Slide 1: Peer-to-Peer Botnets: Security & Communication. 65963 David Dias, 68208 Artur Balanuta, 68210 Dário Nascimento. Networks and Systems Security.

The Godfather - P2P Botnets: Security & Communication


TheGodfather is a DHT oriented Botnet that uses Strong Cryptography


Deck sections: Overview, Communication & Organization, The Godfather, Demo, Conclusions.

Slide 2: Overview
Basic concepts: Bot/Zombie, Botnet, Bot Master.
Botnets can be used for: DDoS, Spam, Phishing emails, Click-fraud, Stealing personal data.

Slide 3: Facts and Figures
1 trillion monthly spam messages by the end of March 2012. Source: Annual McAfee Threats Report, First Quarter 2012.

Slide 4: Facts and Figures
More than 5 million infections during Q1 2012. Cutwail botnet: 2 million new infections. Grum botnet: 18% of spam (18 billion/day) sent out across the world. Colombia, Japan, Poland, Spain and the USA had the largest botnet increase; Indonesia, Portugal and South Korea continued to decline.

Slide 5: Communication & Organization (section outline)
1. Propagation
2. Organization: i. C2 Centralized; ii. Unstructured; iii. P2P Overlay Network

Slide 6: Propagation
Phishing scams (e.g. spam), Social engineering (e.g. Facebook), DNS poisoning, Infected mobile storage (e.g. USB flash drives), App infection (e.g. Android/iOS), Polluted files (e.g. infected torrents), etc.

Slide 7: Centralized Command and Control
Single point of control. Direct control of zombies. Easy to detect using traffic analysis.

Slide 8: Unstructured Control
Unknown botnet size. Bots disseminate commands between themselves. Huge latency, so poor performance. Low efficiency (broadcast messages). Parts of the network may be unreachable without the operator knowing.

Slide 9: P2P Overlay Network
Bots join a P2P network and communicate through a DHT. The botmaster can act as a normal bot and can enter and exit from several points.

Slide 10: Our solution?

Slide 11: The Godfather
P2P DHT (Pastry). Secure communication. Safe peer entry. Renting model. Avoid crawlers and Sybil attacks.

Slide 12: The Godfather (section outline)
1. Peer Entry; 2. Secure Dissemination of Botmaster Commands; 3. Peer-to-peer Trust System; 4. Proof-of-work; 5. Monetize Model.
Peer entry (diagram): BotMaster, Relay DHT, Peer Bootstrap List with the example entries 193.166.136.25:8080 and 105.157.88.127:8081.

Slide 13: Unstructured Network (figure).

Slides 14 and 15: Peer Entry (figures).

Slides 16 to 18: Secure dissemination of orders (figures).

Slide 19: Peer-to-peer traffic obfuscation (figure).

Slide 20: Peer-to-Peer Trust
Accomplice List: limited size, sorted by credits. Old peers have priority, which makes older bots difficult to crawl.

Slide 21: Peer-to-Peer Trust (diagram)
Flow labels: Send Command / Send Commands; Preference to avoid key exchanges; Signed by Master or Client; Random; Send Credits; Earn Credits; Lose; New; more than 3 invalid, then Expelled from List. Note: it does not avoid Sybil attacks.

Slide 22: Proof-of-Work (figure).

Slide 23: Mafia Proof-of-Work
Sam wants to add Tom to his Accomplice List; they must show that they work for the Mafia (diagram: Sam, Tom, Node ID, Public Key). The last 128 bits of the puzzle solution are the cipher secret. Options: brute-force 128 bits (we would need to check by sending a message to Sam again), or solve the puzzle (16 bits).

Slide 24: Proof-of-Work (figure).

Slide 25: Proof-of-Work measurements
| Bits | Attempts | % of total | Avg time |
| 8 | 122 | 47.65 | 22 ms |
| 16 | 29 486 | 44.99 | 1 sec |
| 24 | 8 327 669 | 49.63 | 6 min |
| 32 | 2 147 million | 49.98 | 25 hours |
| 64 | 9.22337 x 10^18 | 50 | 12 306 411 years |
Average key difficulty is half of the key size. Measured rate: 23.75 attempts per millisecond (Java is slow).

Slide 26: Prices on Darknet
Citadel (Zeus variant, financial botnet): US$2,399; $125 to rent the botnet builder and administration panel; $395 for automatic updates for antivirus evasion. Darkness (DDoS): from $450 up to $1,000.

Slide 27: Monetization Model
Botmaster generates a private/public key pair plus a signed certificate. The attacker signs the command with his private key and sends the signed command plus signature. The bot checks the certificate signature, attacks, and forwards the message.

Slide 28: Solution Architecture
Peer-to-peer DHT with signed commands. Certificate generator. Ciphered message transfer. Twitter bootstrapper. Cryptopuzzle generator and solver. Reputation (Accomplice List).

Slide 29: (figure).

Slide 30: Demo time!

Slide 31: Conclusions

Slide 32: Conclusions
Keeping both a low level of traffic and guaranteed secure connections is hard in botnets. Attacks such as DoS are easy to perform. Botnet detection systems have evolved, so trust mechanisms are required. All of it will be released with research purposes in mind.

Slide 33: Thank you! Q&A
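The measurements on slide 25 follow from a simple cost model: a puzzle whose solution is an n-bit target takes on average 2^(n-1) guesses, and the time is that count divided by the solver's rate. The block below is an added example, not the authors' Java code: a hashcash-style SHA-256 puzzle (leading-zero-bits target, an assumption about the puzzle form since the slides do not define it) plus the expected-cost formula at the slide's measured 23.75 attempts per millisecond, which is what a defender would use to judge how much Sybil resistance a given difficulty actually buys.

```python
import hashlib
import os

# Parameters taken from slide 25 (constructed model, not the project's own code).
ATTEMPTS_PER_MS = 23.75            # measured solver rate reported on the slide
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def expected_attempts(bits: int) -> int:
    """Average guesses to hit a `bits`-bit target: half of the key space."""
    return 2 ** (bits - 1)

def expected_seconds(bits: int, attempts_per_ms: float = ATTEMPTS_PER_MS) -> float:
    """Expected solving time in seconds at the given attempt rate."""
    return expected_attempts(bits) / attempts_per_ms / 1000.0

def expected_years(bits: int) -> float:
    """Same cost expressed in years (slide 25's last row is 64 bits)."""
    return expected_seconds(bits) / SECONDS_PER_YEAR

def leading_zero_bits(digest: bytes) -> int:
    """Leading zero bits of a digest: the usual hashcash difficulty test."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve_puzzle(challenge: bytes, bits: int, max_attempts: int = 1 << 24):
    """Search for a nonce with SHA-256(challenge || nonce) having `bits`
    leading zero bits. Returns (nonce, attempts) or None if the budget runs out."""
    for nonce in range(max_attempts):
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if leading_zero_bits(digest) >= bits:
            return nonce, nonce + 1
    return None

def verify_puzzle(challenge: bytes, nonce: int, bits: int) -> bool:
    """Verification costs a single hash; that asymmetry is the whole point."""
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(digest) >= bits

if __name__ == "__main__":
    for b in (8, 16, 24, 32, 64):
        print(f"{b:>2} bits: ~{expected_attempts(b):.3e} attempts, "
              f"~{expected_seconds(b):.3e} s, ~{expected_years(b):.3e} years")
    challenge = os.urandom(16)      # constructed sample challenge
    nonce, attempts = solve_puzzle(challenge, 16)
    print(f"16-bit puzzle: {attempts} attempts, valid={verify_puzzle(challenge, nonce, 16)}")
```

The 32-bit row comes out at about 25 hours and the 64-bit row at about 12.3 million years, matching the slide; doubling the rate only halves those figures, so difficulty must be tuned to the fastest plausible attacker, not the average one.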