
Topology Construction

From the document Countermeasures Against Malware Constructing Botnets (pages 134-139)

Figure 6.6: Effects of node failures. Panels: (a) Random failures; (b) Selective failures. Horizontal axis: r (reachability I(r, t = 14 min)), 0 to 0.8. Curves: ER graph (°), BA graph, WS graph (+). Black solid lines are for the cases without node failures, while red dashed lines are for cases suffering from node failures.


Every time a new smartphone $B_{new}$ is compromised, it is forced to execute the four steps shown in Figure 6.7 to join the botnet:

(1) It actively connects to the helper server and registers itself by uploading its phone number $b_{new}$.

(2) The helper server replies with a unique handshake signature $s_{new}$ and a neighbor list $L$. The handshake signature $s_{new}$ is used later by other bots to become neighbors with $B_{new}$, as described in the next two steps. The neighbor list $L$ contains $dm/N$ nodes randomly selected from the previously registered bots, where $d$, $m$ and $N$ denote the expected average degree of the botnet, the number of already registered bots and the expected population of the botnet, respectively. Each node $B_j \in L$ is recorded with two pieces of information: its phone number $b_j$ and the handshake signature $s_j$ assigned to it. The server refuses further registrations as soon as the botnet population (i.e., the number of registered nodes) reaches $N$.

(3) After receiving the reply from the helper server, $B_{new}$ makes neighbors with the nodes in $L$ one after another: for each node $B_j \in L$, $B_{new}$ sends it the handshake signature $s_j$ via SMS.

(4) When $B_j$ receives this message, it first compares the handshake signature in the message with the signature it keeps. If they match, $B_j$ knows that it has been assigned to $B_{new}$ as a neighbor. It then replies to $B_{new}$ with a message randomly selected from the user's mailbox. A fixed-length run of characters at a specified position in this message is used as the secret key to encrypt future command forwarding between $B_{new}$ and $B_j$. Because each pair of neighbors uses an individual key, the same command forwarded between different nodes appears in different forms after encryption, which greatly increases the stealthiness of the botnet.

Theorem 6.3. The topology of the botnet constructed based on the above scheme is a uniform random graph.

Figure 6.7: Construction protocol

Proof. Assume $B_i$ is the $i$-th node that registers on the helper server. For each earlier registered node $B_j$ with $j < i$, $B_j$ is selected as a neighbor of $B_i$ with probability $\frac{1}{i-1} \cdot \frac{d(i-1)}{N} = \frac{d}{N}$, i.e., the probability that $B_i$ is connected with $B_j$ ($j < i$) in the final botnet graph is $d/N$. On the other hand, for each later registered node $B_k$ with $k > i$, $B_i$ is selected as its neighbor with probability $\frac{1}{k-1} \cdot \frac{d(k-1)}{N} = \frac{d}{N}$, i.e., the probability that $B_i$ is connected with $B_k$ ($k > i$) in the final graph is also $d/N$. Hence the final topology is the desired uniform random graph, and its average degree is $d$.

For this construction mechanism, we have to pay attention to two points. Firstly, we introduce a centralized helper server, which is a single point of failure for the whole botnet. Once the defenders discover this server, they can easily deploy filtering signatures on the gateways of the cellular network to catch compromised phones that try to connect to it. The botmaster may take the following measures to reduce this side effect:

(1) Besides the cellular networks controlled by telecom operators, there exist many WiFi networks that are outside their control, and there is no way to rapidly and uniformly deploy security systems in these networks. Therefore, infected phones should first try to use WiFi to communicate with the helper server, which greatly increases their stealthiness.

(2) Set a time limit for the botnet construction. When the time limit expires, the botmaster should stop the construction and remove the server immediately, even if the botnet population has not reached the expected value. After all, the shorter this phase lasts, the more secure the botnet becomes.

(3) Because network intrusion-detection systems pay less attention to HTTP packets, the communication between bots and the helper server should use the HTTP protocol. In addition, all of this communication should be encrypted to prevent man-in-the-middle attacks.

(4) Use multiple helper servers instead of just one.

The second point we have to consider is that the neighbors randomly selected according to our protocol may be far apart in the world, and even in different nations. Command forwarding between such nodes is prone to detection, because SMS messages are usually sent to local friends. We discuss possible means of working around this problem below.

Firstly, because malware can use various tricks to send and receive messages without prompting users or leaving any trace in the message boxes on many platforms (e.g., Android, according to our test), the only chance for end users to detect those malicious messages is to check the itemized records of their SMS usage issued by the provider.

However, users usually do not request these records unless something unusual appears in their monthly SMS bills. Therefore, malicious message sending and receiving can easily escape detection by users, provided that it causes no anomaly in the bills. According to our survey, most operators (e.g., China Mobile, Japanese Softbank) offer SMS packages under which a phone can send a large or even unlimited number of messages to phones of the same provider for a fixed monthly fee. The locations of the phones do not matter in these cases. However, if the sender and the receiver belong to different operators, sending messages can be very expensive, especially when the operators are in different countries. Therefore, as long as all the neighbors belong to the same provider, they avoid producing abnormal SMS bills that could draw the users' attention. For this purpose, when a new smartphone joins the botnet, the helper server should randomly select bots of the same provider to create the neighbor list in Step (2).

By doing so, the botmaster will obtain independent sub-botnets for the different providers' networks, and the topology of each sub-botnet is still a uniform random graph. When the botmaster issues a new command, he has to select one node in each sub-botnet to start the command propagation.

Figure 6.8: A sample topology that considers the bot locations during its construction

Although the above measure protects the stealthiness of the proposed C&C against end users, the operator may still discover abnormal message sending between remote nodes in its network, because all SMS messages are under its monitoring. To address this problem, we have to re-organize the bots based on their locations. A phone number usually contains an area code that indicates the location (i.e., the city, most of the time) of the phone. Therefore, when a new bot registers itself, the helper server can easily determine its city by using a database that maps area codes to cities.

We then make the helper server randomly select registered bots from the same city to create the neighbor list. In addition, with a small and fixed probability, the helper server randomly selects another bot from a different city to join the neighbor list. By doing so, we obtain a topology such as the sample in Figure 6.8: within any city, bots form a local botnet that is a uniform random graph, and on the city level, if we regard each local botnet as a node, the local botnets are also connected as a uniform random graph. This means that commands from the botmaster can be propagated efficiently both intra-city and inter-city. What's more, each bot may send SMS messages to at most one bot that is in
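As an added example (not the thesis's own code), the following Python model abstracts the neighbor-selection rule of Step (2) so that an analyst can check the claim of Theorem 6.3 and the location-aware variant described above: nodes register in order, each receives a list of $dm/N$ earlier nodes drawn uniformly (rounded stochastically, an assumption made here), and in the city-aware mode the list is drawn from the same city with one extra remote node added with a small fixed probability. It measures the average degree, the empirical per-pair connection probability (which the theorem says is $d/N$), whether early and late registrants end up with the same degree, and the share of edges that cross a city boundary, which is the long-distance traffic the text says an operator could notice. There is no messaging in the model; the function names, the `_list_size` rounding rule and the equal-sized interleaved cities are constructed for this illustration.

```python
"""Abstract model of the sequential neighbor-selection scheme of Section 6.6.

Added example, not the thesis's own code. Nodes are plain integers that
register in order; there is no messaging, no phone numbers and no keys, only
the graph that the helper server's neighbor lists would induce. The rounding
in _list_size and the per-city population bookkeeping are assumptions made
here to turn the prose into a runnable model.
"""
import random


def _list_size(expected, rng):
    """The text asks for d*m/N neighbors, which is rarely an integer.
    Assumption: round stochastically so the expected list size is exactly d*m/N."""
    base = int(expected)
    return base + (1 if rng.random() < expected - base else 0)


def build_graph(n, d, rng, city_of=None, p_remote=0.0):
    """Simulate n registrations and return adjacency sets.

    city_of: optional function node -> city label. When given, each neighbor
    list is drawn from earlier bots of the same city (using that city's final
    population as its N) and, with probability p_remote, one extra bot from a
    different city is appended, as in the location-aware variant of the text.
    """
    if city_of is None:
        def city_of(_node):
            return 0
    # the helper server knows the expected population of every city in advance
    expected_pop = {}
    for node in range(n):
        expected_pop[city_of(node)] = expected_pop.get(city_of(node), 0) + 1
    adj = [set() for _ in range(n)]
    registered = {}          # city -> nodes already registered there
    all_registered = []
    for node in range(n):
        city = city_of(node)
        local = registered.setdefault(city, [])
        m = len(local)
        k = _list_size(d * m / expected_pop[city], rng)
        neighbors = rng.sample(local, min(k, m))   # uniform, without replacement
        if p_remote > 0 and rng.random() < p_remote:
            others = [b for b in all_registered if city_of(b) != city]
            if others:
                neighbors.append(rng.choice(others))
        for b in neighbors:
            adj[node].add(b)
            adj[b].add(node)
        local.append(node)
        all_registered.append(node)
    return adj


def average_degree(adj):
    return sum(len(nbrs) for nbrs in adj) / len(adj)


def pair_probability(adj):
    """Empirical probability that an arbitrary pair of nodes is joined."""
    n = len(adj)
    edges = sum(len(nbrs) for nbrs in adj) / 2
    return edges / (n * (n - 1) / 2)


def mean_degree(adj, nodes):
    nodes = list(nodes)
    return sum(len(adj[v]) for v in nodes) / len(nodes)


def cross_city_fraction(adj, city_of):
    """Share of edges whose endpoints lie in different cities: these are the
    long-distance SMS exchanges the text says an operator could notice."""
    total = cross = 0
    for u, nbrs in enumerate(adj):
        for v in nbrs:
            if u < v:
                total += 1
                if city_of(u) != city_of(v):
                    cross += 1
    return cross / total if total else 0.0


def uniform_stats(n, d, seed):
    """Plain scheme: the quantities Theorem 6.3 predicts (d/N per pair, degree d)."""
    g = build_graph(n, d, random.Random(seed))
    tenth = n // 10
    return {
        "avg_degree": average_degree(g),
        "pair_probability": pair_probability(g),
        "early_mean_degree": mean_degree(g, range(tenth)),
        "late_mean_degree": mean_degree(g, range(n - tenth, n)),
    }


def city_stats(n, d, seed, cities, p_remote):
    """Location-aware scheme with `cities` equal-sized cities (constructed:
    registration order interleaves the cities via node % cities)."""
    def city_of(node):
        return node % cities
    g = build_graph(n, d, random.Random(seed), city_of=city_of, p_remote=p_remote)
    return {"avg_degree": average_degree(g),
            "cross_city_fraction": cross_city_fraction(g, city_of)}


if __name__ == "__main__":
    N, D = 4000, 8
    s = uniform_stats(N, D, seed=1)
    print(f"uniform: avg degree {s['avg_degree']:.3f} (d={D}), pair probability "
          f"{s['pair_probability']:.5f} (d/N={D / N:.5f}), early/late mean degree "
          f"{s['early_mean_degree']:.2f}/{s['late_mean_degree']:.2f}")
    c = city_stats(N, D, seed=2, cities=4, p_remote=0.05)
    print(f"city-aware: avg degree {c['avg_degree']:.3f}, "
          f"cross-city edge share {c['cross_city_fraction']:.4f}")
```

With $N = 4000$ and $d = 8$ the plain scheme yields a pair probability of about $0.002 = d/N$ and an average degree just under 8, with early and late registrants indistinguishable, which is the content of Theorem 6.3. In the city-aware run with four cities and a remote probability of 0.05, only about one edge in eighty crosses a city boundary: that small set of long-distance pairs is where an operator's SMS monitoring would have to look.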
