Botnets-Presentation.Pdf


Botnets
Leonidas Stylianou, CS 682, 23/04/2020

Lifecycle of a bot
• Botnet malware infects a host.
• The infected host becomes a bot and joins the botnet.
• The botmaster controls the botnet.

Coordination of bots with the C&C server
• Bots query the C&C servers using their IP address and DNS name.
• Fast flux: bots query a single domain that is mapped onto a set of IP addresses that change frequently. Not flexible and not robust against take-down actions: because only one domain is used, it constitutes a single point of failure.
• Domain flux: bots query multiple domains that are mapped onto a set of IP addresses that change frequently. Taking down the C&C server is harder because the botmasters relocate their domain name.

Usage of botnets
• Send spam mails
• Launch DoS attacks
• Steal personal data

Your Botnet is My Botnet: Analysis of a Botnet Takeover

Overview
• A comprehensive analysis of the operations of the Torpig botnet.
• The count of distinct IPs that contacted the sinkholed C&C overestimates the size of the botnet.
• The victims of botnets are often users with poorly maintained machines.

What is Torpig?
• Distributed to its victims as part of the Mebroot rootkit.
• Steals sensitive information from the victim's host and relays it back to its controllers.
• Malware service accessible to third parties.

Distribution of Mebroot
1. The victim requests a legitimate web site into which an attacker has injected HTML code.
2. The victim's browser requests JavaScript code from the drive-by-download server.
3. The JavaScript code executes multiple exploits against the browser and some of its components.
4. If an exploit is successful, the Mebroot rootkit is downloaded from the server and executed.

Mebroot life cycle
• Overwrites the MBR and is therefore always executed at boot time.
• Provides a generic platform that other modules can leverage to perform their malicious actions.
• Contacts the Mebroot C&C server to obtain malicious modules.

Torpig capabilities
• Trojan that is injected into a number of applications and inspects all the data handled by these programmes: system programmes, instant messengers, web browsers, email clients and FTP clients.

Communication in the Torpig botnet
(1) The bot uploads the data stolen since the previous reporting time to the Torpig C&C server over HTTP.
(2) The C&C server either acknowledges the new data with an "okn" response, or sends a configuration file to the bot with an "okc" response. The configuration file specifies how often the bot should contact the C&C server, hard-coded servers, and the parameters for man-in-the-browser (MitB) phishing attacks.

Man-in-the-browser attacks with the Torpig bot
Generation of phishing sites
• The infected machine visits one of the domains in the configuration file (a bank site).
• Torpig issues a request to an injection server.
• The injection server's response specifies the trigger page, the injection URL, and a number of parameters.
Man-in-the-browser attack
• The victim visits the trigger page.
• Torpig requests the injection URL from the injection server and injects the returned content into the user's browser.
• The injected content reproduces the style of the target web site, and the address bar displays a padlock.
• It asks the user for sensitive information and steals it.

Coordination in the Torpig botnet: domain flux
• Each bot uses a domain generation algorithm to compute a list of domain names.
• It attempts to contact the C&C server with each name in the domain list, in order, until one succeeds.

Torpig's domain generation algorithm
• Step 1: seeded with the current date and a numerical parameter.
• Step 2(a): computes a "weekly" domain name dw that depends on the current week and year; attempts to resolve dw.com, dw.net and dw.biz and contacts the C&C server.
• Step 2(b): computes a "daily" domain name dd that depends on the current day; attempts to resolve dd.com, dd.net and dd.biz and contacts the C&C server.
• Step 2(c): attempts to resolve the domains that are hard-coded in the configuration file and contacts the C&C server.

Coordination in the Torpig botnet: domain flux and resilience
• Control at least one of the domains that will be contacted by the bots.
• Use measures to prevent other groups from seizing domains that will be contacted by the bots.

Arms race between botmasters (B) and defenders (D)
• B: the domain generation algorithm of the bots is modified frequently.
• D: reverse engineering the botnet protocol can be time consuming.
• B: force defenders to register a disproportionate number of names.
• D: the economic factor is the biggest challenge, because domain names are not cheap.

Taking control of the Torpig botnet: sinkholing preparation
• Purchased two domains (.com and .net) that were to be used by the botnet, and registered them with two different registrars.
• Obtained control of the Torpig botnet for ten days.
• Set up an Apache web server to receive the bot requests and recorded all network traffic.
• During their control of the botnet, 8.7 GB of Apache log files and 69 GB of pcap data were collected.

Taking control of the botnet: data collection principles
• Operated the C&C servers based on established legal and ethical principles.
• Collected enough information to enable remediation of the affected parties.
• Operated such that any damage to victims was minimized.
• Worked with law enforcement agencies.

Botnet analysis: data collection and format
• Bots communicate with the Torpig C&C through HTTP POST requests.
• The request URL contains the hexadecimal representation of the bot identifier and of the submission header. The submission header is encrypted with Torpig's encryption algorithm, using the bot identifier as the symmetric key.
• The request body contains the data stolen from the victim's machine, as data items that depend on the information that was stolen. The body is also encrypted with Torpig's encryption algorithm.
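The domain-flux procedure on the DGA slides above (a weekly name and a daily name, each tried under .com/.net/.biz, then the hard-coded list, walked in order until one answers) together with the defender's sinkholing question it raises (which names must be registered to be contacted first, and how many of them a ten-day window needs), as an added worked example. This is not code from the presentation or from the Torpig paper: the label construction, the seed parameter 7, the .example fall-back domains and the registration scenario are assumptions made here for illustration, not Torpig's real algorithm or domains.

```python
"""Domain flux in the shape described on the Torpig DGA slides: weekly name,
daily name, each under .com/.net/.biz, then hard-coded fall-backs, tried in
order; plus the defender's list of names to register for a takeover window.
Added example. The label construction is a hypothetical stand-in, NOT Torpig's DGA."""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "biz")
CONSONANTS = "bcdfghjklmnpqrstvwxz"
VOWELS = "aeiou"


def _label(material: str, length: int = 8) -> str:
    """Deterministic, pronounceable label from seed material (hypothetical construction:
    alternate consonant/vowel, each letter chosen by one byte of a SHA-256 digest)."""
    digest = hashlib.sha256(material.encode()).digest()
    out = []
    for i in range(length):
        alphabet = CONSONANTS if i % 2 == 0 else VOWELS
        out.append(alphabet[digest[i] % len(alphabet)])
    return "".join(out)


def weekly_label(day: date, param: int) -> str:
    """Step 2(a): depends only on the ISO year and week, so it is stable for seven days."""
    year, week, _ = day.isocalendar()
    return _label(f"w|{year}|{week}|{param}")


def daily_label(day: date, param: int) -> str:
    """Step 2(b): depends on the exact day (and the numerical parameter from step 1)."""
    return _label(f"d|{day.isoformat()}|{param}")


def candidate_domains(day: date, param: int, hardcoded) -> list:
    """Step 2: the ordered rendezvous list a bot walks until a name resolves and answers."""
    dw, dd = weekly_label(day, param), daily_label(day, param)
    return ([f"{dw}.{tld}" for tld in TLDS]        # 2(a) weekly name
            + [f"{dd}.{tld}" for tld in TLDS]      # 2(b) daily name
            + list(hardcoded))                     # 2(c) configuration file


def contact_cc(day: date, param: int, hardcoded, resolve):
    """Bot side. `resolve(domain)` returns a controller token or None; the first hit
    wins, so owning an *earlier* name in the list beats owning many later ones."""
    for domain in candidate_domains(day, param, hardcoded):
        owner = resolve(domain)
        if owner is not None:
            return domain, owner
    return None


def sinkhole_plan(start: date, days: int, param: int):
    """Defender side: every generated name bots will try within [start, start+days).
    Returns (weekly_domains, daily_domains). The daily list grows by three names per
    day, which is the registration cost the 'arms race' slide refers to."""
    weekly, daily = set(), set()
    for offset in range(days):
        day = start + timedelta(days=offset)
        weekly.update(f"{weekly_label(day, param)}.{t}" for t in TLDS)
        daily.update(f"{daily_label(day, param)}.{t}" for t in TLDS)
    return sorted(weekly), sorted(daily)


if __name__ == "__main__":
    day, param = date(2020, 4, 20), 7                       # assumed seed values
    cfg = ["fallback-a.example", "fallback-b.example"]      # assumed hard-coded list
    print(candidate_domains(day, param, cfg))
    # Defender registers only the weekly .net; the botmaster keeps the daily .com
    # and the fall-backs. The bot still reaches the defender, because the weekly
    # names are tried first and the weekly .com is unregistered.
    registrations = {
        f"{weekly_label(day, param)}.net": "defender",
        f"{daily_label(day, param)}.com": "botmaster",
        "fallback-a.example": "botmaster",
    }
    print(contact_cc(day, param, cfg, registrations.get))
    weekly, daily = sinkhole_plan(day, 10, param)
    print(len(weekly), "weekly and", len(daily), "daily names cover ten days")
```

Two things the code makes concrete that the slides only state: the sinkholing team only needed the two weekly names because the list is walked in order and the weekly names come first, and the moment the botmaster also registers the weekly .com the same bot goes straight back to them, which is why the slides stress controlling at least one name and keeping others from seizing the rest.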
Botnet analysis: data collection and format, submission header example
• ts: time stamp when the configuration file was updated.
• ip: IP address of the bot.
• hport and sport: port numbers of the HTTP and SOCKS proxies that Torpig opens on the infected machine.
• os and cn: operating system version and locale.
• nid: bot identifier.
• bld and ver: build and version number of Torpig.

Botnet analysis: data items sent to the sinkholed botnet in 10 days
• Mailbox account: configuration information for email accounts.
• Email: email addresses.
• SMTP: source and destination addresses of emails.
• Form data: content of HTML forms submitted by the victim's browser.
• HTTP, FTP, POP: credentials of the respective accounts.
• Windows password.

Botnet size: definitions
• Botnet's footprint: the aggregated total number of machines that have been compromised over time.
• Botnet's live population: the number of compromised hosts that are concurrently communicating with the C&C server.

Botnet's footprint: counting bots by the "nid" field
Description
• Torpig always sends the "nid" field in the submission header.
• The "nid" depends on software or hardware characteristics of the infected machine's hard disk.
• The authors attempted to validate whether the "nid" is unique for each bot.
Evaluation
• 2079 cases were found where the assumption did not hold.
• 180 835 "nid" values were observed in 10 days.
• Counting by "nid" alone underestimates the botnet's footprint.

Botnet's footprint: counting bots by submission header fields
Description
• Count unique tuples of the submission header fields that the Torpig bots send.
• The "nid", "os", "cn", "bld" and "ver" fields are considered, whilst "ts", "ip", "sport" and "hport" are discarded.
Evaluation
• The botnet's footprint is estimated at 182 914 machines.

Botnet's footprint: identifying probers and researchers
Description
• "nid" values generated on a standard configuration of VMware and QEMU virtual machines are discarded.
• Bots that use the HTTP GET method are not considered.
Evaluation
• 40 bots were running on virtual machines.
• 74 hosts were probers.
• The final estimate of the botnet's footprint is 182 800 hosts.

Botnet's live population: botnet size vs IP count
• Botnet size: 182 800 bots contacted the C&C server.
• IP count: 1 247 642 unique IP addresses contacted the C&C server, which overestimates the actual size of the botnet's footprint.
• Per hour: the number of unique IP addresses and bot IDs per hour provides a good estimate of the botnet's live population.
• Per day: the number of unique IP addresses and bot IDs per day does not provide a good estimate of the botnet's live population.

Botnet size vs IP count: observations
• The number of unique IPs per hour provides a good estimate of the botnet's live population.
• 144,236 (78.9%) of the infected machines were behind a NAT, VPN, proxy, or firewall.
• The difference between the IP count and the actual bot count can be attributed to DHCP and NAT effects.

Threat and data analysis of Torpig
Financial data stealing
• Obtained the credentials of 8130 accounts at 410 different institutions.
• The Torpig controllers may have profited anywhere between $83K and $8.3M in ten days.
Proxies and DoS
• Leveraged by malicious users to send spam or navigate anonymously.
• Could be used to mount a massive distributed denial-of-service (DDoS) attack.
Password analysis
• The bots stole 297,962 unique credentials, sent by 52,540 different infected machines.
• 140 000 passwords were recovered in 24 hours using various techniques.

SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets

Overview
• Presents a model that formalizes reconnaissance and disruption attacks against P2P botnets.
• Compares the population sizes of current P2P botnets using crawlers and sensor nodes.
• Evaluates the disruption resilience of all four current P2P botnet families.

Architecture of P2P botnets
• Eliminates the need for centralized servers.
• Bots are connected to each other topologically.
• Each bot acts as both C&C server and client.
• Source: http://cs.ucf.edu/~czou/research/P2PBotnets-bookChapter.pdf

Overview of P2P networks: categories
• Unstructured P2P: no predefined architecture; participants communicate randomly with one another.
• Structured P2P: organized into a specific topology.
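The footprint, prober and live-population counting rules from the Torpig takeover slides earlier in the deck (unique nid/os/cn/bld/ver tuples with ts/ip/sport/hport dropped, stock-VM nids and GET clients discarded, unique IPs versus unique bots per hour and per day), run over a small constructed sinkhole log, as an added worked example. It is not code or data from the presentation or the paper: the log format, every address and nid, the VM nid set and the NAT heuristic (a bot whose header ip never matches the source address the sinkhole saw) are assumptions made here.

```python
"""Sinkhole-side analysis in the shape of the Torpig takeover slides: parse the
(already decrypted) submission headers, estimate the footprint, set aside probers
and virtual machines, and compare IP counts with bot counts per hour and per day.
Added example; the log format and every value below are constructed, not real data."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log: time, HTTP method, source IP seen by the sinkhole, decrypted header
# fields. Header 'ip' is the address the bot sees on its own interface.
LOG = """\
2009-01-25T10:01:03Z POST 203.0.113.7   ts=1232838000 ip=10.0.0.5     hport=1080 sport=1081 os=5.1.2600 cn=en-US nid=0A1B2C3D bld=gnh5 ver=229
2009-01-25T10:07:44Z POST 203.0.113.7   ts=1232838000 ip=10.0.0.9     hport=1080 sport=1081 os=5.1.2600 cn=en-US nid=0A1B2C44 bld=gnh5 ver=229
2009-01-25T10:12:10Z POST 198.51.100.2  ts=1232838000 ip=198.51.100.2 hport=1080 sport=1081 os=6.0.6001 cn=de-DE nid=7F7F0001 bld=gnh5 ver=229
2009-01-25T10:30:00Z POST 192.0.2.10    ts=1232838000 ip=192.0.2.10   hport=1080 sport=1081 os=5.1.2600 cn=de-DE nid=7F7F0001 bld=gnh5 ver=229
2009-01-25T11:02:19Z POST 198.51.100.77 ts=1232838000 ip=198.51.100.77 hport=1080 sport=1081 os=6.0.6001 cn=de-DE nid=7F7F0001 bld=gnh5 ver=229
2009-01-25T11:15:33Z POST 192.0.2.44    ts=1232838000 ip=192.0.2.44   hport=1080 sport=1081 os=5.1.2600 cn=en-US nid=564D5647 bld=gnh5 ver=229
2009-01-25T11:40:05Z GET  192.0.2.200   -
2009-01-25T11:45:00Z POST 203.0.113.7   ts=1232838000 ip=10.0.0.5     hport=1080 sport=1081 os=5.1.2600 cn=en-US nid=0A1B2C3D bld=gnh5 ver=229
2009-01-25T12:05:51Z POST 198.51.100.99 ts=1232838000 ip=198.51.100.99 hport=1080 sport=1081 os=6.0.6001 cn=de-DE nid=7F7F0001 bld=gnh5 ver=229
"""

# Constructed stand-in for "nid values a stock VMware/QEMU image produces".
VM_NIDS = {"564D5647"}
# Fields that identify a machine; ts, ip, sport and hport vary per report and are dropped.
IDENTITY_FIELDS = ("nid", "os", "cn", "bld", "ver")


@dataclass
class Record:
    when: str                 # ISO-8601 timestamp of the request
    method: str               # real bots POST; probers and researchers often GET
    src: str                  # source IP the sinkhole observed
    header: dict = field(default_factory=dict)


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        when, method, src, *rest = line.split()
        header = dict(kv.split("=", 1) for kv in rest if "=" in kv)
        records.append(Record(when, method, src, header))
    return records


def is_bot(r: Record) -> bool:
    """Slide rules: only POSTing clients count, and stock-VM nids are discarded."""
    return r.method == "POST" and r.header.get("nid") not in VM_NIDS


def bot_id(r: Record) -> tuple:
    return tuple(r.header[f] for f in IDENTITY_FIELDS)


def footprint(records) -> tuple:
    """Return (by_tuple, by_nid_only, vm_bots, probers). by_nid_only undercounts
    when two machines share a nid but differ in os/cn (as 7F7F0001 does here)."""
    bots = [r for r in records if is_bot(r)]
    by_tuple = len({bot_id(r) for r in bots})
    by_nid = len({r.header["nid"] for r in bots})
    vm = len({r.header["nid"] for r in records
              if r.method == "POST" and r.header.get("nid") in VM_NIDS})
    probers = len({r.src for r in records if r.method != "POST"})
    return by_tuple, by_nid, vm, probers


def ip_count(records) -> int:
    """Unique source IPs of real bots over the whole window (inflated by DHCP churn)."""
    return len({r.src for r in records if is_bot(r)})


def live_population(records, granularity="hour") -> dict:
    """Per bucket: (unique source IPs, unique bot tuples)."""
    width = 13 if granularity == "hour" else 10   # '2009-01-25T10' vs '2009-01-25'
    ips, bots = defaultdict(set), defaultdict(set)
    for r in records:
        if is_bot(r):
            ips[r.when[:width]].add(r.src)
            bots[r.when[:width]].add(bot_id(r))
    return {b: (len(ips[b]), len(bots[b])) for b in sorted(ips)}


def nat_fraction(records) -> float:
    """Assumption (not stated on the slides): a bot whose header 'ip' differs from the
    observed source IP is behind NAT, a VPN or a proxy."""
    seen, natted = set(), set()
    for r in records:
        if is_bot(r):
            seen.add(bot_id(r))
            if r.header["ip"] != r.src:
                natted.add(bot_id(r))
    return len(natted) / len(seen)


if __name__ == "__main__":
    recs = parse_log(LOG)
    print("footprint (tuple, nid-only, vm, probers):", footprint(recs))
    print("unique bot IPs over the window:", ip_count(recs))
    print("per hour (ips, bots):", live_population(recs, "hour"))
    print("per day  (ips, bots):", live_population(recs, "day"))
    print("fraction of bots behind NAT:", nat_fraction(recs))
```

On this constructed log the slide's three effects all appear at once: the nid-only count gives 3 bots where the tuple count gives 4 (one nid shared by two machines), the whole-day IP count of 5 exceeds the footprint of 4 (one bot changed address three times), and in the 10:00 hour 4 bots show up behind only 3 addresses (two of them share a NAT), which is why the per-hour figures, not the per-day ones, are the usable estimate of the live population.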