  • Transcript

    • 1. “Botconomics” – Mastering the Underground Economy of Botnets. LACNIC, May 2008. Kleber Carriello de Oliveira, Consulting Engineer, Arbor Networks
    • 2. Agenda
      • Malware, Botnets & DDoS
      • An Underground Economy: “Botconomics”
      • Questions & Answers
    • 3. What’s in a Denial of Service (DoS) Attack?
      <attack id="122002" start="2006-10-14 02:21:47" stop="2006-10-14 03:36:11">   # About an hour and 15 minutes duration
        <severity importance="1" lrm="0.9077" red_rate="1e+06" unit="pps"/>
        <type class="3" subclass="5" />   # Misuse Null TCP
        <direction type="Incoming" name="anonymous" gid="756"/>
        <protocols> 6 </protocols>   # IP Protocol 6, TCP
        <tcpflags></tcpflags>   # No Flags - Null TCP
        <source>
          <ips> </ips>   # Very well distributed or Source-spoofed IPs
          <ports> 0-65535 </ports>   # Very well distributed source ports
        </source>
        <dst>
          <ips> xx.xx.X.X/32 </ips>   # Surprise, undernet IRC Server…
          <ports> 6667 </ports>   # 6667 IRC
        </dst>
        <infrastructure num_routers="19" num_interfaces="52" sum_bps="622878440000" sum_pps="15571961000" max_bps="1980325333" max_pps="6188517" />
      </attack>
      Source: ISC
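A small parser for attack records in the shape shown on this slide, added here as an example (it is not ISC's or Arbor's code). The record is constructed from the slide's own values with the quotes restored; the protocol and port lookup tables are hand-picked subsets, not a full services file. It pulls out what an analyst reads first: duration, the Null-TCP misuse (TCP with no flags), the spoofed/distributed-source hint, the IRC destination, and the peak rates.

```python
"""Parse and summarize an attack record in the XML shape shown on the slide.

Added example, not ISC's or Arbor's code. The record below is constructed
from the slide's own values; the port/protocol tables are small hand-picked
lookups, not a full services file.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

# Constructed sample: the slide's record with the quotes restored.
ATTACK_XML = """<attack id="122002" start="2006-10-14 02:21:47" stop="2006-10-14 03:36:11">
  <severity importance="1" lrm="0.9077" red_rate="1e+06" unit="pps"/>
  <type class="3" subclass="5" />
  <direction type="Incoming" name="anonymous" gid="756"/>
  <protocols> 6 </protocols>
  <tcpflags></tcpflags>
  <source>
    <ips> </ips>
    <ports> 0-65535 </ports>
  </source>
  <dst>
    <ips> xx.xx.X.X/32 </ips>
    <ports> 6667 </ports>
  </dst>
  <infrastructure num_routers="19" num_interfaces="52" sum_bps="622878440000"
                  sum_pps="15571961000" max_bps="1980325333" max_pps="6188517" />
</attack>"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}      # IANA protocol numbers (subset)
PORT_NAMES = {53: "DNS", 80: "HTTP", 6667: "IRC"}   # well-known ports (subset)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _text(elem, path, default=""):
    """Stripped text of a child element, or `default` if absent/empty."""
    node = elem.find(path)
    if node is None or node.text is None:
        return default
    return node.text.strip()


def parse_attack(xml_text):
    """Pull the fields an analyst reads first out of one <attack> record."""
    root = ET.fromstring(xml_text)
    start = datetime.strptime(root.get("start"), TIME_FMT)
    stop = datetime.strptime(root.get("stop"), TIME_FMT)
    proto = int(_text(root, "protocols", "0"))
    flags = _text(root, "tcpflags")
    dst_port = int(_text(root, "dst/ports", "0"))
    sev = root.find("severity")
    infra = root.find("infrastructure")
    return {
        "id": root.get("id"),
        "duration_min": round((stop - start).total_seconds() / 60, 1),
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        # TCP with no flags at all is the "Null TCP" misuse the slide names.
        "null_tcp": proto == 6 and flags == "",
        # An empty source list plus the full port range is what spoofed or
        # very widely distributed sources look like in a summary record.
        "spoof_suspected": (_text(root, "source/ips") == ""
                            and _text(root, "source/ports") == "0-65535"),
        "dst_ip": _text(root, "dst/ips"),
        "dst_service": PORT_NAMES.get(dst_port, str(dst_port)),
        "rate": float(sev.get("red_rate")),
        "rate_unit": sev.get("unit"),
        "max_gbps": round(int(infra.get("max_bps")) / 1e9, 2),
        "max_mpps": round(int(infra.get("max_pps")) / 1e6, 2),
        "routers_seen": int(infra.get("num_routers")),
    }


def summarize(xml_text):
    """One-line analyst summary of the record."""
    r = parse_attack(xml_text)
    kind = "Null-TCP flood" if r["null_tcp"] else r["protocol"] + " flood"
    return (f"attack {r['id']}: {kind} against {r['dst_ip']} ({r['dst_service']}), "
            f"{r['duration_min']} min, peak {r['max_gbps']} Gbps / {r['max_mpps']} Mpps "
            f"across {r['routers_seen']} routers"
            + (", sources look spoofed/distributed" if r["spoof_suspected"] else ""))


if __name__ == "__main__":
    print(summarize(ATTACK_XML))
```

The duration works out to 74.4 minutes, matching the slide's "about an hour and 15 minutes", and the peak of roughly 1.98 Gbps / 6.19 Mpps toward TCP/6667 is what makes the "Surprise, undernet IRC Server" remark land.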
    • 4. Threat Time Line: NBA is Another Layer of Defense
      Timeline figure (labels only): Discover Vulnerability; Advisory; Patch; AV/IDS Available; New Version; zero-day Exploit; Variant Released; Reverse Engineer/new exploit. Defensive layers shown: PATCH MANAGEMENT, NETWORK ADMISSION, Network Behavioral Analysis with PEAKFLOW X.
    • 5. Anti-Virus and IDS Detection Rates
      • Projected that between 75k-250k new malware families or variants were released in 2006 (one released every 1-3 minutes)
      • Source: Internet Malware Classification and Analysis ; University of Michigan & Arbor Networks, Inc., 2007
      • Some samples still not detected a year after collection of malware.
      • Almost half the samples in the small dataset undetected, and one quarter in the large
      • AV fails to detect malware between 20% and 62% of the time!
    • 6. Though Necessary, AV Performance Poor
      • Research puts most AV performance very low
        • ~38 AV products (open source & commercial)
        • Average 28-32% hit rate for newer threats
        • AV Vendors change heuristics to improve results - but raises false-positives rate
        • Why?
          • Signature 1: 1000100010011111
          • New variant: 1000100010010001 - No AV Match
          • Minor obfuscation techniques
          • Packers
          • Polymorphic; e.g., recompile
        • Getting better; more behavior-based functions, less static file analysis
        • Behavior-based solutions augment
          • Cisco CSA, Sana Security host behavior (file, process, network state)
          • NBA, Network Behavioral Analysis coupled with threat feeds (e.g., Arbor’s ATF & Peakflow X)
    • 7. Bots: Putting the ‘(D)’ in (D)DoS
      • “Got bot?”
        • A bot is a servant process on a compromised system (unbeknownst to the owner), usually installed by a Trojan or Worm.
        • Communicates with a handler or controller via public IRC servers or other compromised systems.
        • A botmaster or botherder commands bots to perform any of a number of different functions.
        • System of bots and controller(s) is referred to as a botnet or zombie network.
    • 8. Anatomy of a DDoS Attack
      Diagram (labels only): Internet Backbone; UK Broadband, US Corp, US Broadband, JP Corp., Provider, The Peaceful Village; bots (B), botnet master (BM), C&C. Sequence shown: Systems Become Infected; Bots connect to a C&C to create an overlay network (botnet); Controller Connects; Botnet master Issues attack Command; Bots attack; Bye Bye!
    • 9. Anatomy of Botnet Construction
      • Exploit vector (e.g., TCP/135)
      • Second stage functions (e.g., TFTP, FTP, HTTP) to download bot software, C&C instructions
      • Bot is executed, connected to C&C infrastructure
        • often IRC, identified by DNS
        • Bot connects to channel (e.g., USA|743634) of C&C
        • Passwords often required
        • C&C often employs encryption, anti-cloaking techniques
    • 10. Malware Delivery
      • Traditionally, worms with self propagation vector, not remote control function
      • Last real virus - Melissa; 1999
      • Today email and other application-level functions laden with Trojans
      • Now delivered via web sites - drive-by installs
        • Projected 1 in 10 web sites hosts malicious content
        • Web-based delivery means are outpacing email, viruses, etc.
        • Example: Dolphin stadium web site compromised to host malicious content just before Super Bowl in early 2007
        • iframe functions popular today
          • <iframe src="; width="460" height="60"...></iframe>
      • Interesting read: The Ghost in the Browser
      • Clever new attacks include multi-layer attacks:
        • Compromise
        • Grab proxy IP; arpspoof, proxy
        • iframe insertion, local malware delivery, etc..
    • 11. Engineering Malware: disable updates, speed tests..
      • Engineer around current AV DBs
      • Disable auto-update functions
      • Evaluate connectedness of asset
      • Employ
      Upon compromise, perform browser-esque speed tests to the following sites using Mozilla/4.0 (compatible; MSIE 6.0; WIN NT 5.1; Hotbar :
    • 12. Sophisticated Botnet Management & Statistics
      • Graphical user interface
      • Performance Statistics
    • 13. Reflective Amplification Attacks
      Diagram: Attacker (a), Victim (v), Resolver (r). Query: a → r with the source IP of the Victim (v) spoofed; Response: r → v. Source IP of Victim (v) spoofed when query sent to resolver; resolver receives, responds to v. 55-byte query elicits 4200-byte response.
      A botnet with as few as 20 DSL-connected homes (1 Mbps upstream each) can generate 1.5 Gbps of attack traffic with DNS reflective amplification attack vectors such as those employed for root server attacks in early 2006 (1:76 amplification factor). Most enterprises have little more than 155 Mbps Internet connectivity.
    • 14. Application of Anti-Spoofing Measures
      • Deployment still far from ubiquitous (hence the effectiveness of reflective attacks)
      • Largest deployment burden
        • hardware support
        • configuration management
        • Authoritative IP ownership repository
      • ‘Loose-mode RPF’ likely creates a false sense of protection
      Should assume a slightly more clueful respondent pool than the general population, so actual deployment numbers are likely lower
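Why loose-mode RPF gives a false sense of protection is easiest to see by running both checks against the same forwarding table. The following is an added example, not any vendor's implementation: the FIB, interface names and addresses are constructed (RFC 5737 documentation ranges), and the rule that a default route satisfies the check only when explicitly allowed is an assumption modelled after common router defaults.

```python
"""Strict vs loose unicast RPF (uRPF) against a small forwarding table.

Added example, not any vendor's implementation. The FIB, interface names and
addresses are constructed (RFC 5737 documentation ranges). It models the
generic rule only; "the default route counts only when explicitly allowed"
is an assumption modelled after common router defaults.
"""
import ipaddress

# Constructed FIB of an access router: prefix -> egress interface.
FIB = {
    "203.0.113.0/24": "cust0",     # customer A's assigned block
    "198.51.100.0/24": "cust1",    # customer B's assigned block
    "192.0.2.0/24": "upstream0",   # some remote network, reached via the upstream
    "0.0.0.0/0": "upstream0",      # default route toward the upstream
}

# Longest-prefix-first order, so the first containing entry wins.
_ROUTES = sorted(((ipaddress.ip_network(p), ifc) for p, ifc in FIB.items()),
                 key=lambda e: e[0].prefixlen, reverse=True)


def lookup(src):
    """Longest-prefix match for an address; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    for net, ifc in _ROUTES:
        if addr in net:
            return net, ifc
    return None


def urpf_passes(src, ingress, mode, allow_default=False):
    """True if a packet with source `src` arriving on `ingress` passes uRPF.

    strict: the best route to `src` must point back out the ingress interface.
    loose:  any route to `src` is enough, regardless of interface.
    """
    hit = lookup(src)
    if hit is None:
        return False
    net, ifc = hit
    if net.prefixlen == 0 and not allow_default:
        return False            # matched only the default route
    if mode == "loose":
        return True
    if mode == "strict":
        return ifc == ingress
    raise ValueError(f"unknown uRPF mode: {mode}")


def compare_modes(ingress="cust0"):
    """Constructed packets seen on a customer-facing interface, checked both ways."""
    cases = {
        "own prefix (legitimate)": "203.0.113.7",
        "spoofed: remote network": "192.0.2.9",
        "spoofed: other customer": "198.51.100.5",
        "spoofed: unrouted/bogon": "10.0.0.1",
    }
    return {label: {"strict": urpf_passes(ip, ingress, "strict"),
                    "loose": urpf_passes(ip, ingress, "loose")}
            for label, ip in cases.items()}


if __name__ == "__main__":
    for label, res in compare_modes().items():
        print(f"{label:28s} strict={'pass' if res['strict'] else 'DROP'} "
              f"loose={'pass' if res['loose'] else 'DROP'}")
```

On the customer-facing interface, strict mode drops every spoofed source except ones inside the customer's own prefix, while loose mode passes any source that has a route at all, which on a router carrying a full table is almost the whole Internet; the only thing loose mode stops here is the unrouted bogon. That is exactly the reflective-attack case on the previous slide, where the spoofed source is a routable victim address.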
    • 15. Attack Scale Still Increasing Considerably
      • Proliferation of broadband connectivity
      • Increased virulence of attack vectors
      • Sophistication of bot management software
      • ‘01 - ‘03 data projections based on public and private information regarding prominent attacks
      • Largest attacks (22 & 24 Gbps) reported by large content provider and hosting providers
      • Both >20 Gbps attacks reported to have been DNS reflective amplification attacks
      • Most backbone link speeds have 10G maximum capacity today
    • 16. DDoS Attacks: Taking Advantage of Our Broadband
      • Botnets take advantage of “our” unlimited broadband pipes and PCs for amplification attacks and brute-force flooding attacks
      • ISPs are taken offline in the process of trying to mitigate these attacks.
      Diagram (labels only, steps 1-6): ISP A (T1 AGG RTR, T1); Transit ISP (GE); Target; ISP n. Labels: 3 Mbps DDoS - teeny tiny attack - well, to Transit ISP, not ISP A; 512k; Attack Target Gone; Collateral Damage; Much BIGGER Attack.
    • 17. DNS Attacks - When & What?
      Timeline markers: OCT 2002, NOV 2002, JUN 2004, OCT 2004, NOV 2004, JAN-FEB 2006, NOV 2006, FEB 2007
      • Root Server Attacked: Duration 1 hour; Multi-modal: smurf, ICMP, port 53; “7” Root Servers appear unreachable; Impact: No noticeable user effect
      • UltraDNS TLD Servers Attacked: Duration 24 hours+; ICMP 0,8 and then port; Easily filtered -- uses pure volume of packets to disable; Results in 2-way traffic load; Impact: No noticeable user effect
      • Akamai attacked: Duration 4 hours; No mitigation possible; Port 53, UDP, valid queries; Multi-millions queries per second; Impact: Global Impact
      • DDoS for hire (extortion): The golden age for worms/trojans; The perfect DNS DDoS in the wild; No protocol based defense or mitigation; Attack on Bandwidth, not applications or servers - 11 Gbps+; Impact: Significant collateral damage
      • January-February: .com, .net (Verisign), .org (UltraDNS); Utilized open recursive servers; Average attack 7-10 Gbps; TLD Operators have no successful defense; Impact: Considerable user impact
      • G, L & M Root Servers, Other TLDs (UltraDNS)?: Utilized large bogus DNS UDP queries from many bots; Aggregate attacks 10 Gbps+; Mitigate: Special Hardware; Impact: 90% Traffic dropped, localized user impact
      • NOV 2006 UUNet Attack - 2nd Level DNS: UDP/53, auth servers for; Spoofed source IPs - 800 Kpps; Impact: End-user/customer; Mitigated with Cisco Guard-XT; Collateral damage: 2x .gov & 2 7206s in network path
      • Root & TLD Attacks (summary): Spoofed source IPs; Large Bogus Queries; 10+ Gbps; Regionalized User Impact
    • 18. Botconomics
      • Amalgamation:: botnets && economics == botconomics
      • Botconomics: it’s all about the $$$$
    • 19. Three Tiers of Cyber Criminals
      • Script Kiddies: Political/Ego-driven; improve halo reputation
      • Organized Crime: Economically Motivated - all about the $$$
      • Cyber Terrorism: Cyber Espionage; Asymmetric Warfare
    • 20. An Underground Economy: “Botconomics”
      • Religious, Political
        • Estonia
        • Denmark Cartoon Rage
      • Ego-driven (gaming, IRC)
      • Extortion (SuperBowl, World Cup - can your bookie afford to be offline?)
        • $2B US Each - $48B Market
        • Player SLAs
      • Lift email, targeted spam, spear phishing (>90% spam through bots)
    • 21. Botconomics: Botnets are a business worth protecting
      • Jersey Joe (2005)
      • What’s easier:
        • One wallet in the subway
        • 100 credit cards online?
      • CC forums
      • Lift CD Keys
        • Used to build cheap systems; can’t patch -> quickly compromised
      • Is that webcam running?
      • Bogus e-file sites - proxy transaction, switch direct deposit bank account numbers - could be into a stolen account to extract via wire transfer, ATM transaction, etc..
      • Miscreants likely patch more systems than typical end users, through automation
      • Rbots use still cameras or webcams to capture video and still images(!) - transmit them to a drop site
    • 22. Botconomics: Identity Theft & Fraud
      • Global organized crime
      • How many people here:
        • Have ever bought anything online?
        • Bank online?
        • Have a credit card
        • Have a mortgage or pay rent?
        • Were in the military
        • Have ever been to a medical office?
        • If you said yes to any of the above, you’re at risk
      But who’d be dumb enough to fill this out? ‘full creds’ Hey Kleber, quick question for you. IF…..??
    • 23. Botconomics: It doesn’t matter if you don’t use your credit card on line!
      • The databases that contain all your in-person credit card transactions are where the money is.
      • Hits close to home.
      • But what do you do with 46 Million stolen credit card data sets?
      • Sell them - individual, bundle, wholesale
      • Use them to buy stuff online (e.g.,
      • CC Forums - brokerage houses, printed cards..
        • Buy stuff
        • Get cash advances
        • Need to monetize
      Item                                                                     Advertised Price (US $)
      US-based credit card with card verification value                        $1 - $6
      UK-based credit card with card verification value                        $2 - $12
      List of 29,000 emails                                                    $5
      Online banking account with a $9,900 balance                             $300
      Yahoo Mail cookie exploit -- facilitates full access when successful     $3
      Valid Yahoo and Hotmail email cookies                                    $3
      Compromised computer                                                     $6 - $20
      Phishing Web site hosting - per site                                     $3 - $5
      Verified PayPal account with balance (balance varies)                    $50 - $500
      Unverified PayPal account with balance (balance varies)                  $10 - $50
      Skype account                                                            $12
      World of Warcraft account - one month duration                           $10
      Source: Symantec Internet Security Threat Report - March 2007
    • 24. Botconomics: Increase in Sophistication and Marketing
      • Key loggers
        • Gotta get those “full creds”
      • Drop Sites
      • Click Fraud
      • Bot trading & Marketing
        • .net - $.05
        • .gov - $1.00
        • - $.05
      • “Better Marketing by the Botherders”
        • Excellent ping & uptime
        • Rotating IP addresses
        • Different ISPs
        • Intuitive User Interface
        • SLAs - 100 percent uptime guarantee!
    • 25. Botconomics: Closing the Loop
      • Phishing Systems
        • Command & Control
        • Hosting phishing sites
        • Lift email addresses
        • Spam phishing messages
        • Drop Sites
        • All bots!
      • Botnet Defense Systems
        • Attack anti-phishing, anti-spam and anti-botnet companies
          • BlueSecurity
          • CastleCops
      [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 " " "Mozilla/4.0 (compatible)"
      [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 " " "Mozilla/4.0 (compatible)"
      [19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html#898068 HTTP/1.0" 200 497 "-" "Mozilla/4.0 (compatible)"
      [19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html#898068 HTTP/1.1" 200 497 "-" "Mozilla/4.0 (compatible)"
      [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 " " "Mozilla/4.0 (compatible)"
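The log excerpt above is what a bot-driven HTTP flood against a forum looks like from the web server's side: identical requests in the same second, identical response sizes, and a bare "Mozilla/4.0 (compatible)" user-agent. The following detection logic is an added example, not code from Arbor's blog. The five bot lines are the slide's own (quotes restored); the two browser lines are constructed so normal traffic sits next to them. Client IP and ident fields are absent, as on the slide, so requests are grouped by (second, user-agent) rather than by client.

```python
"""Spot a bot burst in web-server access-log lines like those on the slide.

Added example, not from Arbor's blog. The five identical lines are the
slide's own (with quotes restored); the two browser lines are constructed.
The client IP and ident fields are absent, as on the slide, so the grouping
key is (second, user-agent) instead of client address.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

SAMPLE_LOG = """\
[19/Feb/2007:15:10:17 +0000] "GET /index.html HTTP/1.1" 200 8121 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2"
[19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 " " "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 " " "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html#898068 HTTP/1.0" 200 497 "-" "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html#898068 HTTP/1.1" 200 497 "-" "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 " " "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:19 +0000] "GET /style.css HTTP/1.1" 200 1204 "http://example.invalid/index.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2"
"""

# A user-agent with no OS or version detail is a weak signal on its own, so it
# only annotates a burst rather than triggering one.
GENERIC_UA = re.compile(r"^Mozilla/4\.0 \(compatible\)$")


def parse_line(line):
    """Parse one line into a dict, or None if it does not match the format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_bursts(log_text, per_second=3):
    """Group requests by (second, user-agent); report groups at/above threshold.

    Each finding records the request count, whether every response had the
    same size (a sign the client ignores what it fetches) and a generic-UA flag.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["ts"], rec["ua"])].append(rec)
    findings = []
    for (ts, ua), recs in sorted(groups.items()):
        if len(recs) < per_second:
            continue
        findings.append({
            "second": ts,
            "user_agent": ua,
            "requests": len(recs),
            "uniform_size": len({r["size"] for r in recs}) == 1,
            "generic_ua": bool(GENERIC_UA.match(ua)),
        })
    return findings


if __name__ == "__main__":
    for f in find_bursts(SAMPLE_LOG):
        print(f)
```

The threshold of three requests per second per user-agent is a constructed value for the sample; on a real forum it would be set from the site's own baseline, which is the same idea the NBA slides later apply at the network level.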
    • 26. From Arbor’s BLOG
    • 27. The Phish….
      • Build the phishing site, host on bot; perhaps proxy actual site
      • Spam the phish message - perhaps targeted (spear)
      • Go to:
        • <a href=";></a><br>
      • Throw the spoils on a couple of drop sites - more bots
      • Use the spoils to transfer money directly, use to transfer money internationally, etc..
    • 28. Where’s the Money Going?
      • Funding an “online dating service for al-Qaeda?
      • “ investigators say they found some 37,000 stolen credit card numbers. Alongside each credit card record was other information on the ID theft victims, such as the account holder's address, date of birth, credit balances and limits.”
      • “ ..jihadists might need for their battle against the American and allied forces in Iraq, including global positioning satellite (GPS) devices, night-vision goggles, sleeping bags, telephones, survival knives and tents.”
    • 29. Operation Spamalot
      • On Friday, Dec. 15, 2006, shares in Apparel Manufacturing Associates, Inc. (APPM) closed at $.06, with a trading volume of 3,500 shares. After a weekend spam campaign distributed emails proclaiming, "Huge news expected out on APPM, get in before the wire, We're taking it all the way to $1.00," trading volume on Monday, Dec. 18, 2006, hit 484,568 shares with the price spiking to over 19 cents a share. Two days later the price climbed to $.45. By Dec. 27, 2006, the price was back down to $.10 on trading volume of 65,350 shares.
      • On Dec. 19, 2006, trading in Goldmark Industries, Inc. (GDKI) closed at $.17 on trading volume of 126,286 shares. On Dec. 20, 2006, the spam campaign started, with e-mail proclaiming "GDKI IS MAKING EVERYONE BANK!," and setting a 5-day price target of $2. By Dec. 28, 2006, spam emails boasted of the price spike that had already been achieved -- "$.28 (Up 152% in 2 days!!!)" -- and promised a 5-day price target of $1. That same day, GDKI closed at $.35 on a volume of more than 5 million shares. By January 9, 2007, the closing share price was back down to $.15.
      Attack Vector?
    • 30. Good News?
      • The financial losses are at a point where industry must invest - obvious from Financials to LEOs discernible uptick in activity
      Chart (labels only): US $ - Billions vs. Time; Losses Annually; Factored Losses; Tolerance Threshold; Cyber Crime Losses; Traditional Fraud ~$20B US
    • 31. Arbor’s Worldwide Infrastructure Security Report
      • Demographics:
        • 70 self-classified tier-1, tier-2, and hybrid IP network operators in North America, Europe & Asia
      • Key Findings:
        • Most significant operational threats are:
          • #1 Botnets, #2 DDoS
        • Frequency, size and complexity of attacks are growing
          • 22 & 24 Gbps attacks reported
          • More Application Layer attacks
        • ISPs finish the job
        • DDoS Managed Services activity grows 800%
        • Less than 2% reported to Law Enforcement
    • 32. DDoS Mitigation Techniques
      • Good & bad news
        • Bad: SPs still effectively complete attack (protect network availability)
        • Good: More mitigation solution deployment (scrub- ARBOR TMS, flow spec, etc..) and service offerings - nearly 10x increase percentage wise, even with wider respondent pool
      • Can’t win bandwidth game (e.g., consider Storm with reflective amplification)
      • New mitigation infrastructure only applies to MS customers
      • Mitigation highly fragmented - little incentive to follow-up with ingress (or even upstream/ adjacent) network for host cleanup - malicious activity recurrence factor considerable
      Detection without mitigation - hrmm…
    • 33. Intelligent Mitigation
      • Netflow + DPI
      Diagram (Peakflow SP, TMS): Flows sent to the collector system; System detects the attack; Mitigation process is started; The system talks with the scrub to clean the traffic; Inject BGP route (off-ramping); Scrub inspects each packet against its rules and network behavior.
    • 34. Attack Scale & Frequency
      • Attacks from the perspective of a single ISP and single attack vector, thus the aggregate for many is likely to be much higher
      • Cross-correlation of targets and times provides considerable insight
      • Doesn’t necessarily matter - scale all about perspective
      Estonia Attacks 4 Mpps aggregate at peak
    • 35. Even Cyber Criminals Take Some Time Off
      • Data derived from Arbor products deployed in 70% of world’s ISPs
    • 36. Attack on Russia - Arbor’s Global Visibility Detect multi-ISP distributed attack
    • 37. A Solution: Network Behavioral Analysis (NBA)
      • Network transactional information + control plane data enables baselines (statistical and relational) that allow abnormalities to be identified
      • Network-based mitigation can be performed based upon NBA
      • Even to detect zero-day threats (e.g., many families have same network behavioral fingerprint but different payload)
      • Based on compound temporal functions, as well as single packet transactions (e.g., known botnet C&C, UN Export Restricted Nations, known malware distribution sites, etc..)
    • 38. Behavioral Fingerprinting
      • Unique variants require new virus detection definitions:
        • packers
        • polymorphism, recompile
        • minor obfuscation techniques for known packers
        • strings
      • E.g., 580+ Agobot variants
      • Fingerprinting behaviors allows for more generalized detection mechanisms
        • file status
        • process state
        • network transactions
      • Host and network-based detection models that employ relational modeling and network behavioral analysis provide substrate for zero-day threat identification
    • 39. Threat Modeling and Instrumentation
      • Sample: Blaster Worm
      Instrumentation of propagation and exploit vectors, with other second stage functions and modeling network transactions, allows development of ‘compound temporal network transactional signatures’
      • TCP/135
      • SYN (40), ACK (40), RPC BIND (112), RPC Req. (1744) FIN(40):
      • 1 Microflow:
        • 5 packets
        • 1984B
      • 2 RSTs
      • ----->>>
      • Subsequent: TCP/4444
      • N packets/bytes, subsequent to TCP/135 activity, from vulnerable host, etc..
      • Single stage threats much simpler (e.g., SYN to known botnet C&C)
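The Blaster sample on this slide, and the behavioral-fingerprinting point on the slide before it, can be turned into a small flow-level detector. The following is an added example, not Arbor's Peakflow logic. The flow records are constructed (RFC 5737 addresses); the stage-1 shape (TCP/135, 5 packets, 1984 bytes) and the TCP/4444 follow-on come from the slide, while the 60-second window, the byte tolerance and the "same host pair, same direction" pairing are assumptions. The single-stage rule (a TCP flow to a listed C&C address) is the last bullet's case.

```python
"""Compound temporal signature for a Blaster-style infection, over flow records.

Added example, not Arbor's Peakflow logic. Flow records are constructed
(RFC 5737 addresses). The stage-1 shape (TCP/135, 5 packets, 1984 bytes) and
the TCP/4444 follow-on come from the slide; the 60 s window, the byte
tolerance and the "same host pair, same direction" pairing are assumptions.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport packets nbytes")

TCP = 6
# Constructed watch list standing in for a threat feed of known botnet C&C.
KNOWN_CC = {"192.0.2.66"}


def is_blaster_stage1(f, byte_tol=64):
    """The slide's microflow: SYN, ACK, RPC BIND, RPC request, FIN on TCP/135."""
    return (f.proto == TCP and f.dport == 135 and f.packets == 5
            and abs(f.nbytes - 1984) <= byte_tol)


def detect_compound(flows, window=60):
    """Stage 1 on TCP/135 followed within `window` s by TCP/4444 between the same pair."""
    alerts = []
    stage1_seen = {}                      # (src, dst) -> time of stage-1 flow
    for f in sorted(flows, key=lambda x: x.ts):
        if is_blaster_stage1(f):
            stage1_seen[(f.src, f.dst)] = f.ts
        elif f.proto == TCP and f.dport == 4444:
            t0 = stage1_seen.get((f.src, f.dst))
            if t0 is not None and 0 <= f.ts - t0 <= window:
                alerts.append({"sig": "blaster-like", "src": f.src,
                               "dst": f.dst, "stage1": t0, "stage2": f.ts})
    return alerts


def detect_single_stage(flows):
    """Single-transaction rule: any TCP flow to a known C&C address."""
    return [{"sig": "c2-contact", "src": f.src, "dst": f.dst, "ts": f.ts}
            for f in flows if f.proto == TCP and f.dst in KNOWN_CC]


# Constructed flow records.
SAMPLE_FLOWS = [
    # Legitimate RPC use: more packets and bytes, no 4444 follow-on.
    Flow(100, "203.0.113.10", "203.0.113.20", TCP, 135, 14, 5210),
    # Infection attempt: exact stage-1 shape, then 4444 three seconds later.
    Flow(200, "198.51.100.7", "203.0.113.21", TCP, 135, 5, 1984),
    Flow(203, "198.51.100.7", "203.0.113.21", TCP, 4444, 9, 612),
    # Stage-1 shape, but the 4444 flow falls well outside the window.
    Flow(300, "198.51.100.8", "203.0.113.22", TCP, 135, 5, 1990),
    Flow(900, "198.51.100.8", "203.0.113.22", TCP, 4444, 9, 600),
    # A host reaching a listed C&C address on IRC.
    Flow(400, "203.0.113.23", "192.0.2.66", TCP, 6667, 3, 180),
]


def run(flows=SAMPLE_FLOWS):
    """All alerts, compound and single-stage, for a batch of flows."""
    return detect_compound(flows) + detect_single_stage(flows)


if __name__ == "__main__":
    for a in run():
        print(a)
```

Nothing in the rule looks at payload bytes, which is the point of the previous slide: a repacked or recompiled variant still has to open the same TCP/135 microflow and the same TCP/4444 follow-on, so the signature survives the 580+ variants that a byte-pattern AV definition does not.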
    • 40. Think of the Possibilities
      Diagram (labels only): Internet Backbone; UK Broadband, US Corp, US Broadband, Anti-Bot/Provider, The Peaceful Village; bots (B), botnet master (BM), C&C. Sequence shown: Systems Become Infected; Bots connect to a C&C to create an overlay network (botnet); Controller Connects; Botnet master Issues attack Command; Bots attack; Bye Bye! Roles the same bots fill: Phishing Site, Drop Site, Spam Relay, Open Proxy. Data flowing to the drop sites: Phishing Data, CD Keys, Keylogger, Personal ID, Video, Email, CC & PW, Financial data.
    • 41. Miscreant Feuding - Bot on Bot Attacks
      • Mpack & Storm (Trojan.Srizbi)
      • Upon compromise by MPack, malware is downloaded that checks for other rootkits and uninstalls them
      • Storm folks get perturbed, attack MPack malware distribution sites
    • 42. Conclusions
      • It’s all about layered [network] security - there IS NO silver bullet
      • Behavioral models coupled with real-time threat intelligence (e.g., Arbor’s ATLAS) can minimize threats; provide gap insurance and help hardening and prevention
      • Enable account transaction alerting and keep an eye on those credit reports…
    • 44. EOF Kleber Carriello de Oliveira [email_address]