Over the last decade botnets survived by adopting a sequence of increasingly sophisticated strategies to evade detection and take overs, and to monetize their infrastructure. At the same time, the success of privacy infrastructures such as Tor opened the door to illegal activities, including botnets, ransomware, and a marketplace for drugs and contraband. We contend that the next waves of botnets will extensively attempt to subvert privacy infrastructure and cryptographic mechanisms. In this work we propose to preemptively investigate the design and mitigation of such botnets. We first, introduce OnionBots, what we believe will be the next generation of resilient, stealthy botnets. OnionBots use privacy infrastructures for cyber attacks by completely decoupling their operation from the infected host IP address and by carrying traffic that does not leak information about its source, destination, and nature. Such bots live symbiotically within the privacy infrastructures to evade detection, measurement, scale estimation, observation, and in general all IP-based current mitigation techniques. Furthermore, we show that with an adequate self-healing network maintenance scheme, that is simple to implement, OnionBots can achieve a low diameter and a low degree and be robust to partitioning under node deletions. We develop a mitigation technique, called SOAP, that neutralizes the nodes of the basic OnionBots. In light of the potential of such botnets, we believe that the research community should proactively develop detection and mitigation methods to thwart OnionBots, potentially making adjustments to privacy infrastructure.

1. OnionBots:
Subver0ng
Privacy
Infrastructure
for
Cyber
A:acks
Amirali
Sana0nia
Guevara
Noubir
College
of
Computer
and
Informa0on
Science
Northeastern
University,
Boston,
MA
1

2. Mo0va0on
• Abusing
privacy
infrastructure
– Tor
Hidden
Services
• Recent
examples
of
abuse
of
privacy
infrastructure
and
technology
– Silk
road,
cryptolocker,
Zeus
64,
Chewbacca
botnet
• Infected
devices
can
setup
a
botnet
through
Tor
Hidden
Services
– No
nodes
know
the
IP/loca0on
of
others
– C&C
can
be
anywhere
2

3. Outline
• Evolu0on
of
botnets
and
their
shortcomings
• Review
of
Tor
and
Hidden
Services
• OnionBots
– Life
Cycle
– C&C
Communica0on
– Dynamic
Distributed
Self
Repairing
(DDSR)
– Sybil
Onion
A:ack
Protocol
(SOAP)
3

4. Evolu0on
of
Botnets
• Popular
for
denial
of
service
a:acks,
spam,
click
frauds,
bitcoin
mining,
stealing
sensi0ve
informa0on,
and
other
malicious
ac0vi0es
• Communica0ons
between
botmaster
&
bots
(C&C)
– Centralized
-­‐>
P2P;
HTTP
or
IRC;
– Fast
Flux,
Double
Flux
to
randomize
the
IP
addresses
– Domain
Genera0on
Algorithms
(DGA)
• Various
technical
mi0ga0ons
– Limited
by
problems
of
jurisdic0on
4

5. Centralized
• Easy
to
build
and
maintain
• Single
point
of
failure
• Does
not
scale
• Easy
to
detect
and
mi0gate
• Analysis
of
traffic
• Clustering
of
the
hosts
5

6. Fast-­‐flux
• Mapping
numerous
IP
addresses
associated
with
a
single
fully
qualified
domain
name
(FQDN)
•
Single-­‐flux
– mul0ple
nodes
registering
and
de-­‐registering
as
the
DNS
A
record
• Double-­‐flux
– More
sophis0cated
– mul0ple
nodes
registering
and
de-­‐registering
as
the
DNS
Name
Server
(NS)
record
• Can
be
neutralized
by
taking
over
the
domain
6

7. DGA
• Periodically
genera0ng
domain
names,
used
as
rendezvous
point
• Once
a
sample
is
obtained
it
becomes
easier
to
block
• Conficker.a
and
.b
are
prime
examples
• E.g.,
zffezlkgfnox.net
• Can
be
blocked
using
pa:erns
in
the
domains
7

8. Tor
• Most
widely
used
anonymity-­‐network
• Based
on
onion
rou0ng
of
packets
• Hidden
services
(HS)
provides
anonymity
for
the
servers
• Silkroad
and
Cryptolocker
are
prime
examples
• It
is
possible
to
block
access
to
a
single
HS
with
sufficient
resources
8

9. Tor
Hidden
Services
9

10. Tor
Hidden
Services
10

11. OnionBot:
a
Crypto-­‐based
P2P
Botnet
• Typical
botnet
lifecycle
– Infec0on:
phishing,
spam,
remote
exploits,
drive-­‐by-­‐download
or
zero-­‐day
vulnerabili0es
– Rally
or
bootstrapping:
join
the
botnet
– Wait
for
commands
–
Execu0on
• OnionBot
key
features
– Similar
lifecycle
– Fully
decoupled
from
IP
addresses:
only
.onion
addresses
– Self-­‐healing
P2P
network
on
top
of
Tor
– Temporarily
knowledge
of
neighbors
.onion
addresses
– Indis0nguishable
traffic:
control,
data,
src/dst,
from
random
– Access
for
botmaster
from
any
bot
through
hidden
services
11

12. Botnet
as
a
Service
• Provide
a
stealthy
virtual
machine
– Time
limited
access
tokens
from
botmaster
– Accessible
though
HiddenServices
• Payment
with
Bitcoins
+
mixing
12

13. C&C
Communica0ons
in
OnionBot
• All
bots
know
OnionBot
master’s
public
key
• Communicate
through
flooding
over
P2P
net
• Unicast
communica0ons
are
indis0nguishable
from
random
noise
(Elligator
crypto
keys)
• Bots
periodically
change
their
.onion
address
• Bots
report
.onion
address
key-­‐seed
to
botmaster
13

14. Maintaining
the
OnionBot
Graph
• Dynamic
Distributed
Self
Repairing
(DDSR)
– Based
on
Neighbors
of
Neighbor
technique
+
pruning
+
forgemng
– When
a
node
is
deleted,
each
pair
of
its
neighbors
will
form
an
edge
– To
maintain
a
low
degree,
a
node
deletes
the
highest
degree
node
from
its
peer
list
– New
.onion
address
is
generated
based
on
a
secret
key
and
0me
14

15. Pruning
vs
No-­‐Pruning
15

16. DDSR
in
Ac0on
16

17. DDSR
Proper0es
• Low
diameter,
degree,
resiliency
to
nodes
dele0ons,
17

18. Targe0ng
OnionBots
• Denial
of
Service
a:ack
against
.onion
addresses
• Does
not
scale
• Needs
prior
knowledge
of
the
.onion
domains
• More
long
term
approaches:
– CAPTCHAs
– Thro:ling
entry
guards
– Reusing
failed
par0al
circuits
18

19. Sybil
Onion
A:ack
Protocol
(SOAP)
•
19

20. Conclusion
• Next
Genera0on
of
Botnets:
– Subvert
privacy
infrastructures
– Strong
cryptographic
blocks
– Resilient
and
dependable
network
forma0ons
and
maintenance
– Tor
for
hiding
the
traffic
– Bitcoin
for
anonymous
payments
20

21. 21

22. Interests
in
OnionBots
22