Bladerunner: Adventures in Tracking Botnets - AusCERT 2014

Page 1: Bladerunner: Adventures in Tracking Botnets - AusCERT 2014

BladeRunner Adventures in Tracking Botnets

Jason Jones and Marc Eisenbarth

Page 2: Agenda

•  Who Are We?
•  ASERT Background
•  BladeRunner
   –  Background
   –  Redesign
   –  Malware Tracked
   –  Results
   –  Future Work
•  Conclusions

Page 3: Who Am I (Jason)?

•  Sr. Security Research Analyst for Arbor Networks' ASERT
   –  Previously of TippingPoint DVLabs
•  Speaker at
   –  BlackHat USA 2012
   –  InfoSec Southwest 2013
   –  Usenix LEET13
   –  Botconf 2013
   –  AusCERT
•  Research interests
   –  IP reputation
   –  Malware clustering
   –  Data mining DNS / malware / target data

Page 4: Who is Marc?

•  Manager of ASERT Research Team / ASERT Architect
   –  Previously of TippingPoint DVLabs
•  Speaker at
   –  Shmoocon
   –  Usenix LEET12
   –  InfoSec Southwest 2013
   –  BotConf
   –  AusCERT x 2

Page 5: ASERT

•  Arbor Security Engineering & Response Team
   –  Active Threat Feed
   –  ATLAS Intelligence Feed
   –  Malware Reverse Engineering
   –  Threat Intelligence

Page 6: ASERT

•  ASERT Malware Corral
   –  Malware storage + processing system
   –  Processing occurs via sandbox, static methods
   –  Tagging via behavioral and static methods
•  Currently pulling in between 50-100k samples / day
   –  Biggest problem is figuring out what to run
•  665 unique family names tagged in 2014
   –  DDoS, Bankers, Droppers, RATs, Advanced Threats, etc.
   –  161 different family phone homes tagged

Page 7: MCorral

Page 8: BladeRunner

Page 9: Background

•  Started by Jose Nazario in 2006
•  Original version focused on IRC bots
•  Only tracked DDoS commands
•  Presented at
   –  VirusBulletin Conference 2006
   –  BlackHat DC 2007
   –  http://www.arbornetworks.com/asert/2012/02/ddos-attacks-in-russia/
   –  HITBKUL 2012

Page 10: Background

•  Started tracking HTTP bots
   –  Use os.system calls to curl -_-
   –  Was not enjoyable to read and write
•  Track binary protocol bots
   –  Uses "replay": good to avoid time-consuming protocol reversing, but....
   –  If sample made successful conn, send packet back to CnC
   –  No connection in Mcorral = CnC was considered "dead"
   –  DynDNS-based malware tends to only be up for small, random periods. Lots missed

Page 11: Redesign - Goals

•  Lack of flexibility, lack of tracking led to redesign
•  Most important requirement: *has* to do everything old version did and "more"
•  Track non-DDoS commands
•  Support non-DDoS malware
•  Automatically expire CnC
•  Have "conversations" with CnC
   –  No replay
   –  Respond to all commands until termination

Page 12: Redesign - Architecture

•  Three separate pieces
   –  Data model
      •  Our system uses Django-based ORM
      •  Postgres backend
      •  Considering alt storage methods for handling "big data"
   –  Harvesters
      •  Pull tagged connections from our analysis system
      •  Use VirusTotal Intelligence Hunting
      •  Configuration extractors
   –  "Replicants" aka fake bots

Page 13: Redesign - Architecture

Page 14: Replicated Malware

Page 15: Replicated Malware

•  Sixteen separate malware families re-implemented
   –  Ten HTTP-based
      •  Four implement some form of encryption / obfuscation
   –  One plain-text binary protocol
   –  Five binary protocol with some form of encryption
•  More time consuming to reimplement binary protocols
•  Even more time consuming to reverse custom crypto
•  No IRC bots

Page 16: My standard reversing process...

Page 17: DirtJumper Family / Variants

Page 18: DirtJumper Drive

https://www.arbornetworks.com/asert/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/

Page 19: Drive2

https://www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/

Page 20: Drive3

https://www.arbornetworks.com/asert/2014/03/drive-returns-with-new-tactics-and-new-attacks/

Page 21: Athena HTTP

https://www.arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/

Page 22: Madness

•  Super-awesome Base64-encoded secrecy
•  Most interesting strings in the binary are Base64-encoded
•  Sometimes the author forgets to strip symbols from his binaries :)
•  Sometimes botnet ops give you their FTP creds in a file download :)
•  https://www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/

Page 23: Madness

•  Bad admins give you download-and-execute containing their hosting site credentials :)
   –  And that gets you their admin panel credentials
•  Poor guy has a small botnet :(
•  Appears to be the "cracked" version available in forums

Page 24: Solarbot

•  RC4 using s parameter as key
•  NULL-delimited commands
•  Commands are byte values
•  Later discovered leaked cracked builder + panel
   –  http://www.sendspace.com/file/nm5isp
•  Really? Blocking Scrabble?
   –  "Blacklist: https://scrabblefb-live2.sn.eamobile.com"
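As an added example (not code from the slides or from Arbor's BladeRunner), a decoder for a C2 reply in the shape the Solarbot bullets describe: RC4 keyed by the s parameter of the bot's check-in request, NULL-delimited commands, one command byte each. The request layout, the command numbering and the sample reply are constructed assumptions, not Solarbot's real ones.

```python
# Added example, not BladeRunner code. Decodes a captured C2 reply the way the
# slide describes Solarbot: RC4 keyed by the check-in's "s" parameter, commands
# separated by NULL bytes, first byte of each command is its numeric opcode.
from urllib.parse import parse_qs


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed opcode table for the example; the real bot's numbering is not on the slides.
COMMANDS = {0x01: "idle", 0x02: "attack", 0x03: "update", 0x04: "uninstall"}


def key_from_request(query: str) -> bytes:
    """Assumption: the bot's check-in query string carries the RC4 key in 's'."""
    return parse_qs(query)["s"][0].encode()


def decode_commands(query: str, blob: bytes) -> list:
    """Decrypt a C2 reply and split it into (command name, argument) pairs."""
    plain = rc4(key_from_request(query), blob)
    parsed = []
    for chunk in plain.split(b"\x00"):
        if not chunk:
            continue  # empty piece from a trailing delimiter
        name = COMMANDS.get(chunk[0], f"unknown(0x{chunk[0]:02x})")
        parsed.append((name, chunk[1:].decode("latin-1")))
    return parsed


if __name__ == "__main__":
    # Constructed sample: build the reply the way such a C2 would, then decode it.
    query = "id=bot1&s=sekrit"
    reply = rc4(b"sekrit", b"\x02example.invalid:80\x00\x01\x00")
    print(decode_commands(query, reply))
```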

Page 25: DarkComet

https://www.arbornetworks.com/asert/2012/03/its-not-the-end-of-the-world-darkcomet-misses-by-a-mile/

Page 26: Results!

Page 27: Results - Overview

•  In production for over a year
•  Provided a wealth of intelligence around attacks
   –  What kinds of attacks are most popular
•  Collected over 270,000 attack commands
•  Stores information on over 3500 C2
   –  Almost 1100 have been active at some point
•  Since Jan 2014, data harvested from 1996 unique MD5
   –  Number of C2 with double-digit sample associations

Page 28: Results - Locations

Page 29: Results - Locations

Page 30: Results - Locations

Page 31: Results - Locations

Page 32: Results - Locations

Page 33: Results - Locations

Page 34: Results - Locations

Page 35: Results - Locations

Page 36: Results - Locations

Page 37: Results - Locations

Page 38: Results - Locations

Page 39: Results - Locations

Page 40: Results - Locations

Page 41: Results - Locations

Page 42: Results - Locations

Page 43: Results - Locations

Page 44: Results – Downloaded Malware (1)

Page 45: Results – Downloaded Malware (2)

Page 46: Results – CnC Relationships via pDNS (1)

Page 47: Results – CnC Relationships via pDNS (2)

Page 48: Results – CnC Relationships via pDNS (3)

https://www.virustotal.com/en/ip-address/31.170.164.5/information/

Page 49: Results – CnC Relationships via Targets (1)

Page 50: Results – CnC Relationships via Targets (2)

•  Many Drive/Drive2 CnC share similar targets
•  Coupling similarity in targets with pDNS gives
   –  Many co-located in same /24
   –  Some on exact same IP
•  Some targets have multiple CnC on multiple botnets targeting
   –  Speaks to larger campaign against a site
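An added example (not from the slides or the BladeRunner code base) of the correlation this slide describes: score CnC pairs by overlap of the target sets they issued, then check pDNS answers for same-/24 or same-IP co-location. The CnC names, target sets and addresses are constructed for the example.

```python
# Added example, not BladeRunner code. Correlates CnCs the way the slide
# describes: Jaccard similarity of their attack target sets, then pDNS
# co-location (same IP, same /24) for the pairs that look related.
from ipaddress import ip_network
from itertools import combinations

# Constructed observations: CnC hostname -> set of targets its commands named.
TARGETS = {
    "cnc-a.example": {"shop.example", "news.example", "forum.example"},
    "cnc-b.example": {"shop.example", "news.example", "blog.example"},
    "cnc-c.example": {"bank.example"},
}
# Constructed passive-DNS answers (documentation address ranges).
PDNS = {
    "cnc-a.example": {"198.51.100.10"},
    "cnc-b.example": {"198.51.100.77"},
    "cnc-c.example": {"203.0.113.5"},
}


def jaccard(a: set, b: set) -> float:
    """|A ∩ B| / |A ∪ B|; 0.0 when both sets are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0


def slash24(ip: str) -> str:
    """Containing /24 of an IPv4 address, e.g. 198.51.100.10 -> 198.51.100.0/24."""
    return str(ip_network(f"{ip}/24", strict=False))


def network_overlap(x: str, y: str) -> str:
    """'same-ip', 'same-/24' or 'none' for two CnCs, from their pDNS answers."""
    if PDNS[x] & PDNS[y]:
        return "same-ip"
    if {slash24(ip) for ip in PDNS[x]} & {slash24(ip) for ip in PDNS[y]}:
        return "same-/24"
    return "none"


def related_cncs(threshold: float = 0.4) -> list:
    """CnC pairs whose target sets overlap enough, annotated with pDNS co-location."""
    out = []
    for x, y in combinations(sorted(TARGETS), 2):
        score = jaccard(TARGETS[x], TARGETS[y])
        if score >= threshold:
            out.append((x, y, round(score, 2), network_overlap(x, y)))
    return out


if __name__ == "__main__":
    for row in related_cncs():
        print(row)
```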

Page 51: Results – Geo-Political Activity (1)

•  Russia / ex-Soviet Bloc area very active
   –  Russian Gov't related sites attacked
   –  Azerbaijan / Dagestan-related event attacks
   –  Anti-Gov't sites attacked
   –  Ukraine sees lots of attacks, is definitely not weak ;)
•  Corruption exposure sites attacked

Page 52: Results – Geo-Political Activity (2)

Page 53: Results – Geo-Political Activity (3)

•  Sochi Olympics
   –  Expected target given some recent RU laws + global appeal of the event
   –  Drive3 started targeting a few days before the games began
   –  Success story since we were able to use the intel for mitigation
   –  Shocker was that it consisted of compromised sites as C2
   –  Hosters were able to get the majority of the C2 cleaned very fast

Page 54: Results – Geo-Political Activity (4)

•  Numerous DDoS attacks launched during Crimea situation
   –  Local Crimean gov't sites
   –  UA gov't sites
   –  RU gov't sites
   –  Referendum voting sites
•  Attacks had varying success
•  Attacks still ongoing due to political unrest

Page 55: Results – Retaliation DDoS

•  Stelios / Maverick gets dox'd on paste sites
   –  http://pastebin.ca/2457696
•  Multiple CnC start launching attacks against paste sites
   –  Specifically targeted pastes with dox
   –  Hired externally, did not use own CnC for the attacks
•  Listed as owner of ddos-service.cc
   –  steliosmaver.ru Athena HTTP CnC possible backend

Page 56: Results – Protecting Targets

•  Major reason why ASERT tracks botnets is for protection + intelligence
   –  Not for sale
   –  Not for ambulance chasing
•  Multiple instances of Arbor customers being attacked
   –  Know the attack + botnet = easy to tailor protection
•  Share data with those that have the power to take down

Page 57: Parting Words

Page 58: Wrap-Up

•  BladeRunner-like systems produce useful threat intelligence
   –  Botnet size can matter, especially in DDoS
   –  Find some actual new-to-you underground forums via DDoS targets ;)
•  Everyone should be doing it on some level
   –  Goal is to provide a blueprint and a starting point to help that become a reality
•  All the data makes for pretty pictures :)
•  Need better handling of larger datasets
•  Add more custom command parsers
   –  Files
   –  Generic "Commands"

Page 59: Future Work

•  More bots
   –  Andromeda
   –  Bankers (web-injects, configs)
•  Data Mining
   –  GraphDB: currently investigating TitanGraph
   –  Correlate with other internal data sources
   –  Maltego modules via Canari
•  Code availability
   –  Config extraction
   –  Fake bots

Page 60: Moar Future Work

•  Dynamically spin up EC2/Rackspace/etc. instances for proxying on demand
   –  Seen a few geo-blocking DDoS CnC, but not many
   –  Also helps keep botnet IP space large and dynamic to avoid blacklisting
•  Alternatives to Django/ORM
   –  I like it, but...

Page 61: How Do I Get This Data?

•  Most people can't get all of it
   –  As mentioned previously, not for sale
•  Hosters / those with power/willingness to take C2's down
•  We freely share with CERTs / LE (EuroPol/FBI/equivs)
   –  Not in the business of takedowns
      •  Full-time job with amount of data processed
      •  Legal morass
   –  If you are one of those and are interested please contact us
•  Work for ASERT ;)

Page 62: Code Availability

•  Code *almost* ready, not yet ready for public release :(
•  Still work to be done with cleaving out of our infrastructure
•  Goal is to get standalone pieces of many fake bots to allow people to integrate into their own backends and systems
•  Targeting July 2014
•  https://github.com/arbor/

Page 63: Questions/Comments/Feedback

•  [email protected] / [email protected]
•  @jasonljones / http://www.arbornetworks.com/asert/
•  http://jasonjon.es/research/

Page 64: Thank You!

Thank You!