OnionBots: Subverting Privacy Infrastructure for Cyber Attacks

Over the last decade botnets survived by adopting a sequence of increasingly sophisticated strategies to evade detection and take overs, and to monetize their infrastructure. At the same time, the success of privacy infrastructures such as Tor opened the door to illegal activities, including botnets, ransomware, and a marketplace for drugs and contraband. We contend that the next waves of botnets will extensively attempt to subvert privacy infrastructure and cryptographic mechanisms. In this work we propose to preemptively investigate the design and mitigation of such botnets. We first, introduce OnionBots, what we believe will be the next generation of resilient, stealthy botnets. OnionBots use privacy infrastructures for cyber attacks by completely decoupling their operation from the infected host IP address and by carrying traffic that does not leak information about its source, destination, and nature. Such bots live symbiotically within the privacy infrastructures to evade detection, measurement, scale estimation, observation, and in general all IP-based current mitigation techniques. Furthermore, we show that with an adequate self-healing network maintenance scheme, that is simple to implement, OnionBots can achieve a low diameter and a low degree and be robust to partitioning under node deletions. We develop a mitigation technique, called SOAP, that neutralizes the nodes of the basic OnionBots. In light of the potential of such botnets, we believe that the research community should proactively develop detection and mitigation methods to thwart OnionBots, potentially making adjustments to privacy infrastructure.

[1]  John Lane,et al.  Prime: Byzantine Replication under Attack , 2011, IEEE Transactions on Dependable and Secure Computing.

[2]  Christopher Krügel,et al.  Your botnet is my botnet: analysis of a botnet takeover , 2009, CCS.

[3]  Leslie Lamport,et al.  The Byzantine Generals Problem , 1982, TOPL.

[4]  Farnam Jahanian,et al.  A Survey of Botnet Technology and Defenses , 2009, 2009 Cybersecurity Applications & Technology Conference for Homeland Security.

[5]  Aziz Mohaisen,et al.  Metadata-Driven Threat Classification of Network Endpoints Appearing in Malware , 2014, DIMVA.

[6]  Herbert Bos,et al.  SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets , 2013, 2013 IEEE Symposium on Security and Privacy.

[7]  Nikita Borisov,et al.  Stegobot: A Covert Social Network Botnet , 2011, Information Hiding.

[8]  Cristina Nita-Rotaru,et al.  Closing the Pandora's box: Defenses for thwarting epidemic outbreaks in mobile adhoc networks , 2012, 2012 IEEE 9th International Conference on Mobile Ad-Hoc and Sensor Systems (MASS 2012).

[9]  Wei Jiang,et al.  Botnet: Survey and Case Study , 2009, 2009 Fourth International Conference on Innovative Computing, Information and Control (ICICIC).

[10]  T. Holz,et al.  Towards Next-Generation Botnets , 2008, 2008 European Conference on Computer Network Defense.

[11]  Baruch Awerbuch,et al.  An on-demand secure routing protocol resilient to byzantine failures , 2002, WiSE '02.

[12]  Aziz Mohaisen,et al.  Measuring Botnets in the Wild: Some New Trends , 2015, AsiaCCS.

[13]  Jon Crowcroft,et al.  A survey and comparison of peer-to-peer overlay network schemes , 2005, IEEE Communications Surveys & Tutorials.

[14]  Sudip Saha,et al.  DNS for Massive-Scale Command and Control , 2013, IEEE Transactions on Dependable and Secure Computing.

[15]  Daniel J. Bernstein,et al.  Elligator: elliptic-curve points indistinguishable from uniform random strings , 2013, IACR Cryptol. ePrint Arch..

[16]  Wenke Lee,et al.  Detecting Malware Domains at the Upper DNS Hierarchy , 2011, USENIX Security Symposium.

[17]  Michael K. Reiter,et al.  Are Your Hosts Trading or Plotting? Telling P2P File-Sharing and Bots Apart , 2010, 2010 IEEE 30th International Conference on Distributed Computing Systems.

[18]  Sven Dietrich,et al.  Analysis of the Storm and Nugache Trojans: P2P Is Here , 2007, login Usenix Mag..

[19]  Nick Feamster,et al.  Building a Dynamic Reputation System for DNS , 2010, USENIX Security Symposium.

[20]  Sandeep Yadav,et al.  Detecting algorithmically generated malicious domain names , 2010, IMC '10.

[21]  Pratik Narang,et al.  PeerShark: Detecting Peer-to-Peer Botnets by Tracking Conversations , 2014, 2014 IEEE Security and Privacy Workshops.

[22]  Gabriel Maciá-Fernández,et al.  Survey and taxonomy of botnet research through life-cycle , 2013, CSUR.

[23]  Hassen Saïdi,et al.  A Foray into Conficker's Logic and Rendezvous Points , 2009, LEET.

[24]  Leyla Bilge,et al.  EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis , 2011, NDSS.

[25]  Neil Daswani,et al.  The Anatomy of Clickbot.A , 2007, HotBots.

[26]  Christopher Krügel,et al.  BotFinder: finding bots in network traffic without deep packet inspection , 2012, CoNEXT '12.

[27]  Nicholas Hopper,et al.  Challenges in Protecting Tor Hidden Services from Botnet Abuse , 2014, Financial Cryptography.

[28]  Felix C. Freiling,et al.  Walowdac - Analysis of a Peer-to-Peer Botnet , 2009, 2009 European Conference on Computer Network Defense.

[29]  Shouhuai Xu,et al.  Social Network-Based Botnet Command-and-Control: Emerging Threats and Countermeasures , 2010, ACNS.

[30]  Christopher Krügel,et al.  Overbot: a botnet protocol based on Kademlia , 2008, SecureComm.

[31]  Michele Colajanni,et al.  Cyber Attacks on Financial Critical Infrastructures , 2012, Collaborative Financial Infrastructure Protection.

[32]  Nick Feamster,et al.  Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces , 2010, NSDI.

[33]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[34]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[35]  Xiapu Luo,et al.  Detecting stealthy P2P botnets using statistical traffic fingerprints , 2011, 2011 IEEE/IFIP 41st International Conference on Dependable Systems & Networks (DSN).

[36]  Marc Dacier,et al.  A strategic analysis of spam botnets operations , 2011, CEAS '11.

[37]  Moni Naor,et al.  Know thy neighbor's neighbor: the power of lookahead in randomized P2P networks , 2004, STOC '04.

[38]  Michael K. Reiter,et al.  Revisiting Botnet Models and Their Implications for Takedown Strategies , 2012, POST.

[39]  Ronaldo M. Salles,et al.  Botnets: A survey , 2013, Comput. Networks.

[40]  Arvind Krishnamurthy,et al.  Studying Spamming Botnets Using Botlab , 2009, NSDI.

[41]  Jong Kim,et al.  Fluxing botnet command and control channels with URL shortening services , 2013, Comput. Commun..

[42]  Nicolas Christin,et al.  Security Behavior Observatory: Infrastructure for Long-term Monitoring of Client Machines (CMU-CyLab-14-009) , 2014 .

[43]  Nicolas Christin,et al.  Traveling the silk road: a measurement analysis of a large anonymous online marketplace , 2012, WWW.

[44]  Andreas Terzis,et al.  A multifaceted approach to understanding the botnet phenomenon , 2006, IMC '06.

[45]  Van-Hau Pham,et al.  The WOMBAT Attack Attribution Method: Some Results , 2009, ICISS.

[46]  John Aycock,et al.  Army of Botnets , 2007, NDSS.

[47]  Nasir D. Memon,et al.  Friends of an enemy: identifying local members of peer-to-peer botnets using mutual contacts , 2010, ACSAC '10.

[48]  Sandeep Yadav,et al.  Detecting Algorithmically Generated Domain-Flux Attacks With DNS Traffic Analysis , 2012, IEEE/ACM Transactions on Networking.

[49]  Guevara Noubir,et al.  Wireless spreading of WiFi APs infections using WPS flaws: An epidemiological and experimental study , 2013, 2013 IEEE Conference on Communications and Network Security (CNS).

[50]  Alex Biryukov,et al.  Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization , 2013, 2013 IEEE Symposium on Security and Privacy.

[51]  Roberto Perdisci,et al.  From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware , 2012, USENIX Security Symposium.

[52]  Felix C. Freiling,et al.  Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks , 2005, ESORICS.

[53]  Felix C. Freiling,et al.  Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm , 2008, LEET.

[54]  Herbert Bos,et al.  Highly resilient peer-to-peer botnets are here: An analysis of Gameover Zeus , 2013, 2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE).

[55]  Oliver P. Waldhorst,et al.  Decentralized and Autonomous Bootstrapping for IPv6-based Peer-to-Peer Networks , 2009 .

[56]  Ping Wang,et al.  An Advanced Hybrid Peer-to-Peer Botnet , 2007, IEEE Transactions on Dependable and Secure Computing.

[57]  Yang Xiao,et al.  Botnet: Classification, Attacks, Detection, Tracing, and Preventive Measures , 2009, EURASIP J. Wirel. Commun. Netw..

[58]  Prateek Mittal,et al.  BotGrep: Finding P2P Bots with Structured Graph Analysis , 2010, USENIX Security Symposium.

[59]  Marco Balduzzi,et al.  Take a Deep Breath: A Stealthy, Resilient and Cost-Effective Botnet Using Skype , 2010, DIMVA.

[60]  Lei Wu,et al.  Honeypot detection in advanced botnet attacks , 2010, Int. J. Inf. Comput. Secur..

[61]  Herbert Bos,et al.  Large-Scale Analysis of Malware Downloaders , 2012, DIMVA.

[62]  Aziz Mohaisen,et al.  Babble: Identifying malware by its dialects , 2013, 2013 IEEE Conference on Communications and Network Security (CNS).

[63]  Leyla Bilge,et al.  Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis , 2012, ACSAC '12.

[64]  John McHugh,et al.  Structured Peer-to-Peer Overlay Networks: Ideal Botnets Command and Control Infrastructures? , 2008, ESORICS.

[65]  Alex Biryukov,et al.  Content and Popularity Analysis of Tor Hidden Services , 2013, 2014 IEEE 34th International Conference on Distributed Computing Systems Workshops (ICDCSW).

[66]  Malte Möser,et al.  An inquiry into money laundering tools in the Bitcoin ecosystem , 2013, 2013 APWG eCrime Researchers Summit.

[67]  Nicolas Christin,et al.  Building the security behavior observatory: an infrastructure for long-term monitoring of client machines , 2014, HotSoS '14.

[68]  Farnam Jahanian,et al.  The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets , 2005, SRUTI.