eradicate the bots in the belfry - information security summit - eric vanderburg


Page 1: Eradicate the Bots in the Belfry

© 2012 JurInnov Ltd. All Rights Reserved.

Eric Vanderburg, JurInnov, Ltd.

October 26, 2012

Page 2: Presentation Overview

• The Internet is always attacking you, but are you attacking the Internet?

• Botnet overview
• Defining the threat
• Command and Control servers
• Propagation
• Detection
• Prevention
• Response

Page 3: Botnet Overview

• Bot
  – Program that performs automated tasks
  – Remote controlled
  – AKA: zombie or drone

• Botnet – collection of bots remotely controlled and working together to perform tasks

• Bot herd – a subset of the botnet that is allocated to an entity or project

• Bot herder – bot master

Page 4: Threat defined

• Over 200 million bots worldwide
• 12% of bots active
• Half a million infected each day to maintain herd
• Botnets rented: ($90/day, $15/hr DDoS bot)

Page 5: Threat defined – What is done with botnets?

• DDoS
• Spam
• Distribute copyrighted material
• Data mining
• Hacking / Hacktivism
• Fraud
  – Click fraud
  – Ebay feedback
  – Pump & Dump
• Covert communication

Page 6: Criminal approach

• Data collection
  – Collect financial data (file scan, HTML injection)
  – Harvest usernames and passwords

• Monetization
  – Raid accounts
  – Fraud

• Laundering
  – Recruit money mules
  – Bounce money from account to account

Page 7: History

1999 Pretty Park
• Used IRC for C&C & updates
• ICQ & email harvesting
• DoS

1999 SubSeven
• Used IRC for C&C
• Keylogger
• Admin shell access

2000 GTBot
• Bounce (relay) IRC traffic
• Port scan
• DDoS
• Delivery: email

2002 SDBot
• Keylogger
• Delivery: WebDav and MSSQL vulnerabilities, DameWare remote mgmt software, password guessing on common MS ports & common backdoors

2002 AgoBot
• Modular design
• DDoS
• Hides with rootkit tech
• Turns off antivirus
• Modifies hosts file
• Delivery: P2P (Kazaa, Grokster, BearShare, Limewire)

2003 SpyBot
• Builds on SDBot
• Customizable to avoid detection
• DDoS, Keylogger, web form collection, clipboard logging, webcam capture
• Delivery: SDBot + P2P

2003 RBot
• Encrypts itself
• Admin shell access

2004 PolyBot
• Builds on AgoBot
• Polymorphs through encrypted encapsulation

2005 MyTob
• DDoS, Keylogger, web form collection, webcam capture
• Delivery: email spam using MyDoom w/ own SMTP server

2006 Rustock
• Spam, DDoS
• Uses rootkit to hide
• Encrypts spam in TLS
• Robust C&C network (over 2500 domains)
• Delivery: email

2007 Storm
• Spam
• Dynamic fast flux C&C DNS
• Malware re-encoded twice/hr
• Defends itself with DDoS
• Sold and "licensed"
• Delivery: Email enticement for free music

2007 Zeus
• Phishing w/ customizable data collection methods
• Web based C&C
• Stealthy and difficult to detect
• Sold and "licensed" to hackers for data theft
• Delivery: Phishing, Social Networking

2007 Cutwail
• Spam, DDoS
• Harvests email addresses
• Rootkit
• Delivery: Email

2008 Mariposa (Butterfly)
• Rented botnet space for spam, DDoS, and theft of personal information
• Delivery: MSN, P2P, USB

2008 TDSS
• Sets up a proxy that is rented to others for anonymous web access
• Delivery: Trojan embedded in software

2009 Koobface
• Installs pay-per-install malware
• Delivery: Social Networking

[Timeline figure: 1999 to 2009]

Page 8: Customizing a bot with AgoBot GUI

[Figure: example of the AgoBot GUI used to customize the bot]

Page 9: Life Cycle

• Exploit
  – Malicious code
  – Unpatched vulnerabilities
  – Trojan
  – Password guessing
  – Phish

• Rally - Reporting in
  – Log into designated IRC channel and PM master
  – Make connection to http server
  – Post data to FTP or http form

[Life cycle diagram: Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up]

Page 10: Life Cycle

• Preserve
  – Alter A/V dll's
  – Modify Hosts file to prevent A/V updates
  – Remove default shares (IPC$, ADMIN$, C$)
  – Rootkit
  – Encrypt
  – Polymorph
  – Retrieve Anti-A/V module
  – Turn off A/V or firewall services
  – Kill A/V, firewall or debugging processes

<preserve>
  <pctrl.kill "Mcdetect.exe"/>
  <pctrl.kill "avgupsvc.exe"/>
  <pctrl.kill "avgamsvr.exe"/>
  <pctrl.kill "ccapp.exe"/>
</preserve>

Page 11: Life Cycle

Agobot host control commands

Command              Description
harvest.cdkeys       Return a list of CD keys
harvest.emails       Return a list of emails
harvest.emailshttp   Return a list of emails via HTTP
harvest.aol          Return a list of AOL specific information
harvest.registry     Return registry information for a specific registry path
harvest.windowskeys  Return Windows registry information
pctrl.list           Return list of all processes
pctrl.kill           Kill specified processes set from a service file
pctrl.listsvc        Return a list of all services that are running
pctrl.killsvc        Delete/stop a specified service
pctrl.killpid        Kill specified process
inst.asadd           Add an autostart entry
inst.asdel           Delete an autostart entry
inst.svcadd          Add a service to SCM
inst.svcdel          Delete a service from SCM

Page 12: Life Cycle

• Inventory
  – Determine capabilities such as RAM, HDD, Processor, Bandwidth, and pre-installed tools
• Await instructions from C&C server
• Update
  – Download payload/exploit
  – Update C&C lists

Page 13: Life Cycle

• Execute commands
  – DDoS
  – Spam
  – Harvest emails
  – Keylog
  – Screen capture
  – Webcam stream
  – Steal data
• Report back to C&C server
• Clean up - Erase evidence

Page 14: Propagation

• Scan for Windows shares and guess passwords ($PRINT, C$, D$, E$, ADMIN$, IPC$)
  – Find usernames, guess passwords from list
  – Remember to use strong passwords

[Figure: Agobot propagation functions]

Page 15: Propagation

• Use backdoors from common trojans
• P2P – makes files available with enticing names hoping to be downloaded. File names consist of celebrity or model names, games, and popular applications
• Social networking – Facebook posts or messages that provide a link (Koobface worm)

Page 16: Propagation

• SPIM
  – Message contact list
  – Send friend requests to contacts from email lists or harvested IM contacts from the Internet
• Email
  – Harvests email addresses from ASCII files such as html, php, asp, txt and csv
  – Uses own SMTP engine and guesses the mail server by putting mx, mail, smtp, mx1, mail1, relay or ns in front of the domain name.

Page 17: Command and Control

• C&C or C2
• Networked with redundancy
• Dynamic DNS with short TTL for C&C IP (weakness is the DNS, not the C&C server)
• Daily rotating encrypted C&C hostnames
• Alternate control channels
• Average lifespan: 2 months
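The slide lists short TTLs and rotating hostnames as C&C properties and notes that the DNS is the weak point. The Python below is an added example, not code from the slides or from any tool named in them: it reads constructed DNS response log lines (the column layout, the names and the RFC 5737 addresses are all assumptions made for the example), flags names whose answers carry a short TTL and rotate across several unrelated /16s, and then lists the internal clients that resolved them, which is the list a responder actually wants.

```python
"""Spot names whose DNS answers behave like fast-flux C&C: short TTLs and a set
of A records that rotates across unrelated networks. Added example on constructed
log lines; not part of the original slides or of any tool they mention."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed DNS response log: epoch, client, queried name, TTL, A record.
# The column layout is assumed for this example; real resolvers and sensors
# (the "log all DNS query responses" feature the deck mentions) each have their own.
SAMPLE_DNS_LOG = """\
1351209600 10.0.0.21 cdn.example.net 3600 198.51.100.10
1351209660 10.0.0.22 cdn.example.net 3600 198.51.100.10
1351209700 10.0.0.21 upd4te.example.org 60 203.0.113.5
1351209760 10.0.0.21 upd4te.example.org 60 203.0.113.77
1351209820 10.0.0.23 upd4te.example.org 60 198.51.100.200
1351209880 10.0.0.21 upd4te.example.org 60 192.0.2.14
1351209940 10.0.0.21 upd4te.example.org 60 203.0.113.91
1351210000 10.0.0.24 mail.example.com 300 192.0.2.25
1351210060 10.0.0.24 mail.example.com 300 192.0.2.26
"""


@dataclass
class NameStats:
    answers: set = field(default_factory=set)   # distinct A records seen for the name
    clients: set = field(default_factory=set)   # internal hosts that resolved it
    min_ttl: int = 10**9                        # shortest TTL observed
    responses: int = 0


def parse_dns_log(text):
    """Aggregate response lines per queried name."""
    stats = defaultdict(NameStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, name, ttl, answer = line.split()
        s = stats[name.lower()]
        s.answers.add(answer)
        s.clients.add(client)
        s.min_ttl = min(s.min_ttl, int(ttl))
        s.responses += 1
    return stats


def distinct_nets(answers, prefix_octets=2):
    """Count distinct /16s among the answers. A CDN pool usually lives in one or
    two netblocks; flux nodes are compromised hosts scattered across many."""
    return len({".".join(a.split(".")[:prefix_octets]) for a in answers})


def find_fast_flux(text, max_ttl=300, min_answers=3, min_nets=2):
    """Names with a short TTL, several distinct answers, spread over several networks."""
    hits = []
    for name, s in parse_dns_log(text).items():
        nets = distinct_nets(s.answers)
        if s.min_ttl <= max_ttl and len(s.answers) >= min_answers and nets >= min_nets:
            hits.append((name, s.min_ttl, len(s.answers), nets))
    return sorted(hits)


def clients_of(text, names):
    """Internal hosts that resolved any flagged name: the machines to look at first."""
    stats = parse_dns_log(text)
    return sorted(set().union(*(stats[n].clients for n in names)) if names else [])


if __name__ == "__main__":
    flagged = find_fast_flux(SAMPLE_DNS_LOG)
    for name, ttl, n_ips, n_nets in flagged:
        print(f"{name}: ttl={ttl}s answers={n_ips} networks={n_nets}")
    print("clients:", clients_of(SAMPLE_DNS_LOG, [f[0] for f in flagged]))
```

The thresholds are deliberately loose; legitimate CDNs also use low TTLs, so the distinct-network test is what separates them in this example, and in practice the hit list is a triage queue rather than a verdict.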

Page 18: Command and Control

• IRC
• Peer-to-peer – programming can be sent from any peer and discovery is possible from any peer, so the network keeps working without a central C&C server.
• Social networking
• Instant Messaging

Page 19: Command and Control

• Web or FTP server
  – Instructions in a file users download
  – Bots report in and hacker uses connection log to know which ones are live
  – Bots tracked in URL data
  – Commands sent via pull instead of push
  – No constant connection
  – Check-in might match signature
  – Better scalability – web server can handle more connections than IRC
  – Port 80 not blocked and not unusual activity

Page 20: Trends

• Hackers
  – Mostly about money instead of notoriety (hacktivism excluded)
  – Staying under the radar
• Smaller herds
• Fewer propagation methods
• Web based C&C
• Government and Terrorist
  – Aimed at taking down critical services or disrupting business

Page 21: Detecting bots

• Monitor port statistics on network equipment and alert when machines utilize more than average
  – Gather with SNMP, netflow, or first stage probes (sniffers) attached to port-mirrored ports on switches.
• Firewall statistics
• IPS/IDS reports

Page 22: Baseline

• Document
  – Network Schematic
  – Server roles
• Destination IP addresses
• Ports
• Protocols
• Volume of data and directionality

Page 23: Quick and Fast Rules

• Compromised hosts generally send out more information
• Patterns (sending perspective)
  – Many-to-one – DDoS, Syslog, data repository, email server
  – One-to-many – web server, email server, SPAM bot, warez, port scanning
  – Many-to-many – P2P, virus infection
  – One-to-one – normal communication, targeted attack

Page 24: Wireshark

[Screenshot: Wireshark window panes – Packet list, Packet details, Packet bytes]

Page 25: Wireshark

• Filtering
  – Frame contains "search term"
• Flow – sequence of packets comprising a single communication segment.
  – EX: Connection, Negotiation, File Request, File delivery, checksum, acknowledgment, termination
  – Flow record – subset of information from a flow such as source and destination IP, protocol, date or time
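Pages 21 to 23 describe the detection approach (collect per-host traffic statistics, baseline them, watch the fan-in/fan-out pattern of each host) and this slide defines flows and flow records. The Python below is an added example, not code from the slides, Wireshark or any netflow product: it aggregates constructed packet metadata into bidirectional flow records, labels each host with the one-to-many / many-to-one / many-to-many / one-to-one rule from page 23, and flags hosts that sent more than a multiple of a constructed baseline. The packet list, the baseline figures and the fan-out threshold of five peers are assumptions chosen for the example.

```python
"""From packets to flow records to the deck's quick rules. Added example on
constructed packet metadata; not code from the slides, Wireshark or a netflow tool."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet metadata: (time, src_ip, src_port, dst_ip, dst_port, proto, bytes)
PACKETS = [
    # 10.0.0.5 fetches a page from 192.0.2.80: ordinary one-to-one traffic
    (0.0, "10.0.0.5", 51000, "192.0.2.80", 80, "tcp", 60),
    (0.1, "192.0.2.80", 80, "10.0.0.5", 51000, "tcp", 60),
    (0.2, "10.0.0.5", 51000, "192.0.2.80", 80, "tcp", 400),
    (0.4, "192.0.2.80", 80, "10.0.0.5", 51000, "tcp", 1500),
    # 10.0.0.9 opens SMTP sessions to six different mail servers: one-to-many, spam-bot shape
    *[(1.0 + i, "10.0.0.9", 40000 + i, f"198.51.100.{i}", 25, "tcp", 900) for i in range(1, 7)],
    # six internal hosts hit one web server at the same instant: many-to-one, DDoS shape
    *[(2.0, f"10.0.0.{100 + i}", 30000 + i, "203.0.113.9", 80, "tcp", 60) for i in range(6)],
]

# Constructed baseline: typical outbound bytes per host for an interval of this length.
BASELINE_BYTES = {"10.0.0.5": 1000, "10.0.0.9": 1000}


@dataclass
class Flow:
    """A flow record: the 5-tuple plus timing and per-direction counters."""
    proto: str
    initiator: tuple      # (ip, port) of whoever sent the first packet we saw
    responder: tuple
    first: float
    last: float
    fwd_pkts: int = 0
    fwd_bytes: int = 0
    rev_pkts: int = 0
    rev_bytes: int = 0


def build_flows(packets):
    """Aggregate packets into bidirectional flows keyed on the order-independent 5-tuple."""
    flows = {}
    for t, sip, sp, dip, dp, proto, size in packets:
        a, b = (sip, sp), (dip, dp)
        key = (proto, *sorted((a, b)))          # same key for both directions
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(proto, a, b, t, t)
        f.first, f.last = min(f.first, t), max(f.last, t)
        if a == f.initiator:
            f.fwd_pkts, f.fwd_bytes = f.fwd_pkts + 1, f.fwd_bytes + size
        else:
            f.rev_pkts, f.rev_bytes = f.rev_pkts + 1, f.rev_bytes + size
    return list(flows.values())


def host_patterns(flows, threshold=5):
    """Label each host by fan-out (peers it initiated to) and fan-in (peers that initiated to it)."""
    out_peers, in_peers = defaultdict(set), defaultdict(set)
    for f in flows:
        out_peers[f.initiator[0]].add(f.responder[0])
        in_peers[f.responder[0]].add(f.initiator[0])
    labels = {}
    for host in set(out_peers) | set(in_peers):
        many_out = len(out_peers[host]) >= threshold
        many_in = len(in_peers[host]) >= threshold
        if many_out and many_in:
            labels[host] = "many-to-many"   # P2P, worm spreading
        elif many_out:
            labels[host] = "one-to-many"    # scanner, spam bot, or a genuinely busy client
        elif many_in:
            labels[host] = "many-to-one"    # DDoS target, or a syslog/mail server
        else:
            labels[host] = "one-to-one"
    return labels


def over_baseline(flows, baseline, factor=3.0, default=1000):
    """Hosts that sent more than `factor` times their baseline: 'compromised hosts send more'."""
    sent = defaultdict(int)
    for f in flows:
        sent[f.initiator[0]] += f.fwd_bytes
        sent[f.responder[0]] += f.rev_bytes
    return sorted(h for h, b in sent.items() if b > factor * baseline.get(h, default))


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(len(flows), "flows")
    for host, label in sorted(host_patterns(flows).items()):
        if label != "one-to-one":
            print(host, label)
    print("over baseline:", over_baseline(flows, BASELINE_BYTES))
```

Server roles from the baseline (page 22) are what turn the labels into decisions: a mail relay is expected to be one-to-many, a workstation is not, and the same fan-out number means different things for each.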

Page 26: NetworkMiner

• Traffic analysis tool
• Graphical breakdown of…
  – Hosts
  – Images
  – Files
  – Email
  – DNS
  – Sessions

Page 27: Detecting bots

• Real time netflow analyzer - Solarwinds free netflow tool
• Small Operation Center or MRTG – free SNMP/syslog server with dashboard
• Rootkit tools: Rootkit Revealer, GMER
• Event log monitoring – Zenoss, AlienVault, Nagios, Splunk, Graylog

Page 28: Event Logging

• Placement
  – Perimeter
  – VLAN or Workgroup
  – Wireless
  – Choke points – maximize collection capacity within budget and ability to process and analyze
  – Minimize duplication
  – Sync time
  – Normalize
  – Secure collector transmission pathways

Page 29: Detecting bots - Darknet

• Network telescope (darknet) – collector on an unused network address space that monitors whatever it receives but does not communicate back.
• Most traffic it receives is illegitimate and it can find random scanning worms and internet backscatter (unsolicited commercial or network control messages).
• How to set up a darknet: http://www.team-cymru.org/Services/darknets.html
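What the telescope's collector records can be triaged offline. The Python below is an added example, not material from the slides or from Team Cymru's guide: it classifies constructed collector records as probes or backscatter (used here in the narrow sense of replies, SYN-ACK, RST and ICMP errors, to traffic the monitored space never sent) and picks out sources sweeping one port across many addresses, the random-scanning worm shape the slide mentions. The records, the 203.0.113.0/24 stand-in for the unused block and the four-host threshold are assumptions.

```python
"""Triage what a darknet (network telescope) collector records. Nothing legitimate
lives in the monitored space and the collector never answers, so every packet is
a probe, backscatter from someone else's traffic, or a misconfiguration.
Added example over constructed records; not the slides' or Team Cymru's material."""
from collections import Counter, defaultdict

# Constructed collector records: (src_ip, dst_ip, dst_port, proto, detail)
# detail = TCP flags ("S", "SA", "RA", "R"), ICMP type, or None for UDP.
# 203.0.113.0/24 stands in for the unused address space the telescope watches.
DARKNET_RECORDS = [
    # one source sweeping port 445 across the block: random-scanning worm shape
    *[("198.51.100.7", f"203.0.113.{h}", 445, "tcp", "S") for h in (11, 12, 13, 14, 15)],
    # SYN-ACKs and RSTs to addresses that never sent anything: backscatter from a
    # victim answering SYNs whose source address was forged into our space
    ("192.0.2.66", "203.0.113.40", 51234, "tcp", "SA"),
    ("192.0.2.66", "203.0.113.41", 51235, "tcp", "SA"),
    ("192.0.2.67", "203.0.113.42", 6000, "tcp", "RA"),
    # two UDP probes and an ICMP echo against a single address
    ("198.51.100.200", "203.0.113.50", 53, "udp", None),
    ("198.51.100.200", "203.0.113.50", 1900, "udp", None),
    ("198.51.100.200", "203.0.113.50", 0, "icmp", "echo-request"),
    # ICMP unreachable: a router answering traffic we never sent
    ("192.0.2.1", "203.0.113.60", 0, "icmp", "dest-unreachable"),
]


def classify(record):
    """Probe ("scan") or reply to something we never sent ("backscatter")."""
    _src, _dst, _dport, proto, detail = record
    if proto == "tcp":
        if detail == "S":
            return "scan"            # unsolicited connection attempt
        if detail in ("SA", "RA", "R"):
            return "backscatter"     # second half of a handshake nobody here started
        return "other"
    if proto == "udp":
        return "scan"
    if proto == "icmp":
        return "scan" if detail == "echo-request" else "backscatter"
    return "other"


def summarize(records, min_hosts=4):
    """Counts per class plus horizontal scanners: one source, one port, many targets."""
    kinds = Counter()
    targets = defaultdict(lambda: defaultdict(set))   # src -> dport -> {dst}
    for r in records:
        kind = classify(r)
        kinds[kind] += 1
        if kind == "scan":
            targets[r[0]][r[2]].add(r[1])
    scanners = sorted(
        (src, port, len(dsts))
        for src, ports in targets.items()
        for port, dsts in ports.items()
        if len(dsts) >= min_hosts
    )
    return dict(kinds), scanners


if __name__ == "__main__":
    kinds, scanners = summarize(DARKNET_RECORDS)
    print("classes:", kinds)
    for src, port, n in scanners:
        print(f"{src} swept port {port} on {n} addresses")
```

Because the collector is silent, the scanner list is free of false positives from legitimate clients; the main residual noise is misconfigured hosts still pointing at addresses that were once in use.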

Page 30: Detecting C&C

• Ourmon (Linux/FreeBSD tool) – detects network anomalies and correlates them with IRC channel traffic.
• Stats generated every 30 sec
• Application layer analytics
• Claims from ourmon.sourceforge.net/
  – Monitor TCP (syndump) and UDP (udpreport) flows
  – Log all DNS query responses network wide
  – Measure basic network traffic statistically
  – Catch "unexpected" mail relays
  – Catch botnets
  – Spot infections with random "zero-day" malware
  – Spot attacks from the inside or outside
  – See what protocols are taking up the most bandwidth

Page 31: Detection – A/V and Anti-malware

• AVG (Grisoft) – free for home use
• Ad-aware (Lavasoft) – free
• Repelit (itSoftware)
• McAfee
• Microsoft Security Essentials (free up to 10 PCs)
• Symantec
• Spybot Search and Destroy – free

Page 32: Prevention – Vulnerability scanning

• Vulnerability scanning – scan and fix vulnerabilities found. Identify and protect machines that could be potential bots.
  – Nexpose
    • Free for up to 32 IPs
  – OpenVAS (Open Vulnerability Assessment System)
    • Linux
    • VM available (resource intensive)
  – Greenbone Desktop Suite (uses OpenVAS)
    • Windows XP/Vista/7
  – MBSA (Microsoft Baseline Security Analyzer)
  – Secunia PSI (local Windows machine scanning only)

Page 33: Prevention

• Firewall
• IPS/IDS
• Web filtering
• SPAM filtering (incoming & outgoing)
• Disable VPN split tunnel

Page 34: SIEM

• Security Information and Event Management
  – Log aggregation
  – Correlation
  – Normalization
  – Alerting
  – Dashboards
  – Views
  – Compliance reports
  – Retention
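Page 28 lists sync time, normalize and minimize duplication as collector duties, and this slide lists normalization and correlation as SIEM functions. The Python below is an added example, not code from the slides or from any SIEM they name: it normalizes constructed firewall, IDS and antivirus lines written in three different time formats into one schema with UTC epoch timestamps, drops a duplicate that arrived through a second collector, and raises a hit when one host appears in two or more sources within a short window. The line formats, the year 2012 assumed for the year-less syslog lines, and the ten-second window are assumptions.

```python
"""Normalize heterogeneous log lines into one schema, de-duplicate, correlate.
Added example on constructed lines; not the slides' material or any SIEM's code."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed inputs: three sources, three time formats, two collectors.
FIREWALL_LINES = [   # ISO-style timestamp with an explicit UTC offset
    "2012-10-26 09:00:05 -0400 fw1 DENY src=10.0.0.9 dst=198.51.100.4 dport=25",
    "2012-10-26 09:00:06 -0400 fw1 DENY src=10.0.0.9 dst=198.51.100.5 dport=25",
]
DUPLICATE_LINES = [  # the first firewall event again, received via a second collector
    "2012-10-26 09:00:05 -0400 fw1 DENY src=10.0.0.9 dst=198.51.100.4 dport=25",
]
IDS_LINES = [        # classic syslog: no year, no zone (collector assumed to run in UTC)
    'Oct 26 13:00:07 ids1 ALERT sid=1000001 msg="SMTP outbound from workstation" '
    '10.0.0.9:40002 -> 198.51.100.5:25',
]
AV_LINES = [         # pipe-delimited with epoch seconds
    "1351256409|ws-009|10.0.0.9|malware.quarantined|generic.trojan",
]

FW_RE = re.compile(r"(\S+ \S+ [+-]\d{4}) (\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)")
IDS_RE = re.compile(r'(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ALERT sid=(\d+) msg="([^"]*)" '
                    r'(\S+):\d+ -> (\S+):(\d+)')


def normalize_firewall(line):
    """Offset-aware timestamp -> UTC epoch; the inside host is the flow source."""
    m = FW_RE.match(line)
    ts = int(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S %z").timestamp())
    return {"ts": ts, "source": "firewall", "host": m.group(3),
            "event": f"deny {m.group(4)}:{m.group(5)}"}


def normalize_ids(line, year=2012):
    """Syslog has no year or zone: supply the assumed year and treat it as UTC."""
    m = IDS_RE.match(line)
    dt = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
    return {"ts": int(dt.timestamp()), "source": "ids", "host": m.group(5),
            "event": f"alert sid={m.group(3)} {m.group(4)}"}


def normalize_av(line):
    ts, _hostname, ip, action, name = line.split("|")
    return {"ts": int(ts), "source": "av", "host": ip, "event": f"{action} {name}"}


def normalize_all(fw_lines, ids_lines, av_lines):
    """One schema for every source, ordered by time, exact duplicates dropped."""
    events = ([normalize_firewall(l) for l in fw_lines]
              + [normalize_ids(l) for l in ids_lines]
              + [normalize_av(l) for l in av_lines])
    seen, unique = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["ts"], e["source"], e["host"], e["event"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique


def correlate(events, window=10):
    """Hosts reported by at least two independent sources within `window` seconds."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    hits = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            sources = {e["source"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(sources) >= 2:
                hits[host] = sorted(sources)
                break
    return hits


if __name__ == "__main__":
    events = normalize_all(FIREWALL_LINES + DUPLICATE_LINES, IDS_LINES, AV_LINES)
    for e in events:
        print(e["ts"], e["source"], e["host"], e["event"])
    print("correlated:", correlate(events))
```

The correlation only works because the firewall's local-time stamp was converted to UTC first; left as-is, its events would sit four hours away from the IDS and antivirus records and never fall inside the window, which is the practical reason "sync time" sits next to "normalize" on page 28.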

Page 35: Prevention

• Read only virtual desktops
• Software
  – Software restrictions and auditing
  – Sandbox software before deployment
• Patch management
• NAC (Network Access Control) – A/V & patches

Page 36: Response

• Incident response
  – Determine scope
  – Determine if it constitutes a breach and therefore notification
  – Analyze – Is any evidence needed?
  – Clean the device
• After-action review
  – Define improvement actions
  – Assign responsibilities for actions
  – Follow-up

Page 37: Thanks

Enjoy the summit

Acknowledgements:
• Bot command tables obtained from "An Inside Look at Botnets" by Vinod Yegneswaran
• The programs depicted in this presentation are owned by their respective authors