Botnets-Battling the Borg if the Internet by niusheng11


									Botnets: Battling the
Borg of the Internet

   Corey Nachreiner, CISSP
   Network Security Analyst
       November 2007
Botnets: The Borg of the Internet

                      •   Alien race that forcefully
                          assimilated others into
                          their collective.
                      •   All controlled remotely by
                          one leader, the hive

                      One of the Enterprise’s
                        biggest threats.
Why Talk About Botnets?
Bot Statistics Suggest Assimilation

•   In 2006, Microsoft’s Malicious Software Removal Tool (MSRT) found
    backdoor trojans on 62% of the 5.7 million computers it scanned. The
    majority of these were bots.
•   Commtouch found, 87% of all email sent over the Internet during 2006 was
    spam. Botnets generated 85% of that spam.
•   Commtouch’s GlobalView™ Reputation Service identifies between 300,000
    and 500,000 newly active zombies per day, on average.
•   ISPs rank zombies as the single largest threat facing network services and
    operational security*.
                             * Worldwide Infrastructure Security Report, Arbor Networks, September 2007.

 What is a Botnet?

 Blackhat Bot Creation

 Bot Harvesting 101

 Bot Powered Attacks

 Future of Botnets

Avoid Assimilation: Botnet Defense
What is a Botnet?
    What is a Botnet?
    Botnet Lingo Defined

A Botnet is a network of compromised computers under the
control of a remote attacker. Botnets consist of:

•   Botherder
    The attacker controlling the malicious network (also called a Botmaster).
•   Bot
    A compromised computers under the Botherders control (also called
    zombies, or drones).
•   Bot Client
    The malicious trojan installed on a compromised machine that connects it to
    the Botnet.
•   Command and Control Channel (C&C)
    The communication channel the Botherder uses to remotely control his or
    her bots.
What is a Botnet?
Visualizing a Botnet
What is a Botnet?
The C&C Makes a Big Difference

•   Theoretically, a botherder can use any communication or networking protocol
    he likes for his C&C server.
•   Today, botherders primarily rely these three protocols for their C&C:
    •   Internet Relay Chat (IRC) Protocol
    •   Hyper-Text Transfer Protocol (HTTP)
    •   Peer-to-Peer (P2P) networking protocols.
    What is a Botnet?
    Internet Relay Chat (IRC) Botnets

Until recently, IRC-based botnets were by far the most prevalent
type exploited in the wild.

Benefits of IRC to botherder:
•    Well established and understood protocol
•    Freely available IRC server software
•    Interactive, two-way communication
•    Offers redundancy with linked IRC servers
•    Most blackhats grow up using IRC.
    What is a Botnet?
    Internet Relay Chat (IRC) Botnets (cont.)

Botherders are migrating away from IRC botnets because
researchers know how to track them.

•    Centralized server
•    IRC is not that secure by default
•    Security researchers understand IRC too.

Common IRC Bots:
•    SDBot
•    Rbot (Rxbot)
•    Gaobot
   What is a Botnet?
   HTTP Botnet Diagram

   HTTP Post Command
      to C&C URL

  Polling Method
Registration Method
    What is a Botnet?
    HTTP Botnets

Botherders are shifting to HTTP-based botnets that serve a
single purpose.

Benefits of HTTP to botherder:
•   Also very robust with freely available server software
•   HTTP acts as a “covert channel” for a botherder’s traffic
•   Web application technologies help botherders get organized.
•   Still a Centralized server
•   Easy for researchers to analyze.
Recent HTTP Bots:
•   Zunker (Zupacha): Spam bot
•   BlackEnergy: DDoS bot
What is a Botnet?
P2P Botnet Diagram
    What is a Botnet?
    P2P Botnets

P2P communication channels offer anonymity to botherders a
and resiliency to botnets.

Benefits of P2P to botherder:
•   Decentralized; No single point of failure
•   Botherder can send commands from any peer
•   Security by Obscurity; There is no P2P RFC
•   Other peers can potentially take over the botnet
P2P Bots:
•   Phatbot: AOL’s WASTE protocol
•   Storm: Overnet/eDonkey P2P protocol
Blackhat Bot
 Blackhat Bot Creation
 Three Steps to Building a Bot Client

The best way to understand malware is to see real world
examples in action.

Steps include:
• Find bot source code
• Configure and compile the source code
• Pack & crypt the bot client (optional)
Blackhat Bot Creation
1) Find Source Code

IRC bot source code is easy to find
•   Just Google it. 
•   Underground forums sell / trade / share IRC botnet source.

HTTP botnet kits are harder to find

P2P bot source is rare commodity

       I’ll focus on recent IRC bot source code
Blackhat Bot Creation
A Quick Tour of IRC Bot Source

                                 •   Very Organized

                                 •   Modular design

                                 •   Script kiddie
Blackhat Bot Creation
2) Configuring Your Bot Client
Blackhat Bot Creation
3) Pack & Crypt Bot Client
Bot Harvesting 101
 Bot Harvesting 101
 From Zero to Zombie Army in Three Steps

1. Prepare your C&C Channel
2. Draft your first zombie recruit
3. Leverage that zombie to help recruit more.
  Bot Harvesting 101
  Preparing Your C&C

"By failing to prepare you are preparing to fail."
                                                 — Benjamin Fanklin
The Basics
  • Install your IRC Server
  • Make sure its settings match your bot client
  • Join your bot channel first to gain “ops.”
Extra Credit
   • Modify your IRC server and channel to protect your botnet.
Bot Harvesting 101
Drafting Your First Zombie Recruit

Like making your first million, drafting that first zombie victim is
   always the hardest.

Time to dust off your “l33t H@x0r” skills…
   • Spam bot client attached to email
   • Seed it as a fake, P2P music download
   • Manually exploit remote vulnerabilities
   • Host bot client of malicious Drive-by Download site
   • Etc…
Bot Harvesting 101
Drafting Your First Zombie Recruit

           DEMO: Recruiting our first victim
             with a Drive-by Download
  Bot Harvesting 101
  Leverage Your Bot to Recruit an Army

It only takes one seed to start a forest.

Now you have your first bot, you can leverage it to automate the attack
process and recruit more victims. Some popular automated harvesting
attacks include:
   • Scan for local files shares
   • Send malicious, booby-trapped spam
   • SPIM
   • Seeding fake P2P shares
   • Hosting a malicious web sites
   • Scanning for USB shares
   • Automated vulnerability scanning (Massscan)
 Bot Harvesting 101
 Scanning for Well-Known Vulnerabilities

Some common exploits in IRC bots:
  • Windows DCOM RPC Interface buffer overflow
  • Windows LSASS buffer overflow
  • MS SQL Server buffer overflow
  • Windows UPnP buffer overflow
  • Windows Workstation service buffer overflow
  • MS Webdav buffer overflow
  • Windows ASN.1 integer overflow
  • Windows Server Service (NetAPI) buffer overflow
  • Symantec AV Remote Management buffer overflow
  • RealVNC password bypass vulnerability
  Botherder can add new exploits as they come out
Bot Harvesting 101
Scanning in Action

   Video DEMO:
      What happens if a botherder named “Spike” leverages his first bot to
      scan a network of unpatched machines?
Bot Powered
  Botnet Powered Attacks
  The Ultimate Blended Threat

Botnets are like the Swiss Army knife of the malware world and
botherders have many blades to choose from.

You can separate a botnets many attacks into two general categories:

   1. Attacks targeted toward the bot-infected victims
   2. Attacks targeted toward others on the Internet
Botnet Powered Attacks
Targeting Your Bots
    Q: A botherder has full control of each bot machine.
    What can you do to them?

•    Install more malware                   •   Enable various network services
     • Adware                                   •   HTTP server
     • Spyware                                  •   FTP / TFTP server
     • Ransomware                               •   Sock proxy
•    Steal sensitive data                       •   HTTP or HTTPS proxy
     •   CD Keys                            •   Man-in-the-Middle (MitM) attacks.
     •   Emails and email addresses             •   Redirect TCP traffic
     •   Various login credentials              •   Redirect GRE traffic (PPTP VPN)
     •   Password storage files             •   Gain backdoor access
     •   Any file on the victim’s machine

A: Once he has control of your computer, a
botherder can do anything you can.
Botnet Powered Attacks
Targeting Your Bots (cont.)

•   Spy on victims
    • Keylog
    • Packet sniff
    • Capture screenshots
    • Capture webcam images and video

    Video DEMO:
       Spike exploits Rxbot spying techniques.
       (i.e. stupid script kiddie tricks)
    Botnet Powered Attacks
    Targeting the World
With full control of a massive army of machines, the only limit to
a botherder’s attack potential is his imagination.

•   Distributed Denial of Service (DDoS) Attacks
    •   BlueSecurity
    •   Estonia
    •   Extortion of small businesses
•   Spamming
    •   Email spam
    •   SPIM
    •   Forum spam
Botnet Powered Attacks
Targeting the World (cont.)

•   Phishing
    •   Use bots as malicious phishing web servers
    •   Use bots to spam phishing emails
•   Click Fraud / Poll Manipulation
•   ID Theft
•   And more…
The Future of
    The Future of Botnets?
    Storm: A Sign of Things to Come

What started as an indistinct, unimpressive email worm,
has grown into one of the more successful botnets ever

Short History:
•    Started as basic email worm
•    Uses smart social engineering techniques
•    Didn’t appear “wide-spread” early on
•    However, Storm was quietly recruiting zombie machines
The Future of Botnets?
Storm: A Sign of Things to Come

What’s futuristic about Storm:
•   First real successful P2P Botnet
•   Changes tactics and technology regularly, Polymorphic.
•   Mature kernel rootkit technology
•   Incorporates “Attack back” logic
•   Uses “Fast Flux DNS” to hide.
    The Future of Botnets?
    What’s Futuristic About Storm

How big is the Storm botnet:
•   Estimates range from 160,000 to 50 million?
•   Brandon Enright says Storm is dwindling
•   No one really knows for sure.

Latest developments:
•   Storm being segmented with 40-byte keys
•   Neuters AV rather than killing it
•   Sending Pump and Dump stock spam
•   Recent Halloween ecard.
Avoid Assimilation:
 Botnet Defense
 Avoid Assimilation: Botnet Defense
 Resistance is Not Futile

Three categories of Botnet Defense:

   1. Keeping bot clients off your network
   2. Bot detection and mitigation
   3. Protecting your network from external botnet attacks.
    Avoid Assimilation: Botnet Defense
    Preventing Bot Infections

Protecting your network from a botnet’s many attack vectors
requires “Defense in Depth.”

•    Use a Firewall
•    Patch regularly and promptly
•    Use AntiVirus (AV) software
•    Deploy an Intrusion Prevention System (IPS)
•    Implement application-level content filtering
•    Define a Security Policy and share it with your users systematically

    Avoid Assimilation: Botnet Defense
    Bot Search and Destroy

There is no infallible defense, so prepare for the worst.

•    Egress filter with your firewall
     Egress filtering allows you to muzzle some bots by preventing them from
     reaching their C&C.
•    Monitor your network traffic regularly
     •   Establish a recognized baseline
     •   Use graphically traffic monitors
     •   “Ourmon” is a nice free tool that can help you detect bots.
•    Stay current with botnet evolutions.
  Avoid Assimilation: Botnet Defense
  Surviving External Botnet Attacks

Even if you succeed at keeping bot infections off your network,
you still have to contend with external botnets targeting you for

How do you survive Distributed Denial of Service attacks?
   •   DDoS mitigation products only work so well
   •   Multiple ISP connections only help a little
   •   In the end, we need ISPs to help solve this problem.

How do your survive Spam and Phishing emails?
   •   Some spam blocking products well
       •   Commtouch offers a unique solution.
 Avoid Assimilation: Botnet Defense
 Share Your Knowledge

We will only defeat the ever-changing botnet threat if we come
together as a security community, and share our information as
far and wide as possible.

Download WatchGuard’s free botnet educational series:

Login: botnetvideos
Password: Fr3e_V1de0s
1)    Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems,
      Michael Cross. Botnets: The Killer Web App. Syngress Publishing, 2007.
2)    Brandon Enright, UCSD ACT/Network Operations. Exposing the Stormworm. Toorcon, 2007
3)    Dr. Jose Nazario. Botnet Tracking: Tools, Techniques, and Lessons Learned. Black Hat
      DC, March 2007.
4)    Dr. Jose Nazario. Analyzing and Understanding Botnets. Arbor Networks, 2007.
5)    Arbor Networks. Worldwide Infrastructure Security Report. September 2007.
6)    Phillip Poras, Hassen Saidi, Vinod Yegneswaran. A Multi-perspective Analysis of the Storm
      (Peacomm) Worm. SRI International, October 2007.
7)    Frank Boldewin. Peacomm.C: Cracking the nutshell. September 2007.
8)    Andre Fucs, Augusto Paes de Barros, Victor Pereira. New Botnet Trends and Threats.
      Blackhat, Europe 2007.
9)    Commtouch. Q3 2007 Email Threats Trend Report. October 2007.
10)   Brandon Enright, UCSD ACT/Network Operations. Exposing the Stormworm. Toorcon, 2007
11)   Gadi Evron. Estonia: Information Warfare and Lessons Learned. Blackhat, Las Vegas 2007.
12)   Matthew Braverman of the Microsoft Antimalware team. Malicious Software Removal Tool:
      Progress Made, Trends Observed. Microsoft, November 2006.
13)   Dr. Alan Solomon, Gadi Evron. The World of Botnets. Virus Bulletin, September 2006.
14)   Paul Baucher, Thorsten Holz, Markkus Kotter, Georg Wicherski. Know Your Enemy: Tracking
      Botnets. Honeynet Project. March, 2005
Thank You!

To top