This commit is contained in:
Valentin Brandl 2022-09-20 18:47:25 +02:00
parent 29745dbd7a
commit 8bb20127a9
No known key found for this signature in database
GPG Key ID: 62E7C7F2C48DBBF2
4 changed files with 45 additions and 480 deletions


@ -2,4 +2,9 @@
short = {BOF}, short = {BOF},
long = {Buffer Overflow}, long = {Buffer Overflow},
} }
\DeclareAcronym{aslr}{
short = {ASLR},
long = {Address Space Layout Randomization},
}
% vim: set filetype=tex ts=2 sw=2 tw=0 et : % vim: set filetype=tex ts=2 sw=2 tw=0 et :


@ -1,478 +1,8 @@
@article{bib:persistentstruct, @InProceedings{Dep2007,
author = {James R Driscoll and Neil Sarnak and Daniel D. Sleator and Robert E. Tarjan}, author={{{Condit}, Jeremy and {Harren}, Matthew and {Anderson}, Zachary and
title = {Making Data Structures Persistent}, {Gay}, David and {Necula}, George C.}},
journal = {Journal of Computer and System Sciences}, title={{Dependent Types for Low-Level Programming}},
year = {1989}, booktitle={{Programming Languages and Systems}},
month = {02}, year={2007}
volume = {Vol. 38, No. 1},
pages = {86-124}
} }
@article{bib:zhang_building_2014,
title = {Building a Scalable System for Stealthy P2P-Botnet Detection},
volume = {9},
issn = {1556-6013, 1556-6021},
url = {http://ieeexplore.ieee.org/document/6661360/},
doi = {10.1109/TIFS.2013.2290197},
pages = {27--38},
number = {1},
journaltitle = {{IEEE} Transactions on Information Forensics and Security},
shortjournal = {{IEEE} Trans.Inform.Forensic Secur.},
author = {Zhang, Junjie and Perdisci, Roberto and Lee, Wenke and Luo, Xiapu and Sarfraz, Unum},
urldate = {2021-11-09},
date = {2014-01},
file = {Full Text:/home/me/Zotero/storage/PFXP8NLV/Zhang et al. - 2014 - Building a Scalable System for Stealthy P2P-Botnet.pdf:application/pdf}
}
@inproceedings{bib:botgrep2010,
author = {Nagaraja, Shishir and Mittal, Prateek and Hong, Chi-Yao and Caesar, Matthew and Borisov, Nikita},
title = {BotGrep: Finding P2P Bots with Structured Graph Analysis},
year = {2010},
isbn = {8887666655554},
publisher = {USENIX Association},
address = {USA},
abstract = {A key feature that distinguishes modern botnets from earlier counterparts is their increasing use of structured overlay topologies. This lets them carry out sophisticated coordinated activities while being resilient to churn, but it can also be used as a point of detection. In this work, we devise techniques to localize botnet members based on the unique communication patterns arising from their overlay topologies used for command and control. Experimental results on synthetic topologies embedded within Internet traffic traces from an ISP's backbone network indicate that our techniques (i) can localize the majority of bots with low false positive rate, and (ii) are resilient to incomplete visibility arising from partial deployment of monitoring systems and measurement inaccuracies from dynamics of background traffic.},
booktitle = {Proceedings of the 19th USENIX Conference on Security},
pages = {7},
numpages = {1},
location = {Washington, DC},
series = {USENIX Security'10},
}
@inproceedings{bib:botminer2008,
author = {Gu, Guofei and Perdisci, Roberto and Zhang, Junjie and Lee, Wenke},
title = {BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection},
year = {2008},
publisher = {USENIX Association},
address = {USA},
abstract = {Botnets are now the key platform for many Internet attacks, such as spam, distributed denial-of-service (DDoS), identity theft, and phishing. Most of the current botnet detection approaches work only on specific botnet command and control (C&C) protocols (e.g., IRC) and structures (e.g., centralized), and can become ineffective as botnets change their C&C techniques. In this paper, we present a general detection framework that is independent of botnet C&C protocol and structure, and requires no a priori knowledge of botnets (such as captured bot binaries and hence the botnet signatures, and C&C server names/addresses). We start from the definition and essential properties of botnets. We define a botnet as a coordinated group of malware instances that are controlled via C&C communication channels. The essential properties of a botnet are that the bots communicate with some C&C servers/peers, perform malicious activities, and do so in a similar or correlated way. Accordingly, our detection framework clusters similar communication traffic and similar malicious traffic, and performs cross cluster correlation to identify the hosts that share both similar communication patterns and similar malicious activity patterns. These hosts are thus bots in the monitored network. We have implemented our BotMiner prototype system and evaluated it using many real network traces. The results show that it can detect real-world botnets (IRC-based, HTTP-based, and P2P botnets including Nugache and Storm worm), and has a very low false positive rate.},
booktitle = {Proceedings of the 17th Conference on Security Symposium},
pages = {139154},
numpages = {16},
location = {San Jose, CA},
series = {SS'08},
}
@incollection{bib:kim_survey_2012,
location = {Dordrecht},
title = {A Survey on P2P Botnet Detection},
volume = {120},
isbn = {978-94-007-2910-0 978-94-007-2911-7},
url = {http://link.springer.com/10.1007/978-94-007-2911-7_56},
pages = {589--593},
booktitle = {Proceedings of the International Conference on {IT} Convergence and Security 2011},
publisher = {Springer Netherlands},
author = {Han, Kyoung-Soo and Im, Eul Gyu},
editor = {Kim, Kuinam J. and Ahn, Seong Jin},
urldate = {2021-11-11},
date = {2012},
doi = {10.1007/978-94-007-2911-7_56},
note = {Series Title: Lecture Notes in Electrical Engineering},
file = {Full Text:/home/me/Zotero/storage/CMFWF58V/Han and Im - 2012 - A Survey on P2P Botnet Detection.pdf:application/pdf}
}
@online{bib:statista_iot_2020,
title = {Number of Internet of Things (IoT) Connected Devices Worldwide from 2019 to 2030},
organization = {Statista Inc.},
publisher = {Transforma Insights},
date = {2020-12},
url = {https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/},
urldate = {2021-11-11},
archiveurl = {https://web.archive.org/web/20211025185804/https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/},
archivedate = {2021-10-25}
}
@online{bib:msZloader,
title = {Notorious cybercrime gangs botnet disrupted},
organization = {Microsoft},
author = {Hogan-Burney, Amy},
url = {https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/},
urldate = {2022-04-15},
archiveurl = {https://web.archive.org/web/20220413210653/https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/},
archivedate = {2022-04-13},
}
@online{bib:fbiTakedown2014,
title = {Taking Down Botnets},
organization = {Federal Bureau of Investigation},
author = {Joseph Demarest},
date = {2014-07-15},
url = {https://www.fbi.gov/news/testimony/taking-down-botnets},
urldate = {2022-03-23},
archiveurl = {https://web.archive.org/web/20220318082034/https://www.fbi.gov/news/testimony/taking-down-botnets},
archiveurldate = {2022-03-18},
}
@online{bib:statista_broadband_2021,
title = {Availability of broadband internet to households in Germany from 2017 to 2020, by bandwidth class},
organization = {Statista Inc.},
publisher = {BMVI},
date = {2021-08-16},
url = {https://www.statista.com/statistics/460180/broadband-availability-by-bandwidth-class-germany/},
urldate = {2021-11-11},
archiveurl = {https://web.archive.org/web/20210309010747/https://www.statista.com/statistics/460180/broadband-availability-by-bandwidth-class-germany/},
archivedate = {2021-03-09}
}
@online{bib:ars_ddos_2016,
title = {Brace yourselves --- source code powering potent IoT DDoSes just went public},
date = {2016-10-02},
author = {Dan Goodin},
organization = {Ars Technica},
url = {https://arstechnica.com/information-technology/2016/10/brace-yourselves-source-code-powering-potent-iot-ddoses-just-went-public/},
urldate = {2021-11-11},
archiveurl = {https://web.archive.org/web/20211022032617/https://arstechnica.com/information-technology/2016/10/brace-yourselves-source-code-powering-potent-iot-ddoses-just-went-public/},
archivedate = {2021-10-22},
}
@online{bib:netlab_mozi,
title = {The Mostly Dead Mozi and Its' Lingering Bots},
date = {2021-08-30},
author = {Turing, Alex and Wang, Hui and Ye, Genshen},
organization = {360 Netlab},
url = {https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/},
urldate = {2022-04-07},
archiveurl = {https://web.archive.org/web/20220130162722/https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/},
archivedate = {2022-01-30},
}
@article{bib:fan_p2p_2014,
title = {A P2P Botnet Detection Method Used On-line Monitoring and Off-line Detection},
volume = {8},
issn = {17389976, 17389976},
url = {http://article.nadiapub.com/IJSIA/vol8_no3/10.pdf},
doi = {10.14257/ijsia.2014.8.3.10},
pages = {87--96},
number = {3},
journaltitle = {International Journal of Security and Its Applications},
shortjournal = {{IJSIA}},
author = {Fan, Yuhui and Xu, Ning},
urldate = {2021-11-11},
date = {2014-05-31},
file = {Full Text:/home/me/Zotero/storage/7UI2IFIL/Fan and Xu - 2014 - A P2P Botnet Detection Method Used On-line Monitor.pdf:application/pdf}
}
@inproceedings{bib:bock_poster_2019,
location = {London United Kingdom},
title = {Poster: Challenges of Accurately Measuring Churn in P2P Botnets},
isbn = {978-1-4503-6747-9},
url = {https://dl.acm.org/doi/10.1145/3319535.3363281},
doi = {10.1145/3319535.3363281},
shorttitle = {Challenges of Accurately Measuring Churn in P2P Botnets},
eventtitle = {{CCS} '19: 2019 {ACM} {SIGSAC} Conference on Computer and Communications Security},
pages = {2661--2663},
booktitle = {Proceedings of the 2019 {ACM} {SIGSAC} Conference on Computer and Communications Security},
publisher = {{ACM}},
author = {Böck, Leon and Karuppayah, Shankar and Fong, Kory and Mühlhäuser, Max and Vasilomanolakis, Emmanouil},
urldate = {2021-11-12},
date = {2019-11-06},
langid = {english},
file = {Böck et al. - 2019 - Poster Challenges of Accurately Measuring Churn i.pdf:/home/me/Zotero/storage/FGQXMN3H/Böck et al. - 2019 - Poster Challenges of Accurately Measuring Churn i.pdf:application/pdf}
}
@inproceedings{bib:karuppayah_boobytrap_2016,
location = {Kuala Lumpur, Malaysia},
title = {{BoobyTrap}: On autonomously detecting and characterizing crawlers in P2P botnets},
isbn = {978-1-4799-6664-6},
url = {http://ieeexplore.ieee.org/document/7510885/},
doi = {10.1109/ICC.2016.7510885},
shorttitle = {{BoobyTrap}},
eventtitle = {{ICC} 2016 - 2016 {IEEE} International Conference on Communications},
pages = {1--7},
booktitle = {2016 {IEEE} International Conference on Communications ({ICC})},
publisher = {{IEEE}},
author = {Karuppayah, Shankar and Vasilomanolakis, Emmanouil and Haas, Steffen and Muhlhauser, Max and Fischer, Mathias},
urldate = {2021-11-12},
date = {2016-05},
file = {Karuppayah et al. - 2016 - BoobyTrap On autonomously detecting and character.pdf:/home/me/Zotero/storage/UAUH5ZAN/Karuppayah et al. - 2016 - BoobyTrap On autonomously detecting and character.pdf:application/pdf}
}
@inproceedings{bib:andriesse_reliable_2015,
location = {Tokyo Japan},
title = {Reliable Recon in Adversarial Peer-to-Peer Botnets},
isbn = {978-1-4503-3848-6},
url = {https://dl.acm.org/doi/10.1145/2815675.2815682},
doi = {10.1145/2815675.2815682},
eventtitle = {{IMC} '15: Internet Measurement Conference},
pages = {129--140},
booktitle = {Proceedings of the 2015 Internet Measurement Conference},
publisher = {{ACM}},
author = {Andriesse, Dennis and Rossow, Christian and Bos, Herbert},
urldate = {2021-11-16},
date = {2015-10-28},
langid = {english},
file = {Andriesse et al. - 2015 - Reliable Recon in Adversarial Peer-to-Peer Botnets.pdf:/home/me/Zotero/storage/YJZMYTCB/Andriesse et al. - 2015 - Reliable Recon in Adversarial Peer-to-Peer Botnets.pdf:application/pdf}
}
@inproceedings{bib:karuppayah_sensorbuster_2017,
title = {{{SensorBuster}}: {{On Identifying Sensor Nodes}} in {{P2P Botnets}}},
shorttitle = {{{SensorBuster}}},
booktitle = {Proceedings of the 12th {{International Conference}} on {{Availability}}, {{Reliability}} and {{Security}}},
author = {Karuppayah, Shankar and Böck, Leon and Grube, Tim and Manickam, Selvakumar and Mühlhäuser, Max and Fischer, Mathias},
date = {2017-08-29},
pages = {1--6},
publisher = {{Association for Computing Machinery}},
location = {{New York, NY, USA}},
doi = {10.1145/3098954.3098991},
url = {https://doi.org/10.1145/3098954.3098991},
urldate = {2021-03-23},
abstract = {The ever-growing number of cyber attacks originating from botnets has made them one of the biggest threat to the Internet ecosystem. Especially P2P-based botnets like ZeroAccess and Sality require special attention as they have been proven to be very resilient against takedown attempts. To identify weaknesses and to prepare takedowns more carefully it is thus a necessity to monitor them by crawling and deploying sensor nodes. This in turn provokes botmasters to come up with monitoring countermeasures to protect their assets. Most existing anti-monitoring countermeasures focus mainly on the detection of crawlers and not on the detection of sensors deployed in a botnet. In this paper, we propose two sensor detection mechanisms called SensorRanker and SensorBuster. We evaluate these mechanisms in two real world botnets, Sality and ZeroAccess. Our results indicate that SensorRanker and SensorBuster are able to detect up to 17 sensors deployed in Sality and four within ZeroAccess.},
file = {/home/me/Zotero/storage/ZDUFTXYY/Karuppayah et al. - 2017 - SensorBuster On Identifying Sensor Nodes in P2P B.pdf},
isbn = {978-1-4503-5257-4},
keywords = {Anti-monitoring,Countermeasure,Detection,P2P Botnet,Sensor},
series = {{{ARES}} '17}
}
@report{bib:page_pagerank_1998,
title = {{The PageRank Citation Ranking: Bringing Order to the Web}},
shorttitle = {{The PageRank Citation Ranking}},
author = {Page, Lawrence and Brin, Sergey and Motwani, Rajeev and Winograd, Terry},
date = {1998-01-29},
url = {http://ilpubs.stanford.edu:8090/422/1/1999-66.pdf},
urldate = {2021-11-30},
abstract = {The importance of a Web page is an inherently subjective matter, which depends on the readers interests, knowledge and attitudes. But there is still much that can be said objectively about the relative importance of Web pages. This paper describ es PageRank, a method for rating Web pages objectively and mechanically, effectively measuring the human interest and attention devoted to them. We compare PageRank to an idealized random Web surfer. We show how to efficiently compute PageRank for large numbers of pages. And, we show how to apply PageRank to search and to user navigation.}
}
@inproceedings{bib:andriesse_goz_2013,
title = {Highly Resilient Peer-to-Peer Botnets Are Here: {{An}} Analysis of {{Gameover Zeus}}},
shorttitle = {Highly Resilient Peer-to-Peer Botnets Are Here},
booktitle = {2013 8th {{International Conference}} on {{Malicious}} and {{Unwanted Software}}: "{{The Americas}}" ({{MALWARE}})},
author = {Andriesse, Dennis and Rossow, Christian and Stone-Gross, Brett and Plohmann, Daniel and Bos, Herbert},
date = {2013-10},
pages = {116--123},
publisher = {{IEEE}},
location = {{Fajardo, PR, USA}},
doi = {10.1109/MALWARE.2013.6703693},
url = {https://ieeexplore.ieee.org/document/6703693/},
urldate = {2022-02-27},
eventtitle = {2013 8th {{International Conference}} on {{Malicious}} and {{Unwanted Software}}: "{{The Americas}}" ({{MALWARE}})},
isbn = {978-1-4799-2534-6 978-1-4799-2535-3},
file = {/home/me/Zotero/storage/R3AAQR9Q/Andriesse et al. - 2013 - Highly resilient peer-to-peer botnets are here An.pdf}
}
@inproceedings{bib:stutzbach_churn_2006,
title = {Understanding Churn in Peer-to-Peer Networks},
booktitle = {Proceedings of the 6th {{ACM SIGCOMM}} on {{Internet}} Measurement - {{IMC}} '06},
author = {Stutzbach, Daniel and Rejaie, Reza},
date = {2006},
pages = {189},
publisher = {{ACM Press}},
location = {{Rio de Janeriro, Brazil}},
doi = {10.1145/1177080.1177105},
url = {http://portal.acm.org/citation.cfm?doid=1177080.1177105},
urldate = {2022-03-08},
eventtitle = {The 6th {{ACM SIGCOMM}}},
isbn = {978-1-59593-561-8},
langid = {english}
}
@inproceedings{bib:rossow_sok_2013,
location = {Berkeley, {CA}, {USA}},
title = {{SoK}: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets},
isbn = {978-1-4673-6166-8 978-0-7695-4977-4},
url = {https://ieeexplore.ieee.org/document/6547104/},
doi = {10.1109/SP.2013.17},
shorttitle = {{SoK}},
eventtitle = {2013 {IEEE} Symposium on Security and Privacy ({SP}) Conference dates subject to change},
pages = {97--111},
booktitle = {2013 {IEEE} Symposium on Security and Privacy},
publisher = {{IEEE}},
author = {Rossow, Christian and Andriesse, Dennis and Werner, Tillmann and Stone-Gross, Brett and Plohmann, Daniel and Dietrich, Christian J. and Bos, Herbert},
urldate = {2022-03-15},
date = {2013-05},
file = {Submitted Version:/home/me/Zotero/storage/7T8RDXXF/Rossow et al. - 2013 - SoK P2PWNED - Modeling and Evaluating the Resilie.pdf:application/pdf}
}
@inproceedings{bib:antonakakis_dga_2012,
author = {Manos Antonakakis and Roberto Perdisci and Yacin Nadji and Nikolaos Vasiloglou and Saeed Abu-Nimeh and Wenke Lee and David Dagon},
title = {From {Throw-Away} Traffic to Bots: Detecting the Rise of {DGA-Based} Malware},
booktitle = {21st USENIX Security Symposium (USENIX Security 12)},
year = {2012},
isbn = {978-931971-95-9},
address = {Bellevue, WA},
pages = {491--506},
url = {https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/antonakakis},
publisher = {USENIX Association},
month = aug,
}
@inproceedings{bib:pantic_covert_2015,
location = {Los Angeles, {CA}, {USA}},
title = {Covert Botnet Command and Control Using Twitter},
isbn = {978-1-4503-3682-6},
url = {http://dl.acm.org/citation.cfm?doid=2818000.2818047},
doi = {10.1145/2818000.2818047},
eventtitle = {the 31st Annual Computer Security Applications Conference},
pages = {171--180},
booktitle = {Proceedings of the 31st Annual Computer Security Applications Conference on - {ACSAC} 2015},
publisher = {{ACM} Press},
author = {Pantic, Nick and Husain, Mohammad I.},
urldate = {2022-03-15},
date = {2015},
langid = {english}
}
@inproceedings{bib:nazario_as_2008,
location = {Fairfax, {VI}},
title = {As the net churns: Fast-flux botnet observations},
isbn = {978-1-4244-3288-2},
url = {https://ieeexplore.ieee.org/document/4690854/},
doi = {10.1109/MALWARE.2008.4690854},
shorttitle = {As the net churns},
eventtitle = {2008 3rd International Conference on Malicious and Unwanted Software ({MALWARE})},
pages = {24--31},
booktitle = {2008 3rd International Conference on Malicious and Unwanted Software ({MALWARE})},
publisher = {{IEEE}},
author = {Nazario, Jose and Holz, Thorsten},
urldate = {2022-03-15},
date = {2008-10}
}
@inproceedings{bib:nadji_beheading_2013,
location = {Berlin, Germany},
title = {Beheading hydras: performing effective botnet takedowns},
isbn = {978-1-4503-2477-9},
url = {http://dl.acm.org/citation.cfm?doid=2508859.2516749},
doi = {10.1145/2508859.2516749},
shorttitle = {Beheading hydras},
eventtitle = {the 2013 {ACM} {SIGSAC} conference},
pages = {121--132},
booktitle = {Proceedings of the 2013 {ACM} {SIGSAC} conference on Computer \& communications security - {CCS} '13},
publisher = {{ACM} Press},
author = {Nadji, Yacin and Antonakakis, Manos and Perdisci, Roberto and Dagon, David and Lee, Wenke},
urldate = {2022-03-15},
date = {2013},
langid = {english}
}
@article{bib:nadji_still_2017,
title = {Still Beheading Hydras: Botnet Takedowns Then and Now},
volume = {14},
issn = {1545-5971},
url = {http://ieeexplore.ieee.org/document/7312442/},
doi = {10.1109/TDSC.2015.2496176},
shorttitle = {Still Beheading Hydras},
pages = {535--549},
number = {5},
journaltitle = {{IEEE} Transactions on Dependable and Secure Computing},
shortjournal = {{IEEE} Trans. Dependable and Secure Comput.},
author = {Nadji, Yacin and Perdisci, Roberto and Antonakakis, Manos},
urldate = {2022-03-17},
date = {2017-09-01}
}
@report{bib:falliere_sality_2011,
title = {{Sality: Story of a Peer-to-Peer Viral Network}},
author = {{Falliere, Nicolas}},
date = {2011-07},
organization = {Symantec},
url = {https://papers.vx-underground.org/archive/Symantec/sality-story-of-peer-to-peer-11-en.pdf},
urldate = {2022-03-16},
archiveurl = {https://web.archive.org/web/20161223003320/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf},
archivedate = {2016-12-23},
}
@inproceedings{bib:dittrich_takeover_2012,
doi = {10.5555/2228340.2228349},
author = {Dittrich, David},
title = {So You Want to Take over a Botnet},
year = {2012},
publisher = {USENIX Association},
address = {USA},
abstract = {Computer criminals regularly construct large distributed attack networks comprised of many thousands of compromised computers around the globe. Once constituted, these attack networks are used to perform computer crimes, creating yet other sets of victims of secondary computer crimes, such as denial of service attacks, spam delivery, theft of personal and financial information for performing fraud, exfiltration of proprietary information for competitive advantage (industrial espionage), etc.The arms race between criminal actors who create and operate botnets and the computer security industry and research community who are actively trying to take these botnets down is escalating in aggressiveness. As the sophistication level of botnet engineering and operations increases, so does the demand on reverse engineering, understanding weaknesses in design that can be exploited on the defensive (or counter-offensive) side, and the possibility that actions to take down or eradicate the botnet may cause unintended consequences.},
booktitle = {Proceedings of the 5th USENIX Conference on Large-Scale Exploits and Emergent Threats},
pages = {6},
numpages = {1},
location = {San Jose, CA},
series = {LEET'12}
}
@article{bib:wangCollisions,
title={Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD},
author={Wang, Xiaoyun and Feng, Dengguo and Lai, Xuejia and Yu, Hongbo},
journal={Cryptology EPrint Archive},
year={2004}
}
@article{bib:stevensCollision,
author = {Marc Stevens},
title = {Fast Collision Attack on MD5},
howpublished = {Cryptology ePrint Archive, Report 2006/104},
year = {2006},
note = {\url{https://ia.cr/2006/104}},
}
@incollection{bib:baileyNextGen,
location = {Cham},
title = {Next Generation P2P Botnets: Monitoring Under Adverse Conditions},
volume = {11050},
isbn = {978-3-030-00469-9 978-3-030-00470-5},
url = {http://link.springer.com/10.1007/978-3-030-00470-5\_24},
shorttitle = {Next Generation P2P Botnets},
pages = {511--531},
booktitle = {Research in Attacks, Intrusions, and Defenses},
publisher = {Springer International Publishing},
author = {Böck, Leon and Vasilomanolakis, Emmanouil and Mühlhäuser, Max and Karuppayah, Shankar},
editor = {Bailey, Michael and Holz, Thorsten and Stamatogiannakis, Manolis and Ioannidis, Sotiris},
urldate = {2022-04-08},
date = {2018},
doi = {10.1007/978-3-030-00470-5_24},
note = {Series Title: Lecture Notes in Computer Science},
file = {Full Text:/home/me/Zotero/storage/UGX3MEA7/Böck et al. - 2018 - Next Generation P2P Botnets Monitoring Under Adve.pdf:application/pdf}
}
@incollection{bib:carnaNetworkTelescope2014,
location = {Cham},
title = {The Carna Botnet Through the Lens of a Network Telescope},
volume = {8352},
isbn = {978-3-319-05301-1 978-3-319-05302-8},
url = {http://link.springer.com/10.1007/978-3-319-05302-8\_26},
pages = {426--441},
booktitle = {Foundations and Practice of Security},
publisher = {Springer International Publishing},
author = {Le Malécot, Erwan and Inoue, Daisuke},
editor = {Danger, Jean Luc and Debbabi, Mourad and Marion, Jean-Yves and Garcia-Alfaro, Joaquin and Zincir Heywood, Nur},
urldate = {2022-04-16},
date = {2014},
doi = {10.1007/978-3-319-05302-8_26},
note = {Series Title: Lecture Notes in Computer Science}
}
@incollection{bib:kademlia2002,
location = {Berlin, Heidelberg},
title = {Kademlia: A Peer-to-Peer Information System Based on the {XOR} Metric},
volume = {2429},
isbn = {978-3-540-44179-3 978-3-540-45748-0},
url = {http://link.springer.com/10.1007/3-540-45748-8_5},
shorttitle = {Kademlia},
pages = {53--65},
booktitle = {Peer-to-Peer Systems},
publisher = {Springer Berlin Heidelberg},
author = {Maymounkov, Petar and Mazières, David},
editor = {Druschel, Peter and Kaashoek, Frans and Rowstron, Antony},
editorb = {Goos, Gerhard and Hartmanis, Juris and van Leeuwen, Jan},
editorbtype = {redactor},
urldate = {2022-04-16},
date = {2002},
doi = {10.1007/3-540-45748-8_5},
note = {Series Title: Lecture Notes in Computer Science}
}
@article{greengard_war_2012,
title = {The war against botnets},
volume = {55},
issn = {0001-0782, 1557-7317},
url = {https://dl.acm.org/doi/10.1145/2076450.2076456},
doi = {10.1145/2076450.2076456},
abstract = {Increasingly sophisticated botnets have emerged during the last several years. However, security researchers, businesses, and governments are attacking botnets from a number of different angles---and sometimes winning.},
pages = {16--18},
number = {2},
journaltitle = {Communications of the {ACM}},
shortjournal = {Commun. {ACM}},
author = {Greengard, Samuel},
urldate = {2022-04-18},
date = {2012-02},
langid = {english}
}
/* vim: set filetype=bib ts=2 sw=2 tw=0 et :*/ /* vim: set filetype=bib ts=2 sw=2 tw=0 et :*/
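Review bot: The `author` field of the new `Dep2007` entry is wrapped in an extra pair of braces (`author={{{Condit}, Jeremy and ... George C.}}`), which makes BibTeX and Biber treat the whole list as one indivisible name: the ` and ` separators are not split at brace depth 1, so the entry sorts, labels and abbreviates as a single five-surname author. Drop the outer pair and the per-surname braces: `author    = {Condit, Jeremy and Harren, Matthew and Anderson, Zachary and Gay, David and Necula, George C.},`. The double braces around `title` and `booktitle` likewise switch off the style's casing for the whole string; brace only the words that need protection. The entry also carries no `pages`, `publisher`, `series`/`volume` or `doi`, so the `\cite{Dep2007}` in the slides will render without any locating data; the `@InProceedings` type casing also differs from the lowercase `@inproceedings` used elsewhere and is worth normalising while the field is being fixed.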

Binary file not shown.


@ -30,7 +30,8 @@
% acronyms % acronyms
\usepackage{acro} \usepackage{acro}
\acsetup{single,make-links=true} % \acsetup{single,make-links=true}
\acsetup{make-links=true}
\input{acronyms} \input{acronyms}
% custom commands % custom commands
@ -112,22 +113,50 @@
\section{Stack Layout, Execution Flow} \section{Stack Layout, Execution Flow}
\begin{frame} \begin{frame}
% \frametitle{Stack Layout, Execution Flow} \frametitle{Stack Layout}
\end{frame}
\begin{frame}
\frametitle{Execution Flow}
\end{frame} \end{frame}
\section{Exkurs: Shellcode} \section{Exkurs: Shellcode}
\begin{frame} \begin{frame}
\begin{itemize}
\item Shellcode ist der Maschinencode, der nach Übernahme des Ausführungsablauf ausgeführt werden soll
\item Buffer kann klein sein \(\Rightarrow\) Shellcode häufig auf Größe optimiert
\item Häufig Strings als Eingabe
\item In C terminiert mit \mintinline{c}{\0} \(\Rightarrow\) Payload darf kein \mintinline{c}{0x00} enthalten, da alles danach abgeschnitten wird
\item \(\Rightarrow\) Selbst schreiben ist möglich, aber aufwändig und setzt Kenntnisse in Assembly und der anzugreifenden Architektur/OS/... voraus
\item Verfügbare, öffentliche Sammlungen verwenden:
\begin{itemize}
\item \url{https://shell-storm.org/shellcode/}
\item \url{https://www.exploit-db.com/shellcodes}
\end{itemize}
\end{itemize}
% \frametitle{Exkurs: Shellcode} % \frametitle{Exkurs: Shellcode}
\end{frame} \end{frame}
\section{Exploitation} \section{Exploitation}
\begin{frame} \begin{frame}
% \frametitle{Exploitation} \frametitle{Ablauf}
\begin{itemize}
\item Shellcode im Speicher plazieren
\item Buffer überschreiben
\item \emph{IP} überschreiben
\item \emph{IP} auf Shellcode zeigen lassen
\end{itemize}
\end{frame} \end{frame}
\section{Aktuelle Situation} \section{Aktuelle Situation}
\begin{frame} \begin{frame}
% \frametitle{Aktuelle Situation} \frametitle{Migrationen}
\begin{itemize}
\item \Ac{aslr}
\item \emph{w\^{}x} Memory
\item Runtime Bounds Checks
\item Typesystem basierte Lösungen~\cite{Dep2007}
\end{itemize}
\end{frame} \end{frame}
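Review bot: `\frametitle{Migrationen}` on the "Aktuelle Situation" frame looks like a typo for `\frametitle{Mitigationen}`, since every item on that frame (ASLR, W^X memory, bounds checks, type-system approaches) is a mitigation, not a migration. On the shellcode frame, the claim that the payload may not contain `0x00` because everything after it is cut off holds only when the input is copied into the buffer by C string routines; a length-bounded copy does not stop at a null byte, so a qualifier such as `... wenn die Eingabe über String-Funktionen (z.\,B. strcpy) kopiert wird` would make the bullet accurate. `\emph{w\^{}x}` typesets as lowercase "w^x"; the conventional spelling is `\emph{W\textasciicircum X}`. Two language nits in the same hunk: `nach Übernahme des Ausführungsablaufs` (genitive) and `platzieren` (current orthography). The new "Stack Layout" and "Execution Flow" frames are empty, presumably placeholders still to be filled.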
@ -142,3 +171,4 @@
\end{frame} \end{frame}
\end{document} \end{document}
% vim: set filetype=tex ts=2 sw=2 tw=0 et spell :