Ahmedabad
Dissertation Title: “Criminology of Botnet Resilience Technology and Mitigation of Botnet”
Outline of Dissertation
Introduction
Problem Statement
Motivation of Dissertation
History of Botnet
Literature Survey
Orientation of Work
Flow of Dissertation
Implementation
Conclusion and Future Work
References
Introduction
Problem Statement
Why not Signature Based Detection?
Reference: http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx
History of Bot Attacks
• 2001 Sub7 / Pretty Park (first botnet)
• 2002 GTBot
• 2005 Torpig
• 2006 Virut
• 2007 Zeus – one of the biggest (compromised U.S. computers: 3.6 million)
• 2007 Storm
• 2008 Conficker
• 2008 Grum
• 2008 Lethic
• 2008 Mariposa
• 2009 SpyEye
• 2010 Waledac
• 2011 ZeroAccess
• 2012 FlashFake (Mac OS X)
• 2012 Jeef
• 2012 Smok
• 2013 Boatnet
• 2013 Zer0n3t
Literature Survey
Botnets are being used as a vehicle for an array of cybercrimes, such as
spamming, denial of service, identity theft and phishing.
Botnet lifecycle[1]
Infection: initial installation of the botnet malware on the target host.
Botnet attacks[6]
Attacking IRC Networks: Botnets are used for attacking IRC networks. The
victim is flooded with service requests from thousands of bots, and thus the
victim IRC network is taken down.
Advertisement Installation: Botnets set up a fake web site with some
advertisements. The operator of this website negotiates a deal with hosting
companies that pay for clicks on ads. With the help of the botnet, these clicks
can be ‘automated’ so that a few thousand bots instantly click on the pop-ups;
the bot also hijacks the start page of a compromised machine so that the
‘clicks’ are executed each time the victim uses the browser.
Techniques used by botnets to evade detection[7]
Fast flux: a mechanism in which the set of IP addresses corresponding to a
single domain name changes frequently.
Bot Detection Techniques[11]
Signature based: Detection of known botnets
Mining based: detect bots by using mining algorithms:
Machine Learning
Classification
Clustering
Most mining-based approaches function by monitoring network traffic.
Prevention techniques
Honeypot based monitoring[9]:
Join the botnet
Act as an active servant bot
Monitor for as long as possible
Gather plaintext
Response DDoS[8]:
Grey listing[5]:
Related to blacklists/whitelists.
Effective at delaying spam: mail is temporarily refused until the sender
tries again.
Index poisoning[10]:
Inserting a massive number of records into the index of a P2P file sharing
system.
Defence against domain flux[9]:
Session abort[5]:
Existing Tools[v]
Phrozensoft Mirage Anti-Bot
Bot Revolt
Implementation of Botnet
Zeus botnet implementation (key logger)
Installation of the bot binary on the infected machine
Detection of Botnet
Wireshark tool and Ourmon
Projectile Path (Proposed Work)
Log file generated by Ourmon
Figure: TCP Port Report[i] (Ourmon screenshot; callouts recovered from the slide: VNC backdoor port; bad scanner, one SA/S, false positive; P = high work weight, [P,I] flags; false positive on same subnet).
Report columns recovered from the slide: Ip_src, Weight, Guess, Udp_sent, Udp_recv, Unreachs, Ping, L3D/L4D/L4S, Sizes, Sa/ra, Appflags, Port_count port_sig [port,count].
Figure 6: UDP logs taken by the Ourmon tool
Figure: UDP Port Report[i] (callouts recovered from the slide: flooding, ww > 88k, versus normal ww; 380 million; 2k destination unreachable).
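To make the scanner-report idea behind the Ourmon TCP port report concrete, here is an added Python example (not the dissertation's code and not Ourmon itself) that computes, per host, the TCP work weight and SA/S ratio over constructed packet summaries and marks sweeps confined to the host's own /24 for review, following the slide's "false positive on same subnet" callout; the sample traffic, the thresholds and the same-subnet rule are assumptions.

```python
"""Ourmon-style TCP scanner report (added example; not the dissertation's code
and not Ourmon's). Per host: the TCP work weight from the Ourmon literature,
w = (SYNs sent + FINs sent + RSTs received) / total TCP packets, the SA/S ratio
(SYN-ACKs received per SYN sent) and a same-/24 review note. Thresholds are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

def constructed_packets():
    """Constructed traffic: an external SYN sweeper, a normal web client and a
    host sweeping its own /24. Each tuple is (src, dst, tcp_flags)."""
    pk = [("10.0.0.5", f"192.0.2.{i}", "S") for i in range(10, 16)]
    pk += [(f"192.0.2.{i}", "10.0.0.5", "RA") for i in range(10, 15)]
    pk += [("192.0.2.15", "10.0.0.5", "SA")]
    pk += [("10.0.0.7", "203.0.113.10", f) for f in ("S", "A", "PA", "FA")]
    pk += [("203.0.113.10", "10.0.0.7", f) for f in ("SA", "PA", "FA")]
    pk += [("10.0.0.9", f"10.0.0.{i}", "S") for i in range(20, 26)]
    pk += [(f"10.0.0.{i}", "10.0.0.9", "RA") for i in range(20, 26)]
    return pk

def scanner_report(packets, w_min=0.9, sa_s_max=0.5):
    """Return {host: (w, sa_s, n_dst, verdict)} for every host that sent a SYN."""
    zero = lambda: {"syn": 0, "fin": 0, "rst_in": 0, "sa_in": 0, "tot": 0, "dst": set()}
    c = defaultdict(zero)
    for src, dst, flags in packets:
        c[src]["tot"] += 1
        c[dst]["tot"] += 1
        c[src]["dst"].add(dst)
        if "S" in flags and "A" not in flags:   # pure SYN: connection attempt
            c[src]["syn"] += 1
        if "F" in flags:
            c[src]["fin"] += 1
        if "R" in flags:                         # RST back to the sender
            c[dst]["rst_in"] += 1
        if "S" in flags and "A" in flags:        # SYN-ACK: attempt was answered
            c[dst]["sa_in"] += 1
    report = {}
    for host, s in c.items():
        if s["syn"] == 0:
            continue
        w = (s["syn"] + s["fin"] + s["rst_in"]) / s["tot"]
        sa_s = s["sa_in"] / s["syn"]
        verdict = "scanner" if w >= w_min and sa_s <= sa_s_max else "normal"
        # Same-subnet callout: a sweep confined to the host's own /24 is kept
        # in the report but marked as a likely false positive (assumption).
        net = ip_network(host + "/24", strict=False)
        if verdict == "scanner" and all(ip_address(d) in net for d in s["dst"]):
            verdict = "same-subnet (possible false positive)"
        report[host] = (round(w, 2), round(sa_s, 2), len(s["dst"]), verdict)
    return report
```

Run `scanner_report(constructed_packets())` to see the external sweeper reported as a scanner, the web client as normal, and the local sweep held for review rather than dropped.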
Communication pattern via Zeus to client[]
Now, after the bot is installed on the client’s machine, that machine becomes
part of the botnet, and the bot master is kept updated with the current status
of the bots and the operating system on which each one is installed.
Figure 12: Payment form that captures all the information about the client’s card
if the bot is installed on the machine
Figure 13: Search in the database for the data inserted by the botmaster and
retrieve the information about the card number, PIN, etc.
Conclusion and future work
Conclusion
A botnet, like any attack, first infects the victim’s machine by using some
sort of scanning activity. Based on multiple parameters we generate a scanner
report with a reduced false positive rate. The detection of the Zeus bot is
based on the communication between the botmaster and the bot network, and on
other packet patterns which are abnormal. In this system we reveal the Zeus
binary to a certain level, which leads to mitigation of the botnet. This
approach is applied mainly to Zeus, which mostly uses the RC4 stream cipher.
Future Work
To provide more security to the network, we will make some modifications to
the communication pattern using encryption; we will also implement the
mitigation approach for higher versions of Zeus.
References
[1] Aniello Castiglione, Roberto De Prisco, Alfredo De Santis, Ugo Fiore, Francesco
Palmieri, “A botnet-based command and control approach relying on swarm
intelligence”, Journal of Network and Computer Applications.
[2] Kuochen Wang, Chun-Ying Huang, Shang-Jyh Lin, Ying-Dar Lin, “A fuzzy
pattern-based filtering algorithm for botnet detection”, Journal of Computer
Networks.
[3] Ihsan Ullah, Naveed Khan, Hatim A. Aboalsamh, “Survey on Botnet: Its
Architecture, Detection, Prevention and Mitigation”, IEEE, April 2013.
[4] Ping Wang, Lei Wu, Baber Aslam and Cliff C. Zou, “A Systematic Study on
Peer-to-Peer Botnets”, University of Central Florida.
[5] Areej Al-Bataineh, Gregory White, “Detection and Prevention Methods of
Botnet-generated Spam”, University of Texas.
[6] Jivesh Govil, Jivika Govil, “Criminology of Botnets and their Detection and
Defense Methods”, IEEE EIT 2007.
[7] Lei Zhang, Shui Yu, Di Wu, Paul Watters, “A survey on latest botnet attack
and defense”, 2011 International Joint Conference of IEEE.
[8] C. Czosseck, E. Tyugu, T. Wingfield, “On the arms race around botnets –
setting up and taking down botnets”, 2011 3rd International Conference on
Cyber Conflict.
[9] Zhiqi Zhang, Baochen Lu, Peng Liao, Chaoge Liu, Xiang Cui, “A
hierarchical hybrid structure for botnet control and command”, Research
Center of Information Security, Institute of Computing Technology, Chinese
Academy of Sciences.
[10] Li Xiao-nan, Liu Yang, Zheng Hua, “Peer-to-Peer Botnets: Analysis and
Defense”, IEEE 2011.
[11] N. S. Raghava, Divya Sahgal, Seema Chanda, “Classification of Botnet
Detection and Architecture”, Delhi Technological University, IEEE 2012.
[12] H. Binsalleeh, P. Sinha, A. Youssef, “On the analysis of the Zeus
botnet”, Canada 2011.
Reference Links
[I] http://www.chmag.in/article/jan2011/botnet-detection-tool-ourmon
[II] http://www.checkpoint.com/products/anti-bot-software-blade/anti-bot-software-blade-landing-page.html
[III] https://www.shadowserver.org/wiki/pmwiki.php/Information/Botnets
[IV] en.wikipedia.org/wiki/Botnet
[V] www.thewindowsclub.com/botnet-removal-tools-windows
[VI] http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29
Books
[i] Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley,
Carsten Willems, Michael Cross, “Botnets: The Killer Web App”