Your Botnet is My Botnet:  Analysis of a Botnet Takeover
Botnets are the primary means for cyber-criminals to carry out their malicious tasks
• sending spam mails
• launching denial-of-service attacks
• stealing personal data such as mail accounts or bank credentials.

Published in: Internet, Technology
Transcript

  • 1. Your Botnet is My Botnet: Analysis of a Botnet Takeover. Ahmed Ali El-Kosairy, Nile University, IS Prog 121173
  • 2. 281] And fear the Day when ye shall be brought back to Allah. Then shall every soul be paid what it earned, and none shall be dealt with unjustly.
  • 3. Outline • Introduction • Domain flux • Taking control of the Botnet • Botnet analysis • Threats and data analysis • Conclusion
  • 4. Introduction The authors took control of the Torpig (a.k.a. Sinowal or Anserin) botnet for ten days. Torpig, “one of the most advanced pieces of crimeware ever created,” is a type of malware that is typically associated with bank account and credit card theft. However, as we will see, it also steals a variety of other personal information.
  • 5. Introduction (cont.)
  • 6. Introduction (cont.) • Botnets are the primary means for cyber-criminals to carry out their malicious tasks • sending spam mails • launching denial-of-service attacks • stealing personal data such as mail accounts or bank credentials.
  • 7. Introduction (cont.) • By collaborating with domain registrars, it is possible to change the mapping of a botnet domain to a machine which is controlled by the defender. • Several recent botnets, including Torpig, use the concept of domain flux. • This is an approach that is similar to the botnet takeover attempts of the Kraken [1] and Conficker [32] botnets.
  • 8. Introduction (cont.) • Torpig uses Mebroot to get new victims – Mebroot is a rootkit that takes control of a machine by replacing the system’s Master Boot Record (MBR). – This allows Mebroot to be executed at boot time, before the operating system is loaded, and to remain undetected by most anti-virus tools.
  • 9. Introduction (cont.) How Torpig distributes and gets data
  • 10. Introduction (cont.) • Torpig uses phishing attacks • Mebroot provides functionality to manage (install, uninstall, and activate) such additional modules. • Immediately after the initial reboot, Mebroot contacts the Mebroot C&C server to obtain malicious modules (5). These modules are saved in encrypted form in the system32 directory, • so that, if the user reboots the machine, they can be immediately reused without having to contact the C&C server again. • After the initial update, Mebroot contacts its C&C server periodically, in two-hour intervals.
  • 11. Introduction (cont.) Mebroot injects these modules (i.e., DLLs) into a number of applications (services.exe), such as web browsers, FTP clients, email clients, instant messengers and system programs (e.g., cmd.exe). After the injection, Torpig can inspect all the data handled by these programs. Periodically, Torpig contacts the Torpig C&C server to upload the stolen data. This communication with the server is also over HTTP, protected by a simple obfuscation mechanism based on XORing the clear text with an 8-byte key and base64 encoding.
  • 12. Introduction (cont.) How Torpig distributes and gets data. The C&C server can reply to a bot in one of several ways: • simply acknowledge the data (an okn response). • In addition, the C&C server can send a configuration file to the bot (we call this reply an okc response). The configuration file is obfuscated using a simple XOR-11 encoding. The configuration file contains new information: updated domains, encryption settings, etc.
  • 13. Introduction (cont.)
  • 14. Domain flux • Botnet authors have identified several ways to make these schemes more flexible and robust against take-down actions, e.g., by using fast-flux techniques. • With fast-flux, the bots would query a certain domain that is mapped onto a set of IP addresses, which change frequently. • However, fast-flux uses only a single domain name, which constitutes a single point of failure.
  • 15. Domain flux: the fast-flux problem
  • 16. Domain flux (cont.) • Torpig solves this issue by using a different technique for locating its C&C servers: domain flux (using a DGA).
  • 17. Domain flux (cont.) DGA: For example, consider a DGA where every minute the malware connects to the GMT-time-based server address <month><day><year><hour><minute>.com. • For example, on July 31, 2013, at 2:30 PM, the malware would connect to 0731131430.com. • Every time an attacker wants to communicate with their malware, they choose a strike-time and register the domain corresponding to that strike-time 24 hours before the time is hit.
  • 18. Domain flux (cont.) • Kraken was one of the first malware families to use a DGA, beginning around April of 2008. • Several other families, such as Torpig, Srizbi and the famous Conficker, have also been known to use DGAs.
  • 19. Domain flux (cont.) • The feasibility of these sinkholing attacks depends not only on technical means but also on economic factors. • Sinkholing: a technique that researchers use to redirect the resolution of the malicious C&C server to their own analysis server. • Trend Micro, ref: http://www.trendmicro.com.tr/media/misc/sinkholing-botnets-technical-paper-en.pdf
  • 20. Domain flux (cont.)
  • 21. Taking control of the Botnet • The authors registered the .com and .net domains that were to be used by the botnet from January 25th, 2009 to February 15th, 2009. • However, on February 4th, 2009, the Mebroot controllers distributed a new Torpig binary that updated the domain algorithm.
  • 22. Taking control of the Botnet (cont.) • During the ten days that the authors controlled the botnet, they collected over 8.7 GB of Apache log files and 69 GB of pcap data. • However, on January 19th, when we started our collection, we instantly received HTTP requests from 359 infected machines. ??? Why???
  • 23. Taking control of the Botnet (cont.) The authors protected the victims according to: • PRINCIPLE 1. – The sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized. • PRINCIPLE 2. – The sinkholed botnet should collect enough information to enable notification and remediation of affected parties.
  • 24. Taking control of the Botnet (cont.) The authors also protected the victims as follows: • When a bot contacted our server, we always replied with an okn message and never sent it a new configuration file. • By responding with okn, the bots remained in contact only with our servers. • If we had not replied with a valid Torpig response, the bots would have switched over to the .biz domain. • We could have sent a blank configuration file to potentially remove the web sites currently targeted by Torpig, but did not. • We also did not send a configuration file with a different HTML injection server IP address, for the same reasons. • FBI & CERT
  • 25. Botnet analysis • The submission header and the body are encrypted using the Torpig encryption algorithm (base64 and XOR). – The header contains the time stamp when the configuration file was last updated (ts), – the IP address of the bot (ip), – the port numbers of the HTTP and SOCKS proxies that Torpig opens on the infected machine (hport and sport), – the operating system version and locale (os and cn), – the bot identifier (nid), – and the build and version number of Torpig (bld and ver).
  • 26. Botnet analysis (cont.)
  • 27. Botnet analysis (cont.)
  • 28. Botnet analysis (cont.) Botnet size • Counting bots by nid • This value was unique for each machine and remained constant over time; • therefore, it would provide an accurate method to uniquely identify each bot. • Very good paper: M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. My Botnet is Bigger than Yours (Maybe, Better than Yours): Why Size Estimates Remain Challenging. In USENIX Workshop on Hot Topics in Understanding Botnets, 2007.
  • 29. Botnet analysis (cont.) • The authors were able to reconstruct the algorithm used to compute this 8-byte value by reverse engineering the Torpig binary. • The nid is static: it depends on (software or hardware) characteristics of the infected machine’s hard disk.
  • 30. Botnet analysis (cont.) • The number of unique IP addresses observed during the ten days.
  • 31. Botnet analysis (cont.)
  • 32. Botnet analysis (cont.) Botnet as a service • Torpig DLLs are marked with a build type represented by the bld field in the header. • 12 different values for the bld parameter: dxtrbc, eagle, gnh1, gnh2, gnh3, gnh4, gnh5, grey, grobin, grobin1, mentat, and zipp. • The most convincing explanation??
  • 33. Threats and data analysis • Financial Data Stealing • Torpig is specifically crafted to obtain information that can be readily monetized in the underground market. • “man-in-the-browser” phishing attacks • in ten days of activity, the Torpig controllers may have profited anywhere between $83K and $8.3M.
  • 34. Threats and data analysis (cont.) • The number of accounts at financial institutions that were stolen by Torpig and sent to our C&C server.
  • 35. Threats and data analysis (cont.) Proxies • The authors wanted to verify if spam was sent through machines in the Torpig botnet. • Torpig has the potential to drag its victims into a variety of malicious activities.
  • 36. Threats and data analysis (cont.) Denial-of-Service • Using 435 kbps as a conservative estimate for each bot’s upstream bandwidth, the aggregate bandwidth for the DSL/Cable connections is roughly 17 Gbps. • A botnet of this size could cause a massive distributed denial-of-service (DDoS) attack.
  • 37. Threats and data analysis (cont.) • Password Analysis • Almost 28% of the victims reused their credentials for accessing 368,501 web sites.
  • 38. Conclusion • The authors present a comprehensive analysis of the operations of the Torpig botnet. • First, a naïve evaluation of botnet size based on the count of distinct IPs yields grossly overestimated results. • Second, the victims of botnets are often users with poorly maintained machines who choose easily guessable passwords to protect access to sensitive sites. • Third, interacting with registrars, hosting facilities, victim institutions, and law enforcement is a rather complicated process.
  • 39. Thank you & Questions?
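The obfuscation scheme of slide 11, the submission header fields of slide 25 and the nid-versus-IP bot counting of slides 28 to 30, worked through from the sinkhole operator's side as an added example that is not part of the presentation or of the paper it summarises. The 8-byte key, the `key=value&...` header layout and the six bot submissions are constructed for illustration; the slides give the field names and the key length but not the actual key or wire layout.

```python
import base64
from collections import defaultdict

XOR_KEY = b"k3yK3YxX"  # constructed: the slides say only that the key is 8 bytes

def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every byte with the repeating key; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def obfuscate(plaintext: bytes) -> str:
    """Bot side of the scheme on slide 11: XOR with the 8-byte key, then base64."""
    return base64.b64encode(xor_with_key(plaintext)).decode("ascii")

def deobfuscate(wire: str) -> bytes:
    """Sinkhole side: base64-decode, then XOR with the same key."""
    return xor_with_key(base64.b64decode(wire))

def parse_header(header: bytes) -> dict:
    """Split a decoded submission header into the fields named on slide 25.
    The 'key=value&key=value' layout is an assumption of this example."""
    return dict(pair.split("=", 1) for pair in header.decode("ascii").split("&"))

def make_header(ts: int, ip: str, nid: str, bld: str = "gnh2") -> bytes:
    """Build a constructed header carrying every field listed on slide 25."""
    return (f"ts={ts}&ip={ip}&hport=20124&sport=20123&os=5.1.2600&cn=en-us"
            f"&nid={nid}&bld={bld}&ver=229").encode("ascii")

# Constructed traffic from three bots. Bot ...0001 changes address twice
# (DHCP churn); ...0002 and ...0003 report the same address (shared NAT).
SINKHOLE_WIRE = [obfuscate(make_header(ts, ip, nid)) for ts, ip, nid in [
    (1232000000, "198.51.100.10", "0011223344550001"),
    (1232007200, "198.51.100.11", "0011223344550001"),
    (1232014400, "198.51.100.12", "0011223344550001"),
    (1232000000, "203.0.113.5", "0011223344550002"),
    (1232000000, "203.0.113.5", "0011223344550003"),
    (1232007200, "203.0.113.7", "0011223344550002"),
]]

def count_bots(wire_lines) -> dict:
    """Decode each submission and count bots by IP and by nid (slides 28 to 30)."""
    ips, ips_by_nid = set(), defaultdict(set)
    for line in wire_lines:
        fields = parse_header(deobfuscate(line))
        ips.add(fields["ip"])
        ips_by_nid[fields["nid"]].add(fields["ip"])
    return {"by_ip": len(ips), "by_nid": len(ips_by_nid),
            "ips_per_nid": {nid: len(s) for nid, s in ips_by_nid.items()}}
```

On the constructed traffic the IP count (5) overstates the nid count (3) because one bot appears from three addresses, while the shared NAT address hides a second bot from the IP view; this is the overestimate the conclusion slide refers to.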