PHOENIX & CERBERUS: We haz botnets!
BlueHat conference, October 9th, 2014
Stefano Schiavoni, Edoardo Colombo, Federico Maggi, Lorenzo Cavallaro, Stefano Zanero
Politecnico di Milano (NECST Laboratory) & Royal Holloway, University of London
BOTNETS
BOTNETS > REMINDER OF DEFINITIONS
Figure: the botmaster controls the zombies (the bots) through the C&C server.
CENTRALIZED BOTNETS > C&C CHANNEL
Figure: the C&C channel between botmaster and bot, carrying commands one way and data/feedback the other.
botmaster → bot: commands to execute, attacks to launch
bot → botmaster: harvested information, feedback
CENTRALIZED BOTNETS > MITIGATION
Figure: bot and C&C server.
x C&C channel: single point of failure (take the server down and the bots are cut off).
x Rallying mechanisms: the botmaster's countermeasure, letting the bots find a new C&C server.
BOTNETS > DOMAIN GENERATION ALGORITHMS
Figure: the bot walks its generated list until a name resolves.
C&C server: sjq.info
Bot → DNS resolver: query ahj.info
DNS resolver → Bot: NXDOMAIN
Bot → DNS resolver: query sjq.info
DNS resolver → Bot: 131.75.67.3
C&C channel open.
DGA > BENEFITS FOR THE BOTMASTERS
x Asymmetry, botmasters vs. defenders:
→ thousands of domain names,
→ only one is the right one.
x Blacklists do not work well.
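The rallying exchange of the figure above, as an added example that is not part of the slides: a toy DGA derives the day's candidate list from a seed, the botmaster registers one of the names, and the bot walks the list collecting NXDOMAIN replies until one resolves. The seed, the date, the list size and the C&C address are assumptions; real DGAs differ in PRNG, alphabet and TLD set but share this shape.

```python
# Added example (not from the slides): a toy DGA plus the bot-side rallying
# loop, run against a constructed resolver. Seed, date, list size and the
# C&C address are assumptions.
import hashlib
from datetime import date

TLDS = ("info", "org", "com")


def dga(seed, day, count, label_len=3):
    """Deterministic daily candidate list: bot and botmaster compute the same one."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:label_len])
        domains.append(f"{label}.{TLDS[digest[label_len] % len(TLDS)]}")
    return domains


class FakeResolver:
    """Constructed stand-in for DNS: answers the names in `zone`, NXDOMAIN
    otherwise, and logs every exchange the way a passive-DNS sensor sees it."""

    def __init__(self, zone):
        self.zone = dict(zone)
        self.log = []

    def resolve(self, name):
        answer = self.zone.get(name, "NXDOMAIN")
        self.log.append((name, answer))
        return answer


def rally(resolver, candidates):
    """Bot side: query the candidates in order, stop at the first that resolves."""
    for n, name in enumerate(candidates, 1):
        ip = resolver.resolve(name)
        if ip != "NXDOMAIN":
            return name, ip, n
    return None, None, len(candidates)


def demo(seed="example-seed", day=date(2014, 10, 9), count=1000, registered=3):
    """Botmaster registers one of today's names; the bot finds it after a few NXDOMAINs."""
    today = dga(seed, day, count)
    resolver = FakeResolver({today[registered]: "131.75.67.3"})  # C&C IP as on the slide
    name, ip, queries = rally(resolver, today)
    nxdomain = sum(1 for _, answer in resolver.log if answer == "NXDOMAIN")
    return {"today": today, "rallied": name, "ip": ip,
            "queries": queries, "nxdomain": nxdomain}


if __name__ == "__main__":
    r = demo()
    print(f"{len(r['today'])} candidates, C&C reached at {r['rallied']} -> {r['ip']} "
          f"after {r['nxdomain']} NXDOMAIN replies")
```

The asymmetry of the next slide is visible in `demo()`: the botmaster pays for one registration, while a blacklist would have to contain all 1000 names of `today` (and tomorrow's list again). The burst of NXDOMAIN replies in `resolver.log` is what a passive DNS sensor gets to see.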
STATE OF THE ART > DNS MONITORING
Limitations of current research approaches:
x Supervised: require labeled data
→ "That domain name is known to be DGA generated",
→ "That other domain is not".
x Work at the lower levels of the DNS hierarchy:
→ not so easy to deploy,
→ privacy (visibility of the hosts' IP addresses).
PHOENIX

STATE OF THE ART > PHOENIX
Phoenix clusters DGA-generated domains from a list of domains known to be used by botnets.
The core of Phoenix is its ability to separate DGA from non-DGA domains, using linguistic features (in a few slides).
PHOENIX > DISCOVERING DGA-GENERATED DOMAINS
Figure: pipeline. Bootstrap: Malicious Domains → Filtering → Phoenix Clusters. Detection: DNS Stream → Filtering → Classifier and Time Detective → Suspicious Domains.
Sources of malicious domains:
x EXPOSURE http://exposure.iseclab.org
x MLD http://www.malwaredomainlist.com
x ...and of course some reversing :-)
PHOENIX > DGA VS. NON-DGA
Meaningful Word Ratio (English dictionary)

d = facebook.com
$R(d) = \frac{|\text{face}| + |\text{book}|}{|\text{facebook}|} = \frac{8}{8} = 1$
likely non-DGA generated

d = pub03str.info
$R(d) = \frac{|\text{pub}|}{|\text{pub03str}|} = \frac{3}{8} = 0.375$
likely DGA generated
PHOENIX > DGA VS. NON-DGA
N-gram Popularity (bigram counts over an English dictionary)

d = facebook.com
bigram:  fa   ac   ce   eb   bo   oo   ok
count:  109  343  438   29  118  114   45
mean: S2 = 170.8
likely non-DGA generated

d = aawrqv.com
bigram:  aa   aw   wr   rq   qv
count:    4   45   17    0    0
mean: S2 = 13.2
likely DGA generated
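The two features of the last two slides, as an added example and not the Phoenix code: the Meaningful Word Ratio as a greedy longest-match over a dictionary, and the bigram popularity as the mean table count of the label's bigrams. The dictionary is a constructed handful of words (Phoenix uses a full English dictionary) and the bigram table holds the counts printed on the slide for the bigrams shown there, every other bigram counting 0.

```python
# Added example, not the Phoenix code: Meaningful Word Ratio and bigram
# popularity over a constructed dictionary and bigram table.

# Constructed toy dictionary; "str" is deliberately absent so that
# pub03str scores as on the slide.
DICTIONARY = {"face", "book", "pub", "mail", "bank", "shop", "news", "host"}
MIN_WORD_LEN = 3   # ignore one- and two-letter "words" such as "a" or "an"

# Constructed bigram table: the slide's values for the bigrams it shows,
# every other bigram looked up as 0.
BIGRAM_COUNTS = {"fa": 109, "ac": 343, "ce": 438, "eb": 29, "bo": 118,
                 "oo": 114, "ok": 45, "aa": 4, "aw": 45, "wr": 17,
                 "rq": 0, "qv": 0}


def label_of(domain):
    """Phoenix scores the registered label: 'facebook' for facebook.com."""
    return domain.lower().split(".")[0]


def meaningful_word_ratio(domain, dictionary=DICTIONARY):
    """R(d) = (total length of dictionary words found in the label) / |label|.

    Greedy longest match, non-overlapping, scanning left to right, so that
    R(facebook.com) = (|face| + |book|) / |facebook| = 1."""
    label = label_of(domain)
    if not label:
        return 0.0
    covered = i = 0
    while i < len(label):
        hit = 0
        for j in range(len(label), i + MIN_WORD_LEN - 1, -1):
            if label[i:j] in dictionary:
                hit = j - i
                break
        covered += hit
        i += hit or 1          # no word starts here: skip one character
    return covered / len(label)


def bigram_popularity(domain, counts=BIGRAM_COUNTS):
    """S2(d): mean table count of the label's bigrams."""
    label = label_of(domain)
    grams = [label[i:i + 2] for i in range(len(label) - 1)]
    if not grams:
        return 0.0
    return sum(counts.get(g, 0) for g in grams) / len(grams)


def features(domain):
    """The 2-D feature vector (R, S2) that the distance test of the next slides uses."""
    return meaningful_word_ratio(domain), bigram_popularity(domain)


if __name__ == "__main__":
    for d in ("facebook.com", "pub03str.info", "aawrqv.com"):
        r, s2 = features(d)
        print(f"{d:16s} R={r:.3f}  S2={s2:.1f}")
```

Note the two practical choices hidden in the slide's arithmetic: a minimum word length (otherwise "a" and "an" inflate R for almost any label) and non-overlapping matches (otherwise "face" and "ace" would both count).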
PHOENIX > DGA VS NON-DGA
Figure: domains plotted on the first two principal components of the feature space, centred on the HGD mean μ, with the two thresholds λ and Λ. Legend: within the loose threshold: HGD; within the strict threshold: semi-HGD; above the strict threshold: AGD.
PHOENIX > BOTNETS
Figure: empirical CDF of the Mahalanobis distance X (x-axis 0 to 4, y-axis 0.0 to 1.0) for HGDs (Alexa), AGDs (Bamital) and AGDs (Conficker.A, .B, .C, Torpig).
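The distance test of the last two slides, as an added example rather than the Phoenix code: fit the mean and covariance of the HGD feature vectors, score a domain by its Mahalanobis distance from that model, and read the thresholds off the empirical CDF of the HGD distances. The feature vectors are constructed pairs (meaningful word ratio, bigram popularity); Phoenix computes them on Alexa domains for the HGDs and on known DGA domains for the AGDs, and the quantiles used for the two radii are assumptions.

```python
# Added example, not the Phoenix code: Mahalanobis distance from an HGD
# model and thresholds taken from the ECDF of the HGD distances. All
# feature vectors are constructed.
import math

HGD_FEATURES = [(1.0, 171.0), (0.9, 150.0), (1.0, 140.0), (0.8, 120.0),
                (1.0, 160.0), (0.7, 110.0), (0.9, 130.0), (1.0, 180.0)]
AGD_FEATURES = [(0.0, 13.0), (0.1, 20.0), (0.0, 5.0), (0.2, 30.0)]


def fit(vectors):
    """Mean and inverse sample covariance of 2-D vectors (no numpy needed)."""
    n = len(vectors)
    if n < 3:
        raise ValueError("need at least three HGD samples")
    mu = (sum(v[0] for v in vectors) / n, sum(v[1] for v in vectors) / n)
    c00 = sum((v[0] - mu[0]) ** 2 for v in vectors) / (n - 1)
    c11 = sum((v[1] - mu[1]) ** 2 for v in vectors) / (n - 1)
    c01 = sum((v[0] - mu[0]) * (v[1] - mu[1]) for v in vectors) / (n - 1)
    det = c00 * c11 - c01 * c01
    if det <= 0:
        raise ValueError("degenerate covariance: the HGD features are collinear")
    inv = ((c11 / det, -c01 / det), (-c01 / det, c00 / det))
    return mu, inv


def mahalanobis(v, model):
    """sqrt((v - mu)^T S^-1 (v - mu)) for the fitted mean mu and covariance S."""
    mu, inv = model
    dx, dy = v[0] - mu[0], v[1] - mu[1]
    q = dx * (inv[0][0] * dx + inv[0][1] * dy) + dy * (inv[1][0] * dx + inv[1][1] * dy)
    return math.sqrt(max(q, 0.0))


def ecdf_threshold(distances, quantile):
    """Smallest distance at which the ECDF reaches `quantile` (the slide's curve, read back)."""
    s = sorted(distances)
    idx = min(len(s) - 1, max(0, math.ceil(quantile * len(s)) - 1))
    return s[idx]


def classify(v, model, hgd_radius, agd_radius):
    """Up to hgd_radius: HGD; up to agd_radius: semi-HGD; beyond it: AGD."""
    d = mahalanobis(v, model)
    if d > agd_radius:
        return "AGD"
    return "semi-HGD" if d > hgd_radius else "HGD"


def run(hgd=HGD_FEATURES, agd=AGD_FEATURES, hgd_quantile=0.5, agd_quantile=1.0):
    """Fit on the HGDs, derive both radii from their ECDF, label everything."""
    model = fit(hgd)
    dists = [mahalanobis(v, model) for v in hgd]
    hgd_radius = ecdf_threshold(dists, hgd_quantile)   # assumed quantile
    agd_radius = ecdf_threshold(dists, agd_quantile)   # assumed quantile
    return {
        "model": model,
        "radii": (hgd_radius, agd_radius),
        "hgd": [classify(v, model, hgd_radius, agd_radius) for v in hgd],
        "agd": [classify(v, model, hgd_radius, agd_radius) for v in agd],
    }


if __name__ == "__main__":
    r = run()
    print("radii:", r["radii"])
    print("HGD sample ->", r["hgd"])
    print("AGD sample ->", r["agd"])
```

The covariance is what makes the distance meaningful: the bigram popularity is two orders of magnitude larger than the word ratio, so a plain Euclidean threshold would ignore the ratio entirely. The degenerate-covariance check matters in practice, since a whitelist in which every domain scores R = 1 gives a singular matrix.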
PHOENIX > RESULTS (1 WEEK)
Cluster f105c
IPs: 176.74.176.175, 208.87.35.107
Domains: cvq.com, epu.org, bwn.org
(Botnet: Palevo)

Cluster 0f468
IPs: 217.119.57.2291.215.158.57178.162.164.2494.103.151.195
Domains: jhhfghf7.tk, faukiijjj25.tk, pvgvy.tk
(Botnet: Sality)
PHOENIX > TRACKING MIGRATIONS
Figure: number of DNS requests per sinkholed/C&C IP, Nov 2010 to Sep 2012, in three panels.
Takedown started: US AS2637 (3 sinkholed IPs), US AS1280 (3 sinkholed IPs), DE AS0860 (3 IPs).
Takedown in progress: US AS2637 (2 sinkholed IPs), US AS1280 (3 sinkholed IPs), DE AS0860 (3 IPs).
Takedown completed: US AS2637 (2 sinkholed IPs), US AS1280 (3 sinkholed IPs).
PHOENIX > TRACKING MIGRATIONS
Figure: number of DNS requests per C&C IP, Jan 2011 to May 2012, in five panels.
KR AS9318 (4 IPs).
KR AS9318 (4 new IPs): C&C IP addresses changed.
KR AS9318 (2 IPs) and AS4766 (2 IPs): migration started.
KR AS9318 (2 IPs), AS4766 (4 IPs): transition stage.
KR AS4766 (4 IPs): migration completed.
PHOENIX > SHORTCOMINGS
Leverages historical DNS data:
x unable to deal with new DGAs;
x unseen "domain → IP" mappings are simply discarded.
CERBERUS

CERBERUS > FILTERING
Figure: the pipeline again (DNS Stream → Filtering → Classifier / Time Detective → Suspicious Domains), now at the Filtering stage.
CERBERUS > FILTERING
Insight: an automatically generated malicious domain will not become popular.
Alexa Top 1M Whitelist
We whitelist the domains that appear in the Alexa Top 1M.
CERBERUS > FILTERING
Insight: an automatically generated malicious domain will not belong to a CDN (e.g., r4---sn-a5m7lnes.example.com).
CDN Whitelist
We whitelist the domains that belong to the most popular CDN networks (e.g., YouTube, Google, etc.) and advertisement services.
CERBERUS > FILTERING
Insight: an attacker will register a domain under a TLD that does not require clearance.
TLD Whitelist
We whitelist the domains whose top-level domain requires authorization by a third-party authority before registration (e.g., .gov, .edu, .mil).
CERBERUS > FILTERING
Insight: how fast is fast?
x 2-3 years ago: TTL < 100 seconds.
x Nowadays: TTL > 300 seconds.
Why? To save money :-) See the BH-US 2013 talk [1].
TTL
We filter out all those domains featuring a Time To Live outside this bound.
[1] https://media.black hat.com/us-13/US-13-Xu-New-Trends-in-FastFlux-Networks-Slides.pdf
CERBERUS > FILTERING
Insight: we are looking for DGA-generated domains.
Phoenix's DGA Filter
We filter out domains likely to be generated by humans.
CERBERUS > FILTERING
Insight: the attacker will register the domain just a few days before the communication takes place.
Whois
We query the Whois server and discard the domains that were registered more than Δ days before the DNS query.
RECAP ON FILTERING
Starting with 50,000 domains:
20,000 TTL > 300 seconds;
19,000 not in the Alexa Top 1M list;
15,000 not in the most popular CDNs;
800 likely to be DGA generated;
700 no previous authorization needed for the TLD;
300 younger than Δ days ← suspicious.
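The filtering chain of the preceding slides as a list of keep-predicates over passive-DNS records, reporting the survivors per stage the way the recap does. This is an added example, not the Cerberus code, and every input is constructed: the records, the "Alexa" set, the CDN suffixes, the whois creation dates, Δ = 7 days, and a crude vowel-ratio rule standing in for Phoenix's DGA filter so that the chain runs offline.

```python
# Added example, not the Cerberus code: the Cerberus filter chain as
# predicates over constructed passive-DNS records.
from datetime import date

TTL_MIN = 300                              # the slide's "nowadays TTL > 300 seconds"
DELTA_DAYS = 7                             # Δ of the whois filter (assumed value)
RESTRICTED_TLDS = {"gov", "edu", "mil"}    # registration needs third-party clearance
CDN_SUFFIXES = ("googlevideo.com", "akamaiedge.net", "doubleclick.net")  # constructed
ALEXA_TOP = {"facebook.com", "google.com", "example.com"}                # constructed

# Constructed passive-DNS records: (domain, TTL in seconds, query date).
RECORDS = [
    ("facebook.com", 60, date(2014, 10, 1)),
    ("google.com", 300, date(2014, 10, 1)),
    ("r4---sn-a5m7lnes.googlevideo.com", 600, date(2014, 10, 1)),
    ("whitehouse.gov", 3600, date(2014, 10, 1)),
    ("cdc.gov", 3600, date(2014, 10, 1)),
    ("kdnvfyc.biz", 900, date(2014, 10, 1)),
    ("wapzzwvpwq.info", 900, date(2014, 10, 1)),
    ("bwn.org", 900, date(2014, 10, 1)),
    ("jhhfghf7.tk", 3600, date(2014, 10, 1)),
]
# Constructed whois creation dates; a missing entry means whois told us nothing.
WHOIS_CREATED = {
    "kdnvfyc.biz": date(2014, 9, 29),
    "wapzzwvpwq.info": date(2014, 6, 1),
    "jhhfghf7.tk": date(2014, 9, 30),
}


def registered_name(domain):
    """Last two labels; a real deployment would use the public suffix list."""
    return ".".join(domain.lower().split(".")[-2:])


def tld(domain):
    return domain.lower().rsplit(".", 1)[-1]


def looks_generated(label):
    """Stand-in for Phoenix's DGA filter: almost no vowels reads as machine-made."""
    vowels = sum(c in "aeiou" for c in label)
    return vowels / max(len(label), 1) < 0.3


def age_days(record):
    """Days between registration and the query, or None when whois is silent."""
    domain, _, seen = record
    created = WHOIS_CREATED.get(domain)
    return None if created is None else (seen - created).days


# (stage name, keep predicate), in the order of the recap slide.
STAGES = [
    ("TTL within bound", lambda r: r[1] >= TTL_MIN),
    ("not in Alexa Top 1M", lambda r: registered_name(r[0]) not in ALEXA_TOP),
    ("not a CDN / ad domain", lambda r: not r[0].lower().endswith(CDN_SUFFIXES)),
    ("likely DGA-generated", lambda r: looks_generated(r[0].split(".")[0])),
    ("TLD needs no clearance", lambda r: tld(r[0]) not in RESTRICTED_TLDS),
    # Unknown age is kept: a domain whois cannot date is still suspicious.
    ("younger than Δ days", lambda r: age_days(r) is None or 0 <= age_days(r) <= DELTA_DAYS),
]


def run_filters(records=RECORDS, stages=STAGES):
    """Apply the stages in order; return the survivors and the per-stage counts."""
    survivors = list(records)
    counts = [("input", len(survivors))]
    for name, keep in stages:
        survivors = [r for r in survivors if keep(r)]
        counts.append((name, len(survivors)))
    return survivors, counts


if __name__ == "__main__":
    survivors, counts = run_filters()
    for name, n in counts:
        print(f"{n:3d}  {name}")
    print("suspicious:", [r[0] for r in survivors])
```

Two things the constructed data is arranged to show: cdc.gov survives the crude DGA stand-in (three consonants) and is removed only by the TLD whitelist, which is why that stage exists, and wapzzwvpwq.info passes every lexical test but falls to the whois age check. The order of the stages only changes the intermediate counts, not the survivors.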
CLASSIFIER > CLASSIFICATION
Cluster A (69.43.161.180): 379.ns4000wip.com, 418.ns4000wip.com, 285.ns4000wip.com
Cluster B (69.43.161.180): 391.wap517.net, 251.wap517.net, 340.wap517.net
Cluster C: …
New domain 576.wap517.net, resolving to 69.43.161.180.
Train the classifier on A, B.
Assign 576.wap517.net to B.
CLASSIFIER > SUBSEQUENCE STRING KERNEL
Developed at Royal Holloway in 2002, by Lodhi et al.
How many common subsequences of size k = 2? Gaps are allowed; each character spanned by the match costs a factor λ.

Feature map over the subsequences c-a, c-t, a-t, c-r, a-r:
$\phi(\text{cat}) = (\lambda^2, \lambda^3, \lambda^2, 0, 0)$
$\phi(\text{car}) = (\lambda^2, 0, 0, \lambda^3, \lambda^2)$

$\text{ker}(\text{car}, \text{cat}) = \lambda^4$
$\text{ker}(\text{car}, \text{car}) = \text{ker}(\text{cat}, \text{cat}) = 2\lambda^4 + \lambda^6$
$\text{kern}(\text{car}, \text{cat}) = \frac{\lambda^4}{2\lambda^4 + \lambda^6} = \frac{1}{2 + \lambda^2} \in [0, 1]$
CLASSIFIER > SUPPORT VECTOR MACHINES
SVM: find the hyperplane (or set of hyperplanes) with the largest distance to the nearest training data point of any class.
RESULTS > EXPERIMENTS
Results on passive DNS data from https://farsightsecurity.com/Services/SIE/
CLASSIFICATION > RESULTS
Training: 1000, Testing: 100. Overall accuracy ≃ 0.95.

Confusion matrix over the classes a–d (each row sums to 100):
        a    b    c    d
  a   100    0    0    0
  b     1   92    6    1
  c     2    0   98    0
  d     3    0    6   91

Classes (example domains):
a: caaa89e...d4ca925b3e2.co.cc, f1e01ac...51b64079d86.co.cc
b: kdnvfyc.biz, wapzzwvpwq.info
c: jhhfghf7.tk, faukiijjj25.tk
d: cvq.com, epu.org
CLASSIFICATION > PAIRWISE DISTANCES
Figure: pairwise distances between domains (x-axis: pair index, 0 to 15,000; y-axis: distance, 0 to 0.8).
The Time Detective discovers new botnets.
TIME DETECTIVE > PASSIVE DNS TRAFFIC
Every Δ the bots contact the C&C server on a new domain.
Figure: the bot reaches the botmaster's server 131.175.65.1 first via evq.org, then akh.org, then spq.org; passive DNS accumulates the mapping
131.175.65.1: { evq.org, akh.org, spq.org }
TIME DETECTIVE > STEPS
Passive DNS traffic → Grouping by AS → Clustering → Merging → Clusters
TIME DETECTIVE > GROUPING
We assume a lazy attacker: if (s)he finds an obliging AS, (s)he will buy a few IPs in there.
We group together the domains that point to IPs within the same AS.
TIME DETECTIVE > CLUSTERING
DBSCAN
Figure: two dense regions A and B become clusters; points without enough neighbours within ε are noise.
SSK as the distance.
Automatic tuning:
x minPts domains per cluster,
x ε distance threshold.
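The subsequence string kernel of the classifier slide and the DBSCAN step of this slide, as one added example that is not the Cerberus implementation: the SSK written out via the recursion of Lodhi et al., the normalised kernel whose value the slide computes for car/cat, and a plain DBSCAN that clusters domain names with 1 − kern as the distance. The domain list is constructed from the names on the classifier slide plus one benign name; k, λ, ε and minPts are demo values, not the paper's (the paper tunes ε and sets minPts from the observation period).

```python
# Added example, not the Cerberus code: subsequence string kernel (Lodhi et
# al. 2002) by its standard recursion, normalised kernel, and DBSCAN over
# domain names using 1 - kern as the distance. Parameters are demo values.
from functools import lru_cache


def ssk(s, t, k, lam):
    """K_k(s, t): sum over common length-k subsequences of lam^(span in s + span in t)."""

    @lru_cache(maxsize=None)
    def kp(i, ls, lt):
        # K'_i on prefixes s[:ls], t[:lt]: length-i matches whose spans are
        # extended to the end of both prefixes, lam charged per character.
        if i == 0:
            return 1.0
        if min(ls, lt) < i:
            return 0.0
        x = s[ls - 1]
        total = lam * kp(i, ls - 1, lt)
        for j in range(lt):
            if t[j] == x:
                total += kp(i - 1, ls - 1, j) * lam ** (lt - j + 1)
        return total

    @lru_cache(maxsize=None)
    def kn(n, ls, lt):
        # K_n: the last symbol of the match closes the span on both sides (lam^2).
        if min(ls, lt) < n:
            return 0.0
        x = s[ls - 1]
        total = kn(n, ls - 1, lt)
        for j in range(lt):
            if t[j] == x:
                total += kp(n - 1, ls - 1, j) * lam ** 2
        return total

    return kn(k, len(s), len(t))


def ssk_normalised(s, t, k, lam):
    """kern(s, t) = K(s, t) / sqrt(K(s, s) K(t, t)), in [0, 1]."""
    return ssk(s, t, k, lam) / (ssk(s, s, k, lam) * ssk(t, t, k, lam)) ** 0.5


def dbscan(items, dist, eps, min_pts):
    """Textbook DBSCAN; returns one label per item, -1 meaning noise."""
    n = len(items)
    labels = [None] * n

    def region(i):
        return [j for j in range(n) if dist(items[i], items[j]) <= eps]

    next_label = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        seeds = region(i)
        if len(seeds) < min_pts:          # the point itself counts as a neighbour
            labels[i] = -1
            continue
        labels[i] = next_label
        queue = [j for j in seeds if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:           # border point previously marked as noise
                labels[j] = next_label
            if labels[j] is not None:
                continue
            labels[j] = next_label
            more = region(j)
            if len(more) >= min_pts:      # j is a core point: expand through it
                queue.extend(x for x in more if labels[x] is None)
        next_label += 1
    return labels


# Constructed list: the two clusters of the classifier slide plus one benign name.
DOMAINS = ["379.ns4000wip.com", "418.ns4000wip.com", "285.ns4000wip.com",
           "391.wap517.net", "251.wap517.net", "340.wap517.net",
           "facebook.com"]


def cluster_domains(domains=DOMAINS, k=3, lam=0.5, eps=0.6, min_pts=3):
    """DBSCAN over domain names with SSK distance; k, lam, eps, min_pts are demo values."""
    cache = {}

    def dist(a, b):
        key = (a, b) if a <= b else (b, a)
        if key not in cache:
            cache[key] = 1.0 - ssk_normalised(key[0], key[1], k, lam)
        return cache[key]

    return dbscan(domains, dist, eps, min_pts)


if __name__ == "__main__":
    for name, label in zip(DOMAINS, cluster_domains()):
        print(f"{label:3d}  {name}")
```

The recursion is quadratic in the string lengths and linear in k, which is fine for domain names; the normalisation is what makes 1 − kern usable as a distance, since raw K grows with string length. Distance values are cached because DBSCAN asks for the same pair repeatedly.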
CLUSTERING > TUNING MINPTS
minPts = 7 domains per cluster, i.e. the observation period in days.
Rationale: the bots will contact the C&C server at least once a day, so a botnet observed for 7 days yields at least 7 domains.
CLUSTERING > THRESHOLD
Choose ε so that $\frac{\text{intra-cluster distances}}{\text{inter-cluster distances}} \to 0$ (minimize).
TIME DETECTIVE > MERGING
What if a new cluster is actually a known botnet that migrated the C&C server somewhere else?
![Page 64: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/64.jpg)
TIME DETECTIVE > MERGING
[Figure: the domains apq.org and paq.org first resolve to 134.54.12.1 and then to 134.54.12.2 ("What t' h3ck!", "Arrr!"); the C&C server has migrated.]
44
![Page 72: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/72.jpg)
TIME DETECTIVE > STEPS
Passive DNS traffic → Grouping by AS → Clustering → Merging → Clusters
45
![Page 73: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/73.jpg)
TIME DETECTIVE > MERGING
Suppose you have clusters A and B. A and B are the pairwise distance matrices inside each cluster; A ∼ B holds the distances between every domain of A and every domain of B.

$$A = \begin{array}{c|ccc}
 & dom_1 & \cdots & dom_m \\ \hline
dom_1 & d_{1,1} & \cdots & d_{1,m} \\
dom_2 & d_{2,1} & \cdots & d_{2,m} \\
\vdots & \vdots & \ddots & \vdots \\
dom_m & d_{m,1} & \cdots & d_{m,m}
\end{array}$$

$$B = \begin{array}{c|ccc}
 & dom_1 & \cdots & dom_n \\ \hline
dom_1 & d_{1,1} & \cdots & d_{1,n} \\
dom_2 & d_{2,1} & \cdots & d_{2,n} \\
\vdots & \vdots & \ddots & \vdots \\
dom_n & d_{n,1} & \cdots & d_{n,n}
\end{array}$$

$$A \sim B = \begin{array}{c|cccc}
 & dom_1 & dom_2 & \cdots & dom_n \\ \hline
dom_1 & d_{1,1} & d_{1,2} & \cdots & d_{1,n} \\
dom_2 & d_{2,1} & d_{2,2} & \cdots & d_{2,n} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
dom_m & d_{m,1} & d_{m,2} & \cdots & d_{m,n}
\end{array}$$

46
![Page 77: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/77.jpg)
TIME DETECTIVE > WELCH TEST
Stats to the rescue!

$$A = \begin{array}{c|ccc}
 & dom_1 & \cdots & dom_m \\ \hline
dom_1 & d_{1,1} & \cdots & d_{1,m} \\
dom_2 & d_{2,1} & \cdots & d_{2,m} \\
\vdots & \vdots & \ddots & \vdots \\
dom_m & d_{m,1} & \cdots & d_{m,m}
\end{array}$$

$$A \sim B = \begin{array}{c|cccc}
 & dom_1 & dom_2 & \cdots & dom_n \\ \hline
dom_1 & d_{1,1} & d_{1,2} & \cdots & d_{1,n} \\
dom_2 & d_{2,1} & d_{2,2} & \cdots & d_{2,n} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
dom_m & d_{m,1} & d_{m,2} & \cdots & d_{m,n}
\end{array}$$

Welch test: do A and A ∼ B have different intra-cluster distance distributions?
47
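The merging test above, run end to end as an added example (not code from the deck or from the Phoenix/Cerberus project): the intra-cluster distances of a known cluster A are compared with its cross distances A ∼ B to a candidate cluster B using Welch's t-test, and the clusters merge when the test finds no significant difference. Two assumptions: a length-normalised edit distance stands in for the deck's SSK distance, and the p-value uses a normal approximation of the t distribution; the sample domains are constructed (the ns4000wip.com and Conficker names come from the slides, 387 to 390 are made up to follow the same pattern).

```python
import math
from itertools import combinations, product
from statistics import mean, variance


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def distance(a: str, b: str) -> float:
    """Length-normalised edit distance in [0, 1]. Assumption: a stand-in for the
    SSK distance the deck feeds to DBSCAN."""
    return levenshtein(a, b) / max(len(a), len(b))


def intra_distances(cluster):
    """The A matrix of the slide: every pair of domains inside one cluster."""
    return [distance(x, y) for x, y in combinations(cluster, 2)]


def cross_distances(a, b):
    """The A ~ B matrix: every domain of A against every domain of B."""
    return [distance(x, y) for x, y in product(a, b)]


def welch(x, y):
    """Welch's t statistic and Welch-Satterthwaite degrees of freedom.
    Needs at least two values per sample (minPts = 7 guarantees that)."""
    vx, vy = variance(x) / len(x), variance(y) / len(y)
    se = math.sqrt(vx + vy)
    if se == 0.0:  # both samples constant: no spread to test against
        return (0.0 if mean(x) == mean(y) else math.inf), math.inf
    t = (mean(x) - mean(y)) / se
    df = (vx + vy) ** 2 / (vx ** 2 / (len(x) - 1) + vy ** 2 / (len(y) - 1))
    return t, df


def two_sided_p(t: float) -> float:
    """Two-sided p-value. Assumption: normal approximation of Student's t,
    adequate once each cluster yields dozens of domain pairs."""
    return math.erfc(abs(t) / math.sqrt(2))


def should_merge(known, new, alpha: float = 0.05) -> bool:
    """Merge when intra(A) and A ~ B are not significantly different."""
    t, _ = welch(intra_distances(known), cross_distances(known, new))
    return two_sided_p(t) >= alpha


# Constructed sample data: KNOWN uses the deck's Jadtre domains, SAME extends
# the same numbered pattern (a migrated C&C), OTHER uses the deck's Conficker names.
KNOWN = [f"{n}.ns4000wip.com" for n in range(379, 386)]
SAME = [f"{n}.ns4000wip.com" for n in range(386, 391)]
OTHER = ["hhdboqazof.biz", "poxqmrfj.biz", "hcsddszzzc.ws", "tnoucgrje.biz", "gwizoxej.biz"]

if __name__ == "__main__":
    print("merge with SAME :", should_merge(KNOWN, SAME))   # True
    print("merge with OTHER:", should_merge(KNOWN, OTHER))  # False
```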
![Page 80: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/80.jpg)
TIME DETECTIVE > EXAMPLE
Day 1
383.ns4000wip.com
382.ns4000wip.com
391.wap517.net
388.ns768.com
48
![Page 81: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/81.jpg)
TIME DETECTIVE > EXAMPLE
Day 2
383.ns4000wip.com
384.ns4000wip.com
379.ns4000wip.com
382.ns4000wip.com
391.wap517.net
391.wap517.net
388.ns768.com
389.ns768.com
390.ns768.com
48
![Page 82: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/82.jpg)
TIME DETECTIVE > EXAMPLE
Day 7
383.ns4000wip.com
386.ns4000wip.com
385.ns4000wip.com
384.ns4000wip.com
379.ns4000wip.com
382.ns4000wip.com
381.ns4000wip.com
380.ns4000wip.com
391.wap517.net
391.wap517.net
391.wap517.net
388.ns768.com
389.ns768.com
390.ns768.com
391.ns768.com
392.ns768.com
48
![Page 83: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/83.jpg)
TIME DETECTIVE > EXAMPLE
AS 22489
Day
383.ns4000wip.com
386.ns4000wip.com
385.ns4000wip.com
384.ns4000wip.com
379.ns4000wip.com
382.ns4000wip.com
381.ns4000wip.com
380.ns4000wip.com
391.wap517.net
391.wap517.net
391.wap517.net
388.ns768.com
389.ns768.com
390.ns768.com
391.ns768.com
392.ns768.com
48
![Page 84: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/84.jpg)
TIME DETECTIVE > EXAMPLE
Merge
Day
383.ns4000wip.com
386.ns4000wip.com
385.ns4000wip.com
384.ns4000wip.com
379.ns4000wip.com
382.ns4000wip.com
381.ns4000wip.com
380.ns4000wip.com
391.wap517.net
391.wap517.net
391.wap517.net
388.ns768.com
389.ns768.com
390.ns768.com
391.ns768.com
392.ns768.com
48
![Page 85: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/85.jpg)
TIME DETECTIVE > EXAMPLE
Cluster
Day
388.ns768.com
389.ns768.com
390.ns768.com
391.ns768.com
392.ns768.com
383.ns4000wip.com
386.ns4000wip.com
385.ns4000wip.com
384.ns4000wip.com
379.ns4000wip.com
382.ns4000wip.com
381.ns4000wip.com
380.ns4000wip.com
391.wap517.net
391.wap517.net
391.wap517.net
48
![Page 86: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/86.jpg)
TIME DETECTIVE > EXAMPLE
New clusters produced
Day
388.ns768.com
389.ns768.com
390.ns768.com
391.ns768.com
392.ns768.com
383.ns4000wip.com
386.ns4000wip.com
385.ns4000wip.com
384.ns4000wip.com
379.ns4000wip.com
382.ns4000wip.com
381.ns4000wip.com
380.ns4000wip.com
391.wap517.net
391.wap517.net
391.wap517.net
Cluster 1, Cluster 2, Cluster 3
48
![Page 87: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/87.jpg)
RESULTS > EXPERIMENTS
RESULTS on passive DNS data from
https://farsightsecurity.com/Services/SIE/
49
![Page 88: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/88.jpg)
TIME DETECTIVE > LABELING (1 WEEK)
187 domains classified as malicious and labeled.
Labeled 07e21
Botnet: Conficker
Domains: hhdboqazof.biz, poxqmrfj.biz, hcsddszzzc.ws, tnoucgrje.biz, gwizoxej.biz, jnmuoiki.biz
50
![Page 89: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/89.jpg)
TIME DETECTIVE > CLUSTERING
3,576 domains were considered suspicious by Cerberus and stored, together with their IP address.
Then we ran the clustering routine to discover new botnets.
51
![Page 90: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/90.jpg)
TIME DETECTIVE > CLUSTERING
| Botnet | AS | IPs | Size |
|---|---|---|---|
| Sality | 15456 | 62.116.181.25 | 26 |
| Palevo | 53665 | 199.59.243.118 | 40 |
| Jadtre* | 22489 | 69.43.161.180, 69.43.161.174 | 173 |
| Jadtre** | 22489 | 69.43.161.180 | 37 |
| Jadtre*** | 22489 | 69.43.161.167 | 47 |
| Hiloti | 22489 | 69.43.161.167 | 24 |
| Palevo | 47846 | 82.98.86.171, 82.98.86.176, 82.98.86.175 | 142 |
| Jusabli | 30069 | 69.58.188.49 | 73 |
| Generic Trojan | 12306 | 82.98.86.169, 82.98.86.162, 82.98.86.178, 82.98.86.163 | 57 |
52
![Page 91: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/91.jpg)
TIME DETECTIVE > CLUSTERING
| Cluster | IP | Sample Domains |
|---|---|---|
| Jadtre* | 69.43.161.180, 69.43.161.174 | 379.ns4000wip.com, 418.ns4000wip.com, 285.ns4000wip.com |
| Jadtre** | 69.43.161.180 | 391.wap517.net, 251.wap517.net, 340.wap517.net |
| Jadtre*** | 69.43.161.167 | 388.ns768.com, 353.ns768.com, 296.ns768.com |
53
![Page 92: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/92.jpg)
TIME DETECTIVE > MERGING
Cluster a (Old)
IPs: 176.74.76.175, 208.87.35.107
Domains: cvq.com, epu.org, bwn.org, lxx.net
Cluster b (New)
IPs: 82.98.86.171, 82.98.86.176, 82.98.86.175, 82.98.86.167, 82.98.86.168, 82.98.86.165
Domains: knw.info, rrg.info, nhy.org, ydt.info
Both belong to the Palevo botnet.
54
![Page 94: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/94.jpg)
TIME DETECTIVE > RECAP
x 187 malicious domains detected and labeled
x 3,576 suspicious domains collected
x 47 clusters of DGA-generated domains discovered
x 319 new domains detected in the next 24 hours
55
![Page 98: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/98.jpg)
CONCLUSIONS & FUTURE WORK
![Page 99: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/99.jpg)
CONCLUSIONS
CERBERUS
x discovers and characterizes unknown DGA-based activity,
x unsupervised,
x easy to deploy,
x privacy preserving.
57
![Page 100: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/100.jpg)
FUTURE WORK
this-is-an-easy-way-to-evade-the-linguistic-filter.com
58
![Page 102: Phoenix & Cerberus - We haz botnets! - Secure Network · PHOENIX&CERBERUS Wehazbotnets! ... Zombie Zombie Zombie 3. CENTRALIZEDBOTNETS>C&CCHANNEL. Botmaster ... Takedown in progress](https://reader034.vdocument.in/reader034/viewer/2022051803/5b033edf7f8b9ab9598f0910/html5/thumbnails/102.jpg)
FUTURE WORK
Release Cerberus as a web service. Hopefully!
59