Turbot: “Catch me if you can”
Itzik Kotler, Ziv Gadot
Security Operation Center (SOC)

Agenda

Motivation

Botnets Communication Future

Recent Botnets Dynamics

SPOF Resiliency

Blend into Common Traffic
SPOF Resiliency vs. Blend In (chart): botnets plotted on two axes, SPOF resiliency (Poor to Excellent) and blending into common traffic (Poor to Excellent). Quadrants: Early Botnets (poor on both, e.g. Agobot), P2P Botnets (excellent SPOF resiliency, e.g. Storm and Conficker), HTTP Botnets (excellent blending, e.g. the Twitter botnet), and NG Botnets (excellent on both; marked "Vacuum! Is it possible?"). Botnets plotted: Trin00 (1999), Agobot (2004), PathBot (2004), Rustock (2006), Storm (2007), Black Energy 1.7 (2007), Conficker A,B,C (2008), Twitter Botnet (2008), Kraken (2008), Conficker D,E (2009), Turbot.
Turbot Protocol

Introducing: Turbot

Internet Clipboard

Disposable E-mail Addressing (DEA)

User Generated Content

... and even URL Shortening
Resources to Room Division (diagram): public resources such as www.cl1p.net, www.mailinator.com, www.pastebin.com, … are each divided into rooms (diagram labels: Resource, Room, Room Space).

A Room Example (diagram): www.cl1p.net/foobar is one room on the resource www.cl1p.net (diagram labels: Resource, Room, Room Set).

Private Room (diagram): the resources www.cl1p.net, www.mailinator.com, www.pastebin.com, … with a Bot Master and a Bot.

What’s a Private Room?

Turbot I/O: Message (diagram): the mutual resource is http://cl1p.net/foobar; the Bot Master issues a single HTTP POST to it, while the Bot issues repeated HTTP GETs (nine are shown) to the same URL.
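The exchange in the figure above, written out as an added, offline simulation (this is not code from the Turbot project): the bot master POSTs a message to the mutual resource and the bot polls that resource with GETs until a new message appears. The in-memory FakeClipboard standing in for cl1p.net, the room name foobar, the seq:payload framing and all class and function names are assumptions made for this example.

```python
"""Offline simulation of the 'mutual resource' message channel.

Added example, not Turbot's own code.  Nothing touches the network: a dict
stands in for a public clipboard site, and every simulated request is logged
so the GET/POST pattern of the slide can be inspected afterwards.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class FakeClipboard:
    """Stand-in (assumption) for a public write/read resource such as cl1p.net."""
    host: str
    rooms: Dict[str, str] = field(default_factory=dict)                 # room -> content
    requests: List[Tuple[str, str, str]] = field(default_factory=list)  # (who, method, url)

    def room_url(self, room: str) -> str:
        # Resource + room name gives the mutual URL both sides agree on,
        # e.g. http://cl1p.net/foobar on the 'A Room Example' slide.
        return f"http://{self.host}/{room}"

    def post(self, who: str, room: str, content: str) -> None:
        self.requests.append((who, "POST", self.room_url(room)))
        self.rooms[room] = content

    def get(self, who: str, room: str) -> str:
        self.requests.append((who, "GET", self.room_url(room)))
        return self.rooms.get(room, "")


class BotMaster:
    def __init__(self, service: FakeClipboard, room: str) -> None:
        self.service, self.room, self.seq = service, room, 0

    def send(self, payload: str) -> None:
        # Assumed framing: a monotonically increasing sequence number lets a
        # bot tell a fresh command from the one it has already acted on.
        self.seq += 1
        self.service.post("master", self.room, f"{self.seq}:{payload}")


class Bot:
    def __init__(self, name: str, service: FakeClipboard, room: str) -> None:
        self.name, self.service, self.room = name, service, room
        self.last_seq = 0
        self.received: List[str] = []

    def poll(self) -> Optional[str]:
        """One HTTP GET of the mutual resource; returns a payload only if it is new."""
        content = self.service.get(self.name, self.room)
        seq_text, sep, payload = content.partition(":")
        if not sep or not seq_text.isdigit():
            return None                 # empty room or not a well-formed frame
        seq = int(seq_text)
        if seq <= self.last_seq:
            return None                 # already seen this command
        self.last_seq = seq
        self.received.append(payload)
        return payload


def run_exchange(polls_before: int = 3, polls_after: int = 6) -> Tuple[List[str], int, int, str]:
    """Bot polls an empty room, master posts once, bot keeps polling.

    Returns (payloads the bot acted on, number of GETs, number of POSTs, room URL).
    """
    svc = FakeClipboard("cl1p.net")
    room = "foobar"                     # room name is an assumption for the example
    master = BotMaster(svc, room)
    bot = Bot("bot-1", svc, room)
    for _ in range(polls_before):
        bot.poll()
    master.send("ping")
    for _ in range(polls_after):
        bot.poll()
    gets = sum(1 for _, method, _ in svc.requests if method == "GET")
    posts = sum(1 for _, method, _ in svc.requests if method == "POST")
    return bot.received, gets, posts, svc.room_url(room)


if __name__ == "__main__":
    received, gets, posts, url = run_exchange()
    print(f"mutual resource: {url}")
    print(f"bot acted on {received} after {gets} GETs and {posts} POST")
```

With the defaults the trace matches the slide: nine GETs from the bot against one POST from the master, and the bot acts on the command exactly once even though every later GET returns the same content. The sequence number is what makes the repeated reads harmless; without it a bot would re-run the last command on every poll.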
Negotiating a Private Room (diagram, steps 1 to 4): Lobby Space and Private Room Space, with a Bot Master and a Bot; step 3 is marked "Bingo".

Turbot Demo

Turbot Project & Source Repository

Turbot Analysis
Technology vs. Problems

Problem group               Problem                       IRC  P2P  HTTP
Blend in common traffic     Corporate-policy blocking     X    X    V
                            Network footprint detection   V    X    V
                            Firewall and NAT issues       V    X    V
SPOF                        Takedown actions              X    V    X
                            Blacklisting (IP, URL)        X    V    X
                            Efficiency                    (no mark on the slide)
                            Interrupting communication    (no mark on the slide)

V: the technology copes with the problem; X: the technology is exposed to it.
Communication Efficiency

Corporate-Policy Traversal

Network Footprint

Firewall/NAT Issues

Takedown Actions

Blacklisting

Communication Interrupting
Technology vs. Problems (with Turbot)

Problem group               Problem                       IRC  P2P  HTTP  Turbot
Blend in common traffic     Corporate-policy blocking     X    X    V     V
                            Network footprint detection   V    X    V     V
                            Firewall and NAT issues       V    X    V     V
SPOF                        Takedown actions              X    V    X     V
                            Blacklisting (IP, URL)        X    V    X     V
                            Efficiency                                    V
                            Interrupting communication                    V

V: the technology copes with the problem; X: the technology is exposed to it.
Turbot Demerits

How Can Turbot Be Stopped?
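As an added example of the kind of check a defender could run (this is my heuristic, not the deck's answer, and it rests only on the polling pattern shown on the Turbot I/O slide): over web-proxy logs, look for a client that fetches the same URL on a paste, clipboard or disposable-mail site at regular intervals. The log line format, the sample lines, the WATCHED_HOSTS list (taken from the resource names on the slides) and the thresholds are all constructed for this example.

```python
"""Flag clients that poll one URL on a public write/read site at a steady rate.

Added example, not from the deck.  Heuristic: many GETs from one client to the
same URL on a watched host, with inter-request gaps that are unusually regular
(low coefficient of variation), look like a bot polling a mutual resource
rather than a person reading a paste.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Hosts named on the deck's resource slides; an illustrative watchlist (assumption).
WATCHED_HOSTS = {
    "cl1p.net", "www.cl1p.net",
    "pastebin.com", "www.pastebin.com",
    "mailinator.com", "www.mailinator.com",
}

# Constructed log format: "<date> <time> <client-ip> <method> <url> <status>"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str, int]]:
    """Return (timestamp, client, method, url, status) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4), int(m.group(5))


def find_polling_clients(lines: List[str], min_requests: int = 6, max_cv: float = 0.25) -> List[Dict]:
    """Return one alert per (client, url) that polls a watched host regularly."""
    series: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines that are not in the expected format
        ts, client, method, url, _status = rec
        host = urlsplit(url).hostname or ""
        if method == "GET" and host in WATCHED_HOSTS:
            series[(client, url)].append(ts)

    alerts = []
    for (client, url), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap   # 0 means perfectly periodic
        if cv <= max_cv:
            alerts.append({"client": client, "url": url, "requests": len(times),
                           "mean_gap_s": round(mean_gap, 1), "cv": round(cv, 3)})
    return alerts


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    # a bot polling the mutual resource about once a minute
    "2009-06-01 09:00:00 10.0.0.23 GET http://cl1p.net/foobar 200",
    "2009-06-01 09:01:00 10.0.0.23 GET http://cl1p.net/foobar 200",
    "2009-06-01 09:01:58 10.0.0.23 GET http://cl1p.net/foobar 200",
    "2009-06-01 09:03:00 10.0.0.23 GET http://cl1p.net/foobar 200",
    "2009-06-01 09:04:01 10.0.0.23 GET http://cl1p.net/foobar 200",
    "2009-06-01 09:05:00 10.0.0.23 GET http://cl1p.net/foobar 200",
    "2009-06-01 09:06:00 10.0.0.23 GET http://cl1p.net/foobar 200",
    "2009-06-01 09:07:00 10.0.0.23 GET http://cl1p.net/foobar 200",
    # a person re-reading a paste at irregular intervals
    "2009-06-01 09:00:10 10.0.0.7 GET http://pastebin.com/raw/xyz 200",
    "2009-06-01 09:00:15 10.0.0.7 GET http://pastebin.com/raw/xyz 200",
    "2009-06-01 09:05:15 10.0.0.7 GET http://pastebin.com/raw/xyz 200",
    "2009-06-01 09:05:55 10.0.0.7 GET http://pastebin.com/raw/xyz 200",
    "2009-06-01 09:20:55 10.0.0.7 GET http://pastebin.com/raw/xyz 200",
    "2009-06-01 09:21:15 10.0.0.7 GET http://pastebin.com/raw/xyz 200",
    # a one-off fetch, and a regular poll of a host that is not on the watchlist
    "2009-06-01 09:02:30 10.0.0.5 GET http://pastebin.com/abc 200",
    "2009-06-01 09:00:00 10.0.0.9 GET http://intranet.example/status 200",
    "2009-06-01 09:01:00 10.0.0.9 GET http://intranet.example/status 200",
    "2009-06-01 09:02:00 10.0.0.9 GET http://intranet.example/status 200",
    "2009-06-01 09:03:00 10.0.0.9 GET http://intranet.example/status 200",
    "2009-06-01 09:04:00 10.0.0.9 GET http://intranet.example/status 200",
    "2009-06-01 09:05:00 10.0.0.9 GET http://intranet.example/status 200",
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    for alert in find_polling_clients(SAMPLE_LOG):
        print(alert)
```

On the sample only 10.0.0.23 is flagged (eight GETs, mean gap 60 s, cv about 0.02); the person's irregular re-reads and the one-off fetch are not. The watchlist is the weak point, which is exactly the deck's argument: any site that offers anonymous write and read will do, so a production version scores regularity regardless of host and pairs a client's GETs with a preceding POST to the same URL from elsewhere, while whitelisting known legitimate pollers (RSS readers, webmail) to keep false positives down.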
Questions & Answers

Appendix

Appendix Content

Indirect Access

Handle Bogus Bots

Private Channels

The End

Editor's Notes

  1. Present greetings. My name is … I am a security researcher in the security research group, which we refer to as the Security Operation Center. This lecture is about botnets and their evolution over time.
  2. Agenda: describe the 4 sections of the lecture.
  3. Agenda
     Scope: this research is about understanding the future of botnet communication, what is known as the C&C. Botnet infection techniques are out of scope. The botnets' actual attacks are out of scope.
     Methodology: first find the problems and dynamics happening nowadays.
  4. Agenda
     Dynamics: there is a lot going on in the past years: P2P botnets, HTTP botnets, not so much IRC botnets.
     Conficker: explain how Conficker works. Even if the bot-herder loses the battle, he doesn't lose the war.
     Conficker attempts to achieve. These two properties are the most important factors of botnets nowadays.
  5. Agenda
     SPOF: what is SPOF? Example: IRC.
     SPOF resiliency: what is SPOF resiliency?
  6. Agenda: what is it? Why is it good?
  7. Agenda
     What is this diagram? We put those 2 factors on a graph and try to see how recent and past botnets are performing with respect to these 2 factors. Explain the axes.
     Early botnets: did not invest much effort in excelling in either of the two. Agobot.
     P2P botnets: Storm, Conficker. Their trademark is their SPOF resiliency.
     HTTP botnets: Twitter botnets. The novelty of the botnet is that it did not use a proprietary server but abused a public resource.
     NG botnets: the gap. What we noticed is that there is a gap: botnets do not yet excel on both parameters.
  8. Repeat each question
  9. Repeat each question
  10. Repeat each question