Unsolicited bulk email, or spam, accounts for more than 90% of worldwide email traffic. The underground economy behind email spam is prosperous, and involves parties located in many parts of the world. Nowadays, most spam is sent by botnets, which are large networks of compromised computers that act under the control of a single entity, called a botmaster. Security researchers have entered an arms race with spammers and botmasters. The goal of researchers is to secure networks and prevent malicious operations from happening, while the goal of cybercriminals is to keep their business up and running.
In this talk I will analyze the outcome of this arms race. On one side, I will talk about the different levels of sophistication the botmasters developed to make their network resilient to take down attempts. On the research side, I will analyze the approaches proposed to prevent machines from being infected, identifying compromised ones, and disrupting command and control structures. In particular, I will focus on the shortcomings of previous approaches, as well as open problems in the area and the areas that have not been studied yet.
Ethical challenges for online social science research: Networks, rentals and ... (berniehogan)
Presentation at the 5th International Conference on eSocial Science. Part of a workshop on the law and ethics of eSocial Science research. It outlines three domains I am currently researching and some of the ethical issues I have encountered, including reporting on a third party (Facebook), deception (craigslist) and information access (grouphug.us).
Software engineering is inherently a collaborative venture, involving many stakeholders who coordinate their efforts to produce large software systems. While the importance of human aspects in software engineering was recognised as early as the 1970s, the emergence of open source software (late 1990s) and of platforms such as Stack Overflow and GitHub (late 2000s) enabled the application of empirical methods to the study of human aspects of software engineering.
In the first part of the talk we present a selection of recent results pertaining to two main questions: who are the software developers, and in what kinds of activities do they engage? The second part of the talk focuses on the tools and techniques that have been used to obtain the aforementioned results.
The last years have seen the growth of botnets and their transformation into a highly profitable business. Most of the botnets seen until now have used the same basic concepts. This presentation intends to show what the major challenges faced by botnet authors are and what they might try in the future to solve them.
The presentation will walk through some interesting solutions to botnet design challenges. A layered and extensible approach for bots will be presented, showing that solutions from the exploit construction (e.g. Metasploit), P2P networking (Gnutella and Skype), authentication (digital signatures) and covert channel research fields can be used to make botnets more reliable, extensible and hard to take down.
[2010 CodeEngn Conference 04] Max - Fighting against Botnet (GangSeok Lee)
2010 CodeEngn Conference 04
Botnets have become the representative attack weapon of cyber warfare: as networks become ever faster and more complex, DDoS attacks such as the 7.7 DDoS, and leaks of personal information such as Internet account and financial data, are carried out through botnets. In this presentation we analyse botnets actually operating in cyberspace and try to identify the botnet business models they pursue. We also discuss demonstrations of botnet design, operation, management and countermeasures, and the wars fought between botnets.
http://codeengn.com/conference/04
lab3/cdga.zip
lab3/code.c
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>   /* SYSTEMTIME and GetLocalTime(): this sample builds only on Windows */
#include <wchar.h>
/* Toy domain generation algorithm: one letter is chosen for the year and one
   for the month from a 26-entry table. 'day' is accepted but never used, so
   the generated domain changes only once a month. */
void dga(int year, int month, int day)
{
    char alphabets[]={'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'};
    /* year-2000 stays inside the table only for 2000..2025 and month*2 ranges
       over 2..24; no bounds check is performed. The third letter is always
       alphabets[10], i.e. 'k'. */
    printf("domain is syn-%c%c%c.com\n",alphabets[year-2000],alphabets[month*2],alphabets[10]);
}
int main()
{
    char test[]="Simple DGA example for CIT406"; /* unused; left in the binary as a marker string */
    SYSTEMTIME st;
    GetLocalTime(&st);                   /* the current local date drives the domain */
    dga(st.wYear, st.wMonth, st.wDay);
    return 0;
}
lab3/Domain Generation Algorithm Reverse Engineering.docx
Scenario:
The university has caught a malware operator on campus and found a domain generation algorithm (DGA) on the campus-owned computer which this person was using. The campus has asked you to figure out how it works so that they can potentially use the command and control server for research like the research described in the attached PDF. (Attached in folder)
The file you will need to figure out is attached in the folder (it is written in the C programming language and is not malware).
One way to find out how something works is to use IDA in Kali Linux; information about Kali can be found at kali.org. Some basic material about IDA can be found here:
http://securityxploded.com/reversing-basics-ida-pro.php (Links to an external site.). These resources will not be sufficient to get you all the way through the lab, because they were not designed as a step-by-step walkthrough of it; you will need to take the knowledge from these resources and others that you find to complete the lab.
I attached the exe file. You have to unzip the file. The exe file has to be run from the command line (in a SAFE environment, i.e. a virtual machine).
When reverse engineering the exe file, you should be looking at the _dga/dga function. You can use IDA Pro. (The .exe file is attached in folder)
For this lab you will need to find out what you can from the attached files, following the lab report format outlined (abstract, discussion, and conclusion). Take a lot of screenshots.
lab3/stone-gross+cova+cavallaro+gilbert+szydlowski+kemmerer+kruegel+vigna+yourBotnetIsMyBotnet.pdf
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Department of Computer Science, University of California, Santa Barbara
{bstone,marco,sullivan,rgilbert,msz,kemm,chris,vigna}@cs.ucsb.edu
ABSTRACT
Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our effo ...
Detecting Spambot as an Antispam Technique for Web Internet BBS (ijsrd.com)
Spam is one of the most popular and most relevant topics that needs to be understood in the current scenario. Everyone, whether a small child or an old person, uses email every day all around the world. What we see is that almost no one is aware of, or in simple terms does not know, what spam actually is and what it will do to their systems. Spam in general means unsolicited or unwanted mail. Botnets are considered one of the main sources of spam. A botnet is a group of software programs called bots, whose function is to run on several compromised computers autonomously and automatically. The main objective of this paper is to detect such bots, or spambots, for the Bulletin Board System (BBS). A BBS is a computer running software that allows users to leave messages and access information of general interest. Originally BBSes were accessed only over a phone line using a modem, but nowadays some BBSes allow access via Telnet, a packet-switched network, or a packet radio connection. The main methodology we focus on is the Behavioural-based Spam Detection (BSD) method. A Behavioural-based Spam Detector (BSD) combines several behaviours of spam bots at different stages, including the spam-preparation behaviour before the spam session, when spammers search for an open-relay SMTP service to send e-mails through, and the behaviour of spammers while connecting to the mail server. Detecting the abnormal behaviour produced by spam activities gives a high degree of suspicion that bots are present.
Internet threats have increased manifold with the arrival of botnets. Many organizations worldwide and the social networks have been affected by botnets. Numerous studies have been carried out to understand the concepts of bots, C&C channels, botnets and botmasters. These botnets have been able to update themselves regularly, which makes them very difficult to detect. The purpose of this paper is to understand the behavior of botnets and their effect on the virtual world. The paper also analyzes the types of botnets, their lifecycle and the elements of botnets.
How To Protect Your Website From Bot Attacks is a one-hour continuing education course. After successfully completing the course and final exam, you will be awarded a certificate of completion that you can use towards fulfilling your continuing education requirements.
Botnets are emerging as the most serious threat against cyber-security, as they provide a distributed platform for several illegal activities such as launching distributed denial of service attacks against critical targets, malware dissemination, phishing, and click fraud. The defining characteristic of botnets is the use of command and control channels through which they can be updated and directed. Recently, botnet detection has been an interesting research topic related to cyber-threat and cyber-crime prevention. This paper is a survey of botnets and botnet detection. The survey clarifies the botnet phenomenon and discusses botnet detection techniques. It classifies botnet detection techniques into four classes: signature-based, anomaly-based, DNS-based, and mining-based.
Lab3/code.c
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>   /* SYSTEMTIME and GetLocalTime(): this sample builds only on Windows */
#include <wchar.h>
/* Toy domain generation algorithm: one letter is chosen for the year and one
   for the month from a 26-entry table. 'day' is accepted but never used, so
   the generated domain changes only once a month. */
void dga(int year, int month, int day)
{
    char alphabets[]={'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'};
    /* year-2000 stays inside the table only for 2000..2025 and month*2 ranges
       over 2..24; no bounds check is performed. The third letter is always
       alphabets[10], i.e. 'k'. */
    printf("domain is syn-%c%c%c.com\n",alphabets[year-2000],alphabets[month*2],alphabets[10]);
}
int main()
{
    char test[]="Simple DGA example for CIT406"; /* unused; left in the binary as a marker string */
    SYSTEMTIME st;
    GetLocalTime(&st);                   /* the current local date drives the domain */
    dga(st.wYear, st.wMonth, st.wDay);
    return 0;
}
Lab3/Lab 3.docx
Lab 3 Domain Generation Algorithm Reverse Engineering
Scenario:
The university has caught a malware operator on campus and found a domain generation algorithm (DGA) on the campus-owned computer which this person was using. The campus has asked you to figure out how it works so that they can potentially use the command and control server for research like the research described in the attached PDF. (PDF attached in the folder, called stone-gross)
The file you will need to figure out is attached in the folder as code.c (it is written in the C programming language and is not malware).
One way to find out how something works is to use IDA in Kali Linux; information about Kali can be found at kali.org. Some basic material about IDA can be found here: http://securityxploded.com/reversing-basics-ida-pro.php (Links to an external site.). These resources will not be sufficient to get you all the way through the lab, because they were not designed as a step-by-step walkthrough of it; you will need to take the knowledge from these resources and others that you find to complete the lab.
I attached the exe file. You have to unzip the file. The exe file has to be run from the command line (in a SAFE environment, i.e. a virtual machine).
When reverse engineering the exe file, you should be looking at the _dga/dga function. You can use IDA Pro.
For this lab you will need to find out what you can from the attached files, following the lab report format outlined in lab 2. Take a lot of screenshots.
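As an added example (not part of the lab materials and not the code in either code.c listing above), the following Python re-implements the toy DGA from code.c from the defender's side: it precomputes the twelve domains the sample can emit in a given year, so they can be registered, sinkholed or blocked for the kind of research the attached Stone-Gross et al. paper describes, and it flags names of that shape in DNS query logs. The log format, the IP addresses and the function names are assumptions made here. The C sample performs no bounds check, so years after 2025 read past its 26-byte table; the re-implementation refuses such inputs instead of reproducing that undefined behaviour.

```python
# Added example (not the lab's own code): defender-side re-implementation of
# the toy DGA in code.c, for precomputing domains and scanning DNS logs.
import re
import string

ALPHABET = string.ascii_lowercase  # the same 26-letter table as alphabets[] in code.c
YEAR_BASE = 2000                   # code.c indexes alphabets[year - 2000]


def dga_domain(year: int, month: int) -> str:
    """Return the domain code.c prints for the given year and month.

    code.c indexes alphabets[year-2000] and alphabets[month*2] with no bounds
    check, so any year after 2025 reads past the 26-byte table; those inputs
    are rejected here. The day of the month is ignored, as in the sample.
    """
    if not YEAR_BASE <= year <= YEAR_BASE + 25:
        raise ValueError(f"year {year} would index outside the 26-letter table")
    if not 1 <= month <= 12:
        raise ValueError(f"month {month} is not a calendar month")
    return f"syn-{ALPHABET[year - YEAR_BASE]}{ALPHABET[month * 2]}{ALPHABET[10]}.com"


def yearly_domains(year: int) -> list[str]:
    """All twelve domains the sample can produce in `year` (one per month)."""
    return [dga_domain(year, month) for month in range(1, 13)]


# Shape of every name the algorithm can emit: 'syn-', year letter, month letter, 'k', '.com'
_DGA_SHAPE = re.compile(r"^syn-([a-z])([a-z])k\.com$")


def is_dga_domain(name: str) -> bool:
    """True if `name` could be generated by this DGA for some year and month.

    Any year letter is possible (indices 0..25 all map to a letter), but the
    month letter must sit at an even index between 2 and 24 (month * 2).
    """
    match = _DGA_SHAPE.match(name.lower().rstrip("."))
    if match is None:
        return False
    month_index = ALPHABET.index(match.group(2))
    return 2 <= month_index <= 24 and month_index % 2 == 0


def scan_dns_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (client_ip, domain) pairs for queries that match the DGA shape.

    Assumed log format (constructed for this example):
    '<timestamp> <client-ip> query <qname> <qtype>'.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "query":
            continue
        client_ip, qname = fields[1], fields[3]
        if is_dga_domain(qname):
            hits.append((client_ip, qname))
    return hits


# Constructed sample log lines; the IPs and names are made up for this example.
SAMPLE_LOG = [
    "2015-05-04T10:00:01 10.1.2.3 query syn-pkk.com A",
    "2015-05-04T10:00:02 10.1.2.3 query www.example.com A",
    "2015-05-04T10:00:03 10.1.2.9 query syn-pjk.com A",
    "2015-05-04T10:00:04 10.1.2.7 query syn-pkk.com AAAA",
]

if __name__ == "__main__":
    print("2015 blocklist:", yearly_domains(2015))
    print("clients querying DGA names:", scan_dns_log(SAMPLE_LOG))
```

Because the sample ignores the day, a whole year's worth of candidate C&C names is only twelve entries, which is what makes the blocklist and sinkhole approach practical here; a real DGA would also mix in a seed and a larger daily output, so the enumeration step would be the part to rewrite.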
Lab3/Lab 4.docx
You will need to download the Kali 2.0 ISO from kali.org and create a virtual machine in VirtualBox. Create the virtual machine with INTERNAL networking (THIS IS IMPORTANT for the security of your network) using the Kali live ISO.
Then you will need to look on the Penetration Tester Academy (or Pentester Academy) for an ISO with vulnerable web applications, OR find DVL (Damn Vulnerable Linux) on distrowatch.com. With this ISO, create a second VM with INTERNAL networking ONLY (for the security of your network).
- Take screenshots (with a notepad file open in the background with your name).
- Exploit the vulnerable VM (whether you are using the vulnerable web applications or a vulnerable virtual machine) in at least 2 different ways: 1 should be remote code execution or Cross-Site Scripting (also CSS or XSS).
Lab3/stone-gross.pdf
Your Botnet is My Botnet: Analysis of a Botnet ...
EvilCohort: Detecting Communities of Malicious Accounts on Online Services (Gianluca Stringhini)
Cybercriminals misuse accounts on online services (e.g., webmails and online social networks) to perform malicious activity, such as spreading malicious content or stealing sensitive information. In this paper, we show that accounts that are accessed by botnets are a popular choice by cybercriminals. Since botnets are composed of a finite number of infected computers, we observe that cybercriminals tend to have their bots connect to multiple online accounts to perform malicious activity.
We present EVILCOHORT, a system that detects online accounts that are accessed by a common set of infected machines. EVILCOHORT only needs the mapping between an online account and an IP address to operate, and can therefore detect malicious accounts on any online service (webmail services, online social networks, storage services) regardless of the type of malicious activity that these accounts perform. Unlike previous work, our system can identify malicious accounts that are controlled by botnets but do not post any malicious content (e.g., spam) on the service. We evaluated EVILCOHORT on multiple online services of different types (a webmail service and four online social networks), and show that it accurately identifies malicious accounts.
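The abstract's core observation, that a finite pool of bots must log into many accounts and therefore leaves groups of accounts sharing the same client IP addresses, can be illustrated with a small script. The example below is added here and is not the EvilCohort system's code: it is a deliberately simplified version of the idea (accounts are linked when they share at least two IP addresses, and connected groups above a size threshold are reported), whereas the paper uses a proper community detection method. The login records, thresholds and function names are constructed for this example.

```python
# Added example (not the EvilCohort code): group accounts by shared client IPs
# and flag groups too large to be one person, regardless of what they post.
from collections import defaultdict
from itertools import combinations

# Constructed login records (account, client IP); every value is made up.
LOGIN_RECORDS = [
    ("bot_a", "198.51.100.10"), ("bot_a", "198.51.100.11"), ("bot_a", "198.51.100.12"),
    ("bot_b", "198.51.100.10"), ("bot_b", "198.51.100.11"), ("bot_b", "198.51.100.13"),
    ("bot_c", "198.51.100.10"), ("bot_c", "198.51.100.12"), ("bot_c", "198.51.100.13"),
    ("bot_d", "198.51.100.11"), ("bot_d", "198.51.100.12"), ("bot_d", "198.51.100.13"),
    ("bot_e", "198.51.100.10"), ("bot_e", "198.51.100.11"), ("bot_e", "198.51.100.12"),
    ("alice", "203.0.113.5"), ("alice", "203.0.113.6"),
    ("bob", "203.0.113.5"),          # shares one office NAT address with alice
    ("carol", "192.0.2.44"),
]


def account_ip_sets(records):
    """Map each account to the set of IPs it was accessed from (the account-IP bipartite graph)."""
    ips = defaultdict(set)
    for account, ip in records:
        ips[account].add(ip)
    return ips


def shared_ip_graph(ips, min_shared=2):
    """Connect two accounts when they share at least `min_shared` IP addresses.

    The threshold filters out accounts that merely sit behind the same NAT or
    proxy: one shared address is ordinary, several shared addresses are not.
    """
    graph = defaultdict(set)
    for a, b in combinations(sorted(ips), 2):
        if len(ips[a] & ips[b]) >= min_shared:
            graph[a].add(b)
            graph[b].add(a)
    return graph


def connected_components(graph):
    """Plain graph traversal; each connected component is a candidate cohort."""
    seen, components = set(), []
    for start in sorted(graph):
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(graph[node] - seen)
        components.append(frozenset(component))
    return components


def find_evil_cohorts(records, min_shared=2, min_size=3):
    """Return cohorts of at least `min_size` accounts whose members pairwise share IPs."""
    graph = shared_ip_graph(account_ip_sets(records), min_shared)
    return [c for c in connected_components(graph) if len(c) >= min_size]


if __name__ == "__main__":
    for cohort in find_evil_cohorts(LOGIN_RECORDS):
        print("suspicious cohort:", sorted(cohort))
```

The two thresholds are where the false-positive trade-off lives: `min_shared` keeps shared NAT addresses and campus proxies from linking unrelated users, and `min_size` keeps a household with two or three accounts from being reported; both would be tuned against the service's own traffic.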
That Ain't You: Detecting Spearphishing Through Behavioral Modelling (Gianluca Stringhini)
One of the ways in which attackers steal sensitive information from corporations is by sending spearphishing emails. A typical spearphishing email appears to be sent by one of the victim's coworkers or business partners, but has instead been crafted by the attacker. A particularly insidious type of spearphishing email is one that does not only claim to be written by a certain person, but is also sent from that person's email account, which has been compromised. Spearphishing emails are very dangerous for companies, because they can be the starting point of a more sophisticated attack or cause intellectual property theft, and lead to high financial losses.
Currently, there are no effective systems to protect users against such threats. Existing systems leverage adaptations of anti-spam techniques. However, these techniques are often inadequate to detect spearphishing attacks. The reason is that spearphishing has very different characteristics from spam and even traditional phishing. To fight the spearphishing threat, we propose a change of focus in the techniques that we use for detecting malicious emails: instead of looking for features that are indicative of attack emails, we look for emails that claim to have been written by a certain person within a company, but were actually authored by an attacker. We do this by modelling the email-sending behavior of users over time, and comparing any subsequent email sent by their accounts against this model. Our approach can block advanced email attacks that traditional protection systems are unable to detect, and is an important step towards detecting advanced spearphishing attacks.
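To make the "model the sender, not the attack" idea concrete, here is an added example that is not the paper's system: it builds a per-sender profile from past messages (hour of day, mail client header, recipient domains, whether the body carries a link) and reports how a new message from the same account departs from that profile. The header fields chosen, the two-deviation threshold and the sample mailbox are all assumptions made for this example; the paper's actual feature set and scoring are not reproduced here.

```python
# Added example (not the paper's code): behavioural profile per sender and a
# deviation check for messages that arrive from that sender's account.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Email:
    sender: str
    hour: int                    # local hour of day the message was sent
    mailer: str                  # value of the X-Mailer / User-Agent header
    recipient_domains: frozenset
    has_link: bool               # body contains a URL


class SenderProfile:
    """What a sender's past messages look like: hours, mail client, recipients, links."""

    def __init__(self):
        self.count = 0
        self.hours = Counter()
        self.mailers = Counter()
        self.domains = Counter()
        self.links = 0

    def observe(self, email: Email) -> None:
        self.count += 1
        self.hours[email.hour] += 1
        self.mailers[email.mailer] += 1
        self.domains.update(email.recipient_domains)
        self.links += int(email.has_link)

    def anomalies(self, email: Email) -> list[str]:
        """Names of the ways `email` departs from this sender's history."""
        reasons = []
        if self.hours[email.hour] == 0:
            reasons.append("unusual_hour")
        if self.mailers[email.mailer] == 0:
            reasons.append("unknown_mailer")
        if any(self.domains[d] == 0 for d in email.recipient_domains):
            reasons.append("new_recipient_domain")
        if email.has_link and self.links / self.count < 0.2:
            reasons.append("unexpected_link")
        return reasons


def build_profiles(history: list[Email]) -> dict[str, SenderProfile]:
    profiles: dict[str, SenderProfile] = {}
    for email in history:
        profiles.setdefault(email.sender, SenderProfile()).observe(email)
    return profiles


def check_email(profiles, email: Email, threshold: int = 2) -> tuple[bool, list[str]]:
    """Return (suspicious, reasons); `threshold` or more deviations flag the message."""
    profile = profiles.get(email.sender)
    if profile is None:
        return True, ["no_history_for_sender"]
    reasons = profile.anomalies(email)
    return len(reasons) >= threshold, reasons


# Constructed history for one internal sender; all values are made up.
CORP = frozenset({"corp.example"})
OUTLOOK = "Microsoft Outlook 16.0"
HISTORY = [Email("alice@corp.example", h, OUTLOOK, CORP, False) for h in (9, 10, 11, 9, 14, 10)]

# Sent from alice's compromised account by an attacker's script at 03:00, to an
# outside domain, with a link: same account, different behaviour.
SUSPECT = Email("alice@corp.example", 3, "python-smtplib", frozenset({"partner.example"}), True)
NORMAL = Email("alice@corp.example", 10, OUTLOOK, CORP, False)

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    print("suspect:", check_email(profiles, SUSPECT))
    print("normal:", check_email(profiles, NORMAL))
```

Note that nothing in the check looks at the message text for phishing markers: the suspect message is caught purely because it is sent at a time, with a client and to a recipient that this account has never used, which is the shift in focus the abstract argues for. A production profile would need a warm-up period and a decay so that genuine changes in a user's habits do not keep triggering alerts.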
The Tricks of the Trade: What Makes Spam Campaigns Successful? (Gianluca Stringhini)
Spam is a profitable business for cybercriminals, with the revenue of a spam campaign that can be in the order of millions of dollars. For this reason, a wealth of research has been performed on understanding how spamming botnets operate, as well as what the economic model behind spam looks like. Running a spamming botnet is a complex task: the spammer needs to manage the infected machines, the spam content being sent, and the email addresses to be targeted, among the rest. In this paper, we try to understand which factors influence the spam delivery process and what characteristics make a spam campaign successful. To this end, we analyzed the data stored on a number of command and control servers of a large spamming botnet, together with the guidelines and suggestions that the botnet creators provide to spammers to improve the performance of their botnet.
Follow the Green: Growth and Dynamics on Twitter Follower Markets (Gianluca Stringhini)
The users of microblogging services, such as Twitter, use the count of followers of an account as a measure of its reputation or influence. For those unwilling or unable to attract followers naturally, a growing industry of “Twitter follower markets” provides followers for sale. Some markets use fake accounts to boost the follower count of their customers, while others rely on a pyramid scheme to turn non-paying customers into followers for each other, and into followers for paying customers. In this paper, we present a detailed study of Twitter Followers Markets, and we show that it is possible to detect users that purchased followers on Twitter.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
UiPath Test Automation using UiPath Test Suite series, part 5 - DianaGray10
Welcome to the UiPath Test Automation using UiPath Test Suite series, part 5. In this session, we will cover CI/CD with DevOps.
Topics covered:
CI/CD within UiPath
End-to-end overview of a CI/CD pipeline with Azure DevOps
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024 - Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview, including the concepts of Customer Key and Double Key Encryption.
Communications Mining Series - Zero to Hero - Session 1 - DianaGray10
This session provides an introduction to UiPath Communication Mining, why it is important, and an overview of the platform. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 - Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... - Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Essentials of Automations: The Art of Triggers and Actions in FME - Safe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0! - SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
The Spammer, the Botmaster, and the Researcher: On the Arms Race in Spamming Botnet Mitigation
1. The Spammer, the Botmaster, and the Researcher: On the
Arms Race in Spamming Botnet Mitigation
Gianluca Stringhini
Major Area Exam
December 5, 2011
2. What is spam?
Spam is a big problem
Everyone receives spam
90-95% of emails are spam
Organic vs. Junk food
Spam vs. Ham
We need a definition a
computer can understand
Unsolicited Bulk Email
3. Early days spam
Spam as a hobby
Businesses run from a home basement
CAN-SPAM Act (2003)
Doesn’t forbid spam, but the spammer
has to be nice.
$16k fine per violating email
The world is big
Not every country prosecutes spammers
5. Modern spam
Affiliate programs [Samosseiko 2009]
Are banks the weak link? [Levchenko 2011]
1 Source: Levchenko et al., Click Trajectories: End-to-End Analysis of the Spam Value Chain
6. Is Spam Profitable?
Yes, it is
Estimates between $300k and $1M a month for large affiliate
programs [Kanich 2008, Kanich 2011]
Relatively low risk
Small fishes are the ones who get caught
The geographic dispersion makes coordinated actions difficult
7. How is Spam Delivered?
Botnets
Botnets are networks of compromised computers that act under the
control of a single entity (Botmaster)
What are botnets used for?
Running DoS
Stealing Information
Solving Captchas
Sending spam
Botnets are responsible for 85% of worldwide spam
Why botnets?
Botnets combine the best of two worlds: worms and IRC bots
Researchers and Botmasters are involved in an arms race
10. Botnet Evolution - Structure
IRC botnets
The C&C is an IRC server
Bots join a channel and get orders
Problems
Researchers can join the channel too
DNS sinkholing is possible
12. Botnet Evolution - Structure
Proprietary protocol botnets
The C&C uses a proprietary encrypted protocol
Two architectures:
Pull architecture
Push architecture
Problems
Researchers can reverse engineer the protocol
DNS sinkholing is still possible
14. Botnet Evolution - Structure
Multiple tier botnets
The bots don’t connect directly to the C&C
The domains used by the proxies use Fast Flux
Fast Flux
Technique similar to Round-robin DNS and CDNs
Gives high reliability to the botnet backbone
Many IP addresses associated with a domain
Low TTL, the record changes all the time
15. Botnet Evolution - Structure
Problem
The domains used can still be sinkholed / blacklisted
The solution
Domain Generation Algorithms
Bots contact a domain according to a time-dependent algorithm
Used by Torpig (2008)
Problems
The algorithm can be reverse engineered [StoneGross 2009a]
Botmasters can add non-determinism (e.g., Twitter trends)
17. Botnet Evolution - Structure
Peer-to-peer botnets
Bots with private IPs act as workers
Bots with public IPs act as proxies
Workers find proxies based on some overnet protocol
Problem
Proxies are not under the control of the botmaster
Researchers can impersonate a proxy and infiltrate the botnet
18. Botnet Evolution - Infection model
Worm-like spread
The bot scans the network for vulnerabilities and propagates
Non-spreading bots
Infections are propagated through
Drive-by-download websites [Provos 2008, StoneGross 2011]
Email attachments
Pay-per-Install
The new trend is paying third parties for “installing” a certain number
of bots [Caballero 2011]
22. Host-based detection
Traditional anti-virus approach
Look for the presence of virus-specific instructions in the binaries
Antiviruses can be fooled by simple obfuscations
[Christodorescu 2003, Christodorescu 2004]
Obfuscations
NOP insertion and code transposition are usually enough
Metamorphic malware
Polymorphic malware
23. Host-based detection
Static analysis
Take program semantics into account [Christodorescu 2003,
Christodorescu 2005]
Dynamic analysis
Model the behavior of a program (e.g., using system calls)
[Kolbitsch 2009]
Monitor access to sensitive information [Yin 2007]
Reverse engineering of the C&C protocol [Caballero 2009]
Problems
Program equivalence is undecidable!
Analysis of samples takes time and resources
25. Malicious Web Pages Detection
Infections happening through browser exploits are a big problem
Detecting Drive-by-Download pages
Malicious Javascript can be detected by:
Emulation [Cova 2010]
Monitoring system changes [Provos 2008]
Hooking runtime [Curtsinger 2011, Heiderich 2011]
Look for common attack patterns (e.g., heap spray)
[Ratanaworabhan 2009]
Problems
The analysis could be detected
These systems might not detect newer attacks
27. Command and Control-based Detection
IRC server infiltration [AbuRajab 2006]
Protocol Reverse Engineering
Protocol reverse engineering by active probing [Cho 2010a]
This enables botnet infiltration [Stock 2009, Kreibich 2009,
Cho 2010b]
Botnet Takeovers
Reverse engineering of DGAs [StoneGross 2009a]
This enables C&C impersonation [StoneGross 2009a]
28. Honeypots
Running bots in virtual machines makes it possible to learn important botnet
features [John 2009]
This can be used for
Blacklisting the domains that host C&C servers
[StoneGross 2009b]
Performing botnet takedowns [StoneGross 2011]
Problems
Bots might detect virtualization [Balzarotti 2010]
Containment problems arise [Kreibich 2011]
30. DNS Based Detection
Detecting infected IPs
DNS sinkhole [Dagon 2006]
Look for DNS cached results [AbuRajab 2006]
Detect Fast-Flux Domains
Fast Flux domains present very different characteristics from
legitimate ones [Holz 2008, Passerini 2008, Hu 2009]
IPs belong to different networks
TTL is low
results change very frequently
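As an added example (not from the slides), the three indicators above, together with the Fast Flux description on the earlier structure slide, turned into a check over a series of A-record lookups; the thresholds and the use of the /16 prefix as a stand-in for the network an IP belongs to are assumptions, and the lookups are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Resolution:
    """One A-record lookup for a domain: the TTL returned and the answer set."""
    ttl: int
    ips: List[str]

def network_key(ip: str) -> str:
    """Coarse network identity: the first two octets (/16). A production system would
    map the address to its ASN instead; the /16 is an assumption standing in for that."""
    return ".".join(ip.split(".")[:2])

def flux_features(resolutions: List[Resolution]) -> Dict[str, float]:
    """The three indicators from the slide: IPs spread over different networks,
    low TTL, and answers that change between successive lookups."""
    seen, churn, prev = set(), [], None
    for r in resolutions:
        cur = set(r.ips)
        if prev is not None:
            churn.append(len(cur - prev) / len(cur))  # share of answers not seen last time
        seen |= cur
        prev = cur
    return {
        "min_ttl": min(r.ttl for r in resolutions),
        "distinct_ips": len(seen),
        "distinct_networks": len({network_key(ip) for ip in seen}),
        "avg_churn": sum(churn) / len(churn) if churn else 0.0,
    }

def looks_like_fast_flux(feats, max_ttl=300, min_ips=5, min_networks=3, min_churn=0.5) -> bool:
    """Illustrative thresholds (assumed, not taken from the cited papers). All indicators
    must agree: a CDN also has low TTL and rotating answers, but inside one operator's network."""
    return (feats["min_ttl"] <= max_ttl and feats["distinct_ips"] >= min_ips
            and feats["distinct_networks"] >= min_networks and feats["avg_churn"] >= min_churn)

# Constructed lookups using RFC 5737 documentation ranges, not real observations.
CDN_DOMAIN = [  # low TTL and rotating answers, but everything inside one /16
    Resolution(60, ["203.0.113.10", "203.0.113.11"]),
    Resolution(60, ["203.0.113.12", "203.0.113.11"]),
    Resolution(60, ["203.0.113.10", "203.0.113.13"]),
]
FLUX_DOMAIN = [  # low TTL, fresh answers on every lookup, spread across three networks
    Resolution(60, ["192.0.2.10", "198.51.100.20", "203.0.113.30"]),
    Resolution(60, ["192.0.2.11", "198.51.100.21", "203.0.113.31"]),
    Resolution(60, ["192.0.2.12", "198.51.100.22", "203.0.113.32"]),
]

if __name__ == "__main__":
    for name, res in (("cdn", CDN_DOMAIN), ("flux", FLUX_DOMAIN)):
        f = flux_features(res)
        print(name, f, looks_like_fast_flux(f))
```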
31. DNS Based Detection
Detecting Malicious Domains
It is possible to build classifiers to detect malicious domains
Passive analysis of recursive DNS (RDNS) queries [Antonakakis 2010,
Bilge 2011]
Limitation: only local view
Analysis at the authoritative server level or TLDs
[Antonakakis 2011]
Limitation: it can be evaded using diverse DNS servers
33. SMTP based Detection: Content Analysis
Rule-based Spam Detection
The nature of spam changes over time
Having a binary decision introduces problems.
Machine Learning
Bayesian Filtering: uses naïve Bayes [Sahami 1998,
Androutsopoulos 2000]
Support Vector Machines [Drucker 1999]
Problems
Feature selection has to be performed
“Good word” attacks are possible [Lowd 2005, Karlberger 2007]
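The Bayesian filter and the "good word" weakness above, as an added illustration that is not the slides' or the cited papers' code: a minimal multinomial naive Bayes filter trained on a constructed toy corpus, with a defender-side check of how far the spam score drops when words the filter learned from ham are appended. The corpus, messages and padding are all made up.

```python
import math
from collections import Counter
from typing import List, Tuple

# Constructed toy corpus (not real mail); a real filter trains on thousands of messages.
TRAINING: List[Tuple[str, str]] = [
    ("spam", "cheap viagra pills buy now"),
    ("spam", "buy cheap replica watches now"),
    ("spam", "claim your lottery prize now"),
    ("spam", "cheap pills online pharmacy"),
    ("ham", "meeting agenda for tuesday attached"),
    ("ham", "can we move the meeting to thursday"),
    ("ham", "draft of the paper attached please review"),
    ("ham", "review comments on the agenda"),
]

def tokenize(text: str) -> List[str]:
    return text.lower().split()

class NaiveBayesFilter:
    """Multinomial naive Bayes with Laplace smoothing: every word contributes
    independently to the spam/ham log-odds, which is exactly what padding with
    ham-like words exploits."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()
        self.vocab = set()

    def train(self, corpus) -> None:
        for label, text in corpus:
            toks = tokenize(text)
            self.docs[label] += 1
            self.words[label].update(toks)
            self.vocab.update(toks)

    def _log_score(self, toks: List[str], label: str) -> float:
        counts = self.words[label]
        denom = sum(counts.values()) + self.alpha * len(self.vocab)
        score = math.log(self.docs[label] / sum(self.docs.values()))  # class prior
        for t in toks:  # words never seen in training get the smoothed alpha / denom
            score += math.log((counts[t] + self.alpha) / denom)
        return score

    def spam_probability(self, text: str) -> float:
        toks = tokenize(text)
        ls, lh = self._log_score(toks, "spam"), self._log_score(toks, "ham")
        m = max(ls, lh)  # log-sum-exp keeps the normalisation stable for long messages
        return math.exp(ls - m) / (math.exp(ls - m) + math.exp(lh - m))

def good_word_robustness(filt: NaiveBayesFilter, message: str, padding: str) -> Tuple[float, float]:
    """Defender-side check: spam score of the message before and after it is padded
    with words frequent in the ham training set. A large drop means the filter needs
    better feature selection or retraining, as the slide warns."""
    return filt.spam_probability(message), filt.spam_probability(message + " " + padding)

def build_filter() -> NaiveBayesFilter:
    f = NaiveBayesFilter()
    f.train(TRAINING)
    return f

if __name__ == "__main__":
    before, after = good_word_robustness(build_filter(), "buy cheap pills now",
                                         "the meeting agenda attached review please")
    print(f"spam score before padding {before:.3f}, after {after:.3f}")
```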
34. SMTP based Detection: Content Analysis
Assign a Reputation to Received Emails
Different features between spam and ham [Hao 2009]
Building Signatures from Spam
[Pitsillidis 2010] ran bots and assigned templates to different botnets
Detect Spam by Looking at URLs
Study the URL structure [Xie 2008, Ma 2009]
Learning features from the landing page [Thomas 2011]
Problem
In general, content analysis is expensive
35. SMTP based Detection: IP Blacklisting
DNS-based blacklists
Mailservers can query the service to know whether an individual IP is
a known spammer
Problems
Low coverage [Ramachandran 2006a, Sinha 2008]
Bot machines have dynamic IPs
What happens when IPv6 takes over?
Better Approaches
IP reputation [Ramachandran 2006b, Sinha 2010, Qian 2010]
Behavioral blacklisting [Ramachandran 2007, Stringhini 2011]
36. SMTP based Detection: Policies
Greylisting
If a delivery temporarily fails, spambots will not try again
Easy to bypass and prone to false positives [Levine 2005]
Multi-level greylisting [Janecek 2008]
Sender Validation
Spam pretends to come from legitimate addresses
SPF, DomainKeys, DKIM [Leiba 2007]
The solution chosen by Google
User voting on spam and ham [Taylor 2006]
Main problem: Spam hits server performance!
Mail prioritization systems [Twining 2004, Venkataraman 2007]
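Added example (not part of the slides) of the greylisting policy described above, including the false-positive case it mentions: an unknown (client IP, sender, recipient) triple is deferred with an SMTP temporary failure, a retry inside the window is accepted, and a sender whose retries come from different outbound IPs keeps being deferred. The window values, addresses and IPs are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]  # (client IP, envelope sender, envelope recipient)

class Greylist:
    """Greylisting as on the slide: an unknown triple gets a temporary failure (451)
    first; a retry after min_delay and before max_wait is accepted (250) and the
    triple is remembered. Time is a caller-supplied clock in seconds so that the
    behaviour can be replayed deterministically."""

    def __init__(self, min_delay: int = 300, max_wait: int = 4 * 3600):
        self.min_delay = min_delay
        self.max_wait = max_wait
        self.pending: Dict[Triple, int] = {}   # triple -> time of first attempt
        self.allowed: Set[Triple] = set()

    def decide(self, ip: str, sender: str, rcpt: str, now: int) -> str:
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.allowed:
            return "250"
        first = self.pending.get(key)
        if first is None or now - first > self.max_wait:
            self.pending[key] = now            # first contact, or a stale entry: start over
            return "451"
        if now - first < self.min_delay:
            return "451"                        # retried too early, keep deferring
        self.allowed.add(key)
        del self.pending[key]
        return "250"

def simulate() -> Dict[str, List[str]]:
    """Three constructed senders against one greylist; all addresses and IPs are made up."""
    g = Greylist()
    out: Dict[str, List[str]] = {}
    # A spambot fires once and never retries after the 451: the message is never accepted.
    out["bot"] = [g.decide("192.0.2.66", "offer@example.net", "alice@example.org", 0)]
    # A legitimate MTA queues the message and retries ten minutes later: accepted.
    out["mta"] = [g.decide("198.51.100.5", "bob@example.com", "alice@example.org", 0),
                  g.decide("198.51.100.5", "bob@example.com", "alice@example.org", 600)]
    # The false-positive case: a legitimate sender whose retries leave from a different
    # outbound IP each time never matches the stored triple, so every attempt is deferred.
    out["farm"] = [g.decide("203.0.113.10", "news@example.com", "alice@example.org", 0),
                   g.decide("203.0.113.11", "news@example.com", "alice@example.org", 600),
                   g.decide("203.0.113.12", "news@example.com", "alice@example.org", 1200)]
    return out

if __name__ == "__main__":
    for who, codes in simulate().items():
        print(who, codes)
```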
38. Social Network Detection
Online Social Networks are very successful
Users are not as risk aware as they are with email spam
Miscreants create fake profiles to spread spam
Systems to detect fake profiles have been developed
[Benevenuto 2010, Lee 2010, Stringhini 2010, Yang 2011a,
Yang 2011b]
Real accounts that get compromised are more valuable
45% of social network users click on any link by their friends
[Bilge 2009]
89% of profiles sending malicious content on Facebook are
compromised [Gao 2010]
40. Intrusion Detection
Signature-based intrusion detection
Snort, Bro [Paxson 1998]
Problems
Constant need for new rules
Problems with encrypted traffic
Anomaly-based intrusion detection
The system learns the “normal” behavior of a network and flags
anomalies [Portnoy 2001, Kruegel 2002, Wang 2004]
Problems
What is “normal” behavior?
It is hard to get traffic that is free of infections
41. Network Edge Detection
Detecting Successful Infections
Botnet infection can be modeled as a set of communication flows [Gu 2007]
Problem: what’s the infection model of a botnet?
Detecting Malicious Activity
Correlation between C&C commands and malicious activity
[Gu 2008a]
How to identify C&C traffic?
Well-known protocols (e.g., IRC, HTTP) [Gu 2008b]
Look for malicious activity first [Wurzinger 2010]
Leverage Previous Knowledge
Detect hosts that contact the same IPs as infected machines
[Coskun 2010]
43. How About the Future?
The arms race between researchers and cybercriminals is far from
being over
Is security research like fighting the Hydra?
44. Future Directions
Botmasters will keep developing more sophisticated techniques
However, a functional botnet has to interact with legitimate services
DNS servers
SMTP servers
Web servers
Social Networks
This interaction cannot be obfuscated!
45. My Research
In my research, I focus on analyzing how bots interact with
legitimate, third party services
Bots can be distinguished from real users in the way they use such
services
The main reason is that bots have a different goal than real users:
Fast interaction vs. Good user experience
46. My Research
So far, I have been looking at:
Social Networks
How fake accounts differ from legitimate ones [ACSAC 2010]
How user behavior changes once an account is compromised
[In submission]
SMTP servers
Distinguishing bots:
based on the destinations they target [USENIX 2011]
based on the (wrong) way in which they implement SMTP
[Work in progress]
47. My Research
Other interesting areas:
Login patterns on Social Networks
Interaction with search engines (e.g., SEO)
What if bots started behaving like legitimate users / programs?
This conflicts with their goal!