Botnets: Battling the Borg of the Internet Corey Nachreiner, CISSP Network Security Analyst November 2007 Botnets: The Borg of the Internet • Alien race that forcefully assimilated others into their collective. • All controlled remotely by one leader, the hive queen. One of the Enterprise’s biggest threats. Why Talk About Botnets? Bot Statistics Suggest Assimilation • In 2006, Microsoft’s Malicious Software Removal Tool (MSRT) found backdoor trojans on 62% of the 5.7 million computers it scanned. The majority of these were bots. • Commtouch found, 87% of all email sent over the Internet during 2006 was spam. Botnets generated 85% of that spam. • Commtouch’s GlobalView™ Reputation Service identifies between 300,000 and 500,000 newly active zombies per day, on average. • ISPs rank zombies as the single largest threat facing network services and operational security*. * Worldwide Infrastructure Security Report, Arbor Networks, September 2007. Agenda What is a Botnet? Blackhat Bot Creation Bot Harvesting 101 Bot Powered Attacks Future of Botnets Avoid Assimilation: Botnet Defense What is a Botnet? What is a Botnet? Botnet Lingo Defined A Botnet is a network of compromised computers under the control of a remote attacker. Botnets consist of: • Botherder The attacker controlling the malicious network (also called a Botmaster). • Bot A compromised computers under the Botherders control (also called zombies, or drones). • Bot Client The malicious trojan installed on a compromised machine that connects it to the Botnet. • Command and Control Channel (C&C) The communication channel the Botherder uses to remotely control his or her bots. What is a Botnet? Visualizing a Botnet What is a Botnet? The C&C Makes a Big Difference • Theoretically, a botherder can use any communication or networking protocol he likes for his C&C server. • Today, botherders primarily rely these three protocols for their C&C: • Internet Relay Chat (IRC) Protocol • Hyper-Text Transfer Protocol (HTTP) • Peer-to-Peer (P2P) networking protocols. What is a Botnet? Internet Relay Chat (IRC) Botnets Until recently, IRC-based botnets were by far the most prevalent type exploited in the wild. Benefits of IRC to botherder: • Well established and understood protocol • Freely available IRC server software • Interactive, two-way communication • Offers redundancy with linked IRC servers • Most blackhats grow up using IRC. What is a Botnet? Internet Relay Chat (IRC) Botnets (cont.) Botherders are migrating away from IRC botnets because researchers know how to track them. Drawbacks: • Centralized server • IRC is not that secure by default • Security researchers understand IRC too. Common IRC Bots: • SDBot • Rbot (Rxbot) • Gaobot What is a Botnet? HTTP Botnet Diagram HTTP Post Command to C&C URL Polling Method Registration Method What is a Botnet? HTTP Botnets Botherders are shifting to HTTP-based botnets that serve a single purpose. Benefits of HTTP to botherder: • Also very robust with freely available server software • HTTP acts as a “covert channel” for a botherder’s traffic • Web application technologies help botherders get organized. Drawbacks: • Still a Centralized server • Easy for researchers to analyze. Recent HTTP Bots: • Zunker (Zupacha): Spam bot • BlackEnergy: DDoS bot What is a Botnet? P2P Botnet Diagram What is a Botnet? P2P Botnets P2P communication channels offer anonymity to botherders a and resiliency to botnets. Benefits of P2P to botherder: • Decentralized; No single point of failure • Botherder can send commands from any peer • Security by Obscurity; There is no P2P RFC Drawbacks: • Other peers can potentially take over the botnet P2P Bots: • Phatbot: AOL’s WASTE protocol • Storm: Overnet/eDonkey P2P protocol Blackhat Bot Creation Blackhat Bot Creation Three Steps to Building a Bot Client The best way to understand malware is to see real world examples in action. Steps include: • Find bot source code • Configure and compile the source code • Pack & crypt the bot client (optional) Blackhat Bot Creation 1) Find Source Code IRC bot source code is easy to find • Just Google it. • Underground forums sell / trade / share IRC botnet source. HTTP botnet kits are harder to find P2P bot source is rare commodity I’ll focus on recent IRC bot source code Blackhat Bot Creation A Quick Tour of IRC Bot Source • Very Organized • Modular design • Script kiddie ready Blackhat Bot Creation 2) Configuring Your Bot Client Blackhat Bot Creation 3) Pack & Crypt Bot Client Bot Harvesting 101 Bot Harvesting 101 From Zero to Zombie Army in Three Steps 1. Prepare your C&C Channel 2. Draft your first zombie recruit 3. Leverage that zombie to help recruit more. Bot Harvesting 101 Preparing Your C&C "By failing to prepare you are preparing to fail." — Benjamin Fanklin The Basics • Install your IRC Server • Make sure its settings match your bot client • Join your bot channel first to gain “ops.” Extra Credit • Modify your IRC server and channel to protect your botnet. Bot Harvesting 101 Drafting Your First Zombie Recruit Like making your first million, drafting that first zombie victim is always the hardest. Time to dust off your “l33t H@x0r” skills… • Spam bot client attached to email • Seed it as a fake, P2P music download • Manually exploit remote vulnerabilities • Host bot client of malicious Drive-by Download site • Etc… Bot Harvesting 101 Drafting Your First Zombie Recruit DEMO: Recruiting our first victim with a Drive-by Download Bot Harvesting 101 Leverage Your Bot to Recruit an Army It only takes one seed to start a forest. Now you have your first bot, you can leverage it to automate the attack process and recruit more victims. Some popular automated harvesting attacks include: • Scan for local files shares • Send malicious, booby-trapped spam • SPIM • Seeding fake P2P shares • Hosting a malicious web sites • Scanning for USB shares • Automated vulnerability scanning (Massscan) Bot Harvesting 101 Scanning for Well-Known Vulnerabilities Some common exploits in IRC bots: • Windows DCOM RPC Interface buffer overflow • Windows LSASS buffer overflow • MS SQL Server buffer overflow • Windows UPnP buffer overflow • Windows Workstation service buffer overflow • MS Webdav buffer overflow • Windows ASN.1 integer overflow • Windows Server Service (NetAPI) buffer overflow • Symantec AV Remote Management buffer overflow • RealVNC password bypass vulnerability Botherder can add new exploits as they come out Bot Harvesting 101 Scanning in Action Video DEMO: What happens if a botherder named “Spike” leverages his first bot to scan a network of unpatched machines? Bot Powered Attacks Botnet Powered Attacks The Ultimate Blended Threat Botnets are like the Swiss Army knife of the malware world and botherders have many blades to choose from. You can separate a botnets many attacks into two general categories: 1. Attacks targeted toward the bot-infected victims 2. Attacks targeted toward others on the Internet Botnet Powered Attacks Targeting Your Bots Q: A botherder has full control of each bot machine. What can you do to them? • Install more malware • Enable various network services • Adware • HTTP server • Spyware • FTP / TFTP server • Ransomware • Sock proxy • Steal sensitive data • HTTP or HTTPS proxy • CD Keys • Man-in-the-Middle (MitM) attacks. • Emails and email addresses • Redirect TCP traffic • Various login credentials • Redirect GRE traffic (PPTP VPN) • Password storage files • Gain backdoor access • Any file on the victim’s machine A: Once he has control of your computer, a botherder can do anything you can. Botnet Powered Attacks Targeting Your Bots (cont.) • Spy on victims • Keylog • Packet sniff • Capture screenshots • Capture webcam images and video Video DEMO: Spike exploits Rxbot spying techniques. (i.e. stupid script kiddie tricks) Botnet Powered Attacks Targeting the World With full control of a massive army of machines, the only limit to a botherder’s attack potential is his imagination. • Distributed Denial of Service (DDoS) Attacks • BlueSecurity • Estonia • Extortion of small businesses • Spamming • Email spam • SPIM • Forum spam Botnet Powered Attacks Targeting the World (cont.) • Phishing • Use bots as malicious phishing web servers • Use bots to spam phishing emails • Click Fraud / Poll Manipulation • ID Theft • And more… The Future of Botnets? The Future of Botnets? Storm: A Sign of Things to Come What started as an indistinct, unimpressive email worm, has grown into one of the more successful botnets ever seen. Short History: • Started as basic email worm • Uses smart social engineering techniques • Didn’t appear “wide-spread” early on • However, Storm was quietly recruiting zombie machines The Future of Botnets? Storm: A Sign of Things to Come What’s futuristic about Storm: • First real successful P2P Botnet • Changes tactics and technology regularly, Polymorphic. • Mature kernel rootkit technology • Incorporates “Attack back” logic • Uses “Fast Flux DNS” to hide. The Future of Botnets? What’s Futuristic About Storm How big is the Storm botnet: • Estimates range from 160,000 to 50 million? • Brandon Enright says Storm is dwindling • No one really knows for sure. Latest developments: • Storm being segmented with 40-byte keys • Neuters AV rather than killing it • Sending Pump and Dump stock spam • Recent Halloween ecard. Avoid Assimilation: Botnet Defense Avoid Assimilation: Botnet Defense Resistance is Not Futile Three categories of Botnet Defense: 1. Keeping bot clients off your network 2. Bot detection and mitigation 3. Protecting your network from external botnet attacks. Avoid Assimilation: Botnet Defense Preventing Bot Infections Protecting your network from a botnet’s many attack vectors requires “Defense in Depth.” • Use a Firewall • Patch regularly and promptly • Use AntiVirus (AV) software • Deploy an Intrusion Prevention System (IPS) • Implement application-level content filtering • Define a Security Policy and share it with your users systematically USER EDUCATION IS VITAL! Avoid Assimilation: Botnet Defense Bot Search and Destroy There is no infallible defense, so prepare for the worst. • Egress filter with your firewall Egress filtering allows you to muzzle some bots by preventing them from reaching their C&C. • Monitor your network traffic regularly • Establish a recognized baseline • Use graphically traffic monitors • “Ourmon” is a nice free tool that can help you detect bots. • Stay current with botnet evolutions. Avoid Assimilation: Botnet Defense Surviving External Botnet Attacks Even if you succeed at keeping bot infections off your network, you still have to contend with external botnets targeting you for attack. How do you survive Distributed Denial of Service attacks? • DDoS mitigation products only work so well • Multiple ISP connections only help a little • In the end, we need ISPs to help solve this problem. How do your survive Spam and Phishing emails? • Some spam blocking products well • Commtouch offers a unique solution. Avoid Assimilation: Botnet Defense Share Your Knowledge We will only defeat the ever-changing botnet threat if we come together as a security community, and share our information as far and wide as possible. Download WatchGuard’s free botnet educational series: FTP: ftp.watchguard.com Login: botnetvideos Password: Fr3e_V1de0s or FTP://botnetvideos:Fr3e_V1de0s@ftp.watchguard.com References: 1) Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. Botnets: The Killer Web App. Syngress Publishing, 2007. 2) Brandon Enright, UCSD ACT/Network Operations. Exposing the Stormworm. Toorcon, 2007 3) Dr. Jose Nazario. Botnet Tracking: Tools, Techniques, and Lessons Learned. Black Hat DC, March 2007. 4) Dr. Jose Nazario. Analyzing and Understanding Botnets. Arbor Networks, 2007. 5) Arbor Networks. Worldwide Infrastructure Security Report. September 2007. 6) Phillip Poras, Hassen Saidi, Vinod Yegneswaran. A Multi-perspective Analysis of the Storm (Peacomm) Worm. SRI International, October 2007. 7) Frank Boldewin. Peacomm.C: Cracking the nutshell. September 2007. 8) Andre Fucs, Augusto Paes de Barros, Victor Pereira. New Botnet Trends and Threats. Blackhat, Europe 2007. 9) Commtouch. Q3 2007 Email Threats Trend Report. October 2007. 10) Brandon Enright, UCSD ACT/Network Operations. Exposing the Stormworm. Toorcon, 2007 11) Gadi Evron. Estonia: Information Warfare and Lessons Learned. Blackhat, Las Vegas 2007. 12) Matthew Braverman of the Microsoft Antimalware team. Malicious Software Removal Tool: Progress Made, Trends Observed. Microsoft, November 2006. 13) Dr. Alan Solomon, Gadi Evron. The World of Botnets. Virus Bulletin, September 2006. 14) Paul Baucher, Thorsten Holz, Markkus Kotter, Georg Wicherski. Know Your Enemy: Tracking Botnets. Honeynet Project. March, 2005 Q&A… Thank You!
Pages to are hidden for
"Botnets-Battling the Borg if the Internet"Please download to view full document