S.S.Sarma, CISSP, CEH - 123seminarsonly.com · 2012-04-17 · S.S.Sarma, CISSP, CEH 1 CERT-In...
Challenges posed by Botnets
S.S.Sarma, CISSP, CEH
CERT-In, Department of Information Technology, Government of India
Objective
• Understanding Bots, Botnets
• Activities of Botnets and Impact
• Presence of Bots and Botnets in India
• Mitigation of Botnet Attacks
Understanding Botnets
• Bot
– Derived from the word “Robot”. ‘Bot’ is a generic term for an automated process
– Gets installed on a user's computer without their knowledge
– Bot-infected machines pass control of the machine to a remote attacker and act on the attacker's commands
– Popularly known as zombie machines
Understanding Botnets
• Botnet
– A network of compromised computers (infected with bots) that work as zombies
– Bot-infected machines open a backdoor and listen for commands issued by the attacker
– Media for controlling botnets
• IRC channel
• P2P
• Instant Messaging
• Web sites
Understanding Botnets
• Bot Herder
– Finds vulnerable systems
– Exploits the vulnerable systems
– Installs the bot program
– The infected machine then becomes one of many zombies in a botnet and responds to commands given by the bot herder
• Command & Control
– The exercise of authority and direction by the bot herder over the bots within the botnet to perform desired tasks
IRC Botnet
[Diagram of an IRC botnet (herder, IRC server, bots); figure not reproduced in the transcript]
Understanding Botnets - IRC
• IRC
– Internet Relay Chat (IRC) is a form of real-time Internet chat
– Designed for group (many-to-many) communication in discussion forums called channels
– Allows one-to-one communication and data transfers via private message
– IRC Networks
• EFnet, IRCnet, QuakeNet, Undernet
– IRC Clients
• mIRC, Bersirc, KVIrc, Trillian, Visual IRC, X-Chat
Understanding Botnets - IRC
• Channel
– The basic means of communication in an established IRC session
– Users join a channel with the command /join #channelname and send messages to it
– Controlled by a channel operator, who can restrict the usage of the channel (a bot herder uses this, together with a channel key and the Secret mode, to keep outsiders out of the C&C channel)
• Mode
– Users and channels have modes, such as Private, Secret, etc.
• Nick
– The nickname is the identifying name of the logged-in user
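An added example (not from the slides) of what the IRC concepts above look like on the wire and how a defender uses them: a parser for RFC 1459 protocol lines, and a heuristic that flags a channel as a likely C&C channel when many generated-looking nicks join it and its topic or messages look like bot commands. The sample traffic, the nick pattern, the command words and the thresholds are all constructed for the illustration and are not taken from any real bot.

```python
"""RFC 1459 line parser plus a C&C-channel heuristic.

Added example, not code from the slides. SAMPLE, the nick and command
patterns and the thresholds are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from typing import List, NamedTuple, Optional


class IrcMessage(NamedTuple):
    prefix: Optional[str]    # sender, e.g. "nick!user@host", without the leading ':'
    command: str             # JOIN, PRIVMSG, TOPIC or a numeric reply such as 332
    params: List[str]        # middle parameters
    trailing: Optional[str]  # text after the " :" separator, if any


def parse_irc_line(line: str) -> IrcMessage:
    """Split one protocol line of the form '[:prefix] COMMAND params [:trailing]'."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC line")
    return IrcMessage(prefix, parts[0].upper(), parts[1:], trailing if sep else None)


def nick_of(prefix: Optional[str]) -> Optional[str]:
    return prefix.split("!", 1)[0] if prefix else None


# Assumed heuristics: "dot" command words typical of bot C&C, and
# machine-generated nicks of the form <country>|<OS>|<digits>.
COMMAND_RE = re.compile(r"^[.!](ddos|syn|udp|scan|advscan|download|update|http)\b", re.I)
BOTNICK_RE = re.compile(r"^[A-Za-z]{0,4}[|\-_][A-Za-z0-9]{0,4}[|\-_]?\d{3,}$")


def score_channels(lines, min_joins=5, botlike_ratio=0.6):
    """Return per-channel counts and a 'suspicious' verdict."""
    stats = defaultdict(lambda: {"joins": set(), "botlike": set(), "commands": []})
    for raw in lines:
        if not raw.strip():
            continue
        msg = parse_irc_line(raw)
        if msg.command == "JOIN":
            # Servers send either "JOIN #chan" or "JOIN :#chan"
            chan = (msg.params[0] if msg.params else msg.trailing) or ""
            nick = nick_of(msg.prefix)
            if chan.startswith("#") and nick:
                stats[chan]["joins"].add(nick)
                if BOTNICK_RE.match(nick):
                    stats[chan]["botlike"].add(nick)
        elif msg.command in ("PRIVMSG", "TOPIC", "332"):
            # PRIVMSG/TOPIC carry the channel as the only parameter; the 332
            # topic reply carries "<nick> <channel>", so the last param is the channel
            chan = msg.params[-1] if msg.params else ""
            if chan.startswith("#") and COMMAND_RE.match(msg.trailing or ""):
                stats[chan]["commands"].append(msg.trailing)
    verdicts = {}
    for chan, s in stats.items():
        joins, botlike = len(s["joins"]), len(s["botlike"])
        verdicts[chan] = {
            "joins": joins,
            "botlike_nicks": botlike,
            "commands": len(s["commands"]),
            "suspicious": joins >= min_joins
            and botlike / joins >= botlike_ratio
            and bool(s["commands"]),
        }
    return verdicts


# Constructed sample traffic: one C&C-looking channel, one ordinary channel.
SAMPLE = [
    ":irc.example.net 332 IN|XP|48213 #ops :.advscan lsass 100 3 0 -r -s",
    ":IN|XP|48213!bot@10.0.0.5 JOIN :#ops",
    ":US|2K|90417!bot@10.0.0.6 JOIN :#ops",
    ":DE|XP|11502!bot@10.0.0.7 JOIN :#ops",
    ":BR|XP|77310!bot@10.0.0.8 JOIN :#ops",
    ":IN|XP|30933!bot@10.0.0.9 JOIN :#ops",
    ":herder!h@198.51.100.9 PRIVMSG #ops :.ddos.syn 203.0.113.10 80 600",
    ":alice!a@192.0.2.10 JOIN #linux",
    ":bob!b@192.0.2.11 JOIN #linux",
    ":alice!a@192.0.2.10 PRIVMSG #linux :anyone tried the new kernel?",
]

if __name__ == "__main__":
    for chan, v in score_channels(SAMPLE).items():
        print(chan, v)
```

The same parser works on lines captured from a sensor or an IRC server log; in practice the command and nick patterns would be tuned to the bot family under investigation, and the channel topic (reply 332) is worth special attention because many IRC bots execute the topic as their standing order on join.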
Understanding Botnets - P2P
• A computer network that uses diverse connectivity between the participants in the network
• Uses the cumulative bandwidth of the network participants
• The P2P overlay network consists of all the participating peers as network nodes
• Overlay networks permit routing messages to destinations not specified by an IP address, through “distributed hash tables” (DHTs)
• Examples
– Napster, KaZaA, Gnutella, eDonkey
P2P Botnets
• Decentralised C&C
– The bot herder only has to become one of the peers to broadcast his commands over the network
• Different (modular) functions
– SPAM Node
– DNS Node
– Proxy Node
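The two slides above describe P2P overlays and decentralised C&C in prose; the following added example (not from the slides) shows the mechanism in code. It is a toy Kademlia-style DHT with XOR distance, k-buckets and the iterative node lookup, in which the herder, acting as an ordinary peer, stores a command under a key and any bot retrieves it by key without ever learning the herder's address. The peer addresses, the key name, the 32-bit ID width and K=3 are assumptions for the illustration.

```python
"""Toy Kademlia-style DHT showing decentralised C&C.

Added example, not code from the slides.  IDs are 32-bit (Kademlia uses
160), K=3 contacts per bucket, and the peer addresses and key name are
constructed for the demonstration.
"""
import hashlib
import random

K = 3  # bucket size and replication factor (assumed)


def make_id(seed: str) -> int:
    """32-bit node or key ID from a string (peer address or command key)."""
    return int.from_bytes(hashlib.sha1(seed.encode()).digest()[:4], "big")


def bucket_index(a: int, b: int) -> int:
    """Highest differing bit of a and b: which k-bucket of a holds b."""
    return (a ^ b).bit_length() - 1


def closest(target: int, ids, k: int = K):
    return sorted(ids, key=lambda n: n ^ target)[:k]


class Peer:
    def __init__(self, nid: int):
        self.id = nid
        self.buckets = {}   # bucket index -> up to K contact IDs
        self.storage = {}   # key -> value replicated onto this peer

    def add_contact(self, other: int) -> None:
        if other == self.id:
            return
        bucket = self.buckets.setdefault(bucket_index(self.id, other), [])
        if other not in bucket and len(bucket) < K:
            bucket.append(other)

    def find_node(self, target: int):
        """What a peer answers to FIND_NODE: the K closest contacts it knows."""
        known = [c for b in self.buckets.values() for c in b] + [self.id]
        return closest(target, known)


class Overlay:
    def __init__(self, addresses, seed: int = 1):
        self.peers = {make_id(a): Peer(make_id(a)) for a in addresses}
        rng = random.Random(seed)
        for p in self.peers.values():
            others = [o for o in self.peers if o != p.id]
            rng.shuffle(others)          # each peer learns contacts in random order
            for o in others:
                p.add_contact(o)

    def lookup(self, start: int, target: int):
        """Iterative Kademlia lookup from peer `start`: query the closest
        unqueried contacts, merge what they return, stop when the K closest
        known IDs have all been queried."""
        shortlist = set(self.peers[start].find_node(target))
        queried = set()
        while True:
            pending = [n for n in closest(target, shortlist) if n not in queried]
            if not pending:
                return closest(target, shortlist)
            for n in pending:
                queried.add(n)
                shortlist.update(self.peers[n].find_node(target))

    def store(self, publisher: int, key: str, value: str):
        """STORE: replicate the value onto the K peers closest to hash(key)."""
        holders = self.lookup(publisher, make_id(key))
        for h in holders:
            self.peers[h].storage[key] = value
        return holders

    def find_value(self, requester: int, key: str):
        for h in self.lookup(requester, make_id(key)):
            if key in self.peers[h].storage:
                return self.peers[h].storage[key]
        return None


def demo():
    # 40 constructed bots; the herder is just one of them.
    overlay = Overlay(f"10.0.{i // 256}.{i % 256}:4000" for i in range(40))
    ids = list(overlay.peers)
    herder, bot = ids[0], ids[-1]
    key = "cmd/2007-05-01"   # bots agree on the key in advance, e.g. derived from the date
    holders = overlay.store(herder, key, "spam template v12")
    return overlay, key, holders, overlay.find_value(bot, key)


if __name__ == "__main__":
    overlay, key, holders, value = demo()
    print("stored on", [hex(h) for h in holders])
    print("bot retrieved:", value)
```

Because every non-empty bucket holds at least one contact, each query returns a node that halves the XOR distance to the key, so a lookup from any peer reaches the globally closest node; that is why the herder's STORE and the bot's FIND_VALUE meet on the same peers although neither knows the other. For a defender the consequence is the one the slides draw: there is no C&C server to block, and takedown means either poisoning the keys bots search for or enumerating peers by crawling the overlay.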
Botnets – Activities and Impact
• SPAM
• Phishing
• DDoS
• Spyware, Keyloggers
• Malware Propagation
Botnets – Activities and Impact
Spam and Phishing
• Spambot
– A program designed to collect e-mail addresses from the Internet in order to build mailing lists for sending spam. It crawls the web and gathers e-mail addresses from web sites, newsgroups, special-interest group (SIG) postings and chat-room conversations
– Example: Agobot
• SOCKS-enabled bots
– The herder's e-mail program sends mail using the bot as a relay
– If an anti-spam program blacklists the bot's IP address, the herder activates the SOCKS proxy on another bot, and his spam seems to originate from a new, clean IP address
• Phishing
– Phishing website hosting supported by botnets
– Provide dynamic / fast-flux DNS for reliable hosting of phishing websites
– Aid in spamming out the phishing e-mails
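The fast-flux hosting mentioned above has a recognisable DNS footprint: a phishing name answered with a short TTL and an ever-changing pool of bot addresses scattered across many networks. The following added example (not from the slides) scores a series of A-record lookups on those indicators. The answer sets are constructed, the /16 prefix count stands in for the ASN diversity a production detector would use, and the thresholds are assumptions.

```python
"""Fast-flux DNS heuristic over repeated A-record lookups.

Added example, not code from the slides.  The answer sets below are
constructed; the /16 prefix count stands in for the ASN diversity a
production detector would use, and the thresholds are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List


@dataclass
class Answer:
    ttl: int          # TTL of the A records in this response
    ips: List[str]    # A records returned


def prefix_of(ip: str, bits: int = 16) -> str:
    return str(ip_network(f"{ip}/{bits}", strict=False))


def flux_features(answers: List[Answer]) -> dict:
    """Summarise a series of lookups of one name."""
    all_ips = {ip for a in answers for ip in a.ips}
    changed = sum(1 for prev, cur in zip(answers, answers[1:]) if set(prev.ips) != set(cur.ips))
    return {
        "min_ttl": min(a.ttl for a in answers),
        "unique_ips": len(all_ips),
        "unique_prefixes": len({prefix_of(ip) for ip in all_ips}),
        "changed_answers": changed,
        "lookups": len(answers),
    }


def flux_score(answers: List[Answer]) -> int:
    """One point per fast-flux indicator: short TTL, many IPs, many networks,
    and a record set that keeps changing between lookups."""
    f = flux_features(answers)
    score = 0
    if f["min_ttl"] <= 300:
        score += 1
    if f["unique_ips"] >= 10:
        score += 1
    if f["unique_prefixes"] >= 5:
        score += 1
    if f["lookups"] > 1 and f["changed_answers"] >= (f["lookups"] - 1) / 2:
        score += 1
    return score


def is_fast_flux(answers: List[Answer], threshold: int = 3) -> bool:
    # A low TTL alone (common for CDNs) must not trigger; require 3 of 4 indicators
    return flux_score(answers) >= threshold


# Constructed lookups of a phishing host on a flux network: low TTL, a
# rotating pool of home-user addresses spread over many networks.
FLUX = [
    Answer(180, ["41.23.5.17", "79.118.200.3", "122.169.44.8", "189.23.7.201", "202.54.19.66"]),
    Answer(180, ["79.118.200.3", "24.113.8.9", "59.93.61.5", "189.23.7.201", "84.200.14.77"]),
    Answer(180, ["117.201.3.44", "190.17.22.90", "41.23.5.17", "59.93.61.5", "24.113.8.9"]),
    Answer(180, ["202.54.19.66", "84.200.14.77", "117.201.3.44", "122.169.44.8", "190.17.22.90"]),
]
# Constructed lookups of an ordinary site: long TTL, two stable addresses.
STABLE = [Answer(3600, ["198.51.100.10", "198.51.100.11"])] * 4
# Constructed CDN-like name: short TTL but a stable set inside one network.
CDN = [Answer(60, ["192.0.2.1", "192.0.2.2", "192.0.2.3"])] * 4

if __name__ == "__main__":
    for name, series in (("flux", FLUX), ("stable", STABLE), ("cdn", CDN)):
        print(name, flux_score(series), is_fast_flux(series), flux_features(series))
```

The CDN case is the important negative: content delivery networks also use short TTLs and several addresses, so a single indicator is not evidence. Real deployments replace the prefix count with ASN lookups and add reverse-DNS or dial-up address-range checks, since flux nodes are typically residential bots rather than hosting-provider servers.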
Botnets – Activities and Impact
Distributed Denial of Service attacks
• Flooding
– TCP SYN
– UDP
– ICMP
– HTTP GET
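The slide lists the flood types; the following added example (not from the slides) shows how a defender recognises the first of them, a TCP SYN flood, from flow records such as a NetFlow export: a destination that within a short window receives mostly half-open flows (SYN seen, ACK never seen) from a large number of distinct, typically spoofed, sources. The flow records are generated inside the script, and the window size and thresholds are assumed values.

```python
"""SYN-flood detection over per-flow records (NetFlow-style export).

Added example, not code from the slides.  The flow records are generated
here, not captured; window size and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    ts: float     # flow start time, seconds
    src: str
    dst: str
    dport: int
    flags: str    # cumulative TCP flags seen in the flow, e.g. "S", "SA", "SPA"


def half_open(f: Flow) -> bool:
    """A flow that carried a SYN but never an ACK never completed the handshake."""
    return "S" in f.flags and "A" not in f.flags


def detect_syn_flood(flows, window=10.0, min_flows=50, min_ratio=0.8, min_sources=20):
    """Return {dst: (half_open_flows, distinct_sources)} for every destination
    that, in some sliding window, saw mostly half-open flows from many sources."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    alerts = {}
    for dst, fl in by_dst.items():
        fl.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(fl)):
            while fl[end].ts - fl[start].ts > window:
                start += 1
            win = fl[start:end + 1]
            if len(win) < min_flows:
                continue
            ho = [f for f in win if half_open(f)]
            sources = {f.src for f in ho}
            if len(ho) / len(win) >= min_ratio and len(sources) >= min_sources:
                alerts[dst] = (len(ho), len(sources))
                break
    return alerts


def generate_flows(seed=7):
    """Constructed traffic: completed web flows to two servers, plus a
    spoofed SYN flood against one of them between t=12s and t=16s."""
    rng = random.Random(seed)
    flows = []
    for _ in range(60):                      # legitimate, completed handshakes
        flows.append(Flow(rng.uniform(0, 30), f"192.0.2.{rng.randint(1, 200)}",
                          rng.choice(["203.0.113.10", "203.0.113.20"]), 80, "SPA"))
    for _ in range(300):                     # flood: random spoofed sources, SYN only
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        flows.append(Flow(rng.uniform(12, 16), src, "203.0.113.10", 80, "S"))
    return flows


if __name__ == "__main__":
    print(detect_syn_flood(generate_flows()))
```

The ratio test matters more than the raw count: a busy server also sees many SYNs, but they complete; a flood from spoofed sources never does, which is also why the victim's backlog fills. The same window logic with a packet-rate threshold instead of the flag test covers the UDP and ICMP floods on the slide, while an HTTP GET flood has to be judged from request logs rather than flow flags, since every connection there completes normally.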
Botnets – Activities and Impact
Recent DDoS attacks
• Attacks on websites of Estonia
– 27th April - 15th May, 2007
– ICMP and TCP SYN floods
– Up to 100 Mbps of traffic for 10 hours
• DDoS on websites of Canada (August 2007)
– Due to spam by the Storm botnet
• Attacks on root DNS servers (February 2007)
• DDoS attack on the website of National Australia Bank (October 2006)
Botnets – Activities and Impact
• Spyware, Adware
– Installation of BHOs (Browser Helper Objects)
• Keyloggers
– Info stealers, CD keys
• Piracy, IP theft
• Malware Propagation
– Downloaders
– E-mails with malicious attachments
• Ransomware
– Encrypts the user's data and demands money
Types of Bots - Evolution
• GT bot (Global Threat) – 1998
• Agobot, Gaobot, Phatbot – 2002
• SDbot, Spybot – 2002
– Spread via NetBIOS, DCOM, UPnP, RPC
– Use backdoors created by Mydoom, Bagle
• Rbot – 2003
– Complex in structure, packs executables
• Mytob
– Convergence of a mass-mailing worm and SDbot
• Q8 Bots
– UNIX/Linux
• Perl-based bots
• P2P botnets
Botnet - Spamthru
– Surfaced in October 2006
– The network generally consists of one control server (running multiple peer-nets on different ports), several template servers, and around 500 peers per port
– Uses its own spam engine
– Downloads templates for sending spam messages from the remote control server
– The spam templates use a GIF file whose size is modified each time spam is sent; the templates are encrypted with AES
– An AES-based challenge-response authentication method is used to prevent third parties from downloading the templates from the template server
– Suspected to be involved in the DDoS attacks on Estonian websites
Botnet - Spamthru
[Diagram of the Spamthru network (control server, template servers, peers); figure not reproduced in the transcript. Source: Secureworks]
Botnet - Storm
– Surfaced in January 2007
– Also known as Zhelatin, Peacomm, Tibs
– Propagates through spam
– Sends various types of spam
– Hides on the machine with rootkit technology
– Adds malicious drivers such as wincom32.sys, spoolsv.sys
– VM aware
– Uses fast-flux DNS for hosting on named sites
– The binary has gone through many revisions
– P2P-based network of bots – eDonkey protocol
– Features of the P2P network have evolved with time
– Uses Kademlia, a distributed hash table, for decentralized peer-to-peer communication
– Growing in numbers - estimated at 50 million?
Bot infected systems tracked in India
[Chart: monthly count of bot-infected systems tracked in India, Jun-07 to Mar-08. Data labels visible in the extracted chart: 14835, 15160, 760, 4934, 1976, 1370, 1020, 1020, 2102, 1279; which month each label belongs to is not recoverable from the transcript]
C&C Servers controlling Bots in India
[Chart: monthly count of C&C servers (all locations) controlling bots in India, Jun-07 to Mar-08. Data labels visible in the extracted chart: 93, 138, 55, 57, 57, 48, 46, 45, 48, 70; which month each label belongs to is not recoverable from the transcript]
C&C Servers in India
[Chart: monthly count of C&C servers located in India, Jun-07 to Mar-08. Data labels visible in the extracted chart: 10, 19, 4, 4, 4, 4, 4, 2, 2, 2; which month each label belongs to is not recoverable from the transcript]
Botnet - Mitigation
• Enterprises
– Information security policies and procedures
– User awareness
• CERTs / CSIRTs
– Early warning
– Advise on malicious URLs and IP addresses
– Advise on attack trends and countermeasures
• ISPs
– Respond to botnet information received from the CERT
– Sensitize customers about bot infection
• Registrars
– Check malicious websites
– Verify registrant details
Botnet - Mitigation
• Vendors
– Anti-virus
– Perimeter security – IDS/IPS
– Secure OS and applications
• Law Enforcement
– Investigate botnet attacks and incidents
• Users
– Follow security best practices
References
• http://cert-in.org.in/virus/index.html
• http://tools.ietf.org/html/rfc1459
• http://www.secureworks.com/research/threats/spamthru/?threat=spamthru
• http://isc.sans.org/diary.html?storyid=3259
• http://asert.arbornetworks.com/2007/05/estonian-ddos-attacks-a-summary-to-date/
• www.wikipedia.org
• http://www.zdnet.com.au/news/security/
• http://www.honeynet.org/papers/kye.html
• Black Energy DDoS Bot Analysis - Jose Nazario, Arbor Networks
• Botnets – The Killer Web App, Schiller et al., Syngress Publishers
Thank You
www.cert-in.org.in