Botnets - Attacks and Defense - ACM SIG

Report
Botnets: Attacks and Defense
by Sammie Bush and Lance Pendergrass
Basic Definitions
• Botnet - network of compromised machines that can be remotely controlled by an attacker
• Bot, “zombie” - an unwillingly infected host
• Command & Control (C&C) - some channel or structure acting as a handler in relaying commands and updates to the bots
• Botmaster, Bot-herder - person(s) anonymously controlling the botnet via C&C
Motivation
• Notoriety versus Long-Term Control
• Survivability
• DDoS / Extortion
• Spam
• Identity Theft
  • keylogging
  • traffic captures
• Click Fraud / Poll Manipulation
• Bitcoin Mining – involuntary cloud computing
• Distributed Storage – warez, malware
• Search Engine Optimization (SEO) poisoning
• Blackmarket Services for Rent
(Figure: C&C relaying instructions to launch DDoS attack)
Typical Lifecycle
• Creation / Testing
• Infection
  • Software Vulnerability
  • Drive-By Download
  • Trojan Horse (email attachment, pirated software)
  • Usually followed by rootkit, infecting system restore
• Rallying – contacting C&C
• Potential Propagation
• Waiting
• Executing Instructions
IRC Botnets
• Historically most common
• Centralized topology
• Support large number of connections
• Traffic not as common, easily blocked
• Server often hosted in public network such as Efnet, Undernet
HTTP Botnets
• Typically allowed through firewalls
• Server easily hidden in plain view
• HTTPS support trivial, difficult to inspect
• Doesn’t scale as well, easy to overload server
• Covert channels: DNS, ICMP, SSL, RSS feed, IM
(Figure: HTTP communications channel with C&C)
Decentralized P2P Botnets
• Lack single point of failure, no centralized C&C
• Often seeded with initial nodes to contact
• Download list or learn current peers
• Common for nodes to relay/proxy traffic
• Typically make use of existing P2P protocols: BitTorrent, eDonkey/Overnet, Kademlia DHT
Evasion Techniques
• Multiple Failover C&C servers
• Dynamic DNS
• Domain Generation Algorithms (DGA)
• Fast-Flux / Internal Round-Robin Proxies
• Protocol / IPv6 tunneling
• Botmaster concealment: SOCKS, TOR, BNC’s
• Polymorphism / Obfuscation
Defense
• OS / Software Updates
• Antivirus / IDS Signatures
• Network Baselines / Anomaly Detection
• Firewall Rules
• Domain seizure / Contact ISP Hosting C&C
• Agent masquerading / Honeypots
• MitM Attacks against HTTPS communication
• Sinkholing – analyzing DGA, capturing C&C
• Reverse Engineering – IDA Pro, OllyDbg, Wireshark
• Botmaster Traceback
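The DGA and sinkholing bullets above are easier to see with a concrete defender-side check. The following Python is an added example, not code from the deck or its authors: it scores constructed DNS log lines for the pattern a DGA bot leaves (a burst of NXDOMAIN answers for random-looking names) and lists the generated-looking names that did resolve, which are the rendezvous domains to sinkhole first. The log format, entropy/vowel thresholds and sample names are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS log: "<client> <queried name> <response code>".
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 q7xk2vplw9fzb1.net NXDOMAIN
10.0.0.7 zr4mt8yqhc03wdp.com NXDOMAIN
10.0.0.7 kx91ovbpq2ltm5.org NXDOMAIN
10.0.0.7 wgh5zt2nq8rxb.biz NXDOMAIN
10.0.0.7 n3kq8zxvt1pml.info NOERROR
10.0.0.9 cdn.example.org NOERROR
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking DGA labels score high."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0

def registered_label(name: str) -> str:
    """Second-level label, e.g. 'example' from 'www.example.com'."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(name: str, entropy_threshold: float = 3.5, min_len: int = 10) -> bool:
    """Heuristic (assumed thresholds): long label, high entropy, few vowels."""
    label = registered_label(name)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio < 0.3

def score_clients(log_text: str, nx_ratio: float = 0.5, min_queries: int = 3) -> dict:
    """Clients whose NXDOMAIN burst of generated-looking names resembles a
    DGA bot probing for today's live rendezvous domain -> (total, nx, dga)."""
    stats = defaultdict(lambda: [0, 0, 0])
    for line in log_text.splitlines():
        client, name, rcode = line.split()
        s = stats[client]
        s[0] += 1
        s[1] += int(rcode == "NXDOMAIN")
        s[2] += int(looks_generated(name))
    return {c: tuple(v) for c, v in stats.items()
            if v[0] >= min_queries and v[1] / v[0] >= nx_ratio and v[2] >= min_queries}

def sinkhole_candidates(log_text: str) -> list:
    """Generated-looking names that resolved: the first domains to sinkhole."""
    return [n for n, r in (l.split()[1:] for l in log_text.splitlines())
            if r == "NOERROR" and looks_generated(n)]
```

On the sample log only 10.0.0.7 is flagged (5 queries, 4 NXDOMAIN, 5 generated-looking) and n3kq8zxvt1pml.info is the single sinkhole candidate.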
Select History
• Agobot (2002) – first to use modular design, staged payloads
• Sinowal (2005) – 1.2 million bots, rootkit/MBR, banking credential thief
• Zeus (2007) – targets banking info, estimated $12.5mil loss, RC4/XOR encoded traffic, source code leaked in 2011 leading to many variants, custom kits for sale in blackhat forums
• Storm (2007) – estimated at 1-5mil bots, p2p topology, made use of Fast-Flux technique, IPS rivaling many supercomputers, reputation for launching DDoS defensive measures against researchers
• SpyEye (2009) – predecessor / competitor to Zeus, Zeus removal, financial MitM attacks, credential theft
• TDL-4 / Alureon (2011) – 4.5mil bots, MBR rootkit, encrypted p2p communication, removes rival malware, variant implements malicious DHCP/DNS server, used for spamming, DDoS, proxies
DIY HTTP Based Botnet Kit (1)
(Figure: Cythosia Botnet Kit, AJAX Webpanel, SOCKSv5 Proxy, DDoS)
Cythosia cont.
(Figure: Skynet C&C (Zeus variant, 2013) – generated over $1mil in Bitcoins)