Bots, viruses, and spam: The converged threat and how to fight it

January 10, 2005

Page 2

Agenda

1. Introduction
2. What is a botnet?
3. What are botnets used for?
4. Who is behind this?
5. How can we fight them?
6. Conclusion/Q&A

Page 3

Introduction

1. Who we are, our background.
2. Current statistics on spam, viruses, worms, denial of service.
3. What do they all have in common?

Page 4

Jim Lippard, Director, Information Security Operations, Global Crossing

Andrew Ramsey, Manager, Policy Enforcement, Global Crossing

We both previously held the equivalent positions at GlobalCenter (a webhosting company acquired by Exodus, then by Cable & Wireless USA, then by Savvis) and at Primenet (a national dialup ISP).

Global Crossing is a global telecom/data/conferencing company, operating one of the world’s largest fiber optic networks (75,000 route miles).

Page 5

[Map: Global Crossing North America – Dedicated Internet Access/IP Transit (map of connected cities). Legend: Landing Points, Cities Connected (Switch Sites), Cities Connected, Connecting Systems, IP POP.]

Page 6

[Map: Global Crossing South America – Dedicated Internet Access/IP Transit (map of connected cities). Legend: Landing Points, Cities Connected, Connecting Systems, IP POP.]

Page 7

[Map: Global Crossing UK – Dedicated Internet Access/IP Transit (map of connected cities). Legend: Landing Points, Cities Connected, Connecting Systems, IP POP.]

Page 8

[Map: Global Crossing Europe – Dedicated Internet Access/IP Transit (map of connected cities). Legend: Landing Points, Cities Connected, Connecting Systems, IP POP.]

Page 9

Percentage of email that is spam: 2002: 9%. 2003: 40%. 2004: 73%.

Percentage of email containing viruses: 2002: 0.5%. 2003: 3%. 2004: 6.1%.

Number of phishing emails:
Total through September 2003: 273
Total through September 2004: >2 million
Monthly since September 2004: 2-5 million
(Above from MessageLabs 2004 end-of-year report.)

Denial of Service Attacks: 2002: 48. 2003: 409. 2004: 482.
(Above from Global Crossing; 2002 is for Oct-Dec only.)

Page 10

[Chart: GLBC Unique Infected Customer IPs, monthly data points from 9/29/2003 through 12/29/2004; y-axis from 0 to 350000.]

Page 11

Unique Infected IPs, week ending January 3, 2005: Entire Internet (unique IPs within each category; a single IP may have multiple problems)

Category    Unique IPs   Share
Spam           1071454   36.6%
Bots            831044   28.4%
Beagle          503108   17.2%
Phatbot         346351   11.8%
Beagle3          83928    2.9%
Slammer          28402    1.0%
Dameware         20123    0.7%
Proxy            18740    0.6%
Blaster          12504    0.4%
Scan445           7797    0.3%
Nachi              595    0.0%
Mydoom             594    0.0%
Sinit              588    0.0%
Total          2925228

Page 12

What do viruses, worms, spam, phishing, and denial of service attacks have in common?

All are associated with bots and botnets.

All are being used to get criminals what they want:
• Your clean (not listed on blacklists) IP addresses.
• Your accounts and passwords.
• Your money.
• Your identity.
• The ability to continue getting these things without being caught.

Page 13

What is a botnet?

A collection of compromised systems (“bots”) under the control of a single entity, who uses a central controller (“botnet controller”) to issue commands to the bots.

Bots are almost always compromised Windows machines. They may be compromised by worms, viruses, trojan horses, or automated or semi-automated attack tools exploiting common Windows vulnerabilities.

Botnet controllers are almost always compromised Unix machines, most often compromised by automated or semi-automated attack tools exploiting common Unix vulnerabilities.

The method of control is almost always IRC, usually on the standard IRC ports (6667 and up).

When the use of botnets is sold to third parties, there is often a nice, professional-looking Windows or web interface provided.
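The slide's observation that control traffic is almost always IRC on the standard ports gives a provider or organization something concrete to look for in its own outbound connection logs. The following is an added example, not code from the Global Crossing deck: a small Python detector that scans constructed flow records for one external host on an IRC port reached by many distinct internal hosts holding long-lived sessions, which is the shape a botnet controller leaves behind. The IRC port set, the thresholds, the record format and all addresses are assumptions made for the example.

```python
"""Flag likely IRC botnet controllers from outbound connection records.

Added example (not from the Global Crossing slides). Bots sit idle in a
channel for hours or days, and a controller is reached by many end-user
hosts at once; a human IRC user is one host with a shorter session. The
records below are constructed sample data, not real traffic.
"""
from collections import defaultdict

# Standard IRC ports (6660-6669 plus 7000). Assumption for the example:
# controllers on other ports need a different detector, e.g. protocol
# inspection of the TCP payload.
IRC_PORTS = set(range(6660, 6670)) | {7000}

# Constructed flow records: (src_ip, dst_ip, dst_port, duration_seconds)
SAMPLE_FLOWS = [
    ("10.0.1.10", "198.51.100.7", 6667, 86000),
    ("10.0.1.11", "198.51.100.7", 6667, 79000),
    ("10.0.1.12", "198.51.100.7", 6667, 91000),
    ("10.0.2.5", "198.51.100.7", 6667, 88000),
    ("10.0.2.9", "198.51.100.7", 6667, 85000),
    ("10.0.1.10", "198.51.100.7", 6667, 400),     # short reconnect, same host
    ("10.0.3.3", "203.0.113.20", 6667, 5400),     # two users on a real IRC net
    ("10.0.3.4", "203.0.113.20", 6667, 3600),
    ("10.0.1.10", "192.0.2.80", 80, 12),          # web traffic, ignored
    ("10.0.1.11", "192.0.2.80", 443, 30),
]


def suspect_controllers(flows, min_hosts=5, min_duration=3600):
    """Return {dst_ip: sorted list of internal hosts} for IRC servers reached
    by at least min_hosts distinct internal hosts where the median of each
    host's longest session is at least min_duration seconds."""
    by_server = defaultdict(dict)   # dst_ip -> {src_ip: longest duration seen}
    for src, dst, port, duration in flows:
        if port not in IRC_PORTS:
            continue
        by_server[dst][src] = max(by_server[dst].get(src, 0), duration)

    suspects = {}
    for dst, hosts in by_server.items():
        if len(hosts) < min_hosts:
            continue
        durations = sorted(hosts.values())
        median = durations[len(durations) // 2]
        if median >= min_duration:
            suspects[dst] = sorted(hosts)
    return suspects


def main():
    for dst, hosts in suspect_controllers(SAMPLE_FLOWS).items():
        print(f"possible botnet controller {dst}: {len(hosts)} internal hosts")
        for host in hosts:
            print("   ", host)


if __name__ == "__main__":
    main()
```

The thresholds are the tuning knobs: lowering min_hosts to 2 makes the legitimate IRC server in the sample data show up too, which is exactly the false positive an analyst has to weigh against the quarantine cost on the next slides.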

Page 14

Phatbot command list (from LURHQ)

bot.command runs a command with system()
bot.unsecure enable shares / enable dcom
bot.secure delete shares / disable dcom
bot.flushdns flushes the bots dns cache
bot.quit quits the bot
bot.longuptime If uptime > 7 days then bot will respond
bot.sysinfo displays the system info
bot.status gives status
bot.rndnick makes the bot generate a new random nick
bot.removeallbut removes the bot if id does not match
bot.remove removes the bot
bot.open opens a file (whatever)
bot.nick changes the nickname of the bot
bot.id displays the id of the current code
bot.execute makes the bot execute a .exe
bot.dns resolves ip/hostname by dns
bot.die terminates the bot
bot.about displays the info the author wants you to see
shell.disable Disable shell handler
shell.enable Enable shell handler
shell.handler FallBack handler for shell
commands.list Lists all available commands
plugin.unload unloads a plugin (not supported yet)
plugin.load loads a plugin
cvar.saveconfig saves config to a file
cvar.loadconfig loads config from a file
cvar.set sets the content of a cvar
cvar.get gets the content of a cvar
cvar.list prints a list of all cvars
inst.svcdel deletes a service from scm
inst.svcadd adds a service to scm
inst.asdel deletes an autostart entry
inst.asadd adds an autostart entry
logic.ifuptime exec command if uptime is bigger than specified
mac.login logs the user in
mac.logout logs the user out
ftp.update executes a file from a ftp url
ftp.execute updates the bot from a ftp url
ftp.download downloads a file from ftp
http.visit visits an url with a specified referrer
http.update executes a file from a http url
http.execute updates the bot from a http url
http.download downloads a file from http
rsl.logoff logs the user off
rsl.shutdown shuts the computer down
rsl.reboot reboots the computer
pctrl.kill kills a process
pctrl.list lists all processes
scan.stop signal stop to child threads
scan.start signal start to child threads
scan.disable disables a scanner module
scan.enable enables a scanner module
scan.clearnetranges clears all netranges registered with the scanner
scan.resetnetranges resets netranges to the localhost
scan.listnetranges lists all netranges registered with the scanner
scan.delnetrange deletes a netrange from the scanner
scan.addnetrange adds a netrange to the scanner
ddos.phatwonk starts phatwonk flood
ddos.phaticmp starts phaticmp flood
ddos.phatsyn starts phatsyn flood
ddos.stop stops all floods
ddos.httpflood starts a HTTP flood
ddos.synflood starts an SYN flood
ddos.udpflood starts a UDP flood
redirect.stop stops all redirects running
redirect.socks starts a socks4 proxy
redirect.https starts a https proxy
redirect.http starts a http proxy
redirect.gre starts a gre redirect
redirect.tcp starts a tcp port redirect
harvest.aol makes the bot get aol stuff
harvest.cdkeys makes the bot get a list of cdkeys
harvest.emailshttp makes the bot get a list of emails via http
harvest.emails makes the bot get a list of emails
waste.server changes the server the bot connects to
waste.reconnect reconnects to the server
waste.raw sends a raw message to the waste server
waste.quit
waste.privmsg sends a privmsg
waste.part makes the bot part a channel
waste.netinfo prints netinfo
waste.mode lets the bot perform a mode change
waste.join makes the bot join a channel
waste.gethost prints netinfo when host matches
waste.getedu prints netinfo when the bot is .edu
waste.action lets the bot perform an action
waste.disconnect disconnects the bot from waste

Page 15

What are bots used for?

They are a disposable platform of computing power, usable for:
• Scanning for other vulnerable systems to create more bots.
• Collecting information from the compromised system (accounts, passwords).
• Operating as proxies for sending spam (including phishing attacks), or launching new worms or viruses.
• Launching denial of service attacks (to attack competition or commit extortion).
• Distribution of pirated or illegal material.

They can be used for anything the controlling entity wants to use them for, and the activity will be attributed to the bot rather than the controlling entity.

They refute the argument that “There’s nothing on my computer that anyone would want” (usually given as an excuse not to secure a home computer).

Page 16

Who is behind this?

• Criminal hackers: They write the worms, viruses, and trojan horses, and act as “botnet wranglers.”
• Criminal spammers: They pay criminal hackers to obtain mailing lists and for the use of botnets as proxies (or “peas”) for sending spam.
• Organized crime: They hire or have their own criminal hackers to engage in online protection rackets, credit card fraud, and identity theft.

Pages 17 to 24: no transcribed content.

Page 25

This slide intentionally left blank, as the image to be shown here may not be distributed.

Page 26

How can we fight them?

Any solution that requires all or most end users to become power users or system administrators to secure their systems will fail. The vast majority of bots are end user systems belonging to home users, sitting behind a cable or DSL modem.

Effective reduction of bots, viruses, spam, and denial of service attacks will require actions from multiple parties: software and OS vendors, organizations with an Internet presence, online service providers, and law enforcement.

Page 27

Things software and OS vendors should do.
• Start providing software without major well-known, detectable defects; there is no excuse for software with buffer overflows being released as a product.
• Software defaults should be the most secure settings, not the least secure.

Page 28

Things organizations should do.
• Implement organizational firewalls (with default deny on outbound as well as inbound) and content filtering.
• Implement spam filtering (with the CBL, the Composite Blocking List) and antivirus.
• Implement endpoint security on client machines to enforce organizational standards for antivirus, patch levels, host firewall rules, and file integrity; hosts out of compliance don’t get connectivity.
• Switch to thin clients where a desktop computer is overkill.
• Implement intrusion prevention systems.
• Segment large networks to allow segregation of traffic by criticality and quarantining of infected hosts.
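The spam-filtering bullet relies on the Composite Blocking List, a DNS-based blocklist (its zone, cbl.abuseat.org, is given on the deck's last slide). The following is an added example, not code from the slides or from the CBL project, showing in Python how a mail filter consults such a list: the connecting client's IPv4 octets are reversed and the zone appended, and an answer inside 127.0.0.0/8 means "listed" while NXDOMAIN means "not listed". The resolver is passed in as a function so the example runs offline against a constructed answer table; the sample addresses and that table are assumptions, and the live resolver at the end is included only to show the production hook.

```python
"""Look up an IP in a DNS-based blocklist such as the CBL (added example).

The query-name construction and the 127.0.0.0/8 answer convention are the
standard DNSBL mechanism; the zone cbl.abuseat.org is the one the slides
reference. Addresses and the offline answer table are constructed.
"""
import ipaddress
import socket

CBL_ZONE = "cbl.abuseat.org"


def dnsbl_query_name(ip: str, zone: str = CBL_ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone.
    Raises ValueError for malformed input so a bad client address cannot
    turn into an odd-looking but syntactically valid DNS query."""
    ipaddress.IPv4Address(ip)          # validation only
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip: str, resolve, zone: str = CBL_ZONE) -> bool:
    """resolve(name) returns the A answer as a string, or None on NXDOMAIN.
    Only answers in 127.0.0.0/8 count as a listing: treating any answer as
    a hit would let a wildcarded or hijacked zone block all mail."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return False
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


# Constructed offline answer table standing in for real DNS.
_FAKE_ZONE = {
    "7.100.51.198." + CBL_ZONE: "127.0.0.2",     # listed
    "80.2.0.192." + CBL_ZONE: "93.184.216.34",   # bogus non-loopback answer
}


def fake_resolve(name):
    """Offline resolver: returns the table entry or None (NXDOMAIN)."""
    return _FAKE_ZONE.get(name)


def live_resolve(name):
    """Real lookup for production use; None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def main():
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.80"):
        state = "listed" if is_listed(ip, fake_resolve) else "not listed"
        print(f"{ip}: {state}")


if __name__ == "__main__":
    main()
```

To use it against the real list, call is_listed(ip, live_resolve) from the SMTP connection handler and reject or greylist listed clients; the page's own caveat applies, a single IP may have several problems, so a CBL hit says the host is sending spam, not which bot family is on it.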

Page 29

Things online service providers should do.
• Put the right provisions in contracts/AUPs.
• Implement detection and filtering mechanisms where and when feasible.
• Participate in intelligence sharing with security researchers, anti-spammers, and other providers.
• Work with law enforcement to assist in prosecutions (e.g., the FBI’s Operation Slam Spam).
• File lawsuits against criminal abusers (AOL, Earthlink, and Microsoft are good at this).
• Act aggressively to get known abusers off networks and keep them from getting on in the first place (e.g., using the Spamhaus Blackhole List, or SBL).

ISPs (with end users as direct customers):
• Quarantine infected end user systems.
• Demand regular notifications of detected issues from upstream providers.

NSPs (with ISPs, colo, webhosting, etc. as direct customers):
• Blackhole botnet controllers and phishing websites upon verification.
• Send regular notifications to downstream customers of detected issues.
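The last NSP bullet, regular notifications to downstream customers, means turning a feed of infected IPs (with categories like those in the week-ending-January-3 table) into one report per customer. The following is an added example, not code from the Global Crossing deck: a Python routine that maps each reported IP to the customer holding the covering prefix by longest-prefix match, so a /25 reassigned to a reseller wins over the parent /24, and renders a notice per customer. The customer prefix table, customer names, feed format and all addresses are constructed for the example; a real provider would populate the table from its provisioning or BGP data.

```python
"""Group detected infected IPs by downstream customer prefix (added example).

Not from the Global Crossing slides. The prefix table, customer names and
feed lines are constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Constructed customer prefix table (assumption: in reality this comes from
# provisioning or BGP data). The /25 is a more-specific reassignment.
CUSTOMER_PREFIXES = {
    "198.51.100.0/24": "Example Hosting Co",
    "203.0.113.0/24": "Example Dialup ISP",
    "203.0.113.128/25": "Example Dialup ISP - reseller B",
}

# Constructed feed: "<ip> <category>" per line, categories as on the slide.
SAMPLE_FEED = """\
198.51.100.7 Phatbot
198.51.100.9 Spam
203.0.113.12 Beagle
203.0.113.200 Bots
203.0.113.201 Proxy
192.0.2.44 Slammer
not-an-ip Spam
"""


def build_table(prefix_map):
    """Parse prefixes once and sort longest prefix first, so the first
    matching entry during lookup is the most specific one."""
    table = [(ipaddress.ip_network(p), name) for p, name in prefix_map.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_customer(ip, table):
    """Longest-prefix match; None when no customer prefix covers the IP.
    Raises ValueError on a malformed address."""
    addr = ipaddress.ip_address(ip)
    for net, name in table:
        if addr in net:
            return name
    return None


def group_by_customer(feed_text, prefix_map):
    """Return ({customer: [(ip, category), ...]}, [unmatched (ip, category)]).
    Unmatched hits are the NSP's own problem or belong to a peer, so they
    are kept separately rather than dropped."""
    table = build_table(prefix_map)
    per_customer = defaultdict(list)
    unmatched = []
    for line in feed_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                      # malformed line: skip, do not crash
        ip, category = parts
        try:
            customer = lookup_customer(ip, table)
        except ValueError:
            continue                      # not an IP address: skip
        if customer is None:
            unmatched.append((ip, category))
        else:
            per_customer[customer].append((ip, category))
    return dict(per_customer), unmatched


def render_notices(per_customer):
    """One plain-text notice per customer, hosts sorted for stable output."""
    notices = {}
    for customer, hits in sorted(per_customer.items()):
        lines = [f"Abuse notification for {customer}: {len(hits)} infected host(s)"]
        lines += [f"  {ip}  {category}" for ip, category in sorted(hits)]
        notices[customer] = "\n".join(lines)
    return notices


if __name__ == "__main__":
    grouped, leftover = group_by_customer(SAMPLE_FEED, CUSTOMER_PREFIXES)
    for text in render_notices(grouped).values():
        print(text, end="\n\n")
    print("unmatched:", leftover)
```

The same lookup serves the ISP bullets in the other direction: an ISP receiving such a notice from its upstream can match the listed IPs against its own subscriber pools to decide which end-user systems to quarantine.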

Page 30

Things law enforcement should do.
• Work with online providers and security researchers to collect intelligence (e.g., Operation Slam Spam).
• Go undercover to engage in deals with criminal hackers, criminal spammers, and organized criminals to “follow the money” and connect online identities to real identities.
• Follow up on civil litigation from online providers with criminal prosecutions.

Page 31

[Chart: 2004 SBL Listings by Provider, monthly from 1/15/2004 through 12/15/2004; y-axis from 0 to 250 listings. Providers shown: Global Crossing, Verio, Sprint, Cogent, Qwest, TW Telecom, AT&T, Savvis, Verizon, Level 3, AboveNet, XO, SBC, MCI.]

Page 32

Further Information

Composite Blocking List: http://cbl.abuseat.org

Registry Of Known Spam Operations (ROKSO): http://www.spamhaus.org

Bot information: http://www.lurhq.com/research.html

MessageLabs 2004 end-of-year report: http://www.messagelabs.com/binaries/LAB480_endofyear_v2.pdf

Jim Lippard
[email protected]

Andrew Ramsey
[email protected]