Botnets

Leonidas Stylianou, CS 682, 23/04/2020

Lifecycle of a bot

• The botmaster infects a host.
• The infected host becomes a bot and joins the botnet.
• The botmaster controls the botnet.

Coordination of bots with C&C server

• Bots query the C&C servers using their IP address and DNS name. This is not flexible and not robust against take-down actions.

Fast flux
• Bots query a single domain that is mapped onto a set of IP addresses that change frequently.
• Constitutes a single point of failure because only a single domain is used.

Domain flux
• Bots query multiple domains that are mapped onto a set of IP addresses that change frequently.
• Taking down the C&C server is harder because the bots relocate to another domain name.

Usage of botnets

• Send spam mails
• Launch DoS attacks
• Steal personal data

Your Botnet is My Botnet: Analysis of a Botnet Takeover

Overview

• A comprehensive analysis of the operations of the Torpig botnet.
• The count of distinct IPs that contacted the sinkholed C&C overestimates the size of the botnet.
• The victims of botnets are often users with poorly maintained machines.

What is Torpig?

• Distributed to its victims as part of the Mebroot rootkit.
• Steals sensitive information from the victim’s host and relays it back to its controllers.
• Malware service accessible to third parties.

Distribution of Mebroot

• The victim requests a legitimate web site into which an attacker has injected HTML code.
• The victim’s browser requests JavaScript code from the drive-by-download server.
• The JavaScript code executes multiple exploits against the browser and some of its components.
• If an exploit is successful, the Mebroot rootkit is downloaded from the server and executed.

Mebroot life cycle

• Overwrites the MBR and is therefore executed at every boot.
• Provides a generic platform that other modules can leverage to perform their malicious actions.
• Contacts the Mebroot C&C server to obtain malicious modules.

Torpig Capabilities

• Trojan that is injected into a number of applications.
• Inspects all the data handled by these programmes.
• Targeted programmes: system programmes, instant messengers, web browsers, email clients, FTP clients.

Communication in the Torpig Botnet

• (1) The bot uploads the data stolen since the previous reporting time to the Torpig C&C server over HTTP.
• (2) The C&C server acknowledges the new data with an “okn” response, or sends a configuration file to the bot with an “okc” response.
• The configuration file specifies how often the bot should contact the C&C server, hard-coded servers, and the parameters to perform MitB attacks.

Man in the Browser attacks with Torpig bot

• Generation of phishing sites.

Man in the Browser attack
• The infected machine visits one of the domains listed in the configuration file (a bank site).
• Torpig issues a request to an injection server.
• The injection server’s response specifies the trigger page, the injection URL, and a number of parameters.
• The victim visits the trigger page.
• Torpig requests the injection URL from the injection server and injects the returned content into the user’s browser.
• The injected content reproduces the style of the target web site, and the address bar displays a padlock.
• The injected page asks the user for sensitive information and steals it.

Coordination in Torpig Botnet: Domain Flux

• Each bot uses a domain generation algorithm to compute a list of domain names.
• It attempts to contact the C&C server with each name in the domain list, in order, until one succeeds.

Torpig’s Domain Generation Algorithm
• Step 1: seeded with the current date and a numerical parameter.
• Step 2(a): computes a “weekly” domain name dw that depends on the current week and year; attempts to resolve dw.{com,net,biz} and contact the C&C server.
• Step 2(b): computes a “daily” domain name dd that depends on the current day; attempts to resolve dd.{com,net,biz} and contact the C&C server.
• Step 2(c): attempts to resolve the domains that are hard-coded in the configuration file and contact the C&C server.

Coordination in Torpig Botnet: Domain Flux and resilience
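The DGA steps above, and the defender's side of taking over a domain-flux botnet, as an added worked example. This is not the Torpig code from the paper or the slides: it only mirrors the structure (weekly name, daily name, three TLDs, hard-coded fallback). The hash-based label derivation, the seed value, the fallback names and the stand-in DNS resolver are assumptions made for this example.

```python
import hashlib
from datetime import date, timedelta

# Added example: a DGA with the same structure as the Torpig DGA on the slides
# (weekly name dw, daily name dd, each tried under .com/.net/.biz, then the
# hard-coded configuration domains). The hash-based label derivation, the seed
# value and the fallback names are assumptions for this example, not Torpig's code.

TLDS = ("com", "net", "biz")
HARDCODED = ("fallback-a.example", "fallback-b.example")  # assumed config entries
SEED = 0x1234                                             # assumed numerical parameter


def parse_day(text):
    """ISO date string -> date (helper so callers need no datetime import)."""
    return date.fromisoformat(text)


def _label(kind, *parts, seed=SEED, length=8):
    """Derive a lowercase label from the date components and the seed (assumption)."""
    material = "|".join([kind, *map(str, parts), str(seed)]).encode()
    digest = hashlib.sha256(material).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])


def weekly_domain(day, seed=SEED):
    """Step 2(a): dw depends only on ISO year and week, so it is stable for 7 days."""
    year, week, _ = day.isocalendar()
    return _label("w", year, week, seed=seed)


def daily_domain(day, seed=SEED):
    """Step 2(b): dd depends on the exact day."""
    return _label("d", day.year, day.month, day.day, seed=seed)


def domain_list(day, seed=SEED):
    """Ordered list a bot tries: dw.{com,net,biz}, dd.{com,net,biz}, hard-coded names."""
    dw, dd = weekly_domain(day, seed), daily_domain(day, seed)
    return ([f"{dw}.{tld}" for tld in TLDS]
            + [f"{dd}.{tld}" for tld in TLDS]
            + list(HARDCODED))


def contact_cc(day, resolves, seed=SEED):
    """Bot side: try each name in order and stop at the first that resolves.
    `resolves(name) -> bool` stands in for DNS resolution plus the C&C handshake."""
    for name in domain_list(day, seed):
        if resolves(name):
            return name
    return None  # every name failed: the bot retries later


def defender_registrations(start, days, seed=SEED):
    """Defender side: precompute the generated names for a future window.
    Registering any name that the bots try before the botmaster's own name
    is enough to sinkhole them for that period; the hard-coded names cannot be
    taken over this way, so they are left out. Returns {name: first day used}."""
    names = {}
    for i in range(days):
        d = start + timedelta(days=i)
        for name in domain_list(d, seed)[:len(TLDS) * 2]:
            names.setdefault(name, d)
    return names


if __name__ == "__main__":
    today = parse_day("2009-01-26")
    print(domain_list(today))
    print(sorted(defender_registrations(today, 7)))
```

Because the bots walk the list in a fixed order, a defender who registers the weekly .com name wins over a botmaster who only holds the daily name; that is the "control at least one domain" point. The arms race follows directly: two weeks of names is already 48 registrations, and changing the seed or the derivation invalidates all of them.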

• Control at least one of the domains that will be contacted by the bots.
• Use measures to prevent other groups from seizing domains that will be contacted by the bots.

Arms Race between botmasters and defenders

(B: botmaster, D: defender)
• B: The domain generation algorithm of the bots is modified frequently.
• D: Reverse engineering the botnet protocol could be time consuming.
• B: Force defenders to register a disproportionate number of names.
• D: The economic factor is the biggest challenge because domain names are not cheap.

Taking control of the Torpig botnet: Sinkholing Preparation

• Purchased two domains (.com and .net) that were to be used by the botnet.
• Registered them with two different registrars.
• Obtained control of the Torpig botnet for ten days.
• Set up an Apache web server to receive bot requests and recorded all network traffic.
• During their control of the botnet, 8.7 GB of Apache log files and 69 GB of pcap data were collected.

Taking control of the botnet: Data Collection Principles

• Operated the C&C servers based on established legal and ethical principles.
• Collected enough information to enable remediation of affected parties.
• Operated such that any damage to victims was minimized.
• Worked with law enforcement agencies.

Botnet Analysis: Data Collection and Format

• Bots communicate with the Torpig C&C through HTTP POST requests.
• The request URL contains the hexadecimal representation of the bot identifier and of the submission header.
• The submission header is encrypted with Torpig’s encryption algorithm; the bot identifier is used as the symmetric key.
• The request body contains the data stolen from the victim’s machine and consists of data items based on the information that was stolen.
• The body is encrypted with Torpig’s encryption algorithm.

Submission Header Example
• ts: time stamp when the configuration file was updated.
• ip: IP address of the bot.
• hport and sport: port numbers of the HTTP and SOCKS proxies that Torpig opens on the infected machine.
• os and cn: operating system version and locale.
• nid: bot identifier.
• bld and ver: build and version number of Torpig.

Data items sent to the sinkholed botnet in 10 days
• Mailbox account: configuration information for email accounts.
• Email: email addresses.
• Form data: content of HTML forms submitted by the victim’s browser.
• HTTP, FTP, POP: credentials of the respective accounts.
• SMTP: source and destination addresses of emails.
• Windows password.

Botnet Size: Definitions

• Botnet’s footprint: the aggregated total number of machines that have been compromised over time.
• Botnet’s live population: the number of compromised hosts that are concurrently communicating with the C&C server.

Botnet’s Footprint: Counting Bots by “nid” field

Description
• Torpig always sends the “nid” field in the submission header.
• The “nid” depends on software or hardware characteristics of the infected machine’s hard disk.
• Attempted to validate whether the “nid” is unique for each bot.
Evaluation
• 2,079 cases were found where the assumption did not hold.
• 180,835 “nid” values were observed in 10 days.
• Counting by “nid” alone underestimates the botnet’s footprint.

Botnet Footprint: Counting Bots by Submission Header Fields

Description
• Count unique tuples from the submission headers that the Torpig bots send.
• The “nid, os, cn, bld and ver” fields are considered, whilst “ts, ip, sport and hport” are discarded.
Evaluation
• The botnet’s footprint has been estimated at 182,914 machines.

Botnet’s Footprint: Identifying probers and researchers

Description
• “nid” values generated on a standard configuration of VMware and QEMU virtual machines are discarded.
• Bots that use the HTTP GET method are not considered.
Evaluation
• 40 bots were running on virtual machines.
• 74 hosts were probers.
• The final estimate of the botnet’s footprint is 182,800 hosts.

Botnet’s live population: Botnet Size vs IP Count

• Botnet size: 182,800 bots contacted the C&C server.
• IP count: 1,247,642 unique IP addresses contacted the C&C server.
• The IP count overestimates the actual size of the botnet’s footprint.

• Per hour: the number of unique IP addresses and bot IDs per hour provides a good estimation of the botnet’s live population.
• Per day: the number of unique IP addresses and bot IDs per day does not provide a good estimation of the botnet’s live population.

Botnet Size vs IP Count: Observations
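The counting rules from the preceding slides (footprint by “nid”, by header tuple, minus VM nids and GET probers; live population per hour versus per day; IP count versus bot count) as an added worked example over a handful of constructed sinkhole records. This is not code from the paper: the record layout, with the decrypted submission header rendered as a query string using the field names from the slides, and the particular stock-VM nid are assumptions, and every value is made up.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Added example: counting bots from sinkholed submission headers. The record
# layout (hour of arrival, HTTP method, decrypted header as a query string with
# the field names from the slides) is an assumption; all values are constructed.
VM_NIDS = {"00000000DEADBEEF"}   # assumed: nid that a stock VMware/QEMU disk image yields

RECORDS = [
    # hour, method, decrypted submission header
    (0, "POST", "ts=1232724990&ip=203.0.113.10&sport=8109&hport=8108&os=5.1.2600&cn=US&nid=A05BF0F9F7F32B26&bld=gnh5&ver=229"),
    (0, "POST", "ts=1232724990&ip=203.0.113.11&sport=8109&hport=8108&os=5.1.2600&cn=US&nid=A05BF0F9F7F32B26&bld=gnh5&ver=229"),  # same bot after a DHCP lease change
    (1, "POST", "ts=1232724990&ip=198.51.100.7&sport=8109&hport=8108&os=5.1.2600&cn=DE&nid=A05BF0F9F7F32B26&bld=gnh5&ver=229"),  # nid collision: other os/cn, so another machine
    (1, "POST", "ts=1232724990&ip=198.51.100.7&sport=8109&hport=8108&os=6.0.6001&cn=IT&nid=0D3F5A9C11223344&bld=gnh5&ver=229"),  # second machine behind the same NAT address
    (2, "POST", "ts=1232724990&ip=203.0.113.12&sport=8109&hport=8108&os=5.1.2600&cn=US&nid=A05BF0F9F7F32B26&bld=gnh5&ver=229"),  # first bot again, third address of the day
    (2, "POST", "ts=1232724990&ip=192.0.2.5&sport=8109&hport=8108&os=5.1.2600&cn=US&nid=00000000DEADBEEF&bld=gnh5&ver=229"),      # researcher's virtual machine
    (2, "GET",  "ts=1232724990&ip=192.0.2.99&sport=0&hport=0&os=5.1.2600&cn=US&nid=FFFFFFFFFFFFFFFF&bld=gnh5&ver=229"),            # prober replaying a URL with GET
]


def parse_header(raw):
    """Split the decrypted submission header into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(raw, strict_parsing=True).items()}


def bot_key(h):
    """Identity tuple from the slides: nid, os, cn, bld, ver (ts, ip, sport, hport dropped)."""
    return (h["nid"], h["os"], h["cn"], h["bld"], h["ver"])


def is_prober(method, h):
    """Researchers/probers: stock-VM nids, or requests that use GET instead of POST."""
    return method != "POST" or h["nid"] in VM_NIDS


def footprint(records):
    """Footprint estimates: by nid alone, by header tuple, by tuple minus probers."""
    by_nid, by_tuple, cleaned = set(), set(), set()
    for _, method, raw in records:
        h = parse_header(raw)
        by_nid.add(h["nid"])
        by_tuple.add(bot_key(h))
        if not is_prober(method, h):
            cleaned.add(bot_key(h))
    return len(by_nid), len(by_tuple), len(cleaned)


def unique_ips(records):
    """The naive 'distinct IPs that contacted the sinkhole' count."""
    return len({parse_header(raw)["ip"] for _, _, raw in records})


def live_population(records):
    """Per-hour (unique IPs, unique bots) and the same over the whole day, so the
    DHCP effect (IPs > bots) and the NAT effect (IPs < bots) are visible side by side."""
    per_hour = defaultdict(lambda: (set(), set()))
    day_ips, day_bots = set(), set()
    for hour, method, raw in records:
        h = parse_header(raw)
        if is_prober(method, h):
            continue
        per_hour[hour][0].add(h["ip"])
        per_hour[hour][1].add(bot_key(h))
        day_ips.add(h["ip"])
        day_bots.add(bot_key(h))
    hourly = {hr: (len(ips), len(bots)) for hr, (ips, bots) in sorted(per_hour.items())}
    return hourly, (len(day_ips), len(day_bots))


if __name__ == "__main__":
    print("footprint (nid, tuple, cleaned):", footprint(RECORDS))
    print("unique IPs:", unique_ips(RECORDS))
    print("live population per hour / per day:", live_population(RECORDS))
```

On these records the nid-only count misses the machine that shares a nid with a different os/cn (the slides' 2,079 non-unique cases), the header tuple recovers it, and the prober filter removes the VM and the GET request. The IP count exceeds the bot count over the day because one bot cycled through three addresses, while within hour 1 it is lower because two machines sat behind one NAT address.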

• The number of unique IPs per hour provides a good estimation of the botnet’s live population.
• 144,236 (78.9%) of the infected machines were behind a NAT, VPN, proxy, or .
• The difference between the IP count and the actual bot count can be attributed to DHCP and NAT effects.

Threat and data analysis of Torpig

Financial data stealing
• Obtained the credentials of 8,130 accounts at 410 different institutions.
• The Torpig controllers may have profited anywhere between $83K and $8.3M in ten days.
Proxies and DoS
• Leveraged by malicious users to send spam or navigate anonymously.
• Could cause a massive DDoS attack.
Password analysis
• Bots stole 297,962 unique credentials sent by 52,540 different infected machines.
• 140,000 passwords were recovered in 24 hours using various techniques.

SoK: P2PWNED—Modeling and Evaluating the Resilience of Peer-to-Peer Botnets

Overview

• Presents a model that formalizes reconnaissance and disruption attacks against P2P botnets.
• Compares the population sizes of current P2P botnets using crawlers and sensor nodes.
• Evaluates the disruption resilience of all four current P2P botnet families.

Architecture of P2P botnets

• Eliminates the need for centralized servers.
• Bots are connected to each other topologically.
• Each bot acts as both C&C server and client.
• Source: http://cs.ucf.edu/~czou/research/P2PBotnets-bookChapter.pdf

Overview of P2P Networks: Categories

Unstructured P2P
• Don’t have a predefined architecture.
• Participants communicate randomly with one another.
• Robust against high churn, but higher CPU and memory usage is required.
• Botnets use message gossiping to propagate information.
Structured P2P
• Organized into a specific topology.
• Use a distributed hash table (DHT) to identify and locate nodes/resources.
• More efficient, but less robust when faced with high rates of churn.
• Botnets maintain a DHT that is used to store and route commands.

Overview of P2P Botnets: Definitions

• Botnet family: denotes a specific strain of botnet.
• Botnet variant: denotes a variant within a botnet family.
• Botnet: refers to a coherent collection of hosts infected with a specific botnet variant.

Overview of P2P Botnets: P2P Botnet Characteristics

• P2P botnet variants: the active P2P botnet families as of November 2012.
• Lifespan of botnet variants: lifespan of the botnet variants and of the most important inactive P2P botnets.

Overview of P2P Botnets: P2P Botnet Purposes

• Have unstructured P2P protocols and use message gossiping to propagate information.
• Hybrid architectures incorporate centralized servers to collect stolen data.
• Used for malware distribution, spam, credential theft and DDoS attacks.

Formal Model for P2P botnets: Directed Graph

• A peer-to-peer (P2P) botnet is a directed graph G := (V, E), where V is a set of peers and E ⊆ V × V is a set of edges (u, v) with u, v ∈ V.
• The set of peers V := V₁ ∪ V₂ ∪ V₃ is the disjoint union of routable peers V₁, non-routable peers V₂ and unreachable peers V₃.
• V₁: a peer that can be contacted by other peers.
• V₂: a peer that cannot be reached by other peers but has the ability to contact one or more peers.
• V₃: a peer that can neither be reached by any peer nor contact other peers.

Formal Model for P2P botnets: Peer List and out/in degree

Peer list
• Let G = (V, E) denote a P2P botnet. The set of edges E_v := {(v, u) ∈ E} for a peer v ∈ V is called the peer list of v.
• It expresses the relationships of neighbouring peers in the graph.
Out- and in-degree
• Out-degree of v: deg+(v) := |E_v|.
• In-degree of v: deg−(v) := |{(u, v) ∈ E}|.
• deg−(v) is an important measure for the popularity of a peer, because it shows its influence in the botnet.

Formal Model for P2P botnets: Operations

Insertion of an edge (u, v) in the graph
• Transformation I : G → G′ with G′ := (V′, E′), where V′ := V ∪ {v} and E′ := E ∪ {(u, v)}.
• I* is the composition of multiple inserts.
• Occurs when a new peer-to-peer relationship is established.
Deletion of an edge (u, v) in the graph
• Transformation D : G → G′ with G′ := (V, E′) and E′ := E \ {(u, v)}.
• D* = D_n ∘ D_{n−1} ∘ … ∘ D_1 denotes the composition of multiple delete operations.
• Occurs when a peer deletes an unreachable peer entry from its peer list.
Update operation
• U := I ∘ D, defined as an edge deletion followed by an edge insertion.
• U* denotes multiple subsequent updates.

Attacks against P2P Botnets: Attack Methods (Graph Search)

• Goal: understand the P2P topology of a botnet by visiting all nodes, requesting their peer lists and enumerating all edges.
• The graph search only explores the peer lists of routable peers, because only routable peers can be contacted.
• The results are inaccurate because P2P botnet topologies are dynamic.
• The result is the crawl graph.

Attacks against P2P Botnets: Attack Methods (Peer Injection)

• Manipulates the set of edges and thereby changes the graph topology.
• I(v) : G → G′ = (V′, E′) denotes a parametrized insert operation with V′ = V ∪̇ {v}, E′ = E ∪̇ {(u, v)}, u ∈ V.
• Injection of a peer v is defined as the composition I*(v) := I_n(v) ∘ I_{n−1}(v) ∘ … ∘ I_1(v).

Attacks against P2P Botnets: Attack Methods (Peer List Destruction)

• Describes “corrupting changes” to a peer’s peer list.
• Entries can be either deleted or replaced with invalid entries.
• The destruction of v’s peer list is the transformation R(v) := U*(v) ∘ D*(v) : G → G′ = (V′, E′).

Attacks against P2P Botnets: Intelligence Gathering

Crawling
• Based on graph search.
• Visits as many peers as possible and collects information about them.
• Limited view if only routable peers are included in the peer lists.
Sensor nodes
• With peer injection, a sensor s can be introduced into the botnet.
• Can be contacted by non-routable peers, so it potentially overcomes some of the shortcomings of crawling.
• Represents an effective way to gather intelligence.
• Its coverage depends on its in-degree (popularity), which can be increased by injecting s into any visited peer’s peer list.

Attacks against P2P Botnets: Disruption and Destruction (Partitioning)

• Apply a series of consecutive peer list destruction operations to create two disconnected subgraphs.
• Partitioning the graph prohibits the distribution of information.
• Decrease the popularity of nodes by deleting certain edges from the P2P graph: information propagation becomes slow and the graph more sparse.

Attacks against P2P Botnets: Disruption and Destruction (Sinkholing)

• A set of sinkholes S := {s₁, s₂, …, sₙ} becomes the central component for all P2P communication.
• Edges are replaced with edges pointing to the special nodes called sinkholes.
• Achieved by peer injections and peer list destructions.
• The goal is a state where every live peer knows at least one sinkhole and no other routable peer.
• Transforms the infrastructure into a centralized network.

Attacks against P2P Botnets: Disruption and Destruction (Communication Layer Poisoning)

• Specially crafted information is injected into a botnet.
• Achieved by peer injection.
• Distributes commands to other bots, or transmits invalid messages that put the recipients in a non-functional state.

P2P Botnet intelligence gathering: Resilience Against Peer Enumeration

• Reverse engineered the communication protocols of six active botnet variants.
• Kelihos, Storm and Waledac use a unique identifier to distinguish bots.
• Miner and ZeroAccess v1 share all the peers in their peer list at once.
• ZeroAccess variants and Storm don’t only store routable peers in the peer list.
• Various techniques are used to include new peers in the peer list.
• The frequency with which peers communicate with their neighbours varies.

P2P Botnet intelligence gathering: Peer Enumeration: Real-World Observations

• Implemented crawling and sensor injection attacks for all four active P2P botnet families.
• Enumerated eleven botnets that were active in November 2012.
• Deployed sensor nodes only in the seven UDP-based botnets.
• Measurements were taken three weeks after the sensor injection, so that the sensors had become popular in the botnet.
• Values are based on the number of unique IP addresses that were logged during the 24 hours.
• Crawling provides a limited view of the overall botnet population, because it actively enumerates peers and thus only reaches routable ones; a combination of both methods is the most appropriate.
• Tables (captions only): the enumerated botnets with bot version number and fixed UDP port; peers found, peers that responded to peer list requests, and the ratio of routable peers; peers that connected to the sensor in 24 hours; the ratio of the number of peers found by the sensor to the number of peers and routable peers found through crawling; peers identified by both methods.

P2P Botnet intelligence gathering: Convergence Analysis of Zeus botnet

• Both IP addresses and peer IDs have been counted for Zeus.
• IP address churn is significant for Zeus: 19% of the bot IDs were observed on multiple addresses.

P2P Botnet intelligence gathering: Convergence Analysis
• IP address churn is one of the reasons for slow node enumeration convergence.
• Enumeration with crawling converges slowly.
• Sensors find many more peers.

P2P Botnet intelligence gathering: Dynamics of Botnet Populations

• Machines joining and leaving the network cause a steady churn of peers.
• Measured the population size of the Zeus botnet independently from IP address churn.
• Used the static ID to identify infected machines.
• Up to 25,000 new infections per day.
• This highly dynamic behaviour means that P2P botnets change significantly during node enumeration runs.

P2P Botnet Disruption and Destruction: Communication Layer Poisoning Resilience

• Poison a P2P botnet using its own commands, or disrupt the C&C channel.
• Defenders could issue arbitrary commands if the commands are not authenticated.

P2P Botnet Disruption and Destruction: Sinkholing Resilience
(Figures: how a sinkhole can replace peer list entries; fallback C&C channels; how many entries can be destroyed in a single P2P exchange.)
• Sinkhole announcement: announce some sinkholes to as many peers as possible.
• Node isolation: try to eliminate all edges in the P2P graph that don’t point to a sinkhole.
• Fallback prevention: ensure that the bots don’t activate backup command and control channels to recover.

P2P Botnet Disruption and Destruction: Partitioning Resilience

• The partitioning attack is the last resort: it is impossible to regain control of the botnet once it is partitioned.
• Restrict the test to the smallest subgraph, consisting of a single peer.
• Routable peers recover quickly, as they are still known by other peers.
• Non-routable peers can remain isolated forever.
• The partitioning attack is only successful if it affects the whole P2P network.

Questions??? Thanks!!!