AI-Powered Covert Botnet Command and Control on Osns
Total Page:16
File Type:pdf, Size:1020Kb
DeepC2: AI-powered Covert Botnet Command and Control on OSNs Zhi Wang, Chaoge Liu, Xiang Cui, Jiaxi Liu, Di Wu, Jie Yin Abstract—Command and control (C&C) is the essential com- TABLE I ponent of a botnet. In previous C&C using online social networks CARRIERS FOR BUILDING C&C CHANNELS (OSNs), the botmasters’ identifiers are reversible. After a bot is analyzed, the botmaster’s accounts can be predicted in advance. Year Name Platform Identity CMD Additionally, abnormal content from explicit commands may ex- 2009 upd4t3 [7] Twitter ID Base64 pose botmasters and raise anomalies on OSNs. To overcome these 2012 - [8] Twitter Token Plain 2014 Garybot [9] Twitter Token Encrypted deficiencies, we proposed DeepC2, an AI-powered covert C&C 2015 Hammertoss [3] Twitter DGA Plain method on OSNs. By leveraging neural networks, bots can find 2015 MiniDuke [10] Twitter DGA Base64 2015 - [6] Twitter DGA Tweets botmasters by avatars, which are converted into feature vectors 2017 ROKRAT [11] Twitter ID, Token Plain and built into bots. Defenders cannot predict the botmaster’s 2017 PlugX [12] Pastebin URL XOR accounts from the vectors in advance. Commands are embedded 2018 Comnie [13] GitHub URL Base64, RC4 2019 DarkHydrus [14] GoogleDrive URL Plain into normal contents (e.g., tweets and comments) using easy data 2020 Turla [5] Gmail Token Encrypted augmentation and hash collision. Experiments on Twitter show that command-embedded contents can be generated efficiently, and bots can find botmasters and obtain commands accurately. Security analysis on different scenarios show that it is hard to predict the botmaster’s avatars. By demonstrating how AI may help promote covert communication on OSNs, this work provides a new perspective on botnet detection and confrontation. Index Terms—Online Social Networks, Command and Control, Botnet, Convert Communication, Neural Networks I. INTRODUCTION A botnet refers to a group of compromised devices that are remotely controlled by a botmaster via command and control (C&C) channels [1]. Multiple types of attacks can be launched based on botnets, such as DDoS, spam and crypto-mining. Fig. 1. Commands posted by Hammertoss and MiniDuke Compared to other malware, the major feature of a botnet is that it has a one-to-many C&C channel, which receives commands from the botmaster and forwards them to bots. reversible botmaster identifiers (i.e., ids, links, tokens, and With the evolution of botnet, the construction of C&C chan- DGAs) have to hardcode into bots (see Table I). Once the nels has focused on concealment and has begun to utilize on- bots are analyzed by defenders, with the C&C infrastructure line web services [2], such as online social networks (OSNs), being exposed, all the botmaster’s accounts can be calcu- cloud drives, and online clipboards. For example, Hammertoss lated in advance. Additionally, in most cases, commands are (APT-29) [3] used Twitter and GitHub to publish commands published in plain, encoded or encrypted forms (see Fig. 1). and hide communication traces. HeroRat [4] used Telegram for These abnormal contents will expose C&C activities and raise arXiv:2009.07707v6 [cs.CR] 3 Sep 2021 C&C communication on Android devices. Turla [5] utilized anomalies on OSNs, triggering restrictions on botmaster’s Gmail to receive commands and to exfiltrate information to accounts and interrupting C&C activities. When OSNs block the operators. all the accounts from the botmaster, it is difficult for the bots OSNs have some features to build a good C&C channel. It to retrieve new commands and recover the C&C channel. is nearly impossible for OSNs to go offline. Users have access To reduce the anomaly of C&C communication on OSNs, to OSNs anytime with a networked device. Then, visiting Pantic et al. [6] proposed a method that embeds commands OSNs is allowed by most anti-virus software. This ensures the into tweets using tweet metadata (length). The length of a availability of the commands. As many people use the OSNs, tweet represents an ASCII code in decimal form. As at that the botmaster’s accounts can hide among normal users. Also, time a tweet had a maximum length of 140, 7 bits could be it is easy to limit the accounts but not easy to shut down conveyed through one tweet. While commands can be issued the OSNs. With the help of dynamic addressing, the bots can stealthily, the system has a low capacity. It needs to post N obtain commands from multiple accounts. tweets to publish a command of length N. However, there are still some deficiencies of building C&C The deficiencies above can be solved by introducing AI channels using OSNs. Firstly, to help bots addressing, the technology. Neural network models can obtain excellent accu- 1 racy in different tasks, but they have poor explainability [15]. II. BACKGROUND It is not clear how neural networks make decisions. Therefore, A. Botnet it is difficult to reverse the decision-making process. Neural network models also have good generalization ability and A botnet is composed of a botmaster, bots and a C&C fault tolerance. It can help to build block-resistant C&C channel. By reverse-engineering a bot, analysts will know communication. how the bot addressing and communicating with the C&C server [16]. Also, analysts will know all the botmaster’s The main idea of DeepC2 is as follows. To overcome the accounts (domains, IDs, etc.) and commands by running a deficiencies brought by reversible hardcoding, we use a neural bot. However, when the analysts know the commands, the network model for addressing. The bots find the botmaster’s bots in the wild also know the commands. From the defence accounts on OSNs by the avatars’ feature vectors. The feature perspective, it’s a failure [17]. Defenders should find and limit vectors are extracted by a neural network model. Defenders the botmaster’s accounts in advance. When addressing using cannot calculate and predict the avatars in advance through DGAs or IDs, the botmaster’s identifiers can be calculated in the model and vectors. Then, to eliminate the abnormal advance. It gives the defenders chances to defend the C&C. contents, we propose a new method to embed the commands Therefore, the key issue in designing a botnet is to design a into contextual and readable contents (we take Twitter and block-resistant C&C channel that even the analysts know the tweets as the example in this work). To achieve this, the detailed information about the C&C infrastructure, it is hard botmaster crawls tweets about a certain topic, and uses data to calculate the botmaster’s identifiers and limit the C&C in augmentation to generate a large number of related tweets. advance. Then the botmaster uses hash collision to get the command- embedded tweets from the generated ones and posts them. We B. Siamese Neural Network use Twitter trends as the rendezvous point for the bots and the The Siamese neural network [18] is effective in measuring botmaster. The botmaster crawls and posts tweets to a trending the similarity between two inputs. The two inputs accepted topic, and the bots can find the botmaster quickly among the by the Siamese neural network will feed into two identical Twitter users. After addressing, the commands can be parsed neural networks to generate two outputs. Like “Siamese” twins from the tweets posted by the botmaster’s accounts. sharing the same organs, the identical neural networks share The contributions of this paper are summarized as follows: the same architecture and weights. By calculating the distance between two outputs, the similarity between two inputs can • We propose a method to build a more block-resistant be measured. C&C communication on OSNs. Fig. 2 shows the architecture of the Siamese neural network. • We introduce neural networks to solve the problem of In this work, the two identical neural networks are CNNs [19]. reversible hardcoding in C&C addressing. They are used to extract feature vectors from avatars. Images • We propose a method for embedding commands into input into CNN models are converted into vectors of the natural semantic tweets to avoid anomalies caused by same length. Contrasting loss function [20] is used to help abnormal contents on OSNs. backpropagate error and train the model. • We also evaluate this method and discuss possible coun- termeasures to mitigate this kind of attack. CNN Image1 Ethical Considerations. The combination of AI and botnet is considered to be an upward trend. We cannot stop the evolution of cyberattacks, but we should draw attention to Shared weights the defenses in advance. The goal of this work is not to Contrastive loss CNN inspire malware authors to write more efficient malware but Image2 to motivate security researchers and vendors to find solutions for an emerging threat. To this end, we intend to provide this method to build a possible scenario to help prevent this kind of attack in advance. The remainder of this paper is structured as follows. Sec- tion II describes relevant backgrounds on the techniques in Fig. 2. Architecture of Siamese neural network this work. Section III presents the methodology for building the covert C&C channel. Detailed implementations are demon- strated in Section IV. Section V is the evaluations on the C. Easy Data Augmentation experiments. Section VI discusses possible contermeasures. Data augmentation is a technique to solve the insufficiency Section VII presents related works to this paper. Conclusions of training data. By applying data augmentation, researchers are summarized in Section VIII. can enlarge the existing dataset to meet the needs of training 2 TABLE II SENTENCES GENERATED BY EDA Extract feature vectors Publish bots with the Train the neural network model from pictures model and vectors Prepare some pictures Neural networks model Operation Sentence Vectors Pictures None Our TAXII server is going to be taking a short nap Twitter accounts RULES at 11am ET today for an update.