Botcoin: Monetizing Stolen Cycles

Date post: 30-Dec-2015
Page 1: Botcoin: Monetizing Stolen Cycles

UC San Diego and George Mason University

Presented By: Amanda Watson

CSCI 780: Advanced Network Security

Page 2: Botcoin: Monetizing Stolen Cycles

Outline

Introduction

Related Work

Background

Methodology

Analysis

Discussion

Conclusion

Epilogue

Page 3: Bots

Send spam, commit click fraud, DoS attacks, steal user data

Botmaster: uses bots to extract value from the above actions

Botnet: compromised computers under the control of the botmaster

Demand for a bot determines the value

Security evolution depends on the demand

Page 4: Bitcoin Mining

Repeatedly computing the SHA-256 cryptographic hash function over a large range of values

State-space search

Can be conducted in parallel

Botmaster can add bitcoin mining to the current activities of his botnet without interfering with the others

Pro: Potentially lucrative depending on the number of bots

Con: Easier to detect than other activities

Page 5: Outline (repeat of Page 2)

Page 6: Related Work

Analysis of the transactions in the Bitcoin network

  Measures activity

  Tests the limits of anonymity

Analysis of the Silk Road (underground drug market)

  Shutdown October 13, 2013

Bitcoin mining can be “gamed” by an appropriately powerful adversary

Can disrupt the Bitcoin economy

Profitable malware

Pay-per-install, fake anti-virus, click fraud

Page 7: Outline (repeat of Page 2)

Page 8: Bitcoin

Proposed by Satoshi Nakamoto in 2008

Not backed by any government

Purely a peer-to-peer virtual currency

Bitcoins are acquired through mining

Transactions are public through the blockchain

Public ledger maintained by a peer-to-peer network

Page 9: Bitcoin

1 Bitcoin = $402.53

Page 10: Bitcoin Mining

Miner receives valid transactions through the peer-to-peer network

Group them into blocks

  set of transactions

  header containing a hash of the previous block and a nonce

Compute a SHA-256 hash value of the block

If the value has the correct number of leading zeros

Miner passes it on to others to verify

Coinbase: pays transaction fees and the block reward

If the value does not have the correct number of leading zeros

Repeat the process

Page 11: Pooled Mining

Combine the mining power of many individual miners and pay out a small amount for work completed

Pool server manages pending transactions

Provides starting point to workers

Workers mine the blocks

Report results to the server
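The mining loop of Page 10 and the worker/pool split of Page 11, as an added example in Python (not code from the presentation or the Botcoin paper): a toy proof-of-work that double-SHA-256-hashes a simplified block header and walks the nonce space until the digest has enough leading zero bits, plus a pooled-mining worker that scans an assigned nonce range and counts the easier "shares" it would report to the pool server. The header layout (previous hash, transaction digest, 32-bit nonce), the difficulty expressed in bits, and all sample inputs are simplifications chosen for this example; real Bitcoin headers carry more fields and are compared against a numeric target rather than a count of zeros.

```python
import hashlib
import struct


def header_hash(prev_hash: bytes, tx_digest: bytes, nonce: int) -> bytes:
    """Double SHA-256 of the simplified header: previous block hash, digest of the
    transaction set, and a 32-bit little-endian nonce (layout assumed for this example)."""
    payload = prev_hash + tx_digest + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in the digest (the slide's 'leading zeros')."""
    value = int.from_bytes(digest, "big")
    return 256 - value.bit_length()


def mine(prev_hash: bytes, tx_digest: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Search the nonce space until the hash has at least difficulty_bits leading zeros.
    Returns (nonce, digest), or (None, None) if the range is exhausted. Every nonce is an
    independent trial, which is why the search parallelises across many machines."""
    for nonce in range(max_nonce):
        digest = header_hash(prev_hash, tx_digest, nonce)
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest
    return None, None


def verify(prev_hash: bytes, tx_digest: bytes, nonce: int, difficulty_bits: int) -> bool:
    """What other peers do with a claimed block: one hash and one comparison."""
    return leading_zero_bits(header_hash(prev_hash, tx_digest, nonce)) >= difficulty_bits


def worker_shares(prev_hash, tx_digest, share_bits, block_bits, nonce_start, nonce_count):
    """Pooled-mining worker: scan the nonce range the pool assigned, count shares (hashes
    that meet the pool's easier target) to report back, and note the first nonce that
    also meets the full block target."""
    shares, block_nonce = 0, None
    for nonce in range(nonce_start, nonce_start + nonce_count):
        bits = leading_zero_bits(header_hash(prev_hash, tx_digest, nonce))
        if bits >= share_bits:
            shares += 1
            if bits >= block_bits and block_nonce is None:
                block_nonce = nonce
    return shares, block_nonce


# Constructed sample inputs (not real chain data).
PREV_HASH = hashlib.sha256(b"constructed previous block").digest()
TX_DIGEST = hashlib.sha256(b"constructed transaction set").digest()

if __name__ == "__main__":
    nonce, digest = mine(PREV_HASH, TX_DIGEST, difficulty_bits=16)
    print("nonce", nonce, "hash", digest.hex(), "valid", verify(PREV_HASH, TX_DIGEST, nonce, 16))
    print("shares in first 4096 nonces at 8 bits:", worker_shares(PREV_HASH, TX_DIGEST, 8, 16, 0, 4096)[0])
```

The asymmetry the slides rely on is visible here: finding a 16-bit solution takes tens of thousands of hashes, verifying it takes one, and a pool can hand out disjoint nonce ranges to workers that never need to talk to each other.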

Page 12: Botnet Mining

Use an existing or newly created botnet to mine for bitcoins

Direct Pool Mining

  Distribute a mining executable with a wrapper script that specifies mining parameters

  Generally banned by mining pools

Proxied Pool Mining

  Proxy connections through a controlled server

  Requires additional infrastructure

Dark Pool Mining

  Botmaster maintains a pool server

  Bots connect to his pool

  Limited to the number of bots he controls

Page 13: Outline (repeat of Page 2)

Page 14: Methodology

Goals:

Identify mining malware

Identify size of infected population

Identify the value of the bitcoins extracted

Methodology

Identify Mining Malware

Extract Mining Credentials

Estimate Earnings

Estimate Infected Population

Identify Pool Proxies

Page 15: Identifying Mining Malware

All mining malware uses the HTTP-based getwork protocol

Use this to identify mining malware with a network trace

To get the network traffic of various malware:

  Execute the binaries in a malware execution environment

  Use data from public and private sandboxes that provide information and logs of the actions of the binaries

If the binary is requesting access to a bitcoin pool server, it is being used for bitcoin mining

Page 16: Extracting Mining Credentials

Mining software is generally generic

Credentials are passed on the command line

Extract the credentials:

  Command-line arguments: extract the credentials from the packaged binary

  HTTP basic authentication: extract credentials from a network trace

  Command-and-control channel: credentials are contained in a Dropbox or Pastebin file; reverse engineer the malware and use memory snapshots of the de-obfuscated payload

  Pool operators: public pool operators provide lists of user names and wallet addresses
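The detection step of Page 15 and the network-trace credential extraction of Page 16, as an added example in Python (not code from the presentation or the paper): it scans HTTP requests recorded by a sandbox for JSON-RPC calls to the getwork method and recovers the pool worker name from the HTTP Basic Authorization header. The trace is constructed inside the block; every hostname, port and credential is a placeholder, and the distinction drawn in the comments between an empty params array (asking for work) and a filled one (submitting a result) is how the getwork protocol behaves rather than anything the slides state.

```python
import base64
import json
from typing import Optional


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed sandbox network log: raw HTTP requests as a sample would have sent them.
# Hostnames, ports and credentials are placeholders chosen for this example.
SAMPLE_TRACE = [
    # Ordinary JSON-RPC traffic that is not mining: must not be flagged.
    "POST /update HTTP/1.1\r\nHost: updates.example.invalid\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"method": "ping", "params": [], "id": 1}',
    # Direct pool mining: a getwork request carrying the worker's pool credentials in Basic auth.
    "POST / HTTP/1.1\r\nHost: pool.example.invalid:8332\r\n"
    "Authorization: Basic " + b64("worker42.bot:x") + "\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"method": "getwork", "params": [], "id": 1}',
    # Proxied pool mining: same protocol aimed at a proxy on port 80; non-empty params
    # means the worker is submitting a solved share rather than asking for new work.
    "POST / HTTP/1.1\r\nHost: proxy.example.invalid:80\r\n"
    "Authorization: Basic " + b64("botmaster_pool:password") + "\r\n"
    "Content-Type: application/json\r\n\r\n"
    '{"method": "getwork", "params": ["<hex block data placeholder>"], "id": 2}',
]


def parse_request(raw: str):
    """Split a raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_getwork(body: str) -> bool:
    """True if the body is a JSON-RPC call to the getwork method."""
    try:
        msg = json.loads(body)
    except ValueError:
        return False
    return isinstance(msg, dict) and msg.get("method") == "getwork"


def basic_auth_user(headers: dict) -> Optional[str]:
    """Recover the user name from an HTTP Basic Authorization header, or None."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, _password = decoded.partition(":")
    return user


def find_mining_requests(trace):
    """Return (host, worker name) for every request in the trace that speaks getwork.
    A host that answers getwork is a pool server or a proxy standing in front of one."""
    hits = []
    for raw in trace:
        _request_line, headers, body = parse_request(raw)
        if is_getwork(body):
            hits.append((headers.get("host"), basic_auth_user(headers)))
    return hits
```

The worker name is what a researcher hands to the pool operator or matches against public leaderboards; the host tells you whether the sample talks to a known pool directly or to an intermediary that the cross-login test of Page 19 can then probe.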

Page 17: Earnings

Mapping miners to wallet addresses

  Contact the pool operators to ask for the information

Publicly visible pool statistics

  Some pools provide public leaderboards

Blockchain analysis

  All transactions are visible

  Knowing the payout address allows estimates for a specific miner

Clustering wallet addresses

  Botmasters may use different addresses for different campaigns

  Addresses used as inputs to the same transaction will be controlled by the same user

  This allows us to cluster addresses used by a single botmaster
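The multi-input clustering heuristic from this slide, as an added example in Python (not code from the presentation or the paper): addresses that appear together as inputs of one transaction are merged with a union-find structure, and the resulting cluster's earnings are summed over outputs paid by known pool payout addresses, excluding the botmaster's own internal transfers. The transaction set, the address names and the amounts are all constructed for the example.

```python
from collections import defaultdict

# Constructed transactions: input addresses and (output address, BTC amount) pairs.
SAMPLE_TXS = [
    {"inputs": ["poolA_payout"], "outputs": [("bot_wallet_1", 1.5), ("poolA_change", 20.0)]},
    {"inputs": ["poolA_payout"], "outputs": [("bot_wallet_2", 2.0), ("poolA_change2", 18.0)]},
    {"inputs": ["poolB_payout"], "outputs": [("bot_wallet_3", 0.75), ("unrelated_user", 4.0)]},
    # bot_wallet_1 and bot_wallet_2 are spent together -> same owner under the heuristic.
    {"inputs": ["bot_wallet_1", "bot_wallet_2"], "outputs": [("exchange_deposit", 3.4), ("bot_wallet_3", 0.1)]},
    # bot_wallet_3 later co-spends with bot_wallet_2 -> it joins the same cluster.
    {"inputs": ["bot_wallet_3", "bot_wallet_2"], "outputs": [("exchange_deposit", 0.8)]},
    {"inputs": ["unrelated_user"], "outputs": [("merchant", 4.0)]},
]


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Merge every address that appears as an input of the same transaction.
    Returns {address: frozenset(cluster members)} for every address seen, inputs and outputs."""
    uf = UnionFind()
    seen = set()
    for tx in txs:
        ins = tx["inputs"]
        for addr in ins:
            uf.find(addr)
        for addr in ins[1:]:
            uf.union(ins[0], addr)
        seen.update(ins)
        seen.update(addr for addr, _ in tx["outputs"])
    groups = defaultdict(set)
    for addr in seen:
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(groups[uf.find(addr)]) for addr in seen}


def cluster_of(address, clusters):
    """Cluster containing the address; an address never seen is its own singleton."""
    return clusters.get(address, frozenset([address]))


def cluster_earnings(txs, cluster, payout_addresses):
    """Sum the BTC paid into the cluster by transactions whose inputs are all known pool
    payout addresses; transfers inside the cluster or from other sources are not counted."""
    total = 0.0
    for tx in txs:
        if not set(tx["inputs"]) <= payout_addresses:
            continue
        total += sum(amt for addr, amt in tx["outputs"] if addr in cluster)
    return total
```

Note that bot_wallet_3 only joins the cluster once it is spent alongside an already-clustered address; an address that has only ever received funds cannot be linked by this heuristic, which is one reason the slide calls the earnings figures estimates.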

Page 18: Estimating Infected Population

Contact anti-virus software vendors to obtain mining malware data

E_i: estimated bot population

I_i: number of infections in country i per vendor

M_i: number of machines in country i per vendor

T_i: number of machines in country i

This is the expected lower bound

Computers without antivirus from these vendors are not counted

Estimates are only for specific binaries

Page 19: Identifying Pool Proxies

Cross-login test

  Credentials can be hidden by an HTTP proxy

  Create miner accounts in major mining pools

  If the miner account can connect through the suspected bitcoin mining proxy, then the proxy is being used for bitcoin mining

Passive DNS

  The lifetime of a dark mining pool depends on the lifetime of the botnet

  Use passive DNS data from the ISC Security Information Exchange

Block Reversal

  A pool will provide the same coinbase across similar workers

  This allows us to match possible bots to a pool

Leaked Data

Page 20: Outline (repeat of Page 2)

Page 21: DLoad.asia (Redem and Darksons)

Began mining in 2011

Ended in November of 2012

Earnings

  Darksons: 2,403 BTC

  Redem: over 10,000 BTC

Over 100,000 IPs

Population: number of infections

Page 22: ZeroAccess

9,000,000 infected PCs

Began December 2011

Earnings: 400 BTC

Began mining through proxy servers, now a part of Eligius

Population: number of infections

Page 23: BMControl

Began mining in September 2012

Part of Eligius

Earnings

Adds 16,000 new bots per day

Average mining rate per bot: 3.75 MH/sec

Now mines for Litecoin

Population: number of infections

Page 24: FeodalCash

Began mining in May 2013

Part of Eligius

Earnings: 168 BTC

Population: 62,500 infections at its peak

Page 25: Fareit Bots

Began mining April 9, 2013

Used a pool proxy with the Black Hole exploit kit

Earnings: 265 BTC

Population: 12,500 infections

Page 26: Zenica

Earnings

  312,000 or more active IPs

  170 BTC in 3 months

Population

  Prevalent in Southeast Asia

  Vietnam and Thailand account for 70% of sampled infections

Page 27: HitmanUK

Botmaster launched a DDoS attack after the pool blacklisted the botnet

Paralyzed the pool

Prevented mining for a few hours

Pool operator then let the botmaster back in

Began in February 2013

Earnings: 4 BTC

Adds 16,000 new bots per day

Average mining rate/ bot : 3.75MH/sec

Page 28: Xfhp.ru Miner

Uses Zbot to download the Bitcoin mining plugin

Population

Southeast Asia

South America

Page 29: Skype Miner

Used Skype and social engineering to distribute the bot

Sent a compromised Skype message

If the message was clicked, the victim was taken to a webpage that downloaded an executable and attempted to install the Bitcoin mining malware

Began mining in July 2012

Earnings: 250

Page 30: Miscellaneous

There are many small mining operations

Page 31: Outline (repeat of Page 2)

Page 32: Mining Revenue

Depends on hashing rate and network difficulty

Daily Revenue:

MH: million SHA-256 computations

8.22 x 10^-12 MH/sec

Page 33: Botnet Costs

Cost of acquiring bots

Cost associated with the monetization scheme

More information is needed for non-acquisition costs:

  Infrastructure

  Development

  Day-to-day operation

Page 34: Profitability

Varies based on exchange rates

3 classes of profitability

Absolutely profitable: revenue exceeds cost for a botnet solely for mining

Marginally profitable: revenue exceeds additional cost for an established botnet adding mining

Unprofitable: mining does not cover additional costs

Bitcoin is expected to remain profitable for large botnets
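The revenue arithmetic of Page 32 and the three profitability classes of Page 34, as an added example in Python (not code from the presentation or the paper). The revenue formula is standard Bitcoin arithmetic assumed here rather than read off the slide: a block takes on average difficulty x 2^32 hashes to find, so expected blocks per second is hash rate divided by that. With an assumed difficulty of 7.08 x 10^8 (a late-2013 value chosen for the sample input, not stated on the slides) and a 25 BTC block reward, the function returns about 8.22 x 10^-12 BTC per MH, which is consistent with the figure on Page 32 being BTC earned per million hashes. The per-bot rate and exchange rate in the demo come from the slides; the bot count and cost figures are placeholders.

```python
SECONDS_PER_DAY = 86400
HASHES_PER_MH = 1_000_000  # the slide's unit: MH = one million SHA-256 computations


def btc_per_mh(difficulty: float, block_reward_btc: float) -> float:
    """Expected BTC earned per million hashes at the given network difficulty.
    Assumes the standard expected cost of difficulty * 2**32 hashes per block."""
    return block_reward_btc * HASHES_PER_MH / (difficulty * 2 ** 32)


def daily_revenue_btc(hashrate_mh_s: float, difficulty: float, block_reward_btc: float) -> float:
    """Expected BTC per day for a miner (or botnet) with the given aggregate hash rate."""
    return btc_per_mh(difficulty, block_reward_btc) * hashrate_mh_s * SECONDS_PER_DAY


def daily_revenue_usd(hashrate_mh_s: float, difficulty: float, block_reward_btc: float, usd_per_btc: float) -> float:
    """Same, converted at an exchange rate; this is the term that swings profitability."""
    return daily_revenue_btc(hashrate_mh_s, difficulty, block_reward_btc) * usd_per_btc


def botnet_hashrate_mh_s(bots: int, mh_s_per_bot: float) -> float:
    """Aggregate hash rate of a botnet whose bots all mine at the same average rate."""
    return bots * mh_s_per_bot


def classify_profitability(daily_revenue: float, daily_total_cost: float, daily_marginal_cost: float) -> str:
    """The slide's three classes. total cost: running a botnet solely for mining;
    marginal cost: only the extra cost of adding mining to an established botnet."""
    if daily_revenue > daily_total_cost:
        return "absolutely profitable"
    if daily_revenue > daily_marginal_cost:
        return "marginally profitable"
    return "unprofitable"


if __name__ == "__main__":
    # Constructed scenario: 10,000 bots at the per-bot rate quoted on the BMControl slide,
    # an assumed difficulty of 7.08e8, a 25 BTC block reward, and the slide's $402.53 rate.
    # The two cost figures are placeholders.
    rate = botnet_hashrate_mh_s(10_000, 3.75)
    usd = daily_revenue_usd(rate, 7.08e8, 25, 402.53)
    print(f"{rate:.0f} MH/s -> {usd:.2f} USD/day ->",
          classify_profitability(usd, daily_total_cost=100.0, daily_marginal_cost=5.0))
```

The demo scenario yields well under one BTC per day for tens of thousands of bots, which is the quantitative reason the slides place botnet mining in the "marginally profitable" class for an established botnet and expect only large botnets to stay profitable as difficulty rises.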

Page 35: Outline (repeat of Page 2)

Page 36: Botcoin: Monetizing Stolen Cycles

Conclusion

It is possible to track the earnings of botnets because Bitcoin transactions are public

Larger botnets have earned sizable amounts of Bitcoins and have been in operation for years

Most of these are found in geographic locations with lower costs of bots

Developed a method to trace mining pool malware even when proxy servers are used to hide the pool

Page 37: Outline (repeat of Page 2)

Page 38: Litecoin

Decentralized virtual currency based on Bitcoin

1 litecoin = $4.19

4 times faster to produce a block when mining

Lessens the effect of specialized hardware

Page 39: Botcoin: Monetizing Stolen Cycles

Questions?

