360 likes | 373 Views
Learn about botnets, viruses, and spam, their common uses, and how to defend against them. Get insights on combating cyber threats and protecting your systems from malicious attacks.
E N D
Bots, viruses, and spam: The converged threat and how to fight it January 27, 2005
Bots, viruses, and spam • AGENDA • Introduction. • What is a botnet? • What are botnets used for? • Who is behind this? • How we can fight them. • Conclusion/Q&A
Legend Landing Points Cities Connected (Switch Sites) Cities Connected Connecting Systems IP POP Spokane Helena Green Bay Seattle Minneapolis Billings Montreal Toronto Rochester Portland Detroit Milwaukee Buffalo Syracuse Boston Eugene Albany Erie Des Moines Chicago Toledo Casper Cleveland Medford Omaha New York Akron Lincoln Salt Lake City Pittsburgh Newark Redding Altoona Reno Trenton Denver Columbus Chico Philadelphia Indianapolis Dayton Kansas City Baltimore Sacramento Oakland Washington DC Cincinnati San Francisco Colorado Springs Topeka Fredericksburg St. Louis Sunnyvale Louisville Richmond San Jose Chesapeake Bowling Green Salinas Nashville Greensboro Tulsa Charlotte San Luis Obispo Rocky Mount Albuquerque Chattanooga Greenville Raleigh Santa Barbara Oklahoma City Anaheim Los Angeles Phoenix Atlanta San Diego Macon Tucson Tijuana Dallas Fort Worth El Paso Mobile Baton Rouge Jacksonville Austin Tallahassee Houston New Orleans Daytona Beach San Antonio Orlando Melbourne Tampa Fort Lauderdale Miami Monterrey Mazatlan Guadalajara Mexico City Global Crossing North America – Dedicated Internet Access/IP Transit
St. Croix Puerto Viejo Panama City Ft. Amador Caracas Fortaleza Lima Lurin São Paulo Santos Legend Rio De Janeiro Landing Points Cities Connected Connecting Systems IP POP Valparaiso Santiago Buenos Aires Las Toninas Global Crossing South America – Dedicated Internet Access/IP Transit
Legend Landing Points Cities Connected Connecting Systems IP POP Aberdeen Glasgow Edinburgh Newcastle Carlisle Middlesbrough York Preston Dublin Leeds Liverpool Sheffield Derby Beverwijk Nottingham Manchester Peterborough Norwich Kilmore Quay Birmingham Amsterdam Wexford Southend Bristol London Reading Rotterdam Antwerp Bude Dover Southampton Exeter Brighton Basingstoke Plymouth Brussels Whitesands Global Crossing UK – Dedicated Internet Access/IP Transit
Stockholm Oslo Aberdeen Copenhagen Edinburgh Glasgow Sylt Dublin Liverpool Beverwijk Hamburg Berlin Hannover Wexford Kilmore Quay London Bristol Dusseldorf Amsterdam Bude Cologne Dresden Rotterdam Leipzig Antwerp Frankfurt Whitesands Brussels Nuremberg Strasbourg Munich Stuttgart Paris Zurich Geneva Lyon Milan Turin Legend Marseilles Landing Points Cities Connected Connecting Systems IP POP Barcelona Madrid Global Crossing Europe – Dedicated Internet Access/IP Transit
Bots, viruses, and spam • Percentage of email that is spam: • 2002: 9%. 2003: 40%. 2004: 73%. • Percentage of email containing viruses: • 2002: 0.5%. 2003: 3%. 2004: 6.1%. • Number of phishing emails: • Total through September 2003: 273 • Total through September 2004: >2 million • Monthly since September 2004: 2-5 million • (Above from MessageLabs 2004 end-of-year report.) • Denial of Service Attacks: • 2002: 48. 2003: 409. 2004: 482. Jan. 1-26, 2005: 25. • (Above from Global Crossing; 2002 is for Oct-Dec only.)
Bots, viruses, and spam • Unique Infected IPs, week ending January 24, 2005: • Entire Internet (unique IPs within each category; a single IP may have multiple problems)
Bots, viruses, and spam • What do viruses, worms, spams, phishing, and denial of service attacks have in common? • All are associated with bots and botnets. • All are being used to get criminals what they want: • Your clean (not listed on blacklists) IP addresses. • Your accounts and passwords. • Your money. • Your identity. • The ability to continue getting these things without being caught.
Bots, viruses, and spam • What is a botnet? • A collection of compromised systems (“bots”) under the control of a single entity who uses a central controller (“botnet controller”) to issue commands to the bots. • Bots are almost always compromised Windows machines—they may be compromised by worms, viruses, trojan horses, or automated or semi-automated attack tools exploiting common Windows vulnerabilities. • Botnet controllers are almost always compromised Unix machines—most often compromised by automated or semi-automated attack tools exploiting common Unix vulnerabilities. • The method of control is almost always IRC, usually on standard IRC ports (TCP 6667-up). • When the use of botnets is sold to third parties, there is often a nice, professional-looking Windows or web interface provided.
Phatbot command list (from LURHQ) bot.command runs a command with system() bot.unsecure enable shares / enable dcom bot.secure delete shares / disable dcom bot.flushdns flushes the bots dns cache bot.quit quits the bot bot.longuptime If uptime > 7 days then bot will respond bot.sysinfo displays the system info bot.status gives status ot.rndnick makes the bot generate a new random nick bot.removeallbut removes the bot if id does not match bot.remove removes the bot bot.open opens a file (whatever) bot.nick changes the nickname of the bot bot.id displays the id of the current code bot.execute makes the bot execute a .exe bot.dns resolves ip/hostname by dns bot.die terminates the bot bot.about displays the info the author wants you to see shell.disable Disable shell handler shell.enable Enable shell handler shell.handler FallBack handler for shell commands.list Lists all available commands plugin.unload unloads a plugin (not supported yet) plugin.load loads a plugin cvar.saveconfig saves config to a file cvar.loadconfig loads config from a file cvar.set sets the content of a cvar cvar.get gets the content of a cvar cvar.list prints a list of all cvars inst.svcdel deletes a service from scm inst.svcadd adds a service to scm inst.asdel deletes an autostart entry inst.asadd adds an autostart entry logic.ifuptime exec command if uptime is bigger than specified mac.login logs the user in mac.logout logs the user out ftp.update executes a file from a ftp url ftp.execute updates the bot from a ftp url ftp.download downloads a file from ftp http.visit visits an url with a specified referrer http.update executes a file from a http url http.execute updates the bot from a http url http.download downloads a file from http rsl.logoff logs the user off rsl.shutdown shuts the computer down rsl.reboot reboots the computer pctrl.kill kills a process pctrl.list lists all processes scan.stop signal stop to child threads scan.start signal start to child threads scan.disable disables a scanner module scan.enable enables a scanner module scan.clearnetranges clears all netranges registered with the scanner scan.resetnetranges resets netranges to the localhost scan.listnetranges lists all netranges registered with the scanner scan.delnetrange deletes a netrange from the scanner scan.addnetrange adds a netrange to the scanner ddos.phatwonk starts phatwonk flood ddos.phaticmp starts phaticmp flood ddos.phatsyn starts phatsyn flood ddos.stop stops all floods ddos.httpflood starts a HTTP flood ddos.synflood starts an SYN flood ddos.udpflood starts a UDP flood redirect.stop stops all redirects running redirect.socks starts a socks4 proxy redirect.https starts a https proxy redirect.http starts a http proxy redirect.gre starts a gre redirect redirect.tcp starts a tcp port redirect harvest.aol makes the bot get aol stuff harvest.cdkeys makes the bot get a list of cdkeys harvest.emailshttp makes the bot get a list of emails via http harvest.emails makes the bot get a list of emails waste.server changes the server the bot connects to waste.reconnect reconnects to the server waste.raw sends a raw message to the waste server waste.quit waste.privmsg sends a privmsg waste.part makes the bot part a channel waste.netinfo prints netinfo waste.mode lets the bot perform a mode change waste.join makes the bot join a channel waste.gethost prints netinfo when host matches waste.getedu prints netinfo when the bot is .edu waste.action lets the bot perform an action waste.disconnect disconnects the bot from waste Bots, viruses, and spam
Bots, viruses, and spam • What are bots used for? • They are a disposable platform of computing power, usable for: • Scanning for other vulnerable systems to create more bots. • Collecting information from the compromised system (accounts, passwords). • Operating as proxies for sending spam (including phishing attacks), or launching new worms or viruses. • Launching denial of service attacks (to attack competition or commit extortion). • Distribution of pirated or illegal material. • They can be used for anything the controlling entity wants to use them for—and the activity will be attributed to the bot rather than the controlling entity. • They refute the argument that “There’s nothing on my computer that anyone would want” (usually given as an excuse not to secure a home computer).
Bots, viruses, and spam • Who is behind this? • Criminal hackers: They write the worms, viruses, and trojan horses, and act as “botnet wranglers.” • Criminal spammers: They pay criminal hackers to obtain mailing lists and for the use of botnets to use as proxies (or “peas”) for sending spam. • Organized crime: They hire or have their own criminal hackers to engage in online protection rackets, credit card fraud, and identity theft. The underground economy is fueled by money, derived from sale of spammed products, direct theft from online bank accounts, credit card fraud, and denial of service attack extortion. The main tool used to commit the crime and create a buffer between the criminal and his actions is the bot.
Bots, viruses, worms • What are the direct connections between the criminal and the Internet? • Purchase of colo space, often in carrier hotels. • Sometimes, in interactions with others in the underground economy (e.g., spammer/hacker interactions). • Sometimes, in telephone conversations with Internet providers. • Sometimes, when signing contracts or working on hosted equipment in a colo facility. • Sometimes, when collecting the money (credit card processors, banks, Paypal and similar services like ePassporte). • When arranging sale or delivery or receiving payment for merchandise sold through spam (dubious nutritional supplements, pharmaceuticals, mortgage leads, porn site memberships).
Bots, viruses, and spam • Others: • Howard Carmack, the Buffalo spammer: $16 million judgment for Earthlink, 3.5-7 years on criminal charges from NY AG. • Jennifer Murray, Ft. Worth spamming grandmother, arrested and extradited to VA. • Ryan Pitylak, UT Austin philosophy student, sued by Texas AG. • 200+ spam lawsuits filed in 2004 by Microsoft (Glenn Hannifin, etc.) • Robert Kramer/CIS Internet lawsuit in Iowa: $1 billion judgment. • Long list of names at the Registry of Known Spam Operations (ROKSO): http://www.spamhaus.org
Bots, viruses, and spam • This slide intentionally left blank – not to be distributed.
Bots, viruses, and spam • How can we fight them? • Any solution that requires all or most end users to become power users or system administrators to secure their systems will fail. The vast majority of bots are end user systems belonging to home users, sitting behind a cable or DSL modem. • Effective reduction of bots, viruses, spam, and denial of service attacks will require actions from multiple parties—software and OS vendors, organizations with an Internet presence, online service providers, and law enforcement.
Bots, viruses, and spam • Things software and OS vendors should do. • Start providing software without major well-known, detectible defects—there is no excuse for software with buffer overflows being released as a product. • Software defaults should be the most secure settings, not the least secure.
Bots, viruses, and spam • Things organizations should do. • Implement organizational firewalls (with default deny on outbound as well as inbound) and content filtering. • Implement spam filtering (w/CBL) and antivirus. • Implement endpoint security on client machines to enforce organizational standards for antivirus, patch levels, host firewall rules, file integrity—hosts out of compliance don’t get connectivity. • Switch to thin clients where a desktop computer is overkill. • Implement intrusion prevention systems. • Segment large networks to allow segregation of traffic by criticality/quarantining of infected hosts.
Bots, viruses, and worms • Things online service providers should do. • Put the right provisions in contracts/AUPs. • Implement screening mechanisms as part of pre-sales (or pre-provisioning) process. • Implement detection and filtering mechanisms where/when feasible (ISPs with end users have more options). • Participate in intelligence sharing with security researchers, anti-spammers, and other providers. • Work with law enforcement to assist in prosecutions (e.g., FBI’s Operation Slam Spam). • File lawsuits against criminal abusers (AOL, Earthlink, Microsoft are good at this). • Act aggressively to get known abusers off networks and keep them from getting on in the first place (e.g., Spamhaus Blackhole List, or SBL). • Provide 24/7 incident response capability. • ISPs (with end users as direct customers): • Quarantine infected end user systems. • Demand regular notifications of detected issues from upstream providers. • NSPs (with ISPs, colo, webhosting, etc. as direct customers): • Blackhole botnet controllers and phishing websites upon verification. • Send regular notifications to downstream customers of detected issues.
Bots, viruses, and worms • Things law enforcement should do. • Work with online providers and security researchers to collect intelligence (e.g., Operation Slam Spam). • Go undercover to engage in deals with criminal hackers, criminal spammers, and organized criminals to “follow the money” and connect online identities to real identities, pursuing the common contact points. • Follow up on civil litigation from online providers with criminal prosecutions.
Bots, viruses, and worms • Conclusion • 2004 was the year major law enforcement investigations began—2005 will be the year of major prosecutions. • There’s a lot more to be done, and online providers play a key role, especially those with bot-infected end users as direct customers and those with spam operations as direct customers. • A combination of technology and aggressive enforcement (criminal, civil, and AUP) are essential.
Bots, viruses, and worms • 2004 SBL Listings by Provider
Bots, viruses, and spam • Further Information • Composite Blocking List: http://cbl.abuseat.org • Registry Of Known Spam Operations (ROKSO): http://www.spamhaus.org • Bot information: http://www.lurhq.com/research.html • Message Labs 2004 end-of-year report: • http://www.messagelabs.com/binaries/LAB480_endofyear_v2.pdf • CAIDA Network Telescope: http://www.caida.org/analysis/security/telescope/ • Team Cymru DarkNet: http://www.cymru.com/Darknet/ • Internet Motion Sensor: http://ims.eecs.umich.edu/ • Brian McWilliams, Spam Kings, 2004, O’Reilly and Associates. • Spammer-X, Inside the Spam Cartel, 2004, Syngress. (Read but don’t buy.) • Jim Lippard • james.lippard@globalcrossing.com