
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks

Over the last decade botnets survived by adopting a sequence of
increasingly sophisticated strategies to evade detection and
takeovers, and to monetize their infrastructure. At the same time, the
success of privacy infrastructures such as Tor opened the door to
illegal activities, including botnets, ransomware, and a marketplace
for drugs and contraband. We contend that the next waves of botnets
will extensively attempt to subvert privacy infrastructure and
cryptographic mechanisms. In this work we propose to preemptively
investigate the design and mitigation of such botnets. We first
introduce OnionBots, what we believe will be the next generation of
resilient, stealthy botnets. OnionBots use privacy infrastructures for
cyber attacks by completely decoupling their operation from the
infected host IP address and by carrying traffic that does not leak
information about its source, destination, and nature. Such bots live
symbiotically within the privacy infrastructures to evade detection,
measurement, scale estimation, observation, and in general all
current IP-based mitigation techniques. Furthermore, we show that with
an adequate self-healing network maintenance scheme, that is simple to
implement, OnionBots can achieve a low diameter and a low degree and
be robust to partitioning under node deletions. We develop a
mitigation technique, called SOAP, that neutralizes the nodes of the
basic OnionBots. In light of the potential of such botnets, we
believe that the research community should proactively develop
detection and mitigation methods to thwart OnionBots, potentially
making adjustments to privacy infrastructure.


Amirali Sanatinia

June 30, 2015


  1. OnionBots: Subverting Privacy Infrastructure for Cyber Attacks
     Amirali Sanatinia, Guevara Noubir
     College of Computer and Information Science, Northeastern University, Boston, MA

  2. Motivation
     • Abusing privacy infrastructure
       – Tor Hidden Services
     • Recent examples of abuse of privacy infrastructure and technology
       – Silk Road, Cryptolocker, Zeus 64, Chewbacca botnet
     • Infected devices can set up a botnet through Tor Hidden Services
       – No nodes know the IP/location of others
       – C&C can be anywhere

  3. Outline
     • Evolution of botnets and their shortcomings
     • Review of Tor and Hidden Services
     • OnionBots
       – Life Cycle
       – C&C Communication
       – Dynamic Distributed Self Repairing (DDSR)
       – Sybil Onion Attack Protocol (SOAP)

  4. Evolution of Botnets
     • Popular for denial of service attacks, spam, click frauds, bitcoin mining, stealing sensitive information, and other malicious activities
     • Communications between botmaster & bots (C&C)
       – Centralized -> P2P; HTTP or IRC
       – Fast Flux, Double Flux to randomize the IP addresses
       – Domain Generation Algorithms (DGA)
     • Various technical mitigations
       – Limited by problems of jurisdiction

  5. Centralized
     • Easy to build and maintain
     • Single point of failure
     • Does not scale
     • Easy to detect and mitigate
     • Analysis of traffic
     • Clustering of the hosts

  6. Fast-flux
     • Mapping numerous IP addresses associated with a single fully qualified domain name (FQDN)
     • Single-flux
       – multiple nodes registering and de-registering as the DNS A record
     • Double-flux
       – More sophisticated
       – multiple nodes registering and de-registering as the DNS Name Server (NS) record
     • Can be neutralized by taking over the domain

  7. DGA
     • Periodically generating domain names, used as rendezvous point
     • Once a sample is obtained it becomes easier to block
     • Conficker.a and .b are prime examples
     • E.g., zffezlkgfnox.net
     • Can be blocked using patterns in the domains

  8. Tor
     • Most widely used anonymity network
     • Based on onion routing of packets
     • Hidden services (HS) provide anonymity for the servers
     • Silkroad and Cryptolocker are prime examples
     • It is possible to block access to a single HS with sufficient resources

  9. Tor Hidden Services

  10. Tor Hidden Services

  11. OnionBot: a Crypto-based P2P Botnet
      • Typical botnet lifecycle
        – Infection: phishing, spam, remote exploits, drive-by-download or zero-day vulnerabilities
        – Rally or bootstrapping: join the botnet
        – Wait for commands
        – Execution
      • OnionBot key features
        – Similar lifecycle
        – Fully decoupled from IP addresses: only .onion addresses
        – Self-healing P2P network on top of Tor
        – Temporary knowledge of neighbors' .onion addresses
        – Indistinguishable traffic: control, data, src/dst, from random
        – Access for botmaster from any bot through hidden services

  12. Botnet as a Service
      • Provide a stealthy virtual machine
        – Time-limited access tokens from botmaster
        – Accessible through Hidden Services
      • Payment with Bitcoins + mixing

  13. C&C Communications in OnionBot
      • All bots know OnionBot master's public key
      • Communicate through flooding over P2P net
      • Unicast communications are indistinguishable from random noise (Elligator crypto keys)
      • Bots periodically change their .onion address
      • Bots report .onion address key-seed to botmaster

  14. Maintaining the OnionBot Graph
      • Dynamic Distributed Self Repairing (DDSR)
        – Based on Neighbors of Neighbor technique + pruning + forgetting
        – When a node is deleted, each pair of its neighbors will form an edge
        – To maintain a low degree, a node deletes the highest degree node from its peer list
        – New .onion address is generated based on a secret key and time

  15. Pruning vs No-Pruning

  16. DDSR in Action

  17. DDSR Properties
      • Low diameter, degree, resiliency to nodes deletions,

  18. Targeting OnionBots
      • Denial of Service attack against .onion addresses
      • Does not scale
      • Needs prior knowledge of the .onion domains
      • More long term approaches:
        – CAPTCHAs
        – Throttling entry guards
        – Reusing failed partial circuits

  19. Sybil Onion Attack Protocol (SOAP)

  20. Conclusion
      • Next Generation of Botnets:
        – Subvert privacy infrastructures
        – Strong cryptographic blocks
        – Resilient and dependable network formations and maintenance
        – Tor for hiding the traffic
        – Bitcoin for anonymous payments


  22. Interests in OnionBots
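
Slide 7 notes that DGA rendezvous names can be blocked using patterns in the domains. The following is an added example, not taken from the deck or the paper, of one such pattern check run over a constructed resolver log; the thresholds, function names and log layout are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")

def label_features(domain):
    """Features of the second-level label (simplification: no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    n = len(label)
    letters = [c for c in label if c.isalpha()]
    entropy = -sum((k / n) * math.log2(k / n) for k in Counter(label).values()) if n else 0.0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    run = longest = 0
    for c in label:
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest = max(longest, run)
    return n, entropy, vowel_ratio, longest

def looks_generated(domain):
    """Flag labels of 8+ chars that trip at least two of three assumed heuristics."""
    n, entropy, vowel_ratio, longest = label_features(domain)
    hits = (entropy >= 3.0) + (vowel_ratio < 0.25) + (longest >= 4)
    return n >= 8 and hits >= 2

def suspect_clients(dns_log, min_hits=3):
    """Clients with >= min_hits distinct generated-looking names answered NXDOMAIN."""
    seen = defaultdict(set)
    for client, qname, rcode in dns_log:
        if rcode == "NXDOMAIN" and looks_generated(qname):
            seen[client].add(qname)
    return {c: sorted(names) for c, names in seen.items() if len(names) >= min_hits}

# Constructed sample resolver log: (client, query name, response code).
SAMPLE_LOG = [
    ("10.0.0.5", "zffezlkgfnox.net", "NXDOMAIN"),  # example name from slide 7
    ("10.0.0.5", "qxkjvbnwtrpl.net", "NXDOMAIN"),
    ("10.0.0.5", "xkqzpvhwjd.biz", "NXDOMAIN"),
    ("10.0.0.5", "wikipedia.org", "NOERROR"),
    ("10.0.0.9", "northeastern.edu", "NOERROR"),
    ("10.0.0.9", "torproject.org", "NOERROR"),
    ("10.0.0.9", "oldintranet.example", "NXDOMAIN"),
]

if __name__ == "__main__":
    for client, names in suspect_clients(SAMPLE_LOG).items():
        print(client, names)
```

Lexical heuristics like these produce false positives on legitimate random-looking names, so the per-client NXDOMAIN count is what turns a weak per-name signal into a usable alert.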