OnionBots: Subverting Privacy Infrastructure for Cyber Attacks

Transcript

1. OnionBots:  Subver0ng  Privacy  Infrastructure   for  Cyber  A:acks   Amirali

    Sana0nia    Guevara  Noubir       College  of  Computer  and  Informa0on  Science   Northeastern  University,  Boston,  MA   1  

2. Mo0va0on   •  Abusing  privacy  infrastructure     –  Tor

    Hidden  Services   •  Recent  examples  of  abuse  of  privacy  infrastructure  and   technology   –  Silk  road,  cryptolocker,  Zeus  64,  Chewbacca  botnet   •  Infected  devices  can  setup  a  botnet  through  Tor   Hidden  Services   –  No  nodes  know  the  IP/loca0on  of  others   –  C&C  can  be  anywhere   2  

3. Outline   •  Evolu0on  of  botnets  and  their  shortcomings  

   •  Review  of  Tor  and  Hidden  Services   •  OnionBots   – Life  Cycle   – C&C  Communica0on   – Dynamic  Distributed  Self  Repairing  (DDSR)   – Sybil  Onion  A:ack  Protocol  (SOAP)   3  

4. Evolu0on  of  Botnets   •  Popular  for  denial  of  service

    a:acks,  spam,  click   frauds,  bitcoin  mining,  stealing  sensi0ve   informa0on,  and  other  malicious  ac0vi0es   •  Communica0ons  between  botmaster  &  bots  (C&C)   –  Centralized  -­‐>  P2P;  HTTP  or  IRC;     –  Fast  Flux,  Double  Flux  to  randomize  the  IP  addresses   –  Domain  Genera0on  Algorithms  (DGA)   •  Various  technical  mi0ga0ons   –  Limited  by  problems  of  jurisdic0on     4  

5. Centralized   •  Easy  to  build  and  maintain   • 

   Single  point  of  failure   •  Does  not  scale   •  Easy  to  detect  and  mi0gate   •  Analysis  of  traffic   •  Clustering  of  the  hosts   5  

6. Fast-­‐flux   •  Mapping  numerous  IP  addresses  associated  with  

   a  single  fully  qualified  domain  name  (FQDN)   •   Single-­‐flux   –  mul0ple  nodes  registering  and  de-­‐registering  as  the   DNS  A  record   •  Double-­‐flux   –  More  sophis0cated   –  mul0ple  nodes  registering  and  de-­‐registering  as  the   DNS  Name  Server  (NS)  record   •  Can  be  neutralized  by  taking  over  the  domain     6  

7. DGA   •  Periodically  genera0ng  domain  names,  used   as

    rendezvous  point   •  Once  a  sample  is  obtained  it  becomes  easier   to  block   •  Conficker.a  and  .b  are  prime  examples   •  E.g.,    zffezlkgfnox.net   •  Can  be  blocked  using  pa:erns  in  the  domains   7  

8. Tor   •  Most  widely  used  anonymity-­‐network   •  Based

    on  onion  rou0ng  of  packets   •  Hidden  services  (HS)  provides  anonymity  for   the  servers   •  Silkroad  and  Cryptolocker  are  prime  examples   •  It  is  possible  to  block  access  to  a  single  HS   with  sufficient  resources   8  

9. Tor  Hidden  Services   9  

10. Tor  Hidden  Services   10  

11. OnionBot:  a  Crypto-­‐based  P2P  Botnet   •  Typical  botnet  lifecycle

      –  Infec0on:  phishing,  spam,  remote  exploits,  drive-­‐by-­‐download   or  zero-­‐day  vulnerabili0es     –  Rally  or  bootstrapping:  join  the  botnet   –  Wait  for  commands   –   Execu0on   •  OnionBot  key  features   –  Similar  lifecycle   –  Fully  decoupled  from  IP  addresses:  only  .onion  addresses   –  Self-­‐healing  P2P  network  on  top  of  Tor   –  Temporarily  knowledge  of  neighbors  .onion  addresses   –  Indis0nguishable  traffic:  control,  data,  src/dst,  from  random   –  Access  for  botmaster  from  any  bot  through  hidden  services     11  

12. Botnet  as  a  Service   •  Provide  a  stealthy  virtual

     machine   – Time  limited  access  tokens  from  botmaster   – Accessible  though  HiddenServices   •  Payment  with  Bitcoins  +  mixing     12  

13. C&C  Communica0ons  in  OnionBot   •  All  bots  know  OnionBot

     master’s  public  key   •  Communicate  through  flooding  over  P2P  net   •  Unicast  communica0ons  are  indis0nguishable   from  random  noise  (Elligator  crypto  keys)   •  Bots  periodically  change  their  .onion  address   •  Bots  report  .onion  address  key-­‐seed  to   botmaster   13  

14. Maintaining  the  OnionBot  Graph   •  Dynamic  Distributed  Self  Repairing

     (DDSR)   – Based  on  Neighbors  of  Neighbor  technique  +   pruning  +  forgemng   – When  a  node  is  deleted,  each  pair  of  its  neighbors   will  form  an  edge   – To  maintain  a  low  degree,  a  node  deletes  the   highest  degree  node  from  its  peer  list   – New  .onion  address  is  generated  based  on  a   secret  key  and  0me   14  

15. Pruning  vs  No-­‐Pruning   15  

16. DDSR  in  Ac0on   16  

17. DDSR  Proper0es   •  Low  diameter,  degree,  resiliency  to  nodes

     dele0ons,     17  

18. Targe0ng  OnionBots   •  Denial  of  Service  a:ack  against  .onion

     addresses   •  Does  not  scale   •  Needs  prior  knowledge  of  the  .onion  domains   •  More  long  term  approaches:   – CAPTCHAs   – Thro:ling  entry  guards   – Reusing  failed  par0al  circuits   18  

19. Sybil  Onion  A:ack  Protocol  (SOAP)     •     

    19  

20. Conclusion   •  Next  Genera0on  of  Botnets:   – Subvert  privacy

     infrastructures   – Strong  cryptographic  blocks   – Resilient  and  dependable  network  forma0ons  and   maintenance   – Tor  for  hiding  the  traffic   – Bitcoin  for  anonymous  payments   20  

21. 21  

22. Interests  in  OnionBots     22