BOTNETS & TARGETED MALWARE Fernando Uribe
Page 1: BotNets  & Targeted Malware

BOTNETS & TARGETED MALWARE

Fernando Uribe

Page 2: BotNets  & Targeted Malware

INTRODUCTION

Fernando Uribe, Email: [email protected]. IT trainer and consultant for over 15 years, specializing in cyber security.

Page 3: BotNets  & Targeted Malware

WHAT IS A BOT?

Bot, short for robot, is the name given to malware which is installed on vulnerable devices and used to receive commands.

Once a vulnerable machine is infected with a bot, it can also be called a “zombie”, since the bot lies dormant.

Page 4: BotNets  & Targeted Malware

WHAT IS A BOTNET?

When one has multiple zombie machines under a single controller, it’s known as a botnet.

Botnets can be used for good, like web crawling or search engine indexing.

The majority of the time, botnets are used for distributed denial of service attacks.

DDOS is when a target is attacked by multiple zombie machines simultaneously.

Usually, bots are controlled through an IRC channel via a command and control program.

People who operate botnets are usually called bot herders.

Page 5: BotNets  & Targeted Malware

HOW DO BOTNETS GET CREATED?

There are several phases to this:

1. Setup of command and control
2. Release bot to infect
3. Have zombie propagate
4. Bots connect to C&C, ready to receive instructions
5. Command is given to attack target
6. Bots attack said target

Page 6: BotNets  & Targeted Malware

SETUP OF COMMAND AND CONTROL

Attackers may use various tools (one example is Poison Ivy), or they may create their own.

Page 7: BotNets  & Targeted Malware

RELEASE BOT TO INFECT

This could be done via social engineering, phishing, or fake websites.

Page 8: BotNets  & Targeted Malware

PROPAGATE

Depending on the bot, this could occur in ways similar to worm infection or malware installation.

Page 9: BotNets  & Targeted Malware

CONNECT TO C&C

Think “ET phone home!”: the bots try to connect to the programmed IRC channel and report their status.

Page 10: BotNets  & Targeted Malware

COMMAND SENT

The command is for a coordinated and automated attack of a target.

Page 11: BotNets  & Targeted Malware

ATTACK ORDERED

Once the bots receive the command, they start the attack and continue until told otherwise.

Usually a DDOS.

Page 12: BotNets  & Targeted Malware

RECOGNIZING DOS

A few ways to recognize a possible DDOS attack:

- Websites unavailable
- Specific site not available
- Network access bogged down
- Increase of spam received in large amounts

Page 13: BotNets  & Targeted Malware

DETECTING DDOS

Ways to detect:

- Activity profiling
- Changepoint detection
- Wavelet-based signal analysis

Page 14: BotNets  & Targeted Malware

ACTIVITY PROFILING

This is the average packet rate for a network flow. A flow is made up of consecutive packets with like fields. An attack is identified when the activity level increases.

Page 15: BotNets  & Targeted Malware

CHANGEPOINT DETECTION

Points out the change in traffic during an attack. Identifies the difference between actual and expected traffic. Can also be used to identify scanning activities within your network.
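The two detection methods above, activity profiling and changepoint detection, as one added example (not code from the slides): packets are binned per second, a one-sided CUSUM compares actual against expected (baseline) traffic, and the flow class with like fields that dominates after the changepoint is reported. The flow records, addresses and thresholds are constructed for the example.

```python
"""Activity profiling and CUSUM changepoint detection over constructed flows."""
from collections import Counter

# Constructed sample flows: (second, src_ip, dst_ip, dst_port, packets).
# Seconds 0-5 are normal traffic; seconds 6-9 are a flood to port 80 from
# five hosts, i.e. the activity-level increase the slides describe.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443, 12), (0, "10.0.0.7", "203.0.113.10", 80, 8),
    (1, "10.0.0.5", "203.0.113.10", 443, 11), (1, "10.0.0.9", "203.0.113.10", 80, 7),
    (2, "10.0.0.7", "203.0.113.10", 80, 13), (2, "10.0.0.9", "203.0.113.10", 443, 9),
    (3, "10.0.0.5", "203.0.113.10", 80, 12), (3, "10.0.0.7", "203.0.113.10", 443, 8),
    (4, "10.0.0.9", "203.0.113.10", 443, 10), (4, "10.0.0.5", "203.0.113.10", 80, 9),
    (5, "10.0.0.7", "203.0.113.10", 443, 11), (5, "10.0.0.9", "203.0.113.10", 80, 10),
] + [(t, f"198.51.100.{i}", "203.0.113.10", 80, 40)
     for t in range(6, 10) for i in range(1, 6)]

def packets_per_second(flows):
    """Activity profile: total packets in each one-second bin, in time order."""
    bins = Counter()
    for second, _src, _dst, _port, pkts in flows:
        bins[second] += pkts
    return [bins[t] for t in range(min(bins), max(bins) + 1)]

def cusum_changepoint(series, baseline_len, k=0.5, h=5.0):
    """Changepoint detection: expected traffic is the mean of the first
    baseline_len bins; a one-sided CUSUM accumulates the standardised excess of
    actual over expected (minus slack k) and fires when it exceeds h.
    Returns the index of the first bin past the threshold, or None."""
    base = series[:baseline_len]
    mu = sum(base) / len(base)
    sigma = (sum((x - mu) ** 2 for x in base) / len(base)) ** 0.5 or 1.0
    s = 0.0
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mu) / sigma - k)
        if s > h:
            return i
    return None

def dominant_flow(flows, since_second):
    """After a changepoint, the (dst_ip, dst_port) receiving the most packets:
    the run of packets 'with like fields' that makes up the flood."""
    totals = Counter()
    for second, _src, dst, port, pkts in flows:
        if second >= since_second:
            totals[(dst, port)] += pkts
    return totals.most_common(1)[0][0]

if __name__ == "__main__":
    cp = cusum_changepoint(packets_per_second(FLOWS), baseline_len=6)
    print("changepoint at second", cp, "target:", dominant_flow(FLOWS, cp))
```

On real data the baseline should come from a quiet period and the slack k and threshold h tuned to the normal variance, otherwise bursty legitimate traffic trips the detector.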

Page 16: BotNets  & Targeted Malware

WAVELET SIGNAL ANALYSIS

Analyzes the input signal in terms of its spectral components. Wavelets give a concurrent description of time and frequency. By analyzing the spectral data one can determine the presence of an anomaly, so they help you identify the time when anomalies may have occurred.

Page 17: BotNets  & Targeted Malware

ONCE WE KNOW WE MITIGATE ATTACK

Two examples of methods to mitigate a DDOS:

- Load balancing
- Throttling

Page 18: BotNets  & Targeted Malware

DEFENDING AGAINST BOTNETS

- RFC 3704 filtering
- Black hole filtering
- Cisco IPS source IP reputation filtering
- DDOS prevention offering from ISP or DDOS service

Page 19: BotNets  & Targeted Malware

RFC 3704 FILTERING

Also known as ingress filtering for multihomed networks. You're basically filtering out traffic arriving from the internet whose source address is in private IP address space. Remember that private IPs are not routable on public networks.
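An RFC 3704-style ingress filter for an internet-facing interface, as an added example (not code from the slides, and not any vendor's configuration): packets with private or otherwise non-routable source addresses are dropped, as are packets that claim the site's own prefix, and a reverse-path check then handles the multihomed case. The prefixes, interface names and routing table are constructed for the example.

```python
"""RFC 3704-style ingress filter for an internet-facing interface (added
example; not from the slides, and not any vendor's configuration)."""
import ipaddress

# Private/non-routable source space that should never arrive from the internet
# (RFC 1918 plus loopback, link-local, "this network", multicast, reserved).
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]
# Constructed multihomed site: our own prefix plus two upstream links, and a
# routing table mapping prefix -> egress interface (abbreviated; a real router
# holds the full table).
INTERNAL = ipaddress.ip_network("203.0.113.0/24")
ROUTES = {
    INTERNAL: "lan0",
    ipaddress.ip_network("198.51.100.0/24"): "isp1",
    ipaddress.ip_network("192.0.2.0/24"): "isp2",
}

def reverse_path(addr):
    """Longest-prefix match; returns (egress interface, prefix) or (None, None)."""
    matches = [n for n in ROUTES if addr in n]
    if not matches:
        return None, None
    best = max(matches, key=lambda n: n.prefixlen)
    return ROUTES[best], best

def ingress_verdict(src, arrival_iface, mode="loose"):
    """Decide whether a packet with source src arriving on arrival_iface from
    an upstream may enter. Order: drop bogon sources, drop sources claiming our
    own prefix (spoofed internal), then a reverse-path check: 'loose' needs any
    route back to src; 'strict' needs that route to leave on the arrival
    interface (too strict for asymmetric multihoming, hence 'loose' here)."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "drop", "non-routable source"
    if addr in INTERNAL:
        return "drop", "spoofed internal source"
    egress, _prefix = reverse_path(addr)
    if egress is None:
        return "drop", "no route back to source"
    if mode == "strict" and egress != arrival_iface:
        return "drop", "strict RPF: route back is via " + egress
    return "accept", "ok"

if __name__ == "__main__":
    for src, iface in (("192.168.1.5", "isp1"), ("203.0.113.9", "isp2"),
                       ("198.51.100.7", "isp1"), ("192.0.2.3", "isp1")):
        print(src, iface, ingress_verdict(src, iface), ingress_verdict(src, iface, "strict"))
```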

Page 20: BotNets  & Targeted Malware

BLACK HOLE FILTERING

Drops packets at the routing level. Normally, when a packet does not reach its destination, a request to resend is sent back, which would continue the attack. Black hole filtering simply drops the packet without informing the source.

Page 21: BotNets  & Targeted Malware

CISCO IPS SOURCE IP REPUTATION FILTERING

Used by Cisco IPS. A database that deems whether an IP or service is a possible threat.

Page 22: BotNets  & Targeted Malware

DDOS PREVENTION FROM ISP

Helps prevent IP spoofing at the ISP level. Uses DHCP snooping to make sure hosts use the IP addresses assigned to them. Creates, in a way, a whitelist of which IP addresses can access your network.

Page 23: BotNets  & Targeted Malware

TARGETED MALWARE

A different method of malware attack, where an individual or entity is specifically targeted.

Usually malware uses an “artillery” approach, to hit and infect as many as possible.

Main objectives could be obtaining access to sensitive information, or disruption.

Page 24: BotNets  & Targeted Malware

HOW IT WORKS

Attackers use all the tricks in the book: fake emails, malware-filled websites.

They research their victims to be able to extract information. With the information gathered, a greater social engineering attack can be successfully completed. Since the attacks are targeted at a smaller audience, they sometimes slip through the cracks due to not getting reported.

Page 25: BotNets  & Targeted Malware

EXAMPLES OF TARGETED MALWARE

- Stuxnet worm: specifically targets industrial control systems
- Hotord Trojan and Ginwui4: both used in corporate espionage

Page 26: BotNets  & Targeted Malware

DETECT AND MITIGATE

Some methods of detecting and mitigating malware:

- Heuristics
- Multi-layered pattern scanning
- Traffic-origin scanning
- Behavior observation

Page 27: BotNets  & Targeted Malware

THANK YOU