Agenda
Bots/Zombies/Drones
Call them anything you want, but they all describe the same thing: Trouble
Botnets Today:
- Infected files
- Fileshares/P2P
- Direct attack of vulnerabilities
- Enticement via Web/Instant Messages ("This is cool! Click Me")
Network Statistics
- Determine unusual traffic patterns
- Find out all systems talking to a specific host
- Verify whether firewall rules are working
- Downside:
  - Hard to read
  - Generates a huge amount of data
  - Only reactive
http://www.snort.org/
Rule Sets
- Select only a specific group of bot rules
- Also get the Bleeding Edge Snort rules
http://www.bleeding-snort.org/
Rules To Choose
Get the rules that detect IRC commands on both standard and non-standard IRC ports:
- NICK
- JOIN
- PRIVMSG
Use both the standard Snort and Bleeding Snort rules that cover these commands. UMR does not use any custom rules to detect bots, as these basic rules really do the job.
The key here is that unique names are required in an IRC channel, thus bots use random names.
CAUTION! Do not examine PRIVMSG if you do not have your policies in place to allow such examinations.
Channel names are a little tricky, as normal names can be very similar. Recommend using IRC to get a baseline.
Channel Names
#(14 - 1584355) [2005-10-25 00:00:34] [snort/2000348] BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port IPv4: 131.151.xxx.yyy -> 69.64.51.161 hlen=5 TOS=0 dlen=54 ID=28371 flags=0 offset=0 TTL=128 chksum=55367 TCP: port=4321 -> dport: 1231 flags=***AP*** seq=2096338814 ack=2490835872 off=5 res=0 win=17116 urp=0 chksum=49459 Payload: length = 14 000 : 4A 4F 49 4E 20 23 45 76 31 6C 73 20 78 0A JOIN #Ev1ls x.
Channel Names
#(6 - 5795325) [2005-05-12 00:41:08] [snort/2000348] BLEEDING-EDGE IRC - Channel JOIN on non-std port IPv4: 131.151.xxx.yyy -> 220.85.13.93 hlen=5 TOS=0 dlen=55 ID=17572 flags=0 offset=0 TTL=127 chksum=47920 TCP: port=2993 -> dport: 4367 flags=***AP*** seq=1143137794 ack=1716133218 off=5 res=0 win=17392 urp=0 chksum=29328 Payload: length = 15 000 : 4A 4F 49 4E 20 23 78 23 20 6C 6D 61 6F 0D 0A JOIN #x# lmao..
Warning: Private messages contain private conversations, downloads, etc. Use with extreme caution
Tagged Packets
Part of the instructions within a Snort rule will generate what are called Tagged Packets. They do not match the rule's full inspection criteria, but they contain significant information. Turning them off is possible, but they are very useful.
#(14 - 1584280) [2005-10-25 00:00:27] [snort/1] Tagged Packet IPv4: 131.151.xxx.yyy -> 69.64.51.161 hlen=5 TOS=0 dlen=83 ID=27977 flags=0 offset=0 TTL=128 chksum=55732 TCP: port=4321 -> dport: 1231 flags=***AP*** seq=2096338771 ack=2490835835 off=5 res=0 win=17153 urp=0 chksum=39888 Payload: length = 43 000 : 4D 4F 44 45 20 5B 58 50 2D 37 35 34 36 34 31 31 010 : 5D 20 2B 69 78 0A 4D 4F 44 45 20 5B 58 50 2D 37 020 : 35 34 36 34 31 31 5D 20 2B 69 0A MODE [XP-7546411 ] +ix.MODE [XP-7 546411] +i.
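The rule choice from the Rules To Choose slide (NICK/JOIN/PRIVMSG on any port, random nicks) and the alert lines on the Channel Names and Tagged Packets slides, worked through as an added Python example that is not part of the original slides: it decodes the hex dump of a Snort full-alert line back into the IRC command, flags non-standard destination ports and generated-looking nicks, and never extracts a PRIVMSG body. The "standard" IRC port set, the nick heuristic and the sample addresses are assumptions; the hex dumps are the slides' own.

```python
import re

# Assumed "standard" IRC ports (not from the slides); anything else counts as non-standard.
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {7000}
IRC_COMMANDS = {"NICK", "JOIN", "PRIVMSG", "MODE"}

def payload_bytes(alert):
    """Rebuild the raw payload from the hex dump in a Snort full-alert line."""
    m = re.search(r"Payload: length = (\d+)(.*)", alert)
    if not m:
        return b""
    length, tail = int(m.group(1)), m.group(2)
    # Offsets like "010 :" are 3 digits so only byte tokens match; the cap skips the trailing ASCII rendering.
    return bytes(int(t, 16) for t in re.findall(r"\b[0-9A-F]{2}\b", tail)[:length])

def looks_generated(nick):
    """Bots need unique nicks and generate them, e.g. [XP-7546411]; heuristic (assumption): 4+ digit run or >= 40% digits."""
    core = nick.strip("[]")
    digits = sum(c.isdigit() for c in core)
    return bool(re.search(r"\d{4,}", core)) or (bool(core) and digits / len(core) >= 0.4)

def parse_alert(alert):
    """(dport, command, target, nonstd_port, generated_nick) per IRC line; only the first argument is kept, so PRIVMSG bodies are never read."""
    m = re.search(r"dport: (\d+)", alert)
    dport = int(m.group(1)) if m else 0
    findings = []
    for line in re.split(r"\r?\n", payload_bytes(alert).decode("latin-1")):
        parts = line.split(maxsplit=2)
        if len(parts) < 2 or parts[0].upper() not in IRC_COMMANDS:
            continue
        cmd, target = parts[0].upper(), parts[1]
        findings.append((dport, cmd, target, dport not in STANDARD_IRC_PORTS,
                         cmd in ("NICK", "MODE") and looks_generated(target)))
    return findings

# Constructed alerts: placeholder addresses, the slides' own hex dumps, plus a benign control ("NICK alice\r\n" on 6667).
SAMPLE_ALERTS = [
    "[snort/2000348] BLEEDING-EDGE IRC - Channel JOIN on non-std port IPv4: 192.0.2.10 -> "
    "203.0.113.5 TCP: port=4321 -> dport: 1231 Payload: length = 14 "
    "000 : 4A 4F 49 4E 20 23 45 76 31 6C 73 20 78 0A JOIN #Ev1ls x.",
    "[snort/1] Tagged Packet IPv4: 192.0.2.10 -> 203.0.113.5 TCP: port=4321 -> dport: 1231 "
    "Payload: length = 43 000 : 4D 4F 44 45 20 5B 58 50 2D 37 35 34 36 34 31 31 010 : 5D 20 "
    "2B 69 78 0A 4D 4F 44 45 20 5B 58 50 2D 37 020 : 35 34 36 34 31 31 5D 20 2B 69 0A MODE [XP-7546411] +ix.MODE [XP-7546411] +i.",
    "IPv4: 192.0.2.11 -> 203.0.113.6 TCP: port=50000 -> dport: 6667 Payload: length = 12 "
    "000 : 4E 49 43 4B 20 61 6C 69 63 65 0D 0A NICK alice..",
]

def suspicious(alerts=SAMPLE_ALERTS):
    """Keep only findings on a non-standard port or carrying a generated-looking nick."""
    return [f for a in alerts for f in parse_alert(a) if f[3] or f[4]]
```

Running suspicious() on the samples returns the JOIN to #Ev1ls and both MODE lines for [XP-7546411] on port 1231, while the NICK on 6667 from a human-looking name is dropped.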
Remediation
- Generally will end up with some Administrator/SYSTEM level compromise
- Can be cleaned, but no guarantees; rare to return to a trusted state
- Possible rootkits (the www.sysinternals.com tools are great tools)
- Hidden files
- Entire Internet is the domain for other installs
- Best Practice: Flatten/Rebuild
Risk Mitigation
- Block ports not needed for business
- Proxy servers
- Install network statistics monitoring like netflow
- Install IDS sensors like Snort
Moving targets
- IRC servers change
- Ports change
Summary
Bots will be with us for a very long time.
Best practices:
- Educate users: patches/security settings/what not to do!
- Install IDS and network statistics monitoring
- Keep yourself up to date on the bots and tactics
- Share your findings. Inform MOREnet: security@more.net
Further questions: kfl@umr.edu