Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"


Transcript of Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"

Page 1: Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"

Your Botnet is My Botnet: Analysis of a Botnet Takeover

Presented by

Sandeep Inampudi & Jishnu Pradeep

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna

Page 2

Overview

Introduction

Domain flux

Taking control of the Botnet

Botnet analysis

Threats and data analysis

Conclusion

Additional reading

Discussion

Page 3

Botnets

A botnet is a collection of software agents (bots) that run autonomously and automatically on compromised machines. The term is most commonly associated with malicious software.

Main motivation: recognition and financial gain.

The bot controller (botmaster) can 'rent' the services of the botnet to third parties.

Page 4

Purpose of Botnets

Botnets are the primary means for cyber-criminals to carry out their nefarious tasks:

DDoS attacks

Stealing credentials

Spamming

Spreading malware

Manipulating polls/clicks

Page 5

How does a Botnet work?

Page 6

C&C Structure

The two main types of command and control (C&C) structure used by botnets:

Centralized mechanism (e.g. the IRC protocol, or HTTP)

Decentralized (P2P) mechanism

Page 7

Studying Botnets

Two approaches:

1. Passive analysis: study of the secondary effects caused by the activity of compromised machines, for example:

Collected spam mails that were likely sent by bots

Measurements focused on DNS queries

Analyzed network traffic at the tier-1 ISP level

Page 8

Studying Botnets

2. Active approach: study botnets via infiltration.

Using an actual malware sample or a client simulating a bot, researchers join the botnet (as a client) and perform the analysis from the inside.

To achieve this, honeypots, honey clients, or spam traps are used to obtain a copy of the malware.

Page 9

Attackers have unfortunately adapted: most current botnets use stripped-down IRC or HTTP servers as their centralized command and control, so an infiltrating client only sees the commands sent to itself and learns little about the rest of the botnet.

What can be done now?

Answer: hijack the C&C. Either directly seize the physical machines that host the C&C infrastructure, or, collaborating with domain registrars, change the mapping of a botnet domain so that it points to a machine controlled by the defender.

Page 10

TORPIG Botnet

“One of the most advanced pieces of crimeware ever created”

Also known as Sinowal or Anserin

Development began in 2005

By November 2008, Torpig had stolen the details of about 500,000 online bank accounts + credit/debit cards.

Highly sophisticated, with a complex infrastructure

Page 11

Functions of TORPIG

Trojan horse

Injects itself as a DLL into 29 different applications

Steals sensitive information such as passwords and HTTP POST data

HTML injection for phishing

Uses 'encrypted' HTTP as its C&C protocol

Uses domain flux to locate the C&C server

Page 12

How is it distributed?

Torpig has been distributed to its victims as part of Mebroot.

Mebroot is a rootkit that takes control of a machine by replacing the system's Master Boot Record (MBR).

It therefore executes at boot time, before the operating system is loaded, and remains undetected by most anti-virus tools.

Mebroot is spread via drive-by download.

Page 13

How Torpig is distributed and gets data

[Diagram. Components: 'hacked' web servers, innocent victim, Mebroot C&C, Torpig C&C, injection server, drive-by-download server. Flows: <iframe> on the hacked site, Mebroot download, stolen data, config files.]

Page 14

Torpig HTML Injection

Domains of interest (~300) are stored in the config file.

When a domain of interest is visited:

• A request is issued to the injection server

• The server specifies a trigger page on the target domain

When the trigger page is visited:

• The injection URL is requested from the injection server

• The returned content is injected into the user's browser

The content usually asks for sensitive data and reproduces the look and feel of the legitimate site.

Page 15

Man-in-the-browser Attack

Same idea as a man-in-the-middle attack, but a Trojan horse inside the victim's machine intercepts and manipulates the calls between the browser and its security mechanisms, so the injected content appears inside a legitimate (even HTTPS) page and neither the user nor the server can tell.

Page 16

Page 17

Communication b/w Master and Bots

A botnet must keep in contact with its botmaster to be useful.

The botmaster must be able to coordinate its bots efficiently.

Hardcoding domains and IPs in bots = bad idea (a single takedown or blacklist entry cuts the bots off)

FAST FLUXING

A way to make these schemes more flexible and robust.

Bots query a fixed domain that is mapped onto a set of IP addresses, which change frequently.

Page 18

Fast Fluxing

Disadvantage: the domain name itself is still a single point of failure (take down the domain and the bots cannot find the C&C).

Torpig solves this issue through...

Page 19

Domain flux

Have the bots use an algorithm to generate a new set of domains to contact on a daily/weekly basis.

This algorithm is called a Domain Generation Algorithm (DGA).

If a domain is blocked, the bot simply rolls over to the next domain in the list; the botmaster only needs to register one of the upcoming domains to keep control.

Page 20

Torpig’s DGA

Each bot has the same DGA.

Seeded by the current date.

It generates:

Weekly domain (dw), tried as dw.net / dw.com / dw.biz

Daily domain (dd), tried as dd.net / dd.org

If all of these fail, it selects one of 3 hard-coded domains from the config file of the C&C.

Because every bot computes the same names, a defender who reverse engineers the DGA can compute future domains and register them before the botmaster does.
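As an added illustration (not code from the paper and not the real Torpig DGA), the following Python sketches a date-seeded DGA with the same weekly-then-daily-then-hard-coded search order, together with the defender's pre-computation step that makes sinkholing possible. The label construction (SHA-256 of a seed string), the hard-coded fallback names and the sample date are assumptions; the TLD lists are the ones on the slide.

```python
# Added example: a generic date-seeded DGA of the kind the slides describe,
# with Torpig's weekly -> daily -> hard-coded fallback order. The label
# construction (SHA-256 of the seed) and the hard-coded names are ASSUMED;
# this is not the real Torpig algorithm.
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Set

WEEKLY_TLDS = ("com", "net", "biz")   # as listed on the slide
DAILY_TLDS = ("net", "org")           # as listed on the slide
HARDCODED = ("c2-a.example", "c2-b.example", "c2-c.example")  # assumed stand-ins


def _label(seed: str, length: int = 10) -> str:
    """Deterministic lowercase label derived from a seed string (assumed construction)."""
    digest = hashlib.sha256(seed.encode()).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])


def weekly_domain(day: str) -> str:
    """dw: depends only on the ISO year and week, so it is stable for the whole week."""
    year, week, _ = date.fromisoformat(day).isocalendar()
    return _label(f"w:{year}:{week}")


def daily_domain(day: str) -> str:
    """dd: changes every day."""
    return _label(f"d:{day}")


def rendezvous_candidates(day: str) -> List[str]:
    """Names a bot tries on the given day, in order: weekly TLDs, daily TLDs, hard-coded."""
    dw, dd = weekly_domain(day), daily_domain(day)
    return ([f"{dw}.{t}" for t in WEEKLY_TLDS]
            + [f"{dd}.{t}" for t in DAILY_TLDS]
            + list(HARDCODED))


def resolve(day: str, unavailable: Set[str]) -> Optional[str]:
    """Bot side: roll over to the next candidate when one is blocked or unresolvable."""
    for name in rendezvous_candidates(day):
        if name not in unavailable:
            return name
    return None


def sinkhole_plan(start: str, days: int) -> List[str]:
    """Defender side: once the DGA is reverse engineered, every generated
    (non-hard-coded) name for the window can be computed and registered
    ahead of time; the weekly names come first in the bots' search order."""
    first = date.fromisoformat(start)
    names: List[str] = []
    for i in range(days):
        for name in rendezvous_candidates((first + timedelta(days=i)).isoformat()):
            if name not in HARDCODED and name not in names:
                names.append(name)
    return names


if __name__ == "__main__":
    day = "2009-01-26"  # a Monday inside the paper's observation window
    print("bot tries:", rendezvous_candidates(day))
    print("register for the week:", sinkhole_plan(day, 7))
```

Registering only the first weekly name (dw.com) is enough to capture every bot for that week, which is why the takeover needed just two domains; the daily names only matter if the weekly ones are unreachable.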

Page 21

Taking Control of Botnet

SINKHOLING: redirecting the traffic meant for a malicious server (here, by registering the domains the bots will compute) to a server the defender controls.

Process:

1. Reverse engineer the name generation algorithm and the C&C protocol.

2. Buy two domain names that the bots would use (.com/.net).

3. Purchase hosting space from two providers.

4. Set up Apache web servers to receive the bot requests.

5. Record all traffic.

6. Download the data and then remove it from the hosting provider.

Page 22

Result

Controlled the botnet for 10 days (Jan 25 to Feb 4, 2009).

After that, Mebroot (unfortunately) pushed a new Torpig binary that used an updated domain generation algorithm.

Also, one domain was suspended 6 days into the takeover due to an abuse complaint.

Data:

8.7 GB Apache Logs

69 GB pcap data (with stolen information)

Page 23

Two principles to protect victims

PRINCIPLE 1: The sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized.

PRINCIPLE 2: The sinkholed botnet should collect enough information to enable notification and remediation of affected parties.

Page 24

Torpig's data transmission explained:

The collected data is transferred via an HTTP POST.

The URL contains a bot identifier and the submission header.

The body of the POST request contains the stolen data.

Both are 'encrypted' with a simple scheme (XOR with a key, then Base64 encoding), which is easily reversed once the scheme has been reverse engineered.

Page 25

The submission header contains information about the bot that sent the data:

ts (timestamp)

ip (IP address)

sport (SOCKS proxy port)

hport (HTTP proxy port)

os (operating system)

cn (country name)

nid (node id)

bld (build)

ver (version)

Page 26

Page 27

Torpig’s stolen data analysis

Torpig steals your email clients' credentials, email address list, form data you submit to web pages, your Windows passwords and more.

[Chart of stolen data items per category. The counts recovered from the slide are 54,090; 1,258,862; 11,966,532; 411,039; 12,307; 415,206; 100,472 and 1,235,122; the category labels are not recoverable from the text.]

Page 28

Botnet sizing – The problems:

Calculating a botnet's size is a difficult task.

Why not just count the IP addresses?

Many computers sit behind a NAT (network address translation), so several bots share one address.

DHCP may assign a host a new IP address each time it reconnects, so one bot shows up as many addresses.

Page 29

Botnet sizing – Torpig

Instead, use some unique values in the submission header to determine the size.

nid, the node id, is a value derived from the hard drive's serial number.

The combination of nid, os, cn, bld and ver is used to identify an individual bot, and therefore to find the size of the Torpig botnet:

(nid, os, cn, bld, ver)
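Added example, not the authors' tooling and not Torpig's real wire format: the sinkhole side of the submission protocol and the tuple-based size estimate. The exact layout of the path and header ("ts=..&ip=.." pairs), the XOR key and all sample values are assumptions constructed for the example; the field names and the (nid, os, cn, bld, ver) key are the ones on the slides.

```python
# Added example (not the Torpig protocol or the authors' code): a sinkhole-side
# parser for a Torpig-style submission, plus the tuple-based size estimate.
# ASSUMED wire format (the slides only say "URL = bot id + submission header,
# body = stolen data, both Base64 + XOR"):
#   POST /<bot_id>/<b64(xor(header))>      body: b64(xor(stolen data))
#   header: "ts=..&ip=..&sport=..&hport=..&os=..&cn=..&nid=..&bld=..&ver=.."
import base64
from collections import defaultdict
from itertools import cycle
from typing import Dict, List, Tuple

XOR_KEY = b"k3y!"                            # assumed; a real key comes from reversing
BOT_KEY = ("nid", "os", "cn", "bld", "ver")  # the tuple the paper counts bots by


def obfuscate(data: bytes, key: bytes = XOR_KEY) -> str:
    """XOR with a repeating key, then Base64 (what the bot does)."""
    return base64.b64encode(bytes(b ^ k for b, k in zip(data, cycle(key)))).decode()


def deobfuscate(text: str, key: bytes = XOR_KEY) -> bytes:
    """Base64-decode, then XOR with the same key (what the sinkhole does)."""
    raw = base64.b64decode(text)
    return bytes(b ^ k for b, k in zip(raw, cycle(key)))


def parse_submission(path: str, body: str) -> Tuple[str, Dict[str, str], bytes]:
    """Split one POST into (bot_id, header fields, stolen data)."""
    _, bot_id, enc_header = path.split("/", 2)   # Base64 may contain '/', so maxsplit=2
    fields = dict(kv.split("=", 1) for kv in deobfuscate(enc_header).decode().split("&"))
    return bot_id, fields, deobfuscate(body)


def bot_key(h: Dict[str, str]) -> Tuple[str, ...]:
    return tuple(h[f] for f in BOT_KEY)


def footprint(headers: List[Dict[str, str]]) -> int:
    """Distinct bots by (nid, os, cn, bld, ver): unaffected by NAT or DHCP."""
    return len({bot_key(h) for h in headers})


def unique_ips(headers: List[Dict[str, str]]) -> int:
    """The naive estimate: distinct source IPs (over-counts under DHCP churn)."""
    return len({h["ip"] for h in headers})


def dhcp_churn(headers: List[Dict[str, str]]) -> Dict[Tuple[str, ...], int]:
    """How many different IP addresses each bot was seen from."""
    seen = defaultdict(set)
    for h in headers:
        seen[bot_key(h)].add(h["ip"])
    return {k: len(v) for k, v in seen.items()}


def new_infections(headers: List[Dict[str, str]]) -> int:
    """Bots that reported ts=0, i.e. had not yet received a configuration."""
    return len({bot_key(h) for h in headers if h["ts"] == "0"})


def make_post(h: Dict[str, str], stolen: bytes) -> Tuple[str, str]:
    """Bot side: build the (path, body) pair for one check-in."""
    header = "&".join(f"{k}={v}" for k, v in h.items())
    return f"/{h['nid']}/{obfuscate(header.encode())}", obfuscate(stolen)


def _hdr(ts: str, ip: str, nid: str) -> Dict[str, str]:
    return {"ts": ts, "ip": ip, "sport": "1080", "hport": "8080",
            "os": "5.1.2600", "cn": "US", "nid": nid, "bld": "gnh3", "ver": "229"}


# Constructed sample, not captured data: bot a1 checks in from three
# DHCP-assigned addresses, bots b2 and c3 share one NAT address, and c3
# is a fresh infection (ts=0).
SAMPLE_POSTS = [make_post(h, d) for h, d in [
    (_hdr("1232000000", "10.0.0.5", "a1"), b"form=user%3Dalice%26pass%3Dhunter2"),
    (_hdr("1232000000", "10.0.0.9", "a1"), b"mail=alice@mail.example"),
    (_hdr("1232000000", "10.0.0.12", "a1"), b"win=alice:P@ssw0rd"),
    (_hdr("1232000000", "198.51.100.7", "b2"), b"form=user%3Dbob"),
    (_hdr("0", "198.51.100.7", "c3"), b""),
]]


def sample_headers() -> List[Dict[str, str]]:
    """What the sinkhole sees after decoding every sample POST."""
    return [parse_submission(path, body)[1] for path, body in SAMPLE_POSTS]


if __name__ == "__main__":
    hdrs = sample_headers()
    print("unique IPs:", unique_ips(hdrs), "bots:", footprint(hdrs),
          "new:", new_infections(hdrs), "churn:", dhcp_churn(hdrs))
```

On the sample the IP count (4) overstates the bot count (3) because of churn, while NAT hides the second bot behind 198.51.100.7 from the IP count; the tuple key gets both right.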

Page 30

Botnet sizing (cont.)

As a reference point, between Jan 25, 2009 and Feb 4, 2009, 180,835 nid values were observed.

After subtracting probers and researchers, the final estimate of the botnet's footprint is 182,800 hosts.

The number of unique IPs in the same period was 1,247,642, an overestimate by almost a factor of 7.

Page 31

Botnet size vs. IP count

● IP addresses: after an initial spike, a consistent diurnal pattern, averaging 4,690 new IPs per hour

● Bots: after an initial spike, a rapid drop-off, averaging 705 new bots per hour

Page 32

Cumulative IPs and bots per hour

● The number of cumulative new IPs increased linearly

● The growth in cumulative new bots decayed quickly (the curve flattens)

Page 33

Using IP addresses to size Torpig:

● The number of unique bots per hour and the number of unique IPs per hour are nearly identical

● The number of unique bots per day does not match the number of unique IPs per day

This difference is a consequence of the bots contacting the C&C every 20 minutes, which is more frequent than the rate of DHCP churn: within one hour an IP maps to one bot, but over a day the same bot appears under several IPs.

Page 34

Observing DHCP churn

DHCP IP allocation is dynamic: a host is not guaranteed to get the same IP address each time.

DHCP churn factor: how many IP addresses each host received throughout the 10-day period.

In one instance, a single host changed IP address 694 times in this period.

Page 35

Infected hosts distribution:

Page 36

New infections

Recall that the submission header contains a timestamp (ts).

Counting the bots whose report had ts = 0 (no configuration received yet) gives the number of new bots.

49,294 new infections over the research period.

Page 37

Botnet as a service

Recall that the submission header has a build (bld) field.

The researchers believe this field corresponds to a customer ID.

12 different values of bld were seen during the study:

dxtrbc, eagle, gnh1, gnh2, gnh3, gnh4, gnh5, grey, grobin, grobin1, mentat, and zipp

Page 38

Financial data theft

In just the 10 days of the study, Torpig stole 8,310 accounts at 410 different institutions.

Institution       Accounts
PayPal               1,770
Poste Italiane         765
Capital One            314
E*Trade                304
Chase                  217

Country   Institutions   Accounts
US                  60      4,287
IT                  34      1,459
DE                 122        641
ES                  18        228
PL                  14        102
Other              162      1,593
Total              410      8,310

Page 39

The money involved

About 1,600 unique credit and debit card numbers were obtained during the study.

Quantifying the net money on all the cards was uncertain.

Cards by brand: Visa 1,056; MasterCard 447; American Express 81; Maestro 36; Discover 24.

Page 40

The money involved (cont.)

According to Symantec's estimated black-market rates for cards and accounts, the controllers might have earned between $83K and $8.3M from the 10 days' worth of data.

New data was continuously stolen and reported by the bots throughout the 10-day period.

Page 41

Potential for DDOS

During peak intervals, there were around 70,000 live hosts on Torpig.

Conservative estimate of 435 kbps upstream bandwidth for each host.

Roughly 17 Gbps of bandwidth available to the botmasters. (Check: 70,000 hosts × 435 kbps is about 30 Gbps; 17 Gbps corresponds to roughly 39,000 hosts online simultaneously, i.e. a typical rather than a peak count.)

Page 42

Privacy:

Web mail, web chats and forum messages (250 characters or longer on average) were among the stolen data. A sample of them showed:

1. 14% about jobs/resumes

2. 7% about money

3. 6% from sports fans

4. 5% about exams and worry about exams

5. 10% specifically mention security (often with the writer believing their own machine is clean)

Page 43

Password analysis

Torpig stole 297,962 unique credentials (username/password pairs).

The researchers found that almost 28% of victims reused their credentials; these reused credentials gave access to 368,501 websites.

Strength test:

Created a UNIX-like password file from the unique passwords (about 174,000 of them)

Fed it into John the Ripper

Cracked around 100,000 passwords within 24 hours
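Added example, not the authors' analysis code: the reuse measurement and a small wordlist-plus-rules attack (standing in for John the Ripper) over a constructed credential dump. The sample records, the wordlist, the mangling rules and the use of SHA-256 as the password hash are all assumptions.

```python
# Added example (not the authors' code): the two credential analyses the slide
# describes, run over a constructed dump of (victim, site, password) records.
# (1) reuse: how many victims use one password on more than one site;
# (2) strength: a small wordlist-plus-mangling attack, standing in for
#     John the Ripper, against a UNIX-like file of hashed unique passwords.
import hashlib
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed sample, not data from the study.
CREDS: List[Tuple[str, str, str]] = [
    ("victim1", "bank.example", "Summer2008"),
    ("victim1", "mail.example", "Summer2008"),
    ("victim1", "shop.example", "Summer2008"),
    ("victim2", "bank.example", "xK9$qL2!vP"),
    ("victim2", "mail.example", "tR4&mN8@wZ"),
    ("victim3", "forum.example", "password1"),
    ("victim3", "mail.example", "password1"),
    ("victim4", "bank.example", "letmein"),
]

WORDLIST = ["password", "summer", "letmein", "welcome"]  # constructed, tiny


def reuse_stats(creds) -> Tuple[int, int, int]:
    """(victims who reuse a password, total victims, site logins covered by reused passwords)."""
    by_victim: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for victim, site, pw in creds:
        by_victim[victim][pw].add(site)
    reusers = 0
    sites = 0
    for pws in by_victim.values():
        reused = [s for s in pws.values() if len(s) > 1]
        reusers += bool(reused)
        sites += sum(len(s) for s in reused)
    return reusers, len(by_victim), sites


def password_file(creds) -> str:
    """One 'name:hash' line per unique password. SHA-256 hex is an ASSUMED
    stand-in for a crypt(3) hash; john reads such lines with --format=Raw-SHA256."""
    uniq = sorted({pw for _, _, pw in creds})
    return "\n".join(f"u{i}:{hashlib.sha256(pw.encode()).hexdigest()}"
                     for i, pw in enumerate(uniq))


def mangle(word: str) -> Iterator[str]:
    """A few john-style rules: as-is, capitalised, with common suffixes."""
    for base in (word, word.capitalize()):
        yield base
        for suffix in ("1", "123", "2008", "2009", "!"):
            yield base + suffix


def crack(pwfile: str, wordlist) -> Dict[str, str]:
    """Return {name: recovered password} for every hash hit by the wordlist."""
    targets: Dict[str, str] = {}
    for line in pwfile.splitlines():
        name, digest = line.split(":", 1)
        targets[digest] = name
    found: Dict[str, str] = {}
    for word in wordlist:
        for guess in mangle(word):
            digest = hashlib.sha256(guess.encode()).hexdigest()
            if digest in targets:
                found[targets[digest]] = guess
    return found


if __name__ == "__main__":
    reusers, victims, sites = reuse_stats(CREDS)
    print(f"{reusers}/{victims} victims reuse a password across {sites} site logins")
    cracked = crack(password_file(CREDS), WORDLIST)
    print(f"cracked {len(cracked)} of {len(password_file(CREDS).splitlines())} unique passwords")
```

With a real dump, write the output of password_file() to disk and run john with --format=Raw-SHA256, a wordlist and --rules; the in-block crack() only illustrates the rule-based guessing and why the "capitalised word plus year" passwords fall in seconds.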

Page 44

Conclusions:

A unique opportunity to understand the profits and characteristics of botnets.

Previous size estimates based on IP addresses can be large overestimations.

Botnet victims are users with poorly maintained machines and weak passwords.

People should think of their computers as just another physical possession that needs to be looked after.

The authors worked with many parties, including the FBI, banks and ISPs, to notify and remediate victims.

Finally, botnets are an arms race between defenders and botmasters, and it will continue with new trends.

Page 45

Additional Reading

Your computer is now stoned (...again!)

Analysis of Sinowal

Kraken Botnet Infiltration

A Foray into Conficker's Logic and Rendezvous Points

Page 46

Discussion

1. What should users do to prevent the theft of their data?

2. Can the study be used to research the behavior of botmasters under different situations?

3. What are the solutions for removing the malware from affected computers and taking them out of the botnet?

4. Is the botnet takeover approach used by the authors reusable or reproducible? If not, which part is not?

5. Can SDN help in developing countermeasures against botnets?

6. How effective is domain blacklisting in stopping such botnets?

7. Torpig is said to be targeting the Windows operating system mostly. Why do you think that is? Can Torpig target other operating systems too?

8. How is botnet size being computed today?

9. Do you think that it was ethical to read or mine emails, even if it was done with the intention of helping victims?

Page 47

Thank You