Bots, viruses, and spam: The converged threat and how
to fight it
January 10, 2005
Bots, viruses, and spam
AGENDA
1. Introduction
2. What is a botnet?
3. What are botnets used for?
4. Who is behind this?
5. How can we fight them?
6. Conclusion/Q&A
Introduction
1. Who we are, our background.
2. Current statistics on spam, viruses, worms, denial of service.
3. What do they all have in common?
Jim Lippard
Director, Information Security Operations
Global Crossing
Andrew Ramsey
Manager, Policy Enforcement
Global Crossing
We both previously held the equivalent positions at GlobalCenter (webhosting company acquired
by Exodus->Cable & Wireless USA->Savvis) and at Primenet (national dialup ISP).
Global Crossing
Global Crossing is a global telecom/data/conferencing company, operating one of the world’s
largest fiber optic networks (75,000 route miles).
[Map: Global Crossing North America – Dedicated Internet Access/IP Transit. Legend: Landing Points, Cities Connected (Switch Sites), Connecting Systems, IP POP.]
[Map: Global Crossing South America – Dedicated Internet Access/IP Transit. Legend: Landing Points, Cities Connected, Connecting Systems, IP POP.]
[Map: Global Crossing UK – Dedicated Internet Access/IP Transit. Legend: Landing Points, Cities Connected, Connecting Systems, IP POP.]
[Map: Global Crossing Europe – Dedicated Internet Access/IP Transit. Legend: Landing Points, Cities Connected, Connecting Systems, IP POP.]
Percentage of email that is spam:
2002: 9%. 2003: 40%. 2004: 73%.
Percentage of email containing viruses:
2002: 0.5%. 2003: 3%. 2004: 6.1%.
Number of phishing emails:
Total through September 2003: 273
Total through September 2004: >2 million
Monthly since September 2004: 2-5 million
(Above from MessageLabs 2004 end-of-year report.)
Denial of Service Attacks:
2002: 48. 2003: 409. 2004: 482.
(Above from Global Crossing; 2002 is for Oct-Dec only.)
[Chart: GLBC Unique Infected Customer IPs, monthly from 9/29/2003 to 12/29/2004; y-axis 0 to 350,000.]
Unique Infected IPs, week ending January 3, 2005:
Entire Internet (unique IPs within each category; a single IP may have multiple problems)

Category   Unique IPs   Share
Spam       1071454      36.6%
Bots       831044       28.4%
Beagle     503108       17.2%
Phatbot    346351       11.8%
Beagle3    83928        2.9%
Slammer    28402        1.0%
Dameware   20123        0.7%
Proxy      18740        0.6%
Blaster    12504        0.4%
Scan445    7797         0.3%
Nachi      595          0.0%
Mydoom     594          0.0%
Sinit      588          0.0%
Total      2925228
What do viruses, worms, spams, phishing, and denial of service attacks have in common?
All are associated with bots and botnets.
All are being used to get criminals what they want:
• Your clean (not listed on blacklists) IP addresses.
• Your accounts and passwords.
• Your money.
• Your identity.
• The ability to continue getting these things without being caught.
What is a botnet?
A collection of compromised systems (“bots”) under the control of a single entity who uses a central controller (“botnet controller”) to issue commands to the bots.
Bots are almost always compromised Windows machines—they may be compromised by worms, viruses, trojan horses, or automated or semi-automated attack tools exploiting common Windows vulnerabilities.
Botnet controllers are almost always compromised Unix machines—most often compromised by automated or semi-automated attack tools exploiting common Unix vulnerabilities.
The method of control is almost always IRC, usually on standard IRC ports (6667-up).
When the use of botnets is sold to third parties, there is often a nice, professional-looking Windows or web interface provided.
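The IRC control pattern described above is also what makes a controller visible from the network side. The following is an added example (not code from the presentation): it scans summarized flow records for one external host on an IRC port that many customer hosts contact repeatedly, the shape of a botnet controller rather than a user on a chat network. The flow records and the customer prefix are constructed, and the thresholds are assumptions to tune per network.

```python
"""Find candidate IRC botnet controllers in flow records.

Added example (not code from the presentation): a controller shows up as
one external host that many customer hosts keep connecting to on an IRC
port. The flow records are constructed; thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict

# Standard IRC ports (6667 and up, as the slides note) plus common neighbours.
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}

# Constructed flow summary: (src_ip, dst_ip, dst_port, flows seen in window).
SAMPLE_FLOWS = [
    ("198.51.100.10", "203.0.113.5", 6667, 12),
    ("198.51.100.11", "203.0.113.5", 6667, 9),
    ("198.51.100.12", "203.0.113.5", 6667, 15),
    ("198.51.100.13", "203.0.113.5", 6667, 7),
    ("198.51.100.14", "203.0.113.5", 6667, 11),
    ("198.51.100.20", "203.0.113.7", 6667, 3),   # one user on a normal IRC network
    ("198.51.100.21", "203.0.113.8", 80, 40),    # ordinary web traffic
]


def find_controllers(flows, customer_nets, min_clients=5, min_flows_each=5):
    """Return {external_ip: sorted customer IPs} for hosts on IRC ports that
    at least min_clients distinct customer hosts each contact repeatedly."""
    nets = [ipaddress.ip_network(n) for n in customer_nets]

    def inside(ip):
        return any(ip in n for n in nets)

    clients = defaultdict(set)
    for src, dst, dport, count in flows:
        if dport not in IRC_PORTS or count < min_flows_each:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not inside(src_ip) or inside(dst_ip):
            continue  # keep only customer -> external sessions
        clients[dst].add(src)
    return {c: sorted(s) for c, s in clients.items() if len(s) >= min_clients}


if __name__ == "__main__":
    for ctl, bots in find_controllers(SAMPLE_FLOWS, ["198.51.100.0/24"]).items():
        print(f"candidate controller {ctl}: {len(bots)} customer hosts; verify before blackholing")
```

A hit is a candidate only; the slides' advice to blackhole "upon verification" still applies, since a busy legitimate IRC server produces the same shape.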
Phatbot command list (from LURHQ)
bot.command runs a command with system()
bot.unsecure enable shares / enable dcom
bot.secure delete shares / disable dcom
bot.flushdns flushes the bots dns cache
bot.quit quits the bot
bot.longuptime If uptime > 7 days then bot will respond
bot.sysinfo displays the system info
bot.status gives status
bot.rndnick makes the bot generate a new random nick
bot.removeallbut removes the bot if id does not match
bot.remove removes the bot
bot.open opens a file (whatever)
bot.nick changes the nickname of the bot
bot.id displays the id of the current code
bot.execute makes the bot execute a .exe
bot.dns resolves ip/hostname by dns
bot.die terminates the bot
bot.about displays the info the author wants you to see
shell.disable Disable shell handler
shell.enable Enable shell handler
shell.handler FallBack handler for shell
commands.list Lists all available commands
plugin.unload unloads a plugin (not supported yet)
plugin.load loads a plugin
cvar.saveconfig saves config to a file
cvar.loadconfig loads config from a file
cvar.set sets the content of a cvar
cvar.get gets the content of a cvar
cvar.list prints a list of all cvars
inst.svcdel deletes a service from scm
inst.svcadd adds a service to scm
inst.asdel deletes an autostart entry
inst.asadd adds an autostart entry
logic.ifuptime exec command if uptime is bigger than specified
mac.login logs the user in
mac.logout logs the user out
ftp.update executes a file from a ftp url
ftp.execute updates the bot from a ftp url
ftp.download downloads a file from ftp
http.visit visits an url with a specified referrer
http.update executes a file from a http url
http.execute updates the bot from a http url
http.download downloads a file from http
rsl.logoff logs the user off
rsl.shutdown shuts the computer down
rsl.reboot reboots the computer
pctrl.kill kills a process
pctrl.list lists all processes
scan.stop signal stop to child threads
scan.start signal start to child threads
scan.disable disables a scanner module
scan.enable enables a scanner module
scan.clearnetranges clears all netranges registered with the scanner
scan.resetnetranges resets netranges to the localhost
scan.listnetranges lists all netranges registered with the scanner
scan.delnetrange deletes a netrange from the scanner
scan.addnetrange adds a netrange to the scanner
ddos.phatwonk starts phatwonk flood
ddos.phaticmp starts phaticmp flood
ddos.phatsyn starts phatsyn flood
ddos.stop stops all floods
ddos.httpflood starts a HTTP flood
ddos.synflood starts an SYN flood
ddos.udpflood starts a UDP flood
redirect.stop stops all redirects running
redirect.socks starts a socks4 proxy
redirect.https starts a https proxy
redirect.http starts a http proxy
redirect.gre starts a gre redirect
redirect.tcp starts a tcp port redirect
harvest.aol makes the bot get aol stuff
harvest.cdkeys makes the bot get a list of cdkeys
harvest.emailshttp makes the bot get a list of emails via http
harvest.emails makes the bot get a list of emails
waste.server changes the server the bot connects to
waste.reconnect reconnects to the server
waste.raw sends a raw message to the waste server
waste.quit
waste.privmsg sends a privmsg
waste.part makes the bot part a channel
waste.netinfo prints netinfo
waste.mode lets the bot perform a mode change
waste.join makes the bot join a channel
waste.gethost prints netinfo when host matches
waste.getedu prints netinfo when the bot is .edu
waste.action lets the bot perform an action
waste.disconnect disconnects the bot from waste
What are bots used for?
They are a disposable platform of computing power, usable for:
• Scanning for other vulnerable systems to create more bots.
• Collecting information from the compromised system (accounts, passwords).
• Operating as proxies for sending spam (including phishing attacks), or launching new worms or viruses.
• Launching denial of service attacks (to attack competition or commit extortion).
• Distribution of pirated or illegal material.
They can be used for anything the controlling entity wants to use them for—and the activity will be attributed to the bot rather than the controlling entity.
They refute the argument that “There’s nothing on my computer that anyone would want” (usually given as an excuse not to secure a home computer).
Who is behind this?
• Criminal hackers: They write the worms, viruses, and trojan horses, and act as “botnet wranglers.”
• Criminal spammers: They pay criminal hackers to obtain mailing lists and for the use of botnets to use as proxies (or “peas”) for sending spam.
• Organized crime: They hire or have their own criminal hackers to engage in online protection rackets, credit card fraud, and identity theft.
This slide intentionally left blank, as the image to be shown
here may not be distributed.
How can we fight them?
Any solution that requires all or most end users to become power users or system administrators to secure their systems will fail. The vast majority of bots are end user systems belonging to home users, sitting behind a cable or DSL modem.
Effective reduction of bots, viruses, spam, and denial of service attacks will require actions from multiple parties—software and OS vendors, organizations with an Internet presence, online service providers, and law enforcement.
Things software and OS vendors should do.
• Start providing software without major well-known, detectible defects—there is no excuse for software with buffer overflows being released as a product.
• Software defaults should be the most secure settings, not the least secure.
Things organizations should do.
• Implement organizational firewalls (with default deny on outbound as well as inbound) and content filtering.
• Implement spam filtering (w/CBL) and antivirus.
• Implement endpoint security on client machines to enforce organizational standards for antivirus, patch levels, host firewall rules, file integrity—hosts out of compliance don’t get connectivity.
• Switch to thin clients where a desktop computer is overkill.
• Implement intrusion prevention systems.
• Segment large networks to allow segregation of traffic by criticality/quarantining of infected hosts.
Things online service providers should do.
• Put the right provisions in contracts/AUPs.
• Implement detection and filtering mechanisms where/when feasible.
• Participate in intelligence sharing with security researchers, anti-spammers, and other providers.
• Work with law enforcement to assist in prosecutions (e.g., FBI’s Operation Slam Spam).
• File lawsuits against criminal abusers (AOL, Earthlink, Microsoft are good at this).
• Act aggressively to get known abusers off networks and keep them from getting on in the first place (e.g., Spamhaus Blackhole List, or SBL).
ISPs (with end users as direct customers):
• Quarantine infected end user systems.
• Demand regular notifications of detected issues from upstream providers.
NSPs (with ISPs, colo, webhosting, etc. as direct customers):
• Blackhole botnet controllers and phishing websites upon verification.
• Send regular notifications to downstream customers of detected issues.
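The ISP/NSP split above comes down to one routing decision per detected IP: who owns it, whether to notify, and whether the owner can quarantine the host directly. This added example (not code from the presentation or from Global Crossing) takes a feed of infected IPs in the style of the weekly counts shown earlier and produces the per-customer notification report, the quarantine list for end-user customers, and the IPs that fall outside the provider's own prefixes. The customer prefixes, the end-user flag and the feed lines are constructed.

```python
"""Route infection reports to the responsible downstream customer.

Added example (not code from the presentation): an NSP gets a feed of
infected IPs and must notify the customer owning each one; where the
customer is an ISP serving end users directly, the host is also queued
for quarantine. Prefixes, the end-user flag and the feed are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed allocations: prefix -> (customer, serves end users directly?)
CUSTOMERS = {
    "198.51.100.0/24": ("example-isp", True),    # may quarantine hosts
    "203.0.113.0/25": ("example-colo", False),   # notify only
}

# Constructed feed lines: ip,category,last_seen
FEED = """\
198.51.100.23,phatbot,2005-01-03
198.51.100.23,spam,2005-01-03
203.0.113.40,proxy,2005-01-02
192.0.2.77,beagle,2005-01-03
"""


def parse_feed(text):
    """Yield (ip_address, category) from the feed, skipping blank/comment lines."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            ip, category, _seen = (f.strip() for f in line.split(","))
            yield ipaddress.ip_address(ip), category


def route_reports(feed_text, customers=CUSTOMERS):
    """Return (notifications, quarantine, unmatched): per-customer report of
    IP -> categories, end-user IPs to isolate, and IPs outside our prefixes."""
    nets = [(ipaddress.ip_network(p), name, eu) for p, (name, eu) in customers.items()]
    notifications = defaultdict(lambda: defaultdict(set))
    quarantine, unmatched = set(), set()
    for ip, category in parse_feed(feed_text):
        owner = next(((name, eu) for net, name, eu in nets if ip in net), None)
        if owner is None:
            unmatched.add(str(ip))  # not ours: nothing to notify downstream
            continue
        name, end_user = owner
        notifications[name][str(ip)].add(category)
        if end_user:
            quarantine.add(str(ip))
    report = {c: {ip: sorted(v) for ip, v in ips.items()} for c, ips in notifications.items()}
    return report, sorted(quarantine), sorted(unmatched)
```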
Things law enforcement should do.
• Work with online providers and security researchers to collect intelligence (e.g., Operation Slam Spam).
• Go undercover to engage in deals with criminal hackers, criminal spammers, and organized criminals to “follow the money” and connect online identities to real identities.
• Follow up on civil litigation from online providers with criminal prosecutions.
[Chart: 2004 SBL Listings by Provider, monthly from 1/15/2004 to 12/15/2004; y-axis 0 to 250. Providers: Global Crossing, Verio, Sprint, Cogent, Qwest, TW Telecom, AT&T, Savvis, Verizon, Level 3, AboveNet, XO, SBC, MCI.]
Further Information
Composite Blocking List: http://cbl.abuseat.org
Registry Of Known Spam Operations (ROKSO): http://www.spamhaus.org
Bot information: http://www.lurhq.com/research.html
MessageLabs 2004 end-of-year report: http://www.messagelabs.com/binaries/LAB480_endofyear_v2.pdf

Jim Lippard
[email protected]
Andrew Ramsey
[email protected]