Botnets
Leonidas Stylianou
CS 682, 23/04/2020
Lifecycle of a bot
• Botnet malware infects a host.
• The infected host becomes a bot and joins the botnet.
• The botmaster controls the botnet.
Coordination of bots with C&C server
• Bots query the C&C servers using their IP address and DNS name.
• Not flexible and robust to take-down actions.
• Constitutes a single point of failure because it uses only a single domain.
Fast flux
• Bots query a certain domain that is mapped onto a set of IP addresses that change frequently.
Domain flux
• Bots query multiple domains that are mapped onto a set of IP addresses that change frequently.
• Taking down the C&C server is harder because the bots relocate their domain name.
Usage of botnets
• Send spam mails
• Launch DoS attacks
• Steal personal data
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Overview
• A comprehensive analysis of the operations of the Torpig botnet.
• The count of distinct IPs that contacted the sinkholed C&C overestimates the size of the botnet.
• The victims of botnets are often users with poorly maintained machines.
What is Torpig?
• Distributed to its victims as part of the Mebroot rootkit.
• Steals sensitive information from the victim’s host and relays it back to its controllers.
• Malware service accessible to third parties.
Distribution of Mebroot
(1) The victim requests a legitimate web site where an attacker has injected HTML code.
(2) The victim’s browser requests JavaScript code from the drive-by-download server.
(3) The JavaScript code executes multiple exploits against the browser and some of its components.
(4) If the exploit is successful, the Mebroot rootkit is downloaded from the server and executed.
Mebroot life cycle
• Overwrites the MBR and is always executed at boot time.
• Provides a generic platform that other modules can leverage to perform their malicious actions.
• Contacts the Mebroot C&C server to obtain malicious modules.
Torpig Capabilities
• Trojan that is injected into a number of applications.
• Inspects all the data handled by these programmes: system programmes, instant messengers, web browsers, email clients, FTP clients.
Communication in the Torpig Botnet
(1) The bot uploads the stolen data since the previous reporting time to the Torpig C&C server over HTTP.
(2) The C&C server acknowledges the new data with an “okn” response.
Communication in the Torpig Botnet
(2) The C&C server sends a configuration file to the bot with an “okc” response. The configuration file specifies how often the bot should contact the C&C server, hard-coded servers, and parameters to perform MiTB phishing attacks.
Man in the Browser attacks with Torpig bot
Generation of phishing sites
• The infected machine visits one of the domains in the configuration file (bank site).
• Torpig issues a request to an injection server.
• The injection server’s response specifies the trigger page, the injection URL, and a number of parameters.
Man in the Browser attack
• The victim visits the trigger page.
• Torpig requests the injection URL from the injection server and injects the returned content into the user’s browser.
• The injected content reproduces the style of the target web site and the address bar displays a padlock.
• It asks the user for sensitive information and steals personal information.
Coordination in Torpig Botnet: Domain Flux
• Each bot uses a domain generation algorithm to compute a list of domain names.
• It attempts to contact the C&C server with a name in the domain list, in order, until one succeeds.
Torpig’s Domain Generation Algorithm
Step 1
• Seeded with the current date and a numerical parameter.
Step 2(a)
• Computes a “weekly” domain name dw that depends on the current week and year.
• Attempts to resolve dw.(com,net,biz) and contacts the C&C server.
Step 2(b)
• Computes a “daily” domain name dd that depends on the current day.
• Attempts to resolve dd.(com,net,biz) and contacts the C&C server.
Step 2(c)
• Attempts to resolve domains that are hardcoded in the configuration file and contacts the C&C server.
Coordination in Torpig Botnet: Domain Flux and resilience
• Control at least one of the domains that will be contacted by the bots.
• Use measures to prevent other groups from seizing domains that will be contacted by bots.
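The domain-flux loop of the last three slides, as an added example (it is not code from the paper or from Torpig, and the label derivation is a hypothetical SHA-256 scheme, not Torpig’s real algorithm): the seed is the date plus a numerical parameter, a weekly name dw and a daily name dd are each tried under .com/.net/.biz, then the hard-coded fallbacks. The defender-side function lists every name the bots will compute over a period, which is the set a takeover must register ahead of the botmaster. `EXAMPLE_DAY`, `param=1` and `fallback.example` are constructed values.

```python
import hashlib
from datetime import date, timedelta

# Illustrative domain-flux scheme. This is NOT Torpig's real algorithm; it only
# reproduces the structure on the slides: a seed made of the current date and a
# numerical parameter, one "weekly" name dw, one "daily" name dd, each tried
# under .com/.net/.biz, and then the hard-coded domains from the configuration.
TLDS = ("com", "net", "biz")
EXAMPLE_DAY = date(2020, 4, 20)  # constructed example date (a Monday, ISO week 17)


def _label(*seed, length=10):
    """Derive a lowercase, letters-only label from the seed material."""
    digest = hashlib.sha256("|".join(str(s) for s in seed).encode()).hexdigest()
    return "".join(chr(ord("a") + int(digest[i:i + 2], 16) % 26)
                   for i in range(0, 2 * length, 2))


def weekly_domain(day, param):
    """dw: depends only on the ISO week and year of `day`."""
    iso_year, iso_week, _ = day.isocalendar()
    return _label("w", iso_year, iso_week, param)


def daily_domain(day, param):
    """dd: changes every day."""
    return _label("d", day.toordinal(), param)


def candidate_list(day, param, hardcoded=()):
    """Ordered list of names a bot would try until one resolves:
    dw.(com,net,biz), then dd.(com,net,biz), then the hard-coded fallbacks."""
    names = [f"{weekly_domain(day, param)}.{tld}" for tld in TLDS]
    names += [f"{daily_domain(day, param)}.{tld}" for tld in TLDS]
    names += list(hardcoded)
    return names


def first_reachable(candidates, resolves):
    """Bot-side loop: return the first candidate for which `resolves` (a stand-in
    for a DNS lookup / C&C contact) succeeds, or None if every name fails."""
    for name in candidates:
        if resolves(name):
            return name
    return None


def sinkhole_targets(start, days, param):
    """Defender view: every generated name the bots will try over `days` days
    starting at `start`. Registering any one of them before the botmaster is
    what the takeover relies on; the length of the list is the registration cost."""
    names = set()
    for offset in range(days):
        names.update(candidate_list(start + timedelta(days=offset), param))
    return sorted(names)


if __name__ == "__main__":
    for name in candidate_list(EXAMPLE_DAY, 1, hardcoded=("fallback.example",)):
        print(name)
    print(len(sinkhole_targets(EXAMPLE_DAY, 10, 1)), "names to pre-register for 10 days")
```

Over a ten-day window the weekly names change once and the daily names every day, so the defender faces 2 × 3 + 10 × 3 = 36 registrations against the botmaster’s single configuration change, which is the asymmetry the arms-race slide describes.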
Arms Race between botmasters and defenders (B: botmaster, D: defender)
B: The domain generation algorithm of the bots is modified frequently.
D: Reverse engineering the botnet protocol could be time consuming.
D: The economic factor is the biggest challenge because domain names are not cheap.
B: Force defenders to register a disproportionate number of names.
Taking control of the Torpig botnet: Sinkholing
Preparation
• Purchased two domains (.com and .net) that were to be used by the botnet.
• Registered them to two different registrars.
• Set up an Apache web server to receive bot requests and recorded all network traffic.
• Obtained control of the Torpig botnet for ten days.
• During their control of the botnet, 8.7 GB of Apache log files and 69 GB of pcap data have been collected.
Taking control of the botnet: Data Collection Principles
• Operated the C&C servers based on established legal and ethical principles.
• Collected enough information to enable remediation of affected parties.
• Operated such that any damage to victims was minimized.
• Worked with law enforcement agencies.
Botnet Analysis: Data Collection and Format
• Bots communicate with the Torpig C&C through HTTP POST requests.
• The request URL contains the hexadecimal representation of the bot identifier and the submission header.
• The submission header is encrypted with Torpig’s encryption algorithm; the bot identifier is used as the symmetric key.
• The request body contains the data stolen from the victim’s machine.
• It consists of data items based on the information that was stolen.
• The body is encrypted with Torpig’s encryption algorithm.
Botnet Analysis: Data Collection and Format
Submission header example
• ts: time stamp when the configuration file was updated.
• ip: IP address of the bot.
• hport and sport: port numbers of the HTTP and SOCKS proxies that Torpig opens on the infected machine.
• os and cn: operating system version and locale.
• bld and ver: build and version number of Torpig.
• nid: bot identifier.
Botnet Analysis: Data Collection and Format
Data items sent to the sinkholed botnet in 10 days
• Mailbox account: configuration information for email accounts.
• Email: email addresses.
• Form data: content of HTML forms submitted by the victim’s browser.
• HTTP, FTP, POP: credentials of the respective accounts.
• SMTP: source and destination addresses of emails.
• Windows password.
Botnet Size: Definitions
• Botnet’s footprint: indicates the aggregated total number of machines that have been compromised over time.
• Botnet’s live population: indicates the number of compromised hosts that are concurrently communicating with the C&C server.
Botnet’s Footprint: Counting Bots by “nid” field
Description
• Torpig always sends the “nid” field in the submission header.
• It depends on software or hardware characteristics of the infected machine’s hard disk.
• Attempted to validate whether the “nid” is unique for each bot.
Evaluation
• 2079 cases have been found where the assumption did not hold.
• 180 835 “nid” values have been observed in 10 days.
• Underestimates the botnet’s footprint.
Botnet’s Footprint: Counting Bots by Submission Header Fields
Description
• Count unique tuples from the submission header that Torpig bots send.
• The “nid, os, cn, bld and ver” fields have been considered whilst “ts, ip, sport and hport” have been discarded.
Evaluation
• The botnet’s footprint has been estimated at 182 914 machines.
Botnet’s Footprint: Identifying probers and researchers
Description
• “nid” values generated on a standard configuration of the VMware and QEMU virtual machines are discarded.
• Bots that use the GET HTTP method are not considered.
Evaluation
• 40 bots have been running on virtual machines.
• 74 hosts have been probers.
• Final estimate of the botnet’s footprint is 182 800 hosts.
Botnet’s live population: Botnet Size vs IP Count
Botnet size
• 182 800 bots have contacted the C&C server.
IP count
• 1 247 642 unique IP addresses contacted the C&C server.
• Overestimates the actual size of the botnet’s footprint.
Botnet’s live population: Botnet Size vs IP Count
Per hour
• The number of unique IP addresses and bot IDs per hour provides a good estimation of the botnet’s live population.
Per day
• The number of unique IP addresses and bot IDs per day does not provide a good estimation of the botnet’s live population.
Botnet Size vs IP Count: Observations
• The number of unique IPs per hour provides a good estimation of the botnet’s live population.
• 144,236 (78.9%) of the infected machines were behind a NAT, VPN, proxy, or firewall.
• The difference between IP count and actual bot count can be attributed to DHCP and NAT effects.
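The counting methods of the size-estimation slides, run over a handful of constructed submission-header records, as an added example (not the paper’s code or data). The records stand for already-decrypted headers as a sinkhole would log them, reduced to the fields the slides use; the nid values, IP addresses, `bld1`/`ver1` and the VM-nid set are placeholders constructed so that each effect on the slides shows up once: a nid shared by two machines, a DHCP lease change, two bots behind one NAT address, a sandbox VM and a GET prober.

```python
from collections import namedtuple

# Constructed, already-decrypted submission headers as a sinkhole would log them.
# Not the paper's data: values are placeholders chosen so that each effect on the
# slides occurs once (DHCP churn, NAT, nid collision, sandbox VM, prober).
Record = namedtuple("Record", "hour ip nid os cn bld ver method")

RECORDS = [
    #      hour ip              nid     os     cn    bld     ver     method
    Record(0, "203.0.113.10", "a1",   "5.1", "en", "bld1", "ver1", "POST"),
    Record(1, "203.0.113.11", "a1",   "5.1", "en", "bld1", "ver1", "POST"),  # DHCP: new lease
    Record(2, "203.0.113.12", "a1",   "5.1", "en", "bld1", "ver1", "POST"),  # DHCP: new lease
    Record(0, "198.51.100.7", "b2",   "5.1", "en", "bld1", "ver1", "POST"),  # NAT: shared IP
    Record(0, "198.51.100.7", "c3",   "6.0", "it", "bld1", "ver1", "POST"),  # NAT: shared IP
    Record(1, "198.51.100.7", "b2",   "5.1", "en", "bld1", "ver1", "POST"),
    Record(0, "192.0.2.20",   "d4",   "5.1", "en", "bld1", "ver1", "POST"),  # nid collision:
    Record(1, "192.0.2.21",   "d4",   "6.0", "de", "bld1", "ver1", "POST"),  #   two machines, one nid
    Record(0, "192.0.2.30",   "vm01", "5.1", "en", "bld1", "ver1", "POST"),  # sandbox VM
    Record(2, "192.0.2.40",   "p9",   "5.1", "en", "bld1", "ver1", "GET"),   # prober, not a bot
]

# nid values a stock VMware/QEMU guest would produce (constructed placeholder set).
VM_NIDS = {"vm01"}

# Fields kept for the unique-tuple count; ts, ip, sport and hport are discarded.
IDENTITY_FIELDS = ("nid", "os", "cn", "bld", "ver")


def identity(r):
    """The tuple counted instead of the bare nid."""
    return tuple(getattr(r, f) for f in IDENTITY_FIELDS)


def footprint_by_nid(records):
    """Distinct nid values: undercounts when two machines share a nid."""
    return len({r.nid for r in records})


def footprint_by_tuple(records):
    """Distinct (nid, os, cn, bld, ver) tuples: tells collided machines apart."""
    return len({identity(r) for r in records})


def drop_non_bots(records, vm_nids):
    """Remove sandbox VMs (known nid values) and probers (GET instead of POST)."""
    return [r for r in records if r.nid not in vm_nids and r.method == "POST"]


def unique_ips(records):
    return len({r.ip for r in records})


def per_hour(records):
    """hour -> (unique IPs, unique bots): the live-population view."""
    buckets = {}
    for r in records:
        ips, bots = buckets.setdefault(r.hour, (set(), set()))
        ips.add(r.ip)
        bots.add(identity(r))
    return {h: (len(ips), len(bots)) for h, (ips, bots) in sorted(buckets.items())}


def summary(records, vm_nids):
    bots = drop_non_bots(records, vm_nids)
    return {
        "nid_count": footprint_by_nid(records),      # nid collision hides a machine
        "tuple_count": footprint_by_tuple(records),  # collided machines counted apart
        "footprint": footprint_by_tuple(bots),       # after removing VMs and probers
        "ip_count": unique_ips(bots),                # whole period: DHCP inflates
        "per_hour": per_hour(bots),                  # within an hour: NAT deflates
    }


if __name__ == "__main__":
    for key, value in summary(RECORDS, VM_NIDS).items():
        print(f"{key:>12}: {value}")
```

With these records the footprint after filtering is 5 machines while 6 distinct addresses contacted the sinkhole over the whole period (DHCP), and in hour 0 only 3 addresses are seen for 4 live bots (NAT); the two effects pull in opposite directions, which is why the per-hour figures, not the per-period IP count, are the usable estimate.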