Cyber Attack Trend and Botnet (slide transcript, infosec.gov.hk)
S.C. Leung, CISSP CISA CBCP
Page 2
Agenda
Botnet Attack Trends
Commercialization of Cyber Crime
Professionalization of Cyber Crimeware
Social Engineering always cool: Waledac botnet
Following the Social Network Services: Koobface botnet
Delivering via Web attack & Search Engine: Gumblar botnet
Following the Money: Banking Trojans like Zeus botnet
Building the Survival Kit: Conficker botnet
Defending against Botnet
Botnet and Cyber Attack Trends
Page 3
Botnet (roBot Network) = infrastructure of controlled victim computers (bots)
[Diagram: Bot Herder -> C&C servers -> bots. Down: Command/Update; Up: Data. The bots are used for DDoS attack, Spam, Malware and Phishing against victims.]
1. Commercialization of Cyber Crime
Page 5
Product and Service Delivery for Profit
What do attackers want now?
What are their products and services?
Products: personal credentials, CCN, SSN, software CD keys
Tools to exploit, tools to hide malware
Service subscription: spam, phishing, DDoS botnet (76services.com, now closed)
2. Professionalization of Cyber Crimeware
Page 7
Professionalization of Cyber Crimeware
Division of Labour, R&D and Outsourcing
Malware development and botnet optimization: malware good at detection evasion; malware targeting, identifying and terminating security software; multi-language support; remote administration support; signing and encryption
IT infrastructure: hosting network and web hosting in a hacker-friendly environment, where there is great bandwidth, where legislation is lax, where user awareness is low
Domain registration and domain hosting where the take-down procedure is lengthy
Botnet is a sign of maturity of the infrastructure for the underground economy: service delivery, maintenance, long-term control
3. Social Engineering always cool
Waledac Botnet
Page 9
Waledac Botnet
Spreading by spam emails that employ social engineering extensively
Emails contain a link to a malicious website with an embedded iFrame, tricking the user into installing the malware
Author = creator of the Storm botnet (which overwhelmed the Internet back in 2007)
Has sound infrastructure:
uses Nginx web server
uses Double Fast Flux DNS: the DNS records are changing all the time, and the DNS servers are changing all the time
Page 10
Waledac Fast-flux
Bot hosts can be dynamically assigned in real time
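As an added example (not from the slides), the double fast-flux pattern described above can be spotted from repeated DNS lookups: a domain whose A records and NS records both churn on short TTLs. The observations, domain names and thresholds below are constructed for the illustration.

```python
from collections import defaultdict

# Constructed DNS observations: (domain, record type, value, ttl, seconds since first lookup).
# Sample data for illustration only; the .example names are reserved, not real hosts.
OBSERVATIONS = [
    ("ecard-greet.example", "A", "203.0.113.10", 300, 0),
    ("ecard-greet.example", "A", "198.51.100.7", 300, 0),
    ("ecard-greet.example", "NS", "ns1.flux.example", 300, 0),
    ("ecard-greet.example", "A", "192.0.2.44", 300, 600),
    ("ecard-greet.example", "A", "203.0.113.99", 300, 600),
    ("ecard-greet.example", "NS", "ns7.flux.example", 300, 600),
    ("ecard-greet.example", "A", "198.51.100.200", 300, 1200),
    ("ecard-greet.example", "NS", "ns3.flux.example", 300, 1200),
    ("promo-cdn.example", "A", "203.0.113.20", 120, 0),
    ("promo-cdn.example", "A", "203.0.113.21", 120, 0),
    ("promo-cdn.example", "A", "203.0.113.22", 120, 600),
    ("promo-cdn.example", "A", "203.0.113.23", 120, 600),
    ("promo-cdn.example", "A", "203.0.113.24", 120, 1200),
    ("promo-cdn.example", "NS", "ns1.cdn.example", 3600, 0),
    ("static-site.example", "A", "192.0.2.1", 86400, 0),
    ("static-site.example", "NS", "ns1.static.example", 86400, 0),
    ("static-site.example", "A", "192.0.2.1", 86400, 600),
]


def flux_profile(observations):
    """Collect, per domain, the distinct A and NS answers seen and the lowest TTL."""
    prof = defaultdict(lambda: {"ips": set(), "ns": set(), "min_ttl": None})
    for dom, rtype, value, ttl, _seen_at in observations:
        p = prof[dom]
        if rtype == "A":
            p["ips"].add(value)
        elif rtype == "NS":
            p["ns"].add(value)
        p["min_ttl"] = ttl if p["min_ttl"] is None else min(p["min_ttl"], ttl)
    return prof


def classify(profile, ip_threshold=5, ns_threshold=2, ttl_threshold=900):
    """Thresholds are assumptions for the demo: 'double-flux' when both the A set and the
    NS set churn on short TTLs, 'single-flux' when only the A set does, else 'stable'."""
    verdict = {}
    for dom, p in profile.items():
        a_flux = len(p["ips"]) >= ip_threshold and p["min_ttl"] <= ttl_threshold
        ns_flux = len(p["ns"]) >= ns_threshold
        verdict[dom] = "double-flux" if a_flux and ns_flux else ("single-flux" if a_flux else "stable")
    return verdict
```

Legitimate CDNs and round-robin hosts also rotate A records, so single-flux is a weak signal on its own; it is the NS churn on top of it that marks the double-flux infrastructure the slide describes.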
Page 11
Waledac theme: eCard. Social engineering follows the talk of the town
postcard.exe
Page 12
Waledac themes: social engineering follows the talk of the town
SMS Spy on your Partner
Terrorist Attack theme
Independence Day
Page 13
Waledac Service and Feature
Impact: open a back door on the compromised computer
steal personal information
spam contacts in address book
turn zombie into web server, web proxy, DNS and spam template relays
Major web server services: pharmacy sites; serving malware
4. Following the Social Network Services
Page 15
Koobface (koob-face)
A worm spreading in Facebook, MySpace, Twitter, Friendster, hi5 & Bebo
http://www.f-secure.com/weblog/archives/00001517.html
Spreading: spoof a friend and send a message "Hello; You must see it!!! LOL" with a URL
URL brings the user to a fake YouTube site, luring them to install a file Flash_update.exe
Upon execution, the victim is infected.
Impact: poison all user searches (Google, Ask, Yahoo and Bing) to malicious sites
Page 16
Koobface: Twitter campaign
Infected PCs with Koobface sent out Tweets with malicious URLs
Page 17
A Botnet uses Twitter as Command Channel
Bots subscribe to an RSS feed to get commands. A Tweet like this:
aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==
Base64-decoding the tweet, we get 2 tiny URLs: http://bit.ly/R6STV http://bit.ly/2KoHo
The bit.ly tiny URLs translate to: http://pastebin.com/pastebin.php?dl=m5222dc70
http://paste.debian.net/43529/download/43529
The URLs point to encoded files. When decoded and unzipped, they give malware files which were found to be poorly detected by VirusTotal as malware
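As an added example (not from the slides), the decoding step above written as the check a feed monitor could run: decode any tweet that is pure base64 and flag it when the plaintext carries URLs. The sample feed is constructed; only its first entry is the tweet quoted on the slide.

```python
import base64
import binascii
import re

# Constructed sample feed: only the first entry is the tweet quoted on the slide.
SAMPLE_FEED = [
    "aHR0cDovL2JpdC5seS9SNlNUViAgaHR0cDovL2JpdC5seS8yS29Ibw==",
    "just had lunch, great weather today",
    "Y29tcGxldGVseSBoYXJtbGVzcyB0ZXh0",   # base64 of harmless text with no URL in it
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_tweet(text):
    """Return the decoded text if the whole tweet is well-formed base64, else None."""
    s = text.strip()
    if len(s) % 4 != 0 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None


def hidden_urls(text):
    """URLs that only appear after decoding, the pattern used by the RSS command channel."""
    decoded = decode_tweet(text)
    return URL_RE.findall(decoded) if decoded is not None else []


def flag_feed(entries):
    """(tweet, urls) for every entry whose decoded body carries a URL; plain text is ignored."""
    return [(t, hidden_urls(t)) for t in entries if hidden_urls(t)]
```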
5. Delivering via Web attack & Search Engine: Gumblar Botnet
Page 19
Gumblar Botnet: Impact
Web sites are a delivery channel of malware. Gumblar steals FTP credentials and uploads malware to 3000 legitimate web sites. Bots connect to two domains for download: gumblar.cn / martuz.cn
Two botnets formed: one of web sites and one of infected client PCs
Impacts on client PCs: installs a backdoor in the victim's computer that connects to C&C
steals FTP credentials from the victim's computer
Man-in-the-browser attack: monitors traffic to and from the browser; replaces Google search results with links pointing to malicious websites; redirects from e-commerce or banking sites to phishing web sites
Impacts on web sites: compromises any websites owned or operated by the victims; distributes malware which exploits Acrobat Reader & Flash Player vulnerabilities
Page 20
Gumblar Botnet: Obfuscation
Web pages are injected with obfuscated scripts, which vary from site to site, or page to page
[Screenshot: Malzilla]
Page 21
Gumblar Botnet: Detection and Take down
Blocking: block the two C&C sites gumblar.cn and martuz.cn
Checking (not 100% accurate): http://www.unmaskparasites.com/security-report/
6. Following the Money
Page 23
Botnet targeting Banks
What I have seen on a Zeus Botnet C&C Management interface
Bot administration features:
Screenshot (save to html without image)
Fake redirect (redirect to a prepared fake bank webpage)
Html inject (hijack the login session and inject new field)
Log the visiting information of each banking site, record the input string (text or post URL)
An unknown field (table: yes/no) found with syntax: nn:nnnnnnnn; if the value is yes, mostly with comment, the comment logged the a/c information, e.g. transfer limit.
Page 24
Fake Redirect login page
Source: Computer Associates
Page 25
Man-in-the-Browser
Hacker's ideal operation:
Intercept the transaction
Change the amount and change the destination to the attacker's account, then send it to the bank
Change the display to the user as if his transaction was executed: calculate the expected amount and rewrite the remaining total on screen
Source: www.cronto.com
Page 26
Man in the Browser (MITB)
Install software/plugin inside the browser, hooking key OS and web browser APIs and proxying data
Advantages: no encryption barrier as with a network proxy; the SSL padlock is unaffected for modified content; direct access to data
Freely alter the web page displayed to the customer; freely modify the requests sent back to the bank
Direct interface to web browser & application; can create additional commands (GET/POST/PUT)
Extremely stealthy: client hard to detect, since the network is not interfered with; web address and digital certificates are all correct; bank sees the customer's real IP address
Faster real-time response, so can break 2FA
[Diagram: Web App -> MITB -> Winsock]
Page 27
Limbo 2 - HTML Injection
Limbo 2 Trojan kit
Some variants inject fake fields into the online banking forms that the browser displays to the user.
The additional fields are designed to collect details that help an attacker impersonate the victim and/or compromise the victim's account
Source: ThreatExpert
What is the use of getting the additional info?
Page 28
Inserting a transaction (at login)
[Diagram of the login flow: the user submits PIN + OTP; the Trojan kicks off a shadow login at the back; the user is shown "Not successful. Please retry" in a newly inserted window and submits PIN + OTP2; the hacker uses OTP2 to authenticate a transaction.]
Page 29
HKMA Circular 2009-07-13
The HKMA noticed that the recent fraudulent technique adopted by fraudsters is believed to involve infecting the customer's personal computer (PC) with Trojan horse programs to hijack the Internet banking login credentials of customers (including one-time passwords for two-factor authentication) during the Internet banking login process.
The hijacked login credentials were used by the fraudsters to conduct high-risk Internet banking transactions such as making fund transfer to an unregistered third-party account.
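As an added example (not from the slides or the HKMA circular), a small model of why the harvested OTP2 still authorises a tampered transfer: a login-time OTP is derived from the token and a counter only, so the bank's check never sees the amount or destination. The transaction-bound code beside it is an assumed design, not a technique the slides describe; the secret and account labels are constructed.

```python
import hashlib
import hmac

# Constructed demo secret shared between the bank and the customer's token; not a real key.
TOKEN_SECRET = b"demo-shared-secret-for-illustration"


def login_otp(secret, counter):
    """Login-time OTP as on the slide: derived from the token secret and a counter only."""
    return hmac.new(secret, str(counter).encode(), hashlib.sha256).hexdigest()[:6]


def transaction_code(secret, amount, destination):
    """Transaction-bound code (assumed design, not from the slides): the token computes it
    over the amount and destination the customer actually sees and keys in."""
    msg = f"{amount}|{destination}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def bank_verify_login_otp(secret, counter, submitted):
    """Bank check that only validates the OTP itself; the transaction never enters the check."""
    return hmac.compare_digest(submitted, login_otp(secret, counter))


def bank_verify_transaction_code(secret, submitted, amount, destination):
    """Bank check that recomputes the code over the transaction as the bank received it."""
    return hmac.compare_digest(submitted, transaction_code(secret, amount, destination))


def simulate(tampered):
    """Customer authorises 100 to ACC-FRIEND. With `tampered`, the in-browser proxy rewrites
    the request to 5000 -> ACC-ATTACKER before it leaves the PC (the slide's 'change amount
    and destination'). Returns what each style of bank check decides."""
    user_amount, user_dest = 100, "ACC-FRIEND"
    sent_amount, sent_dest = (5000, "ACC-ATTACKER") if tampered else (user_amount, user_dest)
    otp2 = login_otp(TOKEN_SECRET, counter=2)     # the second OTP the shadow login harvests
    code = transaction_code(TOKEN_SECRET, user_amount, user_dest)
    return {
        "login_otp_check": bank_verify_login_otp(TOKEN_SECRET, 2, otp2),
        "tx_code_check": bank_verify_transaction_code(TOKEN_SECRET, code, sent_amount, sent_dest),
    }
```

The login OTP passes in both runs because nothing about the transfer is bound into it; the bound code fails as soon as the request the bank receives differs from what the customer signed.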
7. Building the Survival Kit: Conficker Botnet
Page 31
Conficker - Propagation Mechanism
Source: Cisco 2009 MidYear Report
Page 32
Conficker: a model for sustainable botnet
Designed to survive a disaster: what if the C&C are taken down? Conficker.B: domain generation for malware update
Active since Nov 2008, generating 250 domains/day in 5 TLDs for update
Conficker's natural predator: the Conficker Working Group, an alliance of ICANN, domain registries and the IT industry, worked together to pre-empt Conficker: pre-register domains, redirect traffic to sinkholes to study the behaviour
Conficker.C improved: starting Apr 1, 2009, generating 50,000 domains/day in 116 TLDs; uses 500 at random (some are existing domains), making it harder to preempt the domains
Improved authentication and encryption, so you cannot infiltrate the Conficker.C botnet easily
Uses P2P for update as well: peers can update each other with the right authentication
Blocks more security vendors' web sites
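As an added example (not Conficker's real generator, which the slides do not give), a toy date-seeded DGA with the slide's parameters shows what the Working Group's pre-registration has to cover, and why 50,000 candidates with 500 random picks is a different problem from 250 per day. Seed, TLD lists and names are constructed.

```python
import hashlib
from datetime import date, timedelta

# Toy date-seeded DGA in the shape the slide describes. It is NOT Conficker's real algorithm
# (the slides do not give it); seed and TLD lists are constructed for the demo.
TLDS_B = ["com", "net", "org", "info", "biz"]            # 5 TLDs, as for Conficker.B
TLDS_C = [f"tld{i}" for i in range(116)]                 # 116 placeholder TLDs, as for Conficker.C


def daily_domains(day, per_day, tlds, seed=b"toy-seed"):
    """Deterministic candidate rendezvous domains for one day (day as 'YYYY-MM-DD')."""
    names = []
    for i in range(per_day):
        h = hashlib.sha256(seed + day.encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:10])
        names.append(f"{label}.{tlds[h[10] % len(tlds)]}")
    return names


def preempt_list(start, days, per_day, tlds):
    """Every name a working group must pre-register to deny all rendezvous points for `days` days."""
    first = date.fromisoformat(start)
    names = set()
    for n in range(days):
        names.update(daily_domains((first + timedelta(days=n)).isoformat(), per_day, tlds))
    return sorted(names)


def attacker_reach(total, queried, registered):
    """Probability that a bot querying `queried` names drawn at random from the day's `total`
    hits at least one of the `registered` names the botmaster actually bought."""
    miss = 1.0
    for k in range(queried):
        miss *= (total - registered - k) / (total - k)
    return 1.0 - miss
```

With 250/day the week's pre-registration list is 1,750 names; with 50,000/day it is 350,000, and since each bot tries only 500 of them the operator needs to register only a handful (about 1% reach per registered name) while the defenders must cover all of them.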
Page 33
Collaborative Effort Works!
[Chart: infection share by variant: Conficker.A/B, Conficker.C, no infection]
Conficker Working Group led a concerted effort (www.confickerworkinggroup.org)
ICANN organized all registries to pre-empt the registration and handle affected domains
Researchers generated the list of generated domains and affected domains to provide transparency
Some worked out an EyeChart for easy detection; security vendors developed detection and removal tools
HKIRC, HKCERT, Police and OGCIO: checked affected domains in the April list for suspicious content; put idle domains under close observation; exchanged intelligence on the progress; coordinated with CNCERT/CC on an HK IP address owned by a mainland web hosting provider
Page 34
Conficker: a model for sustainable Botnet
Everyone was watching the domain generation, but nothing happened there
Since Conficker has dual update mechanisms, domain generation and P2P, it takes the liberty to use either one at any time. Conficker succeeded in evolving via the P2P channel.
We still have a long way to go to close it down.
Defending against Botnets
Page 36
Enhance Response
Conficker Working Group approach works! ICANN and others are collaborating more to speed up the take-down.
Sharing of intelligence; speed up takedown; preempt future attacks
HKCERT: proactive discovery of malicious sites in Hong Kong (with limited resources); awareness education for service providers: HKCERT organized an ISP Symposium with OGCIO and HKPF in May 2009; Cyber Drill: HKCERT organized with OGCIO and HKPF a cyber drill with the theme "Combating Cyber Crime" in July 2009
HKMA & Banks: HKMA circular; banks tighten their procedures for high-risk transactions and fraud detection
Page 37
Defense against Botnet
Botnet is malware
3 baseline defenses are necessary though insufficient:
Protection from malware (note: browser plugins can be malicious or a weak point)
Personal firewall
Update patches
Server defense: install minimum modules on the server; do not use it to browse the Internet; keep patches updated
Protect from web attacks: application firewall; see the SQL Injection Defence Guideline published by HKCERT
Page 38
Monitor software patch level and take prompt action
Secunia Personal Software Inspector: scans installed Windows software and their patch level, with threat level; provides a link to download the available patch or workaround
http://secunia.com/vulnerability_scanning/personal/
Page 39
Monitor software update
CleanSofts.com Update Notifier: scans installed Windows software and displays a list of updates; verifies the software against malware (best effort with current AV software only, so it is no better than VirusTotal)
http://cleansofts.org/view/update-notifier.html
Page 40
Safe Browsers
Browsers add anti-malware and anti-phishing features: IE, Mozilla, Opera; add the Netcraft toolbar if you want
Minimize your browser and plug-ins
Firefox and Flock browsers now incorporate Google safety alerts
New browsers use a sandbox approach: Chrome
Detecting Botnet: next presentation
Q & A
S.C. Leung [email protected]
Page 43
Building up a Botnet
Having the malware to infect user machines: detection evasion advancement; control and update
Getting a channel to deliver the malware: spam (social engineering); legitimate web servers redirecting users to exploit servers; social networks redirecting users to exploit servers; exploit servers hosting the malware
Exploiting vulnerabilities (Windows, browser, Office, Acrobat Reader, Adobe Flash, etc.) of the victim machine
Controlling the victim PCs: botnet command and control centre
Providing resilience in case of take-down by law enforcement: Fast Flux DNS, to make the structure more dynamic; disaster recovery: find a way to recover
[Diagram mapping these steps to Waledac, Gumblar, Conficker and Koobface]