Inside a Botnet - ITRIS Enterprise AG

Inside a Botnet
Anatomy of botnet malware technology
Holger Unterbrink
CSE EMEAR
October 2014
Agenda
• Cisco Security Portfolio
• Botnet Basics
• Hiding your tracks
• Botnet Demo
• Defense tactics
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Security University
Botnet Basics – What is a Botnet?
A sophisticated distributed malware solution
• Combination of the words robot and network
• Client-side malware (bot/rootkit/trojan) that automatically executes malicious tasks
• Command & Control server(s), or C&C infrastructure, which controls and updates the bots
• Widely spread malware controlled by an attacker or a group of attackers
  (e.g. ZeroAccess botnet ~1.9 million infections, BredoLab botnet ~30 million infections)
• Mainly a profit-driven business
  • E.g. ZeroAccess estimated revenue: $2.7M USD per month
  • Stealing credit cards, mining Bitcoins, spam, hosting illegal content, DDoS, click fraud, anything else illegal…
  • Players: single persons, cyber gangs, organized crime, government agencies
Botnet Basics
The Marketing Version
[Diagram: Attacker -> Command & Control Server -> Internet -> Victims; the Command and Control channel runs from the C&C server to every victim]
Botnet Basics
Welcome to the real world
“Make everything as simple as
possible, but not simpler.”
Botnet Basics
Crime Kits (CK) – e.g. Zeus, SpyEye, Citadel, Atrax… the “software package”
• Maintains the whole life cycle of a botnet, including bot updates, bot control, bot building, bot configuration, statistics, …
• Command & Control server
• Builder to build the client-side malware (bot)
• Modular crimeware add-ons/modules, for example:
  • Web injects and form grabber
  • DDoS module (DDoS attacks)
  • Bitcoin/Litecoin miner (CPU misuse for mining coins)
  • Stealer (browser, mail, IM credentials)
  • …
• Between $200 and $10,000 or more, depending on the feature set
• Usually sold in hidden and private market forums in the underground
• Usually a series of web scripts (e.g. PHP) designed to run on a web server
Botnet Basics
Crime Kits (CK) – Underground services, customer support and more…
[Screenshot: underground service that automatically scans malware binaries against the common anti-virus engines]
Botnet Basics
Exploit Kits (EK) – e.g. Blackhole, Cool Pack, Flash Pack, Angler, LightsOut
(Image source: www.kahusecurity.com)
• Offer the latest public exploits and sometimes 0-days
• Sold in underground forums (e.g. Blackhole for a $500 – $700 monthly fee)
• Infect victims visiting the website with malware, e.g. a botnet rootkit
• Often injected into compromised websites (e.g. as IFRAMEs)
• Use cryptors to obfuscate the malicious software so that it remains undetected by anti-virus software
• Can automatically pick the right exploit based on profiling the victim's browser
• Usually a series of web scripts (e.g. PHP) designed to run on a web server
Detailed analysis of LightsOut:
http://vrt-blog.snort.org/2014/05/continued-analysis-of-lightsout-exploit.html?utm_source=twitterfeed&utm_medium=twitter
Botnet – Example
Set up the mother ship: the attacker installs the botnet infrastructure
- Command & Control infrastructure/server*
- Exploit Kit server
- The attacker's „crown jewels”
[Diagram: Attacker -> TOR / VPN / Proxy -> Internet -> Command & Control Server(s) and Exploit Kit Server(s). Attackers often use compromised or bullet-proof hosting servers.]
* Depending on the botnet architecture, the attacker sets up a dedicated C&C server for updating, maintaining and controlling the botnet. Other architectures are shown later.
Botnet – Example
How to infect a victim – e.g. Drive-By-Download Attack
[Diagram: Attacker -> TOR / VPN / Proxy -> Internet or P2P -> Insecure WWW App / Server(s); Command & Control Server* and Exploit Kit server reachable via the Internet]
The attacker embeds the exploit kit in a public website (e.g. via XSS). The insecure WWW server loads content from the Exploit Kit (EK) server and embeds it in the pages of the vulnerable WWW server, so every visitor is exposed to the exploits.
Botnet – Example
Or any other Attack vector: e.g. Phishing, offline techniques - USB, etc…
Botnet – Simplified Example
Bot Registration
[Diagram: Attacker -> TOR / VPN / Proxy -> Internet or P2P -> Command & Control and Exploit Kit server(s); Insecure WWW Server(s); infected client]
The bot (malware/trojan) calls home to the C&C server and registers itself in the botnet.
Botnet – Simplified Example
Final – Game Over: the attacker, aka Botnet Herder, enjoys his/her botnet
[Diagram: Attacker (Botnet Herder) -> TOR / VPN / Proxy -> Internet -> Command & Control server(s) -> bots]
Big question: How to hide the C&C against security researchers and law enforcement?
Botnet – C & C Obfuscation
Fast Flux
Round Robin DNS + small TTL value (e.g. 1800 = 30 minutes)
1st step: introducing a proxy (or zombie) layer
The C&C server is not exposed directly. The attacker controls the DNS of the zone hu.bulletproof.com (delegated from bulletproof.com) and publishes the addresses of infected proxy nodes:
server.hu.bulletproof.com. 1800 IN A 1.1.1.1
server.hu.bulletproof.com. 1800 IN A 2.2.2.2
server.hu.bulletproof.com. 1800 IN A 3.3.3.3
[Diagram: Proxies 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 (and further zombies 5.5.5.5, 6.6.6.6, 7.7.7.7, 8.8.8.8) relay traffic from the Internet to the hidden C&C server]
The client (bot) can choose any IP in the list.
Botnet – C & C Obfuscation
Fast Flux
Round Robin DNS + very small TTL value (e.g. 1800 = 30 minutes)
30 minutes later… the TTL has expired and the zone now answers with a different set of proxies:
server.hu.bulletproof.com. 1800 IN A 4.4.4.4
server.hu.bulletproof.com. 1800 IN A 5.5.5.5
server.hu.bulletproof.com. 1800 IN A 6.6.6.6
The previously published proxies (1.1.1.1, 2.2.2.2, 3.3.3.3) drop out of the rotation, so blocking or seizing them by IP no longer hurts the botnet, while the real C&C server behind the proxy layer never appears in DNS.
Botnet – C & C Obfuscation
Domain Generation Algorithms (DGA)
• Bot algorithms generate a list of unique pseudo-random domain names every day to reach the C&C server
  • E.g. based on the date, Twitter, news sites, …
  • <month><day><year>.com
  • -> obfuscated to random-looking strings, e.g. divide-wonder.com = 23 Dec 2014
• Attackers can calculate the dynamic pseudo-random domain name in advance and register it at the right point in time
Word list for 2014 (excerpt):
…
12. divide   <- 12 (number of the month): divide = func(12)
13. rat
14. peter
…
23. wonder   <- 23 (day): wonder = func(23)
…
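The scheme sketched on the slide, as an added worked example (this is illustrative code written for this page, not code from the deck or from any malware family): a per-year word list is derived from a shared secret, and the domain for a date is <word for month>-<word for day>.com. The word list, the secret and the keying are constructed assumptions, so the output differs from the slide's divide-wonder.com, only the mechanism is the same. The defender's side is the same algorithm run ahead of time: once the secret is extracted from a sample, precompute_year() yields every domain the bots will try, which is the list researchers race the herder to register or sinkhole.

```python
"""Date-seeded, word-list based DGA as sketched on the slide (added example).

Illustrative code for this page; the word list, the shared secret and the
per-year keying are constructed assumptions, not recovered from any sample.
"""
import hashlib
from datetime import date, timedelta

# Constructed word list (>= 31 entries so that every day number has a word).
BASE_WORDS = [
    "divide", "rat", "peter", "wonder", "apple", "river", "stone", "cloud",
    "silver", "candle", "mirror", "forest", "anchor", "meadow", "copper",
    "harbor", "velvet", "lantern", "marble", "orchid", "summit", "timber",
    "willow", "ember", "falcon", "garnet", "hollow", "island", "jasper",
    "kettle", "lemon", "maple", "nectar", "oyster", "pepper", "quartz",
]

DEFAULT_SECRET = "demo-secret"   # assumed shared secret between bot and herder


def yearly_wordlist(year: int, secret: str = DEFAULT_SECRET) -> list:
    """Deterministic per-year permutation of BASE_WORDS.

    Each word's rank is SHA-256(secret:year:word), so the list is reproducible
    by anyone who knows the secret, including a researcher who extracted it.
    """
    def rank(word: str) -> str:
        return hashlib.sha256(f"{secret}:{year}:{word}".encode()).hexdigest()
    return sorted(BASE_WORDS, key=rank)


def dga_domain(day: date, tld: str = "com", secret: str = DEFAULT_SECRET) -> str:
    """<word for month>-<word for day>.<tld>, the slide's divide-wonder.com pattern."""
    words = yearly_wordlist(day.year, secret)
    return f"{words[day.month - 1]}-{words[day.day - 1]}.{tld}"


def domain_for(year: int, month: int, day: int, tld: str = "com",
               secret: str = DEFAULT_SECRET) -> str:
    """Convenience wrapper taking plain integers instead of a date object."""
    return dga_domain(date(year, month, day), tld, secret)


def precompute_year(year: int, tld: str = "com", secret: str = DEFAULT_SECRET) -> dict:
    """Defender's view: every domain the bot will try in `year`, mapped to its date.

    This is the list used to register or sinkhole domains before the herder does.
    """
    d = date(year, 1, 1)
    table = {}
    while d.year == year:
        table[dga_domain(d, tld, secret)] = d
        d += timedelta(days=1)
    return table


def is_dga_domain(name: str, year: int, tld: str = "com",
                  secret: str = DEFAULT_SECRET) -> bool:
    """Check a queried name (e.g. from DNS logs) against the precomputed list."""
    return name.lower().rstrip(".") in precompute_year(year, tld, secret)


if __name__ == "__main__":
    print("domain for 23 Dec 2014:", domain_for(2014, 12, 23))
    print(len(precompute_year(2014)), "domains to sinkhole for 2014")
```

Because month and day select two different positions of one permutation, every day of a year maps to a distinct domain, and the whole year's list can be matched against resolver logs in a single set lookup.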
Botnet – C & C Obfuscation
Other C&C obfuscation techniques – social media
• Use IRC
• Use Twitter
• Use Facebook
• Use MySpace
• Use Jabber
• Use Google Plus
• Use Windows Live Profile
• Use other web blogs
• …
-> Bots using HTML parsing and the new social media APIs
-> HTTP bots
Botnet – C & C Obfuscation
Other C&C obfuscation techniques
• C&C server is using TOR hidden services
  • Involves non-victim nodes (the Tor relays) for free
  • Hard to block for security admins
  • TOR is designed to resist blocking
  • E.g. Skynet: C&C over IRC on a TOR hidden service
• P2P botnet infrastructure (e.g. Zeus P2P)
  • Often used together with other C&C techniques (e.g. a central C&C server)
  • One or the other is used as fallback if the primary C&C is taken down by law enforcement
  • Disadvantage for the attacker: easier to detect, as the P2P traffic often uses a custom port range rather than TCP 80/443
Botnet – A Malware Business Solution
Putting it all together
[Diagram: Attacker -> TOR / VPN / P2P / crypto -> Internet. Malware distribution via WEB / P2P (drive-by download, any other client-side attack) infects the victim(s). The Command and Control channel runs from the victims via FF/DGA to the Command & Control Server(s) and/or Dropzone (sometimes just other bots). A Money Mule does the money laundering.]
Targets and Future
• Is it an MS Windows-only issue?
  - Well, it used to be, but…
  - Mobile botnets and malware are on the rise, especially on Android
    - Cutwail botnet, Neverquest, MisoSMS, MDK, SMSsend, …
    - SMS fraud, stealing contacts, activating the microphone, GPS tracking, making calls, …
    - Mixed-OS botnets are targeting today's banking security, e.g. mTAN (the SMS second factor is intercepted on the infected phone)
  - OS X botnets and malware are on the rise too
    - Flashback, Yontoo.1, KitM.A, Imuler.C, Tsunami, FBI ransomware
  - Intelligence agencies backdooring network devices
  - IoT … 100,000 smart TVs, refrigerators, .. found in a spam botnet in Dec 2013
Botnet Demo…
Let’s have a look at the dark side
Stop boring me,
demo it !
Cisco Security Portfolio
Multi-Layer Defense in Depth
ATTACK CONTINUUM:
  BEFORE – Control, Enforce, Harden
  DURING – Detect, Block, Defend
  AFTER – Scope, Contain, Remediate
Products:
  ASA
  Firepower Services on ASA
  Email Security (ESA)
  Web Security (WSA/CWS)
  Sourcefire NG IPS
  Sourcefire Advanced Malware Protection (AMP)
  Cyber Threat Defense (CTD)
  ThreatGrid (Sandboxing)
Cisco NGIPS Best-in-Class
Sourcefire has been a leader in the Gartner Magic Quadrant for IPS since 2006.
Source: Gartner (December 2013)
Global Product Leadership Award for IPS 2013
Frost & Sullivan
• Leading Threat Prevention
• Best-in-Class Performance
• Advanced Malware Protection
• Scalable FirePOWER™ platform
• Flexibility for NGIPS or NGFW
“Sourcefire NGIPS products provide exceptional customer value in terms of
deployment flexibility, adaptability, and performance. …it is Sourcefire’s dedication
to understanding, detecting, and blocking the most advanced threats facing
enterprise networks that enables these products to stand out amongst the
competition.”
Source: Frost & Sullivan “2013 Global Intrusion Prevention Systems Product Leadership Award” May 2013
Cisco NGIPS Best-in-Class
• Best Threat Effectiveness
• Highest Throughput
• Most Sessions
• Best Value (TCO)
Top Ratings (Sourcefire 8260)*
• 98.9% detection & protection
• 34 Gbps inspected throughput
• 60M concurrent connections
• $15 TCO / protected Mbps (lowest TCO/protected Mbps)
*NSS Labs 2012 Network IPS Product Analysis Report
"For the past five years, Sourcefire has consistently achieved excellent results in security effectiveness based on our real-world evaluations of exploit evasions, threat block rate and protection capabilities.”
Vikram Phatak, CTO NSS Labs, Inc.
Cisco NGFW Best-TCO-in-Class
September 2014
Thank you.
Botnet – C & C Obfuscation
Domain Generation Algorithms (DGA)
• Very small time window for researchers to find the hidden C2 server or set up sinkholes
  • E.g. the majority of Kelihos domains have a lifetime of 1 day or less
  • 900+ fast flux domains and subdomains were used by Kelihos malicious campaigns from mid-summer 2013 to December 2013
• Kraken and Conficker were among the first malware families to use a DGA (~2008)
• Today's malware uses on-the-fly replaceable DGA modules
• Sometimes used as a backup channel for P2P-based bots for their C&C traffic
Botnet Basics
Web Injects
Man-in-the-Browser attack by the bot (trojan): the malware hooks the browser and modifies web pages (e.g. online banking forms) after they have been decrypted and before they are rendered, so neither TLS nor the bank's server sees the change.
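How a web inject rule rewrites a page, as an added example (written for this page; it is not code from Zeus, SpyEye or any other kit). The rule syntax follows the publicly documented Zeus-style webinject format (set_url, data_before / data_inject / data_after, data_end); the bank URL, the rule and the HTML are constructed sample data. The last two functions are the defender's side: comparing the form fields the server actually sent with what ends up in the browser's DOM exposes an injected field such as the extra PIN prompt.

```python
"""Web inject (Man-in-the-Browser) rule engine plus a DOM integrity check (added example).

Illustrative code for this page. The rule format is modelled on the public
Zeus-style webinject syntax; rule, URL and HTML below are constructed.
"""
import re
from fnmatch import fnmatchcase

# Constructed sample rule: add a "PIN" field right after the password field of
# the login form. An empty data_after means "insert directly after data_before".
SAMPLE_INJECTS = """\
set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_inject
<label for="pin">ATM PIN</label><input type="text" name="pin" id="pin">
data_end
data_after
data_end
"""

# Constructed sample page exactly as the bank's server sent it.
ORIGINAL_HTML = """\
<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="pass">
<button>Sign in</button>
</form>
"""


def parse_webinjects(text: str) -> list:
    """Parse set_url / data_* blocks into a list of rule dicts."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end" and current is not None and section:
            current[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def _wild(pattern: str):
    """Kit-style pattern: literal text with '*' as a non-greedy wildcard."""
    return re.compile(re.escape(pattern).replace(r"\*", ".*?"), re.DOTALL)


def apply_webinjects(rules: list, url: str, html: str) -> str:
    """Rewrite `html` the way the bot would before the browser renders it."""
    for rule in rules:
        if not fnmatchcase(url, rule["url"]) or not rule["before"]:
            continue
        m_before = _wild(rule["before"]).search(html)
        if not m_before:
            continue
        start = end = m_before.end()
        if rule["after"]:
            m_after = _wild(rule["after"]).search(html, start)
            if not m_after:
                continue
            end = m_after.start()   # content between before and after is replaced
        html = html[:start] + rule["inject"] + html[end:]
    return html


_FIELD = re.compile(r"<input\b[^>]*\bname=[\"']([^\"']+)[\"']", re.IGNORECASE)


def form_fields(html: str) -> set:
    """Names of all <input> elements in a page."""
    return set(_FIELD.findall(html))


def unexpected_fields(served_html: str, rendered_html: str) -> set:
    """Defender-side check: input names in the DOM that the server never sent."""
    return form_fields(rendered_html) - form_fields(served_html)


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_INJECTS)
    rendered = apply_webinjects(rules, "https://bank.example/login?lang=en", ORIGINAL_HTML)
    print(rendered)
    print("injected fields:", unexpected_fields(ORIGINAL_HTML, rendered))
```

The server-side log of the form it served and a client-side snapshot of the rendered form are the two inputs such an integrity check needs; a field name that exists only in the browser is the signature of an inject, whatever the kit.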
2013/14 – A good year for the Feds
Skynet Gang – arrested by GSG9 in December 2013
Paunch – Blackhole EK – arrested in October 2013
Carberp Gang – arrested in April 2013
Bx1 – SpyEye – arrested in January 2013
Gribodemon – SpyEye Trojan – arrested in June 2013
…and others, e.g. Mariposa mastermind Iserdo sentenced to 5 yrs in Dec 2013 …
… Farid Essebar (Diabl0) (Zotob Worm in 2005, Swiss Bank 2013, $4 billion worth of damage) arrested (again) in Bangkok in March 2014…
Botnet – C & C Obfuscation
DNS Refresher – Resource Records (RR)
[Diagram: Client -> Client's SP DNS -> Root DNS / .com DNS / ns1.mydomain.com (16.16.16.16) -> WWW Server www.mydomain.com (1.1.1.1)]
Zone of mydomain.com (Name, TTL in seconds, class, RR type, data):
www.mydomain.com.  3600  IN A  1.1.1.1
ns1.mydomain.com.  86400 IN A  16.16.16.16
mydomain.com.      86400 IN NS ns1.mydomain.com.
A record = name to IPv4 address mapping
AAAA record = name to IPv6 address mapping
CNAME = alias: maps one name to another (canonical) name, which is then resolved to its own A, AAAA, … records
PTR = IP to name mapping (reverse DNS)
NS record = name server for the domain
MX record = mail server for the domain
TTL (Time To Live) = number of seconds a resolver may cache the entry before it is removed from the cache
Botnet – C & C Obfuscation
DNS Refresher – Name Resolution
Records involved:
www.mydomain.com.   3600  IN A  1.1.1.1
ns1.mydomain.com.   86400 IN A  16.16.16.16
mydomain.com.       86400 IN NS ns1.mydomain.com.
com.                86400 IN NS g.gtld-servers.net.
g.gtld-servers.net. 86400 IN A  192.42.93.30 …
Step by step (the client's SP DNS resolves recursively, the other servers answer for their zones):
1. Client -> Client's SP DNS: www.mydomain.com ?
2. SP DNS -> Root DNS: www.mydomain.com ? Answer: Ask g.gtld-servers.net (the .com name server)
3. SP DNS -> .com DNS (g.gtld-servers.net): www.mydomain.com ? Answer: Ask ns1.mydomain.com
4. SP DNS -> ns1.mydomain.com: www.mydomain.com ? Answer: www.mydomain.com = 1.1.1.1 (TTL=3600)
5. SP DNS caches www.mydomain.com = 1.1.1.1 for 3600 seconds and answers the client: www.mydomain.com = 1.1.1.1
Botnet – C & C Obfuscation
DNS Refresher – Round Robin DNS
The same name is published with several A records; the WWW server www.mydomain.com is reachable at 1.1.1.1 / 2.2.2.2 / 3.3.3.3:
www.mydomain.com. 3600 IN A 1.1.1.1
www.mydomain.com. 3600 IN A 2.2.2.2
www.mydomain.com. 3600 IN A 3.3.3.3
Round Robin DNS in practice:
> nslookup www.google.com
173.194.65.113
173.194.65.101
173.194.65.138
173.194.65.102
173.194.65.139
173.194.65.100
Botnet – C & C Obfuscation
Double Fast Flux
Not only the A record of the C&C front-end changes; the name servers of the zone change their addresses too (the NS records point to names, and the A records of those names are fluxed as well). Note the TTLs: 177 seconds on the server record, 854 seconds on the name server records, 108877 seconds on the NS delegation itself.
Initial state:
server.doubleflux.com.  177    IN A  4.4.4.4
ns1.doubleflux.com.     854    IN A  15.15.15.15
ns2.doubleflux.com.     854    IN A  16.16.16.16
doubleflux.com.         108877 IN NS ns1.doubleflux.com.
doubleflux.com.         108877 IN NS ns2.doubleflux.com.
After 4 minutes:
server.doubleflux.com.  177    IN A  5.5.5.5
ns1.doubleflux.com.     854    IN A  15.15.15.15
ns2.doubleflux.com.     854    IN A  16.16.16.16
doubleflux.com.         108877 IN NS ns1.doubleflux.com.
doubleflux.com.         108877 IN NS ns2.doubleflux.com.
After 90 minutes:
server.doubleflux.com.  177    IN A  6.6.6.6
ns1.doubleflux.com.     854    IN A  27.27.27.27
ns2.doubleflux.com.     854    IN A  38.38.38.38
doubleflux.com.         108877 IN NS ns1.doubleflux.com.
doubleflux.com.         108877 IN NS ns2.doubleflux.com.
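Telling fast flux and double flux apart from ordinary round-robin DNS, as an added example serving both the Fast Flux slides and the Double Fast Flux slide above (illustrative code written for this page, not from the deck or any vendor product). The three observation sets are constructed from the deck's own records: the single flux rotation 1.1.1.1-3.3.3.3 -> 4.4.4.4-6.6.6.6 with TTL 1800, the double flux zone doubleflux.com, and the www.google.com round-robin answer. The ns.hu.bulletproof.com name server, the 300-second TTL on the Google records and the 1800-second "low TTL" threshold are assumptions; the threshold in particular has to be tuned against a baseline of legitimate CDN names, which also use low TTLs.

```python
"""Fast-flux / double-flux scoring from a sequence of DNS observations (added example).

Illustrative code for this page. Observations are zone-file style RR lines
collected by repeatedly resolving the same name; constructed sample data below.
"""
from dataclasses import dataclass, field


@dataclass
class Observation:
    """One resolver snapshot: seconds since the first lookup plus the RRs seen."""
    t: int
    a_records: list                                   # A records of the C&C name
    ns_a_records: list = field(default_factory=list)  # A records of the zone's name servers


@dataclass
class FluxReport:
    verdict: str          # "static", "round-robin", "fast-flux" or "double-flux"
    distinct_ips: int
    ip_churn: int         # snapshots that introduced never-seen addresses
    ns_distinct_ips: int
    ns_churn: int
    min_ttl: int


def parse_rr(line: str) -> tuple:
    """'name TTL IN TYPE rdata' -> (name, ttl, type, rdata)."""
    name, ttl, _cls, rtype, rdata = line.split(None, 4)
    return name, int(ttl), rtype, rdata


def classify(observations: list, low_ttl: int = 1800) -> FluxReport:
    """Low TTL alone is not enough (CDNs use it too); flux needs address churn.

    Churn in the name's A records with a low TTL -> fast-flux; churn in the
    name servers' addresses on top of that -> double-flux. A stable set of
    several addresses is plain round-robin.
    """
    seen_ips, seen_ns = set(), set()
    ip_churn = ns_churn = 0
    min_ttl = None
    for obs in sorted(observations, key=lambda o: o.t):
        a_rrs = [parse_rr(l) for l in obs.a_records]
        ips = {rdata for _, _, rtype, rdata in a_rrs if rtype == "A"}
        ns_ips = {rdata for _, _, rtype, rdata in map(parse_rr, obs.ns_a_records) if rtype == "A"}
        if seen_ips and ips - seen_ips:
            ip_churn += 1
        if seen_ns and ns_ips - seen_ns:
            ns_churn += 1
        seen_ips |= ips
        seen_ns |= ns_ips
        for _, ttl, rtype, _ in a_rrs:
            if rtype == "A":
                min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
    low = min_ttl is not None and min_ttl <= low_ttl
    if low and ip_churn and ns_churn:
        verdict = "double-flux"
    elif low and ip_churn:
        verdict = "fast-flux"
    elif len(seen_ips) > 1:
        verdict = "round-robin"
    else:
        verdict = "static"
    return FluxReport(verdict, len(seen_ips), ip_churn, len(seen_ns), ns_churn, min_ttl or 0)


# Constructed from the Fast Flux slides (name server address is an assumption).
SINGLE_FLUX = [
    Observation(0, ["server.hu.bulletproof.com. 1800 IN A 1.1.1.1",
                    "server.hu.bulletproof.com. 1800 IN A 2.2.2.2",
                    "server.hu.bulletproof.com. 1800 IN A 3.3.3.3"],
                ["ns.hu.bulletproof.com. 86400 IN A 9.9.9.9"]),
    Observation(1800, ["server.hu.bulletproof.com. 1800 IN A 4.4.4.4",
                       "server.hu.bulletproof.com. 1800 IN A 5.5.5.5",
                       "server.hu.bulletproof.com. 1800 IN A 6.6.6.6"],
                ["ns.hu.bulletproof.com. 86400 IN A 9.9.9.9"]),
]

# Constructed from the Double Fast Flux slide (t=0, after 4 min, after 90 min).
DOUBLE_FLUX = [
    Observation(0, ["server.doubleflux.com. 177 IN A 4.4.4.4"],
                ["ns1.doubleflux.com. 854 IN A 15.15.15.15", "ns2.doubleflux.com. 854 IN A 16.16.16.16"]),
    Observation(240, ["server.doubleflux.com. 177 IN A 5.5.5.5"],
                ["ns1.doubleflux.com. 854 IN A 15.15.15.15", "ns2.doubleflux.com. 854 IN A 16.16.16.16"]),
    Observation(5400, ["server.doubleflux.com. 177 IN A 6.6.6.6"],
                ["ns1.doubleflux.com. 854 IN A 27.27.27.27", "ns2.doubleflux.com. 854 IN A 38.38.38.38"]),
]

# Constructed from the round robin slide; same six addresses on every lookup (TTL assumed).
_GOOGLE = ["www.google.com. 300 IN A 173.194.65.%d" % o for o in (113, 101, 138, 102, 139, 100)]
ROUND_ROBIN = [Observation(0, _GOOGLE), Observation(300, _GOOGLE), Observation(3600, _GOOGLE)]

if __name__ == "__main__":
    for label, obs in (("single flux", SINGLE_FLUX), ("double flux", DOUBLE_FLUX), ("google", ROUND_ROBIN)):
        print(label, classify(obs))
```

In practice the observations come from passive DNS or from a resolver log, and the churn counters are what separate a fluxed C&C name from a legitimate low-TTL service: the Google answer has a low TTL and six addresses but never introduces a new one.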
Does that mean we don't need firewalls anymore?
No, of course not. Even if today's cars have airbags you don't want to remove the bumper!
Cisco Security Portfolio
Multi-Layer Defense in Depth
ATTACK CONTINUUM:
  BEFORE – Control, Enforce, Harden
  DURING – Detect, Block, Defend
  AFTER – Scope, Contain, Remediate
Products:
  ASA
  Sourcefire NG IPS
  Web Security (WSA/CWS)
  Email Security (ESA)
  Sourcefire Advanced Malware Protection (AMP)
  Cyber Threat Defense (CTD)
Cisco Security Portfolio
Products targeting advanced threats
Cyber Threat Defense
(CTD)
Network behavior based threat
detection without any signatures
Cisco Security Portfolio
Products targeting advanced threats
Sourcefire
(IPS/AMP)
Additional Resources and Key contacts
Sourcefire VRT blog
http://vrt-blog.snort.org/
Cisco Security
www.cisco.com/go/security
Key Takeaways
• Attackers are thinking out of the box, do the same
• Use advanced behavior-based detection tools (e.g. Cyber Threat Defense, Sourcefire AMP)
• Use a multi-layer security architecture
• Attack continuum – BEFORE, DURING, AFTER
• Perimeter security devices are not obsolete, they are just the first line of defense
• For detecting advanced threats (APT) you need advanced people!