turbot - a next generation botnet
DESCRIPTION
Turbot - A Next Generation Botnet presentation as given at Hackito Ergo Sum 2010 in Paris, France. Turbot is a proof-of-concept implementation of a botnet without a single point of failure over HTTP. Turbot communicates solely via message exchange on mutual writable resources such as websites with User Generated Content features.
TRANSCRIPT
![Page 1: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/1.jpg)
Page 1
Turbot
“Catch me if you can”
Itzik Kotler, Ziv Gadot, Security Operation Center (SOC)
![Page 2: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/2.jpg)
Agenda
• The Motivation
• The Turbot Botnet
• Demo
• Analysis
![Page 3: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/3.jpg)
Motivation
![Page 4: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/4.jpg)
Botnets Communication Future
Research scope
• Botnets communication
• Investigating futuristic C&C schemes
Methodology
• In order to understand where botnet communication is going, we need to understand its existing problems first.
![Page 5: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/5.jpg)
Recent Botnets Dynamics
Recent botnets
• New botnets are mostly HTTP or P2P
• Some come with new techniques
Conficker
• Conficker A,B,C: HTTP-based
– 500 new domain names are generated every day using a PRNG
• Conficker D,E: P2P
Conficker attempts to achieve
• SPOF resiliency
• Blend in common traffic
![Page 6: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/6.jpg)
SPOF Resiliency
Single Point Of Failure (SPOF)
• The ability to totally shut down the C&C by stopping a single set of resources
SPOF Resiliency
• A merit of a C&C which has, or aims at having, no SPOF
Known technologies
• P2P (decentralized)
• Conficker PRNG domain names – failed
![Page 7: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/7.jpg)
Blend into Common Traffic
Use the most common protocols/methods for the C&C
Ultimately
• HTTP/HTML
• Client initiates requests
• Legitimate sites
Advantages
• Pass organization security policy
• Firewall/NAT issues
• Minimizes potential network fingerprint
![Page 8: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/8.jpg)
SPOF Res vs. Blend In
[Chart: botnets plotted on two axes, "Blending in common traffic" (Poor to Excellent) against "SPOF Resiliency" (Poor to Excellent), grouped as Early Botnets, P2P Botnets, HTTP Botnets and NG Botnets. Plotted examples: Trin00 (1999), Agobot (2004), PathBot (2004), Rustock (2006), Storm (2007), Black Energy 1.7 (2007), Conficker A,B,C (2008), Twitter Botnet (2008), Kraken (2008), Conficker D,E (2009). The corner that is excellent on both axes is marked "Vacuum! Is it possible?", and that is where Turbot is placed.]
![Page 9: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/9.jpg)
Turbot Protocol
![Page 10: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/10.jpg)
Introducing: Turbot
Turbot is a proof-of-concept implementation of a botnet without a single point of failure over HTTP.
Turbot communicates solely via message exchange on mutual writeable resources such as websites with User Generated Content features.
![Page 11: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/11.jpg)
Internet Clipboard
– Functionality
• Copies any data to a specific URL to later paste on a different host
• Also supports files and pictures
– Examples
• www.cl1p.net
• www.padfly.com
• www.pastebin.com
– Accessibility
• No CAPTCHA, no login, since the service needs to be quick
![Page 12: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/12.jpg)
Disposable E-mail Addressing (DEA)
• Functionality
– A disposable e-mail address used to avoid being spammed
– The user can choose any e-mail address within given domains, provide it, and later fetch e-mail messages
• Examples
– www.mailinator.com
– www.guerrillamail.com
– www.spamex.com
• Accessibility
– CAPTCHA, if at all, only when deleting a message
– Sending the e-mail message can also be done by Web services (mostly offering to send large attachments easily)
![Page 13: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/13.jpg)
User Generated Content
• Functionality
– User comments, mostly on news sites and blogs
• Examples
– www.moconews.net
– www.sofiaecho.com
• Accessibility
– Many services are protected with CAPTCHA, login or active moderation; however, a significant number are not protected.
– It is expected that the comment be relevant to its location
• The message can be encoded in the User Site field (if supported), or it can be encoded in a link within the message.
![Page 14: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/14.jpg)
and even URL Shortening
• Functionality
– Takes a long URL and generates a short one to replace it. Purposes:
• To prevent broken links in e-mail
• To send links on Twitter
• Examples
– www.tinyurl.com
– www.dwarfurl.com
– www.snipurl.com
• Alternative usability
– Compression service: a long message encoded as a URL is compressed to a very short URL.
![Page 15: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/15.jpg)
Resources to Room Division
[Diagram: resources such as www.cl1p.net, www.mailinator.com, www.pastebin.com, … each provide rooms; the rooms of all resources together form the Room Space.]
![Page 16: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/16.jpg)
A Room Example
[Diagram: among the resources www.cl1p.net, www.mailinator.com, www.pastebin.com, …, one room is www.cl1p.net/foobar; all such rooms make up the Room Set.]
![Page 17: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/17.jpg)
Private Room
[Diagram: across the resources www.cl1p.net, www.mailinator.com, www.pastebin.com, …, the Bot Master and a Bot share a Private Room that is 1. unknown to others and 2. secured.]
![Page 18: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/18.jpg)
What’s a Private Room?
• A unicast channel between the bot master and a given bot
• Benefits
– Allows the bot master to communicate with a single bot at a given time over a secure channel
– Allows the bot master to form a sub-group within the botnet by communicating a message to a selected number of bots (each in their private room)
– Isolates the bots from each other: a single bot can’t take down the botnet due to lack of knowledge about other bots’ existence, locations and/or resources
![Page 19: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/19.jpg)
Turbot I/O: Message
Turbot I/O is based on the HTTP protocol and allows writing and reading of messages off resources. Reading is usually a periodic GET request to the resource/room and parsing of the HTTP response, and writing is usually a single POST to the resource/room.
[Diagram: the Bot Master and a Bot share the mutual resource http://cl1p.net/foobar; the reading side issues repeated HTTP GET requests while the writing side issues a single HTTP POST.]
![Page 20: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/20.jpg)
Negotiating a Private Room
[Diagram: Lobby Space and Private Room Space between the Bot Master and the Bot]
1. Private Room Selection
• Bot randomizes a private room
• Private room is permanent
• Bot puts a handshake BOT HELLO message (encrypted with Bot Master public key) in it
• Message includes a common secret
![Page 21: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/21.jpg)
Negotiating a Private Room
2. Invitation publish
• Bot prepares an invitation
• Invitation includes the private room ID
• Encrypted with Bot Master private key
• Bot publishes the invitation in the lobby
• Periodically the Bot randomizes a room in the lobby
• Publishes the invitation in that room
![Page 22: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/22.jpg)
Negotiating a Private Room
3. Looking for an invitation
• Bot Master periodically looks for an invitation
• Randomizes a room in the Lobby
• Checks for a message in that room
• Bingo – an invitation is found
![Page 23: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/23.jpg)
Negotiating a Private Room
4. Meeting in the Private Room
• Bot Master decrypts the message
• It fetches the private room ID
• It meets the Bot in the private room and completes the handshake
![Page 24: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/24.jpg)
Turbot Demo
![Page 25: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/25.jpg)
Turbot Project & Source Repository
Written in Python and intended to be tinkered with, modified and generally experimented on.
http://code.google.com/p/turbot
![Page 26: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/26.jpg)
Turbot Analysis
![Page 27: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/27.jpg)
Technology vs. Problems
(V = the technology copes with the problem, X = it does not; the Turbot column is filled in later)

| Problem | IRC | P2P | HTTP | Turbot |
|---|---|---|---|---|
| Blend in common traffic | | | | |
| Corporate-policy blocking | X | X | V | |
| Network footprint detection | V | X | V | |
| Firewall and NAT issues | V | X | V | |
| SPOF | | | | |
| Takedown Actions | X | V | X | |
| Blacklisting (IP,URL) | X | V | X | |
![Page 28: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/28.jpg)
Technology vs. Problems

| Problem | IRC | P2P | HTTP | Turbot |
|---|---|---|---|---|
| Blend in common traffic | | | | |
| Corporate-policy blocking | X | X | V | |
| Network footprint detection | V | X | V | |
| Firewall and NAT issues | V | X | V | |
| SPOF | | | | |
| Takedown Actions | X | V | X | |
| Blacklisting (IP,URL) | X | V | X | |
| Efficiency | | | | |
| Interrupting communication | | | | |
![Page 29: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/29.jpg)
Communication Efficiency
Assuming:
• Each Bot posts 1 invitation per hour
• Bot-Master scans 1 room per minute
• Botnet size is 10,000
• Lobby size is 100,000
Then
• Each bot posts 720 messages per month
• All bots post 7,200,000 messages per month
• The Bot-master will add a new Bot every minute, ~10,000 per week
[Simulator screenshot]
![Page 30: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/30.jpg)
Corporate-Policy Traversal
• HTTP is always open
• Turbot does not use HTTPS
• Turbot does not use problematic sites (for example, anonymizers)
No corporate-policy issues are expected
![Page 31: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/31.jpg)
Network Footprint
The usage of HTTP and HTML makes each message a very common one.
Even so, it is possible that the Turbot HTTP implementation will have a unique footprint.
• Example: sending “Turbot 1.0” in the “User-Agent” header
Solution:
• Turbot should use common libraries such as IE and FF
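The two footprints this slide and the I/O slide leave behind, a non-browser User-Agent and periodic GET polling of a paste-style room, are what a proxy-log detection would key on. The following is an added example from the defender's side, not code from the Turbot project; the log format, the `WATCHLIST` of hosts (taken from the resource slides) and the regularity threshold are assumptions, and the log lines are constructed.

```python
import re
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic): time, client, method, URL, User-Agent.
# 10.0.0.5 polls one room every five minutes with a non-browser agent; 10.0.0.7 is a
# browser reading pastes at irregular times.
SAMPLE_LOG = """\
2010-04-09T10:00:00 10.0.0.5 GET http://cl1p.net/foobar "Turbot 1.0"
2010-04-09T10:05:00 10.0.0.5 GET http://cl1p.net/foobar "Turbot 1.0"
2010-04-09T10:10:00 10.0.0.5 GET http://cl1p.net/foobar "Turbot 1.0"
2010-04-09T10:15:00 10.0.0.5 GET http://cl1p.net/foobar "Turbot 1.0"
2010-04-09T10:02:13 10.0.0.7 GET http://www.pastebin.com/abc "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
2010-04-09T10:41:50 10.0.0.7 GET http://www.pastebin.com/xyz "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
2010-04-09T11:03:05 10.0.0.7 GET http://www.pastebin.com/qrs "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
2010-04-09T11:59:40 10.0.0.7 GET http://www.pastebin.com/tuv "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
"""
# Mutual-resource hosts named in the slides; a real deployment would keep its own list.
WATCHLIST = {"cl1p.net", "padfly.com", "pastebin.com", "mailinator.com", "guerrillamail.com",
             "spamex.com", "tinyurl.com", "dwarfurl.com", "snipurl.com"}
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the assumed format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = urlsplit(m.group(4)).hostname or ""
        host = host[4:] if host.startswith("www.") else host
        records.append({"time": datetime.fromisoformat(m.group(1)), "client": m.group(2),
                        "method": m.group(3), "host": host, "ua": m.group(5)})
    return records


def odd_user_agents(records):
    """(client, UA) pairs whose User-Agent is not a browser-style 'Mozilla/...' string."""
    return {(r["client"], r["ua"]) for r in records if not r["ua"].startswith("Mozilla/")}


def beaconing(records, min_requests=4, max_cv=0.2):
    """(client, host) pairs that GET a watchlisted host at near-constant intervals; the
    regularity measure is the coefficient of variation (stdev/mean) of the request gaps."""
    by_pair = {}
    for r in records:
        if r["method"] == "GET" and r["host"] in WATCHLIST:
            by_pair.setdefault((r["client"], r["host"]), []).append(r["time"])
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[pair] = avg  # mean polling interval in seconds
    return flagged
```

The browser client is excluded by the regularity test rather than by the watchlist alone, which is the point: a paste site on the list is not evidence by itself, periodic polling of one room is.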
![Page 32: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/32.jpg)
Firewall/NAT Issues
• Turbot doesn’t open a port
• Turbot always initiates the connection
• HTTP is the most supported and reliable protocol
No firewall or NAT issues are expected
![Page 33: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/33.jpg)
Takedown Actions
• Whole sites – impossible, they are legitimate.
• Take down the Lobby or the Room Space – too large
• Take down the room in which there is activity – too difficult to identify and be certain
![Page 34: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/34.jpg)
Blacklisting
Turbot spans many resources. If at all, whole domains of legitimate services will have to be blocked in order to block the botnet. The percentage of organizations that can do so is very small.
![Page 35: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/35.jpg)
Communication Interrupting
• Security agents can delete messages in the Lobby
• The security agents are competing with
– Botnet size – usually more powerful than the legitimate network
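The race this slide describes can be put in numbers using the assumptions of the Communication Efficiency slide. What follows is an added expected-value model, not Turbot's own simulator; it assumes that an invitation stays in a lobby room until a defender clears it, that bots, bot master and defender all pick lobby rooms uniformly at random, and it additionally counts distinct bots, which the slide's weekly figure does not.

```python
"""Expected-value model of the lobby race (added analysis, not Turbot code).
Per minute the botnet drops `inflow` invitations into random lobby rooms, the bot
master probes `probes_per_min` random rooms, and a defender clears `clean_per_min`
random rooms. The lobby size cancels out of the steady state."""


def inflow_per_min(botnet_size, posts_per_bot_per_hour=1.0):
    """Invitations posted into the lobby per minute by the whole botnet."""
    return botnet_size * posts_per_bot_per_hour / 60.0


def steady_state_occupancy(botnet_size, clean_per_min=0.0, posts_per_bot_per_hour=1.0):
    """Fraction p of lobby rooms holding an invitation once posting and cleaning balance.
    Each minute inflow*(1-p) empty rooms become occupied and clean*p occupied rooms are
    cleared, so p = inflow / (inflow + clean). With no cleaning the lobby saturates (p = 1)."""
    inflow = inflow_per_min(botnet_size, posts_per_bot_per_hour)
    if inflow + clean_per_min == 0:
        return 0.0
    return inflow / (inflow + clean_per_min)


def master_hits_per_min(botnet_size, probes_per_min=1.0, clean_per_min=0.0,
                        posts_per_bot_per_hour=1.0):
    """Invitations the bot master finds per minute: each probe succeeds with probability p."""
    p = steady_state_occupancy(botnet_size, clean_per_min, posts_per_bot_per_hour)
    return probes_per_min * p


def cleaning_needed(botnet_size, target_hits_per_min, probes_per_min=1.0,
                    posts_per_bot_per_hour=1.0):
    """Rooms a defender must clear per minute to hold the master at the target hit rate
    (invert p = inflow / (inflow + clean) for clean)."""
    p = target_hits_per_min / probes_per_min
    inflow = inflow_per_min(botnet_size, posts_per_bot_per_hour)
    return inflow * (1.0 - p) / p


def expected_distinct_bots(botnet_size, hits):
    """Distinct bots enrolled after `hits` found invitations when each invitation comes
    from a uniformly random bot (coupon-collector expectation): N * (1 - (1 - 1/N)**hits)."""
    return botnet_size * (1.0 - (1.0 - 1.0 / botnet_size) ** hits)
```

With no cleaning the model reproduces the slide's one hit per minute; holding the master to one hit every ten minutes requires clearing roughly 1,500 lobby rooms per minute, which is the capacity comparison the slide is pointing at.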
![Page 36: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/36.jpg)
Technology vs. Problems

| Problem | IRC | P2P | HTTP | Turbot |
|---|---|---|---|---|
| Blend in common traffic | | | | |
| Corporate-policy blocking | X | X | V | V |
| Network footprint detection | V | X | V | V |
| Firewall and NAT issues | V | X | V | V |
| SPOF | | | | |
| Takedown Actions | X | V | X | V |
| Blacklisting (IP,URL) | X | V | X | V |
| Efficiency | | | | V |
| Interrupting communication | | | | V |
![Page 37: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/37.jpg)
Turbot Demerits
Message time
• Messages are fetched by the recipient by pulling from a common resource.
• Time depends on the pulling frequency and is not instant.
• Workarounds
– Each message will contain a “next message time”
![Page 38: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/38.jpg)
How Can Turbot Be Stopped?
Adding CAPTCHA or Login to Web services
![Page 39: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/39.jpg)
Questions & answers
![Page 40: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/40.jpg)
Appendix
![Page 41: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/41.jpg)
Appendix Content
Additional Features
• Indirect Access
• Handle Bogus Bots
Additional Analysis
• Private Channels
![Page 42: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/42.jpg)
Indirect Access
Problem
• Slaves accessing the Web leave their identity
Solution
• Indirect access using online site translation services
– Examples: Google Translate, Yahoo Babel Fish, Windows Live Translator
![Page 43: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/43.jpg)
Handle Bogus Bots
The attack
• Security vendors can create numerous virtual bots to slow down communication.
Solution
• Require each bot to perform an action that will distinguish the majority of the real zombies from the bogus ones.
– Computational work in the form of solving a cryptologic puzzle.
– Legal complication – ask the bot to take some verifiable illegal action which will complicate it. Security vendors cannot allow this.
![Page 44: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/44.jpg)
Private Channels
Turbot is unique in having private channels
Pros
• The main reason: part of the no-SPOF requirement.
• Better control of the Botnet, especially when selling/renting.
Cons
• Bot-master has to invest labor in the C&C
– Broadcast over Unicast can be simulated
![Page 45: Turbot - A Next Generation Botnet](https://reader033.vdocuments.mx/reader033/viewer/2022052620/557624b2d8b42a4e1c8b4f51/html5/thumbnails/45.jpg)
The End