Another "Cat and Mouse fight" or... Tracking down a botnet

Old 10-30-2009

A while ago the company I work for was hired for a Telecom company to secure their data centers.

During the initial gap analysis phase, the backbone was hit by a DDoS attack and of course we were assigned to try to help.

The interesting thing about this case is that we acted on a "happening now" scenario instead of the regular "post mortem" case.

The Evidence: This is a botnet!!!

Just to baseline everyone

What is a botnet?

From Wikipedia:
Botnet is a jargon term for a collection of software robots, or bots, that run autonomously and automatically. The term is often associated with malicious software but it can also refer to the network of computers using distributed computing software. While botnets are often named after their malicious software name, there are typically multiple botnets in operation using the same malicious software families, but operated by different criminal entities.

While the term "botnet" can be used to refer to any group of bots, such as IRC bots, this word is generally used to refer to a collection of compromised computers (called Zombie computers) running software, usually installed via drive-by downloads exploiting Web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure.

Continuing...

We deployed a traffic analysis tool to monitor all traffic at one BRAS aggregation; we could see hundreds of requests going to http://www.cvsr.ru .

We checked the DNS server responses (A records) and we saw several different DNS servers answering the requests. We checked some of those and we realized they were all non-updated BIND servers and all of them were poisoned.

Checking the website www.cvsr.ru using a Virtual Machine, we verified that a JavaScript redirects the user to http://kodj.ru/cgi-bin/index.cgi?add where finally a client-side exploit was executed.

Then, we saw that the now zombie machine started to send UDP traffic (port 3074) to different servers (round robin) with a specific payload, and finally, when a response was issued, the infected machine started to send HTTP traffic to a website in Europe. We saw (I repeat) thousands of requests of this type on the backbone at only one aggregation point, so if we extrapolate this data and imagine an entire backbone with millions of subscribers connected... How many of them were zombies? And in the entire world...?

"This thought really scared me..."

Conclusion

With this information we were able to deploy appropriate ACLs in their distribution/border routers to block the UDP traffic and also to block the botnet master servers' network. This action greatly reduced the amount of malicious traffic on the backbone.

Finally we coded a signature to be deployed on their IPS to block the server-zombie payload, to at least keep this botnet from continuing to spread itself on this network.

We also recommended the purchase of a specific Denial of Service Detection/Mitigation solution that can help administrators a lot in this tough task.

I'll talk further about DDoS Mitigation Devices in a future post.

Best Regards
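The beacon pattern the post describes (UDP to port 3074 against several servers in round robin, then HTTP out to a web server) can be picked out of aggregation-point flow records. The script below is an added example, not the poster's tooling: it runs over a constructed flow log and flags sources that talk to at least a threshold number of distinct servers on that UDP port, noting whether an HTTP flow followed. The threshold, the record format and the sample IPs are assumptions.

```python
"""Flag hosts showing the beacon pattern described in the post: UDP to port 3074
against several different servers (round robin), then HTTP to a web server.
Input is a simplified flow log; the sample below is constructed, not real data."""
from collections import defaultdict
from datetime import datetime

BEACON_PORT = 3074        # UDP port observed in the post
MIN_DISTINCT_SERVERS = 3  # "round robin" threshold (assumption, not from the post)

# Constructed flow records "timestamp src dst proto dport" (documentation IP ranges)
SAMPLE_FLOWS = """\
2009-10-30T10:00:01 192.0.2.10 198.51.100.1 udp 3074
2009-10-30T10:00:02 192.0.2.10 198.51.100.2 udp 3074
2009-10-30T10:00:03 192.0.2.10 198.51.100.3 udp 3074
2009-10-30T10:00:09 192.0.2.10 203.0.113.7 tcp 80
2009-10-30T10:00:11 192.0.2.20 198.51.100.1 udp 3074
2009-10-30T10:00:12 192.0.2.20 203.0.113.7 tcp 80
2009-10-30T10:00:15 192.0.2.30 203.0.113.9 tcp 80
2009-10-30T10:00:16 192.0.2.40 198.51.100.1 udp 3074
2009-10-30T10:00:17 192.0.2.40 198.51.100.2 udp 3074
2009-10-30T10:00:18 192.0.2.40 198.51.100.3 udp 3074
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)))
    return flows

def find_beacon_hosts(flows, port=BEACON_PORT, min_servers=MIN_DISTINCT_SERVERS):
    """Return {src: {"servers": [...], "http_after": bool}} for hosts that sent UDP
    to >= min_servers distinct servers on `port`; http_after marks a later HTTP flow."""
    udp_targets = defaultdict(set)
    last_udp = {}
    http_after = set()
    for ts, src, dst, proto, dport in sorted(flows):
        if proto == "udp" and dport == port:
            udp_targets[src].add(dst)
            last_udp[src] = ts
        elif proto == "tcp" and dport == 80 and src in last_udp and ts > last_udp[src]:
            http_after.add(src)
    return {src: {"servers": sorted(t), "http_after": src in http_after}
            for src, t in udp_targets.items() if len(t) >= min_servers}

if __name__ == "__main__":
    for host, info in find_beacon_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(host, info)
```

Hosts that only hit one UDP server or only send HTTP are left alone, so the flagged list is what you would feed into the ACL and IPS work the post describes rather than a list of every subscriber.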
