Botnets: The Advanced Malware Threat in Kenya's Cyberspace
AfricaHackon, 28th February 2014

Who we Are!
- Paula Musuva-Kigen: Research Associate Director, Centre for Informatics Research and Innovation (CIRI); Lecturer in Cyber-security and Digital Forensics, USIU; MSc, CCSP, CISA
- Christian Kisutsa: Information Security Consultant, Serianu Limited; Computer Forensics & Cyber Crime Graduate (USIU)
Introduction: What is a bot(net)
- Bot: a type of malicious software that places the infected machine (zombie) under the control of an attacker (bot herder or bot master)
- The zombie connects to a Command and Control (C&C) server
- Initially Internet Relay Chat (IRC) was used to connect to the C&C
- These days bots use HTTP to connect to the C&C because it is NOT blocked on firewalls
- Botnet: a network of machines infected with a particular bot, sharing a common Command and Control (C&C) server
- Infected machines are often designed to use automated infection vectors to infect other machines on the network

Introduction: Worldwide Statistics
- Top Banking Botnets of 2013, released Feb 2014 by the Dell SecureWorks Counter Threat Unit (CTU)
- Over 900 financial institutions around the globe are being targeted: banks and corporate finance providers
- Also targeted: providers of corporate payroll services, stock trading, social networking, email services, mail delivery services, employment portals, entertainment and dating portals
Top Botnets in Kenya - 2013 [exclusive statistics] Check out Kenya Cyber Security Report 2014 by Serianu
What do Botnets Do?
- Theft of information (keyloggers): login credentials leading to identity theft; financial data, especially credit card data; IP/trade secrets for espionage and identity theft
- Financial fraud: e-banking and mobile banking; consumer accounts and online shopping (Jambopay/Jumia/Pesapal); business accounts and online banking (corporate/retail)
- Spam/Phishing: infected machines relay spam
- Click fraud: automated clicks on web advertising links for revenue
- DDoS: zombies can be co-ordinated to launch massive attacks
- Pay per install: malware distribution; bot masters get paid for every 1,000 infected machines
- Botnets for hire: Crime as a Service (CaaS)

Tactics for Botnet malware delivery
- Cracked software or freeware
- Clicking links to infected sites, e.g. a link in email/social media
- Drive-by downloads: visiting a site with malicious scripts; automatic download through the browser without the user's interaction/knowledge
- Malicious PDFs
- Malicious images/photos, e.g. on social media
- Creating FUD (Fully Undetectable) files by use of cryptors that evade anti-virus detection
- Executable flash disks
- Malicious mobile applications
Botnets on the Network
Background of Zeus, Citadel and SpyEye
- Zeus: creator called Slavik aka Monstr; released 2007; Zeus code publicly leaked in May 2011 (many variants thereafter)
- SpyEye: creator called Gribodemon, aka Harderman; released 2009; initially a competitor to Zeus (removed Zeus); author Aleksander Panin arrested in Jan 2014
- Citadel and Ice IX: considered by-products of Zeus; released in 2011
- Citadel's creator called Aquabox; improved ZeuS's code by making its control panel more user-friendly; very good customer support network for buyers in the underground
- Ice IX: creator called nvidiag
- Gameover: P2P Zeus variant released in 2011; highest infection rate; P2P
- ZitMo: Zeus in The Mobile, since 2010; intercepts SMS and 2F authentication
- KINS: latest Zeus variant, since 2013
Timeline of Zeus and its variants http://securityblog.s21sec.com/2013/11/zeus-timeline-i.html
DEMO TIME ZEUS AND CITADEL
Building the botnet
- Builder: bot preparation and compilation
- Configuration file: contains settings for the bot
- Web injects: Man-in-the-Browser customizations; these show extra fields in the log-in screens
- Control Panel: the Bot Master's screen where they control all the bots under their control
- Remote Scripts: the Bot Master's tools to send commands to the infected machines
WHERE IS EAST AFRICA? ONLINE BANKING, PAYMENT & SHOPPING
Online Services
Measures taken to secure online banking in East Africa:
- Virtual keyboards (randomized keys, hover-mode)
- Encryption: SSL over HTTP (HTTPS)
- Client-side encryption
- 2-page authentication
Measures taken to secure online payment and shopping:
- Encryption: SSL over HTTP (HTTPS)

Statistics: Online Banking - Kenya
- Banks using virtual keyboards: 6/33 banks
- Banks using 2PG: 4/33 banks

Online Banking - Kenya
- Banks with client-side encryption: 2/33 banks
- Banks with NO client-side encryption: 31/33 banks

Online Banking - East Africa
- Banks using virtual keyboards: 9/46 banks
- Banks using 2PG: 6/46 banks

Online Banking - East Africa
- Banks with NO client-side encryption: 40/46 banks
- Banks with client-side encryption: 6/46 banks

Online Payment and Shopping
- Top online payment sites in Kenya with NO client-side encryption: 4/4 sites
- Top online shopping sites in Kenya with NO client-side encryption: 6/6 sites
Mobile Malware
- ZitMo for mobile banking: a version of Zeus that infects mobile phones
- Mobile banking is the new thing in Kenya, hence users are exposed to this mobile Trojan and other mobile malware
- M-Pesa users are at risk as Android malware is on the rise; it is only a matter of time before custom malware is made that targets M-Pesa

Botnet Evolution
- Domain Generation Algorithms (DGA)
- Tor botnets: anonymized
- P2P botnets: Zeus P2P/Gameover etc.
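A DGA bot queries many random-looking domains before it finds the live C&C, so the DNS log is where defenders see it first. The following is an added example (not from the talk) that scores each queried name with a length/entropy/vowel-ratio heuristic and reports clients that hit several generated-looking names; the log lines and the thresholds are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log (timestamp, client IP, queried name); not from the talk.
SAMPLE_DNS_LOG = """\
2014-02-28T09:00:01 10.0.0.15 www.google.com
2014-02-28T09:00:03 10.0.0.15 kcb.co.ke
2014-02-28T09:00:05 10.0.0.22 xk3j9qzwplf7vbtr.com
2014-02-28T09:00:06 10.0.0.22 qwzp4rtlmx8bgdsv.net
2014-02-28T09:00:07 10.0.0.22 b7tqzvxkpl2rmsjw.info
2014-02-28T09:00:09 10.0.0.15 mail.serianu.com
"""

def shannon_entropy(text):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_label(domain):
    """Label left of the public suffix, e.g. 'kcb' for kcb.co.ke (assumption: only
    co.* two-label suffixes are handled here; a real tool would use the PSL)."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] == "co":
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(domain, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3):
    """Heuristic: long, high-entropy, vowel-poor labels are typical DGA output."""
    label = registered_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def flag_dga_clients(log_text, threshold=3):
    """Return {client_ip: [suspicious names]} for clients at or above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _ts, client, qname = fields
        if looks_generated(qname):
            hits[client].append(qname)
    return {c: names for c, names in hits.items() if len(names) >= threshold}
```

Tune the thresholds against your own resolver logs; legitimate CDN hostnames can look random, which is why the per-client count matters more than any single query.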
REMEDIATION WHAT DO WE NEED TO DO?
Prevention
- Patch systems: bots exploit known vulnerabilities for infection, especially in browsers and the Windows OS
- Anti-malware tools: antivirus makers have signatures for the well-known bot types
- Use browser protection
- Use the latest anti-malware updates and signatures
- User Information Security Education, Training and Awareness Program (SETA)
- Use reports like those by Serianu and Tespok Cyberusalama to know the latest trends and how to avoid common vectors of infection

How do I know I'm Infected
- Process monitoring: e.g. use of CrowdInspect and Sysinternals TCPView
- Registry entries with sdra64.exe
- Strange UDP and TCP ports

How do I know I'm Infected
- CrowdInspect: highly recommended for Microsoft users
- Multiple sources of information, including VirusTotal, Web of Trust (WOT), and Team Cymru's Malware Hash Registry
- Host-based process inspection for forensic analysis
- Tells you which network connections are open to which IP addresses and processes

Remediation: Network Side
Detecting C&C traffic:
- Examine network traffic for certain known patterns
- Use logging information from IDS/IPS and firewalls, e.g. BotHunter and BotSniffer
- Honeypots/Honeybots: www.honeynet.org; Dionaea, spam traps, open proxies, URL analysis
- Correlate using SIEM tools
Sinkholing:
- Hijacking botnet traffic and redirecting it to analysis servers
- Done by CERTs and security researchers in collaboration with ISPs and domain registrars, e.g. by Microsoft (Mar 2012), Polish CERT, Team Cymru
- Study the botnet, then take down domain names and C&C servers

Remediation: Network Side
- Zeus Tracker and SpyEye Tracker (abuse.ch) provide domain- and IP-blocklists of known ZeuS Command & Control servers (hosts) around the world, including Kenya
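Two of the network-side checks above (known C&C patterns in firewall logs, and correlation against a tracker blocklist) can be done in a few lines of SIEM-style logic. This added example is not from the talk: it parses constructed firewall log lines, reports any source that talked to an address on a constructed blocklist standing in for a ZeuS Tracker-style feed, and flags flows whose HTTP check-ins recur at a near-constant interval, which is the beaconing pattern of an HTTP-based bot. All addresses are documentation ranges, not real indicators.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed blocklist standing in for an abuse.ch-style feed (TEST-NET address).
KNOWN_CC = {"203.0.113.45"}

# Constructed firewall log: timestamp src dst dport action; not from the talk.
SAMPLE_FW_LOG = """\
2014-02-28T10:00:00 192.168.1.50 198.51.100.7 80 ALLOW
2014-02-28T10:05:00 192.168.1.50 198.51.100.7 80 ALLOW
2014-02-28T10:10:01 192.168.1.50 198.51.100.7 80 ALLOW
2014-02-28T10:15:00 192.168.1.50 198.51.100.7 80 ALLOW
2014-02-28T10:20:00 192.168.1.50 198.51.100.7 80 ALLOW
2014-02-28T10:01:12 192.168.1.77 203.0.113.45 80 ALLOW
2014-02-28T10:02:40 192.168.1.80 198.51.100.20 443 ALLOW
2014-02-28T10:09:15 192.168.1.80 198.51.100.20 443 ALLOW
2014-02-28T10:31:02 192.168.1.80 198.51.100.20 443 ALLOW
"""

def parse_log(log_text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, src, dst, dport, _action = fields
        flows[(src, dst, int(dport))].append(datetime.fromisoformat(ts))
    return flows

def blocklist_hits(flows, blocklist=KNOWN_CC):
    """Internal hosts that connected to a listed C&C address."""
    return sorted({src for (src, dst, _port) in flows if dst in blocklist})

def beaconing_flows(flows, min_events=4, max_jitter=0.1):
    """Flows whose gaps between connections are nearly constant (periodic check-in).
    Returns [((src, dst, dport), mean_gap_seconds)]."""
    suspects = []
    for key, stamps in flows.items():
        if len(stamps) < min_events:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation close to zero means a machine-driven timer
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            suspects.append((key, round(mean)))
    return suspects
```

Bots add random jitter to their check-in timer, so widen max_jitter and lengthen the window when testing against real logs; a blocklist hit is the stronger of the two signals and should be triaged first.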
THANK YOU
Q&A?
pmusuva@usiu.ac.ke
christian.kisutsa@serianu.com

Boot camp at USIU
- Dates: Mon 28 April - Sat 03 May 2014
- Fee: Ksh 60,000/= only
- Excellent practical labs & certified trainers
- Meals included
- Sign up TODAY
- Contact: pmusuva@usiu.ac.ke