Analysis of a Botnet Takeover

Presentation Transcript


  1. Analysis of a Botnet Takeover. Rilinda LAMLLARI, IMSE student - 729

  2. Agenda
     • Take control of the Torpig botnet
     • Show that it is possible (with reasonable accuracy) to identify bot infections
     • Domain flux
     • Data collection formats
     • Threats and data analysis

  3. What is a botnet?
     • Networks of malware-infected machines (trojan horses) that are centrally controlled by an adversary.
     [Figure: bots connected to C&C servers over stripped-down IRC or HTTP channels]

  4. Why Torpig?
     • Sophisticated techniques to steal data
     • Complex network infrastructure
     • Financial damage it causes

  5. What kind of existing approaches are used to analyze botnets?
     • Passive analysis of secondary effects: spam emails, DNS queries, DNS blacklist queries, netflow data, etc.
     • Infiltration: a more active approach. Researchers join the botnet to perform analysis from the inside.
     • Monitor the commands between the bot and the C&C server
     • Active crawling in P2P networks (but many botnets rely mostly on centralized IRC and HTTP C&C infrastructure)

  6. New approach: hijack the entire botnet
     To overcome the limitations of the first two approaches => gain control of the C&C channel
     • Law enforcement agencies
     • Tamper with the DNS to point to a machine controlled by the defender

  7. How did they take over Torpig?
     • Domain flux: each bot generates a list of domains that it contacts (C&C servers).
     • They registered domains produced by the domain generation algorithm
     • Used Torpig’s C&C protocol to send responses back

  8. Torpig network infrastructure

  9. Mebroot C&C server
     3 modules downloaded (one is the Torpig malware). Basically DLLs injected into different applications:
     • Service control manager, File Manager
     • Web browsers
     • FTP clients
     • Email clients
     • Instant messengers
     • Command line (cmd.exe)

  10. Torpig C&C server
     • Torpig contacts (over HTTP) the Torpig C&C server, sending the stolen data.
     • The Torpig C&C server can reply with:
       • An OKN response
       • A configuration file (how often the bot should contact the server; set of hard-coded servers; set of parameters to perform “man-in-the-browser” phishing attacks)

  11. Man-in-the-browser

  12. Domain Generation Algorithm - DGA
     • Computed by each bot and regenerated regularly.
     • First compute names based on the week and year (not on the current date), i.e. dw
     • Append TLDs like .com, .net, .biz
     • If connection to all three fails, then compute a name based on the day
     • Last resort: hard-coded domain names (rikora.com, pinakola.com and flippibi.com)

  13. Sinkholing preparation
     • Botmasters didn’t register in advance all the weekly domains.
     • Bought domain names from two different service providers (.com and .net domains)
     • Apache web server to log bot requests

  14. Data Collection and Format
     • HTTP POST request containing the bot identifier and a submission header. The body contains the stolen data, if any.
     • Body and header are sent encrypted; the identifier is sent in clear text.
     • The submission header contains key-value pairs:
       • ts: timestamp when the config file was last updated
       • ip: IP address or list of IP addresses
       • hport, sport, os, bld, ver

  15. Example of sent data items
     POST /A15078D49EBA4C4E/qxoT4B5uUFFqw6c35AKDYFpdZHdKLCNn...AaVpJGoSZG1at6E0AaCxQg6nIGA
     ts=1232724990&ip=192.168.0.1:&sport=8109&hport=8108&os=5.1.2600&cn=United%20States&nid=A15078D49EBA4C4E&bld=gnh5&ver=229

  16. Botnet size: a hotly contested topic
     • Botnet’s footprint: total number of infected machines over time
     • Live population: number of machines communicating simultaneously with the C&C server
     • Torpig C&C architecture provides the advantage of centrally observing the infected machines
     • Passive monitoring, not polluting the network
     • Torpig generates and transmits unique and persistent IDs -> good identifiers

  17. Counting botnet size
     nid: 8-byte (mostly unique) identifier
     • Value computed by a hash function taking hard disk information as input
     • If not available: concatenate 0xBAD1D222 with the Windows volume serial number.
     • They expected that the os, cn, bld, ver submission header fields would be the same for the same nid, but this didn’t hold.
     (nid, os, cn, bld, ver) used as the unique identifier; result: 182,914 machines

  18. Botnet size vs IP count
     [Figure: new Torpig bots per hour vs new IP addresses per hour: 4690 new IP addresses/hour, 750 new bots/hour]
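The counting rules from slides 15, 17 and 18 worked through on sinkhole log lines, as an added example that is not part of the original presentation or the paper's tooling. It parses the submission header of each logged request, then counts the population three ways: by nid alone, by the (nid, os, cn, bld, ver) tuple the analysis settled on, and by IP address, so the over-count from DHCP churn and the split caused by a changing os field both become visible. The first log line is the page's own example; the other three lines, the second nid and the IP addresses are constructed, and treating ':' as the separator of the ip list is an assumption.

```python
from urllib.parse import parse_qs

# Constructed sample of Torpig-style submissions, one per line: the request path
# carries the bot identifier (nid) and the encrypted body (elided as "..."),
# followed by the submission header as key=value pairs. Line 1 is the page's own
# example; lines 2-4 are constructed to exercise the counting edge cases.
SAMPLE_LOG = """\
POST /A15078D49EBA4C4E/qxoT4B5uUFFqw6c35AKDYFpdZHdKLCNn...AaVpJGoSZG1at6E0AaCxQg6nIGA ts=1232724990&ip=192.168.0.1:&sport=8109&hport=8108&os=5.1.2600&cn=United%20States&nid=A15078D49EBA4C4E&bld=gnh5&ver=229
POST /A15078D49EBA4C4E/...blob1 ts=1232724990&ip=192.168.0.77:&sport=8109&hport=8108&os=5.1.2600&cn=United%20States&nid=A15078D49EBA4C4E&bld=gnh5&ver=229
POST /0011223344556677/...blob2 ts=1232725000&ip=10.0.0.5:&sport=8109&hport=8108&os=5.1.2600&cn=Germany&nid=0011223344556677&bld=eagle&ver=229
POST /0011223344556677/...blob3 ts=1232725100&ip=10.0.0.5:&sport=8109&hport=8108&os=6.0.6000&cn=Germany&nid=0011223344556677&bld=eagle&ver=229
"""

# Header fields that together serve as the machine identifier (slide 17).
ID_FIELDS = ("nid", "os", "cn", "bld", "ver")


def parse_submission(line):
    """Parse one logged request into a dict of header fields; None if malformed."""
    parts = line.split(None, 2)
    if len(parts) != 3 or parts[0] != "POST":
        return None
    path, header = parts[1], parts[2]
    fields = {k: v[0] for k, v in parse_qs(header, keep_blank_values=True).items()}
    # The clear-text nid in the path must match the nid in the header; drop the
    # record otherwise, since the identifier is what every count hangs on.
    segs = path.split("/", 2)
    path_nid = segs[1] if len(segs) == 3 else None
    if not path_nid or fields.get("nid") != path_nid:
        return None
    # The page's example ends the ip value with ':'; assumption: ':' separates a
    # list of addresses, and empty entries are ignored.
    fields["ips"] = [ip for ip in fields.get("ip", "").split(":") if ip]
    return fields


def count_bots(log_text):
    """Return the three population estimates compared on slides 17 and 18."""
    nids, tuples, ips = set(), set(), set()
    for line in log_text.splitlines():
        f = parse_submission(line)
        if f is None:
            continue
        nids.add(f["nid"])
        tuples.add(tuple(f.get(k, "") for k in ID_FIELDS))
        ips.update(f["ips"])
    return {"by_nid": len(nids), "by_id_tuple": len(tuples), "by_ip": len(ips)}


if __name__ == "__main__":
    print(count_bots(SAMPLE_LOG))  # {'by_nid': 2, 'by_id_tuple': 3, 'by_ip': 3}
```

In the sample, the first bot reports from two addresses (DHCP churn inflates the IP count) while the second bot's os field changes between submissions (which splits it into two tuples), so the IP-based and tuple-based counts both exceed the raw nid count.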

  19. Aggregate number of IP addresses increases linearly; 75% of all new Torpig bots appear during the first 48 hours

  20. Live population: an hourly count is the best measure

  21. DHCP churn and NAT effects
     • DHCP churn effect: a single host changed IP address 694 times in 10 days
     • NAT effect: 78.9% of infected machines were behind a NAT, VPN, proxy or firewall

  22. Botnet as a Service
     • Indications that different groups would be dividing (and profiting from) the data it steals.
     • Different bots with the same bld field (which is transmitted in all communications) have different behavior.
     • It might denote different customers
     • 12 bld values: dxtrbc, eagle, gnh1, gnh2, gnh3, gnh4, gnh5, grey, grobin, grobin1, mentat, and zipp.

  23. Financial Data Stealing
     • In the Torpig configuration file: 300 domains belonging to banks and other financial institutions
     • In ten days: they obtained credentials of 8,310 accounts at 410 different institutions.
     • Credit cards priced between $0.10–$25 and bank accounts from $10–$1,000.
     • Torpig controllers’ profit: between $83K and $8.3M

  24. Conclusion
     • Comprehensive analysis of the operations of the Torpig botnet: 180,000 infected machines + 70GB of data
     • The malware problem is a cultural problem
     • Internet users have to be educated to reduce the number of potential victims.

  25. Thank YOU!
