SlideShare ist ein Scribd-Unternehmen logo

New Botnets Trends and Threats (BH Europe 2007)

André Fucs de Miranda
André Fucs de Miranda

The last years have seen the growth of botnets and its transformation into a highly profitable business. Most of the botnets seen until now have used the same basic concepts. This presentation intends to show what are the major challenges faced by botnet authors and what they might try in the future to solve them. The presentation will pass through some interesting solutions for botnet design challenges. A layered and extensible approach for Bots will be presented, showing that solutions from exploit construction (like metasploit), P2P networks (Gnutella and Skype), authentication (digital signatures) and covert channels research fields can be used to make botnets more reliable, extensible and hard to put down.

Technologie
1 von 39
Downloaden Sie, um offline zu lesen
NewNewNewNew botnetsbotnetsbotnetsbotnets trends and threatstrends and threatstrends and threatstrends and threats André Fucs – afucs@uol.com.br Augusto Paes de Barros – augusto@paesdebarros.com.br Victor Pereira – vp@sekure.org
Agenda • Botnet 101 • Botnet challenges • A Layered approach • Control layer • Communication Layer • Infection Layer • Features Layer • Back to the right side • Conclusion
Botnet 101 “a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure.” !!!!!!!! !!!!!!!! !!!!!!!! !!!!!!!!
Botnet 101 Botnets are an increasing threat: The Dutch police found a 1.5 million node botnet Telenor – Norwegian ISP – disbanded a 10,000 node botnet.
Botnet 101 SOCKS4/HTTP/s proxy TCP Port Redirect License key / cookie harvest Network sniffing Send e-mail to a list of addresses (SPAM) Bots usually have limited feature set: SYN/ICMP/UDP/H TTP Flood
Botnet 101 • Botnets can deploy several control channels, still IRC is currently the most commonly used But IRC is not such a common protocol anymore… At least not within corporate networks
Botnet challenges • IRC issues: – Easy to block – Easy to be monitored Web would be an easy choice, however… !!!!!!!! !!!!!!!! !!!!!!!! !!!!!!!!
Botnet challenges • Increasing number of organizations are deploying content based screening… and it’s easy to block…. • Second stage payload web sites are easy to track and easy to shutdown! • But what about the home users?
Botnet challenges Botnet MUST avoid plain simpleweb second stage download –The botnet MUST communicate and relay control messages to peer machines and be NAT trasversal capable Botnet MUST avoid plain simpleweb second stage download The botnet MUST be able to infect new machines Botnets must be smart P2P applications!
Botnet challenges "In the traditional botnet, if you cut off the head, you kill the beast. We speculate that, as more command-and control servers get identified by ISPs, you will see more and more of these botnets go to peer-to-peer." Dean Turner, senior manager of development for Symantec.
A Layered approach Or… “Hello, may I speak with the product manager?”
A Layered approach Why not build the bot in a way that: • You don’t need to change the control logic when changing the communication protocol • You can work with new features as plugins • You can use different communication methods with the same basic code • You don’t need to release a new version when adding a new exploit • You don’t even need to code a new exploit!
A Layered approach Control Layer Communication Layer Features Infection Layer
A Layered approach • Why make it modular? – Possibility of infecting new machines without having to replace the whole bot – new exploit modules – Code re-use? – Lower cost of development?
A Layered approach What about a botnet that has the following features: • XML based communication; • Secure control using digital signatures; • Channel independent; • Plug-in capable; And even… • .NET ready!
Control Layer • Why an XML based control channel? – More or less easy to extend – Standard based – Amazing text based – Internet ready – Extremely pervasive – Easy to copy and paste on websites…
Control Layer A bot should be small and deploy a minimum features as more advanced features should be either download or uploaded. New features could be easily added to the bot <command> <jobid>123</jobid> <feature id="module X"> module parameters here </feature> </command>
Control Layer • Payload can be even more flexible • Bot can simply receive VBS or IronPython code on a signed XML message and run it. Both languages offer easy access to the .NET Framework Scriptable bots!
Control Layer • Why to use Digital signatures? – If we trust digital signatures to sign a dollar swap contracts, why shouldn’t we digitally sign commands for a botnet? – Easy to implement, just think about XMLSIG… – May prevent botnet takeovers.
Signed XML Control sign ( <command> <job_id>123</job_id> <feature id=“sendmail"> To: alice @ dss.com From: bob @ dss.com Subject: I Love you </feature> </command> ) signed_xml validate_sig ( signed_xml ) signed_xm l signed_xm l signed_xml validate_sig ( signed_xml ) validate_sig ( signed_xml ) signed_xm l validate_sig ( signed_xml )
Communication and Control • Why seek Channel independence? Imagine a world were: – A botnet can download a payload from a web site; – Replicate the payload to another bot using different transports like: • Skype • SMB • SMS • SIP • RFC1149 • …
Communication and Control Control: – OTP based herder search • Helps to re-establish contact between bot herder and unpaired bots. – Digital Signatures • Allows bot to replicate botnet commands to peer bots securely Communication: – Basic protocols covert channels • DNS, HTTP, 802.11 – P2P mechanism • Allows bot to communicate without herder intervention
OTP based herder search • The bot always need to know how to reach its master – Really? – Reverse Engineering vulnerable – Found the herder location, game over • What if the bot doesn’t know where the herder is, but knows how to search for it? • They need a shared secret • The shared secret can’t be static • Isn’t it just like the password dilemma?
OTP based herder search Solution: One Time Passwords – Bot and herder have the same seed – Both calculate a new OTP periodically – Herder publishes information for the bot together with the OTP string – Bot searches for the OTP string • On Google • On P2P networks • On Social Network Websites • Can search for a string posted by others? You can use it.
OTP based herder search Demo: Using Skype Profiles
Communication Layer A brief list of possible channels P2P networks SMS Skype DNS Webmail Search Engines Instant Messaging
Communication layer - Skype Skype… Pros – Popular client – P2P encrypted communication facilities – NAT Friendly – Firewall circumvention capabilities – Easy to use API – Profile Search capabilities Cons – Has Security Mechanisms to prevent unauthorized access to Skype client
Infection Layer Why not embed something like MetaExploit to a bot? • Exploits being published by others, ready for plug into the bot • The framework as part of the bot – Just one payload – The bot – N exploits – How many available in Metasploit today?
Features Layer DDoS, Spam,… What else can a bot do? • Criminals are making money by stealing users credentials for: – Auction sites – Online Banking Source: Win32/Bancos – Malicious Software Encyclopedia http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fBancos
Features Layer Those guys are improving their defenses: • Two-factor authentication – Tokens – OTP Cards / ‘ Bingo Cards’ – Very popular among Brazilian Banks:
Features Layer What a bot can do when two-factor authentication is being used? • Transaction tampering is easy and hasn’t been done until now...
Features Layer Demo: Transaction Tampering on IE
Infection and feature nightmare Let’s go again on a “what if” scenario... • One of the downloadable features is the packer/crypter used to build the bot • A new bot can: – Rebuild itself with a new packer/crypter – Start spreading itself with new exploits • AV nightmare!
Is it real? Is it possible? Dr. Jose Nazario, from Arbor Networks, on Black Hat DC (3wks ago): • Growing numbers of HTTP, IM and other bots • Ability of botnet herders is increasing – They will write their own communication protocols • Last botnets studied show these trends are real – P2P is used by Storm Worm (01-2007) – HTTP is used by Korgo, Padobot, Bzub, Nuclear Grabber – Encryption – Nugache – Bots (Rbot, Sdbot, and Gaobot) compose three of the top five slots in terms of total number of removals (MSRT)
Back to the right side “If a bad guy can persuade you to run his program on your computer, it's not your computer anymore” Social Engineering is a key factor and a trend in terms of malicious software
Back to the right side Now, more than ever, users should be prevented from running with administrative privileges – User training and awareness is key Outbound traffic monitoring is still one of the few ways to detect bots in your network Network Behavior Analysis may indicate the use of Covert Channels
Conclusion • Botnets are growing and evolving fast but the are some things we can expect – They will be easily extended and upgraded – They wil traverse multiple types of network and protocols – Their master will not be easily found since not even the bot knows where to find him – They won’t be easily hijacked as they only accept digitally signed commands – They will be able to directly change transactions made by users on websites and on-line banks, without needing to steal credentials – They will use as communication vectors protocols that can't be easily blocked without causing harm, like DNS and HTTP
Thanks Aylton Souza, Emmanuel Gadaix, Gustavo Zeidan, Dr. Jose Nazario, Kenneth Chiedu Ogwu, Lincoln Moreira Junior Cabral, for doing nothing Ddos crew, for doing And a special thanks to Paulo T.
References • Paul Barford, Vinod Yegneswaran. An Inside Look at Botnets. Computer Sciences Department University of Wisconsin, Madison. • Kelly Jackson Higgins, Senior Editor, Dark Reading. Black Hat: Botnets Go One-on-One. Feb, 2007. • Evan Cooke, Farnam Jahanian, Danny McPherson. The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets. USENIX SRUTI 05. • Paul Bächer, Thorsten Holz, Markus Kötter, Georg Wicherski. Know your Enemy: Tracking Botnets. Using honeynets to learn more about Bots. Honeynet Project. March, 2005. • David Dagon, Guofei Gu, Cliff Zou, Julian Grizzard, Sanjeev Dwivedi, Wenke Lee, Richard Lipton. A Taxonomy of Botnets. Georgia Institute of Technology, University of Central Florida. • John Kristoff. Botnets. NorthWestern University. NANOG 32. • Peter Judge. Computerworld Security, Cambridge professor warns of Skype botnet threat, January 25 2006. • Dan Kamiksy. Black Ops of DNS. Black Hat USA, July 2004. • Laurent Butti, Franck Veysett. Wi-Fi Advanced Stealh, Black Hat USA, August 2006. • Dr. Jose Nazario. Botnet Tracking: Tools, Techniques, and Lessons Learned. Black Hat DC, March 2007. • Microsoft. Malicious Software Removal Tool: Progress made, trends observed. • Microsoft. Behavioral model of social engineering malware.

Empfohlen

Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1
Aniq Eastrarulkhair
 
All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about Botnet
Naveen Titare
 
Botnet Detection in Online-social Network
Botnet Detection in Online-social NetworkBotnet Detection in Online-social Network
Botnet Detection in Online-social Network
Rubal Sagwal
 
Botnets
BotnetsBotnets
Botnets
richashri3
 
A Brief Incursion into Botnet Detection
A Brief Incursion into Botnet DetectionA Brief Incursion into Botnet Detection
A Brief Incursion into Botnet Detection
Anant Narayanan
 
Botnets
BotnetsBotnets
Botnets
Vishwadeep Badgujar
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniques
ijsrd.com
 
Botnet
BotnetBotnet
Botnet
Joshin Gomez
 

Empfohlen

Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1
Aniq Eastrarulkhair
 
All you know about Botnet
All you know about BotnetAll you know about Botnet
All you know about Botnet
Naveen Titare
 
Botnet Detection in Online-social Network
Botnet Detection in Online-social NetworkBotnet Detection in Online-social Network
Botnet Detection in Online-social Network
Rubal Sagwal
 
Botnets
BotnetsBotnets
Botnets
richashri3
 
A Brief Incursion into Botnet Detection
A Brief Incursion into Botnet DetectionA Brief Incursion into Botnet Detection
A Brief Incursion into Botnet Detection
Anant Narayanan
 
Botnets
BotnetsBotnets
Botnets
Vishwadeep Badgujar
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniques
ijsrd.com
 
Botnet
BotnetBotnet
Botnet
Joshin Gomez
 
Botnet
Botnet Botnet
Botnet
PriyanKa Harjai
 
about botnets
about botnetsabout botnets
about botnets
Alain Bindele
 
Study on Botnet Architecture
Study on Botnet ArchitectureStudy on Botnet Architecture
Study on Botnet Architecture
Bini Bs
 
[2010 CodeEngn Conference 04] Max - Fighting against Botnet
[2010 CodeEngn Conference 04] Max - Fighting against Botnet[2010 CodeEngn Conference 04] Max - Fighting against Botnet
[2010 CodeEngn Conference 04] Max - Fighting against Botnet
GangSeok Lee
 
BOTNET
BOTNETBOTNET
BOTNET
Arjo Ghosh
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet Architecture
Bhagath Singh Jayaprakasam
 
A review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsA review botnet detection and suppression in clouds
A review botnet detection and suppression in clouds
Alexander Decker
 
Botnets And Alife
Botnets And AlifeBotnets And Alife
Botnets And Alife
Zotronix
 
Pichman privacy, the dark web, &amp; hacker devices i school (1)
Pichman privacy, the dark web, &amp; hacker devices i school (1)Pichman privacy, the dark web, &amp; hacker devices i school (1)
Pichman privacy, the dark web, &amp; hacker devices i school (1)
Stephen Abram
 
Anonymity in the web based on routing protocols
Anonymity in the web based on routing protocolsAnonymity in the web based on routing protocols
Anonymity in the web based on routing protocols
Biagio Botticelli
 
BotNet Attacks
BotNet AttacksBotNet Attacks
BotNet Attacks
Rangana lakmal
 
Modern cyber threats_and_how_to_combat_them_panel
Modern cyber threats_and_how_to_combat_them_panelModern cyber threats_and_how_to_combat_them_panel
Modern cyber threats_and_how_to_combat_them_panel
Ramsés Gallego
 
The 5 most dangerous proxies
The 5 most dangerous proxiesThe 5 most dangerous proxies
The 5 most dangerous proxies
seldridgeD9
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection Techniques
Team Firefly
 
Botnet
BotnetBotnet
Botnet
lokenra
 
78751355 cryptomorphosis
78751355 cryptomorphosis78751355 cryptomorphosis
78751355 cryptomorphosis
P-e-t-a-r
 
Weaponizing Intelligence: Interdiction in Today’s Threat Landscape
Weaponizing Intelligence: Interdiction in Today’s Threat LandscapeWeaponizing Intelligence: Interdiction in Today’s Threat Landscape
Weaponizing Intelligence: Interdiction in Today’s Threat Landscape
Priyanka Aash
 
introduction to Botnet
introduction to Botnetintroduction to Botnet
introduction to Botnet
yogendra singh chahar
 
Botnets presentation
Botnets presentationBotnets presentation
Botnets presentation
Mahmoud Ibra
 
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
OWASP Delhi
 
20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?
T.Rob Wyatt
 
Blockchain for good
Blockchain for goodBlockchain for good
Blockchain for good
MobileInception
 

Weitere ähnliche Inhalte

Was ist angesagt?

Study on Botnet Architecture
Study on Botnet ArchitectureStudy on Botnet Architecture
Study on Botnet Architecture
Bini Bs
 
[2010 CodeEngn Conference 04] Max - Fighting against Botnet
[2010 CodeEngn Conference 04] Max - Fighting against Botnet[2010 CodeEngn Conference 04] Max - Fighting against Botnet
[2010 CodeEngn Conference 04] Max - Fighting against Botnet
GangSeok Lee
 
Botnets And Alife
Botnets And AlifeBotnets And Alife
Botnets And Alife
Zotronix
 
The 5 most dangerous proxies
The 5 most dangerous proxiesThe 5 most dangerous proxies
The 5 most dangerous proxies
seldridgeD9
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection Techniques
Team Firefly
 

Was ist angesagt? (20)

Botnet
Botnet Botnet
Botnet
 
about botnets
about botnetsabout botnets
about botnets
 
Study on Botnet Architecture
Study on Botnet ArchitectureStudy on Botnet Architecture
Study on Botnet Architecture
 
[2010 CodeEngn Conference 04] Max - Fighting against Botnet
[2010 CodeEngn Conference 04] Max - Fighting against Botnet[2010 CodeEngn Conference 04] Max - Fighting against Botnet
[2010 CodeEngn Conference 04] Max - Fighting against Botnet
 
BOTNET
BOTNETBOTNET
BOTNET
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet Architecture
 
A review botnet detection and suppression in clouds
A review botnet detection and suppression in cloudsA review botnet detection and suppression in clouds
A review botnet detection and suppression in clouds
 
Botnets And Alife
Botnets And AlifeBotnets And Alife
Botnets And Alife
 
Pichman privacy, the dark web, &amp; hacker devices i school (1)
Pichman privacy, the dark web, &amp; hacker devices i school (1)Pichman privacy, the dark web, &amp; hacker devices i school (1)
Pichman privacy, the dark web, &amp; hacker devices i school (1)
 
Anonymity in the web based on routing protocols
Anonymity in the web based on routing protocolsAnonymity in the web based on routing protocols
Anonymity in the web based on routing protocols
 
BotNet Attacks
BotNet AttacksBotNet Attacks
BotNet Attacks
 
Modern cyber threats_and_how_to_combat_them_panel
Modern cyber threats_and_how_to_combat_them_panelModern cyber threats_and_how_to_combat_them_panel
Modern cyber threats_and_how_to_combat_them_panel
 
The 5 most dangerous proxies
The 5 most dangerous proxiesThe 5 most dangerous proxies
The 5 most dangerous proxies
 
Botnet Detection Techniques
Botnet Detection TechniquesBotnet Detection Techniques
Botnet Detection Techniques
 
Botnet
BotnetBotnet
Botnet
 
78751355 cryptomorphosis
78751355 cryptomorphosis78751355 cryptomorphosis
78751355 cryptomorphosis
 
Weaponizing Intelligence: Interdiction in Today’s Threat Landscape
Weaponizing Intelligence: Interdiction in Today’s Threat LandscapeWeaponizing Intelligence: Interdiction in Today’s Threat Landscape
Weaponizing Intelligence: Interdiction in Today’s Threat Landscape
 
introduction to Botnet
introduction to Botnetintroduction to Botnet
introduction to Botnet
 
Botnets presentation
Botnets presentationBotnets presentation
Botnets presentation
 
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
Botnets - What, How and Why by Utsav Mittal @ OWASP Delhi July, 2014 Monthly ...
 

Ähnlich wie New Botnets Trends and Threats (BH Europe 2007)

Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
UltraUploader
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
qqlan
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
Positive Hack Days
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Abhinav Biswas
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
Positive Hack Days
 

Ähnlich wie New Botnets Trends and Threats (BH Europe 2007) (20)

20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?20130226 How Personal Is Your Cloud?
20130226 How Personal Is Your Cloud?
 
Blockchain for good
Blockchain for goodBlockchain for good
Blockchain for good
 
BOTLAB excersise
BOTLAB excersiseBOTLAB excersise
BOTLAB excersise
 
Botnet
BotnetBotnet
Botnet
 
Botnetsand applications
Botnetsand applicationsBotnetsand applications
Botnetsand applications
 
How to hack a telecom and stay alive
How to hack a telecom and stay aliveHow to hack a telecom and stay alive
How to hack a telecom and stay alive
 
Sergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay aliveSergey Gordeychik - How to hack a telecom and stay alive
Sergey Gordeychik - How to hack a telecom and stay alive
 
098
098098
098
 
How to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey GordeychikHow to hack a telecommunication company and stay alive. Sergey Gordeychik
How to hack a telecommunication company and stay alive. Sergey Gordeychik
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
 
Bots and malware
Bots and malwareBots and malware
Bots and malware
 
How To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot AttacksHow To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot Attacks
 
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
 
Botnets
BotnetsBotnets
Botnets
 
botnet.ppt
botnet.pptbotnet.ppt
botnet.ppt
 
Bot. You said bot? Let build bot then! - Laurent Ellerbach
Bot. You said bot? Let build bot then! - Laurent EllerbachBot. You said bot? Let build bot then! - Laurent Ellerbach
Bot. You said bot? Let build bot then! - Laurent Ellerbach
 
ITCamp 2017 - Laurent Ellerbach - Bot. You said bot? Let's build a bot then...
ITCamp 2017 - Laurent Ellerbach - Bot. You said bot? Let's build a bot then...ITCamp 2017 - Laurent Ellerbach - Bot. You said bot? Let's build a bot then...
ITCamp 2017 - Laurent Ellerbach - Bot. You said bot? Let's build a bot then...
 
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & DockerTouring the Dark Side of Internet: A Journey through IOT, TOR & Docker
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker
 
How to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay AliveHow to Hack a Telecom and Stay Alive
How to Hack a Telecom and Stay Alive
 
Botnet.pptx
Botnet.pptxBotnet.pptx
Botnet.pptx
 

Kürzlich hochgeladen

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 

Kürzlich hochgeladen (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

New Botnets Trends and Threats (BH Europe 2007)

  • 1. NewNewNewNew botnetsbotnetsbotnetsbotnets trends and threatstrends and threatstrends and threatstrends and threats André Fucs – afucs@uol.com.br Augusto Paes de Barros – augusto@paesdebarros.com.br Victor Pereira – vp@sekure.org
  • 2. Agenda • Botnet 101 • Botnet challenges • A Layered approach • Control layer • Communication Layer • Infection Layer • Features Layer • Back to the right side • Conclusion
  • 3. Botnet 101 “a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure.” !!!!!!!! !!!!!!!! !!!!!!!! !!!!!!!!
  • 4. Botnet 101 Botnets are an increasing threat: The Dutch police found a 1.5 million node botnet Telenor – Norwegian ISP – disbanded a 10,000 node botnet.
  • 5. Botnet 101 SOCKS4/HTTP/s proxy TCP Port Redirect License key / cookie harvest Network sniffing Send e-mail to a list of addresses (SPAM) Bots usually have limited feature set: SYN/ICMP/UDP/H TTP Flood
  • 6. Botnet 101 • Botnets can deploy several control channels, still IRC is currently the most commonly used But IRC is not such a common protocol anymore… At least not within corporate networks
  • 7. Botnet challenges • IRC issues: – Easy to block – Easy to be monitored Web would be an easy choice, however… !!!!!!!! !!!!!!!! !!!!!!!! !!!!!!!!
  • 8. Botnet challenges • Increasing number of organizations are deploying content based screening… and it’s easy to block…. • Second stage payload web sites are easy to track and easy to shutdown! • But what about the home users?
  • 9. Botnet challenges Botnet MUST avoid plain simpleweb second stage download –The botnet MUST communicate and relay control messages to peer machines and be NAT trasversal capable Botnet MUST avoid plain simpleweb second stage download The botnet MUST be able to infect new machines Botnets must be smart P2P applications!
  • 10. Botnet challenges "In the traditional botnet, if you cut off the head, you kill the beast. We speculate that, as more command-and control servers get identified by ISPs, you will see more and more of these botnets go to peer-to-peer." Dean Turner, senior manager of development for Symantec.
  • 11. A Layered approach Or… “Hello, may I speak with the product manager?”
  • 12. A Layered approach Why not build the bot in a way that: • You don’t need to change the control logic when changing the communication protocol • You can work with new features as plugins • You can use different communication methods with the same basic code • You don’t need to release a new version when adding a new exploit • You don’t even need to code a new exploit!
  • 13. A Layered approach Control Layer Communication Layer Features Infection Layer
  • 14. A Layered approach • Why make it modular? – Possibility of infecting new machines without having to replace the whole bot – new exploit modules – Code re-use? – Lower cost of development?
  • 15. A Layered approach What about a botnet that has the following features: • XML based communication; • Secure control using digital signatures; • Channel independent; • Plug-in capable; And even… • .NET ready!
  • 16. Control Layer • Why an XML based control channel? – More or less easy to extend – Standard based – Amazing text based – Internet ready – Extremely pervasive – Easy to copy and paste on websites…
  • 17. Control Layer A bot should be small and deploy a minimum features as more advanced features should be either download or uploaded. New features could be easily added to the bot <command> <jobid>123</jobid> <feature id="module X"> module parameters here </feature> </command>
  • 18. Control Layer • Payload can be even more flexible • Bot can simply receive VBS or IronPython code on a signed XML message and run it. Both languages offer easy access to the .NET Framework Scriptable bots!
  • 19. Control Layer • Why to use Digital signatures? – If we trust digital signatures to sign a dollar swap contracts, why shouldn’t we digitally sign commands for a botnet? – Easy to implement, just think about XMLSIG… – May prevent botnet takeovers.
  • 20. Signed XML Control sign ( <command> <job_id>123</job_id> <feature id=“sendmail"> To: alice @ dss.com From: bob @ dss.com Subject: I Love you </feature> </command> ) signed_xml validate_sig ( signed_xml ) signed_xm l signed_xm l signed_xml validate_sig ( signed_xml ) validate_sig ( signed_xml ) signed_xm l validate_sig ( signed_xml )
  • 21. Communication and Control • Why seek Channel independence? Imagine a world were: – A botnet can download a payload from a web site; – Replicate the payload to another bot using different transports like: • Skype • SMB • SMS • SIP • RFC1149 • …
  • 22. Communication and Control Control: – OTP based herder search • Helps to re-establish contact between bot herder and unpaired bots. – Digital Signatures • Allows bot to replicate botnet commands to peer bots securely Communication: – Basic protocols covert channels • DNS, HTTP, 802.11 – P2P mechanism • Allows bot to communicate without herder intervention
  • 23. OTP based herder search • The bot always need to know how to reach its master – Really? – Reverse Engineering vulnerable – Found the herder location, game over • What if the bot doesn’t know where the herder is, but knows how to search for it? • They need a shared secret • The shared secret can’t be static • Isn’t it just like the password dilemma?
  • 24. OTP based herder search Solution: One Time Passwords – Bot and herder have the same seed – Both calculate a new OTP periodically – Herder publishes information for the bot together with the OTP string – Bot searches for the OTP string • On Google • On P2P networks • On Social Network Websites • Can search for a string posted by others? You can use it.
  • 25. OTP based herder search Demo: Using Skype Profiles
  • 26. Communication Layer A brief list of possible channels P2P networks SMS Skype DNS Webmail Search Engines Instant Messaging
  • 27. Communication layer - Skype Skype… Pros – Popular client – P2P encrypted communication facilities – NAT Friendly – Firewall circumvention capabilities – Easy to use API – Profile Search capabilities Cons – Has Security Mechanisms to prevent unauthorized access to Skype client
  • 28. Infection Layer Why not embed something like MetaExploit to a bot? • Exploits being published by others, ready for plug into the bot • The framework as part of the bot – Just one payload – The bot – N exploits – How many available in Metasploit today?
  • 29. Features Layer DDoS, Spam,… What else can a bot do? • Criminals are making money by stealing users credentials for: – Auction sites – Online Banking Source: Win32/Bancos – Malicious Software Encyclopedia http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fBancos
  • 30. Features Layer Those guys are improving their defenses: • Two-factor authentication – Tokens – OTP Cards / ‘ Bingo Cards’ – Very popular among Brazilian Banks:
  • 31. Features Layer What a bot can do when two-factor authentication is being used? • Transaction tampering is easy and hasn’t been done until now...
  • 33. Infection and feature nightmare Let’s go again on a “what if” scenario... • One of the downloadable features is the packer/crypter used to build the bot • A new bot can: – Rebuild itself with a new packer/crypter – Start spreading itself with new exploits • AV nightmare!
  • 34. Is it real? Is it possible? Dr. Jose Nazario, from Arbor Networks, on Black Hat DC (3wks ago): • Growing numbers of HTTP, IM and other bots • Ability of botnet herders is increasing – They will write their own communication protocols • Last botnets studied show these trends are real – P2P is used by Storm Worm (01-2007) – HTTP is used by Korgo, Padobot, Bzub, Nuclear Grabber – Encryption – Nugache – Bots (Rbot, Sdbot, and Gaobot) compose three of the top five slots in terms of total number of removals (MSRT)
  • 35. Back to the right side “If a bad guy can persuade you to run his program on your computer, it's not your computer anymore” Social Engineering is a key factor and a trend in terms of malicious software
  • 36. Back to the right side Now, more than ever, users should be prevented from running with administrative privileges – User training and awareness is key Outbound traffic monitoring is still one of the few ways to detect bots in your network Network Behavior Analysis may indicate the use of Covert Channels
  • 37. Conclusion • Botnets are growing and evolving fast but the are some things we can expect – They will be easily extended and upgraded – They wil traverse multiple types of network and protocols – Their master will not be easily found since not even the bot knows where to find him – They won’t be easily hijacked as they only accept digitally signed commands – They will be able to directly change transactions made by users on websites and on-line banks, without needing to steal credentials – They will use as communication vectors protocols that can't be easily blocked without causing harm, like DNS and HTTP
  • 38. Thanks Aylton Souza, Emmanuel Gadaix, Gustavo Zeidan, Dr. Jose Nazario, Kenneth Chiedu Ogwu, Lincoln Moreira Junior Cabral, for doing nothing Ddos crew, for doing And a special thanks to Paulo T.
  • 39. References • Paul Barford, Vinod Yegneswaran. An Inside Look at Botnets. Computer Sciences Department University of Wisconsin, Madison. • Kelly Jackson Higgins, Senior Editor, Dark Reading. Black Hat: Botnets Go One-on-One. Feb, 2007. • Evan Cooke, Farnam Jahanian, Danny McPherson. The Zombie Roundup: Understanding, Detecting, and Disrupting Botnets. USENIX SRUTI 05. • Paul Bächer, Thorsten Holz, Markus Kötter, Georg Wicherski. Know your Enemy: Tracking Botnets. Using honeynets to learn more about Bots. Honeynet Project. March, 2005. • David Dagon, Guofei Gu, Cliff Zou, Julian Grizzard, Sanjeev Dwivedi, Wenke Lee, Richard Lipton. A Taxonomy of Botnets. Georgia Institute of Technology, University of Central Florida. • John Kristoff. Botnets. NorthWestern University. NANOG 32. • Peter Judge. Computerworld Security, Cambridge professor warns of Skype botnet threat, January 25 2006. • Dan Kamiksy. Black Ops of DNS. Black Hat USA, July 2004. • Laurent Butti, Franck Veysett. Wi-Fi Advanced Stealh, Black Hat USA, August 2006. • Dr. Jose Nazario. Botnet Tracking: Tools, Techniques, and Lessons Learned. Black Hat DC, March 2007. • Microsoft. Malicious Software Removal Tool: Progress made, trends observed. • Microsoft. Behavioral model of social engineering malware.