Tuesday, July 19, 2011

Criminal Activity On Peer-To-Peer (P2P) Networks

Criminal activity on peer-to-peer (P2P) networks are usually associated with sharing of illegal such as copyrighted or offensive material (music, movies, snuff films or pornography). There are a number of cases when a law enforcement agencies successfully taken down the sites such as the case with Elite Torrents group (Charles Montaldo, 2005). But recently different peer-to-peer protocols such BitTorrent and Kad are being used to command and control an army of digital zombies (botnet). Botnet, controlled by a botmaster, can be used to attacks such as spam and denial of service.
As bots are getting more and more sophisticated allowing the controller to capture keystrokes, take screen shots, send spam and participate in denial of service attacks, and much harder to detect due to inclusion of rootkit capabilities, “the most significant feature, however, is the inclusion of peer-to-peer technology in the latest version of the botnet's code” (Peter Bright, 2011). Moreover, some bots allow controllers to “sublet”, for a price, an IP address to be used as anonymous proxy.
Peer-to-peer technology allows hacker to eliminate a “single point of failure” - a single (sometimes multiple) Internet Relay Chat (IRC) server or a Really Simple Syndication (RSS) feed to command the botnet. Over the years, there were a number of attempts by a botnet developers to develop the next generation utilizing peer-to-peer control mechanism such as “Slapper, Sinit, Phatbot and Nugache have implemented different kinds of P2P control architectures” (Ping Wang, Sherri Sparks, Cliff C. Zou, 2007), each with its weaknesses. For example, Sinit bot used random probing techniques to discover other Sinit infected machines which resulted in easily detected network traffic. Insecure implementation of authentication mechanism made Slapper easy to hijack. Whereas Nugache contained a list of static IP addresses used as initial seed (David Dittrich, Steven Dietrich 2008) (David Dittrich, Steven Dietrich 2009).
Modern implementation of the bots utilizing peer-to-peer protocol with combination of encryption (based on TLS/SSL) of the network traffic, public-key based authentication mechanism, randomly used ports with protocol mimicking to avoid anomalies detection on the network level and prevent hijacking of the botnet network by competing botmasters and law enforcement agencies. The TDL4 (or Alureon) dubbed as “the ‘indestructible’ botnet” and it is running on over 4.5 million infected computers at the time of writing (Sergey Golovanov, Igor Soumenkov 2011).
To make botnet more resilient, a hierarchical structure is used with each servant (a hybrid of bot and server) communicates with a small subset of bots, and each not contains a small list of other peers (in case servant is not available). The servants themselves are rotated (dynamic) and updated periodically to prevent capturing and disturbing the botnet network. Locally, the malware uses rootkit functionality to avoid detection by anti-viruses. For example, Alureon botnet “infects the system's master boot record (MBR), part of a hard disk that contains critical code used to boot the operating system” (Peter Bright 2011), meaning that rootkit is loaded before operating system and an antivirus software.
Forensic investigation of crime involved advanced peer-to-peer botnet involves a combination of reverse engineering, operating system and network forensic. For example, TDL4 infects victims MBR which, up on investigation, immediately identify the presence of the rootkit. Moreover, a presence of certain files (recoverable from offline forensic image) such as cfg.ini and ktzerules in certain locations could indicate infection. On a network level, upon infection the malware downloads and “installs nearly 30 additional malicious programs, including fake antivirus programs, adware, and the Pushdo spambot” (Sergey Golovanov, Igor Soumenkov 2011) making it possible to monitor and detect the botnet activity.


No comments:

Post a Comment