Botnets Some slides taken from David Choffnes, Northeastern - PowerPoint PPT Presentation

Botnets Some slides taken from David Choffnes, Northeastern https://www.justice.gov/usao-cdca/pr/justice-department- announces-court-authorized-efforts-map-and-disrupt-botnet- used-north https://www.malwaretech.com/2013/12/peer-to-peer-botnets-for- beginners.html https://security.googleblog.com/2018/11/industry-collaboration- leads-to.html

Definitions • Virus • Program that attaches itself to another program • Worm • Replicates itself over the network • Usually relies on remote exploit (e.g. buffer overflow) • Rootkit • Program that infects the operating system (or even lower) • Used for privilege elevation, and to hide files/processes • Trojan horse • Program that opens “back doors” on an infected host • Gives the attacker remote access to machines • Botnet • A large group of Trojaned machines, controlled en-mass • Used for sending spam, DDoS, click-fraud, etc.

Worms to Botnets • Ultimate goal of most Internet worms • Compromise machine, install rootkit, then trojan • One of many in army of remote controlled machines • Used by online criminals to make money • Extortion • “Pay use $100K or we will DDoS your website” • Spam and click-fraud • Phishing and theft of personal information • Credit card numbers, bank login information, etc.

• Used by criminals to make money • Platform for many attacks • Spam forwarding (70% of all spam?) • Click fraud and ad fraud more generally • Keystroke logging • Distributed denial of service attacks • Serious problem • Top concern of banks, online merchants • Vint Cerf: ¼ of hosts connected to Internet

Botnet Attacks • Truly effective as an online weapon for terrorism • i.e. perform targeted attacks on governments and infrastructure • Massive DoS on Estonia • April 27, 2007 – Mid-May, 2007 • Closed off most government and business websites • Attack hosts from US, Canada, Brazil, Vietnam, … • Web posts indicate attacks controlled by Russians • All because Estonia moved a memorial of WWII soldier • Is this a glimpse of the future?

What are Botnets used for?

Botnet Hosts • Fortify system against other malicious attacks • Disable anti-virus software • Harvest sensitive information • PayPal, software keys, etc. • Economic incentives for botnets • Stresses need to patch/protect systems prior to attack • Stronger protection boundaries required across applications in OSes

Detecting / Deterring Botnets • Bots controlled via C&C channels • Potential weakness to disrupt botnet operation • Traditionally relied on IRC channels run by ephemeral servers • Can rotate single DNS name to different IPs on minute-basis • Can be found by mimicking bots (using honeypots) • Bots also identified via DNS blacklist requests • A constant cat and mouse game • Attackers evolving to decentralized C&C structures • Peer to peer model, encrypted traffic • Storm botnet, estimated 1-50 million members in 9/2007

Old-School C&C: IRC Channels 10 snd spam: <subject> Botmaster <msg> snd spam: <subject> snd spam: <subject> <msg> IRC Servers <msg> • Problem: single point of failure • Easy to locate and take down

IRC botnet

IRC botnet

Why IRC? • IRC servers are: • freely available • easy to manage • easy to subvert • Attackers have experience with IRC • IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts

P2P Botnets Insert commands into the DHT Structured Botmaster P2P DHT Master Servers Get commands from the DHT

Fast Flux DNS Botmaster HTTP Servers But: ISPs can 12.34.56.78 6.4.2.0 31.64.7.22 245.9.1.43 98.102.8.1 blacklist the rendezvous www.my-botnet.com domain Change DNS � IP mapping every 10 seconds

“Random” Domain Generation …But the Botmaster Bots generate many only needs to register a possible domains Botmaster few each day HTTP Servers www.17-cjbq0n.com www.sb39fwn.com www.xx8h4d9n.com Can be combined with fast flux

“Your Botnet is My Botnet” • Takeover of the Torpig botnet • Random domain generation + fast flux • Team reverse engineered domain generation algorithm • Registered 30 days of domains before the botmaster! • Full control of the botnet for 10 days • Goal of the botnet: theft and phishing • Steals credit card numbers, bank accounts, etc. • Researchers gathered all this data • Other novel point: accurate estimation of botnet size

Torpig Architecture Host gets infected via drive-by- Rootkit Trojan download installation installation Collect stolen data Capture banking Researchers Infiltrated passwords Here

Man-in-the-Browser Attack

Stolen Information � Data gathered from Jan 25-Feb 4 2009 User Accounts Banks Accounts � How much is this data worth? � Credit cards: $0.10-$25 Banks accounts: $10-$1000 � $83K-$8.3M

How to Estimate Botnet Size? • Passive data collection methodologies • Honeypots • Infect your own machines with Trojans • Observe network traffic • Look at DNS traffic • Domains linked to fast flux C&C • Networks flows • Analyze all packets from a large ISP and use heuristics to identify botnet traffic • None of these methods give a complete picture

Size of the Torpig Botnet • Why the disconnect between IPs and bots? • Dynamic IPs, short DHCP leases • Casts doubt on prior studies, enables more realistic estimates of botnet size

Other botnet activity covered in class

Joanap • Around since 2009 • Windows worm downloaded on infected machines • Peer to peer architecture • Performed industrial espionage as well as more mundane activities

“Traditional” botnet

Peer to peer botnet

Peer to peer botnet

FBI takedown: peer poisoning • Each node has a list of connections • FBI node gives others a list of FBI nodes • FBI also contacts Internet Service Providers of infected hosts

DrainerBot • Mobile ad fraud bot • Infected SDK: • Hundreds of consumer Android apps • Blocked by Google PlayStore? Host on regional app store • Mostly on cheap phones in developing nations

3ve • Ad fraud botnet • Massive infrastructure on servers augmented by botnet • Infected machines downloaded bad attachments, infected by drive-by downloads • Centralized command and control center

Impression Fraud: a type of Ad Fraud

Questions • How do botnet operators choose what to do with the infected devices? • How do infected devices notice that they’re in a botnet? Are there good ways to notify them or reduce the harm they do? • What are the benefits of a p2p architecture? C&C? • Compare and contrast mirai (that we discussed much earlier) with drainerbot. What does this tell us about the cybercriminals behind the two?