ByungHoon Kang, Ph.D. UC Berkeley Center for

ByungHoon Kang, Ph.D. UC Berkeley Center for Secure Information Systems, Associate Professor at AIT Dept., Volgenau School of IT and Engineering, George Mason University. http://csis.gmu.edu/hoonkang A Network of Compromised Computers on the Internet IP location of the Waledac botnet.
  Networks of compromised machines under the control of hacker, “bot-­‐master”.   Used for a variety of malicious purposes: •  Sending Spam/Phishing Emails •  Launching Denial of Service attacks •  Hosting Servers (e.g., Malware download site) •  Proxying Services (e.g., FastFlux network) •  Information Harvesting (credit card, bank credentials, passwords, sensitive data.)  
After resolving the IP address for the IRC server, bot-­‐infected machines CONNECT to the server, JOIN a channel, then wait for commands.  
The botmaster sends a command to the channel. This will tell the bots to perform an action.  
The IRC server sends (broadcasts) the message to bots listening on the channel.  
The bots perform the command.   In this example: attacking / scanning CNN.COM.   Unfortunately, the detection, analysis and mitigation of these botnets has proven to be quite challenging,  
Supported by a thriving underground economy,   professional quality sophistication in creating malware codes   highly adaptive to existing mitigation efforts such as taking down of central control server. 8
  Traditional botnet communication   Central IRC server for Command & Control (C &C )   Single point of mitigation: ▪  C&C Server can be taken down or blacklisted   Botnets with peer to peer C & C   No single point of failure.   E.g., Waldedac, Storm, and Nugache   Multi-­‐layered Architecture to obfuscate and hide control servers in upper tiers. Each Supernode (server) publishes its location (IP address) under the key 1 and key2   Subcontrollers search for key 1   Subnodes (worker)
search for key 2 to open connection to the Supernodes. => Synchronous C&C  
  Virus Scanner at Local Host   Polymorphic binaries against signature scanning   Not installed even though it is almost free.   Rootkit   Network Intrusion Detection Systems   Keeping states for network flows,   Deep packet inspection is expensive.   Deployed at LAN, and Not scalable to ISP-­‐level.   Requires Well-­‐Trained Net-­‐Security SysAdmin. Conficker infections are still increasing after one year!!! There are millions of computers on the Internet that do not have virus scanner nor IDS 12
  Creating new analysis and de-­‐obfuscation methods to rapidly expose the botnets’ C&C protocols in a timely manner   In-­‐depth analysis to explore the fundamental limits and weaknesses of the advanced botnet architecture,   Designing an effective enumerator (or “mapping” of bot networks) to locate the bot-­‐infected hosts on the Internet. 16
 
 
Used for spam blocking, firewall configuration, DNS rewriting, and alerting sys-­‐admins regarding local infections. Fundamentally differs from existing Intrusion Detection System (IDS) approaches   IDS protects local hosts within its perimeter (LAN),   An enumerator would identify both local as well as remote infections.  
Identifying remote infections is crucial,   There are numerous computers on the Internet that are not under the protection of IDS-­‐based systems. 17
 
167.176.16.8 | FDIC-­‐GOV -­‐ Federal Deposit Insurance Corporation  
166.94.230.201 | FFX-­‐CNTY -­‐ Fairfax County Dept of Information Technology  
156.74.250.7 | SEATTLE -­‐ City of Seattle, Dept. of Admin. Services  
137.49.172.135 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 137.99.175.202 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 137.99.187.121 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 137.99.32.135 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 148.166.137.111 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 148.166.144.216 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 148.166.145.134 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 148.166.145.24 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 148.166.145.62 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 148.166.150.98 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 148.166.151.137 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 157.252.144.52 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 157.252.170.218 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 67.221.76.116 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 67.221.76.78 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology 67.221.77.52 | CT-­‐ED-­‐NET -­‐ State of Connecticut Dept of InformationTechnology  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
34 HARVARD -­‐ Harvard University 21 BOSTONU-­‐AS -­‐ Boston University 19 WASHINGTON-­‐AS -­‐ University of Washington 19 COLUMBIA-­‐GW -­‐ Columbia University 18 UIUC -­‐ University of Illinois 16 UTEXAS -­‐ University of Texas at Austin 16 UCSD -­‐ University of California at San Diego 16 PURDUE -­‐ Purdue University 15 UCLA -­‐ University of California, Los Angeles 15 UCDAVIS-­‐CORE -­‐ University of California at Davis 15 CSUNET-­‐NW -­‐ California State University Network 15 CPPNET -­‐ California State Polytechnic University -­‐ Pomona 13 UNC-­‐CH -­‐ University of North Carolina at Chapel Hill 13 UMICH-­‐AS-­‐5 -­‐ University of Michigan 12 YALE-­‐AS -­‐ Yale University 12 BINGHAMTON-­‐U -­‐ Binghamton University 11 GU -­‐ Georgetown University 11 FSU-­‐AS -­‐ Florida State University 10 TULANE -­‐ Tulane University 9 WISC-­‐MADISON-­‐AS -­‐ University of Wisconsin Madison …… 8 STANFORD -­‐ Stanford University …… 2 UCB -­‐ University of California at Berkeley ……  
141.161.110.2 | GU -­‐ Georgetown University 141.161.133.154 | GU -­‐ Georgetown University 141.161.133.73 | GU -­‐ Georgetown University 141.161.136.106 | GU -­‐ Georgetown University 141.161.136.142 | GU -­‐ Georgetown University 141.161.141.180 | GU -­‐ Georgetown University 141.161.17.102 | GU -­‐ Georgetown University 141.161.213.91 | GU -­‐ Georgetown University 141.161.8.211 | GU -­‐ Georgetown University 141.161.8.215 | GU -­‐ Georgetown University 141.161.8.232 | GU -­‐ Georgetown University  
161.253.24.149 | GWU -­‐ The George Washington University  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
129.174.184.26 | GEORGE-­‐MASON-­‐UNIV -­‐ George Mason University 129.174.188.53 | GEORGE-­‐MASON-­‐UNIV -­‐ George Mason University 141.161.124.113 | GU -­‐ Georgetown University 141.161.124.169 | GU -­‐ Georgetown University 141.161.124.237 | GU -­‐ Georgetown University 141.161.124.72 | GU -­‐ Georgetown University 141.161.127.75 | GU -­‐ Georgetown University 141.161.133.130 | GU -­‐ Georgetown University 141.161.133.154 | GU -­‐ Georgetown University 141.161.136.142 | GU -­‐ Georgetown University 141.161.213.91 | GU -­‐ Georgetown University  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
22 AS9452 Korea University,R 17 AS9274 Pusan National University,R 16 AS10197 Chonnam National University,R 14 AS9488 Seoul National University, R  14 AS9321 Hanyang University,R 14 AS4665 Yonsei University,R 14 AS18158 Chungbuk National University,R 13 AS9317 Inha University,R 12 AS9686 SungKyunKwan University (SKKU),R 7 AS9970 Korea University of Technology and Education,R 7 AS23714 Keimyung University,R 7 AS18298 Chungnam National University,R 6 AS9708 Pukyong National University,R 6 AS3784 Pohang University of Science and Technology,R 4 AS9769 Sejong University,R 4 AS9459 Konkuk University,R 4 AS18038 Korea National University of Education,R 4 AS17870 Kyung Hee University,R 4 AS17862 Kangwon National University,R 3 AS9782 WooSong University,R 3 AS9777 Gyeongju University,R 3 AS23552 Korea Nazarene University,R 3 AS18170 Changwon National University,R 3 AS17856 Konyang University,R  
 
 
 
 
 
 
 
 
 
 
 
 
 
147.46.111.25,Seoul,KR,AS9488 Seoul National University,R 147.46.146.114,Seoul,KR,AS9488 Seoul National University,R 147.46.157.198,Seoul,KR,AS9488 Seoul National University,R 147.46.159.147,Seoul,KR,AS9488 Seoul National University,R 147.46.161.248,Seoul,KR,AS9488 Seoul National University,R 147.46.165.151,Seoul,KR,AS9488 Seoul National University,R 147.46.176.13,Seoul,KR,AS9488 Seoul National University,R 147.46.197.104,Seoul,KR,AS9488 Seoul National University,R 147.46.232.143,Seoul,KR,AS9488 Seoul National University,R 147.46.51.52,Seoul,KR,AS9488 Seoul National University,R 147.46.65.217,Seoul,KR,AS9488 Seoul National University,R 147.46.68.98,Seoul,KR,AS9488 Seoul National University,R 147.47.211.63,Seoul,KR,AS9488 Seoul National University,R 147.47.237.147,Seoul,KR,AS9488 Seoul National University,R  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
143.248.118.18,Daejeon,KR,AS1781 Korea Advanced Institute of Science and Technology,S 143.248.17.184,Daejeon,KR,AS1781 Korea Advanced Institute of Science and Technology,S 143.248.22.146,Daejeon,KR,AS1781 Korea Advanced Institute of Science and Technology,S 143.248.6.121,Daejeon,KR,AS1781 Korea Advanced Institute of Science and Technology,S 143.248.65.109,Daejeon,KR,AS1781 Korea Advanced Institute of Science and Technology,S 143.248.65.150,Daejeon,KR,AS1781 Korea Advanced Institute of Science and Technology,S 147.43.32.155,Daejeon,KR,AS7564 Korea Atomic Energy Research Institute,R 147.43.32.155,Daejeon,KR,AS7564 Korea Atomic Energy Research Institute,S 147.43.32.42,Daejeon,KR,AS7564 Korea Atomic Energy Research Institute,S 152.99.203.162,Daejeon,KR,AS17841 MIC E-­‐GOVERNMENT,S 152.99.203.165,Daejeon,KR,AS17841 MIC E-­‐GOVERNMENT,S 152.99.203.168,Daejeon,KR,AS17841 MIC E-­‐GOVERNMENT,S 152.99.203.169,Daejeon,KR,AS17841 MIC E-­‐GOVERNMENT,S 152.99.203.174,Daejeon,KR,AS17841 MIC E-­‐GOVERNMENT,S 152.99.203.176,Daejeon,KR,AS17841 MIC E-­‐GOVERNMENT,S 152.99.211.160,Daejeon,KR,AS17841 MIC E-­‐GOVERNMENT,S 152.99.211.170,Daejeon,KR,AS17841 MIC E-­‐GOVERNMENT,S 152.99.212.160,Daejeon,KR,AS17841 MIC E-­‐GOVERNMENT,S 152.99.212.170,Daejeon,KR,AS17841 MIC E-­‐GOVERNMENT,S 152.99.213.134,Daejeon,KR,AS17841 MIC E-­‐GOVERNMENT,S 152.99.214.134,Daejeon,KR,AS17841 MIC E-­‐GOVERNMENT,S  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
15 AS9488 Seoul National University,S  13 AS10052 Kyungpook National Univ.,S 11 AS9572 Hankuk University of Foreign Studies Computer Center,S 11 AS18158 Chungbuk National University,S 10 AS9452 Korea University,S 9 AS18028 GyeongSang National University,S 6 AS9321 Hanyang University,S 6 AS17862 Kangwon National University,S 5 AS9970 Korea University of Technology and Education,S 5 AS4665 Yonsei University,S 5 AS23989 Dongguk Univ. at Gyeongju,S 5 AS17615 Cheongju University,S 5 AS10197 Chonnam National University,S 4 AS9775 Hannam University,S 4 AS9459 Konkuk University,S 4 AS9317 Inha University,S 4 AS7560 Chonbuk National University,S 4 AS23714 Keimyung University,S 4 AS18164 Mokpo National University,S 4 AS17609 Silla Univ.,S 3 AS9978 The University of Seoul,S  
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
3 AS9274 Pusan National University,S 3 AS38668 Konkuk University Hospital,S 3 AS23983 Daejeon University,S 3 AS18026 Cheju University,S 3 AS10159 HANKUK Aviation University,S 3 AS10156 Seoul National University of Education,S 2 AS9955 CHEONAN University,S 2 AS9686 SungKyunKwan University (SKKU),S 2 AS9271 Wonkwang University,S 2 AS18023 Korea Maritime University,S 2 AS17868 Hyupsung University,S 1 AS9962 Sunchon National University,S 1 AS9782 WooSong University,S 1 AS9769 Sejong University,S 1 AS9708 Pukyong National University,S 1 AS9637 Dankook University,S 1 AS38131 Mokpo National Maritime University,S 1 AS23552 Korea Nazarene University,S 1 AS18337 KyungSan University,S 1 AS18327 Jinju International University,S 1 AS18320 Gwangju National University of Education,S 1 AS18170 Changwon National University,S 1 AS17870 Kyung Hee University,S 1 AS17603 Kumoh National University Technology,S 1 AS10073 Korea National Open University,S
  Need to know the method and protocols for how a bot communicates with its peers.   Using sand-­‐box technique   Run bot binary in a controlled environment   Network behaviors are captured/analyzed   Investigating the binary code itself   Reversing the binary into high level codes   C&C Protocol knowledge and operation details can be accurately obtained   Enumeration Methods   Crawling   Infilitration (Joining as routing nodes)   Sinkholing   Takedown (Obtaining botmaster’s log)  
Given network protocol knowledge, crawlers: 1.  collect list of initial bootstrap peers into queue 2.  choose a peer node from the queue 3.  send to the node look-­‐up or get-­‐peer requests 4.  add newly discovered peers to the queue 5.  repeat 2-­‐5 until no more peer to be contacted  
 
Can’t enumerate a node behind NAT/Firewall Would miss bot-­‐infected hosts at home/office!   Given P2P protocol knowledge that bot uses,   A collection of “routing-­‐only” nodes that   Act as peer in the P2P network, but   Controlled by us, the defender   Our PPM nodes can observe the traffic from the peer infected hosts.   PPM node can be contacted by the infected hosts behind NAT/Firewall. PPM
Crawler
PPM
PPM
Spammer
Repeater
TSL
UTS
 
 
Botnet is resilient, not invulnerable! Three phase attack: 1. Introduce fake repeaters to cull nodes under our control 2.  Synchronized TSL take down 3. Deletion of ALL known fast-­‐flux domains from TLD  
 
Coordination of all three phases is critical. In Feb 2010, Microsoft implemented these take-­‐down steps, published in IEEE Malware 2009 “Waledac Protocol:How and Why”, G Sinlclair, C Nunnery, B. Kang Audit Methodology @ UTS layer "   ERP-­‐ Executable Request Proxy "  Is a repeater hosting a particular file?  
 
!
!
request
GET /readme.exe HTTP/1.0
Host: 99.56.197.58
reply
HTTP/1.1 200 OKServer: nginx/0.8.5Date: Fri, 28
Aug 2009 09:26:11 GMTContent-Type: application/
octet-streamConnection: closeContent-Length:
2Last-Modified: Sun, 26 Jul 2009 10:49:55
GMTAccept-Ranges: bytesMZ!
"   DR -­‐ Domain Response "  Can a repeater resolve hellohello123.com? "  A fast-­‐flux domain without a .com TLD entry Third-­‐Party Repacking@UTS layer "   crypt.j-­‐roger.com and cservice.j-­‐roger.com " 
UTS sends a POST to: /api/apicrypt2/[16 hexadecimal digit hash]
" 
" 
...followed by a binary to repack Repacked binaries returned in ~4 seconds 157 binaries repacked during a 2-­‐hour observation Affiliates “partnerka” "   The FairMoney system "   Developers create multiple versions of binaries with different affiliate IDs "   Distribution (URLs) handled by 3rd parties "   Pricing based on downloads and lifetime Activities -­‐ malicious throughput "   Differentiated spamming "   High and Low quality (HQS/LQS) "   Authenticated and targeted v. bulk "   Data harvesting "   Network traffic (winpcap) "   HDD Scanning (email regex) "   HQS (High Quality Spam) "   Utilizes credentials to send authenticated mail
(SMTP-­‐AUTH) "   ‘test’ campaign "   LQS (Low Quality Spam) "   Autonomous, bulk, sent by spammer tier "   Transmission success statistics are reported