Lessons learned: Sinkholing the Zeroaccess botnet. Ross Gibb. Attack Investigations Team Symantec Security Response.

Transcription

1 Lessons learned: Sinkholing the Zeroaccess botnet Ross Gibb Attack Investigations Team Symantec Security Response AIT - Zeroaccess 1

2 Agenda 1 Introduction to Zeroaccess 2 Details of the P2P protocol 3 The sinkhole operation 4 Results of the sinkhole operation 5 Next steps AIT - Zeroaccess 2

3 Zeroaccess (ZA) Introduction Zeroaccess is a botnet, also known as Sirefef or ZAccess or Zerokit First appeared in Summer 2011 Two major versions Version 1, rootkit, TCP P2P (2011) Version 2, user mode, UDP P2P (2012) Infected computers exclusively use the peer-to-peer (P2P) network to distribute payloads Can be thought of as a framework to load any module/malware Infection vectors include social engineering, exploit kits, and other downloaders Pay Per Install (PPI) and revenue sharing model Primary revenue is through click-fraud Malicious payloads use their own C&C infrastructure AIT - Zeroaccess 3

4 ZA Size Counts are of average daily unique infected hosts, measured in May 2013 Networks are subdivided into 32-bit and 64-bit client networks; no internetwork / cross-port communication ZA v1 (TCP) All Networks 30K ZA v2 (UDP) Network 1 UDP ports (32-bit) / (64-bit) Network 2 UDP ports (32-bit) / (64-bit) M What would a sinkhole of Zeroaccess look like? AIT - Zeroaccess 4

5 ZA P2P Operation Bot A Bot B 1 Request: IP list and file meta-data (getl) Response: IP list and file meta-data (retl) 2 UDP UDP Internal List of Peers Bot B IP th IP 3 Refresh Internal List AIT - Zeroaccess 5

6 ZA P2P Operation Bot A Bot B 1 Request: IP list and file meta-data (getl) Response: IP list and file meta-data (retl) 2 UDP UDP Request: IP list and file meta-data (getl+) 3 4 Response: IP list and file meta-data (retl+) Bot A s IP (newl) (16) (16) (16) (16) (16) 8 times How many bots could receive Bot A s IP address? i billion More than the entire IPv4 address space i AIT - Zeroaccess 6

7 ZA Could the P2P network be sinkholed? Identified weaknesses Relatively small fixed length internal peer list (256 IPs) Unsolicited P2P messages are accepted from any IP IP list in P2P messages is not digitally signed, only payload file meta data is digitally signed Any IP address can be introduced into a remote peer s internal peer list AIT - Zeroaccess 7

8 ZA Challenges to sinkholing Sinkhole 1 newl (with S s IP) Public Peer 1 3 getl 2 retl (with S s IP) NAT Internal peer list Sinkhole IP 1 Sinkhole IP 2 Sinkhole IP th IP newl (Public Peer IP) newl (Public Peer IP) Public Peer 2 Takes a very large amount of continuous bandwidth Public Peer 3 IP churn makes it difficult to know all the public peers (super nodes) Zeroaccess author could use newl s in the same way to retake public peers Difficult to run in a network simulation prior to deployment AIT - Zeroaccess 8

9 ZA Sinkholing Plan Internal List of Peers newl (with A s IP) newl (with A s IP) newl (with A s IP) 1 getl 4 getl 2 Public Peer 1 IP Sinkhole Public Peer Farm 2 A IP IP 256 th IP NAT 3 retl (with A s IP) Sinkhole Farm A Sinkhole B 5 retl (with B s IP) retl (with B s IP) retl (with B s IP) retl (with B s IP) getl (sinkhole servers) Sinkholed Internal List of Peers Sinkhole B IP 1 Sinkhole B IP AIT - Zeroaccess 9

10 ZA The sinkhole master plan Preconditions to launching the sinkhole operation Simulate infected peers to understand runtime behaviour Test sinkholing infected computers on a private LAN with various NAT devices Test against the live P2P live as much as possible without actually sinkholing Expected results Infected peers behind NAT devices are sinkholed and the payloads can no longer be updated All infected machines can be identified for remediation AIT - Zeroaccess 10

11 ZA The best laid plans of mice and men From April to June 2013, the simulation and testing of the sinkhole plan progressed On June 29, 2013, new P2P code was distributed to Zeroaccess version 2 network 2 ZA v2 (UDP) Network 1 UDP ports (32-bit) / (64-bit) Network 2 UDP ports (32-bit) / (64-bit) The update made P2P Network 2 much more resilient to sinkholing Reduction in instruction set (newl dropped) Introduction of secondary internal peer list (holds ~16M IPs) Altered run-time peer communication (secondary peer list for redundancy, and connection state table) AIT - Zeroaccess 11

12 ZA Sinkhole results P2P sinkhole of Network 1 initiated on July, Available targets June 29, 2013, protocol update reduced possible targets to ~900,000 Sinkhole results week of July 17 July 23 (in avg. daily IPs) Botnet size: 797,235 Number of bots sinkholed: 460,000 High sinkhole count for 24 hour period 495,610 Average proportion of botnet sinkholed: 58.7% AIT - Zeroaccess 12

13 ZA Graph of botnet size Botnet size Botnet size AIT - Zeroaccess 13

14 ZA Graph of sinkhole size Sinkholed Sinkholed AIT - Zeroaccess 14

15 Worldwide Infections of Zeroaccess (Approx 800K Daily) AIT - Zeroaccess 15

16 ZA Next steps Continue to work with ISP s and CERTs to clean up infections Continue monitoring P2P networks (sinkholed and not), as well as payload infrastructure Continue with other avenues of investigation AIT - Zeroaccess 16

17 ZA Questions Ross Gibb Attack Investigations Team (AIT) Symantec Security Response Culver City, California AIT - Zeroaccess 17

18 Thank you! Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. AIT - Zeroaccess 18