Virus Bulletin 2015: Anonymizing VPN Services as a Botnet Monetization Strategy - Analyzing The Bunitu Botnet

Transcript

1. Anonymizing VPN Services as a Botnet Monetization Strategy Analyzing The

   Bunitu Botnet

2. Researchers Hasherezade (@hasherezade), Malwarebytes Sergei Frankoff (@herrcore), Sentrant

3. What is a Proxy Botnet Proxy Botnet - Used to

   bypass the traffic - Covers up the IP of the user - Network of infected computers - Used for cybercrime Proxy botnets

4. What is a Proxy Botnet Infected Proxy Bot Internet Proxy

   Client Botnet Controller Proxy Traffic Proxy Traffic Proxy Available Proxy Available

5. Monetizing Proxy Botnets • Advertising Fraud • Re-packaged and sold

   as VPN/Proxy service

6. Prior Work: Monetization Via Ad-Fraud stopmalvertising.com (March, 2014) - hii

   ad-fraud proxy

7. Prior Work: Monetization Via Ad-Fraud hii ad-fraud proxy registration protocol

8. Prior Work: Monetization Via Proxy Sales Kaspersky Research (June 27,

   2011) - TDSS Proxy For Hire

9. Bunitu Ad-fraud Proxy botnet

10. Bunitu Overview 2013-12-25 : b0a91e1f91078bad48252edc989e868e : mlicnai.dll ... 2015-09-16 :

    85ae39ee4fed066797fed137fc1fc332 : naukgol.dll

11. Bunitu Proxy Services - Standard HTTP proxy and SOCKS proxy

    services are started by Bunitu on random high ports, client registers them to C&C#1 - Tunnel is operated via C&C#2 – uses it’s own protocol to wrap and bypass the traffic Two types of proxy: Standard and Tunnel

12. Bunitu Standard Proxy Infected Proxy Bot Internet Proxy Client Bunitu

    C2 Proxy Traffic Proxy Traffic Register Proxy Proxy Available

13. Bunitu Tunneled Proxy Infected Host (Proxy) Internet Proxy Client Bunitu

    C2 Proxy Traffic Proxy Traffic Register Proxy Proxy Available Proxy Traffic

14. Bunitu Trojan overview Droppers’ Gallery https://github.com/hasherezade/bunitu_tests/wiki/Bunitu-Gallery Constant naming convention: [a-z]{7}.dll

    Always a DLL installed by dedicated dropper

15. Bunitu Installation The standard proxy services require inbound connections. There

    is no privilege elevation exploit to silence this. The installer often crashes at the end

16. Bunitu Host Persistence HKCU\Software\Microsoft\Windows\CurrentVersion\Run

17. Bunitu BotID HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ BotID = fb1b7067d66fc09daddf During installation an

    unique bot ID is generated, and stored in the registry

18. Bunitu C2 Server Domains C2 domains are hard coded in

    binary. IPs these domains resolve to must be XOR with key to get real IPs. key

19. Bunitu Standard Proxy Registration Protocol

20. Bunitu Standard Proxy Registration Protocol 00010100 00010000 00000000 = header

    (hardcoded) 67 ab = socks proxy port (little endian -> 0xab67 = 43879) a0 32 = http proxy port (little endian -> 0x32ab = 12971) 05 00 = hard coded value 3a = minutes since last reboot
 02 = hours since last reboot fb1b7067d66fc09daddf = botID
 8d f0 = hard coded unique to each version of the malware

21. Bunitu Tunneled Proxy Protocol

22. Bunitu Tunneled Proxy Protocol - Registration 0e 00 = Length

    of the message (little endian) -> 0x00e0 -> 14 fb 1b 70 67 d6 6f c0 9d = bot ID, truncated (without last WORD) 21 04 00 00 = command (0x0421) *start the proxy*

23. Bunitu Tunneled Proxy Protocol - Initialization 2e 00 = Length

    of the message (little endian) -> 0x002e -> 46 fb 1b 70 67 = bot ID, truncated (without last WORD) 01 00 00 01 = command *test given domain* 4c 16 23 3c = session constant 01 = number of queries google.com = domain to test 50 00 = port to query (little endian) 0x0050 -> 80 After registration C&C tests a bot by ordering it to query Googlele

24. Bunitu Tunneled Proxy Protocol - Request 47 04 = Length

    of the message (little endian) -> 0x0447 -> 1095 fd e0 43 fd = bot ID, truncated (without last WORD) 03 02 02 02 = command *HTTP request* d0 43 00 00 = proxy client ID GET / … = request data C&C orders a bot to perform a GET request

25. Bunitu Tunneled Proxy Protocol - Response 90 05 = Length

    of the message (little endian) -> 0x0590 -> 1424 fd e0 43 fd = bot ID, truncated (without last WORD) 03 02 02 02 = command *HTTP request* d0 43 00 00 = proxy client ID HTTP /1.1 … = response data Bot performs ordered request, packs it in the internal protocol and sends back to the C&C

26. A proxy but for what? Who is using this and

    why?

27. Proxy Honeypot 1. Reimplement proxy registration protocol in script 2.

    Find a good proxy intercept tool (mitmproxy) 3. Build our own proxy honeypot 4. : ))

28. Bunitu Proxy Traffic

29. Bunitu Proxy Traffic… So Bad Crime Forums crdclub.so, verified.mn, etc

    Testing Stolen Credentials paypal, alibaba.com, royalbank.com, etc Building Fake Dating Profiles jdate.com, datehookup.com, match.com, etc.

30. Bunitu Link to VIP72

31. What is VIP72

32. What is VIP72 VIP72 VPN Client

33. Confirming VIP72 Resale of Bunitu Proxy Services

34. Other VPN Services Involved Observations from PL client

35. Other Anonymizing VPN Services Involved Client’s browser using Polish locale

    (code: pl)

36. Other Anonymizing VPN Services Involved Users often start surfing by

    checking their new IP address

37. Distributors (Theory) Infected Proxy Bot Distributor (ie. VIP72) Bunitu C2

    (Middleman) 1) Register the bot 4) Send command from the distributor 3) Send commands to my bots 2) Notify appropriate distributor (based on bot’s geolocation)

38. Risks on both ends Infected machine owner: • can be

    framed in a crime; • have resources used without the permission Proxy Customer: • vulnerable for data theft and privacy violation; • his/her traffic may be poisoned on the way

39. The (lack of) Evolution in Bunitu/VIP72 We first published a

    report on this malware on August 5, 2015 there has been no change from either VIP72 or Bunitu

40. Building On Our Research All of our tools are available

    on GitHub!

41. Building On Our Research https://github.com/hasherezade/bunitu_tests/wiki

42. Contact Us Hasherezade (@hasherezade), Malwarebytes Sergei Frankoff (@herrcore), Sentrant

43. Image Attribution • desktop computer by Creative Stall from the

    Noun Project • Cloud by Golden Roof from the Noun Project • Skull and Crossbones by Ricardo Moreira from the Noun Project • Surveillance by Luis Prado from the Noun Project • about by Amr Fakhri from the Noun Project