tumbling down the rabbit hole
play

Tumbling Down the Rabbit Hole: Exploring the Idiosyncrasies of - PowerPoint PPT Presentation

Mar 10, 2023 •475 likes •702 views

Tumbling Down the Rabbit Hole: Exploring the Idiosyncrasies of Botmaster Systems in a Multi-Tier Botnet Infrastructure Chris Nunnery Greg Sinclair Brent ByungHoon Kang [ University of North Carolina at Charlotte ] Wednesday, April 28, 2010

  1. Tumbling Down the Rabbit Hole: Exploring the Idiosyncrasies of Botmaster Systems in a Multi-Tier Botnet Infrastructure Chris Nunnery Greg Sinclair Brent ByungHoon Kang [ University of North Carolina at Charlotte ] Wednesday, April 28, 2010

  2. Our Work Forensic investigation of botmaster components Interpreting functionality and management using network traces and file-system artifacts Obtained through ISP cooperation Wednesday, April 28, 2010

  3. Purpose Refine notions of how advanced botnets are deployed and managed Reveal mechanisms and techniques to perform malicious activities Expose the systems in the highest tiers, providing a complete view of Waledac’s infrastructure Wednesday, April 28, 2010

  4. Overview Context Topology Components and Deployment Activities, Operations, and Management Wednesday, April 28, 2010

  5. Context Waledac: a successor to Storm Emerged mid-2008 Multi-tier architecture, single-tier peering Leveraged for spamming , data harvesting , and phishing Wednesday, April 28, 2010

  6. Waledac’s Components Botmaster-deployed systems ( 1:6 * ratio ): UTS (single system) TSLs Infected-host tiers ( 1:7 * ratio ) Repeater Layer Spammer Layer *on average Wednesday, April 28, 2010

  7. Topology 4 layers, 2 sections Wednesday, April 28, 2010

  8. Infected-Host Tiers layers 3 and 4 Roles Local data harvesting, spamming HTTP proxying, fast-flux DNS Communication HTTP-based, similar to Storm Limited P2P functionality Certificates + AES Wednesday, April 28, 2010

  9. TSLs layer 2 Purpose Hide UTS from Repeaters Initiate targeted spam campaigns Configuration CentOS ntp, BIND, PHP, nginx, proxychains src (package archives) and pack (specific configs) php_mailer Wednesday, April 28, 2010

  10. UTS layer 1 Purpose Autonomous C&C Credentials repository Hosts binaries and bootstrap lists Monitors population, vitality statistics Affiliates interface ( FairMoney ) Interacts with underground 3rd parties ( spamit.com, j-roger.com ) Configuration CentOS Flat-files, no central DB CLI Wednesday, April 28, 2010

  11. Audit Methodology @UTS layer ERP- Executable Request Proxy Is a repeater hosting a particular file? request reply HTTP/1.1 200 OK GET /readme.exe HTTP/1.0 Server: nginx/0.8.5 Host: 99.56.197.58 Date: Fri, 28 Aug 2009 09:26:11 GMT Content-Type: application/octet-stream Connection: close Content-Length: 2 Last-Modified: Sun, 26 Jul 2009 10:49:55 GMT Accept-Ranges: bytes MZ DR - Domain Response Can a repeater resolve hellohello123.com ? A fast-flux domain without a .com TLD entry Wednesday, April 28, 2010

  12. Third-Party Repacking @UTS layer crypt.j-roger.com and cservice.j-roger.com UTS sends a POST to: /api/apicrypt2/[16 hexadecimal digit hash] ...followed by a binary to repack Repacked binaries returned in ~ 4 seconds 157 binaries repacked during a 2-hour observation Wednesday, April 28, 2010

  13. Monitoring @UTS Wednesday, April 28, 2010

  14. nginx Config @TSL layer /mr.txt - list of repeater nodes; used for targeted spam proxying /pr/ - partnerka; interface to obtain binaries; access affiliates program /lm/ - access to the UTS control scripts Wednesday, April 28, 2010

  15. Affiliates partnerka The FairMoney system Developers create multiple versions of binaries with different affiliate IDs Distribution (URLs) handled by 3rd parties Pricing based on downloads and lifetime Wednesday, April 28, 2010

  16. Activities malicious throughput Differentiated spamming High and Low quality ( HQS / LQS ) Authenticated and targeted v. bulk Data harvesting Network traffic ( winpcap ) HDD Scanning ( email regex ) Wednesday, April 28, 2010

  17. Differentiated Spamming HQS ( High Quality Spam) Utilizes credentials to send authenticated mail(SMTP-AUTH) ‘test’ campaign LQS ( Low Quality Spam) Autonomous, bulk, sent by spammer tier Transmission success statistics are reported Wednesday, April 28, 2010

  18. LQS low quality spam Wednesday, April 28, 2010

  19. HQS high quality spam Wednesday, April 28, 2010

  20. Challenging Notions Differentiated Spamming 3rd-Party Repacking Node Auditing Wednesday, April 28, 2010

  21. Questions Wednesday, April 28, 2010

Recommend

DOWN THE RABBIT HOLE RULES, REGULATIONS, AND RESPONSE OF THE IIAC A Speech by Ian C.W. Russell

DOWN THE RABBIT HOLE RULES, REGULATIONS, AND RESPONSE OF THE IIAC A Speech by Ian C.W. Russell

DOWN THE RABBIT HOLE RULES, REGULATIONS, AND RESPONSE OF THE IIAC A Speech by Ian C.W. Russell President and Chief Executive Officer Investment Industry Association of Canada To NBCN October 19, 2007 DOWN THE RABBIT HOLE RULES, REGULATIONS,

408 views • 16 slides
Down the Rabbit Hole C2C DATA & THE LA JEWISH HOME Molly Forrest, CEO President LA

Down the Rabbit Hole C2C DATA & THE LA JEWISH HOME Molly Forrest, CEO President LA

Down the Rabbit Hole C2C DATA & THE LA JEWISH HOME Molly Forrest, CEO President LA Jewish Home April 4, 2017 Medicare, Social Security & Medicaid Changes +65 Aging Today Martin Short & Tomorrow + 75 Tina

278 views • 23 slides
Regression Testing: Down the Rabbit Hole Neil Studd, Towers Watson About Me 10 years of

Regression Testing: Down the Rabbit Hole Neil Studd, Towers Watson About Me 10 years of

Regression Testing: Down the Rabbit Hole Neil Studd, Towers Watson About Me 10 years of testing Cambridge-based Work for companies with red logos Only the names have changed Chasing the Holy Grail We ll hear lots today

343 views • 16 slides
Shine e Som ome L e Light D Down that Rabbit H Hole: : Cover erage e and Ex Exclusions

Shine e Som ome L e Light D Down that Rabbit H Hole: : Cover erage e and Ex Exclusions

Shine e Som ome L e Light D Down that Rabbit H Hole: : Cover erage e and Ex Exclusions in the PSA Growe wer Tra raining Produce Safety Educators Call #31 May 21, 2018 Don Stoeckel, PSA The PSA Team FDA Produce Safety Network

650 views • 43 slides
Oral Microbiome A secret garden with a rabbit hole Dr Frederik Martin Timmermans BDS MSC PICTON

Oral Microbiome A secret garden with a rabbit hole Dr Frederik Martin Timmermans BDS MSC PICTON

Oral Microbiome A secret garden with a rabbit hole Dr Frederik Martin Timmermans BDS MSC PICTON DENTAL SPA 1982 graduation Uni Utrecht NL BDS MSC Specific training in periodontal surgery 1983 first in Rotterdam to do amalgam replacement 1984

1.43k views • 105 slides
Open, extensible dynamic programming systems or just how deep is the dynamic rabbit hole?

Open, extensible dynamic programming systems or just how deep is the dynamic rabbit hole?

DLS, Portland, 2006 10 23 Open, extensible dynamic programming systems or just how deep is the dynamic rabbit hole? Ian Piumarta Viewpoints Research Institute ian@squeakland.org dynamic dynamic? data? extending objects

719 views • 42 slides
9/22/20 Falling Down the Rabbit Hole: A Primer for Chronic Pain Management & Comorbid

9/22/20 Falling Down the Rabbit Hole: A Primer for Chronic Pain Management & Comorbid

9/22/20 Falling Down the Rabbit Hole: A Primer for Chronic Pain Management & Comorbid Substance Use Disorders David Cosio, PhD, ABPP 1 Biography David Cosio, PhD, is the psychologist in the Pain Clinic and the CARF- accredited,

190 views • 17 slides
Node.js MVC Construction Rabbit.js MVC @ Rabbit.js a fast

Node.js MVC Construction Rabbit.js MVC @ Rabbit.js a fast

Node.js MVC Construction Rabbit.js MVC @ Rabbit.js a fast and light mvc framework for Nodejs https://github.com/xinyu198736/Rabbit.js sudo npm install rabbitjs -g FAST LIGHT why use it light

484 views • 19 slides
Dilute bacterial suspensions 18.S995 - L06 & 07 dunkel@mit.edu E.coli (non-tumbling HCB 437)

Dilute bacterial suspensions 18.S995 - L06 & 07 dunkel@mit.edu E.coli (non-tumbling HCB 437)

Dilute bacterial suspensions 18.S995 - L06 & 07 dunkel@mit.edu E.coli (non-tumbling HCB 437) Drescher, Dunkel, Ganguly, Cisneros, Goldstein (2011) PNAS dunkel@math.mit.edu E.coli (non-tumbling HCB 437) eed V 0 = 22 5 m/s. A A = F

636 views • 24 slides
Strategy of lifting up Strategy of lifting up small or medium scale rabbit farming into small or

Strategy of lifting up Strategy of lifting up small or medium scale rabbit farming into small or

First Jilin Rabbit Fair and Conference on Asian Rabbit Production Development, Changchun (China), 8-10 September 2009. Strategy of lifting up Strategy of lifting up small or medium scale rabbit farming into small or medium scale rabbit farming

333 views • 29 slides
EGRAN : an european group for rabbit nutrition. Presentation and activity Article in World Rabbit

EGRAN : an european group for rabbit nutrition. Presentation and activity Article in World Rabbit

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/50841529 EGRAN : an european group for rabbit nutrition. Presentation and activity Article in World Rabbit Science July 2010 DOI:

425 views • 7 slides
T V-R E P O R T u-turn - INFINITY TUMBLING August 07 th , 2010 Walensee (SUI) Distribution

T V-R E P O R T u-turn - INFINITY TUMBLING August 07 th , 2010 Walensee (SUI) Distribution

T V-R E P O R T u-turn - INFINITY TUMBLING August 07 th , 2010 Walensee (SUI) Distribution Areas: INTERNATIONAL FINAL up-date: 26.11.2010 Min Sec World-Wide News Networks 2 42 Single Country Broadcaster 1935 7 Rest of the World

668 views • 29 slides
Motion Planning for the On-orbit Grasping of a Tumbling Target with Large Momentum Roberto

Motion Planning for the On-orbit Grasping of a Tumbling Target with Large Momentum Roberto

Motion Planning for the On-orbit Grasping of a Tumbling Target with Large Momentum Roberto Lampariello Institute of Robotics and Mechatronics German Aerospace Center (DLR) Contents Some Past and Current Space Programs Free-flying

254 views • 24 slides
White Rabbit - Architecture proposal Tomasz Wostowski CERN AB-Co-HT 10/24/08 Tomasz

White Rabbit - Architecture proposal Tomasz Wostowski CERN AB-Co-HT 10/24/08 Tomasz

White Rabbit - Architecture proposal Tomasz Wostowski CERN AB-Co-HT 10/24/08 Tomasz Wostowski 1 Outline Outline: White Rabbit network architecture Core component WR backbone switch White Rabbit Protocol 10/24/08 Tomasz

332 views • 32 slides
1 A rabbit can cover a distance of 80 m in 5 s. What is the speed of the rabbit? Slide 2 / 196

1 A rabbit can cover a distance of 80 m in 5 s. What is the speed of the rabbit? Slide 2 / 196

Slide 1 / 196 1 A rabbit can cover a distance of 80 m in 5 s. What is the speed of the rabbit? Slide 2 / 196 2 During the first 50 s a truck traveled at constant speed of 25 m/s. Find the distance that it traveled. Slide 3 / 196 3 An

2.11k views • 196 slides
Slide 1 / 196 1 A rabbit can cover a distance of 80 m in 5 s. What is the speed of the rabbit?

Slide 1 / 196 1 A rabbit can cover a distance of 80 m in 5 s. What is the speed of the rabbit?

Slide 1 / 196 1 A rabbit can cover a distance of 80 m in 5 s. What is the speed of the rabbit? Slide 2 / 196 2 During the first 50 s a truck traveled at constant speed of 25 m/s. Find the distance that it traveled. Slide 3 / 196 3 An

1.1k views • 66 slides
Planting Containerized Trees Dig a hole Dig a hole 3 to 4 times wider than the container and

Planting Containerized Trees Dig a hole Dig a hole 3 to 4 times wider than the container and

Planting Containerized Trees Dig a hole Dig a hole 3 to 4 times wider than the container and only as deep as the existing root ball. The hole should have sloping sides like a saucer to allow for proper root growth. In heavy clay or

323 views • 17 slides
6th AMERICAN RABBIT CONGRESS PRESENTATION ABOUT THE VI ARC AND ZOOTECNIA BRASIL In the year

6th AMERICAN RABBIT CONGRESS PRESENTATION ABOUT THE VI ARC AND ZOOTECNIA BRASIL In the year

6th AMERICAN RABBIT CONGRESS PRESENTATION ABOUT THE VI ARC AND ZOOTECNIA BRASIL In the year of 2018, the VI American Rabbit Congress (VI ARC) will be held within the ZOOTECNIA BRASILprogram. It will take place in the city of Goiania, on

284 views • 3 slides
The science of rabbit control and a local story The Granite Creeks Project Inc. So these

The science of rabbit control and a local story The Granite Creeks Project Inc. So these

The science of rabbit control and a local story The Granite Creeks Project Inc. So these rabbits ARE pests w hat is the evidence who cares? Rabbits are pests Rabbit populations must be controlled Eradication is an agreed

478 views • 31 slides
SLIDE SECTION DESTINATION BARS STILL UNMATCHED by our CLOSEST COMPETITORS and NEVER ANY

SLIDE SECTION DESTINATION BARS STILL UNMATCHED by our CLOSEST COMPETITORS and NEVER ANY

SLIDE SECTION DESTINATION BARS STILL UNMATCHED by our CLOSEST COMPETITORS and NEVER ANY SURCHARGES!! The Rabbit Hole at Sandals Ochi Caribbeans first Speakeasy 5 types of Moonshine, Hendricks Gin, Knob Creek Bourbon Unique glassware

89 views • 7 slides
WHY IS THIS IMPORTANT TO YOU AND YOUR RABBIT? Urinary problems are common in our pet rabbits.

WHY IS THIS IMPORTANT TO YOU AND YOUR RABBIT? Urinary problems are common in our pet rabbits.

URINARY SLUDGE IMAGE FROM MEDIRABBIT Cause, clinical signs, treatment and prevention Dr. Nickey Brown Campus Estates Animal Hospital WHY IS THIS IMPORTANT TO YOU AND YOUR RABBIT? Urinary problems are common in our pet rabbits.

624 views • 14 slides
Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone

Black hole X-ray binaries V: Formation and evolution of black hole binaries Thomas J. Maccarone Jan 14, 2017, 2nd Fudan Winter School on Black Hole Astrophysics Overview Phenomena associated with binary evolution Formation of close binaries

651 views • 30 slides
PIGEON HOLE PRINCIPLE Pigeon Hole Principle If f : [ m ] [ n ] then there exists i [ n ]

PIGEON HOLE PRINCIPLE Pigeon Hole Principle If f : [ m ] [ n ] then there exists i [ n ]

PIGEON HOLE PRINCIPLE Pigeon Hole Principle If f : [ m ] [ n ] then there exists i [ n ] such that | f 1 ( i ) | m / n . Informally: If m pigeons are to be placed in n pigeon-holes, at least one hole will end up with at leat

297 views • 13 slides
The Original Peter Rabbit Presentation Box 1 23 R I The Original Peter Rabbit Presentation Box 1

The Original Peter Rabbit Presentation Box 1 23 R I The Original Peter Rabbit Presentation Box 1

The Original Peter Rabbit Presentation Box 1 23 R I.pdf The Original Peter Rabbit Presentation Box 1 23 R I The Original Peter Rabbit Presentation Box 1 23 R I The Original Peter Rabbit Presentation Box 1 23 R I has been readily available for

409 views • 17 slides

More recommend