FAKULTAT¨ FUR¨ INFORMATIK DER TECHNISCHEN UNIVERSITAT¨ MUNCHEN¨ Master’s Thesis in Computer Science Adapting Blackhat Approaches to Increase the Resilience of Whitehat Application Scenarios Bartlomiej Polot FAKULTAT¨ FUR¨ INFORMATIK DER TECHNISCHEN UNIVERSITAT¨ MUNCHEN¨ Master’s Thesis in Computer Science Adapting Blackhat Approaches to Increase the Resilience of Whitehat Application Scenarios Adaptieren von Blackhat-Ansatzen¨ um die Ausfallsicherheit in Whitehat-Anwendungsszenarien zu erhohen¨ Author: Bartlomiej Polot Supervisor: Prof. Dr. Claudia Eckert Advisor: Dipl. Inf. Christian Schneider Advisor: Martin Brunner, BSc Date: June 15, 2010 Ich versichere, dass ich diese Masters Thesis selbstandig¨ verfasst und nur die angegebenen Quellen und Hilfsmittel verwendet habe. Munchen,¨ den 15.Juni 2010 Bartlomiej Polot Dedication I dedicate this thesis to my father Bogusław who celebrates his 50th birthday today, June 15th, 2010. Acknowledgments I would like to thank my advisor Martin Brunner, from Fraunhofer SIT in Munich, for his guidance in all aspects throughout the creation of this thesis. I would also like to thank Alexander Kiening, also from Fraunhofer SIT in Munich, for his help in the revision of the drafts. Finally, I want to thank my parents Ewa and Bogusław for their support during my whole academic life. vii Abstract Botnets, large networks of computers controlled by a malicious master, are nowadays big threats to computer security. They have evolved from being simple centralized net- works of hundreds of computers to complex multi-function systems with millions of com- puters. Botnets use different novel techniques to increase their resilience and be harder to analyze, track and control by numerous groups of people trying to counter-measure them. In this thesis, the techniques botnets use to achieve their high resilience are gathered and analyzed to form a general idea about the state of the art in distributed malware. This knowledge is used to build a proof of concept application which takes advantage of the research and development done by botmasters, for its possible use in a number of whitehat scenarios. The application combines well known Peer-to-Peer technologies with techniques used in famous botnets. This creates a network resilient to internal and external DoS attacks. The attacks that made former networks stop working, only cause an increase in response time and extra traffic in this network. This thesis shows that botnet techniques can be applicable for general-purpose contexts and that combining all known protection measures it is possible to build a highly resilient network, resistant to most attacks that can bring normal networks down. ix Zusammenfassung Botnets, große Netzwerke von Computern die ein bose¨ Master gesteuert wurde, sind heute große Bedrohungen fur¨ die Computersicherheit. Sie haben von einfache zentral- isierte Netze von Hunderten Computern zu komplexen Multi-Funktions-Systeme mit Mil- lionen Computern entwickelt. Botnets verwenden verschiedene neue Techniken, um ihre Widerstandsfahigkeit¨ zu erhohen¨ und um schwieriger zu analysieren, zu verfolgen und zu steuern sind. In dieser Thesis, die Techniken Botnets ihrer Widerstandsfahigkeit¨ zu erhohen¨ verwen- det, werden gesammelt und analysiert, um einen Uberblick¨ uber¨ den Stand der Technik in Verteilt Malware zu haben. Dieses Wissen wird verwendet, um ein Proof of Concept An- wendung, die Vorteilt von der Forschung und Entwicklung Botmasters gemacht hat und verwenden sie es in Whitehat Szenarien, zu bauen. Die Anwendung kombiniert bekannte Peer-to-Peer Technologien mit Techniken, die in beruhmten¨ Botnets verwendet sind, um ein Netzwerk anfallig¨ fur¨ interne und externe DoS-Attacken zu herstellen. Die Angriffe, die ehemalige Netzwerken kaputt gemacht haben, nur einem Anstieg der Reaktionszeit und zusatzlichen¨ Netzwerkverkehr auslosen.¨ Diese Thesis zeigt, dass Botnet-Techniken konnen¨ fur¨ allgemeine Zwecke und Kontexte anwendbar sein und dass mit der Kombination aller bekannten Schutzmaßnahmen ist es moglich,¨ ein hoch belastbares Netzwerk, bestandig¨ gegen die meisten Angriffe, die nor- male Netze fuhren¨ kann, zu bauen. xi xii Contents Dedication and Acknowledgements vii Abstract ix Zusammenfassung xi Outline of the Thesis xix I. Introduction1 1. Introduction3 1.1. Initial situation...................................3 1.2. Motivation......................................3 1.3. A brief history of botnets..............................4 II. Theoretical Background9 2. Software requirements of bots 11 2.1. Introduction..................................... 11 2.2. Stealthiness..................................... 11 2.2.1. Hide presence................................ 11 2.2.2. Hide size................................... 12 2.3. Confidentiality.................................... 13 2.4. Quick response................................... 13 2.4.1. Fast propagation of commands and data inside the network..... 14 2.4.2. Fast infection and propagation of the bot to other hosts........ 14 2.5. Availability...................................... 15 2.6. Anonymity...................................... 15 2.7. Authentication.................................... 16 2.8. Size assessment................................... 16 2.9. Conclusion...................................... 16 3. Techniques used in botnets 19 3.1. Introduction..................................... 19 3.2. Bots.......................................... 19 3.2.1. Infection................................... 19 3.2.2. Obfuscation and self protection...................... 21 xiii Contents 3.3. Architecture..................................... 24 3.3.1. Centralized networks........................... 24 3.3.2. Peer to peer networks........................... 24 3.4. Segmentation.................................... 31 3.4.1. Size assessment............................... 32 3.5. Resilience....................................... 32 3.5.1. Traditional approaches........................... 32 3.5.2. Fast Flux Service Networks........................ 33 3.5.3. Domain name randomization....................... 36 3.6. Anonymization................................... 37 3.6.1. Onion routing................................ 37 3.6.2. Message authentication.......................... 38 3.7. Conclusion...................................... 38 4. Future evolution 39 4.1. Introduction..................................... 39 4.2. Diversification of infection vectors........................ 39 4.3. No clear central C&C................................ 39 4.3.1. Random nodes as C&C.......................... 40 4.3.2. No C&C nodes at all............................ 40 4.3.3. Hybrid.................................... 40 4.4. Size obfuscation................................... 41 4.5. Encrypted traffic................................... 41 4.6. Signed content.................................... 42 4.7. Disguised traffic................................... 42 4.8. Dynamic domain name generation........................ 42 4.9. Using third party services............................. 43 4.10. Friend to friend................................... 43 4.11. Improved Fast Flux structures........................... 44 4.12. Smartphones..................................... 45 4.13. Conclusion...................................... 45 III. Case Study 47 5. Application 49 5.1. Introduction..................................... 49 5.1.1. Description................................. 49 5.1.2. Related work................................ 49 5.1.3. Uses..................................... 49 5.2. Design........................................ 50 5.2.1. Store..................................... 51 5.2.2. Find Value.................................. 52 5.2.3. Iteration values............................... 53 5.3. Size assessment................................... 55 5.3.1. Local routing table............................. 55 xiv Contents 5.3.2. Random search............................... 56 5.4. Authentication.................................... 57 5.5. Cryptography.................................... 58 5.5.1. Confidentiality............................... 59 5.5.2. Segmentation................................ 59 5.6. Conclusion...................................... 60 6. Conclusion 61 6.1. Further improvements............................... 61 6.2. Conclusions..................................... 61 Bibliography 63 xv Contents xvi List of Figures 1.1. Classic botnet structure...............................5 1.2. Modern botnet structure...............................6 3.1. Example of P2P network............................... 25 3.2. Hash Table...................................... 27 3.3. DHT......................................... 28 3.4. Segmented botnet.................................. 32 3.5. Fast Flux diagram.................................. 34 3.6. Double Fast Flux - Registration.......................... 35 3.7. Double Fast Flux - Query.............................. 36 4.1. Fast Flux - Evolution................................ 45 5.1. Store iteration.................................... 52 5.2. Search iteration................................... 53 5.3. Probability to find the information........................ 54 5.4. Size assessment by local analysis......................... 56 5.5. Size assessment by remote study......................... 57 xvii List of Figures Outline of the Thesis Part I: Introduction CHAPTER 1: INTRODUCTION This chapter presents an overview of the thesis and it purpose. The initial situation