Stealthy, Resilient and Cost-Effective Botnet Using Skype

DESCRIPTION

DIMVA 2010 talk. Skype is one of the most used P2P applications on the Internet: VoIP calls, instant messaging, SMS and other features are provided at a low cost to millions of users. Although Skype is a closed source application, an API allows developers to build custom plugins which interact over the Skype network, taking advantage of its reliability and capability to easily bypass firewalls and NAT devices. Since the protocol is completely undocumented, Skype traffic is particularly hard to analyze and to reverse engineer. We propose a novel botnet model that exploits an overlay network such as Skype to build a parasitic overlay, making it extremely difficult to track the botmaster and disrupt the botnet without damaging legitimate Skype users. While Skype is particularly valid for this purpose due to its abundance of features and its widespread installed base, our model is generically applicable to distributed applications that employ overlay networks to send direct messages between nodes (e.g., peer-to-peer software with messaging capabilities). We are convinced that similar botnet models are likely to appear in the wild in the near future and that the threats they pose should not be underestimated. Our contribution strives to provide the tools to correctly evaluate and understand the possible evolution and deployment of this phenomenon.

Page 1: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Outline

Introduction: Advantages

Skype: Supernodes, Botnet

Our Model: Features, Communication protocol, Experiments, Limitations

Countermeasures

Take a deep breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype

Antonio Nappa - Università degli studi di Milano

Aristide Fattori - Università degli studi di Milano

Marco Balduzzi - Eurecom, Sophia-Antipolis, France

Matteo Dell’Amico - Eurecom, Sophia-Antipolis, France

Lorenzo Cavallaro - Vrije Universiteit Amsterdam, The Netherlands

A.Nappa, A.Fattori, M.Balduzzi, M.Dell’Amico, L.Cavallaro A Stealthy, Resilient and Cost-Effective Botnet using Skype

Page 2: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Introduction

Botnets spread along with “social software” (IRC, MSN, Skype, P2P clients, Facebook, Twitter).

We observed the evolution of the botnet phenomenon and identified Skype as a possible target for easily building a new botnet command and control channel.

Page 3: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Why Skype?

We chose Skype because it is a widespread application, with about 400 million registered users and a daily presence of 50 million users. Furthermore, we chose it because it offers many appealing functionalities (NAT and firewall traversal, encrypted communications).

We wanted to prove that building a botnet with this application's API is cost-effective and fast, in order to validate our model.

Page 4: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Advantages

Our solution is cost-effective because it is easy to deploy and offers many useful functionalities (NAT and firewall passthrough, P2P structure).

Botnet traffic is indistinguishable from ordinary traffic.

No bottlenecks nor single point of failure.

Resilient: the loss of one or many bots influences the infrastructure only slightly.

Dynamic and transparent routing based on Skype usernames.

We take advantage of Skype’s protection measures and P2P routing algorithms.

Page 5: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Supernodes

Page 6: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Botnet

We propose a novel botnet model that exploits an overlay network such as Skype to build a parasitic overlay.

Page 7: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Our Model

The parasitic overlay model is a botnet built on top of an instant messaging infrastructure, using its features for non-standard operations.

Our model is generic and can be shaped on different applications that support instant messaging.

Page 8: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Features

It is hard to set bots and regular Skype traffic apart.

The lack of a hierarchical structure allows any controlled node to be used as an entry point for the master.

The policy adopted for registering new nodes makes it cost-unattractive to obtain a comprehensive list of all the bots.

Page 9: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Communication protocol

To bootstrap, each infected node sends a startup message to its Gate Nodes, whose identities are embedded in the binary.

The Gate Nodes are in contact with other nodes and the Master.

The startup message flows through the Gate Nodes and reaches the Master.

The Master answers the infected node with a new set of neighbors.

Once the infected node has its new set of neighbors, it is able to communicate.

Page 10: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Communication protocol (2)

In our botnet, messages exchanged between bots and the master flow through the network as legitimate messages.

Encryption is used to obtain unicast, multicast and broadcast communication.

Gnutella-like message passing procedure.

Ability to react in case of a total takeover of the Gate Nodes.

Page 11: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Experiments

We evaluated our model through accurate simulations recreating different botnet magnitudes and connectivity states (alive neighbors per node).

The average distance between a node and the botmaster grows slowly with respect to the number of nodes in the botnet.
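Two of the deck's claims lend themselves to a quick reproduction: the average node-to-master distance growing slowly with botnet size (this slide) and the infrastructure being only slightly affected by the loss of many bots (the Advantages slide, the property a defender must weigh when planning a takedown). The simulation below is an added example written for this page and is not the authors' simulator; it assumes a random overlay in which every node is handed d alive neighbors, symmetric links, and node 0 as the botmaster, which is the connectivity model the slide describes but not its exact parameters.

```python
"""Overlay distance and takedown simulation (added example, not the authors' code)."""
import random
from collections import deque


def build_overlay(n, d, seed=0):
    """Constructed overlay of n nodes where each node is handed d random alive
    neighbors (the talk's 'alive neighbors per node' connectivity state).
    Links are symmetric because messages can flow either way. Node 0 plays the
    botmaster. Returns an adjacency list (one set of neighbors per node)."""
    rng = random.Random(seed)
    adj = [set() for _ in range(n)]
    for node in range(n):
        chosen = set()
        while len(chosen) < min(d, n - 1):
            nb = rng.randrange(n)
            if nb != node:
                chosen.add(nb)
        for nb in chosen:
            adj[node].add(nb)
            adj[nb].add(node)
    return adj


def distances_from(adj, source, removed=frozenset()):
    """Breadth-first search from source over nodes not in 'removed'.
    Returns {node: hops}; unreachable nodes are simply absent."""
    if source in removed:
        return {}
    dist = {source: 0}
    queue = deque([source])
    while queue:
        cur = queue.popleft()
        for nb in adj[cur]:
            if nb not in removed and nb not in dist:
                dist[nb] = dist[cur] + 1
                queue.append(nb)
    return dist


def average_distance(adj, master=0):
    """Average hop count from the master to every bot it can reach."""
    hops = [h for node, h in distances_from(adj, master).items() if node != master]
    return sum(hops) / len(hops) if hops else 0.0


def reachable_fraction(adj, master, removed):
    """Share of the surviving bots that still have a path to the master after
    the nodes in 'removed' are taken offline (e.g. cleaned up or seized)."""
    survivors = [v for v in range(len(adj)) if v != master and v not in removed]
    if not survivors:
        return 0.0
    reached = distances_from(adj, master, removed)
    return sum(1 for v in survivors if v in reached) / len(survivors)


def takedown_experiment(n, d, fraction, seed=0):
    """Build an overlay, remove a random 'fraction' of the bots and report how
    many of the remaining ones the master can still reach."""
    adj = build_overlay(n, d, seed)
    rng = random.Random(seed + 1)
    victims = frozenset(rng.sample(range(1, n), int(fraction * (n - 1))))
    return reachable_fraction(adj, 0, victims)


if __name__ == "__main__":
    for n in (100, 1000, 10000):
        print("%5d bots, d=5: average distance to master %.2f"
              % (n, average_distance(build_overlay(n, 5))))
    print("30%% random takedown, 1000 bots: %.3f of survivors still reachable"
          % takedown_experiment(1000, 5, 0.3))
```

Running it shows the logarithmic growth the slide reports (going from 100 to 10000 bots adds only a couple of hops) and that removing 30% of the bots at random leaves almost every survivor reachable: a defender who can only clean up individual infected hosts barely dents this overlay, which is why the deck's later countermeasure targets the host-side API instead.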

Page 12: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Experiments (2) - Proof of Concept

We created a small real-world scenario to verify our simulation results:

PoC bot written in Python using the Skype4Py library

∼ 40 hosts geographically distributed between France and Italy

bootstrapping phase test, validation and measurements

communication model test, validation and measurements

We observed that the real-world scenario is consistent with the simulated one.

Page 13: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Limitations

One important limitation of our Skype botnet is the possibility for an external attacker to perpetrate a replay attack.

This attack is done by repeatedly delivering announce messages to progressively obtain neighbor node lists during the bootstrap phase, and thus a map of the botnet.

One possible mitigation is to limit the number of neighbor nodes sent to new bots within a defined temporal window.

Page 14: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Discussion

The availability of an API that can interact with Skype with full privileges raises security issues.

Page 15: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Countermeasures

We developed a host-based countermeasure that intercepts the communications between the Skype API and a plugin, acting as a proxy. With this technique we are able to recognize every command issued by a plugin, and we aim to find malicious command sequences. At the moment the false positive rate is quite high; we are working on new heuristics to reduce it.

Page 16: Stealthy, Resilient and Cost-Effective Botnet Using Skype

Questions
