©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.

Webinar: Botnets - The clone army of cybercrime


Page 1

Botnets: The clone army of cybercrime

Avi Turiel, Geffen Tzur

Page 2

Agenda

• Botnet 101
• Evolution
• What they do
• Setting up a botnet
• A day in the life
• Evading detection
• Ghost hosts
• Q3 Cyberthreat data

Page 3

Diagram: Botmaster → C&C sends orders to bots (including peer to peer) → bots carry out orders (DDoS, malware, spam, click fraud) → new bots recruited.

Page 4

Global C&C distribution

• United States, 30.09%
• Netherlands, 8.85%
• Germany, 7.96%
• Australia, 6.19%
• Indonesia, 5.31%
• Turkey, 5.31%
• Brazil, 4.87%
• France, 4.87%
• Russian Federation, 4.42%
• Canada, 2.65%
• Others, 19.47%

Page 5

“Distributed computing”

Page 6

If malware communicates – is it a bot?

Ransomware C&C – Q3 2016

• United States, 33.11%
• Russian Federation, 14.29%
• Ukraine, 8.40%
• Netherlands, 7.23%
• Germany, 6.89%
• France, 6.22%
• Portugal, 4.03%
• Turkey, 1.51%
• Czech Republic, 1.51%
• Spain, 1.34%
• Others, 15.46%

Page 7

Evolution of botnets

Page 8

Evolution of botnets

Page 9

What Botnets Do

• Malware distribution
• Distributed Denial-of-Service (DDoS) attacks
• Spam and phishing emails
• Sniffing & keyloggers
• Click-fraud
• Online polls and social media manipulation
• Ticketing

Bot hotspots

• India, 30.69%
• Iran, 10.43%
• Vietnam, 8.37%
• Pakistan, 6.89%
• Mexico, 4.33%
• China, 3.85%
• Brazil, 3.04%
• Algeria, 1.98%
• Tunisia, 1.97%
• Thailand, 1.90%
• Others, 26.55%

Page 10

Poll: Found a bot?

• Has a bot ever been detected in your organization?
  • Yes
  • Not that I am aware of

Page 11

Setting up a botnet

• Basic botnet infrastructure can be set up in approximately 15 to 20 minutes
• Tailored systems are more expensive, more complex, and less vulnerable
• Online vendors, tools, and even sponsors
• Botnet rental is an option
  • DDoS packages from $0.66/day to $34.99/month

Page 12

Setting up a Zeus botnet – Server

• Zeus 2.0.9.15 Management Panel
• Linux server with an Apache web server and other standard components
• Copy contents of zip file and -- Install --

Page 13

Setting up a Zeus botnet – malware

• Set up config file
• Choose .jpg image
• Steganography used to embed the (encrypted) configuration inside the image
• Executable file is tailored to this botnet

Page 14

Running Zeus botnet – control panel

• Next step is distribution…

Page 15

Day in the life of a Necurs bot

• Necurs distributes spam and malware – most notably Locky ransomware
• The bot is two-year-old malware detected as W32/Necurs.C.gen!Eldorado

Page 16

Day in the life of a Necurs bot

• 10:05 – 10:08 am – A comfy working environment
  • Looks for virtual environments, debuggers, and other monitoring tools
  • Installs itself and creates services (syshost32)
  • Checks the language of the host machine
  • Bypasses the firewall

Page 17

Day in the life of a Necurs bot

• 10:08 – 10:19 am – Is anybody out there?
  • Tests DNS resolution of facebook.com
  • Tries DGA with 4 domains
  • Tries qcmbartuop.bit 57 times
  • Tries DGA with 2076 domains
  • Tries hardcoded IP addresses
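A defender-side check that corresponds to this step, added here as an example that is not part of the webinar: a host that resolves a popular domain and then asks the resolver for a burst of names that do not exist (many NXDOMAIN answers) is behaving the way the slide describes. The resolver log format, client addresses and every name except qcmbartuop.bit are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log (not from the webinar). One query per line:
# "<ISO timestamp> <client ip> <queried name> <response code>".
# Client 10.0.0.15 mimics the slide: a connectivity check against facebook.com,
# then a burst of generated names; only qcmbartuop.bit is taken from the slide.
SAMPLE_DNS_LOG = """\
2016-10-12T10:08:01 10.0.0.15 facebook.com NOERROR
2016-10-12T10:08:02 10.0.0.15 qcmbartuop.bit NXDOMAIN
2016-10-12T10:08:02 10.0.0.15 qcmbartuop.bit NXDOMAIN
2016-10-12T10:08:03 10.0.0.15 xkwtlpoqzv.com NXDOMAIN
2016-10-12T10:08:03 10.0.0.15 mrtqwebzxa.net NXDOMAIN
2016-10-12T10:08:04 10.0.0.15 lpqzvxmbtr.biz NXDOMAIN
2016-10-12T10:08:05 10.0.0.15 zzqrtwbmpl.info NXDOMAIN
2016-10-12T10:08:06 10.0.0.22 mail.example.org NOERROR
2016-10-12T10:08:07 10.0.0.22 typo-examle.org NXDOMAIN
"""

def parse_dns_log(text):
    """Parse the constructed log into (timestamp, client, name, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            records.append((datetime.fromisoformat(ts), client, qname.lower(), rcode))
    return records

def nxdomain_bursts(records, threshold=5, window=timedelta(seconds=60)):
    """Return {client: sorted distinct NXDOMAIN names} for every client that asked
    for at least `threshold` distinct non-existent names within one `window`.
    Retries of one name (qcmbartuop.bit, 57 times on the slide) count once, so
    the threshold measures the breadth of the sweep, not retry noise."""
    failures = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            failures[client].append((ts, qname))
    suspects = {}
    for client, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance `start` so that events[start..end] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {name for _, name in events[start:end + 1]}
            if len(names) >= threshold:
                suspects[client] = sorted(names)
                break
    return suspects
```

The threshold and window are tuning knobs: a user mistyping one domain (10.0.0.22 above) stays below them, while a DGA sweep of the size on the slide crosses them within seconds.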

Page 18

Day in the life of a Necurs bot

• 10:20 – 4:30 pm – Contact! Receive mission data
  • Hardcoded IP address responds – C&C found
  • Bot sends encrypted updates about the host
  • C&C sends the bot encrypted updated malware, spam targets and messages

Page 19

Day in the life of a Necurs bot

• 10:21 pm – 11:14 pm – Spam campaign
  • Attempts connection to Gmail and Yahoo servers
  • Eventually succeeds via Yahoo and Live (Hotmail) servers

Page 20

Day in the life of a Necurs bot

• 10:47 am – Locky campaign

Page 21

Hiding bot communications

• Tor network
  • Anonymous, encrypted
  • Latencies, slow-downs, and unreliability
• Domain Generation Algorithm (DGA)
  • Thousands of random names – only a few are actually responsive C&C servers
• IRC
  • 1st-generation botnet technology – now seeing reuse
• Legitimate services
  • Twitter, Pinterest, Dropbox, Pastebin, Imgur and Evernote
• Steganography

Page 22

Encrypted, complex protocols

Packet fields shown: Bot command, Session ID.

Bot command:
• 0x01 = No operation, just contacting C&C server
• 0x02 = Execute payload via shellcode or [binary file]
• 0x03 = Retrieve system information (e.g. internal IP, domain name, processes, etc.)
• 0x04 = Retrieve software installed
• 0x05 = Retrieve web browser history
• 0x64 = Execute shellcode
• 0xDC = Retrieve Windows folder timestamp

Page 23

“Ghost Host”

1. Known malware accesses a domain – so the domain is blocked.
2. Subsequent access to the “bad” IP address uses different hostnames in the HTTP Host header – the “ghost hosts” – and these are not blocked by many Web security solutions.
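The gap the slide describes, as a defender's check added here (not part of the webinar): compare a filter that keys only on the HTTP Host header with one that also keys on the destination IP a blocked domain resolved to, and list the Host headers that only the second one catches. The blocklist, proxy log format, addresses and names are all constructed for the example.

```python
from collections import defaultdict

# Constructed blocklist (not from the webinar): the domain a known malware sample
# contacted, paired with the IP it resolved to when it was blocked (step 1).
BLOCKED_DOMAINS = {"update-check.example": "203.0.113.10"}

# Constructed proxy log (not from the webinar), one request per line:
# "<client ip> <destination ip> <HTTP Host header> <path>". Client 10.0.0.15 keeps
# reaching the same bad IP under other Host headers, as in step 2 of the slide.
SAMPLE_PROXY_LOG = """\
10.0.0.15 203.0.113.10 update-check.example /gate.php
10.0.0.15 203.0.113.10 cdn-stats.example /gate.php
10.0.0.15 203.0.113.10 img-host.example /gate.php
10.0.0.22 198.51.100.7 www.example.org /index.html
10.0.0.31 203.0.113.10 update-check.example /gate.php
"""

def parse_proxy_log(text):
    """Parse the constructed log into (client, dst_ip, host, path) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def verdict(record, blocked_domains, key_on_ip):
    """Filter decision for one request.
    key_on_ip=False: the weak policy, block only when the Host header is listed.
    key_on_ip=True: also block when the destination IP is one a listed domain
    resolved to, whatever the Host header claims."""
    _, dst_ip, host, _ = record
    if host in blocked_domains:
        return "block"
    if key_on_ip and dst_ip in blocked_domains.values():
        return "block"
    return "allow"

def find_ghost_hosts(records, blocked_domains):
    """Return {host header: sorted bad IPs} for requests that a hostname-only
    filter allows but an IP-aware one blocks: these are the ghost hosts, and
    they are candidates for adding to the blocklist."""
    ghosts = defaultdict(set)
    for record in records:
        weak = verdict(record, blocked_domains, key_on_ip=False)
        hardened = verdict(record, blocked_domains, key_on_ip=True)
        if weak == "allow" and hardened == "block":
            ghosts[record[2]].add(record[1])
    return {host: sorted(ips) for host, ips in ghosts.items()}
```

Keying on the destination IP can over-block when a bad host shares an address with legitimate sites (shared hosting, CDNs), so the ghost-host list is best reviewed before it is turned into new blocklist entries.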

Page 24

Detecting bots

• Check email traffic
  • Blacklisting/warning
• Corporate firewalls
  • Specific rule sets for detecting suspicious port use or unknown transactions
• Intrusion prevention system
  • Built-in open source or vendor-defined rules for detecting bot traffic
• Web security/URL filtering systems
  • Devices or services that detect and block C&C communications
• Consider creating an “internal honeypot” on your network
• Use dedicated anti-bot security solutions
• Behavioral analysis combining log analytics and traffic analysis
  • Device or cloud service

Page 25

Poll: Bot Protection

• What anti-bot protection methods has your organization deployed? (You may choose more than one.)
  • Firewall rules
  • Intrusion prevention
  • Web security/URL filtering system
  • Internal honeypot
  • Dedicated anti-bot security solution

Page 26

Q3 2016

Page 27

Page 28

Page 29

Page 30

The World’s Largest Security Cloud

• 500K+ threat collection points
• 600M+ users protected
• 17B+ daily transactions
• 130M+ threats blocked

Page 31

CYREN’s 100% cloud security services

Enterprise

SaaS Secure Web Gateway protects users from cyber-threats, monitors and controls web usage, and protects users both on and off the network.

SaaS Secure Email Gateway protects users from spam, phishing attacks, viruses and zero-hour malware with a seamless end-user experience.

OEM

Cloud-powered threat feeds and SDKs allow technology vendors and service providers to detect a broad set of cyber-threats, including malicious websites, phishing attacks, malware, botnets, and spam.

Page 32

You can also find us here:

www.CYREN.com

twitter.com/cyreninc

linkedin.com/company/cyren


Thank You. Any Questions or Thoughts?