  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
11

Cybercriminal Organizations : Utilization of Botnets

Jacobsson, Bastian January 2016
Botnets, networks of hundreds to millions of computers, controlled by one or more individuals, increasingly play a part in cybercrimes, with astonishing results. The access of a botnet gives the controller abilities of a large majority of all the cyberattacks over the internet, and with the possibility of buying a complete botnet, this opens the market to nontechnical criminals. The Darknet and the market it provides enable the buyers to buy and trade everything from botnets and malware to complete schemes. The increase in cybercriminal activities and organizations has been alarmingly high in recent years, and no wonder, when criminals just need to invest a small amount of money to gain potentially millions of dollars without any advanced knowledge of computer science, and with only a slight chance of getting caught due to the anonymity of the internet and botnets. Based on a literature review combined with a critically reflective analysis of a selection of information about botnets from other sources available on the internet, this paper has identified some of the main types of organizations used in cybercrime and their operations as well as basic information about botnets, the players and stakeholders in this area, the theft and schemes used by botnets and the online money laundering service involved.
12

Evaluating the Effects of Denial-of-Service Attacks from IoT Devices

Lernefalk, Marcus January 2021
The internet is constantly growing; we are expecting there to be more than 50 billion devices on the internet past 2020. Many of these devices will be small, embedded devices connected and communicating using the Internet of Things. Keeping these devices secure and protected from unauthorized access has been a rising concern, in part due to botnets that have proven capable of exploiting hundreds of thousands of Internet of Things devices to carry out Distributed Denial-of-Service attacks in the past. The objective of this study has been to answer how big of an impact compromised IoT devices might have when exploited to carry out a Distributed Denial-of-Service attack in a Wireless Local Area Network. To answer this question, this thesis has done research in the fields concerning cyber-security, the Internet of Things, and methods of distributing Denial-of-Service attacks. This study implements a scenario that measures the impact of a Distributed Denial-of-Service attack utilizing up to six emulated IoT devices that attack a single victim computer using a TCP, UDP or HTTP flood. Several tests have been performed and analyzed. The results from this work are presented and compared and show that the victim computer is relatively capable of mitigating and defending against the TCP and HTTP flood with up to six utilized IoT devices in each attack. The implemented scenario and method are, however, capable of heavily congesting and overwhelming a single victim computer when utilizing a UDP flood with all six IoT devices simultaneously attacking.
13

Towards An Enterprise Self-healing System against Botnets Attacks

Alhomoud, Adeeb M., Awan, Irfan U., Pagna Disso, Jules F. 05 1900
Protecting against cyber attacks is no longer a problem of organizations and home users only. Cyber security programs are now a priority of most governments. Cyber criminals have been using botnets to gain control over millions of computers, steal information and commit other malicious activities. In this paper we propose a self-healing architecture that was originally inspired from a nature paradigm and applied in the computer field. Our solution is designed to work within a network domain. We present the initial design of our solution based on the principles of self-healing systems and the analysis of botnet behaviour. We discuss how to either neutralize or reverse (correct) their actions, ensuring that network operations continue without disruption.
14

A Next Generation Approach to Combating Botnets

Alhomoud, Adeeb M., Awan, Irfan U., Pagna Disso, Jules F., Younas, M. 04 1900
As part of a defense-in-depth security solution for domain-controlled enterprise networks, a proposed self-healing system architecture is designed to increase resiliency against botnets with minimal disruption to network services.
15

A self-healing framework to combat cyber attacks. Analysis and development of a self-healing mitigation framework against controlled malware attacks for enterprise networks.

Alhomoud, Adeeb M. January 2014
Cybercrime costs a total loss of about $338 billion annually, which makes it one of the most profitable criminal activities in the world. Controlled malware (Botnet) is one of the most prominent tools used by cybercriminals to infect and compromise computer networks and steal important information. Infecting a computer is relatively easy nowadays with malware that propagates through social networking in addition to the traditional methods like SPAM messages and email attachments. In fact, more than 1/4 of all computers in the world are infected by malware, which makes them viable for botnet use. This thesis proposes, implements and presents the Self-healing framework that takes inspiration from the human immune system. The designed self-healing framework utilises the key characteristics and attributes of nature’s immune system to reverse botnet infections. It employs its main components to heal the infected nodes. If the healing process was not successful for any reason, it immediately removes the infected node from the Enterprise’s network to a quarantined network to avoid any further botnet propagation and alerts the Administrators for human intervention. The designed self-healing framework was tested and validated using different experiments and the results show that it efficiently heals the infected workstations in an Enterprise network.
16

Framework for botnet emulation and analysis

Lee, Christopher Patrick 12 March 2009
Criminals use the anonymity and pervasiveness of the Internet to commit fraud, extortion, and theft. Botnets are used as the primary tool for this criminal activity. Botnets allow criminals to accumulate and covertly control multiple Internet-connected computers. They use this network of controlled computers to flood networks with traffic from multiple sources, send spam, spread infection, spy on users, commit click fraud, run adware, and host phishing sites. This presents serious privacy risks and financial burdens to businesses and individuals. Furthermore, all indicators show that the problem is worsening because the research and development cycle of the criminal industry is faster than that of security research. To enable researchers to measure botnet connection models and counter-measures, a flexible, rapidly augmentable framework for creating test botnets is provided. This botnet framework, written in the Ruby language, enables researchers to run a botnet on a closed network and to rapidly implement new communication, spreading, control, and attack mechanisms for study. This is a significant improvement over augmenting C++ code-bases for the most popular botnets, Agobot and SDBot. Rubot allows researchers to implement new threats and their corresponding defenses before the criminal industry can. The Rubot experiment framework includes models for some of the latest trends in botnet operation such as peer-to-peer based control, fast-flux DNS, and periodic updates. Our approach implements the key network features from existing botnets and provides the required infrastructure to run the botnet in a closed environment.
17

Models to Combat Email Spam Botnets and Unwanted Phone Calls

Husna, Husain 05 1900
With the amount of email spam received these days it is hard to imagine that spammers act individually. Nowadays, most of the spam emails have been sent from a collection of compromised machines controlled by some spammers. These compromised computers are often called bots, using which the spammers can send a massive volume of spam within a short period of time. The motivation of this work is to understand and analyze the behavior of spammers through a large collection of spam mails. My research examined the data set collected over a 2.5-year period and developed an algorithm which would give the botnet features and then classify them into various groups. Principal component analysis was used to study the association patterns of groups of spammers and the individual behavior of a spammer in a given domain. This is based on the features which capture maximum variance of information we have clustered. Presence information is a growing tool towards more efficient communication and providing new services and features within a business setting and much more. The main contribution in my thesis is to propose the willingness estimator that can estimate the callee's willingness without his/her involvement; the model estimates willingness level based on call history. Finally, the accuracy of the proposed willingness estimator is validated with the actual call logs.
18

Detection of IoT Botnets using Decision Trees

Meghana Raghavendra (10723905) 29 April 2021
International Data Corporation [3] (IDC) data estimates that 152,200 Internet of things (IoT) devices will be connected to the Internet every minute by the year 2025. This rapid expansion in the utilization of IoT devices in everyday life leads to an increase in the attack surface for cybercriminals. IoT devices are frequently compromised and used for the creation of botnets. However, it is difficult to apply the traditional methods to counteract IoT botnets and thus calls for finding effective and efficient methods to mitigate such threats. In this work, the network snapshots of IoT traffic infected with two botnets, i.e., Mirai and Bashlite, are studied. Specifically, the collected datasets include network traffic from 9 different IoT devices such as baby monitor, doorbells, thermostat, web cameras, and security cameras. Each dataset consists of 115 stream aggregation feature statistics like weight, mean, covariance, correlation coefficient, standard deviation, radius, and magnitude with a timeframe decay factor, along with a class label defining the traffic as benign or anomalous.
The goal of the research is to identify a proper machine learning method that can detect IoT botnet traffic accurately and in real-time on IoT edge devices with low computation power, in order to form the first line of defense in an IoT network. The initial step is to identify the most important features that distinguish between benign and anomalous traffic for IoT devices. Specifically, the Input Perturbation Ranking algorithm [12] with XGBoost [26] is applied to find the 9 most important features among the 115 features. These 9 features can be collected in real time and be applied as inputs to any detection method. Next, a supervised predictive machine learning method, i.e., Decision Trees, is proposed for faster and accurate detection of botnet traffic. The advantage of using decision trees over other machine learning methodologies is that it achieves accurate results with low computation time and power. Unlike deep learning methodologies, decision trees can provide visual representation of the decision making and detection process. This can be easily translated into explicit security policies in the IoT environment. In the experiments conducted, it can be clearly seen that decision trees can detect anomalous traffic with an accuracy of 99.997% and takes 59 seconds for training and 0.068 seconds for prediction, which is much faster than the state-of-art deep-learning based detector, i.e., Kitsune [4]. Moreover, our results show that decision trees have an extremely low false positive rate of 0.019%. Using the 9 most important features, decision trees can further reduce the processing time while maintaining the accuracy. Hence, decision trees with important features are able to accurately and efficiently detect IoT botnets in real time and on a low performance edge device such as Raspberry Pi [9].
19

Lutte aux botnets : les politiques de prévention s'avèrent-elles efficaces?

Allaire, Marie-Renée 07 1900
No description available.
20

Topology-aware vulnerability mitigation worms

Al-Salloum, Ziyad January 2011
In very dynamic Information and Communication Technology (ICT) infrastructures, with rapidly growing applications, malicious intrusions have become very sophisticated, effective, and fast. Industries have suffered billions of US dollars losses due only to malicious worm outbreaks. Several calls have been issued by governments and industries to the research community to propose innovative solutions that would help prevent malicious breaches, especially with enterprise networks becoming more complex, large, and volatile. In this thesis we approach self-replicating, self-propagating, and self-contained network programs (i.e. worms) as vulnerability mitigation mechanisms to eliminate threats to networks. These programs provide distinctive features, including: Short distance communication with network nodes, intermittent network node vulnerability probing, and network topology discovery. Such features become necessary, especially for networks with frequent node association and disassociation, dynamically connected links, and where hosts concurrently run multiple operating systems. We propose -- to the best of our knowledge -- the first computer worm that utilizes the second layer of the OSI model (Data Link Layer) as its main propagation medium. We name our defensive worm Seawave, a controlled interactive, self-replicating, self-propagating, and self-contained vulnerability mitigation mechanism. We develop, experiment, and evaluate Seawave under different simulation environments that mimic to a large extent enterprise networks. We also propose a threat analysis model to help identify weaknesses, strengths, and threats within and towards our vulnerability mitigation mechanism, followed by a mathematical propagation model to observe Seawave's performance under large scale enterprise networks. We also preliminarily propose another vulnerability mitigation worm that utilizes the Link Layer Discovery Protocol (LLDP) for its propagation, along with an evaluation of its performance. In addition, we describe a preliminary taxonomy that rediscovers the relationship between different types of self-replicating programs (i.e. viruses, worms, and botnets) and redefines these programs based on their properties. The taxonomy provides a classification that can be easily applied within the industry and the research community and paves the way for a promising research direction that would consider the defensive side of self-replicating programs.
