Leveraging Honest Users: Stealth Command-and-Control of Botnets
Diogo Mónica, INESC-ID/IST
WOOT 2013 (transcript of the presentation slides)
Summary
• Motivation
• Problem statement
• Stealth C&C using browsers
• Final remarks
Motivation
• Botnets continue to evolve
• New strategies must be employed to avoid takedown and detection
• Our objective is to explore new directions future C&C infrastructure might take
Problem Statement
• Create a botnet that:
• Resists infiltration and size estimation
• Reduces the likelihood of detection of individual bots
• Maintains Botmaster anonymity
Assumptions
• Pre-existing population of infected hosts
• Trust anchor embedded in the bot binary (the botmaster's public key)
• Bots can receive commands from the botmaster through some open, listening port
Basic Architecture
• Bots do not actively participate in any botmaster-owned C&C infrastructure
• Bots passively listen for commands
• Commands are signed by the botmaster and pushed out to all the bots
Basic Architecture
• No C&C means:
• no infiltration
• no size estimation
Problems
• Command dissemination
• Botmaster doesn’t know IPs of bots
• Direct dissemination exposes the botmaster
• Disseminating commands takes too long
• Information retrieval
• Bots don’t know the IP of the botmaster
Command Dissemination
• Expendable layer of hosts
• Has no knowledge of the botmaster
• Do the “heavy lifting” of disseminating commands for the botmaster
Browsers!
• Browsers are built and optimized to issue large numbers of requests per second
• Crypto libraries are available in JavaScript
• HTML5 brings new capabilities to the table
“Honest” intermediate layer
• Botmaster deploys (or infects) website with malicious code
“Honest” intermediate layer
• Command dissemination is not done by botmaster
• Reduces exposure to detection
• Visitors of the infected website propagate commands
• Dissemination speed scales with the number of web users
• Detecting the existence of a bot is difficult
• Commands are received but not acknowledged
“Honest” intermediate layer
• Replaying the commands will only further spread the botmaster’s orders
• Intermediate layer is expendable and can expire quickly
• Once the page is closed, all traces of “infection” of the web-browser disappear
• It is hard for researchers to find the original malicious page
Analysis of Command Dissemination
• We created a JavaScript PoC
• Measured the number of AJAX requests per second
• Used easyXDM for cross-domain requests, working around the Same-Origin Policy
• Implemented public-key signatures for commands in JavaScript
Analysis of Command Dissemination
• N = #bots
• S = #ips in the address space
• r = #requests / second a browser can make
• d = #days the malicious website is active
• v = #visitors per day the website receives
• m = #minutes a user spends on the website
Analysis of Command Dissemination
• N = 150000 bots
• S = 3086889768 (2^32 - Bogons)
• r = 250 requests/second
• d = 1day
Analysis of Command Dissemination (results chart, not reproduced in the transcript)
Getting Visitors
• Create malicious website
• Advertise through spam email, twitter, search engine poisoning, abuse URL shortener, etc
• Infect existing website:
• XSS or SQL injection is sufficient to plant the malicious code on a legitimate website
• Keeping users on the website:
• Tabnabbing, clickjacking
Information Upstream
• Botmasters want to send stolen data upstream (credit cards, email accounts, SSNs, etc.)
• Our command dissemination infrastructure isolates each bot for robustness and stealthiness, but makes it difficult to create an upstream channel
Information Upstream
• For spamming-only botnets there is a simple solution: send the information encoded inside the spam the bot already emits
• All information is encrypted with the botmaster’s public key, ensuring confidentiality of data
• The bot only has to do one thing: send spam
Information Upstream
• Does not expose the botmaster
• Stealth operation
• Only the botmaster can extract data from the bots
Information Upstream
• Botmaster creates a per-website public/private key-pair and signs its public key with the botmaster's private key (verifiable with the public key embedded in the bots)
• The malicious code sent to the browsers includes this key-pair
• Browsers can prove themselves as originating from a “legitimate” dissemination website
Information Upstream (diagram slides, not reproduced in the transcript)
Accessing the overlay / Overlay connectivity (diagram slides, not reproduced in the transcript)
Accessing the overlay
• Botmaster randomly scans the internet until it finds one host.
• Uses that host's encrypted fingers (its overlay neighbour pointers) to start crawling through the overlay.
• But...
Accessing the overlay
• Botmaster still needs to bounce through some nodes to guarantee anonymity when retrieving data
Final remarks
• Stealth C&C using browsers is feasible
• Increasing role of browsers in the malware landscape
• We should focus some IDS effort on the browsers
• We aren’t good enough at detecting malicious websites