Title | Your Botnet is My Botnet: Analysis of a Botnet Takeover
Author | Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna
From | UCSB
Publishing | CCS '09
Year | 2009
Abstract | Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims. In this paper, we report on our efforts to take control of the Torpig botnet and study its operations for a period of ten days. During this time, we observed more than 180 thousand infections and recorded almost 70 GB of data that the bots collected. While botnets have been "hijacked" and studied previously, the Torpig botnet exhibits certain properties that make the analysis of the data particularly interesting. First, it is possible (with reasonable accuracy) to identify unique bot infections and relate that number to the more than 1.2 million IP addresses that contacted our command and control server. Second, the Torpig botnet is large, targets a variety of applications, and gathers a rich and diverse set of data from the infected victims. This data provides a new understanding of the type and amount of personal information that is stolen by botnets.
Summary |
1. Introduction (Approach)
2. Torpig Infrastructure and Background
 (1) Background
 (2) Domain Flux
 (3) Taking control of the botnet
3. Botnet Analysis
 (1) Stolen Data
 (2) Botnet Size
Note | This is an interesting paper because it contains a live analysis of sensitive data harvested from machines infected by a real botnet, captured as the bots uploaded it. It is also impressive that the authors performed an active infiltration, impersonating the C&C server, in order to take over the botnet. The takeover relied on Torpig's domain flux: bots compute the C&C domain names from the current date, and the authors registered upcoming domains before the botmasters did. The paper discusses Torpig, one of the notorious botnets, which was widely prevalent around the world in 2009. The authors aimed at a comprehensive understanding of Torpig, covering the infection path, static and dynamic analysis by reverse engineering, and analysis of the collected (stolen) data from diverse perspectives.
Tag: Malware
Malware and its Use of Implemented Anonymous Networks
The anonymity networks below are real, deployed implementations; malware can use them to hide the trace of its command-and-control traffic.
Tor works as follows:
a. A client joining the Tor network first obtains the list of relays (the directory consensus) from a directory node and chooses the relays for its path.
b. The client negotiates a separate session key with each relay on the path using a Diffie-Hellman key exchange, extending the circuit one hop at a time; the links between relays are carried over TLS (TLSv1 at the time of writing).
c. The client encrypts every cell in layers, one layer per relay, with those session keys; the routing information (the next hop) sits inside each layer. Each relay strips exactly one layer, so an intermediate relay learns only the node the traffic came from and the node it forwards to. The exit relay sees the destination and the application data (in the clear unless the application itself uses TLS) but not the originator, so no single relay can trace the traffic back to its source.
d. The client builds several circuits in advance and switches to a new circuit once the old one is retired.
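As an added illustration (example code written for this page, not part of the original text or of Tor itself), the following Python simulates steps b to d for a three-relay circuit. The per-hop session keys are simply generated where Tor would derive them from Diffie-Hellman, a toy HMAC-SHA256 counter-mode stream cipher stands in for AES, and the relay names, destination and payload are constructed. It shows why the guard and middle relays cannot learn the destination while the exit cannot learn who the client is.

```python
import hashlib
import hmac
import os


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode. Toy stream cipher so the example runs
    offline on the standard library; Tor uses AES-CTR for this role."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(8)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key, blob):
    nonce, ct = blob[:8], blob[8:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def wrap_layer(key, next_hop, inner):
    """One onion layer: [len][next_hop][inner], encrypted with this hop's key."""
    hop = next_hop.encode()
    return encrypt(key, len(hop).to_bytes(1, "big") + hop + inner)


def peel_layer(key, blob):
    """A relay removes its own layer and learns only the next hop and an opaque blob."""
    plain = decrypt(key, blob)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def build_onion(circuit, keys, destination, payload):
    """Innermost layer is for the exit (it learns destination and payload);
    each outer layer tells the earlier relay only which relay comes next."""
    onion = wrap_layer(keys[circuit[-1]], destination, payload)
    for i in range(len(circuit) - 2, -1, -1):
        onion = wrap_layer(keys[circuit[i]], circuit[i + 1], onion)
    return onion


def run_circuit(circuit, keys, destination, payload):
    """Forward the onion hop by hop and record what each relay can observe."""
    onion = build_onion(circuit, keys, destination, payload)
    views, prev = [], "client"
    for relay in circuit:
        next_hop, onion = peel_layer(keys[relay], onion)
        views.append({"relay": relay, "prev": prev, "next": next_hop, "inner": onion})
        prev = relay
    return views, onion  # after the exit peels its layer, `onion` is the cleartext payload


def demo():
    circuit = ["guard", "middle", "exit"]          # constructed relay names
    # Assumption: per-hop session keys are generated directly; Tor would
    # negotiate each one with Diffie-Hellman while extending the circuit.
    keys = {name: os.urandom(32) for name in circuit}
    return run_circuit(circuit, keys, "example.org:443", b"GET / HTTP/1.1\r\n")


if __name__ == "__main__":
    for view in demo()[0]:
        print(f"{view['relay']}: from {view['prev']} -> to {view['next']}")
```

Run it and each relay prints only its predecessor and successor; only the exit's "next" is the real destination, and only the exit's inner blob is readable.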
Freenet is a separate network that runs over the Internet. Unlike Tor, which is mainly used to reach the ordinary web anonymously, Freenet content can be accessed only from within Freenet: Freesites (websites hosted on Freenet), in-Freenet chat forums (FMS, Sone, etc.), files shared within Freenet, and in-Freenet email.
It is a large distributed data store: the more popular a file or page is, the more widely it is cached and the faster it downloads. Given the appropriate key, Freenet returns the file the user requested. On Windows the node's local store lives at C:\Users\[UserID]\AppData\Local\Freenet\datastore. As one would expect, the user has little or no control over which encrypted chunks of other people's content end up in that datastore folder, which matters for forensics.
Four different key types address content (CHK, SSK, USK and KSK), and they are accessed through the node's local web interface, FProxy.
GNUnet is a project started in late 2001 with the goal of secure peer-to-peer networking. It uses an improved content encoding, ECRS (Encoding for Censorship-Resistant Sharing), as its censorship-resistant file-sharing scheme. According to the official website, it is a framework for secure peer-to-peer networking that does not use any centralized database.
GNUnet mainly focuses on anonymous, censorship-resistant file sharing, and its documentation recommends Tor for anonymous access to the ordinary web. It provides anonymity by:
. making messages originating from a peer indistinguishable from messages that the peer is merely routing;
. having every peer act as a router, using link-encrypted connections with stable bandwidth utilization.
It is comparable to Tor in purpose but limited to anonymous file sharing: search, swarming and caching.
I2P, begun in 2003, is an anonymizing low-latency mix network. According to its designers, the goal is to produce a low-latency, fully distributed, autonomous, scalable, anonymous, resilient and secure network. All data is wrapped in several layers of encryption end to end; I2P calls this garlic routing (onion routing extended so that several messages can be bundled into one encrypted "garlic"). I2P consists of a set of nodes ("routers"), each with a number of unidirectional inbound and outbound virtual paths ("tunnels").
The network is both distributed and dynamic, with no trusted parties and no centralized resources. Moreover, it has its own internal network database (netDb, based on a modified Kademlia DHT) for distributing routing and contact information securely.
Experiment on the location of overwritten data on a victim machine
The malware behind what came to be called the "3.20 incident" (20 March 2013, South Korea) was destructive enough to hit financial institutions and broadcasters hard.
Many experts and organizations have already published analysis reports on the malware, but none seem to say how much damage it actually does to the hard disk, so here is a short posting. The experiment is very simple, but I hope it helps with data recovery.
This posting deals with a simple analysis of where the overwritten areas lie on an infected machine, which may be useful when planning a recovery.
* Steps
(1) Create a VMware virtual machine with a single 10 GB virtual disk holding one volume
(2) Install Windows XP SP3
(3) Take a snapshot immediately before infection
(4) Infect the machine; it shuts itself down and no longer boots, which gives the post-infection image
(5) Convert each image (snapshot and post-infection) to a raw image
(6) Compare the two raw images byte by byte
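To make step (6) concrete, here is an added Python example (written for this page, not the tool the author used) that streams two equal-sized raw images chunk by chunk, reports every overwritten region with its offset, length, start-to-start distance from the previous region and repeating fill string, and merges diff runs that were broken up where the fill happened to equal the old bytes. The images it runs on are constructed in a temporary directory; their layout (0x1000-byte blocks of "PRINCIPPES" at distances alternating between 0x30000 and 0x50000) only mimics the shape of the result and is not the real data.

```python
import hashlib
import os
import tempfile

MARKER = b"PRINCIPPES"  # fill string observed on the wiped disk


def iter_diff_runs(before_path, after_path, chunk_size=1 << 20):
    """Yield (offset, length) for each maximal run of differing bytes between
    two equal-sized raw images, streamed so multi-GB images fit in memory."""
    offset, run_start = 0, None
    with open(before_path, "rb") as fb, open(after_path, "rb") as fa:
        while True:
            b, a = fb.read(chunk_size), fa.read(chunk_size)
            if not b and not a:
                break
            if len(a) != len(b):
                raise ValueError("images must be the same size")
            if a == b:  # fast path: untouched chunk closes any open run
                if run_start is not None:
                    yield run_start, offset - run_start
                    run_start = None
            else:
                for i, (x, y) in enumerate(zip(a, b)):
                    if x != y and run_start is None:
                        run_start = offset + i
                    elif x == y and run_start is not None:
                        yield run_start, offset + i - run_start
                        run_start = None
            offset += len(a)
    if run_start is not None:
        yield run_start, offset - run_start


def merge_runs(runs, max_gap=64):
    """Join runs separated by fewer than max_gap unchanged bytes: where the
    fill equals the original content the diff shows a hole, not a boundary."""
    merged = []
    for start, length in runs:
        if merged and start - (merged[-1][0] + merged[-1][1]) < max_gap:
            merged[-1][1] = start + length - merged[-1][0]
        else:
            merged.append([start, length])
    return [tuple(r) for r in merged]


def repeat_unit(data, max_unit=64):
    """Smallest unit that repeats through the whole region (at least twice), else None."""
    for p in range(1, min(max_unit, len(data) // 2) + 1):
        if data[p:] == data[:len(data) - p]:
            return data[:p]
    return None


def analyze_images(before_path, after_path):
    """Describe each overwritten region: offset, length, start-to-start
    distance from the previous region, and its repeating fill if any."""
    regions, prev_start = [], None
    with open(after_path, "rb") as fa:
        for start, length in merge_runs(iter_diff_runs(before_path, after_path)):
            fa.seek(start)
            regions.append({
                "offset": start, "length": length,
                "period": None if prev_start is None else start - prev_start,
                "fill": repeat_unit(fa.read(length)),
            })
            prev_start = start
    return regions


def build_sample_images(directory, size=0x200000):
    """Constructed test data, not a real disk. The 'before' image is lowercase
    hex text (it never collides with the uppercase marker); the 'after' image
    has 0x1000-byte MARKER blocks at distances alternating 0x30000/0x50000."""
    before = b"".join(hashlib.sha256(i.to_bytes(4, "big")).hexdigest().encode()
                      for i in range(size // 64))
    after = bytearray(before)
    fill = (MARKER * (0x1000 // len(MARKER) + 1))[:0x1000]
    off, step = 0, 0x30000
    while off + 0x1000 <= size:
        after[off:off + 0x1000] = fill
        off += step
        step = 0x50000 if step == 0x30000 else 0x30000
    paths = [os.path.join(directory, n) for n in ("before.raw", "after.raw")]
    for path, data in zip(paths, (before, bytes(after))):
        with open(path, "wb") as f:
            f.write(data)
    return paths


def analyze_sample():
    """Build the constructed images in a temp dir and analyze them."""
    with tempfile.TemporaryDirectory() as d:
        return analyze_images(*build_sample_images(d))


if __name__ == "__main__":
    for r in analyze_sample():
        period = "-" if r["period"] is None else f"0x{r['period']:X}"
        print(f"0x{r['offset']:08X} len=0x{r['length']:X} period={period} fill={r['fill']}")
```

Point `analyze_images` at the two converted raw images from step (5) instead of the constructed ones; the `period` column then reproduces the alternating distances discussed in the results, and `fill` tells you which marker string each region carries.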
* Results
(1) Because a full binary comparison is time-consuming, I first compared the first 100 MB and found that the overwritten areas recur at a fixed interval. Curiously, from the start of the disk up to 0x330D9FFF (816 MB) the interval between consecutive overwritten areas alternated between 0x1BD000 (1,780 KB) and 0x3F6000 (4,056 KB), and from there up to 0xFFFFFFFF (4 GB) an overwritten area appeared once every 0x5B3000 (5,836 KB), the sum of the two. The length of each overwritten area (the repeated string "PRINCIPPES") was exactly 0x19000 (100 KB). Beyond 4 GB, up to the end of the disk, the pattern appeared fewer than 10 times in total and the areas were shorter.
[Table] Periodic distance of 0x1BD000 (1,780 KB) and 0x3F6000 (4,056 KB) in the address range 0x00000000 ~ 0x330D9FFF (816 MB)
[Table] Periodic distance of 0x5B3000 (5,836 KB) in the address range 0x330DA000 ~ 0xFFFFFFFF (4 GB)
(2) The malware (MD5: 9263E40D9823AECF9388B64DE34EAE54) first overwrites the MBR with "PRINCIPPES"; only 480 of the MBR's 512 bytes were overwritten. Other fill strings exist, but "HITA.." did not appear even once in this experiment. Immediately after the MBR, the first VBR (volume boot record), located at offset 0x7000 (sector 56) in this image, was overwritten as well.
[Figure] Destroyed MBR
[Figure] Destroyed data