1. Dissecting Distributed Malware Networks
Honeynet Project -
Dissecting Distributed Malware Networks
Dave Dittrich University of Washington cac.washington.edu>
11/14/2018

2. Honeynet Project - project@honeynet.org
Overview
Honeynet Project -
Introduction
Why this talk?
Review of DDoS
Response Strategy
Tools
Network Forensics
Host Forensics
Attack scenario (tactics)
Conclusion
11/14/2018

3. Honeynet Project - project@honeynet.org
Why this talk?
Honeynet Project -
This is not a new problem
D{DoS|warez|BNC|scanning} very much alive (Power, knight.exe, GTbot, X-DCC)
Bandwidth vs. Access vs. Security
Broadband, DSL, .edu = = MESS!
Chaos is the norm
11/14/2018

4. Honeynet Project - project@honeynet.org
Why this talk?
Honeynet Project -
Some networking tools aren’t keeping up with attack tools
11/14/2018

5. Honeynet Project - project@honeynet.org
Why this talk?
Honeynet Project -
To improve the state of network analysis These networks CAN be taken down, iff response is disciplined, coordinated, and efficient
11/14/2018

6. Honeynet Project - project@honeynet.org
Review of DDoS
Honeynet Project -
11/14/2018

7. Honeynet Project - project@honeynet.org
Review of DDoS
Honeynet Project -
11/14/2018

8. Strategies Analyze attack traffic (find agents)
Analyze command/control traffic (find agents & handlers, identify victims & attackers, etc.)
Identify signatures of tool (find artifacts, define cleanup procedures)
Pass along intelligence to other sites (take down entire network, not just 1%)
RESPECT PRIVACY RIGHTS!!!
Remember for future reference! (They’re BA-ACK!)
11/14/2018

9. Preparation Assemble tools Negotiate procedures Practice Execute
Coordinate
Communicate
11/14/2018

10. Tools
11/14/2018

11. Data Collection Tools libpcap/tcpdump Support scripts
Snort, Ethereal also useful (these are not covered here)
11/14/2018

12. Standard packet capture interface Common dump format
libpcap / tcpdump
Standard packet capture interface
Common dump format
Basic packet decoding features
Filters packets various ways
11/14/2018

13. tcpdump examples
# tcpdump –s 64 –w dos dump
# tcpdump –r dos dump ip proto 255
# tcpdump –s 0 –w irc dump \ tcp port 6667 or tcp port 7000
# tcpdump –r irc dump \ -w suspect-irc.dump “(ip host \ and port 1234) or ip net /24”
11/14/2018

14. Data Analysis Tools tcpslice tcpdstat tcptrace ngrep ipgrep
Graphing utilities
11/14/2018

15. Slices tcpdump files by start/end time Shows start/end times
tcpslice
Slices tcpdump files by start/end time
Shows start/end times
Merges tcpdump files
ftp://ftp.ee.lbl.gov/tcpslice.tar.gz
11/14/2018

16. tcpslice example
11/14/2018

17. tcpdstat Traffic Statistics Protocol breakdown My simple mods
More protocols
Peak flow rate
Compile on Linux
11/14/2018

18. tcpdstat example
11/14/2018

19. tcpdstat example (cont)
11/14/2018

20. tcptrace Reports on streams Produces flow graphs Reconstructs streams
11/14/2018

21. tcptrace example
11/14/2018

22. tcptrace example
11/14/2018

23. Identifies strings in network traffic
ngrep
Identifies strings in network traffic
Supports RE and byte arrays (hex)
Only clear text (of course)
11/14/2018

24. ngrep example
11/14/2018

25. Host Analysis Tools Foundstone’s Fport
Anti Virus software (if used properly)
@Stake’s TASK
Farmer/Venema’s TCT
11/14/2018

26. …and processes that hold them Windows tool (use “lsof” on Unix)
FPort
Shows open ports
…and processes that hold them
Windows tool (use “lsof” on Unix)
11/14/2018

27. FPort example
11/14/2018

28. Anti-Virus Software Disable auto-delete before scan
Use latest virus signature files
Not 100% reliable analyses
11/14/2018

29. Anti-Virus Software
11/14/2018

30. Anti-Virus Software
11/14/2018

31. Graphical interface (autopsy) Direct file system processing
TASK
Graphical interface (autopsy)
Direct file system processing
Supports FAT16/FAT32 (NTFS in development)
11/14/2018

32. Image Windows FAT16/FAT32, mount on Linux
The Coroner’s Toolkit
Not just for Unix
Image Windows FAT16/FAT32, mount on Linux
Perform MAC time analysis
11/14/2018

33. TCT (mactime) example
11/14/2018

34. Attack scenario (Tactics)
11/14/2018

35. Responding to an Attack
Honeynet Project -
Responding to an Attack
How it starts
11/14/2018

36. Using tcpdump to analyze attack traffic
11/14/2018

37. Use tcpdstat to analyze attack traffic
11/14/2018

38. First Attack
11/14/2018

39. Statistics of first attack
11/14/2018

40. More Attacks
11/14/2018

41. More Attacks
11/14/2018

42. Using ngrep to find control traffic
11/14/2018

43. Using Fport to correlate ports and programs
11/14/2018

44. Feedback from system owner
11/14/2018

45. Identification of attack tool
11/14/2018

46. Find analysis/code
11/14/2018

47. Identify keys to control
11/14/2018

48. Identify commands in source
11/14/2018

49. Use tcptrace to isolate TCP stream
11/14/2018

50. Identify attack victims
11/14/2018

51. What’s this?
11/14/2018

52. Top IRC channels
11/14/2018

53. XDCC traffic report
11/14/2018

54. XDCC traffic report (cont)
11/14/2018

55. Review what you know Attacks from: 128.95.X.154, 128.95.X.181…
Traffic mostly Protocol 255, IRC, “other”
Lots of FTP traffic (“warez”)
Firedaemon/knight.c/GTbot installed
IRC ports/channels known (“warez” bots)
11/14/2018

56. Communication/Cooperation
11/14/2018

57. Communication/Cooperation
11/14/2018

58. This was moderately complex
Conclusion
This was moderately complex
Encryption makes things much harder (Eggdrop w/Blowfish, burneye, etc.)
Today its guerilla warfare (on both sides)
Discipline and skill wins
Products from Arbor or Niksun help
11/14/2018

59. Honeynet Project - project@honeynet.org
Questions?
Website: (add misc/ddos/ for DDoS page, misc/core02/ for files)
11/14/2018