Posted 15-Jan-2015 (Technology) by arbor-networks
BladeRunner Adventures in Tracking Botnets
Jason Jones and Marc Eisenbarth
Agenda • Who Are We? • ASERT Background • BladeRunner
– Background – Redesign – Malware Tracked – Results – Future Work
• Conclusions
Who Am I (Jason)? • Sr. Security Research Analyst for Arbor Networks’ ASERT
– Previously of TippingPoint DVLabs • Speaker at
– BlackHat USA 2012 – InfoSec Southwest 2013 – Usenix LEET '13 – Botconf 2013 – AusCERT
• Research interests – IP reputation – Malware clustering – Data mining dns / malware / target data
Who is Marc? • Manager of ASERT Research Team / ASERT Architect
– Previously of TippingPoint DVLabs • Speaker at
– Shmoocon – Usenix LEET '12 – InfoSec Southwest 2013 – BotConf – AusCERT (twice)
ASERT
• Arbor Security Engineering & Response Team – Active Threat Feed – ATLAS Intelligence Feed – Malware Reverse Engineering – Threat Intelligence
ASERT • ASERT Malware Corral
– Malware storage + processing system – Processing occurs via sandbox, static methods – Tagging via behavioral and static methods
• Currently pulling in between 50-100k samples / day – Biggest problem is figuring out what to run
• 665 Unique family names tagged in 2014 – DDoS, Bankers, Droppers, RATs, Advanced Threats, etc. – 161 different family phone homes tagged
MCorral (diagram slide, not reproduced in the text)
BladeRunner
Background • Started by Jose Nazario in 2006 • Original version focused on IRC bots • Only tracked DDoS commands • Presented at
– VirusBulletin Conference 2006 – BlackHat DC 2007 – http://www.arbornetworks.com/asert/2012/02/ddos-attacks-in-russia/ – HITBKUL 2012
Background • Started tracking HTTP bots
– Used os.system calls to curl -_- – Was not enjoyable to read or write
• Tracked binary protocol bots – Used “replay” – good for avoiding time-consuming protocol reversing, but…. – If a sample made a successful connection, send the captured packet back to the CnC – No connection in MCorral = CnC was considered “dead” – DynDNS-based malware tends to be up only for short, random periods, so a lot was missed
Redesign - Goals • Lack of flexibility, lack of tracking led to redesign • Most important requirement: *has* to do everything the old version did and “more” • Track non-DDoS commands • Support non-DDoS malware • Automatically expire CnC • Have “conversations” with CnC
– No replay – Respond to all commands until termination
Redesign - Architecture • Three separate pieces
– Data model • Our system uses Django-based ORM • Postgres backend • Considering alt storage methods for handling “big data”
– Harvesters • Pull tagged connections from our analysis system • Use VirusTotal Intelligence Hunting • Configuration extractors
– “Replicants” aka fake bots
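The goals and architecture above describe the replicant side of the redesign: a fake bot that checks in, answers every command until the CnC terminates the conversation, records what it was told, and expires the CnC after repeated failed contacts. The following is an added example of that loop, not BladeRunner's own code; the `HELLO|family|id` check-in, the `OP|payload` reply framing, the `DDOS`/`SLEEP`/`STOP` opcodes and the `ScriptedC2` stand-in for a live server are all assumptions made up for the example.

```python
"""Minimal "replicant" (fake bot) conversation loop with automatic CnC expiry.
Added example; the wire format and opcodes are invented stand-ins, not any
real family's protocol."""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class C2Record:
    """What the data model keeps per CnC: liveness counters plus every command seen."""
    host: str
    family: str
    max_failures: int = 3            # consecutive dead contacts before we expire it
    failures: int = 0
    last_seen: Optional[float] = None
    commands: List[dict] = field(default_factory=list)
    expired: bool = False


class Replicant:
    """Drive a conversation until the CnC terminates it or stops answering."""

    def __init__(self, record: C2Record,
                 transport: Callable[[bytes], Optional[bytes]],
                 parsers: Dict[bytes, Callable[[bytes], dict]],
                 max_rounds: int = 50):
        self.record = record
        self.transport = transport     # send request bytes, get reply bytes or None
        self.parsers = parsers         # opcode -> payload parser
        self.max_rounds = max_rounds   # hard stop so a chatty CnC cannot pin us forever

    def checkin(self) -> bytes:
        # Hypothetical check-in: HELLO|<family>|<bot id>
        return b"HELLO|" + self.record.family.encode() + b"|replicant-01"

    def run(self) -> str:
        request = self.checkin()
        for _ in range(self.max_rounds):
            resp = self.transport(request)
            if resp is None:                      # no connection / empty reply
                self.record.failures += 1
                if self.record.failures >= self.record.max_failures:
                    self.record.expired = True
                    return "expired"
                request = self.checkin()
                continue
            self.record.failures = 0              # any answer resets the dead counter
            self.record.last_seen = time.time()
            op, _, payload = resp.partition(b"|")  # hypothetical OP|payload framing
            parser = self.parsers.get(op)
            parsed = parser(payload) if parser else {"raw": payload.decode("utf-8", "replace")}
            self.record.commands.append({"op": op.decode("ascii", "replace"), **parsed})
            if op == b"STOP":                     # CnC ends the conversation
                return "terminated"
            request = b"ACK|" + op                # keep talking: acknowledge, await next command
        return "round_limit"


def parse_ddos(payload: bytes) -> dict:
    """Hypothetical DDOS payload: <target>|<method>|<duration seconds>."""
    target, method, duration = payload.decode().split("|")
    return {"target": target, "method": method, "duration": int(duration)}


class ScriptedC2:
    """Stand-in for a live CnC: hands out a constructed reply sequence, then goes silent."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.requests = []

    def __call__(self, request: bytes) -> Optional[bytes]:
        self.requests.append(request)
        return self.replies.pop(0) if self.replies else None


def demo_live():
    rec = C2Record("c2.example.invalid", "drive")
    c2 = ScriptedC2([b"DDOS|http://target.example/|http-get|60", b"SLEEP|300", b"STOP|"])
    return Replicant(rec, c2, {b"DDOS": parse_ddos}).run(), rec


def demo_dead():
    rec = C2Record("dead.example.invalid", "drive")
    return Replicant(rec, ScriptedC2([]), {b"DDOS": parse_ddos}).run(), rec


if __name__ == "__main__":
    for status, rec in (demo_live(), demo_dead()):
        print(rec.host, status, "expired" if rec.expired else "", rec.commands)
```

Unknown opcodes are stored raw rather than dropped, which is what lets a harvester later add a parser (the "more custom command parsers" item in the wrap-up) without having lost the data.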
Redesign - Architecture (diagram slide, not reproduced in the text)
Replicated Malware
Replicated Malware
• Sixteen separate malware families re-implemented – Ten HTTP-based
• Four implement some form of encryption / obfuscation – One plain-text binary protocol – Five binary protocol with some form of encryption
• More time consuming to reimplement binary protocols • Even more time consuming to reverse custom crypto
• No IRC bots
My standard reversing process… (image slide, not reproduced in the text)
DirtJumper Family / Variants (image slide, not reproduced in the text)
DirtJumper Drive
https://www.arbornetworks.com/asert/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/
Drive2
https://www.arbornetworks.com/asert/2013/08/dirtjumper-drive-shifts-into-a-new-gear/
Drive3
https://www.arbornetworks.com/asert/2014/03/drive-returns-with-new-tactics-and-new-attacks/
Athena HTTP
https://www.arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey/
Madness
• Super-awesome Base64-encoded secrecy • Most interesting strings in the binary are Base64-encoded • Sometimes the author forgets to strip symbols from his binaries :) • Sometimes botnet ops give you their FTP creds in a file download :) • https://www.arbornetworks.com/asert/2014/01/can-i-play-with-madness/
Madness
• Bad admins give you a download-and-execute containing their hosting site credentials :) – And that gets you their admin panel credentials
• Poor guy has a small botnet :( • Appears to be the “cracked” version available in forums
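Two of the Madness observations above (the interesting strings are Base64-encoded; a downloaded file handed over hosting credentials) suggest a small static triage step: pull every Base64 run out of a sample, keep the ones that decode to printable text, and flag URLs that embed credentials. This is an added example, not ASERT's extractor, and `SAMPLE_BLOB` is a constructed stand-in for a binary rather than a real Madness sample.

```python
"""Recover Base64-encoded strings from a binary and triage them.
Added example; SAMPLE_BLOB is constructed, not a real sample."""
import base64
import binascii
import re

# Runs of Base64 alphabet at least 12 chars long, with optional '=' padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")

# scheme://user:password@host  (credentials embedded in a URL)
CRED_URL = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s:]+:[^/@\s]+@")


def decode_base64_strings(blob: bytes):
    """Return (offset, decoded_text) for every run that decodes to printable ASCII."""
    hits = []
    for m in B64_RUN.finditer(blob):
        enc = m.group(0)
        if len(enc) % 4:
            # Real Base64 comes in 4-char groups; plain identifiers that happen
            # to use the alphabet (GetProcAddress, ...) usually do not.
            continue
        try:
            text = base64.b64decode(enc, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text and text.isprintable():  # drops NUL runs and other binary that decodes
            hits.append((m.start(), text))
    return hits


def triage(hits):
    """Bucket decoded strings: embedded credentials, other URLs, everything else."""
    out = {"credentials": [], "urls": [], "other": []}
    for _, text in hits:
        if CRED_URL.match(text):
            out["credentials"].append(text)
        elif "://" in text:
            out["urls"].append(text)
        else:
            out["other"].append(text)
    return out


# Constructed stand-in for a stripped binary: a header, two plain imports, three
# Base64 strings (gate URL, FTP creds, user agent) and a run of 'A' that is valid
# Base64 but decodes to NULs.  None of these hosts or credentials are real.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"GetProcAddress\x00" + b"kernel32.dll\x00"
    + base64.b64encode(b"http://c2.example.invalid/madness/gate.php") + b"\x00"
    + b"AAAAAAAAAAAAAAAA\x00"
    + base64.b64encode(b"ftp://madop:hunter2@files.example.invalid/") + b"\x00"
    + base64.b64encode(b"Mozilla/5.0 (Windows NT 6.1)") + b"\x00\xff\xfe"
)


if __name__ == "__main__":
    found = decode_base64_strings(SAMPLE_BLOB)
    for off, text in found:
        print(f"0x{off:04x} {text}")
    print(triage(found))
```

The length-multiple-of-four check is deliberately strict: unpadded Base64 that an author emits without `=` will be skipped, so relax it (and pad manually) if a family is known to do that.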
Solarbot
• RC4 using s parameter as key • NULL-delimited commands • Commands are byte values • Later discovered leaked cracked builder + panel
– http://www.sendspace.com/file/nm5isp • Really? Blocking Scrabble?
– “Blacklist: https://scrabblefb-live2.sn.eamobile.com”
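An added example of the Solarbot decoding described above (RC4 keyed with the `s` request parameter, NULL-delimited commands whose first byte is the command value). RC4 and the framing follow the slide; the opcode names in `OPCODES`, the `s=...&id=...` request shape and the sample commands are assumptions, and the encoder exists only to build the constructed ciphertext. This is not BladeRunner's Solarbot replicant.

```python
"""RC4 + NUL-delimited command decoding in the style described for Solarbot.
Added example; opcode names and the request shape are assumptions."""
from urllib.parse import parse_qs

# Hypothetical opcode table; the slide only says commands are byte values.
OPCODES = {0x01: "download-execute", 0x02: "ddos-http", 0x03: "update", 0xFF: "uninstall"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def key_from_request(query: str) -> bytes:
    """The bot's own 's' parameter is the RC4 key for the reply (assumed query shape: s=...&id=...)."""
    return parse_qs(query)["s"][0].encode()


def decode_response(query: str, ciphertext: bytes):
    """Decrypt a CnC reply and split it into (opcode name, argument) pairs."""
    plain = rc4(key_from_request(query), ciphertext)
    cmds = []
    for frame in plain.split(b"\x00"):
        if not frame:                      # trailing / doubled delimiter
            continue
        op, arg = frame[0], frame[1:].decode("latin-1")
        cmds.append((OPCODES.get(op, f"unknown-0x{op:02x}"), arg))
    return cmds


def encode_response(query: str, cmds) -> bytes:
    """CnC-side framing, used here only to build a constructed sample reply."""
    frames = b""
    for op, arg in cmds:
        body = arg.encode("latin-1")
        if b"\x00" in body:
            raise ValueError("NUL inside an argument would break the delimiter framing")
        frames += bytes([op]) + body + b"\x00"
    return rc4(key_from_request(query), frames)


# Constructed exchange: bot request carries s=deadbeef, CnC answers with three commands.
SAMPLE_QUERY = "s=deadbeef&id=bot1"
SAMPLE_REPLY = encode_response(SAMPLE_QUERY, [
    (0x02, "http://target.example/|http-get|60"),
    (0x01, "http://c2.example.invalid/u.exe"),
    (0x7F, "x"),                            # opcode the table does not know
])


if __name__ == "__main__":
    for name, arg in decode_response(SAMPLE_QUERY, SAMPLE_REPLY):
        print(name, arg)
```

Because the key comes from the bot's own request, a replicant that picks its `s` value controls the key material, which is why this scheme is cheap to talk to once the keying rule is known.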
DarkComet
https://www.arbornetworks.com/asert/2012/03/its-not-the-end-of-the-world-darkcomet-misses-by-a-mile/
Results!
Results - Overview • In production for over a year • Provided a wealth of intelligence around attacks
– What kinds of attacks are most popular • Collected over 270,000 attack commands • Stores information on over 3500 C2
– Almost 1100 have been active at some point • Since Jan 2014, data harvested from 1996 unique MD5
– Number of C2 with double-digit sample associations
Results - Locations (sixteen map slides; images not reproduced in the text)
Results – Downloaded Malware (1), (2) (chart slides, not reproduced in the text)
Results – CnC Relationships via pDNS (1), (2), (3) (graph slides, not reproduced in the text)
https://www.virustotal.com/en/ip-address/31.170.164.5/information/
Results – CnC Relationships via Targets (1) (graph slide, not reproduced in the text)
Results – CnC Relationships via Targets (2)
• Many Drive/Drive2 CnC share similar targets • Coupling similarity in targets with pDNS gives
– Many co-located in same /24 – Some on exact same IP
• Some targets have multiple CnC on multiple botnets targeting – Speaks to larger campaign against a site
Results – Geo-Political Activity (1)
• Russia / ex-Soviet Bloc area very active – Russian Gov’t related sites attacked – Azerbaijan / Dagestan-related event attacks – Anti-Gov’t sites attacked – Ukraine sees lots of attacks, is definitely not weak ;) • Corruption exposure sites attacked
Results – Geo-Political Activity (2)
Results – Geo-Political Activity (3) • Sochi Olympics
– Expected target given some recent RU laws + global appeal of the event
– Drive3 started targeting a few days before the games began – Success story since we were able to use the intel for mitigation – Shocker was that it consisted of compromised sites as C2 – Hosters were able to get the majority of the C2 cleaned very fast
Results – Geo-Political Activity (4) • Numerous DDoS attacks launched during Crimea situation
– Local Crimean gov’t sites – UA gov’t sites – RU gov’t sites – Referendum Voting sites
• Attacks had varying success • Attacks still ongoing due to political unrest
Results – Retaliation DDoS
• Stelios / Maverick gets dox’d on paste sites – http://pastebin.ca/2457696
• Multiple CnC start launching attacks against paste sites – Specifically targeted pastes with dox – Hired externally, did not use own CnC for the attacks
• Listed as owner of ddos-service.cc – steliosmaver.ru Athena HTTP CnC possible backend
Results – Protecting Targets
• Major reason why ASERT tracks botnets is for protection + intelligence – Not for sale – Not for ambulance chasing
• Multiple instances of Arbor customers being attacked – Know the attack + botnet = easy to tailor protection
• Share data with those that have the power to take down
Parting Words
Wrap-Up • BladeRunner-like systems produce useful threat intelligence
– Botnet size can matter, especially in DDoS – Find some actual new-to-you underground forums via DDoS targets ;)
• Everyone should be doing it on some level – Goal is to provide a blueprint and a starting point to help that become a reality • All the data makes for pretty pictures :) • Need better handling of larger datasets • Add more custom command parsers
– Files – Generic “Commands”
Future Work • More bots
– Andromeda – Bankers (web-injects , configs)
• Data Mining – GraphDB – Currently investigating TitanGraph – Correlate with other internal data sources – Maltego modules via Canari
• Code availability – Config extraction – Fake bots
Moar Future Work
• Dynamically spin up EC2/Rackspace/etc. instances for proxying on demand – Seen a few geo-blocking DDoS CnC, but not many – Also helps keep the botnet IP space large and dynamic to avoid blacklisting • Alternatives to Django/ORM
– I like it, but…
How Do I Get This Data? • Most people can’t get all of it
– As mentioned previously, not for sale • Hosters / those with power/willingness to take C2’s down • We freely share with CERTs / LE (EuroPol/FBI/equivs)
– Not in the business of takedowns • Full-time job with amount of data processed • Legal morass
– If you are one of those and are interested please contact us • Work for ASERT ;)
Code Availability
• Code *almost* ready for public release :( • Still work to be done cleaving it out of our infrastructure • Goal is to get standalone pieces of many fake bots out so people can integrate them into their own backends and systems
• Targeting July 2014 • https://github.com/arbor/
Questions/Comments/Feedback • [email protected] / [email protected] • @jasonljones / http://www.arbornetworks.com/asert/ • http://jasonjon.es/research/
Thank You!