Top Botnets and how MAEC can help keep you out of their clutches

Robert A. Martin, Principal Engineer, MITRE Corporation

The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.


Top 5 Bots by Class

  Rank  Data Theft Bots   Spam Bots
  1     Zeus              Rustock
  2     Koobface          Pushdo
  3     Rimecud           Grum
  4     Alureon           Bobax
  5     Carberp           Storm


Data Theft Bots - Zeus

Aliases
• Zbot
• Wsnpoem

Notable Attributes
• Based on widely distributed crimeware ($4000*)
• Rootkit functionality
• Supports dynamic web-page injection
• Takes screenshots and HTML scrapes of target sites
• Has ability to kill target system

Types of Data Stolen
• Trusted web site certificates (X.509 PKI)
• Cached web browser passwords
• Cookies
• FTP and POP account credentials
• Banking login credentials

Related Reading
• Security Fix: Zeus Trojan Infiltrates Bank Security Firm
• Security Fix: PC Invader Costs Ky. County $415,000
• http://www.fortiguard.com/analysis/zeusanalysis.html

*Source: http://www.prevx.com/blog/112/ZEUS-steals-information-from-home-and-business-PCs.html


Data Theft Bots - Koobface

Aliases
• Hiloti
• Facebook.331

Notable Attributes
• Propagates through social networks (e.g. Facebook)
  – Uses cookies of existing sessions
  – Posts malicious status updates
  – Sends malicious messages to friends
• Multi-component based
• Latest variant targets Mac OS X, Linux

Types of Data Stolen
• Windows digital product IDs
• Internet profiles
• Email credentials
• FTP credentials
• IM application credentials

Related Reading
• Koobface Mac Security Threat Described
• 10 things you didn't know about the Koobface gang


Data Theft Bots - Rimecud

Aliases
• Buzus
• Palevo.ann
• SillyFDC
• Boaxxe

Notable Attributes
• Based on crimeware kit
• Propagates via IM, P2P and removable drives
• Multi-component based
• UDP-based C2

Types of Data Stolen
• Keystrokes
• System login credentials
• Stored FireFox/IE credentials

Related Reading
• US Leads in Botnet Infections
• Encyclopedia entry: Worm:Win32/Rimecud.B


Data Theft Bots - Alureon

Aliases
• Zlob
• Femab
• DnsChange
• Tidserv
• TDSS

Notable Attributes
• Rootkit functionality
  – Infects MBR
• Supports dynamic web-page injection
  – Used for click fraud & other purposes
• SSL-based C2

Types of Data Stolen
• URLs visited
• Strings from search engine queries

Related Reading
• MS10-015 Restart Issues Are the Result of Rootkit Infection
• Alureon Evolves to 64 Bit


Data Theft Bots – Carberp

Aliases
• Agent-OZL
• Zbot
• IRCNite

Notable Attributes
• Rootkit functionality
• Does not require admin privileges to run
  – Also, makes no changes to the registry
• Supports control of HTTPS/EV-SSL traffic
• Removes other malware

Types of Data Stolen
• System login credentials
• Windows clipboard data
• Windows product key
• Banking credentials (w/SSL)

Related Reading
• Fresh Trojan Carberp Reported To Be Evolving
• Carberp: Quietly replacing Zeus as the financial malware of choice


Spam Bots - Rustock

Aliases
• Costrat
• Mailbot.c!Rootkit
• Meredrop
• RKRustok

Notable Attributes
• Rootkit functionality
• Capable of TLS encryption for sent email
• Uses Encrypted HTTP for C2
• Around since 2006

Estimated Spam Volume
• 46 billion messages/day*

Related Reading
• Rustock botnet responsible for 40% of spam
• Rustock Botnet Switches Techniques

*Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf


Spam Bots – Grum

Aliases
• Tedroo

Notable Attributes
• Rootkit functionality
• Performs DNS MX lookups to send spam

Estimated Spam Volume
• 18.4 billion messages/day*

Related Reading
• ‘Grum’ Botnet Leads Spam Charge
• Grum and Rustock botnets drive spam to new levels

*Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf


Spam Bots – Bobax

Aliases
• Kraken
• Bobic
• Oderoor
• Cotmonger
• Hacktool.spammer

Notable Attributes
• Uses unencrypted HTTP for C2

Estimated Spam Volume
• 2 billion messages/day*

Related Reading
• Kraken botnet re-emerges 318000 nodes strong
• Security Fix - The Storm Worm's Family Tree

*Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf


Spam Bots – Storm

Aliases
• Nuwar
• Peacomm
• Zhelatin

Notable Attributes
• Likely modified version of ‘original’ Storm worm from 2008
  – Removes P2P functionality
• Rootkit functionality

Estimated Spam Volume
• 2.2 billion messages/day*

Related Reading
• Infamous Storm botnet rises from the grave
• A Breeze of Storm

*Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf


Malware Attribute Enumeration and Characterization (MAEC) & Bots


Why Do We Need to Develop Standards for Malware?

■ Multiple layers of protection
■ Lots of products
■ Inconsistent reports
■ There’s an arms race


Correlate, Integrate, Automate

■ Threats
■ Vulnerabilities
■ Detection
■ Response
■ Platforms


Background

Oct 2004: Initial CME discussions at VB Conference
Feb 2005: CME Submission Server
Oct 2005: CME public announcement and website
Jan 2007: 39 CME IDs assigned
Feb 2007: DHS SwA Forum Malware WG
Dec 2009: MAEC public website
Jun 2010: Initial MAEC Schema

Nimda or I-Worm or Readme?

[Chart: Rise of New Threats. Source: Symantec Global Internet Security Threat Report, Volume XIII, 4/2008]


Malware Attribute Enumeration and Characterization (MAEC)

Focus on attributes and behaviors, not intent and malware families


MAEC Use Cases

■ Operational
■ Analysis
  – Help Guide Analysis Process
  – Standardized Tool Output
  – Malware Repositories


MAEC Overview


MAEC & MSM Standards

MAEC layers: Low-level Actions, Mid-level Behaviors, High-level Mechanisms

How the other MSM standards attach to those layers:
■ CPE – the platform(s) targeted by a malware action.
■ CVE – the vulnerabilities targeted by a malware behavior.
■ CAPEC – the attack pattern(s) exhibited by a malware mechanism or behavior.
■ OVAL – the host-based object(s) created or modified by a malware action.
■ CEE – the event(s) associated with a malware action.


MAEC & Zeus – Host Based Detection I

Zeus Binary
  -> Malware Analysis Engine (Anubis, CWSandbox, ThreatExpert, etc.)
  -> Engine Output
  -> Sandbox -> MAEC Translator
  -> MAEC Output
  -> Host-based Scanner


MAEC & Zeus – Host Based Detection II: Real World Example

Zeus Binary
  -> Anubis Sandbox
  -> Anubis Output*
  -> Anubis MAEC Translator Script
  -> MAEC Output
  -> MAEC OVAL Translator Script
  -> OVAL Output

*http://anubis.iseclab.org/?action=result&task_id=1167a57d1aa905e949df5d5478ab23bf9


MAEC Schema Overview – Initial Release

Top-level schema types: ActionType, BehaviorType, ObjectType
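The two "Host Based Detection" slides and the schema triad above describe a pipeline (sandbox output -> MAEC translator -> MAEC output -> host-based check) without showing what flows through it. The following is an added example, not code from the MITRE deck or from the MAEC project: a miniature of that pipeline in Python. The sandbox report format, the sample name, the dropped-file path and the registry key are all constructed for the example; the `MAEC_Bundle`/`Action`/`Object` element names and the `create_file`/`set_registry_value` action types are illustrative, shaped after the ActionType/ObjectType triad on the slide rather than taken from the real MAEC or OVAL schemas; and `scan_host` stands in for the host-based scanner with a simple existence test per persistent object.

```python
"""Added example (not from the MITRE deck or the MAEC project): sandbox
report -> MAEC-style Action/Object records -> host checks -> scan result.
Element names, paths, keys and the report format are constructed."""
import json
import xml.etree.ElementTree as ET

# Constructed sandbox report in a simplified JSON form.  Real engines such
# as Anubis emit their own formats; this stands in for "Engine Output".
SANDBOX_REPORT = json.dumps({
    "sample": "EXAMPLE_sample.exe",
    "file_activity": [
        {"op": "create", "path": "C:\\WINDOWS\\system32\\EXAMPLE_dropped.exe"},
        {"op": "read",   "path": "C:\\WINDOWS\\system32\\kernel32.dll"},
    ],
    "registry_activity": [
        {"op": "set",
         "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
         "value": "EXAMPLE_autostart"},
    ],
})

# (category, sandbox op) -> (illustrative MAEC action type, object type,
# leaves a persistent artefact?).  Only persistent artefacts become checks.
ACTION_MAP = {
    ("file", "create"):  ("create_file", "file", True),
    ("file", "read"):    ("read_file", "file", False),
    ("registry", "set"): ("set_registry_value", "registry_key", True),
}


def translate_to_maec(report_json):
    """Sandbox report -> list of (action_type, object_type, attrs, persistent)."""
    report = json.loads(report_json)
    actions = []
    for entry in report.get("file_activity", []):
        action, obj_type, persistent = ACTION_MAP[("file", entry["op"])]
        actions.append((action, obj_type, {"path": entry["path"]}, persistent))
    for entry in report.get("registry_activity", []):
        action, obj_type, persistent = ACTION_MAP[("registry", entry["op"])]
        actions.append((action, obj_type,
                        {"key": entry["key"], "value": entry["value"]}, persistent))
    return actions


def to_maec_xml(actions):
    """Serialise the actions as an illustrative MAEC-like bundle (not schema-valid MAEC)."""
    bundle = ET.Element("MAEC_Bundle")
    acts = ET.SubElement(bundle, "Actions")
    for i, (action, obj_type, attrs, _) in enumerate(actions, 1):
        a = ET.SubElement(acts, "Action", id=f"maec-act-{i}", type=action)
        o = ET.SubElement(a, "Object", type=obj_type)
        for name, value in attrs.items():
            ET.SubElement(o, name).text = value
    return ET.tostring(bundle, encoding="unicode")


def to_host_checks(actions):
    """MAEC actions -> host checks: one existence test per persistent object
    (the role the MAEC -> OVAL translator plays on the slide)."""
    return [(obj_type, attrs) for _, obj_type, attrs, persistent in actions if persistent]


# Constructed host snapshots standing in for what a host-based scanner sees.
CLEAN_HOST = {
    "files": {"C:\\WINDOWS\\system32\\kernel32.dll"},
    "registry": {("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Sidebar")},
}
INFECTED_HOST = {
    "files": {"C:\\WINDOWS\\system32\\kernel32.dll",
              "C:\\WINDOWS\\system32\\EXAMPLE_dropped.exe"},
    "registry": {("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                  "EXAMPLE_autostart")},
}


def scan_host(host, checks):
    """Return the checks that hit on this host; any hit means the artefacts are present."""
    hits = []
    for obj_type, attrs in checks:
        if obj_type == "file" and attrs["path"] in host["files"]:
            hits.append(("file", attrs["path"]))
        elif obj_type == "registry_key" and (attrs["key"], attrs["value"]) in host["registry"]:
            hits.append(("registry_key", attrs["key"] + "\\" + attrs["value"]))
    return hits


if __name__ == "__main__":
    acts = translate_to_maec(SANDBOX_REPORT)
    print(to_maec_xml(acts))
    checks = to_host_checks(acts)
    print("clean host hits:   ", scan_host(CLEAN_HOST, checks))
    print("infected host hits:", scan_host(INFECTED_HOST, checks))
```

The point of the split into `translate_to_maec`, `to_host_checks` and `scan_host` is the one the slides make: the sandbox-specific parsing happens once, the intermediate representation is engine-neutral, and the host check is derived from it rather than hand-written, so a second engine only needs a second translator. Note that the read of `kernel32.dll` is translated but deliberately not turned into a check, since a transient read leaves nothing on the host to look for.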


MAEC & Zeus: Profiling C2

MAEC Mechanism: C2
  MAEC Behavior: Get Configuration
  MAEC Behavior: Beacon
  MAEC Behavior: Receive Command
  MAEC Behavior: Send Data


MAEC & Zeus C2 I

Mechanism: C2 > Behavior: Get Configuration
(sibling behaviors: Beacon, Recv Command, Send Data)

MAEC Behavior: C2 Get Configuration
  Protocol: HTTP
  Encryption Type: RC4/custom
  MAEC Action: http_get
    MAEC Object: http_connection
      Method: GET
      Parameter: /config.bin
      Response: HTTP/1.1 200 OK
      Response Body: <encrypted config.bin file>
      Response Content Length: 1212 bytes
    MAEC Object: tcp_connection
      External IP: xxx.xxx.xxx.xxx
      External Port: 80


MAEC & Zeus C2 II

Mechanism: C2 > Behavior: Beacon
(sibling behaviors: Get Configuration, Recv Command, Send Data)

MAEC Behavior: C2 Beacon
  Protocol: HTTP
  Encryption Type: RC4/custom
  Frequency: 1/20 minutes
  MAEC Action: http_post
    MAEC Object: http_connection
      Method: POST
      POST Data: <encrypted statistics>
      Parameter: .*/gate.php
      Response: HTTP/1.1 200 OK
      Response Body: <encrypted static string>
      Response Content Length: 44 bytes
    MAEC Object: tcp_connection
      External IP: xxx.xxx.xxx.xxx
      External Port: 80


MAEC & Zeus C2 III

Mechanism: C2 > Behavior: Recv Command
(sibling behaviors: Get Configuration, Beacon, Send Data)

MAEC Behavior: C2 Receive Command
  Protocol: HTTP
  Encryption Type: RC4/custom
  Supported Commands: reboot, kos, shutdown, bc_add, bc_del, block_url, unblock_url, block_fake, getfile, getcerts, resetgrab, upcfg, rename_bot …
  MAEC Action: decode_http_response
    MAEC Object: http_connection
      Response Body: <encrypted command string>
      Response Content Length: > 44 bytes
    MAEC Object: tcp_connection
      External IP: xxx.xxx.xxx.xxx
      External Port: 80


MAEC & Zeus C2 IV

Mechanism: C2 > Behavior: Send Data
(sibling behaviors: Get Configuration, Beacon, Recv Command)

MAEC Behavior: C2 Send Data
  Protocol: HTTP
  Encryption Type: RC4/custom
  MAEC Action: http_post
    MAEC Object: http_connection
      Method: POST
      POST Data: <encrypted stolen data>
      Parameter: .*/gate.php
      Response: HTTP/1.1 200 OK
    MAEC Object: tcp_connection
      External IP: xxx.xxx.xxx.xxx
      External Port: 80
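The four C2 slides above profile Zeus at the Mechanism > Behavior > Action > Object level using only observable fields (method, URL pattern, status, response length, port, cadence). As an added example that is not code from the MITRE deck, here is that profile written as matching rules in Python and run over a constructed web-proxy log, labelling each request with every profiled behavior it satisfies and flagging hosts whose POST cadence to gate.php matches the slides' one-beacon-per-20-minutes. The log format, hostnames, IP addresses (documentation ranges), timestamps and the 10% cadence tolerance are all constructed assumptions; the field names and values inside the rules come from the slides.

```python
"""Added example, not from the MITRE deck: the slides' Zeus C2 profile
(Mechanism -> Behaviors -> Actions -> Objects) as matching rules applied to
constructed proxy log records.  Log format, hosts, IPs, timestamps and the
cadence tolerance are constructed assumptions."""
import re
import statistics
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MaecObject:
    type: str          # MAEC object type from the slides, e.g. http_connection
    attributes: dict   # log field -> literal, compiled regex, or predicate


@dataclass
class MaecBehavior:
    name: str          # MAEC behavior name from the slides
    action: str        # MAEC action type from the slides
    objects: list      # MaecObject list; every object must match


GATE = re.compile(r".*/gate\.php$")
PATTERN_TYPE = type(GATE)

# The Zeus C2 mechanism as profiled on the slides.  Only fields the slides
# constrain are checked; "Send Data" has no response-length bound there, so on
# these observables it overlaps with Beacon and Receive Command.
ZEUS_C2 = [
    MaecBehavior("Get Configuration", "http_get", [
        MaecObject("http_connection", {"method": "GET", "status": "200",
                                       "url": re.compile(r".*/config\.bin$"),
                                       "resp_len": lambda n: n == 1212}),
        MaecObject("tcp_connection", {"dst_port": "80"})]),
    MaecBehavior("Beacon", "http_post", [
        MaecObject("http_connection", {"method": "POST", "status": "200",
                                       "url": GATE, "resp_len": lambda n: n == 44}),
        MaecObject("tcp_connection", {"dst_port": "80"})]),
    MaecBehavior("Receive Command", "decode_http_response", [
        MaecObject("http_connection", {"url": GATE, "resp_len": lambda n: n > 44}),
        MaecObject("tcp_connection", {"dst_port": "80"})]),
    MaecBehavior("Send Data", "http_post", [
        MaecObject("http_connection", {"method": "POST", "status": "200", "url": GATE}),
        MaecObject("tcp_connection", {"dst_port": "80"})]),
]

# Constructed proxy log. Columns: time src method url status resp_len dst_ip dst_port
SAMPLE_LOG = """\
2010-09-01T10:00:00 10.0.0.5 GET http://203.0.113.10/config.bin 200 1212 203.0.113.10 80
2010-09-01T10:00:05 10.0.0.5 POST http://203.0.113.10/gate.php 200 44 203.0.113.10 80
2010-09-01T10:20:05 10.0.0.5 POST http://203.0.113.10/gate.php 200 44 203.0.113.10 80
2010-09-01T10:40:06 10.0.0.5 POST http://203.0.113.10/gate.php 200 312 203.0.113.10 80
2010-09-01T11:00:05 10.0.0.5 POST http://203.0.113.10/gate.php 200 44 203.0.113.10 80
2010-09-01T10:03:00 10.0.0.7 GET http://example.org/index.html 200 5120 198.51.100.4 80
2010-09-01T10:09:00 10.0.0.7 POST http://example.org/login 200 44 198.51.100.4 80
"""
FIELDS = ["time", "src", "method", "url", "status", "resp_len", "dst_ip", "dst_port"]


def parse_log(text):
    """Parse the constructed log into dicts, typing the time and length fields."""
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = dict(zip(FIELDS, line.split()))
            rec["time"] = datetime.fromisoformat(rec["time"])
            rec["resp_len"] = int(rec["resp_len"])
            records.append(rec)
    return records


def _matches(expected, value):
    if isinstance(expected, PATTERN_TYPE):
        return expected.match(value) is not None
    if callable(expected):
        return bool(expected(value))
    return expected == value


def match_behaviors(rec, profile=ZEUS_C2):
    """Names of every profiled behavior whose objects all match this record."""
    return [b.name for b in profile
            if all(_matches(exp, rec[field])
                   for obj in b.objects for field, exp in obj.attributes.items())]


def beacon_cadence(records, period_s=20 * 60, tolerance=0.10):
    """Per source host, median gap between gate.php POSTs; return hosts whose
    cadence is within +/-tolerance of the slides' one beacon per 20 minutes."""
    posts = {}
    for rec in records:
        if rec["method"] == "POST" and GATE.match(rec["url"]):
            posts.setdefault(rec["src"], []).append(rec["time"])
    flagged = {}
    for src, times in posts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2:
            med = statistics.median(gaps)
            if abs(med - period_s) <= tolerance * period_s:
                flagged[src] = med
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(rec["time"].time(), rec["src"], rec["method"], rec["url"],
              ", ".join(match_behaviors(rec)) or "-")
    print("hosts beaconing at ~20 min:", beacon_cadence(recs))
```

Two things the output makes visible that the slides only imply. First, the Beacon and Send Data behaviors share the same action and object signature (POST to gate.php, 200 OK, port 80) and differ only in the encrypted POST body, so a network observer cannot separate them from these fields alone; `match_behaviors` therefore returns both rather than guessing. Second, the Receive Command behavior is detectable from the response side (a gate.php reply longer than the 44-byte static string), and the 20-minute cadence on the Beacon slide is the strongest host-level signal, which is why `beacon_cadence` works from the inter-arrival times rather than from any single request.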


Emerging Collaboration

■ Related MSM Efforts
  – There is significant overlap between MAEC, CAPEC, and CEE in describing observed actions, objects, and states.
  – As such, we’re working on developing a common schematic structure of observables for use in these efforts.
■ Others
  – Feature requests on Handshake group, discussion list
    ■ Anubis & ThreatExpert translators are being developed as a result of a user request
    ■ We encourage submission of any other such requests


MAEC Community: Discussion List

■ Request to join: http://maec.mitre.org/community/discussionlist.html
■ Archives available


MAEC Community: MAEC Development Group on Handshake

■ MITRE hosts a social networking collaboration environment: https://handshake.mitre.org
■ Supplement to mailing list to facilitate collaborative schema development


Future Development Plans

■ Expand MAEC coverage of network attributes
  – Possible focus: bots/botnets
■ Create RDF/OWL ontology based on MAEC schema
■ Revise schema to better support characterization of relationships between actions/behaviors
■ Implement common observables schema
  – Based on MAEC/CAPEC/CEE collaboration
■ Encourage and invite more participation in the development process
  – MAEC Website: http://maec.mitre.org (contains MAEC Discussion list sign-up)
  – MAEC Handshake Group


Summary

■ MAEC is attempting to address many of the issues that are integral to accurate and unambiguous communication about malware
■ The adoption of MAEC will facilitate new methods of correlation and automation against malware
■ MAEC is an open, collaborative effort. It needs expertise and input from various parties in order to be successful