How are we protecting our organisations from being part of such a phenomenon?
Clinton Cutajar
Team Leader – Information Security ccutajar@computime.com.mt / info@clintoncutajar.com
Location – Malta, Europe
Academic
• M.Sc. Information Security
• B.Sc. IT (Hons) in Computer Science and AI
Industrial
• Check Point
• Juniper
• Cisco
• CISA
• CompTIA+
• Established in 1979.
• Systems integrator – 90 Employees.
• Dedicated Systems, Networking and Information Security teams.
• Projects in Malta, Europe and North Africa.
• Clientele – Banks, Insurance agencies, Financial, Government,
Education and more.
• Partners with Check Point, Juniper, Cisco, Splunk, Vasco, etc.
• A malicious piece of software with the ability to communicate with a command-and-control (C&C) infrastructure.
• Communication with C&C allows a bot agent to receive new instructions and malicious capabilities (plain text or encrypted).
• Compromised host used as an unwilling participant in Internet crime as soon as it is linked into a botnet via that same C&C.
• The methods botmasters use in their attacks to achieve their ultimate goals.
• Infecting new hosts
• Stealing personal information
• Phishing and SPAM proxy
• DDoS
• Several methods exist to deliver the bot agent to the victim:
• Compressed attachments
• Encrypted attachments
• Drive by download
• Infected USB drives
• Exploiting vulnerabilities within applications allowing remote code execution
• Banking details, social security numbers, etc.
• Details sold to crime masterminds
• Methods to steal data
• Key loggers
• MiB (Man in the Browser) attack
• Camera shots
• SPAM is the process of flooding the Internet with multiple copies of the same message.
• Mostly related to Sex/Dating and pharmaceutical products.
• Phishing makes use of fake emails routing victims to bogus websites to steal login credentials.
• Botmasters can sell SPAM services to third parties, using infected hosts to send the mails.
• A DoS (Denial of Service) attack seeks to render target systems inaccessible by exhausting all network resources.
• A DDoS attack is a DoS generated from different locations around the globe, making it difficult to isolate the particular IP addresses generating the malicious traffic.
• DoS targets availability.
Confidentiality and Integrity are not affected.
• IRC
• HTTP
• IM
• The botmaster selects a single high bandwidth host (usually compromised) to be the C&C.
• The infected host is preconfigured to “phone home” to this central C&C, registering itself as a botnet member and awaiting new instructions.
• Advantages:
- Rapid (low latency) data transfer
(commands and stolen data) due to direct communication
- Easy to implement
- Scalable to support large botnets
• Disadvantages:
- Blocking the central C&C shuts down the botnet.
• Integrates peer-to-peer (P2P) concepts into malicious software, increasing scalability and availability, making the botnet more resilient.
• The size of a P2P botnet is difficult to estimate, and shutting one down is difficult because no central hub can be pinpointed and disabled.
• The communication system does not rely on a single centralised server (which is easier to detect and shut down) but on P2P C&C destinations.
• A method by which new bots locate and join the botnet.
There are mainly three types of mechanism by which a bot can locate its C&C server:
• Hard coded IPs
• Dynamic DNS Domain
• Dynamic DNS servers
• Evasion techniques are ways to circumvent detection mechanisms that would otherwise identify communication between the bot-infected host and the C&C.
• Covert Channels
• VoIP
• Skype
• IPv6
• Fluxing
• Covert channels are ways of transferring instructions to the infected host without being detected.
• Embed instructions in valid web objects, pages and documents.
• Popular covert channels
• JPG Images (in EXIF information)
• Microsoft Word 2007 files (XML metadata)
• LinkedIn and Twitter status updates
• A newer way to allow C&C location resolution and failover resilience.
• Two types of fluxing:
• IP Flux : changing the IP address within a domain.
• Domain Flux : changing the DNS that is pointing to a particular IP.
• Both technologies are used by professional botmasters.
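A defender can spot both kinds of fluxing from resolver logs: a domain that keeps returning new low-TTL addresses (IP flux) and many domains collapsing onto the same address (domain flux). The detector below is an added example, not from the presentation; the log lines and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed resolver log (not real indicators): timestamp, queried domain, answer IP, TTL seconds.
DNS_LOG = """\
1300000000 update.example-cdn.test 203.0.113.10 300
1300000060 update.example-cdn.test 203.0.113.10 300
1300000120 update.example-cdn.test 203.0.113.10 300
1300000000 cc-node.flux.test 198.51.100.5 60
1300000060 cc-node.flux.test 198.51.100.77 60
1300000120 cc-node.flux.test 192.0.2.200 45
1300000180 cc-node.flux.test 198.51.100.5 60
1300000240 cc-node.flux.test 203.0.113.44 30
1300000000 a1.flux.test 198.51.100.9 120
1300000010 b7.flux.test 198.51.100.9 120
1300000020 c3.flux.test 198.51.100.9 120
1300000030 d9.flux.test 198.51.100.9 120
"""

def parse_dns_log(text):
    """Parse whitespace-separated log lines into (ts, domain, ip, ttl) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, domain, ip, ttl = line.split()
            records.append((int(ts), domain, ip, int(ttl)))
    return records

def find_ip_flux(records, min_ips=3, max_ttl=300):
    """IP flux: one domain answered with many distinct addresses, all with short TTLs."""
    ips = defaultdict(set)
    highest_ttl = defaultdict(int)
    for _, domain, ip, ttl in records:
        ips[domain].add(ip)
        highest_ttl[domain] = max(highest_ttl[domain], ttl)
    return sorted(d for d, s in ips.items()
                  if len(s) >= min_ips and highest_ttl[d] <= max_ttl)

def find_domain_flux(records, min_domains=3):
    """Domain flux: many distinct domains pointing at the same address."""
    domains = defaultdict(set)
    for _, domain, ip, _ in records:
        domains[ip].add(domain)
    return sorted(ip for ip, s in domains.items() if len(s) >= min_domains)
```

The thresholds (three addresses, five-minute TTL) are starting points; legitimate CDNs also rotate addresses, so hits should be correlated with the other checks on the following slides rather than blocked outright.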
ZEUS Banking Botnet
Rustock SPAM Botnet
LOIC Traffic Generator
Poison Ivy RAT
• Different vendors offering botnet related protection
Check Point with Anti-Bot blade
Cisco with Anti-Bot license and CSC-SSM
HP Tipping Point
ThreatSTOP DNS Service
McAfee Host security
• Frequency of db update / real-time query is very important
• Need to keep up with latest threats
• Update services
Check Point ThreatCloud
Cisco Signature Intelligence Operations (SIO)
• Inspects traffic when exiting firewall.
• For each flow, the Check Point Anti-Bot blade checks:
DNS
IP
Communication pattern
• A request is sent to ThreatCloud and the state is received back.
• On a positive match the traffic is dropped, denying the malicious communication.
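The three-stage check (DNS name, destination IP, communication pattern) against a reputation service, and the earlier point that the freshness of the reputation database matters, can be modelled in a few lines. This is an added illustration, not Check Point's implementation: the feed, the cached lookups and the HTTP patterns are all constructed stand-ins.

```python
import re

# Constructed threat intelligence (stands in for a vendor feed such as ThreatCloud; not real indicators).
FEED = {
    "domains": {"cc-node.flux.test"},
    "ips": {"198.51.100.77"},
    # "Communication pattern": request shapes typical of bot check-ins (constructed regexes).
    "patterns": [re.compile(r"^POST /gate\.php\b"), re.compile(r"User-Agent: BotAgent/\d+")],
}

def cloud_lookup(kind, value):
    """Stand-in for the real-time reputation query; returns 'malicious' or 'clean'."""
    if kind == "patterns":
        return "malicious" if any(p.search(value) for p in FEED["patterns"]) else "clean"
    return "malicious" if value in FEED[kind] else "clean"

class ReputationCache:
    """Local cache of cloud verdicts; entries older than max_age_s are re-queried."""
    def __init__(self, max_age_s):
        self.max_age_s = max_age_s
        self.entries = {}          # (kind, value) -> (state, fetched_at)

    def state(self, kind, value, now):
        key = (kind, value)
        if key in self.entries:
            state, fetched = self.entries[key]
            if now - fetched <= self.max_age_s:
                return state       # fresh enough: answer from cache
        state = cloud_lookup(kind, value)
        self.entries[key] = (state, now)
        return state

def inspect_flow(flow, cache, now):
    """Check DNS name, destination IP and request pattern in turn; drop on the first positive match."""
    for kind, field in (("domains", "dns"), ("ips", "dst_ip"), ("patterns", "request")):
        if cache.state(kind, flow[field], now) == "malicious":
            return ("drop", kind)
    return ("allow", None)
```

Running a flow twice across a feed update shows why a long cache lifetime is dangerous: a destination marked clean at first contact stays allowed until its entry expires, even after the feed learns it is a C&C.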
• Collaboration is required to fight computer crime.
• Need inputs from different areas.
• Provide changes and new information to customers as fast as possible.
• Can be compared to a human virus (e.g. swine flu), where different organisations collaborate to find a solution.
• RSA – organisation providing security tokens for two-factor authentication.
• Attack in Feb 2011 – devastating effect for RSA:
$60 million in damages
Loss of trust
• Final target of the attack – one of RSA's clients:
- Lockheed Martin – US Defence Contractor
• Operation b107
Takedown of Rustock botnet (SPAM).
Date of takedown - 2011.
Collaboration between security organisations.
The McColo datacentre knockout, famous for hosting master servers of botnets.
Taken offline by disconnecting McColo's uplinks, but a new uplink (TeliaSoneraCERT) allowed the botmaster to update the zombie army with the new C&C server location.
Definitive takedown by seizing physical servers in 7 US and 2 overseas hosting locations.
Spam rate decreased by 33.4%.
• A full holistic solution is required rather than just isolated security functionalities.
• Dual layer firewall (different vendors) to avoid possible vulnerabilities on a particular OS from being exploited.
• Multiple functionalities
On external firewall
Intrusion Prevention System (IPS)
Network Anti-Virus
Email filter (protecting from SPAM etc) in the DMZ
On internal firewall
URL Filtering
Application Control
Anti-Bot
• Reporting Tool to generate “readable” reports
• Host security to prevent infections when connected to guest internet
• Security is risk based, and it is impossible to be completely fail-proof.
• Even though security vendors are constantly studying and reverse engineering malicious applications to provide signatures for their products, there can still be the possibility that malicious communication manages to make it through the network protection.
• It is very important to deal with an experienced, well-established security vendor known to provide immediate support.
• Users must also collaborate by not running untrusted executables, which may easily be malware.
• Security is only as strong as its weakest link, the latter usually being the user (as we have seen in the RSA case).