The document analyzes the peer-to-peer Waledac botnet. It implemented a clone of Waledac called Walowdac to infiltrate the botnet without causing harm. Through Walowdac, it observed a minimum daily population of 55,000 Waledac bots and over 390,000 infected machines total over a month. It also gathered internal botnet information like spam campaign success rates and newly introduced credential theft features.
Self-propagating malware (e.g., an Internet worm) exploits security loopholes in software to infect servers and then use them to scan the Internet for more vulnerable servers. While the mechanisms of worm infection and their propagation models are well understood, defense against worms remains an open problem. One branch of defense research investigates the behavioral difference between worm-infected hosts and normal hosts to set them apart. One particular observation is that a worm-infected host, which scans the Internet with randomly selected addresses, has a much higher connection-failure rate than a normal host. Rate-limit algorithms have been proposed to control the spread of worms by traffic shaping based on connection failure rate. However, these rate-limit algorithms can work properly only if it is possible to measure failure rates of individual hosts efficiently and accurately. This paper points out a serious problem in the prior method. To address this problem, we first propose a solution based on a highly efficient double-bitmap data structure, which places only a small memory footprint on the routers, while providing good measurement of connection failure rates whose accuracy can be tuned by system parameters. Furthermore, we propose another solution based on shared register array data structure, achieving better memory efficiency and much larger estimation range than our double-bitmap solution.
Public Key Cryptosystem Approach for P2P Botnet Detection and PreventionIJERA Editor
Distributed (P2P) botnets have as of late been received by botmasters for their versatility against take-down
endeavors. Other than being harder to bring down, p2p botnets tend to be stealthier in the way they perform
vindictive exercises, making current discovery approaches ineffectual. In this paper, we simulate our proposal
by detecting a gray hole attack in an Ad Hoc network using NS2.The detected malicious node is listed in a black
hole list and notices all other nodes in the network to stop communicating with them. Our botnet location
framework has been equipped for identifying stealthy P2P botnets (Gray Hole nodes) and can reduce packet loss
caused by malicious nodes and have a better packet delivery ratio (PDR) within less period of time.
SECURITY ISSUES IN THE OPTIMIZED LINK STATE ROUTING PROTOCOL VERSION 2 (OLSRV2)IJNSA Journal
Mobile Ad hoc NETworks (MANETs) are leaving the confines of research laboratories, to find place in real-world deployments. Outside specialized domains (military, vehicular, etc.), city-wide communitynetworks are emerging, connecting regular Internet users with each other, and with the Internet, via MANETs. Growing to encompass more than a handful of “trusted participants”, the question of preserving the MANET network connectivity, even when faced with careless or malicious participants, arises, and must be addressed. A first step towards protecting a MANET is to analyze the vulnerabilities of the routing protocol, managing the connectivity. By understanding how the algorithms of the routing protocol operate, and how these can be exploited by those with ill intent, countermeasures can be developed, readying MANETs for wider deployment and use. This paper takes an abstract look at the algorithms that constitute the Optimized Link State Routing Protocol version 2 (OLSRv2), and identifies for each protocol element the possible vulnerabilities and attacks – in a certain way, provides a “cookbook” for how to best attack an operational OLSRv2 network, or for how to proceed with developing protective countermeasures against these attacks.
Optimal remote access trojans detection based on network behaviorIJECEIAES
RAT is one of the most infected malware in the hyper-connected world. Data is being leaked or disclosed every day because new remote access Trojans are emerging and they are used to steal confidential data from target hosts. Network behavior-based detection has been used to provide an effective detection model for Remote Access Trojans. However, there is still short comings: to detect as early as possible, some False Negative Rate and accuracy that may vary depending on ratio of normal and malicious RAT sessions. As typical network contains large amount of normal traffic and small amount of malicious traffic, the detection model was built based on the different ratio of normal and malicious sessions in previous works. At that time false negative rate is less than 2%, and it varies depending on different ratio of normal and malicious instances. An unbalanced dataset will bias the prediction model towards the more common class. In this paper, each RAT is run many times in order to capture variant behavior of a Remote Access Trojan in the early stage, and balanced instances of normal applications and Remote Access Trojans are used for detection model. Our approach achieves 99 % accuracy and 0.3% False Negative Rate by Random Forest Algorithm.
Self-propagating malware (e.g., an Internet worm) exploits security loopholes in software to infect servers and then use them to scan the Internet for more vulnerable servers. While the mechanisms of worm infection and their propagation models are well understood, defense against worms remains an open problem. One branch of defense research investigates the behavioral difference between worm-infected hosts and normal hosts to set them apart. One particular observation is that a worm-infected host, which scans the Internet with randomly selected addresses, has a much higher connection-failure rate than a normal host. Rate-limit algorithms have been proposed to control the spread of worms by traffic shaping based on connection failure rate. However, these rate-limit algorithms can work properly only if it is possible to measure failure rates of individual hosts efficiently and accurately. This paper points out a serious problem in the prior method. To address this problem, we first propose a solution based on a highly efficient double-bitmap data structure, which places only a small memory footprint on the routers, while providing good measurement of connection failure rates whose accuracy can be tuned by system parameters. Furthermore, we propose another solution based on shared register array data structure, achieving better memory efficiency and much larger estimation range than our double-bitmap solution.
Public Key Cryptosystem Approach for P2P Botnet Detection and PreventionIJERA Editor
Distributed (P2P) botnets have as of late been received by botmasters for their versatility against take-down
endeavors. Other than being harder to bring down, p2p botnets tend to be stealthier in the way they perform
vindictive exercises, making current discovery approaches ineffectual. In this paper, we simulate our proposal
by detecting a gray hole attack in an Ad Hoc network using NS2.The detected malicious node is listed in a black
hole list and notices all other nodes in the network to stop communicating with them. Our botnet location
framework has been equipped for identifying stealthy P2P botnets (Gray Hole nodes) and can reduce packet loss
caused by malicious nodes and have a better packet delivery ratio (PDR) within less period of time.
SECURITY ISSUES IN THE OPTIMIZED LINK STATE ROUTING PROTOCOL VERSION 2 (OLSRV2)IJNSA Journal
Mobile Ad hoc NETworks (MANETs) are leaving the confines of research laboratories, to find place in real-world deployments. Outside specialized domains (military, vehicular, etc.), city-wide communitynetworks are emerging, connecting regular Internet users with each other, and with the Internet, via MANETs. Growing to encompass more than a handful of “trusted participants”, the question of preserving the MANET network connectivity, even when faced with careless or malicious participants, arises, and must be addressed. A first step towards protecting a MANET is to analyze the vulnerabilities of the routing protocol, managing the connectivity. By understanding how the algorithms of the routing protocol operate, and how these can be exploited by those with ill intent, countermeasures can be developed, readying MANETs for wider deployment and use. This paper takes an abstract look at the algorithms that constitute the Optimized Link State Routing Protocol version 2 (OLSRv2), and identifies for each protocol element the possible vulnerabilities and attacks – in a certain way, provides a “cookbook” for how to best attack an operational OLSRv2 network, or for how to proceed with developing protective countermeasures against these attacks.
Optimal remote access trojans detection based on network behaviorIJECEIAES
RAT is one of the most infected malware in the hyper-connected world. Data is being leaked or disclosed every day because new remote access Trojans are emerging and they are used to steal confidential data from target hosts. Network behavior-based detection has been used to provide an effective detection model for Remote Access Trojans. However, there is still short comings: to detect as early as possible, some False Negative Rate and accuracy that may vary depending on ratio of normal and malicious RAT sessions. As typical network contains large amount of normal traffic and small amount of malicious traffic, the detection model was built based on the different ratio of normal and malicious sessions in previous works. At that time false negative rate is less than 2%, and it varies depending on different ratio of normal and malicious instances. An unbalanced dataset will bias the prediction model towards the more common class. In this paper, each RAT is run many times in order to capture variant behavior of a Remote Access Trojan in the early stage, and balanced instances of normal applications and Remote Access Trojans are used for detection model. Our approach achieves 99 % accuracy and 0.3% False Negative Rate by Random Forest Algorithm.
This report provides the results from a technical investigation into the distribution and impact of banking Trojan Vawtrak v2 and the behavior of the cybercriminal groups behind it.
Our Threat Intelligence Research Labs team used advanced search and pattern correlation algorithms to perform big data analysis in-house at Blueliv.
Lab3/code.c
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <wchar.h>
void dga(int year, int month, int day)
{
char alphabets[]={'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'};
printf("domain is syn-%c%c%c.com\n",alphabets[year-2000],alphabets[month*2],alphabets[10]);
}
int main()
{
char test[]="Simple DGA example for CIT406";
SYSTEMTIME st;
GetLocalTime(&st);
dga(st.wYear, st.wMonth, st.wDay);
return 0;
}
Lab3/Lab 3.docx
Lab 3 Domain Generation Algorithm Reverse Engineering
Scenario:
The university has caught a malware operator on campus and found a domain generating algorithm (DGA) on the campus-owned computer which this person was using. The campus has asked you to figur out how it works so that they can potentially use the command and control server for research like is described here in the attached pdf. (PDF attached it the folder called stone-gross)
The file you will need to figure out is here (this is written in the computer language C, not malware)
(this file is attached in the folder called code.c)
One way to find out how something works is using IDA in Kali Linux information about kali can be found here: kali.org. Some basic stuff about IDA can be found here: http://securityxploded.com/reversing-basics-ida-pro.php (Links to an external site.). These resources will not be sufficient to get you all the way through the lab, because they were not designed as a step by step walkthrough of the lab, you will need to take the knowledge from these resources and others that you find to complete the lab.
I attached the exe file. You have to unzip the file. The exe file has to be run from command line (in a SAFE environment i.e. a virtual machine).
When reverse engineering the exe file, you should be looking at _dga/dga function. You can use IDA Pro.
For this lab, you will need to: find out what you can from the files attached, following a lab report format outlined in lab 2. Take a lot of screenshots.
Lab3/Lab 4.docx
You will need to download the Kali 2.0 iso from kali.org and create a virtual machine in Virtualbox. Create a virtual machine with INTERNAL networking (tHIS IS IMPORTANT for the security of your network) using the Kali live iso.
Then you will need to look on the Penetration Tester Academy (or pentester academy) for an iso with vulnerable web applications OR find DVL (Damn Vulnerable Linux) from distrowatch.com. With this iso, create a second VM with INTERNAL networking ONLY (for the security of your network).
- Take screenshots (with a notepad file open in the background with your name).
- Exploit the vulnerable VM (whether you are using the vulnerable web applications or a vulnerable virtual machine) in at least 2 different ways: 1 should be remote code execution or Cross-Site Scripting (also CSS or XSS).
Lab3/stone-gross.pdf
Your Botnet is My Botnet: Analysis of a Botnet ...
lab3/cdga.zip
lab3/code.c
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <wchar.h>
void dga(int year, int month, int day)
{
char alphabets[]={'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'};
printf("domain is syn-%c%c%c.com\n",alphabets[year-2000],alphabets[month*2],alphabets[10]);
}
int main()
{
char test[]="Simple DGA example for CIT406";
SYSTEMTIME st;
GetLocalTime(&st);
dga(st.wYear, st.wMonth, st.wDay);
return 0;
}
lab3/Domain Generation Algorithm Reverse Engineering.docx
Scenario:
The university has caught a malware operator on campus and found a domain generating algorithm (DGA) on the campus-owned computer which this person was using. The campus has asked you to figure out how it works so that they can potentially use the command and control server for research like is described here in the attached pdf. (Attached in folder)
The file you will need to figure out is here (this is written in the computer language C, not malware) (this file is attached in folder).
One way to find out how something works is using IDA in Kali Linux information about kali can be found here: kali.org. Some basic stuff about IDA can be found here:
http://securityxploded.com/reversing-basics-ida-pro.php (Links to an external site.). These resources will not be sufficient to get you all the way through the lab, because they were not designed as a step by step walkthrough of the lab, you will need to take the knowledge from these resources and others that you find to complete the lab.
I attached the exe file. You have to unzip the file. The exe file has to be run from command line (in a SAFE environment i.e. a virtual machine).
When reverse engineering the exe file, you should be looking at _dga/dga function. You can use IDA Pro. (The .exe file is attached in folder)
For this lab, you will need to: find out what you can from the files attached, following a lab report format outlined which is abstract, discussion, and conclusion. Take a lot of screenshots
lab3/stone-gross+cova+cavallaro+gilbert+szydlowski+kemmerer+kruegel+vigna+yourBotnetIsMyBotnet.pdf
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski,
Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Department of Computer Science, University of California, Santa Barbara
{bstone,marco,sullivan,rgilbert,msz,kemm,chris,vigna}@cs.ucsb.edu
ABSTRACT
Botnets, networks of malware-infected machines that are controlled
by an adversary, are the root cause of a large number of security
problems on the Internet. A particularly sophisticated and insidi-
ous type of bot is Torpig, a malware program that is designed to
harvest sensitive information (such as bank account and credit card
data) from its victims. In this paper, we report on our effo ...
Botnets are emerging as the most serious threat against cyber-security as they provide a distributed platform for several illegal activities such as launching distributed denial of service attacks against critical targets, malware dissemination, phishing, and click fraud. The defining characteristic of botnets is the use of command and control channels through which they can be updated and directed. Recently, botnet detection has been an interesting research topic related to cyber-threat and cyber-crime prevention. This paper is a survey of botnet and botnet detection. The survey clarifies botnet phenomenon and discusses botnet detection techniques. This survey classifies botnet detection techniques into four classes: signature-based, anomaly-based, DNS-based, and mining-base.
This report provides the results from a technical investigation into the distribution and impact of banking Trojan Vawtrak v2 and the behavior of the cybercriminal groups behind it.
Our Threat Intelligence Research Labs team used advanced search and pattern correlation algorithms to perform big data analysis in-house at Blueliv.
Lab3/code.c
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <wchar.h>
void dga(int year, int month, int day)
{
char alphabets[]={'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'};
printf("domain is syn-%c%c%c.com\n",alphabets[year-2000],alphabets[month*2],alphabets[10]);
}
int main()
{
char test[]="Simple DGA example for CIT406";
SYSTEMTIME st;
GetLocalTime(&st);
dga(st.wYear, st.wMonth, st.wDay);
return 0;
}
Lab3/Lab 3.docx
Lab 3 Domain Generation Algorithm Reverse Engineering
Scenario:
The university has caught a malware operator on campus and found a domain generating algorithm (DGA) on the campus-owned computer which this person was using. The campus has asked you to figur out how it works so that they can potentially use the command and control server for research like is described here in the attached pdf. (PDF attached it the folder called stone-gross)
The file you will need to figure out is here (this is written in the computer language C, not malware)
(this file is attached in the folder called code.c)
One way to find out how something works is using IDA in Kali Linux information about kali can be found here: kali.org. Some basic stuff about IDA can be found here: http://securityxploded.com/reversing-basics-ida-pro.php (Links to an external site.). These resources will not be sufficient to get you all the way through the lab, because they were not designed as a step by step walkthrough of the lab, you will need to take the knowledge from these resources and others that you find to complete the lab.
I attached the exe file. You have to unzip the file. The exe file has to be run from command line (in a SAFE environment i.e. a virtual machine).
When reverse engineering the exe file, you should be looking at _dga/dga function. You can use IDA Pro.
For this lab, you will need to: find out what you can from the files attached, following a lab report format outlined in lab 2. Take a lot of screenshots.
Lab3/Lab 4.docx
You will need to download the Kali 2.0 iso from kali.org and create a virtual machine in Virtualbox. Create a virtual machine with INTERNAL networking (tHIS IS IMPORTANT for the security of your network) using the Kali live iso.
Then you will need to look on the Penetration Tester Academy (or pentester academy) for an iso with vulnerable web applications OR find DVL (Damn Vulnerable Linux) from distrowatch.com. With this iso, create a second VM with INTERNAL networking ONLY (for the security of your network).
- Take screenshots (with a notepad file open in the background with your name).
- Exploit the vulnerable VM (whether you are using the vulnerable web applications or a vulnerable virtual machine) in at least 2 different ways: 1 should be remote code execution or Cross-Site Scripting (also CSS or XSS).
Lab3/stone-gross.pdf
Your Botnet is My Botnet: Analysis of a Botnet ...
lab3/cdga.zip
lab3/code.c
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <wchar.h>
void dga(int year, int month, int day)
{
char alphabets[]={'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z'};
printf("domain is syn-%c%c%c.com\n",alphabets[year-2000],alphabets[month*2],alphabets[10]);
}
int main()
{
char test[]="Simple DGA example for CIT406";
SYSTEMTIME st;
GetLocalTime(&st);
dga(st.wYear, st.wMonth, st.wDay);
return 0;
}
lab3/Domain Generation Algorithm Reverse Engineering.docx
Scenario:
The university has caught a malware operator on campus and found a domain generating algorithm (DGA) on the campus-owned computer which this person was using. The campus has asked you to figure out how it works so that they can potentially use the command and control server for research like is described here in the attached pdf. (Attached in folder)
The file you will need to figure out is here (this is written in the computer language C, not malware) (this file is attached in folder).
One way to find out how something works is using IDA in Kali Linux information about kali can be found here: kali.org. Some basic stuff about IDA can be found here:
http://securityxploded.com/reversing-basics-ida-pro.php (Links to an external site.). These resources will not be sufficient to get you all the way through the lab, because they were not designed as a step by step walkthrough of the lab, you will need to take the knowledge from these resources and others that you find to complete the lab.
I attached the exe file. You have to unzip the file. The exe file has to be run from command line (in a SAFE environment i.e. a virtual machine).
When reverse engineering the exe file, you should be looking at _dga/dga function. You can use IDA Pro. (The .exe file is attached in folder)
For this lab, you will need to: find out what you can from the files attached, following a lab report format outlined which is abstract, discussion, and conclusion. Take a lot of screenshots
lab3/stone-gross+cova+cavallaro+gilbert+szydlowski+kemmerer+kruegel+vigna+yourBotnetIsMyBotnet.pdf
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski,
Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Department of Computer Science, University of California, Santa Barbara
{bstone,marco,sullivan,rgilbert,msz,kemm,chris,vigna}@cs.ucsb.edu
ABSTRACT
Botnets, networks of malware-infected machines that are controlled
by an adversary, are the root cause of a large number of security
problems on the Internet. A particularly sophisticated and insidi-
ous type of bot is Torpig, a malware program that is designed to
harvest sensitive information (such as bank account and credit card
data) from its victims. In this paper, we report on our effo ...
Botnets are emerging as the most serious threat against cyber-security as they provide a distributed platform for several illegal activities such as launching distributed denial of service attacks against critical targets, malware dissemination, phishing, and click fraud. The defining characteristic of botnets is the use of command and control channels through which they can be updated and directed. Recently, botnet detection has been an interesting research topic related to cyber-threat and cyber-crime prevention. This paper is a survey of botnet and botnet detection. The survey clarifies botnet phenomenon and discusses botnet detection techniques. This survey classifies botnet detection techniques into four classes: signature-based, anomaly-based, DNS-based, and mining-base.
A Dynamic Botnet Detection Model based on Behavior Analysisidescitation
Today different types of malware exist in the Internet. Among them one of the
malware is known as botnet which is frequently used for many cyber attacks and crimes in
the Internet. Currently botnets are the main rootcause for several illegal activities like
spamming, DDoS, click fraud etc. Botnets operate under the command and control(C&C)
infrastructure which makes its functioning unique. As long as the Internet exists botnet also
will exist. It can be used to perpetrate many Internet crimes. So fighting against them is a
challenging problem. The P2P-decentralized based botnets are more dangerous than
centralized botnets. In this paper a novel approach for the detection of P2P based botnet is
presented. The proposed approach for the detection of botnet in the network stream
analysis has been done in three phases. The first phase begins with the identification of P2P
node and the second phase deals with the clustering of the suspicious P2P node. Finally
botnet detection procedure has been applied which is based on stability of bots.
Experimental results show that the proposed approach detects more number of bots with
high accuracy.
Nowadays, cyber-attacks from botnets are increasing at a faster rate than any other malware spread. Detecting the botmaster who commands the tasks has become more difficult. Most of the detecting methods are based on the features of any communication protocol or the history of the network traffic. In this paper, a rational approach is brought for the live detection of the botmaster in the internal network. The victim machine monitors its packets and compromises the bots in the network and finds the traces to the botmaster. This approach works independent of the structure of the botnet, and will be a better option for online detection of the botmaster.
Detection of Botnets using Honeypots and P2P BotnetsCSCJournals
A “botnet” is a group of compromised computers connected to a network, which can be used for both recognition and illicit financial gain; controlled by an attacker (bot-herder). Among the counter measures proposed in the recent developments is the “Honeypot”. The attacker who would be aware of the Honeypot would take adequate steps to maintain the botnet, hence attack the Honeypot (Infected Honeypot). In this paper we propose a method to remove the infected Honeypot by Constructing a Peer-to-peer structured botnet which would detect the uninfected Honeypot and use it to detect botnets originally used by the attacker. Our simulation shows that this method is very effective and can detect the botnets that are intended to malign the network.
Guarding Against Large-Scale Scrabble In Social NetworkEditor IJCATR
Generally, the botnet is one of the most dangerous threats in the network. It has number attackers in the network. The
attacker consists of DDOS attack, remote attack, etc., Bots perform perform repetitive tasks automatically or on a schedule over the
internet, tasks that would be too mundane or time-consuming for an actual person. But the botnets have stealthy behavior as they are
very difficult to identify. These botnets have to be identified and the internet have to be protected. Also the the activity of botnets must
be prevented to provide the users, a reliable service. The past of botnet detection has a transaction process which is not secure. A
efficient stastical data classifier is required to train the botent preventions system. To provide the above features clustering based
analysis is done. our approach can detect and profile various P2P applications rather than identifying a specific P2P application.
Anomaly based detection technique is used to obtain this goal.
Botminer Clustering Analysis Of Network Traffic For Protocol And Structure...ncct
final Year Projects, Final Year Projects in Chennai, Software Projects, Embedded Projects, Microcontrollers Projects, DSP Projects, VLSI Projects, Matlab Projects, Java Projects, .NET Projects, IEEE Projects, IEEE 2009 Projects, IEEE 2009 Projects, Software, IEEE 2009 Projects, Embedded, Software IEEE 2009 Projects, Embedded IEEE 2009 Projects, Final Year Project Titles, Final Year Project Reports, Final Year Project Review, Robotics Projects, Mechanical Projects, Electrical Projects, Power Electronics Projects, Power System Projects, Model Projects, Java Projects, J2EE Projects, Engineering Projects, Student Projects, Engineering College Projects, MCA Projects, BE Projects, BTech Projects, ME Projects, MTech Projects, Wireless Networks Projects, Network Security Projects, Networking Projects, final year projects, ieee projects, student projects, college projects, ieee projects in chennai, java projects, software ieee projects, embedded ieee projects, "ieee2009projects", "final year projects", "ieee projects", "Engineering Projects", "Final Year Projects in Chennai", "Final year Projects at Chennai", Java Projects, ASP.NET Projects, VB.NET Projects, C# Projects, Visual C++ Projects, Matlab Projects, NS2 Projects, C Projects, Microcontroller Projects, ATMEL Projects, PIC Projects, ARM Projects, DSP Projects, VLSI Projects, FPGA Projects, CPLD Projects, Power Electronics Projects, Electrical Projects, Robotics Projects, Solor Projects, MEMS Projects, J2EE Projects, J2ME Projects, AJAX Projects, Structs Projects, EJB Projects, Real Time Projects, Live Projects, Student Projects, Engineering Projects, MCA Projects, MBA Projects, College Projects, BE Projects, BTech Projects, ME Projects, MTech Projects, M.Sc Projects, Final Year Java Projects, Final Year ASP.NET Projects, Final Year VB.NET Projects, Final Year C# Projects, Final Year Visual C++ Projects, Final Year Matlab Projects, Final Year NS2 Projects, Final Year C Projects, Final Year Microcontroller Projects, Final Year ATMEL Projects, Final Year PIC Projects, Final Year ARM Projects, Final Year DSP Projects, Final Year VLSI Projects, Final Year FPGA Projects, Final Year CPLD Projects, Final Year Power Electronics Projects, Final Year Electrical Projects, Final Year Robotics Projects, Final Year Solor Projects, Final Year MEMS Projects, Final Year J2EE Projects, Final Year J2ME Projects, Final Year AJAX Projects, Final Year Structs Projects, Final Year EJB Projects, Final Year Real Time Projects, Final Year Live Projects, Final Year Student Projects, Final Year Engineering Projects, Final Year MCA Projects, Final Year MBA Projects, Final Year College Projects, Final Year BE Projects, Final Year BTech Projects, Final Year ME Projects, Final Year MTech Projects, Final Year M.Sc Projects, IEEE Java Projects, ASP.NET Projects, VB.NET Projects, C# Projects, Visual C++ Projects, Matlab Projects, NS2 Projects, C Projects, Microcontroller Projects, ATMEL Projects, PIC Projects, ARM Projects, DSP Projects, VLSI Projects, FPGA Projects, CPLD Projects, Power Electronics Projects, Electrical Projects, Robotics Projects, Solor Projects, MEMS Projects, J2EE Projects, J2ME Projects, AJAX Projects, Structs Projects, EJB Projects, Real Time Projects, Live Projects, Student Projects, Engineering Projects, MCA Projects, MBA Projects, College Projects, BE Projects, BTech Projects, ME Projects, MTech Projects, M.Sc Projects, IEEE 2009 Java Projects, IEEE 2009 ASP.NET Projects, IEEE 2009 VB.NET Projects, IEEE 2009 C# Projects, IEEE 2009 Visual C++ Projects, IEEE 2009 Matlab Projects, IEEE 2009 NS2 Projects, IEEE 2009 C Projects, IEEE 2009 Microcontroller Projects, IEEE 2009 ATMEL Projects, IEEE 2009 PIC Projects, IEEE 2009 ARM Projects, IEEE 2009 DSP Projects, IEEE 2009 VLSI Projects, IEEE 2009 FPGA Projects, IEEE 2009 CPLD Projects, IEEE 2009 Power Electronics Projects, IEEE 2009 Electrical Projects, IEEE 2009 Robotics Projects, IEEE 2009 Solor Projects, IEEE 2009 MEMS Projects, IEEE 2009 J2EE P
Botnets gained wide visibility in the last few years, becoming one of the most observed and dangerous threats in the malware landscape. This is mainly due to the fact that botnets represents a very valuable and flexible asset in the arsenal of hackers and APTs. We’ve seen botnets becoming real cyber-weapons, capable of targeting nations and the business of famous companies. For this reason, it is crucial to design techniques able to detect bot-infected hosts at different levels (enterprise, ISP, etc.). Different kind of techniques have been studied and researched in the last years, in a never ending race between attackers and defenders. In this work a representative set of the entire literature is analyzed, enlightening the different kind of state-of-theart approaches that researchers have followed with the ultimate goal of designing effective botnet detection solutions. The objective is producing a taxonomy of the botnet detection techniques, showing possible research directions in designing new techniques to mitigate the risks associated to botnet based attacks.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Enhancing Performance with Globus and the Science DMZGlobus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Walowdac Botnet Whitepaper
1. Walowdac – Analysis of a Peer-to-Peer Botnet∗
Ben Stock1 , Jan G¨bel1 , Markus Engelberth1 , Felix C. Freiling1 , and Thorsten Holz1,2
o
1 2
Laboratory for Dependable Distributed Systems Secure Systems Lab
University of Mannheim Technical University Vienna
Abstract Denial of Service (DDoS) attacks threaten every
system connected to the Internet. Therefore, it
A botnet is a network of compromised machines is crucial to explore ways of detecting and miti-
under the control of an attacker. Botnets are gating current and new botnets.
the driving force behind several misuses on the The first generation of botnets uses a central
Internet, for example spam mails or automated Command & Control (C&C) server to dispatch
identity theft. In this paper, we study the most commands. This type of botnet is rather well-
prevalent peer-to-peer botnet in 2009: Waledac. understood [4, 7, 14] and the technique of botnet
We present our infiltration of the Waledac bot- tracking [7] is now a standard method to miti-
net, which can be seen as the successor of the gate this type of threat. The second generation
Storm Worm botnet. To achieve this we im- of botnets tries to avoid a centralized infrastruc-
plemented a clone of the Waledac bot named ture by using a peer-to-peer-based communica-
Walowdac. It implements the communication tion mechanism [8]. The most prominent exam-
features of Waledac but does not cause any ple for this class of botnets is the Storm Worm
harm, i.e., no spam emails are sent and no other botnet that used a distributed hash table as com-
commands are executed. With the help of this munication medium. This mechanism offered a
tool we observed a minimum daily population rather centralized way to infiltrate and analyze
of 55,000 Waledac bots and a total of roughly the botnet [10, 11].
390,000 infected machines throughout the world. The Waledac botnet can be regarded as the
Furthermore, we gathered internal information successor of Storm Worm. However, Waledac
about the success rates of spam campaigns and uses a more decentralized store-and-forward
newly introduced features like the theft of cre- communication paradigm and new communica-
dentials from victim machines. tion protocols so we had to develop novel tech-
niques to track this botnet.
1 Introduction
Related Work. The communication proto-
Botnets, i.e., networks of compromised under the col used by Waledac was already studied by
control of an attacker, are nowadays one of the Leder [12] and Sinclair [15]. Symantec [16] and
most severe threats in Internet security. With a Trend Micro [1] recently released reports about
large number of participating bots, a tremendous the implemented features of Waledac, including
number of spam emails can be send out to for the spam template system, as well as attempts
example acquire new hosts, or to advertise a di- to measure the size of the botnet. A study by
verse set of products. Additionally, Distributed ESET [2] estimated the size of the Waledac bot-
∗
net around 20,000 bots.
Thorsten Holz was supported by the WOMBAT and
FORWARD projects funded by the European Commis-
Another study focussing on Waledac was per-
sion, and the FIT-IT Trust in IT-Systems (Austria) un- formed by Borup [3]. The focus of this work is on
der the project TRUDIE (P820854). the C&C protocol, the binary obfuscation tech-
1
2. niques, as well as mitigation methods against the 2 Background
botnet. The author describes a Sybil attack [6]
that we also used to generate the statistical data In this section, we briefly describe the setup of
that we present in this paper. the Waledac botnet and its propagation mecha-
nism. More details of the botnet and the tech-
nical aspects of its implementation are available
Contributions. In this paper, we present the in different studies [1, 3, 12, 15, 16].
results of yet another analysis of Waledac. Our
focus was to try and verify previous measure-
2.1 Waledac Botnet Structure
ments as well as building and refining tools to
study the botnet efficiently. In contrast to the The botnet consists of (at least) four different
analysis of previous decentralized botnets, a sim- layers, that we describe in the following from
ple crawling of active peers was no solution to bottom to top. Figure 1 shows how these lay-
gather in-depth information like the size of the ers are connected and what kind of information
botnet. Instead, we implemented a bot clone is exchanged between them.
to infiltrate the network and capture all data
passing through this system. Furthermore, to
measure the size we actively interfered with the Mothership?
botnet to inject the IP addresses of our analysis
systems, a method not applied before.
We collected data about the botnet for almost
one month between August 6 and September 1,
Commands
2009. Our measurement results reveal that the Backend- Fast-Flux Traffic
actual size of the botnet is by far bigger than Server Repeaterlists
expected, rendering Waledac one of the most ef-
ficient spam botnets in the wild. We observed
a minimum population of 55,000 bots every day,
with almost 165,000 active bots on a typical day.
In total, we counted more than 390,000 individ- Repeater Repeater
ual bots indicating a similar number of infected
machines during the measurement period.
While investigating the botnet, we also wit-
nessed several changes the bot master applied
to the botnet to introduce new features like the Spammer
Uninfected
theft of credentials. We started our research with Host
version 33 of Waledac and finished our obser-
vation with version 46. Thus, the botnet is in
Figure 1: Schematic overview of the Waledac
active development with frequent updates and
botnet hierarchy.
changes to the core functionality.
At the lowest level of the botnet hierarchy are
Outline. This paper is organized as follows: the so called Spammers. These systems are used
Section 2 gives a brief background on how the to carry out the spam campaigns. The prop-
Waledac botnet is structured, the different roles erty that distinguishes Spammers from the other
of a bot, and their tasks in the botnet. We bots in the network, is that they do not have
present in Section 3 the different experiments we a publicly reachable IP address. That means
performed while monitoring the botnet and the Spammers are for example located behind NAT
results we achieved. Finally, we conclude this routers and therefore cannot be accessed from
paper in Section 4. the Internet directly. The benefit of this prop-
2
3. erty is that although Spammers generate the to ensure that no attacker can insert his own
most attraction due to the massive sending of Backend-Servers into the botnet.
spam emails, they cannot be easily tracked down.
At the next level are the so called Repeaters. 2.2 Propagation Mechanisms
These are the entry points for any new bot join-
ing the network, as well as, the place to go for The Waledac bots themselves do not own any
every running bot. For this reason only bots that built-in propagation mechanisms. That means,
own a publicly reachable IP address can become infected hosts do not scan their local network
a Repeater. A Repeater can be considered as for vulnerable systems. Instead, Waledac propa-
a mediator between the first (lowest) and third gates with the help of social engineering. Hence,
(backend) layer of the botnet. Spammers con- Spammers are frequently instructed to send out
tact the Repeaters to acquire new tasks from emails with URLs pointing to current version of
the bot master or report the success of previous Waledac. To increase the probability of infect-
operations. These requests are relayed to the ing new hosts, the self propagation emails are
next layer, the so called Backend-Servers. Ad- usually masked as greeting cards that host the
ditionally, the Repeaters act as fast-flux agents malicious binary, similar to Storm Worm [10].
for the different Waledac fast-flux domains [9].
That means they also relay HTTP requests of Backend-
uninfected hosts. Server
The next level consists of the Backend-Servers
that answer both the transmitted requests of
8.) Waledac Binary
7.) GET /binary.exe
3.) Send Spam
the Spammers and the fast-flux queries of the 2.) Task?
Repeaters. As the Backend-Servers are per-
fectly synchronized and use a webserver software,
called nginx, that is mainly used for proxy pur-
poses, the assumption of a single server (mother- Repeater
ship) on top of the botnet is obvious. However, 6.)
GE Uninfected
only the analysis of one of the Backend-Servers 9.)
T/
bin
ary
Host
Wa .ex
le
can prove this assumption right.
4.) Send Spam
dac e
Bin
ary
1.) Task?
Although in related works Waledac is referred
to as a pure peer-to-peer botnet, it uses a cen-
il?
tralized structure in the upper layers and only -Ma
S pam
the lower ones (Spammers and Repeaters) make 5.)
up the peer-to-peer part. For this reason, the
Repeaters and the Spammers continuously ex- Spammer
change lists of currently active Repeaters. This
ensures that any bot at any time has at least one Figure 2: Schematic overview of the Waledac in-
currently running Repeater in his list to join the fection cycle.
botnet. As an additional backup, each bot bi-
nary contains a hardcoded fail-over URL which Figure 2 visualizes the infection cycle of the
itself is hosted within the fast-flux network of Waledac botnet. The number at each line
Waledac. This URL points to another list of indicates the order in which actions are per-
active Repeaters. Thus, if a bot is unable to formed. The infection cycle can be summarized
contact ten Repeaters consecutively on its local as follows: a Spammer frequently queries one
list, it downloads a new list from the fail-over of the active Repeaters for new tasks to per-
URL. Additionally, Repeaters exchange lists of form. These queries are relayed to one of the
the currently active Backend-Servers. This list is Backend-Servers, that in turn replies with the
signed with the private key of the botnet herder, current task. In this case, the task is to send
3
4. out spam messages for propagation. An unin- In order give a more precise lower bound of the
fected host that receives one of the emails and Waledac botnet, we push several IP addresses of
follows the embedded link issues a request for hosts running Walowdac into the botnet. This is
the current Waledac binary to one of the fast- possible as Repeaters do not validate the list of
flux agents currently assigned to this domain. Repeater IP addresses they receive. Thus, any-
Again, one of the Backend-Servers transmits the time our script connects to a Repeater, it sends a
requested content across the agent back to the list of its own IP addresses to the Repeater. As a
requesting host. Depending on the reachability result, the IP addresses of our Walowdac systems
of the freshly infected host, it will either show are propagated throughout the complete botnet
up as a new Repeater or Spammer. and Spammer systems start to connect to us.
Figure 3 depicts the single steps performed to
distribute the IP addresses of our fake Repeater.
3 Measurements That way, we are able to measure not only the
For our measurements we ran multiple instances number of Repeaters, but also a large fraction
of Walowdac on computers at Mannheim univer- of Spammers. Among the information we store
sity. Considering the single location, all our re- while running our Waledac imitation are times-
sults for the size should be seen as lower bounds. tamps, IP addresses and identification numbers
of connecting hosts, Windows and Waledac ver-
sions, as well as Spam campaign data distributed
3.1 Methodology: Walowdac
through the botnet. With the newer versions of
Our main objective while investigating Waledac Waledac we also captured stolen credentials of
was to find out more about the actual size of POP3, FTP, and HTTP accounts. During our
the botnet. As the Spammers are not reachable, monitoring period of one month, we collected
just crawling the Repeaters does not provide an login data for 128,271 FTP, 93,950 HTTP, and
accurate size of the botnet. To circumvent this 39,051 POP3 accounts. We have not yet further
problem and to provide a much more accurate investigated the stolen credentials, as this is out
number of bots, we implemented a script to imi- of the scope of this paper.
tate a valid Waledac Repeater. The software im- All bots within the Waledac botnet can be
plements all communication parts of a Repeater, identified by a node ID. This node ID is gen-
but answers the requests directly instead of for- erated directly after an infection and does not
warding them. We refer to this script as Walow- change throughout the lifetime of a bot. Bots
dac, as it is a low-interaction Waledac clone. embed this node ID in every message they ex-
change [16] so it is a good candidate to define a
1.) fake peerlist uniqueness criterion.
Walowdac
Repeater
3.2 Results
The results described in this section were gath-
3.
)f
ak
ered between August 6th and September 1st,
e
pe
er
2009. For the allocation of IP addresses to
lis
ac o
2.
t
wd ct t
)n
countries we used the free version of the GeoIP
alo e
ew
W onn
pe
database maintained by MaxMind [13].
c
er
4.)
lis
t?
Botnet Size. During the data collection pe-
Spammer
riod, we measured 248,983 different node IDs.
The maximum number of node IDs on a sin-
Figure 3: Injecting fake Repeater IP addresses gle day was 102,748 on August 24th. Although
into the botnet. the node IDs are randomly generated and should
4
5. Figure 4: Distribution of running bots according to their location and time on August 24th.
be unique across the botnet, we also monitored
several hosts originating in different autonomous
160000 240000 320000 400000
systems (AS), using the same node ID. The rea-
son might be collisions in the node ID generation
Bots' IP addresses (accumulated)
algorithm used by Waledac. With this fact in
mind we recalculated the number of bots on Au-
gust 24th using the node ID and AS as unique-
ness criteria, resulting in a total of 164,182 bots.
The size of the Waledac botnet we obtained is 188.0.0.0 223.0.0.0
80000
much higher than previous estimations published 58.0.0.0 100.0.0.0
by Trend Micro [1] or ESET [2].
0
Figure 4 shows the hourly number of bots run-
0.0.0.0 50.0.0.0 100.0.0.0 150.0.0.0 200.0.0.0 250.0.0.0
ning on August 24th worldwide. For comparison
IP address space
the figure also shows the number of bots located
in Central Europe and North America, at the
particular hours. The picture also shows the fluc- Figure 5: Cumulative distribution of IP ad-
tuation (diurnal pattern) of running bots due to dresses infected with Waledac.
the different time zones they are located in [5].
Throughout our measurement period, we moni-
tored at least 55,000 node IDs, i.e. active bots,
every day. prise, as most of these IP addresses are managed
by the Regional Internet Registries ARIN and
A cumulative distribution of the bots’ IP ad-
RIPE NCC, which are responsible for the regions
dresses is shown in Figure 5. We counted all
North America and Europe, respectively.
bots monitored during the whole data collection
period and again used the node ID and AS as This fact is also reflected in Table 6a: Most of
uniqueness criteria. As a result, we counted the Spammers originated in the US or in Central
a total of 403,685 bots. The distribution is Europe. The distribution of the Repeaters (see
highly non-uniform: The majority of bots are lo- Table 6b) is very similar and differs only in the
cated in the IP address ranges between 58.*–99.* order of the countries. The main difference is
and 186.*–222.*. This does not come as a sur- that there are more Repeaters in India than in
5
6. Table 6: Top countries in which Waledac bots are located.
Country # Bots Percentage Country # Bots Percentage
United States 67,805 17.34% United States 5,048 19.50%
United Kingdom 30,347 7.76% India 1,456 5.63%
France 27,542 7.04% France 1,386 5.36%
Spain 23,065 5.90% United Kingdom 1,348 5.21%
India 21,503 5.50% Spain 1,191 4.60%
Other 220,807 56.46% other 15,452 59.70%
(a) Spammers (b) Repeaters
the United Kingdom and more Spammers in the
Listing 1: First packet sent after negotiating the
United Kingdom than in India.
session key.
<lm>
Waledac Versions and Distribution Cam- <t>f i r s t </t>
paigns. At the beginning of our measurement <v>34</v>
phase most of the monitored bots were running <i >4b 5 d a 6 1 f 8 d 1 4 e 5 3 f e 9 2 5 2 6 6 9 4 2 7 7 6 9 5 e </i >
<r >0</r>
Waledac version 34. The bot’s version number <props>
is sent in all its communication packets. <p n=” l a b e l ”> m i r a b e l l a s i t e </p>
An example of a so called first packet is shown <p n=”winver ” >5.1.2600 </p>
in Listing 1. These kind of packets are only sent </props>
</lm>
at the bot’s first start after negotiating the ses-
sion key. The version number is included in the
<v>-tag [1, 3, 12, 15, 16].
On July 20, 2009, the botnet was ordered to Next to the current version installed on a
download and run version 36 of Waledac. How- Waledac bot, bots also send the name of the cam-
ever, the command was issued just for a couple of paign which distributed the binary. For exam-
hours, thus, systems not online during this time ple, this information is also included in the first
were unable to update. As a result, even two packets (see Listing 1) – <p>-tag with attribute
weeks after the update was issued (July 31st), n="label". At the beginning of July the biggest
still more than 30 percent of the bots we mon- campaigns identified were birdie6 and swift, with
itored were running the old version 34. That 12,5 percent of all infected machines. The cur-
means, Waledac bots lack a decent update mech- rent campaigns distributing version 46 are called
anism, since although bots propagate their run- spyware.
ning version, they are not updated once the com-
mand is no longer issued. On July 25th, we
monitored the first version 39 bots connecting to OS Version of Infected Machines. Al-
our fake Repeater script. The latest version we though Waledac bots do not continuously send
monitored was 46, which indicates, that the bot- their operating system version with every packet,
net is still actively developed. With version 36, but only the first, we managed to capture few of
the collection of user credentials was introduced. these first packets. However, only about 10 per-
Table 1 summarizes the distribution of Waledac cent of all monitored bots established this initial
versions monitored on two different days. At the connection to Walowdac. Thus, the results of
end of July, most bots are still running version 34 this measurement provide a coarse overview of
and 36. With the beginning of September this the distribution of the operating systems run-
shifted to almost 60% of the bots running the ning on infected machines. Table 2 summarizes
newest version 46. the operating system codes found in initial pack-
6
7. Table 1: Distribution of Waledac version across all monitored bots at the end of July and beginning
of September.
Versionscode 31.7.2009 (65,924 Bots) 9.9.2009 (74,280 Bots)
< 33 114 (0.17%) 86 (0.12%)
33 440 (0.67%) 270 (0.36%)
34 20,718 (31.43%) 9,344 (12.58%)
35 51 (0.08%) 36 (0.05%)
36 35,572 (53.96%) 10,547 (14.20%)
37 2,658 (4.03%) 362 (0.49%)
39 5,681 (8.62%) 1,650 (2.22%)
40 689 (1.05%) 69 (0.09%)
41-45 0 (0.00%) 8,174 (11.00%)
46 0 (0.00%) 43,742 (58.89%)
Table 2: Distribution of Windows version codes (June 28th till July 18th.)
code belongs to number percent of bots
5.1.2600 XP (32 Bit) 10,899 90.2%
6.0.6001 Vista (SP1), Server 2008 678 5.6%
6.0.6000 Vista 353 2.9%
6.0.6002 Vista SP2, Server 2008 (SP2) 78 0.6%
5.2.3790 XP (64 Bit), Server 2003 39 0.3%
5.0.2195 2000 27 0.2%
ets. Windows XP still makes up most of all mon- end up in a user’s inbox. A recent experiment
itored bots, to no surprise. by ESET [2] revealed that on average a Spam-
mer using a normal dial-up account sends about
6,500 emails per hour, resulting in about 150,000
Spam Campaigns. Throughout the analysis
spam mails per day.
time we monitored different pharmacy and email
Taking into account that we monitored at least
harvesting campaigns. The harvesting emails
10,000 bots online at any time of day, gives
advertised cheap watches with the invitation to
Waledac a spam capacity of
contact certain emails if interested. Additionally,
several Waledac propagation campaigns were ob- 6, 500 ∗ 24 ∗ 10, 000 ∗ 0.2532 = 394, 992, 000
served. For this purpose, the botnet herder used
special events, like Valentines or Independence delivered mails per day. This number is only a
Day, to send out masses of spam messages con- rough estimation and corresponds to the emails
taining links to Waledac binaries. The same be- actually accepted by the receiving mailservers –
havior was already observed with Storm. theoretically Waledac is able to send more than
After each spam run a Spammer reports the 1.5 billion spam mails per day. However, this also
status of the transaction for each email. The sta- is only valid for 10,000 bots each hour with our
tus can either be ERR or OK. Thus, it is possible monitoring showing up to 30,000 bots per hour
to determine which mail servers did actually ac- during the daytime. Thus, this number might
cept the incoming email and for which addresses very well be tripled.
it was rejected. During our monitoring phase
we received a total of 662,611,078 notifications, 4 Conclusion
of which 167,784,234 were OK. This gives us an
average of 25.32% for the delivery of mails to In this paper, we showed that it is possible to in-
the recipient’s mailserver. In this scope we did filtrate the Waledac botnet by distributing spe-
not try to determine how many emails actually cially crafted peerlists to other Repeaters. As
7
8. a result, we were able to also collect data from European Symposium On Research In Com-
Spammers connecting to our fake system. That puter Security (ESORICS), 2005.
way we were able to capture few of the first pack-
[8] Julian B. Grizzard, Vikram Sharma, Chris
ets send by freshly infected systems. The anal-
Nunnery, Brent ByungHoon Kang, and
ysis of these packets revealed that most of the David Dagon. Peer-to-Peer Botnets:
compromised hosts are running Windows XP as Overview and Case Study. In Hot Topics
an operating system. in Understanding Botnets (HotBots), 2007.
We showed that current estimations about
the size of the Waledac botnet are far too low. [9] Thorsten Holz, Christian Gorecki, Konrad
At peaks we measured more than 160,000 bots, Rieck, and Felix Freiling. Measuring and
whereas ESET [2] for example counted just Detecting Fast-Flux Service Networks. In
20,000 bots. With this in mind, we can esti- 15th Network & Distributed System Security
Symposium (NDSS), 2008.
mate that the number of spam emails emitted
by Waledac is very high, rendering Waledac one [10] Thorsten Holz, Moritz Steiner, Frederic
of the most efficient spam botnets currently in Dahl, Ernst Biersack, and Felix Freiling.
the wild. The rapid changes to the malware with Measurements and Mitigation of Peer-to-
new versions showing up almost every two weeks Peer-based Botnets: A Case Study on
shows that Waledac is still actively developed. Storm Worm. In First Workshop on
Large-Scale Exploits and Emergent Threats
(LEET), 2008.
References
[11] Chris Kanich, Kirill Levchenko, Brandon
[1] Jonell Baltazar, Joey Costoya, and Ryan Enright, Geoffrey M. Voelker, and Stefan
Flores. Trend Micro: Infiltrating Waledac Savage. The Heisenbot Uncertainty Prob-
Botnet’s Covert Operations, July 2009. lem: Challenges in Separating Bots from
Chaff. In First Workshop on Large-Scale
[2] Sebasti´n Bortnik.
a How much spam
Exploits and Emergent Threats (LEET),
does waledac send?, 2009. Blog:
2008.
http://www.eset.com/.
[12] Felix Leder. Speaking waledac, 2009. Blog:
[3] Lasse Trolle Borup. Peer-to-peer botnets:
http://www.honeynet.org/node/348.
A case study on waledac. Master’s thesis,
Technical University of Denmark, 2009. [13] Maxmind. Geolocation and Online Fraud
[4] Evan Cooke, Farnam Jahanian, and Danny Prevention. http://www.maxmind.com/.
McPherson. The Zombie Roundup: Under- [14] Moheeb Abu Rajab, Jay Zarfoss, Fabian
standing, Detecting, and Disrupting Bot- Monrose, and Andreas Terzis. A Mul-
nets. In Steps to Reducing Unwanted Traffic tifaceted Approach to Understanding the
on the Internet (SRUTI), 2005. Botnet Phenomenon. In 6th Internet Mea-
[5] David Dagon, Cliff Zou, and Wenke Lee. surement Conference (IMC), 2006.
Modeling Botnet Propagation Using Time [15] Greg Sinclair. Waledac’s communcation
Zones. In 13th Network and Distributed Sys- protocol, 2009. Blog: http://bit.ly/
tem Security Symposium (NDSS), 2006. MWOA2.
[6] John R. Douceur. The Sybil Attack. In
[16] Gilou Tenebro. W32.Waledac Threat Anal-
First International Workshop on Peer-to-
ysis. Technical report, Symantec, 2009.
Peer Systems (IPTPS), 2002.
[7] Felix Freiling, Thorsten Holz, and Georg
Wicherski. Botnet Tracking: Exploring a
Root-Cause Methodology to Prevent Dis-
tributed Denial-of-Service Attacks. In 10th
8