1. The Bot Stops Here:
Removing the BotNet Threat
Eric Vanderburg
JurInnov, Ltd.
April 25, 2012
© 2012 JurInnov Ltd. All Rights Reserved.
2. Presentation Overview
• The Internet is always attacking you but are you
attacking the Internet?
• Botnet overview
• Defining the threat
• Command and Control servers
• Propagation
• Detection
• Prevention
• Response
3. Botnet Overview
• Bot
– Program that performs automated tasks
– Remote controlled
– AKA: zombie or drone
• Botnet – collection of bots remotely controlled
and working together to perform tasks
• Bot herder – bot master
4. Facts
• 40% of infected machines have 1 or more bots
• Zeus bot is responsible for losses greater than
$100 million
2011 Damballa threat report
SC Magazine, April 2012
5. Why are universities particularly susceptible?
• Lack of control over machines
• Silos for research or classroom projects
• A culture of information sharing with minimal
boundaries and controls
• Heavy recreational use of network resources
including P2P, chat, IRC, games, and social
networking.
• Ideal target for attackers
– many hosts
– large Internet pipe
– Mail and other tempting services
6. Threat defined – What is done with botnets?
• DDoS
• Spam
• Distribute copyrighted material
– Torrents
• Data mining
• Hacking
• Spread itself
7. History
[Timeline figure; the per-bot annotations did not survive extraction in readable order. Bots shown, by year of appearance: 1999 Pretty Park, SubSeven; 2000 GTBot; 2002 SDBot, AgoBot; 2003 SpyBot, RBot; 2004 PolyBot; 2005 MyTob; 2006 Rustock; 2007 Zeus, Cutwail, Storm; 2008 Mariposa (Butterfly), TDSS; 2009 Koobface. Recurring themes in the annotations: IRC used for C&C and updates, DDoS, spam, keylogging, email harvesting, rootkits to hide, encryption and polymorphism to evade detection, fast-flux C&C DNS, and delivery via email, P2P, social networking, and Trojans embedded in software.]
9. Life Cycle
• Exploit
• Rally
• Preserve
• Inventory
• Await instructions
• Update
• Execute
• Report
• Clean up
Agobot host control commands
• Preserve
– Alter A/V DLLs
– Modify Hosts file to prevent A/V updates
– Remove default shares (IPC$,
ADMIN$, C$)
– Rootkit
– Encrypt
– Polymorph
– Retrieve Anti-A/V module
– Turn off A/V or firewall services
– Kill A/V, firewall or debugging processes
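One way to check for the hosts-file tampering listed above, as an added example that is not part of the presentation: the vendor update hostnames (`WATCHED_NAMES`) and the sample hosts file are constructed placeholders, so substitute the real update hosts of the A/V and OS products you run.

```python
"""Flag hosts-file entries that pin A/V or update hostnames to a local
address, the "modify Hosts file to prevent A/V updates" trick listed under
Preserve. Added example (not from the presentation); domain names are
placeholders and the sample file is constructed."""
import ipaddress

# Addresses used to black-hole a name (constructed list).
SINK_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Update hostnames that should never need a static mapping. Placeholders;
# replace with the update hosts of the A/V and OS vendors you actually run.
WATCHED_NAMES = {
    "update.example-av.test",
    "liveupdate.example-av.test",
    "download.example-os.test",
}

SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
127.0.0.1   update.example-av.test      # injected by malware
0.0.0.0     liveupdate.example-av.test  # injected by malware
198.51.100.9 download.example-os.test   # redirected to an attacker-chosen host
10.0.0.5    intranet.example.test       # legitimate local entry
not-an-ip   garbage
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments, blanks and malformed
    lines are skipped rather than allowed to abort the scan."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            yield addr, name.lower()


def find_tampered_entries(text, watched=WATCHED_NAMES, sinks=SINK_ADDRS):
    """Return sorted (hostname, address, kind) for every watched name that
    has a static mapping. kind is "blackhole" when the address is a sink,
    "redirect" otherwise; a watched name should appear here at all only
    if someone edited the file."""
    hits = set()
    for addr, name in parse_hosts(text):
        if name in watched:
            kind = "blackhole" if addr in sinks else "redirect"
            hits.add((name, addr, kind))
    return sorted(hits)


if __name__ == "__main__":
    for name, addr, kind in find_tampered_entries(SAMPLE_HOSTS):
        print(f"{kind:9s} {name} -> {addr}")
```

Any mapping at all for an update hostname is reported, not only loopback ones, because a redirect to an attacker-chosen address defeats updates just as well as a black hole.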
<preserve>
<pctrl.kill "Mcdetect.exe"/>
<pctrl.kill "avgupsvc.exe"/>
<pctrl.kill "avgamsvr.exe"/>
<pctrl.kill "ccapp.exe"/>
</preserve>
12. Propagation
• Scan for windows shares and guess passwords
($PRINT, C$, D$, E$, ADMIN$, IPC$) – find
usernames, guess passwords from list
– Remember to use strong passwords
Agobot propagation functions
13. Propagation
• Use backdoors from common trojans
• P2P – makes files available with enticing names
hoping to be downloaded. File names consist of
celebrity or model names, games, and popular
applications
• Social networking – Facebook posts or messages
that provide a link (Koobface worm)
14. Propagation
• SPIM
– Message contact list
– Send friend requests to contacts from email lists or
harvested IM contacts from the Internet
• Email
– Harvests email addresses from ASCII files such as
html, php, asp, txt and csv
– Uses its own SMTP engine and guesses the mail server by
putting mx, mail, smtp, mx1, mail1, relay or ns in
front of the domain name.
15. Command and Control
• C&C or C2
• Networked with redundancy
• Dynamic DNS with short TTL for C&C IP
(weakness is the DNS, not the C&C server)
• Daily rotating encrypted C&C hostnames
• Alternate control channels (Ex: Researchers in
2004 redirected C&C to monitoring server)
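The short-TTL, rotating-hostname pattern described above can be triaged from DNS response logs. The following is an added example, not from the presentation; the log format, domain names and thresholds are assumptions. A low TTL on its own is also normal for CDNs, so the check additionally requires the answers to be spread across several /24 networks within one window.

```python
"""Triage DNS response logs for names whose A records change quickly:
short TTLs plus many distinct addresses in a short window, the dynamic
DNS / fast-flux pattern behind rotating C&C hostnames. Added example, not
from the presentation; the log format and names are constructed."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed log lines: "<timestamp> <client> <qname> <qtype> <answer> ttl=<seconds>"
SAMPLE_DNS_LOG = """\
2012-04-25T09:00:01 10.1.2.3 www.example-cdn.test A 203.0.113.10 ttl=60
2012-04-25T09:05:01 10.1.2.3 www.example-cdn.test A 203.0.113.11 ttl=60
2012-04-25T09:00:02 10.1.2.7 u4x9.example-bad.test A 198.51.100.5 ttl=30
2012-04-25T09:01:02 10.1.2.7 u4x9.example-bad.test A 198.51.100.77 ttl=30
2012-04-25T09:02:02 10.1.2.7 u4x9.example-bad.test A 192.0.2.200 ttl=30
2012-04-25T09:03:02 10.1.2.7 u4x9.example-bad.test A 192.0.2.9 ttl=30
2012-04-25T09:04:02 10.1.2.9 u4x9.example-bad.test A 198.51.100.140 ttl=30
2012-04-25T09:00:03 10.1.2.8 mail.example-univ.test A 192.0.2.25 ttl=86400
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, qname, qtype, answer, ttl = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "qname": qname.lower().rstrip("."),
        "qtype": qtype,
        "answer": answer,
        "ttl": int(ttl.split("=", 1)[1]),
    }


def flux_candidates(log_text, max_ttl=300, min_ips=4, min_prefixes=2, window_s=3600):
    """Return sorted (qname, distinct_ips, distinct_/24s, max_ttl) for names
    that, within one observation window, answered with at least min_ips
    addresses spread over at least min_prefixes /24 networks, all with
    TTL <= max_ttl. CDNs also use short TTLs, so the prefix spread and
    the address count are what separate them from one round-robin pool."""
    per_name = defaultdict(lambda: {"ips": set(), "max_ttl": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["qtype"] != "A":
            continue
        ent = per_name[rec["qname"]]
        ent["ips"].add(rec["answer"])
        ent["max_ttl"] = max(ent["max_ttl"], rec["ttl"])
        ent["first"] = rec["ts"] if ent["first"] is None else min(ent["first"], rec["ts"])
        ent["last"] = rec["ts"] if ent["last"] is None else max(ent["last"], rec["ts"])
    out = []
    for name, ent in per_name.items():
        span = (ent["last"] - ent["first"]).total_seconds()
        prefixes = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ent["ips"]}
        if (span <= window_s and ent["max_ttl"] <= max_ttl
                and len(ent["ips"]) >= min_ips and len(prefixes) >= min_prefixes):
            out.append((name, len(ent["ips"]), len(prefixes), ent["max_ttl"]))
    return sorted(out)


if __name__ == "__main__":
    for name, n_ips, n_prefixes, ttl in flux_candidates(SAMPLE_DNS_LOG):
        print(f"{name}: {n_ips} addresses in {n_prefixes} /24s, TTL {ttl}s")
```

The output is a triage list, not a verdict: confirm a candidate by looking at which internal clients resolved it and what they did with the answers.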
16. Command and Control
– Web or FTP server
• instructions in a file users download
• Bots report in and hacker uses connection log to know which
ones are live
• Bots tracked in URL data
• Commands sent via push or pull method
– Peer-to-peer – programming can be sent from any
peer and discovery is possible from any peer so the
network can be disrupted without the C&C server.
– Social networking
– Instant Messaging
17. Botnet commands - Agobot
• Commands are sent as PRIVMSG, NOTICE or TOPIC IRC messages
18. Detecting bots
• Monitor port statistics on network equipment and
alert when machines utilize more than average
– Gather with SNMP, NetFlow, or first-stage probes (sniffers)
attached to mirrored ports on switches.
• Wireshark
• Real-time NetFlow analyzer – SolarWinds free NetFlow
tool
• Small Operation Center or MRTG – free
SNMP/syslog server with dashboard
• SNARE – event log monitoring (Linux & Windows
agents)
19. Detecting bots - Stager
• Stager (latest version 4.1)
– Monitors network statistics using NetFlow, based on nfdump.
https://trac.uninett.no/stager
20. Detecting bots - Firewall
• ASDM – Cisco ASA and PIX
21. Detecting bots - Darknet
• Network telescope (darknet) – collector on an
unused network address space that monitors
whatever it receives but does not communicate
back.
• Most traffic it receives is illegitimate and it can
find random scanning worms and internet
backscatter (unsolicited commercial or network
control messages).
• How to set up a darknet
http://www.team-cymru.org/Services/darknets.html
22. Detecting C&C
• Ourmon (Linux/FreeBSD tool) – detects network
anomalies and correlates them with IRC channel traffic.
• Stats generated every 30 sec
• Application layer analytics
• Claims from ourmon.sourceforge.net/
– Monitor TCP (syndump) and UDP (udpreport) flows
– Log all DNS query responses network wide
– Measure basic network traffic statistically
– Catch "unexpected" mail relays
– Catch botnets
– Spot infections with random "zero-day" malware
– Spot attacks from the inside or outside
– See what protocols are taking up the most bandwidth
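The per-host "more than average" port statistics from slide 18 and the Ourmon-style checks above (unexpected mail relays, correlation with IRC traffic) come down to the same aggregation over flow records. Here is an added example of that aggregation, not from the presentation or from any of the tools it names; the flow records, the known-relay address and the IRC port list are constructed assumptions.

```python
"""Per-host outbound flow statistics from NetFlow-style records: flag hosts
whose flow count is well above the campus average, hosts relaying SMTP that
are not the known mail server, and hosts talking IRC (the channel Ourmon
correlates anomalies with). Added example, not from the presentation or from
any tool it names; the flow records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

KNOWN_MAIL_RELAYS = {"10.1.1.100"}   # assumption: the campus MTA
IRC_PORTS = {6667, 6697}             # common IRC ports seen in bot C&C
SMTP_PORT = 25


def constructed_flows():
    """Deterministic sample of outbound flows as (src, dst, dport, bytes):
    twenty ordinary web clients, one legitimate mail relay, and one host
    spraying SMTP at many destinations while holding an IRC connection."""
    flows = []
    for i in range(10, 30):
        flows.append((f"10.1.1.{i}", "203.0.113.5", 80, 4000))
        flows.append((f"10.1.1.{i}", "203.0.113.6", 443, 9000))
    for i in range(3):
        flows.append(("10.1.1.100", f"198.51.100.{i}", 25, 2000))
    for i in range(1, 61):
        flows.append(("10.1.1.50", f"198.51.100.{i}", 25, 1200))
    for _ in range(5):
        flows.append(("10.1.1.50", "192.0.2.66", 6667, 300))
    return flows


def per_host_stats(flows):
    """Aggregate flows, bytes, distinct destinations, SMTP and IRC flow
    counts per source host."""
    stats = defaultdict(lambda: {"flows": 0, "bytes": 0, "dsts": set(), "smtp": 0, "irc": 0})
    for src, dst, dport, nbytes in flows:
        s = stats[src]
        s["flows"] += 1
        s["bytes"] += nbytes
        s["dsts"].add(dst)
        if dport == SMTP_PORT:
            s["smtp"] += 1
        if dport in IRC_PORTS:
            s["irc"] += 1
    return stats


def find_suspects(flows, sigma=2.0, known_relays=KNOWN_MAIL_RELAYS):
    """Return sets of hosts per finding. "high_volume" uses mean + sigma
    standard deviations of the per-host flow count as the alert line;
    "correlated" is the Ourmon-style intersection of high volume and IRC,
    the strongest single indicator in this data."""
    stats = per_host_stats(flows)
    counts = [s["flows"] for s in stats.values()]
    threshold = mean(counts) + sigma * pstdev(counts)
    report = {"high_volume": set(), "unexpected_relay": set(), "irc": set()}
    for host, s in stats.items():
        if s["flows"] > threshold:
            report["high_volume"].add(host)
        if s["smtp"] and host not in known_relays:
            report["unexpected_relay"].add(host)
        if s["irc"]:
            report["irc"].add(host)
    report["correlated"] = report["high_volume"] & report["irc"]
    return report


if __name__ == "__main__":
    for finding, hosts in find_suspects(constructed_flows()).items():
        print(f"{finding:17s} {sorted(hosts)}")
```

The mean-plus-sigma line only works with enough ordinary hosts in the population; with a handful of hosts a single outlier cannot exceed two standard deviations, so on a small segment compare against a multiple of the median instead.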
23. Prevention – Vulnerability scanning
• Vulnerability scanning – scan and fix vulnerabilities
found. Identify and protect machines that could be
potential bots.
– Nexpose
• Free for up to 32 IP
– OpenVAS (Vulnerability Assessment System)
• Linux
• VM available (resource intensive)
– Greenbone Desktop Suite (uses OpenVAS)
• Windows XP/Vista/7
– MBSA (Microsoft Baseline Security Analyzer)
– Secunia PSI (local Windows machine scanning only)
24. Prevention – A/V and Anti-malware
• AVG (Grisoft) – free for home use
• Ad-Aware (Lavasoft) – free
• Repelit (itSoftware)
• McAfee
• Microsoft Security Essentials (free for up to 10 PCs)
• Symantec
• Spybot Search and Destroy – free
25. Prevention
• Personal firewall
• Firewall
– SmoothWall
– M0n0wall
• IPS/IDS
– Snort – Network IDS
• BASE – web front-end for Snort
– OSSEC – Host IDS
• Web filtering
• SPAM filtering (incoming & outgoing)
• Disable VPN split tunnel
26. Prevention
• Read only virtual desktops
• Software
– Software restrictions and auditing
– Sandbox software before deployment
• Patch management
• NAC (Network Access Control) – A/V & patches
27. Response
• Incident response
– Determine scope
– Determine if it constitutes a breach and therefore
notification
– Analyze - Is any evidence needed?
• Toolkit
– Process Monitor
– Rootkit Revealer
– Hiren BootCD 15.1 has a variety of tools
(http://www.hiren.info/pages/bootcd)
– Clean the device
28. Thanks
Enjoy the summit
Acknowledgements:
• Bot command tables obtained from “An Inside Look at Botnets” by
Vinod Yegneswaran
• The programs depicted in this presentation are owned by their
respective authors
Editor's notes
40% fact: http://www.damballa.com/downloads/r_pubs/Damballa_Threat_Report-First_Half_2011.pdf
Zeus bot stat: http://krebsonsecurity.com/2012/03/microsoft-takes-down-dozens-of-zeus-spyeye-botnets/
http://pages.cs.wisc.edu/~pb/botnets_final.pdf