Top Botnets and how MAEC can help keep you out of their clutches
Robert A. Martin, Principal Engineer, MITRE Corporation
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.
Top 5 Bots by Class

Rank   Data Theft Bots (Family)   Spam Bots (Family)
1      Zeus                       Rustock
2      Koobface                   Pushdo
3      Rimecud                    Grum
4      Alureon                    Bobax
5      Carberp                    Storm
Data Theft Bots - Zeus

Aliases
• Zbot
• Wsnpoem

Notable Attributes
• Based on widely distributed crimeware ($4000*)
• Rootkit functionality
• Supports dynamic web-page injection
• Takes screenshots and HTML scrapes of target sites
• Has ability to kill target system

Types of Data Stolen
• Trusted web site certificates (X.509 PKI)
• Cached web browser passwords
• Cookies
• FTP and POP account credentials
• Banking login credentials

Related Reading
• Security Fix: Zeus Trojan Infiltrates Bank Security Firm
• Security Fix: PC Invader Costs Ky. County $415,000
• http://www.fortiguard.com/analysis/zeusanalysis.html

*Source: http://www.prevx.com/blog/112/ZEUS-steals-information-from-home-and-business-PCs.html
Data Theft Bots - Koobface

Aliases
• Hiloti
• Facebook.331

Notable Attributes
• Propagates through social networks (e.g. Facebook)
• Uses cookies of existing sessions
• Posts malicious status updates
• Sends malicious messages to friends
• Multi-component based
• Latest variant targets Mac OS X, Linux

Types of Data Stolen
• Windows digital product IDs
• Internet profiles
• Email credentials
• FTP credentials
• IM application credentials

Related Reading
• Koobface Mac Security Threat Described
• 10 things you didn't know about the Koobface gang
Data Theft Bots - Rimecud

Aliases
• Buzus
• Palevo.ann
• SillyFDC
• Boaxxe

Notable Attributes
• Based on crimeware kit
• Propagates via IM, P2P and removable drives
• Multi-component based
• UDP-based C2

Types of Data Stolen
• Keystrokes
• System login credentials
• Stored Firefox/IE credentials

Related Reading
• US Leads in Botnet Infections
• Encyclopedia entry: Worm:Win32/Rimecud.B
Data Theft Bots - Alureon

Aliases
• Zlob
• Femab
• DnsChange
• Tidserv
• TDSS

Notable Attributes
• Rootkit functionality
• Infects MBR
• Supports dynamic web-page injection
• Used for click fraud & other purposes
• SSL-based C2

Types of Data Stolen
• URLs visited
• Strings from search engine queries

Related Reading
• MS10-015 Restart Issues Are the Result of Rootkit Infection
• Alureon Evolves to 64 Bit
Data Theft Bots - Carberp

Aliases
• Agent-OZL
• Zbot
• IRCNite

Notable Attributes
• Rootkit functionality
• Does not require admin privileges to run
• Makes no changes to the registry
• Supports control of HTTPS/EV-SSL traffic
• Removes other malware

Types of Data Stolen
• System login credentials
• Windows clipboard data
• Windows product key
• Banking credentials (w/SSL)

Related Reading
• Fresh Trojan Carberp Reported To Be Evolving
• Carberp: Quietly replacing Zeus as the financial malware of choice
Spam Bots - Rustock

Aliases
• Costrat
• Mailbot.c!Rootkit
• Meredrop
• RKRustok

Notable Attributes
• Rootkit functionality
• Capable of TLS encryption for sent email
• Uses encrypted HTTP for C2
• Around since 2006

Estimated Spam Volume
• 46 billion messages/day*

Related Reading
• Rustock botnet responsible for 40% of spam
• Rustock Botnet Switches Techniques

*Source: http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf
Spam Bots - Pushdo

Aliases
• Cutwail
• Pandex
• Mutant

Notable Attributes
• Rootkit functionality
• Uses encrypted HTTP for C2

Estimated Spam Volume
• 8 billion messages/day*

Related Reading
• Pushdo / Cutwail - An Indepth Analysis
• Insights into the Pushdo/Cutwail Infrastructure

*Source: http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf
Spam Bots - Grum

Aliases
• Tedroo

Notable Attributes
• Rootkit functionality
• Performs DNS MX lookups to send spam

Estimated Spam Volume
• 18.4 billion messages/day*

Related Reading
• 'Grum' Botnet Leads Spam Charge
• Grum and Rustock botnets drive spam to new levels

*Source: http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf
Spam Bots - Bobax

Aliases
• Kraken
• Bobic
• Oderoor
• Cotmonger
• Hacktool.spammer

Notable Attributes
• Uses unencrypted HTTP for C2

Estimated Spam Volume
• 2 billion messages/day*

Related Reading
• Kraken botnet re-emerges 318000 nodes strong
• Security Fix - The Storm Worm's Family Tree

*Source: http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf
Spam Bots - Storm

Aliases
• Nuwar
• Peacomm
• Zhelatin

Notable Attributes
• Likely modified version of 'original' Storm worm from 2008
• Removes P2P functionality
• Rootkit functionality

Estimated Spam Volume
• 2.2 billion messages/day*

Related Reading
• Infamous Storm botnet rises from the grave
• A Breeze of Storm

*Source: http://www.messagelabs.com/mlireport/MLI_2010_08_August_Final_EN.pdf
Malware Attribute Enumeration and Characterization (MAEC) & Bots
Why Do We Need to Develop Standards for Malware?
■ Lots of products
■ Multiple layers of protection
■ Inconsistent reports
■ There's an arms race
Correlate, Integrate, Automate
(figure: Threats, Vulnerabilities, Platforms, Detection, Response)
Background

Rise of New Threats (chart: Symantec Global Internet Security Threat Report, Volume XIII, 4/2008)

Nimda or I-Worm or Readme?

Timeline
• Oct 2004: CME submission server
• Feb 2005: CME public website
• Oct 2005: Initial CME announcement and discussions at VB Conference
• Jan 2007: 39 CME IDs assigned
• Feb 2007: DHS SwA Forum Malware WG
• Dec 2009: MAEC public website
• Jun 2010: Initial MAEC schema
Malware Attribute Enumeration and Characterization (MAEC)
Focus on attributes and behaviors, not intent and malware families
MAEC Use Cases
■ Operational
■ Analysis
– Help Guide Analysis Process
– Standardized Tool Output
– Malware Repositories
MAEC Overview
MAEC & MSM Standards

MAEC layers: High-level Mechanisms, Mid-level Behaviors, Low-level Actions. Related Making Security Measurable (MSM) standards:
• CAPEC: the attack pattern(s) exhibited by a malware mechanism or behavior.
• CVE: the vulnerabilities targeted by a malware behavior.
• CPE: the platform(s) targeted by a malware action.
• CEE: the event(s) associated with a malware action.
• OVAL: the host-based object(s) created or modified by a malware action.
The World of Malware Packers
MAEC & Zeus – Host Based Detection I

Pipeline (figure): Zeus Binary → Malware Analysis Engine (Anubis, CWSandbox, ThreatExpert, etc.) → Engine Output → Sandbox -> MAEC Translator → Host-based Scanner
MAEC & Zeus – Host Based Detection II: Real World Example

Pipeline (figure): Zeus Binary → Anubis Sandbox → Anubis Output* → Anubis MAEC Translator Script → MAEC Output → MAEC OVAL Translator Script → OVAL Output

*http://anubis.iseclab.org/?action=result&task_id=1167a57d1aa905e949df5d5478ab23bf9
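The sandbox -> MAEC -> host-scanner pipeline on the two slides above, as an added example; this is not the deck's code and not MITRE's Anubis, MAEC or OVAL translator scripts. A constructed sandbox summary is translated into MAEC-style action/object records, the actions that leave host artifacts become simplified host checks (the role OVAL tests play in the pipeline), and the checks run against constructed host snapshots. The report line format, the action names, the file paths, the registry value and the HostCheck predicate are all assumptions; the real MAEC and OVAL XML schemas are not reproduced here.

```python
"""Sandbox report -> MAEC-style actions -> host checks (added example)."""
import re
from dataclasses import dataclass

# Constructed sandbox output: one observed action per line. The paths and the
# Run-key value are made up for the example, not real Zeus artifacts.
SANDBOX_REPORT = r"""
file_created: C:\Windows\System32\example_bot.exe
file_created: C:\Windows\System32\example_bot\cfg.bin
registry_set: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleBot = C:\Windows\System32\example_bot.exe
process_created: C:\Windows\System32\example_bot.exe
tcp_connect: 203.0.113.7:80
http_get: /config.bin
"""

@dataclass
class Action:
    """One low-level MAEC-style action plus the object it acted on (simplified)."""
    name: str          # create_file, set_registry_value, create_process, tcp_connect, http_get
    object_type: str   # file, registry_value, process, tcp_connection, http_connection
    attrs: dict

@dataclass
class HostCheck:
    """Simplified host predicate standing in for an OVAL test (assumed shape)."""
    kind: str          # file_exists | registry_value_contains
    target: str        # file path or registry value path
    expected: str = "" # substring expected in the registry value

LINE_RE = re.compile(r"^(?P<verb>\w+):\s*(?P<rest>.+)$")

def parse_sandbox_report(text):
    """Sandbox -> MAEC step: turn report lines into Action records."""
    actions = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                                   # blank or unrecognised line
        verb, rest = m.group("verb"), m.group("rest")
        if verb == "file_created":
            actions.append(Action("create_file", "file", {"path": rest}))
        elif verb == "registry_set":
            key, _, value = rest.partition(" = ")
            actions.append(Action("set_registry_value", "registry_value",
                                  {"key": key, "value": value}))
        elif verb == "process_created":
            actions.append(Action("create_process", "process", {"image": rest}))
        elif verb == "tcp_connect":
            ip, _, port = rest.rpartition(":")
            actions.append(Action("tcp_connect", "tcp_connection",
                                  {"ip": ip, "port": int(port)}))
        elif verb == "http_get":
            actions.append(Action("http_get", "http_connection", {"uri": rest}))
        else:
            actions.append(Action(verb, "unknown", {"raw": rest}))
    return actions

def actions_to_host_checks(actions):
    """MAEC -> host-check step: only actions that leave host artifacts become checks."""
    checks = []
    for a in actions:
        if a.object_type == "file":
            checks.append(HostCheck("file_exists", a.attrs["path"]))
        elif a.object_type == "registry_value":
            checks.append(HostCheck("registry_value_contains", a.attrs["key"], a.attrs["value"]))
        # process and network objects are transient; they belong to runtime/network detection
    return checks

def scan_host(checks, host):
    """Host-based scanner step: evaluate checks against a snapshot, return the ones that hit."""
    files = {p.lower() for p in host["files"]}             # Windows paths are case-insensitive
    registry = {k.lower(): v for k, v in host["registry"].items()}
    hits = []
    for c in checks:
        if c.kind == "file_exists" and c.target.lower() in files:
            hits.append(c)
        elif c.kind == "registry_value_contains":
            current = registry.get(c.target.lower(), "")
            if c.expected and c.expected.lower() in current.lower():
                hits.append(c)
    return hits

# Constructed host snapshots used to exercise the checks.
INFECTED_HOST = {
    "files": [r"c:\windows\system32\example_bot.exe",
              r"c:\windows\system32\example_bot\cfg.bin",
              r"c:\windows\system32\notepad.exe"],
    "registry": {r"hklm\software\microsoft\windows\currentversion\run\examplebot":
                 r"C:\Windows\System32\example_bot.exe"},
}
CLEAN_HOST = {"files": [r"c:\windows\system32\notepad.exe"], "registry": {}}

if __name__ == "__main__":
    actions = parse_sandbox_report(SANDBOX_REPORT)
    checks = actions_to_host_checks(actions)
    print(f"{len(actions)} actions -> {len(checks)} host checks")
    print("infected host hits:", len(scan_host(checks, INFECTED_HOST)))
    print("clean host hits:", len(scan_host(checks, CLEAN_HOST)))
```

The point of splitting the pipeline into three functions is the one the slides make: the translator emits every observed action, but only the subset that modifies host objects (the OVAL layer in the MSM mapping) is useful to a host-based scanner; the tcp_connect and http_get actions are kept in the MAEC record for the network side.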
MAEC Schema Overview – Initial Release
• ActionType
• BehaviorType
• ObjectType
• …
MAEC & Zeus: Profiling C2

MAEC Mechanism: C2
• MAEC Behavior: Get Configuration
• MAEC Behavior: Beacon
• MAEC Behavior: Receive Command
• MAEC Behavior: Send Data
MAEC & Zeus C2 I
Mechanism: C2 (Behaviors: Get Configuration, Beacon, Recv Command, Send Data)

MAEC Behavior: C2 Get Configuration
  Protocol: HTTP
  Encryption Type: RC4/custom
  MAEC Action: http_get
    MAEC Object: tcp_connection
      External IP: xxx.xxx.xxx.xxx
      External Port: 80
    MAEC Object: http_connection
      Method: GET
      Parameter: /config.bin
      Response: HTTP/1.1 200 OK
      Response Body:
      Response Content Length: 1212 bytes
MAEC & Zeus C2 II
Mechanism: C2 (Behaviors: Get Configuration, Beacon, Recv Command, Send Data)

MAEC Behavior: C2 Beacon
  Protocol: HTTP
  Encryption Type: RC4/custom
  Frequency: 1/20 minutes
  MAEC Action: http_post
    MAEC Object: tcp_connection
      External IP: xxx.xxx.xxx.xxx
      External Port: 80
    MAEC Object: http_connection
      Method: POST
      POST Data:
      Parameter: .*/gate.php
      Response: HTTP/1.1 200 OK
      Response Body:
      Response Content Length: 44 bytes
MAEC & Zeus C2 III
Mechanism: C2 (Behaviors: Get Configuration, Beacon, Recv Command, Send Data)

MAEC Behavior: C2 Receive Command
  Protocol: HTTP
  Encryption Type: RC4/custom
  Supported Commands: reboot, kos, shutdown, bc_add, bc_del, block_url, unblock_url, block_fake, getfile, getcerts, resetgrab, upcfg, rename_bot …
  MAEC Action: decode_http_response
    MAEC Object: tcp_connection
      External IP: xxx.xxx.xxx.xxx
      External Port: 80
    MAEC Object: http_connection
      Response Body:
      Response Content Length: > 44 bytes
MAEC & Zeus C2 IV
Mechanism: C2 (Behaviors: Get Configuration, Beacon, Recv Command, Send Data)

MAEC Behavior: C2 Send Data
  Protocol: HTTP
  Encryption Type: RC4/custom
  MAEC Action: http_post
    MAEC Object: tcp_connection
      External IP: xxx.xxx.xxx.xxx
      External Port: 80
    MAEC Object: http_connection
      Method: POST
      POST Data:
      Parameter: .*/gate.php
      Response: HTTP/1.1 200 OK
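The four C2 behaviors profiled on the preceding slides, as an added detection example that is not part of the deck and not MAEC tooling: HTTP transactions from a proxy or sensor are classified by the attributes the slides list (GET /config.bin for Get Configuration, POST to .*/gate.php with a 44-byte response for Beacon, a larger response for Receive Command, a 20-minute period), and a host is flagged only when it fetched a configuration and then beaconed periodically. The transaction records are constructed; UPLOAD_THRESHOLD (what separates a Send Data upload from a beacon, since the slides give no request size) and the 10% timing tolerance are assumptions.

```python
"""Classify HTTP transactions into the Zeus C2 behaviors from the slides (added example)."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class HttpTx:
    ts: int        # seconds since start of the capture
    method: str
    uri: str
    req_len: int   # request body bytes (0 for GET)
    resp_len: int  # response body bytes

BEACON_RESP_LEN = 44                      # slide: beacon response body is 44 bytes
BEACON_PERIOD = 20 * 60                   # slide: one beacon every 20 minutes
UPLOAD_THRESHOLD = 1024                   # assumption: a POST body over 1 KiB is stolen data
GATE_RE = re.compile(r".*/gate\.php$")    # slide: POST parameter .*/gate.php

def classify(tx):
    """Map one transaction to a MAEC behavior name, or None if it is not C2-shaped."""
    if tx.method == "GET" and tx.uri.endswith("/config.bin"):
        return "get_configuration"
    if tx.method == "POST" and GATE_RE.match(tx.uri):
        if tx.req_len > UPLOAD_THRESHOLD:
            return "send_data"
        if tx.resp_len > BEACON_RESP_LEN:
            return "receive_command"      # a beacon whose reply carried a command
        if tx.resp_len == BEACON_RESP_LEN:
            return "beacon"
    return None

def beacon_intervals(txs):
    """Gaps between successive beacon-class POSTs (beacon or receive_command)."""
    times = sorted(t.ts for t in txs if classify(t) in ("beacon", "receive_command"))
    return [b - a for a, b in zip(times, times[1:])]

def is_periodic(intervals, period=BEACON_PERIOD, tolerance=0.10):
    """True when at least two gaps exist and all lie within tolerance of the period."""
    if len(intervals) < 2:
        return False
    return all(abs(i - period) <= period * tolerance for i in intervals)

def profile(txs):
    """Summarise a capture: behavior counts, beacon timing and the overall verdict."""
    counts = {}
    for t in txs:
        label = classify(t)
        if label:
            counts[label] = counts.get(label, 0) + 1
    gaps = beacon_intervals(txs)
    periodic = is_periodic(gaps)
    return {"counts": counts, "beacon_intervals": gaps, "periodic": periodic,
            "matches_zeus_c2": "get_configuration" in counts and periodic}

# Constructed capture from one infected host (timestamps in seconds).
SUSPECT_TXS = [
    HttpTx(0,    "GET",  "/config.bin",   0,     1212),
    HttpTx(5,    "POST", "/bot/gate.php", 128,   44),
    HttpTx(30,   "GET",  "/index.html",   0,     5120),   # ordinary browsing
    HttpTx(1205, "POST", "/bot/gate.php", 128,   44),
    HttpTx(2405, "POST", "/bot/gate.php", 128,   310),    # reply carries a command
    HttpTx(2410, "POST", "/bot/gate.php", 65536, 44),     # stolen data upload
    HttpTx(3605, "POST", "/bot/gate.php", 128,   44),
]
# Constructed benign capture: a web form that happens to be named gate.php, no periodicity.
BENIGN_TXS = [
    HttpTx(0,   "GET",  "/shop/index.html", 0,   4096),
    HttpTx(12,  "POST", "/shop/gate.php",   300, 44),
    HttpTx(900, "POST", "/shop/gate.php",   300, 2048),
]

if __name__ == "__main__":
    for name, txs in (("suspect", SUSPECT_TXS), ("benign", BENIGN_TXS)):
        print(name, profile(txs))
```

A single POST to a gate.php URL is weak evidence on its own, as the benign capture shows; the verdict requires the sequence the slides describe (configuration fetch followed by periodic beacons), which is the kind of cross-behavior correlation a MAEC record of the C2 mechanism is meant to support. Because the RC4/custom encryption hides the payload, the classifier relies only on method, path and sizes.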
Emerging Collaboration
■ Related MSM Efforts
– There is significant overlap between MAEC, CAPEC, and CEE in describing observed actions, objects, and states.
– As such, we're working on developing a common schematic structure of observables for use in these efforts.
■ Others
– Feature requests on Handshake group, discussion list
– Anubis & ThreatExpert translators are being developed as a result of a user request
– We encourage submission of any other such requests
MAEC Community: Discussion List
■ Request to join: http://maec.mitre.org/community/discussionlist.html
■ Archives available
MAEC Community: MAEC Development Group on Handshake
■ MITRE hosts a social networking collaboration environment: https://handshake.mitre.org
■ Supplement to mailing list to facilitate collaborative schema development
Future Development Plans
■ Expand MAEC coverage of network attributes
– Possible focus: bots/botnets
■ Create RDF/OWL ontology based on MAEC schema
■ Revise schema to better support characterization of relationships between actions/behaviors
■ Implement common observables schema
– Based on MAEC/CAPEC/CEE collaboration
■ Encourage and invite more participation in the development process
– MAEC Website: http://maec.mitre.org (contains MAEC Discussion list sign-up)
– MAEC Handshake Group
Summary
■ MAEC is attempting to address many of the issues that are integral to accurate and unambiguous communication about malware
■ The adoption of MAEC will facilitate new methods of correlation and automation against malware
■ MAEC is an open, collaborative effort. It needs expertise and input from various parties in order to be successful