Botnets - Attacks and Defense - ACM SIG


Botnets : Attacks and Defense

by Sammie Bush and Lance Pendergrass

Basic Definitions

• Botnet - network of compromised machines that can be remotely controlled by an attacker
• Bot, “zombie” - an unwillingly infected host
• Command & Control (C&C) - some channel or structure acting as a handler in relaying commands and updates to the bots
• Botmaster, Bot-herder - person(s) anonymously controlling the botnet via C&C

Motivation

• Notoriety versus Long-Term Control
• Survivability
• DDoS / Extortion
• Spam
• Identity Theft
  • keylogging
  • traffic captures
• Click Fraud / Poll Manipulation
• Bitcoin Mining – involuntary cloud computing
• Distributed Storage – warez, malware
• Search Engine Optimization (SEO) poisoning
• Blackmarket Services for Rent

C&C relaying instructions to launch DDoS attack

Typical Lifecycle

• Creation / Testing
• Infection
  • Software Vulnerability
  • Drive-By Download
  • Trojan Horse (email attachment, pirated software)
  • Usually followed by rootkit, infecting system restore
• Rallying – contacting C&C
• Potential Propagation
• Waiting
• Executing Instructions

IRC Botnets

• Historically most common
• Centralized topology
• Support large number of connections
• Traffic not as common, easily blocked
• Server often hosted in public network such as Efnet, Undernet

HTTP Botnets

• Typically allowed through firewalls
• Server easily hidden in plain view
• HTTPS support trivial, difficult to inspect
• Doesn’t scale as well, easy to overload server
• Covert channels: DNS, ICMP, SSL, RSS feed, IM

HTTP communications channel with C&C

Decentralized P2P Botnets

• Lack single point of failure, no centralized C&C
• Often seeded with initial nodes to contact
• Download list or learn current peers
• Common for nodes to relay/proxy traffic
• Typically make use of existing P2P protocols: BitTorrent, eDonkey/Overnet, Kademlia DHT

Evasion Techniques

• Multiple Failover C&C servers
• Dynamic DNS
• Domain Generation Algorithms (DGA)
• Fast-Flux / Internal Round-Robin Proxies
• Protocol / IPv6 tunneling
• Botmaster concealment: SOCKS, TOR, BNC’s
• Polymorphism / Obfuscation

Defense

• OS / Software Updates
• Antivirus / IDS Signatures
• Network Baselines / Anomaly Detection
• Firewall Rules
• Domain seizure / Contact ISP Hosting C&C
• Agent masquerading / Honeypots
• MitM Attacks against HTTPS communication
• Sinkholing – analyzing DGA, capturing C&C
• Reverse Engineering – IDA Pro, OllyDbg, Wireshark
• Botmaster Traceback
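The Evasion Techniques and Defense slides above mention DGA and Fast-Flux on one side and network baselines / anomaly detection and DGA analysis on the other. The following is an added example written for this page, not code from the slides or from any of the botnets they describe; it shows what the "anomaly detection" bullet looks like as a concrete check over DNS resolver logs. The log format (client, query name, type, rcode, TTL, answer), the thresholds, and the assumption that the second-level label is the registered name are all choices made for the example; the log lines are constructed, using documentation address ranges. Two indicators are computed: a client that queries many high-entropy, vowel-poor names that mostly return NXDOMAIN (the footprint of a bot walking through generated domains until it finds the registered one), and a single name that resolves to many addresses across several networks with a short TTL (the footprint of a fast-flux front end).

```python
"""DGA and fast-flux indicators over DNS resolver logs (added example, not from the slides)."""
import math
from collections import Counter, defaultdict

# Constructed sample log: "client qname qtype rcode ttl answer" ("-" = no answer).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR 3600 93.184.216.34
10.0.0.5 mail.example.com A NOERROR 3600 93.184.216.35
10.0.0.7 qxzvkpwdjrtmna.com A NXDOMAIN 0 -
10.0.0.7 lmqprtvwxzbdkf.net A NXDOMAIN 0 -
10.0.0.7 kjhgfdsapoiuyt.org A NXDOMAIN 0 -
10.0.0.7 zxcvbnmasdfghj.com A NXDOMAIN 0 -
10.0.0.7 pqowieurytlaks.info A NOERROR 60 198.51.100.10
10.0.0.9 update.example.net A NOERROR 120 203.0.113.11
10.0.0.9 update.example.net A NOERROR 120 203.0.113.57
10.0.0.9 update.example.net A NOERROR 120 198.51.100.90
10.0.0.9 update.example.net A NOERROR 120 192.0.2.200
10.0.0.9 update.example.net A NOERROR 120 192.0.2.33
"""

VOWELS = set("aeiou")


def parse_line(line):
    """Split one constructed log line into a record; the field layout is an assumption."""
    client, qname, qtype, rcode, ttl, answer = line.split()
    return {"client": client, "qname": qname.lower().rstrip("."), "qtype": qtype,
            "rcode": rcode, "ttl": int(ttl), "answer": None if answer == "-" else answer}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score close to log2(len)."""
    n = len(s)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(qname):
    """Assumption: the second-level label is the registered name (no public-suffix list)."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else qname


def looks_generated(qname, min_len=10, min_entropy=3.3, max_vowel_ratio=0.4):
    """Heuristic: long, high-entropy, vowel-poor registered label. Thresholds are illustrative."""
    label = registered_label(qname)
    letters = [c for c in label if c.isalpha()]
    if len(label) < min_len or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def find_dga_clients(records, min_names=3, min_nx_ratio=0.5):
    """Flag clients that query several generated-looking names with a high NXDOMAIN share."""
    per_client = defaultdict(lambda: {"total": 0, "nx": 0, "generated": set()})
    for r in records:
        st = per_client[r["client"]]
        st["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            st["nx"] += 1
        if looks_generated(r["qname"]):
            st["generated"].add(r["qname"])
    flagged = {}
    for client, st in per_client.items():
        nx_ratio = st["nx"] / st["total"]
        if len(st["generated"]) >= min_names and nx_ratio >= min_nx_ratio:
            flagged[client] = {"nx_ratio": nx_ratio, "names": sorted(st["generated"])}
    return flagged


def find_fast_flux(records, min_ips=4, min_networks=3, max_ttl=300):
    """Flag names whose A answers spread over many hosts and /24 networks with a short TTL."""
    per_name = defaultdict(lambda: {"ips": set(), "min_ttl": None})
    for r in records:
        if r["qtype"] != "A" or r["answer"] is None:
            continue
        st = per_name[r["qname"]]
        st["ips"].add(r["answer"])
        st["min_ttl"] = r["ttl"] if st["min_ttl"] is None else min(st["min_ttl"], r["ttl"])
    flagged = {}
    for qname, st in per_name.items():
        networks = {ip.rsplit(".", 1)[0] for ip in st["ips"]}  # first three octets ~ /24
        if len(st["ips"]) >= min_ips and len(networks) >= min_networks and st["min_ttl"] <= max_ttl:
            flagged[qname] = {"ips": len(st["ips"]), "networks": len(networks), "ttl": st["min_ttl"]}
    return flagged


def analyse(log_text):
    """Run both indicators over a log and return the flagged clients and names."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"dga_clients": find_dga_clients(records), "fast_flux": find_fast_flux(records)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for key, detail in hits.items():
            print(f"{kind}: {key} {detail}")
```

On the constructed log the DGA check flags only client 10.0.0.7 (four of its five queries are NXDOMAIN and all five names are generated-looking) and the fast-flux check flags only update.example.net (five addresses in three /24 networks, TTL 120). The point of splitting the two checks is that they feed different responses on the Defense slide: a DGA-like client is a host to isolate and clean, whereas a fast-flux name is a domain to sinkhole or report to the registrar. Both heuristics need tuning against a site's own baseline; content-distribution networks also answer with many addresses and short TTLs, so the fast-flux indicator in particular should be reviewed against a known-good list before acting on it.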

Select History

• Agobot (2002) – first to use modular design, staged payloads
• Sinowal (2005) – 1.2 million bots, rootkit/MBR, banking credential thief
• Zeus (2007) – targets banking info, estimated $12.5mil loss, RC4/XOR encoded traffic, source code leaked in 2011 leading to many variants, custom kits for sale in blackhat forums
• Storm (2007) – estimated at 1-5mil bots, p2p topology, made use of Fast-Flux technique, IPS rivaling many supercomputers, reputation for launching DDoS defensive measures against researchers
• SpyEye (2009) – predecessor / competitor to Zeus, Zeus removal, financial MitM attacks, credential theft
• TDL-4 / Alureon (2011) – 4.5mil bots, MBR rootkit, encrypted p2p communication, removes rival malware, variant implements malicious DHCP/DNS server, used for spamming, DDoS, proxies

DIY HTTP Based Botnet Kit (1)


Cythosia Botnet Kit, AJAX Webpanel, SOCKSv5 Proxy, DDoS

Cythosia cont.

Skynet C&C (Zeus variant, 2013) – generated over $1mil in Bitcoins
