FORDHAM UNIVERSITY
THE JESUIT UNIVERSITY OF NEW YORK
Croatia Botnet
Shannon Ortiz
Director of IT Security
Fordham University
What is a Croatia Botnet?
Croatia
Officially the Republic of Croatia, is a country in Central Europe and
Southeastern Europe at the crossroads of the Pannonian Plain, the
Balkans and the Adriatic Sea.
Botnet
A collection of software agents, or robots (“bots”), that run autonomously
and automatically under a remote controller. The term is most commonly
associated with malicious software, but it can also refer to a network of
computers using distributed computing software.
Croatia Botnet
A botnet whose command-and-control server was located in Croatia and that
crippled the Fordham University Internet link in May 2010.
Fordham IT 2 July 2010
What happened BEFORE the attack?
Several incidents of unexplained network anomalies
• May 20th, 2010 – 1:30 p.m. Duration: 10 minutes
• May 21st, 2010 – 3 occurrences between 1:00 p.m. – 2:00 p.m.
• May 25th, 2010 – 3:55 p.m. Duration: 5 minutes
Degradation of the Lincoln Center Internet link
• Slowness to and from Lincoln Center
• Excessive connections (200,000+) on the firewall
• Firewall CPU pinned at 100%
• Dropped packets
• Rose Hill Intermapper showed all Lincoln Center devices down
Was that the attack? Not exactly…
The events of May 20th – 25th may have just been tests.
The actual attack started on May 26th, 2010 at ~9:30 a.m.
Who was doing what & what was found?
Network and Computer Services were working together very closely
looking at:
• Network switches and routers
• Firewalls
• XO (the provider of the Lincoln Center Internet link)
• New BGP routers
Each incident exhibited the same behavior.
The UISO was approached by Frank Sirianni at 12:30 p.m. on May 26th.
The XO link at Lincoln Center was disabled; the bad traffic then simply
moved to the Rose Hill link, which showed this was not a Lincoln Center problem.
What happened next?
David Whitney relayed his suspicions of an “attack” to the UISO.
Using OmniPeek we were able to identify a “top talker”.
A rule was pushed to the firewall to block this top talker, but the firewall,
already saturated, could not handle the load.
A decision was made to disable the RH link while a solution was found; all
internal traffic continued to work fine.
Around 2:00 p.m. a different way to block the top talker was discussed and
implemented:
• A QoS policy was set to direct all traffic destined for the top talker to
127.0.0.1 (localhost). In other words, all traffic to the C2 address was
dead-ended at the infected machines themselves. Functionally this is a
blackhole (null) route for the C2 address; because it is a routing/QoS policy
rather than a firewall rule, it did not depend on the firewall that was
already overloaded.
Attempts to have the address blocked upstream at our ISP took too long and
would ultimately have been costly.
Tell me more about this top talker
A 31.18-minute sample of traffic on the RH Internet link revealed a
single IP address that used 86% of the link's bandwidth during that time.
A lookup of that IP address, 85.94.76.155, showed the origin to
be Croatia. (A GeoIP lookup locates the C2 server, not necessarily the
people operating it.)
Historically, MANY cyber attacks have come from countries like
Croatia, China, Russia, Ghana and Ukraine.
Remember we’re paranoid and sometimes we’re right.
48 internal IP addresses were found to be communicating with this
address.
Most of the traffic was large in size and encrypted – what does
that mean for us? Content inspection will not tell us what is being sent;
the volume, the destination and the list of internal peers have to carry
the investigation.
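The triage above, as an added worked example in Python (not code from the original deck, from OmniPeek or from Fordham IT): rank external addresses by bytes crossing the Internet link, compute the share the top one carries, list the internal hosts that talked to it (the machines that have to come off the network), and apply a byte-entropy test to a payload sample as one concrete answer to the “large and encrypted” question. The flow records and payloads are constructed for the example; the 10.0.0.0/8 campus range and the 7.0 bits-per-byte threshold are assumptions.

```python
"""Flow triage for a link-saturation incident: find the external "top
talker", list the internal hosts talking to it, and estimate whether a
payload sample is encrypted. Added example, not Fordham's or OmniPeek's code."""
import math
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# The campus address space is assumed to be 10.0.0.0/8 (assumption).
INTERNAL = ip_network("10.0.0.0/8")

# Constructed flow records (timestamp_s, src, dst, bytes) standing in for a
# capture summary. All addresses are RFC 5737 documentation ranges;
# 203.0.113.7 plays the part of the command-and-control server.
SAMPLE_FLOWS = [
    (0,  "10.1.0.5",      "203.0.113.7",   500_000),
    (5,  "203.0.113.7",   "10.1.0.5",      400_000),
    (7,  "10.1.0.9",      "203.0.113.7",   600_000),
    (12, "10.2.3.4",      "198.51.100.20",  50_000),
    (15, "198.51.100.20", "10.2.3.4",      120_000),
    (20, "10.1.0.9",      "10.1.0.5",      900_000),  # LAN only, never crosses the link
    (30, "10.3.0.8",      "203.0.113.7",   220_000),
    (40, "10.2.3.4",      "192.0.2.9",      30_000),
    (45, "198.51.100.20", "10.4.4.4",       80_000),
]


def _external_end(src, dst, internal):
    """The external address of a flow, or None if it never leaves the LAN."""
    src_in, dst_in = ip_address(src) in internal, ip_address(dst) in internal
    if src_in and dst_in:
        return None
    return dst if src_in else src


def top_talker(flows, internal=INTERNAL):
    """(external_ip, bytes, share_of_link_bytes) for the busiest external address."""
    by_ext = defaultdict(int)
    link_total = 0
    for _, src, dst, nbytes in flows:
        ext = _external_end(src, dst, internal)
        if ext is None:
            continue  # only traffic that crosses the Internet link counts
        by_ext[ext] += nbytes
        link_total += nbytes
    ext, nbytes = max(by_ext.items(), key=lambda kv: kv[1])
    return ext, nbytes, nbytes / link_total


def internal_peers(flows, ext_ip, internal=INTERNAL):
    """Bytes exchanged with ext_ip per internal host, busiest first:
    these are the machines to pull off the network and scan."""
    peers = defaultdict(int)
    for _, src, dst, nbytes in flows:
        if src == ext_ip and ip_address(dst) in internal:
            peers[dst] += nbytes
        elif dst == ext_ip and ip_address(src) in internal:
            peers[src] += nbytes
    return dict(sorted(peers.items(), key=lambda kv: -kv[1]))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum (every byte value equally likely)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(payload: bytes, threshold: float = 7.0, min_len: int = 256) -> bool:
    """Heuristic: a long payload near 8 bits/byte is encrypted or compressed,
    so content inspection will not help. Threshold and minimum length are assumptions."""
    return len(payload) >= min_len and shannon_entropy(payload) >= threshold


if __name__ == "__main__":
    ext, nbytes, share = top_talker(SAMPLE_FLOWS)
    print(f"top talker {ext}: {nbytes} bytes, {share:.0%} of link traffic")
    for host, n in internal_peers(SAMPLE_FLOWS, ext).items():
        print(f"  talks to {host}: {n} bytes")
    print("uniform bytes look encrypted:", looks_encrypted(bytes(range(256)) * 4))
    print("HTTP request looks encrypted:", looks_encrypted(b"GET /index.html HTTP/1.1\r\n" * 20))
```

Run as a script it reports the constructed C2 address carrying 86% of link bytes and its three internal peers; against a real incident you would feed it the per-flow byte counts exported from the analyzer. The entropy test only tells you that inspection is off the table; with encrypted C2 traffic the volume, destination and peer list are the evidence, which is exactly what the slides relied on.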
What was done next?
Each IP owner and location was identified
Each port was disabled from the network
Every machine was scanned and cleaned
All results were filtered through the UISO and approvals were
given to re-activate the network connections
But the connections were not always turned back on…
Machines that came back with negative (clean) results were rescanned at the
request of the UISO, BUT this time with additional tools.
EVERY identified machine turned out to be infected with a Trojan (harmful
software disguised to look legitimate, e.g. Trojan.FakeAV); the first pass
with the standard antivirus had missed all of them.
Once a machine was reported back clean, approval was given to re-activate
its network connection.
We are done!... Or are we?
Not quite.
What have we learned?
Lessons Learned
The UISO needs to be involved earlier
We need more Defense-In-Depth
• We need to re-evaluate our endpoint security
• Symantec alone is NOT sufficient
• Different or additional tools are a MUST
– We ended up using MalwareBytes, IObit Security 360 and
ComboFix (all free tools)
Need EndPoint Remediation Tools (scan, detect and clean)
IDS/IPS will help
More central logging and a Security Event Manager may help
with event correlation
Desktops are just as important as our servers
Vulnerability assessments are required for our desktops
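The central-logging and event-correlation point above, as an added example (not Fordham IT's tooling; the log syntax is invented for it): merge the firewall's overload samples into episodes, attach the monitoring system's device-down alerts that fall inside each episode's window, and separate out device-downs that no episode explains. The thresholds mirror the symptoms on the earlier slides (200,000+ connections, CPU pinned at 100%); the sample lines are constructed.

```python
"""Correlating two log sources into incident episodes: firewall health
samples (connection count, CPU) and monitoring-system device-down alerts.
Added example, not Fordham IT's tooling; the log formats are invented."""
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the May 20-25 symptoms: one firewall
# health sample every five minutes, plus Intermapper-style device alerts.
FIREWALL_LOG = """\
2010-05-20T13:25:00 fw=lc-fw1 conns=41200 cpu=37
2010-05-20T13:30:00 fw=lc-fw1 conns=212400 cpu=100
2010-05-20T13:35:00 fw=lc-fw1 conns=198700 cpu=100
2010-05-20T13:40:00 fw=lc-fw1 conns=39800 cpu=35
2010-05-25T15:55:00 fw=lc-fw1 conns=231100 cpu=100
2010-05-25T16:00:00 fw=lc-fw1 conns=40100 cpu=33
"""
MONITOR_LOG = """\
2010-05-20T13:31:10 intermapper device=lc-core1 state=DOWN
2010-05-20T13:31:12 intermapper device=lc-dist2 state=DOWN
2010-05-20T13:41:00 intermapper device=lc-core1 state=UP
2010-05-21T09:02:00 intermapper device=rh-lab-sw7 state=DOWN
2010-05-25T15:56:40 intermapper device=lc-core1 state=DOWN
"""

CONN_THRESHOLD = 200_000  # "excessive connections (200,000+)"
CPU_THRESHOLD = 95        # "firewall CPU pinned at 100%"
FW_RE = re.compile(r"^(\S+) fw=\S+ conns=(\d+) cpu=(\d+)$")
MON_RE = re.compile(r"^(\S+) intermapper device=(\S+) state=(\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def firewall_overloads(text):
    """(timestamp, conns, cpu) for every sample where the firewall is saturated."""
    hits = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m and (int(m[2]) >= CONN_THRESHOLD or int(m[3]) >= CPU_THRESHOLD):
            hits.append((parse_ts(m[1]), int(m[2]), int(m[3])))
    return hits


def device_downs(text):
    """(timestamp, device) for every DOWN alert; UP transitions are ignored."""
    downs = []
    for line in text.splitlines():
        m = MON_RE.match(line)
        if m and m[3] == "DOWN":
            downs.append((parse_ts(m[1]), m[2]))
    return downs


def episodes(overloads, gap=timedelta(minutes=5)):
    """Merge overload samples no more than `gap` apart into (start, end, peak_conns)."""
    out = []
    for ts, conns, _cpu in sorted(overloads):
        if out and ts - out[-1][1] <= gap:
            start, _end, peak = out[-1]
            out[-1] = (start, ts, max(peak, conns))
        else:
            out.append((ts, ts, conns))
    return out


def correlate(fw_text, mon_text, window=timedelta(minutes=5)):
    """Attach to each overload episode the devices reported down between its
    start and `window` after its end; return unexplained downs separately."""
    eps = episodes(firewall_overloads(fw_text))
    downs = device_downs(mon_text)
    matched = []
    for start, end, peak in eps:
        related = sorted({dev for ts, dev in downs if start <= ts <= end + window})
        matched.append({"start": start, "end": end, "peak_conns": peak,
                        "devices_down": related})
    unexplained = [(ts, dev) for ts, dev in downs
                   if not any(s <= ts <= e + window for s, e, _ in eps)]
    return matched, unexplained


if __name__ == "__main__":
    matched, unexplained = correlate(FIREWALL_LOG, MONITOR_LOG)
    for ep in matched:
        print(f"{ep['start']:%Y-%m-%d %H:%M}-{ep['end']:%H:%M} peak {ep['peak_conns']} conns, "
              f"down: {', '.join(ep['devices_down']) or 'none'}")
    for ts, dev in unexplained:
        print(f"{ts:%Y-%m-%d %H:%M} {dev} down with no firewall overload nearby")
```

On the constructed data this yields two episodes (May 20 13:30–13:35 with two Lincoln Center devices down, May 25 15:55 with one) and one isolated switch outage that the firewall never saw; the point of pulling both sources into one place is that the May 20 and May 25 windows line up as the same event, which nobody looking at either log alone would have called an attack.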
Key Lesson Learned
Need an Internal Incident Response Plan
• One with clearer ground rules for reacting
• Pre-arranged communication plans
• Codification of standard operating procedures for
incident handling
Please remember to follow the documented Fordham
Incident Response Plan vetted by the ISAB and
Legal Counsel
Botnet Motivation
$$$$ Money, Money, Money $$$$
According to Verisign iDefense, Botnet Rentals start at $8.94 and average at $67.20 for a 24
hour rental.
http://www.zdnet.co.uk/news/security-threats/2010/05/25/botnet-price-for-hourly-hire-on-par-
with-cost-of-two-pints-40089028/
Three programmers with no special skills were the “hackers” behind the Mariposa botnet of
12.7 million PCs, which infected half of the Fortune 1,000 companies and more than 40 banks.
The worm spread via removable drives, MSN Messenger and peer-to-peer programs and
targeted XP and older machines.
http://www.zdnet.co.uk/news/security-management/2010/03/03/mariposa-botnet-spain-makes-
three-arrests-40067866/
Let the UISO help, get us involved… EARLY!
If you see something… say something!!!
Let us accept the responsibility and be the goons.
If you’re not sure ask us.
Factoids (Did you know 37% of statistics are made up?)
Key highlights of the Secunia Half Year Report 2010 are:
Since 2005, no significant upward or downward trend in the total number of vulnerabilities in the
more than 29,000 products covered by Secunia Vulnerability Intelligence has been observed.
A group of ten vendors, including Microsoft, Apple, Oracle, IBM, Adobe and Cisco, accounts
on average for 38 percent of all vulnerabilities disclosed per year.
In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user
PC almost doubled from 220 to 420, and based on the data of the first six months of 2010,
the number is expected to almost double again in 2010, to 760.
During the first six months of 2010, 380 vulnerabilities, or 89% of the figure for all of 2009,
had already been reached.
A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24
3rd party programs installed than in the 26 Microsoft programs installed. It is expected that
this ratio will increase to 4.4 in 2010.
http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf
Think I’m kidding?
Date: Sat, 10 Jul 2010 16:17:04 GMT
From: "Webmail Support Team"
Subject: University Support Last Warning!!!
University Support Last Warning!!!
University Webmaster
DEAR USER,
This mail is to inform all our students, individual or staff that we will be upgrading our site in a couple of days from now, So you as a
Subscriber of our site, you are required to send us your Email account details so as to enable us know if you are still making use
of your mail box. Further be informed that we will be deleting all mail account that is not functioning so as to create more space
for our new users. So you are to send us your mail account details which are as follows:
*Login URL:
*User name:
*Password:
*Date of birth:
Failure to do this will immediately render your email address deactivated from our database.
Copyright (c) 2010 The University Webmail Support Team.
Be like the UISO
Questions?
Q&A