
Botcoin: Monetizing Stolen Cycles




  1. Botcoin: Monetizing Stolen Cycles
  UC San Diego and George Mason University
  Presented by: Amanda Watson
  CSCI 780: Advanced Network Security

  2. Outline
  • Introduction
  • Related Work
  • Background
  • Methodology
  • Analysis
  • Discussion
  • Conclusion
  • Epilogue

  3. Bots
  • Send spam, commit click fraud, launch DoS attacks, steal user data
  • Botmaster: uses bots to extract value from the above actions
  • Botnet: compromised computers under the control of the botmaster
  • Demand for a bot determines its value
  • Security evolution depends on the demand

  4. Bitcoin Mining
  • Repeatedly computing the SHA-256 cryptographic hash function over a large range of values
  • State-space search
  • Can be conducted in parallel
  • Botmaster can add bitcoin mining to the current activities of his botnet without interfering with the others
  • Pro: potentially lucrative depending on the number of bots
  • Con: easier to detect than other activities


  6. Related Work
  • Analysis of the transactions in the Bitcoin network
    • Measures activity
    • Tests the limits of anonymity
  • Analysis of the Silk Road (underground drug market)
    • Shut down October 13, 2013
  • Bitcoin mining can be “gamed” by an appropriately powerful adversary
    • Can disrupt the Bitcoin economy
  • Profitable malware
    • Pay-per-install, fake anti-virus, click fraud


  8. Bitcoin
  • Proposed by Satoshi Nakamoto in 2008
  • Not backed by any government
  • Purely a peer-to-peer virtual currency
  • Bitcoins are acquired through mining
  • Transactions are public through the blockchain
    • Public ledger maintained by a peer-to-peer network

  9. Bitcoin
  • 1 Bitcoin = $402.53

  10. Bitcoin Mining
  • Miner receives valid transactions through the peer-to-peer network
  • Groups them into blocks
    • Set of transactions
    • Header containing a hash of the previous block and a nonce
  • Computes a SHA-256 hash value of the block
  • If the value has the correct number of leading zeros
    • Miner passes it on to others to verify
    • Coinbase: pays transaction fees and the block reward
  • If the value does not have the correct number of leading zeros
    • Repeat the process with a new nonce
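The mining loop described on this slide, as an added Python example (not code from the paper or the presentation): a toy proof-of-work search that double-SHA-256-hashes an 80-byte header over successive nonces until the required number of leading zero bits appears, then verifies the result the way a receiving peer would. The previous-block hash, merkle root, timestamp and bits fields are constructed placeholders, and the difficulty used is far below Bitcoin's real target so the search finishes in well under a second.

```python
import hashlib
import struct

# Constructed placeholders for the header fields (not real chain data).
PREV_BLOCK_HASH = bytes.fromhex("00" * 32)
MERKLE_ROOT = hashlib.sha256(b"coinbase+transactions").digest()


def block_hash(prev_hash: bytes, merkle_root: bytes, nonce: int,
               version: int = 2, timestamp: int = 1386000000,
               bits: int = 0x1D00FFFF) -> bytes:
    """Double SHA-256 of an 80-byte Bitcoin-style header: version,
    previous block hash, merkle root, time, bits and the nonce."""
    header = (struct.pack("<I", version) + prev_hash + merkle_root
              + struct.pack("<III", timestamp, bits, nonce))
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()


def meets_difficulty(digest: bytes, leading_zero_bits: int) -> bool:
    """The 'correct number of leading zeros' rule: the hash read as a
    big-endian integer must be below 2**(256 - leading_zero_bits)."""
    return int.from_bytes(digest, "big") >> (256 - leading_zero_bits) == 0


def mine(prev_hash: bytes, merkle_root: bytes, leading_zero_bits: int,
         max_nonce: int = 2 ** 32):
    """Repeat the hash over successive nonces until the rule is met.
    Returns (nonce, digest), or None when the nonce space is exhausted
    (a real miner would then change the coinbase or timestamp and retry)."""
    for nonce in range(max_nonce):
        digest = block_hash(prev_hash, merkle_root, nonce)
        if meets_difficulty(digest, leading_zero_bits):
            return nonce, digest
    return None


def verify(prev_hash: bytes, merkle_root: bytes, nonce: int,
           leading_zero_bits: int) -> bool:
    """What peers do on receipt: a single hash, not a search."""
    return meets_difficulty(block_hash(prev_hash, merkle_root, nonce),
                            leading_zero_bits)


if __name__ == "__main__":
    found = mine(PREV_BLOCK_HASH, MERKLE_ROOT, 16)
    nonce, digest = found
    print(f"nonce={nonce} hash={digest.hex()} valid={verify(PREV_BLOCK_HASH, MERKLE_ROOT, nonce, 16)}")
```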

  11. Pooled Mining
  • Combine the mining power of many individual miners and pay out a small amount for work completed
  • Pool server manages pending transactions
    • Provides a starting point to workers
  • Workers mine the blocks
    • Report results to the server

  12. Botnet Mining
  • Use an existing or newly created botnet to mine for bitcoins
  • Direct pool mining
    • Distribute a mining executable with a wrapper script that specifies mining parameters
    • Generally banned by mining pools
  • Proxied pool mining
    • Proxy connections through a controlled server
    • Requires additional infrastructure
  • Dark pool mining
    • Botmaster maintains a pool server
    • Bots connect to his pool
    • Limited to the number of bots he controls


  14. Methodology
  • Goals:
    • Identify mining malware
    • Identify the size of the infected population
    • Identify the value of the bitcoins extracted
  • Methodology:
    • Identify mining malware
    • Extract mining credentials
    • Estimate earnings
    • Estimate infected population
    • Identify pool proxies

  15. Identifying Mining Malware
  • All mining malware uses the HTTP-based getwork protocol
  • Use this to identify mining malware with a network trace
  • To get the network traffic of various malware:
    • Execute the binaries in a malware execution environment
    • Use data from public and private sandboxes that provide information and logs of the actions of the binaries
  • If the binary is requesting access to a bitcoin pool server, it is being used for bitcoin mining

  16. Extracting Mining Credentials
  • Mining software is generally generic
  • Credentials are passed on the command line
  • Extract the credentials from:
    • Command-line arguments
      • Extract the credentials from the packaged binary
    • HTTP basic authentication
      • Extract credentials from a network trace
    • Command-and-control channel
      • Credentials are contained in a Dropbox or Pastebin file
      • Reverse engineer the malware and use memory snapshots of the de-obfuscated payload
    • Pool operators
      • Public pool operators provide lists of user names and wallet addresses
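Slides 15 and 16 together describe one detection step: spot getwork JSON-RPC traffic in a network trace and pull the worker credentials out of the HTTP basic authentication header. The following is an added Python example (not the paper's tooling) that runs that check over a constructed capture; the pool host `pool.example.invalid`, the worker name `worker01.bot` and its password are invented for the sample.

```python
import base64
import json
import re
from typing import List, Optional


def make_request(host: str, user: str, password: str, body: bytes) -> bytes:
    """Build a getwork-style HTTP POST, used only to construct sample traffic."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    head = (f"POST / HTTP/1.1\r\nHost: {host}\r\nAuthorization: Basic {token}\r\n"
            f"Content-Type: application/json\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


# Constructed sample capture: one miner request to a made-up pool host
# (worker name and password are invented) plus one ordinary web request.
SAMPLE_REQUESTS: List[bytes] = [
    make_request("pool.example.invalid:8332", "worker01.bot", "x",
                 b'{"method": "getwork", "params": [], "id": 1}'),
    b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
]


def parse_http_request(raw: bytes):
    """Split a raw request into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def getwork_credentials(raw: bytes) -> Optional[dict]:
    """Return pool host and worker credentials when the request is a
    getwork JSON-RPC call; None for anything that is not miner traffic."""
    headers, body = parse_http_request(raw)
    try:
        rpc = json.loads(body)
    except ValueError:  # empty or non-JSON body: not JSON-RPC
        return None
    if not isinstance(rpc, dict) or rpc.get("method") != "getwork":
        return None
    creds = {"host": headers.get("host"), "user": None, "password": None}
    m = re.match(r"Basic\s+([A-Za-z0-9+/=]+)$", headers.get("authorization", ""))
    if m:  # HTTP Basic carries base64("worker:password"), i.e. the pool login
        user, _, pw = base64.b64decode(m.group(1)).decode("latin-1").partition(":")
        creds.update(user=user, password=pw)
    return creds


def scan_capture(requests: List[bytes]) -> List[dict]:
    """Apply the check to every request in a capture and keep the miner hits."""
    return [c for c in (getwork_credentials(r) for r in requests) if c]
```

The recovered host and worker name are what the later slides use to query pool statistics and to map a campaign to its payout address.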

  17. Earnings
  • Mapping miners to wallet addresses
    • Contact the pool operators to ask for the information
  • Publicly visible pool statistics
    • Some pools provide public leaderboards
  • Blockchain analysis
    • All transactions are visible
    • Knowing the payout address allows estimates for a specific miner
  • Clustering wallet addresses
    • Botmasters may use different addresses for different campaigns
    • Addresses used as inputs to the same transaction will be controlled by the same user
    • This allows us to cluster addresses used by a single botmaster
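The clustering rule on this slide (inputs spent together belong to one owner) is transitive, so it is naturally computed with union-find over every transaction's input set. Below is an added Python example, not code from the paper, run over constructed transactions whose address labels (`A1`, `B2`, …) are made up; the comments note the heuristic's known failure mode.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed transactions: each lists the input addresses spent together.
# Labels are invented; tx2 links A3 into A1/A2's cluster transitively.
SAMPLE_TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["A1", "A2"]},
    {"txid": "tx2", "inputs": ["A2", "A3"]},
    {"txid": "tx3", "inputs": ["B1"]},
    {"txid": "tx4", "inputs": ["B1", "B2"]},
    {"txid": "tx5", "inputs": ["C1"]},
]


class DisjointSet:
    """Union-find with path halving; elements are registered on first use."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions) -> Dict[str, List[str]]:
    """Multi-input heuristic: all inputs of one transaction share an owner.
    Caveat: transactions that deliberately mix unrelated users' inputs
    (CoinJoin-style) over-merge clusters, so results are an upper bound."""
    ds = DisjointSet()
    for tx in transactions:
        inputs = tx["inputs"]
        for addr in inputs:
            ds.find(addr)  # register single-input addresses as their own cluster
        for other in inputs[1:]:
            ds.union(inputs[0], other)
    clusters = defaultdict(list)
    for addr in ds.parent:
        clusters[ds.find(addr)].append(addr)
    return {root: sorted(members) for root, members in clusters.items()}


def same_owner(transactions, a: str, b: str) -> bool:
    """True if the heuristic places addresses a and b under one owner."""
    return any(a in members and b in members
               for members in cluster_addresses(transactions).values())
```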

  18. Estimating Infected Population
  • Contact anti-virus software vendors to obtain mining malware data
    • E_i: estimated bot population
    • I_i: number of infections in country i per vendor
    • M_i: number of machines in country i per vendor
    • T_i: number of machines in country i
  • This is the expected lower bound
    • Computers without antivirus from the vendors are not counted
    • Estimates are only for specific binaries

  19. Identifying Pool Proxies
  • Cross-login test
    • Credentials can be hidden by an HTTP proxy
    • Create miner accounts in major mining pools
    • If the miner account can connect through the suspected bitcoin mining proxy, then it is being used for bitcoin mining
  • Passive DNS
    • The lifetime of a dark mining pool depends on the lifetime of the botnet
    • Use passive DNS data from the ISC Security Information Exchange
  • Block reversal
    • A pool will provide the same coinbase across similar workers
    • This allows us to match possible bots to a pool
  • Leaked data


  21. DLoad.asia (Redem and Darksons)
  • Began mining in 2011
  • Ended in November of 2012
  • Earnings
    • Darksons: 2,403 BTC
    • Redem: over 10,000 BTC
  • Over 100,000 IPs
  • Population: number of infections

  22. ZeroAccess
  • 9,000,000 infected PCs
  • Began December 2011
  • Earnings: 400 BTC
  • Began mining through proxy servers, now a part of Eligius
  • Population: number of infections

  23. BMControl
  • Began mining in September 2012
  • Part of Eligius
  • Earnings
    • Adds 16,000 new bots per day
    • Average mining rate per bot: 3.75 MH/sec
  • Now mines for Litecoin
  • Population: number of infections

  24. FeodalCash
  • Began mining in May 2013
  • Part of Eligius
  • Earnings: 168 BTC
  • Population: 62,500 infections at its peak

  25. Fareit Bots
  • Began mining April 9, 2013
  • Used a pool proxy with the Blackhole exploit kit
  • Earnings: 265 BTC
  • Population: 12,500 infections

  26. Zenica
  • Earnings
    • 312,000 or more active IPs
    • 170 BTC in 3 months
  • Population
    • Prevalent in Southeast Asia
    • Vietnam and Thailand account for 70% of sampled infections

  27. HitmanUK
  • Botmaster launched a DDoS attack after the pool blacklisted the botnet
    • Paralyzed the pool
    • Prevented mining for a few hours
    • Pool operator then let the botmaster back in
  • Began in February 2013
  • Earnings: 4 BTC
  • Adds 16,000 new bots per day
  • Average mining rate per bot: 3.75 MH/sec

  28. Xfhp.ru Miner
  • Uses Zbot to download the Bitcoin mining plugin
  • Population
    • Southeast Asia
    • South America

  29. Skype Miner
  • Used Skype and social engineering to distribute the bot
    • Sent a compromised Skype message
    • If the message was clicked, the victim was taken to a webpage that downloaded an executable and attempted to install the Bitcoin mining malware
  • Began mining in July 2012
  • Earnings: 250

  30. Miscellaneous
  • There are many small mining operations


  32. Mining Revenue
  • Depends on hashing rate and network difficulty
  • Daily revenue:
    • MH: million SHA-256 computations
    • 8.22 × 10^-12 MH/sec

  33. Botnet Costs
  • Cost of acquiring bots
  • Cost associated with the monetization scheme
  • More information is needed for non-acquisition costs:
    • Infrastructure
    • Development
    • Day-to-day operation

  34. Profitability
  • Varies based on exchange rates
  • 3 classes of profitability
    • Absolutely profitable: revenue exceeds cost for a botnet solely for mining
    • Marginally profitable: revenue exceeds the additional cost for an established botnet adding mining
    • Unprofitable: mining does not cover additional costs
  • Bitcoin mining is expected to remain profitable for large botnets


  36. Conclusion
  • It is possible to track the earnings of botnets because Bitcoin transactions are public
  • Larger botnets have earned sizable amounts of Bitcoins and have been in operation for years
  • Most of these are found in geographic locations with lower costs of bots
  • Developed a method to trace mining malware to its pool even when proxy servers are used to hide the pool


  38. Litecoin
  • Decentralized virtual currency based on Bitcoin
  • 1 Litecoin = $4.19
  • 4 times faster to produce a block when mining
  • Lessens the effect of specialized hardware

  39. Questions?
