Your Botnet is My Botnet: Analysis of a Botnet Takeover
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Presented by Ryan Genato
Overview
• Introduction to Botnets, Torpig
• Domain Flux and “Your Botnet is My Botnet”
• Analysis of Torpig Network
• What Do You Do With 70,000 Computers?
• Conclusions and Future Work
Introduction – Terminology
• Bot – An application that performs some action or set of actions on behalf of a remote controller
• Botnet – A network of infected machines controlled by a malicious entity
• Command and Control (C&C) Channel – Used to send commands to bots and to obtain results and status messages
Introduction – Mebroot
• Rootkit distributed by the Neosploit exploit kit
• Spread via drive-by downloads: a hidden iframe on a website executes obfuscated JavaScript to download Mebroot onto the victim’s machine
• Mebroot overwrites the master boot record of the machine, circumventing most anti-virus tools (back then)
Introduction – Torpig
• Once Mebroot has taken hold, it loads the Torpig modules from the Mebroot C&C server
• Torpig contacts its own C&C server for updates and to send victim information
Introduction – Torpig
• What kind of information does Torpig record?
• Monitoring popular applications
• “Man-in-the-browser” attacks
Introduction – Domain Flux
• Correspondence with the C&C server is achieved through domain flux – using a domain generation algorithm (DGA) to “rotate” through rendezvous points
• Advantages:
  • No single point of failure (fast flux)
  • Robustness
• Disadvantages:
  • Deterministic (this implementation)
  • If someone can reverse engineer your DGA, they can anticipate future domain addresses…
Your Botnet Is My Botnet
• And that’s exactly what they did!
• Reverse engineering the DGA yielded a three-week span of unregistered domains
• Buy the domains, act as the C&C center, hijack the entire botnet (sinkholing)
• Contrast with passive analysis and previous active analysis attempts
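The two slides above describe the property that made the takeover possible: the DGA is a deterministic function of the date, so whoever recovers the algorithm can compute the rendezvous domains before the bots do. The following added example (not code from the paper or the talk, and not Torpig's real algorithm; the hashing scheme, the TLD list, the eight-letter labels and the resolver log format are all constructed for illustration) shows the defender's side of that: precompute the domains for an upcoming window, pick out the ones nobody has registered yet as sinkhole candidates, and use the same precomputed list to flag internal hosts whose DNS queries hit it.

```python
import hashlib
from datetime import date, timedelta
from typing import Iterable, List, Set, Tuple

# Constructed, illustrative DGA. It is NOT Torpig's real algorithm; it only
# reproduces the property the slides describe: the domain list depends on
# nothing but the calendar week, so every bot (and anyone who has reversed
# the algorithm) computes the same list.
TLDS = ("com", "net", "biz")   # assumption for the example
LABEL_LEN = 8                  # assumption for the example


def _as_date(day) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def weekly_seed(day) -> str:
    """Seed changes once per ISO week, so all bots agree on the same list."""
    iso_year, iso_week, _ = _as_date(day).isocalendar()
    return f"{iso_year}-{iso_week:02d}"


def generate_domains(day) -> List[str]:
    """Rendezvous domains a bot would try during the week containing `day`."""
    seed = weekly_seed(day)
    domains = []
    for index, tld in enumerate(TLDS):
        digest = hashlib.sha256(f"{seed}:{index}".encode()).hexdigest()
        # Map pairs of hex digits onto lowercase letters to form the label.
        label = "".join(
            chr(ord("a") + int(digest[2 * j:2 * j + 2], 16) % 26)
            for j in range(LABEL_LEN)
        )
        domains.append(f"{label}.{tld}")
    return domains


def precompute_window(start, weeks: int) -> Set[str]:
    """Defender view: every domain the bots will use over the next `weeks`."""
    first = _as_date(start)
    names: Set[str] = set()
    for w in range(weeks):
        names.update(generate_domains(first + timedelta(weeks=w)))
    return names


def sinkhole_candidates(window: Set[str], already_registered: Iterable[str]) -> List[str]:
    """Future rendezvous domains nobody holds yet: the ones a sinkhole
    operator would need to register before the botnet reaches them."""
    taken = set(already_registered)
    return sorted(d for d in window if d not in taken)


def flag_dns_queries(log_lines: Iterable[str], window: Set[str]) -> List[Tuple[str, str]]:
    """Match resolver log lines of the constructed form
    '<timestamp> <client_ip> <qtype> <qname>' against the precomputed window.
    Returns (client_ip, qname) for each hit, i.e. a likely infected host."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:          # skip malformed lines rather than crash
            continue
        _, client_ip, _, qname = parts
        if qname.lower().rstrip(".") in window:
            hits.append((client_ip, qname))
    return hits


if __name__ == "__main__":
    window = precompute_window("2009-01-26", weeks=3)
    ordered = sorted(window)
    print("next three weeks:", ordered)
    # Pretend the first name is already taken; the rest are sinkhole candidates.
    print("to register:", sinkhole_candidates(window, already_registered=[ordered[0]]))
    # Constructed resolver log: the second line queries one of the window's names.
    sample_log = [
        "2009-01-27T09:00:00 10.0.0.5 A www.example.org",
        f"2009-01-27T09:00:02 10.0.0.5 A {ordered[0]}.",
    ]
    print("suspicious:", flag_dns_queries(sample_log, window))
```

The seed is the ISO week, so the two checks a practitioner cares about fall out directly: any two days in the same week produce the same list, and the window for three weeks is simply the union of three weekly lists. Feeding that set to a resolver blocklist or a SIEM match rule turns the same determinism the attackers rely on into a detection signal.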
Gathering Data
• The C&C center hijack lasted for ten days
• What happened to the three weeks of domains?
• A couple of numbers:
  • Observed a total of 182,800 peers on the Torpig botnet, 70,000 at peak activity
  • Recorded 1,247,642 unique IP addresses
  • Logged 8,310 accounts from 410 institutions
  • 1,660 credit cards
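The gap between 182,800 peers and 1,247,642 unique IP addresses on the slide above is the reason sinkhole data is counted by a per-host bot identifier rather than by IP: DHCP churn makes one bot show up under many addresses, while NAT hides several bots behind one. The added example below (not the paper's code or data; the log format and the `nid=` field are constructed stand-ins for the per-host identifier a bot reports) summarises a small sinkhole log both ways and computes the hourly peak of distinct bots.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, Set, Tuple

# Constructed sinkhole log (not data from the paper). Each line is one bot
# check-in: timestamp, source IP, and a per-host identifier. Bot A1 shows up
# from three addresses (DHCP churn) and 203.0.113.10 carries two bots (NAT).
SINKHOLE_LOG = """\
2009-01-26T10:00:01 203.0.113.10 nid=A1
2009-01-26T10:05:00 203.0.113.10 nid=B2
2009-01-26T11:00:00 198.51.100.7 nid=A1
2009-01-26T11:30:00 198.51.100.8 nid=A1
2009-01-26T11:45:00 198.51.100.9 nid=C3
2009-01-26T12:00:00 192.0.2.44 nid=B2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) nid=(?P<nid>\w+)$"
)


def parse_checkins(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (timestamp, ip, nid) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("nid")


def ips_per_bot(text: str) -> Dict[str, Set[str]]:
    """Which source addresses each bot identifier was seen from."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, nid in parse_checkins(text):
        seen[nid].add(ip)
    return dict(seen)


def summarize(text: str) -> Dict[str, float]:
    """Count the population by bot id and by IP, plus the busiest hour."""
    nids: Set[str] = set()
    ips: Set[str] = set()
    active_per_hour: Dict[str, Set[str]] = defaultdict(set)
    for ts, ip, nid in parse_checkins(text):
        nids.add(nid)
        ips.add(ip)
        active_per_hour[ts[:13]].add(nid)   # bucket key: 'YYYY-MM-DDTHH'
    peak = max((len(s) for s in active_per_hour.values()), default=0)
    return {
        "unique_bots": len(nids),
        "unique_ips": len(ips),
        "hours_observed": len(active_per_hour),
        "peak_concurrent_bots": peak,
        # >1.0 means IP counting would overstate the botnet's size
        "ip_to_bot_ratio": round(len(ips) / len(nids), 2) if nids else 0.0,
    }


if __name__ == "__main__":
    for nid, addrs in sorted(ips_per_bot(SINKHOLE_LOG).items()):
        print(nid, sorted(addrs))
    print(summarize(SINKHOLE_LOG))
```

On the constructed log the IP count (5) is nearly twice the bot count (3), the same direction as the ratio on the slide, and the hourly peak (2) is the figure that corresponds to "at peak activity" rather than the total population.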
Data Analysis + Handling
• 173,686 unique passwords recorded, 40% cracked in less than 75 minutes
• 28% of users exhibited password reuse
• Working with the FBI and National Cyber-Forensics to repatriate the stolen information
• Need a reputable organization to work things out
What Do You Do With 70,000 Computers?
• Take down the government!
• 70,000 users, average 435 kbps (in 2008) = 17 Gbps
• 5,635 users to take down fbi.gov and justice.gov
• 10 Gbps to take down Wikileaks
• Distributed password cracking
Conclusions and Future Work
• Victims of botnets pick easy-to-crack passwords
• Better user education, higher password standards
• Botnets operating with an HTTP C&C center can be hijacked for periods of time
• There is no “off” switch
• Improved domain generation algorithms (e.g., seeded from top Twitter trends)
Works Referenced
• Chen, Adrian. "The Evil New Tactic Behind Anonymous' Massive Megaupload Revenge Attack." Gawker. N.p., 19 Jan. 2012. Web. 23 Jan. 2012.
• Greulich, Andreas. "Torpig/Mebroot Reverse Code Engineering." N.p., 18 Apr. 2009. Web. 23 Jan. 2012.
• Howard, Rick. Cyber Fraud: Tactics, Techniques and Procedures. N.p.: Auerbach Publications, 2009.
• Kemmerer, Richard A. "How to Steal a Botnet and What Can Happen When You Do." YouTube. N.p., n.d. Web. 23 Jan. 2012. <http://www.youtube.com/watch?v=2GdqoQJa6r4>.
• Richard, Matt, and Michael Ligh. "Making Fun of Your Malware." Defcon 17. N.p., n.d. Web. 23 Jan. 2012.
• Stone-Gross, Brett, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, and Martin Szydlowski. "Your Botnet is My Botnet: Analysis of a Botnet Takeover." Proceedings of the 16th ACM Conference on Computer and Communications Security. N.p.: ACM, 2009. 635-47.
• Vaughan-Nichols, Steven J. "DDoS: How to take down WikiLeaks, MasterCard or any other Web site." ZDNet. N.p., 9 Dec. 2010. Web. 23 Jan. 2012.