Botnets
Lorenzo Cavallaro
Information Security Group Royal Holloway, University of London
Botnets I

Bot
- Autonomous programs performing tasks
- More recent trend in malicious development

Benign bots
- The first bots were programs used for Internet Relay Chat (IRC)
- React to events in IRC channels
- Typically offer useful services

Early definition of bot: "An IRC user who is actually a program. On IRC, typically the robot provides some useful service. Examples are NickServ, which tries to prevent random users from adopting nicks already claimed by others."
Botnets II

History I
History II

Bots today
- Malware (backdoor, Trojan) running on compromised machines
- Incorporates different modules to carry out malicious tasks (spamming, DoS, ...)
- Remotely controlled by a criminal entity (called bot master or bot herder)

Botnets
- Main vehicle for carrying out criminal activities
- Financial motivation
Botnets
Creation
Drive-By Downloads I

Malicious scripts
- Injected into legitimate sites (e.g., via SQL injection)
- Hosted on malicious sites (URLs distributed via spam)
- Embedded into ads

Drive-by downloads
- Attacks against the web browser and/or vulnerable plug-ins
- Typically launched via client-side scripts (JavaScript, VBScript)

Redirection
- The landing page redirects to the malicious site (e.g., via an iframe)
- Makes management easier: exploits can be customized (e.g., per browser version) and each IP is served only once (a second visit from an analyst's machine gets nothing)
Drive-By Downloads II

Malicious JavaScript code
Typically obfuscated and hardened (to make analysis more difficult). In the fragment below (identifiers randomized by the obfuscator; elided parts shown as ...) the decryption key is built from the decoder's own source text plus the page URL, so the payload decodes only when the decoder is unmodified and loaded from the intended page:

```javascript
function X88MxUL0B(U1TaW1TwV, IyxC82Rbo) {
    var c5kJu150o = 4294967296;             // 2^32
    var s3KRUV5X6 = arguments.callee;       // the decoder function itself
    s3KRUV5X6 = s3KRUV5X6.toString();       // its own source text ...
    s3KRUV5X6 = s3KRUV5X6 + location.href;  // ... plus the page URL form the key
    var s4wL1Rf57 = eval;                   // eval aliased to a random name
    ...
    // LR8yTdO7t holds the decoded code
    try { s4wL1Rf57(LR8yTdO7t); } ...       // run the decoded second stage
}
X88MxUL0B(ACada193b99c...76d9A7d6D676279665F5f81);
```
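To see why that trick hurts an analyst, here is an added, constructed example that is not the decoder from the sample above (whose body is elided on the slide) and not code from the course: a toy decoder that uses the same self-check. The keystream (FNV-1a based), the page URL, the stage-2 marker and the "second stage" text are all assumptions; the sample's `arguments.callee.toString()` is replaced by a named function reference, which yields the same source text.

```javascript
// Added example, constructed for this page: NOT the decoder from the obfuscated
// sample (its body is elided there), only a toy with the same self-checking trick.
// Names, the keystream, the page URL and the "second stage" are all assumed.

const PAGE_URL = 'http://example.test/landing.html'; // stands in for location.href in a browser

// FNV-1a over a string, continuing from `state`
function fnv1a(state, str) {
  for (let i = 0; i < str.length; i++) {
    state ^= str.charCodeAt(i) & 0xff;
    state = Math.imul(state, 0x01000193) >>> 0;
  }
  return state;
}

// XOR bytes with a keystream derived from the whole key material. The material is
// absorbed completely first, so a change anywhere in it (one extra character in
// the decoder source, a different URL) changes every keystream byte.
function xorWithMaterial(bytes, material) {
  let h = fnv1a(0x811c9dc5, material);
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) {
    h = fnv1a(h, String.fromCharCode(i & 0xff)); // advance the state once per output byte
    out[i] = bytes[i] ^ (h >>> 24);              // top byte depends on the whole 32-bit state
  }
  return out;
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) => Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16));
const bytesOf = (str) => Uint8Array.from(str, (c) => c.charCodeAt(0) & 0xff);
const textOf = (bytes) => String.fromCharCode(...bytes);

const STAGE2_MARKER = '/*stage2*/'; // assumed: lets the decoder tell a good decode from garbage

// The decoder shipped to the victim. Its own source text is part of the key, just as
// arguments.callee.toString() + location.href is in the sample on the slide.
function decodeStage(payloadHex, href) {
  const material = decodeStage.toString() + href;
  const text = textOf(xorWithMaterial(fromHex(payloadHex), material));
  // The sample hands the result to an aliased eval(); here it is only returned.
  return text.startsWith(STAGE2_MARKER) ? text : null;
}

// The attacker's packer, run once: same key material, so the shipped decoder round-trips.
function packStage(source, href) {
  return toHex(xorWithMaterial(bytesOf(source), decodeStage.toString() + href));
}

// What an analyst who "just adds a print" to the decoder gets: the source text, and
// therefore the key, is different, so the payload decodes to garbage.
function decodeStagePatched(payloadHex, href) {
  const material = decodeStagePatched.toString() + href;
  const plain = xorWithMaterial(fromHex(payloadHex), material);
  console.log('decoded', plain.length, 'bytes'); // the analyst's debug line changes the key
  const text = textOf(plain);
  return text.startsWith(STAGE2_MARKER) ? text : null;
}

const STAGE2 = STAGE2_MARKER + ' var f = document.createElement("iframe");'; // constructed stand-in payload
const PAYLOAD = packStage(STAGE2, PAGE_URL);

function demo() {
  return {
    onIntendedPage: decodeStage(PAYLOAD, PAGE_URL),                          // the second stage
    onOtherPage:    decodeStage(PAYLOAD, 'http://sandbox.test/sample.html'), // null: wrong URL
    patchedDecoder: decodeStagePatched(PAYLOAD, PAGE_URL),                   // null: decoder modified
  };
}
```

The same property cuts the other way for the analyst: the sample looks `eval` up at run time (`var s4wL1Rf57 = eval`), so replacing the global `eval` with a logging function before the script runs captures the decoded stage without changing a single character of the decoder's source. Hooking `eval` (or running the page in a browser pointed at the original URL) is therefore the usual approach, rather than patching the decoder.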
Propagation Technique

Remote exploit + drive-by download
- A link to malicious JavaScript is injected into the legitimate site
- The script exploits MS06-014 (MDAC RDS.Dataspace ActiveX control) and MS07-004 (VML buffer overflow)
- The payload downloads a keylogger/backdoor
- Set up 3 days prior to the Super Bowl!
Propagation Techniques

Rogue Antivirus
Figure: centralized C&C, one C & C server with all bots connected to it.

If the C&C server is isolated, the botmaster loses control of all the bots

(Week 1-4) Lorenzo Cavallaro (ISG@RHUL), Malware and its Underground Economy, Jun 17, 2013
It could be very difficult to identify the botmaster! (e.g., coffee shops or a chain of compromised machines)
Figure: multiple C & C servers, each serving its own group of bots.

When a C&C server is isolated the bots connect automatically to the others

The use of multiple C&C servers increases the lifetime of the botnet
C&C traffic is difficult to identify
- Difficult to block at the network level (e.g., firewall)
- Difficult to block at the DNS level (e.g., domain blacklisting)
How bots locate the C&C server:
- Hardcoded IP address
- Fast flux: hardcoded FQDN or dynamically generated FQDNs (1 FQDN resolves to 1 or more IP addresses, rotated quickly with short TTLs)
- Domain flux: hardcoded URL or dynamically generated URLs (a domain generation algorithm derives many candidate domains, typically from the current date; the botmaster registers only a few of them, so blacklisting one domain achieves little)
- Search keys in the P2P network
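Domain flux, worked through in an added example that is constructed for this page and is not code from the slides or from any real bot family. The bot derives the day's candidate domains from the date and a per-family constant, so every bot computes the same list without contacting anyone; the defender's part shows why reverse engineering the algorithm pays off: tomorrow's list can be computed today and sinkholed or blocked. `FAMILY_SEED`, `TLDS`, the label lengths and the xorshift32 PRNG are all assumptions.

```javascript
// Added example (constructed; not from the slides or from any real bot family).
// A toy domain-flux scheme: date + per-family constant -> the day's candidate domains.
// FAMILY_SEED, TLDS, the label lengths and the PRNG are assumptions.

const FAMILY_SEED = 0x5eed1234;             // assumed per-family constant recovered from the bot binary
const TLDS = ['com', 'net', 'org', 'info']; // assumed TLD list
const DOMAINS_PER_DAY = 20;

// xorshift32: the kind of tiny PRNG a bot can carry inline (state must never be 0)
function xorshift32(x) {
  x ^= x << 13;
  x ^= x >>> 17;
  x ^= x << 5;
  return x >>> 0;
}

// Seed depends only on the calendar day (YYYY-MM-DD), so the list is the same on every bot
function daySeed(dateStr) {
  const [y, m, d] = dateStr.split('-').map(Number);
  return (((y * 10000 + m * 100 + d) ^ FAMILY_SEED) >>> 0) || 1;
}

// Bot side: the day's candidate rendezvous domains, in the order the bot would try them
function generateDomains(dateStr, count = DOMAINS_PER_DAY) {
  let s = daySeed(dateStr);
  const out = [];
  for (let i = 0; i < count; i++) {
    s = xorshift32(s);
    const len = 8 + (s % 5);                       // 8..12 letter labels
    let label = '';
    for (let j = 0; j < len; j++) {
      s = xorshift32(s);
      label += String.fromCharCode(97 + (s % 26)); // a..z
    }
    s = xorshift32(s);
    out.push(`${label}.${TLDS[s % TLDS.length]}`);
  }
  return out;
}

// YYYY-MM-DD plus/minus some days, in UTC so the result does not depend on the local time zone
function shiftDay(dateStr, delta) {
  const [y, m, d] = dateStr.split('-').map(Number);
  const t = new Date(Date.UTC(y, m - 1, d + delta));
  const pad = (n) => String(n).padStart(2, '0');
  return `${t.getUTCFullYear()}-${pad(t.getUTCMonth() + 1)}-${pad(t.getUTCDate())}`;
}

// Defender side: the set of domains to watch, sinkhole or pre-register around a date.
// The +/-1 day window covers bots whose clocks or time zones disagree with ours.
function dgaWatchlist(dateStr, count = DOMAINS_PER_DAY) {
  const watch = new Set();
  for (const delta of [-1, 0, 1]) {
    for (const dom of generateDomains(shiftDay(dateStr, delta), count)) watch.add(dom);
  }
  return watch;
}

// Check a queried name (e.g. from resolver logs) against the watchlist for that day
function isDgaDomain(name, dateStr, count = DOMAINS_PER_DAY) {
  return dgaWatchlist(dateStr, count).has(name.toLowerCase().replace(/\.$/, ''));
}
```

Run `generateDomains('2013-06-17')` twice and the lists match; run it for the next day and they differ, which is the whole trick: the botmaster needs to register only one of the day's candidates, while a defender who has not recovered the algorithm sees a stream of never-before-seen NXDOMAIN lookups. Once the algorithm and seed are recovered, `dgaWatchlist` is what you hand to the sinkhole operator.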
Possible countermeasures:
- Network-level ACLs
- DNS ACLs
- HTTP ACLs
- DDoS against the C&C server? (questionable: legal issues and collateral damage to whatever else is hosted there)
Figure: P2P botnet on Overnet. The bot master controls master servers; proxies sit between the master servers and the worker bots; workers locate the proxies through the Overnet network.

- Search for keys in the P2P network to locate the proxies (keys are dynamic and published by the proxies through the P2P network)
- Connect to the proxy and wait for commands (each key is associated with the IP address and the port of a new proxy)
- The worker bot connects to the proxy, authenticates itself and waits for commands
- The proxy forwards commands from the master to the workers and vice versa
- Master servers are controlled directly by the botmaster and are hosted on bullet-proof hosts
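The key-based rendezvous above, as an added, constructed example that is not code from the slides or from any real bot: proxies publish where they can be reached under keys every worker can derive for the current day, the worker searches those keys instead of carrying any address, and whoever else knows the key scheme can run the same search, or publish records of their own. The DHT is a `Map`, a key is day plus slot number, a record is an `ip:port` string and records are unauthenticated; all of that is assumed, as are the names `Dht`, `proxyPublish`, `workerLocateProxies` and `publishSinkhole`.

```javascript
// Added example (constructed; not from the slides or from any real bot). Toy of the
// key-based rendezvous: proxies publish under derivable keys, workers search them.
// Key format, slot count, record format and the absence of record authentication
// are assumptions.

const SLOTS_PER_DAY = 32; // assumed: small bounded key space so a worker's search is cheap

// Rendezvous key for a given day and slot; every bot derives the same set for the same day
function rendezvousKey(dateStr, slot) {
  return `${dateStr}:${slot % SLOTS_PER_DAY}`;
}

// Simulated P2P network: key -> records published under it, in publish order
class Dht {
  constructor() { this.store = new Map(); }
  publish(key, record) {
    if (!this.store.has(key)) this.store.set(key, []);
    this.store.get(key).push(record);
  }
  search(key) { return this.store.get(key) || []; }
}

// Proxy side: announce my endpoint under a few of today's keys (slots chosen by the proxy)
function proxyPublish(dht, dateStr, endpoint, slots) {
  for (const slot of slots) dht.publish(rendezvousKey(dateStr, slot), { endpoint });
}

// Worker side: walk today's keys and collect every endpoint found, first found first
function workerLocateProxies(dht, dateStr) {
  const seen = [];
  for (let slot = 0; slot < SLOTS_PER_DAY; slot++) {
    for (const rec of dht.search(rendezvousKey(dateStr, slot))) {
      if (!seen.includes(rec.endpoint)) seen.push(rec.endpoint);
    }
  }
  return seen;
}

// The worker then connects to the first proxy it found, authenticates and waits for commands
function workerPickProxy(dht, dateStr) {
  const proxies = workerLocateProxies(dht, dateStr);
  return proxies.length ? proxies[0] : null;
}

// Infiltrator/defender side. Enumerating the proxies is literally the worker's own search.
const enumerateProxies = workerLocateProxies;

// Publishing our own record under every key of the day: with unauthenticated records a
// worker cannot tell the sinkhole from a real proxy, and because slot 0 is searched first
// it will prefer the sinkhole whenever no real proxy published under slot 0.
function publishSinkhole(dht, dateStr, sinkholeEndpoint) {
  for (let slot = 0; slot < SLOTS_PER_DAY; slot++) {
    dht.publish(rendezvousKey(dateStr, slot), { endpoint: sinkholeEndpoint });
  }
}
```

Two things follow directly. First, yesterday's keys find nothing today, so a proxy list captured on one day is stale the next; the infiltrator must keep searching, exactly as the workers do. Second, the only thing standing between a real worker and a sinkhole is whatever authenticates the records or the proxy; the slides say the worker authenticates itself to the proxy, not that the proxy proves anything to the worker, and in this toy nothing does.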
Figure: agents (Agent3, Agent4, Agent6, ...) and a victim.

- Offline, disinfected, or problematic agents are replaced with others
- The botnet is typically composed of millions of agents
- The identity of the code components of the infrastructure is well protected
- Multiple domains are used by the same botnet (it is not sufficient to shut down a domain)
Figure: infiltrating a centralized C&C (push model, e.g., an IRC channel): the infiltrator joins as one more bot.

The infiltrator connects to the C&C server as a normal bot and can see all the bots connected

The infiltrator receives commands from the botmaster as the other bots do
Figure: infiltrating a pull-style C&C: bots poll the server, so the server sees every bot but a bot sees only the server.

The infiltrator connects to the C&C server as a normal bot but cannot see the other bots connected (C&C pull)

The infiltrator receives commands from the botmaster as the other bots do

The server-side infiltrator instead can see the other bots and send them commands
Your Botnet is My Botnet: Analysis of a Botnet Takeover. Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), 2009.