Your Botnet is My Botnet: Analysis of a Botnet Takeover Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer,


1 Your Botnet is My Botnet: Analysis of a Botnet Takeover
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
Presented by Ryan Genato

2 Overview
- Introduction to Botnets, Torpig
- Domain Flux and “Your Botnet is My Botnet”
- Analysis of Torpig Network
- What Do You Do With 70,000 Computers?
- Conclusions and Future Work

3 Introduction – Terminology
- Bot – An application that performs some action or set of actions on behalf of a remote controller
- Botnet – A network of infected machines controlled by a malicious entity
- Command and Control (C&C) Channel – Used to send commands to bots, and to obtain results and status messages

4 Introduction – Mebroot
- Rootkit distributed by the Neosploit exploit kit
- Spread via drive-by downloads: a hidden iframe on a website executes obfuscated JavaScript that downloads Mebroot onto the victim’s machine
- Mebroot overwrites the machine’s master boot record, circumventing most anti-virus tools (back then)

5 Introduction – Torpig
- Once Mebroot has taken hold, it loads the Torpig modules from the Mebroot C&C server
- Torpig contacts its own C&C server for updates and to send victim information

6 Introduction – Torpig
- What kind of information does Torpig record?
  - Monitoring popular applications
  - “Man-in-the-browser” attacks

7 Introduction – Domain Flux
- Correspondence with the C&C server is achieved through domain flux – using a domain generation algorithm (DGA) to “rotate” through rendezvous points
- Advantages:
  - No single point of failure (fast flux)
  - Robustness
- Disadvantages:
  - Deterministic (in this implementation)
  - If someone can reverse engineer your DGA, they can anticipate future domain addresses…

8 Your Botnet Is My Botnet
- And that’s exactly what they did!
- Reverse engineering the DGA yielded a three-week span of unregistered domains
- Buy the domains, act as the C&C center, hijack the entire botnet (sinkholing)
  - Contrast with passive analysis and previous active analysis attempts
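Slides 7 and 8 turn on one property: a deterministic DGA makes the rendezvous domains a pure function of the date, so whoever recovers the algorithm can compute the schedule ahead of the botmaster. The example below is added here and is not code from the presentation, the paper or Torpig; the DGA is a constructed toy (SHA-256 over the date), the start date, TLD list and DNS log format are all assumptions. It shows the two defender uses of a recovered DGA: precomputing the domains that can be registered first and pointed at a sinkhole, and matching DNS query logs against that schedule to find infected clients.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Constructed toy DGA for illustration; it is NOT Torpig's real algorithm.
# What it shares with the deterministic Torpig DGA described on slide 7: the
# domains for a day are a pure function of the calendar date and a counter,
# so anyone who recovers the algorithm can compute every future domain.
TLDS = ("com", "net", "biz")            # assumed TLD rotation
START = date(2009, 1, 25)               # constructed start of the window


def daily_domains(day: date, count: int = 3) -> list[str]:
    """Return the `count` rendezvous domains a bot would try on `day`."""
    domains = []
    for i in range(count):
        seed = f"{day.isoformat()}#{i}".encode()
        digest = hashlib.sha256(seed).digest()
        # ten pseudo-random lowercase letters make a plausible-looking label
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_rendezvous(start: date, days: int) -> dict[str, date]:
    """Defender's view: every rendezvous domain from `start` for `days` days,
    mapped to the day it becomes active. Any of these the botmaster has not
    registered yet can be registered first and pointed at a sinkhole, which
    is the takeover described on slide 8."""
    schedule: dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for domain in daily_domains(day):
            schedule[domain] = day
    return schedule


def flag_dga_lookups(dns_log_lines: list[str],
                     schedule: dict[str, date]) -> list[tuple[str, str, date]]:
    """Detection: report (client, qname, active_day) for every DNS query in
    the log that names a scheduled domain. The log format is constructed for
    this example: '<timestamp> <client-ip> query <qname>'."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue                      # not a query record; skip malformed lines
        qname = parts[3].rstrip(".").lower()
        if qname in schedule:
            hits.append((parts[1], qname, schedule[qname]))
    return hits


if __name__ == "__main__":
    three_weeks = precompute_rendezvous(START, 21)     # the span slide 8 mentions
    # constructed DNS log: one lookup of a scheduled domain, one unrelated
    log = [
        f"2009-01-26T03:14:07 10.0.0.7 query {daily_domains(START + timedelta(days=1))[0]}.",
        "2009-01-26T03:14:09 10.0.0.7 query www.example.com.",
    ]
    for client, qname, day in flag_dga_lookups(log, three_weeks):
        print(f"{client} queried {qname}, scheduled for {day}")
```

The schedule is only predictable because the seed is the date; the closing slide's note on improved DGAs seeded from Twitter trends is exactly the change that breaks `precompute_rendezvous`, since the seed is no longer known in advance.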

9 Gathering Data
- The C&C center hijack lasted for ten days
  - What happened to the three weeks of domains?
- A couple of numbers:
  - Observed a total of 182,800 peers on the Torpig botnet, 70,000 at peak activity
  - Recorded 1,247,642 unique IP addresses
  - Logged 8,310 accounts from 410 institutions
  - 1,660 credit cards

10 Data Analysis + Handling
- 173,686 unique passwords recorded, 40% cracked in less than 75 minutes
- 28% of users exhibited password reuse
- Working with the FBI and National Cyber-Forensics to repatriate the stolen information
  - Need a reputable organization to work things out
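The password-reuse figure on this slide comes from grouping recovered credentials by user and checking whether one password appears at more than one site. The example below is added here and is not code from the presentation or the paper; the credential records are constructed, and the counting rule (a user counts only if they have accounts at two or more distinct sites, and "reuse" means one password shared across at least two of them) is this example's own choice, not necessarily the paper's. In a real repatriation the analysis would run over the recovered data set under the handling agreement mentioned on the slide.

```python
from collections import defaultdict

# Constructed sample of recovered credentials (user, site, password).
# The values are made up for this example and are not from the Torpig data.
SAMPLE_CREDENTIALS = [
    ("alice", "bank.example", "Tr0ub4dor&3"),
    ("alice", "mail.example", "Tr0ub4dor&3"),   # same password on two sites
    ("alice", "shop.example", "correct horse"),
    ("bob",   "bank.example", "hunter2"),
    ("bob",   "mail.example", "Hunter2!"),       # similar but distinct: not reuse
    ("carol", "mail.example", "p@ssw0rd"),       # one site only: cannot reuse
    ("dave",  "bank.example", "letmein"),
    ("dave",  "Bank.example", "letmein"),        # same site logged twice: not reuse
    ("dave",  "shop.example", "letmein"),        # reuse across bank and shop
]


def password_reuse(records):
    """Measure cross-site password reuse in a list of (user, site, password).

    Returns eligible user count (users with >= 2 distinct sites), how many of
    them reuse a password across sites, the resulting rate, and per-user
    details mapping each reused password to the sorted list of sites."""
    by_user = defaultdict(lambda: defaultdict(set))   # user -> password -> sites
    for user, site, password in records:
        by_user[user][password].add(site.lower())     # site names are case-insensitive

    eligible, reusers = 0, {}
    for user, passwords in by_user.items():
        distinct_sites = set().union(*passwords.values())
        if len(distinct_sites) < 2:
            continue                      # reuse is only meaningful across sites
        eligible += 1
        shared = {pw: sorted(sites) for pw, sites in passwords.items() if len(sites) >= 2}
        if shared:
            reusers[user] = shared

    rate = len(reusers) / eligible if eligible else 0.0
    return {
        "eligible_users": eligible,
        "reusing_users": len(reusers),
        "rate": rate,
        "details": reusers,
    }


if __name__ == "__main__":
    report = password_reuse(SAMPLE_CREDENTIALS)
    print(f"{report['reusing_users']} of {report['eligible_users']} users "
          f"reuse a password across sites ({report['rate']:.0%})")
    for user, shared in report["details"].items():
        for pw, sites in shared.items():
            print(f"  {user}: one password shared by {', '.join(sites)}")
```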

11 What Do You Do With 70,000 Computers?
- Take down the government!
  - 70,000 users, average 435 kbps (in 2008) = 17 Gbps
  - 5,635 users to take down fbi.gov and justice.gov
  - 10 Gbps to take down Wikileaks
- Distributed password cracking

12 Conclusions and Future Work
- Victims of botnets pick easy-to-crack passwords
  - Better user education, higher password standards
- Botnets operating with an HTTP C&C center can be hijacked for periods of time
  - There is no “off” switch
  - Improved domain generation algorithms (top Twitter)

13 Works Referenced
- Chen, Adrian. "The Evil New Tactic Behind Anonymous' Massive Megaupload Revenge Attack." Gawker. N.p., 19 Jan. Web. 23 Jan.
- Greulich, Andreas. "Torpig/Mebroot Reverse Code Engineering." N.p., 18 Apr. Web. 23 Jan.
- Howard, Rick. Cyber Fraud: Tactics, Techniques and Procedures. N.p.: Auerbach Publications.
- Kemmerer, Richard A. "How to Steal a Botnet and What Can Happen When You Do." YouTube. N.p., n.d. Web. 23 Jan.
- Richard, Matt, and Michael Ligh. "making fun of your malware." Defcon 17. N.p., n.d. Web. 23 Jan.
- Stone-Gross, Brett, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, and Martin Szydlowski. "Your botnet is my botnet: Analysis of a botnet takeover." Proceedings of the 16th ACM conference on Computer and communications security. N.p.: ACM.
- Vaughn-Nichols, Stephen J. "DDoS: How to take down WikiLeaks, MasterCard or any other Web site." ZDNet. N.p., 9 Dec. Web. 23 Jan.

14 Questions?
