© 2012 JurInnov Ltd. All Rights Reserved. The Bot Stops Here: Removing the BotNet Threat Eric Vanderburg JurInnov, Ltd. April 25, 2012

The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Security Summit - Eric Vanderburg


DESCRIPTION

Eric Vanderburg, Director of Information Systems and Security at JurInnov, presents "The Bot Stops Here: Removing the BotNet Threat" at the Public and Higher Ed Security Summit.


The Bot Stops Here: Removing the BotNet Threat

Eric Vanderburg, JurInnov, Ltd., April 25, 2012


Presentation Overview

• The Internet is always attacking you but are you attacking the Internet?

• Botnet overview
• Defining the threat
• Command and Control servers
• Propagation
• Detection
• Prevention
• Response


Botnet Overview

• Bot
  – Program that performs automated tasks
  – Remote controlled
  – AKA: zombie or drone

• Botnet – collection of bots remotely controlled and working together to perform tasks

• Bot herder – bot master


Facts

• 40% of infected machines have 1 or more bots

• Zeus bot is responsible for losses greater than $100 million

2011 Damballa threat report

SC Magazine, April 2012


Why are universities particularly susceptible?

• Lack of control over machines
• Silos for research or classroom projects
• A culture of information sharing with minimal boundaries and controls
• Heavy recreational use of network resources including P2P, chat, IRC, games, and social networking
• Ideal target for attackers
  – many hosts
  – large Internet pipe
  – Mail and other tempting services


Threat defined – What is done with botnets?

• DDoS
• Spam
• Distribute copyrighted material
  – Torrents
• Data mining
• Hacking
• Spread itself


History

1999 Pretty Park
• Used IRC for C&C & updates
• ICQ & email harvesting
• DoS

1999 SubSeven
• Used IRC for C&C
• Keylogger
• Admin shell access

2000 GTBot
• Bounce (relay) IRC traffic
• Port scan
• DDoS
• Delivery: email

2002 SDBot
• Keylogger
• Delivery: WebDav and MSSQL vulnerabilities, DameWare remote mgmt software, password guessing on common MS ports & common backdoors

2002 AgoBot
• Modular design
• DDoS
• Hides with rootkit tech
• Turns off antivirus
• Modifies hosts file
• Delivery: P2P (Kazaa, Grokster, BearShare, Limewire)

2003 SpyBot
• Builds on SDBot
• Customizable to avoid detection
• DDoS, Keylogger, web form collection, clipboard logging, webcam capture
• Delivery: SDBot + P2P

2003 RBot
• Encrypts itself
• Admin shell access

2004 PolyBot
• Builds on AgoBot
• Polymorphs through encrypted encapsulation

2005 MyTob
• DDoS, Keylogger, web form collection, webcam capture
• Delivery: email spam using MyDoom w/ own SMTP server

2006 Rustock
• Spam, DDoS
• Uses rootkit to hide
• Encrypts spam in TLS
• Robust C&C network (over 2500 domains)
• Delivery: email

2007 Storm
• Spam
• Dynamic fast flux C&C DNS
• Malware re-encoded twice/hr
• Defends itself with DDoS
• Sold and “licensed”
• Delivery: Email enticement for free music

2007 Zeus
• Phishing w/ customizable data collection methods
• Web based C&C
• Stealthy and difficult to detect
• Sold and “licensed” to hackers for data theft
• Delivery: Phishing, Social Networking

2007 Cutwail
• Spam, DDoS
• Harvests email addresses
• Rootkit
• Delivery: Email

2008 Mariposa (Butterfly)
• Rented botnet space for spam, DDoS, and theft of personal information
• Delivery: MSN, P2P, USB

2008 TDSS
• Sets up a proxy that is rented to others for anonymous web access
• Delivery: Trojan embedded in software

2009 Koobface
• Installs pay-per-install malware
• Delivery: Social Networking


Life Cycle

• Exploit
  – Malicious code
  – Unpatched vulnerabilities
  – Trojan
  – Password guessing
  – Phish
• Rally - Reporting in
  – Log into designated IRC channel and PM master
  – Make connection to http server
  – Post data to FTP or http form

Life cycle diagram: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up


Life Cycle

• Preserve
  – Alter A/V dll’s
  – Modify Hosts file to prevent A/V updates
  – Remove default shares (IPC$, ADMIN$, C$)
  – Rootkit
  – Encrypt
  – Polymorph
  – Retrieve Anti-A/V module
  – Turn off A/V or firewall services
  – Kill A/V, firewall or debugging processes


<preserve>
  <pctrl.kill "Mcdetect.exe"/>
  <pctrl.kill "avgupsvc.exe"/>
  <pctrl.kill "avgamsvr.exe"/>
  <pctrl.kill "ccapp.exe"/>
</preserve>

Agobot host control commands


Life Cycle

• Inventory
  – determine capabilities such as RAM, HDD, Processor, Bandwidth, and pre-installed tools
• Await instructions from C&C server
• Update
  – Download payload/exploit
  – Update C&C lists



Life Cycle

• Execute commands
  – DDoS
  – Spam
  – Harvest emails
  – Keylog
  – Screen capture
  – Webcam stream
  – Steal data
• Report back to C&C server
• Clean up - Erase evidence



Propagation

• Scan for windows shares and guess passwords ($PRINT, C$, D$, E$, ADMIN$, IPC$)
  – find usernames, guess passwords from list
  – Remember to use strong passwords

Agobot propagation functions


Propagation

• Use backdoors from common trojans
• P2P – makes files available with enticing names hoping to be downloaded. File names consist of celebrity or model names, games, and popular applications
• Social networking – Facebook posts or messages that provide a link (Koobface worm)


Propagation

• SPIM
  – Message contact list
  – Send friend requests to contacts from email lists or harvested IM contacts from the Internet
• Email
  – Harvests email addresses from ASCII files such as html, php, asp, txt and csv
  – uses own SMTP engine and guesses the mail server by putting mx, mail, smtp, mx1, mail1, relay or ns in front of the domain name.


Command and Control

• C&C or C2
• Networked with redundancy
• Dynamic DNS with short TTL for C&C IP (weakness is the DNS, not the C&C server)
• Daily rotating encrypted C&C hostnames
• Alternate control channels (Ex: Researchers in 2004 redirected C&C to monitoring server)
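Since the slide points out that the DNS side of a short-TTL C&C setup is the weak spot, here is an added example (not from the presentation) that scans a network-wide DNS response log for names that combine a short TTL with many distinct answers. The log format, the thresholds and the domain names are constructed for this example; a short TTL alone is kept as a non-finding because CDNs behave the same way.

```python
"""Added example: flag fast-flux style names in DNS response logs.
Log line layout and thresholds are assumptions for this example."""
import re
from collections import defaultdict

LINE = re.compile(r"client=(\S+) qname=(\S+) ttl=(\d+) answer=(\S+)")

# Constructed sample log (RFC 5737 example addresses, not real resolver data)
DNS_LOG = """\
client=10.1.1.10 qname=www.example.edu ttl=3600 answer=192.0.2.10
client=10.1.1.11 qname=www.example.edu ttl=3600 answer=192.0.2.10
client=10.1.1.20 qname=cc.example-flux.net ttl=60 answer=203.0.113.5
client=10.1.1.20 qname=cc.example-flux.net ttl=60 answer=203.0.113.9
client=10.1.1.20 qname=cc.example-flux.net ttl=60 answer=198.51.100.3
client=10.1.1.21 qname=cc.example-flux.net ttl=60 answer=198.51.100.44
client=10.1.1.12 qname=cdn.example.org ttl=30 answer=192.0.2.50
client=10.1.1.12 qname=cdn.example.org ttl=30 answer=192.0.2.50
"""


def parse(log):
    """Yield (client, qname, ttl, answer) for every well-formed line."""
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            client, qname, ttl, answer = m.groups()
            yield client, qname, int(ttl), answer


def fast_flux_candidates(log, max_ttl=300, min_ips=3):
    """Names whose TTL never exceeds max_ttl AND that resolved to at least
    min_ips distinct addresses.  Both conditions are required, so a CDN
    name with a short TTL but a stable answer is not reported."""
    ttls, ips, clients = defaultdict(list), defaultdict(set), defaultdict(set)
    for client, qname, ttl, answer in parse(log):
        ttls[qname].append(ttl)
        ips[qname].add(answer)
        clients[qname].add(client)
    return {
        q: {"ips": len(ips[q]), "clients": sorted(clients[q])}
        for q in ips
        if max(ttls[q]) <= max_ttl and len(ips[q]) >= min_ips
    }


if __name__ == "__main__":
    for name, info in fast_flux_candidates(DNS_LOG).items():
        print(name, info)  # the clients list is the host list to investigate
```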


Command and Control

– Web or FTP server
  • instructions in a file users download
  • Bots report in and hacker uses connection log to know which ones are live
  • Bots tracked in URL data
  • Commands sent via push or pull method
– Peer-to-peer – programming can be sent from any peer and discovery is possible from any peer, so the network can be disrupted without the C&C server.
– Social networking
– Instant Messaging


Botnet commands - Agobot

• Commands are sent as PRIVMSG, NOTICE or TOPIC IRC messages


Detecting bots

• Monitor port statistics on network equipment and alert when machines utilize more than average
  – Gather with SNMP, netflow, or first stage probes (sniffers) attached to port mirrored ports on switches.
• Wireshark
• Real time netflow analyzer - Solarwinds free netflow tool
• Small Operation Center or MRTG – free SNMP/syslog server with dashboard
• SNARE – event log monitoring (Linux & Windows agents)
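The "utilize more than average" rule above, worked through as an added example that is not part of the presentation: it baselines per-host outbound bytes from flow records and flags hosts far above the campus mean, and also flags hosts speaking SMTP that are not approved relays (the "unexpected mail relay" check named on the Ourmon slide). The record layout, the relay list and all addresses are constructed for this example.

```python
"""Added example: baseline per-host traffic from constructed flow records.
Record layout (src, dst, dst_port, bytes) and the relay list are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (RFC 5737 addresses); 10.1.1.20 is the noisy host
FLOWS = [
    ("10.1.1.10", "93.184.216.34", 443, 120_000),
    ("10.1.1.11", "93.184.216.34", 443, 95_000),
    ("10.1.1.12", "93.184.216.34", 80, 110_000),
    ("10.1.1.13", "198.51.100.7", 443, 100_000),
    ("10.1.1.14", "198.51.100.7", 80, 90_000),
    ("10.1.1.20", "198.51.100.9", 25, 30_000),      # lab PC sending mail
    ("10.1.1.20", "203.0.113.5", 6667, 4_000),       # IRC-sized trickle
    ("10.1.1.20", "203.0.113.77", 80, 9_000_000),    # volume far above peers
    ("10.1.1.2", "198.51.100.9", 25, 500_000),       # the real mail relay
]
KNOWN_MAIL_RELAYS = {"10.1.1.2"}  # assumed list of approved SMTP senders


def bytes_per_host(flows):
    """Total outbound bytes per source address."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return totals


def volume_outliers(flows, k=2.0):
    """Hosts whose outbound total exceeds mean + k * population stddev.
    k is a tuning knob; a campus with bursty research hosts needs a larger k."""
    totals = bytes_per_host(flows)
    values = list(totals.values())
    threshold = mean(values) + k * pstdev(values)
    return sorted(h for h, b in totals.items() if b > threshold)


def unexpected_mail_relays(flows, relays=KNOWN_MAIL_RELAYS):
    """Hosts sending to TCP/25 that are not on the approved relay list."""
    return sorted({src for src, _dst, port, _b in flows
                   if port == 25 and src not in relays})


if __name__ == "__main__":
    print("volume outliers:", volume_outliers(FLOWS))
    print("unexpected mail relays:", unexpected_mail_relays(FLOWS))
```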


Detecting bots - Stager

• Stager (Latest version 4.1) – Monitors network statistics using netflow based on nfdump.
  https://trac.uninett.no/stager


Detecting bots - Firewall

• ASDM – Cisco ASA and PIX


Detecting bots - Darknet

• Network telescope (darknet) – collector on an unused network address space that monitors whatever it receives but does not communicate back.

• Most traffic it receives is illegitimate and it can find random scanning worms and internet backscatter (unsolicited commercial or network control messages).

• How to set up a darknet http://www.team-cymru.org/Services/darknets.html


Detecting C&C

• Ourmon (linux/FreeBSD tool) – detects network anomalies and correlates them with IRC channel traffic.
• Stats generated every 30sec
• Application layer analytics
• Claims from ourmon.sourceforge.net/
  – Monitor TCP (syndump) and UDP (udpreport) flows
  – Log all DNS query responses network wide
  – Measure basic network traffic statistically
  – Catch "unexpected" mail relays
  – Catch botnets
  – Spot infections with random "zero-day" malware
  – Spot attacks from the inside or outside
  – See what protocols are taking up the most bandwidth


Prevention – Vulnerability scanning

• Vulnerability scanning – scan and fix vulnerabilities found. Identify and protect machines that could be potential bots.
  – Nexpose
    • Free for up to 32 IP
  – OpenVAS (Vulnerability Assessment System)
    • Linux
    • VM available (resource intensive)
  – Greenbone Desktop Suite (uses OpenVAS)
    • Windows XP/Vista/7
  – MBSA (Microsoft Baseline Security Analyzer)
  – Secunia PSI (local Windows machine scanning only)


Prevention – A/V and Anti-malware

• AVG (Grisoft) – free for home use
• Ad-aware (Lavasoft) - free
• Repelit (itSoftware)
• McAfee
• Microsoft Security Essentials (free up to 10 PCs)
• Symantec
• Spybot Search and Destroy - free


Prevention

• Personal firewall
• Firewall
  – SmoothWall
  – M0n0wall
• IPS/IDS
  – Snort – Network IDS
    • BASE – web front-end for Snort
  – OSSEC – Host IDS
• Web filtering
• SPAM filtering (incoming & outgoing)
• Disable VPN split tunnel


Prevention

• Read only virtual desktops
• Software
  – Software restrictions and auditing
  – Sandbox software before deployment
• Patch management
• NAC (Network Access Control) – A/V & patches


Response

• Incident response
  – Determine scope
  – Determine if it constitutes a breach and therefore notification
  – Analyze - Is any evidence needed?
• Toolkit
  – Process Monitor
  – Rootkit Revealer
  – Hiren BootCD 15.1 has a variety of tools (http://www.hiren.info/pages/bootcd)
  – Clean the device


Thanks

Enjoy the summit

Acknowledgements:
• Bot command tables obtained from “An Inside Look at Botnets” by Vinod Yegneswaran
• The programs depicted in this presentation are owned by their respective authors