Speaker: Byung-Hoon Kang, University of North Carolina at Charlotte
When: 2009-01-14 10:00
Place: Room 309-1, Bldg 302, SNU
Abstract
Modern advanced botnets may employ a decentralized peer-to-peer overlay
network to bootstrap and maintain their command and control channels,
making them more resilient to traditional mitigation efforts such as
server incapacitation. As an alternative strategy, the malware defense
community has been trying to identify the bot-infected hosts and
enumerate the IP addresses of the participating nodes so that the list
can be used by system administrators to identify local infections, block
spam emails sent from bots, and configure firewalls to protect local
users. Enumerating the infected hosts, however, has presented
challenges. One cannot identify infected hosts behind firewalls or NAT
devices by employing crawlers, a commonly used enumeration technique in
which recursive get-peerlist lookup requests are sent to newly discovered
IP addresses of infected hosts. As many bot-infected machines in homes
or offices are behind firewall or NAT devices, these crawler-based
enumeration methods would miss a large portion of botnet infections.
In this talk, I will present the Passive P2P Monitor (PPM), which can
enumerate the infected hosts regardless of whether they are behind a
firewall or NAT. As an empirical study, we examined the Storm botnet and
enumerated its infected hosts using the PPM. We also improve our PPM
design by incorporating a FireWall Checker (FWC) to identify nodes
behind a firewall. Our experiment with the peer-to-peer Storm botnet
shows that more than 40% of bots that contact the PPM are behind
firewall or NAT devices, implying that crawler-based enumeration
techniques would miss a significant portion of the botnet
population. Finally, we show that the PPM's coverage follows a
probability-based coverage model that we derived from our empirical
observation of the Storm botnet.
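The following simulation is an added illustration of the contrast the abstract draws, not code from the talk or from the PPM project. It builds a constructed peer-to-peer overlay in which a configurable share of nodes sit behind NAT or a firewall (the 40% here is only a parameter borrowed from the abstract's Storm measurement, not a reproduction of it), then runs two enumeration strategies over it: a crawler that recursively sends get-peerlist requests, and a passive monitor that joins the overlay and records every node that contacts it, with a firewall-checker step that probes back toward each contacting host. The node ids, the monitor id `ppm`, the gossip rule by which the monitor's address spreads, and all population sizes are assumptions made for the example.

```python
import random
from collections import deque

MONITOR = "ppm"  # node id of the passive monitor (constructed for this example)


def build_overlay(n_nodes=200, nat_fraction=0.4, peers_per_node=8, seed=7):
    """Constructed overlay: node ids 0..n-1, a NAT/firewall flag per node and a
    peer list per node. Only publicly reachable nodes accept inbound connections,
    so only they are advertised in other nodes' peer lists (the modelling
    assumption behind the crawler blind spot)."""
    rng = random.Random(seed)
    behind_nat = {i: rng.random() < nat_fraction for i in range(n_nodes)}
    public = [i for i in range(n_nodes) if not behind_nat[i]]
    peerlists = {}
    for i in range(n_nodes):
        pool = [p for p in public if p != i]
        peerlists[i] = set(rng.sample(pool, min(peers_per_node, len(pool))))
    return behind_nat, peerlists


def crawl(peerlists, behind_nat, seed_node):
    """Crawler-based enumeration: send get-peerlist to each newly learned address
    and recurse. A request to a host behind NAT/firewall is never answered, and
    such hosts are never advertised, so the crawler only ever sees public nodes."""
    found, queue = set(), deque([seed_node])
    while queue:
        node = queue.popleft()
        if node in found:
            continue
        found.add(node)
        if behind_nat[node]:
            continue  # inbound blocked: no peer list to learn from
        queue.extend(p for p in peerlists[node] if p not in found)
    return found


def passive_monitor(peerlists, behind_nat, rounds=6, advertise_to=10, seed=7):
    """Passive P2P Monitor: join the overlay as an ordinary public node and record
    every address that sends a request, NAT or not (outbound traffic is allowed).
    Each round every bot pings its peers; pinging a public peer also merges that
    peer's list, which is how the monitor's address spreads (assumed gossip rule).
    The firewall checker (FWC) attempts an inbound connection back to each
    contacting host; a failed probe marks the host as behind a firewall/NAT."""
    rng = random.Random(seed)
    lists = {n: set(ps) for n, ps in peerlists.items()}
    lists[MONITOR] = set()  # the monitor never initiates contact
    for n in rng.sample(sorted(n for n in lists if n != MONITOR), advertise_to):
        lists[n].add(MONITOR)  # initial advertisement of the monitor's address
    seen, fwc = set(), {}
    for _ in range(rounds):
        for node in list(lists):
            if node == MONITOR:
                continue
            for peer in list(lists[node]):
                if peer == MONITOR:
                    seen.add(node)
                    fwc[node] = behind_nat[node]  # inbound probe fails iff behind NAT
                elif not behind_nat[peer]:
                    lists[node] |= lists[peer]
    return seen, fwc


def compare_enumeration(**overlay_kwargs):
    """Run both strategies on one constructed overlay and summarise coverage."""
    behind_nat, peerlists = build_overlay(**overlay_kwargs)
    seed_node = next(n for n in peerlists if not behind_nat[n])
    crawled = crawl(peerlists, behind_nat, seed_node)
    seen, fwc = passive_monitor(peerlists, behind_nat)
    flagged = sum(1 for n in seen if fwc[n])
    return {
        "population": len(peerlists),
        "crawler_found": len(crawled),
        "crawler_found_behind_fw": sum(1 for n in crawled if behind_nat[n]),
        "ppm_found": len(seen),
        "ppm_found_behind_fw": flagged,
        "ppm_behind_fw_share": flagged / len(seen) if seen else 0.0,
        "fwc_correct": all(fwc[n] == behind_nat[n] for n in seen),
    }


if __name__ == "__main__":
    print(compare_enumeration())
```

The crawler's count is bounded by the number of publicly reachable nodes, while the monitor's count grows with how widely its address has propagated, which is the property the abstract's coverage model is concerned with; the FWC labels here are exact only because the simulation has no transient connectivity failures, a caveat that applies to any real inbound probe.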
If time permits, I will present our research efforts in understanding
and mitigating other bot-related crimewares such as banking trojans and
info-stealing malware. I will first describe the overall landscape of
banking trojans with in-depth analysis of the related toolkits that are
used by cyber criminals to customize a trojan. I will then present how
current mitigation efforts such as multi-factor authentication have been
circumvented by the new tricks employed by trojans. I will also discuss
a recent attack on a major U.S. bank through DNS TLD registry hijacking
as a result of spear-phishing a sys-admin, and conclude with open
research issues in this area.
Short bio
Dr. Kang is currently an assistant professor at the College of Computing
and Informatics at University of North Carolina at Charlotte (UNCC). He
leads the Infrastructure Systems Research Lab at UNCC which explores the
secure architecting of large-scale infrastructure systems. Through the
lab, he has worked on (1) securing email infrastructure, (2) research on
malware and botnet enumeration and (3) topics such as “premise-aware
data protection infrastructure”, and “IT infrastructure design for
regulation compliance”. Recently, he has been working with a group of
IA (Information Assurance) students in researching malware and bot
infection behavior as part of the Global Honeynet Research Alliance.
Dr. Kang received his Ph.D. from the University of California at
Berkeley, M.S. from the University of Maryland at College Park, and B.S.
from the Seoul National University.