Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Next Gen Botnet C&C

Next Gen Botnet C&C



September 30, 2015


  1. Botnets The future of Command and Control

  2. Obligatory XKCD

  3. What is Command and Control (C&C) Command and control servers

    are centralized machines that are able to send commands and receive output of machines that are part of a botnet.
  4. What is Command and Control (C&C) Command and control servers

    are centralized machines that are able to send commands and receive output of machines that are part of a botnet. Command and control is the act of communicating with a botnet. Ideally, the control mechanism should provide three things: Anonymity, Security, and Resilience.
  5. The first Botnets: IRC Still in wide use today. DorkBot,

    IRCBot.HI, RageBot and Phorpiex are some examples. Only as anonymous as the IRC server’s ISP. Can be trivially blocked by blocking IRC; so fails resilience test.
  6. The first Botnets: P2P Very few botnets still use P2P

    Basically each bot connects to another, to another, in a mesh layout. Still, generally requires some kind of directory server. More anonymous than IRC, but can be trivially blocked by port blocking and packet inspection.
  7. The first Botnets: HTTP About a third of botnets use

    HTTP Bots connect to a webserver. Not overly anonymous, and relatively easy to take out. Blacklist the IP and/ or domain, and use ISP logs to take action against operators.
  8. Modern Botnets: DGA DGA is a relatively new technique Generating

    the domain on the fly means it’s not tied to a specific host or IP. Similar to how RSA SecureID works. eg c37d819d0c4c16865e9519478897d5d4.com If the generation algorithm is cracked, all future domains can be blacklisted.
  9. Security. You’re doing it wrong.

  10. Modern Botnets: DGA redirect A new spin on DGA is

    implemented by malware including newer versions of Vawtrak. It uses DGA to get a domain, which then redirects to tor2web. A directory server is returned by the tor2web address. This allows the operators to hide behind the tor anonymity network. Tor2web becomes a single point of failure. Block it. Done.
  11. So how do we make it better?

  12. DGA of Onion Addresses An onion address is the first

    half of a SHA-1 of the public key. Need to generate that public key on the fly. First attempt; Hand the client the private key. • Generate a public key and hash based on a timestamp. • Connect to that onion. Sign the response with a second private key. • … • Profit. This approach is susceptible to impersonation, as the client will inherently have the private key. That being said, they would require an order of magnitude more servers than the bot herder.
  13. DGA of Onion Addresses Second Attempt, and credit to Julien

    Savoie, who came up with this idea. Generate onion addresses similar to the algorithm eschallot, scallion, and other vanity onion generators use. • The modulus is shared between private and public key. • The private key has a private exponent. • The public key has a public exponent. • Do DGA on e. ◦ 0xffffff + timestamp (rounded to nearest hour) (+1 if even) • … • Profit. The procedural generation of e allows multiple public keys for any given private key that changes at a known interval.
  14. Blocking DGA of .onion addresses There are a few approaches;

    • One would be a blacklist of the descriptors, if the algorithm generating them was reverse-engineered. • Another would be requiring a fixed value of e. This has been suggested before to deal with vanity onions. It is extremely unlikely to happen. • On the user's machine, an antivirus provider could feasibly block connections, and provide a scary “Opt-in to the darknet” button hidden away in the back of a config page.
  15. Blocking DGA of .onion addresses Other than that, you’d have

    to block TOR. Ask the Chinese government how easy that is...
  16. Anonymity Security Resilience The cornerstones of a successful Command and

    Control network.
  17. Let’s build a bulletproof C&C system. As it’s very difficult

    to unmask users, even for three letter agencies, TOR is fairly safe for sending commands, even if posted on the public internet. Security. That is, how secure is your command and control channel? Signed commands. Done. Resilience. How hard is it to take down your C&C system?
  18. Resilience How do you build a resilient C&C system? They

    already did.
  19. Resilience Social media is… • Ubiquitously available • Unlikely to

    be blocked at a massive scale The question is, how do you usurp their service? The key is, to yell things in public where everyone can see but no one will notice.
  20. DGA on a hashtag #winning #notreally The first, and obvious

    solution. A bot can look up #0421008445828ce or @b46f496700a5fa65e and run whatever commands are there. … But this is easy to combat. ([a-fA-F\d]{16})
  21. Hiding in plain sight Social networks deal with millions of

    messages per hour, and we want to hide in plain sight. The key is, writing a message (or a series of messages) that can't be detected automatically in a way that can be easily found.
  22. Where do we tweet? A completely random, unpredictable set of

    words that are publicly accessible. Trending hashtags.
  23. What does the bot look for? A bot has to

    know what to look for in a predictable yet not searchable way. Encode binary data in a markov chain of tweets which are syntactically valid, though often meaningless. @jzsavoie: “Bit pricey for the reality on deanonymizing hidden service website for me” @jzsavoie: “snooping, it's not a patched rabbit hole. And still an exit node problem."
  24. Markov Chains Take all tweets of a certain criteria (now

    trending for example) Analyze patterns in words. Regurgitate those patterns but encode a passphrase @jzsavoie: “Bit pricey for the reality on deanonymizing hidden service website for me” 010010101100 @jzsavoie: “snooping, it's not a patched rabbit hole. And still an exit node problem." 0000100010111
  25. Steganography Use the least significant bit of each pixel to

    encode data or commands. Use the profile picture, or a linked picture.
  26. Steganography Worst case, social networks begin randomizing the least significant

    bits. If that happened, one could simply encode data across many tweets. Or encode data in punctuation. There’s no shortage of ways to hide data.
  27. Is this happening now? How would you know? More importantly…

    how would you combat it?
  28. Questions / Heckling Botnets actually can melt steel beams. #conficker

    Email / XMPP: evan@evandentremont.com