report: 鄭志欣 conference: brett stone-gross, marco cova, lorenzo cavallaro, bob gilbert, martin...

Report:鄭志欣

Conference:Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna, in Proceedings of the ACM CCS, Chicago, IL, November 2009.

112/04/19 1Machine Learning and Bioinformatics Lab

Date Collect : 2009/1/25 ~ 2009/2/5

180’000 infections

70GB data

USD$ 83,000 ~ 8,300,000 (bank account and credit card)

112/04/19 2Machine Learning and Bioinformatics Lab

Introduction Botnet Analysis Threats and data analysis Conclusion

112/04/19Machine Learning and Bioinformatics Lab 3

The main purpose of this paper is to analyze the Torpig botnet’s operations.• Botnet size.• The personal information is stolen by

botnets.


Torpig solves fast-flux by using a different technique for locating its C&C servers, which we refer to as domain flux.


Data Collection and Format

Submission Header

Botnet Size vs. IP Count


Date : 70GB (10 day)

Protocol : HTTP POST requests

Submission Header VS. Request body



Ts = time stamp IP Sport = SOCKS proxies port Hport = HTTP port OS = operation system version Cn = locale Nid = bot identifier Bld and ver = build and version number of Torpig

gh5

Counting Bots by Submission Header Fields

(nid , os , cn , bld , ver) decide to unique bot

Delete Probers and Researcher

18200 hosts



4690 Bots / hour

705 Bots / hour

DHCP (ISPs recycles IPs)


Financial Data Stealing

Password Analysis


In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions. The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).


we found that a naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results.


report: 鄭志欣 conference: brett stone-gross, marco cova, lorenzo cavallaro, bob gilbert, martin...

Documents