Survey Report on Security-Related Trends in Israel
Survey on Information Security Situation in Israel
Countermeasures against Bots in Israel
March 2009
GlobalConn LTD
Survey on Countermeasures Against Bots in Israel
Table of Contents
Introduction ..... 5-6
7.9 Sandboxing ..... 51
7.10 The Development of BotNets in the Future ..... 52
Bibliography ..... 59
Overview
Vocabulary
Bot Herder: A “middleman” used by the attacker to deploy the BotNet.
Downloader Site: The prewritten link of the BotNet program from which the Bot gets updates and orders.
Mitigation: The evolving nature of the BotNet and the ingenuity of the attackers mean that total prevention or blocking is virtually impossible; therefore most solutions apply mitigation.
Zero-Hour Detection: The fast pace at which the malicious “Agent” spreads and transforms requires real-time detection and solution.
False Positive: Using P2P for BotNet purposes means Denial of Service of a genuine end-user.
Click Fraud: E-crime related to E-commerce, where the vendor pays per click on advertising and the Bot imitates an end user.
Introduction
The BotNet is the modern cyber warfare. Unlike hacking, which targets specific
users or websites, the BotNet is aimed to inflict massive damage to multiple
users in a short space of time.
The BotNet is multitasking and can change its objectives while activated. In order
to cause DDoS, the Zombie computer hosting the BotNet will send spam on
command. If the purpose of the intruder is to eavesdrop, then the BotNet will
function as a Trojan horse.
However, one should draw a bold line between hacking or defacing of websites
and the use of BotNet. The latter is expensive and not commonly used by the
usual hacker. Breaking a website’s code or even crashing a server does not
necessitate special resources. To inflict harm on a sole target requires only a
single hacker. Even to make a grandiose statement, one only needs to convene a
group of driven youths or fundamentalists who break into the target’s code and
deface a website (see the Bank of Israel case study in chapter 1.6.). Planting an
“Agent” in thousands of Zombie computers requires resources and usually some
financial gain which will at least cover the cost of operation. On the other hand,
this can be a pawn to be used in the hands of power players with deep pockets
or financial backing.
Ways of spreading BotNet are also diverse. Malware can be planted in spam, in
text files, in image files, in voice files and on websites. Transplanting the BotNet
into the zombie has no immediate effect on the end user. Some service providers
choose not to divulge the list of zombies sitting on their platform, and others
wish not to know of the active or non-active zombies. Their complacency derives
from the end user’s indifference and unwillingness to clean their computer as a
means of clearing the system of the BotNet, or the fear that the customer will
point the finger at the service provider as the liable party.
In the last security report from 2009, it is said that BotNets are becoming much
more widespread. Some researchers are estimating that some BotNet herders
own millions of systems across the globe. This provides herders with extensive
capability. Not only can they attempt multiple DDoS attacks, but owning this
many systems allows them to control their own online Army. It is foreseen that
there will now be more focus on host-based IDS/IPS solutions to control BotNets.
1. Status of Bots Today
Recently published in Israel was the opinion of Mr. Cohen and Mr. Cruman, heads
of the technology department at IBM, about BotNets.
Their opinion about the status of Bots today is that “BotNet is adding yet another
trick to its vast repertoire. In the past, the malware would check the process file
name against an internal list and delete the ones that matched the list. Now it
would rather leave processes running and just patch entry points of loading
processes that might pose a threat to it. Then, when processes such as anti-virus
programs run, they simply return a value of 0”.
According to Mr. Cohen, “BotNet enables the operation of the P.C. to work
normally even though a strong malware like BotNet sits quietly in the
background; the owner of the system is not aware of it. Malware starts
operating only when it gets orders from its operator. This is far less suspicious
than a process that gets terminated suddenly from the outside, which means it
will not alarm users due to the fact that anti-virus software is not running. The
technique is designed to fool the network access control systems, which bar
insecure clients from registering on a network by checking to see whether a
client is running anti-virus software and whether it’s patched. According to the
expert, the anti-virus is running but it’s brain-dead. It’s worse than shutting it off,
as it opens the door for Storm bots to waltz past even networks considered
to be hardened with network access control”.
“The BotNet is the latest evidence of why Storm is the scariest and most
substantial threat security researchers have ever seen. Storm is patient, it’s
resilient, it’s adaptive in that it can defeat anti-virus products in multiple ways
(programmatically, it changes its signature every 30 minutes), it’s invisible
because it comes with a built-in rootkit and hides at the kernel level, and it’s
clever enough to change every few weeks”.
It has its own mythology: composed of up to 50 million zombie PCs, it has as
much power as a supercomputer, it has the brute strength to crack Department of
Defense encryption schemes, and with this power it terrifies the researchers in
this field and the administrators in charge of network security.
On the other hand, those who know how to watch it are guarding their techniques.
They’re afraid of retaliation. They fear that if they disclose their unique means of
finding information on Storm, the BotNet herder will change tactics yet again and
the window into Storm will slam shut.
According to other experts that are quoted in the newspaper, the BotNet’s
strength is exaggerated in the sense of the number of systems which are infected,
its capability to become a supercomputer and the fact that it fights back and
punishes instantaneously. They claim this is fiction; however, they still agree it has a
lot of power.
Mr. Cohen concludes that when it comes to the war of good guys (security
researchers) versus bad guys (BotNet herders), BotNets have won. He cites
the case of Blue Security, an Israeli-based startup whose aggressive anti-spam
measures in May 2006 drew a counterattack from spammers that was so
vicious it forced the company out of business. “Blue Security did a really good
job of fighting,” said Mr. Cohen. “So [the attackers] did a DDoS and took it off the
Net for a while. Blue Security went to the best anti-DDoS technology on earth.
The next onslaught came and Blue Security’s defenses worked. So the BotNet
herder stole two other people’s BotNets. With three BotNets, the attack worked,
to the point where the ISP said, I’m not going to let you take down my entire ISP
to protect you, you’re on your own. And Blue Security is now out of business.”
2. Statistics
Most statistics reports are slanted and show overwhelming data of infected
Zombies or BotNet attacks. Internet security companies have a given stake in
showing the increasing dangers on the one hand, and success in detecting and
blocking on the other hand.
Every single day, new vulnerabilities are discovered and published (One of the
Israeli security companies alone reports 5 - 10 new vulnerabilities in various
systems every day).
We found that companies are reluctant to reveal cyber attacks and there is
no official publication specifically on Israeli BotNet attacks.
The government ISP, Tehila, reports 14,000 BotNet and similar attacks yearly on
government and semi-government sites.
Below are some graphs which show international BotNet attacks as recorded by an
Israeli software security company’s servers.
A general picture of worldwide active Zombie attacks:
Israeli software security companies accumulate statistics about general cyber attacks
all over the world. Following are some details from the second quarter of 2008:
3. Damages
Organized crime has applied its resources to the Internet first and foremost to
realize the rather fast, anonymous and unregulated financial gain integral to E-
Crime. The damages inflicted through BotNet operation are diverse. There are
direct damages and collateral damages. The initial act of tampering with bank
accounts after obtaining passwords via phishing and Trojan horse tools is as
simple as any bank robbery. Accessing sensitive information has two potential
financial gains for BotNet operators. Industrial espionage and selling data to
rivals can be just as lucrative as threatening with extortion. All these operations
still require foot soldiers to activate the chosen BotNet application and execute
the transaction.
The vast success of this type of E-Crime is due to the ever growing global
community turning to E-Commerce and online banking. Banks nowadays rely
heavily on online transactions, so a breach in their security means a loss of
potential business. This is the next layer of damage caused by BotNet. The
reputation of any business is a gainful asset which, when impaired, can have
lasting consequences. Even service providers avoid divulging the BotNet activity
and some Internet Service Providers (ISP) prefer not to get hold of the available
Zombie list so as not to expose their vulnerability. Blacklisting and blocking
legitimate ISPs and users is another costly risk. Unless the attack causes a
total crash or has multiple targets, there is little chance that the end users will be
notified of its occurrence.
The cost of blocking attacks and scanning for new malware means even more
financial burden. Website owners, large or small, find the need to add layers of
security to their existing firewall.
3.1 BotNet Damage Examples
There is a clear distinction between hacking for defamation purposes and using
BotNet to inflict harm or procure gain during an attack. The most infamous case
of industrial espionage in Israel became common knowledge in June 2004. It was
dubbed “The Haephrati Trojan horse” and involved CEOs of leading corporations.
The catalyst was a family feud which instigated an Israeli couple who were
computer experts, residing at the time in the UK, to write an espionage Bot that
was thereafter sold to private investigation firms. Their intent was turning the
Trojan horse into a lucrative business. Though this case has similarities to the
BotNet intent and harm, its modus operandi is completely different.
The BotNet doesn’t act against a chosen individual target. The statement that
BotNet does not target an individual needs to be qualified. For example,
Blue Security was an Israeli start-up company which tried to wage an Anti-Spam
Crusade. The method was simple and effective. Blue Security’s software
bombarded the spammers with millions of unsubscribe requests that crashed the
spammer’s ISP. In May 2006, the founder and owner of Blue Security had to
admit defeat after one of the spammers engaged in a counter attack. The
assaulted spammer used thousands of Zombies at the tips of his fingers to inflict a
successful DDoS attack. The spammer used other methods of intimidation and
extortion frequently abused by BotNet operators. This case ended with Blue
Security going into hiding and the Internet security community unanimously
agreeing that striking back is not the answer.
The Security department of Bank Leumi, one of Israel’s leading banks, received
an e-mail message on the 28th of January, 2008, requesting its customers to
enter an enclosed page that requires registration of their identification with the
bank. This was a phishing attack on its customers.
The security department managed to locate the impersonator’s location and
managed to remove him from the net. The bank immediately contacted all the
customers that entered their identification and asked them to change all their
passwords and to go over their accounts to see if anything was done that had
not been done by them. The bank also published a note to all its customers that
it is not accustomed to ask for identification on the web and that this type of request
is a fraud done to gain control over the customer’s details using an
impersonated web page of the bank.
In order to prevent these types of attacks, the bank issued new regulations for
transfers of funds to a third party through the Internet. According to the bank,
their quick reaction and attempts to catch the intruder reduced the damage to
only tens of customers out of thousands that were exposed to this phenomenon,
and due to its actions, none of the customers were damaged by this attack.
An additional important case that occurred in Estonia put the BotNet on the
map in April 2007 as the next Cyber Warfare weapon. Estonia was the
battleground of the biggest cyberspace attack, which lasted for 3 weeks, allegedly
triggered by the removal of a Soviet statue. Russia was the immediate suspect
during the 2007 attack, and has seemingly used the same scheme against
Georgia during the outbreak of fighting in August 2008. The Estonian case
recorded the use of about 1 million worldwide Zombies which inflicted a vast
DDoS on government and corporate websites. This attack was extremely effective
due to Estonia's high Internet exposure and usage. It is the first country to allow
online voting for its Parliament. According to updated FBI reports, 108 countries
hold Cyber Warfare capabilities.
3.1.3 International Corporation
The police authorities revealed that three Israelis from the north of Israel who
were suspected to be part of an international crime organization stole money
from banks in different countries. The headquarters of the organization was
based in Germany, where the investigation started. They used BotNet
technology to steal the customers’ identification details. The Israeli police
said that the crime organization acted out of Israel.
Another example where Israeli technology was involved was a BotNet attack by
hackers which was discovered on September 4, 2007 on the site of eBay
members (the global online marketplace). This attack, which used brute force,
was for the purpose of uncovering valid account log-in information. The
preparations for the attack against eBay started about a month before the actual
attack. The attack began with hackers compromising third-party websites using a
technique called SQL (Structured Query Language) Injection. Extra code was
dynamically added to the main page of these websites using a hidden IFRAME
tag which loaded a malicious web page. This page contained a VBScript file that
used AJAX to download and save a file called MISuvstm.exe into the Windows
system folder. Once this file was downloaded, it attached itself to the Windows
Explorer process and went hunting for a further Trojan, which was the basis for a
Distributed Denial-of-Service (DDoS) attack on eBay itself. The attack used eBay’s
own Application Programming Interfaces to guess eBay users’ passwords by
brute force. According to the information published, attackers changed one
user’s eBay identity and sent out at least 25 e-mails to individuals in the United
Kingdom who were attempting to sell Sony laptop computers. The compromised
account, which retained the original user’s high eBay rating, offered the sellers
more money than they asked for in exchange for the laptops being shipped “as
soon as possible.” The technology of the Israeli company Aladdin was involved
in this attack. Aladdin first found out about the eBay attacks through its
scanning product, deployed at ISPs, which detects and blocks attempted IFRAME
redirections. Furthermore, Aladdin’s two-factor authentication technology is a
solution where two different methods of identification are used, such as a user
name and password combined with a physical item, like a mobile phone, credit
card, or hardware dongle device, in the hands of the owner. These solutions,
while not invulnerable, would prevent brute-force attacks such as the one
directed at eBay. More details about Aladdin and its technology will be detailed
in the Israeli technology section.
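The hidden IFRAME injection described above is exactly what an ISP-side page scanner looks for. The following is an added illustration written for this report, not Aladdin's product and not code from the original: it parses an HTML page and reports iframes that point off-site and are made invisible (zero or one-pixel size, display:none / visibility:hidden, or off-screen positioning); the sample page, its host names and the thresholds are constructed.

```python
"""Spot hidden, off-site IFRAME injections of the kind used in the eBay case.

Added illustration (not Aladdin's product, not code from the original report).
Heuristic: an <iframe> is reported when its src points to a host outside the
page's own domain AND it is made invisible, i.e. zero or one-pixel size,
display:none / visibility:hidden, or positioned far off-screen.
Only the Python standard library is used.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_INT = re.compile(r"-?\d+")


def _length(value):
    """Integer part of an HTML/CSS length such as '0', '1px' or '-9999px'; None if absent."""
    m = _INT.search(value or "")
    return int(m.group()) if m else None


def _css_value(style, prop):
    """Integer value of one property inside a whitespace-stripped style string, or None."""
    m = re.search(r"(?:^|;)" + prop + r":(-?\d+)", style)
    return int(m.group(1)) if m else None


def is_hidden_iframe(attrs):
    """True when width/height attributes or inline CSS make the frame invisible."""
    for attr in ("width", "height"):
        n = _length(attrs.get(attr))
        if n is not None and n <= 1:
            return True
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for prop in ("width", "height"):
        n = _css_value(style, prop)
        if n is not None and n <= 1:
            return True
    for prop in ("left", "top"):
        n = _css_value(style, prop)
        if n is not None and n < -100:  # pushed far off-screen (assumed threshold)
            return True
    return False


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag, in page order."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def find_hidden_iframes(html, page_host):
    """Return the src of each iframe that is both off-site and hidden."""
    collector = _IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname  # None for relative URLs, i.e. same site
        off_site = (host is not None and host != page_host
                    and not host.endswith("." + page_host))
        if off_site and is_hidden_iframe(attrs):
            hits.append(src)
    return hits


# Constructed sample page: two legitimate frames and three injected ones.
SAMPLE_HTML = """<html><body><h1>Shop</h1>
<iframe src="/help/faq.html" width="300" height="200"></iframe>
<iframe src="http://video.partner.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://bad.example.invalid/redirect.html" width="0" height="0"></iframe>
<iframe src="http://bad.example.invalid/drop.html" style="display: none"></iframe>
<iframe src="http://bad.example.invalid/off.html" style="position:absolute; left:-9999px; top:0; width:10px"></iframe>
</body></html>"""


def scan_sample():
    """Scan the constructed page as if it were served from shop.example."""
    return find_hidden_iframes(SAMPLE_HTML, "shop.example")


if __name__ == "__main__":
    for src in scan_sample():
        print("hidden off-site iframe ->", src)
```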
The Israeli software security companies’ servers monitor many computers around
the world to secure against and detect BotNet and similar malicious attacks.
There is no local character to the operation of a BotNet. In the past, when the
attack needed C&C (Command & Control), there was a local linkage between the
manufacturer of the malware and its consumer. Nowadays, the very existence of a
network of Bots makes the place of production irrelevant. Zombies from all
over the world can be deployed instantly, crossing jurisdictions and confusing
local law enforcement agencies.
The operational mode of BotNet is much the same as drug trafficking. Recent
cases of BotNet deployment proved that the motivation might have been
nationalistic in nature (see the Estonian case study). However, the precise source
of the attack was unidentifiable.
Israel, together with a few nations, dominates the scene as a recipient nation of
spam, viruses and website defacement. Being a target of Muslim Fanatics
heightens the drive to crash servers and service providers on a daily basis. The
flip side of the Israeli-Arab conflict means that there is also heightened activity
among rightwing political activists breaching and defacing terrorist websites and
attracting even more fire in Israel’s direction.
One of the main problems in fighting the spread of BotNet is a lack of legislation
against E-crimes in most countries. It is easy enough to deploy the BotNet from a
certain country and evade all international law enforcement agencies. There are
currently a handful of online vigilante groups which try to fill the void created by
the shortage in law enforcement manpower. One such group operates from
Britain and is called Spamhaus.org. Another group fighting BotNet is
Shadowserver.org, which is run by proactive security professionals, one of whom
is an advisor to Cisco Systems.
4. Damage Amount By Bots
The table is based on the number of employees, their salary, the number of e-mails
they receive daily and the average spam they receive. We entered some basic
information and the calculator calculated the following results:
Number of employees: 50 Employees
Response rate: 1 %
Financial damages are the main interest of large corporations on the one hand
and end users on the other. In some cases, the industry publishes their damage
and its cost for security. However, the dominance of governmental and secret
agencies can be undermined by BotNet attacks. Deploying Cyber warfare and
defending against it are the work of governmental and secret agencies which are
treated with the same secrecy as any other doomsday weapon.
5. Countermeasures
5.1 Prevention
The aim of the BotNet is making the fight against security breaches futile. As
many firewalls are added to block attacks, there are just as many breaches
written into the programs. Security experts all agree that prevention of BotNet
proliferation is impossible. First the harm is already done and until the Zombie is
activated, no one, including the Zombie itself, can tell what it was infected by.
Second, the use of P2P increases the bandwidth and the spreading rate. Finally,
there are too many breaches from which the malicious entities can infiltrate.
These facts should not, however, create a feeling of surrender, as the entire
academic world that works in this field as well as many security companies, are
developing new technologies to prevent the possible infiltration of Bots.
5.3 Government & Military Organization
There are two main organizations in the Israeli government which are in charge
of the national Internet security. One is dedicated to all the strategic and
national security sites and is called “The Director of Security of the Defense
Establishment” and is a part of the Ministry of Defense. The second is the
Government’s ISP “Tehila” and is part of the Treasury Ministry.
Tehila was established in order to run all e-government services of the Israeli
government.
In 2006, a former manager of Israeli CERT started a mailing list where people not
necessarily involved with the vetted, trusted or closed circles of cyber crime
fighting could share information and be informed of threats. The BotNets mailing
list was aimed to get people involved, engaged and aware of cyber crimes.
His main objective was to provide the public an open mailing list where anyone
can join in and report a BotNet command and control (C&C) server that they
might see.
The goals of the mailing list were to create:
* A place where one can discuss detection techniques.
* A place where one can report the BotNets.
* A place where all relevant private groups will get reports.
* A place where the relevant ISP will be automatically notified.
* A place where action taken on the reports will be seen.
The main concept behind the BotNets mailing list is to provide and share cyber
information online. He thought that sharing the resources could
change the tide of the cyber crime war. One of the strategies that could help is
public information sharing of “lesser evils” already in the public domain.
He thought that to fight a war, one needs to be involved and engaged. It is a fact
that while much progress was made in the efforts to fight cyber crime, there was
nearly no effect whatsoever against the criminals and the attackers. They
maintained their business and the industry kept writing analysis.
The former manager of Israeli CERT decided to revive the BotNet mailing list. He
says the list was fairly successful two years ago, but quickly lost steam, because
some researchers didn't feel confident in sharing their information in a public
setting. Since he revived the list in September 2008, researchers have been
actively sharing raw data with other list members.
“We have better tools, we’re better organized, we know what we’re doing, but
still we have not really made a dent,” he said. “There have been some arrests,
we’ve taken down some operations, but what it comes down to is that the
criminals are still making money.”
The communities that are currently active are closed and by their nature more
secretive. Less information gets out and less information is shared because
people who should be trusted cannot find the right groups or it’s too difficult to
find an information sharing group.
The ultimate goal of the mailing list is to get more IT administrators and security
researchers involved in combating cybercrime, get them to care about the
problem and get them organized.
The Israeli government initiated laws against cyber attackers as a tool for
countermeasures.
In 1995, the Computer Law was adopted in Israel; it prohibits cyber attacks
and prescribes punishment for this type of crime of 3 to 5 years imprisonment.
Following are the details:
o Disruption or Interruption of a computer or computer content. This is
equivalent to breaking and entering, and includes falsifying, transferring,
storing information or output, writing software related to this information or
using such software;
o Infiltrating computer materials illegally;
o Infiltrating computer content with the intent of breaking the law;
o Anything pertaining to computer viruses;
o Denial of Service;
o Writing and distribution of Trojan Horses.
The Israeli Parliament approved at the end of May 2008 an amendment to the
Israeli Communication Law also referred to as “The Anti Spam Law”. This
amendment prohibits various sorts of spam: e-mail, fax messages, short text
messages (such as cellular SMS) and automatic dialing systems, if they intend to
induce the recipient to spend money.
The strict requirement for prior consent in the law is mitigated by two
exemptions. An advertiser may send a one-time unsolicited offer to businesses
to accept further commercial messages. An advertiser may also send unsolicited
commercial messages if the receiver of the message is a client or a potential
client of the sender, if the message refers to a product or a service similar to
products or services purchased by the client in the past from the sender, and if
the receiver is given proper opportunity to refuse any further messages.
Furthermore, the advertiser must conspicuously indicate that the message is
commercial in nature and that the receiver has a right to refuse any further
messages. The advertiser must also provide clear contact details for sending
refusal notices.
The Anti Spam Law became effective in December 2008. Failure to comply with it
will subject spammers and senders of commercial offers to statutory damages of
up to NIS 1,000 (approximately US $300) per one message. The amendment also
indicates that a class action may be brought against infringers.
The amendment allows civil actions to be taken against the spammer, regardless
of the criminal charges. However, the amendment doesn’t refer to spammers
residing abroad. The offender targeted by the amendment is not only the sender
of the spam but the advertiser sending unsolicited mail that stands to gain from
the action.
The law requires that parties sending information receive prior authorization
from the legal parties. The police authority has established a special unit to
follow up and enforce this law.
5.6 Private Sector
Many organizations expect more than just an Anti-Spam and Anti-Virus solution.
They require a sophisticated tool that provides customization rules and control
over incoming and outgoing mail, footnotes, attachments, notifications,
forwarding and more. Furthermore, they require that a policy be enforced
throughout the whole organization, groups and even the specific users.
Organizations also expect such a system to be in synchronization with their
existing active directory or other Lightweight Directory Access Protocol (LDAP)
servers. As a result, Israeli software security companies are researching and
developing software as countermeasures for cyber attack. The academic sector
in Israel takes part in this research and development, which is also detailed in
Chapter 6.
Following is a research project which deals with the social aspect of cyber attack:
* Network Security: Vulnerability and Disclosure Policy.
This research was carried out by Dr. Chaim Fershtman and others, in
cooperation between Tel Aviv University and Michigan State University.
This work deals with the dilemma of software companies that find bugs in their
software. The dilemma is whether the company should disclose the bug and issue an
update for it; if this is done, the disclosure itself could facilitate reverse
engineering and expose the vulnerability to hackers. Should the disclosure be mandatory?
In 2007, Internet experts estimated that “BotNet” programs – sophisticated
programs that install themselves on unprotected personal computers – were
present in more than 10 percent of the 650 million computers worldwide that
are connected to the Internet. More than this, they cite another research project
that has been done by America Online and the National Cyber Security Alliance
(2004), which found that 80 percent of the computers in the US are infected
with Spyware. According to this work, in spite of the huge efforts and
investigations into writing more secure code, it is virtually impossible to design
software that is free of vulnerabilities. The researchers are not sure about all the
efforts of the software companies which continue to try to discover
vulnerabilities after the software has been licensed and sold. When updates are
released to overcome a vulnerability, the release itself enables
hackers to “reverse engineer” and find out how to exploit the vulnerabilities.
The reverse engineering increases the probability of attack.
The main issue that the paper discusses is how to motivate investment in
product security by investigating how a decline in the number of vulnerabilities
and an increase in the probability that the firm will identify vulnerabilities before
hackers affect disclosure policy, price and profits. An additional subject which is
raised in this work is the mandatory disclosure of vulnerabilities and bug bounty
programs. The researchers find that mandatory disclosure is not necessarily
welfare improving. Mandatory disclosure improves welfare only when the
probability of attack is very high and the expected damage is relatively small.
When both the probability of attack and the expected damage are moderate,
mandatory disclosure is welfare reducing since a non-disclosure policy
maximizes welfare. Mandatory disclosure has no effect since the firm will
disclose vulnerability even without regulatory intervention.
6. Researches
The BotNet community is comprised of black hats, trying to outwit the security
experts, and on the flip side, researchers who try to probe the malware. BotNet
R&D is putting out fires on a daily basis, but it is also developing
technologies for the long range.
This research was carried out by Barak Nirenberg at the Technion, Israel
Institute of Technology.
The project, completed just a few months ago, started by defining Bots and
BotNet. The Bots are software applications that run automated tasks over the
Internet. Typically, bots perform tasks that are both simple and structurally
repetitive, at a much higher rate than would be possible for a human alone. The
largest use of Bots is in web spidering, in which an automated script fetches,
analyzes and files information from web servers at many times the speed of a
human.
The BotNet is the technique allowing the Bots’ masters to control remotely a
large number of infected machines in a single operation, thus creating the
BotNets. According to researchers, the characteristics of the BotNet are that it
runs autonomously and automatically. The BotNet is often associated with
malicious software, but it can also refer to the network of computers using
distributed computing software. It is interesting to note that the Bot creators
evolved their Bots to use Dynamic DNS (DDNS) in order to find their C&C server.
The DDNS is a service which is mostly offered for free on the Internet that allows
a user to own a constant DNS name that will be translated to a specific IP
address. In this way the BotNet master overcomes IP blocking by ISPs. The researcher
of this subject describes in detail the problem of the Bot master’s control over a
large number of hosts with AVT causing collapse of the entire net. The
researcher describes the process of evolution until it became such malicious
software and, more important, became widely available on the Internet. Today,
most of the Bots are using worms in order to spread on the Internet.
A worm is a kind of malware that spreads over the net by itself automatically,
usually by exploiting security holes and known software vulnerabilities. The
researcher describes in this work the most common method by which Bots
spread today and once more the researchers indicate that there are also several
cases where the infected Bot will try to remove other rival Bots from the host it
infected in order to be the sole owner of the host.
This research was carried out by David Hoeflin and associates.
In this research, the researchers use algorithms which can detect and
characterize BotNets. The researchers use algorithms to detect several hundred
controllers over a period of a few months running on arbitrary ports with a very
low false positive rate.
This paper describes the methodology to detect, track and characterize BotNets
on a large Tier-1 ISP network. The BotNet analysis is performed mostly on
transport layer data and thus does not depend on particular application layer
information. The researchers wrote algorithms that produce alerts with
information about controllers. Alerts are followed up with analysis of application
layer data, which indicates a false positive rate of less than 2%. Following is a
description of how BotNets function. Malicious BotNets are networks of “Bots”,
compromised hosts that are remotely controlled by a master host via one or
more controller hosts. The master host is the computer used by the perpetrator
and is used to issue commands that are relayed to the bots via the controllers.
The controllers are often Internet Relay Chat servers, which are normally used
for relaying messages among client terminals. Controllers are often created from
compromised hosts that perform a coordinating role for the BotNet. The
purposes of using BotNets vary and most of them are related to illegitimate
activity. Some of their uses include launching Distributed Denial-of-Service
(DDoS) attacks, sending spam, Trojan and phishing email, illegally distributing
pirated media, serving phishing sites, performing click fraud, and stealing
personal information. They are also the sources of massive exploitive activity as
they recruit new vulnerable systems to expand their reach. BotNets have
developed several techniques in their malware and infrastructure that make
them resistant to typical mitigation techniques. All this is a threat to the Internet
as well as enterprise networks. The threats undermine the reliability and utility
of the Internet for commerce and critical applications. At the beginning, the
majority of BotNets were traditionally based on Internet Relay Chat. This was
due to the ability of IRC to easily scale to thousands of clients. There are existing
cases of other types of BotNet detection systems based on HTTP, DNS, and
peer-to-peer models.
The advantages of their system are many. The major ones are that the system:
a. is entirely passive and therefore invisible to the operator,
b. has a false positive rate of less than 2%,
c. helps identify BotNets that are most affecting real users (and customers),
d. can detect BotNets that use encrypted communications.
The system helps quantify the size of BotNets, and identify and characterize their
activities without joining the BotNet.
The contribution of this work is the development of an anomaly-based passive
analysis algorithm that has been able to detect IRC BotNet controllers achieving
less than 2% false positive rate. The algorithm is able to detect IRC BotNet
controllers running on any random port without the need for known signatures
or captured binaries. Even though this analysis is tuned to Internet Relay
Chat-based BotNets, the researchers believe BotNets will continue to require
inventory management as well as a command and control structure that allows
the BotNets to be detected using similar methods. There are some distinct
advantages to this type of BotNet detection:
a. Network data analysis is entirely passive, so it is invisible to the BotNets,
b. It does not interfere with network operations,
c. It does not run any risk of contributing to the problem, and
d. It is able to show the dynamics of BotNet activity by detecting activities
that have been most effective in targeting the specific customer sets.
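The passive, transport-layer idea described above, as an added illustration that is not code from the report or from Hoeflin et al.: a toy heuristic that flags a (server, port) pair as a candidate controller when many distinct hosts keep long-lived, nearly idle connections to it, whatever the port and regardless of encryption. Thresholds and the sample flows are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str           # client host
    dst: str           # server host
    dport: int         # server port
    duration_s: float  # how long the connection stayed up
    bytes_total: int   # bytes in both directions


# Constructed thresholds: a controller looks like many clients "parked" on one
# endpoint for a long time while moving almost no data (waiting for orders).
MIN_CLIENTS = 5          # distinct client hosts parked on the same (server, port)
MIN_DURATION_S = 600.0   # parked means up for at least ten minutes
MAX_BPS = 50.0           # and nearly idle, like a chat channel


def controller_candidates(flows, min_clients=MIN_CLIENTS,
                          min_duration_s=MIN_DURATION_S, max_bps=MAX_BPS):
    """Return candidate controllers (server, port, parked client count), most
    clients first.  Only flow metadata is examined, never payload, so an
    encrypted channel on an arbitrary port is scored exactly like a plain one."""
    by_endpoint = defaultdict(list)
    for f in flows:
        by_endpoint[(f.dst, f.dport)].append(f)
    found = []
    for (dst, dport), group in by_endpoint.items():
        parked = {f.src for f in group
                  if f.duration_s >= min_duration_s
                  and f.duration_s > 0
                  and f.bytes_total / f.duration_s <= max_bps}
        if len(parked) >= min_clients:
            found.append({"server": dst, "port": dport, "clients": len(parked)})
    return sorted(found, key=lambda r: -r["clients"])


def _constructed_flows():
    """Constructed sample: eight hosts park on 203.0.113.7:31337 for an hour
    moving 2 KB each, plus ordinary web traffic and one long, busy download."""
    flows = []
    for i in range(1, 9):
        flows.append(Flow(f"10.0.0.{i}", "203.0.113.7", 31337, 3600.0, 2_000))
        flows.append(Flow(f"10.0.0.{i}", "198.51.100.10", 443, 2.0, 150_000))
    flows.append(Flow("10.0.0.9", "203.0.113.7", 31337, 5.0, 300))            # brief probe
    flows.append(Flow("10.0.0.3", "198.51.100.20", 80, 1800.0, 500_000_000))  # long but busy
    return flows


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    for hit in controller_candidates(SAMPLE_FLOWS):
        print(f"candidate controller {hit['server']}:{hit['port']} "
              f"with {hit['clients']} parked clients")
```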
This research was carried out by Yoav Atsion, at The Hebrew University,
Jerusalem.
The researchers found that all major operating systems today, with the possible
exception of Mac OS X, are vulnerable to such attacks, because of the way the
CPU is used and how competing processes are prioritized. The researchers call
the attack a “cheat attack”: a process hijacks a large percentage of the CPU, yet
when the operating system lists the active processes it does not show that the
CPU’s resources are being used at all, which makes the attack difficult to detect.
The success of such an attempt depends on the intruder knowing how resources
are allocated and how much CPU the competing processes use.
Importantly, all of these activities are typically tied to the same clock interrupts.
This overloading can be exploited by a simple attack that uses the timer to
ensure that a process always starts running just after a clock tick and stops
before the next tick. As a result, the process is never billed, because it is never
the process that was sampled by a clock tick. The most problematic consequence
is that the attacking process becomes essentially invisible.
The most basic defense one has against malicious programs is seeing them run
using a monitoring tool. If the system doesn’t account for the CPU usage of the
attacking process, it won’t show up on the monitors. Even worse, the attack
actually leads to miscounting, where another process is billed for CPU time used
by the cheating process. As a result, even if the system administrators suspect
something, they will suspect the wrong processes. The cheating process can
further disguise its tracks by controlling the amount of CPU it uses so as not to
have too great an impact on system performance.
Even though great efforts were made to overcome the cheating process, the
researchers found that the threat is still very real. Combining such worms with
the cheating attack could infect over 10 million computers, creating an ad-hoc
supercomputer that runs a computational payload on massive resources in
minimal time. There are two ways to account for CPU usage: direct measurement
and sampling. Even some systems that actually perform accurate measurements
do not use this information for scheduling. The researchers explain that some
systems, such as Linux 2.6 and the ULE scheduler for FreeBSD, have problematic
prioritization practices regarding interactive processes that further increase their
vulnerability. They analyzed their results on different operating systems, such as
Windows XP and Solaris, besides Linux 2.4 and 2.6. A counting application was
first run alone on each system to obtain a reference value, and was then
executed alongside the cheater to examine the cheater’s effect on the counting
application’s throughput under that operating system. There is a simple, low-cost
solution.
The solution, implemented in Linux, is complete and is based on accurate billing.
The “cheat” discussed above seems simple: it exploits the prioritization of
processes that use less of the CPU. The idea is to avoid the accounting and then
enjoy the resulting high priority. Billing works on the long and the short term: a
process that runs for a short period each time it is scheduled will typically not be
billed, while processes that use more CPU time have a higher chance of being
interrupted and billed.
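The two accounting methods the text contrasts, as an added simulation that is not the researchers' code: a tiny two-process scheduler that always favours the process with the least billed CPU, run once with tick sampling and once with direct measurement, while one process runs only between clock ticks. Tick period, burst length, step size and process names are constructed.

```python
TICK_US = 10_000   # 100 Hz clock interrupt (constructed)
BURST_US = 8_000   # the between-ticks process wants 80% of every tick (constructed)
STEP_US = 100      # scheduling granularity of the simulation (constructed)


def simulate(accounting, ticks=200, tick_us=TICK_US, burst_us=BURST_US, step_us=STEP_US):
    """Run two processes, "honest" (always runnable) and "between_ticks" (runs
    after each interrupt and yields before the next one), under a scheduler
    that picks the runnable process with the least billed CPU.  accounting is
    "sampled" (the interrupt bills a whole tick to whoever is running at that
    instant) or "precise" (time actually consumed is billed at every step).
    Returns per-process fractions of actual and billed CPU."""
    if accounting not in ("sampled", "precise"):
        raise ValueError("accounting must be 'sampled' or 'precise'")
    if not (0 < burst_us < tick_us) or tick_us % step_us or burst_us % step_us:
        raise ValueError("burst must fit inside a tick; both must be multiples of step")
    names = ("between_ticks", "honest")
    actual = dict.fromkeys(names, 0)     # ground truth, microseconds
    billed = dict.fromkeys(names, 0)     # what the scheduler believes, microseconds
    wake_at = dict.fromkeys(names, 0)    # time from which each process is runnable
    burst_left = burst_us
    running = None
    for now in range(0, ticks * tick_us, step_us):
        if now % tick_us == 0 and accounting == "sampled" and running is not None:
            # Clock interrupt: sampling bills a whole tick to whoever is on the CPU.
            billed[running] += tick_us
        runnable = [p for p in names if wake_at[p] <= now]
        # Lowest billed CPU wins; the name breaks ties deterministically.
        running = min(runnable, key=lambda p: (billed[p], p))
        actual[running] += step_us
        if accounting == "precise":
            # Direct measurement: bill what was really consumed, at every step.
            billed[running] += step_us
        if running == "between_ticks":
            burst_left -= step_us
            if burst_left <= 0 or (now + step_us) % tick_us == 0:
                # Yield before the next interrupt and arm a timer to wake just after it.
                wake_at["between_ticks"] = (now // tick_us + 1) * tick_us
                burst_left = burst_us
    total = ticks * tick_us
    return {"actual": {p: actual[p] / total for p in names},
            "billed": {p: billed[p] / total for p in names}}


if __name__ == "__main__":
    for mode in ("sampled", "precise"):
        r = simulate(mode)
        print(f"{mode:8s} actual {r['actual']}  billed {r['billed']}")
```

With sampling, the between-ticks process really uses 80% of the CPU but is billed nothing, and the honest process is billed for almost everything; with direct measurement the bill matches reality and the scheduler shares the CPU roughly evenly.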
6.4 DDoS Attack Prevention by Packet Encapsulation
This research was carried out by Dr. Avital Yachin, at Technion, Israel Institute of
Technology.
Dr. Yachin based his method on research by Gal Badishi and Dr. Idit Keidar of the
Technion Electrical Engineering Faculty, and Amir Herzberg of the Computer
Science Department at Bar-Ilan University.
processes such requests at the application level, a lot of computing power is
consumed, up to the point where the server crashes.
The authentication process is the key element of this research. To create trusted
communication between a client and a server, the client must first be
“authenticated” by the server. This is done by assigning each client a unique ID
(secret code) that is registered at the server. Clients who are not registered at
the server, or who do not have a secret code, will not be able to communicate
with the server.
The client’s secret code is used to create a random key that is attached to every
outgoing packet. The key is created by hashing (SHA-1) the secret code with the
current timestamp. When the server receives a packet, it tries to calculate an
identical key based on its own timestamp and the list of registered clients. If a
match is found, the packet is passed to the TCP stack; otherwise, the packet is
dropped.
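The per-packet key check described above, as an added example that is not Dr. Yachin's code: the client prepends SHA-1(secret || timestamp) to each packet and the server recomputes it for every registered client before anything reaches the TCP stack. The one-second clock-skew window, the constant-time comparison, the client names and secrets are my assumptions; a production design would use an HMAC rather than a bare hash over the secret.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

KEY_LEN = hashlib.sha1().digest_size   # 20 bytes


def packet_key(secret: bytes, ts: int) -> bytes:
    """Key for one packet: SHA-1(secret code || 32-bit timestamp), as described."""
    return hashlib.sha1(secret + ts.to_bytes(4, "big")).digest()


def client_encapsulate(secret: bytes, payload: bytes, now: int) -> bytes:
    """Client side: attach the key for the current second to the outgoing packet."""
    return packet_key(secret, now) + payload


class GatewayServer:
    """Server-side check that runs before a packet is handed to the TCP stack."""

    def __init__(self, registered: Dict[str, bytes], skew_s: int = 1):
        self.registered = dict(registered)   # client id -> secret code (constructed)
        self.skew_s = skew_s                 # tolerated clock difference (assumption)

    def accept(self, packet: bytes, now: int) -> Optional[Tuple[str, bytes]]:
        """Return (client id, payload) if the key matches some registered client at a
        timestamp within +/- skew_s of the server clock, else None: the caller drops
        the packet and the TCP stack never sees it."""
        if len(packet) < KEY_LEN:
            return None
        key, payload = packet[:KEY_LEN], packet[KEY_LEN:]
        # The packet carries no client id, so the server tries every registered
        # client and every timestamp in the window: O(clients * window) per packet.
        # Within that window a captured key is still valid, so the window should
        # stay as small as clock accuracy allows.
        for cid, secret in self.registered.items():
            for ts in range(now - self.skew_s, now + self.skew_s + 1):
                if hmac.compare_digest(key, packet_key(secret, ts)):
                    return cid, payload
        return None


SECRETS = {"alice": b"constructed-secret-alice", "bob": b"constructed-secret-bob"}

if __name__ == "__main__":
    server = GatewayServer(SECRETS)
    now = 1_700_000_000
    good = client_encapsulate(SECRETS["alice"], b"GET / HTTP/1.0", now)
    print("registered client:", server.accept(good, now))
    print("stale packet:     ", server.accept(good, now + 10))
    print("unknown client:   ", server.accept(b"\x00" * KEY_LEN + b"hello", now))
```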
6.5 Survey on Detection of Covert Channels through VPN
This research was carried out by Isakov Yehiel at Technion Israel Institute of
Technology.
the receiver and one involving the sender signaling information by modulating
the use of resources (like inter-packet delays and packet transmission rate) over
time so that the receiver can observe it and decode the information.
This research was carried out by Jonathan Avidal and Oren Ben Simon, at
Technion Israel Institute of Technology.
The main target of this project is to create a secret channel which will be difficult
to detect even for a person who knows the algorithm. For this purpose, the
researchers tried to imitate the usual traffic that passes through the channel and
to make minimal changes to it. They composed algorithms with new principles
which help prevent the channel from being revealed. Apparently, the new
channel, which was built by the researchers, is active but should be as passive as
possible.
The secret channel is a hidden channel that uses shared resources to transfer
information between different parties in the system: two computers that can
communicate with each other use a channel whose existence a third party does
not know about. The purpose of this kind of channel is to send secret
information, or to hide the sending of additional information such as passwords
or cryptographic keys, or even to hide illegal information, and so on.
This project deals with a situation where there are two computer networks
which are far away from each other and are connected through UDP/IP
communication. The researchers assume that in one of the networks there is a
Trojan horse which tries to transfer secret information from the secret network
to a hostile party located on the Internet. The researchers also assume in their
project that the Trojan horse sits in the communication channel and controls the
information transfer, which means that the Trojan horse is able to use the
communication channel from one computer network to the other to transfer
information to a hostile party.
Examples are a change in the response time of a cache or a change in the time
interval between two IP messages.
Chapter 7: Trends
The BotNet trends consist of two parts. One is the technology that serves to
prevent, control and detect BotNet intrusion; the second is products, including
Israeli products that were developed in Israeli universities or companies. In
companies we can find research that has been completed and is being marketed.
This research was carried out by Efi Arazi, at Israel Inter-University Computation
Center (IUCC).
This technology has been assigned a /16 (a former Class B, with 65,536 IP
addresses) of “dark space”, where the researchers have been able to install a
network monitor that receives “backscatter” packets from all over the Internet.
There are other Internet telescopes out there, like the one at SWITCH. CAIDA was
the first to document the technique and present analysis numbers, and has done
some more recent research in this area.
Attacks seen
The packets that are received by the telescope can be roughly categorized into 4
categories:
3. Configuration Mistakes: a flow that lives for a very short time and cannot be
placed in one of the above categories is labeled as a configuration mistake of
one of the computers on the Internet.
4. Others: a long flow that could not be placed in any of the above groupings.
DDOS backscatter 5%
Configuration mistakes 2%
Others 1%
Far from all DDoS attacks can be seen by a Network Telescope. Those that
cannot be seen are:
1. Bogon attacks: A bogon attack is an attack that comes with a source IP that
should never appear in the Internet global routing tables. A list of bogons is
available from Team Cymru. IUCC filters out some but not all of the bogons, so
in general the Network Telescope will not see bogon attacks.
2. uRPF filtering: Even spoofed attacks may not reach a Network Telescope if they
are stopped along the way via a method known as unicast Reverse Path
Forwarding filtering.
3. Non-spoofed attacks: An attacker can always attack a victim directly, using any
number of attack tools to try to overwhelm the resources of the victim. In
general, these types of attacks would be easy to backtrack and to determine who
the attacker was, so we assume most attacks are no longer of this type.
4. BotNet attacks: Since attacking with an identifiable IP would lead to backtracking,
attackers now use what is known as a BotNet or Zombie attack. By infecting
many PCs and using them as proxies for launching their attack, attackers are able
to hide their identity. Since a BotNet attack is, in general, not spoofed, a Network
Telescope would not see such an attack. There have been cases of BotNet
attacks with spoofed IP addresses, but the attacker then takes the chance that
some of the attack packets might be filtered by uRPF checking. It is assumed
that most attacks on the Internet these days are launched by BotNets.
Results
For traffic classified as DDoS backscatter, the dominant source port is the port
on which the victim was attacked, and the dominant destination port is that of
the traffic that reached the telescope. The outputs are:
1. Information on the traffic characteristics, especially ports. We output the top
ten destination ports and source ports of the spoofed attacks seen, for every day
of the last week.
2. A daily list of Machba systems that have been determined to have a worm or
to be infected. Infected systems are those that have been seen scanning
consecutive IP addresses, whereas a worm is defined as probing a specific list of
predefined ports on random IPs.
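The two definitions in item 2 applied to telescope packets, as an added example that is not IUCC's code: per source, a sequential walk through consecutive destination addresses is reported as an infected scanner, and probes of a predefined port list against scattered addresses as a worm. The port list, the evidence threshold and the packets are constructed.

```python
import ipaddress
from collections import defaultdict

WORM_PORTS = {135, 139, 445, 1433}   # constructed stand-in for the predefined port list
MIN_TARGETS = 4                      # distinct destinations needed before deciding (constructed)


def classify_sources(packets, worm_ports=WORM_PORTS, min_targets=MIN_TARGETS):
    """packets: iterable of (source ip, destination ip, destination port) seen by the
    telescope.  Returns {source ip: verdict} with verdicts "infected" (consecutive
    destination addresses), "worm" (only predefined ports, scattered destinations),
    "other", or "undecided" when a source hit too few destinations."""
    per_src = defaultdict(lambda: {"dsts": set(), "ports": set()})
    for src, dst, dport in packets:
        per_src[src]["dsts"].add(int(ipaddress.ip_address(dst)))
        per_src[src]["ports"].add(dport)
    verdicts = {}
    for src, seen in per_src.items():
        dsts = sorted(seen["dsts"])
        if len(dsts) < min_targets:
            verdicts[src] = "undecided"
        elif all(b - a == 1 for a, b in zip(dsts, dsts[1:])):
            verdicts[src] = "infected"   # sequential sweep through the dark space
        elif seen["ports"] <= worm_ports:
            verdicts[src] = "worm"       # fixed port list, unrelated targets
        else:
            verdicts[src] = "other"
    return verdicts


def daily_list(packets):
    """The daily report from item 2: which sources are infected and which carry a worm."""
    v = classify_sources(packets)
    return {"infected": sorted(s for s, k in v.items() if k == "infected"),
            "worm": sorted(s for s, k in v.items() if k == "worm")}


# Constructed sample: one host sweeps 192.0.2.10-17, one probes worm ports on
# scattered addresses, one sends too little to judge, one scans an unrelated port.
SAMPLE_PACKETS = (
    [("10.1.1.1", f"192.0.2.{i}", 80) for i in range(10, 18)]
    + [("10.2.2.2", d, p) for d, p in [("192.0.2.77", 445), ("192.0.2.3", 139),
                                        ("192.0.2.201", 445), ("192.0.2.150", 1433),
                                        ("192.0.2.9", 445)]]
    + [("10.3.3.3", "192.0.2.5", 22), ("10.3.3.3", "192.0.2.6", 22)]
    + [("10.4.4.4", d, 8080) for d in ("192.0.2.1", "192.0.2.40", "192.0.2.99", "192.0.2.250")]
)

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_PACKETS).items()):
        print(f"{src:10s} {verdict}")
    print(daily_list(SAMPLE_PACKETS))
```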
False Positives can be generated in different ways. Intrusion Detection Systems
(IDSs), for example, generate logs to alert administrators to illegal attempts to
enter a website. Such logs, in addition to real alarms, contain false alarms that
overwhelm the administrator. In contrast to the passive nature of most IDSs,
application security solutions are usually proactive. This means that they are
designed to block access to a website, and in the case of a “False Positive” they
may block legitimate users from accessing a website.
The reason that False Positives occur is simply that security solutions are
automated and have only limited intelligence capabilities. Most solutions have a
database of known attacks and constantly compare incoming traffic to this
database, trying to identify an attack. This opens the door to False Positives, since
often the security system views traffic differently than the target system. This
may be because of different protocols and operating systems, as well as
encryption or fragmented streams. Even harmless requests may be misjudged
as “malicious” when there is an unusually high and unexpected volume of
traffic. What is the effect of False Positives on a website?
There is a much more important issue than why False Positives are generated.
More importantly, what is more harmful, a successful attack or False Positives?
An immediate answer may be that a successful attack is more harmful. It seems
logical. However, further analysis reveals that in fact False Positives pose a
greater threat. The reason lies in the fact that organizations can evaluate
damages resulting from malicious activities and can quantify them. However,
damages that occur from a False Positive created by a third-party are much more
difficult to predict and protect against.
Let’s look at an example. In most legal systems, if the facts in a case are
ambiguous, the legal system would tend towards letting a suspect go, letting a
guilty person walk free rather than finding an innocent person guilty. For
lawmakers, it has long been clear that such a False Positive (finding an innocent
person guilty) causes more damage to society than freeing a guilty person.
The problem of False Positives on the Internet is mainly a result of the way
security companies have approached the problem. Current security solutions
have looked at how to identify the malicious activities and stop them. In order to
do that, these solutions rely on a database with examples of illegal traffic. They
try to match incoming traffic against the database and thus look for attacks.
There are many problems with this logic. First, they are unable to detect attacks
that are not registered in the database. It may be a new kind of attack or a new
version of an old attack. Second, and much more worrisome, are the False
Positives they create.
Let’s examine this issue from another perspective. Let's say that there is a
terrorist who is threatening to start shooting in a crowd of people. The
authorities want to eliminate this threat but they will not shoot into the crowd
because they may cause innocent bystanders to be hit, i.e., it will create False
Positives. So we arrive back to the question of what is less harmful, a successful
attack or a False Positive? Now the answer is clearer. Every law enforcement
agency would choose to let the terrorist get away and then pursue him later
rather than harm innocent people.
Now the question arises of why not adopt this attitude with web security
solutions? Instead of wasting time, money and resources on trying to identify
“bad” traffic, it would be much more effective to protect the site with positive
rather than negative logic. Instead of looking at what is not allowed, one should
be looking to “understand” only what is allowed. This means that the web
security solution “understands” what kind of traffic can be forwarded to the site
and can automatically block all traffic that is not allowed. True, this is a more
complicated solution since it requires the security solution to be much more
sophisticated and equipped with more advanced logic. However, this way of
protecting the website has many advantages over the older methods since, when
applied intelligently, it can eliminate “False Positives” and protect the site
against both unknown and known threats.
Let’s take an example from the real world. Some current application security
solutions parse a retrieved page from a web server, dynamically creating a URL
list from that page. The user should then request the objects as listed on that
HTTP page.
Another issue that can cause False Positives is the use of proxies between the
user and the website. In this case, the requested page may be stored in the
cache, sometimes for quite a long time (usually only static HTTP pages or
objects). The requested objects would not be retrieved from the origin site and
therefore will not be part of the “tracking list” on the security system. “False
Positives” may be generated and the user's requests may be blocked by the
system. In the worst case scenario, the user will be added to the Access Control
List (ACL), thereby blocking his IP address completely for future access. From
that user's point of view, the site is dead or is under a Denial of Service attack.
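The page-parsing "positive logic" filter sketched above and the proxy-cache false positive it produces, as an added example that is not code from the report or from any product it describes. The filter learns the objects a page references only when the origin serves that page; hostnames, paths, the HTML and the single global allow-list are constructed simplifications.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class _ObjectCollector(HTMLParser):
    """Collect the URLs a served page tells the browser to request next."""
    WANTED = {("a", "href"), ("img", "src"), ("script", "src"), ("link", "href")}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in self.WANTED and value:
                self.urls.add(urljoin(self.base_url, value))


class PositiveFilter:
    """Allow only what has been learned from pages the origin served; block the rest."""

    def __init__(self, entry_points):
        self.allowed = set(entry_points)   # pages anyone may request without a prior link
        self.acl = set()                   # clients blocked outright after a violation

    def page_served(self, url, html):
        """The origin served a page: everything it references becomes allowed."""
        collector = _ObjectCollector(url)
        collector.feed(html)
        self.allowed |= collector.urls

    def check(self, client, url):
        """Positive logic: True only for a learned URL; anything else is blocked and
        the client lands on the ACL, the worst case the text describes."""
        if client in self.acl:
            return False
        if url in self.allowed:
            return True
        self.acl.add(client)
        return False


SAMPLE_PAGE = """<html><head><link rel="stylesheet" href="/static/site.css"></head>
<body><img src="/img/logo.png"><a href="/account">Account</a>
<script src="https://cdn.example.net/app.js"></script></body></html>"""   # constructed


def scenario():
    origin = "https://www.example.com/"
    # Visitor 1 fetched the page through the origin, so its objects were learned.
    direct = PositiveFilter({origin})
    direct.page_served(origin, SAMPLE_PAGE)
    direct_ok = direct.check("10.0.0.1", "https://www.example.com/img/logo.png")
    # Visitor 2 got the same page from a proxy cache: the origin never served it,
    # nothing was learned, and the first legitimate object request trips the ACL.
    cached = PositiveFilter({origin})
    cached_ok = cached.check("10.0.0.2", "https://www.example.com/img/logo.png")
    return {"direct_allowed": direct_ok,
            "cached_allowed": cached_ok,
            "cached_client_on_acl": "10.0.0.2" in cached.acl,
            "learned": sorted(direct.allowed)}


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```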
How can you avoid both application attacks and “False Positives” at the same
time?
There is another issue that we have to bring up. One of the greatest security
threats website operators face today are attacks that use perfectly legitimate
traffic as the means of attack. This kind of attack is called a “Fake-Legitimate”
attack. To illustrate this, we can take an example from the “real” world. Let's say
that there are a certain number of good quality fake tickets to a sports event.
The guards at the entrances to this event will have the difficult job not only of
admitting those who have a valid ticket, but also to look at each and every ticket
and try to judge if it is a real one or a forgery.
The problem with these kinds of attacks is that the security system will need to
intelligently differentiate between legitimate and “Fake-Legitimate” traffic. This
requires very sophisticated intelligence as well as fast processing. Today’s
firewalls and other security systems cannot perform this task. Therefore, they
cannot protect the sites from these kinds of attacks. Current solutions try to
combat them but lack the tools to do that effectively. As a consequence, these
systems create “False Positives” in the process.
It is clear that conventional IDS's do not stand a chance in the fight against
either “Fake-Legitimate” attacks or False Positives. These kinds of systems use a
signature database of known threats against which they check incoming traffic.
This has serious drawbacks, since the method cannot protect against attacks for
which it does not have a record. It also can generate many False Positives while it
fails to discriminate between legitimate and malicious traffic.
There are also security systems in the market that attempt to detect attacks by
identifying traffic anomalies. While the theory is good, one of the major
drawbacks of such systems is that they find it difficult to differentiate between
legitimate traffic surges and attacks. Such surges can be created by an
advertisement that just ran on TV or a breaking story in the press. Thus, they
often create False Positives by inaccurately identifying such surges as attacks.
The weakness of current IDSs/IPSs is clear. Not only do they need to be able to
inspect over 600 known attack signatures with minimum delay, they need to
reconstruct fragmented streams to avoid partial stream views. Most of the
systems on the market resort to some sort of corner-cutting and are applying
“statistics-based inspections” instead of inspecting every single packet.
For security systems to create false alarms and logs is one thing. But there is a
much more serious problem with active security systems. They can actually block
the traffic to the site. The problem starts when such systems start creating False
Positives and thus block legitimate users. In a case where a person is regarded by
the security system as an attacker and cannot get into his bank account, this will
create a bad impression of the bank. Because of such possibilities, banks prefer
to undergo an attack rather than block a legitimate user. False Positives are
therefore unacceptable.
7.4 Peer-to-Peer
Due to the fact that most security solutions for protection against malicious
viruses are equipped with the capability to trace and block image-embedded
malware, spammers have devised clever ways of utilizing common and legitimate
content which passes through the filters. The disclaimer message at the end of an
email can be one such piece of common content. The content-based filter tags
this as a non-malicious message and allows the infiltration. This method is also
aimed at tricking the end user, whose mind will rest at ease after seeing the
disclaimer text. If the end user allows viewing of infected images or clicks on the
malicious link, the perpetrator will also receive confirmation of his attack, which
puts the end user at higher risk of future attacks.
The growing popularity of blogs has turned them into a target for BotNet
dissemination. The big platforms fell victim first, but as awareness grew, the
attention switched to less popular blog platforms. Some subject lines used
randomly chosen words or misspelled subject lines to evade filtering.
Facebook is also vulnerable to BotNet attacks due to the fact that it provides
access to inside files. Facebook uses two methods to identify and authenticate
users: cookies, which contain session information, and hidden form IDs that are
supposed to ensure that forms come from the user. With either a cookie or
knowledge of a user’s form ID, an attacker can impersonate a victim. A cookie’s
session information would allow an attacker to construct XMLHttp requests and
assume all the same privileges as the user. This is due to the fact that a BotNet
attack will have access to all files on the computer, including the cookie files.
Israeli researchers have come to the conclusion, in research carried out at the
Technion Computer Science Department, that this type of Personalized Internet
Page demonstrates huge potential to distribute different viruses, including
Botnets and others. (According to these researchers, Facebook alone had
124,000,000 registered users as of September 10, 2008.) Despite the enormous
potential to distribute different viruses, these networks were not used as a tool
to distribute worms and viruses until recently, when a new worm by the name of
Koobface started attacking Personalized Internet Pages; it distributes itself and
endangers all such pages. (The research is in Hebrew.)
Experimenting with new methods to bypass tracing has proven effective when
trying to evade Zero-Hour Detection of an attack. Playing with the display is one
of the earliest methods of obfuscation, yet the use of Asian languages has added
value: filters have difficulty because of the writing’s double-byte characters and
the fact that sentences have no spacing between words. The latest twist was
embedding Chinese content with vertical orientation.
7.8 Mobile Applications
Wi-Fi has made surfing the web much more accessible via laptop computers,
PDAs, smartphones and 3G cell phones. There have been mobile malware attacks
in the past two years; however, they have been restricted to spreading viruses, as
no new money-making scheme through cellular communication has emerged.
The same protections are vital on laptops and PDAs, especially since they have
turned into tools of the trade and sometimes contain even more sensitive data.
7.9 Sandboxing
In the constant chase after malware development, when the black hats listed all
researchers in Botnet programming and made a special effort to exclude them
from being targets of active malware, the researchers devised ways to get the
Botnet to activate without harming the host computer. When the malware is
quarantined in what is referred to as a “Sandbox”, it operates under the
impression that it has reached its unsuspecting user, when in fact it is being
probed and explored by security experts. Every finding is diagnosed and
published for immediate practice. That is the nature of the online service and
forum that supplement all three solutions discussed in this paper.
7.10 The Development of BotNets in the Future
According to a survey that was carried out among different Tier 1 and Tier 2
providers, a few interesting conclusions were reached that can indicate how
“tomorrow’s” BotNets will look.
The number of BotNets increases daily, but their size decreases. A few years ago,
we could have identified BotNets that incorporated 80,000-140,000 computers;
today, this number has decreased to a few thousand or even hundreds. This
phenomenon can be explained by the fact that smaller BotNets are harder to
identify and much easier to sell or rent. An additional reason derives from the
fact that almost every computer today has a broadband connection, so a few
hundred computers with 1 Mbps each can saturate an OC-3 link that serves
many networks.
It is certain that BotNets are a desired product in the market, and many people
are willing to pay in order to purchase a BotNet. When there is demand from the
market, there is also supply, so we can expect BotNets to continue to develop
and to remain a very serious threat to today’s computers.
Chapter 8: Trends of Security Products
Mi5 takes a different approach to detecting and blocking bots. Instead of just
relying on IP blacklists or desktop signature detection, Mi5 has developed a
series of patent-pending algorithms that use a combination of cues to detect and
block Bots. The technology looks inside the company’s network for C&C
communication, IP scanning, spamming and other BotNet activity, and develops
a “confidence score” for the traffic coming off Bot-infected PCs.
As soon as some activity is detected, Mi5’s technology, the WebGate, flags the
PC as “suspected.” Once enough of Mi5’s algorithm triggers have been tripped,
and Mi5 is confident the machine has an active Bot on it, the WebGate flags the
PC as “active” and blocks outbound Bot communications. But since typically only
5-15% of Bot-infected PCs are active at any one point in time, Mi5 goes one step
further, marking PCs that had active Bot activity but are no longer
communicating as “Inactive.” With that information, operators can prioritize the
cleanup work and focus on the active Bots first.
Mi5’s WebGate appliances not only block incoming Bot and Trojan infections, but
also track the spread of BotNet infections throughout the organization, and
prevent Bots from sending any data back out of the organization.
This company’s BotNet capabilities are included with every WebGate appliance,
so separate point solutions are not needed to tackle the BotNet problem in the
enterprise.
8.2 CheckPoint
8.3 CommTouch Ltd.
The company’s first product is a security portal on the Internet that researches
security vulnerabilities and issues security alert updates. It provides warnings
and then provides solutions to these vulnerabilities.
The company developed an automated scanning engine. This product scans the
organization’s network and simulates attacks originating from either the internal
or the external network. It then gives a report of the security vulnerabilities of
the organization and possible solutions to fix those vulnerabilities. The engine of
the product is updated on a regular basis with recent security vulnerabilities.
8.5 PINEAPP LTD.
This company develops technology to secure networks and email systems from
attacks such as Botnets, spam and other malicious attacks.
8.7 BeeFence
This company develops a technology to deal with security threats such as Denial
of Service (DoS) attacks, BotNets and server malware, and DoS and DDoS flood
attacks. The technology is aimed at blocking attacks before they get anywhere
near the application level and takes a multilayer approach. Their main product,
DefensePro®, is an in-line intrusion prevention, DoS protection and
traffic-shaping solution designed for enterprise core and perimeter deployment,
data centers and carrier backbones. It is aimed to be the industry’s solution that
fully integrates adaptive, behavior-based protection capabilities at both the
network and application levels.
network and server threats including Zero-Day attacks such as BotNets and
Trojan horse without requiring human intervention.