Botcoin: Monetizing Stolen Cycles (UC San Diego and George Mason University). Presented by: Amanda Watson, CSCI 780: Advanced Network Security.

Outline  Introduction  Related Work  Background  Methodology  Analysis  Discussion  Conclusion  Epilogue

Bots  Send spam, commit click fraud, launch DoS attacks, steal user data  Botmaster: the operator who uses bots to extract value from those actions  Botnet: the set of compromised computers under the botmaster's control  A bot's value is set by the demand for what it can do  How bot security evolves depends on that demand

Bitcoin Mining  Repeatedly computing the SHA-256 cryptographic hash function over a large range of inputs  A state-space search  Embarrassingly parallel, so it spreads naturally across many machines  A botmaster can add mining to a botnet's existing activities without interfering with them  Pro: potentially lucrative, depending on the number of bots  Con: easier to detect than other bot activities

Related Work  Analyses of transactions in the Bitcoin network: measuring activity and testing the limits of its anonymity  Analysis of Silk Road (underground drug market), shut down by the FBI in October 2013  Bitcoin mining can be gamed by a sufficiently powerful adversary, which can disrupt the Bitcoin economy  Profitable malware: pay-per-install, fake anti-virus, click fraud

Bitcoin  Proposed by Satoshi Nakamoto in 2008  Not backed by any government  A purely peer-to-peer virtual currency  New bitcoins are created through mining  Transactions are public: they are recorded in the blockchain, a public ledger maintained by the peer-to-peer network

Bitcoin  1 BTC = $402.53

Bitcoin Mining  The miner receives valid transactions over the peer-to-peer network  It groups them into a block: a set of transactions plus a header containing the hash of the previous block and a nonce  It computes the (double) SHA-256 hash of the block header  If the hash has the required number of leading zeros (i.e. falls below the current target), the miner broadcasts the block for the other nodes to verify; the block's coinbase transaction pays the miner the transaction fees and the block reward  Otherwise the miner changes the nonce and repeats

Pooled Mining  Combines the mining power of many individual miners and pays each a small amount for the work it completes  The pool server manages pending transactions and hands each worker a starting point (a work unit)  Workers search the nonce space for that work  Workers report their results (shares) back to the server
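The two slides above describe the search a solo miner performs and how a pool credits work. The following is an added example, not code from the Botcoin paper or the talk: a toy miner that hashes a Bitcoin-style 80-byte header with double SHA-256 and walks the nonce until the hash falls below a target, plus the worker-side view of pooled mining where an easier share target lets the pool credit work that rarely finds a full block. The previous-block hash, merkle root, and timestamp are constructed placeholders, and the difficulty model (leading zero bits, hash read as a big-endian integer) is a simplification of Bitcoin's compact target encoding and little-endian comparison.

```python
"""Toy proof-of-work miner in the style of Bitcoin's block header hashing.
Added example, not code from the Botcoin paper. The header layout follows
Bitcoin's 80-byte header; the difficulty model (required leading zero bits,
hash compared as a big-endian integer) is a simplification."""
import hashlib
import struct

# Constructed inputs: a zeroed previous-block hash and a fake merkle root.
PREV_HASH = bytes(32)
MERKLE_ROOT = hashlib.sha256(b"constructed coinbase transaction").digest()
TIMESTAMP = 1389000000          # arbitrary fixed time so results are reproducible
BITS = 0x1D00FFFF               # placeholder compact-target field, unused by this toy


def double_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target(zero_bits: int) -> int:
    """A hash is valid when, read as a 256-bit integer, it is below this target.
    Each extra required leading zero bit halves the target, i.e. doubles the work."""
    return 1 << (256 - zero_bits)


def serialize_header(nonce: int, prev_hash: bytes = PREV_HASH,
                     merkle_root: bytes = MERKLE_ROOT) -> bytes:
    # version | prev hash | merkle root | time | bits | nonce  (80 bytes, little-endian ints)
    return (struct.pack("<I", 2) + prev_hash + merkle_root
            + struct.pack("<III", TIMESTAMP, BITS, nonce))


def header_hash_int(nonce: int) -> int:
    return int.from_bytes(double_sha256(serialize_header(nonce)), "big")


def mine(zero_bits: int, max_nonce: int = 1 << 24):
    """Solo mining: walk the nonce space until the header hash meets the block target.
    Returns the winning nonce, or None if the range is exhausted."""
    tgt = target(zero_bits)
    for nonce in range(max_nonce):
        if header_hash_int(nonce) < tgt:
            return nonce
    return None


def verify(nonce: int, zero_bits: int) -> bool:
    """What every other node does with a received block: one hash, no search."""
    return header_hash_int(nonce) < target(zero_bits)


def pooled_shares(share_bits: int, block_bits: int, nonce_range: range):
    """Pool worker view: the pool hands out a header and a nonce range, the worker
    reports every nonce meeting the easier share target, and the pool credits those
    shares; a share that also meets the block target is a real block for the pool."""
    shares, blocks = [], []
    for nonce in nonce_range:
        h = header_hash_int(nonce)
        if h < target(share_bits):
            shares.append(nonce)
            if h < target(block_bits):
                blocks.append(nonce)
    return shares, blocks


if __name__ == "__main__":
    n = mine(16)
    print("block nonce", n, "hash", double_sha256(serialize_header(n)).hex())
    s, b = pooled_shares(8, 16, range(0, n + 1))
    print(len(s), "shares reported,", len(b), "of them solved the block")
```

Sixteen leading zero bits need about 65,000 hashes on average, which runs in well under a second in CPython; each additional bit doubles that, which is the whole reason a botmaster wants many machines searching disjoint nonce ranges in parallel. The share/block split is also why a pool can judge a worker's hash rate from its shares alone: in the run above the worker reports roughly 256 shares for every block it actually finds.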

Botnet Mining  Use an existing or newly created botnet to mine bitcoins  Direct pool mining: distribute a mining executable with a wrapper script that specifies the pool and credentials; generally banned by mining pools  Proxied pool mining: bots connect through a proxy server the botmaster controls, which hides the pool and credentials from the bot; requires additional infrastructure  Dark pool mining: the botmaster runs his own pool server and his bots connect to it; its hash rate is limited to the bots he controls

Methodology  Goals: identify mining malware; estimate the size of the infected population; estimate the value of the bitcoins extracted  Steps: identify mining malware; extract mining credentials; estimate earnings; estimate the infected population; identify pool proxies

Identifying Mining Malware  Mining malware of the period talks to its pool with the HTTP-based getwork protocol (JSON-RPC over HTTP)  A network trace can therefore identify mining malware  To obtain the traffic of candidate samples, execute the binaries in a malware execution environment  Use data from public and private sandboxes that log the binaries' actions  A binary that sends getwork requests to a Bitcoin pool server is being used for mining

Extracting Mining Credentials  The mining component is usually stock, generic mining software  Credentials are passed to it on the command line  Ways to extract them: from the command-line arguments packaged in the binary; from the HTTP basic authentication header in a network trace; from the command-and-control channel, where the credentials are fetched from a Dropbox or Pastebin file; by reverse engineering the malware and taking memory snapshots of the de-obfuscated payload; from pool operators (public pools publish lists of user names and wallet addresses)
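The two methodology slides above (identifying getwork traffic, then pulling the pool credentials out of the trace or the miner's command line) can be automated over sandbox output. The following is an added example, not tooling from the paper: it parses a constructed HTTP trace, flags JSON-RPC getwork/getblocktemplate calls (and the `X-Mining-Extensions` header that getwork miners send), decodes the HTTP basic-auth credentials, and separately parses a stock cgminer/minerd-style command line for its `-o/-u/-p` pool options. The hostnames, worker names and passwords are hypothetical.

```python
"""Spotting getwork-based mining traffic and the pool credentials it carries.
Added example; the traffic below is constructed, and the hostnames, worker
names and passwords are hypothetical."""
import base64
import json
import shlex

MINING_RPC_METHODS = {"getwork", "getblocktemplate"}


def _basic(user_pass: str) -> str:
    return "Basic " + base64.b64encode(user_pass.encode()).decode()


# Constructed trace: (destination host, raw HTTP request) pairs as a sandbox might log them.
TRACE = [
    ("pool.example",
     "POST / HTTP/1.1\r\nHost: pool.example:8332\r\n"
     f"Authorization: {_basic('botmaster.w3:x')}\r\n"
     "X-Mining-Extensions: midstate\r\nContent-Type: application/json\r\n\r\n"
     '{"method": "getwork", "params": [], "id": 1}'),
    ("cdn.example",
     "GET /update.bin HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),
    ("proxy.example",                                   # proxied pool mining: pool hidden, creds not
     "POST /rpc HTTP/1.1\r\nHost: proxy.example:8337\r\n"
     f"Authorization: {_basic('worker_17:pw')}\r\n\r\n"
     '{"method": "getwork", "params": [], "id": 2}'),
    ("api.example",                                     # ordinary JSON-RPC, not mining
     "POST /v1 HTTP/1.1\r\nHost: api.example\r\nContent-Type: application/json\r\n\r\n"
     '{"method": "ping", "params": [], "id": 3}'),
]


def parse_http_request(raw: str):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def basic_auth_credentials(headers):
    """Decode 'Authorization: Basic base64(user:password)'; None if absent or malformed."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def classify_request(host, raw):
    """Return pool/credential details if the request looks like getwork mining, else None."""
    method, _path, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        rpc = {}
    is_mining = rpc.get("method") in MINING_RPC_METHODS or "x-mining-extensions" in headers
    if not is_mining:
        return None
    creds = basic_auth_credentials(headers)
    return {
        "pool": headers.get("host", host),
        "rpc_method": rpc.get("method"),
        "user": creds[0] if creds else None,
        "password": creds[1] if creds else None,
    }


def find_mining_sessions(trace):
    return [r for r in (classify_request(h, raw) for h, raw in trace) if r]


def parse_miner_cmdline(cmdline: str):
    """Pull the pool URL and credentials out of a stock miner invocation
    (cgminer/minerd style -o/-u/-p, also --url/--user/--pass, with or without '=')."""
    flags = {"-o": "url", "--url": "url", "-u": "user", "--user": "user",
             "-p": "password", "--pass": "password"}
    argv = shlex.split(cmdline)
    found = {}
    for i, tok in enumerate(argv):
        if tok in flags and i + 1 < len(argv):
            found[flags[tok]] = argv[i + 1]
        elif "=" in tok:
            name, value = tok.split("=", 1)
            if name in flags:
                found[flags[name]] = value
    return found


if __name__ == "__main__":
    for session in find_mining_sessions(TRACE):
        print(session)
    print(parse_miner_cmdline("minerd -a sha256d -o http://pool.example:8332 -u botmaster.w3 -p x"))
```

The second trace entry is what proxied pool mining looks like from the bot: the credentials are visible but the host is the botmaster's proxy, not a pool, which is exactly the case the cross-login test on a later slide is designed to resolve.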

Earnings  Mapping miners to wallet addresses: ask the pool operators; use publicly visible pool statistics (some pools provide public leaderboards)  Blockchain analysis: all transactions are visible, so knowing a payout address allows estimating a specific miner's earnings  Clustering wallet addresses: botmasters may use different addresses for different campaigns; addresses used as inputs to the same transaction are assumed to be controlled by the same user, so they can be clustered into one botmaster's address set
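The common-input heuristic described above is easy to implement with a union-find structure, and once a botmaster's addresses are clustered the earnings estimate is a sum over payouts into the cluster. The following is an added example, not code from the paper: the ledger excerpt is constructed, the addresses are labels rather than real Bitcoin addresses, and amounts are in satoshi (1 BTC = 100,000,000 satoshi). It also shows why the income sum must skip the cluster's own transactions, since change and consolidation outputs would otherwise be double-counted.

```python
"""Clustering wallet addresses with the common-input heuristic and summing a
cluster's incoming payouts. Added example; the ledger, addresses and amounts
below are constructed (satoshi units)."""

# Constructed ledger excerpt. Each tx: inputs = addresses spent, outputs = (address, satoshi).
TXS = [
    {"id": "t1", "inputs": ["POOL"], "outputs": [("A", 150_000_000)]},          # pool payout to A
    {"id": "t2", "inputs": ["POOL"], "outputs": [("C", 200_000_000)]},          # pool payout to C
    {"id": "t3", "inputs": ["A", "B"],                                           # A and B co-spend
     "outputs": [("X", 90_000_000), ("B", 50_000_000)]},                         #   with change back to B
    {"id": "t4", "inputs": ["B", "C"], "outputs": [("Y", 100_000_000)]},         # B and C co-spend
    {"id": "t5", "inputs": ["POOL"], "outputs": [("D", 30_000_000)]},           # unrelated miner D
    {"id": "t6", "inputs": ["C"], "outputs": [("A", 10_000_000)]},              # internal shuffle, not income
]


class DisjointSet:
    """Union-find with path halving; keys are created on first use."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_addresses(txs):
    """Common-input heuristic: every address spent in the same transaction is
    merged into one cluster. Only addresses that ever appear as inputs are placed;
    output-only addresses cannot be linked by this rule."""
    ds = DisjointSet()
    for tx in txs:
        ins = tx["inputs"]
        for addr in ins:
            ds.find(addr)               # register singletons too
        for addr in ins[1:]:
            ds.union(ins[0], addr)
    groups = {}
    for addr in list(ds.parent):
        groups.setdefault(ds.find(addr), set()).add(addr)
    return sorted(groups.values(), key=lambda s: sorted(s))


def cluster_of(clusters, addr):
    for c in clusters:
        if addr in c:
            return c
    return {addr}


def cluster_income(txs, cluster):
    """Sum value paid into the cluster from outside it. Transactions spent by the
    cluster itself are skipped so that change and consolidation outputs (t3, t6)
    are not counted as earnings."""
    total = 0
    for tx in txs:
        if any(i in cluster for i in tx["inputs"]):
            continue
        total += sum(v for addr, v in tx["outputs"] if addr in cluster)
    return total


if __name__ == "__main__":
    clusters = cluster_addresses(TXS)
    botmaster = cluster_of(clusters, "A")
    print("botmaster cluster:", sorted(botmaster))
    print("earned: %.8f BTC" % (cluster_income(TXS, botmaster) / 1e8))
```

Transaction t3 links A to B and t4 links B to C, so A, B and C collapse into one cluster even though A and C never appear together; D stays separate. The change output in t3 hints at the second heuristic the slide does not use (guessing which output is change and folding it into the spender's cluster), which is more error-prone and is deliberately left out here.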

Estimating Infected Population  Contact anti-virus vendors to obtain telemetry on the mining malware  E_i: estimated bot population in country i  I_i: number of infections in country i seen by a vendor  M_i: number of that vendor's machines in country i  T_i: total number of machines in country i (the vendor's infection rate I_i/M_i is scaled up to T_i)  The estimate is a lower bound: machines without that vendor's antivirus are not counted, and the estimate covers only the specific binaries submitted

Identifying Pool Proxies  Cross-login test: an HTTP proxy can hide the pool and the credentials; create miner accounts at the major mining pools and try them against the suspected proxy; if the proxy accepts credentials that exist only at one pool, it is forwarding work to that pool  Passive DNS: a dark pool lives only as long as its botnet, so passive DNS data from the ISC Security Information Exchange shows when a pool domain was active  Block reversal: a pool hands out the same coinbase to its workers, so matching the coinbase in a bot's work to a pool's blocks ties the bot to that pool  Leaked data

DLoad.asia (Redem and Darksons)  Began mining in 2011  Ended in November 2012  Earnings: Darksons 2,403 BTC; Redem over 10,000 BTC  Over 100,000 IPs  Population: number of infections (chart)

ZeroAccess  9,000,000 infected PCs  Began December 2011  Earnings: 400 BTC  Began mining through proxy servers, later mined as part of Eligius  Population: number of infections (chart)

BMControl  Began mining in September 2012  Mines as part of Eligius  Earnings  Adds 16,000 new bots per day  Average mining rate per bot: 3.75 MH/s  Now mines Litecoin  Population: number of infections (chart)

FeodalCash  Began mining in May 2013  Mines as part of Eligius  Earnings: 168 BTC  Population: 62,500 infections at its peak

Fareit Bots  Began mining April 9, 2013  Used a pool proxy; spread with the Blackhole exploit kit  Earnings: 265 BTC  Population: 12,500 infections

Zenica  Earnings: 170 BTC in 3 months  312,000 or more active IPs  Population: prevalent in Southeast Asia; Vietnam and Thailand account for 70% of sampled infections

HitmanUK  Began in February 2013  Earnings: 4 BTC  After the pool blacklisted the botnet, the botmaster launched a DDoS attack that paralyzed the pool and stopped mining for a few hours; the pool operator then let the botmaster back in  Adds 16,000 new bots per day  Average mining rate per bot: 3.75 MH/s

Xfhp.ru Miner  Uses Zbot (Zeus) to download the Bitcoin mining plugin  Population: Southeast Asia and South America

Skype Miner  Used Skype and social engineering to distribute the bot  Sent a malicious Skype message  If the victim clicked the link, a web page downloaded an executable that attempted to install the Bitcoin mining malware  Began mining in July 2012  Earnings: 250 BTC

Miscellaneous  There are many small mining operations

Mining Revenue  Depends on the botnet's hash rate and the network difficulty  Daily revenue:  MH = one million SHA-256 computations  8.22 x MH/sec

Botnet Costs  Cost of acquiring bots  Costs of the monetization scheme itself  More information is needed on the non-acquisition costs: infrastructure, development, day-to-day operation

Profitability  Varies with exchange rates  Three classes: absolutely profitable (revenue exceeds the full cost of a botnet built solely for mining); marginally profitable (revenue exceeds the additional cost of adding mining to an established botnet); unprofitable (mining does not cover even the additional cost)  Mining is expected to remain profitable for large botnets
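The revenue and profitability slides above leave the arithmetic implicit. The following is an added example, not the paper's own model: expected daily revenue is computed from hash rate and difficulty using the standard Bitcoin expectation that one block is found per difficulty x 2^32 hashes on average, and the three profitability classes from the slide are applied to a hypothetical botnet. The per-bot rate (3.75 MH/s) and the BTC price ($402.53) come from the slides, the block reward of 25 BTC is the reward in force in 2013, and the difficulty, bot price, bot lifetime and marginal cost are placeholder assumptions.

```python
"""Expected mining revenue from hash rate and difficulty, and the three
profitability classes. Added example; the per-bot rate and BTC price come from
the slides, the 25 BTC reward is the 2013 block subsidy, and the difficulty,
bot price, bot lifetime and marginal cost are hypothetical placeholders."""

SECONDS_PER_DAY = 86_400
HASHES_PER_DIFFICULTY_UNIT = 2 ** 32     # expected hashes per block at difficulty 1


def expected_blocks_per_day(hashrate_hps: float, difficulty: float) -> float:
    """Hashes per day divided by the expected hashes per block at this difficulty."""
    return hashrate_hps * SECONDS_PER_DAY / (difficulty * HASHES_PER_DIFFICULTY_UNIT)


def daily_revenue_btc(hashrate_hps, difficulty, block_reward_btc=25.0):
    # Pool payouts approximate this expectation minus the pool fee, which is ignored here.
    return expected_blocks_per_day(hashrate_hps, difficulty) * block_reward_btc


def daily_revenue_usd(hashrate_hps, difficulty, btc_usd, block_reward_btc=25.0):
    return daily_revenue_btc(hashrate_hps, difficulty, block_reward_btc) * btc_usd


def classify_profitability(daily_revenue, daily_acquisition_cost, daily_marginal_cost):
    """Absolutely profitable: covers the full cost of a botnet run for mining alone.
    Marginally profitable: covers only the extra cost of adding mining to a botnet
    that already exists for other purposes. Unprofitable: covers neither."""
    if daily_revenue > daily_acquisition_cost + daily_marginal_cost:
        return "absolutely profitable"
    if daily_revenue > daily_marginal_cost:
        return "marginally profitable"
    return "unprofitable"


def botnet_report(bots, per_bot_hps, difficulty, btc_usd,
                  bot_price_usd, bot_lifetime_days, daily_marginal_cost_usd):
    """Amortize bot acquisition over each bot's lifetime and classify the operation."""
    hashrate = bots * per_bot_hps
    revenue = daily_revenue_usd(hashrate, difficulty, btc_usd)
    acquisition = bots * bot_price_usd / bot_lifetime_days
    return {
        "hashrate_hps": hashrate,
        "daily_revenue_usd": revenue,
        "daily_acquisition_usd": acquisition,
        "class": classify_profitability(revenue, acquisition, daily_marginal_cost_usd),
    }


if __name__ == "__main__":
    # Placeholder assumptions: difficulty 1e9, $0.10 per bot lasting 30 days, $1/day extra cost.
    for size in (1_000, 1_000_000):
        r = botnet_report(size, 3.75e6, 1e9, 402.53, 0.10, 30, 1.0 if size == 1_000 else 100.0)
        print(size, "bots:", "%.4f USD/day" % r["daily_revenue_usd"], r["class"])
```

With these placeholders a thousand CPU bots at 3.75 MH/s earn under a dollar a day, which is why only botnets in the hundreds of thousands or millions of bots (ZeroAccess, BMControl) show up with meaningful earnings in the analysis, and why rising difficulty pushes an operation from marginally profitable toward unprofitable even at a fixed exchange rate.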

Conclusion  Botnet earnings can be tracked because Bitcoin transactions are public  Larger botnets have earned sizable amounts of bitcoin and have operated for years  Most are found in regions where bots are cheaper to acquire  The paper develops methods to trace mining malware to its pool even when a proxy server is used to hide the pool

Litecoin  Decentralized virtual currency derived from Bitcoin  1 LTC = $4.19  Blocks are produced four times faster (2.5 minutes versus 10)  Its scrypt proof of work lessens the advantage of specialized hardware

Questions?