Botnets-Presentation.Pdf

Botnets
Leonidas Stylianou, CS 682, 23/04/2020

Lifecycle of a bot
• Botnet malware infects a host.
• The infected host becomes a bot and joins the botnet.
• The botmaster controls the botnet.

Coordination of bots with the C&C server
• Bots query the C&C servers using their IP address and DNS name: not flexible and not robust against take-down actions.
• Fast flux: bots query a single domain that is mapped onto a set of IP addresses that change frequently. This constitutes a single point of failure because only a single domain is used.
• Domain flux: bots query multiple domains that are mapped onto a set of IP addresses that change frequently. Taking down the C&C server is harder because the bots relocate their domain name.

Usage of botnets
• Send spam mails
• Launch DoS attacks
• Steal personal data

Your Botnet is My Botnet: Analysis of a Botnet Takeover

Overview
• A comprehensive analysis of the operations of the Torpig botnet.
• The count of distinct IPs that contacted the sinkholed C&C overestimates the size of the botnet.
• The victims of botnets are often users with poorly maintained machines.

What is Torpig?
• Distributed to its victims as part of the Mebroot rootkit.
• Steals sensitive information from the victim's host and relays it back to its controllers.
• A malware service accessible to third parties.

Distribution of Mebroot
1. The victim requests a legitimate web site into which an attacker has injected HTML code.
2. The victim's browser requests JavaScript code from the drive-by-download server.
3. The JavaScript code executes multiple exploits against the browser and some of its components.
4. If an exploit succeeds, the Mebroot rootkit is downloaded from the server and executed.

Mebroot life cycle
• Overwrites the MBR and is therefore executed at every boot.
• Provides a generic platform that other modules can leverage to perform their malicious actions.
• Contacts the Mebroot C&C server to obtain malicious modules.

Torpig capabilities
• A trojan that is injected into a number of applications and inspects all the data handled by these programmes:
• system programmes, instant messengers, web browsers, email clients, FTP clients.

Communication in the Torpig botnet
1. The bot uploads the data stolen since the previous reporting time to the Torpig C&C server over HTTP.
2. The C&C server either acknowledges the new data with an "okn" response, or sends a configuration file to the bot with an "okc" response. The configuration file specifies how often the bot should contact the C&C server, hard-coded servers, and parameters for man-in-the-browser (MiTB) phishing attacks.

Man-in-the-browser attacks with the Torpig bot
Generation of phishing sites
• The infected machine visits one of the domains listed in the configuration file (e.g. a bank site).
• Torpig issues a request to an injection server.
• The injection server's response specifies the trigger page, the injection URL, and a number of parameters.
Man-in-the-browser attack
• The victim visits the trigger page.
• Torpig requests the injection URL from the injection server and injects the returned content into the user's browser.
• The injected content reproduces the style of the target web site, and the address bar displays a padlock.
• It asks the user for sensitive information and steals the personal data entered.

Coordination in the Torpig botnet: domain flux
• Each bot uses a domain generation algorithm to compute a list of domain names.
• It attempts to contact the C&C server using each name in the domain list, in order, until one succeeds.

Torpig's domain generation algorithm
• Step 1: seeded with the current date and a numerical parameter.
• Step 2(a): computes a "weekly" domain name dw that depends on the current week and year; attempts to resolve dw.{com,net,biz} and contacts the C&C server.
• Step 2(b): computes a "daily" domain name dd that depends on the current day; attempts to resolve dd.{com,net,biz} and contacts the C&C server.
• Step 2(c): attempts to resolve the domains hardcoded in the configuration file and contacts the C&C server.

Coordination in the Torpig botnet: domain flux and resilience
• Control at least one of the domains that will be contacted by the bots.
• Use measures to prevent other groups from seizing domains that will be contacted by the bots.

Arms race between botmasters (B) and defenders (D)
• B: the domain generation algorithm of the bots is modified frequently.
• D: reverse engineering the botnet protocol can be time consuming.
• B: force defenders to register a disproportionate number of names.
• D: the economic factor is the biggest challenge, because domain names are not cheap.

Taking control of the Torpig botnet: sinkholing
Preparation
• Purchased two domains (.com and .net) that were to be used by the botnet, registered with two different registrars.
• Obtained control of the Torpig botnet for ten days.
• Set up an Apache web server to receive bot requests and recorded all network traffic.
• During the period of control, 8.7 GB of Apache log files and 69 GB of pcap data were collected.

Taking control of the botnet: data collection principles
• Operated the C&C servers based on established legal and ethical principles.
• Collected enough information to enable remediation of affected parties.
• Operated such that any damage to victims was minimized.
• Worked with law enforcement agencies.

Botnet analysis: data collection and format
• Bots communicate with the Torpig C&C through HTTP POST requests.
• The request URL contains the hexadecimal representation of the bot identifier and the submission header.
• The submission header is encrypted with Torpig's encryption algorithm; the bot identifier is used as the symmetric key.
• The request body contains the data stolen from the victim's machine, as data items based on the kind of information that was stolen. The body is also encrypted with Torpig's encryption algorithm.

Submission header fields
• ts: timestamp of when the configuration file was updated.
• ip: IP address of the bot.
• hport and sport: port numbers of the HTTP and SOCKS proxies that Torpig opens on the infected machine.
• nid: bot identifier.
• bld and ver: build and version number of Torpig.
• os and cn: operating system version and locale.

Data items sent to the sinkholed botnet in 10 days
• Mailbox account: configuration information for email accounts.
• Email: email addresses.
• SMTP: source and destination addresses of emails.
• Form data: content of HTML forms submitted by the victim's browser.
• Windows password.
• HTTP, FTP, POP: credentials of the respective accounts.

Botnet size: definitions
• Botnet's footprint: the aggregated total number of machines that have been compromised over time.
• Botnet's live population: the number of compromised hosts that are concurrently communicating with the C&C server.

Botnet's footprint: counting bots by the "nid" field
• Torpig always sends the "nid" field in the submission header.
• The value depends on software or hardware characteristics of the infected machine's hard disk.
• The authors attempted to validate whether the "nid" is unique for each bot: 2,079 cases were found where the assumption did not hold.
• 180,835 "nid" values were observed in 10 days.
• Counting by "nid" underestimates the botnet's footprint.

Botnet's footprint: counting bots by submission header fields
• Count unique tuples from the submission headers that Torpig bots send.
• The "nid, os, cn, bld, ver" fields are considered, while "ts, ip, sport, hport" are discarded.
• The botnet's footprint is estimated at 182,914 machines.

Botnet's footprint: identifying probers and researchers
• "nid" values generated on a standard configuration of VMware and QEMU virtual machines are discarded: 40 bots were running on virtual machines.
• Bots that use the HTTP GET method are not considered: 74 hosts were probers.
• Final estimate of the botnet's footprint: 182,800 hosts.

Botnet's live population: botnet size vs IP count
• Botnet size: 182,800 bots contacted the C&C server.
• IP count: 1,247,642 unique IP addresses contacted the C&C server. The IP count overestimates the actual size of the botnet's footprint.
• Per hour: the number of unique IP addresses and bot IDs per hour provides a good estimation of the botnet's live population.
• Per day: the number of unique IP addresses and bot IDs per day does not provide a good estimation of the live population.

Botnet size vs IP count: observations
• The number of unique IPs per hour provides a good estimation of the botnet's live population.
• 144,236 (78.9%) of the infected machines were behind a NAT, VPN, proxy, or firewall.
• The difference between the IP count and the actual bot count can be attributed to DHCP and NAT effects.

Threat and data analysis of Torpig
Financial data stealing
• Obtained the credentials of 8,130 accounts at 410 different institutions.
• Torpig's controllers may have profited anywhere between $83K and $8.3M in ten days.
Proxies and DoS
• Leveraged by malicious users to send spam or navigate anonymously.
• Could be used to launch a massive distributed DoS attack.
Password analysis
• Bots stole 297,962 unique credentials, sent by 52,540 different infected machines.
• 140,000 passwords were recovered within 24 hours using various techniques.

SoK: P2PWNED — Modeling and Evaluating the Resilience of Peer-to-Peer Botnets

Overview
• Presents a model that formalizes reconnaissance and disruption attacks against P2P botnets.
• Compares the population sizes of current P2P botnets using crawlers and sensor nodes.
• Evaluates the disruption resilience of all four current P2P botnet families.

Architecture of P2P botnets
• Eliminates the need for centralized servers.
• Bots are connected to each other topologically and act as both C&C server and client.
• Reference: http://cs.ucf.edu/~czou/research/P2PBotnets-bookChapter.pdf

Overview of P2P networks: categories
• Unstructured P2P: no predefined architecture; participants communicate randomly with one another.
• Structured P2P: organized into a specific topology.
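The domain-flux slides above give the shape of Torpig's domain generation algorithm (a weekly label and a daily label, each tried under .com, .net and .biz in order, then the hardcoded configuration domains) but not the arithmetic that turns a date into a label. The following is an added example written for this page, not code from the presentation or from the Torpig paper. It reproduces that structure with a hash standing in for the unknown label derivation, a made-up numerical parameter, and constructed placeholder fallback domains, and it shows both sides of the arms race from the later slide: the bot walking its list in order, and the defender working out which names must be registered ahead of time to intercept it.

```python
import hashlib
from datetime import date, timedelta

# Order in which a bot tries TLDs for each generated label (slides: dw.{com,net,biz}, then dd.{com,net,biz}).
TLDS = ("com", "net", "biz")
# Constructed stand-ins for the hardcoded fallback domains in the bot's configuration file (step 2(c)).
CONFIG_DOMAINS = ("cfg-alpha.example", "cfg-beta.example")


def _label(material, param, length=8):
    """Assumption: the label is derived by hashing the date material together with the
    numerical parameter. The slides state only what the label depends on, not Torpig's
    actual string arithmetic, so this hash stands in for it."""
    digest = hashlib.sha256(f"{material}|{param}".encode()).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])


def weekly_label(day, param):
    """dw: depends on the current ISO week and year (step 2(a))."""
    year, week, _ = day.isocalendar()
    return _label(f"w{year}-{week:02d}", param)


def daily_label(day, param):
    """dd: depends on the current day (step 2(b))."""
    return _label(f"d{day.isoformat()}", param)


def candidate_domains(day, param):
    """The full ordered list a bot walks on a given day: weekly names, daily names, config fallbacks."""
    dw, dd = weekly_label(day, param), daily_label(day, param)
    return ([f"{dw}.{tld}" for tld in TLDS]
            + [f"{dd}.{tld}" for tld in TLDS]
            + list(CONFIG_DOMAINS))


def rendezvous(day, param, resolvable):
    """Bot side: contact the first candidate that resolves, or None if none does.
    `resolvable` models DNS as the set of names currently registered and answering."""
    for name in candidate_domains(day, param):
        if name in resolvable:
            return name
    return None


def generated_names(start, days, param):
    """Defender side: every DGA name (config fallbacks excluded, those belong to the botmaster)
    that a bot could try during the window. Holding all of them is the safe position against
    the botmaster regaining any single name, and it is what makes the arms race expensive."""
    seen = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name in candidate_domains(day, param)[: 2 * len(TLDS)]:
            if name not in seen:
                seen.append(name)
    return seen


def first_choice_names(start, days, param):
    """The weekly .com names only. Because bots stop at the first success, controlling these
    intercepts every bot in the window as long as nobody registers them first (the slides
    describe buying two such domains, .com and .net, for a ten-day window)."""
    seen = []
    for offset in range(days):
        name = f"{weekly_label(start + timedelta(days=offset), param)}.{TLDS[0]}"
        if name not in seen:
            seen.append(name)
    return seen


if __name__ == "__main__":
    today, param = date(2020, 4, 20), 7  # constructed inputs
    print("bot tries, in order:", candidate_domains(today, param))
    sinkhole = set(first_choice_names(today, 10, param))
    print("sinkhole holds:", sorted(sinkhole))
    print("bot lands on:", rendezvous(today, param, sinkhole))
    # If the botmaster re-registers the weekly .com, the sinkhole's .net is never reached.
    dw = weekly_label(today, param)
    print("botmaster holds dw.com:", rendezvous(today, param, {f"{dw}.com", f"{dw}.net"}))
    print("names to hold for 10 days (all DGA output):", len(generated_names(today, 10, param)))
```

Two things the run makes visible: a ten-day window spanning two ISO weeks yields 2 weekly and 10 daily labels, so 36 registrations if the defender wants to hold everything the DGA can emit, against 2 if only the first-choice weekly names are taken; and changing the numerical parameter (the "algorithm modified frequently" move) changes every name, so the registrations bought for the old parameter become worthless.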
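The footprint and live-population slides above describe how bots were counted from the sinkhole's records: discard probers (GET requests, nids from stock virtual machines), count unique nids, count unique (nid, os, cn, bld, ver) tuples, and compare unique IPs with bot IDs per hour and per day. The example below is added for this page and is not the paper's analysis code. It uses a constructed, already-decoded record format (one line per check-in carrying the submission-header fields the slides name; the real request carries an encrypted header in the URL and an encrypted body), placeholder values for the VM-default nids, and made-up addresses chosen so that a nid collision, a NAT and a DHCP lease change all appear in the sample.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole check-ins (NOT Torpig's wire format). Each line is one request:
#   <timestamp> <http-method> <source-ip> <nid> <os> <cn> <bld> <ver>
# n1 and n2 share a NAT address in hour 01; n3 reports two different os values under one nid;
# n1, n2 and n3 move to new DHCP addresses in later hours; the last two lines in hours 01/02
# are a VM-default nid and a GET prober.
SAMPLE_LOG = """\
2020-01-01T01:05:00 POST 198.51.100.7    n1             5.1 en b1 v1
2020-01-01T01:10:00 POST 198.51.100.7    n2             5.1 en b1 v1
2020-01-01T01:20:00 POST 203.0.113.4     n3             6.0 de b1 v1
2020-01-01T01:30:00 POST 203.0.113.4     n3             5.1 de b1 v1
2020-01-01T01:50:00 POST 198.51.100.200  vmware-default 5.1 en b1 v1
2020-01-01T02:05:00 POST 192.0.2.9       n1             5.1 en b1 v1
2020-01-01T02:30:00 GET  198.51.100.201  n9             5.1 en b1 v1
2020-01-01T02:40:00 POST 203.0.113.4     n3             6.0 de b1 v1
2020-01-01T03:00:00 POST 192.0.2.10      n1             5.1 en b1 v1
2020-01-01T03:10:00 POST 192.0.2.11      n2             5.1 en b1 v1
2020-01-01T03:20:00 POST 192.0.2.12      n3             6.0 de b1 v1
"""

# Assumption: placeholder nid values standing in for those a default VMware/QEMU image yields.
VM_DEFAULT_NIDS = {"vmware-default", "qemu-default"}
FIELDS = ("time", "method", "ip", "nid", "os", "cn", "bld", "ver")
# Header fields that identify a bot; ts, ip, sport and hport are discarded as the slides say.
IDENTITY = ("nid", "os", "cn", "bld", "ver")


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        rec["time"] = datetime.fromisoformat(rec["time"])
        records.append(rec)
    return records


def real_bots(records):
    """Drop probers and researchers: GET requests (bots POST) and nids produced by a stock VM."""
    return [r for r in records
            if r["method"] == "POST" and r["nid"] not in VM_DEFAULT_NIDS]


def bot_key(rec):
    return tuple(rec[f] for f in IDENTITY)


def footprint_by_nid(records):
    """Lower bound: nid alone collides when two machines derive the same value."""
    return len({r["nid"] for r in real_bots(records)})


def footprint_by_tuple(records):
    """Footprint estimate as on the slides: unique (nid, os, cn, bld, ver) tuples."""
    return len({bot_key(r) for r in real_bots(records)})


def unique_ips(records):
    return len({r["ip"] for r in real_bots(records)})


def live_population(records, granularity="hour"):
    """Per-bucket unique IPs versus unique bot IDs. Per-day buckets inflate the IP count because
    DHCP hands one bot several addresses over a day; NAT compresses it in any bucket."""
    fmt = "%Y-%m-%dT%H" if granularity == "hour" else "%Y-%m-%d"
    ips, bots = defaultdict(set), defaultdict(set)
    for r in real_bots(records):
        bucket = r["time"].strftime(fmt)
        ips[bucket].add(r["ip"])
        bots[bucket].add(bot_key(r))
    return {b: {"ips": len(ips[b]), "bots": len(bots[b])} for b in sorted(ips)}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("check-ins:", len(recs), "after dropping probers:", len(real_bots(recs)))
    print("footprint by nid:", footprint_by_nid(recs))
    print("footprint by header tuple:", footprint_by_tuple(recs))
    print("unique IPs over the whole sample:", unique_ips(recs))
    for gran in ("hour", "day"):
        print(gran, live_population(recs, gran))
```

On this sample the nid count (3) sits below the tuple count (4) because n3 reports two operating systems, the whole-sample IP count (6) sits above both because of DHCP, and the per-hour buckets stay close to the bots actually talking to the sinkhole in that hour, which is the slides' reason for preferring hourly IP counts as a live-population estimate.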
