Report: 鄭志欣
Paper: Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna, "Your Botnet is My Botnet: Analysis of a Botnet Takeover", in Proceedings of the ACM CCS, Chicago, IL, November 2009.
112/04/19 Machine Learning and Bioinformatics Lab 1
Data collected: 2009/1/25 ~ 2009/2/5 (ten days)
180,000 infections
70 GB of data
Estimated value of the stolen financial data (bank accounts and credit cards): USD 83,000 ~ 8,300,000
Outline
Introduction
Botnet Analysis
Threats and data analysis
Conclusion
The main purpose of this paper is to analyze the Torpig botnet's operations, in particular:
• the size of the botnet, and
• the personal information stolen by the botnet.
Instead of fast-flux (rapidly rotating the IP addresses behind a fixed domain), Torpig uses a different technique for locating its C&C servers, which the authors call domain flux: the domain name itself changes over time, computed by the bot from the current date.
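The following is an added illustration of the domain-flux mechanism, not code from the paper or from Torpig: the generator, its seed, the hash and the TLD list are arbitrary assumptions, and Torpig's real algorithm is not described on this page. It shows the two consequences that matter: bot and operators agree on a rendezvous domain from the date alone, and anyone who recovers the generator can register a future domain ahead of the operators and receive the bots' traffic (a sinkhole).

```python
import datetime
import hashlib

# Illustrative domain flux (added example). The generator below is NOT Torpig's
# algorithm, which this page does not describe; the seed, hash and TLD list are
# arbitrary assumptions chosen only to show the mechanism.
SEED = "illustrative-seed"
TLDS = ("com", "net", "biz")


def daily_domains(day_iso, count=3):
    """Candidate rendezvous domains for one day (ISO date string).

    Both the bot and the operators compute the same list from the date alone,
    so no hard-coded C&C address ever has to ship with the malware.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{SEED}|{day_iso}|{i}".encode()).hexdigest()
        names.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return names


def rendezvous(day_iso, registry):
    """Bot side: try the day's candidates in order and talk to the first one
    that is registered. `registry` (domain -> owner) stands in for DNS."""
    for name in daily_domains(day_iso):
        owner = registry.get(name)
        if owner is not None:
            return name, owner
    return None, None


def simulate(start_iso):
    """Operators register only today's first domain. A defender who has
    reverse-engineered the generator registers tomorrow's first domain in
    advance, so tomorrow every bot reports to the defender's sinkhole."""
    start = datetime.date.fromisoformat(start_iso)
    tomorrow_iso = (start + datetime.timedelta(days=1)).isoformat()
    registry = {
        daily_domains(start_iso)[0]: "botmaster",
        daily_domains(tomorrow_iso)[0]: "sinkhole",
    }
    return {
        "today": rendezvous(start_iso, registry)[1],
        "tomorrow": rendezvous(tomorrow_iso, registry)[1],
    }


if __name__ == "__main__":
    print(daily_domains("2009-01-25"))
    print(simulate("2009-01-25"))
```

The ordered candidate list is the weak point of the scheme from the operators' side: whoever registers the earliest candidate for a given day wins that day's bots, which is why a defender only needs to register ahead of time, not to take any domain away from the operators.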
Data Collection and Format
Submission Header
Botnet Size vs. IP Count
Data: 70 GB collected over 10 days
Protocol: HTTP POST requests from the bots to the C&C server
Each request consists of a submission header and a request body
Submission header fields:
ts = timestamp
ip = IP address of the bot
sport = port of the SOCKS proxy opened on the infected host
hport = port of the HTTP proxy opened on the infected host
os = operating system version
cn = locale
nid = bot identifier
bld, ver = build and version number of Torpig
Counting Bots by Submission Header Fields
The tuple (nid, os, cn, bld, ver) identifies a unique bot.
Probers and researchers (hosts that send hand-crafted or invalid submissions) are removed from the data set.
18,200 hosts
4690 Bots / hour
705 Bots / hour
DHCP (ISPs recycle IP addresses): the same bot shows up under many different IPs over time, so counting distinct IPs inflates the size estimate.
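The counting procedure described on the slides above (identify a bot by the (nid, os, cn, bld, ver) tuple, drop probers, and compare with the naive distinct-IP count), as an added example that is not the authors' code. The sample submissions are constructed, the key=value encoding is an assumption (the slides name the fields but not the wire format), and the prober filter is a hypothetical validation heuristic rather than the paper's actual criteria.

```python
import ipaddress
import re
from urllib.parse import parse_qsl

# Fields named on the slide; BOT_KEY is the tuple the authors use for one bot.
BOT_KEY = ("nid", "os", "cn", "bld", "ver")
REQUIRED = ("ts", "ip", "sport", "hport") + BOT_KEY
NID_RE = re.compile(r"^[0-9a-f]{8}$")  # assumed shape of nid, for validation only

# Constructed sample (not real Torpig traffic). The key=value encoding is an
# assumption; the page names the fields but not the wire format.
SAMPLE_HEADERS = [
    # hour 0: four distinct bots, two of them behind one NAT address
    "ts=1232841600&ip=203.0.113.10&sport=1080&hport=8080&os=5.1.2600&cn=US&nid=a1b2c3d4&bld=b1&ver=229",
    "ts=1232841660&ip=192.0.2.7&sport=1080&hport=8080&os=6.0.6001&cn=IT&nid=deadbeef&bld=b1&ver=229",
    "ts=1232841720&ip=198.51.100.5&sport=1080&hport=8080&os=5.1.2600&cn=DE&nid=01234567&bld=b2&ver=229",
    "ts=1232841780&ip=198.51.100.5&sport=1081&hport=8081&os=5.1.2600&cn=DE&nid=89abcdef&bld=b2&ver=229",
    # hour 1: the first bot comes back twice from new DHCP leases
    "ts=1232845200&ip=203.0.113.11&sport=1080&hport=8080&os=5.1.2600&cn=US&nid=a1b2c3d4&bld=b1&ver=229",
    "ts=1232845260&ip=203.0.113.12&sport=1080&hport=8080&os=5.1.2600&cn=US&nid=a1b2c3d4&bld=b1&ver=229",
    # a prober/researcher hand-crafting requests, and a malformed submission
    "ts=1232845320&ip=192.0.2.99&sport=0&hport=0&os=x&cn=x&nid=researcher&bld=x&ver=x",
    "ts=notatime&ip=192.0.2.50&sport=1080&hport=8080&os=5.1.2600&cn=US&nid=0badf00d&bld=b1&ver=229",
]


def parse_header(line):
    """Parse one submission header; return None if it fails validation.

    The checks (all fields present, numeric ts, parseable ip, well-formed nid)
    are a hypothetical stand-in for the paper's prober/researcher filtering.
    """
    rec = dict(parse_qsl(line, keep_blank_values=True))
    if any(k not in rec for k in REQUIRED):
        return None
    try:
        rec["ts"] = int(rec["ts"])
        ipaddress.ip_address(rec["ip"])
    except ValueError:
        return None
    if not NID_RE.match(rec["nid"]):
        return None
    return rec


def bot_id(rec):
    """The slide's identity tuple: same nid/os/cn/bld/ver means the same bot."""
    return tuple(rec[k] for k in BOT_KEY)


def count_bots(lines):
    """Unique bots (by tuple) versus the naive distinct-IP count."""
    bots, ips, filtered = set(), set(), 0
    for line in lines:
        rec = parse_header(line)
        if rec is None:
            filtered += 1
            continue
        bots.add(bot_id(rec))
        ips.add(rec["ip"])
    return {"bots": len(bots), "ips": len(ips), "filtered": filtered}


def new_per_hour(lines):
    """Per hour bucket: never-seen-before bots vs never-seen-before IPs.

    DHCP churn keeps producing "new" IPs for bots that were already counted.
    """
    seen_bots, seen_ips, buckets = set(), set(), {}
    recs = [r for r in map(parse_header, lines) if r is not None]
    for rec in sorted(recs, key=lambda r: r["ts"]):
        hour = rec["ts"] - rec["ts"] % 3600
        bucket = buckets.setdefault(hour, [0, 0])
        bid = bot_id(rec)
        if bid not in seen_bots:
            seen_bots.add(bid)
            bucket[0] += 1
        if rec["ip"] not in seen_ips:
            seen_ips.add(rec["ip"])
            bucket[1] += 1
    return [(h, b[0], b[1]) for h, b in sorted(buckets.items())]


if __name__ == "__main__":
    print(count_bots(SAMPLE_HEADERS))
    print(new_per_hour(SAMPLE_HEADERS))
```

On this sample the IP count (5) already exceeds the bot count (4) even though the two NAT'd bots pull the IP count in the other direction; in the second hour no new bot appears at all while two new IPs do, which is exactly the DHCP effect the slides describe.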
Financial Data Stealing
Password Analysis
In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions. The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217).
We found that a naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results.