Introduces the Storm worm and analyzes the P2P and rootkit technologies the Storm worm uses to build up its botnet and hide itself.
Storm Worm & Botnet
Websense, Inc.
Jun Zhang
Beijing Security Lab.
Aug 2008
Introduction -- What's the Storm Worm
A kind of malicious program
The first Storm worm was discovered in late January, 2007.
Storm is one of the first malware families to use a P2P network, which makes Storm more resilient, more powerful, and harder to detect.
Spreading method
The primary spreading method remains social-engineering email and phishing websites.
Storm Features
Based on P2P and rootkit technology, Storm is able to easily resist attempts to shut down the network and has evolved continuously to stay ahead of the anti-virus industry and researchers.
Features:
Uses a P2P network (Overnet/Kademlia)
Uses fast-flux DNS for hosting on named sites
Binary has gone through many revisions
Hides on the machine with rootkit technology
Storm Capabilities
As Storm has evolved, it has gained a number of capabilities to aid it in malicious activity.
Capabilities:
Spam
Spread
ICMP Echo flood
TCP SYN flood
Proxy connections
Download and execute file
Malicious Activities
The Storm network has been used for many malicious money-making activities: spamming, phishing emails, and DDoS attacks.
Example – Sending Spam through Google’s SMTP Server
Example – Phishing mail
Core components of Storm: P2P-based botnet, rootkit
Through analyzing recent Storm samples, we noticed that the P2P network and the rootkit are the most important components of the Storm worm.
Most Storm worms use the Overnet protocol to construct their botnet; because of the distributed nature of Overnet, there is no central command and control server.
This dynamic nature makes Storm very resilient to attack.
The nature of the Overnet-based P2P botnet is also the primary reason why casual researchers and security enthusiasts often chalk the Storm botnet up as impossible to shut down, or even to track or estimate the size of.
Another reason Storm avoids detection is rootkit technology. The rootkit enhances Storm's hiding ability: using the rootkit, Storm can hide itself in the file system, conceal running processes, and easily bypass the firewall and IDS.
Next, we will focus on the P2P-based botnet and the rootkit, and discuss them with a real Storm sample we captured.
Storm Worm P2P-based Botnet
Overview
In recent years, P2P technology has been used frequently in Storm variants and has become more and more popular.
A P2P-based botnet is very hard to trace and to shut down, because the botnet has robust network connectivity (this is the nature of a P2P network), uses encryption, and disperses its traffic.
Each bot influences only a small part of the botnet, and upgrade/recovery is easily accomplished by its botmaster.
Decentralized Botnet
The latest botnets use a decentralized architecture, unlike the traditional botnet architecture.
This kind of botnet does not need a central command and control location;
it allows the attacker to upgrade and control infected hosts without the botmaster.
P2P botnet Implementation
Storm uses a distributed hash table (DHT) based on the Kademlia algorithm and assigns a random 128-bit ID to each bot.
The format of the random ID is similar to this:
Normally, Storm carries a hard-coded peer list. This list is used to bootstrap the botnet.
Example of peer list
Each line is a single hex-encoded peer in this format:
<128 bit hash>=<32 bit IP><16 bit port><8 bit peer type>
How to build up the peer list:
Use the system time as a random seed.
Depending on the timing seed, generate the 128-bit bot ID.
Randomly pick the IP/UDP port from a static array carried by the Storm binary.
Keep a part of the bot information in the configuration file.
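As an added example (not the presenter's tool or Storm's own code), a decoder for the hex-encoded peer-list format shown above, which an analyst can run over a captured bootstrap list to recover bot IDs, addresses and the UDP port spread. The sample lines are constructed, and the slide does not state the byte order of the IP and port fields, so network byte order is assumed here.

```python
import ipaddress
import re

# Constructed sample in the slide's format <128 bit hash>=<32 bit IP><16 bit port><8 bit peer type>.
# Hashes, addresses and ports are made up; they are not from a real Storm peer list.
SAMPLE_PEER_LIST = """\
0123456789abcdef0123456789abcdef=C0A8010A1F9000
fedcba9876543210fedcba9876543210=0A00000504D200
this is not a peer line
00112233445566778899aabbccddeeff=C0A8010A1F90
"""

# 32 hex chars (128-bit hash) '=' 8 hex (IPv4) 4 hex (port) 2 hex (peer type)
PEER_LINE = re.compile(
    r"^([0-9a-fA-F]{32})=([0-9a-fA-F]{8})([0-9a-fA-F]{4})([0-9a-fA-F]{2})$"
)


def parse_peer_line(line):
    """Decode one peer entry; returns None for a malformed line.

    Assumption (not stated on the slide): IP and port are hex-encoded in
    network byte order, so C0A8010A is 192.168.1.10 and 1F90 is port 8080.
    """
    m = PEER_LINE.match(line.strip())
    if not m:
        return None
    bot_id, ip_hex, port_hex, type_hex = m.groups()
    return {
        "bot_id": bot_id.lower(),
        "ip": str(ipaddress.IPv4Address(int(ip_hex, 16))),
        "port": int(port_hex, 16),
        "peer_type": int(type_hex, 16),
    }


def parse_peer_list(text):
    """Parse a whole bootstrap list: valid entries plus a count of rejected lines."""
    peers, rejected = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        peer = parse_peer_line(line)
        if peer is None:
            rejected += 1
        else:
            peers.append(peer)
    return peers, rejected


def udp_ports(peers):
    """Distinct UDP ports in the list; a wide spread is the port dispersion the talk describes."""
    return sorted({p["port"] for p in peers})
```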
Botnet Traffic Analysis
The primary protocol the botnet uses is UDP. Each bot uses UDP to communicate.
Normally, Storm includes an SMTP component to spread the spam email.
Spamming – SMTP component
This figure is the screen snapshot of a Storm bot sending spam.
UDP-based bots conversation
Securing the network traffic between bots
Storm uses an XOR encryption algorithm to encrypt the messages between the bots and randomly assigns the UDP port for each bot.
These measures greatly increase the dispersion of UDP ports, so it is very hard to trace a single bot.
XOR Encryption Algorithm
This encryption algorithm is very simple, but good enough to bypass an IDS or IPS.
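An added illustration of the two sides of that point (not code from the talk or from Storm): a repeating-key XOR defeats a plain byte-pattern match, yet an analyst holding a few bytes of known plaintext recovers the key immediately. The key value, the message layout and the "SEARCH:" marker are all assumptions; the real Storm key and packet format are not given on this slide.

```python
# Assumed single-byte repeating key; the real Storm key is not on the slide.
ASSUMED_KEY = bytes([0x5A])

# Constructed sample: a fake bot message whose leading bytes act as a signature.
SIGNATURE = b"SEARCH:"
PLAINTEXT = SIGNATURE + bytes.fromhex("0123456789abcdef0123456789abcdef")


def xor_bytes(data, key):
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def signature_matches(packet, signature):
    """Naive content-match rule, as a signature-only IDS would apply it."""
    return signature in packet


def recover_keystream(ciphertext, known_plaintext):
    """Known-plaintext recovery: ciphertext XOR plaintext gives the key bytes
    at those positions, which is all a repeating single-byte key needs."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decrypt_with_known_prefix(ciphertext, known_prefix):
    """Recover the key from the known prefix and decrypt the whole packet."""
    key = recover_keystream(ciphertext, known_prefix)[:1]
    return key, xor_bytes(ciphertext, key)
```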
Botnet Messages
To analyse the botnet, I wrote a tool to observe the messages between the bots.
Two kinds of messages:
Search: A bot uses search messages to find resources and other bots based on BotID.
Publicize: A bot uses publicize messages to report ownership of network resources (BotIDs) so that other bots can find the resource later.
Search Message
Publicize Message
The huge Botnet
The figure below shows part of a real botnet; I observed more than 5796 infected hosts in only 21 minutes!
Storm Worm – Rootkit Technology
What’s the Rootkit
A rootkit is a set of software applications intended to hide running processes, files, or system data from the operating system.
In recent years, rootkits have been used increasingly by malware to help intruders maintain access to systems while avoiding detection.
Rootkits often modify parts of the operating system or install themselves as drivers or kernel modules.
A real Rootkit used by the Storm Worm
We captured this Storm in August. Below is the work-flow of the rootkit this Storm used.
The Rootkit's capabilities:
Hide File
Avoid being deleted. (Hook NtQueryDirectoryFile)
Hide TCP Port
Bypass the firewall. (Hook the TCP device, \Device\Tcp)
Hide Win32 Service (Avoid being detected)
Erase its footprint from the registry. (Hook NtEnumerateKey/NtEnumerateValueKey)
Inject Code into "services.exe"
From kernel mode, it uses a user-mode APC to inject the malicious code into "services.exe".
Storm Worm – A Real One
Work-flow of a real Storm.
The white paper for this Storm can be found at:
http://securitylabs.websense.com/content/Assets/Storm_Worm_Botnet_Analysis_-_June_2008.pdf
Any Questions?
The End