MSIT 458 – The Chinchillas

Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their writers’ ability to predict methods of evasion. Botnet creators are aware of the taxonomies created by organizations to detect, prevent and remove botnets. Therefore, systems will always be at risk because attacks can be orchestrated in new, dangerous and undetectable ways. 2

Detection Considering that so many bots now use ubiquitous protocols such as HTTP, the importance of detection is overshadowed by the importance of countermeasure and mitigation Example: Various bots are capable of auto- updates, so a detected bot could easily morph to a version that has no current method of removal or suppression (ie. Kraken) 3

Detection (cont’d) Trend Micro goes so far as to say that botnets are “easy to expose when they attack other hosts”. Botnet creators now commonly use methods to make attacking behavior less anomalous. – Infrequent, smaller data transfers – Use of ubiquitous, generally trusted protocols like HTTP 4

Attacking Behavior Many common attacking behaviors have not been addressed in the taxonomy: Frequent infection of new hosts through social networking and other websites. Also spread by flash drive use and open shared network drives. Stealing sensitive information by injecting malicious web code or redirecting to malicious web sites Installing fake anti-virus software to provoke the need to purchase bogus malware repair tools Rootkit techniques used to load bot code into system memory, hide files and hide registry keys Setting systems up to download new malware once it has been developed 5

The IPv6 Opportunity The next version of the Internet Protocol is enabled by default on Windows Vista, Server 2003 and later operating systems IPv6 is not widely monitored yet, and is tunneled without inspection in IPv4 IPv6 also enables direct access into a network from the Internet and has means to easily discover neighbors and network IP addresses These features will support improved evasion, P2P infection, attacks, and C&C Trend Micro underestimates the potential of IPv6 despite its existence since 1996 or earlier 6

Command and Control C & C is moving away from plain text IRC to proprietary encrypted protocols that are not recognized by network monitoring tools – “International Foundation for Information Processing, 2009” Trend Micro notes the existence of commands that are included in plain text HTTP URLs. Commands can easily be moved to an encrypted payload that is interpreted by a server side script 7

Command and Control (cont’d) Trend Micro fails to describe at least two other methods of C&C that are now widely used in place of IRC and HTTP – Social networking sites can host text command messages but are rarely blocked due to their entertainment and relationship building qualities – Steganography is used to hide messages in other content such as images or streaming media 8

The Conficker Dilemma Even if people did follow Trend Micro’s recommendations, highly evolved worms like Conficker use many means such as multiple attack vectors not described in the taxonomy Conficker propagates via LANs, network shares, and removable media, so it will still propagate even if some of the vectors are secured Conficker also downloads new versions that evade detection and exploit new vulnerabilities before all bot hosts can be fixed 9

The Conficker Dilemma (cont’d) 10 Image source: Microsoft