Botconomics – Mastering the Underground Economy of Botnets
LACNIC, May 2008
Kleber Carriello de Oliveira, Consulting Engineer, Arbor Networks
Page 2 - Company Confidential
Agenda
– Malware, Botnets & DDoS
– An Underground Economy: Botconomics
– Questions & Answers
Page 3 - What's in a Denial of Service (DoS) Attack?
Annotated flow record of one attack (source: ISC):
– Duration: about an hour and 15 minutes
– Misuse type: Null TCP
– IP protocol 6 (TCP), no flags set (Null TCP)
– Source 0.0.0.0/0: very well distributed or source-spoofed IPs
– Source ports 0-65535: very well distributed
– Destination xx.xx.X.X/32: surprise, an undernet IRC server…
– Destination port 6667: IRC
Page 4 - Threat Time Line: NBA is Another Layer of Defense
Timeline diagram (events along the time axis): discover vulnerability, zero-day exploit, advisory, AV/IDS available, patch, new version, variant released, reverse engineer / new exploit. Defense layers shown: patch management, network admission, and Network Behavioral Analysis with Peakflow X.
Page 5 - Anti-Virus and IDS Detection Rates
– Projected that between 75k and 250k new malware families or variants were released in 2006 (one released every 1-3 minutes)
– Some samples still not detected a year after collection of the malware
– Almost half the samples in the small dataset undetected, and one quarter in the large dataset
– AV fails to detect malware between 20% and 62% of the time!
Source: Internet Malware Classification and Analysis; University of Michigan & Arbor Networks, Inc., 2007
Page 6 - Though Necessary, AV Performance Poor
– Research puts most AV performance very low
  – ~38 AV products (open source & commercial)
  – Average 28-32% hit rate on newer threats
  – AV vendors change heuristics to improve results, but that raises the false-positive rate
– Why? Signature 1: 1000100010011111; new variant: 1000100010010001 - no AV match
  – Minor obfuscation techniques
  – Packers
  – Polymorphic; e.g., recompile
– Getting better; more behavior-based functions, less static file analysis
– Behavior-based solutions augment AV:
  – Cisco CSA, Sana Security host behavior (file, process, network state)
  – NBA, Network Behavioral Analysis coupled with threat feeds (e.g., Arbor's ATF & Peakflow X)
Page 7 - Bots: Putting the (D) in (D)DoS
Got bot?
– A bot is a servant process on a compromised system (unbeknownst to the owner), usually installed by a Trojan or worm.
– It communicates with a handler or controller via public IRC servers or other compromised systems.
– A botmaster or botherder commands bots to perform any of a number of different functions.
– The system of bots and controller(s) is referred to as a botnet or zombie network.
Page 8 - Anatomy of a DDoS Attack
Diagram: an Internet backbone connecting UK broadband, US corporate, US broadband and JP corporate networks, a provider, and the target ("The Peaceful Village"), with bots (B), the botnet master (BM) and the C&C. Steps: systems become infected; bots connect to a C&C to create an overlay network (botnet); the controller connects; the botnet master issues the attack command; bots attack; bye bye!
Page 9 - Anatomy of Botnet Construction
– Exploit vector (e.g., TCP/135)
– Second stage functions (e.g., TFTP, FTP, HTTP) to download bot software, C&C instructions
– Bot is executed, connected to C&C infrastructure – often IRC, identified by DNS
  – Bot connects to channel (e.g., USA|743634) of C&C
  – Passwords often required
  – C&C often employs encryption, anti-cloaking techniques
Page 10 - Malware Delivery
– Traditionally, worms with a self-propagation vector, not a remote control function
– Last real virus - Melissa; 1999
– Today email and other application-level functions are laden with Trojans
– Now delivered via web sites - drive-by installs
  – Projected 1 in 10 web sites hosts malicious content
  – Web-based delivery means outpacing email, viruses, etc.
  – Example: Dolphin Stadium web site compromised to host malicious content just before the Super Bowl in early 2007
  – iframe functions popular today
– Interesting read: The Ghost in the Browser – http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf
– Clever new attacks include multi-layer attacks:
  – Compromise
  – Grab proxy IP; arpspoof, proxy
  – iframe insertion, local malware delivery, etc.
Page 11 - Engineering Malware: disable updates, speed tests..
– Upon compromise, perform browser-esque speed tests to a fixed list of well-connected web sites (carriers, hosting providers, universities) using the User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; WIN NT 5.1; Hotbar 22.214.171.124"
– Engineer around current AV DBs
– Disable auto-update functions
– Evaluate connectedness of asset
– Employ
Page 12 - Sophisticated Botnet Management & Statistics
Screenshots: graphical user interface; performance statistics
Page 13 - Reflective Amplification Attacks
Diagram: the attacker (a) sends a query to the resolver (r) carrying the source address of the victim (v); the resolver's response goes to v.
– Source IP of the victim (v) is spoofed when the query is sent to the resolver; the resolver receives it and responds to v
– 55-byte query elicits 4200-byte response
– A botnet with as few as 20 DSL-connected homes (1 Mbps upstream each) can generate 1.5 Gbps of attack traffic with DNS reflective amplification attack vectors such as those employed for the root server attacks in early 2006 (1:76 amplification factor)
– Most enterprises have little more than 155 Mbps Internet connectivity
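To turn the figures above into something an operator can act on, here is an added example (not from the slides or Arbor's products) that carries the slide's amplification arithmetic through and flags reflected DNS traffic in NetFlow-style records; the record layout, thresholds and sample flows are assumptions.

```python
"""Flag DNS reflection/amplification traffic in NetFlow-style records.

Added example, not from the slides: the record layout, thresholds and the
sample flows below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source IP of the flow (for reflected traffic, the resolver)
    sport: int
    dst: str        # destination IP (the victim whose address was spoofed)
    dport: int
    proto: str      # "udp" or "tcp"
    packets: int
    octets: int
    seconds: float  # flow duration


def amplification_factor(query_bytes, response_bytes):
    """Bytes reflected per byte sent: 55-byte query vs 4200-byte response is ~1:76."""
    return response_bytes / query_bytes


def attack_gbps(homes, upstream_mbps, factor):
    """Aggregate attack bandwidth when each home's upstream is multiplied by the factor."""
    return homes * upstream_mbps * factor / 1000.0


def reflection_suspects(flows, min_bytes_per_packet=1000, min_resolvers=3, min_mbps=100.0):
    """Group UDP flows sourced from port 53 by destination and flag victims that
    receive oversized DNS answers from many distinct resolvers at a high rate."""
    per_victim = defaultdict(lambda: {"resolvers": set(), "octets": 0,
                                      "packets": 0, "seconds": 0.0})
    for f in flows:
        if f.proto != "udp" or f.sport != 53:
            continue
        if f.octets / max(f.packets, 1) < min_bytes_per_packet:
            continue  # ordinary-sized answers are left alone
        v = per_victim[f.dst]
        v["resolvers"].add(f.src)
        v["octets"] += f.octets
        v["packets"] += f.packets
        v["seconds"] = max(v["seconds"], f.seconds)
    suspects = {}
    for victim, v in per_victim.items():
        mbps = v["octets"] * 8 / max(v["seconds"], 1e-9) / 1e6
        if len(v["resolvers"]) >= min_resolvers and mbps >= min_mbps:
            suspects[victim] = {"resolvers": len(v["resolvers"]),
                                "mbps": round(mbps, 1),
                                "avg_bytes_per_packet": v["octets"] // v["packets"]}
    return suspects


# Constructed sample: five open resolvers each reflect 4200-byte answers at the
# victim for 10 s (about 176 Mbps in total); one resolver answers a client normally.
SAMPLE_FLOWS = [
    Flow(f"198.51.100.{i}", 53, "203.0.113.10", 1024 + i, "udp", 10_500, 44_100_000, 10.0)
    for i in range(1, 6)
] + [Flow("192.0.2.53", 53, "203.0.113.20", 40_000, "udp", 300, 30_000, 10.0)]

if __name__ == "__main__":
    print(f"1:{amplification_factor(55, 4200):.0f} amplification, "
          f"{attack_gbps(20, 1, 76):.2f} Gbps from 20 homes")
    print(reflection_suspects(SAMPLE_FLOWS))
```

The same grouping works on exported flow data from a border router; the per-victim resolver count is what separates a reflection attack from one busy resolver.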
Page 14 - Application of Anti-Spoofing Measures
– Still not ubiquitous deployment - far from it (hence the effectiveness of reflective attacks)
– Largest deployment burdens:
  – hardware support
  – configuration management
  – authoritative IP ownership repository
– Loose-mode RPF likely creates a false sense of protection
– Should assume a slightly more clueful respondent pool than in general, so actual numbers are likely lower
Page 15 - Attack Scale Still Increasing Considerably
– Proliferation of broadband connectivity
– Increased virulence of attack vectors
– Sophistication of bot management software
Chart notes:
– 01 - 03 data projections based on public and private information regarding prominent attacks
– Largest attacks (22 & 24 Gbps) reported by a large content provider and hosting providers
– Both >20 Gbps attacks reported to have been DNS reflective amplification attacks
– Most backbone link speeds have 10G maximum capacity today
Page 16 - DDoS Attacks: Taking Advantage of Our Broadband
Diagram: ISP A (T1 customers behind an aggregation router, T1 uplink) and ISP n connect to a transit ISP that serves the target over GE. A 512k attack from each source adds up to a 3 Mbps DDoS - a teeny tiny attack - well, to the transit ISP, not to ISP A. Target gone; collateral damage; much BIGGER attack.
– Botnets take advantage of our unlimited broadband pipes and PCs for amplification attacks and brute-force flooding attacks
– ISPs are taken offline in the process of trying to mitigate these attacks
Page 17 - DNS Attacks - When & What?
Timeline markers: Oct 2002, Nov 2002, Jun 2004, Oct 2004, Nov 2004, Jan-Feb 2006, Nov 2006, Feb 2007
Root servers attacked (Oct 2002)
– Duration: 1 hour
– Multi-modal: smurf, ICMP, port 53
– 7 root servers appear unreachable
– Impact: no noticeable user effect
UltraDNS TLD servers attacked
– Duration: 24 hours+
– ICMP 0,8 and then port
– Easily filtered -- uses pure volume of packets to disable
– Results in 2-way traffic load
– Impact: no noticeable user effect
Akamai attacked (Jun 2004)
– Duration: 4 hours
– No mitigation possible
– Port 53, UDP, valid queries
– Multi-millions of queries per second
– Impact: global impact
DDoS for hire (extortion)
– The golden age for worms/trojans
– The perfect DNS DDoS in the wild
– No protocol-based defense or mitigation
– Attack on bandwidth, not applications or servers - 11 Gbps+
– Impact: significant collateral damage
January-February 2006: .com, .net (Verisign), .org (UltraDNS)
– Utilized open recursive servers
– Average attack 7-10 Gbps
– TLD operators have no successful defense
– Impact: considerable user impact
Nov 2006: UUNet attack - 2nd level DNS
– UDP/53, auth servers for bank.foo
– Spoofed source IPs - 800 Kpps
– Impact: end-user/customer
– Mitigated with Cisco Guard-XT
– Collateral damage: 2x .gov & 2 7206s in network path
Feb 2007: G, L & M root servers, other TLDs (UltraDNS)?
– Utilized large bogus DNS UDP queries from many bots
– Aggregate attacks 10 Gbps+
– Mitigate: special hardware
– Impact: 90% traffic dropped, localized user impact
Root & TLD attacks in summary: spoofed source IPs, large bogus queries, 10+ Gbps, regionalized user impact
Page 18 - Botconomics
Amalgamation:: botnets && economics == botconomics
Botconomics: it's all about the $$$$
Page 19 - Three Tiers of Cyber Criminals
– Script kiddies: political/ego-driven; improve halo reputation
– Organized crime: economically motivated - all about the $$$
– Cyber terrorism: cyber espionage; asymmetric warfare
Page 20 - An Underground Economy: Botconomics
– Religious, political: Estonia; Denmark cartoon rage
– Ego-driven (gaming, IRC)
– Extortion (Super Bowl, World Cup - can your bookie afford to be offline?)
– $2B US each - $48B market
– Player SLAs
– Lift email, targeted spam, spear phishing (>90% of spam through bots)
Page 21 - Botconomics: Botnets are a business worth protecting
– Jersey Joe (2005) http://tinyurl.com/2yoyfd
– What's easier: one wallet in the subway or 100 credit cards online?
– CC forums
– Lift CD keys
  – Used to build cheap systems; can't patch -> quickly compromised
– Is that webcam running?
  – Rbots use still cameras or webcams to capture video and still images(!) and transmit them to a drop site
– Bogus e-file sites - proxy the transaction, switch direct deposit bank account numbers - could be into a stolen account to extract via wire transfer, ATM transaction, etc.
– Miscreants likely patch more systems than typical end users, thanks to automation
Page 22 - Botconomics: Identity Theft & Fraud
Global organized crime
How many people here:
– Have ever bought anything online?
– Bank online?
– Have a credit card?
– Have a mortgage or pay rent?
– Were in the military?
– Have ever been to a medical office?
If you said yes to any of the above, you're at risk.
Full creds - but who'd be dumb enough to fill this out? "Hey Kleber, quick question for you. IF…..??"
Page 23 - Botconomics: It doesn't matter if you don't use your credit card online!
– The databases that contain all your in-person credit card transactions are where the money is. Hits close to home.
– But what do you do with 46 million stolen credit card data sets? Need to monetize:
  – Sell them - individual, bundle, wholesale
  – Use them to buy stuff online (e.g., movietickets.com)
  – CC forums - brokerage houses, printed cards..
  – Buy stuff
  – Get cash advances
Item – Advertised price (US $)
– US-based credit card with card verification value – $1 - $6
– UK-based credit card with card verification value – $2 - $12
– List of 29,000 emails – $5
– Online banking account with a $9,900 balance – $300
– Yahoo Mail cookie exploit (facilitates full access when successful) – $3
– Valid Yahoo and Hotmail email cookies – $3
– Compromised computer – $6 - $20
– Phishing web site hosting, per site – $3 - $5
– Verified PayPal account with balance (balance varies) – $50 - $500
– Unverified PayPal account with balance (balance varies) – $10 - $50
– Skype account – $12
– World of Warcraft account, one month duration – $10
Source: Symantec Internet Security Threat Report - March 2007
Page 24 - Botconomics: Increase in Sophistication and Marketing
– Key loggers – gotta get those full creds
– Drop sites
– Click fraud
– Bot trading & marketing
  – .net - $.05
  – .gov - $1.00
  – nasa.gov - $.05
– Better marketing by the botherders
  – Excellent ping & uptime
  – Rotating IP addresses
  – Different ISPs
  – Intuitive user interface
  – SLAs - 100 percent uptime guarantee!
Page 26 - From Arbor's blog (screenshot)
Page 27 - The Phish….
– Build the phishing site, host it on a bot; perhaps proxy the actual site
– Spam the phish message - perhaps targeted (spear) - "Go to: https://online.wellsfargo.com/signon/"
– Throw the spoils on a couple of drop sites - more bots
– Use the spoils to transfer money directly, to transfer money internationally, etc.
Page 28 - Where's the Money Going?
Funding an online dating service for al-Qaeda?
"investigators say they found some 37,000 stolen credit card numbers. Alongside each credit card record was other information on the ID theft victims, such as the account holder's address, date of birth, credit balances and limits... jihadists might need for their battle against the American and allied forces in Iraq, including global positioning satellite (GPS) devices, night-vision goggles, sleeping bags, telephones, survival knives and tents."
Page 29 - Operation Spamalot
Apparel Manufacturing Associates, Inc. (APPM): On Friday, Dec. 15, 2006, shares in Apparel Manufacturing Associates, Inc. (APPM) closed at $.06, with a trading volume of 3,500 shares. After a weekend spam campaign distributed emails proclaiming, "Huge news expected out on APPM, get in before the wire, We're taking it all the way to $1.00," trading volume on Monday, Dec. 18, 2006, hit 484,568 shares with the price spiking to over 19 cents a share. Two days later the price climbed to $.45. By Dec. 27, 2006, the price was back down to $.10 on trading volume of 65,350 shares.
Goldmark Industries, Inc. (GDKI): On Dec. 19, 2006, trading in Goldmark Industries, Inc. (GDKI), closed at $.17 on trading volume of 126,286 shares. On Dec. 20, 2006, the spam campaign started, with e-mail proclaiming "GDKI IS MAKING EVERYONE BANK!," and setting a 5-day price target of $2. By Dec. 28, 2006, spam emails boasted of the price spike that had already been achieved -- "$.28 (Up 152% in 2 days!!!)" -- and promised a 5-day price target of $1. That same day, GDKI closed at $.35 on a volume of more than 5 million shares. By January 9, 2007, the closing share price was back down to $.15.
Attack vector?
Page 30 - Good News?
– The financial losses are at a point where industry must invest - obvious from financials to LEOs
– Discernible uptick in activity
Chart: cyber crime losses (US $ billions) over time against traditional fraud (~$20B US), with a factored losses / tolerance threshold line.
Page 31 - Arbor's Worldwide Infrastructure Security Report
Demographics: 70 self-classified tier-1, tier-2, and hybrid IP network operators in North America, Europe & Asia
Key findings:
– Most significant operational threats are: #1 botnets, #2 DDoS
– Frequency, size and complexity of attacks are growing
  – 22 & 24 Gbps attacks reported
  – More application layer attacks
– ISPs finish the job
– DDoS managed services activity grows 800%
– Less than 2% reported to law enforcement
Page 32 - DDoS Mitigation Techniques
Detection without mitigation - hrmm…
– Good & bad news
  – Bad: SPs still effectively complete the attack themselves (to protect network availability)
  – Good: more mitigation solution deployment (scrubbing - Arbor TMS, flow spec, etc.) and service offerings - nearly 10x increase percentage-wise, even with a wider respondent pool
– Can't win the bandwidth game (e.g., consider Storm with reflective amplification)
– New mitigation infrastructure only applies to MS customers
– Mitigation highly fragmented - little incentive to follow up with the ingress (or even upstream/adjacent) network for host cleanup - malicious activity recurrence factor considerable
Page 33 - Intelligent Mitigation (Peakflow SP + TMS)
Diagram of the mitigation process:
– Flows (NetFlow + DPI) are sent to the collector system (Peakflow SP)
– The system detects the attack
– The system talks with the scrubber (TMS) to clean the traffic; the mitigation process is started
– Inject BGP route (off-ramping)
– The scrubber inspects each packet against its rules and network behavior
Page 34 - Attack Scale & Frequency
– Attacks from the perspective of a single ISP and a single attack vector, thus the aggregate for many is likely to be much higher
– Cross-correlation of targets and times provides considerable insight
– Doesn't necessarily matter - scale is all about perspective
– Estonia attacks: 4 Mpps aggregate at peak
Page 35 - Even Cyber Criminals Take Some Time Off
Chart: data derived from Arbor products deployed in 70% of the world's ISPs
Page 36 - Attack on Russia - Arbor's Global Visibility
Detect a multi-ISP distributed attack
Page 37 - A Solution: Network Behavioral Analysis (NBA)
– Network transactional information + control plane data enables baselines (statistical and relational) that allow abnormalities to be identified
– Network-based mitigation can be performed based upon NBA
– Even to detect zero-day threats (e.g., many families have the same network behavioral fingerprint but a different payload)
– Based on compound temporal functions, as well as single packet transactions (e.g., known botnet C&C, UN export-restricted nations, known malware distribution sites, etc.)
Page 38 - Behavioral Fingerprinting
– Unique variants require new virus detection definitions:
  – packers
  – polymorphism, recompile
  – minor obfuscation techniques for known packers
  – strings
  – e.g., 580+ Agobot variants
– Fingerprinting behaviors allows for more generalized detection mechanisms:
  – file status
  – process state
  – network transactions
– Host and network-based detection models that employ relational modeling and network behavioral analysis provide the substrate for zero-day threat identification
Page 39 - Threat Modeling and Instrumentation
Sample: Blaster worm
– Instrumentation of propagation and exploit vectors, with other second stage functions, and modeling network transactions allows development of compound temporal network transactional signatures
– TCP/135: SYN (40), ACK (40), RPC BIND (112), RPC Req. (1744), FIN (40): 1 microflow: 5 packets, 1984 B, 2 RSTs
– ----->>> Subsequent: TCP/4444, N packets/bytes, subsequent to the TCP/135 activity, from vulnerable host, etc.
– Single stage threats much simpler (e.g., SYN to known botnet C&C)
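The Blaster sequence above turned into a flow-based detector, as an added example (not Arbor's code or the slide's own): it matches the TCP/135 exploit microflow and then looks for TCP/4444 traffic between the same two hosts within a time window. The record layout, the window and the assumption that the 4444 flow runs in the same direction as the exploit are mine, not the slide's.

```python
"""Compound temporal signature for the Blaster exploit sequence.

Added example, not from the slides: record layout, time window, direction of
the TCP/4444 flow and the sample flows are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    start: float   # seconds since capture start
    src: str
    dst: str
    dport: int
    packets: int
    octets: int


EXPLOIT_PACKETS = 5    # SYN(40), ACK(40), RPC BIND(112), RPC Req.(1744), FIN(40)
EXPLOIT_OCTETS = 1984  # microflow byte total given on the slide
SHELL_PORT = 4444      # backdoor shell reached after the RPC exploit


def blaster_matches(flows, window=60.0):
    """Return (src, dst, t_exploit, t_shell) for every host pair where a TCP/135
    microflow of exactly 5 packets / 1984 bytes is followed within `window` seconds
    by TCP/4444 traffic from the same source to the same destination."""
    exploits = defaultdict(list)   # (src, dst) -> start times of matching TCP/135 flows
    for f in flows:
        if f.dport == 135 and f.packets == EXPLOIT_PACKETS and f.octets == EXPLOIT_OCTETS:
            exploits[(f.src, f.dst)].append(f.start)
    matches = []
    for f in flows:
        if f.dport != SHELL_PORT:
            continue
        for t in exploits.get((f.src, f.dst), []):
            if 0 <= f.start - t <= window:
                matches.append((f.src, f.dst, t, f.start))
                break
    return sorted(matches)


def infected_hosts(flows, window=60.0):
    """Sources that exhibit the full two-stage sequence at least once."""
    return sorted({m[0] for m in blaster_matches(flows, window)})


# Constructed sample flows; only the first pair completes both stages.
SAMPLE_FLOWS = [
    Flow(10.0, "10.0.0.5", "10.0.1.7", 135, 5, 1984),   # exploit microflow
    Flow(12.5, "10.0.0.5", "10.0.1.7", 4444, 12, 900),  # shell session follows: match
    Flow(20.0, "10.0.0.9", "10.0.1.8", 135, 3, 120),    # ordinary RPC probe: wrong size
    Flow(21.0, "10.0.0.9", "10.0.1.8", 4444, 4, 300),   # 4444 alone is not the signature
    Flow(30.0, "10.0.0.5", "10.0.1.9", 135, 5, 1984),   # exploit with no follow-up
    Flow(40.0, "10.0.2.2", "10.0.1.7", 4444, 6, 400),   # different source: no match
]

if __name__ == "__main__":
    for src, dst, t_exploit, t_shell in blaster_matches(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: TCP/135 at {t_exploit}s, TCP/4444 at {t_shell}s")
    print("infected:", infected_hosts(SAMPLE_FLOWS))
```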
Page 40 - Think of the Possibilities
Diagram (the Internet backbone view from page 8, with Anti-Bot/Spam.com in place of the JP corporate network): systems become infected; bots connect to a C&C to create an overlay network (botnet); the controller connects; the botnet master issues the attack command; bots attack; bye bye! Roles a bot can play: phishing site, drop site, C&C, spam relay, open proxy. Data the bots harvest: phishing data, CD keys, keylogger output, personal ID, video, email, CC & passwords, financial data.
Page 41 - Miscreant Feuding - Bot on Bot Attacks
http://asert.arbor.net
– MPack & Storm (Trojan.Srizbi)
– Upon compromise by MPack, malware is downloaded, checks for other root kits and uninstalls them
– Storm folks get perturbed, attack MPack malware distribution sites
Page 42 - Conclusions
– It's all about layered [network] security - there IS NO silver bullet
– Behavioral models coupled with real-time threat intelligence (e.g., Arbor's ATLAS) can minimize threats, provide gap insurance and help hardening and prevention
– Enable account transaction alerting and keep an eye on those credit reports…