Post on 21-Dec-2015
463.4 Botnets
Computer Security II, CS463/ECE424
University of Illinois
Overview
• Discussion in two parts
– Motives and analysis techniques
– Architectures and strategies
463.5.1 Motives and Analysis Techniques for Botnets
What are Botnets?
• A botnet is a collection of compromised machines (bots) remotely controlled by an attacker
• They are used for various forms of illegal activity
• Why the need for compromised machines?
– Save money on provisioning
– Obscure the controlling party by the use of stepping stones
• Why the need for multiple compromised machines?
– Defending against multiple machines is harder: DDoS and dynamic blacklisting
Underground Cyber-Markets
• An “underground” market is one that operates outside of government regulation, often dealing in illegal goods or services
• Examples: drugs, prostitution
• The underground cyber-markets are ones where underground commerce is carried out over the Internet
What’s the Supply and Demand? [FranklinPPS07]
Internet Relay Chat (IRC) Channels
• IETF protocol for message exchange
• IRC client connects to a server identifying itself with a nickname (“nick”) and joins a channel
• Client can broadcast on the channel or deliver messages privately on the channel
• Channel manager may supply supplementary services to users
IRC Roles for Botnets
• Connect buyers and sellers
• Control botnet
• Broadcast nature of IRC aids untraceable communication
Targeted Applications
• Extortion
– Cryptoviral extortion
– DoS
• Fraud (viz. identity theft)
– Bank accounts
– Credit cards
• SPAM
– Direct advertising
– Fraud
Roles of Participants
• Buyers: seek to make money off scams
• Carders: provide credit card data
• Cashiers: provide ways to convert these to cash
• Droppers: enable pick-ups of merchandise purchased with credit cards
• Rippers: take payment without providing service
• Operators: channel owners who provide integrity services like “verified status”
Buyer
<buyer a> need fresh US Fullz Msg Me Fast If U have Am Payin E-gold.
<buyer b> i buy uk cc's ..prv me only serios ppl 4 good dill.
<buyer c> Looking to buy HSBC debit with pins and CC's......
Carder
<carder a> selling US (Visa, Master) $2, UK (Barclay) $3. e-gold only
<carder b> selling us, uk fresh fulls (master & visa) $10. I accept paypal or e-gold
<carder c> Am Selling US, UK Mastercard, Visa, and American Express Fulls, Fresh and 100% valid, WIth DOB, SSN, DL.
Cashier
<cashier a> i Cash Out Wells fargo, Boa, Nation Wide, Chase, WachoviA, WaMu, Citibank, Halifax Msg me.
<cashier b> I Cashout Skimmed Dumps + Pins 30/70 % Split i Take 30% You Take 70%.
<cashier c> can cashout cvv's via WU terminal agent. 500-700 $ per cvv's pvt me for more info.
Dropper
<drop a> i drop in usa i can pick any name.
<user b> F@!k drops man, I ship to my friends house, no fee.
<user c> u will lose ur friends soon! ^^
<user d> I guess some friends are expendable!
Ripper
<ripper> Selling software to verify your cvv2. Great for carders, payment is $10.
<ripper> Selling database of 350,000 cvv2! msg me fast for good deal!!!
Operator
<@operator a> If you want verified status msg me, cost is $50.
<@operator b> To become verified pm any @op.
Market Demand and Activity
• Markets are active: ~64,000 msgs / day
• Large volume of sensitive data
– 4k SSNs, $55 million in vulnerable accounts [FranklinPPS07]
Pricing
• Sale ads often dominate want ads
• Lower barrier to entry – even for n00bs
Pricing
• Pricing for compromised hosts varies
• Significant demand for root access
Making Money with SPAM
• IronPort claimed that, as of 2006, 80% of SPAM was sent by bots
– Direct Advertising
– Penny Stocks
– Click-fraud
– Phishing
• Services Available in Market
1) Mailers
2) Targeting Mailing Lists
3) Scam Hosting Infrastructure
4) Phishing Pages
[IronPort06]
How Do I Get My (Stolen) Money?
• E-gold (Nevis, Lesser Antilles) was fined $3.7 million for “conspiracy to engage in money laundering” and the “operation of an unlicensed money transmitting business”.
• Western Union requires in-country initiation, and transfers over $1K require a passport, SSN, and driver’s license number
• Drops provide an out-of-band approach
• Colorful strategies: touts, gambling, Lindens, etc.
Analyzing Bots
• Examine source code
• Attract compromise with a honeypot
– Honeynet project
• Observe public communications and collect statistics
– By manual analysis
– Using attribute searches
– Using machine learning
• Compromise a bot and observe its activities
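The "attribute searches" bullet above is the kind of analysis [FranklinPPS07] ran over public channel traffic: tag each message with the data types and services it mentions, then count. The script below is an added example, not the paper's tooling; the attribute regexes are a hypothetical vocabulary of this editor's choosing, and the input is the advertisement lines quoted on the preceding slides.

```python
import re
from collections import Counter

# Constructed sample: the advertisement lines quoted on the slides above, one message per entry.
SAMPLE_MESSAGES = [
    "<buyer a> need fresh US Fullz Msg Me Fast If U have Am Payin E-gold.",
    "<buyer c> Looking to buy HSBC debit with pins and CC's......",
    "<carder a> selling US (Visa, Master) $2, UK (Barclay) $3. e-gold only",
    "<carder c> Am Selling US, UK Mastercard, Visa, and American Express Fulls, Fresh and 100% valid, WIth DOB, SSN, DL.",
    "<cashier a> i Cash Out Wells fargo, Boa, Nation Wide, Chase, WachoviA, WaMu, Citibank, Halifax Msg me.",
    "<cashier c> can cashout cvv's via WU terminal agent. 500-700 $ per cvv's pvt me for more info.",
    "<drop a> i drop in usa i can pick any name.",
    "<ripper> Selling database of 350,000 cvv2! msg me fast for good deal!!!",
    "<@operator a> If you want verified status msg me, cost is $50.",
    "<user c> u will lose ur friends soon! ^^",
]

# Hypothetical attribute vocabulary: each regex names a kind of data or service on offer.
ATTRIBUTES = {
    "card_data": re.compile(r"\b(cc'?s?|cvv2?'?s?|fullz?|fulls|dumps|mastercard|visa)\b", re.I),
    "identity_data": re.compile(r"\b(ssn|dob|dl)\b", re.I),
    "bank_account": re.compile(r"\b(hsbc|wells fargo|boa|chase|citibank|halifax|wamu|debit)\b", re.I),
    "cashout": re.compile(r"\bcash ?out\b", re.I),
    "drop": re.compile(r"\bdrop\b", re.I),
    "verified_status": re.compile(r"\bverified\b", re.I),
    "payment": re.compile(r"\b(e-gold|paypal|wu)\b", re.I),
}
SELL_RE = re.compile(r"\bsell(ing)?\b", re.I)
BUY_RE = re.compile(r"\b(buy|need)\b", re.I)
NICK_RE = re.compile(r"^<@?([^>]+)>")


def tag_message(msg):
    """Return (nick, ad type, set of attribute names) for one IRC line."""
    m = NICK_RE.match(msg)
    nick = m.group(1) if m else "?"
    side = "sell" if SELL_RE.search(msg) else ("buy" if BUY_RE.search(msg) else "other")
    attrs = {name for name, rx in ATTRIBUTES.items() if rx.search(msg)}
    return nick, side, attrs


def market_stats(messages):
    """Count sale vs want ads and how often each attribute is mentioned across the channel."""
    sides, attrs = Counter(), Counter()
    for msg in messages:
        _, side, found = tag_message(msg)
        sides[side] += 1
        attrs.update(found)
    return sides, attrs
```

On the slides' own sample, sale ads already outnumber want ads and card data is the most advertised attribute, matching the "sale ads often dominate" observation above.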
Reading List
• [FranklinPPS07] An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage. CCS 2007.
• [ThomasA07] Cashing Out: Exploring Underground Economies, Kurt Thomas and David Albrecht. Manuscript 2007.
Discussion
• Assuming an IRC channel, speculate on strategies for reducing the effectiveness of the underground cyber-market.
• How far can/should a honeynet go to gather information about malware?
463.5.2 Botnet Architectures and Strategies
Botnet Recruitment/Propagation
• Bot code is installed on compromised machines using many different techniques
– Scan for victims with vulnerabilities
• Horizontal scans across an address range
• Vertical scans across a range of ports
– Look for backdoors or vulnerable software
• Bagle and MyDoom worms left backdoors that allow arbitrary code to be executed on the machine
– Hide bot code in legitimate files placed in open file shares and on peer-to-peer networks
– Send spam email with attachments infected with bot code
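The horizontal/vertical distinction above is also how a network defender tells the two recruitment scans apart in flow data: one source touching many hosts on a single port versus one source walking many ports on a single host. The detector below is an added example, not from the slides or any cited paper; the connection log is constructed, and the threshold is an assumption to tune per network.

```python
from collections import defaultdict

# Constructed sample connection log (not real traffic): "src dst dport", one attempt per line.
# 10.0.0.5 sweeps an address range on one port (the Bagle backdoor port 2745 named later in
# the deck), 10.0.0.9 walks many ports on one host, and 10.0.0.3 is ordinary web traffic.
SAMPLE_LOG = """\
10.0.0.5 192.168.1.10 2745
10.0.0.5 192.168.1.11 2745
10.0.0.5 192.168.1.12 2745
10.0.0.5 192.168.1.13 2745
10.0.0.5 192.168.1.14 2745
10.0.0.5 192.168.1.15 2745
10.0.0.9 192.168.1.20 135
10.0.0.9 192.168.1.20 139
10.0.0.9 192.168.1.20 445
10.0.0.9 192.168.1.20 1433
10.0.0.9 192.168.1.20 2745
10.0.0.9 192.168.1.20 3127
10.0.0.3 192.168.1.30 80
10.0.0.3 192.168.1.30 443
"""


def parse_log(text):
    """Turn the text log into (src, dst, port) tuples."""
    rows = []
    for line in text.splitlines():
        src, dst, port = line.split()
        rows.append((src, dst, int(port)))
    return rows


def classify_scanners(flows, threshold=5):
    """Horizontal scan: one source hits >= threshold distinct hosts on the same port.
    Vertical scan: one source hits >= threshold distinct ports on the same host."""
    hosts_by_src_port = defaultdict(set)   # (src, port) -> hosts contacted
    ports_by_src_host = defaultdict(set)   # (src, dst)  -> ports contacted
    for src, dst, port in flows:
        hosts_by_src_port[(src, port)].add(dst)
        ports_by_src_host[(src, dst)].add(port)
    verdicts = {}
    for (src, port), hosts in hosts_by_src_port.items():
        if len(hosts) >= threshold:
            verdicts[src] = ("horizontal", port, len(hosts))
    for (src, dst), ports in ports_by_src_host.items():
        if len(ports) >= threshold:
            verdicts[src] = ("vertical", dst, len(ports))
    return verdicts
```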
Botnet Maintenance/Control
• After a computer has been compromised, the bot has several goals
– Fortify the system against other malicious attacks
– Disable anti-virus software
– Harvest sensitive information
• The attacker issues commands to the bots
– Download updates to the bot code
– Download patches to prevent other botnets from capturing the machine
– Participate in the botnet “work”: send spam and phishing emails, contribute to DDoS attack, etc.
IRC Botnet in a DDoS Attack [CookeJM05]
Case Study: Agobot [BarfordY07]
• Architecture
• Botnet control mechanisms
• Host control mechanisms
• Propagation mechanisms
• Target exploits and attack mechanisms
• Malware delivery mechanisms
• Obfuscation methods
• Deception strategies
Architecture
• Source code was released publicly around 2002
• IRC-based command and control
• DoS attack library
• Limited polymorphic obfuscations
• Harvests Paypal passwords, AOL keys, etc.
• Defends compromised system
• Anti-disassembly mechanisms
• Built with good SE practices
Botnet Control Mechanisms
Host Control Mechanisms
Propagation Mechanisms
Exploits and Attack Mechanisms Part 1 of 2
1. Bagle scanner: scans for back doors left by Bagle variants on port 2745.
2. Dcom scanners (1/2): scans for the well known DCE-RPC buffer overflow.
3. MyDoom scanner: scans for back doors left by variants of the MyDoom worm on port 3127.
4. Dameware scanner: scans for vulnerable versions of the Dameware network administration tool.
5. NetBIOS scanner: brute force password scanning for open NetBIOS shares.
6. Radmin scanner: scans for the Radmin buffer overflow.
7. MS-SQL scanner: brute force password scanning for open SQL servers.
8. Generic DDoS module
Exploits and Attack Mechanisms Part 2 of 2
Malware Delivery Mechanisms
• Agobot first exploits a vulnerability and uses this to open a shell on the remote host.
• The encoded malware binary is then uploaded using either HTTP or FTP.
• This separation enables an encoder to be used across exploits, thereby streamlining the codebase and potentially diversifying the resulting bit streams.
Obfuscation Mechanisms
• A limited set of operations provide some ability to diversify the transfer file
– POLY TYPE XOR
– POLY TYPE SWAP (swap consecutive bytes)
– POLY TYPE ROR (rotate right)
– POLY TYPE ROL (rotate left)
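The four operations above are weak enough that an analyst holding a captured transfer file can recover the original by trying every inverse and checking for a known header. The script below is an added example by this editor, not Agobot code; the "transfer file" is a constructed byte string whose first four bytes mimic a PE header, and the marker-based check is an assumption about what the decoded file should start with.

```python
# Constructed sample "transfer file": starts with the PE header bytes (MZ, 0x90, 0x00) an
# analyst would expect to see once the encoding is undone. Not a real binary.
SAMPLE_PLAIN = b"MZ\x90\x00" + bytes(range(4, 64))
MARKER = b"MZ\x90\x00"  # 4 bytes: a 2-byte "MZ" is too short (SWAP + XOR 0x17 also yields "MZ")


def ror8(b, n):
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def transform(data, kind, param=0):
    """Apply one Agobot-style POLY TYPE operation to the whole byte string."""
    if kind == "XOR":                      # XOR every byte with a one-byte key
        return bytes(b ^ param for b in data)
    if kind == "SWAP":                     # swap each pair of consecutive bytes
        out = bytearray(data)
        for i in range(0, len(out) - 1, 2):
            out[i], out[i + 1] = out[i + 1], out[i]
        return bytes(out)
    if kind == "ROR":                      # rotate every byte right by param bits
        return bytes(ror8(b, param) for b in data)
    if kind == "ROL":                      # rotate left by n == rotate right by 8 - n
        return bytes(ror8(b, 8 - param) for b in data)
    raise ValueError(kind)


def identify(blob, marker=MARKER):
    """Undo each candidate transform and report the one whose output starts with the marker.
    ROL is not tried separately: ROL n is the same operation as ROR 8-n, so a ROL-encoded
    sample is reported as ROR (8-n). Returns (kind, param, decoded) or None."""
    inverses = [("XOR", k, "XOR", k) for k in range(256)]        # XOR is its own inverse
    inverses.append(("SWAP", 0, "SWAP", 0))                       # so is SWAP
    inverses += [("ROR", n, "ROL", n) for n in range(1, 8)]       # ROR n is undone by ROL n
    for kind, param, inv_kind, inv_param in inverses:
        decoded = transform(blob, inv_kind, inv_param)
        if decoded.startswith(marker):
            return kind, param, decoded
    return None
```

The whole candidate space is 256 + 1 + 7 inverses, which is why the "limited set of operations" diversifies bit streams against exact-match signatures but not against a detector that normalises before matching.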
Deception Mechanisms Part 1 of 2
• Deception refers to the mechanisms used to evade detection once a bot is installed on a target host.
• These mechanisms are also referred to as rootkits.
Deception Mechanisms Part 2 of 2
• In Agobot the following defenses are included:
– Testing for debuggers such as OllyDebug, SoftIce and procdump,
– Testing for VMWare,
– Killing anti-virus processes, and
– Altering DNS entries of anti-virus software companies to point to localhost.
Beyond Agobot: Evolving Botnet Structure
• Original command-and-control mechanism
– Internet Relay Chat (IRC) channels
– Centralized control structure
• Improved command-and-control mechanism
– Peer-to-peer (P2P) networks
– Decentralized control structure
– More difficult to dismantle than IRC botnets
P2P Botnets
• While IRC bots simply connect to their IRC server, P2P bots must follow a series of steps to connect with their P2P network
• The initial P2P bot code contains a list of possible peers and code that attempts to connect the bot with the P2P network
• After the bot joins the network, the peer list is updated
• Then the bot searches the network and downloads the secondary injection code (code that instructs the bot to send spam or perform other malicious activities)
Case Study: Storm Worm
• First major botnet to employ peer-to-peer command-and-control structure
• Appeared in 2006, gained prominence in January 2007
• MS estimated 500,000 bots as of September 2007
• Recruits new bots using a variety of attack vectors
– Email messages with executable attachments
– Email messages with links to infected sites
– E-card spam
• Uses computing power of compromised machines
– Sends and relays SPAM
– Hosts the exploits and binaries
– Conducts DDoS attacks on anti-spam websites and security researchers probing the botnet
Social Engineering with Email Headers
• “230 dead as storm batters Europe,”
• “A killer at 11, he’s free at 21 and kill again!,”
• “British Muslims Genocide,”
• “Naked teens attack home director,”
• “Re: Your text,”
• “Russian missile shot down USA satellite,”
• “US Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel.”
Effectiveness of Storm [Smith08]
Storm Worm Botnet Infection Process
1. Victim downloads and runs Trojan executable file
– Kernel mode driver component wincom32.sys
– Initialization file component peers.ini
– Malware inserts itself into services.exe process
2. Malware connects with peers on P2P network
– Uses initial list of 146 peers to connect to P2P network
– Updates peer list with close peers
– Searches for encrypted URL of payload
3. Malware downloads full payload
– Decrypts URL of payload
– Downloads code that sends spam, participates in DDoS attacks, etc.
4. Malware executes code under the control of the botnet
– Bots can periodically search the P2P network for code updates
Control Architecture
Overnet Protocol
• Overnet is a P2P protocol based on the Kademlia algorithm
• It was created from the file sharing community eDonkey2000
• Overnet and eDonkey2000 had an estimated total of 645,000 users as of 2006
• Both were shut down by legal actions of the RIAA in 2006
Distributed Hash Tables (DHT)
• Kademlia, and hence also Overnet and Storm, are DHT protocols
• A DHT network manages a collection of nodes that store (key, value) pairs
• A DHT can support large scale storage in a robust decentralized system
• Key concepts
– Key space partitioning
– Overlay network
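The two key concepts above, key space partitioning and the overlay, both follow from Kademlia's XOR distance metric, and they are what makes a Storm-style network hard to dismantle: no node is special, and a lookup for a key routes itself through whichever peers happen to be closest. The code below is an added illustration written by this editor, not Overnet or Storm code; node IDs and the peer lists each node "returns" are constructed, and the lookup is a simplified simulation of Kademlia's iterative procedure.

```python
import hashlib

# Constructed sample: node IDs are derived from labels so the example is self-contained;
# real Overnet/Kademlia nodes pick random IDs (128 bits in Overnet, 160 in Kademlia).
def node_id(label, bits=160):
    """Hypothetical helper: hash a label to a bits-wide integer node ID."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big") >> (160 - bits)


def xor_distance(a, b):
    """Kademlia's metric: d(a, b) = a XOR b, compared as an unsigned integer."""
    return a ^ b


def closest_nodes(key, node_ids, k=3):
    """The k nodes nearest to key in XOR distance are the ones responsible for storing it."""
    return sorted(node_ids, key=lambda n: xor_distance(n, key))[:k]


def bucket_index(self_id, other_id):
    """Key space partitioning: a peer goes into bucket i when the highest differing bit is bit i,
    so bucket i covers the part of the key space at distance [2^i, 2^(i+1)) from self_id."""
    d = xor_distance(self_id, other_id)
    return d.bit_length() - 1 if d else None


def partition(self_id, node_ids):
    """Group known peers into their k-buckets as seen from self_id."""
    buckets = {}
    for n in node_ids:
        i = bucket_index(self_id, n)
        if i is not None:
            buckets.setdefault(i, []).append(n)
    return buckets


def iterative_lookup(start, key, peers_of, alpha=3):
    """Simulate a node lookup over the overlay: query the alpha closest unqueried nodes we
    know, merge the peers they return, and stop when nothing closer turns up.
    peers_of maps a node ID to the peer list that node would return (constructed)."""
    known, queried = {start}, set()
    while True:
        by_distance = sorted(known, key=lambda n: xor_distance(n, key))
        batch = [n for n in by_distance if n not in queried][:alpha]
        if not batch:
            return closest_nodes(key, known)
        for n in batch:
            queried.add(n)
            known.update(peers_of.get(n, ()))
```

Taking down any single peer in `peers_of` only removes one hop; as long as some path of peer lists still leads toward the key, the lookup converges, which is the "more difficult to dismantle" property of the earlier slide.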
Storm Worm Botnet: Anti-malware Response
• Botnet variations make signature-based detection difficult
– New email subject lines and file attachment names
– Re-encoded malware binary twice per hour
• Anti-malware Response
– Microsoft Malicious Software Removal Tool patch issued in September 2007
• Correlated with 20% drop in size of the Storm Worm botnet
• Shows that aggressive removal of bots from botnet can make a significant impact on the size of the botnet
Reading List
• [CookeJM05] The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets, Evan Cooke, Farnam Jahanian, and Danny McPherson. Steps to Reducing Unwanted Traffic on the Internet Workshop, SRUTI 2005.
• [BarfordY07] An Inside Look at Botnets, Paul Barford and Vinod Yegneswaran. Advances in Computer Security, Springer 2007.
• [Smith08] A Storm (Worm) Is Brewing, Brad Smith. IEEE Computer, vol. 41, no. 2, pp. 20-22, Feb. 2008.
Discussion
• Botnets seem like a major challenge today. How long do you think they will continue as a problem?
• Storm represents a cross-over between the file sharing community and the underground cyber-market (viz. SPAM). Conjecture on similar synergies that might emerge in the future.