Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
•Descargar como PPTX, PDF•
2 recomendaciones•663 vistas
Why Botnet Takedowns Never Work, Unless It’s a SmackDown! If organizations are truly working to limit Internet abuse and protect end users, we need to take a more thoughtful approach to botnet takedowns – or once again bots will veer their ugly heads. There are three main causes of ineffective takedowns: The organizations performing botnet takedowns do so in a haphazard manner. The organizations do not account for secondary communication methods, such as peer-to-peer or domain generation algorithms (DGA) that may be used by the malware. The takedowns do not result in the arrest of the malware actor. So what does a successful botnet take down actually look like? In his presentation on Botnet SmackDowns, Brian Foster, CTO of Damballa will share with attendees how to effectively takedown botnets for good. The only way botnet takedowns will have a lasting impact on end user safety is if security researchers use a comprehensive and systematic process that renders the botnet inoperable.
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Destacado (10)
Similar a Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
Similar a Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown! (20)
Más de EC-Council
Más de EC-Council (20)
Último
Último (20)
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
- 1. Why Botnet Takedowns Never Work, Unless It’s a SmackDown! -Brian Foster, CTO Damballa 1
- 2. The Old Security Stack INFECTION RISK BUSINESS RISK Prevention Detection Response ATTACK INFECTION DAMAGE Forensics Firewall IDS/IPS Web Security Email Security Sandboxing Host AV/IPS/FW Resource intensive, inefficient manual investigation efforts. “Is this alert real or a false positive?” ALERT & LOGS SOC SIEM Single Pane of Glass 2
- 3. The New Security Stack INFECTION RISK BUSINESS RISK Prevention Detection Response ATTACK INFECTION DAMAGE Forensics NGFW Endpoint Containment Sandboxing Email Gateway ALERT & LOGS SOC SIEM Single Pane of Glass LEGACY Host AV/IPS/FW Damballa fills the security gap between failed prevention and your incident response 3
- 5. 5 Predictive Security Analytics Platform Connection Query • Indicators of Compromise • Threat Actors / Intent Case Analyzer Platform File Request • Zero Day Files • Suspicious HTTP Content Domain Fluxing Automation Execution Peer-To-Peer • Automated Malicious Activity • Observed Evasion Tactics Data Transferred PCAPs Communication Success Malicious File Availability Sequence of Events Importance of Endpoint Malware Family Intent Severity AV Coverage Damage Potential • Observed Activity • Device Properties • Threat Sophistication • Threat Intent 9 Risk Profilers Prioritized Risk of Confirmed Infections 8 Detection Engines Rapid Discovery & Validation of Infections 5
- 6. Network Data qrl89y666z.tang.la p5ctnvqyd3.myftp.org 5opskttv3y.serveblog.net tzeh62imx.informatix.com.ru 0zd2bwqqyu.no-ip.info 2ndk2swdma.madhacker.biz pe4d0t35bs.no-ip.info 5c0x3re4vr.zapto.org seqkhgd4pj.logout.us zkycgbn8es.serveblog.net a4669k3.spacetechnology.net s45223a.tang.la 0098.no-ip.info Sbdat.servevlog.net 0few3kd4yv.mooo.info … 6
- 7. Network Data qrl89y666z.tang.la p5ctnvqyd3.myftp.org 5opskttv3y.serveblog.net tzeh62imx.informatix.com.ru 0zd2bwqqyu.no-ip.info 2ndk2swdma.madhacker.biz pe4d0t35bs.no-ip.info 5c0x3re4vr.zapto.org seqkhgd4pj.logout.us zkycgbn8es.serveblog.net a4669k3.spacetechnology.net s45223a.tang.la 0098.no-ip.info Sbdat.servevlog.net 0few3kd4yv.mooo.info … Numbers 30 Billion per day. 8 Trillion per year. DNS Records ISPs Telcos Enterprises 7
- 8. Network Data Numbers 100 Thousand per day. 36.5 Million per year. Malware samples Enterprises. Industry sharing/feeds. 8
- 9. Supervised Learning Y-Axis – Total malware samples looking up the domain. X-Axis – Total blacklisted domains on BGP prefix. 9
- 10. Supervised Learning Y-Axis – Total malware samples looking up the domain. X-Axis – Total blacklisted domains on BGP prefix. 1 0
- 11. Supervised Learning Y-Axis – Total malware samples looking up the domain. X-Axis – Total blacklisted domains on BGP prefix. 1 1
- 12. Unsupervised Learning Y-Axis – n-grams. X-Axis – Entropy. 1 2
- 13. Unsupervised Learning Y-Axis – n-grams. X-Axis – Entropy. 1 3
- 14. Domain Name Reputation • message-tvit.com – 172.16.32.193 • artizondigital.com – 10.10.9.1 • ubibar.ubi.com – 192.168.7.4 • www.benjaminsparkmemorialchapel.ca - 172.16.1.45 • player-update.info – 10.1.3.156 • king-orbit.com – 192.1168.24.19 4
- 15. Domain Name Reputation • message-tvit.com - .08 • artizondigital.com - .87 • ubibar.ubi.com - .93 • www.benjaminsparkmemorialchapel.ca - .78 • player-update.info - .05 • king-orbit.com - .12 1 5
- 16. Notos 1 6
- 17. Notos’ Components Results Conclusions and Future Work Zone Based Clusters 1 7 Network and Zone Profile Clustering Reputation Function 2nd Level Clustering Split Due to Zone Properties [A]: ns6.b0e.ru 218.75.144.6 ... 188.240.164.122.dalfihom.cn 218.75.144.6 0743f9.tvafifid.cn 218.75.144.6 ns5.bg8.ru 218.75.144.6 097.groxedor.cn 218.75.144.6 adelaide.zegsukip.cn 218.75.144.6 07d2c.fpibucob.cn 218.75.144.6 0c9.xyowijam.cn 218.75.144.6 ns6.b0e.ru 218.75.144.6 0678fc.yxbocws.cn 218.75.144.6 ns1.loverspillscalm.com 218.75.144.6 09071.tjqsjfz.cn 218.75.144.6 0de1f.wqutoyih.cn 218.75.144.6 katnzvv.cn 218.75.144.6 ... [B]: e752.p.akamaiedge.net 72.247.179.52 ... e882.p.akamaiedge.net 72.247.179.182 e707.g.akamaiedge.net 72.247.179.7 e867.g.akamaiedge.net 72.247.179.167 e747.p.akamaiedge.net 72.247.179.47 e732.g.akamaiedge.net 72.247.179.32 e932.g.akamaiedge.net 72.247.179.232 e752.p.akamaiedge.net 72.247.179.52 e729.g.akamaiedge.net 72.247.179.29 e918.p.akamaiedge.net 72.247.179.218 e831.p.akamaiedge.net 72.247.179.131 e731.p.akamaiedge.net 72.247.179.31 ... 25
- 18. RZA - Motivation • Takedowns are: ad-hoc, of arguable success, are performed without oversight • System goal: add rhyme/reason to takedowns – evaluate previous takedown attempts, and – recommend and inform on/for future takedowns 18
- 19. RZA - Datasets • Large passive DNS (pDNS) database – pDNS stores historic assignments btw IPs/domains – ~3 years of visibility • Implement RHDN/RHIP operations – – • Source: major NA ISP, other customers • Data also in Hadoop for large-scale processing • Malware MD5 <-> domain name mapping 19
- 20. RZA - Overview Infrastructure Enumeration Domains Domain Reputation Di Dm Domain & MD5 Association Low Reputation Domains Malware Interrogation pDNS Malware DB 3 MD5s Ds: seed domains De: enumerated domains D r : low reputation domains RZA Enumerated Domains Malware-related Domains Interrogated Domains Postmortem Report Takedown Recommendation 1 2 4 5a 5b Malware Backup Plan De Ds Dr Dm: malware-related domains Di: malware interrogation domains 20
- 21. RZA – Malware Interrogation • Manipulate fundamental protocol packets to convince malware its primary network asset is unavailable – DNS and TCP – Easy to add additional protocols • If malware is presented with unavailable infrastructure: – Retries hardcoded IPs/domains, – Tries to reach a finite set of IPs/domains, or – Tries to reach an infinite set of IPs/domains (DGA/P2P) 21
- 22. 22
- 23. 23
- 24. 24
- 25. 25
- 26. 26
- 27. RZA – Malware Interrogation • Game malware to present primary infrastructure failure • DNS/TCP packet manipulation (NXDomain/TCP RST) • Automatically determine backup behaviors G1 G2 ... VM1 VM2 ... Gn VMn Gnull VM 0 Host Internet 27
- 28. RZA – Malware Interrogation • Simple heuristics to determine malware behavior • Fake domain-level and IP-level takedowns – Forge all non-white DNS responses -> NXDomain • Alexa top 10K – Forge all non-white TCP connections -> TCP reset • IPs derived from Alexa top 10K • Five analysis scenarios: – Vanilla run – DNS whitelist for time t – DNS whitelist for time 2t – IP whitelist for time t – IP whitelist for time 2t 28
- 29. RZA – Takedown Recommendation Enumerate Infrastructure Interrogate Malware No Behavioral Changes Finite Domains/ IPs DGA Input: {Ds} Input: {De U Di} Classify Malware Behavior P2P 1.) Revoke D 1.) Counter P2P 2.) Revoke D 1.) Reverse engineer DGA 2.) TLD cooperation 3.) Revoke D 29
- 30. Target Which Sets? De Di Ds Dm Dr Ds: seed domains De: enumerated domains D r : low reputation domains Dm: malware-related domains Di: malware interrogation domains 30
- 31. RZA – Studies • Postmortem study: analysis of Kelihos, ZeuS, and 3322.org/Nitol takedowns – Use lookup volume to show activity to infrastructure • Takedown study: analysis of 45 active botnet C&Cs – Can we take them down? 31
- 35. RZA – Takedown Study • Of the 45 botnets: – 2 had DGA-based backup mechanism – 1 had P2P-based backup mechanism – 42 susceptible to DNS-only takedown 35
- 36. Policy Discussion • Current drawbacks to takedowns – ad-hoc – Little oversight – Arguable success • All point to need for central authority – ICANN’s UDRP/URS as example frameworks • Criteria for takedown • More eyes = more successes • Test with new TLDs (much like w/ URS)
- 37. Thank you Brian.foster@damballa.com (310) 514-7485 37
Notas del editor
- Damballa Enables Organizations to: Rapidly identify active threats With 100% certainty Without triage efforts or delays Independent of having a malware sample Regardless of malware type, infection vector or source As a Breach Resistant Organization You Can: Quickly and efficiently stop real losses Find previously undetected threats Remove the threats that can cause losses NOW Increase efficiency, and effectiveness by eliminating alert chasing Dramatically reduce overall risk