Cyber Attack Trend and Botnet (infosec.gov.hk)

Posted on 22-May-2018

    S.C. Leung, CISSP CISA CBCP

    Page 2

    Agenda

    Botnet Attack Trends

    Commercialization of Cyber Crime

    Professionalization of Cyber Crimeware

    Social Engineering always cool: Waledac botnet

    Following the Social Network Services: Koobface botnet

    Delivering via Web attack & Search Engine: Gumblar botnet

    Following the Money: Banking Trojans like Zeus botnet

    Building the Survival Kit: Conficker botnet

    Defending against Botnet

    Botnet and Cyber Attack Trends

    Page 3

    Botnet (roBot Network) = infrastructure of controlled victim computers (bots)

    (Diagram: Bot Herder controls C&C servers, which control the bots; up: data, down: command/update. The bots are used for DDoS attack, spam, malware and phishing against victims.)

    1. Commercialization of Cyber Crime

    Page 5

    Product and Service Delivery for Profit

    What do attackers want now? What are their products and services?

    Products: personal credentials, CCN, SSN, software CD keys; tools to exploit, tools to hide malware

    Service subscription: spam, phishing, DDoS botnet (76services.com now closed)

    2. Professionalization of Cyber Crimeware

    Page 7

    Professionalization of Cyber Crimeware

    Division of Labour, R&D and Outsourcing

    Malware development, botnet optimization: malware good at detection evasion; malware targeting, identifying and terminating security software; multi-language support; remote administration support; signing and encryption

    IT infrastructure: hosting network, web hosting in a hacker-friendly environment: where there is great bandwidth, where legislation is lax, where user awareness is low

    Domain registration, domain hosting: where the take-down procedure is lengthy

    Botnet is a sign of maturity of the infrastructure for the underground economy: service delivery, maintenance, long-term control

    3. Social Engineering always cool

    Waledac Botnet

    Page 9

    Waledac Botnet

    Spreading: spam emails that employ social engineering extensively and contain a link to a malicious website with an embedded iFrame, tricking the user into installing the malware

    Author = creator of the Storm botnet (which overwhelmed the Internet back in 2007)

    Has sound infrastructure: uses the Nginx web server; uses double fast-flux DNS

    The DNS records are changing all the time

    The DNS servers are changing all the time

    Page 10

    Waledac Fast-flux

    Bot hosts can be dynamically assigned in real time
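As an added example (not from the presentation), a scorer that applies the fast-flux traits just described to a series of DNS lookups: churning A records for single flux, churning name servers as well for double flux. The lookups and thresholds are constructed for illustration, not real Waledac data.

```python
# Added example (not from the presentation): scoring a series of DNS lookups for
# the fast-flux traits described above: A records that keep changing and, for
# double flux, name servers that keep changing too. Lookups and thresholds are
# constructed for illustration, not real Waledac data.
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Lookup:
    ttl: int            # TTL of the A records in this answer
    a_records: list     # IPv4 addresses returned
    ns_records: list    # name servers the zone reported at the time


def flux_indicators(lookups):
    """Summarise how much the answers churned across a series of lookups."""
    ips = {ip for lk in lookups for ip in lk.a_records}
    # Distinct /16 prefixes: flux nodes are infected hosts scattered across many
    # consumer networks, whereas a normal site lives in one or two hosting ranges.
    nets = {str(ip_address(ip)).rsplit(".", 2)[0] for ip in ips}
    nameservers = {ns for lk in lookups for ns in lk.ns_records}
    return {"distinct_ips": len(ips), "distinct_nets": len(nets),
            "distinct_ns": len(nameservers), "min_ttl": min(lk.ttl for lk in lookups)}


def classify(lookups, max_ttl=300, min_ips=5, min_nets=3, min_ns=3):
    """Return 'double-flux', 'single-flux' or 'stable' (thresholds are illustrative)."""
    ind = flux_indicators(lookups)
    churn = (ind["min_ttl"] <= max_ttl and ind["distinct_ips"] >= min_ips
             and ind["distinct_nets"] >= min_nets)
    if churn and ind["distinct_ns"] >= min_ns:
        return "double-flux"
    if churn:
        return "single-flux"
    return "stable"


# Constructed observations: three lookups of a flux domain a minute apart, and
# two lookups of an ordinary site over the same period.
FLUX_SAMPLE = [
    Lookup(60, ["198.51.100.7", "203.0.113.9", "192.0.2.44"], ["ns1.flux.example", "ns2.flux.example"]),
    Lookup(60, ["203.0.113.9", "198.51.100.120", "192.0.2.201"], ["ns2.flux.example", "ns3.flux.example"]),
    Lookup(60, ["192.0.2.201", "198.51.100.33", "203.0.113.77"], ["ns3.flux.example", "ns4.flux.example"]),
]
STABLE_SAMPLE = [
    Lookup(3600, ["203.0.113.10", "203.0.113.11"], ["ns1.host.example", "ns2.host.example"]),
    Lookup(3600, ["203.0.113.10", "203.0.113.11"], ["ns1.host.example", "ns2.host.example"]),
]
```

Run against a resolver log, the same scoring would be fed with the answers observed for one domain over an hour rather than the embedded samples.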

    Page 11

    Waledac theme: eCard (social engineering follows the talk of the town)

    postcard.exe

    Page 12

    Waledac themes (social engineering follows the talk of the town): SMS Spy on your Partner; Terrorist Attack theme; Independence Day

    Page 13

    Waledac Service and Feature

    Impact: opens a back door on the compromised computer; steals personal information; spams contacts in the address book; turns the zombie into a web server, web proxy, DNS and spam template relay

    Major web server service: pharmacy; serving malware

    4. Following the Social Network Services

    Page 15

    Koobface (koob-face)

    A worm spreading in Facebook, MySpace, Twitter, Friendster, hi5 & Bebo

    http://www.f-secure.com/weblog/archives/00001517.html

    Spreading: spoof a friend and send a message "Hello; You must see it!!! LOL" with a URL

    The URL brings the user to a fake YouTube site, luring them to install a file Flash_update.exe

    Upon execution, the victim is infected.

    Impact: poisons all user searches (Google, Ask, Yahoo and Bing) to a malicious site

    Page 16

    Koobface: Twitter campaign

    Infected PCs with Koobface sent out Tweets with malicious URLs

    Page 17

    A Botnet uses Twitter as Command Channel

    Bots subscribe to the RSS feed to get commands from a Tweet like this:

    aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==

    Base64-decoding the tweet gives two tiny URLs: http://bit.ly/R6STV http://bit.ly/2KoHo

    The bit.ly tiny URLs translated to: http://pastebin.com/pastebin.php?dl=m5222dc70 and http://paste.debian.net/43529/download/43529

    The URLs point to encoded files. When decoded and unzipped, they give malware files which were found to be poorly detected as malware by VirusTotal
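As an added example (not from the presentation), a feed monitor that recognises the pattern just shown: an item that is nothing but base64 and decodes to a list of URLs, with shortener hosts treated as the covert-command signal. The sample feed is constructed, apart from the tweet text reproduced from the slide; the shortener list is illustrative.

```python
# Added example (not from the presentation): detecting feed items that carry a
# base64-encoded list of URLs, the pattern of the Twitter command channel above.
# The sample feed is constructed; its first item is the encoding shown on the slide.
import base64
import binascii
import re
from urllib.parse import urlsplit

# Shortener hosts treated as suspicious in a decoded command (illustrative list)
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "is.gd"}
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_command(text):
    """Return the URLs hidden in a base64-only feed item, or [] if it is not one."""
    token = text.strip()
    if not B64_TOKEN.match(token):
        return []
    try:
        plain = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return []
    return re.findall(r"https?://\S+", plain)


def assess(text):
    """Classify a feed item as 'plain', 'encoded-urls' or 'covert-command'."""
    urls = decode_command(text)
    if not urls:
        return "plain"
    hosts = {urlsplit(u).hostname for u in urls}
    if hosts & SHORTENER_HOSTS:
        return "covert-command"   # shortened links hide the real download location
    return "encoded-urls"


# Constructed sample feed: the slide's tweet, an ordinary message, and a base64
# item whose decoded text links straight to a host rather than a shortener.
SAMPLE_FEED = [
    "aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==",
    "Just had lunch, great weather today",
    base64.b64encode(b"http://example.com/notes.txt").decode(),
]

if __name__ == "__main__":
    for item in SAMPLE_FEED:
        print(assess(item), decode_command(item))
```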

    5. Delivering via Web attack & Search Engine: Gumblar Botnet

    Page 19

    Gumblar Botnet: Impact

    A web site is a delivery channel of malware. Gumblar steals FTP credentials and uploads malware to 3000 legitimate web sites. The botnet connects to two domains for download: gumblar.cn / martuz.cn

    Two botnets formed: one for web sites and one for infected client PCs

    Impacts on client PCs: install a backdoor in the victim's computer that connects to the C&C; steal FTP credentials from the victim's computer; man-in-the-browser attack, monitoring traffic to and from the browser: replace Google search results with links pointing to malicious websites; redirect from e-commerce or banking sites to phishing web sites

    Impacts on web sites: compromise any websites owned or operated by the victims; distribute malware which exploits Acrobat Reader & Flash Player vulnerabilities

    Page 20

    Gumblar Botnet: Obfuscation

    Web pages are injected with obfuscated scripts, which vary from site to site, or page to page

    (Screenshot: Malzilla)

    Page 21

    Gumblar Botnet: Detection and Take down

    Blocking: block the two C&C sites, gumblar.cn and martuz.cn

    Checking (not 100% accurate): http://www.unmaskparasites.com/security-report/
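As an added example (not from the presentation or the unmaskparasites service), a webmaster-side check that parses a page's inline scripts, flags the obfuscation traits injected scripts tend to share, and fingerprints each hit so that scripts which vary from page to page show up as differing hashes across a site. Both sample pages are constructed, not real Gumblar injections.

```python
# Added example (not from the presentation): a webmaster-side check that parses a
# page's inline scripts, flags obfuscation traits injected scripts tend to share,
# and fingerprints each hit so scripts that vary page to page show up as different
# hashes across a site. Both pages are constructed samples, not real injections.
import hashlib
import re
from html.parser import HTMLParser

OBFUSCATION_CALLS = ("eval(", "unescape(", "fromCharCode(", "document.write(")
# 20 or more consecutive %xx or \xNN escapes: a long encoded payload string
ESCAPED_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}){20,}")


class InlineScripts(HTMLParser):
    """Collect the text of every <script> element that has no src attribute."""
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def suspicious_scripts(html):
    """Return (fingerprint, reasons) for each inline script that looks obfuscated."""
    parser = InlineScripts()
    parser.feed(html)
    findings = []
    for body in parser.scripts:
        reasons = [call for call in OBFUSCATION_CALLS if call in body]
        if ESCAPED_RUN.search(body):
            reasons.append("long escaped string")
        if reasons:
            findings.append((hashlib.sha256(body.encode()).hexdigest()[:12], reasons))
    return findings


# Constructed pages: an untouched page and one carrying an injected obfuscated script.
CLEAN_PAGE = "<html><body><p>Hi</p><script>document.title = 'Hi';</script></body></html>"
INJECTED_PAGE = ("<html><body><p>Hi</p><script>eval(unescape('"
                 + "%41%3b" * 12 + "'));</script></body></html>")
```

Comparing the fingerprints returned for the same template across many pages is what exposes the site-to-site and page-to-page variation the slide mentions.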

    6. Following the Money

    Page 23

    Botnet targeting Banks

    What I have seen on a Zeus Botnet C&C Management interface

    Bot administration features:

    Screenshot (save to html without image)

    Fake redirect (redirect to a prepared fake bank webpage)

    Html inject (hijack the login session and inject new field)

    Log the visiting information of each banking site, record the input string (text or post URL)

    An unknown field (table: yes/no) found with syntax: nn:nnnnnnnn

    If the value is yes, mostly with a comment, the comment logged the a/c information, e.g. transfer limit.

    Page 24

    Fake Redirect login page

    Source: Computer Associates

    Page 25

    Man-in-the-Browser

    Hacker's ideal operation: intercept the transaction; change the amount and change the destination to the attacker's account, then send it to the bank; change the display to the user as if his transaction was executed: calculate the should-be amount and rewrite the remaining total on screen

    Source: www.cronto.com

    Page 26

    Man in the Browser (MITB)

    Install software/plugin inside the browser, hooking key OS and web browser APIs and proxying data

    Advantages:

    No encryption barrier as in a proxy; the SSL padlock is unaffected for modified content

    Direct access to data: freely alter the web page displayed to the customer; freely modify the requests sent back to the bank

    Direct interface to the web browser & application: can create additional commands (GET/POST/PUT)

    Extremely stealthy: the client is hard to detect, since the network is not interfered with and the web address and digital certificates are all correct; the bank sees the customer's real IP address

    Faster real-time response, so it can break 2FA

    (Diagram: the MITB component sits between the Web App and Winsock)

    Page 27

    Limbo 2 - HTML Injection

    Limbo 2 Trojan kit: some variants inject fake fields into the online banking forms that the browser displays to the user.

    The additional fields are designed to collect details to help an attacker impersonate the victim and/or compromise the victim's account

    Source: ThreatExpert

    What is the use of getting the additional info?

    Page 28

    Inserting a transaction (when logging in)

    (Diagram: the user logs in and submits PIN + OTP; the Trojan kicks up a shadow login at the back and shows the user "Not successful. Please retry"; the user submits PIN + OTP2 in a newly inserted window; the hacker uses OTP2 to authenticate a transaction)

    Page 29

    HKMA Circular 2009-07-13

    The HKMA noticed that the recent fraudulent technique adopted by fraudsters is believed to involve infecting the customer's personal computer (PC) with Trojan horse programs to hijack the Internet banking login credentials of customers (including one-time passwords for two-factor authentication) during the Internet banking login process.

    The hijacked login credentials were used by the fraudsters to conduct high-risk Internet banking transactions such as making fund transfer to an unregistered third-party account.
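As an added example (not from the presentation and not any bank's implementation), the control that addresses the shadow-login and MITB cases above: an OTP computed over the transaction details, so a code captured for one login or transfer cannot authorise a different payee or amount. The token secret, the two transactions and the field layout are constructed for illustration; deployed schemes such as OCRA differ in detail.

```python
# Added example (not from the presentation): an OTP bound to the transaction it
# authorises, so a code captured through a shadow login or man-in-the-browser
# session cannot authorise a transfer the customer never saw. The token secret and
# the two transactions are constructed sample values; real schemes such as OCRA
# differ in detail, and this is not any bank's implementation.
import hashlib
import hmac
import struct

TOKEN_SECRET = b"constructed-per-customer-token-secret"   # shared by token and bank

# What the customer intends, and what a Trojan substitutes in its shadow session.
INTENDED_TX = {"dest_account": "123-456789-001", "amount_cents": 50_000, "counter": 7}
HIJACKED_TX = {"dest_account": "999-000111-222", "amount_cents": 980_000, "counter": 7}


def canonical(tx):
    """Serialise exactly the fields the customer verifies on the token display."""
    return f"{tx['dest_account']}|{tx['amount_cents']}|{tx['counter']}".encode()


def transaction_otp(secret, tx, digits=6):
    """Derive a short code from the secret and the transaction details.

    The MAC covers destination, amount and a per-token counter; truncation to
    digits follows the HOTP dynamic-offset rule (RFC 4226).
    """
    mac = hmac.new(secret, canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def bank_verifies(secret, tx, presented_otp):
    """Bank side: recompute the code for the transaction actually submitted and
    compare in constant time. A code issued for another amount or payee fails."""
    return hmac.compare_digest(transaction_otp(secret, tx), presented_otp)


if __name__ == "__main__":
    otp = transaction_otp(TOKEN_SECRET, INTENDED_TX)     # the code the customer types
    print("intended transfer accepted:", bank_verifies(TOKEN_SECRET, INTENDED_TX, otp))
    print("hijacked transfer accepted:", bank_verifies(TOKEN_SECRET, HIJACKED_TX, otp))
```

The counter in the MAC input is what stops the same code being replayed for a second, identical-looking transfer.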

    7. Building the Survival Kit: Conficker Botnet

    Page 31

    Conficker - Propagation Mechanism

    Source: Cisco 2009 MidYear Report

    Page 32

    Conficker: a model for a sustainable botnet

    Designed to survive in disaster: what if the C&C are taken down?

    Conficker.B: domain generation for malware update. Active since Nov 2008, generating 250 domains/day in 5 TLDs for update

    Conficker's natural predator: the Conficker Working Group. An alliance of ICANN, domain registries and the IT industry worked together to pre-empt Conficker: pre-register the domains; redirect traffic to sinkholes to study the behaviour

    Conficker.C improved: starting Apr 1, 2009, generating 50,000 domains/day in 116 TLDs and using 500 of them at random (some are existing domains), making it harder to pre-empt the domains; improved authentication and encryption so you cannot infiltrate the Conficker.C botnet easily; uses P2P for update as well, so peers can update each other with the right authentication; blocks more security vendors' web sites
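As an added example (not from the presentation), the defender's side of the pre-emption just described: a date-seeded domain list can be computed ahead of time by anyone holding the algorithm, so the day's domains can be registered or sinkholed before the bots ask for them; with Conficker.C's 50,000 candidates of which a bot tries only 500 at random, the plan must still cover the whole pool. The generator is a simplified stand-in written for this example, not Conficker's real algorithm, and the TLD list, date and counts are illustrative.

```python
# Added example (not from the presentation): why a deterministic, date-seeded domain
# list can be pre-empted by registering or sinkholing the day's domains in advance.
# The generator is a simplified stand-in written for this example, not Conficker's
# real algorithm; the TLD list, date and counts are illustrative.
import hashlib
import random
from datetime import date

TLDS_B = ["com", "net", "org", "info", "biz"]   # 5 TLDs, as described for Conficker.B
LETTERS = "abcdefghijklmnopqrstuvwxyz"


def daily_domains(day, count, tlds):
    """All candidate domains for `day`. The only input is the date, so anyone
    holding the algorithm (the working group included) computes the same list."""
    seed = int.from_bytes(hashlib.sha256(day.isoformat().encode()).digest(), "big")
    rng = random.Random(seed)
    names = []
    while len(names) < count:
        label = "".join(rng.choice(LETTERS) for _ in range(rng.randint(5, 11)))
        fqdn = f"{label}.{rng.choice(tlds)}"
        if fqdn not in names:
            names.append(fqdn)
    return names


def sinkhole_plan(day, count, tlds):
    """Domains the working group must register or sinkhole before `day` begins.
    A bot that picks only a random subset of the pool still hits one of these."""
    return set(daily_domains(day, count, tlds))


def is_preempted(fqdn, plan):
    """Resolver-side check: is this query for a domain already in the sinkhole plan?"""
    return fqdn.lower().rstrip(".") in plan


# Illustrative date and the plan a defender would prepare for it (250/day, 5 TLDs).
EXAMPLE_DAY = date(2009, 3, 1)
EXAMPLE_PLAN = sinkhole_plan(EXAMPLE_DAY, 250, TLDS_B)

if __name__ == "__main__":
    first = sorted(EXAMPLE_PLAN)[0]
    print(len(EXAMPLE_PLAN), "domains to pre-register for", EXAMPLE_DAY)
    print(first, "pre-empted:", is_preempted(first.upper() + ".", EXAMPLE_PLAN))
```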

    Page 33

    Collaborative Effort Works!

    (Chart legend: Conficker.C, Conficker.A/B, No infection)

    The Conficker Working Group led a concerted effort (www.confickerworkinggroup.org)

    ICANN organized all registries to pre-empt the registration and handle affected domains

    Researchers generated the list of generated domains and affected domains to provide transparency

    Some worked out an EyeChart for easy detection; security vendors developed detection and removal tools

    HKIRC, HKCERT, Police and OGCIO: check affected domains in the April list for suspicious content; put idle domains under close observation; exchange intelligence on the progress; coordinate with CNCERT/CC on an HK IP address owned by a mainland web hosting provider

    Page 34

    Conficker: a model for a sustainable Botnet

    Everyone was watching the domain generation, but nothing happened there

    Since Conficker has dual update mechanisms, domain generation and P2P, it takes the liberty to use either one at any time. Conficker succeeded in evolving via the P2P channel.

    We still have a long way to go to close it down.

    Defending against Botnets

    Page 36

    Enhance Response

    The Conficker Working Group approach works! ICANN and others are collaborating more to speed up the take down: sharing of intelligence; speed up takedown; pre-empt future attacks

    HKCERT: proactive discovery of malicious sites in Hong Kong (with limited resources); awareness education for service providers: HKCERT organized with OGCIO and HKPF an ISP Symposium in May 2009; Cyber Drill: HKCERT organized with OGCIO and HKPF a cyber drill with the theme "Combating Cyber Crime" in July 2009

    HKMA & Banks: HKMA circular; banks tighten their procedures for high-risk transactions and fraud detection

    Page 37

    Defense against Botnet

    Botnet is malware

    3 baseline defenses are necessary though insufficient:

    Protection from malware (note: browser plugins can be malicious or a weak point)

    Personal Firewall

    Update patches

    Server defense: install minimum modules on the server; do not use it to browse the Internet; keep patching up to date

    Protect from web attacks: Application Firewall; see the SQL Injection Defence Guideline published by HKCERT

    Page 38

    Monitor software patch level and take prompt action

    Secunia Personal Software Inspector: scans for installed Windows software and their patch level, with threat level; provides a link to download the available patch or workaround

    http://secunia.com/vulnerability_scanning/personal/

    Page 39

    Monitor software update

    CleanSofts.com Update Notifier: scans for installed Windows software and displays a list of updates; verifies the software against malware (best effort with current AV software only, so it is no better than VirusTotal)

    http://cleansofts.org/view/update-notifier.html

    Page 40

    Safe Browsers

    Browsers add anti-malware, anti-phishing features: IE, Mozilla, Opera; add the Netcraft toolbar if you want

    Minimize your browser and plug-ins

    Firefox and Flock browser now incorporate Google safety alert

    New browsers use a sandbox approach: Chrome

    Detecting Botnet: next presentation

    Q & A

    S.C. Leung [email protected]

    Page 43

    Building up a Botnet

    Having the malware to infect user machines: detection evasion advancement; control and update

    Getting a channel to deliver the malware: spam (social engineering); legitimate web server redirecting users to exploit servers; social network redirecting users to exploit servers; exploit servers hosting the malware

    Exploiting vulnerabilities (Windows, browser, Office, Acrobat Reader, Adobe Flash, etc.) of the victim machine

    Controlling the victim PCs: Botnet Command and Control Centre

    Providing resilience in case of take down by law enforcement: Fast Flux DNS, to make the structure more dynamic; Disaster Recovery: find a way to recover

    (Examples mapped on the slide: Waledac, Gumblar, Conficker, Koobface)