1

Paper ReviewAn Empirical Study of HTTP-based Financial

Botnets

Raymond

2

Outline• Introduction• Methodology and Emulation Environment• Comparative Analysis of Various Bots • Analytical Observations• Challenges• Solution and Conclusion

3

Introduction

4

Botnet• A botnet is a collection of infected machines

(bots) controlled by a bot herder through a C&C server

C&Cserver

malware

malware

malware

Bot herder

5

Financial Botnets• This breed of botnets is designed and deployed to

conduct financial crimes such as online fraud, money laundering, and identity theft by infecting a large number of end-user systems across the globe.

6

232 devices are infected per minute

• An RSA study further disclosed that every minute on the Internet approximately 232 computers are being infected with malware globally.

7

Spread bots 1/3• There are several ways to spread bots but

phishing and drive-by download attacks are the two most prominent ones

8

Spread bots 1/3 

Phishing• attack are executed through emails embedded

with malicious links that are distributed to a large set of users.

• This attack exploits the users’ gullibility using social engineering tricks.

• Upon clicking a web link, the user’s browser is redirected to a malicious domain which serves malware.

9

Spread bots 1/3 drive-by download

• an attacker compromises a high-traffic website and injects code that points to a malicious domain.

10

Spread bots 2/3 • On visiting a malicious domain, a Browser Exploit

Pack (BEP), an automated framework consisting several exploits, fingerprints the browsers environment, and if found vulnerable, an appropriate exploit is served to compromise the machine.

11

Spread bots 3/3

12

Botnets have Become Bigger and Better

Statistic shows the total number of bots present in the various families of botnets when taken down by FBI in different takedown operations.

13

Top 4 Financial Botnets

• A Kaspersky study [9] found that the top 4 financial botnets are Zeus (variants), SpyEye, Carberp and Citadel.

14

Top 4 Financial Botnets

• Carberp botnet caused approximately close to $250 million in losses

• Citadel botnet caused $500 million losses to companies and organizations across the globe.

• Earlier versions of Zeus and SpyEye botnets collectively stole $100 million from target organizations

15

Methodology and Emulation

Environment

16

Test Step• 1.we used an infiltration technique where we

joined the botnet environment to better understand its behavior

• 2.We conducted several tests using active and passive approaches for investigating infections:o Continuous monitoring and traffic analysiso Reverse engineering and behavior analysiso Penetration testing

17

anti anti-VM bot• do something made the VMware machines

behave like a standard operating systemo ex:

• VMWare support tools were not installed• kernel debugging was turned off• the Media Access Control (MAC) address was modified• Desktop Management Information (DMI) related to Basic Input

Output System (BIOS) and certain components of operating system (VM) were modified

18

19

Comparative Analysis of Various Bots

20

Protocol

21

Anti-sandbox

22

Exploitation

Mutex object can be used to determine whether the system is already infected or not, and detecting the presence of virtual machines, traffic analyzers, Anti-Viruses(AV) in the system.

the PDEF+ component is designed to check the effectiveness of bots in bypassing anti-virus systems running on the client side

23

Spreading

24

Remote Manage

25

Defensive Mechanisms

Socks Proxybot herders can restrict source direct access to the C&C panels offer vertify method, if bot match, it allow the bot to download configuration file limit source of incoming http request

Domain Generation Algorithmsgenerate pseudorandom domain names, Advantage is that use DGAs to strengthen their C&C communication channels so that fingerprinting of C&C servers becomes more difficult

26

Module

• This design shows that the bots can be extended by building additional plugins that can be incorporated directly to execute extended code in the infected system. o For example,

• the malware author can design a new plugin for a specific bot and use the C&C panel to update the bot by sending an updated configuration having a new plugin listed in it. When the bot gets updated, the new pluginsimply executes.

27

Data Exfiltration

28

Data Exfiltration

• Man-in-the-Browser Attackso MitB is capable of manipulating the communication flow of various

browser componentso most common MitB attack techniques based on hooking used by bots:

• Form-grabbing• WebInjects• WebFakes.

29

Man-in-the-Browser Attacks

30

DDoS

31

Best Botnet

32

Analytical Observations

33

Analytical Observations

• Malware authors are developing more sophisticated botnet designs by reusing and modifying existing botnet source codes.

34

Analytical Observations

• Communication channels of HTTP-based financial botnets are secured using gates

35

Analytical Observations

• Use of DGAs as a C&C communication mechanism has increased in last few years and we expect this trend to continue in the future

36

Analytical Observations

• the bots primarily target browsers to steal sensitive information pertaining to critical websites. Almost every HTTP-based botnet performs browser hooking to carry out nefarious tasks.

37

Analytical Observations

• distribution using automated exploit frameworks called browser exploit packs which exploit a specific vulnerability in browser components and download bots onto the user systems without their knowledge

38

Analytical Observations

• well-defined development APIs and plugin architecture frameworks which can be used to extend the functionalities of bots.

39

Analytical Observations

• use Windows built-in cryptographic APIs with custom encryption routines to avoid detection and further complicate any analysis.

40

Challenges

41

Challenges• HTTPS is an end-to-end security solution that

protects from Man-in-the-Middle (MitM) attack but it does not provide any protection against MitB attacks

42

Challenges• TFA does not protect from MitB attacks

o TFA raises the bar with respect to the ease of use of stolen authentication data, but TFA neither prevents the theft nor eliminates the data’s value.

43

Challenges• Developing signatures for IPS/IDS  for bot

detections fail to stop unknown malware (financial botnets) running in the wild. The thriving botnet ecosystem is proof of that

44

Solution and Conclusion

45

SolutionsTo defend against WebInject attacks

• One solution is to build an HTML/JavaScript-based webpage verification system that detects modifications that have happened when webpages are rendered in the browser.

46

SolutionsTo foil Form-grabbing attacks

• data is encrypted before it is exfiltrated by the bot from the infected system.

47

Solutionsto overcome malware detection VM

• building next-generation complete emulated environments by simulating the physical hardware including CPU, memory, etc.

48

Solutionsto protect enterprises against unknown

attacks

• data mining and machine learning can play a vital role ,but such solutions are still not able to cope with existing and emerging threats.

49

SolutionsOther

• understanding how one bot detects the presence of other boto ex:o if mutex names are used by SpyEye to detect Zeus bots, the same

patterns can be fed to end-user security solutions (anti-virus engines) to detect and eradicate the bots

50

SolutionsThe most important way

• Technology alone cannot protect users from all types of malicious attacks.

• Improved user education which instructs the user to understand the importance of safe surfing habits, best and secure ways to perform online banking, avoid visiting the destinations which they are not sure of, etc.

51

Q & A