Fighting the. Botnet Ecosystem. Renaud BIDOU. Page 1

Similar documents
Endpoint Protection : Last line of defense?

CompTIA Security+ Malware. Threats and Vulnerabilities Vulnerability Management

Malware Research at SMU. Tom Chen SMU

Automating Security Response based on Internet Reputation

CompTIA E2C Security+ (2008 Edition) Exam Exam.

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

UTM 5000 WannaCry Technote

Intelligent and Secure Network

Dynamic Botnet Detection

How do you decide what s best for you?

Securing Information Systems

INDEX. browser-hijacking adware programs, 29 brute-force spam, business, impact of spam, business issues, C

Service Provider View of Cyber Security. July 2017

Security Architect Northeast US Enterprise CISSP, GCIA, GCFA Cisco Systems. BRKSEC-2052_c Cisco Systems, Inc. All rights reserved.

Symantec Protection Suite Add-On for Hosted Security

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Securing Your Business Against the Diversifying Targeted Attacks Leonard Sim

Massive Attack WannaCry Update and Prevention. Eric Kwok KL.CSE

Cyber Security. February 13, 2018 (webinar) February 15, 2018 (in-person)

CIH

Botnets: major players in the shadows. Author Sébastien GOUTAL Chief Science Officer

Is the Best Defense a Good Offense? Christopher T. Pierson, CIPP/US, CIPP/G James T. Shreve, CIPP/US, CIPP/IT

The Tension. Security vs. ease of use: the more security measures added, the more difficult a site is to use, and the slower it becomes

Security Awareness. Presented by OSU Institute of Technology

Next Generation Enduser Protection

CYBER ATTACKS DON T DISCRIMINATE. Michael Purcell, Systems Engineer Manager

IC B01: Internet Security Threat Report: How to Stay Protected

Office 365 Buyers Guide: Best Practices for Securing Office 365

Network Security Fundamentals

Who We Are! Natalie Timpone

MODERN DESKTOP SECURITY

CE Advanced Network Security Botnets

Training UNIFIED SECURITY. Signature based packet analysis

IBM Security Network Protection Solutions

The First 12. An Hour-by-Hour Breakdown of a Threat Actor Inside Your Environment. Dr. Chase Cunningham ECSA,

Enterprise D/DoS Mitigation Solution offering

May the (IBM) X-Force Be With You

ACS / Computer Security And Privacy. Fall 2018 Mid-Term Review

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Large-Scale Internet Crimes Global Reach, Vast Numbers, and Anonymity

RANSOMWARE PROTECTION. A Best Practices Approach to Securing Your Enterprise

Fast Deployment of Botnet Detection with Traffic Monitoring

The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company

The Bots Are Coming The Bots Are Coming Scott Taylor Director, Solutions Engineering

Ethical Hacking and Prevention

RSA Web Threat Detection

A Review Paper on Network Security Attacks and Defences

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Chapter 6 Network and Internet Security and Privacy

Introduction to Information Security Dr. Rick Jerz

NETWORK THREATS DEMAN

(Botnets and Malware) The Zbot attack. Group 7: Andrew Mishoe David Colvin Hubert Liu George Chen John Marshall Buck Scharfnorth

Improved C&C Traffic Detection Using Multidimensional Model and Network Timeline Analysis

Sizing and Scoping ecrime

Threat Landscape vs Threat Management. Thomas Ludvik Næss Country Manager

Bringing the Fight to Them: Exploring Aggressive Countermeasures to Phishing and other Social Engineering Scams

Securing the SMB Cloud Generation

THE ACCENTURE CYBER DEFENSE SOLUTION

Imperva Incapsula Website Security

Future-ready security for small and mid-size enterprises

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

Certified Cyber Security Analyst VS-1160

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Evolution of Spear Phishing. White Paper

Securing Your Amazon Web Services Virtual Networks

Changing face of endpoint security

How to Identify Advanced Persistent, Targeted Malware Threats with Multidimensional Analysis

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Fighting Spam, Phishing and Malware With Recurrent Pattern Detection

ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks

FIREWALL BEST PRACTICES TO BLOCK

Most Common Security Threats (cont.)

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Agile Security Solutions

Cyber Criminal Methods & Prevention Techniques. By

Fundamentals of Information Systems Security Lesson 5 Auditing, Testing, and Monitoring

Security Gap Analysis: Aggregrated Results

CHAPTER 8 SECURING INFORMATION SYSTEMS

Online Security and Safety Protect Your Computer - and Yourself!

The Cost of Phishing. Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015

Perimeter Defenses T R U E N E T W O R K S E C U R I T Y DEPENDS ON MORE THAN

3.5 SECURITY. How can you reduce the risk of getting a virus?

Security & Phishing

How We Delivered Compliance to a London-based Law Firm. A Network Security Project Case Study.

Panda Security 2010 Page 1

Discover threats quickly, remediate immediately, and mitigate the impact of malware and breaches

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

IBM Next Generation Intrusion Prevention System

Security. The DynaSis Education Series for C-Level Executives

The Credential Phishing Handbook. Why It Still Works and 4 Steps to Prevent It

Prevx 3.0 v Product Overview - Core Functionality. April, includes overviews of. MyPrevx, Prevx 3.0 Enterprise,

AURA ACADEMY Training With Expertised Faculty Call Us On For Free Demo

Securing Your Microsoft Azure Virtual Networks

ANATOMY OF AN ATTACK!

Beyond Firewalls: The Future Of Network Security

6 KEY SECURITY REQUIREMENTS

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Securing Office 365 & Other SaaS

Cybersecurity. You have been breached; What Happens Next THE CHALLENGE FOR THE FINANCIAL SERVICES INDUSTRY

Basic Concepts in Intrusion Detection

Transcription:

Fighting the Botnet Ecosystem Renaud BIDOU Page 1

Bots, bots, bots Page 2

Botnet classification Internal Structure Command model Propagation mechanism 1. Monolithic Coherent, all features in one binary Evolution may not be trivial Kaiten, SDBot, Spybot 2. Modular Evolution voluntarily made easy Choice of appropriate language (C++) AgoBot 3. Barnum Set of heterogeneous scripts Often relies on local interpreters PHP bots, GTBot Page 3

Botnet classification Internal Structure Command model Propagation mechanism 1. No control Automated behavior Less flexible, more resistant Morris worm, CodeRed 2. Public infrastructure Reliable and «anonymous» Mostly IRC, P2P upcoming 95% of botnets 3. Private CC Channel Usually based on covert channels Better stealth at short term Sobig Page 4

Botnet classification Internal Structure Command model Propagation mechanism 1. No No propagation function Relies on 3rd party Kaiten 2. Single Exploits one specific vulnerability May need human action CodeRed, Netsky, Mytob 3. Modular Use of multiple exploits Transported by different vectors Morris worm, SDBot, MPack Page 5

Short botnet history 1988 Morris Worm Multiple vectors propagation «Unvoluntarily» blocked the internet Page 6

Short botnet history 1988 Morris Worm 1993 EggDrop Multiple vectors propagation «First Unvoluntarily «real» worm» blocked the internet Propagated through IRC channels Page 7

Short botnet history 1988 Morris Worm 1993 EggDrop 1998 GTBot Multiple vectors propagation «First Unvoluntarily «real» worm» blocked the internet Propagated First bot based through on IRC C&C channels Channel Competition with PrettyPark for the title Page 8

Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm 2000 Major DDoS Multiple vectors propagation «Unvoluntarily» blocked the internet Propagated First bot based through on IRC C&C channels Channel Competition First visible with DDoS PrettyPark for dummies for the title Trin00, TFN, Stacheldraht Page 9

Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm 2000 Major DDoS 2001 CodeRed Multiple vectors propagation «Unvoluntarily» blocked the internet Propagated First bot based through on IRC C&C channels Channel Competition First visible with DDoS PrettyPark for dummies for the title Trin00, First «TFN, large Stacheldraht scale» worm Failed to DoS white house web site Page 10

Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm 2000 Major DDoS Propagated through IRC channels First 2001 visible CodeRed DDoS for dummies 2002 Rise of the Giants Multiple vectors propagation «Unvoluntarily» blocked the internet First bot based on IRC C&C Channel Competition with PrettyPark for the title Trin00, First «TFN, large Stacheldraht scale» worm Failed AgoBot to DoS Professional white house design web site SDBot Still the most popular IRC bot Page 11

Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm Propagated First 2000 bot based Major through on DDoS IRC C&C channels Channel First 2001 visible CodeRed DDoS for dummies Trin00, First 2002 «TFN, large Rise Stacheldraht scale of the» worm Giants 2003 Mass mailing worms Multiple vectors propagation «Unvoluntarily» blocked the internet Competition with PrettyPark for the title Failed AgoBot First to «large DoS Professional white scale house» worm design web site SDBot Failed PoC : to Melissa, Still DoSthe white «most I love house popular you web» IRC sitebot Netsky, Mytob Page 12

Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm Propagated First 2000 bot based Major through on DDoS IRC C&C channels Channel First 2001 visible CodeRed DDoS for dummies Trin00, First 2002 «TFN, large Rise Stacheldraht scale of the» worm Giants AgoBot 2003 First «large Mass Professional scale mailing» worm design worms 2004 Witty Multiple vectors propagation «Unvoluntarily» blocked the internet Competition with PrettyPark for the title Failed to DoS white house web site SDBot Failed PoC : to Melissa, Still DoSthe white «most I love house popular you web» IRC sitebot Netsky, First «Mytob 0-day» worm Launched 36 hours after discovery Page 13

Short botnet history 1988 Morris Worm 1993 EggDrop First 1998 «real GTBot» worm Propagated First 2000 bot based Major through on DDoS IRC C&C channels Channel Competition First 2001 visible CodeRed with DDoS PrettyPark for dummies for the title Trin00, First 2002 «TFN, large Rise Stacheldraht scale of the» worm Giants Failed AgoBot 2003 First to «large DoS Mass Professional white scale mailing house» worm design worms web site SDBot Failed PoC 2004 : to Melissa, Witty Still DoSthe white «most I love house popular you web» IRC sitebot Since 2005 The Botnet Ecosystem Multiple vectors propagation «Unvoluntarily» blocked the internet Netsky, First «Mytob 0-day» worm Launched Turning technology 36 hours after intodiscovery money A new actor on the field : organized crime No more «state of the art» research Evolution and variant of existing technologies Short-term exploits Page 14

Birth and growth of a botnet Page 15

Ecosystem actors The Good The Bad «Innocent» Systems Malicious Systems The Ugly 0-day, botnet, malware «markets» Page 16

Birth of a worm-based botnet Markets BUY ATTACK C&C Botnet Page 17

Birth of a botnet via spam Markets Relays BUY ATTACK C&C Botnet Page 18

Birth of a MPack-like botnet Markets Relays BUY SET C&C Botnet Page 19

Extending the botnet Basic propagation [urx]-700159 #foobar :.advscan lsass 200 5 0 -r -s PRIVMSG #foobar :[lsass]: Exploiting IP: 200.124.175.XXX PRIVMSG #foobar :[TFTP]: File transfer started SDBot Page 20

Extending the botnet Advanced propagation WAREZ SITE harvest.cdkeys AgoBot Page 21

Into the Ecosystem Page 22

Making money with botnets Direct cash generation Spam Impacting stock values Stealing credential (phishing) «Nigerian scam» Advertisement Extorsion DDoS Private data stealth On-demand Hacking Page 23

Making money with botnets Botnet market Renting the botnet & services Time limited DoS generator Mail relays & spam campains Proxy chains to provide anonymity Advertisement via pop-ups Malware distribution Technology markets 0-day markets Corporate vs. Underground «Promoted» by security laws IE vulnerability ~ 50.000 $ Tools / malware market «Hacking for dummies» MPack ~ 500 $ Page 24

Mapping the threat Map of the ecosystem Client-side vulnerability Most of current security concerns are involved in the ecosystem Page 25

Hurting the ecosystem Laws Financial Common laws against crime money Increase risks ad reduce interest for criminals Falls into organized crime prevention methods Efficient for «big» business not for 10.000$ exploits IT specific Illegal behaviors repression spam, intrusion etc. more or less effective Prevention of research Adopted by many countries Forbid security research and publication Leads to opposite effects, searchers going underground Page 26

Hurting the ecosystem Laws impact Client-side vulnerability No impact on operations Page 27

Hurting the ecosystem Education Computer security basics Anti-virus update Apply vendors security updates Relatively efficient Good usage of IT Do not click on everything! Avoid suspicious sites Only use legal software and licenses No illegal download of MP3, DivX Stop believing everybody wants to give you money! Merely useless : humans will be humans Page 28

Hurting the ecosystem Education impact Client-side vulnerability Mostly limited by lack of application kill users Page 29

Hurting the ecosystem Technologies Host-based technologies Local hygiene Patches,user accounts not admin, data encryption etc. Security technologies Anti-viruses, anti-spyware, HIPS, personal firewall Good efficiency but relies on end-user system Network-based technologies Traffic control Firewalls, NAC, Proxys Security enforcement Anti-Spam, IPS, URL filtering Efficient but very heterogeneous Page 30

Hurting the ecosystem Technology impact Client-side vulnerability Expensive and heterogeneous efficiency limited Page 31

Hurting the ecosystem All Together Client-side vulnerability The fight can be won Theoritically Page 32

The real world Reasons for a disaster Unlimited scope World-wide phenomenon reduces local laws impact International prosecution maybe impossible Everybody can be a victim enterprise, home users, universities etc. different level of education, security technologies etc. Global security impossible to provide Cost Management Lack of knowledge No one as a all-in-one solution Even if some claim they do Page 33

The command & control channel Page 34

Targeting the C&C Channel Strike to the heart Client-side vulnerability C&C channel is single point of failure Page 35

C&C characteristics Communication Protocols IRC 80% of current botnets Distributed and Reliable Clear text, most command known P2P Some experiments PhatBot (AgoBot variant) uses the WASTE network Probable future of IRC network Proprietary channels Usually based on Covert Channels and/or encryption Needs a «private» infrastructure Efficient at short-term but quickly blocked TOR to change this status Page 36

Blocking the C&C Prevention technologies Filtering Efficient against basic channels, who needs IRC anyway? Useless in all other cases Signatures Efficient against common commands issued through cleartext channels Efficient against major botnet variants Efficient to block most P2P communications Useless for encrypted and «home-made» channels Page 37

Blocking the C&C Prevention technologies Protocol anomalies Comes together with stateful analysis Efficient against covert channels Useless for other C&C channels Behavioral analysis Efficient in detecting abnormal use of legitimate traffic Relatively efficient against encrypted channels Useless against «low volume» C&C channels Page 38

Limitations Autonomous Botnets Few but famous : Morris Worm, CodeRed Definitely a pain AI to make them more and more dangerous Everybody s concern Channels to be blocked wherever computers are Unmanaged systems & networks will remain active One step behind anyway Prevention techniques are known Channels are designed to bypass Development takes time Page 39

Conclusion Page 40

Another never-ending story? Complete security is not realistic Prevention scope should be global Legal impact is long-term Secure behavior is becoming usual Most effects can be mitigated Botnet resources can be exhausted Page 41

Page 42

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback