|Title||Your Botnet is My Botnet: Analysis of a Botnet Takeover [link]|
|Author||Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna||From||UCSB|
|Abstract||Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet and study its operations for a period of ten days. During this time, we observed more than 180 thousand infections and recorded almost 70 GB of data that the bots collected. While botnets have been “hijacked” and studied previously, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of data from the infected victims. This data provides a new understanding of the type and amount of personal information that is stolen by botnets.|
1. Introduction (Approach)
2. Torpig Infrastructure and background
(2) Domain Flux
(3) Taking control of the botnet
3. Botnet analysis
(1) Stolen Data
(2) Botnet Size
|Note||It is a quite interesting paper because it contains live analysis of sensitive data harvested from the machines infected by real botnets on the fly. Also it is impressive to perform active infiltration impersonating C&C server in order to take over a botnet. This paper discusses one of the notorious botnets, Torpig, which was widely prevalent over the world back in 2009. The authors tried to reach comprehensive understanding on Torpig including infection path, static and dynamic analysis by reversing, relevant analysis of collected/stolen data from diverse perspectives.|
|Title||Dissecting Android Malware: Characterization and Evolution [link]|
|Author||Yajin Zhou and Xuxian Jiang from CS in NSCU||yajin email@example.com|
|Publishing||SP ’12 Proceedings of the 2012 IEEE Symposium on Security and Privacy||Year||2012|
|Abstract||The popularity and adoption of smartphones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.|
1. Goals and contributions
2. Malware Characterization
(1) Malware Installation:
(2) Activation: BOOT_COMLETED, SMS_RECEIVED, ACTION_MAIN
(3) Malicious Payloads
(4) Permission Uses
3. Malware Detection
(1) Anti-Virus Products
(2) signature base: 20.2% – 79.6%
This paper illustrates Android malware features in common, analyzing a large collection (over 1,200) in a chronological order. It raised a need of systematic Android malware analysis, which is not presence today despite of rapid growing in number. The authors collected 1,200 malware samples and classified them into 49 families (categories). A variety of findings has been shown in terms of characterization including malware installation, activation, malicious payloads, and permission use, which provides useful insight to identify Android malware in the near future when deciding if an application is suspicious.
Although the authors mentioned that existing mobile anti-virus application poorly detected malware, the biggest reason might be due to lack of samples as anti-virus detection normally depends on the signatures. It would be great the study could be carried out in a regular basis, making a comparison in changes.
The anonymous networks below are implemented ones, which might be used as hiding malware trace.
a. 토르 네트워크에 접속하려는 자는 우선 디렉토리 노드에서 노드 리스트를 받아 선택한다.
b. 경로에 참여하는 노드 (선택된 노드)는 디피-헬만 키 교환 알고리즘을 통해 세션 키를 생성한다. (TLSv1 상에서)
c. 각 노드는 공개키 스키마를 이용해 라우팅 정보를 포함해 모든 데이터를 암호화한다.
중간 노드는 트래픽이 온 바로 이전 노드와 트래픽을 전송할 바로 다음 노드만 알고 있다. 따라서 마지막 노드를
제외한 노드는 트래픽을 추적할 수 없다.
d. 접속자는 사용할 경로를 여러 개 생성한 다음 이전 세션이 종료되면 다른 경로를 택해 전송한다.
a. The directory node provides node list to originator to choose nodes.
b. Each participating node does Diffie-Hellman key exchange to create session key. (over TLSv1)
c. Each node encrypts all data including routing information with public key scheme.
The node only understands the previous node which this traffic comes from and the next node which it goes to.
Therefore, there is no way to trace the traffic back except exit node.
d. The originator creates several circuits to make use of, and change a new chain when old session is over.
(2) Freenet (https://freenetproject.org/)
Freenet is a separate network that runs over the Internet. However, other than tor, its content can be accessed only through Freenet including: Freesites (websites on Freenet), in-Freenet chat forums (FMS, Sone, etc), files shared within Freenet, and in-Freenet email.
It has a large distributed database. Thus the more popular a file or page, the more widely it will be cached and the faster it will download. With an appropriate key, Freenet returns the proper file which a user have requested. Here is the location to store data: C:\Users\[UserID]\AppData\Local\Freenet\datastore. There is little or no control over what is stored in the datastore folder as you might imagine.
There are four different keys associated with contents, and you have to get access to them with fproxy.
Gnunet은 2001년도에 시작한 프로젝트로 안전한 p2p 네트워크를 목적으로 하고 있다. ECRS라는 컨텐츠 인코딩 방식을 사용하며 검열에 대응한 파일 공유 기법이다. 정식 웹사이트에서는 중앙 데이터베이스를 사용하지 않은 안전한 개별 간 네트워킹 프레임워크를 사용한다고 소개한다.
Gnunet은 주로 파일 공유를 목적으로 하며 실제 웹을 통한 접속은 tor를 이용하라고 권고한다. 파일 공유, 검색, 분배, 캐싱 등을 익명으로 할 수 있도록 설계한 대표적인 익명 네트워크다.
Gnunet has started in late 2001. It also aims to implement for secure peer-to-peer networking. It uses improved content encoding: ECRS or the encoding for censorship resistant sharing. Accroding to Gnunet official website, it is a framework for secure peer-to-peer networking that does not use any centralized database.
Gnunet mainly focuses on anonymous censorship-resistant file-sharing, which provides anonymity by
. making messages originating from a peer indistinguishable from messages that the peer is routing
. acting as routers and use link-encrypted connections with stable bandwidth utilization
It is similar to tor, but limited to share files anonymously, searching, swarming, and caching.
I2P has begun in 2003, which is an anonymizing network, a low latency mix network. According to the original designers, the goal is to to produce a low latency, fully distributed, autonomous, scalable, anonymous, resilient, and secure network. All data is wrapped with several layers of encryption. (End-to-End) This is called Garlic Routing. I2P is made up of a set of nodes (“routers”) with a number of unidirectional inbound and outbound virtual paths (“tunnels”).
The network is both distributed and dynamic, with no trusted parties and no centralized resources. Moreover it has its own internal network database (using a modification of the Kademlia algorithm) for distributing routing and contact information securely.