Presentation is loading. Please wait.

Presentation is loading. Please wait.

Beyond Fast Flux: Parasitic Command And Control Networks in the Near Future.

Published byBenedict Freeman Modified over 8 years ago

Similar presentations

Presentation on theme: "Beyond Fast Flux: Parasitic Command And Control Networks in the Near Future."— Presentation transcript:

1 www.immunityinc.com Beyond Fast Flux: Parasitic Command And Control Networks in the Near Future

2 Agenda ● Problems of scale when hacking – Client-sides ● Immunity's PINK Framework ● Trojaning hard targets – Immunity Debugger Parasitic Infection

3 Targets are ephemeral ● Time – Your workstation turns on and off as you come to work ● Location – Your laptop travels across network security boundaries ● Configuration – Your server is upgraded, reconfigured, network infrastructure changes around it

4 Command and Control in most hacking platforms is a tree Attacker Target 1 Target 2 Target 3

5 Networks are not trees ● A fully connected graph is what we want ● Self routing with some human input ● This is a hugely expensive solution ● Management costs ● Development costs ● Need to emulate TCP over thousands of protocols ● Those who don't use TCP are doomed to re-implement it...

6 Building and storing routing tables is a hard problem ● Harder for us due to covertness ● We don't want any node to have a larger picture of all the other owned nodes than it absolutely has to ● Automatic solutions are possible, but for now, manual operation of routing is easiest

7 Scalability problems ● Management of one hundred ants is easy – Picture of thirty million ants ● A good client-side vulnerability can be used to own a quarter million boxes a day ● Future work involves self-directed worms

8 Asymmetric attack means we need to not have a rack of machines ● Portable C&C ● Scalable C&C ● Covert C&C ● Immunity's PINK infrastructure solves these problems

9 Current Botnet C&C technology ● IRC ● HTTP to single server ● Fast-Flux of DNS Servers ● Storm P2P protocols

10 Covertness or Reliability? ● P2P is reliable, not covert – Requires chatty communications on the network – Difficult to pass through strict proxies – Easily fingerprintable

11 PINK C&C Framework C&C Listening Posts Targets Dead Drops Blog/Web/News Searchers

12 Blogsearch ● Blog searching is the current best parasitic host protocol for PINK – Almost instantaneous responses – Easy to find hosts for our blogs – Lots of signal to hide in ● Any search engine will do though

13 PINK DEAD DROPS ●

14 Each Target is looking for multiple triggers ● Goal is to divide our targets into manageable sets – Per Country – Per Company – Per Domain – Per Time-of-exploit – etc ● “All hosts from immunityinc.com” please contact listeningpost.my.com using HTTP MOSDEF on port 443 ● All target.com's please deliver any.xls with “Payroll” string to email address bob@example.com

15 Signed and Encrypted payloads prevent replay attacks with removal kits ● Triggers need to be signed with time-based key as well ● Making triggers strings of random words makes it hard for search engines to filter our requests

16 Client-side conclusions ● Currently in Beta-testing state – pushing out to CANVAS shortly ● Parasitic C&C is: – Nearly impossible to detect and monitor – Easily re-targetable to any search engine or search option on a web page – Does not require expensive infrastructure to maintain

17 Servers and hard targets ● Servers may not be able to contact us via HTTP ● Need way to connect to stationary targets behind firewalls and application proxies covertly ● Each target is different! ● Example target: MS SQL Server 2005 in strict DMZ tier

18 Every web application is a unique snowflake Attacker Firewall+IPS+Reverse HTTP Proxy+Load Balancer Web Servers Firewall App Servers Firewall Database we Control

19 Custom automatic backdoors ● Use Immunity Debugger to analyze target.exe/.dll ● Send traffic to it and trace where our triggers are seen ● Create custom patch to PINKize target.dll and write this to disk and memory ● Box is now trojaned in a way that does not require direct connectivity!

20 Why Immunity Debugger? ● Includes built in analysis engine ● Full Python scripting API can do both dynamic and static analysis ● Send data to the server and then see what API it triggers ● Mutate our parasite to look statistically like the target program ● Trojan in memory or on disk or both

21 Avoiding Structural BinDiff ● Change all CALL opcodes to point to our dispatcher ● Have dispatcher send hooked API's to our code instead B C D A E Di sp. B C D E A

22 Overall Conclusions ● Botnets and trojans will be extremely difficult to find and analyze in the near future. ● Nascent market shift to automated incident response as part of vulnerability analysis faces ongoing challenges as attackers build one-time custom-use trojans

Download ppt "Beyond Fast Flux: Parasitic Command And Control Networks in the Near Future."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Packets and Protocols Chapter Seven Real World Packet Captures.

Packets and Protocols Chapter Seven Real World Packet Captures.
Copyright © 1995-2009 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci530 Computer Security Systems Lecture.
Threat infrastructure: proxies, botnets, fast-flux

Threat infrastructure: proxies, botnets, fast-flux
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.

Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Platform as a Service (PaaS)

Platform as a Service (PaaS)
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Network Address Translation (NAT) CS-480b Dick Steflik.

Network Address Translation (NAT) CS-480b Dick Steflik.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel 434920317 1.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Based on article by: Jaideep Chandrashekar,

Article presentation for: The Dark Cloud: Understanding and Defending against Botnets and Stealthy Malware Based on article by: Jaideep Chandrashekar,
Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
IMPLEMENTING F-SECURE POLICY MANAGER. Page 2 Agenda Main topics Pre-deployment phase Is the implementation possible? Implementation scenarios and examples.

IMPLEMENTING F-SECURE POLICY MANAGER. Page 2 Agenda Main topics Pre-deployment phase Is the implementation possible? Implementation scenarios and examples.
IST 210 Web Application Security. IST 210 Introduction Security is a process of authenticating users and controlling what a user can see or do.

IST 210 Web Application Security. IST 210 Introduction Security is a process of authenticating users and controlling what a user can see or do.
Appear in IEEE TDSC 2008 Presented by Wei-Cheng Xiao.

Appear in IEEE TDSC 2008 Presented by Wei-Cheng Xiao.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Similar presentations

Ads by Google