Fighting the. Botnet Ecosystem. Renaud BIDOU. Page 1

Transcription

1 Fighting the Botnet Ecosystem Renaud BIDOU Page 1

2 Bots, bots, bots Page 2

3 Botnet classification Internal Structure Command model Propagation mechanism 1. Monolithic Coherent, all features in one binary Evolution may not be trivial Kaiten, SDBot, Spybot 2. Modular Evolution voluntarily made easy Choice of appropriate language (C++) AgoBot 3. Barnum Set of heterogeneous scripts Often relies on local interpreters PHP bots, GTBot Page 3

4 Botnet classification Internal Structure Command model Propagation mechanism 1. No control Automated behavior Less flexible, more resistant Morris worm, CodeRed 2. Public infrastructure Reliable and «anonymous» Mostly IRC, P2P upcoming 95% of botnets 3. Private CC Channel Usually based on covert channels Better stealth at short term Sobig Page 4

5 Botnet classification Internal Structure Command model Propagation mechanism 1. No No propagation function Relies on 3rd party Kaiten 2. Single Exploits one specific vulnerability May need human action CodeRed, Netsky, Mytob 3. Modular Use of multiple exploits Transported by different vectors Morris worm, SDBot, MPack Page 5

6 Short botnet history 1988 Morris Worm Multiple vectors propagation «Unvoluntarily» blocked the internet Page 6

7 Short botnet history 1988 Morris Worm 1993 EggDrop Multiple vectors propagation «First Unvoluntarily «real» worm» blocked the internet Propagated through IRC channels Page 7

8 Short botnet history 1988 Morris Worm 1993 EggDrop 1998 GTBot Multiple vectors propagation «First Unvoluntarily «real» worm» blocked the internet Propagated First bot based through on IRC C&C channels Channel Competition with PrettyPark for the title Page 8

9 Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm 2000 Major DDoS Multiple vectors propagation «Unvoluntarily» blocked the internet Propagated First bot based through on IRC C&C channels Channel Competition First visible with DDoS PrettyPark for dummies for the title Trin00, TFN, Stacheldraht Page 9

10 Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm 2000 Major DDoS 2001 CodeRed Multiple vectors propagation «Unvoluntarily» blocked the internet Propagated First bot based through on IRC C&C channels Channel Competition First visible with DDoS PrettyPark for dummies for the title Trin00, First «TFN, large Stacheldraht scale» worm Failed to DoS white house web site Page 10

11 Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm 2000 Major DDoS Propagated through IRC channels First 2001 visible CodeRed DDoS for dummies 2002 Rise of the Giants Multiple vectors propagation «Unvoluntarily» blocked the internet First bot based on IRC C&C Channel Competition with PrettyPark for the title Trin00, First «TFN, large Stacheldraht scale» worm Failed AgoBot to DoS Professional white house design web site SDBot Still the most popular IRC bot Page 11

12 Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm Propagated First 2000 bot based Major through on DDoS IRC C&C channels Channel First 2001 visible CodeRed DDoS for dummies Trin00, First 2002 «TFN, large Rise Stacheldraht scale of the» worm Giants 2003 Mass mailing worms Multiple vectors propagation «Unvoluntarily» blocked the internet Competition with PrettyPark for the title Failed AgoBot First to «large DoS Professional white scale house» worm design web site SDBot Failed PoC : to Melissa, Still DoSthe white «most I love house popular you web» IRC sitebot Netsky, Mytob Page 12

13 Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm Propagated First 2000 bot based Major through on DDoS IRC C&C channels Channel First 2001 visible CodeRed DDoS for dummies Trin00, First 2002 «TFN, large Rise Stacheldraht scale of the» worm Giants AgoBot 2003 First «large Mass Professional scale mailing» worm design worms 2004 Witty Multiple vectors propagation «Unvoluntarily» blocked the internet Competition with PrettyPark for the title Failed to DoS white house web site SDBot Failed PoC : to Melissa, Still DoSthe white «most I love house popular you web» IRC sitebot Netsky, First «Mytob 0-day» worm Launched 36 hours after discovery Page 13

14 Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm Propagated First 2000 bot based Major through on DDoS IRC C&C channels Channel Competition First 2001 visible CodeRed with DDoS PrettyPark for dummies for the title Trin00, First 2002 «TFN, large Rise Stacheldraht scale of the» worm Giants Failed AgoBot 2003 First to «large DoS Mass Professional white scale mailing house» worm design worms web site SDBot Failed PoC 2004 : to Melissa, Witty Still DoSthe white «most I love house popular you web» IRC sitebot Since 2005 The Botnet Ecosystem Multiple vectors propagation «Unvoluntarily» blocked the internet Netsky, First «Mytob 0-day» worm Launched Turning technology 36 hours after intodiscovery money A new actor on the field : organized crime No more «state of the art» research Evolution and variant of existing technologies Short-term exploits Page 14

15 Birth and growth of a botnet Page 15

16 Ecosystem actors The Good The Bad «Innocent» Systems Malicious Systems The Ugly 0-day, botnet, malware «markets» Page 16

17 Birth of a worm-based botnet Markets BUY ATTACK C&C Botnet Page 17

18 Birth of a botnet via spam Markets Relays BUY ATTACK C&C Botnet Page 18

19 Birth of a MPack-like botnet Markets Relays BUY SET C&C Botnet Page 19

20 Extending the botnet Basic propagation [urx] #foobar :.advscan lsass r -s PRIVMSG #foobar :[lsass]: Exploiting IP: XXX PRIVMSG #foobar :[TFTP]: File transfer started SDBot Page 20

21 Extending the botnet Advanced propagation WAREZ SITE harvest.cdkeys AgoBot Page 21

22 Into the Ecosystem Page 22

23 Making money with botnets Direct cash generation Spam Impacting stock values Stealing credential (phishing) «Nigerian scam» Advertisement Extorsion DDoS Private data stealth On-demand Hacking Page 23

24 Making money with botnets Botnet market Renting the botnet & services Time limited DoS generator Mail relays & spam campains Proxy chains to provide anonymity Advertisement via pop-ups Malware distribution Technology markets 0-day markets Corporate vs. Underground «Promoted» by security laws IE vulnerability ~ $ Tools / malware market «Hacking for dummies» MPack ~ 500 $ Page 24

25 Mapping the threat Map of the ecosystem Client-side vulnerability Most of current security concerns are involved in the ecosystem Page 25

26 Hurting the ecosystem Laws Financial Common laws against crime money Increase risks ad reduce interest for criminals Falls into organized crime prevention methods Efficient for «big» business not for $ exploits IT specific Illegal behaviors repression spam, intrusion etc. more or less effective Prevention of research Adopted by many countries Forbid security research and publication Leads to opposite effects, searchers going underground Page 26

27 Hurting the ecosystem Laws impact Client-side vulnerability No impact on operations Page 27

28 Hurting the ecosystem Education Computer security basics Anti-virus update Apply vendors security updates Relatively efficient Good usage of IT Do not click on everything! Avoid suspicious sites Only use legal software and licenses No illegal download of MP3, DivX Stop believing everybody wants to give you money! Merely useless : humans will be humans Page 28

29 Hurting the ecosystem Education impact Client-side vulnerability Mostly limited by lack of application kill users Page 29

30 Hurting the ecosystem Technologies Host-based technologies Local hygiene Patches,user accounts not admin, data encryption etc. Security technologies Anti-viruses, anti-spyware, HIPS, personal firewall Good efficiency but relies on end-user system Network-based technologies Traffic control Firewalls, NAC, Proxys Security enforcement Anti-Spam, IPS, URL filtering Efficient but very heterogeneous Page 30

31 Hurting the ecosystem Technology impact Client-side vulnerability Expensive and heterogeneous efficiency limited Page 31

32 Hurting the ecosystem All Together Client-side vulnerability The fight can be won Theoritically Page 32

33 The real world Reasons for a disaster Unlimited scope World-wide phenomenon reduces local laws impact International prosecution maybe impossible Everybody can be a victim enterprise, home users, universities etc. different level of education, security technologies etc. Global security impossible to provide Cost Management Lack of knowledge No one as a all-in-one solution Even if some claim they do Page 33

34 The command & control channel Page 34

35 Targeting the C&C Channel Strike to the heart Client-side vulnerability C&C channel is single point of failure Page 35

36 C&C characteristics Communication Protocols IRC 80% of current botnets Distributed and Reliable Clear text, most command known P2P Some experiments PhatBot (AgoBot variant) uses the WASTE network Probable future of IRC network Proprietary channels Usually based on Covert Channels and/or encryption Needs a «private» infrastructure Efficient at short-term but quickly blocked TOR to change this status Page 36

37 Blocking the C&C Prevention technologies Filtering Efficient against basic channels, who needs IRC anyway? Useless in all other cases Signatures Efficient against common commands issued through cleartext channels Efficient against major botnet variants Efficient to block most P2P communications Useless for encrypted and «home-made» channels Page 37

38 Blocking the C&C Prevention technologies Protocol anomalies Comes together with stateful analysis Efficient against covert channels Useless for other C&C channels Behavioral analysis Efficient in detecting abnormal use of legitimate traffic Relatively efficient against encrypted channels Useless against «low volume» C&C channels Page 38

39 Limitations Autonomous Botnets Few but famous : Morris Worm, CodeRed Definitely a pain AI to make them more and more dangerous Everybody s concern Channels to be blocked wherever computers are Unmanaged systems & networks will remain active One step behind anyway Prevention techniques are known Channels are designed to bypass Development takes time Page 39

40 Conclusion Page 40

41 Another never-ending story? Complete security is not realistic Prevention scope should be global Legal impact is long-term Secure behavior is becoming usual Most effects can be mitigated Botnet resources can be exhausted Page 41

42 Page 42