Botnets - Some slides taken from David Choffnes, Northeastern - PowerPoint PPT Presentation



SLIDE 1

Botnets

Some slides taken from David Choffnes, Northeastern

  • https://www.justice.gov/usao-cdca/pr/justice-department-announces-court-authorized-efforts-map-and-disrupt-botnet-used-north
  • https://www.malwaretech.com/2013/12/peer-to-peer-botnets-for-beginners.html
  • https://security.googleblog.com/2018/11/industry-collaboration-leads-to.html

SLIDE 2

Definitions

  • Virus
    • Program that attaches itself to another program
  • Worm
    • Replicates itself over the network
    • Usually relies on a remote exploit (e.g. a buffer overflow)
  • Rootkit
    • Program that infects the operating system (or even lower)
    • Used for privilege elevation, and to hide files/processes
  • Trojan horse
    • Program that opens “back doors” on an infected host
    • Gives the attacker remote access to the machine
  • Botnet
    • A large group of Trojaned machines, controlled en masse
    • Used for sending spam, DDoS, click fraud, etc.
SLIDE 3

Worms to Botnets

  • Ultimate goal of most Internet worms
    • Compromise the machine, install a rootkit, then a trojan
    • The machine becomes one of many in an army of remote-controlled machines
  • Used by online criminals to make money
    • Extortion
      • “Pay us $100K or we will DDoS your website”
    • Spam and click fraud
    • Phishing and theft of personal information
      • Credit card numbers, bank login information, etc.
SLIDE 4
  • Used by criminals to make money
  • Platform for many attacks
    • Spam forwarding (70% of all spam?)
    • Click fraud, and ad fraud more generally
    • Keystroke logging
    • Distributed denial of service attacks
  • Serious problem
    • Top concern of banks, online merchants
    • Vint Cerf (2007 estimate): up to ¼ of hosts connected to the Internet may be part of a botnet
SLIDE 5

Botnet Attacks

  • Truly effective as an online weapon for terrorism
    • i.e. performing targeted attacks on governments and infrastructure
  • Massive DoS on Estonia
    • April 27, 2007 – mid-May, 2007
    • Closed off most government and business websites
    • Attack hosts from the US, Canada, Brazil, Vietnam, …
    • Web posts indicated the attacks were controlled by Russians
    • All because Estonia moved a memorial to a WWII soldier
  • Is this a glimpse of the future?
SLIDE 6

What are Botnets used for?

SLIDE 7

Botnet Hosts

  • Fortify the system against other malicious attacks
    • Disable anti-virus software
  • Harvest sensitive information
    • PayPal, software keys, etc.
  • Economic incentives for botnets
    • Stresses the need to patch/protect systems prior to attack
    • Stronger protection boundaries required across applications in OSes

SLIDE 8

SLIDE 9

Detecting / Deterring Botnets

  • Bots controlled via C&C channels
    • Potential weakness to disrupt botnet operation
  • Traditionally relied on IRC channels run by ephemeral servers
    • Can rotate a single DNS name to different IPs on a per-minute basis
    • Can be found by mimicking bots (using honeypots)
  • Bots also identified via their DNS blacklist lookups (spam bots check whether their own address is listed before sending)
  • A constant cat and mouse game
    • Attackers evolving to decentralized C&C structures
    • Peer-to-peer model, encrypted traffic
    • Storm botnet, estimated 1–50 million members in 9/2007
SLIDE 10

Old-School C&C: IRC Channels

[Diagram: Botmaster → IRC servers → bots. The botmaster posts a command such as “snd spam: <subject> <msg>” to the channel and every connected bot receives it.]

  • Problem: single point of failure
    • Easy to locate and take down
SLIDE 11

IRC botnet

SLIDE 12

IRC botnet

SLIDE 13

Why IRC?

  • IRC servers are:
    • freely available
    • easy to manage
    • easy to subvert
  • Attackers have experience with IRC
  • IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts

SLIDE 14

P2P Botnets

[Diagram: Botmaster → master servers → structured P2P DHT → bots. The botmaster inserts commands into the DHT; bots get commands from the DHT.]

SLIDE 15

Fast Flux DNS

[Diagram: Botmaster → HTTP servers at 12.34.56.78, 6.4.2.0, 31.64.7.22, 245.9.1.43, 98.102.8.1, all reachable under the single rendezvous name www.my-botnet.com]

  • Change the DNS → IP mapping every 10 seconds
  • But: ISPs can blacklist the rendezvous domain
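The rotation in the diagram is what passive-DNS monitoring looks for. The script below is an added example, not part of the slides: it scores names in a constructed passive-DNS log by TTL, number of distinct A records and number of distinct /16 networks. The name www.my-botnet.com and its five addresses are the slide's; the CDN and static control names, the log itself and all thresholds are assumptions.

```python
"""Flag fast-flux rendezvous names in passive DNS data.

Added example (not from the slides). A fast-flux name rotates its A records
through many bot addresses in unrelated networks with a very short TTL. A CDN
also uses short TTLs but answers from a few networks it owns, so the
"many networks" test is what separates the two here.
"""
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS observations: (seconds since start, qname, ttl, A record).
# www.my-botnet.com and its five addresses are the ones on the slide; the CDN and
# static names are made-up controls using documentation address ranges.
SAMPLE_LOG = [
    (0, "www.my-botnet.com", 10, "12.34.56.78"),
    (10, "www.my-botnet.com", 10, "6.4.2.0"),
    (20, "www.my-botnet.com", 10, "31.64.7.22"),
    (30, "www.my-botnet.com", 10, "245.9.1.43"),
    (40, "www.my-botnet.com", 10, "98.102.8.1"),
    (50, "www.my-botnet.com", 10, "12.34.56.78"),
    (0, "cdn.example.net", 60, "203.0.113.10"),
    (60, "cdn.example.net", 60, "203.0.113.11"),
    (120, "cdn.example.net", 60, "198.51.100.5"),
    (180, "cdn.example.net", 60, "203.0.113.12"),
    (0, "static.example.org", 3600, "192.0.2.1"),
    (3600, "static.example.org", 3600, "192.0.2.1"),
]


def summarize(records):
    """Per name: largest TTL seen, distinct A records, distinct /16 prefixes.

    The /16 prefix is a crude stand-in for "same network"; production tooling
    would map each address to its origin AS instead (assumed unavailable offline).
    """
    stats = defaultdict(lambda: {"max_ttl": 0, "ips": set(), "nets": set()})
    for _ts, qname, ttl, addr in records:
        entry = stats[qname]
        entry["max_ttl"] = max(entry["max_ttl"], ttl)
        entry["ips"].add(addr)
        entry["nets"].add(ip_address(addr).packed[:2])
    return dict(stats)


def fast_flux_candidates(records, max_ttl=300, min_ips=5, min_nets=3):
    """Names that churn through >= min_ips addresses spread over >= min_nets
    networks while never advertising a TTL above max_ttl seconds.
    Thresholds are assumptions chosen for this sample."""
    flagged = []
    for qname, entry in summarize(records).items():
        if (entry["max_ttl"] <= max_ttl
                and len(entry["ips"]) >= min_ips
                and len(entry["nets"]) >= min_nets):
            flagged.append(qname)
    return sorted(flagged)


if __name__ == "__main__":
    for name, entry in summarize(SAMPLE_LOG).items():
        print(f"{name}: ttl<={entry['max_ttl']}s, {len(entry['ips'])} IPs, "
              f"{len(entry['nets'])} /16s")
    print("fast-flux candidates:", fast_flux_candidates(SAMPLE_LOG))
```

The “many unrelated networks” test is what keeps the low-TTL CDN name from being flagged; with ASN data in place of /16 prefixes this is the usual first-pass fast-flux check, and the flagged name is the rendezvous domain an ISP would blacklist, as the slide notes.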

SLIDE 16

“Random” Domain Generation

[Diagram: Botmaster → HTTP servers behind generated names such as www.sb39fwn.com, www.17-cjbq0n.com, www.xx8h4d9n.com]

  • Bots generate many possible domains each day …
  • …but the botmaster only needs to register a few
  • Can be combined with fast flux

SLIDE 17

“Your Botnet is My Botnet”

  • Takeover of the Torpig botnet
    • Random domain generation + fast flux
    • Team reverse engineered the domain generation algorithm
    • Registered 30 days of domains before the botmaster!
    • Full control of the botnet for 10 days
  • Goal of the botnet: theft and phishing
    • Steals credit card numbers, bank accounts, etc.
    • Researchers gathered all this data
  • Other novel point: accurate estimation of botnet size
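An added example covering both this slide and the previous one on domain generation (it is not the Torpig team's code and not Torpig's actual algorithm): a hypothetical date-seeded DGA, the bot's walk through the day's candidates, a botmaster who registers only a couple of them, and a defender who knows the algorithm and registers every candidate for the next 30 days first. The seed, the candidate count, the TLD set, the start date and the dict standing in for DNS are all assumptions.

```python
"""Date-seeded domain generation and the Torpig-style pre-registration countermove.

Added example. The generator is a hypothetical DGA (SHA-256 over a secret and
the date), not Torpig's real algorithm, and the registry dict stands in for
DNS. It shows the asymmetry the slides describe: bots try the day's candidates
in order, the botmaster registers only a few, and a defender who has reverse
engineered the algorithm can register every candidate for future days before
the botmaster does.
"""
import hashlib
from datetime import date, timedelta

SEED = b"secret-recovered-by-reversing-the-bot"   # assumption: fixed per bot version
TLDS = ("com", "net", "biz")                      # assumption
CANDIDATES_PER_DAY = 20                           # assumption


def daily_domains(day, count=CANDIDATES_PER_DAY, seed=SEED):
    """The candidate rendezvous names for `day`, in the order a bot tries them."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        n = int.from_bytes(digest[:8], "big")
        label = ""
        for _ in range(8 + n % 5):            # 8..12 lowercase letters
            label += chr(ord("a") + n % 26)
            n //= 26
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def bot_rendezvous(day, registry):
    """What an infected host does: walk today's list, stop at the first name that resolves."""
    for name in daily_domains(day):
        if name in registry:
            return name, registry[name]
    return None, None


def botmaster_register(day, registry, how_many=2):
    """The botmaster only needs a few names per day: here the first `how_many`
    candidates, if nobody holds them already."""
    for name in daily_domains(day)[:how_many]:
        registry.setdefault(name, "botmaster")


def defender_register_ahead(first_day, days, registry):
    """Register every candidate for the next `days` days (the takeover move)."""
    claimed = []
    for k in range(days):
        for name in daily_domains(first_day + timedelta(days=k)):
            if name not in registry:
                registry[name] = "sinkhole"
                claimed.append(name)
    return claimed


def simulate_takeover(start=date(2009, 1, 25), takeover_days=30):
    """Who the bots reach on each day. Day 0 belongs to the botmaster; the defender
    then registers days 1..takeover_days ahead, and the botmaster's daily
    registrations from then on find every name already taken."""
    registry = {}
    botmaster_register(start, registry)
    defender_register_ahead(start + timedelta(days=1), takeover_days, registry)
    reached = []
    for k in range(takeover_days + 1):
        day = start + timedelta(days=k)
        botmaster_register(day, registry)
        reached.append(bot_rendezvous(day, registry)[1])
    return reached


if __name__ == "__main__":
    print(daily_domains(date(2009, 1, 25))[:3])
    print(simulate_takeover())
```

Because the bot stops at the first name that resolves, the defender has to hold every candidate for a day, not just the ones the botmaster would have picked; that is the registration cost the slide's “30 days of domains” refers to. What the model does not capture is how the real takeover ended: after 10 days the botmaster pushed an updated bot with a new generation algorithm, so pre-registration buys control only until the next update.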
SLIDE 18

Torpig Architecture

[Diagram: host gets infected via drive-by download → rootkit installation → Trojan installation → capture banking passwords → collect stolen data at the C&C server. Researchers infiltrated at the C&C / data-collection step.]

SLIDE 19

Man-in-the-Browser Attack

SLIDE 20

Stolen Information

Data gathered from Jan 25 – Feb 4, 2009

[Table: counts of stolen user accounts and bank accounts]

How much is this data worth?

  • Credit cards: $0.10–$25 each
  • Bank accounts: $10–$1000 each
  • Total: $83K–$8.3M

SLIDE 21

How to Estimate Botnet Size?

  • Passive data collection methodologies
    • Honeypots
      • Infect your own machines with Trojans
      • Observe network traffic
    • Look at DNS traffic
      • Domains linked to fast flux C&C
    • Network flows
      • Analyze all packets from a large ISP and use heuristics to identify botnet traffic
  • None of these methods gives a complete picture
SLIDE 22

Size of the Torpig Botnet

  • Why the disconnect between IPs and bots?
    • Dynamic IPs, short DHCP leases
  • Casts doubt on prior studies, enables more realistic estimates of botnet size
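An added example of why the two counts diverge, on constructed data rather than the Torpig study's own: a small C&C report log in which some infected hosts sit on short DHCP leases and show up from several addresses during the day, and one address is later reassigned to a different host. The bot identifiers, addresses and lease timings are all made up for the illustration.

```python
"""Unique addresses versus unique bots in a C&C log.

Added example, not the Torpig study's data or code. Counting addresses
overstates the botnet, the gap grows with the observation window, and a
per-host identifier that the bot sends with every report (Torpig bots did
this) gives the honest count.
"""
from collections import defaultdict

# Constructed C&C reports: (hour since start, bot identifier, source address).
# A and D keep one address; B changes every 6 hours and C every 8 hours;
# at hour 22 bot E reports from an address B held earlier in the day.
CC_LOG = [
    (0, "A", "192.0.2.10"), (12, "A", "192.0.2.10"),
    (0, "B", "198.51.100.5"), (6, "B", "198.51.100.9"),
    (12, "B", "198.51.100.17"), (18, "B", "198.51.100.5"),
    (0, "C", "203.0.113.40"), (8, "C", "203.0.113.41"), (16, "C", "203.0.113.42"),
    (2, "D", "192.0.2.77"), (20, "D", "192.0.2.77"),
    (22, "E", "198.51.100.5"),
]


def in_window(log, hours=None):
    """Reports seen within the first `hours` hours (all of them when None)."""
    return log if hours is None else [r for r in log if r[0] < hours]


def unique_ips(log, hours=None):
    """The naive estimate: distinct source addresses."""
    return len({ip for _, _, ip in in_window(log, hours)})


def unique_bots(log, hours=None):
    """The honest estimate: distinct bot-supplied identifiers."""
    return len({bot for _, bot, _ in in_window(log, hours)})


def ips_per_bot(log):
    """Which addresses each identifier reported from: DHCP churn shows up here."""
    seen = defaultdict(set)
    for _, bot, ip in log:
        seen[bot].add(ip)
    return dict(seen)


def shared_ips(log):
    """Addresses used by more than one bot (reassigned leases, NAT): an
    address-based count merges these into one, so it can also undercount."""
    seen = defaultdict(set)
    for _, bot, ip in log:
        seen[ip].add(bot)
    return {ip: bots for ip, bots in seen.items() if len(bots) > 1}


def estimates(log, windows=(6, 12, 24)):
    """(address count, identifier count) for increasing observation windows."""
    return {h: (unique_ips(log, h), unique_bots(log, h)) for h in windows}


if __name__ == "__main__":
    for hours, (ips, bots) in estimates(CC_LOG).items():
        print(f"first {hours:2d}h: {ips} addresses vs {bots} bots")
    print("addresses shared by several bots:", shared_ips(CC_LOG))
```

Over the first six hours the two counts agree; over the full day the address count is 8 for 5 bots, and the one reassigned lease shows the opposite error as well. A study that only has IP addresses (honeypots, DNS, flow data) has to guess at both effects; the Torpig team could count identifiers because they were the C&C.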

SLIDE 23

Other botnet activity covered in class

SLIDE 24

Joanap

  • Around since 2009
  • Windows worm downloaded on infected machines
  • Peer to peer architecture
  • Performed industrial espionage as well as more mundane activities

SLIDE 25

“Traditional” botnet

SLIDE 26

Peer to peer botnet

SLIDE 27

Peer to peer botnet

SLIDE 28

FBI takedown: peer poisoning

  • Each node has a list of connections
  • FBI node gives others a list of FBI nodes
  • FBI also contacts the Internet Service Providers of infected hosts
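An added example of the peer-poisoning mechanism on this slide, as a toy simulation; it is not Joanap's protocol or the FBI's tooling. Every bot keeps a bounded peer list and, each round, asks one random peer for a few of its peers. A sinkhole node (the “FBI node”) answers every request with nothing but sinkhole addresses. The list policy (newest entries kept, stalest evicted), the list size, the share size, the seeding fraction and the network size are all assumptions of the model.

```python
"""Peer-list poisoning in a gossip-style P2P botnet.

Added example, not the real Joanap protocol. Bots keep a bounded peer list,
oldest entry first; a received entry is appended as newest (or refreshed if
already known) and the stalest entries beyond capacity are dropped. A real
peer only hands out sinkhole addresses in proportion to how many it knows; the
sinkhole hands out nothing else, so sinkhole entries win the refresh race.
"""
import random

PEER_LIST_SIZE = 8   # assumption: entries a bot remembers
SHARE = 3            # assumption: entries returned per peer request


class GossipBotnet:
    def __init__(self, n_bots, n_sinkholes, seed=1):
        self.rng = random.Random(seed)
        self.bots = list(range(n_bots))
        self.sinkholes = list(range(n_bots, n_bots + n_sinkholes))
        # Bootstrap: each bot starts out knowing a random handful of real bots.
        self.peers = {
            b: self.rng.sample([x for x in self.bots if x != b], PEER_LIST_SIZE)
            for b in self.bots
        }

    def peer_list_of(self, node):
        """Reply to a 'send me some peers' request: SHARE entries of the node's list.
        A sinkhole replies only with sinkholes (the poisoned answer)."""
        source = self.sinkholes if node in self.sinkholes else self.peers[node]
        return self.rng.sample(source, min(SHARE, len(source)))

    def _learn(self, bot, received):
        lst = self.peers[bot]
        for p in received:
            if p == bot:
                continue
            if p in lst:
                lst.remove(p)            # already known: refresh to newest
            lst.append(p)
        del lst[:-PEER_LIST_SIZE]        # evict the stalest entries beyond capacity

    def introduce_sinkhole(self, fraction):
        """The sinkhole announces itself to a fraction of bots it found by crawling."""
        if not self.sinkholes:
            return
        for b in self.rng.sample(self.bots, int(fraction * len(self.bots))):
            self._learn(b, [self.rng.choice(self.sinkholes)])

    def gossip_round(self):
        for b in self.bots:
            target = self.rng.choice(self.peers[b])
            self._learn(b, self.peer_list_of(target))

    def cut_off_fraction(self):
        """Bots whose every peer is a sinkhole: they can no longer fetch commands
        from the real network, and since they now only ever ask sinkholes they
        never recover."""
        sink = set(self.sinkholes)
        return sum(all(p in sink for p in self.peers[b]) for b in self.bots) / len(self.bots)


def simulate(n_bots=100, n_sinkholes=PEER_LIST_SIZE, seed_fraction=0.2, rounds=60):
    """Fraction of cut-off bots after each gossip round."""
    net = GossipBotnet(n_bots, n_sinkholes)
    net.introduce_sinkhole(seed_fraction)
    history = [net.cut_off_fraction()]
    for _ in range(rounds):
        net.gossip_round()
        history.append(net.cut_off_fraction())
    return history


if __name__ == "__main__":
    for r, frac in enumerate(simulate()):
        if r % 10 == 0:
            print(f"round {r:2d}: {frac:.0%} of bots see only sinkholes")
```

Two things the model makes visible: a bot is only lost to the botmaster once its whole list is sinkholes, so the sinkhole operation needs at least as many addresses as a bot's list holds (with fewer, a real peer always survives in the leftover slots and the bot keeps a path back); and nothing in the mechanism disinfects the host, which is why the slide's second step, contacting the ISPs of the infected hosts, is still needed.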

SLIDE 29

DrainerBot

  • Mobile ad fraud bot
  • Infected SDK:
    • Hundreds of consumer Android apps
    • Blocked by the Google Play Store? Hosted on regional app stores instead
  • Mostly on cheap phones in developing nations
SLIDE 30

3ve

  • Ad fraud botnet
  • Massive infrastructure on servers, augmented by a botnet
  • Infected machines downloaded bad attachments or were infected by drive-by downloads
  • Centralized command and control center
SLIDE 31

Impression Fraud: a type of Ad Fraud

SLIDE 32

Questions

  • How do botnet operators choose what to do with the infected devices?
  • How do infected devices notice that they’re in a botnet? Are there good ways to notify them or reduce the harm they do?
  • What are the benefits of a p2p architecture? C&C?
  • Compare and contrast Mirai (that we discussed much earlier) with DrainerBot. What does this tell us about the cybercriminals behind the two?