390 likes | 539 Views
Botcoin: Monetizing Stolen Cycles. UC San Diego and George Mason University Presented By: Amanda Watson CSCI 780: Advanced Network Security. Outline. Introduction Related Work Background Methodology Analysis Discussion Conclusion Epilogue. Bots.
E N D
Botcoin: Monetizing Stolen Cycles UC San Diego and George Mason University Presented By: Amanda Watson CSCI 780: Advanced Network Security
Outline • Introduction • Related Work • Background • Methodology • Analysis • Discussion • Conclusion • Epilogue
Bots • Send spam, commit click fraud, DOS attacks, steal user data • Botmaster: uses bots to extract value from the above actions • Botnet: compromised computers under the control of the botmaster • Demand for a bot determines the value • Security evolution depends on the demand
Bitcoin Mining • Repeatedly computing the SHA-256 cryptographic hash function over a large range of values • State-Space search • Can be conducted in parallel • Botmaster can add bitcoin mining to the current activities of his botnet without interfering with the others • Pro: Potentially lucrative depending on the number of bots • Con: Easier to detect than other activities
Outline • Introduction • Related Work • Background • Methodology • Analysis • Discussion • Conclusion • Epilogue
Related Work • Analysis of the transactions in the Bitcoin network • Measures activity • Tests the limits of anonymity • Analysis of the silk road (underground drug market) • Shutdown October 13, 2013 • Bitcoin mining can be “gamed” by an appropriately powerful adversary • Can disrupt the Bitcoin economy • Profitable malware • Pay-per-install, fake anti-virus, click fraud
Outline • Introduction • Related Work • Background • Methodology • Analysis • Discussion • Conclusion • Epilogue
Bitcoin • Proposed by Satoshi Nakamoto in 2008 • Not backed by any government • Purely a peer to peer virtual currency • Bitcoins are acquired through mining • Transactions are public through the blockchain • Public ledger maintained by a peer-to-peer network
Bitcoin • 1Bitcoin = $402.53
Bitcoin Mining • Miner receives valid transactions through the peer-to-peer network • Group them into blocks • set of transactions • header containing a hash of the previous block and a nonce • Compute a SHA-256 hash value of the block • If the value has the correct number of leading zeros • Miner passes it on to others to verify • Coinbase: pays transaction fees and the block reward • If the value does not have the correct number of leading zeros • Repeat the process
Pooled Mining • Combine the mining power of many individual miner and payout a small amount for work completed • Pool server manages pending transaction • Provides starting point to workers • Workers mine the blocks • Report results to the server
Botnet Mining • Use a existing or newly created botnet to mine for bitcoins • Direct Pool Mining • Distribute a mining executable with a wrapper script that specifies mining parameters • Generally banned for mining pools • Proxied Pool Mining • Proxy connections through a controlled server • Requires additional infrastructure • Dark Pool Mining • Botmaster maintains a pool server • Bots connect to his pool • Limited to the number of bots he controls
Outline • Introduction • Related Work • Background • Methodology • Analysis • Discussion • Conclusion • Epilogue
Methodology • Goals: • Identify mining malware • Identify size of infected population • Identify the value of the bitcoins extracted • Methodology • Identify Mining Malware • Extract Mining Credentials • Estimate Earnings • Estimate Infected Population • Identify Pool Proxies
Identifying Mining Malware • All mining malware uses the HTTP-based getwork protocol • Use this to identify mining malware with a network trace • To get the network traffic of various malware • Execute the binaries in a malware execution environment • Use data for public and private sandboxes that provides information and logs of the actions of the binaries • If the binary is requesting access to a bitcoin pool server, it is being used for bitcoin mining
Extracting Mining Credentials • Mining software is generally generic • Credentials are passed on command line • Extract the credentials: • Command-line arguments • Extract the credentials from the packaged binary • HTTP basic authentication • Extract credentials from a network trace • Command-and-control channel • Credentials are contained in a Dropbox or Pastebin file • Reverse engineer the malware and use memory snapshots from the de-obfuscated the payload • Pool operators • Public pool operators provide lists of user names and wallet addresses
Earnings • Mapping miners to wallet addresses • Contact the pool operators to ask for the information • Publicly visible pool statistics • Some pools provide public leaderboards • Blockchain analysis • All transactions are visible • Knowing the payout address allows estimates for a specific miner • Clustering wallet addresses • Botmasters may use different addresses for different campaigns • Addresses used as inputs to the same transaction will be controlled by the same user • This allows us to cluster addresses used by a single botmaster
Estimating Infected Population • Contact anti-virus software vendors to obtain mining malware data • Ei : estimated bot population • Ii : number of infections in country i per vender • Mi : number of machines in country i per vendor • Ti : number of machines in country i • This is the expected lower bound • Computers without antivirus for the vendors are not counted • Estimates are only for specific binaries
Identifying Pool Proxies • Cross-login test • Credentials can be hidden by an HTTP proxy • Create miner accounts in major mining pools • If the miner account can connect to the suspected bitcoin mining proxy, then it should be used for bitcoin mining • Passive DNS • The lifetime of a dark mining pool depends on the lifetime of the botnet • Use passive DNS data from the ISC Security Information Exchange • Block Reversal • A pool will provide the same coinbase across similar workers • This allows us to match possible bots to a pool • Leaked Data
Outline • Introduction • Related Work • Background • Methodology • Analysis • Discussion • Conclusion • Epilogue
DLoad.asia(Redem and Darksons) • Began mining in 2011 • Ended in November of 2012 • Earnings • Darksons : 2,403 BTC • Redem : over 10,000 BTC • Over 100,000 IP’s • Population - number of infections
ZeroAccess • 9,000,000 infected PC’s • Began December 2011 • Earnings : 400 BTC • Began mining through proxy servers, now a part of Eligus • Population - number of infections
BMControl • Began mining in September 2012 • Part of Eligus • Earnings • Adds 16,000 new bots per day • Average mining rate/ bot : 3.75MH/sec • Now mines for Litecoin • Population - number of infections
FeodalCash • Began mining in May 2013 • Part of Eligus • Earnings : 168 BTC • Population - 62,500 infections at its peak
Fareit Bots • Began mining April 9, 2013 • Used a pool proxy with the Black Hole exploit kit • Earnings : 265 BTC • Population - 12,500 infections
Zenica • Earnings • 312,000 or more active IP’s • 170 BTC in 3 months • Population • Prevalent in Southeast Asia • Vietnam and Thailand account for 70% of sampled infections
HitmanUK • Botmaster launched a DDoS attacked after the pool blacklisted the botnet • Paralyzed the pool • Prevented mining for a few hours • Pool operator then let the botmaster back in • Began in February 2013 • Earnings : 4 BTC • Adds 16,000 new bots per day • Average mining rate/ bot : 3.75MH/sec
Xfhp.ru Miner • Uses Zbot to download the Bitcoin mining plugin • Population • Southeast Asia • South America
Skype Miner • Used Skype and social engineering to distribute bot • Sent a compromised skype message • If the message was clicked then the victim would be taken to a webpage that downloaded an executable and attempted to install the Bitcoin mining malware • Began mining in July 2012 • Earnings : 250
Miscellaneous • There are many small mining operations
Outline • Introduction • Related Work • Background • Methodology • Analysis • Discussion • Conclusion • Epilogue
Mining Revenue • Depends on hashing and network difficulty • Daily Revenue: • MH – million SHA-256 computations • 8.22 x 10-12 MH/sec
Botnet Costs • Cost of acquiring bots • Cost associated with the monetization scheme • More information is needed for non-acquisition costs: • Infrastructure • Development • Day to day operation
Profitability • Varies based on exchange rates • 3 classes of profitability • Absolutely profitable: revenue exceeds cost for a botnet solely for mining • Marginally profitable: revenue exceeds additional cost for an established botnet adding mining • Unprofitable: mining does not cover additional costs • Bitcoin is expected to remain profitable for large botnets
Outline • Introduction • Related Work • Background • Methodology • Analysis • Discussion • Conclusion • Epilogue
Conclusion • It is possible to track the earning of botnets because Bitcoin transactions are public • Larger botnets have earned sizable amounts of Bitcoins and have been in operations for years • Most of these are found in geographic locations with lower costs of bots • Developed a method to trace mining pool malware even when proxy server are used to hide the pool
Outline • Introduction • Related Work • Background • Methodology • Analysis • Discussion • Conclusion • Epilogue
Litecoin • Decentralized virtual currency based on bitcoin • 1 litecoin = $4.19 • 4 times faster to produce a block when mining • Lessens the effect of specialized hardware