Slide 1
Electrical Engineering and Computer Sciences, University of California, Berkeley
Combating Stealth Malware and Botnets in Higher Education
Educause, Arlington, 2008
Fred Archibald, University of California Berkeley, Electrical Engineering and Computer Sciences
Slide 2
Overview
- EECS network background
- Security concerns
- Existing protections
- FireEye deployment
- Infection examples
- Futures and challenges
Slide 3
EECS Network Background
- EECS is a large department
- Serves more than 4000 undergrads, 500 grad students, 100 faculty, 200 staff
- Network largely separate from the rest of UCB
Slide 4
Security Concerns
- Security is a constant issue
- Berkeley is often a target
- Security is now an arms race
- Hackers have moved from notoriety to crime
- More concern about compliance
Slide 5
Security Concerns
- Mobile devices are a big concern
- Boom in WiFi
- Over-the-air traffic is often insecure
- Less enterprise control over user-owned devices
- EECS uses internal and external WLANs
- Zero-day concerns
Slide 6
Existing Protections
- Enterprise firewall: less effective in an open academic net
- A/V: a struggle to keep up to date
- IDS: a lot of false positives
- Host-based firewalls
- Anti-spam appliances
Slide 7
FireEye Deployment
- Targeted primarily at wireless traffic
- Out-of-band solution, very important for EECS
- Completely clientless, also very important
- Wireless data mirrored to two appliances
Slide 8
FireEye Deployment
- Appliances run traffic against virtual victim clients
- A positive infection can result in alerts or blocks
- Dynamic updates from the Botwall network
Slide 9
(no text captured)
Slide 10
Infection Examples: Spam Bots
Slide 11
Clients Receive Malware: Rustock
Slide 12 to Slide 15
(no text captured)
Slide 16
Rustock (source: Ken Chiang, Levi Lloyd, Sandia National Lab)
- Spam mail bot
- Installs a rootkit
- Installs a SPAM module
- Uses encryption
- Can install any arbitrary code
- Flexible and easy to update
Slide 17
Botted Clients Send Spam
Slide 18 to Slide 19
(no text captured)
Slide 20
Trojan.farfli
Slide 21
(no text captured)
Slide 22
(Excerpt from Symantec)
Discovered: July 29, 2007
Updated: July 29, 2007 8:51:54 AM
Also Known As: TROJ_FARFLI.EY [Trend]
Type: Trojan
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
It then hooks or patches ZwSetValueKey to prevent other threats or security risks overwriting the Start Page registry entry. If it finds a specific Web browser installed, it modifies files so that when a user performs a search it is conducted via the Baidu URL with the specific affiliate name:
Slide 23
Botnet IRC Channel Join: Trojan-Downloader.QQHelper
Slide 24
(no text captured)
Slide 25
User or malware connects to:
http://www.yahoo550.com/image/logo.jpg?queryid=21kXXXXj412
- The user connects to the site with a specific query id
- The site sent the browser a file called logo.jpg
- Really a UPX-packed malware executable
- The browser installed the exe
- Bot communication begins on IRC
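The infection chain on slide 25 turns on one fact the server cannot hide: a file named logo.jpg and labelled image/jpeg that is really a Windows executable still begins with the MZ/PE headers, and a UPX-packed one usually keeps its UPX0/UPX1 section names. The following is an added example, not code from the presentation or from FireEye; it compares a response's declared Content-Type with the body's file magic and walks the PE section table for packer section names. The sample responses, the build_pe fixture and all function names are constructed for the example.

```python
"""Flag an executable served as an image.

Added example, not code from the presentation. Slide 25 describes a file
served as logo.jpg that was really a UPX-packed Windows executable; this
compares a response's declared Content-Type with the body's file magic and
walks the PE section table for UPX section names. The sample responses at
the bottom are constructed fixtures, not captured traffic.
"""
import struct

IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff(body: bytes) -> str:
    """Coarse type from file magic, ignoring whatever the server claimed."""
    for magic, mime in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return mime
    if body[:2] == b"MZ":
        return "application/x-dosexec"
    return "unknown"


def pe_section_names(body: bytes) -> list:
    """Section names from the PE section table; [] if not a well-formed PE."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    n_sections = struct.unpack_from("<H", body, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", body, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size
    names = []
    for _ in range(n_sections):
        if off + 40 > len(body):
            break  # truncated table: report what we have
        names.append(body[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
        off += 40
    return names


def classify_response(content_type: str, body: bytes) -> dict:
    """Compare declared type with sniffed type and look for packer traces."""
    declared = content_type.split(";")[0].strip().lower()
    sniffed = sniff(body)
    names = pe_section_names(body)
    findings = []
    if declared.startswith("image/") and sniffed == "application/x-dosexec":
        findings.append("executable served as image")
    if any(n.startswith("UPX") for n in names):
        findings.append("UPX-packed PE")
    return {"declared": declared, "sniffed": sniffed,
            "sections": names, "findings": findings}


def build_pe(section_names, opt_size=0) -> bytes:
    """Constructed fixture: a PE-shaped blob with the given section names.
    It is not runnable code, only enough header to exercise the parser."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + table


# Constructed sample "responses": (Content-Type header, body).
SAMPLES = {
    "real_logo": ("image/jpeg", b"\xff\xd8\xff\xe0" + b"\0" * 60),
    "fake_logo": ("image/jpeg; charset=binary", build_pe(["UPX0", "UPX1", ".rsrc"])),
    "plain_exe": ("application/octet-stream", build_pe([".text", ".data"])),
}


def scan_samples() -> dict:
    """Findings per sample; only fake_logo should be flagged."""
    return {name: classify_response(ct, body)["findings"]
            for name, (ct, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or 'clean'}")
```

The check is deliberately header-only: a sensor sitting on mirrored wireless traffic sees the response body as it passes, and the MZ/PE magic plus section names are enough to raise an alert without executing anything. Packers other than UPX rename or strip sections, so the section-name test is a cheap first pass, not a substitute for the virtual-victim execution the appliances perform.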
Slide 26
Botnet_W32/Small.HSG
Slide 27 to Slide 28
(no text captured)
Slide 29
Botnet_W32/Small.HSG
Trojan-Downloader:W32/Small.HSG downloads and runs a file that is detected as Trojan-Downloader.Win32.Agent.HQL. It normally arrives as a file dropped by other malware or is downloaded unsuspectingly by the user from a malicious website. Once running on the system, this trojan will download a file from the following website:
http://ymq.a2000150.wrs.mcboo.com/[Removed]
The downloaded file will then be stored as:
%Windows%\17PHolmes2000150.exe
Slide 30
Futures and Challenges
- Move appliances to the network edge
- Capture both wireless and wired traffic
- Mirroring or SPAN difficulties: use a Gigamon data access switch
- Explore OSPF null routing to block traffic to botnets
- More mobile platforms
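Null routing a C2 address is a one-line static route to Null0; the part worth engineering is the validation in front of it, because an indicator feed that contains a campus address or an over-broad prefix black-holes your own users just as effectively as the bot controller. The following is an added example, not from the presentation (which only names OSPF null routing as something to explore): it filters a list of indicators against protected prefixes, collapses the survivors into the fewest covering routes, and emits IOS-style configuration. The IOS syntax, the assumption that tagged static routes are redistributed into OSPF, the indicator list and the protected prefixes are all mine.

```python
"""Plan OSPF null routes (black holes) for botnet C2 addresses.

Added example, not from the presentation: slide 30 only names OSPF null
routing as something to explore. The IOS-style syntax emitted below and the
assumption that tagged static routes are redistributed into OSPF are mine;
the indicator list and the protected prefixes are constructed for the example.
"""
import ipaddress

# Constructed: space that must never be black-holed (RFC 1918 plus a stand-in
# for the department's own public prefix).
PROTECTED = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.51.100.0/24")]


def plan_blackholes(indicators, protected=PROTECTED):
    """Validate indicators; return (accepted networks, rejected (raw, reason)).

    Accepted networks are collapsed into the fewest covering prefixes so that
    adjacent host routes become one route."""
    accepted, rejected = [], []
    for raw in indicators:
        raw = raw.strip()
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            rejected.append((raw, "not an address"))
            continue
        if net.version != 4:
            rejected.append((raw, "ipv4 only"))
            continue
        if any(net.overlaps(p) for p in protected):
            rejected.append((raw, "inside protected prefix"))
            continue
        if net.is_multicast or net.is_loopback or net.is_unspecified:
            rejected.append((raw, "not routable unicast"))
            continue
        if net.prefixlen < 24:
            rejected.append((raw, "prefix too broad"))
            continue
        accepted.append(net)
    return list(ipaddress.collapse_addresses(accepted)), rejected


def ios_config(networks, tag=666, process=1):
    """IOS-style lines: one Null0 static per prefix, tagged so the OSPF
    redistribution route-map matches only black-hole routes."""
    lines = [f"ip route {n.network_address} {n.netmask} Null0 tag {tag}"
             for n in networks]
    lines += [
        "route-map BLACKHOLE permit 10",
        f" match tag {tag}",
        f"router ospf {process}",
        " redistribute static subnets route-map BLACKHOLE",
    ]
    return lines


# Constructed indicator feed: three C2 hosts (two adjacent) plus traps.
SAMPLE_INDICATORS = [
    "203.0.113.5", "203.0.113.6", "203.0.113.7",
    "192.168.1.50",       # RFC 1918: somebody's lab box, not a C2
    "198.51.100.9",       # inside our own (stand-in) public prefix
    "203.0.113.0/16",     # over-broad indicator
    "224.0.0.1",          # multicast
    "not.an.ip",
]

if __name__ == "__main__":
    nets, rejected = plan_blackholes(SAMPLE_INDICATORS)
    print("\n".join(ios_config(nets)))
    for raw, why in rejected:
        print(f"rejected {raw}: {why}")
```

Tagging the statics and matching the tag in the route-map keeps ordinary static routes out of OSPF and makes the black-hole set easy to audit or withdraw. Null routing only stops outbound packets to the listed addresses; a bot that fails over to another controller needs a fresh indicator, which is why the detection side of the deployment still matters.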
Slide 31
Summary
- Our existing protections are no longer adequate
- Botnet traffic was previously difficult to detect
- Botnet detection gives us a new weapon to battle stealth malware
Slide 32
Questions?