Cyber Attack Trend and Botnet

Home , Conficker, Gumblar, July 2009 cyberattacks, Koobface, Storm botnet, Waledac botnet

S.C. Leung CISSP CISA CBCP

Agenda

Botnet and Cyber Attack Trends

Botnet Attack Trends  Commercialization of Cyber Crime  Professionalization of Cyber Crimeware  Social Engineering always cool – Waledac botnet  Following the Social Network Services – Koobface botnet  Delivering via Web attack & Search Engine – Gumblar botnet  Following the Money – Banking Trojans like Zeus botnet  Building the Survival Kit – Conficker botnet

Defending against Botnet

Page . 2 Botnet (roBot Network) = infrastructure of controlled victim computers (bots)

Up: Data Bot Herder Bot Herder Down: Command/Update

C&C C&C C&C Up: Data Down: Command/Update

bot bot bot bot bot bot bot

Spam, DDoS attack Malware victim victim Phishing Page . 3

1. Commercialization of Cyber Crime Product and Service Delivery for Profit

. What do attackers want now?

. What are their product and services? – Products • Personal credentials, CCN, SSN, software CD keys • Tools to exploit, tools to hide malware

– Service subscription: • spam, phishing, DDoS • botnet (76services.com  now closed)

Page . 5

2. Professionalization of Cyber Crimeware Professionalization of Cyber Crimeware

. Division of Labour, R&D and Outsourcing . Botnet is a sign of maturity of the . Malware development, Botnet optimization infrastructure for – Malware good at detection evasion underground economy – Malware targeting identifying and terminating security software – Service delivery – Multi-language support – Maintenance – Remote administration support – Long term control – Signing and encryption

. IT Infrastructure – Hosting – network, web hosting at hacker friendly environment • where there is great bandwidth • where legislation is lax • where user awareness is low – Domain - registration, domain hosting • where take down procedure is lengthy

Page . 7

3. Social Engineering always cool

Waledac Botnet Waledac Botnet

. Spreading by – Spam emails employ social engineering extensively • contain link to iFrame embedded malicious website, tricking user to install the malware . Author = Creator of Storm botnet (which overwhelmed the Internet back in 2007)

. Has sound infrastructure

uses Nginx web server uses Double Fast Flux DNS

The DNS records are changing all the time

The DNS servers are changing all the time

Page . 9

Waledac – Fast-flux

Bot hosts can be dynamically assigned in real time

Page . 10 Waledac theme – eCard social engineering – follow the talks of the town

postcard.exe

Page . 11

Waledac Themes social engineering – follow the talks of the town

“Terrorist Attack”“SMS Spy “Independence themeon your Day”Partner”

Play

Page . 12 Waledac Service and Feature

. Impact – open a back door on the compromised computer – steal personal information – spam contacts in address book – turn zombie into web server, web proxy, DNS and spam template relays

. Major web server service – Pharmacy – serving malware

Page . 13

4. Following the Social Network Services Koobface (koob-face)

. A worm spreading in Facebook, MySpace, Twitter, Friendster, hi5 & Bebo

. Spreading – Spoof a friend and send a message ““Hello; You must see it!!! LOL” with a URL – URL brings user to a fake YouTube site, luring to install a file “Flash_update.exe” – Upon execution, victim is infected. . Impact – Poison all user search (Google, Ask, Yahoo and Bing) to malicious site

http://www.f-secure.com/weblog/archives/00001517.html Page . 15

Koobface: Twitter campaign

. Infected PCs with Koobface sent out Tweets with malicious URL

Page . 16 A Botnet uses Twitter as Command Channel

. Bots subscribe to RSS feed to get command . A Tweet like this – “aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS 29Ibw==“

. Base64 decode the tweet, we got 2 tiny URLs – http://bit.ly/R6STV http://bit.ly/2KoHo

. The bit.ly tiny URLs translated to: – http://pastebin.com/pastebin.php?dl=m5222dc70 http://paste.debian.net/43529/download/43529

– URLs are encoded file. When decoded and unzipped, giving malware files which were found to be poorly detected by VirusTotal as malware

Page . 17

5. Delivering via Web attack & Search Engine Gumblar Botnet Gumblar Botnet: Impact

. Web site is a delivery channel of malware – Gumblar steal FTP credentials and upload malware to 3000 legitimate web sites – Botnet connect to two domains for download: “gumblar.cn” / “martuz.cn”

. Two Botnets formed: one for web sites and one for infected client PCs

. Impacts – Client PCs: install backdoor in victims’ computers that connect to C&C • steal FTP credentials from the victims’ computers • Man in the browser attack: monitor traffic to and from the browser: –Replace Google search results with links pointing to malicious websites – Redirect from e-commerce or banking site to phishing web sites

– Web sites: compromise any websites owned or operated by the victims • distribute malware which exploit Acrobat Reader & Flash Player vulnerabilities

Page . 19

Gumblar Botnet: Obfuscation

. Web pages injected obfuscated scripts, which vary from site to site, or page to page

Malzilla

Page . 20 Gumblar Botnet: Detection and Take down

. Blocking – block the two C&C sites: “gumblar.cn” and “martuz.cn” . Checking (not 100% accurate) – http://www.unmaskparasites.com/security-report/

Page . 21

6. Following the Money Botnet targeting Banks

. What I have seen on a Zeus Botnet C&C Management interface

– Bot administration features:

• Screenshot (save to html without image)

• Fake redirect (redirect to a prepared fake bank webpage)

• Html inject (hijack the login session and inject new field)

• Log the visiting information of each banking site, record the input string (text or post URL)

•An unknown field (table: yes/no) found with syntax: nn:nnnnnnnn

– if the value is yes, mostly with comment, the comment logged the a/c information, e.g. transfer limit.

Page . 23

Fake Redirect login page

Source: Computer Associate

Page . 24 Man-in-the-Browser

Hacker’s ideal operation

. Intercept transaction

. Change amount and change destination to attacker account and send to the bank

. Change the display to user as if his transaction was executed – Calculate the “should be amount” and rewrites the remaining total to screen

Source: www.cronto.com

Page . 25

Man in the Browser (MITB)

. Install software/plugin inside the browser . Hooking key OS and web browser APIs and proxying data

. Advantage – No encryption barrier as in proxy Web App – SSL Padlock is unaffected for modified content – Direct access to Data MITB • Freely alter the web page displayed to the customer • Freely modify the requests sent back to the bank. – Direct interface to web browser & application : • Can create additional commands (GET/POST/PUT) : – Extremely stealthy • Client hard to detect, since network is not interfered, web address, digital certificates are all correct Winsock • Bank sees the customer real IP address – Faster real time response so can break 2FA

Page . 26 Limbo 2 - HTML Injection

. Limbo 2 Trojan kit . Some variants inject fake fields into the online banking forms that the browser displays to the user.

. The additional fields are designed to collect details to help an attacker to impersonate the victim and/or compromise victim's account What is the use of getting the additional info?

Source: ThreatExpert

Page . 27

Inserting transaction (when login)

. Login Shadow Login Trojan kick up shadow login at the back

PIN + OTP PIN + OTP Submit

Insert a new window

PIN + OTP2

Hacker use OTP2 Submit “Not successful. to authenticate a Please retry” transaction

Page . 28 HKMA Circular 2009-07-13

. The HKMA noticed that the recent fraudulent technique adopted by fraudsters is believed to involve infecting the customer's personal computer (PC) with Trojan horse programs to hijack the Internet banking login credentials of customers (including one-time passwords for two-factor authentication) during the Internet banking login process.

. The hijacked login credentials were used by the fraudsters to conduct high-risk Internet banking transactions such as making fund transfer to an unregistered third-party account.

Page . 29

7. Building the Survival Kit Conficker Botnet Conficker - Propagation Mechanism

Page . 31 Source: Cisco 2009 MidYear Report

Conficker – a model for sustainable botnet

. Designed to survive in disaster - What if the C&C are taken down? – Conficker.B - Domain generation for malware update • Active since Nov 2008, generating 250 domains/day in 5 TLDs for update

– Conficker’s natural predator: the Conficker Working Group • Alliance of ICANN, domain registries and IT industry worked together to pre-empt Conficker – Pre-register domains – Redirect traffic to sinkholes to study the behavious

– Conficker.C improved • Starting Apr 1, 2009, generating 50,000 domains/day in 116 TLDs; uses 500 in random (Some are existing domains)  making it harder to preempt the domains • improved authentication and encryption  so you cannot infiltrate into Conficker.C botnet easily • uses P2P for update as well – peers can update each other with the right authentication • Blocks more security vendors web site

Page . 32 Collaborative Effort Works!

. Conficker Working Group lead a concerted effort (www.confickerworkinggroup.org) – ICANN organized all registries to pre-empt the registration, No infection handle affected domains – Researches generated the list of generated domain and affected domains to provide transparency – Some worked out an EyeChart for easy detection – Security vendors developed detection and removal tools Conficker.C . HKIRC, HKCERT, Police and OGCIO – Check affected domains in April list for suspicious content – Put idle domains in close observation – Exchange intelligence on the progress – Coordinate with CNCERT/CC on an HK IP address owned by a Conficker.A/B mainland web hosting provider

Page . 33

Conficker – a model for sustainable Botnet

. Everyone watching the domain generation, but nothing happened there

. Since Conficker has dual update mechanisms -- domain generation and P2P, it takes the liberty to use any one at any time. Conficker had succeeded to evolve by P2P channel.

. We still have a long way to close it down.

Page . 34 Defending against Botnets

Enhance Response

. Conficker Working Group approach works! ICANN and others are collaborating more to speed up the take down. – Sharing of intelligence – Speed up takedown – Preempt future attacks

. HKCERT – Proactive Discovery of malicious site in Hong Kong (with limited resources) – Awareness education for service providers: HKCERT organized with OGCIO and HKPF “ISP Symposium” in May 2009 – Cyber Drill: HKCERT organized with OGCIO and HKPF a cyber drill with theme “Combating Cyber Crime” in July 2009

. HKMA & Banks – HKMA circular – Banks tighten their procedure for high risk transaction and fraud detection

Page . 36 Defense against Botnet

. Botnet is malware . 3 Baseline Defense is necessary though insufficient – Protection from malware • Note browsers plugins can be malicious or weakness point – Personal Firewall – Update patches . Server defense – Install minimum modules on server. Do not use it to browse Internet – Keep patching update – Protect from web attacks • Application Firewall • See SQL Injection Defence Guideline published by HKCERT

Page . 37

Monitor software patch level and take prompt action . Secunia Personal Software Inspector – Scan for installed Windows software and their patch level, with threat level – Provide link to download available patch or workardound – http://secunia.com/vulnerabil ity_scanning/personal/

Page . 38 Monitor software update

. CleanSofts.com Update Notifier – scanning for installed Windows software and display list of updates – verifying the software against malware (best effort with current AV software only, so it is no better than VirusTotal) – http://cleansofts.org/view/update-notifier.html

Page . 39

Safe Browsers

. Browsers add anti-malware, anti-phishing features – IE, Mozillia, Opera; add Netcraft toolbar if you want – Minimize your browser and plug-ins . Firefox and Flock browser now incorporate Google safety alert . New browser use sandbox approach: Chrome

Page . 40 Detecting Botnet Next presentation

QQ && AA

S.C. Leung (梁兆昌) [email protected] Building up a Botnet

. Having the Malware to infect user machines – Detection evasion advancement – Control and update . Getting a Channel to Deliver the Malware – Spam: Social Engineering Waledac – Legitimate Web Server  redirecting users to Exploit servers Gumblar – Social Network  redirecting users to Exploit servers Koobface – Exploit servers hosting the malware . Exploiting vulnerabilities (Windows, browser, Office, Acrobat Reader, Adobe Flash, etc.) of the victim machine . Controlling the victim PCs – Botnet Command and Control Centre . Providing resilience in case of take down by law enforcement – Fast Flux DNS: to make the structure more dynamic Conficker – Disaster Recovery: find way to recover

Page . 43