Transcript of "Botnets" (UCY)
Botnets
Leonidas Stylianou
CS 682
23/04/2020
Lifecycle of a bot
Botnet malware infects a host.
Infected host becomes a bot and joins the botnet.
Botmaster controls the botnet.
Coordination of bots with C&C server
Bots query the C&C servers using their IP address and DNS name.
Neither flexible nor robust against take-down actions.
Fast Flux
Bots query a certain domain that is mapped onto a set of IP addresses that change frequently.
Constitutes a single point of failure because only a single domain is used.
Domain flux
Bots query multiple domains that are mapped onto a set of IP addresses that change frequently.
Taking down the C&C server is harder because the botmasters can relocate it to another domain name.
Usage of botnets
Send spam mails
Launch DoS attacks
Steal personal data
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Overview
A comprehensive analysis of the operations of the Torpig botnet.
The count of distinct IPs that contacted the sinkholed C&C overestimates the size of the botnet.
The victims of botnets are often users with poorly maintained machines.
What is Torpig?
Malware service accessible to third parties.
Steals sensitive information from the victim’s host and relays it back to its controllers.
Distributed to its victims as part of the Mebroot rootkit.
Distribution of Mebroot
Victim requests a legitimate web site into which an attacker injected HTML code.
The victim's browser requests JavaScript code from the drive-by-download server.
The JavaScript code executes multiple exploits against the browser and some of its components.
If an exploit is successful, the Mebroot rootkit is downloaded from the server and executed.
Mebroot life cycle
Contacts the Mebroot C&C server to obtain malicious modules.
Provides a generic platform that other modules can leverage to perform their malicious actions.
Overwrites the MBR and is always executed at boot time.
Torpig Capabilities
Trojan that is injected into a number of applications.
Inspects all the data handled by these programmes.
System programmes: email clients, instant messengers, web browsers, FTP clients.
Communication in the Torpig Botnet
(1) Uploads the data stolen since the previous reporting time to the Torpig C&C server over HTTP.
(2) The C&C server acknowledges the new data with an “okn” response.
Communication in the Torpig Botnet
(2) Alternatively, the C&C server sends a configuration file to the bot with an “okc” response.
The configuration file specifies how often the bot should contact the C&C server, a set of hard-coded servers, and the parameters for man-in-the-browser (MitB) phishing attacks.
Man in the Browser attacks with Torpig bot
Generation of phishing sites
Infected machine visits one of the domains in the configuration file (bank site).
Torpig issues a request to an injection server.
The injection server’s response specifies the trigger page, the injection URL, and a number of parameters.
Man in the Browser attack
Victim visits the trigger page.
Torpig requests the injection URL from the injection server and injects the returned content into the user's browser.
The injected content reproduces the style of the target web site, and the address bar still displays a padlock.
Asks the user for sensitive information and steals personal information.
Coordination in Torpig Botnet: Domain Flux
Each bot uses a domain generation algorithm to compute a list of domain names.
It attempts to contact the C&C server with each name in the domain list in order until one succeeds.
Torpig's Domain Generation Algorithm
Step 1
• Seeded with the current date and a numerical parameter.
Step 2(a)
• Computes a “weekly” domain name that depends on the current week and year.
• Attempts to resolve dw.(com,net,biz) and contacts the C&C server.
Step 2(b)
• Computes a “daily” domain that depends on the current day.
• Attempts to resolve dd.(com,net,biz) and contacts the C&C server.
Step 2(c)
• Attempts to resolve domains that are hardcoded in the configuration file and contacts the C&C server.
Coordination in Torpig Botnet: Domain Flux and Resilience
Control at least one of the domains that will be contacted by the bots.
Use measures to prevent other groups from seizing domains that will be contacted by bots.
Arms Race between botmasters (B) and defenders (D)
B: The domain generation algorithm of the bots is modified frequently.
D: Reverse engineering the botnet protocol could be time consuming.
B: Force defenders to register a disproportionate number of names.
D: The economic factor is the biggest challenge because domain names are not cheap.
Taking control of the Torpig botnet: Sinkholing Preparation
Purchased two domains (.com and .net) that were to be used by the botnet.
Registered them with two different registrars.
Obtained control of the Torpig botnet for ten days.
Set up an Apache web server to receive and log bot requests, and recorded all network traffic.
During their control of the botnet, 8.7 GB of Apache log files and 69 GB of pcap data were collected.
Taking control of the botnet: Data Collection Principles
Operated the C&C servers based on established legal and ethical principles.
Operated such that any damage to victims was minimized.
Collected enough information to enable remediation of affected parties.
Worked with law enforcement agencies.
Botnet Analysis: Data Collection and Format
Bots communicate with the Torpig C&C through HTTP POST requests.
The request URL contains the hexadecimal representation of the bot identifier and the submission header.
The submission header is encrypted with Torpig's encryption algorithm.
The bot identifier is used as the symmetric key.
The request body contains the data stolen from the victim's machine.
It consists of data items, one per kind of information that was stolen.
The body is encrypted with Torpig's encryption algorithm.
Botnet Analysis: Data Collection and Format
Submission Header
ts: time stamp when the configuration file was updated.
ip: IP address of the bot.
hport and sport: port numbers of the HTTP and SOCKS proxies that Torpig opens on the infected machine.
os and cn: operating system version and locale.
nid: bot identifier.
bld and ver: build and version number of Torpig.
Example
Botnet Analysis: Data Collection and Format
Data Items
Mailbox account: configuration information for email accounts.
Email: email addresses.
Form data: content of HTML forms submitted by the victim's browser.
HTTP, FTP, POP: credentials for accounts of each respective type.
SMTP: source and destination addresses of emails.
Windows password
Data items sent to sinkholed botnet in 10 days
Botnet Size: Definitions
Botnet Size
Botnet's footprint
Indicates the aggregated total number of machines that have been compromised over time.
Botnet's live population
Indicates the number of compromised hosts that are concurrently communicating with the C&C server.
Botnet’s Footprint: Counting Bots by “nid” field
Description
• Torpig always sends the “nid” field in the submission header.
• Depends on software or hardware characteristics of the infected machine’s hard disk.
• Attempted to validate whether the “nid” is unique for each bot.
Evaluation
2079 cases were found where the assumption did not hold.
180 835 “nid” values have been observed in 10 days.
Underestimates the botnet’s footprint.
Botnet Footprint: Counting Bots by Submission Header Fields
Description
• Count unique tuples from the submission header that Torpig bots send.
• The “nid, os, cn, bld and ver” fields have been considered, whilst “ts, ip, sport and hport” have been discarded.
Evaluation
The botnet's footprint has been estimated at 182 914 machines.
Botnet’s Footprint: Identifying probers and researchers
Description
• “nid” values generated on a standard configuration of VMware and QEMU virtual machines are discarded.
• Bots that use the GET HTTP method are not considered.
Evaluation
40 bots were running on virtual machines.
74 hosts were probers.
The final estimate of the botnet's footprint is 182 800 hosts.
Botnet’s live population: Botnet Size Vs IP Count
Botnet Size
• 182 800 bots have contacted the C&C server.
IP Count
• 1 247 642 unique IP addresses contacted the C&C server.
• Overestimates the actual size of the botnet’s footprint.
Botnet’s live population: Botnet Size Vs IP Count
Per hour
• Number of unique IP addresses and bot IDs per hour provides a good estimation of the botnet’s live population.
Per day
• Number of unique IP addresses and bot IDs per day does not provide a good estimation of the botnet’s live population.
Botnet Size vs IP Count: Observations
Number of unique IPs per hour provides a good estimation of the botnet’s live population
144,236 (78.9%) of the infected machines were behind a NAT, VPN, proxy, or firewall.
Difference between IP count and actual bot count can be attributed to DHCP and NAT effects.
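The counting steps above (footprint by nid, footprint by header tuple, removal of probers and VM nids, and unique IPs versus bot IDs per hour and per day), worked on a handful of constructed sinkhole records. This is an added example, not code from the paper or the slides; the field values and the VM_NIDS set are constructed placeholders.

```python
from collections import defaultdict

# Constructed sinkhole records, not real Torpig data. Fields mirror the submission
# header (ip, os, cn, nid, bld, ver); "hour" is the hour of contact and "method"
# the HTTP method. ts, sport and hport are omitted since the counts discard them.
RECORDS = [
    dict(hour=0, ip="198.51.100.10", nid="a1", os="5.1", cn="en", bld="b1", ver="1", method="POST"),
    dict(hour=1, ip="198.51.100.11", nid="a1", os="5.1", cn="en", bld="b1", ver="1", method="POST"),  # same bot, new DHCP lease
    dict(hour=0, ip="203.0.113.7", nid="b2", os="5.1", cn="de", bld="b1", ver="1", method="POST"),
    dict(hour=0, ip="203.0.113.7", nid="c3", os="6.0", cn="de", bld="b1", ver="1", method="POST"),   # second bot behind the same NAT
    dict(hour=2, ip="192.0.2.5", nid="c3", os="5.1", cn="it", bld="b1", ver="1", method="POST"),     # nid collision: other os/cn
    dict(hour=2, ip="192.0.2.9", nid="vm00", os="5.1", cn="en", bld="b1", ver="1", method="POST"),   # nid of a stock VM image
    dict(hour=2, ip="192.0.2.10", nid="p9", os="5.1", cn="en", bld="b1", ver="1", method="GET"),     # prober: real bots POST
]
VM_NIDS = {"vm00"}  # placeholder for nids produced by standard VMware/QEMU images


def real_bots(records, vm_nids=VM_NIDS):
    """Drop probers and researchers: GET requests and nids of standard VM images."""
    return [r for r in records if r["method"] == "POST" and r["nid"] not in vm_nids]


def footprint_by_nid(records):
    """Lower bound on the footprint: distinct nid values (nids can collide)."""
    return len({r["nid"] for r in records})


def footprint_by_header(records):
    """Distinct (nid, os, cn, bld, ver) tuples; ts, ip, sport and hport are ignored."""
    return len({(r["nid"], r["os"], r["cn"], r["bld"], r["ver"]) for r in records})


def live_population(records, window):
    """Unique IPs vs unique bot IDs per 'hour' or per 'day' window."""
    ips, nids = defaultdict(set), defaultdict(set)
    for r in records:
        key = r["hour"] if window == "hour" else r["hour"] // 24
        ips[key].add(r["ip"])
        nids[key].add(r["nid"])
    return {k: (len(ips[k]), len(nids[k])) for k in sorted(ips)}


if __name__ == "__main__":
    bots = real_bots(RECORDS)
    print("records kept after removing probers/VMs:", len(bots))
    print("footprint by nid:", footprint_by_nid(bots))
    print("footprint by header tuple:", footprint_by_header(bots))
    print("per hour (unique IPs, unique nids):", live_population(bots, "hour"))
    print("per day  (unique IPs, unique nids):", live_population(bots, "day"))
```

Per hour the two NATed bots collapse into one IP, and per day the DHCP lease change makes one bot look like two IPs, which is the over- and under-counting the slides describe.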
Threat and data analysis of Torpig
Financial data stealing
• Obtained the credentials of 8130 accounts at 410 different institutions.
• Torpig controllers may have profited anywhere between $83K and $8.3M in ten days.
Proxies and DoS
• Leveraged by malicious users to send spam or navigate anonymously.
• Could be used to launch a massive DDoS attack.
Password analysis
• Bots stole 297,962 unique credentials sent by 52,540 different infected machines.
• 140 000 passwords have been recovered in 24 hours using various techniques.
SoK: P2PWNED — Modeling and Evaluating the Resilience of Peer-to-Peer Botnets
Overview
Present a model that formalizes reconnaissance and disruption attacks against P2P botnets.
Compare the population sizes of current P2P botnets using crawlers and sensor nodes.
Evaluate the disruption resilience of all four current P2P botnet families.
Architecture of P2P botnets
Eliminates the need for centralized servers.
Bots are connected to each other topologically.
Act as both C&C server and client.
http://cs.ucf.edu/~czou/research/P2PBotnets-bookChapter.pdf
Overview of P2P Networks: Categories
Unstructured P2P
Don’t have a predefined architecture.
Participants communicate randomly with one another.
Robust against high churn, but require more CPU and memory.
Botnets use message gossiping to propagate information.
Structured P2P
Organized into a specific topology.
Use a distributed hash table to identify and locate nodes/resources.
More efficient but less robust when faced with high rates of churn.
Botnets maintain a DHT that is used to store and route commands.
Overview of P2P Botnets: Definitions
Botnet Families
• Denote a specific strain of botnet.
Botnet Variants
• Denote a variant within a botnet family.
Botnets
• Refer to a coherent collection of hosts infected with a specific botnet variant.
Overview of P2P Botnets: P2P Botnet Characteristics
P2P botnet variants
• The active P2P botnet families as of November 2012.
Lifespan of botnet variants
• Lifespan of the botnet variants and the most important inactive P2P botnets.
Overview of P2P Botnets: P2P Botnet Purposes
The current P2P botnets have unstructured P2P protocols and use message gossiping to propagate information.
Hybrid architectures incorporate centralized servers to collect stolen data.
Used for malware distribution, spam, credentials theft and DDoS attacks.
Formal Model for P2P botnets: Directed Graph
A peer-to-peer (P2P) botnet is a directed graph G := (V, E), where V is a set of peers and E ⊆ V × V is a set of edges (u, v) with u, v ∈ V.
The set of peers V := V₁ ∪ V₂ ∪ V₃ is the disjoint union of routable peers V₁, non-routable peers V₂ and unreachable peers V₃.
V₁: peers that can be contacted by other peers.
V₂: peers that can't be reached by other peers but have the ability to contact one or more peers.
V₃: peers that can't be reached by any peers nor contact other peers.
Formal Model for P2P botnets: Peer List and out/in degree
Peer List
Let G = (V, E) denote a P2P botnet.
The set of edges Eᵥ := {(v, u) ∈ E} for a peer v ∈ V is called the peer list of v.
It expresses the relationships of neighbouring peers in the graph.
Out and in degree
Out-degree of v
• deg⁺(v) := |Eᵥ|
In-degree of v
• deg⁻(v) := |{(u, v) ∈ E}|
• deg⁻(v) is an important measure of the popularity of a peer because it shows its influence in the botnet.
Formal Model for P2P botnets: Operations
Deletion of an edge (u, v) in the graph
Transformation D : G → G' with G' := (V, E') and E' := E \ {(u, v)}.
D* = Dₙ ∘ Dₙ₋₁ ∘ … ∘ D₁ denotes the composition of multiple delete operations.
Occurs when a peer deletes an unreachable peer entry from its peer list.
Insertion of an edge (u, v) in the graph
Transformation I : G → G' with G' := (V', E'), where V' := V ∪ {v} and E' := E ∪ {(u, v)}.
I* is the composition of multiple inserts.
Occurs when a new peer-to-peer relationship is established.
Update operation
U := I ∘ D, defined as an edge deletion followed by an edge insertion.
U* denotes multiple subsequent updates.
Attacks against P2P Botnets: Attack Methods(Graph Search)
Understand the P2P topology of a botnet:
Visit all nodes
Request their peer lists
Enumerate all edges
The result is a crawl graph.
Only routable peers have been contacted: the graph search only explored the peer lists of routable peers.
Inaccurate results because P2P botnet topologies are dynamic.
Attacks against P2P Botnets: Attack Methods (Peer Injection)
Change the graph topology by manipulating the set of edges.
Let I(v) : G → G' = (V', E') denote a parametrized insert operation with V' = V ∪̇ {v}, E' = E ∪̇ {(u, v)}, u ∈ V.
Injection of a peer v can be defined as the composition I*(v) := Iₙ(v) ∘ Iₙ₋₁(v) ∘ … ∘ I₁(v).
Attacks against P2P Botnets: Attack Methods (Peer List Destruction)
Describes “corrupting changes” to a peer's peer list.
Entries can be either deleted or replaced with invalid entries.
The destruction of v's peer list is the transformation R(v) := U*(v) ∘ D*(v) : G → G' = (V', E').
Attacks against P2P Botnets: Intelligence Gathering
Crawling
Based on graph search
Visit as many peers as possible and collect information about them.
Represents an effective way to gather intelligence.
Limited view if only routable peers are included in the peer lists.
Sensor Nodes
With peer injection, a sensor s can be introduced into the botnet.
Can be contacted by non-routable peers.
Potentially overcomes some of the shortcomings of crawling.
Its coverage depends on its in-degree (popularity).
The in-degree can be increased by injecting s into any visited peer's peer list.
Attacks against P2P Botnets: Disruption and Destruction (Partitioning)
Partitioning the graph prohibits the distribution of information.
Apply a series of consecutive peer list destruction operations to create two disconnected subgraphs.
Decrease the popularity of nodes by deleting certain edges from the P2P graph.
Information propagation is slow and the graph is more sparse.
Attacks against P2P Botnets: Disruption and Destruction (Sinkholing)
Edges are replaced with edges pointing to special nodes called sinkholes.
Achieved by peer injections and peer list destructions.
The set of sinkholes S := {s₁, s₂, …, sₙ} is the central component for all P2P communication.
Transforms the infrastructure into a centralized network.
Reach a state where every live peer knows at least one sinkhole and no other routable peer.
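The graph model from the formal-model slides (peer lists, in/out-degree, the D, I and U operations) together with crawling, peer injection and the sinkholing transformation R(v) := U*(v) ∘ D*(v), as an added Python example that is not code from the paper or the slides. The toy botnet in build_sample() is constructed, and registering an injected peer as routable is an assumption of this model.

```python
from dataclasses import dataclass

@dataclass
class P2PBotnet:
    """G = (V, E): V = V1 (routable) + V2 (non-routable) + V3 (unreachable); (u, v) in E means v is in u's peer list."""
    routable: set
    nonroutable: set
    unreachable: set
    edges: set
    def peer_list(self, v):                 # E_v := {(v, u) in E}
        return {e for e in self.edges if e[0] == v}
    def out_degree(self, v):                # deg+(v) := |E_v|
        return len(self.peer_list(v))
    def in_degree(self, v):                 # deg-(v) := |{(u, v) in E}|, the peer's popularity
        return sum(1 for (_, w) in self.edges if w == v)
    def delete(self, u, v):                 # D: E' := E \ {(u, v)}
        self.edges.discard((u, v))
    def insert(self, u, v):                 # I: V' := V u {v}, E' := E u {(u, v)}
        if v not in self.routable | self.nonroutable | self.unreachable:
            self.routable.add(v)            # assumption: an injected sensor or sinkhole is contactable
        self.edges.add((u, v))
    def update(self, u, old, new):          # U := I o D
        self.delete(u, old)
        self.insert(u, new)

    def crawl(self, seed):
        """Graph search: only routable peers answer peer-list requests; returns (contacted, found)."""
        contacted, found, frontier = set(), {seed}, [seed]
        while frontier:
            v = frontier.pop()
            if v in contacted or v not in self.routable:
                continue
            contacted.add(v)
            for (_, u) in self.peer_list(v):
                found.add(u)
                frontier.append(u)
        return contacted, found

    def sinkhole(self, sinkholes):
        """Peer list destruction R(v) := U*(v) o D*(v) applied to every live peer."""
        live = (self.routable | self.nonroutable) - set(sinkholes)
        for v in live:
            for (_, u) in list(self.peer_list(v)):   # D*(v): drop all of v's entries
                self.delete(v, u)
            for s in sinkholes:                        # I*(s): inject the sinkholes into v's list
                self.insert(v, s)
        return self.is_sinkholed(sinkholes)

    def is_sinkholed(self, sinkholes):
        """Target state: every live peer knows a sinkhole and no other routable peer."""
        live = (self.routable | self.nonroutable) - set(sinkholes)
        others = self.routable - set(sinkholes)
        return all(any(u in sinkholes for (_, u) in self.peer_list(v)) and
                   not any(u in others for (_, u) in self.peer_list(v)) for v in live)

def build_sample():
    """Constructed toy botnet (not real data): routable peers list only each other."""
    return P2PBotnet({"r1", "r2", "r3"}, {"n1", "n2"}, {"x1"},
                     {("r1", "r2"), ("r2", "r3"), ("r2", "r1"), ("r3", "r1"),
                      ("n1", "r1"), ("n1", "r3"), ("n2", "r2")})
```

Crawling from r1 contacts only the three routable peers and never learns that n1 and n2 exist, which is the limited view of crawling the slides describe; after sinkhole({"s1"}) every live peer's list holds nothing but the sinkhole.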
Attacks against P2P Botnets: Disruption and Destruction (Communication Layer Poisoning)
Specially crafted information is injected into a botnet.
Achieved by peer injection.
Distribute commands to other bots or transmit invalid messages.
Put recipients in a non-functional state.
P2P Botnet intelligence gathering: Resilience Against Peer Enumeration
Reverse engineered the communication protocols of six active botnet variants.
Kelihos, Storm, Waledac and Zeus use a unique identifier to distinguish bots.
ZeroAccess variants and Storm don't only store routable peers in the peer list.
Miner and ZeroAccess v1 share all the peers in their peer list at once.
Various techniques are used to include new peers in the peer list.
The frequency with which peers communicate with their neighbours varies.
P2P Botnet intelligence gathering: Peer Enumeration: Real-World Observations
Implemented crawling and sensor injection attacks for all four active P2P botnet families.
Enumerated eleven botnets that were active in November 2012.
Deployed sensor nodes only in the seven UDP-based botnets.
Measurements were taken three weeks after the sensor injection, so that the sensor could become popular in the botnet.
Values are based on the number of unique IP addresses that were logged during 24 hours.
Crawling provides a limited view of the overall botnet population because crawlers can only actively enumerate routable peers.
A combination of both methods is the most appropriate.
P2P Botnet intelligence gathering: Peer Enumeration: Real-World Observations
Enumerated botnets, the bot version number and its fixed UDP port.
Peers found, peers that responded to peer list requests, and the ratio of routable peers.
Peers that connected to the sensor in 24 hours.
Peers that were identified by both methods.
Ratio of the number of peers found by the sensor to the number of peers and routable peers found through crawling.
P2P Botnet intelligence gathering: Convergence Analysis of Zeus botnet
Both IP addresses and peer IDs have been counted for Zeus.
IP address churn is significant for Zeus.
19% of the bot IDs were observed on multiple addresses.
P2P Botnet intelligence gathering: Convergence Analysis
Enumeration with crawling converges slowly.
Sensors find many more peers.
IP address churn is one of the reasons for slow node enumeration convergence.
P2P Botnet intelligence gathering: Dynamics of Botnet Populations
Machines joining and leaving the network cause a steady churn of peers.
Measured the population size of the Zeus botnet independently from IP address churn.
Used the static ID to identify infected machines.
Up to 25 000 new infections per day.
This highly dynamic behaviour means that P2P botnets change significantly during node enumeration runs.
P2P Botnet Disruption and Destruction: Communication Layer Poisoning Resilience
Poison a P2P botnet using its own commands or disrupt the C&C channel.
Defenders could issue arbitrary commands if the commands are not authenticated.
P2P Botnet Disruption and Destruction: Sinkholing Resilience
Sinkhole announcement
• Announce some sinkholes to as many peers as possible.
Node isolation
• Try to eliminate all edges in the P2P graph that don't point to a sinkhole.
Fallback prevention
• Ensure that the bots don't activate backup C&C channels to recover.
How a sinkhole can replace peer list entries
How many entries can be destroyed in a single P2P exchange
Fallback command and control channels
P2P Botnet Disruption and Destruction: Partitioning Resilience
The partitioning attack is the last resort.
It is impossible to regain control of the botnet once it is partitioned.
Restrict the test to the smallest subgraph, consisting of a single peer.
Non-routable peers can remain isolated forever.
Routable peers recover quickly as they are still known by other peers.
A partitioning attack is only successful if it affects the whole P2P network.
Questions???
Thanks!!!