paper review about botnet
Paper Review: An Empirical Study of HTTP-based Financial Botnets
Raymond
Outline
• Introduction
• Methodology and Emulation Environment
• Comparative Analysis of Various Bots
• Analytical Observations
• Challenges
• Solution and Conclusion
Introduction
Botnet
• A botnet is a collection of infected machines (bots) controlled by a bot herder through a C&C server
[Slide diagram: bot herder, C&C server, and several malware-infected bots]
Financial Botnets
• This breed of botnets is designed and deployed to conduct financial crimes such as online fraud, money laundering, and identity theft by infecting a large number of end-user systems across the globe.
232 devices are infected per minute
• An RSA study further disclosed that every minute on the Internet approximately 232 computers are being infected with malware globally.
Spread bots 1/3
• There are several ways to spread bots, but phishing and drive-by download attacks are the two most prominent ones
Spread bots 1/3: Phishing
• Attacks are executed through emails embedded with malicious links that are distributed to a large set of users.
• This attack exploits the users' gullibility using social engineering tricks.
• Upon clicking a web link, the user's browser is redirected to a malicious domain which serves malware.
Spread bots 1/3: Drive-by download
• An attacker compromises a high-traffic website and injects code that points to a malicious domain.
Spread bots 2/3
• On visiting a malicious domain, a Browser Exploit Pack (BEP), an automated framework consisting of several exploits, fingerprints the browser's environment, and if the browser is found vulnerable, an appropriate exploit is served to compromise the machine.
Spread bots 3/3
Botnets have Become Bigger and Better
The statistics show the total number of bots present in the various botnet families at the time they were taken down by the FBI in different takedown operations.
Top 4 Financial Botnets
• A Kaspersky study [9] found that the top 4 financial botnets are Zeus (variants), SpyEye, Carberp and Citadel.
Top 4 Financial Botnets
• The Carberp botnet caused approximately $250 million in losses
• Citadel botnet caused $500 million losses to companies and organizations across the globe.
• Earlier versions of Zeus and SpyEye botnets collectively stole $100 million from target organizations
Methodology and Emulation Environment
Test Steps
• 1. We used an infiltration technique where we joined the botnet environment to better understand its behavior
• 2. We conducted several tests using active and passive approaches for investigating infections:
 o Continuous monitoring and traffic analysis
 o Reverse engineering and behavior analysis
 o Penetration testing
Anti anti-VM bot
• The VMware machines were modified to behave like a standard operating system, e.g.:
 o VMware support tools were not installed
 o kernel debugging was turned off
 o the Media Access Control (MAC) address was modified
 o Desktop Management Information (DMI) related to the Basic Input Output System (BIOS) and certain components of the operating system (VM) were modified
Comparative Analysis of Various Bots
Protocol
Anti-sandbox
Exploitation
• A mutex object can be used to determine whether the system is already infected or not, and to detect the presence of virtual machines, traffic analyzers and anti-virus (AV) software on the system.
• The PDEF+ component is designed to check the effectiveness of bots in bypassing anti-virus systems running on the client side.
Spreading
Remote Manage
Defensive Mechanisms
• Socks Proxy
 o bot herders can restrict direct access to the C&C panels
 o a verification method is offered: if the bot matches, it is allowed to download the configuration file
 o limits the sources of incoming HTTP requests
• Domain Generation Algorithms (DGAs)
 o generate pseudorandom domain names
 o advantage: botnets use DGAs to strengthen their C&C communication channels so that fingerprinting of C&C servers becomes more difficult
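From the defender's side, DGA-generated names tend to look unlike human-chosen ones. The following is an added example, not code from the reviewed paper or the review itself, that scores queried names by entropy and vowel ratio over constructed DNS log lines; the log format, the entropy and vowel thresholds, and the per-client alert threshold are all assumptions.

```javascript
// Added example, not the paper's code; log format and thresholds are assumptions.

// Constructed sample log lines: "<time> <client-ip> <queried-name>"
const SAMPLE_DNS_LOG = [
  "10:00:01 10.0.0.5 www.example.com",
  "10:00:02 10.0.0.5 mail.example.com",
  "10:00:03 10.0.0.9 xkq7fz2ltp9wvmb.net",
  "10:00:04 10.0.0.9 qzv8hjd4rtbx3nwp.info",
  "10:00:05 10.0.0.9 lmq3ztvwkpr7xbqd.biz",
  "10:00:06 10.0.0.7 update.example.org",
  "10:00:07 10.0.0.5 internationalbusiness.com", // long but pronounceable
];

// Shannon entropy in bits per character.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  let h = 0;
  for (const c of Object.values(counts)) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Second-level label ("xkq7fz2ltp9wvmb" for "xkq7fz2ltp9wvmb.net"); assumes a
// single-label public suffix, so use a public-suffix list in production.
function secondLevelLabel(name) {
  const parts = name.toLowerCase().split(".").filter(Boolean);
  return parts.length >= 2 ? parts[parts.length - 2] : parts[0] || "";
}

// Heuristic: long label with high entropy and few vowels. The vowel check
// keeps long natural-language names such as "internationalbusiness" clean.
function isDgaLike(name) {
  const label = secondLevelLabel(name);
  if (label.length < 10) return false;
  const vowelRatio = (label.match(/[aeiou]/g) || []).length / label.length;
  return entropy(label) > 3.2 && vowelRatio < 0.25;
}

// Clients with at least `threshold` DGA-like lookups are triage candidates.
function suspiciousClients(logLines, threshold = 2) {
  const perClient = {};
  for (const line of logLines) {
    const [, client, qname] = line.trim().split(/\s+/);
    if (isDgaLike(qname)) perClient[client] = (perClient[client] || 0) + 1;
  }
  return Object.keys(perClient).filter((c) => perClient[c] >= threshold);
}
```

Entropy heuristics alone misfire on CDN and cloud hostnames, so in practice the per-client count is combined with NXDOMAIN rates and domain age before anyone is paged.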
Module
• This design shows that the bots can be extended by building additional plugins that can be incorporated directly to execute extended code on the infected system.
 o For example, the malware author can design a new plugin for a specific bot and use the C&C panel to update the bot by sending an updated configuration with the new plugin listed in it. When the bot gets updated, the new plugin simply executes.
Data Exfiltration
• Man-in-the-Browser Attacks
 o MitB is capable of manipulating the communication flow of various browser components
 o most common MitB attack techniques based on hooking used by bots:
  • Form-grabbing
  • WebInjects
  • WebFakes
Man-in-the-Browser Attacks
DDoS
Best Botnet
Analytical Observations
• Malware authors are developing more sophisticated botnet designs by reusing and modifying existing botnet source codes.
• Communication channels of HTTP-based financial botnets are secured using gates
• Use of DGAs as a C&C communication mechanism has increased in the last few years, and we expect this trend to continue in the future
• The bots primarily target browsers to steal sensitive information pertaining to critical websites. Almost every HTTP-based botnet performs browser hooking to carry out nefarious tasks.
• Bots are distributed using automated exploit frameworks called browser exploit packs, which exploit a specific vulnerability in browser components and download bots onto user systems without their knowledge
• Bots have well-defined development APIs and plugin architecture frameworks which can be used to extend their functionality.
• Bots use Windows built-in cryptographic APIs together with custom encryption routines to avoid detection and further complicate analysis.
Challenges
• HTTPS is an end-to-end security solution that protects against Man-in-the-Middle (MitM) attacks, but it does not provide any protection against MitB attacks
• TFA does not protect from MitB attacks
 o TFA raises the bar with respect to the ease of use of stolen authentication data, but TFA neither prevents the theft nor eliminates the data's value.
• Developing IPS/IDS signatures for bot detection fails to stop unknown malware (financial botnets) running in the wild. The thriving botnet ecosystem is proof of that.
Solution and Conclusion
Solutions: To defend against WebInject attacks
• One solution is to build an HTML/JavaScript-based webpage verification system that detects modifications that have happened when webpages are rendered in the browser.
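One concrete form of such a verification check, added here as an example and not taken from the paper or the review: the server ships the list of form fields the login page is supposed to contain, and a script compares it with what the browser actually rendered. The expected field list, the sample renders, and the hypothetical `collectFormFields` DOM helper are assumptions.

```javascript
// Added example, not the paper's code. The expected field list and the two
// rendered samples are constructed; in a browser, collectFormFields() replaces them.

// Expected layout of the login form, assumed to be embedded by the server.
const EXPECTED_LOGIN_FIELDS = [
  { name: "username", type: "text" },
  { name: "password", type: "password" },
];

// Browser-side collector (hypothetical helper): builds the rendered-field list
// from the live DOM. Not invoked in this stand-alone run.
function collectFormFields(formEl) {
  return Array.from(formEl.querySelectorAll("input, select, textarea")).map(
    (el) => ({
      name: el.getAttribute("name") || "",
      type: (el.getAttribute("type") || el.tagName).toLowerCase(),
    })
  );
}

// Canonical key so field order and attribute casing do not cause false alarms.
function fieldKey(f) {
  return `${f.name.trim().toLowerCase()}:${f.type.trim().toLowerCase()}`;
}

// Reports fields rendered but not expected (injected) and expected fields
// that disappeared (missing); ok is true only when both lists are empty.
function verifyFormFields(expected, rendered) {
  const want = new Set(expected.map(fieldKey));
  const have = new Set(rendered.map(fieldKey));
  const injected = [...have].filter((k) => !want.has(k));
  const missing = [...want].filter((k) => !have.has(k));
  return { injected, missing, ok: injected.length === 0 && missing.length === 0 };
}

// Constructed sample: the form as rendered on a clean machine (order differs).
const CLEAN_RENDER = [
  { name: "password", type: "password" },
  { name: "username", type: "text" },
];

// Constructed sample: the same form after a WebInject added fields that ask
// for data the genuine page never requests.
const INJECTED_RENDER = [
  ...CLEAN_RENDER,
  { name: "atm_pin", type: "password" },
  { name: "card_number", type: "text" },
];
```

Hidden inputs such as an anti-CSRF token must be part of the expected list or they will be reported as injected. A bot that already hooks the browser can also tamper with the checking script itself, so the check raises the bar rather than guaranteeing detection.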
Solutions: To foil Form-grabbing attacks
• Data is encrypted before it is exfiltrated by the bot from the infected system.
Solutions: To overcome malware detection of VMs
• Build next-generation, completely emulated environments by simulating the physical hardware, including CPU, memory, etc.
Solutions: To protect enterprises against unknown attacks
• Data mining and machine learning can play a vital role, but such solutions are still not able to cope with existing and emerging threats.
Solutions: Other
• Understanding how one bot detects the presence of another bot
 o ex: if mutex names are used by SpyEye to detect Zeus bots, the same patterns can be fed to end-user security solutions (anti-virus engines) to detect and eradicate the bots
Solutions: The most important way
• Technology alone cannot protect users from all types of malicious attacks.
• Improved user education which teaches users the importance of safe surfing habits, the best and most secure ways to perform online banking, avoiding destinations they are not sure of, etc.
Q & A