anatomy of a massive p2p botnet takedown reversing and
play

Anatomy of a Massive P2P Botnet Takedown: Reversing and Attacking - PowerPoint PPT Presentation

Sep 26, 2022 •33 likes •1.02k views

Anatomy of a Massive P2P Botnet Takedown: Reversing and Attacking GameOver Zeus Dennis Andriesse Vrije Universiteit Amsterdam Finse Winter School 2018 Acknowledgements Brett Stone-Gross (Dell SecureWorks) Tillmann Werner, Christian Dietrich

  1. Anatomy of a Massive P2P Botnet Takedown: Reversing and Attacking GameOver Zeus Dennis Andriesse Vrije Universiteit Amsterdam Finse Winter School 2018

  2. Acknowledgements Brett Stone-Gross (Dell SecureWorks) Tillmann Werner, Christian Dietrich (CrowdStrike) Christian Rossow (Saarland University) Frank Ruiz, Michael Sandee (Fox-IT) Elliott Peterson (FBI) The ShadowServer Foundation CERT.PL Too many others to name here... Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 1 of 76

  3. Introduction to Botnets What is a botnet? • Network of malware–infected computers ( bots ) • Controlled by botmaster to perform malicious actions • Typically contains 100.000 - 1.000.000 bots Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 2 of 76

  4. Evolution of Botnets Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 3 of 76

  5. Evolution of Botnets Centralized botnets • Original botnets were centralized • Command and Control ( C2 ) server spreads commands to bots • First botnets based on IRC (a chat protocol) • Bots enter the “chat room” and listen to commands • Later botnets used HTTP • Bots fetch commands from a “web server” Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 4 of 76

  6. Evolution of Botnets Centralized botnets • Simple, easy to maintain for the bad guys • Easy to disable for the good guys • Just take out the C2 server Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 5 of 76

  7. Evolution of Botnets Centralized botnets • Simple, easy to maintain for the bad guys • Easy to disable for the good guys • Just take out the C2 server Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 5 of 76

  8. Evolution of Botnets Redundant infrastructure • Early way to strengthen centralized botnets: multiple C2 servers • If one of the servers is disabled, bots just switch to another Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 6 of 76

  9. Evolution of Botnets Redundant infrastructure • Early way to strengthen centralized botnets: multiple C2 servers • If one of the servers is disabled, bots just switch to another Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 6 of 76

  10. Evolution of Botnets Peer-to-Peer (P2P) botnets • Centralized botnets are vulnerable because of their C2 servers • P2P botnets have no centralized C2 servers • Every bot knows some of the other bots • Bots use P2P communication to spread commands • Much more resilient against takedowns Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 7 of 76

  11. Functionality of P2P Botnets Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 8 of 76

  12. P2P Botnets: Terminology Topologies • Structured: Peers have addresses, information is routed • Unstructured: Protocol based on gossiping Bootstrapping • Process of establishing connectivity with a P2P network • Finding initial peers • Seeding via separate channel • Pre-shared peer lists • Scanning Maintenance • Bots regularly update their peer list to account for churn • Typically some backup channel in case this fails Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 9 of 76

  13. Example: Storm Worm • Hybrid architecture • Structured P2P network, nodes have addresses • Peer-to-Peer network used for C2 server lookups • Peers are constantly searching for Time-Dependent Hashes • Responses encode C2 IP Address and TCP Port • Peers poll announced C2 host for commands Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 10 of 76

  14. Example: Storm Worm • Hybrid architecture • Structured P2P network, nodes have addresses • Peer-to-Peer network used for C2 server lookups • Peers are constantly searching for Time-Dependent Hashes • Responses encode C2 IP Address and TCP Port • Peers poll announced C2 host for commands Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 10 of 76

  15. Example: Kelihos • Strategy: disposable botnets • P2P layer is part of a multi-tier topology • C2 Proxies are announced to all peers • Dynamic, self-organizing backbone • Router nodes act as intermediate proxies Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 11 of 76

  16. Example: Sality • Pure P2P, protocol based on gossiping • Peers attempt to pull URLs from their neighboring nodes • Reputation scheme • Valid response from p : Reputation p := Reputation p + 1 • Invalid response from p : Reputation p := Reputation p − 1 Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 12 of 76

  17. How to Deal with “Disposable Botnets”? • When taken down, botnets like Kelihos quickly respawn • To prevent this, we must take out the droppers (Sality, Zeus, . . . ) • Not so easy, especially Sality and Zeus are quite resilient Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 13 of 76

  18. Attacking P2P Botnets Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 14 of 76

  19. Attacking P2P Botnets Commanding bots to uninstall • Usually not possible because of command signing • Bredolab did not use command encryption • Team High Tech Crime performed a complete takeover in 2010 • They were rewarded with a Big Brother Award Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 15 of 76

  20. Attacking P2P Botnets Reconnaissance • Reconnaissance attacks try to find all the bots • Know how big the botnet is • Report bot addresses to Internet providers • Abuse botnet’s maintenance mechanism: 1 Start with a few known bot addresses 2 Ask these bots which other bots they know 3 Repeat for newly found bots Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 16 of 76

  21. Attacking P2P Botnets Reconnaissance • Reconnaissance attacks try to find all the bots • Know how big the botnet is • Report bot addresses to Internet providers • Abuse botnet’s maintenance mechanism: 1 Start with a few known bot addresses 2 Ask these bots which other bots they know 3 Repeat for newly found bots Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 16 of 76

  22. Attacking P2P Botnets Reconnaissance • Reconnaissance attacks try to find all the bots • Know how big the botnet is • Report bot addresses to Internet providers • Abuse botnet’s maintenance mechanism: 1 Start with a few known bot addresses 2 Ask these bots which other bots they know 3 Repeat for newly found bots Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 16 of 76

  23. Attacking P2P Botnets Reconnaissance • Cannot find NATed nodes this way • 60% – 87% of nodes is NATed! • Infiltrate the botnet and get them to connect to you Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 17 of 76

  24. Attacking P2P Botnets Reconnaissance • Cannot find NATed nodes this way • 60% – 87% of nodes is NATed! • Infiltrate the botnet and get them to connect to you Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 17 of 76

  25. Attacking P2P Botnets Sinkholing • Sinkholing attacks try to disconnect bots from each other • Requires a way to modify bots’ peer lists • Try to redirect all bots to a benign sinkhole server Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 18 of 76

  26. Attacking P2P Botnets Sinkholing • Sinkholing attacks try to disconnect bots from each other • Requires a way to modify bots’ peer lists • Try to redirect all bots to a benign sinkhole server Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 18 of 76

  27. P2P Zeus Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 19 of 76

  28. Introduction to P2P Zeus The Zeus Bot • Banking trojan, information stealer • Centralized version around since 2005 • Sold as DIY toolkit for $4000 • FBI tracked a group in 2010 which stole over $70m with it Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 20 of 76

  29. Zeus v1/v2 • Configuring your own Zeus is as easy as running a wizard program • Zeus toolkits even include anti–piracy mechanisms Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 21 of 76

  30. Zeus v1/v2 • Your Zeus can be controlled using a handy web interface Dennis Andriesse Anatomy of a Massive P2P Botnet Takedown,Reversing and Attacking GameOver Zeus 22 of 76

Recommend

Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of

Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of

Mirai Botnet: How IoT Botnets Performed Massive DDoS Attacks and Negatively Impacted Hundreds of Thousands of Internet Businesses and Millions of Users in October 2016 William Favre Slater, III, M.S. MBA, PMP, CISSP, CISA Sr. Cybersecurity

1.36k views • 53 slides
MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet

MetaNet A botnet with Metasploit integration By : Matan Ramrazker, Guy Gelber What is a Botnet A Botnet is a software that is designed to perform simple automated and usually cyclical operations. Botnet management is performed remotely

507 views • 24 slides
Reversing on the Edge Jason Jones Jasiel Spelman Arbor ASERT HPSR ZDI 1 Jason Jones Sr Sec

Reversing on the Edge Jason Jones Jasiel Spelman Arbor ASERT HPSR ZDI 1 Jason Jones Sr Sec

Reversing on the Edge Jason Jones Jasiel Spelman Arbor ASERT HPSR ZDI 1 Jason Jones Sr Sec Research Analyst @ Arbor ex-TippingPoint ASI Primarily reverse malware Interests / Research DDoS Botnet tracking Malware Clustering Bug hunting

759 views • 32 slides
Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet

Welcome to Storm ! The Storm botnet Reachability check Overnet (UDP) The Storm botnet Botmaster Hosted infrastructure HTTP proxies HTTP Proxy Infected machines bots TCP Workers The Storm botnet Botmaster Hosted infrastructure HTTP

517 views • 31 slides
Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida Motivation Existing tools often not a good fit for the task at hand Creating a new tool usually takes too much effort Short feedback

1.17k views • 37 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware

Botnets Leonidas Stylianou CS 682 23/04/2020 Lifecycle of a bot Infected host Botnet malware Botmaster controls becomes a bot and infects a host. the botnet. joins the botnet . Coordination of f bots with C&C server Bots query the

1k views • 58 slides
Reversing a firmware uploader & Others NFC stories 1

Reversing a firmware uploader & Others NFC stories 1

7/1/2019 Reversing a Firmware uploader & others NFC stories Reversing a firmware uploader & Others NFC stories 1 file:///D:/projects/pts2019/dist/index.html 1/41 7/1/2019 Reversing a Firmware uploader & others NFC stories

920 views • 41 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis & Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.

409 views • 11 slides
A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T

A Framework for Understanding Botnets Justin Leonard, Shouhuai Xu, Ravi Sandhu University of T exas at San Antonio Overview Botnet Lifecycle Botnet Architecture Command and Control Mechanisms (C&C) Dynamic Graph Model Botnet

195 views • 18 slides
Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus Mannheim Centre for European Social Research (MZES) University of Mannheim www.mzes.uni-mannheim.de www.mzes.uni mannheim.de Overcoming early exit

380 views • 9 slides
Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa -

Introduction Advantages Skype Supernodes Botnet Our Model Features Communication protocol Experiments Limitations Countermeasures Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype Antonio Nappa - Universit`

483 views • 16 slides
An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking

An Open Botnet Analysis Framework for An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization Automatic Tracking and Activity Visualization marco riccardi Italian Chapter - The Honeynet Project marco cremonini

393 views • 36 slides
Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD Student Independent InfoSec Consultant/Contractor Overview Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win?

868 views • 66 slides
Basic Anatomy Anatomy: General Planes of the body

Basic Anatomy Anatomy: General Planes of the body

Musculoskeletal Biomechanics BIOEN 520 | ME 527 Mini-Lab 1 Basic Anatomy Anatomy: General Planes of the body DirecGonal terms Joint

1.24k views • 65 slides
2D and 3D Medical Ima 2D and 3D Medical Ima ages for Anatomy ages for Anatomy Education using a

2D and 3D Medical Ima 2D and 3D Medical Ima ages for Anatomy ages for Anatomy Education using a

2D and 3D Medical Ima 2D and 3D Medical Ima ages for Anatomy ages for Anatomy Education using a cloud d computing platform Lih Shyang Chen Department of Electrical En ngineering National Cheng Kung Unive N ti l Ch K U i ersity

319 views • 27 slides
Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot

Network Security: Botnet Seungwon Shin GSIS, KAIST many slides from Dr. Yan Chen Definition Bot a software application that runs automated tasks over the Internet Botnet a collection of Internet-connected programs communicating with other

659 views • 39 slides
Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen

Challenges in Experimenting with Botnet Detection Systems Adam J. Aviv Andreas Haeberlen University of Pennsylvania August 8th, 2011 CSET-2011 1 Alice has developed a new botnet detector!!! What should the evaluation show? Alice's

767 views • 42 slides
The FIFA Universe Massive scale, massive influence, massive corruption First, Some History.

The FIFA Universe Massive scale, massive influence, massive corruption First, Some History.

The FIFA Universe Massive scale, massive influence, massive corruption First, Some History. Football Association (FA) Formed 1863, governs association football in England Prior to this, football was just a school yard sport Rule

579 views • 35 slides
Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu

Motivation/Overview Taxonomy Detection Response Botnet Detection and Response The Network is the Infection David Dagon dagon@cc.gatech.edu Georgia Institute of Technology College of Computing OARC Workshop, 2005 David Dagon Botnet

675 views • 45 slides
1 Reason Anatomy and Physiology are the foundation on which all medicine is based. Learn well

1 Reason Anatomy and Physiology are the foundation on which all medicine is based. Learn well

EAPIntroduction to Anatomy and Physiology PFN: SOMAPL11 Hours: 1.5 JSOMTC, SWMG(A) Slide 1 Terminal Learning Objective Action: Communicate knowledge of Introduction to Anatomy and Physiology Condition: Given a lecture in a

630 views • 30 slides
Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as

Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as

Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as quickly as possible without having to read disassembled code Advantages Active Reversing reveals contextual relationships between user actions,

1.41k views • 91 slides
BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&C

379 views • 27 slides
BIOMETRY COURSE Module 1 Anatomy & Vision Welcome to Anatomy Emma Deighan Trainer in

BIOMETRY COURSE Module 1 Anatomy & Vision Welcome to Anatomy Emma Deighan Trainer in

BIOMETRY COURSE Module 1 Anatomy & Vision Welcome to Anatomy Emma Deighan Trainer in Ophthalmology for 20 Years Please ask questions! Email emma@medsalesacademy.co.uk www.medsalesacademy.co.uk Today we will learn Anatomy

1.24k views • 29 slides

More recommend