Botnets - UCY

Botnets, Leonidas Stylianou, CS 682, 23/04/2020 (58 pages)

Page 1

Botnets
Leonidas Stylianou
CS 682
23/04/2020

Page 2

Lifecycle of a bot

Botnet malware infects a host.
The infected host becomes a bot and joins the botnet.
The botmaster controls the botnet.

Page 3

Coordination of bots with C&C server

Bots query the C&C servers using their IP address and DNS name.
Not flexible, and not robust against take-down actions.

Fast Flux
Bots query a certain domain that is mapped onto a set of IP addresses that change frequently.
Constitutes a single point of failure because it uses only a single domain.

Domain flux
Bots query multiple domains that are mapped onto a set of IP addresses that change frequently.
Taking down the C&C server is harder because the botmasters can relocate to a new domain name.

Page 4

Usage of botnets

Send spam mails
Launch DoS attacks
Steal personal data

Page 5

Your Botnet is My Botnet: Analysis of a Botnet Takeover

Page 6

Overview

A comprehensive analysis of the operations of the Torpig botnet.
The count of distinct IPs that contacted the sinkholed C&C overestimates the size of the botnet.
The victims of botnets are often users with poorly maintained machines.

Page 7

What is Torpig?

Malware service accessible to third parties.
Steals sensitive information from the victim's host and relays it back to its controllers.
Distributed to its victims as part of the Mebroot rootkit.

Page 8

Distribution of Mebroot

The victim requests a legitimate web site into which an attacker injected HTML code.
The victim's browser requests JavaScript code from the drive-by-download server.
The JavaScript code executes multiple exploits against the browser and some of its components.
If an exploit is successful, the Mebroot rootkit is downloaded from the server and executed.

Page 9

Mebroot life cycle

Contacts the Mebroot C&C server to obtain malicious modules.
Provides a generic platform that other modules can leverage to perform their malicious actions.
Overwrites the MBR, so it is always executed at boot time.

Page 10

Torpig Capabilities

Trojan that is injected into a number of applications.
Inspects all the data handled by these programmes:
System programmes
Email clients
Instant messengers
Web browsers
FTP clients

Page 11

Communication in the Torpig Botnet

(1) The bot uploads the data stolen since the previous reporting time to the Torpig C&C server over HTTP.
(2) The C&C server acknowledges the new data with an "okn" response.

Page 12

Communication in the Torpig Botnet

(2) The C&C server may instead send a configuration file to the bot with an "okc" response.
The configuration file specifies how often the bot should contact the C&C server, hard-coded servers, and parameters to perform MiTB phishing attacks.

Page 13

Man in the Browser attacks with Torpig bot

Generation of phishing sites
The infected machine visits one of the domains in the configuration file (e.g. a bank site).
Torpig issues a request to an injection server.
The injection server's response specifies the trigger page, the injection URL, and a number of parameters.

Man in the Browser attack
The victim visits the trigger page.
Torpig requests the injection URL from the injection server and injects the returned content into the user's browser.
The injected content reproduces the style of the target web site, and the address bar still displays a padlock.
It asks the user for sensitive information and steals the personal data entered.

Page 14

Coordination in Torpig Botnet: Domain Flux

Each bot uses a domain generation algorithm to compute a list of domain names.
It attempts to contact the C&C server with each name in the domain list, in order, until one succeeds.

Page 15

Torpig's Domain Generation Algorithm

Step 1
• Seeded with the current date and a numerical parameter.

Step 2(a)
• Computes a "weekly" domain name dw that depends on the current week and year.
• Attempts to resolve dw.(com,net,biz) and contacts the C&C server.

Step 2(b)
• Computes a "daily" domain name dd that depends on the current day.
• Attempts to resolve dd.(com,net,biz) and contacts the C&C server.

Step 2(c)
• Attempts to resolve the domains that are hard-coded in the configuration file and contacts the C&C server.

Page 16

Coordination in Torpig Botnet: Domain Flux and resilience

Control at least one of the domains that will be contacted by the bots.
Use measures to prevent other groups from seizing domains that will be contacted by the bots.

Page 17

Arms Race between botmasters (B) and defenders (D)

B: The domain generation algorithm of the bots is modified frequently.
D: Reverse engineering the botnet protocol could be time consuming.
B: Force defenders to register a disproportionate number of names.
D: The economic factor is the biggest challenge because domain names are not cheap.

Page 18

Taking control of the Torpig botnet: Sinkholing Preparation

Purchased two domains (.com and .net) that were to be used by the botnet.
Registered them with two different registrars.
Obtained control of the Torpig botnet for ten days.
Set up an Apache web server to receive and log bot requests, and recorded all network traffic.
During their control of the botnet, 8.7 GB of Apache log files and 69 GB of pcap data were collected.
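The contact order from pages 14 to 17 and the sinkhole preparation above can be modelled in a few lines. The following is an added example written for this transcript, not code from the presentation or from the Torpig paper: gen_label is a placeholder hash, not Torpig's real generator; the parameter value 7, the start date 2020-04-20 and the domain fallback.invalid are constructed; and the registry dictionary stands in for DNS. It shows why holding one week's .com and .net names captures the bots for exactly that week, and how many names a defender must hold to cover a longer window.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "biz")


def gen_label(seed):
    """Placeholder name generator: a hash of the seed, NOT Torpig's real algorithm."""
    digest = hashlib.sha256(seed.encode()).hexdigest()
    return "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:8])


def contact_order(day_iso, param, hardcoded=()):
    """Names a bot tries, in order, on the given day (ISO date string): the weekly
    name dw over the TLDs (step 2a), the daily name dd over the TLDs (step 2b),
    then the hard-coded domains from the configuration file (step 2c)."""
    day = date.fromisoformat(day_iso)
    year, week, _ = day.isocalendar()
    dw = gen_label(f"w:{year}:{week}:{param}")
    dd = gen_label(f"d:{day_iso}:{param}")
    return [f"{dw}.{t}" for t in TLDS] + [f"{dd}.{t}" for t in TLDS] + list(hardcoded)


def first_responder(day_iso, param, registry, hardcoded=()):
    """Owner of the first name that resolves, or None. `registry` maps a domain
    to whoever registered it and stands in for DNS."""
    for name in contact_order(day_iso, param, hardcoded):
        if name in registry:
            return registry[name]
    return None


def names_to_register(start_iso, days, param):
    """Every generated name in a window: what a defender must hold to intercept
    the bots on each of those days (the 'disproportionate number of names')."""
    start = date.fromisoformat(start_iso)
    names = set()
    for i in range(days):
        names.update(contact_order((start + timedelta(days=i)).isoformat(), param))
    return names


def takeover_days(start_iso, days, param, registry, hardcoded=()):
    """Days in the window on which the defender's sinkhole is contacted first."""
    start = date.fromisoformat(start_iso)
    return sum(
        first_responder((start + timedelta(days=i)).isoformat(), param, registry, hardcoded)
        == "sinkhole"
        for i in range(days)
    )


def sinkhole_scenario():
    """Constructed scenario: the defender registers the .com and .net weekly names
    for the ISO week starting 2020-04-20, the botmaster keeps one hard-coded
    fallback domain. Over 14 days the sinkhole wins the 7 days of that week and
    the fallback domain takes over afterwards."""
    param, monday = 7, "2020-04-20"        # arbitrary parameter and start date
    fallback = "fallback.invalid"          # placeholder hard-coded C&C domain
    weekly_com, weekly_net = contact_order(monday, param)[:2]
    registry = {weekly_com: "sinkhole", weekly_net: "sinkhole", fallback: "botmaster"}
    return takeover_days(monday, 14, param, registry, hardcoded=(fallback,))
```

names_to_register makes the economic argument of page 17 concrete: every extra day of coverage costs three more daily names on top of the three weekly ones, and the botmaster pays nothing for that growth.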

Page 19

Taking control of the botnet: Data Collection Principles

Operated the C&C servers based on established legal and ethical principles.
Operated such that any damage to victims was minimized.
Collected enough information to enable remediation of affected parties.
Worked with law enforcement agencies.

Page 20

Botnet Analysis: Data Collection and Format

Bots communicate with the Torpig C&C through HTTP POST requests.
The request URL contains the hexadecimal representation of the bot identifier and the submission header.
The submission header is encrypted with Torpig's encryption algorithm, using the bot identifier as the symmetric key.
The request body contains the data stolen from the victim's machine.
It consists of data items based on the information that was stolen.
The body is encrypted with Torpig's encryption algorithm.

Page 21

Botnet Analysis: Data Collection and Format

Submission Header
ts: time stamp of when the configuration file was updated.
ip: IP address of the bot.
hport and sport: port numbers of the HTTP and SOCKS proxies that Torpig opens on the infected machine.
os and cn: operating system version and locale.
nid: bot identifier.
bld and ver: build and version number of Torpig.

Example (figure)

Page 22

Botnet Analysis: Data Collection and Format

Data Items
Mailbox account: configuration information for email accounts.
Email: email addresses.
Form data: content of HTML forms submitted by the victim's browser.
HTTP, FTP, POP: credentials of the respective accounts.
SMTP: source and destination addresses of emails.
Windows password.

Data items sent to the sinkholed botnet in 10 days (table)

Page 23

Botnet Size: Definitions

Botnet's footprint
Indicates the aggregated total number of machines that have been compromised over time.

Botnet's live population
Indicates the number of compromised hosts that are concurrently communicating with the C&C server.

Page 24

Botnet's Footprint: Counting Bots by "nid" field

Description
• Torpig always sends the "nid" field in the submission header.
• It depends on software or hardware characteristics of the infected machine's hard disk.
• Attempted to validate whether the "nid" is unique for each bot.

Evaluation
2079 cases have been found where the assumption did not hold.
180 835 "nid" values have been observed in 10 days.
Underestimates the botnet's footprint.

Page 25

Botnet Footprint: Counting Bots by Submission Header Fields

Description
• Count unique tuples from the submission headers that Torpig bots send.
• The "nid, os, cn, bld and ver" fields have been considered, whilst "ts, ip, sport and hport" have been discarded.

Evaluation
The botnet's footprint has been estimated at 182 914 machines.

Page 26

Botnet's Footprint: Identifying probers and researchers

Description
• "nid" values generated on a standard configuration of the VMware and QEMU virtual machines are discarded.
• Bots that use the HTTP GET method are not considered.

Evaluation
40 bots have been running on virtual machines.
74 hosts have been probers.
The final estimate of the botnet's footprint is 182 800 hosts.

Page 27

Botnet's live population: Botnet Size vs IP Count

Botnet Size
• 182 800 bots have contacted the C&C server.

IP Count
• 1 247 642 unique IP addresses contacted the C&C server.
• Overestimates the actual size of the botnet's footprint.

Page 28

Botnet's live population: Botnet Size vs IP Count

Per hour
• The number of unique IP addresses and bot IDs per hour provides a good estimation of the botnet's live population.

Per day
• The number of unique IP addresses and bot IDs per day does not provide a good estimation of the botnet's live population.

Page 29

Botnet Size vs IP Count: Observations

The number of unique IPs per hour provides a good estimation of the botnet's live population.
144,236 (78.9%) of the infected machines were behind a NAT, VPN, proxy, or firewall.
The difference between the IP count and the actual bot count can be attributed to DHCP and NAT effects.
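As an added example (not code from the presentation or from the paper), here is how the counting rules of pages 24 to 29 apply to a small, constructed set of sinkhole hits: one bot whose DHCP address changed, two machines that share one nid, a stock-VM nid, a GET-based prober, and two bots behind the same NAT. Field names follow the submission header on page 21; the timestamps, addresses, nid values and the VM_DEFAULT_NIDS set are placeholders.

```python
from collections import namedtuple
from datetime import datetime

# One row per sinkhole hit: the Apache log time, the decrypted submission header
# fields named on page 21, and the HTTP method. All values are constructed for
# this example, none come from the Torpig data set.
Hit = namedtuple("Hit", "seen nid os cn bld ver ip method")

HITS = [
    Hit("2020-04-20T10:05", "a1", "5.1", "en-us", "b01", "1", "198.51.100.7", "POST"),
    Hit("2020-04-20T10:40", "a1", "5.1", "en-us", "b01", "1", "198.51.100.7", "POST"),
    Hit("2020-04-20T11:10", "a1", "5.1", "en-us", "b01", "1", "198.51.100.31", "POST"),  # same bot, new DHCP lease
    Hit("2020-04-20T10:15", "b2", "6.0", "de-de", "b01", "1", "203.0.113.4", "POST"),
    Hit("2020-04-20T10:20", "b2", "5.1", "it-it", "b01", "1", "203.0.113.9", "POST"),   # two machines, one nid
    Hit("2020-04-20T10:30", "c3", "5.1", "en-us", "b01", "1", "192.0.2.55", "POST"),    # nid of a stock VM image
    Hit("2020-04-20T11:00", "p9", "5.1", "en-us", "b01", "1", "192.0.2.200", "GET"),    # prober using GET
    Hit("2020-04-20T11:30", "d4", "5.1", "fr-fr", "b01", "1", "203.0.113.4", "POST"),   # behind the same NAT as b2
]

# Placeholder for the nid values a default VMware/QEMU install produces.
VM_DEFAULT_NIDS = {"c3"}


def bot_key(hit):
    """Fields that identify a machine (page 25); ts, ip, sport and hport are discarded."""
    return (hit.nid, hit.os, hit.cn, hit.bld, hit.ver)


def drop_probers(hits):
    """Page 26: discard hits from stock VM images and clients that used GET."""
    return [h for h in hits if h.nid not in VM_DEFAULT_NIDS and h.method == "POST"]


def footprint_by_nid(hits):
    """Page 24: distinct nid values; undercounts when two machines share a nid."""
    return len({h.nid for h in hits})


def footprint_by_header(hits):
    """Page 25: distinct header tuples; separates machines that collide on nid."""
    return len({bot_key(h) for h in hits})


def unique_ips(hits):
    """Page 27: distinct IPs; overcounts because of DHCP, undercounts because of NAT."""
    return len({h.ip for h in hits})


def live_population(hits):
    """Page 28: per-hour (unique IPs, unique header tuples). The short window keeps
    the DHCP and NAT effects small, which is why the hourly count is usable."""
    buckets = {}
    for h in hits:
        hour = datetime.fromisoformat(h.seen).strftime("%Y-%m-%dT%H")
        ips, bots = buckets.setdefault(hour, (set(), set()))
        ips.add(h.ip)
        bots.add(bot_key(h))
    return {hour: (len(ips), len(bots)) for hour, (ips, bots) in buckets.items()}


def report(hits=HITS):
    """All estimates on the prober-free data, in the order the slides derive them."""
    clean = drop_probers(hits)
    return {
        "probers_dropped": len(hits) - len(clean),
        "footprint_nid": footprint_by_nid(clean),
        "footprint_header": footprint_by_header(clean),
        "ip_count": unique_ips(clean),
        "live_per_hour": live_population(clean),
    }
```

On this sample the nid count (3) is below the header-tuple count (4) because b2 is really two machines, while the raw IP count (4) is above the nid count because a1 changed address, the same two directions of error that the slides report at scale.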

Page 30

Threat and data analysis of Torpig

Financial data stealing
• Obtained the credentials of 8130 accounts at 410 different institutions.
• The Torpig controllers may have profited anywhere between $83K and $8.3M in ten days.

Proxies and DoS
• Leveraged by malicious users to send spam or navigate anonymously.
• Could be used to launch a massive DDoS attack.

Password analysis
• Bots stole 297,962 unique credentials sent by 52,540 different infected machines.
• 140 000 passwords have been recovered in 24 hours using various techniques.

Page 31

SoK: P2PWNED — Modeling and Evaluating the Resilience of Peer-to-Peer Botnets

Page 32

Overview

Presents a model that formalizes reconnaissance and disruption attacks against P2P botnets.
Compares the population sizes of current P2P botnets using crawlers and sensor nodes.
Evaluates the disruption resilience of all four current P2P botnet families.

Page 33

Architecture of P2P botnets

Eliminates the need for centralized servers.
Bots are connected to each other topologically.
Each bot acts as both C&C server and client.

http://cs.ucf.edu/~czou/research/P2PBotnets-bookChapter.pdf

Page 34

Overview of P2P Networks: Categories

Unstructured P2P
Don't have a predefined architecture.
Participants communicate randomly with one another.
Robust against high churn activity, but higher CPU and memory usage is required.
Botnets use message gossiping to propagate information.

Structured P2P
Organized into a specific topology.
Use a distributed hash table to identify and locate nodes/resources.
More efficient, but less robust when faced with high rates of churn.
Botnets maintain a DHT that is used to store and route commands.

Page 35

Overview of P2P Botnets: Definitions

Botnet Families
• Denote a specific strain of botnet.

Botnet Variants
• Denote a variant within a botnet family.

Botnets
• Refers to a coherent collection of hosts infected with a specific botnet variant.

Page 36

Overview of P2P Botnets: P2P Botnet Characteristics

P2P botnet variants
• The active P2P botnet families as of November 2012 (table).

Lifespan of botnet variants
• Lifespan of the botnet variants and the most important inactive P2P botnets (figure).

Page 37

Overview of P2P Botnets: P2P Botnet Purposes

They have unstructured P2P protocols and use message gossiping to propagate information.
Hybrid architectures incorporate centralized servers to collect stolen data.
Used for malware distribution, spam, credential theft and DDoS attacks.

Page 38

Formal Model for P2P botnets: Directed Graph

A peer-to-peer (P2P) botnet is a directed graph G := (V, E), where V is a set of peers and E ⊆ V × V is a set of edges (u, v) with u, v ∈ V.
The set of peers V := V₁ ∪ V₂ ∪ V₃ is the disjoint union of routable peers V₁, non-routable peers V₂ and unreachable peers V₃.
V₁: peers that can be contacted by other peers.
V₂: peers that can't be reached by other peers but have the ability to contact one or more peers.
V₃: peers that can't be reached by any peer and do not contact other peers.

Page 39

Formal Model for P2P botnets: Peer List and out/in degree

Peer List
Let G = (V, E) denote a P2P botnet.
The set of edges Ev := {(v, u) ∈ E} for a peer v ∈ V is called the peer list of v.
It expresses the relationships of neighbouring peers in the graph.

Out and in degree
• Out-degree of v: deg+(v) := |Ev|
• In-degree of v: deg−(v) := |{(u, v) ∈ E}|
• deg−(v) is an important measure for the popularity of a peer because it shows its influence in the botnet.

Page 40

Formal Model for P2P botnets: Operations

Deletion of an edge (u, v) in the graph
Transformation D : G → G' with G' := (V, E') and E' := E \ {(u, v)}.
D∗ = Dn ◦ Dn−1 ◦ ... ◦ D1 denotes the composition of multiple delete operations.
Occurs when a peer deletes an unreachable peer entry from its peer list.

Insertion of an edge (u, v) in the graph
Transformation I : G → G' with G' := (V', E'), where V' := V ∪ {v} and E' := E ∪ {(u, v)}.
I∗ is the composition of multiple inserts.
Occurs when a new peer-to-peer relationship is established.

Update operation
U := I ◦ D, defined as an edge deletion followed by an edge insertion.
U∗ denotes multiple subsequent updates.

Page 41

Attacks against P2P Botnets: Attack Methods (Graph Search)

Goal: understand the P2P topology of a botnet.
Visit all nodes, request their peer lists and enumerate all edges.
The result is the crawl graph.
Only routable peers can be contacted, so the graph search only explores the peer lists of routable peers.
The results are inaccurate because P2P botnet topologies are dynamic.

Page 42

Attacks against P2P Botnets: Attack Methods (Peer Injection)

Goal: change the graph topology by manipulating the set of edges.
Let I(v) : G → G' = (V', E') denote a parametrized insert operation with V' = V ∪˙ {v}, E' = E ∪˙ {(u, v)}, u ∈ V.
The injection of a peer v can be defined as the composition I∗(v) := In(v) ◦ In−1(v) ◦ ... ◦ I1(v).

Page 43

Attacks against P2P Botnets: Attack Methods (Peer List Destruction)

Describes "corrupting changes" to a peer's peer list.
Entries can be either deleted or replaced with invalid entries.
The destruction of v's peer list is the transformation R(v) := U∗(v) ◦ D∗(v) : G → G' = (V', E').

Page 44

Attacks against P2P Botnets: Intelligence Gathering

Crawling
Based on graph search.
Visit as many peers as possible and collect information about them.
Represents an effective way to gather intelligence.
Limited view if only routable peers are included in the peer lists.

Sensor Nodes
With peer injection, a sensor s can be introduced into the botnet.
It can be contacted by non-routable peers.
Potentially overcomes some of the shortcomings of crawling.
Its coverage depends on its in-degree (popularity).
The in-degree can be increased by injecting s into any visited peer's peer list.

Page 45

Attacks against P2P Botnets: Disruption and Destruction (Partitioning)

Partitioning the graph prohibits the distribution of information.
Apply a series of consecutive peer list destruction operations to create two disconnected subgraphs.
Decrease the popularity of nodes by deleting certain edges from the P2P graph.
Information propagation becomes slow and the graph becomes sparser.

Page 46

Attacks against P2P Botnets: Disruption and Destruction (Sinkholing)

Edges are replaced with edges pointing to special nodes called sinkholes.
Achieved by peer injections and peer list destructions.
The set of sinkholes S := {s1, s2, ..., sn} becomes the central component for all P2P communication.
Transforms the infrastructure into a centralized network.
The goal is to reach a state where every live peer knows at least one sinkhole and no other routable peer.
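To make the graph model of pages 38 to 46 concrete, the following is an added Python example (not from the slides or from the P2PWNED paper) that implements the delete, insert and update transformations and the four operations built on them: graph search (crawl), peer injection of a sensor, the peer-list destruction that sinkholing relies on, and partitioning. The toy topology in build_sample is constructed; the round-robin choice of sinkhole and the direct insertion of the sensor into non-routable peers' lists are simplifying assumptions of this example.

```python
from collections import deque


class P2PGraph:
    """G = (V, E) from the slides: cls[v] is 1 (routable, V1), 2 (non-routable, V2)
    or 3 (unreachable, V3); peer_list[v] is Ev = {u : (v, u) in E}, |Ev| = deg+(v)."""

    def __init__(self):
        self.cls, self.peer_list = {}, {}

    def add_peer(self, v, cls):
        self.cls[v] = cls
        self.peer_list.setdefault(v, set())

    def insert(self, u, v):         # I: E' = E ∪ {(u, v)}
        self.peer_list[u].add(v)

    def delete(self, u, v):         # D: E' = E \ {(u, v)}
        self.peer_list[u].discard(v)

    def update(self, u, old, new):  # U = I ∘ D
        self.delete(u, old)
        self.insert(u, new)

    def in_degree(self, v):         # deg-(v): the popularity of v
        return sum(1 for u in self.peer_list if v in self.peer_list[u])

    def live(self):                 # V1 ∪ V2: the peers that still take part
        return {v for v, c in self.cls.items() if c != 3}


def crawl(g, seeds):
    """Graph search: only routable peers answer, so the crawl graph is the visited
    peers plus every peer named in the lists they handed out."""
    visited, discovered, todo = set(), set(), deque(seeds)
    while todo:
        v = todo.popleft()
        if v in visited or g.cls[v] != 1:
            continue
        visited.add(v)
        discovered |= g.peer_list[v]
        todo.extend(g.peer_list[v])
    return visited, discovered


def inject_sensor(g, s, targets):
    """Peer injection I*(s): add the routable sensor s to each target's peer list.
    (Assumption: a non-routable peer is given s directly; in a real botnet it
    would pick s up when refreshing its list from a routable neighbour.)"""
    g.add_peer(s, 1)
    for u in targets:
        g.insert(u, s)


def sinkhole(g, sinks):
    """Peer-list destruction R(v) = U*(v) ∘ D*(v) on every live peer: each entry
    that points at another routable peer is replaced by a sinkhole entry."""
    for s in sinks:
        g.add_peer(s, 1)
    for v in g.live() - set(sinks):
        for i, target in enumerate(sorted(g.peer_list[v])):
            if g.cls[target] == 1 and target not in sinks:
                g.update(v, target, sinks[i % len(sinks)])


def fully_sinkholed(g, sinks):
    """Target state: every live peer knows a sinkhole and no other routable peer."""
    others = {v for v, c in g.cls.items() if c == 1} - set(sinks)
    return all(g.peer_list[v] & set(sinks) and not g.peer_list[v] & others
               for v in g.live() - set(sinks))


def partition(g, left):
    """D*: delete every edge that crosses between `left` and the other peers."""
    for u in g.live():
        for v in list(g.peer_list[u]):
            if (u in left) != (v in left):
                g.delete(u, v)


def weak_components(g):
    """Components among live peers ignoring direction; partitioning succeeded once > 1."""
    adj = {v: set() for v in g.live()}
    for u in adj:
        for v in g.peer_list[u]:
            if v in adj:
                adj[u].add(v)
                adj[v].add(u)
    seen, count = set(), 0
    for start in adj:
        if start not in seen:
            count, stack = count + 1, [start]
            while stack:
                x = stack.pop()
                seen.add(x)
                stack.extend(adj[x] - seen)
    return count


def build_sample():
    """Constructed toy topology: routable r1..r3 in a ring, non-routable n1 and n2
    that only know routable peers, and x1, which is unreachable and silent."""
    g = P2PGraph()
    for v, c in [("r1", 1), ("r2", 1), ("r3", 1), ("n1", 2), ("n2", 2), ("x1", 3)]:
        g.add_peer(v, c)
    for u, v in [("r1", "r2"), ("r2", "r3"), ("r3", "r1"), ("r2", "n1"),
                 ("n1", "r1"), ("n1", "r2"), ("n2", "r3")]:
        g.insert(u, v)
    return g
```

Running crawl on the sample from r1 visits the three routable peers and learns of n1 only because r2 lists it; n2 never appears, which is the limited view the slides describe. After injecting a sensor into the five live peers its in-degree is five, so it hears from both non-routable peers. sinkhole followed by fully_sinkholed reproduces the end state of page 46, and weak_components shows the graph staying connected under sinkholing (it collapses onto the sinkholes) but splitting in two under partition.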

Page 47

Attacks against P2P Botnets: Disruption and Destruction (Communication Layer Poisoning)

Specially crafted information is injected into a botnet.
Achieved by peer injection.
Distribute commands to other bots or transmit invalid messages.
Put recipients in a non-functional state.

Page 48

P2P Botnet intelligence gathering: Resilience Against Peer Enumeration

Reverse engineered the communication protocols of six active botnet variants.
Kelihos, Storm, Waledac and Zeus use a unique identifier to distinguish bots.
The ZeroAccess variants and Storm do not store only routable peers in their peer lists.
Miner and ZeroAccess v1 share all the peers in their peer list at once.
Various techniques are used to include new peers in the peer list.
The frequency with which peers communicate with their neighbours varies.

Page 49

P2P Botnet intelligence gathering: Peer Enumeration: Real-World Observations

Implemented crawling and sensor injection attacks for all four active P2P botnet families.
Enumerated eleven botnets that were active in November 2012.
Deployed sensor nodes only in the seven UDP-based botnets.
Measurements were taken three weeks after the sensor injection, to give the sensors time to become popular in the botnet.
Values are based on the number of unique IP addresses that were logged during the 24 hours.
Crawling provides a limited view of the overall botnet population because crawlers only see the peers they can actively enumerate.
A combination of both methods is the most appropriate.

Page 50

P2P Botnet intelligence gathering: Peer Enumeration: Real-World Observations

Table columns:
Enumerated botnets, the bot version number and its fixed UDP port.
Peers found, peers that responded to peer list requests, and ratio of routable peers.
Peers that connected to the sensor in 24 hours.
Peers that were identified by both methods.
Ratio of the number of peers found by the sensor divided by the number of peers and routable peers found through crawling.

Page 51

P2P Botnet intelligence gathering: Convergence Analysis of Zeus botnet

Both IP addresses and peer IDs have been counted for Zeus.
IP address churn is significant for Zeus.
19% of the bot IDs were observed on multiple addresses.

Page 52

P2P Botnet intelligence gathering: Convergence Analysis

Enumeration with crawling converges slowly.
Sensors find many more peers.
IP address churn is one of the reasons for slow node enumeration convergence.

Page 53

P2P Botnet intelligence gathering: Dynamics of Botnet Populations

Machines joining and leaving the network cause a steady churn of peers.
Measured the population size of the Zeus botnet independently from IP address churn.
Used the static ID to identify infected machines.
Up to 25 000 new infections per day.
This highly dynamic behaviour means that P2P botnets change significantly during node enumeration runs.

Page 54

P2P Botnet Disruption and Destruction: Communication Layer Poisoning Resilience

Poison a P2P botnet using its own commands or disrupt the C&C channel.
Defenders could issue arbitrary commands if the commands are not authenticated.

Page 55

P2P Botnet Disruption and Destruction: Sinkholing Resilience

Sinkhole announcement
• Announce some sinkholes to as many peers as possible.

Node isolation
• Try to eliminate all edges in the P2P graph that don't point to a sinkhole.

Fallback prevention
• Ensure that the bots don't activate backup C&C channels to recover.

Evaluated:
How a sinkhole can replace peer list entries.
How many entries can be destroyed in a single P2P exchange.
Fallback command and control channels.

Page 56

P2P Botnet Disruption and Destruction: Partitioning Resilience

The partitioning attack is the last resort.
It is impossible to regain control of the botnet once it is partitioned.
Restrict the test to the smallest subgraph, consisting of a single peer.
Non-routable peers can remain isolated forever.
Routable peers recover quickly, as they are still known by other peers.
A partitioning attack is only successful if it affects the whole P2P network.

Page 57

Questions???

Page 58

Thanks!!!