Towards Automated Botnet Detection and Mitigation

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Towards Automated Botnet Detection and Mitigation"

Transcription

1 Towards Automated Botnet Detection and Mitigation Stopping the Root Cause of Spam Pi1 - Laboratory for Dependable Distributed Systems

2 Outline Motivation Tools & techniques for botnet detection nepenthes CWSandbox Results

3 Motivation Hundreds of new bots each month Botnets are often used to send spam Botherds rent the botnet to spammer Spammer use a SOCKS proxy on compromised machines to send out spam In order to fight against spam, we need to stop the root cause Detect and mitigate botnets

4 Botnets Typical communication flow using central (IRC) server for Command & Control (C&C) Attacker Bot C&C Server $advscan dcom b Bot IRC hax0r.example.com 3267/TCP Bot.redirect.socks start a SOCKS4 proxy on port 1234

5 Collecting Bots Using Honeypots to Capture Malware

6 nepenthes Tool to automatically collect malware like bots and other autonomous spreading malware Emulate known vulnerabilities and download malware trying to exploit these vulnerabilities Available at

7 Architecture Modular architecture Vulnerability modules Shellcode handler Download modules Submission modules Trigger events Shell-emulation and virtual filesystem

8 Schematic overview

9 Vulnerability modules Emulate vulnerable services Play with exploits until they send us their payload (finite state machine) Currently more than 20 available vulnerability modules More in development Analysis of known vulnerabilities & exploits necessary Automation possible?

10 Vulnerability modules vuln-dcom (MS03-039) vuln-lsass (MS04-011) vuln-asn1 (MS04-007) vuln-wins (MS04-045) vuln-{mssql,msdtc,msmq} vuln-{optix,kuang2,bagle,mydoom} vuln-veritas...

11 Shellcode modules Automatically extract URL used by malware to transfer itself to compromised machine sch_generic_xor Generic XOR decoder sch_generic_createprocess sch_generic_url sch_generic_cmd

12 Download modules download-{http,tftp} Handles HTTP / TFTP URIs download-ftp FTP client from Windows is not RFC compliant... download-{csend,creceive} download-link link:// /hj4g==

13 Submission modules submit-file Write file to hard disk submit-{mysql,postgres,mssql} Store file in database submit-norman Submit file to submit-gotek Send file via G.O.T.E.K.

14 nepenthes-demo Thorsten Holz Laboratory for Dependable Distributed Systems

15 Distributed setup

16 mwcollect Alliance

17 mwcollect Alliance Central database hosted at RWTH Aachen university Everyone who submits binary gets access to the whole database Started in January parties from all around the world 23,000+ unique malware binaries Individual or company login possible

18 Statistics: nepenthes Four months nepenthes on /18 network: 50,000,000+ files downloaded 14,000+ unique binaries based on md5sum ~1,000 different botnets Anti-virus engines detect between 70% and 90% of the binaries Korgobot/Padobot dominates

19 CWSandbox Automatically analyzing a collected binary

20 Overview Automatic behaviour analysis Execute the binary and observe what it is doing Similar to Norman Sandbox Part of diploma thesis by Carsten Willems Currently stable beta version available Results look promising

21 Basics Schematic Overview of Windows API Windows API

22 KRNL.EXE, which is the core of the Windows Operating system. See s r more details about what is going on in NTOSKRNL.EXE. Example

23 LL kernel32. For better understanding the instructions are logically split into s. Of course this is only done in the figure and has no Example semantics in the rea rst block marks the instructions, that will be overwritten by the JMP to our h ion. The second block includes the instructions, that will be untouched by the. e lower port of the figure you can see what happens, when the hook is installe API hooking by Inline Code Overwriting

24 Inner working API hooking, Code Overwriting and DLL injection Hooking of Native API calls from ntdll.dll Tracing of functions for file access, process access, Winsock communication, registry,... Execution for three minutes, then processing of results analysis log in XML format

25 Schematic overview CWSandbox & CWMonitor.dll

26 Conclusion Honeypots can help us to learn more about existing botnets Information can also be used to observe a botnet ( Know Your Enemy: Tracking Botnets ) Also useful for botnet mitigation Needs more research, e.g., 0day support More sensors in different networks would help to collect more information Contact:

27 Michael Becher Thorsten Holz More information: Honeypot compromises & MS Pi1 - Laboratory for Dependable Distributed Systems

Adaptability of IRC Botnet Detection Method to P2P Botnet Detection

Adaptability of IRC Botnet Detection Method to P2P Botnet Detection Adaptability of IRC Botnet Detection Method to P2P Botnet Detection Ji, Yuan Department of Electrical Engineering and Computer Science University of California, Irvine yji1@uci.edu John, Robin Department

More information

Honeypots UNIVERSITÄT MANNHEIM. A quick overview. Pi1 - Laboratory for Dependable Distributed Systems

Honeypots UNIVERSITÄT MANNHEIM. A quick overview. Pi1 - Laboratory for Dependable Distributed Systems Honeypots A quick overview Pi1 - Laboratory for Dependable Distributed Systems Outline Motivation High-interaction vs. low-interaction honeypots Gen III honeynets honeyd nepenthes Examples Intro We see

More information

detection AT R W T H A A C H E N U N I V E R S I T Y, W I T H J A N G Ö B E L, J E N S H E K T O R, A N D T H O R S T E N H O L Z

detection AT R W T H A A C H E N U N I V E R S I T Y, W I T H J A N G Ö B E L, J E N S H E K T O R, A N D T H O R S T E N H O L Z J A N G Ö B E L, J E N S H E K T O R, A N D T H O R S T E N H O L Z advanced honeypot-based intrusion detection Jan Göbel has an M.Sc.in computer science from RWTH Aachen University and wrote his diploma

More information

Medium Interaction Honeypots

Medium Interaction Honeypots Medium Interaction Honeypots Georg Wicherski April 7, 2006 Abstract Autonomously spreading malware has been a global threat to the Internet Community ever since the existence of the Internet as a large-scale

More information

DISTRIBUTED LOW-INTERACTION HONEYPOT SYSTEM TO DETECT BOTNETS

DISTRIBUTED LOW-INTERACTION HONEYPOT SYSTEM TO DETECT BOTNETS DISTRIBUTED LOW-INTERACTION HONEYPOT SYSTEM TO DETECT BOTNETS GONG JIAN 2 jgong@njnet.edu.cn Jiangsu Key Laboratory of Computer Networking Technology, China, Nanjing, Southeast University AHMAD JAKALAN

More information

USE HONEYPOTS TO KNOW YOUR ENEMIES

USE HONEYPOTS TO KNOW YOUR ENEMIES USE HONEYPOTS TO KNOW YOUR ENEMIES SHERIF MOUSA (EG-CERT) 9 MAY 2012 WHAT ARE WE GOING TO TALK ABOUT? What exactly happens on the end of your Internet connection. Open Source tools to set up your own Honeypot

More information

Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks

Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks Felix C. Freiling, Thorsten Holz, and Georg Wicherski Laboratory for Dependable Distributed Systems,

More information

Honeypots and Honeynets Technologies

Honeypots and Honeynets Technologies New Mexico State University Honeypots and Honeynets Technologies Hussein Al-Azzawi Final Paper CS 579 Special Topics / Computer Security Nov. 27, 2011 Supervised by Mr. Ivan Strnad Table of contents: 1.

More information

Networks and Security Lab. Network Forensics

Networks and Security Lab. Network Forensics Networks and Security Lab Network Forensics Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite

More information

The Nepenthes Platform: An Efficient Approach to Collect Malware

The Nepenthes Platform: An Efficient Approach to Collect Malware The Nepenthes Platform: An Efficient Approach to Collect Malware Paul Baecher 1, Markus Koetter 1,ThorstenHolz 2, Maximillian Dornseif 2, and Felix Freiling 2 1 Nepenthes Development Team nepenthesdev@gmail.com

More information

The Honeynet Project: Data Collection Tools, Infrastructure, Archives and Analysis

The Honeynet Project: Data Collection Tools, Infrastructure, Archives and Analysis The Honeynet Project: Data Collection Tools, Infrastructure, Archives and Analysis David Watson The UK Honeynet Project Chapter david@honeynet.org.uk Jamie Riden The UK Honeynet Project Chapter jamie@honeynet.org.uk

More information

spying with bots spying with bots

spying with bots spying with bots spying with bots T HORSTEN HOLZ spying with bots Thorsten Holz is a research student at the Laboratory for Dependable Distributed Systems at RWTH Aachen University. He is one of the founders of the German

More information

The HoneyNet Project Scan Of The Month Scan 27

The HoneyNet Project Scan Of The Month Scan 27 The HoneyNet Project Scan Of The Month Scan 27 23 rd April 2003 Shomiron Das Gupta shomiron@lycos.co.uk 1.0 Scope This month's challenge is a Windows challenge suitable for both beginning and intermediate

More information

SECURING APACHE : DOS & DDOS ATTACKS - II

SECURING APACHE : DOS & DDOS ATTACKS - II SECURING APACHE : DOS & DDOS ATTACKS - II How DDoS attacks are performed A DDoS attack has to be carefully prepared by the attackers. They first recruit the zombie army, by looking for vulnerable machines,

More information

LASTLINE WHITEPAPER. The Holy Grail: Automatically Identifying Command and Control Connections from Bot Traffic

LASTLINE WHITEPAPER. The Holy Grail: Automatically Identifying Command and Control Connections from Bot Traffic LASTLINE WHITEPAPER The Holy Grail: Automatically Identifying Command and Control Connections from Bot Traffic Abstract A distinguishing characteristic of bots is their ability to establish a command and

More information

Deep Discovery. Technical details

Deep Discovery. Technical details Deep Discovery Technical details Deep Discovery Technologies DETECT Entry point Lateral Movement Exfiltration 360 Approach Network Monitoring Content Inspection Document Emulation Payload Download Behavior

More information

Characterizing the IRC-based Botnet Phenomenon

Characterizing the IRC-based Botnet Phenomenon Reihe Informatik. TR-2007-010 Characterizing the IRC-based Botnet Phenomenon Jianwei Zhuge 1, Thorsten Holz 2, Xinhui Han 1, Jinpeng Guo 1, and Wei Zou 1 1 Peking University 2 University of Mannheim Institute

More information

Multifaceted Approach to Understanding the Botnet Phenomenon

Multifaceted Approach to Understanding the Botnet Phenomenon Multifaceted Approach to Understanding the Botnet Phenomenon Christos P. Margiolas University of Crete A brief presentation for the paper: Multifaceted Approach to Understanding the Botnet Phenomenon Basic

More information

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques

More information

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform

More information

Cloud Services Prevent Zero-day and Targeted Attacks Tom De Belie Security Engineer. [Restricted] ONLY for designated groups and individuals

Cloud Services Prevent Zero-day and Targeted Attacks Tom De Belie Security Engineer. [Restricted] ONLY for designated groups and individuals Cloud Services Prevent Zero-day and Targeted Attacks Tom De Belie Security Engineer Facts 2 3 WOULD YOU OPEN THIS ATTACHMENT? 4 TARGETED ATTACKS BEGIN WITH ZERO-DAY EXPLOITS 5 Check Point Multi-Layered

More information

Anti-Malware Technologies

Anti-Malware Technologies : Trend of Network Security Technologies Anti-Malware Technologies Mitsutaka Itoh, Takeo Hariu, Naoto Tanimoto, Makoto Iwamura, Takeshi Yagi, Yuhei Kawakoya, Kazufumi Aoki, Mitsuaki Akiyama, and Shinta

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks Security+ Guide to Network Security Fundamentals, Third Edition Chapter 2 Systems Threats and Risks Objectives Describe the different types of software-based attacks List types of hardware attacks Define

More information

SGNET: a distributed infrastructure to handle zero-day exploits 3/02/2007

SGNET: a distributed infrastructure to handle zero-day exploits 3/02/2007 Institut Eurécom Department of Corporate Communications 2229, route des Crètes B.P. 93 694 Sophia-Antipolis FRANCE Research Report RR-7-87 SGNET: a distributed infrastructure to handle zero-day exploits

More information

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich eugene@securityarchitects.com

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich eugene@securityarchitects.com Attacking Host Intrusion Prevention Systems Eugene Tsyrklevich eugene@securityarchitects.com Agenda Introduction to HIPS Buffer Overflow Protection Operating System Protection Conclusions Demonstration

More information

About Botnet, and the influence that Botnet gives to broadband ISP

About Botnet, and the influence that Botnet gives to broadband ISP About net, and the influence that net gives to broadband ISP Masaru AKAI BB Technology / SBB-SIRT Agenda Who are we? What is net? About Telecom-ISAC-Japan Analyzing code How does net work? BB Technology

More information

Amun: A Python Honeypot

Amun: A Python Honeypot Amun: A Python Honeypot Technical Report Jan Göbel Laboratory for Dependable Distributed Systems University of Mannheim, Germany jan.goebel@informatik.uni-mannheim.de Abstract In this report we describe

More information

Hypervisor-Based, Hardware-Assisted System Monitoring

Hypervisor-Based, Hardware-Assisted System Monitoring Horst Görtz Institute for IT-Security, Chair for System Security VMRay GmbH Hypervisor-Based, Hardware-Assisted System Monitoring VB2013 October 2-4, 2013 Berlin Carsten Willems, Ralf Hund, Thorsten Holz

More information

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013 Integrated Approach to Network Security Lee Klarich Senior Vice President, Product Management March 2013 Real data from actual networks 2 2012, Palo Alto Networks. Confidential and Proprietary. 2008: HTTP,

More information

A Critical Investigation of Botnet

A Critical Investigation of Botnet Global Journal of Computer Science and Technology Network, Web & Security Volume 13 Issue 9 Version 1.0 Year 2013 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals

More information

MITB Grabbing Login Credentials

MITB Grabbing Login Credentials MITB Grabbing Login Credentials Original pre-login fields UID, password & site Modified pre-login fields Now with ATM details and MMN New fields added MITB malware inserted additional fields. Records them,

More information

Virtual Honeypots UNIVERSITÄT MANNHEIM. Know Your Enemy. Pi1 - Laboratory for Dependable Distributed Systems

Virtual Honeypots UNIVERSITÄT MANNHEIM. Know Your Enemy. Pi1 - Laboratory for Dependable Distributed Systems Virtual Honeypots Know Your Enemy Pi1 - Laboratory for Dependable Distributed Systems Outline Honeypot 101 Examples honeyd nepenthes Honeyclients Conclusion Honeypots Network-based measurements often show

More information

Cloud Services Prevent Zero-day and Targeted Attacks

Cloud Services Prevent Zero-day and Targeted Attacks Cloud Services Prevent Zero-day and Targeted Attacks WOULD YOU OPEN THIS ATTACHMENT? 2 TARGETED ATTACKS BEGIN WITH ZERO-DAY EXPLOITS Duqu Worm Causing Collateral Damage in a Silent Cyber-War Worm exploiting

More information

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno CSE 490K Lecture 14 Botnets and Spam Tadayoshi Kohno Some slides based on Vitaly Shmatikov s Botnets! Botnet = network of autonomous programs capable of acting on instructions Typically a large (up to

More information

Check Point: Sandblast Zero-Day protection

Check Point: Sandblast Zero-Day protection Check Point: Sandblast Zero-Day protection Federico Orlandi Itway Support Engineer 2015 Check Point Software Technologies Ltd. 1 Check Point Threat Prevention SandBlast IPS Antivirus SandBlast stops zero-day

More information

Storm Worm & Botnet Analysis

Storm Worm & Botnet Analysis Storm Worm & Botnet Analysis Jun Zhang Security Researcher, Websense Security Labs June 2008 Introduction This month, we caught a new Worm/Trojan sample on ours labs. This worm uses email and various phishing

More information

Rethinking Antivirus: Executable Analysis in the Network Cloud

Rethinking Antivirus: Executable Analysis in the Network Cloud Rethinking Antivirus: Executable Analysis in the Network Cloud Jon Oberheide, Evan Cooke, Farnam Jahanian Electrical Engineering and Computer Science Department University of Michigan, Ann Arbor, MI 48109

More information

Exercise 7 Network Forensics

Exercise 7 Network Forensics Exercise 7 Network Forensics What Will You Learn? The network forensics exercise is aimed at introducing you to the post-mortem analysis of pcap file dumps and Cisco netflow logs. In particular you will:

More information

Attacks from the Inside

Attacks from the Inside Attacks from the Inside Eddy Willems, G Data Righard J. Zwienenberg, Norman Attacks from the Inside. Agenda - Social Networking / Engineering - Where are the threats coming from - Infection vectors - The

More information

BOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL

BOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL BOTNETS Douwe Leguit, Manager Knowledge Center GOVCERT.NL Agenda Bots: what is it What is its habitat How does it spread What are its habits Dutch cases Ongoing developments Visibility of malware vs malicious

More information

The beast within Evading dynamic malware analysis using Microsoft COM

The beast within Evading dynamic malware analysis using Microsoft COM The beast within Evading dynamic malware analysis using Microsoft COM Black Hat USA 2016 Ralf Hund Credits: Martin Goll, Emre Güler, Andreas Maaß Outline Introduction Dynamic Malware Analysis Microsoft

More information

Honeypots & Honeynets Overview. Adli Wahid Security Specialist, APNIC.net adli@apnic.net

Honeypots & Honeynets Overview. Adli Wahid Security Specialist, APNIC.net adli@apnic.net Honeypots & Honeynets Overview Adli Wahid Security Specialist, APNIC.net adli@apnic.net 1 Contents 1. ObjecCves 2. DefiniCon of Honeypot & Honeynets 3. Benefits & Risk consideracon 4. Example of Honeypot

More information

Sandy. The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis. Garage4Hackers

Sandy. The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis. Garage4Hackers Sandy The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis About Me! I work as a Researcher for a Global Threat Research firm.! Spoke at the few security

More information

Inside the Storm: Protocols and Encryption of the Storm Botnet

Inside the Storm: Protocols and Encryption of the Storm Botnet Inside the Storm: Protocols and Encryption of the Storm Botnet Joe Stewart, GCIH Director of Malware Research, SecureWorks To be covered in this talk: Quick-and-dirty unpacking of Storm Structure of the

More information

Advanced ANDROID & ios Hands-on Exploitation

Advanced ANDROID & ios Hands-on Exploitation Advanced ANDROID & ios Hands-on Exploitation By Attify Trainers Aditya Gupta Prerequisite The participants are expected to have a basic knowledge of Mobile Operating Systems. Knowledge of programming languages

More information

Virtualization for Security

Virtualization for Security Virtualization for Security t j Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting John Hoopes Technical Editor Aaron Bawcom Paul Kenealy Wesley J. Noonan Craig

More information

RIA SECURITY TECHNOLOGY

RIA SECURITY TECHNOLOGY RIA SECURITY TECHNOLOGY Ulysses Wang Security Researcher, Websense Hermes Li Security Researcher, Websense 2009 Websense, Inc. All rights reserved. Agenda RIA Introduction Flash Security Attack Vectors

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

IDS and Penetration Testing Lab IIIa

IDS and Penetration Testing Lab IIIa IDS and Penetration Testing Lab IIIa Dissecting a Botnet C&C - rbot Triggering Lab Malware operation Upon execution malware connects to botirc.net server and establishes standard IRC session with #test

More information

HEY! YOU! GET OFF MY CLOUD! ATTACKS AGAINST CLOUD HONEYPOTS. Martin Lee Neil Rankin

HEY! YOU! GET OFF MY CLOUD! ATTACKS AGAINST CLOUD HONEYPOTS. Martin Lee Neil Rankin HEY! YOU! GET OFF MY CLOUD! ATTACKS AGAINST CLOUD HONEYPOTS Martin Lee Neil Rankin Cloud Adoption Choose two: Fast Cheap Good Cloud Models Public IaaS PaaS SaaS Private Cloud Models Public IaaS PaaS SaaS

More information

Research Project 2: Metasploit-able Honeypots

Research Project 2: Metasploit-able Honeypots Project 2: wouter.katz@os3.nl University of Amsterdam July 4th 2013 How feasible is an automated method to detect specific exploits on a honeypot by monitoring network traffic of exploits? What setup is

More information

BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation

BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke Lee USENIX Security Symposium (Security 07) Presented by Nawanol

More information

Threat Intelligence Gathering, Malware Collection and Incident Response Proposal. Discover, Investigate and Report

Threat Intelligence Gathering, Malware Collection and Incident Response Proposal. Discover, Investigate and Report Threat Intelligence Gathering, Malware Collection and Incident Response Proposal Discover, Investigate and Report United States Military Academy & University of Detroit Mercy Independent Study Class for

More information

Towards Proactive Spam Filtering (Extended Abstract)

Towards Proactive Spam Filtering (Extended Abstract) Towards Proactive Spam Filtering (Extended Abstract) Jan Göbel Thorsten Holz Philipp Trinius {goebel holz trinius}@informatik.uni-mannheim.de Laboratory for Dependable Distributed Systems University of

More information

Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels

Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels Exploiting Fundamental Weaknesses in Command and Control (C&C) Panels What Goes Around Comes Back Around! Aditya K Sood Senior Security Researcher and Engineer 1 Dr. Aditya K Sood About the Speaker! Senior

More information

Visual Analysis of Malware Behavior Using Treemaps and Thread Graphs

Visual Analysis of Malware Behavior Using Treemaps and Thread Graphs Visual Analysis of Malware Behavior Using Treemaps and Thread Graphs Philipp Trinius Thorsten Holz Jan Göbel Felix C. Freiling Laboratory for Dependable Distributed Systems, University of Mannheim, Germany

More information

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy Lab 7 - Exploitation 1 NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy Lab 7 - Exploitation 2 Item I. (What were you asked to do?) Metasploit Server Side Exploits Perform the exercises

More information

Using Honeypots to Analyze Bots and Botnets

Using Honeypots to Analyze Bots and Botnets Using Honeypots to Analyze Bots and Botnets Eirik Falk Georg Bergande Jon Fjeldberg Smedsrud Master of Science in Communication Technology Submission date: June 2007 Supervisor: Svein Johan Knapskog, ITEM

More information

A TASTE OF HTTP BOTNETS

A TASTE OF HTTP BOTNETS Botnets come in many flavors. As one might expect, these flavors all taste different. A lot of Internet users have had their taste of IRC, P2P and HTTP based botnets as their computers were infected with

More information

Use of Honeypots for Network Monitoring and Situational Awareness

Use of Honeypots for Network Monitoring and Situational Awareness Use of Honeypots for Network Monitoring and Situational Awareness Cristine Hoepers cristine@cert.br Computer Emergency Response Team Brazil - CERT.br Network Information Center Brazil - NIC.br Brazilian

More information

Detecting Bots with Automatically Generated Network Signatures

Detecting Bots with Automatically Generated Network Signatures Detecting Bots with Automatically Generated Network Signatures Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel, Engin Kirda,, {pw,tho}@seclab.tuwien.ac.at Institute Eurecom,

More information

UNMASKCONTENT: THE CASE STUDY

UNMASKCONTENT: THE CASE STUDY DIGITONTO LLC. UNMASKCONTENT: THE CASE STUDY The mystery UnmaskContent.com v1.0 Contents I. CASE 1: Malware Alert... 2 a. Scenario... 2 b. Data Collection... 2 c. Data Aggregation... 3 d. Data Enumeration...

More information

6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access

6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access OKENA 71 Second Ave., 3 rd Floor Waltham, MA 02451 Phone 781 209 3200 Fax 781 209 3199 6WRUP:DWFK Policies for Dedicated IIS Web Servers Group The policies shipped with StormWatch address both application-specific

More information

Detecting peer-to-peer botnets

Detecting peer-to-peer botnets Detecting peer-to-peer botnets Reinier Schoof & Ralph Koning System and Network Engineering University of Amsterdam mail: reinier.schoof@os3.nl, ralph.koning@os3.nl February 4, 2007 1 Introduction Spam,

More information

WildFire. Preparing for Modern Network Attacks

WildFire. Preparing for Modern Network Attacks WildFire WildFire automatically protects your networks from new and customized malware across a wide range of applications, including malware hidden within SSL-encrypted traffic. WildFire easily extends

More information

IBM Advanced Threat Protection Solution

IBM Advanced Threat Protection Solution IBM Advanced Threat Protection Solution Fabio Panada IBM Security Tech Sales Leader 1 Advanced Threats is one of today s key mega-trends Advanced Threats Sophisticated, targeted attacks designed to gain

More information

Threat Intelligence. How to Implement Software-Defined Protection. Nir Naaman, CISSP Senior Security Architect

Threat Intelligence. How to Implement Software-Defined Protection. Nir Naaman, CISSP Senior Security Architect How to Implement Software-Defined Protection Nir Naaman, CISSP Senior Security Architect Threat Intelligence 1 The Spanish flu, 1918 killing at least 50-100 million people worldwide. 2 The H1N1 Pandemic,

More information

The InMAS Approach. 1 Introduction and Motivation

The InMAS Approach. 1 Introduction and Motivation The InMAS Approach Markus Engelberth Felix C. Freiling Jan Göbel Christian Gorecki Thorsten Holz Ralf Hund Philipp Trinius Carsten Willems Laboratory for Dependable Distributed Systems University of Mannheim

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

Symantec enterprise security. Symantec Internet Security Threat Report April 2009. An important note about these statistics.

Symantec enterprise security. Symantec Internet Security Threat Report April 2009. An important note about these statistics. Symantec enterprise security Symantec Internet Security Threat Report April 00 Regional Data Sheet Latin America An important note about these statistics The statistics discussed in this document are based

More information

Malware Trend Report, Q2 2014 April May June

Malware Trend Report, Q2 2014 April May June Malware Trend Report, Q2 2014 April May June 5 August 2014 Copyright RedSocks B.V. 2014. All Rights Reserved. Table of Contents 1. Introduction... 3 2. Overview... 4 2.1. Collecting Malware... 5 2.2. Processing...

More information

Botnets: The Advanced Malware Threat in Kenya's Cyberspace

Botnets: The Advanced Malware Threat in Kenya's Cyberspace Botnets: The Advanced Malware Threat in Kenya's Cyberspace AfricaHackon 28 th February 2014 Who we Are! Paula Musuva-Kigen Research Associate Director, Centre for Informatics Research and Innovation (CIRI)

More information

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

LASTLINE WHITEPAPER. In-Depth Analysis of Malware LASTLINE WHITEPAPER In-Depth Analysis of Malware Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse).

More information

Operation Liberpy : Keyloggers and information theft in Latin America

Operation Liberpy : Keyloggers and information theft in Latin America Operation Liberpy : Keyloggers and information theft in Latin America Diego Pérez Magallanes Malware Analyst Pablo Ramos HEAD of LATAM Research Lab 7/7/2015 version 1.1 Contents Introduction... 3 Operation

More information

Virmon: A Virtualization-Based Automated Dynamic Malware Analysis System

Virmon: A Virtualization-Based Automated Dynamic Malware Analysis System Virmon: A Virtualization-Based Automated Dynamic Malware Analysis System Huseyin Tirli, Abdurrahman Pektas,, and Nadia Erdogan Abstract Nowadays, security companies are faced tens of thousands new malware

More information

HONEYPOT SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region

HONEYPOT SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region HONEYPOT SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Preventing your Network from Being Abused by Spammers

Preventing your Network from Being Abused by Spammers Preventing your Network from Being Abused by Spammers Marcelo H. P. C. Chaves mhp@cert.br CERT.br Computer Emergency Response Team Brazil NIC.br - Network Information Center Brazil CGI.br - Brazilian Internet

More information

Analyzing HTTP/HTTPS Traffic Logs

Analyzing HTTP/HTTPS Traffic Logs Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that

More information

Access Control Based on Dynamic Monitoring for Detecting Software Malicious Behaviours

Access Control Based on Dynamic Monitoring for Detecting Software Malicious Behaviours Access Control Based on Dynamic Monitoring for Detecting Software Malicious Behaviours K. Adi, L. Sullivan & A. El Kabbal Computer Security Research Laboratory http://w3.uqo.ca/lrsi NCAC'05 1 Motivation

More information

Protecting the Infrastructure: Symantec Web Gateway

Protecting the Infrastructure: Symantec Web Gateway Protecting the Infrastructure: Symantec Web Gateway 1 Why Symantec for Web Security? Flexibility and Choice Best in class hosted service, appliance, and virtual appliance (upcoming) deployment options

More information

Managing Web Security in an Increasingly Challenging Threat Landscape

Managing Web Security in an Increasingly Challenging Threat Landscape Managing Web Security in an Increasingly Challenging Threat Landscape Cybercriminals have increasingly turned their attention to the web, which has become by far the predominant area of attack. Small wonder.

More information

ERNW Newsletter 51 / September 2015

ERNW Newsletter 51 / September 2015 ERNW Newsletter 51 / September 2015 Playing With Fire: Attacking the FireEye MPS Date: 9/10/2015 Classification: Author(s): Public Felix Wilhelm TABLE OF CONTENT 1 MALWARE PROTECTION SYSTEM... 4 2 GAINING

More information

Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips

Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips Agenda Overview W32/Xpaj analysis Overview of a virtual machine Software protection trends W32/Winemmem analysis W32/Induc

More information

Overview. Common Internet Threats. Spear Phishing / Whaling. Phishing Sites. Virus: Pentagon Attack. Viruses & Worms

Overview. Common Internet Threats. Spear Phishing / Whaling. Phishing Sites. Virus: Pentagon Attack. Viruses & Worms Overview Common Internet Threats Tom Chothia Computer Security, Lecture 19 Phishing Sites Trojans, Worms, Viruses, Drive-bydownloads Net Fast Flux Domain Flux Infiltration of a Net Underground economy.

More information

PERDIX: A FRAMEWORK FOR REALTIME BEHAVIORAL EVALUATION OF SECURITY THREATS IN CLOUD COMPUTING ENVIRONMENT

PERDIX: A FRAMEWORK FOR REALTIME BEHAVIORAL EVALUATION OF SECURITY THREATS IN CLOUD COMPUTING ENVIRONMENT PERDIX: A FRAMEWORK FOR REALTIME BEHAVIORAL EVALUATION OF SECURITY THREATS IN CLOUD COMPUTING ENVIRONMENT December 6, 2013 Julien Lavesque CTO Itrust j.lavesque@itrust.fr Security experts company founded

More information

ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park

ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park 21. Botnets ENEE 757 CMSC 818V Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park http://ter.ps/757 https://www.facebook.com/sdsatumd Today s Lecture Where we ve been AuthenDcaDon

More information

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet

More information

Novacura Flow 5. Technical Overview Version 5.6

Novacura Flow 5. Technical Overview Version 5.6 Title: NovaCura Flow 5 Technical Overview Sid. 1 av 19 Novacura Flow 5 Technical Overview Version 5.6 Novacura Flow is a platform produced by NovaCura AB for creating and running workflow based business

More information

Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000

Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000 Information Technology Information and Systems Security/Compliance Northwestern University 1800 Sherman Av Suite 209 Evanston, IL 60201 Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000

More information

Solution Guide Parallels Virtualization for Linux

Solution Guide Parallels Virtualization for Linux Solution Guide Parallels Virtualization for Linux Overview Created in 1991, Linux was designed to be UNIX-compatible software that was composed entirely of open source or free software components. Linux

More information

The author(s) shown below used Federal funds provided by the U.S. Department of Justice and prepared the following final report:

The author(s) shown below used Federal funds provided by the U.S. Department of Justice and prepared the following final report: The author(s) shown below used Federal funds provided by the U.S. Department of Justice and prepared the following final report: Document Title: Author: Examining the Creation, Distribution, and Function

More information

APPLICATION PROGRAMMING INTERFACE

APPLICATION PROGRAMMING INTERFACE DATA SHEET Advanced Threat Protection INTRODUCTION Customers can use Seculert s Application Programming Interface (API) to integrate their existing security devices and applications with Seculert. With

More information

LASTLINE WHITEPAPER. Dealing with Evasion in Malware Analysis by Analyzing Multiple Execution Paths

LASTLINE WHITEPAPER. Dealing with Evasion in Malware Analysis by Analyzing Multiple Execution Paths LASTLINE WHITEPAPER Dealing with Evasion in Malware Analysis by Analyzing Multiple Execution Paths Abstract Malicious code (or malware) is defined as software that fulfills the deliberately harmful intent

More information

Custom Penetration Testing

Custom Penetration Testing Custom Penetration Testing Compromising a Vulnerability through Discovery and Custom Exploitation Stephen Sims Advanced Penetration Testing - 2009 SANS 1 Objectives Penetration Testing Precompiled Tools

More information

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION How ThreatBLADES add real-time threat scanning and alerting to the Analytics Platform INTRODUCTION: analytics solutions have become an essential weapon

More information

TECHNICAL CONDITIONS REGARDING ACCESS TO VP.ONLINE. User guide. vp.online 2011 2011-10-01

TECHNICAL CONDITIONS REGARDING ACCESS TO VP.ONLINE. User guide. vp.online 2011 2011-10-01 TECHNICAL CONDITIONS REGARDING ACCESS TO VP.ONLINE vp.online 2011 2011-10-01 Contents 1 PROBLEMS SEEING VP.ONLINE... 3 2 BROWSER CONFIGURATION... 6 3 WRITE ACCESS TO DISK DRIVE... 7 4 SESSION TIMEOUT AND

More information

Reverse Engineering and Computer Security

Reverse Engineering and Computer Security Reverse Engineering and Computer Security Alexander Sotirov alex@sotirov.net Introduction Security researcher at Determina, working on our LiveShield product Responsible for vulnerability analysis and

More information

Malware Analysis Quiz 6

Malware Analysis Quiz 6 Malware Analysis Quiz 6 1. Are these files packed? If so, which packer? The file is not packed, as running the command strings shelll reveals a number of interesting character sequences, such as: irc.ircnet.net

More information

Contents III: Contents II: Contents: Rule Set Based Access Control (RSBAC) 4.2 Model Specifics 5.2 AUTH

Contents III: Contents II: Contents: Rule Set Based Access Control (RSBAC) 4.2 Model Specifics 5.2 AUTH Rule Set Based Access Control (RSBAC) Linux Kernel Security Extension Tutorial Amon Ott Contents: 1 Motivation: Why We Need Better Security in the Linux Kernel 2 Overview of RSBAC 3 How

More information

Keywords Intrusion detection system, honeypots, attacker, security. 7 P a g e

Keywords Intrusion detection system, honeypots, attacker, security. 7 P a g e HONEYPOTS IN NETWORK SECURITY Abhishek Sharma Research Scholar Department of Computer Science and Engineering Lovely Professional University (Punjab) - India Abstract Computer Network and Internet is growing

More information