Your Botnet is My Botnet: Analysis of a Botnet Takeover Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Presented by Ryan Genato
Mar 23, 2016
Transcript
Page 1: Your Botnet is My Botnet: Analysis of a Botnet Takeover

Your Botnet is My Botnet: Analysis of a Botnet Takeover

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna

Presented by Ryan Genato

Page 2

Overview

• Introduction to Botnets, Torpig
• Domain Flux and “Your Botnet is My Botnet”
• Analysis of Torpig Network
• What Do You Do With 70,000 Computers?
• Conclusions and Future Work

Page 3

Introduction – Terminology

Bot – An application that performs some action or set of actions on behalf of a remote controller

Botnet – A network of infected machines controlled by a malicious entity

Command and Control (C&C) Channel – Used to send commands to bots, and obtain results and status messages

Page 4

Introduction – Mebroot

Rootkit distributed by the Neosploit exploit kit

Spread via drive-by downloads: a hidden iframe on a website executes obfuscated JavaScript that downloads Mebroot onto the victim’s machine

Mebroot overwrites the master boot record of the machine, circumventing most anti-virus tools (back then)

Page 5

Introduction – Torpig

Once Mebroot has taken hold, it loads the Torpig modules from the Mebroot C&C server

Torpig contacts its own C&C server for updates and to send victim information

Page 6

Introduction – Torpig

What kind of information does Torpig record?
• Monitoring popular applications
• “Man-in-the-browser” attacks

Page 7

Introduction – Domain Flux

Correspondence with the C&C server is achieved through domain flux – using a domain generation algorithm (DGA) to “rotate” through rendezvous points

Advantages:
• No single point of failure (fast flux)
• Robustness

Disadvantages:
• Deterministic (this implementation)
• If someone can reverse engineer your DGA, they can anticipate future domain addresses…

Page 8

Your Botnet Is My Botnet

And that’s exactly what they did!

Reverse engineering the DGA turned up a three-week span of domains that were not yet registered

Buy the domains, act as the C&C center, hijack the entire botnet (sinkholing)
• Contrast to passive analysis and previous active analysis attempts
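The mechanics behind slides 7 and 8, as an added example that is not part of the original slides or the paper: a deterministic, date-seeded DGA is a constructed stand-in (not Torpig’s real algorithm), and the two defender-side functions show why determinism is a weakness: future rendezvous domains can be enumerated in advance for registration/sinkholing, and the same list doubles as a watchlist against DNS logs. The TLD list, seed and log format are all constructed.

```python
"""Toy deterministic, date-seeded DGA and the defender-side uses of it.

Constructed example: the algorithm is NOT Torpig's real DGA, only a stand-in
that shares its key property: anyone who knows the algorithm and the seed
computes exactly the rendezvous domains the bots will compute.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "biz")  # constructed, hypothetical suffix list


def weekly_domains(day: date, seed: bytes = b"example-seed") -> list[str]:
    """Domains a bot would try during the ISO week containing `day`.

    Deterministic in (year, ISO week, seed), so bots and defenders agree.
    """
    year, week, _ = day.isocalendar()
    digest = hashlib.sha256(seed + f"{year}-{week:02d}".encode()).hexdigest()
    # 12 hex digits -> letters a..p; one label reused across the TLD list,
    # mirroring a "rotate through rendezvous points" scheme.
    label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
    return [f"{label}.{tld}" for tld in TLDS]


def upcoming_domains(start: date, weeks: int) -> list[str]:
    """Enumerate the rendezvous domains for the next `weeks` weeks.

    This is the sinkholing precondition from the talk: once the DGA is
    reversed, future domains can be listed and checked for registration.
    """
    out: list[str] = []
    for w in range(weeks):
        out.extend(weekly_domains(start + timedelta(weeks=w)))
    return out


def flag_dga_lookups(dns_log: list[str], candidates: set[str]) -> list[str]:
    """Return source hosts in a DNS log that queried a known DGA domain.

    Log line format is constructed: "<src_ip> <queried_name>".
    Names are normalised (trailing dot, case) before matching.
    """
    hits = []
    for line in dns_log:
        src, name = line.split()
        if name.rstrip(".").lower() in candidates:
            hits.append(src)
    return hits
```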

Page 9

Gathering Data

The C&C center hijack lasted for ten days
• What happened to the three weeks of domains?

A couple of numbers:
• Observed a total of 182,800 peers on the Torpig botnet, 70,000 at peak activity
• Recorded 1,247,642 unique IP addresses
• Logged 8,310 accounts from 410 institutions
• 1,660 credit cards

Page 10

Data Analysis + Handling

173,686 unique passwords recorded, 40% cracked in less than 75 minutes

28% of users exhibited password reuse

Working with the FBI and National Cyber-Forensics to repatriate the stolen information
• Need a reputable organization to work things out

Page 11

What Do You Do With 70,000 Computers?

Take down the government!
• 70,000 users, average 435 kbps (in 2008) = 17 Gbps
• 5,635 users to take down fbi.gov and justice.gov
• 10 Gbps to take down Wikileaks

Distributed password cracking

Page 12

Conclusions and Future Work

Victims of botnets pick easy-to-crack passwords
• Better user education, higher password standards

Botnets operating with an HTTP C&C center can be hijacked for periods of time
• There is no “off” switch
• Improved domain generation algorithms (top Twitter)

Page 13

Works Referenced

Chen, Adrian. "The Evil New Tactic Behind Anonymous' Massive Megaupload Revenge Attack." Gawker. N.p., 19 Jan. 2012. Web. 23 Jan. 2012.

Greulich, Andreas. "Torpig/Mebroot Reverse Code Engineering." N.p., 18 Apr. 2009. Web. 23 Jan. 2012.

Howard, Rick. Cyber Fraud: Tactics, Techniques and Procedures. N.p.: Auerbach Publications, 2009.

Kemmerer, Richard A. "How to Steal a Botnet and What Can Happen When You Do." YouTube. N.p., n.d. Web. 23 Jan. 2012. <http://www.youtube.com/watch?v=2GdqoQJa6r4>.

Richard, Matt, and Michael Ligh. "Making Fun of Your Malware." Defcon 17. N.p., n.d. Web. 23 Jan. 2012.

Stone-Gross, Brett, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, and Martin Szydlowski. "Your botnet is my botnet: Analysis of a botnet takeover." Proceedings of the 16th ACM conference on Computer and communications security. N.p.: ACM, 2009. 635-47.

Vaughn-Nichols, Stephen J. "DDoS: How to take down WikiLeaks, MasterCard or any other Web site." ZDNet. N.p., 9 Dec. 2010. Web. 23 Jan. 2012.

Page 14

Questions?