Walowdac Botnet Whitepaper 



Published:  January 12, 2010
 
Walowdac – Analysis of a Peer-to-Peer Botnet*

Ben Stock (1), Jan Göbel (1), Markus Engelberth (1), Felix C. Freiling (1), and Thorsten Holz (1,2)

(1) Laboratory for Dependable Distributed Systems, University of Mannheim
(2) Secure Systems Lab, Technical University Vienna

* Thorsten Holz was supported by the WOMBAT and FORWARD projects funded by the European Commission, and the FIT-IT Trust in IT-Systems (Austria) under the project TRUDIE (P820854).

Abstract

A botnet is a network of compromised machines under the control of an attacker. Botnets are the driving force behind several misuses on the Internet, for example spam mails or automated identity theft. In this paper, we study the most prevalent peer-to-peer botnet in 2009: Waledac. We present our infiltration of the Waledac botnet, which can be seen as the successor of the Storm Worm botnet. To achieve this we implemented a clone of the Waledac bot named Walowdac. It implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed. With the help of this tool we observed a minimum daily population of 55,000 Waledac bots and a total of roughly 390,000 infected machines throughout the world. Furthermore, we gathered internal information about the success rates of spam campaigns and newly introduced features like the theft of credentials from victim machines.

1 Introduction

Botnets, i.e., networks of compromised machines under the control of an attacker, are nowadays one of the most severe threats in Internet security. With a large number of participating bots, a tremendous number of spam emails can be sent out, for example to acquire new hosts or to advertise a diverse set of products. Additionally, Distributed Denial of Service (DDoS) attacks threaten every system connected to the Internet. Therefore, it is crucial to explore ways of detecting and mitigating current and new botnets.

The first generation of botnets uses a central Command & Control (C&C) server to dispatch commands. This type of botnet is rather well understood [4, 7, 14] and the technique of botnet tracking [7] is now a standard method to mitigate this type of threat. The second generation of botnets tries to avoid a centralized infrastructure by using a peer-to-peer-based communication mechanism [8]. The most prominent example for this class of botnets is the Storm Worm botnet, which used a distributed hash table as communication medium. This mechanism offered a rather centralized way to infiltrate and analyze the botnet [10, 11]. The Waledac botnet can be regarded as the successor of Storm Worm. However, Waledac uses a more decentralized store-and-forward communication paradigm and new communication protocols, so we had to develop novel techniques to track this botnet.

Related Work. The communication protocol used by Waledac was already studied by Leder [12] and Sinclair [15]. Symantec [16] and Trend Micro [1] recently released reports about the implemented features of Waledac, including the spam template system, as well as attempts to measure the size of the botnet. A study by ESET [2] estimated the size of the Waledac botnet at around 20,000 bots. Another study focussing on Waledac was performed by Borup [3]. The focus of this work is on the C&C protocol, the binary obfuscation techniques, as well as mitigation methods against the botnet. The author describes a Sybil attack [6] that we also used to generate the statistical data that we present in this paper.

Contributions. In this paper, we present the results of yet another analysis of Waledac. Our focus was to verify previous measurements as well as to build and refine tools to study the botnet efficiently. In contrast to the analysis of previous decentralized botnets, simply crawling active peers was no solution to gather in-depth information like the size of the botnet. Instead, we implemented a bot clone to infiltrate the network and capture all data passing through this system. Furthermore, to measure the size we actively interfered with the botnet to inject the IP addresses of our analysis systems, a method not applied before. We collected data about the botnet for almost one month between August 6 and September 1, 2009. Our measurement results reveal that the actual size of the botnet is by far bigger than expected, rendering Waledac one of the most efficient spam botnets in the wild. We observed a minimum population of 55,000 bots every day, with almost 165,000 active bots on a typical day. In total, we counted more than 390,000 individual bots, indicating a similar number of infected machines during the measurement period. While investigating the botnet, we also witnessed several changes the bot master applied to the botnet to introduce new features like the theft of credentials. We started our research with version 33 of Waledac and finished our observation with version 46. Thus, the botnet is in active development with frequent updates and changes to the core functionality.

Outline. This paper is organized as follows: Section 2 gives a brief background on how the Waledac botnet is structured, the different roles of a bot, and their tasks in the botnet. We present in Section 3 the different experiments we performed while monitoring the botnet and the results we achieved. Finally, we conclude this paper in Section 4.

2 Background

In this section, we briefly describe the setup of the Waledac botnet and its propagation mechanism. More details of the botnet and the technical aspects of its implementation are available in different studies [1, 3, 12, 15, 16].

2.1 Waledac Botnet Structure

The botnet consists of (at least) four different layers, which we describe in the following from bottom to top. Figure 1 shows how these layers are connected and what kind of information is exchanged between them.

[Figure 1: Schematic overview of the Waledac botnet hierarchy. From top to bottom: Mothership (?), Backend-Server, Repeaters, Spammers. Labels in the figure: Commands, Repeater lists, Fast-Flux Traffic (Repeaters also serve uninfected hosts).]

At the lowest level of the botnet hierarchy are the so-called Spammers. These systems are used to carry out the spam campaigns. The property that distinguishes Spammers from the other bots in the network is that they do not have a publicly reachable IP address. That means Spammers are, for example, located behind NAT routers and therefore cannot be accessed from the Internet directly. The benefit of this property is that although Spammers attract the most attention due to the massive sending of spam emails, they cannot be easily tracked down.

At the next level are the so-called Repeaters. These are the entry points for any new bot joining the network, as well as the place to go for every running bot. For this reason only bots that own a publicly reachable IP address can become a Repeater. A Repeater can be considered a mediator between the first (lowest) and third (backend) layer of the botnet. Spammers contact the Repeaters to acquire new tasks from the bot master or to report the success of previous operations. These requests are relayed to the next layer, the so-called Backend-Servers. Additionally, the Repeaters act as fast-flux agents for the different Waledac fast-flux domains [9]. That means they also relay HTTP requests of uninfected hosts.

The next level consists of the Backend-Servers that answer both the relayed requests of the Spammers and the fast-flux queries of the Repeaters. As the Backend-Servers are perfectly synchronized and use a webserver software, called nginx, that is mainly used for proxy purposes, the assumption of a single server (mothership) on top of the botnet is obvious. However, only the analysis of one of the Backend-Servers can prove this assumption right.

Although in related works Waledac is referred to as a pure peer-to-peer botnet, it uses a centralized structure in the upper layers, and only the lower ones (Spammers and Repeaters) make up the peer-to-peer part. For this reason, the Repeaters and the Spammers continuously exchange lists of currently active Repeaters. This ensures that any bot at any time has at least one currently running Repeater in its list to join the botnet. As an additional backup, each bot binary contains a hardcoded fail-over URL which itself is hosted within the fast-flux network of Waledac. This URL points to another list of active Repeaters. Thus, if a bot is unable to contact ten Repeaters consecutively on its local list, it downloads a new list from the fail-over URL. Additionally, Repeaters exchange lists of the currently active Backend-Servers. This list is signed with the private key of the botnet herder to ensure that no attacker can insert his own Backend-Servers into the botnet.

2.2 Propagation Mechanisms

The Waledac bots themselves do not own any built-in propagation mechanisms. That means infected hosts do not scan their local network for vulnerable systems. Instead, Waledac propagates with the help of social engineering. Hence, Spammers are frequently instructed to send out emails with URLs pointing to the current version of Waledac. To increase the probability of infecting new hosts, the self-propagation emails are usually masked as greeting cards that host the malicious binary, similar to Storm Worm [10].

[Figure 2: Schematic overview of the Waledac infection cycle. Participants: Spammer, Repeater, Backend-Server, Uninfected Host. Numbered steps in the figure: 1.) Task?, 2.) Task?, 3.) Send Spam, 4.) Send Spam, 5.) Spam-Mail?, 6.) GET /binary.exe, 7.) GET /binary.exe, 8.) Waledac Binary, 9.) Waledac Binary.]

Figure 2 visualizes the infection cycle of the Waledac botnet. The number at each line indicates the order in which actions are performed. The infection cycle can be summarized as follows: a Spammer frequently queries one of the active Repeaters for new tasks to perform. These queries are relayed to one of the Backend-Servers, which in turn replies with the current task. In this case, the task is to send out spam messages for propagation. An uninfected host that receives one of the emails and follows the embedded link issues a request for the current Waledac binary to one of the fast-flux agents currently assigned to this domain. Again, one of the Backend-Servers transmits the requested content across the agent back to the requesting host. Depending on the reachability of the freshly infected host, it will either show up as a new Repeater or Spammer.

3 Measurements

For our measurements we ran multiple instances of Walowdac on computers at Mannheim University. Considering the single location, all our results for the size should be seen as lower bounds.

3.1 Methodology: Walowdac

Our main objective while investigating Waledac was to find out more about the actual size of the botnet. As the Spammers are not reachable, just crawling the Repeaters does not provide an accurate size of the botnet. To circumvent this problem and to provide a much more accurate number of bots, we implemented a script to imitate a valid Waledac Repeater. The software implements all communication parts of a Repeater, but answers the requests directly instead of forwarding them. We refer to this script as Walowdac, as it is a low-interaction Waledac clone.

In order to give a more precise lower bound of the Waledac botnet, we push several IP addresses of hosts running Walowdac into the botnet. This is possible as Repeaters do not validate the list of Repeater IP addresses they receive. Thus, anytime our script connects to a Repeater, it sends a list of its own IP addresses to the Repeater. As a result, the IP addresses of our Walowdac systems are propagated throughout the complete botnet and Spammer systems start to connect to us. Figure 3 depicts the single steps performed to distribute the IP addresses of our fake Repeater. That way, we are able to measure not only the number of Repeaters, but also a large fraction of Spammers.
Among the information we store while running our Waledac imitation are timestamps, IP addresses and identification numbers of connecting hosts, Windows and Waledac versions, as well as spam campaign data distributed through the botnet. With the newer versions of Waledac we also captured stolen credentials of POP3, FTP, and HTTP accounts. During our monitoring period of one month, we collected login data for 128,271 FTP, 93,950 HTTP, and 39,051 POP3 accounts. We have not yet further investigated the stolen credentials, as this is out of the scope of this paper.

All bots within the Waledac botnet can be identified by a node ID. This node ID is generated directly after an infection and does not change throughout the lifetime of a bot. Bots embed this node ID in every message they exchange [16], so it is a good candidate for a uniqueness criterion.

[Figure 3: Injecting fake Repeater IP addresses into the botnet. Steps labelled in the figure: 1.) fake peerlist (Walowdac to Repeater), 2.) new peerlist?, 3.) fake peerlist, 4.) connect to Walowdac (Spammer).]

3.2 Results

The results described in this section were gathered between August 6th and September 1st, 2009. For the allocation of IP addresses to countries we used the free version of the GeoIP database maintained by MaxMind [13].

Botnet Size. During the data collection period, we measured 248,983 different node IDs. The maximum number of node IDs on a single day was 102,748 on August 24th. Although the node IDs are randomly generated and should be unique across the botnet, we also monitored several hosts originating in different autonomous systems (AS) using the same node ID. The reason might be collisions in the node ID generation algorithm used by Waledac. With this fact in mind we recalculated the number of bots on August 24th using the node ID and AS as uniqueness criteria, resulting in a total of 164,182 bots. The size of the Waledac botnet we obtained is much higher than previous estimations published by Trend Micro [1] or ESET [2].

Figure 4 shows the hourly number of bots running on August 24th worldwide. For comparison the figure also shows the number of bots located in Central Europe and North America at the particular hours. The picture also shows the fluctuation (diurnal pattern) of running bots due to the different time zones they are located in [5]. Throughout our measurement period, we monitored at least 55,000 node IDs, i.e. active bots, every day.

[Figure 4: Distribution of running bots according to their location and time on August 24th.]

A cumulative distribution of the bots' IP addresses is shown in Figure 5. We counted all bots monitored during the whole data collection period and again used the node ID and AS as uniqueness criteria. As a result, we counted a total of 403,685 bots. The distribution is highly non-uniform: the majority of bots are located in the IP address ranges between 58.*–99.* and 186.*–222.*. This does not come as a surprise, as most of these IP addresses are managed by the Regional Internet Registries ARIN and RIPE NCC, which are responsible for the regions North America and Europe, respectively. This fact is also reflected in Table 6a: most of the Spammers originated in the US or in Central Europe.

[Figure 5: Cumulative distribution of IP addresses infected with Waledac. x axis: IP address space (0.0.0.0 to 250.0.0.0, with markers at 58.0.0.0, 100.0.0.0, 188.0.0.0 and 223.0.0.0); y axis: bots' IP addresses, accumulated (0 to 400,000).]
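The two uniqueness criteria used in Section 3.2 (node ID alone versus node ID combined with the autonomous system it was observed from), as an added worked example in Python; this is not code from the paper or from the Walowdac tool. The observation records, node IDs and AS numbers are constructed for the example, and the step of mapping a source IP to its AS is assumed to have been done before the records are built. The example also derives the per-day and per-hour counts behind the paper's daily minimum and the diurnal curve of Figure 4.

```python
from collections import defaultdict

# Constructed Walowdac-style observation log (not data from the paper): each
# record is (timestamp, source IP, node ID, autonomous system number). The node
# IDs and AS numbers are made up; resolving an IP to its AS is assumed done.
OBSERVATIONS = [
    ("2009-08-24 01:05:12", "192.0.2.10",   "a000000000000000000000000000000a", 64500),
    ("2009-08-24 01:07:40", "192.0.2.11",   "a000000000000000000000000000000b", 64500),
    ("2009-08-24 02:15:03", "198.51.100.7", "a000000000000000000000000000000a", 64501),  # same node ID, other AS
    ("2009-08-24 13:22:51", "192.0.2.10",   "a000000000000000000000000000000a", 64500),  # repeat check-in
    ("2009-08-24 14:00:00", "203.0.113.5",  "a000000000000000000000000000000c", 64502),
    ("2009-08-25 03:30:19", "192.0.2.11",   "a000000000000000000000000000000b", 64500),
    ("2009-08-25 09:45:00", "203.0.113.9",  "a000000000000000000000000000000d", 64502),
]


def by_node_id(obs):
    """Uniqueness criterion 1: the node ID alone."""
    return obs[2]


def by_node_id_and_as(obs):
    """Uniqueness criterion 2: node ID combined with the AS it was seen from."""
    return (obs[2], obs[3])


def count_unique(observations, key):
    """Number of distinct bots over the whole period under the given criterion."""
    return len({key(o) for o in observations})


def daily_counts(observations, key):
    """Distinct bots per calendar day (basis of the daily minimum/maximum)."""
    seen = defaultdict(set)
    for o in observations:
        seen[o[0][:10]].add(key(o))
    return {day: len(ids) for day, ids in sorted(seen.items())}


def hourly_active(observations, day, key):
    """Distinct bots per hour of one day, i.e. the diurnal curve of Figure 4."""
    seen = defaultdict(set)
    for o in observations:
        if o[0].startswith(day):
            seen[int(o[0][11:13])].add(key(o))
    return {hour: len(ids) for hour, ids in sorted(seen.items())}


def colliding_node_ids(observations):
    """Node IDs observed from more than one AS: the collisions that motivate
    criterion 2. Returns {node_id: sorted list of AS numbers}."""
    ases = defaultdict(set)
    for o in observations:
        ases[o[2]].add(o[3])
    return {nid: sorted(a) for nid, a in ases.items() if len(a) > 1}


if __name__ == "__main__":
    print("by node ID:       ", count_unique(OBSERVATIONS, by_node_id))
    print("by node ID and AS:", count_unique(OBSERVATIONS, by_node_id_and_as))
    print("collisions:       ", colliding_node_ids(OBSERVATIONS))
    print("per day (ID+AS):  ", daily_counts(OBSERVATIONS, by_node_id_and_as))
    print("hourly 2009-08-24:", hourly_active(OBSERVATIONS, "2009-08-24", by_node_id_and_as))
```

On the constructed log the node-ID-only count (4) is lower than the node-ID-plus-AS count (5) because one ID appears from two ASes; the same effect is what moves the paper's August 24th figure from 102,748 node IDs to 164,182 bots. Note that criterion 2 overcounts a bot whose IP legitimately moves between ASes, so it is an upper correction to a lower bound, not an exact count.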
The distribution of the Repeaters (see Table 6b) is very similar and differs only in the order of the countries. The main difference is that there are more Repeaters in India than in the United Kingdom and more Spammers in the United Kingdom than in India.

Table 6: Top countries in which Waledac bots are located.

(a) Spammers

Country          # Bots     Percentage
United States     67,805     17.34%
United Kingdom    30,347      7.76%
France            27,542      7.04%
Spain             23,065      5.90%
India             21,503      5.50%
Other            220,807     56.46%

(b) Repeaters

Country          # Bots     Percentage
United States      5,048     19.50%
India              1,456      5.63%
France             1,386      5.36%
United Kingdom     1,348      5.21%
Spain              1,191      4.60%
Other             15,452     59.70%

Waledac Versions and Distribution Campaigns. At the beginning of our measurement phase most of the monitored bots were running Waledac version 34. The bot's version number is sent in all its communication packets. An example of a so-called first packet is shown in Listing 1. These kinds of packets are only sent at the bot's first start after negotiating the session key. The version number is included in the <v> tag [1, 3, 12, 15, 16].

Listing 1: First packet sent after negotiating the session key.

    <lm>
      <t>first</t>
      <v>34</v>
      <i>4b5da61f8d14e53fe92526694277695e</i>
      <r>0</r>
      <props>
        <p n="label">mirabellasite</p>
        <p n="winver">5.1.2600</p>
      </props>
    </lm>

On July 20, 2009, the botnet was ordered to download and run version 36 of Waledac. However, the command was issued just for a couple of hours; thus, systems not online during this time were unable to update. As a result, even two weeks after the update was issued (July 31st), still more than 30 percent of the bots we monitored were running the old version 34. That means Waledac bots lack a decent update mechanism: although bots propagate their running version, they are not updated once the command is no longer issued. On July 25th, we monitored the first version 39 bots connecting to our fake Repeater script. The latest version we monitored was 46, which indicates that the botnet is still actively developed. With version 36, the collection of user credentials was introduced. Table 1 summarizes the distribution of Waledac versions monitored on two different days. At the end of July, most bots were still running versions 34 and 36. By the beginning of September this had shifted to almost 60% of the bots running the newest version 46.

Table 1: Distribution of Waledac versions across all monitored bots at the end of July and the beginning of September.

Version code   31.7.2009 (65,924 bots)   9.9.2009 (74,280 bots)
< 33               114  (0.17%)               86  (0.12%)
33                 440  (0.67%)              270  (0.36%)
34              20,718 (31.43%)            9,344 (12.58%)
35                  51  (0.08%)               36  (0.05%)
36              35,572 (53.96%)           10,547 (14.20%)
37               2,658  (4.03%)              362  (0.49%)
39               5,681  (8.62%)            1,650  (2.22%)
40                 689  (1.05%)               69  (0.09%)
41–45                0  (0.00%)            8,174 (11.00%)
46                   0  (0.00%)           43,742 (58.89%)

Next to the current version installed on a Waledac bot, bots also send the name of the campaign which distributed the binary. This information is also included in the first packets (see Listing 1), in the <p> tag with attribute n="label". At the beginning of July the biggest campaigns identified were birdie6 and swift, with 12.5 percent of all infected machines. The current campaigns distributing version 46 are called spyware.

OS Version of Infected Machines. Waledac bots do not send their operating system version with every packet but only with the first one, and we managed to capture a few of these first packets. However, only about 10 percent of all monitored bots established this initial connection to Walowdac. Thus, the results of this measurement provide only a coarse overview of the distribution of the operating systems running on infected machines. Table 2 summarizes the operating system codes found in initial packets. Windows XP still makes up most of all monitored bots, to no surprise.

Table 2: Distribution of Windows version codes (June 28th till July 18th).

Code       Belongs to                      Number   Percent of bots
5.1.2600   XP (32 Bit)                     10,899   90.2%
6.0.6001   Vista (SP1), Server 2008           678    5.6%
6.0.6000   Vista                              353    2.9%
6.0.6002   Vista SP2, Server 2008 (SP2)        78    0.6%
5.2.3790   XP (64 Bit), Server 2003            39    0.3%
5.0.2195   2000                                27    0.2%

Spam Campaigns. Throughout the analysis time we monitored different pharmacy and email harvesting campaigns. The harvesting emails advertised cheap watches with the invitation to contact certain email addresses if interested. Additionally, several Waledac propagation campaigns were observed. For this purpose, the botnet herder used special events, like Valentine's Day or Independence Day, to send out masses of spam messages containing links to Waledac binaries. The same behavior was already observed with Storm.

After each spam run a Spammer reports the status of the transaction for each email. The status can either be ERR or OK. Thus, it is possible to determine which mail servers did actually accept the incoming email and for which addresses it was rejected. During our monitoring phase we received a total of 662,611,078 notifications, of which 167,784,234 were OK. This gives us an average of 25.32% for the delivery of mails to the recipient's mail server. In this scope we did not try to determine how many emails actually end up in a user's inbox. A recent experiment by ESET [2] revealed that on average a Spammer using a normal dial-up account sends about 6,500 emails per hour, resulting in about 150,000 spam mails per day. Taking into account that we monitored at least 10,000 bots online at any time of day gives Waledac a spam capacity of

    6,500 * 24 * 10,000 * 0.2532 = 394,992,000

delivered mails per day. This number is only a rough estimation and corresponds to the emails actually accepted by the receiving mail servers; theoretically Waledac is able to send more than 1.5 billion spam mails per day. However, this is only valid for 10,000 bots each hour, with our monitoring showing up to 30,000 bots per hour during the daytime. Thus, this number might very well be tripled.

4 Conclusion

In this paper, we showed that it is possible to infiltrate the Waledac botnet by distributing specially crafted peerlists to other Repeaters. As a result, we were also able to collect data from Spammers connecting to our fake system. That way we were able to capture a few of the first packets sent by freshly infected systems. The analysis of these packets revealed that most of the compromised hosts are running Windows XP as an operating system.

We showed that current estimations about the size of the Waledac botnet are far too low. At peaks we measured more than 160,000 bots, whereas ESET [2] for example counted just 20,000 bots. With this in mind, we can estimate that the number of spam emails emitted by Waledac is very high, rendering Waledac one of the most efficient spam botnets currently in the wild. The rapid changes to the malware, with new versions showing up almost every two weeks, show that Waledac is still actively developed.

References

[1] Jonell Baltazar, Joey Costoya, and Ryan Flores. Trend Micro: Infiltrating Waledac Botnet's Covert Operations, July 2009.
[2] Sebastián Bortnik. How much spam does Waledac send?, 2009. Blog: http://www.eset.com/.
[3] Lasse Trolle Borup. Peer-to-peer botnets: A case study on Waledac. Master's thesis, Technical University of Denmark, 2009.
[4] Evan Cooke, Farnam Jahanian, and Danny McPherson. The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets. In Steps to Reducing Unwanted Traffic on the Internet (SRUTI), 2005.
[5] David Dagon, Cliff Zou, and Wenke Lee. Modeling Botnet Propagation Using Time Zones. In 13th Network and Distributed System Security Symposium (NDSS), 2006.
[6] John R. Douceur. The Sybil Attack. In First International Workshop on Peer-to-Peer Systems (IPTPS), 2002.
[7] Felix Freiling, Thorsten Holz, and Georg Wicherski. Botnet Tracking: Exploring a Root-Cause Methodology to Prevent Distributed Denial-of-Service Attacks. In 10th European Symposium On Research In Computer Security (ESORICS), 2005.
[8] Julian B. Grizzard, Vikram Sharma, Chris Nunnery, Brent ByungHoon Kang, and David Dagon. Peer-to-Peer Botnets: Overview and Case Study. In Hot Topics in Understanding Botnets (HotBots), 2007.
[9] Thorsten Holz, Christian Gorecki, Konrad Rieck, and Felix Freiling. Measuring and Detecting Fast-Flux Service Networks. In 15th Network & Distributed System Security Symposium (NDSS), 2008.
[10] Thorsten Holz, Moritz Steiner, Frederic Dahl, Ernst Biersack, and Felix Freiling. Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. In First Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2008.
[11] Chris Kanich, Kirill Levchenko, Brandon Enright, Geoffrey M. Voelker, and Stefan Savage. The Heisenbot Uncertainty Problem: Challenges in Separating Bots from Chaff. In First Workshop on Large-Scale Exploits and Emergent Threats (LEET), 2008.
[12] Felix Leder. Speaking Waledac, 2009. Blog: http://www.honeynet.org/node/348.
[13] MaxMind. Geolocation and Online Fraud Prevention. http://www.maxmind.com/.
[14] Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, and Andreas Terzis. A Multifaceted Approach to Understanding the Botnet Phenomenon. In 6th Internet Measurement Conference (IMC), 2006.
[15] Greg Sinclair. Waledac's communication protocol, 2009. Blog: http://bit.ly/MWOA2.
[16] Gilou Tenebro. W32.Waledac Threat Analysis. Technical report, Symantec, 2009.
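As an added example for the first-packet format of Listing 1 and the version and OS tabulation of Section 3.2 (Tables 1 and 2), the following Python parses <lm> messages with the standard library, extracts the <t>, <v>, <i>, <r> fields and the <props> entries, and builds the distributions from a sample. This is not code from the paper or from Walowdac. The first sample message is Listing 1 itself; the other messages, their node IDs and the type value "later" used for a non-first packet are constructed placeholders, and the mapping from version codes to Windows releases is the one given in Table 2.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Windows version codes and the releases they belong to, as listed in Table 2.
WINVER_NAMES = {
    "5.1.2600": "XP (32 Bit)",
    "6.0.6001": "Vista (SP1), Server 2008",
    "6.0.6000": "Vista",
    "6.0.6002": "Vista SP2, Server 2008 (SP2)",
    "5.2.3790": "XP (64 Bit), Server 2003",
    "5.0.2195": "2000",
}

# Sample <lm> messages. The first is Listing 1 from the paper; the rest are
# constructed for this example (made-up node IDs; "later" is a placeholder
# type for a non-first message, not a real Waledac value).
SAMPLE_MESSAGES = [
    """<lm><t>first</t><v>34</v><i>4b5da61f8d14e53fe92526694277695e</i><r>0</r>
       <props><p n="label">mirabellasite</p><p n="winver">5.1.2600</p></props></lm>""",
    """<lm><t>first</t><v>36</v><i>00000000000000000000000000000001</i><r>0</r>
       <props><p n="label">spyware</p><p n="winver">6.0.6001</p></props></lm>""",
    """<lm><t>first</t><v>46</v><i>00000000000000000000000000000002</i><r>0</r>
       <props><p n="label">spyware</p><p n="winver">5.1.2600</p></props></lm>""",
    # Same bot as the second message, seen again after it updated: no <props>.
    """<lm><t>later</t><v>46</v><i>00000000000000000000000000000001</i><r>0</r></lm>""",
]


def parse_lm(xml_text):
    """Extract the fields of one <lm> message.

    Returns a dict with the message type (<t>), Waledac version (<v>), node ID
    (<i>), the <r> value and the <props> entries keyed by their n attribute.
    Only first packets carry <props>, so label and winver may be None.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "lm":
        raise ValueError("not an <lm> message")

    def text(tag):
        el = root.find(tag)
        return el.text.strip() if el is not None and el.text else None

    props = {p.get("n"): (p.text or "").strip() for p in root.iterfind("props/p")}
    return {
        "type": text("t"),
        "version": text("v"),
        "node_id": text("i"),
        "r": text("r"),
        "label": props.get("label"),
        "winver": props.get("winver"),
    }


def version_distribution(messages):
    """Waledac version per bot (Table 1 style): one entry per node ID, taking
    the version from the most recent message of that bot."""
    latest = {}
    for m in messages:
        latest[m["node_id"]] = m["version"]
    return Counter(latest.values())


def os_distribution(messages):
    """Windows release per bot, available from first packets only (Table 2 style)."""
    counts = Counter()
    for m in messages:
        if m["type"] == "first" and m["winver"]:
            counts[WINVER_NAMES.get(m["winver"], "unknown code " + m["winver"])] += 1
    return counts


def campaign_distribution(messages):
    """Distribution campaign labels (<p n="label">) seen in first packets."""
    return Counter(m["label"] for m in messages if m["label"])


def summarize(raw_messages=SAMPLE_MESSAGES):
    parsed = [parse_lm(x) for x in raw_messages]
    return {
        "versions": version_distribution(parsed),
        "os": os_distribution(parsed),
        "campaigns": campaign_distribution(parsed),
    }


if __name__ == "__main__":
    for name, counter in summarize().items():
        print(name, dict(counter))
```

Because only first packets carry <props>, the OS table can only ever cover the bots whose very first check-in reached the monitoring node, which is why the paper calls Table 2 a coarse overview; the version table, by contrast, can be built from every message, and keying it by node ID avoids counting a bot twice when it checks in before and after an update.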

   