CSCE 465 Lecture 9


Tuesday, February 12, 2013


Lecture Slides


Distributed Botnet

  • Peer-to-peer: each resource is both a client and a server
  • Instructions sent to a few machines propagate to the other machines
  • No single point of failure

Storm

(a.k.a. W32/Peacomm Trojan)

Spreads through a cleverly designed spam campaign:

  • Arrives as an email with a catchy subject (e.g. "230 dead as storm batters Europe")
  • Attachment or URL carrying the malicious payload

Infected machines join the botnet (1–5 million machines infected as of Sep 2007)

Obfuscated P2P control structure: uses the eDonkey protocol instead of IRC

Obfuscated code and anti-debugging defenses:

  • Goes into an infinite loop if it detects VMware or Virtual PC
  • A large number of spurious probes (e.g. from someone studying the botnet) triggers a DoS attack against the prober

Email addresses obtained by scanning files on infected machines.

Weaknesses:

  • Initial peer list (exposes a few IP addresses)
  • Sybil attack (introducing spies into the botnet: sniffing, stopping, or modifying instructions)
  • Index poisoning (the net needs a routing index to know who has already received a message and whom to send it to)

Comparison with Centralized

                Communication System                                   Security
                Design Complexity   Channel Type     Message Latency   Detectability   Resilience
  Centralized   Low                 Bidirectional    Low               High            Low
  Distributed   High                Unidirectional   High              Low             High
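The "no single point of failure" bullet above and the Resilience row of the table can be made concrete with a small graph experiment. The following is an added example written for these notes (not code from the lecture or from any botnet): it builds a star-shaped overlay (every bot talks only to one command server) and a random peer-to-peer overlay (each bot keeps links to a few random peers), removes the same number of highest-degree nodes from each, as a takedown would, and measures what fraction of the survivors an instruction injected at one node still reaches. Node counts, peer counts and the random seed are arbitrary choices for the demonstration.

```python
import random
from collections import deque


def star_graph(n):
    """Centralized C&C model: node 0 is the command server, every other node links only to it."""
    adj = {i: set() for i in range(n)}
    for i in range(1, n):
        adj[0].add(i)
        adj[i].add(0)
    return adj


def random_peer_graph(n, peers_per_node, seed=0):
    """P2P model: each node links to `peers_per_node` random peers; links are undirected.
    The seed makes the constructed overlay reproducible (an assumption of this example)."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for j in rng.sample([x for x in range(n) if x != i], peers_per_node):
            adj[i].add(j)
            adj[j].add(i)
    return adj


def highest_degree(adj, k):
    """The k best-connected nodes: the natural first targets of a takedown."""
    return sorted(adj, key=lambda u: len(adj[u]), reverse=True)[:k]


def remove_nodes(adj, nodes):
    """Return a copy of the overlay with `nodes` and all their links deleted."""
    gone = set(nodes)
    return {u: {v for v in nbrs if v not in gone} for u, nbrs in adj.items() if u not in gone}


def reach_fraction(adj, seeds):
    """Fraction of surviving nodes that a message injected at `seeds` propagates to (BFS)."""
    if not adj:
        return 0.0
    seen = {s for s in seeds if s in adj}
    queue = deque(seen)
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in seen:
                seen.add(v)
                queue.append(v)
    return len(seen) / len(adj)


def takedown_experiment(n=200, peers=6, removed=5, seed=0):
    """Remove the `removed` highest-degree nodes from each overlay, then inject an
    instruction at the first surviving node and report how far it spreads."""
    results = {}

    star = star_graph(n)
    star_after = remove_nodes(star, highest_degree(star, removed))
    results["centralized"] = reach_fraction(star_after, [next(iter(star_after))])

    p2p = random_peer_graph(n, peers, seed)
    p2p_after = remove_nodes(p2p, highest_degree(p2p, removed))
    results["p2p"] = reach_fraction(p2p_after, [next(iter(p2p_after))])
    return results


if __name__ == "__main__":
    for model, frac in takedown_experiment().items():
        print(f"{model:12s} reach after takedown: {frac:.1%}")
```

Removing the hub of the star disconnects every remaining bot from every other, so the centralized overlay's reach collapses to a single node. The random peer overlay has no node whose loss matters much, so the same takedown budget leaves nearly all survivors reachable, which is exactly why the table scores Distributed as high-resilience and low-detectability but also why its weaknesses (initial peer list, Sybil, index poisoning) attack the routing structure rather than any one machine.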


Detecting Botnets using BotHunter

  1. Inbound Scan
  2. Inbound Infection
  3. Client-side exploit
  4. Egg Download [1]

Recommended Reading: Detecting Malware Infection through IDS-Driven Dialog Correlation

Botnets don't want to leave any trace of themselves, so most botnet programs include a SUICIDE command (the bot removes itself on request).
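The BotHunter idea above is that no single IDS event proves an infection, but the four dialog stages seen for one host within a short time do. Here is an added example of that correlation logic (written for these notes; it is not BotHunter's code, and its per-stage weights, one-hour window and alert threshold are this example's own assumptions rather than BotHunter's published scoring). It parses constructed sensor lines, groups them by internal host, slides a window over each host's events and raises an alert when enough distinct stages occur together. A lone inbound scan, which any Internet-facing host sees constantly, never fires on its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor output (not a real capture): one line per IDS event, where
# `host` is the internal machine the dialog concerns and `peer` is the external
# party. Stage names follow the four dialog steps listed in the lecture.
SAMPLE_EVENTS = """\
2013-02-12T10:00:01 host=192.0.2.10 peer=203.0.113.7 stage=INBOUND_SCAN
2013-02-12T10:00:15 host=192.0.2.10 peer=203.0.113.7 stage=INBOUND_INFECTION
2013-02-12T10:02:40 host=192.0.2.10 peer=198.51.100.5 stage=EGG_DOWNLOAD
2013-02-12T10:05:00 host=192.0.2.11 peer=203.0.113.9 stage=INBOUND_SCAN
2013-02-12T14:00:00 host=192.0.2.11 peer=198.51.100.5 stage=EGG_DOWNLOAD
2013-02-12T11:00:00 host=192.0.2.12 peer=198.51.100.8 stage=CLIENT_EXPLOIT
2013-02-12T11:01:00 host=192.0.2.12 peer=198.51.100.8 stage=EGG_DOWNLOAD
2013-02-12T12:00:00 host=192.0.2.13 peer=203.0.113.9 stage=INBOUND_SCAN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) peer=(?P<peer>\S+) stage=(?P<stage>\S+)$"
)

# Evidence weight per stage. Weights, threshold and window are assumptions of this
# example: a lone inbound scan is background noise, while an inbound infection, a
# client-side exploit or an egg download is strong evidence.
WEIGHTS = {
    "INBOUND_SCAN": 1,
    "INBOUND_INFECTION": 2,
    "CLIENT_EXPLOIT": 2,
    "EGG_DOWNLOAD": 2,
}
ALERT_THRESHOLD = 4            # at least two strong stages, or scan + two strong stages
WINDOW = timedelta(hours=1)    # dialog steps must fall within this span


def parse_events(text):
    """Parse sensor lines into (timestamp, host, peer, stage) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["stage"] not in WEIGHTS:
            continue                      # ignore malformed or unknown-stage lines
        events.append((datetime.fromisoformat(m["ts"]), m["host"], m["peer"], m["stage"]))
    events.sort(key=lambda e: e[0])
    return events


def correlate(events, window=WINDOW, threshold=ALERT_THRESHOLD):
    """Per host, slide a window starting at each of its events; the best-scoring
    window that reaches the threshold becomes an infection alert for that host."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev[1]].append(ev)

    alerts = {}
    for host, evs in per_host.items():
        best = None
        for start_ts, _, _, _ in evs:
            in_window = [e for e in evs if start_ts <= e[0] <= start_ts + window]
            stages = {e[3] for e in in_window}          # score distinct stages only
            score = sum(WEIGHTS[s] for s in stages)
            if score >= threshold and (best is None or score > best["score"]):
                best = {
                    "score": score,
                    "stages": sorted(stages),
                    "first": in_window[0][0],
                    "last": in_window[-1][0],
                    "peers": sorted({e[2] for e in in_window}),
                }
        if best:
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    for host, a in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: score={a['score']} stages={a['stages']} "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} peers={a['peers']}")
```

In the constructed sample, 192.0.2.10 shows scan, infection and egg download within three minutes and 192.0.2.12 shows a client-side exploit followed by an egg download, so both are flagged; 192.0.2.11 saw a scan and, four hours later, a download that never share a window, and 192.0.2.13 was only scanned, so neither produces an alert. The report keeps the peers involved so that the egg-download source can be blocked and the host isolated before the SUICIDE command can erase the evidence.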

Stuxnet

The most complex malicious software created in the history of cyber security

Primary target: Windows machines running industrial control systems

  • Reprograms Industrial Control Systems (ICS)
  • on Programmable Logic Controllers (PLCs)
  • specifically the Siemens Simatic (Step 7) PLC
  • Code changes are hidden from the operator
  • Vast array of components used:
    • multiple (4) zero-day (previously unknown) exploits
    • Windows rootkit
    • PLC rootkit (first ever)
    • Antivirus evasion
    • Peer-to-peer updates
    • Signed drivers using valid (compromised) certificates (2 of them)
  • Command and control interface (which is why it is called a botnet)

Propagation Methods

Network:

  • P2P communication/updates
  • Infecting WinCC machines via a hard-coded DB server password
  • Network shares
  • MS10-061 Print Spooler (zero-day vulnerability)
  • MS08-067 Windows Server Service vulnerability

USB storage devices!

Tests connectivity to windowsupdate.com and msn.com (port 80)

Then tries to connect to its malicious websites (mypremierfutbol.com, todaysfutbol.com; these pointed to servers in Malaysia and Denmark)

Footnotes

  1. Shellcode can be used to download a malicious package; the "egg" is that malicious package