
Botcoin: Monetizing Stolen Cycles UC San Diego and George Mason University Presented By: Amanda Watson CSCI 780: Advanced Network Security.




1 Botcoin: Monetizing Stolen Cycles UC San Diego and George Mason University Presented By: Amanda Watson CSCI 780: Advanced Network Security

2 Outline: Introduction, Related Work, Background, Methodology, Analysis, Discussion, Conclusion, Epilogue

3 Bots
- Send spam, commit click fraud, launch DoS attacks, steal user data
- Botmaster: uses bots to extract value from the above actions
- Botnet: compromised computers under the control of the botmaster
- Demand for a bot determines its value
- Security evolution depends on the demand

4 Bitcoin Mining
- Repeatedly computing the SHA-256 cryptographic hash function over a large range of values
- State-space search
- Can be conducted in parallel
- Botmaster can add bitcoin mining to the current activities of his botnet without interfering with the others
- Pro: potentially lucrative depending on the number of bots
- Con: easier to detect than other activities

5 Outline: Introduction, Related Work, Background, Methodology, Analysis, Discussion, Conclusion, Epilogue

6 Related Work
- Analysis of the transactions in the Bitcoin network
  - Measures activity
  - Tests the limits of anonymity
- Analysis of the Silk Road (underground drug market)
  - Shut down October 13, 2013
- Bitcoin mining can be "gamed" by an appropriately powerful adversary
  - Can disrupt the Bitcoin economy
- Profitable malware
  - Pay-per-install, fake anti-virus, click fraud

7 Outline: Introduction, Related Work, Background, Methodology, Analysis, Discussion, Conclusion, Epilogue

8 Bitcoin
- Proposed by Satoshi Nakamoto in 2008
- Not backed by any government
- Purely a peer-to-peer virtual currency
- Bitcoins are acquired through mining
- Transactions are public through the blockchain
  - Public ledger maintained by a peer-to-peer network

9 Bitcoin
- 1 Bitcoin = $402.53

10 Bitcoin Mining
- Miner receives valid transactions through the peer-to-peer network
- Groups them into blocks
  - Set of transactions
  - Header containing a hash of the previous block and a nonce
- Computes a SHA-256 hash value of the block
- If the value has the correct number of leading zeros
  - Miner passes it on to others to verify
  - Coinbase: pays transaction fees and the block reward
- If the value does not have the correct number of leading zeros
  - Repeat the process

11 Pooled Mining
- Combine the mining power of many individual miners and pay out a small amount for work completed
- Pool server manages pending transactions
  - Provides the starting point to workers
- Workers mine the blocks
  - Report results to the server
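As an added illustration of slides 10 and 11 (not code from the presentation or the paper), the Python below searches the nonce of a simplified block header the way a pool worker does, checking each hash against an easier pool "share" target and leaving the network-target check to the pool. The previous hash, merkle root, timestamp and both targets are constructed values far easier than the real network's.

```python
import hashlib
import struct

def double_sha256(data: bytes) -> bytes:
    """Bitcoin's block hash is SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def target_from_bits(bits: int) -> int:
    """Expand the compact 'bits' field of a header into the full 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0xFFFFFF
    return mantissa << (8 * (exponent - 3))

def build_header(prev_hash: bytes, merkle_root: bytes, timestamp: int, bits: int, nonce: int) -> bytes:
    """Serialize the 80-byte header: version 2, previous block hash, merkle root, time, bits, nonce."""
    return (struct.pack("<I", 2) + prev_hash[::-1] + merkle_root[::-1]
            + struct.pack("<III", timestamp, bits, nonce))

def header_hash_value(header: bytes) -> int:
    """Read the double-SHA-256 digest as a little-endian integer, the form Bitcoin compares to the target."""
    return int.from_bytes(double_sha256(header), "little")

def meets_target(header: bytes, bits: int) -> bool:
    """True when the hash is at or below the target: slide 10's 'correct number of leading zeros'."""
    return header_hash_value(header) <= target_from_bits(bits)

def mine(prev_hash, merkle_root, timestamp, network_bits, share_bits, max_nonce):
    """Iterate the nonce as a pool worker does on the work it was handed. Returns (nonce, hash_hex)
    for the first nonce meeting the easier pool share target; the pool then checks with meets_target()
    whether the same header also meets the network target and is a real block."""
    share_target = target_from_bits(share_bits)
    for nonce in range(max_nonce):
        header = build_header(prev_hash, merkle_root, timestamp, network_bits, nonce)
        value = header_hash_value(header)
        if value <= share_target:
            return nonce, value.to_bytes(32, "big").hex()
    return None

# Constructed inputs: an all-zero previous hash, a made-up merkle root and targets far easier
# than the real network's, so the search finishes in a few thousand hashes.
PREV_HASH = bytes(32)
MERKLE_ROOT = bytes(range(32))
TIMESTAMP = 1382054400
NETWORK_BITS = 0x1F00FFFF   # about 16 zero bits required
SHARE_BITS = 0x1F0FFFFF     # about 12 zero bits: the pool's share target
if __name__ == "__main__":
    nonce, digest = mine(PREV_HASH, MERKLE_ROOT, TIMESTAMP, NETWORK_BITS, SHARE_BITS, 1 << 22)
    header = build_header(PREV_HASH, MERKLE_ROOT, TIMESTAMP, NETWORK_BITS, nonce)
    print(f"share found at nonce {nonce}: {digest}")
    print("also a valid block:", meets_target(header, NETWORK_BITS))
```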

12 Botnet Mining
- Use an existing or newly created botnet to mine for bitcoins
- Direct Pool Mining
  - Distribute a mining executable with a wrapper script that specifies mining parameters
  - Generally banned by mining pools
- Proxied Pool Mining
  - Proxy connections through a controlled server
  - Requires additional infrastructure
- Dark Pool Mining
  - Botmaster maintains a pool server
  - Bots connect to his pool
  - Limited to the number of bots he controls

13 Outline: Introduction, Related Work, Background, Methodology, Analysis, Discussion, Conclusion, Epilogue

14 Methodology
- Goals:
  - Identify mining malware
  - Identify the size of the infected population
  - Identify the value of the bitcoins extracted
- Methodology
  - Identify Mining Malware
  - Extract Mining Credentials
  - Estimate Earnings
  - Estimate Infected Population
  - Identify Pool Proxies

15 Identifying Mining Malware
- All mining malware uses the HTTP-based getwork protocol
  - Use this to identify mining malware with a network trace
- To get the network traffic of various malware
  - Execute the binaries in a malware execution environment
  - Use data from public and private sandboxes that provide information and logs of the actions of the binaries
- If the binary is requesting access to a bitcoin pool server, it is being used for bitcoin mining

16 Extracting Mining Credentials
- Mining software is generally generic
  - Credentials are passed on the command line
- Extract the credentials:
  - Command-line arguments: extract the credentials from the packaged binary
  - HTTP basic authentication: extract credentials from a network trace
  - Command-and-control channel: credentials are contained in a Dropbox or Pastebin file
  - Reverse engineer the malware and use memory snapshots of the de-obfuscated payload
  - Pool operators: public pool operators provide lists of user names and wallet addresses
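An added example (not from the presentation or the paper) of the detection step on slides 15 and 16: scan a sandbox network trace for the JSON-RPC getwork calls that mining software makes, and pull the pool host and worker name out of the HTTP basic-authentication header, which is what ties a sample to a pool account. The trace, pool host names and worker credential are constructed.

```python
import base64
import json
import re

WORKER_AUTH = base64.b64encode(b"pooluser.rig01:x").decode()   # constructed worker credential
SAMPLE_TRACE = (   # constructed: one getwork call with basic auth, then two non-mining requests
    "POST / HTTP/1.1\r\nHost: pool.example.invalid:8332\r\n"
    f"Authorization: Basic {WORKER_AUTH}\r\nContent-Type: application/json\r\n\r\n"
    '{"method": "getwork", "params": [], "id": 1}\r\n'
    "GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
    "POST /rpc HTTP/1.1\r\nHost: api.example.invalid\r\nContent-Type: application/json\r\n\r\n"
    '{"method": "ping", "params": [], "id": 2}\r\n'
)
REQUEST_LINE = re.compile(r"^(GET|POST) \S+ HTTP/1\.[01]$")

def split_requests(trace: str) -> list:
    """Cut a client-side HTTP trace into requests: request line, lower-cased header dict, body."""
    requests, current = [], {"request_line": "", "headers": {}, "body": "", "in_body": True}
    for line in trace.split("\r\n"):
        if REQUEST_LINE.match(line):                       # a new request starts here
            current = {"request_line": line, "headers": {}, "body": "", "in_body": False}
            requests.append(current)
        elif current["in_body"]:
            current["body"] += line
        elif line == "":                                   # blank line ends the header block
            current["in_body"] = True
        elif ":" in line:
            name, _, value = line.partition(":")
            current["headers"][name.strip().lower()] = value.strip()
    return requests

def find_getwork_requests(trace: str) -> list:
    """Flag JSON-RPC 'getwork' POSTs and pull the pool host and worker credentials from basic auth."""
    hits = []
    for req in split_requests(trace):
        try:
            body = json.loads(req["body"])                 # GETs have no body and fail to parse
        except ValueError:
            continue
        if not isinstance(body, dict) or body.get("method") != "getwork":
            continue
        user = password = None
        auth = req["headers"].get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                pass                                       # malformed credential: keep the hit anyway
        hits.append({"host": req["headers"].get("host"), "user": user, "password": password})
    return hits
```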

17 Earnings
- Mapping miners to wallet addresses
  - Contact the pool operators to ask for the information
- Publicly visible pool statistics
  - Some pools provide public leaderboards
- Blockchain analysis
  - All transactions are visible
  - Knowing the payout address allows estimates for a specific miner
- Clustering wallet addresses
  - Botmasters may use different addresses for different campaigns
  - Addresses used as inputs to the same transaction will be controlled by the same user
  - This allows us to cluster addresses used by a single botmaster
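An added example of slide 17's clustering and earnings estimate (not code from the paper): union-find over the multi-input heuristic, then summing the payouts that a known pool address sent to the resulting cluster. The ledger, addresses and amounts are constructed; the heuristic is defeated by CoinJoin-style transactions that mix inputs from several users, which the example does not handle.

```python
from collections import defaultdict

class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""
    def __init__(self):
        self.parent = {}
    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]   # path halving
            a = self.parent[a]
        return a
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def cluster_by_inputs(transactions):
    """Multi-input heuristic from slide 17: every input address of one transaction is assumed to be
    controlled by the same user, so link all inputs of each transaction together."""
    uf = UnionFind()
    for tx in transactions:
        for addr in tx["inputs"]:
            uf.union(tx["inputs"][0], addr)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return [frozenset(c) for c in clusters.values()]

def cluster_containing(clusters, addr):
    """Return the cluster holding addr, or a singleton if the address never appeared as an input."""
    return next((c for c in clusters if addr in c), frozenset({addr}))

def cluster_earnings(transactions, cluster, payer):
    """Sum the BTC that transactions spending from `payer` (e.g. a pool payout address) sent to the cluster."""
    return sum(v for tx in transactions if payer in tx["inputs"]
               for a, v in tx["outputs"] if a in cluster)

# Constructed ledger: placeholder addresses, amounts in BTC. The botmaster's payouts land on
# addrA and addrC, which are tied together only because addrB is spent alongside each of them.
POOL = "pool_payout_addr"
SAMPLE_TXS = [
    {"inputs": [POOL], "outputs": [("addrA", 1.5), ("addrD", 0.25)]},    # payout round 1
    {"inputs": ["addrA", "addrB"], "outputs": [("exchange1", 1.4)]},      # A and B spent together
    {"inputs": [POOL], "outputs": [("addrC", 2.0), ("addrE", 0.5)]},      # payout round 2
    {"inputs": ["addrB", "addrC"], "outputs": [("exchange1", 2.0)]},      # B and C spent together
    {"inputs": ["addrE", "addrF"], "outputs": [("exchange2", 0.4)]},      # an unrelated miner
]
if __name__ == "__main__":
    clusters = cluster_by_inputs(SAMPLE_TXS)
    botmaster = cluster_containing(clusters, "addrA")
    print(sorted(botmaster), cluster_earnings(SAMPLE_TXS, botmaster, POOL))
```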

18 Estimating Infected Population
- Contact anti-virus software vendors to obtain mining malware data
  - E_i: estimated bot population
  - I_i: number of infections in country i per vendor
  - M_i: number of machines in country i per vendor
  - T_i: number of machines in country i
- This is the expected lower bound
  - Computers without antivirus from these vendors are not counted
  - Estimates are only for specific binaries

19 Identifying Pool Proxies
- Cross-login test
  - Credentials can be hidden by an HTTP proxy
  - Create miner accounts in major mining pools
  - If the miner account can connect through the suspected proxy, then the proxy is being used for bitcoin mining
- Passive DNS
  - The lifetime of a dark mining pool depends on the lifetime of the botnet
  - Use passive DNS data from the ISC Security Information Exchange
- Block Reversal
  - A pool will provide the same coinbase across similar workers
  - This allows us to match possible bots to a pool
- Leaked Data

20 Outline: Introduction, Related Work, Background, Methodology, Analysis, Discussion, Conclusion, Epilogue

21 DLoad.asia (Redem and Darksons)
- Began mining in 2011
- Ended in November of 2012
- Earnings
  - Darksons: 2,403 BTC
  - Redem: over 10,000 BTC
- Over 100,000 IPs
- Population: number of infections

22 ZeroAccess
- 9,000,000 infected PCs
- Began December 2011
- Earnings: 400 BTC
- Began mining through proxy servers, now a part of Eligius
- Population: number of infections

23 BMControl
- Began mining in September 2012
- Part of Eligius
- Earnings
  - Adds 16,000 new bots per day
  - Average mining rate per bot: 3.75 MH/sec
  - Now mines for Litecoin
- Population: number of infections

24 FeodalCash
- Began mining in May 2013
- Part of Eligius
- Earnings: 168 BTC
- Population: 62,500 infections at its peak

25 Fareit Bots
- Began mining April 9, 2013
- Used a pool proxy with the Blackhole exploit kit
- Earnings: 265 BTC
- Population: 12,500 infections

26 Zenica
- Earnings
  - 312,000 or more active IPs
  - 170 BTC in 3 months
- Population
  - Prevalent in Southeast Asia
  - Vietnam and Thailand account for 70% of sampled infections

27 HitmanUK
- Botmaster launched a DDoS attack after the pool blacklisted the botnet
  - Paralyzed the pool
  - Prevented mining for a few hours
  - Pool operator then let the botmaster back in
- Began in February 2013
- Earnings: 4 BTC
- Adds 16,000 new bots per day
- Average mining rate per bot: 3.75 MH/sec

28 Xfhp.ru Miner
- Uses Zbot to download the Bitcoin mining plugin
- Population
  - Southeast Asia
  - South America

29 Skype Miner
- Used Skype and social engineering to distribute the bot
  - Sent a compromised Skype message
  - If the message was clicked, the victim was taken to a webpage that downloaded an executable and attempted to install the Bitcoin mining malware
- Began mining in July 2012
- Earnings: 250

30 Miscellaneous
- There are many small mining operations

31 Outline: Introduction, Related Work, Background, Methodology, Analysis, Discussion, Conclusion, Epilogue

32 Mining Revenue
- Depends on hashing rate and network difficulty
- Daily Revenue:
  - MH: million SHA-256 computations
  - 8.22 × 10^-12 MH/sec

33 Botnet Costs
- Cost of acquiring bots
- Cost associated with the monetization scheme
- More information is needed for non-acquisition costs:
  - Infrastructure
  - Development
  - Day-to-day operation

34 Profitability
- Varies based on exchange rates
- 3 classes of profitability
  - Absolutely profitable: revenue exceeds cost for a botnet built solely for mining
  - Marginally profitable: revenue exceeds the additional cost for an established botnet adding mining
  - Unprofitable: mining does not cover the additional costs
- Bitcoin is expected to remain profitable for large botnets
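An added worked example of slides 32 to 34, not from the presentation: the expected-value revenue formula (a block at difficulty D takes D × 2^32 hashes on average, the standard Bitcoin expectation rather than the slide's constant) applied to the slides' 3.75 MH/sec per bot and $402.53 exchange rate, with the result sorted into slide 34's three profitability classes. The bot count, the network difficulty and both cost figures are assumed.

```python
SECONDS_PER_DAY = 86400
BLOCK_REWARD_BTC = 25.0   # block subsidy during the period the study covers (2013 to early 2014)

def expected_daily_btc(hashrate_hps: float, difficulty: float, reward_btc: float = BLOCK_REWARD_BTC) -> float:
    """Expected block reward per day. At difficulty D a block takes D * 2**32 hashes on average,
    so a miner's expected share of the day's blocks is the hashes it computes divided by that."""
    hashes_per_day = hashrate_hps * SECONDS_PER_DAY
    return hashes_per_day / (difficulty * 2 ** 32) * reward_btc

def botnet_daily_revenue_usd(bots: int, per_bot_mhps: float, difficulty: float, btc_usd: float) -> float:
    """Revenue for `bots` machines each hashing at `per_bot_mhps` MH/s, converted at btc_usd."""
    return expected_daily_btc(bots * per_bot_mhps * 1e6, difficulty) * btc_usd

def profitability_class(revenue_usd: float, acquisition_cost_usd: float, mining_overhead_usd: float) -> str:
    """Slide 34's three classes, with all three figures taken over the same period:
    absolutely profitable: revenue covers acquiring the bots and running the mining;
    marginally profitable: revenue covers only the extra cost of adding mining to an existing botnet;
    unprofitable: revenue does not even cover that extra cost."""
    if revenue_usd > acquisition_cost_usd + mining_overhead_usd:
        return "absolutely profitable"
    if revenue_usd > mining_overhead_usd:
        return "marginally profitable"
    return "unprofitable"

if __name__ == "__main__":
    # Constructed scenario: 10,000 bots at the slides' 3.75 MH/sec per bot and $402.53 per BTC;
    # the difficulty of 1,000,000 and the two cost figures are assumed, not from the slides.
    revenue = botnet_daily_revenue_usd(10_000, 3.75, 1_000_000, 402.53)
    print(f"daily revenue: ${revenue:,.2f}")
    print(profitability_class(revenue, acquisition_cost_usd=10_000, mining_overhead_usd=100))
```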

35 Outline: Introduction, Related Work, Background, Methodology, Analysis, Discussion, Conclusion, Epilogue

36 Conclusion
- It is possible to track the earnings of botnets because Bitcoin transactions are public
- Larger botnets have earned sizable amounts of Bitcoin and have been in operation for years
- Most of these are found in geographic locations with lower costs of bots
- Developed a method to trace mining-pool malware even when proxy servers are used to hide the pool

37 Outline: Introduction, Related Work, Background, Methodology, Analysis, Discussion, Conclusion, Epilogue

38 Litecoin
- Decentralized virtual currency based on bitcoin
- 1 litecoin = $4.19
- 4 times faster to produce a block when mining
- Lessens the effect of specialized hardware

39 Questions?

