Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
![Page 1: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/1.jpg)
Taming Botnets
Life cycle and detection of bot infections through network traffic analysis
![Page 2: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/2.jpg)
agenda
● Introduction
● Bots and botnets: short walk-through
● Taming botnets: Detection and Evasion
● Our approach
● Case studies
● Conclusion
● Disclaimer: we steal our images from Google Images :)
![Page 3: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/3.jpg)
Introduction
● Why are we doing this research?
● Objectives
● Our data sources
● Our environment: a bunch of code in node.js and python; a customized sandboxing platform (Cuckoo based); data indexed in Solr
![Page 4: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/4.jpg)
Introduction: bots
● “bot”: a software program installed on target machine(s) for the purpose of utilizing that machine's computational/network resources or collecting information
● A typical bot is controlled by an external party and therefore needs a communication channel in order to receive commands and pass information back
● Bots are typically used for malicious purposes ;-)
![Page 5: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/5.jpg)
Introduction: bots (lifecycle)
● Installation (infection) phase: often by means of a software exploit or a social engineering technique (fake antivirus, fake software update)
● Post-infection phase: communication (C&C, peer etc)
![Page 6: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/6.jpg)
Introduction
● Our basic assumption is that a bot needs to be able to communicate back in order to be useful.
● Our analysis is primarily “blackbox”: we observe the network traffic of a large network infrastructure in order to identify possible infections and “communication” links
● We also utilize sandboxing techniques to observe behavior (mainly from the network side)
● We do not attempt to reverse engineer (manually or automatically) botnet software
![Page 7: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/7.jpg)
Botnets
● Infection vectors → often target end-user machines (clients) in large numbers by exploiting a software vulnerability in the browser or related components
● C&C communication:
– Remember IRC bots? :)
– over HTTP (most common)
– Proprietary protocol
– Centralized or P2P infrastructure
![Page 8: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/8.jpg)
Botnets: lifecycle
● C&C hosting itself is another interesting research area ;-)
![Page 9: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/9.jpg)
So how do you get bots on your machine? :)
![Page 10: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/10.jpg)
How do you get bots on your machine? ;-)
● Compromised servers: most widespread, often through silly vulns (e.g. WordPress!), but high-profile web sites are also affected, or domains are taken over (DNS poisoning and more)
● Placing a JavaScript iframe on a compromised high-traffic machine is way more profitable than defacing it (hacktivism is only for hippies? ;)
![Page 11: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/11.jpg)
How do you get bots (pt 2)
● SEO poisoning/manipulation.
![Page 12: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/12.jpg)
How do you get bots (pt 3)
● Advertisements and malvertisements: whole new ecosystem:
OpenX is a huge security hole ;)
![Page 13: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/13.jpg)
Anyways
● Once infected, the bot talks back...
Let's look at some real-life cases (the data is very recent, mostly from the past few months).
![Page 14: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/14.jpg)
Old-school bots (still active. For real! ;-))
May/2012: IRC bots still real :-D
![Page 15: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/15.jpg)
Carberp
● Bot Infection: Drive-By-HTTP
● Payload and intermediate malware domains: normal, just registered/DynDNS
● Distributed via: Many many compromised web-sites, top score > 100 compromised resources detected during 1 week.
● C&C domains usually generated, but some special cases below ;-).
● C&C and malware domains located on the same AS (from the bot's point of view). Easy to detect.
● Typical bot activity: Mass HTTP Post
![Page 16: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/16.jpg)
| Domain | URL | Referrer | Payload | Size |
|---|---|---|---|---|
| beatshine.is-saved.org | /g/18418362672595167.js | www.*****press.ru | javascript | 9414 |
| activatedreplacing.is-very-evil.org | /index.php?28d9000e56c2a63080ff89c6f5357591 | www.*****press.ru | html | 45443 |
| activatedreplacing.is-very-evil.org | //images/r/785cee8be7f1da9a9d60820cbf8b1840.jar | | application/x-jar | 4135 |
| activatedreplacing.is-very-evil.org | /server_privileges.php?91370f5f009a815950578cb539f28b58=3 | | application/executable | 155529 |
![Page 17: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/17.jpg)
Activity and update
![Page 18: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/18.jpg)
Another attack attempt and update URLs

| Time | Domain | URL | IP |
|---|---|---|---|
| 10/Apr/2012:10:29:09 | nod32-matrosov-pideri.org | //images/785cee8be7f1da9a9d60820cbf8b1840.jar | 62.122.79.42 |
| 10/Apr/2012:10:29:10 | nod32-matrosov-pideri.org | /expl0it/At00micArray.class | 62.122.79.42 |
| 10/Apr/2012:10:29:11 | nod32-matrosov-pideri.org | /expl0it/At00micArray/class.class | 62.122.79.42 |
| 02/May/2012:08:42:59 | rgn7er8yafh89cehuighv.org | /bxlkizmfgtlfwcdmljmrjlunqkvsslfiru.tpl | 91.228.134.210 |
| 02/May/2012:08:42:59 | avast-pidersiy-gandon.com | /crypt/files/crypted/config.bin | 62.122.79.52 |
| 02/May/2012:08:43:00 | rgn7er8yafh89cehuighv.org | /aDHfNt8w43yYGM.tiff | 91.228.134.210 |
![Page 19: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/19.jpg)
Detection during infection and by post-infection activity
● Infection: executable transfer from just-registered domains (example: lifenews-sport.org) or Dyn-DNS domains (like uphchtxmji.homelinux.com)
● Updates: executable transfer from a just-registered or DynDNS domain
● Post-infection activity: mass HTTP POST to generated domains like n87e0wfoghoucjfe0id.org; the URL ends with different extensions
![Page 20: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/20.jpg)
Netprotocol.exe
● Bot infection was: Drive-By-FTP; now: Drive-By-FTP, Drive-By-HTTP
● Payload and intermediate malware domains: normal, obfuscated
● Distributed via: compromised web-sites
● C&C domains usually generated, many domains in the .be zone.
● C&C and malware domains located on different ASes. Bot updates payload via HTTP
● Typical bot activity: HTTP POST, payload updates via HTTP.
![Page 21: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/21.jpg)
| Domain | URL | Referrer | Payload | Size |
|---|---|---|---|---|
| 3645455029 | /1/s.html | Infected site | html | 997 |
| Java.com | /js/deployJava.js | 3645455029 | javascript | 4923 |
| 3645455029 | /1/exp.jar | | application/x-jar | 18046 |
| 3645455029 | /file1.dat | | application/executable | 138352 |
![Page 22: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/22.jpg)
Attack analysis
- Script from www.java.com used during the attack.
- Applet exp.jar loaded by FTP
- FTP server IP address obfuscated to avoid detection
![Page 23: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/23.jpg)
Interesting modifications
GET http://java.com/ru/download/windows_ie.jsp?host=java.com%26returnPage=ftp://217.73.58.181/1/s.html%26locale=ru HTTP/1.1

Key feature example
Date/Time: 2012-04-20 11:11:49 MSD
Tag Name: FTP_Pass
Target IP Address: 217.73.63.202
Target Object Name: 21
:password Java1.6.0_30@ :user anonymous
![Page 24: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/24.jpg)
Activity example
Date/Time: 2012-04-29 02:05:48 MSD
Tag Name: HTTP_Post
Target IP Address: 217.73.60.107
:server rugtif.be
:URL /check_system.php
Domain registered: 2012-04-21

Date/Time: 2012-04-29 02:06:08 MSD
Tag Name: HTTP_Post
Target IP Address: 208.73.210.29
:server eksyghskgsbakrys.com
:URL /check_system.php
![Page 25: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/25.jpg)
On-host detection and activity
Payload: usually netprotocol.exe, located in Users\USER_NAME\AppData\Roaming, which periodically downloads other malware.
Further payload loaded via HTTP: http://64.191.65.99/view_img.php?c=4&k=a4422297a462ec0f01b83bc96068e064
![Page 26: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/26.jpg)
Detection by AV
Sample from May 09 2012: detect ratio 1/42
● (demos, recorded as videos)
![Page 27: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/27.jpg)
Detection during infection and by post-infection activity
● Infection: .jar and .dat file downloaded by FTP; server name = obfuscated IP address, example ftp://3645456330/6/e.jar. Java version in the FTP password, example Java1.6.0_29@
● Updates: executable transfer from some Internet host, example GET http://184.82.0.35/f/kwe.exe
● Post-infection activity: mass HTTP POST to normal and generated domains with URL check_system.php:
09:04:46 POST http://hander.be/check_system.php
09:05:06 POST http://aratecti.be/check_system.php
09:06:48 POST http://hander.be/check_system.php
09:07:11 POST http://aratecti.be/check_system.php
![Page 28: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/28.jpg)
Noproblemslove.com, whoismistergreen.com, etc...
● Bot infection: Drive-By-HTTP
● Payload and intermediate malware domains: normal / DynDNS
● Distributed via: compromised web-sites.
● C&C domains: normal.
● C&C and malware domains located on different ASes. Sophisticated attack scheme. Timeout before activity.
● Typical bot activity: mass HTTP POST
![Page 29: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/29.jpg)
Noproblemslove.com, whoismistergreen.com, etc...
![Page 30: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/30.jpg)
Interesting domains from range 184.82.149.178-184.82.149.180 (Feb 2012)

| Domain Name | IP |
|---|---|
| www.google-analylics.com | 184.82.149.179 |
| google-anatylics.com | 184.82.149.178 |
| www.google-analitycs.com | 184.82.149.180 |
| webmaster-google.ru | 184.82.149.178 |
| paged2.googlesyndlcation.com | 184.82.149.179 |
| googlefilter.ru | 184.82.149.179 |
| rambler-analytics.ru | 184.82.149.179 |
| site-yandex.net | 184.82.149.180 |
| paged2.googlesyndlcation.com | 184.82.149.179 |
| www.yandex-analytics.ru | 184.82.149.178 |
| googles.4pu.com | 184.82.149.178 |
| googleapis.www1.biz | 184.82.149.178 |
| syn1-adriver.ru | 184.82.149.178 |
![Page 31: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/31.jpg)
HOSTER RANGE AND AS
www.google-analylics.com looks good,
BUT
Google, Rambler and Yandex together on 184.82.149.176/29?
Hoster range and autonomous system (AS) are useful when you analyze suspicious events.
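The slide's check (lookalike brand names, several different brands crammed into one small hoster range) is easy to automate. The following is an added example, not the authors' code and not part of dnslyzer: it takes the domain/IP rows from the table above, scores each DNS label against a small brand list by substring match and edit distance, and then groups the hits by /29. The brand list, the `www.example.org` control row and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Domain/IP rows from the talk's table (184.82.149.176/29), plus one constructed
# benign row so the filter has something to ignore.
OBSERVED = [
    ("www.google-analylics.com", "184.82.149.179"),
    ("google-anatylics.com", "184.82.149.178"),
    ("www.google-analitycs.com", "184.82.149.180"),
    ("paged2.googlesyndlcation.com", "184.82.149.179"),
    ("rambler-analytics.ru", "184.82.149.179"),
    ("www.yandex-analytics.ru", "184.82.149.178"),
    ("googleapis.www1.biz", "184.82.149.178"),
    ("www.example.org", "93.184.216.34"),  # constructed benign row
]

# Brand tokens the lookalikes imitate -> brand owner (assumption: your own list).
BRANDS = {
    "google-analytics": "google",
    "googlesyndication": "google",
    "googleapis": "google",
    "rambler": "rambler",
    "yandex": "yandex",
}


def levenshtein(a, b):
    """Classic edit distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain, brands=BRANDS, max_distance=2):
    """Return the imitated brand when a DNS label contains a brand token outright
    (rambler-analytics.ru) or is a near-miss of one (google-analylics.com)."""
    for label in domain.lower().split("."):
        for token, brand in brands.items():
            if token in label:
                return brand
            # edit distance only for long tokens: short ones produce false matches
            if len(token) >= 8 and levenshtein(label, token) <= max_distance:
                return brand
    return None


def suspicious_ranges(observed, prefixlen=29, min_brands=2):
    """Group brand-lookalike domains by hoster range; several different brands
    'hosted' in one small range is the signal the slide describes."""
    brands_by_net = defaultdict(set)
    for domain, ip in observed:
        brand = lookalike_brand(domain)
        if brand is None:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        brands_by_net[str(net)].add(brand)
    return {net: sorted(b) for net, b in brands_by_net.items() if len(b) >= min_brands}


if __name__ == "__main__":
    for net, brands in suspicious_ranges(OBSERVED).items():
        print(f"{net}: lookalikes for {', '.join(brands)}")
```

On the table's rows this reports `184.82.149.176/29` as carrying lookalikes for google, rambler and yandex at once, which is exactly the "together on one /29?" question the slide asks; in practice the next pivot is the AS and hoster of that range, as the slide says.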
![Page 32: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/32.jpg)
What happens next?
![Page 33: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/33.jpg)
Other domains but owner is the same
![Page 34: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/34.jpg)
What's common

whoismistergreen.com
IP address: 213.5.68.105
Create: 2011-07-26
Registrant Name: JOHN ABRAHAM
Address: ul. Dubois 119
City: Lodz

noproblemslove.com
IP address: 213.5.68.105
Created: 2011-12-07
Registrant Contact: Whois Privacy Protection Service
Whois Agent [email protected]

noproblemsbro.com
IP address: 176.65.166.28
Created: 2011-12-07
Registrant Contact: Whois Privacy Protection Service
Whois Agent [email protected]

patr1ckjane.com
IP was: 176.65.166.28
IP now: 213.5.68.105
Create: 2011-07-21
Registrant Name: patrick jane
Address: ul. Dubois 119
City: Lodz
![Page 35: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/35.jpg)
Detection during infection and by post-infection activity
● Infection: executable transfer from just-registered or Dyn-DNS domains, like fx58.ddns.us
● Updates: application/octet-stream bulk data load from C&C
● Post-infection activity: mass HTTP POST to seemingly normal domains, e.g. noproblemslove.com, whoismistergreen.com, etc...
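The three case studies share the same two post-infection tells: an executable (or .jar / octet-stream) fetched from a just-registered domain, a DynDNS name, a raw IP or a dotless decimal IP such as `ftp://3645456330/`, and then the same path POSTed to several domains in a row. The following added example (not the authors' code) runs both checks over a constructed proxy log whose hosts and paths echo the slides; the log format, the client addresses, the whois creation dates and the 30-day "just registered" threshold are assumptions. The decimal-IP decoder reproduces the slide's own pair: 3645456330 is 217.73.63.202.

```python
import re
from collections import defaultdict
from datetime import date, datetime
from urllib.parse import urlsplit

# Constructed proxy log: "date time client method url content-type". The hosts and
# paths echo the slides; the clients, timestamps and content types are made up.
PROXY_LOG = """\
2012-05-02 09:04:46 10.0.0.5 POST http://hander.be/check_system.php text/html
2012-05-02 09:05:06 10.0.0.5 POST http://aratecti.be/check_system.php text/html
2012-05-02 09:06:48 10.0.0.5 POST http://hander.be/check_system.php text/html
2012-05-02 09:07:11 10.0.0.5 POST http://aratecti.be/check_system.php text/html
2012-05-02 09:07:40 10.0.0.5 GET http://184.82.0.35/f/kwe.exe application/executable
2012-05-02 09:08:02 10.0.0.7 GET http://uphchtxmji.homelinux.com/update.exe application/executable
2012-05-02 09:08:30 10.0.0.7 POST http://www.example.com/login text/html
2012-05-02 09:09:00 10.0.0.9 GET http://www.example.com/index.html text/html
2012-05-02 09:09:30 10.0.0.9 GET http://lifenews-sport.org/setup.exe application/executable
2012-05-02 09:10:00 10.0.0.9 GET ftp://3645456330/6/e.jar application/x-jar
"""

# Constructed whois creation dates (assumption: fed from a local whois cache).
WHOIS_CREATED = {
    "hander.be": date(2012, 4, 21),
    "aratecti.be": date(2012, 4, 21),
    "lifenews-sport.org": date(2012, 4, 28),
    "example.com": date(1995, 8, 14),
}
DYNDNS_ZONES = ("homelinux.com", "ddns.us", "is-very-evil.org", "is-saved.org")
EXECUTABLE_TYPES = ("application/executable", "application/octet-stream", "application/x-jar")
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (GET|POST) (\S+) (\S+)$")


def registrable(host):
    """Last two labels as the registrable domain (assumption; use a public suffix list in production)."""
    return ".".join(host.split(".")[-2:])


def is_ip_literal(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def decode_decimal_host(host):
    """Dotless decimal host (ftp://3645456330/) back to dotted quad."""
    n = int(host)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("not an IPv4 number")
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, method, url, ctype = m.groups()
        u = urlsplit(url)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "client": client,
                       "method": method, "host": u.hostname, "path": u.path, "ctype": ctype})
    return events


def mass_post_clients(events, min_domains=2, min_posts=3):
    """Clients POSTing the same path to several different registrable domains."""
    by_key = defaultdict(lambda: {"domains": set(), "posts": 0})
    for e in events:
        if e["method"] == "POST":
            k = (e["client"], e["path"])
            by_key[k]["domains"].add(registrable(e["host"]))
            by_key[k]["posts"] += 1
    return {f"{c} {p}": sorted(v["domains"]) for (c, p), v in by_key.items()
            if len(v["domains"]) >= min_domains and v["posts"] >= min_posts}


def risky_executable_downloads(events, today, max_age_days=30):
    """Executable transfers from decimal/literal IPs, DynDNS zones or just-registered domains."""
    hits = []
    for e in events:
        if e["ctype"] not in EXECUTABLE_TYPES:
            continue
        host = e["host"]
        if host.isdigit():
            reason = "decimal-ip " + decode_decimal_host(host)
        elif is_ip_literal(host):
            reason = "ip-literal"
        elif any(host == z or host.endswith("." + z) for z in DYNDNS_ZONES):
            reason = "dyndns"
        else:
            created = WHOIS_CREATED.get(registrable(host))
            if created is None:
                reason = "unknown-whois"
            elif (today - created).days <= max_age_days:
                reason = f"registered-{(today - created).days}d-ago"
            else:
                continue  # old, known domain: not interesting on its own
        hits.append((e["client"], host, e["path"], reason))
    return hits


def analyze(log_text=PROXY_LOG, today_iso="2012-05-02"):
    events = parse(log_text)
    return mass_post_clients(events), risky_executable_downloads(events, date.fromisoformat(today_iso))


if __name__ == "__main__":
    mass, hits = analyze()
    print("mass POST:", mass)
    for hit in hits:
        print("executable:", hit)
```

Note what the whois check does and does not catch: `lifenews-sport.org` is a perfectly readable name, so no name-shape heuristic flags it, and only its creation date does. That is why the talk pairs "just registered" with the DNS and AS pivots rather than relying on any one of them.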
![Page 36: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/36.jpg)
Detection
![Page 37: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/37.jpg)
Detection
● What we are building ;)
![Page 38: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/38.jpg)
Cross-correlation data sources
● WHOIS (including Team Cymru whois)
● Our own DNS index, also talking to ISC about possibilities of data swaps
● Sandbox farm (mainly to detect compromised websites automagically and study behavior)
● Public “malicious IP address” databases.
● Public reputation (i.e. ToS) databases.
● (still work in progress)
![Page 39: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/39.jpg)
Detection
● Manual and Automated
● Automated detection is largely based on analysis of network traffic:
– Anomaly detection
– Pattern-based analysis
– Signatures (snort!)
– Traffic profiling (DNS traffic profiling, HTTP traffic profiling etc)
![Page 40: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/40.jpg)
Detection
● Detecting malicious botnet activity is very popular in academia (interesting problem).
● In our research we do not claim extreme novelty but rather will demonstrate our experience and a few practical solutions that seem to work :-)
![Page 41: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/41.jpg)
Detection: loooots of papers!
![Page 42: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/42.jpg)
Detection: interesting bits
● Botnet detection evolved from a pattern-based approach (hardcoded bot CMD patterns, captured with snort) to a complex field of generic detection of automated “call-back” communication channels.
![Page 43: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/43.jpg)
Detection
● Different “callback” methods, as seen in the wild, possess interesting properties, such as:
– Large number of failed DNS requests
– Large number of DNS requests for IP addresses which are offline
– Connection attempts to mostly dead IP addresses
– Traffic pattern (differs from regular browsing)
![Page 44: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/44.jpg)
Cat and mouse game
● Of course all of this is easy to evade once you know the method. But security is always a 'cat-n-mouse' game ;-)
![Page 45: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/45.jpg)
Detection
● Detecting botnet activities by analyzing DNS traffic
– Analyzing DNS names (dictionary comparison, alphanumeric characters, detection of “generated” domain names (similarities/patterns))
– Analyzing failed DNS queries
– DNS “ranking” (based on whois information)
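The DNS-side checks above (name shape and failed queries) combine naturally: a client whose NXDOMAIN answers are mostly for machine-looking names is a stronger signal than either count alone. This is an added example, not the authors' code and not dnslyzer. It scores the registered label on length, digit/letter mixing, vowel ratio, consonant runs and the absence of dictionary words, then tallies rcode 3 answers per client from a constructed DNS log. The log format, the tiny word list, the thresholds and the client addresses are assumptions; the generated-looking names are the ones on the slides.

```python
import re
from collections import defaultdict

VOWELS = set("aeiou")
# Tiny dictionary stand-in (assumption): a real deployment loads a word list.
WORDS = {"google", "analytics", "mail", "news", "sport", "life", "love", "problems",
         "check", "system", "example", "yandex", "rambler", "home", "linux"}

# Constructed DNS log lines: "client qname rcode" (assumption). rcode 3 = NXDOMAIN.
DNS_LOG = """\
10.0.0.5 n87e0wfoghoucjfe0id.org 3
10.0.0.5 rgn7er8yafh89cehuighv.org 3
10.0.0.5 x1k9zqv0pml4hdw.org 3
10.0.0.5 q8rtv2nxjmk0plfw.net 3
10.0.0.5 noproblemslove.com 0
10.0.0.7 www.example.com 0
10.0.0.7 mail.google.com 0
10.0.0.7 lifenews-sport.org 0
10.0.0.7 www.exmaple.com 3
"""
LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\d+)$")


def registered_label(qname):
    """Second-level label (assumption: two-label suffixes are not handled here)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def name_features(label):
    """Boolean 'looks generated' features of one label."""
    s = re.sub(r"[^a-z0-9]", "", label.lower())
    letters = [c for c in s if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    runs = re.findall(r"[^aeiou]+", s)  # digits count as non-vowels
    return {
        "long": len(s) >= 12,
        "digit_mix": any(c.isdigit() for c in s) and bool(letters),
        "low_vowel": vowel_ratio < 0.3,
        "consonant_run": max((len(r) for r in runs), default=0) >= 5,
        "no_dict_word": not any(w in s for w in WORDS),
    }


def looks_generated(qname, threshold=3):
    return sum(name_features(registered_label(qname)).values()) >= threshold


def nxdomain_report(log_text, min_nx=3, min_rate=0.5):
    """Per client: queries, NXDOMAIN answers, and how many of those names look
    generated. Flags clients whose failed lookups are numerous and mostly generated."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_generated": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        st = stats[m["client"]]
        st["total"] += 1
        if int(m["rcode"]) == 3:
            st["nx"] += 1
            if looks_generated(m["qname"]):
                st["nx_generated"] += 1
    flagged = {c: st for c, st in stats.items()
               if st["nx"] >= min_nx and st["nx_generated"] / st["nx"] >= min_rate}
    return dict(stats), flagged


if __name__ == "__main__":
    stats, flagged = nxdomain_report(DNS_LOG)
    for client, st in stats.items():
        print(client, st, "FLAGGED" if client in flagged else "")
```

The control rows matter as much as the hits: `noproblemslove.com` and `lifenews-sport.org` score low because they are built from real words, which is the slide's point that "seemingly normal" C&C domains need the whois and hoster pivots, not name analysis; and a single NXDOMAIN for a user's typo (`exmaple.com`) does not flag the client.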
![Page 46: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/46.jpg)
Detection: rcode 3 (non-existing domains)
(chart: counts of rcode 3 / NXDOMAIN responses; only the generic axis labels survived extraction)
![Page 47: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/47.jpg)
Detection: rcode 2 (server failure)
Rcode 2 domains (failed servers)
![Page 48: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/48.jpg)
Detection
● WHOIS cross-correlation – easily automated.
![Page 49: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/49.jpg)
Detection
● Further step: cross-correlation to domain names which have the same WHOIS attributes
● Sandboxing (we use a modified version of Cuckoo Sandbox, with user event simulation; not perfect but works)
● Challenges:
– Simulate complex user behavior (mouse movements)
– Simulate complex user browsing pattern (visiting X with a search engine (image?) as referer)
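The "What's common" slide and the WHOIS cross-correlation steps above amount to a graph problem: domains are nodes, and any shared pivotable attribute (hosting IP, past or present, registrant name, postal address) is an edge. The added example below (not the authors' code) clusters domains with a union-find over those attributes, using the IPs, dates and registrant fields shown on that slide; the record layout, the placeholder privacy-service e-mail and the `unrelated.example` control row are assumptions. The one edge case worth handling is that a whois privacy service is shared by thousands of unrelated domains and must never be used as a pivot.

```python
from collections import defaultdict

# Constructed from the talk's "What's common" slide (IPs, dates and registrant
# fields as shown there); the record layout and the e-mail placeholder are assumptions.
RECORDS = [
    {"domain": "whoismistergreen.com", "ips": ["213.5.68.105"],
     "registrant": "JOHN ABRAHAM", "address": "ul. Dubois 119, Lodz", "email": None},
    {"domain": "noproblemslove.com", "ips": ["213.5.68.105"],
     "registrant": "Whois Privacy Protection Service", "address": None,
     "email": "whois-agent@privacy.example"},
    {"domain": "noproblemsbro.com", "ips": ["176.65.166.28"],
     "registrant": "Whois Privacy Protection Service", "address": None,
     "email": "whois-agent@privacy.example"},
    {"domain": "patr1ckjane.com", "ips": ["176.65.166.28", "213.5.68.105"],  # IP was / IP now
     "registrant": "patrick jane", "address": "ul. Dubois 119, Lodz", "email": None},
    {"domain": "unrelated.example", "ips": ["198.51.100.7"],  # constructed control row
     "registrant": "Whois Privacy Protection Service", "address": None,
     "email": "whois-agent@privacy.example"},
]

# Values shared by many unrelated domains; never pivot on these.
PRIVACY_MARKERS = ("privacy", "proxy", "whois agent", "redacted")


def is_pivotable(field, value):
    if not value:
        return False
    if field in ("registrant", "email", "address"):
        return not any(m in value.lower() for m in PRIVACY_MARKERS)
    return True


def pivot_keys(rec):
    """Attribute/value pairs of one record that are safe to correlate on."""
    keys = {("ip", ip) for ip in rec["ips"]}
    for field in ("registrant", "address", "email"):
        if is_pivotable(field, rec[field]):
            keys.add((field, rec[field].lower()))
    return keys


def cluster_by_whois(records):
    """Union-find: domains sharing any pivotable attribute land in one cluster."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    first_owner = {}
    for r in records:
        for k in pivot_keys(r):
            if k in first_owner:
                union(r["domain"], first_owner[k])
            else:
                first_owner[k] = r["domain"]
    clusters = defaultdict(set)
    for r in records:
        clusters[find(r["domain"])].add(r["domain"])
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for cluster in cluster_by_whois(RECORDS):
        print(cluster)
```

With the slide's data the four domains collapse into one cluster even though two of them hide behind privacy protection: noproblemslove.com shares its IP with whoismistergreen.com, noproblemsbro.com shares its IP with patr1ckjane.com's old address, and patr1ckjane.com shares both its new IP and the Lodz street address with whoismistergreen.com. The control row stays alone because its only shared attribute is the privacy service.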
![Page 50: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/50.jpg)
Detection flow
![Page 51: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/51.jpg)
Detection (visualization)
● Parallel coordinates (also see the recent talk by Alexandre Dulaunoy from CIRCL.LU and Sebastien Tricaud from Picviz Labs at CanSecWest)
![Page 52: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/52.jpg)
Detection
● (demos, lets look at some videos :)
![Page 53: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/53.jpg)
Conclusions
● Detection is still trivial, but keep your methods “private” ;-)
● Detecting 'advanced' botnets (name your favourite traffic profiling evasion method!) is out of the question here, unless this becomes widespread
● Cat and mouse game is still fun! ;-)
![Page 54: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/54.jpg)
Tips and recommendations
● For infected machines: boot from clean media and periodically do OFFLINE AV checking
● Monitor network traffic for any unusual activity
● Default-deny firewall policies + block any active executable content
![Page 55: Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis](https://reader033.fdocuments.in/reader033/viewer/2022052900/5562ebb8d8b42ad26c8b5086/html5/thumbnails/55.jpg)
questions
● Contact us at:
– [email protected]
– [email protected]
http://github.com/fygrave/dnslyzer for some code