Electrical Engineering and Computer Sciences, University of California, Berkeley

Combating Stealth Malware and Botnets in Higher Education
Educause, Arlington, 2008
Fred Archibald, University of California Berkeley, Electrical Engineering and Computer Sciences
Overview
- EECS Network Background
- Security Concerns
- Existing Protections
- FireEye Deployment
- Infection Examples
- Futures and Challenges
EECS Network Background
- EECS Is A Large Department
- Serves More Than
  – 4000 Undergrads
  – 500 Grad Students
  – 100 Faculty
  – 200 Staff
- Network Largely Separate From Rest Of UCB
Security Concerns
- Security Is A Constant Issue
- Berkeley Is Often A Target
- Security Is Now An Arms Race
  – Hackers Have Moved From Notoriety To Crime
- More Concern About Compliance
Security Concerns
- Mobile Devices Are A Big Concern
  – Boom In WiFi
  – Over-The-Air Traffic Often Insecure
  – Less Enterprise Control Over User-Owned Devices
- EECS Uses Internal And External WLANs
- Zero-Day Concerns
Existing Protections
- Enterprise Firewall
  – Less Effective In An “Open” Academic Net
- A/V
  – A Struggle To Keep Up To Date
- IDS
  – A Lot Of False Positives
- Host-Based Firewalls
- Anti-Spam Appliances
FireEye Deployment
- Targeted Primarily At Wireless Traffic
- Out-Of-Band Solution
  – Very Important For EECS
- Completely Clientless
  – Also Very Important
- Wireless Data Mirrored To Two Appliances
FireEye Deployment
- Appliances Run Traffic Against “Virtual Victim” Clients
- Positive Infection Can Result In Alerts Or Blocks
- Dynamic Updates From Botwall Network
Infection Examples: Spam Bots
Clients Receive Malware: Rustock
(Rustock analysis credit: Ken Chiang, Levi Lloyd, Sandia National Lab)

Rustock
- Spam Mail Bot
- Installs A Rootkit
- Installs A SPAM Module
- Uses Encryption
- Can Install Any Arbitrary Code
- Flexible & Easy To Update
Botted Clients Send Spam
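The Rustock slides above say the infected clients send spam themselves rather than through the department's mail servers. That behaviour is visible in flow data from the same mirror port that feeds the appliances: a client-range host opening TCP/25 connections to many distinct outside hosts in a short window is a strong spam-bot indicator. The following is an added example (not code from the EECS deployment or from FireEye) showing that heuristic over constructed flow records; the client address range, the mail-server address, the flow line format, the window and the threshold are all assumptions chosen for the demo.

```python
"""Spot spam-bot behaviour in flow records from a mirror port.

Added example, not part of the EECS slides. Ordinary clients relay mail
through the department's MTAs, so a client host that opens direct TCP/25
connections to many distinct external hosts within a few minutes is
flagged. All address ranges and flow records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed: the wireless client range and the site's legitimate MTA.
CLIENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_MTAS = {ipaddress.ip_address("10.1.1.25")}


def parse_flow(line):
    """Parse 'YYYY-MM-DDTHH:MM:SS src dst dport proto' (constructed format)."""
    ts, src, dst, dport, proto = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(dport), proto)


def is_client(addr):
    return any(addr in net for net in CLIENT_NETS)


def find_spam_bots(lines, window=timedelta(minutes=5), threshold=10):
    """Return {src: distinct SMTP destinations} for client hosts that reach
    `threshold` distinct non-MTA destinations on TCP/25 inside `window`."""
    smtp = defaultdict(list)  # per-source list of (time, destination)
    for line in lines:
        ts, src, dst, dport, proto = parse_flow(line)
        if proto == "tcp" and dport == 25 and is_client(src) and dst not in ALLOWED_MTAS:
            smtp[src].append((ts, dst))

    flagged = {}
    for src, events in smtp.items():
        events.sort()
        start = 0
        # Sliding window over time-ordered events, counting distinct destinations.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({d for _, d in events[start:end + 1]})
            if distinct >= threshold:
                flagged[str(src)] = max(flagged.get(str(src), 0), distinct)
    return flagged


def build_sample_flows():
    """Constructed flow records: one bot, one normal client, one stray connection."""
    base = datetime(2008, 3, 1, 9, 0, 0)
    lines = []
    for i in range(12):  # bot: 12 distinct external hosts on port 25 within 2 minutes
        t = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{t} 10.20.5.7 198.51.100.{i + 1} 25 tcp")
    lines.append(f"{base.isoformat()} 10.20.5.8 10.1.1.25 25 tcp")     # normal client via the MTA
    lines.append(f"{base.isoformat()} 10.20.5.8 203.0.113.9 443 tcp")  # unrelated web traffic
    lines.append(f"{base.isoformat()} 10.20.5.9 203.0.113.25 25 tcp")  # single stray SMTP, below threshold
    return lines


if __name__ == "__main__":
    for host, count in find_spam_bots(build_sample_flows()).items():
        print(f"ALERT possible spam bot {host}: {count} distinct SMTP destinations in window")
```

The threshold and window are tuning knobs: a department that lets some clients run their own MTAs should add them to `ALLOWED_MTAS` or exclude their addresses from `CLIENT_NETS` before relying on this as an alerting rule.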
Trojan.farfli
Trojan.farfli (Excerpt From Symantec)
Discovered: July 29, 2007
Updated: July 29, :51:54 AM
Also Known As: TROJ_FARFLI.EY [Trend]
Type: Trojan
Infection Length: Varies
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000

It then hooks or patches ZwSetValueKey to prevent other threats or security risks overwriting the Start Page registry entry. If it finds a specific Web browser installed, it modifies files so that when a user performs a search it is conducted via the Baidu URL with the specific affiliate name:
Botnet IRC Channel Join: Trojan-Downloader.QQHelper
- User Or Malware Connects To:
  – http://kXXXXj412 (hostname redacted in the original)
- User Connects To The Site With A Specific Query ID
- The Site Sent The Browser A File Called logo.jpg
  – Really A UPX-Packed Malware Executable
- The Browser Installed The EXE
- Bot Communication Begins On IRC
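The QQHelper sequence above has two signals a defender can catch on mirrored traffic without a signature for the specific sample: a file served as "logo.jpg" whose bytes begin with a Windows executable header (and carry UPX section names), and an IRC JOIN on a reconstructed TCP stream. The following is an added example, not code from the EECS deployment or from FireEye, that checks both; the sample payloads, the IRC stream lines and the channel name are constructed for the demo, and the function names are my own.

```python
"""Flag a download whose bytes contradict its claimed type, and IRC joins.

Added example, not from the EECS slides. Compares a served file's magic
bytes against the name/Content-Type it arrived with, looks for UPX
section names inside a PE, and pulls channel names out of IRC JOIN
commands regardless of TCP port. All sample data is constructed.
"""
import re

# Real magic bytes for the types this check cares about.
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
MZ_MAGIC = b"MZ"
# Section names UPX writes into a packed PE's section table (real values).
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")

IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if data.startswith(MZ_MAGIC):
        return "pe-executable"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    return "unknown"


def is_upx_packed(data: bytes) -> bool:
    return data.startswith(MZ_MAGIC) and any(m in data for m in UPX_MARKERS)


def assess_download(filename: str, content_type: str, data: bytes) -> dict:
    """Return a verdict; 'alert' is True when the bytes contradict the claim."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff(data)
    claims_image = ext in IMAGE_EXTENSIONS or content_type.startswith("image/")
    reasons = []
    if actual == "pe-executable" and claims_image:
        reasons.append(f"{filename} served as {content_type or ext} but starts with an MZ header")
    if is_upx_packed(data):
        reasons.append("PE carries UPX section names (packed)")
    return {"filename": filename, "actual_type": actual, "alert": bool(reasons), "reasons": reasons}


# IRC JOIN with or without a prefix; channels start with '#'.
IRC_JOIN = re.compile(r"^(?::\S+\s+)?JOIN\s+(#\S+)", re.IGNORECASE)


def irc_joins(stream_lines):
    """Return channel names from JOIN commands in a reconstructed TCP stream."""
    found = []
    for line in stream_lines:
        m = IRC_JOIN.match(line.strip())
        if m:
            found.append(m.group(1))
    return found


# Constructed sample payloads: a fake PE header followed by UPX section names,
# and the first bytes of a genuine JFIF image.
FAKE_UPX_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 20 + b"UPX0" + b"\x00" * 36 + b"UPX1"
REAL_JPEG_START = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"

# Constructed IRC stream as a sensor would reassemble it (channel name invented).
SAMPLE_IRC_STREAM = [
    "NICK constructed-nick",
    "USER c 0 0 :c",
    ":irc.example.test 001 constructed-nick :Welcome",
    "JOIN #constructed-channel",
    "PRIVMSG #constructed-channel :hello",
]

if __name__ == "__main__":
    print(assess_download("logo.jpg", "image/jpeg", FAKE_UPX_PE))
    print(assess_download("logo.jpg", "image/jpeg", REAL_JPEG_START))
    print("IRC joins seen:", irc_joins(SAMPLE_IRC_STREAM))
```

The magic-byte check is cheap enough to run on every object a proxy or mirror-port sensor reassembles, and the IRC check is deliberately port-agnostic because the slide's bot traffic need not use TCP/6667.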
Botnet_W32/Small.HSG
Botnet_W32/Small.HSG
Trojan-Downloader:W32/Small.HSG downloads and runs a file that is detected as Trojan-Downloader.Win32.Agent.HQL. It normally arrives as a file dropped by other malware, or is downloaded unsuspectingly by the user from a malicious website. Once running on the system, this trojan will download a file from the following website:
The downloaded file will then be stored as: %Windows%\17PHolmes.exe
Futures And Challenges
- Move Appliances To Network Edge
  – Capture Both Wireless And Wired Traffic
  – Mirroring Or SPAN Difficulties
  – Use Gigamon Data Access Switch
- Explore OSPF Null Routing To Block Traffic To Botnets
- More Mobile Platforms
Summary
- Our Existing Protections Are No Longer Adequate
- Botnet Traffic Was Previously Difficult To Detect
- Botnet Detection Gives Us A New Weapon To Battle Stealth Malware
Questions?