Today's malware behavior:
evolving at alarming rates
supports self-replication
uses self-preservation
launches counter-attacks in response to attempts at detection/clean-up.
Malware looks more and more like it's built by scientists (frightening!)
Advanced malware is no longer client-side only
-- it is a true client/server environment: a botnet
Botnet power:
A botnet is a group of compromised computers
The computers run a remote control bot application
The bot herder sends commands to the droves of compromised systems
Primary goal of the botnet operator: expanding the network of well-connected computers.
As a result,
all broadband-connected PCs are constantly under attack.
These are attacks by automated scanning and exploitation tools that run from existing botnets
When a compromised computer (a bot) is on a high-speed connection, it presents more value for the attacker.
Since 2007, bots are no longer trying to take down the Internet:
without a functioning Internet infrastructure, botnets aren't very useful.
Denial of service attacks (DDoS) aren't as useful as they were
Spam:
biggest usage of botnets
exists because it's profitable
still big business (although everybody says they're fed up with it.)
Executing DDoS attacks (used to be the #1 priority, but fading out nowadays)
Spam -- still a king!
Innocent attempts at "we want to sell you something" are dying off
Nigerian Scams, phishing, illegal product promotion -- main motivation now.
Harvesting email addresses from users' address books -- always!
Logging keystrokes, logging network traffic.
Botnets also provide hosting for Web sites involved in phishing attacks
When a known Web server is compromised, everybody on the Internet reports it as a phishing site:
compromised Web servers don't last very long.
Instead, bot herders find a reliable bot client (your PC!) and host the phishing web site on the compromised machine.
Another use for bot hosting: drug-selling websites.
As soon as the website is identified (e.g. automatically by a smarter browser), the botnet adapts and moves it to another bot in the botnet.
New Web servers start on infected computers to aid in phishing attacks
IRC is a protocol for real-time Internet text messaging (chat) or synchronous conferencing
Because IRC connections are usually unencrypted and typically span long time periods, they are an attractive target for hackers.
Many corporate networks block IRC data to stop bot clients from calling home, effectively rendering the bot useless to the operator.
Botnet command and control channels are no longer just IRC.
People wonder why ISPs can't just block "bot activity"?
Botnets started using encrypted HTTPS:
Peer-to-peer HTTPS traffic is completely indistinguishable from other Internet traffic
Firewalls cannot detect the presence of infection
Antivirus software is unaware of new viruses
Virus writers are always one step ahead of antivirus vendors:
antivirus companies by nature are playing a "reactionary game."
Firewalls can no longer stop initial infections
Firewalls cannot prevent a compromised host from participating in the botnet
HTTPS and JavaScript browser exploits are all that's necessary to build a botnet
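As an added example (not from the course page), here is a defender-side check, in Python, that applies the point above: even when the channel is HTTPS or IRC over SSL and the payload is opaque, the connection metadata a firewall already logs still shows bots calling home, either to IRC ports or at the clockwork intervals of a beacon. The log format, hosts and thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

IRC_PORTS = {6667, 6697}   # plaintext IRC and the conventional IRC-over-TLS port

# Constructed firewall log lines (not real traffic): time src dst dport proto
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 198.51.100.7 443 TCP
2024-03-01T10:00:02 10.0.0.9 203.0.113.20 6697 TCP
2024-03-01T10:03:17 10.0.0.12 192.0.2.44 443 TCP
2024-03-01T10:05:00 10.0.0.5 198.51.100.7 443 TCP
2024-03-01T10:10:01 10.0.0.5 198.51.100.7 443 TCP
2024-03-01T10:15:00 10.0.0.5 198.51.100.7 443 TCP
2024-03-01T10:20:00 10.0.0.5 198.51.100.7 443 TCP
2024-03-01T10:41:05 10.0.0.12 192.0.2.44 443 TCP
2024-03-01T11:02:59 10.0.0.12 192.0.2.44 443 TCP
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:   # silently skip lines that do not match the constructed format
            ts, src, dst, dport, proto = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return events

def irc_callhome(events):
    """Internal hosts talking to IRC ports, plaintext or TLS: the classic 'calling home'."""
    return sorted({(src, dst, dport) for _, src, dst, dport, _ in events if dport in IRC_PORTS})

def beacons(events, min_hits=5, max_cv=0.1):
    """(src, dst) pairs contacted at near-constant intervals. A low coefficient of
    variation of the gaps is the beaconing signature, and it works on port 443 too,
    where the payload itself is opaque. Thresholds are assumed starting points."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in events:
        by_pair[(src, dst)].append(ts)
    found = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found.append((src, dst, round(avg)))
    return found
```

Because this only reads existing logs, it never touches the bot, so it does not trigger the retaliation against scanners that the lecture mentions later.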
A zero-day attack is an attempt to exploit a computer vulnerability that is not yet publicly known.
Once one user on a network becomes exploited, every host on that subnet should be considered hostile
When a bot herder launches a zero-day exploit, neighboring hosts certainly fall:
the local subnet is a very dangerous place to have an attacker
(Again, don't be foolish to think antivirus companies are ahead of the game!)
Your well-being really depends on the operating system security and the network security.
Botnets would not exist without software vulnerabilities.
Windows can get infected with extreme ease...
However, botnets would not disappear if Windows suddenly became secure enough to stop them
Botnet clients run well on Unix-based systems
On a large scale, systems are as secure as applications that run on them
Fact: there are tons of Linux machines running botnet clients!
Q8bot and kaiten are the best-known bots written explicitly for Unix systems
Countless little Perl scripts pervade LAMP(*) nightmares
______________________
(*) LAMP is an acronym for open source software: Linux, Apache HTTP Server, MySQL database, and PHP -- principal components to build a viable general-purpose web server.
The recipe:
disable all defense mechanisms,
then install undetectable bot.
Most botnets
automatically replicate themselves
have the ability to self-update
download and run new versions of themselves by bot herder command
Many have an update mechanism more efficient than Windows Update (frightening!)
Viruses disable antivirus software -- most users would never notice.
The botnet itself is also a worm
Recent bot clients began DDoS'ing any computer that attempted to detect them by scanning.
Many still using IRC to communicate -- over SSL
(that means you cannot detect their presence -- unstoppable.)
Botnets have become a living and breathing ecosystem.
A few examples of herder commands:
Scan for and infect other computers on the local network
Send spam
Download and execute a file from a given FTP site
Start flooding a specific IP or network using TCP, UDP, or ICMP
Add/delete Windows services from the registry
Test the Internet connection speed of the infected computer
Start the following services:
http proxy
TCP port redirector,
various socks proxies
Run the bot's own IRC server, becoming a master for other bots to connect to
Capture Windows registry traffic, including passwords (sometimes capture the entire Windows registry.)
All of the IRC bots have modular capabilities.
Therefore, if someone programs a new module, the owner of the botnet runs a single command to install and use the new module on every bot.
Attackers gain control of a client machine when it visits a malicious Web page.
Most common is an attack via browser vulnerabilities (drive-by infection)
The attacking code instructs the Web browser to download and execute malicious code -- without the user knowing.
"Stupid user that clicked yes" is no longer the case!
Defence: it is very important to install patches as soon as they are released.
Attack code is never part of the initial exploit.
A malicious Web page doesn't generally host the exploit, because it would be reported more quickly.
Instead, the malicious website instructs the victim's browser to download the exploit from another server.
How does a Web server become exploited?
A piece of PHP (or other) code allows someone to secretly upload whatever they want, caused by
mistakes in server configuration
Web application programming errors
plain old security holes in the underlying technologies
Attackers keep track of IPs they have compromised
MPack and IcePack are the two most popular kits:
provide the user with a Web interface, and
configuration options to set up a downloader
The downloader is
the program that runs on exploited machines after an attack has succeeded,
fetches and executes malware from wherever it's configured to do so, and
can use encryption to avoid network-based detection.
MPack and IcePack provide attackers with a neat Web interface to
view statistics about attack progress
see information about how successful the attack is,
maintain lists of already compromised IP addresses.
July 2004 -- spam peaked at 94.5 percent of all email monitored by MessageLabs
Today -- spam hovers around 71 percent.
A relatively new breed of botnets is spawned by the Storm worm
Storm worm malware lately contributed to a slight increase in spam volumes
Controlled by the notorious Russian spammer Zliden
Storm is believed to have infected 50 million machines
Only 10 to 20 percent of its capacity is being used
Includes image and PDF generation engine to ensure all emails are unique
Random graphical elements help to thwart detection and profiling.
Source: MessageLabs
Storm masks its command and control structure in eDonkey
Uses P2P traffic, not IRC
Turns infected machines into bots
Uses low DNS time-to-live (TTL) values
Enables a botnet of phishing web sites via a set of dynamic hosts:
The website hops from server to server too quickly -- well before investigators can get to it.
Zombie machines can automatically shift to DDoS attack mode
Knocks rival botnet malware offline
Undergoes regular updates to circumvent detection by antivirus
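An added example, not from the course page, of what the low-TTL, host-hopping pattern above looks like in resolver data and how a defender can score it: the lookups, domain names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed resolver answers in time order (not real data): (domain, ttl_seconds, A records).
LOOKUPS = [
    ("phish-login.test", 120, ["203.0.113.5", "198.51.100.9", "192.0.2.17"]),
    ("phish-login.test", 120, ["198.51.100.22", "203.0.113.70", "192.0.2.200"]),
    ("phish-login.test", 120, ["203.0.113.33", "198.51.100.8", "192.0.2.61"]),
    ("www.example.test", 86400, ["192.0.2.1"]),
    ("www.example.test", 86400, ["192.0.2.1"]),
]

def flux_indicators(lookups):
    """Per domain: lowest TTL seen, distinct IPs, distinct /24 networks, and the share of
    consecutive answers that changed. Fast flux shows a low TTL together with high churn."""
    by_domain = defaultdict(list)
    for domain, ttl, ips in lookups:
        by_domain[domain].append((ttl, frozenset(ip_address(ip) for ip in ips)))
    result = {}
    for domain, answers in by_domain.items():
        sets = [s for _, s in answers]
        all_ips = set().union(*sets)
        prefixes = {ip_network(f"{ip}/24", strict=False) for ip in all_ips}
        changed = sum(1 for a, b in zip(sets, sets[1:]) if a != b)
        result[domain] = {
            "min_ttl": min(t for t, _ in answers),
            "unique_ips": len(all_ips),
            "unique_prefixes": len(prefixes),
            "churn": changed / (len(sets) - 1) if len(sets) > 1 else 0.0,
        }
    return result

def is_fast_flux(ind, max_ttl=300, min_ips=5, min_prefixes=3, min_churn=0.5):
    """Thresholds are assumed starting points; tune them against your own resolver logs."""
    return (ind["min_ttl"] <= max_ttl and ind["unique_ips"] >= min_ips
            and ind["unique_prefixes"] >= min_prefixes and ind["churn"] >= min_churn)

def flagged_domains(lookups):
    return sorted(d for d, ind in flux_indicators(lookups).items() if is_fast_flux(ind))
```

Distinct /24 networks stand in for distinct hosting providers here; with access to routing data, distinct ASNs are the stronger signal.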
Many people believe that botnets were engineered with one sole purpose in mind --
Distributed Denial of Service (DDoS) attacks:
DDoS sends IP packets to a host as fast as possible
DDoS attacks can come from thousands of computers at once
One can only guess how many dollars companies pay each year to organized crime groups to sustain their Internet presence.
Source: 2005 worldwide DDoS stats, 2006 CommTouch Report
Botnet-based spam is ever-increasing
In August 2007 security company Sophos claimed that a 30 percent increase in spam was due to pump-and-dump stock scams.
Bot herders remain in control of botnets, perfecting their attacks
Botnets can boost the PageRank of certain websites
The more sites link to a web page, the more likely that page is to turn up high in search engine results.
Known as inbound links, or backlinks.
More links make a page more relevant -- Google gives it a higher keyword ranking
Botnets can also boost inbound links to malicious sites
Sunbelt Security identified a number of blogs on Google Blogger service linking to malicious content.
The sites claimed to offer multimedia files.
Users were required to download a CODEC to view the content
The "CODEC" was actually a Trojan horse that delivered a ZLOB virus variant.
Thus, combined with PageRank-boosting botnets, other types of botnets could spread faster.
Botnets are very useful in gaining visibility for websites selling illegal drugs
Manipulating search engine ranking is a very powerful tool in this business
Universities and all .edu web domains are a prime target:
Google ranks content from .edu higher
Almost any university Web page full of links to pharmaceutical dealers helps search visibility.
When searching for a particular drug name, users think the first results page would be
a Wikipedia article, or
a medical information site, etc.
Instead, the first page of search results is links to sell drugs:
Some may be legitimate
Others sell drugs illegally
The third kind is pharming for credit card information.
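An added example, not part of the course page, of how a site owner can check their own pages for the injected, invisible backlinks described above; the HTML sample, the hidden-style heuristics and the site host are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link"}  # elements that never get an end tag

# Constructed sample of a university page with injected links (not a real site).
SAMPLE_HTML = """<html><body><h1>Department of Chemistry</h1><a href="/courses/">Courses</a>
<a href="https://example.edu/library">Library</a><br><div style="display:none">
  <a href="http://cheap-pills.example/buy">buy cheap meds online</a>
  <a href="http://rx-deals.example/">discount store</a></div>
<p style="position:absolute; left:-9999px"><a href="http://pillstore.example/">pills</a></p></body></html>"""

def hidden_style(style):
    s = (style or "").replace(" ", "").lower()
    return "display:none" in s or "visibility:hidden" in s or "left:-" in s

class HiddenLinkScanner(HTMLParser):
    # Collects outbound links that visitors never see because inline CSS hides them.
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.hidden_stack = []   # one bool per open element: hidden itself or by an ancestor
        self.current_href = None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag not in VOID_TAGS:
            parent_hidden = bool(self.hidden_stack and self.hidden_stack[-1])
            self.hidden_stack.append(parent_hidden or hidden_style(a.get("style")))
        if tag == "a":
            self.current_href = a.get("href")

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.hidden_stack:
            self.hidden_stack.pop()
        if tag == "a":
            self.current_href = None

    def handle_data(self, data):
        if not self.current_href or not (self.hidden_stack and self.hidden_stack[-1]):
            return
        host = urlparse(self.current_href).netloc.lower()
        if host and host != self.site_host:   # relative or same-site links are not backlinks
            self.findings.append((self.current_href, data.strip()))

def hidden_outbound_links(html, site_host):
    scanner = HiddenLinkScanner(site_host)
    scanner.feed(html)
    return scanner.findings
```

Hiding via external stylesheets or script is not covered by these inline heuristics; a rendered-DOM check catches those.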