Botcoin: Monetizing Stolen Cycles
Transcript of Botcoin: Monetizing Stolen Cycles
![Page 1: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/1.jpg)
Botcoin: Monetizing Stolen Cycles
UC San Diego and George Mason University
Presented by: Amanda Watson
CSCI 780: Advanced Network Security
![Page 2: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/2.jpg)
Outline
Introduction
Related Work
Background
Methodology
Analysis
Discussion
Conclusion
Epilogue
![Page 3: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/3.jpg)
Bots
Send spam, commit click fraud, launch DoS attacks, steal user data
Botmaster: uses bots to extract value from the above actions
Botnet: compromised computers under the control of the botmaster
Demand for a bot determines the value
Security evolution depends on the demand
![Page 4: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/4.jpg)
Bitcoin Mining
Repeatedly computing the SHA-256 cryptographic hash function over a large range of values
State-space search
Can be conducted in parallel
Botmaster can add bitcoin mining to the current activities of his botnet without interfering with the others
Pro: Potentially lucrative depending on the number of bots
Con: Easier to detect than other activities
![Page 6: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/6.jpg)
Related Work
Analysis of the transactions in the Bitcoin network
Measures activity
Tests the limits of anonymity
Analysis of the Silk Road (underground drug market)
Shut down on October 13, 2013
Bitcoin mining can be “gamed” by an appropriately powerful adversary
Can disrupt the Bitcoin economy
Profitable malware
Pay-per-install, fake anti-virus, click fraud
![Page 8: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/8.jpg)
Bitcoin
Proposed by Satoshi Nakamoto in 2008
Not backed by any government
Purely a peer-to-peer virtual currency
Bitcoins are acquired through mining
Transactions are public through the blockchain
Public ledger maintained by a peer-to-peer network
![Page 9: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/9.jpg)
Bitcoin
1 Bitcoin = $402.53
![Page 10: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/10.jpg)
Bitcoin Mining
Miner receives valid transactions through the peer-to-peer network
Groups them into blocks:
a set of transactions
a header containing a hash of the previous block and a nonce
Compute a SHA-256 hash value of the block
If the value has the correct number of leading zeros
Miner passes it on to others to verify
Coinbase: pays transaction fees and the block reward
If the value does not have the correct number of leading zeros
Repeat the process
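The search loop described on this slide, as an added toy example (not code from the paper or from this presentation): a simplified header is hashed with double SHA-256 (Bitcoin hashes the header twice, a detail the slide compresses to "SHA-256"), the nonce is advanced until the digest has the required number of leading zero bits, and a separate check shows why verification is a single hash while the search is not. The `start_nonce`/`step` parameters split the nonce range between workers, which is the parallelism the slide refers to. The previous-block hash and merkle root are constructed placeholders, and the target is given as a bit count rather than Bitcoin's compact difficulty encoding.

```python
import hashlib
import struct

# Constructed toy inputs (placeholders, not real chain data): a previous-block hash
# and a merkle root standing in for the set of transactions in the block.
PREV_HASH = bytes.fromhex("00" * 4 + "ab" * 28)
MERKLE_ROOT = hashlib.sha256(b"tx1|tx2|coinbase").digest()


def block_hash(prev_hash, merkle_root, nonce):
    """Hash a simplified header: prev hash || merkle root || 4-byte little-endian nonce.
    Bitcoin uses SHA-256 applied twice (double SHA-256) over its 80-byte header."""
    header = prev_hash + merkle_root + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def leading_zero_bits(digest):
    """Number of leading zero bits in a 256-bit digest (the slide's 'leading zeros')."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def meets_target(digest, zero_bits):
    """True when the digest has at least zero_bits leading zero bits."""
    return leading_zero_bits(digest) >= zero_bits


def mine(prev_hash, merkle_root, zero_bits, start_nonce=0, step=1, max_tries=1 << 24):
    """State-space search over the nonce. Worker k of n can take start_nonce=k,
    step=n and cover a disjoint slice of the range with no coordination.
    Returns (nonce, digest) or None if max_tries is exhausted."""
    nonce = start_nonce
    for _ in range(max_tries):
        digest = block_hash(prev_hash, merkle_root, nonce)
        if meets_target(digest, zero_bits):
            return nonce, digest
        nonce = (nonce + step) & 0xFFFFFFFF   # nonce is a 32-bit field
    return None


def verify(prev_hash, merkle_root, nonce, zero_bits):
    """What peers do when the miner 'passes it on to others to verify':
    recompute one hash and compare against the target. No search."""
    return meets_target(block_hash(prev_hash, merkle_root, nonce), zero_bits)


if __name__ == "__main__":
    # 16 leading zero bits: about 65,536 attempts on average.
    nonce, digest = mine(PREV_HASH, MERKLE_ROOT, zero_bits=16)
    print(f"nonce={nonce} hash={digest.hex()}")
    print("verified by a peer:", verify(PREV_HASH, MERKLE_ROOT, nonce, 16))
```

Raising `zero_bits` by one doubles the expected number of hashes while `verify` stays a single hash, which is the asymmetry that makes stolen CPU cycles useful to a botmaster and cheap for the network to check.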
![Page 11: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/11.jpg)
Pooled Mining
Combines the mining power of many individual miners and pays out a small amount for work completed
Pool server manages pending transactions
Provides starting point to workers
Workers mine the blocks
Report results to the server
![Page 12: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/12.jpg)
Botnet Mining
Use an existing or newly created botnet to mine for bitcoins
Direct Pool Mining
Distribute a mining executable with a wrapper script that specifies mining parameters
Generally banned by mining pools
Proxied Pool Mining
Proxy connections through a controlled server
Requires additional infrastructure
Dark Pool Mining
Botmaster maintains a pool server
Bots connect to his pool
Limited to the number of bots he controls
![Page 14: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/14.jpg)
Methodology
Goals:
Identify mining malware
Identify size of infected population
Identify the value of the bitcoins extracted
Methodology
Identify Mining Malware
Extract Mining Credentials
Estimate Earnings
Estimate Infected Population
Identify Pool Proxies
![Page 15: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/15.jpg)
Identifying Mining Malware
All mining malware uses the HTTP-based getwork protocol
Use this to identify mining malware from a network trace
To get the network traffic of various malware:
Execute the binaries in a malware execution environment
Use data from public and private sandboxes that provide information and logs of the binaries' actions
If the binary is requesting access to a bitcoin pool server, it is being used for bitcoin mining
![Page 16: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/16.jpg)
Extracting Mining Credentials
Mining software is generally generic
Credentials are passed on the command line
Extract the credentials:
Command-line arguments
Extract the credentials from the packaged binary
HTTP basic authentication
Extract credentials from a network trace
Command-and-control channel
Credentials are contained in a Dropbox or Pastebin file
Reverse engineer the malware and use memory snapshots of the de-obfuscated payload
Pool operators
Public pool operators provide lists of user names and wallet addresses
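The two previous slides together describe one analysis step: spot getwork traffic in a sandbox trace, then read the worker credentials out of the HTTP basic authentication header. As an added example (not code from the paper or the presentation), the detector below runs over constructed sandbox HTTP records: it flags POST requests whose body is a JSON-RPC `getwork` call, decodes the Basic credential to recover the worker name, and groups the findings by destination. The record layout, hosts, ports and credentials are all constructed placeholders; the second sample talks to a bare IP address, which is what a proxied pool looks like in a trace and why the later proxy-identification step exists.

```python
import base64
import json


def _basic_header(user, password):
    """Build an HTTP Basic Authorization value (used only to construct sample data)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sandbox HTTP records, not real malware traffic or data from the paper.
# Each record is one HTTP request a sandboxed sample was observed making.
SANDBOX_RECORDS = [
    {"pid": 1204, "dst": "pool.example.invalid:8332", "method": "POST", "path": "/",
     "headers": {"Authorization": _basic_header("worker01.bot", "pw"),
                 "Content-Type": "application/json"},
     "body": json.dumps({"method": "getwork", "params": [], "id": 1})},
    {"pid": 1204, "dst": "update.example.invalid:80", "method": "GET", "path": "/check",
     "headers": {}, "body": ""},
    # second sample: same protocol, but the endpoint is an unremarkable IP (proxied pool)
    {"pid": 1377, "dst": "10.0.0.5:8332", "method": "POST", "path": "/",
     "headers": {"Authorization": _basic_header("miner_alpha", "x")},
     "body": json.dumps({"method": "getwork", "params": ["<work-placeholder>"], "id": 2})},
    {"pid": 1377, "dst": "cdn.example.invalid:443", "method": "POST", "path": "/api",
     "headers": {}, "body": json.dumps({"method": "ping", "id": 3})},
]


def is_getwork(record):
    """True when the request body is a JSON-RPC call to the getwork method."""
    if record.get("method") != "POST":
        return False
    try:
        rpc = json.loads(record.get("body") or "")
    except json.JSONDecodeError:
        return False
    return isinstance(rpc, dict) and rpc.get("method") == "getwork"


def basic_auth_user(headers):
    """Return the username from an HTTP Basic Authorization header, or None.
    Only the part before the first ':' is the username; the rest is the password."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    user, _, _ = decoded.partition(":")
    return user or None


def find_mining_endpoints(records):
    """Map each destination that received getwork calls to the worker names seen."""
    findings = {}
    for rec in records:
        if is_getwork(rec):
            findings.setdefault(rec["dst"], set()).add(basic_auth_user(rec.get("headers", {})))
    return findings


if __name__ == "__main__":
    for dst, users in find_mining_endpoints(SANDBOX_RECORDS).items():
        print(f"{dst}: getwork traffic, workers={sorted(u for u in users if u)}")
```

A worker name recovered this way is the key the next slide uses: it is what you hand to a pool operator or match against a public leaderboard to map the miner to a payout address.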
![Page 17: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/17.jpg)
Earnings
Mapping miners to wallet addresses
Contact the pool operators to ask for the information
Publicly visible pool statistics
Some pools provide public leaderboards
Blockchain analysis
All transactions are visible
Knowing the payout address allows estimates for a specific miner
Clustering wallet addresses
Botmasters may use different addresses for different campaigns
Addresses used as inputs to the same transaction are assumed to be controlled by the same user
This allows us to cluster addresses used by a single botmaster
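The clustering step just described, as an added example on constructed data (not the paper's code and not real blockchain data): addresses that appear together as inputs to one transaction are merged with a union-find, and the income of a cluster is summed only over transactions whose inputs lie outside it, so pool payouts count while self-transfers and change do not. Coinbase transactions have no input addresses and are handled as external income, since some pools pay miners directly from the coinbase. Transaction ids, addresses and satoshi amounts are constructed; the change-address heuristic is deliberately not applied, because the slide describes only the common-input rule.

```python
from collections import defaultdict

# Constructed transactions (placeholders, not real chain data).
# inputs: addresses spending into the tx; outputs: (address, amount in satoshi).
TXS = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": [("X1", 100_000_000), ("A4", 20_000_000)]},
    {"txid": "t2", "inputs": ["A2", "A3"], "outputs": [("X2", 50_000_000)]},
    {"txid": "t3", "inputs": ["B1"], "outputs": [("B2", 10_000_000)]},
    {"txid": "t4", "inputs": ["B1", "B4"], "outputs": [("X3", 30_000_000)]},
    {"txid": "t5", "inputs": ["C1"], "outputs": [("A1", 200_000_000)]},   # payout into cluster A
    {"txid": "t6", "inputs": [], "outputs": [("A3", 50_000_000)]},        # coinbase payout
]


class UnionFind:
    """Disjoint-set forest with path halving; elements are created on first use."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Common-input heuristic: all inputs of one transaction share an owner.
    Returns a list of frozensets, one per cluster (single addresses included)."""
    uf = UnionFind()
    for tx in txs:
        ins = tx["inputs"]
        for addr in ins:
            uf.find(addr)                 # register even single-input addresses
        for addr in ins[1:]:
            uf.union(ins[0], addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return [frozenset(g) for g in groups.values()]


def cluster_of(clusters, addr):
    """The cluster containing addr; an address never seen as an input is its own cluster."""
    for c in clusters:
        if addr in c:
            return c
    return frozenset({addr})


def cluster_income(txs, cluster):
    """Satoshi paid into the cluster by transactions whose inputs are all outside it.
    Self-transfers are skipped; coinbase txs (no inputs) always count as external."""
    total = 0
    for tx in txs:
        if any(i in cluster for i in tx["inputs"]):
            continue
        total += sum(amt for addr, amt in tx["outputs"] if addr in cluster)
    return total


if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    botmaster = cluster_of(clusters, "A1")
    print("cluster:", sorted(botmaster))
    print("income (BTC):", cluster_income(TXS, botmaster) / 1e8)
```

Knowing a single payout address (the one extracted from the malware or given by a pool operator) is enough to pull its whole cluster out of the ledger and sum what flowed into it.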
![Page 18: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/18.jpg)
Estimating Infected Population
Contact anti-virus software vendors to obtain mining malware data
E_i : estimated bot population in country i
I_i : number of infections in country i, per vendor
M_i : number of machines in country i, per vendor
T_i : number of machines in country i
This is the expected lower bound
Computers without antivirus from those vendors are not counted
Estimates are only for specific binaries
![Page 19: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/19.jpg)
Identifying Pool Proxies
Cross-login test
Credentials can be hidden by an HTTP proxy
Create miner accounts in major mining pools
If the miner account can connect through the suspected proxy, then it is likely being used for bitcoin mining
Passive DNS
The lifetime of a dark mining pool depends on the lifetime of the botnet
Use passive DNS data from the ISC Security Information Exchange
Block Reversal
A pool provides the same coinbase across similar workers
This allows us to match possible bots to a pool
Leaked Data
![Page 21: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/21.jpg)
DLoad.asia (Redem and Darksons)
Began mining in 2011
Ended in November of 2012
Earnings
Darksons : 2,403 BTC
Redem : over 10,000 BTC
Over 100,000 IPs
Population - number of infections
![Page 22: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/22.jpg)
ZeroAccess
9,000,000 infected PCs
Began December 2011
Earnings : 400 BTC
Began mining through proxy servers, now a part of Eligius
Population - number of infections
![Page 23: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/23.jpg)
BMControl
Began mining in September 2012
Part of Eligius
Earnings
Adds 16,000 new bots per day
Average mining rate per bot: 3.75 MH/sec
Now mines for Litecoin
Population - number of infections
![Page 24: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/24.jpg)
FeodalCash
Began mining in May 2013
Part of Eligius
Earnings : 168 BTC
Population - 62,500 infections at its peak
![Page 25: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/25.jpg)
Fareit Bots
Began mining April 9, 2013
Used a pool proxy with the Black Hole exploit kit
Earnings : 265 BTC
Population - 12,500 infections
![Page 26: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/26.jpg)
Zenica
Earnings
312,000 or more active IPs
170 BTC in 3 months
Population
Prevalent in Southeast Asia
Vietnam and Thailand account for 70% of sampled infections
![Page 27: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/27.jpg)
HitmanUK
Botmaster launched a DDoS attack after the pool blacklisted the botnet
Paralyzed the pool
Prevented mining for a few hours
Pool operator then let the botmaster back in
Began in February 2013
Earnings : 4 BTC
Adds 16,000 new bots per day
Average mining rate per bot: 3.75 MH/sec
![Page 28: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/28.jpg)
Xfhp.ru Miner
Uses Zbot to download the Bitcoin mining plugin
Population
Southeast Asia
South America
![Page 29: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/29.jpg)
Skype Miner
Used Skype and social engineering to distribute the bot
Sent a compromised Skype message
If the message was clicked then the victim would be taken to a webpage that downloaded an executable and attempted to install the Bitcoin mining malware
Began mining in July 2012
Earnings : 250
![Page 30: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/30.jpg)
Miscellaneous
There are many small mining operations
![Page 32: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/32.jpg)
Mining Revenue
Depends on hash rate and network difficulty
Daily Revenue:
MH – million SHA-256 computations
8.22 × 10^-12 MH/sec
![Page 33: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/33.jpg)
Botnet Costs
Cost of acquiring bots
Cost associated with the monetization scheme
More information is needed for non-acquisition costs:
Infrastructure
Development
Day to day operation
![Page 34: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/34.jpg)
Profitability
Varies based on exchange rates
Three classes of profitability
Absolutely profitable: revenue exceeds cost for a botnet solely for mining
Marginally profitable: revenue exceeds additional cost for an established botnet adding mining
Unprofitable: mining does not cover additional costs
Bitcoin is expected to remain profitable for large botnets
![Page 36: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/36.jpg)
Conclusion
It is possible to track the earnings of botnets because Bitcoin transactions are public
Larger botnets have earned sizable amounts of Bitcoin and have been in operation for years
Most of these are found in geographic locations with lower costs of bots
Developed a method to trace mining malware to its pool even when proxy servers are used to hide the pool
![Page 38: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/38.jpg)
Litecoin
Decentralized virtual currency based on Bitcoin
1 litecoin = $4.19
4 times faster to produce a block when mining
Lessens the effect of specialized hardware
![Page 39: Botcoin: Monetizing Stolen Cycles](https://reader036.fdocuments.net/reader036/viewer/2022062516/56812b70550346895d8f9075/html5/thumbnails/39.jpg)
Questions?