Your Botnet is My Botnet: Analysis of a Botnet Takeover Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Presented by Ryan Genato
Overview Introduction to Botnets, Torpig Domain Flux and “Your Botnet is My Botnet” Analysis of Torpig Network What Do You Do With 70,000 Computers? Conclusions and Future Work
Introduction – Terminology Bot – An application that performs some action or set of actions on behalf of a remote controller Botnet – A network of infection machines controlled by a malicious entity Command and Control (C&C) Channel – Used to send commands to bots, and obtain results and status messages Respectfully lifted from Kemmerer’s presentation of the paper, a 2009 Google Tech Talk
Introduction – Mebroot Rootkit distributed by Neosploit exploit kit Spread via drive-by-downloads: hidden iframe on website executes obfuscated JavaScript to download Mebroot on victim’s machine Mebroot overwrites the master boot record of the machine, circumventing most anti- virus tools (back then) Neosploit – a exploit toolkit similar to Zeus or Zbot. Essentially allowed customization over different malware deployments, with different deliverables. “Script kiddie” level ease and customization that they charged $$$ for – Torpig being one of their many clients.
Introduction – Torpig Once Mebroot has taken hold it loads the Torpig modules from Mebroot C&C server Torpig contacts its own C&C server for updates and to send victim information
Introduction – Torpig What kind of information does Torpig record? Monitoring popular applications “Man-in-the-browser” attacks 31 applications were targeted, including the Service Control Manager, web browsers, FTP clients, e-mail clients, instant messengers, and system programs (cmd.exe) Man in the browser attacks would start by waiting for the victim to navigate to a website found in the configuration file, and then inject HTML onto the target page that would ask the user for sensitive information. But because it would be injected onto a legitimate page, it is hard to detect and many users would simply enter in the data. A funny story that was reported is that with PayPal, users would volunteer their sensitive information AND THEN send an e-mail to PayPal asking, “didn’t I already give you this information?”
Introduction – Domain Flux Correspondence with C&C server is achieved through domain flux – using a domain generation algorithm to “rotate” through rendezvous points Advantages: No single point of failure (fast flux) Robustness Disadvantages Deterministic (this implementation) If someone can reverse engineer your DGA, they can anticipate future domain addresses… Fast flux had bots connecting to a single domain address, which was useful in that the domain could be mapped to a set of IP addresses, but was still a single point of failure.
Your Botnet Is My Botnet And that’s exactly what they did! Reverse engineering the DGA came up with a three week span of unregistered domains Buy the domains, act as the C&C center, hijack the entire botnet (sinkholing) Contrast to passive analysis and previous active analysis attempts
Gathering Data The C&C center hijack lasted for ten days What happened to the three weeks of domains? A couple numbers: Observed a total of 182,800 peers on the Torpig botnet, 70,000 at peak activity Recorded 1,247,642 unique IP addresses Logged 8,310 accounts from 410 institutions 1,660 credit cards After ten days, a new Mebroot binary was distributed that included an updated DGA for Torpig. The reason why this worked was because the team at UCSB only hijacked the Torpig C&C center. The Mebroot DGA had not yet been cracked, and so the criminals still had control of Mebroot and were able to regain control of the botnet. Why they took ten days? Maybe to figure out who was hijacking them.
Data Analysis + Handling 173,686 unique passwords recorded, 40% cracked in less than 75 minutes 28% of users exhibited password reuse Working with FBI and National Cyber- Forensics to repatriate the stolen information Need a reputable organization to work things out
What Do You Do With 70,000 Computers? Take down the government! 70,000 users, average 435 kbps (in 2008) = 17 Gbps 5,635 users to take down fbi.gov and justice.gov 10 Gbps to take down Wikileaks Distributed password cracking
Conclusions and Future Work Victims of botnets pick easy to crack passwords Better user education, higher password standards Botnets operating with an HTTP C&C center can be hijacked for periods of time There is no “off” switch Improved domain generation algorithms (top Twitter) When the team at UCSB was removed of their control of the Torpig network, it was because the DGA they had reverse engineered had been replaced by a new algorithm. It was later found that this algorithm used the daily top Twitter comment in its calculating of the next domain, making the DGA non-deterministic. Torpig went through a series of new DGAs as the old ones got cracked, which illustrates the constant struggle between attackers and defenders.
Works Referenced Chen, Adrian. "The Evil New Tactic Behind Anonymous' Massive Megaupload Revenge Attack." Gawker. N.p., 19 Jan. 2012. Web. 23 Jan. 2012. Greulich, Andreas. "Torpig/Mebroot Reverse Code Engineering." . N.p., 18 Apr. 2009. Web. 23 Jan. 2012. Howard, Rick. Cyber Fraud: Tactics, Techniques and Procedures. N.p.: Auerbach Publications, 2009. Kemmerer, Richard A. "How to Steal a Botnet and What Can Happen When You Do ." YouTube. N.p., n.d. Web. 23 Jan. 2012. <http://www.youtube.com/watch?v=2GdqoQJa6r4>. Richard, Matt, and Michael Ligh. "making fun of your malware." Defcon 17. N.p., n.d. Web. 23 Jan. 2012. Stone-Gross, Brett, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, and Martin Szydlowski. "Your botnet is my botnet: Analysis of a botnet takeover." Proceedings of the 16th ACM conference on Computer and communications security. N.p.: ACM, 2009. 635-47. Vaughn-Nichols, Stephen J. "DDoS: How to take down WikiLeaks, MasterCard or any other Web site." ZDNet. N.p., 9 Dec. 2010. Web. 23 Jan. 2012.
Questions?