Black Market Botnets
Nathan Friess, John Aycock, Ryan Vogt
Department of Computer Science
University of Calgary
Canada
Botnets: Current Scenario
- Infect computers
  - Spam attachments/links, drive-by downloads
- Control victim
  - Spam botnets
- Gather data
  - Key loggers, monitor network traffic
"Interesting" Data
- Identity: Passwords, PINs, SSN
- Financial: Credit Cards, Tax Returns
- Corporate Secrets
  - Design Documentation, Schematics
  - Financial Reports
- Personal Secrets
  - Latest gossip on celebrities
  - Illegal Files, Terrorist Plans
Our Prediction
- More types of data will be stolen and used for profit
The Business Case
[Chart: Volume plotted against Available Data; labelled points: Passwords, Credit Cards, Celebrity Secrets, Trade Secrets, Love Letters???]
Gozi: A First Step
- February 2007
- Monitor HTTP POST requests (even SSL)
- Upload POST data to central server
- Customers search for data (based on web site, form fields, etc.) and pay to download
- Doesn't upload local files
- Limited searching capabilities
Black Market Botnets: Basic Architecture
[Diagram built up over several slides: Victim, Botmaster, Adversary, Botnet, Search Portal, "Bunnies"]

Black Market Botnets: Advanced Architecture
[Diagram built up over several slides: Victim, Botmaster, Adversary, Botnet Auction Network]
Interesting Document Indicators
- Document Types: .TAX
- Financial Data: Spreadsheets
- Specific Vocabulary: Technical Terms, Poetry
- Activity: Recently Edited, Viewed
Auction Infrastructure
- eBay
  - Hide document fragments using steganography
  - Legitimate cover for fund transfer
  - Don't really need to ship a physical product
- Existing model: drug trafficking
Additional Markets
- Victims pay botmaster to not publish documents: Bidding Wars
- Pre-seed botnet with customer queries
- Allow customers to write scripts to search for specific data
Defenses
- Avoid being infected
- Limit document exposure
  - Keep archived files offline
  - Hide documents using steganography
- Digital Rights Management
- Investigate leaks
  - Fingerprint documents, trace back to infected computer
  - Follow money trail, trace back to botmaster
- Actively attack document gathering
  - Insert useless documents into botnet
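One way to combine the "fingerprint documents" and "insert useless documents" defenses, as an added example that is not from the slides: every decoy copy seeded to a host carries a keyed per-host tag, so a copy that later surfaces on a data market can be traced back to the infected computer. The key, host names, decoy text and tag format are constructed assumptions.

```python
import hmac
import hashlib
import re
from typing import Iterable, Optional

# Constructed key. Assumption: it is held by the leak-investigation team,
# never on the workstations, so an attacker cannot forge or strip-and-refit tags.
FINGERPRINT_KEY = b"example-key-do-not-use-in-production"

def fingerprint(doc_id: str, host_id: str) -> str:
    """Per-copy tag: HMAC over (document, host). Two hosts never share a tag,
    and nobody without the key can compute one."""
    msg = f"{doc_id}|{host_id}".encode()
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()[:16]

def stamp_copy(doc_id: str, body: str, host_id: str) -> str:
    """Produce the copy destined for one host, with the tag embedded as an
    inconspicuous trailing comment (assumed embedding; real deployments would
    hide it in document metadata or via steganography)."""
    return f"{body}\n<!-- ref:{fingerprint(doc_id, host_id)} -->\n"

TAG_RE = re.compile(r"ref:([0-9a-f]{16})")

def trace_leak(leaked: str, doc_id: str, hosts: Iterable[str]) -> Optional[str]:
    """Given a document that surfaced outside the organisation, recompute the
    tag for every host that received it and return the matching host, or None
    when no genuine tag is present (tag removed, damaged, or forged)."""
    found = set(TAG_RE.findall(leaked))
    for host in hosts:
        if fingerprint(doc_id, host) in found:
            return host
    return None

# Constructed sample: one decoy "financial report" seeded to three hosts.
HOSTS = ["ws-accounting-01", "ws-accounting-02", "ws-design-07"]
DECOY_BODY = "Q3 Financial Report (DECOY, contains no real figures)\nRevenue: ..."
COPIES = {h: stamp_copy("decoy-q3", DECOY_BODY, h) for h in HOSTS}

def demo() -> Optional[str]:
    # Pretend the copy from one host was harvested and reappeared on a market.
    return trace_leak(COPIES["ws-accounting-02"], "decoy-q3", HOSTS)

if __name__ == "__main__":
    print("leaked copy traced to:", demo())
```

A stripped tag or a forged one maps to no host, which is itself useful: it tells the investigator the leak did not come through a seeded copy.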
Conclusions
- Valuable data is available in botnets
- It is already possible to connect data and customers
- A black market for data can exist, even if botmasters don't know what is in demand