Security workshop Belnet
Aris Adamantiadis
Brussels, 18th April 2013

Agenda
- What is a botnet?
- Symptoms
- How does it work?
- Life cycle
- How to fight against botnets? Proactive and reactive
- NIDS

What is a botnet?
- A specific kind of network
- A network operated by a special kind of malware
  - Gets onto a computer like other malware (drive-by, piracy, trojan horses, vulnerabilities, ...)
  - Connects to a central «Command and control server»
  - Sits and waits for orders

What is a botnet?
- Goal of the botnet
  - Operated by cyber criminals to sell resources: network, CPU, accounts, ...
  - Botnets were doing cloud computing before it was a trend!
- Targets
  - Spam
  - Click fraud, spamdexing (SEO «optimization»)
  - DDoS
  - Brute force (SSH, FTP, SMTP, ...)
  - Coupled with typical malware actions (stealing credentials, adware, spyware, scareware, ...)

What is a botnet?

Botnets: symptoms
- Symptoms of a botnet attack
  - Network is slow
  - SMTP server answering slowly
  - Some computers too slow or unusable
  - Huge spikes in traffic
  - Receiving complaints at the abuse@ address
  - Addresses / ranges blacklisted by SpamCop, Spamhaus, ...
  - Legitimate emails lost in spam

How does it work?
- The botnet is operated through a C&C server
  - Typically using IRC (port 6667) or HTTP
  - This kind of botnet can be easily shut down
- But sometimes it uses a P2P network
  - Using web 2.0 (Twitter, Google, ...)
  - Using P2P protocols
- Sometimes custom DNS servers are used

Life cycle (I)
- Infection: the malware is copied onto the victim's computer
- Activation: the malware makes itself part of the botnet (registers on the C&C)
- Update: the authors of this malware write updates to fix bugs, to fight against AV software or to add functionality
- Self-protection: hides itself from the user and security software, and makes itself persistent (resistant to erasure)

Life cycle (II)
- Propagation: uses its exploit kit to propagate to other targets, by spam campaigns, scans and exploitation of known vulnerabilities, infection of shared drives and brute force of accounts
- Operation: the malware is ready to attack and to be sold to the highest bidder; the pricing model depends on the number of PCs and the available bandwidth

Size of botnets
- Number of botnets
  - Today's estimate: between 1800 and 1900
  - Hard to count since some botnets are very quiet
  - Changes a lot when botnets are shut down
- Size of single botnets
  - Varies between botnets
  - Some botnets had more than 30M zombies
  - Check out http://www.shadowserver.org

Fighting against botnets
- Proactive measures
  - Block common botnet ports: IRC (6667), DNS to the outside
  - Throttle a single user's access to the internet
  - Install (and maintain) AV software on desktops
  - Use proper network segmentation
  - Use an NIDS / Layer 7 firewall
- Reactive measures
  - Find the infected hosts and quarantine / clean them
  - Remove yourself from blacklists (when you're 100% clean)

NIDS?
- Network Intrusion Detection System
- Taps on and listens to network traffic, and generates alarms based on signatures
- Lots of commercial and free solutions, most of them based on Snort (http://www.snort.org) and Suricata (http://www.suricata-ids.org)
- Botnets are generally very noisy when active and generate a lot of alerts
- Generates a lot of events, so fine-tuning is necessary

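The C&C, proactive-measures and NIDS slides above all come down to the same idea: botnet traffic is noisy and leaves recognisable patterns (outbound IRC on 6667, DNS queries that bypass the internal resolver, one desktop talking SMTP to many mail servers). The script below is an added example, not part of the workshop slides or of Snort/Suricata: it applies three such rules to a handful of constructed firewall log lines. The log format, the 10.0.0.0/8 internal range, the resolver 10.1.0.53 and the fan-out threshold are all assumptions chosen for illustration.

```python
"""Rule-based detection over constructed outbound-connection log lines.

Added example (not from the slides). The log format, addresses and
thresholds below are constructed; adapt them to your own firewall export.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: "<timestamp> <src> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
2013-04-18T10:00:01 10.1.2.40 -> 203.0.113.7:6667 tcp
2013-04-18T10:00:02 10.1.2.41 -> 10.1.0.53:53 udp
2013-04-18T10:00:03 10.1.2.40 -> 198.51.100.9:53 udp
2013-04-18T10:00:04 10.1.2.42 -> 192.0.2.10:25 tcp
2013-04-18T10:00:05 10.1.2.42 -> 192.0.2.11:25 tcp
2013-04-18T10:00:06 10.1.2.42 -> 192.0.2.12:25 tcp
2013-04-18T10:00:07 10.1.2.42 -> 192.0.2.13:25 tcp
2013-04-18T10:00:08 10.1.2.43 -> 192.0.2.20:443 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

INTERNAL = ip_network("10.0.0.0/8")            # assumed internal range
ALLOWED_RESOLVERS = {ip_address("10.1.0.53")}  # assumed internal DNS server
IRC_PORTS = {6667}                             # "block common botnet ports"
SMTP_FANOUT_THRESHOLD = 3  # distinct SMTP peers per desktop before alerting


def parse(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "port": int(port), "proto": proto}


def detect(log_text):
    """Return a list of (rule, source_host, detail) alerts for the log text."""
    alerts = []
    smtp_peers = {}  # source host -> set of SMTP destinations seen
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None or ev["src"] not in INTERNAL:
            continue  # only outbound traffic from inside is of interest here
        # Rule 1: IRC to the outside, the classic C&C channel from the slides
        if ev["port"] in IRC_PORTS and ev["dst"] not in INTERNAL:
            alerts.append(("IRC_OUTBOUND", str(ev["src"]), str(ev["dst"])))
        # Rule 2: DNS that bypasses the internal resolver (custom C&C DNS)
        if ev["port"] == 53 and ev["dst"] not in ALLOWED_RESOLVERS:
            alerts.append(("EXTERNAL_DNS", str(ev["src"]), str(ev["dst"])))
        # Rule 3: one host talking SMTP to many servers (spam bot symptom)
        if ev["port"] == 25 and ev["proto"] == "tcp":
            peers = smtp_peers.setdefault(ev["src"], set())
            peers.add(ev["dst"])
            if len(peers) == SMTP_FANOUT_THRESHOLD:  # alert once, on crossing
                alerts.append(("SMTP_FANOUT", str(ev["src"]),
                               f"{len(peers)} peers"))
    return alerts


def suspect_hosts(alerts):
    """Count alerts per source host; the noisiest hosts go to the top."""
    return Counter(src for _, src, _ in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for rule, src, detail in found:
        print(f"{rule:13} {src:12} {detail}")
    print("suspects:", suspect_hosts(found).most_common())
```

The SMTP rule alerts only when the peer count crosses the threshold, which is the kind of fine-tuning the slide mentions: without it, a single spam bot would produce one event per connection and drown the other alerts.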
Finding and cleaning infected PCs
- «Yes, but it's a Wi-Fi user»
  - You should have enough logging in place to trace back an event (abuse report) to an IP address (firewall logs, NIDS)
  - Finding the user is hard, but finding its MAC is easy (DHCP logs)
  - Put him on a quarantine VLAN (or deny access to the network). If you can't find the user, the user will find you.
- «If it's not your device»
  - You have no right to install AV software or clean it yourself
  - Prepare a procedure for them and wait for the user to do the cleaning before unblocking them again.

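The slide's point that "finding its MAC is easy (DHCP logs)" hides one trap: on a Wi-Fi network the same IP is handed to several clients over a day, so the lookup must use the lease that was active at the time of the abuse report, not the most recent one. The script below is an added example, not part of the slides: it parses constructed dhcpd-style DHCPACK lines and returns the MAC that held the address at a given moment. The log format and the one-hour lease time are assumptions.

```python
"""Trace an abuse-reported IP address back to a MAC using DHCP logs.

Added example (not from the slides). The DHCPACK line format and the
lease duration are constructed assumptions; use your DHCP server's own.
"""
import re
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
LEASE_TIME = timedelta(hours=1)  # assumed lease duration of the constructed server

# Constructed sample: 10.1.2.40 changes hands between two clients during the day
DHCP_LOG = """\
2013-04-18 08:05:00 DHCPACK on 10.1.2.40 to aa:bb:cc:00:00:01
2013-04-18 09:30:00 DHCPACK on 10.1.2.40 to aa:bb:cc:00:00:02
2013-04-18 09:45:00 DHCPACK on 10.1.2.41 to aa:bb:cc:00:00:03
2013-04-18 10:20:00 DHCPACK on 10.1.2.40 to aa:bb:cc:00:00:02
"""

ACK_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DHCPACK on (\S+) to ([0-9A-Fa-f:]{17})$")


def parse_leases(text):
    """Return a list of (ack_time, ip, mac) from DHCPACK lines; other lines ignored."""
    leases = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        leases.append((datetime.strptime(m.group(1), TS_FMT),
                       m.group(2), m.group(3).lower()))
    return leases


def mac_for(ip, event_time, leases, lease_time=LEASE_TIME):
    """Return the MAC that held `ip` at `event_time`, or None if no lease covers it.

    `event_time` is a datetime or a string in TS_FMT (as taken from the abuse
    report). Only ACKs at or before the event whose lease had not yet expired
    are considered; the latest of those wins. A later ACK for another client
    is deliberately ignored so the wrong user is not blamed.
    """
    if isinstance(event_time, str):
        event_time = datetime.strptime(event_time, TS_FMT)
    candidates = [(ts, mac) for ts, lease_ip, mac in leases
                  if lease_ip == ip and ts <= event_time < ts + lease_time]
    if not candidates:
        return None
    return max(candidates)[1]


if __name__ == "__main__":
    leases = parse_leases(DHCP_LOG)
    # Constructed abuse report: "10.1.2.40 sent spam at 09:00"
    print("09:00 ->", mac_for("10.1.2.40", "2013-04-18 09:00:00", leases))
    print("10:00 ->", mac_for("10.1.2.40", "2013-04-18 10:00:00", leases))
```

A None result is a gap in the lease history rather than proof of innocence; when it happens, check the firewall or NIDS timestamps against the DHCP server's clock before quarantining anyone.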
In brief
- Botnets attack your resources and reputation
- Protect using firewalls, AV and a patching policy
- Inspect with logs and NIDS
- React with cleaning and quarantine

Q&A