The Godfather - P2P Botnets: Security & Communication

The Godfather is a DHT-oriented botnet that uses strong cryptography.

Speaker notes:
  • Good morning, board. We are Dário Nascimento, David Dias and Artur Balanuta, group number 7. Today we will talk about peer-to-peer botnets and how the communication between bots can be made secure and stealthy.
  • A bot, or zombie, is a computer infected with a program which allows an attacker to execute arbitrary commands on it remotely. A botnet is a large network of bots. At the center of many of these attacks is a large pool of compromised computers located in homes, schools, businesses and governments around the world. Attackers use these zombies as anonymous proxies to hide their real identities and amplify their attacks. Most botnets are based on centralized
  • Grum was the biggest botnet. Its C&C was in Panama and the Netherlands, but after the shutdown it restarted in Ukraine and Russia. After the shutdown, by tracking the network, the bots can't send any more messages.
  • Artur: Botnet Topology -> Rallying Mechanism -> Communication Protocol -> Control Mechanism -> Command Authentication
  • Artur
  • *Artur* Single point of failure. Can be easily detected. Not efficient.
  • *David* Unstructured botnets have a very peculiar way of operation: there is no bot that has a way to contact every other node. Commands are transferred from bot to bot, propagating through the network. This raises a huge problem, which is message latency and lack of reliability; we can't be sure that the command gets to all the bots, since some parts of the network may be shut down or compromised.
  • *David* Each bot joins a DHT where it gets a way to route messages to other nodes. This structured botnet gives the botmaster the opportunity to log out and log in at different points of the network without being noticed, and to route his commands through any point. We opted for a structured network for our botnet solution, as you will soon see, since it's a great way for the botmaster to route his commands securely from hop to hop. The example we see here is a Pastry ring where a message is routed from one node to another.
  • *David* So, taking in mind the good old mafia movies, where one guy would have control over an entire town and hire his boys to do his dirty work, keeping his hands clean, we decided to call our newborn botnet The Godfather!
  • *David* The Godfather is a P2P botnet that uses a structured network based on the Pastry DHT algorithm to provide its message routing mechanism. Our goals for this botnet were: achieve a secure and untraceable way for peers to enter and leave the network; disseminate command messages, knowing they were from the master but not knowing where he is located; be able to rent services available from the botnet, such as CPU cycles, geographic distribution and network, to enable third parties to do their attacks; eliminate common threats such as crawlers and Sybil attacks.
  • Artur: explain the entry and the nodes.
  • Artur: Unstructured networks can also be used to bootstrap into our network, because the
  • Artur: We are using a Twitter account to fetch bootstrap nodes. We can also use a dynamic DNS system to do it.
  • Artur: Instead of using Twitter to bootstrap our "lost" peers, we can also use others: social networks, blogs, WikiLeaks and other public sharing media sites to store bootstrap information for our network discovery.
  • *David* To avoid command dissemination that is not initiated by the master, we sign every command with the botmaster's private key, and each of the deployed peers/bots has its X.509 certificate hardcoded, previously signed by the botmaster itself. This way every command has to validate its signature, making it impossible for non-authorized peers to execute commands in the name of the botmaster.
  • *David* Spread mechanism
  • *David* We also set a goal that every communication should be ciphered and undetected by firewalls, so to accomplish the last one we use well-known ports like port 80, used by HTTP. However, we had to overcome a challenge in terms of ciphering messages. Typically, a Diffie-Hellman algorithm is used to generate a session key, or a Certificate Authority to share each peer's public key and validate them. But creating a session key for each communication is a time-exhausting task, and we want to make this dissemination fast to be effective; having a CA would imply having one centralized point of failure, and we don't want that. So we opted for a simpler protocol: each node has a key pair, and before sending a command they trade public keys; with these public keys they are able to cipher the command in a way that only the other node can decipher it. We are aware that this looks like it's vulnerable to person-in-the-middle attacks, but since we are using Pastry and the network is in constant change, with peers always entering and leaving, the message path routing the keys is hard to predict, making it almost impossible for a person-in-the-middle attack to happen.
  • Dário: We want to avoid the crawling of the network! Because peers which are online tend to stay online for more time, each peer has an accomplice list. This accomplice list is made of node ID, public key, the current credits and when the last message was received. If the node shuts down, it loses all credits, because it could be compromised. So the list has a limited size and is sorted by credits. The old peers have priority over attackers joining our peer list. The peer will only accept new requests if the old ones are invalid. It is easy for a peer to get a new accomplice, but it's difficult to become an accomplice of other old peers.
  • Dário: To earn credits, a node sends valid and new commands. If it sends more than 3 invalid commands, it is an attacker and we expel it from our list. This doesn't avoid an attacker who creates hundreds of instances and fast-forwards to all peers to earn a lot of points. It sends the command to our accomplice list to avoid key exchanges, and if we don't have enough friends, we send friend requests to a random node until the whole list is filled.
  • We create a string containing a signed timestamp, the public key digest and a random nonce. Then we calculate T, the hash of this string. Then we sign this solution. At last, we create a new random nonce with k bits set to zero. We send the basic data to create X, but instead of x we send the nonce x'. So peer B must hash each value of x' until it gets the solution. Afterwards, it sends it back; we check the timestamp and the solution signature and we compute the hash. If the hash is correct, the puzzle has been solved.
  • But exchanging 2 more messages would be costly. So we created a new model: send the data ciphered with a key. The key is the secret string which is the solution of the puzzle. The last 16 bytes are made of the random nonce and a hash of the private key, so the receiver has 2 options: solve the puzzle (2 bytes) or brute force. These messages contain the public key and node ID of the source.
  • The size of the key wasn't random. We made tests.
  • Here are some prices on the market. It's a great business. We created our own business model!
  • *Artur*
  • Dário: Our solution was this proposal, implemented. It supports generic peer-to-peer signed commands and
  • Certificate generated by our Master Node
  • *All*
  • David
  • *David* We studied lots of methods to establish secure connections between peers, but the need to keep a low level of traffic and stealthiness made this job hard. We realized that attacks such as Denial of Service are easy to do; the hard part is doing it anonymously, like the Portuguese saying "roubar é fácil, difícil é roubar e não ser apanhado" (stealing is easy; the hard part is stealing without getting caught). With this line of thought, the idea of the name Godfather appeared, and the mafia served as inspiration for the whole development process. Since systems to detect botnets, such as honeypots, have evolved, it starts to be a requirement to have a trust mechanism to mitigate threats. Just to be clear, all the code developed will not be shared or distributed for malicious purposes, only for research.
Slides:

    1. Peer-to-Peer Botnets: Security & Communication. 65963 – David Dias; 68208 – Artur Balanuta; 68210 – Dário Nascimento. Networks and Systems Security.
    2. Basic Concepts: Bot/Zombie; Botnet; Bot Master. Can be used for: DDoS; Spam; Phishing Emails; Click-fraud; Stealing Personal Data.
    3. Facts and Figures: "1 trillion monthly spam messages by the end of March 2012". Source: Annual McAfee Threats Report, First Quarter 2012.
    4. Facts and Figures: More than 5 million infections during Q1 2012. Cutwail botnet: 2 million new infections. Grum botnet: 18% of spam (18 billion/day) sent out across the world. Colombia, Japan, Poland, Spain and USA have the largest botnet increase. Indonesia, Portugal and South Korea continued to decline.
    5. Communication & Organization: 1. Propagation; 2. Organization: i. C2 Centralized, ii. Unstructured, iii. P2P Overlay Network.
    6. Propagation: Phishing Scams (ex. SPAM); Social Engineering (ex. Facebook); DNS Poisoning; Infected Mobile Storage (ex. USB flash drives); App Infection (ex. Android/iOS); Polluted Files (ex. infected torrents); etc.
    7. Centralized Command and Control: Single point of control; Direct control of zombies; Easy to detect using traffic analysis.
    8. Unstructured Control: Unknown botnet size; Bots disseminate commands between themselves; Huge latency => poor performance; Small efficiency (broadcast messages); Parts of the network may be unreachable without us knowing.
    9. P2P Overlay Network: Bots join a P2P network; Communicate through a DHT; Botmaster can act as a normal bot; Botmaster can enter and exit from several points.
    10. Our solution?
    11. The Godfather: P2P - DHT Pastry; Secure communication; Safe peer entry; Renting model; Avoid crawlers and Sybil attacks.
    12. Peer entry: BotMaster – Relay DHT – Peer. Bootstrap list: 193.166.136.25:8080, 105.157.88.127:8081, …
    13. Peer entry: Unstructured Network.
    14. Peer entry: … (diagram slide)
    15. Peer entry (diagram slide, no text).
    16. Secure dissemination of orders (diagram slide).
    17. Secure dissemination of orders (continued).
    18. Secure dissemination of orders (continued).
    19. Peer-to-peer traffic obfuscation.
    20. Peer-to-Peer Trust: Accomplice List <NodeID, Kpub, Credits, LastMsgReceived>. Limited size; sorted by credits; old peers have priority; difficult to crawl older bots.
    21. Peer-to-Peer Trust: Send commands: preference to avoid key exchanges; random send. Commands signed by Master or Client. Credits: new valid commands earn credits; >3 invalid commands lose credits and the peer is expelled from the list. It doesn't avoid Sybil attacks.
    22. Proof-of-Work.
    23. Mafia Proof-of-Work: Sam wants to add Tom to his Accomplice List; they must show that they work for the Mafia. Sam <-> Tom exchange: Node ID, Public Key. Last 128 bits of the puzzle solution are the cipher secret. Options: brute-force 128 bits (we will need to check by sending the message to Sam again), or solve the 16-bit puzzle.
    24. Proof-of-Work.
    25. Proof-of-Work measurements:

       | Bits | Attempts (avg)  | % of space | Total time        |
       |------|-----------------|------------|-------------------|
       | 8    | 122             | 47.65      | 22 ms             |
       | 16   | 29 486          | 44.99      | 1 sec             |
       | 24   | 8 327 669       | 49.63      | 6 min             |
       | 32   | 2 147 million   | 49.98      | 25 hours          |
       | 64   | 9.22337 x 10^18 | 50%        | 12 306 411 years  |

       Average key difficulty is half of the size. 23.75 attempts / millisecond – Java is slow.
    26. Prices on Darknet: Citadel (Zeus variant, financial botnet): US$2,399; $125 to "rent" the botnet builder and administration panel; $395 for automatic updates for antivirus evasion. Darkness (DDoS): from $450 to $1,000.
    27. Monetization Model: Botmaster generates a private/public key pair + signed certificate. Attacker signs the command with his private key. Sends the signed command + signature. Bot checks the certificate signature, attacks and forwards the message.
    28. Solution Architecture: Peer-to-Peer DHT with signed commands; Certificate generator; Ciphered message transfer; Twitter bootstrapper; Cryptopuzzle generator and solver; Reputation accomplice list.
    29. Demo.
    30. Demo Time!
    31. Conclusions.
    32. Conclusions: Keeping both a low level of traffic and guaranteed secure connections is hard in botnets. Attacks such as DoS are easy to perform. Botnet detection systems evolved; trust mechanisms are required. All will be released with research purposes in mind.
    33. Thank you! Q&A
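The challenge-response puzzle described in the speaker notes (signed timestamp, key digest, a nonce with k bits cleared, solver hashes until it hits T) and timed on slide 25, as an added example that is not the project's code: it assumes SHA-256 and a 128-bit nonce, stands in constructed bytes for the signed timestamp and key digest, and omits the signature step; average_attempts checks the slide's claim that the expected cost is half the search space, 2^(k-1).

```python
import hashlib
import random

NONCE_BYTES = 16  # 128-bit nonce, as on slide 23 (assumption: SHA-256 as the hash)


def puzzle_hash(data: bytes, nonce: int) -> bytes:
    """T = H(data || nonce); 'data' stands in for the signed timestamp and key digest."""
    return hashlib.sha256(data + nonce.to_bytes(NONCE_BYTES, "big")).digest()


def make_puzzle(data: bytes, k: int, rng: random.Random):
    """Issuer side: pick a random 128-bit x, publish T and x' (x with its low k bits cleared).
    Without x' a solver would face the full 2**128 space (the 'brute-force' option)."""
    x = rng.getrandbits(8 * NONCE_BYTES)
    target = puzzle_hash(data, x)
    x_prime = x & ~((1 << k) - 1)
    return target, x_prime, x


def solve_puzzle(data: bytes, target: bytes, x_prime: int, k: int):
    """Solver side: try every value of the k cleared bits until H(data || x) == T.
    Returns (solution, attempts); solution is None if nothing matched."""
    for i in range(1 << k):
        candidate = x_prime | i
        if puzzle_hash(data, candidate) == target:
            return candidate, i + 1
    return None, 1 << k


def verify_solution(data: bytes, target: bytes, solution: int) -> bool:
    """Issuer side: a single hash checks the returned solution."""
    return puzzle_hash(data, solution) == target


def average_attempts(k: int, trials: int, seed: int = 7) -> float:
    """Average attempts over 'trials' random puzzles; the slide predicts about 2**(k-1)."""
    rng = random.Random(seed)
    total = 0
    for t in range(trials):
        # Constructed stand-in for "signed timestamp | public-key digest".
        data = b"constructed-timestamp|pubkey-digest|" + t.to_bytes(4, "big")
        target, x_prime, _ = make_puzzle(data, k, rng)
        _, attempts = solve_puzzle(data, target, x_prime, k)
        total += attempts
    return total / trials


if __name__ == "__main__":
    for bits in (8, 12, 16):
        print(bits, "bits: avg", average_attempts(bits, trials=40), "expected", 2 ** (bits - 1))
```

The 16-bit case corresponds to the "2 bytes" the notes say a receiver must solve; the row for 8 bits on slide 25 (122 attempts) is this average measured in Java.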
