Changing threat landscape: The Botnet perspective
Online Interactions Changing and Increasing
[Figure: timeline from "PC centric" (late 1990s) through the early 2000s to "online centric" (current). Labelled interaction types: instant messaging, music, blogs, games, file sharing, calendar, 2nd generation chat, pictures, finances, VoIP, social networks, collaboration.]
BotNet Seminar - CERT-IN 2
Threats Will Continue to Evolve
[Figure: threats plotted by mainstream timing (1985, 1995, 2005) against motivation, from curiosity / technical interest to financial / criminal. Plotted threats: viruses, worms, vulnerabilities, spyware, spam, crimeware, phishing, zero-day exploits and threats, bots and botnets.]
Global Intelligence Network
- 4 Symantec SOCs
- 74+ Symantec monitored countries
- 40,000+ registered sensors in 180+ countries
- 8 Symantec Security Response Centers
- 200,000 malware submissions per month
- Millions of threat reports per month
- Hundreds of MSS (managed security services) customers; security alerts
- >6,000 managed security devices
- 120 million systems worldwide
- 30% of the world's email traffic
- Advanced Honey Network
Locations: Tokyo, Japan; Calgary, Canada; San Francisco, CA; Redwood City, CA; Santa Monica, CA; Dublin, Ireland; Twyford, England; Munich, Germany; Taipei, Taiwan; Alexandria, VA; Pune, India; Sydney, Australia
ISTR XI (Internet Security Threat Report, volume XI): Global trends
The current threat environment is characterized by an increase in data theft, data leakage, and the creation of malicious code that targets specific organizations. Attackers are refining their methods and consolidating assets to create global networks that support coordinated criminal activity.
- Increased interoperability between diverse threats: blended threats
- Year of the zero-day, targeted malicious code, and the exploitation of medium-severity vulnerabilities
- High levels of malicious activity across the Internet, with increases in bot networks, phishing, spam, and Trojans
The Fraud Food Chain
[Diagram; actors and components shown: Phisher, Cashier, Spammer, Egg Drop Server, Fraud Website (+ Trojan horse), Botherder, Phishing Messages, Victims.]
India Threat landscape
The Indian threat landscape ecosystem:
- Malcode
- Spam zombies
- Command and control
- Bots
- Phishers
- Spammers
India is the hub for more than 40 command and control servers.
India - ISTR XI: Active bot-infected computers per day
Symantec observed an average of 19,095 active distinct bot-infected computers per day in the APJ region. Symantec detected an average of 277 active bot-infected computers per day in India.
Bot-infected computers by city

Rank  City         Percent of bot-infected computers in India
1     Mumbai       38%
2     New Delhi    25%
3     Bangalore    15%
4     Chennai      10%
5     Bhopal        4%
6     Hyderabad     2%
7     Surat         1%
8     Bhubaneswar   1%
9     Pune          1%
10    Noida         1%

- Mumbai had the highest number of bot-infected computers in India, accounting for 38 percent of the total.
- 25 percent of all bot-infected computers in India were located in New Delhi.
- Bangalore ranked third, accounting for 15 percent of bot-infected computers in India.
India - ISTR XI: Spam
Spam originating in India accounted for one percent of all spam originating in the top 25 spam-producing countries, making India the eighteenth-ranked country worldwide for originating spam. A high percentage of email originating in India constituted spam: of the messages originating in India, 76 percent were considered spam.
India - ISTR XI: Threats to confidential information
- 60% of the top 50 malicious codes reported in India contained threats to confidential information.
- 84% of confidential information threats by volume allowed remote access.
Top Attacks against India

Rank  Short description                                                              Proportion
1     Generic TCP Segment Overwrite Attack                                           63%
2     Generic HTTP CONNECT TCP Tunnel Attack                                         17%
3     Microsoft SQL Server 2000 Resolution Service Stack Overflow Attack              8%
4     Generic SMB Authentication Failure Event                                        5%
5     Generic SMB User Enumeration                                                    3%
6     Generic TCP Hijacking Attack                                                    2%
7     Generic IP Overlapping Fragment (teardrop, teardrop2, bonk, boink) DoS Attack   1%
Attacks on and from India

Top originating countries for attacks on India
Rank  Country          Attack proportion
1     United States    84%
2     Australia         6%
3     United Kingdom    3%
4     Switzerland       2%
5     China             1%
6     Germany           1%
7     Taiwan            1%

Top destination countries for attacks from India
Rank  Country          Proportion
1     United States    68%
2     Australia        11%
3     United Kingdom    9%
4     China             2%
5     Canada            2%
6     Italy             1%
7     Switzerland       1%
8     Singapore         1%
Botnet
What is a botnet?
An army of compromised hosts ("bots") coordinated via a command and control center (C&C). The perpetrator is usually called a botmaster.
[Diagram: C&C server issuing commands to bots, which in turn find and infect more machines.]
"A botnet is comparable to compulsory military service for Windows boxes." - Bjorn Stromberg
What is a botnet?
Internet Relay Chat (IRC) is the most predominant protocol in use today to disseminate C&C information.
- Simple and flexible
- Many open source implementations are available
Bot life cycle
1. Miscreant (botherd) launches a worm, virus, or other mechanism to infect Windows machines.
2. Infected machines contact the botnet controller via IRC.
2.5. Infection vector closed.
3. Spammer (sponsor) pays the miscreant for use of the botnet.
4. Spammer uses the botnet to send spam emails. (Usually NOT through the IRC channel; typically the botherd will open proxy ports on bots and provide a proxy list to the spammer.)
(Image from Wikipedia.)
Botnet life cycle
1. Compromise of controller.
2. Distribution of malware; compromise of individual bots.
3. Bots connect to controller; form botnet.
4. Botnet activity used by botherder for own purposes, or use sold to others.
5. Botnet controller identified by NSP/ISP security; monitored or shut down.
6. Bots become idle or attempt to contact another controller; some bots have vulnerabilities repaired.
Roles and responsibilities
- Botherder: collects and manages bots.
- Botnet seller: sells the use of bots (or proxies) to spammers.
- Spammer: sends spam.
- Sponsor: pays the spammer to promote products or services.
- Exploit developer: develops code to exploit vulnerabilities.
- Bot developer: develops (or, more commonly, modifies existing) bot code.
- Money launderer ("payment processor"): work-at-home opportunity to process payments / launder money for sponsors.
Typical IRC Infection Cycle
[Diagram; one step marked optional.]
Bots usually require some form of authentication from their botmaster.
How does authentication happen?
Generally speaking, bot-to-IRC-server communication requires any combination of three types of authentication:
I. The bot authenticates itself to the server.
II. The bot authenticates itself to the C&C channel.
III. The botmaster authenticates himself/herself to the bots before they accept commands.
Passwords for steps I and II are hard-coded in the binary and sent in the clear.
Example illicit activities: piracy, mining, attacks, hosting
Activities which have been seen:

Stealing CD keys: 50 botnets, 100-20,000 bots/net
  ying!ying@ying.2.tha.yang PRIVMSG #atta :BGR 0981901486 $ getcdkeys
  BGR 0981901486!nmavmkmyam@212.91.170.57 PRIVMSG #atta :Microsoft Windows Product ID CD Key: (55274-648-5295662-23992).
  BGR 0981901486!nmavmkmyam@212.91.170.57 PRIVMSG #atta :[CDKEYS]: Search completed.
Clients/servers spread around the world.

Reading a user's clipboard:
  B][!Guardian@globalop.xxx.xxx PRIVMSG ##chem## :~getclip
  Ch3m 784318!~zbhibvn@xxx-7CCCB7AA.click-network.com PRIVMSG ##chem## :-[Clipboard Data]-
  Ch3m 784318!~zbhibvn@xxx-7CCCB7AA.click-network.com PRIVMSG ##chem## :If You think the refs screwed the seahawks over put your name down!!!
Different geographic concentrations.

DDoS someone:
  devil!evil@admin.of.hell.network.us PRIVMSG #t3rr0r0fc1a :!pflood 82.147.217.39 443 1500
  s7n 2K503827!s7s@221.216.120.120 PRIVMSG #t3rr0r0fc1a :\002Packets\002 \002D\002one \002;\002>\n
  s7n 2K503827!s7s@221.216.120.120 PRIVMSG #t3rr0r0fc1a flooding...\n

Setup a webserver (presumably for phishing):
  [DeXTeR]!alexo@l85-130-136-193.broadband.actcom.net.il PRIVMSG [Del]29466 :.http 7564 c:\\
  [Del]38628!zaazbob@born113.athome233.wau.nl PRIVMSG _[DeXTeR] :[HTTPD]: Server listening on IP: 10.0.2.100:7564, Directory: c:\\.
Uses of BotNets
- Distributed denial-of-service attacks
- Spamming
- Sniffing traffic
- Keylogging
- Spreading new malware
Uses of BotNets (continued)
- Installing advertisement add-ons and Browser Helper Objects (BHOs)
- Attacking IRC chat networks
- Manipulating online polls/games
- Mass identity theft
Types of Botnets
- Agobot/Phatbot/Forbot/XtremBot
- SDBot/RBot/UrBot/UrXBot/...
- mIRC-based bots (GT-Bots)
Types of Botnets (continued)
- DSNX bots
- Q8 bots
- kaiten
- Perl-based bots
Existing host-based bot detection
- Signature-based
- Behavior-based: monitor outbound network connection attempts (e.g. Symantec Endpoint Protection, ZoneAlarm); block certain ports (25, 6667, ...)
- Hybrid: content-based filtering; match network packet contents to known command strings (keywords)
Content-based filtering
[Diagram.]
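The content-based (keyword) filtering described on the host-based detection slide, run over IRC captures shaped like the ones on the "Example illicit activities" slide, as an added Python example that is not part of the seminar deck or any Symantec tool. It parses PRIVMSG log lines, matches the command keywords that appear in the slide captures (getcdkeys, getclip, pflood, http) behind the prefix characters the bots use, recognises the bracketed status replies the bots send back, and flags a channel only when both a command and a reply were seen in it. The sample log lines, the documentation-range addresses and the command list are constructed for this example.

```python
import re
from collections import defaultdict

# IRC PRIVMSG as it appears in a server or sniffer log:
#   "<nick>!<user>@<host> PRIVMSG <target> :<text>"
IRC_PRIVMSG = re.compile(
    r"^(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)"
    r"\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)

# Command keywords taken from the captures on the slides. A real deployment
# would extend this set from its own honeynet captures (assumed starter list).
BOT_COMMANDS = {"getcdkeys", "getclip", "pflood", "http"}

# Botmaster commands carry a prefix character (. ! ~ $) before the keyword;
# the captures show an optional space between prefix and keyword.
COMMAND_RE = re.compile(r"^[.!~$]\s?(?P<cmd>[A-Za-z]+)\b")
# Bot status replies start with a bracketed tag: "[CDKEYS]:", "[HTTPD]:", "-[Clipboard Data]-"
REPLY_RE = re.compile(r"^-?\[(?P<tag>[A-Za-z ]+)\]")


def parse_privmsg(line):
    """Split one PRIVMSG log line into its fields, or return None for anything else."""
    m = IRC_PRIVMSG.match(line.strip())
    return m.groupdict() if m else None


def classify(text):
    """Return ("command", keyword), ("reply", tag) or (None, None) for one message body."""
    m = COMMAND_RE.match(text)
    if m and m.group("cmd").lower() in BOT_COMMANDS:
        return "command", m.group("cmd").lower()
    m = REPLY_RE.match(text)
    if m:
        return "reply", m.group("tag")
    return None, None


def scan(lines):
    """Per-channel summary: known commands seen, reply tags seen, distinct speaking hosts."""
    channels = defaultdict(lambda: {"commands": set(), "replies": set(), "hosts": set()})
    for line in lines:
        msg = parse_privmsg(line)
        if msg is None or not msg["target"].startswith("#"):
            continue  # not a PRIVMSG, or a private message rather than a channel
        kind, value = classify(msg["text"])
        chan = channels[msg["target"]]
        chan["hosts"].add(msg["host"])
        if kind == "command":
            chan["commands"].add(value)
        elif kind == "reply":
            chan["replies"].add(value)
    return dict(channels)


def suspicious_channels(lines):
    """Flag a channel only when a known command AND a bot-style status reply both appear in it."""
    return sorted(name for name, s in scan(lines).items() if s["commands"] and s["replies"])


# Constructed sample log (documentation-range addresses; shapes modelled on the slide captures).
SAMPLE_LINES = [
    "ying!ying@ying.2.tha.yang PRIVMSG #atta :$getcdkeys",
    "BGR-0981901486!nmavmkmyam@203.0.113.57 PRIVMSG #atta :Microsoft Windows Product ID CD Key: (XXXXX-XXX-XXXXXXX-XXXXX).",
    "BGR-0981901486!nmavmkmyam@203.0.113.57 PRIVMSG #atta :[CDKEYS]: Search completed.",
    "devil!evil@admin.of.hell.network.us PRIVMSG #t3rr0r0fc1a :!pflood 192.0.2.39 443 1500",
    "s7n-2K503827!s7s@198.51.100.120 PRIVMSG #t3rr0r0fc1a :[SYN]: flooding...",
    "DeXTeR!alexo@198.51.100.7 PRIVMSG Del29466 :.http 7564 c:\\",
    "alice!alice@192.0.2.10 PRIVMSG #linux :does anyone know how to http-proxy through squid?",
    "bob!bob@192.0.2.11 PRIVMSG #linux :[OT] try the CONNECT method",
    "JOIN #linux",
]

if __name__ == "__main__":
    for name, summary in scan(SAMPLE_LINES).items():
        print(name, sorted(summary["commands"]), sorted(summary["replies"]), len(summary["hosts"]))
    print("suspicious:", suspicious_channels(SAMPLE_LINES))
```

Requiring both directions of the exchange is what keeps ordinary chatter such as "[OT] ..." in #linux, or a sentence that merely contains the word "http", from tripping the filter; the private ".http" message is skipped because the summary is per channel, so a production version would keep a second table keyed by nick for private-message C&C.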
Existing network-based botnet detection
Use botnets' ongoing C&C behavior as the basis of detection:
- {port, protocol, content-based} filtering
- Identify a particular IRC channel as a likely rendezvous point via heuristics
- Distinguish a botnet DDoS attack on a website from a flash crowd
- Identify botnet traffic based on its anomalous rate of dynamic-DNS lookups
Defense mechanisms: Prevention
- Prevent infections at the host: endpoint security, vulnerability management.
- Prevent malware delivery on the network: firewalls, intrusion prevention systems, Clean IP, mail filtering, Composite Blocking List.
- Prevent sale of services to miscreants: AUPs, contracts, customer screening.
- Prevent phishing: tools to identify fake websites for end users.
Defense mechanisms: Detection
- Detection of host infections: host intrusion detection systems (IDSs), honeypots, monitoring botnet controller activity.
- Detection of malware on the network: network IDS, NetFlow, darknets / Internet Motion Sensor / Internet telescopes, honey monkeys.
- Detection of spam operations/miscreants: Spamhaus, monitoring miscreant communications.
Defense mechanisms: Response
- Nullrouting of botnet controllers
- Quarantining of bots, automated notifications
- Bot simulation / intentional infection / monitoring (Microsoft Honey Monkeys, Decoy Bot)
- Undercover investigation (ICCC, FBI)
- Civil and criminal prosecution
References
Tracking Botnets: Using honeynets to learn more about Bots. The Honeynet Project & Research Alliance. http://www.honeynet.org/papers/bots/
Conclusion
Botnets are the primary infrastructure of criminal activity on the Internet, used most heavily for spamming, phishing, and creating more bots. An effective response to botnets, in order to reduce spam, phishing, and denial of service, requires a combination of policies and procedures, technology, and legal responses from network providers, ISPs, organizations on the Internet, and law enforcement and prosecutors. All of these components need to respond and change as the threats continue to evolve.
Future Watch
- As broadband penetration in India increases, the impact of threats will increase.
- Attacks are becoming modular, sophisticated, and aimed at financial gain.
- Clear signs of an online underground economy for fraud.
- India is a participant in the fraud food chain.
- Increasing evidence of data leakage and financially driven crimes.
- Old threats persist as newer threats continue to emerge.
Key Findings
- The home user sector was by far the most highly targeted sector in the region, with attackers taking advantage of its relatively limited security measures and practices to gain access to confidential information.
- Threats targeting online games and gamers are emerging as a new focus of malicious activity. Phishers are expected to expand their targets to massively multiplayer online games.
- Phishing activity tends to mirror an average business week, as attackers attempt to mimic legitimate companies' email practices. Holidays such as Christmas and New Year and large events like the FIFA World Cup increase the amount of phishing activity.
- MSN Messenger was affected by 35% of new instant messaging threats in the second half of the year.
Thank You!
© 2006 Symantec Corporation. All rights reserved. THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.