Page 1: Zombie or not to be: Through the meshes of Botnets - Guillaume Lovet

Zombie or not to be: Through the meshes of Botnets

- Guillaume Lovet

Page 2

Agenda

• Presentation objectives

• Introduction: a quick overview of Botnets

• Attack scenarios

• Protecting from Botnets

• Q&A

Page 3

Presentation objectives

• Identify the threats that Botnets currently pose to a company, and recognize what to expect in the near future

• Generate consistent and effective security policies to protect against Botnets, from inside and outside the corporate network

Page 4

Introduction

• A Botnet is a network of trojanized computers (bots, or "zombies") that report to, and are commanded through, a Master Server.

• Botnets have existed for years

• Recent rise in their activity

• High deleterious potential and obvious financial value

Botnets are the number 1 Internet security threat today

Page 5

Threats posed by botnets

• Critical data compromise

• Proxying (attacks, spam, phish)

• Hosting of illegal content

• Seeding new malware

• Distributed denial of service

Page 6

Scenario 1: The worm in the fruit

• Multiple infection vectors for bots to intrude into the corporate network:

– Typical: Email, Webpage, IM systems

– Bypassing gateways: CD (cf. W32/YsRailee.A-tr), Laptops (cf. W32/Dumador.DH)

• Once a bot is inside:

– Connect back to the master server

– Receive the order to spread inside the corporate network

– Exfiltrate critical data

Conclusion: strong firewall policies and AV/IPS systems at the edge of the network are not enough

Page 7

Scenario 2: The Cyberterrorist strike

• Botnets are a perfect base to launch Distributed Denial of Service attacks

• Effectively protecting against DDoS is not trivial

• Companies that offer online services lose massive amounts of money when DDoSed (e.g. eBay)

Blackmail & Racket

• Ransom is officially deemed “security consulting costs”

Conclusion: The Botnet problem must be dealt with at its roots – it is, to some extent, everyone's responsibility

Page 8

One possible future scenario: The double-strike seed

• Factors to create a successful worldwide virus outbreak:

– Size of the seeding vector

– Length of the "Opportunity Window"

• Botnet A seeds: the new malware is mass-mailed

• Botnet B extends the opportunity window: it DDoSes the update servers of AV vendors

Conclusion: Tight update policies are not enough

Page 9

Protecting from Botnets

• Some security policies eradicate or mitigate the impact of Botnets on the company’s resources

• Protection must be twofold

• From the "inside" to be immune to:

– Data exfiltration

– Being a vector of cyber-criminal activities (roots of the problem)

• From the "outside" to be immune to:

– Intrusion

– DoS attacks

Page 10

Protecting from bots inside the corporate network Pt I: Security 101

• Use appropriate and consistent firewall rules

– Goal: cut communication to the master server

– Default rule for both inbound and outbound connections: Deny

– Allow only needed services for outbound connections (e.g. HTTP, SMTP, SSH), and only from the hosts that need them

– Enforce the use of an HTTP proxy, so that direct outbound port 80 is closed for users.

– Will not always be sufficient, because of an expected diversification of bot/master protocols: e.g. W32/Dumador.DH is a “full HTTP” bot
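As an added illustration of the rule set above (example code, not from the presentation), the following Python models the egress policy as an ordered allow list with a default deny and evaluates constructed sample flows against it. The subnets, the proxy, mail relay and resolver addresses, the proxy port and the small admin subnet allowed outbound SSH are all assumptions. The proxy flow at the end shows the slide's caveat: whatever passes through the proxy is allowed, so a "full HTTP" bot is not stopped by these rules alone.

```python
"""Egress policy model: default deny, allow only needed services per role.

Added example, not part of the original presentation. All addresses,
subnets and ports are assumed; the flows at the bottom are constructed
test traffic, not captured data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROXY = ip_address("10.0.0.10")       # assumed corporate HTTP proxy
MAIL_RELAY = ip_address("10.0.0.25")  # assumed outbound SMTP relay
RESOLVER = ip_address("10.0.0.53")    # assumed internal DNS resolver
CLIENTS = ip_network("10.0.1.0/24")   # assumed user workstation subnet
ADMINS = ip_network("10.0.1.0/28")    # assumed admin workstations (SSH allowed)
SERVERS = ip_network("10.0.0.0/24")   # assumed server subnet


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def _internal(addr):
    return addr in CLIENTS or addr in SERVERS


# Ordered allow rules: (description, predicate(flow, src_addr, dst_addr)).
# The first matching rule wins; if nothing matches, the verdict is deny,
# which is the default for both directions on the slide.
RULES = [
    ("clients -> proxy",
     lambda f, s, d: s in CLIENTS and d == PROXY and f.dport in (3128, 8080)),
    ("proxy -> internet http/https",
     lambda f, s, d: s == PROXY and not _internal(d) and f.dport in (80, 443)),
    ("mail relay -> internet smtp",
     lambda f, s, d: s == MAIL_RELAY and not _internal(d) and f.dport == 25),
    ("internal -> resolver dns",
     lambda f, s, d: _internal(s) and d == RESOLVER and f.dport == 53),
    ("resolver -> internet dns",
     lambda f, s, d: s == RESOLVER and not _internal(d) and f.dport == 53),
    ("admins -> internet ssh",
     lambda f, s, d: s in ADMINS and not _internal(d) and f.dport == 22),
]


def evaluate(flow):
    """Return (verdict, matched_rule_name) for one outbound flow."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for name, pred in RULES:
        if pred(flow, s, d):
            return "allow", name
    return "deny", "default deny"


def audit(flows):
    """Evaluate a batch of flows; returns {flow: (verdict, rule)}."""
    return {f: evaluate(f) for f in flows}


SAMPLE_FLOWS = [  # constructed, not captured traffic
    Flow("10.0.1.17", "203.0.113.5", 6667),   # IRC bot reporting to its master
    Flow("10.0.1.17", "198.51.100.7", 80),    # direct web access, bypassing proxy
    Flow("10.0.1.17", "10.0.0.10", 3128),     # web access through the proxy
    Flow("10.0.1.17", "203.0.113.9", 25),     # spam bot talking straight to a remote MTA
    Flow("10.0.0.25", "203.0.113.9", 25),     # legitimate mail from the relay
    Flow("10.0.0.10", "198.51.100.7", 80),    # proxy fetching on a client's behalf:
                                              # allowed even if the client is a full-HTTP bot
    Flow("10.0.1.5", "198.51.100.20", 22),    # admin SSH
]

if __name__ == "__main__":
    for flow, (verdict, rule) in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src:>10} -> {flow.dst}:{flow.dport:<5} {verdict:5} ({rule})")
```

In production these predicates become iptables or nftables rules in the same order; running the model over the expected traffic mix before deployment is a cheap way to confirm that nothing except the proxy, the mail relay and the resolver can reach the Internet directly.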

Page 11

Alternate Master/Slave communication channel

Page 12

Alternate Master/Slave communication channel

Page 13

Alternate Master/Slave communication channel

Page 14

Protecting from bots inside the corporate network Pt II: Spot 'em

• Is my network hosting bots?

– Sniff outbound traffic on the gateway for keywords used in Bot/Master communications:

• .login

• .scan

• .status

• .sysinfo

– Set up a DNS redirection to an in-house honeypot (or sinkhole) for blacklisted bot master servers => unveil the infected hosts

– A public "Real-Time Sinkhole List" (RSL) server project for bot master servers, to keep those DNS redirection records up to date
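To make the two detection techniques on this slide concrete, here is an added Python example (not part of the presentation) that scans constructed outbound payload records for the keywords listed above and implements the sinkhole redirection: names on a blacklist of master servers resolve to an in-house sinkhole, and the sinkhole's connection log then names the infected hosts. The keyword list is the slide's; the blacklist, the sinkhole address, the traffic records and the log lines are made up.

```python
"""Spotting bots inside the network: keyword sniffing on outbound traffic,
plus a DNS sinkhole for blacklisted master servers.

Added example, not from the original presentation. The traffic records,
blacklist, sinkhole address and log lines are constructed sample data;
the command keywords are the ones listed on the slide.
"""
import re
from collections import defaultdict

# IRC-style bot commands arrive as "PRIVMSG #chan :.scan ..." or as bare
# ".status" lines; requiring start-of-payload, whitespace or ':' before the
# dot avoids matching ordinary text such as "www.scan.example".
BOT_COMMAND = re.compile(r"(?:^|[\s:])\.(login|scan|status|sysinfo)\b")


def bot_commands(payload):
    """Return the set of bot command keywords present in one payload."""
    return {m.group(1) for m in BOT_COMMAND.finditer(payload)}


def scan_outbound(records):
    """records: (src_ip, dst_ip, dst_port, payload) tuples taken from a
    sniffer on the gateway. Returns {src_ip: sorted keywords seen}, so each
    internal host that talks like a bot is listed once."""
    hits = defaultdict(set)
    for src, _dst, _dport, payload in records:
        hits[src] |= bot_commands(payload)
    return {src: sorted(kws) for src, kws in hits.items() if kws}


SINKHOLE = "10.0.0.200"  # assumed address of the in-house honeypot/sinkhole
BLACKLIST = {"irc.evil-c2.example", "update.bot-master.example"}  # constructed


def resolve(name, upstream):
    """Resolver hook: blacklisted master servers get the sinkhole address,
    everything else goes to the real upstream lookup (passed as a callable)."""
    if name.lower().rstrip(".") in BLACKLIST:
        return SINKHOLE
    return upstream(name)


SINKHOLE_LOG_RE = re.compile(r"\S+ (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+)")


def infected_from_sinkhole_log(lines):
    """Any host connecting to the sinkhole resolved a blacklisted name, so it
    carries a bot. Constructed log format: '<timestamp> <src>:<sport> -> <dport>'.
    Returns {src_ip: sorted destination ports}."""
    hosts = defaultdict(set)
    for line in lines:
        m = SINKHOLE_LOG_RE.match(line)
        if m:
            hosts[m.group(1)].add(int(m.group(2)))
    return {h: sorted(p) for h, p in hosts.items()}


SAMPLE_TRAFFIC = [  # constructed, not captured
    ("10.0.1.17", "203.0.113.5", 6667, "PRIVMSG #b0ts :.login s3cret"),
    ("10.0.1.17", "203.0.113.5", 6667, "PRIVMSG #b0ts :.scan dcom 100 5 0 -r -s"),
    ("10.0.1.42", "198.51.100.7", 80, "GET /index.html HTTP/1.1"),
    ("10.0.1.42", "198.51.100.9", 80, "POST /login HTTP/1.1"),  # no leading dot: clean
    ("10.0.1.99", "203.0.113.5", 6667, "PRIVMSG #b0ts :.sysinfo"),
]

SINKHOLE_LOG = [  # constructed
    "2006-03-01T10:00:01 10.0.1.17:49152 -> 6667",
    "2006-03-01T10:00:05 10.0.1.99:49201 -> 6667",
    "2006-03-01T10:02:11 10.0.1.63:50010 -> 80",
]

if __name__ == "__main__":
    print("keyword hits:", scan_outbound(SAMPLE_TRAFFIC))
    print("sinkholed   :", resolve("irc.evil-c2.example", lambda n: "<real lookup>"))
    print("infected    :", infected_from_sinkhole_log(SINKHOLE_LOG))
```

The keyword sniff catches bots whose master channel is still plain IRC; the sinkhole catches any bot, whatever its protocol, as long as its master name is on the list, which is why the slide pairs the two and why keeping the blacklist current matters.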

Page 15

Protecting from bots outside the corporate network

• Amounts to protecting against known types of attacks, bots being only a vector for those:

– DDoS: Some products exist, but not much can be done against an attack performed by a large botnet. Note that reactive IPS technologies can backfire on their users

– Spam: Antispam & RBL

– Phish: AV integrated into email gateways

– Malware mass-mailing: "push update" AV technology (cf. MyTob's case) combined with a 0-hour detection solution

Page 16

Questions?

Contact: [email protected]