Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot - - PowerPoint PPT Presentation



SLIDE 1

Botnets

Leonidas Stylianou CS 682 23/04/2020

SLIDE 2

Lifecycle of a bot

Botnet malware infects a host. Infected host becomes a bot and joins the botnet. Botmaster controls the botnet.

SLIDE 3

Coordination of bots with C&C server

IP address and DNS name
  • Bots query the C&C servers using their IP address and DNS name.
  • Neither flexible nor robust against take-down actions.

Fast Flux
  • Bots query a certain domain that is mapped onto a set of IP addresses that change frequently.
  • Constitutes a single point of failure because it uses only a single domain.

Domain flux
  • Bots query multiple domains that are mapped onto a set of IP addresses that change frequently.
  • Taking down the C&C server is harder because the bots relocate their domain name.

SLIDE 4

Usage of botnets

  • Send spam mails
  • Launch DoS attacks
  • Steal personal data

SLIDE 5

Your Botnet is My Botnet: Analysis of a Botnet Takeover

SLIDE 6

Overview

A comprehensive analysis of the operations of the Torpig botnet. The count of distinct IPs that contacted the sinkholed C&C overestimates the size of the botnet. The victims of botnets are often users with poorly maintained machines.

SLIDE 7

What is Torpig?

Malware service accessible to third parties. Steals sensitive information from the victim’s host and relays it back to its controllers. Distributed to its victims as part of the Mebroot rootkit.

SLIDE 8

Distribution of Mebroot

  • Victim requests a legitimate web site where an attacker injected HTTP code.
  • The victim’s browser requests JavaScript code from the drive-by-download server.
  • The JavaScript code executes multiple exploits against the browser and some of its components.
  • If the exploit is successful, the Mebroot rootkit is downloaded from the server and executed.

SLIDE 9

Mebroot life cycle

Contacts the Mebroot C&C server to obtain malicious modules. Provides a generic platform that other modules can leverage to perform their malicious actions. Overwrites the MBR and is always executed at boot time.

SLIDE 10

Torpig Capabilities

Trojan that is injected into a number of applications. Inspects all the data handled by these programmes:
  • System programmes
  • Email clients
  • Instant messengers
  • Web browsers
  • FTP clients

SLIDE 11

Communication in the Torpig Botnet

  • Uploads the stolen data since the previous reporting time to the Torpig C&C server over HTTP. (1)
  • Acknowledges the new data with “okn” response. (2)

SLIDE 12

Communication in the Torpig Botnet

Sends a configuration file to the bot with “okc” response. The configuration file specifies how often the bot should contact the C&C server, hard-coded servers and parameters to perform MiTB phishing attacks.

SLIDE 13

Man in the Browser attacks with Torpig bot

Generation of phishing sites
  • Infected machine visits one of the domains in the configuration file (bank site).
  • Torpig issues a request to an injection server.
  • The injection server’s response specifies the trigger page, the injection URL, and a number of parameters.

Man in the Browser attack
  • Victim visits the trigger page.
  • Torpig requests the injection URL from the injection server and injects the returned content into the user’s browser.
  • Injected content reproduces the style of the target web site and the address bar displays a padlock.
  • Asks the user for sensitive information and steals personal information.

SLIDE 14

Coordination in Torpig Botnet: Domain Flux

Each bot uses a domain generation algorithm to compute a list of domain names. Attempts to contact the C&C server with a name in the domain list in order until one succeeds.

SLIDE 15

Torpig’s Domain Generation Algorithm

Step 1
  • Seeded with the current date and a numerical parameter.

Step 2(a)
  • Computes a “weekly” domain name dw that depends on the current week and year.
  • Attempts to resolve dw.(com,net,biz) and contacts the C&C server.

Step 2(b)
  • Computes a “daily” domain dd that depends on the current day.
  • Attempts to resolve dd.(com,net,biz) and contacts the C&C server.

Step 2(c)
  • Attempts to resolve domains that are hardcoded in the configuration file and contacts the C&C server.

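The three-step lookup order above is the structure a defender has to reproduce in order to know which names to register before the botmaster does (slides 16 and 18). The example below is added here and is not Torpig's real algorithm or code from the paper: the mixing step (`_label`, SHA-256 of a seed string), the 8-letter label length, the seed layout and the `param` value are all assumptions; only the week/day dependency, the `.com/.net/.biz` suffixes and the weekly → daily → hardcoded order come from the slide.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "biz")  # the three suffixes the slide lists


def _label(seed: str, length: int = 8) -> str:
    # Hypothetical mixing step (not Torpig's): hash the seed and map each byte to a letter.
    digest = hashlib.sha256(seed.encode()).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])


def weekly_domain(day: date, param: int) -> str:
    # Step 2(a): depends only on the ISO week and year, so it is stable for seven days.
    year, week, _ = day.isocalendar()
    return _label(f"weekly|{year}|{week}|{param}")


def daily_domain(day: date, param: int) -> str:
    # Step 2(b): depends on the exact day.
    return _label(f"daily|{day.isoformat()}|{param}")


def candidate_domains(day: date, param: int, hardcoded=()) -> list:
    # The order a bot tries: dw.{com,net,biz}, then dd.{com,net,biz}, then hardcoded names.
    dw, dd = weekly_domain(day, param), daily_domain(day, param)
    return ([f"{dw}.{tld}" for tld in TLDS]
            + [f"{dd}.{tld}" for tld in TLDS]
            + list(hardcoded))


def first_reachable(candidates, resolves):
    # Bot behaviour from slide 14: walk the list in order until one name answers.
    # `resolves` is a caller-supplied predicate, so the function runs offline.
    for name in candidates:
        if resolves(name):
            return name
    return None


def names_to_register(start: date, days: int, param: int) -> set:
    # Defender view: every generated name the bots will try over the horizon.
    # Controlling any one of them ahead of the botmaster is what allows sinkholing.
    names = set()
    for offset in range(days):
        names.update(candidate_domains(start + timedelta(days=offset), param))
    return names


if __name__ == "__main__":
    today = date(2009, 1, 26)  # constructed date, a Monday
    print(candidate_domains(today, 7, hardcoded=["fallback.example"]))
    print(len(names_to_register(today, 7, 7)), "names to register for one week")
```

Because the weekly name is shared by all seven days, a week of coverage costs one weekly label plus seven daily labels, each in three TLDs; this is the "disproportionate number of names" cost that slide 17 attributes to the defender.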
SLIDE 16

Coordination in Torpig Botnet: Domain Flux and resilience

Control at least one of the domains that will be contacted by the bots. Use measures to prevent other groups from seizing domains that will be contacted by bots.

SLIDE 17

Arms Race between botmasters and defenders

(B: botmaster, D: defender)

B: The domain generation algorithm of the bots is modified frequently.
D: Reverse engineering the botnet protocol could be time consuming.
B: Force defenders to register a disproportionate number of names.
D: The economic factor is the biggest challenge because domain names are not cheap.

SLIDE 18

Taking control of the Torpig botnet: Sinkholing Preparation

  • Purchased two domains (.com and .net) that were to be used by the botnet.
  • Registered them with two different registrars.
  • Obtained control of the Torpig botnet for ten days.
  • Set up an Apache web server to receive and log bot requests, and recorded all network traffic.
  • During their control of the botnet, 8.7 GB of Apache log files and 69 GB of pcap data have been collected.

SLIDE 19

Taking control of the botnet: Data Collection Principles

  • Operated the C&C servers based on established legal and ethical principles.
  • Operated such that any damage to victims was minimized.
  • Collected enough information to enable remediation of affected parties.
  • Worked with law enforcement agencies.

SLIDE 20

Botnet Analysis: Data Collection and Format

Bots communicate with the Torpig C&C through HTTP POST requests. URL’s request contains the hexadecimal representation of the bot identifier and submission header. Submission header is encrypted with Torpig’s encryption algorithm. Bot identifier is used as the symmetric key. Body’s request contains the data stolen from the victim’s machine. Consists of data items based on the information that was stolen. Body is encrypted with Torpig’s encryption algorithm.

SLIDE 21

Botnet Analysis: Data Collection and Format

Submission Header
  • ts: time stamp when the configuration file was updated.
  • ip: IP address of the bot.
  • hport and sport: port numbers of the HTTP and SOCKS proxies that Torpig opens on the infected machine.
  • os and cn: operating system version and locale.
  • nid: bot identifier.
  • bld and ver: build and version number of Torpig.

Example

SLIDE 22

Botnet Analysis: Data Collection and Format

Data Items
  • Mailbox account: configuration information for email accounts.
  • Email: email addresses.
  • Form data: content of HTML forms submitted by the victim’s browser.
  • HTTP, FTP, POP: credentials for the respective accounts.
  • SMTP: source and destination addresses of emails.
  • Windows password

Data items sent to the sinkholed botnet in 10 days

SLIDE 23

Botnet Size: Definitions

Botnet Size Botnet’s footprint Indicates the aggregated total number of machines that have been compromised over time. Botnet’s live population Indicates the number of compromised hosts that are concurrently communicating with the C&C server.

SLIDE 24

Botnet’s Footprint: Counting Bots by “nid” field

Description
  • Torpig always sends the “nid” field in the submission header.
  • Depends on software or hardware characteristics of the infected machine’s hard disk.
  • Attempted to validate whether the “nid” is unique for each bot.

Evaluation
  • 2079 cases have been found where the assumption did not hold.
  • 180 835 “nid” values have been observed in 10 days.
  • Underestimates the botnet’s footprint.

SLIDE 25

Botnet Footprint: Counting Bots by Submission Header Fields

Description
  • Count unique tuples from the submission header that Torpig bots send.
  • “nid, os, cn, bld and ver” fields have been considered, whilst “ts, ip, sport and hport” have been discarded.

Evaluation
  • Botnet’s footprint has been estimated at 182 914 machines.

SLIDE 26

Botnet’s Footprint: Identifying probers and researchers

Description
  • “nid” values generated on a standard configuration of the VMware and QEMU virtual machines are discarded.
  • Bots that use the GET HTTP method are not considered.

Evaluation
  • 40 bots have been running on virtual machines.
  • 74 hosts have been probers.
  • Final estimate of the botnet’s footprint is 182 800 hosts.

SLIDE 27

Botnet’s live population: Botnet Size Vs IP Count

Botnet Size
  • 182 800 bots have contacted the C&C server.

IP Count
  • 1 247 642 unique IP addresses contacted the C&C server.
  • Overestimates the actual size of the botnet’s footprint.

SLIDE 28

Botnet’s live population: Botnet Size Vs IP Count

Per hour
  • Number of unique IP addresses and bot IDs per hour provides a good estimation of the botnet’s live population.

Per day
  • Number of unique IP addresses and bot IDs per day does not provide a good estimation of the botnet’s live population.

SLIDE 29

Botnet Size vs IP Count: Observations

  • Number of unique IPs per hour provides a good estimation of the botnet’s live population.
  • 144,236 (78.9%) of the infected machines were behind a NAT, VPN, proxy, or firewall.
  • Difference between IP count and actual bot count can be attributed to DHCP and NAT effects.
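Slides 24 to 29 describe four different counts over the same sinkholed C&C logs (unique nid, unique header tuple, unique IP, and per-bucket live population) and why they diverge. The following is an added example, not code or data from the paper: it runs those counts over a constructed set of decrypted submission headers that deliberately contains one bot whose DHCP lease changes three times, two machines behind one NAT that share a nid, a stock virtual-machine nid, and a prober that uses GET. The field names follow slide 21; the `method` field, the `VM_NIDS` set and all values are invented for illustration, and the real 2009 nid values for VMware/QEMU images are not on the page.

```python
from collections import defaultdict

# Constructed sample of decrypted submission headers, one per bot report.
REPORTS = [
    dict(ts="2009-01-25 10:05", ip="203.0.113.10", method="POST", os="5.1", cn="en-us", nid="aa01", bld="gnh5", ver="229"),
    dict(ts="2009-01-25 10:40", ip="203.0.113.11", method="POST", os="5.1", cn="en-us", nid="aa01", bld="gnh5", ver="229"),  # same bot, new DHCP lease
    dict(ts="2009-01-25 11:10", ip="203.0.113.12", method="POST", os="5.1", cn="en-us", nid="aa01", bld="gnh5", ver="229"),  # same bot, third IP
    dict(ts="2009-01-25 10:15", ip="198.51.100.7", method="POST", os="6.0", cn="de-de", nid="bb02", bld="gnh5", ver="229"),
    dict(ts="2009-01-25 10:20", ip="198.51.100.7", method="POST", os="6.0", cn="fr-fr", nid="bb02", bld="gnh5", ver="229"),  # nid collision: second machine behind the same NAT
    dict(ts="2009-01-25 11:30", ip="192.0.2.5", method="POST", os="5.1", cn="en-us", nid="feedface", bld="gnh5", ver="229"),  # nid of a stock VM image (constructed value)
    dict(ts="2009-01-25 11:45", ip="192.0.2.9", method="GET", os="5.1", cn="en-us", nid="cc03", bld="gnh5", ver="229"),  # prober: real bots POST
]

# Constructed stand-in for the nid values a default VMware/QEMU install produces (slide 26).
VM_NIDS = {"feedface"}

# Slide 25: fields that identify a machine; ts, ip, sport and hport are discarded.
FOOTPRINT_FIELDS = ("nid", "os", "cn", "bld", "ver")


def is_prober(report) -> bool:
    # Slide 26: discard VM-image nids and anything not using POST.
    return report["nid"] in VM_NIDS or report["method"] != "POST"


def real_bots(reports):
    return [r for r in reports if not is_prober(r)]


def footprint_by_nid(reports) -> int:
    # Slide 24: undercounts when two machines share a nid.
    return len({r["nid"] for r in reports})


def footprint_by_tuple(reports) -> int:
    # Slide 25: the tuple separates machines that collide on nid alone.
    return len({tuple(r[f] for f in FOOTPRINT_FIELDS) for r in reports})


def unique_ips(reports) -> int:
    # Slide 27: overcounts because of DHCP and NAT.
    return len({r["ip"] for r in reports})


def live_population(reports, bucket_len):
    # Slide 28: group by a time bucket (13 chars of ts = hour, 10 chars = day) and compare
    # unique IPs against unique bot tuples in each bucket.
    buckets = defaultdict(lambda: {"ips": set(), "bots": set()})
    for r in reports:
        b = buckets[r["ts"][:bucket_len]]
        b["ips"].add(r["ip"])
        b["bots"].add(tuple(r[f] for f in FOOTPRINT_FIELDS))
    return {k: (len(v["ips"]), len(v["bots"])) for k, v in sorted(buckets.items())}


def summary(reports=REPORTS):
    bots = real_bots(reports)
    return {
        "nid_all": footprint_by_nid(reports),     # naive count over everything
        "tuple_all": footprint_by_tuple(reports), # tuple count before removing probers
        "probers": len(reports) - len(bots),
        "footprint": footprint_by_tuple(bots),    # the slide-26 style final estimate
        "footprint_nid": footprint_by_nid(bots),  # what nid alone would have given
        "ips": unique_ips(bots),                  # the slide-27 overestimate
        "per_hour": live_population(bots, 13),
        "per_day": live_population(bots, 10),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k}: {v}")
```

On this constructed input the per-hour buckets agree with the tuple count (3 IPs and 3 bots in the 10:00 hour, 1 and 1 in the 11:00 hour) while the per-day bucket already shows the DHCP inflation (4 IPs for 3 bots), which is the pattern slides 28 and 29 describe at scale.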

SLIDE 30

Threat and data analysis of Torpig

Financial data stealing
  • Obtained the credentials of 8130 accounts at 410 different institutions.
  • Torpig controllers may have profited anywhere between $83K and $8.3M in ten days.

Proxies and DoS
  • Leveraged by malicious users to send spam or navigate anonymously.
  • Could cause a massive distributed DDoS attack.

Password analysis
  • Bots stole 297,962 unique credentials sent by 52,540 different infected machines.
  • 140 000 passwords have been recovered in 24 hours using various techniques.

SLIDE 31

SoK: P2PWNED— Modeling and Evaluating the Resilience of Peer-to-Peer Botnets

SLIDE 32

Overview

Present a model that formalizes reconnaissance and disruption attacks against P2P botnets. Compare the population sizes of current P2P botnets using crawlers and sensor nodes. Evaluate the disruption resilience of all four current P2P botnet families.

SLIDE 33

Architecture of P2P botnets

  • Eliminates the need for centralized servers.
  • Bots are connected to each other topologically.
  • Act as both C&C server and client.

http://cs.ucf.edu/~czou/research/P2PBotnets-bookChapter.pdf

SLIDE 34

Overview of P2P Networks: Categories

Unstructured P2P
  • Don’t have a predefined architecture. Participants communicate randomly with one another.
  • Robust against high churn activity, but higher CPU and memory usage is required.
  • Botnets use message gossiping to propagate information.

Structured P2P
  • Organized into a specific topology. Use a distributed hash table to identify and locate nodes/resources.
  • More efficient but less robust when faced with high rates of churn.
  • Botnets maintain a DHT that is used to store and route commands.

SLIDE 35

Overview of P2P Botnets: Definitions

  • Botnet Families: denote a specific strain of botnet.
  • Botnet Variants: denote a variant within a botnet family.
  • Botnets: refers to a coherent collection of hosts infected with a specific botnet variant.

SLIDE 36

Overview of P2P Botnets: P2P Botnet Characteristics

P2P botnet variants
  • The active P2P botnet families as of November 2012.

Lifespan of botnet variants
  • Lifespan of the botnet variants and the most important inactive P2P botnets.

SLIDE 37

Overview of P2P Botnets: P2P Botnet Purposes

  • Have unstructured P2P protocols and use message gossiping to propagate information.
  • Hybrid architectures incorporate centralized servers to collect stolen data.
  • Used for malware distribution, spam, credentials theft and DDoS attacks.

SLIDE 38

Formal Model for P2P botnets: Directed Graph

A peer-to-peer (P2P) botnet is a directed graph G := (V, E), where V is a set of peers and E ⊆ V × V is a set of edges (u, v) with u, v ∈ V.

The set of peers V := V₁ ∪ V₂ ∪ V₃ is the disjoint union of routable peers V₁, non-routable peers V₂ and unreachable peers V₃.

  • V₁: peer that can be contacted by other peers.
  • V₂: peer that can’t be reached by other peers but has the ability to contact one or more peers.
  • V₃: peer that can’t be reached by any peers nor contact other peers.

SLIDE 39

Formal Model for P2P botnets: Peer List and out/in degree

Peer List

Let G = (V, E) denote a P2P botnet. The set of edges Ev := {(v, u) ∈ E} for a peer v ∈ V is called the peer list of v. It expresses the relationships of neighbouring peers in the graph.

Out and in degree
  • Out-degree of v: deg+(v) := |Ev|
  • In-degree of v: deg−(v) := |{(u, v) ∈ E}|
  • deg−(v) is an important measure for the popularity of a peer because it shows its influence in the botnet.

SLIDE 40

Formal Model for P2P botnets: Operations

Deletion of an edge (u, v) in the graph
  • Transformation D : G → G′ with G′ := (V, E′) and E′ := E \ {(u, v)}.
  • D∗ = Dn ∘ Dn−1 ∘ … ∘ D1 denotes the composition of multiple delete operations.
  • Occurs when a peer deletes an unreachable peer entry from its peer list.

Insertion of an edge (u, v) in the graph
  • Transformation I : G → G′ with G′ := (V′, E′), where V′ := V ∪ {v} and E′ := E ∪ {(u, v)}.
  • I∗ is the composition of multiple inserts.
  • Occurs when a new peer-to-peer relationship is established.

Update operation
  • U := I ∘ D, defined as an edge deletion followed by an edge insertion.
  • U∗ denotes multiple subsequent updates.

SLIDE 41

Attacks against P2P Botnets: Attack Methods (Graph Search)

  • Understand the P2P topology of a botnet: visit all nodes, request their peer lists, enumerate all edges. The result is the crawl graph.
  • Only routable peers have been contacted; the graph search only explored the peer lists of routable peers.
  • Inaccurate results because P2P botnet topologies are dynamic.

SLIDE 42

Attacks against P2P Botnets: Attack Methods (Peer Injection)

  • Change the graph topology by manipulating the set of edges.
  • I(v) : G → G′ = (V′, E′) denotes a parametrized insert operation with V′ = V ∪̇ {v}, E′ = E ∪̇ {(u, v)}, u ∈ V.
  • Injection of a peer v can be defined as a composition I∗(v) := In(v) ∘ In−1(v) ∘ … ∘ I1(v).

SLIDE 43

Attacks against P2P Botnets: Attack Methods (Peer List Destruction)

Describes “corrupting changes” to a peer’s peer list. Entries can be either deleted or replaced with invalid entries. The destruction of v’s peer list is the Transformation R(v):=U∗(v) ◦ D∗(v) :G → G’ = (V’,E’).

SLIDE 44

Attacks against P2P Botnets: Intelligence Gathering

Crawling
  • Based on graph search: visit as many peers as possible and collect information about them.
  • Represents an effective way to gather intelligence.
  • Limited view if only routable peers are included in the peer lists.

Sensor Nodes
  • With peer injection, a sensor s can be introduced to the botnet.
  • Can be contacted by non-routable peers. Potentially overcomes some of the shortcomings of crawling.
  • Its coverage depends on its in-degree (popularity). In-degree can be increased by injecting s into any visited peer’s peer list.

SLIDE 45

Attacks against P2P Botnets: Disruption and Destruction (Partitioning)

  • Partitioning the graph prohibits the distribution of information.
  • Apply a series of consecutive peer list destruction operations to create two disconnected subgraphs.
  • Decrease the popularity of nodes by deleting certain edges from the P2P graph.
  • Information propagation is slow and the graph is more sparse.

SLIDE 46

Attacks against P2P Botnets: Disruption and Destruction (Sinkholing)

Edges are replaced with edges pointing to special nodes called sinkholes. Achieved by peer injections and peer list destructions. Set of sinkholes S := {s1, s2, . . . , sn} are the central component for all P2P communication. Transforms the infrastructure into a centralized network. Reach a state where every live peer knows at least one sinkhole and no other routable peer.
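Slides 38 to 40 give the graph model (peer lists, in/out degree, the D, I and U transformations) and slides 41 to 46 express crawling, peer list destruction R(v) := U∗(v) ∘ D∗(v) and sinkholing as operations on that graph. The following is an added example that encodes the model as a small Python class and walks a constructed six-node botnet through a crawl and a sinkholing run; it is not code from the SoK paper. Assumptions not on the page: "live peers" are taken to be V₁ ∪ V₂, an injected node (sensor or sinkhole) is placed in V₁ because it must be contactable, and the toy topology and node names are invented.

```python
from collections import deque
from itertools import cycle


class P2PBotnet:
    """Directed graph G = (V, E) with V = V1 ∪ V2 ∪ V3 (routable, non-routable, unreachable)."""

    def __init__(self, routable, non_routable=(), unreachable=()):
        self.V1, self.V2, self.V3 = set(routable), set(non_routable), set(unreachable)
        self.E = set()

    @property
    def V(self):
        return self.V1 | self.V2 | self.V3

    def live_peers(self):
        # Assumption: unreachable peers neither send nor receive, so only V1 ∪ V2 take part.
        return self.V1 | self.V2

    def peer_list(self, v):
        # Ev := {(v, u) ∈ E}: the neighbours v knows about.
        return {(a, b) for (a, b) in self.E if a == v}

    def out_degree(self, v):
        return len(self.peer_list(v))

    def in_degree(self, v):
        # deg−(v): how many peers list v, i.e. its popularity.
        return sum(1 for (_, b) in self.E if b == v)

    def delete(self, u, v):
        # D: E' := E \ {(u, v)}, e.g. when u drops an unreachable entry.
        self.E.discard((u, v))

    def insert(self, u, v):
        # I: V' := V ∪ {v}, E' := E ∪ {(u, v)}. A newly injected node must be
        # contactable, so (assumption) it joins V1.
        if v not in self.V:
            self.V1.add(v)
        self.E.add((u, v))

    def update(self, u, old, new):
        # U := I ∘ D: delete (u, old), then insert (u, new).
        self.delete(u, old)
        self.insert(u, new)

    def crawl(self, seed):
        # Graph search (slide 41): request peer lists, but only routable peers answer,
        # so non-routable peers are never discovered unless someone lists them.
        visited, discovered, queue = set(), {seed}, deque([seed])
        while queue:
            v = queue.popleft()
            if v in visited or v not in self.V1:
                continue
            visited.add(v)
            for (_, u) in self.peer_list(v):
                discovered.add(u)
                queue.append(u)
        return visited, discovered

    def destroy_peer_list(self, v, replacements):
        # R(v) := U*(v) ∘ D*(v) (slide 43): every entry of v's list is replaced with one
        # of the given nodes (here sinkholes), cycling if the list is longer.
        targets = cycle(replacements)
        for (_, old) in sorted(self.peer_list(v)):
            self.update(v, old, next(targets))
        if not self.peer_list(v):
            self.insert(v, next(targets))  # an empty list still needs a sinkhole entry

    def is_sinkholed(self, sinkholes):
        # Target state from slide 46: every live peer knows at least one sinkhole
        # and no other routable peer.
        S = set(sinkholes)
        for v in self.live_peers() - S:
            known = {u for (_, u) in self.peer_list(v)}
            if not (known & S) or (known - S) & self.V1:
                return False
        return True


def build_sample():
    # Constructed toy botnet: three routable bots, two NAT-ed bots, one dead host z.
    g = P2PBotnet(routable={"a", "b", "c"}, non_routable={"x", "y"}, unreachable={"z"})
    for u, v in [("a", "b"), ("a", "c"), ("b", "c"), ("c", "a"),
                 ("x", "a"), ("x", "b"), ("y", "c"), ("y", "z")]:
        g.E.add((u, v))
    return g


def sinkhole(g, sinkholes):
    # Defender procedure: destroy every live peer's list in favour of the sinkholes,
    # then check the slide-46 end state. The peer set is snapshotted before the
    # sinkholes are inserted so they are not processed as bots.
    for v in sorted(g.live_peers()):
        g.destroy_peer_list(v, sinkholes)
    return g.is_sinkholed(sinkholes)


if __name__ == "__main__":
    g = build_sample()
    print("crawl from a:", g.crawl("a"))          # x and y are never seen
    print("sinkholed:", sinkhole(g, ["s1"]), "in-degree of s1:", g.in_degree("s1"))
```

The crawl from `a` returns only the routable peers, which is the limited view slide 44 attributes to crawling; after the sinkholing run every live peer's list consists solely of `s1`, so `s1` carries the whole in-degree of the network, while the unreachable host `z` is untouched and irrelevant to the end-state check.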

SLIDE 47

Attacks against P2P Botnets: Disruption and Destruction (Communication Layer Poisoning)

Specially crafted information is injected into a botnet. Achieved by peer injection. Distribute commands to other bots or transmit invalid messages. Put recipients in a non-functional state.

SLIDE 48

P2P Botnet in intelligence gathering: Resilience Against Peer Enumeration

  • Reverse engineered the communication protocols of six active botnet variants.
  • Kelihos, Storm, Waledac and Zeus use a unique identifier to distinguish bots.
  • ZeroAccess variants and Storm don’t only store routable peers in the peer list.
  • Miner and ZeroAccess v1 share all the peers in their peer list at once.
  • Various techniques to include new peers in the peer list.
  • The frequency with which peers communicate with their neighbours varies.

SLIDE 49

P2P Botnet in intelligence gathering: Peer Enumeration: Real-World Observations

  • Implemented crawling and sensor injection attacks for all four active P2P botnet families.
  • Enumerated eleven botnets that were active in November 2012.
  • Deployed sensor nodes only in the seven UDP-based botnets.
  • Measurements were taken three weeks after the sensor injection, so that the sensor could become popular in the botnet.
  • Values are based on the number of unique IP addresses that were logged during the 24 hours.
  • Crawling provides a limited view of the overall botnet population because crawlers actively enumerate peers. A combination of both is the most appropriate.

SLIDE 50

P2P Botnet in intelligence gathering: Peer Enumeration: Real-World Observations

Enumerated botnets, the bot version number and its fixed UDP port. Peers found, peers that responded to peer list requests, and ratio of routable peers. Peers that connected to the sensor in 24 hours. Peers that were identified by both methods Ratio of the number of peers found by the sensor divided by the number of peers and routable peers found through crawling

SLIDE 51

P2P Botnet in intelligence gathering: Convergence Analysis of Zeus botnet

  • Both IP addresses and peer IDs have been counted for Zeus.
  • IP address churn is significant for Zeus.
  • 19% of the bot IDs were observed on multiple addresses.

SLIDE 52

P2P Botnet in intelligence gathering: Convergence Analysis

Enumeration with crawling converges slowly. Sensors find many more peers. IP address churn is one of the reasons for slow node enumeration convergence.

SLIDE 53

P2P Botnet intelligence gathering: Dynamics of Botnet Populations

  • Machines joining and leaving the network cause a steady churn of peers.
  • Measure the population size of the Zeus botnet independently from IP address churn.
  • Used the static ID to identify infected machines.
  • Up to 25 000 new infections per day.
  • This highly dynamic behaviour means that P2P botnets change significantly during node enumeration runs.

SLIDE 54

P2P Botnet Disruption and Destruction: Communication Layer Poisoning Resilience

  • Poison a P2P botnet using its own commands or disrupt the C&C channel.
  • Defenders could issue arbitrary commands if the commands are not authenticated.

SLIDE 55

P2P Botnet Disruption and Destruction: Sinkholing Resilience

  • Sinkhole announcement: announce some sinkholes to as many peers as possible.
  • Node isolation: try to eliminate all edges in the P2P graph that don’t point to a sinkhole.
  • Fallback prevention: ensure that the bots don’t activate backup C&C channels to recover.

  • How a sinkhole can replace peer list entries
  • How many entries can be destroyed in a single P2P exchange
  • Fallback command and control channels

SLIDE 56

P2P Botnet Disruption and Destruction: Partitioning Resilience

  • Partitioning attack is the last resort. It is impossible to regain control of the botnet once it is partitioned.
  • Restrict the test to the smallest sub-graph, consisting of a single peer.
  • Non-routable peers can remain isolated forever.
  • Routable peers recover quickly as they are still known by other peers.
  • Partitioning attack is only successful if it affects the whole P2P network.

SLIDE 57

Questions???

SLIDE 58

Thanks!!!