
Taking Down Botnets: Microsoft and the Rustock Botnet







  1. Taking Down Botnets: Microsoft and the Rustock Botnet
     Presenter: 劉旭哲

  2. 95% of all spam is sent by botnets
     • Almost half of that spam comes from a single botnet, Rustock (39%).
     • Botnet population fell from 2.5 million to 1.3 million bots over the same period.
     • Total spam volume is down for every botnet except Rustock.
     • Rustock reduced its number of bots but increased its volume: a 6% increase in spam emails per day.

  3. Rustock
     • 5+ years old.
     • Consists of exploit pushers, malware writers, botnet operators, hosting companies, and many sub-components of each.
     • Infects a user simply through ad space sold to enterprising third parties.
     • Installs a rootkit.

  4. C&C
     • In 2008, the C&C IP address was hard-coded inside the executable.

  5. Even today, many bots don't use DNS and rely on a fixed set of IPs.
     • If you need both a domain name and hosting on an IP (a server), that gives the Internet good guys two ways to knock you out:
       • the IP routing infrastructure
       • the DNS infrastructure, via registrars/registries.

  6. "New" Rustock
     1) Missing Accept-Language/Accept-Encoding
     2) The User-Agent is faked
     3) The Host
     4) The URI
     5) HTTP/1.1 instead of 1.0

  7. The botmaster designed his botnet
     • to make it look a little more legitimate than a typical botnet.
     • By not making such mistakes, Rustock made itself slightly more difficult to detect than the bots above, and as analysts have come out with SpyEye Snort signatures, it has been morphing its structure.
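The five header traits on slide 6 are the mistakes a typical bot makes and the "new" Rustock avoided. The following added example (not code from the presentation, Microsoft or FireEye) is a small scorer that parses a raw HTTP request and reports which of those traits it exhibits; the sample requests are constructed, and the choice of `.txt`/`.bin` URIs as a flat-file trait borrows the file names from slides 11-12. A request that scores zero looks like a browser, which is exactly why the improved bot was harder to spot.

```python
"""Added example (not code from the presentation or from Microsoft/FireEye):
a header-hygiene scorer for the five HTTP traits listed on slide 6.
Each trait that typical bots get wrong adds one finding; the "new" Rustock
avoided all five, so a zero score is what made it harder to detect."""
import re

# A browser User-Agent should come with the headers browsers always send.
BROWSER_UA = re.compile(r"Mozilla/\d")
BARE_IP = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")
FLAT_FILE_URI = re.compile(r"\.(?:txt|bin)$")


def parse_request(raw: str):
    """Split a raw HTTP request into (method, uri, version, headers)."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers


def bot_traits(raw: str) -> list[str]:
    """Return the slide-6 traits this request exhibits (empty = looks like a browser)."""
    _method, uri, version, headers = parse_request(raw)
    findings = []
    # 1) Missing Accept-Language / Accept-Encoding
    if "accept-language" not in headers or "accept-encoding" not in headers:
        findings.append("missing Accept-Language/Accept-Encoding")
    # 2) Faked User-Agent: claims a browser but lacks the Accept header browsers send
    if BROWSER_UA.search(headers.get("user-agent", "")) and "accept" not in headers:
        findings.append("browser User-Agent without an Accept header (likely faked)")
    # 3) Host header missing, or a bare IP instead of a hostname
    host = headers.get("host")
    if host is None or BARE_IP.fullmatch(host):
        findings.append("Host header missing or a bare IP")
    # 4) URI that fetches a flat command file (.txt/.bin names come from slides 11-12)
    if FLAT_FILE_URI.search(uri):
        findings.append("URI fetches a flat .txt/.bin file")
    # 5) HTTP/1.0 request line
    if version.strip() == "HTTP/1.0":
        findings.append("HTTP/1.0 request line")
    return findings


# Constructed sample requests (not captured traffic).
BOT_REQUEST = (
    "GET /kill.txt HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Host: 203.0.113.5\r\n"
    "\r\n"
)
BROWSER_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1)\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Accept-Encoding: gzip\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, req in (("bot", BOT_REQUEST), ("browser", BROWSER_REQUEST)):
        print(label, bot_traits(req))
```

Run on the two constructed requests, the bot-style one trips all five traits and the browser-style one trips none. As slide 7 notes, a bot that fixes all five scores zero here too, so this kind of header check is a cheap first filter, not a signature; it has to be combined with the DNS and C&C-content observations on the later slides.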

  8. The bot connects to "go-thailand-now.com".
     • No A record is returned.
     • A number of domains hidden inside the malware would be queried.
     • When an IP address is returned in the A record, a mathematical transform is applied and the bot connects to a totally different domain.

  9. Five other "fake" domains:
     • godlovesme.org
     • chernomorsky.name
     • hollybible.com
     • hollyjesus.com
     • muza-flowers.biz
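Slides 8 and 9 describe a bot that queries decoy names and then connects somewhere DNS never pointed it. The slides do not give the transform, so the added example below (not code from the presentation, Microsoft or FireEye) does not try to reproduce it; instead it shows the defender-side check that catches the pattern regardless of the transform: correlate each host's DNS answers with its outbound web connections and flag connections to IPs that no answer ever returned. The log rows, host names and IPs are constructed. The same check also flags the hard-coded C&C IPs of slides 4-5.

```python
"""Added example (not code from the presentation or from Microsoft/FireEye):
correlate a host's DNS answers with its outbound connections. A bot that
queries decoy names such as those on slides 8-9 and then connects to an IP
that no DNS answer ever returned shows up as an "unresolved" connection;
hard-coded C&C IPs (slides 4-5) trip the same check."""
from collections import defaultdict

# Constructed sample logs (not real data).
# DNS_LOG rows: (source host, queried name, A-record answers; [] = no A record)
DNS_LOG = [
    ("ws-01", "www.example.com", ["93.184.216.34"]),
    ("ws-01", "go-thailand-now.com", []),           # decoy name, no A record (slide 8)
    ("ws-02", "godlovesme.org", ["198.51.100.20"]),  # one of the "fake" domains (slide 9)
]
# CONN_LOG rows: (source host, destination IP, destination port)
CONN_LOG = [
    ("ws-01", "93.184.216.34", 80),   # matches a DNS answer
    ("ws-01", "203.0.113.77", 80),    # never returned to ws-01 by DNS
    ("ws-02", "198.51.100.20", 80),   # matches a DNS answer
    ("ws-02", "203.0.113.78", 80),    # never returned to ws-02 by DNS
]


def index_dns(dns_log):
    """Per host: the set of IPs DNS handed back, and the names that returned nothing."""
    resolved = defaultdict(set)
    empty = defaultdict(set)
    for host, qname, answers in dns_log:
        if answers:
            resolved[host].update(answers)
        else:
            empty[host].add(qname)
    return resolved, empty


def unresolved_connections(dns_log, conn_log, ports=(80, 443)):
    """Connections on web ports whose destination never appeared in a DNS answer for that host."""
    resolved, empty = index_dns(dns_log)
    findings = []
    for host, dst, port in conn_log:
        if port in ports and dst not in resolved.get(host, set()):
            findings.append({
                "host": host,
                "dst": dst,
                "port": port,
                # Names this host queried that returned no A record: context for the analyst
                "empty_queries": sorted(empty.get(host, set())),
            })
    return findings


if __name__ == "__main__":
    for finding in unresolved_connections(DNS_LOG, CONN_LOG):
        print(finding)
```

In practice the DNS log has to come from the resolver the hosts actually use, and cached answers, CDN rotation and legitimate direct-to-IP software all produce false positives, so the output is a triage queue to baseline against, not an alert by itself. The `empty_queries` field is there because, per slide 8, a decoy query with no A record shortly before an unresolved connection is the tell.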

  10. Login to the C&C server
     • All C&C communications are encrypted.
     • The encryption algorithm was RC4.

  11. Communications
     • Client sends kill.txt
     • Server responds with a list of processes to kill
     • Client sends information:
       • bandwidth to the server
       • OS
       • SMTP (port 25)
       • whether it is a VM
       • whether it is blacklisted in DNS
     • Server responds with:
       • client IP
       • machine name
       • task ID

  12. Communications (continued)
     • Client sends neutral.txt
     • Server responds with a list of domains for spam
     • Client sends unlucky.txt
     • Server responds with a list of SMTP server responses that indicate failure
     • Client sends tmpcode.bin
     • Server responds with the spam content
     • Client sends "–"
     • Server responds with the target mail addresses
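Slides 10-12 give the cipher (RC4) and the request/response sequence but not the key or the message encodings. The added example below (not code from the presentation, Microsoft or FireEye) runs that sequence through a textbook RC4 so the cryptographic consequence is visible from the defender's side: if every bot shares one static key, an assumption made here for illustration and not stated on the slides, the first request of every session encrypts to the same bytes, and XORing two ciphertexts cancels the keystream and leaves the XOR of the plaintexts. The key and the server-side placeholder messages are constructed.

```python
"""Added example (not code from the presentation, Microsoft or FireEye):
the client/server exchange of slides 11-12 run through RC4 (slide 10).
The key, the message encodings and the use of one fixed key per bot are
assumptions for illustration; the slides do not state them. The point for
a defender: a stream cipher under a reused key is a fixed byte signature,
and XORing two ciphertexts cancels the keystream."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed key (assumption: one static key shared by every bot).
STATIC_KEY = b"example-static-key"

# The request/response sequence of slides 11-12 as plaintext. Client file names are
# from the slides; server payloads are constructed placeholders.
SESSION = [
    ("client", b"kill.txt"),
    ("server", b"<list of processes to kill>"),
    ("client", b"neutral.txt"),
    ("server", b"<list of domains for spam>"),
    ("client", b"unlucky.txt"),
    ("server", b"<SMTP responses that indicate failure>"),
    ("client", b"tmpcode.bin"),
    ("server", b"<spam content>"),
    ("client", b"-"),
    ("server", b"<target mail addresses>"),
]


def encrypt_session(key: bytes, session):
    """What a network sensor sees: each message as RC4 ciphertext under the key."""
    return [(who, rc4(key, msg)) for who, msg in session]


def first_message_signature(key: bytes) -> bytes:
    """With a static key, every session's first request encrypts to the same bytes."""
    return rc4(key, b"kill.txt")


def keystream_cancels(c1: bytes, c2: bytes) -> bytes:
    """XOR of two ciphertexts under the same keystream equals XOR of the plaintexts."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    for who, ct in encrypt_session(STATIC_KEY, SESSION):
        print(who, ct.hex())
    print("signature:", first_message_signature(STATIC_KEY).hex())
```

Under the static-key assumption, `first_message_signature` is a constant a sensor can match on without knowing the key, and `keystream_cancels` is why RC4 without a per-session key or nonce gives no confidentiality between sessions. Whether Rustock actually used one key per bot or per session is not something the slides state; the check is cheap enough to try against captured sessions and falsifies the assumption immediately if the first bytes differ.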

  13. Conclusion
     • Rootkit technology makes the infection difficult to detect at the host level.
     • Encrypted HTTP for C&C (TLS) makes it difficult to detect at the network level.
     • Rustock was felled by Microsoft and federal law enforcement agents, who used the legal process to shutter the C&C at US hosting providers.
     • Therefore, I consider that Rustock will come back soon, because there is no way to detect it.

  14. References
     • http://www.usenix.org/event/hotbots07/tech/full_papers/chiang/chiang.pdf
     • http://blog.fireeye.com/research/2011/03/an-overview-of-rustock.html
