DOCSLIB.ORG

A Taxonomic Evaluation of Rootkit Deployment, Behavior and Detection

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Taxonomic Evaluation of Rootkit Deployment, Behavior and Detection A Taxonomic Evaluation of Rootkit Deployment, Behavior and Detection A Thesis Presented in Partial Fulfillment of the Requirements for the Degree of Master of Science with a Major in Computer Science in the College of Graduate Studies University of Idaho by Maxine Major Major Professor: Jim Alves-Foss, Ph.D. Committee Members: Daniel Conte de Leon, Ph.D.; Sara Eftekharnejad, Ph.D. Department Administrator: Gregory Donohoe, Ph.D. July 2015 ii Authorization to Submit Thesis This Thesis of Maxine Major, submitted for the degree of Master of Science with a ma- jor in Computer Science and titled \A Taxonomic Evaluation of Rootkit Deployment, Behavior and Detection", has been reviewed in final form. Permission, as indicated by the signatures and dates given below, is now granted to submit final copies to the College of Graduate Studies for approval. Major Professor Date Jim Alves-Foss, Ph.D. Committee Members Date Daniel Conte de Leon, Ph.D. Date Sara Eftekharnejad, Ph.D. Computer Science Department Administrator Date Gregory Donohoe, Ph.D. iii Abstract Increased inter-connectivity between cyber and cyber-physical systems increases the danger of Advanced Persistent Threat (APT) cyber attacks, against which perimeter-focused defenses are no longer sufficient. Rootkits are debatably the most important piece of malicious software to the success of an APT. Rootkits are are often planted through social engineering, which intend to bypass perimeter{focused defenses. APTs, the most dangerous of cyber attacks, is facilitated by one of the least-detected attack methods. In order to further the practice of detecting rootkits and aid with early detection, this thesis presents a taxonomy of rootkit activities through each stage of installation and exploita- tion. Correspondingly, this thesis presents a taxonomy of rootkit detection methods to address rootkit infection vectors. These taxonomies are then applied to a real-world rootkit example to demonstrate how combined application of rootkit detection tools and techniques can provide full-coverage of the possible rootkit-targeted attack surface. iv Acknowledgments I would first like to thank my advisor, Dr. Jim Alves-Foss, for his support, encouragement, and patient guidance throughout my graduate studies. I would also like to thank my other committee members, Dr. Conte de Leon, and Dr. Sara Eftekharne- jad, for their valuable input and comments on my thesis. I would like to thank Dr. Paul Oman for launching my interest in cyber security, and structuring courses which encouraged curiosity and allowed me to explore. I would like to thank all my instructors for their hard work and dedication in providing me with a comprehensive and valuable education. I would like to thank the department chair, Dr. Gregory Donohoe, and Mrs. Arvilla Daf- fin and other staff in the Department of Computer Science and the Center for Secure and Dependable Systems for their help during my study in the department. I wish to acknowledge the National Science Foundation CyberCorps R Scholarship for Ser- vice, for supporting me during the course of my graduate studies. Last, but certainly not least, I would like to thank my family and all the friends I have met while at University of Idaho for their support, encouragement, and love which have helped me make this thesis a reality. v Table of Contents Authorization to Submit Thesis .............................. ii Abstract ............................................. iii Acknowledgments ....................................... iv List of Figures ......................................... ix List of Tables .......................................... x 1 Introduction ........................................ 1 1.1 The Problem Space . 1 1.1.1 Advanced Persistent Threats . 1 1.1.2 Rootkits . 2 1.1.3 The Practice of Rootkit Detection . 3 1.2 Motivation . 4 1.3 Objectives . 4 1.4 Thesis Impact . 5 1.5 Thesis Overview . 6 2 Background ......................................... 8 2.1 Advanced Persistent Threats . 8 2.1.1 APT Goals . 8 2.1.2 APT Persistence . 9 2.1.3 APT Launch and Detection . 9 2.1.4 Famous APTs . 12 2.2 The Kill Chain . 14 2.3 Perimeter-Focused Defenses . 16 3 Rootkit Preparation and Delivery ........................... 18 3.1 Rootkit Overview . 19 vi 3.1.1 Rootkit Kill Chain . 20 3.1.2 Breakdown of Rootkit Activities . 21 3.2 Reconnaissance . 22 3.2.1 Cyber Reconnaissance . 22 3.2.2 Social Reconnaissance . 23 3.3 Weaponization . 25 3.3.1 Delivery Considerations . 25 3.3.2 Exploits and Payloads . 31 3.3.3 Exploit Kits . 32 3.3.4 Obfuscation . 33 3.4 Rootkit Delivery . 35 3.4.1 Active vs. Passive Delivery . 36 3.4.2 Physical vs. Cyber Delivery . 38 4 Kernel{mode Rootkits .................................. 42 4.1 Rootkit Installation and Exploitation . 43 4.1.1 Operational Goals . 44 4.1.2 The Kernel . 45 4.1.3 Kernel Structures . 48 4.1.4 Installation Techniques . 51 4.1.5 Installation Process . 59 4.1.6 Rootkit Privilege Escalation . 60 4.1.7 Rootkit Persistence . 62 4.1.8 Rootkit Hiding Methods . 65 4.2 Backdoor Creation . 72 4.2.1 Backdoor Implementations . 72 4.2.2 C2 Objectives . 75 4.2.3 C2 Communication . 77 4.3 Rootkit Actions . 79 4.3.1 Disable Security Services . 80 4.3.2 Malware Dissemination . 81 4.3.3 Information Capture . 81 vii 4.4 Specialized Rootkits . 82 4.4.1 Advanced Rootkits . 82 4.4.2 SCADA/ICS Rootkits . 83 4.5 Summary of Rootkit Activities . 85 5 Rootkit Detection ..................................... 87 5.1 Rootkit Detection Methods Overview . 88 5.1.1 Detection Technique Categorization . 88 5.1.2 Detection Metrics and Considerations . 90 5.1.3 Detection Method Constraints . 92 5.2 Static Rootkit Detection Techniques . 93 5.2.1 Signatures . 94 5.2.2 Static Heuristics . 96 5.2.3 Static Memory Forensics and Mapping . 98 5.3 Dynamic Rootkit Detection Techniques . 99 5.3.1 Dynamic Behavior Analysis . 100 5.3.2 Crossview Detection . 102 5.3.3 Dynamic Memory Forensics and Mapping . 103 5.4 Detection Execution Platform . 104 5.4.1 Local Execution . 105 5.4.2 Virtualization . 106 5.4.3 Hardware . 107 5.5 Rootkit Detection Methods Evaluation . 108 5.5.1 Coverage Evaluation . 109 5.5.2 Conclusions . 110 6 Application .........................................113 6.1 The ZeroAccess Rootkit . 113 6.1.1 ZeroAccess Background . 113 6.1.2 ZeroAccess Weaponization and Delivery . 113 6.1.3 ZeroAccess Installation . 114 6.1.4 Privilege Escalation . 115 6.1.5 C2 / Botnet . 115 viii 6.1.6 Additional Activities . 116 6.2 Taxonomic Evaluation of the ZeroAccess Rootkit . 117 6.3 Application Conclusions . 120 7 Conclusions and Future Work .............................122 7.1 Summary of Work . 122 7.1.1 Research Summary . 122 7.1.2 Contribution . 126 7.2 Future Work . 127 7.2.1 Taxonomy Expansion . 128 7.2.2 Tool Evaluation . 129 Bibliography and References ................................129 Appendix A: Acronyms ...................................139 Appendix B: Compilation of Taxonomies ........................141 ix List of Figures Figure 2.1 Kill Chain . 14 Figure 3.1 Stages of the Rootkit Kill Chain . 20 Figure 3.2 Rootkit Objectives as Related to the Kill Chain . ..
Load more

Recommended publications
  • Trojan Vs Rat Vs Rootkit Mayuri More1, Rajeshwari Gundla2, Siddharth Nanda3 1U.G
    IJRECE VOL. 7 ISSUE 2 (APRIL- JUNE 2019) ISSN: 2393-9028 (PRINT) | ISSN: 2348-2281 (ONLINE) Trojan Vs Rat Vs Rootkit Mayuri More1, Rajeshwari Gundla2, Siddharth Nanda3 1U.G. Student, 2 Senior Faculty, 3Senior Faculty SOE, ADYPU, Lohegaon, Pune, Maharashtra, India1 IT, iNurture, Bengaluru, India2,3 Abstract - Malicious Software is Malware is a dangerous of RATs completely and prevent confidential data being software which harms computer systems. With the increase leaked. So Dan Jiang and Kazumasa Omote researchers in technology in today’s days, malwares are also increasing. have proposed an approach to detect RAT in the early stage This paper is based on Malware. We have discussed [10]. TROJAN, RAT, ROOTKIT in detail. Further, we have discussed the adverse effects of malware on the system as III. CLASSIFICATION well as society. Then we have listed some trusted tools to Rootkit vs Trojan vs Rat detect and remove malware. Rootkit - A rootkit is a malicious software that permits a legitimate user to have confidential access to a system and Keywords - Malware, Trojan, RAT, Rootkit, System, privileged areas of its software. A rootkit possibly contains Computer, Anti-malware a large number of malicious means for example banking credential stealers, keyloggers, antivirus disablers, password I. INTRODUCTION stealers and bots for DDoS attacks. This software stays Nowadays, this world is full of technology, but with the hidden in the computer and allocates the remote access of advantages of technology comes its disadvantages like the computer to the attacker[2]. hacking, corrupting the systems, stealing of data etc. These Types of Rootkit: malpractices are possible because of malware and viruses 1.
    [Show full text]
  • Biuletyn 2016 1.Pdf
    szkolenia badania raport zgłoszenie DBI.pl CERT.pl inicjatywy domena .pl bezpieczeństwo honeypot seminarium biometria eksperci konferencje dyżurnet.pl digitalizacja nauka BIPSE SPIS treści KONFERENCJE 5 Razem tworzymy lepszy Internet 7 Globalne wyzwanie – bezpieczny Internet dla dzieci i młodzieży 8 SECURE 2015 – Cyberpolicjanci kontra cyberprzestępcy WYDARZENIA 10 Piknik Naukowy 10 Festiwal Nauki 10 CyberPol – szkolenia dla Policji 11 Seminarium eksperckie 11 Konferencja naukowa „Nastolatki wobec internetu” 11 Sukces polskiej biometrii RAPORTY 12 Roczny raport CERT Polska za 2014 rok 13 Raport Dyżurnet.pl 15 Rekordowy III kwartał w rejestrze domeny .pl BADANIA 17 Nastolatki wobec internetu PROJEKTY 21 Malware kontra lodówka 22 Bezpieczne uwierzytelnienie we współczesnym świecie 24 Digitalizacja, cyfryzacja czyli dostępność…. BEZPIECZEńStwO 28 Cyberprzestępcy podszywają się pod Pocztę Polską 29 Dorkbot już nam nie zagraża ROZMOWA Z … 30 Senior dla kultury NR 1/2016 Redakcja: Anna Maj, Monika Gajewska-Pol Projekt okładki, skład i przygotowanie do druku: Anna Nykiel Adres: ul. Wąwozowa 18, 02-796 Warszawa, Redakcja zastrzega sobie prawo do skrótu tel. (22) 38 08 200, e-mail: [email protected] i opracowania redakcyjnego otrzymanych tekstów. Biuletyn Szanowni Państwo, Mam przyjemność zaprosić Państwa do lektury najnow- celu ochronę przed zagrożeniami najmłodszych użyt- szego numeru „Biuletynu NASK”. Prezentujemy w nim kowników internetu. W ramach realizowanego przez nasze osiągnięcia, najważniejsze wydarzenia minione- NASK projektu Safer Internet funkcjonuje zespół go roku, opisujemy ciekawe i ważne projekty oraz naj- Dyżurnet.pl, przyjmujący zgłoszenia o niebezpiecz- nowsze opracowane przez nas rozwiązania naukowe. nych treściach internetowych, które zagrażają dzie- ciom i młodzieży korzystającym z sieci. W czasie swo- NASK jest instytutem badawczym, który realizuje jej dziesięcioletniej działalności zespół przeanalizował liczne projekty naukowe oraz komercyjne, szczególnie blisko 45 tysięcy zgłoszeń.
    [Show full text]
  • Cyberaanval Op Nederland Citadel-Malwareonderzoek “Pobelka” Botnet
    Cyberaanval op Nederland Citadel-malwareonderzoek “Pobelka” botnet Cyberaanval op Nederland | Citadel-malwareonderzoek “Pobelka” botnet Pagina 1 Inhoudsopgave Inleiding ....................................................................................................................................................................................................... 3 Telegraaf.nl ............................................................................................................................................................................................ 3 Pobelka ........................................................................................................................................................................................................ 4 Doelgericht ............................................................................................................................................................................................ 4 Nederland............................................................................................................................................................................................... 5 Java exploits .......................................................................................................................................................................................... 5 Cyberincidenten ..................................................................................................................................................................................
    [Show full text]
  • Adware-Searchsuite
    McAfee Labs Threat Advisory Adware-SearchSuite June 22, 2018 McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent malware. This Threat Advisory contains behavioral information, characteristics and symptoms that may be used to mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs. To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html Summary Detailed information about the threat, its propagation, characteristics and mitigation are in the following sections: Infection and Propagation Vectors Mitigation Characteristics and Symptoms Restart Mechanism McAfee Foundstone Services The Threat Intelligence Library contains the date that the above signatures were most recently updated. Please review the above mentioned Threat Library for the most up to date coverage information. Infection and Propagation Vectors Adware-SearchSuite is a "potentially unwanted program" (PUP). PUPs are any piece of software that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them. Mitigation Mitigating the threat at multiple levels like file, registry and URL could be achieved at various layers of McAfee products. Browse the product guidelines available here (click Knowledge Center, and select Product Documentation from the Support Content list) to mitigate the threats based on the behavior described in the Characteristics and symptoms section.
    [Show full text]
  • Miscellaneous: Malware Cont'd & Start on Bitcoin
    Miscellaneous: Malware cont’d & start on Bitcoin CS 161: Computer Security Prof. Raluca Ada Popa April 19, 2018 Credit: some slides are adapted from previous offerings of this course Viruses vs. Worms VIRUS WORM Propagates By infecting Propagates automatically other programs By copying itself to target systems Usually inserted into A standalone program host code (not a standalone program) Another type of virus: Rootkits Rootkit is a ”stealthy” program designed to give access to a machine to an attacker while actively hiding its presence Q: How can it hide itself? n Create a hidden directory w /dev/.liB, /usr/src/.poop and similar w Often use invisiBle characters in directory name n Install hacked Binaries for system programs such as netstat, ps, ls, du, login Q: Why does it Become hard to detect attacker’s process? A: Can’t detect attacker’s processes, files or network connections By running standard UNIX commands! slide 3 Sony BMG copy protection rootkit scandal (2005) • Sony BMG puBlished CDs that apparently had copy protection (for DRM). • They essentially installed a rootkit which limited user’s access to the CD. • It hid processes that started with $sys$ so a user cannot disaBle them. A software engineer discovered the rootkit, it turned into a Big scandal Because it made computers more vulneraBle to malware Q: Why? A: Malware would choose names starting with $sys$ so it is hidden from antivirus programs Sony BMG pushed a patch … But that one introduced yet another vulneraBility So they recalled the CDs in the end Detecting Rootkit’s
    [Show full text]
  • Threat Landscape Report
    QUARTERLY Threat Landscape Report Q3 2020 NUSPIRE.COM THIS REPORT IS SOURCED FROM 90 BILLION TRAFFIC LOGS INGESTED FROM NUSPIRE CLIENT SITES AND ASSOCIATED WITH THOUSANDS OF DEVICES AROUND THE GLOBE. Nuspire Threat Report | Q2Q3 | 2020 Contents Introduction 4 Summary of Findings 6 Methodology and Overview 7 Quarter in Review 8 Malware 9 Botnets 15 Exploits 20 The New Normal 28 Conclusion and Recommendations 31 About Nuspire 33 3 | Contents Nuspire Threat Report | Q3 | 2020 Introduction In Q2 2020, Nuspire observed the increasing lengths threat actors were going to in order to capitalize on the pandemic and resulting crisis. New attack vectors were created; including VPN usage, home network security issues, personal device usage for business purposes and auditability of network traffic. In Q3 2020, we’ve observed threat actors become even more ruthless. Shifting focus from home networks to overburdened public entities including the education sector and the Election Assistance Commission (EAC). Many school districts were forced into 100% virtual or hybrid learning models by the pandemic. Attackers have waged ransomware attacks at learning institutions who not only have the financial resources to pay ransoms but feel a sense of urgency to do so in order to avoid disruptions during the school year. Meanwhile, the U.S. Elections have provided lures for phishers to attack. Nuspire witnessed Q3 attempts to guide victims to fake voter registration pages to harvest information while spoofing the Election Assistance Commission (EAC). Like these examples, cybercriminals taking advantage of prominent media themes are expected. We anticipate our Q4 2020 Threat Report 4 | Introduction Nuspire Threat Report | Q3 | 2020 to find campaigns leveraging more of the United report each quarter is a great step to gain that States Presidential election as well.
    [Show full text]
  • Crimeware on the Net
    Crimeware on the Net The “Behind the scenes” of the new web economy Iftach Ian Amit Director, Security Research – Finjan BlackHat Europe, Amsterdam 2008 Who Am I ? (iamit) • Iftach Ian Amit – In Hebrew it makes more sense… • Director Security Research @ Finjan • Various security consulting/integration gigs in the past – R&D – IT • A helping hand when needed… (IAF) 2 BlackHat Europe – Amsterdam 2008 Today’s Agenda • Terminology • Past vs. Present – 10,000 feet view • Business Impact • Key Characteristics – what does it look like? – Anti-Forensics techniques – Propagation methods • What is the motive (what are they looking for)? • Tying it all up – what does it look like when successful (video). • Anything in it for us to learn from? – Looking forward on extrusion testing methodologies 3 BlackHat Europe – Amsterdam 2008 Some Terminology • Crimeware – what we refer to most malware these days is actually crimeware – malware with specific goals for making $$$ for the attackers. • Attackers – not to be confused with malicious code writers, security researchers, hackers, crackers, etc… These guys are the Gordon Gecko‟s of the web security field. The buy low, and capitalize on the investment. • Smart (often mislead) guys write the crimeware and get paid to do so. 4 BlackHat Europe – Amsterdam 2008 How Do Cybercriminals Steal Business Data? Criminals’ activity in the cyberspace Federal Prosecutor: “Cybercrime Is Funding Organized Crime” 5 BlackHat Europe – Amsterdam 2008 The Business Impact Of Crimeware Criminals target sensitive business data
    [Show full text]
  • A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics
    UNIVERSIDAD POLITECNICA´ DE MADRID ESCUELA TECNICA´ SUPERIOR DE INGENIEROS INFORMATICOS´ A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics PH.D THESIS Platon Pantelis Kotzias Copyright c 2019 by Platon Pantelis Kotzias iv DEPARTAMENTAMENTO DE LENGUAJES Y SISTEMAS INFORMATICOS´ E INGENIERIA DE SOFTWARE ESCUELA TECNICA´ SUPERIOR DE INGENIEROS INFORMATICOS´ A Systematic Empirical Analysis of Unwanted Software Abuse, Prevalence, Distribution, and Economics SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF: Doctor of Philosophy in Software, Systems and Computing Author: Platon Pantelis Kotzias Advisor: Dr. Juan Caballero April 2019 Chair/Presidente: Marc Dasier, Professor and Department Head, EURECOM, France Secretary/Secretario: Dario Fiore, Assistant Research Professor, IMDEA Software Institute, Spain Member/Vocal: Narseo Vallina-Rodriguez, Assistant Research Professor, IMDEA Networks Institute, Spain Member/Vocal: Juan Tapiador, Associate Professor, Universidad Carlos III, Spain Member/Vocal: Igor Santos, Associate Research Professor, Universidad de Deusto, Spain Abstract of the Dissertation Potentially unwanted programs (PUP) are a category of undesirable software that, while not outright malicious, can pose significant risks to users’ security and privacy. There exist indications that PUP prominence has quickly increased over the last years, but the prevalence of PUP on both consumer and enterprise hosts remains unknown. Moreover, many important aspects of PUP such as distribution vectors, code signing abuse, and economics also remain unknown. In this thesis, we empirically and sys- tematically analyze in both breadth and depth PUP abuse, prevalence, distribution, and economics. We make the following four contributions. First, we perform a systematic study on the abuse of Windows Authenticode code signing by PUP and malware.
    [Show full text]
  • SMM Rootkits
    SMM Rootkits: A New Breed of OS Independent Malware Shawn Embleton Sherri Sparks Cliff Zou University of Central Florida University of Central Florida University of Central Florida [email protected] [email protected] [email protected] ABSTRACT 1. INTRODUCTION The emergence of hardware virtualization technology has led to A rootkit consists of a set of programs that work to subvert the development of OS independent malware such as the Virtual control of an Operating System from its legitimate users [16]. If Machine based rootkits (VMBRs). In this paper, we draw one were asked to classify viruses and worms by a single defining attention to a different but related threat that exists on many characteristic, the first word to come to mind would probably be commodity systems in operation today: The System Management replication. In contrast, the single defining characteristic of a Mode based rootkit (SMBR). System Management Mode (SMM) rootkit is stealth. Viruses reproduce, but rootkits hide. They hide is a relatively obscure mode on Intel processors used for low-level by compromising the communication conduit between an hardware control. It has its own private memory space and Operating System and its users. Secondary to hiding themselves, execution environment which is generally invisible to code rootkits are generally capable of gathering and manipulating running outside (e.g., the Operating System). Furthermore, SMM information on the target machine. They may, for example, log a code is completely non-preemptible, lacks any concept of victim user’s keystrokes to obtain passwords or manipulate the privilege level, and is immune to memory protection mechanisms.
    [Show full text]
  • Trojans and Malware on the Internet an Update
    Attitude Adjustment: Trojans and Malware on the Internet An Update Sarah Gordon and David Chess IBM Thomas J. Watson Research Center Yorktown Heights, NY Abstract This paper continues our examination of Trojan horses on the Internet; their prevalence, technical structure and impact. It explores the type and scope of threats encountered on the Internet - throughout history until today. It examines user attitudes and considers ways in which those attitudes can actively affect your organization’s vulnerability to Trojanizations of various types. It discusses the status of hostile active content on the Internet, including threats from Java and ActiveX, and re-examines the impact of these types of threats to Internet users in the real world. Observations related to the role of the antivirus industry in solving the problem are considered. Throughout the paper, technical and policy based strategies for minimizing the risk of damage from various types of Trojan horses on the Internet are presented This paper represents an update and summary of our research from Where There's Smoke There's Mirrors: The Truth About Trojan Horses on the Internet, presented at the Eighth International Virus Bulletin Conference in Munich Germany, October 1998, and Attitude Adjustment: Trojans and Malware on the Internet, presented at the European Institute for Computer Antivirus Research in Aalborg, Denmark, March 1999. Significant portions of those works are included here in original form. Descriptors: fidonet, internet, password stealing trojan, trojanized system, trojanized application, user behavior, java, activex, security policy, trojan horse, computer virus Attitude Adjustment: Trojans and Malware on the Internet Trojans On the Internet… Ever since the city of Troy was sacked by way of the apparently innocuous but ultimately deadly Trojan horse, the term has been used to talk about something that appears to be beneficial, but which hides an attack within.
    [Show full text]
  • The Role of Hosting Providers in Fighting Command and Control Infrastructure of Financial Malware
    The Role of Hosting Providers in Fighting Command and Control Infrastructure of Financial Malware Samaneh Tajalizadehkhoob, Carlos Gañán, Arman Noroozian, and Michel van Eeten Faculty of Technology, Policy and Management, Delft University of Technology Delft, the Netherlands [email protected] ABSTRACT command and control (C&C) infrastructure and the cleanup A variety of botnets are used in attacks on financial ser- process of the infected end user machines (bots) [12,32,43]. vices. Banks and security firms invest a lot of effort in The first strategy has the promise of being the most effec- detecting and combating malware-assisted takeover of cus- tive, taking away control of the botnet from the botmasters. tomer accounts. A critical resource of these botnets is their In reality, however, this is often not possible. The second command-and-control (C&C) infrastructure. Attackers rent strategy is not about striking a fatal blow, but about the or compromise servers to operate their C&C infrastructure. war of attrition to remove malware, one machine at a time. Hosting providers routinely take down C&C servers, but the It has not been without success, however. Infection levels effectiveness of this mitigation strategy depends on under- have been stable in many countries [5]. standing how attackers select the hosting providers to host In practice, a third strategy is also being pursued. Similar their servers. Do they prefer, for example, providers who to access providers cleaning up end user machines, there is are slow or unwilling in taking down C&Cs? In this paper, a persistent effort by hosting providers to take down C&C we analyze 7 years of data on the C&C servers of botnets servers, one at a time.
    [Show full text]
  • S. Shiaeles: Real Time Detection and Response of Distributed Denial of Service Attacks for Web Services
    Contents Real time detection and response of distributed denial of service attacks for web services A thesis submitted for the degree of Doctor of Philosophy by Stavros Shiaeles Democritus University of Thrace Department of Electrical and Computer Engineering Xanthi, October 2013 i Contents Copyright ©2013 Stavros Shiaeles Democritus University of Thrace Department of Electrical and Computer Engineering Building A, ECE, University Campus – Kimmeria, 67100 Xanthi, Greece All rights reserved. No parts of this book may be reproduced or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the author. ii Contents I would like to dedicate this thesis to my parents. iii Contents iv Contents Contents Advising Committee of this Doctoral Thesis .................................... ix Approved by the Examining Committee .......................................... xi Acknowledgements ........................................................................ xiii Abstract ......................................................................................... xv Extended Abstract in Greek (Περίληψη) ......................................... xvii List of Figures ................................................................................ xxiii List of Tables .................................................................................. xxv Abbreviations ................................................................................. xxvii Chapter 1: Introduction
    [Show full text]