Publication

Featured research published by Brett Stone-Gross.


ieee symposium on security and privacy | 2013

SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets

Christian Rossow; Dennis Andriesse; Tillmann Werner; Brett Stone-Gross; Daniel Plohmann; Christian Dietrich; Herbert Bos

Centralized botnets are easy targets for takedown efforts by computer security researchers and law enforcement. Thus, botnet controllers have sought new ways to harden the infrastructures of their botnets. In order to meet this objective, some botnet operators have (re)designed their botnets to use Peer-to-Peer (P2P) infrastructures. Many P2P botnets are far more resilient to takedown attempts than centralized botnets, because they have no single points of failure. However, P2P botnets are subject to unique classes of attacks, such as node enumeration and poisoning. In this paper, we introduce a formal graph model to capture the intrinsic properties and fundamental vulnerabilities of P2P botnets. We apply our model to current P2P botnets to assess their resilience against attacks. We provide assessments on the sizes of all eleven active P2P botnets, showing that some P2P botnet families contain over a million bots. In addition, we have prototyped several mitigation strategies to measure the resilience of existing P2P botnets. We believe that the results from our analysis can be used to assist security researchers in evaluating mitigation strategies against current and future P2P botnets.


Proceedings of the Workshop on Information Security | 2011

The Underground Economy of Fake Antivirus Software

Douglas G. Steigerwald; Giovanni Vigna; Christopher Kruegel; Richard A. Kemmerer; Ryan Abman; Brett Stone-Gross

Fake antivirus (AV) programs have been utilized to defraud millions of computer users into paying as much as one hundred dollars for a phony software license. As a result, fake AV software has evolved into one of the most lucrative criminal operations on the Internet. In this paper, we examine the operations of three large-scale fake AV businesses, lasting from three months to more than two years. More precisely, we present the results of our analysis on a trove of data obtained from several backend servers that the cybercriminals used to drive their scam operations. Our investigations reveal that these three fake AV businesses had earned a combined revenue of more than 130 million dollars. A particular focus of our analysis is on the financial and economic aspects of the scam, which involves legitimate credit card networks as well as more dubious payment processors. In particular, we present an economic model that demonstrates that fake AV companies are actively monitoring the refunds (chargebacks) that customers demand from their credit card providers. When the number of chargebacks increases in a short interval, the fake AV companies react to customer complaints by granting more refunds. This lowers the rate of chargebacks and ensures that a fake AV company can stay in business for a longer period of time. However, this behavior also leads to unusual patterns in chargebacks, which can potentially be leveraged by vigilant payment processors and credit card companies to identify and ban fraudulent firms.


annual computer security applications conference | 2009

FIRE: FInding Rogue nEtworks

Brett Stone-Gross; Christopher Kruegel; Kevin C. Almeroth; Andreas Moser; Engin Kirda

For many years, online criminals have been able to conduct their illicit activities by masquerading behind disreputable Internet Service Providers (ISPs). For example, organizations such as the Russian Business Network (RBN), Atrivo (a.k.a., Intercage), McColo, and most recently, the Triple Fiber Network (3FN) operated with impunity, providing a safe haven for Internet criminals for their own financial gain. What primarily sets these ISPs apart from others is the significant longevity of the malicious activities on their networks and the apparent lack of action taken in response to abuse reports. Interestingly, even though the Internet provides a certain degree of anonymity, such ISPs fear public attention. Once exposed, rogue networks often cease their malicious activities quickly, or are de-peered (disconnected) by their upstream providers. As a result, the Internet criminals are forced to relocate their operations. In this paper, we present FIRE, a novel system to identify and expose organizations and ISPs that demonstrate persistent, malicious behavior. The goal is to isolate the networks that are consistently implicated in malicious activity from those that are victims of compromise. To this end, FIRE actively monitors botnet communication channels, drive-by-download servers, and phishing web sites. This data is refined and correlated to quantify the degree of malicious activity for individual organizations. We present our results in real-time via the website maliciousnetworks.org. These results can be used to pinpoint and to track the activity of rogue organizations, preventing criminals from establishing strongholds on the Internet. Also, the information can be compiled into a null-routing blacklist to immediately halt traffic from malicious networks.


international conference on malicious and unwanted software | 2013

Highly resilient peer-to-peer botnets are here: An analysis of Gameover Zeus

Dennis Andriesse; Christian Rossow; Brett Stone-Gross; Daniel Plohmann; Herbert Bos

Zeus is a family of credential-stealing trojans which originally appeared in 2007. The first two variants of Zeus are based on centralized command servers. These command servers are now routinely tracked and blocked by the security community. In an apparent effort to withstand these routine countermeasures, the second version of Zeus was forked into a peer-to-peer variant in September 2011. Compared to earlier versions of Zeus, this peer-to-peer variant is fundamentally more difficult to disable. Through a detailed analysis of this new Zeus variant, we demonstrate the high resilience of state-of-the-art peer-to-peer botnets in general, and of peer-to-peer Zeus in particular.


ieee symposium on security and privacy | 2011

Analysis of a Botnet Takeover

Brett Stone-Gross; Marco Cova; Bob Gilbert; Richard A. Kemmerer; Christopher Kruegel; Giovanni Vigna

Botnets, networks of malware-infected machines (bots) that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program designed to harvest sensitive information (such as bank account and credit-card data) from its victims. In this article, the authors report on their efforts to take control of the Torpig botnet and study its operations for a period of 10 days. During this time, they observed more than 180,000 infections and recorded almost 70 Gbytes of data that the bots collected. They also report on what happened in the year that has passed since they lost control of the Torpig botnet.


international world wide web conferences | 2013

Two years of short URLs internet measurement: security threats and countermeasures

Federico Maggi; Alessandro Frossi; Stefano Zanero; Gianluca Stringhini; Brett Stone-Gross; Christopher Kruegel; Giovanni Vigna

URL shortening services have become extremely popular. However, it is still unclear whether they are an effective and reliable tool that can be leveraged to hide malicious URLs, and to what extent these abuses can impact the end users. With these questions in mind, we first analyzed existing countermeasures adopted by popular shortening services. Surprisingly, we found such countermeasures to be ineffective and trivial to bypass. This first measurement motivated us to proceed further with a large-scale collection of the HTTP interactions that originate when web users access live pages that contain short URLs. To this end, we monitored 622 distinct URL shortening services between March 2010 and April 2012, and collected 24,953,881 distinct short URLs. With this large dataset, we studied the abuse of short URLs. Although short URLs are a significant, new security risk, in accordance with the reports resulting from the observation of the overall phishing and spamming activity, we found that only a relatively small fraction of users ever encountered malicious short URLs. Interestingly, during the second year of measurement, we noticed an increased percentage of short URLs being abused for drive-by download campaigns and a decreased percentage of short URLs being abused for spam campaigns. In addition to these security-related findings, our unique monitoring infrastructure and large dataset allowed us to complement previous research on short URLs and analyze these web services from the users' perspective.


broadband communications, networks and systems | 2007

MIST: Cellular data network measurement for mobile applications

Mike P. Wittie; Brett Stone-Gross; Kevin C. Almeroth; Elizabeth M. Belding

The rapid growth in the popularity of cellular networks has led to aggressive deployment and a rapid expansion of mobile services. Services based on the integration of cellular networks into the Internet have only recently become available, but are expected to become very popular. One current limitation to the deployment of many of these services is poor or unknown network performance, particularly in the cellular portion of the network. Our goal in this paper is to motivate and present the Mobile Internet Services Test (MIST) platform, a new distributed architecture to measure and characterize cellular network performance as experienced by mobile devices. We have used MIST to conduct preliminary measurements; evaluate MIST’s effectiveness; and motivate further measurement research.


international conference on computer communications | 2011

Peering through the iframe

Brett Stone-Gross; Marco Cova; Christopher Kruegel; Giovanni Vigna

Drive-by-download attacks have become the method of choice for cyber-criminals to infect machines with malware. Previous research has focused on developing techniques to detect web sites involved in drive-by-download attacks, and on measuring their prevalence by crawling large portions of the Internet. In this paper, we take a different approach to analyzing and understanding drive-by-download attacks. Instead of horizontally searching the Internet for malicious pages, we examine in depth one drive-by-download campaign, that is, the coordinated efforts used to spread malware. In particular, we focus on the Mebroot campaign, which we periodically monitored and infiltrated over several months, by hijacking parts of its infrastructure and obtaining network traces at an exploit server. By studying the Mebroot drive-by-download campaign from the inside, we could obtain an in-depth and comprehensive view into the entire life-cycle of this campaign and the involved parties. More precisely, we could study the security posture of the victims of drive-by attacks (e.g., by measuring the prevalence of vulnerable software components and the effectiveness of software updating mechanisms), the characteristics of legitimate web sites infected during the campaign (e.g., the infection duration), and the modus operandi of the miscreants controlling the campaign.


passive and active network measurement | 2008

Malware in IEEE 802.11 wireless networks

Brett Stone-Gross; Christo Wilson; Kevin C. Almeroth; Elizabeth M. Belding; Heather Zheng; Konstantina Papagiannaki

Malicious software (malware) is one of the largest threats facing the Internet today. In recent years, malware has proliferated into wireless LANs as these networks have grown in popularity and prevalence. Yet the actual effects of malware-related network traffic in open wireless networks have never been examined. In this paper, we provide the first study to quantify the characteristics of malware on wireless LANs. We use data collected from the large wireless LAN deployment at the 67th IETF meeting in San Diego, California as a case study. The measurements in this paper demonstrate that even a single infected host can have a dramatic impact on the performance of a wireless network.


international conference on detection of intrusions and malware and vulnerability assessment | 2008

VeriKey: A Dynamic Certificate Verification System for Public Key Exchanges

Brett Stone-Gross; David Sigal; Rob Cohn; John Morse; Kevin C. Almeroth; Christopher Kruegel

Collaboration

Brett Stone-Gross's top co-authors.

Marco Cova, University of California

Bob Gilbert, University of California