7/31/2019 08 Storm LEET
1/23
Pi1 - Laboratory for Dependable Distributed Systems
Measurements and Mitigation of Peer-to-Peer-based Botnets
A Case Study on Storm Worm
Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, and Felix Freiling
-
2/23
Thorsten Holz, LEET08 - Measurements and Mitigation of Peer-to-Peer-based Botnets, UNIVERSITÄT MANNHEIM
Outline
- Introduction
- Botnet Tracking for peer-to-peer botnets
- Inside Storm Worm (briefly)
- Tracking Storm Worm
- Measurement results
- Conclusion
-
3/23
Introduction
- Most work in the past focussing on bots with central command & control server
  - Commonly IRC and HTTP
- Peer-to-peer botnets are out there
  - Most media attention for Storm
  - But others are out there, e.g., Nugache
- Basic question: How can we track P2P botnets and learn more about them?
-
4/23
Botnet Tracking
Class of botnets considered:
1. Peer-to-peer network architecture
2. Content-based publish / subscribe-style communication
3. Unauthenticated communication
-
5/23
Botnet Tracking
Very loosely coupled communication:
- Consumer does not know who published info
- Provider does not know who received info
-
6/23
Botnet Tracking
Extension of botnet tracking methodology (ESORICS 05) for peer-to-peer botnets:
1. Exploiting the P2P bootstrapping process
2. Infiltration and analysis
3. Mitigation
Goal: automation as good as possible
-
7/23
Inside Storm
- Propagation is purely based on spam / social engineering linking to web sites
  - See work by Kreibich et al.
- With the help of spamtraps, we can obtain copies of these propagation mails
- Client honeypots analyze mails, click on links, and get infected (like a normal user would)
- We can obtain new samples in an automated way
-
8/23
Inside Storm
Network-level behavior:
- First versions: Overnet (Kademlia-based DHT)
- Obfuscation was added in October 2007; called Stormnet in the following
- Seems to change from DHT to linked list (lightning talk by David Dagon? :-))
-
9/23
Inside Storm
Bot communication (simplified, valid for Overnet):
- Infected machine searches for specific keys within the network
- Botmaster knows in advance which keys are searched for and publishes commands there: rendezvous points
-
11/23
Authentication
challenge                response                challenge XOR response
challenge1: 0x55018273   response1: 0x6bd87335   XOR: 0x3ED9F146
challenge2: 0x387fa822   response2: 0x06a65964   XOR: 0x3ED9F146
challenge3: 0xf00e5810   response3: 0xced7a956   XOR: 0x3ED9F146
-
12/23
Key Search
-
14/23
Modes
[Figure: Storm Worm architecture: controller, gateways (reached over HTTP), and spam/DoS bots (TCP and Overnet)]
- Two different modes: NAT or public IP address
- Actually Storm Worm is a hybrid network with a P2P component for lookup
-
15/23
Infiltration
Crawler algorithm, adapted version of the KAD crawler by Steiner et al.

Algorithm 1: send thread (is executed once per crawl)
  Data: peer: struct{IP address, port number, DHT ID}
  Data: shared list Peers = list of peer elements
        /* the list of peers filled by the receive thread and worked on by the send thread */
  Data: int position = 0   /* the position in the list up to which the peers have already been queried */
  Data: list ids = list of 16 properly chosen DHT ID elements

  Peers.add(seed);   /* initialize the list with the seed peer */
  while position < size(Peers) do
      for i = 1 to 16 do
          dest_DHT_ID = Peers[position].DHT_ID XOR ids[i];   /* normalize bucket to the peer's position */
          send route_request(dest_DHT_ID) to Peers[position];
      position++;

Algorithm 2: receive thread (waits for the route response messages)
  Data: message mess = route response message
  Data: peer: struct{IP address, port number, DHT ID}
  Data: shared list Peers = list of peer elements   /* the list shared with the send thread */

  while true do
      wait for (mess = route response) message;
      foreach peer in mess do
          if peer not in Peers then
              Peers.add(peer);
-
16/23
Results
[Figure: Number of bots in Stormnet, split by geo-location (US, IN, TR, other); y-axis: storm bots, 0 to 40000; x-axis: date, 12-15 to 02-02]
-
17/23
Spying On Content
- Sybil attack: introduce 2^24 peers into the botnet
  - First 24 bits of DHT ID are different, rest is fixed
- We inject into the DHT and can observe route / publish request messages
- We can now monitor requests within the whole network (and observe many other researchers)
-
18/23
Results
[Figure: Search activity in Stormnet; y-axis: 0 to 8000; x-axis: date, 11-24 to 02-02; series: ip addresses, hashes]
-
19/23
Results
[Figure: Publish activity in Stormnet; y-axis: 0 to 500; x-axis: date, 11-24 to 02-02; series: ip addresses, hashes]
-
20/23
Mitigation
Eclipsing content (special form of Sybil attack):
- To eclipse keyword K, position a certain number of sybils closely around K (in terms of XOR)
- Poison regular peers' routing tables; attract route request messages for K
- Does not work in practice since content is spread through the entire hash space, not restricted to the zone around K
- Works for KAD as shown by Steiner et al.
-
21/23
Mitigation
Polluting content:
- Prevent peers from retrieving search results for K by publishing a large number of files using K
- Overwrite content previously published as K
- Storm bots continuously publish: arms race
- First crawl the network, then publish files to peers having at least the first 4 bits in common with K
- Publish takes 5 seconds; 400 / 2200 peers accept
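An added Python simulation (not the authors' crawler code) of the send/receive crawl from the Infiltration slide, followed by the peer-selection step of the pollution mitigation: route responses come from a constructed toy network with random 128-bit IDs, the 16 "properly chosen" IDs are assumed to cover the 16 top-level 4-bit prefixes, and K=8 peers per response is an assumption.

```python
import random

ID_BITS = 128     # Overnet/Kademlia DHT IDs are 128 bits wide
BUCKETS = 16      # Algorithm 1 sends 16 route requests per queried peer
K = 8             # peers returned per route response (assumed, not from the slides)

# Assumption: the 16 "properly chosen" IDs cover all 16 top-level 4-bit prefixes;
# XOR-ing one with a peer's own ID yields a destination in that peer's i-th bucket.
CHOSEN_IDS = [i << (ID_BITS - 4) for i in range(BUCKETS)]

def route_response(network, peer_id, dest):
    """Simulated bot: answer a route request with the K known peers closest to dest
    by XOR distance. Peers are modelled by DHT ID only (no IP/port struct)."""
    return sorted(network[peer_id], key=lambda pid: pid ^ dest)[:K]

def crawl(network, seed_id):
    """Algorithms 1 and 2 collapsed into one loop: every listed peer is queried
    once with 16 route requests; unseen peers from the responses are appended."""
    peers, seen, position = [seed_id], {seed_id}, 0   # Peers.add(seed)
    while position < len(peers):                       # send thread
        current = peers[position]
        for chosen in CHOSEN_IDS:
            dest = current ^ chosen                    # normalize bucket to peer's position
            for p in route_response(network, current, dest):
                if p not in seen:                      # receive thread: if peer not in Peers
                    seen.add(p)
                    peers.append(p)
        position += 1
    return peers

def pollution_targets(peers, key, bits=4):
    """Mitigation slide: after the crawl, publish only to peers whose DHT ID
    shares at least the first `bits` bits with keyword K."""
    shift = ID_BITS - bits
    return [p for p in peers if (p >> shift) == (key >> shift)]

def build_toy_stormnet(n=200, table_size=20, seed=7):
    """Constructed toy network: random IDs, each bot knows table_size random
    others (not the real Stormnet topology)."""
    rng = random.Random(seed)
    ids = [rng.getrandbits(ID_BITS) for _ in range(n)]
    return {pid: set(rng.sample([q for q in ids if q != pid], table_size)) for pid in ids}

if __name__ == "__main__":
    net = build_toy_stormnet()
    found = crawl(net, next(iter(net)))
    key = random.Random(1).getrandbits(ID_BITS)      # constructed keyword K
    print(f"crawl discovered {len(found)}/{len(net)} bots with {len(found) * BUCKETS} route requests")
    print(f"{len(pollution_targets(found, key))} of them share the first 4 bits with K")
```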
-
22/23
Results
[Figure, left panel "standard search": results (0 to 100) vs. minutes (0 to 80); curves: storm, pollution; markers: start of pollution, stop of pollution]
[Figure, right panel "exhaustive search": results (0 to 2x10^4) vs. minutes (0 to 100); same curves and markers]
-
23/23
Thorsten Holz
http://pi1.informatik.uni-mannheim.de/
[email protected]
Pi1 - Laboratory for Dependable Distributed Systems
Acknowledgments: Thanks to network staff and anonymous reviewers
More info: http://honeyblog.org