Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Virus Bulletin 2015: Anonymizing VPN Services a...

hasherezade
October 01, 2015

Virus Bulletin 2015: Anonymizing VPN Services as a Botnet Monetization Strategy - Analyzing The Bunitu Botnet

hasherezade

October 01, 2015
Tweet

More Decks by hasherezade

Other Decks in Research

Transcript

  1. What is a Proxy Botnet Proxy Botnet - Used to

    bypass the traffic - Covers up the IP of the user - Network of infected computers - Used for cybercrime Proxy botnets
  2. What is a Proxy Botnet Infected Proxy Bot Internet Proxy

    Client Botnet Controller Proxy Traffic Proxy Traffic Proxy Available Proxy Available
  3. Bunitu Proxy Services - Standard HTTP proxy and SOCKS proxy

    services are started by Bunitu on random high ports, client registers them to C&C#1 - Tunnel is operated via C&C#2 – uses it’s own protocol to wrap and bypass the traffic Two types of proxy: Standard and Tunnel
  4. Bunitu Standard Proxy Infected Proxy Bot Internet Proxy Client Bunitu

    C2 Proxy Traffic Proxy Traffic Register Proxy Proxy Available
  5. Bunitu Tunneled Proxy Infected Host (Proxy) Internet Proxy Client Bunitu

    C2 Proxy Traffic Proxy Traffic Register Proxy Proxy Available Proxy Traffic
  6. Bunitu Installation The standard proxy services require inbound connections. There

    is no privilege elevation exploit to silence this. The installer often crashes at the end
  7. Bunitu C2 Server Domains C2 domains are hard coded in

    binary. IPs these domains resolve to must be XOR with key to get real IPs. key
  8. Bunitu Standard Proxy Registration Protocol 00010100 00010000 00000000 = header

    (hardcoded) 67 ab = socks proxy port (little endian -> 0xab67 = 43879) a0 32 = http proxy port (little endian -> 0x32ab = 12971) 05 00 = hard coded value 3a = minutes since last reboot
 02 = hours since last reboot fb1b7067d66fc09daddf = botID
 8d f0 = hard coded unique to each version of the malware
  9. Bunitu Tunneled Proxy Protocol - Registration 0e 00 = Length

    of the message (little endian) -> 0x00e0 -> 14 fb 1b 70 67 d6 6f c0 9d = bot ID, truncated (without last WORD) 21 04 00 00 = command (0x0421) *start the proxy*
  10. Bunitu Tunneled Proxy Protocol - Initialization 2e 00 = Length

    of the message (little endian) -> 0x002e -> 46 fb 1b 70 67 = bot ID, truncated (without last WORD) 01 00 00 01 = command *test given domain* 4c 16 23 3c = session constant 01 = number of queries google.com = domain to test 50 00 = port to query (little endian) 0x0050 -> 80 After registration C&C tests a bot by ordering it to query Googlele
  11. Bunitu Tunneled Proxy Protocol - Request 47 04 = Length

    of the message (little endian) -> 0x0447 -> 1095 fd e0 43 fd = bot ID, truncated (without last WORD) 03 02 02 02 = command *HTTP request* d0 43 00 00 = proxy client ID GET / … = request data C&C orders a bot to perform a GET request
  12. Bunitu Tunneled Proxy Protocol - Response 90 05 = Length

    of the message (little endian) -> 0x0590 -> 1424 fd e0 43 fd = bot ID, truncated (without last WORD) 03 02 02 02 = command *HTTP request* d0 43 00 00 = proxy client ID HTTP /1.1 … = response data Bot performs ordered request, packs it in the internal protocol and sends back to the C&C
  13. Proxy Honeypot 1. Reimplement proxy registration protocol in script 2.

    Find a good proxy intercept tool (mitmproxy) 3. Build our own proxy honeypot 4. : ))
  14. Bunitu Proxy Traffic… So Bad Crime Forums crdclub.so, verified.mn, etc

    Testing Stolen Credentials paypal, alibaba.com, royalbank.com, etc Building Fake Dating Profiles jdate.com, datehookup.com, match.com, etc.
  15. Distributors (Theory) Infected Proxy Bot Distributor (ie. VIP72) Bunitu C2

    (Middleman) 1) Register the bot 4) Send command from the distributor 3) Send commands to my bots 2) Notify appropriate distributor (based on bot’s geolocation)
  16. Risks on both ends Infected machine owner: • can be

    framed in a crime; • have resources used without the permission Proxy Customer: • vulnerable for data theft and privacy violation; • his/her traffic may be poisoned on the way
  17. The (lack of) Evolution in Bunitu/VIP72 We first published a

    report on this malware on August 5, 2015 there has been no change from either VIP72 or Bunitu
  18. Image Attribution • desktop computer by Creative Stall from the

    Noun Project • Cloud by Golden Roof from the Noun Project • Skull and Crossbones by Ricardo Moreira from the Noun Project • Surveillance by Luis Prado from the Noun Project • about by Amr Fakhri from the Noun Project