Bots, Zombies, and Botnets

Dr. Steven Gianvecchio

Internet of Things botnet
 Includes TV and refrigerator

Flashback hits Mac OS X
 800K Macs infected

Explosion of Android threats
 6x growth

LinkedIn, Dropbox, and other leaks
 6.5 million LinkedIn passwords hashes leaked

Java 0-days
 30% of computers vulnerable

Brazil DSL hacks
 4.5 million modems hacked

99 billion spam emails/day
 68% of all email traffic


 US banks flooded with >150Gbps of traffic
 37 million phishing attempts
▪ Password theft up 3x

What connects all of these problems?

What is a bot?
 Short for “robot”
 An automated program that operates an
application normally used by humans
▪ e.g., Web bot, Twitter bot
 Bots are not always bad
▪ e.g., Google uses bots to build its search results
(these bots are also called spiders)

What are zombies?
 Computers infected with malicious bot software
allowing them to be remotely controlled
▪ Zombie (n) 2.a.3. “in West Indian voodoo, a supernatural power
through which a corpse supposedly is brought to a state of
trancelike animation and made to obey the commands of the
person exercising the power” [Merriam-Webster]
 Typically someone’s home or office computer
(unknown to them)

What are botnets?
 Botnets are networks of zombie- or bot-infected
computers
▪ Thousands or even millions of bots
▪ 1-5% of Internet-connected computers
[Arbor10]
▪ Controlled by
independent hackers or
criminal organizations
(or military)
ZeroAccess botnet:
• ~2-3 million infections
• ~$100K/day in profits through Click Fraud
[Figure: ZeroAccess botnet - Europe infections [Fsecure12]]

Botnet Lifecycle
1. Propagation - computer is infected with malicious bot software
2. Communication - bot “phones home”, i.e., contacts its controller and awaits orders
3. Attack - bot responds to commands

The first step is “recruiting” bots
 Infect computers and install bot software
▪ Many infection methods
 Infect as many computers as possible
▪ Bigger is usually better
▪ More bots = faster propagation
(rate can be exponential)
[Figure: Infection Methods, from Security Intelligence Report ‘12 [Microsoft12]]

How bots receive commands
 Centralized: every bot reports to a single command and control server
 Peer-to-Peer: bots relay commands to each other, with no single server
 What if a node is lost?
▪ Centralized: take down the controller and the whole botnet goes silent
▪ Peer-to-Peer: the remaining bots keep relaying commands, so the botnet survives
Attacks
 Spam (about 80% is from botnets)
 Distributed Denial of Service, aka DDoS (floods host with traffic)
 Click Fraud (fake traffic or “clicks”)
 Phishing (steal passwords using fake sites)
 Identity or Data Theft
▪ Keylogging
▪ Spying
(the slide also rated each attack’s profitability, from $ to $$$)

The Turing Test
 A human judge chats with two unknown
participants: a human and computer
 Judge guesses which is human

Human Interactive Proofs
 Ideal Proof: hard for computers, easy for humans
 e.g., CAPTCHA
▪ Like Turing Test, but judge also a computer
 CAPTCHAs are hard for humans and computers 
(or maybe I’m a computer?)
 Are they still effective?

Behavioral Detection
 Humans
▪ Biological
▪ Highly complex (many systems within systems)
 Bots
▪ Automated (good at repeating things)
▪ Limited complexity (does whatever is in the code)

Can we tell them apart?

Types
 Web
 Email
 Social Network
 Online Game
 And others

Bots use these applications for propagation or
communication, or target them for attack

Bots are modular
 Could propagate via Email and communicate via Web

Bots are on Twitter and Facebook
 Friend or follow you
 Send spam or phishing links
(via Tweet or direct message)
 Send links to malicious code
(also via Tweet or direct message)

Live Twitter bots
 https://twitter.com/lizzycin - created 7-28-2013
 https://twitter.com/JustinQBarbee - created 7-28-2013
 https://twitter.com/bluelyndia - created 7-28-2013
 https://twitter.com/trekkerdeb - created 7-28-2013
 https://twitter.com/wingsaquino - created 7-28-2013
 …

Likely created by the same person?

Bots play games
 Gambling
▪ Online Poker
$$$
 Gold farming
▪ World of Warcraft
▪ Guild Wars 2
▪ Rift Online
▪ Star Wars: The Old Republic
▪…
$$$

Bot plays endlessly
 Gathers gold 24 hours a day
 Sells on virtual black market for real currency

Bot plays like a human
 “Presses” keys (changes key state)
 “Moves” mouse (changes mouse x, y coordinates)
 “Views” screen (reads color values of pixels)

Can we tell them apart from how they play?

Setup [Gianvecchio09]
 World of Warcraft
 Collect user-input recordings
▪ Log mouse and keyboard events
▪ Compute statistics
▪ 10 bots for 40 hours
▪ 30 humans for 55 hours

Bot vs Human: move efficiency
 82% of bot mouse movements are 1.0 move efficiency
▪ i.e., a straight line
 14% of human movements are 1.0 move efficiency
[Figure: distribution of move efficiency, bot vs human]

Bot vs Human: mouse speed
 Bot moves mouse at random speeds in different directions
 Human moves faster on diagonals
[Figure: mouse speed by direction of movement, bot vs human]
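As an added example (not code or data from the Gianvecchio et al. study), the following computes the move-efficiency feature from a raw mouse event stream and applies the straight-line test behind the 82% vs 14% figures above. Move efficiency is taken to be straight-line displacement divided by the distance actually travelled, which matches the slide's note that 1.0 means a straight line; the input traces, the 100 ms pause used to split the stream into moves, and the 50% decision threshold are all constructed assumptions for illustration.

```python
"""Move-efficiency feature for telling game bots from humans (added example).

Constructed traces, not recordings from the study; the efficiency definition
is displacement / path length (1.0 = straight line), and the cutoffs are
assumptions chosen for illustration.
"""
import math


def trace(t0_ms, points, step_ms=16):
    """Turn a list of (x, y) samples into (t_ms, x, y) events, one per ~60 Hz frame."""
    return [(t0_ms + i * step_ms, x, y) for i, (x, y) in enumerate(points)]


# Constructed input recordings (not measured data).
BOT_EVENTS = (
    trace(0, [(0, 0), (20, 10), (40, 20), (60, 30), (80, 40), (100, 50)])  # collinear samples
    + trace(600, [(100, 50), (100, 150), (100, 250)])                      # straight vertical
    + trace(1200, [(100, 250), (50, 250), (0, 250)])                       # straight horizontal
)
HUMAN_EVENTS = (
    trace(0, [(0, 0), (30, 20), (60, 25), (100, 10)])           # arcs toward the target
    + trace(500, [(100, 10), (90, 60), (95, 110), (120, 150)])   # wobbles on the way
    + trace(1000, [(120, 150), (160, 190), (200, 230)])          # one genuinely straight move
)


def split_moves(events, max_gap_ms=100):
    """Split a (t_ms, x, y) stream into moves wherever the mouse pauses longer than max_gap_ms."""
    moves, current, last_t = [], [], None
    for t, x, y in events:
        if last_t is not None and t - last_t > max_gap_ms:
            if len(current) > 1:
                moves.append(current)
            current = []
        current.append((x, y))
        last_t = t
    if len(current) > 1:
        moves.append(current)
    return moves


def move_efficiency(points):
    """Straight-line displacement divided by distance travelled; None if the mouse never moved."""
    path = sum(math.dist(a, b) for a, b in zip(points, points[1:]))
    if path == 0:
        return None
    return math.dist(points[0], points[-1]) / path


def straight_fraction(moves, tol=1e-6):
    """Fraction of moves whose efficiency is 1.0 within floating-point tolerance."""
    effs = [e for e in map(move_efficiency, moves) if e is not None]
    if not effs:
        return 0.0
    return sum(1 for e in effs if e >= 1.0 - tol) / len(effs)


def classify(events, threshold=0.5):
    """Assumed cutoff halfway between the slide's 82% (bot) and 14% (human) figures."""
    return "bot" if straight_fraction(split_moves(events)) >= threshold else "human"


if __name__ == "__main__":
    for name, ev in (("bot", BOT_EVENTS), ("human", HUMAN_EVENTS)):
        print(name, round(straight_fraction(split_moves(ev)), 2), classify(ev))
```

In practice a single feature like this is easy for a bot author to defeat by adding curvature and jitter, which is why the study combines several input statistics (speed by direction, for one) rather than relying on straight-line moves alone.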

Ad networks pay publishers per click
 Bots can click things!

Ad network pays botmaster (posing as a publisher) for clicks
 Thousands of bots click on the ads

Advertiser pays ad network (and gets ripped off)
 ZeroAccess (mentioned earlier) makes about $100,000/day on Click Fraud

Click Fraud Study
 Setup web page and collect clicks and mouse
movements for bots and human users [Spider.io13]

Bot vs Human
 Bot clicks and mouse
movements are
randomly distributed
 Human clicks and
movements are
focused on key areas
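As an added example (not Spider.io's code or data), the following turns the observation above into two measurable features: how evenly clicks are spread over the page, and how many of them land on the areas a real visitor would actually target. The page size, the ad and button rectangles, the constructed click sets, and the decision cutoffs are all assumptions for illustration.

```python
"""Spatial concentration of clicks as a click-fraud signal (added example).

Constructed click sets, not measured data; page size, key-area rectangles
and cutoffs are assumptions chosen for illustration.
"""
import math
from collections import Counter

PAGE_W, PAGE_H = 800, 600
# Assumed "key areas" a real visitor clicks: an ad banner and a call-to-action (x0, y0, x1, y1).
KEY_AREAS = [(0, 0, 200, 150), (400, 150, 600, 300)]

# Constructed clicks (not measured data).
BOT_CLICKS = [(100 + 200 * i, 75 + 150 * j) for j in range(4) for i in range(4)]  # one per grid cell
HUMAN_CLICKS = [(60, 40), (80, 50), (70, 45), (90, 60), (65, 55), (85, 40), (75, 50), (95, 65),
                (450, 200), (470, 210), (460, 190), (480, 220)]


def grid_cell(x, y, n=4, width=PAGE_W, height=PAGE_H):
    """Map a click to one of n x n equal cells (clicks on the far edge fall in the last cell)."""
    return (min(int(x * n / width), n - 1), min(int(y * n / height), n - 1))


def click_entropy(clicks, n=4):
    """Normalized Shannon entropy over the grid: 1.0 = spread evenly, 0.0 = all in one cell."""
    counts = Counter(grid_cell(x, y, n) for x, y in clicks)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(n * n)


def key_area_fraction(clicks, areas=KEY_AREAS):
    """Fraction of clicks landing inside any rectangle a real visitor would target."""
    if not clicks:
        return 0.0
    inside = sum(1 for x, y in clicks
                 if any(x0 <= x <= x1 and y0 <= y <= y1 for x0, y0, x1, y1 in areas))
    return inside / len(clicks)


def looks_automated(clicks, entropy_cutoff=0.7, area_cutoff=0.5):
    """Assumed rule: evenly spread clicks that mostly miss the key areas look like a bot."""
    return click_entropy(clicks) >= entropy_cutoff and key_area_fraction(clicks) < area_cutoff


if __name__ == "__main__":
    for name, clicks in (("bot", BOT_CLICKS), ("human", HUMAN_CLICKS)):
        print(name, round(click_entropy(clicks), 3), key_area_fraction(clicks), looks_automated(clicks))
```

These features are per-session, so a fraud operator who learns the page layout can aim clicks at the key areas; the signal then has to come from the other side of the study, the mouse movements leading up to the click, and from correlating many sessions rather than judging one.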

Focus on the Botnet Lifecycle
 1. Propagation / 2. Communication / 3. Attack

Detecting Botnet Propagation
 Look for attempts to infect other machines
 Exploits change regularly
 Very hard
▪ If we could reliably detect exploits, we wouldn’t have the
botnet problem

Detecting Botnet Communication
 Look for communication with command and
control server
▪ Bots often contact their controller at regular intervals,
e.g., every 5 minutes
 Clustering works well
▪ Lots of computers doing the same thing
 Identify the bots and command and control
servers

Detecting Botnet Attacks
 Look for bots attacking or targeting systems
 Only identifies the bots involved in the attack
 Lots of different techniques needed to detect
attacks
▪ Spam, DDoS, Click Fraud, Phishing, etc.

Set up a network of unpatched computers (a honeynet)
 Must be isolated from primary network

Get infected

Monitor the network
 Collect logs
 Learn about the bots

Can monitor individual bots to discover their controller
 Target the controller, not the bots
 Take down or take over the botnet
 Symantec recently disabled 500,000 bots from ZeroAccess using this approach [Symantec13]



Bots are a major security problem
Botnets are the source of most cyber attacks
Can detect them in various ways
 Bot vs human behavior
 Also, propagation / communication / attack

Can disrupt them by taking down or taking
over parts of the botnet

Interested students (or faculty) that want to get
involved in bot, online game, or social network
research can contact Dr. Gianvecchio,
[email protected].





[Arbor10] “Analyzing and understanding botnets.” Jose Nazario.
[AFJ08] “Carpet bombing in cyberspace: Why America needs a military botnet.” Charles Williamson.
[Kaspersky13] “The evolution of phishing attacks: 2011-2013.” Kaspersky Labs.
[Pingdom13] “Internet 2012 in numbers.” Pingdom.
[ZDnet12] “10 Security stories that shaped 2012.” Ryan Naraine.
[Symantec13] “Grappling with the ZeroAccess botnet.” Ross Gibb and Vikram Thakur.
[Gianvecchio09] “Battle of Botcraft: Fighting Bots in Online Games using Human Observational Proofs.” Steven Gianvecchio, Zhenyu Wu, Mengjun Xie, and Haining Wang.