www.iti.uiuc.edu
Botnets: Proactive System Defense
John C. A. Bambenek
University of Illinois – Urbana-Champaign
June 2006
Introduction
• Assumptions
• Paradigm shifts in eCommerce
• Growth and changes in malware
• Future trends of botnets
• Fundamental flaws in our current system
• Remediation of the core vulnerabilities
• Cost justification
Assumptions
• Focus on financial transactions; DDoS is painful, but its damage potential is small, and a botnet exposes itself once the DDoS begins.
• Consumers don't directly pay for fraud losses; banks and merchants do.
• Consumers, as a rule, are neither qualified nor motivated to harden their own machines sufficiently.
• Corporations have other means of protection available to them; focus effort on consumers.
Paradigm Shifts in eCommerce
• ~1993 – Web browsers and Web servers invented (instant information access)
• ~1995 – eBay, Amazon begin the era of eCommerce (money transactions over the Internet)
• ~2003 – Spyware, phishing, identity theft (“hackers” in it for money)
• All had “reactive” responses to these paradigm shifts, adapting current/old technologies to new needs.
• We've not had a fundamental examination of how we do business online.
• We are playing the information security game on the hackers' terms, not ours.
Growth and Change in Malware Development
• In the beginning there were viruses…
• 2003 saw the beginning of spyware, phishing, botnets, etc. as an outgrowth of spamming outfits, not hacking outfits. (Sanford “Spamford” Wallace fined $4m for spyware operations)1
• Slow development in botnet technology (it took roughly 2 years to see real use of encryption).
• Spyware, Phishing, Botnets still growing despite the increase of money being spent to remediate the problem.
Growth in Phishing, Malware
Chart (not reproduced): number of trojans intercepted by Kaspersky Labs.2
• About 10–15k new bot machines per day; dropped to 5k after the XP SP2 release, but only for a few months.3
• Only 4–6 days from disclosure to a public exploit, yet 40–60 days for a patch.4
• Money being involved means more players developing the malware and trying to deploy it.
• Why do they keep growing? Because it keeps working.
• We haven't eliminated the real problem.
Botnets and Theft
• Zotob/Mytob/Rbot creators developed software to maintain control of computers for financial gain.
– Authors forwarded stolen credit card information to a credit card fraud ring.
• Oct. 2005, a botnet of 1.5 million hosts found and shut down.5
– Operators were caught attempting a DDoS extortion scheme, but the software also contained a keylogger; financial information was likely compromised as well.
• Most botnet software includes a keylogger that steals financial information and sends it out via IRC or e-mail.
Future Trends of Botnets
• Botnet operators want to remain online and in control of machines as long as possible.
– More encryption
– More mimicking of “normal” traffic
– Can still detect by looking for “bad IPs”
– Possible detection by outbound connection monitoring (PrivacyGuard, etc)
Future Botnet Evolution?
• Future paradigm shift? Using allowable and ordinary communication to hide botnet control messages.
– Using Gmail as a botnet control protocol
• Known-good IP space
• XML makes it easy to develop bots to interact with it (e.g. read messages with RSS)
• Can use SSL
• Will be invisible to network inspection
• Use for economic warfare?
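The slide above argues that control traffic riding on a known-good, SSL-protected service defeats both IP blocklists and payload inspection. What neither encryption nor a good IP hides is timing: a bot polls its mailbox or feed on a timer with near-identical request sizes, while a person reads in bursts. The following is an added example (not from the original slides, and not a real tool) that scores each client/destination pair in a proxy log on the regularity of its request intervals and sizes; the log lines, hosts and destination names are constructed for the example.

```python
"""Flag timer-driven "beaconing" to an allowed web service in proxy logs (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LOG_FORMAT = "%Y-%m-%dT%H:%M:%S"


def make_sample_log():
    """Constructed proxy log lines ('<timestamp> <client> <dest> <bytes>'), not real traffic.
    10.0.0.5 is an infected host polling mail.example.com every 300 s with
    near-constant request size; 10.0.0.7 is a person using the same service
    at irregular intervals. Both talk only to a 'known good' destination."""
    start = datetime(2006, 6, 1, 9, 0, 0)
    lines = []
    # Bot: 24 polls about 300 s apart with a second or two of jitter, ~400 bytes each
    for i in range(24):
        t = start + timedelta(seconds=300 * i + i % 3)
        lines.append(f"{t.strftime(LOG_FORMAT)} 10.0.0.5 mail.example.com {400 + i % 5}")
    # Human: short bursts separated by long, irregular gaps, varying sizes
    human_gaps = [0, 11, 4, 900, 37, 2, 5, 2400, 60, 9, 1, 3100, 14, 45]
    t = start
    for i, gap in enumerate(human_gaps):
        t += timedelta(seconds=gap)
        lines.append(f"{t.strftime(LOG_FORMAT)} 10.0.0.7 mail.example.com {1200 + 517 * i}")
    return sorted(lines)


def parse_line(line):
    ts, client, dest, size = line.split()
    return datetime.strptime(ts, LOG_FORMAT), client, dest, int(size)


def regularity(values):
    """Coefficient of variation (stdev / mean). Near 0 means 'on a timer';
    human activity is typically well above 1."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def beacon_candidates(lines, min_requests=10, max_interval_cv=0.1, max_size_cv=0.2):
    """Group requests by (client, dest) and return pairs whose inter-request
    intervals AND request sizes are both unusually regular. Encryption hides
    content and 'known good' IPs defeat blocklists, but neither hides timing."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, client, dest, size = parse_line(line)
        by_pair[(client, dest)].append((ts, size))
    findings = []
    for (client, dest), events in by_pair.items():
        if len(events) < min_requests:
            continue
        events.sort()
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        interval_cv, size_cv = regularity(intervals), regularity(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({
                "client": client, "dest": dest, "requests": len(events),
                "mean_interval_s": round(statistics.mean(intervals), 1),
                "interval_cv": round(interval_cv, 3), "size_cv": round(size_cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in beacon_candidates(make_sample_log()):
        print(f"beacon? {f['client']} -> {f['dest']}: {f['requests']} requests, "
              f"every ~{f['mean_interval_s']} s (interval CV {f['interval_cv']})")
```

On the constructed input only the 10.0.0.5 pair is returned. This is a triage signal, not a conviction: legitimate mail clients and feed readers also poll on a timer, so a hit should be joined with host-side evidence (the process making the connections, whether it is signed) before anyone acts on it, which is exactly the host/network combination the remediation slides ask for.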
Fundamental Flaws in our Current System
• Financial information (e.g. credit card numbers) is entered in the clear on untrustworthy machines.
• Financial transactions generally require only one-factor authentication.
• We have a weak, de facto national ID system: only a 9-digit number (the SSN) is needed to assume someone's identity.
• Anti-virus/anti-spyware assumes all software is safe until proven otherwise; ~20% of malware is not detected.6
• We must wait until exploitation occurs to write signatures.
Remediation
• Financial and identity information should be encrypted before it gets to the PC (e.g. smart cards).
• Anti-virus/anti-spyware should move to a “deny all” default policy and develop a “trusted software” model (e.g. signed software).
• Develop free, consensus-based hardening scripts for consumer PCs and let ISPs, banks, etc. distribute them; stronger automatic updating.
• Develop ways to remotely validate that a machine is “safe” before allowing a transaction.
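To make the first remediation bullet concrete, here is an added example (not from the original slides, and not any real card or EMV standard) of the property a smart-card style token buys: the secret that authorizes a payment lives in the card, the PC only relays a one-time authorization bound to one merchant, one amount and one bank-issued challenge, and a keylogger that records everything the PC sees still cannot change the amount, redirect the payment or replay it. The card ID, merchant names and message layout are assumptions for the example; the key is an HMAC key shared between card and issuer.

```python
"""Card-held key authorizes one specific transaction; the PC never sees the key (added example)."""
import hashlib
import hmac
import secrets


def canonical(card_id, merchant, amount_cents, nonce):
    """Length-prefix every field so ('ab','c') and ('a','bc') cannot MAC the same."""
    fields = [card_id, merchant, str(amount_cents), nonce]
    return b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)


class Card:
    """Stand-in for the tamper-resistant token (hypothetical, not a real card spec).
    Only authorize() is callable from the PC; the key never leaves the object."""

    def __init__(self, card_id, key):
        self.card_id = card_id
        self.__key = key

    def authorize(self, merchant, amount_cents, nonce):
        # A real token would show merchant/amount on its own display before signing.
        msg = canonical(self.card_id, merchant, amount_cents, nonce)
        return hmac.new(self.__key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Bank side: holds each card's key, issues one-time challenges, verifies tags."""

    def __init__(self):
        self._keys = {}
        self._outstanding = set()   # (card_id, nonce) challenges not yet consumed

    def enroll(self, card_id):
        key = secrets.token_bytes(32)
        self._keys[card_id] = key
        return Card(card_id, key)

    def challenge(self, card_id):
        nonce = secrets.token_hex(16)
        self._outstanding.add((card_id, nonce))
        return nonce

    def verify(self, card_id, merchant, amount_cents, nonce, tag):
        key = self._keys.get(card_id)
        if key is None or (card_id, nonce) not in self._outstanding:
            return False                    # unknown card, forged or already-used nonce
        expected = hmac.new(key, canonical(card_id, merchant, amount_cents, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                    # amount/merchant altered after signing
        self._outstanding.discard((card_id, nonce))   # consume: no replay
        return True


def demo():
    """An honest purchase, interleaved with what a keylogger on the PC can do
    with everything it observed. Returns the outcomes for inspection."""
    issuer = Issuer()
    card = issuer.enroll("4111-demo")       # constructed identifier
    nonce = issuer.challenge("4111-demo")
    tag = card.authorize("shop.example", 1999, nonce)          # $19.99
    observed = ("4111-demo", "shop.example", 1999, nonce, tag)  # all the PC/keylogger sees
    nonce2 = issuer.challenge("4111-demo")  # a fresh, unused challenge the attacker also sees

    return {
        # Attacker races the user: captured tag with a bigger amount / other merchant
        "tampered_amount": issuer.verify("4111-demo", "shop.example", 199900, nonce, tag),
        "other_merchant": issuer.verify("4111-demo", "evil.example", 1999, nonce, tag),
        # The user's own authorization goes through exactly once
        "honest": issuer.verify(*observed),
        # Attacker replays the exact captured authorization
        "replay": issuer.verify(*observed),
        # Attacker has a valid challenge but no key, so must guess the tag
        "forged": issuer.verify("4111-demo", "shop.example", 1999, nonce2, "00" * 32),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} -> {'ACCEPTED' if ok else 'rejected'}")
```

Two caveats a practitioner should keep in mind. First, this protects the integrity of what the card signed, not what the user intended: malware on the PC can ask the card to authorize a different amount than the one shown on screen, so a token without its own display and PIN pad only moves the problem, which is why the slide says “encrypted before it gets to the PC” rather than merely “signed on the PC”. Second, the card ID still travels in the clear here; in practice it is paired with a PIN entered on the token (the second factor the next slides call for).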
Remediation (2)
• Should not exclude continuing other host-based and network-based detection schemes.
• Needs to be convenient and “free” for the user.
• Creates a defense-in-depth environment for PCs: hackers must undermine several layers of protection instead of just one ineffective one.
• It will be “expensive” to do all of these, but it's worth the cost.
Cost Justification
• Estimated $24 billion USD (0.2% of GDP) in assets already at risk from stolen identities of US consumers (a low-ball estimate).7
• The real exposure is more like $110 billion (0.9% of GDP).8
• If stolen identities were used for economic warfare instead of simple theft, the damage would be much higher (a run on the bank, dramatic loss of confidence in eCommerce…).
• Changes the security dynamics and forces hackers to adapt to us.
Conclusion
• The core vulnerabilities of eCommerce have not yet been adequately addressed (insecure PCs, one-factor authentication, use of old technologies and methods…).
• Fraud and identity theft will continue to be the primary drivers of botnet growth and development until those problems are addressed.
• If left unchecked, botnets will become harder, to near-impossible, to detect on the network.
• Proactive steps will put the “bad guys” on the defensive: a great return on security investment.
• Get “institutional players” and money out of the botnet business.
• Apply defense-in-depth to consumer PCs.
References
1. The Register, May 5, 2006. (http://www.theregister.co.uk/2006/05/05/ftc_spyware_lawsuits/)
2. Viruslist, “Malware Evolution: 2005”, February 8, 2006. (http://www.viruslist.com/en/analysis?pubid=178949694)
3. Symantec, March 5, 2005. (http://www.symantec.com/small_business/library/article.jsp?aid=symantec_research)
4. Ullrich, J., “The Disappearing Patch Window”. (http://isc.sans.org/presentations/MITSecCampISCPresentation.pdf)
5. Internet Storm Center, October 10, 2005. (http://isc.sans.org/diary.php?storyid=778)
6. Internet News (citing Gartner), June 13, 2006. (http://www.internetnews.com/security/article.php/3613236)
7. Bambenek, J. (http://handlers.dshield.org/jbambenek/keylogger.html)
8. Unpublished study by John Bambenek and Agnieszka Klus.