Post on 18-Sep-2020
Leveraging Honest Users:Stealth Command-and-Control of Botnets
Diogo MónicaINESC-ID/IST
diogo.monica@ist.utl.pt
Thursday, August 29, 13
Summary
• Motivation
• Problem statement
• Stealth C&C using browsers
• Final remarks
Thursday, August 29, 13
Motivation
• Botnets continue to evolve
• New strategies must be employed to avoid takedown and detection
• Our objective is to explore new directions future C&C infrastructure might take
Thursday, August 29, 13
Problem Statement
• Create a botnet that:
• Avoids infiltration, size estimation
• Reduces the likelihood of detection of individual bots
• Maintains Botmaster anonymity
Thursday, August 29, 13
Assumptions
• Pre-existing population of infected hosts
• Trust anchor in the binary (public key)
• Bots can receive commands from bot master through some open port
Thursday, August 29, 13
Basic Architecture
• No active participation from bots in a botmaster owned C&C
• Bots passively listen for commands
• Commands are signed by the botmaster and pushed out to all the bots
Thursday, August 29, 13
Basic Architecture
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
Bots
BM
Thursday, August 29, 13
Basic Architecture
• No C&C means:
• no infiltration
• no size estimation
Thursday, August 29, 13
Problems
• Command dissemination
• Botmaster doesn’t know IPs of bots
• Direct dissemination exposes the botmaster
• Disseminating commands takes too long
• Information retrieval
• Bots don’t know the IP of the botmaster
Thursday, August 29, 13
Command Dissemination
• Expendable layer of hosts
• No knowledge about the botmaster
• Do the “heavy lifting” of disseminating commands for the botmaster
Thursday, August 29, 13
Browsers!
• Browsers were created/optimized to do large number of requests per second
• Available crypto libraries in Javascript
• HTML5 brings new capabilities to the table
Thursday, August 29, 13
“Honest” intermediate layer
• Botmaster deploys (or infects) website with malicious code
Botmaster
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
Bots
Vulnerable Web App
Web Users
Thursday, August 29, 13
“Honest” intermediate layer
• Command dissemination is not done by botmaster
• Reduces the vulnerability to detection
• Visitors of the infected website propagate commands
• Dissemination speed increase x #Web Users
• Detecting the existence of a bot is difficult
• Commands are received but not acknowledged
Thursday, August 29, 13
“Honest” intermediate layer
• Replaying the commands will only further spread the botmaster’s orders
• Intermediate layer is expendable and can expire quickly
• Once the page is closed, all traces of “infection” of the web-browser disappear
• It is hard for researchers to find the original malicious page
Thursday, August 29, 13
Analysis of Command Dissemination
• We created Javascript PoC
• Measured the number of AJAX requests per second
• Used EasyXDM to bypass Same-Origin-Policy
• Implemented public-key signatures for commands in Javascript
Thursday, August 29, 13
Analysis of Command Dissemination
• N = #bots
• S = #ips in the address space
• r = #requests / second a browser can make
• d = #days the malicious website is active
• v = #visitors per day the website receives
• m = #minutes a user spends on the website
Thursday, August 29, 13
Analysis of Command Dissemination
• N = 150000 bots
• S = 3086889768 (2^32 - Bogons)
• r = 250 requests/second
• d = 1day
Thursday, August 29, 13
Analysis of Command Dissemination
30,000500 5000 10,000 15,000 20,000 25,000
1
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
Number of Hosts
Perc
enta
ge o
f bots
%
● 10 minutes
▲ 15 minutes
■ 20 minutes
20 minutesw/ cooperation
S
M
B
Thursday, August 29, 13
Getting Visitors
• Create malicious website
• Advertise through spam email, twitter, search engine poisoning, abuse URL shortener, etc
• Infect existing website:
• XSS or SQL injection sufficient to get malicious code on legitimate websites
• Keeping users on the websites
• Tabnabbing, clickjacking
Thursday, August 29, 13
Information Upstream
• Botmasters want to send stolen data upstream (credit-cards, email accounts, SSN’s, etc)
• Our command dissemination infrastructure isolates each bot for robustness and stealthiness, but makes it difficult to create an upstream channel
Thursday, August 29, 13
Information Upstream
• For spamming-only botnets a simple solution, send information encoded along with spam
• All information is encrypted with the botmaster’s public key, ensuring confidentiality of data
• The bot only has to do one thing: send spam
Thursday, August 29, 13
Information Upstream
• Does not expose the botmaster
• Stealth operation
• Only the botmaster can extract data from the bots
Thursday, August 29, 13
Information Upstream
• Botmaster creates website private/public key-pair and signs it with it’s own public key
• The malicious code sent to the browsers includes this key-pair
• Browsers can prove themselves as originating from a “legitimate” dissemination website
Thursday, August 29, 13
Information Upstream
Bot Master (bm)
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
Bot
Dissemination Website(W)
Dissemination Layer Host
1
2
Kbm, K-1w, {Kw}K-1
bm, {C}K-1bm
Kbm{Kw}K-1bm, {M}K-1
w
1
2
1
Thursday, August 29, 13
Information Upstream
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
BotDissemination
Layer Host
Dst IP, {C}K-1bmMessage M
{Kw}K-1bm, {M}K-1
w
M'
AckMessage M'
Thursday, August 29, 13
Information Upstream
Encrypted finger
Dissemination Layer Host
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
Command Dissemination
ABCD
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
2 134
N/A
{A}Kbm {A}Kbm,{B}Kbm,{C}Kbm
1
2 4
{A}Kbm,{B}Kbm3
Thursday, August 29, 13
Accessing the overlay
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
Bots
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
Encrypted fingerset by D1
Encrypted finger set by D2
0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e
Dissemination Layer Hosts
D1 D2
Thursday, August 29, 13
Overlay connectivity
Thursday, August 29, 13
Accessing the overlay
• Botmaster randomly scans the internet until it finds one host.
• Uses the encrypted fingers of this host to start crawling through the overlay.
• But...
Thursday, August 29, 13
Accessing the overlay
BM
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
q
0x72e4b76 0xc52b7d0
0x80762b8 0xde3254e
• Botmaster still needs to bounce through some nodes to guarantee anonymity when retrieving data
Thursday, August 29, 13
Final remarks
• Stealth C&C using browsers are feasible
• Increasing role of browsers in the malware landscape
• We should focus some IDS effort on the browsers
• We aren’t good enough at detecting malicious websites
Thursday, August 29, 13
Thank you
Questions?diogo.monica@ist.utl.pt
Thursday, August 29, 13