Post on 26-Dec-2015


Report: 鄭志欣

Conference: Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna, in Proceedings of the ACM CCS, Chicago, IL, November 2009.

112/04/19 1Machine Learning and Bioinformatics Lab

Data collected: 2009/1/25 ~ 2009/2/5

180,000 infections

70GB of data

USD 83,000 ~ 8,300,000 (value of the bank account and credit card data)


Outline: Introduction; Botnet Analysis; Threats and data analysis; Conclusion


The main purpose of this paper is to analyze the Torpig botnet’s operations:
• Botnet size.
• The personal information stolen by the botnet.


Rather than fast-flux, Torpig uses a different technique for locating its C&C servers, which the authors refer to as domain flux.


Data Collection and Format

Submission Header

Botnet Size vs. IP Count


Data: 70GB (10 days)

Protocol: HTTP POST requests

Submission header vs. request body


Submission header fields:
• ts = timestamp
• ip = IP address
• sport = SOCKS proxy port
• hport = HTTP port
• os = operating system version
• cn = locale
• nid = bot identifier
• bld and ver = build and version number of Torpig



Counting Bots by Submission Header Fields

A bot is uniquely identified by the tuple (nid, os, cn, bld, ver).

Remove probers and researchers.

18200 hosts


4690 Bots / hour

705 Bots / hour


DHCP (ISPs recycle IPs)


Financial Data Stealing

Password Analysis


In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions. The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).


We found that a naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results.
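As an added example (not code from the slides or the paper), the two size estimates side by side: the naive count of distinct IPs in the submission headers versus the count of unique (nid, os, cn, bld, ver) tuples after removing prober records, run over a constructed set of headers that use the field names from the slide. The query-string encoding, every field value, and the prober nid are assumptions made for the example.

```python
from urllib.parse import parse_qs

# Constructed sample of Torpig submission headers, encoded here as query
# strings (an assumption) with the field names from the slide: ts, ip, sport,
# hport, os, cn, nid, bld, ver. All values are invented for illustration, not
# data from the paper. Bots A1 and B2 re-submit from new DHCP-assigned
# addresses; the last record is a researcher probe with a known nid.
SAMPLE_HEADERS = [
    "ts=1232870400&ip=203.0.113.10&sport=1080&hport=8080&os=5.1&cn=ITA&nid=A1&bld=b1&ver=229",
    "ts=1232874000&ip=203.0.113.11&sport=1080&hport=8080&os=5.1&cn=ITA&nid=A1&bld=b1&ver=229",
    "ts=1232877600&ip=203.0.113.12&sport=1080&hport=8080&os=5.1&cn=ITA&nid=A1&bld=b1&ver=229",
    "ts=1232870400&ip=198.51.100.7&sport=1080&hport=8080&os=6.0&cn=USA&nid=B2&bld=b1&ver=229",
    "ts=1232881200&ip=198.51.100.9&sport=1080&hport=8080&os=6.0&cn=USA&nid=B2&bld=b1&ver=229",
    "ts=1232870400&ip=192.0.2.44&sport=1080&hport=8080&os=5.1&cn=USA&nid=C3&bld=b1&ver=229",
    "ts=1232870400&ip=192.0.2.99&sport=1080&hport=8080&os=5.1&cn=USA&nid=PROBE&bld=b1&ver=229",
]

# nids already attributed to probers/researchers (constructed).
KNOWN_PROBERS = {"PROBE"}

def parse_header(raw):
    """Parse one submission header into a dict of single-valued fields."""
    return {k: v[0] for k, v in parse_qs(raw, strict_parsing=True).items()}

def bot_key(h):
    """The tuple the slide uses to identify one unique bot."""
    return (h["nid"], h["os"], h["cn"], h["bld"], h["ver"])

def size_estimates(raw_headers, probers=KNOWN_PROBERS):
    """Naive distinct-IP count versus header-tuple bot count."""
    headers = [parse_header(r) for r in raw_headers]
    bots = [h for h in headers if h["nid"] not in probers]  # drop probers
    ips_by_bot = {}
    for h in bots:
        ips_by_bot.setdefault(bot_key(h), set()).add(h["ip"])
    return {
        "distinct_ips": len({h["ip"] for h in headers}),
        "distinct_bots": len(ips_by_bot),
        # how many addresses one bot was seen from: the DHCP churn effect
        "max_ips_per_bot": max((len(ips) for ips in ips_by_bot.values()), default=0),
    }

if __name__ == "__main__":
    est = size_estimates(SAMPLE_HEADERS)
    print(f"distinct IPs: {est['distinct_ips']}, unique bots: {est['distinct_bots']}, "
          f"most IPs seen for one bot: {est['max_ips_per_bot']}")
```

On this sample the IP count is more than double the bot count, the same direction of error the paper reports at scale.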
