uncovering and visualizing botnet infrastructure and
play

UNCOVERING AND VISUALIZING BOTNET INFRASTRUCTURE AND BEHAVIOR - PowerPoint PPT Presentation

May 08, 2023 •357 likes •1.51k views

UNCOVERING AND VISUALIZING BOTNET INFRASTRUCTURE AND BEHAVIOR ANDREA SCARFO (SECURITY RESEARCHER) Security Research Analyst @ Cisco Umbrella (formerly OpenDNS) in San Francisco since 2015 Previously a System Administrator for 12 years JOSH

  4. DGA Archive provides regex lookups to find similar patterns

  5. Hash Samples uploaded by community, honeypots and malware authors

  6. FEEDS

  7. hfjrlydjpponowxnlq.com

  8. isctdtaulbpoprun.pw

  9. lkvxmbtxsbiqp.com

  10. UNCOVERING INFRASTRUCTURE

  11. IOCS

  12. IOCs SEEN THROUGHOUT THE BOT LIFECYCLE DOMAIN NAMES C&C communications DGAs - resolving and NX domains 
 IP ADDRESSES Hosting IPs 
 NAMSERVERS, EMAIL REGISTRANT WHOIS Information 
 HASHES OF MALICIOUS BINARIES Dropped by RATS Contained in Spam Dropped by compromised websites or malvertising

  13. CLEANING THE DATA

  14. Process data and organize

  15. Process data and organize Still A Pain To Look At

  16. Visually map hash to domain

  17. Visually map TTL to domain

  18. Clean data for useful visuals That doesn’t look right

  19. MONGO DB We sent data to mongo for historical lookups

  20. CLEANING DATA ‣ 175 IPs related to botnet C&C servers over a 1 month period

  21. UNCOVERING BEHAVIOR

  22. Looking at a list of IP’s isn’t immediately useful

  23. CLEANING DATA ‣ Relationships between other indicators can develop intelligence on attack and botnet infrastructure

  24. ▸ Which behavior features would be interesting? ▸ lat/lon ▸ how many clients are visiting? ▸ the first seen date of a particular ioc ▸ connected infrastructure : ips, asns, domains, namerserver

  25. CLEANING DATA ‣ Some are not connected and need cleaned out 127.0.0.1 8.8.8.8 255* Get rid of data that doesn’t help

  26. This domain points to a reserved IP

  28. CLEANING DATA ‣ Some IPs are usually compromised webservers used to proxy/hide the C&C communications

  29. Using Necurs as an example NECURS BOTNET

  30. NECURS BOTNET INSIDE STORY ‣ Infection Method ‣ Spam with malicious attachments ‣ Malvertising ‣ Exploit Kits ‣ Malicious links in emails

  31. NECURS BOTNET INSIDE STORY ‣ Prominent Malware ‣ Ransomware ‣ Banking Trojans

  32. NECURS BOTNET INSIDE STORY Noteworthy DDoS ability Uses 2 DGAs in effort to keep communications secret

  33. CO-OCCURRING DGAS AND HOSTING IPS

  34. We’ll show some examples using the OpenSource tool: OpenGraphiti (and networkx/ symanticnet python libs)

  35. View of OpenGraphiti output

  36. Co-occuring dga domains: IP’s and email registrants

  37. Another view

  38. Co-occuring dga domains: IP Location data

  39. ATTACK CAMPAIGNS

  40. Using Globeimposter as an example GLOBEIMPOSTER

  41. HAILSTORM SPAM BOT SENDS GLOBEIMPOSTER ▸ dategs[.]ru/js/tasok11[.]exe - from a hailstorm spam bot - 182.56.129.116 - Passive DNS

  42. Timeline of Domain use

  43. HAILSTORM SPAM BOT SENDS GLOBEIMPOSTER ▸ 420855ef0326743f46da71127620be22089152c 9029ba450d4f4679b8a8a122d - globeimposter

Recommend

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Outline - Tasks - Map projections - Visualizing area data - Visualizing point data -

Outline - Tasks - Map projections - Visualizing area data - Visualizing point data -

Outline - Tasks - Map projections - Visualizing area data - Visualizing point data - Visualizing trajectories - Visualizing time Tasks Locations (0D, Points) Areas (2D) Distribution Comparison Sensity Max/min values

961 views • 48 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through

Abstracting and Visualizing Host Behaviour Abstracting and Visualizing Host Behaviour through Graphs Eduard Glatz Computer Engineering and Networks Laboratory ETH Zurich (Switzerland) eglatz@tik.ee.ethz.ch 20. Dec. 2009 Motivation

466 views • 27 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&C) Dynamic Graph Model Botnet

195 views • 18 slides
Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Introduction Advantages Skype Supernodes Botnet Our Model Features Communication protocol Experiments Limitations Countermeasures Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa - Universit`

483 views • 16 slides
An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
VISUALIZING UNCERTAINTY Fall 2017 Mac Hill VISUALIZING UNCERTAINTY 2 DEVELOPING A VISUAL

VISUALIZING UNCERTAINTY Fall 2017 Mac Hill VISUALIZING UNCERTAINTY 2 DEVELOPING A VISUAL

Thesis Proposal VISUALIZING UNCERTAINTY Fall 2017 Mac Hill VISUALIZING UNCERTAINTY 2 DEVELOPING A VISUAL VOCABULARY FOR UNCERTAINTY How can the design of information visualizations commonly found in news media coverage incorporate

591 views • 20 slides
Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot a software application that runs automated tasks over the Internet Botnet a collection of Internet-connected programs communicating with other

659 views • 39 slides
Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1 Alice has developed a new botnet detector!!! What should the evaluation show? Alice's

767 views • 42 slides
Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Motivation/Overview Taxonomy Detection Response Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu Georgia Institute of Technology College of Computing OARC Workshop, 2005 David Dagon Botnet

675 views • 45 slides
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&C

379 views • 27 slides
Visualizing Data with Graphs and Maps Yifan Hu AT&T Labs Research NIST May 7, 2012

Visualizing Data with Graphs and Maps Yifan Hu AT&T Labs Research NIST May 7, 2012

Visualizing Data with Graphs and Maps Yifan Hu AT&T Labs Research NIST May 7, 2012 Outline The graph visualization problem Algorithms & challenges for visualizing large graphs Visualizing cluster relationships as maps

1.06k views • 76 slides
CSSS 569 Visualizing Data and Models Lab 7: Visualizing Spatial Data Kai Ping (Brian) Leung

CSSS 569 Visualizing Data and Models Lab 7: Visualizing Spatial Data Kai Ping (Brian) Leung

CSSS 569 Visualizing Data and Models Lab 7: Visualizing Spatial Data Kai Ping (Brian) Leung Department of Political Science, UW February 20, 2020 Introduction GRL RUS CAN KAZ MNG USA CHN IRN DZA LBY MEX SAU IND MLI NER TCD SDN

776 views • 59 slides
CSSS 569 Visualizing Data and Models Lab 8: Visualizing Relational Data Kai Ping (Brian) Leung

CSSS 569 Visualizing Data and Models Lab 8: Visualizing Relational Data Kai Ping (Brian) Leung

CSSS 569 Visualizing Data and Models Lab 8: Visualizing Relational Data Kai Ping (Brian) Leung Department of Political Science, UW March 2, 2020 Prerequisite The following packages are required for this lab: packages <- c

757 views • 73 slides
Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Threat analysis of a Cellular Botnet regarding DoS attacks (Bedrohungsanalyse von Mobilfunk-Botnetzen im Hinblick auf DoS-Angriffe)

311 views • 20 slides
Uncovering Interactions Between Moving Objects Gennady Andrienko & Natalia Andrienko

Uncovering Interactions Between Moving Objects Gennady Andrienko & Natalia Andrienko

Uncovering Interactions Between Moving Objects Gennady Andrienko & Natalia Andrienko http://geoanalytics.net Monica Wachowicz & Daniel Orellana Uncovering Interactions between Moving Objects Research Topic Research focus: interactions (

376 views • 26 slides
Indian Rural Panel Uncovering the Farmers Mindset By Exclusive Indian Research partner

Indian Rural Panel Uncovering the Farmers Mindset By Exclusive Indian Research partner

Indian Rural Panel Uncovering the Farmers Mindset By Exclusive Indian Research partner with IRIS Date : 23 rd September, 2017 Indian Rural Panel Uncovering Farmers Mindset_777_520 1 Content Overview of Indian agriculture and

268 views • 24 slides
Working Group 7: Botnet Remediation March 22, 2012 Michael OReirdan (MAAWG) Chair Peter

Working Group 7: Botnet Remediation March 22, 2012 Michael OReirdan (MAAWG) Chair Peter

Working Group 7: Botnet Remediation March 22, 2012 Michael OReirdan (MAAWG) Chair Peter Fonash (DHS) Vice Chair WG 7 Objectives Working Group 7 Botnet Remediation Description: This Working Group will review the efforts

126 views • 9 slides
SinkMiner Mining Botnet Sinkholes for Fun and Profit Babak

SinkMiner Mining Botnet Sinkholes for Fun and Profit Babak

SinkMiner Mining Botnet Sinkholes for Fun and Profit Babak Rahbarinia 1 , Roberto Perdisci 1,2 , Manos Antonakakis 3 , David Dagon 2 1 University of Georgia 2 Georgia

179 views • 15 slides
Di Discovery of the he Bur ursty Di Discovery of the he Bur ursty Botnet b Bo by u unusu

Di Discovery of the he Bur ursty Di Discovery of the he Bur ursty Botnet b Bo by u unusu

Di Discovery of the he Bur ursty Di Discovery of the he Bur ursty Botnet b Bo by u unusu sual t tweeting Botnet b Bo by u unusu sual t tweeting be beha havio iour urs beha be havio iour urs Juan Echeverria, Christoph

591 views • 22 slides

More recommend