TRANSCRIPT
Bots, viruses, and spam: The converged threat and how to fight it
January 10, 2005
AGENDA
1. Introduction
2. What is a botnet?
3. What are botnets used for?
4. Who is behind this?
5. How can we fight them?
6. Conclusion/Q&A
Introduction
1. Who we are, our background.
2. Current statistics on spam, viruses, worms, denial of service.
3. What do they all have in common?
Jim Lippard, Director, Information Security Operations, Global Crossing
Andrew Ramsey, Manager, Policy Enforcement, Global Crossing
We both previously held the equivalent positions at GlobalCenter (webhosting company acquired by Exodus->Cable & Wireless USA->Savvis) and at Primenet (national dialup ISP).
Global Crossing is a global telecom/data/conferencing company, operating one of the world’s largest fiber optic networks (75,000 route miles).
Global Crossing North America – Dedicated Internet Access/IP Transit (network map: landing points, cities connected, switch sites, connecting systems, IP POPs)
Global Crossing South America – Dedicated Internet Access/IP Transit (network map: landing points, cities connected, connecting systems, IP POPs)
Global Crossing UK – Dedicated Internet Access/IP Transit (network map: landing points, cities connected, connecting systems, IP POPs)
Global Crossing Europe – Dedicated Internet Access/IP Transit (network map: landing points, cities connected, connecting systems, IP POPs)
Percentage of email that is spam: 2002: 9%. 2003: 40%. 2004: 73%.
Percentage of email containing viruses: 2002: 0.5%. 2003: 3%. 2004: 6.1%.
Number of phishing emails:
Total through September 2003: 273
Total through September 2004: >2 million
Monthly since September 2004: 2-5 million
(Above from MessageLabs 2004 end-of-year report.)
Denial of Service Attacks: 2002: 48. 2003: 409. 2004: 482.
(Above from Global Crossing; 2002 is for Oct-Dec only.)
GLBC Unique Infected Customer IPs (chart: monthly counts from 9/29/2003 to 12/29/2004; y-axis 0 to 350,000 unique infected customer IPs)
Unique Infected IPs, week ending January 3, 2005: Entire Internet (unique IPs within each category; a single IP may have multiple problems)
Category   Unique IPs   Share
Spam       1071454      36.6%
Bots       831044       28.4%
Beagle     503108       17.2%
Phatbot    346351       11.8%
Beagle3    83928        2.9%
Slammer    28402        1.0%
Dameware   20123        0.7%
Proxy      18740        0.6%
Blaster    12504        0.4%
Scan445    7797         0.3%
Nachi      595          0.0%
Mydoom     594          0.0%
Sinit      588          0.0%
Total      2925228
What do viruses, worms, spam, phishing, and denial of service attacks have in common?
All are associated with bots and botnets.
All are being used to get criminals what they want:
• Your clean (not listed on blacklists) IP addresses.
• Your accounts and passwords.
• Your money.
• Your identity.
• The ability to continue getting these things without being caught.
What is a botnet?
A collection of compromised systems (“bots”) under the control of a single entity who uses a central controller (“botnet controller”) to issue commands to the bots.
Bots are almost always compromised Windows machines—they may be compromised by worms, viruses, trojan horses, or automated or semi-automated attack tools exploiting common Windows vulnerabilities.
Botnet controllers are almost always compromised Unix machines—most often compromised by automated or semi-automated attack tools exploiting common Unix vulnerabilities.
The method of control is almost always IRC, usually on the standard IRC ports (6667 and up).
When the use of botnets is sold to third parties, there is often a nice, professional-looking Windows or web interface provided.
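An added detection example (not code from the presentation): given flow records, flag external IPs on IRC ports that several internal hosts keep long-lived sessions to, which is the central-controller pattern the slide describes. The record format, the port span and the thresholds are assumptions.

```python
"""Spot likely IRC botnet command-and-control in flow records.
Added example, not from the deck: bots are described as controlled over IRC
on ports 6667 and up, so look for many internal hosts holding long-lived
sessions to one external IP on an IRC port.  Format/thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass

IRC_PORTS = range(6660, 7001)  # assumed span around the standard 6667+ ports

@dataclass(frozen=True)
class Flow:
    src: str      # internal host
    dst: str      # external peer
    dport: int    # destination port
    seconds: int  # session duration

def parse_flows(text: str) -> list[Flow]:
    """Parse 'src dst dport seconds' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, secs = line.split()
        flows.append(Flow(src, dst, int(dport), int(secs)))
    return flows

def find_controllers(flows, min_hosts=3, min_seconds=600):
    """Map suspected controller IP -> sorted internal hosts: IRC-port destinations
    reached by >= min_hosts distinct sources holding sessions >= min_seconds."""
    hosts_by_dst = defaultdict(set)
    for f in flows:
        if f.dport in IRC_PORTS and f.seconds >= min_seconds:
            hosts_by_dst[f.dst].add(f.src)
    return {dst: sorted(h) for dst, h in hosts_by_dst.items() if len(h) >= min_hosts}

# Constructed sample: four hosts parked on one suspected controller, one ordinary
# IRC user on a different server, and web traffic that must not match.
SAMPLE = """
# src        dst            dport  seconds
10.0.1.10    203.0.113.5    6667   86400
10.0.1.11    203.0.113.5    6667   72000
10.0.1.12    203.0.113.5    6668   3600
10.0.1.13    203.0.113.5    6667   900
10.0.2.50    198.51.100.20  6667   1800
10.0.1.10    198.51.100.80  80     12
"""

if __name__ == "__main__":
    for ctrl, hosts in find_controllers(parse_flows(SAMPLE)).items():
        print(f"suspected controller {ctrl}: {len(hosts)} hosts -> {hosts}")
```

On real flow data the threshold should be tuned so that a single busy IRC server serving legitimate users is not flagged; the distinguishing signal is the herd of distinct hosts, not IRC use by itself.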
Phatbot command list (from LURHQ)
bot.command – runs a command with system()
bot.unsecure – enable shares / enable dcom
bot.secure – delete shares / disable dcom
bot.flushdns – flushes the bots dns cache
bot.quit – quits the bot
bot.longuptime – If uptime > 7 days then bot will respond
bot.sysinfo – displays the system info
bot.status – gives status
bot.rndnick – makes the bot generate a new random nick
bot.removeallbut – removes the bot if id does not match
bot.remove – removes the bot
bot.open – opens a file (whatever)
bot.nick – changes the nickname of the bot
bot.id – displays the id of the current code
bot.execute – makes the bot execute a .exe
bot.dns – resolves ip/hostname by dns
bot.die – terminates the bot
bot.about – displays the info the author wants you to see
shell.disable – Disable shell handler
shell.enable – Enable shell handler
shell.handler – FallBack handler for shell
commands.list – Lists all available commands
plugin.unload – unloads a plugin (not supported yet)
plugin.load – loads a plugin
cvar.saveconfig – saves config to a file
cvar.loadconfig – loads config from a file
cvar.set – sets the content of a cvar
cvar.get – gets the content of a cvar
cvar.list – prints a list of all cvars
inst.svcdel – deletes a service from scm
inst.svcadd – adds a service to scm
inst.asdel – deletes an autostart entry
inst.asadd – adds an autostart entry
logic.ifuptime – exec command if uptime is bigger than specified
mac.login – logs the user in
mac.logout – logs the user out
ftp.update – executes a file from a ftp url
ftp.execute – updates the bot from a ftp url
ftp.download – downloads a file from ftp
http.visit – visits an url with a specified referrer
http.update – executes a file from a http url
http.execute – updates the bot from a http url
http.download – downloads a file from http
rsl.logoff – logs the user off
rsl.shutdown – shuts the computer down
rsl.reboot – reboots the computer
pctrl.kill – kills a process
pctrl.list – lists all processes
scan.stop – signal stop to child threads
scan.start – signal start to child threads
scan.disable – disables a scanner module
scan.enable – enables a scanner module
scan.clearnetranges – clears all netranges registered with the scanner
scan.resetnetranges – resets netranges to the localhost
scan.listnetranges – lists all netranges registered with the scanner
scan.delnetrange – deletes a netrange from the scanner
scan.addnetrange – adds a netrange to the scanner
ddos.phatwonk – starts phatwonk flood
ddos.phaticmp – starts phaticmp flood
ddos.phatsyn – starts phatsyn flood
ddos.stop – stops all floods
ddos.httpflood – starts a HTTP flood
ddos.synflood – starts an SYN flood
ddos.udpflood – starts a UDP flood
redirect.stop – stops all redirects running
redirect.socks – starts a socks4 proxy
redirect.https – starts a https proxy
redirect.http – starts a http proxy
redirect.gre – starts a gre redirect
redirect.tcp – starts a tcp port redirect
harvest.aol – makes the bot get aol stuff
harvest.cdkeys – makes the bot get a list of cdkeys
harvest.emailshttp – makes the bot get a list of emails via http
harvest.emails – makes the bot get a list of emails
waste.server – changes the server the bot connects to
waste.reconnect – reconnects to the server
waste.raw – sends a raw message to the waste server
waste.quit
waste.privmsg – sends a privmsg
waste.part – makes the bot part a channel
waste.netinfo – prints netinfo
waste.mode – lets the bot perform a mode change
waste.join – makes the bot join a channel
waste.gethost – prints netinfo when host matches
waste.getedu – prints netinfo when the bot is .edu
waste.action – lets the bot perform an action
waste.disconnect – disconnects the bot from waste
What are bots used for?
They are a disposable platform of computing power, usable for:
• Scanning for other vulnerable systems to create more bots.
• Collecting information from the compromised system (accounts, passwords).
• Operating as proxies for sending spam (including phishing attacks), or launching new worms or viruses.
• Launching denial of service attacks (to attack competition or commit extortion).
• Distribution of pirated or illegal material.
They can be used for anything the controlling entity wants to use them for—and the activity will be attributed to the bot rather than the controlling entity.
They refute the argument that “There’s nothing on my computer that anyone would want” (usually given as an excuse not to secure a home computer).
Who is behind this?
• Criminal hackers: They write the worms, viruses, and trojan horses, and act as “botnet wranglers.”
• Criminal spammers: They pay criminal hackers to obtain mailing lists and for the use of botnets to use as proxies (or “peas”) for sending spam.
• Organized crime: They hire or have their own criminal hackers to engage in online protection rackets, credit card fraud, and identity theft.
This slide intentionally left blank, as the image to be shown here may not be distributed.
How can we fight them?
Any solution that requires all or most end users to become power users or system administrators to secure their systems will fail. The vast majority of bots are end user systems belonging to home users, sitting behind a cable or DSL modem.
Effective reduction of bots, viruses, spam, and denial of service attacks will require actions from multiple parties—software and OS vendors, organizations with an Internet presence, online service providers, and law enforcement.
Things software and OS vendors should do.
• Start providing software without major well-known, detectable defects—there is no excuse for software with buffer overflows being released as a product.
• Software defaults should be the most secure settings, not the least secure.
Things organizations should do.
• Implement organizational firewalls (with default deny on outbound as well as inbound) and content filtering.
• Implement spam filtering (with the CBL, the Composite Blocking List) and antivirus.
• Implement endpoint security on client machines to enforce organizational standards for antivirus, patch levels, host firewall rules, and file integrity—hosts out of compliance don’t get connectivity.
• Switch to thin clients where a desktop computer is overkill.
• Implement intrusion prevention systems.
• Segment large networks to allow segregation of traffic by criticality and quarantining of infected hosts.
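An added example of the CBL-backed spam filtering recommended above (not code from the presentation or from the CBL project): a DNS blocklist lookup made at SMTP connect time, with the resolver injected so the check runs offline here. The zone name and the 127.0.0.2 listing answer are assumptions to confirm against the list's own documentation.

```python
"""Check a connecting SMTP client against a DNS blocklist such as the CBL.
Added example, not code from the deck or the CBL project: a DNSBL is queried
by reversing the IPv4 octets under the list's zone (192.0.2.10 becomes
10.2.0.192.cbl.abuseat.org); an A answer means listed, NXDOMAIN means clean.
The 127.0.0.2 answer used in the stub and the zone name are assumptions."""
import ipaddress
import socket

CBL_ZONE = "cbl.abuseat.org"  # zone behind the deck's http://cbl.abuseat.org reference

def dnsbl_name(ip: str, zone: str = CBL_ZONE) -> str:
    """Build the reversed-octet query name; non-IPv4 input raises ValueError."""
    ipaddress.IPv4Address(ip)  # validation only; AddressValueError is a ValueError
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_resolver(name: str):
    """Live lookup: the A record as a string, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def is_listed(ip: str, resolve=system_resolver, zone: str = CBL_ZONE) -> bool:
    """True only for a 127.0.0.0/8 answer, i.e. a real listing code.  Any other
    answer (e.g. a wildcarded or parked zone) must not cause mail to be rejected."""
    answer = resolve(dnsbl_name(ip, zone))
    return answer is not None and answer.startswith("127.")

# Constructed stand-in for DNS so the check runs offline: one listed client.
FAKE_ZONE = {"10.2.0.192." + CBL_ZONE: "127.0.0.2"}

def fake_resolver(name: str):
    return FAKE_ZONE.get(name)

def smtp_policy(ip: str, resolve=fake_resolver) -> str:
    """Connect-time decision an MTA would make; pass system_resolver for live use."""
    return "reject (listed in CBL)" if is_listed(ip, resolve) else "accept"

if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.7"):
        print(client, "->", smtp_policy(client))
```

Rejecting on any non-127.0.0.0/8 answer is the classic failure mode when a blocklist zone is retired and later wildcarded, so the 127. check is the part worth keeping in production.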
Things online service providers should do.
• Put the right provisions in contracts/AUPs.
• Implement detection and filtering mechanisms where/when feasible.
• Participate in intelligence sharing with security researchers, anti-spammers, and other providers.
• Work with law enforcement to assist in prosecutions (e.g., FBI’s Operation Slam Spam).
• File lawsuits against criminal abusers (AOL, Earthlink, Microsoft are good at this).
• Act aggressively to get known abusers off networks and keep them from getting on in the first place (e.g., Spamhaus Blackhole List, or SBL).
ISPs (with end users as direct customers):
• Quarantine infected end user systems.
• Demand regular notifications of detected issues from upstream providers.
NSPs (with ISPs, colo, webhosting, etc. as direct customers):
• Blackhole botnet controllers and phishing websites upon verification.
• Send regular notifications to downstream customers of detected issues.
Things law enforcement should do.
• Work with online providers and security researchers to collect intelligence (e.g., Operation Slam Spam).
• Go undercover to engage in deals with criminal hackers, criminal spammers, and organized criminals to “follow the money” and connect online identities to real identities.
• Follow up on civil litigation from online providers with criminal prosecutions.
2004 SBL Listings by Provider (chart: monthly listing counts from 1/15/2004 to 12/15/2004; y-axis 0 to 250; providers: Global Crossing, Verio, Sprint, Cogent, Qwest, TW Telecom, AT&T, Savvis, Verizon, Level 3, AboveNet, XO, SBC, MCI)
Further Information
Composite Blocking List: http://cbl.abuseat.org
Registry Of Known Spam Operations (ROKSO): http://www.spamhaus.org
Bot information: http://www.lurhq.com/research.html
MessageLabs 2004 end-of-year report: http://www.messagelabs.com/binaries/LAB480_endofyear_v2.pdf
Jim Lippard
Andrew Ramsey