
Recent Advanced Botnets - MegaD & Waledac

Explore the world of botnets, including their structure and operations with a focus on MegaD and Waledac. Discover the challenges and techniques used to infiltrate and monitor these botnets.





Presentation Transcript


  1. Recent Advanced Botnets - MegaD & Waledac

  2. What is a Botnet? • Bots: compromised hosts, “zombies” • Botnets: networks of bots under the control of a human operator (the botmaster) • (Generally looks like) worm + C&C channel • Command and Control (C&C) channel: disseminates the botmaster’s commands to the bot army • Communication: IRC, HTTP, … (can be encrypted) • Attacks: DoS, spamming, phishing sites, … • Worm propagation: vulnerabilities, file sharing, P2P, … Speaker: Li-Ming Chen

  3. Lifecycle of a Typical Botnet Infection • Uses of botnets: • Phishing attacks • Spam • ID/information theft • DDoS • Distributing other malware

  4. Why are Botnets so Daunting? • Underground economics! • Multilayered/multifunction C&C architecture • The botmaster always stays behind the mirror • Botnet structures change (e.g., P2P) • Fast-flux (hides C&C servers or other bots behind an ever-changing network) • Secure communication! • Multi-vector exploitation + social engineering techniques

  5. Overview • MegaD (aka Ozdok) • Analysis method • Architecture • Operation/Malicious Activities • Waledac • Analysis method • Architecture • Operation/Malicious Activities • Summary & Discussion

  6. Paper Reference • MegaD • Chia Yuan Cho, Juan Caballero, Chris Grier, Vern Paxson, and Dawn Song, “Insights from the Inside: A View of Botnet Management from Infiltration,” in Proc. USENIX LEET, 2010. • Waledac • Greg Sinclair, Chris Nunnery, and Brent ByungHoon Kang, “The Waledac Protocol: The How and Why,” in Proc. MALWARE, 2009. • Chris Nunnery, Greg Sinclair, and Brent ByungHoon Kang, “Tumbling Down the Rabbit Hole: Exploring the Idiosyncrasies of Botmaster Systems in a Multi-Tier Botnet Infrastructure,” in Proc. USENIX LEET, 2010.

  7. MegaD • MegaD (aka Ozdok) • http://en.wikipedia.org/wiki/Mega-D_botnet • A mass-spamming botnet that appeared in 2007 • About one third of worldwide spam at its peak! • Resilience – survived two major takedown attempts • 2008/12, US FTC + Marshal Software (McColo ISP shutdown) • 2009/11, takedown effort by FireEye

  8. MegaD C&C Servers & Dialogs • A MegaD bot interacts during its lifetime with 4 types of C&C servers • Master Servers (MS) • Drop Servers (DS) • Template Servers (TS) • SMTP Servers (SS) • 2 different “sequences of commands” (dialogs) issued by an MS are observed • Spam Dialog (launch spam campaigns) • Download Dialog (download and run a new binary)

  9. MegaD – Spam Dialog • (1) request a command • (2) test spam-sending capability • (3) the MS engages the bot in an elaborate preparation phase to obtain information about the infected host • (4) get a spam template • (5) start spamming • When the campaign finishes, the bot re-initiates the spam dialog

  10. MegaD – Download Dialog • (1) request a command • (2) test spam-sending capability • (3, 4, 5) the MS orders the bot to download a new binary from a DS and execute it

  11. MegaD C&C Servers (figure)

  12. Infiltrating MegaD • Goal • Monitor MegaD’s malicious activities (spam only!) • Discover the complete C&C architecture • Techniques: • Milker [11, 12] – a bot emulator without malicious side effects • Google hacking – a trick to discover MSes • *Honeypot • [11] Juan Caballero et al., “Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering,” in Proc. ACM CCS, 2009. • [12] Juan Caballero et al., “Binary code extraction and interface identification for security applications,” in Proc. NDSS, 2010.

  13. Milker • (Observation) MegaD only carries out spam campaigns → templates fully describe the botnet’s spam operation • Milkers: • C&C Milker: periodically queries an MS for commands • Template Milker: periodically queries a TS for templates • IP address diversity: Tor (onion routing network) • Prerequisites: • MegaD’s protocol grammar [11] • Encryption/decryption functions used by MegaD [12]

  14. Google Hacking • Google hacking is just a “trick” • Intuition: • MegaD MSes listen on TCP port 80 or 443 • Camouflaged as normal web servers by crafting the response to “GET /” • A hyperlink to a Microsoft web page → leverage the ubiquity of search engines, which locate web servers on ports 80/443 across the Internet • The camouflage content gets added to the search engine’s index → just google the “distinguishable elements” to locate the MSes • 4 results on 4 unique hostnames, with no false positives

  15. Google Hack Returns 4 Unique Results (figure: MegaD’s crafted response; copied from the authors’ slides)

  16. Insights from Infiltration • Takedown and Reconstruction • View of Complete C&C Architecture • Template Milking & Botnet Management

  17. FireEye’s Takedown Effort • Findings: • Template contents remained unchanged for 1 week after the takedown • Lack of backup domains and ISPs/infrastructure • Time taken to set up new infrastructure = 1 week • (Timeline in figure: infiltration begins; FireEye takes down MS-S1 and SS1; MegaD’s share of spam goes 4% → 0% (11/6) → 17% 16 days later)

  18. MegaD’s Takedown Recovery • 11/13: templates updated to point to the new SS2 & MS-S2 • Recovery: • (1) Resilience: remnant servers redirect remaining bots to new C&C servers • (2) New bots: push out new MegaD binaries! • 16 days after the takedown, MegaD’s spam volume exceeded the pre-takedown level

  19. MegaD’s C&C Architecture (figure: timeline of the C&C servers observed between 10/27 and 2/18, including TS2 and TS3 on port 443) • Q: multiple botmasters? A: maybe (evidence #1) • 1/29: MS-D1 discovered by Google hacking, which led to the others • 11/13: TS server replacement • One server stayed always on from 10/27 to 2/18

  20. Template Milking & Botnet Management • Collected 271K templates from the 7 TSes over 4 months • Template = template skeleton + element database • Each data element has a set of values in the template → polymorphic • Changes in the templates show how the botmaster manages the botnet

  21. Changes in Template Structure • Plot occurrences of unique data elements (by element ID) across all template servers → evidence (#2) of separate management! • (figure; only 2 days of templates from TS7)

  22. Changes in Polymorphic Data Elements • 3 types of (element) polymorphism have been identified • Single-set polymorphic (fixed set) • Multi-set polymorphic (manually updated by the botmaster), e.g., URL, BODY_HTML • Every-set polymorphic (auto-updated by the TS), e.g., DOMAINS, IMG, LINK • (figure: every-set vs. multi-set examples)

  23. Changes in Polymorphic Data Elements (cont’d) • The update rate of multi-set polymorphic elements is also evidence (#3) of separate management! • Days between dynamic subject updates, {DIKSBJ} • (figure: groups of TSes by update rate)
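The three-way split on slides 20 to 23 (single-set, multi-set, every-set) falls out of comparing an element's value set across successive template snapshots, and the "days between updates" measurement is just the spacing of the snapshots where the set changed. The following is an added example written for this page, not code from the Cho et al. paper or from the milker it describes; the snapshots, element IDs and values are constructed, and the rule "single-set = never changes, every-set = changes between every pair of consecutive snapshots, multi-set = anything in between" is this example's reading of the slide, not the paper's exact procedure.

```python
from collections import defaultdict

# Constructed template snapshots (not real MegaD data): (day observed, {element_id: [values]}).
# Element IDs mimic the slide's naming (DOMAINS, IMG, LINK) but every value is made up.
SNAPSHOTS = [
    (0, {"FROM_NAME": ["Support", "Admin"], "SUBJECT": ["Hi"], "DOMAINS": ["a.example"], "IMG": ["i1.png"]}),
    (1, {"FROM_NAME": ["Support", "Admin"], "SUBJECT": ["Hi"], "DOMAINS": ["b.example"], "IMG": ["i2.png"]}),
    (2, {"FROM_NAME": ["Support", "Admin"], "SUBJECT": ["Hi"], "DOMAINS": ["c.example"], "IMG": ["i3.png"]}),
    (3, {"FROM_NAME": ["Support", "Admin"], "SUBJECT": ["Hello", "Hi there"], "DOMAINS": ["d.example"], "IMG": ["i4.png"], "LINK": ["l1"]}),
    (4, {"FROM_NAME": ["Support", "Admin"], "SUBJECT": ["Hello", "Hi there"], "DOMAINS": ["e.example"], "IMG": ["i5.png"], "LINK": ["l2"]}),
    (5, {"FROM_NAME": ["Support", "Admin"], "SUBJECT": ["Offer"], "DOMAINS": ["f.example"], "IMG": ["i6.png"], "LINK": ["l3"]}),
]


def element_histories(snapshots):
    """Map each element ID to its chronological list of (day, frozenset(values))."""
    histories = defaultdict(list)
    for day, elements in sorted(snapshots, key=lambda s: s[0]):
        for element_id, values in elements.items():
            histories[element_id].append((day, frozenset(values)))
    return histories


def classify_element(history):
    """Single-set: the value set never changes. Every-set: it changes between every pair
    of consecutive snapshots (TS auto-update). Multi-set: it changes only sometimes
    (manual botmaster update)."""
    pairs = list(zip(history, history[1:]))
    changes = sum(1 for (_, prev), (_, cur) in pairs if prev != cur)
    if changes == 0:
        return "single-set"
    if changes == len(pairs):
        return "every-set"
    return "multi-set"


def update_gaps(history):
    """Days between successive changes of an element's value set. The first gap is
    measured from the first observation, because the earlier change is unobserved."""
    gaps, last_change = [], history[0][0]
    for (_, prev), (day, cur) in zip(history, history[1:]):
        if cur != prev:
            gaps.append(day - last_change)
            last_change = day
    return gaps


def structure_changes(snapshots):
    """Element IDs added or removed between consecutive snapshots (slide 21's
    template-structure changes)."""
    ordered = sorted(snapshots, key=lambda s: s[0])
    result = []
    for (_, prev), (day, cur) in zip(ordered, ordered[1:]):
        added, removed = set(cur) - set(prev), set(prev) - set(cur)
        if added or removed:
            result.append((day, frozenset(added), frozenset(removed)))
    return result


def analyze_templates(snapshots):
    """Per-element polymorphism class and update gaps."""
    return {
        element_id: {"class": classify_element(h), "gaps": update_gaps(h)}
        for element_id, h in element_histories(snapshots).items()
    }


if __name__ == "__main__":
    for element_id, info in sorted(analyze_templates(SNAPSHOTS).items()):
        print(f"{element_id:10s} {info['class']:11s} gaps={info['gaps']}")
    print("structure changes:", structure_changes(SNAPSHOTS))
```

Run against real milked templates, the interesting outputs are the multi-set gaps: elements that every TS updates on the same schedule suggest one operator, while TSes with clearly different update rhythms are the separate-management evidence the slide refers to.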

  24. Conclusion (MegaD) • MegaD infiltration over 4 months • Techniques: • Milker + Google hacking • Insights: • Rich view of the MegaD C&C architecture • How the botnet actually recovers from a takedown • Evidence of distinct botmaster management groups • But they share the same SMTP server

  25. Overview • MegaD (aka Ozdok) • Analysis method • Architecture • Operation/Malicious Activities • Waledac • Analysis method • Architecture • Operation/Malicious Activities • Summary & Discussion

  26. Waledac • Waledac (possible successor to the Storm botnet) • http://en.wikipedia.org/wiki/Waledac_botnet • Appeared in late 2008 • A spam-generating phishing infrastructure with fast-flux functionality • Three Symantec blog posts and a technical report • http://www.symantec.com/connect/blogs/paper-waledac • Trend Micro’s report: http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/infiltrating_the_waledac_botnet_v2.pdf

  27. Analysis Method • Does not use infiltration • Methods: • Binary analysis • File-system data from higher tiers of the botnet • Analysis of network traffic traces

  28. Waledac Hierarchy • Botmaster • Botmaster-owned infrastructure • UTS (Upper-Tier Server) • TSL (just the name of the Windows registry entry) • Infected host systems • Repeaters (act as C&C servers for the bots; hosts without NAT; single-tier peering) • Spammers (bots; nodes behind NAT)

  29. Lower Layer: Infected Host Systems • An infected victim decides its own role: • Spammer: if it is unreachable by other nodes (private IP) • Tasks: spamming, local data harvesting (e.g., email addresses) • Repeater: if it has a non-private IP address • More tasks: HTTP proxying, fast-flux DNS • Bootstrap (after compromise): • The Waledac binary contains a bootstrap IP list and a URL (fast-flux) • Locate neighboring repeaters • Join/registration (through each tier up to the head-end C&C server) • Get a session key for future communication

  30. Botnet Communication • Security: 5 types of encoding scheme (figure) • P2P (repeater tier only): • Each bot maintains a “fresh” list of repeater nodes • “Single-tier peering” reduces the overall traffic-handling requirements of the higher tiers

  31. Botnet Communication • Command and control: • Request and reply both use a “symmetric” XML format • 9 unique commands have been identified • Fast-flux: • A repeater may act as a DNS server supporting the Waledac fast-flux network • It responds to DNS queries from both lower-tier bots and other nodes on the Internet • Spammers retrieve commands in a pull-based scheme
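Slide 31 says repeaters answer DNS for Waledac's fast-flux names, and slide 40 lists fast-flux among the things that make detection hard. What a defender sees from the outside is the resolver side of that: a name whose A records churn across unrelated networks under a short TTL. The block below is an added example, not code or thresholds from the Waledac papers or the Symantec and Trend Micro reports; the DNS answer log is constructed, the /16 prefix is used as a cheap stand-in for network diversity (a real deployment would map to ASNs), and the thresholds are illustrative assumptions. It also includes a low-TTL CDN-style name to show why TTL alone is not enough.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS answer log (not real Waledac data): one tuple per lookup of a name,
# (domain, ttl_seconds, [A records]). All addresses are made up for illustration.
LOOKUPS = [
    ("pharma-deals.example", 30, ["203.0.113.5", "198.51.100.7", "192.0.2.9"]),
    ("pharma-deals.example", 30, ["203.0.113.5", "45.33.12.8", "91.121.200.3"]),
    ("pharma-deals.example", 30, ["185.12.64.20", "66.249.70.1", "192.0.2.9"]),
    ("pharma-deals.example", 30, ["198.51.100.7", "23.94.8.15", "141.98.10.2"]),
    # Low TTL alone is not flux: a CDN-style name rotates a few addresses inside one /16.
    ("cdn.example", 60, ["151.101.1.10", "151.101.65.10"]),
    ("cdn.example", 60, ["151.101.129.10", "151.101.193.10"]),
    ("cdn.example", 60, ["151.101.1.10", "151.101.193.10"]),
    ("static.example", 86400, ["198.51.100.200"]),
]


def prefix16(ip):
    """Collapse an address to its /16 as a cheap stand-in for network/ASN diversity."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def summarize(lookups):
    """Aggregate repeated lookups per domain: lookup count, distinct IPs, distinct
    /16 prefixes and the smallest TTL seen."""
    ips, prefixes, min_ttl, count = defaultdict(set), defaultdict(set), {}, defaultdict(int)
    for domain, ttl, answers in lookups:
        count[domain] += 1
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
        for ip in answers:
            ips[domain].add(ip)
            prefixes[domain].add(prefix16(ip))
    return {
        d: {"lookups": count[d], "unique_ips": len(ips[d]),
            "unique_prefixes": len(prefixes[d]), "min_ttl": min_ttl[d]}
        for d in count
    }


def is_fast_flux(stats, max_ttl=300, min_ips=5, min_prefixes=3):
    """Heuristic: short TTL plus many answers spread over many networks. The
    thresholds are illustrative assumptions, not values from the Waledac papers."""
    return (stats["min_ttl"] <= max_ttl
            and stats["unique_ips"] >= min_ips
            and stats["unique_prefixes"] >= min_prefixes)


def flag_fast_flux(lookups, **thresholds):
    """Return the sorted list of domains whose lookup history looks like fast-flux."""
    return sorted(d for d, s in summarize(lookups).items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for domain, stats in summarize(LOOKUPS).items():
        print(domain, stats, "FLUX" if is_fast_flux(stats) else "")
```

The repeater-side detail from the slide matters for tuning: because the authoritative servers are themselves compromised hosts with public IPs, the NS records for a flux domain show the same churn as the A records, so the same summary can be run over NS answers as a second signal.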

  32. TSL • Hides the UTS from repeaters & initiates targeted spam campaigns • (Guess) servers in the TSL tier are either: • (1) self-organizing, sharing information • (2) independently reporting to a central server • TSL configuration: • CentOS • ntp, BIND (DNS server), PHP, nginx (HTTP server), … • phpmailer

  33. UTS (Upper-Tier Server) • Purpose: • Autonomous C&C • Credential repository • Maintains binaries and bootstrap lists; provides a repacking service • Audit: monitors population and vitality statistics • Interacts with underground 3rd parties (spamit.com, j-roger.com) • UTS configuration: • CentOS • PHP, CLI (command-line interface), flat files, no central DB…

  34. Malicious Activities • Differentiated spamming • Low Quality Spam (bulk spam through spammers) • High Quality Spam (authenticated & targeted) • Data harvesting • Network traffic (WinPcap) • HDD scanning (email addresses)

  35. High Quality Spam (HQS) (figure: credentials collected from bots; 3rd-party collaboration tests the credentials before the real spam run)

  36. Conclusion (Waledac) • Hierarchical C&C architecture (multi-service tiers) • Repeaters → single-tier peering • HQS → authenticated spam • Node auditing

  37. Overview • MegaD (aka Ozdok) • Analysis method • Architecture • Operation/Malicious Activities • Waledac • Analysis method • Architecture • Operation/Malicious Activities • Summary & Discussion

  38. Summary • MegaD • Multifunction C&C Architecture • Takedown & Recovery • Waledac • Multilayered C&C Architecture + P2P Botnet Infrastructure • Advanced spam technique and botnet management

  39. Botnet Detection • Targets: • Bots, the whole botnet, C&C servers, the botmaster!! • Solutions: • BotHunter → detects the bot lifecycle • BotSniffer → detects spatial-temporal properties of C&C • BotMiner → monitors malicious activities and C&C communication, and cross-correlates the two • Temporal persistence characteristics of a single bot • Infiltration • BotGrep → detects the P2P structure of a botnet • …
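The "spatial-temporal" idea behind BotSniffer on slide 39 is that bots on the same C&C server pull the same command at about the same time and get near-identical responses, whereas clients of a legitimate server arrive independently and receive unrelated content. The following is an added example for this page, not BotSniffer's code or algorithm: it runs a simplified version of that correlation over a constructed flow log (timestamp, internal source, server, port, response size), treating a window in which several distinct hosts received same-sized responses as one synchronized "response crowd" and flagging a server that produces such crowds repeatedly. Window size, host count and homogeneity thresholds are illustrative assumptions.

```python
from collections import Counter, defaultdict

# Constructed flow summaries (not real traffic): "ts,src,dst,dport,resp_bytes", ts in seconds.
# 203.0.113.10 plays a pull-based C&C server handing the same command to every bot;
# 198.51.100.5 plays an ordinary web server whose clients fetch unrelated content.
FLOW_LOG = """\
0,10.0.0.11,203.0.113.10,80,512
2,10.0.0.12,203.0.113.10,80,512
3,10.0.0.13,203.0.113.10,80,512
5,10.0.0.14,203.0.113.10,80,512
300,10.0.0.11,203.0.113.10,80,2048
301,10.0.0.12,203.0.113.10,80,2048
304,10.0.0.13,203.0.113.10,80,2048
1,10.0.0.21,198.51.100.5,443,15321
4,10.0.0.22,198.51.100.5,443,902
6,10.0.0.23,198.51.100.5,443,44012
300,10.0.0.21,198.51.100.5,443,7788
302,10.0.0.24,198.51.100.5,443,120
"""


def parse_flows(text):
    """Parse the comma-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, resp_bytes = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "resp_bytes": int(resp_bytes)})
    return flows


def bucket_by_server(flows, window):
    """(dst, dport) -> window index -> list of (src, resp_bytes) seen in that window."""
    buckets = defaultdict(lambda: defaultdict(list))
    for f in flows:
        buckets[(f["dst"], f["dport"])][f["ts"] // window].append((f["src"], f["resp_bytes"]))
    return buckets


def crowd_homogeneity(entries):
    """Fraction of responses in a window that share the modal response size."""
    sizes = Counter(size for _, size in entries)
    return sizes.most_common(1)[0][1] / len(entries)


def suspicious_windows(server_buckets, min_hosts, min_homogeneity):
    """Windows in which several distinct internal hosts got near-identical responses."""
    return sorted(
        idx for idx, entries in server_buckets.items()
        if len({src for src, _ in entries}) >= min_hosts
        and crowd_homogeneity(entries) >= min_homogeneity
    )


def detect_cc_servers(text, window=60, min_hosts=3, min_homogeneity=0.8, min_windows=2):
    """Flag servers that repeatedly produce a synchronized, homogeneous response crowd."""
    flagged = set()
    for server, server_buckets in bucket_by_server(parse_flows(text), window).items():
        if len(suspicious_windows(server_buckets, min_hosts, min_homogeneity)) >= min_windows:
            flagged.add(server)
    return flagged


if __name__ == "__main__":
    for dst, dport in sorted(detect_cc_servers(FLOW_LOG)):
        print(f"possible C&C server: {dst}:{dport}")
```

Requiring several windows rather than one is what keeps a single flash-crowd (everyone downloading the same update at once) from being flagged; the slide's point about pull-based C&C is visible here too, since the bots' periodic polling is exactly what creates the repeated windows.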

  40. Discussion • Things that make botnet detection more challenging • Pull-based C&C communication • Fast-flux • Encryption/polymorphism • Proprietary C&C techniques and architectures • Problems: • Forensics – identifying the botmaster • bots → botnet or botnet → bots
