Your Botnet is My Botnet: Analysis of a Botnet Takeover Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Presented by Ryan Genato
Mar 23, 2016
Overview
• Introduction to Botnets, Torpig
• Domain Flux and “Your Botnet is My Botnet”
• Analysis of Torpig Network
• What Do You Do With 70,000 Computers?
• Conclusions and Future Work
Introduction – Terminology
Bot – An application that performs some action or set of actions on behalf of a remote controller
Botnet – A network of infected machines controlled by a malicious entity
Command and Control (C&C) Channel – Used to send commands to bots, and obtain results and status messages
Introduction – Mebroot
• Rootkit distributed by the Neosploit exploit kit
• Spread via drive-by downloads: a hidden iframe on a website executes obfuscated JavaScript that downloads Mebroot onto the victim’s machine
Mebroot overwrites the master boot record of the machine, circumventing most anti-virus tools (back then)
Introduction – Torpig
Once Mebroot has taken hold, it loads the Torpig modules from the Mebroot C&C server
Torpig contacts its own C&C server for updates and to send victim information
Introduction – Torpig
What kind of information does Torpig record?
• Monitoring popular applications
• “Man-in-the-browser” attacks
Introduction – Domain Flux
Correspondence with the C&C server is achieved through domain flux – using a domain generation algorithm (DGA) to “rotate” through rendezvous points
Advantages:
• No single point of failure (fast flux)
• Robustness
Disadvantages:
• Deterministic (this implementation)
• If someone can reverse engineer your DGA, they can anticipate future domain addresses…
Your Botnet Is My Botnet
And that’s exactly what they did!
• Reverse engineering the DGA revealed a three-week span of unregistered domains
• Buy the domains, act as the C&C center, hijack the entire botnet (sinkholing)
• Contrast with passive analysis and previous active analysis attempts
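The two slides above describe the mechanism that made the takeover possible: a deterministic DGA lets anyone who recovers the algorithm pre-compute the rendezvous domains and register the ones nobody holds yet. The following Python simulation is an added example written for this page; it is not Torpig's actual DGA (the seed, the hash construction, the three-candidates-per-day schedule and the "first resolvable candidate wins" bot behaviour are all constructed for illustration). It shows the defender's workflow: derive the future domains, diff them against what is already registered, and check how many days of bot contact a sinkhole would capture.

```python
"""Deterministic domain-flux simulation and sinkhole planning (illustrative, not Torpig's real DGA)."""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

SEED = b"illustrative-seed"   # constructed; a real DGA hides its seed inside the binary
TLDS = ("com", "net", "biz")  # constructed TLD rotation
CANDIDATES_PER_DAY = 3        # constructed: how many rendezvous domains a bot tries per day


def dga_domain(day: date, index: int, seed: bytes = SEED) -> str:
    """Derive one rendezvous domain from (seed, date, index).
    Fully deterministic: anyone holding the seed and algorithm gets the same answer."""
    digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([index])).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])   # 12 lowercase letters
    return f"{label}.{TLDS[digest[-1] % len(TLDS)]}"


def daily_candidates(day: date, seed: bytes = SEED) -> List[str]:
    """The ordered list of domains a bot will try on a given day."""
    return [dga_domain(day, i, seed) for i in range(CANDIDATES_PER_DAY)]


def bot_rendezvous(day: date, dns: Dict[str, str], seed: bytes = SEED) -> Optional[str]:
    """Bot side: walk today's candidates in order and talk to the first one that resolves.
    `dns` maps domain -> owner label; it is a constructed stand-in for real DNS resolution."""
    for domain in daily_candidates(day, seed):
        if domain in dns:
            return dns[domain]
    return None


def sinkhole_plan(start: date, days: int, registered: Set[str],
                  seed: bytes = SEED) -> List[Tuple[date, str]]:
    """Defender side: given the recovered seed, list every future candidate that is
    still unregistered, i.e. the domains a sinkhole operator could buy ahead of the botmaster."""
    plan = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        for domain in daily_candidates(day, seed):
            if domain not in registered:
                plan.append((day, domain))
    return plan


def simulate_takeover(start: date, days: int, botmaster_days: int) -> Dict[str, int]:
    """Constructed scenario: the botmaster has already registered the first candidate for the
    first `botmaster_days` days of the window; the defender registers every candidate that is
    still free. Returns how many days of the window each party received the bots' check-ins."""
    dns: Dict[str, str] = {}
    for offset in range(botmaster_days):
        dns[daily_candidates(start + timedelta(days=offset))[0]] = "botmaster"
    already_registered = set(dns)
    for _, domain in sinkhole_plan(start, days, already_registered):
        dns[domain] = "sinkhole"
    counts = {"botmaster": 0, "sinkhole": 0}
    for offset in range(days):
        owner = bot_rendezvous(start + timedelta(days=offset), dns)
        if owner is not None:
            counts[owner] += 1
    return counts


if __name__ == "__main__":
    window_start = date(2009, 1, 25)          # constructed date
    for day, domain in sinkhole_plan(window_start, 3, set())[:3]:
        print(day, domain)
    print(simulate_takeover(window_start, 21, 10))
```

The simulation also makes the slide's caveat concrete: the sinkhole only receives bots on days where every higher-priority candidate is unregistered, so the takeover window is bounded by how far ahead the botmaster has already bought domains (and ends as soon as they register something earlier in the list).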
Gathering Data
The C&C center hijack lasted for ten days
• What happened to the three weeks of domains?
A couple of numbers:
• Observed a total of 182,800 peers on the Torpig botnet, 70,000 at peak activity
• Recorded 1,247,642 unique IP addresses
• Logged 8,310 accounts from 410 institutions
• 1,660 credit cards
Data Analysis + Handling
• 173,686 unique passwords recorded, 40% cracked in less than 75 minutes
• 28% of users exhibited password reuse
• Working with the FBI and National Cyber-Forensics to repatriate the stolen information
• Need a reputable organization to work things out
What Do You Do With 70,000 Computers?
Take down the government!
• 70,000 users, average 435 kbps (in 2008) = 17 Gbps
• 5,635 users to take down fbi.gov and justice.gov
• 10 Gbps to take down WikiLeaks
Distributed password cracking
Conclusions and Future Work
Victims of botnets pick easy-to-crack passwords
• Better user education, higher password standards
Botnets operating with an HTTP C&C center can be hijacked for periods of time
• There is no “off” switch
• Improved domain generation algorithms (e.g., seeded from Twitter’s top trending topics)
Works Referenced
Chen, Adrian. "The Evil New Tactic Behind Anonymous' Massive Megaupload Revenge Attack." Gawker. N.p., 19 Jan. 2012. Web. 23 Jan. 2012.
Greulich, Andreas. "Torpig/Mebroot Reverse Code Engineering." . N.p., 18 Apr. 2009. Web. 23 Jan. 2012.
Howard, Rick. Cyber Fraud: Tactics, Techniques and Procedures. N.p.: Auerbach Publications, 2009.
Kemmerer, Richard A. "How to Steal a Botnet and What Can Happen When You Do." YouTube. N.p., n.d. Web. 23 Jan. 2012. <http://www.youtube.com/watch?v=2GdqoQJa6r4>.
Richard, Matt, and Michael Ligh. "Making Fun of Your Malware." Defcon 17. N.p., n.d. Web. 23 Jan. 2012.
Stone-Gross, Brett, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna. "Your Botnet Is My Botnet: Analysis of a Botnet Takeover." Proceedings of the 16th ACM Conference on Computer and Communications Security. N.p.: ACM, 2009. 635-47.
Vaughn-Nichols, Stephen J. "DDoS: How to take down WikiLeaks, MasterCard or any other Web site." ZDNet. N.p., 9 Dec. 2010. Web. 23 Jan. 2012.
Questions?