BOTNETS
Pius Ndebele, Yermek Sakiyev

How big is the problem?
• "The Storm worm botnet has grown so massive and far-reaching that it easily overpowers the world's top supercomputers... If you add up all 500 of the top supercomputers, it blows them all away with just 2 million of its machines. It's very frightening that criminals have access to that much computing power, but there's not much we can do about it."
• "An industrial control security researcher in Germany who has analyzed the Stuxnet computer worm is speculating that it may have been created to sabotage a nuclear plant in Iran."
• "Shockingly, botnets produce 95% of the world's spam and have infected around 100 million systems. It makes defending against botnets tough."

What is a botnet?

Life cycle
• Exploitation
• Securing the botnet
• Waiting for orders and getting the payload
• Reporting the results

Types of botnets
• IRC
• HTTP
• P2P

Fast flux networks
• An innovative technique built into DNS
• Used for load balancing
• Abused by criminals: they register thousands of IP addresses for one hostname and set the TTL to a very short time
• This makes it very hard to find the real IP addresses of the C&C

What can a botnet do?
• Recruit others
• DDoS
• Spam
• Phishing and identity theft

Motivation behind botnets: First Generation
Distribution/Platform: IRC / chat rooms and warez
DDoS: fun, demonstration of elite skill [l33t sk1llz, p0wnag3], political activism.
Examples: AOHell [1]
• Punter (IM-bomber), which would send an Instant Message containing HTML code to another user that would sign them off.
• Mail bomb: a script which would rapidly send e-mails to a user's inbox until it was full.
• Flooding script that would flood a chat room with ASCII art of an offensive nature.
• An 'artificial intelligence bot', which did not really contain artificial intelligence, but had the ability to automatically respond to a message in a chatroom upon identification of keywords. (For example, a 'profane language' autoresponse was built into the program.)
------------------------------------
[1] http://en.wikipedia.org/wiki/AOHell

Motivation behind botnets: Second Generation
Distribution/Platform: Worm/trojan with malicious payloads
Motive: Money; highly organized criminal organizations
Botnet avoiding Ukraine [6]. Why? Avoiding local law enforcement.
Conficker used the latest encryption algorithm, MD6 [submitted to NIST/FIPS]; a flaw was discovered and fixed in 16 days [2].
Examples:
• Storm: harvesting Personally Identifiable Information, raking in a suspected profit of $2m in 1 year [3]; DDoS against researchers investigating it [4]
• Koobface [5]: targeting social networks. Which one?
--------------------------------------
[2] http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/Timeline
[3] http://news.bbc.co.uk/2/hi/technology/7719281.stm
[4] http://boingboing.net/2007/10/24/stormworm-botnet-las.html
[5] http://www.infowar-monitor.net/reports/iwm-koobface.pdf
[6] http://en.wikipedia.org/wiki/Conficker

Motivation behind botnets: Third Generation
Distribution/Platform: Industrial systems; hardware- and firmware-based botnets
Potential political/economic 'cyberwar' or espionage
• Counterfeit networking gear (Cisco) sold to the DoE, US Air Force, Federal Aviation Administration and several universities [6]
• To counteract this, the NSA has its own chip fabrication plant [7] and a hardware/software certification program [8]
Example: Stuxnet [9], targeting Programmable Logic Circuits (PLC) in control systems sold to vendors in Finland and Iran. Specifically targeted were nuclear high-speed centrifugal motors.
--------------------------------------------------------
[6] http://www.popularmechanics.com/technology/gadgets/news/4253628
[7] http://en.wikipedia.org/wiki/National_Security_Agency
[8] http://www.nsa.gov/business/programs/tapo.shtml
[9] http://www.symantec.com/connect/blogs/stuxnet-breakthrough

Detection & Prevention Techniques

Detection techniques
Reactive:
• (N)(H)IDS
• External notifications (e.g. spamming friends, spam blacklists)
Proactive:
• Honeypots/honeynets (understanding internal workings; Torpig, Conficker)
Note: a honeypot has also been used to lure researchers to a fake C&C, to study their techniques and feed them fake statistics (exploitation rates for IE, PDF, Java vulnerabilities) [10]

Prevention techniques
Defense in depth [protection in layers]:
• Anti-malware [anti-virus, rootkit detectors]
• (N)(H)IPS
• Proxies; network and application [layer 3-7] firewalls (egress filtering)
• Policies (security, patching policy, computer use, e.g. use of USB media)
• Local legislature and international laws: used as severe punitive deterrents
New research points to new approaches like economics (incentives), psychology (
---------------------------------
[10] http://blog.tllod.com/2010/11/03/statistics-dont-lie-or-do-they/
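The fast flux slide names the tell-tale signs (one hostname, many addresses, very short TTL) and the detection slide lists IDS-style monitoring as a reactive measure. The Python below is an added example, not from the slides, that scores successive DNS answers for a hostname against those signs; the hostnames, addresses and thresholds are all constructed or assumed for illustration.

```python
from statistics import mean

# Constructed sample data (not real lookups): for each hostname, the A records and
# TTL returned by several successive resolutions of the same name.
SNAPSHOTS: dict[str, list[dict]] = {
    # stable host: the same two addresses every time, long TTL
    "static.benign.test": [
        {"ttl": 3600, "ips": ["203.0.113.10", "203.0.113.11"]},
        {"ttl": 3600, "ips": ["203.0.113.10", "203.0.113.11"]},
        {"ttl": 3600, "ips": ["203.0.113.11", "203.0.113.10"]},
    ],
    # fast-flux style host: short TTL, fresh addresses from several ranges on every lookup
    "update.flux.test": [
        {"ttl": 180, "ips": ["198.51.100.7", "192.0.2.33", "203.0.113.99"]},
        {"ttl": 120, "ips": ["192.0.2.140", "198.51.100.222", "203.0.113.5"]},
        {"ttl": 200, "ips": ["192.0.2.77", "198.51.100.8", "203.0.113.150"]},
    ],
}

# Thresholds are illustrative assumptions, not values taken from the slides.
MAX_TTL = 300         # seconds: flux hosts keep TTLs very short so changes propagate fast
MIN_DISTINCT_IPS = 5  # many addresses behind one name within a few lookups
MIN_PREFIXES = 3      # spread across unrelated /16 ranges (crude proxy for many networks)

def prefix16(ip: str) -> str:
    """First two octets of an IPv4 address, used as a stand-in for network diversity."""
    return ".".join(ip.split(".")[:2])

def flux_metrics(snapshots: list[dict]) -> dict:
    """Summarise how the answers for one hostname behave across successive lookups."""
    seen, prefixes, churn, previous = set(), set(), [], set()
    for snap in snapshots:
        current = set(snap["ips"])
        if previous:  # share of addresses that were not in the previous answer
            churn.append(len(current - previous) / len(current))
        seen |= current
        prefixes |= {prefix16(ip) for ip in current}
        previous = current
    return {"distinct_ips": len(seen), "distinct_prefixes": len(prefixes),
            "mean_ttl": mean(s["ttl"] for s in snapshots),
            "churn": mean(churn) if churn else 0.0}

def is_fast_flux(snapshots: list[dict]) -> bool:
    """Flag a name whose answers are short-lived, numerous and spread across ranges."""
    m = flux_metrics(snapshots)
    return (m["mean_ttl"] <= MAX_TTL and m["distinct_ips"] >= MIN_DISTINCT_IPS
            and m["distinct_prefixes"] >= MIN_PREFIXES)
```

Calling `is_fast_flux(SNAPSHOTS["update.flux.test"])` returns True while the stable host returns False; in practice the snapshots would come from a resolver log or passive DNS feed, and the churn value helps separate a flux host from a large CDN that also answers with many addresses but rotates them slowly.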