Post on 16-Apr-2017
© 2012 JurInnov Ltd. All Rights Reserved.
Eradicate the Bots in the Belfry
Eric VanderburgJurInnov, Ltd.
October 26, 2012
Presentation Overview
• The Internet is always attacking you, but are you attacking the Internet?
• Botnet overview
• Defining the threat
• Command and Control servers
• Propagation
• Detection
• Prevention
• Response
Botnet Overview
• Bot
  – Program that performs automated tasks
  – Remote controlled
  – AKA: zombie or drone
• Botnet – collection of bots remotely controlled and working together to perform tasks
• Bot herd – a subset of the botnet that is allocated to an entity or project
• Bot herder – bot master
Threat defined
• Over 200 million bots worldwide
• 12% of bots active
• Half a million infected each day to maintain herd
• Botnets rented ($90/day, $15/hr DDoS bot)
Threat defined – What is done with botnets?
• DDoS
• Spam
• Distribute copyrighted material
• Data mining
• Hacking / Hacktivism
• Fraud
  – Click fraud
  – eBay feedback
  – Pump & Dump
• Covert communication
Criminal approach
• Data collection
  – Collect financial data (file scan, HTML injection)
  – Harvest usernames and passwords
• Monetization
  – Raid accounts
  – Fraud
• Laundering
  – Recruit money mules
  – Bounce money from account to account
History
1999 Pretty Park
• Used IRC for C&C & updates
• ICQ & email harvesting
• DoS
1999 SubSeven
• Used IRC for C&C
• Keylogger
• Admin shell access
2000 GTBot
• Bounce (relay) IRC traffic
• Port scan
• DDoS
• Delivery: email
2002 SDBot
• Keylogger
• Delivery: WebDAV and MSSQL vulnerabilities, DameWare remote management software, password guessing on common MS ports & common backdoors
2002 AgoBot
• Modular design
• DDoS
• Hides with rootkit tech
• Turns off antivirus
• Modifies hosts file
• Delivery: P2P (Kazaa, Grokster, BearShare, Limewire)
2003 SpyBot
• Builds on SDBot
• Customizable to avoid detection
• DDoS, keylogger, web form collection, clipboard logging, webcam capture
• Delivery: SDBot + P2P
2003 RBot
• Encrypts itself
• Admin shell access
2004 PolyBot
• Builds on AgoBot
• Polymorphs through encrypted encapsulation
2005 MyTob
• DDoS, keylogger, web form collection, webcam capture
• Delivery: email spam using MyDoom w/ own SMTP server
2006 Rustock
• Spam, DDoS
• Uses rootkit to hide
• Encrypts spam in TLS
• Robust C&C network (over 2500 domains)
• Delivery: email
2007 Storm
• Spam
• Dynamic fast flux C&C DNS
• Malware re-encoded twice/hr
• Defends itself with DDoS
• Sold and “licensed”
• Delivery: email enticement for free music
2007 Zeus
• Phishing w/ customizable data collection methods
• Web based C&C
• Stealthy and difficult to detect
• Sold and “licensed” to hackers for data theft
• Delivery: phishing, social networking
2007 Cutwail
• Spam, DDoS
• Harvests email addresses
• Rootkit
• Delivery: email
2008 Mariposa (Butterfly)
• Rented botnet space for spam, DDoS, and theft of personal information
• Delivery: MSN, P2P, USB
2008 TDSS
• Sets up a proxy that is rented to others for anonymous web access
• Delivery: Trojan embedded in software
2009 Koobface
• Installs pay-per-install malware
• Delivery: social networking
Customizing a bot with AgoBot GUI
Example of AgoBot GUI to customize the bot
Life Cycle
• Exploit
  – Malicious code
  – Unpatched vulnerabilities
  – Trojan
  – Password guessing
  – Phish
• Rally – reporting in
  – Log into designated IRC channel and PM master
  – Make connection to HTTP server
  – Post data to FTP or HTTP form
Life cycle diagram: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up
Life Cycle
• Preserve
  – Alter A/V DLLs
  – Modify hosts file to prevent A/V updates
  – Remove default shares (IPC$, ADMIN$, C$)
  – Rootkit
  – Encrypt
  – Polymorph
  – Retrieve anti-A/V module
  – Turn off A/V or firewall services
  – Kill A/V, firewall or debugging processes
Example AgoBot preserve section (kills A/V processes):
  <preserve>
    <pctrl.kill "Mcdetect.exe"/>
    <pctrl.kill "avgupsvc.exe"/>
    <pctrl.kill "avgamsvr.exe"/>
    <pctrl.kill "ccapp.exe"/>
  </preserve>
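The preserve step is where a bot kills the security tooling on the host. As an added example that is not part of the original deck, the following Python pulls the kill list out of an AgoBot-style preserve block and then checks a constructed endpoint process-event log for watch-listed processes that died and were not restarted, flagging hosts where several died within seconds of each other. The log format, host names and timestamps are invented for the example; only the four process names come from the slide.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed copy of the AgoBot-style <preserve> block shown on the slide. It is
# not well-formed XML (<pctrl.kill "name"/> carries a bare quoted value), so a
# small regex is used instead of an XML parser.
PRESERVE_CONFIG = """<preserve>
  <pctrl.kill "Mcdetect.exe"/>
  < pctrl.kill "avgupsvc.exe"/>
  <pctrl.kill "avgamsvr.exe"/>
  <pctrl.kill "ccapp.exe"/>
</preserve>"""

# Tolerates stray whitespace after '<', as in the slide's rendering.
KILL_RE = re.compile(r'<\s*pctrl\.kill\s+"([^"]+)"\s*/>')


def kill_targets(config):
    """Process names a <preserve> section tries to kill, lower-cased, in order."""
    return [m.group(1).lower() for m in KILL_RE.finditer(config)]


# Constructed endpoint event lines (hypothetical format):
# "<ISO timestamp> <host> <ProcessCreate|ProcessTerminate> <image>"
SAMPLE_LOG = """\
2012-10-26T09:14:58 WS12 ProcessCreate avgamsvr.exe
2012-10-26T09:15:02 WS12 ProcessTerminate avgamsvr.exe
2012-10-26T09:15:02 WS12 ProcessTerminate avgupsvc.exe
2012-10-26T09:15:03 WS12 ProcessTerminate ccapp.exe
2012-10-26T09:20:00 WS07 ProcessTerminate avgamsvr.exe
2012-10-26T09:20:04 WS07 ProcessCreate avgamsvr.exe
2012-10-26T09:31:10 WS03 ProcessTerminate notepad.exe
"""

Event = namedtuple("Event", "ts host kind image")


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, kind, image = line.split()
            events.append(Event(datetime.fromisoformat(ts), host, kind, image.lower()))
    return events


def protected_kills(events, watchlist, restart_grace=30):
    """Terminations of watch-listed processes that were NOT restarted on the same
    host within restart_grace seconds. A product updating itself restarts quickly;
    a bot's preserve step leaves the process dead."""
    watch = set(watchlist)
    alerts = []
    for ev in events:
        if ev.kind != "ProcessTerminate" or ev.image not in watch:
            continue
        restarted = any(
            o.kind == "ProcessCreate" and o.host == ev.host and o.image == ev.image
            and ev.ts < o.ts <= ev.ts + timedelta(seconds=restart_grace)
            for o in events
        )
        if not restarted:
            alerts.append((ev.host, ev.image, ev.ts))
    return alerts


def burst_hosts(alerts, window=10, min_kills=2):
    """Hosts where at least min_kills protected processes died within window seconds:
    several security tools dying at once is the signature of an anti-A/V routine,
    not of a single crash."""
    by_host = {}
    for host, _, ts in alerts:
        by_host.setdefault(host, []).append(ts)
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= timedelta(seconds=window):
                j += 1
            if j - i + 1 >= min_kills:
                flagged.add(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    targets = kill_targets(PRESERVE_CONFIG)
    kills = protected_kills(parse_log(SAMPLE_LOG), targets)
    for host, image, ts in kills:
        print(f"{ts} {host}: protected process {image} terminated and not restarted")
    print("hosts with burst kills:", burst_hosts(kills))
```

On the sample data WS07 is not alerted because its A/V service came back within the grace period, which is what a legitimate update looks like; WS12 loses three protected processes in two seconds and is flagged.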
Life Cycle
AgoBot host control commands

Command               Description
harvest.cdkeys        Return a list of CD keys
harvest.emails        Return a list of emails
harvest.emailshttp    Return a list of emails via HTTP
harvest.aol           Return a list of AOL specific information
harvest.registry      Return registry information for a specific registry path
harvest.windowskeys   Return Windows registry information
pctrl.list            Return list of all processes
pctrl.kill            Kill specified processes set from a service file
pctrl.listsvc         Return a list of all services that are running
pctrl.killsvc         Delete/stop a specified service
pctrl.killpid         Kill specified process
inst.asadd            Add an autostart entry
inst.asdel            Delete an autostart entry
inst.svcadd           Add a service to SCM
inst.svcdel           Delete a service from SCM
Life Cycle
• Inventory – determine capabilities such as RAM, HDD, processor, bandwidth, and pre-installed tools
• Await instructions from C&C server
• Update
  – Download payload/exploit
  – Update C&C lists
Life Cycle
• Execute commands
  – DDoS
  – Spam
  – Harvest emails
  – Keylog
  – Screen capture
  – Webcam stream
  – Steal data
• Report back to C&C server
• Clean up – erase evidence
Propagation
• Scan for Windows shares and guess passwords ($PRINT, C$, D$, E$, ADMIN$, IPC$)
  – Find usernames, guess passwords from list
  – Remember to use strong passwords
Agobot propagation functions
Propagation
• Use backdoors from common trojans
• P2P – makes files available with enticing names hoping to be downloaded. File names consist of celebrity or model names, games, and popular applications
• Social networking – Facebook posts or messages that provide a link (Koobface worm)
Propagation
• SPIM
  – Message contact list
  – Send friend requests to contacts from email lists or harvested IM contacts from the Internet
• Email
  – Harvests email addresses from ASCII files such as html, php, asp, txt and csv
  – Uses own SMTP engine and guesses the mail server by putting mx, mail, smtp, mx1, mail1, relay or ns in front of the domain name
Command and Control
• C&C or C2
• Networked with redundancy
• Dynamic DNS with short TTL for C&C IP (weakness is the DNS, not the C&C server)
• Daily rotating encrypted C&C hostnames
• Alternate control channels
• Average lifespan: 2 months
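Short-TTL, rotating C&C DNS is the pattern the bullets above describe, and the DNS log is where it shows. The Python below is an added example, not from the deck: it profiles constructed DNS response records per domain and flags those that combine a short TTL with many answers spread across several networks. The domain names, the record format and the addresses (documentation ranges) are invented for the example.

```python
from ipaddress import ip_network

# Constructed DNS response records (documentation address ranges):
# "<timestamp> <qname> <ttl_seconds> <A record>"
DNS_LOG = """\
2012-10-26T08:00:01 update.example-cnc.net 60 203.0.113.10
2012-10-26T08:01:05 update.example-cnc.net 60 198.51.100.77
2012-10-26T08:02:10 update.example-cnc.net 60 192.0.2.45
2012-10-26T08:03:12 update.example-cnc.net 60 203.0.113.200
2012-10-26T08:04:20 update.example-cnc.net 60 198.51.100.9
2012-10-26T08:00:03 www.example-corp.com 3600 192.0.2.80
2012-10-26T08:30:03 www.example-corp.com 3600 192.0.2.80
2012-10-26T08:00:05 cdn.example-static.com 120 192.0.2.21
2012-10-26T08:05:05 cdn.example-static.com 120 192.0.2.22
2012-10-26T08:10:05 cdn.example-static.com 120 192.0.2.21
"""


def parse_dns(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, qname, ttl, ip = line.split()
            records.append((ts, qname.lower(), int(ttl), ip))
    return records


def domain_profiles(records):
    """Per domain: lowest TTL served, distinct A records, distinct /24 networks."""
    prof = {}
    for _, qname, ttl, ip in records:
        p = prof.setdefault(qname, {"min_ttl": ttl, "ips": set(), "nets": set()})
        p["min_ttl"] = min(p["min_ttl"], ttl)
        p["ips"].add(ip)
        p["nets"].add(str(ip_network(ip + "/24", strict=False)))
    return prof


def fast_flux_candidates(records, max_ttl=300, min_ips=4, min_nets=2):
    """Domains whose answers expire fast AND rotate through many addresses spread
    over several networks. Short TTL alone is a weak signal because CDNs and load
    balancers use it too; the address-diversity tests are what separate them."""
    prof = domain_profiles(records)
    return sorted(
        q for q, p in prof.items()
        if p["min_ttl"] <= max_ttl and len(p["ips"]) >= min_ips and len(p["nets"]) >= min_nets
    )


if __name__ == "__main__":
    recs = parse_dns(DNS_LOG)
    for q in fast_flux_candidates(recs):
        p = domain_profiles(recs)[q]
        print(f"{q}: ttl={p['min_ttl']}s ips={len(p['ips'])} nets={len(p['nets'])}")
```

The CDN-style domain in the sample also has a short TTL but only alternates between two neighbouring addresses, so it is not reported unless the thresholds are lowered; that is the caveat behind the slide's "weakness is the DNS" point: low TTL is where to look, not proof by itself.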
Command and Control
• IRC
• Peer-to-peer – programming can be sent from any peer and discovery is possible from any peer, so the network cannot be disrupted simply by taking out a single C&C server.
• Social networking
• Instant messaging
Command and Control
• Web or FTP server
  – Instructions in a file users download
  – Bots report in and the hacker uses the connection log to know which ones are live
  – Bots tracked in URL data
  – Commands sent via pull instead of push
    • No constant connection
    • Check-in might match a signature
  – Better scalability – a web server can handle more connections than IRC
  – Port 80 not blocked and not unusual activity
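A pull-style web C&C means the bot checks in on a timer over port 80 with no persistent connection, which is exactly what a proxy log can reveal. As an added example rather than anything from the deck, this Python looks for that timer in a constructed proxy log: (client, server) pairs whose request gaps are nearly constant, with a note of whether every request hit one URL (the "bots tracked in URL data" point). The log format, addresses and URLs are invented for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed web proxy log (hypothetical format):
# "<timestamp> <client> <server> <method> <url> <status> <bytes>"
# 10.0.5.14 pulls the same URL every ~5 minutes; the last reply is larger (a new command).
# 10.0.5.22 is a person browsing: irregular gaps, different URLs.
PROXY_LOG = """\
2012-10-26T10:00:00 10.0.5.14 203.0.113.50 GET /checkin?id=7f3a 200 312
2012-10-26T10:05:01 10.0.5.14 203.0.113.50 GET /checkin?id=7f3a 200 312
2012-10-26T10:10:00 10.0.5.14 203.0.113.50 GET /checkin?id=7f3a 200 298
2012-10-26T10:14:59 10.0.5.14 203.0.113.50 GET /checkin?id=7f3a 200 312
2012-10-26T10:20:01 10.0.5.14 203.0.113.50 GET /checkin?id=7f3a 200 312
2012-10-26T10:25:00 10.0.5.14 203.0.113.50 GET /checkin?id=7f3a 200 1540
2012-10-26T10:00:12 10.0.5.22 192.0.2.80 GET /index.html 200 8123
2012-10-26T10:00:40 10.0.5.22 192.0.2.80 GET /news/1 200 5120
2012-10-26T10:07:03 10.0.5.22 192.0.2.80 GET /about 200 2210
2012-10-26T10:31:45 10.0.5.22 192.0.2.80 GET /news/2 200 6000
2012-10-26T10:42:10 10.0.5.22 192.0.2.80 GET /contact 200 1900
2012-10-26T10:55:00 10.0.5.22 192.0.2.80 GET /news/3 200 5400
"""


def parse_proxy(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, server, _method, url, _status, _size = line.split()
            rows.append((datetime.fromisoformat(ts), client, server, url))
    return rows


def beacon_candidates(rows, min_requests=6, max_cv=0.15):
    """(client, server) pairs whose requests recur at a near-constant period.
    Regularity is measured as the coefficient of variation of the gaps between
    requests: human browsing is bursty and scores high, a timer-driven check-in
    scores near zero. same_url records whether every request hit one URL, which
    is typical when the bot identifies itself in the query string."""
    by_pair = defaultdict(list)
    for ts, client, server, url in rows:
        by_pair[(client, server)].append((ts, url))
    found = []
    for (client, server), reqs in sorted(by_pair.items()):
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            found.append({
                "client": client, "server": server,
                "period_s": round(avg, 1), "cv": round(cv, 3),
                "same_url": len({u for _, u in reqs}) == 1,
            })
    return found


if __name__ == "__main__":
    for hit in beacon_candidates(parse_proxy(PROXY_LOG)):
        print(hit)
```

Software updaters and monitoring agents also poll on timers, so in practice the output is compared against the documented baseline of known destinations before anyone is paged.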
Trends
• Hackers
  – Mostly about money instead of notoriety (hacktivism excluded)
  – Staying under the radar
    • Smaller herds
    • Fewer propagation methods
    • Web based C&C
• Government and terrorist
  – Aimed at taking down critical services or disrupting business
Detecting bots
• Monitor port statistics on network equipment and alert when machines utilize more than average
  – Gather with SNMP, NetFlow, or first-stage probes (sniffers) attached to mirrored ports on switches
• Firewall statistics
• IPS/IDS reports
Baseline
• Document
  – Network schematic
  – Server roles
• Destination IP addresses
• Ports
• Protocols
• Volume of data and directionality
Quick and Fast Rules
• Compromised hosts generally send out more information
• Patterns (sending perspective)
  – Many-to-one – DDoS, syslog, data repository, email server
  – One-to-many – web server, email server, SPAM bot, warez, port scanning
  – Many-to-many – P2P, virus infection
  – One-to-one – normal communication, targeted attack
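Here is an added example (not from the deck) that applies these sending-pattern rules together with the documented baseline from the Baseline slide and the propagation slide's point that spam bots run their own SMTP engine. It is run over constructed flow records of the kind NetFlow or a port mirror would yield. The internal range, server roles, baseline byte counts and flow tuples are all invented for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # constructed: the monitored site

# Constructed baseline, the kind the "Baseline" slide asks you to document:
# server roles and typical outbound bytes per host in a one-hour window.
ROLES = {"10.0.1.5": "mail", "10.0.1.8": "web"}
BASELINE_OUT_BYTES = {"10.0.1.5": 50_000_000, "10.0.1.8": 80_000_000, "default": 5_000_000}

# Constructed one-hour flow records: (src, dst, dport, proto, bytes)
FLOWS = [("10.0.5.14", f"203.0.113.{i}", 25, "tcp", 4000 + i) for i in range(1, 13)]  # workstation -> 12 mail hosts
FLOWS += [("10.0.1.5", f"198.51.100.{i}", 25, "tcp", 30_000) for i in range(1, 4)]    # mail server doing its job
FLOWS += [("10.0.5.22", "192.0.2.80", 443, "tcp", 120_000), ("10.0.5.22", "192.0.2.81", 443, "tcp", 80_000)]
FLOWS += [("10.0.5.30", "192.0.2.99", 443, "tcp", 40_000_000)]                        # 40 MB out of a workstation
FLOWS += [(f"203.0.113.{i}", "10.0.1.8", 80, "tcp", 1500) for i in range(50, 70)]    # 20 clients -> web server


def host_stats(flows):
    """Per internal host: distinct external peers it sends to (fan-out) and
    receives from (fan-in), outbound byte total, outbound destination ports."""
    stats = defaultdict(lambda: {"out_peers": set(), "in_peers": set(), "out_bytes": 0, "out_ports": set()})
    for src, dst, dport, _proto, nbytes in flows:
        src_in, dst_in = ip_address(src) in INTERNAL, ip_address(dst) in INTERNAL
        if src_in and not dst_in:
            st = stats[src]
            st["out_peers"].add(dst)
            st["out_bytes"] += nbytes
            st["out_ports"].add(dport)
        elif dst_in and not src_in:
            stats[dst]["in_peers"].add(src)
    return stats


def classify(flows, fan_threshold=10, volume_factor=3):
    """Apply the slide's sending-pattern rules against the documented roles.
    A pattern that is normal for a server role (many-to-one at the web server,
    port 25 from the mail server) is not a finding. Returns (host, finding, detail)."""
    findings = []
    for host, st in host_stats(flows).items():
        role = ROLES.get(host, "workstation")
        base = BASELINE_OUT_BYTES.get(host, BASELINE_OUT_BYTES["default"])
        if role == "workstation" and len(st["out_peers"]) >= fan_threshold:
            findings.append((host, "one-to-many", f"{len(st['out_peers'])} external peers (spam bot / scanner pattern)"))
        if role == "workstation" and len(st["in_peers"]) >= fan_threshold:
            findings.append((host, "many-to-one", f"{len(st['in_peers'])} external sources (DDoS target / drop site pattern)"))
        if 25 in st["out_ports"] and role != "mail":
            findings.append((host, "direct-smtp", "outbound port 25 from a non-mail host (bot with its own SMTP engine)"))
        if st["out_bytes"] > volume_factor * base:
            findings.append((host, "volume", f"{st['out_bytes']} bytes out, baseline {base}"))
    return sorted(findings)


if __name__ == "__main__":
    for host, kind, detail in classify(FLOWS):
        print(f"{host:12} {kind:12} {detail}")
```

The same rules without the role table would page on the web server every hour; documenting roles first is what turns "more than average" into a usable alert.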
Wireshark
Screenshot of the Wireshark window showing its three panes: packet list, packet details, packet bytes
Wireshark
• Filtering
  – Frame contains “search term”
• Flow – sequence of packets comprising a single communication segment
  – Ex: connection, negotiation, file request, file delivery, checksum, acknowledgment, termination
  – Flow record – subset of information from a flow such as source and destination IP, protocol, date or time
NetworkMiner
• Traffic analysis tool
• Graphical breakdown of…
  – Hosts
  – Images
  – Files
  – Email
  – DNS
  – Sessions
Detecting bots
• Real time NetFlow analyzer – SolarWinds free NetFlow tool
• Small Operation Center or MRTG – free SNMP/syslog server with dashboard
• Rootkit tools: RootkitRevealer, GMER
• Event log monitoring – Zenoss, AlienVault, Nagios, Splunk, Graylog
Event Logging
• Placement
  – Perimeter
  – VLAN or workgroup
  – Wireless
  – Choke points – maximize collection capacity within budget and ability to process and analyze
  – Minimize duplication
  – Sync time
  – Normalize
  – Secure collector transmission pathways
Detecting bots - Darknet
• Network telescope (darknet) – collector on an unused network address space that monitors whatever it receives but does not communicate back.
• Most traffic it receives is illegitimate and it can find random scanning worms and internet backscatter (unsolicited commercial or network control messages).
• How to set up a darknet http://www.team-cymru.org/Services/darknets.html
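As an added example, not from the deck, the Python below does the first analysis a darknet collector needs: it summarises what each external source sent into a constructed unused range and separates horizontal scanning, vertical scanning and backscatter, using the fact that nothing inside a network telescope ever initiates a connection. The address range, packet tuples and thresholds are invented for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

DARKNET = ip_network("10.250.0.0/16")   # constructed: an unused range, nothing answers here

# Constructed packets seen by the collector: (src, dst, dport, tcp_flags)
# "S" = SYN, "SA" = SYN-ACK, "R" = RST. Nothing inside the darknet ever sends.
PACKETS = [("203.0.113.5", f"10.250.{i}.7", 445, "S") for i in range(1, 31)]          # one port, many hosts
PACKETS += [("198.51.100.9", "10.250.3.3", p, "S")
            for p in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389)]       # many ports, one host
PACKETS += [("192.0.2.40", f"10.250.{i}.{i}", 80, "SA") for i in range(1, 16)]       # replies to SYNs we never sent
PACKETS += [("192.0.2.41", "10.250.9.9", 53, "R") for _ in range(3)]
PACKETS += [("192.0.2.77", "10.1.2.3", 80, "S")]                                      # not in the darknet: ignored


def source_summary(packets):
    """Per source address: distinct darknet hosts and ports targeted, and the
    set of TCP flag combinations used. Packets outside the darknet are dropped."""
    summary = defaultdict(lambda: {"hosts": set(), "ports": set(), "flags": set()})
    for src, dst, dport, flags in packets:
        if ip_address(dst) not in DARKNET:
            continue
        s = summary[src]
        s["hosts"].add(dst)
        s["ports"].add(dport)
        s["flags"].add(flags)
    return summary


def classify_sources(packets, min_hosts=10, min_ports=5):
    """Label each source. Backscatter is identified by packet type, not volume:
    SYN-ACK or RST arriving unsolicited means a victim elsewhere is answering a
    flood that forged our addresses. Scanners send SYNs, spread either across
    hosts (horizontal) or across ports on one host (vertical)."""
    labels = {}
    for src, s in source_summary(packets).items():
        if s["flags"] <= {"SA", "R"}:
            labels[src] = "backscatter"
        elif len(s["hosts"]) >= min_hosts:
            labels[src] = "horizontal-scan"
        elif len(s["ports"]) >= min_ports:
            labels[src] = "vertical-scan"
        else:
            labels[src] = "other"
    return labels


if __name__ == "__main__":
    for src, label in classify_sources(PACKETS).items():
        print(f"{src:14} {label}")
```

A source labelled horizontal-scan on a worm-era port such as 445 is the "random scanning worm" case from the slide; the backscatter sources are not attacking you at all, which is why the two are kept apart before any blocking decision.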
Detecting C&C
• Ourmon (Linux/FreeBSD tool) – detects network anomalies and correlates them with IRC channel traffic
• Stats generated every 30 sec
• Application layer analytics
• Claims from ourmon.sourceforge.net/
  – Monitor TCP (syndump) and UDP (udpreport) flows
  – Log all DNS query responses network wide
  – Measure basic network traffic statistically
  – Catch "unexpected" mail relays
  – Catch botnets
  – Spot infections with random "zero-day" malware
  – Spot attacks from the inside or outside
  – See what protocols are taking up the most bandwidth
Detection – A/V and Anti-malware
• AVG (Grisoft) – free for home use
• Ad-Aware (Lavasoft) – free
• Repelit (itSoftware)
• McAfee
• Microsoft Security Essentials (free up to 10 PCs)
• Symantec
• Spybot Search & Destroy – free
Prevention – Vulnerability scanning
• Vulnerability scanning – scan and fix vulnerabilities found. Identify and protect machines that could be potential bots.
  – Nexpose
    • Free for up to 32 IPs
  – OpenVAS (Open Vulnerability Assessment System)
    • Linux
    • VM available (resource intensive)
  – Greenbone Desktop Suite (uses OpenVAS)
    • Windows XP/Vista/7
  – MBSA (Microsoft Baseline Security Analyzer)
  – Secunia PSI (local Windows machine scanning only)
Prevention
• Firewall
• IPS/IDS
• Web filtering
• SPAM filtering (incoming & outgoing)
• Disable VPN split tunnel
SIEM
• Security Information and Event Management
  – Log aggregation
  – Correlation
  – Normalization
  – Alerting
  – Dashboards
  – Views
  – Compliance reports
  – Retention
Prevention
• Read only virtual desktops
• Software
  – Software restrictions and auditing
  – Sandbox software before deployment
• Patch management
• NAC (Network Access Control) – A/V & patches
Response
• Incident response
  – Determine scope
  – Determine if it constitutes a breach and therefore notification
  – Analyze – is any evidence needed?
  – Clean the device
• After-action review
  – Define improvement actions
  – Assign responsibilities for actions
  – Follow-up
Thanks
Enjoy the summit
Acknowledgements:
• Bot command tables obtained from “An Inside Look at Botnets” by Vinod Yegneswaran
• The programs depicted in this presentation are owned by their respective authors