View
2.015
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Eric Vanderburg, Director of Information Systems and Security at JurInnov, presents "The Bot Stops Here: Removing the BotNet Threat" at the Public and Higher Ed Security Summit.
Citation preview
© 2012 JurInnov Ltd. All Rights Reserved.
The Bot Stops Here:Removing the BotNet Threat
Eric VanderburgJurInnov, Ltd.April 25, 2012
© 2012 JurInnov Ltd. All Rights Reserved.
2
Presentation Overview
• The Internet is always attacking you but are you attacking the Internet?
• Botnet overview• Defining the threat• Command and Control servers• Propagation• Detection• Prevention• Response
© 2012 JurInnov Ltd. All Rights Reserved.
3
Botnet Overview
• Bot– Program that performs automated tasks– Remote controlled– AKA: zombie or drone
• Botnet – collection of bots remotely controlled and working together to perform tasks
• Bot herder – bot master
© 2012 JurInnov Ltd. All Rights Reserved.
4
Facts
• 40% of infected machines have 1 or more bots
• Zeus bot is responsible for losses greater than $100 million
2011 Damballa threat report
SC Magazine, April 2012
© 2012 JurInnov Ltd. All Rights Reserved.
5
Why are universities particularly susceptible?
• Lack of control over machines• Silos for research or classroom projects• A culture of information sharing with minimal
boundaries and controls• Heavy recreational use of network resources
including P2P, chat, IRC, games, and social networking.
• Ideal target for attackers – many hosts– large Internet pipe– Mail and other tempting services
© 2012 JurInnov Ltd. All Rights Reserved.
6
Threat defined – What is done with botnets?
• DDoS• Spam• Distribute copyrighted material– Torrents
• Data mining• Hacking• Spread itself
© 2012 JurInnov Ltd. All Rights Reserved.
7
History1999 Pretty Park• Used IRC for C&C &
updates• ICQ & email harvesting• DoS
1999 SubSeven• Used IRC for C&C• Keylogger• Admin shell access
2000 GTBot• Bounce (relay) IRC traffic• Port scan• DDoS• Delivery: email
2002 SDBot• Keylogger• Delivery: WebDav and
MSSQL vulnerabilities, DameWare remote mgmt software, password guessing on common MS ports & common backdoors
2002 AgoBot• Modular design• DDoS• Hides with rootkit tech• Turns off antivirus• Modifies host file• Delivery: P2P (Kazaa,
Grokster, BearShare, Limewire)
2003 SpyBot• Builds on SDBot• Customizable to avoid
detection• DDoS, Keylogger, web form
collection, clipboard logging, webcam capture
• Delivery: SDBot + P2P
2003 RBot• Encrypts itself• Admin shell access2004 PolyBot
• Builds on AgoBot• Polymorphs through
encrypted encapsulation
2005 MyTob• DDoS, Keylogger, web form
collection, webcam capture• Delivery: email spam using
MyDoom w/ own SMTP server
2006 Rustock• Spam, DDoS• Uses rootkit to hide• Encrypts spam in TLS• Robust C&C network (over
2500 domains)• Delivery: email
2007 Storm• Spam• Dynamic fast flux C&C DNS• Malware re-encoded
twice/hr• Defends itself with DDoS• Sold and “licensed”• Delivery: Email enticement
for free music
2007 Zeus• Phishing w/ customizable
data collection methods• Web based C&C• Stealthy and difficult to
detect• Sold and “licensed” to
hackers for data theft• Delivery: Phishing, Social
Networking
2007 Cutwail• Spam, DDoS• Harvests email addresses• Rootkit• Delivery: Email
2008 Mariposa (Butterfly)• Rented botnet space for
spam, DDoS, and theft of personal information
• Delivery: MSN, P2P, USB
2008 TDSS• Sets up a proxy that is
rented to other for anonymous web access
• Delivery: Trojan embedded in software
2009 Koobface• Installs pay-per-install
malware• Delivery: Social
Networking
20091999 2003 2005 200820042000 2006 20072002
© 2012 JurInnov Ltd. All Rights Reserved.
8
Life Cycle
• Exploit– Malicious code– Unpatched vulnerabilities– Trojan– Password guessing– Phish
• Rally - Reporting in– Log into designated IRC channel and PM master– Make connection to http server– Post data to FTP or http form
Exploit Rally
Preserve
Inventory
Await instruction
s
Update Execute Report Clea
n up
© 2012 JurInnov Ltd. All Rights Reserved.
9
Life Cycle
• Preserve– Alter A/V dll’s– Modify Hosts file to prevent A/V
updates– Remove default shares (IPC$,
ADMIN$, C$)– Rootkit– Encrypt– Polymorph– Retrieve Anti-A/V module– Turn off A/V or firewall services– Kill A/V, firewall or debugging processes
Exploit Rally
Preserve
Inventory
Await instruction
s
Update Execute Report Clea
n up
<preserve> <pctrl.kill “Mcdetect.exe”/> < pctrl.kill “avgupsvc.exe”/> < pctrl.kill “avgamsvr.exe”/> < pctrl.kill “ccapp.exe”/></preserve>
Agobot host control commands
© 2012 JurInnov Ltd. All Rights Reserved.
10
Life Cycle
• Inventory– determine capabilities such as RAM, HDD,
Processor, Bandwidth, and pre-installed tools
• Await instructions from C&C server• Update– Download payload/exploit– Update C&C lists
Exploit Rally
Preserve
Inventory
Await instruction
s
Update Execute Report Clea
n up
© 2012 JurInnov Ltd. All Rights Reserved.
11
Life Cycle
• Execute commands– DDoS– Spam– Harvest emails– Keylog– Screen capture– Webcam stream– Steal data
• Report back to C&C server• Clean up - Erase evidence
Exploit Rally
Preserve
Inventory
Await instruction
s
Update Execute Report Clea
n up
© 2012 JurInnov Ltd. All Rights Reserved.
12
Propagation
• Scan for windows shares and guess passwords ($PRINT, C$, D$, E$, ADMIN$, IPC$) – find usernames, guess passwords from list– Remember to use strong passwords
Agobot propagation functions
© 2012 JurInnov Ltd. All Rights Reserved.
13
Propagation
• Use backdoors from common trojans• P2P – makes files available with enticing
names hoping to be downloaded. File names consist of celebrity or model names, games, and popular applications
• Social networking – Facebook posts or messages that provides a link (Koobface worm)
© 2012 JurInnov Ltd. All Rights Reserved.
14
Propagation
• SPIM– Message contact list– Send friend requests to contacts from email
lists or harvested IM contacts from the Internet
• Email– Harvests email addresses from ASCII files
such as html, php, asp, txt and csv– uses own SMTP engine and guesses the mail
server by putting mx, mail, smpt, mx1, mail1, relay or ns in front of the domain name.
© 2012 JurInnov Ltd. All Rights Reserved.
15
Command and Control
• C&C or C2• Networked with redundancy• Dynamic DNS with short TTL for C&C IP
(weakness is the DNS, not the C&C server)
• Daily rotating encrypted C&C hostnames• Alternate control channels (Ex:
Researchers in 2004 redirected C&C to monitoring server)
© 2012 JurInnov Ltd. All Rights Reserved.
16
Command and Control
– Web or FTP server • instructions in a file users download• Bots report in and hacker uses connection log to
know which ones are live• Bots tracked in URL data• Commands sent via push or pull method
– Peer-to-peer – programming can be sent from any peer and discovery is possible from any peer so the network can be disrupted without the C&C server.
– Social networking– Instant Messaging
© 2012 JurInnov Ltd. All Rights Reserved.
17
Botnet commands - Agobot
• Commands are sent as PRIVMSG, NOTICE or TOPIC IRC messages
© 2012 JurInnov Ltd. All Rights Reserved.
18
Detecting bots
• Monitor port statistics on network equipment and alert when machines utilize more than average– Gather with SNMP, netflow, or first stage probes
(sniffers) attached to port mirrored ports on switches.
• Wireshark• Real time netflow analyzer- Solarwinds free
netflow tool• Small Operation Center or MRTG – free
SNMP/syslog server with dashboard• SNARE – event log monitoring (Linux & Windows
agents)
© 2012 JurInnov Ltd. All Rights Reserved.
19
Detecting bots - Stager
• Stager (Latest version 4.1) – Monitors network
statistics using netflow based on nfdump .
https://trac.uninett.no/stager
© 2012 JurInnov Ltd. All Rights Reserved.
20
Detecting bots - Firewall
• ASDM – Cisco ASA and PIX
© 2012 JurInnov Ltd. All Rights Reserved.
21
Detecting bots - Darknet
• Network telescope (darknet) – collector on an unused network address space that monitors whatever it receives but does not communicate back.
• Most traffic it receives is illegitimate and it can find random scanning worms and internet backscatter (unsolicited commercial or network control messages).
• How to set up a darknet http://www.team-cymru.org/Services/darknets.html
© 2012 JurInnov Ltd. All Rights Reserved.
22
Detecting C&C
• Ourmon (linux/FreeBSD tool) – detects network anomalies and correlate it with IRC channel traffic.
• Stats generated every 30sec• Application layer analytics• Claims from ourmon.sourceforge.net/
– Monitor TCP (syndump), and UDP (udpreport) flows– Log all DNS query responses network wide – Measure basic network traffic statistically – Catch "unexpected" mail relays – Catch botnets – Spot infections with random "zero-day" malware– Spot attacks from the inside or outside – See what protocols are taking up the most bandwidth
© 2012 JurInnov Ltd. All Rights Reserved.
23
Prevention – Vulnerability scanning
• Vulnerability scanning – scan and fix vulnerabilities found. Identify and protect machines that could be potential bots. – Nexpose
• Free for up to 32 IP
– OpenVAS (Vulnerability Assessment System)• Linux• VM available (resource intensive)
– Greenbone Desktop Suite (uses OpenVAS)• Windows XP/Vista/7
– MBSA (Microsoft Baseline Security Analyzer)– Secunia PSI (local Windows machine scanning only)
© 2012 JurInnov Ltd. All Rights Reserved.
24
Prevention – A/V and Anti-malware
• AVG (Grisoft) – free for home use• Ad-aware (Lavasoft) - free• Repelit (itSoftware)• McAfee• Microsoft Security Essentials (free up to
10 PCs)• Symantec• Spybot Search and Destroy - free
© 2012 JurInnov Ltd. All Rights Reserved.
25
Prevention
• Personal firewall• Firewall
– SmoothWall– M0n0wall
• IPS/IDS– Snort – Network IDS
• BASE – web front-end for Snort
– OSSEC – Host IDS
• Web filtering• SPAM filtering (incoming & outgoing)• Disable VPN split tunnel
© 2012 JurInnov Ltd. All Rights Reserved.
26
Prevention
• Read only virtual desktops• Software– Software restrictions and auditing– Sandbox software before deployment
• Patch management• NAC (Network Access Control) – A/V &
patches
© 2012 JurInnov Ltd. All Rights Reserved.
27
Response
• Incident response – Determine scope– Determine if it constitutes a breach and
therefore notification– Analyze - Is any evidence needed?
• Toolkit – Process Monitor– Rootkit Revealer– Hiren BootCD 15.1 has a variety of tools
(http://www.hiren.info/pages/bootcd)
– Clean the device
© 2012 JurInnov Ltd. All Rights Reserved.
28
Thanks
Enjoy the summit
Acknowledgements:• Bot command tables obtained from “An Inside Look at
Botnets” by Vinod Yegneswaran• The programs depicted in this presentation are owned by
their respective authors