Lessons learned: Sinkholing the Zeroaccess botnet. Ross Gibb. Attack Investigations Team Symantec Security Response.

Similar documents
A Review of ZeroAccess peer-to-peer Botnet

2014 ASE BIGDATA/SOCIALCOM/CYBERSECURITY Conference, Stanford University, May 27-31, 2014 ASE 2014 ISBN:

Introducing IBM s Advanced Threat Protection Platform

IBM WebSphere Application Server Communications Enabled Applications

Protecting the Infrastructure: Symantec Web Gateway

Billion Dollar Botnets:

The ZeroAccess Botnet Mining and Fraud for Massive Financial Gain

How Cisco IT Protects Against Distributed Denial of Service Attacks

Symantec enterprise security. Symantec Internet Security Threat Report April An important note about these statistics.

Best Practices for Controlling Skype within the Enterprise. Whitepaper

NetBackup Best Practice Using Tape Storage with Deduplicating Disk Storage

Network Address Translation (NAT) Adapted from Tannenbaum s Computer Network Ch.5.6; computer.howstuffworks.com/nat1.htm; Comer s TCP/IP vol.1 Ch.

Best Practices for Controlling Skype within the Enterprise > White Paper

Internet Advertising: Is Your Browser Putting You at Risk?

A Critical Investigation of Botnet

LOAD BALANCING 2X APPLICATIONSERVER XG SECURE CLIENT GATEWAYS THROUGH MICROSOFT NETWORK LOAD BALANCING

Secure Your Mobile Workplace

PEER-TO-PEER NETWORK

Security.cloud Configuring DLP on to your flow and applying security to your hosted deployment

VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION

On and off premises technologies Which is best for you?

Unified Security, ATP and more

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

Deciphering and Mitigating Blackhole Spam from -borne Threats

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Symantec Endpoint Protection 11.0 Architecture, Sizing, and Performance Recommendations

Resilient Botnet Command and Control with Tor

Big Data in Action: Behind the Scenes at Symantec with the World s Largest Threat Intelligence Data

Getting Ahead of Malware

Botnets: The Advanced Malware Threat in Kenya's Cyberspace

Deploying IPv6, Now. Christian Huitema. Architect Windows Networking & Communications Microsoft Corporation

ZeroAccess. James Wyke. SophosLabs UK

Cisco Advanced Services for Network Security

HoneyBOT User Guide A Windows based honeypot solution

To Catch A Thief: Preventing the Next Fortune 500 Data Breach

F5 Silverline DDoS Protection Onboarding: Technical Note

Managing Security Risks in Modern IT Networks

Product Roadmap Symantec Endpoint Protection Suzanne Konvicka & Paul Murgatroyd

Large-Scale Internet Crimes Global Reach, Vast Numbers, and Anonymity

SIP, Security and Session Border Controllers

Internet and Intranet Calling with Polycom PVX 8.0.1

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

How To Mitigate A Ddos Attack

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

ISB13 Web security deployment options - which is really best for you? Duncan Mills, Piero DePaoli, Stuart Jones

Korea s experience of massive DDoS attacks from Botnet

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

Cisco Collaboration with Microsoft Interoperability

Enabling Windows Management Instrumentation Guide

Best Practices for Running Symantec Endpoint Protection 12.1 on the Microsoft Azure Platform

Multifaceted Approach to Understanding the Botnet Phenomenon

Storm Worm & Botnet Analysis

Securing the endpoint and your data

Seminar Computer Security

Guidance Regarding Skype and Other P2P VoIP Solutions

Best Practices for Running Symantec Endpoint Protection 12.1 on Point-of- Sale Devices

Enabling Remote Management of SQL Server Integration Services

Extreme Security Threat Protection G2 - Intrusion Prevention Integrated security, visibility, and control for next- generation network protection

WebSphere DataPower Release DNS Enhancements

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Detecting peer-to-peer botnets

FortiWeb 5.0, Web Application Firewall Course #251

Network Intrusion Analysis (Hands-on)

Shellshock. Oz Elisyan & Maxim Zavodchik

Security Toolsets for ISP Defense

Integrating MSS, SEP and NGFW to catch targeted APTs

Symantec Security Information Manager 4.8 Release Notes

Dialogic Brooktrout SR140 Fax Software with Broadvox GO! SIP Trunking Service

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Malware B-Z: Inside the Threat From Blackhole to ZeroAccess

Rise of the Machines: An Internet-Wide Analysis of Web Bots in 2014

Security A to Z the most important terms

Parallels Plesk Panel. VPN Module for Parallels Plesk Panel 10 for Linux/Unix Administrator's Guide. Revision 1.0

Dell One Identity Cloud Access Manager How to Configure for High Availability

Deployment Guide July-2014 rev. a. Deploying Array Networks APV Series Application Delivery Controllers with Oracle WebLogic 12c

MailMarshal SMTP in a Load Balanced Array of Servers Technical White Paper September 29, 2003

Network Address Translation (NAT) Good Practice Guideline

The Coremelt Attack. Ahren Studer and Adrian Perrig. We ve Come to Rely on the Internet

End to End Security do Endpoint ao Datacenter

ZEN LOAD BALANCER EE v3.02 DATASHEET The Load Balancing made easy

Skype network has three types of machines, all running the same software and treated equally:

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

Application Note: GateManager Internet requirement and port settings

What is VLAN Routing?

White Paper. Copyright 2012, Juniper Networks, Inc. 1

Steelcape Product Overview and Functional Description

VMware View 5.0 and Horizon View 6.0 DEPLOYMENT GUIDE

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Web Security Firewall Setup. Administrator Guide

BOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL

TDC s perspective on DDoS threats

VALIDATING DDoS THREAT PROTECTION

UP L13: Leveraging the full protection of SEP 12.1.x

2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative

Symantec Managed Security Services The Power To Protect

Southwest Arkansas Telephone Cooperative Network Management Practices

Strong Authentication for Juniper Networks

SwiftBroadband and IP data connections

Firewall Testing Methodology W H I T E P A P E R

GoToMyPC and. pcanywhere. expertcity.com. Remote-Access Technologies: A Comparison of

Transcription:

Lessons learned: Sinkholing the Zeroaccess botnet Ross Gibb Attack Investigations Team Symantec Security Response AIT - Zeroaccess 1

Agenda 1 Introduction to Zeroaccess 2 Details of the P2P protocol 3 The sinkhole operation 4 Results of the sinkhole operation 5 Next steps AIT - Zeroaccess 2

Zeroaccess (ZA) Introduction Zeroaccess is a botnet, also known as Sirefef or ZAccess or Zerokit First appeared in Summer 2011 Two major versions Version 1, rootkit, TCP P2P (2011) Version 2, user mode, UDP P2P (2012) Infected computers exclusively use the peer-to-peer (P2P) network to distribute payloads Can be thought of as a framework to load any module/malware Infection vectors include social engineering, exploit kits, and other downloaders Pay Per Install (PPI) and revenue sharing model Primary revenue is through click-fraud Malicious payloads use their own C&C infrastructure AIT - Zeroaccess 3

ZA Size Counts are of average daily unique infected hosts, measured in May 2013 Networks are subdivided into 32-bit and 64-bit client networks; no internetwork / cross-port communication ZA v1 (TCP) All Networks 30K ZA v2 (UDP) Network 1 UDP ports 16471 (32-bit) / 16470 (64-bit) Network 2 UDP ports 16464 (32-bit) / 16465 (64-bit) 1.6-1.8M What would a sinkhole of Zeroaccess look like? AIT - Zeroaccess 4

ZA P2P Operation Bot A Bot B 1 Request: IP list and file meta-data (getl) Response: IP list and file meta-data (retl) 2 UDP 16471 UDP 16471 Internal List of Peers Bot B IP 1.2.250.252 256 th IP 3 Refresh Internal List AIT - Zeroaccess 5

ZA P2P Operation Bot A Bot B 1 Request: IP list and file meta-data (getl) Response: IP list and file meta-data (retl) 2 UDP 16471 UDP 16471 Request: IP list and file meta-data (getl+) 3 4 Response: IP list and file meta-data (retl+) Bot A s IP (newl) (16) (16) (16) (16) (16) 8 times How many bots could receive Bot A s IP address? i 8 1 16 4.5billion More than the entire IPv4 address space i AIT - Zeroaccess 6

ZA Could the P2P network be sinkholed? Identified weaknesses Relatively small fixed length internal peer list (256 IPs) Unsolicited P2P messages are accepted from any IP IP list in P2P messages is not digitally signed, only payload file meta data is digitally signed Any IP address can be introduced into a remote peer s internal peer list AIT - Zeroaccess 7

ZA Challenges to sinkholing Sinkhole 1 newl (with S s IP) Public Peer 1 3 getl 2 retl (with S s IP) NAT Internal peer list Sinkhole IP 1 Sinkhole IP 2 Sinkhole IP 3 256 th IP newl (Public Peer IP) newl (Public Peer IP) Public Peer 2 Takes a very large amount of continuous bandwidth Public Peer 3 IP churn makes it difficult to know all the public peers (super nodes) Zeroaccess author could use newl s in the same way to retake public peers Difficult to run in a network simulation prior to deployment AIT - Zeroaccess 8

ZA Sinkholing Plan Internal List of Peers newl (with A s IP) newl (with A s IP) newl (with A s IP) 1 getl 4 getl 2 Public Peer 1 IP Sinkhole Public Peer Farm 2 A IP IP 256 th IP NAT 3 retl (with A s IP) Sinkhole Farm A Sinkhole B 5 retl (with B s IP) retl (with B s IP) retl (with B s IP) retl (with B s IP) getl (sinkhole servers) Sinkholed Internal List of Peers Sinkhole B IP 1 Sinkhole B IP 2 127.0.0.1 127.0.0.2 127.0.0.253 AIT - Zeroaccess 9

ZA The sinkhole master plan Preconditions to launching the sinkhole operation Simulate infected peers to understand runtime behaviour Test sinkholing infected computers on a private LAN with various NAT devices Test against the live P2P live as much as possible without actually sinkholing Expected results Infected peers behind NAT devices are sinkholed and the payloads can no longer be updated All infected machines can be identified for remediation AIT - Zeroaccess 10

ZA The best laid plans of mice and men From April to June 2013, the simulation and testing of the sinkhole plan progressed On June 29, 2013, new P2P code was distributed to Zeroaccess version 2 network 2 ZA v2 (UDP) Network 1 UDP ports 16471 (32-bit) / 16470 (64-bit) Network 2 UDP ports 16464 (32-bit) / 16465 (64-bit) The update made P2P Network 2 much more resilient to sinkholing Reduction in instruction set (newl dropped) Introduction of secondary internal peer list (holds ~16M IPs) Altered run-time peer communication (secondary peer list for redundancy, and connection state table) AIT - Zeroaccess 11

ZA Sinkhole results P2P sinkhole of Network 1 initiated on July, 15 2013 Available targets June 29, 2013, protocol update reduced possible targets to ~900,000 Sinkhole results week of July 17 July 23 (in avg. daily IPs) Botnet size: 797,235 Number of bots sinkholed: 460,000 High sinkhole count for 24 hour period 495,610 Average proportion of botnet sinkholed: 58.7% AIT - Zeroaccess 12

2013-08-02 2013-08-04 2013-08-06 2013-08-08 2013-08-10 2013-08-12 2013-08-14 2013-08-16 2013-08-18 2013-08-20 2013-08-22 2013-08-24 2013-08-26 2013-08-28 2013-08-30 2013-09-01 2013-09-03 2013-09-05 2013-09-07 2013-09-09 2013-09-11 2013-09-13 2013-09-15 2013-09-17 ZA Graph of botnet size 820000 Botnet size 800000 780000 760000 740000 720000 700000 Botnet size 680000 660000 640000 620000 AIT - Zeroaccess 13

ZA Graph of sinkhole size 600000 Sinkholed 500000 400000 300000 Sinkholed 200000 100000 0 AIT - Zeroaccess 14

Worldwide Infections of Zeroaccess (Approx 800K Daily) AIT - Zeroaccess 15

ZA Next steps Continue to work with ISP s and CERTs to clean up infections Continue monitoring P2P networks (sinkholed and not), as well as payload infrastructure Continue with other avenues of investigation AIT - Zeroaccess 16

ZA Questions Ross Gibb ross_gibb@symantec.com Attack Investigations Team (AIT) Symantec Security Response Culver City, California AIT - Zeroaccess 17

Thank you! Copyright 2010 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. AIT - Zeroaccess 18

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information