
1 463.4 Botnets: Computer Security II, CS463/ECE424, University of Illinois

2 Overview
Discussion in two parts
– Motives and analysis techniques
– Architectures and strategies

3 463.5.1 Motives and Analysis Techniques for Botnets

4 What are Botnets?
A botnet is a collection of compromised machines (bots) remotely controlled by an attacker
They are used for various forms of illegal activity
Why the need for compromised machines?
– Save money on provisioning
– Obscure the controlling party by using the bots as stepping stones
Why the need for multiple compromised machines?
– Defending against many machines is harder: DDoS needs many sources, and per-host blacklisting cannot keep up with a changing set of bots

5 Underground Cyber-Markets
An "underground" market is one that operates outside of government regulation, often dealing in illegal goods or services
Examples: drugs, prostitution
Underground cyber-markets are those where underground commerce is carried out over the Internet

6 What's the Supply and Demand? [FranklinPPS07]

7 Internet Relay Chat (IRC) Channels
IETF protocol for message exchange (RFC 1459)
An IRC client connects to a server, identifies itself with a nickname ("nick") and joins a channel
A client can broadcast to the channel or send a private message to an individual user
The channel operator (@op) may supply supplementary services to users

8 IRC Roles for Botnets
Connect buyers and sellers
Control the botnet (command and control)
The broadcast nature of IRC lets one controller reach every bot without contacting any of them directly, which hampers tracing
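The IRC exchange described above, as an added example that is not part of the original slides or any bot's code: an RFC 1459 line parser and a heuristic that scores a channel as command-and-control when one nick issues commands and many similarly named nicks answer each one in lockstep. The log lines, the command prefixes ('.' and '!') and the generated-nick pattern are constructed assumptions, not Agobot's real command syntax.

```python
"""Parse IRC protocol lines and score channels for botnet-style command/response traffic.
Added example; the log, command prefixes and nick pattern are constructed assumptions."""
import re
from collections import defaultdict

# Assumption: herder commands start with '.' or '!' (a convention, not Agobot's syntax).
COMMAND_PREFIXES = (".", "!")
# Assumption: tool-generated nicks look like a word followed by a counter (bot001, bot002 ...).
BOT_NICK = re.compile(r"^[A-Za-z]+[0-9]{3,}$")


def parse_irc(line):
    """Split one IRC line following RFC 1459 framing:
    [':' prefix SP] command [SP params] [SP ':' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    nick = prefix.split("!", 1)[0] if prefix else None
    return {"nick": nick, "command": command, "params": params}


def score_channels(lines):
    """Per channel: distinct speakers, share of bot-like nicks, and how many distinct
    nicks answer each command line on average."""
    per_chan = defaultdict(lambda: {"nicks": set(), "cmds": 0, "replies": 0})
    answered = {}  # channel -> nicks that have replied since the last command
    for raw in lines:
        msg = parse_irc(raw)
        if msg["command"] != "PRIVMSG" or len(msg["params"]) < 2:
            continue
        target, text = msg["params"][0], msg["params"][1]
        if not target.startswith("#"):
            continue  # private message, not channel traffic
        st = per_chan[target]
        st["nicks"].add(msg["nick"])
        if text.startswith(COMMAND_PREFIXES):
            st["cmds"] += 1
            answered[target] = set()
        elif target in answered and msg["nick"] not in answered[target]:
            answered[target].add(msg["nick"])
            st["replies"] += 1
    report = {}
    for chan, st in per_chan.items():
        n = len(st["nicks"])
        botlike = sum(1 for nk in st["nicks"] if BOT_NICK.match(nk))
        report[chan] = {
            "nicks": n,
            "bot_nick_ratio": botlike / n,
            "replies_per_command": st["replies"] / st["cmds"] if st["cmds"] else 0.0,
        }
    return report


def suspicious_channels(report, min_nicks=4, min_bot_ratio=0.5, min_replies=3.0):
    """Channels where many bot-like nicks answer commands in lockstep."""
    return sorted(chan for chan, s in report.items()
                  if s["nicks"] >= min_nicks
                  and s["bot_nick_ratio"] >= min_bot_ratio
                  and s["replies_per_command"] >= min_replies)


# Constructed log: a herder drives four bots in #bots while people chat in #chat.
SAMPLE_LOG = [
    ":herder!h@10.0.0.1 PRIVMSG #bots :.scan 10.1.0.0/16 2745",
    ":bot001!w@1.1.1.1 PRIVMSG #bots :[SCAN]: scanning 10.1.0.0/16:2745",
    ":bot002!w@1.1.1.2 PRIVMSG #bots :[SCAN]: scanning 10.1.0.0/16:2745",
    ":bot003!w@1.1.1.3 PRIVMSG #bots :[SCAN]: scanning 10.1.0.0/16:2745",
    ":bot004!w@1.1.1.4 PRIVMSG #bots :[SCAN]: scanning 10.1.0.0/16:2745",
    ":alice!a@h1 PRIVMSG #chat :anyone seen the talk on DHTs?",
    ":bob!b@h2 PRIVMSG #chat :not yet, link?",
    ":herder!h@10.0.0.1 PRIVMSG #bots :.ddos 203.0.113.5 80",
    ":bot001!w@1.1.1.1 PRIVMSG #bots :[DDoS]: flooding 203.0.113.5",
    ":bot002!w@1.1.1.2 PRIVMSG #bots :[DDoS]: flooding 203.0.113.5",
    ":bot004!w@1.1.1.4 PRIVMSG #bots :[DDoS]: flooding 203.0.113.5",
    ":carol!c@h3 PRIVMSG #chat :http://example.invalid/dht",
    ":bob!b@h2 PRIVMSG #chat :thanks",
]

if __name__ == "__main__":
    report = score_channels(SAMPLE_LOG)
    for chan, s in sorted(report.items()):
        print(chan, s)
    print("suspicious:", suspicious_channels(report))
```

The heuristic deliberately needs all three signals together: a busy human channel has many nicks but no command/response rhythm, and a single bot talking to its herder has the rhythm but too few nicks. Thresholds would be tuned per network.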

9 Targeted Applications
Extortion
– Cryptoviral extortion
– DoS
Fraud (viz. identity theft)
– Bank accounts
– Credit cards
SPAM
– Direct advertising
– Fraud

10 Roles of Participants
Buyers: seek to make money off scams
Carders: provide credit card data
Cashiers: provide ways to convert stolen data and accounts into cash
Droppers: enable pick-ups of merchandise purchased with stolen credit cards
Rippers: take payment without providing the goods or service
Operators: channel owners who provide integrity services like "verified status"

11 Buyer
need fresh US Fullz Msg Me Fast If U have Am Payin E-gold.
i buy uk cc's..prv me only serios ppl 4 good dill.
Looking to buy HSBC debit with pins and CC's......

12 Carder
selling US (Visa, Master) $2, UK (Barclay) $3. e-gold only
selling us, uk fresh fulls (master & visa) $10. I accept paypal or e-gold
Am Selling US, UK Mastercard, Visa, and American Express Fulls, Fresh and 100% valid, WIth DOB, SSN, DL.

13 Cashier
i Cash Out Wells fargo, Boa, Nation Wide, Chase, WachoviA, WaMu, Citibank, Halifax Msg me.
I Cashout Skimmed Dumps + Pins 30/70 % Split i Take 30% You Take 70%.
can cashout cvv's via WU terminal agent. 500-700 $ per cvv's pvt me for more info.

14 Dropper
i drop in usa i can pick any name.
F@!k drops man, I ship to my friends house, no fee.
u will lose ur friends soon! ^^
I guess some friends are expendable!

15 Ripper
Selling software to verify your cvv2. Great for carders, payment is $10.
Selling database of 350,000 cvv2! msg me fast for good deal!!!

16 Operator
If you want verified status msg me, cost is $50.
To become verified pm any @op.

17 Market Demand and Activity
Markets are active: ~64,000 messages/day
Large volume of sensitive data: 4k SSNs, $55 million in vulnerable accounts [FranklinPPS07]

18 Pricing
Sale ads often dominate want ads
Lower barrier to entry, even for n00bs

19 Pricing
Pricing for compromised hosts varies
Significant demand for root access

20 Making Money with SPAM
IronPort claimed that, as of 2006, 80% of SPAM was sent by bots [IronPort06]
– Direct advertising
– Penny stocks
– Click fraud
– Phishing
Services available in the market:
1) Mailers
2) Targeted mailing lists
3) Scam hosting infrastructure
4) Phishing pages

21 How Do I Get My (Stolen) Money?
E-gold (Nevis, Lesser Antilles) was fined $3.7 million for "conspiracy to engage in money laundering" and the "operation of an unlicensed money transmitting business"
Western Union requires in-country initiation, and transfers over $1K require a passport, SSN or driver's license number
Drops provide an out-of-band approach
Colorful strategies: touts, gambling, Lindens (Second Life's in-game currency), etc.

22 Analyzing Bots
Examine source code
Attract compromise with a honeypot
– Honeynet Project
Observe public communications and collect statistics
– By manual analysis
– Using attribute searches
– Using machine learning
Compromise a bot and observe its activities
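One form of the "attribute search" above, as an added example that is not the FranklinPPS07 tooling: regular expressions tag each market message with the participant role it advertises (slides 10-16), the goods and payment channels it mentions, quoted prices, and any digit run that passes the Luhn check and so looks like a real card number. The messages are the ones quoted on slides 11-16 plus one constructed line carrying the well-known 4111 test number; the keyword lists are assumptions.

```python
"""Attribute search over underground-market messages. Added example; keyword lists are
assumptions and the sample is the slides' quotes plus one constructed test line."""
import re

ROLE_PATTERNS = {
    "buyer":    r"\b(need|buy|looking to buy|looking for)\b",
    "seller":   r"\bsell(ing)?\b",
    "cashier":  r"\bcash ?out\b",
    "dropper":  r"\bdrops?\b",
    "operator": r"\bverified status\b",
}
GOODS_PATTERNS = {
    "fullz": r"\bfull[sz]\b",
    "cvv":   r"\bcvv2?\b",
    "dumps": r"\bdumps\b",
    "pins":  r"\bpins?\b",
    "ssn":   r"\bssn\b",
    "dob":   r"\bdob\b",
}
PAYMENT_PATTERNS = {
    "e-gold":        r"\be-?gold\b",
    "paypal":        r"\bpaypal\b",
    "western-union": r"\b(wu|western union)\b",
}
# Matches "$2", "$ 50" and "500-700 $"
PRICE = re.compile(r"\$\s?(\d+(?:\.\d+)?)|(\d+(?:-\d+)?)\s?\$")
# 13-19 digits, optionally separated by spaces or dashes
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9 if over 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Digit runs that look like card numbers and pass Luhn (filters phone numbers etc.)."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def _tags(patterns, text):
    return {name for name, pat in patterns.items() if re.search(pat, text, re.IGNORECASE)}


def classify(text):
    """Attribute vector for one message."""
    return {
        "roles":   _tags(ROLE_PATTERNS, text),
        "goods":   _tags(GOODS_PATTERNS, text),
        "payment": _tags(PAYMENT_PATTERNS, text),
        "prices":  [a or b for a, b in PRICE.findall(text)],
        "pans":    find_pans(text),
    }


def role_counts(messages):
    """Supply/demand summary: how many messages advertise each role."""
    counts = {}
    for m in messages:
        for r in classify(m)["roles"]:
            counts[r] = counts.get(r, 0) + 1
    return counts


# Messages from slides 11-16 (spelling as posted) plus a constructed line with a test PAN.
ADS = [
    "need fresh US Fullz Msg Me Fast If U have Am Payin E-gold.",
    "i buy uk cc's..prv me only serios ppl 4 good dill.",
    "selling US (Visa, Master) $2, UK (Barclay) $3. e-gold only",
    "Am Selling US, UK Mastercard, Visa, and American Express Fulls, Fresh and 100% valid, WIth DOB, SSN, DL.",
    "I Cashout Skimmed Dumps + Pins 30/70 % Split i Take 30% You Take 70%.",
    "can cashout cvv's via WU terminal agent. 500-700 $ per cvv's pvt me for more info.",
    "i drop in usa i can pick any name.",
    "Selling database of 350,000 cvv2! msg me fast for good deal!!!",
    "If you want verified status msg me, cost is $50. To become verified pm any @op.",
    "test dump 4111 1111 1111 1111 exp 01/09, confirm before you buy",   # constructed
]

if __name__ == "__main__":
    for ad in ADS:
        print(classify(ad))
    print(role_counts(ADS))
```

Note the limit of attribute search: the ripper's ad on slide 15 classifies as a plain seller, because nothing in the text distinguishes a ripper from a carder. That separation comes only from the operator's reputation service ("verified status"), which is why the operators can charge for it.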

23 Reading List
[FranklinPPS07] Jason Franklin, Vern Paxson, Adrian Perrig and Stefan Savage, An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, CCS 2007.
[ThomasA07] Kurt Thomas and David Albrecht, Cashing Out: Exploring Underground Economies, manuscript, 2007.

24 Discussion
Assuming an IRC channel, speculate on strategies for reducing the effectiveness of the underground cyber-market.
How far can/should a honeynet go to gather information about malware?

25 463.5.2 Botnet Architectures and Strategies

26 Botnet Recruitment/Propagation
Bot code is installed on compromised machines using many different techniques
– Scan for victims with vulnerabilities
  Horizontal scans: one port across an address range
  Vertical scans: one host across a range of ports
– Look for backdoors or vulnerable software
  The Bagle and MyDoom worms left backdoors that allow arbitrary code to be executed on the machine
– Hide bot code in legitimate-looking files placed in open file shares and on peer-to-peer networks
– Send spam email with attachments infected with bot code

27 Botnet Maintenance/Control
After a computer has been compromised, the bot has several goals
– Fortify the system against other malicious attacks, so that competing malware cannot take the host
– Disable anti-virus software
– Harvest sensitive information
The attacker issues commands to the bots
– Download updates to the bot code
– Download patches that prevent other botnets from capturing the machine
– Participate in the botnet's "work": send spam and phishing email, contribute to a DDoS attack, etc.

28 IRC Botnet in a DDoS Attack [CookeJM05]

29 Case Study: Agobot [BarfordY07]
Aspects examined: architecture, botnet control mechanisms, host control mechanisms, propagation mechanisms, target exploits and attack mechanisms, malware delivery mechanisms, obfuscation methods, and deception strategies

30 Architecture
Source code was released publicly around 2002
IRC-based command and control
DoS attack library
Limited polymorphic obfuscations
Harvests PayPal passwords, AOL keys, etc.
Defends the compromised system
Anti-disassembly mechanisms
Built with good software-engineering practices

31 Botnet Control Mechanisms

32 Host Control Mechanisms

33 Propagation Mechanisms

34 Exploits and Attack Mechanisms Part 1 of 2
1. Bagle scanner: scans for backdoors left by Bagle variants on port 2745
2. Dcom scanners (1/2): scan for the well-known DCE-RPC buffer overflow
3. MyDoom scanner: scans for backdoors left by variants of the MyDoom worm on port 3127
4. DameWare scanner: scans for vulnerable versions of the DameWare network administration tool
5. NetBIOS scanner: brute-force password scanning for open NetBIOS shares
6. Radmin scanner: scans for the Radmin buffer overflow
7. MS-SQL scanner: brute-force password scanning for open SQL servers
8. Generic DDoS module
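The defender's view of slide 26's horizontal and vertical scans and of the port-specific scanners listed above, as an added example that is not from the slides or the Agobot source: over constructed connection-attempt records, group attempts by source and report sources that hit one port across many hosts (horizontal) or many ports on one host (vertical), annotating the Bagle (2745) and MyDoom (3127) backdoor ports named above. The flow records and the thresholds are assumptions.

```python
"""Classify failed connection attempts as horizontal or vertical scans.
Added example; the flow records and thresholds are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Backdoor ports the Agobot scanners probe (from the slide); other ports are reported without a note.
BACKDOOR_PORTS = {2745: "Bagle backdoor", 3127: "MyDoom backdoor"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    completed: bool  # True if the TCP handshake completed; a bare SYN is an attempt


def classify_scans(flows, horizontal_threshold=8, vertical_threshold=8):
    """Findings per source: 'horizontal' = one port across many hosts,
    'vertical' = many ports on one host. Only attempts that never completed count,
    so a client whose connections all succeed is not flagged."""
    attempts = defaultdict(list)
    for f in flows:
        if not f.completed:
            attempts[f.src].append(f)
    findings = []
    for src, fl in attempts.items():
        hosts_per_port = defaultdict(set)
        ports_per_host = defaultdict(set)
        for f in fl:
            hosts_per_port[f.dport].add(f.dst)
            ports_per_host[f.dst].add(f.dport)
        for port, hosts in hosts_per_port.items():
            if len(hosts) >= horizontal_threshold:
                findings.append({"src": src, "kind": "horizontal", "port": port,
                                 "targets": len(hosts), "note": BACKDOOR_PORTS.get(port, "")})
        for host, ports in ports_per_host.items():
            if len(ports) >= vertical_threshold:
                findings.append({"src": src, "kind": "vertical", "host": host,
                                 "targets": len(ports), "note": ""})
    return sorted(findings, key=lambda d: (d["src"], d["kind"]))


def sample_flows():
    """Constructed records: one host sweeping port 2745 across a /24, one host walking
    ports on a single server, a benign client with completed connections, one stray failure."""
    flows = []
    for i in range(1, 13):                       # horizontal: 12 hosts, port 2745
        flows.append(Flow("198.51.100.7", f"10.1.0.{i}", 2745, False))
    for port in range(20, 30):                   # vertical: 10 ports on one host
        flows.append(Flow("198.51.100.9", "10.1.0.50", port, False))
    for i in range(1, 13):                       # benign: completed handshakes to port 80
        flows.append(Flow("10.1.0.200", f"10.1.0.{i}", 80, True))
    flows.append(Flow("10.1.0.201", "10.1.0.5", 445, False))   # below threshold
    return flows


if __name__ == "__main__":
    for finding in classify_scans(sample_flows()):
        print(finding)
```

A horizontal sweep on 2745 or 3127 is a strong signal on its own, because no legitimate service listens there: a source probing those ports is looking for hosts already owned by another worm.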

35 Exploits and Attack Mechanisms Part 2 of 2

36 Malware Delivery Mechanisms
Agobot first exploits a vulnerability and uses it to open a shell on the remote host
The encoded malware binary is then uploaded using either HTTP or FTP
This separation lets one encoder serve every exploit, which streamlines the codebase and potentially diversifies the resulting bit streams

37 Obfuscation Mechanisms
A limited set of operations provides some ability to diversify the transferred file
– POLY_TYPE_XOR (XOR each byte with a key)
– POLY_TYPE_SWAP (swap consecutive bytes)
– POLY_TYPE_ROR (rotate each byte right)
– POLY_TYPE_ROL (rotate each byte left)
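The four operations above as an added example, reimplemented in Python for illustration rather than taken from Agobot's source: each is a byte-level transform with a cheap inverse, so a bot can ship a differently encoded copy of the same binary through every exploit, and a signature on the transferred bytes misses all of them. The block also shows why the slide calls this "limited": the parameter space is tiny (255 XOR keys, 7 rotation amounts, one swap), so a decoder that knows a few plaintext bytes recovers the transform by brute force. The payload bytes (an "MZ" header plus filler) and the composition order are assumptions.

```python
"""Agobot-style POLY transforms (XOR, SWAP, ROR, ROL) with inverses and a brute-force decoder.
Added example; the sample payload is constructed."""
import hashlib
import random


def _rol8(b, n):
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _ror8(b, n):
    return _rol8(b, 8 - (n % 8))


def poly_xor(data, key):
    return bytes(b ^ key for b in data)


def poly_swap(data, _=None):
    """Swap each pair of consecutive bytes; a trailing odd byte stays in place."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def poly_ror(data, n):
    return bytes(_ror8(b, n) for b in data)


def poly_rol(data, n):
    return bytes(_rol8(b, n) for b in data)


OPS = {"xor": poly_xor, "swap": poly_swap, "ror": poly_ror, "rol": poly_rol}
INVERSE = {"xor": "xor", "swap": "swap", "ror": "rol", "rol": "ror"}


def encode(data, ops):
    """Apply (name, param) operations in order, e.g. [("xor", 0x5A), ("rol", 3)]."""
    for name, param in ops:
        data = OPS[name](data, param)
    return data


def decode(data, ops):
    """Undo encode(): apply the inverse operations in reverse order."""
    for name, param in reversed(ops):
        data = OPS[INVERSE[name]](data, param)
    return data


def variants(data, count, seed=7):
    """Distinct encodings of one payload: every distinct XOR key yields a distinct file."""
    rng = random.Random(seed)
    return [encode(data, [("xor", k)]) for k in rng.sample(range(1, 256), count)]


def distinct_hashes(blobs):
    """How many different SHA-256 values a set of encoded copies presents to a hash blacklist."""
    return len({hashlib.sha256(b).hexdigest() for b in blobs})


def brute_force(encoded, known_prefix):
    """Try every single-step transform; return (op, plaintext) once the result starts
    with known_prefix. 269 candidates cover the whole one-step space."""
    candidates = ([("xor", k) for k in range(1, 256)] + [("swap", None)]
                  + [("ror", n) for n in range(1, 8)] + [("rol", n) for n in range(1, 8)])
    for op in candidates:
        plain = decode(encoded, [op])
        if plain.startswith(known_prefix):
            return op, plain
    return None


# Constructed stand-in for a bot binary: a PE-style "MZ" header followed by filler.
PAYLOAD = b"MZ\x90\x00" + b"agobot-sample-" * 4

if __name__ == "__main__":
    ops = [("xor", 0x5A), ("rol", 3), ("swap", None)]
    enc = encode(PAYLOAD, ops)
    print("sha256(plain)  ", hashlib.sha256(PAYLOAD).hexdigest()[:16])
    print("sha256(encoded)", hashlib.sha256(enc).hexdigest()[:16])
    print("round trip ok  ", decode(enc, ops) == PAYLOAD)
    print("recovered      ", brute_force(encode(PAYLOAD, [("rol", 5)]), b"MZ")[0])
```

Two practical consequences follow. A rotate-right by n is the same transform as a rotate-left by 8-n, so the brute-force decoder may report either name; what matters is that the plaintext comes back. And because the encoder only hides the bytes in transit, a signature applied after the bot decodes and writes the binary to disk is unaffected by any of the four operations.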

38 Deception Mechanisms Part 1 of 2
Deception refers to the mechanisms used to evade detection once a bot is installed on a target host
Such mechanisms are often grouped under the label "rootkit"

39 Deception Mechanisms Part 2 of 2
In Agobot the following defenses are included:
– Testing for debuggers such as OllyDbg, SoftICE and procdump
– Testing for VMware
– Killing anti-virus processes
– Altering DNS resolution for anti-virus vendors' sites to point to localhost (via the local hosts file), so signature updates cannot be fetched

40 Beyond Agobot: Evolving Botnet Structure
Original command-and-control mechanism
– Internet Relay Chat (IRC) channels
– Centralized control structure: take down the server or channel and the botnet is headless
Improved command-and-control mechanism
– Peer-to-peer (P2P) networks
– Decentralized control structure, with no single server to take down
– More difficult to dismantle than IRC botnets

41 P2P Botnets
While IRC bots simply connect to their IRC server, P2P bots must follow a series of steps to join their P2P network
The initial P2P bot code contains a list of possible peers and code that attempts to connect the bot to the P2P network
After the bot joins the network, the peer list is updated
Then the bot searches the network and downloads the secondary injection code (code that instructs the bot to send spam or perform other malicious activities)

42 Case Study: Storm Worm
First major botnet to employ a peer-to-peer command-and-control structure
Appeared in 2006, gained prominence in January 2007
Microsoft estimated 500,000 bots as of September 2007
Recruits new bots using a variety of attack vectors
– Email messages with executable attachments
– Email messages with links to infected sites
– E-card spam
Uses the computing power of compromised machines
– Sends and relays SPAM
– Hosts the exploits and binaries
– Conducts DDoS attacks on anti-spam websites and on security researchers probing the botnet

43 Social Engineering with Email Headers
Subject lines used by Storm's spam:
"230 dead as storm batters Europe"
"A killer at 11, he's free at 21 and kill again!"
"British Muslims Genocide"
"Naked teens attack home director"
"Re: Your text"
"Russian missile shot down USA satellite"
"US Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel"

44 Effectiveness of Storm [Smith08]

45 Storm Worm Botnet Infection Process
1. Victim downloads and runs the Trojan executable file
– Kernel-mode driver component wincom32.sys
– Initialization file component peers.ini
– Malware inserts itself into the services.exe process
2. Malware connects with peers on the P2P network
– Uses an initial list of 146 peers to connect to the P2P network
– Updates the peer list with close peers
– Searches for the encrypted URL of the payload
3. Malware downloads the full payload
– Decrypts the URL of the payload
– Downloads code that sends spam, participates in DDoS attacks, etc.
4. Malware executes code under the control of the botnet
– Bots can periodically search the P2P network for code updates

46 Control Architecture

47 Overnet Protocol
Overnet is a P2P protocol based on the Kademlia algorithm
It came out of the eDonkey2000 file-sharing community
Overnet and eDonkey2000 had an estimated total of 645,000 users as of 2006
Both were shut down by legal action of the RIAA in 2006

48 Distributed Hash Tables (DHT)
Kademlia, and hence also Overnet and Storm, are DHT protocols
A DHT network manages a collection of nodes that store (key, value) pairs
A DHT can support large-scale storage in a robust, decentralized system
Key concepts
– Key space partitioning: node IDs and keys share one ID space, and each node is responsible for the keys closest to its own ID (Kademlia measures closeness by XOR distance)
– Overlay network: each node keeps routing entries for a few peers at each distance range, and a lookup proceeds hop by hop toward the key
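The two key concepts above, as an added example that is a simplified simulation and not Overnet or Storm code: node and key IDs share one space, closeness is XOR distance, each node keeps a bucket of a few peers per distance range, and an iterative lookup asks the closest known nodes for closer ones until it converges on the node responsible for a key. One node then publishes a value under a key and another node, knowing only the key, finds it, which is the search step in slides 41 and 45. The ID width (32 bits instead of Kademlia's 160), k=4, the node names and the published value are assumptions.

```python
"""Minimal Kademlia-style DHT: XOR metric, k-buckets, iterative FIND_NODE, publish/lookup.
Added example; ID width, k, node names and the stored value are assumptions."""
import hashlib
import random

ID_BITS = 32   # assumption: Kademlia uses 160-bit IDs; shortened so the demo is readable
K = 4          # assumption: bucket width, i.e. how many peers a node answers with


def make_id(name):
    """Map a node name or a key string into the shared ID space."""
    return int.from_bytes(hashlib.sha1(name.encode()).digest()[:ID_BITS // 8], "big")


def distance(a, b):
    """Kademlia's XOR metric: the longer the common ID prefix, the smaller the distance."""
    return a ^ b


class Node:
    def __init__(self, nid):
        self.id = nid
        self.buckets = {}   # highest differing bit -> up to K peer IDs in that distance range
        self.store = {}     # key id -> value

    def peers(self):
        return [p for bucket in self.buckets.values() for p in bucket]

    def find_node(self, target, k=K):
        """Answer a FIND_NODE query: the k known peers closest to target."""
        return sorted(self.peers(), key=lambda p: distance(p, target))[:k]


def build_network(n_nodes, seed=1):
    """Every node gets at most K peers per k-bucket (all of them when the bucket is small)."""
    rng = random.Random(seed)
    net = {}
    for i in range(n_nodes):
        nid = make_id(f"node-{i}")
        net[nid] = Node(nid)
    for node in net.values():
        members = {}
        for other in net:
            if other != node.id:
                bit = distance(node.id, other).bit_length() - 1
                members.setdefault(bit, []).append(other)
        for bit, ids in members.items():
            node.buckets[bit] = rng.sample(ids, min(K, len(ids)))
    return net


def iterative_find(net, start, target, k=K):
    """Iterative lookup: query the k closest unqueried nodes, merge their answers,
    keep the k closest, stop when every one of them has been queried."""
    shortlist = {start} | set(net[start].find_node(target, k))
    queried = set()
    while True:
        pending = sorted((p for p in shortlist if p not in queried),
                         key=lambda p: distance(p, target))[:k]
        if not pending:
            break
        for p in pending:
            queried.add(p)
            shortlist |= set(net[p].find_node(target, k))
        shortlist = set(sorted(shortlist, key=lambda p: distance(p, target))[:k])
    return sorted(shortlist, key=lambda p: distance(p, target))


def publish(net, start, key, value):
    """Store the value on the k nodes closest to the key (key space partitioning)."""
    holders = iterative_find(net, start, make_id(key))
    for nid in holders:
        net[nid].store[make_id(key)] = value
    return holders


def lookup(net, start, key):
    """Find the value under key starting from any node, or None if nobody holds it."""
    for nid in iterative_find(net, start, make_id(key)):
        if make_id(key) in net[nid].store:
            return net[nid].store[make_id(key)]
    return None


def true_closest(net, target):
    """Brute-force reference: the globally closest node to target."""
    return min(net, key=lambda nid: distance(nid, target))


if __name__ == "__main__":
    net = build_network(64)
    a, b = make_id("node-3"), make_id("node-40")
    publish(net, a, "update-key", "secondary-injection-v1")   # one bot publishes
    print(lookup(net, b, "update-key"))                       # another bot finds it
```

The lookup converges because at every hop a node knows at least one peer that shares a longer prefix with the target than it does itself; that peer sits in the bucket for the first bit where the node and the target differ. The same property is what lets a researcher who can compute the key join the overlay and retrieve exactly what the bots retrieve, which is the defender's way into a P2P botnet.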

49 Storm Worm Botnet Anti-malware Response
Botnet variations make signature-based detection difficult
– New email subject lines and file attachment names
– Malware binary re-encoded twice per hour
Anti-malware response
– Microsoft Malicious Software Removal Tool update issued in September 2007
– Correlated with a 20% drop in the size of the Storm Worm botnet
– Shows that aggressive removal of bots can make a significant impact on the size of a botnet

50 Reading List
[CookeJM05] Evan Cooke, Farnam Jahanian and Danny McPherson, The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets, Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2005.
[BarfordY07] Paul Barford and Vinod Yegneswaran, An Inside Look at Botnets, in Malware Detection (Advances in Information Security), Springer, 2007.
[Smith08] Brad Smith, A Storm (Worm) Is Brewing, IEEE Computer, vol. 41, no. 2, pp. 20-22, February 2008.

51 Discussion
Botnets seem like a major challenge today. How long do you think they will continue as a problem?
Storm represents a cross-over between the file-sharing community and the underground cyber-market (viz. SPAM). Conjecture on similar synergies that might emerge in the future.
