UNIVERSITY OF CALIFORNIA Berkeley. ELECTRICAL ENGINEERING AND COMPUTER SCIENCES.

Combating Stealth Malware and Botnets in Higher Education
Educause Arlington 2008

Fred Archibald
University of California Berkeley, Electrical Engineering and Computer Sciences
Overview
• EECS Network Background
• Security Concerns
• Existing Protections
• FireEye Deployment
• Infection Examples
• Futures And Challenges
EECS Network Background
• EECS Is A Large Department
• Serves More Than
  • 4000 Undergrads
  • 500 Grad Students
  • 100 Faculty
  • 200 Staff
• Network Largely Separate From Rest Of UCB
Security Concerns
• Security A Constant Issue
• Berkeley Often A Target
• Security Is Now An Arms Race
• Hackers Have Moved From Notoriety To Crime
• More Concern About Compliance
Security Concerns
• Mobile Devices A Big Concern
• Boom In WiFi
• Over The Air Traffic Often Insecure
• Less Enterprise Control Over User Owned Devices
• EECS Uses Internal And External WLANs
• Zero Day Concerns
Existing Protections
• Enterprise Firewall
  • Less Effective In An “Open” Academic Net
• A/V
  • A Struggle To Keep Up To Date
• IDS
  • A Lot Of False Positives
• Host Based Firewalls
• Anti-Spam Appliances
FireEye Deployment
• Targeted Primarily At Wireless Traffic
• Out Of Band Solution
  • Very Important For EECS
• Completely Clientless
  • Also Very Important
• Wireless Data Mirrored To Two Appliances
FireEye Deployment
• Appliances Run Traffic Against “Virtual Victim” Clients
• Positive Infection Can Result In Alerts Or Blocks
• Dynamic Updates From Botwall Network
Infection Examples: Spam Bots
Clients Receive Malware: Rustock
Rustock
• Spam Mail Bot
• Installs A Rootkit
• Installs A SPAM Module
• Uses Encryption
• Can Install Any Arbitrary Code
• Flexible & Easy To Update
(Source: Ken Chiang, Levi Lloyd, Sandia National Lab)
Botted Clients Send Spam
Trojan.Farfli
Discovered: July 29, 2007
Updated: July 29, 2007 8:51:54 AM
Also Known As: TROJ_FARFLI.EY [Trend]
Type: Trojan
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

“It then hooks or patches ZwSetValueKey to prevent other threats or security risks overwriting the Start Page registry entry. If it finds a specific Web browser installed, it modifies files so that when a user performs a search it is conducted via the Baidu URL with the specific affiliate name:”
(Excerpt From Symantec)
Botnet IRC Channel Join: Trojan-Downloader.QQHelper
• User Or Malware Connects To:
  • http://www.yahoo550.com/image/logo.jpg?queryid=21kXXXXj412
• User Connects To The Site With A Specific Query ID
• The Site Sends The Browser A File Called logo.jpg
  • Really A UPX-Packed Malware Executable
• The Browser Installs The EXE
• Bot Communication Begins On IRC
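The chain on this slide has two observable points a defender can check without any agent on the client: the "image" response that is really a packed executable, and the same host then joining an IRC channel. The script below is an added example written for this page (it is not the presenter's code and not a FireEye feature); it sniffs the payload's magic bytes instead of trusting the Content-Type, recognises the section names UPX leaves in a packed PE, and correlates a fake-image download with a later IRC JOIN from the same client. All log events, hosts and the malware.example domain are constructed; only the `queryid` pattern is taken from the slide.

```python
"""Added example (not from the talk): flag an HTTP response that claims to be
an image but carries a Windows executable, then correlate it with a later
IRC JOIN from the same client.  Every event below is constructed."""
import re
from typing import List, Optional

# Magic bytes of the image formats a browser would actually render
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
PE_MAGIC = b"MZ"                            # DOS header that starts every Windows PE
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")   # section names / signature UPX writes into packed files
IMAGE_URL = re.compile(r"\.(jpe?g|png|gif)(\?|$)", re.I)
IRC_JOIN = re.compile(rb"^JOIN\s+#\S+", re.M)


def sniff_body(body: bytes) -> str:
    """Identify a payload by its leading bytes rather than by what the server claims."""
    for magic, name in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return name
    if body.startswith(PE_MAGIC):
        return "pe-upx" if any(m in body for m in UPX_MARKERS) else "pe"
    return "unknown"


def fake_image_alert(url: str, content_type: str, body: bytes) -> Optional[str]:
    """Return an alert string when a response presented as an image is an executable."""
    claims_image = content_type.lower().startswith("image/") or bool(IMAGE_URL.search(url))
    actual = sniff_body(body)
    if claims_image and actual.startswith("pe"):
        return f"image-claimed payload is a {actual} executable: {url}"
    return None


def find_bot_chains(events: List[dict]) -> List[str]:
    """Clients that fetched a fake image and afterwards sent an IRC JOIN.

    events: dicts with 'ts', 'client', 'kind' ('http' or 'irc') and, per kind,
    'url'/'content_type'/'body' or 'dst'/'payload'.  Order by timestamp so the
    download must precede the JOIN."""
    suspects = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        client = ev["client"]
        if ev["kind"] == "http":
            alert = fake_image_alert(ev["url"], ev["content_type"], ev["body"])
            if alert:
                suspects[client] = alert
        elif ev["kind"] == "irc" and client in suspects and IRC_JOIN.search(ev["payload"]):
            hits.append(f"{client}: {suspects[client]}; then IRC JOIN to {ev['dst']}")
    return hits


# Constructed payloads: a genuine JPEG header and a stub that looks like a UPX-packed PE
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32
FAKE_JPEG = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"UPX0" + b"UPX1" + b"\x00" * 32

# Constructed log events (hosts and domains are placeholders, not real infrastructure)
SAMPLE_EVENTS = [
    {"ts": 1, "client": "10.0.0.5", "kind": "http",
     "url": "http://cdn.example/image/photo.jpg", "content_type": "image/jpeg", "body": REAL_JPEG},
    {"ts": 2, "client": "10.0.0.9", "kind": "http",
     "url": "http://malware.example/image/logo.jpg?queryid=21kXXXXj412",
     "content_type": "image/jpeg", "body": FAKE_JPEG},
    {"ts": 3, "client": "10.0.0.9", "kind": "irc", "dst": "203.0.113.7:6667",
     "payload": b"NICK bot1\r\nUSER x x x :x\r\nJOIN #cmd\r\n"},
    {"ts": 4, "client": "10.0.0.5", "kind": "irc", "dst": "198.51.100.2:6667",
     "payload": b"NICK student\r\nJOIN #linux\r\n"},
]


def demo() -> List[str]:
    """Run the correlation over the constructed events."""
    return find_bot_chains(SAMPLE_EVENTS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second client's ordinary IRC session is not reported because it was never preceded by a fake-image download, which is the point of the correlation: neither a JPEG request nor an IRC JOIN is suspicious on a campus network on its own, but the sequence is.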
Botnet: W32/Small.HSG
Botnet: W32/Small.HSG
• Trojan-Downloader:W32/Small.HSG downloads and runs a file that is detected as Trojan-Downloader.Win32.Agent.HQL. Normally arrives as a dropped file by other malware or is downloaded unsuspectingly by the user from a malicious website.
• Once running on the system, this trojan will download a file from the following website: http://ymq.a2000150.wrs.mcboo.com/[Removed]
  The downloaded file will then be stored as: %Windows%\17PHolmes2000150.exe
Futures And Challenges
• Move Appliances To Network Edge
  • Capture Both Wireless And Wired Traffic
• Mirroring Or SPAN Difficulties
  • Use Gigamon Data Access Switch
• Explore OSPF Null Routing To Block Traffic To Botnets
• More Mobile Platforms
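Null routing (blackholing) a botnet controller's address is cheap and fast, but the failure mode an operator fears is the opposite one: a typo or an over-broad prefix that silently drops legitimate or internal traffic once the route is redistributed into OSPF. The following is an added example for this page, not the presenter's or EECS's configuration: it vets a block list before emitting static null routes, refusing anything wider than a /24 or overlapping the department's own or other non-routable space. Cisco IOS-style `ip route ... Null0 tag N` syntax is assumed, the 10.0.0.0/8 "internal" range is a constructed stand-in for the real campus allocation, and the sample addresses are documentation prefixes rather than real controllers.

```python
"""Added example (not from the talk): vet a botnet block list and emit
static null routes suitable for tagged redistribution into OSPF.
IOS-style syntax is assumed; addresses and the internal range are constructed."""
import ipaddress
from typing import Iterable, List, Tuple

# Prefixes that must never be blackholed: the department's own space
# (constructed here as 10.0.0.0/8) plus the usual non-routable / special ranges.
PROTECTED = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/4",
)]
NARROWEST_ALLOWED = 24   # refuse anything broader than a /24 (fewer bits = more hosts)


def vet_prefix(entry: str) -> Tuple[bool, str]:
    """Return (accepted, detail). Accept only narrow, non-protected IPv4 prefixes."""
    try:
        net = ipaddress.ip_network(entry, strict=False)   # host bits are masked off
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if net.version != 4:
        return False, "IPv4 only in this example"
    if net.prefixlen < NARROWEST_ALLOWED:
        return False, f"{net} is broader than /{NARROWEST_ALLOWED}; refusing blanket blackhole"
    for protected in PROTECTED:
        if net.overlaps(protected):
            return False, f"{net} overlaps protected range {protected}"
    return True, str(net)


def null_routes(entries: Iterable[str], tag: int = 666) -> Tuple[List[str], List[str]]:
    """Produce IOS-style static null routes for accepted entries and a list of rejections.

    The tag lets a route-map redistribute only these routes into OSPF, so an
    unrelated static route is not blackholed by accident."""
    accepted, rejected = [], []
    for entry in entries:
        ok, detail = vet_prefix(entry)
        if not ok:
            rejected.append(f"{entry}: {detail}")
            continue
        net = ipaddress.ip_network(detail)
        accepted.append(f"ip route {net.network_address} {net.netmask} Null0 tag {tag}")
    return accepted, rejected


# Constructed block list: two documentation addresses that should be accepted,
# an internal host, an over-broad prefix and a typo that must all be rejected.
SAMPLE_BLOCKLIST = [
    "203.0.113.7",
    "198.51.100.0/24",
    "10.1.2.3",
    "192.0.2.0/16",
    "not-an-ip",
]


def demo() -> Tuple[List[str], List[str]]:
    """Vet the constructed block list."""
    return null_routes(SAMPLE_BLOCKLIST)


if __name__ == "__main__":
    routes, problems = demo()
    print("\n".join(routes))
    for p in problems:
        print("REJECTED", p)
```

Keeping the vetting step outside the router means the list can be reviewed (and diffed against the previous one) before a single route is pushed; the tag is what a `redistribute static` route-map would match on, so that only deliberately blackholed prefixes enter OSPF.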
Summary
• Our Existing Protections No Longer Adequate
• Botnet Traffic Was Previously Difficult To Detect
• Botnet Detection Gives Us A New Weapon To Battle Stealth Malware
Questions?