BOTNETS & TARGETED MALWARE
Fernando Uribe
INTRODUCTION
Fernando Uribe
Email: [email protected]
IT trainer and consultant for over 15 years, specializing in cyber security.
WHAT IS A BOT?
Bot, standing for robot, is the name given to malware that is installed on vulnerable devices and used to receive commands.
Once a vulnerable machine is infected with a bot, it can also be called a "Zombie", since the bot lies dormant.
WHAT IS A BOTNET?
When one has multiple zombie machines under a single controller, it's known as a botnet.
Botnets can be used for good, like web crawling or search engine indexing.
The majority of the time, botnets are used for Distributed Denial of Service (DDoS) attacks.
A DDoS is when a target is attacked by multiple zombie machines simultaneously.
Usually bots are controlled through an IRC channel via a command and control (C&C) program.
People who operate botnets are usually called bot herders.
HOW DO BOTNETS GET CREATED?
There are several phases to this:
Setup of command and control
Release bot to infect
Have zombies propagate
Bots connect to C&C, ready to receive instructions
Command is given to attack target
Bots attack said target
SETUP OF COMMAND AND CONTROL
Attackers may use various tools (one example is Poison Ivy), or they may create their own.
RELEASE BOT TO INFECT
This could be done via social engineering, phishing, or fake websites.
PROPAGATE
Depending on the bot, this could occur in ways similar to worm infection or malware installation.
CONNECT TO C&C
Think "ET phone home!": the bots try to connect to the programmed IRC channel and report their status.
COMMAND SENT
The command is for a coordinated and automated attack on a target.
ATTACK ORDERED
Once the bots receive the command, they start the attack until told otherwise.
Usually a DDoS.
RECOGNIZING DOS
A few ways to recognize a possible DDoS attack:
Websites unavailable
A specific site not available
Network access bogged down
Large increase in the amount of spam received
DETECTING DDOS
Ways to detect:
Activity profiling
Changepoint detection
Wavelet-based signal analysis
ACTIVITY PROFILING
This is the average packet rate for a network flow.
A flow is made up of consecutive packets with like fields.
An attack is identified when the activity level increases.
CHANGEPOINT DETECTION
Points out the change in traffic during an attack.
Identifies the difference between actual and expected traffic.
Can also be used to identify scanning activities within your network.
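To make activity profiling and changepoint detection concrete, here is an added Python example that is not part of the original presentation: it groups constructed packet records into flows by their like fields and computes each flow's average packet rate per window (activity profiling), then runs a one-sided CUSUM over those rates to find the window where actual traffic departs from the expected baseline (changepoint detection). The packet data, the flow key (dst, proto, dport), and the slack and threshold fractions are assumptions of the example.

```python
from collections import Counter, defaultdict

# Constructed packet records (not captured data): (second, src, dst, proto, dport).
# Seconds 0-119 carry 5 pkt/s of normal HTTPS plus 2 pkt/s of DNS; from second
# 60 on, 40 extra sources per second flood the same HTTPS flow (the DDoS case).
def build_sample_packets():
    pkts = []
    for t in range(120):
        for i in range(5):
            pkts.append((t, f"10.0.0.{i + 1}", "203.0.113.10", "tcp", 443))
        for i in range(2):
            pkts.append((t, f"10.0.0.{i + 1}", "203.0.113.53", "udp", 53))
        if t >= 60:
            for i in range(40):
                pkts.append((t, f"198.51.100.{i + 1}", "203.0.113.10", "tcp", 443))
    return pkts

def activity_profile(packets, window=10):
    """Activity profiling: key packets by like fields (dst, proto, dport) and
    return each flow's average packet rate (pkt/s) per window of `window` s."""
    per_flow = defaultdict(Counter)
    for t, _src, dst, proto, dport in packets:
        per_flow[(dst, proto, dport)][t // window] += 1
    n_windows = max(t for t, *_ in packets) // window + 1
    return {flow: [c[w] / window for w in range(n_windows)]
            for flow, c in per_flow.items()}

def cusum_changepoint(rates, baseline_windows=3, slack_frac=0.5, h_frac=2.0):
    """Changepoint detection: the expected rate is learned from the first
    baseline_windows windows; a one-sided CUSUM accumulates the excess of the
    actual rate over expected + slack and returns the first window index where
    it exceeds h, or None if the flow never departs from its baseline.
    A flow silent during the baseline has h = 0 and alerts on its first packet."""
    expected = sum(rates[:baseline_windows]) / baseline_windows
    slack, h = slack_frac * expected, h_frac * expected
    s = 0.0
    for w, rate in enumerate(rates):
        s = max(0.0, s + (rate - expected - slack))
        if s > h:
            return w
    return None

def find_attacks(packets, window=10):
    """Return {flow: first alert window} for flows whose activity level jumps."""
    profile = activity_profile(packets, window)
    alerts = {f: cusum_changepoint(r) for f, r in profile.items()}
    return {f: w for f, w in alerts.items() if w is not None}
```

Running `find_attacks(build_sample_packets())` on the constructed data flags only the HTTPS flow, starting in window 6 (second 60); the flat DNS flow produces no alert.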
WAVELET SIGNAL ANALYSIS
Analyzes the input signal in terms of its spectral components.
Gives a concurrent description of time and frequency.
By analyzing the spectral data, one can determine the presence of an anomaly.
So it helps you pin down the time when anomalies may have occurred.
ONCE WE KNOW, WE MITIGATE THE ATTACK
Two examples of methods to mitigate a DDoS:
Load balancing
Throttling
DEFENDING AGAINST BOTNETS
RFC 3704 filtering
Black hole filtering
Cisco IPS source IP reputation filtering
DDoS prevention offering from ISP or DDoS service
RFC 3704 FILTERING
Also known as ingress filtering for multihomed networks.
You're basically filtering out traffic arriving from the internet that claims to originate from private IP address space.
Remember that private IPs are not routable on public networks.
BLACK HOLE FILTERING
Drops packets at the routing level.
Normally, when a packet does not reach its destination, a request to resend is sent back, which would continue the attack.
Black hole filtering simply drops the packet but does not inform the source.
CISCO IPS SOURCE IP REPUTATION FILTERING
Used by Cisco IPS.
A database that deems whether an IP or service is a possible threat.
DDOS PREVENTION FROM ISP
Helps prevent IP spoofing at the ISP level.
Uses DHCP snooping to make sure hosts use the IP addresses assigned to them.
Creates, in a way, a white list of which IP addresses can access your network.
TARGETED MALWARE
A different method for malware attacks, where an individual or entity is specifically targeted.
Usually malware uses an "artillery" approach, to hit and infect as many as possible.
Main objectives could be to obtain access to sensitive information, or disruption.
HOW IT WORKS
Attackers use all the tricks in the book: fake emails, malware-filled websites.
They research their victims to be able to extract information.
With the information gathered, a greater social engineering attack can be successfully completed.
Since the attacks are targeted at a smaller audience, they sometimes slip through the cracks due to not getting reported.
EXAMPLES OF TARGETED MALWARE
Stuxnet worm
Specifically targets industrial control systems
Hotord Trojan and Ginwui4
Both used in corporate espionage
DETECT AND MITIGATE
Some methods of detecting and mitigating malware:
Heuristics
Multi-layered pattern scanning
Traffic-origin scanning
Behavior observation
THANK YOU