Post on 16-Jan-2016
Case study of the Miner Botnet
2012 4th International Conference on Cyber Conflict
C. Czosseck, R. Ottis, K. Ziolkowski (Eds.)
2012 © NATO CCD COE Publications, Tallinn
朱祐呈
Outline
Introduction
Miner botnet topology
Command and control protocol
Analysis of the botnet
Monitoring the Miner botnet
Conclusion
2/19
WHAT IS BITCOIN?
3/19
Botnets: centralised botnets
In this type of botnet all computers are connected to a single C&C. The C&C waits for new bots to connect, registers them in its database, tracks their status and sends them commands selected by the botnet owner from a list of bot commands.
4/19
[Figure: botnet topology diagram showing C&C nodes and the bots connected to them]
Botnets: P2P (peer-to-peer) botnets
Bots connect to several infected machines on the bot network rather than to a command and control center. Commands are transferred from bot to bot.
5/19
The topology of the Miner botnet
6/19
Command and control protocol
The structure of the P2P communication protocol is shared by all tiers. The port used is fixed to 8080.
A query with the ".txt" extension serves as a status request and returns general information.
The communication protocol itself is not encrypted or obfuscated.
The only protection mechanism applied is a signature scheme for executable updates.
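Because the protocol runs in the clear on a fixed port, the facts above are enough to write a first detection pass over network logs. The following is an added example, not code from the paper or this presentation: it scans constructed flow-log lines for requests to port 8080 whose path is one of the peer-list commands ("ip_list", "ip_list_2") or a ".txt" status query. The log-line format and the assumption that the command name appears as the last path component are mine; the paper only names the commands and the port.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed flow-log format (assumed, not from the paper):
# <timestamp> <src ip> <dst ip>:<port> <method> <request path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)"
)

C2_PORT = 8080                               # fixed port stated in the paper
PEER_LIST_CMDS = {"ip_list", "ip_list_2"}    # peer-list commands named in the paper


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    kind: str    # "peer-list" or "status"
    path: str


def classify_path(path: str) -> Optional[str]:
    """Map a request path to a Miner C&C message type, or None.

    Assumption: the command name is the last path component; the paper
    gives the command names and the .txt convention, not the HTTP framing.
    """
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    if name in PEER_LIST_CMDS:
        return "peer-list"
    if name.endswith(".txt"):
        return "status"
    return None


def scan(lines):
    """Return the Hits found in an iterable of log lines.

    Malformed lines and traffic to other ports are skipped rather than
    raising, so one bad line does not abort a whole capture.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if int(m["port"]) != C2_PORT:
            continue
        kind = classify_path(m["path"])
        if kind:
            hits.append(Hit(m["ts"], m["src"], m["dst"], kind, m["path"]))
    return hits


def peers_contacted(hits):
    """Per source host, the distinct destinations it asked for peer lists.

    These destinations are exactly the bootstrap candidates a crawler of the
    botnet would start from.
    """
    out = {}
    for h in hits:
        if h.kind == "peer-list":
            out.setdefault(h.src, set()).add(h.dst)
    return out


# Constructed sample, not captured traffic.
SAMPLE_LOG = [
    "2012-03-01T10:00:01 10.0.0.5 203.0.113.7:8080 GET /ip_list",
    "2012-03-01T10:00:02 10.0.0.5 203.0.113.7:8080 GET /ip_list_2",
    "2012-03-01T10:00:05 10.0.0.5 203.0.113.9:8080 GET /status.txt",
    "2012-03-01T10:00:06 10.0.0.5 198.51.100.4:8080 GET /index.html",
    "2012-03-01T10:00:07 10.0.0.6 203.0.113.7:80 GET /ip_list",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(peers_contacted(scan(SAMPLE_LOG)))
```

Matching on the exact command name rather than a substring matters: "ip_list" is a prefix of "ip_list_2", and ordinary web traffic to port 8080 (the index.html line) must not fire. In a real deployment the same logic would sit behind a proxy or IDS log parser instead of the constructed format used here.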
7/19
Command and control protocol
Infrastructure: loader2.exe
The first module to be executed on a freshly infected system is a loader that nests as a service called "srvsysdriver32" and then performs an online connectivity test.
As soon as a connection succeeds, the loader continues by acquiring updated IP address lists of botnet peers with the commands "ip_list" and "ip_list_2".
If the type equals the ID of the distribution module and the reachability test was positive, the node becomes a P2P bot; otherwise the victim becomes a worker bot.
9/19
Infrastructure: wdistrib.exe
The distribution module is the fundamental component of the flexible infrastructure of the Miner botnet.
When executed, hard-coded master C&C servers are contacted.
This level decides whether a centralised or decentralised mechanism is used for the distribution of malicious binaries.
In either case, an IP address list of distribution servers is obtained.
10/19
Infrastructure: loader_rezerv.exe
This is a network-based downloader with the ability to install arbitrary executable files on a victim's computer.
Upon connection, it can be commanded to download a file identified by a download ID from a given URL, together with the protection signature of the file.
11/19
Bitcoin-related modules: btc_server.exe
It serves as a proxy for the worker bots towards a selection of Bitcoin mining pools, i.e. clusters of miners that cooperate in order to increase their chance of gaining Bitcoins.
It downloads one of the Bitcoin clients. These clients are used to back up the Bitcoin wallet containing the earned Bitcoins; the wallet is posted every twenty minutes to a master C&C server.
12/19
Bitcoin-related modules: client_8.exe
This Bitcoin mining module is executed on bots of both tier 3 and tier 4. After nesting as service "srvbtcclient", a connection to the botnet is established and multiple operations are started in parallel.
Finally, every five hours a status update about the mining operation is sent to a master C&C server.
13/19
DDoS-related module: ddhttp.exe
The core module for DDoS attacks against web servers via the HTTP protocol. It installs itself as a system service called "ddservice".
If the target list is acquired successfully, a status report with the unique system identifier and module version number is sent to the contact point every 10 minutes.
The attack then proceeds to request all identified link targets as well, creating even more load on the server.
14/19
DDoS-related module: udp.exe
The core module for DDoS attacks against web servers via the UDP protocol. A UDP attack is carried out by sending a large number of UDP packets to random ports in the range 10 to 65000.
15/19
Social-network-related module: iecheck12.exe
It creates a web server on ports 80/tcp and 443/tcp that acts as a proxy and intercepts requests to Facebook or Vkontakte.
When someone logs in from the infected computer, the credentials are stored in the registry.
Next, the credentials are abused to initiate communications, based on downloaded spam templates, with individuals from the victim's friend list.
resetr.exe
In order to reduce the chance of being detected or removed from the system, this utility disables and deletes the services responsible for Windows Update functionality.
16/19
MONITORING THE MINER BOTNET
The focus of the operation was to gain insights into the population and activity of the Miner botnet.
The general methodology applied is recursive enumeration, also known as crawling.
Starting with a set of bootstrap nodes, each node is queried for the IP addresses of its known peers; newly discovered peers are queried in turn until no unknown peers remain.
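The enumeration described above, as an added example that is not part of the paper or this presentation. The peer graph is constructed in memory and stands in for the "ip_list" responses a live crawler would receive on port 8080; the function names and the breadth-first ordering are my choices, and the paper does not state how its crawler handled nodes that never answer, so that treatment (recording them separately as unreachable) is an assumption.

```python
from collections import deque

# Constructed peer graph (not real data): each responding node maps to the
# peer addresses it would return when asked for its ip_list.
PEER_TABLE = {
    "203.0.113.1": ["203.0.113.2", "203.0.113.3"],
    "203.0.113.2": ["203.0.113.1", "203.0.113.4"],
    "203.0.113.3": ["203.0.113.5"],
    "203.0.113.4": [],
    "203.0.113.5": ["203.0.113.1", "203.0.113.6"],
    # 203.0.113.6 is advertised by a peer but never answers: a worker bot
    # behind NAT, or a node that has since gone offline.
}


def query_peers(addr, table=PEER_TABLE):
    """Stand-in for sending the ip_list command to a node (assumed helper).

    Returns the node's peer list, or None if the node does not respond.
    """
    return table.get(addr)


def crawl(bootstrap, query=query_peers, max_nodes=10000):
    """Recursive enumeration (crawling) of a P2P botnet.

    Starting from the bootstrap nodes, every node is asked for its known
    peers and each newly seen peer is queued to be asked in turn, until no
    unknown peers remain or max_nodes addresses have been discovered.

    Returns (responding, unreachable, edges):
      responding   - addresses that answered a peer-list query
      unreachable  - addresses that were advertised but never answered
      edges        - (node, peer) pairs as reported, for topology analysis
    """
    seen = set(bootstrap)
    queue = deque(bootstrap)
    responding, unreachable = set(), set()
    edges = []
    while queue and len(seen) < max_nodes:
        node = queue.popleft()
        peers = query(node)
        if peers is None:
            unreachable.add(node)
            continue
        responding.add(node)
        for peer in peers:
            edges.append((node, peer))
            if peer not in seen:        # the seen-set stops cycles (1 -> 2 -> 1)
                seen.add(peer)
                queue.append(peer)
    return responding, unreachable, edges


def population(bootstrap, query=query_peers):
    """Size of the responding population found from the given bootstrap set,
    the per-run figure a daily population plot would be built from."""
    responding, _, _ = crawl(bootstrap, query)
    return len(responding)


if __name__ == "__main__":
    responding, unreachable, edges = crawl(["203.0.113.1"])
    print("responding :", sorted(responding))
    print("unreachable:", sorted(unreachable))
    print("edges      :", len(edges))
```

Only nodes that actually answer count towards the population; addresses that are merely advertised are kept apart because peer lists carry stale entries, and counting them would overstate the botnet's size. Repeating the crawl from the same bootstrap set once per day gives the daily population series the paper plots.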
17/19
DAILY POPULATION OF THE MINER BOTNET
18/19
Conclusion
The paper provides an overview of the Miner botnet and presents statistical data on its population and activities, gathered during four months of tracking efforts.
The botnet makes use of advanced concepts such as a P2P infrastructure.
19/19
THANKS FOR YOUR ATTENTION