Your Botnet is My Botnet: Analysis of a Botnet Takeover

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna

Presented by Ryan Genato

Overview

  • Introduction to Botnets, Torpig

  • Domain Flux and “Your Botnet is My Botnet”

  • Analysis of Torpig Network

  • What Do You Do With 70,000 Computers?

  • Conclusions and Future Work

Introduction – Terminology

  • Bot – An application that performs some action or set of actions on behalf of a remote controller

  • Botnet – A network of infected machines controlled by a malicious entity

  • Command and Control (C&C) Channel – Used to send commands to bots, and obtain results and status messages

Introduction – Mebroot

  • Rootkit distributed by Neosploit exploit kit

  • Spread via drive-by downloads: a hidden iframe on a compromised website runs obfuscated JavaScript that exploits the browser and installs Mebroot on the victim’s machine

  • Mebroot overwrites the master boot record (MBR), so it runs before the operating system and evaded most anti-virus tools at the time

Introduction – Torpig

  • Once Mebroot has taken hold, it loads the Torpig modules from the Mebroot C&C server

  • Torpig then contacts its own C&C server (every twenty minutes) to fetch updates and upload the data stolen since the last report

Introduction – Torpig

  • What kind of information does Torpig record?

    • Monitoring popular applications (browsers, e-mail and FTP clients, instant messengers) for credentials and other sensitive data

    • “Man-in-the-browser” attacks: injecting forged forms into banking sites to phish data the real site never asks for (e.g. PINs, social security numbers, card details)

Introduction – Domain Flux

  • Correspondence with C&C server is achieved through domain flux – using a domain generation algorithm to “rotate” through rendezvous points

  • Advantages:

    • No single domain or server to take down; the rendezvous point keeps moving (the same idea as fast flux, which rotates IP addresses rather than domain names)

    • Robustness: if one domain is seized or fails, bots simply try the next one

  • Disadvantages

    • Deterministic (in this implementation): the domain depends only on the current date and a hard-coded numerical parameter

    • If someone can reverse engineer your DGA, they can anticipate future domain addresses…

Your Botnet Is My Botnet

  • And that’s exactly what they did!

  • Reverse engineering the DGA yielded three weeks’ worth of future C&C domains that nobody had registered yet

  • Buy the domains, stand up your own C&C server, and the entire botnet reports to you (sinkholing)

    • Contrast with passive analysis (traffic monitoring, honeypots) and previous active analysis attempts (joining the botnet as a bot)
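The two slides above describe one procedure: a deterministic DGA on the bot side, and a defender who runs the same algorithm forward in time and registers the domains the botmaster has not. The following is an added example, not code from the slides or the paper, and it is not Torpig’s actual DGA (which the paper documents separately). `SEED`, `TLDS`, the hashing scheme, the 2009 start date and the ownership scenario are all constructed here to illustrate the principle: anyone who knows the algorithm and its hard-coded constant gets the same domains for any future date.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Hypothetical hard-coded constant of the kind a reverse engineer would
# recover from the bot binary. Torpig's real parameter is different.
SEED = b"illustrative-dga-seed"
# TLDs appended to the generated label (constructed for this example).
TLDS = ("com", "net", "biz")
# Constructed scenario: a three-week window starting 25 Jan 2009.
EXAMPLE_START = date(2009, 1, 25)
EXAMPLE_DAYS = 21


def domains_for(day: date) -> list[str]:
    """Bot and defender both run this: the candidate C&C domains for `day`.

    Mixes a slow-changing weekly component with a daily one, so the label
    changes every day but shares a prefix within one ISO week. Only the date
    and SEED go in, so anyone who knows both can run it for any date.
    """
    iso_year, iso_week, _ = day.isocalendar()
    weekly = hashlib.sha256(SEED + f"{iso_year}-W{iso_week:02d}".encode()).hexdigest()
    daily = hashlib.sha256(SEED + day.isoformat().encode()).hexdigest()
    # Each hex digit becomes a lowercase letter (a..p): a 12-letter label.
    label = "".join(chr(ord("a") + int(h, 16)) for h in weekly[:6] + daily[:6])
    return [f"{label}.{tld}" for tld in TLDS]


def bot_rendezvous(day: date, ownership: dict[str, str]) -> str | None:
    """Bot side: try today's candidates in order and 'connect' to the first
    one that resolves. `ownership` stands in for DNS (domain -> registrant).
    Returns who the bot ends up talking to, or None if nothing resolves
    (a real bot would then fall back to hard-coded domains)."""
    for candidate in domains_for(day):
        if candidate in ownership:
            return ownership[candidate]
    return None


def defender_plan(start: date, days: int, registered: set[str]) -> list[str]:
    """Defender side, once the DGA is understood: enumerate every domain the
    bots will try over the next `days` days and return the ones nobody has
    registered yet. Buying these is the takeover step on the slides."""
    plan: list[str] = []
    for offset in range(days):
        for candidate in domains_for(start + timedelta(days=offset)):
            if candidate not in registered:
                plan.append(candidate)
    return plan


def simulate_takeover(start: date, days: int, botmaster_owned: set[str]) -> dict[str, int]:
    """Register everything the botmaster left open, then count who the bots
    report to on each of the `days` days. Domains the botmaster already owns
    still win on those days: the hijack only holds while the pre-registered
    domains are the ones the bots reach first."""
    ownership = {d: "botmaster" for d in botmaster_owned}
    for d in defender_plan(start, days, set(ownership)):
        ownership[d] = "sinkhole"
    tally = {"botmaster": 0, "sinkhole": 0}
    for offset in range(days):
        who = bot_rendezvous(start + timedelta(days=offset), ownership)
        tally[who] += 1  # every candidate is now owned by one side or the other
    return tally


if __name__ == "__main__":
    # Botmaster registered only day 0's first domain; the defender buys the rest.
    botmaster = {domains_for(EXAMPLE_START)[0]}
    print(domains_for(EXAMPLE_START))
    print(simulate_takeover(EXAMPLE_START, EXAMPLE_DAYS, botmaster))
```

The simulation makes the slide’s caveat concrete: the takeover works only for the dates whose domains the defender holds, and it ends as soon as the botmaster either registers ahead or, as happened here, ships a new algorithm.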

Gathering Data

  • The C&C hijack lasted ten days (25 January – 4 February 2009)

    • What happened to the three weeks of domains? The botmasters pushed a Torpig update with a new DGA and regained control

  • A couple of numbers:

    • Observed a total of 182,800 bots (counted by Torpig’s own bot identifier), about 70,000 active at peak

    • Recorded 1,247,642 unique IP addresses (IP counts overstate the population because of DHCP churn, hence the bot-ID count above)

    • Logged 8,310 accounts at 410 financial institutions

    • 1,660 unique credit and debit card numbers

Data Analysis + Handling

  • 173,686 unique passwords recorded; about 40% were cracked (with John the Ripper) in under 75 minutes

  • 28% of victims reused the same password across multiple sites

  • Worked with the FBI and National Cyber-Forensics to return the stolen information to the affected institutions

    • A reputable organization is needed to handle the data and notify victims

What Do You Do With 70,000 Computers?

  • Take down the government!

    • 70,000 bots × 435 kbps (average connection speed in 2008) ≈ 30 Gbps of aggregate flood traffic

    • 5,635 users to take down and

    • 10 Gbps was enough to take down WikiLeaks (the December 2010 DDoS)

  • Distributed password cracking

Conclusions and Future Work

  • Victims of botnets pick easy-to-crack passwords and reuse them

    • Better user education, higher password standards

  • Botnets with a centralized HTTP C&C and a predictable domain generation algorithm can be hijacked, but only for a limited period

    • There is no “off” switch: control reverts once the botmaster updates the bots

    • Torpig’s operators responded with an improved DGA seeded from Twitter trending topics, which cannot be predicted weeks in advance

Works Referenced

  • Chen, Adrian. "The Evil New Tactic Behind Anonymous' Massive Megaupload Revenge Attack." Gawker, 19 Jan. 2012. Web. 23 Jan. 2012.

  • Greulich, Andreas. "Torpig/Mebroot Reverse Code Engineering." 18 Apr. 2009. Web. 23 Jan. 2012.

  • Howard, Rick. Cyber Fraud: Tactics, Techniques and Procedures. Auerbach Publications, 2009.

  • Kemmerer, Richard A. "How to Steal a Botnet and What Can Happen When You Do." YouTube, n.d. Web. 23 Jan. 2012.

  • Richard, Matt, and Michael Ligh. "Making Fun of Your Malware." DEF CON 17, n.d. Web. 23 Jan. 2012.

  • Stone-Gross, Brett, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna. "Your Botnet is My Botnet: Analysis of a Botnet Takeover." Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS). ACM, 2009. 635–647.

  • Vaughan-Nichols, Steven J. "DDoS: How to take down WikiLeaks, MasterCard or any other Web site." ZDNet, 9 Dec. 2010. Web. 23 Jan. 2012.