Botnets: Proactive System Defense

1
Botnets: Proactive System Defense
John C. A. Bambenek
University of Illinois Urbana-Champaign
June 2006
www.iti.uiuc.edu
2
Introduction
  • Assumptions
  • Paradigm shifts in eCommerce
  • Growth and changes in malware
  • Future trends of botnets
  • Fundamental flaws in our current system
  • Remediation of the core vulnerabilities
  • Cost justification

3
Assumptions
  • Focus on financial transactions. DDoS is painful
    but small in damage possibilities, and it exposes
    the botnet once the DDoS begins.
  • Consumers don't directly pay for fraud losses;
    banks and merchants do.
  • Consumers, as a rule, aren't qualified or
    motivated to sufficiently harden their own
    machines.
  • Corporations have other means of protection
    available to them; focus effort on consumers.

4
Paradigm Shifts in eCommerce
  • 1993: Web browsers and Web servers invented
    (instant information access)
  • 1995: eBay, Amazon begin era of eCommerce
    (money transactions over the internet)
  • 2003: Spyware, phishing, identity theft
    (hackers in it for money)
  • All had reactive responses to paradigm shifts;
    we adapted current/old technologies to new needs.
  • We've not had a fundamental examination of how we
    do business online.
  • We are playing the information security game on
    the hackers' terms, not ours.

5
Growth and Change in Malware Development
  • In the beginning there were viruses.
  • 2003 saw the beginning of spyware, phishing,
    botnets, etc. as an outgrowth of spamming
    outfits, not hacking outfits. ("Spamford"
    Wallace fined $4m for spyware operations)[1]
  • Slow development in botnet technology (2 years to
    start to see real use of encryption).
  • Spyware, phishing and botnets are still growing
    despite the increase in money being spent to
    remediate the problem.

6
Growth in Phishing, Malware
  • Number of trojans intercepted by Kaspersky Labs
    (chart).[2]
  • About 10-15k new bot machines per day. Dropped
    to 5k after the SP2 release, for only a few months.[3]
  • Only 4-6 days until an exploit is released, yet 40-60
    days for a patch.[4]
  • Money being involved means more players
    developing the malware and trying to deploy it.
  • Why do they keep growing? Because it keeps
    working.
  • We haven't eliminated the real problem.

7
Botnets and Theft
  • Zotob/Mytob/Rbot creators developed software to
    maintain control of computers for financial gain.
  • Authors forwarded stolen credit card information
    to a credit card fraud ring.
  • Oct. 2005: botnet with 1.5 million hosts found
    and shut down.[5]
  • Hackers were caught trying a DDoS extortion
    scheme; however, the software also has a keylogger,
    so financial information was likely also compromised.
  • Most botnet software includes keyloggers that
    will steal financial information and send it
    via IRC or e-mail.

8
Future Trends of Botnets
  • Botnet operators want to remain online and in
    control of machines as long as possible.
  • More encryption.
  • More mimicking of normal traffic.
  • Can still detect by looking for bad IPs.
  • Possible detection by outbound connection
    monitoring (PrivacyGuard, etc.).

9
Future Botnet Evolution?
  • Future paradigm shift? Using allowable and
    ordinary communication to hide botnet control
    messages.
  • Using Gmail as a botnet control protocol:
  • Known-good IP space.
  • XML makes it easy to develop bots to interact
    with it (e.g. read messages with RSS).
  • Can use SSL.
  • Will be invisible to network inspection.
  • Use for economic warfare?
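
Slides 8 and 9 describe bots that hide control traffic in ordinary-looking connections and name two ways a defender can still see them: bad-IP lists and outbound connection monitoring. The following is an added example, not from the slides or their author: a Python script that runs both checks over a constructed connection log, matching destinations against a (constructed) bad-IP set and flagging flows that recur at clockwork intervals, the beaconing pattern a bot check-in leaves even when the payload itself is encrypted. All addresses, timestamps, the log format and the jitter threshold are constructed for the example.

```python
"""Outbound-connection monitoring over a constructed connection log.

Two checks: (1) destination is on a bad-IP list; (2) periodic "beaconing",
i.e. regular-interval connections to one destination, which shows up even
when command-and-control rides inside encrypted, ordinary-looking sessions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one "<timestamp> <src_ip> <dst_ip> <dst_port>" per
# line. Addresses are from documentation ranges; this is not real traffic.
SAMPLE_LOG = """\
2006-06-01T10:00:00 192.168.1.20 203.0.113.7 443
2006-06-01T10:00:03 192.168.1.20 198.51.100.5 80
2006-06-01T10:05:00 192.168.1.20 203.0.113.7 443
2006-06-01T10:07:41 192.168.1.20 198.51.100.9 80
2006-06-01T10:10:01 192.168.1.20 203.0.113.7 443
2006-06-01T10:12:10 192.168.1.20 198.51.100.5 80
2006-06-01T10:15:00 192.168.1.20 203.0.113.7 443
2006-06-01T10:20:00 192.168.1.20 203.0.113.7 443
2006-06-01T10:21:15 192.168.1.20 192.0.2.44 6667
"""

# Constructed bad-IP list (placeholder, not a real threat feed).
BAD_IPS = {"192.0.2.44"}


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            port = int(parts[3])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2], port))
    return records


def bad_ip_hits(records, bad_ips):
    """Connections whose destination is on the bad-IP list."""
    return [r for r in records if r[2] in bad_ips]


def beacon_candidates(records, min_connections=4, max_jitter_ratio=0.1):
    """Return {(src, dst, port): mean_gap_seconds} for flows contacted at least
    min_connections times at near-constant intervals.

    Jitter is the population standard deviation of the gaps divided by the mean
    gap; a small ratio means clockwork timing typical of a bot check-in rather
    than a person browsing.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in records:
        by_flow[(src, dst, port)].append(ts)
    found = {}
    for flow, times in by_flow.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            found[flow] = avg
    return found


def analyse(text=SAMPLE_LOG, bad_ips=BAD_IPS):
    """Run both checks and return their findings."""
    records = parse_log(text)
    return {
        "bad_ip": [r[2] for r in bad_ip_hits(records, bad_ips)],
        "beacons": beacon_candidates(records),
    }


if __name__ == "__main__":
    result = analyse()
    for flow, interval in result["beacons"].items():
        print(f"beacon-like flow {flow}: every {interval:.0f}s")
    for ip in result["bad_ip"]:
        print(f"connection to known-bad destination {ip}")
```

On the sample log the bad-IP check catches only the IRC connection to 192.0.2.44, while the interval check catches the HTTPS flow to 203.0.113.7 that repeats every five minutes with one second of jitter. The bad-IP check is exactly what the "known-good IP space" evolution on slide 9 defeats; the timing check still fires in that case, although an operator who randomizes check-in intervals pushes the jitter ratio above the threshold, which is why the later slides pair network detection with host-based controls.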

10
Fundamental Flaws in our Current System
  • Financial information (e.g. CC numbers) is
    entered in the clear on untrustworthy machines.
  • Financial transactions generally only require
    one-factor authentication.
  • We have a weak, de facto national ID system:
    only a 9-digit number is needed to assume someone's
    identity.
  • Anti-Virus/Spyware assumes all software is safe
    until proven otherwise. 20% of malware is not
    detected.[6]
  • We must wait until exploitation to make
    signatures.

11
Remediation
  • Financial identity information should be
    encrypted before it gets to the PC (e.g. smart
    cards).
  • Anti-Virus/Spyware should go to a deny-all
    default policy and develop a trusted software
    model (e.g. signed software).
  • Develop free, consensus-based hardening scripts
    for consumer PCs and let ISPs, banks, etc.
    distribute them. Stronger automatic updating.
  • Develop ways to remotely validate that a machine is
    safe before allowing a transaction.
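
The deny-all default and trusted-software bullet above, as an added example (not the author's or any product's code): a Python comparison of the two policies over the same set of constructed program images. The blocklist policy stands for the signature model the previous slide criticizes (run anything without a known signature); the allowlist policy runs only what appears in an authenticated manifest of trusted hashes. An HMAC over the manifest is used as a stand-in for a publisher's code signature; the program images, file names and key are constructed for the example.

```python
"""Default-allow (blocklist) versus default-deny (allowlist) execution policy.

Constructed example: the "files" are byte strings standing in for program
images. The blocklist model permits anything it has no signature for; the
allowlist model permits only software whose SHA-256 appears in a manifest,
and the manifest is authenticated with an HMAC (a stand-in for a publisher's
code signature) so an attacker cannot silently add a bot to the trusted list.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed program images (not real binaries).
PROGRAMS = {
    "browser.exe":   b"trusted browser build 1.2",
    "updater.exe":   b"trusted updater build 0.9",
    "known_bot.exe": b"bot family that already has an AV signature",
    "new_bot.exe":   b"freshly repacked bot with no signature yet",
}

# Blocklist model knows only what has already been seen and fingerprinted.
AV_SIGNATURES = {sha256_hex(PROGRAMS["known_bot.exe"])}

DEMO_KEY = b"constructed-demo-signing-key"  # placeholder, not a real key


def blocklist_policy(image: bytes) -> bool:
    """Default allow: run unless a signature matches."""
    return sha256_hex(image) not in AV_SIGNATURES


def build_manifest(trusted: dict, signing_key: bytes) -> dict:
    """Publisher side: list the trusted hashes and authenticate the list."""
    body = json.dumps(sorted(sha256_hex(img) for img in trusted.values()))
    tag = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def load_manifest(manifest: dict, verify_key: bytes) -> set:
    """Consumer side: refuse any manifest whose tag does not verify."""
    expected = hmac.new(verify_key, manifest["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest failed authentication")
    return set(json.loads(manifest["body"]))


def allowlist_policy(image: bytes, allowed: set) -> bool:
    """Default deny: run only if the hash is in the authenticated allowlist."""
    return sha256_hex(image) in allowed


def evaluate(key: bytes = DEMO_KEY) -> dict:
    """Return {name: (blocklist_allows, allowlist_allows)} for every program."""
    trusted = {k: PROGRAMS[k] for k in ("browser.exe", "updater.exe")}
    allowed = load_manifest(build_manifest(trusted, key), key)
    return {name: (blocklist_policy(img), allowlist_policy(img, allowed))
            for name, img in PROGRAMS.items()}


def tampered_manifest_rejected(key: bytes = DEMO_KEY) -> bool:
    """Appending a bot's hash to the manifest body without the key is caught."""
    manifest = build_manifest({"browser.exe": PROGRAMS["browser.exe"]}, key)
    hashes = json.loads(manifest["body"]) + [sha256_hex(PROGRAMS["new_bot.exe"])]
    manifest["body"] = json.dumps(hashes)
    try:
        load_manifest(manifest, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, (bl, al) in evaluate().items():
        print(f"{name:14} blocklist={'allow' if bl else 'deny'}  "
              f"allowlist={'allow' if al else 'deny'}")
    print("tampered manifest rejected:", tampered_manifest_rejected())
```

The unsigned "new_bot.exe" is the case the slide's 20% figure describes: the blocklist passes it because nobody has written a signature yet, while the allowlist denies it without needing to know it is malicious. The cost of the model is visible too: every legitimate update must be added to the manifest, which is why the slide pairs it with stronger automatic updating.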

12
Remediation (2)
  • Should not exclude continuing other host-based
    and network-based detection schemes.
  • Needs to be convenient and free for the user.
  • Creates a defense-in-depth environment for PCs.
    Hackers will have a harder time undermining
    several layers of protection than undermining
    one ineffective layer.
  • It will be expensive to do all of these, but
    it's worth the cost.

13
Cost Justification
  • Estimated 24 billion USD (0.2% of GDP) in assets
    already at risk from stolen identities of US
    consumers (low-balled estimate).[7]
  • Real vulnerability is more like 110 billion USD
    (0.9% of GDP).[8]
  • If stolen identities were used for economic
    warfare instead of simple theft, damage would be
    much higher (run on the bank, dramatic loss of
    confidence in eCommerce).
  • Changes the security dynamics and forces hackers
    to adapt to us.

14
Conclusion
  • The core vulnerabilities with eCommerce have not
    yet been adequately addressed (insecure PCs,
    one-factor auth, use of old technologies and
    methods).
  • Fraud and identity theft will continue to be
    primary drivers of botnet growth and development
    until those problems are addressed.
  • If left unchecked, botnets will become harder, or
    near-impossible, to detect on the network.
  • Proactive steps will put the bad guys on
    defense: great return on security investment.
  • Get institutional players and money out of the
    botnet business.
  • Apply defense-in-depth to consumer PCs.

15
References
  1. The Register, May 5th, 2006.
     (http://www.theregister.co.uk/2006/05/05/ftc_spyware_lawsuits/)
  2. Viruslist, Malware Evolution 2005, February 8th, 2006.
     (http://www.viruslist.com/en/analysis?pubid=178949694)
  3. Symantec, March 5th, 2005.
     (http://www.symantec.com/small_business/library/article.jsp?aid=symantec_research)
  4. Ullrich, J. The Disappearing Patch Window.
     (http://isc.sans.org/presentations/MITSecCampISCPresentation.pdf)
  5. Internet Storm Center, October 10th, 2005.
     (http://isc.sans.org/diary.php?storyid=778)
  6. Internet News (citing Gartner), June 13th, 2006.
     (http://www.internetnews.com/security/article.php/3613236)
  7. Bambenek, J. (http://handlers.dshield.org/jbambenek/keylogger.html)
  8. Unpublished study by John Bambenek and Agnieszka Klus.