Issue 2 – Mar 2010 | Page - 1
Issue 12 – Jan 2011 | Page - 2
JavaScript Botnets

Introduction

Anybody who has had even a slight brush with the security industry will have heard of botnets at least once. A botnet is a group of compromised computers controlled by an attacker; these computers, or zombies, perform whatever actions the attacker commands. Botnets are usually created by compromising the victims' systems with remote code execution exploits and then installing backdoors on them. The attackers must keep working on exploits for 0-days or newly discovered vulnerabilities to be able to infect more victims. Even then they are usually restricted to a single platform unless they have exploits and backdoors for each of the different platforms out there.

There is another type of remote code execution that is far easier to perform: JavaScript in web pages. Executing JavaScript on someone's system does not require any 0-days or exploits; it simply requires the person to visit a website. Moreover, the same piece of JavaScript works across all operating systems and platforms (desktops, tablets, mobiles etc.). Every time a user clicks on a link he is giving a remote website an opportunity to execute code (JavaScript) on his machine. The window of opportunity is widened by tabbed browsing: most users have multiple tabs open, and most tabs remain open throughout a browsing session that can stretch for hours. This enables an external entity to utilize the user's processing power and bandwidth for its own malicious needs. Spammers, especially on sites like Twitter, have been able to get thousands of users to click on their links in very short durations.

JavaScript is believed to be handicapped by performance constraints and the restrictions enforced by the browser's sandbox. This, however, is a misconception: JavaScript engines have become extremely fast over recent years. Moreover, HTML5 introduces WebWorkers, a threading model for JavaScript. This lets any website start a background JavaScript thread, unknown to the user, and execute code without slowing down the browser or making it unresponsive.
Creating a JavaScript Botnet

A JavaScript botnet would consist of thousands of systems that have the attacker-controlled page open in their browsers for an extended duration, allowing continued execution of the attacker's JavaScript. There are two phases in building such a botnet:

1) Reaching out to victims
2) Extending execution lifetime

1) Reaching out to victims: This involves getting the victim to visit an attacker-controlled website. It can be done in a number of different ways:

1) Email spam
2) Trending topics on Twitter
3) Persistent XSS on popular websites, forums etc.
4) Search engine poisoning
5) Compromised websites
6) Abusing URL shorteners

These are the methods current JavaScript malware authors use to attract victims to their websites, and they can draw thousands of victims. While a traditional malware-spreading website can be quickly identified by automated crawlers looking for signatures of browser exploits, a JavaScript botnet payload is less likely to be identified, since it is regular JavaScript working within the constraints of the sandbox and does not perform any exploitation against the browser.
2) Extending execution lifetime: Once a victim visits the attacker-controlled page, it is essential to keep this page open in the victim's browser for as long as possible. This can be done by combining Clickjacking and Tabnabbing. When the page is loaded, it contains an invisible link with the target attribute set to '_blank'. This link is always placed under the mouse pointer using the 'document.onmousemove' event handler. This way, when the victim clicks anywhere on the page, a new tab opens and grabs the victim's attention. With multiple tabs open, the likelihood of the victim coming back to the main tab and closing it is reduced. To add to this effect, Tabnabbing can be used to refresh the page after the user leaves it, updating the favicon and appearance to resemble popular websites like YouTube, Google or Facebook so that the page blends in with the other tabs the victim would usually have open. There is a working demo of this [http://www.andlabs.org/hacks/xtend_life.html] on the Attack and Defense Labs website.
JavaScript botnet activities

JavaScript botnets can be used to perform the same activities that traditional botnets perform. This article discusses three such activities:

1) Application-level DDoS attacks
2) Email spam
3) Distributed password cracking

1) Application-level DDoS attacks

DDoS attacks have been all over the news recently as activists on either side of the Wikileaks debate took out each other's websites. Firms like Mastercard and Visa have suffered significant losses as a result.
An application-level DDoS attack is an effective type of DDoS attack that has affected even sites like Twitter. These attacks usually involve a large number of HTTP requests to specific sections of the website that are potentially resource-intensive for the server to process. Background JavaScript threads started using WebWorkers can send cross-domain XMLHttpRequests even when the remote website does not support them: the Cross Origin Request security restriction applies only to reading the response. A website that does not support Cross Origin Requests will still process these requests, thereby creating load on the server. A simple request like http://www.target.site/search_product.php?product_id=% sent in large numbers can create severe performance issues on the server. A browser can send a surprisingly large number of GET requests to a remote website using COR from WebWorkers. During tests it was found that around 10,000 requests/minute can be sent from a single browser. With even a very small botnet of just 600 zombies we would be sending around 100,000 requests/sec; depending on the nature of the page being requested, this could be enough to bring a website down.

After I wrote about DDoS attacks with COR, a very smart person [http://shellex.info] showed me that similar numbers could also be achieved by using the img tag to request remote resources. Ben Schmidt has gone one step further by creating a malicious URL shortening service called d0z.me [http://d0z.me/]. d0z.me appears to work like any other URL shortening service, but it actually shows the destination page in an iframe while performing DoS attacks on a target website from the victim's browser. It does this so well that it is extremely unlikely the user will even sense that he is part of a DDoS attack.

2) Email spam

Spam mails are largely sent using open-relay mail servers and botnet zombies. Though it would not be possible to reach a regular open-relay mail server from JavaScript, it would still be possible to send such spam through the web equivalent of open-relay mail servers. Many websites have feedback sections which ask the user to enter their name, email ID, subject and feedback. Once these are entered and the form is submitted, the server crafts them into an email, with hard-coded From and To addresses, and sends it to the internal mail server. Poorly designed websites carry the From and To addresses in hidden form fields in the browser; by overwriting them with external addresses it should be possible to send mails with spoofed addresses if the company's mail server is also configured to operate in open-relay mode. Since only GET requests can be sent through COR, the feedback form should either be sending all data in the QueryString or it should not be differentiating between QueryString and POST parameters. Alternatively, if it is a JSP page, HTTP Parameter Pollution can be used to submit forms over GET.

3) Distributed password cracking

Password cracking has always been a task for programs written in native code, with some sections written in Assembly for performance. With its relatively slower execution rate, JavaScript has never been considered for such resource-intensive tasks. Things, however, have changed: JavaScript engines in modern browsers are becoming increasingly fast, and the concept of WebWorkers allows the creation of dedicated background threads for the purpose of password cracking. During our tests it has been possible to observe password guessing rates of 100,000 MD5 hashes/second in JavaScript. This figure is still slow compared to native code, which can easily loop through a few million MD5 hashes/second on a machine of similar configuration. The JavaScript approach has been found to be on average about 100-115 times slower than native code, but it more than makes up for that in scalability. ~110 machines running the JavaScript password cracking program can match the cracking rate of one machine running a similar program written in native code. As shown in the previous sections, it would be very easy to build a botnet of a few thousand zombies executing our JavaScript password cracker in the background. Even with 1100 zombies our cracking rate would be equivalent to that of 10 machines of similar configuration running a password cracker written in native code. An effective botnet creation effort could potentially gather hundreds of thousands of such zombies to crack password hashes, providing unimaginable computing capability. I have built Ravan [http://www.andlabs.org/tools/ravan.html], a JavaScript distributed hash cracking system, which is an implementation of this concept designed to be used for legitimate needs.
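The COR flood described under application-level DDoS leaves two traces a defender can key on. The following Python is an added example written for this page, not code from the article, from Ravan or from d0z.me: it pulls both traces out of constructed web server log lines. A cross-origin XMLHttpRequest fired from a WebWorker carries an Origin header naming the attacker's page, which an allowlist can refuse at the edge before the expensive search handler runs; the img-tag variant sends no Origin at all and only shows up as a per-client request rate on the costly endpoints, so the example tracks that too. The log layout, the paths, the origins, the IP addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Paths the article singles out as resource-intensive (a search page taking a wildcard
# parameter). A real deployment would list its own hot spots; this set is constructed.
EXPENSIVE_PATHS = {"/search_product.php"}

# Origins permitted to make cross-origin requests to this site (constructed allowlist).
ALLOWED_ORIGINS = {"https://www.example-shop.test"}

# Assumed log layout (not Apache's default): the last quoted field is the value of the
# request's Origin header, written as "-" when the browser sent none.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<origin>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:17]  # "12/Jan/2011:10:00:05 +0000" -> "12/Jan/2011:10:00"
    rec["origin"] = None if rec["origin"] == "-" else rec["origin"]
    return rec


def is_expensive(path):
    return path.split("?", 1)[0] in EXPENSIVE_PATHS


def reject_at_edge(origin):
    """Edge-side check: a cross-origin request whose Origin is not on the allowlist is
    refused before the expensive handler runs. Same-origin navigations carry no Origin."""
    return origin is not None and origin not in ALLOWED_ORIGINS


def analyze(log_text, per_minute_threshold=60):
    """Two signals from the attack the article describes:
    * XMLHttpRequest from a WebWorker is cross-origin, so the browser attaches an Origin
      header naming the attacker's page; foreign origins are tallied for blocking.
    * <img>-tag floods carry no Origin, so a per-client rate on the expensive paths is
      needed as well; clients over the threshold in any one-minute bucket are flagged.
    """
    per_ip_minute = defaultdict(int)
    foreign_origins = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_expensive(rec["path"]):
            continue
        per_ip_minute[(rec["ip"], rec["minute"])] += 1
        if reject_at_edge(rec["origin"]):
            foreign_origins[rec["origin"]] += 1
    flagged = sorted({ip for (ip, _), n in per_ip_minute.items() if n > per_minute_threshold})
    return {"flagged_ips": flagged, "foreign_origins": dict(foreign_origins)}


def build_sample_log():
    """Constructed traffic: one ordinary shopper, one WebWorker XHR zombie, one img-tag zombie."""
    tmpl = '{ip} [12/Jan/2011:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 "{origin}"'
    lines = [tmpl.format(ip="192.0.2.10", sec=s, path="/search_product.php?product_id=42", origin="-")
             for s in (5, 20, 40)]
    lines += [tmpl.format(ip="203.0.113.7", sec=i % 60, path="/search_product.php?product_id=%",
                          origin="http://attacker.example") for i in range(100)]
    lines += [tmpl.format(ip="198.51.100.20", sec=i % 60, path="/search_product.php?product_id=%",
                          origin="-") for i in range(80)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

On the constructed sample the XHR zombie is both rate-flagged and attributable to its Origin, while the img-tag zombie is caught only by the rate bucket; that is why the Origin allowlist alone is not enough and the per-client rate on expensive paths has to stay in place.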
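For the email spam section, the following Python is an added example, not the article's code, contrasting the feedback handler pattern the article criticises (From and To taken from hidden form fields) with a hardened version. The site name, mailbox names and session token are constructed; the handler returns the mail as a dict instead of handing it to an SMTP client, so the routing decision is what a test can check. The hardened handler accepts only POST (the cross-origin requests a WebWorker can fire are GETs), checks Origin and a CSRF token, fixes sender and recipient server side, rejects repeated parameters (the HTTP Parameter Pollution case) and refuses CR/LF in header fields.

```python
import re
from urllib.parse import parse_qs

SITE_ORIGIN = "https://www.example-shop.test"   # constructed: the site hosting the form
FEEDBACK_TO = "feedback@example-shop.test"       # constructed: fixed recipient, server side only
FEEDBACK_FROM = "webform@example-shop.test"      # constructed: fixed envelope sender
HEADER_BREAK = re.compile(r"[\r\n]")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_submission(query_string):
    """Parse form data as a framework would; values stay lists so that repeated keys
    (HTTP Parameter Pollution) remain visible instead of being silently merged."""
    return parse_qs(query_string, keep_blank_values=True)


def build_mail_vulnerable(params):
    """The pattern the article criticises: From and To arrive in (hidden) form fields and
    are trusted, so any browser that can reach the form can route mail anywhere."""
    def first(key, default=""):
        return params.get(key, [default])[0]
    return {
        "from": first("from", FEEDBACK_FROM),
        "to": first("to", FEEDBACK_TO),
        "subject": first("subject"),
        "body": f"{first('name')} <{first('email')}> wrote:\n{first('feedback')}",
    }


def handle_feedback(method, params, origin, csrf_token, session_token):
    """Hardened handler. Returns ("sent", mail) or ("rejected", reason).

    * POST only: a GET-driven form is exactly what lets zombies submit it cross-origin.
    * An Origin header, when the browser sends one, must name this site, and the form's
      CSRF token must match the visitor's session.
    * Recipient and envelope sender are fixed server side; anything the client sends in
      "from"/"to" is ignored, and the visitor's address goes into Reply-To instead.
    * Repeated parameters are rejected rather than letting the framework pick one.
    * Header fields may not contain CR/LF, so a visitor cannot splice in extra headers.
    """
    if method != "POST":
        return ("rejected", "feedback must be submitted with POST")
    if origin is not None and origin != SITE_ORIGIN:
        return ("rejected", f"cross-origin submission from {origin}")
    if not session_token or csrf_token != session_token:
        return ("rejected", "missing or mismatched CSRF token")
    repeated = sorted(k for k, v in params.items() if len(v) != 1)
    if repeated:
        return ("rejected", f"repeated parameters: {repeated}")
    fields = {k: params[k][0] for k in ("name", "email", "subject", "feedback") if k in params}
    for key in ("name", "email", "subject"):
        if HEADER_BREAK.search(fields.get(key, "")):
            return ("rejected", f"line break in header field {key}")
    if not EMAIL_RE.match(fields.get("email", "")):
        return ("rejected", "invalid visitor address")
    mail = {
        "from": FEEDBACK_FROM,
        "to": FEEDBACK_TO,
        "reply_to": fields["email"],
        "subject": fields.get("subject", "Website feedback")[:200],
        "body": f"{fields.get('name', '')} <{fields['email']}> wrote:\n{fields.get('feedback', '')}",
    }
    return ("sent", mail)


if __name__ == "__main__":
    # Constructed submission that tries to redirect the mail (the vulnerable handler obeys it).
    attempt = parse_submission("name=x&email=a@b.co&subject=hi&feedback=buy"
                               "&from=ceo@victim.test&to=list@outside.test")
    print(build_mail_vulnerable(attempt))
    print(handle_feedback("GET", attempt, "http://attacker.example", None, "s1"))
    print(handle_feedback("POST", attempt, None, "s1", "s1"))
```

Keeping the recipient in server configuration rather than in the page is the part that matters most: once To is not a request parameter, the open-relay behaviour the article relies on disappears whatever the mail server's relay settings are.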
Lavakumar Kuppan
lava@andlabs.org
Lava is a penetration tester and security researcher.
Botnet detection tool: Ourmon

Introduction

A botnet is a fusion of many exploits into a single client-server application. The server is called the bot server (generally an IRC server), whereas the clients are called botclients, zombies or drones. The most interesting thing about botclients is that they create more botclients in a coordinated manner to accomplish a common goal, with little or no intervention from the attacker. Botnets are used frequently because the attacker's own machine (the botserver) does not do the work; all of it is done by the drones, which are generally machines other than the attacker's. Common botnet families include Spybot, Agobot, RBot, Mytob and SDBot. A botnet can be used for sniffing packets, launching DDoS attacks, spamming, phishing and stealing data. In this Tool Gyan column, we will learn about botnet detection through the popular network sniffing tool known as Ourmon.
How Ourmon Works

Ourmon is a *NIX-based open source tool originally designed for network packet sniffing. It works on the concept of promiscuous-mode Ethernet packet capture, and it also uses port mirroring on a Layer 2 (Ethernet) switch. It works best on the FreeBSD operating system. Ourmon has two software parts:

1. The probe or front-end, which sniffs packets and summarizes them into various bits of statistical information.
2. The back-end graphics engine, which processes the probe result and makes web graphics, ASCII reports, log entries and reports. The graphics engine needs a web server like Apache to be installed.
Installation of Ourmon

Ourmon can be downloaded from http://sourceforge.net/projects/ourmon/. The latest version is ourmon29.tar.gz. Installation of Ourmon is a bit tricky because it depends on many things: the OS you are using, the web server that is running, and some specific libraries. The following libraries need to be installed before installing Ourmon:

libpcap-devel
pcre
pcre-devel
rrdtool
rrdtool-perl

You can use "yum install" or "zypper install", whichever suits you best. Also make sure that all these libraries and devel tools are compatible with the version of your OS. You also need to install a web server for the GUI display of results. For this article, we have used Fedora as the OS. Here are the screen prints of the installation.

---------------------------------------------------
[root@localhost mrourmon]# ./makeclean.sh
[root@localhost mrourmon]# ./configure.pl
configuration script to install ourmon.
note: default is suggested like so: [default]
note: just hit carriage-return for default actions
-------------------------------
Would you like to install the ourmon probe? [y] y
Front-end configuration phase started
####################
Would you like to compile/install ourmon? [y] y
ourmon build: using make -f Makefile.linux
cc -I. -I/usr/local/include -O4 -DLINUX -DDAEMON -c ourmon.c
cc -I. -I/usr/local/include -O4 -DLINUX -c ipanalyze.c
cc -I. -I/usr/local/include -O4 -DLINUX -c machdep.c
cc -I. -I/usr/local/include -O4 -DLINUX -c util.c
cc -I. -I/usr/local/include -O4 -DLINUX -c interfaces.c
cc -I. -I/usr/local/include -O4 -DLINUX -c filter.c
filter.c: In function ‘write_report’:
filter.c:1324: warning: passing argument 7 of ‘print_icmplist’ makes integer from pointer without a cast
hashicmp.h:62: note: expected ‘int’ but argument is of type ‘int *’
filter.c:1324: warning: passing argument 8 of ‘print_icmplist’ from incompatible pointer type
hashicmp.h:62: note: expected ‘char *’ but argument is of type ‘char (*)[1024]’
cc -I. -I/usr/local/include -O4 -DLINUX -c monconfig.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashsort.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashport.c
cc -O4 -DLINUX -c signal.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashsyn.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashicmp.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashscan.c
cc -I. -I/usr/local/include -O4 -DLINUX -c ircscan.c
cc -I. -I/usr/local/include -O4 -DLINUX -c trigger.c
cc -I. -I/usr/local/include -O4 -DLINUX -c cprogram.c
cc -I. -I/usr/local/include -O4 -DLINUX -c nonipanalyze.c
cc -I. -I/usr/local/include -O4 -DLINUX -c patmatch.c
cc -O4 -DLINUX -c spinlock.c
cc -O4 -DLINUX -c sync.c
cc -I. -I/usr/local/include -O4 -DLINUX -c ourpcap.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashblist.c
cc -O4 -DLINUX -c thread.c
cc -I. -I/usr/local/include -O4 -DLINUX -c stringstore.c
cc -I. -I/usr/local/include -O4 -DLINUX -c hashdns.c
cc -O4 -DLINUX -c pktlinux.c
cc -O4 -o ourmon ourmon.o ipanalyze.o machdep.o util.o interfaces.o filter.o monconfig.o hashsort.o hashport.o signal.o hashsyn.o hashicmp.o hashscan.o ircscan.o trigger.o cprogram.o nonipanalyze.o patmatch.o spinlock.o sync.o ourpcap.o hashblist.o thread.o stringstore.o hashdns.o pktlinux.o -lpcre -lpcap /usr/lib/libJudy.a
Next we determine the ourmon config/filter file to use.
By default, we use the local /opt/ourmon/mrourmon/etc/ourmon.conf to provide input filters to ourmon.
WARNING: you should read/edit/understand ourmon.conf!
Do you want to use another ourmon.conf file in some other directory than /opt/ourmon/mrourmon/etc? [n] n
Next we suggest one modification to the ourmon.conf file.
If this is a default install, you should change the following config directive:
topn_syn_homeip network/netmask
and set it to your home network and mask (A.B.C.D/maskbits style)
Do you want to change the topn_syn home network address? [y] y
note: the home net address may be a subnet or host address (/32).
enter a home net address and mask. [127.0.0.1/32] 192.168.0.17/24
netmask: 192.168.0.17/24
Do you want to install the ourmon startup script in the ourmon bin? [y] y
WARNING: the default for the interface may not be what you want.
WARNING: use #ifconfig -a to determine interfaces.
Please enter the input interface name to sniff from: [eth0] eth0
input interface is eth0
Please enter directory for probe output files (mon.lite, etc.): [/opt/ourmon/mrourmon/tmp] /opt/ourmon/mrourmon/tmp
probe output directory name is: /opt/ourmon/mrourmon/tmp
Creating bin/ourmon.sh driver for startup of ourmon.
ourmon.sh placed in ourmon bin for ourmon front-end/probe startup
./ourmon.sh start
WARNING: this is a gross guess and it may be best handled by you yourself!
WARNING: linux has at least two major variations in distributions in this area!
install the startup script (bin/ourmon.sh) in /etc somewhere for boot startup? [y] y
ourmon front-end install complete
ourmon front-end build worked
You should now run /opt/ourmon/mrourmon/bin/ourmon.sh to start ourmon
e.g., # /opt/ourmon/mrourmon/bin/ourmon.sh start
You can use ourmon.sh stop to stop ourmon
part 2: install the back-end, omupdate.pl, etc. (web part)? [y] y
Back-end configuration phase started
################################
We need a local web directory for generated web output.
hint: the webpath given here is a guess:
give the CORRECT base web directory with /ourmon at the end
enter absolute web server web path directory: [/var/www/apache2default/ourmon] /var/www/html/ourmon
your output web path is: /var/www/html/ourmon
Do you want to create the web directory for ourmon?
HINT: good idea if it doesn't exist. [y] y
mkdir: cannot create directory `/var/www/html/ourmon': File exists
cp bard/* /var/www/html/ourmon/bard
cp batchip.sh batchipall.sh omupdate.sh /opt/ourmon/mrourmon/bin
cp *.pl /opt/ourmon/mrourmon/bin
cp mklogdir.sh /opt/ourmon/mrourmon/bin
chmod +x /opt/ourmon/mrourmon/bin/*.sh
chmod +x /opt/ourmon/mrourmon/bin/*.pl
INFO only: also setting up logging directory (if needed)
creating log rrddata tmp dirs, if necessary, in /opt/ourmon/mrourmon
hit CR to continue:
If different, enter front-end output file directory absolute path: [/opt/ourmon/mrourmon/tmp]
probe output file path (back-end input/s) is /opt/ourmon/mrourmon/tmp
Now we copy supplied .html files to the web directory for later editing
do you want to copy base web files to the web directory? [y] y
INFO only: setting up local rrdbase directory at /opt/ourmon/mrourmon/rrddata
your runtime rrds get stored in this directory, along with the rrd error log file
if you create new BPF filters, check rrdbase/ourmon.log for errors.
hit CR to continue:
We need a UDP weight threshold for UDP scan alerts
what should be the weight (default is given): [10000000]
Install backend crontab commands in /etc/crontab (default answer y)?: [y] y
ourmon system config complete
see INSTALL for post-config sanity checking
[root@localhost mrourmon]# ls
ACKS CHANGES dumps INSTALL makeclean.sh README.bsd README.openbsd scripts tmp ubuntudep.sh VERSION bin configure.pl etc logs README README.linux rrddata src TODO uninstall.txt web.pages
[root@localhost mrourmon]# cd bin/
[root@localhost bin]# ls
batchipall.sh daily.pl logbackup.pl mklogdir.sh ombatchip.pl ombatchsyn.pl omupdate.sh ourmon.sh ssh.pl udpreport.pl batchip.sh irc.pl makebar.pl monbackup.pl ombatchipsrc.pl omupdate.pl ourmon sshdb.pl tcpworm.pl wormtolog.pl
[root@localhost bin]#
---------------------------------------------------

When in doubt, read the supplied INSTALL file at mrourmon/ as shown above. We can detect botnets from the GUI screen of Ourmon, which runs continuously. Reports are generated on a daily, weekly, monthly and yearly basis. Here are some screenshots of the results. Note that we are showing screenshots of a private network; in a real-world scenario the screenshots will differ, but the installation procedure and the way results are viewed remain the same.
Screenshots (image captions):

- The Ourmon Web Interface
- Ourmon Main Web Page: Summarizations
- TCP Anomaly Detection
- DNS RRDs
- Major L2 protocol Graphs
- ICMP and UDP Error Generation Page
- Top N TCP and UDP flows
- UDP Summarizations
- Base OS and Ourmon Directory Screenshots
Ourmon is a huge tool and can be used for multiple purposes. Users are encouraged to go through it carefully and discover its many interesting features. We can also see the evil channel sorts, which show us all four types of IRC messages (PINGs, PONGs, JOINs and PRIVMSGs). An IRC channel with more than a few clients that have high maxworm values can be a potential botnet channel. Also, a non-scanning host in an evil channel could be a botnet server.
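The evil-channel heuristic just described can be reproduced in a few lines. The following Python is an added example written for this page, not Ourmon's own code: it takes constructed IRC events of the kind a sniffer decodes from TCP payloads, together with constructed per-host SYN-scan counts standing in for Ourmon's per-host worm weight, and reports per channel the four message-type counts, the maximum scan score among its members, whether the channel qualifies as evil (at least two scanning members), and which non-scanning host the clients joined through, which is the likely C&C server. The channel names, addresses, thresholds and event layout are assumptions.

```python
from collections import defaultdict

# Constructed IRC events: (src_ip, dst_ip, command, channel). A probe would decode these
# from "JOIN #chan" / "PRIVMSG #chan :..." lines; PING and PONG carry no channel.
IRC_EVENTS = [
    ("10.0.0.5", "198.51.100.9", "JOIN", "#x4fz"),
    ("10.0.0.6", "198.51.100.9", "JOIN", "#x4fz"),
    ("10.0.0.7", "198.51.100.9", "JOIN", "#x4fz"),
    ("198.51.100.9", "10.0.0.5", "PRIVMSG", "#x4fz"),
    ("198.51.100.9", "10.0.0.6", "PRIVMSG", "#x4fz"),
    ("198.51.100.9", "10.0.0.7", "PRIVMSG", "#x4fz"),
    ("198.51.100.9", "10.0.0.5", "PING", None),
    ("10.0.0.5", "198.51.100.9", "PONG", None),
    ("10.0.0.20", "192.0.2.44", "JOIN", "#linux"),
    ("10.0.0.21", "192.0.2.44", "JOIN", "#linux"),
    ("10.0.0.20", "192.0.2.44", "PRIVMSG", "#linux"),
]

# Constructed per-host scan scores: TCP SYNs sent without a completed handshake in the
# sample period. This stands in for the "worm" weight Ourmon computes per host.
SYN_SCORES = {
    "10.0.0.5": 120, "10.0.0.6": 95, "10.0.0.7": 3, "198.51.100.9": 0,
    "10.0.0.20": 0, "10.0.0.21": 1, "192.0.2.44": 0,
}


def channel_report(events, syn_scores, worm_threshold=50, min_scanners=2):
    """Group hosts per IRC channel, attach each host's scan score, and mark channels
    where at least min_scanners members score above worm_threshold as evil. Within an
    evil channel, the hosts that clients JOINed through but that do not scan themselves
    are reported as suspected C&C servers."""
    members = defaultdict(set)   # channel -> every host seen on it
    servers = defaultdict(set)   # channel -> hosts that received the JOINs
    counts = defaultdict(lambda: {"PING": 0, "PONG": 0, "JOIN": 0, "PRIVMSG": 0})

    # Pass 1: membership from the commands that name a channel.
    for src, dst, cmd, chan in events:
        if chan is not None:
            members[chan].update((src, dst))
            if cmd == "JOIN":
                servers[chan].add(dst)

    # Pass 2: per-channel message counts; channel-less PING/PONG are attributed to the
    # channels either endpoint belongs to, which is how a per-channel view shows them.
    for src, dst, cmd, chan in events:
        targets = [chan] if chan is not None else [
            c for c, hosts in members.items() if src in hosts or dst in hosts]
        for c in targets:
            counts[c][cmd] = counts[c].get(cmd, 0) + 1

    report = {}
    for chan, hosts in members.items():
        scores = {h: syn_scores.get(h, 0) for h in hosts}
        scanners = sorted(h for h, s in scores.items() if s >= worm_threshold)
        evil = len(scanners) >= min_scanners
        report[chan] = {
            "members": sorted(hosts),
            "counts": counts[chan],
            "maxworm": max(scores.values()),
            "scanners": scanners,
            "evil": evil,
            "suspected_servers": sorted(
                h for h in servers[chan] if scores[h] < worm_threshold) if evil else [],
        }
    return report


if __name__ == "__main__":
    for chan, info in channel_report(IRC_EVENTS, SYN_SCORES).items():
        print(chan, info)
```

In the constructed data the channel with two heavy scanners is marked evil and its quiet server address falls out as the suspected C&C host, while the ordinary channel with non-scanning members is left alone; tune worm_threshold to the SYN rate that is abnormal on your own network rather than keeping the assumed value.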
Further Reading

1. "Ourmon and Network Monitoring Performance", James Binkley, Bart Massey, April 2005 Freenix/USENIX paper
2. "Anomaly-based Botnet Server Detection", James R. Binkley, Computer Science, PSU, FLOCON CERT/SEI, Vancouver WA, October 2006.
3. "Traffic Analysis of UDP-based flows in Ourmon", Jim Binkley and Divya Parkeh, FLOCON CERT/SEI 2009, Phoenix, Arizona.

Documentation

1. http://sourceforge.net/projects/ourmon/
2. http://ourmon.sourceforge.net/

Ashis Dash
ashisdash1@gmail.com
Ashis is a network programmer, blogger and open source software advocate. He works extensively on Layer 2/Layer 3 switches and routers. His areas of interest include network security, shellcode and buffer overflow techniques.
What are Botnets?

Introduction

Recently, Indian cinema experienced an unusual phenomenon of technology and imagination: "Ro'bot's". The superstar of the south was again at his best, and we could see an excellent combination of talent and technology. But have you ever wondered, if this were to happen for real, what were the things we saw that had unusual strength? How could they just become "1-2-ka-4" in number (or even more)? Execute the orders given to them with the greatest accuracy? Re-evolve even after destruction? Well, this is a scenario we might face in the near future, made possible by the evolution of a current technology called "Bots" or "Botnets". So what exactly are bots/botnets? Before we look at botnets, one needs to have an insight into the category to which they belong: malware.

Malware is any malicious computer program which intentionally or unintentionally causes harmful, irritating or unrecoverable damage to one's computer systems. There are various types into which malware can be categorised, viz.:

- Viruses: file infectors, inserting/appending code into the original code, which executes when the file is accessed.
- Worms: self-replicating programs which propagate through networks.
- Trojans: programs which disguise themselves as normal programs but steal/sniff the victim's data and send it to the attackers/infectors.
- Rootkits: a sophisticated malware category, built to be stealthy against detection and to perform maximum damage.
- Spyware: fake copies of original programs which are not harmful in themselves but are disguised to open backdoors into the system for further attacks.
- Ransomware: normally termed spyware, but used specifically for money laundering and economic fraud.

And of course, the newly evolving technique of Bots/Botnets.
So what exactly are Botnets?

A bot is a single system infected with malicious software/code, and a collection of bots forms a botnet, which is controlled by the commands of the botnet controller. This description contains some specific terminology which needs to be understood in order to understand the working of botnets. A botnet starts with malicious code written by the attacker. The attacker infects a single system/server with the code; this in turn is used by the attacker as the Command and Control (C&C) center for further infection. The attacker here is often termed the "Botmaster".

The Botmaster tries to install the malicious code on users' systems by wooing them into accessing/downloading a fake file. Once a system is infected with the code, it tries to infect other systems connected to it. The infected systems are known as "Zombies". Thus the infection spreads exponentially across computer systems and an army of zombies is created. All the zombies are connected to the attacker through a Command and Control center (C&C), and the attacker can send any commands to all the systems to which a connection has been established. All this happens with absolutely no knowledge on the part of the user.

When a botnet is being considered, some of the important aspects involved are:

- Botnet Control Methodology
- Zombie Control Techniques
- Propagation Techniques
- Target Exploits and Attack Techniques
- File Delivery and Deception Strategies used

All the above points define the architecture of a botnet.

Botnet Control Methodology: When an attacker writes code to deploy a botnet, the attacker first needs a control mechanism to find victims, deploy the botnet and keep control of the infected systems. When botnets were first deployed, the only mechanism used was Internet Relay Chat (IRC) servers. IRC servers were one of the most vulnerable and easy-to-use control mechanisms used by attackers to start a botnet. Attackers would set up an IRC server and woo users into joining it. Once a user joins in, the attackers infect his/her system and deploy their stub for the botnet. Thus the infected system is turned into a zombie. Most of the botnets analysed to date have used an IRC-based C&C mechanism, e.g. SDBot, Agobot, etc. But to create more sophisticated botnets, attackers have already slowly moved on to P2P services, Dynamic DNS services, HTTP C&C, etc. One of the major advantages of these is that many organizations may not allow IRC connections into their network, but almost all allow services like HTTP.

Zombie Control Mechanism: To control the zombies, the attacker decides on his own commands and protocols. Using these, attackers control the infected systems (zombies). Many known bots have their own set of commands to change passwords, download a file to the victim's computer, upload the victim's logs and gather the victim's sensitive information. Attackers change passwords and deploy a backdoor so that access can be maintained the next time. Attackers disable the antivirus software in order to avoid detection and removal from the system.

Propagation Techniques: As mentioned earlier, once a system is infected with the botnet, it can itself infect other machines connected to it. For example, if one system gets infected, it tries to infect other systems connected to it; there are now two systems spreading the botnet, and so the botnet spreads exponentially. (Remember the movie scene where the snake-like thing spirals out from nowhere.) Attackers use different mechanisms for propagation. They send emails to users asking them to click on a malicious URL or to download a greeting/joke file. Automated code tries to perform a vertical or horizontal scan to find open ports on a single address or across a range of addresses.

Target Exploits and Attack Techniques: Most of the systems which fall prey to botnets are unpatched systems. Attackers try to exploit known vulnerabilities of a system. A specific botnet can be designed to exploit a specific vulnerability; in such cases the attacker only changes the malware it drops onto the victim's system. These kinds of botnets have the same basic architecture and hence are variants of their predecessors.

File Delivery: By now it is quite clear that every botnet involves some kind of malware which is deployed onto the victim machine. When a system has been compromised, the attacker acquires sufficient rights and sends/downloads malware onto the victim machine. The attacker may use utilities provided by the IRC server for download/upload purposes, or may use HTTP/FTP protocols to send/receive files, depending on the system's vulnerabilities.

Deception Strategies: For a long time IRC-based bots could be used to build a botnet without anything stopping them. But with the increase in awareness about botnets, it has become easier to detect compromised machines. Hence attackers have started to come up with more and more sophisticated techniques to avoid detection. Common methods used are:

- disabling any AV programs found on the systems,
- disguising as a legitimate program,
- deleting system logs, etc.

Now attackers are even trying to hide in a system using rootkit technology. Rootkits are the stealthiest and least detectable malware, and attackers have been trying to incorporate this kind of technology to avoid detection.

All work and no play makes Jack a dull boy: with all its strategies, techniques and spread, what does a botnet do? Typically botnets evolved as a way to demonstrate the programming skills of their creators. But with technological advances, botnets are now a lethal weapon for cyber criminals and hackers. Botnets are now used for:

- DDoS
- Spamming
- Phishing
- Financial frauds
- Identity theft
- Cheating in online games/polls
- Click frauds
- Espionage

Botnets cause a significant amount of loss to any organization which has been plagued by one. Once a system/network gets infected by a botnet, it no longer belongs to the user/owner: the attacker can have full control of the system and can perform all kinds of malicious activities using it. If the current scenario of terrorism is taken into consideration, botnets can be an important weapon for affecting a country's stability and infrastructure. According to recent observations, around 10000 bot nodes are created per hour. Also, as stated in the Wikipedia page for Botnet, up to one quarter of all personal computers connected to the internet may be part of some botnet or other. There have been many attempts to bring down as many botnets as possible. But as the old saying goes, "Prevention is better than cure": it is always better to avoid getting infected than to detect and remove an infection afterwards. You never know how much damage has been done by the time it is detected.

- Standard methods of computer security should be strictly followed in an organization.
- Keep users well acquainted with the best security practices to follow at the workplace.
- Even though content security products like AVs, IDS and IPS may not be able to detect newly emerging threats, it is still best practice to keep them updated.

And of course, "Patch!" "Patch!" "Patch!"

Pushkar Pashupat
push.pashupat@gmail.com
Pushkar, aka push, is a security evangelist working with a content security and anti-virus product company.
About Information Warfare: new rules for a new world

Introduction

During my presentation at Club Hack Conference on day 2, the one named "Cybercrime, CyberWar, Information Warfare: what's this all about, from a Hacker's perspective? New rules for a new world", I've noticed a deep interest by the audience.

All of the delegates, no matter if operating in the InfoSec industry or in Military environments, attended this presentation with a high and true interest, possibly due to the topic and keywords of the talk itself.

I have designed the slides along with Mr. Jart Armin, RBN exploit and Hostexploit.com founder and among the world's top experts on RBN, the infamous Russian Business Network we're used to hearing about. Besides being a wonderful person and a highly-skilled professional, Jart belongs to an international network of experts, closely working with Law Enforcement and the IT Industry while fighting cybercrime every day. Summing up our backgrounds, we have been able to develop this very first presentation on such topics, bridging both experiences and contacts, in order to build something new, aiming to bring a totally new approach to the subject. Given the amount and nature of feedback, both onsite (after my talk) and those emails I've received, I may definitely say that we've been able to reach the goals :)

Reasons to speak about Information Warfare from a hacker's perspective

After 9/11, the IA (Intelligence Agency) world started to "hunt" for hackers, meaning that they made their very first move into the digital underground, looking for hacking resources to be hired, with specific goals.

At the beginning, the US Government was informally seeking hackers, in order to attack and/or infiltrate Al Qaeda's communication network. I do remember requests related to hacking into Thuraya (http://www.thuraya.com/), a Middle-East based satellite operator.

Analyzing the nutshell

Intelligence gossip at that time was claiming that Al-Qaeda's members were seen while using Thuraya phones, and obviously this may have led IAs to imagine a scenario in which, if somebody had been able to obtain both CDRs and satellite information of specific Thuraya users, then, by analyzing and correlating those data, the war against one of the main actors in worldwide terrorism could have been won. Then the time passed by, and no more requests of "on-demand" hacking into Thuraya's network have been made to the world's most notorious, old-school hackers, at least as far as I know. During 2002 and 2003 though, those guys witnessed a huge escalation of different requests, this time coming from US and Israel based IAs. These agencies were asking for 0-days, probably to be used in specific scenarios. Also, a few people got "softly detailed" requests to run black operations (hacking attacks for Intelligence purposes). 2005 saw the official claim of attacks pointing to China as their source, and popped up the very big issue of the Source of the Attack, or Attack Source Attribution, that's still pending today. Finally, since 2008 up to now we started being aware of National Critical Infrastructures (NCIs) and the issues met while trying to secure them, summed up to the very deep link with SCADA and Industrial Automation (IA) security.

If we take a look at the wonderful graph made by the folks at Hostexploit.com, we'll notice how all of the above I've written in this article perfectly fits the reality of facts and what effectively happened. While the 2000-2003 period has been for testing purposes, during 2003 and 2004 we can see the extortion approach rising, which would explain and justify USA and Israel IAs (namely, just the "tip of the iceberg") possibly seeking e-weapons. Then, all of this leads us to 2005 and 2007, where I can see a deep, highly-shaken mix between the China attacks and the "botnets for hire" boom, while not forgetting about what happened in Estonia (2007) and Georgia (2008). The last three years made all of us see the botnet concept nicely applied both to Cybercrime and Information Warfare environments, while affairs such as Vodafone Greece (2004/2005), the Telecom Italia "Tiger team" scandal (2003/2005), Stuxnet (June 2010) and Israel vs Lebanon & Egypt (December 2010), not to speak of the Wikileaks (and CableWeaks) one, definitely helped us at drawing the big picture and realizing what this is all about. Today's trends see IAs and MoDs deeply scouting hackers' environments and the underground, hiring specialized know-how for mission-oriented capabilities, such as a 0-day e-arsenal, launching cyber attacks, protecting National Security, rather than relying on the Industry and the Underground and Public communities in order to analyze malware and obtain early warning, alerts, statistics and malware trends.

So, during the very next years we will hear about a few new terms, such as Next Generation Cybercrime (NGC) and Next Generation Warfare (NGW), along with the evergreen Cyberwar and Information Warfare.

From Cybercrime to Information Warfare, through Industrial Espionage
Deep links do exist between Cybercrime and the concept itself of Information Warfare. This happens because today's information is digitally stored, parked on hard drives rather than on-line, from virtual hard drives to social networks, passing by the Cloud. So, we just said that this information is digital. This means, beside the media where it is stored, that it stays in a file: it could be an email file, an Excel or Word document, a PDF or a PowerPoint presentation, an OpenOffice document, a simple text (txt) note. But it's still a file, whose security relies on the operating system of the computer storing it, rather than on the whole context and scenario around it: server farm rather than home users, so to speak. This is one of the main reasons why Industrial Espionage incidents rose drastically in the last 20 years, thanks to the Digital Revolution, and to IT and TLC resources and chances. In both cases we find "instruments" like botnets, DDoS tools, 0-days and so on that, depending on the scenario itself, can be labeled as "cybercrime tools" or "e-weapons". While the Underground Economy business model is indeed a wonderful and exciting study, it's my opinion that what we should learn, and apply to our needs and scenarios, from the cybercrime environment is mostly the technical-related part. Analysing the "life" of botnets, rather than reverse engineering the latest malware and 0-day exploited vulnerabilities, may lead us to a totally new world and perspectives, where the concept of electronic weapons to be applied and used in Information Warfare scenarios becomes totally true. We will witness an escalation of digital attacks, where some of them will become
public while others will not. The recent NATO interest shown in Lisbon a few weeks ago is an important sign: "in case of cyberattacks on a NATO Member, the other Members should support and help the State under attack". This means really a lot, and automatically includes perspectives such as Information Sharing, CERT (Gov and Mil ones, mainly) involvement, Incident Management, a Coordination Center, and establishing defined Points of Contact among all the Members, as well as defining the Chain of Cyber Command and how it will interlink and interact with the outside. Because the threat is global, just as the cybercrime is borderless.

What's already happening?

Nikolai Kuryanovich, former speaker at the Duma, back in 2007 made a very strong but visionary statement: "In the very near future, many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers... This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces." Nowadays many States have already begun, through their Ministry of Defence, to work on topics such as an Official Cyber Doctrine, Cyberwarfare Training, Cyberwarfare exercises and simulations, building an IT roadmap (from a military and National Security point of view), working as well with the IT industry and technical universities (see Malaysia, China and many others), establishing Information Warfare units and, obviously, starting to keep record of hacking activities on other Nations.

It's not a futuristic scenario; here we are talking about something that already happened a long time ago. It was in the middle of the 80's when CCC members Hagbard and Pengo used to hack into Government and Military contractors, as well as centers and research labs, in the USA, giving back the results of their hacks to the KGB and receiving money and facilities from them. Hagbard was found dead, hanged from a tree outside the town he was living in, and burned. Vodafone's Head of Network Design, possibly involved in the 2005 Vodafone Greece affair, was found dead by suicide. The same for Adamo Bove, working at Telecom Italia's Lawful Interception System. And the same recently happened to Majid Shahriari in Iran, and everything seems to be related to the Stuxnet worm (http://www.debka.com/article/20406/).
It's out there, right now. No, we are not talking about a Hollywood movie, though it would be a great screenplay. This is reality. It's a paradigm shift, where the classical war between armies has reached its long-term apogee, and a new paradigm recently started. So, the "good & old" Menani's scale on cyberconflicts, rising from Cybervandalism to Internet crime, Cyberespionage, Cyberterrorism and Cyberwar, will sadly need to be "enhanced": new rules for a new world.
Note from the Author

In this article I have reported information that has been gathered from personal experience and a network of contacts: nevertheless, everything I am stating here is "suspected to be so", meaning speculations and possible scenarios. Also, I have to underline that the views expressed are those of the author(s) and speaker(s) and do not necessarily reflect the views of UNICRI or other United Nations agencies and institutes, nor the view of ENISA and its PSG (Permanent Stakeholders Group).

About the Author

Raoul "Nobody" Chiesa is 36 years old and lives in Turin, Italy. At UNICRI (United Nations Interregional Crime & Justice Research Institute) he's a Senior Advisor on Cybercrime and manager for Strategic Alliances. Raoul is also a member of the ENISA (European Network Information & Security Agency) Permanent Stakeholders Group (PSG) and a recognized international security expert, running his own independent security consulting companies, @ Mediaservice.net (a Security Advisory company) and @ PSS (Digital Forensics consulting). He can be contacted at chiesa [at] UNICRI [dot] IT
Botnet attacks and the Law

Introduction

A botnet (a contraction of the term "RoBOT NETwork") is a computer network made up of a vast number of compromised computers that have been infected with malicious code, and can be remotely controlled through commands sent via the Internet. Typically, users whose computers have been conscripted into a botnet are unaware that their computers have been compromised. A computer so affected is called a "Zombie".

Case Study

Siddarth, a skilled programmer, creates a malicious code and releases it on the internet. It compromises a vast number of computers and causes a loss worth millions of dollars.

The Law

Applicable Sections: Sections 43, 66 and 66(A) of the Information Technology Act and Section 426 of the Indian Penal Code.

Sec. 43

If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,— (c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; he shall be liable to pay damages by the way of compensation to the person so affected.

Explanation — for the purposes of this section,— (i) "Computer Contaminant" means any set of computer instructions that are designed— (a) to modify, destroy, record, transmit data or program residing within a computer, computer system or computer network; or (b) by any means to usurp the normal operation of the computer, computer system, or computer network;

Sec. 66

Any person "dishonestly" or "fraudulently" – (c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; he shall be liable for an imprisonment which may extend up to 3 years and a fine up to Rs. 5 lakh.

For the purpose of this Section, the word "dishonestly" shall have the meaning assigned to it in Section 24 of the Indian Penal Code, i.e.: "Whoever does anything with the intention of causing wrongful gain to one person or wrongful loss to another person is said to do that thing 'dishonestly'." The word "fraudulently" shall have the meaning assigned to it in Section 25 of the Indian Penal Code, i.e.: "A person is said to do a thing fraudulently if he does that thing with intent to defraud but not otherwise."

Sec. 66A

Any person who sends, by means of a computer resource or a communication device— (a) any information that is grossly offensive or has menacing character; or (b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device, (c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages, shall be punishable with imprisonment for a term which may extend to three years and with fine.

Sec. 426 of Indian Penal Code

Punishment for mischief: Whoever commits mischief shall be punished with imprisonment of either description for a term which may extend to three months, or with fine, or with both.

Additionally, provisions are also made in Sec. 66F (Cyber terrorism) and Sec. 69B (Power to authorise to monitor and collect traffic data or information through any computer resource for cyber security) regarding the introduction, intrusion and spread of Computer Contaminants.

Sagar Rahukar sr@asianlaws.org Sagar Rahukar, a Law graduate, is Head (Maharashtra) at Asian School of Cyber Laws. Sagar specializes in Cyber Law, Intellectual Property Law and Corporate Law. Sagar also teaches law at numerous educational institutes and has also trained officials from various law enforcement agencies.
Who is leaving my home?

Introduction

The whole team came to me and said this issue will have to be on BOTNET only. They gathered articles in all sections related to the same topic & now it was my responsibility to make "Command Line Gyan" on the related topic. So finally I decided to give you a closer look at my good old cross-platform friend 'netstat'. There is a reason why I chose 'netstat': this would give you an idea and help you keep an eye on outgoing connections & monitor whether your machine is a part of a botnet or not. You can say that my antivirus is up-to-date and it will take care of the same, but having said that, are we sure all the malware are caught by 'my' antivirus? Am I sure my Linux box doesn't have a malware which is leaving me vulnerable to this? And that's where our friend 'netstat' comes in handy, but we'll take a different approach to using it this time.

Windows

Although again we are dividing this article into Windows vs Linux subsections, remember most of the commands will work on both the OSs. All you have to be careful with is the additional tools you are using to filter results. To start with, we'll see on how many ports my machine is listening for a connection:

C:\> netstat -na | find /i "Listening"

This will give you a list of ports on your machine which are in listening mode. Make sure you check the reason behind each, to be sure which application has opened that port. You may want to use the switch -o to see the PID of the process which has opened the port:

C:\> netstat -noa | find /i "Listening"

Now how can you check which application that PID belongs to? For that use WMIC:

C:\> wmic process where processid="pid" list full

This will tell you the process with your chosen PID. You may also try other switches of netstat like:

-b = display the executable name responsible for the connection (needs an administrator prompt)
-p = specific protocol
-o = display process ID
-a = display all
-n = display IP only and not the FQDN

But the most interesting you'll find is using a continuous netstat to keep looking at the results:

C:\> netstat -na 5

This will keep checking the result of "netstat -na" every 5 seconds. You may choose your own time interval and make a script out of it. For more work on netstat there is an interesting but more difficult way in Microsoft PowerShell, but we'll keep that out of this article.

Linux

For Linux more or less all the parameters are the same. You may want to try the same commands on Linux too. Remember, the parameters for netstat are the same, not the other executables. For example, the first example in Linux will become:

# netstat -na | grep -i "listen"

Aah! I hate & love the case sensitivity of the Linux environment. And that's why we use -i to ignore case while searching and use only "listen" in the filter, as it may differ among various Linux flavors. I know Linux users are geeks themselves, so this article was just a reminder: don't forget your friend netstat, keep using it.
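An added example (not from the column) that turns the workflow above into the cross-platform script the author suggests: it parses netstat output in both the Windows (`-o` PID column) and the Linux (`-p` PID/Program column) layout, lists the listening sockets, and polls like `netstat -na 5` but reports only the ESTABLISHED peers that were not in the previous snapshot. The sample snapshots and their addresses are constructed; `watch()` assumes a `netstat` binary on the PATH (on Linux, `-p` shows other users' PIDs only when run as root).

```python
"""Added example: parse `netstat -na` output in both the Windows and the Linux layout,
list listening sockets, and report ESTABLISHED peers absent from an earlier snapshot."""
import subprocess, sys, time

def parse_line(line):
    """Return (proto, local, remote, state, pid) for a socket line, else None."""
    t = line.split()
    if len(t) < 3 or t[0][:3].lower() not in ("tcp", "udp"):
        return None                      # header, blank or "Active ..." line
    if len(t) >= 5 and t[1].isdigit() and t[2].isdigit():
        del t[1:3]                       # Linux layout: drop Recv-Q / Send-Q
    proto, local, remote, state, pid = t[0][:3].lower(), t[1], t[2], "", ""
    for tok in t[3:]:
        if tok.isdigit():                # Windows -o: bare PID column
            pid = tok
        elif "/" in tok and tok.split("/")[0].isdigit():
            pid = tok.split("/")[0]      # Linux -p: "812/sshd"
        elif tok != "-":                 # Linux prints "-" when the PID is hidden
            state = tok.upper()
    return proto, local, remote, state, pid

def records(output):
    return [r for r in map(parse_line, output.splitlines()) if r]

def listening_ports(output):
    """(proto, local address, pid) for every LISTEN / LISTENING socket."""
    return [(r[0], r[1], r[4]) for r in records(output) if r[3].startswith("LISTEN")]

def new_peers(baseline, current):
    """ESTABLISHED remote peers in `current` that were absent from `baseline`."""
    peers = lambda out: {r[2] for r in records(out) if r[3] == "ESTABLISHED"}
    return sorted(peers(current) - peers(baseline))

def snapshot():
    """Run the local netstat with PID output (-o on Windows, -p on Linux)."""
    cmd = ["netstat", "-nao"] if sys.platform.startswith("win") else ["netstat", "-nap"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def watch(interval=5):
    """Like `netstat -na 5`, but prints only peers that appeared since the last poll."""
    base = snapshot()
    while True:
        time.sleep(interval)
        cur = snapshot()
        for peer in new_peers(base, cur):
            print("new outbound peer:", peer)
        base = cur

# Constructed sample snapshots (not real captures), Windows and Linux layouts.
WIN_BASE = ("  Proto  Local Address          Foreign Address        State           PID\n"
            "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896\n"
            "  TCP    192.168.1.10:49212     93.184.216.34:443      ESTABLISHED     2312\n")
WIN_NOW = WIN_BASE + "  TCP    192.168.1.10:49300     203.0.113.5:6667       ESTABLISHED     4120\n"
LNX = ("tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd\n"
       "tcp        0      0 10.0.0.5:41022          203.0.113.5:6667        ESTABLISHED -\n")
```

Running `watch(5)` from an interactive session gives the same view as `netstat -na 5`, minus everything you already knew about; a peer that shows up and stays is the one to look up with `wmic` or `netstat -p`.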
Rohit Srivastwa rohit@clubhack.com