Cyber Attack Trend and Botnet
S.C. Leung CISSP CISA CBCP
Agenda
Botnet and Cyber Attack Trends
Botnet Attack Trends Commercialization of Cyber Crime Professionalization of Cyber Crimeware Social Engineering always cool – Waledac botnet Following the Social Network Services – Koobface botnet Delivering via Web attack & Search Engine – Gumblar botnet Following the Money – Banking Trojans like Zeus botnet Building the Survival Kit – Conficker botnet
Defending against Botnet
Page . 2 Botnet (roBot Network) = infrastructure of controlled victim computers (bots)
Up: Data Bot Herder Bot Herder Down: Command/Update
C&C C&C C&C Up: Data Down: Command/Update
bot bot bot bot bot bot bot
Spam, DDoS attack Malware victim victim Phishing Page . 3
1. Commercialization of Cyber Crime Product and Service Delivery for Profit
. What do attackers want now?
. What are their product and services? – Products • Personal credentials, CCN, SSN, software CD keys • Tools to exploit, tools to hide malware
– Service subscription: • spam, phishing, DDoS • botnet (76services.com now closed)
Page . 5
2. Professionalization of Cyber Crimeware Professionalization of Cyber Crimeware
. Division of Labour, R&D and Outsourcing . Botnet is a sign of maturity of the . Malware development, Botnet optimization infrastructure for – Malware good at detection evasion underground economy – Malware targeting identifying and terminating security software – Service delivery – Multi-language support – Maintenance – Remote administration support – Long term control – Signing and encryption
. IT Infrastructure – Hosting – network, web hosting at hacker friendly environment • where there is great bandwidth • where legislation is lax • where user awareness is low – Domain - registration, domain hosting • where take down procedure is lengthy
Page . 7
3. Social Engineering always cool
Waledac Botnet Waledac Botnet
. Spreading by – Spam emails employ social engineering extensively • contain link to iFrame embedded malicious website, tricking user to install the malware . Author = Creator of Storm botnet (which overwhelmed the Internet back in 2007)
. Has sound infrastructure
uses Nginx web server uses Double Fast Flux DNS
The DNS records are changing all the time
The DNS servers are changing all the time
Page . 9
Waledac – Fast-flux
Bot hosts can be dynamically assigned in real time
Page . 10 Waledac theme – eCard social engineering – follow the talks of the town
postcard.exe
Page . 11
Waledac Themes social engineering – follow the talks of the town
“Terrorist Attack”“SMS Spy “Independence themeon your Day”Partner”
Play
Page . 12 Waledac Service and Feature
. Impact – open a back door on the compromised computer – steal personal information – spam contacts in address book – turn zombie into web server, web proxy, DNS and spam template relays
. Major web server service – Pharmacy – serving malware
Page . 13
4. Following the Social Network Services Koobface (koob-face)
. A worm spreading in Facebook, MySpace, Twitter, Friendster, hi5 & Bebo
. Spreading – Spoof a friend and send a message ““Hello; You must see it!!! LOL” with a URL – URL brings user to a fake YouTube site, luring to install a file “Flash_update.exe” – Upon execution, victim is infected. . Impact – Poison all user search (Google, Ask, Yahoo and Bing) to malicious site
http://www.f-secure.com/weblog/archives/00001517.html Page . 15
Koobface: Twitter campaign
. Infected PCs with Koobface sent out Tweets with malicious URL
Page . 16 A Botnet uses Twitter as Command Channel
. Bots subscribe to RSS feed to get command . A Tweet like this – “aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS 29Ibw==“
. Base64 decode the tweet, we got 2 tiny URLs – http://bit.ly/R6STV http://bit.ly/2KoHo
. The bit.ly tiny URLs translated to: – http://pastebin.com/pastebin.php?dl=m5222dc70 http://paste.debian.net/43529/download/43529
– URLs are encoded file. When decoded and unzipped, giving malware files which were found to be poorly detected by VirusTotal as malware
Page . 17
5. Delivering via Web attack & Search Engine Gumblar Botnet Gumblar Botnet: Impact
. Web site is a delivery channel of malware – Gumblar steal FTP credentials and upload malware to 3000 legitimate web sites – Botnet connect to two domains for download: “gumblar.cn” / “martuz.cn”
. Two Botnets formed: one for web sites and one for infected client PCs
. Impacts – Client PCs: install backdoor in victims’ computers that connect to C&C • steal FTP credentials from the victims’ computers • Man in the browser attack: monitor traffic to and from the browser: –Replace Google search results with links pointing to malicious websites – Redirect from e-commerce or banking site to phishing web sites
– Web sites: compromise any websites owned or operated by the victims • distribute malware which exploit Acrobat Reader & Flash Player vulnerabilities
Page . 19
Gumblar Botnet: Obfuscation
. Web pages injected obfuscated scripts, which vary from site to site, or page to page
Malzilla
Page . 20 Gumblar Botnet: Detection and Take down
. Blocking – block the two C&C sites: “gumblar.cn” and “martuz.cn” . Checking (not 100% accurate) – http://www.unmaskparasites.com/security-report/
Page . 21
6. Following the Money Botnet targeting Banks
. What I have seen on a Zeus Botnet C&C Management interface
– Bot administration features:
• Screenshot (save to html without image)
• Fake redirect (redirect to a prepared fake bank webpage)
• Html inject (hijack the login session and inject new field)
:
• Log the visiting information of each banking site, record the input string (text or post URL)
•An unknown field (table: yes/no) found with syntax: nn:nnnnnnnn
– if the value is yes, mostly with comment, the comment logged the a/c information, e.g. transfer limit.
Page . 23
Fake Redirect login page
Source: Computer Associate
Page . 24 Man-in-the-Browser
Hacker’s ideal operation
. Intercept transaction
. Change amount and change destination to attacker account and send to the bank
. Change the display to user as if his transaction was executed – Calculate the “should be amount” and rewrites the remaining total to screen
Source: www.cronto.com
Page . 25
Man in the Browser (MITB)
. Install software/plugin inside the browser . Hooking key OS and web browser APIs and proxying data
. Advantage – No encryption barrier as in proxy Web App – SSL Padlock is unaffected for modified content – Direct access to Data MITB • Freely alter the web page displayed to the customer • Freely modify the requests sent back to the bank. – Direct interface to web browser & application : • Can create additional commands (GET/POST/PUT) : – Extremely stealthy • Client hard to detect, since network is not interfered, web address, digital certificates are all correct Winsock • Bank sees the customer real IP address – Faster real time response so can break 2FA
Page . 26 Limbo 2 - HTML Injection
. Limbo 2 Trojan kit . Some variants inject fake fields into the online banking forms that the browser displays to the user.
. The additional fields are designed to collect details to help an attacker to impersonate the victim and/or compromise victim's account What is the use of getting the additional info?
Source: ThreatExpert
Page . 27
Inserting transaction (when login)
. Login Shadow Login Trojan kick up shadow login at the back
PIN + OTP PIN + OTP Submit
Insert a new window
PIN + OTP2
Hacker use OTP2 Submit “Not successful. to authenticate a Please retry” transaction
Page . 28 HKMA Circular 2009-07-13
. The HKMA noticed that the recent fraudulent technique adopted by fraudsters is believed to involve infecting the customer's personal computer (PC) with Trojan horse programs to hijack the Internet banking login credentials of customers (including one-time passwords for two-factor authentication) during the Internet banking login process.
. The hijacked login credentials were used by the fraudsters to conduct high-risk Internet banking transactions such as making fund transfer to an unregistered third-party account.
Page . 29
7. Building the Survival Kit Conficker Botnet Conficker - Propagation Mechanism
Page . 31 Source: Cisco 2009 MidYear Report
Conficker – a model for sustainable botnet
. Designed to survive in disaster - What if the C&C are taken down? – Conficker.B - Domain generation for malware update • Active since Nov 2008, generating 250 domains/day in 5 TLDs for update
– Conficker’s natural predator: the Conficker Working Group • Alliance of ICANN, domain registries and IT industry worked together to pre-empt Conficker – Pre-register domains – Redirect traffic to sinkholes to study the behavious
– Conficker.C improved • Starting Apr 1, 2009, generating 50,000 domains/day in 116 TLDs; uses 500 in random (Some are existing domains) making it harder to preempt the domains • improved authentication and encryption so you cannot infiltrate into Conficker.C botnet easily • uses P2P for update as well – peers can update each other with the right authentication • Blocks more security vendors web site
Page . 32 Collaborative Effort Works!
. Conficker Working Group lead a concerted effort (www.confickerworkinggroup.org) – ICANN organized all registries to pre-empt the registration, No infection handle affected domains – Researches generated the list of generated domain and affected domains to provide transparency – Some worked out an EyeChart for easy detection – Security vendors developed detection and removal tools Conficker.C . HKIRC, HKCERT, Police and OGCIO – Check affected domains in April list for suspicious content – Put idle domains in close observation – Exchange intelligence on the progress – Coordinate with CNCERT/CC on an HK IP address owned by a Conficker.A/B mainland web hosting provider
Page . 33
Conficker – a model for sustainable Botnet
. Everyone watching the domain generation, but nothing happened there
. Since Conficker has dual update mechanisms -- domain generation and P2P, it takes the liberty to use any one at any time. Conficker had succeeded to evolve by P2P channel.
. We still have a long way to close it down.
Page . 34 Defending against Botnets
Enhance Response
. Conficker Working Group approach works! ICANN and others are collaborating more to speed up the take down. – Sharing of intelligence – Speed up takedown – Preempt future attacks
. HKCERT – Proactive Discovery of malicious site in Hong Kong (with limited resources) – Awareness education for service providers: HKCERT organized with OGCIO and HKPF “ISP Symposium” in May 2009 – Cyber Drill: HKCERT organized with OGCIO and HKPF a cyber drill with theme “Combating Cyber Crime” in July 2009
. HKMA & Banks – HKMA circular – Banks tighten their procedure for high risk transaction and fraud detection
Page . 36 Defense against Botnet
. Botnet is malware . 3 Baseline Defense is necessary though insufficient – Protection from malware • Note browsers plugins can be malicious or weakness point – Personal Firewall – Update patches . Server defense – Install minimum modules on server. Do not use it to browse Internet – Keep patching update – Protect from web attacks • Application Firewall • See SQL Injection Defence Guideline published by HKCERT
Page . 37
Monitor software patch level and take prompt action . Secunia Personal Software Inspector – Scan for installed Windows software and their patch level, with threat level – Provide link to download available patch or workardound – http://secunia.com/vulnerabil ity_scanning/personal/
Page . 38 Monitor software update
. CleanSofts.com Update Notifier – scanning for installed Windows software and display list of updates – verifying the software against malware (best effort with current AV software only, so it is no better than VirusTotal) – http://cleansofts.org/view/update-notifier.html
Page . 39
Safe Browsers
. Browsers add anti-malware, anti-phishing features – IE, Mozillia, Opera; add Netcraft toolbar if you want – Minimize your browser and plug-ins . Firefox and Flock browser now incorporate Google safety alert . New browser use sandbox approach: Chrome
Page . 40 Detecting Botnet Next presentation
QQ && AA
S.C. Leung (梁兆昌) [email protected] Building up a Botnet
. Having the Malware to infect user machines – Detection evasion advancement – Control and update . Getting a Channel to Deliver the Malware – Spam: Social Engineering Waledac – Legitimate Web Server redirecting users to Exploit servers Gumblar – Social Network redirecting users to Exploit servers Koobface – Exploit servers hosting the malware . Exploiting vulnerabilities (Windows, browser, Office, Acrobat Reader, Adobe Flash, etc.) of the victim machine . Controlling the victim PCs – Botnet Command and Control Centre . Providing resilience in case of take down by law enforcement – Fast Flux DNS: to make the structure more dynamic Conficker – Disaster Recovery: find way to recover
Page . 43