cloud - UW Computer Sciences User Pages (pages.cs.wisc.edu/~ace/media/lectures/cloud.pdf)
Page 1: cloud computing & e-crime
Page 3: announcements
HW4 due in one week
This week: cloud computing and malware & e-crime
Next week: Bitcoin and Android security
Friday, May 6: Exam review session
Sunday, May 8: Final exam
Page 4: today
Cloud computing and placement vulnerabilities
Malware, botnets, and crime
Page 5: Cloud Services
VMs: Infrastructure-as-a-service
Storage
Web cache / TLS termination
Page 6: A simplified model of public cloud computing
(figure: infrastructure owned/operated by the cloud provider; User A and User B each run virtual machines (VMs) on top of a Virtual Machine Manager)
Users run Virtual Machines (VMs) on the cloud provider's infrastructure
The Virtual Machine Manager (VMM) manages physical server resources for VMs
To the VM, it should look like a dedicated server
Multitenancy (users share physical resources)
Page 7: A new threat model
(figure: User A and a bad guy both run VMs on the same provider infrastructure)
Attacker identifies one or more victim VMs in the cloud
1) Achieve advantageous placement via launching of VM instances
2) Launch attacks using physical proximity: exploit VMM vulnerability, side-channel attack, DoS
Page 8: Anatomy of attack
Placement vulnerability: attackers can knowingly achieve co-residence with target
Achieving co-residence: brute forcing placement; instance flooding after target launches
Checking for co-residence: check that VM is on same server as target - network-based co-residence checks - efficacy confirmed by covert channels
Location-based attacks: side-channels, DoS, escape-from-VM
Page 9: Cross-VM side channels using CPU cache contention
(figure: Attacker VM and Victim VM share main memory and the CPU data cache)
1) Read in a large array (fill CPU cache with attacker data)
2) Busy loop (allow victim to run)
3) Measure time to read large array (the load measurement)
Page 10: Cache-based cross-VM load measurement on EC2
(figure: one instance performs cache load measurements while a second instance running an Apache server receives repeated HTTP GET requests; plots labelled "Instances co-resident", "Instances co-resident", "Instances NOT co-resident")
3 pairs of instances, 2 pairs co-resident and 1 not; 100 cache load measurements during HTTP GETs (1024 byte page) and with no HTTP GETs
[Hey, You, Get Off of My Cloud, 2009, Ristenpart, et al.]
Page 11: Anatomy of attack
Placement vulnerability: attackers can knowingly achieve co-residence with target
Achieving co-residence: brute forcing placement; instance flooding after target launches
Checking for co-residence: check that VM is on same server as target - network-based co-residence checks - efficacy confirmed by covert channels
Location-based attacks: side-channels, DoS, escape-from-VM
Page 12: How hard should co-location be?
- Random placement policy
- N = 50k machines
- v = # victim VMs, a = # attacker VMs
- Probability of collision: Pc = 1 - (1 - v/N)^a
(figure: User A and bad guy)
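As an added worked example (my own code, not from the slides or the cited papers), the slide's collision probability evaluated in Python with the slide's N = 50k: `collision_probability` computes Pc = 1 - (1 - v/N)^a, and `attacker_vms_needed` inverts it to give the smallest number of instances a uniformly random placement policy forces an attacker to launch before Pc reaches a chosen level. The function names, the assumption that v victim VMs sit on v distinct machines, and the sample (v, target) values are mine; the formula and N are the slide's.

```python
import math

N_MACHINES = 50_000  # N = 50k machines, as on the slide


def collision_probability(v: int, a: int, n: int = N_MACHINES) -> float:
    """Pc = 1 - (1 - v/N)^a under the slide's random-placement model.

    Each of the a attacker VMs independently lands on one of N machines.
    (1 - v/N) is the chance one attacker VM misses every victim machine,
    (1 - v/N)^a the chance all of them miss, and Pc is the complement.
    Assumes (my simplification) the v victim VMs occupy v distinct machines.
    """
    if not 0 <= v <= n:
        raise ValueError("v must be between 0 and N")
    if a < 0:
        raise ValueError("a must be non-negative")
    return 1.0 - (1.0 - v / n) ** a


def attacker_vms_needed(v: int, target_pc: float, n: int = N_MACHINES) -> int:
    """Smallest a with Pc >= target_pc, i.e. (1 - v/N)^a <= 1 - target_pc.

    Taking logs of both sides (both logs are negative, so the inequality flips):
    a >= ln(1 - target_pc) / ln(1 - v/N).
    """
    if not 0 < v <= n:
        raise ValueError("need at least one victim VM")
    if not 0.0 < target_pc < 1.0:
        raise ValueError("target_pc must be strictly between 0 and 1")
    a = math.log(1.0 - target_pc) / math.log(1.0 - v / n)
    return math.ceil(a)


def placement_table(v: int, targets=(0.5, 0.9, 0.99), n: int = N_MACHINES):
    """Rows of (target Pc, attacker VMs needed) for one victim fleet size."""
    return [(t, attacker_vms_needed(v, t, n)) for t in targets]


if __name__ == "__main__":
    # Sample values (constructed): a single victim VM versus a 1,000-VM fleet.
    for v in (1, 1000):
        print(f"v = {v}:")
        for target, a in placement_table(v):
            pc = collision_probability(v, a)
            print(f"  Pc >= {target:.2f} needs a = {a:>6} attacker VMs (Pc = {pc:.4f})")
```

The table is the baseline a truly random policy would impose: with one victim VM an attacker needs tens of thousands of launches for an even chance, while a large victim fleet brings that down to a few hundred. The placement study on the later slides measures how far real provider policies fall below this baseline, which is why the per-strategy cost figures there are so low.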
Page 13: Co-location Strategies
• Basic strategy
– Trigger launch of victim VMs
– Drive HTTP traffic and trigger autoscaling to launch more victim VMs
– Time launch of attacker VMs in co-ordination
• How effective is this?
• How much does this cost?
• How long does this take?
Page 14: [A Placement Vulnerability Study in Public Clouds, 2015, V. Varadarajan]
Page 15: [A Placement Vulnerability Study in Public Clouds, 2015, V. Varadarajan]
• Cheapest strategy: $0.14 (GCE)
• Most expensive strategy: $5.30 (Azure)
Page 16: e-crime
Page 17: Botnets
• Botnets:
– Command and Control (C&C)
– Zombie hosts (bots)
• C&C type:
– centralized, peer-to-peer
• Infection vector:
– spam, scanning, worm (self-propagating virus)
• Usage: ?
Page 18: How to make money off a botnet?
• Rental – “Pay me money, and I’ll let you use my botnet… no questions asked”
• DDoS extortion – “Pay me or I take your legitimate business off the web”
• Bulk traffic selling – “Pay me to direct bots to websites to boost visit counts”
• Click fraud, SEO – “Simulate clicks on advertised links to generate revenue” – Cloaking, link farms, etc.
• Theft of monetizable information (e.g., financial accounts)
• Ransomware – “I’ve encrypted your hard drive, now pay me money to unencrypt it”
• Advertise products
think-pair-share
Page 19: Torpig Botnet
• 2005-2009?
• 50k-180k bots
• 2008: "Most advanced piece of crimeware ever built"
• Uses domain flux to contact command and control (C&C) servers
• Hijacked by UC Santa Barbara researchers and studied for 10 days
[Your Botnet is My Botnet: Analysis of a Botnet Takeover, 2009, Stone-Gross et al.]
Page 20: How to join a Torpig botnet
1: Click on dodgy link to vulnerable website
2-4: Download Mebroot malware
5: Mebroot downloads Torpig DLL (you're a bot!)
6: Upload all your sensitive data to Torpig C&C
7: Profit! (not yours)
Page 21: Domain Flux
• Each bot generates candidate domain names for C&C servers
• Probe each one, use the first one that talks the C&C protocol
• Researchers ran the algorithm forward several weeks
• Discovered un-registered domains and registered them
• Set up their own C&C server
• Your botnet is my botnet
Page 22: Stealing a botnet
• Researchers bought two domains and hosting
• Put up a C&C server to capture all information reported by bots
• Controlled the Torpig botnet for 10 days
• Captured 70 GB of stolen information
• Used these data to study how big the botnet was and what it did (crime)
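The domain-flux mechanism from the previous slide and the sinkhole takeover on this one, as an added simulation in Python. This is my own illustration, not code from the paper or the slides: the domain-generation algorithm here is a constructed toy (SHA-256 over a made-up seed, the date and an index, under the reserved `.example` TLD), not Torpig's real algorithm, and the function names, seed and dates are assumptions. It shows the bot-side rule from the slide (probe the day's candidates in order, talk to the first one that answers), the defender-side step of running the same algorithm forward to find still-unregistered names, and why registering those names ahead of the operator redirects the bots.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Toy DGA parameters (constructed for this example; Torpig's real algorithm and
# seed are not on the slides). ".example" is a reserved TLD, so nothing resolves.
SEED = b"constructed-demo-seed"
TLD = "example"
DEMO_START = date(2009, 1, 25)   # constructed start date for the simulation


def candidate_domains(day: date, count: int = 3, seed: bytes = SEED) -> List[str]:
    """Generate the day's candidate C&C names from (seed, date, index).
    The list is deterministic, so anyone holding the algorithm and the seed
    (the botmaster, or a researcher who reverse-engineered the bot) gets the
    same names for any future date."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        names.append(f"{digest[:12]}.{TLD}")
    return names


def bot_select_c2(day: date, live_c2: Set[str]) -> Optional[str]:
    """Bot side, as the slide describes: probe the candidates in order and use
    the first one that talks the C&C protocol. Membership in `live_c2` stands
    in for a successful protocol handshake."""
    for name in candidate_domains(day):
        if name in live_c2:
            return name
    return None


def run_forward(start: date, days: int) -> Dict[date, List[str]]:
    """Defender side: run the algorithm forward to list future candidates."""
    return {start + timedelta(days=n): candidate_domains(start + timedelta(days=n))
            for n in range(days)}


def sinkhole_plan(start: date, days: int, registered: Set[str]) -> Dict[date, List[str]]:
    """Future candidates nobody has registered yet, i.e. the names a sinkhole
    operator can register before the botmaster does."""
    return {day: [d for d in cands if d not in registered]
            for day, cands in run_forward(start, days).items()}


def simulate_takeover(start: date, days: int) -> Dict[date, Optional[str]]:
    """The botmaster holds only yesterday's first candidate; the sinkhole
    registers every still-free candidate for the next `days` and answers the
    protocol on them. Returns the domain each day's bots end up talking to."""
    botmaster = {candidate_domains(start - timedelta(days=1))[0]}
    sinkholed = {d for free in sinkhole_plan(start, days, botmaster).values() for d in free}
    live = botmaster | sinkholed
    return {day: bot_select_c2(day, live) for day in run_forward(start, days)}


if __name__ == "__main__":
    for day, picked in simulate_takeover(DEMO_START, 7).items():
        print(day, "->", picked)
```

The same forward run is what a defender uses without taking over anything: the list of future candidates becomes a DNS blocklist or a set of names to watch for in resolver logs, and the only precondition is possession of the algorithm and its inputs.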
Page 23: Estimating botnet size
Torpig bots report to C&C servers using a unique botnet ID
Useful for correctly estimating size
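As an added illustration (my own code, not the paper's or the slides'), the two size estimators side by side over a constructed check-in log: counting distinct source IP addresses, which is all a passive observer of C&C traffic can do, versus counting the per-bot unique ID the slide mentions. The log layout, the ID format and the helper names are assumptions; the sample deliberately puts two bots behind one NAT address and moves one bot across three DHCP addresses so that the two counts disagree, and `ip_churn` reports which addresses and IDs cause the gap.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Report(NamedTuple):
    ts: str
    ip: str
    bot_id: str


# Constructed sample of bot check-ins, one per line: "<timestamp> <source IP> <bot ID>".
# The record layout is invented for this example, not Torpig's report format.
SAMPLE_LOG = """\
2009-01-25T00:05:00Z 192.0.2.10   bot-0001
2009-01-25T00:07:00Z 192.0.2.10   bot-0002
2009-01-25T00:20:00Z 203.0.113.7  bot-0003
2009-01-25T06:20:00Z 203.0.113.8  bot-0003
2009-01-25T12:20:00Z 203.0.113.9  bot-0003
2009-01-25T13:00:00Z 198.51.100.5 bot-0004
2009-01-25T13:01:00Z 198.51.100.5 bot-0004
"""


def parse_log(text: str) -> List[Report]:
    """Parse check-in lines; blank lines and '#' comments are skipped."""
    reports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, bot_id = line.split()
        reports.append(Report(ts, ip, bot_id))
    return reports


def estimate_size(reports: List[Report]) -> Dict[str, int]:
    """Two estimators: distinct source IPs (what a passive observer of C&C
    traffic can count) versus distinct bot IDs (what the per-bot ID on the
    slide makes possible)."""
    return {
        "by_ip": len({r.ip for r in reports}),
        "by_bot_id": len({r.bot_id for r in reports}),
    }


def ip_churn(reports: List[Report]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Explain the gap between the two estimators.
    Returns (IPs that carried more than one bot ID -> ID count,
             bot IDs seen from more than one IP -> IP count).
    Several IDs behind one IP (NAT) makes the IP count too low; one ID
    hopping across IPs (DHCP churn) makes it too high."""
    ids_per_ip = defaultdict(set)
    ips_per_id = defaultdict(set)
    for r in reports:
        ids_per_ip[r.ip].add(r.bot_id)
        ips_per_id[r.bot_id].add(r.ip)
    nat_ips = {ip: len(ids) for ip, ids in ids_per_ip.items() if len(ids) > 1}
    churning = {bid: len(ips) for bid, ips in ips_per_id.items() if len(ips) > 1}
    return nat_ips, churning


if __name__ == "__main__":
    reports = parse_log(SAMPLE_LOG)
    print(estimate_size(reports))   # {'by_ip': 5, 'by_bot_id': 4}
    print(ip_churn(reports))
```

On this sample the IP count comes out at 5 and the ID count at 4; the two errors (NAT hiding bots, churn multiplying them) partly cancel here, which is exactly why an IP-based figure can look plausible while being wrong in both directions at once.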
Page 25: Stealing Financial Accounts
In 10 days, stolen accounts from:
- Paypal (1770)
- Poste Italiane (765)
- Capital One (314)
- E*Trade (304)
- Chase (217)
Page 26: Ethics
Two principles to protect victims
● PRINCIPLE 1. The sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized.
● PRINCIPLE 2. The sinkholed botnet should collect enough information to enable notification and remediation of affected parties.
Page 27: recap
Cloud computing / Placement vulnerabilities / Co-residency detection via side-channels / Co-location strategies
Malware + botnets / Botnet uses / Architecture / Domain flux, C&C hijacking