucsb.edu/media/uploads/papers/torpig.pdf http://seclab.cs.ucsb.edu/media/uploads/papers/torpig_spmag11.pdf 29
  • 30. Credits UC Santa Barbara • Brett Stone-Gross • Marco Cova • Lorenzo Cavallaro • Bob Gilbert • Martin Szydlowski • Richard Kemmerer • Chris Kruegel • Giovanni Vigna 30