Presentation on theme: "Botnets: Battling the Borg of the Internet Corey Nachreiner, CISSP Network Security Analyst November 2007."— Presentation transcript:
Botnets: Battling the Borg of the Internet Corey Nachreiner, CISSP Network Security Analyst November 2007
Botnets: The Borg of the Internet Alien race that forcefully assimilated others into their collective. All controlled remotely by one leader, the hive queen. One of the Enterprises biggest threats.
Why Talk About Botnets? Bot Statistics Suggest Assimilation In 2006, Microsofts Malicious Software Removal Tool (MSRT) found backdoor trojans on 62% of the 5.7 million computers it scanned. The majority of these were bots. Commtouch found, 87% of all sent over the Internet during 2006 was spam. Botnets generated 85% of that spam. Commtouchs GlobalView Reputation Service identifies between 300,000 and 500,000 newly active zombies per day, on average. ISPs rank zombies as the single largest threat facing network services and operational security*. * Worldwide Infrastructure Security Report, Arbor Networks, September 2007.
Agenda Future of Botnets Bot Powered Attacks Bot Harvesting 101 Blackhat Bot Creation What is a Botnet? Avoid Assimilation: Botnet Defense
What is a Botnet?
What is a Botnet? Botnet Lingo Defined A Botnet is a network of compromised computers under the control of a remote attacker. Botnets consist of: Botherder The attacker controlling the malicious network (also called a Botmaster). Bot A compromised computers under the Botherders control (also called zombies, or drones). Bot Client The malicious trojan installed on a compromised machine that connects it to the Botnet. Command and Control Channel (C&C) The communication channel the Botherder uses to remotely control his or her bots.
What is a Botnet? Visualizing a Botnet
What is a Botnet? The C&C Makes a Big Difference Theoretically, a botherder can use any communication or networking protocol he likes for his C&C server. Today, botherders primarily rely these three protocols for their C&C: Internet Relay Chat (IRC) Protocol Hyper-Text Transfer Protocol (HTTP) Peer-to-Peer (P2P) networking protocols.
What is a Botnet? Internet Relay Chat (IRC) Botnets Until recently, IRC-based botnets were by far the most prevalent type exploited in the wild. Benefits of IRC to botherder: Well established and understood protocol Freely available IRC server software Interactive, two-way communication Offers redundancy with linked IRC servers Most blackhats grow up using IRC.
What is a Botnet? Internet Relay Chat (IRC) Botnets (cont.) Botherders are migrating away from IRC botnets because researchers know how to track them. Drawbacks: Centralized server IRC is not that secure by default Security researchers understand IRC too. Common IRC Bots: SDBot Rbot (Rxbot) Gaobot
What is a Botnet? HTTP Botnet Diagram HTTP Post Command to C&C URL Polling Method Registration Method
What is a Botnet? HTTP Botnets Botherders are shifting to HTTP-based botnets that serve a single purpose. Benefits of HTTP to botherder: Also very robust with freely available server software HTTP acts as a covert channel for a botherders traffic Web application technologies help botherders get organized. Drawbacks: Still a Centralized server Easy for researchers to analyze. Recent HTTP Bots: Zunker (Zupacha): Spam bot BlackEnergy: DDoS bot
What is a Botnet? P2P Botnet Diagram
What is a Botnet? P2P Botnets P2P communication channels offer anonymity to botherders a and resiliency to botnets. Benefits of P2P to botherder: Decentralized; No single point of failure Botherder can send commands from any peer Security by Obscurity; There is no P2P RFC Drawbacks: Other peers can potentially take over the botnet P2P Bots: Phatbot: AOLs WASTE protocol Storm: Overnet/eDonkey P2P protocol
Blackhat Bot Creation
Blackhat Bot Creation Three Steps to Building a Bot Client The best way to understand malware is to see real world examples in action. Steps include: Find bot source code Configure and compile the source code Pack & crypt the bot client (optional)
Blackhat Bot Creation 1) Find Source Code IRC bot source code is easy to find Just Google it. Underground forums sell / trade / share IRC botnet source. HTTP botnet kits are harder to find P2P bot source is rare commodity Ill focus on recent IRC bot source code
Blackhat Bot Creation A Quick Tour of IRC Bot Source Very Organized Modular design Script kiddie ready
Blackhat Bot Creation 2) Configuring Your Bot Client
Bot Harvesting 101 From Zero to Zombie Army in Three Steps 1. Prepare your C&C Channel 2. Draft your first zombie recruit 3. Leverage that zombie to help recruit more.
Bot Harvesting 101 Preparing Your C&C "By failing to prepare you are preparing to fail." Benjamin Fanklin The Basics Install your IRC Server Make sure its settings match your bot client Join your bot channel first to gain ops. Extra Credit Modify your IRC server and channel to protect your botnet.
Bot Harvesting 101 Drafting Your First Zombie Recruit Like making your first million, drafting that first zombie victim is always the hardest. Time to dust off your l33t skills… Spam bot client attached to Seed it as a fake, P2P music download Manually exploit remote vulnerabilities Host bot client of malicious Drive-by Download site Etc…
Bot Harvesting 101 Drafting Your First Zombie Recruit DEMO: Recruiting our first victim with a Drive-by Download
Bot Harvesting 101 Leverage Your Bot to Recruit an Army It only takes one seed to start a forest. Now you have your first bot, you can leverage it to automate the attack process and recruit more victims. Some popular automated harvesting attacks include: Scan for local files shares Send malicious, booby-trapped spam SPIM Seeding fake P2P shares Hosting a malicious web sites Scanning for USB shares Automated vulnerability scanning (Massscan)
Bot Harvesting 101 Scanning for Well-Known Vulnerabilities Some common exploits in IRC bots: Windows DCOM RPC Interface buffer overflow Windows LSASS buffer overflow MS SQL Server buffer overflow Windows UPnP buffer overflow Windows Workstation service buffer overflow MS Webdav buffer overflow Windows ASN.1 integer overflow Windows Server Service (NetAPI) buffer overflow Symantec AV Remote Management buffer overflow RealVNC password bypass vulnerability Botherder can add new exploits as they come out
Bot Harvesting 101 Scanning in Action Video DEMO: What happens if a botherder named Spike leverages his first bot to scan a network of unpatched machines?
Bot Powered Attacks
Botnet Powered Attacks The Ultimate Blended Threat Botnets are like the Swiss Army knife of the malware world and botherders have many blades to choose from. You can separate a botnets many attacks into two general categories: 1. Attacks targeted toward the bot-infected victims 2. Attacks targeted toward others on the Internet
Botnet Powered Attacks Targeting Your Bots Install more malware Adware Spyware Ransomware Steal sensitive data CD Keys s and addresses Various login credentials Password storage files Any file on the victims machine Enable various network services HTTP server FTP / TFTP server Sock proxy HTTP or HTTPS proxy Man-in-the-Middle (MitM) attacks. Redirect TCP traffic Redirect GRE traffic (PPTP VPN) Gain backdoor access A: Once he has control of your computer, a botherder can do anything you can. Q: A botherder has full control of each bot machine. What can you do to them?
Botnet Powered Attacks Targeting Your Bots (cont.) Spy on victims Keylog Packet sniff Capture screenshots Capture webcam images and video Video DEMO: Spike exploits Rxbot spying techniques. (i.e. stupid script kiddie tricks)
Botnet Powered Attacks Targeting the World With full control of a massive army of machines, the only limit to a botherders attack potential is his imagination. Distributed Denial of Service (DDoS) Attacks BlueSecurity Estonia Extortion of small businesses Spamming spam SPIM Forum spam
Botnet Powered Attacks Targeting the World (cont.) Phishing Use bots as malicious phishing web servers Use bots to spam phishing s Click Fraud / Poll Manipulation ID Theft And more…
The Future of Botnets?
The Future of Botnets? Storm: A Sign of Things to Come What started as an indistinct, unimpressive worm, has grown into one of the more successful botnets ever seen. Short History: Started as basic worm Uses smart social engineering techniques Didnt appear wide-spread early on However, Storm was quietly recruiting zombie machines 230 dead as storm batters Europe.
The Future of Botnets? Storm: A Sign of Things to Come Whats futuristic about Storm: First real successful P2P Botnet Changes tactics and technology regularly, Polymorphic. Mature kernel rootkit technology Incorporates Attack back logic Uses Fast Flux DNS to hide.
The Future of Botnets? Whats Futuristic About Storm How big is the Storm botnet: Estimates range from 160,000 to 50 million? Brandon Enright says Storm is dwindling No one really knows for sure. Latest developments: Storm being segmented with 40-byte keys Neuters AV rather than killing it Sending Pump and Dump stock spam Recent Halloween ecard.
Avoid Assimilation: Botnet Defense
Avoid Assimilation: Botnet Defense Resistance is Not Futile Three categories of Botnet Defense: 1. Keeping bot clients off your network 2. Bot detection and mitigation 3. Protecting your network from external botnet attacks.
Avoid Assimilation: Botnet Defense Preventing Bot Infections Protecting your network from a botnets many attack vectors requires Defense in Depth. Use a Firewall Patch regularly and promptly Use AntiVirus (AV) software Deploy an Intrusion Prevention System (IPS) Implement application-level content filtering Define a Security Policy and share it with your users systematically USER EDUCATION IS VITAL!
Avoid Assimilation: Botnet Defense Bot Search and Destroy There is no infallible defense, so prepare for the worst. Egress filter with your firewall Egress filtering allows you to muzzle some bots by preventing them from reaching their C&C. Monitor your network traffic regularly Establish a recognized baseline Use graphically traffic monitors Ourmon is a nice free tool that can help you detect bots. Stay current with botnet evolutions.
Avoid Assimilation: Botnet Defense Surviving External Botnet Attacks Even if you succeed at keeping bot infections off your network, you still have to contend with external botnets targeting you for attack. How do you survive Distributed Denial of Service attacks? DDoS mitigation products only work so well Multiple ISP connections only help a little In the end, we need ISPs to help solve this problem. How do your survive Spam and Phishing s? Some spam blocking products well Commtouch offers a unique solution.
Avoid Assimilation: Botnet Defense Share Your Knowledge We will only defeat the ever-changing botnet threat if we come together as a security community, and share our information as far and wide as possible. Download WatchGuards free botnet educational series: FTP: ftp.watchguard.comftp.watchguard.com Login: botnetvideos Password: Fr3e_V1de0s or
References: 1)Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. Botnets: The Killer Web App. Syngress Publishing, )Brandon Enright, UCSD ACT/Network Operations. Exposing the Stormworm. Toorcon, )Dr. Jose Nazario. Botnet Tracking: Tools, Techniques, and Lessons Learned. Black Hat DC, March )Dr. Jose Nazario. Analyzing and Understanding Botnets. Arbor Networks, )Arbor Networks. Worldwide Infrastructure Security Report. September )Phillip Poras, Hassen Saidi, Vinod Yegneswaran. A Multi-perspective Analysis of the Storm (Peacomm) Worm. SRI International, October )Frank Boldewin. Peacomm.C: Cracking the nutshell. September )Andre Fucs, Augusto Paes de Barros, Victor Pereira. New Botnet Trends and Threats. Blackhat, Europe )Commtouch. Q Threats Trend Report. October )Brandon Enright, UCSD ACT/Network Operations. Exposing the Stormworm. Toorcon, )Gadi Evron. Estonia: Information Warfare and Lessons Learned. Blackhat, Las Vegas )Matthew Braverman of the Microsoft Antimalware team. Malicious Software Removal Tool: Progress Made, Trends Observed. Microsoft, November )Dr. Alan Solomon, Gadi Evron. The World of Botnets. Virus Bulletin, September )Paul Baucher, Thorsten Holz, Markkus Kotter, Georg Wicherski. Know Your Enemy: Tracking Botnets. Honeynet Project. March, 2005