Your Botnet is My Botnet: Analysis of a Botnet Takeover

Your Botnet is My Botnet: Analysis of a Botnet Takeover Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna Presentation by Sabrina Wilkes-Morris

Introduction: What is a Botnet? It is a network of machines controlled by a “Bot Master”. This network of machines is usually infected by malware, and the machines are used to infect or gain control of other computers on the network.

Malicious code or malware has become one of the most prevalent means of attacking computers on the network. One hacker can take over and gain control of a computer or network.

Rootkit: A rootkit is malicious software that is executed when a system boots up. Rootkits are very difficult to detect, and they allow the installation of hidden files, hidden processes and hidden user accounts.

A botnet can gain control of hundreds or even thousands of computers on a network. Once computers are under the control of a botnet, they can be directed to execute commands or scripts and to send stolen information back to the “Bot Master”. The Bot Master catalogs and saves the information for future use.

Background on Torpig: Torpig is Trojan-style malware that infects a computer. Once it has been installed, it steals sensitive information and sends the information to its controller. Torpig works together with Mebroot (a rootkit), which replaces the master boot record on the infected computer.

Browser Hijacking: Man-in-the-Browser phishing attack

Domain Flux: Torpig Daily Domain Generation Algorithm

Sinkhole Preparation: The authors describe how they took over the botnet. They registered domains that a bot would contact for service. They purchased service from two hosting providers (for the .com and .net domains) and set up an Apache server. They then waited for their servers to receive requests from the bots. They collected over 70GB of stolen data in 10 days.

Mebroot is a rootkit that takes control of a machine by replacing the system’s Master Boot Record (MBR). Mebroot injects the Torpig modules into a number of applications, such as web browsers, FTP clients, email clients, instant messengers and system programs. After the injection, Torpig can inspect all the data handled by those applications. Torpig contacts the Torpig C&C server to upload the stolen data. This communication with the server is also over HTTP.

Mebroot provides functionality to manage, install, uninstall and activate modules. Immediately after the initial reboot, Mebroot contacts the Mebroot C&C server to obtain malicious modules. These modules are saved in encrypted form in the system32 directory. After the initial update, Mebroot contacts its C&C server periodically, at two-hour intervals.

The C&C server replies to a bot in one of two ways: it can acknowledge the data (an okn response), or it can send a configuration file to the bot (an okc response). The configuration file is concealed using a simple XOR-11 encoding and contains new information on updated domains and encryption.

Data Collection by Torpig

Data Collection: Bots use HTTP POST requests to communicate. The URL contains the hexadecimal representation of the bot identifier and its header information.

URL Request by Torpig

Domain Generation Algorithm: Every minute the malware connects to a GMT-time-based server address (.com). For a sample date of Jan 3, 2012, at 2:30 PM, the malware would connect to 01 03 12 14 30.com. Every time the attackers want to communicate with their malware, they choose a strike-time and register the domain corresponding to that strike-time 24 hours before the time is hit.
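The time-based scheme on this slide, seen from the defender's side, as an added example that is not part of the presentation or the paper: it enumerates the domains the scheme will use in a coming window (the list a sinkhole operator or registrar would pre-register or block, since the attacker only registers 24 hours ahead) and flags DNS queries whose name fits the scheme. The naming pattern (MMDDYYHHMM + .com, GMT) is the slide's; the DNS log format and the 24-hour window are assumptions made here.

```python
# Added example (not from the paper or the presentation): the time-based
# domain scheme described on the slide, seen from the defender's side.
# The name pattern is the slide's; the DNS log format is an assumption.
from datetime import datetime, timedelta, timezone
from typing import Optional
import re

TLD = ".com"
# A name the scheme could produce: exactly ten digits followed by the TLD.
_PATTERN = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})\.com$")

def strike_domain(t: datetime) -> str:
    """Domain for one strike-time: MMDDYYHHMM.com in UTC (GMT on the slide)."""
    return t.astimezone(timezone.utc).strftime("%m%d%y%H%M") + TLD

def upcoming_domains(start: datetime, hours: int = 24) -> list:
    """Every domain the scheme will use in the next `hours` hours."""
    # The attacker registers 24h ahead; a defender can pre-register/block this list.
    start = start.astimezone(timezone.utc).replace(second=0, microsecond=0)
    return [strike_domain(start + timedelta(minutes=m)) for m in range(hours * 60)]

def matches_scheme(name: str) -> Optional[datetime]:
    """Return the strike-time encoded in `name`, or None if it does not fit."""
    m = _PATTERN.match(name.lower().rstrip("."))
    if not m:
        return None
    mo, d, y, h, mi = (int(x) for x in m.groups())
    try:
        return datetime(2000 + y, mo, d, h, mi, tzinfo=timezone.utc)
    except ValueError:  # ten digits, but not a real date/time (e.g. month 13)
        return None

def flag_queries(dns_log: list) -> list:
    """Return (client, qname) pairs from log lines whose qname fits the scheme."""
    hits = []
    for line in dns_log:
        _ts, client, qname = line.split()
        if matches_scheme(qname) is not None:
            hits.append((client, qname))
    return hits

# Constructed DNS log lines: "<timestamp> <client> <qname>".
SAMPLE_LOG = [
    "2012-01-03T14:30:02Z 10.0.0.12 0103121430.com",
    "2012-01-03T14:30:05Z 10.0.0.12 www.example.com",
    "2012-01-03T14:31:01Z 10.0.0.12 0103121431.com",
    "2012-01-03T14:31:09Z 10.0.0.7 1399991431.com",  # digits, but not a valid date
]
```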

Botnet Size and IP Count: Due to DHCP and NAT, counting infected bots by IP address was not completely accurate. 1,247,642 unique IP addresses were observed contacting their web server over a period of 10 days. The median size of Torpig’s population was 49,272.
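An added example (not from the paper or the presentation) of why the IP count on this slide overestimates the population and what a sinkhole operator can count instead: it decodes the hex-encoded bot identifier from the request URL described on the Data Collection slide and compares unique IPs, unique bot ids and the median number of bots live per hour. The log line format and the "nid=..." layout inside the hex segment are assumptions made here, not Torpig's real wire format.

```python
# Added example (not from the paper or the presentation): why counting infected
# hosts by source IP overestimates a botnet behind DHCP/NAT, and how a sinkhole
# operator can count bot identifiers instead. The log format and the "nid=..."
# layout inside the hex-encoded URL are assumptions, not Torpig's real format.
from collections import defaultdict
from statistics import median
from typing import Optional

# Constructed sinkhole log lines: "<hour> <client_ip> POST <url>". Bot nid=1
# changes IP every hour (DHCP churn); bots 2 and 3 share one IP (NAT).
SAMPLE_LOG = [
    "2009-01-25T10 198.51.100.10 POST /A/" + "nid=1&os=xp".encode().hex(),
    "2009-01-25T10 203.0.113.5 POST /A/" + "nid=2&os=xp".encode().hex(),
    "2009-01-25T10 203.0.113.5 POST /A/" + "nid=3&os=vista".encode().hex(),
    "2009-01-25T11 198.51.100.11 POST /A/" + "nid=1&os=xp".encode().hex(),
    "2009-01-25T11 203.0.113.5 POST /A/" + "nid=2&os=xp".encode().hex(),
    "2009-01-25T12 198.51.100.12 POST /A/" + "nid=1&os=xp".encode().hex(),
]

def bot_id_from_url(url: str) -> Optional[str]:
    """Decode the hex segment after the last '/' and return the bot id (nid)."""
    try:
        header = bytes.fromhex(url.rsplit("/", 1)[-1]).decode("ascii")
    except ValueError:          # not hex, or not text: not a well-formed bot request
        return None
    fields = dict(kv.split("=", 1) for kv in header.split("&") if "=" in kv)
    return fields.get("nid")

def size_estimates(log: list) -> tuple:
    """Return (unique source IPs, unique bot ids, median bots live per hour).

    The first number is what an IP-based count reports; the other two use the
    bot identifier and are not inflated by DHCP churn or hidden by NAT."""
    ips, ids = set(), set()
    per_hour = defaultdict(set)
    for line in log:
        hour, ip, _method, url = line.split()
        nid = bot_id_from_url(url)
        if nid is None:
            continue            # ignore scanners and malformed requests
        ips.add(ip)
        ids.add(nid)
        per_hour[hour].add(nid)
    live = median(len(s) for s in per_hour.values()) if per_hour else 0
    return len(ips), len(ids), live
```

On the constructed log the IP count reports 4 hosts for 3 actual bots, the same direction of error as the slide's 1,247,642 IPs versus a median population of 49,272.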

Botnet Size: For IRC botnets, Rajab queried DNS server caches to estimate the number of bots that had resolved the name of a C&C server. For P2P botnets, Kanich measured the size of the Storm network by probing its hash table. They determined this was not the best way to determine size due to many confounding factors, such as application IDs and the way they were generated.

Botnet Growth

Top 10 Botnet Growth by Country

New Infections: 9,336 bots for 2,753 IP addresses of infected machines

Financial Accounts Stolen by Torpig

Financial Data: Symantec reported that the price of credit cards was between $0.10 and $25, and that bank account information sold for $10 to $1,000. This means that Torpig could make between $83K and $8.3M.

Financial Data Stealing: Torpig is crafted to obtain information that can be sold in the underground market. Bank accounts, credit card numbers and other financial data are of extreme importance to Torpig. 38% of all credentials stolen by Torpig came from browsers’ password managers. Credit card data was also a valuable target for Torpig.

Proxies: Torpig opens two ports on the local machine, a SOCKS proxy and an HTTP proxy. These proxies could be used to send spam or to allow anonymous navigation.

Threat Analysis

Denial of Service: Cable and DSL hosts account for 65% of the infected hosts, so there is a tremendous amount of bandwidth being used by the bot master. Corporate networks accounted for 22% of the infected hosts. Botnets of this size could cause massive denials of service.

Password Analysis: The Sophos poll revealed that 676 Internet users did not use strong passwords. The Torpig data validated the poll when the credentials stolen by the bot were compared. Torpig stole 297,962 user credentials sent by 52,540 machines. 28% of the victims reused their credentials to access 368,501 web sites. 56,000 passwords were recovered in less than 65 minutes.

Password Strength: Using the John the Ripper password cracker, first in single mode and then in incremental (brute-force) mode, almost 80,000 passwords were cracked in 90 minutes.

Conclusions: Botnet size based on IP count is overestimated. Victims of botnets have machines that are poorly maintained and passwords that are easy to guess. Interacting with registrars, victim institutions and law enforcement is a complicated process.

Questions?