The Godfather - P2P Botnets: Security & Communication
1. Peer-to-Peer Botnets
Security & Communication
65963 – David Dias
68208 – Artur Balanuta
68210 – Dário Nascimento
Networks and Systems Security 1
2. Overview
Communication & Organization
The Godfather
Demo
Conclusions
Basic Concepts:
• Bot/Zombie
• Botnet
• Bot Master
Can be used for:
• DDoS
• Spam
• Phishing Emails
• Click-fraud
• Stealing Personal Data
3. Facts and Figures
“1 trillion monthly spam messages by the end of March 2012”
Source: Annual McAfee Threats Report, First Quarter 2012
4. Facts and Figures
More than 5 million infections during Q1 2012
Cutwail botnet: 2 million new infections
Grum botnet: 18% of spam (18 billion/day) sent out across the world
Colombia, Japan, Poland, Spain and USA have the largest botnet increase
Indonesia, Portugal and South Korea continued to decline
5. Communication & Organization
1. Propagation
2. Organization
i. C2 Centralized
ii. Unstructured
iii. P2P Overlay Network
6. Propagation
• Phishing Scams (Ex. SPAM)
• Social Engineering (Ex. Facebook)
• DNS Poisoning
• Infected Mobile Storage (Ex. USB Flashdrives)
• App Infection (Ex. Android/iOS)
• Polluted Files (Ex. Infected Torrents)
• Etc.
7. Centralized Command and Control
• Single point of control
• Direct control of zombies
– Easy to detect using traffic analysis
8. Unstructured Control
• Unknown botnet size
• Bots disseminate commands between themselves
• Huge latency => poor performance
• Low efficiency (broadcast messages)
• Parts of the network may be unreachable without us knowing
9. P2P Overlay Network
• Bots join a P2P network
• Communicate through a DHT
• Botmaster can act as a normal bot
• Botmaster can enter and exit from several points
10. Our solution?
11. The Godfather
• P2P - DHT Pastry
• Secure communication
• Safe Peer Entry
• Renting Model
• Avoid Crawlers and Sybil Attacks
12. The Godfather
1. Peer Entry
2. Secure Dissemination of botmaster Commands
3. Peer-to-peer Trust System
4. Proof-of-work
5. Monetize model
Peer entry
Figure legend: BotMaster, Relay, DHT, Peer
BootStrap List
193.166.136.25:8080
105.157.88.127:8081
…
13. Unstructured Network
16. Secure dissemination of orders
19. Peer-to-peer traffic obfuscation
20. Peer-to-Peer Trust
Accomplice List
<NodeID, Kpub, Credits, LastMsgReceived>
• Limited size
• Sorted by credits
Old peers have priority
Difficult to crawl older bots
21. Peer-to-Peer Trust
Send Commands (signed by Master or Client)
• Preference to accomplices, to avoid key exchanges
• Random send
Credits: New -> Earn Credits (valid commands) / Lose Credits (invalid commands); >3 invalid -> Expelled from List
It doesn’t avoid Sybil Attacks
22. Proof-of-Work
23. Mafia Proof-of-Work
Sam wants to add Tom to his Accomplice List; Tom must show that he works for the Mafia.
Exchange between Sam and Tom: Node ID, Public Key
The last 128 bits of the puzzle solution are the cipher secret.
Options:
• Brute-force 128 bits (we will need to check by sending the message to Sam again)
• Solve the 16-bit puzzle
25. Proof-of-Work
Bits   Attempts            % Total   Avg Time
8      122                 47.65     22 ms
16     29 486              44.99     1 sec
24     8 327 669           49.63     6 min
32     2 147 million       49.98     25 hours
64     9.22337 x 10^18     50        12 306 411 years
Average key difficulty is half of the key size (the % Total column)
23.75 attempts / millisecond – Java is slow
26. Prices on Darknet
Citadel (Zeus variant, financial botnet):
US$2,399
$125 for “rent” of botnet builder and administration panel
$395 for automatic updates for antivirus evasion
Darkness (DDoS)
From $450 to $1,000
27. Monetization Model
Botmaster generates a private/public key pair + signed certificate
Attacker signs the command with his private key
Sends the signed command + signature
Bot checks the certificate signature, attacks and forwards the message
28. Solution Architecture
• Peer-to-Peer DHT with signed commands
• Cipher messages transfer
• Cryptopuzzle generator and solver
• Certificate generator
• Twitter Bootstrapper
• Reputation Accomplice List
30. Demo Time!
31. Conclusions
32. Conclusions
• Keeping a low level of traffic while guaranteeing secure connections is hard in botnets
• Attacks such as DoS are easy to perform
• Botnet detection systems have evolved, so trust mechanisms are required
• All will be released with research purposes in mind
33. Thank you!
Q&A
Editor's Notes
Good morning, board. We are Dário Nascimento, David Dias and Artur Balanuta, group number 7. Today we will talk about peer-to-peer botnets and how we can make the communication between bots secure and stealthy.
A bot, or zombie, is a computer infected with a program which allows an attacker to execute arbitrary commands on it remotely. A botnet is a large network of bots. At the center of many of these attacks is a large pool of compromised computers located in homes, schools, businesses and governments around the world. Attackers use these zombies as anonymous proxies to hide their real identities and amplify their attacks. Most botnets are based on centralized
*David* Unstructured botnets have a very peculiar way of operation: there is no bot that has a way to contact every other node. Commands are transferred from bot to bot, propagating through the network. This raises a huge problem, which is message latency and lack of reliability; we can’t be sure that the command gets to all the bots, since some parts of the network may be shut down or compromised.
*David* Each bot joins a DHT where it gets a way to route messages to other nodes. This structured botnet gives the botmaster the opportunity to log out and log in at different points of the network without being noticed, and to route his commands through any point. We opted for a structured network for our botnet solution, as you will soon see, since it’s a great way for the botmaster to route his commands securely from hop to hop. The example we see here is a Pastry ring where a message is routed from one node to another.
*David* So, taking in mind the good old mafia movies, where one guy would have control over an entire town and hire his boys to do his dirty work, keeping his hands clean, we decided to call our newborn botnet The Godfather!
*David* The Godfather is a P2P botnet that uses a structured network based on the Pastry DHT algorithm to provide its message routing mechanism. Our goals for this botnet were: achieve a secure and untraceable way for peers to enter and leave the network; disseminate command messages, knowing they were from the master but not knowing where he is located; be able to rent services available from the botnet, such as CPU cycles, geographic distribution and network, to enable third parties to do their attacks; eliminate common threats such as crawlers and Sybil attacks.
Artur – Explain the entry and the nodes
Artur: Unstructured networks can also be used to bootstrap to our network, because the
Artur: We are using a Twitter account to fetch bootstrap nodes. We can also use a Dynamic DNS system to do it.
Artur: Instead of using Twitter to bootstrap our “LOST” peers, we can also use other social networks, blogs, WikiLeaks and other public sharing media sites to store bootstrap information for our network discovery.
*David* To avoid command dissemination that is not initiated by the master, we sign every command with the botmaster’s private key, and each of the deployed peers/bots has its X.509 certificate hardcoded, previously signed by the botmaster itself. This way every command has to validate its signature, making it impossible for non-authorized peers to execute commands in the name of the botmaster.
*David* Spread mechanism
*David* We also set a goal that every communication should be ciphered and undetected by firewalls, so to accomplish the last one we use well-known ports like port 80, used by HTTP. However, we had to overcome a challenge in terms of ciphering messages. Typically, a Diffie-Hellman algorithm is used to generate a session key, or a Certificate Authority to share each peer’s public key and validate them. But creating a session key for each communication is a time-exhaustive task, and we want to make this dissemination fast to be effective; having a CA would imply having one centralized point of failure, and we don’t want that. So we opted for a simpler protocol: each node has a key pair and, before sending a command, they trade public keys; with these public keys they are able to cipher the command in a way that only the other node can decipher it. We are aware that this looks like it’s vulnerable to person-in-the-middle attacks, but since we are using Pastry, and the network is in constant change, with peers always entering and leaving, the message path routing the keys is hard to predict, making it almost impossible for a person-in-the-middle attack to happen.
Dário: We want to avoid the crawling of the network! Because peers which are online tend to stay online longer, each peer has an accomplice list. This accomplice list is made of node ID, public key, the current credits and when the last message was received. If the node shuts down, it loses all credits, because it could be compromised. So the list has limited size and is sorted by credits. The old peers have priority and the attackers join our peer list. The peer will just accept new requests if the old ones are invalid. It is easy for a peer to get new accomplices, but it’s difficult to be an accomplice of other old peers.
Dário: To earn credits, a node sends valid and new commands. If it sends more than 3 invalid commands, it is an attacker and we expel it from our list. This doesn’t avoid an attacker who creates hundreds of instances and fast-forwards to all peers to earn lots of points. It sends the command to our accomplice list to avoid key exchanges and, if we don’t have enough friends, we send a friend request to a random node until the list is full.
We create a string containing a signed timestamp, a public key digest and a random nonce. Then we calculate T, the hash of this string. Then we sign this solution. At last, we create a new random nonce with k bits set to zero. We send the basic data to create X, but instead of x we send the nonce x’. So peer B must hash each value of x’ until it gets the solution. After that, it sends it back; we check the timestamp and the solution signature and we compute the hash. If the hash is correct, the puzzle has been solved.
But exchanging 2 more messages would be costly. So we created a new model: send the data ciphered with a key. The key is the secret string which is the solution of the puzzle. The last 16 bytes are made of a random nonce and a hash of the private key, so the receiver has 2 options: solve the puzzle (2 bytes) or brute force. These messages contain the public key and node ID of the source.
The size of the key wasn’t random. We made tests.
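An added example, not the project’s code, modelling the puzzle cost described on the Mafia proof-of-work slide, in the measurement table and in the two notes above: it builds a puzzle of the assumed shape (timestamp, public-key digest, random nonce with its low k bits cleared), solves it by enumeration, and shows that the mean number of attempts is half the search space, which is the ~50% "% Total" column of the table. SHA-256, the 32-bit nonce layout and all function names are assumptions; the use of the solution as a cipher key is not modelled.

```python
import hashlib
import random
import time

NONCE_BYTES = 4  # assumed layout: a 32-bit nonce of which the low k bits are hidden


def make_puzzle(pubkey_digest: bytes, k: int, rng=None):
    """Sender side (assumed shape): T = SHA-256(timestamp || pubkey digest || x).
    Ship x' = x with its low k bits cleared; the receiver must try 2^k candidates."""
    rng = rng or random.SystemRandom()  # x must be unpredictable in real use
    prefix = int(time.time()).to_bytes(8, "big") + pubkey_digest
    x = rng.getrandbits(8 * NONCE_BYTES)
    target = hashlib.sha256(prefix + x.to_bytes(NONCE_BYTES, "big")).digest()
    x_prime = x & ~((1 << k) - 1)
    return prefix, x_prime, target, x


def solve(prefix: bytes, x_prime: int, target: bytes, k: int):
    """Receiver side: enumerate the cleared bits until the hash matches.
    Returns (solution, attempts); attempts is uniform on 1..2^k because the
    hidden bits of x are uniform, which is why the mean is half the space."""
    for i in range(1 << k):
        cand = x_prime | i
        if hashlib.sha256(prefix + cand.to_bytes(NONCE_BYTES, "big")).digest() == target:
            return cand, i + 1
    raise ValueError("no candidate matched: malformed puzzle")


def expected_attempts(k: int) -> float:
    """Mean of a uniform draw on 1..2^k: (2^k + 1) / 2, i.e. 50% of the space."""
    return ((1 << k) + 1) / 2


def average_attempts(k: int, trials: int, seed: int = 0) -> float:
    """Simulate `trials` puzzles with a seeded generator and return the mean
    number of attempts, to compare with the '% Total' column of the table."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        prefix, x_prime, target, x = make_puzzle(b"\x11" * 32, k, rng)
        solution, attempts = solve(prefix, x_prime, target, k)
        assert solution == x  # the enumeration recovers the hidden nonce
        total += attempts
    return total / trials


if __name__ == "__main__":
    for k in (8, 12, 16):
        print(f"k={k:2d} expected={expected_attempts(k):8.1f} measured={average_attempts(k, 40):8.1f}")
```

Doubling k doubles the exponent, not the cost: each extra bit doubles the expected work, which is what turns the 8-bit puzzle into milliseconds and the 64-bit one into millions of years in the table.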
Here are some prices on the market. It’s a great business. We created our own business model!
*Artur*
Dário: Our solution was this proposal implemented. It supports generic peer-to-peer signed commands and a certificate generated by our Master Node.
*All*
David
*David* We studied lots of methods to establish secure connections between peers, but the need to keep low-level traffic and stealthiness made this job hard. We realized that attacks such as Denial of Service are easy to do; the hard part is doing it anonymously, like the Portuguese saying “stealing is easy, the hard part is stealing and not getting caught”. With this line of thought, the idea of the name Godfather appeared, and the mafia served as inspiration for the whole development process. Since systems to detect botnets have evolved, such as honeypots, it starts to be a requirement to have a trust mechanism to mitigate threats. Just to be clear, all the code developed will not be shared or distributed for malicious purposes, only for research.