Fighting the Botnet Ecosystem Renaud BIDOU Page 1
Bots, bots, bots Page 2
Botnet classification Internal Structure Command model Propagation mechanism 1. Monolithic Coherent, all features in one binary Evolution may not be trivial Kaiten, SDBot, Spybot 2. Modular Evolution voluntarily made easy Choice of appropriate language (C++) AgoBot 3. Barnum Set of heterogeneous scripts Often relies on local interpreters PHP bots, GTBot Page 3
Botnet classification Internal Structure Command model Propagation mechanism 1. No control Automated behavior Less flexible, more resistant Morris worm, CodeRed 2. Public infrastructure Reliable and «anonymous» Mostly IRC, P2P upcoming 95% of botnets 3. Private CC Channel Usually based on covert channels Better stealth at short term Sobig Page 4
Botnet classification Internal Structure Command model Propagation mechanism 1. No No propagation function Relies on 3rd party Kaiten 2. Single Exploits one specific vulnerability May need human action CodeRed, Netsky, Mytob 3. Modular Use of multiple exploits Transported by different vectors Morris worm, SDBot, MPack Page 5
Short botnet history 1988 Morris Worm Multiple vectors propagation «Unvoluntarily» blocked the internet Page 6
Short botnet history 1988 Morris Worm 1993 EggDrop Multiple vectors propagation «First Unvoluntarily «real» worm» blocked the internet Propagated through IRC channels Page 7
Short botnet history 1988 Morris Worm 1993 EggDrop 1998 GTBot Multiple vectors propagation «First Unvoluntarily «real» worm» blocked the internet Propagated First bot based through on IRC C&C channels Channel Competition with PrettyPark for the title Page 8
Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm 2000 Major DDoS Multiple vectors propagation «Unvoluntarily» blocked the internet Propagated First bot based through on IRC C&C channels Channel Competition First visible with DDoS PrettyPark for dummies for the title Trin00, TFN, Stacheldraht Page 9
Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm 2000 Major DDoS 2001 CodeRed Multiple vectors propagation «Unvoluntarily» blocked the internet Propagated First bot based through on IRC C&C channels Channel Competition First visible with DDoS PrettyPark for dummies for the title Trin00, First «TFN, large Stacheldraht scale» worm Failed to DoS white house web site Page 10
Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm 2000 Major DDoS Propagated through IRC channels First 2001 visible CodeRed DDoS for dummies 2002 Rise of the Giants Multiple vectors propagation «Unvoluntarily» blocked the internet First bot based on IRC C&C Channel Competition with PrettyPark for the title Trin00, First «TFN, large Stacheldraht scale» worm Failed AgoBot to DoS Professional white house design web site SDBot Still the most popular IRC bot Page 11
Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm Propagated First 2000 bot based Major through on DDoS IRC C&C channels Channel First 2001 visible CodeRed DDoS for dummies Trin00, First 2002 «TFN, large Rise Stacheldraht scale of the» worm Giants 2003 Mass mailing worms Multiple vectors propagation «Unvoluntarily» blocked the internet Competition with PrettyPark for the title Failed AgoBot First to «large DoS Professional white scale house» worm design web site SDBot Failed PoC : to Melissa, Still DoSthe white «most I love house popular you web» IRC sitebot Netsky, Mytob Page 12
Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm Propagated First 2000 bot based Major through on DDoS IRC C&C channels Channel First 2001 visible CodeRed DDoS for dummies Trin00, First 2002 «TFN, large Rise Stacheldraht scale of the» worm Giants AgoBot 2003 First «large Mass Professional scale mailing» worm design worms 2004 Witty Multiple vectors propagation «Unvoluntarily» blocked the internet Competition with PrettyPark for the title Failed to DoS white house web site SDBot Failed PoC : to Melissa, Still DoSthe white «most I love house popular you web» IRC sitebot Netsky, First «Mytob 0-day» worm Launched 36 hours after discovery Page 13
Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm Propagated First 2000 bot based Major through on DDoS IRC C&C channels Channel Competition First 2001 visible CodeRed with DDoS PrettyPark for dummies for the title Trin00, First 2002 «TFN, large Rise Stacheldraht scale of the» worm Giants Failed AgoBot 2003 First to «large DoS Mass Professional white scale mailing house» worm design worms web site SDBot Failed PoC 2004 : to Melissa, Witty Still DoSthe white «most I love house popular you web» IRC sitebot Since 2005 The Botnet Ecosystem Multiple vectors propagation «Unvoluntarily» blocked the internet Netsky, First «Mytob 0-day» worm Launched Turning technology 36 hours after intodiscovery money A new actor on the field : organized crime No more «state of the art» research Evolution and variant of existing technologies Short-term exploits Page 14
Birth and growth of a botnet Page 15
Ecosystem actors The Good The Bad «Innocent» Systems Malicious Systems The Ugly 0-day, botnet, malware «markets» Page 16
Birth of a worm-based botnet Markets BUY ATTACK C&C Botnet Page 17
Birth of a botnet via spam Markets Relays BUY ATTACK C&C Botnet Page 18
Birth of a MPack-like botnet Markets Relays BUY SET C&C Botnet Page 19
Extending the botnet Basic propagation [urx]-700159 #foobar :.advscan lsass 200 5 0 -r -s PRIVMSG #foobar :[lsass]: Exploiting IP: 200.124.175.XXX PRIVMSG #foobar :[TFTP]: File transfer started SDBot Page 20
Extending the botnet Advanced propagation WAREZ SITE harvest.cdkeys AgoBot Page 21
Into the Ecosystem Page 22
Making money with botnets Direct cash generation Spam Impacting stock values Stealing credential (phishing) «Nigerian scam» Advertisement Extorsion DDoS Private data stealth On-demand Hacking Page 23
Making money with botnets Botnet market Renting the botnet & services Time limited DoS generator Mail relays & spam campains Proxy chains to provide anonymity Advertisement via pop-ups Malware distribution Technology markets 0-day markets Corporate vs. Underground «Promoted» by security laws IE vulnerability ~ 50.000 $ Tools / malware market «Hacking for dummies» MPack ~ 500 $ Page 24
Mapping the threat Map of the ecosystem Client-side vulnerability Most of current security concerns are involved in the ecosystem Page 25
Hurting the ecosystem Laws Financial Common laws against crime money Increase risks ad reduce interest for criminals Falls into organized crime prevention methods Efficient for «big» business not for 10.000$ exploits IT specific Illegal behaviors repression spam, intrusion etc. more or less effective Prevention of research Adopted by many countries Forbid security research and publication Leads to opposite effects, searchers going underground Page 26
Hurting the ecosystem Laws impact Client-side vulnerability No impact on operations Page 27
Hurting the ecosystem Education Computer security basics Anti-virus update Apply vendors security updates Relatively efficient Good usage of IT Do not click on everything! Avoid suspicious sites Only use legal software and licenses No illegal download of MP3, DivX Stop believing everybody wants to give you money! Merely useless : humans will be humans Page 28
Hurting the ecosystem Education impact Client-side vulnerability Mostly limited by lack of application kill users Page 29
Hurting the ecosystem Technologies Host-based technologies Local hygiene Patches,user accounts not admin, data encryption etc. Security technologies Anti-viruses, anti-spyware, HIPS, personal firewall Good efficiency but relies on end-user system Network-based technologies Traffic control Firewalls, NAC, Proxys Security enforcement Anti-Spam, IPS, URL filtering Efficient but very heterogeneous Page 30
Hurting the ecosystem Technology impact Client-side vulnerability Expensive and heterogeneous efficiency limited Page 31
Hurting the ecosystem All Together Client-side vulnerability The fight can be won Theoritically Page 32
The real world Reasons for a disaster Unlimited scope World-wide phenomenon reduces local laws impact International prosecution maybe impossible Everybody can be a victim enterprise, home users, universities etc. different level of education, security technologies etc. Global security impossible to provide Cost Management Lack of knowledge No one as a all-in-one solution Even if some claim they do Page 33
The command & control channel Page 34
Targeting the C&C Channel Strike to the heart Client-side vulnerability C&C channel is single point of failure Page 35
C&C characteristics Communication Protocols IRC 80% of current botnets Distributed and Reliable Clear text, most command known P2P Some experiments PhatBot (AgoBot variant) uses the WASTE network Probable future of IRC network Proprietary channels Usually based on Covert Channels and/or encryption Needs a «private» infrastructure Efficient at short-term but quickly blocked TOR to change this status Page 36
Blocking the C&C Prevention technologies Filtering Efficient against basic channels, who needs IRC anyway? Useless in all other cases Signatures Efficient against common commands issued through cleartext channels Efficient against major botnet variants Efficient to block most P2P communications Useless for encrypted and «home-made» channels Page 37
Blocking the C&C Prevention technologies Protocol anomalies Comes together with stateful analysis Efficient against covert channels Useless for other C&C channels Behavioral analysis Efficient in detecting abnormal use of legitimate traffic Relatively efficient against encrypted channels Useless against «low volume» C&C channels Page 38
Limitations Autonomous Botnets Few but famous : Morris Worm, CodeRed Definitely a pain AI to make them more and more dangerous Everybody s concern Channels to be blocked wherever computers are Unmanaged systems & networks will remain active One step behind anyway Prevention techniques are known Channels are designed to bypass Development takes time Page 39
Conclusion Page 40
Another never-ending story? Complete security is not realistic Prevention scope should be global Legal impact is long-term Secure behavior is becoming usual Most effects can be mitigated Botnet resources can be exhausted Page 41
Page 42