Fight Fire with Fire: the ultimate active defense
Prepared by
Nishant Agrawal
Poonam Jha
Aakruti Shah
Introduction
• Internet threats are difficult to defend against.
• Malware increasingly relies on botnets.
• Fighting malware is asymmetric, favouring attackers.
• P2P botnets are used because they are more resilient.
• By re-engineering existing malware, defenders can build antidotes that eradicate its spreading functions.
• An antidote can be used to monitor the on-site activity of the malware.
• The approach would be most effective against malware families such as Hlux, Sality and Zeus.
Related work
• Rossow (2013) analysed the resilience of botnets using three types of attacks:
i. Enumeration: gathering information about the topology of the network
ii. Sinkholing: a mechanism to force bots to connect to non-existent or fake peers
iii. Partitioning: splitting the botnet into disjoint, partially unreachable sub-networks
• The analysis was conducted on the Storm, Waledac, Zeus and Sality malware families.
• Holz et al. (2008) discuss the Storm botnet, which exploits social engineering and spreads by e-mail. Storm uses the Kademlia structured P2P protocol with encrypted messages.
• Stock et al. (2009) analyse Waledac, which is more decentralised. It was re-engineered to infiltrate the botnet.
• Bureau (2011) discusses the Hlux (Kelihos) botnet, a successor of Waledac. It uses strong encryption routines and is based on an unstructured P2P protocol.
Continue….
• Ormerod et al. (2010) analysed the first version of the Zeus botnet, which was based on a centralised architecture.
• Andriesse and Bos (2013) analysed the newer P2P version (Gameover), which is based on an unstructured P2P protocol and uses strong cryptographic algorithms.
• Falliere (2011) analysed version 4 of the Sality downloader botnet, which uses hard-coded repository server URLs and lacks verification of the executables it installs.
• Frei et al. (2008) and Duebendorfer and Frei (2009) discuss early patch application for browsers.
• Tang et al. (2012) discuss mobile applications.
• Khouzani et al. (2012) analyse the importance of patching policies to stem malware.
• Griffin et al. (2009) discuss signature matching as a local malware detection technique.
• Coskun et al. (2010) use peer traffic for malware analysis.
Approach-Flowchart
Approach taken by the Authors
• The approach rests on two fundamental principles:
i. It is not limited to re-engineering the targeted malware. A general-purpose antidote is created, starting with a detection phase, to infiltrate the infection.
ii. It must be the defender's last resort. The decision threshold is application dependent, since it is based on the type of malware targeted.
• Preliminary phase and re-engineering: in this initial phase, active or passive methods are used to obtain the malware binary, which is then reverse engineered. Here the defender acquires a deep understanding of the malware's protocols and functionalities. The next step is to re-engineer the malware by disabling its components and introducing new functionalities to infiltrate and sanitise.
• Spreading: here the defender has to consider how the targeted malware spreads. Two aspects are involved:
i. Exploitation vector: malware spreads quickly, like an epidemic of a human virus. The antidote can use the techniques below:
Use the same exploitation vector: the antidote uses the same spreading tools as the malware, which improves its effectiveness in reaching an infected host.
Take advantage of a vulnerability in the malware software: the defender uses it to sanitise the infected machine.
Take advantage of a vulnerability in the victim's host: known or zero-day vulnerabilities are used by the antidote.
Use black-market services: the defender acts undercover and buys the downloader.
Enumeration and sinkholing: if the defender is able to enumerate the botnet, the enumerated hosts can be addressed by the antidote.
Continue…
ii. Infiltration: once a victim is detected, the antidote can infiltrate the malware by taking over its process, and by observing and fixing infected files. Here the defender takes over a running malware binary on the victim's host and mimics its behaviour.
• Detection and eradication: here the general-purpose antidote is used to detect and verify a known malware family. The antidote is deployed after initial information gathering about the host; the further checks depend on the target.
• Patching and update: here the antidote fixes known bugs and exploited vulnerabilities by forcing the application of updates and patches on the victim's machine, to stop an epidemic. Antidotes leverage silent updates and improve the resilience of the victim's host against new attacks. Social engineering is difficult to sanitise; the antidote can apply countermeasures such as blacklisting known bad domains and e-mail addresses.
Case-study Approach Applications
• Three resilient botnets are discussed in the case study:
1) Zeus P2P and Sality P2P: they leverage drive-by downloads, by means of browser vulnerabilities or other security flaws. The malware is installed automatically when the user visits an infectious website, a technique used to infect new machines. They also use social engineering to spread. To keep the protocol from spreading further, the antidote can follow the behaviour of the on-site malware so as to remain in the malicious network and acquire information about the infected hosts.
2) Hlux: it exploits a well-known Windows vulnerability, and so has a higher chance of hitting an already infected host, because the malware does not fix the issue after installing itself on the victim.
Limitations
Requires a lot of reverse engineering, especially to gain access.
Even though techniques exist that are able to detect malware, encryption is still difficult to defeat.
Currently available techniques are not 100% accurate.
Conclusions
• Defenders need to develop more complex tools to oppose and track down attackers.
• Active offensive security tools should be used to fight back against malware and infections.
• Improvements to the Sality and Zeus P2P approach should be used to turn a malware binary into an antidote.
Other Cases Referred
• Ability to take over the command and control functions of the Storm botnet (which was being used to engage in illegal activities worldwide)
1. Botmaster: the botmaster is the person who controls and commands the botnet to carry out illegal activities.
2. Bot clients: a bot is a victim computer on which the bot program has been installed through one of the various malware spreading mechanisms.
3. C&C communication protocols: the protocols that botnets use for communication between the botmaster and the bot clients.
4. C&C servers: the coordinating servers between the botmaster and the bot clients.
Botnet life cycle work flow
Continue…
• Initial infection: sending an e-mail with a malware attachment or a URL link that leads to a browser exploit.
• Secondary injection: initiated after the first phase completes. When the user opens the e-mail attachment, the infected computer downloads the bot binaries from remote servers and installs them automatically on the exploited machine.
• Connection: the connection phase is sometimes called "rallying". Although victim machines turn into bots through different mechanisms, in the end the new bot clients must connect to the C&C server to register or to send information about the zombie machine.
Continue….
• Malicious commands: after connecting to the C&C servers, bot clients wait for commands sent by the botmaster. When they receive commands, they execute them and perform the malicious activities against the target machines.
• Maintenance and update: changing the pattern of malicious activities from periodic to random, or changing the C&C server addresses.
Botnet Architectures
Centralized botnet
• To avoid being detected easily and to hide their malicious activities from firewalls, most new centralised botnets are designed to use the HTTP protocol.
• They are complex to classify and detect, since normal HTTP traffic and botnet HTTP traffic are very similar.
• This model is simple to implement, manage and control, but the C&C server is a single point of failure: if the servers are detected or destroyed, all the bot clients become useless or inefficient.
Distributed model
Continue…
• This model is designed to solve the single-point-of-failure issue of the centralised model. It applies a peer-to-peer structure to the botnet, which is more flexible.
• The concept is that the botmaster sends commands to a number of bot clients, which then deliver the commands to other bots; each bot client can act as client and server at the same time, so P2P botnets are more difficult to disable, destroy and shut down.
• The disadvantage of this model is that it is difficult and complex to implement.
Other Papers Referred
1. Trends and Challenges of Botnet Architecture and Detection Techniques
-- Ritthichai Limarunothai and Mohd Amin Munlin
• They explain the botnet mechanism along with its components and life cycle.
• They also present botnet detection techniques.
• There are mainly two techniques:
1. Honeynet based
2. Intrusion Detection System (IDS)
• The more advanced techniques fall under IDS:
• Anomaly based
One of the best techniques for detecting unknown botnet attacks compared to other techniques, working in two steps:
• First, a training phase in which a normal traffic profile is created.
• Second, an anomaly detection phase in which the normal traffic profile is compared with current traffic to find anomalies.
• It identifies new, previously unknown botnets.
• Data mining based
• The anomaly technique cannot detect and differentiate between legitimate and malicious traffic.
• Using a data-mining-based detection technique such as machine learning (ML) is an efficient approach and identifies botnet traffic easily.
• Combining the anomaly-based and data-mining-based techniques would remove their weaknesses and increase their performance.
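The two-phase anomaly-based detection described above (a training phase that builds a normal traffic profile, then a detection phase that compares current traffic against it), as an added example that is not part of these slides or of the Limarunothai and Munlin paper: it profiles each host's normal HTTP destinations from constructed flow records and flags unseen destinations contacted with beacon-like regularity, which is one way a centralised HTTP C&C channel can stand out from otherwise similar browsing traffic. All host names, addresses, timestamps and thresholds are constructed assumptions.

```python
# Two-phase anomaly detection over outbound HTTP flow records (added example).
# Training phase : per-host profile of normal destinations from clean traffic.
# Detection phase: flag (src, dst, port) pairs absent from the profile whose
#                  timing is machine-regular, i.e. the beaconing of a C&C channel.
# Every record, host name and threshold below is constructed for illustration.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_host, dst_host, dst_port)
TRAINING_FLOWS = [
    (10.0, "10.0.0.5", "www.example.com", 80),
    (47.0, "10.0.0.5", "www.example.com", 80),
    (51.0, "10.0.0.5", "cdn.example.com", 80),
    (300.0, "10.0.0.5", "www.example.com", 80),
    (5.0, "10.0.0.7", "intranet.example.local", 80),
    (35.0, "10.0.0.7", "intranet.example.local", 80),
    (65.0, "10.0.0.7", "intranet.example.local", 80),
]

DETECTION_FLOWS = [
    # 10.0.0.5 keeps browsing as before ...
    (1003.0, "10.0.0.5", "www.example.com", 80),
    (1190.0, "10.0.0.5", "cdn.example.com", 80),
    # ... but also contacts an unseen host every 60 s: a suspicious beacon.
    (1000.0, "10.0.0.5", "cc.example.invalid", 80),
    (1060.0, "10.0.0.5", "cc.example.invalid", 80),
    (1120.0, "10.0.0.5", "cc.example.invalid", 80),
    (1180.0, "10.0.0.5", "cc.example.invalid", 80),
    (1240.0, "10.0.0.5", "cc.example.invalid", 80),
    # 10.0.0.7 polls a known destination regularly: in profile, not flagged.
    (1000.0, "10.0.0.7", "intranet.example.local", 80),
    (1030.0, "10.0.0.7", "intranet.example.local", 80),
    (1060.0, "10.0.0.7", "intranet.example.local", 80),
    # 10.0.0.7 visits a new site at irregular times: unseen but human-like.
    (1000.0, "10.0.0.7", "news.example.org", 80),
    (1005.0, "10.0.0.7", "news.example.org", 80),
    (1300.0, "10.0.0.7", "news.example.org", 80),
]


def build_profile(flows):
    """Training phase: per source host, the set of (dst, port) pairs seen."""
    profile = defaultdict(set)
    for _ts, src, dst, port in flows:
        profile[src].add((dst, port))
    return dict(profile)


def beacon_score(timestamps):
    """Coefficient of variation of the inter-arrival gaps.

    Near 0 means evenly spaced connections (machine beaconing); human
    browsing gives bursty gaps and a high value. None if too few samples.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def detect_anomalies(profile, flows, max_cv=0.2, min_hits=3):
    """Detection phase: flag unseen destinations that are contacted regularly.

    Known destinations are skipped even when regular (scheduled polling is
    normal); unseen ones are flagged only with >= min_hits contacts and a
    coefficient of variation <= max_cv.
    """
    per_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        per_pair[(src, dst, port)].append(ts)

    findings = []
    for (src, dst, port), stamps in sorted(per_pair.items()):
        if (dst, port) in profile.get(src, set()):
            continue  # part of this host's normal profile
        cv = beacon_score(stamps)
        if cv is None or len(stamps) < min_hits or cv > max_cv:
            continue  # too few samples, or irregular enough to look human
        findings.append({"src": src, "dst": dst, "port": port,
                         "hits": len(stamps), "cv": round(cv, 3)})
    return findings


def run_demo():
    """Train on the clean window, then score the later window."""
    return detect_anomalies(build_profile(TRAINING_FLOWS), DETECTION_FLOWS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The thresholds are deliberately simple; in practice the profile would also carry per-host request rates and payload sizes, which is where the data-mining approach from the next slide takes over.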
Questionnaire
What is the problem and/or purpose of the research study?
• Due to the increasing malware epidemics on the Internet (the wide spread of malicious software on the Internet), the research proposes to study different malware families, to analyse and evaluate the spreading of botnets and their resilience, and to develop more intrusive approaches to disrupt them.
What significance of the problem, if any, has the investigator identified?
• The investigator feels that fighting malware is an asymmetric fight between attackers and defenders, and that the defender should use more active defensive techniques to reduce the threat.
Continue…
• Does the paper present a theoretical model?
• Yes. The investigator has developed a structured technique, the General-Purpose Antidote, to fight against a botnet.
• What concepts are included in the review?
• Rossow (2013) analyses the resilience of botnets. Holz et al. (2008) study e-mails that trick the user into installing the malicious software; they also present the weakness of the protocol, namely the lack of authentication, which is used to disrupt the botnet. Stock et al. (2009) analyse the newer malware: the propagation mechanism is the same, but the architecture changes in favour of a more decentralised one.
• What are the limitations discussed in the paper?
• The approach discussed by the researcher to fight malware requires a lot of re-engineering. The investigator feels that detecting malware is simple, but defeating it is much more difficult. Currently available techniques do not even reach 100 percent accuracy in detection.
• What recommendations for future research are stated or implied?
• Attackers can easily develop simple and compact code to achieve their illegal aims, so defenders have to develop significantly more complex tools to oppose and track down these attackers. Moreover, attackers are improving their malicious software and architectures to be significantly more resilient to takedown attempts. For these reasons, defenders will in future need active defence and offensive security tools to fight back against malware and infections.
• Are there other studies with similar findings?
Yes. Ritthichai Limarunothai and Mohd Amin Munlin (2015), Joseph and Shishir (2016) and others have similar studies.
• What are the key results?
The use of active defence by defenders to moderate malware; how a botnet works, giving an idea for developing an efficient botnet detection system; and the behaviour of real Intel enterprise end-host background traffic contrasted with real botnet C&C channel activity.
• Are the results interpreted in the context of the problem/purpose, hypothesis, and theoretical framework/literature reviewed?
Yes, the results are interpreted in the context of the problem and the theoretical framework/literature.
References
• Deibert, R., & Crete-Nishihata, M. (2011). Blurred boundaries: Probing the ethics of cyberspace research. Review of Policy Research, 28(5), 531-537.
• Danchev, D. (2009, January 16). Legal concerns stop researchers from disrupting the Storm Worm botnet. ZDNet.
• Pilli, E., Sharma, P., Tiwari, S., & Bijalwan, A. (2014). Botnet Detection Framework. International Journal of Computer Applications, 93, May 2014.
• Rajab, M. A., Zarfoss, J., Monrose, F., & Terzis, A. (2006). A multifaceted approach to understanding the botnet phenomenon. Internet Measurement Conference, pp. 41-52.
• Yang, M., Ren, G., & Zhang, J. (2006). Talk about botnets. The community communications conference, pp. 629-633.
• Abdullah, R. S., Abdollah, M. F., Muhamad Noh, Z. A., Mas'ud, M. Z., Selamat, S. R., & Yusof, R. (2013). Revealing the Criterion on Botnet Detection Technique. IJCSI International Journal of Computer Science, 10, 208-215, March 2013.
• Limarunothai, R., & Munlin, M. (2015). Trends and Challenges of Botnet Architectures and Detection Techniques. Journal of Information Science & Technology.
• Rossow, C. (2013). Using malware analysis to evaluate botnet resilience. PhD thesis, VU Amsterdam.
• Stock, B., Goebel, J., Engelberth, M., Freiling, F. C., & Holz, T. (2009). Walowdac – analysis of a peer-to-peer botnet. EC2ND '09, IEEE, Washington, DC.
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 

Dernier (20)

Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
fourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writingfourth grading exam for kindergarten in writing
fourth grading exam for kindergarten in writing
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 

Fight fire with fire draft

  • 1. Fight Fire with Fire: the ultimate active defense
    Prepared by Nishant Agrawal, Poonam Jha, Aakruti Shah
  • 2. Introduction
    • Internet threats are difficult to defend against.
    • Defensive tools against malware increasingly have to deal with botnets.
    • Fighting malware is an asymmetric fight that favours the attackers.
    • P2P botnets are used because they are more resilient than centralised ones.
    • By re-engineering existing malware, defenders can build antidotes that eradicate its spreading functions.
    • An antidote can also be used to monitor the on-site activity of the malware.
    • The approach would be most effective against malware families such as Hlux, Sality and Zeus.
  • 3. Related work
    • Rossow (2013) analyses the resilience of botnets against three types of attack:
      i. Enumeration: gathering information about the topology of the network.
      ii. Sinkholing: forcing bots to connect to non-existent or fake peers.
      iii. Partitioning: splitting the botnet into disjoint, partially unreachable sub-networks.
    • The analysis was conducted on the Storm, Waledac, Zeus and Sality malware families.
    • Holz et al. (2008) discuss the Storm botnet, which exploits social engineering and spreads by e-mail. Storm uses a Kademlia-based structured P2P protocol with encrypted messages.
    • Stock et al. (2009) analyse Waledac, which is more decentralised; the authors re-engineered it to infiltrate the botnet.
    • Bureau (2011) discusses the Hlux (Kelihos) botnet, a successor of Waledac. It uses strong encryption routines and is based on an unstructured P2P protocol.
  • 4. Continued
    • Ormerod et al. (2010) analysed the first version of the Zeus botnet, which was based on a centralised architecture.
    • Andriesse and Bos (2013) analysed the newer P2P version (Gameover), which is based on an unstructured P2P protocol and uses strong cryptographic algorithms.
    • Falliere (2011) analysed version 4 of the Sality downloader botnet, which uses hard-coded repository server URLs and does not verify the executables it installs.
    • Frei et al. (2008) and Duebendorfer and Frei (2009) discuss early patch application for browsers.
    • Tang et al. (2012) discuss mobile applications.
    • Khouzani et al. (2012) analyse the importance of patching policies to stem malware.
    • Griffin et al. (2009) discuss signature matching for local malware detection.
    • Coskun et al. (2010) use peer traffic for malware analysis.
  • 6. Approach taken by the authors
    • The approach rests on two fundamental principles:
      i. It is not limited to re-engineering the targeted malware. A general-purpose antidote is created that starts with a detection phase before it infiltrates the infection.
      ii. It must be the defender's last resort. The decision threshold is application dependent, since it depends on the type of malware targeted.
    • Preliminary phase and re-engineering: in this initial phase active or passive methods are used to obtain the malware binary, which is then reverse engineered. The defender acquires a deep understanding of the malware's protocols and functionality. The next step is to re-engineer the malware by disabling components and adding new functionality to infiltrate and sanitise infected hosts.
    • Spreading: here the defender has to consider how the targeted malware spreads. Two aspects matter:
  • 7. Approach taken by the authors
      i. Exploitation vector: malware spreads quickly, like an epidemic of a human virus. The antidote can use the following techniques:
        • Use the same spreading tools as the malware, which improves the antidote's chance of hitting an already infected host.
        • Take advantage of a vulnerability in the malware itself, so that the defender can sanitise the infected machine.
        • Take advantage of a vulnerability in the victim's host: known vulnerabilities or zero-day vulnerabilities are used by the antidote.
        • Use black-market services: the defender acts undercover and buys the downloader.
        • Enumeration and sinkholing: if the defender can enumerate the botnet, the enumerated hosts can be addressed by the antidote directly.
  • 8. Continued
      ii. Infiltration: once a victim is detected, the antidote infiltrates the malware by taking over its process, observing it and fixing infected files. The defender takes over the running malware binary on the victim's host and mimics its behaviour.
    • Detection and eradication: the general-purpose antidote is used to detect and verify a known malware family. The antidote is deployed after initial information gathering about the host; the further checks depend on the target.
    • Patching and update: the antidote fixes known bugs and exploited vulnerabilities by forcing updates and patches onto the victim's machine to stop an epidemic. Antidotes that leverage silent updates improve the resilience of the victim's host against new attacks.
    • Infections that rely on social engineering are difficult to sanitise; the antidote can use countermeasures such as blacklisting known bad domains and e-mail addresses.
  • 9. Case study: applications of the approach
    • Three resilient botnets are discussed in the case study:
      1) Zeus P2P and Sality P2P: both leverage drive-by downloads, by means of browser vulnerabilities or other security flaws, to infect new machines: the malware is installed automatically when the user visits an infectious website. They also use social engineering to spread. To keep the malware from spreading further, the antidote can follow the behaviour of the on-site malware, so that it remains in the malicious network and acquires information about the infected hosts.
      2) Hlux: it exploits a well-known Windows vulnerability and does not fix the issue after installing itself on the victim, so an antidote using the same vulnerability has a good chance of hitting an already infected host.
  • 10. Limitations
    • The approach requires a lot of reverse engineering, especially to gain access.
    • Even though techniques exist that can detect a malware, its encryption is still difficult to defeat.
    • Currently available techniques are not 100% accurate.
  • 11. Conclusions
    • Defenders need to develop more complex tools to oppose and track down the attackers.
    • Active and offensive security tools should be used to fight back against malware and infections.
    • The improvements made to Sality and Zeus P2P should be used to turn a malware binary into an antidote.
  • 12. Other cases referred to
    • The ability to take over the command and control functions of the Storm botnet (which was being used to engage in illegal activities worldwide).
    • Components of a botnet:
      1. Botmaster: the person who controls and commands the botnet to carry out illegal activities.
      2. Bot clients: a bot is a victim computer on which the botnet program was installed by one of various malware spreading mechanisms.
      3. C&C communication protocols: the protocols a botnet uses for communication between the botmaster and the bot clients.
      4. C&C servers: the coordinating servers between the botmaster and the bot clients.
  • 13. Botnet life cycle work flow
  • 14. Continued
    • Initial infection: sending an e-mail with a malware attachment or a URL that leads to a browser exploit.
    • Secondary injection: starts after the first phase completes. When the user opens the attachment, the infected computer downloads the bot binaries from remote servers and installs them automatically on the exploited machine.
    • Connection: sometimes called "rallying". Although victim machines are turned into bots through different mechanisms, every new bot client must finally connect to the C&C server to register and send some information about the zombie machine.
  • 15. Continued
    • Malicious commands: after connecting to the C&C servers, the bot clients wait for commands sent by the botmaster. When they receive commands, they execute them and perform the malicious activities against the target machines.
    • Maintenance and update: changing the pattern of malicious activities from periodic to random, or changing the C&C server addresses.
  • 17. Centralized botnet
    • To avoid easy detection and to hide their malicious activities from firewalls, most new centralized botnets are designed around the HTTP protocol.
    • They are complex to classify and detect, since normal HTTP traffic and botnet HTTP traffic look very similar.
    • This model is simple to implement, manage and control, but the C&C server is a single point of failure: if it is detected or taken down, all the bot clients become useless or inefficient.
  • 19. Continued
    • This model is designed to solve the single-point-of-failure issue of the centralized model. It applies a peer-to-peer structure, which is more flexible.
    • The botmaster sends commands to a few bot clients, which deliver them to other bots; each bot client can act as client and server at the same time. P2P botnets are therefore more difficult to disable, destroy or shut down.
    • The disadvantage of this model is that it is difficult and complex to implement.
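The three attacks that Rossow (2013) evaluates on slide 3 (enumeration, sinkholing, partitioning) and the resilience claim on this slide can be seen together in a toy simulation. This is an added example, not code from the slides or from Rossow's thesis: the overlay layout (a ring edge plus random peers so the graph is connected by construction), the bot ids and the `sinkhole` peer id are all assumptions.

```python
"""Toy model of the three attacks on P2P botnets that Rossow (2013) evaluates:
enumeration, sinkholing and partitioning.  Constructed example for the slides,
not code from the paper or the thesis; the overlay layout, the bot ids and the
'sinkhole' peer id are assumptions."""
import random
from collections import deque

SINKHOLE = "sinkhole"   # hypothetical defender-controlled peer id


def build_botnet(n_bots, peers_per_bot, seed=7):
    """Unstructured P2P overlay: every bot keeps a small peer list.
    The ring edge bot_i -> bot_(i+1) is always present, so the overlay is
    strongly connected by construction; the other entries are random peers."""
    rng = random.Random(seed)
    bots = [f"bot{i}" for i in range(n_bots)]
    peer_lists = {}
    for i, bot in enumerate(bots):
        ring_peer = bots[(i + 1) % n_bots]
        others = [p for p in bots if p not in (bot, ring_peer)]
        peer_lists[bot] = [ring_peer] + rng.sample(others, peers_per_bot - 1)
    return peer_lists


def enumerate_bots(peer_lists, start):
    """Enumeration: a crawler starts at one known bot, asks for its peer list
    and keeps following peers it has not seen yet (breadth-first).  A peer
    that is not a real bot (e.g. the sinkhole) answers with no peers."""
    seen = {start}
    queue = deque([start])
    while queue:
        bot = queue.popleft()
        for peer in peer_lists.get(bot, []):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def sinkhole(peer_lists, victims, sinkhole_id=SINKHOLE):
    """Sinkholing: the peer list of every reachable bot is overwritten so that
    all its entries point at the defender's sinkhole; the bot can no longer
    learn about real peers or forward commands to them."""
    poisoned = {bot: list(peers) for bot, peers in peer_lists.items()}
    for bot in victims:
        if bot in poisoned:
            poisoned[bot] = [sinkhole_id] * len(poisoned[bot])
    return poisoned


def partition(peer_lists, side_a):
    """Partitioning: every peer-list entry that crosses the cut between side_a
    and the remaining bots is dropped, leaving two mutually unreachable overlays."""
    a = set(side_a)
    return {bot: [p for p in peers if (p in a) == (bot in a)]
            for bot, peers in peer_lists.items()}


def command_reach(peer_lists, inject_at):
    """Fraction of real bots a botmaster can still reach with a command
    injected at one bot and flooded along the peer lists."""
    real = set(peer_lists)
    return len(enumerate_bots(peer_lists, inject_at) & real) / len(real)


def run_experiment(n_bots=200, peers_per_bot=5):
    """Enumerate from one bot, then sinkhole everything found, then (separately)
    cut the original overlay in half; report the botmaster's command reach."""
    overlay = build_botnet(n_bots, peers_per_bot)
    known = enumerate_bots(overlay, "bot0")
    sinkholed = sinkhole(overlay, known)
    split = partition(overlay, [f"bot{i}" for i in range(n_bots // 2)])
    return {
        "enumerated": len(known),
        "reach_before": command_reach(overlay, "bot0"),
        "reach_after_sinkhole": command_reach(sinkholed, "bot0"),
        "reach_after_partition": command_reach(split, "bot0"),
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name:22s} {value}")
```

The numbers only illustrate the order of the effect: a crawler that reaches every bot gives the defender the full topology, rewriting every enumerated peer list cuts the botmaster's reach to the single bot he injects at, and a clean cut halves it. Real overlays such as Gameover Zeus are far larger and sign or verify peer-list updates, which is exactly what makes the re-engineering on the earlier slides necessary before any of these attacks can be run.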
  • 20. Other papers referred to
    1. Trends and Challenges of Botnet Architecture and Detection Techniques, by Ritthichai Limarunothai and Mohd Amin Munlin
    • They explain the botnet mechanism along with its components and its life cycle.
    • They also survey botnet detection techniques.
    • There are two main families: 1. honeynet based, 2. intrusion detection system (IDS) based.
    • The more advanced techniques fall under IDS.
    • Anomaly based: one of the best techniques for detecting unknown botnet attacks compared with the other techniques. It works in two steps:
  • 21. Other papers referred to
    • First, a training phase in which a profile of normal traffic is created.
    • Second, an anomaly detection phase in which the current traffic is compared with the normal traffic profile to find anomalies.
    • It can identify new, previously unknown botnets.
    • Data mining based:
    • The anomaly technique alone cannot reliably differentiate between legitimate and malicious traffic.
    • A data mining based detection technique such as machine learning (ML) is an efficient approach and can identify botnet traffic more easily.
    • Combining the anomaly based and data mining based techniques would remove their individual weaknesses and increase their performance.
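The two-phase anomaly-based detector described on slides 20 and 21, worked through on constructed flow records. This is an added example, not code from the Limarunothai and Munlin paper: the host names, destinations, window length, the three features and the threshold of 3 standard deviations are assumptions. It also shows the edge case the slides do not mention, a host with too little traffic to judge timing, which is scored only on the features that can be computed.

```python
"""Two-phase anomaly-based botnet detection as summarised on the slide: a
training phase learns a profile of normal per-host traffic, a detection phase
scores new traffic against it.  Added example with constructed flow records;
not code from the Limarunothai and Munlin paper.  Host names, destinations,
window size and the threshold are assumptions."""
from statistics import mean, pstdev

# Flow record: (window_id, src_host, dst_host, seconds_into_window)

# Three hand-made benign behaviours: irregular timing, a handful of destinations.
NORMAL_PATTERNS = [
    (["mail.example", "cdn.example", "wiki.example"], [0, 30, 100, 130, 250]),
    (["mail.example", "cdn.example", "wiki.example", "crm.example"], [0, 60, 90, 200, 220, 300]),
    (["a.example", "b.example", "c.example", "d.example", "e.example"], [0, 10, 150, 170, 300]),
]

# Direction in which a feature becomes suspicious: +1 when high, -1 when low.
DIRECTION = {"conns": 1, "conns_per_dst": 1, "gap_cv": -1}


def _flows(window, host, dsts, times):
    return [(window, host, dsts[i % len(dsts)], t) for i, t in enumerate(times)]


def extract_features(flows):
    """Per (window, host): connection count, connections per distinct destination,
    and the coefficient of variation of the gaps between connections.  A gap_cv
    near 0 means clockwork timing, typical of C&C beaconing; it is None when
    there are fewer than three connections to judge from."""
    grouped = {}
    for window, src, dst, ts in flows:
        grouped.setdefault((window, src), []).append((ts, dst))
    rows = {}
    for key, items in grouped.items():
        items.sort()
        times = [t for t, _ in items]
        gaps = [b - a for a, b in zip(times, times[1:])]
        gap_cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        rows[key] = {
            "conns": len(items),
            "conns_per_dst": len(items) / len({d for _, d in items}),
            "gap_cv": gap_cv,
        }
    return rows


class TrafficProfile:
    """Training phase: mean and standard deviation of each feature over windows
    believed to contain only benign traffic."""

    def __init__(self, training_flows):
        rows = list(extract_features(training_flows).values())
        self.stats = {}
        for f in DIRECTION:
            vals = [r[f] for r in rows if r[f] is not None]
            self.stats[f] = (mean(vals), pstdev(vals) or 1e-9)

    def anomaly_scores(self, row):
        """Directional z-score per feature; larger means more suspicious."""
        return {f: DIRECTION[f] * (row[f] - mu) / sd
                for f, (mu, sd) in self.stats.items() if row[f] is not None}

    def detect(self, flows, threshold=3.0):
        """Detection phase: flag every (window, host) whose score on at least one
        feature exceeds the threshold; returns the offending scores."""
        flagged = {}
        for key, row in extract_features(flows).items():
            hot = {f: round(z, 1) for f, z in self.anomaly_scores(row).items() if z > threshold}
            if hot:
                flagged[key] = hot
        return flagged


def build_training_flows():
    """Nine benign (window, host) samples, each pattern used three times."""
    flows = []
    for window in (1, 2, 3):
        for h, host in enumerate(["ws1", "ws2", "ws3"]):
            dsts, times = NORMAL_PATTERNS[(window + h) % 3]
            flows += _flows(window, host, dsts, times)
    return flows


def build_detection_flows():
    """Window 4: one normal host, one host with too little traffic to judge
    timing, and one host beaconing to a single destination every 60 s."""
    dsts, times = NORMAL_PATTERNS[0]
    flows = _flows(4, "ws1", dsts, times)
    flows += [(4, "ws2", "mail.example", 0), (4, "ws2", "cdn.example", 120)]
    flows += [(4, "ws7", "c2.example", 60 * i) for i in range(10)]
    return flows


def run_demo():
    profile = TrafficProfile(build_training_flows())
    return profile.detect(build_detection_flows())


if __name__ == "__main__":
    for key, scores in run_demo().items():
        print(key, scores)
```

Only the beaconing host is flagged, on all three features at once, while the quiet host is not: low connection counts are never treated as suspicious because each feature has a direction. This is also where the slide's caveat bites. A profile this small cannot tell a scheduled backup job from a beacon, which is why the slide recommends pairing the anomaly phase with a data-mining classifier trained on labelled traffic.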
  • 22. Questionnaire
    • What is the problem and/or purpose of the research study?
      Because of the increasing malware epidemics and the wide spread of malicious software on the Internet, the research proposes to study different malware families, to analyse and evaluate the spreading and resilience of botnets, and to develop more intrusive approaches to disrupt them.
    • What significance of the problem, if any, has the investigator identified?
      The investigator feels that fighting malware is an asymmetric fight between attackers and defenders, and that defenders should use more active defence techniques to reduce the threat.
  • 23. Continued
    • Does the paper present a theoretical model?
      Yes. The investigator has developed a structured technique, the general-purpose antidote, to fight against a botnet.
    • What concepts are included in the review?
      Rossow (2013) analyses the resilience of botnets. Holz et al. (2008) study e-mails that trick the user into installing the malicious software, and present the weakness of the protocol, namely the lack of authentication, that was used to disrupt the botnet. Stock et al. (2009) analyse the new malware whose propagation mechanism is the same but whose architecture changes in favour of a more decentralised one.
  • 24.
    • What are the limitations discussed in the paper?
      The approach discussed by the researchers requires a lot of re-engineering. The researchers feel that detecting malware is simple but defeating it is much harder, and currently available techniques do not even reach 100 percent accuracy in detection.
    • What recommendations for future research are stated or implied?
      Attackers can easily develop simple and compact code to achieve their illegal aims, so defenders have to develop significantly more complex tools to oppose and track down these attackers. Moreover, attackers keep improving their malicious software and architectures to be significantly more resilient to take-down attempts. For these reasons, defenders will in future need active defence and offensive security tools to fight back against malware and infections.
  • 25.
    • Are there other studies with similar findings?
      Yes. Limarunothai and Munlin (2015), Joseph and Shishir (2016) and others have similar studies.
    • What are the key results?
      The use of active defence by defenders to moderate malware; how a botnet works, giving an idea of how to develop an efficient botnet detection system; and the behaviour of real Intel enterprise end-host background traffic, contrasted with real botnet C&C channel activity.
    • Are the results interpreted in the context of the problem/purpose, hypothesis, and theoretical framework/literature reviewed?
      Yes, the results are interpreted in the context of the problem and the theoretical framework/literature.
  • 26. References
    • Deibert, R. and Crete-Nishihata, M. (2011), "Blurred boundaries: probing the ethics of cyberspace research", Review of Policy Research, 28(5), 531-537.
    • Danchev, D. (2009, January 16), "Legal concerns stop researchers from disrupting the Storm Worm botnet", ZDNet.
    • Pilli, E., Sharma, P., Tiwari, S. and Bijalwan, A. (2014), "Botnet detection framework", International Journal of Computer Applications, Vol. 93, May 2014.
    • Rajab, M.A., Zarfoss, J., Monrose, F. and Terzis, A. (2006), "A multifaceted approach to understanding the botnet phenomenon", Internet Measurement Conference, pp. 41-52.
    • Yang, M., Ren, G. and Zhang, J. (2006), "Talk about botnets", The Community Communications Conference, pp. 629-633.
    • Abdullah, R.S., Abdollah, M.F., Muhamad Noh, Z.A., Mas'ud, M.Z., Selamat, S.R. and Yusof, R. (2013), "Revealing the criterion on botnet detection technique", IJCSI International Journal of Computer Science Issues, Vol. 10, pp. 208-215, March 2013.
  • 27. Continued
    • Limarunothai, R. and Munlin, M. (2015), "Trends and challenges of botnet architectures and detection techniques", Journal of Information Science and Technology.
    • Rossow, C. (2013), "Using malware analysis to evaluate botnet resilience", PhD thesis, VU Amsterdam.
    • Stock, B., Goebel, J., Engelberth, M., Freiling, F.C. and Holz, T. (2009), "Walowdac: analysis of a peer-to-peer botnet", EC2ND '09, IEEE, Washington, DC.