
Croatia Botnet

Shannon Ortiz, Director of IT Security

Fordham University

FORDHAM UNIVERSITY

THE JESUIT UNIVERSITY OF NEW YORK

What is a Croatia Botnet?

Croatia: officially the Republic of Croatia, a country in Central Europe and Southeastern Europe at the crossroads of the Pannonian Plain, the Balkans and the Adriatic Sea.

Botnet: a collection of software agents, or robots, that run autonomously and automatically. The term is most commonly associated with malicious software, but it can also refer to a network of computers using distributed computing software.

Croatia Botnet: a botnet with its command and control center in Croatia that crippled the Fordham University Internet link in May 2010.

Fordham IT 2 July 2010

What happened BEFORE the attack?

Several incidents of unexplained network anomalies

• May 20th, 2010 – 1:30 p.m. Duration: 10 minutes

• May 21st, 2010 – 3 occurrences between 1:00 p.m. – 2:00 p.m.

• May 25th, 2010 – 3:55 p.m. Duration: 5 minutes

Degradation of Lincoln Center Internet link

Slowness to and from Lincoln Center

Excessive connections (200,000+) on the firewall

Firewall CPU pinned at 100%

Dropped packets

Rose Hill Intermapper showed all Lincoln Center Devices down


Was that the attack? Not exactly…

The events of May 20th – 25th may have just been tests

The actual attack started on May 26th, 2010 ~9:30 a.m.


Who was doing what & what was found?

Network and Computer Services were working together very closely, looking at:

• Network switches and routers

• Firewalls

• XO (LC Internet link)

• New BGP routers

Each incident exhibited the same behavior

UISO was approached by Frank Sirianni at 12:30 p.m. on May 26th

The link to XO at Lincoln Center was disabled

All bad traffic was redirected to Rose Hill (not an LC problem)


What happened next?

David Whitney relayed his suspicions of an “attack” to the UISO

Using OmniPeek we were able to identify a “top talker”

A rule was pushed on the firewall to block this top talker but the firewall could not handle the load

A decision was made to disable the RH link while a solution was found – all internal traffic was working fine

Around 2:00 p.m. the idea to block the top talker was discussed and implemented

• A QoS policy was set to direct all traffic destined for the top talker to 127.0.0.1 (localhost). In other words, all traffic was dead-ended on the infected machines themselves

Attempts to block at our ISP took too long and ultimately would be costly


Tell me more about this top talker

A 31.18-minute capture of traffic on the RH Internet link revealed an IP that used 86% of the bandwidth during that time

A lookup of that IP address, 85.94.76.155, showed the origin to be Croatia

Historically, MANY cyber attacks have come from countries like Croatia, China, Russia, Ghana and Ukraine

Remember, we’re paranoid, and sometimes we’re right

48 IP addresses were found to be communicating with this address

Most of the traffic was large in size and encrypted – what does that mean for us?
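A small model of the top-talker analysis described on this slide, added here as an example and not part of the original presentation: it sums bytes per external address over a capture window, picks the one with the largest share of the link, and lists the internal hosts that talked to it (the machines to isolate and scan). The flow records are constructed, the internal range 10.0.0.0/8 is an assumption, and the external address is the one named on the slide.

```python
"""Top-talker analysis over a window of flow records (added example, not from the Fordham
presentation). Flows are (src_ip, dst_ip, bytes); data is constructed, 10.0.0.0/8 is assumed."""
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: campus address space

# Constructed flows: one external address dominates and three internal hosts talk
# to it; the rest is ordinary traffic to documentation-range addresses.
SAMPLE_FLOWS = [
    ("10.0.1.10", "85.94.76.155", 6_000_000),
    ("85.94.76.155", "10.0.1.10", 1_500_000),
    ("10.0.2.20", "85.94.76.155", 5_000_000),
    ("10.0.3.30", "85.94.76.155", 4_500_000),
    ("10.0.1.10", "198.51.100.7", 1_000_000),
    ("10.0.4.40", "198.51.100.7", 1_000_000),
    ("203.0.113.9", "10.0.4.40", 1_000_000),
]

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET

def bytes_per_external_ip(flows):
    """Sum bytes in both directions for every external address seen in the window."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        for ip in (src, dst):
            if not is_internal(ip):
                totals[ip] += nbytes
    return dict(totals)

def top_talker(flows):
    """Return (external_ip, share_of_link_bytes) for the busiest external address."""
    totals = bytes_per_external_ip(flows)
    link_bytes = sum(nbytes for _, _, nbytes in flows)
    ip = max(totals, key=totals.get)
    return ip, totals[ip] / link_bytes

def internal_peers(flows, external_ip):
    """Internal hosts that exchanged traffic with external_ip: the machines to isolate and scan."""
    peers = set()
    for src, dst, _ in flows:
        if src == external_ip and is_internal(dst):
            peers.add(dst)
        elif dst == external_ip and is_internal(src):
            peers.add(src)
    return sorted(peers)

if __name__ == "__main__":
    ip, share = top_talker(SAMPLE_FLOWS)
    print(f"top talker {ip} used {share:.0%} of link bytes; peers: {internal_peers(SAMPLE_FLOWS, ip)}")
```

On real data the same three functions run over NetFlow or packet-capture summaries exported from the firewall or a tool such as OmniPeek; the share threshold at which a single external address becomes suspicious is a local decision.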


What was done next?

Each IP owner and location was identified

Each port was disabled from the network

Every machine was scanned and cleaned

All results were filtered through the UISO and approvals were given to re-activate the network connections

But not always turned back on…

Machines that turned up negative results were rescanned by request of the UISO BUT this time with additional tools

EVERY identified machine was infected with a Trojan (harmful software disguised to look legitimate, e.g. Trojan.FakeAV)

Once reported back clean, approval was given to re-activate the network connections


We are done!... Or are we?

Not quite.

What have we learned?


Lessons Learned


The UISO needs to be involved earlier

We need more Defense-In-Depth

• We need to re-evaluate our EndPoint Security

• Symantec alone is NOT sufficient

• Different tools or additional tools are a MUST

– We ended up using MalwareBytes, IObit Security 360 and ComboFix (all free tools)

Need EndPoint Remediation Tools (scan, detect and clean)

IDS/IPS will help

More central logging and a Security Event Manager may help with event correlation

Desktops are just as important as our servers

Vulnerability assessments are required for our desktops

Key Lesson Learned


Need an Internal Incident Response Plan

• One with better ground rules to react

• Pre-arranged communication plans

• Codification of standard operating procedures for incident handling

Please remember to follow the documented Fordham Incident Response Plan vetted by the ISAB and Legal Counsel

Botnet Motivation


$$$$ Money, Money, Money $$$$

According to Verisign iDefense, botnet rentals start at $8.94 and average $67.20 for a 24-hour rental.

http://www.zdnet.co.uk/news/security-threats/2010/05/25/botnet-price-for-hourly-hire-on-par-with-cost-of-two-pints-40089028/

Three non-skilled programmers were the “hackers” behind the Mariposa 12.7 million PC botnet which infected ½ of the Fortune 1,000 companies and more than 40 banks. The worm was spread via removable drives, MSN Messenger and peer-to-peer programs and targeted XP and older machines.

http://www.zdnet.co.uk/news/security-management/2010/03/03/mariposa-botnet-spain-makes-three-arrests-40067866/


Let the UISO help, get us involved… EARLY!

If you see something… say something!!!

Let us accept the responsibility and be the goons.

If you’re not sure ask us.


Factoids (Did you know 37% of statistics are made up?)

Key highlights of the Secunia Half Year Report 2010 are:

Since 2005, no significant upward or downward trend has been observed in the total number of vulnerabilities in the more than 29,000 products covered by Secunia Vulnerability Intelligence.

A group of ten vendors, including Microsoft, Apple, Oracle, IBM, Adobe, and Cisco, account on average for 38 percent of all vulnerabilities disclosed per year.

In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010 to 760.

During the first six months of 2010, 380 vulnerabilities were recorded, already 89% of the figure for all of 2009.

A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010.

http://secunia.com/gfx/pdf/Secunia_Half_Year_Report_2010.pdf


Think I’m kidding?

Date: Sat, 10 Jul 2010 16:17:04 GMT

From: "Webmail Support Team" <[email protected]>

Subject: University Support Last Warning!!!

 

University Support Last Warning!!!

University Webmaster

 

DEAR USER,

 

This mail is to inform all our students, individual or staff that we will be upgrading our site in a couple of days from now, So you as a Subscriber of our site, you are required to send us your Email account details so as to enable us know if you are still making use of your mail box. Further be informed that we will be deleting all mail account that is not functioning so as to create more space for our new users. So you are to send us your mail account details which are as follows:

 

*Login URL:

*User name:

*Password:

*Date of birth:

 

Failure to do this will immediately render your email address deactivated from our database.

 

Copyright (c) 2010 The University Webmail Support Team.


Be like the UISO


Questions?

Q&A