taking down botnets: microsoft and the rustock botnet

Taking Down Botnets: Microsoft and the Rustock Botnet

報告者：劉旭哲

• 95% of all spam are from botnets – almost half of that spam comes from a single botnet,

Rustock.– 39%– size from 2.5 million to 1.3 million bots over the

same period• total amount is down except Rustock– reduced their number of bots but increased its

volume– 6% increase in spam emails per day

• Rustock– 5+ years old– consist of exploit pushers, malware writers, botnet

operators, hosting companies, and many sub components of each.

– infects a user simply by selling ad space to enterprising 3rd parties.

– It will rootkit

• C&C– In 2008, IP address inside an executable

• even today, many bots don’t use the DNS and relying on a set of IPs. – If you need both a domain name and hosting on

an IP (a server), that gives the Internet Good Guys two ways to knock you out

1. IP routing infrastructure 2. DNS infrastructure with registrars/registries.

• “new” Rustock

1) Miss Accept-Language/Accept-Encoding2) The User-Agent is faked3) The Host4) The URI5) HTTP/1.1 instead of 1.0.

• The botmaster designed his botnet – make it look a little more legitimate than a typical

botnet. • By Rustock not making such mistakes, it made

itself just slightly more difficult to detect than the above, and indeed as analysts have came out with SpyEye snort sigs, it has been morphing its structure.

• the bot is connecting to "go-thailand-now.com". 1. no A record returned2. there were a number of domains hidden inside

the malware that would be queried3. IP address returned in the A record4. a mathematical transform would happen and the

bot would connect to a totally different domain.

• five other "fake" domains: 1. godlovesme.org2. chernomorsky.name3. hollybible.com4. hollyjesus.com5. muza-flowers.biz.

Login C&C server

• all C&C communications are encrypted.• encryption algorithm was RC4

Communications

1. Client sends kill.txt2. Server responses list of processes to kill3. Client send information

– Bandwidth to server – OS – SMTP(port 25) – is VM – is blacklist on DNS

4. Server response– Client IP– machine name– taskid

5. Client sends neutral.txt6. Server responses list of domain for spam7. Client sends unlucky.txt8. Server responses list of SMTP server responses

that indicate failure9. Client sends tmpcode.bin10. Server responses spam content11. Client send “–” 12. Server responses target mail addr

Conclusion

• rootkit technology – difficult to detect the infection at the host level.

• encrypted HTTP for C&C (TSL)– difficult to detect at the network level.

• Rustock was felled by Microsoft and federal law enforcement agents.

• Use the legal process to shutter the C&C at US host provider • Therefore, I considered Rustock will come back soon,

because there is no way to detection.

Reference

• http://www.usenix.org/event/hotbots07/tech/full_papers/chiang/chiang.pdf

• http://blog.fireeye.com/research/2011/03/an-overview-of-rustock.html