Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg

Eradicate the Bots in the
Belfry
Eric Vanderburg
JurInnov, Ltd.
October 26, 2012

© 2012 JurInnov Ltd. All Rights Reserved.

Presentation Overview
• The Internet is always attacking you but are you
attacking the Internet?
• Botnet overview
• Defining the threat
• Command and Control servers
• Propagation
• Detection
• Prevention
• Response
1

Botnet Overview
• Bot
– Program that performs automated tasks
– Remote controlled
– AKA: zombie or drone

• Botnet – collection of bots remotely controlled
and working together to perform tasks
• Bot herd – a subset of the botnet that is allocated
to an entity or project
• Bot herder – bot master
2

Threat defined
•
•
•
•

Over 200 million bots worldwide
12% of bots active
Half a million infected each day to maintain herd
Botnets rented: ($90/day, $15/hr DDoS bot)

3

Threat defined – What is done with botnets?
•
•
•
•
•
•

DDoS
Spam
Distribute copyrighted material
Data mining
Hacking /Hacktivism
Fraud
– Click fraud
– Ebay feedback
– Pump & Dump

• Covert communication
4

Criminal approach
• Data collection
– Collect financial data (file scan, HTML injection)
– Harvest usernames and passwords

• Monetization
– Raid accounts
– Fraud

• Laundering
– Recruit money mules
– Bounce money from account to account
5

2007
Zeus
• Phishing w/ customizable data
2007
collection Cutwail
methods
• 2008 DDoS
Spam, C&C
• Web based Mariposa (Butterfly)
2003
RBot
1999
Pretty Park
• • Harvests email addresses
Rented TDSS
• Stealthy and difficultspace for spam,
2008 botnet to detect
• Encrypts
• Used IRC for C&C & updates itself
• Rootkit
2004
PolyBot
• Sold andSets andatheft hackers rented
“licensed” to of personal
•DDoS, up proxy that is
1999& email harvesting
SubSevenAdmin shell access
•
• ICQ
• data theft Email
Delivery:
for information anonymous web
to other for
Used IRC GTBot • Builds on AgoBot
for C&C
2005
MyTob
2000
• •DoS
•
Polymorphs through encrypted Delivery:
• • Bounce (relay)• IRC traffic Keylogger, • Delivery:access MSN, P2P, USB
Keylogger
• DDoS,
web form Phishing, Social
Networking
•
• • Portshell access encapsulation webcam capture Delivery: Trojan embedded
Admin scan
collection,
• Delivery: email spam using in software
• DDoS
MyDoom w/ own SMTP server
• Delivery: email

History

1999 2000

2002

2003

2004

2005

2006

2007

2008

2009

2002
SDBot
2009
Koobface
2006
Rustock
• Keylogger
2002
AgoBot
•
• 2007 DDoS Installs pay-per-install
Spam, Storm
• Delivery: WebDav and
• Modular design
• •Uses rootkit tomalware
hide
MSSQL vulnerabilities,
Spam • Delivery: Social Networking
2003
SpyBot
• DDoS
• Encrypts spam in TLS
DameWare remote mgmt
Dynamic
• • Builds on SDBot
Hides with rootkit tech • •Robust C&C fast flux C&C DNS
network (over
software, password guessing detection
• Malware re-encoded twice/hr
• • Customizable to avoid
Turns off antivirus
on common MS ports & web form Defends itself with DDoS
•2500 domains)
• • DDoS,host file
Modifies Keylogger,
• •Delivery: email
common backdoors
collection, (Kazaa, Grokster,
• Delivery: P2P clipboard logging, Sold and “licensed”
• Delivery: Email enticement for
webcam capture
BearShare, Limewire)
free music
• Delivery: SDBot + P2P

6

Customizing a bot with AgoBot GUI

Example of AgoBot GUI to customize the bot

Life Cycle
Exploit

Rally

Preserve

Inventory

Await
instructions

Update

Execute

Report

• Exploit
–
–
–
–
–

Malicious code
Unpatched vulnerabilities
Trojan
Password guessing
Phish

• Rally - Reporting in
– Log into designated IRC channel and PM master
– Make connection to http server
– Post data to FTP or http form
8

Clean
up

Life Cycle
Exploit

Rally

Preserve

Inventory

Await
instructions

Update

Execute

Report

Clean
up

• Preserve
– Alter A/V dll’s
<preserve>
<pctrl.kill “Mcdetect.exe”/>
– Modify Hosts file to prevent A/V
< pctrl.kill “avgupsvc.exe”/>
updates
< pctrl.kill “avgamsvr.exe”/>
– Remove default shares (IPC$,
< pctrl.kill “ccapp.exe”/>
ADMIN$, C$)
</preserve>
– Rootkit
– Encrypt
– Polymorph
– Retrieve Anti-A/V module
– Turn off A/V or firewall services
– Kill A/V, firewall or debugging processes

9

Life Cycle
Exploit

Rally

Preserve

Inventory

Await
instructions

Update

Execute

Agobot host control commands
Command
harvest.cdkeys
harvest.emails
harvest.emailshttp
harvest.aol
harvest.registry
harvest.windowskeys
pctrl.list
pctrl.kill
pctrl.listsvc
pctrl.killsvc
pctrl.killpid
inst.asadd
inst.asdel
inst.svcadd
inst.svcdel

Description
Return a lsit of CD keys
Return a list of emails
Return a list of emails via HTTP
Return a list of AOL specific information
Return registry information for a specific registry path
Return Windows registry information
Return list of all processes
Kill specified processes set from a service file
Return a list of all services that are running
Delete/stop a specified service
Kill specified process
Add an autostart entry
Delete an autostart entry
Adds a service to SCM
Delete a service from SCM

10

Report

Clean
up

Life Cycle
Exploit

Rally

Preserve

Inventory

Await
instructions

Update

Execute

Report

Clean
up

• Inventory
– determine capabilities such as RAM, HDD, Processor,
Bandwidth, and pre-installed tools

• Await instructions from C&C server
• Update
– Download payload/exploit
– Update C&C lists

11

Life Cycle
Exploit

Rally

Preserve

Inventory

Await
instructions

Update

• Execute commands
–
–
–
–
–
–
–

DDoS
Spam
Harvest emails
Keylog
Screen capture
Webcam stream
Steal data

• Report back to C&C server
• Clean up - Erase evidence
12

Execute

Report

Clean
up

Propagation
• Scan for windows shares and guess passwords
($PRINT, C$, D$, E$, ADMIN$, IPC$) – find
usernames, guess passwords from list
– Remember to use strong passwords
Agobot propagation functions

13

Propagation
• Use backdoors from common trojans
• P2P – makes files available with enticing names
hoping to be downloaded. File names consist of
celebrity or model names, games, and popular
applications
• Social networking – Facebook posts or messages
that provides a link (Koobface worm)

14

Propagation
• SPIM
– Message contact list
– Send friend requests to contacts from email lists or
harvested IM contacts from the Internet

• Email
– Harvests email addresses from ASCII files such as
html, php, asp, txt and csv
– uses own SMTP engine and guesses the mail server by
putting mx, mail, smpt, mx1, mail1, relay or ns in
front of the domain name.
15

Command and Control
• C&C or C2
• Networked with redundancy
• Dynamic DNS with short TTL for C&C IP
(weakness is the DNS, not the C&C server)
• Daily rotating encrypted C&C hostnames
• Alternate control channels
• Average lifespan: 2 months

16

Command and Control
• IRC
• Peer-to-peer – programming can be sent from
any peer and discovery is possible from any peer
so the network can be disrupted without the C&C
server.
• Social networking
• Instant Messaging

17

Command and Control
• Web or FTP server
– Instructions in a file users download
– Bots report in and hacker uses connection log to know
which ones are live
– Bots tracked in URL data
– Commands sent via pull instead of push
• No constant connection
• Check-in might match signature

– Better scalability – web server can handle more
connections than IRC
– Port 80 not blocked and not unusual activity
18

Trends
• Hackers
– Mostly about money instead of notoriety (hacktivism
excluded)
– Staying under the radar
• Smaller herds
• Fewer propagation methods
• Web based C&C

• Government and Terrorist
– Aimed at taking down critical services or disrupting
business
19

Detecting bots
• Monitor port statistics on network equipment
and alert when machines utilize more than
average
– Gather with SNMP, netflow, or first stage probes
(sniffers) attached to port mirrored ports on switches.

• Firewall statistics
• IPS/IDS reports

20

Baseline
• Document
– Network Schematic
– Server roles

•
•
•
•

Destination IP addresses
Ports
Protocols
Volume of data and directionality

21

Quick and Fast Rules
• Compromised hosts generally send out more
information
• Patterns (sending perspective)
– Many-to-one – DDoS, Syslog, data repository, email
server
– One-to-many – web server, email server, SPAM
bot, warez, port scanning
– Many-to-many – P2P, virus infection
– One-to-one – normal communication, targeted attack
22

Wireshark

Packet list 

Packet details 
Packet bytes 
23

Wireshark
• Filtering
– Frame contains “search term”

• Flow – sequence of packets comprising a single
communication segment.
– EX: Connection, Negotiation, File Request, File
delivery, checksum, acknowledgment, termination
– Flow record – subset of information from a flow such
as source and destination IP, protocol, date or time

24

Networkminer
• Traffic analysis tool
• Graphical breakdown of…
–
–
–
–
–
–

Hosts
Images
Files
Email
DNS
Sessions

25

Detecting bots
• Real time netflow analyzer- Solarwinds free
netflow tool
• Small Operation Center or MRTG – free
SNMP/syslog server with dashboard
• Rootkit tools: Rootkit Revealer, GMER
• Event log monitoring – Zenoss, Alien
Vault, Nagios, Splunk, Graylog

26

Event Logging
• Placement
–
–
–
–
–
–
–
–

Perimeter
VLAN or Workgroup
Wireless
Choke points – maximize collection capacity within
budget and ability to process and analyze
Minimize duplication
Sync time
Normalize
Secure collector transmission pathways
27

Detecting bots - Darknet
• Network telescope (darknet) – collector on an
unused network address space that monitors
whatever it receives but does not communicate
back.
• Most traffic it receives is illegitimate and it can
find random scanning worms and internet
backscatter (unsolicited commercial or network
control messages).
• How to set up a darknet
http://www.team-cymru.org/Services/darknets.html
28

Detecting C&C
• Ourmon (linux/FreeBSD tool) – detects network
anomalies and correlate it with IRC channel traffic.
• Stats generated every 30sec
• Application layer analytics
• Claims from ourmon.sourceforge.net/
–
–
–
–
–
–
–
–

Monitor TCP (syndump), and UDP (udpreport) flows
Log all DNS query responses network wide
Measure basic network traffic statistically
Catch "unexpected" mail relays
Catch botnets
Spot infections with random "zero-day" malware
Spot attacks from the inside or outside
See what protocols are taking up the most bandwidth
29

Detection – A/V and Anti-malware
•
•
•
•
•
•
•

AVG (Grisoft) – free for home use
Ad-aware (Lavasoft) - free
Repelit (itSoftware)
McAfee
Microsoft Security Essentials (free up to 10 PCs)
Symantec
Spybot Search and Destroy - free

30

Prevention – Vulnerability scanning
• Vulnerability scanning – scan and fix vulnerabilities
found. Identify and protect machines that could be
potential bots.
– Nexpose
• Free for up to 32 IP

– OpenVAS (Vulnerability Assessment System)
• Linux
• VM available (resource intensive)

– Greenbone Desktop Suite (uses OpenVAS)
• Windows XP/Vista/7

– MBSA (Microsoft Baseline Security Analyzer)
– Secunia PSI (local Windows machine scanning only)
31

Prevention
•
•
•
•
•

Firewall
IPS/IDS
Web filtering
SPAM filtering (incoming & outgoing)
Disable VPN split tunnel

32

SIEM
• Security Information and Event Management
–
–
–
–
–
–
–
–

Log aggregation
Correlation
Normalization
Alerting
Dashboards
Views
Compliance reports
Retention
33

Prevention
• Read only virtual desktops
• Software
– Software restrictions and auditing
– Sandbox software before deployment

• Patch management
• NAC (Network Access Control) – A/V & patches

34

Response
• Incident response
– Determine scope
– Determine if it constitutes a breach and therefore
notification
– Analyze - Is any evidence needed?
– Clean the device

• After-action review
– Define improvement actions
– Assign responsibilities for actions
– Follow-up
35

Thanks
Enjoy the summit
Acknowledgements:
• Bot command tables obtained from “An Inside Look at Botnets” by

Vinod Yegneswaran
• The programs depicted in this presentation are owned by their
respective authors
36

Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Destaque

Destaque (15)

Semelhante a Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg

Semelhante a Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg (20)

Mais de Eric Vanderburg

Mais de Eric Vanderburg (20)

Último

Último (20)

Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg