Botnets: Battling the Borg of the Internet - PowerPoint PPT Presentation

1
Botnets: Battling the Borg of the Internet
  • Corey Nachreiner, CISSP
  • Network Security Analyst
  • November 2007

2
Botnets: The Borg of the Internet
  • Alien race that forcefully assimilated others into their collective.
  • All controlled remotely by one leader, the hive queen.
  • One of the Enterprise's biggest threats.

3
Why Talk About Botnets?
Bot Statistics Suggest Assimilation
  • In 2006, Microsoft's Malicious Software Removal Tool (MSRT) found backdoor trojans on 62% of the 5.7 million computers it scanned. The majority of these were bots.
  • Commtouch found 87% of all email sent over the Internet during 2006 was spam. Botnets generated 85% of that spam.
  • Commtouch's GlobalView Reputation Service identifies between 300,000 and 500,000 newly active zombies per day, on average.
  • ISPs rank zombies as the single largest threat facing network services and operational security.
    • Worldwide Infrastructure Security Report, Arbor Networks, September 2007.

4
Agenda
5
What is a Botnet?
6
What is a Botnet?
Botnet Lingo Defined
  • A Botnet is a network of compromised computers under the control of a remote attacker. Botnets consist of:
    • Botherder: the attacker controlling the malicious network (also called a Botmaster).
    • Bot: a compromised computer under the Botherder's control (also called a zombie, or drone).
    • Bot Client: the malicious trojan installed on a compromised machine that connects it to the Botnet.
    • Command and Control Channel (C&C): the communication channel the Botherder uses to remotely control his or her bots.

7
What is a Botnet?
Visualizing a Botnet
8
What is a Botnet?
The C&C Makes a Big Difference
  • Theoretically, a botherder can use any communication or networking protocol he likes for his C&C server.
  • Today, botherders primarily rely on these three protocols for their C&C:
    • Internet Relay Chat (IRC) Protocol
    • Hyper-Text Transfer Protocol (HTTP)
    • Peer-to-Peer (P2P) networking protocols.

9
What is a Botnet?
Internet Relay Chat (IRC) Botnets
  • Until recently, IRC-based botnets were by far the most prevalent type exploited in the wild.
  • Benefits of IRC to botherder:
    • Well established and understood protocol
    • Freely available IRC server software
    • Interactive, two-way communication
    • Offers redundancy with linked IRC servers
    • Most blackhats grow up using IRC.

10
What is a Botnet?
Internet Relay Chat (IRC) Botnets (cont.)
  • Botherders are migrating away from IRC botnets because researchers know how to track them.
  • Drawbacks:
    • Centralized server
    • IRC is not that secure by default
    • Security researchers understand IRC too.
  • Common IRC Bots:
    • SDBot
    • Rbot (Rxbot)
    • Gaobot

11
What is a Botnet?
HTTP Botnet Diagram
  • Polling Method
  • Registration Method
12
What is a Botnet?
HTTP Botnets
  • Botherders are shifting to HTTP-based botnets that serve a single purpose.
  • Benefits of HTTP to botherder:
    • Also very robust with freely available server software
    • HTTP acts as a covert channel for a botherder's traffic
    • Web application technologies help botherders get organized.
  • Drawbacks:
    • Still a centralized server
    • Easy for researchers to analyze.
  • Recent HTTP Bots:
    • Zunker (Zupacha) spam bot
    • BlackEnergy DDoS bot

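The polling method from the HTTP botnet diagram, seen from the defender's side. This is an added example, not code from the presentation: a bot that asks its web C&C for orders on a timer leaves a series of requests with almost identical gaps, and a proxy log makes that visible. The log format, hosts and addresses are constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample (epoch seconds, client IP, destination host): 10.0.0.5
# fetches cc.example.invalid every 300 s, the clockwork pattern a bot's
# polling timer leaves; 10.0.0.9 browses a news site at human intervals.
SAMPLE_LOG = """\
1000 10.0.0.5 cc.example.invalid
1300 10.0.0.5 cc.example.invalid
1600 10.0.0.5 cc.example.invalid
1900 10.0.0.5 cc.example.invalid
2200 10.0.0.5 cc.example.invalid
1000 10.0.0.9 news.example.invalid
1017 10.0.0.9 news.example.invalid
1600 10.0.0.9 news.example.invalid
1605 10.0.0.9 news.example.invalid
2900 10.0.0.9 news.example.invalid
"""

def parse_log(text):
    """Yield (timestamp, client, host) tuples from the constructed format."""
    for line in text.splitlines():
        ts, client, host = line.split()
        yield int(ts), client, host

def find_pollers(text, min_requests=5, max_cv=0.1):
    """Return {(client, host): mean gap in seconds} for request series whose
    gaps are nearly constant, i.e. whose coefficient of variation
    (standard deviation / mean) is at or below max_cv. Human browsing has
    a high CV; a timer-driven bot checking its web C&C has one near zero."""
    stamps = defaultdict(list)
    for ts, client, host in parse_log(text):
        stamps[(client, host)].append(ts)
    pollers = {}
    for key, times in stamps.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            pollers[key] = mean
    return pollers

if __name__ == "__main__":
    for (client, host), period in find_pollers(SAMPLE_LOG).items():
        print(f"{client} polls {host} every {period:.0f} s")
```

Legitimate software that polls on a timer (update checkers, webmail auto-refresh) scores the same way, so the output is a candidate list to compare against your traffic baseline, not a verdict.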
13
What is a Botnet?
P2P Botnet Diagram
14
What is a Botnet?
P2P Botnets
  • P2P communication channels offer anonymity to botherders and resiliency to botnets.
  • Benefits of P2P to botherder:
    • Decentralized: no single point of failure
    • Botherder can send commands from any peer
    • Security by obscurity: there is no P2P RFC
  • Drawbacks:
    • Other peers can potentially take over the botnet
  • P2P Bots:
    • Phatbot: AOL's WASTE protocol
    • Storm: Overnet/eDonkey P2P protocol

15
Blackhat Bot Creation
16
Blackhat Bot Creation
Three Steps to Building a Bot Client
  • The best way to understand malware is to see real world examples in action.
  • Steps include:
    • Find bot source code
    • Configure and compile the source code
    • Pack & crypt the bot client (optional)

17
Blackhat Bot Creation
1) Find Source Code
  • IRC bot source code is easy to find
    • Just Google it.
    • Underground forums sell / trade / share IRC botnet source.
  • HTTP botnet kits are harder to find
  • P2P bot source is a rare commodity

I'll focus on recent IRC bot source code
18
Blackhat Bot Creation
A Quick Tour of IRC Bot Source
  • Very organized
  • Modular design
  • Script kiddie ready

19
Blackhat Bot Creation
2) Configuring Your Bot Client
20
Blackhat Bot Creation
3) Pack & Crypt Bot Client
21
Bot Harvesting 101
22
Bot Harvesting 101
From Zero to Zombie Army in Three Steps
  • Prepare your C&C channel
  • Draft your first zombie recruit
  • Leverage that zombie to help recruit more.

23
Bot Harvesting 101
Preparing Your C&C
  • "By failing to prepare you are preparing to fail."
    • Benjamin Franklin
  • The Basics
    • Install your IRC server
    • Make sure its settings match your bot client
    • Join your bot channel first to gain ops.
  • Extra Credit
    • Modify your IRC server and channel to protect your botnet.

24
Bot Harvesting 101
Drafting Your First Zombie Recruit
  • Like making your first million, drafting that first zombie victim is always the hardest.
  • Time to dust off your l33t H@x0r skills
    • Spam bot client attached to email
    • Seed it as a fake P2P music download
    • Manually exploit remote vulnerabilities
    • Host bot client on a malicious Drive-by Download site
    • Etc.

25
Bot Harvesting 101
Drafting Your First Zombie Recruit
  • DEMO: Recruiting our first victim with a Drive-by Download

26
Bot Harvesting 101
Leverage Your Bot to Recruit an Army
  • It only takes one seed to start a forest.
  • Now you have your first bot, you can leverage it to automate the attack process and recruit more victims. Some popular automated harvesting attacks include:
    • Scan for local file shares
    • Send malicious, booby-trapped spam
    • SPIM
    • Seeding fake P2P shares
    • Hosting malicious web sites
    • Scanning for USB shares
    • Automated vulnerability scanning (Massscan)

27
Bot Harvesting 101
Scanning for Well-Known Vulnerabilities
  • Some common exploits in IRC bots:
    • Windows DCOM RPC Interface buffer overflow
    • Windows LSASS buffer overflow
    • MS SQL Server buffer overflow
    • Windows UPnP buffer overflow
    • Windows Workstation service buffer overflow
    • MS WebDAV buffer overflow
    • Windows ASN.1 integer overflow
    • Windows Server Service (NetAPI) buffer overflow
    • Symantec AV Remote Management buffer overflow
    • RealVNC password bypass vulnerability
  • Botherder can add new exploits as they come out

28
Bot Harvesting 101
Scanning in Action
  • Video DEMO
    • What happens if a botherder named Spike leverages his first bot to scan a network of unpatched machines?

29
Bot Powered Attacks
30
Botnet Powered Attacks
The Ultimate Blended Threat
  • Botnets are like the Swiss Army knife of the malware world, and botherders have many blades to choose from.
  • You can separate a botnet's many attacks into two general categories:
    • Attacks targeted toward the bot-infected victims
    • Attacks targeted toward others on the Internet

31
Botnet Powered Attacks
Targeting Your Bots
Q: A botherder has full control of each bot machine. What can you do to them?
  • Install more malware
    • Adware
    • Spyware
    • Ransomware
  • Steal sensitive data
    • CD keys
    • Emails and email addresses
    • Various login credentials
    • Password storage files
    • Any file on the victim's machine
  • Enable various network services
    • HTTP server
    • FTP / TFTP server
    • SOCKS proxy
    • HTTP or HTTPS proxy
  • Man-in-the-Middle (MitM) attacks
    • Redirect TCP traffic
    • Redirect GRE traffic (PPTP VPN)
  • Gain backdoor access
A: Once he has control of your computer, a botherder can do anything you can.

32
Botnet Powered Attacks
Targeting Your Bots (cont.)
  • Spy on victims
    • Keylog
    • Packet sniff
    • Capture screenshots
    • Capture webcam images and video
  • Video DEMO
    • Spike exploits Rxbot spying techniques (i.e. stupid script kiddie tricks).

33
Botnet Powered Attacks
Targeting the World
  • With full control of a massive army of machines, the only limit to a botherder's attack potential is his imagination.
  • Distributed Denial of Service (DDoS) attacks
    • BlueSecurity
    • Estonia
    • Extortion of small businesses
  • Spamming
    • Email spam
    • SPIM
    • Forum spam

34
Botnet Powered Attacks
Targeting the World (cont.)
  • Phishing
    • Use bots as malicious phishing web servers
    • Use bots to spam phishing emails
  • Click fraud / poll manipulation
  • ID theft
  • And more

35
The Future of Botnets?
36
The Future of Botnets?
Storm: A Sign of Things to Come
  • What started as an indistinct, unimpressive email worm has grown into one of the more successful botnets ever seen.
  • Short history
    • Started as a basic email worm
    • Uses smart social engineering techniques
    • Didn't appear widespread early on
    • However, Storm was quietly recruiting zombie machines

"230 dead as storm batters Europe."
37
The Future of Botnets?
Storm: A Sign of Things to Come
  • What's futuristic about Storm:
    • First real successful P2P botnet
    • Changes tactics and technology regularly (polymorphic)
    • Mature kernel rootkit technology
    • Incorporates attack-back logic
    • Uses Fast Flux DNS to hide.

38
The Future of Botnets?
What's Futuristic About Storm
  • How big is the Storm botnet?
    • Estimates range from 160,000 to 50 million?
    • Brandon Enright says Storm is dwindling
    • No one really knows for sure.
  • Latest developments
    • Storm being segmented with 40-byte keys
    • Neuters AV rather than killing it
    • Sending Pump and Dump stock spam
    • Recent Halloween ecard.

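Fast Flux DNS, the hiding technique the Storm slides above describe, can be recognised from the resolver's side: the name keeps a short TTL and answers with a changing crowd of addresses drawn from many unrelated networks. This is an added example, not code from the presentation; the passive-DNS observations are constructed, and using the /16 prefix as a stand-in for the origin network (instead of a real ASN lookup) is an assumption of the example.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (seconds, hostname, TTL, A records).
# flux.example.invalid answers with a fresh set of addresses from unrelated
# networks on every lookup, the way Storm's fast-flux names pointed at a
# rotating crowd of infected proxies. cdn.example.invalid also rotates
# with a short TTL, but stays inside one provider's address block.
OBSERVATIONS = [
    (0, "flux.example.invalid", 300, ["198.51.100.7", "203.0.113.22", "192.0.2.45"]),
    (600, "flux.example.invalid", 300, ["192.0.2.99", "198.51.100.130", "203.0.113.201"]),
    (1200, "flux.example.invalid", 300, ["203.0.113.8", "192.0.2.160", "198.51.100.250"]),
    (0, "cdn.example.invalid", 60, ["192.0.2.10", "192.0.2.11"]),
    (600, "cdn.example.invalid", 60, ["192.0.2.12", "192.0.2.13"]),
    (1200, "cdn.example.invalid", 60, ["192.0.2.14", "192.0.2.15"]),
]

def prefix16(ip):
    """Crude stand-in for the origin network: the address's /16 prefix.
    Assumption for this example; production tooling would map to an ASN."""
    return ".".join(ip.split(".")[:2])

def flux_report(observations, max_ttl=600, min_ips=5, min_prefixes=3):
    """Summarise each hostname as (distinct IPs, distinct /16 prefixes,
    lowest TTL seen, flagged). A name is flagged as fast-flux when it
    combines a short TTL with many addresses spread across many networks;
    a CDN fails the spread test even though it shares the short TTL."""
    seen = defaultdict(lambda: {"ips": set(), "ttl": None})
    for _ts, host, ttl, answers in observations:
        rec = seen[host]
        rec["ips"].update(answers)
        rec["ttl"] = ttl if rec["ttl"] is None else min(rec["ttl"], ttl)
    report = {}
    for host, rec in seen.items():
        prefixes = {prefix16(ip) for ip in rec["ips"]}
        flagged = (rec["ttl"] <= max_ttl and len(rec["ips"]) >= min_ips
                   and len(prefixes) >= min_prefixes)
        report[host] = (len(rec["ips"]), len(prefixes), rec["ttl"], flagged)
    return report

if __name__ == "__main__":
    for host, (ips, nets, ttl, flagged) in flux_report(OBSERVATIONS).items():
        print(f"{host}: {ips} IPs over {nets} networks, TTL {ttl}s, "
              f"{'FAST-FLUX' if flagged else 'ok'}")
```

The spread across networks is the discriminator that matters: CDNs and round-robin load balancers also use short TTLs and many addresses, so TTL alone produces false positives.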
39
Avoid Assimilation: Botnet Defense
40
Avoid Assimilation: Botnet Defense
Resistance is Not Futile
  • Three categories of botnet defense:
    • Keeping bot clients off your network
    • Bot detection and mitigation
    • Protecting your network from external botnet attacks.

41
Avoid Assimilation: Botnet Defense
Preventing Bot Infections
  • Protecting your network from a botnet's many attack vectors requires Defense in Depth.
    • Use a firewall
    • Patch regularly and promptly
    • Use AntiVirus (AV) software
    • Deploy an Intrusion Prevention System (IPS)
    • Implement application-level content filtering
    • Define a security policy and share it with your users systematically
  • USER EDUCATION IS VITAL!

42
Avoid Assimilation: Botnet Defense
Bot Search and Destroy
  • There is no infallible defense, so prepare for the worst.
  • Egress filter with your firewall
    • Egress filtering allows you to muzzle some bots by preventing them from reaching their C&C.
  • Monitor your network traffic regularly
    • Establish a recognized baseline
    • Use graphical traffic monitors
    • Ourmon is a nice free tool that can help you detect bots.
  • Stay current with botnet evolutions.

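The egress filtering and traffic monitoring the slide above recommends, worked through as an added example that is not part of the presentation or of any firewall product: a constructed default-deny egress policy is applied to constructed flow records, and a host that keeps retrying one denied destination (a muzzled bot client trying to reach its C&C) is reported. Hosts, addresses and the policy are all assumptions of the example.

```python
from collections import Counter, defaultdict

# Constructed default-deny egress policy as (source, destination, port) triples;
# "any" is a wildcard. Workstations may only reach the web proxy and the
# internal resolver; only the mail relay may speak SMTP outbound.
POLICY = [
    ("any", "10.0.0.2", 8080),      # web proxy
    ("any", "10.0.0.3", 53),        # internal DNS resolver
    ("10.0.0.25", "any", 25),       # mail relay
]

# Constructed outbound flow records: "source destination port", one per line.
# 10.0.0.5 keeps retrying an IRC port on an outside host, exactly what a
# muzzled bot client does when it cannot reach its C&C.
SAMPLE_FLOWS = """\
10.0.0.5 10.0.0.2 8080
10.0.0.5 203.0.113.50 6667
10.0.0.5 203.0.113.50 6667
10.0.0.5 203.0.113.50 6667
10.0.0.5 203.0.113.50 6667
10.0.0.9 10.0.0.3 53
10.0.0.9 198.51.100.9 443
10.0.0.9 192.0.2.20 25
10.0.0.25 192.0.2.20 25
"""

def allowed(src, dst, port, policy=POLICY):
    """True when some policy rule matches the flow; everything else is dropped."""
    return any(r_src in ("any", src) and r_dst in ("any", dst) and r_port == port
               for r_src, r_dst, r_port in policy)

def denied_egress(flows, policy=POLICY):
    """Return {source: Counter({(destination, port): drops})} for dropped flows."""
    drops = defaultdict(Counter)
    for line in flows.splitlines():
        src, dst, port = line.split()
        if not allowed(src, dst, int(port), policy):
            drops[src][(dst, int(port))] += 1
    return drops

def suspected_bots(flows, policy=POLICY, min_attempts=3):
    """Sources that hammer one denied destination: the egress filter has
    silenced them, and the retry pattern is the detection signal."""
    return sorted(src for src, counts in denied_egress(flows, policy).items()
                  if max(counts.values()) >= min_attempts)

if __name__ == "__main__":
    for src, counts in denied_egress(SAMPLE_FLOWS).items():
        print(f"DROP {src}: {dict(counts)}")
    print("suspected bots:", suspected_bots(SAMPLE_FLOWS))
```

A single direct SMTP attempt from a workstation (10.0.0.9 in the sample) is worth a look too, since spam bots send mail straight from the infected host rather than through the relay.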
43
Avoid Assimilation: Botnet Defense
Surviving External Botnet Attacks
  • Even if you succeed at keeping bot infections off your network, you still have to contend with external botnets targeting you for attack.
  • How do you survive Distributed Denial of Service attacks?
    • DDoS mitigation products only work so well
    • Multiple ISP connections only help a little
    • In the end, we need ISPs to help solve this problem.
  • How do you survive spam and phishing emails?
    • Some spam blocking products work well
    • Commtouch offers a unique solution.

44
Avoid Assimilation: Botnet Defense
Share Your Knowledge
  • We will only defeat the ever-changing botnet threat if we come together as a security community, and share our information as far and wide as possible.
  • Download WatchGuard's free botnet educational series:
    • FTP: ftp.watchguard.com
    • Login: botnetvideos
    • Password: Fr3e_V1de0s
    • or
    • ftp://botnetvideos:Fr3e_V1de0s@ftp.watchguard.com

45
References
  • Craig A. Schiller, Jim Binkley, David Harley, Gadi Evron, Tony Bradley, Carsten Willems, Michael Cross. Botnets: The Killer Web App. Syngress Publishing, 2007.
  • Brandon Enright, UCSD ACT/Network Operations. Exposing the Stormworm. Toorcon, 2007.
  • Dr. Jose Nazario. Botnet Tracking: Tools, Techniques, and Lessons Learned. Black Hat DC, March 2007.
  • Dr. Jose Nazario. Analyzing and Understanding Botnets. Arbor Networks, 2007.
  • Arbor Networks. Worldwide Infrastructure Security Report. September 2007.
  • Phillip Porras, Hassen Saidi, Vinod Yegneswaran. A Multi-perspective Analysis of the Storm (Peacomm) Worm. SRI International, October 2007.
  • Frank Boldewin. Peacomm.C: Cracking the nutshell. September 2007.
  • Andre Fucs, Augusto Paes de Barros, Victor Pereira. New Botnet Trends and Threats. Blackhat Europe, 2007.
  • Commtouch. Q3 2007 Email Threats Trend Report. October 2007.
  • Gadi Evron. Estonia: Information Warfare and Lessons Learned. Blackhat, Las Vegas 2007.
  • Matthew Braverman of the Microsoft Antimalware team. Malicious Software Removal Tool: Progress Made, Trends Observed. Microsoft, November 2006.
  • Dr. Alan Solomon, Gadi Evron. The World of Botnets. Virus Bulletin, September 2006.
  • Paul Bächer, Thorsten Holz, Markus Kötter, Georg Wicherski. Know Your Enemy: Tracking Botnets. Honeynet Project, March 2005.

46
Q&A
47
Thank You!