1. Eradicate the Bots in the
Belfry
Eric Vanderburg
JurInnov, Ltd.
October 26, 2012
© 2012 JurInnov Ltd. All Rights Reserved.
2. Presentation Overview
• The Internet is always attacking you but are you
attacking the Internet?
• Botnet overview
• Defining the threat
• Command and Control servers
• Propagation
• Detection
• Prevention
• Response
3. Botnet Overview
• Bot
– Program that performs automated tasks
– Remote controlled
– AKA: zombie or drone
• Botnet – collection of bots remotely controlled
and working together to perform tasks
• Bot herd – a subset of the botnet that is allocated
to an entity or project
• Bot herder – bot master
4. Threat defined
• Over 200 million bots worldwide
• 12% of bots active
• Half a million infected each day to maintain the herd
• Botnets rented ($90/day; $15/hr for a DDoS bot)
5. Threat defined – What is done with botnets?
• DDoS
• Spam
• Distribute copyrighted material
• Data mining
• Hacking / Hacktivism
• Fraud
– Click fraud
– eBay feedback
– Pump & dump
• Covert communication
6. Criminal approach
• Data collection
– Collect financial data (file scan, HTML injection)
– Harvest usernames and passwords
• Monetization
– Raid accounts
– Fraud
• Laundering
– Recruit money mules
– Bounce money from account to account
7. 2007
Zeus
• Phishing w/ customizable data
2007
collection Cutwail
methods
• 2008 DDoS
Spam, C&C
• Web based Mariposa (Butterfly)
2003
RBot
1999
Pretty Park
• • Harvests email addresses
Rented TDSS
• Stealthy and difficultspace for spam,
2008 botnet to detect
• Encrypts
• Used IRC for C&C & updates itself
• Rootkit
2004
PolyBot
• Sold andSets andatheft hackers rented
“licensed” to of personal
•DDoS, up proxy that is
1999& email harvesting
SubSevenAdmin shell access
•
• ICQ
• data theft Email
Delivery:
for information anonymous web
to other for
Used IRC GTBot • Builds on AgoBot
for C&C
2005
MyTob
2000
• •DoS
•
Polymorphs through encrypted Delivery:
• • Bounce (relay)• IRC traffic Keylogger, • Delivery:access MSN, P2P, USB
Keylogger
• DDoS,
web form Phishing, Social
Networking
•
• • Portshell access encapsulation webcam capture Delivery: Trojan embedded
Admin scan
collection,
• Delivery: email spam using in software
• DDoS
MyDoom w/ own SMTP server
• Delivery: email
History
1999 2000
2002
2003
2004
2005
2006
2007
2008
2009
2002
SDBot
2009
Koobface
2006
Rustock
• Keylogger
2002
AgoBot
•
• 2007 DDoS Installs pay-per-install
Spam, Storm
• Delivery: WebDav and
• Modular design
• •Uses rootkit tomalware
hide
MSSQL vulnerabilities,
Spam • Delivery: Social Networking
2003
SpyBot
• DDoS
• Encrypts spam in TLS
DameWare remote mgmt
Dynamic
• • Builds on SDBot
Hides with rootkit tech • •Robust C&C fast flux C&C DNS
network (over
software, password guessing detection
• Malware re-encoded twice/hr
• • Customizable to avoid
Turns off antivirus
on common MS ports & web form Defends itself with DDoS
•2500 domains)
• • DDoS,host file
Modifies Keylogger,
• •Delivery: email
common backdoors
collection, (Kazaa, Grokster,
• Delivery: P2P clipboard logging, Sold and “licensed”
• Delivery: Email enticement for
webcam capture
BearShare, Limewire)
free music
• Delivery: SDBot + P2P
8. Customizing a bot with AgoBot GUI
Example of AgoBot GUI to customize the bot
10. Life Cycle
Stages: Exploit, Rally, Preserve, Inventory, Await instructions, Update, Execute, Report, Clean up
• Preserve
– Alter A/V DLLs
– Modify the hosts file to prevent A/V updates
– Remove default shares (IPC$, ADMIN$, C$)
– Rootkit
– Encrypt
– Polymorph
– Retrieve anti-A/V module
– Turn off A/V or firewall services
– Kill A/V, firewall or debugging processes
AgoBot configuration fragment shown on the slide (kills A/V processes during the preserve stage):
    <preserve>
      <pctrl.kill "Mcdetect.exe"/>
      <pctrl.kill "avgupsvc.exe"/>
      <pctrl.kill "avgamsvr.exe"/>
      <pctrl.kill "ccapp.exe"/>
    </preserve>
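Added example (not from the original deck): a triage check for the hosts-file tampering described under Preserve. A bot that wants definitions to stay stale maps the vendor's update hostnames to 127.0.0.1 or 0.0.0.0 in the hosts file, or points them at a host it controls. The script parses a hosts file and flags any entry for a watched vendor domain, whether blackholed or redirected. The hosts content and the avvendor.example hostnames are constructed for the example; the watched-suffix list is an assumption you would replace with the vendors you actually deploy.

```python
import ipaddress

# Constructed sample hosts file (not from any real infection).  The
# avvendor.example names are placeholders for an A/V vendor's update hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        fileserver.corp.example
127.0.0.1 update.avvendor.example
0.0.0.0   liveupdate.avvendor.example   # definitions never arrive
192.0.2.77 downloads.avvendor.example   # attacker-controlled mirror
"""

# Domains that should only ever resolve through DNS.  Assumed list for the
# example; a real check uses the vendors deployed on your fleet.
WATCHED_SUFFIXES = ("avvendor.example",)


def parse_hosts(text):
    """Yield (line_number, ip_address, hostname) for every mapping in a hosts file.

    Comments start with '#'; a line maps one address to one or more names.
    Malformed lines are skipped rather than raising, since we are reading a
    file the attacker may have edited.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def is_watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text):
    """Return every hosts entry that pins a watched vendor domain.

    Loopback or 0.0.0.0 means the updates are blackholed; any other address
    means they are redirected.  Both are findings: a vendor domain has no
    business in the hosts file at all.
    """
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if not is_watched(name):
            continue
        reason = "blackholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append({"line": lineno, "host": name, "address": str(addr), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f)
```

On a Windows host read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `suspicious_entries`; pair the result with the slide's other preserve indicators (missing default shares, stopped A/V and firewall services) before deciding the machine is clean.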
11. Life Cycle
Stages: Exploit, Rally, Preserve, Inventory, Await instructions, Update, Execute, Report, Clean up
Agobot host control commands
Command               Description
harvest.cdkeys        Return a list of CD keys
harvest.emails        Return a list of emails
harvest.emailshttp    Return a list of emails via HTTP
harvest.aol           Return a list of AOL-specific information
harvest.registry      Return registry information for a specific registry path
harvest.windowskeys   Return Windows registry information
pctrl.list            Return a list of all processes
pctrl.kill            Kill specified processes set from a service file
pctrl.listsvc         Return a list of all services that are running
pctrl.killsvc         Delete/stop a specified service
pctrl.killpid         Kill specified process
inst.asadd            Add an autostart entry
inst.asdel            Delete an autostart entry
inst.svcadd           Add a service to the SCM
inst.svcdel           Delete a service from the SCM
14. Propagation
• Scan for Windows shares (print$, C$, D$, E$, ADMIN$, IPC$) and guess passwords: enumerate usernames, then try passwords from a list
– Countermeasure: use strong passwords
Agobot propagation functions
15. Propagation
• Use backdoors from common trojans
• P2P – makes files available with enticing names
hoping to be downloaded. File names consist of
celebrity or model names, games, and popular
applications
• Social networking – Facebook posts or messages that provide a link (Koobface worm)
16. Propagation
• SPIM (spam over instant messaging)
– Message the contact list
– Send friend requests to contacts from email lists or IM contacts harvested from the Internet
• Email
– Harvests email addresses from ASCII files such as html, php, asp, txt and csv
– Uses its own SMTP engine and guesses the mail server by prepending mx, mail, smtp, mx1, mail1, relay or ns to the domain name
17. Command and Control
• C&C or C2
• Networked with redundancy
• Dynamic DNS with a short TTL for the C&C IP (the weak point is the DNS, not the C&C server)
• Daily rotating encrypted C&C hostnames
• Alternate control channels
• Average lifespan: 2 months
18. Command and Control
• IRC
• Peer-to-peer – commands can be sent from any peer and peers can be discovered from any other peer, so taking down a single C&C server does not disrupt the network
• Social networking
• Instant Messaging
19. Command and Control
• Web or FTP server
– Instructions in a file the bots download
– Bots report in and the herder uses the connection log to see which ones are live
– Bots tracked in URL data
– Commands sent via pull instead of push
• No constant connection
• Check-in might match a signature
– Better scalability: a web server can handle more connections than an IRC server
– Port 80 is not blocked and the traffic does not look unusual
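Added example (not from the original deck): the pull-based check-in described above is exactly what makes web C&C detectable from a proxy log. A bot polling a command file does so on a timer, so the gaps between its requests to one host are nearly constant, while a person's browsing is bursty. The script groups proxy log lines by client and destination host, measures the regularity of the request gaps with the coefficient of variation (stdev / mean), and reports the metronomic pairs. The log lines, the client addresses and the cdn-static.example.net / news.example.org hosts are constructed for the example; the thresholds are assumptions to tune against your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
from urllib.parse import urlsplit


def constructed_proxy_log():
    """Build a small proxy log (constructed for this example, not real data).

    Fields per line: timestamp  client_ip  method  url  status  bytes
    10.1.1.20 is the simulated bot: it pulls the same small file every 300 s
    with a few seconds of jitter.  10.1.1.10 is a user browsing irregularly.
    """
    base = datetime(2012, 10, 26, 9, 0, 0)
    lines = []
    jitter = [0, 3, -2, 4, 1, -3, 2, 0, -1, 3, -4, 2]
    for i, j in enumerate(jitter):
        t = base + timedelta(seconds=300 * i + j)
        lines.append(f"{t.isoformat()} 10.1.1.20 GET "
                     f"http://cdn-static.example.net/img/1x1.gif?id=7f3a 200 43")
    offsets = [0, 7, 9, 61, 300, 301, 302, 1200, 1260, 3000, 3001, 3500]
    for i, o in enumerate(offsets):
        t = base + timedelta(seconds=o)
        lines.append(f"{t.isoformat()} 10.1.1.10 GET "
                     f"http://news.example.org/story/{i} 200 {15000 + 137 * i}")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, client, destination host, bytes)."""
    ts, client, _method, url, _status, size = line.split()
    return datetime.fromisoformat(ts), client, urlsplit(url).hostname, int(size)


def find_beacons(lines, min_hits=8, max_cv=0.1):
    """Return (client, host) pairs whose request timing looks like a check-in.

    For each client/host pair with at least min_hits requests, sort the
    requests, take the gaps between consecutive ones and compute
    stdev / mean.  A polling bot has a low CV; human browsing a high one.
    Constant response size is reported as a secondary indicator: the same
    command file fetched every time has the same length.
    """
    groups = defaultdict(list)
    for line in lines:
        when, client, host, size = parse_line(line)
        groups[(client, host)].append((when, size))

    findings = []
    for (client, host), hits in groups.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            sizes = [s for _, s in hits]
            findings.append({
                "client": client,
                "host": host,
                "hits": len(hits),
                "period_s": round(period, 1),
                "cv": round(cv, 3),
                "constant_size": len(set(sizes)) == 1,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(constructed_proxy_log()):
        print(f)
```

On a real proxy log raise `min_hits` and run over a day at a time; legitimate periodic traffic (software update checks, monitoring agents, RSS readers) will also score low and needs an allowlist, which is why the destination host and response size are reported alongside the period.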
20. Trends
• Hackers
– Mostly about money instead of notoriety (hacktivism
excluded)
– Staying under the radar
• Smaller herds
• Fewer propagation methods
• Web based C&C
• Government and terrorist actors
– Aimed at taking down critical services or disrupting business
21. Detecting bots
• Monitor port statistics on network equipment and alert when a machine's utilization exceeds its baseline average
– Gather with SNMP, NetFlow, or first-stage probes (sniffers) attached to mirrored (SPAN) ports on switches
• Firewall statistics
• IPS/IDS reports
22. Baseline
• Document
– Network Schematic
– Server roles
• Destination IP addresses
• Ports
• Protocols
• Volume of data and directionality
23. Quick and Fast Rules
• Compromised hosts generally send out more
information
• Patterns (sending perspective)
– Many-to-one – DDoS, Syslog, data repository, email
server
– One-to-many – web server, email server, SPAM
bot, warez, port scanning
– Many-to-many – P2P, virus infection
– One-to-one – normal communication, targeted attack
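Added example (not from the original deck): the sending-perspective patterns above and the "more than average" rule from the detection slide, applied to flow records. Fan-out (distinct destinations per source) catches one-to-many behaviour, fan-in (distinct sources per destination) catches many-to-one, the dominant destination port says what kind of one-to-many it is (445 for share scanning, 25 for a spam bot talking straight to MX hosts), and per-source byte totals against mean plus two standard deviations find the heavy talker. The flow tuples, addresses and thresholds are constructed assumptions for the example, shaped like the fields a NetFlow export provides.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src, dst, dst_port, bytes_out).  Not captured
# traffic; the shape mimics a NetFlow export reduced to the fields we need.
FLOWS = [
    ("10.1.1.10", "93.184.216.34", 443, 12000),
    ("10.1.1.10", "93.184.216.35", 443, 8000),
    ("10.1.1.11", "93.184.216.34", 443, 9500),
    # one source to 40 internal hosts on 445: share scanning / password guessing
    *[("10.1.1.20", f"10.1.2.{i}", 445, 600) for i in range(1, 41)],
    # one source to 30 external hosts on 25: direct-to-MX spam bot
    *[("10.1.1.30", f"203.0.113.{i}", 25, 4000) for i in range(1, 31)],
    # 20 sources to one collector on 514: expected many-to-one (syslog)
    *[(f"10.1.1.{i}", "10.1.1.250", 514, 300) for i in range(40, 60)],
]

FANOUT_THRESHOLD = 20  # distinct destinations from one source (assumed)
FANIN_THRESHOLD = 15   # distinct sources to one destination (assumed)


def fan_out(flows):
    """Distinct destinations contacted by each source."""
    peers = defaultdict(set)
    for src, dst, _, _ in flows:
        peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def fan_in(flows):
    """Distinct sources talking to each destination."""
    peers = defaultdict(set)
    for src, dst, _, _ in flows:
        peers[dst].add(src)
    return {dst: len(srcs) for dst, srcs in peers.items()}


def dominant_port(flows, src):
    """Most common destination port for a source: tells you what kind of one-to-many."""
    ports = Counter(port for s, _, port, _ in flows if s == src)
    return ports.most_common(1)[0][0]


def classify(flows):
    """Apply the sending-perspective patterns from the slide.

    Returns (one_to_many, many_to_one).  one_to_many maps a source to
    (fan-out, dominant port); many_to_one maps a destination to fan-in.
    A many-to-one destination still needs a human to decide whether it is
    a syslog server or a DDoS victim, so it is reported, not judged.
    """
    one_to_many = {s: (n, dominant_port(flows, s))
                   for s, n in fan_out(flows).items() if n >= FANOUT_THRESHOLD}
    many_to_one = {d: n for d, n in fan_in(flows).items() if n >= FANIN_THRESHOLD}
    return one_to_many, many_to_one


def heavy_talkers(flows, k=2.0):
    """Sources sending more than mean + k*stdev bytes: the 'more than average' rule."""
    total = defaultdict(int)
    for src, _, _, nbytes in flows:
        total[src] += nbytes
    mu, sd = mean(total.values()), pstdev(total.values())
    return {src: b for src, b in total.items() if b > mu + k * sd}


if __name__ == "__main__":
    o2m, m2o = classify(FLOWS)
    print("one-to-many:", o2m)
    print("many-to-one:", m2o)
    print("heavy talkers:", heavy_talkers(FLOWS))
```

Note that the scanner on port 445 is not a heavy talker: it sends little per connection, which is why fan-out and byte volume are separate rules. A population snapshot like `heavy_talkers` is also easy to skew with one huge sender; comparing each host to its own documented baseline from the previous slide is the more reliable version of the same check.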
25. Wireshark
• Filtering
– Display filter: frame contains "search term"
• Flow – sequence of packets comprising a single communication segment
– Ex: connection, negotiation, file request, file delivery, checksum, acknowledgment, termination
– Flow record – subset of information from a flow, such as source and destination IP, protocol, date or time
26. Networkminer
• Traffic analysis tool
• Graphical breakdown of…
– Hosts
– Images
– Files
– Email
– DNS
– Sessions
27. Detecting bots
• Real-time NetFlow analyzer – SolarWinds free NetFlow tool
• Small Operation Center or MRTG – free SNMP/syslog server with dashboard
• Rootkit tools: RootkitRevealer, GMER
• Event log monitoring – Zenoss, AlienVault, Nagios, Splunk, Graylog
28. Event Logging
• Placement
– Perimeter
– VLAN or workgroup
– Wireless
– Choke points – maximize collection capacity within budget and the ability to process and analyze
– Minimize duplication
– Sync time
– Normalize
– Secure collector transmission pathways
29. Detecting bots - Darknet
• Network telescope (darknet) – collector on an
unused network address space that monitors
whatever it receives but does not communicate
back.
• Most traffic it receives is illegitimate; it reveals randomly scanning worms and Internet backscatter (replies such as SYN/ACKs that arrive because an attacker spoofed the darknet's addresses as the source of a flood).
• How to set up a darknet
http://www.team-cymru.org/Services/darknets.html
30. Detecting C&C
• Ourmon (Linux/FreeBSD tool) – detects network anomalies and correlates them with IRC channel traffic
• Stats generated every 30 s
• Application-layer analytics
• Claims from ourmon.sourceforge.net/
– Monitor TCP (syndump) and UDP (udpreport) flows
– Log all DNS query responses network-wide
– Measure basic network traffic statistically
– Catch "unexpected" mail relays
– Catch botnets
– Spot infections with random "zero-day" malware
– Spot attacks from the inside or outside
– See what protocols are taking up the most bandwidth
31. Detection – A/V and Anti-malware
• AVG (Grisoft) – free for home use
• Ad-Aware (Lavasoft) – free
• Repelit (itSoftware)
• McAfee
• Microsoft Security Essentials (free for up to 10 PCs)
• Symantec
• Spybot Search & Destroy – free
32. Prevention – Vulnerability scanning
• Vulnerability scanning – scan and fix vulnerabilities
found. Identify and protect machines that could be
potential bots.
– Nexpose
• Free for up to 32 IP
– OpenVAS (Vulnerability Assessment System)
• Linux
• VM available (resource intensive)
– Greenbone Desktop Suite (uses OpenVAS)
• Windows XP/Vista/7
– MBSA (Microsoft Baseline Security Analyzer)
– Secunia PSI (local Windows machine scanning only)
34. SIEM
• Security Information and Event Management
– Log aggregation
– Correlation
– Normalization
– Alerting
– Dashboards
– Views
– Compliance reports
– Retention
35. Prevention
• Read only virtual desktops
• Software
– Software restrictions and auditing
– Sandbox software before deployment
• Patch management
• NAC (Network Access Control) – A/V & patches
36. Response
• Incident response
– Determine scope
– Determine if it constitutes a breach and therefore
notification
– Analyze - Is any evidence needed?
– Clean the device
• After-action review
– Define improvement actions
– Assign responsibilities for actions
– Follow-up
37. Thanks
Enjoy the summit
Acknowledgements:
• Bot command tables obtained from “An Inside Look at Botnets” by
Vinod Yegneswaran
• The programs depicted in this presentation are owned by their
respective authors