Recent Advanced Botnets - MegaD & Waledac
Speaker: Li-Ming Chen, 2010/10/22

What is Botnet?
• Bots: compromised hosts, "Zombies"
• Botnets: networks of bots that are under the control of a human operator (botmaster); generally looks like Worm + C&C channel
• Command and Control Channel: disseminates the botmaster's commands to the bot armies; communication over IRC, HTTP, … (can be encrypted)
• Worm: attack (DoS, spamming, phishing site, …); propagation (vulnerabilities, file sharing, P2P, …)

Lifecycle of a Typical Botnet Infection
Uses of Botnets:
• Phishing attacks
• Spam
• ID/information theft
• DDoS
• Distributing other malware

Why is Botnet so Daunting?
• Underground economics!
• Multilayered/multifunction C&C architecture
• Botnet structures change (e.g., P2P)
• Always behind the mirror: fast-flux and secure communication (hide C&C servers or other bots behind an ever-changing network)
• Multi-vector exploitation + social engineering techniques

Overview
• MegaD (aka Ozdok): analysis method, architecture, operation/malicious activities
• Waledac: analysis method, architecture, operation/malicious activities
• Summary & Discussion

Paper Reference
MegaD:
• Chia Yuan Cho, Juan Caballero, Chris Grier, Vern Paxson, and Dawn Song, "Insights from the Inside: A View of Botnet Management from Infiltration," in Proc. USENIX LEET, 2010.
Waledac:
• Greg Sinclair, Chris Nunnery, and Brent ByungHoon Kang, "The Waledac Protocol: The How and Why," in Proc. MALWARE, 2009.
• Chris Nunnery, Greg Sinclair, and Brent ByungHoon Kang, "Tumbling Down the Rabbit Hole: Exploring the Idiosyncrasies of Botmaster Systems in a Multi-Tier Botnet Infrastructure," in Proc. USENIX LEET, 2010.

MegaD (aka Ozdok)
http://en.wikipedia.org/wiki/Mega-D_botnet
• A mass spamming botnet, appeared in 2007
• 1/3 of worldwide spam at its peak!!
• Resilience: survived two major takedown attempts
  - 2008/12, US FTC + Marshal Software (McColo ISP shutdown)
  - 2009/11, takedown effort by FireEye

MegaD C&C Servers & Dialogs
• A MegaD bot interacts during its lifetime with 4 types of C&C servers: Master Servers (MS), Drop Servers (DS), Template Servers (TS), SMTP Servers (SS)
• 2 different "sequences of commands" (dialogs) issued by the MS are observed: Spam Dialog (launch spam campaigns) and Download Dialog (update to a new binary)

MegaD – Spam Dialog
(1) request a command
(2) test spam-sending capability
(3) MS engages the bot in an elaborate preparation phase to obtain information about the infected host
(4) get a spam template
(5) start spamming
When it finishes, the bot reinitiates the spam dialog.

MegaD – Download Dialog
(1) request a command
(2) test spam-sending capability
(3, 4, 5) MS orders the bot to download a new binary from a DS and execute it

MegaD C&C Servers (function / how to connect or locate)
• Master Servers (MS): distribute commands, pull-based (reply with both auth info and a general command). Located via a domain name hardcoded in the bot binary.
• Drop Servers (DS): distribute new binaries. The MS indicates a URL specifying a file to download.
• Template Servers (TS): distribute spam templates. The MS specifies the address and port of the TS.
• SMTP Servers (SS): (1) test spam-sending capability; (2) notified after template downloading and prior to commencing to spam. Located via (1) the MS specifying the server's hostname, (2) the address embedded in the spam template.

Infiltrating MegaD
• Goal: monitor MegaD's malicious activities (spam only!) and discover the complete C&C architecture
• Techniques: Milker [11, 12] – a bot emulator without malicious side effects; Google hacking – a trick to discover MSes; *Honeypot
[11] Juan Caballero et al., "Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering," in Proc. ACM CCS, 2009.
[12] Juan Caballero et al., "Binary code extraction and interface identification for security applications," in Proc. NDSS, 2010.

Milker
• Observation: MegaD only carries out spam; templates fully describe the botnet's spam operation
• Milkers: C&C Milker – periodically query an MS for commands; Template Milker – periodically query a TS for templates
• IP address diversity: Tor (onion network)
• Prerequisites: MegaD's protocol grammar [11]; the encryption/decryption functions used by MegaD [12]

Google Hacking
• Google hacking is just a "trick"
• Intuition: MegaD MSes listen on TCP port 80 or 443, camouflaged as normal web servers by crafting the response to "GET /" (a hyperlink to a Microsoft web page)
• Leverage the ubiquity of search engines locating web servers on port 80/443 around the Internet: the camouflage content gets added to the search engine's database, so just google the "distinguishable elements" to locate the MSes
• 4 results on 4 unique hostnames with no false positives

Google Hack Returns 4 Unique Results
[Figure: MegaD crafted response, copied from the authors' slides]

Insights from Infiltration
• Takedown and reconstruction
• View of the complete C&C architecture
• Template milking & botnet management

FireEye's Takedown Effort
[Figure: spam volume timeline; infiltration begins; FireEye takes down MS-S1 and SS1; spam share 4% → 0% (11/6) → 17% (16 days later)]
• Finding: template contents remain unchanged for 1 week after the takedown
• Lack of backup domains and ISPs/infrastructure
• Time taken to set up new infrastructure = 1 week

MegaD's Takedown Recovery
• 11/13, templates updated to point to the new SS2 & MS-S2
• Recovery: (1) Resilience: remnant servers redirect remaining bots to new C&C servers [X]; (2) New bots: push out new MegaD binaries! [O]
• 16 days after the takedown, MegaD's spam exceeded the pre-takedown level

MegaD's C&C Architecture
• Q: multiple botmasters? A: maybe.. (evidence #1)
• 1/29, MS-D1 found by Google hacking, which led to others
[Figure: timeline of C&C servers from 10/27 to 2/18; TS2 (port 443) always on 10/27~2/18; TS server replacement on 11/13; TS3 (port 443) 12/22~2/2; further servers marked at 11/13, 12/10~1/14, 1/17, 1/24 and 2/17]

Template Milking & Botnet Management
• Collected 271K templates from the 7 TSes over 4 months
• Template = template + element database; each data element has a set of values in the template (polymorphic)
• Changes in the templates show how the botmaster manages the botnet

Changes in Template Structure
• Plot occurrences of unique data elements (by element ID) across all template servers
• It is evidence (#2) of separate management! (only 2 days of templates from TS7)

Changes in Polymorphic Data Elements
• 3 types of (element) polymorphism identified:
  - Single-set polymorphic (fixed set)
  - Multi-set polymorphic (manually updated by the botmaster), e.g., URL, BODY_HTML
  - Every-set polymorphic (auto-updated by the TS), e.g., DOMAINS, IMG, LINK

Changes in Polymorphic Data Elements (cont'd)
• The update rate of multi-set polymorphic elements is also evidence (#3) of separate management! (days between dynamic subject updates, {DIKSBJ})
• Groups:
  - Group 1: Arch: no TS replacement. Template: specific structure, infrequent updates.
  - Group 2: Arch: TS replacement. Template: specific structure, frequent updates.
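The three polymorphism types and the update-rate measure above can be derived mechanically from a series of milked template snapshots. The following Python is an added example, not the paper's tooling: it classifies each element from constructed snapshots (element names follow the slides; the values and dates are made up) and reports the days between updates for multi-set elements.

```python
from datetime import date

# Constructed template snapshots (date, {element: set of values}); sample data,
# not real MegaD templates. Element names follow the slides (DOMAINS, URL, SUBJ).
SNAPSHOTS = [
    (date(2009, 12, 1), {"DOMAINS": {"a1.test", "b1.test"}, "URL": {"http://u1.test/"}, "SUBJ": {"hi", "hello"}}),
    (date(2009, 12, 2), {"DOMAINS": {"a2.test", "b2.test"}, "URL": {"http://u1.test/"}, "SUBJ": {"hi", "hello"}}),
    (date(2009, 12, 5), {"DOMAINS": {"a3.test"}, "URL": {"http://u2.test/"}, "SUBJ": {"hi", "hello"}}),
    (date(2009, 12, 9), {"DOMAINS": {"a4.test", "b4.test"}, "URL": {"http://u2.test/"}, "SUBJ": {"hi", "hello"}}),
    (date(2009, 12, 10), {"DOMAINS": {"a5.test"}, "URL": {"http://u3.test/"}, "SUBJ": {"hi", "hello"}}),
]


def classify_elements(snapshots):
    """Map each element to (polymorphism type, dates on which its value set changed).

    single-set: the value set never changes between snapshots
    every-set:  the value set differs in every consecutive snapshot (TS auto-update)
    multi-set:  anything in between (manual botmaster updates)
    """
    elements = set()
    for _, template in snapshots:
        elements.update(template)
    result = {}
    for elem in sorted(elements):
        prev, updates = None, []
        for day, template in snapshots:
            cur = frozenset(template.get(elem, ()))
            if prev is not None and cur != prev:
                updates.append(day)
            prev = cur
        if not updates:
            kind = "single-set"
        elif len(updates) == len(snapshots) - 1:
            kind = "every-set"
        else:
            kind = "multi-set"
        result[elem] = (kind, updates)
    return result


def update_intervals(update_days):
    """Days between successive updates (the slides' 'days between dynamic subject updates')."""
    return [(b - a).days for a, b in zip(update_days, update_days[1:])]


if __name__ == "__main__":
    for elem, (kind, updates) in classify_elements(SNAPSHOTS).items():
        print(elem, kind, update_intervals(updates))
```

Run against real milked templates, a per-server histogram of the multi-set intervals is what separates the "infrequent" from the "frequent" update groups.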
Conclusion (MegaD)
• MegaD infiltration over 4 months
• Techniques: Milker + Google hacking
• Insights: a rich view of the MegaD C&C architecture; how the botnet actually recovers from a takedown; evidence of distinct botmaster management groups (but they share the same SMTP server)

Waledac
• Waledac (possible successor to the Storm botnet): http://en.wikipedia.org/wiki/Waledac_botnet
• Appeared in late 2008
• A spam-generating phishing infrastructure with fast-flux functionality
• Symantec's blog and a technical report: http://www.symantec.com/connect/blogs/paper-waledac
• Trend Micro's report: http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/infiltrating_the_waledac_botnet_v2.pdf

Analysis Method
• Not infiltration
• Methods: binary analysis; file system data from higher tiers of the botnet; network traffic trace analysis

Waledac Hierarchy
• Botmaster
• Botmaster-owned infrastructure: UTS (Upper-Tier Server); TSL (just the name of the Windows registry entry)
• Infected host systems (C&C servers): Repeaters (nodes without NAT, single-tier peering); Spammers (bots, nodes behind NAT)

Lower Layer: Infected Host Systems
• An infected victim decides for itself whether it is a Spammer (if it is unreachable by other nodes, i.e., has a private IP) or a Repeater (if it has a non-private IP address)
• Tasks: spamming, local data harvesting (e.g., email addresses); more tasks: HTTP proxying, fast-flux DNS
• Bootstrap (after compromise): the Waledac binary contains a bootstrap IP list and a URL (fast-flux); locate neighboring repeaters; join/registration (through each tier to the head-end C&C server); get a session key for future communication

Botnet Communication
• Security: 5 types of encoding scheme
• P2P (repeater tier only): each bot maintains a "fresh" repeater node list; "single-tier peering" reduces the overall traffic handling requirements for the higher tiers
• Command and Control: request and reply both use a "symmetric" XML format; 9 unique commands identified; spammers retrieve commands in a pull-based scheme
• Fast-flux: a repeater may act as a DNS server supporting the Waledac fast-flux network; it responds to DNS queries from both lower bots and other nodes on the Internet

TSL
• Hides the UTS from repeaters & initiates targeted spam campaigns
• (Guess) servers in the TSL tier: (1) self-organizing, information sharing [X]; (2) independently report to a central server [O]
• TSL configuration: CentOS; ntp, BIND (a DNS server), PHP, nginx (an HTTP server), …, phpmailer

UTS (Upper-Tier Server)
• Purpose: autonomous C&C; credential repository; provide a repacking service; maintain binaries and bootstrap lists; audit, monitor population and vitality statistics; interact with underground 3rd parties (spamit.com, j-roger.com)
• UTS configuration: CentOS; PHP, CLI (command line interface), flat files, no central DB…

Malicious Activities
• Differentiated spamming: Low Quality Spam (bulk spam through spammers); High Quality Spam (authenticated & targeted)
• Data harvesting: network traffic (winpcap); HDD scanning (email)

High Quality Spam (HQS)
• (Credentials collected from bots)
• 3rd-party collaboration (test credentials before real spam)

Conclude (Waledac)
• Hierarchical C&C architecture (multi-service tiers)
• Repeater single-tier peering
• HQS: authenticated spam
• Node auditing

Summary
• MegaD: multifunction C&C architecture; takedown & recovery
• Waledac: multilayered C&C architecture + P2P botnet infrastructure; advanced spam technique and botnet management

Botnet Detection
• Target: bots, the whole botnet, C&C servers, the botmaster!!
• Solutions:
  - BotHunter: detect the bot's lifecycle
  - BotSniffer: detect spatial-temporal properties of C&C
  - BotMiner: monitor malicious activities and C&C communication, and co-inference
  - Temporal persistence characteristic of a single bot
  - Infiltration
  - BotGrep: detect the P2P structure of the botnet
  - …

Discussion
• Things that make botnet detection more challenging: pull-based C&C communication; fast-flux; encryption/polymorphism; proprietary C&C techniques and architecture
• Problems: forensics – identify the botmaster; bots → botnet, or botnet → bots
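Of the approaches listed above, the temporal persistence of a single bot and the regularity of pull-based polling (both MegaD spammers and Waledac spammers fetch commands this way) rest on timing alone, so they survive encrypted C&C. The Python below is an added example, not code from the talk or the cited papers: over constructed flow records it flags (source, destination) pairs whose contacts are both periodic and persistent across the observation span; the thresholds and the sample data are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed flow records (epoch seconds, source, destination:port); not real traffic.
# 10.0.0.5 polls 198.51.100.20:443 every 600 s for 12 hours (pull-based C&C pattern),
# while its own web traffic and that of 10.0.0.7 is irregular and short-lived.
FLOWS = [(t, "10.0.0.5", "198.51.100.20:443") for t in range(0, 12 * 3600, 600)]
FLOWS += [(t, "10.0.0.7", "203.0.113.80:80") for t in (30, 95, 700, 710, 2400, 3300)]
FLOWS += [(t, "10.0.0.5", "203.0.113.80:80") for t in (50, 4000, 5000)]


def contact_times(flows):
    """Group sorted contact times by (source, destination:port)."""
    pairs = defaultdict(list)
    for ts, src, dst in flows:
        pairs[(src, dst)].append(ts)
    return {k: sorted(v) for k, v in pairs.items()}


def regularity(times):
    """Coefficient of variation of inter-contact gaps: 0.0 is perfectly periodic; None if too few."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None


def persistence(times, span_start, span_end, window=3600):
    """Fraction of window-sized bins in [span_start, span_end] with at least one contact."""
    n_bins = (span_end - span_start) // window + 1
    hit = {(t - span_start) // window for t in times}
    return len(hit) / n_bins


def flag_candidates(flows, max_cv=0.2, min_persistence=0.8, window=3600):
    """Pairs that poll periodically and persistently; thresholds are assumed, not tuned."""
    span_start = min(t for t, _, _ in flows)
    span_end = max(t for t, _, _ in flows)
    flagged = []
    for pair, times in contact_times(flows).items():
        cv = regularity(times)
        if cv is None:
            continue
        if cv <= max_cv and persistence(times, span_start, span_end, window) >= min_persistence:
            flagged.append(pair)
    return sorted(flagged)
```

Legitimate pollers (update checks, NTP, mail clients) trip the same test, so in practice the flagged pairs are a triage list to correlate with the other evidence (spam output, DNS behaviour), not a verdict.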