HIDDENSALAMANDER - Electronic Frontier Foundation · HIDDENSALAMANDER Alerting and ... - Earl...

SECRET//COMINT//REL TO USA, FVEY

HIDDENSALAMANDER Alerting and Characterization of Botnet Activity in TURMOIL

r v i i s s i p r \ ] CZ A R A B I I — I T"i E 5

SECRET//REL TO USA, FVEY m i s s i o n CAPABILIT] E5

(S//REL) High Level Goals

O Detect (all!) botnet activity on our sensors

- Alert only when activity is relevant and time-sensitive »Involves entities/commanding of high interest »Involves protected areas » Could initiate defensive action

- Generate metadata always »Aids in attribution and retrospective analysis

- Enrich metadata as much as possible »Alleviate the need for in-depth knowledge of actors or malware

SECRET//REL TO USA, FVEY

(S//REL) Approach rvussiSrvj

CAPABILIT]

<D Z!

-I—1

(D C O)

CO

o c

CO

C0 E

o _D) < "O CD N

"03 'o 0) CL

CO

HIDDENSv B Process Payload for "targets",

BotlDs, channels, nicknames, add directionality...

Igical Fl

rocessi

Track C2 (IP and SID) over a

period of activity, document bots

Gather specialized knowledge

Decode, Detect

Encryption, ...

Track over Event's time

Apply generic

Knowledge

Summarize Activity

Report Overall "Event"

Report Instance



(S//REL) Concept/Idea Behind It rvuss iC^ j

CAPABILIT] EEE

Q Discovery


SECRET//REL TO USA, FVEY m i s s i o n [^ /XF 'A.Bt l i~T] E 5

(S//REL) What we offer today

o An extensible botnet processing service - Capabilities are added via configuration or specialized processors

® The ability to track events spanning across 5-tuples - Enables production of Event Summaries and Enrichment

© Geographical dispersion - SIGINT perspective, currently at SCS sites and MHS (prototype)

^ TURMOIL augments Defensive Efforts two fold - Early warning Tips for defensive action (to NETEZZA, then

TUTELAGE) - Metadata for characterization and to support attribution (to

GMPLACE and RONIN, then CYBERCLOUD and MARINA).


(S//REL) Progress over the last year

® Advancements - Zeus RC4 encrypted processing flow - Base64 decoding e.g. BEB vl .8 target IP extraction - Limited Metadata Enrichment

» Case Study to support QBOT activities - Deployment to F6 sites and a second system at MHS - Established ASDF to GMPLACE for GHOSTMACHINE analytics - Established flow to NETEZZA (TURQI) for validation - Defined Botnet Lifecycle Model for categorizing enrichment

metadata


(S//REL) Current Development Focus

® Attain analyst validation - Ingest into GM and creating Views - End-to-end dataflow validation

® Improve Metadata Enrichment capabilities - Define generic model to create metadata PCRE rules - Refine Enrichment Model for Malware

o Improvements to function as a framework/service - Greater focus on metadata enrichment

0 Provide dynamic AEG tasking ® Re-factor Tasking and Tips to fit botnets

- Update Tip format to closely align with extracted data

^ Add specialized packet processors - Mariposa - Looking for opportunities



(S//REL) Future Work

o Initial development - Initiate promotion (to XKS) or collection flows - Re-factor SEG to make Metadata Enrichment more flexible - Redesign the Analytic to provide more valuable Summaries

» Possibly detect point of origin of Herder commanding

® Biggest Challenges - Currently have no means to track peer-to-peer botnet activity

» May look to current TURMOIL Fast Flux capabilities for ideas - Encrypted bots defeat most attempts at tracking and reporting

» Possible candidate for TURMOIL Re-Injection flow


8

TOP SECRET//COMINT//REL TO USA, FVEY fviissiOM

(TS//SI//REL) Current Implementation

FSPF forwards packets to AEG's based on tasking f rom each coi .ït£Çaçç Packet F ¡Iter

TURMOIL

BotDiscoverySeg

RC4Aeg RC4Seg RC4Aeg RC4Seg

HIDDENSALAMANDER Components

rvussiSrvj CAPABILIT] ES

Attack Events:

MARINA

ma

\ \ Enriched \ \ M e t a d a t a :

\ 1 RONIN \ \

\

1 CYBERCLOUD

ET

CIDR Block/SID Filter

Low Latency lerts:

NETEZZA T ï ^ r Q I Turnabout Query interface

Existing Components

] External Systems

(S//REL FVEY) TOP SECRET//COMINT//REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY fviissiOM IVllSSlg lM C /XF'A.Btl fTq E5

(TS//SI//REL) The Components

O BotDiscoveryAeg - Not A Snort based Application. - Ingests translated Snort signatures and tasks the FSPF. - Emulates Snort behavior as closely as possible.

0 RC4Aeg/RC4Seg - Highly specialized components aimed at detecting RC4 Encrypted Zeus activity

O MariposaAeg (Currently in development) - Highly specialized - detects and decodes a particular encoding.

Q BotDiscoverySeg - De-dups on SID/5 Tuple for Tipping and MARINA. - De-dups on SID/IP/Port for BotAnalyticSeg.

O BotAnalyticSeg - Summarizes Event Metadata from BotDiscoverySeg. - Provides metadata to RON IN.

0 CIDR Block/SID Filter - Filters Tip Events based on IP information OR SID.

O cwbBot - Translates Tip messages to adhere to TRAFFICTHIEF schemas.

TOP SECRET//COMINT//REL TO USA, FVEY

SECRET//REL TO USA, FVEY m i s s i o n ( ARABII—IT, E5

(S//REL) Current Dataflow

Hjrnabout Query Interface

DB/WEB GM PLACE

ingest

normalize

aggregate

write

CLO UD SECRET//REL TO

ASDF ummarized

TOP SECRET//COMINT//REL TO USA, FVEY m i s s i o n CAPABII l"T| E5

(TS//SI//REL) Prototype View - POUNDSAND

POUNDSAND Prototype Incubator

Quer ies

W e l c o m e BotNet Family *

CITY FAMILY ROLE üo i r ie t r a n i m e s ADDRESS COUNTRY CITY FAMILY ROLE

F a m i l i e s " LT VILNIUS Donbo t Control Channe l l j • onbot IQ A S S U L A Y M A N m • o n b o t Control Channe l

R U MOSCOW • o n b o t Control Channe l u T ime Frame

LY TRIPOLI Donbo t Control Channe l V

Country Bots Targets Details Detection Address »

ADDRESS COUNTRY CITY FAMILY ROLE

LB BEIRUT Donbo t Bot A

LB BEIRUT Donbo t Bot

TM ASHGABAT Donbo t Bot

r "i LB BEIRUT Donbo t Bot 1

Submi t LB BEIRUT Donbo t Bot

IQ AS SU LAYMANM Donbo t Bot 1 IQ BAGHDAD Donbo t Bot

1 NL AMSTERDAM Donbo t Bot

TM ASHGABAT Donbo t Bot V 'i


1 2

TOP SECRET//COMINT//REL TO USA, FVEY f v i i s s iOM CAPABILITi ES

(TS//SI//REL) HIDDENSALAMANDER Outputs

Turnabout Query Interface t l™ tmLMli

Jfllfc li'i: i • • jj- C-JJ Ixa suor uwi i»t.«*s.10JSXftVtMJ7B_&««( Ml&lMÎ IT i**TtS3S?S EAfilMf-T1 bfiW«3fîXPAH37B bu«

Date SID Signature

vnnr USJ-TÎÎ WHS %UVB»a L£j-Jii UHE ftAWSCtlT UÎJ-K& UH£

H. S»: itnmtiM^ St î£ MVi I H 1 I W U 4 tB E£l.SS\-i tJfurfMt- H

Src IP Dest IP

i"TjMVOL 5flV1l«.lîlîlMM0 rus IRHOL seviitiîisiww I U«SJ TtfcJOl SSYlIiltltlMM Ai6iiftti-6tii-n*flslSeti.Ttiefl6lS3el

CASN

Who?

A

What?

What else can we tell today?

ROLE of the IPs involved: Is it a Bot Controller? Bot Victim? Target?

Whofest^e Target of this activity? (for certain botnets)

Who has troe Bot Controller been commanding (over time)? \ POUNDSAND

What botnet families are active in this region? How active? ^ ^ ^ ^ ^ ^ ^ ^ ^

What will we tell tomorrow?

What "Attack" commands are active that we could use to exploit?

What type of botnet activity is seen in this region? For this bot family? - (e.g. Increased "Infections" in US, or, most Bad Bot activity is "Reconnaisance")

What actual [server, filename, command, IP, url] did they send/grab/connect to?

v. V ,-q


SECRET//REL TO USA, FVEY IN/1Í i D N CAPABILIT] E5

(S//REL) Current Model for Metadata Enrichment Optional Payload Details

Stage Name Stage Instance Optional Attribute Optional Attribute Configuration •splay/Adjust Bot Name

Redirect Traffic Flush DNS Mode Change Connect to Server Server IP Unknown

Infection/Exploit Update Server IP Web Address Download Server 1P Web Address

Reconnaissance DNS IP/Host Resolve A Record (multi pie) •splay Network 1 nformation • spi ay Syste m 1 nf ormati o n Network Scan Enable Network Scan Di sable Harvest

C&C Communication Disconnect Server IP Connect Server IP Login LogOut Current Bot Status Remove Bot Terminate Bot

Attack Execute File DDOS Type (Syn, Http.. ) Target IP Open File File Name Repeat Excecute Command Command Execute Command Command

Need] ycra"

14


SECRET//REL TO USA, FVEY missiQNXJ CAPABILIT] ES

(S//REL) "Categorizing" Existing Signatures

® Most popular bot signature analyst repositories: - BLUESMOKE: Snort Rules - XKEYSCORE: Fingerprints

® Requires author to add extra detail to the existing signature

® Requires front end tools to add extra fields to their GUIs for analyst input - Suggested that the Lifecycle Stage Group and Stage

Instance be required for submission for botnet signatures - Other attributes may be optional for submission

SECRET//REL TO USA, FVEY rvìi i D N

CAPABILIT] ES

(S//REL) Bot Characterization Proposed Flow

[HIDDEN SALAMANDER]

CYBERCLOUD

Signatures Translated Tasked hyTURMOII HS

Analysts will develop signatures and include required metadata for submission

Metadata Produced and Consumed

TURMOIL HS will generate bot protocol tasking and accept tasking from repositories.

Map-Reduced Job Res jits Avai lable , /

Analyst Search Results, Available

CYBERCLOUD produces analytic results from all incoming data sources. RONIN provides immediate hardware characterization info.

GoGadget displays analytic results from CYBERCLOUD and detailed metadata for the analyst


U//FOUO

Q u e s t i o n s ? ? ?

TOP SECRET//COMINT//REL TO USA, FVEY rvii iDN

Example CAPABILITiE5

O Command Found: 20;3000;10;0;0;30;300;20;20;2000;3000#flood http #1#xK3 2893BC90

O How alert describes it: IP SRC/DEST: 1.1.1.1/2.2.2.2 PORT TO/FROM: 234/123 SIGAD/CASN: SID: 12345 SIGNATURE NAME: BEB:BlackEnergy_DDoS_X_of^ TIME: 00:00:00

O How summary describes it today: IP SRC 1.1.1.1 PORT: 123 [ROLE: C2] IP DEST a.a.a.a PORT: 234 [ROLE: BOT]

b.b.b.b .. z.z.z.z ...

SIGAD/CASN: SID: 12345 SIGNATURE NAME: BEB:BlackEnergy_DDoS_X_of_Y TIME: 00:00:00 - 00:00:10 FAMILY: BEB Total Events: 51

for each instance

1 8

TOP SECRET//COMINT/ /REL TO USA, FVEY

TOP SECRET//COMINT//REL TO USA, FVEY rvii iDN

Example rvussiSrvj

CAPABILIT] ES

O Command Found: 20;3000;10;0;0;30;300;20;20;2000;3000#flood http| t1#xK3 2893BC90

© How Summary describes it (tomorrow): IP SRC 1.1.1.1 PORT: 123 [ROLE: C2] IP DEST a.a.a.a PORT: 234 [ROLE: BOT]

b.b.b.b .. z.z.z.z ...

SIGAD/CASN: SID: 12345 SIGNATURE NAME: BEB:BlackEnergy_DDoS_X_of_Y FAMILY: BEB TIME: 00:00:00 - 00:00:10 Total Events: 51 CONFIGURATION / BOTID: xK3 2893BC90

fACK / DDQS / COMMAND: 20;3000;10;0;0;30;300;20;20;2000;3000#flood http j#1#xK3 2893B>C90

19


TOP SECRET//COMINT//REL TO USA, FVEY m i s s i o n [ /XRABII—IXq E5

Example #2

O Command Found: JOIN :#marCh2#<crlf>:TESTING1 .Virus.HERE 332 virus-squadlr #marCh2# :!NAZELmarCh2

h t tp : / / ^ ^^^^^H/page / f i l e . j peg aFile.exe 1<crlf>

How alert describes it: We don't want alert! It's insignificant for defensive activity!

O How summary describes it today: IP SRC 1.1.1.1 PORT: 123 [ROLE: C2] IP DEST a.a.a.a PORT: 234 [ROLE: BOT]

b.b.b.b .. z.z.z.z ...

SIGAD/CASN: SID: unknown!!! SIGNATURE NAME: botnet/quantumbot/possible_download1 (XKS Fingerprint-derived) TIME: 00:00:00 - 00:00:10 FAMILY: IRC_GEN Total Events: 3

20


TOP SECRET//COMINT//REL TO USA, FVEY rvii i D N CAPABILITi ES

Example

O Command Found: JOIN :#marCh2#<crlf>:TESTING1 .Virus.HERE 332 virus-squadlr #marCh2# :!NAZELmarCh2

h t t p : / ^ ^ ^ ^ ^ ^ ^ ^ p a g e / f i l e . j p e g aFile.exe 1<crlf>

O How Summary describes it (tomorrow): IP SRC 1.1.1.1 PORT: 123 [ROLE: C2] IP DEST a.a.a.a PORT: 234 [ROLE: BOT]

b.b.b.b .. z.z.z.z ...

SIGAD/CASN: SID: unknown!!! SIGNATURE NAME: botnet/quantumbot/possible_download1 (XKS Fingerprint-derived) FAMILY: IRC_GEN TIME: 00:00:00 - 00:00:10 Total Events: 3 CONFIGURATION / BOTID /NICKNAME: virus-squadlr C&C COMMS / CONNECT / CHANNEL: #marCh2# C&C COMMS / CONNECT / SERVER: TESTING1.Virus.HERE

K M T UPDATE / C i N i ^ e r o !NAZELmarCh2 aFile.exe 1

21


HIDDENSALAMANDER - Electronic Frontier Foundation · HIDDENSALAMANDER Alerting and ... - Earl...

Documents

Transcript of HIDDENSALAMANDER - Electronic Frontier Foundation · HIDDENSALAMANDER Alerting and ... - Earl...