  1. Botnets: Proactive System Defense
     John C. A. Bambenek, University of Illinois – Urbana-Champaign, June 2006
     www.iti.uiuc.edu

  2. Introduction
     • Assumptions
     • Paradigm shifts in eCommerce
     • Growth and changes in malware
     • Future trends of botnets
     • Fundamental flaws in our current system
     • Remediation of the core vulnerabilities
     • Cost justification

  3. Assumptions
     • Focus on financial transactions; DDoS is painful but small in damage possibilities, and it exposes the botnet once the DDoS begins.
     • Consumers don’t directly pay for fraud losses. Banks and merchants do.
     • Consumers, as a rule, aren’t qualified or motivated to sufficiently harden their own machines.
     • Corporations have other means of protection available to them; focus effort on consumers.

  4. Paradigm Shifts in eCommerce
     • ~1993 – Web browsers and Web servers invented (instant information access)
     • ~1995 – eBay, Amazon begin the era of eCommerce (money transactions over the internet)
     • ~2003 – Spyware, phishing, identity theft (“hackers” in it for money)
     • All had “reactive” responses to paradigm shifts: current/old technologies were adapted to new needs.
     • We’ve not had a fundamental examination of how we do business online.
     • We are playing the information security game on the hackers’ terms, not ours.

  5. Growth and Change in Malware Development
     • In the beginning there were viruses…
     • 2003 saw the beginning of spyware, phishing, botnets, etc. as an outgrowth of spamming outfits, not hacking outfits. (“Spamford” Wallace fined $4m for spyware operations) [1]
     • Slow development in botnet technology (2 years to start to see real use of encryption).
     • Spyware, phishing, botnets still growing despite the increase in money being spent to remediate the problem.

  6. Growth in Phishing, Malware
     [Chart: number of trojans intercepted by Kaspersky Labs [2]]
     • About 10–15k new bot machines per day. Dropped to 5k after the SP2 release, for only a few months. [3]
     • Only 4–6 days until an exploit is released, yet 40–60 days for a patch. [4]
     • Money being involved means more players developing the malware and trying to deploy it.
     • Why do they keep growing? Because it keeps working.
     • We haven’t eliminated the real problem.

  7. Botnets and Theft
     • Zotob/Mytob/Rbot creators developed software to maintain control of computers for financial gain.
     • Authors forwarded stolen credit card information to a credit card fraud ring.
     • Oct. 2005, botnet with 1.5 million hosts found and shut down. [5]
     • Hackers were caught trying a DDoS extortion scheme; however, the software also has a keylogger. Financial information was likely also compromised.
     • Most botnet software includes keyloggers that steal financial information and send it via either IRC or e-mail.

  8. Future Trends of Botnets
     • Botnet operators want to remain online and in control of machines as long as possible.
     • More encryption
     • More mimicking of “normal” traffic
     • Can still detect by looking for “bad IPs”
     • Possible detection by outbound connection monitoring (PrivacyGuard, etc.)

  9. Future Botnet Evolution?
     • Future paradigm shift? Using allowable and ordinary communication to hide botnet control messages.
     • Using Gmail as a botnet control protocol
        • Known good IP space
        • XML makes it easy to develop bots to interact with it (e.g. read messages with RSS)
        • **Can use SSL**
        • Will be invisible to network inspection
     • Use for economic warfare?
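Slides 8 and 9 argue that encrypted control traffic to “known good” IP space defeats payload inspection, yet outbound connection monitoring still works. The following added example (not from the presentation) runs three defender-side checks over a constructed connection log in Python: a constructed bad-IP list, classic IRC ports, and beacon-interval regularity, which survives SSL because it needs no payload; the log format, the IP list and the jitter threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection log from one consumer PC (hypothetical
# format: epoch seconds, destination IP, destination port).
SAMPLE_LOG = """\
1150000000 203.0.113.9 6667
1150000300 203.0.113.9 6667
1150000600 203.0.113.9 6667
1150000900 203.0.113.9 6667
1150000010 198.51.100.20 443
1150000320 198.51.100.20 443
1150000615 198.51.100.20 443
1150000905 198.51.100.20 443
1150000050 192.0.2.7 80
"""
BAD_IPS = {"203.0.113.9"}   # constructed "bad IP" list (slide 8)
IRC_PORTS = {6667, 6697}    # classic IRC control channels (slide 7)

def parse_log(text):
    """Return (timestamp, dest_ip, dest_port) tuples."""
    return [(int(t), ip, int(p)) for t, ip, p in
            (line.split() for line in text.splitlines())]

def beaconing(timestamps, min_count=4, max_jitter=0.1):
    """True when contacts recur at a near-constant interval (works under SSL)."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter

def find_suspects(rows):
    """Map 'ip:port' -> list of reasons for every flagged destination."""
    by_dest = defaultdict(list)
    for ts, ip, port in rows:
        by_dest[(ip, port)].append(ts)
    alerts = {}
    for (ip, port), times in by_dest.items():
        reasons = []
        if ip in BAD_IPS:
            reasons.append("known-bad IP")
        if port in IRC_PORTS:
            reasons.append("IRC port")
        if beaconing(times):
            reasons.append("periodic beacon")
        if reasons:
            alerts[f"{ip}:{port}"] = reasons
    return alerts
```

The HTTPS destination 198.51.100.20 is on no list and uses no suspicious port, yet its five-minute cadence still flags it; that timing signal is what the slide’s “invisible to network inspection” claim leaves out.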

  10. Fundamental Flaws in our Current System
     • Financial information (e.g. credit card numbers) is entered in the clear on untrustworthy machines.
     • Financial transactions generally only require one-factor authentication.
     • We have a weak, de facto national ID system: only a 9-digit number is needed to assume someone’s identity.
     • Anti-virus/anti-spyware assumes all software is safe until proven otherwise. ~20% of malware is not detected. [6]
     • We must wait until exploitation to make signatures.

  11. Remediation
     • Financial and identity information should be encrypted before it gets to the PC (e.g. smart cards).
     • Anti-virus/anti-spyware should go to a “deny all” default policy; develop a “trusted” software model (e.g. “signed software”).
     • Develop free, consensus-based hardening scripts for consumer PCs; let ISPs, banks, etc. distribute them. Stronger automatic updating.
     • Develop ways to remotely validate that a machine is “safe” before allowing a transaction.
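To make the “deny all” / signed-software proposal concrete, here is an added example (not the presenter’s code) that contrasts the blocklist model criticised on slide 10 with a default-deny allowlist backed by an integrity-checked manifest. The sample binaries, the manifest key and the use of an HMAC in place of a publisher’s public-key signature are all assumptions made so the example runs on the standard library alone.

```python
import hashlib
import hmac

# Constructed stand-ins for executables found on a consumer PC.
SAMPLES = {
    "bank_client.exe": b"trusted banking client build 1.0",
    "updater.exe": b"vendor updater build 3.2",
    "keylog_variant.exe": b"novel keylogger with no AV signature yet",
}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Hypothetical signed manifest of trusted software. An HMAC stands in for the
# publisher's public-key signature; the key is a constructed demo value.
MANIFEST_KEY = b"constructed-demo-key"
MANIFEST = {sha256(SAMPLES["bank_client.exe"]), sha256(SAMPLES["updater.exe"])}

def manifest_mac(manifest, key=MANIFEST_KEY):
    body = "\n".join(sorted(manifest)).encode()
    return hmac.new(key, body, "sha256").hexdigest()

MANIFEST_MAC = manifest_mac(MANIFEST)

# Current model (slide 10): blocklist of known-bad digests; unknown = allowed.
KNOWN_BAD = {sha256(b"old worm already in every signature database")}

def default_allow(data):
    return "deny" if sha256(data) in KNOWN_BAD else "allow"

# Proposed model (slide 11): nothing runs unless its digest is in a manifest
# whose integrity checks out; a tampered manifest is trusted for nothing.
def default_deny(data, manifest, mac, key=MANIFEST_KEY):
    if not hmac.compare_digest(manifest_mac(manifest, key), mac):
        return "deny"
    return "allow" if sha256(data) in manifest else "deny"

def compare_policies():
    """Return {name: (default_allow verdict, default_deny verdict)}."""
    return {name: (default_allow(data), default_deny(data, MANIFEST, MANIFEST_MAC))
            for name, data in SAMPLES.items()}
```

The never-before-seen keylogger sails through the blocklist (the slide’s “~20% not detected”) but is stopped by default deny, and simply adding its digest to the manifest does nothing unless the manifest is re-signed with the key.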

  12. Remediation (2)
     • Should not exclude continuing other host-based and network-based detection schemes.
     • Needs to be convenient and “free” for the user.
     • Creates a defense-in-depth environment for PCs. Hackers will have a harder time undermining several layers of protection than just undermining one ineffective one.
     • It will be “expensive” to do all of these, but it’s worth the cost.

  13. Cost Justification
     • Estimated $24 billion USD (0.2% of GDP) in assets already at risk from stolen identities of US consumers (low-balled estimate). [7]
     • Real vulnerability is more like $110 billion (0.9% of GDP). [8]
     • If stolen identities were used for economic warfare instead of simple theft, damage would be much higher (run on the bank, dramatic loss of confidence in eCommerce…).
     • Changes the security dynamics and forces hackers to adapt to us.

  14. Conclusion
     • The core vulnerabilities of eCommerce have not yet been adequately addressed (insecure PCs, one-factor auth, use of old technologies and methods…).
     • Fraud and identity theft will continue to be the primary drivers of botnet growth and development until those problems are addressed.
     • If left unchecked, botnets will become harder, or near-impossible, to detect on the network.
     • Proactive steps will put the “bad guys” on defense: a great return on security investment.
     • Get “institutional players” and money out of the botnet business.
     • Apply defense-in-depth to consumer PCs.

  15. References
     [1] The Register, May 5th, 2006. http://www.theregister.co.uk/2006/05/05/ftc_spyware_lawsuits/
     [2] Viruslist, “Malware Evolution: 2005”, February 8th, 2006. http://www.viruslist.com/en/analysis?pubid=178949694
     [3] Symantec, March 5th, 2005. http://www.symantec.com/small_business/library/article.jsp?aid=symantec_research
     [4] Ullrich, J. “The Disappearing Patch Window”. http://isc.sans.org/presentations/MITSecCampISCPresentation.pdf
     [5] Internet Storm Center, October 10th, 2005. http://isc.sans.org/diary.php?storyid=778
     [6] Internet News (citing Gartner), June 13th, 2006. http://www.internetnews.com/security/article.php/3613236
     [7] Bambenek, J. http://handlers.dshield.org/jbambenek/keylogger.html
     [8] Unpublished study by John Bambenek and Agnieszka Klus.
