The Godfather - P2P Botnets: Security & Communication
Report
ArturBalanutaFollow
Feb. 24, 2013•0 likes•1,704 views
The Godfather - P2P Botnets: Security & Communication
Feb. 24, 2013•0 likes•1,704 views
Download to read offline
Report
TheGodfather is a DHT oriented Botnet that uses Strong Cryptography
ArturBalanutaFollow
Recommended
Vol13 no2fphart
Undgå sikkerhedstrusler med Security Intelligence. Filip Schepers, IBMIBM Danmark
OpenDNS Whitepaper: DNS's Role in Botnet C&CCourtland Smith
Part06 infrastructure securityLê Liêu
Création d'un botnet et défenseESD Cybersecurity Academy
Black Energy18 - Russian botnet package analysisRoberto Suggi Liverani
More Related Content
Viewers also liked
Botnets - Detection and MitigationAjit Skanda Kumaraswamy
The Harvester, the Botmaster, and the Spammer: On the Relations Between the D...Gianluca Stringhini
شناسایی بات نت های Fast-Flux با استفاده از تحلیل ناهنجاری DNSMahdi Sayyad
Cryptovirology Introduction, SecurityThreats, Safeguards and CountermeasuresM Mehdi Ahmadian
Barcamp2015 cyberguerre et-botnetBarcampCameroon
آشنایی با جرمیابی قانونی رایانهایRamin Najjarbashi
Similar to The Godfather - P2P Botnets: Security & Communication
Bot net detection by using ssl encryptionAcad
Botnet detection by Imitation methodAcad
Peering Through the Cloud Forrester EMEA 2010graywilliams
BYOD and Your Businesscherienetclarity
Peer to peer systemJahanzaib Niazi
Telesemana ce nominum:mefRafael Junquera
The Godfather - P2P Botnets: Security & Communication
- 1. Peer-to-Peer Botnets Security & Communication 65963 – David Dias 68208 – Artur Balanuta 68210 – Dário Nascimento Networks and Systems Security 1
- 2. Overview Communication & Organization The Godfather Demo Conclusions Basic Concepts: • Bot/Zombie • Botnet • Bot Master Can be used for: • DDoS • Spam • Phishing Emails • Click-fraud • Stealing Personal Data Networks and Systems Security 2
- 3. Overview Communication & Organization The Godfather Demo Conclusions Facts and Figures “1 trilion monthly spam messages by the end of March 2012” Source: Annual McAffee Threats Report, First Quarter 2012 Networks and Systems Security 3
- 4. Overview Communication & Organization The Godfather Demo Conclusions Facts and Figures More 5 Million Infections during Q1 2012 Cutwail Botnet: 2 million new infections Grum botnet: 18% of spam (18 billion/day) sent out across the world Columbia, Japan, Poland, Spain and USA have the largest botnet increase Indonesia, Portugal and South Korea continued to decline Networks and Systems Security 4
- 5. Overview 1. Propagation Communication & Organization 2. Organization The Godfather i. C2 Centralized ii. Unstructured Demo iii. P2P Overlay Network Conclusions Networks and Systems Security 5
- 6. Overview 1. Propagation Communication & Organization 2. Organization The Godfather i. C2 Centralized ii. Unstructured Demo iii. P2P Overlay Network Conclusions Propagation • Phishing Scams (Ex. SPAM) • Social Engineering (Ex. Facebook) • DNS Poisoning • Infected Mobile Storage (Ex. USB Flashdrives) • App Infection (Ex. Android/IOS) • Polluted Files (Ex. Infected Torrents) • Etc 6 Networks and Systems Security
- 7. Overview 1. Propagation Communication & Organization 2. Organization The Godfather i. C2 Centralized ii. Unstructured Demo iii. P2P Overlay Network Conclusions Centralized Command and Control • Single point of control • Direct control of zombies – Easy to detect using traffic analysis 7 Networks and Systems Security
- 8. Overview 1. Propagation Communication & Organization 2. Organization The Godfather i. C2 Centralized ii. Unstructured Demo iii. P2P Overlay Network Conclusions Unstructured Control • Unknown botnet size • Bots disseminate commands between themselves • Huge latency => poor performance • Small eficiency (Broadcast messages) • Parts of the network may be unreachable without us knowing Networks and Systems Security 8
- 9. Overview 1. Propagation Communication & Organization 2. Organization The Godfather i. C2 Centralized ii. Unstructured Demo iii. P2P Overlay Network Conclusions P2P Overlay Network • Bots join a P2P Network • Communicate through DHT • Botmaster can act as normal bot • Botmaster can enter and exit from several points Networks and Systems Security 9
- 10. Overview Communication & Organization The Godfather Demo Conclusions Our solution? Networks and Systems Security 10
- 11. Overview Communication & Organization The Godfather Demo Conclusions • P2P - DHT Pastry • Secure communication • Safe Peer Entry • Renting Model • Avoid Crawlers and Sybil Attacks Networks and Systems Security 11
- 12. Overview 1. Peer Entry Communication & Organization 2. Secure Dissemination of botmaster The Godfather Commands 3. Peer-to-peer Trust System Demo 4. Proof-of-work Conclusions 5. Monetize model Peer entry - BotMaster - Relay DHT - Peer BootStrap List 193.166.136.25:8080 105.157.88.127:8081 … Networks and Systems Security 12
- 13. Overview 1. Peer Entry Communication & Organization 2. Secure Dissemination of botmaster The Godfather Commands 3. Peer-to-peer Trust System Demo 4. Proof-of-work Conclusions 5. Monetize model Unstructured Network Networks and Systems Security 13
- 14. Overview 1. Peer Entry Communication & Organization 2. Secure Dissemination of botmaster The Godfather Commands 3. Peer-to-peer Trust System Demo 4. Proof-of-work Conclusions 5. Monetize model … Networks and Systems Security 14
- 15. Overview 1. Peer Entry Communication & Organization 2. Secure Dissemination of botmaster The Godfather Commands 3. Peer-to-peer Trust System Demo 4. Proof-of-work Conclusions 5. Monetize model Networks and Systems Security 15
- 16. Overview Peer Entry Communication & Organization Secure Dissemination of botmaster Commands The Godfather Peer-to-peer Trust System Proof-of-work Demo Monetize model Conclusions Secure dissemination of orders Networks and Systems Security 16
- 17. Overview Peer Entry Communication & Organization Secure Dissemination of botmaster Commands The Godfather Peer-to-peer Trust System Proof-of-work Demo Monetize model Conclusions Secure dissemination of orders Networks and Systems Security 17
- 18. Overview Peer Entry Communication & Organization Secure Dissemination of botmaster Commands The Godfather Peer-to-peer Trust System Proof-of-work Demo Monetize model Conclusions Secure dissemination of orders Networks and Systems Security 18
- 19. Overview Peer Entry Communication & Organization Secure Dissemination of botmaster Commands The Godfather Peer-to-peer Trust System Proof-of-work Demo Monetize model Conclusions Peer-to-peer traffic obfuscation Networks and Systems Security 19
- 20. Overview Peer Entry Communication & Organization Secure Dissemination of botmaster Commands The Godfather Peer-to-peer Trust System Proof-of-work Demo Monetize model Conclusions Peer-to-Peer Trust Accomplice List <NodeID,Kpub,Credits,LastMsgReceived> • Limited Size • Sorted by Credits Old peers have priority Difficult to crawl older bots Networks and Systems Security 20
- 21. Overview Peer Entry Communication & Organization Secure Dissemination of botmaster Commands The Godfather Peer-to-peer Trust System Proof-of-work Demo Monetize model Conclusions Peer-to-Peer Trust Send Command Send Commands • Preference to avoid key Exchanges Signed by Master or Client • Random Send Credits Lose New >3 invalid Earn Credits Expelled from List It doesn’t avoid Sybil Attacks Networks and Systems Security 21
- 22. Overview Peer Entry Communication & Organization Secure Dissemination of botmaster Commands The Godfather Peer-to-peer Trust System Proof-of-work Demo Monetize model Conclusions Proof-of-Work Networks and Systems Security 22
- 23. Overview Peer Entry Communication & Organization Secure Dissemination of botmaster Commands The Godfather Peer-to-peer Trust System Proof-of-work Demo Monetize model Conclusions Mafia Proof-of-Work Sam wants add Tom to his Accomplice List, they must show that they work to Mafia Sam Tom Node ID Public Key Last 128 bits of puzzle solution are the cipher secret. Options: • Brute-force 128 bits (we will need to check sending message to Sam again) • Solve the puzzle 16 bits Networks and Systems Security 23
- 24. Overview Peer Entry Communication & Organization Secure Dissemination of botmaster Commands The Godfather Peer-to-peer Trust System Proof-of-work Demo Monetize model Conclusions Proof-of-Work Networks and Systems Security 24
- 25. Overview Peer Entry Communication & Organization Secure Dissemination of botmaster Commands The Godfather Peer-to-peer Trust System Proof-of-work Demo Monetize model Conclusions Bit Attemps % Total Time Avg 8 122 47.65 22 ms 16 29 486 44.99 1 sec 24 8 327 669 49.63 6 min 32 2 147 milion 49.98 25 hours 64 9.22337 x 1018 50% 12 306 411 years Average key difficulty is half of size 23.75 attemps / mili secound – Java is slow Networks and Systems Security 25
- 26. Overview Communication & Organization The Godfather Demo Conclusions Prices on Darknet Citadel (Zeus variant, financial botnet): US$2,399 $125 for “rent” botnet builder and administration panel $395 for automatic updates for antivirus evasion Darkness (DDoS) From $450 until $1.000 Networks and Systems Security 26
- 27. Overview Peer Entry Communication & Organization Secure Dissemination of botmaster Commands The Godfather Peer-to-peer Trust System Proof-of-work Demo Monetize model Conclusions Monetization Model Botmaster Generate Private/Public Key + Signed Certificate Attacker sign the command with his private key Send the signed command + signature Bot check the certificate signature, attack and forward the message Networks and Systems Security 27
- 28. Overview Communication & Organization The Godfather Demo Conclusions Solution Architecture • Peer-to-Peer DHT with signed commands • Certificate generator • Cipher messages transfer • Twitter Bootstrapper • Cryptopuzzle generator and solver • Reputation Accomplice List Networks and Systems Security 28
- 29. Overview Communication & Organization The Godfather Demo Conclusions Networks and Systems Security 29
- 30. Overview Communication & Organization The Godfather Demo Conclusions Demo Time! Networks and Systems Security 30
- 31. Overview Communication & Organization The Godfather Demo Conclusions Conclusions Networks and Systems Security 31
- 32. Overview Communication & Organization The Godfather Demo Conclusions • Keeping both low level of traffic and guarantee secure connections it’s hard in botnets • Attacks such as DoS are easy to perform • Botnet detection systems evolved, trust mechanisms are required • All will be released with researching purpose in mind Networks and Systems Security 32
- 33. Thank you! Q&A Networks and Systems Security 33
Editor's Notes
- Goodmorningboard, mynameis Dário Nascimento, David Dias and Artur Balanuta. We are thegroupnumber 7. TodaywewilltalkaboutPeer-to-Peerbotnetsandhowwe can makethecommunicationbetweenbotsin a secureandstealthway.
- A bot, or zombie, is a computer infected with a program, which allows an attacker to execute arbitrary commands remotely on it.Botnets, i.e., large network of bots.At the center of many of these attacks is a large pool of compromised computers located in homes, schools, businesses and government around the world. Attackers use these zombies as anonymous proxies to hide their real identities and amplify their attacks.Most part of botnets are based on centralized
- Grumwasthebiggestbotnet. Itwas C&C fromPanamaand NL butaftershutdown, itrestartonUkraineandRussia. Aftershutdownbytrackingthe network, thebotscan’tsend more messages
- ArturBotNetTopology -> RallyingMechanism -> CommunicationProtocol -> ControlMechanism -> CommandAuthentication
- Artur
- *Artur*SinglepointoffailureCan beeaselyDetectedNotEficient*
- *David*Unstructuredbotnetshave a very peculiar wayofoperation, thereis no botthathas a way to contacteveryothernode. Commands are trnasferedfrombo to bot, propagatingthroughthe network.Thisraises a hugeproblemwhichismessagelatencyandlackofreability, wecan’tbesurethatthecommandgets to allthebots, since some partes ofthe network maybeshutdownorcompromissed
- *David*Eachbotjoins a DHT wherehegets a way to routemessages to anothernodes. Thisstructuredbotnetgivestheopportunity for thebotmaster to logoutandloginindifferentpointsofthe network, withoutbeingnoticedandbeingable to routehiscommandsthroughanypointWeopted for a structured network for ourbotnetsolution as youwillsoonsee, sinceit’s a greatway for thebotmaster to routeiscommandssecurelyfromhop to hopTheexampleweseehereis a pastryringwhere a messageisroutedfrom um node to another
- *David*So taking in mind the good old mafia movies, where one guy would have control over an entire town and hire is boys to do his dirty work, keeping his hands clean, we decided to call our baby born botnet, the God father!
- *David*The Godfather is a P2P Botnet that uses a structured network based on the Pastry DHT algorithm to provide it’s routing message mechanism.Our goals for this botnet were:Achieve a secure and untraceble way for peers to enter and leave networkDissiminate command messages, knowing they were from master, but not knowing where he is locatedBe able to rent services available by the botnet such as CPU cycles, geographic distribution and network to enable third parties to do their attacksEliminate common threats such as crawlers and Sybil attacks
- Artur – Explicar a entrada e nós
- ArturUnstructured Networks can alsobeused to Bootstrap to our Network, becausethe
- ArturWe are using a twitteraccount to fetchbootstrap nodesWe can also use a Dinamic DNS system to do it.
- ArturInstedofusingTwitter to bootStapour “LOST” peersWe can also use other :Social Networks, Blogs, WikyLeaks, andotherPublicSharing Media Sites to storeboostrapinformation for our Network Discovery
- *David*To avoidcommanddissiminationthatisnotinitiatedbymaster, wesigneverycommandwithbotmasterrivatekeyandeachofthedeployedpeers/botshasit’s X509Certificate hardcoded, previouslysignedbybotmasteritselfThiswayeverycommandhad to validateit’ssignture, makingitimpossible for non authorizedpeers to execute commandsinthenameofBotmaster
- *David*To avoidcommanddissiminationthatisnotinitiatedbymaster, wesigneverycommandwithbotmasterrivatekeyandeachofthedeployedpeers/botshasit’s X509Certificate hardcoded, previouslysignedbybotmasteritselfThiswayeverycommandhad to validateit’ssignture, makingitimpossible for non authorizedpeers to execute commandsinthenameofBotmaster
- *David*Spreadmechanism
- *David*Weset aalsoset a goalthateverycommunicationshouldcypheredandundetectedbyfirewalls, so to accomplishthelastone, we use portswellknownlikeport 80 usedby HTTP. Howeverwehad to overcome a challengeintermsofcypheringmessages. Typically a DiffiHellmanalgorithm to generate a sessionkeyor a CertificateAuthority to share eachpeerPublicKeyandvalidatethem.Butcreating a sessionkey for eachcommunicationis a time exaustivetaskandwewant to makethisdissiminationfast to beeffectiveandhaving a CA wouldimply to haveonecentralizedpointoffailandwedontwantthat.Soweopted for a simplierprotocolthateachnodehas a keypairandbeforesending a commandtheytradepublickeys, withthispublickeysthey are able to cypherthecommandin a waythatonlytheothernode can decypherit.We are awarethatthislookslikeit’svulnurable to PersonIntheMiddleAttacks, butsincewe are usingPastry, andthe network isinconstant , alwayspeersenteringandleaving, themessagepathroutingthekeysishard to predict, almostmakingimpossible for a PersonInthemiddleattack to happen
- DárioWewantavoidthecrawlingofthe network!Beacusepeerswhich are online tend to be online more time, eachpeer as anaccompilelist. Thisaccomplicelistismadeofnode ID, publickey, thecurrentcreditsandwhenlastmsghasbeenreceived.Ifthenodeshutdown, heloseallcreditsbecauseitcouldbecomprise. Sothelisthaslimitedsizeandissortedbycredits. Theoldpeershavepriorityandtheattackersjoinourpeerlist.Thepeerwilljustacceptnewrequestsiftheold are invalid.Iseasy to a peergetnewaccomplicebutit’sdifficult to beaccompliceofotheroldpeers.
- DárioTo earncredits, a nodesendvalidandnewcommands. Ifitsends more than 3 invalidcommandsisanattackerandweexpellehimfromourlist.Thisdoesn’tavoidanattackerwhosecreatehundredsofinstancesandmakefastfoward to allpeers to earnlotofpoints.Hesendthecommand to ouraccomplicelist to avoidkeyexchangesandifwedon’thavefriendsenough, wesend to a randomnodefriendsrequestuntilfullfillallthelist.
- Wecreate a stringcontaining a signedtimestamp, PublicKeydigestand a randomnode. Thenwecalculate T, theHashofthisstring. Thenwesignthissolution. Atlast, wecreate a newrandomnouncewith k bits set to zero.Wesendthebasic data to create X butinsteadof x, wesendthenounce x’. Sothepeer B musthasheachvalueof x’ untilgetthesolution. After, itsendsback, wecheckthetimesatmpandsolutionsignatureandwemakethehash. Ifthehastiscorrect, the puzzle wasbeensolved.
- Butexchange more 2 messageswouldbecostly. Sowecreate a newmodel. Sendthe data cipherwith a key. Thekeyisthesecretstringwhichisthesolutionofthe puzzle. Thelasy 16 bytes are madebyrandomnounceandhashprivatekeysothereceiverhas 2 options: solve the puzzle (2 bytes) orbruteforce. Thesemessagescontainsthepublickeyandnode ID ofsource.
- Thesizeofthekeywasn’trandom. Wemadetests.
- Thesizeofthekeywasn’trandom. Wemadetests.
- Hereis some pricesonmarket. It’s a greatbussiness. Wecreateourownbusinessmodel!
- *Artur*
- Dário Oursolutionwasthisproposalimplemented. Itsuports a genericpeer to peersignedcommandsand
- CertificategeneratedbyourMasterNode
- *All*
- David
- *David*Westudiedlotsofmethos to establishsecureconnectionbetweenpeers,buttheneedofkeepinglowleveltrafficandstealthnesmadethisjobhardWerealizedthatattackssuch as DenialofService are easy to do, thehardpartisdoingitanonymously, like portuguese saying” roubaréfácil, difíciléroubar e nãoserapanhado”With this line of though, the ideia of name godfather appeared and the mafia served as inspiration for all the development processSince systems to detect botnets evoled, such as honeypots, it starts to be a requirement to have a thrust mechanism to mitigate threatsJust to be clear all the code develop will be not shared or distributed with malicious purposes, only for research