1. Zombie or not to be: Trough the meshes of Botnets - Guillaume Lovet AVAR 2005 Tianjin, China

2. Agenda Presentation objectives Introduction: a quick overview of Botnets Attack scenarios Protecting from Botnets Q&A

3. Presentation objectives Identify the threats currently posed by Botnets company-wise, and recognize what to expect in a near future Generate consistent and effective security policies to protect against Botnets, from inside and outside the corporate network

4. Introduction A Botnet is a network of trojanized computers, reporting to and commanded via a Master Server. Botnets have existed for years Recent raise of their activity High deleterious potential and obvious financial value Botnets are the number 1 Internet security threat today

5. Threats posed by botnets Critical data compromise Proxying (attacks, spam, phish)‏ Hosting of illegal content Seeding new malwares Distributed denial of service

6. Scenario 1: The worm in the fruit Multiple infection vectors for bots to intrude in the corporate network: –Typical: Email, Webpage, IM systems –Bypassing gateways: CD (c.f. W32/YsRailee.A-tr), Laptops (c.f. W32/Dumador.DH)‏ Once a bot is inside: –Connect back to master server –Receive the order to spread inside the corp. net –Exfiltrate critical data Conclusion: strong firewall policies and AV/IPS systems at the edge of the network are not enough

7. Scenario 2: The Cyberterrorist strike Botnets are a perfect base to launch Distributed Denial of Service attacks Effectively protecting against DDoS is not trivial Companies which offer online services lose massive amounts of money if DDoSed (e.g. ebay)‏  Blackmail & Racket Ransom is officially deemed “security consulting costs” Conclusion: The Botnets problem must be coped with at its roots – it’s a bit of everyone’s responsability

8. One future possible scenario: The double-strike seed Factors to create a successful worldwide virus outbreak: –Size of the seeding vector –Length of the “Opportunity Window” Botnet A seeds: the new malware is mass-mailed Botnet B extends the opportunity window: DDoS update servers of AV vendors Conclusion: Tight update policies are not enough

9. Protecting from Botnets Some security policies eradicate or mitigate the impact of Botnets on the company’s resources Protection must be twofold From the “inside” to be immune to: –Data exfiltration –Being a vector of cyber-criminal activities (roots of the problem)‏ From the “outside” to be immune to: –Intrusion –DoS attacks

10. Protecting from bots inside the corporate network Pt I: Security 101 Use appropriate and consistent firewall rules –Goal: cut communication to the master server –Default rule for both inbound and outbound connections: Deny –Allow only needed services for outbound connections (e.g.:HTTP, SMTP, SSH)‏ –Enforce the use a HTTP proxy, so that port 80 is closed for users. –Will not always be sufficient, because of an expected diversification of bot/master protocols: e.g. W32/Dumador.DH is a “full HTTP” bot

11. Alternate Master/Slave communication channel

14. Protecting from bots inside the corporate network Pt II: Spot em’ Is my network hosting bots? –Sniffing outbound traffic on the gateway for keywords used in Bot/Master communications:.login.scan.status.sysinfo –Set up a DNS redirection to an in-house honeypot (or sinkhole) for blacklisted bot master servers => unveil the infected hosts –Bot masters RSL (Real-Time Sinkhole List) public server project for DNS records updating

15. Protecting from bots outside the corporate network Sums up to protect against known types of attacks, bots only being a vector for those: –DDoS: Some products exist but not much can be done against an attack performed by a large botnets. Note that IPS re-active technologies can backfire at their users –Spam: Antispam & RBL –Phish: AV integrated to email gateways –Malware mass-mailing: "push update" AV technology (c.f. MyTob's case) combined with a 0-hour detection solution

16. Questions? Contact: glovet@fortinet.com