ENEE 757 CMSC 818V. Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park

Transcription

1 21. Botnets ENEE 757 CMSC 818V Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park Today s Lecture Where we ve been AuthenDcaDon and access control Network security Exploits Worms DDoS Where we re going today Botnets Where we re going next Spam 2 1

2 Botnets Bot Short for robot Autonomous programs performing tasks Benign bots First bots were programs used to react automadcally to events in Internet Relay Chat (IRC) Early definidon of bot: An IRC user who is actually a program. On IRC, typically the robot provides some useful service. Examples are NickServ, which tries to prevent random users from adopdng nicks already claimed by others Malicious bots Typically form large networks, called botnets Botnets are resilient to takedown efforts 3 Botnet History How did we get here? Early 1990s: IRC bots automated management of IRC channels : Distributed DoS tools (distribudon) Trinoo, TFN2k, Stacheldraht : Trojan Horse (remote control) BackOrifice, BackOrifice2k, SubSeven 2001 today: Worms (spreading) Code Red, Blaster, Sasser 4 2

3 Botnet ApplicaJons Spam More on this in next lecture Proxying For phishing or scam pages Denial of service InformaDon theb Examples: financial informadon (e.g. credit card numbers), login credendals Click fraud Mine Bitcoin 5 InformaJon TheM Via HTML InjecJon Domains of interest stored in bot s configuradon file When domain of interest visited Bot modifies the HTML displayed in the user s browser to include phishing form Behavior is configurable via trigger pages and URLs on injecdon servers 6 3

4 Example Phishing Page Torpig Botnet, Example Phishing Page Gameover Zeus Botnet,

5 Botnet Bootstrapping Hosts infected by one of Network worm (vulnerability exploits) aeachment (social engineering) Popular sobware infected with parasidc virus (e.g. on file sharing sites) Drive- by- downloads (malicious web sites exploidng browser vulnerabilides) ExisDng backdoor (from previous infecdon) 9 Botnet CoordinaJon Worker bots receive commands from a botmaster via a command- and- control channel Possible commands: What aeack to conduct (e.g. send spam, DDoS) and what hosts to aeack How/where to propagate New configuradon files Sobware updates Worker bots report informadon to the botmaster Financial/personal informadon harvested Acknowledgments for acdons performed 10 5

6 Botnet Architectures Centralized IRC server (Internet relay chat) Web server (HTTP) MulDple controllers for robustness Peer- to- peer: self organizing Each host can be a worker or a proxy; decided dynamically MulD- level hierarchies possible 11 Centralized Botnet 12 6

7 Example - Agobot [Courtesy of Paul Barford] First discovered in 2002 also called Gaobot, Phatbot 20,000+ of C++, modular design + open source Modules Command and control: IRC based ProtecDon: encrypted code, polymorphism, and- disassembly code Growth: address scanning w/growing collecdon of sobware exploits (i.e., to be mounted against other machines) DDoS aeacks: > 10 different variedes HarvesDng: send back local PayPal info, 100 s of variants 13 Botnet EvoluJon IRC server Oben easy to take down certain hard- coded IP (dynamic DNS) Traffic easier to detect (switch to HTTP) HTTP RotaDng domains (rendez- vous points) ComputaDon based on current date Hard to take down many domains, must also do it quickly Must reverse engineer domain generadon algorithm 14 7

8 Botnet EvoluJon Fast flux Network of bots with fast changing DNS records Many IP addresses for single DNS name (A records) Advanced type also change NS records (double flux) Used to hide mother- ship (content) behind proxy network 15 Double Flux Source: hep:// 16 8

9 Example: Torpig Botnet Trojan horse Distributed via the Mebroot malware plasorm Injects itself into 29 different applicadons as DLL Steals sensidve informadon (passwords, HTTP POST data) HTTP injecdon for phishing Uses encrypted HTTP as C&C protocol Uses domain flux to locate C&C server Mebroot Spreads via drive- by downloads SophisDcated rootkit (overwrites master boot record) Has its own C&C channel 17 Torpig Domain Flux Each bot has Same domain generadon algorithm (DGA) Three fixed domains to be used if all else fails DGA generates Weekly domain name (wd) Daily domain name (dd) Every 20 minutes bot aeempts to connect (in order) to wd.com, wd.net, wd.biz if all three fail, then dd.com, dd.net, dd.biz if they also fail, then the three fixed domains Botmaster typically registered wd.com (and wd.net) 18 9

10 Sinkholing Torpig C&C Overview [Stone- Gross et al., 2009] Reverse engineered name generadon algorithm and C&C protocol Observed that domains for 01/25 02/15 unregistered Registered these domains ourselves Unfortunately, Mebroot pushed new Torpig binary on 02/04 Researchers controlled the botnet for ~10 days Data 8.7 GB Apache logs 69 GB pcap data (contains stolen informadon) 19 Sinkholing Torpig C&C Purchased hosdng from two different hosdng providers known to be unresponsive to complaints Registered wd.com and wd.net with two different registrars One was suspended 01/31 due to abuse complaint Set up Apache web servers to receive bot requests Recorded all network traffic AutomaDcally downloaded and removed data from our hosdng providers Enabled hosts a week early immediately received data from 359 infected machines 20 10

11 Data CollecJon Principles Principle 1: the sinkholed botnet should be operated so that any harm and/or damage to vicdms and targets of aeacks would be minimized always responded with okn message never sent new/blank configuradon file removed data from servers regularly stored data offline in encrypted form Principle 2: the sinkholed botnet should collect enough informadon to enable nodficadon and remediadon of affected pardes worked with law enforcement (FBI and DoD Cybercrime units) worked with bank security officers worked with ISPs 21 Size EsJmaJon Count number of infecdons usually based on unique IP addresses problemadc: DHCP and NAT effects (we saw 1.2M unique IPs) our count based on header informadon: ~180K hosts (nids) seen Average 4,690 new IPs Average 705 new nids 22 11

12 Size EsJmaJon CummulaDve number of infecdons linear for unique IP addresses decayed quickly for unique nids more than 75% of unique nids were observed in first 48 hours 23 Peer- to- Peer Botnets No centralized server Worker bots contact each other in a peer- to- peer (P2P) fashion Each bot knows of a few peers Some workers may become proxies and build a hierarchical structure May also fall back on DGA as a recovery mechanism Two possible mechanisms for allowing bots to contact each other Structured protocol: use distributed hash table (DHT) Unstructured protocol: messages propagate via gossip among peers 24 12

13 Peer RelaJonships in Gameover Zeus [Dell SecureWorks, 2012] 25 Sources Various slides from Christopher Kruegel 26 13

14 Review of Lecture What did we learn? Botnet architectures and mechanisms Paper discussion: EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis MC2 Seminar by Engin Kirda: Dec 4, 5pm, 1115 CSI Register at heps://talks.cs.umd.edu/talks/819 Discussion lead: Carl Scribe: Octavian What s next? Spam 27 14