“Botconomics” – Mastering the Underground Economy of Botnets. LACNIC, May 2008


  • Botconomics: Mastering the Underground Economy of Botnets.

    LACNIC, May 2008
    Kleber Carriello de Oliveira, Consulting Engineer, Arbor Networks

    Page * - Company Confidential

    Agenda
    - Malware, Botnets & DDoS
    - An Underground Economy: Botconomics
    - Questions & Answers

    What's in a Denial of Service (DoS) Attack?
    - Duration: about an hour and 15 minutes
    - Misuse type: Null TCP
    - IP protocol: 6 (TCP)
    - TCP flags: none (Null TCP)
    - Sources: 0.0.0.0/0 - very well distributed or source-spoofed IPs
    - Source ports: 0-65535 - very well distributed
    - Destination: xx.xx.X.X/32 - surprise, an undernet IRC server
    - Destination port: 6667 (IRC)

    Threat Time Line: NBA is Another Layer of Defense
    [Figure: a time axis running from "discover vulnerability" through "advisory", "patch", "AV/IDS available" and "new version"; the zero-day window sits before the patch and AV/IDS points. Layers of defense plotted against it: patch management, network admission, and Network Behavioral Analysis with Peakflow X.]

    Anti-Virus and IDS Detection Rates
    Projected that between 75k and 250k new malware families or variants were released in 2006 (one every 1-3 minutes).
    Source: Internet Malware Classification and Analysis; University of Michigan & Arbor Networks, Inc., 2007
    - Some samples still not detected a year after the malware was collected.
    - Almost half the samples in the small dataset undetected, and one quarter in the large.
    - AV fails to detect malware between 20% and 62% of the time!

    Though Necessary, AV Performance Poor
    Research puts most AV performance very low:
    - ~38 AV products (open source & commercial)
    - Average 28-32% hit rate on newer threats
    - AV vendors change heuristics to improve results, but that raises the false-positive rate
    Why?
    - Signature 1:  1000100010011111
    - New variant:  1000100010010001 - no AV match
    - Minor obfuscation techniques: packers; polymorphism (e.g., recompile)
    Getting better: more behavior-based functions, less static file analysis. Behavior-based solutions augment AV:
    - Cisco CSA, Sana Security: host behavior (file, process, network state)
    - NBA, Network Behavioral Analysis coupled with threat feeds (e.g., Arbor's ATF & Peakflow X)
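    The slide's point - a few flipped bits defeat an exact signature while the bot's behavior is unchanged - as an added example (not from the deck). The two 16-bit strings are the slide's "Signature 1" and "New variant"; the surrounding bytes, the event vocabulary and the sandbox logs are constructed for illustration.

```python
"""Static signature vs. behavioural fingerprint (added example, not from the deck)."""

SIGNATURE_BITS = "1000100010011111"   # slide: Signature 1
VARIANT_BITS   = "1000100010010001"   # slide: New variant


def bits(s: str) -> bytes:
    """Render a bit string as big-endian bytes."""
    return int(s, 2).to_bytes((len(s) + 7) // 8, "big")


# Constructed "binaries": a header, the signature region, then a C&C hostname.
ORIGINAL_SAMPLE = b"MZ\x90\x00" + bits(SIGNATURE_BITS) + b"\x00irc.example.net\x00"
VARIANT_SAMPLE  = b"MZ\x90\x00" + bits(VARIANT_BITS)   + b"\x00irc.example.net\x00"


def bit_distance(a: str, b: str) -> int:
    """Number of differing bits between two equal-length bit strings."""
    assert len(a) == len(b)
    return sum(x != y for x, y in zip(a, b))


def static_match(sample: bytes, signature: bytes = bits(SIGNATURE_BITS)) -> bool:
    """Exact byte-pattern match: the model the slide calls an 'AV match'."""
    return signature in sample


# A behavioural fingerprint is an ordered set of host/network events seen in a
# sandbox. The event names are an assumption of this example.
BOT_FINGERPRINT = ("disable_autoupdate", "tcp_connect:6667", "irc_join")


def behavioural_match(events, fingerprint=BOT_FINGERPRINT) -> bool:
    """True if the fingerprint events occur in this order, with any events between."""
    pending = iter(events)                      # one shared iterator: a subsequence test
    return all(any(seen == want for seen in pending) for want in fingerprint)


# Constructed sandbox logs. The variant adds the "speed test" step the deck
# describes later; the fingerprint tolerates it because it checks order, not adjacency.
ORIGINAL_EVENTS = ["create_file", "disable_autoupdate", "dns_query",
                   "tcp_connect:6667", "irc_join", "sleep"]
VARIANT_EVENTS  = ["create_file", "disable_autoupdate", "http_get:www.level3.com",
                   "dns_query", "tcp_connect:6667", "irc_join"]
BENIGN_EVENTS   = ["dns_query", "tcp_connect:80", "http_get:index.html"]


def classify(sample: bytes, events) -> dict:
    """Compare both detection models on one sample."""
    return {"static": static_match(sample), "behavioural": behavioural_match(events)}


if __name__ == "__main__":
    print("bits changed by the obfuscation:", bit_distance(SIGNATURE_BITS, VARIANT_BITS))
    print("original:", classify(ORIGINAL_SAMPLE, ORIGINAL_EVENTS))
    print("variant: ", classify(VARIANT_SAMPLE, VARIANT_EVENTS))
    print("benign:  ", classify(b"MZ\x90\x00benign", BENIGN_EVENTS))
```

    Three flipped bits are enough to make the static check miss the variant, while the ordered-event fingerprint still fires on it and stays quiet on the benign log; that is the trade the slide describes, and the price is that a fingerprint needs a sandbox or network sensor rather than a file scan.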

    Bots: Putting the (D) in (D)DoS
    Got bot? A bot is a servant process on a compromised system (unbeknownst to the owner), usually installed by a Trojan or worm.

    Communicates with a handler or controller via public IRC servers or other compromised systems.

    A botmaster or botherder commands bots to perform any of a number of different functions.

    The system of bots and controller(s) is referred to as a botnet or zombie network.

    Anatomy of a DDoS Attack
    [Diagram: Internet backbone with UK broadband, US broadband, US Corp, JP Corp, a provider and "The Peaceful Village" attached, each hosting bots (B). Steps: systems become infected; bots connect to a C&C to create an overlay network (botnet); the controller connects; the botnet master (BM) issues the attack command via the C&C; bots attack; target: "Bye Bye!"]

    Anatomy of Botnet Construction
    - Exploit vector (e.g., TCP/135)
    - Second-stage functions (e.g., TFTP, FTP, HTTP) to download bot software and C&C instructions
    - Bot is executed, connected to C&C infrastructure - often IRC, identified by DNS
    - Bot connects to a channel (e.g., USA|743634) of the C&C; passwords often required
    - C&C often employs encryption and anti-cloaking techniques

    Malware Delivery
    - Traditionally, worms with a self-propagation vector, not a remote control function
    - Last real virus: Melissa, 1999
    - Today, email and other application-level functions are laden with Trojans
    - Now delivered via web sites - drive-by installs; projected 1 in 10 web sites hosts malicious content
    - Web-based delivery means outpacing email, viruses, etc.
    - Example: Dolphin Stadium web site compromised to host malicious content just before the Super Bowl in early 2007
    - iframe functions popular today

    Interesting read: The Ghost in the Browser, http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf
    Clever new attacks include multi-layer attacks: compromise; grab proxy IP; arpspoof, proxy; iframe insertion, local malware delivery, etc.

    Engineering Malware: disable updates, speed tests..
    - Engineer around current AV DBs
    - Disable auto-update functions
    - Evaluate connectedness of the asset
    Employ: upon compromise, perform browser-esque speed tests to the following sites using the User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; WIN NT 5.1; Hotbar 4.3.1.0":
    www.nifty.com, www.d1asia.com, www.st.lib.keio.ac.jp, www.lib.nthu.edu.tw, www.above.net, www.level3.com, nitro.ucsc.edu, www.burst.net, www.cogentco.com, www.rit.edu, www.nocster.com, www.verio.com, www.stanford.edu, www.xo.net, de.yahoo.com, www.belwue.de, www.switch.ch, www.1und1.de, verio.fr, www.utwente.nl, www.schlund.net

    Sophisticated Botnet Management & Statistics
    [Screenshots: graphical user interface; performance statistics]

    Reflective Amplification Attacks
    [Diagram: Attacker (a), Victim (v), Resolver (r)]
    A botnet with as few as 20 DSL-connected homes (1 Mbps upstream each) can generate 1.5 Gbps of attack traffic with DNS reflective amplification attack vectors such as those employed for the root server attacks in early 2006 (1:76 amplification factor). Most enterprises have little more than 155 Mbps of Internet connectivity.
    The source IP of the victim (v) is spoofed when the query is sent to the resolver; the resolver receives it and responds to v. A 55-byte query elicits a 4200-byte response.

    Application of Anti-Spoofing Measures
    - Still not ubiquitous deployment - far from it (hence the effectiveness of reflective attacks)
    - Largest deployment burden: hardware support; configuration management; authoritative IP ownership repository
    - Loose-mode RPF likely creates a false sense of protection
    - Should assume a slightly more clueful respondent pool than in general, so actual numbers are likely lower
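    The two slides above, as an added example that is not part of the deck: the amplification arithmetic (55-byte query, 4200-byte response, 20 DSL bots at 1 Mbps) and the reason loose-mode uRPF does not stop the spoofed query. The model is the access router of the bots' ISP; the FIB, interface names and addresses (documentation ranges) are constructed, and the assumption that uRPF ignores the default route follows the usual router default.

```python
"""Source-spoofed reflection query vs. strict and loose uRPF (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed FIB of the bots' ISP access router: prefix -> egress interface.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "dsl0",     # the ISP's own DSL pool (bots live here)
    ipaddress.ip_network("203.0.113.0/24"):  "uplink0",  # victim's network, reached via transit
    ipaddress.ip_network("192.0.2.0/24"):    "uplink0",  # open recursive resolver's network
    ipaddress.ip_network("0.0.0.0/0"):       "uplink0",  # default route
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    size: int      # bytes on the wire


def route_interface(addr: str) -> Optional[str]:
    """Longest-prefix match, ignoring the default route (uRPF does so unless
    explicitly configured to allow it - an assumption of this model)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in FIB.items():
        if net.prefixlen == 0:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def urpf_accepts(pkt: Packet, ingress: str, mode: str) -> bool:
    """strict: the source must be routed back out the ingress interface.
    loose: any non-default route to the source is enough."""
    iface = route_interface(pkt.src)
    if mode == "strict":
        return iface == ingress
    if mode == "loose":
        return iface is not None
    raise ValueError(f"unknown uRPF mode {mode!r}")


def amplification_factor(query_bytes: int, response_bytes: int) -> float:
    return response_bytes / query_bytes


def reflected_gbps(bots: int, upstream_mbps: float, factor: float) -> float:
    """Traffic arriving at the victim if every bot's spoofed queries get through."""
    return bots * upstream_mbps * factor / 1000


VICTIM, RESOLVER = "203.0.113.9", "192.0.2.53"
SPOOFED = Packet(src=VICTIM, dst=RESOLVER, dport=53, size=55)           # bot forges the victim's address
LEGIT   = Packet(src="198.51.100.17", dst=RESOLVER, dport=53, size=55)  # same DSL host, its own address
BOGON   = Packet(src="10.0.0.1", dst=RESOLVER, dport=53, size=55)       # no route at all


def reflected_after_filter(bots: int, upstream_mbps: float, factor: float, mode: str) -> float:
    """Bandwidth the victim sees once the bots' ISP applies uRPF on dsl0."""
    passed = urpf_accepts(SPOOFED, "dsl0", mode)
    return reflected_gbps(bots, upstream_mbps, factor) if passed else 0.0


if __name__ == "__main__":
    f = amplification_factor(55, 4200)
    print(f"amplification 1:{f:.0f}; 20 x 1 Mbps DSL bots -> {reflected_gbps(20, 1, 76):.2f} Gbps")
    for mode in ("loose", "strict"):
        print(mode, "spoofed:", urpf_accepts(SPOOFED, "dsl0", mode),
              "legit:", urpf_accepts(LEGIT, "dsl0", mode),
              "bogon:", urpf_accepts(BOGON, "dsl0", mode),
              f"victim sees {reflected_after_filter(20, 1, 76, mode):.2f} Gbps")
```

    Loose mode only rejects the bogon: the victim's prefix is in the FIB (via the uplink), so a query carrying the victim's address is forwarded and the full 1.52 Gbps reaches the victim. Strict mode drops it because that prefix is not reachable back through the DSL interface it arrived on, which is exactly why loose mode at the access edge gives the false sense of protection the slide warns about.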

    Attack Scale Still Increasing Considerably
    - Proliferation of broadband connectivity
    - Increased virulence of attack vectors
    - Sophistication of bot management software
    [Chart: largest attack size by year; the 2001-2003 data points are projections based on public and private information regarding prominent attacks.]
    - Largest attacks (22 & 24 Gbps) reported by a large content provider and hosting providers
    - Both >20 Gbps attacks were reported to have been DNS reflective amplification attacks
    - Most backbone links have 10G maximum capacity today

    DDoS Attacks: Taking Advantage of Our Broadband
    Botnets take advantage of our unlimited broadband pipes and PCs for amplification attacks and brute-force flooding attacks. ISPs are taken offline in the process of trying to mitigate these attacks.
    [Diagram: ISP A (T1 customers behind an aggregation router, T1 uplink) connects to a Transit ISP over GE. A 3 Mbps DDoS is a teeny tiny attack - well, to the Transit ISP, not to ISP A: a 512k attack takes the target offline ("Target Gone") with collateral damage to the rest of ISP A. A much BIGGER attack on ISP n is shown alongside.]

    DNS Attacks - When & What?
    [Timeline markers: OCT 2002, NOV 2002, JUN 2004, OCT 2004, NOV 2004, JAN-FEB 2006, NOV 2006, FEB 2007]
    - OCT 2002: Root servers attacked. Duration: 1 hour. Multi-modal: smurf, ICMP, port 53. 7 root servers appear unreachable. Impact: no noticeable user effect.
    - UltraDNS TLD servers attacked. Duration: 24 hours+. ICMP 0, 8 and then port … Easily filtered - uses pure volume of packets to disable. Results in 2-way traffic load. Impact: no noticeable user effect.
    - JUN 2004: Akamai attacked. Duration: 4 hours. No mitigation possible: port 53, UDP, valid queries, multi-millions of queries per second. Impact: global.
    - DDoS for hire (extortion); the golden age for worms/Trojans; the perfect DNS DDoS in the wild. No protocol-based defense or mitigation; an attack on bandwidth, not on applications or servers - 11 Gbps+. Impact: significant collateral damage.
    - JAN-FEB 2006: .com, .net (VeriSign), .org (UltraDNS). Utilized open recursive servers. Average attack 7-10 Gbps. TLD operators have no successful defense. Impact: considerable user impact.
    - NOV 2006: UUNet attack - 2nd-level DNS. UDP/53, authoritative servers for bank.foo. Spoofed source IPs, 800 Kpps. Impact: end-user/customer. Mitigated with Cisco Guard-XT. Collateral damage: 2x .gov & two 7206s in the network path.
    - FEB 2007: G, L & M root servers, other TLDs (UltraDNS)? Utilized large bogus DNS UDP queries from many bots. Aggregate attacks 10 Gbps+. Mitigation: special hardware. Impact: 90% of traffic dropped, localized user impact.
    Root & TLD attacks in summary: spoofed source IPs, large bogus queries, 10+ Gbps, regionalized user impact.

    Botconomics
    Amalgamation: botnets && economics == botconomics
    Botconomics: it's all about the $$$$

    Three Tiers of Cyber Criminals


    An Underground Economy: Botconomics
    - Religious, political: Estonia; Denmark cartoon rage
    - Ego-driven (gaming, IRC)
    - Extortion (Super Bowl, World Cup - can your bookie afford to be offline?): $2B US each - $48B market; player SLAs
    - Lift email, targeted spam, spear phishing (>90% of spam through bots)

    Botconomics: Botnets are a business worth protecting
    Jersey Joe (2005): http://tinyurl.com/2yoyfd

    What's easier: one wallet in the subway, or 100 credit cards online?
    - CC forums
    - Lift CD keys - used to build cheap systems; can't patch -> quickly compromised
    - Is that webcam running?
    - Bogus e-file sites: proxy the transaction, switch direct-deposit bank account numbers - could be into a stolen account, extracted via wire transfer, ATM transaction, etc.
    - Miscreants likely patch more systems than typical end users, thanks to automation

    Rbots use still cameras or webcams to capture video and still images (!) and transmit them to a drop site.

    Botconomics: Identity Theft & Fraud - Global organized crime

    How many people here:
    - Have ever bought anything online? Bank online? Have a credit card?
    - Have a mortgage or pay rent?
    - Were in the military?
    - Have ever been to a medical office?
    If you said yes to any of the above, you're at risk. But who'd be dumb enough to fill this out?

    Botconomics: It doesn't matter if you don't use your credit card online! The databases that contain all your in-person credit card transactions are where the money is.

    Hits close to home.

    But what do you do with 46 million stolen credit card data sets?
    - Need to monetize
    - Sell them - individual, bundle, wholesale
    - Use them to buy stuff online (e.g., movietickets.com)
    - CC forums - brokerage houses, printed cards..
    - Buy stuff
    - Get cash advances

    Item                                                                   Advertised price (US $)
    US-based credit card with card verification value                      $1 - $6
    UK-based credit card with card verification value                      $2 - $12
    List of 29,000 emails                                                  $5
    Online banking account with a $9,900 balance                           $300
    Yahoo Mail cookie exploit - facilitates full access when successful    $3
    Valid Yahoo and Hotmail email cookies                                  $3
    Compromised computer                                                   $6 - $20
    Phishing web site hosting - per site                                   $3 - $5
    Verified PayPal account with balance (balance varies)                  $50 - $500
    Unverified PayPal account with balance (balance varies)                $10 - $50
    Skype account                                                          $12
    World of Warcraft account - one month duration                         $10

    Source: Symantec Internet Security Threat Report - March 2007

    Botconomics: Increase in Sophistication and Marketing
    - Key loggers - gotta get those full creds
    - Drop sites
    - Click fraud
    - Bot trading & marketing: .net - $.05; .gov - $1.00; nasa.gov - $.05

    Botconomics: Closing the Loop
    Phishing systems: command & control, hosting phishing sites, lifting email addresses, spamming phishing messages, drop sites - all bots!
    Botnet defense systems: attack anti-phishing, anti-spam and anti-botnet companies (Blue Security, CastleCops). From the target's access log:
      [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)
      [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)
      [19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html#898068 HTTP/1.0" 200 497 "-" "Mozilla/4.0 (compatible)
      [19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html#898068 HTTP/1.1" 200 497 "-" "Mozilla/4.0 (compatible)
      [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://even.prolexic.cant.protect.you.net.wanna.try.akamai.ill.drop.them.too" "Mozilla/4.0 (compatible)
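    What a defender would do with a log like the one above, as an added example that is not part of the deck: parse Apache combined-format lines, find seconds where many requests arrive carrying the bare "Mozilla/4.0 (compatible)" User-Agent (a real IE string carries "; MSIE x.y; Windows ..." inside the parentheses), and list the sources. The sample lines are constructed in the deck's format with client addresses added (the deck's excerpt omits them); the taunting referer hostnames are quoted from the slide, and the thresholds are assumptions.

```python
"""Spotting a bot-driven HTTP flood in a web server access log (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one second of a flood from a handful of bots, plus normal traffic.
SAMPLE_LOG = """\
198.51.100.10 - - [19/Feb/2007:15:10:17 +0000] "GET /forum/ HTTP/1.1" 200 5120 "http://forum.example.org/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070219 Firefox/2.0.0.2"
203.0.113.21 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
203.0.113.22 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
203.0.113.23 - - [19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html HTTP/1.0" 200 497 "-" "Mozilla/4.0 (compatible)"
203.0.113.24 - - [19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html HTTP/1.1" 200 497 "-" "Mozilla/4.0 (compatible)"
203.0.113.25 - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://even.prolexic.cant.protect.you.net.wanna.try.akamai.ill.drop.them.too" "Mozilla/4.0 (compatible)"
198.51.100.11 - - [19/Feb/2007:15:10:18 +0000] "GET /style.css HTTP/1.1" 200 1833 "http://forum.example.org/forum/" "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070219 Firefox/2.0.0.2"
198.51.100.12 - - [19/Feb/2007:15:10:19 +0000] "GET /forum/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US) AppleWebKit/418.9"
"""

BARE_UA = "Mozilla/4.0 (compatible)"   # genuine IE UAs have more inside the parentheses
MIN_REQUESTS_PER_SECOND = 5             # assumed threshold
MIN_BARE_UA_SHARE = 0.6                 # assumed threshold


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def flood_seconds(rows, min_requests=MIN_REQUESTS_PER_SECOND, min_share=MIN_BARE_UA_SHARE):
    """Return {timestamp: (requests, bare_ua_share, distinct_ips)} for seconds that look like a flood."""
    per_sec = defaultdict(list)
    for r in rows:
        per_sec[r["ts"]].append(r)
    flagged = {}
    for ts, reqs in per_sec.items():
        share = sum(r["ua"] == BARE_UA for r in reqs) / len(reqs)
        if len(reqs) >= min_requests and share >= min_share:
            flagged[ts] = (len(reqs), round(share, 2), len({r["ip"] for r in reqs}))
    return flagged


def flood_sources(rows, flagged) -> List[str]:
    """Client addresses that used the bare UA inside a flagged second (a candidate block list)."""
    return sorted({r["ip"] for r in rows if r["ts"] in flagged and r["ua"] == BARE_UA})


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    flagged = flood_seconds(rows)
    for ts, stats in flagged.items():
        print(ts, "requests/bare-UA share/distinct IPs:", stats)
    print("sources:", flood_sources(rows, flagged))
```

    The per-second grouping is what separates a flood from a busy site: the legitimate Firefox request in the same second is counted but does not change the verdict, and the distinct-IP count shows the requests come from many hosts rather than one, which is the signature of a botnet rather than a single misbehaving client.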

    From Arbors BLOG


    The Phish.
    - Build the phishing site, host it on a bot; perhaps proxy the actual site
    - Spam the phish message - perhaps targeted (spear) - "Go to: https://online.wellsfargo.com/signon/"
    - Throw the spoils on a couple of drop sites - more bots
    - Use the spoils to transfer money directly, to transfer money internationally, etc.

    Where's the Money Going? Funding an online dating service for al-Qaeda?
    "...investigators say they found some 37,000 stolen credit card numbers. Alongside each credit card record was other information on the ID theft victims, such as the account holder's address, date of birth, credit balances and limits... jihadists might need for their battle against the American and allied forces in Iraq, including global positioning satellite (GPS) devices, night-vision goggles, sleeping bags, telephones, survival knives and tents."

    Operation Spamalot
    On Friday, Dec. 15, 2006, shares in Apparel Manufacturing Associates, Inc. (APPM) closed at $.06, with a trading volume of 3,500 shares. After a weekend spam campaign distributed emails proclaiming, "Huge news expected out on APPM, get in before the wire, We're taking it all the way to $1.00," trading volume on Monday, Dec. 18, 2006, hit 484,568 shares with the price spiking to over 19 cents a share. Two days later the price climbed to $.45. By Dec. 27, 2006, the price was back down to $.10 on trading volume of 65,350 shares.

    On Dec. 19, 2006, trading in Goldmark Industries, Inc. (GDKI) closed at $.17 on trading volume of 126,286 shares. On Dec. 20, 2006, the spam campaign started, with e-mail proclaiming "GDKI IS MAKING EVERYONE BANK!" and setting a 5-day price target of $2. By Dec. 28, 2006, spam emails boasted of the price spike that had already been achieved -- "$.28 (Up 152% in 2 days!!!)" -- and promised a 5-day price target of $1. That same day, GDKI closed at $.35 on a volume of more than 5 million shares. By January 9, 2007, the closing share price was back down to $.15.

    Attack vector?

    Good News?
    The financial losses are at a point where industry must invest - obvious from financials to LEOs: a discernible uptick in activity.
    [Chart: losses annually (US $ billions) over time - cyber crime losses versus traditional fraud (~$20B US), with a factored-losses / tolerance-threshold line.]

    Arbor's Worldwide Infrastructure Security Report

    Demographics: 70 self-classified tier-1, tier-2, and hybrid IP network operators in North America, Europe & Asia
    Key findings:
    - Most significant operational threats are: #1 botnets, #2 DDoS
    - Frequency, size and complexity of attacks are growing: 22 & 24 Gbps attacks reported
    - More application-layer attacks
    - ISPs "finish the job"
    - DDoS managed services activity grows 800%
    - Less than 2% reported to law enforcement

    DDoS Mitigation Techniques
    Good & bad news:
    - Bad: SPs still effectively complete the attack (to protect network availability)
    - Good: more mitigation solution deployment (scrubbing - Arbor TMS, flow spec, etc.) and service offerings - nearly a 10x increase percentage-wise, even with a wider respondent pool
    - Can't win the bandwidth game (e.g., consider Storm with reflective amplification)
    - New mitigation infrastructure only applies to managed-service customers
    - Mitigation is highly fragmented - little incentive to follow up with the ingress (or even upstream/adjacent) network for host cleanup, so the recurrence factor of malicious activity is considerable
    - Detection without mitigation - hrmm

    Netflow + DPI
    [Diagram: Peakflow SP (collector and detection) and Peakflow SP TMS (scrubber)]
    - Flows are sent to the collector system
    - The system detects the attack
    - The mitigation process is started: the system talks to the scrubber to clean the traffic
    - A BGP route is injected (off-ramping) so the target's traffic is pulled through the scrubber
    - The scrubber inspects each packet against its rules and network behavior (intelligent mitigation)

    Attack Scale & Frequency
    - Attacks seen from the perspective of a single ISP and a single attack vector, thus the aggregate for many is likely to be much higher
    - Cross-correlation of targets and times provides considerable insight
    - Doesn't necessarily matter - scale is all about perspective
    - Estonia attacks: 4 Mpps aggregate at peak

    Even Cyber Criminals Take Some Time Off
    [Chart] Data derived from Arbor products deployed in 70% of the world's ISPs

    Attack on Russia - Arbor's Global Visibility
    [Chart] Detecting a multi-ISP distributed attack

    A Solution: Network Behavioral Analysis (NBA)
    - Network transactional information + control plane data enables baselines (statistical and relational) that allow abnormalities to be identified
    - Network-based mitigation can be performed based upon NBA
    - Even zero-day threats can be detected (e.g., many families have the same network behavioral fingerprint but a different payload)
    - Based on compound temporal functions, as well as single-packet transactions (e.g., known botnet C&C, UN export-restricted nations, known malware distribution sites, etc.)

    Behavioral Fingerprinting
    Unique variants require new virus detection definitions:
    - packers
    - polymorphism, recompile
    - minor obfuscation techniques for known packers
    - strings
    E.g., 580+ Agobot variants.
    Fingerprinting behaviors allows for more generalized detection mechanisms:
    - file status
    - process state
    - network transactions
    Host- and network-based detection models that employ relational modeling and network behavioral analysis provide the substrate for zero-day threat identification.

    Threat Modeling and Instrumentation
    Sample: Blaster worm. Instrumentation of propagation and exploit vectors, with other second-stage functions, and modeling of network transactions allows development of compound temporal network transactional signatures.
    - TCP/135: SYN (40), ACK (40), RPC BIND (112), RPC Req. (1744), FIN (40): 1 microflow, 5 packets, 1984 B; then 2 RSTs
    - Subsequent: TCP/4444, N packets/bytes, following the TCP/135 activity, from the vulnerable host, etc.
    Single-stage threats are much simpler (e.g., SYN to known botnet C&C).

    Think of the Possibilities
    [Diagram: the same botnet overlay as in "Anatomy of a DDoS Attack" (systems become infected, bots connect to a C&C, the botnet master issues the attack command, bots attack), now with bots also serving as phishing sites, drop sites, spam relays and open proxies, and the target being Anti-Bot/Spam.com ("Bye Bye!").]

    Miscreant Feuding - Bot on Bot Attacks
    http://asert.arbor.net
    MPack & Storm (Trojan.Srizbi)
    - Upon compromise by MPack, malware is downloaded; it checks for other rootkits and uninstalls them
    - Storm folks get perturbed, attack MPack malware distribution sites

    Conclusions
    - It's all about layered [network] security - there IS NO silver bullet
    - Behavioral models coupled with real-time threat intelligence (e.g., Arbor's ATLAS) can minimize threats, provide gap insurance and help hardening and prevention
    - Enable account transaction alerting and keep an eye on those credit reports

  • EOF

    Kleber Carriello de Oliveira, [email protected]

    A bot is a servant process on a compromised system, usually installed by a Trojan, though worms have evolved to install bots as well (e.g., Deloder). It communicates with a handler or controller, typically via IRC, often running on public IRC servers or other compromised systems. Almost always unbeknownst to the system's owner - got bot? A botmaster or botherder commands bots to perform any of a number of different functions. The system of bots and controller(s) is referred to as a botnet or zombie network.

    - Attacks employ flooding or amplification against the target, but are actually an attack on intermediate bandwidth resources
    - Improbable anyone can scale to enough bandwidth, because botnets use "our" bandwidth, and there are more bots than we can shake sticks at
    - We can solve many problems when we prune the traffic - but we're not getting the chance to: our pipes are overrun, and often ISPs get flooded and taken offline in the process

    Key Findings
    - Distributed Denial of Service attacks (DDoS) remain the most significant ISP security threat. After the initial flurry of well-publicized DDoS attacks six years ago, the majority of surveyed operators spend more resources addressing DDoS today than any other security threat, including worms and botnets.
    - Attack firepower grows. Respondents report increased frequency and magnitude of multi-gigabit, supra-backbone DDoS attacks. ISPs now regularly report attacks beyond the capacity of core backbone circuits in the 10-20 Gbps range.
    - Zombies rule. Despite the best efforts of firewall, IDS and OS vendors, compromised end systems available to participate in DDoS or other illegal activities number in the millions. And there is no end in sight.
    - ISPs finish the job. Lacking more advanced infrastructure/tools, the majority of ISPs surveyed mitigate attacks by filtering all traffic to the victim. While this is successful in protecting ISP backbones from collapse under DDoS, the mitigation cure may be worse than the original DDoS.
    - No law enforcement engagement. Despite an average of 40 attacks per month that directly impact their customers, most attacks go unreported by ISPs because the majority believes law enforcement cannot effectively assist them.

    Modeling of network transactional information (e.g., via flow-based techniques such as NetFlow), and coupling with control plane data (e.g., BGP prefixes and attributes) can enable baselines (statistical and relational) that allow abnormalities to be identifiedNetwork-based mitigation can be performed, as output of above is actionable and can even be employed to detect zero-day threats (e.g., many families have same behavioral fingerprint but different payload)

    - If a host does X, then Y, then Z, possibly within time t, AND has no history of similar transactions, it is more than likely infected
    - Transactional fingerprints and network behavioral analysis, with real-time threat feeds (e.g., Arbor's Peakflow X & Active Threat Feed)
    - Single-transaction functions are trivial to identify - e.g., connects to known botnet C&C, known phishing site, known malware distribution node, etc.
    - Coupling IP reputation functions with NBA and globally distributed honeynet sensor networks provides zero-day threat detection
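    The "X, then Y, within time t, and no history of similar transactions" rule above and the Blaster signature on the "Threat Modeling and Instrumentation" slide, as one added example over flow records (not code from the deck or from Peakflow). The TCP/135 microflow (5 packets, 1984 bytes) and the follow-on TCP/4444 stage are the slide's figures; the 30-second window, the byte tolerance, the direction of the 4444 flow (attacker toward the freshly exploited host), the baseline host set, the C&C address and the flow records themselves are assumptions and constructed data.

```python
"""Compound temporal signature over flow records: the Blaster two-stage pattern (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start, seconds
    src: str
    dst: str
    proto: str     # "tcp" / "udp"
    dport: int
    pkts: int
    nbytes: int


EXPLOIT_PKTS, EXPLOIT_BYTES, BYTE_TOLERANCE = 5, 1984, 64   # slide figures + assumed tolerance
STAGE_WINDOW = 30.0   # assumed: max seconds between the TCP/135 exploit and the TCP/4444 stage

# Single-transaction indicator (slide: "SYN to known botnet C&C"); constructed address.
KNOWN_CC = frozenset({"192.0.2.66"})


def is_exploit_microflow(f: Flow) -> bool:
    """The slide's 5-packet / 1984-byte TCP/135 transaction."""
    return (f.proto == "tcp" and f.dport == 135 and f.pkts == EXPLOIT_PKTS
            and abs(f.nbytes - EXPLOIT_BYTES) <= BYTE_TOLERANCE)


def detect_blaster(flows: List[Flow], baseline_hosts: FrozenSet[str] = frozenset(),
                   window: float = STAGE_WINDOW) -> List[Tuple[str, str, float, float]]:
    """Return (attacker, victim, t_135, t_4444) for each X-then-Y match within `window`.
    Hosts in `baseline_hosts` have a history of TCP/135 activity (e.g. a vulnerability
    scanner) and are not treated as stage 1 - the 'no history' clause of the rule."""
    pending: Dict[Tuple[str, str], float] = {}
    hits = []
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst)
        if is_exploit_microflow(f) and f.src not in baseline_hosts:
            pending[key] = f.ts
        elif f.proto == "tcp" and f.dport == 4444 and key in pending:
            t0 = pending.pop(key)
            if 0 <= f.ts - t0 <= window:
                hits.append((f.src, f.dst, t0, f.ts))
    return hits


def single_stage_hits(flows: List[Flow], cc: FrozenSet[str] = KNOWN_CC) -> List[str]:
    """Hosts that contacted a known C&C: trivial one-transaction detection."""
    return sorted({f.src for f in flows if f.dst in cc})


# Constructed flow records.
SAMPLE_FLOWS = [
    Flow(100.0, "10.0.0.5", "10.0.0.9", "tcp", 135, 5, 1984),    # exploit microflow
    Flow(101.5, "10.0.0.5", "10.0.0.9", "tcp", 4444, 9, 1210),   # shell stage, 1.5 s later
    Flow(103.0, "10.0.0.9", "10.0.0.5", "udp", 69, 12, 6800),    # victim fetches payload (not scored)
    Flow(200.0, "10.0.0.2", "10.0.0.9", "tcp", 135, 5, 1984),    # scanner with a 135 history
    Flow(300.0, "10.0.0.7", "10.0.0.9", "tcp", 135, 12, 2400),   # ordinary RPC session
    Flow(310.0, "10.0.0.7", "10.0.0.9", "tcp", 4444, 3, 180),    # no stage 1 -> no alert
    Flow(400.0, "10.0.0.8", "10.0.0.9", "tcp", 135, 5, 2000),    # looks like stage 1...
    Flow(450.0, "10.0.0.8", "10.0.0.9", "tcp", 4444, 4, 300),    # ...but 4444 arrives too late
    Flow(500.0, "10.0.0.9", "192.0.2.66", "tcp", 6667, 3, 160),  # new victim joins the C&C
]
BASELINE = frozenset({"10.0.0.2"})

if __name__ == "__main__":
    for hit in detect_blaster(SAMPLE_FLOWS, BASELINE):
        print("compound signature:", hit)
    print("talked to known C&C:", single_stage_hits(SAMPLE_FLOWS))
```

    Only the 10.0.0.5 -> 10.0.0.9 pair trips the compound rule: the scanner is excluded by its baseline, the ordinary RPC session never matches stage 1, and the late TCP/4444 flow falls outside the window. The C&C check needs no state at all, which is the slide's contrast between compound temporal and single-transaction detection.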