463.4 Botnets Computer Security II CS463/ECE424 University of Illinois

Post on 21-Dec-2015

Page 1: 463.4 Botnets

Computer Security II, CS463/ECE424
University of Illinois

Page 2: Overview

• Discussion in two parts
  – Motives and analysis techniques
  – Architectures and strategies

Page 3: 463.5.1 Motives and Analysis Techniques for Botnets

Page 4: What are Botnets?

• A botnet is a collection of compromised machines (bots) remotely controlled by an attacker
• They are used for various forms of illegal activity
• Why the need for compromised machines?
  – Save money on provisioning
  – Obscure the controlling party by the use of stepping stones
• Why the need for multiple compromised machines?
  – Defending against multiple machines is harder: DDoS and dynamic blacklisting

Page 5: Underground Cyber-Markets

• An “underground” market is one that operates outside of government regulation, often dealing in illegal goods or services
• Examples: drugs, prostitution
• The underground cyber-markets are ones where underground commerce is carried out over the Internet

Page 6: What’s the Supply and Demand?

[FranklinPPS07]

Page 7: Internet Relay Chat (IRC) Channels

• IETF protocol for message exchange
• IRC client connects to a server identifying itself with a nickname (“nick”) and joins a channel
• Client can broadcast on the channel or deliver messages privately on the channel
• Channel manager may supply supplementary services to users

Page 8: IRC Roles for Botnets

• Connect buyers and sellers
• Control botnet
• Broadcast nature of IRC aids untraceable communication

Page 9: Targeted Applications

• Extortion
  – Cryptoviral extortion
  – DoS
• Fraud (viz. identity theft)
  – Bank accounts
  – Credit cards
• SPAM
  – Direct advertising
  – Fraud

Page 10: Roles of Participants

Buyers: seek to make money off scams
Carders: provide credit card data
Cashiers: provide ways to convert these to cash
Droppers: enable pick-ups of merchandise purchased with credit cards
Rippers: take payment without providing service
Operators: channel owners who provide integrity services like “verified status”

Page 11: Buyer

<buyer a> need fresh US Fullz Msg Me Fast If U have Am Payin E-gold.
<buyer b> i buy uk cc's ..prv me only serios ppl 4 good dill.
<buyer c> Looking to buy HSBC debit with pins and CC's......

Page 12: Carder

<carder a> selling US (Visa, Master) $2, UK (Barclay) $3. e-gold only
<carder b> selling us, uk fresh fulls (master & visa) $10. I accept paypal or e-gold
<carder c> Am Selling US, UK Mastercard, Visa, and American Express Fulls, Fresh and 100% valid, WIth DOB, SSN, DL.

Page 13: Cashier

<cashier a> i Cash Out Wells fargo, Boa, Nation Wide, Chase, WachoviA, WaMu, Citibank, Halifax Msg me.
<cashier b> I Cashout Skimmed Dumps + Pins 30/70 % Split i Take 30% You Take 70%.
<cashier c> can cashout cvv's via WU terminal agent. 500-700 $ per cvv's pvt me for more info.

Page 14: Dropper

<drop a> i drop in usa i can pick any name.
<user b> F@!k drops man, I ship to my friends house, no fee.
<user c> u will lose ur friends soon! ^^
<user d> I guess some friends are expendable!

Page 15: Ripper

<ripper> Selling software to verify your cvv2. Great for carders, payment is $10.
<ripper> Selling database of 350,000 cvv2! msg me fast for good deal!!!

Page 16: Operator

<@operator a> If you want verified status msg me, cost is $50.
<@operator b> To become verified pm any @op.

Page 17: Market Demand and Activity

• Markets are active: ~64,000 msgs / day
• Large volume of sensitive data
  – 4k SSNs, $55 million in vulnerable accounts

[FranklinPPS07]

Page 18: Pricing

• Sale ads often dominate want ads
• Lower barrier to entry – even for n00bs

Page 19: Pricing

• Pricing for compromised hosts varies
• Significant demand for root access

Page 20: Making Money with SPAM

• IronPort claimed that, as of 2006, 80% of SPAM was sent by bots
  – Direct Advertising
  – Penny Stocks
  – Click-fraud
  – Phishing

Services Available in Market
1) Mailers
2) Targeting Mailing Lists
3) Scam Hosting Infrastructure
4) Phishing Pages

[IronPort06]

Page 21: How Do I Get My (Stolen) Money?

• E-gold (Nevis, Lesser Antilles) was fined $3.7 million for “conspiracy to engage in money laundering” and the “operation of an unlicensed money transmitting business”.
• Western Union requires in-country initiation, and transfers over $1K require a Passport, SSN, Drivers License #
• Drops provide an out-of-band approach
• Colorful strategies: touts, gambling, Lindens, etc.

Page 22: Analyzing Bots

• Examine source code
• Attract compromise with a honeypot
  – Honeynet project
• Observe public communications and collect statistics
  – By manual analysis
  – Using attribute searches
  – Using machine learning
• Compromise a bot and observe its activities
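As an added example of the “attribute searches” bullet (not code from the slides or from [FranklinPPS07]), the script below tags constructed IRC market lines with the participant roles introduced on the earlier slides using keyword patterns, and flags card-like numbers that pass the Luhn check. The keyword lists, nicks and messages are all assumptions made up for illustration.

```python
import re
from collections import Counter

# Constructed sample of IRC market traffic, modelled on the channel excerpts
# shown earlier in the slides (invented lines, not real captures).
SAMPLE_LOG = """\
<buyer1> need fresh US fullz, msg me fast, paying e-gold
<carder9> selling us uk fulls (visa master) $10, accept paypal
<cash0ut> i cashout dumps + pins 30/70 split, msg me
<dropz> i drop in usa, can pick any name
<joe> anyone know what time the game starts tonight?
<carder9> sample 4111111111111111 exp 09/09 cvv 123
<carder9> sample 4111111111111112 exp 09/09 cvv 123
"""

# Attribute searches keyed on the participant roles from the slides: a message
# is tagged with a role when one of that role's keyword patterns occurs in it.
ROLE_PATTERNS = {
    "buyer":   re.compile(r"\b(need|buy|looking to buy|paying)\b", re.I),
    "carder":  re.compile(r"\bsell(ing)?\b", re.I),
    "cashier": re.compile(r"\b(cash ?out|dumps|split)\b", re.I),
    "dropper": re.compile(r"\b(drops?|ship)\b", re.I),
}
LINE_RE = re.compile(r"^<(?P<nick>[^>]+)>\s*(?P<msg>.*)$")
CARD_RE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits):
    """Luhn checksum, to separate card-like numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def analyze(log):
    """Return (messages per role, nick -> roles, Luhn-valid card-like numbers)."""
    role_counts, nick_roles, cards = Counter(), {}, []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        nick, msg = m.group("nick"), m.group("msg")
        for role, pat in ROLE_PATTERNS.items():
            if pat.search(msg):
                role_counts[role] += 1
                nick_roles.setdefault(nick, set()).add(role)
        cards += [c for c in CARD_RE.findall(msg) if luhn_ok(c)]
    return role_counts, nick_roles, cards
```

Counting tagged messages per role over a day of traffic is the same kind of statistic the slides quote (messages per day, volume of leaked data); the keyword lists would need tuning on real channels.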

Page 23: Reading List

• [FranklinPPS07] An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, CCS 2007.
• [ThomasA07] Kurt Thomas and David Albrecht, Cashing Out: Exploring Underground Economies, Manuscript 2007.

Page 24: Discussion

• Assuming an IRC channel, speculate on strategies for reducing the effectiveness of the underground cyber-market.
• How far can/should a honeynet go to gather information about malware?

Page 25: 463.5.2 Botnet Architectures and Strategies

Page 26: Botnet Recruitment/Propagation

• Bot code is installed on compromised machines using many different techniques
  – Scan for victims with vulnerabilities
    • Horizontal scans across an address range
    • Vertical scans across a range of ports
  – Look for backdoors or vulnerable software
    • Bagle and MyDoom worms left backdoors that allow arbitrary code to be executed on the machine
  – Hide bot code in legitimate files placed in open file shares and on peer-to-peer networks
  – Send spam email with attachments infected with bot code

Page 27: Botnet Maintenance/Control

• After a computer has been compromised, the bot has several goals
  – Fortify the system against other malicious attacks
  – Disable anti-virus software
  – Harvest sensitive information
• The attacker issues commands to the bots
  – Download updates to the bot code
  – Download patches to prevent other botnets from capturing the machine
  – Participate in the botnet “work”: send spam and phishing emails, contribute to DDoS attacks, etc.

Page 28: IRC Botnet in a DDoS Attack

[CookeJM05]

Page 29: Case Study: Agobot

• Architecture
• Botnet control mechanisms
• Host control mechanisms
• Propagation mechanisms
• Target exploits and attack mechanisms
• Malware delivery mechanisms
• Obfuscation methods
• Deception strategies

[BarfordY07]

Page 30: Architecture

• Source code was released publicly around 2002
• IRC-based command and control
• DoS attack library
• Limited polymorphic obfuscations
• Harvests Paypal passwords, AOL keys, etc.
• Defends compromised system
• Anti-disassembly mechanisms
• Built with good SE practices

Page 31: Botnet Control Mechanisms

Page 32: Host Control Mechanisms

Page 33: Propagation Mechanisms

Page 34: Exploits and Attack Mechanisms Part 1 of 2

1. Bagle scanner: scans for back doors left by Bagle variants on port 2745.
2. Dcom scanners (1/2): scans for the well known DCE-RPC buffer overflow.
3. MyDoom scanner: scans for back doors left by variants of the MyDoom worm on port 3127.
4. Dameware scanner: scans for vulnerable versions of the Dameware network administration tool.
5. NetBIOS scanner: brute force password scanning for open NetBIOS shares.
6. Radmin scanner: scans for the Radmin buffer overflow.
7. MS-SQL scanner: brute force password scanning for open SQL servers.
8. Generic DDoS module

Page 35: Exploits and Attack Mechanisms Part 2 of 2

Page 36: Malware Delivery Mechanisms

• Agobot first exploits a vulnerability and uses this to open a shell on the remote host.
• The encoded malware binary is then uploaded using either HTTP or FTP.
• This separation enables an encoder to be used across exploits, thereby streamlining the codebase and potentially diversifying the resulting bit streams.

Page 37: Obfuscation Mechanisms

• A limited set of operations provide some ability to diversify the transfer file
  – POLY TYPE XOR
  – POLY TYPE SWAP (swap consecutive bytes)
  – POLY TYPE ROR (rotate right)
  – POLY TYPE ROL (rotate left)
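Added example, not Agobot code: the four transforms listed above implemented in Python with their inverses, plus an analyst-side recovery routine that brute-forces the small (operation, key) space against a known plaintext prefix, which is why this kind of encoding adds little against a scanner that normalises before matching. The operation names and the PE/DOS “MZ” magic are this example's choices.

```python
def rol8(b, k):
    """Rotate one byte left by k bits."""
    k %= 8
    return ((b << k) | (b >> (8 - k))) & 0xFF

def ror8(b, k):
    """Rotate one byte right by k bits (a left rotation by the complement)."""
    return rol8(b, (8 - k % 8) % 8)

def transform(op, key, data):
    """Apply one transform with a one-byte key (swap ignores the key)."""
    if op == "xor":
        return bytes(b ^ key for b in data)
    if op == "ror":
        return bytes(ror8(b, key) for b in data)
    if op == "rol":
        return bytes(rol8(b, key) for b in data)
    if op == "swap":
        out = bytearray(data)
        for i in range(0, len(out) - 1, 2):      # swap each consecutive pair
            out[i], out[i + 1] = out[i + 1], out[i]
        return bytes(out)
    raise ValueError(op)

# Each transform is undone by its partner applied with the same key.
INVERSE = {"xor": "xor", "swap": "swap", "ror": "rol", "rol": "ror"}

def invert(op, key, data):
    return transform(INVERSE[op], key, data)

def recover(blob, magic=b"MZ\x90\x00"):
    """Analyst side: try every (op, key) pair and return (op, key, plaintext)
    for the first decoding that starts with `magic`, else None. Only
    256 + 7 + 7 + 1 candidates exist. A rotation by k is reported as its
    equivalent partner rotation by 8-k; the recovered bytes are the same."""
    key_space = {"xor": range(256), "ror": range(1, 8), "rol": range(1, 8), "swap": (0,)}
    for op, keys in key_space.items():
        for key in keys:
            cand = invert(op, key, blob)
            if cand.startswith(magic):
                return op, key, cand
    return None
```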

Page 38: Deception Mechanisms Part 1 of 2

• Deception refers to the mechanisms used to evade detection once a bot is installed on a target host.
• These mechanisms are also referred to as rootkits.

Page 39: Deception Mechanisms Part 2 of 2

• In Agobot the following defenses are included:
  – Testing for debuggers such as OllyDebug, SoftIce and procdump
  – Testing for VMWare
  – Killing anti-virus processes
  – Altering DNS entries of anti-virus software companies to point to localhost
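One host-side check for the last item, as an added example that is not part of the slides or of [BarfordY07]: scan a hosts file for security-vendor hostnames pinned to loopback or to 0.0.0.0, the signature of the localhost redirection described above. The vendor domain list and the sample hosts file are constructed placeholders.

```python
import ipaddress

# Placeholder watch list; a real deployment would carry the update and
# signature hostnames of the security products actually installed.
SECURITY_DOMAINS = {"example-av-vendor.test", "example-security.test"}

# Constructed sample hosts file with two redirected vendor entries.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.example-av-vendor.test
0.0.0.0         example-security.test   # null route, blocks just as well
192.0.2.10      intranet.example.test
"""

def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()

def is_sinkhole(ip):
    """True for loopback or unspecified addresses: traffic never leaves the host."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def find_redirected(text, watched=SECURITY_DOMAINS):
    """Return [(hostname, ip)] for watched domains, or their subdomains, that
    the hosts file pins to a sinkhole address."""
    hits = []
    for ip, name in parse_hosts(text):
        if not is_sinkhole(ip):
            continue
        if any(name == d or name.endswith("." + d) for d in watched):
            hits.append((name, ip))
    return hits
```

The same check belongs in a baseline comparison of the hosts file, since any unexpected change to it on a managed host is worth an alert regardless of the domain.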

Page 40: Beyond Agobot: Evolving Botnet Structure

• Original command-and-control mechanism
  – Internet Relay Chat (IRC) channels
  – Centralized control structure
• Improved command-and-control mechanism
  – Peer-to-peer (P2P) networks
  – Decentralized control structure
  – More difficult to dismantle than IRC botnets

Page 41: P2P Botnets

• While IRC bots simply connect to their IRC server, P2P bots must follow a series of steps to connect with their P2P network
• The initial P2P bot code contains a list of possible peers and code that attempts to connect the bot with the P2P network
• After the bot joins the network, the peer list is updated
• Then the bot searches the network and downloads the secondary injection code (code that instructs the bot to send spam or perform other malicious activities)

Page 42: Case Study: Storm Worm

• First major botnet to employ peer-to-peer command-and-control structure
• Appeared in 2006, gained prominence in January 2007
• MS estimated 500,000 bots as of September 2007
• Recruits new bots using a variety of attack vectors
  – Email messages with executable attachments
  – Email messages with links to infected sites
  – E-card spam
• Uses computing power of compromised machines
  – Sends and relays SPAM
  – Hosts the exploits and binaries
  – Conducts DDoS attacks on anti-spam websites and security researchers probing the botnet

Page 43: Social Engineering with Email Headers

• “230 dead as storm batters Europe,”
• “A killer at 11, he’s free at 21 and kill again!,”
• “British Muslims Genocide,”
• “Naked teens attack home director,”
• “Re: Your text,”
• “Russian missile shot down USA satellite,”
• “US Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel.”

Page 44: Effectiveness of Storm

[Smith08]

Page 45: Storm Worm Botnet Infection Process

1. Victim downloads and runs Trojan executable file
   – Kernel mode driver component wincom32.sys
   – Initialization file component peers.ini
   – Malware inserts itself into services.exe process
2. Malware connects with peers on P2P network
   – Uses initial list of 146 peers to connect to P2P network
   – Updates peer list with close peers
   – Searches for encrypted URL of payload
3. Malware downloads full payload
   – Decrypts URL of payload
   – Downloads code that sends spam, participates in DDoS attacks, etc.
4. Malware executes code under the control of the botnet
   – Bots can periodically search the P2P network for code updates

Page 46: Control Architecture

Page 47: Overnet Protocol

• Overnet is a P2P protocol based on the Kademlia algorithm
• It was created from the file-sharing community eDonkey2000
• Overnet and eDonkey2000 had an estimated total of 645,000 users as of 2006
• Both were shut down by legal action of the RIAA in 2006

Page 48: Distributed Hash Tables (DHT)

• Kademlia, and hence also Overnet and Storm, are DHT protocols
• A DHT network manages a collection of nodes that store (key, value) pairs
• A DHT can support large scale storage in a robust decentralized system
• Key concepts
  – Key space partitioning
  – Overlay network
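Added illustration of the two key concepts in a Kademlia-style DHT (a constructed toy, not Overnet's or Storm's code): key-space partitioning by XOR distance with k-buckets indexed by the highest differing bit, and an overlay lookup that iteratively queries the k closest known nodes, finishing with the store/find round trip a node performs when it publishes a value and another node later searches for it. 16-bit IDs, k=3 and the 40-node seeded network are assumptions made for illustration; Overnet uses 128-bit IDs.

```python
import random

def bucket_index(self_id, other_id):
    """k-bucket for other_id: index of the highest bit where it differs from self_id (None for self)."""
    d = self_id ^ other_id
    return d.bit_length() - 1 if d else None

def closest(key, ids, k):
    """The k IDs with the smallest XOR distance to key."""
    return sorted(ids, key=lambda n: n ^ key)[:k]

class ToyDHT:
    def __init__(self, node_ids, k=3):
        self.k = k
        self.nodes = {n: {"buckets": {}, "store": {}} for n in node_ids}
        for n in node_ids:                 # every node keeps at most k contacts per bucket
            for m in node_ids:
                if m != n:
                    b = self.nodes[n]["buckets"].setdefault(bucket_index(n, m), [])
                    if len(b) < k:
                        b.append(m)
    def contacts(self, n):
        return {m for b in self.nodes[n]["buckets"].values() for m in b}
    def lookup(self, start, key):
        """Iterative FIND_NODE: query the k closest unqueried known nodes, merge what
        they know, stop once the k closest known nodes have all been queried."""
        known, queried = self.contacts(start) | {start}, {start}
        while True:
            batch = [n for n in closest(key, known, self.k) if n not in queried]
            if not batch:
                return closest(key, known, self.k)
            for n in batch:
                queried.add(n)
                known |= self.contacts(n)
    def store(self, publisher, key, value):
        """Publish: place the value on the k nodes closest to the key."""
        for n in self.lookup(publisher, key):
            self.nodes[n]["store"][key] = value
    def find_value(self, start, key):
        """Any node locates the value by walking the overlay toward the key."""
        for n in self.lookup(start, key):
            if key in self.nodes[n]["store"]:
                return self.nodes[n]["store"][key]
        return None

def demo():
    """Constructed 40-node network with 16-bit IDs; key and value are made up."""
    ids = random.Random(7).sample(range(1 << 16), 40)
    dht = ToyDHT(ids)
    dht.store(ids[0], 0xBEEF, "constructed payload locator")
    return dht, ids
```

Because every node keeps its small buckets complete, the lookup from any starting node returns exactly the k globally closest nodes to the key, which is what lets a value published by one peer be found by any other.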

Page 49: Storm Worm Botnet: Anti-malware Response

• Botnet variations make signature-based detection difficult
  – New email subject lines and file attachment names
  – Re-encoded malware binary twice per hour
• Anti-malware Response
  – Microsoft Malicious Software Removal Tool patch issued in September 2007
    • Correlated with 20% drop in size of the Storm Worm botnet
    • Shows that aggressive removal of bots from botnet can make a significant impact on the size of the botnet

Page 50: Reading List

• [CookeJM05] The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets, Evan Cooke, Farnam Jahanian, and Danny McPherson. Steps to Reducing Unwanted Traffic on the Internet Workshop, SRUTI 2005.
• [BarfordY07] An Inside Look at Botnets, Paul Barford and Vinod Yegneswaran. Advances in Computer Security, Springer 2007.
• [Smith08] A Storm (Worm) Is Brewing, Brad Smith. IEEE Computer, vol. 41, no. 2, pp. 20-22, Feb. 2008.

Page 51: Discussion

• Botnets seem like a major challenge today. How long do you think they will continue as a problem?
• Storm represents a cross-over between the file sharing community and the underground cyber-market (viz. SPAM). Conjecture on similar synergies that might emerge in the future.