Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg

Eric Vanderburg, Director of Information Systems and Security at JurInnov, presents "Eradicate the Bots in the Belfry" at the Information Security Summit.

Published in: Technology
Transcript of "Eradicate the Bots in the Belfry - Information Security Summit - Eric Vanderburg"

  1. Eradicate the Bots in the Belfry
     Eric Vanderburg, JurInnov, Ltd.
     October 26, 2012
     © 2012 JurInnov Ltd. All Rights Reserved.

  2. Presentation Overview
     • The Internet is always attacking you, but are you attacking the Internet?
     • Botnet overview
     • Defining the threat
     • Command and Control servers
     • Propagation
     • Detection
     • Prevention
     • Response

  3. Botnet Overview
     • Bot
       – Program that performs automated tasks
       – Remote controlled
       – AKA: zombie or drone
     • Botnet – collection of bots remotely controlled and working together to perform tasks
     • Bot herd – a subset of the botnet that is allocated to an entity or project
     • Bot herder – bot master

  4. Threat defined
     • Over 200 million bots worldwide
     • 12% of bots active
     • Half a million infected each day to maintain herd
     • Botnets rented: ($90/day, $15/hr DDoS bot)

  5. Threat defined – What is done with botnets?
     • DDoS
     • Spam
     • Distribute copyrighted material
     • Data mining
     • Hacking / Hacktivism
     • Fraud
       – Click fraud
       – Ebay feedback
       – Pump & Dump
     • Covert communication

  6. Criminal approach
     • Data collection
       – Collect financial data (file scan, HTML injection)
       – Harvest usernames and passwords
     • Monetization
       – Raid accounts
       – Fraud
     • Laundering
       – Recruit money mules
       – Bounce money from account to account
  7. History
     Timeline graphic of notable bots, 1999 to 2009:
     • 1999: Pretty Park, SubSeven
     • 2000: GTBot
     • 2002: SDBot, AgoBot
     • 2003: SpyBot, RBot
     • 2004: PolyBot, MyDoom
     • 2005: MyTob
     • 2006: Rustock
     • 2007: Zeus, Cutwail, Storm
     • 2008: Mariposa (Butterfly), TDSS
     • 2009: Koobface
     For each bot the graphic notes its delivery method (email, IRC, P2P, USB, MSN, social networking, WebDAV/MSSQL vulnerabilities, common backdoors, password guessing) and its capabilities (DDoS, spam, keylogging, email and clipboard harvesting, webcam capture, rootkit hiding, polymorphism, IRC or fast-flux DNS C&C, pay-per-install malware).
  8. Customizing a bot with AgoBot GUI
     Example of AgoBot GUI to customize the bot

  9. Life Cycle
     Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up
     • Exploit
       – Malicious code
       – Unpatched vulnerabilities
       – Trojan
       – Password guessing
       – Phish
     • Rally – Reporting in
       – Log into designated IRC channel and PM master
       – Make connection to http server
       – Post data to FTP or http form

  10. Life Cycle
     • Preserve
       – Alter A/V dll’s
       – Modify Hosts file to prevent A/V updates
       – Remove default shares (IPC$, ADMIN$, C$)
       – Rootkit
       – Encrypt
       – Polymorph
       – Retrieve Anti-A/V module
       – Turn off A/V or firewall services
       – Kill A/V, firewall or debugging processes
     Configuration excerpt shown on the slide:
       <preserve>
       <pctrl.kill “Mcdetect.exe”/>
       <pctrl.kill “avgupsvc.exe”/>
       <pctrl.kill “avgamsvr.exe”/>
       <pctrl.kill “ccapp.exe”/>
       </preserve>
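The hosts-file tampering the Preserve step describes is something a host-based check can catch. The Python below is an added example (not part of the deck and not AgoBot code): it parses a constructed hosts file and reports any static entry for update domains that should only ever be reached through DNS. The `.test` domain names and the PROTECTED_SUFFIXES list are placeholders a defender would replace with their own A/V vendors' update hosts.

```python
import ipaddress

# Constructed hosts file showing the sinkholing a bot's "preserve" stage
# performs: A/V update hosts pinned to 0.0.0.0 or 127.0.0.1 so the agent
# can never fetch new signatures. All domain names are placeholders (.test).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.test
0.0.0.0         update.av-vendor.test
127.0.0.1       liveupdate.av-vendor.test download.av-vendor.test  # added by bot
"""

# Hypothetical list a defender maintains: domain suffixes that must only be
# resolved through DNS (A/V and OS update infrastructure), never pinned here.
PROTECTED_SUFFIXES = ("av-vendor.test", "update.os-vendor.test")


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:  # one line may map several names to one address
            yield ip, name.lower()


def is_protected(name, suffixes=PROTECTED_SUFFIXES):
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_tampered_entries(text, suffixes=PROTECTED_SUFFIXES):
    """Return [(hostname, ip, reason)] for entries that block or redirect
    protected update hosts. Any static mapping for those names is a finding;
    loopback/unspecified targets are reported as an outright block."""
    findings = []
    for ip, name in parse_hosts(text):
        if not is_protected(name, suffixes):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "unparseable address"))
            continue
        reason = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((name, ip, reason))
    return findings
```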
  11. Life Cycle – Agobot host control commands
     Command                Description
     harvest.cdkeys         Return a list of CD keys
     harvest.emails         Return a list of emails
     harvest.emailshttp     Return a list of emails via HTTP
     harvest.aol            Return a list of AOL specific information
     harvest.registry       Return registry information for a specific registry path
     harvest.windowskeys    Return Windows registry information
     pctrl.list             Return list of all processes
     pctrl.kill             Kill specified processes set from a service file
     pctrl.listsvc          Return a list of all services that are running
     pctrl.killsvc          Delete/stop a specified service
     pctrl.killpid          Kill specified process
     inst.asadd             Add an autostart entry
     inst.asdel             Delete an autostart entry
     inst.svcadd            Adds a service to SCM
     inst.svcdel            Delete a service from SCM

  12. Life Cycle
     • Inventory – determine capabilities such as RAM, HDD, Processor, Bandwidth, and pre-installed tools
     • Await instructions from C&C server
     • Update
       – Download payload/exploit
       – Update C&C lists

  13. Life Cycle
     • Execute commands
       – DDoS
       – Spam
       – Harvest emails
       – Keylog
       – Screen capture
       – Webcam stream
       – Steal data
     • Report back to C&C server
     • Clean up – Erase evidence

  14. Propagation
     • Scan for Windows shares and guess passwords (PRINT$, C$, D$, E$, ADMIN$, IPC$)
       – Find usernames, guess passwords from list
       – Remember to use strong passwords
     Agobot propagation functions (table shown on the slide)

  15. Propagation
     • Use backdoors from common trojans
     • P2P – makes files available with enticing names hoping to be downloaded. File names consist of celebrity or model names, games, and popular applications
     • Social networking – Facebook posts or messages that provide a link (Koobface worm)

  16. Propagation
     • SPIM
       – Message contact list
       – Send friend requests to contacts from email lists or harvested IM contacts from the Internet
     • Email
       – Harvests email addresses from ASCII files such as html, php, asp, txt and csv
       – Uses own SMTP engine and guesses the mail server by putting mx, mail, smtp, mx1, mail1, relay or ns in front of the domain name.

  17. Command and Control
     • C&C or C2
     • Networked with redundancy
     • Dynamic DNS with short TTL for C&C IP (weakness is the DNS, not the C&C server)
     • Daily rotating encrypted C&C hostnames
     • Alternate control channels
     • Average lifespan: 2 months
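Short-TTL dynamic DNS and rotating hostnames leave a trail in resolver logs (Ourmon's "log all DNS query responses" on a later slide is the same idea). The Python below is an added example, not from the deck or from Ourmon: it summarizes a constructed resolver log per name and flags names that combine a low TTL with addresses that keep changing across unrelated networks, while leaving a low-TTL mail host alone. The log format and all names and addresses are constructed.

```python
from collections import defaultdict

# Constructed resolver log, one answer per line: "epoch_seconds name ttl address".
# Addresses come from the RFC 5737 documentation ranges; names are placeholders.
SAMPLE_DNS_LOG = """\
1000 update.example-cdn.test 86400 203.0.113.10
1060 update.example-cdn.test 86400 203.0.113.10
1000 k3x9.rotating-cc.test 120 198.51.100.7
1130 k3x9.rotating-cc.test 120 192.0.2.44
1260 k3x9.rotating-cc.test 60 198.51.100.90
1390 k3x9.rotating-cc.test 120 203.0.113.201
1520 k3x9.rotating-cc.test 120 192.0.2.45
1700 mail.example.test 300 198.51.100.25
1800 mail.example.test 300 198.51.100.25
"""


def parse_dns_log(text):
    """Yield (timestamp, name, ttl, address) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, ttl, addr = line.split()
        yield int(ts), name.lower().rstrip("."), int(ttl), addr


def summarize_domains(text):
    """Per name: answer count, lowest TTL seen, distinct addresses and /16s."""
    stats = defaultdict(lambda: {"answers": 0, "min_ttl": None,
                                 "addresses": set(), "prefixes": set()})
    for _, name, ttl, addr in parse_dns_log(text):
        s = stats[name]
        s["answers"] += 1
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        s["addresses"].add(addr)
        s["prefixes"].add(".".join(addr.split(".")[:2]))  # rough /16 bucket
    return stats


def flag_fast_flux(text, max_ttl=300, min_addresses=3, min_prefixes=2):
    """Names whose answers carry a short TTL AND keep changing address across
    unrelated networks. A short TTL alone is not enough: legitimate mail and
    CDN hosts use low TTLs too, but they resolve to a stable address set."""
    flagged = []
    for name, s in summarize_domains(text).items():
        if (s["min_ttl"] <= max_ttl and len(s["addresses"]) >= min_addresses
                and len(s["prefixes"]) >= min_prefixes):
            flagged.append(name)
    return sorted(flagged)
```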
  18. Command and Control
     • IRC
     • Peer-to-peer – programming can be sent from any peer and discovery is possible from any peer, so the network can be disrupted without the C&C server.
     • Social networking
     • Instant Messaging

  19. Command and Control
     • Web or FTP server
       – Instructions in a file users download
       – Bots report in and hacker uses connection log to know which ones are live
       – Bots tracked in URL data
       – Commands sent via pull instead of push
         • No constant connection
         • Check-in might match signature
       – Better scalability – web server can handle more connections than IRC
       – Port 80 not blocked and not unusual activity
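Pull-style web C&C trades a persistent IRC session for periodic check-ins over port 80, and that regularity is the signature the slide alludes to. The Python below is an added example, not from the deck: it reads a constructed proxy log and reports client/host pairs whose request intervals are too uniform to be human browsing. The log format, host names and the `/gate.php` path are constructed.

```python
import statistics
from collections import defaultdict

# Constructed web proxy log: "epoch_seconds client_ip destination_host path".
# The workstation's browsing of news.example.test is irregular; its requests to
# pull.example-cc.test (a placeholder name) recur every ~300 s with little jitter.
SAMPLE_PROXY_LOG = "\n".join(
    [f"{t} 10.0.0.15 pull.example-cc.test /gate.php?id=7" for t in (0, 301, 599, 902, 1200, 1499)]
    + [f"{t} 10.0.0.15 news.example.test /index.html" for t in (5, 40, 42, 400, 1301, 1302)]
)


def parse_proxy_log(text):
    """Yield (timestamp, client, host, path) tuples."""
    for line in text.splitlines():
        if line.strip():
            ts, client, host, path = line.split(maxsplit=3)
            yield int(ts), client, host, path


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return [(client, host, mean_interval_seconds)] for client/host pairs
    whose request timing is too regular to be a person browsing: at least
    min_requests hits whose inter-arrival times have a coefficient of
    variation (stdev / mean) below max_cv."""
    times = defaultdict(list)
    for ts, client, host, _ in parse_proxy_log(text):
        times[(client, host)].append(ts)
    beacons = []
    for (client, host), ts_list in times.items():
        if len(ts_list) < min_requests:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons.append((client, host, round(mean)))
    return sorted(beacons)
```

Real bots add deliberate jitter, so in practice max_cv is tuned against a baseline of known-good hosts rather than fixed.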
  20. Trends
     • Hackers
       – Mostly about money instead of notoriety (hacktivism excluded)
       – Staying under the radar
     • Smaller herds
     • Fewer propagation methods
     • Web based C&C
     • Government and Terrorist
       – Aimed at taking down critical services or disrupting business

  21. Detecting bots
     • Monitor port statistics on network equipment and alert when machines utilize more than average
       – Gather with SNMP, netflow, or first stage probes (sniffers) attached to port mirrored ports on switches.
     • Firewall statistics
     • IPS/IDS reports

  22. Baseline
     • Document
       – Network Schematic
       – Server roles
     • Destination IP addresses
     • Ports
     • Protocols
     • Volume of data and directionality

  23. Quick and Fast Rules
     • Compromised hosts generally send out more information
     • Patterns (sending perspective)
       – Many-to-one – DDoS, Syslog, data repository, email server
       – One-to-many – web server, email server, SPAM bot, warez, port scanning
       – Many-to-many – P2P, virus infection
       – One-to-one – normal communication, targeted attack
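The sending-perspective rules above, combined with the documented server roles from the Baseline slide, can be applied directly to flow records. The Python below is an added example (not from the deck or any named tool): it builds fan-out and fan-in sets from constructed flows, excludes hosts whose role is documented in a hypothetical baseline, and reports a workstation talking SMTP to thirty hosts and an undocumented address that twenty-five hosts converge on.

```python
from collections import Counter, defaultdict

# Constructed flow records (src, dst, dst_port). Addresses are private or
# RFC 5737 documentation ranges; the "spam bot" at 10.0.0.33 and the unknown
# collector at 10.0.0.99 are the planted anomalies.
SAMPLE_FLOWS = (
    [("10.0.0.33", f"198.51.100.{i}", 25) for i in range(1, 31)]     # workstation -> 30 mail hosts
    + [(f"10.0.0.{i}", "10.0.0.50", 514) for i in range(100, 125)]   # 25 hosts -> syslog
    + [(f"10.0.0.{i}", "10.0.0.99", 4444) for i in range(100, 125)]  # 25 hosts -> unknown
    + [("10.0.0.34", "10.0.0.80", 443)]                               # one-to-one, normal
)

# Hypothetical baseline from the documentation step: server roles that are
# expected to show many-to-one (collectors) or one-to-many (senders) patterns.
BASELINE_ROLES = {"10.0.0.25": "mail server", "10.0.0.50": "syslog", "10.0.0.80": "web server"}


def find_patterns(flows, baseline, threshold=10):
    """Apply the sending-perspective rules: a non-server host talking to many
    destinations is one-to-many (spam bot, scanner); many hosts converging on
    an address that is not a documented server is many-to-one (DDoS target,
    unsanctioned data repository). Returns a list of finding dicts."""
    fan_out, fan_in = defaultdict(set), defaultdict(set)
    ports_by_src = defaultdict(Counter)
    for src, dst, dport in flows:
        fan_out[src].add(dst)
        fan_in[dst].add(src)
        ports_by_src[src][dport] += 1
    findings = []
    for src, dsts in fan_out.items():
        if len(dsts) >= threshold and src not in baseline:
            port, _ = ports_by_src[src].most_common(1)[0]
            note = "outbound SMTP from a non-mail host" if port == 25 else "fan-out"
            findings.append({"pattern": "one-to-many", "host": src,
                             "peers": len(dsts), "port": port, "note": note})
    for dst, srcs in fan_in.items():
        if len(srcs) >= threshold and dst not in baseline:
            findings.append({"pattern": "many-to-one", "host": dst,
                             "peers": len(srcs), "port": None,
                             "note": "undocumented collector or target"})
    return sorted(findings, key=lambda f: (f["pattern"], f["host"]))
```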
  24. Wireshark
     Screenshot of the three panes of the Wireshark window:
     • Packet list
     • Packet details
     • Packet bytes

  25. Wireshark
     • Filtering
       – Frame contains “search term”
     • Flow – sequence of packets comprising a single communication segment.
       – EX: Connection, Negotiation, File Request, File delivery, checksum, acknowledgment, termination
       – Flow record – subset of information from a flow such as source and destination IP, protocol, date or time

  26. Networkminer
     • Traffic analysis tool
     • Graphical breakdown of…
       – Hosts
       – Images
       – Files
       – Email
       – DNS
       – Sessions

  27. Detecting bots
     • Real time netflow analyzer – Solarwinds free netflow tool
     • Small Operation Center or MRTG – free SNMP/syslog server with dashboard
     • Rootkit tools: Rootkit Revealer, GMER
     • Event log monitoring – Zenoss, Alien Vault, Nagios, Splunk, Graylog

  28. Event Logging
     • Placement
       – Perimeter
       – VLAN or Workgroup
       – Wireless
       – Choke points – maximize collection capacity within budget and ability to process and analyze
       – Minimize duplication
       – Sync time
       – Normalize
       – Secure collector transmission pathways

  29. Detecting bots – Darknet
     • Network telescope (darknet) – collector on an unused network address space that monitors whatever it receives but does not communicate back.
     • Most traffic it receives is illegitimate and it can find random scanning worms and internet backscatter (unsolicited commercial or network control messages).
     • How to set up a darknet: http://www.team-cymru.org/Services/darknets.html
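Everything that arrives at a darknet is unsolicited, so classification comes down to what kind of unsolicited packet it is. The Python below is an added example, not from the deck or from Team Cymru: it ignores anything outside a placeholder darknet prefix, labels bare SYNs as scanning and SYN-ACK/RST replies as backscatter, and ranks sources by how much of the dark space they touched. The packet tuples are constructed.

```python
import ipaddress
from collections import defaultdict

DARKNET = ipaddress.ip_network("192.0.2.0/24")  # placeholder for unused, unadvertised space

# Constructed packets seen by the collector: (src, dst, proto, tcp_flags, dst_port).
# One source sweeps the space for port 445 (worm-style scan); a busy web host
# answers SYN-ACKs to addresses it never heard from (DDoS backscatter).
SAMPLE_PACKETS = (
    [("203.0.113.66", f"192.0.2.{i}", "tcp", "S", 445) for i in range(1, 41)]
    + [("198.51.100.5", f"192.0.2.{i}", "tcp", "SA", 51000 + i) for i in (7, 8, 9, 10)]
    + [("198.51.100.5", "192.0.2.7", "tcp", "R", 51007)]
    + [("203.0.113.66", "10.0.0.1", "tcp", "S", 445)]   # not darknet space, ignored
)


def classify(proto, flags):
    """A bare SYN is someone probing an address that does not exist (scan);
    a SYN-ACK or RST arriving with no SYN ever sent from the darknet is a
    reply to a spoofed source, i.e. backscatter from an attack on someone else."""
    if proto == "tcp" and flags == "S":
        return "scan"
    if proto == "tcp" and flags in ("SA", "R", "RA"):
        return "backscatter"
    return "other"


def summarize(packets, darknet=DARKNET):
    """Per source: dominant category, distinct darknet targets, distinct ports."""
    per_src = defaultdict(lambda: {"categories": defaultdict(int),
                                   "targets": set(), "ports": set()})
    for src, dst, proto, flags, dport in packets:
        if ipaddress.ip_address(dst) not in darknet:
            continue  # the collector only owns the darknet prefix
        s = per_src[src]
        s["categories"][classify(proto, flags)] += 1
        s["targets"].add(dst)
        s["ports"].add(dport)
    return {src: {"category": max(s["categories"], key=s["categories"].get),
                  "targets": len(s["targets"]), "ports": sorted(s["ports"])}
            for src, s in per_src.items()}


def scanning_sources(packets, min_targets=10):
    """Sources that probed at least min_targets distinct dark addresses."""
    return sorted(src for src, s in summarize(packets).items()
                  if s["category"] == "scan" and s["targets"] >= min_targets)
```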
  30. Detecting C&C
     • Ourmon (Linux/FreeBSD tool) – detects network anomalies and correlates them with IRC channel traffic.
     • Stats generated every 30 sec
     • Application layer analytics
     • Claims from ourmon.sourceforge.net/
       – Monitor TCP (syndump) and UDP (udpreport) flows
       – Log all DNS query responses network wide
       – Measure basic network traffic statistically
       – Catch "unexpected" mail relays
       – Catch botnets
       – Spot infections with random "zero-day" malware
       – Spot attacks from the inside or outside
       – See what protocols are taking up the most bandwidth

  31. Detection – A/V and Anti-malware
     • AVG (Grisoft) – free for home use
     • Ad-aware (Lavasoft) – free
     • Repelit (itSoftware)
     • McAfee
     • Microsoft Security Essentials (free up to 10 PCs)
     • Symantec
     • Spybot Search and Destroy – free

  32. Prevention – Vulnerability scanning
     • Vulnerability scanning – scan and fix vulnerabilities found. Identify and protect machines that could be potential bots.
       – Nexpose
         • Free for up to 32 IPs
       – OpenVAS (Vulnerability Assessment System)
         • Linux
         • VM available (resource intensive)
       – Greenbone Desktop Suite (uses OpenVAS)
         • Windows XP/Vista/7
       – MBSA (Microsoft Baseline Security Analyzer)
       – Secunia PSI (local Windows machine scanning only)

  33. Prevention
     • Firewall
     • IPS/IDS
     • Web filtering
     • SPAM filtering (incoming & outgoing)
     • Disable VPN split tunnel

  34. SIEM
     • Security Information and Event Management
       – Log aggregation
       – Correlation
       – Normalization
       – Alerting
       – Dashboards
       – Views
       – Compliance reports
       – Retention

  35. Prevention
     • Read only virtual desktops
     • Software
       – Software restrictions and auditing
       – Sandbox software before deployment
     • Patch management
     • NAC (Network Access Control) – A/V & patches

  36. Response
     • Incident response
       – Determine scope
       – Determine if it constitutes a breach and therefore requires notification
       – Analyze – Is any evidence needed?
       – Clean the device
     • After-action review
       – Define improvement actions
       – Assign responsibilities for actions
       – Follow-up

  37. Thanks
     Enjoy the summit
     Acknowledgements:
     • Bot command tables obtained from “An Inside Look at Botnets” by Vinod Yegneswaran
     • The programs depicted in this presentation are owned by their respective authors