Israel Security Report Final
2008 財第015 5 / 2009 3
Survey Report on Security-Related Trends in Israel (イスラエルにおけるセキュリティ関連動向調査報告書)
Survey on Information Security Situation in Israel: Countermeasures against Bots in Israel

Page 1: Israel Security Report Final - イスラエルにおけるセキュリティ関連動向調査報告書

8/7/2019 Israel Security Report Final -

http://slidepdf.com/reader/full/israel-security-report-final- 1/62

2008 財第015 5
2009 3

Survey on Information Security Situation in Israel
Countermeasures against Bots in Israel


Survey on Countermeasures Against Bots in Israel


Table of Contents

Overview, Vocabulary (pages 3-4)
Introduction (pages 5-6)
Chapter 1: Status of Bots Today (pages 7-8)
Chapter 2: Statistics (pages 9-12)
Chapter 3: Damages (pages 13-19)
    3.1 BotNet Damage examples (14)
    3.1.1 Phishing Attack on Bank Leumi (14-15)
    3.1.2 Estonia Case (15)
    3.1.3 International Corporation (16-17)
    3.1.4 International Affects (17-18)
Chapter 4: Damage Amount by Bots (pages 19-20)
Chapter 5: Countermeasures (pages 21-27)
    5.1 Prevention (21)
    5.2 Public Policies (21)
    5.3 Government & Military Organization (22-24)
    5.4 The Law in Israel (24)
    5.5 The Spam Law (24-25)
    5.6 Private Sector (26)
    5.7 Network Security: Vulnerability and Disclosure Policy (26-27)
Chapter 6: Researches (pages 28-40)
    6.1 Bots & BotNet (28-29)
    6.2 Wide-scale BotNet Detection and Characterization (29-30)
    6.3 Is Your PC Secretly Running Nuclear Simulation? (31-33)
    6.4 DDoS Attacks Prevention by Packets Encapsulation (34-35)
    6.5 Survey on Detection of Covert Channels through VPN (36-37)
    6.6 Covert Timing Channel (37-38)
Chapter 7: Trends (pages 39-52)
    7.1 The IUCC/IDC Internet Telescope (39-42)
    7.2 False Positive (42-48)
    7.3 Multifunctional Bots (48)
    7.4 Peer-to-Peer (49)
    7.5 Common Content (49)
    7.6 Blogs and Personalized Internet Pages (49-50)
    7.7 Vertical Text Spam (50)
    7.8 Mobile Application (51)
    7.9 Sandboxing (51)
    7.10 The Development of BotNets in the Future (52)
Chapter 8: Trends of Security Products (pages 53-58)
    8.1 Mi5 Networks (53)
    8.2 Checkpoint (54)
    8.3 Commtouch Ltd. (55)
    8.4 BEYOND SECURITY LTD. (56)
    8.5 PINEAPP LTD. (56)
    8.6 Applicure Technologies Ltd. (56)
    8.7 Beefence (57)
    8.8 RadWare Ltd. (57-58)
Bibliography (page 59)


Overview

Vocabulary

BotNet: Malware made up from a network of bots. The BotNet is a malicious Bot program aimed to inflict large scale damage to organizations and end users. The BotNet is an expensive "Agent", or a product handed by the manufacturer to the buyer/attacker in order to be deployed at any given time by the Bot Herder.

Zombie: The computer in which the BotNet has been implanted without the owner's agreement or knowledge.

Malware: Any computer program which is aimed to inflict damage onto the unsuspecting user and is spread either actively, through spam email, or passively, through infected websites and social networks.

STRIDE: Abbreviation of the threats assessed during programming and processing applications:

S: Spoofing is stealing the computer's identity.
T: Tampering is data modification.
R: Repudiation is renouncing any liability for the act.
I: Information disclosure is data leakage.
D: DDoS = Distributed Denial of Service occurs when a server is bombarded by too much traffic or data and crashes, therefore denying service to the users.
E: Elevation of Privilege (EoP) gives access to unauthorized data storage.

Threat Modeling: The steps taken during programming to mitigate damages caused by STRIDE.


Bot Herder: A "middleman" used by the attacker to deploy the BotNet.

Downloader Site: The prewritten link of the BotNet program from which the Bot gets updates and orders.

P2P: In order to inflict large scale damage, the attacker expands bandwidth by eliminating the need for a Command & Control "Brain" and deploying zombies connected Peer-to-Peer.

Sandboxing: Containment of a malicious Bot for mitigation and study.

Whitelisting: Preapproved list of IPs.

Fuzzing: Testing for security holes.

Mitigation: The evolving nature of the BotNet and the ingenuity of the attackers mean that total prevention or blocking is virtually impossible; therefore most solutions apply mitigation.

Zero-Hour Detection: The fast pace in which the malicious "Agent" is spread and transforms requires Real-Time detection and solution.

False Positive: Using P2P for BotNet purposes means Denial of Service of a genuine end-user.

Trojan horse: Backdoor to the target's computer.

Phishing: Online Internet fraud. Retrieving passwords and personal information through fake proposals and duplicate legitimate approaches.

Click Fraud: E-crime related to E-commerce, where the vendor pays per-click on advertising and the Bot imitates an end user.


Introduction

The BotNet is the modern cyber warfare. Unlike hacking, which targets specific users or websites, the BotNet is aimed to inflict massive damage to multiple users in a short space of time. It is used for extortion, espionage, political activism, military domination and even as doomsday weaponry. The BotNet can be used to damage the target's reputation or to inflict financial damage directly or indirectly.

The BotNet is multitasking and can change its objectives while activated. In order to cause DDoS, the Zombie computer hosting the BotNet will send spam on command. If the purpose of the intruder is to eavesdrop, then the BotNet will function as a Trojan horse.

However, one should draw a bold line between hacking or defacing of websites and the use of a BotNet. The latter is expensive and not commonly used by the usual hacker. Breaking a website's code or even crashing a server does not necessitate special resources. To inflict harm on a sole target requires only a single hacker. Even to make a grandiose statement, one only needs to convene a group of driven youths or fundamentalists who break into the target's code and deface a website (see the Bank of Israel case study in chapter 1.6.). Planting an "Agent" in thousands of Zombie computers requires resources and usually some financial gain which will at least cover the cost of operation. On the other hand, this can be a pawn to be used in the hands of power players with deep pockets or financial backing.

Ways of spreading a BotNet are also diverse. Malware can be planted in spam, in text files, in image files, in voice files and on websites. Transplanting the BotNet into the zombie has no immediate effect on the end user. Some service providers choose not to divulge the list of zombies sitting on their platform, and others wish not to know of the active or non-active zombies. Their platitude is derived


1. Status of Bots Today

Recently published in Israel was the opinion of Mr. Cohen and Mr. Cruman, heads of the technology department at IBM, about BotNet.

Their opinion about the status of Bots today is that "BotNet is adding yet another trick to its vast repertoire. In the past, the malware would check the process file name against an internal list and deleted the ones that match the list. Now it would rather leave processes running and just patch entry points of loading processes that might pose a threat to it. Then, when processes such as anti-virus programs run, they simply return a value of 0".

According to Mr. Cohen, "BotNet enables the operation of the P.C. to work normally even though a strong malware like BotNet sits quietly in the background; the owner of the system is not aware of it. Malware starts operating only when it gets orders from its operator. This is far less suspicious than a process that gets terminated suddenly from the outside, which means it will not alarm users due to the fact that anti-virus software is not running. The technique is designed to fool the network access control systems, which bar insecure clients from registering on a network by checking to see whether a client is running anti-virus software and whether it's patched. According to the expert, the anti-virus is running but it's brain-dead. It's worse than shutting it off, as it opens the door for Storm bots to waltz past even networks considered being hardened with network access control".

"The BotNet is the latest evidence of why Storm is the scariest and most substantial threat security researchers have ever seen. Storm is patient, it's resilient, it's adaptive in that it can defeat anti-virus products in multiple ways (programmatically, it changes its signature every 30 minutes), it's invisible because it comes with a built-in root kit, and hides at the kernel level, and it's clever enough to change every few weeks".


It has its own mythology: composed of up to 50 million zombie PCs, it has as much power as a supercomputer, it has brute strength to crack Department of Defense encryption schemes, and with this power it terrifies the researchers of this field and the administrators in charge of network security.

On the other hand, those who know how to watch it are guarding their techniques. They're afraid of retaliation. They fear that if they disclose their unique means of finding information on Storm, the BotNet herder will change tactics yet again and the window into Storm will slam shut.

According to other experts that are quoted in the newspaper, the BotNet's strength is exaggerated in the sense of the amount of systems which are infected, or its capabilities to become a supercomputer and the fact that it fights back and punishes instantaneously. They claim it is fiction; however, they still agree it has a lot of power.

Mr. Cohen concludes that when it comes to the war of good guys (security researchers) versus bad guys (BotNet herders), BotNets have won. He indicates the case of Blue Security, an Israeli-based startup whose aggressive anti-spam measures in May 2006 drew a counterattack from spammers that was so vicious it forced the company out of business. "Blue Security did a really good job of fighting," said Mr. Cohen. "So [the attackers] did a DDoS and took it off the Net for a while. Blue Security went to the best anti-DDoS technology on earth. The next onslaught came and Blue Security's defenses worked. So the BotNet herder stole two other people's BotNets. With three BotNets, the attack worked, to the point where the ISP said, I'm not going to let you take down my entire ISP to protect you, you're on your own. And Blue Security is now out of business."


2. Statistics

Most statistics reports are slanted and show overwhelming data of infected Zombies or BotNet attacks. Internet security companies have a given stake in showing the increasing dangers on the one hand, and success in detecting and blocking on the other hand.

Every single day, new vulnerabilities are discovered and published (one of the Israeli security companies alone reports 5 to 10 new vulnerabilities in various systems every day).

We found that companies are reluctant to reveal the cyber attacks and there is no official publication specifically on Israeli BotNet attacks.

The government resource Tehila reports 14,000 BotNet and similar attacks yearly on the government and semi-government sites.

Below are some graphs which show international BotNet attacks brought by an Israeli software security company's servers.


A general picture of worldwide active Zombie attacks:

Israeli software security companies accumulate statistics about general cyber attacks all over the world. Following are some details of the second quarter of 2008:


3. Damages

Organized crime has applied its resources to the Internet first and foremost to realize the rather fast, anonymous and unregulated financial gain integral to E-Crime. The damages inflicted through BotNet operation are diverse. There are direct damages and collateral damages. The initial act of tampering with bank accounts after obtaining passwords via phishing and Trojan horse tools is as simple as any bank robbery. Accessing sensitive information has two potential financial gains for BotNet operators. Industrial espionage and selling data to rivals can be just as lucrative as threatening with extortion. All these operations still require foot soldiers to activate the chosen BotNet application and execute the transaction.

The vast success of this type of E-Crime is due to the ever growing global community turning to E-Commerce and online banking. Banks nowadays rely heavily on online transactions, so a breach in their security means a loss of potential business. This is the next layer of damage caused by BotNet. The reputation of any business is a gainful asset which, when impaired, can have lasting consequences. Even service providers avoid divulging the BotNet activity, and some Internet Service Providers (ISP) prefer not to get hold of the available Zombie list so as not to expose their vulnerability. Blacklisting and blocking legitimate ISPs and users is another costly risk. Unless the attack might cause a total crash or has multiple targets, there is little chance that the end users will be notified of its occurrence.

The cost of blocking attacks and scanning for new malware means even more financial burden. Website owners, large or small, find the need to add layers of security to their existing firewall.


The security department managed to locate the impersonator's location and managed to remove him from the net. The bank immediately contacted all the customers that entered their identification and asked them to change all their passwords and to go over their accounts to see if anything was done that had not been done by them. The bank also published a note to all its customers that it is not accustomed to ask for identification on the web and that this type of request is a fraud, done to gain control over the customer's details using an impersonated web page of the bank.

In order to prevent these types of attacks, the bank issued new regulations for transfers of funds to a third party through the Internet. According to the bank, their quick reaction and attempts to catch the intruder reduced the damage to only tens of customers out of thousands that were exposed to this phenomenon, and due to its actions, none of the customers were damaged due to this attack.

3.1.2 Estonia Case

An additional important case, which occurred in Estonia, put the BotNet on the map in April 2007 as the next Cyber Warfare weapon. Estonia was the battleground of the biggest cyberspace attack, which lasted for 3 weeks, allegedly triggered by the removal of a Soviet statue. Russia was the immediate suspect during the 2007 attack, and has seemingly used the same scheme against Georgia during the outbreak of fighting in August 2008. The Estonian case recorded the use of about 1 million worldwide Zombies which inflicted a vast DDoS on government and corporate websites. This attack was extremely effective due to Estonia's high Internet exposure and usage. It is the first country to allow online voting for its Parliament. According to updated FBI reports, 108 countries hold Cyber Warfare capabilities.


3.1.3 International Corporation

The police authorities revealed that three Israelis from the north of Israel who were suspected to be part of an international crime organization stole money from banks in different countries. The headquarters of the organization was based in Germany, where the investigation started. They used BotNet technology by which they stole the customers' identifications. The Israeli police said that the crime organization acted out of Israel.

Another example where Israeli technology was involved was a BotNet attack by hackers which was discovered on September 4, 2007 on the site of eBay members (the global purchase store site). This attack, which used brute force, was for the purpose of uncovering valid account log-in information. The preparations for the attack against eBay started about a month before the actual attack. The attack began with hackers compromising third-party websites using a technique called SQL (Structured Query Language) Injection. Extra code was dynamically added to the main page of these websites using a hidden IFRAME tag which loaded a malicious web page. This page contained a VBScript file that used AJAX to download and save a file called MISuvstm.exe into the Windows system folder. Once this file was downloaded, it attached itself to the Windows Explorer process and went hunting for a further Trojan, which was the basis for a Distributed Denial-of-Service (DDoS) attack on eBay itself. The attack used eBay's own Application Programming Interfaces to guess eBay users' passwords by brute force. According to the information published, attackers changed one user's eBay identity and sent out at least 25 e-mails to individuals in the United Kingdom who were attempting to sell Sony laptop computers. The compromised account, which retained the original user's high eBay rating, offered the sellers more money than they asked for in exchange for the laptops being shipped "as soon as possible." The technology of the Israeli company Aladdin got involved in this attack. Aladdin first found out about the eBay attacks using its software scanning product that runs at ISPs and detects and blocks attempted IFRAME redirections. Furthermore, Aladdin's technology of two-factor authentication is a


currently a handful of online vigilante groups which try to fill the void created by the shortage in law enforcement manpower. One such group operates from Britain and is called Spamhaus.org. Another group fighting BotNets is Shadowserver.org, which is run by proactive security professionals, one of whom is an advisor to Cisco Systems.
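The eBay case in 3.1.3 turned on a hidden IFRAME injected into compromised third-party pages, and the detection credited to Aladdin is blocking attempted IFRAME redirections. The following Python is an added example of that kind of check, written for this page; it is not Aladdin's product nor code from the report. It parses served HTML and reports iframes that are hidden (zero- or one-pixel size, display:none, visibility:hidden, or positioned off-screen), rating a finding higher when the hidden frame loads content from a host outside the page's own site. The sample page and the host names in it are constructed for the example.

```python
"""Flag hidden IFRAME redirections in served HTML (added example).

A static check of the kind described for the eBay case: a hidden frame
that pulls content from another host is the classic drive-by pattern.
Not the report's or Aladdin's code; the sample page and hosts are made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that makes a frame invisible: hidden outright, or pushed far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d", re.I)


def _pixels(value):
    """'0', '1px', '600' -> int; '100%', 'auto', None -> None (unknown)."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value)
    return int(m.group(1)) if m else None


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def _same_site(src, page_host):
    """True for relative URLs and for hosts within the page's own domain."""
    host = _strip_www((urlparse(src).hostname or "").lower())
    base = _strip_www(page_host.lower())
    return host == "" or host == base or host.endswith("." + base)


class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        reasons = []
        w, h = _pixels(a.get("width")), _pixels(a.get("height"))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-by-style")
        if not reasons:
            return  # a visible frame is ordinary embedding, not reported
        src = a.get("src", "")
        third_party = not _same_site(src, self.page_host)
        if third_party:
            reasons.append("third-party-src")
        self.findings.append({
            "line": self.getpos()[0],   # line where the <iframe> tag starts
            "src": src,
            "reasons": reasons,
            "severity": "high" if third_party else "low",
        })


def audit_iframes(html, page_host):
    """Return one finding per hidden iframe, in document order."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: a legitimate visible embed, an injected hidden
# redirect to another host, and a hidden same-site frame (e.g. a form target).
SAMPLE_HTML = """<html><head><title>Shop</title></head><body>
<h1>Welcome</h1>
<iframe src="https://www.example-shop.test/cart" width="600" height="400"></iframe>
<p>Injected below:</p>
<iframe src="http://bad-host.test/load.html" width="0" height="0"
        style="display:none"></iframe>
<iframe src="/help" width="1" height="1"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML, "www.example-shop.test"):
        print(f"line {f['line']}: {f['severity']:4s} {f['src']} {f['reasons']}")
```

Only hidden frames are reported, because visible third-party frames are ordinary embedding; a hidden frame on the site's own host is kept at low severity rather than dropped, since the injected page in the eBay case could equally have been hosted on the compromised site itself.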


4. Damage Amount By Bots

Following is a table that an Israeli company developed to calculate the estimated cost of the spam damage to enterprises. The table is based on the number of employees, their salary, the number of e-mails they receive daily and the average spam they receive. We entered some basic information and the calculator calculated the following results:

Calculate: how much does spam cost your enterprise?

Number of employees: 50 Employees
Average annual salary: $ 50000
Average daily email per-recipient: 50 Messages
Average % of spam from total email: 20 %
Time to delete (seconds): 5 Seconds
Direct lost productivity per employee (hours annually): 5.07 Hours
Direct lost productivity to the enterprise (days annually): 31.69 Days
Cost per-recipient per-year: $ 120.64
Direct lost productivity costs to the enterprise: $ 6032
Time wasted per response (minutes): 5 Minutes
Response rate: 1 %
Additional lost productivity to the enterprise (days annually): 19.01 Days
Overall cost of responding to spam: $ 3655.85
Cost of 1MB storage (archiving): $ 0.60
Average size of spam message: 16 KB
Storage cost per-employee: $ 35.04
Overall storage annual cost to enterprise: $ 1752
Total annual cost for the organization: $ 11439.85

Financial damages are the main interest of large corporations on the one hand and end users on the other. In some cases, the industry publishes their damage and its cost for security. However, the governmental and secret agencies' dominance can be undermined by BotNet attacks. Deploying Cyber Warfare and defending against it are the work of governmental and secret agencies which are treated with the same secrecy as any other doomsday weapon.
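The arithmetic behind the spam cost table can be reproduced. The Python below is an added worked example, not the Israeli company's calculator; the model it assumes (spam arrives 365 days a year, the salary is spread over 260 paid working days of 8 hours, message sizes are in KB with 1000 KB to the MB, and the deletion cost is charged only for the 99% of spam that is not answered) is not stated on the page and was chosen because it reproduces its figures: 5.07 hours, $120.64, 19.01 days, $3655.85, $35.04 and $1752. Two figures differ only by rounding order: the page rounds the hours to 5.07 before converting to enterprise days (31.69, against 31.68 here) and multiplies the rounded $120.64 by the headcount for the enterprise figure ($6032, and a total of $11439.85, against $6032.15 and $11440.00 at full precision here).

```python
"""Spam cost model reconstructed from the Chapter 4 table (added example).

Assumptions (not on the page; chosen because they reproduce its figures):
spam arrives 365 days a year, salary is spread over 260 paid working days
of 8 hours, message sizes are in KB with 1000 KB per MB, and the deletion
cost is charged only for spam that nobody answers.
"""
from dataclasses import dataclass

CALENDAR_DAYS = 365   # spam arrives every day, weekends included
WORKING_DAYS = 260    # paid working days used to price one hour of salary
HOURS_PER_DAY = 8
KB_PER_MB = 1000


@dataclass(frozen=True)
class SpamInputs:
    employees: int
    annual_salary: float        # per employee, USD
    emails_per_day: float       # per recipient
    spam_fraction: float        # share of mail that is spam, 0..1
    delete_seconds: float       # time to recognise and delete one spam
    response_minutes: float     # time wasted when someone answers a spam
    response_rate: float        # share of spam that gets answered, 0..1
    storage_cost_per_mb: float  # annual archiving cost, USD per MB
    spam_size_kb: float         # average spam message size


def spam_cost(inp: SpamInputs) -> dict:
    """Return the same line items as the page's calculator, rounded to cents."""
    spam_per_year = inp.emails_per_day * inp.spam_fraction * CALENDAR_DAYS
    hourly_rate = inp.annual_salary / (WORKING_DAYS * HOURS_PER_DAY)

    # Direct loss: time spent deleting the spam that nobody answers.
    delete_hours = spam_per_year * inp.delete_seconds / 3600
    direct_per_recipient = delete_hours * hourly_rate * (1 - inp.response_rate)
    direct_enterprise = direct_per_recipient * inp.employees

    # Additional loss: time wasted on the spam that does get a response.
    response_hours = spam_per_year * inp.response_rate * inp.response_minutes / 60
    response_cost = response_hours * hourly_rate * inp.employees

    # Storage: every spam message is archived for a year.
    storage_per_employee = (spam_per_year * inp.spam_size_kb / KB_PER_MB
                            * inp.storage_cost_per_mb)
    storage_enterprise = storage_per_employee * inp.employees

    return {
        "delete_hours_per_employee": round(delete_hours, 2),
        "delete_days_enterprise": round(delete_hours * inp.employees / HOURS_PER_DAY, 2),
        "direct_cost_per_recipient": round(direct_per_recipient, 2),
        "direct_cost_enterprise": round(direct_enterprise, 2),
        "response_days_enterprise": round(response_hours * inp.employees / HOURS_PER_DAY, 2),
        "response_cost_enterprise": round(response_cost, 2),
        "storage_cost_per_employee": round(storage_per_employee, 2),
        "storage_cost_enterprise": round(storage_enterprise, 2),
        "total_annual_cost": round(direct_enterprise + response_cost + storage_enterprise, 2),
    }


# The inputs the report entered into the calculator (values from the page).
PAGE_INPUTS = SpamInputs(
    employees=50, annual_salary=50_000, emails_per_day=50, spam_fraction=0.20,
    delete_seconds=5, response_minutes=5, response_rate=0.01,
    storage_cost_per_mb=0.60, spam_size_kb=16,
)

if __name__ == "__main__":
    for name, value in spam_cost(PAGE_INPUTS).items():
        print(f"{name:28s} {value:>10,.2f}")
```

The practical lesson of the model is that storage and response handling are minor next to deletion time: at this headcount the direct productivity loss is more than half of the total, so the lever an enterprise controls is the spam fraction reaching inboxes, which a mail filter upstream reduces directly.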


5. Countermeasures

The statistics unequivocally show that no one is completely immune against becoming a zombie or being a target of a BotNet attack. This situation requires mitigation, the purpose of which is minimizing the breaches and the damages.

5.1 Prevention

The aim of the BotNet is making the fight against security breaches futile. As many firewalls are added to block attacks, there are just as many breaches written into the programs. Security experts all agree that prevention of BotNet proliferation is impossible. First, the harm is already done, and until the Zombie is activated, no one, including the Zombie itself, can tell what it was infected by. Second, the use of P2P increases the bandwidth and the spreading rate. Finally, there are too many breaches through which the malicious entities can infiltrate. These facts should not, however, create a feeling of surrender, as the entire academic world that works in this field, as well as many security companies, are developing new technologies to prevent the possible infiltration of Bots.

5.2 Public Policies

The Israeli government is taking various countermeasures to protect its computer systems from Bots and other malicious attacks, using different security technologies and imposing on the Law Ministry, the Ministry for Trade and Commerce and the police authorities to take different measures to prevent attacks also on the private sector.


5.3 Government & Military Organization

There are two main organizations in the Israeli government which are in charge of the national Internet security. One is dedicated to all the strategic and national security sites and is called "The Director of Security of the Defense Establishment"; it is a part of the Ministry of Defense. The second is the Government's ISP "Tehila", which is part of the Treasury Ministry. Tehila was established in order to control all the e-government in the Israeli government.

Further, the Israeli government nominated a Ministerial Committee, which is a steering committee to initiate laws, regulations and rules to determine the countermeasures that Israel will take to prevent cyber attack. This Committee established in each Ministry a special committee to take countermeasures to prevent any attack on the specific office. In addition, the steering committee nominated a special committee which controls the total countermeasures which are taken within the government framework.

CERT (Computer Emergency Response Team) was established in Israel in 2005 as a government body which is aimed to give service on cyber attacks. The CERT is part of the Tehila project and works in cooperation with the international information security parallel world. The site provides information for professionals in the field of information security and citizens interested in learning how to protect their home computer from viruses and attacks on their network.

In 2006, a former manager of Israeli CERT started a mailing list where people not necessarily involved with the vetted, trusted or closed circles of cyber crime fighting could share information and be informed of threats. The BotNets mailing list was aimed to get people involved, engaged and aware of cyber crimes.


His main objective was to provide the public an open mailing list where anyone can join in and report a BotNet command and control (C&C) server that they might see.

The mailing list's targets were to create:
* A place where one can discuss detection techniques.
* A place where one can report the BotNets.
* A place where all relevant private groups will get reports.
* A place where the relevant ISP will be automatically notified.
* A place where action taken on the reports will be seen.

The main concept behind the BotNets mailing list is to provide information and share cyber information online. He thought that sharing the resources could change the tide of the cyber crime war. One of the strategies that could help is public information sharing of "lesser evils" already in the public domain.

He thought that to fight a war, one needs to be involved and engaged. It is a fact that while much progress was made in the efforts to fight cyber crime, there was nearly no effect whatsoever against the criminals and the attackers. They maintained their business and the industry kept writing analysis.

The former manager of Israeli CERT decided to revive the BotNet mailing list. He says the list was fairly successful two years ago, but quickly lost steam, because some researchers didn't feel confident in sharing their information in a public setting. Since he revived the list in September 2008, researchers have been actively sharing raw data with other list members.

"We have better tools, we're better organized, we know what we're doing, but still we have not really made a dent," he said. "There have been some arrests, we've taken down some operations, but what it comes down to is that the criminals are still making money."

The communities that are currently active are closed and by their nature more secretive. Less information gets out and less information is shared because


people who should be trusted cannot find the right groups, or it's too difficult to find an information sharing group.

The ultimate goal of the mailing list is to get more IT administrators and security researchers involved in combating cybercrime, get them to care about the problem and get them organized.

5.4 The Law in Israel

The Israeli government initiated laws against cyber attackers as a tool for countermeasures.

In 1995, the Computer Law was adopted in Israel; it prohibits cyber attacks and prescribes punishment for this type of crime of 3 to 5 years imprisonment. Following are the details:

o Disruption or interruption of a computer or computer content. This is equivalent to breaking and entering, and includes falsifying, transferring, storing information or output, writing software related to this information or using such software;
o Infiltrating computer materials illegally;
o Infiltrating computer content with the intent of breaking the law;
o Anything pertaining to computer viruses;
o Denial of Service;
o Writing and distribution of Trojan Horses.

5.5 The Spam Law

The Israeli Parliament approved at the end of May 2008 an amendment to the Israeli Communication Law, also referred to as "The Anti Spam Law". This amendment prohibits various sorts of spam: e-mail, fax messages, short text messages (such as cellular SMS) and automatic dialing systems, if they intend to induce the recipient to spend money.


The strict demand requirement for prior consent in the law is mitigated by two

exemptions. An advertiser may send a one-time unsolicited offer to businesses

to accept further commercial messages. An advertiser may also send unsolicitedcommercial messages if the receiver of the message is a client or a potential

client of the sender, if the message refers to a product or a service similar to

products or services purchased by the client in the past from the sender, and if

the receiver is given proper opportunity to refuse any further messages.

Furthermore, the advertiser must conspicuously indicate that the message is

commercial in nature and that the receiver has a right to refuse any further

messages. The advertiser must also provide clear contact details for sending

refusal notices.

The Anti Spam Law became effective in December 2008. Failure to comply with it

will subject spammers and senders of commercial offers to statutory damages of

up to NIS 1,000 (approximately US $300) per one message. The amendment also

indicates that a class action may be brought against infringers.

The amendment allows civil actions to be taken against the spammer, regardless of the criminal charges. However, the amendment doesn’t refer to spammers residing abroad. The offender targeted by the amendment is not only the sender of the spam but also the advertiser who sends unsolicited mail and stands to gain from the action.

The law requires that parties sending information receive prior authorization from the relevant parties. The police authority has established a special unit to follow up on and enforce this law.


5.6 Private Sector

Many organizations expect more than just an Anti-Spam and Anti-Virus solution. They require a sophisticated tool that provides customizable rules and control over incoming and outgoing mail, footnotes, attachments, notifications, forwarding and more. Furthermore, they require that a policy be enforced throughout the whole organization, down to groups and even specific users. Organizations also expect such a system to be synchronized with their existing Active Directory or other Lightweight Directory Access Protocol (LDAP) servers. As a result, Israeli software security companies are researching and developing software as countermeasures for cyber attack. The academic sector in Israel takes part in this research and development, as detailed in Chapter 6.

5.7 Network Security: Vulnerability and Disclosure Policy

Following is a research project which deals with the social aspect of cyber attack:

* Network Security: Vulnerability and Disclosure Policy.

This research was carried out by Dr. Chaim Fershtman and others, in cooperation between Tel Aviv University and Michigan State University.

This work deals with the dilemma of software companies that find bugs in their software. The dilemma is: should the company disclose the bug and issue an update for it? If this is done, the disclosure itself could facilitate reverse engineering and expose the vulnerability to hackers. Should disclosure be mandatory?

The researchers indicate in their research that BotNet programs enable attackers to link infected computers into a powerful network that can be used to steal sensitive data, as well as money from online bank and stock brokerage accounts. The striking details that these researchers bring are that in January 2007, Internet experts estimated that “BotNet” programs – sophisticated programs that install themselves on unprotected personal computers – were present in more than 10 percent of the 650 million computers worldwide that are connected to the Internet. More than this, they cite another research project, carried out by America Online and the National Cyber Security Alliance (2004), which found that 80 percent of the computers in the US are infected with Spyware. According to this work, in spite of the huge efforts and investigations into writing more secure code, it is virtually impossible to design software that is free of vulnerabilities. The researchers also question the efforts of the software companies, which continue to try to discover vulnerabilities after the software has been licensed and sold: the release of updates to overcome a vulnerability enables hackers to “reverse engineer” the update and find out how to exploit the vulnerability. This reverse engineering increases the probability of attack.

The main issue that the paper discusses is how to motivate investment in product security, by investigating how a decline in the number of vulnerabilities, and an increase in the probability that the firm will identify vulnerabilities before hackers do, affect disclosure policy, price and profits. An additional subject raised in this work is the mandatory disclosure of vulnerabilities and bug bounty programs. The researchers find that mandatory disclosure is not necessarily welfare improving. Mandatory disclosure improves welfare only when the probability of attack is very high and the expected damage is relatively small. When both the probability of attack and the expected damage are moderate, mandatory disclosure is welfare reducing, since a non-disclosure policy maximizes welfare. Otherwise, mandatory disclosure has no effect, since the firm will disclose the vulnerability even without regulatory intervention.


6. Researches

The BotNet community comprises black hats trying to outwit the security experts and, on the flip side, researchers who try to probe the malware. BotNet R&D is putting out fires on a daily basis, but it is also developing technologies for the long term.

6.1 Bots & BotNet

This research was carried out by Barak Nirenberg at the Technion, Israel Institute of Technology.

The project, completed just a few months ago, started by defining Bots and BotNet. Bots are software applications that run automated tasks over the Internet. Typically, bots perform tasks that are both simple and structurally repetitive, at a much higher rate than would be possible for a human alone. The largest use of Bots is in web spidering, in which an automated script fetches, analyzes and files information from web servers at many times the speed of a human.

The BotNet is the technique allowing the Bots’ masters to remotely control a large number of infected machines in a single operation, thus creating the BotNets. According to the researchers, the characteristics of the BotNet are that it runs autonomously and automatically. The BotNet is often associated with malicious software, but it can also refer to a network of computers using distributed computing software. It is interesting to note that the Bot creators evolved their Bots to use Dynamic DNS (DDNS) in order to find their C&C server. DDNS is a service, mostly offered for free on the Internet, that allows a user to own a constant DNS name that will be translated to a specific IP


description of how BotNets function. Malicious BotNets are networks of “Bots”, compromised hosts that are remotely controlled by a master host via one or more controller hosts. The master host is the computer used by the perpetrator and is used to issue commands that are relayed to the bots via the controllers. The controllers are often Internet Relay Chat servers, which are normally used for relaying messages among client terminals. Controllers are often created from compromised hosts that perform a coordinating role for the BotNet. The purposes of using BotNets vary, and most of them are related to illegitimate activity. Some of their uses include launching Distributed Denial-of-Service (DDoS) attacks, sending spam, Trojan and phishing email, illegally distributing pirated media, serving phishing sites, performing click fraud, and stealing personal information. They are also the sources of massive exploitive activity as they recruit new vulnerable systems to expand their reach. BotNets have developed several techniques in their malware and infrastructure that make them resistant to typical mitigation techniques. All this is a threat to the Internet as well as to enterprise networks. The threats undermine the reliability and utility of the Internet for commerce and critical applications. At the beginning, the majority of BotNets were based on Internet Relay Chat. This was due to the ability of IRC to easily scale to thousands of clients. There are existing cases of other types of BotNet detection systems, based on HTTP, DNS, and peer-to-peer models.

The advantages of their system are many. The major ones are that the system:
a. is entirely passive and therefore invisible to the operator,
b. has a false positive rate of less than 2%,
c. helps identify BotNets that are most affecting real users (and customers),
d. can detect BotNets that use encrypted communications.

The system helps quantify the size of BotNets, and identify and characterize their activities without joining the BotNet.


The contribution of this work is the development of an anomaly-based passive analysis algorithm that has been able to detect IRC BotNet controllers with a false positive rate of less than 2%. The algorithm is able to detect IRC BotNet controllers running on any random port without the need for known signatures or captured binaries. Even though this analysis is tuned to Internet Relay Chat-based BotNets, the researchers believe BotNets will continue to require inventory management as well as a command and control structure, which allows the BotNets to be detected using similar methods. There are some distinct advantages to this type of BotNet detection:
a. Network data analysis is entirely passive, so it is invisible to the BotNets,
b. It does not interfere with network operations,
c. It does not run any risk of contributing to the problem, and
d. It is able to show the dynamics of BotNet activity by detecting activities that have been most effective in targeting the specific customer sets.
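The passive, signature-free detection described above can be illustrated on flow records. What follows is an added example written for this summary, not the researchers' own algorithm or code. It assumes NetFlow-style records (client, server, server port, duration, bytes), uses constructed sample flows with RFC 5737 documentation addresses, and flags a (host, port) pair as a candidate controller when many distinct clients keep long-lived, near-idle connections to it, which is the traffic shape an IRC-style command and control channel produces whatever port it uses and whether or not the payload is encrypted. The thresholds are assumptions to be tuned per network.

```python
"""Passive flagging of IRC-style C&C controllers from flow records.

Added example; not the project's code. Assumes NetFlow-style records and
constructed sample data (RFC 5737 addresses). Nothing is sent on the wire.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    src: str           # client address
    dst: str           # server address
    dport: int         # server port (may be anything; no port signature is used)
    duration_s: float  # how long the connection stayed open
    nbytes: int        # bytes carried over the whole flow


def controller_candidates(flows, min_clients=8, min_duration_s=600.0, max_rate_bps=50.0):
    """Return {(dst, dport): client_count} for servers that look like controllers.

    Heuristics (assumed thresholds, tune per network):
      * at least `min_clients` distinct clients keep connections open for
        `min_duration_s` or longer to the same (host, port), and
      * the median byte rate of those connections is tiny (idle sessions that
        only carry keep-alives and short commands, encrypted or not).
    Short, bulky flows (web, backup, mail) never match, so the analysis stays
    entirely passive and signature-free.
    """
    by_server = defaultdict(dict)  # (dst, dport) -> {src: Flow}
    for f in flows:
        if f.duration_s >= min_duration_s:
            by_server[(f.dst, f.dport)][f.src] = f

    candidates = {}
    for server, clients in by_server.items():
        if len(clients) < min_clients:
            continue
        rates = [c.nbytes / c.duration_s for c in clients.values()]
        if median(rates) <= max_rate_bps:
            candidates[server] = len(clients)
    return candidates


# Constructed sample: 12 bots idling on a controller that listens on a random
# high port, a busy HTTPS server, a backup server with long bulky sessions and a
# small legitimate chat server with only three users.
SAMPLE_FLOWS = (
    [Flow(f"192.0.2.{i}", "203.0.113.10", 31337, 3600.0, 2_000) for i in range(1, 13)]
    + [Flow(f"192.0.2.{i}", "198.51.100.5", 443, 4.0, 60_000) for i in range(20, 50)]
    + [Flow(f"192.0.2.{i}", "198.51.100.20", 22, 3600.0, 500_000_000) for i in range(60, 70)]
    + [Flow(f"192.0.2.{i}", "198.51.100.30", 6667, 7200.0, 5_000) for i in range(80, 83)]
)


if __name__ == "__main__":
    for (host, port), n in controller_candidates(SAMPLE_FLOWS).items():
        print(f"candidate controller {host}:{port} with {n} long-lived idle clients")
```

Lowering min_clients to 3 on the sample also flags the small legitimate chat server, which is the kind of false positive the 2% figure above refers to; the remedy is to review candidates against what is known about the clients rather than to loosen the thresholds further.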

6.3 Is Your PC Secretly Running Nuclear Simulation?

This research was carried out by Yoav Etsion, at The Hebrew University, Jerusalem.

One of the main targets of Bot intruders is to create immense computing power for different malicious purposes, such as breaking strong cryptography, stealing information, or any other target that needs immense computing power. This computing power also makes it possible to create Zombie armies for propagating spam or launching DDoS attacks. In some cases, it is possible to create the illusion that the CPU is not being used, and in this case the owner will not know that his computer has been recruited and is transmitting data to a third party.

The researchers found that all major operating systems today, with the possible exception of Mac OS X, are vulnerable to such attacks, due to the way the CPU is used and how the operating system prioritizes competing processes. The researchers call this attack a “cheat attack”: it is a process whereby large percentages of the CPU are hijacked and the operating system’s scheduler is made to serve a third party, but when listing the active processes the system will not show that the CPU’s resources are being used at all, which makes the attack difficult to detect. The success of such an attempt depends on the intruder knowing how resources are allocated and how much CPU the competing processes use.

It is not customary to measure CPU usage directly but rather by sampling it periodically using clock interrupts. Periodic clock interrupts are a basic design feature in all major operating systems. According to the researchers, operating systems are reactive by nature. Most of the time the operating system just waits for an interrupt to happen; when it does, it handles it and returns to wait for the next interrupt. But operating systems also have a proactive component, where they need to take the initiative. For the purposes of this research, it is sufficient to focus on:
o Making scheduling decisions and performing a context switch from one process to another.
o Sampling the running process for accounting purposes.
o Noting the passage of time in order to support a timer service, such as waking up a process that requested to sleep for some time.

Importantly, all of these activities are typically tied to the same clock interrupts. This overloading can be exploited by a simple attack that uses the timer to ensure that a process always starts to run just after a clock tick, but stops before the next tick. As a result, the process is never billed, because it is never the process that is sampled by a clock tick. The most problematic factor that arises from this is that the attacking process becomes essentially invisible. The most basic defense one has against malicious programs is seeing them run using a monitoring tool. If the system doesn’t account for the CPU usage of the attacking process, it won’t show up on the monitors. Even worse, the attack actually leads to miscounting, where another process is billed for CPU time used by the cheating process. As a result, even if the system administrators suspect something, they will suspect the wrong processes. The cheating process can further disguise its tracks by controlling the amount of CPU it uses so as not to have too great an impact on system performance.

Even though great efforts were made to overcome the cheating process, the researchers found that the threat is still very real. Such attacks can infect over 10 million computers, and combining such worms with the cheating attack can be used to create an ad-hoc supercomputer and run a computational payload on massive resources in minimal time. There are two ways to account for CPU usage: one is by direct measurement, and the second by sampling. Even some systems that actually perform accurate measurements do not use this information for scheduling. The researchers explain that some systems, like Linux 2.6 and the ULE scheduler for FreeBSD, have problematic prioritization practices regarding interactive processes that further increase their vulnerability. They analyzed their results on different operating systems such as Windows XP, Solaris and others, besides Linux 2.4 and 2.6. The test application was run alone on each system to get a reference value, and was then executed alongside the cheater to examine the cheater’s effect on the counting application’s throughput on that operating system. There is a simple, low cost solution.

The solution, implemented in Linux, is complete and based on accurate billing. The explanation of the “cheat” discussed above seems simple: it uses the prioritization of processes that use less of the CPU. The idea is to avoid the accounting, and then enjoy the resulting high priority. The billing mechanism works on the long and short term: a process that runs for a short period each time it is scheduled will typically not be billed, while processes that use more CPU time have a higher chance of being interrupted and billed.
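To make the sampling flaw and the accurate-billing fix concrete, here is an added simulation (not the Hebrew University project's code). It assumes a 10 ms clock tick and the billing rule the text describes, that the whole tick is charged to whichever process is running when the interrupt fires, and compares that with direct measurement of each run. The schedule it uses is constructed: in every tick period the cheating process wakes just after the tick and yields before the next one.

```python
"""Tick-sampled vs. exact CPU accounting, simulated.

Added example, not the Hebrew University project's code. It models the billing
rule the text describes: a clock interrupt every TICK_US microseconds charges
the whole tick to whichever process is running at that instant. Times are
integers in microseconds so the arithmetic is exact.
"""
from collections import defaultdict

TICK_US = 10_000  # 10 ms clock interrupt period (assumed; a common kernel default)


def cheat_schedule(periods, cheater="cheater", honest="honest", cheat_us=8_000, wake_us=100):
    """Constructed timeline of (pid, start_us, end_us) run segments.

    In every tick period the cheating process wakes `wake_us` after the tick,
    runs for `cheat_us`, and yields; the honest process gets the remainder and
    is therefore the one on the CPU when the next tick fires.
    """
    segments = []
    for k in range(periods):
        base = k * TICK_US
        cheat_start = base + wake_us
        cheat_end = cheat_start + cheat_us
        segments.append((cheater, cheat_start, cheat_end))
        segments.append((honest, cheat_end, base + TICK_US + wake_us))
    return segments


def account(segments, periods):
    """Return (sampled, exact): microseconds billed per pid under each rule."""
    exact = defaultdict(int)
    for pid, start, end in segments:
        exact[pid] += end - start          # direct measurement of each run
    sampled = defaultdict(int)
    for tick in range(TICK_US, (periods + 1) * TICK_US, TICK_US):
        for pid, start, end in segments:
            if start <= tick < end:        # who is running when the tick fires?
                sampled[pid] += TICK_US    # the entire tick is charged to it
                break
    return dict(sampled), dict(exact)


def cpu_share(billing, pid):
    """Percentage of all billed time attributed to `pid` under a billing rule."""
    total = sum(billing.values())
    return 100.0 * billing.get(pid, 0) / total if total else 0.0


if __name__ == "__main__":
    sampled, exact = account(cheat_schedule(100), 100)
    print("sampled:", sampled, "exact:", exact)
    print(f"cheater share: sampled {cpu_share(sampled, 'cheater'):.0f}%  "
          f"exact {cpu_share(exact, 'cheater'):.0f}%")
```

For 100 tick periods the sampled accounting charges the full 1,000,000 µs to the honest process and nothing to the cheater, which in fact used 80% of the CPU; direct measurement reports 800,000 µs against 200,000 µs. Those are the two effects the text describes, invisibility in process monitors and misattribution of the time to another process, and they are why accurate billing rather than a faster sampling rate is the fix.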


6.4 DDoS Attacks Prevention by Packets Encapsulation

This research was carried out by Dr. Avital Yachin, at Technion, Israel Institute of Technology.

Dr. Yachin based his method on research by Gal Badishi and Dr. Idit Keidar of the Technion Electrical Engineering Faculty, and Amir Herzberg of the Computer Science Department at Bar-Ilan University.

The researcher in this project demonstrated a method of defending computer systems from attacks by creating a packet-level authentication mechanism. Each packet is encapsulated with a secret key known only to the sender and receiver. Unauthorized packets are filtered right at the NDIS (Network Driver Interface Specification) level before they reach the TCP (Transmission Control Protocol) stack. This ensures much lower resource consumption compared to a decision at higher levels.

The proposed solution is general and is not restricted to specific IP addresses or TCP/UDP ports. In addition, no modifications are required to existing applications, and the protection mechanism is totally transparent to them. The suggested version supports UDP packet encapsulation only in a Windows environment, but the same concept may be applied to any other protocols and operating systems.
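An added example of the encapsulation idea, not Dr. Yachin's implementation: it assumes a pre-shared key between sender and receiver and shows, in user space, the check a driver-level filter would make before a datagram reaches the stack (a tag computed as HMAC-SHA256 over a sequence number and the payload, truncated to 16 bytes). The sequence window is an assumption added here so that a replayed copy of a correctly tagged packet is also dropped; the original description mentions only the secret key.

```python
"""Packet-level authentication by encapsulation with a shared secret.

Added example, not the project's implementation. A pre-shared key is assumed;
the filter sketches, in user space, the check a driver-level (NDIS-like) filter
would make before a datagram reaches the stack. The sequence-number window is
an assumption added here for replay protection.
"""
import hashlib
import hmac
import struct

SEQ = struct.Struct("!I")   # 32-bit sequence number, network byte order
TAG_LEN = 16                # truncated HMAC-SHA256 tag


def encapsulate(payload: bytes, key: bytes, seq: int) -> bytes:
    """Sender side: seq || tag || payload."""
    header = SEQ.pack(seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag + payload


class PacketFilter:
    """Receiver side: accept only packets carrying a valid, fresh tag."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_seq = -1
        self.dropped = {"short": 0, "bad_tag": 0, "replay": 0}

    def accept(self, datagram: bytes):
        """Return the inner payload, or None if the datagram is to be discarded."""
        if len(datagram) < SEQ.size + TAG_LEN:
            self.dropped["short"] += 1
            return None
        header = datagram[:SEQ.size]
        tag = datagram[SEQ.size:SEQ.size + TAG_LEN]
        payload = datagram[SEQ.size + TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            self.dropped["bad_tag"] += 1
            return None
        (seq,) = SEQ.unpack(header)
        if seq <= self.highest_seq:                   # replay or stale packet
            self.dropped["replay"] += 1
            return None
        self.highest_seq = seq
        return payload


def demo():
    """Constructed exchange: one good packet, a forgery, a tampered copy, a replay."""
    key = b"constructed-demo-key-not-for-real-use"
    flt = PacketFilter(key)
    good = encapsulate(b"GET /index.html", key, 1)
    results = [
        flt.accept(good),                                    # passes
        flt.accept(encapsulate(b"GET /", b"wrong-key", 2)),  # forged: dropped
        flt.accept(good[:-1] + b"X"),                        # tampered payload: dropped
        flt.accept(good),                                    # replayed: dropped
        flt.accept(encapsulate(b"next", key, 2)),            # fresh: passes
    ]
    return results, dict(flt.dropped)


if __name__ == "__main__":
    print(demo())
```

Rejecting a packet costs one HMAC computation and creates no socket or TCP state, which is the resource argument the text makes for filtering below the stack: a flood of datagrams that do not carry a valid tag is discarded at the cheapest point, and without the key an attacker cannot manufacture packets that pass.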

The researcher emphasizes that although flooding, which consumes the network bandwidth of a computer system, can take an Internet service down, it still requires either high bandwidth on the attacker’s side or a very large network of remotely controlled agents. Instead of flooding a computer system (such as a web server), an attacker may bring a service down by simply consuming the system resources (CPU power and memory). A simple example of an attack on a web server can be rapid requests for a specific web page (browser refresh). Since the web server


6.5 Survey on Detection of Covert Channels through VPN

This research was carried out by Isakov Yehiel at Technion, Israel Institute of Technology.

The main point of this work is to understand the subject of “covert communications”. As the Internet infrastructure gets more complicated, new attacks and means of defense are devised in order to protect organizations from unauthorized access and data leakage. One such technique is covert communication, which remains the least understood subject, with the least coverage in popular culture. According to the researcher, one of the reasons might be that the requirements for understanding this subject exceed the average ability needed to understand how to hack into a non-secure system. One needs a thorough understanding of network protocols, statistics, probability and even machine learning in order to deal with this subject and understand the true nature of the whole idea of a covert channel as an invisible means of communication. This is something that cannot be detected through usual techniques and needs much deeper detection techniques, techniques that operate at a basic level of communications.

Actually, covert channels are reminiscent of the techniques of hiding information within audio, video, textual and pictorial content (steganography). While steganography requires some form of content to serve as cover, a covert channel requires some network protocol to serve as a carrier. Due to these similarities, some of the techniques used to discover steganographic content might be applied in order to discover covert channels. One must remember that since we focus on covert channels through VPNs, there are only a few specific techniques that the adversary can use in order to create a covert channel.

The researcher gives two different definitions of covert communication. One of these definitions is more formal, but the second indicates that any information channel can be exploited by a process to transfer information in a manner that violates the system’s security policy. According to the researcher, there are two types of covert channel: one involves writing by the sender and reading by the receiver, and the other involves the sender signaling information by modulating the use of resources (like inter-packet delays and packet transmission rate) over time so that the receiver can observe it and decode the information.

6.6 Covert Timing Channel

This research was carried out by Jonathan Avidal and Oren Ben Simon, at Technion, Israel Institute of Technology.

The main target of this project is to create a secret channel which will be difficult to detect even for a person who knows the algorithm. For this purpose, the researchers tried to imitate the usual traffic that passes through the channel and to make minimal changes to it. They composed algorithms based on new principles which help prevent the channel from being revealed. The new channel built by the researchers is active, but should be as passive as possible.

The secret channel is a hidden channel which uses shared resources for transferring information among different bodies in the system: a secret channel between computers that can communicate with one another, whose existence a third party does not know about. The target of this kind of channel is to send secret information, or to hide the sending of additional information such as passwords or cryptographic keys, or even to hide illegal information, and so on.

This project deals with a situation where there are two computer networks which are far away from each other and are connected through UDP/IP communication. The researchers assume that in one of the networks there is a Trojan horse which tries to transfer secret information from the secret network to a hostile body located on the Internet. The researchers also assume in their project that the Trojan horse is placed in the communication channel and controls the information transfer, which means that the Trojan horse is able to use the communication channel from one computer network to another computer network to transfer information to a hostile body.

The researchers divided the secret channel into two kinds:
1. Storage channels, which transfer information between two processes by storing the information on a disk that is common to both of them.
2. Timing channels, in which information is transferred between two computers by one process modulating the timing of its responses to a shared resource, and the receiving process interpreting those timings. For example, a change in the response time of a cache, or a change in the time gap between two IP messages.

This project concentrates on the construction of secret channels based on time and size. In this category, we can find two kinds of channels:
1. Active channels, which create new information packets.
2. Passive channels, which manipulate existing information packets.
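Sections 6.5 and 6.6 describe a timing channel that modulates inter-packet delays and the deeper, statistical detection such a channel calls for. The block below is an added example, not the Technion projects' code: it constructs a toy two-delay timing channel as sample input (labelled as constructed) and applies an entropy-based detector, in the spirit of published covert-timing-channel detectors, to the distribution of inter-packet delays. The bin width, the threshold and the shape of the "normal" traffic are assumptions.

```python
"""Entropy-based detection of a covert timing channel in inter-packet delays.

Added example, not the Technion projects' code. The covert sender below is a
constructed sample generator (one delay value per bit); the detector compares
the empirical entropy of the delay histogram with that of ordinary traffic.
"""
import math
import random
from collections import Counter


def covert_delays(bits, zero_ms=20.0, one_ms=60.0, jitter_ms=0.4, seed=1):
    """Constructed covert sender: each bit becomes one inter-packet delay (ms)."""
    rng = random.Random(seed)
    return [(one_ms if b else zero_ms) + rng.uniform(-jitter_ms, jitter_ms) for b in bits]


def normal_delays(n, mean_ms=40.0, seed=2):
    """Constructed stand-in for ordinary traffic: exponentially spread delays (ms)."""
    rng = random.Random(seed)
    return [rng.expovariate(1.0 / mean_ms) for _ in range(n)]


def normalized_entropy(delays_ms, bin_ms=1.0):
    """Shannon entropy of the binned delay histogram divided by its maximum log2(n).

    Legitimate traffic spreads its delays over many bins (value near 1); a
    channel that encodes symbols as a few fixed delays concentrates them in a
    handful of bins (value near 0).
    """
    n = len(delays_ms)
    if n < 2:
        return 0.0
    counts = Counter(int(d // bin_ms) for d in delays_ms)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return entropy / math.log2(n)


def looks_like_timing_channel(delays_ms, threshold=0.5):
    """Flag a delay sequence whose normalized entropy falls below `threshold` (assumed)."""
    return normalized_entropy(delays_ms) < threshold


if __name__ == "__main__":
    message_bits = [int(c) for c in "0110100110010110" * 12]
    for name, seq in (("covert", covert_delays(message_bits)), ("normal", normal_delays(192))):
        print(f"{name}: H={normalized_entropy(seq):.2f} flagged={looks_like_timing_channel(seq)}")
```

The detector catches the naive two-delay channel because its delays collapse into a few histogram bins. A sender built the way 6.6 describes, one that imitates the usual traffic and changes it minimally, would aim to keep the delay distribution close to the legitimate one, so a single entropy score is only a first filter and needs to be combined with the protocol-level and learned models the survey in 6.5 mentions.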


Chapter 7: Trends

BotNet trends include two parts. One is the technology that serves to prevent, control and detect BotNet intrusion, and the second is products, including Israeli products which were developed in Israeli universities or companies. In companies, we can find some research that is completed and being marketed.

7.1 The IUCC/IDC Internet Telescope

This research was carried out by Efi Arazi, at the Israel Inter-University Computation Center (IUCC).

An Internet Telescope is a tool that monitors the backscatter of spoofed IP traffic destined to what is known as “Internet dark address space”. It is aimed at BotNet attacks which are carried out on some IP address but with the attack originating from totally random, spoofed IP addresses. When the victim attempts to reply to some of these attack packets (SYN, ICMP, etc.), the response will go back to what it assumes is the originating IP address. Some of those replies will go back to “Internet dark address space”. Dark IP address space is space that is globally routable, but in which there are currently no computers. In other words, there should never be any packets destined to this particular network.

This technology has been assigned a /16 (former Class B, with 65,536 IP addresses) of “dark space”, where the researchers have been able to install a network monitor which receives “backscatter” packets from all over the Internet. There are other Internet telescopes out there, like the one at SWITCH. CAIDA was the first to document the technique and present analysis numbers, and has done some more recent research in this area.


Attacks seen

The packets that are received by the telescope can be roughly categorized into 4 categories:

1. Host/Port scanning: Host/Port scanning is usually done by programs that are used by hackers to learn about the computers and ports that are open in the network (and possibly available for compromise). In this case, the Telescope would capture the packets of the scanners. A worm attack is a program that exploits a bug in the operating system to install a virus, which in turn will try to spread and infect other machines on the network. The Telescope would capture the packets sent by an infected machine in its attempt to infect a new machine in the Telescope “dark space” network.

2. Backscatter from spoofed DDOS attacks throughout the world: A Denial of Service attack is an attack where a hacker tries to consume network resources by sending lots of traffic to a specific victim. The Telescope can monitor which networks in the global Internet are under attack by spoofed, random packets. We can understand this better with an example. Consider the case where victim Y, somewhere in the Internet, is under a spoofed TCP SYN attack. The victim responds with SYN-ACK to the spoofed source address. Since the source was randomly spoofed, it most probably would also send a SYN-ACK response to the Riverhead-IUCC monitor network. Hence, the monitor should capture a SYN-ACK packet from the victim. Since the monitor network is a /16 (of which there are 65,536 such /16 networks in the Internet), we end up capturing 1/65536th of the volume of the spoofed attack (assuming the spoofing was indeed random). The rate of the attack seen by the telescope is actually a lower bound on the actual attack rate. This is because the telescope receives the rate that the victim can still handle (i.e., we see SYN-ACK packets only for the part of the traffic that the victim can still handle and answer with a SYN-ACK to the SYN received; if the computer is overloaded, then SYN packets will be ignored by the victim).


3. Configuration Mistakes: a flow that lives for a very short time, and that cannot be categorized into one of the above categories, is basically labeled as a configuration mistake of one of the computers in the Internet.

4. Others: a long flow that could not be categorized into any of the above groupings.

In general, the distribution of packets into these four categories is as shown in the table “Internet telescope packet distribution” below.

Attacks not seen

By far, not all DDOS attacks can be seen by a Network Telescope. Those that cannot be seen are:

1. Bogon attacks: A bogon attack is an attack that comes with a source IP that should never appear in the Internet global routing tables. A list of bogons is available from Team CYMRU. IUCC filters out some but not all of the bogons, so in general the Network Telescope will not see bogon attacks.

2. uRPF filtering: Even spoofed attacks may not reach a Network Telescope if they are stopped along the way via a method known as Reverse Path Forwarding filtering.

3. Non-spoofed attacks: An attacker can always attack a victim directly, using any number of attack tools to try to overwhelm the resources of the victim. In general, these types of attacks would be easy to backtrack in order to determine who the attacker was, so we assume most attacks are no longer of this type.

Internet telescope packet distribution

Type of packet            Percentage
Host/port scanning        92%
DDOS backscatter          5%
Configuration mistakes    2%
Others                    1%


4. BotNet attacks: Since attacking with an identifiable IP would lead to backtracking, attackers now use what is known as a BotNet or Zombie attack. By infecting many PCs and using them as a proxy for launching their attack, attackers are able to hide their identity. Since a BotNet attack is in general not spoofed, a Network Telescope would not see such an attack. There have been cases of BotNet attacks with spoofed IP addresses, but the attacker then takes the chance that some of the attack packets might be filtered by uRPF checking. It is assumed that most attacks these days on the Internet are launched by BotNets.

Results

The results report the dominant source port of traffic classified as DDOS (this is the port on which the victim was attacked) and the dominant destination port of the traffic that reached the telescope.

1. Information on the traffic characteristics, especially ports. We output the top ten destination ports and source ports with respect to observed spoofed attacks for every day of the last week.
2. A daily list of Machba systems that have been determined to have a worm or to have been infected. Infected systems are those that have been seen scanning consecutive IP addresses, whereas a worm is defined as probing a specific list of predefined ports on random IPs.
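The four categories and the 1/65536 scaling argument above, as an added example in code (not the IUCC telescope's own software). It assumes per-packet records with timestamp, addresses, protocol, ports and TCP flags, constructs sample traffic with RFC 5737 addresses (a /24 standing in for the /16), and the thresholds for "many hosts or ports" and "short-lived flow" are assumptions.

```python
"""Classifying packets that arrive in dark address space, and scaling backscatter.

Added example, not the IUCC telescope's code. It assumes per-packet records
(timestamp, addresses, protocol, ports, TCP flags) and applies the four
categories the text describes. Sample packets are constructed with RFC 5737
addresses; the telescope prefix stands in for the real /16.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SLICE_OF_INTERNET = 65_536             # one /16 out of the 65,536 /16s in IPv4 space
BACKSCATTER_FLAGS = {"SA", "R", "RA"}  # replies a victim emits to spoofed SYNs


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str       # "tcp" / "udp" / "icmp"
    sport: int
    dport: int
    flags: str = ""  # TCP flags as letters, e.g. "S" (SYN), "SA" (SYN-ACK)


def classify(packets, scan_threshold=5, short_flow_s=2.0):
    """Map each category to the set of source addresses seen in it.

    * ddos_backscatter: every TCP packet from the source is a reply (SYN-ACK/RST),
      so the "source" is a victim answering spoofed SYNs, not an attacker.
    * host_port_scanning: the source touched many dark hosts or many ports.
    * configuration_mistake: a short-lived flow that fits nothing else.
    * others: a long-lived flow that fits nothing else.
    Thresholds are assumptions.
    """
    by_src = defaultdict(list)
    for p in packets:
        by_src[p.src].append(p)
    categories = defaultdict(set)
    for src, pkts in by_src.items():
        tcp_flags = {p.flags for p in pkts if p.proto == "tcp"}
        if tcp_flags and tcp_flags <= BACKSCATTER_FLAGS:
            categories["ddos_backscatter"].add(src)
            continue
        hosts = {p.dst for p in pkts}
        ports = {p.dport for p in pkts}
        if len(hosts) >= scan_threshold or len(ports) >= scan_threshold:
            categories["host_port_scanning"].add(src)
            continue
        lifetime = max(p.ts for p in pkts) - min(p.ts for p in pkts)
        categories["configuration_mistake" if lifetime < short_flow_s else "others"].add(src)
    return dict(categories)


def victim_summary(packets, victim, window_s):
    """Attacked port (source port of the victim's replies) and a lower-bound
    estimate of the attack rate: the /16 sees about 1/65536 of random spoofing."""
    replies = [p for p in packets if p.src == victim and p.flags in BACKSCATTER_FLAGS]
    attacked_port = Counter(p.sport for p in replies).most_common(1)[0][0]
    observed_pps = len(replies) / window_s
    return attacked_port, observed_pps * SLICE_OF_INTERNET


# Constructed sample traffic seen by the telescope (203.0.113.0/24 stands in for the /16):
# a SYN scanner sweeping port 445, a web server answering spoofed SYNs, one stray DNS
# query, and a long-lived UDP trickle that fits no other category.
SAMPLE = (
    [Packet(float(i), "198.51.100.7", f"203.0.113.{i}", "tcp", 40000 + i, 445, "S") for i in range(1, 9)]
    + [Packet(i * 0.5, "192.0.2.10", f"203.0.113.{100 + i}", "tcp", 80, 1024 + i, "SA") for i in range(20)]
    + [Packet(5.0, "198.51.100.99", "203.0.113.50", "udp", 5353, 53)]
    + [Packet(t, "198.51.100.200", "203.0.113.77", "udp", 6000, 5000) for t in (0.0, 100.0, 200.0)]
)


if __name__ == "__main__":
    print(classify(SAMPLE))
    print(victim_summary(SAMPLE, "192.0.2.10", window_s=10.0))
```

Because the victim's replies are what the telescope sees, the "source" of backscatter is the victim and its source port is the attacked service; the scaled rate is a lower bound for the reason given above (an overloaded victim stops answering SYNs), and it assumes the spoofed addresses were drawn uniformly.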

7.2 False Positive

(By Mr. Michael Shafir)

False positives, alarms generated by security devices signaling a security threat that isn’t one at all, are a common phenomenon in many current web security solutions. A false positive is a false detection or false alarm, and in proactive devices it can result in the total blocking of a user or users from a website.


False Positives can be generated in different ways. Intrusion Detection Systems (IDSs), for example, generate logs to alert administrators to illegal attempts to enter a website. Such logs, in addition to real alarms, contain false alarms that overwhelm the administrator. In contrast to the passive nature of most IDSs, application security solutions are usually proactive. This means that they are designed to block access to a website, and in the case of a “False Positive” they may block legitimate users from accessing a website.

The reason that False Positives occur is simply that security solutions are automated and have only limited intelligence capabilities. Most solutions have a database of known attacks and are constantly comparing incoming traffic to this database, trying to identify an attack. This opens the door to False Positives, since often the security system views traffic differently than the target system. This may be because of different protocols and operating systems, as well as encryption or fragmented streams. Even harmless requests may be misjudged as “malicious” when there is an unusually high and unexpected volume of traffic.

What is the effect of False Positives on a website?

There is a much more important issue than why False Positives are generated: what is more harmful, a successful attack or False Positives? An immediate answer may be that a successful attack is more harmful. It seems logical. However, further analysis reveals that in fact False Positives pose a greater threat. The reason lies in the fact that organizations can evaluate damages resulting from malicious activities and can quantify them. However, damages that occur from a False Positive created by a third party are much more difficult to predict and protect against.

Let’s look at an example. In most legal systems, if the facts in a case are ambiguous, the legal system would tend towards letting a suspect go, letting a guilty person walk free rather than finding an innocent person guilty. For lawmakers, it has long been clear that such a False Positive (finding an innocent person guilty) causes more damage to society than freeing a guilty person.

The problem of False Positives on the Internet is mainly a result of the way security companies have approached the problem. Current security solutions have looked at how to identify the malicious activities and stop them. In order to do that, these solutions rely on a database with examples of illegal traffic. They try to match incoming traffic against the database and thus look for attacks. There are many problems with this logic. First, they are unable to detect attacks that are not registered in the database. It may be a new kind of attack or a new version of an old attack. Second, and much more worrisome, are the False Positives they create.

Let’s examine this issue from another perspective. Let's say that there is a terrorist who is threatening to start shooting in a crowd of people. The authorities want to eliminate this threat but they will not shoot into the crowd because they may cause innocent bystanders to be hit, i.e., it will create False Positives. So we arrive back at the question of what is less harmful, a successful attack or a False Positive? Now the answer is clearer. Every law enforcement agency would choose to let the terrorist get away and then pursue him later rather than harm innocent people.

Now the question arises of why not adopt this attitude with web security solutions? Instead of wasting time, money and resources on trying to identify “bad” traffic, it would be much more effective to protect the site with positive rather than negative logic. Instead of looking at what is not allowed, one should be looking to “understand” only what is allowed. This means that the web security solution “understands” what kind of traffic can be forwarded to the site and can automatically block all traffic that is not allowed. True, this is a more complicated solution since it requires the security solution to be much more sophisticated and equipped with more advanced logic. However, this way of protecting the website has many advantages over the older methods since, when applied intelligently, it can eliminate “False Positives” and protect the site against both unknown and known threats.

Although “positive logic” security solutions represent a better way of protecting websites against current and future generations of attacks, such solutions fall short of delivering all of the benefits and still create some of the problems of older methods, specifically False Positives.

Let’s take an example from the real world. Some current application security solutions parse a retrieved page from a web server, dynamically creating a URL list from that page. The user should then request the objects as listed on that HTTP page.

“Direct access browsing”

Direct access browsing refers to the direct access of a web object or objects which are not listed on that HTTP page. At first thought, this may appear to be acceptable and not a security issue, but further analysis reveals the problematic nature of the approach. Let’s take for example a case where a user is given a URL link from a search engine into a page deep in the site, or where the user has bookmarked a link that is not the home page. In this case, the security solution working with this logic may block the user as if he is attacking, since it cannot track the user’s actions. While this is not an attack, the security solution may assume it is and may create a False Positive response.

Another issue that can cause False Positives is the use of proxies between the user and the website. In this case, the requested page may be stored in the cache, sometimes for quite a long time (usually only static HTTP pages or objects). The requested objects would not be retrieved from the origin site and therefore will not be part of the “tracking list” on the security system. “False Positives” may be generated and the user's requests may be blocked by the system. In the worst case scenario, the user will be added to the Access Control List (ACL), thereby blocking his IP address completely for future access. From that user's point of view, the site is dead or is under a Denial of Service attack.

In order to eliminate this problem, some current application security solutions require that the “Meta cache” in the entire site’s HTTP page headers be disabled, forcing all traffic through the web server alone. If this is the case, what is the point of having a reverse proxy or cache server at all if the site’s content is forced to bypass them? In fact, by eliminating the caches and proxies, you are actually paralyzing the network’s shock absorbers and may be forced to deal with huge amounts of redundant traffic.
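An added example, not code from the report or from any vendor it names: the three approaches discussed above (a signature blacklist, the page-derived “tracking list” behind the direct access browsing check, and positive logic) in simplified form, run over a constructed request log that includes the search-engine deep link and the proxy-cache case, so the False Positives and False Negatives of each can be counted. The site map, signatures, allow-list schema, client names and requests are all constructed assumptions.

```python
"""Three simplified web-protection policies scored over a constructed log.
negative = signature blacklist, tracking = direct-access-browsing check,
positive = static allow-list of what the site accepts (all constructed)."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    client: str
    path: str              # request-target: path plus query string
    served_by_cache: bool  # a proxy answered; the device at the origin never saw it
    is_attack: bool        # constructed ground truth, used only for scoring


# Negative logic: database of known attack patterns (constructed sample).
SIGNATURES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script", r"\.\./")]


def negative_logic_blocks(req: Request) -> bool:
    return any(sig.search(req.path) for sig in SIGNATURES)


# Tracking list: the URLs parsed out of each page the origin serves (constructed site).
SITE_PAGES = {
    "/": ["/login", "/products"],
    "/products": ["/products?id=7", "/products?id=8", "/img/logo.png"],
    "/products?id=7": ["/cart?add=7", "/img/p7.png"],
}


class TrackingListPolicy:
    def __init__(self):
        self.last_page = {}  # client -> last page the ORIGIN served it

    def blocks(self, req: Request) -> bool:
        # Home page is always reachable; anything else must be linked from the
        # page this client last fetched through the device (cached fetches are unseen).
        allowed = ["/"] + SITE_PAGES.get(self.last_page.get(req.client, ""), [])
        blocked = req.path not in allowed
        if not blocked and req.path in SITE_PAGES:
            self.last_page[req.client] = req.path
        return blocked


# Positive logic: endpoints the site accepts and the parameters each one takes.
ALLOWED_ENDPOINTS = {"/": {}, "/login": {},
                     "/products": {"id": r"\d{1,6}"}, "/cart": {"add": r"\d{1,6}"}}
IMAGE_RE = re.compile(r"^/img/[a-z0-9_]+\.png$")


def positive_logic_blocks(req: Request) -> bool:
    parts = urlsplit(req.path)
    if IMAGE_RE.match(parts.path):
        return parts.query != ""           # static objects take no parameters
    schema = ALLOWED_ENDPOINTS.get(parts.path)
    if schema is None:
        return True                        # unknown endpoint: not allowed
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        pattern = schema.get(name)
        if pattern is None or any(not re.fullmatch(pattern, v) for v in values):
            return True                    # unexpected parameter or malformed value
    return False


SAMPLE_LOG = [  # constructed traffic
    Request("alice", "/", False, False),
    Request("alice", "/products", True, False),        # answered by a proxy cache
    Request("alice", "/products?id=7", False, False),  # linked only from the cached page
    Request("bob", "/products?id=8", False, False),    # deep link from a search engine
    Request("mallory", "/products?id=7 union select 1,2", False, True),  # known signature
    Request("mallory", "/products?id=7' or '1'='1", False, True),        # not in signature db
    Request("mallory", "/img/../etc/passwd", False, True),
]


def evaluate(log):
    """Count False Positives and False Negatives of each policy over a request log."""
    tracking = TrackingListPolicy()
    policies = {"negative": negative_logic_blocks, "tracking": tracking.blocks,
                "positive": positive_logic_blocks}
    counts = {name: {"false_positive": 0, "false_negative": 0} for name in policies}
    for req in log:
        if req.served_by_cache:
            continue  # never reached the origin, so no policy (or tracking list) saw it
        for name, policy in policies.items():
            blocked = policy(req)
            if blocked and not req.is_attack:
                counts[name]["false_positive"] += 1
            elif not blocked and req.is_attack:
                counts[name]["false_negative"] += 1
    return counts
```

Running `evaluate(SAMPLE_LOG)` shows the signature list missing the unlisted injection variant, the tracking list blocking both legitimate users (the deep link and the object behind the cached page), and the allow-list scoring zero on both counts for this log.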

How can you avoid both application attacks and “False Positives” at the same time?

There is another issue that we have to bring up. One of the greatest security threats website operators face today are attacks that use perfectly legitimate traffic as the means of attack. This kind of attack is called a “Fake-Legitimate” attack. To illustrate this, we can take an example from the “real” world. Let's say that there are a certain number of good quality fake tickets to a sports event. The guards at the entrances to this event will have the difficult job not only of admitting those who have a valid ticket, but also of looking at each and every ticket and trying to judge if it is a real one or a forgery.

The problem with these kinds of attacks is that the security system will need to intelligently differentiate between legitimate and “Fake-Legitimate” traffic. This requires very sophisticated intelligence as well as fast processing. Today’s firewalls and other security systems cannot perform this task. Therefore, they cannot protect the sites from these kinds of attacks. Current solutions try to combat them but lack the tools to do that effectively. As a consequence, these systems create “False Positives” in the process.

It is clear that conventional IDSs do not stand a chance in the fight against either “Fake-Legitimate” attacks or False Positives. These kinds of systems use a signature database of known threats against which they check incoming traffic. This has serious drawbacks, since the method cannot protect against attacks for which it does not have a record. It also can generate many False Positives while it fails to discriminate between legitimate and malicious traffic.

There are also security systems in the market that attempt to detect attacks by identifying traffic anomalies. While the theory is good, one of the major drawbacks of such systems is that they find it difficult to differentiate between legitimate traffic surges and attacks. Such surges can be created by an advertisement that just ran on TV or a breaking story in the press. Thus, they often create False Positives by inaccurately identifying such surges as attacks.

Another highly problematic area with today’s passive security solutions is incident logging. How many times will the network administrator react to false alarms before he will start to ignore them altogether? Our experience has shown that within three to four weeks, administrators virtually ignore all alarms since they are constantly bombarded with false ones. Instead of getting numerous false and minor alarms, they would rather use their time more efficiently. For the enterprise, this is a waste of time and resources. This is also one of the weaknesses of most third-party anti-spam technologies: they are good at identifying junk mail based on blacklists, content, and other cues, but filters that catch all spam often snare a fair bit of legitimate email as well. Can you accept that? For how long? (I bet no more than a few hours.)

The weakness of current IDSs/IPSs is clear. Not only do they need to be able to inspect over 600 known attack signatures with minimum delay, they need to reconstruct fragmented streams to avoid partial stream views. Most of the systems on the market resort to some sort of corner-cutting and are applying “statistics-based inspections” instead of inspecting every single packet.

For security systems to create false alarms and logs is one thing. But there is a much more serious problem with active security systems. They can actually block the traffic to the site. The problem starts when such systems start creating False Positives and thus block legitimate users. In a case where a person is regarded by the security system as an attacker and cannot get into his bank account, this will create a bad impression of the bank. Because of such possibilities, banks prefer to undergo an attack rather than block a legitimate user. False Positives are therefore unacceptable.

As mentioned in my previous article, “Are Web Applications Trojan horses”, a new security approach is needed, one that can effectively detect and protect against application layer attacks and, at the same time, stay free from “False Positives” and be intelligent enough to automatically learn to protect against both unknown and known attacks and effectively bar False Negatives. This is the only way to provide the highest level of security to web applications.

7.3 Multifunctional Bots

The arsenal of malware is in a steady state of growth. Not only do the manufacturers of malware get more and more inventive, they regress to using old methods when it suits them. When a new technology or a new trend becomes available to the public, it already has an innate weakness that opens a backdoor to wrongdoers. The bigger the trend, the stronger the attraction to cash in on it illegally. Knowing that it is only a matter of time until the security breach is spotted, real-time solutions make the difference between solving the problem at hand and being exposed to the completion of the attack. Once the Botnet has been successful in breaching the system it was sent to, the ingenuity of the attacker has given it the ability to multitask. Hence, it can financially harm its current host in one of the ways outlined above; it can spread itself further to harm other connected users sitting on the network, being a Botnet as opposed to just a Bot; or it can just sit stealthily for as long as its handler wants.

7.4 Peer-to-Peer

Bandwidth is one of the Internet’s restrictions. Botnet operators and writers have harnessed the bandwidth latent in Peer-to-Peer (P2P) networks. When the Bot was dependent on a single Command and Control (C&C) server, the attacks were limited to the bandwidth and access of its local infrastructure. Utilizing an army of Zombies connected through P2P is a stealthy way to waive the need for a C&C server; it enjoys greater access and a longer response time until the attack is identified and blocked.

7.5 Common Content

Due to the fact that most security solutions for protection against malicious viruses are equipped with capabilities for tracing and blocking image-embedded malware, spammers have devised clever ways of utilizing common and legitimate content which passes through the filters. The disclaimer message at the end of an email can be one such common content. The content-based filter tags this as a non-malicious message and allows the infiltration. This method is also aimed at tricking the end user, whose mind will rest at ease after seeing the disclaimer text. If the end user allows viewing of infected images or clicks on the malicious link, the perpetrator will also receive confirmation of his attack, which puts the end user at higher risk of future attacks.

7.6 Blogs and Personalized Internet Pages

The growing popularity of blogs has turned them into a target for Botnet dissemination. The big platforms fell victim first, but as awareness grew, attention switched to less popular blog platforms. Some subject lines used randomly chosen words or misspelled subject lines to evade filtering.

Facebook is also vulnerable to BotNet attacks due to the fact that it provides access to inside files. Facebook uses two methods to identify and authenticate users: cookies, which contain session information, and hidden form IDs that are supposed to ensure that forms come from the user. With either a cookie or knowledge of a user’s form ID, an attacker can impersonate a victim. A cookie’s session information would allow an attacker to construct XMLHttp requests and assume all the same privileges as the user. This is due to the fact that a BotNet attack will have access to all files on the computer, including the cookie files on the computer. Israeli researchers have come to the conclusion, in research carried out at the Technion, Computer Science Department, that this type of Personalized Internet Page demonstrates huge potential to distribute different viruses, including Botnets and others. (According to these researchers, Facebook alone had 124,000,000 registered users as of September 10, 2008.) Despite the enormous potential to distribute different viruses, these networks were not used as a tool to distribute worms and viruses until recently, when a new worm by the name of Koobface started attacking personalized Internet pages; it distributes itself and endangers all such pages. (The research is in Hebrew.)

7.7 Vertical Text Spam

Experimenting with new methods to bypass tracing has proven effective when trying to evade the Zero Hour Detection of an attack. Playing with the display is one of the earliest methods of obfuscation, yet the use of Asian languages has an added value. Filters have difficulty due to the writing’s double-byte characters and the fact that the sentences have no spacing between words. The latest twist was embedding Chinese content with vertical orientation.

7.8 Mobile Applications

Wi-Fi has made surfing the web much more accessible via laptop computers, PDAs, smartphones and 3G cell phones. There have been mobile malware attacks in the past two years; however, they have been restricted to spreading viruses, as no new money-making scheme through cellular communication has yet emerged. The same protections are vital on laptops and PDAs, especially since they have turned into tools of the trade and sometimes contain even more sensitive data.

7.9 Sandboxing

In the constant chase after the development of malware, when the black hats compiled lists of researchers in their Botnet programming and made a special effort to exclude them from being targets of active malware, the researchers devised ways to get the Botnet to activate without harming the host computer. When the malware is quarantined in what is referred to as a “Sandbox”, it operates under the impression that it has reached its unsuspecting user, when in fact it is being probed and explored by security experts. Every finding is diagnosed and published for immediate practice. That is the nature of the online service and forum that supplement all three solutions discussed in this paper.

7.10 The Development of BotNets in the Future

According to a survey that was carried out by different Tier 1 and Tier 2 providers, a few interesting conclusions were reached that can indicate how “tomorrow’s” BotNets will look.

The number of BotNets increases daily but their size decreases. A few years ago, we could have identified BotNets that incorporated 80,000-140,000 computers; today, this number has decreased to a few thousand or even hundreds. This phenomenon can be explained by the fact that smaller BotNets are harder to identify and much easier to sell or rent. An additional reason derives from the fact that almost every computer today has broadband, and therefore a few hundred computers with 1Mbps each can saturate the OC-3 link that serves many networks.

It is certain that BotNets are a desired product in the market, and many people are willing to pay in order to purchase a BotNet. When there is demand from the market, there is also supply, so we can expect BotNets to continue to develop and to be a very serious threat to today’s computers.

Chapter 8: Trends of Security Products

The following are the trends in security products against Bots developed by Israeli companies, whose technology is used by different companies around the world.

8.1 Mi5 Networks

Mi5 takes a different approach to detecting and blocking bots. Instead of just relying on IP blacklists or desktop signature detection, Mi5 has developed a series of patent-pending algorithms that use a combination of cues to detect and block Bots. The technology looks inside the company’s network for C&C communication, IP scanning, spamming and other BotNet activity, and develops a “confidence score” for the traffic coming off Bot-infected PCs.

As soon as some activity is detected, Mi5’s technology, the WebGate, flags the PC as “suspected.” Once enough of Mi5’s algorithm triggers have been tripped, and when Mi5 is confident the machine has an active Bot on it, the WebGate flags the PC as “active” and blocks outbound Bot communications. But since typically only 5-15% of Bot-infected PCs are active at any one point in time, Mi5 goes one step further, marking PCs that had active Bot activity but are no longer communicating as “Inactive.” With that information, administrators can prioritize the cleanup work and focus on the active Bots first.

Mi5’s WebGate appliances not only block incoming Bot and Trojan infections, but also track the spread of BotNet infections throughout the organization, and prevent Bots from sending any data back out of the organization.

This company’s BotNet capabilities are included with every WebGate appliance, so no separate point solutions are needed to tackle the BotNet problem in the enterprise.
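An added illustration of the suspected/active/inactive workflow described in this section. It is not Mi5’s code: the patent-pending algorithms are not public, so the cue names, weights, thresholds, quiet period, host names and events below are constructed assumptions that only model the flow the text describes.

```python
"""Confidence-score tracker for internal PCs, modelled on the WebGate flow
above (constructed assumptions, not Mi5's algorithms): cues raise a score,
the PC becomes "suspected" then "active" (outbound Bot traffic blocked),
and an active PC that goes quiet becomes "inactive", not clean."""
from collections import defaultdict

CUE_WEIGHTS = {"cnc_beacon": 40, "ip_scan": 25, "spam_burst": 35}  # constructed
SUSPECTED_AT = 40      # a single strong cue is enough to suspect a PC
ACTIVE_AT = 80         # several independent triggers have been tripped
QUIET_SECONDS = 3600   # an active PC silent this long is marked inactive


class BotTracker:
    def __init__(self):
        self.score = defaultdict(int)              # host -> confidence score
        self.last_seen = {}                        # host -> time of last Bot cue
        self.state = defaultdict(lambda: "clean")  # clean/suspected/active/inactive
        self.blocked = set()                       # hosts whose outbound Bot traffic is dropped

    def observe(self, ts, host, cue):
        """Record one detected cue (C&C beacon, IP scan, spam burst); return new state."""
        self.score[host] += CUE_WEIGHTS[cue]
        self.last_seen[host] = ts
        if self.score[host] >= ACTIVE_AT:
            self.state[host] = "active"
            self.blocked.add(host)  # stays blocked if it later goes quiet: still infected
        elif self.score[host] >= SUSPECTED_AT:
            self.state[host] = "suspected"
        return self.state[host]

    def outbound_allowed(self, host):
        return host not in self.blocked

    def tick(self, now):
        """Age out: active PCs that stopped communicating become inactive."""
        for host, state in list(self.state.items()):
            if state == "active" and now - self.last_seen[host] >= QUIET_SECONDS:
                self.state[host] = "inactive"

    def cleanup_queue(self):
        """Cleanup order the section suggests: active first, then inactive, then suspected."""
        rank = {"active": 0, "inactive": 1, "suspected": 2}
        hosts = [h for h, s in self.state.items() if s in rank]
        return sorted(hosts, key=lambda h: (rank[self.state[h]], -self.score[h]))


SAMPLE_EVENTS = [  # (timestamp, host, cue), constructed
    (0, "pc-17", "cnc_beacon"),
    (60, "pc-17", "ip_scan"),
    (120, "pc-17", "spam_burst"),   # three cues: confidently active
    (300, "pc-42", "cnc_beacon"),   # one strong cue: suspected only
    (500, "pc-09", "ip_scan"),      # a weak cue alone stays below the suspected threshold
]


def run_sample():
    tracker = BotTracker()
    for ts, host, cue in SAMPLE_EVENTS:
        tracker.observe(ts, host, cue)
    tracker.tick(now=120 + QUIET_SECONDS)   # pc-17 has been silent for an hour
    return tracker


if __name__ == "__main__":
    t = run_sample()
    for host in ("pc-17", "pc-42", "pc-09"):
        print(host, t.state[host], "score", t.score[host], "outbound", t.outbound_allowed(host))
    print("cleanup order:", t.cleanup_queue())
```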

8.2 CheckPoint

Checkpoint is developing technology for securing the network infrastructure. They develop firewall security products which give security features such as integrated intrusion prevention, virtualization, gateway anti-virus, anti-spam, web content filtering, as well as IPSec and SSL VPN remote access for computers and mobile devices. CheckPoint also offers standalone intrusion prevention and SSL VPN solutions as part of a unified security architecture. With a unified architecture, their network security solutions provide core technologies that enable an organization to deploy a consistent, high level of security throughout the entire organization.

Their technology: IPS-1 is an intrusion prevention product. It is a dedicated intrusion detection and prevention system (IDS/IPS) that helps organizations secure their enterprise network, and protect servers and critical data against worms, automated malware such as BotNets, and blended threats both known and unknown. This solution is a turnkey appliance and also software that can run on open servers.

The technology has:

1. A Hybrid Detection Engine, which can leverage multiple detection and analysis techniques to prevent network- and application-layer attacks.

2. Attack Confidence Indexing, which blocks only confirmed, genuine attacks and thus ensures protection without impacting business operations.

3. Multi-alert Correlation, which identifies patterns in alert activity that would otherwise be reported as separate, unrelated events.

4. Dynamic Worm Mitigation, which identifies and blocks rapidly propagating worms.

5. Efficient management, which overcomes data overload with tools that provide direct, graphical focus only on the important security events associated with critical business systems.

8.3 CommTouch Ltd.

Commtouch developed security technologies for e-mail communication, which has become, on the one hand, the most widespread form of communication and, on the other, a means to break into computers and spread BotNets and other malicious spam. Their development is spam and Zero-Hour™ virus outbreak protection. Their two main products are:

1. Their Anti-Spam Solution is a technology that gives real-time protection from new outbreaks. It captures spam at a high rate. The technology is specially developed to produce no false positives.

2. Another product Commtouch developed is the Zero-Hour™ Virus Protection, which is aimed at detecting new virus outbreaks. This product is a signature-less technology which blocks suspect messages rapidly.

8.4 BEYOND SECURITY LTD.

This company developed a tool to uncover security holes in servers, expose vulnerabilities in the corporate network, check computer systems for the possibility of hostile external attacks and audit vendor products for security holes.

The company’s first product is a security portal on the Internet that researches security vulnerabilities and issues security alert updates. It provides warnings and then provides solutions to these vulnerabilities.

The company developed an automated scanning engine. This product scans the organization’s network and simulates attacks originating from either the internal or the external network. It then gives a report of the security vulnerabilities of the organization and gives possible solutions to fix those vulnerabilities. The engine of the product is updated on a regular basis with the most recent security vulnerabilities.

8.5 PINEAPP LTD.

This company develops technology to secure networks and email systems from attacks such as Botnets, spam and other malicious attacks.

The company developed three solutions:

1. Mail-SeCure is an email perimeter security protection. This technology combines a three-tier engine with a threat filtering suite. The engine consists of a multi-layered Anti-Virus, a Zero-Hour detection engine and a multi-layered Anti-Spam engine with Image-based Spam detection technology.

2. Mail-SeCure, an email perimeter security appliance that protects from targeted and non-targeted email-related threats.

3. Surf-SeCure is an in-line real-time filtering system that protects the organization from threats such as Viruses & Spyware, enforcing the organization’s surfing policy using content filtering tools such as a URL database and Active Content Recognition.

8.6 Applicure Technologies Ltd.

This company develops multi-platform web application security software products to protect websites and web applications from external and internal attacks. The company studies hacker behavior and, based on these studies, their solution identifies attacks such as BotNet, SQL Injection, Cross-Site Scripting and many other application-level attacks, and stops them before they reach the website or application.

network and server threats including Zero-Day attacks such as BotNets and Trojan horses without requiring human intervention.

Bibliography

Articles and Essays

1. “The End of Spam”, Globes, July 7, 2008.

2. “The trouble with threat modeling” by Adam Shostack, a series of blog posts, 2008.

3. “Cyber Assaults on Estonia Typify a New Battle Tactic”, The Washington Post, May 19, 2007.

4. “Digital Fears Emerge After Data Siege in Estonia”, The New York Times, May 24, 2007.

5. “Hundreds of sites infected with dynamic malware”, ZDNet, Jan 18, 2008.

6. “The Art of Cyber Warfare”, Part 1: The Digital Battlefield, Tech News World, Apr 29, 2008.

7. “The Art of Cyber Warfare”, Part 2: Digital Defense, Tech News World, Apr 30, 2008.

8. “Hackers Inc”, NRG, Jan 8, 2007.

9. “Threat Modeling, Once Again” by Larry Osterman, a series of blog posts, 2007.

10. “Enemies Upon You”, Network, Information Week, Dec 10, 2007.

11. “Attack of the Bots”, Wired, Nov 2006.

12. “Gone Spear-Phishin’”, The New York Times, Dec 4, 2005.

Personal Interviews

1. Commtouch CTO & President, Amir Lev.

2. Beyond Security CEO, Aviram Jenik.

3. PineApp CEO, Hezi Erez.