1 / 51

463.4 Botnets

463.4 Botnets. Computer Security II CS463/ECE424 University of Illinois. Overview. Discussion in two parts Motives and analysis techniques Architectures and strategies. 463.5.1 Motives and Analysis Techniques for Botnets. What are Botnets?.

iona
Download Presentation

463.4 Botnets

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 463.4 Botnets Computer Security II CS463/ECE424 University of Illinois

  2. Overview • Discussion in two parts • Motives and analysis techniques • Architectures and strategies

  3. 463.5.1 Motives and Analysis Techniques for Botnets

  4. What are Botnets? • A botnet is a collection of compromised machines (bots) remotely controlled by an attacker • They are used for various forms of illegal activity • Why the need for compromised machines? • Save money on provisioning • Obscure controlling party by the use of stepping stones • Why the need for multiple compromised machines? • Defending against multiple machines is harder: DDoS and dynamic blacklisting

  5. Underground Cyber-Markets • An “underground” market is one that operates outside of government regulation, often dealing in illegal goods or services • Examples: drugs, prostitution • The underground cyber-markets are ones where underground commerce is carried out over the Internet

  6. What’s the Supply and Demand? [FranklinPPS07]

  7. Internet Relay Chat (IRC) Channels • IETF protocol for message exchange • IRC client connects to a server identifying itself with a nickname (“nick”) and joins a channel • Client can broadcast on the channel or deliver messages privately on the channel • Channel manager may supply supplementary services to users

  8. IRC Roles for Botnets • Connect buyers and sellers • Control botnet • Broadcast nature of IRC aids untraceable communication

  9. Targeted Applications • Extortion • Cryptoviral extortion • DoS • Fraud (viz. identity theft) • Bank accounts • Credit cards • SPAM • Direct advertising • Fraud

  10. Roles of Participants Buyers: seek to make money off scams Carders: provide credit card data Cashiers: provide ways to convert these to cash Droppers: enable pick-ups of merchandise purchased with credit cards Rippers: take payment without providing service Operators: channel owners who provide integrity services like “verified status”

  11. Buyer <buyer a> need fresh US Fullz Msg Me Fast If U have Am Payin E-gold. <buyer b> i buy uk cc's ..prv me only serios ppl 4 good dill. <buyer c> Looking to buy HSBC debit with pins and CC's......

  12. Carder <carder a> selling US (Visa, Master) $2, UK (Barclay) $3. e-gold only <carder b> selling us, uk fresh fulls (master & visa) $10. I accept paypal or e-gold <carder c> Am Selling US, UK Mastercard, Visa, and American Express Fulls, Fresh and 100% valid, WIth DOB, SSN, DL.

  13. Cashier <cashier a> i Cash Out Wells fargo, Boa, Nation Wide, Chase, WachoviA, WaMu, Citibank, Halifax Msg me. <cashier b> I Cashout Skimmed Dumps + Pins 30/70 % Split i Take 30% You Take 70%. <cashier c> can cashout cvv's via WU terminal agent. 500-700 $ per cvv's pvt me for more info.

  14. Dropper <drop a> i drop in usa i can pick any name. <user b> F@!k drops man, I ship to my friends house, no fee. <user c> u will lose ur friends soon! ^^ <user d> I guess some friends are expendable!

  15. Ripper <ripper> Selling software to verify your cvv2. Great for carders, payment is $10. <ripper> Selling database of 350,000 cvv2! msg me fast for good deal!!!

  16. Operator <@operator a> If you want verified status msg me, cost is $50. <@operator b> To become verified pm any @op.

  17. Market Demand and Activity • Markets are active: ~64,000 msgs / day • Large volume of sensitive data • 4k SSNs, $55 million in vulnerable accounts [FranklinPPS07]

  18. Sale ads often dominate want ads Lower barrier to entry even for n00bs Pricing

  19. Pricing for compromised hosts varies Significant demand for root access Pricing

  20. Making Money with SPAM • Services Available in Market • Mailers • Targeting Mailing Lists • Scam Hosting Infrastructure • Phishing Pages • IronPort claimed that, as of 2006, 80% of SPAM was sent by bots • Direct Advertising • Penny Stocks • Click-fraud • Phishing [IronPort06]

  21. How Do I Get My (Stolen) Money? • E-gold (Nevis, Lesser Antilles) was fined $3.7 million for “conspiracy to engage in money laundering” and the “operation of an unlicensed money transmitting business”. • Western Union requires in country initiation and transfers over $1K require Passport, SSN, Drivers License # • Drops provide an out-of-band approach • Colorful strategies: touts, gambling, Lindens, etc.

  22. Analyzing Bots • Examine source code • Attract compromise with a honeypot • Honeynet project • Observe public communications and collect statistics • By manual analysis • Using attribute searches • Using machine learning • Compromise a bot and observe its activities

  23. Reading List • [FranklinPPS07] An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, CCS 2007. • [ThomasA07] Kurt Thomas and David Albrecht, Cashing Out: Exploring Underground Economies, Manuscript 2007. 23

  24. Discussion • Assuming an IRC channel, speculate on strategies for reducing the effectiveness of the underground cyber-market. • How far can/should a honeynet go to gather information about malware?

  25. 463.5.2 Botnet Architectures and Strategies

  26. Botnet Recruitment/Propagation • Bot code is installed on compromised machines using many different techniques • Scan for victims with vulnerabilities • Horizontal scans across an address range • Vertical scans across a range of ports • Look for backdoors or vulnerable software • Bagel and MyDoom worms left backdoors that allow arbitrary code to be executed on the machine • Hide bot code in legitimate files placed in open file shares and on peer-to-peer networks • Send spam email with attachments infected with bot code

  27. Botnet Maintenance/Control • After a computer has been compromised, the bot has several goals • Fortify the system against other malicious attacks • Disable anti-virus software • Harvest sensitive information • The attacker issues commands to the bots • Download updates to the bot code • Download patches to prevent other botnets from capturing the machine • Participate in the botnet “work”: send spam and phishing emails, contribute to DDoS attack, etc.

  28. IRC Botnet in a DDoS Attack [CookeJM05]

  29. Case Study: Agobot • Architecture, • Botnet control mechanisms, • Host control mechanisms, • Propagation mechanisms, • Target exploits and attack mechanisms, • Malware delivery mechanisms, • Obfuscation methods, and • Deception strategies. [BarfordY07]

  30. Architecture • Source code was released publically around 2002. • IRC-based command and control • DoS attack library • Limited polymorphic obfuscations • Harvests Paypal passwords, AOL keys, etc. • Defends compromised system • Anti-disassembly mechanisms • Built with good SE practices

  31. Botnet Control Mechanisms

  32. Host Control Mechanisms

  33. Propagation Mechanisms

  34. Exploits and Attack Mechanisms Part 1 of 2 1. Bagle scanner: scans for back doors left by Bagle variants on port 2745. 2. Dcom scanners (1/2): scans for the well known DCE-RPC buffer overflow. 3. MyDoom scanner: scans for back doors left by variants of the MyDoom worm on port 3127. 4. Dameware scanner: scans for vulnerable versions of the Dameware network administration tool. 5. NetBIOS scanner: brute force password scanning for open NetBIOS shares. 6. Radmin scanner: scans for the Radmin buffer overflow. 7. MS-SQL scanner: brute force password scanning for open SQL servers. 8. Generic DDoS module

  35. Exploits and Attack Mechanisms Part 2 of 2

  36. Malware Delivery Mechanisms • Argobot first exploits a vulnerability and uses this to open a shell on the remote host. • The encoded malware binary is then uploaded using either HTTP or FTP. • This separation enables an encoder to be used across exploits thereby streamlining the codebase and potentially diversifying the resulting bit streams.

  37. Obfuscation Mechanisms • A limited set of operations provide some ability to diversify the transfer file • POLY TYPE XOR, • POLY TYPE SWAP (swap consecutive bytes) • POLY TYPE ROR (rotate right) • POLY TYPE ROL (rotate left)

  38. Deception Mechanisms Part 1 of 2 • Deception refers to the mechanisms used to evade detection once a bot is installed on a target host. • These mechanisms are also referred to as rootkits.

  39. Deception Mechanisms Part 2 of 2 • In Agobot the following defenses are included: • Testing for debuggers such as OllyDebug, SoftIce and procdump, • Testing for VMWare, • Killing anti-virus processes, and • Altering DNS entries of anti-virus software companies to point to localhost.

  40. Beyond AgobotEvolving Botnet Structure • Original command-and-control mechanism • Internet Relay Chat (IRC) channels • Centralized control structure • Improved command-and-control mechanism • Peer-to-peer (P2P) networks • Decentralized control structure • More difficult to dismantle than IRC botnets

  41. P2P Botnets • While IRC bots simply connect to their IRC server, P2P bots must follow a series of steps to connect with their P2P network • The initial P2P bot code contains a list of possible peers and code that attempts to connect the bot with the P2P network • After the bot joins the network, the peer list is updated • Then the bot searches the network and downloads the secondary injection code (code that instructs the bot to send spam or perform other malicious activities)

  42. Case Study: Storm Worm • First major botnet to employ peer-to-peer command-and-control structure • Appeared in 2006, gained prominence in January 2007 • MS estimated 500,000 bots as of September 2007 • Recruits new bots using a variety of attack vectors • Email messages with executable attachments • Email messages with links to infected sites • E-card spam • Uses computing power of compromised machines • Sends and relays SPAM • Hosts the exploits and binaries • Conducts DDoS attacks on anti-spam websites and security researchers probing the botnet

  43. Social Engineering with Email Headers • “230 dead as storm batters Europe,” • “A killer at 11, he’s free at 21 and kill again!,” • “British Muslims Genocide,” • “Naked teens attack home director,” • “Re: Your text,” • “Russian missile shot down USA satellite,” • “US Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel.”

  44. Effectiveness of Storm [Smith08]

  45. Storm Worm Botnet Infection Process • Victim downloads and runs Trojan executable file • Kernel mode driver component wincom32.sys • Initialization file component peers.ini • Malware inserts itself into services.exe process • Malware connects with peers on P2P network • Uses initial list of 146 peers to connect to P2P network • Updates peer list with close peers • Searches for encrypted URL of payload • Malware downloads full payload • Decrypts URL of payload • Downloads code that sends spam, participates in DDoS attacks, etc. • Malware executes code under the control of the botnet • Bots can periodically search the P2P network for code updates

  46. Control Architecture

  47. Overnet Protocol • Overnet is a P2P protocol based on the Kademlia algorithm • It was created from file sharing community eDonkey2000 • Overnet and eDonkey2000 had an estimated total of 645,000 users as of 2006 • Both were shut down by legal actions of RIAA in 2006

  48. Distributed Hash Tables (DHT) • Kademlia, and hence also Overnet and Storm, are DHT protocols • DHT network manages a collection of nodes that store (key, value) pairs • DHT can support large scale storage in a robust decentralized system • Key concepts • Key space partitioning • Overlay network

  49. Storm Worm BotnetAnti-malware Response • Botnet variations make signature-based detection difficult • New email subject lines and file attachment names • Re-encoded malware binary twice per hour • Anti-malware Response • Microsoft Malicious Software Removal Tool patch issued in September 2007 • Correlated with 20% drop in size of the Storm Worm botnet • Shows that aggressive removal of bots from botnet can make a significant impact on the size of the botnet

  50. Reading List • [CookeJM05] The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets, Evan Cooke, Farnam Jahanian, and Danny McPherson. Steps to Reducing Unwanted Traffic on the Internet Workshop, SRUTI 2005. • [BarfordY07] An Inside Look at Botnets, Paul Barford and Vinod Yegneswaran. Advances in Computer Security, Springer 2007. • [Smith08] A Storm (Worm) Is Brewing, Brad Smith. IEEE Computer, vol. 41, no. 2, pp. 20-22, Feb. 2008.

More Related