Botnets: Proactive System Defense. John C. A. Bambenek, University of Illinois – Urbana-Champaign, June 2006 (www.iti.uiuc.edu)

Page 1

www.iti.uiuc.edu

Botnets: Proactive System Defense

John C. A. Bambenek

University of Illinois – Urbana-Champaign

June 2006

Page 2

Introduction

• Assumptions

• Paradigm shifts in eCommerce

• Growth and changes in malware

• Future trends of botnets

• Fundamental flaws in our current system

• Remediation of the core vulnerabilities

• Cost justification

Page 3

Assumptions

• Focus on financial transactions; DDoS is painful but limited in damage potential, and it exposes the botnet as soon as the attack begins.

• Consumers don’t directly pay for fraud losses. Banks and merchants do.

• Consumers, as a rule, aren’t qualified or motivated to sufficiently harden their own machines.

• Corporations have other means of protection available to them; focus effort on consumers.

Page 4

Paradigm Shifts in eCommerce

• ~1993 – Web browsers and Web servers invented– (instant information access)

• ~1995 – eBay, Amazon begin era of eCommerce– (money transactions over internet)

• ~2003 – Spyware, Phishing, Identity theft– (“Hackers” in it for money)

• All had “reactive” responses to paradigm shifts, adapted current/old technologies to new needs.

• We’ve not had a fundamental examination of how we do business online.

• We are playing the information security game on the hackers’ terms, not ours.

Page 5

Growth and Change in Malware Development

• In the beginning there were viruses…

• 2003 saw the beginning of spyware, phishing, botnets, etc. as an outgrowth of spamming outfits, not hacking outfits. (“Spamford” Wallace fined $4m for spyware operations)1

• Slow development in botnet technology (it took about 2 years before encryption saw real use).

• Spyware, Phishing, Botnets still growing despite the increase of money being spent to remediate the problem.

Page 6

Growth in Phishing, Malware

[Chart omitted: number of trojans intercepted by Kaspersky Labs.2]

• About 10-15k new bot machines per day; the rate dropped to ~5k after the Windows XP SP2 release, but only for a few months.3

• Only 4-6 days from disclosure to a released exploit, yet 40-60 days to patch.4

• Money being involved means more players developing the malware and trying to deploy it.

• Why do they keep growing? Because it keeps working.

• We haven’t eliminated the real problem.

Page 7

Botnets and Theft

• Zotob/Mytob/Rbot creators developed software to maintain control of computers for financial gain.

– Authors forwarded stolen credit card information to a credit card fraud ring.

• Oct. 2005, botnet with 1.5 million hosts found and shut down.5

– The operators were caught attempting a DDoS extortion scheme, but the software also carried a keylogger, so financial information was likely compromised as well.

• Most botnet software includes keyloggers that will steal financial information and send either via IRC or e-mail.

Page 8

Future Trends of Botnets

• Botnet operators want to remain online and in control of machines as long as possible.

– More encryption

– More mimicking of “normal” traffic

– Can still be detected by looking for “bad IPs”

– Possible detection by outbound connection monitoring (PrivacyGuard, etc.)

Page 9

Future Botnet Evolution?

• Future paradigm shift? Using allowable and ordinary communication to hide botnet control messages.

– Using Gmail as a botnet control protocol

• Known good IP space

• XML makes it easy to develop bots to interact with it (e.g. read messages via RSS)

• **Can use SSL**

• Will be invisible to network inspection
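Added example, not part of the original slides: the two detections named on slides 8 and 9 (a known-bad-IP check and outbound-connection monitoring) run over constructed connection log lines. The host names, addresses and the blocklist entry are made up. The timing check is the part that still catches a bot polling a reputable webmail or feed host over SSL: inspection cannot see the content, but a fixed polling interval stands out against a person’s irregular browsing.

```python
"""Outbound-connection monitoring over constructed sample log lines.

Two detections:
  1. destination on a known-bad IP list (the "bad IPs" check);
  2. beaconing: one host contacting one destination at a near-constant
     interval, which shows up even when the destination is a "known good"
     host and the payload is SSL on port 443.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: epoch seconds, source host, destination IP, port.
# pc-17 talks to a listed C&C server; pc-22 polls a reputable host every
# ~300 s; pc-31 is a person browsing the same reputable host irregularly.
SAMPLE_LOG = """\
1150000000 pc-17 203.0.113.9 6667
1150000060 pc-17 203.0.113.9 6667
1150000003 pc-22 198.51.100.20 443
1150000303 pc-22 198.51.100.20 443
1150000603 pc-22 198.51.100.20 443
1150000904 pc-22 198.51.100.20 443
1150001203 pc-22 198.51.100.20 443
1150000010 pc-31 198.51.100.20 443
1150000421 pc-31 198.51.100.20 443
1150002090 pc-31 198.51.100.20 443
1150003999 pc-31 198.51.100.20 443
1150005001 pc-31 198.51.100.20 443
"""

# Constructed blocklist; 203.0.113.9 stands in for a known IRC C&C address.
BAD_IPS = {"203.0.113.9"}


def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        try:
            yield int(ts), src, dst, int(port)
        except ValueError:
            continue


def bad_ip_hits(records):
    """Return sorted (src, dst) pairs that contacted a blocklisted address."""
    return sorted({(src, dst) for _, src, dst, _ in records if dst in BAD_IPS})


def beacons(records, min_connections=5, max_jitter=0.05):
    """Return (src, dst, period_seconds) for flows whose inter-arrival times
    are nearly constant: standard deviation below max_jitter * mean."""
    by_flow = defaultdict(list)
    for ts, src, dst, _ in records:
        by_flow[(src, dst)].append(ts)
    found = []
    for (src, dst), times in by_flow.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period < max_jitter:
            found.append((src, dst, round(period)))
    return found


def analyze(text=SAMPLE_LOG):
    """Run both detections over a log and return their findings."""
    records = list(parse_log(text))
    return {"bad_ip": bad_ip_hits(records), "beacon": beacons(records)}


if __name__ == "__main__":
    print(analyze())
```

On the sample log this flags pc-17 for the blocklist hit and pc-22 as a beacon with a 300-second period, while pc-31, which reaches the same reputable host, is left alone. Real bots add jitter to their polling, so the threshold needs tuning per network, and a long baseline of normal traffic to that destination is what makes the comparison meaningful.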

• Use for economic warfare?

Page 10

Fundamental Flaws in our Current System

• Financial information (e.g. credit card numbers) is entered in the clear on untrustworthy machines.

• Financial transactions generally only require one-factor authentication.

• We have a weak, de facto national ID system: only a 9-digit number (the Social Security number) is needed to assume someone’s identity.

• Anti-virus/anti-spyware tools assume all software is safe until proven otherwise. ~20% of malware is not detected.6

• We must wait until exploitation to make signatures.
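Added example, not from the original slides: the first two flaws on this slide side by side with the remedy slide 11 proposes. A card number typed on an infected PC is a reusable secret, so whatever the keylogger captures can be spent anywhere; a smart card that signs each transaction with a key that never leaves the card gives the keylogger only a one-time authenticator bound to one amount, one payee and one bank-issued nonce. The account names, key and card number are constructed demo values, and the HMAC-based challenge/response stands in for whatever signature scheme a real card would use.

```python
"""Keylogger on the PC versus a transaction signed on a smart card."""
import hashlib
import hmac
import secrets


class ClearTextBank:
    """Today's model: whoever presents a valid card number gets the money."""

    def __init__(self, cards):
        self._cards = set(cards)

    def settle(self, card_number, payee, amount_cents):
        return card_number in self._cards


class SmartCard:
    """Holds the key; the PC only ever sees the output of sign()."""

    def __init__(self, account, key):
        self.account = account
        self._key = key  # never exported to the PC

    def sign(self, payee, amount_cents, nonce):
        msg = f"{self.account}|{payee}|{amount_cents}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class CardBank:
    """Issues a fresh nonce per transaction and verifies the card's MAC."""

    def __init__(self, keys):
        self._keys = dict(keys)  # account -> key shared with that card
        self._open = set()       # nonces issued but not yet spent

    def challenge(self):
        nonce = secrets.token_hex(8)
        self._open.add(nonce)
        return nonce

    def settle(self, account, payee, amount_cents, nonce, mac):
        key = self._keys.get(account)
        if key is None or nonce not in self._open:
            return False  # unknown account, or nonce already used / never issued
        msg = f"{account}|{payee}|{amount_cents}|{nonce}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False  # fields changed, or MAC made with another key
        self._open.discard(nonce)  # one use only
        return True


def demo():
    """Replay what a keylogger captures against both bank models."""
    # Constructed demo values; no real card number or key.
    card_number = "4111111111111111"
    key = hashlib.sha256(b"constructed card key").digest()
    legacy = ClearTextBank({card_number})
    bank = CardBank({"acct-1001": key})
    card = SmartCard("acct-1001", key)
    results = {}

    # Clear-text model: the captured number is enough for a new purchase.
    results["clear_user"] = legacy.settle(card_number, "shop", 4999)
    captured = card_number
    results["clear_thief"] = legacy.settle(captured, "mule", 99999)

    # Card model: the keylogger captures the whole message, but it is
    # bound to this nonce, payee and amount.
    nonce = bank.challenge()
    mac = card.sign("shop", 4999, nonce)
    captured = ("acct-1001", "shop", 4999, nonce, mac)
    results["card_user"] = bank.settle(*captured)
    results["card_replay"] = bank.settle(*captured)
    results["card_altered"] = bank.settle("acct-1001", "mule", 99999, nonce, mac)
    results["card_forged"] = bank.settle("acct-1001", "mule", 99999, bank.challenge(), mac)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The card model still needs the card to show the user what it is signing; if the PC feeds the card a different payee and amount than the user typed, the card will faithfully sign the fraudulent transaction. That is why the slide says the information must be protected before it reaches the PC, not merely encrypted by it.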

Page 11

Remediation

• Financial and identity information should be encrypted before it gets to the PC (e.g. smart cards).

• Anti-virus/anti-spyware should move to a “deny all” default policy and develop a “trusted” software model (e.g. signed software).

• Develop free consensus-based hardening scripts for consumer PCs, let ISPs, banks, etc, distribute. Stronger automatic updating.

• Develop ways to remotely validate a machine is “safe” before allowing a transaction.
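Added example, not from the original slides: the “deny all” software policy from this slide beside the default-allow model slide 10 criticises, plus a minimal version of the last bullet, a remote check that a machine is running only approved software before a transaction is accepted. The program contents, hashes and the per-machine key are constructed; hashes stand in for the publisher signatures a real trusted-software catalogue would carry.

```python
"""Default-deny software policy and a remote "is this PC safe?" check."""
import hashlib
import hmac
import json

# Constructed stand-ins for executables on a consumer PC.
PROGRAMS = {
    "notepad.exe": b"NOTEPAD build 1 (legitimate)",
    "browser.exe": b"BROWSER build 2 (legitimate)",
    "rbot.exe": b"RBOT (old build, already in AV signatures)",
    "rbot-repack.exe": b"RBOT (repacked variant, no signature yet)",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Default-allow: blocklist of malware the AV vendor has already seen.
AV_SIGNATURES = {sha256(PROGRAMS["rbot.exe"])}
# Default-deny: catalogue of approved programs (constructed; a real
# catalogue would verify publisher signatures rather than fixed hashes).
TRUSTED = {sha256(PROGRAMS["notepad.exe"]), sha256(PROGRAMS["browser.exe"])}


def default_allow(data):
    """Blocklist model: run unless a signature matches, so unknown code runs."""
    return sha256(data) not in AV_SIGNATURES


def default_deny(data):
    """Allowlist model: run only if the program is in the trusted catalogue."""
    return sha256(data) in TRUSTED


def compare_policies(programs=PROGRAMS):
    """name -> (allowed by blocklist, allowed by allowlist)."""
    return {name: (default_allow(d), default_deny(d)) for name, d in programs.items()}


# Remote validation. Assumption (not from the slides): each enrolled PC
# shares a per-machine key with the bank and reports the hashes of the
# programs it is running, authenticated with that key.
MACHINE_KEY = b"constructed-demo-key-for-pc-22"


def build_report(running, key=MACHINE_KEY):
    """Client side: MACed, sorted list of running program hashes."""
    body = json.dumps(sorted(sha256(d) for d in running.values())).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def transaction_allowed(body, tag, key=MACHINE_KEY):
    """Bank side: authentic report and every running program on the allowlist."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False
    return all(h in TRUSTED for h in json.loads(body))


def demo():
    clean = {k: PROGRAMS[k] for k in ("notepad.exe", "browser.exe")}
    body, tag = build_report(PROGRAMS)  # infected PC, honest report
    # A bot that edits the report without the key fails the MAC check.
    stripped = json.dumps([h for h in json.loads(body) if h in TRUSTED]).encode()
    return {
        "clean": transaction_allowed(*build_report(clean)),
        "infected": transaction_allowed(body, tag),
        "tampered": transaction_allowed(stripped, tag),
    }


if __name__ == "__main__":
    for name, (blocklist, allowlist) in compare_policies().items():
        print(f"{name:16} blocklist={'run' if blocklist else 'block'} "
              f"allowlist={'run' if allowlist else 'block'}")
    print(demo())
```

The repacked bot is the case the slide is about: it passes the blocklist because no signature exists yet, and fails the allowlist without anyone having to see it first. The remote check has an obvious limit that the code cannot fix: the report is produced on the machine being judged, and a bot running with the same privileges as the reporting agent can read the key and sign a clean-looking report. It raises the bar for commodity malware, but a machine-independent root of trust is needed before a bank can rely on it.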

Page 12

Remediation (2)

• Should not exclude continuing other host-based and network-based detection schemes.

• Needs to be convenient and “free” for user.

• Creates a defense-in-depth environment for PCs. Hackers have a much harder time undermining several layers of protection than a single, ineffective one.

• It will be “expensive” to do all of these, but it’s worth the cost.

Page 13

Cost Justification

• Estimated $24 billion USD (0.2% of GDP) in assets already at risk from stolen identities of US consumers (a low-balled estimate).7

• The real exposure is more like $110 billion (0.9% of GDP).8

• If stolen identities were used for economic warfare instead of simple theft, damage would be much higher (run on the bank, dramatic loss of confidence in eCommerce…)

• Changes the security dynamics and forces hackers to adapt to us.

Page 14

Conclusion

• The core vulnerabilities with eCommerce have not yet been adequately addressed (insecure PCs, one-factor auth, use of old technologies and methods…)

• Fraud and identity theft will continue to be primary drivers of botnet growth and development until those problems are addressed.

• If left unchecked, botnets will become harder, and eventually near-impossible, to detect on the network.

• Proactive steps will put the “bad guys” on defense, great return on security investment.

• Get “institutional players” and money out of the botnet business.

• Apply defense-in-depth to consumer PCs.

Page 15

References

1. The Register, May 5, 2006. http://www.theregister.co.uk/2006/05/05/ftc_spyware_lawsuits/

2. Viruslist, “Malware Evolution: 2005”, February 8, 2006. http://www.viruslist.com/en/analysis?pubid=178949694

3. Symantec, March 5, 2005. http://www.symantec.com/small_business/library/article.jsp?aid=symantec_research

4. Ullrich, J. “The Disappearing Patch Window”. http://isc.sans.org/presentations/MITSecCampISCPresentation.pdf

5. Internet Storm Center, October 10, 2005. http://isc.sans.org/diary.php?storyid=778

6. Internet News (citing Gartner), June 13, 2006. http://www.internetnews.com/security/article.php/3613236

7. Bambenek, J. http://handlers.dshield.org/jbambenek/keylogger.html

8. Unpublished study by John Bambenek and Agnieszka Klus.