Embed Size (px)
Citation preview
MURI Kickoff Welcome!MURI Kickoff Welcome!
• First, introductions… all around
• Some context and expectations We’re going to give some informal presentations about our plans
» Project just started, so few results yet Each will have a leader, but this is a collaborative effort so
expect everyone to chime in Please ask questions and give feedback anytime We’ll try to keep to schedule, but we can go where you want
Rough scheduleRough schedule
• 10:00-10:30 UCB/UCSD Project overview/programatics• 10:30-11:00 Botfarm and dynamic containment• 11:00-11:30 Automated binary analysis • 11:30-12:00 NLP of underground communications
• 12:00-1:30 Lunch
• 1:30-3:30 Wenke et al. (GATech/Umich/UCSB/Stanford)• 3:30-4:00 Break• 4:00-5:00 Feedback/brainstorming
3
Infiltration of Botnet Command & Control and
Support Ecosystems
MURI Kickoff 2009
PIs: Stefan Savage, Geoff Voelker (UCSD)Vern Paxson, Dawn Song and Dan Klein (UC Berkeley)
Key threat transformations Key threat transformations of the 21of the 21stst century century
• Efficient large-scale compromises Internet communications model Software homogeneity User naïveity/fatigue
• Control networks Cheap scalability for criminal applications
(e.g. spam, info theft, DDoS, etc) Platform economy
• Profit-driven applications Commodity resources
(IP, bandwidth, storage, CPU) Unique resources
(PII/credentials, data exfiltration)
4
PhilosophyPhilosophy
• Need to understand and impact botnets from “the inside” instead of simply via their external actions
• Address real adversary – real bots and real botmasters
• Botnet infiltration (SIGINT) Intelligence collection (what is the botnet doing?) Command injection (tell botnet to do this) Botnet disruption (shutdown and/or takeover botnet)
• Ecosystem intelligence (HUMINT) Data mining/NLP on underground Web/chat to infer social relationships
in the botnet ecosystem Who is supplying which resources, what are stress points, points of
attribution, etc
Botnet infiltrationBotnet infiltration
• Key idea: distributed C&C is a vulnerability Botnet authors like de-centralized communications for
scalability and resilience, but… … to do so, they trust their bots to be good actors If you can modify the right bots you can observe and influence
actions of the botnet via their communications
• We have done this once Infiltrated Storm P2P botnet Able to track everything botnet did and influence their actions But… one off, and hard to scale
6Kanich, Kreibich, Levchenko, Enright, Paxson, Voelker and Savage, Spamalytics: an Empirical Analysis of Spam Marketing Conversion, ACM CCS 2008
Botnet infiltration challengesBotnet infiltration challenges
• Obtaining and grooming bots (tricky in practice)• Safe execution environment
Must run bots, but contain their negative side-effects Fine-grained containment control via network, VMs, etc (informed by
past work on Potemkin/GQ honeyfarms) Especially must control scope of our “attacks”
• C&C extraction from botnet binaries Extract C&C protocol w/o extensive manual reverse-engineering Use to feed containment, attacks and C&C proxy
• Attack development and testing Passive, cooperatively active, adversarially active
• Legal/Policy issues
Ecosystem intelligenceEcosystem intelligence
• Key idea: botmasters and bot support ecosystem (clients, authors, cashiers, etc) social graph is implicit in underground communications
Underground forums, chat, etc Marketing, sales, requests, complaints, side-deals, etc By extracting this graph can relate actors to actions
• We have done something similar once Analyzed 9mos of #ccpower underground IRC data Extracted buyer/seller and pricing relationships Manual, error prone, no notion of specific actor
Franklin, Perrig, Paxson and Savage, An Inquiry in the Nature and Causes of the Wealth of Internet Miscreants,
ACM CCS 2007
• Pidgen/slang content (Eblish/ )• Extracting structure from short free-form agrammatical
elements• Identity aliasing and multiple identities/pseudonyms• Matching across multiple sources• Limited ground truth knowledge• Access to data
Ecosystem intelligence Ecosystem intelligence challengeschallenges
WU confirmercan confirm males and females have drops in usa AM VERIFIED MSG ME
i am boa cashout
have wells and boa logins and i need to good drop man .......ripper f#@! off
Have dropper for bots, all ie sploits
whos a good reg for fluxing?
Goal/evaluationGoal/evaluation
• Botnet infiltration Can safely execute new botnet software, while still becoming
members of live botnets Can efficiently extract botnet C&C Can decode and interpret all commands, inject new commands
(acted upon) and exploit bot vulnerabilities sucessfully Validate that attacks only impact bots inside containment
• Ecosystem intelligence Identify actor identities/attributes, inter-actor relationships, identify
supply chain relationships, transactions, and roles Validate automated mapping to human domain expert assessment Correlate with external ground-truth data from other studies
Milestones for this yearMilestones for this year
• Design work and prototype infrastructure for botfarm containment/grooming, demonstrate safe hosting of many bot families
• Prototype binary C&C extractor on one or more bots, output to feed containment network proxy (interpret C&C)
• Design work on ecosystem intelligence effort, dataset gathering and gathering of some “ground-truth” data (via botnet output, domain registration, spam campaigns, etc)
Other sponsors/supportersOther sponsors/supporters
• Funding and in-kind (data, equipment, access)
• Several more who decline to be identified (industry)
Education elementsEducation elements
• Student training in research Already have ~10 students involved in different aspects of
project (including 3 undergrads)
• Class integration Network security courses at Berkeley and UCSD Internet Crime course at UCSD
• Workforce development Talks/tutorials to industry Input to defense contractors in this space
Project managementProject management
• Tightly integrated group (many have 3-5yrs of experience working w/each other)
• Communication via weekly teleconference, students on IM, physical student exchanges
• Lead on each campus (Stefan, Vern) responsible for local organization issues, but we cross lines routinely
• We attempt to centralize sensitive 3rd-party data and protect it there (tricky issues wrt dual NDA negotiation)
• Advance legal review on any issues of risk• Educational issues delegated to each PI, excepting
distributed courses
Questions?Questions?
