Taking Down Botnets: Microsoft and the Rustock Botnet
description
Transcript of Taking Down Botnets: Microsoft and the Rustock Botnet
Taking Down Botnets: Microsoft and the Rustock Botnet
報告者:劉旭哲
• 95% of all spam are from botnets – almost half of that spam comes from a single botnet,
Rustock.– 39%– size from 2.5 million to 1.3 million bots over the
same period• total amount is down except Rustock– reduced their number of bots but increased its
volume– 6% increase in spam emails per day
• Rustock– 5+ years old– consist of exploit pushers, malware writers, botnet
operators, hosting companies, and many sub components of each.
– infects a user simply by selling ad space to enterprising 3rd parties.
– It will rootkit
• C&C– In 2008, IP address inside an executable
• even today, many bots don’t use the DNS and relying on a set of IPs. – If you need both a domain name and hosting on
an IP (a server), that gives the Internet Good Guys two ways to knock you out
1. IP routing infrastructure 2. DNS infrastructure with registrars/registries.
• “new” Rustock
1) Miss Accept-Language/Accept-Encoding2) The User-Agent is faked3) The Host4) The URI5) HTTP/1.1 instead of 1.0.
• The botmaster designed his botnet – make it look a little more legitimate than a typical
botnet. • By Rustock not making such mistakes, it made
itself just slightly more difficult to detect than the above, and indeed as analysts have came out with SpyEye snort sigs, it has been morphing its structure.
• the bot is connecting to "go-thailand-now.com". 1. no A record returned2. there were a number of domains hidden inside
the malware that would be queried3. IP address returned in the A record4. a mathematical transform would happen and the
bot would connect to a totally different domain.
• five other "fake" domains: 1. godlovesme.org2. chernomorsky.name3. hollybible.com4. hollyjesus.com5. muza-flowers.biz.
Login C&C server
• all C&C communications are encrypted.• encryption algorithm was RC4
Communications
1. Client sends kill.txt2. Server responses list of processes to kill3. Client send information
– Bandwidth to server – OS – SMTP(port 25) – is VM – is blacklist on DNS
4. Server response– Client IP– machine name– taskid
5. Client sends neutral.txt6. Server responses list of domain for spam7. Client sends unlucky.txt8. Server responses list of SMTP server responses
that indicate failure9. Client sends tmpcode.bin10. Server responses spam content11. Client send “–” 12. Server responses target mail addr
Conclusion
• rootkit technology – difficult to detect the infection at the host level.
• encrypted HTTP for C&C (TSL)– difficult to detect at the network level.
• Rustock was felled by Microsoft and federal law enforcement agents.
• Use the legal process to shutter the C&C at US host provider • Therefore, I considered Rustock will come back soon,
because there is no way to detection.
Reference
• http://www.usenix.org/event/hotbots07/tech/full_papers/chiang/chiang.pdf
• http://blog.fireeye.com/research/2011/03/an-overview-of-rustock.html