The Godfather - P2P Botnets: Security & Communication


  1. Peer-to-Peer Botnets: Security & Communication. 65963 – David Dias, 68208 – Artur Balanuta, 68210 – Dário Nascimento. Networks and Systems Security.
  2. Basic concepts: Bot/Zombie; Botnet; Bot Master. Can be used for: DDoS; Spam; Phishing Emails; Click-fraud; Stealing Personal Data.
  3. Facts and Figures: "1 trillion monthly spam messages by the end of March 2012". Source: Annual McAfee Threats Report, First Quarter 2012.
  4. Facts and Figures: more than 5 million infections during Q1 2012. Cutwail botnet: 2 million new infections. Grum botnet: 18% of spam (18 billion/day) sent out across the world. Colombia, Japan, Poland, Spain and the USA have the largest botnet increase; Indonesia, Portugal and South Korea continued to decline.
  5. Communication & Organization: 1. Propagation; 2. Organization: i. Centralized C2, ii. Unstructured, iii. P2P Overlay Network.
  6. Propagation: Phishing Scams (e.g. SPAM); Social Engineering (e.g. Facebook); DNS Poisoning; Infected Mobile Storage (e.g. USB flash drives); App Infection (e.g. Android/iOS); Polluted Files (e.g. infected torrents); etc.
  7. Centralized Command and Control: single point of control; direct control of zombies; easy to detect using traffic analysis.
  8. Unstructured Control: unknown botnet size; bots disseminate commands between themselves; huge latency => poor performance; low efficiency (broadcast messages); parts of the network may be unreachable without us knowing.
  9. P2P Overlay Network: bots join a P2P network; communicate through a DHT; the botmaster can act as a normal bot; the botmaster can enter and exit from several points.
  10. Our solution?
  11. The Godfather: P2P - DHT Pastry; secure communication; safe peer entry; renting model; avoid crawlers and Sybil attacks.
  12. The Godfather, outline: 1. Peer Entry; 2. Secure Dissemination of botmaster Commands; 3. Peer-to-peer Trust System; 4. Proof-of-work; 5. Monetize model. Peer entry (diagram: BotMaster, Relay DHT, Peer). Bootstrap List: 193.166.136.25:8080, 105.157.88.127:8081, …
  13. Peer entry: Unstructured Network (diagram slide).
  14. Peer entry (diagram slide, continued): …
  15. Peer entry (diagram slide, continued).
  16. Secure dissemination of orders (diagram slide).
  17. Secure dissemination of orders (diagram slide, continued).
  18. Secure dissemination of orders (diagram slide, continued).
  19. Peer-to-peer traffic obfuscation (diagram slide).
  20. Peer-to-Peer Trust. Accomplice List <NodeID, Kpub, Credits, LastMsgReceived>: limited size; sorted by credits; old peers have priority; difficult to crawl older bots.
  21. Peer-to-Peer Trust. Send Commands (signed by Master or Client): preference to avoid key exchanges; random send. Credits: new peers earn credits; >3 invalid commands lose credits and are expelled from the list. It doesn't avoid Sybil attacks.
  22. Proof-of-Work (diagram slide).
  23. Mafia Proof-of-Work: Sam wants to add Tom to his Accomplice List; they must show that they work for the Mafia. Sam and Tom exchange Node ID and Public Key. The last 128 bits of the puzzle solution are the cipher secret. Options: brute-force 128 bits (we would need to check by sending the message to Sam again); solve the 16-bit puzzle.
  24. Proof-of-Work (diagram slide).
  25. Puzzle difficulty measurements:
        Bits   Attempts            % of keyspace   Total time (avg)
        8      122                 47.65           22 ms
        16     29 486              44.99           1 sec
        24     8 327 669           49.63           6 min
        32     2 147 million       49.98           25 hours
        64     9.22337 x 10^18     50              12 306 411 years
      Average key difficulty is half of the size. 23.75 attempts / millisecond – Java is slow.
  26. Prices on Darknet. Citadel (Zeus variant, financial botnet): US$2,399; $125 for "rent" of botnet builder and administration panel; $395 for automatic updates for antivirus evasion. Darkness (DDoS): from $450 up to $1,000.
  27. Monetization Model: the Botmaster generates a private/public key + signed certificate. The attacker signs the command with his private key and sends the signed command + signature. The bot checks the certificate signature, attacks and forwards the message.
  28. Solution Architecture: Peer-to-Peer DHT with signed commands; certificate generator; ciphered message transfer; Twitter bootstrapper; cryptopuzzle generator and solver; reputation Accomplice List.
  29. Solution Architecture (diagram slide).
  30. Demo Time!
  31. Conclusions
  32. Keeping traffic low while guaranteeing secure connections is hard in botnets. Attacks such as DoS are easy to perform. Botnet detection systems have evolved; trust mechanisms are required. All will be released with research purposes in mind.
  33. Thank you! Q&A

Editor's Notes

  • Good morning, board. We are Dário Nascimento, David Dias and Artur Balanuta, group number 7. Today we will talk about peer-to-peer botnets and how we can make the communication between bots secure and stealthy.
  • A bot, or zombie, is a computer infected with a program which allows an attacker to execute arbitrary commands remotely on it. Botnets, i.e., large networks of bots. At the center of many of these attacks is a large pool of compromised computers located in homes, schools, businesses and governments around the world. Attackers use these zombies as anonymous proxies to hide their real identities and amplify their attacks. Most botnets are based on centralized
  • Grum was the biggest botnet. Its C&C was in Panama and NL but, after the shutdown, it restarted in Ukraine and Russia. After the shutdown, by tracking the network, the bots can't send more messages.
  • Artur: Botnet topology -> rallying mechanism -> communication protocol -> control mechanism -> command authentication
  • Artur
  • *Artur* Single point of failure. Can be easily detected. Not efficient.
  • *David* Unstructured botnets have a very peculiar way of operation: there is no bot that has a way to contact every other node. Commands are transferred from bot to bot, propagating through the network. This raises a huge problem, which is message latency and lack of reliability; we can't be sure that the command gets to all the bots, since some parts of the network may be shut down or compromised.
  • *David* Each bot joins a DHT where it gets a way to route messages to other nodes. This structured botnet gives the botmaster the opportunity to log out and log in at different points of the network, without being noticed and while still being able to route his commands through any point. We opted for a structured network for our botnet solution, as you will soon see, since it's a great way for the botmaster to route his commands securely from hop to hop. The example we see here is a Pastry ring where a message is routed from one node to another.
  • *David* So, taking in mind the good old mafia movies, where one guy would have control over an entire town and hire his boys to do his dirty work, keeping his hands clean, we decided to call our newborn botnet The Godfather!
  • *David* The Godfather is a P2P botnet that uses a structured network based on the Pastry DHT algorithm to provide its message routing mechanism. Our goals for this botnet were: achieve a secure and untraceable way for peers to enter and leave the network; disseminate command messages, knowing they were from the master but not knowing where he is located; be able to rent services available by the botnet, such as CPU cycles, geographic distribution and network, to enable third parties to do their attacks; eliminate common threats such as crawlers and Sybil attacks.
  • Artur – Explain the entry and the nodes
  • Artur: Unstructured networks can also be used to bootstrap to our network, because the
  • Artur: We are using a Twitter account to fetch bootstrap nodes. We can also use a dynamic DNS system to do it.
  • Artur: Instead of using Twitter to bootstrap our "lost" peers, we can also use others: social networks, blogs, WikiLeaks, and other public sharing media sites to store bootstrap information for our network discovery.
  • *David* To avoid command dissemination that is not initiated by the master, we sign every command with the botmaster's private key, and each of the deployed peers/bots has its X.509 certificate hardcoded, previously signed by the botmaster itself. This way every command has to validate its signature, making it impossible for non-authorized peers to execute commands in the name of the botmaster.
  • *David* Spread mechanism
  • *David* We also set a goal that every communication should be ciphered and undetected by firewalls, so to accomplish the last one we use well-known ports like port 80, used by HTTP. However, we had to overcome a challenge in terms of ciphering messages. Typically a Diffie-Hellman algorithm is used to generate a session key, or a Certificate Authority to share each peer's public key and validate them. But creating a session key for each communication is a time-exhaustive task and we want to make this dissemination fast to be effective, and having a CA would imply having one centralized point of failure, and we don't want that. So we opted for a simpler protocol where each node has a key pair and, before sending a command, they trade public keys; with these public keys they are able to cipher the command in a way that only the other node can decipher it. We are aware that this looks like it's vulnerable to person-in-the-middle attacks, but since we are using Pastry, and the network is in constant change, with peers always entering and leaving, the message path routing the keys is hard to predict, making it almost impossible for a person-in-the-middle attack to happen.
  • Dário: We want to avoid the crawling of the network! Because peers which are online tend to stay online longer, each peer has an accomplice list. This accomplice list is made of node ID, public key, the current credits and when the last message was received. If the node shuts down, it loses all credits because it could be compromised. So the list has limited size and is sorted by credits. The old peers have priority and the attackers join our peer list. The peer will just accept new requests if the old ones are invalid. It is easy for a peer to get new accomplices but it's difficult to be an accomplice of other old peers.
  • Dário: To earn credits, a node sends valid and new commands. If it sends more than 3 invalid commands it is an attacker and we expel it from our list. This doesn't avoid an attacker who creates hundreds of instances and fast-forwards to all peers to earn lots of points. He sends the command to our accomplice list to avoid key exchanges, and if we don't have enough friends, we send friend requests to a random node until the list is full.
  • We create a string containing a signed timestamp, a public key digest and a random node. Then we calculate T, the hash of this string. Then we sign this solution. At last, we create a new random nonce with k bits set to zero. We send the basic data to create X but, instead of x, we send the nonce x'. So the peer B must hash each value of x' until it gets the solution. After, it sends it back, we check the timestamp and solution signature and we make the hash. If the hash is correct, the puzzle has been solved.
  • But exchanging 2 more messages would be costly. So we created a new model. Send the data ciphered with a key. The key is the secret string which is the solution of the puzzle. The last 16 bytes are made of a random nonce and a hash of the private key, so the receiver has 2 options: solve the puzzle (2 bytes) or brute force. These messages contain the public key and node ID of the source.
  • The size of the key wasn't random. We made tests.
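The cryptopuzzle of slides 23 and 25 and the two notes above, as an added example in Python (standard library only); this is not the project's code. The challenger commits to a 128-bit nonce whose low k bits it withholds (the notes' x'), the solver brute-forces those bits, and `measure` repeats the slide-25 experiment to show why the mean lands at half the keyspace. The field layout (timestamp || key digest prefix, SHA-256) is an assumption; the slides only give the idea. From a defender's view this is the cost a Sybil joiner has to pay per identity, and the cheap `verify` step is what lets the honest side keep up.

```python
import hashlib, os, time
from dataclasses import dataclass

@dataclass(frozen=True)
class Puzzle:
    k: int                 # hidden bits the solver must recover (the slides' 16-bit puzzle)
    prefix: bytes          # public part: timestamp || public key digest (constructed layout)
    blinded_nonce: bytes   # 128-bit random nonce with its low k bits cleared (x' in the notes)
    target: bytes          # SHA-256 over prefix || full nonce (T in the notes)

def make_puzzle(k, prefix, rng=os.urandom):
    """Challenger: draw a 128-bit nonce, zero its low k bits, commit to the full one."""
    nonce = int.from_bytes(rng(16), "big")
    hidden = nonce & ((1 << k) - 1)
    target = hashlib.sha256(prefix + nonce.to_bytes(16, "big")).digest()
    return Puzzle(k, prefix, (nonce ^ hidden).to_bytes(16, "big"), target), hidden

def _commit(puzzle, low_bits):
    base = int.from_bytes(puzzle.blinded_nonce, "big")
    return hashlib.sha256(puzzle.prefix + (base | low_bits).to_bytes(16, "big")).digest()

def solve(puzzle):
    """Solver: try each value of the low k bits until the commitment matches.
    Returns (secret, attempts); expected attempts are about 2**(k-1), half the space."""
    for candidate in range(1 << puzzle.k):
        if _commit(puzzle, candidate) == puzzle.target:
            return candidate, candidate + 1
    raise ValueError("no solution: puzzle not produced by make_puzzle")

def verify(puzzle, secret):
    """Challenger-side check of a returned solution: one hash, no search."""
    return 0 <= secret < (1 << puzzle.k) and _commit(puzzle, secret) == puzzle.target

def measure(k, rounds=20):
    """Repeat the slide-25 experiment for one k: mean attempts, % of 2**k, mean seconds."""
    prefix = b"2012-05-01T10:00:00Z" + hashlib.sha256(b"constructed key").digest()
    attempts_total, t0 = 0, time.perf_counter()
    for _ in range(rounds):
        puzzle, hidden = make_puzzle(k, prefix)
        secret, attempts = solve(puzzle)
        assert secret == hidden and verify(puzzle, secret)
        attempts_total += attempts
    mean = attempts_total / rounds
    return {"bits": k, "mean_attempts": mean, "percent_of_space": 100 * mean / (1 << k),
            "mean_seconds": (time.perf_counter() - t0) / rounds}

if __name__ == "__main__":
    for k in (8, 12, 16):   # 24 bits and up takes minutes in pure Python, as the slide's Java did
        print(measure(k))
```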
  • Here are some prices on the market. It's a great business. We created our own business model!
  • *Artur*
  • Dário: Our solution was this proposal implemented. It supports generic peer-to-peer signed commands and
  • Certificate generated by our Master Node
  • *All*
  • David
  • *David* We studied lots of methods to establish secure connections between peers, but the need of keeping traffic low and stealthy made this job hard. We realized that attacks such as Denial of Service are easy to do; the hard part is doing it anonymously, like the Portuguese saying "roubar é fácil, difícil é roubar e não ser apanhado" (stealing is easy, the hard part is stealing and not getting caught). With this line of thought, the idea of the name Godfather appeared and the mafia served as inspiration for the whole development process. Since systems to detect botnets have evolved, such as honeypots, it starts to be a requirement to have a trust mechanism to mitigate threats. Just to be clear, all the code developed will not be shared or distributed with malicious purposes, only for research.
