Learning Center
Plans & pricing Sign in
Sign Out

Cyber Attack Trend and Botnet


									                  Cyber Attack Trend and Botnet

                                     S.C. Leung
                                      CISSP CISA CBCP


 Botnet and Cyber Attack Trends
  Botnet Attack Trends
       Commercialization of Cyber Crime
       Professionalization of Cyber Crimeware
       Social Engineering always cool – Waledac botnet
       Following the Social Network Services – Koobface botnet
       Delivering via Web attack & Search Engine – Gumblar botnet
       Following the Money – Banking Trojans like Zeus botnet
       Building the Survival Kit – Conficker botnet

  Defending against Botnet

Page  2
Botnet (roBot Network)
= infrastructure of controlled victim computers (bots)

                                                     Up: Data
                                    Bot Herder       Down: Command/Update

                   C&C               C&C                     C&C
                                                                     Up: Data
                                                                     Down: Command/Update

             bot     bot      bot   bot        bot     bot         bot

               Spam,                                   DDoS attack
                           victim         victim
Page  3

           1. Commercialization of Cyber Crime
Product and Service Delivery for Profit

 What do attackers want now?

 What are their product and services?
  – Products
    • Personal credentials, CCN, SSN,
      software CD keys
    • Tools to exploit, tools to hide malware

  – Service subscription:
    • spam, phishing, DDoS
    • botnet (  now closed)

Page  5

           2. Professionalization of Cyber Crimeware
Professionalization of Cyber Crimeware

 Division of Labour, R&D and Outsourcing                              Botnet is a sign of
                                                                        maturity of the
 Malware development, Botnet optimization                              infrastructure for
  – Malware good at detection evasion                                   underground economy
  – Malware targeting identifying and terminating security software    – Service delivery
  – Multi-language support
                                                                       – Maintenance
  – Remote administration support
  – Signing and encryption
                                                                       – Long term control

 IT Infrastructure
  – Hosting – network, web hosting at hacker friendly environment
      •    where there is great bandwidth
      •    where legislation is lax
      •    where user awareness is low
  – Domain - registration, domain hosting
      •    where take down procedure is lengthy

Page  7

           3. Social Engineering always cool

           Waledac Botnet
Waledac Botnet

 Spreading by
  – Spam emails employ social engineering extensively
      •     contain link to iFrame embedded malicious website, tricking user to install the malware
 Author = Creator of Storm botnet (which overwhelmed the Internet back in 2007)

 Has sound infrastructure

uses Nginx web server                                         uses Double Fast Flux DNS

                                                                The DNS records are
                                                                changing all the time

                                                                 The DNS servers are
                                                                changing all the time

Page  9

Waledac – Fast-flux

                       Bot hosts can be dynamically assigned in real time

Page  10
Waledac theme – eCard
social engineering – follow the talks of the town

Page  11

Waledac Themes
social engineering – follow the talks of the town

              on your


Page  12
 Waledac Service and Feature

 Impact
 – open a back door on the compromised computer
 – steal personal information
 – spam contacts in address book
 – turn zombie into web server, web proxy, DNS and spam template relays

 Major web server service
  – Pharmacy
  – serving malware

 Page  13

             4. Following the Social Network Services
Koobface (koob-face)

 A worm spreading in Facebook, MySpace, Twitter, Friendster, hi5 & Bebo

 Spreading
 – Spoof a friend and send a message
   ““Hello; You must see it!!!
     LOL”   with a URL
 – URL brings user to a fake YouTube
   site, luring to install a file
 – Upon execution, victim is infected.
 Impact
 – Poison all user search (Google,
   Ask, Yahoo and Bing) to
   malicious site

Page  15

Koobface: Twitter campaign

 Infected PCs with Koobface
  sent out Tweets with
  malicious URL

Page  16
A Botnet uses Twitter as Command Channel
 Bots subscribe to RSS feed to get command
 A Tweet like this
  –   “aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS

 Base64 decode the tweet, we got 2 tiny URLs

 The tiny URLs translated to:

  – URLs are encoded file. When decoded and unzipped,
    giving malware files which were found to be poorly
    detected by VirusTotal as malware

 Page  17

         5. Delivering via Web attack & Search Engine
         Gumblar Botnet
Gumblar Botnet: Impact

 Web site is a delivery channel of malware
  – Gumblar steal FTP credentials and upload malware to 3000 legitimate web sites
  – Botnet connect to two domains for download: “” / “”

 Two Botnets formed: one for web sites and one for infected client PCs

 Impacts
  – Client PCs: install backdoor in victims’ computers that connect to C&C
      •     steal FTP credentials from the victims’ computers
      •     Man in the browser attack: monitor traffic to and from the browser:
            – Replace Google search results with links pointing to malicious websites
            – Redirect from e-commerce or banking site to phishing web sites

  – Web sites: compromise any websites owned or operated by the victims
      •     distribute malware which exploit Acrobat Reader & Flash Player vulnerabilities

Page  19

Gumblar Botnet: Obfuscation

 Web pages injected obfuscated scripts, which vary from site to site, or page to page


Page  20
                                               <script src=//></script>
Gumblar Botnet: Detection and Take down

 Blocking – block the two C&C sites: “” and “”
 Checking (not 100% accurate)

Page  21

        6. Following the Money
Botnet targeting Banks

 What I have seen on a Zeus Botnet C&C Management interface
  – Bot administration features:

      •     Screenshot (save to html without image)

      •     Fake redirect (redirect to a prepared fake bank webpage)

      •     Html inject (hijack the login session and inject new field)


      •     Log the visiting information of each banking site, record the input string (text or
            post URL)

      •     An unknown field (table: yes/no) found with syntax: nn:nnnnnnnn

            – if the value is yes, mostly with comment, the comment logged the a/c information,
              e.g. transfer limit.

Page  23

Fake Redirect login page

                                                                            Source: Computer Associate
Page  24

Hacker’s ideal operation

 Intercept transaction

 Change amount and change
  destination to attacker account
  and send to the bank

 Change the display to user as
  if his transaction was executed
  – Calculate the “should be
    amount” and rewrites the
    remaining total to screen

Page  25

Man in the Browser (MITB)

 Install software/plugin inside the browser
 Hooking key OS and web browser APIs and proxying data

 Advantage
  – No encryption barrier as in proxy                                  Web App
  – SSL Padlock is unaffected for modified content
  – Direct access to Data                                                MITB
    • Freely alter the web page displayed to the customer
    • Freely modify the requests sent back to the bank.
  – Direct interface to web browser & application                           :
    • Can create additional commands (GET/POST/PUT)                         :
  – Extremely stealthy
    • Client hard to detect, since network is not interfered, web
       address, digital certificates are all correct                   Winsock
    • Bank sees the customer real IP address
  – Faster real time response so can break 2FA

Page  26
Limbo 2 - HTML Injection

 Limbo 2 Trojan kit
 Some variants inject fake
  fields into the online
  banking forms that the
  browser displays to the

 The additional fields are
  designed to collect
  details to help an
  attacker to impersonate
  the victim and/or
  compromise victim's
                                 What is the use of getting the additional info?

                                                                    Source: ThreatExpert
Page  27

Inserting transaction (when login)

 Login                                                   Shadow Login
                                      Trojan kick up
                                     shadow login at
                                        the back

                 PIN + OTP                                    PIN + OTP

                                                           Insert a new window

                                       PIN + OTP2
            Hacker use OTP2                  Submit           “Not successful.
            to authenticate a                                   Please retry”

Page  28
HKMA Circular 2009-07-13

 The HKMA noticed that the recent fraudulent technique adopted by fraudsters is
  believed to involve infecting the customer's personal computer (PC) with Trojan
  horse programs to hijack the Internet banking login credentials of customers
  (including one-time passwords for two-factor authentication) during the
  Internet banking login process.

 The hijacked login credentials were used by the fraudsters to conduct high-risk
  Internet banking transactions such as making fund transfer to an unregistered
  third-party account.

Page  29

        7. Building the Survival Kit
        Conficker Botnet
Conficker - Propagation Mechanism

Page  31                                                       Source: Cisco 2009 MidYear Report

Conficker – a model for sustainable botnet

 Designed to survive in disaster - What if the C&C are taken down?
  – Conficker.B - Domain generation for malware update
    • Active since Nov 2008, generating 250 domains/day in 5 TLDs for update

  – Conficker’s natural predator: the Conficker Working Group
    • Alliance of ICANN, domain registries and IT industry worked together to pre-empt
      – Pre-register domains
      – Redirect traffic to sinkholes to study the behavious

  – Conficker.C improved
    • Starting Apr 1, 2009, generating 50,000 domains/day in 116 TLDs; uses 500 in
      random (Some are existing domains)  making it harder to preempt the domains
    • improved authentication and encryption  so you cannot infiltrate into Conficker.C
      botnet easily
    • uses P2P for update as well – peers can update each other with the right
    • Blocks more security vendors web site

Page  32
Collaborative Effort Works!

 Conficker Working Group lead a concerted effort
                                                                       No infection
   – ICANN organized all registries to pre-empt the registration,
     handle affected domains
   – Researches generated the list of generated domain and affected
     domains to provide transparency
   – Some worked out an EyeChart for easy detection
   – Security vendors developed detection and removal tools

   –   Check affected domains in April list for suspicious content
   –   Put idle domains in close observation
   –   Exchange intelligence on the progress
   –   Coordinate with CNCERT/CC on an HK IP address owned by a       Conficker.A/B
       mainland web hosting provider

Page  33

Conficker – a model for sustainable Botnet

 Everyone watching the domain generation, but nothing happened there

 Since Conficker has dual update mechanisms -- domain generation and
  P2P, it takes the liberty to use any one at any time. Conficker had
  succeeded to evolve by P2P channel.

 We still have a long way to close it down.

Page  34
        Defending against Botnets

Enhance Response
           Conficker Working Group approach works! ICANN and others are
            collaborating more to speed up the take down.
            –   Sharing of intelligence
            –   Speed up takedown
            –   Preempt future attacks

           HKCERT
            –   Proactive Discovery of malicious site in Hong Kong (with limited resources)
            –   Awareness education for service providers: HKCERT organized with OGCIO
                and HKPF “ISP Symposium” in May 2009
            –   Cyber Drill: HKCERT organized with OGCIO and HKPF a cyber drill with theme
                “Combating Cyber Crime” in July 2009

           HKMA & Banks
            –   HKMA circular
            –   Banks tighten their procedure for high risk transaction and fraud detection

Page  36
   Defense against Botnet

           Botnet is malware
           3 Baseline Defense is necessary though insufficient
            – Protection from malware
                • Note browsers plugins can be malicious or weakness point
            – Personal Firewall
            – Update patches
           Server defense
            – Install minimum modules on server. Do not use it to browse Internet
            – Keep patching update
            – Protect from web attacks
                • Application Firewall
                • See SQL Injection Defence Guideline published by HKCERT

Page  37

Monitor software patch level and take prompt
 Secunia Personal Software
  – Scan for installed Windows
    software and their patch
    level, with threat level
  – Provide link to download
    available patch or

Page  38
Monitor software update

 Update Notifier
  – scanning for installed Windows software
    and display list of updates
  – verifying the software against malware
    (best effort with current AV software only,
    so it is no better than VirusTotal)

Page  39

Safe Browsers

 Browsers add anti-malware, anti-phishing features
  – IE, Mozillia, Opera; add Netcraft toolbar if you want
  – Minimize your browser and plug-ins
 Firefox and Flock browser now incorporate Google safety alert
 New browser use sandbox approach: Chrome

Page  40
Detecting Botnet
Next presentation


               S.C. Leung (梁兆昌)
Building up a Botnet

 Having the Malware to infect user machines
  – Detection evasion advancement
  – Control and update
 Getting a Channel to Deliver the Malware
  – Spam: Social Engineering                                             Waledac
  – Legitimate Web Server  redirecting users to Exploit servers         Gumblar
  – Social Network  redirecting users to Exploit servers
  – Exploit servers hosting the malware
 Exploiting vulnerabilities (Windows, browser, Office, Acrobat Reader, Adobe Flash,
  etc.) of the victim machine
 Controlling the victim PCs
  – Botnet Command and Control Centre
 Providing resilience in case of take down by law enforcement
  – Fast Flux DNS: to make the structure more dynamic
  – Disaster Recovery: find way to recover

Page  43

To top