Top Botnets and how MAEC can help keep you out of their clutches

Robert A. Martin, Principal Engineer, MITRE Corporation

The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.

Top 5 Bots by Class

Rank  Data Theft Bots  Spam Bots
1     Zeus             Rustock
2     Koobface         Pushdo
3     Rimecud          Grum
4     Alureon          Bobax
5     Carberp          Storm

Data Theft Bots – Zeus

Aliases
• Zbot
• Wsnpoem

Notable Attributes
• Based on widely distributed crimeware ($4000*)
• Rootkit functionality
• Supports dynamic web-page injection
• Takes screenshots and HTML scrapes of target sites
• Has ability to kill target system

Types of Data Stolen
• Trusted web site certificates (X.509 PKI)
• Cached web browser passwords
• Cookies
• FTP and POP account credentials
• Banking login credentials

Related Reading
• Security Fix: Zeus Trojan Infiltrates Bank Security Firm
• Security Fix: PC Invader Costs Ky. County $415,000
• http://www.fortiguard.com/analysis/zeusanalysis.html

*Source: http://www.prevx.com/blog/112/ZEUS-steals-information-from-home-and-business-PCs.html

Data Theft Bots – Koobface

Aliases
• Hiloti
• Facebook.331

Notable Attributes
• Propagates through social networks (e.g. Facebook)
• Uses cookies of existing sessions
• Posts malicious status updates
• Sends malicious messages to friends
• Multi-component based
• Latest variant targets Mac OS X, Linux

Types of Data Stolen
• Windows digital product IDs
• Internet profiles
• Email credentials
• FTP credentials
• IM application credentials

Related Reading
• Koobface Mac Security Threat Described
• 10 things you didn't know about the Koobface gang

Data Theft Bots – Rimecud

Aliases
• Buzus
• Palevo.ann
• SillyFDC
• Boaxxe

Notable Attributes
• Based on crimeware kit
• Propagates via IM, P2P and removable drives
• Multi-component based
• UDP-based C2

Types of Data Stolen
• Keystrokes
• System login credentials
• Stored FireFox/IE credentials

Related Reading
• US Leads in Botnet Infections
• Encyclopedia entry: Worm:Win32/Rimecud.B

Data Theft Bots – Alureon

Aliases
• Zlob
• Femab
• DnsChange
• Tidserv
• TDSS

Notable Attributes
• Rootkit functionality
• Infects MBR
• Supports dynamic web-page injection
• Used for click fraud & other purposes
• SSL-based C2

Types of Data Stolen
• URLs visited
• Strings from search engine queries

Related Reading
• MS10-015 Restart Issues Are the Result of Rootkit Infection
• Alureon Evolves to 64 Bit

Data Theft Bots – Carberp

Aliases
• Agent-OZL
• Zbot
• IRCNite

Notable Attributes
• Rootkit functionality
• Does not require admin privileges to run
• Also, makes no changes to the registry
• Supports control of HTTPS/EV-SSL traffic
• Removes other malware

Types of Data Stolen
• System login credentials
• Windows clipboard data
• Windows product key
• Banking credentials (w/SSL)

Related Reading
• Fresh Trojan Carberp Reported To Be Evolving
• Carberp: Quietly replacing Zeus as the financial malware of choice

Spam Bots – Rustock

Aliases
• Costrat
• Mailbot.c!Rootkit
• Meredrop
• RKRustok

Notable Attributes
• Rootkit functionality
• Capable of TLS encryption for sent email
• Uses Encrypted HTTP for C2
• Around since 2006

Estimated Spam Volume
• 46 billion messages/day*

Related Reading
• Rustock botnet responsible for 40% of spam
• Rustock Botnet Switches Techniques

*Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf

Spam Bots – Pushdo

Aliases
• Cutwail
• Pandex
• Mutant

Notable Attributes
• Rootkit functionality
• Uses Encrypted HTTP for C2

Estimated Spam Volume
• 8 billion messages/day*

Related Reading
• Pushdo / Cutwail - An Indepth Analysis
• Insights into the Pushdo/Cutwail Infrastructure

*Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf

Spam Bots – Grum

Aliases
• Tedroo

Notable Attributes
• Rootkit functionality
• Performs DNS MX lookups to send spam

Estimated Spam Volume
• 18.4 billion messages/day*

Related Reading
• 'Grum' Botnet Leads Spam Charge
• Grum and Rustock botnets drive spam to new levels

*Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf

Spam Bots – Bobax

Aliases
• Kraken
• Bobic
• Oderoor
• Cotmonger
• Hacktool.spammer

Notable Attributes
• Uses unencrypted HTTP for C2

Estimated Spam Volume
• 2 billion messages/day*

Related Reading
• Kraken botnet re-emerges 318000 nodes strong
• Security Fix - The Storm Worm's Family Tree

*Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf

Spam Bots – Storm

Aliases
• Nuwar
• Peacomm
• Zhelatin

Notable Attributes
• Likely modified version of 'original' Storm worm from 2008
• Removes P2P functionality
• Rootkit functionality

Estimated Spam Volume
• 2.2 billion messages/day*

Related Reading
• Infamous Storm botnet rises from the grave
• A Breeze of Storm

*Source = http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf

Malware Attribute Enumeration and Characterization (MAEC) & Bots

Why Do We Need to Develop Standards for Malware?
• Lots of products
• Multiple layers of protection
• Inconsistent reports
• There's an arms race

Correlate, Integrate, Automate – across Threats, Detection, Vulnerabilities, Platforms, and Response

Background

Rise of New Threats (Symantec Global Internet Security Threat Report, Volume XIII, 4/2008)

Nimda or I-Worm or Readme?

Timeline:
• Oct 2004 – CME Submission website
• Feb 2005 – CME public announcement
• Oct 2005 – Initial CME Server and discussions at VB Conference
• Jan 2007 – 39 CME IDs assigned
• Feb 2007 – DHS SwA Forum Malware WG
• Dec 2009 – MAEC public website
• Jun 2010 – Initial MAEC Schema

Malware Attribute Enumeration and Characterization (MAEC)

Focus on attributes and behaviors, not intent and malware families


MAEC Use Cases
■ Operational
■ Analysis
  – Help Guide Analysis Process
  – Standardized Tool Output
  – Malware Repositories

MAEC Overview


MAEC & MSM Standards

MAEC levels: High-level Mechanisms -> Mid-level Behaviors -> Low-level Actions

Related Making Security Measurable (MSM) standards:
• CAPEC – The attack pattern(s) exhibited by a malware mechanism or behavior.
• CVE – The vulnerabilities targeted by a malware behavior.
• CPE – The platform(s) targeted by a malware action.
• CEE – The event(s) associated with a malware action.
• OVAL – The host-based object(s) created or modified by a malware action.

The World of Malware Packers


MAEC & Zeus – Host Based Detection I

Zeus Binary -> Malware Analysis Engine (Anubis, CWSandbox, ThreatExpert, etc.) -> Engine Output -> Sandbox -> MAEC Translator -> Host-based Scanner

MAEC & Zeus – Host Based Detection II: Real World Example

Zeus Binary -> Anubis Sandbox -> Anubis Output* -> Anubis->MAEC Translator Script -> MAEC Output -> MAEC->OVAL Translator Script -> OVAL Output

*http://anubis.iseclab.org/?action=result&task_id=1167a57d1aa905e949df5d5478ab23bf9

MAEC Schema Overview – Initial Release

Core types:
• ActionType
• BehaviorType
• ObjectType
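The two "Host Based Detection" slides and the schema overview describe a pipeline: a sandbox report is translated into MAEC behaviors, actions and objects, and the host-based objects are then translated again into something a scanner can check (OVAL on the slides). The script below is an added example, not MITRE's translator scripts and not the real MAEC or OVAL schema: the sandbox report, its field names, the file path, mutex name and IP address are all constructed, the `MaecBehavior`/`MaecAction`/`MaecObject` classes are a minimal stand-in for the schema's three core types, and the output "checks" are plain dictionaries rather than OVAL XML. What it shows is the structural point of the slides: network objects (`tcp_connection`, `http_connection`) stay in the MAEC model but produce no host check, while file, registry and mutex objects do.

```python
"""Added example: constructed sandbox report -> MAEC-style behaviors/actions/objects
-> host-based check items (a stand-in for the MAEC -> OVAL step on the slides)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class MaecObject:
    object_type: str            # e.g. "file", "registry_key", "mutex", "tcp_connection"
    attributes: Dict[str, str]


@dataclass
class MaecAction:
    name: str                   # e.g. "create_file", "http_get"
    objects: List[MaecObject] = field(default_factory=list)


@dataclass
class MaecBehavior:
    name: str                   # e.g. "installation", "c2"
    actions: List[MaecAction] = field(default_factory=list)


# Constructed sandbox report. The event layout and every value are assumptions made
# for this example; they are not a real engine's output format.
SANDBOX_REPORT = {
    "events": [
        {"type": "file_write", "path": "C:\\Windows\\System32\\example_dropper.exe"},
        {"type": "registry_set", "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
         "name": "example_dropper", "data": "C:\\Windows\\System32\\example_dropper.exe"},
        {"type": "mutex_create", "name": "CONSTRUCTED_MUTEX_NAME"},
        {"type": "http_get", "dst_ip": "203.0.113.5", "dst_port": 80, "uri": "/config.bin"},
        {"type": "http_post", "dst_ip": "203.0.113.5", "dst_port": 80, "uri": "/panel/gate.php"},
    ]
}

# Sandbox event type -> (behavior, MAEC action name, MAEC object type).
EVENT_MAP = {
    "file_write": ("installation", "create_file", "file"),
    "registry_set": ("installation", "create_registry_key", "registry_key"),
    "mutex_create": ("installation", "create_mutex", "mutex"),
    "http_get": ("c2", "http_get", "http_connection"),
    "http_post": ("c2", "http_post", "http_connection"),
}


def translate(report: dict) -> List[MaecBehavior]:
    """Group sandbox events into behaviors, each holding actions over typed objects."""
    behaviors: Dict[str, MaecBehavior] = {}
    for ev in report["events"]:
        mapping = EVENT_MAP.get(ev["type"])
        if mapping is None:
            continue  # unknown event types are skipped rather than guessed at
        behavior_name, action_name, object_type = mapping
        attrs = {k: str(v) for k, v in ev.items() if k != "type"}
        objects = [MaecObject(object_type, attrs)]
        if object_type == "http_connection":
            # Network actions also carry the underlying transport object, as the C2 slides do.
            objects.insert(0, MaecObject("tcp_connection", {
                "external_ip": attrs["dst_ip"], "external_port": attrs["dst_port"]}))
        behaviors.setdefault(behavior_name, MaecBehavior(behavior_name)).actions.append(
            MaecAction(action_name, objects))
    return list(behaviors.values())


# Only host-resident object types become scanner checks; network objects are left out.
HOST_CHECKS = {
    "file": lambda a: {"test": "file_exists", "path": a["path"]},
    "registry_key": lambda a: {"test": "registry_value_exists", "key": a["key"], "name": a["name"]},
    "mutex": lambda a: {"test": "mutex_exists", "name": a["name"]},
}


def to_host_checks(behaviors: List[MaecBehavior]) -> List[dict]:
    """Walk behavior -> action -> object and emit one check per host-based object."""
    checks = []
    for behavior in behaviors:
        for action in behavior.actions:
            for obj in action.objects:
                builder = HOST_CHECKS.get(obj.object_type)
                if builder is not None:
                    checks.append(builder(obj.attributes))
    return checks


if __name__ == "__main__":
    for check in to_host_checks(translate(SANDBOX_REPORT)):
        print(check)
```

Running the script prints three checks (file, registry value, mutex) derived from the installation behavior; the two C2 actions are preserved in the MAEC model for the network-side profiling that the later slides cover, but yield nothing a host scanner can test.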

MAEC & Zeus: Profiling C2

MAEC Mechanism: C2
• MAEC Behavior: Get Configuration
• MAEC Behavior: Beacon
• MAEC Behavior: Receive Command
• MAEC Behavior: Send Data

MAEC & Zeus C2 I – Mechanism: C2, Behavior: Get Configuration

MAEC Behavior: C2 Get Configuration
• Protocol: HTTP
• Encryption Type: RC4/custom
• MAEC Action: http_get
• MAEC Object: tcp_connection
  – External IP: xxx.xxx.xxx.xxx
  – External Port: 80
• MAEC Object: http_connection
  – Method: GET
  – Parameter: /config.bin
  – Response: HTTP/1.1 200 OK
  – Response Body: (not reproduced)
  – Response Content Length: 1212 bytes

MAEC & Zeus C2 II – Mechanism: C2, Behavior: Beacon

MAEC Behavior: C2 Beacon
• Protocol: HTTP
• Encryption Type: RC4/custom
• Frequency: 1/20 minutes (once every 20 minutes)
• MAEC Action: http_post
• MAEC Object: tcp_connection
  – External IP: xxx.xxx.xxx.xxx
  – External Port: 80
• MAEC Object: http_connection
  – Method: POST
  – POST Data: (not reproduced)
  – Parameter: .*/gate.php
  – Response: HTTP/1.1 200 OK
  – Response Body: (not reproduced)
  – Response Content Length: 44 bytes

MAEC & Zeus C2 III – Mechanism: C2, Behavior: Receive Command

MAEC Behavior: C2 Receive Command
• Protocol: HTTP
• Encryption Type: RC4/custom
• Supported Commands: reboot, kos, shutdown, bc_add, bc_del, block_url, unblock_url, block_fake, getfile, getcerts, resetgrab, upcfg, rename_bot …
• MAEC Action: decode_http_response
• MAEC Object: tcp_connection
  – External IP: xxx.xxx.xxx.xxx
  – External Port: 80
• MAEC Object: http_connection
  – Response Body: (not reproduced)
  – Response Content Length: > 44 bytes

MAEC & Zeus C2 IV – Mechanism: C2, Behavior: Send Data

MAEC Behavior: C2 Send Data
• Protocol: HTTP
• Encryption Type: RC4/custom
• MAEC Action: http_post
• MAEC Object: tcp_connection
  – External IP: xxx.xxx.xxx.xxx
  – External Port: 80
• MAEC Object: http_connection
  – Method: POST
  – POST Data: (not reproduced)
  – Parameter: .*/gate.php
  – Response: HTTP/1.1 200 OK
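The four C2 slides together give a network-level profile of the Zeus C2 mechanism: a GET for /config.bin, a POST to .*/gate.php every 20 minutes that normally returns a 44-byte response, and a longer response when a command is delivered. The script below is an added example (not part of the slides and not a MITRE tool) that turns that profile into detection logic run over constructed proxy log lines. The log format, the client and server addresses, and the timestamps are all assumptions made for this example; the behavior names, methods, URI patterns, response sizes and 20-minute period are the ones on the slides. Because a proxy log records response size but not request body size, the "Send Data" behavior cannot be separated from "Beacon" here (both are a POST to gate.php), so the script treats every gate.php POST as a check-in and classifies it by response length only.

```python
"""Added example: match the Zeus C2 profile from the slides against proxy log lines
and flag client/server pairs that show the configuration fetch plus periodic beaconing."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean
from urllib.parse import urlparse

# Constructed proxy log: "<ISO timestamp> <client> <method> <url> <status> <response bytes>".
# Addresses, hosts and times are made up for this example.
PROXY_LOG = """\
2010-09-01T10:00:00 10.0.0.7 GET http://203.0.113.5/config.bin 200 1212
2010-09-01T10:00:05 10.0.0.7 POST http://203.0.113.5/panel/gate.php 200 44
2010-09-01T10:20:05 10.0.0.7 POST http://203.0.113.5/panel/gate.php 200 44
2010-09-01T10:40:06 10.0.0.7 POST http://203.0.113.5/panel/gate.php 200 210
2010-09-01T10:41:00 10.0.0.8 GET http://example.test/index.html 200 5120
2010-09-01T10:42:00 10.0.0.8 POST http://example.test/gate.php 200 44
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")

# Behaviors from the slides, expressed as per-request match rules.
# The 1212-byte config length on the slide is sample-specific, so it is not required here.
ZEUS_C2_PROFILE = {
    "get_configuration": {"method": "GET", "uri": re.compile(r"/config\.bin$"),
                          "status": "200"},
    "beacon": {"method": "POST", "uri": re.compile(r".*/gate\.php$"), "status": "200",
               "response_len": lambda n: n == 44},
    "receive_command": {"method": "POST", "uri": re.compile(r".*/gate\.php$"), "status": "200",
                        "response_len": lambda n: n > 44},
}
BEACON_PERIOD_S = 20 * 60          # "Frequency: 1/20 minutes" on the Beacon slide
CHECKIN_BEHAVIORS = {"beacon", "receive_command"}


def classify(line: str):
    """Parse one log line and list the profile behaviors it matches (possibly none)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, nbytes = m.groups()
    parsed = urlparse(url)
    matched = [
        name for name, rule in ZEUS_C2_PROFILE.items()
        if rule["method"] == method
        and rule["status"] == status
        and rule["uri"].search(parsed.path)
        and rule.get("response_len", lambda n: True)(int(nbytes))
    ]
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "server": parsed.hostname, "behaviors": matched}


def profile_c2(log_text: str, tolerance: float = 0.15) -> dict:
    """Aggregate per (client, server): behaviors seen, mean check-in gap, profile verdict.

    A pair matches the profile only if the configuration fetch was seen AND at least two
    check-ins occurred with a mean spacing within `tolerance` of the 20-minute period.
    A single gate.php POST on its own is therefore not enough to raise a finding."""
    sessions = defaultdict(lambda: {"behaviors": set(), "checkins": []})
    for line in log_text.splitlines():
        rec = classify(line)
        if not rec or not rec["behaviors"]:
            continue
        s = sessions[(rec["client"], rec["server"])]
        s["behaviors"].update(rec["behaviors"])
        if CHECKIN_BEHAVIORS & set(rec["behaviors"]):
            s["checkins"].append(rec["ts"])

    findings = {}
    for key, s in sessions.items():
        times = sorted(s["checkins"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps) if gaps else None
        periodic = period is not None and abs(period - BEACON_PERIOD_S) <= tolerance * BEACON_PERIOD_S
        findings[key] = {
            "behaviors": sorted(s["behaviors"]),
            "mean_checkin_gap_s": period,
            "matches_profile": periodic and "get_configuration" in s["behaviors"],
        }
    return findings


if __name__ == "__main__":
    for (client, server), f in profile_c2(PROXY_LOG).items():
        print(client, "->", server, f)
```

On the constructed log, 10.0.0.7 talking to 203.0.113.5 is flagged (config fetch, two 44-byte beacons, one longer command response, check-ins about 1200 seconds apart), while 10.0.0.8 is not: its single gate.php POST matches the beacon rule in isolation but shows neither the configuration fetch nor periodicity, which is the point of profiling the mechanism as a whole rather than alerting on one URI.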

Emerging Collaboration
■ Related MSM Efforts
  – There is significant overlap between MAEC, CAPEC, and CEE in describing observed actions, objects, and states.
  – As such, we're working on developing a common schematic structure of observables for use in these efforts.
■ Others
  – Feature requests on Handshake group, discussion list
    ■ Anubis & ThreatExpert translators are being developed as a result of a user request
    ■ We encourage submission of any other such requests

MAEC Community: Discussion List
■ Request to join: http://maec.mitre.org/community/discussionlist.html
■ Archives available

MAEC Community: MAEC Development Group on Handshake
■ MITRE hosts a social networking collaboration environment: https://handshake.mitre.org
■ Supplement to mailing list to facilitate collaborative schema development

Future Development Plans
■ Expand MAEC coverage of network attributes
  – Possible focus: bots/botnets
■ Create RDF/OWL ontology based on MAEC schema
■ Revise schema to better support characterization of relationships between actions/behaviors
■ Implement common observables schema
  – Based on MAEC/CAPEC/CEE collaboration
■ Encourage and invite more participation in the development process
  – MAEC Website: http://maec.mitre.org (contains MAEC Discussion list sign-up)
  – MAEC Handshake Group

Summary
■ MAEC is attempting to address many of the issues that are integral to accurate and unambiguous communication about malware
■ The adoption of MAEC will facilitate new methods of correlation and automation against malware
■ MAEC is an open, collaborative effort. It needs expertise and input from various parties in order to be successful