Hiding a Giant: Botnet analysis. Emerging trends in malware infection and locking down botnets.

Transcript of the slide deck.

Page 1: Hiding a Giant: Botnet analysis. Emerging trends in malware infection ...conference.hitb.org/hitbsecconf2010dxb/materials/D1 - Dino Covotsos... · Botnet analysis. Emerging trends



One of the many reasons to work at Telspace Systems.

[email protected]


Content

This presentation provides an insight into the inner workings of a next-generation botnet. We will examine why botnets exist, what kind of power they give to botmasters, how they have evolved and why they are so hard to take down.

We will show how DNS is used to evade C&C takedown. In addition, we will analyse how mobile devices can be used in botnets, including an analysis of the recent iPhone botnet and the more malicious worms that followed.


Who are we?

A leading Information Security Company – South Africa

Operating since 2002

Giving back to the open source community – responsible reporting and disclosure (latest advisories)

Speak at local (.za) and international conferences, such as Hack in the Box, SecTor and many others

Provide worldwide training courses on high level topics – such as Hacking Wireless and Bluetooth 101 done here in Dubai.


Terminology.

Botnet – a network of infected machines controlled by a central entity.

Bots – machines infected by malicious software and part of that network. Often referred to as "zombies".

Bot master – the entity in control of the network of zombies. Sends all commands to the bots via the C&C.

Command and control channels (C&Cs) – used to send commands to the infected machines; the responses include status updates.

• Commands and bot replies used to be sent most commonly over IRC, although now they are more often sent over HTTP(S) or peer-to-peer.


Centralized Botnet

Centralised botnet with a single C&C channel (diagram).


Why so serious?

• DDoS
• Further distribution of malware
• Extortion
• Identity theft
• Spam
• Phishing
• Warez hosting
• Click fraud (denial of revenue)


Servers all over the world are targets. (Shadowserver Foundation map)


Infection in Africa. (Team Cymru map)


Known Infections - February 2010

• Egypt – 42000
• Algeria – 20000
• Nigeria – 11000
• Morocco – 8000
• South Africa – 4000


Malware Evolution

Hacked web servers have always played a role; they are now becoming more prevalent as a way of spreading malware.

June 2009: newer attacks on browsers identified.

Focus on client-side attacks to propagate.


Malware Evolution

Embedding hidden iframes into hacked web sites (a number of South African sites), pointing to hacked servers hosting malicious content.

These iframes point to the drive-by download server.

• Seen in Torpig and Mebroot attacks.


Malware Evolution

The domains registered for the hacked servers change every day to prevent static domain blocking.

A large number of .cn domain registrations was noticed, as well as free third-level domains hosted by free dynamic DNS providers.

The iframe is called on port 8080. Requests are made to a CGI file, with a parameter called Income followed by two numbers.
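The two slides above give a defender enough to write a first-pass detector for injected redirectors: an iframe that is hidden (CSS or 1x1 size), or whose target shows the traits the deck describes (port 8080, a CGI path, an Income=<digits> parameter). The following Python is an added example, not code from the slides or from Telspace; the sample HTML, host names and the "two indicators or hidden" decision rule are constructed for illustration.

```python
"""Added example (not from the slides): flag hidden iframes and iframes whose target
looks like the drive-by redirector the deck describes. Sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Hidden by CSS, or sized so small it cannot be seen (1x1 or 0x0)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "100").rstrip("px"))
        height = int(attrs.get("height", "100").rstrip("px"))
    except ValueError:  # e.g. "100%": not a numeric size, treat as visible
        return False
    return width <= 1 or height <= 1


def _src_indicators(src):
    """URL indicators taken from the deck's description of the redirector."""
    reasons = []
    parts = urlsplit(src)
    try:
        port = parts.port
    except ValueError:  # malformed port, nothing to conclude from it
        port = None
    if port == 8080:
        reasons.append("port 8080")
    path = parts.path.lower()
    if path.endswith(".cgi") or "/cgi-bin/" in path:
        reasons.append("cgi path")
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    if "income" in query and all(v.isdigit() for v in query["income"]):
        reasons.append("income=<digits> parameter")
    return reasons


def find_suspicious_iframes(html):
    """Return [(src, reasons)] for iframes that are hidden or match at least two
    URL indicators; one indicator alone (e.g. a legitimate 8080 app) is ignored."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = _src_indicators(src)
        if _is_hidden(attrs):
            reasons.insert(0, "hidden")
        if "hidden" in reasons or len(reasons) >= 2:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one ordinary embed, one injected hidden redirector,
# one visible iframe on port 8080 with no other indicator (should not be flagged).
SAMPLE_HTML = """
<html><body>
<iframe width="560" height="315" src="https://video.example/embed/abc"></iframe>
<p>Welcome to our site</p>
<iframe src="http://redirector.example:8080/cgi-bin/in.cgi?Income=42"
        width="1" height="1" style="visibility: hidden"></iframe>
<iframe width="400" height="300" src="http://intranet.example:8080/app/"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML):
        print(src, "->", ", ".join(reasons))
```

Run it over a crawl of your own sites: the hidden 1x1 iframe is flagged on its own, while a visible iframe that merely uses port 8080 needs a second indicator before it is reported, which keeps the noise from internal web apps down.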


Malware Evolution

Drive-by servers then check which browser is visiting and which plugins are enabled, and quietly run the matching exploit in the background (Flash or PDF).

Seen with Adobe exploits, as PDFs can be opened without notification in browsers.

Attack seen against CVE-2008-2992: "Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument".


Malware Evolution

As new patches and vulnerabilities are released, new exploits are run against the browsers.


Malware Evolution

Worms are becoming "smarter": a single worm is able to use a number of attack vectors.

Worms propagating the infection will look for unpatched vulnerabilities, unsecured file shares and weak passwords.

• This can be seen in Conficker, a recent and prolific worm.


Fighting the botnets

The first objective is taking the command and control centre down.

Attackers know this and have come up with ways to keep the C&Cs on the move.

Something recent is the use of a domain name generation algorithm stored within the zombie's code.


Fighting the botnets

No longer relying on a single set of domains to control the botnet.

Why command and control centres are vulnerable to takedown:

• Static IPs are used; people block them or remove the host.
• DNS names are quickly blacklisted.
• Single command centres allow quick takedown.


Fighting the botnets – DNS Flux

➢ Using domain generation algorithms allows attackers to have the zombies generate the domain name of the C&C at a specific time.

➢ This is done using system variables such as the system time and date. These are combined, and all zombies will point to the same domain name. Seen in Conficker.

Different domain name generation algorithms:

• Weekly domain name
• Daily domain name


Fighting the botnets

Switches between top-level domains.

• The zombie will try from .com to .biz until a domain responds correctly.

The botmaster will register the domains a couple of weeks in advance.

To provide redundancy:
• First attempts are made to 3 weekly domain names. If no responses are found from those servers, the bots fall back to the daily domain requests.


Fighting the botnets

What is done by the people fighting the botnets?

Go for the C&C.

• Place a vulnerable machine on the net.
• Once it is infected, monitor the calls made by the infected machine (protocol, controls).
• Reverse engineer the DGA.
• Register the domains of future C&Cs to point to their own server.
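To make the DNS-flux slides and the "reverse engineer the DGA, then register the future domains" step concrete, here is an added Python example (not code from the slides, from Telspace, or from any real bot family, and explicitly not Conficker's algorithm). It models the structure the deck describes: three weekly names derived from the date are tried first, a daily name is the fallback, and each name is rotated across a list of TLDs. The seed, the hashing and the TLD order are constructed; `find_cnc` simulates the bot's lookups against a set standing in for DNS answers, and `sinkhole_plan` is the defender-side precomputation of every name the bots could use in a window.

```python
"""Added example: toy time-seeded DGA with weekly/daily names and TLD rotation,
plus the defender's sinkhole registration list. Not any real bot's algorithm."""
import hashlib
from datetime import date, timedelta

TLDS = ["com", "biz", "net", "info"]     # constructed rotation order
FAMILY_SEED = b"example-family-seed"     # constructed; a real bot hardcodes its own
WEEKLY_NAMES = 3                         # "first attempts are made to 3 weekly domain names"


def _label(seed_text, length=12):
    """Deterministic letters-only label from a seed string (sha256 mapped to a-z)."""
    digest = hashlib.sha256(FAMILY_SEED + seed_text.encode()).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])


def candidate_domains(day):
    """Ordered list a bot would try on `day`: weekly labels (derived from the ISO
    week, so identical all week) first, then the daily label, each across TLDS."""
    year, week, _ = day.isocalendar()
    labels = [_label(f"W{year}-{week}-{i}") for i in range(WEEKLY_NAMES)]
    labels.append(_label(f"D{day.isoformat()}"))
    return [f"{label}.{tld}" for label in labels for tld in TLDS]


def find_cnc(day, live_domains):
    """Bot-side lookup simulated offline: `live_domains` stands in for DNS answers.
    Weekly names win; the daily name is the redundancy fallback."""
    for domain in candidate_domains(day):
        if domain in live_domains:
            return domain
    return None


def sinkhole_plan(start, days):
    """Defender side: every name the bots can use from `start` for `days` days,
    in first-tried order, i.e. the registration list after reversing the DGA."""
    plan = []
    seen = set()
    for offset in range(days):
        for domain in candidate_domains(start + timedelta(days=offset)):
            if domain not in seen:
                seen.add(domain)
                plan.append(domain)
    return plan


if __name__ == "__main__":
    today = date(2010, 2, 1)  # constructed date, a Monday
    print("bot tries today:", candidate_domains(today)[:4], "...")
    print("defender registers this week:", len(sinkhole_plan(today, 7)), "names")
```

Two points the code makes visible: the weekly names are the valuable ones to register because one registration covers seven days of lookups, and the order of `candidate_domains` is what decides who wins a race between a sinkhole and a botmaster-registered name, which is exactly why the deck's next slides describe the botmaster pushing a new binary with a new algorithm.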


Fighting the botnets

Done by UCSB on the Torpig and Mebroot botnets.

http://www.cs.ucsb.edu/~seclab/projects/torpig/

Within their 10 days of having control:

• Over 8GB of Apache logs.
• Over 69GB of pcap data.


Botmasters fight back.

Once a botmaster sees that his C&C has been taken over, the race is on to get it back.

Once they know where the new C&C domain is pointing, the DDoS begins.

Botmasters will perform DDoS attacks against the server now acting as the new C&C.

He then checks for the next available domain; this will be the next first-level domain or a domain generated by the daily domain algorithm.


Botmasters fight back.

From here the compromised C&C will not be able to respond, and the bots will fall back to the next domain.

Once the bots are all connected to the botmaster's C&C, he can upload a new binary with new algorithms.

This leaves the algorithm the defenders cracked useless to them.


Botmasters fight back.

Members of the FireEye security team coordinated an attack on the Mega-D botnet (also known as Ozdok).

Once the C&C was taken over spam coming from Mega-D stopped almost instantly.

The same takeover methods were used against Torpig and Mebroot.


New Generation botnets.

Mobile devices – Why?

New attack vectors.

Not restricted to an infected computer on a network.

Mobility allows for broader attack spectrum.

• Used on the move, finding devices looking to connect to wireless networks (802.11).
• A large number of wireless attacks can be used.

Other vectors for stealing information:

• SMS
• Phone calls
• Phone books

More methods of spreading – phone applications.


New Generation botnets.

The first proof-of-concept iPhone worm was released in October 2009.

Called the Ikee worm.

Attacked jailbroken iPhones that used the default SSH password 'alpine'.

Within a very short time a large number of phones had become infected.

Nothing malicious was performed; it changed the user's background picture to the Internet meme Rick Astley.


Never gonna give you up.


Newer iPhone attacks.

Shortly after the Ikee worm, a malicious worm was released.

Aimed at stealing sensitive information.

Attacks jailbroken iPhone and iPod Touch devices only.

Like PC botnets, it also makes use of a command and control channel (92.61.38.16), the first seen of this sort. Although no fluxing techniques were used, we can definitely expect to see this in future-generation botnets.


Newer iPhone attacks.

The worm spreads faster on a Wi-Fi connection than on a 3G connection.

Two start-up scripts:

• One runs the worm on boot-up.
• One creates a connection to a remote server (Lithuanian), then uploads the stolen information, sent over HTTP.

mTANs – SMSs used by banks for authentication, containing confidential information. The worm searches for these.
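The behaviour on these two slides (a fixed C&C address, plus a start-up script that repeatedly uploads stolen data over HTTP) is what a network defender can look for in perimeter logs. The Python below is an added example, not from the slides or from Telspace: it parses constructed key=value firewall log lines and raises two kinds of alert, contact with a known C&C address (92.61.38.16 is the address the deck cites; everything else, including the log format, internal hosts and thresholds, is constructed) and repeated HTTP uploads from one internal host to one external server.

```python
"""Added example (not from the slides): two detections over constructed outbound
connection logs: known C&C contact, and repeated HTTP uploads to one external host."""
import re
from collections import defaultdict

KNOWN_CNC = {"92.61.38.16"}   # the address the deck cites; extend from your own feeds

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes_out=(?P<bytes_out>\d+)$"
)

# Constructed sample log in a key=value perimeter-firewall style.
SAMPLE_LOG = """\
2009-11-22T10:01:03 src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp bytes_out=812
2009-11-22T10:01:09 src=10.0.0.5 dst=92.61.38.16 dport=80 proto=tcp bytes_out=5120
2009-11-22T10:06:11 src=10.0.0.5 dst=92.61.38.16 dport=80 proto=tcp bytes_out=4870
2009-11-22T10:11:04 src=10.0.0.5 dst=92.61.38.16 dport=80 proto=tcp bytes_out=5003
2009-11-22T10:02:30 src=10.0.0.9 dst=203.0.113.7 dport=80 proto=tcp bytes_out=3000
2009-11-22T10:07:32 src=10.0.0.9 dst=203.0.113.7 dport=80 proto=tcp bytes_out=3100
2009-11-22T10:12:35 src=10.0.0.9 dst=203.0.113.7 dport=80 proto=tcp bytes_out=2950
2009-11-22T10:03:00 src=10.0.0.12 dst=10.0.0.1 dport=53 proto=udp bytes_out=60
"""


def _is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16, so internal traffic is ignored."""
    a, b, *_ = (int(x) for x in ip.split("."))
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    rows = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            row = match.groupdict()
            row["dport"] = int(row["dport"])
            row["bytes_out"] = int(row["bytes_out"])
            rows.append(row)
    return rows


def detect(rows, min_repeats=3, min_bytes=1000):
    """Return sorted unique (src, dst, reason) alerts.

    Reason 1: any contact with an address in KNOWN_CNC.
    Reason 2: at least `min_repeats` HTTP connections from one internal host to
    one external host, each sending `min_bytes` or more (a periodic uploader)."""
    alerts = set()
    uploads = defaultdict(int)
    for row in rows:
        if row["dst"] in KNOWN_CNC:
            alerts.add((row["src"], row["dst"], "contact with known C&C address"))
        if (not _is_rfc1918(row["dst"]) and row["dport"] in (80, 8080)
                and row["bytes_out"] >= min_bytes):
            uploads[(row["src"], row["dst"])] += 1
    for (src, dst), count in uploads.items():
        if count >= min_repeats:
            alerts.add((src, dst, f"{count} repeated HTTP uploads"))
    return sorted(alerts)


if __name__ == "__main__":
    for src, dst, reason in detect(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: {reason}")
```

The second rule is the one that keeps working after the botmaster moves the C&C: it keys on the upload pattern rather than the address, so a host like 10.0.0.9 in the sample, which talks to an address nobody has listed yet, is still surfaced for a look.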


IBotnet

As mentioned earlier, these devices are vulnerable to new attack methods.

This has been demonstrated by TippingPoint's Digital Vaccine Group, in a project named IBotnet.

Targets iPhone and Android smartphone users.

Poses as an innocuous weather application called WeatherFist.

Distributed via third-party app markets like Cydia.


IBotnet

Before they went public with their findings, they had compromised around 8,000 devices.

The botnet was not malicious, but it shows how trusting people are of the applications they install.

It demonstrated how quickly a large number of devices can become infected.


In Closing - IBotnet

What can we expect to see in the future?

• More structured botnets.

• Obfuscation of C&Cs, as we have seen with Mega-D.

• Used for more than stealing information: malicious activities that include spam and other attacks.

• Faster spreading worms with more attack vectors.


Thanks to:

Dhillon Kannabhiran and the Hack in the Box team.

Team Cymru.

unmaskparasites.com

A special thanks to Charlton Smith and the Telspace Systems Research Team.


Follow us on.....

Our Facebook group – “Telspace Systems”

Our Blog - http://0mghax.blogspot.com

http://www.telspace.co.za


Q&A