DOCSLIB.ORG

Large-Scale Detection and Measurement of Malicious Content

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Large-Scale Detection and Measurement of Malicious Content Large-Scale Detection and Measurement of Malicious Content Inauguraldissertation zur Erlangung des akademischen Grades eines Doktors der Naturwissenschaften der Universität Mannheim vorgelegt von Jan Gerrit Göbel aus Köln, Deutschland Mannheim, 2011 Dekan: Professor Dr. Wolfgang Effelsberg, Universität Mannheim Referent: Professor Dr. Felix Christoph Freiling, Universität Mannheim Korreferent: Professor Dr. Christopher Kruegel, University of California, Santa Barbara Tag der mündlichen Prüfung: 27. April 2011 Abstract Many different network and host-based security solutions have been developed in the past to counter the threat of autonomously spreading malware. Among the most common detection techniques for such attacks are network traffic analysis and the so-called honeypots. In this thesis, we introduce two new malware detection sensors that make use of the above mentioned techniques. The first sensor called Rishi, passively monitors network traffic to automatically detect bot infected machines. The second sensor called Amun follows the concept of honeypots and detects malware through the emulation of vulnerabilities in network services that are commonly exploited. Both sensors were operated for two years and collected valuable data on autonomously spreading malware in the Internet. From this data we were able to, for example, study the change in exploit behavior and derive predictions about preferred targets of todays’ malware. Zusammenfassung In der Vergangenheit wurden viele Sicherheitslösungen zur Bekämpfung von sich autonom verbreitenden Schadprogrammen entwickelt. Einige von diesen Lösungen set- zen lokal an einem Rechner an, andere hingegen an Netzen und deren Datenverkehr. Zu den bekanntesten Erkennungstechniken gehören die Analyse des Netzverkehrs und sogenannte Hon- eypots. In dieser Arbeit stellen wir zwei neue Sensoren zur Erkennung von Schadprogrammen vor, die die eben genannten Techniken verwenden. Der erste Sensor, genannt Rishi, lauscht passiv an einem Netz und erkennt durch die Analyse des Datenverkehrs Rechner, die mit einem Bot infiziert sind. Der zweite Sensor ist Amun. Dies ist ein Honeypot und erkennt Schadprogramme durch die Emulation von oft ausgenutzten Schwachstellen in Netzwerkdiensten. Beide Sensoren wur- den über zwei Jahre hinweg betrieben und haben in dieser Zeit wertvolle Informationen über sich autonom verbreitende Schadprogramme im Internet gesammelt. Zum Beispiel konnten wir Verän- derungen im Exploit-Verhalten feststellen und Aussagen über zukünftige Angriffsziele ableiten. “A spoonful of honey will catch more flies than a gallon of vinegar.” Benjamin Franklin [Hal04] Acknowledgements First of all, I would like to thank my advisor Prof. Dr. Freiling, who gave me the opportu- nity to work in this exciting area of computer science and supported my research in every way. Throughout this thesis, he always provided me with valuable feedback and I never had a question unanswered. Thank you for this excellent guidance. Furthermore, I would like to thank Prof. Dr. Christopher Krügel for accepting to be my co- advisor. Although, we have never really met in person his name and work is well-known in the context of malware detection and analysis. Thus, i am honoured that he accepted to be my co- advisor. I would also like to thank all members of the Network Operations Center (NOC) at RWTH Aachen University, especially Jens Hektor, who allowed me to deploy and maintain one of the biggest Honeynets in Germany. Without the information collected at this network during the last years all the work presented in this thesis would not have been possible. In this context, I would also like to thank Jens Syckor from TU Dresden, Matteo Cantoni from Italy, and Eric Chio from China, who all thankfully provided me with their honeypot sensor data and thus enabled me to make predictions about optimal sensor placement strategies with respect to geographical distant sensors. There are also many other people I would like to thank for supporting me in the development of various aspects of my work. First of all, I would like to thank Philipp Trinius for writing some interesting papers with me and providing me with valuable feedback and suggestions, but also for being an uncomplicated co-worker and friend. This last statement holds actually true for all people working at the Laboratory for Dependable Distributed Systems of Mannheim University that I met during this time. Without the assistance of Michael Becher, Zina Benenson, Andreas Dewald, Markus Engelberth, Christian Gorecki, Thorsten Holz, Philipp Trinius, and Carsten Willems it would not have been so much fun. Part of this work also benefited from the valuable feedback and enhancements of Stefan Vömel who volunteered proof-reading one of the chapters. I would also like to thank all diploma/bachelor students and student workers, who helped over the years to implement some parts of the work presented in this thesis. In particular, Ben Stock and Matthias Luft helped a lot to develop and implement tools to evaluate the large amount of Honeynet data we have collected. Both the atmosphere and cheerfulness at the Laboratory for Dependable Distributed Systems of the University of Mannheim, as well as the great cooperation with the Center for Computing and Communication of RWTH Aachen University was amazing and tremendously contributed to the vii outcome of this thesis. It was a pleasure working with all of you. Finally, I have to express my gratitude to my wife and my son. Without her doing most of the work at home I could not have spent so much time working on this thesis. But they both were also very helpful in distracting me and helping me not to forget that there is an everyday life next to work. Contents Acknowledgements List of Figures v List of Tables ix List of Listings xi 1 Introduction 1 1.1 Introduction . .1 1.2 Motivation . .2 1.3 Contributions . .2 1.3.1 Malware Sensors . .2 1.3.2 Large-Scale Data Evaluation . .3 1.4 Thesis Outline . .4 1.5 List of Publications . .5 2 Background 7 2.1 Introduction . .7 2.2 Internet Relay Chat . .8 2.3 Bots and Botnets . .9 2.4 Honeypots and Honeynets . 11 2.4.1 Honeypot Definition . 12 2.4.2 Low- and High-Interaction Honeypots . 12 2.4.3 Physical and Virtual Honeypots . 16 2.4.4 Client and Server Honeypots . 17 2.5 Exploits and Shellcode . 18 2.5.1 Buffer Overflow . 19 2.5.2 Shellcode Obfuscation Techniques . 21 2.6 Summary . 25 3 Related Work 27 3.1 Introduction . 27 i Contents 3.2 IRC Botnet Detection . 27 3.3 Low-Interaction Honeypots . 28 3.4 Early Warning Systems . 30 3.5 Large-Scale Evaluation of Incident Information . 32 3.6 Summary . 33 4 No-Interaction Malware Sensor 35 4.1 Introduction . 35 4.2 Concept and Methodology . 36 4.3 Rishi Botnet Detection . 37 4.4 Implementation Details of Rishi . 40 4.4.1 The Scoring Function . 40 4.4.2 Regular Expression . 41 4.4.3 Whitelisting . 42 4.4.4 Blacklisting . 43 4.4.5 Rishi Configuration . 44 4.5 Limitations . 47 4.6 Selected Events Monitored with Rishi . 49 4.6.1 Case Study: Detecting Spam-Bots . 49 4.6.2 Case Study: Spotting Botnet Tracking . 50 4.7 Rishi Webinterface . 51 4.8 Summary . 55 5 Low-Interaction Malware Sensor 57 5.1 Introduction . 57 5.2 Concept and Methodology . 58 5.3 Amun Honeypot . 61 5.4 Implementation Details of Amun . 63 5.4.1 Amun Configuration . 63 5.4.2 Amun Kernel . 67 5.4.3 Request Handler . 68 5.4.4 Vulnerability Modules . 69 5.4.5 Shellcode Analyser . 81 5.4.6 Command-Shell Module . 83 5.4.7 Download Modules . 83 5.4.8 Submission Modules . 86 5.4.9 Logging Modules . 89 5.5 Limitations . 90 5.6 Selected Events Monitored with Amun . 92 5.6.1 Case Study: Amun Webserver Emulation . 92 5.6.2 Case Study: Palevo worm . 94 5.7 Summary . 98 6 Malware Sensor Infrastructure 101 6.1 Introduction . 101 6.2 InMAS Infrastructure Overview . 102 6.3 Malware Capture . 103 6.4 Malware Repository . 107 ii Contents 6.5 Malware Analysis . 108 6.6 Webinterface . 110 6.7 Summary . 114 7 Malware Sensor Evaluation 117 7.1 Introduction . 117 7.2 Rishi Evaluation . 118 7.2.1 Data Points and Definitions . 118 7.2.2 Measurement Periods . 119 7.2.3 Long-term Investigation of Sandbox Traffic . 119 7.2.4 Selected Aspects of Collected Botnet Data . 127 7.3 Amun Evaluation . 130 7.3.1 Data Points and Definitions . 130 7.3.2 Measurement Periods . 131 7.3.3 Honeypot Sensors . 131 7.3.4 Database Layout . 134 7.3.5 Long-term Investigation of the Aachen Honeynet . 136 7.3.6 Short-term comparison of Honeynet Attacks . 149 7.4 Summary . ..
Load more

Recommended publications
  • A the Hacker
    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
    [Show full text]
  • Miscellaneous: Malware Cont'd & Start on Bitcoin
    Miscellaneous: Malware cont’d & start on Bitcoin CS 161: Computer Security Prof. Raluca Ada Popa April 19, 2018 Credit: some slides are adapted from previous offerings of this course Viruses vs. Worms VIRUS WORM Propagates By infecting Propagates automatically other programs By copying itself to target systems Usually inserted into A standalone program host code (not a standalone program) Another type of virus: Rootkits Rootkit is a ”stealthy” program designed to give access to a machine to an attacker while actively hiding its presence Q: How can it hide itself? n Create a hidden directory w /dev/.liB, /usr/src/.poop and similar w Often use invisiBle characters in directory name n Install hacked Binaries for system programs such as netstat, ps, ls, du, login Q: Why does it Become hard to detect attacker’s process? A: Can’t detect attacker’s processes, files or network connections By running standard UNIX commands! slide 3 Sony BMG copy protection rootkit scandal (2005) • Sony BMG puBlished CDs that apparently had copy protection (for DRM). • They essentially installed a rootkit which limited user’s access to the CD. • It hid processes that started with $sys$ so a user cannot disaBle them. A software engineer discovered the rootkit, it turned into a Big scandal Because it made computers more vulneraBle to malware Q: Why? A: Malware would choose names starting with $sys$ so it is hidden from antivirus programs Sony BMG pushed a patch … But that one introduced yet another vulneraBility So they recalled the CDs in the end Detecting Rootkit’s
    [Show full text]
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles A Journey to Infamy Trend Micro, Incorporated Rik Ferguson Senior Security Advisor A Trend Micro White Paper I November 2010 The Botnet Chronicles A Journey to Infamy CONTENTS A Prelude to Evolution ....................................................................................................................4 The Botnet Saga Begins .................................................................................................................5 The Birth of Organized Crime .........................................................................................................7 The Security War Rages On ........................................................................................................... 8 Lost in the White Noise................................................................................................................. 10 Where Do We Go from Here? .......................................................................................................... 11 References ...................................................................................................................................... 12 2 WHITE PAPER I THE BOTNET CHRONICLES: A JOURNEY TO INFAMY The Botnet Chronicles A Journey to Infamy The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet’s name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section. 3 WHITE
    [Show full text]
  • An Introduction to Malware
    Downloaded from orbit.dtu.dk on: Sep 24, 2021 An Introduction to Malware Sharp, Robin Publication date: 2017 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Sharp, R. (2017). An Introduction to Malware. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. An Introduction to Malware Robin Sharp DTU Compute Spring 2017 Abstract These notes, written for use in DTU course 02233 on Network Security, give a short introduction to the topic of malware. The most important types of malware are described, together with their basic principles of operation and dissemination, and defenses against malware are discussed. Contents 1 Some Definitions............................2 2 Classification of Malware........................2 3 Vira..................................3 4 Worms................................
    [Show full text]
  • Symantec Intelligence Report: June 2011
    Symantec Intelligence Symantec Intelligence Report: June 2011 Three-quarters of spam send from botnets in June, and three months on, Rustock botnet remains dormant as Cutwail becomes most active; Pharmaceutical spam in decline as new Wiki- pharmacy brand emerges Welcome to the June edition of the Symantec Intelligence report, which for the first time combines the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. The new integrated report, the Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this combined report includes data from May and June 2011. Report highlights Spam – 72.9% in June (a decrease of 2.9 percentage points since May 2011): page 11 Phishing – One in 330.6 emails identified as phishing (a decrease of 0.05 percentage points since May 2011): page 14 Malware – One in 300.7 emails in June contained malware (a decrease of 0.12 percentage points since May 2011): page 15 Malicious Web sites – 5,415 Web sites blocked per day (an increase of 70.8% since May 2011): page 17 35.1% of all malicious domains blocked were new in June (a decrease of 1.7 percentage points since May 2011): page 17 20.3% of all Web-based malware blocked was new in June (a decrease of 4.3 percentage points since May 2011): page 17 Review of Spam-sending botnets in June 2011: page 3 Clicking to Watch Videos Leads to Pharmacy Spam: page 6 Wiki for Everything, Even for Spam: page 7 Phishers Return for Tax Returns: page 8 Fake Donations Continue to Haunt Japan: page 9 Spam Subject Line Analysis: page 12 Best Practices for Enterprises and Users: page 19 Introduction from the editor Since the shutdown of the Rustock botnet in March1, spam volumes have never quite recovered as the volume of spam in global circulation each day continues to fluctuate, as shown in figure 1, below.
    [Show full text]
  • The Trojan Wars: Building the Big Picture to Combat Efraud
    THE TROJAN WARS: BUILDING THE BIG PICTURE TO COMBAT EFRAUD MNEMONIC THREAT INTELLIGENCE UNIT White Paper TABLE OF CONTENTS INTRODUCTION ................................................................................3 THE INITIAL TORPIG CAMPAIGN ......................................................4 • Infection Cycles ..........................................................................................5 • Ice IX – Downloading Torpig and Pushdo ...................................................6 • Torpig Campaign C&C infrastructure ..........................................................9 • Ice IX Takedown Avoidance Technique .......................................................10 THE FOLLOW-ON P2P ZEUS CAMPAIGN ..........................................11 • Infection Cycles ...........................................................................................12 • Neurevt – Downloading P2P Zeus ..............................................................13 THE WAY FORWARD: CONCLUSIONS AND RECOMMENDATIONS ....14 ABOUT MNEMONIC ..........................................................................15 REFERENCES ...................................................................................16 THE TROJAN WARS - BUILDING THE BIG PICTURE TO COMBAT EFRAUD MNEMONIC AS INTRODUCTION Trojans are a very sophisticated type of malware and their use by cybercriminals to perform widespread eFraud is now well established. They are rarely operated in a standalone mode and the infrastructure used to spread and maintain Trojans is
    [Show full text]
  • Downloading and Running
    City Research Online City, University of London Institutional Repository Citation: Meng, X. (2018). An integrated networkbased mobile botnet detection system. (Unpublished Doctoral thesis, City, Universtiy of London) This is the accepted version of the paper. This version of the publication may differ from the final published version. Permanent repository link: https://openaccess.city.ac.uk/id/eprint/19840/ Link to published version: Copyright: City Research Online aims to make research outputs of City, University of London available to a wider audience. Copyright and Moral Rights remain with the author(s) and/or copyright holders. URLs from City Research Online may be freely distributed and linked to. Reuse: Copies of full items can be used for personal research or study, educational, or not-for-profit purposes without prior permission or charge. Provided that the authors, title and full bibliographic details are credited, a hyperlink and/or URL is given for the original metadata page and the content is not changed in any way. City Research Online: http://openaccess.city.ac.uk/ [email protected] AN INTEGRATED NETWORK- BASED MOBILE BOTNET DETECTION SYSTEM Xin Meng Department of Computer Science City, University of London This dissertation is submitted for the degree of Doctor of Philosophy City University London June 2017 Declaration I hereby declare that except where specific reference is made to the work of others, the contents of this dissertation are original and have not been submitted in whole or in part for consideration for any other degree or qualification in this, or any other University. This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration, except where specifically indicated in the text.
    [Show full text]
  • Dgarchive a Deep Dive Into Domain Generating Malware
    DGArchive A deep dive into domain generating malware Daniel Plohmann [email protected] 2015-12-03 | Botconf, Paris © 2015 Fraunhofer FKIE 1 About me Daniel Plohmann PhD candidate at University of Bonn, Germany Security Researcher at Fraunhofer FKIE Focus: Reverse Engineering / Malware Analysis / Automation Projects ENISA Botnet Study 2011 [1] Analysis Tools PyBox, IDAscope, DGArchive, … Botnet Analysis Gameover Zeus / P2P protocols [2] DGA-based Malware [1] http://www.enisa.europa.eu/act/res/botnets/botnets-measurement-detection-disinfection-and-defence [2] http://christian-rossow.de/publications/p2pwned-ieee2013.pdf © 2015 Fraunhofer FKIE 2 Agenda Intro: Domain Generation Algorithms / DGArchive Comparison of DGA Features Registration Status of DGA Domain Space Case Studies © 2015 Fraunhofer FKIE 3 Intro Domain Generation Algorithms © 2015 Fraunhofer FKIE 4 Domain Generation Algorithms Definitions Concept first described ~2008: Domain Flux Domain Generation Algorithm (DGA) An algorithm producing Command & Control rendezvous points dynamically Shared secret between malware running on compromised host and botmaster Seeds Collection of parameters influencing the output of the algorithm Algorithmically-Generated Domain (AGD) Domains resulting from a DGA © 2015 Fraunhofer FKIE 5 Domain Generation Algorithms Origin & History Feb 2006 Sality: dynamically generates 3rd-level domain part July 2007 Torpig: Report by Verisign includes DGA-like domains July 2007 Kraken: VirusTotal upload of binary using DDNS
    [Show full text]
  • Banking Trojans: from Stone Age to Space Era
    Europol Public Information Europol Public Information Banking Trojans: From Stone Age to Space Era A Joint Report by Check Point and Europol The Hague, 21/03/2017 Europol Public Information 1 / 16 Europol Public Information Contents 1 Introduction .............................................................................................................. 3 2 The Founding Fathers ................................................................................................ 3 3 The Current Top Tier ................................................................................................. 5 4 The Latest .................................................................................................................. 9 5 Mobile Threat .......................................................................................................... 10 6 Evolutionary Timeline ............................................................................................. 11 7 Impressions/Current Trends ................................................................................... 11 8 Banking Trojans: The Law Enforcement View ......................................................... 12 9 How are Banking Trojans used by Criminals? ......................................................... 13 10 How are the Criminals Structured? ......................................................................... 14 11 Building on Public-Private-Partnerships - The Law Enforcement Response ........... 15 12 How to Protect Yourself .........................................................................................
    [Show full text]
  • FORECAST – Skimming Off the Malware Cream
    FORECAST – Skimming off the Malware Cream Matthias Neugschwandtner1, Paolo Milani Comparetti1, Gregoire Jacob2, and Christopher Kruegel2 1Vienna University of Technology, {mneug,pmilani}@seclab.tuwien.ac.at 2University of California, Santa Barbara, {gregoire,chris}@cs.ucsb.edu ABSTRACT Malware commonly employs various forms of packing and ob- To handle the large number of malware samples appearing in the fuscation to resist static analysis. Therefore, the most widespread wild each day, security analysts and vendors employ automated approach to the analysis of malware samples is currently based on tools to detect, classify and analyze malicious code. Because mal- executing the malicious code in a controlled environment to ob- ware is typically resistant to static analysis, automated dynamic serve its behavior. Dynamic analysis tools such as CWSandbox [3], analysis is widely used for this purpose. Executing malicious soft- Norman Sandbox and Anubis [13, 2] execute a malware sample in ware in a controlled environment while observing its behavior can an instrumented sandbox and record its interactions with system provide rich information on a malware’s capabilities. However, and network resources. This information can be distilled into a running each malware sample even for a few minutes is expensive. human-readable report that provides an analyst with a high level For this reason, malware analysis efforts need to select a subset of view of a sample’s behavior, but it can also be fed as input to fur- samples for analysis. To date, this selection has been performed ei- ther automatic analysis tasks. Execution logs and network traces ther randomly or using techniques focused on avoiding re-analysis provided by dynamic analysis have been used to classify malware of polymorphic malware variants [41, 23].
    [Show full text]
  • CS 3700 Networks and Distributed Systems
    CS 3700 Networks and Distributed Systems Lecture 20: Malware/Botnets Slides stolen from Vern Paxson (ICSI) and Stefan Savage (UCSD) Motivation 2 Internet currently used for important services ! Financial transactions, medical records Increasingly used for critical services ! 911, surgical operations, water/electrical system control, remote controlled drones, etc. Networks more open than ever before ! Global, ubiquitous Internet, wireless Malicious Users 3 Miscreants, e.g. LulzSec ! In it for thrills, street cred, or just to learn ! Defacing web pages, spreading viruses, etc. Hacktivists, e.g. Anonymous ! Online political protests ! Stealing and revealing classified information Organized Crime ! Profit driven, online criminals ! Well organized, divisions of labor, highly motivated Network Security Problems 4 Host Compromise ! Attacker gains control of a host ! Can then be used to try and compromise others Denial-of-Service ! Attacker prevents legitimate users from gaining service Attack can be both ! E.g., host compromise that provides resources for denial-of- service Definitions 5 Virus ! Program that attaches itself to another program Worm ! Replicates itself over the network ! Usually relies on remote exploit (e.g. buffer overflow) Rootkit ! Program that infects the operating system (or even lower) ! Used for privilege elevation, and to hide files/processes Trojan horse ! Program that opens “back doors” on an infected host ! Gives the attacker remote access to machines Botnet ! A large group of Trojaned machines, controlled
    [Show full text]
  • [Recognising Botnets in Organisations] Barry Weymes Number
    [Recognising Botnets in Organisations] Barry Weymes Number: 662 A thesis submitted to the faculty of Computer Science, Radboud University in partial fulfillment of the requirements for the degree of Master of Science Eric Verheul, Chair Erik Poll Sander Peters (Fox-IT) Department of Computer Science Radboud University August 2012 Copyright © 2012 Barry Weymes Number: 662 All Rights Reserved ABSTRACT [Recognising Botnets in Organisations] Barry WeymesNumber: 662 Department of Computer Science Master of Science Dealing with the raise in botnets is fast becoming one of the major problems in IT. Their adaptable and dangerous nature makes detecting them difficult, if not impossible. In this thesis, we present how botnets function, how they are utilised and most importantly, how to limit their impact. DNS Dynamic Reputations Systems, among others, are an innovative new way to deal with this threat. By indexing individual DNS requests and responses together we can provide a fuller picture of what computer systems on a network are doing and can easily provide information about botnets within the organisation. The expertise and knowledge presented here comes from the IT security firm Fox-IT in Delft, the Netherlands. The author works full time as a security analyst there, and this rich environment of information in the field of IT security provides a deep insight into the current botnet environment. Keywords: [Botnets, Organisations, DNS, Honeypot, IDS] ACKNOWLEDGMENTS • I would like to thank my parents, whom made my time in the Netherlands possible. They paid my tuition, and giving me the privilege to follow my ambition of getting a Masters degree. • My dear friend Dave, always gets a mention in my thesis for asking the questions other dont ask.
    [Show full text]