
BladeRunner - Adventures in Botnet Tracking

Jan 15, 2015


Arbor Networks

This presentation explores the 'adventurous' side of botnet tracking based on ongoing, in-depth research conducted within the world-renowned ASERT team at Arbor Networks. This research was originally presented at AusCERT14 by ASERT's Jason Jones and Marc Eisenbarth.
Transcript
Page 1: BladeRunner - Adventures in Botnet Tracking

BladeRunner Adventures in Tracking Botnets

Jason Jones and Marc Eisenbarth

Page 2

Agenda
• Who Are We?
• ASERT Background
• BladeRunner
  – Background
  – Redesign
  – Malware Tracked
  – Results
  – Future Work
• Conclusions

Page 3

Who Am I (Jason)?
• Sr. Security Research Analyst for Arbor Networks' ASERT
  – Previously of TippingPoint DVLabs
• Speaker at
  – BlackHat USA 2012
  – InfoSec Southwest 2013
  – USENIX LEET '13
  – Botconf 2013
  – AusCERT
• Research interests
  – IP reputation
  – Malware clustering
  – Data mining DNS / malware / target data

Page 4

Who is Marc?
• Manager of ASERT Research Team / ASERT Architect
  – Previously of TippingPoint DVLabs
• Speaker at
  – ShmooCon
  – USENIX LEET '12
  – InfoSec Southwest 2013
  – Botconf
  – AusCERT x 2

Page 5

ASERT
• Arbor Security Engineering & Response Team
  – Active Threat Feed
  – ATLAS Intelligence Feed
  – Malware Reverse Engineering
  – Threat Intelligence

Page 6

ASERT
• ASERT Malware Corral
  – Malware storage + processing system
  – Processing occurs via sandbox and static methods
  – Tagging via behavioral and static methods
• Currently pulling in between 50-100k samples/day
  – Biggest problem is figuring out what to run
• 665 unique family names tagged in 2014
  – DDoS, bankers, droppers, RATs, advanced threats, etc.
  – 161 different family phone-homes tagged

Page 7

MCorral (title only in transcript)

Page 8

BladeRunner

Page 9

Background
• Started by Jose Nazario in 2006
• Original version focused on IRC bots
• Only tracked DDoS commands
• Presented at
  – VirusBulletin Conference 2006
  – BlackHat DC 2007
  – http://www.arbornetworks.com/asert/2012/02/ddos-attacks-in-russia/
  – HITB KUL 2012

Page 10

Background
• Started tracking HTTP bots
  – Used os.system() calls to curl (-_-)
  – Was not enjoyable to read or write
• Tracked binary-protocol bots
  – Used "replay": good for avoiding time-consuming protocol reversing, but...
  – If a sample made a successful connection, its captured packet was sent back to the CnC
  – No connection in MCorral = CnC was considered "dead"
  – DynDNS-based malware tends to be up only for short, random periods, so a lot was missed

Page 11

Redesign - Goals
• Lack of flexibility and lack of tracking led to the redesign
• Most important requirement: *has* to do everything the old version did, and "more"
• Track non-DDoS commands
• Support non-DDoS malware
• Automatically expire CnCs
• Have "conversations" with the CnC
  – No replay
  – Respond to all commands until termination
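The "conversation" model on this slide, as an added example written for this page rather than BladeRunner's own code: a replicant that answers every command the C2 sends until it is told to stop, and an expiry rule that retires C2s that stop answering. The one-line `<verb> <argument>` wire format, the verb names, the `scripted_c2` stand-in and the expiry thresholds are all assumptions; a real replicant needs a per-family parser and a live network transport in place of the script.

```python
"""Added example (not BladeRunner code): a 'replicant' fake bot that holds a
conversation with a C2 until told to stop, plus automatic C2 expiry.
The transport is injected so the example runs offline against a scripted C2."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Assumed wire format for this example: each C2 reply is one line
# "<verb> <argument>".  Real families each need their own parser.
Transport = Callable[[str], Optional[str]]   # send beacon -> reply, None = no connection


@dataclass
class C2Record:
    host: str
    commands: List[str] = field(default_factory=list)    # every attack/unknown command seen
    downloads: List[str] = field(default_factory=list)   # URLs from download-and-execute
    failures: int = 0            # consecutive check-ins with no answer
    last_seen: float = 0.0       # unix time of the last successful reply
    alive: bool = True


@dataclass
class Replicant:
    """Fake bot: answers every command and never replays a canned packet."""
    record: C2Record
    transport: Transport
    bot_id: str = "replicant-0001"   # assumed identifier format

    def converse(self, now: float, max_rounds: int = 50) -> str:
        """Run one check-in conversation and return why it ended."""
        beacon = f"hello id={self.bot_id}"
        for _round in range(max_rounds):
            reply = self.transport(beacon)
            if reply is None:
                self.record.failures += 1
                return "no-connection"
            self.record.failures = 0
            self.record.last_seen = now
            verb, _, arg = reply.partition(" ")
            if verb == "ddos":
                self.record.commands.append(reply)   # log the target, never attack it
                beacon = "ack ddos"
            elif verb == "download":
                self.record.downloads.append(arg)    # a harvester fetches the sample later
                beacon = "ack download"
            elif verb == "sleep":
                beacon = f"woke after {arg}"
            elif verb == "exit":
                return "terminated"
            else:
                self.record.commands.append(reply)   # keep unknown commands for new parsers
                beacon = "ack unknown"
        return "round-limit"


def expire(record: C2Record, now: float, max_failures: int = 3,
           max_silence: float = 7 * 86400) -> bool:
    """Mark a C2 dead after repeated unanswered check-ins or a week of silence
    (both thresholds are assumptions); return the updated alive flag."""
    silent = record.last_seen > 0 and now - record.last_seen > max_silence
    if record.failures >= max_failures or silent:
        record.alive = False
    return record.alive


def scripted_c2(replies: List[Optional[str]]) -> Transport:
    """Constructed stand-in for a live C2: answers from a fixed script, then
    behaves as unreachable."""
    pending = iter(replies)
    return lambda _beacon: next(pending, None)


def demo() -> Tuple[C2Record, str]:
    """Drive one replicant through a constructed four-command session."""
    rec = C2Record(host="cnc.example.invalid")
    bot = Replicant(rec, scripted_c2([
        "ddos http://target.example.invalid/ 60",
        "download http://cnc.example.invalid/upd.exe",
        "sleep 30",
        "exit",
    ]))
    return rec, bot.converse(now=1_700_000_000.0)
```

The point of the design is that every C2 reply is parsed and answered, so a command sent after the first one is not lost the way it was with a single replayed packet, and a C2 that stops answering is retired by `expire()` rather than sitting in the database forever.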

Page 12

Redesign - Architecture
• Three separate pieces
  – Data model
    • Our system uses a Django-based ORM
    • Postgres backend
    • Considering alternative storage methods for handling "big data"
  – Harvesters
    • Pull tagged connections from our analysis system
    • Use VirusTotal Intelligence Hunting
    • Configuration extractors
  – "Replicants", aka fake bots

Page 13

Redesign - Architecture (title only in transcript)

Page 14

Replicated Malware

Page 15

Replicated Malware
• Sixteen separate malware families re-implemented
  – Ten HTTP-based
    • Four implement some form of encryption / obfuscation
  – One plain-text binary protocol
  – Five binary protocols with some form of encryption
• More time consuming to re-implement binary protocols
• Even more time consuming to reverse custom crypto
• No IRC bots

Page 16

My standard reversing process… (title only in transcript)

Page 17

DirtJumper Family / Variants (title only in transcript)

Page 18

DirtJumper Drive
https://www.arbornetworks.com/asert/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/

Page 19

Drive2
https://www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/

Page 20

Drive3
https://www.arbornetworks.com/asert/2014/03/drive-returns-with-new-tactics-and-new-attacks/

Page 21

Athena HTTP
https://www.arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/

Page 22

Madness
• Super-awesome Base64-encoded secrecy
• Most interesting strings in the binary are Base64-encoded
• Sometimes the author forgets to strip symbols from his binaries :)
• Sometimes botnet ops give you their FTP creds in a file download :)
• https://www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/
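Pulling the Base64-encoded strings out of a Madness-style binary, as an added example for this page (not ASERT's or the deck's code): scan for runs of the Base64 alphabet, restore any padding the author stripped, decode, and keep only results that are printable text. `SAMPLE_BLOB` is a constructed byte string, not a real Madness sample, and the 16-character minimum run length is an assumption chosen to avoid matching ordinary identifiers.

```python
"""Added example (not ASERT code): recover Base64-encoded strings from a
binary blob the way you would triage a Madness sample.  SAMPLE_BLOB is a
constructed byte string, not a real Madness binary."""
import base64
import re
import string
from typing import List, Tuple

# Candidate tokens: runs of the Base64 alphabet of 16+ chars (length is an
# assumption; shorter runs collide with ordinary identifiers) plus optional '='.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
_PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """True when almost every decoded byte is printable ASCII."""
    return bool(data) and sum(b in _PRINTABLE for b in data) / len(data) >= threshold


def extract_b64_strings(blob: bytes) -> List[Tuple[bytes, str]]:
    """Return (raw_token, decoded_text) for each candidate that decodes to text.
    Padding is restored because authors sometimes strip the trailing '='."""
    found = []
    for match in _B64_RUN.finditer(blob):
        token = match.group(0)
        padded = token + b"=" * (-len(token) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if looks_like_text(raw):
            found.append((token, raw.decode("ascii")))
    return found


# Constructed sample: three encoded strings buried among junk bytes, the
# second with its padding stripped.  Built with b64encode so the expected
# plaintext is unambiguous; this is not real Madness data.
_SECRETS = [b"http://cnc.example.invalid/panel/gate.php",
            b"User-Agent: Mozilla/5.0",
            b"attack_start"]
SAMPLE_BLOB = (b"MZ\x90\x00\x03\x00\x00\x00"
               + base64.b64encode(_SECRETS[0]) + b"\x00"
               + b"kernel32.dll\x00"
               + base64.b64encode(_SECRETS[1]).rstrip(b"=") + b"\x00"
               + base64.b64encode(_SECRETS[2]) + b"\x00\xff\xfe")
```

Run `extract_b64_strings(open(path, "rb").read())` against a real sample; the printable-text filter is what separates encoded configuration from long alphanumeric runs that merely happen to be valid Base64.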

Page 23

Madness
• Bad admins give you a download-and-execute containing their hosting site credentials :)
  – And that gets you their admin panel credentials
• Poor guy has a small botnet :(
• Appears to be the "cracked" version available in forums

Page 24

Solarbot
• RC4 using the s parameter as key
• NULL-delimited commands
• Commands are byte values
• Later discovered leaked cracked builder + panel
  – http://www.sendspace.com/file/nm5isp
• Really? Blocking Scrabble?
  – "Blacklist: https://scrabblefb-live2.sn.eamobile.com"
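The Solarbot decoding the slide describes, as an added example that is not the deck's or ASERT's code: RC4 keyed with the bot's `s` request parameter, then NULL-delimited records whose first byte is the command. Only "RC4 keyed by `s`, NULL-delimited, byte-valued commands" comes from the slide; the POST body layout, the `COMMAND_NAMES` table and the sample exchange are assumptions constructed for the example, and the ciphertext is produced with the same `rc4()` routine since RC4 is symmetric.

```python
"""Added example (not ASERT code): decrypt a Solarbot-style C2 reply with
RC4 keyed by the bot's `s` request parameter, then split the NULL-delimited,
byte-valued commands.  Command table and wire layout are assumptions."""
from typing import Dict, List, Tuple
from urllib.parse import parse_qs


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Assumed command table for illustration only; not Solarbot's real values.
COMMAND_NAMES: Dict[int, str] = {0x01: "ddos", 0x02: "download", 0x03: "update", 0x04: "uninstall"}


def key_from_request(body: str) -> bytes:
    """The bot's check-in body carries the RC4 key in its `s` parameter
    (assumed form-encoded POST body)."""
    return parse_qs(body, strict_parsing=True)["s"][0].encode()


def parse_commands(plaintext: bytes) -> List[Tuple[str, bytes]]:
    """Each NULL-delimited record is <command byte><argument bytes>."""
    cmds = []
    for rec in plaintext.split(b"\x00"):
        if not rec:
            continue
        cmds.append((COMMAND_NAMES.get(rec[0], f"unknown-0x{rec[0]:02x}"), rec[1:]))
    return cmds


def decrypt_reply(request_body: str, ciphertext: bytes) -> List[Tuple[str, bytes]]:
    """Key from the bot's own request, decrypt the C2 answer, split commands."""
    return parse_commands(rc4(key_from_request(request_body), ciphertext))


# Constructed exchange: the bot's check-in and a C2 answer encrypted under the
# key carried in `s`.  Unknown command 0x09 shows how unparsed bytes surface.
SAMPLE_REQUEST = "id=0123456789ab&s=k7Qw3zPa&v=2"
_SAMPLE_PLAINTEXT = (b"\x01http://target.example.invalid/\x00"
                     b"\x02http://cnc.example.invalid/x.exe\x00"
                     b"\x09extra\x00")
SAMPLE_REPLY = rc4(b"k7Qw3zPa", _SAMPLE_PLAINTEXT)
```

`rc4()` reproduces the well-known vector (key `Key`, plaintext `Plaintext` gives `BBF316E8D940AF0AD3`), which is the first thing to check before blaming the protocol reversing when a replicant's decrypted replies come out as garbage. Unknown command bytes are reported rather than dropped so they show up as candidates for new parsers.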

Page 25

DarkComet
https://www.arbornetworks.com/asert/2012/03/its-not-the-end-of-the-world-darkcomet-misses-by-a-mile/

Page 26

Results!

Page 27

Results - Overview
• In production for over a year
• Provided a wealth of intelligence around attacks
  – What kinds of attacks are most popular
• Collected over 270,000 attack commands
• Stores information on over 3500 C2s
  – Almost 1100 have been active at some point
• Since Jan 2014, data harvested from 1996 unique MD5s
  – Number of C2s with double-digit sample associations

Pages 28-43

Results - Locations (sixteen slides; only the title survives in the transcript)

Pages 44-49 (only titles survive in the transcript)

Page 44: Results – Downloaded Malware (1)
Page 45: Results – Downloaded Malware (2)
Page 46: Results – CnC Relationships via pDNS (1)
Page 47: Results – CnC Relationships via pDNS (2)
Page 48: Results – CnC Relationships via pDNS (3)
  https://www.virustotal.com/en/ip-address/31.170.164.5/information/
Page 49: Results – CnC Relationships via Targets (1)

Page 50

Results – CnC Relationships via Targets (2)
• Many Drive/Drive2 CnCs share similar targets
• Coupling similarity in targets with pDNS gives
  – Many co-located in the same /24
  – Some on the exact same IP
• Some targets have multiple CnCs on multiple botnets targeting them
  – Speaks to a larger campaign against a site
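Relating C2s by shared targets and by pDNS co-location as on this slide, as an added example with constructed data (not BladeRunner's data or code): Jaccard similarity over each C2's target set, a same-IP / same-/24 check over pDNS resolutions, and a per-target view of which C2s hit a site. The hostnames and addresses are assumptions drawn from reserved example and documentation ranges, and the 0.5 similarity threshold is a choice made for the example.

```python
"""Added example (not BladeRunner code): relate C2s by the targets they attack
and by where pDNS places them.  All data below is constructed."""
from ipaddress import ip_network
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed: C2 hostname -> hosts seen in its parsed attack commands
TARGETS: Dict[str, Set[str]] = {
    "drive-a.example.invalid": {"shop1.example.invalid", "news.example.invalid",
                                "forum.example.invalid"},
    "drive-b.example.invalid": {"shop1.example.invalid", "news.example.invalid",
                                "bank.example.invalid"},
    "athena-c.example.invalid": {"bank.example.invalid"},
    "drive-d.example.invalid": {"shop1.example.invalid", "news.example.invalid",
                                "forum.example.invalid", "blog.example.invalid"},
}
# Constructed: C2 hostname -> IPs it resolved to, per passive DNS
PDNS: Dict[str, Set[str]] = {
    "drive-a.example.invalid": {"192.0.2.10"},
    "drive-b.example.invalid": {"192.0.2.77"},
    "athena-c.example.invalid": {"198.51.100.5"},
    "drive-d.example.invalid": {"192.0.2.10", "203.0.113.9"},
}


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap of two target sets, 0.0 when both are empty."""
    return len(a & b) / len(a | b) if a | b else 0.0


def colocation(ips_a: Set[str], ips_b: Set[str]) -> str:
    """'same-ip', 'same-/24' or 'none', judged from pDNS resolutions."""
    if ips_a & ips_b:
        return "same-ip"
    nets_a = {ip_network(f"{ip}/24", strict=False) for ip in ips_a}
    nets_b = {ip_network(f"{ip}/24", strict=False) for ip in ips_b}
    return "same-/24" if nets_a & nets_b else "none"


def related_c2(targets: Dict[str, Set[str]], pdns: Dict[str, Set[str]],
               min_similarity: float = 0.5) -> List[Tuple[str, str, float, str]]:
    """Pairs whose target overlap or shared hosting suggests one operator."""
    out = []
    for a, b in combinations(sorted(targets), 2):
        sim = jaccard(targets[a], targets[b])
        where = colocation(pdns.get(a, set()), pdns.get(b, set()))
        if sim >= min_similarity or where != "none":
            out.append((a, b, round(sim, 2), where))
    return out


def targets_under_campaign(targets: Dict[str, Set[str]],
                           min_c2: int = 2) -> Dict[str, List[str]]:
    """Sites hit from several C2s at once: evidence of a larger campaign."""
    hits: Dict[str, List[str]] = {}
    for c2, ts in targets.items():
        for t in ts:
            hits.setdefault(t, []).append(c2)
    return {t: sorted(c2s) for t, c2s in hits.items() if len(c2s) >= min_c2}
```

With the constructed data, `related_c2(TARGETS, PDNS)` pairs the three Drive C2s (two by /24, one by exact IP) and leaves the Athena C2 out, while `targets_under_campaign(TARGETS)` lists every site attacked from two or more C2s. In practice the similarity threshold and the /24 heuristic both need tuning against the hosting provider: a shared /24 at a large hoster means far less than at a bullet-proof one.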

Page 51

Results – Geo-Political Activity (1)
• Russia / ex-Soviet Bloc area very active
  – Russian Gov't related sites attacked
  – Azerbaijan / Dagestan-related event attacks
  – Anti-Gov't sites attacked
  – Ukraine sees lots of attacks, is definitely not weak ;)
• Corruption exposure sites attacked

Page 52

Results – Geo-Political Activity (2) (title only in transcript)

Page 53

Results – Geo-Political Activity (3)
• Sochi Olympics
  – Expected target given some recent RU laws + global appeal of the event
  – Drive3 started targeting a few days before the games began
  – Success story since we were able to use the intel for mitigation
  – Shocker was that it consisted of compromised sites as C2
  – Hosters were able to get the majority of the C2 cleaned very fast

Page 54

Results – Geo-Political Activity (4)
• Numerous DDoS attacks launched during the Crimea situation
  – Local Crimean gov't sites
  – UA gov't sites
  – RU gov't sites
  – Referendum voting sites
• Attacks had varying success
• Attacks still ongoing due to political unrest

Page 55

Results – Retaliation DDoS
• Stelios / Maverick gets dox'd on paste sites
  – http://pastebin.ca/2457696
• Multiple CnCs start launching attacks against paste sites
  – Specifically targeted the pastes with the dox
  – Hired externally, did not use own CnC for the attacks
• Listed as owner of ddos-service.cc
  – steliosmaver.ru Athena HTTP CnC possible backend

Page 56

Results – Protecting Targets
• Major reason why ASERT tracks botnets is for protection + intelligence
  – Not for sale
  – Not for ambulance chasing
• Multiple instances of Arbor customers being attacked
  – Know the attack + botnet = easy to tailor protection
• Share data with those that have the power to take down

Page 57

Parting Words

Page 58

Wrap-Up
• BladeRunner-like systems produce useful threat intelligence
  – Botnet size can matter, especially in DDoS
  – Find some actual new-to-you underground forums via DDoS targets ;)
• Everyone should be doing it on some level
  – Goal is to provide a blueprint and a starting point to help that become a reality
• All the data makes for pretty pictures :)
• Need better handling of larger datasets
• Add more custom command parsers
  – Files
  – Generic "Commands"

Page 59

Future Work
• More bots
  – Andromeda
  – Bankers (web-injects, configs)
• Data mining
  – GraphDB – currently investigating TitanGraph
  – Correlate with other internal data sources
  – Maltego modules via Canari
• Code availability
  – Config extraction
  – Fake bots

Page 60

Moar Future Work
• Dynamically spin up EC2/Rackspace/etc. instances for proxying on demand
  – Seen a few geo-blocking DDoS CnCs, but not many
  – Also helps keep the botnet IP space large and dynamic to avoid blacklisting
• Alternatives to Django/ORM
  – I like it, but...

Page 61

How Do I Get This Data?
• Most people can't get all of it
  – As mentioned previously, not for sale
• Hosters / those with the power/willingness to take C2s down
• We freely share with CERTs / LE (Europol/FBI/equivalents)
  – Not in the business of takedowns
    • Full-time job with the amount of data processed
    • Legal morass
  – If you are one of those and are interested, please contact us
• Work for ASERT ;)

Page 62

Code Availability
• Code *almost* ready, but not yet ready for public release :(
• Still work to be done with cleaving it out of our infrastructure
• Goal is to get standalone pieces of many fake bots out to allow people to integrate them into their own backends and systems
• Targeting July 2014
• https://github.com/arbor/

Page 63

Questions/Comments/Feedback
• [email protected] / [email protected]
• @jasonljones / http://www.arbornetworks.com/asert/
• http://jasonjon.es/research/

Page 64

Thank You!