![Page 1: Taking Down Botnets: Microsoft and the Rustock Botnet](https://reader035.vdocuments.mx/reader035/viewer/2022062518/56814a11550346895db7391b/html5/thumbnails/1.jpg)
Taking Down Botnets: Microsoft and the Rustock Botnet
Presenter: 劉旭哲
• 95% of all spam comes from botnets; almost half of that spam comes from a single botnet, Rustock.
  – 39%
  – size from 2.5 million to 1.3 million bots over the same period
• total amount is down except Rustock
  – reduced their number of bots but increased its volume
  – 6% increase in spam emails per day
• Rustock
  – 5+ years old
  – consists of exploit pushers, malware writers, botnet operators, hosting companies, and many sub-components of each.
  – infects a user simply by selling ad space to enterprising 3rd parties.
  – It installs a rootkit.
• C&C
  – In 2008, the IP address was inside an executable
• even today, many bots don’t use DNS and rely on a set of IPs.
  – If you need both a domain name and hosting on an IP (a server), that gives the Internet Good Guys two ways to knock you out:
    1. IP routing infrastructure
    2. DNS infrastructure with registrars/registries.
• “new” Rustock (the mistakes a typical bot’s HTTP request makes, which Rustock avoids)
  1) Missing Accept-Language/Accept-Encoding
  2) The User-Agent is faked
  3) The Host
  4) The URI
  5) HTTP/1.1 instead of 1.0.
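As an added example (not part of the original slides), the five request-level mistakes above can be turned into a simple detection heuristic. The parser, the sample requests and the concrete checks for "The Host" and "The URI" (bare-IP Host header, bare file-name URI) are constructed assumptions for illustration; the slides only name the categories.

```python
# Added example, not from the original slides: score an HTTP request against
# the five "typical bot" header mistakes listed on the slide. The request
# parser, the sample requests and the concrete Host/URI heuristics are
# constructed assumptions.
from typing import Dict, List, Tuple


def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, uri, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers


def bot_indicators(raw: str) -> List[str]:
    """Return the list of slide-style anomalies found in one request."""
    method, uri, version, headers = parse_request(raw)
    findings: List[str] = []
    # 1) real browsers send Accept-Language and Accept-Encoding
    if "accept-language" not in headers:
        findings.append("missing Accept-Language")
    if "accept-encoding" not in headers:
        findings.append("missing Accept-Encoding")
    # 2) faked or implausible User-Agent (assumed check: no browser token)
    ua = headers.get("user-agent", "")
    if not ua or not any(tok in ua for tok in ("Mozilla", "Opera")):
        findings.append("suspicious User-Agent")
    # 3) Host header absent or a bare IP address (assumed check)
    host = headers.get("host", "")
    if not host or host.replace(".", "").replace(":", "").isdigit():
        findings.append("Host missing or bare IP")
    # 4) URI is a bare file name such as /kill.txt rather than a page (assumed)
    if uri.count("/") == 1 and uri.endswith((".txt", ".bin")):
        findings.append("unusual URI")
    # 5) HTTP/1.0 where a browser would speak HTTP/1.1
    if version != "HTTP/1.1":
        findings.append("HTTP/1.0")
    return findings


# Constructed sample requests: one browser-like, one bot-like.
BROWSER_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/4.0\r\n"
    "Accept-Language: en-US\r\n"
    "Accept-Encoding: gzip, deflate\r\n\r\n"
)
BOT_REQUEST = (
    "GET /kill.txt HTTP/1.0\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: x\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("browser", BROWSER_REQUEST), ("bot", BOT_REQUEST)):
        print(name, "->", bot_indicators(req) or "no anomalies")
```

The point of the slide is the inverse of this checker: because Rustock sends a request that passes all five checks, a signature built only on these anomalies will not fire, and detection has to move to other layers (DNS behaviour, endpoint telemetry).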
• The botmaster designed his botnet to make it look a little more legitimate than a typical botnet.
• By not making such mistakes, Rustock made itself just slightly more difficult to detect than the above, and indeed, as analysts have come out with SpyEye Snort signatures, it has been morphing its structure.
• the bot is connecting to "go-thailand-now.com".
  1. no A record returned
  2. there were a number of domains hidden inside the malware that would be queried
  3. IP address returned in the A record
  4. a mathematical transform would happen and the bot would connect to a totally different domain.
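The behaviour described above (query a decoy name, get an A record, then connect somewhere the A record never pointed to) leaves a gap between DNS answers and actual connections that a defender can look for. The following is an added example, not from the original slides: it correlates constructed DNS and connection log lines and flags connections to IPs that no A record in the window returned, plus decoy names that came back NXDOMAIN. The log format, the IP addresses (documentation ranges) and the timestamps are constructed; the domain names are the ones the slides list.

```python
# Added example, not from the original slides: flag outbound connections whose
# destination IP was never returned by a DNS answer ("DNS-less" connections),
# the symptom of the decoy-lookup-then-transform behaviour described above.
# Log format, timestamps and IPs are constructed for illustration.
import re
from typing import Dict, List, Set, Tuple

# Constructed DNS log: one line per query with the answers observed.
DNS_LOG = """\
10:00:01 query=go-thailand-now.com rcode=NXDOMAIN answers=
10:00:02 query=godlovesme.org rcode=NOERROR answers=198.51.100.7
10:00:03 query=www.example.com rcode=NOERROR answers=93.184.216.34,93.184.216.35
"""

# Constructed connection log from the same host in the same window.
CONN_LOG = """\
10:00:02 dst=203.0.113.45 port=80
10:00:04 dst=93.184.216.34 port=443
"""

DNS_RE = re.compile(r"^(\S+) query=(\S+) rcode=(\S+) answers=(\S*)$")
CONN_RE = re.compile(r"^(\S+) dst=(\S+) port=(\d+)$")


def parse_dns(log: str) -> List[Dict[str, object]]:
    """Parse DNS log lines into dicts with name, rcode and the set of answers."""
    records = []
    for line in log.splitlines():
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        ts, name, rcode, answers = m.groups()
        ips = {a for a in answers.split(",") if a}
        records.append({"ts": ts, "name": name, "rcode": rcode, "ips": ips})
    return records


def resolved_ips(log: str) -> Set[str]:
    """Every IP that any A answer in the window returned."""
    ips: Set[str] = set()
    for rec in parse_dns(log):
        ips |= rec["ips"]  # type: ignore[arg-type]
    return ips


def nxdomain_queries(log: str) -> List[str]:
    """Names that were queried but did not resolve (decoy candidates)."""
    return [rec["name"] for rec in parse_dns(log) if rec["rcode"] == "NXDOMAIN"]  # type: ignore[misc]


def unresolved_connections(dns_log: str, conn_log: str) -> List[Tuple[str, int]]:
    """Connections to destinations that no DNS answer in the window explains."""
    known = resolved_ips(dns_log)
    flagged = []
    for line in conn_log.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        ts, dst, port = m.groups()
        if dst not in known:
            flagged.append((dst, int(port)))
    return flagged


if __name__ == "__main__":
    print("NXDOMAIN decoys:", nxdomain_queries(DNS_LOG))
    print("connections with no matching A record:",
          unresolved_connections(DNS_LOG, CONN_LOG))
```

In production this check needs a resolution cache that spans the whole host session rather than one window, and an allowlist for destinations that legitimately bypass DNS (hard-coded update servers, local addresses), or it will be noisy; the slide’s point is that the mismatch itself, not the decoy names, is the stable signal.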
• five other "fake" domains:
  1. godlovesme.org
  2. chernomorsky.name
  3. hollybible.com
  4. hollyjesus.com
  5. muza-flowers.biz
Login C&C server
• all C&C communications are encrypted.
• the encryption algorithm was RC4
Communications
1. Client sends kill.txt
2. Server responds with a list of processes to kill
3. Client sends information:
   – Bandwidth to server
   – OS
   – SMTP (port 25)
   – is VM
   – is blacklisted on DNS
4. Server responds with:
   – Client IP
   – machine name
   – taskid
5. Client sends neutral.txt
6. Server responds with a list of domains for spam
7. Client sends unlucky.txt
8. Server responds with a list of SMTP server responses that indicate failure
9. Client sends tmpcode.bin
10. Server responds with spam content
11. Client sends “–”
12. Server responds with target mail addresses
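The twelve-step exchange above, together with the RC4 note from the login slide, is what an analyst reconstructs from a capture once the key has been recovered from the sample. The following is an added example, not from the original slides or from any Rustock tooling: an RC4 routine plus a session reconstructor that decrypts a constructed capture and labels each message with the stage it belongs to. The key, the framing (each message RC4-encrypted independently under the same key), the field layout of the client-information message and the payload strings are all constructed assumptions; only the request names and stage meanings come from the slides.

```python
# Added example, not from the original slides: decrypt a captured
# Rustock-style C&C session and label each message with its stage.
# RC4 is the cipher the slides name; the key, per-message framing, field
# layout and payload contents are constructed assumptions.
from typing import List, Tuple

# Request name -> meaning of the server response, per the slides.
STAGES = {
    "kill.txt": "process kill list",
    "neutral.txt": "spam domain list",
    "unlucky.txt": "SMTP failure responses",
    "tmpcode.bin": "spam content",
    "-": "target mail addresses",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: KSA then PRGA, XOR keystream into data (encrypt == decrypt)."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def reconstruct_session(key: bytes,
                        capture: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Decrypt (direction, ciphertext) pairs; direction is 'C' (client) or 'S' (server).

    Returns (kind, stage, plaintext) triples. A server message is labelled with
    the stage of the client request that preceded it; a client message whose
    text is not one of the known request names is the information upload.
    """
    session = []
    pending = "unknown"
    for direction, ct in capture:
        pt = rc4(key, ct).decode("latin-1")
        if direction == "C":
            pending = STAGES.get(pt.strip(), "client info")
            session.append(("request", pending, pt))
        else:
            session.append(("response", pending, pt))
    return session


KEY = b"constructed-demo-key"  # assumption: recovered from the sample


def make_capture() -> List[Tuple[str, bytes]]:
    """Constructed capture of the first three request/response pairs."""
    messages = [
        ("C", "kill.txt"),
        ("S", "procA.exe\nprocB.exe"),
        ("C", "bw=2000 os=XP smtp25=1 vm=0 dnsbl=0"),  # constructed field layout
        ("S", "ip=203.0.113.9 name=PC-01 taskid=17"),
        ("C", "neutral.txt"),
        ("S", "example.org\nexample.net"),
    ]
    return [(d, rc4(KEY, m.encode("latin-1"))) for d, m in messages]


if __name__ == "__main__":
    for kind, stage, text in reconstruct_session(KEY, make_capture()):
        print(f"{kind:8} [{stage}] {text!r}")
```

Two practical notes: RC4 keystream depends only on the key, so if the bot really does encrypt every message under the same key without a per-message nonce, two captured ciphertexts XOR to the XOR of their plaintexts, which helps an analyst confirm a recovered key; and since the ciphertext itself carries no usable signature, the detectable artefacts are the stage cadence (small request, larger response, repeated per task) and the SMTP activity that follows.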
Conclusion
• rootkit technology – difficult to detect the infection at the host level.
• encrypted HTTP for C&C (TLS) – difficult to detect at the network level.
• Rustock was felled by Microsoft and federal law enforcement agents.
• Used the legal process to shutter the C&C at a US hosting provider
• Therefore, I consider that Rustock will come back soon, because there is no way to detect it.