Your SlideShare is downloading. ×
Turbot - A Next Generation Botnet
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Turbot - A Next Generation Botnet

1,863
views

Published on

Turbot - A Next Generation Botnet presentation as given in Hackito Ergo Sum 2010 in Paris, France. Turbot is a proof-of-concept implementation of a Botnet without a single point of failure over HTTP. …

Turbot - A Next Generation Botnet presentation as given in Hackito Ergo Sum 2010 in Paris, France. Turbot is a proof-of-concept implementation of a Botnet without a single point of failure over HTTP. Turbot communicates solely via message exchanging on a
mutual writable resources such as Websites with User
Generated Content features.


0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,863
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
67
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Present Greetings My name is … I am a security researcher in the security research group which we refer as Security Operation Center. This lecture is about botnet and their evolution over time
  • Agenda: Describe the 4 sections of the lecture
  • Agenda Scope This research is about understand the future of botnet communication What is known as the C&C Botnets infection technique are out of the scope Botnets actual attacks are out of the scope Methodology Find first the problems and dynamics happening nowadays.
  • Agenda Dynamics There is a lot of going on in the past years P2P botnets, HTTP botnets, no so much IRC botnets Conficker Explain how conficker works Even if the bot-herder looses the battle he doesn’t looses the war Conficker attempts to achieve This two properties are the most important factors of botnets nowadays
  • Agenda SPOF What is SPOF Example: IRC SPOF Resiliency What is SPOF resiliency
  • Agenda What it is? Why is it good?
  • Agenda What is this diagram? We put those 2 factors on graph and try to see how recent and past botnets are performing with respect to this 2 factors Explain the axises Early botnets Did not invest much efforts in excelling in either of the two Agobot P2P Botnets Storm,Confikcer Their trademark is their SPOF resiliency HTTP botnets Twitter botnets The novellity of the botnet it did no used a proprietary server but abused a public resource NG botnets The gap - What we noticed is that there is a gap Botnets do not yet excel on both paramters
  • Repeat each question
  • Repeat each question
  • Repeat each question
  • Transcript

    • 1. Turbot “Catch me if you can” Page Itzik Kotler Ziv Gadot Security Operation Center (SOC)
    • 2. Agenda
      • The Motivation
      • The Turbot Botnet
      • Demo
      • Analysis
    • 3. Motivation Page
    • 4. Botnets Communication Future
      • Research scope
        • Botnets communication
        • Investigating futuristic C&C schemes
      • Methodology
        • In order to understand where botnets communication is going to we need to understand their existing problems first.
      Page
    • 5. Recent Botnets Dynamics
      • Recent botnets
        • New botnets are mostly HTTP or P2P
        • Some comes with new techniques
      • Conficker
        • Conficker A,B,C: HTTP-based
          • New 500 domains names are generated every day using PRNG
        • Conficker D,E : P2P
      • Conficker attempts to achieve
        • SPOF resiliency
        • Blend in common traffic
    • 6. SPOF Resiliency
      • Single Point Of Failure (SPOF)
        • The ability to totally shut down the C&C by stopping a single set of resources
      • SPOF Resiliency
        • A merit of C&C which has or aims of having no SPOF
        • Known technologies
          • P2P (decentralized)
          • Conficker PRNG domain name – failed
    • 7. Blend into Common Traffic
      • Use the most common protocols/methods for the C&C
        • Ultimately
          • HTTP/HTML
          • Client initiates requests
          • Legitimate sites
      • Advantages
        • Pass organization security policy
        • Firewall/NAT issues
        • Minimizes potential network fingerprint
    • 8. SPOF Res vs. Blend In Page P2P Botnets HTTP Botnets NG Botnets Early Botnets Blending in common traffic SPOF Resiliency Excellent Poor Excellent Vacuum! Is it possible? Trin00 (1999) Agobot (2004) Storm (2007) Conficker A,B,C (2008) Twitter Botnet (2008) Black Energy 1.7 (2007) Conficker D,E (2009) PathBot (2004) Rustock (2006) Karaken (2008) Turbot
    • 9. Turbot Protocol Page
    • 10. Introducing: Turbot
      • Turbot is a proof-of-concept implementation of a botnet
      • without a single point of failure over HTTP.
      • Turbot communicates solely via message exchanging on a
      • mutual writeable resources such as Websites with User
      • Generated Content features.
      Page
    • 11. Internet Clipboard
        • Functionality
          • Copies any data to a specific URL to later paste in a different host
          • Also supports files and pictures
        • Examples
          • www.cl1p.net
          • www.padfly.com
          • www.pastebin.com
        • Accessibility
          • No CAPTCHA no login, since service needs to be quick
    • 12. Disposable E-mail Addressing (DEA)
      • Functionality
        • A disposable e-mail address used to avoid spamming
        • The user can choose any e-mail address within given domains, provide it, and later fetch e-mail messages
      • Examples
        • www.mailinator.com
        • www.guerrillamail.com
        • www.spamex.com
      • Accessibility
        • CAPTCHA, if at all, only when deleting a message
        • Sending the e-mail message can also be done by Web services (mostly offering to send large attachments easily )
    • 13. User Generated Content
      • Functionality
        • User comments mostly in news sites and blogs
      • Examples
        • www.moconews.net
        • www.sofiaecho.com
      • Accessibility
        • Many services are protected with CAPTCHA, login or active moderation; however, a significant number are not protected.
        • It is expected that the comment be relevant to its location
          • The message can be encoded in the User Site field (if supported), or it can be encoded in a link within the message.
    • 14. and even URL Shortening
      • Functionality
        • Takes a long URL and generates a short one to replace it. Purposes:
          • To prevent broken links in e-mail
          • To send links in Twitter
      • Examples
        • www.tinyurl.com
        • www.dwarfurl.com
        • www.snipurl.com
      • Alternative usability
        • Compression service—a long message encoded as a URL is compressed to a very short URL.
    • 15. Resources to Room Division Page www.cl1p.net www.mailinator.com www.pastebin.com … .. Resource Room Room Space
    • 16. A Room Example Page www.cl1p.net www.mailinator.com www.pastebin.com … .. www.cl1p.net/foobar Resource Room Room Set
    • 17. Private Room Page www.cl1p.net www.mailinator.com www.pastebin.com … .. Bot Master Bot
      • Private Room
      • Unknown to others
      • Secured
    • 18. What’s a Private Room?
      • A uncast channel between the bot master and a given bot
      • Benefits
        • Allows the bot master to communicate with a single bot in a given time in a secure channel
        • Allows the bot master the ability to form a sub-group within the botnet by communicating a message to a selected number of bots (each in their private room)
        • Isolate the bots from each other, a single bot can’t take down the botnet due to lack of knowledge about other bots existence, locations and/or resources
    • 19. Turbot I/O: Message
      • Turbot I/O is based on HTTP protocol and it allows writing and
      • reading of messages off resources. Reading is usually a periodical
      • GET request to the resource/room and parsing of the HTTP response
      • and Writing is usually a single POST to the resource/room!
      Page Mutual Resource http://cl1p.net/foobar Bot Master Bot HTTP GET HTTP GET HTTP GET HTTP GET HTTP GET HTTP GET HTTP GET HTTP GET HTTP GET HTTP POST
    • 20. Negotiating a Private Room Page Lobby Space Private Room Space Bot Master Bot
      • Private Room Selection
      • Bot randomizes a private room
      • Private room is permanent
      • Bot puts a handshake message (encrypted with Bot Master public key) Message includes a common secret
      1
    • 21. Negotiating a Private Room Page Lobby Space Private Room Space Bot Master Bot
      • Invitation publish
      • Bot prepares an invitation
        • Includes private room ID
        • Encrypted with Bot Master private key
      • Bot publish invitation in the lobby
        • Periodically the Bot ranodomize a room in the lobby
        • Publish the invitation in that room
      2
      • Private Room Selection
      • Bot randomizes a private room
      • Private room is permanent
      • Bot puts a handshake BOT HELLO message (encrypted with Bot Master public key)
      • Message includes a common secret
      1
    • 22. Negotiating a Private Room Page Bingo Lobby Space Private Room Space 2
      • Invitation publish
      • Bot prepares an invitation
        • Invitation includes private room ID
        • Encrypted with Bot Master private key
      • Bot publish invitation in the lobby
        • Periodically the Bot ranodomize a room in the lobby
        • Publish the invitation in that room
      Bot Master Bot
      • Looking for an invitation
      • Bot Master periodically looks for an invitation
        • Randomize a room in the Lobby
        • Check for a message in that room
      3
    • 23. Negotiating a Private Room Page Bingo Lobby Space Private Room Space Bot Master Bot
      • Looking for an invitation
      • Bot Master periodically looks for an invitation
        • Randomize a room in the Lobby
        • Check for a message in that room
      3
      • Meeting in the Private Room
      • Bot Master decrypt message
      • It fetch the private room ID
      • It meets the Bot in the private room and completes the handshake
      4
    • 24. Turbot Demo Page
    • 25. Turbot Project & Source Repository
      • Written in Python and intend to be tinkered,
      • modified and generally to be experiment on.
      • http:// code.google.com/p/turbot
    • 26. Turbot Analysis Page
    • 27. Technology vs. Problems Turbot Problem Technology IRC P2P HTTP Blend in common traffic Corporate-policy blocking X X V Network footprint detection V X V Firewall and NAT issues V X V SPOF Takedown Actions X V X Blacklisting (IP,URL) X V X
    • 28. Technology vs. Problems Turbot Problem Technology IRC P2P HTTP Blend in common traffic Corporate-policy blocking X X V Network footprint detection V X V Firewall and NAT issues V X V SPOF Takedown Actions X V X Blacklisting (IP,URL) X V X Efficiency Interrupting communication Problem Technology IRC P2P HTTP Blend in common traffic Corporate-policy blocking X X V Network footprint detection V X V Firewall and NAT issues V X V SPOF Takedown Actions X V X Blacklisting (IP,URL) X V X
    • 29. Communication Efficiency
        • Assuming:
          • Each Bot posts 1 invitation per hour
          • Bot-Master scans for 1 room per minute
          • Botnet size is 10,000
          • Lobby size is 100,000
        • Then
          • Each bot posts 720 message per month
          • All bots 7,200,000 posts per month
          • The Bot-master will add new Bot every minunte, ~10,000 per week.
        • Simulator
      Page
    • 30. Corporate-Policy Traversal
        • HTTP is always open
        • Turbot does not use HTTPS
        • Turbot does not use problematic sites (for example, anonymizers)
        • No corporate-policy issues are expected
    • 31. Network Footprint
        • The usage of HTTP and HTML makes each message a very common one.
        • Even so, it is possible that the Turbot HTTP implementation will have a unique footprints.
          • Example: send “Turbot 1.0” in the “User-Agent” header
        • Solution:
          • Turbot should use common libraries such as IE and FF
    • 32. Firewall/NAT Issues
        • Turbot doesn’t open a port
        • Turbot always initiate the connection
        • HTTP is the most supported and reliable protocol
        • No firewall or NAT issues are expected
    • 33. Takedown Actions
        • Whole sites – impossible, they are legitimate.
        • Take down the Lobby or the Room Space – too large
        • Take down the room which there is an activity – too difficult to identify and be certain
    • 34. Blacklisting
        • Turbot spans over many resources.
        • If at all, whole domains of legitimate services will have to be blocked in order block the botnet.
        • The percent of organizations that can do so is very small.
    • 35. Communication Interrupting
        • Security agents can delete message in the Lobby
        • The Security agents is competing with
          • Botnet size – usually more powerful than legitimate network
      Page
    • 36. Technology vs. Problems Turbot V V V V V V V Problem Technology IRC P2P HTTP Blend in common traffic Corporate-policy blocking X X V Network footprint detection V X V Firewall and NAT issues V X V SPOF Takedown Actions X V X Blacklisting (IP,URL) X V X Efficiency Interrupting communication
    • 37. Turbot Demerits
        • Message time
          • Messages are fetched by recipient by pulling from a common resource.
          • Time depends on the pulling frequency and is not instant.
          • Workarounds
            • Each message will contain a “next message time”
    • 38. How Can Turbot Be Stopped?
        • Adding CAPTCHA or Login to Web services
    • 39. Questions & answers Page
    • 40. Appendix Page
    • 41. Appendix Content
        • Additional Features
          • Indirect Access
          • Handle Bogus Bots
        • Additional Analysis
          • Private Channels
      Page
    • 42. Indirect Access
        • Problem
          • Slaves accessing the Web leave their identity
        • Solution
          • Indirect access using online site translation services
            • Examples: Google Translate, Yahoo Bubblefish, Windows Live Translator
    • 43. Handle Bogus Bots
        • The attack
          • Security vendors can create numerous virtual bots to slow down communication.
        • Solution
          • Require each bot to perform an action that will distinguish the majority of the real zombies from the bogus ones.
            • Computational work in the form of solving a cryptologic puzzle.
            • Legal complication – ask the bot to take some verifiable illegal action which will complicate it. Security vendors cannot allow this.
    • 44. Private Channels
        • Turbot is unique in having private channels
        • Pros
          • The main reason: part of the no SPOF requirement.
          • Better control of the Botnet especially when selling/renting.
        • Cons
          • Bot-master has to invest labor in the C&C
            • Broadcast over Unicast can be simulated
      Page
    • 45. The End Page