Botnet and Code Injection Attack


S.C. Leung

[Diagram: HKCERT's coordination network. Regional partners: CERT teams in Asia Pacific (other coordination centres in the region) and APCERT. Global partners: CERT teams around the world (other coordination centres worldwide) and FIRST. Local stakeholders: law enforcement, virus and security research centres, local enterprises and Internet users, ISPs (Internet service providers), software vendors, and universities.]

Botnet and Code Injection Attack

- Cyberspace: the New Business Platform for Whom?
  - Incentives of Cyber Attack
  - The Underground Economy
- Botnet: Attacker's infrastructure
- Code Injection & SQL Injection Attack
- Protection Strategies

Cyberspace: the New Business Platform for Whom?

Cybercrime for Sale

- Services:
  - DDoS attacks. The price usually depends on the attack time:
    - 1 hour: US$10-20 (depends on the seller)
    - 2 hours: US$20-40
    - 1 day: US$100
    - More than 1 day: from US$200 (depends on the complexity of the job)
    It is worth highlighting that they normally offer 10 minutes of testing: if you are interested, you tell them the server and they will perform a DoS attack against it for 10 minutes, so that you can evaluate the 'service'.
  - Spam hosting: US$200
  - Dedicated spam server: US$500
    - +10,000,000 mails per day: US$600
  - SMS spam (per message): US$0.2
  - ICQ (1,000,000): US$150
- Mailing lists for spam (prices in US$):
    List size     Price
    1,000,000     100    100    100    100
    3,000,000     200    200    200    200
    5,000,000     300    300    300    -
    8,000,000     500    500    500    -
    16,000,000    900    -      -      -
    32,000,000    1500   -      -      -
- Hiding of executable files, to avoid antivirus programs and firewalls (they guarantee that the files won't be detected even by the antivirus updates of the date of purchase): from US$1 to US$5 per executable file (cheap, isn't it?)
- FTP accounts: US$1 per account
- 50MB of Limbo Trojan logs: US$30 (contains email accounts, bank account numbers, credit card numbers, etc.; a percentage is guaranteed)
- ICQ numbers: from US$1 to US$10 (depending on the ICQ number)
- RapidShare premium accounts:
  - 1 month: US$5
  - 2 months: US$8
  - 3 months: US$12
  - 6 months: US$18
  - 1 year: US$28
- Online shop accounts (all Russian): US$50 each
Incentives of Cyber Attacks

- Incentives: financial, political, or for fun (achievement, financial gain, fun and interest, political or religious motives, revenge)
- Piracy: theft of CD keys
- Theft of personal information and identification (SSN, ID, password, credit card number)
- Spam: paid spam relays
- Phishing attacks: paid web hosting
- Spyware/adware installation: pay per installation
- Click fraud: pay per click
- DDoS: extortion, or attack on a competitor's service site
- Blackmail / ransomware
  - encrypts hard drive data, then demands a ransom

Visibility of Malware vs. Malicious Intent

[Chart: malware visibility plotted against malicious intent. Labels on the chart: mass mailing virus, worms by hacking, fame and glory, highly profitable cybercrime. Source: GOVCERT.NL]

Botnet: Attackers' IT Infrastructure

Botnet (roBot Network)

[Diagram: the bot herder controls several C&C servers, and each C&C server controls many bots. Traffic flows up from bots to C&C (data) and down from C&C to bots (commands and updates). The bots are used for spam and for DDoS attacks against victims.]

Note: Wikipedia is not totally correct on "botnet"; a botnet is much more than a DDoS platform.
Botnet Fire Power in Real Fights

- Estonia DDoS (May 2007)
  - 58 Estonian web sites encountered DDoS attacks from thousands of botnet computers
  - Response to Estonia relocating a Soviet-era memorial
- CNN DDoS (April 2008)
  - CNN filtered traffic in response to the disruption attempts, which impacted some Asian users
  - Response to CNN's report on Tibet
- Lithuania mass defacement (July 2008)
  - 300 web sites defaced with pro-Russian slogans
  - Response to a law outlawing Soviet symbols in Lithuania
Malware 2.0

- Evade detection
  - Keep a low profile (see figure)
  - Encrypt or encode
  - Keep on changing; use rootkit technology
  - Targeted attack
  - Terminate security software
  - Test against known AV software
- Command and control
  - Receive data from victim
  - Command victim action
  - Malware update
    - Patch / upgrade
    - AV detection signature
Attackers Expand the Botnet Colony

Maximizing the malware attack surface: legitimate sites compromised to host malware

Legitimate Site with Embedded Third-Party Information Serving

- Embedded third-party information (and banner ads) on a web page is something the web master finds hard to control
  - Travel sites and music service sites have many banner ads
  - News sites subscribe to third-party financial information, for example
Redirection of Attacks

- Exploits imported from other servers via iframes and redirects

[Diagram: the user's web request reaches a malicious web server, which redirects the browser to an exploit server; the exploit server serves the exploit page. One exploit server is shared by several malicious web servers.]
Web-borne Malware Infection

- ScanSafe Report 2008 (May 2007 to May 2008)
  - 66% of malware comes from legitimate sites
  - Web-borne malware up 278%
    - 76% SQL injection
- Websense Report, January 2008
  - 51% of points of infection were compromised legitimate sites

[Chart: Web Attack 2008 H1 (ScanSafe); categories shown include SQL injection and stolen FTP, with slices labelled 12% and 5%.]
Bulletproof Hosting

- Guarantee access to their network
  - Gain access to the network via trusted BGP peers, so as to get their network presence announced
  - Use other 'friendly' service providers to host their service
    - Good bandwidth and lax control
- A report, "Atrivo - Cyber Crime USA" (2008), disclosed that the network service provider Atrivo (or Intercage) failed to respond to abuse reports about hosts inside its network.
Code Injection

iFrame (掛馬: planting a Trojan in a web page)

- A trustworthy web site with a vulnerability is compromised, and its web page is injected with an "invisible" script.
  - e.g.
    <iframe width=1 height=1 src="">
  - The visitor of the web page is transparently redirected to another web site, which hosts the malicious script.
    <script src=></script>
- Attraction to hackers:
  - Better reach to victims
  - Easier management
  - More difficult to investigate

Code Injection: No Visible Injected Code on the Web Page

- The web page looks fine on the face of it
- The embedded malicious script is seen only when the page source is examined
Code Injection: Evasion of Detection

- Code obfuscation
  - Evades signature-based detection
  - Mind these functions: eval(), arguments.callee()
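An added example (not from the slides) of how a defender can check a page's source for the two tell-tales just described: near-invisible iframes and scripts that rely on eval() or arguments.callee. The sample page, its host names and the function names are constructed for this example.

```python
from html.parser import HTMLParser
import re

# Functions obfuscated loaders lean on: the slide's "mind these functions".
OBFUSCATION_MARKERS = ("eval(", "arguments.callee")

def _dim(value):
    # Parse an iframe size such as '1' or '1px' into an int; None if absent.
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (kind, detail) pairs worth an alert
        self.external_scripts = []  # script src values, listed for host review
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            # A 1x1 or hidden frame renders nothing visible, as on the slide.
            w, h = _dim(a.get("width")), _dim(a.get("height"))
            style = (a.get("style") or "").replace(" ", "").lower()
            if ((w is not None and w <= 1) or (h is not None and h <= 1)
                    or "display:none" in style or "visibility:hidden" in style):
                self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.external_scripts.append(a["src"])

    def handle_data(self, data):
        # HTMLParser hands raw <script> bodies to handle_data; check markers.
        if self._in_script:
            hits = [m for m in OBFUSCATION_MARKERS if m in data]
            if hits:
                self.findings.append(("obfuscated-script", ",".join(hits)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def scan_html(html):
    """Return {'findings': [...], 'external_scripts': [...]} for a page source."""
    s = InjectionScanner()
    s.feed(html)
    return {"findings": s.findings, "external_scripts": s.external_scripts}

# Constructed sample: renders as a plain welcome page, yet the source carries
# an injected 1x1 frame and an eval()-based loader.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1>
<iframe width=1 height=1 src="http://injected.example/x"></iframe>
<script>eval(unescape("%61%6c%65%72%74%28%31%29"));</script>
<script src="http://cdn.example/site.js"></script></body></html>"""
```

Run scan_html(SAMPLE_PAGE) to see both findings; external script sources are only listed so their hosts can be reviewed, since most legitimate pages load some.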
SQL Injection

HTTP Request/Response: Static Web Page

[Diagram: 1. the user (client) requests the web page; 4. the web server sends the web page.]

HTTP Request/Response: Dynamic Web Page

[Diagram: user input produces dynamic content that depends on the user input.]

HTTP Request/Response: Dynamic Web Page

[Diagram: 1. the user (client) requests the web page; 2. the web server requests data; 3. the data is loaded; 4. the web server sends the web page.]

HTTP Request/Response

[Diagram: 1. the user (client) requests the web page; 2. the web server requests data from the database server; 3. the data is loaded; 4. the web server sends the web page; 5. the user submits a form with data; the web server processes the form data via CGI/ASP/PHP/JSP…; 6. the data is stored; 7. the data is loaded; 8. the web server sends the web page with the results.]
SQL Injection

- What is "SQL Injection"?
  - A web application creates SQL commands on the fly,
  - but unvalidated user input may cause the execution of unintended code.
  - Example: SQL command with user input
        SELECT passwd FROM USERS WHERE uname = '$INPUT';
  - Hacker:
    - $INPUT = "dummy' AND 1=0; DROP USERS"   (1=0 is always false)
  - System sees:
        SELECT passwd FROM USERS WHERE uname = 'dummy' AND 1=0; DROP USERS;'

[Screenshot: a "Sign up for Hahoo!" form ("Already have a Hahoo! ID?") with the Hahoo! ID field filled in as: dummy' AND 1=0; DROP USERS]
Live Demo: Using SQL Injection to Implant and Execute a File

Root Cause of Injection: no validation and sanitization of user inputs

Code / SQL Injection

[Diagram: the same request/response flow as above, but at step 5 the user submits the form with a malformed string added; the web server processes the form data via CGI/ASP and at step 6 stores the data, carrying the SQL attack into the database server.]
More Attacker Tactics

Redirect users to fake plug-in/codec sites

- Surge in Facebook malware
  - The malware spoofs a user's friend, sending a message with a URL purporting to be a YouTube movie
  - The URL brings the user to a fake YouTube site
  - "Flash_update.exe"
Password Reset Attack and Search Query Poisoning
Protection Strategies

Hit the criminals' critical infrastructure

- Trace the supply chain of the criminals (law enforcement)
- Bring down their infrastructure (ISP, DNR)
  - C&C, malicious web sites, fake domain names
  - Domain name registries manage domain registration abuse
  - ISPs unplug malware hosting networks
- Bring down spam-borne attacks
  - Corporations and ISPs adopt Port 25 management (blocks SMTP); this forces spammers to use credentials, which is more accountable (advocated by APWG, CERT)
Botnet Take Down

- FBI "Operation Bot Roast" identified 1M+ victim computers; 3 persons arrested, including spam king Robert Soloway (47 months' imprisonment)
- Atrivo/Intercage, malware hosting in the USA
- McColo, a hosting provider in the USA, unplugged; spam volume dropped by two thirds
- ICANN de-accredited EstDomains, whose CEO was convicted of credit card fraud, money laundering, and document forgery
Client Defense

- Malicious web sites
  - Browsers add anti-malware and anti-phishing features
    - IE, Mozilla, Opera; add the Netcraft toolbar if you want
    - Mind your browser and plug-ins
- Malware morphs too fast to be detected
  - Baseline defence (anti-malware, firewall, patching) is still required, though insufficient
  - Blacklists fall short; a whitelist approach is proposed but open to debate
- Detect botnets
  - Monitor OUTGOING network traffic for botnet activity
Coping with Morphing Malware

- Malware morphs too fast to be detected
  - Sandbox: malware analysis by behaviour
- Use a whitelist approach instead of a blacklist
- Security awareness comes into play more
Google Safe Browsing

Firefox and the Flock browser now incorporate Google's safety alert.
Server Defense

- Minimize and guard all entry points
- Close all flaws in the application
  - Hackers look into applications; network-filtering firewalls are blind to application attacks
- Back to basics: treat ALL user inputs as EVIL!
  - Validate all inputs in web applications
  - Runtime vulnerability assessment
  - Application firewall: modsecurity, URLScan
Prevention and Detection of Code/SQL Injection

1. Code level
   - Coding practice, code scanning
   - This is the ultimate defense
2. Database level
   - Minimum privilege for the database user account
   - Avoid some commands
3. Vulnerability scanning
   - Scan for SQL injection vulnerabilities
4. Application firewall / HTTP filtering
   - Use modsecurity and URLScan to block sensitive commands
Prevention and Detection of Code Injection

[Diagram: the same request/response flow as above, annotated with where each defence applies: a firewall in front of the web server, code review of the web apps, and input validation where the form data is processed.]
HKCERT Guideline

- SQL Injection Protection Guideline (SQL 資料隱碼防護指引)

S.C. Leung (梁兆昌)