Leveraging Honest Users: Stealth Command-and-Control of Botnets



SLIDE 1

Leveraging Honest Users:
Stealth Command-and-Control of Botnets

Diogo Mónica
INESC-ID/IST
diogo.monica@ist.utl.pt

Thursday, August 29, 13

slide-2
SLIDE 2

Summary

  • Motivation
  • Problem statement
  • Stealth C&C using browsers
  • Final remarks

SLIDE 3

Motivation

  • Botnets continue to evolve
  • New strategies must be employed to avoid takedown and detection
  • Our objective is to explore new directions that future C&C infrastructure might take

SLIDE 4

Problem Statement

  • Create a botnet that:
    • Avoids infiltration and size estimation
    • Reduces the likelihood of detection of individual bots
    • Maintains botmaster anonymity

SLIDE 5

Assumptions

  • Pre-existing population of infected hosts
  • Trust anchor in the binary (the botmaster's public key)
  • Bots can receive commands from the botmaster through some open port

SLIDE 6

Basic Architecture

  • No active participation from bots in a botmaster-owned C&C
  • Bots passively listen for commands
  • Commands are signed by the botmaster and pushed out to all the bots

SLIDE 7

Basic Architecture

[Diagram: the botmaster (BM) pushes signed commands directly to the population of bots]

SLIDE 8

Basic Architecture

  • No botmaster-owned C&C infrastructure means:
    • no infiltration
    • no size estimation

SLIDE 9

Problems

  • Command dissemination
    • The botmaster doesn't know the IPs of the bots
    • Direct dissemination exposes the botmaster
    • Disseminating commands takes too long
  • Information retrieval
    • Bots don't know the IP of the botmaster

SLIDE 10

Command Dissemination

  • Expendable layer of hosts
    • No knowledge about the botmaster
    • Do the "heavy lifting" of disseminating commands for the botmaster

SLIDE 11

Browsers!

  • Browsers were created/optimized to make a large number of requests per second
  • Crypto libraries are available in JavaScript
  • HTML5 brings new capabilities to the table

SLIDE 12

“Honest” intermediate layer

  • Botmaster deploys (or infects) a website with malicious code

[Diagram: Botmaster → Vulnerable Web App → Web Users (running the injected code in their browsers) → Bots]

SLIDE 13

“Honest” intermediate layer

  • Command dissemination is not done by the botmaster
    • Reduces exposure to detection
  • Visitors of the infected website propagate the commands
    • Dissemination speed scales with the number of web users
  • Detecting the existence of a bot is difficult
    • Commands are received but never acknowledged

SLIDE 14

“Honest” intermediate layer

  • Replaying the commands will only further spread the botmaster's orders
  • The intermediate layer is expendable and can expire quickly
  • Once the page is closed, all traces of "infection" of the web browser disappear
    • It is hard for researchers to find the original malicious page

SLIDE 15

Analysis of Command Dissemination

  • We created a JavaScript PoC
  • Measured the number of AJAX requests per second
  • Used EasyXDM to get around the Same-Origin Policy
  • Implemented public-key signatures for commands in JavaScript

SLIDE 16

Analysis of Command Dissemination

  • N = #bots
  • S = #IPs in the address space
  • r = #requests per second a browser can make
  • d = #days the malicious website is active
  • v = #visitors per day the website receives
  • m = #minutes a user spends on the website

SLIDE 17

Analysis of Command Dissemination

  • N = 150,000 bots
  • S = 3,086,889,768 (2^32 minus bogons)
  • r = 250 requests/second
  • d = 1 day

SLIDE 18

Analysis of Command Dissemination

[Plot: percentage of bots reached (0 to 1) against number of hosts (0 to 30,000), with one curve each for visits of 10 minutes, 15 minutes, 20 minutes, and 20 minutes with cooperation between hosts]
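The dissemination model behind the plot, as an added example rather than anything from the slides: it takes the parameters of SLIDE 16 and SLIDE 17 and computes the fraction of bots that a number of visiting browsers reach in m minutes under two assumptions of mine. Either visitors scan independently at uniformly random addresses, so the reached fraction is 1 - exp(-R/S) with R the total number of requests, or they cooperate by scanning disjoint ranges, giving min(1, R/S). N, S and r are the slide's values; the host counts are the plot's x-axis; the function names are mine.

```javascript
// Added example (not from the original slides): random-scan dissemination
// model for SLIDES 16-18. Every visitor's browser fires r requests/second
// at random IPs out of S for m minutes; each request that lands on one of
// the N bots delivers the signed command.
// Assumption: independent visitors, so coverage = 1 - (1 - 1/S)^R
//             ~ 1 - exp(-R/S); "w/ cooperation" = disjoint ranges,
//             coverage = min(1, R/S). N cancels out of the fraction.

const S = 3086889768; // 2^32 minus bogons (SLIDE 17)
const N = 150000;     // bots (SLIDE 17); only needed for absolute counts
const r = 250;        // requests per second per browser (SLIDE 17)

// Total requests R made by `hosts` visitors staying `minutes` each.
function totalRequests(hosts, minutes, rps = r) {
  return hosts * minutes * 60 * rps;
}

// Expected fraction of bots reached by independent random scanning.
function coverageIndependent(hosts, minutes, space = S, rps = r) {
  return 1 - Math.exp(-totalRequests(hosts, minutes, rps) / space);
}

// Fraction reached if visitors coordinate and scan disjoint ranges.
function coverageCooperative(hosts, minutes, space = S, rps = r) {
  return Math.min(1, totalRequests(hosts, minutes, rps) / space);
}

// Visitors (at `minutes` each) needed for a target fraction, independent case.
function hostsForCoverage(fraction, minutes, space = S, rps = r) {
  const needed = -Math.log(1 - fraction) * space; // R such that 1-exp(-R/S)=fraction
  return Math.ceil(needed / (minutes * 60 * rps));
}

// The plot's x-axis points, for the 10 and 20 minute curves.
function table() {
  const rows = [];
  for (const hosts of [500, 5000, 10000, 15000, 20000, 25000, 30000]) {
    rows.push({
      hosts,
      m10: coverageIndependent(hosts, 10),
      m20: coverageIndependent(hosts, 20),
      m20coop: coverageCooperative(hosts, 20),
      bots20: Math.round(N * coverageIndependent(hosts, 20)),
    });
  }
  return rows;
}

console.table(table());
```

With 20-minute visits the independent curve needs about 7,100 visitors to reach half of the bots and 30,000 visitors reach roughly 94.6%, while the cooperative variant covers the whole space before 11,000 visitors; this is the shape of the plot's curves, and the reason the x-axis is visitors rather than bots.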

SLIDE 19

Getting Visitors

  • Create a malicious website
    • Advertise it through spam email, Twitter, search-engine poisoning, URL-shortener abuse, etc.
  • Infect an existing website
    • XSS or SQL injection is sufficient to get malicious code onto legitimate websites
  • Keep users on the website
    • Tabnabbing, clickjacking

SLIDE 20

Information Upstream

  • Botmasters want to send stolen data upstream (credit cards, email accounts, SSNs, etc.)
  • Our command dissemination infrastructure isolates each bot for robustness and stealth, but this makes it difficult to create an upstream channel

SLIDE 21

Information Upstream

  • For spamming-only botnets there is a simple solution: send the information encoded along with the spam
  • All information is encrypted with the botmaster's public key, ensuring confidentiality of the data
  • The bot only has to do one thing: send spam

SLIDE 22

Information Upstream

  • Does not expose the botmaster
  • Stealth operation
  • Only the botmaster can extract data from the bots

SLIDE 23

Information Upstream

  • The botmaster creates a private/public key pair for the website and signs the website's public key with its own private key (the bots hold the botmaster's public key as trust anchor)
  • The malicious code sent to the browsers includes this key pair, so it is as expendable as the website itself
  • Browsers can thus prove that they originate from a "legitimate" dissemination website

SLIDE 24

Information Upstream

[Diagram: (1) the botmaster (bm) hands the dissemination website W the botmaster public key Kbm, the website private key K-1w, the certified website public key {Kw}K-1bm and the signed command {C}K-1bm; (2) a dissemination-layer host, running the website's code in a visitor's browser, sends a bot {Kw}K-1bm and {M}K-1w, which the bot verifies against the Kbm embedded in its binary]

SLIDE 25

Information Upstream

[Sequence diagram between a dissemination-layer host and a bot: message M carries the destination IP and the signed command {C}K-1bm; message M' carries {Kw}K-1bm and {M}K-1w; the bot acknowledges M']

SLIDE 26

Information Upstream

[Diagram: encrypted fingers. A dissemination-layer host visits bots A, B, C and D in order (steps 1 to 4) and leaves on each bot the addresses of the bots visited before it, encrypted with the botmaster's public key: A receives none, B receives {A}Kbm, C receives {A}Kbm, {B}Kbm, and D receives {A}Kbm, {B}Kbm, {C}Kbm]

SLIDE 27

Accessing the overlay

[Diagram: two dissemination-layer hosts, D1 and D2, each leave their own set of encrypted fingers on the bots they visit, so the bot population is linked by fingers only the botmaster can decrypt]

SLIDE 28

Overlay connectivity

SLIDE 29

Accessing the overlay

  • The botmaster randomly scans the internet until it finds one host
  • Uses the encrypted fingers of this host to start crawling through the overlay
  • But...

SLIDE 30

Accessing the overlay

[Diagram: the botmaster (BM) queries one bot (q) and follows its fingers through the rest of the population]

  • The botmaster still needs to bounce through some nodes to guarantee anonymity when retrieving data

SLIDE 31

Final remarks

  • Stealth C&C using browsers is feasible
  • Browsers play an increasing role in the malware landscape
  • We should focus some IDS effort on the browsers
  • We aren't good enough at detecting malicious websites

SLIDE 32

Thank you

Questions?

diogo.monica@ist.utl.pt
