
Page 1: Botnets How are we protecting our organisations from being part of such a phenomenon Clinton Cutajar Team Leader – Information Security ccutajar@computime.com.mt.

Botnets – How are we protecting our organisations from being part of such a phenomenon

Clinton Cutajar, Team Leader – Information Security

[email protected] / [email protected]

Page 2:

Personal Background

• Location – Malta, Europe

• Academic
- M.Sc. Information Security
- B.Sc. IT (Hons) in Computer Science and AI

• Industrial
- Check Point
- Juniper
- Cisco
- CISA
- CompTIA+

Page 3:

Computime Ltd - Malta

• Established in 1979.
• Systems integrator – 90 employees.
• Dedicated Systems, Networking and Information Security teams.
• Projects in Malta, Europe and North Africa.
• Clientele – banks, insurance agencies, financial, government, education and more.
• Partners with Check Point, Juniper, Cisco, Splunk, Vasco, etc.

Page 4:

What is a Bot?

• A malicious piece of software with the ability to communicate with a command-and-control (C&C) infrastructure.

• Communication with the C&C allows a bot agent to receive new instructions and malicious capabilities (in plain text or encrypted).

• The compromised host is used as an unwilling participant in Internet crime as soon as it is linked into a botnet via that same C&C.

Page 5:

Attacking Behaviour

• The methods botmasters use to attack victims in order to achieve their ultimate goals:

• Infecting new hosts
• Stealing personal information
• Phishing and SPAM proxy
• DDoS

Page 6:

Infecting new hosts

• Several methods exist to deliver the bot agent to the victim:

• Compressed attachments
• Encrypted attachments
• Drive-by download
• Infected USB drives
• Exploiting vulnerabilities within applications that allow remote code execution

Page 7:

Stealing Personal Information

• Banking details, social security numbers, etc.
• Details sold to crime masterminds
• Methods to steal data:
- Key loggers
- MiB (Man in the Browser) attack
- Camera shots

Page 8:

Phishing and Spam proxy

• SPAM is the process of flooding the Internet with multiple copies of the same message.

• Mostly related to sex/dating and pharmaceutical products.

• Phishing makes use of fake emails routing victims to bogus websites in order to steal login credentials.

• A botmaster can sell SPAM services to third parties, using the infected hosts to send the mails.

Page 9:

Phishing and SPAM proxy (cont)

Page 10:

Phishing and Spam proxy (cont)

Page 11:

Distributed Denial of Service (DDoS)

• A DoS (Denial of Service) attack seeks to render target systems inaccessible by exhausting all network resources.

• A DDoS attack is a DoS generated from different locations around the globe, making it difficult to isolate the particular IP addresses generating the malicious traffic.

• DoS targets availability; confidentiality and integrity are not affected.

Page 12:

Communication Protocols

• IRC
• HTTP
• IM

Page 13:

Centralised (Star) Model

• The botmaster selects a single high-bandwidth host (usually compromised) to be the C&C.

• The infected host is preconfigured to "phone home" to this central C&C, registering itself as a botnet member, and then awaits new instructions.

• Advantages:
- Rapid (low latency) data transfer (commands and stolen data) due to direct communication
- Easy to implement
- Scalable to support large botnets

• Disadvantages:
- Blocking the central C&C shuts down the botnet.

Page 14:

Decentralised (Distributed) Model

• Integrates peer-to-peer (P2P) concepts into malicious software, increasing scalability and availability and making the botnet more resilient.

• The size of a P2P botnet is difficult to estimate, and shutting one down is hard because no central hub can be pinpointed and disabled.

• The communication system does not rely on a single centralised server (which is easier to detect and shut down) but on P2P C&C destinations.

Page 15:

Rallying Mechanism

• A method by which new bots locate and join the botnet. There are mainly three mechanisms by which a bot can locate its C&C server:

• Hard-coded IPs
• Dynamic DNS domain
• Dynamic DNS servers

Page 16:

Evasion Techniques

• Evasion techniques are ways to prevent detection mechanisms from identifying the communication between the bot-infected host and the C&C.

• Covert channels
• VoIP
• Skype
• IPv6
• Fluxing

Page 17:

Evasion Techniques – Covert Channels

• Covert channels are ways of transferring instructions to the infected host while going undetected.

• Embed instructions in valid web objects, pages and documents.

• Popular covert channels:
- JPG images (in EXIF information)
- Microsoft Word 2007 files (XML metadata)
- LinkedIn and Twitter status updates
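One practical mitigation for the EXIF covert channel is to strip image metadata at a gateway or upload boundary, so that whatever a botmaster embedded never reaches the infected host. The following added example (not code from the talk or from any vendor mentioned in it) walks the JPEG segment table and rebuilds the file without APP1..APP15 and COM segments; the sample file is constructed inline and is not a real photo.

```python
import struct
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers without a length field

def jpeg_segments(blob):
    """Yield (marker, raw_bytes) per header segment, then ("scan", rest) at SOS."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(blob):           # every header segment is at least 4 bytes
        if blob[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = blob[pos + 1]
        if marker == 0xFF:                # fill byte, permitted before any marker
            pos += 1
        elif marker == SOS:               # scan data + EOI follow; pass them through
            yield "scan", blob[pos:]
            return
        elif marker in STANDALONE:
            yield marker, blob[pos:pos + 2]
            pos += 2
        else:
            (length,) = struct.unpack(">H", blob[pos + 2:pos + 4])
            if length < 2 or pos + 2 + length > len(blob):
                raise ValueError(f"bad segment length at offset {pos}")
            yield marker, blob[pos:pos + 2 + length]
            pos += 2 + length
    raise ValueError("truncated JPEG: no SOS segment found")

def strip_metadata(blob, drop=frozenset({*range(0xE1, 0xF0), 0xFE})):
    """Rebuild the JPEG without APP1..APP15 (EXIF, XMP, ...) and COM segments;
    APP0 (JFIF) and the tables the decoder needs are copied byte for byte."""
    out = bytearray(b"\xff\xd8")
    for marker, raw in jpeg_segments(blob):
        if marker not in drop:
            out += raw
    return bytes(out)

def segment(marker, payload):
    """Build one FF <marker> <length> <payload> segment (for the sample below)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample, not a real photo: JFIF APP0, an oversized APP1 "Exif" block where
# smuggled instructions would sit, a COM segment, a minimal SOS header, fake scan data, EOI.
SAMPLE_JPEG = (b"\xff\xd8" + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + segment(0xE1, b"Exif\x00\x00" + b"CONSTRUCTED-PAYLOAD-" * 50)
               + segment(0xFE, b"constructed comment")
               + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
               + b"\x12\x34\x56\xff\xd9")
```

Stripping is preferable to trying to recognise "malicious" metadata by content, since the EXIF block is free-form and an attacker controls its encoding.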

Page 18:

Evasion Techniques – Covert Channels

Page 19:

Evasion Techniques – Fluxing

• A new way to allow C&C location resolution and failover resilience.

• Two types of fluxing:
- IP flux: changing the IP address behind a domain.
- Domain flux: changing the DNS name that points to a particular IP.

• Both techniques are used by professional botmasters.
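Both kinds of flux leave a trace in the resolver logs a defender already has: IP flux shows up as one name answered by many addresses with short TTLs, domain flux as one address reached through many throwaway names. The added example below (not from the talk) scores a constructed passive-DNS style log for both patterns; the log format is an assumption, and addresses and names come from the RFC 5737 documentation ranges and reserved TLDs.

```python
import re
from collections import defaultdict

# Constructed passive-DNS style records (timestamp, queried name, A answer, TTL).
# Addresses come from the RFC 5737 documentation ranges; names use reserved TLDs.
SAMPLE_DNS_LOG = """\
2013-05-02T10:00:01 q=update-node.example A=203.0.113.10 ttl=120
2013-05-02T10:02:05 q=update-node.example A=203.0.113.57 ttl=120
2013-05-02T10:04:10 q=update-node.example A=198.51.100.23 ttl=60
2013-05-02T10:06:14 q=update-node.example A=198.51.100.201 ttl=60
2013-05-02T10:08:20 q=update-node.example A=203.0.113.99 ttl=120
2013-05-02T10:10:00 q=www.example A=192.0.2.80 ttl=86400
2013-05-02T10:11:00 q=www.example A=192.0.2.80 ttl=86400
2013-05-02T10:12:00 q=a7f3kq.test A=192.0.2.44 ttl=300
2013-05-02T10:13:00 q=qz91mx.test A=192.0.2.44 ttl=300
2013-05-02T10:14:00 q=b02xwp.test A=192.0.2.44 ttl=300
2013-05-02T10:15:00 q=ppl77d.test A=192.0.2.44 ttl=300
"""

LINE_RE = re.compile(r"^(\S+) q=(\S+) A=(\S+) ttl=(\d+)$")

def parse_records(log):
    """Yield (timestamp, name, ip, ttl) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, name, ip, ttl = m.groups()
            yield ts, name.lower().rstrip("."), ip, int(ttl)

def flux_report(log, min_ips=4, max_ttl=300, min_names=3):
    """Return (ip_flux_names, domain_flux_ips).
    IP flux: one name resolving to many addresses, all with short TTLs.
    Domain flux: one address reached through many different names.
    CDNs and shared hosting trigger both heuristics, so allow-list them first."""
    ips_by_name = defaultdict(set)
    ttls_by_name = defaultdict(list)
    names_by_ip = defaultdict(set)
    for _, name, ip, ttl in parse_records(log):
        ips_by_name[name].add(ip)
        ttls_by_name[name].append(ttl)
        names_by_ip[ip].add(name)
    ip_flux = sorted(n for n, ips in ips_by_name.items()
                     if len(ips) >= min_ips and max(ttls_by_name[n]) <= max_ttl)
    domain_flux = sorted(ip for ip, names in names_by_ip.items()
                         if len(names) >= min_names)
    return ip_flux, domain_flux
```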

Page 20:

Popular Botnets

Rustock SPAM Botnet

ZEUS Banking Botnet

LOIC Traffic Generator

Poison Ivy RAT

Page 21:

Page 22:

Vendor Protection

• Different vendors offer botnet-related protection:
- Check Point with Anti-Bot blade
- Cisco with Anti-Bot license and CSC-SSM
- HP TippingPoint
- ThreatSTOP DNS Service
- McAfee Host security

• Frequency of DB update / real-time query is very important
• Need to keep up with the latest threats
• Update services:
- Check Point ThreatCloud
- Cisco Signature Intelligence Operations (SIO)

Page 23:

Check Point Anti-Bot

• Inspects traffic as it exits the firewall.
• For each connection, the Check Point Anti-Bot blade checks:
- DNS
- IP
- Communication pattern

• A request is sent to ThreatCloud and the resulting state is received back.

• On a positive match the traffic is dropped, denying the malicious communication.
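The "communication pattern" check is the one a team can reproduce from its own firewall logs without a vendor feed: a bot polling its C&C on a timer produces connections at almost constant intervals, while a user's browsing does not. The added example below is not Check Point's logic or any product's code; it applies a coefficient-of-variation heuristic to a constructed connection log whose addresses come from the RFC 5737 documentation ranges.

```python
import statistics
from collections import defaultdict

# Constructed firewall connection log: (epoch seconds, source, destination:port).
# Addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_FLOWS = [
    # host 192.0.2.10 "phoning home" roughly every 300 s with a few seconds of jitter
    (1000, "192.0.2.10", "203.0.113.5:443"), (1302, "192.0.2.10", "203.0.113.5:443"),
    (1598, "192.0.2.10", "203.0.113.5:443"), (1901, "192.0.2.10", "203.0.113.5:443"),
    (2199, "192.0.2.10", "203.0.113.5:443"), (2503, "192.0.2.10", "203.0.113.5:443"),
    # the same host browsing a web server: irregular, bursty timing
    (1010, "192.0.2.10", "198.51.100.7:80"), (1025, "192.0.2.10", "198.51.100.7:80"),
    (1500, "192.0.2.10", "198.51.100.7:80"), (2400, "192.0.2.10", "198.51.100.7:80"),
    (2405, "192.0.2.10", "198.51.100.7:80"), (2410, "192.0.2.10", "198.51.100.7:80"),
    # another host with regular timing but too few samples to judge
    (1000, "192.0.2.11", "203.0.113.9:443"), (1300, "192.0.2.11", "203.0.113.9:443"),
    (1600, "192.0.2.11", "203.0.113.9:443"),
]

def beacon_candidates(flows, min_conns=5, max_cv=0.1, min_interval=10):
    """Return [(src, dst, period_seconds)] for source/destination pairs whose
    inter-connection gaps are nearly constant. cv = stdev / mean of the gaps;
    timer-driven C&C polling yields a low cv, interactive traffic a high one.
    Pairs with fewer than min_conns connections or sub-min_interval bursts are
    skipped to keep short-lived noise out of the result."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)
    found = []
    for (src, dst), ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean < min_interval:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found.append((src, dst, round(mean)))
    return found
```

A flagged pair is a lead, not a verdict: legitimate software updaters and monitoring agents beacon too, so the destination still needs the DNS and IP reputation checks the slide lists.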

Page 24:

Signatures and Updates

• Collaboration is required to combat computer crime.
• Inputs are needed from different areas.
• Provide changes and new information to customers as fast as possible.
• Can be compared to a human virus (e.g. swine flu), where different organisations collaborate to find a solution.

Page 25:

Check Point ThreatCloud

Page 26:

Botnet Incident – RSA Breach

• RSA – organisation providing security tokens for dual-factor authentication.

• Attack in Feb 2011 – devastating effect for RSA
- $60 million in damages
- Loss of trust

• Final target of the attack – one of RSA's clients
- Lockheed Martin – US defence contractor

Page 27:

Botnet Incident – RSA Breach (cont)

Page 28:

Anti-Botnet actions

• Operation b107
- Takedown of the Rustock botnet (SPAM).
- Date of takedown – 2011.
- Collaboration between security organisations.
- The McColo datacentre knockout, famous for hosting master servers of botnets.
- Managed to put it offline by disconnecting McColo's uplinks, but a new uplink (TeliaSoneraCERT) allowed the botmaster to update the zombie army with the new C&C server location.
- Definitive takedown by seizing physical servers at 7 US and 2 overseas hosting facilities.
- Spam rate decreased by 33.4%.

Page 29:

Security in practice

• A full holistic solution is required rather than just isolated security functionalities.

• Dual-layer firewall (different vendors) so that a vulnerability in one particular OS cannot be exploited to get through both layers.

• Multiple functionalities
- On the external firewall:
  - Intrusion Prevention System (IPS)
  - Network Anti-Virus
  - Email filter (protecting from SPAM etc.) in the DMZ
- On the internal firewall:
  - URL Filtering
  - Application Control
  - Anti-Bot

• Reporting tool to generate "readable" reports
• Host security to prevent infections when connected to guest Internet

Page 30:

[Network diagram: ISP1 and ISP2 uplinks; Layer 1 firewall cluster (Vendor 1, EXT_FW1 / EXT_FW2) providing IPS and network AV; DMZ Web (web server, HTTP TCP 80); DMZ Email (frontend email server, OWA TCP 443, SMTP relay acting as email filter only, SMTP TCP 25, secondary email filter); DMZ ESRV; Layer 2 firewall cluster (Vendor 2, INT_FW1 / INT_FW2) providing URL filtering, application control and Anti-Bot; servers network (DB server, backend email server, domain controller, secondary domain controller); Users Net 1 and Users Net 2, with wireless access based on 802.1x and domain authentication; internal routers in active/standby configuration; management network (centralised firewall management, backup firewall management, logger and reporter, monitoring server).]

Page 31:

Conclusion

• Security is risk based and it is impossible to be completely fail-proof.

• Even though security vendors constantly study and reverse engineer malicious applications to provide signatures for their products, there is still the possibility that malicious communication makes it through the network protection.

• It is very important to deal with an experienced, well-established security vendor known to provide immediate support.

• Users must also collaborate by not running untrusted executables, which may easily be malware.

• Security is only as strong as its weakest link, which is usually the user (as we have seen in the RSA case).
