Recent Advanced Botnets
- MegaD & Waledac
2010/10/22
Speaker: Li-Ming Chen

What is Botnet?

Bots: compromised hosts, "zombies"
Botnets: networks of bots that are under the control of a human operator (botmaster)
A botnet (generally) looks like: worm + C&C channel
- Command and Control channel: disseminates the botmaster's commands to the bot army; communication over IRC, HTTP, ... (can be encrypted)
- Worm: propagation (vulnerabilities, file sharing, P2P, ...) and attack (DoS, spamming, phishing site, ...)
Lifecycle of a Typical Botnet Infection

Uses of botnets:
- Phishing attacks
- Spam
- ID/information theft
- DDoS
- Distributing other malware
Why is Botnet so Daunting?

- Underground economics!
- Multilayered/multifunction C&C architecture
- Botnet structures change (e.g., P2P)
- Always behind the mirror: fast-flux and secure communication (hide the C&C servers or other bots behind an ever-changing network)
- Multi-vector exploitation + social engineering techniques
Overview

- MegaD (aka Ozdok)
  - Analysis method
  - Architecture
  - Operation/malicious activities
- Waledac
  - Analysis method
  - Architecture
  - Operation/malicious activities
- Summary & Discussion
Paper Reference

MegaD
- Chia Yuan Cho, Juan Caballero, Chris Grier, Vern Paxson, and Dawn Song, "Insights from the Inside: A View of Botnet Management from Infiltration," in Proc. USENIX LEET, 2010.

Waledac
- Greg Sinclair, Chris Nunnery, and Brent ByungHoon Kang, "The Waledac Protocol: The How and Why," in Proc. MALWARE, 2009.
- Chris Nunnery, Greg Sinclair, and Brent ByungHoon Kang, "Tumbling Down the Rabbit Hole: Exploring the Idiosyncrasies of Botmaster Systems in a Multi-Tier Botnet Infrastructure," in Proc. USENIX LEET, 2010.
MegaD

MegaD (aka Ozdok)
- http://en.wikipedia.org/wiki/Mega-D_botnet
- A mass-spamming botnet that appeared in 2007
- 1/3 of worldwide spam at its peak!!
- Resilience: survived two major takedown attempts
  - 2008/12: US FTC + Marshal Software (McColo ISP shutdown)
  - 2009/11: takedown effort by FireEye
MegaD C&C Servers & Dialogs

A MegaD bot interacts during its lifetime with 4 types of C&C servers:
- Master Servers (MS)
- Drop Servers (DS)
- Template Servers (TS)
- SMTP Servers (SS)

2 different "sequences of commands" (dialogs) issued by the MS are observed:
- Spam dialog (launch spam campaigns)
- Download dialog (update to a new binary)
MegaD – Spam Dialog

(1) The bot requests a command from the MS
(2) Test spam-sending capability
(3) The MS engages the bot in an elaborate preparation phase to obtain information about the infected host
(4) Get a spam template (from a TS)
(5) Start spamming

When it finishes, the bot reinitiates the spam dialog.
MegaD – Download Dialog

(1) The bot requests a command from the MS
(2) Test spam-sending capability
(3, 4, 5) The MS orders the bot to download a new binary from a DS and execute it
MegaD C&C Servers

Server                 | Function                                            | How to connect/locate
-----------------------|-----------------------------------------------------|------------------------------------------------
Master Servers (MS)    | Distribute commands, pull-based (reply with both    | Domain name hardcoded in the bot binary
                       | auth info and a general command)                    |
Drop Servers (DS)      | Distribute new binaries                             | MS indicates a URL specifying a file to download
Template Servers (TS)  | Distribute spam templates                           | MS specifies the address and port of the TS
SMTP Servers (SS)      | (1) Test spam-sending capability                    | (1) MS specifies the server's hostname
                       | (2) Notified by the bot after template download     | (2) Embedded in the spam template
                       |     and prior to commencing to spam                 |
Infiltrating MegaD

Goal:
- Monitor MegaD's malicious activities (spam only!)
- Discover the complete C&C architecture

Techniques:
- Milker [11, 12]: a bot emulator without malicious side effects
- Google hacking: a trick to discover MSes
- *Honeypot

[11] Juan Caballero et al., "Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering," in Proc. ACM CCS, 2009.
[12] Juan Caballero et al., "Binary code extraction and interface identification for security applications," in Proc. NDSS, 2010.
Milker

(Observation) MegaD only carries out spam
→ Templates fully describe the botnet's spam operation

Milkers:
- C&C milker: periodically queries an MS for commands
- Template milker: periodically queries a TS for templates
- IP address diversity: Tor (onion network)

Prerequisites:
- MegaD's protocol grammar [11]
- The encryption/decryption functions used by MegaD [12]
Google Hacking

Google hacking is just a "trick"

Intuition:
- MegaD MSes listen on TCP port 80 or 443
- They are camouflaged as normal web servers by crafting the response to "GET /"
  → leverage the ubiquity of search engines, which locate web servers on port 80/443 all over the Internet
- The crafted response is a hyperlink to a Microsoft webpage
- The camouflage content gets added to the search engine's database
  → just google the "distinguishable elements" to locate the MSes

Result: 4 results on 4 unique hostnames, with no false positives
Google Hack Returns 4 Unique Results
(figure: MegaD's crafted response; copied from the authors' slides)
Insights from Infiltration

- Takedown and reconstruction
- View of the complete C&C architecture
- Template milking & botnet management
FireEye's Takedown Effort

(Infiltration begins; FireEye takes down MS-S1 and SS1)
(Spam: 4% → 0% on 11/6 → 17% 16 days later)

Findings:
- Template contents remained unchanged for 1 week after the takedown
- Lack of backup domains and ISPs/infrastructure
- Time taken to set up new infrastructure = 1 week
MegaD's Takedown Recovery

11/13: templates updated to point to the new SS2 & MS-S2

Recovery:
(1) Resilience: remnant servers redirect the remaining bots to the new C&C servers
(2) New bots: push out new MegaD binaries!

16 days after the takedown, MegaD's spam exceeded the pre-takedown level.
MegaD's C&C Architecture

(figure: timeline of the C&C servers seen during infiltration; TS2 on port 443 always on from 10/27 to 2/18; TS server replacement on 11/13; TS3 on port 443 from 12/22 to 2/2; MS-D1 found by Google hacking on 1/29, and it led to the others)

Q: multiple botmasters?
A: maybe.. (evidence #1)
Template Milking & Botnet Management

Collected 271K templates from the 7 TSes over 4 months

Template:
- Template + element database
- Each data element has a set of values in the template → polymorphic
- Changes in the templates show how the botmaster manages the botnet
Changes in Template Structure

Plot the occurrences of unique data elements (by element ID) across all template servers
→ It is evidence (#2) of separate management!
(Only 2 days of templates from TS7)
Changes in Polymorphic Data Elements

3 types of (element) polymorphism were identified:
- Single-set polymorphic (fixed set)
- Multi-set polymorphic (manually updated by the botmaster), e.g., URL, BODY_HTML
- Every-set polymorphic (auto-updated by the TS), e.g., DOMAINS, IMG, LINK
Changes in Polymorphic Data Elements (cont'd)

The update rate of multi-set polymorphic elements is also evidence (#3) of separate management!
(Plot: days between dynamic subject updates, {DIKSBJ})

Groups:
- Group 1: no TS replacement; templates have a specific structure and infrequent updates
- Group 2: TS replacement; templates have a specific structure and frequent updates
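The three kinds of element polymorphism and the "days between updates" statistic above, as an added example that is not the paper's analysis code: given a time series of milked templates, classify each data element by how its value set changes between consecutive fetches, and measure the update interval of the manually updated ones. The templates are constructed; the element names mirror the slide's examples, the values are invented.

```python
"""Added example (not from the paper): classify milked template elements as
single-set / multi-set / every-set polymorphic and compute update intervals.
The sample templates are constructed."""
from datetime import date, timedelta


def classify_elements(templates):
    """templates: list of (date, {element_id: set_of_values}), sorted by date.
    Returns {element_id: "single-set" | "multi-set" | "every-set"}."""
    ids = set().union(*(elems.keys() for _, elems in templates))
    classes = {}
    for eid in ids:
        series = [frozenset(elems.get(eid, ())) for _, elems in templates]
        changes = sum(1 for a, b in zip(series, series[1:]) if a != b)
        if changes == 0:
            classes[eid] = "single-set"      # fixed set of values
        elif changes == len(series) - 1:
            classes[eid] = "every-set"       # fresh set on every fetch (TS-generated)
        else:
            classes[eid] = "multi-set"       # occasional (manual) updates
    return classes


def update_intervals_days(templates, eid):
    """Days between successive value-set changes of one element; the per-TS
    distribution of this is what separated the two management groups."""
    last_set, last_date, gaps = None, None, []
    for d, elems in templates:
        cur = frozenset(elems.get(eid, ()))
        if cur != last_set:
            if last_set is not None:
                gaps.append((d - last_date).days)
            last_set, last_date = cur, d
    return gaps


def summarize(templates):
    """{class: sorted element ids}, the shape of the per-TS structure plot."""
    out = {"single-set": [], "multi-set": [], "every-set": []}
    for eid, cls in classify_elements(templates).items():
        out[cls].append(eid)
    return {k: sorted(v) for k, v in out.items()}


def constructed_templates():
    """Eight daily fetches from one TS (constructed sample data)."""
    base = date(2009, 12, 1)
    subjects = ([{"Your order", "Re: invoice"}] * 3
                + [{"Hot deal", "Last chance"}] * 4
                + [{"New year sale"}])
    bodies = [{"<html>v1</html>"}] * 6 + [{"<html>v2</html>"}] * 2
    out = []
    for i in range(8):
        out.append((base + timedelta(days=i), {
            "FROM_NAME": {"Online Pharmacy", "Canadian Pharmacy"},  # fixed
            "SUBJECT": subjects[i],                                  # manual updates
            "BODY_HTML": bodies[i],                                  # manual updates
            "DOMAINS": {f"d{i}a.example", f"d{i}b.example"},        # rotated each fetch
            "IMG": {f"img{i}.gif"},                                  # rotated each fetch
        }))
    return out


if __name__ == "__main__":
    ts = constructed_templates()
    print(summarize(ts))
    print("SUBJECT update gaps (days):", update_intervals_days(ts, "SUBJECT"))
```

On real data the interesting output is not the classes themselves but the contrast between servers: two TSes whose multi-set elements are updated on very different schedules are, as the slides argue, most plausibly run by different operators.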
Conclusion (MegaD)

MegaD infiltration over 4 months

Techniques:
- Milker + Google hacking

Insights:
- A rich view of the MegaD C&C architecture
- How the botnet actually recovers from a takedown
- Evidence of distinct botmaster management groups, but they share the same SMTP server
Waledac

Waledac (possible successor to the Storm botnet)
- http://en.wikipedia.org/wiki/Waledac_botnet
- Appeared in late 2008
- A spam-generating phishing infrastructure with fast-flux functionality
- Symantec's blog and a technical report: http://www.symantec.com/connect/blogs/paper-waledac
- Trend Micro's report: http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/infiltrating_the_waledac_botnet_v2.pdf
Analysis Method

Infiltration is not used.

Methods:
- Binary analysis
- File-system data obtained from higher tiers of the botnet
- Network traffic trace analysis
Waledac Hierarchy

Botmaster
- Botmaster-owned infrastructure (C&C servers):
  - UTS (Upper-Tier Server)
  - TSL (just the name of the Windows registry entry)
- Infected host systems (bots):
  - Repeater: without NAT; single-tier peering
  - Spammer: nodes behind NAT
Lower Layer: Infected Host Systems

An infected victim decides for itself whether it is a:
- Spammer: if it is unreachable by other nodes (private IP address); tasks: spamming, local data harvesting (e.g., email addresses)
- Repeater: if it has a non-private IP address; more tasks: HTTP proxying, fast-flux DNS

Bootstrap (after compromise):
- The Waledac binary contains a bootstrap IP list and a URL (fast-flux)
- Locate neighboring repeaters
- Join/register (through each tier up to the head-end C&C server)
- Get a session key for future communication
Botnet Communication

Security: 5 types of encoding scheme

P2P (repeater tier only):
- Each bot maintains a "fresh" list of repeater nodes
- "Single-tier peering" reduces the overall traffic-handling requirements for the higher tiers
Botnet Communication

Command and control:
- Request and reply both use a "symmetric" XML format
- 9 unique commands were identified
- Spammers retrieve commands in a pull-based scheme

Fast-flux:
- A repeater may act as a DNS server supporting the Waledac fast-flux network
- It responds to DNS queries both from lower-tier bots and from other nodes on the Internet
TSL

Hides the UTS from the repeaters & initiates targeted spam campaigns

(Guess) how the servers in the TSL tier are organized:
(1) self-organizing, information sharing: ruled out
(2) independently report to a central server: supported

TSL configuration:
- CentOS
- ntp, BIND (a DNS server), PHP, nginx (an HTTP server), ...
- phpmailer
UTS (Upper-Tier Server)

Purpose:
- Autonomous C&C
- Credential repository
- Provide a repacking service
- Maintain binaries and bootstrap lists
- Audit, monitor the population, vitality statistics
- Interact with underground 3rd parties (spamit.com, j-roger.com)

UTS configuration:
- CentOS
- PHP, CLI (command-line interface), flat files, no central DB...
Malicious Activities

Differentiated spamming:
- Low-quality spam (bulk spam through spammers)
- High-quality spam (authenticated & targeted)

Data harvesting:
- Network traffic (WinPcap)
- HDD scanning (email addresses)
High Quality Spam (HQS)
(figure: credentials collected from bots are tested through 3rd-party collaboration before the real spam run)
Conclusion (Waledac)

- Hierarchical C&C architecture (multi-service tiers)
- Repeater → single-tier peering
- HQS → authenticated spam
- Node auditing
Summary

MegaD
- Multifunction C&C architecture
- Takedown & recovery

Waledac
- Multilayered C&C architecture + P2P botnet infrastructure
- Advanced spam techniques and botnet management
Botnet Detection

Target:
- Bots, the whole botnet, C&C servers, the botmaster!!

Solutions:
- BotHunter → detects the bot's lifecycle
- BotSniffer → detects spatial-temporal properties of C&C
- BotMiner → monitors malicious activities and C&C communication, and co-inference
- Temporal persistence characteristic of a single bot
- Infiltration
- BotGrep → detects the P2P structure of a botnet
- ...
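The "temporal persistence" entry in the list above, as an added example that is not from the talk or from any of the listed tools: a destination that one host keeps contacting in most fixed-length time slots of a long observation window, and that is not on a local whitelist, is flagged; a second step then groups internal hosts that share a persistent destination, which is the horizontal correlation BotSniffer/BotMiner rely on and is added here, not part of the persistence idea itself. The flow-log format, the addresses, the slot length, the threshold and the whitelist are all constructed.

```python
"""Added example (not from the talk): temporal-persistence detection of a
pull-based C&C beacon over a constructed flow log, plus grouping of hosts
that share a persistent destination.  All parameters are assumptions."""
from collections import defaultdict

SLOT = 3600                     # slot length in seconds (assumption)
WINDOW = 24 * SLOT              # observation window (assumption)
THRESHOLD = 0.6                 # persistence needed to flag (assumption)
WHITELIST = {"198.51.100.53"}   # e.g. the site's own DNS/update server (constructed)


def parse_flows(lines):
    """'<epoch> <src> <dst>' lines (constructed format) -> [(ts, src, dst)]."""
    out = []
    for ln in lines:
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        ts, src, dst = ln.split()
        out.append((int(ts), src, dst))
    return out


def persistence(flows, slot=SLOT, window=WINDOW):
    """Fraction of slots in the window in which each (src, dst) pair appears.
    Volume per slot is ignored on purpose: one poll per slot is enough."""
    slots = defaultdict(set)
    t0 = min(ts for ts, _, _ in flows)
    nslots = window // slot
    for ts, src, dst in flows:
        k = (ts - t0) // slot
        if 0 <= k < nslots:
            slots[(src, dst)].add(k)
    return {pair: len(s) / nslots for pair, s in slots.items()}


def flag_persistent(flows, threshold=THRESHOLD, whitelist=WHITELIST):
    """(src, dst) pairs whose persistence reaches the threshold, minus known
    legitimate destinations (which are just as persistent)."""
    return {pair: p for pair, p in persistence(flows).items()
            if p >= threshold and pair[1] not in whitelist}


def shared_destinations(flagged):
    """Destinations persistent for more than one internal host: a pull-based
    C&C server polled by several bots looks exactly like this."""
    by_dst = defaultdict(set)
    for src, dst in flagged:
        by_dst[dst].add(src)
    return {d: hosts for d, hosts in by_dst.items() if len(hosts) > 1}


def constructed_log():
    """24 h of flows: two hosts poll 203.0.113.7 every hour (the beacon),
    everyone talks to the whitelisted server hourly, browsing is sporadic."""
    lines = ["# epoch src dst   (constructed)"]
    t0 = 1_262_304_000
    for h in range(24):
        t = t0 + h * SLOT + 120
        for host in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
            lines.append(f"{t} {host} 198.51.100.53")
        lines.append(f"{t + 5} 10.0.0.5 203.0.113.7")
        lines.append(f"{t + 9} 10.0.0.6 203.0.113.7")
        if h % 5 == 0:                       # 5 of the 24 slots only
            lines.append(f"{t + 30} 10.0.0.7 192.0.2.80")
    return lines


if __name__ == "__main__":
    flagged = flag_persistent(parse_flows(constructed_log()))
    for (src, dst), p in sorted(flagged.items()):
        print(f"{src} -> {dst}: persistence {p:.2f}")
    print("shared:", shared_destinations(flagged))
```

Persistence is what makes this detector indifferent to the three evasions listed on the next slide: the beacon can be pull-based, encrypted and polymorphic, but a bot that must keep polling its master for commands still shows up in slot after slot. Fast-flux is the one that hurts, since the destination address changes; on real traffic the pair should be keyed on the resolved domain name rather than the IP.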
Discussion

Things that make botnet detection more challenging:
- Pull-based C&C communication
- Fast-flux
- Encryption/polymorphism
- Proprietary C&C techniques and architectures

Problems:
- Forensics: identifying the botmaster
- bots → botnet, or botnet → bots