botnets - UW Computer Sciences user pages: pages.cs.wisc.edu/~ace/media/lectures/botnets.pdf
Today: Malware & botnets / Uses / Command and Control / Size estimation
Botnets
• Botnets:
  – Command and Control (C&C)
  – Zombie hosts (bots)
• C&C type:
  – centralized, peer-to-peer
• Infection vector:
  – spam, scanning, worm (self-propagating virus)
• Usage: ?
How to make money off a botnet?
• Rental – "Pay me money, and I'll let you use my botnet… no questions asked"
• DDoS extortion – "Pay me or I take your legitimate business off the web"
• Bulk traffic selling – "Pay me to direct bots to websites to boost visit counts"
• Click fraud, SEO – "Simulate clicks on advertised links to generate revenue" – Cloaking, link farms, etc.
• Theft of monetizable information (e.g., financial accounts)
• Ransomware – "I've encrypted your hard drive, now pay me money to decrypt it"
• Advertise products
think-pair-share
Torpig Botnet
• 2005-2009?
• 50k-180k bots
• 2008: "Most advanced piece of crimeware ever built"
• Used domain flux to contact command and control (C&C) servers
• Hijacked by UC Santa Barbara researchers and studied for 10 days
[Your Botnet is My Botnet: Analysis of a Botnet Takeover, ACM CCS 2009, Stone-Gross et al.]
How to join a Torpig botnet
1: Click on a dodgy link to a vulnerable website
2-4: Download the Mebroot malware (an MBR rootkit)
5: Mebroot downloads the Torpig DLL (you're a bot!)
6: Upload all your sensitive data to the Torpig C&C
7: Profit! (not yours)
think-pair-share: What are defenses?
Domain Flux
• Each bot generates candidate domain names for C&C servers (the generation algorithm is deterministic and seeded by the current date, so anyone who reverse-engineers it computes the same list)
• Probe each one, use the first one that talks the C&C protocol
• Researchers ran the algorithm forward several weeks
• Discovered un-registered domains and registered them
• Set up their own C&C server
• Your botnet is my botnet
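The domain-flux mechanism and the researchers' run-it-forward takeover, as an added example. This is a toy domain generation algorithm (DGA) keyed to the ISO week, written for this page; it is not Torpig's real algorithm, and the seed, TLD list, "C2-HELLO" banner, dates and registry contents are all assumptions constructed here, not values from the lecture or the paper.

```python
"""Domain flux: bot-side candidate generation and probing, defender-side run-forward."""
import hashlib
from datetime import date, timedelta
from typing import Callable, Optional

# Hypothetical constants (assumptions for this example, not Torpig's real values).
SEED = b"example-dga-seed"
TLDS = ("com", "net", "biz")
C2_BANNER = b"C2-HELLO"      # what a server speaking this toy C&C protocol answers


def generate_domains(day: date, count: int = 3):
    """Derive `count` candidate C&C domains for the ISO week containing `day`.
    Deterministic: every bot, the operator, and a researcher who has reversed
    the algorithm all compute the same list for the same week."""
    year, week, _ = day.isocalendar()
    material = SEED + f"{year}-{week:02d}".encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(material + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def choose_c2(candidates, probe: Callable[[str], Optional[bytes]]) -> Optional[str]:
    """Bot side: probe candidates in order and use the first host that talks the
    C&C protocol. `probe` returns the server's reply, or None if unreachable."""
    for domain in candidates:
        reply = probe(domain)
        if reply is not None and reply.startswith(C2_BANNER):
            return domain
    return None


def run_forward(start: date, weeks: int) -> dict:
    """Defender side: run the DGA forward to learn which domains bots will try."""
    return {
        start + timedelta(weeks=w): generate_domains(start + timedelta(weeks=w))
        for w in range(weeks)
    }


def unregistered(domains, registry) -> list:
    """Domains nobody has registered yet: the ones a sinkhole operator can buy."""
    return [d for d in domains if d not in registry]


# --- Constructed scenario (hypothetical dates, not data from the paper) --------
WEEK0 = date(2009, 1, 26)


def simulate():
    # The operator registered only the first candidate of week 0.
    registry = {generate_domains(WEEK0)[0]: C2_BANNER + b" operator"}
    # Researchers run the DGA forward three weeks and register every still-free
    # domain, answering with the protocol banner so bots accept the sinkhole.
    for _day, doms in run_forward(WEEK0 + timedelta(weeks=1), 3).items():
        for d in unregistered(doms, registry):
            registry[d] = C2_BANNER + b" sinkhole"
    probe = lambda d: registry.get(d)   # offline stand-in for DNS lookup + TCP probe
    week0 = choose_c2(generate_domains(WEEK0), probe)
    week1 = choose_c2(generate_domains(WEEK0 + timedelta(weeks=1)), probe)
    return week0, week1, registry


if __name__ == "__main__":
    w0, w1, reg = simulate()
    print("week 0 bots talk to:", w0, reg[w0].decode())
    print("week 1 bots talk to:", w1, reg[w1].decode())
```

In week 0 the bots reach the operator; from week 1 on every candidate resolves to the sinkhole, so the bots report there instead. Two practical caveats follow from the code: the sinkhole must answer the protocol well enough that bots accept it (here the banner check), and the takeover lasts only as long as the algorithm does. In the paper the takeover ended after 10 days when the botmasters pushed an updated Torpig that used a different domain-generation scheme.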
Stealing a botnet
• Researchers bought two domains and hosting
• Put up a C&C server to capture all information reported by bots
• Controlled the Torpig botnet for 10 days
• Captured 70 GB of stolen information
• Used these data to study how big the botnet was and what it did (crime)
• Hijacking the C&C domains so that bots report to a server you control is called sinkholing
Estimating botnet size
• Torpig bots report to C&C servers using a unique bot ID
• Useful for correctly estimating size: counting distinct source IP addresses overcounts bots whose address changes over time (DHCP churn) and undercounts bots that share one address (NAT); counting distinct bot IDs avoids both errors
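The two estimators side by side, as an added example that is not from the paper. It runs over a constructed check-in log; the `nid=` field name, the addresses and the bot IDs are assumptions made for this example, not Torpig's real header format or data.

```python
"""Botnet size estimation: distinct IPs vs distinct bot IDs from C&C check-ins."""
import re
from collections import defaultdict

# Constructed check-in log, one line per bot report: "<timestamp> <source IP> nid=<bot id>".
# Bots a1 and b2 hop between addresses (DHCP churn); c3, d4 and e5 sit behind
# one NAT gateway. All values are made up for this example.
SAMPLE_LOG = """\
2009-01-26T08:00:02 203.0.113.10 nid=a1
2009-01-26T08:00:05 203.0.113.11 nid=b2
2009-01-26T08:00:09 198.51.100.7 nid=c3
2009-01-26T08:00:09 198.51.100.7 nid=d4
2009-01-26T08:00:09 198.51.100.7 nid=e5
2009-01-26T09:12:40 203.0.113.12 nid=a1
2009-01-26T10:30:11 203.0.113.13 nid=a1
2009-01-26T20:45:01 203.0.113.22 nid=b2
2009-01-27T08:00:03 203.0.113.31 nid=a1
2009-01-27T08:01:44 203.0.113.32 nid=b2
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+nid=(\w+)$")


def parse(log: str):
    """Return (timestamp, ip, bot_id) tuples; malformed lines are skipped, not fatal."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def estimate(records) -> dict:
    """Count the population both ways and report where the two estimators diverge."""
    ips_per_bot = defaultdict(set)   # bot id -> addresses it reported from
    bots_per_ip = defaultdict(set)   # address -> bot ids seen behind it
    for _ts, ip, nid in records:
        ips_per_bot[nid].add(ip)
        bots_per_ip[ip].add(nid)
    return {
        "unique_ips": len(bots_per_ip),          # naive estimate
        "unique_ids": len(ips_per_bot),          # ID-based estimate
        # bots that changed address: each inflates the IP count by (n - 1)
        "churning_bots": {nid: len(ips) for nid, ips in ips_per_bot.items() if len(ips) > 1},
        # addresses hiding several bots: each deflates the IP count by (n - 1)
        "nat_gateways": {ip: len(ids) for ip, ids in bots_per_ip.items() if len(ids) > 1},
    }


def summary() -> dict:
    return estimate(parse(SAMPLE_LOG))


if __name__ == "__main__":
    s = summary()
    print(f"by IP address: {s['unique_ips']} bots; by bot ID: {s['unique_ids']} bots")
    print("churning bots (id -> #addresses):", s["churning_bots"])
    print("NAT gateways (address -> #bots):", s["nat_gateways"])
```

On this sample the IP-based count is 8 while there are only 5 bots: two churning bots add five phantom hosts, and the NAT gateway hides two. The ID-based count is only as good as the ID, so before trusting it check that the identifier is stable across reboots and address changes and is not trivially spoofable by a bot that wants to inflate or hide the population.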
Stealing Financial Accounts
In 10 days, stolen accounts from:
- PayPal (1,770)
- Poste Italiane (765)
- Capital One (314)
- E*Trade (304)
- Chase (217)
Ethics
Two principles to protect victims:
● PRINCIPLE 1. The sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized.
● PRINCIPLE 2. The sinkholed botnet should collect enough information to enable notification and remediation of affected parties.
Recap: Malware + botnets / Botnet uses / Architecture / Domain flux, C&C hijacking