Course M2 – State of the Practice: Botnets and Related Malware

Sven Dietrich, Stevens Institute of Technology

Monday Afternoon, December 5th, Half Day

In the last few years, botnets have become part of the vocabulary beyond the technical books and papers. The ubiquitous nature of computing has allowed malicious software (aka malware) to exist on a variety of platforms, from the company server to the smartphone. By herding these pieces of malware, referred to as bots, into a large conglomerate known as a botnet, a more powerful entity is created. The people directing these botnets, called botmasters or botherders, can exert tremendous power on the Internet: from distributed denial of service (DDoS) against companies, infrastructure, or governments, to hosting phishing servers, distributing various forms of content including spam, and, last but not least, collecting keystrokes from the affected devices in search of authentication or credit card data. Whether for financial gain, political pressure, espionage, or just because it can be done, botnets present themselves as a continued problem.

The course will trace the development of botnets from the exploitation of server vulnerabilities to install malware, through early forms of DDoS, to the evolution of modern botnets that exhibit various topologies or live in your browser. The increasing sophistication of the communication patterns used for command and control challenges the usual approaches to detection and mitigation, and these developments will be shown using real examples of botnet traffic. The course will cover the gap between the state of the art and the state of the practice and show how to bring some research approaches into practice.

The student will walk away with a basic understanding of what malware is, how malware has evolved up to this point, what host- and network-based techniques malware employs to thwart simple mitigation and response, and what current approaches exist for detection. An intermediate student will learn the depth of sophistication of the malware. Academic researchers will appreciate the exposure to real data and experience with recent botnets (e.g. Nugache, Storm, Conficker, MegaD), a consolidated overview of the relevant papers on this topic, as well as online resources.

Outline

  1. Fundamentals and terminology. Basic networking and routing protocols; Cryptography/cryptanalysis.
  2. Introduction to malware. Droppers, agents, IRC bots, Trojans; Evolution of attack tools.
  3. Classes of botnets. What they do. How they are installed. Exploits vs. social engineering. State of the art bots. Command and control (C&C) techniques in use. Fast flux. Topologies. Centralized, P2P, tiered P2P.
  4. Network-based techniques. Building a state-of-the-art monitoring/traffic capture facility. Correlating traffic. Pcap vs flows. Limitations of the view (local vs. global). Understanding bot communication protocols. Encrypted C&C. Detection of C&C and attacks. Examples. Impact assessment.
  5. Host-based malware techniques and limitations. Packers, loaders, encryptors, and related techniques used by malware, and their countermeasures. Malware updaters, modularization. Instrumenting a host for analysis. Virtual vs. real host.
  6. Beyond the state of the practice. Research directions.
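As an added illustration of outline item 4 (not course material from the instructor), the following Python shows the difference between packet-level capture and flow records, and one detection idea the course outline points at: regular C&C beaconing stands out in flow start times even when every session uses a fresh source port and the payload is encrypted. The packet records, addresses, and timings below are constructed for the example; the 60-second idle timeout and the coefficient-of-variation threshold are assumptions chosen for illustration.

```python
"""Aggregate packets into flows, then look for periodic beaconing per (src, dst, dport, proto)."""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Packet:
    """One packet as it would come out of a pcap (constructed, not captured)."""
    ts: float      # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    length: int


def packets_to_flows(packets, idle_timeout=60.0):
    """Group packets into unidirectional flows keyed by 5-tuple.

    A new flow record is started when the gap since the previous packet on the
    same 5-tuple exceeds idle_timeout, roughly what a NetFlow/IPFIX exporter
    does. Each record keeps first/last timestamp and packet/byte counters; the
    payload is gone, which is the trade-off of flows versus full pcap.
    """
    flows = []
    open_flows = {}
    for p in sorted(packets, key=lambda pk: pk.ts):
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        f = open_flows.get(key)
        if f is None or p.ts - f["last"] > idle_timeout:
            f = {"key": key, "first": p.ts, "last": p.ts, "packets": 0, "bytes": 0}
            flows.append(f)
            open_flows[key] = f
        f["last"] = p.ts
        f["packets"] += 1
        f["bytes"] += p.length
    return flows


def beacon_candidates(flows, min_flows=5, max_cv=0.1):
    """Flag (src, dst, dport, proto) pairs whose flow start times are evenly spaced.

    Source ports are dropped from the key on purpose: a bot opens a new
    connection per check-in, so the per-5-tuple flows differ, but the pair
    recurs. A low coefficient of variation (stdev / mean) of the inter-start
    intervals means a timer, not a human, is driving the traffic.
    """
    starts_by_pair = defaultdict(list)
    for f in flows:
        src, dst, _sport, dport, proto = f["key"]
        starts_by_pair[(src, dst, dport, proto)].append(f["first"])

    results = {}
    for pair, starts in starts_by_pair.items():
        starts.sort()
        if len(starts) < min_flows:
            continue
        intervals = [b - a for a, b in zip(starts, starts[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            results[pair] = {"period": mean, "cv": cv, "count": len(starts)}
    return results


def sample_packets():
    """Constructed packet records: one beaconing bot and one human browsing."""
    pkts = []
    # Bot 10.0.0.5 checks in to 203.0.113.10:443 every 300 s with a little jitter;
    # each check-in is a short session of three packets on a fresh source port.
    jitter = [0.0, 1.2, -0.8, 0.5, 1.9, -1.4, 0.3, -0.6]
    for i, j in enumerate(jitter):
        t0 = i * 300.0 + j
        for k in range(3):
            pkts.append(Packet(t0 + k * 0.02, "10.0.0.5", "203.0.113.10", 40000 + i, 443, "tcp", 120))
    # Human on 10.0.0.7 fetching pages from 198.51.100.20:80 at irregular times.
    for i, t0 in enumerate([5.0, 17.0, 400.0, 402.5, 1210.0, 1215.0, 1900.0]):
        pkts.append(Packet(t0, "10.0.0.7", "198.51.100.20", 50000 + i, 80, "tcp", 600))
    return pkts


if __name__ == "__main__":
    flows = packets_to_flows(sample_packets())
    print(f"{len(flows)} flows from {len(sample_packets())} packets")
    for pair, info in beacon_candidates(flows).items():
        print("beacon candidate:", pair, f"period={info['period']:.1f}s cv={info['cv']:.3f}")
```

On the constructed input the bot pair is reported with a period of about 300 seconds and a coefficient of variation well under 0.01, while the browsing host, which also produces seven flows to one server, is not. The same logic applied to real flow exports needs a larger sample, a whitelist for legitimate timers (NTP, update checks, monitoring agents), and awareness that the outline's "local vs. global" limitation applies: a P2P or fast-flux botnet spreads its check-ins over many destinations, so grouping by a single destination will miss it.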

Prerequisites

A basic understanding of IP networking, network protocols, and routing as well as an understanding of computer security fundamentals is required. The course is intended to be useful to system administrators, network administrators and computer security practitioners and researchers.

About the Instructor

Dr. Sven Dietrich is an assistant professor in the computer science department at Stevens Institute of Technology. Prior to joining Stevens in August 2007, he was a Senior Member of the Technical Staff at CERT Research at Carnegie Mellon University and also held an appointment at the Carnegie Mellon University CyLab, a university-wide cybersecurity research and education initiative. He taught cryptography in the Mathematics and Computer Science Department at Duquesne University in Spring 2007. From 1997 to 2001, he was a senior security architect at the NASA Goddard Space Flight Center, where he observed and analyzed the first distributed denial-of-service attacks against the University of Minnesota in 1999. He taught Mathematics and Computer Science as adjunct faculty at Adelphi University, his alma mater, from 1991 to 1997. His research interests include computer and network security, anonymity, cryptographic protocols, and cryptography. His previous work has included a formal analysis of the secure sockets layer protocol (SSL), intrusion detection, analysis of distributed denial-of-service tools, and the security of IP communications in space. His publications include the book Internet Denial of Service: Attack and Defense Mechanisms (Prentice Hall, 2004), as well as recent articles on botnets.

Dr. Dietrich has a Doctor of Arts in Mathematics, a M.S. in Mathematics, and a B.S. in Computer Science and Mathematics from Adelphi University in Garden City, New York.

His web site is http://www.cs.stevens.edu/~spock/.