Zombie or not to be: Through the meshes of Botnets
-Guillaume Lovet
Agenda
• Presentation objectives
• Introduction: a quick overview of Botnets
• Attack scenarios
• Protecting from Botnets
• Q&A
Presentation objectives
• Identify the threats currently posed by Botnets company-wise, and recognize what to expect in a near future
• Generate consistent and effective security policies to protect against Botnets, from inside and outside the corporate network
Introduction
• A Botnet is a network of trojanized computers, reporting to and commanded via a Master Server.
• Botnets have existed for years
• Recent rise in their activity
• High deleterious potential and obvious financial value
Botnets are the number 1 Internet security threat today
Threats posed by botnets
• Critical data compromise
• Proxying (attacks, spam, phish)
• Hosting of illegal content
• Seeding new malware
• Distributed denial of service
Scenario 1: The worm in the fruit
• Multiple infection vectors for bots to intrude into the corporate network:
– Typical: Email, Webpage, IM systems
– Bypassing gateways: CD (c.f. W32/YsRailee.A-tr), Laptops (c.f. W32/Dumador.DH)
• Once a bot is inside:
– Connect back to master server
– Receive the order to spread inside the corp. net
– Exfiltrate critical data
Conclusion: strong firewall policies and AV/IPS systems at the edge of the network are not enough
Scenario 2: The Cyberterrorist strike
• Botnets are a perfect base to launch Distributed Denial of Service attacks
• Effectively protecting against DDoS is not trivial
• Companies which offer online services lose massive amounts of money if DDoSed (e.g. ebay)
Blackmail & Racket
• Ransom is officially deemed “security consulting costs”
Conclusion: The Botnets problem must be coped with at its roots – it’s a bit of everyone’s responsibility
One future possible scenario: The double-strike seed
• Factors to create a successful worldwide virus outbreak:
– Size of the seeding vector
– Length of the “Opportunity Window”
• Botnet A seeds: the new malware is mass-mailed
• Botnet B extends the opportunity window: DDoS update servers of AV vendors
Conclusion: Tight update policies are not enough
Protecting from Botnets
• Some security policies eradicate or mitigate the impact of Botnets on the company’s resources
• Protection must be twofold
• From the “inside” to be immune to:
– Data exfiltration
– Being a vector of cyber-criminal activities (roots of the problem)
• From the “outside” to be immune to:
– Intrusion
– DoS attacks
Protecting from bots inside the corporate network Pt I: Security 101
• Use appropriate and consistent firewall rules
– Goal: cut communication to the master server
– Default rule for both inbound and outbound connections: Deny
– Allow only needed services for outbound connections (e.g.:HTTP, SMTP, SSH)
– Enforce the use of an HTTP proxy, so that port 80 is closed for users.
– Will not always be sufficient, because of an expected diversification of bot/master protocols: e.g. W32/Dumador.DH is a “full HTTP” bot
Alternate Master/Slave communication channel
Protecting from bots inside the corporate network Pt II: Spot ’em
• Is my network hosting bots?
– Sniffing outbound traffic on the gateway for keywords used in Bot/Master communications:
• .login
• .scan
• .status
• .sysinfo
– Set up a DNS redirection to an in-house honeypot (or sinkhole) for blacklisted bot master servers => unveil the infected hosts
– Bot masters RSL (Real-Time Sinkhole List) public server project for DNS records updating
Protecting from bots outside the corporate network
• Sums up to protect against known types of attacks, bots only being a vector for those:
– DDoS: Some products exist, but not much can be done against an attack performed by a large botnet. Note that reactive IPS technologies can backfire on their users
– Spam: Antispam & RBL
– Phish: AV integrated to email gateways
– Malware mass-mailing: "push update" AV technology (c.f. MyTob's case) combined with a 0-hour detection solution
Questions?
Contact: [email protected]