
Botnets and Botherders The Shadowserver Foundation


Presentation Transcript


  1. Botnets and Botherders. The Shadowserver Foundation. Hillar Leoste

  2. Agenda
     • Botnets
     • Shadowserver
     • Botnets IRL
     • Questions

  3. Botnets – The Good, Bad, and Ugly
     A look into the methods, usage, control, and motivations of botnet herders

  4. Definitions
     • Botnet: A distributed network of compromised computers controlled by a malicious user via a command & control mechanism.
     • C&C ("Command & Control"): A computer or a network of computers, controlled by a herder, that sends commands to the botnet.
     • Drone or Zombie: A compromised computer that receives commands via the C&C.
     • Bot Herder: Individual who owns or controls the botnet.
     • IRC: A protocol designed for real-time chat communication, based on a client-server architecture.

  5. Botnets - Spreading
     Scanning
     • exploiting vulnerabilities
     • "Night of the Living Dead"
     Email and IM links
     • still a major vector
     Drive-by Downloads
     • Web redirects
     • Social networking sites
     • P2P sharing

  6. Bot autopropagation infection scheme
     (Diagram: Zombie 1, Zombie 2, CC chat server and distribution server connected over the Internet; the numbered steps below are the arrows in the figure.)
     1. Are you vulnerable to Win X problem?
     2. Yes / No
     3. If Yes => send malware to infect
     4. After installation => connect to CC
     5. Master command => download / update
     6. Request download from dist. server
     7. Sends requested download

  7. Botnets – Spreading

  8. Botnets - Infections

  9. Botnets – 0day Infections (monthly stats)

  10. Botnets – Retest Infections (monthly stats)

  11. Bot - Details
     Architecture
     • Agobot: sophisticated, complete, modular; rootkit-like capabilities; P2P protocol
     • SDBot: much simpler and smaller; easy to extend; hundreds of variants
     Control
     • Agobot: standard and custom IRC commands (ddos_maxthreads, spam_aol_channel, bot_topiccmd)
     • SDBot: lightweight IRC; executes the channel topic as a command; interprets other messages as commands

  12. Bot - Details
     Propagation
     • Agobot: assigns network ranges to drones (scan.addnetrange <IP_range>, scan.startall)
     • SDBot: base version has no scanning capabilities; variants now include scanning and propagation and are very advanced
     Attack Mechanisms
     • Agobot: elaborate set of self-contained modules; many types of DDoS attacks
     • SDBot: no exploits in base version; easily and rapidly expanded

  13. Botnets - Control
     Centralized
     • IRC: easy to deploy, low latency, central weak link
     • HTTP: drone calls home via port 80, can seem like normal traffic
     Distributed
     • P2P: no central server, more complex, more difficult to detect and take down
     Hybrid
     • IRC/HTTP
     • P2P/HTTP
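Slide 13 notes that an HTTP drone "calls home via port 80" and "can seem like normal traffic". One property still separates it from a person browsing: a drone polls its C&C on a timer, so the gaps between its requests are nearly constant, while human browsing is bursty. The block below is an added example, not code from the presentation or from Shadowserver, that scores every (client, destination) pair in a constructed proxy log by the regularity of its request timing. The log format, the hostnames and the thresholds (`max_cv`, `min_events`) are assumptions.

```python
"""Added example: spot fixed-interval HTTP beacons in a web-proxy log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not real data): "timestamp client dst_host path status".
# Client 10.0.0.7 polls its C&C every ~300 s; client 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2006-08-22T10:00:00 10.0.0.7 update-check.example /gate.php 200
2006-08-22T10:05:01 10.0.0.7 update-check.example /gate.php 200
2006-08-22T10:09:59 10.0.0.7 update-check.example /gate.php 200
2006-08-22T10:15:00 10.0.0.7 update-check.example /gate.php 200
2006-08-22T10:20:02 10.0.0.7 update-check.example /gate.php 200
2006-08-22T10:24:58 10.0.0.7 update-check.example /gate.php 200
2006-08-22T10:01:13 10.0.0.9 news.example /index.html 200
2006-08-22T10:01:14 10.0.0.9 news.example /style.css 200
2006-08-22T10:17:40 10.0.0.9 news.example /story/42 200
2006-08-22T10:44:05 10.0.0.9 news.example /story/57 200
2006-08-22T11:30:00 10.0.0.9 news.example /index.html 200
"""


def parse_log(text):
    """Group request timestamps by (client, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dst, _path, _status = line.split()
        series[(client, dst)].append(datetime.fromisoformat(ts))
    return series


def gap_stats(timestamps):
    """Mean inter-request gap and its coefficient of variation (stdev / mean).
    A timer-driven beacon has a CV near 0; human browsing does not."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m > 0 else None)


def find_beacons(text, max_cv=0.1, min_events=5):
    """Return the (client, host) pairs whose request timing looks machine-driven.
    max_cv and min_events are assumed tuning values, not figures from the slides."""
    hits = []
    for (client, dst), ts in parse_log(text).items():
        if len(ts) < min_events:
            continue
        interval, cv = gap_stats(ts)
        if cv is not None and cv <= max_cv:
            hits.append({"client": client, "host": dst, "interval": interval,
                         "cv": cv, "requests": len(ts)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}: every {hit['interval']:.0f}s "
              f"(cv={hit['cv']:.3f}, n={hit['requests']})")
```

On the constructed log only the 10.0.0.7 series is reported (about 300 s apart, CV below 0.01); the browsing client's gaps range from one second to over forty minutes and score far above the cutoff. Real drones add jitter to the interval, which is why the check is a ratio of spread to mean rather than an exact-period match, and why `max_cv` should be tuned against the traffic actually seen.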

  14. Botnets - Usage
     DDoS attacks
     • TCP or UDP floods
     • HTTP spidering
     Spamming
     • Phishing
     • Harvest email addresses
     Traffic Sniffing
     • Interesting clear-text data
     • Can help 'steal' other botnets
     Keylogging & E-Fraud
     • bypasses encrypted channels
     • use of filters
     Malware Propagation
     • scanning and infecting
     • rapid deployment of exploits
     Clickthrough Fraud
     • pay-per-click
     • manipulate polls, surveys, etc.
     Warez and Pirated Goods

  15. Botnet attack on a webserver / node
     (Diagram: the hacker sends the command "My IP is x.y.z.z" via the chat server; the drones flood the webserver / node over the Internet; outcome: computer crash, Internet access line blocked.)

  16. Botnets – Usage (DDoS)

  17. Botnets – Herder Defense
     • Use of dynamic DNS
     • Short TTL in DNS records (fast flux)
     • Channel and server changes
     • Being directed to another C&C
     • Via HTTP download
     • Obfuscate drone hostnames
     • Encryption of intra-channel communications
     • Modified IRC servers
     • Anti-sandbox mechanisms in binaries

  18. Botnets - Motivation
     Script kiddies stay away!
     • For-profit industry
     Becoming an industry
     • underground network
     • various roles
     Targeted attacks
     • Sophistication
     • Industrial espionage
     • State sponsored

  19. Botnets – Organizational
     Dedicated networks
     • IRC, P2P, Web sites
     Various roles and hierarchies
     • Advertising
     • "Consumer Reports"
     • Traffic in a variety of goods and services
     Public information
     • No presumption of privacy
     • Relationships

  20. Botnets - Relationships

  21. Botnets - Relationships

  22. Detection, Tracking, and Closure?
     The Shadowserver Foundation process and methodology

  23. Shadowserver
     The Shadowserver Foundation
     • An all-volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud.
     It is the mission of the Shadowserver Foundation
     • To improve the security of the Internet by raising awareness of the presence of compromised servers, malicious attackers, and the spread of malware.

  24. Shadowserver

  25. Botnets – Detection & Capture
     Honeypots
     • Auto-submit
     • Deploy on wide variety of IP space
     • Server & client based
     Server based
     • Emulate vulnerable systems
     • Deploy and wait
     • Nepenthes
     Client based
     • Threats are changing
     • Initiate connections to Internet
     • Emulate a user
     • Seed with known malicious URLs
     • HoneyC & Capture-HPC
     Honeytokens
     • Email - IM - IRC
     • Spamtraps
     • Link spam
     • Social networking
     • Forums

  26. Botnets - Nepenthes

  27. Botnets - Sandboxing
     Manual
     • Static
     • Dynamic
     Automated
     • Notification
     • Classification
     The Basics
     • C&C address – port – channel
     • Nick & ident
     • Passwords
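Slide 27 lists what a sandbox run has to yield before a bot can be tracked: C&C address, port, channel, nick and ident, and passwords; slides 11 and 12 explain where the commands sit in the IRC stream (SDBot executes the channel topic, Agobot takes scan.addnetrange / scan.startall style commands), and slide 35 writes the result as #channel@host:port. The block below is an added example, not Shadowserver code, that pulls those basics out of a constructed sandbox transcript of the drone's IRC session. The transcript format (a CONNECT record plus ">" and "<" direction markers), the hostnames, nick, key and password values, and the list of command verbs are all assumptions.

```python
"""Added example: pull the C&C 'basics' out of a sandboxed bot's IRC session."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sandbox transcript (not a real capture): a CONNECT record, then
# ">" client-to-server and "<" server-to-client IRC lines.
SAMPLE_TRANSCRIPT = """\
CONNECT cc.example.net:6121
> PASS letmein
> NICK [USA|XP|038271]
> USER abcdxy 0 0 :abcdxy
< :cc.example.net 001 [USA|XP|038271] :Welcome
> JOIN #rap chankey1
< :cc.example.net 332 [USA|XP|038271] #rap :.scan.addnetrange 192.0.2.0/24 ; .scan.startall
< :herder!h@ops.example PRIVMSG #rap :.ddos.syn 198.51.100.7 80 300
< :herder!h@ops.example PRIVMSG [USA|XP|038271] :.download http://dist.example/upd.exe
"""

# Assumed command prefixes, built from the Agobot/SDBot verbs the slides name
# (scan.addnetrange, scan.startall, ddos_*, download/update); real families
# each have their own vocabulary, so treat this list as a starting point.
COMMAND_VERBS = ("scan.", "ddos", "download", "update", "spam")


@dataclass
class CCProfile:
    host: Optional[str] = None
    port: Optional[int] = None
    server_password: Optional[str] = None
    nick: Optional[str] = None
    ident: Optional[str] = None
    channels: dict = field(default_factory=dict)   # channel -> join key
    commands: list = field(default_factory=list)   # (source, target, command)


def parse_cc_spec(spec):
    """Parse the '#channel@host:port' notation used on slide 35."""
    m = re.fullmatch(r"(#\S+)@([^:\s]+):(\d+)", spec)
    if not m:
        raise ValueError(f"not a channel@host:port spec: {spec!r}")
    return m.group(2), int(m.group(3)), m.group(1)


def commands_in(text):
    """Split a topic or message on ';' and keep the parts that look like bot commands."""
    parts = [p.strip() for p in text.split(";")]
    return [p for p in parts if p.lstrip(".").startswith(COMMAND_VERBS)]


def extract_cc(transcript):
    p = CCProfile()
    for raw in transcript.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("CONNECT "):
            host, port = raw.split()[1].rsplit(":", 1)
            p.host, p.port = host, int(port)
            continue
        direction, line = raw[0], raw[2:]
        if direction == ">":                      # what the drone sends
            verb, _, rest = line.partition(" ")
            if verb == "PASS":
                p.server_password = rest
            elif verb == "NICK":
                p.nick = rest
            elif verb == "USER":
                p.ident = rest.split()[0]
            elif verb == "JOIN":
                chan, _, key = rest.partition(" ")
                p.channels[chan] = key or None
        else:                                     # what the server sends back
            _prefix, _, body = line.partition(" ")
            cmd, _, args = body.partition(" ")
            head, _, trailing = args.partition(" :")
            if cmd == "332":                      # RPL_TOPIC: SDBot runs the topic as a command
                chan = head.split()[1]
                p.commands += [("topic", chan, c) for c in commands_in(trailing)]
            elif cmd == "PRIVMSG":                # commands pushed to the channel or one drone
                target = head.split()[0]
                p.commands += [("privmsg", target, c) for c in commands_in(trailing)]
    return p


if __name__ == "__main__":
    profile = extract_cc(SAMPLE_TRANSCRIPT)
    print(f"C&C {profile.host}:{profile.port} channels={profile.channels} "
          f"nick={profile.nick} ident={profile.ident} pass={profile.server_password}")
    for src, target, cmd in profile.commands:
        print(f"  [{src}] {target}: {cmd}")
```

The topic is parsed as carefully as PRIVMSG because, as slide 11 says, SDBot executes whatever is in the channel topic: a tracker that only watches messages misses the standing order every new drone receives on join. The server password and channel key are what let a tracking client join the same channel later, which is why the slide lists them among the basics.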

  28. Botnets - Tracking

  29. Botnets - Tracking

  30. Shadowserver Revisited – Reports
     ~500 custom reports produced daily
     Recipients
     • ~30 CERTs
     • ~100 ASN owners
     • Bleeding Edge Snort
     • 5 public IRC services
     • 3 DNS registrars
     • 4 commercial vendors
     • 2 private mailing lists
     • 7 international LEOs
     • 3 US federal LEOs
     • 5 international government critical infrastructure groups
     Report types
     • DDoS
     • C&C list
     • Compromised host
     • Click-through fraud
     • Drones
     • Proxies
     • URL
     Report filters
     • ASN
     • CIDR
     • Country code

  31. Shadowserver Revisited – DDoS Reports

  32. Two Minutes

  33. Botnets – Real Life
     A case study of a group of bad actors, their actions and methodology

  34. Botnets – Real Life

  35. Botnets – Real Life
     • Binary captured by honeypot system on 2006-08-22
     • SDBot variant using #rap@tamer.pikolata.net:6121
     • Used 32 different hosts (IPs) as C&C servers in less than 60 days
     • Moved between servers at least 40 times
     • At least six other control channels known to use this hostname
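The figures on slide 35 (32 distinct C&C IPs, at least 40 moves in under 60 days) are what a tracker gets by re-resolving the C&C hostname and diffing the answers over time, and the same record shows the "short TTL in DNS records" defence from slide 17 directly. The block below is an added example, not the presentation's or Shadowserver's code, that computes those counts from a constructed resolution history and flags names whose low TTL and address churn look like fast flux. The hostnames (cc.example.net stands in for the herder's name), addresses, TTLs and the thresholds `max_ttl` and `min_ips` are assumptions; the sample deliberately covers only a week, so its counts are far below the slide's.

```python
"""Added example: measure C&C host churn and flag fast-flux style records."""
from collections import defaultdict
from datetime import date

# Constructed resolution history (not real data): "date hostname ip ttl",
# as a tracker re-resolving known C&C names once a day might record it.
# cc.example.net stands in for a herder-controlled name; www.example.org
# is a stable site for comparison.
SAMPLE_RESOLUTIONS = """\
2006-08-22 cc.example.net 203.0.113.5 120
2006-08-23 cc.example.net 203.0.113.5 120
2006-08-24 cc.example.net 198.51.100.77 60
2006-08-25 cc.example.net 203.0.113.5 120
2006-08-26 cc.example.net 192.0.2.44 60
2006-08-27 cc.example.net 192.0.2.44 60
2006-08-28 cc.example.net 198.51.100.78 60
2006-08-22 www.example.org 192.0.2.1 86400
2006-08-25 www.example.org 192.0.2.1 86400
2006-08-28 www.example.org 192.0.2.1 86400
"""


def parse_resolutions(text):
    """Group (date, ip, ttl) observations by hostname, oldest first."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, ip, ttl = line.split()
        by_host[host].append((date.fromisoformat(day), ip, int(ttl)))
    for recs in by_host.values():
        recs.sort()
    return by_host


def summarize_host(records):
    """Distinct C&C IPs, number of moves (address changes between consecutive
    observations), observation span in days, and the lowest TTL seen."""
    ips = [ip for _, ip, _ in records]
    moves = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
    return {
        "distinct_ips": len(set(ips)),
        "moves": moves,
        "days": (records[-1][0] - records[0][0]).days,
        "min_ttl": min(ttl for _, _, ttl in records),
    }


def fastflux_summary(text, max_ttl=300, min_ips=3):
    """Per-host summary plus a fast-flux flag for names that combine short
    TTLs with several distinct addresses. Thresholds are assumed values."""
    out = {}
    for host, recs in parse_resolutions(text).items():
        s = summarize_host(recs)
        s["fastflux"] = s["min_ttl"] <= max_ttl and s["distinct_ips"] >= min_ips
        out[host] = s
    return out


if __name__ == "__main__":
    for host, s in fastflux_summary(SAMPLE_RESOLUTIONS).items():
        print(host, s)
```

Moves are counted between consecutive observations, so a name that bounces back to an earlier address (203.0.113.5 above) is counted as moving again; that matches how the slide's "moved between servers at least 40 times" exceeds its "32 different hosts". Daily re-resolution only sees the address in force at that moment, which is why these counts are lower bounds and why a real tracker resolves far more often than once a day when the TTL is short.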

  36. Real Life – The Malware
     • The C&C spread 51 unique binaries in the two months
     • Two-thirds were SDBot variants, others are RBot, Zapchast, Parite.B, Kirsun, ...

  37. Real Life - Spreading
     • Using standard spreading mechanisms (asn, dcom, lsass, ...)

  38. Real Life - Usage
     • Running DDoS (targets were usually servers being run by 'enemy' groups)
     • Keylogging (data used for ID theft and e-fraud)

  39. Real Life – More Usage
     • Click-fraud (money-making; accounts could be used to track back the herders)
     • Clone flooding (often advertising new underground servers and carding channels)

  40. Real Life - Cooperation
     • Cooperative scanning of network ranges
     • Downloading/installing binaries for a 'friend' or in exchange for something
     • Helping out with bots to DDoS targets that can handle a high load
     • Sharing/trading private IRC servers
     • Sharing/trading bot sources and binaries

  41. Real Life - ChanOps
     • mr`bet: DDoS, sniffing
     • Mr|YlLi: clone flooding, proxies
     • KaHIN: DDoS, clone flooding. Location: Turkey. Realname: Mehmet

  42. Real Life – More ChanOps
     • Sh3llx: DDoS, sniffing, clone flooding
     • Bill: DDoS. Location: Kosovo
     • gu3sT: DDoS, proxies, clone flooding

  43. Real Life - Summary
     • Several domain names were removed
     • Several servers shut down
     • No real effect on the operations of this group
     • Why?

  44. Future Trends
     Where is all this going? What do we have to look forward to?

  45. Future Trends - Malware
     • Rootkits
     • AntiVirus detection
     • Scripting worms
     • RSS hijack
     • Client-side exploits
     • Escalation of privileges
     • Packers and protectors
     • Themida, private packers

  46. Future Trends - Themida

  47. Future Trends - Botnets
     • New protocols
     • HTTP – P2P – VoIP – IM
     • Nugache, Skype and Storm worm
     • Encryption
     • Covert channels via TCP and ICMP tunneling
     • Smaller and distributed botnets
     • Distributed DNS services
     • Stronger protection of the botnet
     • Industry bankroll

  48. HTTP based C&C
     • Black Energy
     • Very simple and light
     • DDoS
     • Last known version – 1.9.2
     • http://asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available

  49. HTTP based C&C
     • Zunker
     • Sophisticated
     • Spam
     • http://pandalabs.pandasecurity.com/archive/Zunker.aspx

  50. HTTP based C&C
     • MPack
     • ICEPack
     • Barracuda
     • Pinch
     • etc.
