Botcoin: Monetizing Stolen Cycles
UC San Diego and George Mason University
Presented By: Amanda Watson
CSCI 780: Advanced Network Security

Outline
Introduction
Related Work
Background
Methodology
Analysis
Discussion
Conclusion
Epilogue

Bots
Send spam, commit click fraud, launch DoS attacks, steal user data
Botmaster: uses bots to extract value from the above actions
Botnet: compromised computers under the control of the botmaster
Demand for a bot determines its value
Security evolution depends on the demand

Bitcoin Mining
Repeatedly computing the SHA-256 cryptographic hash function over a large range of values
State-space search
Can be conducted in parallel
Botmaster can add bitcoin mining to the current activities of his botnet without interfering with the others
Pro: Potentially lucrative depending on the number of bots
Con: Easier to detect than other activities

Related Work
Analysis of the transactions in the Bitcoin network
  Measures activity
  Tests the limits of anonymity
Analysis of the Silk Road (underground drug market)
  Shut down October 13, 2013
Bitcoin mining can be "gamed" by an appropriately powerful adversary
  Can disrupt the Bitcoin economy
Profitable malware
  Pay-per-install, fake anti-virus, click fraud

Background

Bitcoin
Proposed by Satoshi Nakamoto in 2008
Not backed by any government
Purely a peer-to-peer virtual currency
Bitcoins are acquired through mining
Transactions are public through the blockchain
Public ledger maintained by a peer-to-peer network
1 Bitcoin = $402.53

Bitcoin Mining
Miner receives valid transactions through the peer-to-peer network
Groups them into blocks:
  a set of transactions
  a header containing a hash of the previous block and a nonce
Computes a SHA-256 hash value of the block
If the value has the correct number of leading zeros:
  Miner passes it on to others to verify
  Coinbase: pays transaction fees and the block reward
If the value does not have the correct number of leading zeros:
  Repeat the process
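The search loop the slide describes, as an added example that is not part of the presentation: a simplified Bitcoin proof-of-work in Python. It reduces the header to previous hash + merkle root + nonce and uses a leading-zero-bit count as the target instead of the real 80-byte header and "bits" field (both simplifications are assumptions of this example); the parallel split that pooled mining relies on is the start_nonce parameter.

```python
import hashlib
import struct

# Toy proof-of-work search, added to illustrate the loop on the slide. A real
# header is 80 bytes (version, previous hash, merkle root, time, bits, nonce)
# and the target comes from "bits"; here the header is reduced to
# prev_hash + merkle_root + nonce and the target is a count of leading zero
# bits. Bitcoin applies SHA-256 twice to the header, which this keeps.

def block_hash(prev_hash: bytes, merkle_root: bytes, nonce: int) -> bytes:
    """Double SHA-256 of the simplified header with the given nonce."""
    header = prev_hash + merkle_root + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def meets_target(digest: bytes, zero_bits: int) -> bool:
    """True if the digest, as a big-endian integer, starts with at least
    zero_bits zero bits: the slide's 'correct number of leading zeros'."""
    return int.from_bytes(digest, "big") >> (256 - zero_bits) == 0


def mine(prev_hash: bytes, merkle_root: bytes, zero_bits: int,
         start_nonce: int = 0, max_tries: int = 2**32):
    """Walk the nonce space from start_nonce (the 'repeat the process' branch).
    A pool gives each worker a different start_nonce range or header, which is
    what makes the search parallel. Returns (nonce, digest) or None."""
    for nonce in range(start_nonce, min(start_nonce + max_tries, 2**32)):
        digest = block_hash(prev_hash, merkle_root, nonce)
        if meets_target(digest, zero_bits):
            return nonce, digest
    return None


def verify(prev_hash: bytes, merkle_root: bytes, nonce: int, zero_bits: int) -> bool:
    """What peers do when the block is passed on: one hash, not a search."""
    return meets_target(block_hash(prev_hash, merkle_root, nonce), zero_bits)


if __name__ == "__main__":
    prev, root = bytes(32), bytes(range(32))  # constructed inputs
    found = mine(prev, root, zero_bits=16)
    if found:
        print("nonce", found[0], "hash", found[1].hex())
```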

Pooled Mining
Combine the mining power of many individual miners and pay out a small amount for work completed
Pool server manages pending transactions
Provides a starting point to workers
Workers mine the blocks
Report results to the server

Botnet Mining
Use an existing or newly created botnet to mine for bitcoins
Direct Pool Mining
  Distribute a mining executable with a wrapper script that specifies mining parameters
  Generally banned by mining pools
Proxied Pool Mining
  Proxy connections through a controlled server
  Requires additional infrastructure
Dark Pool Mining
  Botmaster maintains a pool server
  Bots connect to his pool
  Limited to the number of bots he controls

Methodology
Goals:
  Identify mining malware
  Identify the size of the infected population
  Identify the value of the bitcoins extracted

Methodology
Identify Mining Malware
Extract Mining Credentials
Estimate Earnings
Estimate Infected Population
Identify Pool Proxies

Identifying Mining Malware
All mining malware uses the HTTP-based getwork protocol
Use this to identify mining malware from a network trace
To get the network traffic of various malware:
  Execute the binaries in a malware execution environment
  Use data from public and private sandboxes that provide information and logs of the actions of the binaries
If the binary requests access to a bitcoin pool server, it is being used for bitcoin mining

Extracting Mining Credentials
Mining software is generally generic
Credentials are passed on the command line
Extract the credentials:
  Command-line arguments: extract the credentials from the packaged binary
  HTTP basic authentication: extract credentials from a network trace
  Command-and-control channel: credentials are contained in a Dropbox or Pastebin file; reverse engineer the malware and use memory snapshots of the de-obfuscated payload
  Pool operators: public pool operators provide lists of user names and wallet addresses
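A detector for the getwork traffic that this slide and the previous one rely on, added here as an example that is not from the presentation or the paper: it parses HTTP requests as captured from a sandbox trace, flags JSON-RPC getwork calls, and recovers the pool host and the HTTP basic-auth worker name. The sample requests, host names and worker name are constructed for this example.

```python
import base64
import json

# Constructed requests as they might appear in a sandbox's network trace; the
# host, worker name and password are made up. Only the first is a getwork call.
SAMPLE_REQUESTS = [
    "POST / HTTP/1.1\r\nHost: pool.example.test:8332\r\n"
    "Authorization: Basic " + base64.b64encode(b"worker1.rig:x").decode() + "\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"method": "getwork", "params": [], "id": 1}',
    "POST /rpc HTTP/1.1\r\nHost: api.example.test\r\nContent-Type: application/json\r\n\r\n"
    '{"method": "getinfo", "params": [], "id": 2}',
]

def parse_http(raw):
    """Split a raw request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def is_getwork(body):
    """getwork is JSON-RPC over HTTP: a JSON object whose method is 'getwork'."""
    try:
        msg = json.loads(body)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") == "getwork"

def basic_auth_user(headers):
    """Worker name from the basic-auth header; the password is dropped."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        creds = base64.b64decode(auth[6:], validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return creds.split(":", 1)[0]

def find_mining_requests(requests):
    """Return (pool host, worker name) for each getwork request in the trace."""
    hits = []
    for raw in requests:
        request_line, headers, body = parse_http(raw)
        if request_line.startswith("POST ") and is_getwork(body):
            hits.append((headers.get("host"), basic_auth_user(headers)))
    return hits
```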

Earnings
Mapping miners to wallet addresses:
  Contact the pool operators to ask for the information
  Publicly visible pool statistics: some pools provide public leaderboards
Blockchain analysis:
  All transactions are visible
  Knowing the payout address allows estimates for a specific miner
Clustering wallet addresses:
  Botmasters may use different addresses for different campaigns
  Addresses used as inputs to the same transaction will be controlled by the same user
  This allows us to cluster addresses used by a single botmaster
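The clustering step written out as an added example (not the presentation's own code): the common-input heuristic from the slide as a union-find over transactions, plus the per-cluster payout estimate used once an address is known. It takes the slide's assumption that co-spent inputs share an owner as given; the transactions and addresses are constructed placeholders.

```python
# Constructed transactions (placeholder addresses, amounts in satoshi). A pool
# pays addrA and addrB; they are later spent together, so the common-input
# heuristic on the slide assigns them to one owner.
TXS = [
    {"inputs": ["pool1"], "outputs": [("addrA", 100_000_000), ("other", 500_000_000)]},
    {"inputs": ["pool1"], "outputs": [("addrB", 200_000_000)]},
    {"inputs": ["addrA", "addrB"], "outputs": [("addrC", 290_000_000)]},
    {"inputs": ["addrB", "addrE"], "outputs": [("addrF", 50_000_000)]},
    {"inputs": ["addrX"], "outputs": [("addrY", 300_000_000)]},
]


def cluster_addresses(txs):
    """Union-find over input addresses: addresses ever spent together land in
    one cluster. Returns {address: frozenset(cluster)} for every address seen
    as an input; output-only addresses carry no ownership evidence yet."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        ins = tx["inputs"]
        if not ins:  # coinbase transactions have no input addresses
            continue
        root = find(ins[0])
        for other in ins[1:]:
            parent[find(other)] = root
    groups = {}
    for addr in list(parent):
        groups.setdefault(find(addr), set()).add(addr)
    return {a: frozenset(g) for g in groups.values() for a in g}


def received_by_cluster(txs, cluster):
    """Total paid to any address in the cluster: the per-miner estimate the
    slide describes once a payout address is known. It counts every receipt,
    change included, so it over-approximates pool payouts."""
    return sum(amt for tx in txs for addr, amt in tx["outputs"] if addr in cluster)
```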

Estimating Infected Population
Contact anti-virus software vendors to obtain mining malware data
Ei: estimated bot population
Ii: number of infections in country i per vendor
Mi: number of machines in country i per vendor
Ti: number of machines in country i
This is the expected lower bound:
  Computers without antivirus from these vendors are not counted
  Estimates are only for specific binaries

Identifying Pool Proxies
Cross-login test:
  Credentials can be hidden by an HTTP proxy
  Create miner accounts in major mining pools
  If the miner account can connect through the suspected bitcoin mining proxy, then the proxy is being used for bitcoin mining
Passive DNS:
  The lifetime of a dark mining pool depends on the lifetime of the botnet
  Use passive DNS data from the ISC Security Information Exchange
Block Reversal:
  A pool will provide the same coinbase across similar workers
  This allows us to match possible bots to a pool
Leaked Data

Analysis

DLoad.asia (Redem and Darksons)
Began mining in 2011
Ended in November of 2012
Earnings:
  Darksons: 2,403 BTC
  Redem: over 10,000 BTC
Over 100,000 IPs
Population - number of infections

ZeroAccess
9,000,000 infected PCs
Began December 2011
Earnings: 400 BTC
Began mining through proxy servers, now part of Eligius
Population - number of infections

BMControl
Began mining in September 2012
Part of Eligius
Earnings
Adds 16,000 new bots per day
Average mining rate per bot: 3.75 MH/sec
Now mines for Litecoin
Population - number of infections

FeodalCash
Began mining in May 2013
Part of Eligius
Earnings: 168 BTC
Population: 62,500 infections at its peak

Fareit Bots
Began mining April 9, 2013
Used a pool proxy with the Black Hole exploit kit
Earnings: 265 BTC
Population: 12,500 infections

Zenica
Earnings:
  312,000 or more active IPs
  170 BTC in 3 months
Population:
  Prevalent in Southeast Asia
  Vietnam and Thailand account for 70% of sampled infections

HitmanUK
Botmaster launched a DDoS attack after the pool blacklisted the botnet
  Paralyzed the pool
  Prevented mining for a few hours
  Pool operator then let the botmaster back in
Began in February 2013
Earnings: 4 BTC
Adds 16,000 new bots per day
Average mining rate per bot: 3.75 MH/sec

Xfhp.ru Miner
Uses Zbot to download the Bitcoin mining plugin
Population:
  Southeast Asia
  South America

Skype Miner
Used Skype and social engineering to distribute the bot
  Sent a compromised Skype message
  If the message was clicked, the victim was taken to a webpage that downloaded an executable and attempted to install the Bitcoin mining malware
Began mining in July 2012
Earnings: 250

Miscellaneous
There are many small mining operations

Discussion

Mining Revenue
Depends on hashing rate and network difficulty
Daily Revenue:
  MH: million SHA-256 computations
  8.22 × 10^-12 MH/sec

Botnet Costs
Cost of acquiring bots
Cost associated with the monetization scheme
More information is needed for non-acquisition costs:
  Infrastructure
  Development
  Day-to-day operation

Profitability
Varies based on exchange rates
3 classes of profitability:
  Absolutely profitable: revenue exceeds cost for a botnet solely for mining
  Marginally profitable: revenue exceeds additional cost for an established botnet adding mining
  Unprofitable: mining does not cover additional costs
Bitcoin is expected to remain profitable for large botnets

Conclusion
It is possible to track the earnings of botnets because Bitcoin transactions are public
Larger botnets have earned sizable amounts of Bitcoins and have been in operation for years
Most of these are found in geographic locations with lower costs of bots
Developed a method to trace mining pool malware even when proxy servers are used to hide the pool

Epilogue

Litecoin
Decentralized virtual currency based on bitcoin
1 Litecoin = $4.19
4 times faster to produce a block when mining
Lessens the effect of specialized hardware

Questions?