510 likes | 728 Views
463.4 Botnets. Computer Security II CS463/ECE424 University of Illinois. Overview. Discussion in two parts Motives and analysis techniques Architectures and strategies. 463.5.1 Motives and Analysis Techniques for Botnets. What are Botnets?.
E N D
463.4 Botnets Computer Security II CS463/ECE424 University of Illinois
Overview • Discussion in two parts • Motives and analysis techniques • Architectures and strategies
What are Botnets? • A botnet is a collection of compromised machines (bots) remotely controlled by an attacker • They are used for various forms of illegal activity • Why the need for compromised machines? • Save money on provisioning • Obscure controlling party by the use of stepping stones • Why the need for multiple compromised machines? • Defending against multiple machines is harder: DDoS and dynamic blacklisting
Underground Cyber-Markets • An “underground” market is one that operates outside of government regulation, often dealing in illegal goods or services • Examples: drugs, prostitution • The underground cyber-markets are ones where underground commerce is carried out over the Internet
What’s the Supply and Demand? [FranklinPPS07]
Internet Relay Chat (IRC) Channels • IETF protocol for message exchange • IRC client connects to a server identifying itself with a nickname (“nick”) and joins a channel • Client can broadcast on the channel or deliver messages privately on the channel • Channel manager may supply supplementary services to users
IRC Roles for Botnets • Connect buyers and sellers • Control botnet • Broadcast nature of IRC aids untraceable communication
Targeted Applications • Extortion • Cryptoviral extortion • DoS • Fraud (viz. identity theft) • Bank accounts • Credit cards • SPAM • Direct advertising • Fraud
Roles of Participants Buyers: seek to make money off scams Carders: provide credit card data Cashiers: provide ways to convert these to cash Droppers: enable pick-ups of merchandise purchased with credit cards Rippers: take payment without providing service Operators: channel owners who provide integrity services like “verified status”
Buyer <buyer a> need fresh US Fullz Msg Me Fast If U have Am Payin E-gold. <buyer b> i buy uk cc's ..prv me only serios ppl 4 good dill. <buyer c> Looking to buy HSBC debit with pins and CC's......
Carder <carder a> selling US (Visa, Master) $2, UK (Barclay) $3. e-gold only <carder b> selling us, uk fresh fulls (master & visa) $10. I accept paypal or e-gold <carder c> Am Selling US, UK Mastercard, Visa, and American Express Fulls, Fresh and 100% valid, WIth DOB, SSN, DL.
Cashier <cashier a> i Cash Out Wells fargo, Boa, Nation Wide, Chase, WachoviA, WaMu, Citibank, Halifax Msg me. <cashier b> I Cashout Skimmed Dumps + Pins 30/70 % Split i Take 30% You Take 70%. <cashier c> can cashout cvv's via WU terminal agent. 500-700 $ per cvv's pvt me for more info.
Dropper <drop a> i drop in usa i can pick any name. <user b> F@!k drops man, I ship to my friends house, no fee. <user c> u will lose ur friends soon! ^^ <user d> I guess some friends are expendable!
Ripper <ripper> Selling software to verify your cvv2. Great for carders, payment is $10. <ripper> Selling database of 350,000 cvv2! msg me fast for good deal!!!
Operator <@operator a> If you want verified status msg me, cost is $50. <@operator b> To become verified pm any @op.
Market Demand and Activity • Markets are active: ~64,000 msgs / day • Large volume of sensitive data • 4k SSNs, $55 million in vulnerable accounts [FranklinPPS07]
Sale ads often dominate want ads Lower barrier to entry even for n00bs Pricing
Pricing for compromised hosts varies Significant demand for root access Pricing
Making Money with SPAM • Services Available in Market • Mailers • Targeting Mailing Lists • Scam Hosting Infrastructure • Phishing Pages • IronPort claimed that, as of 2006, 80% of SPAM was sent by bots • Direct Advertising • Penny Stocks • Click-fraud • Phishing [IronPort06]
How Do I Get My (Stolen) Money? • E-gold (Nevis, Lesser Antilles) was fined $3.7 million for “conspiracy to engage in money laundering” and the “operation of an unlicensed money transmitting business”. • Western Union requires in country initiation and transfers over $1K require Passport, SSN, Drivers License # • Drops provide an out-of-band approach • Colorful strategies: touts, gambling, Lindens, etc.
Analyzing Bots • Examine source code • Attract compromise with a honeypot • Honeynet project • Observe public communications and collect statistics • By manual analysis • Using attribute searches • Using machine learning • Compromise a bot and observe its activities
Reading List • [FranklinPPS07] An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, CCS 2007. • [ThomasA07] Kurt Thomas and David Albrecht, Cashing Out: Exploring Underground Economies, Manuscript 2007. 23
Discussion • Assuming an IRC channel, speculate on strategies for reducing the effectiveness of the underground cyber-market. • How far can/should a honeynet go to gather information about malware?
Botnet Recruitment/Propagation • Bot code is installed on compromised machines using many different techniques • Scan for victims with vulnerabilities • Horizontal scans across an address range • Vertical scans across a range of ports • Look for backdoors or vulnerable software • Bagel and MyDoom worms left backdoors that allow arbitrary code to be executed on the machine • Hide bot code in legitimate files placed in open file shares and on peer-to-peer networks • Send spam email with attachments infected with bot code
Botnet Maintenance/Control • After a computer has been compromised, the bot has several goals • Fortify the system against other malicious attacks • Disable anti-virus software • Harvest sensitive information • The attacker issues commands to the bots • Download updates to the bot code • Download patches to prevent other botnets from capturing the machine • Participate in the botnet “work”: send spam and phishing emails, contribute to DDoS attack, etc.
IRC Botnet in a DDoS Attack [CookeJM05]
Case Study: Agobot • Architecture, • Botnet control mechanisms, • Host control mechanisms, • Propagation mechanisms, • Target exploits and attack mechanisms, • Malware delivery mechanisms, • Obfuscation methods, and • Deception strategies. [BarfordY07]
Architecture • Source code was released publically around 2002. • IRC-based command and control • DoS attack library • Limited polymorphic obfuscations • Harvests Paypal passwords, AOL keys, etc. • Defends compromised system • Anti-disassembly mechanisms • Built with good SE practices
Exploits and Attack Mechanisms Part 1 of 2 1. Bagle scanner: scans for back doors left by Bagle variants on port 2745. 2. Dcom scanners (1/2): scans for the well known DCE-RPC buffer overflow. 3. MyDoom scanner: scans for back doors left by variants of the MyDoom worm on port 3127. 4. Dameware scanner: scans for vulnerable versions of the Dameware network administration tool. 5. NetBIOS scanner: brute force password scanning for open NetBIOS shares. 6. Radmin scanner: scans for the Radmin buffer overflow. 7. MS-SQL scanner: brute force password scanning for open SQL servers. 8. Generic DDoS module
Malware Delivery Mechanisms • Argobot first exploits a vulnerability and uses this to open a shell on the remote host. • The encoded malware binary is then uploaded using either HTTP or FTP. • This separation enables an encoder to be used across exploits thereby streamlining the codebase and potentially diversifying the resulting bit streams.
Obfuscation Mechanisms • A limited set of operations provide some ability to diversify the transfer file • POLY TYPE XOR, • POLY TYPE SWAP (swap consecutive bytes) • POLY TYPE ROR (rotate right) • POLY TYPE ROL (rotate left)
Deception Mechanisms Part 1 of 2 • Deception refers to the mechanisms used to evade detection once a bot is installed on a target host. • These mechanisms are also referred to as rootkits.
Deception Mechanisms Part 2 of 2 • In Agobot the following defenses are included: • Testing for debuggers such as OllyDebug, SoftIce and procdump, • Testing for VMWare, • Killing anti-virus processes, and • Altering DNS entries of anti-virus software companies to point to localhost.
Beyond AgobotEvolving Botnet Structure • Original command-and-control mechanism • Internet Relay Chat (IRC) channels • Centralized control structure • Improved command-and-control mechanism • Peer-to-peer (P2P) networks • Decentralized control structure • More difficult to dismantle than IRC botnets
P2P Botnets • While IRC bots simply connect to their IRC server, P2P bots must follow a series of steps to connect with their P2P network • The initial P2P bot code contains a list of possible peers and code that attempts to connect the bot with the P2P network • After the bot joins the network, the peer list is updated • Then the bot searches the network and downloads the secondary injection code (code that instructs the bot to send spam or perform other malicious activities)
Case Study: Storm Worm • First major botnet to employ peer-to-peer command-and-control structure • Appeared in 2006, gained prominence in January 2007 • MS estimated 500,000 bots as of September 2007 • Recruits new bots using a variety of attack vectors • Email messages with executable attachments • Email messages with links to infected sites • E-card spam • Uses computing power of compromised machines • Sends and relays SPAM • Hosts the exploits and binaries • Conducts DDoS attacks on anti-spam websites and security researchers probing the botnet
Social Engineering with Email Headers • “230 dead as storm batters Europe,” • “A killer at 11, he’s free at 21 and kill again!,” • “British Muslims Genocide,” • “Naked teens attack home director,” • “Re: Your text,” • “Russian missile shot down USA satellite,” • “US Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel.”
Effectiveness of Storm [Smith08]
Storm Worm Botnet Infection Process • Victim downloads and runs Trojan executable file • Kernel mode driver component wincom32.sys • Initialization file component peers.ini • Malware inserts itself into services.exe process • Malware connects with peers on P2P network • Uses initial list of 146 peers to connect to P2P network • Updates peer list with close peers • Searches for encrypted URL of payload • Malware downloads full payload • Decrypts URL of payload • Downloads code that sends spam, participates in DDoS attacks, etc. • Malware executes code under the control of the botnet • Bots can periodically search the P2P network for code updates
Overnet Protocol • Overnet is a P2P protocol based on the Kademlia algorithm • It was created from file sharing community eDonkey2000 • Overnet and eDonkey2000 had an estimated total of 645,000 users as of 2006 • Both were shut down by legal actions of RIAA in 2006
Distributed Hash Tables (DHT) • Kademlia, and hence also Overnet and Storm, are DHT protocols • DHT network manages a collection of nodes that store (key, value) pairs • DHT can support large scale storage in a robust decentralized system • Key concepts • Key space partitioning • Overlay network
Storm Worm BotnetAnti-malware Response • Botnet variations make signature-based detection difficult • New email subject lines and file attachment names • Re-encoded malware binary twice per hour • Anti-malware Response • Microsoft Malicious Software Removal Tool patch issued in September 2007 • Correlated with 20% drop in size of the Storm Worm botnet • Shows that aggressive removal of bots from botnet can make a significant impact on the size of the botnet
Reading List • [CookeJM05] The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets, Evan Cooke, Farnam Jahanian, and Danny McPherson. Steps to Reducing Unwanted Traffic on the Internet Workshop, SRUTI 2005. • [BarfordY07] An Inside Look at Botnets, Paul Barford and Vinod Yegneswaran. Advances in Computer Security, Springer 2007. • [Smith08] A Storm (Worm) Is Brewing, Brad Smith. IEEE Computer, vol. 41, no. 2, pp. 20-22, Feb. 2008.