    Botnets and spam- What we're doing to deal with the .ppt

Slide 1: Botnets and spam: What we're doing to deal with the blended threat
Jim Lippard, FRnOG 6, April 1, 2005

Slide 2: Botnets and spam (Agenda)
• Overview of the blended threat.
• Some trends.
• Rogues gallery.
• Defense and attack strategies.
• Our implementation and plans.
• Help wanted.
• Q&A.

Slide 3: Rise of the botnets
• Early 1990s: IRC channel bots (e.g., eggdrop, mIRC scripts, ComBot, etc.).
• Late 1990s: Denial of service tools (e.g., Trinoo, Tribal Flood Network, Stacheldraht, Shaft, etc.).
• 2000: Merger of DDoS tools, worms, and rootkits (e.g., Stacheldraht+t0rnkit+Ramen worm; Lion worm+TFN2K).
• 2002: IRC-controlled bots implementing DDoS attacks.
• 2003: IRC-controlled bots spread with worms and viruses, fully implementing DDoS, spyware, malware distribution activity. (Dave Dittrich, "Invasion Force," Information Security, March 2005, p. 30)
• 2003-2005: Botnets used as a criminal tool for extortion, fraud, identity theft, computer crime, spam, and phishing.

Slide 4: Botnets today
• Botnets are usually compromised Windows machines, usually controlled from a compromised Unix machine running ircd, sometimes with passwords, sometimes with encryption.
• Controllers are most often found on low-cost, high-volume web hosting providers. Bots are most often found on home machines of cable modem and DSL customers.
• Agobot/Phatbot is well-written, modular code supporting DoS attacks, spam proxying, ability to launch viruses, scan for vulnerabilities, steal Windows Product Keys, sniff passwords, support GRE tunnels, self-update, etc. Phatbot's control channel is WASTE (encrypted P2P) instead of IRC.
• Approximately 70% of spam is sent via botnets. (MessageLabs, October 2004 Monthly Report)
• Bots refute the common argument that "there's nothing on my computer that anyone would want" (usually given as an excuse not to bother securing the system).

Slide 5: Malicious traffic comparison
(Chart) Unique Infected IPs, week ending March 28, 2005: Entire Internet (unique IPs within each category; a single IP may have multiple problems).

Slide 6: Malicious traffic trends
• Spam, viruses, phishing are growing. Possible drop in DoS attacks.
• Percentage of email that is spam: 2002: 9%. 2003: 40%. 2004: 73%. (Received by GLBC Apr 2004-Mar 2005: 73%.)
• Percentage of email containing viruses: 2002: 0.5%. 2003: 3%. 2004: 6.1%. (Received by GLBC Apr 2004-Mar 2005: 5%.)
• Number of phishing emails: Total through September 2003: 273. Total through September 2004: 2 million. Monthly since September 2004: 2-5 million. (Above from MessageLabs 2004 end-of-year report.)
• Denial of Service Attacks (reported): 2002: 48 (16/mo). 2003: 409 (34/mo). 2004: 482 (40/mo). Jan. 1-Mar. 23, 2005: 74 (25/mo). (Above from Global Crossing; 2002 is for Oct-Dec only.)

Slide 7: GLBC downstream malware-infected hosts
(Chart)

Slide 8: Infected hosts: Internet/GLBC downstreams
(Chart)

Slide 9: GLBC Infected Downstreams
(Chart) Distribution by region for week ending March 28, 2005; unique infected IPs on ASs with more than 300 infected IPs, which accounts for 91% of unique infected IPs for the week.

Slide 10: Money is the main driver
Most botnet-related abuse is driven by financial considerations:
• Viruses and worms are used to compromise systems to use as bots.
• Bots are used to send spam to sell products and services (often fraudulent), engage in extortion (denial of service against online gambling, credit card processors, etc.), send phishing emails to steal bank account access.
• Access to bots as proxies ("peas") is sold to spammers, often with a very commercial-looking front end web interface.

Slide 11: Ruslan Ibragimov/send-
(Screenshot)

Slide 12: Ruslan Ibragimov ROKSO Record
(Screenshot)

Slide 13: "FRESH Peas for X-Mas Special Discount"
(Screenshot)

Slide 14: General Interest emails for sale
(Screenshot)

Slide 15: Proxies for Sale
(Screenshot)

Slide 16: Jay Echouafni / Foonet
(Screenshot)

Slide 17: Jeremy Jaynes 9 year prison sentence
(Screenshot)

Slide 18: Other miscreants
• Howard Carmack, the Buffalo spammer: $16 million judgment for Earthlink, 3.5-7 years on criminal charges from NY AG.
• Jennifer Murray, Ft. Worth spamming grandmother, arrested and extradited to VA.
• Ryan Pitylak, UT Austin philosophy student, sued by Texas AG.
• 200+ spam lawsuits filed in 2004 by Microsoft (Glenn Hannifin, etc.).
• Robert Kramer/CIS Internet lawsuit in Iowa: $1 billion judgment.
• Long list of names at the Registry of Known Spam Operations (ROKSO): http://www.spamhaus.org

Slide 19: Weak points in need of defense
Weak points being exploited:
• ISPs not vetting/screening customers: spammers set up shop in colo spaces at carriers worldwide.
• Poorly secured end user machines with high-bandwidth connections.
• Organizations failing to secure their networks and servers.
• NSPs/ISPs not monitoring for malicious traffic, not being aggressive to terminate abusers: spammers operating for months or years on major carriers sending proxy spam.
• Law enforcement not having the right resources or information to catch/prosecute offenders.

Slide 20: Defense and attack strategies for NSPs/ISPs
• Screen prospective customers against ROKSO and other publicly available information sources.
• Strengthen AUPs and contracts to allow rapid removal of miscreants (and filtering or nullrouting of specific problems prior to termination).
• Secure company end-user machines with endpoint security.
• Monitor for malicious traffic (or interact with security researchers or upstreams who monitor); notify downstreams and escalate if they fail to act.
• Filter and terminate abusers.
• Nullroute bot controllers and phishing websites.
• Collect actionable intelligence and notify law enforcement.

Slide 21: Global Crossing's implementation
External customer-facing components:
• AUP provisions: Global Crossing reserves the right to deny or terminate service to a Customer based upon the results of a security/abuse confirmation process used by Global Crossing. Such confirmation process uses publicly available information to primarily examine Customer's history in relation to its prior or current use of services similar to those being provided by Global Crossing and Customer's relationship with previous providers. If a Customer has been listed on an industry-recognized spam abuse list, such Customer will be deemed to be in violation of Global Crossing's Acceptable Use Policy.
• Customer screening: Policy Enforcement/Compliance department reviews new orders for known publicly reported abuse incidents, suspicious contact information (e.g., commercial mail drops, free email addresses, cell phone as only contact).
• Network monitoring and customer notification: We use Arbor Peakflow to detect and mitigate DoS attacks and engage in regular information exchange with peers and security researchers. We have automated processes for sending daily reports to customers of detected issues.
• Regular review of spam block lists and taking action: Reduced Spamhaus SBL listings from 43 in January 2004 to 6 at end of 2004. Currently (25 March 2005) at 11; several removal actions in process.

Slide 22: Global Crossing's implementation
• Law enforcement interaction: Participation in the FBI's Operation Slam Spam, which has collected data since September 2003. We are hoping to see major prosecutions in 2005.
Internal components:
• Comprehensive Enterprise Security Program Plan (ESPP): Physical and Information Security merged into single organization; reports directly to Security Committee of corporate board of directors under Network Security Agreement with U.S. government agencies (a public document obtainable at www.fcc.gov).
• Endpoint security: Sygate Enforcer at corporate VPN access points; Sygate Agent on all corporate laptops (and being deployed to all corporate workstations). Sygate Agent acts as PC firewall, IDS, file integrity checker, and enforces compliance on patch levels and anti-virus patterns; it reports back to a central management station. The IDS functionality makes every individual's machine into an IDS sensor.
• Antispam/antivirus: Corporate mail servers use open source SpamAssassin plus Trend Micro VirusWall.

Slide 23: Future Plans
• Partially automated escalation: Automated testing of botnet controllers and phishing websites; ticket generation, customer notification, nullrouting (with human intervention step).
• More creative monitoring and analysis of Netflow data: To automate detection of proxy spamming and botnet activity.
• More creative monitoring and analysis of DNS queries: To spot cache poisoning and "pharming" attacks, detection of bots by DNS lookups of botnet controllers; possibly use passive DNS replication to view historical data or find FQDNs associated with botnet controllers where the IP has no rDNS.

Slide 24: Help wanted
• Peers: Similar implementations: screen customers, strengthen and enforce AUPs, nullroute botnet controllers and phishing websites. Share additional ideas; coordination of defenses.
• OS/Application vendors: More securely written software, with secure-by-default configurations. Automated, digitally-signed update capability, turned on by default for home users.
• ISPs with end user customers: Better filtering/quarantining of infected customer systems; automation and self-service point-and-click tools needed. Any solution that requires end users to become expert system administrators is doomed to failure.
• Organizations on the Internet: Use firewalls and endpoint security solutions, use spam and anti-virus filtering. Block email from known infected systems using the Composite Blocking List (CBL), cbl.abuseat.org.
• Law enforcement and prosecutors: Undercover investigations to follow the money and capture the criminals profiting from spam, phishing, denial of service, and the use of botnets. Follow up civil litigation from large providers like AOL, Earthlink, and Microsoft with criminal charges.

Slide 25: Conclusion
An effective response to botnets, spam, phishing, and denial of service requires a combination of policies and procedures, technology, and legal responses from network providers, ISPs, organizations on the Internet, and law enforcement and prosecutors. All of these components need to respond and change as the threats continue to evolve.

Slide 26: Botnets and spam (Further Information)
• Composite Blocking List: http://cbl.abuseat.org
• Registry Of Known Spam Operations (ROKSO): http://www.spamhaus.org
• Bot information: http:/
• Message Labs 2004 end-of-year report: http:/
• CAIDA Network Telescope: http://www.caida.org/analysis/security/telescope/
• Team Cymru DarkNet: http:/
• Internet Motion Sensor: http://ims.eecs.umich.edu/
• Passive DNS Replication: http://cert.uni-stuttgart.de/stats/dns-replication.php
• Brian McWilliams, Spam Kings, 2004, O'Reilly and Associates.
• Spammer-X, Inside the Spam Cartel, 2004, Syngress. (Read but don't buy.)
Jim Lippard

Slide 27: Appendix: Global Crossing notifications
The following is a list of IP addresses on your network which we have good reason to believe may be compromised systems engaging in malicious activity. Please investigate and take appropriate action to stop any malicious activity you verify.

The following is a list of types of activity that may appear in this report: BEAGLE BEAGLE3 BLASTER BOTNETS BOTS BRUTEFORCE DAMEWARE DIPNET DNSBOTS MYDOOM NACHI PHATBOT PHISHING SCAN445 SINIT SLAMMER SPAM

Open proxies and open mail relays may also appear in this report. Open proxies are designated by a two-character identifier (s4, s5, wg, hc, ho, hu, or fu) followed by a colon and a TCP port number. Open mail relays are designated by the word "relay" followed by a colon and a TCP port number. A detailed description of each of these may be found at https:/

IPs identified as hosting botnet controllers or phishing websites (marked with BOTNETS or PHISHING, respectively) may be null routed by Global Crossing following a separately emailed notice.

This report is sent on weekdays, Monday through Friday. If you would prefer a weekly report, sent on Mondays, please contact us by replying to this email to request it. We would prefer, however, that you receive and act upon these reports daily.

Unless otherwise indicated, timestamps are in UTC (GMT).

3549 | 208.50.20.164/32 | 2005-01-10 23:23:36 BOTNETS | GBLX Global Crossing Ltd.
3549 | 209.130.174.106/32 | 2005-02-03 15:58:06 TCP 13222 BOTNETS | GBLX Global Crossing Ltd.
3549 | 146.82.109.130 | 2005-03-24 10:01:30 BEAGLE3 | GBLX Global Crossing Ltd.
3549 | 195.166.97.130 | 2005-03-24 08:40:03 SPAM | GBLX Global Crossing Ltd.
3549 | 206.132.221.37 | 2005-03-24 01:56:13 PHATBOT | GBLX Global Crossing Ltd.
3549 | 206.132.93.5 | 2005-03-23 22:13:40 NACHI | GBLX Global Crossing Ltd.
3549 | 206.165.142.184 | 2005-03-23 09:35:53 SLAMMER | GBLX Global Crossing Ltd.
3549 | 206.165.192.5 | 2005-03-24 12:35:53 SPAM | GBLX Global Crossing Ltd.

Slide 28: Appendix: Phatbot functionality
Phatbot command list (from LURHQ):
• mand: runs a command with system()
• bot.unsecure: enable shares / enable dcom
• bot.secure: delete shares / disable dcom
• bot.flushdns: flushes the bot's DNS cache
• bot.quit: quits the bot
• bot.longuptime: if uptime > 7 days then bot will respond
• bot.sysinfo: displays the system info
• bot.status: gives status
• bot.rndnick: makes the bot generate a new random nick
• bot.removeallbut: removes the bot if id does not match
• bot.remove: removes the bot
• bot.open: opens a file (whatever)
• bot.nick: changes the nickname of the bot
• bot.id: displays the id of the current code
• bot.execute: makes the bot execute a .exe
• bot.dns: resolves ip/hostname by dns
• bot.die: terminates the bot
• bot.about: displays the info the author wants you to see
• shell.disable: disable shell handler
• shell.enable: enable shell handler
• shell.handler: fallback handler for shell
• commands.list: lists all available commands
• plugin.unload: unloads a plugin (not supported yet)
• plugin.load: loads a plugin
• cvar.saveconfig: saves config to a file
• cvar.loadconfig: loads config from a file
• cvar.set: sets the content of a cvar
• cvar.get: gets the content of a cvar
• cvar.list: prints a list of all cvars
• inst.svcdel: deletes a service from scm
• inst.svcadd: adds a service to scm
• inst.asdel: deletes an autostart entry
• inst.asadd: adds an autostart entry
• logic.ifuptime: exec command if uptime is bigger than specified
• mac.login: logs the user in
• mac.logout: logs the user out
• ftp.update: executes a file from a ftp url
• ftp.execute: updates the bot from a ftp url
• ftp.download: downloads a file from ftp
• http.visit: visits an url with a specified referrer
• http.update: executes a file from a http url
• http.execute: updates the bot from a http url
• http.download: downloads a file from http
• rsl.logoff: logs the user off
• rsl.shutdown: shuts the computer down
• rsl.reboot: reboots the computer
• pctrl.kill: kills a process
• pctrl.list: lists all processes
• scan.stop: signal stop to child threads
• scan.start: signal start to child threads
• scan.disable: disables a scanner module
• scan.enable: enables a scanner module
• scan.clearnetranges: clears all netranges registered with the scanner
• scan.resetnetranges: resets netranges to the localhost
• scan.listnetranges: lists all netranges registered with the scanner
• scan.delnetrange: deletes a netrange from the scanner
• scan.addnetrange: adds a netrange to the scanner
• ddos.phatwonk: starts phatwonk flood
• ddos.phaticmp: starts phaticmp flood
• ddos.phatsyn: starts phatsyn flood
• ddos.stop: stops all floods
• ddos.httpflood: starts a HTTP flood
• ddos.synflood: starts an SYN flood
• ddos.udpflood: starts a UDP flood
• redirect.stop: stops all redirects running
• redirect.socks: starts a socks4 proxy
• redirect.https: starts a https proxy
• redirect.http: starts a http proxy
• redirect.gre: starts a gre redirect
• redirect.tcp: starts a tcp port redirect
• harvest.aol: makes the bot get aol stuff
• harvest.cdkeys: makes the bot get a list of cdkeys
• harvest.emailshttp: makes the bot get a list of emails via http
• harvest.emails: makes the bot get a list of emails
• waste.server: changes the server the bot connects to
• waste.reconnect: reconnects to the server
• waste.raw: sends a raw message to the waste server
• waste.quit
• waste.privmsg: sends a privmsg
• waste.part: makes the bot part a channel
• info: prints netinfo
• waste.mode: lets the bot perform a mode change
• waste.join: makes the bot join a channel
• waste.gethost: prints netinfo when host matches
• waste.getedu: prints netinfo when the bot is .edu
• waste.action: lets the bot perform an action
• waste.disconnect: disconnects the bot from waste
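The daily notification report in the appendix above (Slide 27) has a fixed line layout: ASN, address, timestamp plus activity type, and AS name, with open proxies and relays encoded as "code:port". As an added example (not code from the talk or from Global Crossing), the following Python parser extracts those fields from report lines, separates the proxy/relay designations from the named activity types, and flags the BOTNETS and PHISHING entries that the report says may be null routed after a separate notice. The sample report lines, ASN 64496 and the 192.0.2.x addresses are constructed for the example.

```python
import re
from datetime import datetime
# Appendix report layout: ASN | IP[/prefix] | YYYY-MM-DD HH:MM:SS [TCP <port>] <TYPE> | AS name
# TYPE is a tag (BOTNETS, SPAM, ...), an open proxy "<s4|s5|wg|hc|ho|hu|fu>:<port>" or "relay:<port>".
LINE_RE = re.compile(
    r"^\s*(?P<asn>\d+)\s*\|\s*(?P<ip>[\d.]+)(?:/(?P<prefix>\d+))?\s*\|\s*"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?:TCP\s+(?P<tcp>\d+)\s+)?"
    r"(?P<kind>\S+)\s*\|\s*(?P<asname>.+?)\s*$")
PROXY_CODES = {"s4", "s5", "wg", "hc", "ho", "hu", "fu"}
NULLROUTE_KINDS = {"BOTNETS", "PHISHING"}  # may be null routed, after a separate notice

def categorize(kind: str) -> str:
    """Map the raw tag to a coarse category an abuse desk can route on."""
    code, _, port = kind.partition(":")
    if code == "relay" and port.isdigit():
        return "open-relay"
    if code in PROXY_CODES and port.isdigit():
        return "open-proxy"
    return kind

def parse_report(text: str) -> list[dict]:
    """One dict per report line; prose, blank and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "asn": int(m["asn"]), "ip": m["ip"],
            "prefix": int(m["prefix"]) if m["prefix"] else None,
            "when": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),  # UTC per the report
            "tcp_port": int(m["tcp"]) if m["tcp"] else None,
            "kind": m["kind"], "category": categorize(m["kind"]),
            "nullroute_candidate": m["kind"] in NULLROUTE_KINDS, "as_name": m["asname"]})
    return entries

def summarize(entries: list[dict]) -> dict:
    """Counts per category plus two work queues: nullroute review vs. notify-only."""
    counts: dict[str, int] = {}
    for e in entries:
        counts[e["category"]] = counts.get(e["category"], 0) + 1
    return {"by_category": counts,
            "nullroute_candidates": sorted(e["ip"] for e in entries if e["nullroute_candidate"]),
            "notify_only": sorted(e["ip"] for e in entries if not e["nullroute_candidate"])}

# Constructed sample in the appendix's layout (documentation ASN, TEST-NET addresses).
SAMPLE_REPORT = """\
Unless otherwise indicated, timestamps are in UTC (GMT).
64496 | 192.0.2.10/32 | 2005-03-24 10:01:30 BOTNETS | EXAMPLE-NET Example Ltd.
64496 | 192.0.2.11/32 | 2005-03-24 08:40:03 TCP 13222 BOTNETS | EXAMPLE-NET Example Ltd.
64496 | 192.0.2.12 | 2005-03-24 01:56:13 PHATBOT | EXAMPLE-NET Example Ltd.
64496 | 192.0.2.13 | 2005-03-23 22:13:40 s4:1080 | EXAMPLE-NET Example Ltd.
64496 | 192.0.2.14 | 2005-03-23 09:35:53 relay:25 | EXAMPLE-NET Example Ltd.
64496 | 192.0.2.15 | 2005-03-24 12:35:53 PHISHING | EXAMPLE-NET Example Ltd.
"""
```

Running `summarize(parse_report(SAMPLE_REPORT))` yields two BOTNETS entries and one PHISHING entry in the nullroute-review queue and the infected host, open proxy and open relay in the notify-only queue, which mirrors the human-intervention step the talk describes for nullrouting.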

