109 research outputs found
Master of Puppets: Analyzing and Attacking a Botnet for Fun and Profit

A botnet is a network of compromised machines (bots) under the control of an attacker. Many of these machines are infected without their owners' knowledge, and botnets are the driving force behind several misuses and criminal activities on the Internet (for example, spam emails). Depending on its topology, a botnet can have zero or more command and control (C&C) servers, which are centralized machines controlled by the cybercriminal that issue commands and receive reports back from the co-opted bots.

In this paper, we present a comprehensive analysis of the command and control infrastructure of one of the world's largest proprietary spamming botnets between 2007 and 2012: Cutwail/Pushdo. We identify the key functionalities needed by a spamming botnet to operate effectively. We then develop a number of attacks against the command and control logic of Cutwail that target those functionalities and make the spamming operations of the botnet less effective. This analysis was made possible by having access to the source code of the C&C software, by setting up our own Cutwail C&C server, and by implementing a clone of the Cutwail bot. With the help of this tool, we were able to enumerate the number of bots currently registered with the C&C server, impersonate an existing bot to report false information to the C&C server, and manipulate the spamming statistics of an arbitrary bot stored in the C&C database. Furthermore, we were able to make the control server inaccessible by conducting a distributed denial of service (DDoS) attack. Our results may be used by law enforcement and practitioners to develop better techniques to mitigate and cripple other botnets, since many of our findings are generic and are due to the workflow of C&C communication in general.

First author draft
De-anonymizing BitTorrent Users on Tor

Some BitTorrent users are running BitTorrent on top of Tor to preserve their privacy. In this extended abstract, we discuss three different attacks to reveal the IP address of BitTorrent users on top of Tor. In addition, we exploit the multiplexing of streams from different applications into the same circuit to link non-BitTorrent applications to revealed IP addresses.

Comment: Poster accepted at the 7th USENIX Symposium on Network Design and Implementation (NSDI '10), San Jose, CA, United States (2010)
OnionBots: Subverting Privacy Infrastructure for Cyber Attacks

Over the last decade, botnets survived by adopting a sequence of increasingly sophisticated strategies to evade detection and takeovers, and to monetize their infrastructure. At the same time, the success of privacy infrastructures such as Tor opened the door to illegal activities, including botnets, ransomware, and a marketplace for drugs and contraband. We contend that the next waves of botnets will extensively subvert privacy infrastructure and cryptographic mechanisms. In this work we propose to preemptively investigate the design and mitigation of such botnets. We first introduce OnionBots, what we believe will be the next generation of resilient, stealthy botnets. OnionBots use privacy infrastructures for cyber attacks by completely decoupling their operation from the infected host's IP address and by carrying traffic that does not leak information about its source, destination, and nature. Such bots live symbiotically within the privacy infrastructures to evade detection, measurement, scale estimation, observation, and in general all current IP-based mitigation techniques. Furthermore, we show that with an adequate self-healing network maintenance scheme, which is simple to implement, OnionBots achieve a low diameter and a low degree and are robust to partitioning under node deletions. We developed a mitigation technique, called SOAP, that neutralizes the nodes of the basic OnionBots. We also outline and discuss a set of techniques that can enable subsequent waves of Super OnionBots. In light of the potential of such botnets, we believe that the research community should proactively develop detection and mitigation methods to thwart OnionBots, potentially making adjustments to privacy infrastructure.

Comment: 12 pages, 8 figures
Spying the World from your Laptop: Identifying and Profiling Content Providers and Big Downloaders in BitTorrent

This paper presents a set of exploits an adversary can use to continuously spy on most BitTorrent users of the Internet from a single machine and for a long period of time. Using these exploits for a period of 103 days, we collected 148 million IPs downloading 2 billion copies of contents. We identify the IP address of the content providers for 70% of the BitTorrent contents we spied on. We show that a few content providers inject most contents into BitTorrent and that those content providers are located in foreign data centers. We also show that an adversary can compromise the privacy of any peer in BitTorrent and identify the big downloaders, which we define as the peers who subscribe to a large number of contents. This infringement on users' privacy poses a significant impediment to the legal adoption of BitTorrent.
Fast Inverse Model Transformation: Algebraic Framework for Fast Data Plane Verification

Data plane verification (DPV) analyzes routing tables and detects routing abnormalities and policy violations during network operation and planning. Thus, it has become an important tool to harden the networking infrastructure and the computing systems built on top of it. Substantial advancements have been made in the last decade, and state-of-the-art DPV systems can achieve sub-microsecond verification for an update of a single forwarding rule.

In this paper, we introduce fast inverse model transformation (FIMT), the first theoretical framework to systematically model and analyze centralized DPV systems. FIMT reveals the algebraic structure in the model update process, a key step in fast DPV systems. Thus, it can systematically analyze the correctness of several DPV systems using algebraic properties. The theory also guides the design and implementation of NeoFlash, a refactored version of Flash with new optimization techniques. Evaluations show that NeoFlash outperforms existing state-of-the-art centralized DPV systems on various datasets and reveal insights into key techniques towards fast DPV.

Comment: 12 pages pre-referenc
One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users

Tor is a popular low-latency anonymity network. However, Tor does not protect against the exploitation of an insecure application to reveal the IP address of, or trace, a TCP stream. In addition, because of the linkability of Tor streams sent together over a single circuit, tracing one stream sent over a circuit traces them all. Surprisingly, it is unknown whether this linkability allows, in practice, tracing a significant number of streams originating from secure (i.e., proxied) applications. In this paper, we show that linkability allows us to trace 193% of additional streams, including 27% of HTTP streams possibly originating from "secure" browsers. In particular, we traced 9% of Tor streams carried by our instrumented exit nodes. Using BitTorrent as the insecure application, we design two attacks tracing BitTorrent users on Tor. We ran these attacks in the wild for 23 days and revealed 10,000 IP addresses of Tor users. Using these IP addresses, we then profile not only the BitTorrent downloads but also the websites visited per country of origin of Tor users. We show that BitTorrent users on Tor are over-represented in some countries as compared to BitTorrent users outside of Tor. By analyzing the type of content downloaded, we then explain the observed behaviors by the higher concentration of pornographic content downloaded at the scale of a country. Finally, we present results suggesting the existence of an underground BitTorrent ecosystem on Tor.
Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.

Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in report