The Bot Stops Here:
Removing the BotNet Threat
Eric Vanderburg
JurInnov, Ltd.
April 25, 2012

© 2012 JurInnov Ltd. All Rights Reserved.
Presentation Overview
• The Internet is always attacking you but are you
attacking the Internet?
• Botnet overview
• Defining the threat
• Command and Control servers
• Propagation
• Detection
• Prevention
• Response
Botnet Overview
• Bot
– Program that performs automated tasks
– Remote controlled
– AKA: zombie or drone

• Botnet – collection of bots remotely controlled
and working together to perform tasks
• Bot herder – bot master

Facts
• 40% of infected machines have 1 or more bots
• Zeus bot is responsible for losses greater than
$100 million

2011 Damballa threat report

SC Magazine, April 2012

Why are universities particularly susceptible?
• Lack of control over machines
• Silos for research or classroom projects
• A culture of information sharing with minimal
boundaries and controls
• Heavy recreational use of network resources
including P2P, chat, IRC, games, and social
networking.
• Ideal target for attackers
– many hosts
– large Internet pipe
– Mail and other tempting services
Threat defined – What is done with botnets?
• DDoS
• Spam
• Distribute copyrighted material
– Torrents

• Data mining
• Hacking
• Spread itself

History (timeline figure, 1999–2009; the per-bot notes in the graphic were scrambled by extraction, so only the entries and attributes that could be recovered are listed)
• 1999 – Pretty Park: used IRC for C&C; harvests email addresses; delivery: email
• 1999 – SubSeven: admin shell access; ICQ
• 2000 – GTBot: used IRC for C&C; DoS
• 2002 – SDBot
• 2002 – AgoBot: modular design; uses a rootkit to hide
• 2003 – SpyBot: builds on SDBot
• 2003 – RBot
• 2004 – PolyBot: builds on AgoBot; polymorphs through encryption
• 2004 – MyDoom: DDoS; own SMTP server; delivery: email
• 2005 – MyTob
• 2006 – Rustock: encrypts spam in TLS; hides with rootkit tech
• 2007 – Zeus: phishing with customizable data collection methods; web based; sold and “licensed” to hackers
• 2007 – Cutwail: spam
• 2007 – Storm: fast flux C&C DNS network (over 2500 domains); malware re-encoded twice/hr; defends itself with DDoS; delivery: email enticement for free music
• 2008 – Mariposa (Butterfly): delivery: MSN, P2P, USB
• 2008 – TDSS: rented botnet space; stealthy and difficult to detect; rootkit
• 2009 – Koobface: delivery: social networking
Life Cycle (diagram): Exploit → Rally → Preserve → Inventory → Await instructions → Update → Execute → Report → Clean up

• Exploit
– Malicious code
– Unpatched vulnerabilities
– Trojan
– Password guessing
– Phish

• Rally - Reporting in
– Log into designated IRC channel and PM master
– Make connection to http server
– Post data to FTP or http form
Agobot host control commands

• Preserve
– Alter A/V dll’s
– Modify Hosts file to prevent A/V
updates
– Remove default shares (IPC$,
ADMIN$, C$)
– Rootkit
– Encrypt
– Polymorph
– Retrieve Anti-A/V module
– Turn off A/V or firewall services
– Kill A/V, firewall or debugging processes


<preserve>
<pctrl.kill “Mcdetect.exe”/>
<pctrl.kill “avgupsvc.exe”/>
<pctrl.kill “avgamsvr.exe”/>
<pctrl.kill “ccapp.exe”/>
</preserve>
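The hosts-file tampering listed under Preserve is something a defender can check for directly. The Python below is an added example, not code from the presentation or from any product it names: it parses a hosts file and reports every watched vendor hostname that has been pinned to a loopback or blackhole address (update blocked) or to some other address (update traffic redirected). The sample hosts text and the vendor domain suffixes are constructed assumptions; a real deployment would take the suffix list from its own A/V and firewall products.

```python
"""Check a hosts file for entries that block or redirect antivirus updates,
the "Modify Hosts file to prevent A/V updates" item of the Preserve phase.
Added example, not from the presentation; the hosts text and the watched
vendor suffixes are constructed assumptions."""
import ipaddress

# Constructed sample: legitimate loopback lines followed by three entries of
# the kind a bot writes to cut the machine off from its A/V vendor.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# maintenance entries below this line
127.0.0.1       update.example-av.test
0.0.0.0         liveupdate.example-av.test   # blackholed
198.51.100.7    downloads.example-av.test
"""

# Hypothetical update-server suffixes a defender would watch (assumption).
WATCHED_SUFFIXES = ("example-av.test", "example-fw.test")


def parse_hosts(text):
    """Return (address, hostname) pairs, skipping comments, blank lines and
    lines whose first field is not a valid IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:               # a line may list several aliases
            entries.append((addr, name.lower()))
    return entries


def find_av_blocks(text, watched=WATCHED_SUFFIXES):
    """Return [(hostname, address, verdict)] for watched names in the file.
    'blocked'    : pinned to loopback or 0.0.0.0, so updates never leave the box
    'redirected' : pinned to any other address, so update traffic goes elsewhere
    'localhost' itself is ignored."""
    findings = []
    for addr, name in parse_hosts(text):
        if name == "localhost" or not name.endswith(watched):
            continue
        if addr.is_loopback or addr.is_unspecified:
            verdict = "blocked"
        else:
            verdict = "redirected"
        findings.append((name, str(addr), verdict))
    return findings


if __name__ == "__main__":
    for name, addr, verdict in find_av_blocks(SAMPLE_HOSTS):
        print(f"{verdict:10s} {name} -> {addr}")
```

Run against the sample it reports two blocked names and one redirected one; on a clean machine the watched suffixes should never appear in the hosts file at all, so any finding is worth a look.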
• Inventory
– determine capabilities such as RAM, HDD, Processor,
Bandwidth, and pre-installed tools

• Await instructions from C&C server
• Update
– Download payload/exploit
– Update C&C lists

• Execute commands
– DDoS
– Spam
– Harvest emails
– Keylog
– Screen capture
– Webcam stream
– Steal data

• Report back to C&C server
• Clean up - Erase evidence
Propagation
• Scan for Windows shares and guess passwords ($PRINT, C$, D$, E$, ADMIN$, IPC$) – find usernames, then guess their passwords from a list
– Remember to use strong passwords
Agobot propagation functions

Propagation
• Use backdoors from common trojans
• P2P – makes files available under enticing names in the hope that they are downloaded. File names consist of celebrity or model names, games, and popular applications
• Social networking – Facebook posts or messages that provide a link (Koobface worm)

Propagation
• SPIM (spam over instant messaging)
– Message the contact list
– Send friend requests to contacts from email lists or IM contacts harvested from the Internet

• Email
– Harvests email addresses from ASCII files such as html, php, asp, txt and csv
– Uses its own SMTP engine and guesses the mail server by putting mx, mail, smtp, mx1, mail1, relay or ns in front of the domain name.
Command and Control
• C&C or C2
• Networked with redundancy
• Dynamic DNS with short TTL for C&C IP
(weakness is the DNS, not the C&C server)
• Daily rotating encrypted C&C hostnames
• Alternate control channels (Ex: Researchers in
2004 redirected C&C to monitoring server)
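Both the mail-server guessing on the Propagation slide and the short-TTL, rotating-address C&C on this slide leave a footprint in DNS logs. The Python below is an added example (not the presentation's code and not from any tool it lists) with two checks over one constructed DNS log: clients that look up mx/mail/smtp-style names on many different domains, and hostnames whose answers cycle through many addresses in different /16 blocks with a short TTL. The log format, the thresholds and every address and name are assumptions.

```python
"""Two DNS-log checks: hosts guessing mail-server names across many domains
(Propagation slide) and hostnames resolving to many addresses with a short
TTL (Command and Control slide). Added example, not from the presentation;
log format, thresholds and sample values are constructed assumptions."""
from collections import defaultdict
import ipaddress

# Prefix list from the Propagation slide.
MAIL_PREFIXES = {"mx", "mail", "smtp", "mx1", "mail1", "relay", "ns"}

# Constructed log: "timestamp client qname rcode answer ttl"; answer and ttl
# are "-" when the name did not resolve.
SAMPLE_DNS_LOG = """\
2012-04-25T10:00:01 10.0.0.55 mx.alpha.test NXDOMAIN - -
2012-04-25T10:00:01 10.0.0.55 mail.alpha.test NOERROR 192.0.2.10 3600
2012-04-25T10:00:01 10.0.0.55 smtp.alpha.test NXDOMAIN - -
2012-04-25T10:00:02 10.0.0.55 mx.beta.test NXDOMAIN - -
2012-04-25T10:00:02 10.0.0.55 mail.gamma.test NOERROR 192.0.2.20 3600
2012-04-25T10:00:02 10.0.0.55 relay.delta.test NXDOMAIN - -
2012-04-25T10:00:03 10.0.0.55 ns.epsilon.test NOERROR 192.0.2.30 3600
2012-04-25T10:00:03 10.0.0.55 smtp.zeta.test NXDOMAIN - -
2012-04-25T10:00:05 10.0.0.10 mail.corp.test NOERROR 10.0.0.25 3600
2012-04-25T10:01:00 10.0.0.77 cnc.rotating.test NOERROR 198.51.100.9 60
2012-04-25T10:02:00 10.0.0.77 cnc.rotating.test NOERROR 203.0.113.44 60
2012-04-25T10:03:00 10.0.0.77 cnc.rotating.test NOERROR 192.0.2.77 60
2012-04-25T10:04:00 10.0.0.77 cnc.rotating.test NOERROR 198.18.5.5 60
2012-04-25T10:05:00 10.0.0.77 cnc.rotating.test NOERROR 100.64.9.9 60
2012-04-25T10:01:00 10.0.0.12 www.cdn.test NOERROR 192.0.2.101 30
2012-04-25T10:02:00 10.0.0.12 www.cdn.test NOERROR 192.0.2.102 30
2012-04-25T10:03:00 10.0.0.12 www.cdn.test NOERROR 192.0.2.103 30
2012-04-25T10:04:00 10.0.0.12 www.cdn.test NOERROR 192.0.2.104 30
2012-04-25T10:05:00 10.0.0.12 www.cdn.test NOERROR 192.0.2.105 30
"""


def parse_dns_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, qname, rcode, answer, ttl = parts
        records.append({
            "ts": ts, "client": client,
            "qname": qname.lower().rstrip("."), "rcode": rcode,
            "answer": None if answer == "-" else answer,
            "ttl": None if ttl == "-" else int(ttl),
        })
    return records


def mail_server_guessers(records, min_domains=5):
    """Clients that looked up mail-style prefixes on at least min_domains
    distinct parent domains. A real mail client asks for MX records of a few
    domains; a bot with its own SMTP engine walks the prefix list over many."""
    domains = defaultdict(set)
    for r in records:
        labels = r["qname"].split(".")
        if len(labels) >= 3 and labels[0] in MAIL_PREFIXES:
            domains[r["client"]].add(".".join(labels[1:]))
    return {c: sorted(d) for c, d in domains.items() if len(d) >= min_domains}


def fast_flux_names(records, max_ttl=300, min_ips=5, min_blocks=3):
    """Hostnames whose answers had TTL <= max_ttl and spanned at least min_ips
    addresses in at least min_blocks distinct /16 blocks. The block count is
    what separates a flux network (addresses on unrelated consumer networks)
    from a CDN rotating addresses inside one netblock."""
    seen = defaultdict(lambda: {"ips": set(), "blocks": set(), "min_ttl": None})
    for r in records:
        if r["answer"] is None or r["ttl"] is None:
            continue
        try:
            ip = ipaddress.ip_address(r["answer"])
        except ValueError:
            continue
        prefix = 16 if ip.version == 4 else 32
        s = seen[r["qname"]]
        s["ips"].add(ip)
        s["blocks"].add(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        s["min_ttl"] = r["ttl"] if s["min_ttl"] is None else min(s["min_ttl"], r["ttl"])
    return {
        name: {"ips": len(s["ips"]), "blocks": len(s["blocks"]), "min_ttl": s["min_ttl"]}
        for name, s in seen.items()
        if s["min_ttl"] <= max_ttl and len(s["ips"]) >= min_ips and len(s["blocks"]) >= min_blocks
    }


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    print("mail-server guessers:", mail_server_guessers(recs))
    print("fast-flux names:", fast_flux_names(recs))
```

On the sample, 10.0.0.55 is flagged for walking six domains, while 10.0.0.10's single lookup of its own mail server is not; cnc.rotating.test is flagged as flux, and www.cdn.test, which also rotates through five addresses with a 30-second TTL, is not, because all of its addresses sit in one /16. The thresholds are starting points to tune against a site's own resolver logs.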

Command and Control
• Web or FTP server
– Instructions in a file users download
– Bots report in and the hacker uses the connection log to know which ones are live
– Bots tracked in URL data
– Commands sent via push or pull method

• Peer-to-peer – programming can be sent from any peer and discovery is possible from any peer, so the network can be disrupted without the C&C server.
• Social networking
• Instant Messaging
Botnet commands - Agobot
• Commands are sent as PRIVMSG, NOTICE or TOPIC IRC messages

Detecting bots
• Monitor port statistics on network equipment and alert when machines utilize more than average
– Gather with SNMP, NetFlow, or first-stage probes (sniffers) attached to mirrored ports on switches.

• Wireshark
• Real-time NetFlow analyzer – SolarWinds free NetFlow tool
• Small Operation Center or MRTG – free SNMP/syslog server with dashboard
• SNARE – event log monitoring (Linux & Windows agents)
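Two of the checks these tools support can be written in a few lines once flow records are exported. The Python below is an added example, not the presentation's code and not from SolarWinds, MRTG or Ourmon: it flags hosts whose outbound bytes are far above the peer baseline (the "alert when machines utilize more than average" bullet) and hosts opening SMTP sessions to many destinations (the "unexpected mail relay" that the Ourmon slide later mentions, and what a bot with its own SMTP engine looks like on the wire). The flow format, the mail gateway address, the thresholds and all sample values are constructed assumptions.

```python
"""Two NetFlow-style checks: hosts whose outbound byte count is far above the
peer baseline, and hosts opening SMTP sessions to many destinations (an
unexpected mail relay). Added example, not from the presentation; flow
format, thresholds and sample values are constructed assumptions."""
from collections import defaultdict
from statistics import median

# Constructed flow export, one flow per line: "src dst proto dport bytes".
SAMPLE_FLOWS = """\
10.0.0.10 203.0.113.5 tcp 443 48000
10.0.0.11 203.0.113.5 tcp 443 52000
10.0.0.12 198.51.100.7 tcp 80 61000
10.0.0.13 198.51.100.7 tcp 80 57000
10.0.0.14 203.0.113.9 udp 53 4000
10.0.0.14 203.0.113.5 tcp 443 55000
10.0.0.10 10.0.0.25 tcp 25 9000
10.0.0.55 203.0.113.40 tcp 25 120000
10.0.0.55 203.0.113.41 tcp 25 118000
10.0.0.55 198.51.100.42 tcp 25 125000
10.0.0.55 198.51.100.43 tcp 25 119000
10.0.0.55 192.0.2.44 tcp 25 121000
10.0.0.55 192.0.2.45 tcp 25 117000
10.0.0.25 203.0.113.60 tcp 25 2000
10.0.0.25 198.51.100.61 tcp 25 2100
10.0.0.25 192.0.2.62 tcp 25 1900
10.0.0.25 192.0.2.63 tcp 25 2200
10.0.0.25 192.0.2.64 tcp 25 1800
"""

# The site's real mail gateway, allowed to talk SMTP to many peers (assumption).
MAIL_GATEWAYS = {"10.0.0.25"}


def parse_flows(text):
    """Return one dict per well-formed flow line."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, dport, nbytes = parts
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def bytes_per_host(flows):
    """Total outbound bytes per source address."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def volume_outliers(flows, k=5.0):
    """Hosts whose outbound bytes exceed median + k * MAD of all hosts in the
    interval. Median/MAD rather than mean/stddev, so one very loud host does
    not drag the baseline up and hide itself."""
    totals = bytes_per_host(flows)
    values = list(totals.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0   # avoid a zero spread
    return {h: b for h, b in totals.items() if b > med + k * mad}


def smtp_fanout(flows, allowlist=MAIL_GATEWAYS, min_dests=5):
    """Hosts (other than the mail gateways) with TCP/25 flows to at least
    min_dests distinct destinations. Ordinary clients submit to one gateway."""
    dests = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 25 and f["src"] not in allowlist:
            dests[f["src"]].add(f["dst"])
    return {h: len(d) for h, d in dests.items() if len(d) >= min_dests}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("volume outliers:", volume_outliers(flows))
    print("smtp fan-out:", smtp_fanout(flows))
```

Both checks point at 10.0.0.55 on the sample data: it moved roughly twelve times the median outbound volume and spoke SMTP to six different external hosts, while the real gateway is excluded by the allowlist and the ordinary client that submitted one message to it is not. In practice the baseline should be computed per interval over a rolling window rather than once, but the shape of the check is the same.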
Detecting bots - Stager
• Stager (latest version 4.1)
– Monitors network statistics using NetFlow, based on nfdump.
https://trac.uninett.no/stager

Detecting bots - Firewall
• ASDM – Cisco ASA and PIX

Detecting bots - Darknet
• Network telescope (darknet) – a collector on unused network address space that monitors whatever it receives but never communicates back.
• Most traffic it receives is illegitimate; it can find random-scanning worms and Internet backscatter (unsolicited commercial or network control messages).
• How to set up a darknet: http://www.team-cymru.org/Services/darknets.html
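Because the telescope never sends anything, everything it receives is unsolicited, and the first thing to do with a darknet capture is to separate the two populations the slide names: scanners (SYNs or UDP datagrams fanned across many unused addresses) and backscatter (TCP replies such as SYN-ACK or RST from hosts answering packets that spoofed a darknet address as their source). The Python below is an added example, not from the presentation or from Team Cymru's guide; the record format, the 192.0.2.0/24 darknet range, the threshold and all sample values are constructed.

```python
"""Classify traffic that reached a darknet (unused address space) into
scanners, backscatter and low-volume probes. Added example, not from the
presentation; record format, darknet range and sample values are constructed."""
from collections import defaultdict

# Constructed capture on darknet 192.0.2.0/24: "src dst proto flags dport".
# flags: S = SYN, SA = SYN-ACK, RA = RST-ACK, - = no TCP flags (UDP).
SAMPLE_DARKNET = """\
203.0.113.77 192.0.2.10 tcp S 445
203.0.113.77 192.0.2.11 tcp S 445
203.0.113.77 192.0.2.12 tcp S 445
203.0.113.77 192.0.2.13 tcp S 445
203.0.113.77 192.0.2.14 tcp S 445
203.0.113.77 192.0.2.15 tcp S 139
203.0.113.77 192.0.2.16 tcp S 139
203.0.113.77 192.0.2.17 tcp S 445
198.51.100.5 192.0.2.20 tcp SA 80
198.51.100.5 192.0.2.21 tcp SA 80
198.51.100.5 192.0.2.22 tcp SA 80
203.0.113.200 192.0.2.30 tcp RA 25
100.64.3.3 192.0.2.40 udp - 1434
100.64.3.3 192.0.2.41 udp - 1434
100.64.3.3 192.0.2.42 udp - 1434
100.64.3.3 192.0.2.43 udp - 1434
100.64.3.3 192.0.2.44 udp - 1434
100.64.3.3 192.0.2.45 udp - 1434
203.0.113.9 192.0.2.50 tcp S 80
"""


def parse_darknet(text):
    """Return one dict per well-formed capture line."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, dst, proto, flags, dport = parts
        records.append({"src": src, "dst": dst, "proto": proto,
                        "flags": "" if flags == "-" else flags,
                        "dport": int(dport)})
    return records


def classify_darknet(records, min_targets=5):
    """Return {src: {"class", "targets", "ports"}}.
    backscatter      : only TCP packets carrying ACK or RST (replies to spoofed packets)
    scanner          : probes (SYN / UDP) to at least min_targets darknet addresses
    low-volume probe : probes below that threshold
    mixed            : both replies and probes from the same source"""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(),
                                   "reply": 0, "probe": 0})
    for r in records:
        s = per_src[r["src"]]
        s["targets"].add(r["dst"])
        s["ports"].add(r["dport"])
        if r["proto"] == "tcp" and ("A" in r["flags"] or "R" in r["flags"]):
            s["reply"] += 1
        else:
            s["probe"] += 1
    result = {}
    for src, s in per_src.items():
        if s["reply"] and s["probe"]:
            cls = "mixed"
        elif s["reply"]:
            cls = "backscatter"
        elif len(s["targets"]) >= min_targets:
            cls = "scanner"
        else:
            cls = "low-volume probe"
        result[src] = {"class": cls, "targets": len(s["targets"]),
                       "ports": sorted(s["ports"])}
    return result


if __name__ == "__main__":
    for src, info in classify_darknet(parse_darknet(SAMPLE_DARKNET)).items():
        print(f"{src:15s} {info['class']:17s} targets={info['targets']} ports={info['ports']}")
```

On the sample the SMB sweep from 203.0.113.77 and the UDP/1434 sweep from 100.64.3.3 come out as scanners with their target counts and port lists, the SYN-ACKs from 198.51.100.5 and the RST from 203.0.113.200 come out as backscatter (those sources are the victims of someone else's spoofed traffic, not attackers), and the single SYN from 203.0.113.9 stays below the scanner threshold.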
Detecting C&C
• Ourmon (Linux/FreeBSD tool) – detects network anomalies and correlates them with IRC channel traffic.
• Stats generated every 30 sec
• Application layer analytics
• Claims from ourmon.sourceforge.net/
– Monitor TCP (syndump) and UDP (udpreport) flows
– Log all DNS query responses network wide
– Measure basic network traffic statistically
– Catch "unexpected" mail relays
– Catch botnets
– Spot infections with random "zero-day" malware
– Spot attacks from the inside or outside
– See what protocols are taking up the most bandwidth
Prevention – Vulnerability scanning
• Vulnerability scanning – scan for vulnerabilities and fix those found. Identify and protect machines that could become bots.
– Nexpose
• Free for up to 32 IPs

– OpenVAS (Vulnerability Assessment System)
• Linux
• VM available (resource intensive)

– Greenbone Desktop Suite (uses OpenVAS)
• Windows XP/Vista/7

– MBSA (Microsoft Baseline Security Analyzer)
– Secunia PSI (local Windows machine scanning only)
Prevention – A/V and Anti-malware
• AVG (Grisoft) – free for home use
• Ad-aware (Lavasoft) – free
• Repelit (itSoftware)
• McAfee
• Microsoft Security Essentials (free up to 10 PCs)
• Symantec
• Spybot Search and Destroy – free

Prevention
• Personal firewall
• Firewall
– SmoothWall
– M0n0wall

• IPS/IDS
– Snort – Network IDS
• BASE – web front-end for Snort

– OSSEC – Host IDS

• Web filtering
• SPAM filtering (incoming & outgoing)
• Disable VPN split tunnel
Prevention
• Read-only virtual desktops
• Software
– Software restrictions and auditing
– Sandbox software before deployment

• Patch management
• NAC (Network Access Control) – A/V & patches

Response
• Incident response
– Determine scope
– Determine whether it constitutes a breach and therefore requires notification
– Analyze – is any evidence needed?
• Toolkit
– Process Monitor
– Rootkit Revealer
– Hiren's BootCD 15.1 has a variety of tools (http://www.hiren.info/pages/bootcd)

– Clean the device
Thanks
Enjoy the summit
Acknowledgements:
• Bot command tables obtained from “An Inside Look at Botnets” by Vinod Yegneswaran
• The programs depicted in this presentation are owned by their respective authors

The Bot Stops Here: Removing the BotNet Threat - Public and Higher Ed Security Summit - Eric Vanderburg

  • 1. The Bot Stops Here: Removing the BotNet Threat Eric Vanderburg JurInnov, Ltd. April 25, 2012 © 2012 JurInnov Ltd. All Rights Reserved.
  • 2. Presentation Overview • The Internet is always attacking you but are you attacking the Internet? • Botnet overview • Defining the threat • Command and Control servers • Propagation • Detection • Prevention • Response 1 © 2012 JurInnov Ltd. All Rights Reserved.
  • 3. Botnet Overview • Bot – Program that performs automated tasks – Remote controlled – AKA: zombie or drone • Botnet – collection of bots remotely controlled and working together to perform tasks • Bot herder – bot master 2 © 2012 JurInnov Ltd. All Rights Reserved.
  • 4. Facts • 40% of infected machines have 1 or more bots • Zeus bot is responsible for losses greater than $100 million 2011 Damballa threat report SC Magazine, April 2012 3 © 2012 JurInnov Ltd. All Rights Reserved.
  • 5. Why are universities particularly susceptible? • Lack of control over machines • Silos for research or classroom projects • A culture of information sharing with minimal boundaries and controls • Heavy recreational use of network resources including P2P, chat, IRC, games, and social networking. • Ideal target for attackers – many hosts – large Internet pipe – Mail and other tempting services 4 © 2012 JurInnov Ltd. All Rights Reserved.
  • 6. Threat defined – What is done with botnets? • DDoS • Spam • Distribute copyrighted material – Torrents • Data mining • Hacking • Spread itself 5 © 2012 JurInnov Ltd. All Rights Reserved.
  • 7. 2007 Zeus • Phishing w/ customizable data 2007 collection Cutwail methods • 2008 DDoS Spam, C&C • Web based Mariposa (Butterfly) 2003 RBot 1999 Pretty Park • • Harvests email addresses Rented TDSS • Stealthy and difficultspace for 2008 botnet to detect • Encrypts • Used IRC for C&C & updates itself • Rootkit 2004 PolyBot • Sold andSetsDDoS, and theft is rented “licensed” to hackers •spam, up a proxy that of 1999& email harvesting SubSevenAdmin shell access • • ICQ • data theft Email Delivery: information for personal for anonymous web to other Used IRC GTBot • Builds on AgoBot for C&C 2005 MyTob 2000 • •DoS • Polymorphs through encrypted Delivery: • • Bounce (relay)• IRC traffic Keylogger, • Delivery:access MSN, P2P, USB Keylogger • DDoS, web form Phishing, Social Networking • • • Portshell access encapsulation webcam capture Delivery: Trojan embedded Admin scan collection, • Delivery: email spam using in software • DDoS MyDoom w/ own SMTP server • Delivery: email History 1999 2000 2002 2003 2004 2005 2006 2007 2008 2009 2002 SDBot 2009 Koobface 2006 Rustock • Keylogger 2002 AgoBot • • 2007 DDoS Installs pay-per-install Spam, Storm • Delivery: WebDav and • Modular design • •Uses rootkit tomalware hide MSSQL vulnerabilities, Spam • Delivery: Social Networking 2003 SpyBot • DDoS • Encrypts spam in TLS DameWare remote mgmt Dynamic • • Builds on SDBot Hides with rootkit tech • •Robust C&C fast flux C&C DNS network (over software, password guessing detection • Malware re-encoded twice/hr • • Customizable to avoid Turns off antivirus on common MS ports & web form Defends itself with DDoS •2500 domains) • • DDoS,host file Modifies Keylogger, • •Delivery: email common backdoors collection, (Kazaa, Grokster, • Delivery: P2P clipboard logging, Sold and “licensed” • Delivery: Email enticement for webcam capture BearShare, Limewire) free music • Delivery: SDBot + P2P 6 © 2012 JurInnov Ltd. All Rights Reserved.
  • 8. Life Cycle Exploit Rally Preserve Inventory Await instructions Update Execute Report • Exploit – – – – – Malicious code Unpatched vulnerabilities Trojan Password guessing Phish • Rally - Reporting in – Log into designated IRC channel and PM master – Make connection to http server – Post data to FTP or http form 7 © 2012 JurInnov Ltd. All Rights Reserved. Clean up
  • 9. Life Cycle Exploit Rally Preserve Inventory Await instructions Update Execute Report Clean up Agobot host control commands • Preserve – Alter A/V dll’s – Modify Hosts file to prevent A/V updates – Remove default shares (IPC$, ADMIN$, C$) – Rootkit – Encrypt – Polymorph – Retrieve Anti-A/V module – Turn off A/V or firewall services – Kill A/V, firewall or debugging processes 8 © 2012 JurInnov Ltd. All Rights Reserved. <preserve> <pctrl.kill “Mcdetect.exe”/> < pctrl.kill “avgupsvc.exe”/> < pctrl.kill “avgamsvr.exe”/> < pctrl.kill “ccapp.exe”/> </preserve>
  • 10. Life Cycle Exploit Rally Preserve Inventory Await instructions Update Execute Report Clean up • Inventory – determine capabilities such as RAM, HDD, Processor, Bandwidth, and pre-installed tools • Await instructions from C&C server • Update – Download payload/exploit – Update C&C lists 9 © 2012 JurInnov Ltd. All Rights Reserved.
  • 11. Life Cycle Exploit Rally Preserve Inventory Await instructions Update • Execute commands – – – – – – – DDoS Spam Harvest emails Keylog Screen capture Webcam stream Steal data • Report back to C&C server • Clean up - Erase evidence 10 © 2012 JurInnov Ltd. All Rights Reserved. Execute Report Clean up
  • 12. Propagation • Scan for windows shares and guess passwords ($PRINT, C$, D$, E$, ADMIN$, IPC$) – find usernames, guess passwords from list – Remember to use strong passwords Agobot propagation functions 11 © 2012 JurInnov Ltd. All Rights Reserved.
  • 13. Propagation • Use backdoors from common trojans • P2P – makes files available with enticing names hoping to be downloaded. File names consist of celebrity or model names, games, and popular applications • Social networking – Facebook posts or messages that provides a link (Koobface worm) 12 © 2012 JurInnov Ltd. All Rights Reserved.
  • 14. Propagation • SPIM – Message contact list – Send friend requests to contacts from email lists or harvested IM contacts from the Internet • Email – Harvests email addresses from ASCII files such as html, php, asp, txt and csv – uses own SMTP engine and guesses the mail server by putting mx, mail, smpt, mx1, mail1, relay or ns in front of the domain name. 13 © 2012 JurInnov Ltd. All Rights Reserved.
  • 15. Command and Control • C&C or C2 • Networked with redundancy • Dynamic DNS with short TTL for C&C IP (weakness is the DNS, not the C&C server) • Daily rotating encrypted C&C hostnames • Alternate control channels (Ex: Researchers in 2004 redirected C&C to monitoring server) 14 © 2012 JurInnov Ltd. All Rights Reserved.
  • 16. Command and Control – Web or FTP server • instructions in a file users download • Bots report in and hacker uses connection log to know which ones are live • Bots tracked in URL data • Commands sent via push or pull method – Peer-to-peer – programming can be sent from any peer and discovery is possible from any peer so the network can be disrupted without the C&C server. – Social networking – Instant Messaging 15 © 2012 JurInnov Ltd. All Rights Reserved.
  • 17. Botnet commands - Agobot • Commands are sent as PRIVMSG, NOTICE or TOPIC IRC messages 16 © 2012 JurInnov Ltd. All Rights Reserved.
  • 18. Detecting bots • Monitor port statistics on network equipment and alert when machines utilize more than average – Gather with SNMP, netflow, or first stage probes (sniffers) attached to port mirrored ports on switches. • Wireshark • Real time netflow analyzer- Solarwinds free netflow tool • Small Operation Center or MRTG – free SNMP/syslog server with dashboard • SNARE – event log monitoring (Linux & Windows agents) 17 © 2012 JurInnov Ltd. All Rights Reserved.
  • 19. Detecting bots - Stager • Stager (Latest version 4.1) – Monitors network statistics using netflow based on nfdump . https://trac.uninett.no/stager 18 © 2012 JurInnov Ltd. All Rights Reserved.
  • 20. Detecting bots - Firewall • ASDM – Cisco ASA and PIX 19 © 2012 JurInnov Ltd. All Rights Reserved.
  • 21. Detecting bots - Darknet • Network telescope (darknet) – collector on an unused network address space that monitors whatever it receives but does not communicate back. • Most traffic it receives is illegitimate and it can find random scanning worms and internet backscatter (unsolicited commercial or network control messages). • How to set up a darknet http://www.team-cymru.org/Services/darknets.html 20 © 2012 JurInnov Ltd. All Rights Reserved.
  • 22. Detecting C&C • Ourmon (linux/FreeBSD tool) – detects network anomalies and correlate it with IRC channel traffic. • Stats generated every 30sec • Application layer analytics • Claims from ourmon.sourceforge.net/ – – – – – – – – Monitor TCP (syndump), and UDP (udpreport) flows Log all DNS query responses network wide Measure basic network traffic statistically Catch "unexpected" mail relays Catch botnets Spot infections with random "zero-day" malware Spot attacks from the inside or outside See what protocols are taking up the most bandwidth 21 © 2012 JurInnov Ltd. All Rights Reserved.
  • 23. Prevention – Vulnerability scanning • Vulnerability scanning – scan and fix vulnerabilities found. Identify and protect machines that could be potential bots. – Nexpose • Free for up to 32 IP – OpenVAS (Vulnerability Assessment System) • Linux • VM available (resource intensive) – Greenbone Desktop Suite (uses OpenVAS) • Windows XP/Vista/7 – MBSA (Microsoft Baseline Security Analyzer) – Secunia PSI (local Windows machine scanning only) 22 © 2012 JurInnov Ltd. All Rights Reserved.
  • 24. Prevention – A/V and Anti-malware • • • • • • • AVG (Grisoft) – free for home use Ad-aware (Lavasoft) - free Repelit (itSoftware) McAfee Microsoft Security Essentials (free up to 10 PCs) Symantec Spybot Search and Destroy - free 23 © 2012 JurInnov Ltd. All Rights Reserved.
  • 25. Prevention • Personal firewall • Firewall – SmoothWall – M0n0wall • IPS/IDS – Snort – Network IDS • BASE – web front-end for Snort – OSSEC – Host IDS • Web filtering • SPAM filtering (incoming & outgoing) • Disable VPN split tunnel 24 © 2012 JurInnov Ltd. All Rights Reserved.
  • 26. Prevention • Read only virtual desktops • Software – Software restrictions and auditing – Sandbox software before deployment • Patch management • NAC (Network Access Control) – A/V & patches 25 © 2012 JurInnov Ltd. All Rights Reserved.
  • 27. Response • Incident response – Determine scope – Determine if it constitutes a breach and therefore notification – Analyze - Is any evidence needed? • Toolkit – Process Monitor – Rootkit Revealer – Hiren BootCD 15.1 has a variety of tools (http://www.hiren.info/pages/bootcd) – Clean the device 26 © 2012 JurInnov Ltd. All Rights Reserved.
  • 28. Thanks Enjoy the summit Acknowledgements: • Bot command tables obtained from “An Inside Look at Botnets” by Vinod Yegneswaran • The programs depicted in this presentation are owned by their respective authors 27 © 2012 JurInnov Ltd. All Rights Reserved.

Editor's Notes

  • #4: 40% fact: http://www.damballa.com/downloads/r_pubs/Damballa_Threat_Report-First_Half_2011.pdf ; Zeus bot stat: http://krebsonsecurity.com/2012/03/microsoft-takes-down-dozens-of-zeus-spyeye-botnets/
  • #17: http://pages.cs.wisc.edu/~pb/botnets_final.pdf