32
Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST [email protected] Thursday, August 29, 13

Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST [email protected]

  • Upload
    others

  • View
    3

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Leveraging Honest Users:Stealth Command-and-Control of Botnets

Diogo MónicaINESC-ID/IST

[email protected]

Thursday, August 29, 13

Page 2: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Summary

• Motivation

• Problem statement

• Stealth C&C using browsers

• Final remarks

Thursday, August 29, 13

Page 3: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Motivation

• Botnets continue to evolve

• New strategies must be employed to avoid takedown and detection

• Our objective is to explore new directions future C&C infrastructure might take

Thursday, August 29, 13

Page 4: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Problem Statement

• Create a botnet that:

• Avoids infiltration, size estimation

• Reduces the likelihood of detection of individual bots

• Maintains Botmaster anonymity

Thursday, August 29, 13

Page 5: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Assumptions

• Pre-existing population of infected hosts

• Trust anchor in the binary (public key)

• Bots can receive commands from bot master through some open port

Thursday, August 29, 13

Page 6: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Basic Architecture

• No active participation from bots in a botmaster owned C&C

• Bots passively listen for commands

• Commands are signed by the botmaster and pushed out to all the bots

Thursday, August 29, 13

Page 7: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Basic Architecture

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

Bots

BM

Thursday, August 29, 13

Page 8: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Basic Architecture

• No C&C means:

• no infiltration

• no size estimation

Thursday, August 29, 13

Page 9: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Problems

• Command dissemination

• Botmaster doesn’t know IPs of bots

• Direct dissemination exposes the botmaster

• Disseminating commands takes too long

• Information retrieval

• Bots don’t know the IP of the botmaster

Thursday, August 29, 13

Page 10: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Command Dissemination

• Expendable layer of hosts

• No knowledge about the botmaster

• Do the “heavy lifting” of disseminating commands for the botmaster

Thursday, August 29, 13

Page 11: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Browsers!

• Browsers were created/optimized to do large number of requests per second

• Available crypto libraries in Javascript

• HTML5 brings new capabilities to the table

Thursday, August 29, 13

Page 12: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

“Honest” intermediate layer

• Botmaster deploys (or infects) website with malicious code

Botmaster

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

Bots

Vulnerable Web App

Web Users

Thursday, August 29, 13

Page 13: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

“Honest” intermediate layer

• Command dissemination is not done by botmaster

• Reduces the vulnerability to detection

• Visitors of the infected website propagate commands

• Dissemination speed increase x #Web Users

• Detecting the existence of a bot is difficult

• Commands are received but not acknowledged

Thursday, August 29, 13

Page 14: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

“Honest” intermediate layer

• Replaying the commands will only further spread the botmaster’s orders

• Intermediate layer is expendable and can expire quickly

• Once the page is closed, all traces of “infection” of the web-browser disappear

• It is hard for researchers to find the original malicious page

Thursday, August 29, 13

Page 15: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Analysis of Command Dissemination

• We created Javascript PoC

• Measured the number of AJAX requests per second

• Used EasyXDM to bypass Same-Origin-Policy

• Implemented public-key signatures for commands in Javascript

Thursday, August 29, 13

Page 16: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Analysis of Command Dissemination

• N = #bots

• S = #ips in the address space

• r = #requests / second a browser can make

• d = #days the malicious website is active

• v = #visitors per day the website receives

• m = #minutes a user spends on the website

Thursday, August 29, 13

Page 17: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Analysis of Command Dissemination

• N = 150000 bots

• S = 3086889768 (2^32 - Bogons)

• r = 250 requests/second

• d = 1day

Thursday, August 29, 13

Page 18: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Analysis of Command Dissemination

30,000500 5000 10,000 15,000 20,000 25,000

1

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

Number of Hosts

Perc

enta

ge o

f bots

%

● 10 minutes

▲ 15 minutes

■ 20 minutes

20 minutesw/ cooperation

S

M

B

Thursday, August 29, 13

Page 19: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Getting Visitors

• Create malicious website

• Advertise through spam email, twitter, search engine poisoning, abuse URL shortener, etc

• Infect existing website:

• XSS or SQL injection sufficient to get malicious code on legitimate websites

• Keeping users on the websites

• Tabnabbing, clickjacking

Thursday, August 29, 13

Page 20: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Information Upstream

• Botmasters want to send stolen data upstream (credit-cards, email accounts, SSN’s, etc)

• Our command dissemination infrastructure isolates each bot for robustness and stealthiness, but makes it difficult to create an upstream channel

Thursday, August 29, 13

Page 21: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Information Upstream

• For spamming-only botnets a simple solution, send information encoded along with spam

• All information is encrypted with the botmaster’s public key, ensuring confidentiality of data

• The bot only has to do one thing: send spam

Thursday, August 29, 13

Page 22: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Information Upstream

• Does not expose the botmaster

• Stealth operation

• Only the botmaster can extract data from the bots

Thursday, August 29, 13

Page 23: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Information Upstream

• Botmaster creates website private/public key-pair and signs it with it’s own public key

• The malicious code sent to the browsers includes this key-pair

• Browsers can prove themselves as originating from a “legitimate” dissemination website

Thursday, August 29, 13

Page 24: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Information Upstream

Bot Master (bm)

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

Bot

Dissemination Website(W)

Dissemination Layer Host

1

2

Kbm, K-1w, {Kw}K-1

bm, {C}K-1bm

Kbm{Kw}K-1bm, {M}K-1

w

1

2

1

Thursday, August 29, 13

Page 25: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Information Upstream

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

BotDissemination

Layer Host

Dst IP, {C}K-1bmMessage M

{Kw}K-1bm, {M}K-1

w

M'

AckMessage M'

Thursday, August 29, 13

Page 26: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Information Upstream

Encrypted finger

Dissemination Layer Host

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

Command Dissemination

ABCD

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

2 134

N/A

{A}Kbm {A}Kbm,{B}Kbm,{C}Kbm

1

2 4

{A}Kbm,{B}Kbm3

Thursday, August 29, 13

Page 27: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Accessing the overlay

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

Bots

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

Encrypted fingerset by D1

Encrypted finger set by D2

0x72e4b76 0xc52b7d0 0x80762b8 0xde3254e

Dissemination Layer Hosts

D1 D2

Thursday, August 29, 13

Page 28: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Overlay connectivity

Thursday, August 29, 13

Page 29: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Accessing the overlay

• Botmaster randomly scans the internet until it finds one host.

• Uses the encrypted fingers of this host to start crawling through the overlay.

• But...

Thursday, August 29, 13

Page 30: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Accessing the overlay

BM

0x72e4b76 0xc52b7d0

0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0

0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0

0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0

0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0

0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0

0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0

0x80762b8 0xde3254e

0x72e4b76 0xc52b7d0

0x80762b8 0xde3254e

q

0x72e4b76 0xc52b7d0

0x80762b8 0xde3254e

• Botmaster still needs to bounce through some nodes to guarantee anonymity when retrieving data

Thursday, August 29, 13

Page 31: Leveraging Honest Users - machine learning – covert.io Honest... · 2020. 7. 24. · Leveraging Honest Users: Stealth Command-and-Control of Botnets Diogo Mónica INESC-ID/IST diogo.monica@ist.utl.pt

Final remarks

• Stealth C&C using browsers are feasible

• Increasing role of browsers in the malware landscape

• We should focus some IDS effort on the browsers

• We aren’t good enough at detecting malicious websites

Thursday, August 29, 13