Botnets Some slides taken from David Choffnes, Northeastern - PowerPoint PPT Presentation



  1. Botnets
     Some slides taken from David Choffnes, Northeastern
     https://www.justice.gov/usao-cdca/pr/justice-department-announces-court-authorized-efforts-map-and-disrupt-botnet-used-north
     https://www.malwaretech.com/2013/12/peer-to-peer-botnets-for-beginners.html
     https://security.googleblog.com/2018/11/industry-collaboration-leads-to.html

  2. Definitions
     • Virus
       • Program that attaches itself to another program
     • Worm
       • Replicates itself over the network
       • Usually relies on remote exploit (e.g. buffer overflow)
     • Rootkit
       • Program that infects the operating system (or even lower)
       • Used for privilege elevation, and to hide files/processes
     • Trojan horse
       • Program that opens “back doors” on an infected host
       • Gives the attacker remote access to machines
     • Botnet
       • A large group of Trojaned machines, controlled en masse
       • Used for sending spam, DDoS, click-fraud, etc.

  3. Worms to Botnets
     • Ultimate goal of most Internet worms
       • Compromise machine, install rootkit, then trojan
       • One of many in army of remote controlled machines
     • Used by online criminals to make money
       • Extortion
         • “Pay us $100K or we will DDoS your website”
       • Spam and click-fraud
       • Phishing and theft of personal information
         • Credit card numbers, bank login information, etc.

  4. • Used by criminals to make money
     • Platform for many attacks
       • Spam forwarding (70% of all spam?)
       • Click fraud and ad fraud more generally
       • Keystroke logging
       • Distributed denial of service attacks
     • Serious problem
       • Top concern of banks, online merchants
       • Vint Cerf: ¼ of hosts connected to Internet

  5. Botnet Attacks
     • Truly effective as an online weapon for terrorism
       • i.e. perform targeted attacks on governments and infrastructure
     • Massive DoS on Estonia
       • April 27, 2007 – Mid-May, 2007
       • Closed off most government and business websites
       • Attack hosts from US, Canada, Brazil, Vietnam, …
       • Web posts indicate attacks controlled by Russians
       • All because Estonia moved a memorial of WWII soldier
     • Is this a glimpse of the future?

  6. What are Botnets used for?

  7. Botnet Hosts
     • Fortify system against other malicious attacks
       • Disable anti-virus software
     • Harvest sensitive information
       • PayPal, software keys, etc.
     • Economic incentives for botnets
       • Stresses need to patch/protect systems prior to attack
       • Stronger protection boundaries required across applications in OSes

  8. Detecting / Deterring Botnets
     • Bots controlled via C&C channels
       • Potential weakness to disrupt botnet operation
     • Traditionally relied on IRC channels run by ephemeral servers
       • Can rotate single DNS name to different IPs on minute-basis
       • Can be found by mimicking bots (using honeypots)
     • Bots also identified via DNS blacklist requests
     • A constant cat and mouse game
       • Attackers evolving to decentralized C&C structures
         • Peer to peer model, encrypted traffic
         • Storm botnet, estimated 1-50 million members in 9/2007

  9. Old-School C&C: IRC Channels
     [Diagram: the Botmaster posts commands such as “snd spam: <subject> <msg>” to IRC Servers, which relay them to every bot in the channel]
     • Problem: single point of failure
       • Easy to locate and take down

  10. IRC botnet

  11. IRC botnet

  12. Why IRC?
     • IRC servers are:
       • freely available
       • easy to manage
       • easy to subvert
     • Attackers have experience with IRC
     • IRC bots usually have a way to remotely upgrade victims with new payloads to stay ahead of security efforts

  13. P2P Botnets
     [Diagram: the Botmaster inserts commands into a structured P2P DHT; Master Servers and bots get commands from the DHT]

  14. Fast Flux DNS
     [Diagram: the Botmaster's HTTP Servers sit at many IPs (12.34.56.78, 6.4.2.0, 31.64.7.22, 245.9.1.43, 98.102.8.1); the rendezvous domain www.my-botnet.com changes its DNS → IP mapping every 10 seconds]
     • But: ISPs can blacklist the rendezvous domain
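Added example, not from the slides: a resolver-side heuristic that flags a name as fast-flux when its answers rotate through many IPs in different networks with short TTLs, which is how the rendezvous domain above would look in DNS logs. The log is constructed; www.my-botnet.com and its addresses are the slide's illustration, the other names and addresses are invented from documentation ranges, and a /16 prefix stands in for a real ASN lookup.

```python
from collections import defaultdict

# Constructed resolver log of A-record answers: (seconds, queried name, TTL, answer IP).
# www.my-botnet.com and its addresses follow the slide; everything else is invented.
DNS_LOG = [
    (0,  "www.my-botnet.com", 10, "12.34.56.78"),
    (10, "www.my-botnet.com", 10, "6.4.2.0"),
    (20, "www.my-botnet.com", 10, "31.64.7.22"),
    (30, "www.my-botnet.com", 10, "245.9.1.43"),
    (40, "www.my-botnet.com", 10, "98.102.8.1"),
    (50, "www.my-botnet.com", 10, "12.34.56.78"),
    (0,   "www.example.org", 3600, "192.0.2.10"),
    (600, "www.example.org", 3600, "192.0.2.10"),
    (0,  "cdn.example.net", 60, "203.0.113.10"),   # CDN-like: low TTL, but
    (60, "cdn.example.net", 60, "203.0.113.11"),   # few IPs inside one network
]

def summarize(log):
    """Per name: distinct answer IPs, distinct /16 prefixes (crude ASN proxy), lowest TTL."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for _, name, ttl, ip in log:
        s = stats[name]
        s["ips"].add(ip)
        s["prefixes"].add(".".join(ip.split(".")[:2]))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats

def is_fast_flux(s, max_ttl=300, min_ips=3, min_prefixes=3):
    """Fast flux = short TTL AND many IPs AND spread over many networks.
    Requiring all three keeps ordinary low-TTL CDN names from being flagged."""
    return (s["min_ttl"] <= max_ttl
            and len(s["ips"]) >= min_ips
            and len(s["prefixes"]) >= min_prefixes)

def classify(log):
    """Map each queried name to True (fast-flux candidate) or False."""
    return {name: is_fast_flux(s) for name, s in summarize(log).items()}

if __name__ == "__main__":
    for name, flagged in classify(DNS_LOG).items():
        print(f"{name:20} fast-flux candidate: {flagged}")
```

A production version replaces the /16 proxy with an ASN lookup and watches each name over hours rather than seconds.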

  15. “Random” Domain Generation
     [Diagram: bots generate many possible domains (www.17-cjbq0n.com, www.sb39fwn.com, www.xx8h4d9n.com, …) …but the Botmaster only needs to register a few each day and point them at the HTTP Servers]
     • Can be combined with fast flux
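Added example, not from the slides: the defender's view of the scheme above. A bot that walks through many generated names per day, of which the botmaster registered only a few, leaves a burst of NXDOMAIN answers for random-looking labels from one client in the resolver log. The log below is constructed; the three names from the slide are reused, while the other names, the client addresses and the thresholds are invented.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log: (client IP, queried name, response code).
# The three *.com names from the slide are reused; the rest is invented.
QUERIES = [
    ("10.0.0.5", "www.17-cjbq0n.com", "NXDOMAIN"),
    ("10.0.0.5", "www.sb39fwn.com",   "NXDOMAIN"),
    ("10.0.0.5", "www.xx8h4d9n.com",  "NXDOMAIN"),
    ("10.0.0.5", "www.q9z3kdw1.com",  "NXDOMAIN"),
    ("10.0.0.5", "www.hq27pzvc.com",  "NOERROR"),   # the one the botmaster registered
    ("10.0.0.8", "www.example.com",   "NOERROR"),
    ("10.0.0.8", "mail.example.com",  "NOERROR"),
    ("10.0.0.8", "typo.exmaple.com",  "NXDOMAIN"),  # an ordinary typo, not a DGA hit
]

def sld(name):
    """Second-level label: 'www.sb39fwn.com' -> 'sb39fwn'."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def entropy(s):
    """Shannon entropy of the label in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def looks_generated(name, min_entropy=3.0, min_digit_ratio=0.2):
    """Weak lexical signal: high character entropy or many digits in the label.
    Alone it mis-flags some real names, so it only filters which NXDOMAINs count."""
    label = sld(name)
    digit_ratio = sum(ch.isdigit() for ch in label) / max(len(label), 1)
    return entropy(label) >= min_entropy or digit_ratio >= min_digit_ratio

def generated_nxdomains(log):
    """Per client: number of NXDOMAIN answers for generated-looking names."""
    counts = defaultdict(int)
    for client, name, rcode in log:
        if rcode == "NXDOMAIN" and looks_generated(name):
            counts[client] += 1
    return dict(counts)

def suspicious_clients(log, min_hits=3):
    """Clients whose failed lookups look like a DGA walking its candidate list."""
    return sorted(c for c, n in generated_nxdomains(log).items() if n >= min_hits)

if __name__ == "__main__":
    print(generated_nxdomains(QUERIES), suspicious_clients(QUERIES))
```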

  16. “Your Botnet is My Botnet”
     • Takeover of the Torpig botnet
       • Random domain generation + fast flux
       • Team reverse engineered domain generation algorithm
       • Registered 30 days of domains before the botmaster!
       • Full control of the botnet for 10 days
     • Goal of the botnet: theft and phishing
       • Steals credit card numbers, bank accounts, etc.
       • Researchers gathered all this data
     • Other novel point: accurate estimation of botnet size

  17. Torpig Architecture
     [Diagram: host gets infected via drive-by download → rootkit installation → trojan installation → capture banking passwords → collect stolen data; annotation: “Researchers infiltrated here”]

  18. Man-in-the-Browser Attack

  19. Stolen Information
     • Data gathered from Jan 25 - Feb 4 2009
       [Table: counts of stolen User Accounts and Bank Accounts]
     • How much is this data worth?
       • Credit cards: $0.10-$25
       • Bank accounts: $10-$1000
       • $83K-$8.3M

  20. How to Estimate Botnet Size?
     • Passive data collection methodologies
       • Honeypots
         • Infect your own machines with Trojans
         • Observe network traffic
       • Look at DNS traffic
         • Domains linked to fast flux C&C
       • Network flows
         • Analyze all packets from a large ISP and use heuristics to identify botnet traffic
     • None of these methods gives a complete picture

  21. Size of the Torpig Botnet
     • Why the disconnect between IPs and bots?
       • Dynamic IPs, short DHCP leases
     • Casts doubt on prior studies, enables more realistic estimates of botnet size
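Added example, not from the slides or the Torpig paper: why counting source IPs over a multi-day window overstates a botnet, and why a stable per-bot identifier gives the realistic count the slide refers to. The check-in log is constructed (invented bot ids, documentation-range addresses) and assumes the C&C log records such an identifier next to each client address.

```python
from collections import defaultdict

# Constructed C&C check-in log: (hour, bot id, source IP). Invented values.
# b1 gets a new DHCP address every hour, b3 changes once, b2 is stable,
# and b4/b5 share one NAT address.
CHECKINS = [
    (0, "b1", "198.51.100.7"), (1, "b1", "198.51.100.9"),
    (2, "b1", "198.51.100.21"), (3, "b1", "198.51.100.33"),
    (0, "b2", "203.0.113.5"), (1, "b2", "203.0.113.5"),
    (2, "b2", "203.0.113.5"), (3, "b2", "203.0.113.5"),
    (0, "b3", "192.0.2.40"), (2, "b3", "192.0.2.41"),
    (1, "b4", "192.0.2.99"), (1, "b5", "192.0.2.99"), (2, "b4", "192.0.2.99"),
]

def size_estimates(log):
    """(count by distinct source IP, count by distinct bot id) over the whole log."""
    return len({ip for _, _, ip in log}), len({bid for _, bid, _ in log})

def hourly_estimates(log):
    """Same two counts per hour: a short window hides the DHCP inflation,
    while NAT makes the IP count fall short in hours where b4 and b5 overlap."""
    by_hour = defaultdict(list)
    for hour, bid, ip in log:
        by_hour[hour].append((bid, ip))
    return {h: (len({ip for _, ip in v}), len({b for b, _ in v}))
            for h, v in sorted(by_hour.items())}

def ips_per_bot(log):
    """How many addresses each bot was seen from: the churn behind the disconnect."""
    seen = defaultdict(set)
    for _, bid, ip in log:
        seen[bid].add(ip)
    return {bid: len(ips) for bid, ips in seen.items()}

if __name__ == "__main__":
    ips, bots = size_estimates(CHECKINS)
    print(f"whole window: {ips} IPs vs {bots} bots ({ips / bots:.2f}x overcount)")
    print("per hour (ips, bots):", hourly_estimates(CHECKINS))
    print("addresses per bot:", ips_per_bot(CHECKINS))
```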

  22. Other botnet activity covered in class

  23. Joanap
     • Around since 2009
     • Windows worm downloaded on infected machines
     • Peer to peer architecture
     • Performed industrial espionage as well as more mundane activities

  24. “Traditional” botnet

  25. Peer to peer botnet

  26. Peer to peer botnet

  27. FBI takedown: peer poisoning
     • Each node has a list of connections
     • FBI node gives others a list of FBI nodes
     • FBI also contacts Internet Service Providers of infected hosts

  28. DrainerBot
     • Mobile ad fraud bot
     • Infected SDK:
       • Hundreds of consumer Android apps
       • Blocked by Google PlayStore? Host on regional app store
       • Mostly on cheap phones in developing nations

  29. 3ve
     • Ad fraud botnet
     • Massive infrastructure on servers augmented by botnet
     • Infected machines downloaded bad attachments, infected by drive-by downloads
     • Centralized command and control center

  30. Impression Fraud: a type of Ad Fraud

  31. Questions
     • How do botnet operators choose what to do with the infected devices?
     • How do infected devices notice that they’re in a botnet? Are there good ways to notify them or reduce the harm they do?
     • What are the benefits of a p2p architecture? C&C?
     • Compare and contrast Mirai (that we discussed much earlier) with DrainerBot. What does this tell us about the cybercriminals behind the two?
