A DIY Botnet Tracking System

A talk on large-scale tracking botnets using automation.

Delivered in : OWASP China 2009 & Internet Security Forum 2009

  • What are we going to learn? How to track a botnet, how to make sense of the data, and how to automate it. How are we going to learn it? Through explanations of practical scenarios. How are we going to use it? Demos showing how to use it.
  • How many of you are familiar with botnets and zombies?
  • How did people reach this conclusion? By analyzing the binaries. Of course, the way to get more information is to be part of the botnet and analyze its patterns and logs first hand.
  • If you want to know when it happens and how it happens, you have to be part of it. Analyzing click logs isn't the only way.
  • If you want to see the latest spam templates and where they are spamming, the place the spam is sent from is the bots in the botnet. Huge profit for sending ads that no one is interested in.
  • Decide whether to analyze afterwards or one by one on the fly. We will analyze one by one on the fly.
  • Yeah, I know sec geeks love practical, but we cannot ignore the theoretical aspects as well. I'll explain. There were a lot of subtleties in that for loop. I'll mention a few; the interested ones can look at my paper for the exact details and how I address them one by one. 1. How to start a VM? Which VM did I use? I use VirtualBox. VirtualBox has the VBoxManage command line tool to control VMs; it is very powerful, and everything in the GUI can be done with it. 2. How to start the monitoring tools? In our case we only need Wireshark to capture network traffic. Start it OUTSIDE the guest (on the host) to prevent tampering with kernel objects, or INSIDE the guest to deal with HTTPS. 3. How to transfer the malware? In general: write a client and server, putting the client on the guest. When the guest gets a file, it automatically executes it. For any VM that can attach a CD/DVD, like VirtualBox, attach an .iso that autoruns the malicious binary. 4. How long should the malware execute? 1 to 5 minutes. Some malware just waits, waits, waits forever. Or it is a downloader, and it is slow to get the real malware. Depending on whether you are distributed and how much time you have (it usually runs behind the scenes), let it run for some 5 minutes. It isn't a CD, so it should do OK. 5. How about anti-debugging / anti-virtualization malware? Out of scope, not discussed here. Resources and explanations of how they work are provided on my blog: "Detecting Virtualbox".
  • 1. What if the botnet operator sends a message to you?! They won't, unless it's a small botnet. (It's on the rise. Torpig.) Otherwise they will only automatically PING you. Just PONG them: if they send PING :113355, you send PONG :113355. 2. Username, host, mode, password, channel, server: does the order in which I send them matter? How about timing? For ordering, theoretically yes, but it's not that strict. The password is required first, then the nick; the channel goes last. Normally you authenticate yourself before doing anything, right? The same goes for botnet access control designs. 3. The botnet operator is sending me commands that my software, and even I, do not recognize. What should I do? Employ "the rule of silence": just don't say anything stupid. The internet is a best-effort place, so connections are not expected to be realtime, and packets may be blackholed. Keep silent and you will blend in with the real bots. Botnets now are quite smart, and if you send any command that isn't whitelisted, you immediately get an IP/NICK ban.
  • Commands: understand and help document unseen commands for security researchers. HTTP URLs, especially those ending in .exe or .bat, are likely to be malware binaries; generally, other HTTP URLs could be phishing sites. Conversation logs: inexperienced operators might think it safe to talk on their botnet, revealing information. Other timing-related information: you might discover patterns or even preempt 0-day attacks.
  • If you got malware, you can feed this malware into the system again for analysis. It does not necessarily point to the same botnet (FireEye blog), or perhaps it's some new interesting exploit. Now you have a feedback loop: you get a malware sample and spy on a botnet, get a malware sample from that botnet, and spy on yet another botnet.
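As an added example (not the talk's own code, which the author says will be released at http://onhacks.org), here is a small Python parser for the analysis step in slide 50 (extract the login data from the capture) and for the log review in the notes above (unseen commands, URLs ending in .exe/.bat). It reads a constructed IRC stream dump, records the order in which PASS/NICK/USER/MODE/JOIN were sent, and triages the URLs. The "C>"/"S>" transcript layout and the "."/"!" command prefix are assumptions.

```python
import re

# Constructed sample: one IRC session as it would appear in a Wireshark
# "Follow TCP Stream" dump of the sandbox capture. "C>" is the infected guest,
# "S>" is the controller. Hosts, nick, password and channel key are made up.
SAMPLE_STREAM = """\
C> PASS letmein
C> NICK [USA|XP]-483921
C> USER sgfdk 0 0 :sgfdk
S> :irc.example.invalid 001 [USA|XP]-483921 :Welcome
C> MODE [USA|XP]-483921 +x
S> PING :113355
C> PONG :113355
C> JOIN #botz joinkey
S> :op!~op@host PRIVMSG #botz :.download http://update.example.invalid/bin/svc.exe 1
S> :op!~op@host PRIVMSG #botz :.visit http://example.invalid/login.php
S> :op!~op@host PRIVMSG #botz :hey anyone here
"""

LOGIN_CMDS = ("PASS", "NICK", "USER", "MODE", "JOIN")   # slide 32's login data
BINARY_EXT = (".exe", ".bat")                            # binary hints from the notes
URL_RE = re.compile(r"https?://\S+")


def parse_irc_capture(stream):
    """Return the bot's login profile (first value of each login command, in
    the order the bot sent them), operator command words, and all URLs."""
    profile, commands, urls = {}, [], []
    for raw in stream.splitlines():
        side, sep, line = raw.partition("> ")
        if not sep:
            continue                      # not a transcript line
        if side == "C":
            verb, _, args = line.partition(" ")
            if verb in LOGIN_CMDS and verb not in profile:
                profile[verb] = args
            continue                      # PONG etc. carry no login data
        # Controller side: ":nick!user@host PRIVMSG #chan :text"
        if " PRIVMSG " in line and " :" in line:
            text = line.split(" :", 1)[1]
            urls.extend(URL_RE.findall(text))
            if text.startswith((".", "!")):   # assumed command-prefix convention
                commands.append(text.split(" ", 1)[0])
    return {"profile": profile, "commands": commands, "urls": urls}


def triage_urls(urls):
    """Split URLs into likely binary drops and other pages (possible phishing)."""
    binaries = [u for u in urls if u.lower().split("?", 1)[0].endswith(BINARY_EXT)]
    return binaries, [u for u in urls if u not in binaries]
```

The profile dict is the "login data" that slide 50 feeds to the monitoring thread; the URL split is the first triage pass over what the channel yields.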

    1. Internet Security Forum 2009: 趙嘉言 (Eric Chio, "Log0")
    2. Who am I?
      - Microsoft, Software Design Engineer
      - Forefront Protection for SharePoint 2010
      - Articles on botnets, honeypots and related topics: http://onhacks.org
      - Malicious website database: http://www.badurls.cn
    3. Basics
      - What to learn
      - How to learn it
      - How to use it
    4. Where is the research report?
      - Busy doing research
      - Building a community (www.badurls.cn)
      - Listen carefully, or you will fall behind
      - This is aimed at individual users
        - No money needed; one person can do it! =]
    5. (no text on slide)
    6. First...
      - Before we dig in, let's understand why we do this.
    7. What is a botnet?
      - A zombie is a computer that has been remotely compromised and is controlled from afar, a "肉鸡" in Chinese slang.
      - A botnet is the zombies and their controller belonging to one organization, a "zombie herd".
    8. Motivation
      - Interest: that was ten years ago
      - $$$
        - Bank accounts
        - Personal data
        - ...
      - Political motives
    9. Fact 1 – politically motivated DDoS
      - Four months ago, many websites in South Korea and the US were hit by DDoS attacks
        - Over 160,000 zombies
      - Estonia
      - Titan Rain
      - Moonlight Maze
      Reference: ShadowServer - http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20090710
    10. Fact 2 – click fraud
      - Click Fraud
      - Q3 2009
      - 42.6% of all click fraud
        - North America, UK, Vietnam, Germany
      Reference: ClickForensics - http://www.allbusiness.com/technology/software-services-applications-online/13282309-1.html
    11. Fact 3 – junk mail
      - Junk Mail
      - 87.9% of all spam
      - One of them alone sends over 400 million spam messages a day
      Reference: Symantec MessageLabs - http://www.spamfighter.com/News-13296-Botnets-Generate-879-of-Total-Spam-Messages.htm
    12. How it relates
      - Antivirus software
      - Browsers
      - First-hand data
      - Prevention
      - Databases
      - ...
    13. OK, back to the original question...
    14. Architecture
    15. Collecting malware
    16. Analyzing malware
    17. Monitoring malware
    18. Architecture
    19. (no text on slide)
    20. Collecting malware
    21. Collecting malware
      - Malicious binaries
      - Honeypots, honeyclients
      - Researchers
      - I wrote several tutorials at http://onhacks.org
        - "Who is breaking into my system?"
    22. (no text on slide)
    23. Analyzing malware
    24. Analyzing one malware sample
    25. Analyzing many malware samples
      - For malware in malware list:
      - End for
    26. Analyzing many malware samples: For malware in malware list: End for
    27. Small details
      - Starting the virtual machine...
      - Monitoring software...
    28. Small details
      - Executing the malware in the virtual machine...
      - Run time...
      - Anti-debugging, anti-virtualization...
    29. Now we have an architecture for analyzing many malware samples...
    30. What we need
      - Login data
      - Different kinds of botnet:
        - IRC
        - HTTP
        - P2P
        - Other
      - Use TCPDUMP
    31. What we need
      - IRC login data
    32. What we need – IRC
      - IP address
      - Port
      - Login data
        - NICK
        - PASS
        - MODE
        - USERHOST
        - JOIN
    33. What we need – HTTP
      - URL
      - /p0rnPussy/stat.php?id=xMSEJWEVA_3ERIEOP&build_id=EF2A8A
      - JPEG header files (Monkif/DIKhora)
      - Twitter status
      - Google Groups posts
    34. What we need – IRC
      - Example
    35. (no text on slide)
    36. Monitoring malware
    37. How to join a botnet
      - IRC steps:
      - Connect to the address
      - Send the login data
      - Log
      - HTTP steps:
      - Connect to the URL
      - Log
    38. Small details
      - Responding to botnet commands...
      - Order of the login data...
      - Responding to the botnet operator...
    39. (no text on slide)
    40. We have finally joined the big botnet family!
    41. What to do
      - "Silence is golden"
      - Look for:
        - Commands
        - URLs
        - Executables
        - Things not seen before / patterns
    42. Data loop
    43. (no text on slide)
    44. Collecting malware
    45. Analyzing malware
    46. Monitoring malware
    47. Architecture
    48. Having said all that...
    49. How it relates
      - Antivirus software
      - Browsers
      - First-hand data
      - Prevention
      - Databases
      - ...
    50. Summary – the tool
      - 1. Put the malware in a folder for analysis
      - 2. Move it into the virtual machine and execute it
      - 3. Collect the logs
      - 4. Run the analysis program to extract the login data
      - 5. Start a thread / process to monitor the botnet
      - 6. Record all the data and feed it back into the system for reuse
    51. Summary
      - Analyze malware – successful infiltration
      - Infiltrate the botnet – get data
      - Analyze the logs – get information
      - Study the botnet – get new intelligence
    52. Code
      - Will be released at http://onhacks.org
      - Linux only, for now. =(
        - Depends only on /usr/bin/mkisofs
    53. Security research community
      - www.badurls.cn
      - Building a malicious URL database focused on the situation in China
      - Needs YOUR expertise!
    54. Thank you all! For more information: http://onhacks.org. To research malicious sites: http://www.badurls.cn. Eric Chio "Log0", security research enthusiast. Blog: http://onhacks.org. Email: ckieric@gmail.com. Thank you OWASP China and CISRG for organizing!
    55. References
      - FireEye Malware Intelligence Lab: blog.fireeye.com
    56. (no text on slide)
    57. (no text on slide)
    58. The big players...
      - Volunteer organizations such as ShadowServer monitor the network every day
      - Larger companies such as Microsoft and Arbor Networks also monitor the network every day
    59. Monitoring workflow
    60. And you... can go to...
      - www.badurls.cn (new!)
      - malwaredomainlist.com
      - kafan.cn has a malicious-site analysis board dedicated to discussing malicious sites
      - mwsl.org.cn
      - malwareurl.com
      - vurl.mysteryfcm.co.uk
