Tumbling Down the Rabbit Hole:
Exploring the Idiosyncrasies of Botmaster Systems in a Multi-Tier Botnet Infrastructure
Chris Nunnery, Greg Sinclair, Brent ByungHoon Kang
University of North Carolina at Charlotte
Wednesday, April 28, 2010
Our Work
Forensic investigation of botmaster components
Interpreting functionality and management using network traces and file-system artifacts
Obtained through ISP cooperation
Purpose
Refine notions of how advanced botnets are deployed and managed
Reveal mechanisms and techniques used to perform malicious activities
Expose the systems in the highest tiers, providing a complete view of Waledac's infrastructure
Overview
Context
Topology
Components and Deployment
Activities, Operations, and Management
Context
Waledac: a successor to Storm
Emerged mid-2008
Multi-tier architecture, single-tier peering
Leveraged for spamming, data harvesting, and phishing
Waledac's Components
Botmaster-deployed systems (1:6* ratio):
UTS (single system)
TSLs
Infected-host tiers (1:7* ratio):
Repeater Layer
Spammer Layer
*on average
Topology
4 layers, 2 sections
Infected-Host Tiers (layers 3 and 4)
Roles:
Local data harvesting, spamming
HTTP proxying, fast-flux DNS
Communication:
HTTP-based, similar to Storm
Limited P2P functionality
Certificates + AES
TSLs (layer 2)
Purpose:
Hide UTS from Repeaters
Initiate targeted spam campaigns
Configuration:
CentOS
ntp, BIND, PHP, nginx, proxychains
src (package archives) and pack (specific configs)
php_mailer
UTS (layer 1)
Purpose:
Autonomous C&C
Credentials repository
Hosts binaries and bootstrap lists
Monitors population and vitality statistics
Affiliates interface (FairMoney)
Interacts with underground 3rd parties (spamit.com, j-roger.com)
Configuration:
CentOS
Flat files, no central DB
CLI
Audit Methodology (@UTS layer)
ERP - Executable Request Proxy
Is a repeater hosting a particular file?
DR - Domain Response
Can a repeater resolve hellohello123.com?
A fast-flux domain without a .com TLD entry
request:
GET /readme.exe HTTP/1.0
Host: 99.56.197.58
reply:
HTTP/1.1 200 OK
Server: nginx/0.8.5
Date: Fri, 28 Aug 2009 09:26:11 GMT
Content-Type: application/octet-stream
Connection: close
Content-Length: 2
Last-Modified: Sun, 26 Jul 2009 10:49:55 GMT
Accept-Ranges: bytes

MZ
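Added example (not from the slides or their authors): a detection heuristic in Python that flags the ERP node-audit exchange shown above when it appears in captured HTTP traffic. The matching rules and the benign comparison capture are assumptions constructed from that single exchange, so tune them against real traces before relying on them.

```python
import ipaddress
import re

def parse_http(raw: bytes):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def is_erp_audit(request: bytes, reply: bytes) -> bool:
    """Flag the repeater-audit pattern from the slide: HTTP/1.0 GET of an .exe
    addressed to an IP-literal Host, answered 200 with a 2-byte 'MZ' body.
    The heuristic itself is an assumption built from that one exchange."""
    req_line, req_hdr, _ = parse_http(request)
    m = re.match(r"GET\s+(\S+)\s+HTTP/1\.0$", req_line)
    if not m or not m.group(1).lower().endswith(".exe"):
        return False
    try:
        ipaddress.ip_address(req_hdr.get("host", ""))  # Host is an IP, not a name
    except ValueError:
        return False
    status, rep_hdr, body = parse_http(reply)
    if " 200 " not in status or rep_hdr.get("content-length") != "2":
        return False
    return body.startswith(b"MZ")  # only the DOS-header magic is returned

# Constructed sample reproducing the exchange shown on the Audit Methodology slide.
AUDIT_REQUEST = b"GET /readme.exe HTTP/1.0\r\nHost: 99.56.197.58\r\n\r\n"
AUDIT_REPLY = (b"HTTP/1.1 200 OK\r\nServer: nginx/0.8.5\r\n"
               b"Date: Fri, 28 Aug 2009 09:26:11 GMT\r\n"
               b"Content-Type: application/octet-stream\r\nConnection: close\r\n"
               b"Content-Length: 2\r\nLast-Modified: Sun, 26 Jul 2009 10:49:55 GMT\r\n"
               b"Accept-Ranges: bytes\r\n\r\nMZ")
# Constructed benign download: a full executable from a named host over HTTP/1.1.
BENIGN_REQUEST = b"GET /setup.exe HTTP/1.1\r\nHost: downloads.example.org\r\n\r\n"
BENIGN_REPLY = (b"HTTP/1.1 200 OK\r\nServer: nginx/0.8.5\r\nContent-Length: 6\r\n\r\n"
                b"MZ\x90\x00\x03\x00")

if __name__ == "__main__":
    print("audit probe:", is_erp_audit(AUDIT_REQUEST, AUDIT_REPLY))    # True
    print("benign     :", is_erp_audit(BENIGN_REQUEST, BENIGN_REPLY))  # False
```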
Third-Party Repacking (@UTS layer)
crypt.j-roger.com and cservice.j-roger.com
UTS sends a POST to /api/apicrypt2/[16 hexadecimal digit hash] ... followed by a binary to repack
Repacked binaries returned in ~4 seconds
157 binaries repacked during a 2-hour observation
Monitoring @UTS
nginx Config (@TSL layer)
/mr.txt - list of repeater nodes; used for targeted spam proxying
/pr/ - partnerka; interface to obtain binaries; access affiliates program
/lm/ - access to the UTS control scripts
Affiliates (partnerka)
The FairMoney system
Developers create multiple versions of binaries with different affiliate IDs
Distribution (URLs) handled by 3rd parties
Pricing based on downloads and lifetime
Activities (malicious throughput)
Differentiated spamming:
High and Low quality (HQS/LQS)
Authenticated and targeted v. bulk
Data harvesting:
Network traffic (winpcap)
HDD scanning (email regex)
Differentiated Spamming
HQS (High Quality Spam):
Utilizes credentials to send authenticated mail (SMTP-AUTH)
'test' campaign
LQS (Low Quality Spam):
Autonomous, bulk, sent by spammer tier
Transmission success statistics are reported
LQS (low quality spam)
HQS (high quality spam)
Challenging Notions
Differentiated Spamming
3rd-Party Repacking
Node Auditing
Questions