Webinar: Botnets - The clone army of cybercrime
Transcript of Webinar: Botnets - The clone army of cybercrime
1©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential.©2016. CYREN Ltd. All Rights Reserved©2016. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.
Botnets: The clone army of cybercrime
Avi Turiel, Geffen Tzur
Agenda
• Botnet 101
• Evolution
• What they do
• Setting up a botnet
• A day in the life
• Evading detection
• Ghost hosts
• Q3 Cyberthreat data
Botnet 101 – diagram labels:
Botmaster → C&C sends orders to bots → Bots carry out orders: Spam, DDoS, Malware, Click fraud → New bots recruited
Peer to Peer
Global C&C distribution
United States, 30.09%
Netherlands, 8.85%
Germany, 7.96%
Australia, 6.19%
Indonesia, 5.31%
Turkey, 5.31%
Brazil, 4.87%
France, 4.87%
Russian Federation, 4.42%
Canada, 2.65%
Others, 19.47%
“Distributed computing”
If malware communicates – is it a bot?
Ransomware C&C – Q3 2016
United States, 33.11%
Russian Federation, 14.29%
Ukraine, 8.40%
Netherlands, 7.23%
Germany, 6.89%
France, 6.22%
Portugal, 4.03%
Turkey, 1.51%
Czech Republic, 1.51%
Spain, 1.34%
Others, 15.46%
Evolution of botnets
What Botnets Do
• Malware distribution
• Distributed Denial-of-Service (DDoS) Attacks
• Spam and phishing emails
• Sniffing & Keyloggers
• Click-fraud
• Online Polls and Social Media Manipulation
• Ticketing
Bot hotspots
India, 30.69%
Iran, 10.43%
Vietnam, 8.37%
Pakistan, 6.89%
Mexico, 4.33%
China, 3.85%
Brazil, 3.04%
Algeria, 1.98%
Tunisia, 1.97%
Thailand, 1.90%
Others, 26.55%
Poll: Found a bot?
• Has a bot ever been detected in your organization?
  • Yes
  • Not that I am aware of
Setting up a botnet
• Basic botnet infrastructure can be set up in approximately 15 to 20 minutes
• Tailored systems more expensive, complex, less vulnerable
• Online vendors, tools, and even sponsors
• Botnet rental is an option
  • DDoS packages from $0.66/day to $34.99/month
Setting up a Zeus botnet - Server
• Zeus 2.0.9.15 Management Panel
• Linux server with an Apache Web server and other standard components
• Copy contents of zip file and -- Install --
Setting up a Zeus botnet - malware
• Set up config file
• Choose .jpg image
• Steganography used to encrypt configuration inside image
• Executable file is tailored to this botnet
Running Zeus botnet – control panel
• Next step is distribution…
Day in the life of a Necurs bot
• Necurs distributes spam and malware – most notably Locky ransomware
• Bot is 2-year-old malware detected as W32/Necurs.C.gen!Eldorado
• 10:05 – 10:08 am – A comfy working environment
  • Looks for virtual environments, debuggers, and other monitoring tools
  • Install, create services (syshost32)
  • Check language of host machine
  • Bypass firewall
• 10:08 – 10:19 am – Is anybody out there?
  • Test DNS resolution of facebook.com
  • Tries DGA with 4 domains
  • Tries qcmbartuop.bit 57 times
  • Tries DGA to 2076 domains
  • Tries hardcoded IP addresses
• 10:20 – 4:30 pm – Contact!, Receive mission data
  • Hardcoded IP address responds – C&C found
  • Bot sends encrypted updates about host
  • C&C sends bot encrypted updated malware, spam targets and messages
• 10:21 pm – 11:14 pm – Spam campaign
  • Attempts connection to Gmail and Yahoo servers
  • Eventually succeeds via Yahoo and Live (Hotmail) servers
• 10:47 am – Locky campaign
Hiding bot communications
• Tor network
  • Anonymous, encrypted
  • Latencies, slow-downs, and unreliability
• Domain Generation Algorithm (DGA)
  • Thousands of random names – only a few are actually responsive C&C
• IRC
  • 1st Generation botnet technology – now seeing reuse
• Legitimate services
  • Twitter, Pinterest, Dropbox, Pastebin, Imgur and Evernote
• Steganography
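The DGA bullet above, and the Necurs timeline earlier in the deck (a facebook.com resolution check, then thousands of generated names and one .bit name retried 57 times before a hardcoded IP answers), describe behaviour that a resolver log exposes: a burst of failed lookups for high-entropy names from one client. The Python below is an added example of that kind of behavioral log analysis from the defender's side; it is not code from the webinar or from CYREN. The log line layout, the client addresses, the toy consonant generator (used only to create sample names, not any real DGA), the .bit sample name and the thresholds are all assumptions.

```python
"""Spot DGA-style lookup bursts in DNS resolver logs (added example, not CYREN's code)."""
import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Assumed resolver log layout (constructed): "<epoch seconds> <client ip> <query name> <rcode>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; algorithmically generated labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(text: str) -> float:
    """Share of vowels among letters; human-chosen names tend to be pronounceable."""
    letters = [ch for ch in text if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def looks_generated(qname: str, min_len: int = 8, min_entropy: float = 3.0,
                    max_vowel_ratio: float = 0.35) -> bool:
    """Heuristic on the second-level label only; the thresholds are assumptions."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return (len(sld) >= min_len
            and shannon_entropy(sld) >= min_entropy
            and vowel_ratio(sld) <= max_vowel_ratio)


@dataclass
class ClientVerdict:
    client: str
    nx_generated_burst: int          # most failed generated-looking lookups inside one window
    distinct_failed: int             # distinct names that failed to resolve
    repeated_failures: dict = field(default_factory=dict)  # name -> count, for names retried
    suspicious: bool = False


def analyze(lines, window_s: int = 60, burst_threshold: int = 20):
    """Per-client verdicts: a burst of failed high-entropy lookups marks a client suspicious."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # tolerate lines in other formats
        ts, client, qname, rcode = m.groups()
        events[client].append((int(ts), qname.lower(), rcode))

    verdicts = {}
    for client, evs in events.items():
        evs.sort()
        failed = [(ts, q) for ts, q, rc in evs if rc != "NOERROR"]
        gen_times = [ts for ts, q in failed if looks_generated(q)]
        best, start = 0, 0
        for end in range(len(gen_times)):        # sliding window over sorted timestamps
            while gen_times[end] - gen_times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        failed_counts = Counter(q for _, q in failed)
        repeated = {q: c for q, c in failed_counts.items() if c > 1}
        verdicts[client] = ClientVerdict(client, best, len(failed_counts), repeated,
                                         best >= burst_threshold)
    return verdicts


def build_sample_log():
    """Constructed sample: one bot-like client (10.0.0.5) and one ordinary client (10.0.0.9)."""
    lines = ["1000 10.0.0.5 facebook.com NOERROR"]       # connectivity check, as in the timeline
    consonants = "bcdfghjklmnpqrstvwxz"                  # toy generator for sample names only
    for i in range(20):
        name = "".join(consonants[(7 * i + 3 * k) % 20] for k in range(12))
        lines.append(f"{1001 + i} 10.0.0.5 {name}.com NXDOMAIN")
    lines += [f"{1021 + j} 10.0.0.5 zxqvplmtrkbw.bit NXDOMAIN" for j in range(5)]  # one name retried
    lines += [
        "1000 10.0.0.9 www.example.com NOERROR",
        "1010 10.0.0.9 exmaple.invalid NXDOMAIN",          # an ordinary typo
        "1020 10.0.0.9 mail.example.org NOERROR",
    ]
    return lines


if __name__ == "__main__":
    for verdict in analyze(build_sample_log()).values():
        print(verdict)
```

The entropy and vowel heuristics alone misfire on legitimate names (CDN and cloud hostnames score high), which is why the verdict keys on failed answers clustered in time from a single client rather than on any one name; the repeated-failure list is the other signal from the timeline, one unresolvable name retried many times.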
Encrypted, complex protocols
Bot command:
0x01 = No operation, just contacting C&C server
0x02 = Execute payload via shellcode or [binary file]
0x03 = Retrieve system information (ex. Internal IP, Domain Name, Processes, etc.)
0x04 = Retrieve software installed
0x05 = Retrieve web browser history
0x64 = Execute shellcode
0xDC = Retrieve windows folder timestamp
Session ID
“Ghost Host”
1. Known malware accesses domain – so domain is blocked
2. Subsequent access to the “bad” IP address uses different HTTP Host headers – the “ghost hosts” – these are not blocked by many Web security solutions
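The ghost-host evasion above works because a domain- or URL-based filter never learns that the blocked domain and the new Host headers share one server. The Python below is an added example, not code from the webinar or from CYREN, of the pivot a defender can make from a blocked domain to the IP behind it, so that later requests to that IP under unknown Host headers are surfaced even when the filter let them through. The proxy log layout, the addresses (RFC 5737 documentation ranges), the .example names, the blocklist and the allowlist are all constructed.

```python
"""Ghost-host detection in web proxy logs (added example, not CYREN's code)."""
import re

# Assumed proxy log layout (constructed): "<epoch> <client> <destination ip> <Host header> <ALLOW|BLOCK>"
LINE_RE = re.compile(r"^(\d+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (ALLOW|BLOCK)$")


def parse(lines):
    """Yield (ts, client, dst_ip, host, action) for lines in the assumed layout."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, dst, host, action = m.groups()
            yield int(ts), client, dst, host.lower(), action


def find_ghost_hosts(lines, blocked_domains, allowlisted_hosts=()):
    """Pivot from blocked domains to the server IPs behind them, then flag later
    requests to those IPs that carry a Host header the blocklist does not know.

    Returns (bad_ips, findings): bad_ips maps IP -> first blocked domain seen on it;
    findings are the requests a domain-only filter would have let through."""
    blocked = {d.lower() for d in blocked_domains}
    allowed = {h.lower() for h in allowlisted_hosts}   # known shared-hosting / CDN names
    bad_ips = {}
    findings = []
    for ts, client, dst, host, action in sorted(parse(lines)):
        if host in blocked:
            bad_ips.setdefault(dst, host)  # learn the server the blocked domain resolves to
            continue
        if host in allowed or dst not in bad_ips:
            continue
        findings.append({"ts": ts, "client": client, "dst_ip": dst, "host": host,
                         "action": action, "via": bad_ips[dst]})
    return bad_ips, findings


def ghost_host_names(findings):
    """Distinct Host headers seen on servers behind blocked domains."""
    return sorted({f["host"] for f in findings})


# Constructed sample: RFC 5737 documentation addresses and reserved .example names.
SAMPLE_BLOCKLIST = ["cnc-first-seen.example"]
SAMPLE_ALLOWLIST = ["cdn-shared.example"]


def build_sample_log():
    return [
        "1000 10.0.0.5 203.0.113.7 cnc-first-seen.example BLOCK",   # the known-bad domain, blocked
        "1010 10.0.0.5 203.0.113.7 ghost-one.example ALLOW",        # same server, new Host header
        "1020 10.0.0.7 203.0.113.7 ghost-two.example ALLOW",        # a second client, another name
        "1025 10.0.0.9 203.0.113.7 cdn-shared.example ALLOW",       # allowlisted name on the same IP
        "1030 10.0.0.9 198.51.100.20 www.example.org ALLOW",        # unrelated traffic
        "1040 10.0.0.5 203.0.113.7 cnc-first-seen.example BLOCK",
    ]


if __name__ == "__main__":
    bad, found = find_ghost_hosts(build_sample_log(), SAMPLE_BLOCKLIST, SAMPLE_ALLOWLIST)
    print("servers behind blocked domains:", bad)
    for finding in found:
        print("ghost host:", finding)
```

The allowlist exists because the pivot is only as precise as the IP: on shared hosting or a CDN the same address serves unrelated sites, so a learned bad IP should either be reviewed before it becomes a firewall or IPS rule or be paired with an allowlist of names known to live there. Without the allowlist the same run also reports cdn-shared.example.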
Detecting bots
• Check email traffic
  • Blacklisting/warning
• Corporate firewalls
  • Specific rule sets for detecting suspicious port use or unknown transactions.
• Intrusion prevention system
  • Built-in open source or vendor-defined rules for detecting bot traffic.
• Web security/URL filtering systems
  • Devices or services detect and block C&C communications.
• Consider creating an “internal honeypot” on your network
• Use dedicated anti-bot security solutions
• Behavioral analysis combining log analytics and traffic analysis
  • Device or cloud service.
Poll: Bot Protection
• What anti-bot protection methods has your organization deployed? (choose more than one)
  • Firewall rules
  • Intrusion prevention
  • Web security/URL filtering system
  • Internal honeypot
  • Dedicated anti-bot security solution
Q3 2016
The World’s Largest Security Cloud
500K+ Threat collection points
600M+ Users protected
17B+ Daily transactions
130M+ Threats blocked
CYREN’s 100% cloud security services
SaaS Secure Web Gateway protects users from cyber-threats, monitors and controls web usage, and protects users both on and off the network.
SaaS Secure Email Gateway protects users from spam, phishing attacks, viruses and zero-hour malware with a seamless end-user experience.
Cloud-powered threat feeds and SDKs allow technology vendors and service providers to detect a broad set of cyber-threats, including malicious websites, phishing attacks, malware, botnets, and spam.
Enterprise OEM
You can also find us here:
www.CYREN.com
twitter.com/cyreninc
linkedin.com/company/cyren
Thank You. Any Questions or Thoughts?