©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.
Botnets: The clone army of cybercrime
Avi Turiel, Geffen Tzur
Agenda
• Botnet 101
• Evolution
• What they do
• Setting up a botnet
• A day in the life
• Evading detection
• Ghost hosts
• Q3 Cyberthreat data
Diagram: Botmaster → C&C sends orders to bots (peer to peer) → bots carry out orders (DDoS, malware, spam, click fraud) → new bots recruited
Global C&C distribution
United States, 30.09%
Netherlands, 8.85%
Germany, 7.96%
Australia, 6.19%
Indonesia, 5.31%
Turkey, 5.31%
Brazil, 4.87%
France, 4.87%
Russian Federation, 4.42%
Canada, 2.65%
Others, 19.47%
“Distributed computing”
If malware communicates – is it a bot?
Ransomware C&C – Q3 2016
United States, 33.11%
Russian Federation, 14.29%
Ukraine, 8.40%
Netherlands, 7.23%
Germany, 6.89%
France, 6.22%
Portugal, 4.03%
Turkey, 1.51%
Czech Republic, 1.51%
Spain, 1.34%
Others, 15.46%
Evolution of botnets
What Botnets Do
• Malware distribution
• Distributed Denial-of-Service (DDoS) attacks
• Spam and phishing emails
• Sniffing & keyloggers
• Click-fraud
• Online polls and social media manipulation
• Ticketing
Bot hotspots
India, 30.69%
Iran, 10.43%
Vietnam, 8.37%
Pakistan, 6.89%
Mexico, 4.33%
China, 3.85%
Brazil, 3.04%
Algeria, 1.98%
Tunisia, 1.97%
Thailand, 1.90%
Others, 26.55%
Poll: Found a bot?
• Has a bot ever been detected in your organization?
• Yes
• Not that I am aware of
Setting up a botnet
• Basic botnet infrastructure can be set up in approximately 15 to 20 minutes
• Tailored systems are more expensive, more complex and less vulnerable
• Online vendors, tools, and even sponsors
• Botnet rental is an option
• DDoS packages from $0.66/day to $34.99/month
Setting up a Zeus botnet - Server
• Zeus 2.0.9.15 Management Panel
• Linux server with an Apache Web server and other standard components
• Copy contents of zip file and -- Install --
Setting up a Zeus botnet - malware
• Set up config file
• Choose .jpg image
• Steganography used to hide the encrypted configuration inside the image
• Executable file is tailored to this botnet
Running Zeus botnet – control panel
• Next step is distribution…
Day in the life of a Necurs bot
• Necurs distributes spam and malware – most notably Locky ransomware
• Bot is 2 year old malware detected as W32/Necurs.C.gen!Eldorado
Day in the life of a Necurs bot
• 10:05 – 10:08 am – A comfy working environment
• Looks for virtual environments, debuggers, and other monitoring tools
• Install, create services (syshost32)
• Check language of host machine
• Bypass firewall
Day in the life of a Necurs bot
• 10:08 – 10:19 am – Is anybody out there?
• Test DNS resolution of facebook.com
• Tries DGA with 4 domains
• Tries qcmbartuop.bit 57 times
• Tries DGA to 2076 domains
• Tries hardcoded IP addresses
Day in the life of a Necurs bot
• 10:20 – 4:30 pm – Contact! Receive mission data
• Hardcoded IP address responds – C&C found
• Bot sends encrypted updates about host
• C&C sends bot encrypted updated malware, spam targets and messages
Day in the life of a Necurs bot
• 10:21 pm – 11:14 pm – Spam campaign
• Attempts connection to Gmail and Yahoo servers
• Eventually succeeds via Yahoo and Live (Hotmail) servers
Day in the life of a Necurs bot
• 10:47 am – Locky campaign
Hiding bot communications
• Tor network
  • Anonymous, encrypted
  • Latencies, slow-downs, and unreliability
• Domain Generation Algorithm (DGA)
  • Thousands of random names – only a few are actually responsive C&C
• IRC
  • 1st generation botnet technology – now seeing reuse
• Legitimate services
  • Twitter, Pinterest, Dropbox, Pastebin, Imgur and Evernote
• Steganography
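The DGA behaviour above and the Necurs resolution phase (facebook.com resolves, then hundreds of generated names fail) leave a distinctive trace in resolver logs: a burst of NXDOMAIN answers for many distinct names from one client. The following detector is an added example written for this page, not CYREN's code; the log format, client addresses and generated-looking names are constructed for illustration.

```python
"""Flag clients that produce a burst of NXDOMAIN answers for many distinct names
within a short window, the pattern a DGA-driven bot leaves in resolver logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample resolver log (not from the slides): "time client qname rcode".
# One NOERROR control query, then repeats of a dead name, then a spread of random names.
SAMPLE_LOG = """\
10:05:12 10.0.0.7 facebook.com NOERROR
10:08:01 10.0.0.7 qcmbartuop.bit NXDOMAIN
10:08:02 10.0.0.7 qcmbartuop.bit NXDOMAIN
10:08:03 10.0.0.7 qcmbartuop.bit NXDOMAIN
10:08:05 10.0.0.7 hjdkslwqpz.com NXDOMAIN
10:08:06 10.0.0.7 zxcmvbnqwe.net NXDOMAIN
10:08:07 10.0.0.7 plokmijnuh.org NXDOMAIN
10:08:08 10.0.0.7 qazwsxedcr.info NXDOMAIN
10:08:09 10.0.0.7 tgbyhnujmi.biz NXDOMAIN
10:09:00 10.0.0.9 intranet.example.com NOERROR
10:09:30 10.0.0.9 old-printer.example.com NXDOMAIN
"""

def parse_line(line):
    ts, client, qname, rcode = line.split()
    return datetime.strptime(ts, "%H:%M:%S"), client, qname.lower(), rcode

def find_dga_suspects(log_text, window=timedelta(minutes=5), min_distinct=5):
    """Return {client: distinct_failed_names} for clients crossing the threshold.
    Repeated failures for the same name count once, so a bot hammering one dead
    domain (or a stale internal record) does not trigger; a spread of names does."""
    windows = defaultdict(deque)   # client -> recent (time, qname) NXDOMAIN events
    suspects = {}
    for line in log_text.splitlines():
        ts, client, qname, rcode = parse_line(line)
        if rcode != "NXDOMAIN":
            continue
        events = windows[client]
        events.append((ts, qname))
        while events and ts - events[0][0] > window:   # drop events outside the window
            events.popleft()
        distinct = {name for _, name in events}
        if len(distinct) >= min_distinct:
            suspects[client] = max(len(distinct), suspects.get(client, 0))
    return suspects
```

Tune the window and threshold against a baseline of your own resolver logs; a client on a flaky network or a host with many stale DNS records should stay below it.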
Encrypted, complex protocols
Bot command:
0x01 = No operation, just contacting C&C server
0x02 = Execute payload via shellcode or [binary file]
0x03 = Retrieve system information (e.g. internal IP, domain name, processes, etc.)
0x04 = Retrieve software installed
0x05 = Retrieve web browser history
0x64 = Execute shellcode
0xDC = Retrieve Windows folder timestamp
Session ID
“Ghost Host”
1. Known malware accesses domain – so domain is blocked
2. Subsequent access to the “bad” IP address uses different HTTP Host headers – the “ghost hosts” – which are not blocked by many Web security solutions
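A name-based blocklist misses the second step because only the Host header changes while the destination IP stays the same. One defensive rule is to taint the IP once it has served a blocked name and flag later allowed requests to that IP under any other Host. This is an added example for this page, not CYREN's code; the proxy log format, addresses and host names are constructed, and the shared-IP allowlist is an assumption about how a practitioner would avoid false positives on CDNs.

```python
"""Ghost-host detection over web proxy logs: once a destination IP has served a
blocked (known-bad) Host name, later allowed requests to that same IP under a
different Host header are flagged, even though the new name is on no blocklist."""

# Constructed sample proxy log (not from the slides): "time client dst_ip host uri action".
SAMPLE_PROXY_LOG = """\
09:00:01 10.0.0.7 203.0.113.5 bad-cnc.example /gate.php BLOCK
09:00:03 10.0.0.7 203.0.113.5 cdn-updates.example /gate.php ALLOW
09:00:04 10.0.0.7 203.0.113.5 static-img.example /cfg.jpg ALLOW
09:05:00 10.0.0.9 198.51.100.20 www.example.org /index.html ALLOW
09:06:00 10.0.0.9 203.0.113.5 cdn-updates.example /gate.php ALLOW
"""

BLOCKED_HOSTS = {"bad-cnc.example"}  # constructed blocklist entry (hypothetical name)

def parse_proxy_line(line):
    ts, client, dst_ip, host, uri, action = line.split()
    return ts, client, dst_ip, host.lower(), uri, action

def find_ghost_hosts(log_text, blocked_hosts=BLOCKED_HOSTS, shared_ips=frozenset()):
    """Return (time, client, dst_ip, host) for each allowed request to an IP that
    earlier served a blocked host under another Host header.

    shared_ips: IPs of CDNs / shared hosting that legitimately front many names;
    they are never tainted, which keeps the rule from flooding on shared hosts."""
    tainted = {}   # dst_ip -> set of blocked host names already seen on that IP
    findings = []
    for line in log_text.splitlines():
        ts, client, dst_ip, host, uri, action = parse_proxy_line(line)
        if dst_ip in shared_ips:
            continue
        if action == "BLOCK" or host in blocked_hosts:
            tainted.setdefault(dst_ip, set()).add(host)   # remember the IP, not just the name
            continue
        if dst_ip in tainted and host not in tainted[dst_ip]:
            findings.append((ts, client, dst_ip, host))
    return findings
```

Note that the third finding comes from a second client that never touched the blocked name itself; tainting by IP is what exposes it.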
Detecting bots
• Check email traffic
  • Blacklisting/warning
• Corporate firewalls
  • Specific rule sets for detecting suspicious port use or unknown transactions
• Intrusion prevention system
  • Built-in open source or vendor-defined rules for detecting bot traffic
• Web security/URL filtering systems
  • Devices or services detect and block C&C communications
• Consider creating an “internal honeypot” on your network
• Use dedicated anti-bot security solutions
• Behavioral analysis combining log analytics and traffic analysis
  • Device or cloud service
Poll: Bot Protection
• What anti-bot protection methods has your organization deployed? (choose more than one)
• Firewall rules
• Intrusion prevention
• Web security/URL filtering system
• Internal honeypot
• Dedicated anti-bot security solution
Q3 2016
The World’s Largest Security Cloud
500K+ Threat collection points
600M+ Users protected
17B+ Daily transactions
130M+ Threats blocked
CYREN’s 100% cloud security services
Enterprise: SaaS Secure Web Gateway protects users from cyber-threats, monitors and controls web usage, and protects users both on and off the network. SaaS Secure Email Gateway protects users from spam, phishing attacks, viruses and zero-hour malware with a seamless end-user experience.
OEM: Cloud-powered threat feeds and SDKs allow technology vendors and service providers to detect a broad set of cyber-threats, including malicious websites, phishing attacks, malware, botnets, and spam.
You can also find us here:
www.CYREN.com
twitter.com/cyreninc
linkedin.com/company/cyren
Thank You. Any Questions or Thoughts?