Transcript Botnets - Attacks and Defense - ACM SIG
Botnets : Attacks and Defense
by Sammie Bush and Lance Pendergrass
Basic Definitions
• Botnet - network of compromised machines that can be remotely controlled by an attacker
• Bot, “zombie” - an unwillingly infected host
• Command & Control (C&C) - some channel or structure acting as a handler in relaying commands and updates to the bots
• Botmaster, Bot-herder - person(s) anonymously controlling the botnet via C&C
Motivation
• Notoriety versus Long-Term Control
• Survivability
• DDoS / Extortion
• Spam
• Identity Theft
  • keylogging
  • traffic captures
• Click Fraud / Poll Manipulation
• Bitcoin Mining – involuntary cloud computing
• Distributed Storage – warez, malware
• Search Engine Optimization (SEO) poisoning
• Blackmarket Services for Rent
C&C relaying instructions to launch DDoS attack
Typical Lifecycle
• Creation / Testing
• Infection
  • Software Vulnerability
  • Drive-By Download
  • Trojan Horse (email attachment, pirated software)
  • Usually followed by rootkit, infecting system restore
• Rallying – contacting C&C
• Potential Propagation
• Waiting
• Executing Instructions
IRC Botnets
• Historically most common
• Centralized topology
• Supports a large number of connections
• Traffic not as common, easily blocked
• Server often hosted in public network such as Efnet, Undernet
HTTP Botnets
• Typically allowed through firewalls
• Server easily hidden in plain view
• HTTPS support trivial, difficult to inspect
• Doesn’t scale as well, easy to overload server
• Covert channels: DNS, ICMP, SSL, RSS feed, IM
HTTP communications channel with C&C
Decentralized P2P Botnets
• Lack single point of failure, no centralized C&C
• Often seeded with initial nodes to contact
• Download list or learn current peers
• Common for nodes to relay/proxy traffic
• Typically make use of existing P2P protocols: BitTorrent, eDonkey/Overnet, Kademlia DHT
Evasion Techniques
• Multiple Failover C&C servers
• Dynamic DNS
• Domain Generation Algorithms (DGA)
• Fast-Flux / Internal Round-Robin Proxies
• Protocol / IPv6 tunneling
• Botmaster concealment: SOCKS, TOR, BNC’s
• Polymorphism / Obfuscation
Defense
• OS / Software Updates
• Antivirus / IDS Signatures
• Network Baselines / Anomaly Detection
• Firewall Rules
• Domain seizure / Contact ISP Hosting C&C
• Agent masquerading / Honeypots
• MitM Attacks against HTTPS communication
• Sinkholing – analyzing DGA, capturing C&C
• Reverse Engineering – IDA Pro, OllyDbg, Wireshark
• Botmaster Traceback
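The Evasion slide lists DGA and Fast-Flux, and the Defense slide answers with network baselines, anomaly detection and DGA analysis. The script below is an added example (not part of the slides) of what that anomaly detection looks like in practice on a resolver log: it flags clients whose DNS behaviour matches a DGA-driven bot hunting for its live rendezvous domain (a burst of NXDOMAIN answers for long, high-entropy, vowel-poor names) and flags names whose answers look fast-fluxed (very low TTL, many distinct A records). The log format, the sample lines and every threshold are assumptions chosen for illustration.

```python
"""Heuristic DNS-log triage for botnet C&C indicators (added example).

Two signals from the slides are implemented as simple per-client / per-name
statistics: DGA-style NXDOMAIN bursts and fast-flux answer churn. The log
format and all thresholds are illustrative assumptions, not tuned values.
"""
import math
from collections import defaultdict

# Constructed sample resolver log, one query per line:
# "client_ip qname rcode ttl answer_ip" ("-" when there is no answer).
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR 3600 93.184.216.34
10.0.0.5 mail.example.com NOERROR 3600 93.184.216.35
10.0.0.9 qzx7kd2pw9.info NXDOMAIN 0 -
10.0.0.9 l3m8vqt0ra.com NXDOMAIN 0 -
10.0.0.9 p9s2xk7ejn.net NXDOMAIN 0 -
10.0.0.9 t4w1hz8cqd.biz NXDOMAIN 0 -
10.0.0.9 y6n3rk0vxm.org NXDOMAIN 0 -
10.0.0.9 k2f7pd9wql.info NOERROR 60 198.51.100.7
10.0.0.9 k2f7pd9wql.info NOERROR 60 198.51.100.22
10.0.0.9 k2f7pd9wql.info NOERROR 60 203.0.113.140
10.0.0.9 k2f7pd9wql.info NOERROR 60 203.0.113.9
10.0.0.9 k2f7pd9wql.info NOERROR 60 192.0.2.77
10.0.0.12 cdn.example.net NOERROR 300 203.0.113.10
10.0.0.12 cdn.example.net NOERROR 300 203.0.113.11
"""

VOWELS = set("aeiou")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or uniform input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Return the label directly under the TLD, e.g. 'example' for www.example.com."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(qname, min_len=8, min_entropy=3.0, max_vowel_ratio=0.2):
    """Crude DGA heuristic: a long, high-entropy label with very few vowels.
    Real English words keep roughly a third of their letters as vowels."""
    label = second_level_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def parse_log(text):
    """Parse the constructed log format into dict records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        client, qname, rcode, ttl, answer = parts
        records.append({"client": client, "qname": qname.lower().rstrip("."),
                        "rcode": rcode, "ttl": int(ttl), "answer": answer})
    return records


def flag_dga_clients(records, min_queries=5, min_nx_ratio=0.5, min_generated=3):
    """Clients with a high NXDOMAIN share across several generated-looking names."""
    per_client = defaultdict(lambda: {"total": 0, "nx": 0, "generated": set()})
    for r in records:
        stats = per_client[r["client"]]
        stats["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            stats["nx"] += 1
        if looks_generated(r["qname"]):
            stats["generated"].add(r["qname"])
    flagged = [client for client, s in per_client.items()
               if s["total"] >= min_queries
               and s["nx"] / s["total"] >= min_nx_ratio
               and len(s["generated"]) >= min_generated]
    return sorted(flagged)


def flag_fast_flux(records, max_ttl=300, min_distinct_ips=4):
    """Names answered with many distinct addresses, all under a short TTL."""
    answers = defaultdict(set)
    ttls = defaultdict(list)
    for r in records:
        if r["rcode"] != "NOERROR" or r["answer"] == "-":
            continue
        answers[r["qname"]].add(r["answer"])
        ttls[r["qname"]].append(r["ttl"])
    return sorted(name for name, ips in answers.items()
                  if len(ips) >= min_distinct_ips and max(ttls[name]) <= max_ttl)


def triage(log_text):
    """Run both detectors over a log and return the flagged clients and names."""
    records = parse_log(log_text)
    return {"dga_clients": flag_dga_clients(records),
            "fast_flux_domains": flag_fast_flux(records)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Both detectors are triage signals rather than verdicts: CDNs also hand out short TTLs and many addresses, and some legitimate hostnames are high-entropy, so in practice the flagged names are checked against a whitelist of known infrastructure and the flagged client is examined further (the Sinkholing and Reverse Engineering bullets above) before anything is blocked.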
Select History
• Agobot (2002) – first to use modular design, staged payloads
• Sinowal (2005) – 1.2 million bots, rootkit/MBR, banking credential thief
• Zeus (2007) – targets banking info, estimated $12.5mil loss, RC4/XOR encoded traffic, source code leaked in 2011 leading to many variants, custom kits for sale in blackhat forums
• Storm (2007) – estimated at 1-5mil bots, p2p topology, made use of Fast-Flux technique, IPS rivaling many supercomputers, reputation for launching DDoS defensive measures against researchers
• SpyEye (2009) – predecessor / competitor to Zeus, Zeus removal, financial MitM attacks, credential theft
• TDL-4 / Alureon (2011) – 4.5mil bots, MBR rootkit, encrypted p2p communication, removes rival malware, variant implements malicious DHCP/DNS server, used for spamming, DDoS, proxies
DIY HTTP Based Botnet Kit (1)
Cythosia Botnet Kit, AJAX Webpanel, SOCKSv5 Proxy, DDoS
Cythosia cont.
Skynet C&C (Zeus variant, 2013) – generated over $1mil in Bitcoins