Discovering a botnet from Russia (With love)

Damien Aumaitre - damien.aumaitre@sogeti.com
Christophe Devaux - christophe.devaux@sogeti.com
Julien Lenoir - julien.lenoir@sogeti.com
Sogeti/ESEC
Plan
1 Botnets: a happy family
  What is a botnet?
  How do you join a botnet?
  Context of the analysis
2 Architecture
  Components: Psyche the spammer, Putmuk the FTP accounts thief, the banker, FakeAlert the scareware provider
  Evolution of binary protections
  Overall architecture
3 Business model
  Who's in charge?
  Outline
4 Conclusion
Definition
Wikipedia: the term botnet refers to a set of zombie machines exploited for malicious purposes.
Definition
Machines that are compromised without the user's knowledge
One or several control servers, hacked or rented from a bullet-proof host
What are they meant for?
Distributed Denial of Service
Spam
Click fraud
Blackhat SEO (spam indexing)
Theft of personal data
The largest botnets

Botnet     Bots        Spams per day     Detection date
Conficker  9 000 000   10 000 000 000    October 2008
Kraken     495 000     9 000 000 000     April 2008
Srizbi     450 000     60 000 000 000    June 2007
Rustock    150 000     30 000 000 000    June 2008
Cutwail    125 000     16 000 000 000    March 2007
Storm      85 000      3 000 000 000     January 2007
Figure: infection timeline. Infection vectors (USB flash drive, fake software, spam, exploit) deliver a launcher; the launcher fetches the malware payload from the malware distribution server ("Candy-box"), and over time the machine goes from clean to infected to zombie, i.e. a member of the botnet.
Infection
Several possible sources:
Infected USB flash drive
Fake software (codecs, keygens, ...) on the Internet
Emails that contain malware as an attached file
Vulnerabilities (exploit for MS08-067, ...)
Malware installation often involves several phases
Launcher
Characteristics
Small executable in charge of downloading the real malware
Generally knows the addresses of several Candy-boxes
Several launchers can be chained (Russian dolls)
Advantage
The use of a launcher allows the malware that will infect the machines to be easily modified over time (update mechanism)
Analysis of an infected laptop
Retrieve the malware
Infect a controlled workstation (in a virtual machine)
Observe the malware in vivo
Peculiarities of the malware
Very basic
Very recent control server (5 days old at the beginning of the analysis)
Patriotic
Patriotism...
Psyche the spammer
Main role
Send spam
Actions
Registers as a Windows service
Uses rootkit techniques to hide (NtIllusion)
Connects to a control server
How it works
Every time the machine starts, the malware updates its configuration and launches a spam campaign
How it works
Figure: the zombie computer connects to the controller, which returns its configuration, the text to send and the list of emails to spam; the zombie sends the spam and reports the results back to the controller.
Communication protocol
Protocol
Encrypted protocol (XOR with the key "Poshel-ka tina hui drug aver")
Two kinds of datagrams (received and sent)
Received datagram: order, encrypted data
Sent datagram: machine identifier, session identifier, encrypted response data
Received orders
Orders
0: Ping
2: Execute a shellcode
6: Receive the text to spam
7: Receive the configuration file
8: Receive a list of emails and SMTP servers
Figure: layout of a received datagram: order number, data size, encrypted data
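The datagram layout and the XOR "encryption" of the Psyche protocol, as an added example (not the malware's code, nor the authors'): a codec for controller-to-bot and bot-to-controller datagrams, plus the check an analyst makes first, recovering the key from a single known plaintext. That check is the security point: a repeating-key XOR is obfuscation, not encryption, since ciphertext XOR any known plaintext (the start of a configuration file, an SMTP server name) yields the key stream directly. Known from the slides: the key string, the field names and the five order numbers. Assumed here and not on the slides: 4-byte little-endian integer fields in the order listed, the key applied from the start of every payload, and the sample spam text and configuration file, which are constructed.

```python
"""Psyche C&C datagram codec (added example; not the malware's code).

Known from the slides: repeating-key XOR with the key below; received datagrams
carry an order number, a data size and encrypted data; sent datagrams carry a
machine identifier, a session identifier and encrypted response data; order
numbers 0, 2, 6, 7, 8.  Assumed here: 4-byte little-endian integer fields in
that order, and the key applied from offset 0 of every payload.
"""
import struct

KEY = b"Poshel-ka tina hui drug aver"  # key string quoted on the protocol slide

ORDERS = {  # order numbers from the "Received orders" slide
    0: "ping",
    2: "execute_shellcode",
    6: "spam_text",
    7: "config_file",
    8: "email_and_smtp_list",
}

HEADER = struct.Struct("<II")           # order number, data size  (assumed layout)
RESPONSE_HEADER = struct.Struct("<II")  # machine id, session id   (assumed layout)


def xor_crypt(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_order(order: int, payload: bytes) -> bytes:
    """Controller -> bot datagram, as the C&C would emit it."""
    if order not in ORDERS:
        raise ValueError(f"unknown order {order}")
    return HEADER.pack(order, len(payload)) + xor_crypt(payload)


def parse_order(datagram: bytes) -> tuple[int, str, bytes]:
    """Controller -> bot datagram -> (order number, order name, plaintext)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than its header")
    order, size = HEADER.unpack_from(datagram)
    body = datagram[HEADER.size:]
    if size > len(body):  # truncated capture, or a forged length field
        raise ValueError(f"data size {size} exceeds the {len(body)} bytes present")
    if order not in ORDERS:
        raise ValueError(f"unknown order {order}")
    return order, ORDERS[order], xor_crypt(body[:size])


def build_response(machine_id: int, session_id: int, plaintext: bytes) -> bytes:
    """Bot -> controller datagram, as the zombie would emit it."""
    return RESPONSE_HEADER.pack(machine_id, session_id) + xor_crypt(plaintext)


def parse_response(datagram: bytes) -> tuple[int, int, bytes]:
    machine_id, session_id = RESPONSE_HEADER.unpack_from(datagram)
    return machine_id, session_id, xor_crypt(datagram[RESPONSE_HEADER.size:])


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Analyst's check: ciphertext XOR known plaintext is the key stream; once
    the stream is long enough to repeat, the repeating unit is the key."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i - period] for i in range(period, len(stream))):
            return stream[:period]
    return stream  # not enough known plaintext to see the key repeat


def demo() -> dict:
    """One order-6 exchange and a key recovery, on constructed data."""
    text = b"Cheap pills! http://example.invalid/  "          # constructed spam text
    order, name, plain = parse_order(build_order(6, text))
    mid, sid, reply = parse_response(build_response(0x1234, 7, b"sent=2800000"))
    # a captured order 7 body plus a guess at the config file's layout gives the key
    cfg = b"[config]\nsmtp=mail.example.invalid\nthreads=50\nretry=3\nsleep=60\n"
    return {"order": order, "name": name, "plain": plain,
            "machine_id": mid, "session_id": sid, "reply": reply,
            "recovered_key": recover_key(xor_crypt(cfg), cfg)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The length check in parse_order matters when replaying captures: a controller (or a fuzzer) that puts a size larger than the payload in the header must be rejected, not read past the buffer. recover_key needs at least two key lengths of known plaintext to see the period; with less it returns the partial key stream, which still decrypts the same positions of every other datagram.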
Order 6: the text to spam
Statistics
About 10 GB of emails logged on the server within 5 days
1 GB = 34 000 000 unique emails
Rate: 2 800 000 spams/hour
Putmuk the FTP accounts thief
Main role
Decrypts passwords stored by FTP clients and exfiltrates them
Targeted FTP clients (13), among them:
VanDyke SecureFX
Ipswitch WS_FTP
FTPWare CoreFTP
FileZilla
Rhino Software FTP Voyager
Total Commander
BulletProof FTP Client
GlobalSCAPE CuteFTP
...
Administration interface: 995 accounts in queue
Administration interface: checking FTP accounts
The banker
Main role
Retrieve bank information
Browser Helper Object (plug-in) for Internet Explorer
BHO 3-in-1
Keylogger
Hook HTML forms
Injection of HTML fields on banking sites
Injection of HTML fields on banking sites (screenshot; source: Sergei Shevchenko, ThreatExpert Blog)
Example of exfiltrated data
[http://www.nytimes.com/auth/login?URI=http://]
USERID=KEYSREAD:myaccount
[http://www.nytimes.com/auth/login?URI=http://]
PASSWORD=KEYLOGGED:mypassword KEYSREAD:mypassword
[http://www.nytimes.com/auth/login]
The New York Times > Log In
is_continue=true
URI=http://
OQ=
OP=
USERID=myaccount
PASSWORD=mypassword
SAVEOPTION=YES
Submit2=Log+In
Limbo: BHO banker generator
Client generator (malware)
Automatically generates malware from a configuration file
Has many functionalities (keylogger, HTML injection, data capture, etc.)
Server application
Administration interface (PHP/MySQL) ready to deploy
Gathers exfiltrated information
Sorts and formats the data
Limbo 2: Generation of malware
FakeAlert the scareware provider
Roles
Trick the user into buying a fake anti-virus
Steal their bank information
How it works
Simulates many viral infections
Modifies the appearance of known websites to signal a viral infection
Simulates fatal errors in Windows (Blue Screen of Death)
Examples (screenshots)
Evolution of binary protections
Three successive versions of the bot observed within 2 weeks (columns in chronological order):

                     Version 1           Version 2               Version 3
Packer               UPX                 UPX                     UPX / FSG
Code encryption      None                XOR with a byte         Per parts, XTEA
String encryption    XOR with a byte     XOR with a string       Various operations with a string
Protection           Simple anti-debug   Anti-debug, anti-dump   Anti-debug, anti-dump
Advanced protection  None                Anti-heuristics         Anti-VM
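The third version's code encryption, "per parts, XTEA", as an added example of the static unpacking helper an analyst writes once the stub has been read (not the bot's code, nor the authors'). Since the stub has to decrypt the code at run time, the key and the list of encrypted regions are present in, or computable from, the binary; the protection only costs the analyst the time to locate them. The slides say nothing beyond "XTEA", so everything below the cipher itself is assumed: standard XTEA (32 cycles, delta 0x9E3779B9), two little-endian 32-bit words per 8-byte block as on x86, ECB over whole blocks with any tail shorter than 8 bytes left in clear, and a constructed key, stub and code region.

```python
"""XTEA 'per parts' code decryption (added example; not the bot's code).

The slides only state that the third version encrypts parts of its code with
XTEA.  Assumed here: standard XTEA (32 cycles), little-endian 32-bit words per
8-byte block (x86 layout), ECB over whole blocks with the tail left in clear,
and a key plus (offset, length) region list read out of the unpacking stub.
The key, stub and code bytes in demo() are constructed.
"""
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
CYCLES = 32  # 32 cycles = 64 Feistel rounds, the standard XTEA parameter
BLOCK = struct.Struct("<II")  # v0, v1 as little-endian words (x86 layout)


def xtea_encrypt_block(v0: int, v1: int, key: tuple) -> tuple:
    """Reference XTEA encipher on one block; key is four 32-bit words."""
    s = 0
    for _ in range(CYCLES):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
    return v0, v1


def xtea_decrypt_block(v0: int, v1: int, key: tuple) -> tuple:
    """Reference XTEA decipher: the encipher rounds run backwards."""
    s = (DELTA * CYCLES) & MASK
    for _ in range(CYCLES):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + key[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + key[s & 3]))) & MASK
    return v0, v1


def _crypt_region(data: bytes, key: tuple, block_fn) -> bytes:
    """Apply block_fn to every whole 8-byte block; a short tail stays in clear."""
    out = bytearray(data)
    for off in range(0, len(data) - len(data) % 8, 8):
        v0, v1 = BLOCK.unpack_from(data, off)
        BLOCK.pack_into(out, off, *block_fn(v0, v1, key))
    return bytes(out)


def encrypt_region(data: bytes, key: tuple) -> bytes:
    return _crypt_region(data, key, xtea_encrypt_block)


def decrypt_region(data: bytes, key: tuple) -> bytes:
    return _crypt_region(data, key, xtea_decrypt_block)


def decrypt_parts(image: bytes, parts, key: tuple) -> bytes:
    """Decrypt each (offset, length) part of the image in place; the stub and
    everything outside the listed parts is left untouched."""
    out = bytearray(image)
    for off, length in parts:
        if off < 0 or off + length > len(image):
            raise ValueError(f"part ({off}, {length}) lies outside the image")
        out[off:off + length] = decrypt_region(bytes(out[off:off + length]), key)
    return bytes(out)


def demo() -> dict:
    """Pack a constructed image the way a stub would, then unpack it."""
    key = (0x11111111, 0x22222222, 0x33333333, 0x44444444)  # constructed key
    stub = b"\x55\x8b\xec" + b"\x90" * 13                   # constructed stub, kept in clear
    code = b"spam engine string\x00" + b"\xcc" * 29         # constructed 48-byte code part
    clear = stub + code + b"\xc3"
    packed = stub + encrypt_region(code, key) + b"\xc3"
    parts = [(len(stub), len(code))]                        # what the stub iterates over
    return {
        "string_hidden_when_packed": b"spam engine" not in packed,
        "stub_left_in_clear": packed.startswith(stub),
        "unpacked_matches_original": decrypt_parts(packed, parts, key) == clear,
    }


if __name__ == "__main__":
    print(demo())
```

The block functions work on word pairs so that the byte order is decided in one place (BLOCK); a sample compiled for a big-endian target only needs that format string changed. If a stub uses a non-standard cycle count or delta, those are the two constants to adjust after reading its loop.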
Statistics
Some numbers...
2 weeks of observation
1 000 000 000 sent spams
Around 100 new FTP accounts per day
2 new versions of Putmuk
6 months of development
Overall architecture
Figure: overall architecture. Hosting: Hivelocity (NOC4Hosts).
"Candy-box" (xx.50.109.2): malware distribution server (redirects to the malware that infects the computers)
Psyche controller (xx.50.120.87, xx.50.125.72, ...): drives the spam sent by the infected computers
FTP accounts log (xx.199.248.58): collects the FTP accounts stolen by Putmuk
Bank information log (xxx.51.231.110): collects the bank information stolen by the banker
Pirated websites, taken over with the stolen FTP accounts: used for selling pills and for storing the images used in the spam; this is where the spammed computers are sent
HGNI is behind the whole operation
Investigation
Sources of information
Malware
Control servers (FTP log, spam controller, ...)
Internet
HGNI?
Figure: content of an SQL table on the FTP log server
HGNI?
Output of last on the FTP log server:
root pts/1 Thu Oct 30 23:36 - 00:47 (01:11) maskalev.radiocom.net.ua
root pts/0 Thu Oct 30 23:10 - 01:51 (02:41) xx.xxx.xxx.xx
root pts/0 Fri Oct 24 01:27 - 03:48 (02:20) xx.xxx.xxx.xx
reboot system boot Wed Oct 15 20:31 - 22:15 (29+02:44) 2.6.18-6-486
root pts/0 Wed Oct 15 16:56 - down (03:33) xx.xxx.xxx.xx
root pts/0 Tue Oct 14 14:41 - 14:52 (00:11) maskalev.radiocom.net.ua
root pts/0 Sun Oct 12 02:45 - 02:57 (00:12) xx.xxx.xxx.xx
root pts/0 Fri Oct 3 17:45 - 20:38 (02:53) maskalev.radiocom.net.ua
banner on maskalev.radiocom.net.ua
220 This is internal hgni's ftp server
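Reading the login history above programmatically, as an added example that is not part of the talk: a parser for the column layout shown (that of last -a, with the source host in the last column) which summarizes root sessions per source host, so that a host such as maskalev.radiocom.net.ua can be ranked by time spent on the box and then correlated with the FTP banner that follows. The sample input is the slide's own output, embedded as constructed test data with the addresses still masked; reboot records, sessions ended by a shutdown ("down") and the day-count form of the duration ("29+02:44") are all present on the slide and handled.

```python
"""Summarize root logins per source host from `last` output (added example,
not part of the talk).  The column layout parsed is the one on the slide, i.e.
`last -a`, with the source host (or the kernel version, for reboot records) in
the last column.  SAMPLE_LAST is the slide's output embedded as test input; the
addresses are masked there already.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LAST = """\
root pts/1 Thu Oct 30 23:36 - 00:47 (01:11) maskalev.radiocom.net.ua
root pts/0 Thu Oct 30 23:10 - 01:51 (02:41) xx.xxx.xxx.xx
root pts/0 Fri Oct 24 01:27 - 03:48 (02:20) xx.xxx.xxx.xx
reboot system boot Wed Oct 15 20:31 - 22:15 (29+02:44) 2.6.18-6-486
root pts/0 Wed Oct 15 16:56 - down (03:33) xx.xxx.xxx.xx
root pts/0 Tue Oct 14 14:41 - 14:52 (00:11) maskalev.radiocom.net.ua
root pts/0 Sun Oct 12 02:45 - 02:57 (00:12) xx.xxx.xxx.xx
root pts/0 Fri Oct 3 17:45 - 20:38 (02:53) maskalev.radiocom.net.ua
"""


@dataclass
class Session:
    user: str
    tty: str        # "pts/0", or "system boot" for reboot records
    month: str
    day: int
    start: str      # "HH:MM"; last prints no year
    end: str        # "HH:MM", or "down" when the box was shut down mid-session
    minutes: int
    host: str       # source host; the kernel version for reboot records


def parse_duration(text: str) -> int:
    """'(01:11)' -> 71 minutes; '(29+02:44)' -> 29 days, 2 h 44 min, in minutes."""
    days, _, hm = text.strip("()").rpartition("+")
    hours, minutes = hm.split(":")
    return (int(days) if days else 0) * 1440 + int(hours) * 60 + int(minutes)


def parse_last(text: str) -> list:
    """Parse closed sessions ('... HH:MM - END (DURATION) HOST').  Blank lines,
    the 'wtmp begins' trailer, 'still logged in' and 'gone - no logout' records
    have no (DURATION) field and are skipped."""
    sessions = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 10 or tok[-4] != "-" or not tok[-2].startswith("("):
            continue
        sessions.append(Session(
            user=tok[0], tty=" ".join(tok[1:-8]), month=tok[-7], day=int(tok[-6]),
            start=tok[-5], end=tok[-3], minutes=parse_duration(tok[-2]), host=tok[-1]))
    return sessions


def root_logins_by_host(sessions: list) -> dict:
    """Per source host: number of root sessions, total minutes and the days seen
    (newest first, as last prints them).  Reboot records are not logins."""
    summary = defaultdict(lambda: {"logins": 0, "minutes": 0, "days": []})
    for s in sessions:
        if s.user != "root":
            continue
        entry = summary[s.host]
        entry["logins"] += 1
        entry["minutes"] += s.minutes
        entry["days"].append(f"{s.month} {s.day}")
    return dict(summary)


def shutdown_terminated(sessions: list) -> list:
    """Sessions that ended with the machine going down rather than a logout."""
    return [s for s in sessions if s.end == "down"]


if __name__ == "__main__":
    parsed = parse_last(SAMPLE_LAST)
    for host, entry in root_logins_by_host(parsed).items():
        print(f"{host}: {entry['logins']} root logins, {entry['minutes']} min, {entry['days']}")
    for s in shutdown_terminated(parsed):
        print(f"session from {s.host} on {s.month} {s.day} ended by shutdown")
```

Tokenizing from the right is deliberate: the tty field can contain a space ("system boot") and the host can be missing in plain last output, so anchoring on the " - " separator and the parenthesized duration is more robust than fixed columns. Keep in mind that last reads wtmp, which an attacker with root can truncate or edit; these records are evidence of what was left behind, not of everything that happened.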
HGNI?
HGNI
Who is it?
A person (or group of people) named HGNI controls the botnet
Characteristics
Limited technical skills
Recruits developers on the Russian Software Developer Network
Acts as manager/investor
Can be easily contacted through ICQ (not trying to hide)
Selling spam
Financial overview
Costs
Malware development
Developers' salaries
Purchase of Limbo
Access to a malware distributor
Server rental
Sources of profit
Selling spam
Selling confidential data
Selling fake anti-viruses
Using stolen bank information
Conclusion
This botnet
Several components to maximize profits
Rapid evolution
Rudimentary but rather efficient
Control servers are easy to identify but still online
Conclusion
Requires minimal investment
Becomes lucrative quickly
The end is not yet in sight...
Any questions?
Thank you for your attention