Botnets: Attacks and Defense by Sammie Bush and Lance Pendergrass
Basic Definitions
• Botnet - network of compromised machines that can be remotely controlled by an attacker
• Bot, “zombie” - an unwillingly infected host
• Command & Control (C&C) - some channel or structure acting as a handler in relaying commands and updates to the bots
• Botmaster, Bot-herder - person(s) anonymously controlling the botnet via C&C
Motivation
• Notoriety versus Long-Term Control
• Survivability
• DDoS / Extortion
• Spam
• Identity Theft
  • keylogging
  • traffic captures
• Click Fraud / Poll Manipulation
• Bitcoin Mining – involuntary cloud computing
• Distributed Storage – warez, malware
• Search Engine Optimization (SEO) poisoning
• Blackmarket Services for Rent
Typical Lifecycle
• Creation / Testing
• Infection
  • Software Vulnerability
  • Drive-By Download
  • Trojan Horse (email attachment, pirated software)
  • Usually followed by rootkit, infecting system restore
• Rallying – contacting C&C
• Potential Propagation
• Waiting
• Executing Instructions
IRC Botnets
• Historically most common
• Centralized topology
• Support large number of connections
• Traffic not as common, easily blocked
• Server often hosted in public network such as Efnet, Undernet
HTTP Botnets
• Typically allowed through firewalls
• Server easily hidden in plain view
• HTTPS support trivial, difficult to inspect
• Doesn’t scale as well, easy to overload server
• Covert channels: DNS, ICMP, SSL, RSS feed, IM
Decentralized P2P Botnets
• Lack single point of failure, no centralized C&C
• Often seeded with initial nodes to contact
• Download list or learn current peers
• Common for nodes to relay/proxy traffic
• Typically make use of existing P2P protocols: BitTorrent, eDonkey/Overnet, Kademlia DHT
Evasion Techniques
• Multiple Failover C&C servers
• Dynamic DNS
• Domain Generation Algorithms (DGA)
• Fast-Flux / Internal Round-Robin Proxies
• Protocol / IPv6 tunneling
• Botmaster concealment: SOCKS, TOR, BNCs
• Polymorphism / Obfuscation
Defense
• OS / Software Updates
• Antivirus / IDS Signatures
• Network Baselines / Anomaly Detection
• Firewall Rules
• Domain seizure / Contact ISP Hosting C&C
• Agent masquerading / Honeypots
• MitM Attacks against HTTPS communication
• Sinkholing – analyzing DGA, capturing C&C
• Reverse Engineering – IDA Pro, OllyDbg, Wireshark
• Botmaster Traceback
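As an added example (not from the slides), a small Python detector in the spirit of the “Network Baselines / Anomaly Detection” and “Sinkholing – analyzing DGA” bullets: it scores the second-level label of each queried name with entropy, vowel-ratio and digit heuristics, then counts per-client NXDOMAIN hits on DGA-looking names, the pattern a bot shows while rallying to the next generated C&C domain. The log format, thresholds and sample lines are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample resolver log: "<timestamp> <client> <queried name> <rcode>"
SAMPLE_DNS_LOG = """\
2013-05-01T10:00:01 10.0.0.12 www.example.com NOERROR
2013-05-01T10:00:02 10.0.0.12 mail.google.com NOERROR
2013-05-01T10:00:03 10.0.0.12 xkq7vz9mpw3lr.com NXDOMAIN
2013-05-01T10:00:04 10.0.0.12 bqz8wtjk2vhs.net NXDOMAIN
2013-05-01T10:00:05 10.0.0.12 update.microsoft.com NOERROR
2013-05-01T10:00:06 10.0.0.12 rtwqpzmkvbdx.org NXDOMAIN
"""

VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(name):
    # Label left of the TLD; no public-suffix handling (simplifying assumption).
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(label):
    """Heuristic score: higher means more DGA-like (assumed thresholds)."""
    if not label:
        return 0.0
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    score = 0.0
    if shannon_entropy(label) > 3.0:   # many distinct characters, little repetition
        score += 1
    if vowel_ratio < 0.25:             # unpronounceable consonant strings
        score += 1
    if digit_ratio > 0.1:              # digits mixed into the label
        score += 0.5
    if len(label) >= 10:               # long labels are rarer in human-chosen names
        score += 0.5
    return score

def flag_dga_queries(log_text, threshold=2.0):
    """Return (client, name) for every query whose label scores at or above threshold."""
    flagged = []
    for line in log_text.splitlines():
        _ts, client, name, _rcode = line.split()
        if dga_score(second_level_label(name)) >= threshold:
            flagged.append((client, name))
    return flagged

def suspicious_clients(log_text, threshold=2.0, min_hits=3):
    """Clients with at least min_hits NXDOMAIN answers for DGA-like names."""
    hits = Counter()
    for line in log_text.splitlines():
        _ts, client, name, rcode = line.split()
        if rcode == "NXDOMAIN" and dga_score(second_level_label(name)) >= threshold:
            hits[client] += 1
    return {c: n for c, n in hits.items() if n >= min_hits}
```

Clients returned by suspicious_clients are candidates for the sinkhole or for host triage; the heuristics are a baseline, not a signature, so tune the thresholds against the organisation's own resolver traffic.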
Select History
• Agobot (2002) – first to use modular design, staged payloads
• Sinowal (2005) – 1.2 million bots, rootkit/MBR, banking credential thief
• Zeus (2007) – targets banking info, estimated $12.5mil loss, RC4/XOR encoded traffic, source code leaked in 2011 leading to many variants, custom kits for sale in blackhat forums
• Storm (2007) – estimated at 1-5mil bots, p2p topology, made use of Fast-Flux technique, IPS rivaling many supercomputers, reputation for launching DDoS defensive measures against researchers
• SpyEye (2009) – predecessor / competitor to Zeus, Zeus removal, financial MitM attacks, credential theft
• TDL-4 / Alureon (2011) – 4.5mil bots, MBR rootkit, encrypted p2p communication, removes rival malware, variant implements malicious DHCP/DNS server, used for spamming, DDoS, proxies
• Skynet C&C (Zeus variant, 2013) – generated over $1mil in Bitcoins