
Study of Peer-to-Peer Network Based Cybercrime Investigation PDF

144 Pages·2017·5.43 MB·English
by Mark Scanlon

Preview Study of Peer-to-Peer Network Based Cybercrime Investigation

Study of Peer-to-Peer Network Based Cybercrime Investigation: Application on Botnet Technologies

arXiv:1712.03455v1 [cs.CR] 10 Dec 2017

by Mark Scanlon, B.A. (Hons.), M.Sc.

A thesis submitted to University College Dublin for the degree of Ph.D. in the College of Science

October 2013

School of Computer Science and Informatics
Mr. John Dunnion, M.Sc. (Head of School)
Under the supervision of Prof. M-Tahar Kechadi, Ph.D.

DEDICATION

This thesis is dedicated to my wife, Joanne, who has supported, encouraged and motivated me throughout the last nine years and has been especially patient and thoughtful throughout my research. This thesis is also dedicated to my parents, Philomena and Larry Scanlon.

CONTENTS

Acknowledgements vii
List of Tables viii
List of Figures ix
List of Abbreviations xii
Abstract xvi
List of Publications xviii

1 Introduction 1
  1.1 Background 1
  1.2 Research Problem 2
  1.3 Contribution of this Work 4
  1.4 Limitations of this Work 5
  1.5 Structure of the Thesis 5

2 Digital Forensic Investigation; State of the art 7
  2.1 Introduction 7
  2.2 Computer Forensic Investigation 8
    2.2.1 Network Forensic Investigation 9
  2.3 Network Investigation Tools 10
    2.3.1 TCPDump/WinDump 10
    2.3.2 Ethereal 11
    2.3.3 Network Forensic Analysis Tools 12
    2.3.4 Security Incident and Event Manager Software 12
  2.4 Packet Inspection Hardware 12
  2.5 Evidence Storage Formats 13
    2.5.1 Common Digital Evidence Storage Format 14
    2.5.2 Raw Format 14
    2.5.3 Advanced Forensic Format 15
    2.5.4 Generic Forensic Zip 15
    2.5.5 Digital Evidence Bag (QinetiQ) 15
    2.5.6 Digital Evidence Bag (WetStone Technologies) 16
    2.5.7 EnCase Format 17
  2.6 Evidence Handling 17
    2.6.1 What does "Forensically Sound" really mean? 18
  2.7 Cryptographic Hash Functions 19
    2.7.1 Collision Resistance 20
    2.7.2 Avalanche Effect 21
    2.7.3 Overview of Common Hashing Algorithms 21
  2.8 Court Admissible Evidence 25
    2.8.1 Daubert Test 25
  2.9 Legal Considerations of Network Forensics 27
  2.10 Summary 28

3 Peer-to-Peer File-Sharing 29
  3.1 Introduction 29
    3.1.1 Financial Impact on Content Producing Industry 30
  3.2 Legislative Response to Online Piracy 31
  3.3 Peer-to-Peer File-sharing System Design 33
    3.3.1 Centralised Design 33
    3.3.2 Decentralised Design 35
    3.3.3 Hybrid Design 36
  3.4 Peer-to-Peer File-sharing Networks 38
    3.4.1 Napster 38
    3.4.2 Gnutella 39
    3.4.3 eDonkey 41
    3.4.4 BitTorrent 41
  3.5 Anti-Infringement Measures 45
    3.5.1 Attacks on Leechers 45
    3.5.2 Pollution 46
  3.6 Forensic Process/State of the Art 46
    3.6.1 Network Crawling 46
    3.6.2 Deep Packet Inspection 47
    3.6.3 Identifying Copyrighted Content 47
  3.7 Forensic Counter-measures 48
    3.7.1 Anonymous Proxies 48
    3.7.2 Encrypted Traffic 49
    3.7.3 IP Blocking 49
  3.8 Malware Risks on P2P Networks 49
  3.9 Summary and Discussion 51
    3.9.1 Weaknesses of Current Investigative Approaches 51

4 Botnet Investigation 52
  4.1 Introduction 52
  4.2 Botnet Architectures 54
    4.2.1 Client/Server Botnet Design 55
    4.2.2 P2P Design 59
    4.2.3 Hybrid Design 60
  4.3 Botnet Lifecycle 60
    4.3.1 Spreading and Infection Phase 63
    4.3.2 Secondary Code Injection Phase 64
    4.3.3 Command and Control Phase 65
    4.3.4 Attack Phase 66
    4.3.5 Update and Maintenance Phase 66
  4.4 Underground Economy 68
    4.4.1 Valuation 69
    4.4.2 Spamming 69
    4.4.3 Phishing 70
    4.4.4 Scamming the Scammers 71
  4.5 Botnet Powered Attacks 72
    4.5.1 Infection 73
    4.5.2 Distributed Denial of Service Attacks (DDoS) 74
    4.5.3 Espionage 76
    4.5.4 Proxies 76
    4.5.5 Clickthrough Fraud 76
    4.5.6 Cyber Warfare 77
  4.6 Existing Detection Methods 77
    4.6.1 Host Based Approach 80
    4.6.2 Hardware Based Approach 80
  4.7 Investigation Types 81
    4.7.1 Anatomy 81
    4.7.2 Wide-Area Measurement 81
    4.7.3 Takeover 82
    4.7.4 Investigation Obstacles 83
  4.8 Case Studies 84
    4.8.1 Nugache 84
    4.8.2 Storm 85
    4.8.3 Waledec 86
    4.8.4 Zeus 86
    4.8.5 Stuxnet 87
  4.9 Ethics of Botnet Mitigation/Takeover 88
  4.10 Summary and Discussion 89

5 Conclusion and Discussion 90
  5.1 Analysis of Outlined Approach 90
    5.1.1 Enhancements 91
  5.2 Further Ideas 91
    5.2.1 Bespoke Hardware Device 92
    5.2.2 P2P Audio/Video Reconstruction 92
    5.2.3 Usability Test 92
    5.2.4 NIST Computer Forensics Tool Testing 93
  5.3 Future Vision 93
    5.3.1 P2P in the Cloud 93
    5.3.2 Mobile P2P 94
  5.4 Conclusion 94

A Graphical Results 96

ACKNOWLEDGEMENTS

With no doubt, the work on this thesis has been the most challenging endeavour I have undertaken so far. I am thankful to my supervisor, Prof. M-Tahar Kechadi, for his guidance and encouragement. I would like to thank the staff and students in the School of Computer Science and Informatics, University College Dublin for providing me with the opportunity to learn, facilities to perform my research, and a motivating environment that carried me forward through my course work. My gratitude goes to my friends Alan Hannaway, Cormac Phelan, John-Michael Harkness, Michael Whelan, Alex Cronin, Pat Tobin, Jason Farina and Dr. Pavel Gladyshev for many interesting and developing discussions, presentations and collaborations. Many thanks to all my immediate friends for their constant encouragement and support.

This work was co-funded by the Irish Research Council (formerly the Irish Research Council for Science, Engineering and Technology) and Intel Ireland Ltd., through the Enterprise Partnership Scheme. Amazon Web Services also generously contributed to this research with grants funding the costs involved in experimentation conducted on their cloud infrastructure, including Elastic Compute Cloud (EC2) and Relational Database Service (RDS).

LIST OF TABLES

2.1 Example hash sums from popular hash functions 22
4.1 Comparison of Botnet Detection Techniques 80
4.2 Comparison of Botnet C&C Architectures 89

LIST OF FIGURES

2.1 Example Frame Capture of SSH Session Using WinDump. 11
2.2 Example Frame Capture of SSH Session Using Ethereal. 11
3.1 Centralised P2P system overview. 34
3.2 Decentralised P2P system overview. 36
3.3 Hybrid P2P system overview. 37
3.4 Screenshot of Napster. Downloads can be seen at the top, with uploads at the bottom. 38
3.5 Limewire Screenshot. 39
3.6 Gnutella Node Map. 40
3.7 Visualisation of a Typical BitTorrent Swarm 41
3.8 µTorrent Screenshot. 44
3.9 Flow accuracy results for P2P traffic as a function of the packet detection number 47
3.10 Kazaa end user licence agreement 50
4.1 Sample CAPTCHA from the reCAPTCHA online service and its automated book scanning source text 53
4.2 Simple Trojan Horse Architecture Controlling Multiple Computers 54
4.3 Subseven Control Panel 55
4.4 Command and Control Server Botnet Network Architecture 56
4.5 Evolution of botnet architecture to eliminate single point of failure 58


