Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
DESCRIPTION
Why Botnet Takedowns Never Work, Unless It’s a SmackDown! If organizations are truly working to limit Internet abuse and protect end users, we need to take a more thoughtful approach to botnet takedowns – or once again bots will rear their ugly heads. There are three main causes of ineffective takedowns:
• The organizations performing botnet takedowns do so in a haphazard manner.
• The organizations do not account for secondary communication methods, such as peer-to-peer or domain generation algorithms (DGA), that may be used by the malware.
• The takedowns do not result in the arrest of the malware actor.
So what does a successful botnet takedown actually look like? In his presentation on Botnet SmackDowns, Brian Foster, CTO of Damballa, will share with attendees how to effectively take down botnets for good. The only way botnet takedowns will have a lasting impact on end user safety is if security researchers use a comprehensive and systematic process that renders the botnet inoperable.
TRANSCRIPT
![Page 1: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/1.jpg)
Why Botnet Takedowns Never Work, Unless It’s a SmackDown!
-Brian Foster, CTO Damballa
1
![Page 2: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/2.jpg)
The Old Security Stack
Figure: Prevention → Detection → Response → Forensics, laid over the ATTACK → INFECTION → DAMAGE timeline (INFECTION RISK / BUSINESS RISK).
Stack: Firewall, IDS/IPS, Web Security, Email Security, Sandboxing, Host AV/IPS/FW.
Alerts & logs feed the SOC's SIEM ("single pane of glass"), driving resource-intensive, inefficient manual investigation efforts: "Is this alert real or a false positive?"
2
![Page 3: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/3.jpg)
The New Security Stack
Figure: the same Prevention → Detection → Response → Forensics layout over the ATTACK → INFECTION → DAMAGE timeline (INFECTION RISK / BUSINESS RISK).
Stack: NGFW, Endpoint Containment, Sandboxing, Email Gateway; alerts & logs feed the SOC's SIEM ("single pane of glass").
LEGACY: Host AV/IPS/FW.
Damballa fills the security gap between failed prevention and your incident response.
![Page 4: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/4.jpg)
Productizing Research
4
![Page 5: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/5.jpg)
Predictive Security Analytics Platform
Case Analyzer Platform
8 Detection Engines – rapid discovery & validation of infections:
• Connection Query – Indicators of Compromise; Threat Actors / Intent
• File Request – Zero Day Files; Suspicious HTTP Content
• Domain Fluxing, Automation, Execution, Peer-To-Peer – Automated Malicious Activity; Observed Evasion Tactics
Case evidence: Data Transferred, PCAPs, Communication Success, Malicious File Availability, Sequence of Events, Importance of Endpoint, Malware Family, Intent, Severity, AV Coverage
9 Risk Profilers – prioritized risk of confirmed infections:
• Damage Potential – Observed Activity; Device Properties; Threat Sophistication; Threat Intent
5
![Page 6: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/6.jpg)
Network Data
6
![Page 7: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/7.jpg)
Network Data
Numbers: 30 Billion per day; 8 Trillion per year (DNS Records).
Sources: ISPs, Telcos, Enterprises.
7
![Page 8: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/8.jpg)
Network Data
Numbers: 100 Thousand per day; 36.5 Million per year (Malware samples).
Sources: Enterprises; Industry sharing/feeds.
8
![Page 9: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/9.jpg)
Supervised Learning
Y-Axis – Total malware samples looking up the domain.
X-Axis – Total blacklisted domains on BGP prefix.
9
![Page 10: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/10.jpg)
Supervised Learning
Y-Axis – Total malware samples looking up the domain.
X-Axis – Total blacklisted domains on BGP prefix.
10
![Page 11: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/11.jpg)
Supervised Learning
Y-Axis – Total malware samples looking up the domain.
X-Axis – Total blacklisted domains on BGP prefix.
11
![Page 12: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/12.jpg)
Unsupervised Learning
Y-Axis – n-grams.
X-Axis – Entropy.
12
![Page 13: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/13.jpg)
Unsupervised Learning
Y-Axis – n-grams.
X-Axis – Entropy.
13
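The two unsupervised-learning slides plot domain labels by n-gram score against character entropy and let the clusters fall out without labelled data. The following is an added example (not Damballa's code) of that idea: a bigram model learned from a constructed benign list, Shannon entropy per label, and a two-cluster k-means over the (n-gram score, entropy) plane. The REFERENCE list, the test labels and the add-one smoothing are assumptions.

```python
import math
from collections import Counter

# Constructed benign reference labels (stand-in for a real benign corpus;
# not data from the slides).
REFERENCE = ["google", "amazon", "facebook", "wikipedia", "microsoft",
             "youtube", "twitter", "linkedin", "instagram", "netflix",
             "apple", "github", "reddit", "yahoo", "bbc", "cnn", "ebay"]

def shannon_entropy(label):
    """Character entropy of a label in bits; near log2(len) for random strings."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def bigrams(s):
    return [s[i:i + 2] for i in range(len(s) - 1)]

def build_bigram_model(labels):
    """Add-one smoothed bigram log-probabilities learned from benign labels."""
    counts = Counter(b for lab in labels for b in bigrams(lab))
    total, vocab = sum(counts.values()), 36 * 36  # [a-z0-9] pairs
    return lambda b: math.log((counts[b] + 1) / (total + vocab))

def ngram_score(label, model):
    """Mean bigram log-probability; random labels score lower than wordlike ones."""
    bs = bigrams(label) or [label]
    return sum(model(b) for b in bs) / len(bs)

def kmeans2(points, iters=25):
    """Two-cluster k-means in the (n-gram score, entropy) plane."""
    cent = [min(points), max(points)]  # deterministic seeds at the extremes
    dist = lambda p, c: (p[0] - c[0]) ** 2 + (p[1] - c[1]) ** 2
    assign = []
    for _ in range(iters):
        assign = [0 if dist(p, cent[0]) <= dist(p, cent[1]) else 1 for p in points]
        for k in (0, 1):
            members = [p for p, a in zip(points, assign) if a == k]
            if members:
                cent[k] = tuple(sum(x) / len(members) for x in zip(*members))
    return assign, cent

def cluster_labels(labels):
    """Map each label to 'dga-like' or 'benign-like' with no labelled training data."""
    model = build_bigram_model(REFERENCE)
    pts = [(ngram_score(lab, model), shannon_entropy(lab)) for lab in labels]
    assign, cent = kmeans2(pts)
    dga = 0 if cent[0][0] < cent[1][0] else 1  # lower n-gram score = more random
    return {lab: ("dga-like" if a == dga else "benign-like")
            for lab, a in zip(labels, assign)}
```

On real traffic the reference corpus and the cluster count would come from the DNS data itself; the separation here relies on random labels having both higher entropy and rarer bigrams than wordlike ones.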
![Page 14: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/14.jpg)
Domain Name Reputation
• message-tvit.com – 172.16.32.193
• artizondigital.com – 10.10.9.1
• ubibar.ubi.com – 192.168.7.4
• www.benjaminsparkmemorialchapel.ca – 172.16.1.45
• player-update.info – 10.1.3.156
• king-orbit.com – 192.168.24.19
14
![Page 15: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/15.jpg)
Domain Name Reputation
• message-tvit.com – .08
• artizondigital.com – .87
• ubibar.ubi.com – .93
• www.benjaminsparkmemorialchapel.ca – .78
• player-update.info – .05
• king-orbit.com – .12
15
![Page 16: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/16.jpg)
Notos
16
![Page 17: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/17.jpg)
Zone Based Clusters
17
2nd Level Clustering Split Due to Zone Properties
![Page 18: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/18.jpg)
RZA - Motivation
• Takedowns are ad hoc, of arguable success, and performed without oversight
• System goal: add rhyme/reason to takedowns
– evaluate previous takedown attempts, and
– recommend and inform on/for future takedowns
18
![Page 19: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/19.jpg)
RZA - Datasets
• Large passive DNS (pDNS) database
– pDNS stores historic assignments between IPs and domains
– ~3 years of visibility
• Implement RHDN/RHIP operations
• Source: major NA ISP, other customers
• Data also in Hadoop for large-scale processing
• Malware MD5 <-> domain name mapping
19
![Page 20: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/20.jpg)
RZA - Overview
Figure: inputs are Domains (from pDNS) and MD5s (from the Malware DB); RZA components, numbered 1–4 with outputs 5a/5b:
1. Infrastructure Enumeration → Enumerated Domains
2. Domain Reputation → Low Reputation Domains
3. Domain & MD5 Association → Malware-related Domains
4. Malware Interrogation → Interrogated Domains (Malware Backup Plan)
5a. Postmortem Report
5b. Takedown Recommendation
Domain sets (shown as overlapping circles De, Ds, Di, Dr, Dm):
Dm: malware-related domains
De: enumerated domains
Dr: low reputation domains
Ds: seed domains
Di: malware interrogation domains
20
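The RHDN/RHIP operations from the Datasets slide are what step 1 above runs: starting from the seed set Ds, RHIP gives the IPs a domain has historically resolved to and RHDN gives the domains that have historically pointed at an IP, and alternating them grows De. The following is an added example (not RZA's code) over a constructed pDNS table; PDNS, SEEDS, enumerate_infrastructure and the max_fanout pruning of shared-hosting IPs are assumptions.

```python
from collections import defaultdict

# Constructed passive-DNS records (domain, ip), not data from the slides.
# Two seed C&C domains share hosting with a backup domain; the backup
# domain also sits on a busy shared-hosting IP that must not be absorbed.
SEEDS = ["cc-one.example", "cc-two.example"]
PDNS = [
    ("cc-one.example", "203.0.113.10"),
    ("cc-two.example", "203.0.113.10"),
    ("cc-two.example", "203.0.113.11"),
    ("backup.example", "203.0.113.11"),
    ("backup.example", "198.51.100.5"),
    ("cdn-host.example", "198.51.100.5"),
    *[(f"site{i}.example", "198.51.100.5") for i in range(20)],  # shared hosting
]

def build_indexes(records):
    """RHIP: domain -> IPs it resolved to; RHDN: IP -> domains that pointed at it."""
    rhip, rhdn = defaultdict(set), defaultdict(set)
    for dom, ip in records:
        rhip[dom].add(ip)
        rhdn[ip].add(dom)
    return rhip, rhdn

def enumerate_infrastructure(seeds, records, max_depth=3, max_fanout=10):
    """Grow the enumerated set De from the seed set Ds by alternating RHIP/RHDN.

    Returns (De, touched_ips). IPs with more than max_fanout historic domains
    are treated as shared hosting/CDN and not expanded (assumed heuristic)."""
    rhip, rhdn = build_indexes(records)
    de, frontier, seen_ips = set(seeds), set(seeds), set()
    for _ in range(max_depth):
        new_domains = set()
        for dom in frontier:
            for ip in rhip[dom] - seen_ips:
                seen_ips.add(ip)
                related = rhdn[ip]
                if len(related) > max_fanout:
                    continue  # too many unrelated tenants to attribute to the botnet
                new_domains |= related - de
        if not new_domains:
            break
        de |= new_domains
        frontier = new_domains
    return de, seen_ips
```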
![Page 21: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/21.jpg)
RZA – Malware Interrogation
• Manipulate fundamental protocol packets to convince malware its primary network asset is unavailable
– DNS and TCP
– Easy to add additional protocols
• If malware is presented with unavailable infrastructure, it:
– Retries hardcoded IPs/domains,
– Tries to reach a finite set of IPs/domains, or
– Tries to reach an infinite set of IPs/domains (DGA/P2P)
21
![Page 22: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/22.jpg)
22
![Page 23: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/23.jpg)
23
![Page 24: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/24.jpg)
24
![Page 25: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/25.jpg)
25
![Page 26: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/26.jpg)
26
![Page 27: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/27.jpg)
RZA – Malware Interrogation
• Game malware to present primary infrastructure failure
• DNS/TCP packet manipulation (NXDomain/TCP RST)
• Automatically determine backup behaviors
Figure: analysis VMs VM1 … VMn, each behind its own gateway G1 … Gn, plus a control VM0 behind Gnull, all on one Host connected to the Internet.
27
![Page 28: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/28.jpg)
RZA – Malware Interrogation
• Simple heuristics to determine malware behavior
• Fake domain-level and IP-level takedowns
– Forge all non-white DNS responses -> NXDomain
• Alexa top 10K
– Forge all non-white TCP connections -> TCP reset
• IPs derived from Alexa top 10K
• Five analysis scenarios:
– Vanilla run
– DNS whitelist for time t
– DNS whitelist for time 2t
– IP whitelist for time t
– IP whitelist for time 2t
28
![Page 29: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/29.jpg)
RZA – Takedown Recommendation
Flow: Enumerate Infrastructure → Interrogate Malware → Classify Malware Behavior (inputs shown: {Ds}, then {De U Di}). Recommendation by behavior class:
• No Behavioral Changes / Finite Domains/IPs: 1.) Revoke D
• DGA: 1.) Reverse engineer DGA 2.) TLD cooperation 3.) Revoke D
• P2P: 1.) Counter P2P 2.) Revoke D
29
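The five interrogation scenarios (vanilla run, NXDomain forging for t and 2t, TCP RST forging for t and 2t) and the recommendation tree above combine into a small classifier. The following is an added example (not RZA's code) that runs the heuristics over constructed sandbox traces; the Event format, the thresholds (20 fresh targets, growth factor 1.5 between t and 2t) and the recommend wrapper are assumptions, and "Revoke D" is kept as the deck states it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One observation from a sandbox run (constructed format, not RZA's)."""
    t: float      # seconds since the sample started
    kind: str     # "dns" for a query, "tcp" for a connection attempt
    target: str   # queried name or contacted IP

def trace(kind, targets, dt=1.0):
    """Build a constructed trace with one event per target, dt seconds apart."""
    return [Event(i * dt, kind, x) for i, x in enumerate(targets)]

def new_targets(run, vanilla, kind):
    """Targets of the given kind seen only once the primary C&C is made unavailable."""
    base = {e.target for e in vanilla if e.kind == kind}
    return {e.target for e in run if e.kind == kind} - base

def classify(vanilla, dns_t, dns_2t, ip_t, ip_2t, unbounded_min=20, growth=1.5):
    """Five-scenario heuristic: a backup set that keeps growing between the t and
    2t observation windows is treated as effectively infinite (DGA or P2P)."""
    d1, d2 = new_targets(dns_t, vanilla, "dns"), new_targets(dns_2t, vanilla, "dns")
    i1, i2 = new_targets(ip_t, vanilla, "tcp"), new_targets(ip_2t, vanilla, "tcp")
    if len(i2) >= unbounded_min and len(i2) >= growth * len(i1):
        return "P2P"      # fresh peers contacted directly by IP under TCP RST
    if len(d2) >= unbounded_min and len(d2) >= growth * len(d1):
        return "DGA"      # fresh names keep appearing under NXDomain
    if d1 or i1:
        return "finite"   # bounded backup list of domains/IPs
    return "none"         # only retries the hardcoded primary

RECOMMENDATION = {  # the deck's recommendation tree; D is the domain set to revoke
    "none":   ["Revoke D"],
    "finite": ["Revoke D"],
    "DGA":    ["Reverse engineer DGA", "TLD cooperation", "Revoke D"],
    "P2P":    ["Counter P2P", "Revoke D"],
}

def recommend(vanilla, dns_t, dns_2t, ip_t, ip_2t):
    """Return (behavior class, ordered takedown steps) for one sample."""
    behaviour = classify(vanilla, dns_t, dns_2t, ip_t, ip_2t)
    return behaviour, RECOMMENDATION[behaviour]
```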
![Page 30: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/30.jpg)
Target Which Sets?
Figure: the overlapping domain sets De, Ds, Di, Dr, Dm.
Dm: malware-related domains
De: enumerated domains
Dr: low reputation domains
Ds: seed domains
Di: malware interrogation domains
30
![Page 31: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/31.jpg)
RZA – Studies
• Postmortem study: analysis of Kelihos, ZeuS, and 3322.org/Nitol takedowns
– Use lookup volume to show activity to infrastructure
• Takedown study: analysis of 45 active botnet C&Cs
– Can we take them down?
31
![Page 32: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/32.jpg)
Postmortem: Kelihos
32
![Page 33: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/33.jpg)
Postmortem: Zeus
33
![Page 34: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/34.jpg)
Postmortem: 3322.org/Nitol
34
![Page 35: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/35.jpg)
RZA – Takedown Study
• Of the 45 botnets:
– 2 had DGA-based backup mechanism
– 1 had P2P-based backup mechanism
– 42 susceptible to DNS-only takedown
35
![Page 36: Hacker Halted 2014 - Why Botnet Takedowns Never Work, Unless It’s a SmackDown!](https://reader033.vdocument.in/reader033/viewer/2022060203/559dfdfc1a28ab56098b4770/html5/thumbnails/36.jpg)
Policy Discussion
• Current drawbacks to takedowns
– ad-hoc
– Little oversight
– Arguable success
• All point to need for central authority
– ICANN’s UDRP/URS as example frameworks
• Criteria for takedown
• More eyes = more successes
• Test with new TLDs (much like w/ URS)