Lessons learned: Sinkholing the Zeroaccess botnet Ross Gibb Attack Investigations Team Symantec Security Response AIT - Zeroaccess 1
Agenda 1 Introduction to Zeroaccess 2 Details of the P2P protocol 3 The sinkhole operation 4 Results of the sinkhole operation 5 Next steps AIT - Zeroaccess 2
Zeroaccess (ZA) Introduction Zeroaccess is a botnet, also known as Sirefef or ZAccess or Zerokit First appeared in Summer 2011 Two major versions Version 1, rootkit, TCP P2P (2011) Version 2, user mode, UDP P2P (2012) Infected computers exclusively use the peer-to-peer (P2P) network to distribute payloads Can be thought of as a framework to load any module/malware Infection vectors include social engineering, exploit kits, and other downloaders Pay Per Install (PPI) and revenue sharing model Primary revenue is through click-fraud Malicious payloads use their own C&C infrastructure AIT - Zeroaccess 3
ZA Size Counts are of average daily unique infected hosts, measured in May 2013 Networks are subdivided into 32-bit and 64-bit client networks; no internetwork / cross-port communication ZA v1 (TCP) All Networks 30K ZA v2 (UDP) Network 1 UDP ports 16471 (32-bit) / 16470 (64-bit) Network 2 UDP ports 16464 (32-bit) / 16465 (64-bit) 1.6-1.8M What would a sinkhole of Zeroaccess look like? AIT - Zeroaccess 4
ZA P2P Operation Bot A Bot B 1 Request: IP list and file meta-data (getl) Response: IP list and file meta-data (retl) 2 UDP 16471 UDP 16471 Internal List of Peers Bot B IP 1.2.250.252 256 th IP 3 Refresh Internal List AIT - Zeroaccess 5
ZA P2P Operation Bot A Bot B 1 Request: IP list and file meta-data (getl) Response: IP list and file meta-data (retl) 2 UDP 16471 UDP 16471 Request: IP list and file meta-data (getl+) 3 4 Response: IP list and file meta-data (retl+) Bot A s IP (newl) (16) (16) (16) (16) (16) 8 times How many bots could receive Bot A s IP address? i 8 1 16 4.5billion More than the entire IPv4 address space i AIT - Zeroaccess 6
ZA Could the P2P network be sinkholed? Identified weaknesses Relatively small fixed length internal peer list (256 IPs) Unsolicited P2P messages are accepted from any IP IP list in P2P messages is not digitally signed, only payload file meta data is digitally signed Any IP address can be introduced into a remote peer s internal peer list AIT - Zeroaccess 7
ZA Challenges to sinkholing Sinkhole 1 newl (with S s IP) Public Peer 1 3 getl 2 retl (with S s IP) NAT Internal peer list Sinkhole IP 1 Sinkhole IP 2 Sinkhole IP 3 256 th IP newl (Public Peer IP) newl (Public Peer IP) Public Peer 2 Takes a very large amount of continuous bandwidth Public Peer 3 IP churn makes it difficult to know all the public peers (super nodes) Zeroaccess author could use newl s in the same way to retake public peers Difficult to run in a network simulation prior to deployment AIT - Zeroaccess 8
ZA Sinkholing Plan Internal List of Peers newl (with A s IP) newl (with A s IP) newl (with A s IP) 1 getl 4 getl 2 Public Peer 1 IP Sinkhole Public Peer Farm 2 A IP IP 256 th IP NAT 3 retl (with A s IP) Sinkhole Farm A Sinkhole B 5 retl (with B s IP) retl (with B s IP) retl (with B s IP) retl (with B s IP) getl (sinkhole servers) Sinkholed Internal List of Peers Sinkhole B IP 1 Sinkhole B IP 2 127.0.0.1 127.0.0.2 127.0.0.253 AIT - Zeroaccess 9
ZA The sinkhole master plan Preconditions to launching the sinkhole operation Simulate infected peers to understand runtime behaviour Test sinkholing infected computers on a private LAN with various NAT devices Test against the live P2P live as much as possible without actually sinkholing Expected results Infected peers behind NAT devices are sinkholed and the payloads can no longer be updated All infected machines can be identified for remediation AIT - Zeroaccess 10
ZA The best laid plans of mice and men From April to June 2013, the simulation and testing of the sinkhole plan progressed On June 29, 2013, new P2P code was distributed to Zeroaccess version 2 network 2 ZA v2 (UDP) Network 1 UDP ports 16471 (32-bit) / 16470 (64-bit) Network 2 UDP ports 16464 (32-bit) / 16465 (64-bit) The update made P2P Network 2 much more resilient to sinkholing Reduction in instruction set (newl dropped) Introduction of secondary internal peer list (holds ~16M IPs) Altered run-time peer communication (secondary peer list for redundancy, and connection state table) AIT - Zeroaccess 11
ZA Sinkhole results P2P sinkhole of Network 1 initiated on July, 15 2013 Available targets June 29, 2013, protocol update reduced possible targets to ~900,000 Sinkhole results week of July 17 July 23 (in avg. daily IPs) Botnet size: 797,235 Number of bots sinkholed: 460,000 High sinkhole count for 24 hour period 495,610 Average proportion of botnet sinkholed: 58.7% AIT - Zeroaccess 12
2013-08-02 2013-08-04 2013-08-06 2013-08-08 2013-08-10 2013-08-12 2013-08-14 2013-08-16 2013-08-18 2013-08-20 2013-08-22 2013-08-24 2013-08-26 2013-08-28 2013-08-30 2013-09-01 2013-09-03 2013-09-05 2013-09-07 2013-09-09 2013-09-11 2013-09-13 2013-09-15 2013-09-17 ZA Graph of botnet size 820000 Botnet size 800000 780000 760000 740000 720000 700000 Botnet size 680000 660000 640000 620000 AIT - Zeroaccess 13
ZA Graph of sinkhole size 600000 Sinkholed 500000 400000 300000 Sinkholed 200000 100000 0 AIT - Zeroaccess 14
Worldwide Infections of Zeroaccess (Approx 800K Daily) AIT - Zeroaccess 15
ZA Next steps Continue to work with ISP s and CERTs to clean up infections Continue monitoring P2P networks (sinkholed and not), as well as payload infrastructure Continue with other avenues of investigation AIT - Zeroaccess 16
ZA Questions Ross Gibb ross_gibb@symantec.com Attack Investigations Team (AIT) Symantec Security Response Culver City, California AIT - Zeroaccess 17
Thank you! Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. AIT - Zeroaccess 18