Your Botnet is My Botnet: Analysis of a Botnet Takeover. Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel and Giovanni Vigna, University of California, Santa Barbara. Paper Presentation: Nick Louloudakis.
Your Botnet is My Botnet: Analysis of a Botnet Takeover • Bot: a type of malware written with the intent of taking over a large number of Internet hosts. • Botnets: networks of malware-infected machines that are controlled by an adversary. • Root cause of a large number of security problems on the Internet. • Torpig: a particularly sophisticated and insidious type of bot, designed to harvest sensitive information from its victims. • The Torpig botnet has been called "one of the most advanced pieces of crimeware ever created". • This paper reports on the effort of taking control of the Torpig botnet and studying its operations for 10 days. • 70 GB of data collected by the bots. • The Torpig botnet is interesting because: • Bots transmit unique identifiers, so it is possible to accurately count unique infections and relate that count to the more than 1.2 million IP addresses that contacted the Command and Control (C&C) server. • The botnet is large, targets a variety of applications and gathers a rich and diverse set of data.
Botnets: How it's done • Bots are written to infect Internet hosts. • Once infected with a bot, the victim host joins a botnet, a network of compromised machines under the control of a malicious entity, the botmaster. • Used by criminals for malicious tasks such as: • Sending spam email • Launching DoS attacks • Stealing personal data (mail accounts, bank credentials, etc.)
Botnets Study (1/2) • Passive Analysis: • Analysis of the secondary effects caused by the activity of compromised machines. • For example: spam mails that were likely sent by bots, DNS queries and DNS blacklist lookups, etc. • Interesting results, although one can typically monitor only a portion of the Internet. • Active Analysis: • Infiltration: using an actual malware sample, or a client simulating a bot, to join the botnet in order to perform analysis from the inside. • Honeypots, honeyclients or spam traps are used to obtain a copy of the malicious sample. • The sample is executed in a controlled environment, making it possible to monitor its malicious activity and its communication with the C&C server.
Botnets Study (2/2) • For some IRC-based botnets, it was possible to get the IP addresses of other bots simply by joining the botnet. • Unfortunately, attackers have put a stop to this by using stripped-down IRC or HTTP servers for their C&C channels. • P2P botnets are also possible, such as Storm. • Researchers have developed crawlers that actively search the P2P network for client nodes that exhibit bot-like characteristics; these nodes are then used as the basis for studying the infected machines. • To overcome the limitations of passive measurement, one can attempt to hijack the entire botnet. • This is done by taking control of the C&C channel. • One way is to seize the physical machines that host the C&C infrastructure, an option available only to law enforcement agencies. • Another is to tamper with the DNS, as bots typically resolve domain names to connect to their C&C infrastructure. • By collaborating with a domain registrar or a dynamic DNS provider, it is possible to change the mapping of the botnet's domains so that they point to the defender.
Torpig Case Study (1/2) • The paper is a comprehensive analysis of the operations of the Torpig botnet, which the researchers controlled for 10 days. • Torpig bots transmit identifiers that allow different infections to be distinguished. • This allows the researchers to make a precise estimate of the botnet size. • Torpig is a data-harvesting bot that targets a wide variety of applications and extracts a wealth of information from the infected victims (more than 180K infections observed).
Torpig Case Study (2/2) • Torpig is distributed to its victims as part of Mebroot. • Mebroot is a rootkit that takes control of a machine by replacing the system's Master Boot Record (MBR). • Mebroot is therefore executed at boot time, before the OS is loaded, which makes it very hard for antivirus tools to detect.
Mebroot Installation • Victims are infected through drive-by download attacks, which apply a number of exploits against the browser or some of its components. • If exploitation succeeds, an executable is downloaded from the drive-by download server to the victim machine and executed. • The executable installs Mebroot by injecting a DLL into the file manager process (explorer.exe); execution continues in the file manager's context. • This way, all subsequent actions appear to be performed by a legitimate system process. • The installer loads a kernel driver that wraps the original disk driver, gaining raw disk access on the infected machine. • The installer can now overwrite the MBR with Mebroot. After a few minutes, the machine automatically reboots, and Mebroot is loaded from the MBR.
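The installation above ends with the MBR's boot code replaced while the partition table is left intact (the OS still has to boot). As an added example, not taken from the paper or from this presentation, here is the integrity check a defender would run over the first sector of a disk: split it into boot code, partition table and signature, and compare the hash of the boot-code region against a baseline taken from a known-clean image. The sector images, the opcode bytes and the baseline are constructed for the example; on a real Linux host the sector would be the first 512 bytes read from the block device (which needs root).

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: the bootstrap code a bootkit overwrites
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code
BOOT_SIG_OFF = 510       # two-byte signature 0x55 0xAA closes the sector


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sector_count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    signature = struct.unpack_from("<H", sector, BOOT_SIG_OFF)[0]   # 0x55 0xAA reads as 0xAA55
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": entries, "signature": signature}


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != 0xAA55:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr["boot_code"]).hexdigest()
    if digest != baseline_boot_code_sha256:
        # The partition table may change legitimately; the boot code should not.
        findings.append(f"boot code hash changed: {digest[:16]}...")
    if sum(1 for p in mbr["partitions"] if p["bootable"]) > 1:
        findings.append("more than one active partition")
    return findings


def build_sector(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR image (constructed test data, not read from a disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return code + table + b"\x55\xaa"


# A few typical bootstrap opcodes (xor ax,ax; mov ss,ax; mov sp,7c00h; ...), padded with NOPs.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4") + b"\x90" * 20
ONE_NTFS_PARTITION = [(0x80, 0x07, 2048, 1_000_000)]      # status, type, LBA start, sectors
CLEAN_SECTOR = build_sector(CLEAN_BOOT_CODE, ONE_NTFS_PARTITION)
BASELINE = hashlib.sha256(CLEAN_SECTOR[:BOOT_CODE_LEN]).hexdigest()   # taken from the clean image

# The bootkit keeps the partition table (so Windows still boots) but swaps the code.
TAMPERED_SECTOR = build_sector(b"\xeb\xfe" + bytes(32), ONE_NTFS_PARTITION)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_SECTOR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_SECTOR, BASELINE))
```

The baseline must come from offline storage, not from the running system: once Mebroot's driver wraps the disk driver, reads of the MBR issued from inside the infected OS can be answered with the original sector, so the check is only trustworthy when the disk is examined from clean boot media.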
Mebroot Behavior • Mebroot works as a platform that other modules can leverage to perform malicious actions. • Mebroot provides functionality to manage (install/uninstall/activate) additional modules. • Immediately after the initial reboot, Mebroot contacts the Mebroot C&C server to obtain malicious modules. • Those modules are saved in encrypted form in the system32 directory, so they can be used on the next reboot without contacting the server again. • Malicious modules are given the timestamps of existing files and are named after them, with a different extension, so that they blend in. • Periodically, at 2-hour intervals, Mebroot contacts its C&C server with HTTP requests protected by a sophisticated, custom encryption algorithm.
Torpig Behavior • During the researchers' monitoring, 3 modules were distributed by the C&C server; together they make up the Torpig malware. • Mebroot injects these DLLs into a number of well-known applications, including system programs (e.g., cmd.exe). • Periodically, every 20 minutes, Torpig contacts the Torpig C&C server to upload the data stolen since the previous report. • The server can respond in several ways: • Just acknowledge the data (okn response) • Send a configuration file to the bot (okc response)
Torpig Phishing Attacks • Besides its normal monitoring of the victim, Torpig uses phishing attacks to obtain sensitive information. • Whenever the victim visits one of the domains specified in Torpig's configuration file (typically a banking web site), Torpig issues a request to an injection server. • The server's response specifies a page on the target domain where the attack should be triggered, a URL on the injection server that contains the phishing content, and a number of parameters to fine-tune the attack. • These attacks are very difficult to detect: Torpig reproduces the style and look-and-feel of the target web site, and because the content is injected into the legitimate page it defeats the phishing indicators built into modern browsers (the URL and the SSL indicators are those of the real site). • Because the bot does not check the validity of the injection server's certificate, it is possible to mount a man-in-the-middle attack and recover the data exchanged with the injection server. • In general, despite relying on a very complex infrastructure to infect machines, Torpig does not guarantee basic security properties such as confidentiality, integrity and authenticity of its own communication, which leaves it vulnerable to takeover, as indeed happened.
Domain Flux • A bot-to-C&C communication scheme. • Each bot periodically generates a list of domains using a domain generation algorithm (DGA). • The list is computed independently by each bot and is regenerated periodically. • The bot contacts the domains in the list one after another; the first host that replies identifying itself as a valid C&C server is considered genuine, until the next generation period. • The generated domains act as "rendezvous points" between the bots and the botmaster. • By reverse engineering the domain generation algorithm, it is possible to pre-register domains that the bots will contact at some future point, redirecting control from the botmaster to whoever registered them.
Domain Flux in Torpig • In Torpig, the DGA is seeded with the current date and a numerical parameter. • The algorithm first computes a weekly domain, and the malware attempts to connect to it under different TLDs; if all fail, it computes a daily domain, which depends on the day as well. If these fail too, the bot falls back to hardcoded addresses. • Everything is done deterministically. • Domain flux protects the botnet against takedown of its C&C domains: taking down all the domain names the bots will ever generate is economically infeasible. • On the other hand, it exposes the botnet to hijacking by anyone who can run the algorithm ahead of time.
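The two slides above describe the structure of Torpig's DGA and why it cuts both ways. The following is an added example, written for this page and not reproducing Torpig's actual algorithm: the name derivation (a SHA-256 of the seed mapped to letters), the TLD order, the 8-letter length and the fallback addresses are all assumptions, while the shape follows the slides, a date plus a numerical parameter giving a weekly name tried on every TLD, then a daily name, then hardcoded addresses. The bot side (`rendezvous`) and the defender side (`domains_to_register`) share the same deterministic function, which is exactly what makes pre-registration possible.

```python
import hashlib
from datetime import date, timedelta

TLDS = ["com", "net", "biz"]                            # assumed order in which TLDs are tried
HARDCODED_FALLBACK = ["198.51.100.10", "203.0.113.20"]  # assumed; RFC 5737 documentation addresses
BOT_PARAM = 7                                           # the "numerical parameter" of the seed


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def _name_from_seed(seed: str, length: int = 8) -> str:
    # Deterministic letters from a hash of the seed (assumed; Torpig's real derivation differs).
    digest = hashlib.sha256(seed.encode()).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])


def weekly_domain(day, param: int = BOT_PARAM) -> str:
    iso_year, iso_week, _ = _as_date(day).isocalendar()
    return _name_from_seed(f"w:{iso_year}:{iso_week}:{param}")


def daily_domain(day, param: int = BOT_PARAM) -> str:
    return _name_from_seed(f"d:{_as_date(day).isoformat()}:{param}")


def candidate_list(day, param: int = BOT_PARAM) -> list:
    """Ordered list a bot tries on `day`: weekly name on every TLD, then daily, then fallback."""
    names = []
    for base in (weekly_domain(day, param), daily_domain(day, param)):
        names += [f"{base}.{tld}" for tld in TLDS]
    return names + HARDCODED_FALLBACK


def rendezvous(day, is_live, param: int = BOT_PARAM):
    """Bot side: the first candidate that answers as a C&C is trusted until the next period."""
    for host in candidate_list(day, param):
        if is_live(host):
            return host
    return None


def domains_to_register(start, days: int, param: int = BOT_PARAM) -> list:
    """Defender side: every generated domain the bots will try from `start` for `days` days."""
    first = _as_date(start)
    wanted = []
    for i in range(days):
        for host in candidate_list(first + timedelta(days=i), param):
            if host not in HARDCODED_FALLBACK and host not in wanted:
                wanted.append(host)
    return wanted


if __name__ == "__main__":
    registered = set(domains_to_register("2009-01-25", 21))
    print(len(registered), "domains to register for three weeks")
    # Every bot in that window now meets the defender at its first candidate, the weekly .com name.
    print(rendezvous("2009-01-28", lambda h: h in registered))
```

Note what the defender has to own: because the bot stops at the first responding candidate, registering only the weekly `.com` name is enough to capture every bot whose clock is in the right week, which is why the researchers registered both `.com` and `.net` with two registrars, to survive the suspension of one. A bot with a wrong clock computes a different week and shows up early, as the 359 early machines on the preparation slide did.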
Taking Control of the Botnet: Preparation • The takeover lasted from January 25th to February 4th, 2009 (domains were registered for 3 weeks, but a Mebroot binary update ended the takeover prematurely). • Hosting was purchased from two different providers known to be unresponsive to abuse complaints, and the (still unregistered) .com and .net domains were registered with two different registrars, in case one domain was suspended. • An Apache web server was set up on the machines and prepared to log the bot requests and record all network traffic. • The bots were expected to connect on January 25th, but a week earlier 359 infected machines had already made requests, probably because of wrong clock settings.
Botnet Control Principles • The researchers operated the botnet under the following principles: • The sinkholed botnet should be operated so that any harm and/or damage to victims and to the targets of attacks is minimized. • This was ensured by always sending an okn message (acknowledge only) to connecting bots. • The sinkholed botnet should collect enough information to enable notification and remediation of affected parties. • Data were stored, and the team worked in collaboration with the United States Department of Defense and FBI cybercrime units.
Data Collection and Format • A total of 8.7 GB of Apache log files and 69 GB of pcap data was collected. The information retrieved is of remarkable value. • Bots communicate with the Torpig C&C via HTTP POST requests. The URL contains a hex representation of the bot id and a submission header. • The body of the request contains the data stolen from the victim's machine, if any. • Both header and body are encrypted with the Torpig encryption algorithm (base64 and XOR). The bot id is used as the symmetric key, so anyone who sees the URL can decrypt the submission. • The submission header consists of a number of key-value pairs with basic information about the bot: the configuration file update timestamp, the IP address of the bot (or a list of addresses for a multi-homed machine), the port numbers of the HTTP and SOCKS proxies, the OS version and locale, the bot id, and the build and version number of Torpig.
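Putting the two sides of the exchange together (the bot's 20-minute report from the Torpig Behavior slide and the request format described above), the following is an added example, not code from the paper or from this presentation. It models the obfuscation as repeating-key XOR with the bot id followed by URL-safe base64, and the URL layout as `/A/<bot id hex>/<obfuscated header>`; both are assumptions about details the slides do not give. The field names `nid` and `bld` appear on later slides, the other header names (`ts`, `ip`, `hport`, `sport`, `os`, `cn`, `ver`) and all values are constructed. The sinkhole handler answers `okn` only, as the control principles slide requires, and derives the NAT check used on the Botnet Size slides from the difference between the address the bot reports and the address it connects from.

```python
import base64


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plain: bytes, bot_id: str) -> str:
    return base64.urlsafe_b64encode(xor_bytes(plain, bot_id.encode())).decode()


def deobfuscate(blob: str, bot_id: str) -> bytes:
    return xor_bytes(base64.urlsafe_b64decode(blob), bot_id.encode())


def build_submission(bot_id: str, header: dict, stolen: bytes) -> tuple:
    """Bot side: returns (URL path, POST body). Assumed layout: /A/<bot id>/<obfuscated header>."""
    plain = "&".join(f"{k}={v}" for k, v in header.items()).encode()
    path = f"/A/{bot_id}/{obfuscate(plain, bot_id)}"
    body = obfuscate(stolen, bot_id) if stolen else ""
    return path, body


def parse_header(plain: bytes) -> dict:
    fields = {}
    for pair in plain.decode().split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    return fields


def handle_submission(path: str, body: str, peer_ip: str) -> tuple:
    """Sinkhole side: decode one POST and answer 'okn' (acknowledge only, never a config file)."""
    _, _, bot_id, blob = path.split("/", 3)        # the "key" travels in the URL itself
    header = parse_header(deobfuscate(blob, bot_id))
    stolen = deobfuscate(body, bot_id) if body else b""
    record = {
        "nid": header.get("nid"),
        "bld": header.get("bld"),
        "ver": header.get("ver"),
        "os": header.get("os"),
        "proxy_ports": (header.get("hport"), header.get("sport")),
        "reported_ip": header.get("ip"),
        "peer_ip": peer_ip,
        # A bot whose self-reported address differs from the connection's source is behind NAT.
        "behind_nat": header.get("ip") != peer_ip,
        "stolen_bytes": len(stolen),
    }
    return record, "okn"


# Constructed sample submission; values are made up.
SAMPLE_BOT_ID = "8f2a1c04bb"
SAMPLE_HEADER = {"ts": "1232870400", "ip": "10.0.0.23", "hport": "8080", "sport": "1080",
                 "os": "5.1.2600", "cn": "en-us", "nid": SAMPLE_BOT_ID, "bld": "gnh5", "ver": "234"}
SAMPLE_STOLEN = b"form:https://bank.example/login user=alice pass=hunter2"

if __name__ == "__main__":
    path, body = build_submission(SAMPLE_BOT_ID, SAMPLE_HEADER, SAMPLE_STOLEN)
    record, reply = handle_submission(path, body, "192.0.2.77")
    print(reply, record)
```

The design point is in `handle_submission`: the server never needs a secret of its own, because the key is the bot id sent in clear in the URL. That is the "no confidentiality" property the phishing slide mentions, and it is what let a sinkhole that knew nothing but the URL format read every submission.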
Botnet Size (1/2) • The paper relies on 2 definitions: • The botnet's footprint, the aggregate total number of machines that have been compromised over time. • The botnet's live population, the number of compromised hosts that are simultaneously communicating with the C&C server. • Various approaches have been tried to estimate the size of a botnet, such as counting IRC nicknames or crawling DHT tables (P2P), mostly with limited success. • For Torpig, the estimates are based on counting distinct values of the nid header field. • This gives 182,800 bots (705 new bots per hour). • 75% of the bots contacted the server within the first 48 hours. • In 10 days, 1,247,642 unique IP addresses contacted the sinkhole (4,690 new per hour), almost 7 times the footprint. • The median and average size of the live population of the Torpig botnet were 49,272 and 48,532 machines. • Per hour, the number of unique bot ids was only 1.3% lower than the number of unique IP addresses, so the hourly IP count is a good estimate of the live population, while over the whole period IP addresses heavily overcount the footprint.
Botnet Size (2/2) • By examining the headers (the IP address reported by the bot versus the source address of the connection), it was found that 144,236 (78.9%) bots were behind a NAT. • 49,294 new infections occurred in those 10 days, peaking on the 25th and 27th of January. • After removing machines that were not actual bots, the botnet's footprint for those 10 days was 182,914 nodes.
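The footprint and live population defined on the two slides above are easy to get wrong when a sinkhole log is counted by IP address. As an added example, not part of the paper or the presentation, the following computes both from a constructed log of (time, nid, peer IP) records; the seven records are made up to show the two effects the slides describe, one bot reporting from two addresses after a DHCP change and two bots sharing one address behind a NAT.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

T0 = datetime(2009, 1, 25, 0, 0)
H = timedelta(hours=1)
M = timedelta(minutes=1)

# Constructed records as a sinkhole log would yield them: (time, nid, peer ip).
RECORDS = [
    (T0,          "n1", "192.0.2.1"),
    (T0,          "n2", "192.0.2.2"),
    (T0 + 20 * M, "n1", "192.0.2.1"),   # same bot, its next 20-minute report
    (T0 + 1 * H,  "n1", "192.0.2.9"),   # n1 again, after a DHCP lease change
    (T0 + 1 * H,  "n3", "192.0.2.3"),
    (T0 + 1 * H,  "n4", "192.0.2.3"),   # n3 and n4 share one address (NAT)
    (T0 + 2 * H,  "n2", "192.0.2.5"),   # n2 from a new address
]


def _hour(t: datetime) -> datetime:
    return t.replace(minute=0, second=0, microsecond=0)


def footprint(records) -> int:
    """Distinct bot ids over the whole period."""
    return len({nid for _, nid, _ in records})


def unique_ips(records) -> int:
    """The naive footprint estimate; inflated by address churn, deflated by NAT."""
    return len({ip for _, _, ip in records})


def hourly_population(records) -> dict:
    """Per hour: (distinct bot ids, distinct IPs). The first is the live population."""
    nids, ips = defaultdict(set), defaultdict(set)
    for t, nid, ip in records:
        nids[_hour(t)].add(nid)
        ips[_hour(t)].add(ip)
    return {h: (len(nids[h]), len(ips[h])) for h in sorted(nids)}


def live_population_stats(records) -> tuple:
    """(median, mean) of the hourly live population, as reported on the slides."""
    counts = [n for n, _ in hourly_population(records).values()]
    return statistics.median(counts), statistics.mean(counts)


def first_seen(records) -> dict:
    """Hour in which each nid first reported."""
    seen = {}
    for t, nid, _ in sorted(records):
        seen.setdefault(nid, _hour(t))
    return seen


def new_infections_per_hour(records) -> Counter:
    return Counter(first_seen(records).values())


if __name__ == "__main__":
    print("footprint:", footprint(RECORDS), " unique IPs:", unique_ips(RECORDS))
    for hour, (bots, ips) in hourly_population(RECORDS).items():
        print(hour, "live:", bots, "ips:", ips)
    print("median/mean live population:", live_population_stats(RECORDS))
```

Within a single hour the two counts stay close (here 2 vs 2, 3 vs 2, 1 vs 1), which is the 1.3% gap the slides report; over the whole period the IP count (5) already exceeds the footprint (4) in this tiny log, the effect that produced 1.2 million addresses for 182,800 bots.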
Botnet as a Service • Considering the build header field (bld) and the variation of its values, the botnet might be offered as a service, providing stolen information to a variety of customers. • During the study, 12 different values of the bld parameter were observed: • dxtrbc, eagle, gnh1, gnh2, gnh3, gnh4, gnh5, grey, grobin, grobin1, mentat, and zipp. Not all builds contribute equally to the amount of data stolen. • The most active builds are dxtrbc (5,432,528 submissions), gnh5 (2,836,198), and mentat (1,582,547).
Financial Data Stolen • The typical Torpig configuration file lists roughly 300 domains belonging to banks and other financial institutions that are targets of the "man-in-the-browser" phishing attacks. • The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217). • 1,660 unique credit and debit card numbers were extracted in 10 days. • Visa (1,056), MasterCard (447), American Express (81), Maestro (36), Discover (24). • 86% of the victims had a single credit/debit card number stolen. • 38% of the credentials stolen by Torpig were obtained from the password manager of browsers, rather than by intercepting an actual login session.
Other Uses of the Botnet • Judging by the proxy ports each machine reports in its submission header, the bots can be used as HTTP and SOCKS proxies. • The Torpig botnet is so big that it could be used to launch a massive Denial-of-Service attack against a specific target.
Passwords Stolen • Torpig stole 297,962 unique credentials, sent by 52,540 different Torpig-infected machines, in the period of 10 days. • 28% of the victims reused their credentials to access 368,501 web sites. • The strength of the 173,686 passwords was tested with a password cracker. • 56,000 of them were recovered in less than 65 minutes using simple replacement rules. • Another 14,000 were recovered in the next 10 minutes using a larger wordlist. • 30,000 more passwords were recovered in the next 24 hours using brute force (the cracker's "incremental" mode).
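The three phases on the slide above (replacement rules over a wordlist, a larger wordlist, then incremental brute force) are a standard cracking progression. As an added example, not taken from the paper or this presentation, the following reproduces that measurement in miniature: the stolen plaintexts are hashed (SHA-1 here, an assumption) and the phases are run against the hashes, counting what each recovers. The wordlist, the rules and the five sample passwords are constructed for the example; the paper's actual cracker configuration and word lists are not reproduced.

```python
import hashlib
import itertools
import string

WORDLIST = ["password", "letmein", "dragon", "monkey", "torpig"]   # constructed, tiny
LEET = str.maketrans("aeios", "43105")


def mangle(word: str):
    """Simple replacement rules: case variants, leet substitution, common suffixes."""
    bases = [word, word.capitalize(), word.upper(), word.translate(LEET)]
    for base in dict.fromkeys(bases):            # keep order, drop duplicates
        yield base
        for suffix in ("1", "123", "!", "2009"):
            yield base + suffix


def incremental(alphabet: str, max_len: int):
    """Exhaustive search in order of length, the equivalent of a cracker's incremental mode."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack(targets: set, candidates) -> dict:
    """Hash each candidate and collect matches, stopping once every target is recovered."""
    found = {}
    for cand in candidates:
        h = hashlib.sha1(cand.encode()).hexdigest()
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found


def strength_report(passwords: list) -> dict:
    """Hash the plaintexts, run rules then incremental, and count what each phase recovers."""
    targets = {hashlib.sha1(p.encode()).hexdigest() for p in passwords}
    by_rules = crack(targets, (m for w in WORDLIST for m in mangle(w)))
    remaining = targets - set(by_rules)
    # Length 3 over [a-z0-9] keeps the example fast; real runs go much further.
    by_brute = crack(remaining, incremental(string.ascii_lowercase + string.digits, 3))
    return {"total": len(targets), "rules": len(by_rules),
            "incremental": len(by_brute), "uncracked": len(remaining) - len(by_brute)}


# Constructed victim passwords: three fall to rules, one to brute force, one survives.
SAMPLE_PASSWORDS = ["password1", "dr4g0n", "MONKEY!", "zq7", "Xy9!Qw#L"]

if __name__ == "__main__":
    print(strength_report(SAMPLE_PASSWORDS))
```

The ordering matters for the numbers a report like the slide's gives: rules are cheap and are run first, so the 56,000 "rules" passwords are the weakest, and the 30,000 recovered by incremental mode in 24 hours are only those the earlier phases missed; a password that falls in phase one is never counted again in phase three.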
Related Work • Research done on: • Mebroot and Torpig, focusing on the MBR infection. • Domain flux, as used by other bot families such as Kraken/Bobax, Srizbi and Conficker. • Kanich et al., who infiltrated the Storm P2P botnet. • Many studies on estimating the size of a botnet using DHT ids and IP pairs. • Holz et al. on financial data stealing.
Summary • This paper is about taking control of a large-scale botnet, the Torpig botnet. • The Torpig botnet is interesting for the variety of data it steals and for the ability to identify individual bot infections. • The research team took control of the botnet for 10 days, collected about 70 GB of valuable data and examined the botnet from many perspectives and roles.