stegobot a covert social network botnet
play

Stegobot: a covert social-network botnet Shishir Nagaraja Network - PowerPoint PPT Presentation

Nov 02, 2023 •582 likes •747 views

Stegobot: a covert social-network botnet Shishir Nagaraja Network and Distributed Systems Security Group IIIT Delhi, India http://www.hatswitch.org/~sn275 IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC) Botnets

  1. Stegobot: a covert social-network botnet Shishir Nagaraja Network and Distributed Systems Security Group IIIT Delhi, India http://www.hatswitch.org/~sn275 IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  2. Botnets ● Primary vehicle in online crime, DDOS attacks and information theft ● Social malware attacks is an emerging trend: Dalai Lama got attacked in 2008, Google in 2009 and 800 or so others were targets in 2010 ● Botnets and anonymous communication networks have similar network properties: availability, resilience and undetectable C&C traffic. ● Standard threat model – global passive adversary IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  3. Designing a covert botnet ● Can we design a botnet using stego channels? ● New traffic links lower traffic analysis resistance ● New traffic patterns lower traffic analysis resistance ● Core idea: infect machines using social malware + use social image exchange behavior on OSN to create unobservable communication channels between infected machines Flickr 2011 IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  4. Botnet topologies -- C&C traffic -- Attack traffic IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  5. Designing a covert botnet ● Can we design a botnet using stego channels? ● New traffic links lower traffic analysis resistance ● Core idea: infect machines using social malware + use social image exchange behavior on OSN to create unobservable communication channels between infected machines Flickr 2011 IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  6. Attack vector (targeted malware) ● Hijack social trust -- steal an email with an attachment -- embed malware in the attachment -- send/resend the email to the target ● Initial break -- Social phish constructed with public information -- Once the attacker gains a foothold, neighbors within the social network of the victim are compromised IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  7. Sample subverted email designed to achieve a foothold IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  8. Stegobot architecture Communication channels -- YASS Routing mechanism – restricted flooding IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  9. Channel design ● Malware intercepts facebook image upload and embeds credit card information into it. FB sends notification to all neighbours. ● Image processing engine interference ● Facebook predictively caches images when neighbour visits victim page ● Channel efficiency is evaluated using the BER metric: #error bits / #total bits ● No interference: Stegobot doesn't upload or download the pictures IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  10. YASS parameters Q – compression; q -- redundancy IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  11. Stegobot architecture Communication channels -- YASS Routing mechanism – restricted flooding IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  12. Routing mechanism ● Dataset: Flickr social network; monthly image posting behavior of ~15000 nodes over 40 months ● Assumed 50% infection, sub-graph of 7200 extracted. ● Now we had to find out of you can build a routing network over this. ● Really simple and robust but non-optimal routing algorithm: restricted flooding with ttl = log N ● message queue: local message , fwd_message ● Routing efficiency averaged over randomly chosen botmaster nodes; each bot collects k image payload units of stolen information per month IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  13. Routing results At the bots (efficiency of clearing the local queue) IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  14. Routing b/w, efficiency, duplication Bandwidth -- #unique messages reaching the botmaster IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  15. Network bandwidth IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

  16. Conclusions ● Building distributed systems over steganographic communication channels is fun! ● We have evaluated our proposed wicked system using real-world social behavior data. ● Even with a routing algorithm the botmaster can siphon off 82Mb per month (q=2) at the rate of 10kb per 700x700pixel image or 21.6Mb per month (q=8). ● Duplication rate of 50-80% indicates that with better routing algorithms much botnet bandwidth could at least be doubled or at best quadrupled. IH 2011 nagaraja@iiitd.ac.in Shishir, Vijit (IIIT) Amir, Nikita (UIUC)

Recommend

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
StealthWare Social Engineering Malware Running malware for Social Engineering and Covert

StealthWare Social Engineering Malware Running malware for Social Engineering and Covert

StealthWare Social Engineering Malware Running malware for Social Engineering and Covert Operations By: Joey Dreijer StealthWare Social Engineering Malware Social Engineering and Covert Operations Introduction Research Security

403 views • 21 slides
PSUDP: A PASSIVE APPROACH TO NETWORK-WIDE COVERT COMMUNICATION KENTON BORN

PSUDP: A PASSIVE APPROACH TO NETWORK-WIDE COVERT COMMUNICATION KENTON BORN

PSUDP: A PASSIVE APPROACH TO NETWORK-WIDE COVERT COMMUNICATION KENTON BORN KENTON.BORN@GMAIL.COM Black Hat USA 2010 GREATEST CAPTCHA EVER Las Vegas, casino floor Wi-Fi (4/6/10) ROADMAP DNS Refresher Covert Channels DNS Tunnels My

435 views • 42 slides
Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot a software application that runs automated tasks over the Internet Botnet a collection of Internet-connected programs communicating with other

659 views • 39 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Motivation/Overview Taxonomy Detection Response Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu Georgia Institute of Technology College of Computing OARC Workshop, 2005 David Dagon Botnet

675 views • 45 slides
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&C

379 views • 27 slides
Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods Basil AsSadhan Department of Electrical Engineering & Center of Excellence in Information Assurance King Saud University April 13-14, 2014

609 views • 39 slides
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu 1,2 , Roberto Perdisci 3 , Junjie Zhang 1 , and Wenke Lee 1 1 Georgia Tech 3 Damballa, Inc. 2 Texas A&M University 2008-7-31

549 views • 22 slides
NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using

NetFlow Analysis: Detecting covert channels on the network Detecting malicious traffic by using NetFlow data By: Joey Dreijer, Student OS3 5-07-14 1 NetFlow Analysis: Detecting covert channels on the network Gathering NetFlow data

346 views • 16 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq

1 Domain Flux-based DGA Botnet Detection Using Feedforward Neural Network Md. Ishtiaq Ashiq Khan, Protick Bhowmick, Md. Shohrab Hossain, and Husnu S. Narman 2 Outlines Motivation Problem Contribution Results Conclusions 3

733 views • 34 slides
May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem

May 26: Covert Channels Covert channels Composition of policies Problem Deterministic Noninterference Nondeducibility Generalized Noninterference Restrictiveness May 26, 2017 ECS 235B Spring Quarter 2017 Slide #1

370 views • 33 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Bankrupt Covert Channel: Turning Network Predictability into Vulnerability Dmitrii Ustiugov ,

Bankrupt Covert Channel: Turning Network Predictability into Vulnerability Dmitrii Ustiugov ,

Bankrupt Covert Channel: Turning Network Predictability into Vulnerability Dmitrii Ustiugov , Plamen Petrov, Siavash Katebzadeh, Boris Grot University of Edinburgh This work is supported by ARM Center of Excellence at University of Edinburgh

564 views • 30 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo

Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo

Assessing the Feasibility of Machine Learning to Detect Network Covert Channels Name: Diogo Barradas PhD Stage: Planner Advisors: Prof. Lus Rodrigues & Prof. Nuno Santos Research Area: Privacy-Enhancing Technologies Diogo Barradas - EuroSys

395 views • 15 slides
Mitigating Covert Compromises: A Game-Theoretic Model of Targeted and Non-Targeted Covert Attacks

Mitigating Covert Compromises: A Game-Theoretic Model of Targeted and Non-Targeted Covert Attacks

Mitigating Covert Compromises: A Game-Theoretic Model of Targeted and Non-Targeted Covert Attacks Aron Laszka 1 , 2 Benjamin Johnson 3 Jens Grossklags 1 1 Pennsylvania State University 2 Budapest University of Technology and Economics 3 University

867 views • 43 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman

Abusing the Windows WiFi native API to create a covert channel Andrs Blanco Ezequiel Gutesman 1 Outline Covert Channels Attack Vectors and Scenarios IEEE 802.11 Fundamentals Covert Channel Design Implementation

766 views • 38 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
Cleaning up after the Nr 3 SPAM botnet and the worst prefix By Erik Bais RIPE75 October,

Cleaning up after the Nr 3 SPAM botnet and the worst prefix By Erik Bais RIPE75 October,

Cleaning up after the Nr 3 SPAM botnet and the worst prefix By Erik Bais RIPE75 October, 2017 1 A bit of background Taking down of the largest GRUM bot network A nice read about this whole story :

314 views • 27 slides

More recommend