Criminals in the Cloud:
 Past, Present, and Future
           Jim Lippard
Sr. Product Manager, IT Security
       EarthLink Business
Agenda
•   What is a botnet?
•   Bot Lifecycle
•   Botnet Ecosphere
•   Botnet History & Evolution
•   Defense
•   Offense
•   Future
•   Q&A
What is a botnet?
What is a botnet?
[Figure: two C&C topologies side by side, "Traditional C&C" (bots reporting to a central server) and "P2P C&C"]
What is a botnet?
Two general purposes of using botnets:

• Provide layers of separation/insulation between criminal
  actors and criminal acts.
• Provide a cloud computing platform for a wide variety of
  functions.

Neither requires that there be anything of interest on victim
computers.
Bot Lifecycle
•    Infection
•    Control
•    Commands
•    Detection
•    Notification
•    Removal
    (repeat)
Botnet Ecosphere
Social context: Botnets are created by human agents to
achieve some purpose.

Usually:
  1. Create botnet.
  2. ???
  3. Profit!

• What’s step 2?
• Do all of these steps need to be done by the same people?
• Who are these people?
Botnet Ecosphere
Some roles for division of criminal labor:
  •   Exploit/exploit pack developer
  •   Botherder/admin (manages botnet)
  •   Seller (drives traffic to exploit sites, paid per infection)
  •   Spammer (sender)
  •   Sponsor (spam ad buyer)
  •   Phisher
  •   Carder (trades in card data/makes counterfeits)
  •   Casher (takes out cash)
  •   Reshippers/mules (launder stolen goods/cash --
      WFH/GTJ)
Botnet Evolution: Overview
The convergence of DDoS tools, IRC
bots, P2P software, worms, and SaaS =
modern botnets
•   Early 1990s: IRC channel bots (e.g., eggdrop, mIRC scripts,
    ComBot, etc.).
•   Late 1990s: Denial of service tools (e.g., Trinoo, Tribal Flood
    Network, Stacheldraht, Shaft, etc.). Peer-to-peer file sharing tools.
•   2000: Merger of DDoS tools, worms, and rootkits (e.g.,
    Stacheldraht + t0rnkit + Ramen worm; Lion worm + TFN2K).
•   2002: IRC-controlled bots implementing DDoS attacks.
•   2003: IRC-controlled bots spread with worms and viruses,
    fully implementing DDoS, spyware, malware distribution
    activity. First P2P bots (Sinit, WASTE).
    (Timeline to this point: Dave Dittrich, “Invasion Force,” Information
    Security, March 2005, p. 30)
•   2003-present: Botnets used as a criminal tool for extortion,
    fraud, identity theft, computer crime, spam, and phishing.
Botnet Evolution: History
•   Dec. 1993: Eggdrop bot - Non-malicious, occasionally
    abused (Supported linking multiple bots by 1999)

•   April 1998: GTbot variants - Based on mIRC, malicious
    bots

•   1999: Sub7 trojan - Pretty Park worm, IRC listeners

•   May 1999: Napster - Non-malicious file sharing, hybrid
    P2P & client-server

•   March 2000: Gnutella - Non-malicious file sharing,
    decentralized P2P

•   April 2002: SDbot variants - Malicious bot with IRC
    client. Code made widely available.
Botnet Evolution: History
Aug 2002-Sep 2003: Sobig variants - Botnet used by Ruslan Ibragimov’s
send-safe spam operation
Botnet Evolution: History
•   Oct 2002: Agobot variants - (500+ by 2008), malicious
    bot w/modular design

•   Apr 2003: SpyBot variants - Derived from Agobot

•   May 2003: Nullsoft WASTE - Encrypted P2P network.
    Removed from distribution by AOL

•   Sep 2003: Sinit - P2P trojan, found peers via crafted DNS
    packets to random IPs, exchanged peer lists when found

•   Nov 2003: Kademlia - P2P distributed hash table
Botnet Evolution: History

Feb 14, 2004: FBI takedown of
Foonet and “DDoS Mafia.”

DDoS tool of choice: Agobot

Creator: Axel “Ago” Gembe of
Germany, indicted in 2008.
Botnet Evolution: History
Mar 2004: Phatbot - P2P bot using WASTE
Phatbot command set:

  bot.command - runs a command with system()
  bot.unsecure - enable shares / enable DCOM
  bot.secure - delete shares / disable DCOM
  bot.flushdns - flushes the bot's DNS cache
  bot.quit - quits the bot
  bot.longuptime - if uptime > 7 days then bot will respond
  bot.sysinfo - displays the system info
  bot.status - gives status
  bot.rndnick - makes the bot generate a new random nick
  bot.removeallbut - removes the bot if id does not match
  bot.remove - removes the bot
  bot.open - opens a file (whatever)
  bot.nick - changes the nickname of the bot
  bot.id - displays the id of the current code
  bot.execute - makes the bot execute a .exe
  bot.dns - resolves IP/hostname by DNS
  bot.die - terminates the bot
  bot.about - displays the info the author wants you to see

  shell.disable - disable shell handler
  shell.enable - enable shell handler
  shell.handler - fallback handler for shell
  commands.list - lists all available commands
  plugin.unload - unloads a plugin (not supported yet)
  plugin.load - loads a plugin

  cvar.saveconfig - saves config to a file
  cvar.loadconfig - loads config from a file
  cvar.set - sets the content of a cvar
  cvar.get - gets the content of a cvar
  cvar.list - prints a list of all cvars

  inst.svcdel - deletes a service from SCM
  inst.svcadd - adds a service to SCM
  inst.asdel - deletes an autostart entry
  inst.asadd - adds an autostart entry
  logic.ifuptime - exec command if uptime is bigger than specified
  mac.login - logs the user in
  mac.logout - logs the user out

  ftp.update - executes a file from an FTP URL
  ftp.execute - updates the bot from an FTP URL
  ftp.download - downloads a file from FTP
  http.visit - visits a URL with a specified referrer
  http.update - executes a file from an HTTP URL
  http.execute - updates the bot from an HTTP URL
  http.download - downloads a file from HTTP

  rsl.logoff - logs the user off
  rsl.shutdown - shuts the computer down
  rsl.reboot - reboots the computer
  pctrl.kill - kills a process
  pctrl.list - lists all processes

  scan.stop - signal stop to child threads
  scan.start - signal start to child threads
  scan.disable - disables a scanner module
  scan.enable - enables a scanner module
  scan.clearnetranges - clears all netranges registered with the scanner
  scan.resetnetranges - resets netranges to the localhost
  scan.listnetranges - lists all netranges registered with the scanner
  scan.delnetrange - deletes a netrange from the scanner
  scan.addnetrange - adds a netrange to the scanner

  ddos.phatwonk - starts phatwonk flood
  ddos.phaticmp - starts phaticmp flood
  ddos.phatsyn - starts phatsyn flood
  ddos.stop - stops all floods
  ddos.httpflood - starts an HTTP flood
  ddos.synflood - starts a SYN flood
  ddos.udpflood - starts a UDP flood

  redirect.stop - stops all redirects running
  redirect.socks - starts a SOCKS4 proxy
  redirect.https - starts an HTTPS proxy
  redirect.http - starts an HTTP proxy
  redirect.gre - starts a GRE redirect
  redirect.tcp - starts a TCP port redirect

  harvest.aol - makes the bot get AOL stuff
  harvest.cdkeys - makes the bot get a list of CD keys
  harvest.emailshttp - makes the bot get a list of emails via HTTP
  harvest.emails - makes the bot get a list of emails

  waste.server - changes the server the bot connects to
  waste.reconnect - reconnects to the server
  waste.raw - sends a raw message to the WASTE server
  waste.quit
  waste.privmsg - sends a privmsg
  waste.part - makes the bot part a channel
  waste.netinfo - prints netinfo
  waste.mode - lets the bot perform a mode change
  waste.join - makes the bot join a channel
  waste.gethost - prints netinfo when host matches
  waste.getedu - prints netinfo when the bot is .edu
  waste.action - lets the bot perform an action
  waste.disconnect - disconnects the bot from WASTE
Botnet Evolution: History
•   2003: Rbot - Uses encryption to evade detection

•   2004: Polybot - Adds polymorphism

•   Mar 2006: SpamThru - P2P bot

•   Apr 2006: Nugache - P2P bot, distributed via trojaned
    downloads on freeware sites. Author arrested Sep 2007.

•   2006-2011: Rustock - Major spammer. Atrivo takedown Sep
    2008, McColo takedown Nov 11, 2008.

•   Jan 2007-late 2008: Storm/Peacomm trojan - P2P; massive
    spammer. RBN connection? 20% of spam in 2008.

•   2007: Srizbi - Used Mpack, Reactor Mailer, bypassed host
    firewall. Similar to Rustock. Was largest botnet for a time;
    went offline with the McColo takedown.
Botnet Evolution: History
•   2007: Cutwail trojan - Rootkit, DDoS and spam bot. 1.5M-2M
    bots. C&C taken down when ISP 3FN was taken down by the
    FTC on June 4, 2009.

•   2007-2012: Zeus - financial info stealer, variants of software sold
    for $500-$15K. Still prevalent. Configs stored in AWS EC2, use of
    Google, Twitter, Facebook.

•   2008-2009: Torpig/Anserin - Financial info stealer. Includes
    Mebroot rootkit. UCSB researchers temporarily controlled for 10
    days in 2009.

•   Nov. 2008: Conficker worm - Variants A-E, end action of A-D was
    to update to subsequent versions; disabled Windows update and
    AV. Variant E (Apr 2009) installed Waledac spambot and
    SpyProtect scareware. Massive propagation (10.5M+).
    On May 3, 2009, variant E deleted itself and left C.
Botnet Evolution: History
Dec 2008: Koobface - Social network C&C, had Mac version.
Click fraud, scareware sales. Gang exposed in NY Times.
Botnet Evolution: History
•   2009: Grum/Tedroo -Spammer, generated 26% of spam in March 2010.

•   Mar 2009: Coreflood - Info stealer, taken down Apr 2011 (FBI w/ISC).

•   Apr 2009: Waledac - Spammer. 1% of spam volume. Microsoft
    takedown of C&C domains Feb. 2010, spam domains Sep. 2010.

•   May 2009: Bredolab trojan - Botnet. 30M bots, 143 C&C seized by
    Dutch police Oct. 25, 2010, Armenian suspect arrested.

•   2009: Aurora - Google attacked.

•   2009: Mariposa (Spain) - Info stealer, spam, DDoS. Taken down by
    Spanish police (w/Panda Security), Dec 23, 2009. 8-12M bots.

•   Apr 2010: Storm 2 - Minus P2P
Botnet Evolution: History
2011: DNSChanger - Esthost/Rove Digital, redirected 6
million people to malicious websites, 4M bots. Nov 8: 100
servers seized in U.S., 6 Estonians arrested.
Botnet Evolution: History
2011: Kelihos/Hlux/Waledac 2.0 - P2P botnet similar to
Waledac. 3-tier design: controllers, routers, workers.
Spam, MacDefender scareware. Taken down Sep 26,
2011 by Microsoft.
Botnet Evolution: Present Day
  2011- 2012: Darkshell - DDoS botnet & buyable kit.
Botnet Evolution: Present Day
Feb 2012: Flashback trojan - Exploits Java flaw. Mac
botnet of 817,879 bots at peak. Deletes itself if
ClamXav is installed.
Feb 2012: SabPub trojan, used for spearphishing.
Defense
• Patch.
Defense
Mac users: It’s time for AV.
Defense
Filter
  •   Outbound traffic
  •   Web content filtering
  •   Application control
  •   Identity awareness
  •   Intrusion prevention
  •   Data leak prevention
  •   Web application firewall
Defense
Monitor
  • Signs of bots often show up in
    web and DNS requests
  • Monitor user login activity; 30%
    of breaches use stolen
    credentials
  • Log and alert/review
  • You need an incident response
    plan
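The two monitoring points named above, bot traces in DNS and in web requests, are easy to turn into concrete checks. The following is an added example, not code from the talk or from EarthLink: it runs over constructed DNS resolver and web proxy log lines (field layouts, client addresses, the 203.0.113.0/24 TEST-NET address and the thresholds are all assumptions for the example) and flags a host that produces a burst of NXDOMAIN answers for high-entropy, algorithmically generated-looking names, plus a client that fetches the same host at near-constant intervals, the beaconing pattern of a bot checking in with its C&C.

```python
"""Bot indicators in DNS and proxy logs (added example; log lines are constructed)."""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: "timestamp client qname rcode"
SAMPLE_DNS_LOG = """\
2012-05-01T10:00:01 10.0.0.5 www.example.com NOERROR
2012-05-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2012-05-01T10:00:03 10.0.0.9 kqzxvrplmtuw.info NXDOMAIN
2012-05-01T10:00:03 10.0.0.9 zxqwplmnbvcr.biz NXDOMAIN
2012-05-01T10:00:04 10.0.0.9 pqowieurytlak.org NXDOMAIN
2012-05-01T10:00:04 10.0.0.9 mnbvcxzlkjhgf.net NXDOMAIN
2012-05-01T10:00:05 10.0.0.9 update.microsoft.com NOERROR
2012-05-01T10:00:06 10.0.0.7 cdn.example.net NOERROR
2012-05-01T10:00:07 10.0.0.7 typo-examlpe.com NXDOMAIN
"""

# Constructed proxy log: "timestamp client method url" (203.0.113.0/24 is TEST-NET-3)
SAMPLE_PROXY_LOG = """\
2012-05-01T10:00:00 10.0.0.9 GET http://203.0.113.10/gate.php
2012-05-01T10:05:00 10.0.0.9 GET http://203.0.113.10/gate.php
2012-05-01T10:10:00 10.0.0.9 GET http://203.0.113.10/gate.php
2012-05-01T10:15:00 10.0.0.9 GET http://203.0.113.10/gate.php
2012-05-01T10:00:10 10.0.0.5 GET http://www.example.com/
2012-05-01T10:01:45 10.0.0.5 GET http://www.example.com/news
2012-05-01T10:09:03 10.0.0.5 GET http://www.example.com/about
2012-05-01T10:31:20 10.0.0.5 GET http://www.example.com/
"""


def shannon_entropy(s):
    """Bits per character; random-looking DGA labels score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def sld_label(qname):
    """Label left of the TLD (naive split; a public-suffix list would be better)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            records.append((datetime.fromisoformat(ts), client, qname, rcode))
    return records


def score_hosts(records, nx_min=3, entropy_min=3.5, label_min=10):
    """Per-client NXDOMAIN count and DGA-looking names; thresholds are assumptions."""
    report = defaultdict(lambda: {"nxdomain": 0, "dga_like": [], "flagged": False})
    for _ts, client, qname, rcode in records:
        entry = report[client]
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
        label = sld_label(qname)
        if len(label) >= label_min and shannon_entropy(label) >= entropy_min:
            entry["dga_like"].append(qname)
    for entry in report.values():
        entry["flagged"] = entry["nxdomain"] >= nx_min or len(entry["dga_like"]) >= 2
    return dict(report)


def parse_proxy_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, client, _method, url = line.split()
            records.append((datetime.fromisoformat(ts), client, url.split("/")[2]))
    return records


def find_beacons(records, min_hits=4, max_cv=0.1):
    """(client, host, mean gap seconds) for request series with near-constant spacing."""
    times = defaultdict(list)
    for ts, client, host in records:
        times[(client, host)].append(ts)
    beacons = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons.append((client, host, round(mean)))
    return beacons


if __name__ == "__main__":
    for client, entry in score_hosts(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, entry)
    print(find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)))
```

On the sample data 10.0.0.9 is flagged on both counts (four NXDOMAINs for random-looking names, then a request to the same host every 300 seconds); 10.0.0.7's single typo lookup and 10.0.0.5's irregular browsing are left alone. Real deployments tune the thresholds against a baseline and exclude known-noisy clients such as mail servers and security scanners.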
Defense
• Report
• Collaborate
Offense
•   Track
•   Takeover
•   Takedown
•   Arrest & Prosecute
FBI:
  May 22, 2001: Operation Cyber Loss – 62 arrests
  May 16, 2002: Operation E-Con – 50 arrests
  Nov 20, 2003: Operation Cyber Sweep – 125 arrests
  Feb 14, 2004: Operation Cyber Slam – Foonet DDoS
  May 20, 2004: Operation SLAM-Spam – 50 targets
  Jun 13, 2007: Operation Bot Roast – 3 arrests
  Nov 29, 2007: Operation Bot Roast II – 3 indictments
  Sep 30, 2010: Operation Trident Beach – 5 Ukraine arrests, Zeus partial takedown
  Apr 2011: Coreflood takedown (w/ISC)
  Nov 8, 2011: Operation Ghost Click – 6 Estonians arrested for DNSChanger (w/Trend Micro)

Microsoft Digital Crimes Unit:
  Feb 22, 2010: Operation b49, Waledac C&C takedown (w/Shadowserver, Symantec)
  Oct 27, 2010: Operation b49, Waledac spam takedown
  Mar 16, 2011: Operation b107, Rustock takedown (w/FireEye)
  Sep 26, 2011: Operation b79, Kelihos/Waledac 2.0 takedown; civil suit vs. Dominique Alexander Piatti
  Mar 23, 2012: Operation b71, Zeus takedown (w/F-Secure)

Crowdstrike:
  Mar 29, 2012: Kelihos v2 takedown (w/SecureWorks, Honeynet Project, Kaspersky)
Offense: Track & Takeover
• Sinkholing
  – Domain-based (w/cooperation of domain
    registrar) – most common
  – Route-based (w/cooperation of ISPs/NSPs)
• C&C tracking/takeover
  – More common to monitor C&C servers to
    identify bots & attackers than to takeover
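Domain-based sinkholing and the "monitor rather than take over" point go together: once a seized C&C domain resolves to an address the defenders control, every client that still asks for it is almost certainly an infected host, and the sinkhole's query log becomes a census of the botnet. The following is an added example, not code from the talk: a minimal domain sinkhole that answers seized zones (and anything beneath them) with the sinkhole address while recording the asking client. The zones, the sinkhole address and the query log are constructed; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges. Only the domain-based form is shown; route-based sinkholing works on announced prefixes instead of names.

```python
"""Domain-based sinkhole with a bot census (added example; data is constructed)."""
from collections import defaultdict
from datetime import datetime

SINKHOLE_IP = "192.0.2.53"                               # answered for seized names
SEIZED_ZONES = {"c2.example.net", "update.example.org"}  # hypothetical seized C&C zones

# Constructed resolver query log: "timestamp client_ip qname"
SAMPLE_QUERIES = """\
2012-04-01T09:00:00 198.51.100.7 a.c2.example.net
2012-04-01T09:00:05 198.51.100.7 www.example.com
2012-04-01T09:30:00 198.51.100.7 c2.example.net
2012-04-01T09:31:00 198.51.100.23 update.example.org
2012-04-01T09:32:00 198.51.100.9 notexample.net
"""


class DomainSinkhole:
    def __init__(self, seized_zones, sinkhole_ip):
        self.zones = {z.lower().rstrip(".") for z in seized_zones}
        self.sinkhole_ip = sinkhole_ip
        # client_ip -> first/last seen, query count, distinct seized names asked for
        self.census = defaultdict(
            lambda: {"first_seen": None, "last_seen": None, "queries": 0, "names": set()}
        )

    def matches(self, qname):
        """True if qname is a seized zone or any name beneath one.

        Matching whole labels avoids the substring trap: notexample.net must
        not match a seized example.net."""
        labels = qname.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.zones for i in range(len(labels)))

    def resolve(self, qname, client_ip, when):
        """Sinkhole address for seized names (recording the client), else None so
        the caller falls through to ordinary resolution."""
        if not self.matches(qname):
            return None
        entry = self.census[client_ip]
        if entry["first_seen"] is None:
            entry["first_seen"] = when
        entry["last_seen"] = when
        entry["queries"] += 1
        entry["names"].add(qname.lower().rstrip("."))
        return self.sinkhole_ip

    def summary(self):
        """Census rows (ip, queries, distinct seized names), sorted by IP string."""
        return sorted((ip, e["queries"], len(e["names"])) for ip, e in self.census.items())


def run_census(log_text, zones=SEIZED_ZONES, sinkhole_ip=SINKHOLE_IP):
    """Replay a query log through the sinkhole; returns (sinkhole, per-line answers)."""
    sink = DomainSinkhole(zones, sinkhole_ip)
    answers = []
    for line in log_text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            answers.append(sink.resolve(qname, client, datetime.fromisoformat(ts)))
    return sink, answers


if __name__ == "__main__":
    sink, _ = run_census(SAMPLE_QUERIES)
    for ip, queries, names in sink.summary():
        print(f"{ip:16} queries={queries} seized_names={names}")
```

The census is what makes sinkholing useful for notification: the client addresses can be passed to the owning ISPs (with the caveat that behind a recursive resolver or NAT the address identifies the resolver or gateway, not the bot). Nothing here issues commands to the bots, which is the legal and ethical line most operators keep.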
Future
• Macs as targets
• Social networks as delivery mechanism
• Mobile as target
• More indirect attacks (CAs, RSA, Sophos)
• Competing legal agendas:
   – Global Online Freedom Act (GOFA) HR
     3605
   – Cyber Intelligence Sharing and
     Protection Act (CISPA) HR 2523
• A decline in the use of large botnets except
  as “stepping stones”
Q&A

   Any questions?



          Jim Lippard
Sr. Product Manager, Security
      EarthLink Business
 jlippard@corp.earthlink.com
       Twitter: @lippard
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 

Criminals in the Cloud: Past, Present, and Future

  • 1. Criminals in the Cloud: Past, Present, and Future
     Jim Lippard, Sr. Product Manager, IT Security, EarthLink Business
  • 2. Agenda
     • What is a botnet?
     • Bot Lifecycle
     • Botnet Ecosphere
     • Botnet History & Evolution
     • Defense
     • Offense
     • Future
     • Q&A
  • 3. What is a botnet?
  • 4. What is a botnet? (diagrams: Traditional C&C; P2P C&C)
  • 5. What is a botnet?
     Two general purposes of using botnets:
     • Provide layers of separation/insulation between criminal actors and criminal acts.
     • Provide a cloud computing platform for a wide variety of functions.
     Neither requires that there be anything of interest on victim computers.
  • 6. Bot Lifecycle
     • Infection
     • Control
     • Commands
     • Detection
     • Notification
     • Removal
     (repeat)
  • 7. Botnet Ecosphere
     Social context: Botnets are created by human agents to achieve some purpose.
     Usually:
     1. Create botnet.
     2. ???
     3. Profit!
     • What's step 2?
     • Do all of these steps need to be done by the same people?
     • Who are these people?
  • 8. Botnet Ecosphere
     Some roles for division of criminal labor:
     • Exploit/exploit pack developer
     • Botherder/admin (manages botnet)
     • Seller (drives traffic to exploit sites, paid per infection)
     • Spammer (sender)
     • Sponsor (spam ad buyer)
     • Phisher
     • Carder (trades in card data/makes counterfeits)
     • Casher (takes out cash)
     • Reshippers/mules (stolen goods/cash laundering; WFH/GTJ)
  • 9. Botnet Evolution: Overview
     The convergence of DDoS tools, IRC bots, P2P software, worms, and SaaS = modern botnets
     • Early 1990s: IRC channel bots (e.g., eggdrop, mIRC scripts, ComBot, etc.).
     • Late 1990s: Denial of service tools (e.g., Trinoo, Tribal Flood Network, Stacheldraht, Shaft, etc.). Peer-to-peer file sharing tools.
     • 2000: Merger of DDoS tools, worms, and rootkits (e.g., Stacheldraht + t0rnkit + Ramen worm; Lion worm + TFN2K).
     • 2002: IRC-controlled bots implementing DDoS attacks.
     • 2003: IRC-controlled bots spread with worms and viruses, fully implementing DDoS, spyware, and malware distribution activity. First P2P bots (Sinit, WASTE).
     (Dave Dittrich, "Invasion Force," Information Security, March 2005, p. 30)
     • 2003-present: Botnets used as a criminal tool for extortion, fraud, identity theft, computer crime, spam, and phishing.
  • 10. Botnet Evolution: History
     • Dec. 1993: Eggdrop bot - Non-malicious, occasionally abused (supported linking multiple bots by 1999)
     • April 1998: GTbot variants - Based on mIRC, malicious bots
     • 1999: Sub7 trojan - Pretty Park worm, IRC listeners
     • May 1999: Napster - Non-malicious file sharing, hybrid P2P & client-server
     • March 2000: Gnutella - Non-malicious file sharing, decentralized P2P
     • April 2002: SDbot variants - Malicious bot with IRC client. Code made widely available.
  • 11. Botnet Evolution: History
     Aug 2002-Sep 2003: Sobig variants - Botnet used by Ruslan Ibragimov's Send-Safe spam operation
  • 12. Botnet Evolution: History
     • Oct 2002: Agobot variants - (500+ by 2008), malicious bot w/modular design
     • Apr 2003: SpyBot variants - Derived from Agobot
     • May 2003: Nullsoft WASTE - Encrypted P2P network. Removed from distribution by AOL
     • Sep 2003: Sinit - P2P trojan, found peers via crafted DNS packets to random IPs, exchanged peer lists when found
     • Nov 2003: Kademlia - P2P distributed hash table
  • 13. Botnet Evolution: History
     Feb 14, 2004: FBI takedown of Foonet and the "DDoS Mafia." DDoS tool of choice: Agobot. Creator: Axel "Ago" Gembe of Germany, indicted in 2008.
  • 14. Botnet Evolution: History
     Mar 2004: Phatbot - P2P bot using WASTE. Command set (the slide's two-column list, regrouped by command prefix):
     bot.command          runs a command with system()
     bot.unsecure         enable shares / enable dcom
     bot.secure           delete shares / disable dcom
     bot.flushdns         flushes the bot's dns cache
     bot.quit             quits the bot
     bot.longuptime       if uptime > 7 days then bot will respond
     bot.sysinfo          displays the system info
     bot.status           gives status
     bot.rndnick          makes the bot generate a new random nick
     bot.removeallbut     removes the bot if id does not match
     bot.remove           removes the bot
     bot.open             opens a file (whatever)
     bot.nick             changes the nickname of the bot
     bot.id               displays the id of the current code
     bot.execute          makes the bot execute a .exe
     bot.dns              resolves ip/hostname by dns
     bot.die              terminates the bot
     bot.about            displays the info the author wants you to see
     shell.disable        disable shell handler
     shell.enable         enable shell handler
     shell.handler        fallback handler for shell
     commands.list        lists all available commands
     plugin.unload        unloads a plugin (not supported yet)
     plugin.load          loads a plugin
     cvar.saveconfig      saves config to a file
     cvar.loadconfig      loads config from a file
     cvar.set             sets the content of a cvar
     cvar.get             gets the content of a cvar
     cvar.list            prints a list of all cvars
     inst.svcdel          deletes a service from scm
     inst.svcadd          adds a service to scm
     inst.asdel           deletes an autostart entry
     inst.asadd           adds an autostart entry
     logic.ifuptime       exec command if uptime is bigger than specified
     mac.login            logs the user in
     mac.logout           logs the user out
     ftp.update           updates the bot from an ftp url
     ftp.execute          executes a file from an ftp url
     ftp.download         downloads a file from ftp
     http.visit           visits an url with a specified referrer
     http.update          updates the bot from an http url
     http.execute         executes a file from an http url
     http.download        downloads a file from http
     rsl.logoff           logs the user off
     rsl.shutdown         shuts the computer down
     rsl.reboot           reboots the computer
     pctrl.kill           kills a process
     pctrl.list           lists all processes
     scan.stop            signal stop to child threads
     scan.start           signal start to child threads
     scan.disable         disables a scanner module
     scan.enable          enables a scanner module
     scan.clearnetranges  clears all netranges registered with the scanner
     scan.resetnetranges  resets netranges to the localhost
     scan.listnetranges   lists all netranges registered with the scanner
     scan.delnetrange     deletes a netrange from the scanner
     scan.addnetrange     adds a netrange to the scanner
     ddos.phatwonk        starts phatwonk flood
     ddos.phaticmp        starts phaticmp flood
     ddos.phatsyn         starts phatsyn flood
     ddos.stop            stops all floods
     ddos.httpflood       starts an HTTP flood
     ddos.synflood        starts a SYN flood
     ddos.udpflood        starts a UDP flood
     redirect.stop        stops all redirects running
     redirect.socks       starts a socks4 proxy
     redirect.https       starts an https proxy
     redirect.http        starts an http proxy
     redirect.gre         starts a gre redirect
     redirect.tcp         starts a tcp port redirect
     harvest.aol          makes the bot get aol stuff
     harvest.cdkeys       makes the bot get a list of cdkeys
     harvest.emailshttp   makes the bot get a list of emails via http
     harvest.emails       makes the bot get a list of emails
     waste.server         changes the server the bot connects to
     waste.reconnect      reconnects to the server
     waste.raw            sends a raw message to the waste server
     waste.quit
     waste.privmsg        sends a privmsg
     waste.part           makes the bot part a channel
     waste.netinfo        prints netinfo
     waste.mode           lets the bot perform a mode change
     waste.join           makes the bot join a channel
     waste.gethost        prints netinfo when host matches
     waste.getedu         prints netinfo when the bot is .edu
     waste.action         lets the bot perform an action
     waste.disconnect     disconnects the bot from waste
  • 15. Botnet Evolution: History
     • 2003: Rbot - Uses encryption to evade detection
     • 2004: Polybot - Adds polymorphism
     • Mar 2006: SpamThru - P2P bot
     • Apr 2006: Nugache - P2P bot, distributed via trojaned downloads on freeware sites. Author arrested Sep 2007.
     • 2006-2011: Rustock - Major spammer. Atrivo takedown Sep 2008, McColo takedown Nov 11, 2008.
     • Jan 2007-late 2008: Storm/Peacomm trojan - P2P; massive spammer. RBN connection? 20% of spam in 2008.
     • 2007: Srizbi - Used MPack, Reactor Mailer, bypassed host firewall. Similar to Rustock. Was largest botnet for a time.
     (slide image: McColo)
  • 16. Botnet Evolution: History
     • 2007: Cutwail trojan - Rootkit, DDoS and spam bot. 1.5M-2M bots. C&C taken down when ISP 3FN was taken down by the FTC on June 4, 2009.
     • 2007-2012: Zeus - Financial info stealer; variants of the software sold for $500-$15K. Still prevalent. Configs stored in AWS EC2; use of Google, Twitter, Facebook.
     • 2008-2009: Torpig/Anserin - Financial info stealer. Includes Mebroot rootkit. UCSB researchers temporarily controlled it for 10 days in 2009.
     • Nov. 2008: Conficker worm - Variants A-E; the end action of A-D was to update to subsequent versions; disabled Windows Update and AV. Variant E (Apr 2009) installed the Waledac spambot and SpyProtect scareware. Massive propagation (10.5M+). On May 3, 2009, variant E deleted itself and left C.
  • 17. Botnet Evolution: History
     Dec 2008: Koobface - Social network C&C; had a Mac version. Click fraud, scareware sales. Gang exposed in the New York Times.
  • 18. Botnet Evolution: History
     • 2009: Grum/Tedroo - Spammer; generated 26% of spam in March 2010.
     • Mar 2009: Coreflood - Info stealer; taken down Apr 2011 (FBI w/ISC).
     • Apr 2009: Waledac - Spammer. 1% of spam volume. Microsoft takedown of C&C domains Feb. 2010, spam domains Sep. 2010.
     • May 2009: Bredolab trojan - Botnet. 30M bots; 143 C&C seized by Dutch police Oct. 25, 2010; Armenian suspect arrested.
     • 2009: Aurora - Google attacked.
     • 2009: Mariposa (Spain) - Info stealer, spam, DDoS. Taken down by Spanish police (w/Panda Security), Dec 23. 8-12M bots.
     • Apr 2010: Storm 2 - Minus P2P
  • 19. Botnet Evolution: History
     2011: DNSChanger - Esthost/Rove Digital; redirected 6 million people to malicious websites; 4M bots. Nov 8: 100 servers seized in the U.S., 6 Estonians arrested.
  • 20. Botnet Evolution: History
     2011: Kelihos/Hlux/Waledac 2.0 - P2P botnet similar to Waledac. 3-tier design: controllers, routers, workers. Spam, MacDefender scareware. Taken down Sep 26, 2011 by Microsoft.
  • 21. Botnet Evolution: Present Day
     2011-2012: Darkshell - DDoS botnet & buyable kit.
  • 22. Botnet Evolution: Present Day
     Feb 2012: Flashback trojan - Exploits a Java flaw. Mac botnet of 817,879 bots at peak. Deletes itself if ClamXav is installed.
     Feb 2012: SabPub trojan, used for spearphishing.
  • 24. Defense
     Mac users: It's time for AV.
  • 25. Defense: Filter
     • Outbound traffic
     • Web content filtering
     • Application control
     • Identity awareness
     • Intrusion prevention
     • Data leak prevention
     • Web application firewall
  • 26. Defense: Monitor
     • Signs of bots often show up in web and DNS requests
     • Monitor user login activity; 30% of breaches use stolen credentials
     • Log and alert/review
     • You need an incident response plan
  • 28. Offense
     • Track
     • Takeover
     • Takedown
     • Arrest & Prosecute
     FBI:
     • May 22, 2001: Operation Cyber Loss – 62 arrests
     • May 16, 2002: Operation E-Con – 50 arrests
     • Nov 20, 2003: Operation Cyber Sweep – 125 arrests
     • Feb 14, 2004: Operation Cyber Slam – Foonet DDoS
     • May 20, 2004: Operation SLAM-Spam – 50 targets
     • Jun 13, 2007: Operation Bot Roast – 3 arrests
     • Nov 29, 2007: Operation Bot Roast II – 3 indictments
     • Sep 30, 2010: Operation Trident Beach – 5 Ukraine arrests, Zeus partial takedown
     • Apr 2011: Coreflood takedown (w/ISC)
     • Nov 8, 2011: Operation Ghost Click – 6 Estonians arrested for DNSChanger (w/Trend Micro)
     Microsoft Digital Crimes Unit:
     • Feb 22, 2010: Operation b49, Waledac C&C takedown (w/Shadowserver, Symantec)
     • Oct 27, 2010: Operation b49, Waledac spam takedown
     • Mar 16, 2011: Operation b107, Rustock takedown (w/FireEye)
     • Sep 26, 2011: Operation b79, Kelihos/Waledac 2.0 takedown; civil suit vs. Dominique Alexander Piatti
     • Mar 23, 2012: Operation b71, Zeus takedown (w/F-Secure)
     Crowdstrike:
     • Mar 29, 2012: Kelihos v2 takedown (w/SecureWorks, Honeynet Project, Kaspersky)
  • 29. Offense: Track & Takeover
     • Sinkholing
       – Domain-based (w/cooperation of domain registrar) – most common
       – Route-based (w/cooperation of ISPs/NSPs)
     • C&C tracking/takeover
       – More common to monitor C&C servers to identify bots & attackers than to take them over
  • 30. Future
     • Macs as targets
     • Social networks as delivery mechanism
     • Mobile as target
     • More indirect attacks (CAs, RSA, Sophos)
     • Competing legal agendas:
       – Global Online Freedom Act (GOFA) HR 3605
       – Cyber Intelligence Sharing and Protection Act (CISPA) HR 3523
     • A decline in the use of large botnets except as "stepping stones"
  • 31. Q&A
     Any questions?
     Jim Lippard, Sr. Product Manager, Security, EarthLink Business
     jlippard@corp.earthlink.com
     Twitter: @lippard
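Slide 26 says that signs of bots show up in web and DNS requests and that login activity should be monitored, and the speaker notes suggest notifying users of suspicious logins. As an added example, not part of the talk, the script below turns those three observations into detection logic and runs it over constructed log lines: a client fetching the same host at clockwork intervals (C&C polling), a client producing a burst of NXDOMAIN answers (a DGA walking its candidate list), and a user logging in successfully from a source IP never seen for them before. The log field layouts, hostnames, addresses and thresholds are all assumptions made for the example.

```python
"""Bot indicators in web-proxy, DNS and login logs (added example; not from the talk).

The three logs below are constructed for illustration.  Their field layouts
are assumptions, not any real product's format:
  proxy: <iso-time> <client-ip> <method> <url> <status>
  dns:   <iso-time> <client-ip> <qname> <rcode>
  login: <iso-time> <user> <src-ip> <result>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

PROXY_LOG = """\
2012-04-20T10:00:00 10.1.1.5 GET http://cc.example/gate.php 200
2012-04-20T10:05:00 10.1.1.5 GET http://cc.example/gate.php 200
2012-04-20T10:10:01 10.1.1.5 GET http://cc.example/gate.php 200
2012-04-20T10:14:59 10.1.1.5 GET http://cc.example/gate.php 200
2012-04-20T10:20:00 10.1.1.5 GET http://cc.example/gate.php 200
2012-04-20T10:01:13 10.1.1.9 GET http://news.example/ 200
2012-04-20T10:07:48 10.1.1.9 GET http://news.example/sports 200
2012-04-20T10:31:02 10.1.1.9 GET http://news.example/weather 200
"""

DNS_LOG = """\
2012-04-20T10:00:01 10.1.1.5 qxkzpv.example NXDOMAIN
2012-04-20T10:00:01 10.1.1.5 mtwrbj.example NXDOMAIN
2012-04-20T10:00:02 10.1.1.5 hgdvqc.example NXDOMAIN
2012-04-20T10:00:02 10.1.1.5 cc.example NOERROR
2012-04-20T10:02:10 10.1.1.9 news.example NOERROR
2012-04-20T10:02:11 10.1.1.9 typo.exmaple NXDOMAIN
"""

LOGIN_LOG = """\
2012-04-19T09:00:00 alice 203.0.113.10 success
2012-04-19T17:30:00 alice 203.0.113.10 success
2012-04-20T03:12:00 alice 198.51.100.77 success
2012-04-20T03:13:00 bob 198.51.100.77 failure
2012-04-20T09:05:00 bob 203.0.113.11 success
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_beacons(log=PROXY_LOG, min_hits=5, max_cv=0.05):
    """(client, host, period_seconds) pairs contacted at near-constant intervals.

    Humans browse in bursts; a bot polling its C&C fires like a clock.  The
    coefficient of variation of the inter-request gaps separates the two."""
    times = defaultdict(list)
    for line in log.splitlines():
        t, client, _method, url, _status = line.split()
        times[(client, urlsplit(url).hostname)].append(_ts(t))
    hits = []
    for (client, host), seen in times.items():
        if len(seen) < min_hits:
            continue
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_cv:
            hits.append((client, host, round(period)))
    return hits


def nxdomain_bursts(log=DNS_LOG, threshold=3):
    """Clients with many failed lookups: a DGA walking its candidate list
    looks like this; a single typo does not."""
    failures = defaultdict(int)
    for line in log.splitlines():
        _t, client, _qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            failures[client] += 1
    return {c: n for c, n in failures.items() if n >= threshold}


def new_source_logins(log=LOGIN_LOG):
    """Successful logins from a source IP the user has never succeeded from.

    The baseline is every earlier success for that user, so a first-ever login
    is not an alert; a notify-the-user hook would go where the alert is appended."""
    known = defaultdict(set)
    alerts = []
    for line in log.splitlines():
        t, user, src, result = line.split()
        if result != "success":
            continue
        if known[user] and src not in known[user]:
            alerts.append((user, src, t))
        known[user].add(src)
    return alerts


def report():
    """Everything an analyst would review, in one structure."""
    return {
        "beacons": find_beacons(),
        "nxdomain": nxdomain_bursts(),
        "new_logins": new_source_logins(),
    }


if __name__ == "__main__":
    for kind, items in report().items():
        print(kind, items)
```

The thresholds are starting points rather than tuned values: `min_hits` and `max_cv` trade false positives from scheduled legitimate traffic (software update checks look like beacons too) against bots that add jitter, and a real login baseline would key on more than a bare source address.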

Editor's Notes

  1. This talk is botnet-focused; other types of malware and criminal activity are not covered or only touched upon, such as use of exploit packs, the details of carding and phishing, and actions by hacktivists and state-supported actors.
  2. "Lippard dubs bot software 'the Swiss army knife of crime on the Internet.'" Joaquim P. Menezes, NetworkWorld, July 26, 2007: http://www.networkworld.com/news/2007/072507-why-were-losing-the-botnet.html (quoted from a May 2006 interview on the Security Catalyst podcast)
     "Networks of compromised computers controlled by a central server, better known as botnets, are a Swiss Army knife of tools for online criminals." Robert Lemos, "Breaking the Botnet Code," Technology Review, November 11, 2009: http://www.technologyreview.com/computing/23924/
     "'Botnets are the Swiss Army knife of attack tools,' said Marc Fossi, manager of research and development for Symantec Corp.'s security response team." Gregg Keizer, "Botnets 'the Swiss Army knife of attack tools'", Computerworld, April 7, 2010: http://www.computerworld.com/s/article/9174560/Botnets_the_Swiss_Army_knife_of_attack_tools_
     "Botnets are the Swiss Army Knife of Internet criminals, according to Minister of Economic Affairs Maxime Verhagen." Dutch Daily News, Jan. 14, 2011: http://www.dutchdailynews.com/botnet-computers/
     "'Botnets are the Swiss Army knife of our criminals', Picko said." June 24, 2011: http://en.eco.de/association/202_9230.htm
     Public domain photo from http://en.wikipedia.org/wiki/File:Swiss_army_knife_open_20050612.jpg (Victorinox Swiss Army knife, Mountaineer model; photo taken in Sweden on 12 June 2005 by Jonas Bergsten using a Canon PowerShot G3).
  3. Images used with permission from Ben Woelk, "Avoiding the Botnet Snare," Rochester Institute of Technology's ITS eNews, 2007: http://www.rit.edu/its/news/archive/07feb/botnet.html
  4. Image from Wikipedia, https://en.wikipedia.org/wiki/File:Botnet.svg, by user Tom-b, available under a Creative Commons Attribution-Share Alike 3.0 Unported license. 1. Infection (trojan horse in this case), 2. Control, 3. Third-party spammer purchases service (part of the social network to be discussed next), 4. Spam is sent out by the bots.
     Many options:
     Infection: Trojan horse, drive-by download, worm, social engineering, etc. Primarily web or worm delivery; web delivery is often driven by email, IM, social networking, search results, etc. Lots of room for creativity.
     Control: Most common channels: HTTP, HTTPS, IRC.
     Commands: Again, virtually no limits, but driven by goals: spam, click fraud, DDoS, identity/financial theft, extortion, encrypting files, etc. Common functions include keystroke logging, proxying spam or other types of connections, collecting credentials, engaging in DDoS, and propagating further.
  5. Step 2 depends in part on the organizational structure of the social network behind the botnet, and on whether the botnet is rented out, sold, or used in house. Similarly, step 1 is often divided among different players; slide 5's components can be done by different players, and even more steps can be added.
     Step 2: Open proxies, sell for spam. Build own spam service and sell it. Lease the bots. Sell the botnet. Encrypt end-user files and demand ransom for their return. Install keyloggers, intercept traffic to financial sites, sell credentials and financial information. Install scareware, sell bogus AV software. Generate clicks to web advertising sites that pay affiliate fees. DDoS competitors.
     Step 3 can be other things, of course: status, revenge, distraction, lulz, which then motivate other Step 2s like rigging online polls, adjusting the popularity of links and websites, and stealing and publishing information online.
     Who are these people: 83% of breaches in the Verizon DBIR 2012 are by organized criminal groups (p. 20). Larger enterprises tend to also see apparent state-sponsored or state-supported breaches (APT, which likely steer away from botnets); smaller ones are often targets of opportunity, apparently due to weaker controls (e.g., more breaches from default credentials on remote access).
  6. Exploit packs are an interesting topic in their own right; see Team Cymru, "A Criminal Perspective on Exploit Packs," 2011: http://www.team-cymru.com/ReadingRoom/Whitepapers/2011/Criminal-Perspective-On-Exploit-Packs.pdf
     Criminal network roles are also discussed in Phil Williams, "Transnational Criminal Networks," in John Arquilla and David Ronfeldt, Networks and Netwars: The Future of Terror, Crime, and Militancy, 2001, RAND, pp. 61-97, and especially pp. 82-84. Williams identifies Organizers, Insulators, Communicators, Guardians, Extenders, Monitors, and Crossovers.
     Example cash mule/launderer: Ronnie Cutshall: http://voices.washingtonpost.com/securityfix/2009/11/fdic_uptick_in_money_mule_scam.html
  7. This slide is little changed from talks given in 2005. The main changes since then are more P2P, Macs as bots, and arrests and takedowns.
     Sources: Dave Dittrich, "Evolution: Rise of the bots," Information Security, March 2005, p. 30: http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1068914,00.html
     Julian B. Grizzard, Vikram Sharma, Chris Nunnery, Brent ByungHoon Kang, and David Dagon, "Peer-to-Peer Botnets: Overview and Case Study," HotBots '07: Proceedings of the First Conference on Hot Topics in Understanding Botnets: http://static.usenix.org/event/hotbots07/tech/full_papers/grizzard/grizzard_html/
  8. Most of these are derived from Grizzard et al., op. cit., up through Storm/Peacomm in 2007.
     Rik Ferguson points to Sub7 and Pretty Park as progenitors of IRC bots and puts GTbots later than Grizzard does: http://www.businesscomputingworld.co.uk/the-history-of-the-botnet-part-i/
  9. Sobig/Ibragimov/Send-Safe ROKSO record: http://www.spamhaus.org/rokso/evidence/ROK2400/ruslan-ibragimov-send-safe.com/main-info
  10. Dittrich (op. cit.).
      Agobot variant count: Kleber Cariello de Oliveira, "Botconomics: Mastering the Underground Economy of Botnets," LACNIC, May 2008: http://www.slideshare.net/Annie05/botconomics-presentation
      WASTE: A reference to Thomas Pynchon's The Crying of Lot 49: https://en.wikipedia.org/wiki/WASTE
      Kademlia's distributed hash table algorithm was later used by LimeWire to augment Gnutella and by BitTorrent. It is subject to Sybil attacks/pseudospoofing: https://en.wikipedia.org/wiki/Sybil_attack
  11. Saad "Jay" Echouafni, CEO of Orbit Communication Corp., hired Paul Ashley, owner of Foonet, to DDoS his main business rivals in satellite TV resale for $1,000, and skipped the country on $750K bail. He's never been caught. The rivals, WeaKnees.com and RapidSatellite.com, were taken down by SYN flood attacks.
      Paul Ashley of Foonet turned informer to get Echouafni on tape. This takedown was part of the FBI's "Operation Cyberslam."
      Kevin Poulsen, "FBI busts alleged DDoS Mafia," SecurityFocus, August 26, 2004: http://www.securityfocus.com/news/9411
      Kevin Poulsen, "Hackers Admit to Waves of Attacks," Wired, September 8, 2005: http://www.wired.com/politics/security/news/2005/09/68800?currentPage=all
      Gembe indicted: Lucian Constantin, "European Botnet Runners Indicted in the Foonet DDoS Case," Softpedia, October 4, 2008: http://news.softpedia.com/news/European-Botnet-Runners-Indicted-in-the-FooNet-DDoS-Case-94919.shtml
      Also see: https://en.wikipedia.org/wiki/Rizon
  12. Phatbot command list from LURHQ, now part of SecureWorks.
  13. Polybot, Rbot: Ferguson, "History of the Botnet, Part I," op. cit.
      Nugache: David Dittrich and Sven Dietrich, "P2P as botnet command and control: a deeper insight," Proceedings of the 2008 3rd International Conference on Malicious and Unwanted Software (Malware), October 2008: http://staff.washington.edu/dittrich/misc/malware08-dd-final.pdf
      Nugache/Storm: Sam Stover, Dave Dittrich, John Hernandez, and Sven Dietrich, "Analysis of the Storm and Nugache Trojans," USENIX ;login: v. 32, no. 6, December 2007, pp. 18-27: http://staff.washington.edu/dittrich/misc/stover.pdf
      Atrivo: http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html
      Atrivo and McColo probably had Esthost connections as well; see Nov 8, 2011.
      McColo was shut down Nov. 11, 2008 by Global Crossing and Hurricane Electric, reducing global spam by 75% (temporarily): http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html
      Storm: http://en.wikipedia.org/wiki/Storm_botnet
      On the Russian Business Network, see Joseph Menn, Fatal System Error, 2010, PublicAffairs.
  14. Cutwail: Ferguson, "History of the Botnet, Part II": http://countermeasures.trendmicro.eu/the-history-of-the-botnet-part-ii/
      Takedown: Brian Krebs, "The Fallout from the 3FN takedown," June 9, 2009: http://voices.washingtonpost.com/securityfix/2009/06/the_fallout_from_the_3fn_taked.html
      Zeus: http://www.antisource.com/article.php/zeus-botnet-summary
      Use of Amazon Web Services Elastic Compute Cloud, Google, Facebook, and Twitter: Ferguson, "History of the Botnet, Part III": http://countermeasures.trendmicro.eu/the-history-of-the-botnet-part-iii/
      Operation Trident Beach, initial Zeus takedown Sep 30, 2010: Dan Goodin, "5 botnet kingpins busted in $70m fraud ring," 1 Oct 2010: http://www.theregister.co.uk/2010/10/01/zeus_kingpin_arrest/ (5 arrests in Ukraine).
      Torpig: http://www.cs.ucsb.edu/~seclab/projects/torpig/index.html and http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
      Conficker C details: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Worm%3aWin32%2fConficker.C
      Conficker E details: http://blog.priveonlabs.com/sec_blog.php?title=conficker_e_we_hardly_knew_ye&more=1&c=1&tb=1&pb=1
  15. The Koobface gang was tracked down to St. Petersburg, Russia, and exposed in the New York Times after an investigation by Jan Drömer, independent researcher, and Dirk Kollberg, SophosLabs, in "The Koobface malware gang - exposed!": http://nakedsecurity.sophos.com/koobface/
      "Web Gang Operating in the Open," New York Times, 17 January 2012: http://www.nytimes.com/2012/01/17/technology/koobface-gang-that-used-facebook-to-spread-worm-operates-in-the-open.html?_r=1
      "Anton Korotchenko, who uses the online nickname 'KrotReal'; Stanislav Avdeyko, known as 'leDed'; Svyatoslav E. Polichuck, who goes by 'PsViat' and 'PsycoMan'; Roman P. Koturbach, who uses the online moniker 'PoMuc'; and Alexander Koltyshev, or 'Floppy.'"
  16. Coreflood takedown: http://www.wired.com/threatlevel/2011/04/coreflood/ and http://threatpost.com/en_us/blogs/coreflood-takedown-raises-questions-about-offensive-actions-against-botnets-042911
      Waledac takedown, Operation b49: http://www.theregister.co.uk/2010/03/16/waledac_takedown_success/
      Aurora: http://www.damballa.com/research/aurora/
      Mariposa takedown, December 23, 2009: http://www.computerworld.com/s/article/9164838/Spanish_police_take_down_massive_Mariposa_botnet
      Bredolab takedown, October 25, 2010: http://blogs.technet.com/b/mmpc/archive/2010/10/26/bredolab-takedown-another-win-for-collaboration.aspx
  17. Image from http://blog.trendmicro.com/trojan-on-the-loose-an-in-depth-analysis-of-police-trojan/
      Operation Ghost Click:
      http://www.darkreading.com/advanced-threats/167901091/security/client-security/231902809/teaming-up-to-take-down-threats.html
      http://venturebeat.com/2011/11/09/fbi-operation-ghost-click/
      http://blog.trendmicro.com/esthost-taken-down-biggest-cybercriminal-takedown-in-history/
  18. Kelihos: https://threatpost.com/en_us/blogs/botnet-shutdown-success-story-how-kaspersky-lab-disabled-hluxkelihos-botnet-092911 (source of image)
      Controllers host nginx web servers and don't show up in the peer lists on workers.
      Routers add an insulation layer to protect the controllers and include proxy capability.
  19. Official website: www.darkshellnew.com.
      "Darkshell DDoS Botnet Evolves with Variants," April 5, 2012, McAfee Labs: http://blogs.mcafee.com/mcafee-labs/darkshell-ddos-botnet-evolves-with-variants
  20. Flashback: http://news.drweb.com/show/?i=2341&lng=en&c=9
      Peak infection (by UUID): http://news.drweb.com/show/?i=2386&lng=en&c=14
      Rich Mogull, "What you need to know about the Flashback trojan," April 6, 2012, Macworld: http://www.macworld.com/article/1166254/what_you_need_to_know_about_the_flashback_trojan.html
      Estimated number of infections as of 10 April 2012: 655,700.
      SabPub trojan: http://news.cnet.com/8301-1009_3-57414516-83/new-mac-os-x-trojan-unearthed-call-it-sabpub/
      A second variant using infected Word documents (via CVE-2009-0563) appeared in April.
  21. Patch: Most breaches are still from a small number of vulnerabilities, including older ones. 30% of breaches use stolen login credentials (Verizon DBIR 2012, p. 26). People are getting better about Windows patching, but don't forget applications, especially Adobe & Java.
  22. ClamXav, which uses the ClamAV engine from Sourcefire, is free.
      Mac security/hardening guides: https://isc.sans.edu/diary.html?storyid=12616
  23. Next-generation firewall, anyone? Gets you most of the above in one package (WAF sold separately).
  24. Monitoring and incident response plan: There are two kinds of companies, those which know that they've been breached and those that don't. You will be breached if you haven't been already, and most companies only hear about it after the fact from a third party. Better to be in the former category and be able to recognize a breach when it occurs and respond.
      Log & review: How about doing some crowdsourcing on login misuse, by sending login notifications to the mobile device of the user?
  25. To the FBI, USSS, or ic3.gov.
      Collaborate: Share as much information as possible about breaches, at least within secure settings (e.g., industry Information Sharing and Analysis Centers (ISACs): http://www.isaccouncil.org/).
      SEC guidance now requires breach disclosure if such incidents are "among the most significant factors that make an investment in the company speculative or risky" (http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm), and companies with mature security programs are disclosing in detail (e.g., Verisign, RSA). It's time to build a culture where we're open about security breaches and those who disclose are not stigmatized for the disclosure (as opposed to for having terrible security). Failure to disclose and very late disclosure should be seen as a negative sign, while timely disclosure should be seen as a positive sign.
      And these things can lead to....
  26. The law finally catching up: Roger A. Grimes, "If you do the cyber crime, expect to do the time," InfoWorld, April 3, 2012: http://www.infoworld.com/d/security/if-you-do-the-cyber-crime-expect-do-the-time-190042
      Tracking: Brian Krebs, various security researchers, Microsoft Digital Crimes Unit, Team Cymru, SecureWorks, Damballa, Sophos, Symantec, Crowdstrike.
      Takeover, takedown: Microsoft, Crowdstrike.
      Arrest & prosecute: FBI, USSS, national police agencies, Interpol.
      FBI operations:
      Operation Cyber Loss, May 22, 2001: http://www.fbi.gov/news/pressrel/press-releases/internet-fraud-investigation-operation-cyber-loss (62 fraudsters arrested)
      Operation E-Con, May 16, 2002: http://www.justice.gov/opa/pr/2003/May/03_crm_302.htm (50 arrested, 48 charged, 12 guilty pleas)
      Operation Cyber Sweep, November 20, 2003: http://www.justice.gov/opa/pr/2003/November/03_crm_638.htm (125 arrests)
      Operation SLAM-Spam, May 20, 2004 (IC3/industry): http://www.fbi.gov/news/testimony/anti-spam-initiatives-on-the-web (identified 100 spammers, targeted 50)
      Operation Bot Roast, June 13, 2007: http://www.fbi.gov/news/stories/2007/june/botnet_061307 (Robert Alan Soloway, James C. Brewer, Jason Michael Downey)
      Operation Bot Roast II, November 29, 2007: http://www.fbi.gov/news/stories/2007/november/botnet_112907 (3 indictments)
      Operation Ghost Click, November 9, 2011: http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911 (six Estonians arrested)
      Private operations:
      Microsoft/Shadowserver/Symantec, Operation b49, Waledac C&C takedown, February 22, 2010
      Microsoft Waledac spam takedown, October 27, 2010
      Microsoft/FireEye Rustock takedown, Operation b107, March 16, 2011: http://www.eweek.com/c/a/Windows/Microsoft-Claims-Rustock-Botnet-Takedown-825397/ (1.1M-1.7M infected machines, hardcoded IPs for C&C)
      Microsoft/Kaspersky Kelihos (Waledac 2.0) takedown, September 26, 2011: Microsoft named Dominique Alexander Piatti, dotFREE Group SRO and John Does 1-22, accusing them of owning the domain cz.cc and using it to register subdomains such as lewgdooi.cz.cc that were used to operate and control the Kelihos botnet. 41,000 computers. http://blogs.technet.com/b/microsoft_blog/archive/2011/09/27/microsoft-neutralizes-kelihos-botnet-names-defendant-in-case.aspx
      Microsoft/F-Secure, etc., Zeus takedown, Operation b71, under RICO statutes, March 23, 2012: 13 million Zeus infections, 3 million in the U.S. Zeus sold for $700 to $15K for the latest version; source code leaked May 2011; see Wikipedia and http://www.secureworks.com/research/threats/zeus/?threat=zeus
      Crowdstrike/Honeynet Project/SecureWorks/Kaspersky Kelihos v2 takedown, March 29, 2012
  27. Shadowserver sinkholing (2008): http://www.darkreading.com/security/security-management/211201241/index.html
      Trend Micro report on lessons from sinkholing: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp__sinkholing-botnets.pdf
      Route-based blackholing (or nullrouting)/sinkholing/filtering:
      https://tools.ietf.org/rfc/rfc3882.txt
      https://tools.ietf.org/html/rfc5635
      https://tools.ietf.org/html/draft-ietf-idr-flow-spec-09
      Honeynet Project Code of Conduct: https://honeynet.org/codeofconduct
      Menlo Report: Ethical Principles Guiding Information and Communication Technology Research: http://www.cyber.st.dhs.gov/wp-content/uploads/2011/12/MenloPrinciplesCORE-20110915-r560.pdf
  28. Social networks as delivery mechanism: http://www.itworld.com/it-managementstrategy/264648/social-spam-taking-over-internet
      Twitter sues top 5 spammers (April 5, 2012): https://mashable.com/2012/04/05/twitter-sues-spammers/
      Mobile: iOS safer due to developer accountability (Dan Guido research): https://threatpost.com/en_us/blogs/accountability-not-code-quality-makes-ios-safer-android-042012
      Indirect attacks:
      CAs: Comodo hacked Mar. 2011, DigiNotar hacked Sep. 2011: http://arstechnica.com/security/news/2011/09/comodo-hacker-i-hacked-diginotar-too-other-cas-breached.ars
      GlobalSign hacked Sep. 2011: http://threatpost.com/en_us/blogs/comodo-hacker-claims-credit-diginotar-attack-090611
      RSA, hacked March 2011: http://bits.blogs.nytimes.com/2011/04/02/the-rsa-hack-how-they-did-it/
      Sophos partner portal hacked, Apr 6, 2012: http://www.cio.com/article/703694/Sophos_Takes_Down_Partner_Portal_After_Signs_of_Hacking
      GOFA opposes the use of surveillance and content filtering by governments, to promote "Internet freedom."
      CISPA has been criticized on civil liberties grounds, for allowing disclosure of information to the NSA or DOD Cyber Command.
      The U.S. is a bit conflicted on what "Internet freedom" means or requires (see, e.g., Evgeny Morozov, The Net Delusion: The Dark Side of Internet Freedom, 2011, PublicAffairs). As the Arizona legislature passes a bill (HB 2549) to expand telephone harassment & stalking statutes to cover online speech, the federal government is condemning censorship by authoritarian governments, but also seeking to expand its own ability to monitor.
      As botnets become a target for takedown, and if targets of opportunity show any progress in becoming more secure, the methods of choice for state-sponsored actors will filter down to other groups (and surely already have to some extent).
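Slide 29 and note 27 describe domain-based sinkholing: once a registrar hands over a C&C domain, the defender points it at a server they control and the bots identify themselves by resolving it. As an added example, not code from the talk or from any of the operations it lists, the script below is a minimal DNS sinkhole responder in pure Python: it parses a raw UDP query, answers A queries for the listed names with the sinkhole address, records each querying client as a bot sighting, and stays silent for everything else so it cannot be abused as an open resolver. The domain list, the sinkhole address (an RFC 5737 documentation address) and the bot addresses are constructed for the example.

```python
"""Minimal domain-based DNS sinkhole (added example; not from the talk).

Assumptions, none of which come from the original slides: the seized C&C
names are listed in SINKHOLED, answers point at SINKHOLE_IP (an RFC 5737
documentation address), and the 'census' dict stands in for whatever the
operator really logs.  Only A queries for listed names are answered;
anything else is dropped so the responder cannot become an open resolver.
"""
import socket
import struct

SINKHOLE_IP = "192.0.2.1"                       # assumption
SINKHOLED = {"cc.example", "update.example"}    # constructed sample list


def encode_name(name):
    """'cc.example' -> b'\\x02cc\\x07example\\x00' (uncompressed wire form)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(packet, offset):
    """Read an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:      # compression pointer: never valid in a plain question
            raise ValueError("compressed name in question section")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(packet):
    """Return (txid, qname, qtype, raw_question) for a single-question query."""
    if len(packet) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:          # QR=1 is a response, not a query
        raise ValueError("not a single-question query")
    qname, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, qname.lower(), qtype, packet[12:off + 4]


def build_query(name, txid=0x1234):
    """A standard recursive A/IN query, used to drive the sinkhole offline."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, question, ip, ttl=60):
    """Answer with QR=1, RD=1, RA=1 and one A record pointing at ip."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # answer RR: pointer to the name at offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


class Sinkhole:
    def __init__(self, domains=SINKHOLED, ip=SINKHOLE_IP):
        self.domains = {d.lower() for d in domains}
        self.ip = ip
        self.census = {}          # src_ip -> number of C&C lookups seen from it

    def handle(self, packet, src_ip):
        """Return a response for a listed A query, or None to stay silent."""
        try:
            txid, qname, qtype, question = parse_query(packet)
        except (ValueError, IndexError, UnicodeDecodeError):
            return None                           # malformed: drop it
        if qtype != 1 or qname not in self.domains:
            return None                           # not ours: never act as an open resolver
        self.census[src_ip] = self.census.get(src_ip, 0) + 1
        return build_response(txid, question, self.ip)


def serve(sinkhole, bind="127.0.0.1", port=5353):
    """UDP loop for a real deployment (port 53 needs privileges); not run by default."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        packet, (src_ip, src_port) = sock.recvfrom(512)
        reply = sinkhole.handle(packet, src_ip)
        if reply:
            sock.sendto(reply, (src_ip, src_port))


if __name__ == "__main__":
    sh = Sinkhole()
    sh.handle(build_query("cc.example"), "198.51.100.7")     # constructed bot lookup
    sh.handle(build_query("www.example"), "198.51.100.7")    # ignored
    print(sh.census)                                         # {'198.51.100.7': 1}
```

The census is the point of the exercise: the slide notes that monitoring is more common than takeover, and a sinkhole that only logs source addresses gives victim notification and a bot count without ever sending the bots a command, which is where the Honeynet and Menlo guidance cited in note 27 starts to matter. A short TTL keeps bots coming back so the count stays current.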