The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want...
Transcript of The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want...
![Page 1: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/1.jpg)
![Page 2: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/2.jpg)
The art of sinkholing
Tomasz Bukowski
CERT Polska / NASK
![Page 3: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/3.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
About
WHOIS
• Name:Tomasz Bukowski ([email protected])
• Works in CERT Polska/NASK
• 5 years in IRT
• Fight malware && monitor botnets
• Linux user and sysadadmin
• Programmer
• Member of Dragon Sector CTF team
![Page 4: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/4.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Introduction
![Page 5: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/5.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
So, you want fight botnets ?
Botnet lifecycle:
1. write/buy malware
2. write/buy exploit pack
3. buy/hack VPS/hosting for (1) and (2)
4. buy domain for (3)
5. spred malware using exploit pack
6. $ profit $
![Page 6: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/6.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
So, you want fight botnets ?
Life of security researcher:
1. monitor spam/social media/internets
2. see malware spreding using exploit pack
3. gather samples
4. monitoring / analysis / incubation
5. locate CnC domains
6. locate rest of infrastructure
7. << action required ! >>
![Page 7: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/7.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Fighting botnets ...
Malware domain takedown:
+ cut off botmaster from his flock of sheep
- devices still infected, no one get noticed
Malware domain takeover:
+ cut off botmaster from his flock of sheep
+ malware will keep talking to CnC
+ can gather and share infrmation on infections!
make cyberspace better place
![Page 8: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/8.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Sinkholing
![Page 9: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/9.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Sinkholing ?
Sinkholing – let me google it for you ...
Sinkholing is a technique that researchers use to redirect the
identification of the malicious command-and-control (C&C)
server to their own analysis server. This way, the malicious
traffic that comes from each client goes straight to the
research box, ready to be analyzed.source: the internet
![Page 10: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/10.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Sinkholing
Scope : global
•Take over CnC domain • Point to researcher box (directly or by nameserver)
• Doable
• Need to provide evidence
• Good will from domain operator (TLD)
•Take over CnC IP :•Hard to do - need persuade IP owner (ISP/Hosting)
•Take over CnC infrastructure (server)• Physicaly takeover
• Often can be done only by law enforcements
![Page 11: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/11.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Sinkholing
Scope : global
•Take over CnC domain • Point to researcher box (directly or by nameserver)
• Doable
• Need to provide evidence
• Good will from domain operator (TLD)
•Take over CnC IP :•Hard to do - need persuade IP owner (ISP/Hosting)
•Take over CnC infrastructure (server)• Physicaly takeover
• Often can be done only by law enforcements
a lo
t o
f le
gislatio
n p
ro
ble
ms
![Page 12: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/12.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Sinkholing
„Local” sinkholing (LAN) - redirect CnC traffic:• By DNS : local DNS redirection
• By destination IP: traffic redirection
• Provide usefull information on infected workstations• Especially when you run multi-layered big internal company network
sou
rce:
th
e in
tern
et
![Page 13: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/13.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Sinkholing
domena-1.tld sinkhole.cert.plIN A
IN CNAME
IN A
1.2.3.4
IN A
??
DNS perspective sinkholed
1
![Page 14: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/14.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Sinkholing
domena-1.tld sinkhole.cert.plIN A
IN CNAME
domena-1.tld sinkhole.cert.plIN NS
IN A
1.2.3.4
IN A
??
IN A
1.2.3.4
IN A
??
DNS perspective
sinkholed
sinkholed
2
1
![Page 15: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/15.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Sinkholing
domena-1.tld sinkhole.cert.plIN A
IN CNAME
domena-1.tld domena-2.tldIN NS
domena-1.tld sinkhole.cert.plIN NS
sinkhole.cert.plIN NS
IN A
IN A
1.2.3.4
IN A
??
IN A
1.2.3.4
IN A
1.2.3.4
IN A
??
IN A
??
DNS perspective
sinkholed
sinkholed
sinkholed
accidently sinkholed
2
1
3
![Page 16: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/16.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Sinkholing
„the goal”
• Allow malware to connect to your box
• Keep malware connected to your sinkhole as long as
possible
• Prevent malware from using alternative/bacup
communication channels
![Page 17: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/17.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC
![Page 18: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/18.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC Types
CnC
TCP
UDP
![Page 19: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/19.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC Types
CnC
TCP
UDP
DNS
other ...
![Page 20: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/20.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC Types
CnC
TCP
UDP
DNS
other ...TXT record
IP calculation
tunelling ?
p2p
![Page 21: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/21.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC Types
CnC
TCP
UDP
DNS
other ...
+SSL?
fancyencryption
FTW
p2p
![Page 22: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/22.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC Types
CnC
TCP
UDP
DNS
other ...
+SSL?HTTP
IRCfancyencryption
FTW
p2p
90+ % ?
![Page 23: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/23.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC Types
CnC
TCP
UDP
DNS
other ...
+SSL?HTTP
IRC
other ...
fancyencryption
FTW
p2p
![Page 24: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/24.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC Types
CnC
TCP
UDP
DNS
other ...
+SSL?HTTP
IRC
other ...
POST/GET paramsencrpted
response contentencryptedfancy
encryptionFTW
Hidden in „legit”content
Extra content(i.e. jpg file )
p2p
![Page 25: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/25.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC Types
CnC
TCP
UDP
DNS
other ...
+SSL?HTTP
IRC
other ...
POST/GET paramsencrpted
response contentencryptedfancy
encryptionFTW
Hidden in „legit”content
Extra content(i.e. jpg file )
<!-- ? -->
p2p
![Page 26: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/26.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CERT .PLstory (1)
![Page 27: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/27.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
end of 2012 – dorkbot
• Yet another malware using .pl domain as CnC• Yet did not have TLD sinkhole procedure (in progres)• Registrar decided to help (after abuse report)• Am... but we do not have sinkhole !?
![Page 28: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/28.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC – example: Dorkbot
IRC serverTCP SSL IRC
![Page 29: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/29.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
end of 2012 – dorkbot
-> Take this old unused server and do somethink(4 GB RAM, 2x 3.0 Ghz CPU, 160 GB HDD , decend 1U !)
-> We need TLS IRC ->Take charybdis irc server, remove 80 % functions
![Page 30: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/30.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
end of 2012 – dorkbot
begin of 2013 – virut
• Realy long-living malware still sitting on .pl domains
• TLD sinkhole procedure in progres• Promising results from sinkholing dorkbot • Decistion : we need to do this !
![Page 31: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/31.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
end of 2012 – dorkbot
begin of 2013 – virut
• We already got hadrware (+)• We need (a lot) more software
![Page 32: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/32.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC – example: Virut
IRC serverTCP ENCRYPTIRC
(crippled)
randomkey
Not working ?
IRC serverTCP IRC(crippled)
(expectations)
![Page 33: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/33.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC – example: Virut - reality
TCPPORT 80
ENCRYPT
IRC(crippled)
randomkey
HTTP
PLAIN
(GET|POST)_
NICK_
brute the key
else ?
traffic
(reality)
![Page 34: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/34.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
end of 2012 – dorkbot
begin of 2013 – virut
• Write python script peek first 5 bytes (decision: irc/http/crypted) keep TCP connection as long as possible
![Page 35: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/35.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
end of 2012 – dorkbot
begin of 2013 – virut
200 K connections in„established” state !?
![Page 36: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/36.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
Encountered problems: TCP timeouts
•close timeout = 10s
•close-wait timeout = 60s
•established timeout = 5 days
•fin-wait timeout = 120s
•last-ack timeout = 30s
•syn-received timeout = 60s
•syn-sent timeout = 120s
•time-wait timeout = 120s
srsly ! it is just waiting for RST
![Page 37: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/37.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
Encountered problems: software
(you know them when you hit the limit )
Somewhere in code you need to „select()” over opened file descriptors. It uses limited size bit-fields !
Hint: on Linux use poll !
![Page 38: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/38.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
Encountered problems: default OS limits
(you know them when you hit the limit )
• max opened file descriptors (each tcp connection=new FD)
can be easily fixed : ulimit –n 999999
• max entries in contract table
requires kernel param tweak, fixable
![Page 39: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/39.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
Conclusion (1)
Establishing TCP connection and
leaving it with default settins is bad idea !
Use SO_KEEPALIVE socet option
(obvious ?)
![Page 40: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/40.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
Conclusion (2)
SELECT()
POLL()
![Page 41: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/41.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
end of 2012 – dorkbot
begin of 2013 – virut
30K simultanious connections
![Page 42: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/42.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
end of 2012 – dorkbot
begin of 2013 – virut
spring 2013 – few ZueS domains
• Write python script that will understand HTTP and decode incoming zeus data ...
![Page 43: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/43.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC – example: ZeuS
POST /gate.php
key
CNC
RC4
visual-encrypt
binstorageextract
records
RC4
visual-encrypt
binstoragepack
records
TCP SSL HTTP
![Page 44: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/44.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
end of 2012 – dorkbot
begin of 2013 – virut
spring 2013 – few ZueS domains
summer 2013 – domainsilver takedown
• A LOT of various malware domains
•Write python scripts .... .... ?
![Page 45: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/45.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
Encountered problems:
we already got numerous different python scripts running different CnC
![Page 46: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/46.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Timeline
Conclusion (3)
Need decent sinkhole software
(obvious ?)
![Page 47: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/47.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CERT.PLsink-soft
![Page 48: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/48.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Requirements
•Build consistent framework for sinkholing
•Make event logging/sharing easy
•Identify common content processing functions
•Handle undret of TCP connections from
•Be as elastic as possible
•Implement any fancy encryption/encoding anywhere
Allow to sinkhole new malware with
lowest possible effort
![Page 49: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/49.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Design
Build your sinkhole out of blocks (modules)
POST /gate.php
key
CNC
RC4
visual-encrypt
binstorageextract
records
RC4
visual-encrypt
binstoragepack
records
TCP SSL HTTP
![Page 50: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/50.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
CnC Types
CnC
TCP
+SSL?HTTP
IRCfancyencryption
FTW
b64
gzip
RC4visual-
encryptXOR
AES....
rot13
POST/GET paramsencrypted
response contentencrypted
![Page 51: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/51.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Design
• Provide TCP conevtivity layer
• Use MQ – ZeroMQ (fast && simple)
• PUB-SUB messaging pattern
• Deployed as standalone package with lowest possible requirements (msgpack && zmq-python)
• Easy configuration (chose ip,port and modules chain)
• unpack & config & run
![Page 52: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/52.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Design
![Page 53: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/53.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Sink-softSinkholing > 200 active malware domains
![Page 54: The art of sinkholing - FIRST · The art of sinkholing :: Tomasz Bukowski :: June 2014 So, you want fight botnets ? Life of security researcher: 1. monitor spam/social media/internets](https://reader031.fdocuments.us/reader031/viewer/2022022104/5bcc27b309d3f2e1348d752d/html5/thumbnails/54.jpg)
The art of sinkholing :: Tomasz Bukowski :: June 2014
Sink-soft
demo :)