Presentation on theme: "Your Botnet is My Botnet: Analysis of a Botnet Takeover"— Presentation transcript:
1 Your Botnet is My Botnet: Analysis of a Botnet Takeover Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni VignaPresented by Ryan Genato
2 Overview Introduction to Botnets, Torpig Domain Flux and “Your Botnet is My Botnet”Analysis of Torpig NetworkWhat Do You Do With 70,000 Computers?Conclusions and Future Work
3 Introduction – Terminology Bot – An application that performs some action or set of actions on behalf of a remote controllerBotnet – A network of infection machines controlled by a malicious entityCommand and Control (C&C) Channel – Used to send commands to bots, and obtain results and status messagesRespectfully lifted from Kemmerer’s presentation of the paper, a 2009 Google Tech Talk
5 Introduction – TorpigOnce Mebroot has taken hold it loads the Torpig modules from Mebroot C&C serverTorpig contacts its own C&C server for updates and to send victim information
6 Introduction – Torpig What kind of information does Torpig record? Monitoring popular applications“Man-in-the-browser” attacks31 applications were targeted, including the Service Control Manager, web browsers, FTP clients, clients, instant messengers, and system programs (cmd.exe)Man in the browser attacks would start by waiting for the victim to navigate to a website found in the configuration file, and then inject HTML onto the target page that would ask the user for sensitive information. But because it would be injected onto a legitimate page, it is hard to detect and many users would simply enter in the data. A funny story that was reported is that with PayPal, users would volunteer their sensitive information AND THEN send an to PayPal asking, “didn’t I already give you this information?”
7 Introduction – Domain Flux Correspondence with C&C server is achieved through domain flux – using a domain generation algorithm to “rotate” through rendezvous pointsAdvantages:No single point of failure (fast flux)RobustnessDisadvantagesDeterministic (this implementation)If someone can reverse engineer your DGA, they can anticipate future domain addresses…Fast flux had bots connecting to a single domain address, which was useful in that the domain could be mapped to a set of IP addresses, but was still a single point of failure.
8 Your Botnet Is My Botnet And that’s exactly what they did!Reverse engineering the DGA came up with a three week span of unregistered domainsBuy the domains, act as the C&C center, hijack the entire botnet (sinkholing)Contrast to passive analysis and previous active analysis attempts
9 Gathering Data The C&C center hijack lasted for ten days What happened to the three weeks of domains?A couple numbers:Observed a total of 182,800 peers on the Torpig botnet, 70,000 at peak activityRecorded 1,247,642 unique IP addressesLogged 8,310 accounts from 410 institutions1,660 credit cardsAfter ten days, a new Mebroot binary was distributed that included an updated DGA for Torpig. The reason why this worked was because the team at UCSB only hijacked the Torpig C&C center. The Mebroot DGA had not yet been cracked, and so the criminals still had control of Mebroot and were able to regain control of the botnet. Why they took ten days? Maybe to figure out who was hijacking them.
10 Data Analysis + Handling 173,686 unique passwords recorded, 40% cracked in less than 75 minutes28% of users exhibited password reuseWorking with FBI and National Cyber- Forensics to repatriate the stolen informationNeed a reputable organization to work things out
11 What Do You Do With 70,000 Computers? Take down the government!70,000 users, average 435 kbps (in 2008) = 17 Gbps5,635 users to take down fbi.gov and justice.gov10 Gbps to take down WikileaksDistributed password cracking
12 Conclusions and Future Work Victims of botnets pick easy to crack passwordsBetter user education, higher password standardsBotnets operating with an HTTP C&C center can be hijacked for periods of timeThere is no “off” switchImproved domain generation algorithms (top Twitter)When the team at UCSB was removed of their control of the Torpig network, it was because the DGA they had reverse engineered had been replaced by a new algorithm. It was later found that this algorithm used the daily top Twitter comment in its calculating of the next domain, making the DGA non-deterministic. Torpig went through a series of new DGAs as the old ones got cracked, which illustrates the constant struggle between attackers and defenders.
13 Works ReferencedChen, Adrian. "The Evil New Tactic Behind Anonymous' Massive Megaupload Revenge Attack." Gawker. N.p., 19 Jan Web. 23 JanGreulich, Andreas. "Torpig/Mebroot Reverse Code Engineering." . N.p., 18 Apr Web. 23 JanHoward, Rick. Cyber Fraud: Tactics, Techniques and Procedures. N.p.: Auerbach Publications, 2009.Kemmerer, Richard A. "How to Steal a Botnet and What Can Happen When You Do ." YouTube. N.p., n.d. Web. 23 Jan <http://www.youtube.com/watch?v=2GdqoQJa6r4>.Richard, Matt, and Michael Ligh. "making fun of your malware." Defcon 17. N.p., n.d. Web. 23 JanStone-Gross, Brett, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, and Martin Szydlowski. "Your botnet is my botnet: Analysis of a botnet takeover." Proceedings of the 16th ACM conference on Computer and communications security. N.p.: ACM,Vaughn-Nichols, Stephen J. "DDoS: How to take down WikiLeaks, MasterCard or any other Web site." ZDNet. N.p., 9 Dec Web. 23 Jan