DOCSLIB.ORG

Reliable Recon in Adversarial Peer-To-Peer Botnets

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Reliable Recon in Adversarial Peer-to-Peer Botnets Dennis Andriesse Christian Rossow Herbert Bos VU University Amsterdam Saarland University, Germany VU University Amsterdam The Netherlands [email protected] The Netherlands [email protected] saarland.de [email protected] ABSTRACT sinkholing, which target all bots in the network [28]. Due The decentralized nature of Peer-to-Peer (P2P) botnets pre- to the high resilience of P2P botnet architectures, many cludes traditional takedown strategies, which target dedi- high-profile botnets have migrated from centralized to P2P cated command infrastructure. P2P botnets replace this networks. Among the most resilient of these are Sality [10] infrastructure with command channels distributed across and P2P (GameOver) Zeus [2]. the full infected population. Thus, mitigation strongly re- The recent takedown of GameOver Zeus underscores the lies on accurate reconnaissance techniques which map the resilience of botnets like these. This notorious banking trojan botnet population.While prior work has studied passive dis- has been active since 2011, and has survived despite multiple turbances to reconnaissance accuracy —such as IP churn intensive sinkholing efforts [28, 4], until finally being crippled and NAT gateways—, the same is not true of active anti- in May 2014, following a massive collaboration between the reconnaissance attacks. This work shows that active attacks FBI, VU University Amsterdam, Saarland University, Crowd- against crawlers and sensors occur frequently in major P2P strike, Dell SecureWorks, and other agencies, universities and botnets. Moreover, we show that current crawlers and sen- malware analysis labs [5, 3]. sors in the Sality and Zeus botnets produce easily detectable Attacks against botnets like these are fundamentally based anomalies, making them prone to such attacks. Based on on knowledge about the composition of the botnet [28]. For our findings, we categorize and evaluate vectors for stealthier instance, sinkholing attacks disrupt C2 connections between and more reliable P2P botnet reconnaissance. bots, and thus require a view of the botnet connectivity graph. Similarly, banks use P2P botnet mappings to identify infected customers, and several nations are currently setting Categories and Subject Descriptors up centralized repositories for reporting infected IPs [31]. D.4.6 [Operating Systems]: Security and Protection—In- Knowledge about the nodes in a botnet and the connections vasive Software; C.2.0 [Computer-Communication Net- between them is obtained using intelligence gathering (recon- works]: General—Security and Protection naissance/recon) techniques. Reliable recon techniques for P2P botnets are thus crucial for both invasive attacks (e.g., General Terms sinkholing) and non-invasive countermeasures (e.g., infection notifications). All recent P2P botnet takedowns required Security accurate recon, including the ZeroAccess and GameOver Zeus attacks [5, 3, 22, 35, 19]. Note that connectivity graph- Keywords agnostic Sybil attacks, which could effectively disrupt early DHT-based P2P botnets [6], are not effective against modern Peer-to-Peer Botnet, Crawling, Reconnaissance unstructured networks like Sality and Zeus, which use dense, dynamic connectivity graphs to propagate signed commands 1. INTRODUCTION between bots. The decentralized nature of Peer-to-Peer (P2P) botnet To maximize the reliability of reconnaissance results, prior architectures eliminates the need for centralized Command- work has studied a myriad of passive disruptive factors, such and-Control (C2) servers. As a result, P2P botnets are im- as bots behind NAT gateways and IP address aliasing [28, mune to traditional takedown strategies, designed to disrupt 17]. In contrast, very little attention has been devoted in the centralized C2 channels. Instead, takedown efforts against literature to the hardening of recon against active disruption P2P botnets require large-scale distributed attacks, such as by botnet operators. We believe this issue calls for closer analysis, as botmas- Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed ters increasingly implement active anti-recon strategies in for profit or commercial advantage and that copies bear this notice and the full citation P2P botnets, largely in response to recent successful take- on the first page. Copyrights for components of this work owned by others than the downs. These upcoming anti-recon strategies are aimed at author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or compromising the intelligence gathered by malware analysts republish, to post on servers or to redistribute to lists, requires prior specific permission in P2P botnets, using attacks such as (automatic) black- and/or a fee. Request permissions from [email protected]. listing [2], reputation schemes [10], and even DDoS against IMC’15 , October 28-30 2015, Tokyo, Japan Copyright is held by the owner/author(s). Publication rights licensed to ACM. recon nodes [4]. Botmasters use anti-recon strategies to aug- ACM 978-1-4503-3848-6/15/10 ...$15.00. ment previously disabled botnets, and redeploy hardened DOI: http://dx.doi.org/10.1145/2815675.2815682. 129 versions of them, which are more difficult to take down. For a instance, the Hlux botnet has already respawned three times, each time with additional hardening strategies [35, 19, 11]. e b These patterns suggest that next-generation P2P botnets will incorporate stronger anti-recon techniques. Because take- down and disinfection efforts against P2P botnets hinge on cd reliable reconnaissance, our work is aimed at proactively in- vestigating the full extent of anti-recon implemented by P2P Figure 1: An example botnet connectivity graph. An arrow from botmasters, and the range of possible defenses to safeguard node a to node b indicates that a knows b. Non-routable nodes reconnaissance in next-generation botnets. are shaded. We show that recon tools used by malware analysts to monitor high-profile botnets suffer from serious protocol de- ficiencies, making them easily detectable. Specifically, we 2. RECON IN P2P BOTNETS infiltrate the Sality v3 and GameOver Zeus botnets by insert- Reconnaissance methods for P2P botnets can be divided ing passive sensors, which scan incoming traffic for anomalies into two classes, namely crawler-based and sensor-based and deviations from the botnet protocol. Additionally, we methods (though hybrids are feasible [28]). This section use active peer list requests to locate sensor nodes which introduces both of these classes, and compares their tradeoffs do not actively initiate communication. (At the time of our and resilience to passive disruption. We discuss active recon analysis, the attack against GameOver Zeus had not yet disruption in Section 3. been launched.) We identify 21 Zeus crawlers, 10 distinct Throughout this paper, we consider a botnet to be a Zeus sensors, and 11 Sality crawlers belonging to well-known digraph G = (V, E), where V is the set of vertices (e.g. malware analysis laboratories, network security companies, bots), and E is the set of edges (e.g. is-neighbor connections and CERTs. We find that all of these have shortcomings between bots). We refer to the number of outgoing edges which make them easy to identify among the bot populations from a bot v as its out-degree deg+(v), and the number of (200.000 bots for Zeus, and 900.000 for Sality) [28]. incoming edges as in-degree deg−(v). At first glance, it may seem that the situation could be remedied by eliminating syntactic protocol deficiencies in 2.1 Crawlers crawlers and sensors. We show that this is not so; even syn- Crawler-based reconnaissance relies upon the peer list tactically sound recon tools can be detected by anomalous in- exchange mechanism available in all P2P botnets [28, 2, 10, or out-degrees. This is commonly true especially for crawlers, 13, 33, 35]. In P2P botnets, every bot maintains a list of as they strive to contact as many bots in as short a time span addresses of other peers it has been contacted by or has as possible. To evaluate the magnitude of this problem, we learned about from other bots. To maintain connectivity design and implement a novel distributed crawler detection with the network despite the constant churn of bots that model, and show that it can automatically detect all crawlers join and leave the botnet, peers regularly exchange (parts in GameOver Zeus without false positives. We illustrate that of) their peer list with their neighbors. Support for peer list the algorithm is applicable not only to Zeus, but also to other exchanges is typically implemented through special request P2P botnets, including Sality. Based on these results, we messages included in the botnet protocol, called peer list propose and evaluate techniques to evade out-degree-based requests, which each bot can use to request a set of peer detection, such as rate limiting and distributed crawling, addresses from another. Crawlers abuse this mechanism and we measure the impact of these techniques on crawling by recursively requesting peer lists from all bots they learn accuracy and completeness. about, starting from an initial bootstrap peer list (usually We also discuss an alternative reconnaissance strategy obtained from a bot sample). which has been widely proposed for use in P2P botnets, Due to its simplicity and ability to rapidly request peers namely Internet-wide scanning [9]. We show that it is applica- from many bots, crawling is a highly popular intelligence ble to some P2P botnets, but is unfortunately not compatible gathering method used by malware analysts [15, 28]. Never- with all P2P botnet protocols. theless, crawlers have been reported to suffer from a myriad Summarizing, our main contributions are: of inaccuracy problems. For instance, address aliasing can 1. We identify and classify anti-recon attacks taking place occur with bots that use dynamic IP addresses, leading to in current P2P botnets, and generalize to potential significant botnet size overestimations if the crawling period attacks which could be implemented in future botnets.
Recommended publications
  • Ransom Where?

    Ransom Where?

    Ransom where? Holding data hostage with ransomware May 2019 Author With the evolution of digitization and increased interconnectivity, the cyberthreat landscape has transformed from merely a security and privacy concern to a danger much more insidious by nature — ransomware. Ransomware is a type of malware that is designed to encrypt, Imani Barnes Analyst 646.572.3930 destroy or shut down networks in exchange [email protected] for a paid ransom. Through the deployment of ransomware, cybercriminals are no longer just seeking to steal credit card information and other sensitive personally identifiable information (PII). Instead, they have upped their games to manipulate organizations into paying large sums of money in exchange for the safe release of their data and control of their systems. While there are some business sectors in which the presence of this cyberexposure is overt, cybercriminals are broadening their scopes of potential victims to include targets of opportunity1 across a multitude of industries. This paper will provide insight into how ransomware evolved as a cyberextortion instrument, identify notorious strains and explain how companies can protect themselves. 1 WIRED. “Meet LockerGoga, the Ransomware Crippling Industrial Firms” March 25, 2019; https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/. 2 Ransom where? | May 2019 A brief history of ransomware The first signs of ransomware appeared in 1989 in the healthcare industry. An attacker used infected floppy disks to encrypt computer files, claiming that the user was in “breach of a licensing agreement,”2 and demanded $189 for a decryption key. While the attempt to extort was unsuccessful, this attack became commonly known as PC Cyborg and set the archetype in motion for future attacks.
  • Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G

    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G

    Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere and Michel J.G. van Eeten Delft University of Technology Abstract more sophisticated C&C mechanisms that are increas- ingly resilient against takeover attempts [30]. Research on botnet mitigation has focused predomi- In pale contrast to this wealth of work stands the lim- nantly on methods to technically disrupt the command- ited research into the other side of botnet mitigation: and-control infrastructure. Much less is known about the cleanup of the infected machines of end users. Af- effectiveness of large-scale efforts to clean up infected ter a botnet is successfully sinkholed, the bots or zom- machines. We analyze longitudinal data from the sink- bies basically remain waiting for the attackers to find hole of Conficker, one the largest botnets ever seen, to as- a way to reconnect to them, update their binaries and sess the impact of what has been emerging as a best prac- move the machines out of the sinkhole. This happens tice: national anti-botnet initiatives that support large- with some regularity. The recent sinkholing attempt of scale cleanup of end user machines.
  • Internet Security Threat Report Volume 24 | February 2019

    Internet Security Threat Report Volume 24 | February 2019

    ISTRInternet Security Threat Report Volume 24 | February 2019 THE DOCUMENT IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENT. THE INFORMATION CONTAINED IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. INFORMATION OBTAINED FROM THIRD PARTY SOURCES IS BELIEVED TO BE RELIABLE, BUT IS IN NO WAY GUARANTEED. SECURITY PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT (“CONTROLLED ITEMS”) ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER FOR YOU TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT SUCH CONTROLLED ITEMS. TABLE OF CONTENTS 1 2 3 BIG NUMBERS YEAR-IN-REVIEW FACTS AND FIGURES METHODOLOGY Formjacking Messaging Cryptojacking Malware Ransomware Mobile Living off the land Web attacks and supply chain attacks Targeted attacks Targeted attacks IoT Cloud Underground economy IoT Election interference MALICIOUS
  • 1.Computer Virus Reported (1) Summary for This Quarter

    1.Computer Virus Reported (1) Summary for This Quarter

    Attachment 1 1.Computer Virus Reported (1) Summary for this Quarter The number of the cases reported for viruses*1 in the first quarter of 2013 decreased from that of the fourth quarter of 2012 (See Figure 1-1). As for the number of the viruses detected*2 in the first quarter of 2013, W32/Mydoom accounted for three-fourths of the total (See Figure 1-2). Compared to the fourth quarter of 2012, however, both W32/Mydoom and W32/Netsky showed a decreasing trend. When we looked into the cases reported for W32/Netsky, we found that in most of those cases, the virus code had been corrupted, for which the virus was unable to carry out its infection activity. So, it is unlikely that the number of cases involving this virus will increase significantly in the future As for W32/IRCbot, it has greatly decreased from the level of the fourth quarter of 2012. W32/IRCbot carries out infection activities by exploiting vulnerabilities within Windows or programs, and is often used as a foothold for carrying out "Targeted Attack". It is likely that that there has been a shift to attacks not using this virus. XM/Mailcab is a mass-mailing type virus that exploits mailer's address book and distributes copies of itself. By carelessly opening this type of email attachment, the user's computer is infected and if the number of such users increases, so will the number of the cases reported. As for the number of the malicious programs detected in the first quarter of 2013, Bancos, which steals IDs/Passwords for Internet banking, Backdoor, which sets up a back door on the target PC, and Webkit, which guides Internet users to a maliciously-crafted Website to infect with another virus, were detected in large numbers.
  • The Botnet Chronicles a Journey to Infamy

    The Botnet Chronicles a Journey to Infamy

    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
  • Marked for Disruption: Tracing the Evolution of Malware Delivery Operations Targeted for Takedown

    Marked for Disruption: Tracing the Evolution of Malware Delivery Operations Targeted for Takedown

    Marked for Disruption: Tracing the Evolution of Malware Delivery Operations Targeted for Takedown Colin C. Ife¢, Yun Sheny, Steven J. Murdoch¢, and Gianluca Stringhiniz ¢University College London, yNorton Research Group, zBoston University ¢yUnited Kingdom, zUnited States {colin.ife,s.murdoch}@ucl.ac.uk,[email protected],[email protected] ABSTRACT 1 INTRODUCTION The malware and botnet phenomenon is among the most signif- Malware delivery has evolved into a major business for the cyber- icant threats to cybersecurity today. Consequently, law enforce- criminal economy and a complex problem for the security commu- ment agencies, security companies, and researchers are constantly nity. The botnet – a network of malware-infected devices that is seeking to disrupt these malicious operations through so-called controlled by a single actor through one or more command and takedown counter-operations. Unfortunately, the success of these control (C&C) servers – is one phenomenon that has benefited takedowns is mixed. Furthermore, very little is understood as to from the malware delivery revolution. Diverse distribution vectors how botnets and malware delivery operations respond to takedown have enabled such malicious networks to expand more quickly and attempts. We present a comprehensive study of three malware de- efficiently than ever before. Once established, these botnets canbe livery operations that were targeted for takedown in 2015–16 using leveraged to commit a wide array of secondary computer crimes, global download metadata provided by Symantec. In summary, we such as data theft, financial fraud, coercion (ransomware), send- found that: (1) Distributed delivery architectures were commonly ing spam messages, distributed denial of service (DDoS) attacks, used, indicating the need for better security hygiene and coordina- and unauthorised cryptocurrency mining [1, 14, 17, 47, 48].

  • Mcafee Labs Threats Report August 2014

    McAfee Labs Threats Report August 2014 Heartbleed Heartbleed presents a new cybercrime opportunity. 600,000 To-do lists The Heartbleed vulnerability Lists of Heartbleed-vulnerable exposed an estimated 600,000 websites are helpful to users but websites to information theft. can also act as “to-do” lists for cyber thieves. Unpatched websites Black market Despite server upgrades, many Criminals continue to extract websites remain vulnerable. information from Heartbleed- vulnerable websites and are selling it on the black market. McAfee Phishing Quiz Phishing continues to be an effective tactic for infiltrating enterprise networks. Average Score by Department (percent of email samples correctly identified) Only 6% of all test takers correctly 65% identified all ten email samples as phishing or legitimate. 60% 80% 55% of all test takers fell for at least one of the seven phishing emails. 50% 88% of test takers in Accounting & 0 Finance and HR fell for at least one of the seven phishing emails. Accounting & Finance Human Resources Other Departments The McAfee Phishing Quiz tested business users’ ability to detect online scams. Operation Tovar During Operation Tovar—The Gameover Zeus and CryptoLocker takedown: For CryptoLocker For Gameover Zeus more than 125,000 more than 120,000 domains were blocked. domains were sinkholed. Since the announcement of Operation Tovar: 80,000 times Copycats ****** McAfee Stinger, a free ****** are on the rise, creating tool that detects and ****** new ransomware or removes malware financial-targeting (including Gameover Zeus malware using the leaked and CryptoLocker), was Zeus source code. downloaded more than 80,000 times. McAfee joined global law enforcement agencies and others to take down Gameover Zeus and CryptoLocker.
  • Iptrust Botnet / Malware Dictionary This List Shows the Most Common Botnet and Malware Variants Tracked by Iptrust

    Iptrust Botnet / Malware Dictionary This List Shows the Most Common Botnet and Malware Variants Tracked by Iptrust

    ipTrust Botnet / Malware Dictionary This list shows the most common botnet and malware variants tracked by ipTrust. This is not intended to be an exhaustive list, since new threat intelligence is always being added into our global Reputation Engine. NAME DESCRIPTION Conficker A/B Conficker A/B is a downloader worm that is used to propagate additional malware. The original malware it was after was rogue AV - but the army's current focus is undefined. At this point it has no other purpose but to spread. Propagation methods include a Microsoft server service vulnerability (MS08-067) - weakly protected network shares - and removable devices like USB keys. Once on a machine, it will attach itself to current processes such as explorer.exe and search for other vulnerable machines across the network. Using a list of passwords and actively searching for legitimate usernames - the ... Mariposa Mariposa was first observed in May 2009 as an emerging botnet. Since then it has infected an ever- growing number of systems; currently, in the millions. Mariposa works by installing itself in a hidden location on the compromised system and injecting code into the critical process ͞ĞdžƉůŽƌĞƌ͘ĞdžĞ͘͟/ƚŝƐknown to affect all modern Windows versions, editing the registry to allow it to automatically start upon login. Additionally, there is a guard that prevents deletion while running, and it automatically restarts upon crash/restart of explorer.exe. In essence, Mariposa opens a backdoor on the compromised computer, which grants full shell access to ... Unknown A botnet is designated 'unknown' when it is first being tracked, or before it is given a publicly- known common name.
  • The Customer As a Target Risks of Phishing and Trojans

    The Customer As a Target Risks of Phishing and Trojans

    The Customer as a Target Risks of Phishing and Trojans Gijs Hollestelle | Deloitte Netherlands January 31, 2012 © 2012 Deloitte Touche Tohmatsu History of Computer Crime (1/2) •1980‟s • First worm: Morris Worm • Phone Phreaking • BBS Hacking boards • Movie: Wargames • Computer hacking was primarily done by people in universities to find out how things worked •1990‟s: • Real start of computer crime, targeting financial institutions • Succesful hacks of various banks, phone companies, etc • Kevin Mitnick convicted • 2000‟s / Today • Early 2000‟s examples of „Hobby‟ projects, everyone can be a hacker. I love You/Kournikova Virus • Late 2000‟s Professionalization of computer crime • Internet banking and online shopping become popular, leading to increased incentive to use computer crime for financial gain • Avanced trojans • Shift of hacking companies to hacking consumers • Sophisticated trojans/virusses such as Zeus and Stuxnet 2 © 2012 Deloitte Touche Tohmatsu History of Computer Crime (2/2) 3 © 2012 Deloitte Touche Tohmatsu The Underground Economy (1/2) Some recent figures • Dutch Association of Banks (NVB) released information that in 2012 Internet banking fraud was 9.8 mln euro. • In first half of 2011 alone, this has increased to 11.2 mln euro. • In Germany Internet banking fraud is estimated at 17mln euro in 2012 • In the UK 60mln pounds in Internet Crime in 2009 4 © 2012 Deloitte Touche Tohmatsu The Underground Economy (2/2) Where are these identities sold? Source: krebsonsecurity.com 5 © 2012 Deloitte Touche Tohmatsu The Logic of the Cyber Criminal • Stricter regulations such as PCI have forced companies have forced companies to further increase their security measures.
  • Modeling and Evaluating the Resilience of Peer-To-Peer Botnets

    Modeling and Evaluating the Resilience of Peer-To-Peer Botnets

    P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets Christian Rossow∗‡, Dennis Andriesse‡, Tillmann Werner¶, Brett Stone-Gross†, Daniel Plohmann§, Christian J. Dietrich∗, Herbert Bos‡ ∗ Institute for Internet Security, Gelsenkirchen, Germany {rossow,dietrich}@internet-sicherheit.de ‡ VU University Amsterdam, The Netherlands {d.a.andriesse,h.j.bos}@vu.nl § Fraunhofer FKIE, Bonn, Germany, [email protected] † Dell SecureWorks, [email protected] ¶ CrowdStrike, Inc. Abstract—Centralized botnets are easy targets for takedown disrupted using the traditional approach of attacking critical efforts by computer security researchers and law enforcement. centralized infrastructure. Thus, botnet controllers have sought new ways to harden the Even though active P2P botnets such as the Zeus P2P infrastructures of their botnets. In order to meet this objective, some botnet operators have (re)designed their botnets to use variant, Sality, ZeroAccess and Kelihos have survived in the Peer-to-Peer (P2P) infrastructures. Many P2P botnets are far wild for as long as five years, relatively little is known about more resilient to takedown attempts than centralized botnets, the sizes of these botnets. It is difficult to estimate a P2P because they have no single points of failure. However, P2P botnets are subject to unique classes of attacks, such as node botnet’s size, for a number of reasons. P2P botnets often enumeration and poisoning. In this paper, we introduce a use custom protocols, so that researchers must first reverse formal graph model to capture the intrinsic properties and engineer the protocol and encryption before they can track fundamental vulnerabilities of P2P botnets. We apply our the botnet’s population.
  • Understanding and Analyzing Malicious Domain Take-Downs

    Understanding and Analyzing Malicious Domain Take-Downs

    Cracking the Wall of Confinement: Understanding and Analyzing Malicious Domain Take-downs Eihal Alowaisheq1,2, Peng Wang1, Sumayah Alrwais2, Xiaojing Liao1, XiaoFeng Wang1, Tasneem Alowaisheq1,2, Xianghang Mi1, Siyuan Tang1, and Baojun Liu3 1Indiana University, Bloomington. fealowais, pw7, xliao, xw7, talowais, xm, [email protected] 2King Saud University, Riyadh, Saudi Arabia. [email protected] 3Tsinghua University, [email protected] Abstract—Take-down operations aim to disrupt cybercrime “clean”, i.e., no longer involved in any malicious activities. involving malicious domains. In the past decade, many successful Challenges in understanding domain take-downs. Although take-down operations have been reported, including those against the Conficker worm, and most recently, against VPNFilter. domain seizures are addressed in ICANN guidelines [55] Although it plays an important role in fighting cybercrime, the and in other public articles [14, 31, 38], there is a lack of domain take-down procedure is still surprisingly opaque. There prominent and comprehensive understanding of the process. seems to be no in-depth understanding about how the take-down In-depth exploration is of critical importance for combating operation works and whether there is due diligence to ensure its cybercrime but is by no means trivial. The domain take-down security and reliability. process is rather opaque and quite complicated. In particular, In this paper, we report the first systematic study on domain it involves several steps (complaint submission, take-down takedown. Our study was made possible via a large collection execution, and release, see SectionII). It also involves multiple of data, including various sinkhole feeds and blacklists, passive parties (authorities, registries, and registrars), and multiple DNS data spanning six years, and historical WHOIS informa- domain management elements (DNS, WHOIS, and registry tion.
  • Symantec Intelligence Report: June 2011

    Symantec Intelligence Report: June 2011

    Symantec Intelligence Symantec Intelligence Report: June 2011 Three-quarters of spam send from botnets in June, and three months on, Rustock botnet remains dormant as Cutwail becomes most active; Pharmaceutical spam in decline as new Wiki- pharmacy brand emerges Welcome to the June edition of the Symantec Intelligence report, which for the first time combines the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. The new integrated report, the Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this combined report includes data from May and June 2011. Report highlights Spam – 72.9% in June (a decrease of 2.9 percentage points since May 2011): page 11 Phishing – One in 330.6 emails identified as phishing (a decrease of 0.05 percentage points since May 2011): page 14 Malware – One in 300.7 emails in June contained malware (a decrease of 0.12 percentage points since May 2011): page 15 Malicious Web sites – 5,415 Web sites blocked per day (an increase of 70.8% since May 2011): page 17 35.1% of all malicious domains blocked were new in June (a decrease of 1.7 percentage points since May 2011): page 17 20.3% of all Web-based malware blocked was new in June (a decrease of 4.3 percentage points since May 2011): page 17 Review of Spam-sending botnets in June 2011: page 3 Clicking to Watch Videos Leads to Pharmacy Spam: page 6 Wiki for Everything, Even for Spam: page 7 Phishers Return for Tax Returns: page 8 Fake Donations Continue to Haunt Japan: page 9 Spam Subject Line Analysis: page 12 Best Practices for Enterprises and Users: page 19 Introduction from the editor Since the shutdown of the Rustock botnet in March1, spam volumes have never quite recovered as the volume of spam in global circulation each day continues to fluctuate, as shown in figure 1, below.