A DIY Botnet Tracking System
A talk on large-scale tracking botnets using automation.

Delivered at: OWASP China 2009 & Internet Security Forum 2009

  • What are we going to learn? How to track a botnet, how to make sense of the data, and how to automate it. How are we going to learn it? Through explanations of practical scenarios. How are we going to use it? Explained through demos of how to use it.
  • How many of you are familiar with botnets and zombies?
  • How did people get to this conclusion? By analyzing the binaries. Of course, the way to get more information is to be part of the botnet and analyze its patterns and logs first hand.
  • If you want to know when it happens and how it happens, you have to be part of it to know. Analyzing click logs isn't the only way.
  • If you want to see the latest spam templates and where they are spamming, the place the spam is sent from is the bots in the botnet. Huge profit for sending ads that no one is interested in.
  • Decide to analyze afterwards, or analyze 1-by-1 on the fly. We will analyze 1-by-1 on the fly.
  • Yea, I know sec geeks love practical, but we cannot ignore the theoretical aspects as well. I'll explain. There were a lot of subtleties in that for loop. I'll mention a few; the interested ones can look at my paper for the exact details and how I address them one by one.
    • 1. How to start a VM? Which VM did I use? I use VirtualBox. VirtualBox has the VBoxManage command line tool to control VMs; it is very powerful, and everything on the GUI can be done with it.
    • 2. How to start monitoring tools? In our case, we only need Wireshark to capture network traffic. Start it OUTSIDE of the guest host to prevent kernel object tampering, or start it INSIDE to get around HTTPS.
    • 3. How to transfer the malware? In general: write a client and a server, and put the client on the guest. When the guest gets a file, it automatically executes it. For any VM that can attach a CD/DVD, like VirtualBox, attach an .iso that autoruns the malicious binary.
    • 4. How long should the malware execute? 1 to 5 minutes. Some malware just waits, waits, waits forever, or it is a downloader and is slow to get the real malware. Depending on whether you are distributed and how much time you have (it usually runs behind the scenes), let it run for some 5 minutes. It isn't a CD, so it should do OK.
    • 5. How about anti-debugging / anti-virtualization malware? Out of scope, not discussed here. Resources and explanations of how they work are provided on my blog: "Detecting VirtualBox".
  • 1. What if the botnet operator sends a message to you?! They won't, unless it's a small botnet (it's on the rise: Torpig). Otherwise, they will only automatically ping you. Just pong them: if they send PING :113355, then you send PONG :113355.
    • 2. Username, host, mode, password, channel, server: does the order in which I send them matter? How about timing? For ordering, theoretically yes, but it's not that strict. The password is required first, and the nick too; then the channel goes last. Normally you authenticate yourself before doing anything, right? The same goes for botnet access control designs.
    • 3. The botnet operator is sending me commands that my software, and even I, do not recognize. What should I do? Employ "the rule of silence": just don't say anything stupid. The internet is a best-effort place, so the connection is not expected to be realtime, and packets may be blackholed. Keep silent and you will blend in with the real bots. Botnets now are quite smart, and if you send any command that isn't whitelisted, you immediately get an IP/NICK ban.
  • Commands: understand and help document unseen commands for security researchers. HTTP URLs, especially those with .exe or .bat, are likely to be malware binaries; generally, other HTTP URLs could be phishing sites. Conversation logs: inexperienced operators might think it safe to talk on their botnet, revealing information. Other timing-related information: you might discover patterns or even preemptive 0-day attacks.
  • If you got malware, you can then feed this malware into the system again for analysis. It may not point to the same botnet (FireEye blog), or perhaps it's some new interesting exploit. Now you have a feedback loop: you get a malware sample and spy on a botnet, get a malware sample from that botnet, and spy on yet another botnet.
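The for loop described in the notes above (restore a clean VM, attach an ISO that autoruns the sample, capture for about five minutes, power off), as an added Python example of the host-side automation; this is not the speaker's released tool. mkisofs, VBoxManage and tcpdump are invoked with their real options; the VM name win-xp-sandbox, the snapshot name clean and the host-only interface vboxnet0 are assumptions, and the sample file created by demo() is a constructed placeholder, not a binary.

```python
"""Host-side automation for the "for each malware sample" loop: restore a
clean VirtualBox snapshot, attach an autorun ISO that carries the sample,
capture the guest's traffic for a fixed time, then power the guest off.
Added example, not the speaker's released tool.  VM name, snapshot name and
host-only interface are assumptions; the demo sample is constructed."""
import shutil
import subprocess
import tempfile
from pathlib import Path

RUN_SECONDS = 300  # the notes suggest 1-5 minutes and settle on about 5
# Windows autorun.inf: the guest launches sample.exe when the disc is mounted.
AUTORUN_INF = "[autorun]\r\nopen=sample.exe\r\n"


def stage_sample(sample_path, workdir):
    """Copy one sample into an ISO root directory next to an autorun.inf."""
    root = Path(workdir) / "iso_root"
    root.mkdir(parents=True, exist_ok=True)
    shutil.copy(sample_path, root / "sample.exe")
    (root / "autorun.inf").write_text(AUTORUN_INF)
    return str(root)


def plan_run(vm, snapshot, iso_root, iso_path, pcap_path,
             iface="vboxnet0", seconds=RUN_SECONDS):
    """Ordered host commands for one sample.  Every entry is a real mkisofs,
    VBoxManage or tcpdump invocation, so the plan can be inspected or run."""
    return [
        ["mkisofs", "-o", iso_path, "-r", "-J", iso_root],
        # always start from the same clean state
        ["VBoxManage", "snapshot", vm, "restore", snapshot],
        ["VBoxManage", "storageattach", vm, "--storagectl", "IDE Controller",
         "--port", "1", "--device", "0", "--type", "dvddrive",
         "--medium", iso_path],
        ["VBoxManage", "startvm", vm, "--type", "headless"],
        # capture on the host-only interface: the guest cannot tamper with it
        # (the "start OUTSIDE" option from the notes); `timeout` ends the run
        ["timeout", str(seconds), "tcpdump", "-i", iface, "-w", pcap_path],
        ["VBoxManage", "controlvm", vm, "poweroff"],
    ]


def run_batch(samples_dir, vm, snapshot, outdir, dry_run=True):
    """The loop from the slides: for each sample, stage, run, collect a pcap.
    Returns the plan per sample; with dry_run=False the commands are executed."""
    plans = {}
    for sample in sorted(Path(samples_dir).iterdir()):
        work = Path(outdir) / sample.name
        work.mkdir(parents=True, exist_ok=True)
        iso_root = stage_sample(sample, work)
        plan = plan_run(vm, snapshot, iso_root,
                        str(work / "sample.iso"), str(work / "traffic.pcap"))
        plans[sample.name] = plan
        if not dry_run:
            for cmd in plan:
                # tcpdump is stopped by `timeout`, so its exit status is not an error
                subprocess.run(cmd, check=cmd[0] != "timeout")
    return plans


def demo():
    """Constructed demo: one fake sample, dry run only."""
    tmp = Path(tempfile.mkdtemp())
    samples = tmp / "samples"
    samples.mkdir()
    (samples / "fake.exe").write_bytes(b"MZ constructed placeholder, not a real binary")
    plans = run_batch(samples, "win-xp-sandbox", "clean", tmp / "out")
    staged = sorted(p.name for p in (tmp / "out" / "fake.exe" / "iso_root").iterdir())
    return plans, staged


if __name__ == "__main__":
    plans, staged = demo()
    print("staged:", staged)
    for cmd in plans["fake.exe"]:
        print(" ".join(cmd))
```

With dry_run=True (the default) nothing is executed and the plan is only returned, which is the mode to check the command lines before pointing the loop at real samples; running it for real needs the three tools on PATH, a VM with a clean snapshot, and permission to capture on the host-only interface. The capture is sequential on purpose: startvm returns as soon as the headless guest is up, tcpdump then holds the loop for the run time, and poweroff follows, so no background process bookkeeping is needed.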

Presentation Transcript

  • Internet Security Forum 2009: 趙嘉言, Eric Chio “Log0”
  • Who am I?
    • Microsoft, Software Design Engineer
    • Forefront Protection for SharePoint 2010
    • Articles on botnets, honeypots and related topics: http://onhacks.org
    • Malicious website database: http://www.badurls.cn
  • Basic concepts
    • What to learn
    • How to learn it
    • How to use it
  • Where is the research paper?
    • Busy doing research
    • Building a community (www.badurls.cn)
    • Listen carefully, or you'll fall behind
    • This is aimed at individuals
      • No money needed; one person can do it! =]
  • First...
    • Before we dive in, let's understand why we are doing this.
  • What is a botnet?
    • A zombie is a computer that has been compromised and taken under control remotely, a "chicken" (肉鸡).
    • A botnet is the zombies and their controller within one organization, a "flock of chickens" (肉鸡群).
  • Motivation
    • Curiosity: that was about ten years ago
    • $$$
      • Bank accounts
      • Personal data
    • Political motives
  • Fact 1: politically motivated DDoS
    • Four months ago, many websites in South Korea and the United States were hit by DDoS attacks
      • Over 160,000 zombies
    • Estonia
    • Titan Rain
    • Moonlight Maze
    Reference: ShadowServer - http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090710
  • Fact 2: click fraud
    • Click Fraud
    • Q3 2009
    • 42.6% of all click fraud
      • North America, the UK, Vietnam, Germany
    Reference: ClickForensics - http://www.allbusiness.com/technology/software-services-applications-online/13282309-1.html
  • Fact 3: spam
    • Junk Mail
    • 87.9% of all spam
    • One of them alone sends over 400 million spam messages per day
    Reference: Symantec MessageLabs - http://www.spamfighter.com/News-13296-Botnets-Generate-879-of-Total-Spam-Messages.htm
  • Relevance
    • Antivirus software
    • Browsers
    • First-hand data
    • Prevention
    • Databases
  • OK, back to the original question...
  • Architecture
  • Collect malware
  • Analyze malware
  • Monitor malware
  • Architecture
  • Collect malware
  • Collect malware
    • Malicious binaries
    • Honeypots (Honeypot, Honeyclients)
    • Researchers
    • I've written several tutorials: http://onhacks.org
      • “Who is breaking into my system?”
  • Analyze malware
  • Analyze one malware sample
  • Analyze multiple malware samples
    • For malware in malware list:
    • End for
  • Some small details
    • Starting the virtual machine...
    • Monitoring software...
  • Some small details
    • Running the malware in the virtual machine...
    • Run time...
    • Anti-debugging, anti-virtualization...
  • Now we have an architecture for analyzing multiple malware samples...
  • What we need
    • Login data
    • Different kinds of botnets:
      • IRC
      • HTTP
      • P2P
      • Others
    • Use TCPDUMP
  • What we need
    • IRC login data
  • What we need - IRC
    • IP address
    • Port
    • Login data
      • NICK
      • PASS
      • MODE
      • USERHOST
      • JOIN
  • What we need - HTTP
    • URL
    • /p0rnPussy/stat.php?id=xMSEJWEVA_3ERIEOP&build_id=EF2A8A
    • JPEG header files (Monkif/DIKhora)
    • Twitter status
    • Google Groups posts
  • What we need - IRC
    • Example
  • Monitor malware
  • How to join the botnet
    • IRC steps:
      • Connect to the address
      • Send the login data
      • Record
    • HTTP steps:
      • Connect to the URL
      • Record
  • Some small details
    • Responding to commands (botnet commands)...
    • Order of the login data...
    • Responding to the controller (botnet operator)...
  • Finally, we have joined the big botnet family!
  • What to do
    • “Silence is golden”
    • Look for:
      • Commands
      • URLs
      • Executables
      • Things not seen before / patterns
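The two analysis steps the slides describe, extracting the IRC login data (PASS, NICK, USER, MODE, JOIN) from the captured bot session and then triaging what the channel carries for URLs, executables and unseen commands while staying silent except for PING/PONG, as one added Python example; this is not the speaker's released code. The IRC stream is constructed (reassembled the way a "Follow TCP Stream" view would show it), the hostnames use the reserved .invalid domain, and the set of known commands handed to triage() is an assumption.

```python
"""Pull IRC C&C login parameters out of a captured bot session and triage
what the channel carries.  Added example; the sample stream is constructed."""
import re
from collections import Counter

# Constructed sample: the guest's first TCP conversation with the C&C host,
# reassembled into text lines (wireshark "Follow TCP Stream" or tshark gives
# the same view).  The IP and port come from the packet headers, not from here.
SAMPLE_STREAM = """\
PASS s3cretp4ss
NICK [USA|XP|12345]
USER abc 0 0 :abc
:irc.example.invalid 001 [USA|XP|12345] :Welcome
MODE [USA|XP|12345] +ix
JOIN #chan1 chankey
PING :113355
PONG :113355
:op!op@host PRIVMSG #chan1 :.dl http://download.example.invalid/update.exe 1
:op!op@host PRIVMSG #chan1 :.visit http://shop.example.invalid/ 0
:op!op@host PRIVMSG #chan1 :.zzzz flood
:op!op@host PRIVMSG #chan1 :guys new build tonight
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
BINARY_SUFFIXES = (".exe", ".bat")  # the extensions the talk singles out
PRIVMSG_RE = re.compile(r"^:(\S+) PRIVMSG (\S+) :(.*)$")


def extract_irc_login(stream):
    """Return the parameters a monitor needs to replay the bot's login."""
    login = {"pass": None, "nick": None, "user": None, "mode": None, "channels": []}
    for line in stream.splitlines():
        if not line or line.startswith(":"):
            continue  # server-originated line; only client lines carry credentials
        parts = line.split()
        cmd, args = parts[0].upper(), parts[1:]
        if cmd == "PASS" and args:
            login["pass"] = args[0]
        elif cmd == "NICK" and args:
            login["nick"] = args[0]
        elif cmd == "USER":
            login["user"] = " ".join(args)
        elif cmd == "MODE":
            login["mode"] = " ".join(args)
        elif cmd == "JOIN" and args:
            # JOIN may carry several channels and keys separated by commas
            chans = args[0].split(",")
            keys = args[1].split(",") if len(args) > 1 else []
            for i, chan in enumerate(chans):
                login["channels"].append((chan, keys[i] if i < len(keys) else None))
    return login


def reply_for(line):
    """The rule of silence: the only thing ever sent back is PONG for PING."""
    if line.startswith("PING "):
        return "PONG " + line[len("PING "):]
    return None


def triage(lines, known_commands):
    """Classify what the operator pushed into the channel: every URL, the ones
    that look like binaries, command tokens not in the known set, and chatter."""
    result = {"urls": [], "binaries": [], "unseen": Counter(), "chatter": []}
    for line in lines:
        m = PRIVMSG_RE.match(line)
        if not m:
            continue
        sender, text = m.group(1), m.group(3)
        urls = URL_RE.findall(text)
        result["urls"].extend(urls)
        result["binaries"].extend(
            u for u in urls
            if u.lower().rsplit("?", 1)[0].endswith(BINARY_SUFFIXES))
        words = text.split()
        token = words[0] if words else ""
        if token.startswith((".", "!")):      # bot command prefix (assumption)
            if token not in known_commands:
                result["unseen"][token] += 1
        else:
            result["chatter"].append((sender, text))  # operator talking
    return result


if __name__ == "__main__":
    print(extract_irc_login(SAMPLE_STREAM))
    print(reply_for("PING :113355"))
    print(triage(SAMPLE_STREAM.splitlines(), {".dl", ".visit"}))
```

The login dictionary is what step 4 of the summary feeds into the monitoring thread; the triage output is the feedback loop's input, since every entry in binaries is a candidate to go back into the sandbox, while unseen is the list of commands that still need documenting.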
  • Data loop
  • Collect malware
  • Analyze malware
  • Monitor malware
  • Architecture
  • After saying all that...
  • Relevance
    • Antivirus software
    • Browsers
    • First-hand data
    • Prevention
    • Databases
  • Summary: the tool
    • 1. Put the malware into a folder for analysis
    • 2. Move it to the virtual machine and execute it
    • 3. Collect the logs
    • 4. Run the analysis program to extract the login data
    • 5. Start a thread / process to monitor the botnet
    • 6. Record all the data and import it back into the system for reuse
  • Summary
    • Analyze malware: successful infiltration
    • Infiltrate the botnet: get data
    • Analyze the logs: get information
    • Study the botnet: get new intelligence
  • Code
    • Will be released at http://onhacks.org
    • Linux only, for now. =(
      • Only depends on /usr/bin/mkisofs
  • Security research community
    • www.badurls.cn
    • Building a malicious URL database aimed at the situation in China
    • Needs YOUR expertise!
  • Thank you all!
    For more information, visit: http://onhacks.org. To research malicious sites, visit: http://www.badurls.cn. Eric Chio “Log0”, security research enthusiast. Blog: http://onhacks.org Email: ckieric@gmail.com. Thank you OWASP China and CISRG for organizing!
  • References
    • FireEye Malware Intelligence Lab: blog.fireeye.com
  • Big companies...
    • Volunteer organizations like ShadowServer monitor the state of the network every day
    • Larger companies like Microsoft and Arbor Networks monitor the network every day
  • Monitoring workflow
  • And you... can go to...
    • www.badurls.cn  new!
    • malwaredomainlist.com
    • kafan.cn has a malicious-site analysis board dedicated to discussing malicious sites
    • mwsl.org.cn
    • malwareurl.com
    • vurl.mysteryfcm.co.uk