Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
- 1. Your Botnet is My Botnet: Analysis of a Botnet Takeover
Paper by Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Presented by Sandeep Inampudi & Jishnu Pradeep
- 2. Overview
Introduction
Domain flux
Taking control of the Botnet
Botnet analysis
Threats and data analysis
Conclusion
Some additional contents
Discussion
- 3. Botnets
A Botnet is a collection of software agents, or robots that run
autonomously and automatically. The term is most
commonly associated with malicious software.
Main motivation: recognition and financial gain.
Bot controller can ‘rent’ services of the botnet to third
parties
- 4. Purpose of Botnets
Botnets are the primary means for cyber-criminals to carry out their nefarious tasks:
DDoS attacks
Stealing credentials
Spamming
Spreading malware
Manipulating polls/clicks
- 6. C&C Structure
The two main types of command and control structures used
by botnets:
Centralized mechanism (IRC Protocol)
Decentralized (P2P) mechanism
- 7. Studying Botnets
Two approaches:
1. Passive analysis - Study of secondary effects that are caused by the activity of compromised machines.
Collected spam mails that were likely sent by bots
Measurements focused on DNS queries
Analyzed network traffic at the tier-1 ISP level
- 8. Studying Botnets (cont.)
2. Active approach - Study botnets via infiltration.
Using an actual malware sample or a client simulating a bot, researchers join a botnet (as a client) to perform analysis from the inside.
To achieve this, honeypots, honey clients, or spam traps are used to obtain a copy of the malware.
- 9. Attackers have unfortunately adapted:
Most current botnets use stripped-down IRC or HTTP
servers as their centralized command and control
What can be done now?
Answer: Hijack the system
Directly seize the physical machines that host the
C&C infrastructure.
Collaborating with domain registrars, it is possible
to change the mapping of a botnet domain to
point to a machine controlled by the defender.
- 10. TORPIG Botnet
“One of the most advanced pieces of crimeware ever created”
Also known as Sinowal or Anserin
Development began in 2005
By November 2008, Torpig had stolen the details of about
500,000 online bank accounts + credit/debit cards.
Highly sophisticated + Complex infrastructure
- 11. Functions of TORPIG
Trojan Horse
Injects itself into 29 different applications as a DLL
Steals sensitive information such as passwords and HTTP POST data
HTTP injection for phishing
Uses 'encrypted' HTTP as its C&C protocol
Uses Domain Flux to locate the C&C server
- 12. How is it distributed?
Torpig has been distributed to its victims as part of Mebroot.
Mebroot is a rootkit that takes control of a machine by replacing the system's Master Boot Record (MBR).
It executes at boot time, before the operating system is loaded, which lets it remain undetected by most anti-virus tools.
Mebroot is spread via drive-by-download.
- 13. How Torpig Distributes and Gets Data
(Diagram; only its labels survive.) Actors: 'hacked' web servers, an innocent victim, a drive-by-download server, the Mebroot C&C, the Torpig C&C, and the injection server.
Labelled flows: an <iframe> on a hacked web server leads the victim to the drive-by-download server, which serves the Mebroot download; the Torpig C&C supplies config files and receives the stolen data.
- 14. Torpig HTML Injection
Domains of interest (~300) are stored in the config file.
When a domain of interest is visited:
• A request is issued to the injection server
• The server specifies a trigger page on the target domain
When the trigger page is visited:
• The injection URL is requested from the injection server.
• The returned content is injected into the user's browser.
The content usually asks for sensitive data and reproduces the look and feel of the legitimate site.
- 15. Man-in-the-browser Attack
Same as man-in-the-middle attack, but a Trojan Horse is used to
intercept and manipulate calls between the browser and its security
mechanisms.
- 17. Communication between Master and Bots
A botnet must keep in contact with its botmaster to be useful.
The botmaster must coordinate with its bots to be efficient.
Hardcoding domains and IPs in bots = bad idea
FAST FLUXING
A way to make these schemes more flexible and robust.
Bots query a certain domain that is mapped onto a set of IP addresses, which change frequently.
- 19. Domain flux
Have the bots use an algorithm to generate the domains to use on a daily/weekly basis.
This is called a Domain Generation Algorithm (DGA).
If a domain is blocked, the bot simply rolls over to the next domain in the list.
- 20. Torpig's DGA
Each bot has the same DGA
Seeded by the current date
It generates:
Weekly domain (dw): dw.net / dw.com / dw.biz
Daily domain (dd): dd.net / dd.org
If both fail, it selects one of 3 hard-coded domains from the C&C config file.
- 21. Taking Control of the Botnet
SINKHOLING: A technique that redirects bots looking up the malicious server to a server the defender controls.
Process:
1. Reverse engineered the name generation algorithm and the C&C protocol.
2. Bought two domain names to be used by the bots (.com/.net).
3. Purchased hosting space from 2 providers.
4. Set up Apache web servers to receive bot requests.
5. Recorded all traffic.
6. Downloaded and removed the data from the hosting providers.
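To make the rollover order of slide 20 and the registration arithmetic behind step 2 concrete, here is an added example (not the paper's or Torpig's code): a hypothetical date-seeded generator stands in for the reverse-engineered one, and the fallback list and the capture start date are assumed values.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical stand-in for the reverse-engineered generator: any deterministic
# function of the date is enough to demonstrate the rollover and the arithmetic.
def _label(seed: str) -> str:
    n = int(hashlib.sha256(seed.encode()).hexdigest(), 16)
    return "".join(chr(ord("a") + (n >> (5 * i)) % 26) for i in range(8))

def weekly_domain(day: date) -> str:
    """dw: the same name for every day of one Monday-based week."""
    monday = day - timedelta(days=day.weekday())
    return _label("weekly:" + monday.isoformat())

def daily_domain(day: date) -> str:
    """dd: a fresh name every day."""
    return _label("daily:" + day.isoformat())

# Stand-in for the three hard-coded domains in the C&C config file (constructed).
HARDCODED = ["fallback1.example", "fallback2.example", "fallback3.example"]

def rendezvous_order(day: date, hardcoded=HARDCODED) -> list:
    """Names a bot tries in sequence on `day`: weekly TLDs, daily TLDs, then the
    hard-coded fallbacks. Blocking one name only advances the bot to the next."""
    dw, dd = weekly_domain(day), daily_domain(day)
    return [f"{dw}.net", f"{dw}.com", f"{dw}.biz",
            f"{dd}.net", f"{dd}.org"] + list(hardcoded)

def sinkhole_registrations(start: date, days: int) -> list:
    """Weekly .com/.net names a sinkhole must hold so that it is the first
    resolvable name on every day in [start, start + days): one pair per week."""
    names = []
    for offset in range(days):
        dw = weekly_domain(start + timedelta(days=offset))
        for tld in (".com", ".net"):
            if dw + tld not in names:
                names.append(dw + tld)
    return names

if __name__ == "__main__":
    capture_start = date(2009, 1, 25)  # assumed first day of a 10-day window
    print(rendezvous_order(capture_start))
    # A Sunday start plus 10 days touches three weeks, so six names are needed.
    print(sinkhole_registrations(capture_start, 10))
```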
- 22. Result
Controlled the Botnet for 10 days
After that, Mebroot (unfortunately) pushed a new binary.
Also a domain was suspended 6 days into the attack due
to abuse complaint.
Data:
8.7 GB Apache Logs
69 GB pcap data (with stolen information)
- 23. Two principles to protect victims
PRINCIPLE 1: The sinkholed botnet should be
operated so that any harm and/or damage to victims
and targets of attacks would be minimized.
PRINCIPLE 2: The sinkholed botnet should collect
enough information to enable notification and
remediation of affected parties.
- 24. Torpig's data transmission explained:
The collected data is transferred via the HTTP POST method.
The URL contains a bot identifier (ID) and a submission header.
The body of the POST request contains the stolen data.
Both are XOR-encrypted and then Base64-encoded.
- 25. The submission header contains the information about
the bot from which the information is collected.
Timestamp
IP
sport (SOCKS proxy)
hport (HTTP proxy)
os (operating system)
cn (country name)
nid (node id)
bld (build)
ver (version)
- 27. Torpig's stolen data analysis
Torpig steals your email clients' credentials, email address lists, form data you submit to web pages, your Windows passwords and more.
Counts of data items received at the sinkhole (the row labels of this table did not survive extraction): 54,090; 1,258,862; 11,966,532; 411,039; 12,307; 415,206; 100,472; 1,235,122
- 28. Botnet sizing – The problems:
Calculating a botnet’s size is a difficult task
Why not just count the IP addresses?
Many computers are behind a NAT (network address
translation)
DHCP might assign you a new IP when you log off
- 29. Botnet sizing – Torpig
Unique values in the submission header are used to determine the size.
nid, the node id, is a value derived from the hard drive's serial number.
The combination (nid, os, cn, bld, ver) is used to identify individual bots and thereby estimate the size of the Torpig botnet.
- 30. Botnet sizing (cont.)
As a reference point, between January 25, 2009 and February 4, 2009, 180,835 nid values were observed.
After subtracting probers and researchers, the authors' final estimate of the botnet's footprint is 182,800 hosts.
By contrast, 1,247,642 unique IPs were seen, which would be an overestimate.
- 31. Botnet size vs. IP count
New IPs per hour:
● after an initial spike, a consistent diurnal pattern
● averaging 4,690 new IPs per hour
New bots per hour:
● after an initial spike, a rapid drop-off
● averaging 705 new bots per hour
- 32. Cumulative IPs and bots per hour
● The cumulative number of new IPs increased linearly
● The cumulative number of new bots flattened out quickly
- 33. Using IP addresses to size Torpig:
● The number of unique bots per hour and the number of unique IPs per hour are nearly identical
● The number of unique bots per day does not reflect the number of unique IPs per day
This difference is a consequence of the bots contacting the C&C every 20 minutes, which occurs more frequently than the rate of DHCP churn.
- 34. Observing DHCP churn
DHCP IP allocation is dynamic
Not guaranteed to get the same IP
DHCP churn factor: how many IPs each host received
throughout the 10 day period
In one instance, a single host changed IP address 694
times in this period.
- 36. New infections
Recall that the submission header contained a timestamp.
Counting the bots that reported a timestamp of 0 identifies newly infected machines.
49,294 new infections over the research period.
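The sizing rules of slides 29, 30, 34 and 36 applied to a handful of constructed submission-header records (an added example, not the authors' tooling; the field names follow slide 25, every value is made up):

```python
from collections import defaultdict

# Constructed sample of submission-header fields (ts, ip, os, cn, nid, bld, ver)
# as a sinkhole would log them; all values are invented for illustration.
RECORDS = [
    {"ts": 0,          "ip": "198.51.100.10", "os": "5.1", "cn": "US", "nid": "a1", "bld": "gnh1",  "ver": "1"},
    {"ts": 1232884800, "ip": "198.51.100.11", "os": "5.1", "cn": "US", "nid": "a1", "bld": "gnh1",  "ver": "1"},
    {"ts": 1232885000, "ip": "198.51.100.12", "os": "5.1", "cn": "US", "nid": "a1", "bld": "gnh1",  "ver": "1"},
    {"ts": 1232884900, "ip": "203.0.113.5",   "os": "5.1", "cn": "IT", "nid": "b2", "bld": "eagle", "ver": "1"},
    {"ts": 1232886000, "ip": "203.0.113.5",   "os": "5.1", "cn": "IT", "nid": "b2", "bld": "eagle", "ver": "1"},
    {"ts": 0,          "ip": "203.0.113.5",   "os": "6.0", "cn": "IT", "nid": "b2", "bld": "eagle", "ver": "1"},
    {"ts": 1232887000, "ip": "192.0.2.77",    "os": "5.1", "cn": "DE", "nid": "c3", "bld": "zipp",  "ver": "1"},
]

def bot_key(rec):
    """Identity tuple the paper uses instead of the source IP address."""
    return (rec["nid"], rec["os"], rec["cn"], rec["bld"], rec["ver"])

def unique_ips(records):
    """The naive size estimate: distinct source IPs."""
    return len({r["ip"] for r in records})

def footprint(records):
    """Distinct bots: a NAT no longer merges hosts and DHCP no longer splits them."""
    return len({bot_key(r) for r in records})

def dhcp_churn(records):
    """Distinct IPs seen per bot over the capture (the paper's churn factor)."""
    seen = defaultdict(set)
    for r in records:
        seen[bot_key(r)].add(r["ip"])
    return {key: len(ips) for key, ips in seen.items()}

def new_infections(records):
    """Bots that reported timestamp 0, i.e. had no configuration file yet."""
    return len({bot_key(r) for r in records if r["ts"] == 0})

if __name__ == "__main__":
    print("unique IPs:     ", unique_ips(RECORDS))                 # 5
    print("footprint:      ", footprint(RECORDS))                  # 4
    print("max DHCP churn: ", max(dhcp_churn(RECORDS).values()))   # 3
    print("new infections: ", new_infections(RECORDS))             # 2
```

Host a1 alone accounts for three of the five IPs, while the two bots behind 203.0.113.5 share one; the IP count and the footprint therefore disagree in both directions.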
- 37. Botnet as a service
Recall that the submission header has a build field
The researchers believe this field corresponds to a
customer id
12 different values for bld during the study
dxtrbc, eagle, gnh1, gnh2, gnh3, gnh4, gnh5, grey, grobin, grobin1, mentat, and zipp
- 38. Financial data theft
In just the 10 days of study, Torpig stole 8,310 accounts from 410 different institutions.
Top institutions by number of accounts:
  PayPal           1,770
  Poste Italiane     765
  Capital One        314
  E*Trade            304
  Chase              217
Accounts by country (country, institutions, accounts):
  US       60   4,287
  IT       34   1,459
  DE      122     641
  ES       18     228
  PL       14     102
  Other   162   1,593
  Total   410   8,310
- 39. The money involved
1,600 unique credit and debit card numbers were obtained during the study.
Quantifying the net money on all the cards was uncertain.
Cards by type: MasterCard 447, Visa 1,056, American Express 81, Maestro 36, Discover 24.
- 40. The money involved (cont.)
According to Symantec’s estimated rates in the black
market for cards and accounts, the controllers might
have earned $83K to $8.3M
New data was continuously stolen and reported by the
bots during the 10 day period
- 41. Potential for DDoS
During peak intervals, there were around 70,000 live hosts on Torpig.
Conservative estimate of 435 kbps upstream bandwidth for each host.
Roughly 17 Gbps of bandwidth available to the botmasters.
- 42. Privacy:
Web mail, web chats and forum messages
250 characters or longer on average
1. 14% about jobs/resumes
2. 7% about money
3. 6% sports fans
4. 5% about exams and worry about exams
5. 10% specifically mention security and think their machines are clean
- 43. Password analysis
Torpig stole 297,962 unique
credentials
Researchers found that 28% of
victims reused credentials for
368,501 websites
Strength test:
Created a UNIX like password
file for unique passwords (about
174,000 of them)
Fed into John the Ripper
Cracked around 100,000
passwords in 24 hours
- 44. Conclusions:
Unique opportunity to understand the profits and characteristics of botnets
Previous estimates based on IP counts can be overestimates
Botnet victims are users with poorly maintained machines and weak passwords
People should treat their computers as just another physical possession
The authors worked with many parties, such as the FBI, banks and ISPs
Finally, botnets are an arms race between the defenders and the botmasters. It will continue, with new trends always emerging.
- 45. Additional Reading
Your computer is now stoned (…again!)
Analysis of Sinowal
Kraken Botnet Infiltration
A Foray into Conficker’s Logic and Rendezvous points
- 46. Discussion
1. What should users do to prevent the theft of their data?
2. Can the study be used to research the behavior of botmasters under different situations?
3. What are the solutions for removing these infections from the affected computers, or for taking them out of the bot network?
4. Is the botnet takeover approach used by the authors reusable or reproducible? If not, which part is not?
5. Can SDN help in developing countermeasures against botnets?
6. How effective is domain blacklisting in stopping such botnets?
7. Torpig is said to be targeting the Windows operating system mostly. Why do you think they are doing so? Can Torpig target other OSes too?
8. How is botnet size being computed today?
9. Do you think that it was ethical to read or mine emails, even if it was done with the intention of helping victims?