Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
If organizations are truly working to limit Internet abuse and protect end users, we need to take a more thoughtful approach to botnet takedowns, or once again bots will rear their ugly heads.
There are three main causes of ineffective takedowns:
The organizations performing botnet takedowns do so in a haphazard manner.
The organizations do not account for secondary communication methods, such as peer-to-peer or domain generation algorithms (DGA) that may be used by the malware.
The takedowns do not result in the arrest of the malware actor.
So what does a successful botnet takedown actually look like? In his presentation on Botnet SmackDowns, Brian Foster, CTO of Damballa, will share with attendees how to effectively take down botnets for good. The only way botnet takedowns will have a lasting impact on end user safety is if security researchers use a comprehensive and systematic process that renders the botnet inoperable.
Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
1. Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
-Brian Foster, CTO Damballa
2. The Old Security Stack
Diagram axes: INFECTION RISK / BUSINESS RISK; Prevention / Detection / Response; ATTACK / INFECTION / DAMAGE / Forensics
Prevention controls: Firewall, IDS/IPS, Web Security, Email Security, Sandboxing, Host AV/IPS/FW
Detection and response: ALERT & LOGS -> SOC -> SIEM ("Single Pane of Glass")
Resource intensive, inefficient manual investigation efforts. “Is this alert real or a false positive?”
3. The New Security Stack
Diagram axes: INFECTION RISK / BUSINESS RISK; Prevention / Detection / Response; ATTACK / INFECTION / DAMAGE / Forensics
Prevention controls: NGFW, Endpoint, Containment, Sandboxing, Email Gateway; LEGACY: Host AV/IPS/FW
Detection and response: ALERT & LOGS -> SOC -> SIEM ("Single Pane of Glass")
Damballa fills the security gap between failed prevention and your incident response.
17. Notos’ Components
(Outline: Network and Zone Profile Clustering; Reputation Function; Results; Conclusions and Future Work)
Zone Based Clusters: 2nd Level Clustering Split Due to Zone Properties
[A]: ns6.b0e.ru 218.75.144.6
...
188.240.164.122.dalfihom.cn 218.75.144.6
0743f9.tvafifid.cn 218.75.144.6
ns5.bg8.ru 218.75.144.6
097.groxedor.cn 218.75.144.6
adelaide.zegsukip.cn 218.75.144.6
07d2c.fpibucob.cn 218.75.144.6
0c9.xyowijam.cn 218.75.144.6
ns6.b0e.ru 218.75.144.6
0678fc.yxbocws.cn 218.75.144.6
ns1.loverspillscalm.com 218.75.144.6
09071.tjqsjfz.cn 218.75.144.6
0de1f.wqutoyih.cn 218.75.144.6
katnzvv.cn 218.75.144.6
...
[B]: e752.p.akamaiedge.net 72.247.179.52
...
e882.p.akamaiedge.net 72.247.179.182
e707.g.akamaiedge.net 72.247.179.7
e867.g.akamaiedge.net 72.247.179.167
e747.p.akamaiedge.net 72.247.179.47
e732.g.akamaiedge.net 72.247.179.32
e932.g.akamaiedge.net 72.247.179.232
e752.p.akamaiedge.net 72.247.179.52
e729.g.akamaiedge.net 72.247.179.29
e918.p.akamaiedge.net 72.247.179.218
e831.p.akamaiedge.net 72.247.179.131
e731.p.akamaiedge.net 72.247.179.31
...
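The second-level split shown on slide 17, as an added illustration that is not Notos’ actual clustering code: network clusters are approximated by the /24 of the resolved IP, the zone by the last two labels, and the thresholds and the "split"/"single" verdicts are my own assumptions; the input is a subset of the slide’s two clusters.

```python
from collections import defaultdict

# Subset of the (domain, IP) pairs from clusters [A] and [B] on the slide.
PAIRS = [
    ("ns6.b0e.ru", "218.75.144.6"), ("188.240.164.122.dalfihom.cn", "218.75.144.6"),
    ("0743f9.tvafifid.cn", "218.75.144.6"), ("ns5.bg8.ru", "218.75.144.6"),
    ("097.groxedor.cn", "218.75.144.6"), ("adelaide.zegsukip.cn", "218.75.144.6"),
    ("katnzvv.cn", "218.75.144.6"),
    ("e752.p.akamaiedge.net", "72.247.179.52"), ("e882.p.akamaiedge.net", "72.247.179.182"),
    ("e707.g.akamaiedge.net", "72.247.179.7"), ("e867.g.akamaiedge.net", "72.247.179.167"),
    ("e747.p.akamaiedge.net", "72.247.179.47"), ("e732.g.akamaiedge.net", "72.247.179.32"),
]

def zone(name):
    """Registered-zone approximation: the last two labels (no public suffix list)."""
    return ".".join(name.lower().strip(".").split(".")[-2:])

def network_clusters(pairs):
    """First level (assumed): group domains by the /24 of the IP they resolved to."""
    groups = defaultdict(list)
    for name, ip in pairs:
        groups[".".join(ip.split(".")[:3]) + ".0/24"].append(name)
    return groups

def zone_properties(names):
    """Illustrative zone features: how many distinct zones share the network
    cluster, how dominant the most common zone is, and which TLDs appear."""
    zones = [zone(n) for n in names]
    dominant = max(set(zones), key=zones.count)
    return {"distinct_zones": len(set(zones)),
            "dominant_share": zones.count(dominant) / len(zones),
            "tlds": sorted({z.rsplit(".", 1)[1] for z in zones})}

def second_level_split(pairs, max_zones=3, min_share=0.5):
    """Second level: a /24 cluster whose domains spread over many unrelated
    zones is flagged 'split' (cluster [A]); a cluster dominated by a single
    zone, such as a CDN (cluster [B]), is kept as 'single'."""
    result = {}
    for net, names in network_clusters(pairs).items():
        p = zone_properties(names)
        p["verdict"] = ("split" if p["distinct_zones"] > max_zones
                        and p["dominant_share"] < min_share else "single")
        result[net] = p
    return result
```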
18. RZA - Motivation
• Takedowns are: ad-hoc, of arguable success, are
performed without oversight
• System goal: add rhyme/reason to takedowns
– evaluate previous takedown attempts, and
– recommend and inform on/for future takedowns
19. RZA - Datasets
• Large passive DNS (pDNS) database
– pDNS stores historic assignments between IPs/domains
– ~3 years of visibility
• Implement RHDN/RHIP operations
• Source: major NA ISP, other customers
• Data also in Hadoop for large-scale processing
• Malware MD5 <-> domain name mapping
20. RZA - Overview
Pipeline (numbered as in the diagram):
1. Infrastructure Enumeration (pDNS): seed domains -> Enumerated Domains (De)
2. Domain Reputation: -> Low Reputation Domains (Dr)
3. Domain & MD5 Association (Malware DB, MD5s): -> Malware-related Domains (Dm)
4. Malware Interrogation: -> Interrogated Domains (Di), Malware Backup Plan
5a. Postmortem Report
5b. Takedown Recommendation
Ds: seed domains
De: enumerated domains
Dr: low reputation domains
Dm: malware-related domains
Di: malware interrogation domains
21. RZA – Malware Interrogation
• Manipulate fundamental protocol packets to convince malware its primary network asset is unavailable
– DNS and TCP
– Easy to add additional protocols
• If malware is presented with unavailable infrastructure:
– Retries hardcoded IPs/domains,
– Tries to reach a finite set of IPs/domains, or
– Tries to reach an infinite set of IPs/domains (DGA/P2P)
27. RZA – Malware Interrogation
• Game malware to present primary infrastructure failure
• DNS/TCP packet manipulation (NXDomain/TCP RST)
• Automatically determine backup behaviors
(Diagram: Host running VM1 ... VMn behind gateways G1 ... Gn, plus VM0 behind Gnull; Host connected to the Internet)
28. RZA – Malware Interrogation
• Simple heuristics to determine malware behavior
• Fake domain-level and IP-level takedowns
– Forge all non-white DNS responses -> NXDomain
• Alexa top 10K
– Forge all non-white TCP connections -> TCP reset
• IPs derived from Alexa top 10K
• Five analysis scenarios:
– Vanilla run
– DNS whitelist for time t
– DNS whitelist for time 2t
– IP whitelist for time t
– IP whitelist for time 2t
29. RZA – Takedown Recommendation
Enumerate Infrastructure (Input: {Ds}) -> Interrogate Malware (Input: {De U Di}) -> Classify Malware Behavior:
– No Behavioral Changes, or Finite Domains/IPs: 1.) Revoke D
– P2P: 1.) Counter P2P; 2.) Revoke D
– DGA: 1.) Reverse engineer DGA; 2.) TLD cooperation; 3.) Revoke D
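The interrogation heuristics of slides 21 and 28 together with the recommendation logic of slide 29, as an added worked example that is not the talk’s or Damballa’s RZA code. It assumes the sandbox already produced per-run lists of (kind, target) attempts; the allowlists stand in for the Alexa top 10K lists, and the thresholds and sample logs are constructed.

```python
# Constructed allowlists standing in for the slides' "Alexa top 10K" domains
# and the IPs derived from them (hypothetical values).
ALLOW_DOMAINS = {"google.com", "microsoft.com"}
ALLOW_IPS = {"198.51.100.1", "198.51.100.2"}

def forge_response(kind, target):
    """Gateway decision for one request while faking a takedown:
    non-allowlisted DNS queries get NXDOMAIN, non-allowlisted TCP
    connections get a RST; allowlisted traffic passes untouched."""
    if kind == "dns":
        zone = ".".join(target.lower().rstrip(".").split(".")[-2:])
        return "PASS" if zone in ALLOW_DOMAINS else "NXDOMAIN"
    return "PASS" if target in ALLOW_IPS else "RST"

def classify_backup(vanilla, blocked, infinite_threshold=20):
    """Simple heuristic over two sandbox logs (lists of (kind, target)):
    the vanilla run and the run with primary infrastructure made
    unavailable. Returns the backup behaviour class from the slides."""
    seen = set(vanilla)
    fresh = {t for t in blocked if t not in seen}
    if not fresh:
        return "no_change"      # only retries hard-coded domains/IPs
    new_names = {t for k, t in fresh if k == "dns"}
    new_ips = {t for k, t in fresh if k == "tcp"}
    if len(new_names) >= infinite_threshold:
        return "dga"            # unbounded stream of fresh domain names
    if len(new_ips) >= infinite_threshold:
        return "p2p"            # unbounded stream of fresh peer IPs, no DNS
    return "finite"             # a bounded fallback list

PLAN = {  # takedown steps per class, as on the recommendation slide
    "no_change": ["Revoke D"],
    "finite": ["Revoke D"],
    "p2p": ["Counter P2P", "Revoke D"],
    "dga": ["Reverse engineer DGA", "TLD cooperation", "Revoke D"],
}

def recommend(vanilla, blocked):
    cls = classify_backup(vanilla, blocked)
    return cls, PLAN[cls]

# Constructed sample logs (hypothetical): a C&C on cc.example.net with a
# DGA fallback that yields a fresh .example.org name on every retry.
VANILLA = [("dns", "cc.example.net"), ("tcp", "203.0.113.10")]
DGA_RUN = VANILLA + [("dns", f"{i:05x}.example.org") for i in range(30)]
RETRY_RUN = VANILLA * 5

if __name__ == "__main__":
    print(forge_response("dns", "cc.example.net"))   # NXDOMAIN
    print(recommend(VANILLA, DGA_RUN))
    print(recommend(VANILLA, RETRY_RUN))
```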
30. Target Which Sets?
(Venn diagram of the sets De, Di, Ds, Dm, Dr)
Ds: seed domains
De: enumerated domains
Dr: low reputation domains
Dm: malware-related domains
Di: malware interrogation domains
31. RZA – Studies
• Postmortem study: analysis of Kelihos, ZeuS, and 3322.org/Nitol takedowns
– Use lookup volume to show activity to infrastructure
• Takedown study: analysis of 45 active botnet C&Cs
– Can we take them down?
35. RZA – Takedown Study
• Of the 45 botnets:
– 2 had DGA-based backup mechanism
– 1 had P2P-based backup mechanism
– 42 susceptible to DNS-only takedown
36. Policy Discussion
• Current drawbacks to takedowns
– ad-hoc
– Little oversight
– Arguable success
• All point to need for central authority
– ICANN’s UDRP/URS as example frameworks
• Criteria for takedown
• More eyes = more successes
• Test with new TLDs (much like w/ URS)
Damballa Enables Organizations to:
Rapidly identify active threats
With 100% certainty
Without triage efforts or delays
Independent of having a malware sample
Regardless of malware type, infection vector or source
As a Breach Resistant Organization You Can:
Quickly and efficiently stop real losses
Find previously undetected threats
Remove the threats that can cause losses NOW
Increase efficiency, and effectiveness by eliminating alert chasing
Dramatically reduce overall risk