1. Turbot “Catch me if you can”
  • Itzik Kotler, Ziv Gadot
  • Security Operation Center (SOC)
2. Agenda
  • The Motivation
  • The Turbot Botnet
  • Demo
  • Analysis
3. Motivation
4. Botnets Communication Future
  • Research scope
    • Botnets communication
    • Investigating futuristic C&C schemes
  • Methodology
    • To understand where botnet communication is heading, we first need to understand its existing problems.
5. Recent Botnets Dynamics
  • Recent botnets
    • New botnets are mostly HTTP or P2P
    • Some come with new techniques
  • Conficker
    • Conficker A, B, C: HTTP-based; 500 new domain names are generated every day using a PRNG
    • Conficker D, E: P2P
  • Conficker attempts to achieve
    • SPOF resiliency
    • Blending in with common traffic
6. SPOF Resiliency
  • Single Point Of Failure (SPOF): the ability to totally shut down the C&C by stopping a single set of resources
  • SPOF Resiliency: a merit of a C&C which has, or aims at having, no SPOF
  • Known technologies
    • P2P (decentralized)
    • Conficker PRNG domain names – failed
7. Blend into Common Traffic
  • Use the most common protocols/methods for the C&C
    • Ultimately HTTP/HTML
    • Client initiates requests
    • Legitimate sites
  • Advantages
    • Passes organization security policy
    • Avoids firewall/NAT issues
    • Minimizes the potential network fingerprint
8. SPOF Resiliency vs. Blending In
  • [Chart: two axes, "Blending in common traffic" and "SPOF resiliency", each rated Poor or Excellent]
  • Quadrants: Early Botnets, P2P Botnets, HTTP Botnets, NG Botnets (the vacuum: is it possible?)
  • Botnets plotted: Trin00 (1999), Agobot (2004), PathBot (2004), Rustock (2006), Storm (2007), Black Energy 1.7 (2007), Conficker A,B,C (2008), Twitter Botnet (2008), Kraken (2008), Conficker D,E (2009), Turbot
9. Turbot Protocol
10. Introducing: Turbot
  • Turbot is a proof-of-concept implementation of a botnet without a single point of failure over HTTP.
  • Turbot communicates solely by exchanging messages on mutually writeable resources, such as websites with User Generated Content features.
11. Internet Clipboard
  • Functionality
    • Copies any data to a specific URL, to be pasted later on a different host
    • Also supports files and pictures
  • Examples: www.cl1p.net, www.padfly.com, www.pastebin.com
  • Accessibility: no CAPTCHA, no login, since the service needs to be quick
12. Disposable E-mail Addressing (DEA)
  • Functionality
    • A disposable e-mail address used to avoid spam
    • The user can choose any e-mail address within the given domains, hand it out, and later fetch the e-mail messages
  • Examples: www.mailinator.com, www.guerrillamail.com, www.spamex.com
  • Accessibility
    • CAPTCHA, if at all, only when deleting a message
    • Sending the e-mail message can also be done through Web services (mostly offering to send large attachments easily)
13. User Generated Content
  • Functionality: user comments, mostly on news sites and blogs
  • Examples: www.moconews.net, www.sofiaecho.com
  • Accessibility
    • Many services are protected with CAPTCHA, login or active moderation; however, a significant number are not protected.
    • The comment is expected to be relevant to its location
    • The message can be encoded in the User Site field (if supported), or in a link within the message.
14. ...and even URL Shortening
  • Functionality: takes a long URL and generates a short one to replace it
  • Purposes: to prevent broken links in e-mail; to send links on Twitter
  • Examples: www.tinyurl.com, www.dwarfurl.com, www.snipurl.com
  • Alternative usability: compression service – a long message encoded as a URL is compressed to a very short URL.
15. Resources to Room Division
  • [Diagram: each resource (www.cl1p.net, www.mailinator.com, www.pastebin.com, ...) is divided into rooms; all rooms together form the Room Space]
16. A Room Example
  • [Diagram: the resource www.cl1p.net contains the room www.cl1p.net/foobar; the rooms of all resources form the Room Set]
17. Private Room
  • [Diagram: the Bot Master and a Bot share a Private Room inside the resources (www.cl1p.net, www.mailinator.com, www.pastebin.com, ...); the room is unknown to others and secured]
18. What's a Private Room?
  • A unicast channel between the bot master and a given bot
  • Benefits
    • Allows the bot master to communicate with a single bot at a given time over a secure channel
    • Allows the bot master to form a sub-group within the botnet by communicating a message to a selected number of bots (each in its private room)
    • Isolates the bots from each other: a single bot can't take down the botnet, since it knows nothing about the other bots' existence, locations and/or resources
19. Turbot I/O: Message
  • Turbot I/O is based on the HTTP protocol and allows writing and reading messages off resources.
  • Reading is usually a periodic GET request to the resource/room followed by parsing of the HTTP response.
  • Writing is usually a single POST to the resource/room.
  • [Diagram: the Bot Master and a Bot share the mutual resource http://cl1p.net/foobar; the reader issues repeated HTTP GETs while the writer issues a single HTTP POST]
20–23. Negotiating a Private Room (built up over four slides; the steps take place in the Lobby Space and the Private Room Space)
  • 1. Private Room Selection (Bot)
    • The bot randomizes a private room; the private room is permanent
    • The bot puts a handshake (BOT HELLO) message there, encrypted with the Bot Master's public key
    • The message includes a common secret
  • 2. Invitation Publishing (Bot)
    • The bot prepares an invitation that includes the private room ID, encrypted with the Bot Master's private key
    • The bot publishes the invitation in the lobby: periodically it randomizes a room in the lobby and publishes the invitation in that room
  • 3. Looking for an Invitation (Bot Master)
    • The Bot Master periodically looks for an invitation: it randomizes a room in the Lobby and checks for a message in that room ("Bingo" when one is found)
  • 4. Meeting in the Private Room (Bot Master)
    • The Bot Master decrypts the message and fetches the private room ID
    • It meets the bot in the private room and completes the handshake
24. Turbot Demo
25. Turbot Project & Source Repository
  • Written in Python and intended to be tinkered with, modified and generally experimented on.
  • http://code.google.com/p/turbot
26. Turbot Analysis
27–28. Technology vs. Problems (built up over two slides; the Turbot column is left blank here and filled in on slide 36)

  Problem group             Problem                       IRC   P2P   HTTP   Turbot
  Blend in common traffic   Corporate-policy blocking      X     X     V
                            Network footprint detection    V     X     V
                            Firewall and NAT issues        V     X     V
  SPOF                      Takedown actions               X     V     X
                            Blacklisting (IP, URL)         X     V     X
  Added on slide 28         Efficiency
                            Interrupting communication
29. Communication Efficiency
  • Assuming
    • Each bot posts 1 invitation per hour
    • The Bot Master scans 1 room per minute
    • Botnet size is 10,000
    • Lobby size is 100,000
  • Then
    • Each bot posts 720 messages per month
    • All bots together post 7,200,000 messages per month
    • The Bot Master will add a new bot every minute, ~10,000 per week
  • [Simulator screenshot]
30. Corporate-Policy Traversal
  • HTTP is always open
  • Turbot does not use HTTPS
  • Turbot does not use problematic sites (for example, anonymizers)
  • No corporate-policy issues are expected
31. Network Footprint
  • The use of HTTP and HTML makes each message a very common one.
  • Even so, it is possible that the Turbot HTTP implementation will have a unique footprint.
    • Example: sending "Turbot 1.0" in the "User-Agent" header
  • Solution: Turbot should use common libraries, such as those of IE and FF
32. Firewall/NAT Issues
  • Turbot doesn't open a port
  • Turbot always initiates the connection
  • HTTP is the most supported and reliable protocol
  • No firewall or NAT issues are expected
33. Takedown Actions
  • Whole sites – impossible, they are legitimate
  • Take down the Lobby or the Room Space – too large
  • Take down the room in which there is activity – too difficult to identify and be certain of
34. Blacklisting
  • Turbot spans many resources.
  • If at all, whole domains of legitimate services would have to be blocked in order to block the botnet.
  • The percentage of organizations that can do so is very small.
35. Communication Interrupting
  • Security agents can delete messages in the Lobby
  • The security agents are competing with the botnet's size – usually more powerful than a legitimate network
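The network-footprint point of slide 31 is the kind of thing a proxy log can be checked for. The following is an added example, not code from the deck or the Turbot project: it flags User-Agent strings outside the common browser stacks the slide names, and GET polling of one mutual resource at near-constant intervals, which is what the Turbot I/O read loop looks like from the outside. The log format, the sample lines and the jitter threshold are constructed assumptions.

```python
"""Proxy-log check for the two Turbot footprints named on the slides:
an unusual User-Agent and periodic polling of one mutual resource.
Added example, not Turbot project code; log format and samples are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# constructed line format: <ISO time> <client> <method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) "([^"]*)"$')

# User-Agent prefixes of the browser stacks the slide says a bot would blend
# into (IE and Firefox on Windows); anything else deserves a look.
COMMON_UA_PREFIXES = ("Mozilla/4.0 (compatible; MSIE", "Mozilla/5.0 (Windows")


def parse(log_text):
    """Yield (time, client, method, url, user_agent) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, ua = m.groups()
            yield datetime.fromisoformat(ts), client, method, url, ua


def unusual_user_agents(records):
    """(client, user-agent) pairs whose User-Agent is not a common browser string."""
    return sorted({(c, ua) for _, c, _, _, ua in records
                   if not ua.startswith(COMMON_UA_PREFIXES)})


def periodic_polling(records, min_requests=5, max_jitter=0.1):
    """(client, url, mean gap in seconds) for GETs repeated at near-constant intervals.

    The jitter limit (population std / mean of the gaps) is an assumed threshold."""
    times = defaultdict(list)
    for t, client, method, url, _ in records:
        if method == "GET":
            times[(client, url)].append(t)
    hits = []
    for (client, url), ts in times.items():
        if len(ts) < min_requests:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits.append((client, url, round(mean)))
    return hits


def _constructed_log():
    """Constructed sample: one Turbot-like poller and one ordinary browser."""
    start = datetime(2009, 6, 1, 10, 0, 0)
    lines = []
    for i in range(8):  # eight GETs of the same room, exactly one minute apart
        t = start + timedelta(minutes=i)
        lines.append(f'{t.isoformat()} 10.0.0.5 GET http://cl1p.net/foobar "Turbot 1.0"')
    firefox = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20090520 Firefox/3.0.11"
    for off in (0, 37, 42, 180, 195, 400):  # irregular human browsing
        t = start + timedelta(seconds=off)
        lines.append(f'{t.isoformat()} 10.0.0.9 GET http://example.com/news "{firefox}"')
    return "\n".join(lines)


def scan(log_text=None):
    """Run both checks over a log text (the constructed sample by default)."""
    records = list(parse(log_text if log_text is not None else _constructed_log()))
    return {"unusual_ua": unusual_user_agents(records),
            "polling": periodic_polling(records)}


if __name__ == "__main__":
    print(scan())
```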
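The efficiency figures of slide 29 and the message-deletion race of slide 35, as an added model that is not part of the original deck or the Turbot project. It replays the slide's assumptions (10,000 bots, a 100,000-room lobby, one invitation per bot per hour, one lobby scan per minute by the bot master) and adds a hypothetical defender that inspects a fixed number of random lobby rooms per minute and deletes what it finds; the staggered posting schedule and the one-day horizon are assumptions.

```python
"""Lobby rendezvous model for slides 29 (Communication Efficiency) and 35
(Communication Interrupting). Added example, not Turbot project code."""
import random
from dataclasses import dataclass


@dataclass
class Params:
    bots: int = 10_000               # botnet size (slide 29)
    lobby_rooms: int = 100_000       # lobby size (slide 29)
    post_interval_min: int = 60      # one invitation per bot per hour (slide 29)
    master_scans_per_min: int = 1    # bot master checks one random room per minute
    defender_scans_per_min: int = 0  # assumption: rooms a defender inspects per minute
    minutes: int = 24 * 60           # assumption: one simulated day at minute resolution
    seed: int = 1


def posts_per_month(p: Params, hours_per_month: int = 720) -> tuple[int, int]:
    """(invitations per bot, invitations for the whole botnet) in a 30-day month."""
    per_bot = hours_per_month * 60 // p.post_interval_min
    return per_bot, per_bot * p.bots


def max_enrolments_per_week(p: Params) -> int:
    """Upper bound on bots the master can meet per week: at most one per scan."""
    return p.master_scans_per_min * 60 * 24 * 7


def simulate(p: Params) -> dict:
    """Count bots the master meets in the lobby while a defender deletes messages.

    Each room holds only its latest invitation, and a bot stops posting once it
    has been met (it then talks in its private room), as the slides describe."""
    rng = random.Random(p.seed)
    lobby: dict[int, int] = {}   # room id -> bot id of the latest invitation
    enrolled: set[int] = set()
    deleted = 0
    for t in range(p.minutes):
        # assumption: posting is staggered, bot b posts when t % 60 == b % 60
        for b in range(t % p.post_interval_min, p.bots, p.post_interval_min):
            if b not in enrolled:
                lobby[rng.randrange(p.lobby_rooms)] = b
        # the defender sweeps random rooms and removes whatever it finds
        for _ in range(p.defender_scans_per_min):
            if lobby.pop(rng.randrange(p.lobby_rooms), None) is not None:
                deleted += 1
        # the bot master checks random rooms for an unclaimed invitation
        for _ in range(p.master_scans_per_min):
            b = lobby.pop(rng.randrange(p.lobby_rooms), None)
            if b is not None and b not in enrolled:
                enrolled.add(b)
    return {"enrolled": len(enrolled), "deleted": deleted,
            "lobby_fill": len(lobby) / p.lobby_rooms}


if __name__ == "__main__":
    base = Params()
    print("posts per bot / all bots per month:", posts_per_month(base))
    print("max new bots per week:", max_enrolments_per_week(base))
    print("no defender:", simulate(base))
    print("defender sweeping 600 rooms/min:",
          simulate(Params(defender_scans_per_min=600)))
```

Raising defender_scans_per_min puts the slide's "competing with botnet size" claim into numbers: the sweep rate has to reach the same order as the botnet's posting rate (about 167 invitations per minute under these assumptions) before the master's hit rate halves.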
36. Technology vs. Problems (Turbot column filled in)

  Problem group             Problem                       IRC   P2P   HTTP   Turbot
  Blend in common traffic   Corporate-policy blocking      X     X     V      V
                            Network footprint detection    V     X     V      V
                            Firewall and NAT issues        V     X     V      V
  SPOF                      Takedown actions               X     V     X      V
                            Blacklisting (IP, URL)         X     V     X      V
  Other                     Efficiency                                         V
                            Interrupting communication                         V
37. Turbot Demerits
  • Message time
    • Messages are fetched by the recipient by pulling from a common resource.
    • The time depends on the pulling frequency and is not instant.
  • Workaround: each message will contain a "next message time"
38. How Can Turbot Be Stopped?
  • Adding CAPTCHA or login to Web services
39. Questions & Answers
40. Appendix
41. Appendix Content
  • Additional Features
    • Indirect Access
    • Handle Bogus Bots
  • Additional Analysis
    • Private Channels
42. Indirect Access
  • Problem: slaves accessing the Web leave their identity
  • Solution: indirect access using online site translation services
  • Examples: Google Translate, Yahoo Babel Fish, Windows Live Translator
43. Handle Bogus Bots
  • The attack: security vendors can create numerous virtual bots to slow down communication.
  • Solution: require each bot to perform an action that will distinguish the majority of the real zombies from the bogus ones.
    • Computational work, in the form of solving a cryptologic puzzle.
    • Legal complication – ask the bot to take some verifiable illegal action, which will complicate things for security vendors: they cannot allow this.
44. Private Channels
  • Turbot is unique in having private channels
  • Pros
    • The main reason: part of the no-SPOF requirement.
    • Better control of the botnet, especially when selling/renting.
  • Cons
    • The bot master has to invest labor in the C&C
    • Broadcast over unicast can be simulated
45. The End

Turbot - A Next Generation Botnet


Editor's Notes

  • #2: Present. Greetings: My name is … I am a security researcher in the security research group, which we refer to as the Security Operation Center. This lecture is about botnets and their evolution over time.
  • #3: Agenda: Describe the 4 sections of the lecture
  • #5: Agenda. Scope: this research is about understanding the future of botnet communication, what is known as the C&C. Botnet infection techniques are out of scope; botnets' actual attacks are out of scope. Methodology: first find the problems and dynamics happening nowadays.
  • #6: Agenda. Dynamics: there has been a lot going on in the past years; P2P botnets, HTTP botnets, not so many IRC botnets. Conficker: explain how Conficker works; even if the bot-herder loses the battle, he doesn't lose the war. Conficker attempts to achieve: these two properties are the most important factors of botnets nowadays.
  • #7: Agenda. SPOF: what is SPOF; example: IRC. SPOF Resiliency: what is SPOF resiliency.
  • #8: Agenda. What is it? Why is it good?
  • #9: Agenda. What is this diagram? We put those 2 factors on a graph and try to see how recent and past botnets are performing with respect to these 2 factors. Explain the axes. Early botnets: did not invest much effort in excelling in either of the two; Agobot. P2P botnets: Storm, Conficker; their trademark is their SPOF resiliency. HTTP botnets: Twitter botnets; the novelty of the botnet is that it did not use a proprietary server but abused a public resource. NG botnets: the gap. What we noticed is that there is a gap: botnets do not yet excel on both parameters.
  • #40: Repeat each question
  • #41: Repeat each question
  • #46: Repeat each question