
PostNet, a new era of resilient Botnet (Julien Desfossez & David Goulet)


PostNet : A new era of resilient Botnet
Julien Desfossez (ju@klipix.org) & David Goulet (dgoulet@ev0ke.net)
HackFest 2011, November 6, 2010


Outline

1 Introduction : HackUS; HEAD@{0}
2 PostNet : The Office; Skynet : The Awakening
3 Results : Le salon des tables (the tables lounge); L'hotel des chambres (the rooms hotel)
4 Real Life : Operation Takedown; Botnet strikes back; Now What?


HackUS: Shameless Plug

HackUS2 : 1-2-3 April 2011
- Security Contest
- CTF
- Web
- Reverse Engineering - Binary Exploitation
- | more


HEAD@{0}: Point of Origin

The idea:
1 Two years ago : Stealth, Autonomous, Adaptive and Decentralized
2 After that : Reality Check, we had a life...
3 Opportunity : Security class during our master's
4 Birth of PostNet

Now the story... Thanks Morpheus

HEAD@{0}: Ops Swordfish vs War Games 2

Botnet main characteristics (or problems):
- Rendez-vous point for data (orders, updates, ...)
- Dynamic peer list
- Node trust
- Encryption (communication protocol, data)
- Peer hierarchy

HEAD@{0}: Examples

- Storm : rendez-vous point using the Kademlia routing protocol
- Waledac : hierarchical, using proxy servers to relay data
- Rustock : using TLS for SPAM
- Conficker : well... crazy as hell

HEAD@{0}: Now what?

How can we get better?


The Office: Conference room in 5 min (© M.G. Scott)

Definitions:
- Decentralized : rendez-vous points are not fixed and are potentially distributed
- Non-P2P : no direct targeted data exchange between peers
- Common P2P Botnet : botnet using rendez-vous points and a dynamic peer list


The Office: Nice things about the Net

- DNS : stateless, -j ACCEPT, MTU bytes of fun and rock solid!
  Yeah I know : CVE-2008-1447 (DNS cache poisoning)
- SMTP : actually working, mail waiting for you
- SSL : PKI, signatures
  Yeah I know : CVE-2009-2510, CVE-2009-2408 (null-character certificate name spoofing)


The Office: Let's play Global Thermonuclear War

- DNS : fast-flux; MTU fun bytes : covert channel
- SMTP : overlay network
- SSL : trust and ... trust

and let's introduce ...



The Office: Creed's thought

uncertainty - (un-surtn-ti)
No knowledge and no guarantee on where my data is


The Office: Dwight's theory

Probability of having a certain mothership $m$ in the peer list. Let $\alpha_m$ be the number of entries for $m$ in a peer list at time $t$:

$$P^t_n(m) = \frac{\alpha_m}{|M|}$$

Probability of getting a broadcast message for a certain zombie $n$, $P(n)$:

$$P(n) = \sum_{i=1}^{k} \left( \prod_{j=1}^{i-1} \bigl(1 - P^j_n(m)\bigr) \right) P^i_n(m)$$

where $k$ is the fetch time (the number of fetches performed). Each term is the probability that fetches $1..i-1$ missed and fetch $i$ hit a mothership holding the message, so the sum is the probability that at least one of the $k$ fetches succeeded: $P(n) = 1 - \prod_{j=1}^{k} (1 - P^j_n(m))$.

The Office: Jim's Prank

New probability $P^t_n(m')$ after a cache poisoning attack. Let $\alpha_p$ be the number of poisoned entries $m'$:

$$P^t_n(m') = \frac{\alpha_p}{|M|} \times 0 + \frac{|M| - \alpha_p}{|M|} \, P^t_n(m)$$
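Dwight's theory and Jim's Prank evaluated numerically, as an added example (my code, not the authors'). It assumes that one fetch draws one peer-list entry uniformly, that fetches are numbered 1..k, and that a poisoned entry never answers (the "× 0" term); `per_fetch` is a callable so that α may change between fetches while caches are being exchanged.

```python
# Added example (not from the PostNet slides): evaluating Dwight's theory and
# Jim's Prank numerically. Assumptions that are mine, not the authors':
# one fetch draws one random peer-list entry; fetches are numbered 1..k; the
# product runs over the fetches before fetch i; a poisoned entry never answers.
from fractions import Fraction


def p_fetch(alpha_m: int, size_m: int) -> Fraction:
    """P^t_n(m) = alpha_m / |M|: one fetch lands on a mothership holding the mail."""
    if size_m <= 0 or not 0 <= alpha_m <= size_m:
        raise ValueError("need |M| > 0 and 0 <= alpha_m <= |M|")
    return Fraction(alpha_m, size_m)


def p_poisoned(alpha_m: int, alpha_p: int, size_m: int) -> Fraction:
    """Jim's Prank: P^t_n(m') = (alpha_p/|M|) * 0 + ((|M| - alpha_p)/|M|) * P^t_n(m).

    alpha_p poisoned (Sybil) entries answer with nothing, so only the
    remaining fraction of the list can still yield the message."""
    if not 0 <= alpha_p <= size_m:
        raise ValueError("need 0 <= alpha_p <= |M|")
    return Fraction(size_m - alpha_p, size_m) * p_fetch(alpha_m, size_m)


def p_reached(per_fetch, k: int) -> Fraction:
    """P(n) = sum_{i=1}^{k} ( prod_{j=1}^{i-1} (1 - P^j_n(m)) ) * P^i_n(m).

    per_fetch(j) is the success probability of fetch j, so alpha may change
    between fetches (caches are exchanged while the zombie keeps fetching).
    Equivalent to 1 - prod_{j=1}^{k} (1 - P^j_n(m))."""
    total = Fraction(0)
    for i in range(1, k + 1):
        missed_before = Fraction(1)
        for j in range(1, i):
            missed_before *= 1 - per_fetch(j)
        total += missed_before * per_fetch(i)
    return total


def propagation(alpha_m: int, alpha_p: int, size_m: int, k: int) -> Fraction:
    """P(n) after k fetches against a static peer list with alpha_p poisoned entries."""
    p = p_poisoned(alpha_m, alpha_p, size_m)
    return p_reached(lambda _j: p, k)


def poisoning_table(alpha_m: int, size_m: int, k: int) -> list:
    """(alpha_p, P(n)) for every possible number of poisoned entries: shows the
    propagation probability collapsing as the attacker owns more of the list."""
    return [(a, propagation(alpha_m, a, size_m, k)) for a in range(size_m + 1)]


if __name__ == "__main__":
    # Constructed input: 9-entry peer list, 3 entries pointing at the mothership
    # that holds the order, 10 fetches (150 s at the 15 s fetch interval).
    for alpha_p, prob in poisoning_table(alpha_m=3, size_m=9, k=10):
        print(f"alpha_p={alpha_p}: P(n)={float(prob):.3f}")
```

With the slide's fetch interval of 15 seconds, `k` is simply elapsed time divided by 15, so `propagation` gives the theoretical curve for one zombie and the table shows how many poisoned entries it takes before the order effectively stops arriving.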


Skynet : The Awakening

So what the f*&?$ is PostNet?


[Figure: PostNet architecture diagram; image not extracted]

Skynet : The Awakening: Concepts

Mailbox
- Contains a list of mails
- Exchanged via UDP
- Every time a mailbox is exchanged, the TTL of each message is decremented

Mail
- Contains the actual message, a destination and a TTL
- The destination can be unicast or broadcast (in the case of a C&C order)

Peer list
- Contains a list of peer addresses and ports
- Exchanged via direct UDP packets


Skynet : The Awakening: Entities

M : Motherships
- Directly reachable (public address)
- Store mailboxes
- Exchange mailboxes with other M
- Exchange caches with other M
- Accept mail fetches from Z and M

Z : Zombies
- Behind a NAT gateway
- Fetch mail from a random M in their cache


Le salon des tables (the tables lounge)


Sybil Attack

The simple concept of inserting a bogus peer to disrupt the botnet.


Cache Poisoning Sybil Attack

PostNet was tested for these scenarios:
- Persistent attack, Sybil not in the botnet
- Non-persistent attack, Sybil in the botnet
- Persistent attack, Sybil in the botnet


Farnsworth's lab

Our in-vitro botnet testing gear:
- 30 Virtual Machines
- Each VM : Ubuntu 8.04, OpenVZ
- Each VM : one network
- Each VM : 10 VZ machines, NATted
- Total : 330 nodes on 2 physical machines
- The two blades were HOT!

Botnet Settings

- Mailboxes are exchanged every 90 seconds
- Caches are exchanged every 45 seconds
- Mails are fetched every 15 seconds
- The experiment runs for 800 seconds
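The mailbox, mail and peer-list concepts, the mothership/zombie entities and the settings above, put together in a small discrete-time simulation of C&C broadcast propagation with optional Sybil cache poisoning. This is an added example written for this page, not the PostNet code. The period constants are the slide's; everything else is my assumption: a zombie cache of 3 entries, a broadcast TTL of 16 hops, motherships all knowing each other, a Sybil answering cache exchanges with only Sybil addresses, and "persistent" meaning the attacker keeps re-injecting a poisoned entry at every cache exchange. The slides' in-botnet versus not-in-botnet distinction is not modelled.

```python
# Added example (not the PostNet implementation): discrete-time simulation of a
# C&C broadcast order spreading through motherships (M) to NATted zombies (Z),
# with optional Sybil motherships poisoning zombie caches.
# Assumptions (mine): real M all know each other; a Z cache holds CACHE_SIZE
# addresses; after a cache exchange the Z keeps a random CACHE_SIZE-subset of
# the union of its cache and the peer's reply; a Sybil stores no mail and
# replies to cache exchanges with Sybil addresses only; "persistent" re-injects
# a Sybil address into a fraction of caches at every cache exchange.
import random
from dataclasses import dataclass, field

MAILBOX_PERIOD, CACHE_PERIOD, FETCH_PERIOD, RUN_TIME = 90, 45, 15, 800  # slide settings
CACHE_SIZE = 3
BROADCAST = "*"


@dataclass
class Mail:
    mail_id: int
    dest: str   # BROADCAST or a zombie name (unicast)
    ttl: int    # decremented on each mailbox hop, dropped at 0


@dataclass
class Mothership:
    name: str
    sybil: bool = False
    mailbox: dict = field(default_factory=dict)   # mail_id -> Mail

    def push(self, mails):
        """Merge a received mailbox, keeping the freshest (highest TTL) copy."""
        for m in mails:
            if m.ttl <= 0 or self.sybil:
                continue
            cur = self.mailbox.get(m.mail_id)
            if cur is None or cur.ttl < m.ttl:
                self.mailbox[m.mail_id] = m

    def export(self):
        """Copies of all mails with the TTL decremented by one hop."""
        return [Mail(m.mail_id, m.dest, m.ttl - 1) for m in self.mailbox.values()]


@dataclass
class Zombie:
    name: str
    cache: list
    received: set = field(default_factory=set)


def simulate(n_real=10, n_zombies=100, n_sybils=0, sybil_persistent=True,
             poisoned_fraction=0.3, seed=1):
    """Return [(t, reached)]: how many zombies hold the broadcast order at time t."""
    rng = random.Random(seed)
    real = [Mothership(f"M{i}") for i in range(n_real)]
    sybils = [Mothership(f"S{i}", sybil=True) for i in range(n_sybils)]
    all_ships = {m.name: m for m in real + sybils}
    real_names = [m.name for m in real]
    sybil_names = [m.name for m in sybils]

    zombies = []
    for i in range(n_zombies):
        cache = rng.sample(real_names, CACHE_SIZE)
        if sybils and rng.random() < poisoned_fraction:
            cache[0] = rng.choice(sybil_names)          # initial cache poisoning
        zombies.append(Zombie(f"Z{i}", cache))

    real[0].push([Mail(1, BROADCAST, ttl=16)])          # C&C injects the order at M0
    samples = []
    for t in range(0, RUN_TIME + 1, 5):
        if t and t % MAILBOX_PERIOD == 0:               # M <-> M mailbox exchange
            for m in real:
                peer = all_ships[rng.choice([n for n in real_names if n != m.name])]
                mine, theirs = m.export(), peer.export()
                m.push(theirs)
                peer.push(mine)
        if t and t % CACHE_PERIOD == 0:                 # Z refreshes its cache from a cached M
            for z in zombies:
                peer = all_ships[rng.choice(z.cache)]
                reply = sybil_names if peer.sybil else real_names
                if sybil_persistent and sybils and rng.random() < poisoned_fraction:
                    reply = reply + sybil_names         # attacker keeps re-injecting
                pool = sorted(set(z.cache) | set(reply))  # sorted: deterministic under a seed
                z.cache = rng.sample(pool, min(CACHE_SIZE, len(pool)))
        if t and t % FETCH_PERIOD == 0:                 # Z fetches mail from a cached M
            for z in zombies:
                peer = all_ships[rng.choice(z.cache)]
                for m in peer.mailbox.values():
                    if m.dest in (BROADCAST, z.name):
                        z.received.add(m.mail_id)
        samples.append((t, sum(1 in z.received for z in zombies)))
    return samples


if __name__ == "__main__":
    for label, run in (("no Sybil", simulate()), ("3 Sybils, persistent", simulate(n_sybils=3))):
        print(label, [reached for t, reached in run if t % 100 == 0])
```

`simulate()` returns the reached-count curve at 5-second resolution; comparing `simulate()` with `simulate(n_sybils=3)` reproduces the shape of the CC Message Propagation plots. A zombie whose cache has been filled with Sybil addresses is stuck: it fetches from and exchanges caches with Sybils only, so it never learns the order, which is exactly the uncertainty-versus-poisoning trade-off that Jim's Prank quantifies.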


L'hotel des chambres (the rooms hotel): Formal Graph

[Figure: Theoretical CC Message Propagation. X axis: Time (seconds), 0 to 800. Y axis: fraction of reached machines, 0 to 1. Series: Theoretical; Theoretical with 3 sybils.]


[Figure: CC Message Propagation (experiment). X axis: Time (seconds), 0 to 800. Y axis: Number of reached machines, 0 to 300. Series: Theoretical; Theoretical 3 Sybils persist not in botnet; no Sybil; 3 Sybils persist not in botnet; 3 Sybils non persist in botnet; 3 Sybils persist in botnet.]


Operation Takedown: How botnets get taken down

- Domain name takedown
- Coordinated server takedown
- For academics : Sybil attacks


Operation Takedown: What can't be done

- Deep packet inspection on public networks
- Legal fake bot : that's illegal...
- Client code injection
  "Security is code injection" (La sécurité c'est de l'injection de code), LastCall


Botnet strikes back: Polymorphic entropic encrypted forgery... blablabla

Binary defense:
- On-the-fly code decryption
- Packing : UPX, Themida, VMProtect, and friends
- Anti-debugging : ptrace detection, IsDebuggerPresent()...
- Polymorphism

Botnet strikes back: Network obfuscation fortress... blablabla

- Covert channels : TCP IDs, DNS fields, ICMP, etc.
- Proxies : widely used to protect the C&C
- DNS Fast-Flux : moving rendez-vous point
- P2P : zombies communicate with each other


Botnet strikes back: Warning

THE NEXT SLIDE CONTAINS A BUZZWORD


Botnet strikes back: Ghostnet

- Botnet with a specific target
- Stealthiness, Stealth, Stealthier, Cool and Stealth
- Built specifically for a target
- Origin : attacks against the Dalai Lama's office


Botnet strikes back: What about Stuxnet?

- Targeted attacks
- High level of sophistication : 0day, signed drivers
- Lots of manpower
- Offline propagation


Now What?: Resilient botnet (not for spam)

What should be done:
- Uncertainty based protocol
- Random peer list exchange
- Binary protection
- ring0 access : the Governator way
- Covert channel and encryption
- Highly decentralized
  Problem 1 : Trust
- Evolving : MUST change through time (RFC 4242)
- (void *) botnet1 : denied, no hierarchy
- No Fracking P2P and DNS

Now What?: AntiTRUST : Adding a new M

1 C&C chooses a random publicly accessible zombie
2 It multicasts(random(M)) a time window and challenges
3 Triangular Q & A

In theory no signature needed... in theory


Now What?: Don't panic, it's over
See you in the Q&A room

Questions

Debriefing room

Believe us