Your Botnet is My Botnet: Analysis of a Botnet Takeover
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna (Department of CS, UC Santa Barbara)

presented by: Brandon Fasching

Introduction

● From Jan 25th to Feb 4th 2009 researchers at UCSB were able to take over the Botnet.
● They collected 8.6 Gigs of Apache logfiles and 89 Gigs of bot submitted data.
● Based on their takeover, they were able to:
  – Accurately determine a botnet's size.
  – See the rate at which new bots joined the botnet.
  – Estimate the monetary value of the botnet.
  – Run analysis on a large pool of user passwords.

How to Analyze a Botnet

● Passive Analysis
  – Observe secondary effects such as spam.
  – Observe traffic from an ISP.
● Infiltration
  – Intentionally infect a machine/VM and join the botnet.
  – Join the IRC Command and Control (C&C) channel and observe.
● Hijacking (Sinkholing)
  – Become the botmaster (the method used).

How You Join Torpig

● Starts with a drive-by-download.
● Tries to exploit several browser vulnerabilities and downloads an executable.
  – Installs a DLL into the file manager process (explorer.exe).
  – Installs a kernel driver that wraps disk.sys.
  – Now that it has raw disk access, it overwrites the MBR with Mebroot (MBR ).

...And Then?

● After the first reboot Mebroot calls the Mebroot C&C Server.
● Downloads encrypted modules (Torpig DLLs)
  – Stored in C:\Windows\System32.
  – Named after existing files.
● DLLs infect:
  – Service Control Manager
  – File Manager
  – 29 popular applications (IE, Firefox, Opera, ICQ, etc...)
● Phones home every 2 hours.

Torpig Phone Home

● Torpig contacts the C&C Server every 20 minutes.
  – Uploads stolen data.
  – Done via HTTP.
  – Uses a simple obfuscation scheme (that was cracked).
● Server responds with:
  – okn : acknowledge data received.
  – okc : server sends updated configuration file.

Injection Attacks

● Configuration file contains ~300 domains.
  – Mostly banking sites.
● When the user goes to one of the domains:
  – Torpig makes a request from an injection server.
  – Server specifies a trigger page mimicking a legitimate page.
  – Page asks for user credentials.
● Man in the Browser attack.
  – URL is correct. SSL is correct.

Example Phishing Page

How it Works (Overview)

(1) Drive-by-Download downloads the Mebroot Installer.
(2) Mebroot installs and downloads Torpig DLLs.
(3) Data is collected from phished sites and programs being “watched.”
(4) Torpig C&C contacted every 20 minutes to upload data.

How to Shutdown a Botnet?

● What happens when a C&C Server is shut down?
  – Police shutdown.
  – Lost registration due to malicious behavior.
● How can botmasters resolve this?

Domain Flux

● The idea: if one C&C Server is shut down, have a way for the bots to find another.
  – Use a Domain Generation Algorithm (DGA).
● In particular, Torpig would:
  – Generate a weekly domain (static all week).
  – Append *.com, *.net, *.biz (in this order).
  – If the bot contacted these servers and failed, it would create a daily domain.
  – If these three failed, use hard-coded domains from the configuration file.
  – Entirely deterministic! All bots create this list.

Lessons Learned

still use domain flux, but this type of takeover is less feasible...
● Conficker's solution? Create 50k domains a day.
● If good guys want to register all these domains at $5 each/year, that's $91 million.
● Non-determinism?
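The domain flux scheme from the previous slides and the Conficker registration arithmetic above, as an added toy example (not Torpig's or Conficker's real DGA, and not code from the paper). The SHA-256-based label generator, the `.invalid` fallback domains and the `weekly:`/`daily:` seed strings are constructed stand-ins; only the structure is taken from the slides: one label per week tried as .com, .net, .biz in that order, then one label per day, then the hard-coded configuration-file domains. The defender-side point is that because the list is deterministic, the candidate domains for any future week can be computed and registered ahead of the botmaster.

```python
"""Domain flux as a constructed toy (added example, not Torpig's real DGA).

Structure from the slides: one deterministic label per ISO week, tried as
.com/.net/.biz in that order; on failure one label per day, same TLD order;
on failure the hard-coded domains from the configuration file.  The label
generator itself is a stand-in; what matters for a defender is that every
bot computes the same list, so it can be computed in advance.
"""
import datetime as dt
import hashlib

TLD_ORDER = (".com", ".net", ".biz")   # order stated on the slide

# Constructed placeholders for the hard-coded domains in the config file.
FALLBACK_DOMAINS = ("fallback-a.invalid", "fallback-b.invalid")


def _label(seed: str, length: int = 10) -> str:
    """Deterministically map a seed string to a lowercase label (constructed)."""
    digest = hashlib.sha256(seed.encode()).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])


def weekly_label(day: str) -> str:
    """Same label for every day of one ISO week; `day` is YYYY-MM-DD."""
    year, week, _ = dt.date.fromisoformat(day).isocalendar()
    return _label(f"weekly:{year}:{week}")


def daily_label(day: str) -> str:
    """A different label for every calendar day."""
    return _label(f"daily:{day}")


def candidate_domains(day: str) -> list:
    """Ordered contact list a bot walks on `day`: weekly, then daily, then fallback."""
    weekly = weekly_label(day)
    daily = daily_label(day)
    return ([weekly + tld for tld in TLD_ORDER]
            + [daily + tld for tld in TLD_ORDER]
            + list(FALLBACK_DOMAINS))


def sinkhole_targets(start: str, weeks: int) -> list:
    """Weekly .com and .net domains for `weeks` consecutive weeks from `start`,
    i.e. the set a sinkhole operator registers before the botmaster does."""
    first = dt.date.fromisoformat(start)
    out = []
    for w in range(weeks):
        label = weekly_label((first + dt.timedelta(weeks=w)).isoformat())
        out.extend(label + tld for tld in TLD_ORDER[:2])
    return out


def registration_cost(domains_per_day: int, price_per_domain: float, days: int = 365) -> float:
    """Yearly cost of pre-registering every generated domain (the Conficker arithmetic)."""
    return domains_per_day * days * price_per_domain


if __name__ == "__main__":
    for d in candidate_domains("2009-01-25"):
        print(d)
    print(sinkhole_targets("2009-01-25", 3))
    print(f"Conficker at 50k/day, $5 each: ${registration_cost(50_000, 5.0):,.0f}/year")
```

With real DGA families the hard part is recovering the generator from the binary; once that is done, `sinkhole_targets` is the whole plan, which is why the slide's remedy is to make the algorithm non-deterministic or to flood the namespace as Conficker did.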

The Takeover

● The botmaster did not register domains far in advance.
● The researchers ended up registering the first weekly domain generated for 3 consecutive weeks for both *.com and *.net.
● Note: This was for the Torpig C&C only.
  – Researchers couldn't take over the Mebroot C&C due to its sophisticated scheme.
● After 10 days, Mebroot C&C updated the DGA.

Collected Data

● All data collected via POST.
● Collected: Mailbox accounts, email items (Outlook address books), form data, FTP accounts, POP accounts, SMTP accounts, Windows passwords.

Data Type          Data Items (#)
Mailbox account        54,090
Email               1,258,862
Form data          11,966,532
HTTP account          411,039
FTP account            12,307
POP account           415,206
SMTP account          100,472
Windows password    1,235,122

Counting the Bots

● When bots connected to the C&C they would send a submission header:

  POST /A15078D49EBA4C4E/qxoT4B5uUFFqw6c35AKDYFpdZHdKLCNn...AaVpJGoSZG1at6E0AaCxQg6nIGA

  ts=1232724990&ip=192.168.0.1:&sport=8109&hport=8108&os=5.1.2600&cn=United%20States&nid=A15078D49EBA4C4E&bld=gnh5&ver=229

● The tuple of (nid, os, cn, bld, ver) uniquely identified bots.
● Remove researchers (VMs create the same nid).
● Total bots? 182,800.

● How many IP Addresses?

Identified Bots vs IP Addresses

● During the 10 days they identified 1,247,642 unique IP addresses.

Country   IP Addresses   Bot IDs   % bots by IP
US            158209      54627        34.53%
IT            383077      46508        12.14%
DE            325816      24413         7.49%
PL             44117       6365        14.43%
ES             31745       5733        18.06%
GR             45809       5402        11.79%
CH             30706       4826        15.72%
UK             21465       4792        22.32%
BG             11240       3037        27.02%
NL              4073       2331        57.23%
Other         180070      24766        13.75%
Totals       1247642     182800        14.65%

Spurious Botnet Counts

● Consider Wikipedia's claim that Conficker has (had) 10 million infections.
  – http://en.wikipedia.org/wiki/Botnet
● The source given is F-Secure's site, which actually claims 8.9 million infections.
  – http://www.f-secure.com/weblog/archives/00001584.html
● How did they determine 8.9 million? IP addresses...
● But, Conficker does not provide a way to uniquely identify infected machines like Torpig.

New Infections

● Submission headers contain the time stamp of the configuration file.
● Researchers noticed some had a time stamp of 0.
● New to the botnet!
● Noticed 49,294 new infections in 10 days.
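The counting method from the Counting the Bots, Identified Bots vs IP Addresses and New Infections slides, as an added example (not code from the paper or the researchers). The submission records below are constructed: the field layout copies the header shown on the slide, but every IP, nid and country value is made up, and the researcher-VM nid set is a placeholder. The function dedupes on the (nid, os, cn, bld, ver) tuple, counts distinct source IPs separately so the inflation from DHCP churn is visible, computes the per-country "% bots by IP" column of the table, and flags ts=0 submissions as new infections.

```python
"""Counting bots by identity tuple versus by IP address (added example; constructed data).

Each record is (source IP seen by the web server, decoded submission body).
(nid, os, cn, bld, ver) identifies one infected machine, as on the slide;
the IP is a weak identifier because of DHCP churn and NAT.  ts=0 marks a
bot that has never received a configuration file, i.e. a new infection.
"""
from collections import defaultdict
from urllib.parse import parse_qs

BOT_ID_FIELDS = ("nid", "os", "cn", "bld", "ver")

# Constructed: nids belonging to the analysts' own VMs, excluded from the count.
RESEARCHER_NIDS = {"DEADBEEF00000000"}

# Constructed sample submissions (RFC 5737 documentation IPs, made-up nids).
SAMPLE_SUBMISSIONS = [
    # One bot checking in twice, then again from a new DHCP lease -> 1 bot, 2 IPs.
    ("198.51.100.7",  "ts=1232724990&ip=192.168.0.1:&sport=8109&hport=8108&os=5.1.2600&cn=United%20States&nid=A15078D49EBA4C4E&bld=gnh5&ver=229"),
    ("198.51.100.7",  "ts=1232724990&ip=192.168.0.1:&sport=8109&hport=8108&os=5.1.2600&cn=United%20States&nid=A15078D49EBA4C4E&bld=gnh5&ver=229"),
    ("198.51.100.99", "ts=1232725100&ip=192.168.0.1:&sport=8109&hport=8108&os=5.1.2600&cn=United%20States&nid=A15078D49EBA4C4E&bld=gnh5&ver=229"),
    # Fresh infection: no configuration file yet.
    ("203.0.113.5",   "ts=0&ip=10.0.0.2:&sport=8109&hport=8108&os=5.1.2600&cn=Italy&nid=0123456789ABCDEF&bld=gnh5&ver=229"),
    # Same nid but a different build version -> a distinct tuple, counted separately.
    ("203.0.113.6",   "ts=1232730000&ip=10.0.0.3:&sport=8109&hport=8108&os=5.1.2600&cn=Italy&nid=0123456789ABCDEF&bld=gnh5&ver=230"),
    # Researcher VMs: same nid, must not inflate the count.
    ("192.0.2.44",    "ts=1232724990&ip=172.16.0.9:&sport=8109&hport=8108&os=5.1.2600&cn=Germany&nid=DEADBEEF00000000&bld=gnh5&ver=229"),
    ("192.0.2.45",    "ts=1232724990&ip=172.16.0.9:&sport=8109&hport=8108&os=5.1.2600&cn=Germany&nid=DEADBEEF00000000&bld=gnh5&ver=229"),
]


def parse_submission(query: str) -> dict:
    """Decode one submission body (already de-obfuscated) into a flat field dict."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def bot_id(fields: dict) -> tuple:
    """The (nid, os, cn, bld, ver) tuple that identifies a bot."""
    return tuple(fields.get(k, "") for k in BOT_ID_FIELDS)


def summarize(submissions, researcher_nids=RESEARCHER_NIDS) -> dict:
    """Distinct bots, distinct IPs, new infections and per-country bots/IP ratio."""
    bots, ips, new_bots = set(), set(), set()
    bots_by_cn, ips_by_cn = defaultdict(set), defaultdict(set)
    for src_ip, query in submissions:
        f = parse_submission(query)
        if f.get("nid") in researcher_nids:
            continue                       # drop the analysts' own VMs
        bid = bot_id(f)
        bots.add(bid)
        ips.add(src_ip)
        bots_by_cn[f.get("cn", "?")].add(bid)
        ips_by_cn[f.get("cn", "?")].add(src_ip)
        if f.get("ts") == "0":
            new_bots.add(bid)              # never received a config file
    pct_bots_by_ip = {cn: round(100 * len(bots_by_cn[cn]) / len(ips_by_cn[cn]), 2)
                      for cn in ips_by_cn}
    return {"bots": len(bots), "ips": len(ips),
            "new_infections": len(new_bots), "pct_bots_by_ip": pct_bots_by_ip}


if __name__ == "__main__":
    print(summarize(SAMPLE_SUBMISSIONS))
```

On this sample the IP count is a third higher than the bot count from one DHCP change alone; the slide's real data showed the same effect at scale (1,247,642 IPs against 182,800 bots), which is the basis for the Spurious Botnet Counts argument against IP-based estimates.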

Financial Data

● In 10 days stole 8,310 accounts from banks, online trading, and investment companies via phishing.
● An additional 1,660 credit card numbers from form data, etc.
● Symantec indicates ranges between $0.10-$25 for a credit card and $10-$1000 for a bank account on the black market.
● 10 days = between $83K and $8.3M.

Spam? DDoS?

● No direct indication that Torpig spams or does DDoS attacks, but both are possible.
● Of the 10k most active bots, 244 are on the ZEN blocklist.
● With 70k bots on at peak, and an average of 435kbps, have a possible bandwidth of 17Gbps.

Password Analysis

● During the 10 days, 300k passwords were taken from 52k different machines.
  – 28% of victims reused passwords.
● Fed 174k passwords into a password cracker.
  – Within 75 minutes, over 40% of passwords were guessed.
  – Within 24 hours, an additional 30k were recovered using brute force.

Conclusions

● Botmasters are using domain flux to fortify their control over their botnets.
● Torpig is constructed in such a way that a wealth of information could be figured out.
● IP-based botnet counts seem to overestimate the number of infected machines.
● Botnets are monetarily lucrative.
● Passwords are as weak as we all assumed.

Further Information

● Google Tech Talk on YouTube: How to Steal a Botnet and What Can Happen When You Do
  – http://www.youtube.com/watch?v=2GdqoQJa6r4