review of "An Empirical Study of HTTP-based Financial Botnets"

1. Paper Review
An Empirical Study of HTTP-based Financial Botnets
Raymond
1

2. Outline
• Introduction
• Methodology and Emulation Environment
• Comparative Analysis of Various Bots
• Analytical Observations
• Challenges
• Solution and Conclusion
2

3. Introduction
3

4. Botnet
• A botnet is a collection of infected machines (bots)
controlled by a bot herder through a C&C server
C&C
server
malware
malware
malware
Bot herder
4

5. Financial Botnets
• This breed of botnets is designed and deployed to
conduct financial crimes such as online fraud, money
laundering, and identity theft by infecting a large number
of end-user systems across the globe.
5

6. 232 devices are infected
per minute
• An RSA study further disclosed that every minute on the
Internet approximately 232 computers are being infected
with malware globally.
6

7. Spread bots 1/3
• There are several ways to spread bots but phishing and
drive-by download attacks are the two most prominent
ones
7

8. Spread bots 1/3
Phishing
• attack are executed through emails embedded with
malicious links that are distributed to a large set of users.
• This attack exploits the users’ gullibility using social
engineering tricks.
• Upon clicking a web link, the user’s browser is redirected
to a malicious domain which serves malware.
8

9. Spread bots 1/3
drive-by download
• an attacker compromises a high-traffic website and
injects code that points to a malicious domain.
9

10. Spread bots 2/3
• On visiting a malicious domain, a Browser Exploit Pack
(BEP), an automated framework consisting several
exploits, fingerprints the browsers environment, and if
found vulnerable, an appropriate exploit is served to
compromise the machine.
10

11. Spread bots 3/3
11

12. Botnets have Become
Bigger and Better
Statistic shows the total number of bots present in the various families of botnets when taken down by FBI in different takedown operations.
12

13. Top 4 Financial Botnets
• A Kaspersky study [9] found that the top 4 financial
botnets are Zeus (variants), SpyEye, Carberp and
Citadel.
13

14. Top 4 Financial Botnets
• Carberp botnet caused approximately close to $250
million in losses
• Citadel botnet caused $500 million losses to
companies and organizations across the globe.
• Earlier versions of Zeus and SpyEye botnets
collectively stole $100 million from target organizations
14

15. Methodology and
Emulation Environment
15

16. Test Step
• 1.we used an infiltration technique where we joined the
botnet environment to better understand its behavior
• 2.We conducted several tests using active and passive
approaches for investigating infections:
o Continuous monitoring and traffic analysis
o Reverse engineering and behavior analysis
o Penetration testing
16

17. anti anti-VM bot
• do something made the VMware machines behave like a
standard operating system
o ex:
• VMWare support tools were not installed
• kernel debugging was turned off
• the Media Access Control (MAC) address was modified
• Desktop Management Information (DMI) related to Basic Input Output
System (BIOS) and certain components of operating system (VM) were
modified
17

18. 18

19. Comparative Analysis of
Various Bots
19

20. Protocol
20

21. Anti-sandbox
21

22. Exploitation
Mutex object can be used to determine whether the system is already infected or not,
and detecting the presence of virtual machines, traffic analyzers, Anti-Viruses(AV) in the
system.
the PDEF+ component is designed to check the effectiveness of bots in bypassing anti-
virus systems running on the client side
22

23. Spreading
23

24. Remote Manage
24

25. Defensive Mechanisms
Socks Proxy
bot herders can restrict source direct access to the C&C panels offer vertify method, if
bot match, it allow the bot to download configuration file limit source of incoming http
request
Domain Generation Algorithms
generate pseudorandom domain names,
Advantage is that use DGAs to strengthen their C&C communication channels so that
fingerprinting of C&C servers becomes more difficult
25

26. Module
• This design shows that the bots can be extended by building
additional plugins that can be incorporated directly to execute
extended code in the infected system.
o For example,
• the malware author can design a new plugin for a specific bot and use the C&C
panel to update the bot by sending an updated configuration having a new plugin
listed in it. When the bot gets updated, the new pluginsimply executes.
26

27. Data Exfiltration
27

28. Data Exfiltration
• Man-in-the-Browser Attacks
o MitB is capable of manipulating the communication flow of various browser
components
o most common MitB attack techniques based on hooking used by bots:
• Form-grabbing
• WebInjects
• WebFakes.
28

29. Man-in-the-Browser
Attacks
29

30. DDoS
30

31. Best Botnet
31

32. Analytical Observations
32

33. Analytical Observations
• Malware authors are developing more sophisticated
botnet designs by reusing and modifying existing
botnet source codes.
33

34. Analytical Observations
• Communication channels of HTTP-based financial
botnets are secured using gates
34

35. Analytical Observations
• Use of DGAs as a C&C communication mechanism has
increased in last few years and we expect this trend to
continue in the future
35

36. Analytical Observations
• the bots primarily target browsers to steal sensitive
information pertaining to critical websites. Almost every
HTTP-based botnet performs browser hooking to carry
out nefarious tasks.
36

37. Analytical Observations
• distribution using automated exploit frameworks called
browser exploit packs which exploit a specific
vulnerability in browser components and download bots
onto the user systems without their knowledge
37

38. Analytical Observations
• well-defined development APIs and plugin architecture
frameworks which can be used to extend the
functionalities of bots.
38

39. Analytical Observations
• use Windows built-in cryptographic APIs with custom
encryption routines to avoid detection and further
complicate any analysis.
39

40. Challenges
40

41. Challenges
• HTTPS is an end-to-end security solution that protects
from Man-in-the-Middle (MitM) attack but it does not
provide any protection against MitB attacks
41

42. Challenges
• TFA does not protect from MitB attacks
o TFA raises the bar with respect to the ease of use of stolen authentication data,
but TFA neither prevents the theft nor eliminates the data’s value.
42

43. Challenges
• Developing signatures for IPS/IDS for bot detections fail
to stop unknown malware (financial botnets) running in
the wild. The thriving botnet ecosystem is proof of that
43

44. Solution and Conclusion
44

45. Solutions
To defend against WebInject attacks
• One solution is to build an HTML/JavaScript-based
webpage verification system that detects modifications
that have happened when webpages are rendered in the
browser.
45

46. Solutions
To foil Form-grabbing attacks
• data is encrypted before it is exfiltrated by the bot from
the infected system.
46

47. Solutions
to overcome malware detection VM
• building next-generation complete emulated
environments by simulating the physical hardware
including CPU, memory, etc.
47

48. Solutions
to protect enterprises against unknown attacks
• data mining and machine learning can play a vital
role ,but such solutions are still not able to cope with
existing and emerging threats.
48

49. Solutions
Other
• understanding how one bot detects the presence of
other bot
o ex:
o if mutex names are used by SpyEye to detect Zeus bots, the same patterns can
be fed to end-user security solutions (anti-virus engines) to detect and eradicate
the bots
49

50. Solutions
The most important way
• Technology alone cannot protect users from all types of
malicious attacks.
• Improved user education which instructs the user to
understand the importance of safe surfing habits, best
and secure ways to perform online banking, avoid
visiting the destinations which they are not sure of, etc.
50

51. Q & A
51