Your Botnet is My Botnet:
Analysis of a Botnet Takeover
Presented by
Sandeep Inampudi & Jishnu Pradeep
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin
Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Overview
 Introduction
 Domain flux
 Taking control of the Botnet
 Botnet analysis
 Threats and data analysis
 Conclusion
 Some additional contents
 Discussion
Botnets
A botnet is a collection of software agents, or robots, that run
autonomously and automatically. The term is most
commonly associated with malicious software.
 Main motivation: recognition and financial gain.
 Bot controller can ‘rent’ services of the botnet to third
parties
Purpose of Botnets
 Botnets are the primary means for cyber-criminals to carry
out their nefarious tasks
 DDOS attacks
 Stealing credentials
 Spamming
 Spreading malware
 Manipulating polls/clicks
How does a Botnet work?
C&C Structure
The two main types of command and control structures used
by botnets:
 Centralized mechanism (IRC Protocol)
 Decentralized (P2P) mechanism
Studying Botnets
Two approaches:
1. Passive analysis - Study of secondary effects
that are caused by the activity of compromised
machines.
 Collected spam mails that were likely sent by bots
 Measurements focused on DNS queries
 Analyzed network traffic at the tier-1 ISP level
Studying Botnets
2. Active approach - Study botnets via
infiltration.
 Using an actual malware sample or a client
simulating a bot, researchers join a botnet (as a
client) to perform analysis from the inside.
 To achieve this, honeypots, honey clients, or spam
traps are used to obtain a copy of the malware
 Attackers have unfortunately adapted:
Most current botnets use stripped-down IRC or HTTP
servers as their centralized command and control
What can be done now?
Answer: Hijack the system
 Directly seize the physical machines that host the
C&C infrastructure.
 Collaborating with domain registrars, it is possible
to change the mapping of a botnet domain to
point to a machine controlled by the defender.
TORPIG Botnet
“One of the most advanced pieces of crimeware ever created”
 Also known as Sinowal or Anserin
 Development began in 2005
 By November 2008, Torpig had stolen the details of about
500,000 online bank accounts + credit/debit cards.
 Highly sophisticated + Complex infrastructure
Functions of TORPIG
Trojan Horse
 Injects itself into 29 different applications as DLL
 Steals sensitive information such as passwords + HTTP
Post Data
 HTTP Injection for phishing
 Uses ‘encrypted’ HTTP as C&C Protocol
 Uses Domain Flux to locate C&C Server
How is it distributed?
 Torpig has been distributed to its victims as part
of Mebroot.
 A Rootkit that takes control of a machine by replacing
the system’s Master Boot Record (MBR).
 It executes at boot time, before the operating system
is loaded, and so remains undetected by most anti-virus
tools.
Mebroot is spread via drive-by-download.
HOW TORPIG DISTRIBUTES AND GETS DATA
(Diagram; components as labelled on the slide: ‘hacked’ web servers carrying an <iframe>, the drive-by-download server, the innocent victim, the Mebroot download, the Mebroot C&C, the Torpig C&C exchanging stolen data and config. files, and the injection server.)
Torpig HTML Injection
Domains of interest (~300) are stored in the config file.
 When domain of interest visited:
• Request is issued to injection server
• Server specifies a trigger page on target domain
 When triggered page is visited:
• Injection URL is requested from injection server.
• Returned content injected to user’s browser.
Content usually asks for sensitive data and reproduces look
and feel of legit site.
Man-in-the-browser Attack
Same as man-in-the-middle attack, but a Trojan Horse is used to
intercept and manipulate calls between the browser and its security
mechanisms.
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Communication b/w Master and Bots
 A botnet should keep in contact with the botmaster to be useful.
 The botmaster must coordinate with its bots to be efficient.
 Hardcoding domains and IPs in bots = bad idea
FAST FLUXING
 Way to make these schemes more flexible and robust.
 Bots would query a certain domain that is mapped onto a set
of IP addresses, which change frequently.
Fast Fluxing
Disadvantage: single point of failure
Torpig solves this issue through…
Domain flux
 Have the bots use an algorithm to generate
domains to use on a daily/weekly basis.
 This will be called Domain Generation
Algorithm
 If a domain is blocked? The bot simply rolls
over to the following domain in the list.
Torpig’s DGA
 Each bot has same DGA
 Seeded by current date
It Generates:
 Weekly Domain (dw)
(dw.net / dw.com / dw.biz)
 Daily Domain (dd)
(dd.net / dd.org)
 If both fail, the bot selects one of 3 hard-coded domains
from the C&C config file.
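As an added illustration (not the paper's code and not Torpig's actual algorithm, whose details the slides do not give), a hypothetical date-seeded DGA with the shape described above: a weekly domain tried under .net/.com/.biz, a daily domain under .net/.org, then three hard-coded fallbacks, plus the defender-side step of pre-enumerating the coming domains so they can be sinkholed or blocklisted. The label derivation, the .example fallbacks and the date range are constructed for the example.

```python
import hashlib
from datetime import date, timedelta
from typing import Callable, List, Optional

# Constructed stand-in values; Torpig's real fallback domains are not on the slides.
HARDCODED_FALLBACKS = ("fallback-a.example", "fallback-b.example", "fallback-c.example")


def _label(seed: str, length: int = 8) -> str:
    """Derive a deterministic lowercase label from a seed string (hypothetical scheme)."""
    digest = hashlib.sha256(seed.encode("utf-8")).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])


def weekly_domains(day: date) -> List[str]:
    """dw: one label per ISO week, tried under .net, .com and .biz in that order."""
    year, week, _ = day.isocalendar()
    dw = _label(f"w-{year}-{week}")
    return [f"{dw}.net", f"{dw}.com", f"{dw}.biz"]


def daily_domains(day: date) -> List[str]:
    """dd: one label per calendar day, tried under .net and .org."""
    dd = _label(f"d-{day.isoformat()}")
    return [f"{dd}.net", f"{dd}.org"]


def candidate_list(day: date) -> List[str]:
    """Ordered rollover list a bot walks on a given day: weekly, daily, then fallbacks."""
    return weekly_domains(day) + daily_domains(day) + list(HARDCODED_FALLBACKS)


def resolve_c2(day: date, reachable: Callable[[str], bool]) -> Optional[str]:
    """Bot-side rollover: the first candidate that answers wins. A blocked domain is
    simply skipped, which is why taking down a single domain does not stop the botnet."""
    for dom in candidate_list(day):
        if reachable(dom):
            return dom
    return None


def defender_domains(start: date, days: int) -> List[str]:
    """Defender side: with the DGA reversed, enumerate every generated domain for a
    date range so it can be registered (sinkholed) or blocklisted before the bots
    roll over to it. Fixed fallbacks are not generated, so they are left out here."""
    seen: List[str] = []
    for i in range(days):
        day = start + timedelta(days=i)
        for dom in weekly_domains(day) + daily_domains(day):
            if dom not in seen:
                seen.append(dom)
    return seen


def demo() -> dict:
    """Walk the scheme for one ISO week, Jan 26 to Feb 1 2009 (constructed scenario)."""
    mon, tue = date(2009, 1, 26), date(2009, 1, 27)
    blocked = set(weekly_domains(mon))  # suppose the weekly domains were taken down
    return {
        "candidates": candidate_list(mon),
        "same_week_shares_dw": weekly_domains(mon) == weekly_domains(tue),
        "daily_differs": daily_domains(mon) != daily_domains(tue),
        # bot rolls over to the daily .net domain once the weekly ones are blocked
        "after_weekly_blocked": resolve_c2(
            mon, lambda d: d not in blocked and not d.endswith(".example")),
        "nothing_reachable": resolve_c2(mon, lambda d: False),
        "week_of_domains": defender_domains(mon, 7),  # 3 weekly + 7 * 2 daily
    }
```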
Taking Control of Botnet
SINKHOLING: Technique used to redirect the identification of the
malicious server to one's own server.
Process:
1. Reverse engineered the name generation algorithm and C&C protocol.
2. Bought two domain names to be used by the bots (.com/.net).
3. Purchased hosting space from 2 providers.
4. Set up Apache web servers to receive bot requests.
5. Recorded all traffic.
6. Downloaded and removed the data from the hosting provider.
Result
 Controlled the Botnet for 10 days
 After that, Mebroot (unfortunately) pushed a new binary.
 Also a domain was suspended 6 days into the attack due
to abuse complaint.
 Data:
 8.7 GB Apache Logs
 69 GB pcap data (with stolen information)
Two principles to protect
victims
 PRINCIPLE 1: The sinkholed botnet should be
operated so that any harm and/or damage to victims
and targets of attacks would be minimized.
 PRINCIPLE 2: The sinkholed botnet should collect
enough information to enable notification and
remediation of affected parties.
Torpig’s data transmission explained:
 The collected data is transferred via HTTP POST
method
 The URL contains a bot identifier ID and Submission
header.
 The body of the post request contains the stolen data.
 Both of these are ‘encrypted’ with Base64 and XOR.
 The submission header contains the information about
the bot from which the information is collected.
 Timestamp
 IP
 sport (SOCKS proxy)
 hport (HTTP proxy)
 os (operating system)
 cn (country name)
 nid (node id)
 bld (build)
 ver (version)
Torpig’s stolen data analysis
 Torpig steals your email clients’ credentials, email
address list, form data you submit to webpages, your
windows passwords and more
(Table: counts of stolen data items by type; the row labels were not preserved in this export. Values: 54,090; 1,258,862; 11,966,532; 411,039; 12,307; 415,206; 100,472; 1,235,122)
Botnet sizing – The problems:
 Calculating a botnet’s size is a difficult task
 Why not just count the IP addresses?
 Many computers are behind a NAT (network address
translation)
 DHCP might assign you a new IP when you log off
Botnet sizing – Torpig
 By using some unique values in the
submission header to determine the size
 nid, node id is a value based on your hard
drive’s serial number
 We use the combination of nid, os, cn, bld,
ver to identify and find the size of the torpig
botnet.
(nid, os, cn, bld, ver)
Botnet sizing (cont.)
 As a reference point, between Jan 25, 2009
and February 4, 2009, 180,835 nid values
were observed.
 After subtracting probers and researchers,
our final estimate of the botnet’s footprint is
182,800 hosts.
 Whereas the count of unique IPs was 1,247,642, which would be
an overestimation
Botnet size vs. IP count
IP addresses:
● after initial spike, consistent diurnal pattern
● averaging 4690 new IPs per hour
Bots:
● after initial spike, rapid drop-off
● averaging 705 new bots per hour
Cumulative IPs and bots per
hour
● Number of cumulative new IPs increased linearly
● Number of cumulative bots decayed quickly
Using IP addresses to size
Torpig:
● Number of unique bot IPs per hour and number of unique IPs per hour
are nearly identical
● Number of unique bot IPs per day does not reflect the number of unique
IPs per day
This difference is a consequence of the bots contacting the C&C every 20
minutes, which occurs more frequently than the rate of DHCP churn
Observing DHCP churn
 DHCP IP allocation is dynamic
 Not guaranteed to get the same IP
 DHCP churn factor: how many IPs each host received
throughout the 10 day period
 In one instance, a single host changed IP address 694
times in this period.
Infected hosts distribution:
New infections
 Recall that the submission
header contained a timestamp
 Counting the bots whose timestamp was 0 gives
the number of new bots
 49,294 new infections over the
research period
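The sizing method of the previous slides (unique (nid, os, cn, bld, ver) tuples versus unique IPs, exclusion of probers, per-host DHCP churn, and new infections from timestamp 0), worked as an added example over a few constructed submission-header records. This is not the paper's code; the records, IPs and nid values are made up, and the only page values used are the twelve bld strings.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# The twelve bld values the slides list; a header carrying any other build is treated
# as a prober or researcher and excluded, as the footprint estimate requires.
KNOWN_BUILDS = {"dxtrbc", "eagle", "gnh1", "gnh2", "gnh3", "gnh4", "gnh5",
                "grey", "grobin", "grobin1", "mentat", "zipp"}

# Constructed submission-header records (not real Torpig data). ts is the bot's
# timestamp (0 on its first ever report); the other keys mirror the header fields.
RECORDS: List[dict] = [
    {"ts": 1232928000, "ip": "203.0.113.10", "os": "5.1", "cn": "US", "nid": "A1", "bld": "gnh1", "ver": "1"},
    {"ts": 1232929200, "ip": "203.0.113.11", "os": "5.1", "cn": "US", "nid": "A1", "bld": "gnh1", "ver": "1"},
    {"ts": 1232930400, "ip": "203.0.113.12", "os": "5.1", "cn": "US", "nid": "A1", "bld": "gnh1", "ver": "1"},
    {"ts": 1232928000, "ip": "198.51.100.5", "os": "5.1", "cn": "IT", "nid": "B2", "bld": "eagle", "ver": "1"},
    {"ts": 1232928000, "ip": "198.51.100.5", "os": "6.0", "cn": "IT", "nid": "C3", "bld": "eagle", "ver": "1"},
    {"ts": 0,          "ip": "192.0.2.77",   "os": "5.1", "cn": "DE", "nid": "D4", "bld": "zipp", "ver": "2"},
    {"ts": 1232931600, "ip": "192.0.2.77",   "os": "5.1", "cn": "DE", "nid": "D4", "bld": "zipp", "ver": "2"},
    {"ts": 0,          "ip": "192.0.2.200",  "os": "5.1", "cn": "US", "nid": "P9", "bld": "probe", "ver": "1"},
]

BotKey = Tuple[str, str, str, str, str]


def bot_key(rec: dict) -> BotKey:
    """The (nid, os, cn, bld, ver) tuple the slides use to identify one infected host."""
    return (rec["nid"], rec["os"], rec["cn"], rec["bld"], rec["ver"])


def genuine(records: List[dict]) -> List[dict]:
    """Drop records whose build is not one of the known customer builds (probers)."""
    return [r for r in records if r["bld"] in KNOWN_BUILDS]


def unique_ips(records: List[dict]) -> int:
    """Naive estimate: distinct source IPs (inflated by DHCP churn, deflated by NAT)."""
    return len({r["ip"] for r in records})


def footprint(records: List[dict]) -> int:
    """Header-based footprint: distinct bot keys among genuine records."""
    return len({bot_key(r) for r in genuine(records)})


def dhcp_churn(records: List[dict]) -> Dict[BotKey, int]:
    """Churn factor per host: how many distinct IPs each bot reported from."""
    ips = defaultdict(set)
    for r in genuine(records):
        ips[bot_key(r)].add(r["ip"])
    return {k: len(v) for k, v in ips.items()}


def new_infections(records: List[dict]) -> int:
    """Hosts whose report carried timestamp 0, i.e. infected during the window."""
    return len({bot_key(r) for r in genuine(records) if r["ts"] == 0})


def nat_shared_ips(records: List[dict]) -> Dict[str, int]:
    """IPs behind which more than one distinct bot reported (NAT hides hosts)."""
    bots = defaultdict(set)
    for r in genuine(records):
        bots[r["ip"]].add(bot_key(r))
    return {ip: len(b) for ip, b in bots.items() if len(b) > 1}
```

On these eight records the IP count (6) overstates the four genuine hosts by two churned addresses plus the prober, while the NAT'ed pair B2/C3 would have collapsed to one host under an IP-only count.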
Botnet as a service
 Recall that the submission header has a build field
 The researchers believe this field corresponds to a
customer id
 12 different values for bld during the study
dxtrbc, eagle, gnh1, gnh2, gnh3, gnh4, gnh5, grey, grobin, grobin1, mentat, and zipp
Financial data theft
 In just the 10 days of study, Torpig stole 8,310 accounts
from 410 different institutions
Institution        Number of accounts
PayPal                          1,770
Poste Italiane                    765
Capital One                       314
E*Trade                           304
Chase                             217

Country   Institutions   Accounts
US                  60      4,287
IT                  34      1,459
DE                 122        641
ES                  18        228
PL                  14        102
Other              162      1,593
Total              410      8,310
The money involved
 1,600 unique credit and debit card numbers were
obtained during the study
 Quantifying the net money on all the cards was
uncertain
Cards by brand: MasterCard 447; Visa 1,056; American Express 81; Maestro 36; Discover 24
The money involved (cont.)
 According to Symantec’s estimated rates in the black
market for cards and accounts, the controllers might
have earned $83K to $8.3M
 New data was continuously stolen and reported by the
bots during the 10 day period
Potential for DDOS
 During peak intervals, there were around 70,000 live
hosts on torpig
 Conservative estimate of 435 kbps upstream bandwidth
for each host
 Roughly 17 Gbps of bandwidth available to botmasters
Privacy:
 Web mail, web chats and forum messages
 250 charecters or longer on average
1. 14% about jobs/resumes
2. 7% about money and stuff
3. 6% sports fans
4. 5% about exams and worry for exams
5. 10% specifically mention security and think they are
clean
Password analysis
 Torpig stole 297,962 unique
credentials
 Researchers found that 28% of
victims reused credentials for
368,501 websites
 Strength test:
 Created a UNIX like password
file for unique passwords (about
174,000 of them)
 Fed into John the Ripper
 Cracked around 100,000
passwords in 24 hours
Conclusions:
 Unique opportunity to understand profits and
characteristics of botnets
 Previous estimation by IPs can be an overestimation
 Botnet victims are users with poorly maintained
machines and with weak passwords
 People should think of their computers as just another
physical possession
 They worked with a lot of people, like the FBI, banks and ISPs
 Finally, botnets are an arms race between the
defenders and the bot masters; it will continue with
new trends always
Additional Reading
 Your computer is now stoned (…again!)
 Analysis of Sinowal
 Kraken Botnet Infiltration
 A Foray into Conficker’s Logic and Rendezvous points
Discussion
1. What should the users do to prevent their data theft?
2. Can the study be used to research the behavior of botmasters under different
situations?
3. Solutions to remove these from the affected computers / out of the bot network?
4. Is the botnet takeover approach used by the authors reusable or reproducible? If
not, which part is not?
5. Can SDN help in developing countermeasures against botnets?
6. How effective is domain blacklisting in stopping such botnets?
7. Torpig is said to be targeting the Windows operating system mostly. Why do you think
they are doing so? Can Torpig target other OSes too?
8. How is botnet size being computed today?
9. Do you think that it was ethical to read or mine emails, even if it was done with the
intention of helping victims?
Thank You
