Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg

  • 494 views
Uploaded on

Eric Vanderburg, Director of Information Systems and Security at JurInnov, presents "Eradicate the Bots in the Belfry" at the Information Security Summit.

Eric Vanderburg, Director of Information Systems and Security at JurInnov, presents "Eradicate the Bots in the Belfry" at the Information Security Summit.

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
494
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
3
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Eradicate the Bots in the Belfry Eric Vanderburg JurInnov, Ltd. October 26, 2012 © 2012 JurInnov Ltd. All Rights Reserved.
  • 2. Presentation Overview • The Internet is always attacking you but are you attacking the Internet? • Botnet overview • Defining the threat • Command and Control servers • Propagation • Detection • Prevention • Response 1 © 2012 JurInnov Ltd. All Rights Reserved.
  • 3. Botnet Overview • Bot – Program that performs automated tasks – Remote controlled – AKA: zombie or drone • Botnet – collection of bots remotely controlled and working together to perform tasks • Bot herd – a subset of the botnet that is allocated to an entity or project • Bot herder – bot master 2 © 2012 JurInnov Ltd. All Rights Reserved.
  • 4. Threat defined • • • • Over 200 million bots worldwide 12% of bots active Half a million infected each day to maintain herd Botnets rented: ($90/day, $15/hr DDoS bot) 3 © 2012 JurInnov Ltd. All Rights Reserved.
  • 5. Threat defined – What is done with botnets? • • • • • • DDoS Spam Distribute copyrighted material Data mining Hacking /Hacktivism Fraud – Click fraud – Ebay feedback – Pump & Dump • Covert communication 4 © 2012 JurInnov Ltd. All Rights Reserved.
  • 6. Criminal approach • Data collection – Collect financial data (file scan, HTML injection) – Harvest usernames and passwords • Monetization – Raid accounts – Fraud • Laundering – Recruit money mules – Bounce money from account to account 5 © 2012 JurInnov Ltd. All Rights Reserved.
  • 7. 2007 Zeus • Phishing w/ customizable data 2007 collection Cutwail methods • 2008 DDoS Spam, C&C • Web based Mariposa (Butterfly) 2003 RBot 1999 Pretty Park • • Harvests email addresses Rented TDSS • Stealthy and difficultspace for spam, 2008 botnet to detect • Encrypts • Used IRC for C&C & updates itself • Rootkit 2004 PolyBot • Sold andSets andatheft hackers rented “licensed” to of personal •DDoS, up proxy that is 1999& email harvesting SubSevenAdmin shell access • • ICQ • data theft Email Delivery: for information anonymous web to other for Used IRC GTBot • Builds on AgoBot for C&C 2005 MyTob 2000 • •DoS • Polymorphs through encrypted Delivery: • • Bounce (relay)• IRC traffic Keylogger, • Delivery:access MSN, P2P, USB Keylogger • DDoS, web form Phishing, Social Networking • • • Portshell access encapsulation webcam capture Delivery: Trojan embedded Admin scan collection, • Delivery: email spam using in software • DDoS MyDoom w/ own SMTP server • Delivery: email History 1999 2000 2002 2003 2004 2005 2006 2007 2008 2009 2002 SDBot 2009 Koobface 2006 Rustock • Keylogger 2002 AgoBot • • 2007 DDoS Installs pay-per-install Spam, Storm • Delivery: WebDav and • Modular design • •Uses rootkit tomalware hide MSSQL vulnerabilities, Spam • Delivery: Social Networking 2003 SpyBot • DDoS • Encrypts spam in TLS DameWare remote mgmt Dynamic • • Builds on SDBot Hides with rootkit tech • •Robust C&C fast flux C&C DNS network (over software, password guessing detection • Malware re-encoded twice/hr • • Customizable to avoid Turns off antivirus on common MS ports & web form Defends itself with DDoS •2500 domains) • • DDoS,host file Modifies Keylogger, • •Delivery: email common backdoors collection, (Kazaa, Grokster, • Delivery: P2P clipboard logging, Sold and “licensed” • Delivery: Email enticement for webcam capture BearShare, Limewire) free music • Delivery: SDBot + P2P 6 © 2012 JurInnov Ltd. All Rights Reserved.
  • 8. Customizing a bot with AgoBot GUI Example of AgoBot GUI to customize the bot © 2012 JurInnov Ltd. All Rights Reserved.
  • 9. Life Cycle Exploit Rally Preserve Inventory Await instructions Update Execute Report • Exploit – – – – – Malicious code Unpatched vulnerabilities Trojan Password guessing Phish • Rally - Reporting in – Log into designated IRC channel and PM master – Make connection to http server – Post data to FTP or http form 8 © 2012 JurInnov Ltd. All Rights Reserved. Clean up
  • 10. Life Cycle Exploit Rally Preserve Inventory Await instructions Update Execute Report Clean up • Preserve – Alter A/V dll’s <preserve> <pctrl.kill “Mcdetect.exe”/> – Modify Hosts file to prevent A/V < pctrl.kill “avgupsvc.exe”/> updates < pctrl.kill “avgamsvr.exe”/> – Remove default shares (IPC$, < pctrl.kill “ccapp.exe”/> ADMIN$, C$) </preserve> – Rootkit – Encrypt – Polymorph – Retrieve Anti-A/V module – Turn off A/V or firewall services – Kill A/V, firewall or debugging processes 9 © 2012 JurInnov Ltd. All Rights Reserved.
  • 11. Life Cycle Exploit Rally Preserve Inventory Await instructions Update Execute Agobot host control commands Command harvest.cdkeys harvest.emails harvest.emailshttp harvest.aol harvest.registry harvest.windowskeys pctrl.list pctrl.kill pctrl.listsvc pctrl.killsvc pctrl.killpid inst.asadd inst.asdel inst.svcadd inst.svcdel Description Return a lsit of CD keys Return a list of emails Return a list of emails via HTTP Return a list of AOL specific information Return registry information for a specific registry path Return Windows registry information Return list of all processes Kill specified processes set from a service file Return a list of all services that are running Delete/stop a specified service Kill specified process Add an autostart entry Delete an autostart entry Adds a service to SCM Delete a service from SCM 10 © 2012 JurInnov Ltd. All Rights Reserved. Report Clean up
  • 12. Life Cycle Exploit Rally Preserve Inventory Await instructions Update Execute Report Clean up • Inventory – determine capabilities such as RAM, HDD, Processor, Bandwidth, and pre-installed tools • Await instructions from C&C server • Update – Download payload/exploit – Update C&C lists 11 © 2012 JurInnov Ltd. All Rights Reserved.
  • 13. Life Cycle Exploit Rally Preserve Inventory Await instructions Update • Execute commands – – – – – – – DDoS Spam Harvest emails Keylog Screen capture Webcam stream Steal data • Report back to C&C server • Clean up - Erase evidence 12 © 2012 JurInnov Ltd. All Rights Reserved. Execute Report Clean up
  • 14. Propagation • Scan for windows shares and guess passwords ($PRINT, C$, D$, E$, ADMIN$, IPC$) – find usernames, guess passwords from list – Remember to use strong passwords Agobot propagation functions 13 © 2012 JurInnov Ltd. All Rights Reserved.
  • 15. Propagation • Use backdoors from common trojans • P2P – makes files available with enticing names hoping to be downloaded. File names consist of celebrity or model names, games, and popular applications • Social networking – Facebook posts or messages that provides a link (Koobface worm) 14 © 2012 JurInnov Ltd. All Rights Reserved.
  • 16. Propagation • SPIM – Message contact list – Send friend requests to contacts from email lists or harvested IM contacts from the Internet • Email – Harvests email addresses from ASCII files such as html, php, asp, txt and csv – uses own SMTP engine and guesses the mail server by putting mx, mail, smpt, mx1, mail1, relay or ns in front of the domain name. 15 © 2012 JurInnov Ltd. All Rights Reserved.
  • 17. Command and Control • C&C or C2 • Networked with redundancy • Dynamic DNS with short TTL for C&C IP (weakness is the DNS, not the C&C server) • Daily rotating encrypted C&C hostnames • Alternate control channels • Average lifespan: 2 months 16 © 2012 JurInnov Ltd. All Rights Reserved.
  • 18. Command and Control • IRC • Peer-to-peer – programming can be sent from any peer and discovery is possible from any peer so the network can be disrupted without the C&C server. • Social networking • Instant Messaging 17 © 2012 JurInnov Ltd. All Rights Reserved.
  • 19. Command and Control • Web or FTP server – Instructions in a file users download – Bots report in and hacker uses connection log to know which ones are live – Bots tracked in URL data – Commands sent via pull instead of push • No constant connection • Check-in might match signature – Better scalability – web server can handle more connections than IRC – Port 80 not blocked and not unusual activity 18 © 2012 JurInnov Ltd. All Rights Reserved.
  • 20. Trends • Hackers – Mostly about money instead of notoriety (hacktivism excluded) – Staying under the radar • Smaller herds • Fewer propagation methods • Web based C&C • Government and Terrorist – Aimed at taking down critical services or disrupting business 19 © 2012 JurInnov Ltd. All Rights Reserved.
  • 21. Detecting bots • Monitor port statistics on network equipment and alert when machines utilize more than average – Gather with SNMP, netflow, or first stage probes (sniffers) attached to port mirrored ports on switches. • Firewall statistics • IPS/IDS reports 20 © 2012 JurInnov Ltd. All Rights Reserved.
  • 22. Baseline • Document – Network Schematic – Server roles • • • • Destination IP addresses Ports Protocols Volume of data and directionality 21 © 2012 JurInnov Ltd. All Rights Reserved.
  • 23. Quick and Fast Rules • Compromised hosts generally send out more information • Patterns (sending perspective) – Many-to-one – DDoS, Syslog, data repository, email server – One-to-many – web server, email server, SPAM bot, warez, port scanning – Many-to-many – P2P, virus infection – One-to-one – normal communication, targeted attack 22 © 2012 JurInnov Ltd. All Rights Reserved.
  • 24. Wireshark Packet list  Packet details  Packet bytes  23 © 2012 JurInnov Ltd. All Rights Reserved.
  • 25. Wireshark • Filtering – Frame contains “search term” • Flow – sequence of packets comprising a single communication segment. – EX: Connection, Negotiation, File Request, File delivery, checksum, acknowledgment, termination – Flow record – subset of information from a flow such as source and destination IP, protocol, date or time 24 © 2012 JurInnov Ltd. All Rights Reserved.
  • 26. Networkminer • Traffic analysis tool • Graphical breakdown of… – – – – – – Hosts Images Files Email DNS Sessions 25 © 2012 JurInnov Ltd. All Rights Reserved.
  • 27. Detecting bots • Real time netflow analyzer- Solarwinds free netflow tool • Small Operation Center or MRTG – free SNMP/syslog server with dashboard • Rootkit tools: Rootkit Revealer, GMER • Event log monitoring – Zenoss, Alien Vault, Nagios, Splunk, Graylog 26 © 2012 JurInnov Ltd. All Rights Reserved.
  • 28. Event Logging • Placement – – – – – – – – Perimeter VLAN or Workgroup Wireless Choke points – maximize collection capacity within budget and ability to process and analyze Minimize duplication Sync time Normalize Secure collector transmission pathways 27 © 2012 JurInnov Ltd. All Rights Reserved.
  • 29. Detecting bots - Darknet • Network telescope (darknet) – collector on an unused network address space that monitors whatever it receives but does not communicate back. • Most traffic it receives is illegitimate and it can find random scanning worms and internet backscatter (unsolicited commercial or network control messages). • How to set up a darknet http://www.team-cymru.org/Services/darknets.html 28 © 2012 JurInnov Ltd. All Rights Reserved.
  • 30. Detecting C&C • Ourmon (linux/FreeBSD tool) – detects network anomalies and correlate it with IRC channel traffic. • Stats generated every 30sec • Application layer analytics • Claims from ourmon.sourceforge.net/ – – – – – – – – Monitor TCP (syndump), and UDP (udpreport) flows Log all DNS query responses network wide Measure basic network traffic statistically Catch "unexpected" mail relays Catch botnets Spot infections with random "zero-day" malware Spot attacks from the inside or outside See what protocols are taking up the most bandwidth 29 © 2012 JurInnov Ltd. All Rights Reserved.
  • 31. Detection – A/V and Anti-malware • • • • • • • AVG (Grisoft) – free for home use Ad-aware (Lavasoft) - free Repelit (itSoftware) McAfee Microsoft Security Essentials (free up to 10 PCs) Symantec Spybot Search and Destroy - free 30 © 2012 JurInnov Ltd. All Rights Reserved.
  • 32. Prevention – Vulnerability scanning • Vulnerability scanning – scan and fix vulnerabilities found. Identify and protect machines that could be potential bots. – Nexpose • Free for up to 32 IP – OpenVAS (Vulnerability Assessment System) • Linux • VM available (resource intensive) – Greenbone Desktop Suite (uses OpenVAS) • Windows XP/Vista/7 – MBSA (Microsoft Baseline Security Analyzer) – Secunia PSI (local Windows machine scanning only) 31 © 2012 JurInnov Ltd. All Rights Reserved.
  • 33. Prevention • • • • • Firewall IPS/IDS Web filtering SPAM filtering (incoming & outgoing) Disable VPN split tunnel 32 © 2012 JurInnov Ltd. All Rights Reserved.
  • 34. SIEM • Security Information and Event Management – – – – – – – – Log aggregation Correlation Normalization Alerting Dashboards Views Compliance reports Retention 33 © 2012 JurInnov Ltd. All Rights Reserved.
  • 35. Prevention • Read only virtual desktops • Software – Software restrictions and auditing – Sandbox software before deployment • Patch management • NAC (Network Access Control) – A/V & patches 34 © 2012 JurInnov Ltd. All Rights Reserved.
  • 36. Response • Incident response – Determine scope – Determine if it constitutes a breach and therefore notification – Analyze - Is any evidence needed? – Clean the device • After-action review – Define improvement actions – Assign responsibilities for actions – Follow-up 35 © 2012 JurInnov Ltd. All Rights Reserved.
  • 37. Thanks Enjoy the summit Acknowledgements: • Bot command tables obtained from “An Inside Look at Botnets” by Vinod Yegneswaran • The programs depicted in this presentation are owned by their respective authors 36 © 2012 JurInnov Ltd. All Rights Reserved.