anatomy of a massive p2p botnet takedown reversing and
play

Anatomy of a Massive P2P Botnet Takedown: Reversing and Attacking - PowerPoint PPT Presentation

Sep 26, 2022 •33 likes •1.02k views

Anatomy of a Massive P2P Botnet Takedown: Reversing and Attacking GameOver Zeus Dennis Andriesse Vrije Universiteit Amsterdam Finse Winter School 2018 Acknowledgements Brett Stone-Gross (Dell SecureWorks) Tillmann Werner, Christian Dietrich

  1. Anatomy of a Massive P2P Botnet Takedown: Reversing and Attacking GameOver Zeus Dennis Andriesse Vrije Universiteit Amsterdam Finse Winter School 2018

  2. Acknowledgements Brett Stone-Gross (Dell SecureWorks) Tillmann Werner, Christian Dietrich (CrowdStrike) Christian Rossow (Saarland University) Frank Ruiz, Michael Sandee (Fox-IT) Elliott Peterson (FBI) The ShadowServer Foundation CERT.PL Too many others to name here... Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 1 of 76

  3. Introduction to Botnets What is a botnet? • Network of malware–infected computers ( bots ) • Controlled by botmaster to perform malicious actions • Typically contains 100.000 - 1.000.000 bots Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 2 of 76

  4. Evolution of Botnets Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 3 of 76

  5. Evolution of Botnets Centralized botnets • Original botnets were centralized • Command and Control ( C2 ) server spreads commands to bots • First botnets based on IRC (a chat protocol) • Bots enter the “chat room” and listen to commands • Later botnets used HTTP • Bots fetch commands from a “web server” Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 4 of 76

  6. Evolution of Botnets Centralized botnets • Simple, easy to maintain for the bad guys • Easy to disable for the good guys • Just take out the C2 server Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 5 of 76

  7. Evolution of Botnets Centralized botnets • Simple, easy to maintain for the bad guys • Easy to disable for the good guys • Just take out the C2 server Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 5 of 76

  8. Evolution of Botnets Redundant infrastructure • Early way to strengthen centralized botnets: multiple C2 servers • If one of the servers is disabled, bots just switch to another Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 6 of 76

  9. Evolution of Botnets Redundant infrastructure • Early way to strengthen centralized botnets: multiple C2 servers • If one of the servers is disabled, bots just switch to another Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 6 of 76

  10. Evolution of Botnets Peer-to-Peer (P2P) botnets • Centralized botnets are vulnerable because of their C2 servers • P2P botnets have no centralized C2 servers • Every bot knows some of the other bots • Bots use P2P communication to spread commands • Much more resilient against takedowns Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 7 of 76

  11. Functionality of P2P Botnets Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 8 of 76

  12. P2P Botnets: Terminology Topologies • Structured: Peers have addresses, information is routed • Unstructured: Protocol based on gossiping Bootstrapping • Process of establishing connectivity with a P2P network • Finding initial peers • Seeding via separate channel • Pre-shared peer lists • Scanning Maintenance • Bots regularly update their peer list to account for churn • Typically some backup channel in case this fails Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 9 of 76

  13. Example: Storm Worm • Hybrid architecture • Structured P2P network, nodes have addresses • Peer-to-Peer network used for C2 server lookups • Peers are constantly searching for Time-Dependent Hashes • Responses encode C2 IP Address and TCP Port • Peers poll announced C2 host for commands Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 10 of 76

  14. Example: Storm Worm • Hybrid architecture • Structured P2P network, nodes have addresses • Peer-to-Peer network used for C2 server lookups • Peers are constantly searching for Time-Dependent Hashes • Responses encode C2 IP Address and TCP Port • Peers poll announced C2 host for commands Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 10 of 76

  15. Example: Kelihos • Strategy: disposable botnets • P2P layer is part of a multi-tier topology • C2 Proxies are announced to all peers • Dynamic, self-organizing backbone • Router nodes act as intermediate proxies Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 11 of 76

  16. Example: Sality • Pure P2P, protocol based on gossiping • Peers attempt to pull URLs from their neighboring nodes • Reputation scheme • Valid response from p : Reputation p := Reputation p + 1 • Invalid response from p : Reputation p := Reputation p − 1 Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 12 of 76

  17. How to Deal with “Disposable Botnets”? • When taken down, botnets like Kelihos quickly respawn • To prevent this, we must take out the droppers (Sality, Zeus, . . . ) • Not so easy, especially Sality and Zeus are quite resilient Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 13 of 76

  18. Attacking P2P Botnets Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 14 of 76

  19. Attacking P2P Botnets Commanding bots to uninstall • Usually not possible because of command signing • Bredolab did not use command encryption • Team High Tech Crime performed a complete takeover in 2010 • They were rewarded with a Big Brother Award Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 15 of 76

  20. Attacking P2P Botnets Reconnaissance • Reconnaissance attacks try to find all the bots • Know how big the botnet is • Report bot addresses to Internet providers • Abuse botnet’s maintenance mechanism: 1 Start with a few known bot addresses 2 Ask these bots which other bots they know 3 Repeat for newly found bots Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 16 of 76

  21. Attacking P2P Botnets Reconnaissance • Reconnaissance attacks try to find all the bots • Know how big the botnet is • Report bot addresses to Internet providers • Abuse botnet’s maintenance mechanism: 1 Start with a few known bot addresses 2 Ask these bots which other bots they know 3 Repeat for newly found bots Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 16 of 76

  22. Attacking P2P Botnets Reconnaissance • Reconnaissance attacks try to find all the bots • Know how big the botnet is • Report bot addresses to Internet providers • Abuse botnet’s maintenance mechanism: 1 Start with a few known bot addresses 2 Ask these bots which other bots they know 3 Repeat for newly found bots Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 16 of 76

  23. Attacking P2P Botnets Reconnaissance • Cannot find NATed nodes this way • 60% – 87% of nodes is NATed! • Infiltrate the botnet and get them to connect to you Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 17 of 76

  24. Attacking P2P Botnets Reconnaissance • Cannot find NATed nodes this way • 60% – 87% of nodes is NATed! • Infiltrate the botnet and get them to connect to you Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 17 of 76

  25. Attacking P2P Botnets Sinkholing • Sinkholing attacks try to disconnect bots from each other • Requires a way to modify bots’ peer lists • Try to redirect all bots to a benign sinkhole server Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 18 of 76

  26. Attacking P2P Botnets Sinkholing • Sinkholing attacks try to disconnect bots from each other • Requires a way to modify bots’ peer lists • Try to redirect all bots to a benign sinkhole server Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 18 of 76

  27. P2P Zeus Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 19 of 76

  28. Introduction to P2P Zeus The Zeus Bot • Banking trojan, information stealer • Centralized version around since 2005 • Sold as DIY toolkit for $4000 • FBI tracked a group in 2010 which stole over $70m with it Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 20 of 76

  29. Zeus v1/v2 • Configuring your own Zeus is as easy as running a wizard program • Zeus toolkits even include anti–piracy mechanisms Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 21 of 76

  30. Zeus v1/v2 • Your Zeus can be controlled using a handy web interface Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 22 of 76

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of

Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of

Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of Thousands of Internet Businesses and Millions of Users in October 2016 William Favre Slater, III, M.S. MBA, PMP, CISSP, CISA Sr. Cybersecurity

1.36k views • 53 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Reversing on the Edge Jason Jones Jasiel Spelman Arbor ASERT HPSR ZDI 1 Jason Jones Sr Sec

Reversing on the Edge Jason Jones Jasiel Spelman Arbor ASERT HPSR ZDI 1 Jason Jones Sr Sec

Reversing on the Edge Jason Jones Jasiel Spelman Arbor ASERT HPSR ZDI 1 Jason Jones Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug hunting

759 views • 32 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida Motivation Existing tools often not a good fit for the task at hand Creating a new tool usually takes too much effort Short feedback

1.17k views • 37 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Reversing a firmware uploader & Others NFC stories 1

Reversing a firmware uploader & Others NFC stories 1

7/1/2019 Reversing a Firmware uploader & others NFC stories Reversing a firmware uploader & Others NFC stories 1 file:///D:/projects/pts2019/dist/index.html 1/41 7/1/2019 Reversing a Firmware uploader & others NFC stories

920 views • 41 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&C) Dynamic Graph Model Botnet

195 views • 18 slides
Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus Mannheim Centre for European Social Research (MZES) University of Mannheim www.mzes.uni-mannheim.de www.mzes.uni mannheim.de Overcoming early exit

380 views • 9 slides
Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Introduction Advantages Skype Supernodes Botnet Our Model Features Communication protocol Experiments Limitations Countermeasures Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa - Universit`

483 views • 16 slides
An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD Student Independent InfoSec Consultant/Contractor Overview Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win?

868 views • 66 slides
Basic Anatomy Anatomy: General Planes of the body

Basic Anatomy Anatomy: General Planes of the body

Musculoskeletal Biomechanics BIOEN 520 | ME 527 Mini-Lab 1 Basic Anatomy Anatomy: General Planes of the body DirecGonal terms Joint

1.24k views • 65 slides
2D and 3D Medical Ima 2D and 3D Medical Ima ages for Anatomy ages for Anatomy Education using a

2D and 3D Medical Ima 2D and 3D Medical Ima ages for Anatomy ages for Anatomy Education using a

2D and 3D Medical Ima 2D and 3D Medical Ima ages for Anatomy ages for Anatomy Education using a cloud d computing platform Lih Shyang Chen Department of Electrical En ngineering National Cheng Kung Unive N ti l Ch K U i ersity

319 views • 27 slides
Wire Fraud in Real Estate Transactions Craig Goldenberg Senior Division President Craig

Wire Fraud in Real Estate Transactions Craig Goldenberg Senior Division President Craig

Wire Fraud in Real Estate Transactions Craig Goldenberg Senior Division President Craig Goldenberg Senior Division President Direct Operations in ME, NH, NY, NJ, MD, DC, VA Division President of New York Direct Operations CIO of Stewart

409 views • 38 slides
Interprofessional Peer Assisted Learning (IPAL) IPE Ontario 2011 Gary Kapelus, IPE Coordinator,

Interprofessional Peer Assisted Learning (IPAL) IPE Ontario 2011 Gary Kapelus, IPE Coordinator,

Interprofessional Peer Assisted Learning (IPAL) IPE Ontario 2011 Gary Kapelus, IPE Coordinator, George Brown College

450 views • 21 slides
1 The institution employs an adequate number of full time faculty members to support the

1 The institution employs an adequate number of full time faculty members to support the

John Hardt , Vice President Michael Hoefer , Vice President Southern Association of Colleges and Schools Commission on Colleges July 24, 2018 Atlanta, Georgia Basic Introduction to Section 6: Faculty Primary focus on 6.2.a ( Faculty qualifications )

393 views • 12 slides
Geisinger Commonwealth Vision Ensure the supply of physicians and scientists NEPA

Geisinger Commonwealth Vision Ensure the supply of physicians and scientists NEPA

Geisinger Commonwealth Vision Ensure the supply of physicians and scientists NEPA Improve area healthcare Enhance economy 2 Accreditation Full Accreditation Liaison Committee on Medical Education (LCME) Middle

311 views • 29 slides
Golden Parachutes & 280G: Design Pointers on How to Win Presentation for: Presentation by:

Golden Parachutes & 280G: Design Pointers on How to Win Presentation for: Presentation by:

Golden Parachutes & 280G: Design Pointers on How to Win Presentation for: Presentation by: Executive Compensation Webinar Series Anthony J. Eppert March 15, 2019 AnthonyEppert@HuntonAK.com 713.220.4276 Housekeeping: Technical Issues and

349 views • 18 slides
BDC Meeting # 5 Mat Su Career & Technical High School Matanus ka S us itna Borough Mat S

BDC Meeting # 5 Mat Su Career & Technical High School Matanus ka S us itna Borough Mat S

BDC Meeting # 5 Mat Su Career & Technical High School Matanus ka S us itna Borough Mat S u S chool Dis trict McCool Carls on Green Architects Mat-Su Career & Technical High School Agenda Process Overview Space Program

372 views • 24 slides
1H 2019 Financial results 3 rd September 2019 PATIENT WELL-BEING MEDICAL EDUCATION INNOVATION 1

1H 2019 Financial results 3 rd September 2019 PATIENT WELL-BEING MEDICAL EDUCATION INNOVATION 1

1H 2019 Financial results 3 rd September 2019 PATIENT WELL-BEING MEDICAL EDUCATION INNOVATION 1 Disclaimer This presentation (the "Presentation") has been prepared by Medacta Group SA ("Medacta" and together with its

492 views • 25 slides
Good overall growth with one-offs affecting profitability Q2 report 2019/20 November 28, 2019

Good overall growth with one-offs affecting profitability Q2 report 2019/20 November 28, 2019

Good overall growth with one-offs affecting profitability Q2 report 2019/20 November 28, 2019 Agenda 1. Q2 performance 2. Financials 3. Outlook 4. Q&A 3 3 Important information This presentation includes forward-looking statements

740 views • 33 slides

More recommend