Leveraging Honest Users: Stealth Command-and-Control of Botnets - PowerPoint PPT Presentation

Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt Thursday, August 29, 13

Summary • Motivation • Problem statement • Stealth C&C using browsers • Final remarks Thursday, August 29, 13

Motivation • Botnets continue to evolve • New strategies must be employed to avoid takedown and detection • Our objective is to explore new directions future C&C infrastructure might take Thursday, August 29, 13

Problem Statement • Create a botnet that: • Avoids infiltration, size estimation • Reduces the likelihood of detection of individual bots • Maintains Botmaster anonymity Thursday, August 29, 13

Assumptions • Pre-existing population of infected hosts • Trust anchor in the binary (public key) • Bots can receive commands from bot master through some open port Thursday, August 29, 13

Basic Architecture • No active participation from bots in a botmaster owned C&C • Bots passively listen for commands • Commands are signed by the botmaster and pushed out to all the bots Thursday, August 29, 13

Basic Architecture BM 0x72e4b76 0x72e4b76 0xc52b7d0 0xc52b7d0 0x72e4b76 0x80762b8 0x80762b8 0xc52b7d0 0xde3254e 0xde3254e 0x80762b8 0xde3254e Bots Thursday, August 29, 13

Basic Architecture • No C&C means: • no infiltration • no size estimation Thursday, August 29, 13

Problems • Command dissemination • Botmaster doesn’t know IPs of bots • Direct dissemination exposes the botmaster • Disseminating commands takes too long • Information retrieval • Bots don’t know the IP of the botmaster Thursday, August 29, 13

Command Dissemination • Expendable layer of hosts • No knowledge about the botmaster • Do the “heavy lifting” of disseminating commands for the botmaster Thursday, August 29, 13

Browsers! • Browsers were created/optimized to do large number of requests per second • Available crypto libraries in Javascript • HTML5 brings new capabilities to the table Thursday, August 29, 13

“Honest” intermediate layer Vulnerable Web App Web Users Botmaster 0x72e4b76 0x72e4b76 0xc52b7d0 0xc52b7d0 0x72e4b76 0x80762b8 0x80762b8 0xc52b7d0 0xde3254e 0xde3254e 0x80762b8 0xde3254e Bots • Botmaster deploys (or infects) website with malicious code Thursday, August 29, 13

“Honest” intermediate layer • Command dissemination is not done by botmaster • Reduces the vulnerability to detection • Visitors of the infected website propagate commands • Dissemination speed increase x #Web Users • Detecting the existence of a bot is difficult • Commands are received but not acknowledged Thursday, August 29, 13

“Honest” intermediate layer • Replaying the commands will only further spread the botmaster’s orders • Intermediate layer is expendable and can expire quickly • Once the page is closed, all traces of “infection” of the web-browser disappear • It is hard for researchers to find the original malicious page Thursday, August 29, 13

Analysis of Command Dissemination • We created Javascript PoC • Measured the number of AJAX requests per second • Used EasyXDM to bypass Same-Origin-Policy • Implemented public-key signatures for commands in Javascript Thursday, August 29, 13

Analysis of Command Dissemination • N = #bots • S = #ips in the address space • r = #requests / second a browser can make • d = #days the malicious website is active • v = #visitors per day the website receives • m = #minutes a user spends on the website Thursday, August 29, 13

Analysis of Command Dissemination • N = 150000 bots • S = 3086889768 (2^32 - Bogons) • r = 250 requests/second • d = 1day Thursday, August 29, 13

Analysis of Command Dissemination 1 0.9 0.8 Percentage of bots % 0.7 B 0.6 0.5 0.4 ● 10 minutes M ▲ 15 minutes 0.3 ■ 20 minutes 0.2 20 minutes 0.1 w/ cooperation S 0 500 5000 10,000 15,000 20,000 25,000 30,000 Number of Hosts Thursday, August 29, 13

Getting Visitors • Create malicious website • Advertise through spam email, twitter, search engine poisoning, abuse URL shortener, etc • Infect existing website: • XSS or SQL injection sufficient to get malicious code on legitimate websites • Keeping users on the websites • Tabnabbing, clickjacking Thursday, August 29, 13

Information Upstream • Botmasters want to send stolen data upstream (credit-cards, email accounts, SSN’s, etc) • Our command dissemination infrastructure isolates each bot for robustness and stealthiness, but makes it difficult to create an upstream channel Thursday, August 29, 13

Information Upstream • For spamming-only botnets a simple solution, send information encoded along with spam • All information is encrypted with the botmaster’s public key, ensuring confidentiality of data • The bot only has to do one thing: send spam Thursday, August 29, 13

Information Upstream • Does not expose the botmaster • Stealth operation • Only the botmaster can extract data from the bots Thursday, August 29, 13

Information Upstream • Botmaster creates website private/public key-pair and signs it with it’s own public key • The malicious code sent to the browsers includes this key-pair • Browsers can prove themselves as originating from a “legitimate” dissemination website Thursday, August 29, 13

Information Upstream Dissemination Website (W) Dissemination Layer Host Bot Master (bm) 1 1 2 0 x 7 2 e 4 0 b x c 7 5 6 2 b 0 7 x d 8 0 0 7 6 0 2 x b d 8 e 3 2 5 4 e Kbm, K-1 w, {Kw}K-1 bm, {C}K-1 1 bm Bot Kbm{Kw}K-1 bm, {M}K-1 2 w Thursday, August 29, 13

Information Upstream Dst IP, {C}K-1 Message M bm {Kw}K-1 bm, {M}K-1 w 0x72e4b76 0xc52b7d0 Dissemination 0x80762b8 0xde3254e Bot Layer Host M' Message M' Ack Thursday, August 29, 13

Information Upstream Dissemination Layer Host 4 3 2 1 0 0 x x 0 7 2 0 7 2 x 7 e x 7 e 2 e 0 4 b 2 0 4 b 4 x c 7 e 4 x c 7 0 x b 7 5 6 0 x b 7 5 6 c 5 6 2 b c 6 2 b 2 0 x 7 5 2 0 7 0 b 7 8 d 0 0 b 7 x 8 d 0 x d 0 7 x d 0 7 8 0 0 6 8 0 0 6 7 0 x 2 b 7 0 x 2 b 0 6 2 d e 8 0 6 2 d e 8 x d b 8 3 x d b 3 e 2 5 e 8 2 5 3 2 4 3 2 4 5 e 5 e 4 e 4 e D C B A 0 x 0 x 0 7 2 0 7 2 x 7 e x 7 e 2 0 4 b 2 0 4 b e 4 x c 7 e 4 x 7 0 x b 5 6 0 x b c 5 6 c 7 6 2 b c 7 6 2 b 5 2 0 7 5 2 0 7 0 b x 8 d 0 b x 8 d 0 x 7 d 0 7 0 x 7 d 0 8 0 0 6 8 0 0 7 6 7 0 x 2 b 7 0 x 2 b 0 6 2 d 8 0 6 2 d 8 x d b e 3 x d b e 3 e 8 2 5 e 8 2 3 2 4 3 2 5 4 5 e 5 e 4 e 4 e 3 {A}Kbm,{B}Kbm 1 N/A {A}Kbm {A}Kbm,{B} Kbm ,{C}Kbm 2 4 Command Encrypted finger Dissemination Thursday, August 29, 13

Accessing the overlay Dissemination Layer Hosts D1 D2 Encrypted finger set by D1 0 x 7 2 e 4 0 0 x b 7 x c 5 6 7 2 2 e 0 b 7 0 4 b x d x c 7 8 0 0 5 6 7 6 2 b 0 2 0 x 7 x d b 8 8 d 0 e 0 7 3 2 0 6 5 4 x 2 b e 0 d e 8 x 7 3 2 e 2 5 4 4 0 x b 7 e c 5 6 0 x 2 7 0 b 7 2 e x d 0 4 b 8 0 0 x 7 7 6 c 5 6 0 2 2 b x d b 8 0 7 e Encrypted finger x 8 d 0 3 2 0 5 4 7 6 e 0 x 2 b d 8 e 3 2 5 4 e set by D2 0 x 7 2 e 4 0 x b 7 c 5 6 2 0 b 7 x d 8 0 0 7 0 6 2 0 x d b 8 x e 7 2 3 2 e 5 0 4 b 4 e x c 7 6 5 2 b 0 x 7 d 8 0 0 7 0 6 x 2 b d e 8 3 2 5 4 e 0 x 7 2 e 0 4 x b 7 c 5 6 2 0 b 7 x 8 d 0 0 7 6 0 x 2 d b 8 e 3 2 5 4 e Bots Thursday, August 29, 13

Overlay connectivity Thursday, August 29, 13

Accessing the overlay • Botmaster randomly scans the internet until it finds one host. • Uses the encrypted fingers of this host to start crawling through the overlay. • But... Thursday, August 29, 13

Accessing the overlay 0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e 0x72e4b76 0x72e4b76 0xc52b7d0 0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e 0xc52b7d0 0x80762b8 0x80762b8 0xde3254e 0xde3254e 0x72e4b76 0xc52b7d0 0x72e4b76 0x80762b8 0xc52b7d0 0xde3254e 0x80762b8 0xde3254e 0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e 0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e 0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e BM q • Botmaster still needs to bounce through some nodes to guarantee anonymity when retrieving data Thursday, August 29, 13

Final remarks • Stealth C&C using browsers are feasible • Increasing role of browsers in the malware landscape • We should focus some IDS effort on the browsers • We aren’t good enough at detecting malicious websites Thursday, August 29, 13

Thank you Questions? diogo.monica@ist.utl.pt Thursday, August 29, 13