Transcript Offense

MSIT 458 – The Chinchillas
Offense Overview
Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their writers’ ability to predict methods of evasion.
Botnet creators are aware of the taxonomies created by organizations to detect, prevent and remove botnets.
Therefore, systems will always be at risk because attacks can be orchestrated in new, dangerous and undetectable ways.
Detection
• Considering that so many bots now use ubiquitous protocols such as HTTP, the importance of detection is overshadowed by the importance of countermeasure and mitigation
• Example: Various bots are capable of auto-updates, so a detected bot could easily morph to a version that has no current method of removal or suppression (i.e. Kraken)
Detection (cont’d)
• Trend Micro goes so far as to say that botnets are “easy to expose when they attack other hosts”.
• Botnet creators now commonly use methods to make attacking behavior less anomalous.
– Infrequent, smaller data transfers
– Use of ubiquitous, generally trusted protocols like HTTP
Attacking Behavior
Many common attacking behaviors have not been addressed in the taxonomy:
• Frequent infection of new hosts through social networking and other websites. Also spread by flash drive use and open shared network drives.
• Stealing sensitive information by injecting malicious web code or redirecting to malicious web sites
• Installing fake anti-virus software to provoke the need to purchase bogus malware repair tools
• Rootkit techniques used to load bot code into system memory, hide files and hide registry keys
• Setting systems up to download new malware once it has been developed
The IPv6 Opportunity
• The next version of the Internet Protocol is enabled by default on Windows Vista, Server 2003 and later operating systems
• IPv6 is not widely monitored yet, and is tunneled without inspection in IPv4
• IPv6 also enables direct access into a network from the Internet and has means to easily discover neighbors and network IP addresses
• These features will support improved evasion, P2P infection, attacks, and C&C
• Trend Micro underestimates the potential of IPv6 despite its existence since 1996 or earlier
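The slide's point that IPv6 is "tunneled without inspection in IPv4" has a defensive corollary: even where the inner IPv6 traffic is never inspected, the outer IPv4 flow metadata still reveals the tunnel. The following is an added example (not from this presentation or from Trend Micro) that flags common IPv6-in-IPv4 tunnel types in constructed flow records, using IP protocol 41 (6in4/6to4/ISATAP encapsulation), the 6to4 relay anycast address 192.88.99.1, and Teredo's UDP port 3544; the addresses and flows are made up for illustration.

```python
"""Flag IPv4 flows that carry tunnelled IPv6 (added example; sample data is constructed)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # IP protocol number: 6=TCP, 17=UDP, 41=IPv6 encapsulated in IPv4
    dport: int      # destination port, 0 when the protocol has none
    bytes_out: int  # bytes sent by src


# Well-known tunnel indicators (real values, not specific to this deck).
SIXIN4_PROTO = 41          # 6in4, 6to4 and ISATAP all ride on protocol 41
RELAY_6TO4 = "192.88.99.1"  # 6to4 relay anycast address (RFC 3068)
TEREDO_PORT = 3544         # Teredo server/relay UDP port (RFC 4380)

# Constructed sample flows using documentation address ranges.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 6, 443, 4200),   # ordinary HTTPS, benign
    Flow("192.0.2.10", "198.51.100.7", 41, 0, 1500),     # 6in4 tunnel to an arbitrary peer
    Flow("192.0.2.11", "203.0.113.9", 17, 3544, 61),     # Teredo qualification traffic
    Flow("192.0.2.12", "198.51.100.5", 17, 53, 80),      # DNS, benign
    Flow("192.0.2.13", "192.88.99.1", 41, 0, 960),       # 6to4 via the public relay
]


def classify_tunnel(flow: Flow) -> Optional[str]:
    """Return the tunnel type a flow indicates, or None for ordinary IPv4 traffic."""
    if flow.proto == SIXIN4_PROTO:
        return "6to4" if flow.dst == RELAY_6TO4 else "6in4"
    if flow.proto == 17 and flow.dport == TEREDO_PORT:
        return "teredo"
    return None


def find_tunnels(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Collect (src, dst, tunnel_type) for every flow that carries encapsulated IPv6."""
    findings = []
    for f in flows:
        kind = classify_tunnel(f)
        if kind is not None:
            findings.append((f.src, f.dst, kind))
    return findings


if __name__ == "__main__":
    for src, dst, kind in find_tunnels(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: IPv6 tunnel ({kind}) - inner traffic is uninspected")
```

A hit only says a tunnel exists, not that it is malicious; the useful follow-up is to either terminate and inspect the tunnel at the edge or block the encapsulation where it is not sanctioned.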
Command and Control
• C&C is moving away from plain text IRC to proprietary encrypted protocols that are not recognized by network monitoring tools
– “International Foundation for Information Processing, 2009”
• Trend Micro notes the existence of commands that are included in plain text HTTP URLs. Commands can easily be moved to an encrypted payload that is interpreted by a server-side script
Command and Control (cont’d)
• Trend Micro fails to describe at least two other methods of C&C that are now widely used in place of IRC and HTTP
– Social networking sites can host text command messages but are rarely blocked due to their entertainment and relationship-building qualities
– Steganography is used to hide messages in other content such as images or streaming media
The Conficker Dilemma
• Even if people did follow Trend Micro’s recommendations, highly evolved worms like Conficker use many means such as multiple attack vectors not described in the taxonomy
• Conficker propagates via LANs, network shares, and removable media, so it will still propagate even if some of the vectors are secured
• Conficker also downloads new versions that evade detection and exploit new vulnerabilities before all bot hosts can be fixed
The Conficker Dilemma (cont’d)
Image source: Microsoft