Botnets - Information Security Group

How are we protecting our organisations from being part of such a phenomenon?
Clinton Cutajar
Team Leader – Information Security
[email protected] / [email protected]
Personal Background
Location – Malta, Europe
• M.Sc. Information Security
• B.Sc. IT (Hons) in Computer Science and AI
Check Point
Computime Ltd - Malta
• Established in 1979.
• Systems integrator – 90 Employees.
• Dedicated Systems, Networking and Information Security
• Projects in Malta, Europe and North Africa.
• Clientele – Banks, Insurance agencies, Financial, Government,
Education and more.
• Partners with Check Point, Juniper, Cisco, Splunk, Vasco, etc …
What is a Bot?
• A malicious piece of software with the ability to communicate
with a command-and-control (C&C) infrastructure.
• Communication with C&C allows a bot agent to receive new
instructions and malicious capabilities (plain text or
• The compromised host is used as an unwilling participant in Internet
crime as soon as it is linked into a botnet via that same C&C.
Attacking Behaviour
• The methods botmasters use to attack and achieve their ultimate goals:
Infecting new hosts
Stealing personal information
Phishing and SPAM proxy
Infecting new hosts
• Several methods exist to deliver a bot agent to the victim:
Compressed attachments
Encrypted attachments
Drive by download
Infected USB drives
Exploiting vulnerabilities within applications allowing remote code execution
Stealing Personal Information
• Banking details, social security numbers, etc.
• Details sold to crime masterminds
• Methods to steal data
• Key loggers
• MiB (Man in the Browser) attack
• Camera shots
Phishing and Spam proxy
• SPAM is the process of flooding the Internet with multiple
copies of the same message.
• Mostly related to Sex/Dating and pharmaceutical products.
• Phishing makes use of fake emails routing victims to bogus
websites to steal login credentials.
• Botmaster can sell SPAM services to 3rd parties using infected
hosts to send mails.
Phishing and SPAM proxy (cont)
Distributed Denial of Service (DDOS)
• A DoS (Denial of Service) attack seeks to render target systems
inaccessible by exhausting all network resources.
• A DDoS attack is a DoS generated from different locations around
the globe, making it difficult to isolate the particular IP addresses
generating the malicious traffic.
• DoS targets availability.
Confidentiality and Integrity are not
Communication Protocols
• IM
Centralised (Star) Model
• The botmaster selects a single high
bandwidth host (usually compromised) to
be the C&C.
• The infected host is preconfigured to “phone
home” to this central C&C, registering
itself as a botnet member and awaiting new
• Advantages:
- Rapid (low latency) data transfer
(commands and stolen data) due to
direct communication
- Easy to implement
- Scalable to support large botnets
• Disadvantages:
- Blocking the central C&C shuts down
the botnet.
Decentralised (Distributed) Model
• Integrates peer-to-peer (P2P) concepts into
malicious software, increasing scalability
and availability, making the botnet more
• The size of a P2P botnet is difficult to estimate,
and shutting down a P2P botnet is difficult as
no central hubs can be pinpointed and disabled.
• The communication system does not rely on a
single centralised server (which is easier to
detect and shut down) but on P2P C&C
Rallying Mechanism
• A method by which new bots locate and join the botnet.
There are mainly three types of mechanism by which a bot can
locate its C&C server:
• Hard coded IPs
• Dynamic DNS Domain
• Dynamic DNS servers
Evasion Techniques
• Evasion techniques are ways to prevent detection
mechanisms from identifying communication between the
bot-infected host and the C&C
Covert Channels
Evasion Techniques – Covert Channels
• Covert channels are ways to transfer instructions to
the infected host without being detected.
• Embed instructions in valid web objects, pages and
• Popular covert channels
• JPG Images (in EXIF information)
• Microsoft Word 2007 files (XML metadata)
• LinkedIn and Twitter status updates
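The slide lists EXIF and document metadata as popular covert channels. An added example, not code from the presentation or from any vendor product, shows what a defender can do about the first one: walk the JPEG segment structure and flag metadata segments (APPn, COM) that are both unusually large and nearly random-looking, which is what packed or encrypted payloads riding inside EXIF/XMP fields look like. The two sample images, the size threshold and the entropy threshold are constructed for the example.

```python
"""Flag JPEG metadata segments that look like carriers for hidden payloads.

Added example for the covert-channel slides; not from the presentation.
The sample images are built in code and the thresholds are assumptions.
"""
import hashlib
import math
from collections import Counter

# Markers without a length field: SOI, EOI, TEM and RSTn. SOS begins the
# entropy-coded image data, after which segment walking stops.
NO_LENGTH = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
SOS = 0xDA


def jpeg_segments(data):
    """Yield (marker, payload) for every segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte between segments, skip it
            pos += 1
            continue
        if marker in NO_LENGTH:
            if marker == 0xD9:      # EOI: nothing follows
                return
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes itself
        payload = data[pos + 4:pos + 2 + length]
        yield marker, payload
        if marker == SOS:
            return
        pos += 2 + length


def entropy(blob):
    """Shannon entropy in bits per byte (8.0 means indistinguishable from random)."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def suspicious_metadata(data, max_bytes=4096, min_entropy=7.5):
    """Return (marker, size, entropy) for APPn (0xE0-0xEF) and COM (0xFE)
    segments that exceed max_bytes and look nearly random. Plain-text
    metadata and ordinary EXIF blocks are small and low-entropy, so they
    pass; a packed or encrypted blob stuffed into EXIF does not."""
    hits = []
    for marker, payload in jpeg_segments(data):
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            ent = entropy(payload)
            if len(payload) > max_bytes and ent >= min_entropy:
                hits.append((marker, len(payload), round(ent, 2)))
    return hits


def _segment(marker, payload):
    """Build one length-prefixed JPEG segment (helper for the samples)."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def _pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy filler standing in for an encrypted payload."""
    out = b""
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


# Constructed minimal JPEGs: header segments, a one-byte SOS, then EOI.
BENIGN = (b"\xff\xd8"
          + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _segment(0xFE, b"Camera model: Example-1")
          + _segment(SOS, b"\x01") + b"\xff\xd9")
SUSPECT = (b"\xff\xd8"
           + _segment(0xE1, b"Exif\x00\x00" + _pseudo_random(8000))
           + _segment(SOS, b"\x01") + b"\xff\xd9")

if __name__ == "__main__":
    print("benign :", suspicious_metadata(BENIGN))
    print("suspect:", suspicious_metadata(SUSPECT))
```

The heuristic only catches payloads that are compressed or encrypted; a short plain-text instruction in an EXIF comment has low entropy and a normal size, so the practical control is comparing each segment against the metadata profile the organisation normally sees (which cameras and editors, which segment sizes) rather than a fixed threshold.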
Evasion Techniques – Fluxing
• A newer way to allow C&C location resolution and failover
• Two types of fluxing
• IP Flux : rapidly changing the IP addresses behind a single domain.
• Domain Flux : changing the DNS name that points to a particular IP.
• Both techniques are used by professional botmasters.
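The rallying-mechanism and fluxing slides describe what the defender sees in DNS logs: a bot that finds its C&C through dynamic DNS produces either one name that rotates through many addresses with short TTLs (IP flux) or many throwaway names that all land on the same address (domain flux). The following added example, which is not code from the presentation or from any product, scores both indicators over resolver logs. The log format, the thresholds and the sample records are constructed; a real deployment would feed it passive-DNS or resolver query logs.

```python
"""Detect IP-flux and domain-flux indicators in DNS resolver logs.

Added example for the rallying and fluxing slides; not from the original
presentation. Log format, thresholds and records are constructed.
"""
from collections import defaultdict

# Constructed resolver log: "<epoch> <client> <qname> A <answer_ip> ttl=<seconds>"
# The sample spans a few minutes; one host queries a rotating name, another
# queries a series of random-looking names that all resolve to one address.
SAMPLE_LOG = """\
1700000000 10.0.0.5 static-cdn.example A 203.0.113.10 ttl=86400
1700000300 10.0.0.5 static-cdn.example A 203.0.113.10 ttl=86400
1700000000 10.0.0.7 update-svc.example A 198.51.100.21 ttl=120
1700000180 10.0.0.7 update-svc.example A 198.51.100.77 ttl=120
1700000360 10.0.0.7 update-svc.example A 198.51.100.130 ttl=120
1700000540 10.0.0.7 update-svc.example A 198.51.100.9 ttl=120
1700000720 10.0.0.7 update-svc.example A 198.51.100.201 ttl=120
1700000000 10.0.0.9 a1b2c3d4.example A 192.0.2.50 ttl=300
1700000060 10.0.0.9 e5f6a7b8.example A 192.0.2.50 ttl=300
1700000120 10.0.0.9 c9d0e1f2.example A 192.0.2.50 ttl=300
1700000180 10.0.0.9 a3b4c5d6.example A 192.0.2.50 ttl=300
1700000240 10.0.0.9 e7f8a9b0.example A 192.0.2.50 ttl=300
"""


def parse_log(text):
    """Parse A-record answers; malformed or non-A lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[3] != "A" or not parts[5].startswith("ttl="):
            continue
        ts, client, qname, _, ip, ttl = parts
        records.append({"ts": int(ts), "client": client, "qname": qname,
                        "ip": ip, "ttl": int(ttl.split("=", 1)[1])})
    return records


def find_ip_flux(records, min_ips=4, max_ttl=300):
    """IP flux: one name answered with many distinct addresses, all with
    short TTLs so that clients re-resolve (and re-rally) frequently."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for r in records:
        ips[r["qname"]].add(r["ip"])
        ttls[r["qname"]].append(r["ttl"])
    return sorted(q for q in ips
                  if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl)


def find_domain_flux(records, min_domains=4):
    """Domain flux: many distinct names (typically generated) that all
    resolve to the same address within the observed window."""
    domains = defaultdict(set)
    for r in records:
        domains[r["ip"]].add(r["qname"])
    return sorted(ip for ip in domains if len(domains[ip]) >= min_domains)


def report(text):
    """Run both detectors and return the flagged names and addresses."""
    records = parse_log(text)
    return {"ip_flux": find_ip_flux(records),
            "domain_flux": find_domain_flux(records)}


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Large CDNs also answer one name with many addresses, so the IP-flux check should be combined with an allow-list of known CDN ranges and with the TTL condition above; legitimate round-robin records rarely combine a TTL of a few minutes with addresses spread across unrelated networks.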
Popular Botnets
ZEUS Banking Botnet
Rustock SPAM Botnet
Poison Ivy RAT
LOIC Traffic Generator
Vendor Protection
• Different vendors offer botnet-related protection:
Check Point with Anti-Bot blade
Cisco with Anti-Bot license and CSC-SSM
HP Tipping Point
ThreatSTOP DNS Service
McAfee Host security
• The frequency of database updates / real-time queries is very important
• Need to keep up with latest threats
• Update services
- Check Point ThreatCloud
- Cisco Signature Intelligence Operations (SIO)
Check Point Anti-Bot
• Inspects traffic as it exits the firewall.
• For each flow, the Check Point Anti-Bot blade checks:
- IP
- Communication pattern
• A request is sent to ThreatCloud and a state is received back.
• On a positive match the traffic
is dropped, denying the malicious
communication.
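The two checks named on the slide, destination reputation and communication pattern, can be modelled in a few dozen lines. The added example below is not Check Point code and does not talk to ThreatCloud; the reputation feed is a constructed in-memory set, the firewall log lines are constructed, and the beaconing thresholds are assumptions. It returns a per-flow state the way a gateway would, dropping on a feed hit or on a phone-home pattern (near-constant connection interval and request size to one destination).

```python
"""Model of an outbound bot check: reputation lookup plus communication-
pattern test. Added example for the Anti-Bot slide; not vendor code.
Feed entries, log lines and thresholds are constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed reputation feed (stands in for a real-time threat-cloud query).
BAD_IPS = {"198.51.100.23"}
BAD_DOMAINS = {"update-check.example"}

# Constructed egress log: "<epoch> <src> <dst_ip> <dst_host> <bytes_out>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.10 cdn.example 812
1700000017 10.0.0.5 203.0.113.10 cdn.example 41210
1700000900 10.0.0.5 203.0.113.11 mail.example 2200
1700000000 10.0.0.8 192.0.2.44 stats.example 512
1700000600 10.0.0.8 192.0.2.44 stats.example 514
1700001200 10.0.0.8 192.0.2.44 stats.example 511
1700001800 10.0.0.8 192.0.2.44 stats.example 513
1700002400 10.0.0.8 192.0.2.44 stats.example 512
1700000100 10.0.0.9 198.51.100.23 files.example 900
1700000200 10.0.0.12 203.0.113.50 update-check.example 700
"""


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, dst_ip, dst_host, nbytes = parts
        records.append({"ts": int(ts), "src": src, "dst_ip": dst_ip,
                        "dst_host": dst_host, "bytes": int(nbytes)})
    return records


def reputation_verdict(rec):
    """IP / domain check: drop when the destination is on the feed."""
    if rec["dst_ip"] in BAD_IPS:
        return "drop:bad-ip"
    if rec["dst_host"] in BAD_DOMAINS:
        return "drop:bad-domain"
    return None


def beaconing_flows(records, min_count=5, max_jitter=0.1):
    """Communication-pattern check: (src, dst) pairs whose connection
    intervals and request sizes barely vary, i.e. a scheduled phone-home.
    Jitter is the standard deviation of the gaps relative to the mean gap."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["dst_ip"])].append(r)
    flagged = []
    for pair, recs in by_pair.items():
        if len(recs) < min_count:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        sizes = [r["bytes"] for r in recs]
        size_spread = (max(sizes) - min(sizes)) / statistics.mean(sizes)
        if jitter <= max_jitter and size_spread <= max_jitter:
            flagged.append(pair)
    return flagged


def verdicts(text):
    """Per-flow state: feed hits first, then pattern-based drops."""
    records = parse_log(text)
    out = {}
    for r in records:
        v = reputation_verdict(r)
        if v:
            out[(r["src"], r["dst_ip"])] = v
    for pair in beaconing_flows(records):
        out.setdefault(pair, "drop:beacon-pattern")
    return out


if __name__ == "__main__":
    for flow, state in sorted(verdicts(SAMPLE_LOG).items()):
        print(flow, state)
```

The pattern check is what catches a bot whose C&C is not yet on any feed, which is the gap the signature-and-updates slides describe; it also fires on legitimate schedulers (monitoring agents, NTP-like pollers), so in practice the output is a candidate list for the analyst or a feed enrichment, not an automatic block on its own.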
Signatures and Updates
• Collaboration is required to fight computer crime.
• Need inputs from different areas.
• Provide changes and new information to customers as fast as
• Can be compared to a human virus (e.g. swine flu) where
different organisations collaborate to find a solution
Check Point ThreatCloud
Botnet Incident – RSA Breach
• RSA – Organisation providing security tokens for dual factor
• Attack Feb 2011 – Devastating effect for RSA
- $60 million in damages
- Loss of trust
• Final target of the attack – one of RSA clients
- Lockheed Martin – US Defence Contractor
Botnet Incident – RSA Breach (cont)
Anti-Botnet actions
• Operation b107
Takedown of the Rustock botnet (SPAM).
Date of takedown - 2011.
Collaboration between security organisations.
The McColo datacentre knockout, famous for hosting master
servers of botnets.
- Taken offline by disconnecting McColo uplinks, but a
new uplink (TeliaSoneraCERT) allowed the botmaster to update
the zombie army with the new C&C server location.
- Definitive takedown by seizing physical servers: 7 in the US and 2
hosted overseas.
- Spam rate decreased by 33.4%.
Security in practice
• A full holistic solution is required rather than just isolated security
• Dual layer firewall (different vendors) to avoid possible vulnerabilities
on a particular OS from being exploited.
• Multiple functionalities
  - On external firewall
    - Intrusion Prevention System (IPS)
    - Network Anti-Virus
    - Email filter (protecting from SPAM etc) in the DMZ
  - On internal firewall
    - URL Filtering
    - Application Control
    - Anti-Bot
• Reporting Tool to generate “readable” reports
• Host security to prevent infections when connected to guest internet
• Security is risk based and it is impossible to be completely fail-proof.
• Even though security vendors constantly study and
reverse engineer malicious applications to provide
signatures for their products, there is still the possibility
that malicious communication makes it through
the network protection.
• It is very important to deal with an experienced well
established security vendor known to provide immediate
• Users must also collaborate by not running untrusted
executables, which may easily be malware.
• Security is only as strong as its weakest link, the latter usually being
the user (as we have seen in the RSA case).
[email protected] / [email protected]
