Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"

Your Botnet is My Botnet:
Analysis of a Botnet Takeover
Presented by
Sandeep Inampudi & Jishnu Pradeep
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin
Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna

Overview
 Introduction
 Domain flux
 Taking control of the Botnet
 Botnet analysis
 Threats and data analysis
 Conclusion
 Some additional contents
 Discussion

Botnets
A Botnet is a collection of software agents, or robots that run
autonomously and automatically. The term is most
commonly associated with malicious software.
 Main motivation: recognition and financial gain.
 Bot controller can ‘rent’ services of the botnet to third
parties

Purpose of Botnets
 Botnets are the primary means for cyber-criminals to carry
out their nefarious tasks
DDOS
Attacks
Stealing
Credentials
Spamming Spreading
Malware
Manipul.
Polls/Clicks

C&C Structure
The two main types of command and control structures used
by botnets:
 Centralized mechanism (IRC Protocol)
 Decentralized (P2P) mechanism

Studying Botnets
1. Passive analysis - Study of secondary effects
that are caused by the activity of compromised
machines.
 Collected spam mails that were likely sent by bots
 Measurements focused on DNS queries
 Analyzed network traffic at the tier-1 ISP level
Two approaches:

2. Active approach - Study botnets via
infiltration.
 Using an actual malware sample or a client
simulating a bot, researchers join a botnet (as a
client) to perform analysis from the inside.
 To achieve this, honeypots, honey clients, or spam
traps are used to obtain a copy of a malware
Studying Botnets

 Attackers have unfortunately adapted:
Most current botnets use stripped-down IRC or HTTP
servers as their centralized command and control
What can be done now?
Answer: Hijack the system
 Directly seize the physical machines that host the
C&C infrastructure.
 Collaborating with domain registrars, it is possible
to change the mapping of a botnet domain to
point to a machine controlled by the defender.

TORPIG Botnet
“One of the most advanced pieces of crimeware ever created”
 Also known as Sinowal or Anserin
 Development began in 2005
 By November 2008, Torpig had stolen the details of about
500,000 online bank accounts + credit/debit cards.
 Highly sophisticated + Complex infrastructure

Functions of TORPIG
Trojan Horse
 Injects itself into 29 different applications as DLL
 Steals sensitive information such as passwords + HTTP
Post Data
 HTTP Injection for phishing
 Uses ‘encrypted’ HTTP as C&C Protocol
 Uses Doman Flux to locate C&C Server

How is it distributed?
 Torpig has been distributed to its victims as part
of Mebroot.
 A Rootkit that takes control of a machine by replacing
the system’s Master Boot Record (MBR).
 Executed at boot time, before the operating system
is loaded, and to remain undetected by most anti-
virus tools.
Mebroot is spread via drive-by-download.

HOW TORPIG DISTRIBUTES AND GETS DATA
‘Hacked’ Web Servers
Innocent Victim
Mebroot
C&C
Torpig
C&C
Injection
Server
Drive-by-download Server
<iframe>
Mebroot
Download
Stolen Data
Config. Files

Torpig HTML Injection
Domain of interests (~300) stored in config file.
 When domain of interest visited:
• Request is issued to injection server
• Server specifies a trigger page on target domain
 When triggered page is visited:
• Injection URL is requested from injection server.
• Returned content injected to user’s browser.
Content usually asks for sensitive data and reproduces look
and feel of legit site.

Man-in-the-browser Attack
Same as man-in-the-middle attack, but a Trojan Horse is used to
intercept and manipulate calls between the browser and its security
mechanisms.

Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"

Communication b/w Master and Bots
 A botnet should keep in contact with botmaster to be useful.
 Botmaster must coordinate with its bots to efficient.
 Hardcoding Domains and IPs in bots = Bad Idea
FAST FLUXING
 Way to make these schemes more flexible and robust.
 Bots would query a certain domain that is mapped onto a set
of IP addresses, which change frequently.

Fast Fluxing
Disadvantage: Single
point of Failure
Torpig solves this
issue through…..

Domain flux
 Have the bots use an algorithm to generate
domains to use on a daily/weekly basis.
 This will be called Domain Generation
Algorithm
 If a domain is blocked? The bot simply rolls
over to the following domain in the list.

Torpig’s DGA
 Each bot has same DGA
 Seeded by current date
It Generates:
 Weekly Domain (dw)
(dw.net / dw.com / dw.biz)
 Daily Domain (dd)
(dd.net / dd.org)
 If both fails, then it selects one of 3 hard coded domains
from config file of C&C.

Taking Control of Botnet
SINKHOLING: Technique used to redirect the the identification of
malicious server to own server.
Process:
1. Reverse engineer name generation algorithm & C&C.
2. Bought two domain names to be used by bots. (.com/.net)
3. Purchased hosting space from 2 providers.
4. Set up apache web servers to receive bot requests.
5. Record all traffic.
6. Downloaded and removed data from hosting provider.

Result
 Controlled the Botnet for 10 days
 After that, Mebroot (unfortunately) pushed a new binary.
 Also a domain was suspended 6 days into the attack due
to abuse complaint.
 Data:
 8.7 GB Apache Logs
 69 GB pcap data (with stolen information)

Two principles to protect
victims
 PRINCIPLE 1: The sinkholed botnet should be
operated so that any harm and/or damage to victims
and targets of attacks would be minimized.
 PRINCIPLE 2: The sinkholed botnet should collect
enough information to enable notification and
remediation of affected parties.

Torpig’s data transmission explained:
 The collected data is transferred via HTTP POST
method
 The URL contains a bot identifier ID and Submission
header.
 The body of the post request contains the stolen data.
 Both these are encrypted with Base64 and XOR.

 The submission header contains the information about
the bot from which the information is collected.
 Timestamp
 IP
 sport (SOCKS proxy)
 hport (HTTP proxy)
 os (operating system)
 cn (country name)
 nid (node id)
 bld (build)
 ver (version)

Torpig’s stolen data analysis
 Torpig steals your email clients’ credentials, email
address list, form data you submit to webpages, your
windows passwords and more
54,090
1,258,862
11,966,532
411,039
12,307
415,206
100,472
1,235,122

Botnet sizing – The problems:
 Calculating a botnet’s size is a difficult task
 Why not just count the IP addresses?
 Many computers are behind a NAT (network address
translation)
 DHCP might assign you a new IP when you log off

Botnet sizing – Torpig
 By using some unique values in the
submission header to determine the size
 nid, node id is a value based on your hard
drive’s serial number
 We use the combination of nid, os, cn, bld,
ver to identify and find the size of the torpig
botnet.
(nid, os, cn, bld, ver)

Botnet sizing (cont.)
 As a reference point, between Jan 25, 2009
and February 4, 2009, 180,835 nid values
were observed.
 After subtracting probers and researchers,
our final estimate of the botnet’s footprint is
182,800 hosts.
 Where as unique IPs were 1,247,642 which will be
a overestimation

Botnet size vs. IP count
● after initial spike, consistent diurnal
pattern
● Averaging 4690 new IPs per
hour
● after initial spike, rapid drop-off
● averaging 705 new bots per
hour

Cumulative IPs and bots per
hour
● Number of cumulative new IPsincreased
linearly
● Number of cumulative bots decayed
quickly

Using IP addresses to size
Torpig:
● Number of unique bot IPs per
hour and number of unique IPsper hour
are nearly identical
● Number if unique bot IPs per day
does not reflect the number of unique
IPsper day
This difference is a consequence of the bots contacting the C&C every 20
minutes, which occurs more frequently than the rate of DHCP churn

Observing DHCP churn
 DHCP IP allocation is dynamic
 Not guaranteed to get the same IP
 DHCP churn factor: how many IPs each host received
throughout the 10 day period
 In one instance, a single host changed IP address 694
times in this period.

New infections
 Recall that the submission
header contained a timestamp
 By counting number of bots
who had timestamp = 0 can
determine new bots
 49,294 new infections over the
research period

Botnet as a service
 Recall that the submission header has a build field
 The researchers believe this field corresponds to a
customer id
 12 different values for bld during the study
dxtrbc, eagle, gnh1, gnh2, gnh3, gnh4, gnh5, grey, grobin, grobin1, mentat, and zipp

Financial data theft
 In just the 10 days of study, torpig stole 8310 accounts
from 410 different institutions
Institutions Number of
accounts
Paypal 1,770
Poste Italiane 765
Capital one 314
E*Trade 304
Chase 217
Country Institution
s
Accounts
US 60 4,287
IT 34 1,459
DE 122 641
ES 18 228
PL 14 102
Other 162 1,593
Total 410 8,310

The money involved
 1,600 unique credit and debit card numbers were
obtained during the study
 Quantifying the net money on all the cards was
uncertain
447
1056
81 36 24
Master card Visa American
Express
Maestro Discover

The money involved (cont.)
 According to Symantec’s estimated rates in the black
market for cards and accounts, the controllers might
have earned $83K to $8.3M
 New data was continuously stolen and reported by the
bots during the 10 day period

Potential for DDOS
 During peak intervals, there were around 70,000 live
hosts on torpig
 Conservative estimate of 435 kbps pstream bandwidth
for each host
 Roughly 17 Gbps of bandwidth available to botmasters

Privacy:
 Web mail, web chats and forum messages
 250 charecters or longer on average
1. 14% about jobs/resumes
2. 7% about money and stuff
3. 6% sports fans
4. 5% about exams and worry for exams
5. 10% specifically mention security and think they are
clean

Password analysis
 Torpig stole 297,962 unique
credentials
 Researchers found that 28% of
victims reused credentials for
368,501 websites
 Strength test:
 Created a UNIX like password
file for unique passwords (about
174,000 of them)
 Fed into John the Ripper
 Cracked around 100,000
passwords in 24 hours

Conclusions:
 Unique opportunity to understand profits and
characteristics of botnets
 Previous estimation by IPs can be overestimation
 Botnet victims are users with poorly maintained
machines and with weak passwords
 People should think their computers as just another
physical possessions
 They worked with a lot of people like FBI, banks, ISPS
 Finally botnets are like an arms race between the
defenders and the bot masters. It will continue with
new trends always

Additional Reading
 Your computer is now stoned (…again!)
Click to open link
 Analysis of Sinowal
Click to open link
 Kraken Botnet Infiltration
Click to open link
 A Foray into Conficker’s Logic and Rendezvous points
Click to open link

Discussion
1. What should the users do to prevent their data theft?
2. Can the study be used to research the behavior of botmasters under different
situations?
3. Solutions to remove these from the effected computers/ out of the bot network?
4. If the botnet takeover approach used by the authors reusable or reproducible? If
not, which part is not?
5. Can SDN help in developing countermeasures against botnets?
6. How effective is domain blacklisting in stopping such botnets?
7. Torpig is said be targeting windows operating system mostly. Why do you think
they are doing so? Can torpig target other OS too?
8. How is botnet size being computed today?
9. Do you think that it was ethical to read or mine emails, even if it was done with the
intention of helping victims?

Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"

More Related Content

What's hot (20)

Similar to Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover" (20)

More from Jishnu Pradeep (6)

Recently uploaded (20)

Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"