
Slide 1: Top Botnets and how MAEC can help keep you out of their clutches
Robert A. Martin, Principal Engineer, MITRE Corporation
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.

Slide 2: Top 5 Bots by Class

Rank   Data Theft Bots   Spam Bots
1      Zeus              Rustock
2      Koobface          Pushdo
3      Rimecud           Grum
4      Alureon           Bobax
5      Carberp           Storm

Slide 3: Data Theft Bots - Zeus
Aliases: Zbot, Wsnpoem
Notable Attributes:
  ■ Based on widely distributed crimeware ($4000*)
  ■ Rootkit functionality
  ■ Supports dynamic web-page injection
  ■ Takes screenshots and HTML scrapes of target sites
  ■ Has ability to kill target system
Types of Data Stolen:
  ■ Trusted web site certificates (X.509 PKI)
  ■ Cached web browser passwords
  ■ Cookies
  ■ FTP and POP account credentials
  ■ Banking login credentials
Related Reading:
  ■ Security Fix: Zeus Trojan Infiltrates Bank Security Firm
  ■ Security Fix: PC Invader Costs Ky. County $415,000
*Source:

Slide 4: Data Theft Bots - Koobface
Aliases: Hiloti, Facebook.331
Notable Attributes:
  ■ Propagates through social networks (e.g. Facebook)
  ■ Uses cookies of existing sessions
  ■ Posts malicious status updates
  ■ Sends malicious messages to friends
  ■ Multi-component based
  ■ Latest variant targets Mac OS X, Linux
Types of Data Stolen:
  ■ Windows digital product IDs
  ■ Internet profile credentials
  ■ FTP credentials
  ■ IM application credentials
Related Reading:
  ■ Koobface Mac Security Threat Described
  ■ 10 things you didn't know about the Koobface gang

Slide 5: Data Theft Bots - Rimecud
Aliases: Buzus, Palevo.ann, SillyFDC, Boaxxe
Notable Attributes:
  ■ Based on crimeware kit
  ■ Propagates via IM, P2P and removable drives
  ■ Multi-component based
  ■ UDP-based C2
Types of Data Stolen:
  ■ Keystrokes
  ■ System login credentials
  ■ Stored Firefox/IE credentials
Related Reading:
  ■ US Leads in Botnet Infections
  ■ Encyclopedia entry: Worm:Win32/Rimecud.B

Slide 6: Data Theft Bots - Alureon
Aliases: Zlob, Femab, DnsChange, Tidserv, TDSS
Notable Attributes:
  ■ Rootkit functionality
  ■ Infects MBR
  ■ Supports dynamic web-page injection
  ■ Used for click fraud and other purposes
  ■ SSL-based C2
Types of Data Stolen:
  ■ URLs visited
  ■ Strings from search engine queries
Related Reading:
  ■ MS Restart Issues Are the Result of Rootkit Infection
  ■ Alureon Evolves to 64 Bit

Slide 7: Data Theft Bots - Carberp
Aliases: Agent-OZL, Zbot, IRCNite
Notable Attributes:
  ■ Rootkit functionality
  ■ Does not require admin privileges to run; also makes no changes to the registry
  ■ Supports control of HTTPS/EV-SSL traffic
  ■ Removes other malware
Types of Data Stolen:
  ■ System login credentials
  ■ Windows clipboard data
  ■ Windows product key
  ■ Banking credentials (w/SSL)
Related Reading:
  ■ Fresh Trojan Carberp Reported To Be Evolving
  ■ Carberp: Quietly replacing Zeus as the financial malware of choice

Slide 8: Spam Bots - Rustock
Aliases: Costrat, Mailbot.c!Rootkit, Meredrop, RKRustok
Notable Attributes:
  ■ Rootkit functionality
  ■ Capable of TLS encryption for sent mail
  ■ Uses encrypted HTTP for C2
  ■ Around since 2006
Estimated Spam Volume: 46 billion messages/day*
Related Reading:
  ■ Rustock botnet responsible for 40% of spam
  ■ Rustock Botnet Switches Techniques
*Source =

Slide 9: Spam Bots - Pushdo
Aliases: Cutwail, Pandex, Mutant
Notable Attributes:
  ■ Rootkit functionality
  ■ Uses encrypted HTTP for C2
Estimated Spam Volume: 8 billion messages/day*
Related Reading:
  ■ Pushdo / Cutwail - An In-depth Analysis
  ■ Insights into the Pushdo/Cutwail Infrastructure
*Source =

Slide 10: Spam Bots - Grum
Aliases: Tedroo
Notable Attributes:
  ■ Rootkit functionality
  ■ Performs DNS MX lookups to send spam
Estimated Spam Volume: 18.4 billion messages/day*
Related Reading:
  ■ 'Grum' Botnet Leads Spam Charge
  ■ Grum and Rustock botnets drive spam to new levels
*Source =

Slide 11: Spam Bots - Bobax
Aliases: Kraken, Bobic, Oderoor, Cotmonger, Hacktool.spammer
Notable Attributes:
  ■ Uses unencrypted HTTP for C2
Estimated Spam Volume: 2 billion messages/day*
Related Reading:
  ■ Kraken botnet re-emerges nodes strong
  ■ Security Fix - The Storm Worm's Family Tree
*Source =

Slide 12: Spam Bots - Storm
Aliases: Nuwar, Peacomm, Zhelatin
Notable Attributes:
  ■ Likely modified version of 'original' Storm worm from 2008
  ■ Removes P2P functionality
  ■ Rootkit functionality
Estimated Spam Volume: 2.2 billion messages/day*
Related Reading:
  ■ Infamous Storm botnet rises from the grave
  ■ A Breeze of Storm
*Source =

Slide 13: Malware Attribute Enumeration and Characterization (MAEC) & Bots

Slide 14: Why Do We Need to Develop Standards for Malware?
  ■ Multiple layers of protection
  ■ Lots of products
  ■ Inconsistent reports
  ■ There's an arms race

Slide 15: Correlate, Integrate, Automate
Areas to connect: Threats, Vulnerabilities, Detection, Response, Platforms

Slide 16: Background
  ■ Oct 2004: Initial CME discussions at VB Conference
  ■ Feb 2005: CME Submission Server
  ■ Oct 2005: CME public announcement and website
  ■ Jan: CME IDs assigned
  ■ Feb 2007: DHS SwA Forum Malware WG
  ■ Dec 2009: MAEC public website
  ■ Jun 2010: Initial MAEC Schema
Naming problem illustrated on the slide: "Nimda or I-Worm or Readme?"
[Figure: Rise of New Threats. Source: Symantec Global Internet Security Threat Report, Volume XIII, 4/2008]

Slide 17: Malware Attribute Enumeration and Characterization (MAEC)
Focus on attributes and behaviors, not intent and malware families.

Slide 18: MAEC Use Cases
  ■ Operational
  ■ Analysis
    – Help Guide Analysis Process
    – Standardized Tool Output
    – Malware Repositories

Slide 19: MAEC Overview

Slide 20: MAEC & MSM Standards
MAEC layers: Low-level Actions, Mid-level Behaviors, High-level Mechanisms
How the MSM standards attach to those layers:
  ■ CPE: the platform(s) targeted by a malware action.
  ■ CVE: the vulnerabilities targeted by a malware behavior.
  ■ CAPEC: the attack pattern(s) exhibited by a malware mechanism or behavior.
  ■ OVAL: the host-based object(s) created or modified by a malware action.
  ■ CEE: the event(s) associated with a malware action.

Slide 21: MAEC & Zeus - Host Based Detection I
Pipeline: Zeus Binary -> Malware Analysis Engine (Anubis, CWSandbox, ThreatExpert, etc.) -> Engine Output -> Sandbox-to-MAEC Translator -> Host-based Scanner

Slide 22: MAEC & Zeus - Host Based Detection II (Real World Example)
Pipeline: Zeus Binary -> Anubis Sandbox -> Anubis Output* -> Anubis-to-MAEC Translator Script -> MAEC Output -> MAEC-to-OVAL Translator Script -> OVAL Output
*http://anubis.iseclab.org/?action=result&task_id=1167a57d1aa905e949df5d5478ab23bf9

Slide 23: MAEC Schema Overview - Initial Release
Core schema types: ActionType, BehaviorType, ObjectType, …

Slide 24: MAEC & Zeus: Profiling C2
MAEC Mechanism: C2
  ■ MAEC Behavior: Get Configuration
  ■ MAEC Behavior: Beacon
  ■ MAEC Behavior: Receive Command
  ■ MAEC Behavior: Send Data

Slide 25: MAEC & Zeus C2 I
MAEC Behavior: C2 Get Configuration
  Protocol: HTTP
  Encryption Type: RC4/custom
  MAEC Action: http_get
    MAEC Object: http_connection
      Method: GET
      Parameter: /config.bin
      Response: HTTP/ OK
      Response Body:
      Response Content Length: 1212 bytes
    MAEC Object: tcp_connection
      External IP: xxx.xxx.xxx.xxx
      External Port: 80

Slide 26: MAEC & Zeus C2 II
MAEC Behavior: C2 Beacon
  Protocol: HTTP
  Encryption Type: RC4/custom
  Frequency: 1/20 minutes
  MAEC Action: http_post
    MAEC Object: http_connection
      Method: POST
      POST Data:
      Parameter: .*/gate.php
      Response: HTTP/ OK
      Response Body:
      Response Content Length: 44 bytes
    MAEC Object: tcp_connection
      External IP: xxx.xxx.xxx.xxx
      External Port: 80

Slide 27: MAEC & Zeus C2 III
MAEC Behavior: C2 Receive Command
  Protocol: HTTP
  Encryption Type: RC4/custom
  Supported Commands: reboot, kos, shutdown, bc_add, bc_del, block_url, unblock_url, block_fake, getfile, getcerts, resetgrab, upcfg, rename_bot, …
  MAEC Action: decode_http_response
    MAEC Object: http_connection
      Response Body:
      Response Content Length: > 44 bytes
    MAEC Object: tcp_connection
      External IP: xxx.xxx.xxx.xxx
      External Port: 80

Slide 28: MAEC & Zeus C2 IV
MAEC Behavior: C2 Send Data
  Protocol: HTTP
  Encryption Type: RC4/custom
  MAEC Action: http_post
    MAEC Object: http_connection
      Method: POST
      POST Data:
      Parameter: .*/gate.php
      Response: HTTP/ OK
    MAEC Object: tcp_connection
      External IP: xxx.xxx.xxx.xxx
      External Port: 80
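The C2 behaviors profiled on slides 25 through 28 are expressed entirely in fields a web proxy already logs: method, path, response length and timing. As an added example that is not part of the deck or of MAEC's own tooling, the Python below classifies constructed proxy log lines into those behaviors using the slides' criteria (GET of /config.bin, POST to .*/gate.php, a 44-byte reply for a plain beacon versus a longer one carrying a command, roughly 20-minute cadence); the log line format, the 203.0.113.5 host and the two-minute cadence tolerance are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not a real capture): "<ISO timestamp> <method> <url> <request bytes> <response bytes>".
# 203.0.113.5 is a documentation (TEST-NET-3) address standing in for the deck's "xxx.xxx.xxx.xxx".
SAMPLE_LOG = """\
2011-03-01T10:00:00 GET http://203.0.113.5/config.bin 0 1212
2011-03-01T10:00:05 POST http://203.0.113.5/gate.php 312 44
2011-03-01T10:20:06 POST http://203.0.113.5/gate.php 310 44
2011-03-01T10:40:04 POST http://203.0.113.5/gate.php 309 612
2011-03-01T10:41:00 GET http://www.example.com/index.html 0 5120
"""

LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d+) (\d+)$")
GATE_RE = re.compile(r".*/gate\.php$")  # the deck's "Parameter: .*/gate.php"
BEACON_REPLY_LEN = 44                   # "Response Content Length: 44 bytes" for a plain beacon

def classify(method, url, resp_len):
    """Map one HTTP request to the MAEC behavior named on the slides, or None."""
    path = urlparse(url).path
    if method == "GET" and path.endswith("/config.bin"):
        return "Get Configuration"          # slide 25: http_get of the RC4-encrypted config
    if method == "POST" and GATE_RE.match(path):
        if resp_len == BEACON_REPLY_LEN:
            return "Beacon"                 # slide 26: POST to gate.php, 44-byte reply
        if resp_len > BEACON_REPLY_LEN:
            return "Receive Command"        # slide 27: longer reply carries a command
    return None

def profile(log_text, period=timedelta(minutes=20), tolerance=timedelta(minutes=2)):
    """Classify every line and check whether gate.php POSTs recur at the stated ~20 minute cadence."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, method, url, _req_len, resp_len = m.groups()
        behavior = classify(method, url, int(resp_len))
        if behavior:
            events.append((datetime.fromisoformat(ts), behavior))
    # Command replies ride on the same periodic POST, so both count toward the cadence check.
    posts = [t for t, b in events if b in ("Beacon", "Receive Command")]
    gaps = [later - earlier for earlier, later in zip(posts, posts[1:])]
    periodic = bool(gaps) and all(abs(g - period) <= tolerance for g in gaps)
    return {"behaviors": [b for _, b in events], "periodic_beacon": periodic}

if __name__ == "__main__":
    print(profile(SAMPLE_LOG))
```

Path and length alone will also match unrelated traffic, so in practice the periodic_beacon flag is the stronger signal and the classification is the context that explains it.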

Slide 29: Emerging Collaboration
  ■ Related MSM Efforts
    – There is significant overlap between MAEC, CAPEC, and CEE in describing observed actions, objects, and states.
    – As such, we're working on developing a common schematic structure of observables for use in these efforts.
  ■ Others
    – Feature requests on Handshake group, discussion list
      ■ Anubis & ThreatExpert translators are being developed as a result of a user request
      ■ We encourage submission of any other such requests

Slide 30: MAEC Community: Discussion List
  ■ Request to join:
  ■ Archives available

Slide 31: MAEC Community: MAEC Development Group on Handshake
  ■ MITRE hosts a social networking collaboration environment: https://handshake.mitre.org
  ■ Supplement to mailing list to facilitate collaborative schema development

Slide 32: Future Development Plans
  ■ Expand MAEC coverage of network attributes
    – Possible focus: bots/botnets
  ■ Create RDF/OWL ontology based on MAEC schema
  ■ Revise schema to better support characterization of relationships between actions/behaviors
  ■ Implement common observables schema
    – Based on MAEC/CAPEC/CEE collaboration
  ■ Encourage and invite more participation in the development process
    – MAEC Website: http://maec.mitre.org (contains MAEC Discussion list sign-up)
    – MAEC Handshake Group

Slide 33: Summary
  ■ MAEC is attempting to address many of the issues that are integral to accurate and unambiguous communication about malware
  ■ The adoption of MAEC will facilitate new methods of correlation and automation against malware
  ■ MAEC is an open, collaborative effort. It needs expertise and input from various parties in order to be successful

