An Eye on the Storm: Inside the Storm Epidemic. Josh Ballard Network Security Analyst Kansas State University

Similar documents
Norman presentation. From Storm to Waledac. By Hans Christoffer Gaardløs Hansen virus analyst, Norman ASA

(Botnets and Malware) The Zbot attack. Group 7: Andrew Mishoe David Colvin Hubert Liu George Chen John Marshall Buck Scharfnorth

DNS Security. Ch 1: The Importance of DNS Security. Updated

Synchronized Security

Avoiding Information Overload: Automated Data Processing with n6

BOTNET-GENERATED SPAM

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Application Firewalls

Zillya Internet Security User Guide

«On the Internet, nobody knows you are a dog» Twenty years later

4MMSR-Network Security Seminar. Peer-to-Peer Botnets: Overview and Case Study

Automating Security Response based on Internet Reputation

CSC 474/574 Information Systems Security

The evolution of malevolence

Peering into Botnets via Fast Flux Enumeration: The ATLAS Experience. Jose Nazario, Ph.D. FIRST 2008 NSM-SIG Vancouver

(Im)possibility of Enumerating Zombies. Yongdae Kim (U of Minnesota - Twin Cities)

The Interactive Guide to Protecting Your Election Website

Real Security. In Real Time. White Paper. Preemptive Malware Protection through Outbreak Detection

New Developments in the SpamPots Project

Beyond Blind Defense: Gaining Insights from Proactive App Sec

A Survey of Defense Mechanisms Against DDoS Flooding A

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Graph-based Detection of Anomalous Network Traffic

Global DDoS Threat Landscape

Cisco s Appliance-based Content Security: IronPort and Web Security

Endpoint Protection : Last line of defense?

Unit 4: Firewalls (I)

Global DDoS Measurements. Jose Nazario, Ph.D. NSF CyberTrust Workshop

Computer Security and Privacy

Why Firewalls? Firewall Characteristics

IoT - Next Wave of DDoS? IoT Sourced DDoS Attacks A Focus on Mirai Botnet and Best Practices in DDoS Defense

Feasibility study of scenario based self training material for incident response

CS Paul Krzyzanowski

A Practical (and Personal) Perspective on IPv6 for Servers. Geoff Huston June 2011

CompTIA E2C Security+ (2008 Edition) Exam Exam.

LEAVE THE TECH TO US BLACKBOX.COM/COALESCE

Chapter 4: Networking and the Internet. Network Classifications. Network topologies. Network topologies (continued) Connecting Networks.

Exam in Computer Networks

Identifying and Preventing Distributed-Denial-Of-Service Attacks

Bots Combine! : Behind the Modern Botnet. Andrea Sept 1, 2017

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy

Jianhui Zhang, Ph.D., Associate Prof. College of Computer Science and Technology, Hangzhou Dianzi Univ.

Temporal Correlations between Spam and Phishing Websites

Malware Research at SMU. Tom Chen SMU

CASE STUDY: REGIONAL BANK

A Comparative Analysis of the Resilience of Peer to Peer Botnets

CS System Security Mid-Semester Review

Intelligent and Secure Network

Internet Security: Firewall

Botnets: A Survey. Rangadurai Karthick R [CS10S009] Guide: Dr. B Ravindran

Anonymous Network Concepts & Implementation

Pass4suresVCE. Pass4sures exam vce dumps for guaranteed success with high scores

LEAVE THE TECH TO US BLACKBOX.EU

DNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited

Root KSK Roll Delay Update

Palo Alto Networks PCNSE7 Exam

Elastic Load Balancing

Intranets 4/4/17. IP numbers and Hosts. Dynamic Host Configuration Protocol. Dynamic Host Configuration Protocol. CSC362, Information Security

Protocol Layers, Security Sec: Application Layer: Sec 2.1 Prof Lina Battestilli Fall 2017

SECURITY & NETWORK WHITEPAPER

Incorporating Network Flows in Intrusion Incident Handling and Analysis

Chapter 4: Networking and the Internet. Figure 4.1 Network topologies. Network Classifications. Protocols. (continued)

Chapter 4: Networking and the Internet

inside: THE MAGAZINE OF USENIX & SAGE June 2002 volume 27 number 3 SECURITY PROTOWRAP by Gunnar Wolf

Herd Intelligence: true protection from targeted attacks. Ryan Sherstobitoff, Chief Corporate Evangelist

FloCon Netflow Collection and Analysis at a Tier 1 Internet Peering Point. San Diego, CA. Fred Stringer

COMPUTER NETWORK SECURITY

Introduction to Wireshark

Network Defenses 21 JANUARY KAMI VANIEA 1

WHITE PAPER HIGH-FIDELITY THREAT INTELLIGENCE: UNDERSTANDING FALSE POSITIVES IN A MULTI-LAYER SECURITY STRATEGY

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

UTM 5000 WannaCry Technote

CE Advanced Network Security Honeypots

Kaspersky Security Network

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Application Security. Rafal Chrusciel Senior Security Operations Analyst, F5 Networks

August 14th, 2018 PRESENTED BY:

Botnet Communication Topologies

Managing SonicWall Gateway Anti Virus Service

Grades of Service at a glance

4.1.3 Filtering. NAT: basic principle. Dynamic NAT Network Address Translation (NAT) Public IP addresses are rare

JPCERT/CC Incident Handling Report [October 1, 2015 December 31, 2015]

RSA Security Analytics

MANAGING ENDPOINTS WITH DEFENSE- IN-DEPTH

PrepAwayExam. High-efficient Exam Materials are the best high pass-rate Exam Dumps

CSC Network Security

Be certain. MessageLabs Intelligence: May 2006

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Security activities in Japan towards the future standardization. Cybersecurity

States, Companies Begin to Can Spam

Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras

CompTIA. SY0-401 EXAM CompTIA Security+ Certification Exam. m/ Product: Demo. For More Information:

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

Spring 2010 CS419. Computer Security. Vinod Ganapathy Lecture 14. Chapters 6 and 9 Intrusion Detection and Prevention

HX Grade of Service W3a & Sesat2 Middle East. 16 Jan 2008

SIEM (Security Information Event Management)

Transcription:

An Eye on the Storm: Inside the Storm Epidemic Josh Ballard Network Security Analyst Kansas State University bal@k-state.edu

Contents The Headlines Peer-to-peer network So just how big is this thing? How It Works: Update Process (deprecated) Control Architecture

The Headlines Bots Launching Storm Attacks Increase Dramatically Totaling 1.7 Million in June/July -- SecureWorks, 8/2/2007 The Storm botnet is enormous. Reasonable guesses would put it at around 5 or 10 million machines, but nobody can be exactly sure. -- MessageLabs 7/13/2007

The Headlines (cont.) those spikes are usually five to 10 times what we normally see, he said, noting he suspects the botnet could be as large as 50 million computers. --MessageLabs 9/6/2007 Storm Worm Botnet More Powerful Than Top Supercomputers -- InformationWeek via Prof. Peter Gutmann, Univ of Auckland

The Headlines (cont.) It's probably the largest collection of infected machines we've ever seen. -- Mikko Hypponen, F-Secure, Time Magazine

Where I m Coming From I m a protocol analyst (aka packet nerd) Protocol identification developer (http://hippie.oofle.com/) 7 years of research into protocol identification, with a heavy focus on peerto-peer

My Data Source In the first 2 weeks of distribution of the Storm worm, I started analyzing packets for this peer-to-peer botnet I realized I knew the protocol, and had the silly idea that maybe I could map the network, so I did.

Storm Peer-to-Peer Storm piggybacks an existing peer-to-peer network operating on the Overnet protocol This protocol and network are long dead, but there are a select few clients actually still running the network This creates an interesting challenge of setting apart the bot from the non-bot.

Exchange Mechanism Client starts with a preset list of seed peers. Client sends a Overnet connect packet to those hosts. Server responds with an acknowledgement of peering, and a list of peers the client might be interested in, based on its hash.

Exchange Mechanism (cont.) Client sends an Overnet search packet for its own hash out to the network, again soliciting more peers. Server responds with a list of peers who might be able to provide the answer to the search. Process is repeated until a maximum number of peering relationships are established

So How Big Is It? 11.5 million unique IP addresses since mid- April 6,000 average non-storm hosts online 240,000 peak users in 24 hours 90,000 average 24 hour usage today Smaller than the initial network after 1 month

May 2007

June 2007

July 2007

August 2007

September 2007

How It Works: Deprecated Update Process Once a client has reached a minimum peering point, it begins to search for updates. It chooses a number between 0-31, and generates a hash based on the date and that number, and begins searching for that hash. Controlling nodes on the network own those hashes for each day, and respond with update information. HTTP downloads ensue from encrypted URL returned.

How It Works: Control Architecture Storm now uses a tiered architecture for the control mechanism. Ultimately, there are two stages which interact on the botnet, and a third which does not.

Storm Control Stage 1 Stage 1 hosts are those which find themselves either behind a firewall (incoming connections blocked), or with RFC1918 addresses. This is the attacker stage, those hosts which carry out outbound attacks. These hosts are used as spam runners and DoS bots. Communicate up the chain to Stage 2 hosts via TCP communications.

Storm Control Stage 2 Storm Stage 2 nodes are those accessible from the outside world, but still not upper level control nodes. This is the relay or messenger stage of Storm. Stage 2 nodes will serve multiple purposes, from DNS for fast-flux domains, hosting for fast-flux, hosting for malware distribution, socks proxies, and TCP services for Stage 1 control. Stage 2 nodes are set to communicate to a Stage 3 control node, which is not represented on the p2p net.

Storm Control Stage 3 Likely non-compromised hosts rented/owned by the authors. Receives proxied web requests from Stage 2 nodes. Issues commands to Stage 2 nodes for them and their Stage 1 members.

Conclusions Ultimately, this malware is brilliantly designed. There have been many, many infected Storm hosts, but response has been good, and the network is not as advertised. This is not the end of the world as forecasted.

Questions? Attributions and Thanks: John Kristoff, NeuStar Ultra Services - Perl debugging and guidance Dave Monnier, REN-ISAC - Notifications and much more Wes Young, University of Buffalo - General Perl nerdery and help Many folks who wished to remain nameless for contributions of notification help, testing, packet captures, and many other things

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback