PostNet, une nouvelle ère de Botnet résilient (Julien Desfossez & David Goulet)
Jul 15, 2015
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Plan Introdu tion PostNet Results Real LifePostNet : A new era of resilient Botnetdgoulet�ev0ke.net, ju�klipix.orgHa kFest 2011November 6, 2010
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real Life1 Introdu tionHa kUSHEAD�{0}2 PostNetThe O� eSkynet : The Awakening3 ResultsLe salon des tablesL'hotel des hambres4 Real LifeOperation TakedownBotnet strikes ba kNow What ?dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifePlan1 Introdu tionHa kUSHEAD�{0}2 PostNetThe O� eSkynet : The Awakening3 ResultsLe salon des tablesL'hotel des hambres4 Real LifeOperation TakedownBotnet strikes ba kNow What ?dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeHa kUSShameless PlugHa kUS2 : 1-2-3 Avril 2011Se urity ContestCTFWebReverse Engineering - Binary Exploitation| moredgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeHEAD�{0}Point of OriginThe idea :1 Two years ago : Stealth, Autonomous, Adaptative andDe entralized2 After that : Reality Che k, we had a life...3 Opportunity : Se urity lass during our master4 Birth of PostNetdgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeHEAD�{0}Point of OriginThe idea :1 Two years ago : Stealth, Autonomous, Adaptative andDe entralized2 After that : Reality Che k, we had a life...3 Opportunity : Se urity lass during our master4 Birth of PostNetNow the story... Thanks Morpheusdgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeHEAD�{0}Ops Sword�sh vs War Games 2Botnet main ara teristi s (or problems)BotnetsRendez-vous point for data (order, update, ...)Dynami peer listNodes trustEn ryption (Communi ation Proto ol, Data)Peer hierar hydgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeHEAD�{0}ExamplesStorm : Rendez-vous point using the Kademlia routing proto olWaleda : Hierar hi al using proxy servers to relay dataRusto k : Using TLS for SPAMCon� ker : Well... razy as helldgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeHEAD�{0}Now what?How an we get better ?
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifePlan1 Introdu tionHa kUSHEAD�{0}2 PostNetThe O� eSkynet : The Awakening3 ResultsLe salon des tablesL'hotel des hambres4 Real LifeOperation TakedownBotnet strikes ba kNow What ?dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeThe O� eConferen e room in 5 min (�M.G. S ott)De�nitionsDe entralized : Rendez-vous point are not �xed and potentiallydistributedNon-P2P : No dire t targeted data ex hange between peersCommon P2P Botnet : Botnet using rendez-vous points and dynami peer listdgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeThe O� eNi e things about the NetDNS : Stateless, -j ACCEPT, MTU bytes of fun and ro k solid!
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeThe O� eNi e things about the NetDNS : Stateless, -j ACCEPT, MTU bytes of fun and ro k solid!Yeah I know : CVE-2008-1447SMTP : A tually working, Mail waiting for you
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeThe O� eNi e things about the NetDNS : Stateless, -j ACCEPT, MTU bytes of fun and ro k solid!Yeah I know : CVE-2008-1447SMTP : A tually working, Mail waiting for youSSL : PKI, Signature
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeThe O� eNi e things about the NetDNS : Stateless, -j ACCEPT, MTU bytes of fun and ro k solid!Yeah I know : CVE-2008-1447SMTP : A tually working, Mail waiting for youSSL : PKI, SignatureYeah I know : CVE-2009-2510, CVE-2009-2408
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeThe O� eLet's play Global Thermonu lear WarDNS : Fast-�ux, MTU fun bytes : Covert ChannelSMTP : Overlay NetworkSSL : Trust and ... Trustand let's introdu e ...
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeThe O� eCreed's thoughtun ertainty - (un-surtn-ti)
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeThe O� eCreed's thoughtun ertainty - (un-surtn-ti)No knowledge and no guarantee on where my data is
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeThe O� eDwight's theoryProbability of having a ertain m in peer listLet αm be the number of m in a peer list at time t:P tn(m) =αm|M|Probability of getting a broad ast message for a ertain n : P(n)P(n) =
k∑i=1 ( i
∏j=0(1− P jn(m))
)P in(m)where k is the fet h timedgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeThe O� eJim's PrankNew probability P tn(m′) after a he poisoning atta kLet αp be the number of poison m :P tn(m′) =
αp|M|
× 0 +|M| − αp
|M|P tn(m)
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeSkynet : The AwakeningSkynet : The AwakeningSo what the f*&?$ is PostNet ?
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeSkynet : The AwakeningPostNet
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeSkynet : The AwakeningCon eptsMailboxContains a list of mailsEx hanged via UDPEverytime a mailbox is ex hanged, the TTL of ea h message isde rementedMail Contains the a tual message, a destination and a TTLThe destination an be uni ast or broad ast (in ase of a CCorder)Peer listContains a list of peer addresses and portsEx hanged via dire t UDP pa ketsdgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeSkynet : The AwakeningPostNet
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeSkynet : The AwakeningEntitiesM : MothershipsDire tly rea hable (publi address)Store mailboxesEx hange mailboxes with other MEx hange a hes with other MA ept mail fet h from Z and MZ : ZombiesBehind a NAT gatewayFet h mail from a random M in a hedgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeSkynet : The AwakeningPostNet
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifePlan1 Introdu tionHa kUSHEAD�{0}2 PostNetThe O� eSkynet : The Awakening3 ResultsLe salon des tablesL'hotel des hambres4 Real LifeOperation TakedownBotnet strikes ba kNow What ?dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeLe salon des tables
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeLe salon des tablesSybil Atta kThe simple on ept of inserting a bogus peer to disrupt the botnet
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeLe salon des tablesCa he Poisoning Sybil Atta kPostNet was tested for these s enarios :Persistant atta k not in botnetNon-persistant in botnetPersistant in botnet
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeLe salon des tablesFarnsworth's labOur in-vitro botnet testing gears :30 Virtual Ma hinesEa h VM : Ubuntu 8.04, OpenVZEa h VM : One networkEa h VM : 10 VZ ma hines NATtedTotal : 330 Nodes on 2 physi al ma hinesThe two blades were HOT!dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeLe salon des tablesBotnet SettingsMailbox are ex hanged every 90 se ondsCa hes are ex hanged every 45 se ondsMails are fet hed every 15 se ondsThe experiment runs for 800 se onds
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeL'hotel des hambresFormal Graph
0
0.2
0.4
0.6
0.8
1
0 100 200 300 400 500 600 700 800
Num
ber
of r
each
ed m
achi
nes
Time (Seconds)
Theoretical CC Message Propagation
TheoreticalTheoretical 3 sybils
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeL'hotel des hambres
0
50
100
150
200
250
300
0 100 200 300 400 500 600 700 800
Num
ber
of r
each
ed m
achi
nes
Time (Seconds)
CC Message Propagation
TheoreticalTheoretical 3 Sybils persist not in
no Sybil3 Sybils persist not in botnet3 Sybils non persist in botnet
3 Sybils persist in botnet
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifePlan1 Introdu tionHa kUSHEAD�{0}2 PostNetThe O� eSkynet : The Awakening3 ResultsLe salon des tablesL'hotel des hambres4 Real LifeOperation TakedownBotnet strikes ba kNow What ?dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeOperation TakedownHow botnets get takedownDomain names takedownCoordinated servers takedownFor a ademi s : Sybil atta ks
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeOperation TakedownWhat an't be doneDeep pa ket inspe tion on publi networksLegal fake bot : that's illegal...Client ode inje tion
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeOperation TakedownWhat an't be doneDeep pa ket inspe tion on publi networksLegal fake bot : that's illegal...Client ode inje tionLa sé urité 'est de l'inje tion de ode, LastCall
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeBotnet strikes ba kPolymorphi entropi en rypted forgery... blablablaBinary defenseOn-the-�y ode de ryptionPa king : UPX, Themida, VMProte t, and friendsAnti-debugging : ptra e dete tion, IsDebuggerPresent()...Polymorphismdgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeBotnet strikes ba kNetwork obfus ation fortress... blablablaCovert hannels : TCP IDs, DNS �elds, ICMP, et Proxies : widely used to prote t the C&CDNS Fast-Flux : moving rendez-vous pointP2P : zombies ommuni ate with ea h other
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeBotnet strikes ba kWarningTHE NEXT SLIDE CONTAINS ABUZZWORD
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeBotnet strikes ba kGhostnetBotnet with a spe i� targetStealthness, Stealth, Stealthier, Cool and StealthBuilt spe i� ally for a targetOrigin : Atta ks against the Dalai Lama's o� e
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeBotnet strikes ba kWhat about Stuxnet ?Targetted atta ksHigh level of sophisti ation : 0day, signed driversLots of men powerO�ine propagation
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?Resilient botnet (not for spam)What should be doneUn ertainty based proto oldgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?Resilient botnet (not for spam)What should be doneUn ertainty based proto olRandom peer list ex hangedgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?Resilient botnet (not for spam)What should be doneUn ertainty based proto olRandom peer list ex hangeBinary prote tionring0 a ess : the Governator waydgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?Resilient botnet (not for spam)What should be doneUn ertainty based proto olRandom peer list ex hangeBinary prote tionring0 a ess : the Governator wayCovert hannel and en ryptiondgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?Resilient botnet (not for spam)What should be doneUn ertainty based proto olRandom peer list ex hangeBinary prote tionring0 a ess : the Governator wayCovert hannel and en ryptionHighly de entralizedProblem 1 : Trustdgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?Resilient botnet (not for spam)What should be doneUn ertainty based proto olRandom peer list ex hangeBinary prote tionring0 a ess : the Governator wayCovert hannel and en ryptionHighly de entralizedProblem 1 : TrustEvolving : MUST hange through time (RFC 4242)dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?Resilient botnet (not for spam)What should be doneUn ertainty based proto olRandom peer list ex hangeBinary prote tionring0 a ess : the Governator wayCovert hannel and en ryptionHighly de entralizedProblem 1 : TrustEvolving : MUST hange through time (RFC 4242)(void *) botnet1 : denied, no hierar hydgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?Resilient botnet (not for spam)What should be doneUn ertainty based proto olRandom peer list ex hangeBinary prote tionring0 a ess : the Governator wayCovert hannel and en ryptionHighly de entralizedProblem 1 : TrustEvolving : MUST hange through time (RFC 4242)(void *) botnet1 : denied, no hierar hyNo Fra king P2P and DNSdgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?AntiTRUST : Adding a new M1 C&C hooses a random publi ly a essible zombie2 It multi asts(random(M)) a time window and hallenges3 Triangular Q & AIn theory no signature needed... in theory
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?Don't pani it's overSee you in the Q&A room
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?Questions
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?Debrie�ng room
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Plan Introdu tion PostNet Results Real LifeNow What ?Believe us
dgoulet�ev0ke.net, ju�klipix.org Ha kFest 2011PostNet : A new era of resilient Botnet
Related Documents
