bsidesroc
AGENDA
AGENDA
▸ Introduction
▸ Botnet Overview & History
▸ C2 Channels
▸ IRC C2
▸ IRC Inspired C2 Network
▸ Project Goals
▸ Demo
▸ Questions
▸ Special Thanks & References
2
INTRODUCTION
WHOAMI
▸ 4th Year BS/MS Computing Security RIT
▸ Former Tech-Lead and VP of RIT’s Competitive Cybersecurity Club (RC3)
▸ Captain of RIT’s 2015 CPTC Team
▸ Giving my first talk ever!!!!
3
INTRODUCTION
WHAT’S IN SCOPE
▸ Command and Control (C2) Servers
▸ C2 Channels
▸ Server-to-server communication
▸ Client check-in
4
INTRODUCTION
WHAT’S NOT IN SCOPE
▸ Clients in general
▸ Clients managing callback domains
▸ Secure storage of information on clients
▸ Reverse engineering to find callback locations
5
BOTNET OVERVIEW & HISTORY
WHAT ARE BOTNETS
▸ “A botnet is a number of Internet-connected computers communicating with other similar machines in which components located on networked computers communicate and coordinate their actions by command and control (C&C) or by passing messages to one another (C&C might be built into the botnet as P2P).” - Wikipedia
8
BOTNET OVERVIEW & HISTORY
WHAT ARE BOTNETS
▸ In other words, a network of computers that talk to each other or a server, which gives them instructions
▸ Malicious or benign
▸ Malicious: Zeus, the infamous banking malware
▸ Benign: http://setiathome.berkeley.edu/
9
BOTNET OVERVIEW & HISTORY
WHAT ARE USES FOR BOTNETS
▸ DDoS attacks
▸ Email spamming
▸ Seeding torrents from leaked documents
▸ Botnet as a Service (BaaS)
10
BOTNET OVERVIEW & HISTORY
BRIEF BOTNET HISTORY
▸ Bagle, 2004 - 230,000 nodes
▸ Conficker, 2008 - Millions of infected nodes, with a portion of them in the botnet
▸ Zeus, 2010 - 3,000,000+ in the US
11
BOTNET OVERVIEW & HISTORY
BOTNET TERMS
▸ Bot Master
▸ C2 Server
▸ Relay Node / Stepping Stone
▸ Bot / Zombie
12
BOTNET OVERVIEW & HISTORY
CLIENT-SERVER ARCHITECTURE
[Diagram: bot master at the top, three C2 servers below it, four relay nodes below those, and a row of bots at the bottom]
13
BOTNET OVERVIEW & HISTORY
BOT / ZOMBIE
▸ The malware that you have installed on the target
▸ Ideally in large numbers
▸ Will execute commands given by the C2 servers
15
BOTNET OVERVIEW & HISTORY
RELAY NODE / STEPPING STONE
▸ Forwards connections from bots to C2 servers
▸ Protects the real locations of the C2 servers
▸ Could be as simple as a SOCKS proxy
▸ Could be as complex as rotating through known domains
▸ Your bots must be tolerant of losing these connections
17
BOTNET OVERVIEW & HISTORY
C2 SERVER
▸ Holds commands from bot master
▸ Accepts connections from bots and dispenses commands
▸ Holds the files that will be downloaded by the bots
▸ Introduces the concept of C2 channels
▸ Different methods of delivering commands
▸ Different channels can coexist in the same network
19
BOTNET OVERVIEW & HISTORY
BOT MASTER
▸ The person who controls all of the bots
▸ Inserts commands into C2 servers
▸ Can divide bots into logical groups
▸ Can specify what the bots will do
▸ Limited by the command set and purpose of the botnet
21
C2 CHANNELS
C2 CHANNELS
▸ A means of transmitting information to bots
▸ Can be done through many different protocols
▸ Attempt to hide in plain sight
▸ Use whatever traffic looks normal
23
IRC C2
IRC C2
▸ Clients connect to an IRC server
▸ Clients connect to IRC channels to wait for messages from the master
▸ Relies on the IRC infrastructure to deliver the messages
▸ Change channels every so often
26
IRC C2
ADVANTAGES TO USING IRC
▸ Easy setup
▸ Easy command distribution
▸ Send commands in plain English
27
IRC C2
DISADVANTAGES TO USING IRC
▸ Commands in plain English
▸ Unencrypted communications to the IRC server
▸ If bots do not validate the user issuing commands, it is easy to reverse engineer the command format and inject commands
▸ Relatively easy to hijack
28
IRC INSPIRED C2 NETWORK
IRC INSPIRED C2 NETWORK
▸ Not using IRC
▸ Build a network of C2 servers close to how IRC operates
▸ IRC works as a spanning tree
30
IRC INSPIRED C2 NETWORK
WHY NOT USE IRC’S SPANNING TREE?
▸ The spanning tree poses a redundancy problem
▸ Imagine if you lose a middle branch
▸ Causes network segmentation
▸ The 2 sections become disjoint
31
IRC INSPIRED C2 NETWORK
IRC NETWORK MESSAGE PROPAGATION
[Diagram, slides 32-38: six servers (SERVER 1 to SERVER 6) arranged as IRC's spanning tree; successive frames show a MESSAGE being relayed from server to server until every server has received it]
IRC INSPIRED C2 NETWORK
SOLUTION: PARTIAL MESH
▸ Take the concept of forwarding commands to servers
▸ Ensures that each server will have the same database
▸ If organized correctly, can be tolerant of mild to medium losses
▸ If somebody dismantles 85% of your network, it will be hard to ensure fault tolerance
▸ More practical and realistic than full mesh
45
IRC INSPIRED C2 NETWORK
DESIGN CHOICES
▸ Go is the language of choice
▸ Redundant messages are a problem
▸ Better than implementing a full P2P routing mechanism
▸ Could use BATMAN, but that’s hard with Go?
▸ Partial vs Full Information Chain
▸ Full would increase traffic size
46
IRC INSPIRED C2 NETWORK
ALGORITHM
▸ Server establishes connection with peer C2 server
▸ Command DB updated
▸ Server notifies all other peer servers
47
IRC INSPIRED C2 NETWORK
PEER SERVER CONNECTION
▸ Server contacts other server
▸ Servers validate each other’s authenticity
▸ Maintain communication at a periodic interval or over a persistent command channel
48
IRC INSPIRED C2 NETWORK
COMMAND DB UPDATED
▸ Could be done by the Bot Master manually
▸ Could be from an update from a peer server
▸ Server will silently ignore duplicate messages
▸ Server will then notify all other peers
49
IRC INSPIRED C2 NETWORK
SERVER TO SERVER UPDATES
▸ Server will update all other peers except the one it received the update from
▸ Server will attach a partial information chain to the update
▸ Each update therefore carries a partial information chain
50
IRC INSPIRED C2 NETWORK
PARTIAL INFORMATION CHAIN
▸ The partial information chain contains the IDs of each server that the update is being sent to
▸ If a peer's ID is already listed in the chain, the server will not notify that peer
▸ Remember that a server ignores updates it has already received
51
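The update-propagation rules on the preceding slides (peer connection, command DB update, server-to-server updates carrying a partial information chain), as an added Go simulation written for this page; it is not the talk's project code. It models the servers as an in-memory graph with no networking or authentication, uses a constructed six-node spanning tree and partial mesh because the deck does not give its link layout, and the names (Network, Receive, Propagate, the Tree and Mesh edge lists, the "cmd-1" update ID) are assumptions. Running it also shows the two earlier points: a spanning tree segments when a middle node is lost while the partial mesh still reaches the remaining nodes, and the partial chain lets a few duplicate messages through, which the duplicate-ignore rule then absorbs. For a defender, the message count per injected command is the fan-out of server-to-server traffic one update produces.

```go
package main

import (
	"fmt"
	"sort"
)

// Update is one command-DB entry passed between peer servers: ID is the
// de-duplication key, Chain the partial information chain (servers being notified plus sender).
type Update struct {
	ID    string
	Chain []int
}

// Network is an undirected graph of C2 servers, each with an in-memory command DB
// (a set of update IDs); Down marks servers taken offline. Hypothetical structures, not the talk's code.
type Network struct {
	Peers map[int][]int
	DB    map[int]map[string]bool
	Down  map[int]bool
}

// NewNetwork builds the peer graph from an edge list (peers keep insertion order).
func NewNetwork(edges [][2]int, down []int) *Network {
	n := &Network{Peers: map[int][]int{}, DB: map[int]map[string]bool{}, Down: map[int]bool{}}
	for _, e := range edges {
		for i, a := range e {
			n.Peers[a] = append(n.Peers[a], e[1-i])
			if n.DB[a] == nil {
				n.DB[a] = map[string]bool{}
			}
		}
	}
	for _, d := range down {
		n.Down[d] = true
	}
	return n
}

// Receive applies the talk's three rules on one server and returns how many
// server-to-server messages the update caused downstream: (1) an update already
// in the DB is silently ignored; (2) otherwise it is stored; (3) every live peer
// not listed in the incoming chain is notified, with chain = incoming chain +
// this server + the peers being notified. Delivery is simulated synchronously.
func (n *Network) Receive(sid int, u Update) int {
	if n.Down[sid] || n.DB[sid][u.ID] {
		return 0
	}
	n.DB[sid][u.ID] = true
	listed := map[int]bool{}
	for _, x := range u.Chain {
		listed[x] = true
	}
	var targets []int
	for _, p := range n.Peers[sid] {
		if !n.Down[p] && !listed[p] {
			targets = append(targets, p)
		}
	}
	chain := append(append(append([]int{}, u.Chain...), sid), targets...)
	sent := 0
	for _, p := range targets {
		sent += 1 + n.Receive(p, Update{ID: u.ID, Chain: chain})
	}
	return sent
}

// Propagate injects an update at origin (as the bot master would) and reports
// which servers hold it afterwards and how many messages that cost.
func (n *Network) Propagate(origin int, id string) (reached []int, msgs int) {
	msgs = n.Receive(origin, Update{ID: id})
	for sid, db := range n.DB {
		if db[id] {
			reached = append(reached, sid)
		}
	}
	sort.Ints(reached)
	return reached, msgs
}

// Constructed six-node topologies; the talk does not give its exact link layout.
var (
	Tree = [][2]int{{1, 2}, {1, 3}, {2, 4}, {2, 5}, {3, 6}}
	Mesh = append(append([][2]int{}, Tree...), [2]int{4, 5}, [2]int{5, 6}, [2]int{3, 4})
)

func main() {
	for _, t := range []struct {
		name  string
		edges [][2]int
	}{{"spanning tree", Tree}, {"partial mesh", Mesh}} {
		for _, down := range [][]int{nil, {2}} {
			reached, msgs := NewNetwork(t.edges, down).Propagate(1, "cmd-1")
			fmt.Printf("%-13s down=%v reached=%v messages=%d\n", t.name, down, reached, msgs)
		}
	}
}
```

With all servers up, the tree delivers the update in 5 messages and the mesh in 7 (two duplicates that the receiving servers ignore). With server 2 down, the tree reaches only servers 1, 3 and 6, while the mesh still reaches 1, 3, 4, 5 and 6.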
IRC INSPIRED C2 NETWORK
C2 NETWORK: 6 NODES
[Diagram, slides 67-71: six C2 servers (SERVER 1 to SERVER 6) in a partial mesh; successive frames show an update spreading through the network with the partial information chain (server ID lists such as "2", "1, 2", "3, 5", "4, 6", "6") attached to each message]
IRC INSPIRED C2
WHERE DOES THE FAULT TOLERANCE COME IN?
▸ The fault tolerance is a combination of things
▸ Server command DB updates and synchronization
▸ Clients having a chain of domains to contact in the C2 network
▸ Clients have the ability to contact any server in the network to receive commands
72
PROJECT GOALS
SHORT TERM GOALS
▸ Server accepts communications from clients
▸ Default channel placement; only 1 channel supported for now :(
▸ Server responds to command request for client
▸ Database replication is supported by default
74
PROJECT GOALS
LONG TERM GOALS
▸ TLS Cert generation and validation
▸ Full forwarding and database replication
▸ Web Administration Panel
▸ Dispense modules to clients
▸ HTTP/HTTPS C2
▸ Potential framework for automated deployment
75
PROJECT GOALS
IMPROVEMENTS
▸ Things that definitely need to be changed
▸ Using an actual database rather than in-memory data types
▸ Proper distinction between client and server IDs
76
SPECIAL THANKS & REFERENCES
SPECIAL THANKS
▸ Jaime Geiger
▸ Encouraging me to do this talk
▸ Brad Campbell
▸ Introducing me to Golang
▸ Design assistance
▸ General concept checking
80
SPECIAL THANKS & REFERENCES
REFERENCES
▸ Definition of Botnet: https://en.wikipedia.org/wiki/Botnet
▸ Botnet Number Figures: https://en.wikipedia.org/wiki/Botnet#Historical_list_of_botnets
81