
Understanding DNS-based criminal infrastructure for informing takedowns

Nadji, Yacin Ibrahim, 07 January 2016
Botnets are a pervasive threat to the Internet and its inhabitants. A botnet is a collection of infected machines that receive commands from the botmaster, a person, group or nation-state, to perform malicious actions. Instead of "cleaning" individual infections, one can sever the method of communication between a botmaster and her zombies by attempting a botnet takedown, which contains the botnet and its malicious actions. Unfortunately, takedowns are currently performed without technical rigor, and there are no automated and independent means to measure success or to assist in performing them. This dissertation focuses on understanding the criminal infrastructure that enables communication between a botmaster and her zombies in order to measure attempts at, and to perform, successful takedowns. We show that by interrogating malware and performing large-scale analysis of passively collected network data, we can measure whether a past botnet takedown was successful and use the same techniques to perform more comprehensive takedowns in the future.

Detecção de Redes de Serviço de Fluxo Rápido Baseada em Otimização por Colônia de Formiga / Detection of Fast Flux Service Networks Based on Ant Colony Optimization

Barbosa, Kaio Rafael de, 04 April 2018
Remote control of and remote access to computers infected with malicious code allow the operator of such a network (botnet) to perform various fraudulent activities, such as orchestrating distributed denial of service (DDoS) attacks or propagating malicious code such as viruses and worms. To maintain control of these infected machines, it is necessary to use a communication mechanism that is robust against attempts to disrupt the network's services and that is able to evade intrusion detection systems. Such a mechanism is also known as a Command and Control (C&C) channel. To this end, some malicious networks frequently adopt the Domain Name System (DNS) because of its global and distributed operation, which allows them to simulate the behaviour of legitimate networks through techniques such as Round-Robin DNS (RRDNS) and Content Distribution Networks (CDN). Malicious networks that employ these strategies are called Fast Flux Service Networks, because they are able to modify their behaviour to ensure the continuous operation of their services, as well as of the Command and Control (C&C) channel. To identify such networks, current intrusion detection systems are built from models based on a fixed set of attributes observed at a given point in time. However, the operators of these networks are able to subvert such detection models by modifying characteristics such as the number of IP addresses or the time to live (TTL) of a domain name. For these reasons, this work presents a model bio-inspired by the concept of Ant Colony Optimization for the detection of botnets based on Fast Flux Service Networks. The main objective is to analyze a suspicious domain from different perspectives, because even if it is possible to manipulate certain features, the operator is unlikely to modify a considerable set of attributes so as to evade different classification models at the same time. The experimental results using a real database show that the model is able to generate classification rules that prioritize lower cost from the combination of different detection methods, obtaining an accuracy of more than 93%.
Funding: FAPEAM - Fundação de Amparo à Pesquisa do Estado do Amazonas

Protecting Networked Systems from Malware Threats

Shin, Seungwon, 16 December 2013
Currently, networks and networked systems are essential media for us to communicate with other people, access resources, and share information. Reading (or sending) emails, navigating web sites, and uploading pictures to social media are common behaviors that use networks. Besides these, networks and networked systems are used to store or access sensitive or private information. In addition, major economic activities, such as buying food and selling used cars, can also be carried out over networks. In short, we live with networks and networked systems. As network usage increases and becomes more popular, people face the problem of network attacks. Attackers on the networks can steal people's private information, mislead people into paying money for fake products, and threaten people who operate online commercial sites by disrupting their services. There are many more diverse types of network attacks that torment many people using networks, and the situation is still serious. The proposal in this dissertation starts from the following two research questions: (i) what kind of network attack is prevalent and how can we investigate it, and (ii) how can we protect our networks and networked systems from these attacks. Therefore, this dissertation spans two main areas to provide answers to each question. First, we analyze the behaviors and characteristics of large-scale bot-infected hosts, which provides new findings about network malware and new insights that are useful to detect (or defeat) recent network threats. To do this, we investigate the characteristics of victims infected by recent popular botnets: Conficker, MegaD, and Srizbi. In addition, we propose a method to detect these bots by correlating network and host features. Second, we suggest new frameworks to make our networks secure based on the new network technology of Software Defined Networking (SDN). Currently, SDN technology is considered a future major network trend, and it can dynamically program networks as we want. Our suggested frameworks for SDN can be used to devise network security applications easily, and we also provide an approach to make SDN technology itself secure.

Peer to peer botnet detection based on flow intervals and fast flux network capture

Zhao, David, 16 October 2012
Botnets are becoming the predominant threat on the Internet today and are the primary vector for carrying out attacks against organizations and individuals. Botnets have been used in a variety of cybercrimes, from click fraud to DDoS attacks to the generation of spam. In this thesis we propose an approach to detect botnet activity using two different strategies, both based on machine learning techniques. In the first, we examine network flow based metrics of potential botnet traffic and show that we are able to detect botnets with only data from a small time interval of operation. For our second technique, we use a similar strategy to identify botnets based on their potential fast flux behavior. For both techniques, we show experimentally that the presence of botnets may be detected with high accuracy, and we identify their potential limitations.

Arquitetura distribuída e automatizada para mitigação de botnet baseada em análise dinâmica de malwares / An automated and distributed architecture for botnet mitigation based in dynamic malware analysis

Ceron, João Marcelo, January 2010
Currently, botnets are one of the most serious threats to Internet security. Botnets - networks of compromised machines remotely controlled by an attacker - are very dynamic threats. New features are often incorporated into these malicious networks, making it hard for traditional tools, such as antivirus and IDS, to be effective. Therefore, it is necessary to develop new mechanisms that can complement the current defense techniques. This dissertation presents an architecture for a botnet mitigation and detection tool. The tool is based on network signatures obtained from machines compromised by bots. This architecture automates the process of signature generation by compiling information from malware analysis tools freely available on the Web. Furthermore, flow monitoring (through the Netflow solution) was used to identify network behaviour similar to that mapped from the malware (bots) analyzed by the system. This mapped behaviour in flows indicates possibly compromised machines in the monitored network; on such an identification, the system triggers events that help the security manager mitigate the compromised machines. Finally, the proposed solution was evaluated in a large academic network: that of the Federal University of Rio Grande do Sul (UFRGS). The results achieved by this solution showed that 1.5% of the botnet controllers remain active for a long period of time (52 days) performing malicious activities, and a small group of controllers was also observed to be responsible for the administration of a large number of compromised machines.

Towards Advanced Malware Classification: A Reused Code Analysis of Mirai Botnet and Ransomware

January 2020
Due to the increase in computer and database dependency, the damage caused by malicious code increases. Moreover, the gravity and magnitude of malicious attacks by hackers grow at an unprecedented rate. A key challenge lies in detecting such malicious attacks and code in real time using existing methods, such as signature-based detection. To this end, computer scientists have attempted to classify heterogeneous types of malware on the basis of their observable characteristics. Existing literature focuses on classifying binary code, since malware binaries are more accessible than source code. Also, for improved speed and scalability, machine learning-based approaches are widely used. Despite such merits, the machine learning-based approach critically lacks interpretability of its outcome, which restricts understanding of why a given code belongs to a particular type of malware and, importantly, why some portions of code are reused very often by hackers. In this light, this study aims to enhance understanding of malware by directly investigating reused code and uncovering its characteristics. To examine reused code in malware, both malware with source code and malware with binary code are considered in this thesis. For malware with source code, this study examines reused code chunks in the Mirai botnet: it lists frequently reused code chunks and analyzes the characteristics and location of the code. For malware with binary code, this study performs reverse engineering on the binary code so that human readers can comprehend it, visually inspects reused code in binary ransomware code, and illustrates the functionality of the reused code on the basis of similar behaviors and tactics. This study makes a novel contribution to the literature by directly investigating the characteristics of reused code in malware. The findings of the study can help cybersecurity practitioners and scholars increase the performance of malware classification.
Master's Thesis, Computer Science, 2020

Detection and simulation of generic botnet from real-life large netflow dataset

Harun, Sarah, 09 August 2019
Botnets are networks formed by a number of machines infected by malware called bots. Detection of these malicious networks is a major concern, as they pose a serious threat to network security. Most of the research on botnet detection is based on particular botnet characteristics and fails to detect other types of botnet. Several generic botnet detection methods exist that can detect a variety of botnets, but these generic methods perform very poorly on real-life datasets because they were not developed on a real-life botnet dataset. A crucial reason for this is the scarcity of large-scale real-life botnet datasets: due to security and privacy concerns, organizations do not publish their real-life botnet data. Therefore, there is a dire need for a simulation methodology that generates a large-scale botnet dataset similar to the original real-life dataset while preserving the security and privacy of the network. In this dissertation, we develop a generic bot detection methodology that can detect a variety of bots and evaluate the methodology on a real-life, large, highly class-imbalanced dataset. Numerical results show that our methodology can detect bots more accurately than the existing methods. Realizing the need for large-scale real-life botnet datasets, we develop a simulation methodology to simulate a large-scale botnet dataset from a real-life botnet dataset. Our simulation methodology is based on a Markov chain and a role-mining process that can simulate the degree distributions along with triangles (community structures). To scale up the original graph to a large-scale graph, we also propose a scaling-up algorithm, the Enterprise connection algorithm. We evaluate our simulated graph by comparing it with the original graph as well as with the graph generated by the Preferential Attachment algorithm. Comparisons are done in the following three major categories: comparison of botnet subgraphs, comparison of overall graphs, and comparison of scaled-up graphs. Results demonstrate that our methodology outperforms the Preferential Attachment algorithm in simulating the triangle distributions and the botnet structure.

Machine Learning for Botnet Detection: An Optimized Feature Selection Approach

Lefoane, Moemedi; Ghafir, Ibrahim; Kabir, Sohag; Awan, Irfan U., 05 April 2022
Technological advancements have been evolving for a long time, particularly Internet of Things (IoT) technology, which has seen the number of connected devices surpass non-IoT connections. It has unlocked a lot of potential across different organisational settings, from healthcare and transportation to smart cities. Unfortunately, these advancements also mean that cybercriminals are constantly seeking new ways of exploiting vulnerabilities for malicious and illegal activities. IoT is a technology that presents a golden opportunity for botnet attacks that take advantage of a large number of IoT devices and use them to launch more powerful and sophisticated attacks such as Distributed Denial of Service (DDoS) attacks. This calls for more research geared towards the detection and mitigation of botnet attacks in IoT systems. This paper proposes a feature selection approach that identifies and removes less influential features as part of a botnet attack detection method. The feature selection is based on the frequency of occurrence of the value counts in each of the features with respect to the total number of instances. The effectiveness of the proposed approach is tested and evaluated on a standard IoT dataset. The results reveal that the proposed feature selection approach improves the performance of the botnet attack detection method in terms of True Positive Rate (TPR) and False Positive Rate (FPR). The proposed methodology provides 100% TPR, 0% FPR and a 99.9976% F-score.
