1 / 33

Top Botnets and how MAEC can help keep you out of their clutches

Top Botnets and how MAEC can help keep you out of their clutches. Robert A. Martin , Principal Engineer, MITRE Corporation. Top 5 Bots by Class. Data Theft Bots. Spam Bots. Data Theft Bots - Zeus.

ramya
Download Presentation

Top Botnets and how MAEC can help keep you out of their clutches

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Top Botnetsand how MAEC can help keep you out of their clutches • Robert A. Martin, Principal Engineer, MITRE Corporation

  2. Top 5 Bots by Class Data Theft Bots Spam Bots

  3. Data Theft Bots - Zeus *Source: http://www.prevx.com/blog/112/ZEUS-steals-information-from-home-and-business-PCs.html

  4. Data Theft Bots - Koobface

  5. Data Theft Bots - Rimecud

  6. Data Theft Bots - Alureon

  7. Data Theft Bots – Carberp

  8. Spam Bots - Rustock *Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf

  9. Spam Bots – Pushdo *Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf

  10. Spam Bots – Grum *Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf

  11. Spam Bots – Bobax *Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf

  12. Spam Bots – Storm *Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf

  13. Malware Attribute Enumeration and Characterization (MAEC) & Bots

  14. Why Do We Need to Develop Standards for Malware? Lots of products Multiple layers of protection Inconsistent reports There’s an arms race

  15. Correlate, Integrate, Automate Threats Detection Vulnerabilities Response Platforms

  16. Rise of New Threats Symantec Global Internet Security Threat Report, Volume XIII, 4/2008 Background Nimda or I-Worm or Readme? Oct 2004 Initial CME discussions at VB Conference Feb 2005 CME Submission Server Oct 2005 CME public announcement and website Jan 2007 39 CME IDs assigned Feb 2007 DHS SwA Forum Malware WG Dec 2009 MAEC public website Jun 2010 Initial MAEC Schema

  17. Malware Attribute Enumeration and Characterization (MAEC) Focus on attributes and behaviors, not intent and malware families

  18. MAEC Use Cases Tool Tool • Operational • Analysis • Help Guide Analysis Process • Standardized Tool Output • Malware Repositories

  19. MAEC Overview

  20. MAEC & MSM Standards High-level Mechanisms The attack pattern(s) exhibited by a malware mechanism or behavior. CAPEC Mid-level Behaviors CVE The vulnerabilities targeted by a malware behavior. Low-level Actions CPE The platform(s) targeted by a malware action. CEE The event(s) associated with a malware action. The host-based object(s) created or modified by a malware action. OVAL

  21. MAEC & Zeus – Host Based Detection I • Malware Analysis Engine • Anubis • CWSandbox • ThreatExpert • Etc. Engine Output Zeus Binary Sandbox -> MAEC Translator Host-based Scanner

  22. MAEC & Zeus – Host Based Detection IIReal World Example OVAL Output Anubis Output* Anubis  MAEC Translator Script MAEC Output Anubis Sandbox Zeus Binary MAEC  OVAL Translator Script *http://anubis.iseclab.org/?action=result&task_id=1167a57d1aa905e949df5d5478ab23bf9

  23. MAEC Schema Overview – Initial Release ActionType BehaviorType ObjectType …

  24. MAEC & Zeus: Profiling C2 MAEC Mechanism: C2 MAEC Behavior: Get Configuration MAEC Behavior: Beacon MAEC Behavior: Receive Command MAEC Behavior: Send Data

  25. MAEC & Zeus C2 I Mechanism: C2 MAEC Behavior: C2 Get Configuration Protocol: HTTP Encryption Type: RC4/custom Behavior: Get Configuration Behavior: Beacon MAEC Action: http_get Behavior: Recv Command • MAEC Object: tcp_connection • External IP: xxx.xxx.xxx.xxx • External Port: 80 • MAEC Object: http_connection • Method: GET • Parameter: /config.bin • Response: HTTP/1.1 200 OK • Response Body: <encrypted config.bin file> • Response Content Length: 1212 bytes Behavior: Send Data

  26. MAEC & Zeus C2 II Mechanism: C2 • MAEC Behavior: C2 Beacon • Protocol: HTTP • Encryption Type: RC4/custom • Frequency: 1/20 minutes Behavior: Get Configuration Behavior: Beacon Behavior: Recv Command MAEC Action: http_post Behavior: Send Data • MAEC Object: tcp_connection • External IP: xxx.xxx.xxx.xxx • External Port: 80 • MAEC Object: http_connection • Method: POST • POST Data: <encrypted statistics> • Parameter: .*/gate.php • Response: HTTP/1.1 200 OK • Response Body: <encrypted static string> • Response Content Length: 44 bytes

  27. MAEC & Zeus C2 III Mechanism: C2 • MAEC Behavior: C2 Receive Command • Protocol: HTTP • Encryption Type: RC4/custom • Supported Commands: reboot, kos, shutdown, bc_add, bc_del, block_url, unblock_url, block_fake, getfile, getcerts, resetgrab, upcfg, rename_bot … Behavior: Get Configuration Behavior: Beacon Behavior: Recv Command Behavior: Send Data MAEC Action: decode_http_response • MAEC Object: tcp_connection • External IP: xxx.xxx.xxx.xxx • External Port: 80 • MAEC Object: http_connection • Response Body: <encrypted command string> • Response Content Length: > 44 bytes

  28. MAEC & Zeus C2 IV Mechanism: C2 • MAEC Behavior: C2 Send Data • Protocol: HTTP • Encryption Type: RC4/custom Behavior: Get Configuration Behavior: Beacon MAEC Action: http_post Behavior: Recv Command Behavior: Send Data • MAEC Object: tcp_connection • External IP: xxx.xxx.xxx.xxx • External Port: 80 • MAEC Object: http_connection • Method: POST • POST Data: <encrypted stolen data> • Parameter: .*/gate.php • Response: HTTP/1.1 200 OK

  29. Emerging Collaboration • Related MSM Efforts • There is significant overlap between MAEC, CAPEC, and CEE in describing observed actions, objects, and states. • As such, we’re working on developing a common schematic structure of observables for use in these efforts: • Others • Feature requests on Handshake group, discussion list • Anubis & ThreatExpert translators are being developed as a result of a user request • We encourage submission of any other such requests

  30. MAEC Community: Discussion List • Request to join: http://maec.mitre.org/community/discussionlist.html • Archives available

  31. MAEC Community: MAEC Development Group on Handshake • MITRE hosts a social networking collaboration environment: https://handshake.mitre.org • Supplement to mailing list to facilitate collaborative schema development

  32. Future Development Plans • Expand MAEC coverage of network attributes • Possible focus: bots/botnets • Create RDF/OWL ontology based on MAEC schema • Revise schema to better support characterization of relationships between actions/behaviors • Implement common observables schema • Based on MAEC/CAPEC/CEE collaboration • Encourage and invite more participation in the development process • MAEC Website: http://maec.mitre.org (contains MAEC Discussion list sign-up) • MAEC Handshake Group

  33. Summary • MAEC is attempting to address many of the issues that are integral to accurate and unambiguous communication about malware • The adoption of MAEC will facilitate new methods of correlation and automation against malware • MAEC is an open, collaborative effort. It needs expertise and input from various parties in order to be successful

More Related