Threat Level: green Handler on Duty: Tom Webb

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cyber Security Awareness tip #22 Detecting and Avoiding Bots and Zombies

Published: 2007-10-21
Last Updated: 2007-10-22 16:28:17 UTC
by donald smith (Version: 2)
0 comment(s)

Today is the 22nd day of our Cyber Security Awareness month which means we will be covering Detecting and Avoiding Bots and Zombies. If I had created the list I would have put this on the 31st in honor of Halloween.
One problem solving technique I like is divide and conquer.

So divide this task into two sections one for detection and one for avoiding the Bots and Zombies.
Then let us break it again one network based and one for host based methods.
Detection Network based:
How does one detect Zombies?
One way is to watch network traffic for unusual destinations, services, packet type, or packets per second.
Enterprise networks often have the ability to look at firewall, IDS and other logs for network anomalies.  
Home users may not have or may not know how to use their network devices to look for anomalies. Purchasing a network detector or using currently available network based reporting tools would help many home users detect Zombies.

Running a nepenthes server (http://nepenthes.mwcollect.org/) listening on local subnet(s) is a great way of automating detection of infected hosts scanning local subnets for other vulnerable hosts. (Ned)
Similar to above, setting up and monitoring a darknet to identify spurious network traffic can help with early detection of infected hosts. (Ned)


I have written an IDS rule that looks for IRC nickname changes on non-standard ports.  With a network of over 15,000 PC's worldwide, my true positive detection rate is over %90.
alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"CHAT IRC nick change on a non-standard port"; content:"NICK "; offset:0; nocase; classtype:policy-violation; sid:100001; rev:1;) (Brian)

Gary wrote in to remind us of Bot-Hunter http://www.cyber-ta.org/BotHunter/
"BotHunterTM is a novel, dialog-correlation-based engine (patent-pending), which recognizes the communication patterns of malware-infected computers within your network perimeter."


3rd party reporting services:
Many enterprises have a 3rd party service that assists them in detecting Botnet members within their network.
Home users frequently do not have such resources or do not know they have access to those resources.
Most home users do not have static IP addresses. Their IP address change with some frequency. There are a number of services that will report your external IP address. Given the external IP address a home user can type it into the main Internet Storm Center page and type their external IP address into the “port/ip lookup/search: box and click GO.
This way home users can see if their address has been reported by any of the dshield users. They can also use a well known trusted Remote Black Listing service (RBL).

Detection Host based:
There are many great host based network detection tools. They all have the same basic flaw once the system is compromised by an unknown, undetected exploit they can be disabled or circumvented.

Most enterprises monitor various host or application logs for significant system events.

Most home users do not. They either don’t know how or don’t have the tools.

Many bots/zombies contain built in backdoor functionality. Netstat is a great tool for identifying unknown processes listening on external ports that shouldn't be. (Ned)

Avoiding Bots and Zombies:
Network based:
Block unknown or untrusted services and content.
Enterprises often do this by having an enforced network policy.
Most home users do not have a network policy or a method to enforce one.

Many/most bots spread through known vulnerabilities - ensure all software is fully patched (not just Windows Updates). (Ned)

One thing, which probably isn't addressed enough for the home users, is if they are running any type of software firewall, they should block IP ranges that are known as bad. I have used a software based firewall for years on my home network, and it is simple to add a range of IP's that I never visit or plan to visit any time soon.Also most home routers offer a basic firewall that they can master in a short period of time to perform IP address space and untrusted or risky port filtering. (Gary)


Human filtering:
Many bots or zombies are installed by the end user. Usually this occurs unknowingly due to some social engineering trick. Being a bit paranoid or untrusting can significantly improve your odds in avoiding Bots and Zombies.   

I am sure a lot of you have some great ideas on how to avoid or detect Zombies and Bots please contribute your comments via the contact link @ http://isc.sans.org/contact.html.

Keywords:
0 comment(s)

Cyber Security Awareness Tip #21: Understanding Online Threats

Published: 2007-10-21
Last Updated: 2007-10-21 15:41:26 UTC
by Stephen Hall (Version: 1)
0 comment(s)

Its day twenty one of Cyber Security Awareness month and today is Understanding Online Threats.

My main function in life is the security of kit with plugs on. Application security I leave to a different bread of people. However, I have learnt one application security mantra over the years and it fits into todays theme perfectly - In the client / server model -  Never Trust The Client.

In an ever increasingly hostile online world, how do you do business with what could be a hostile client, which could be your PC, or the PC of one of your customers.

In the last few days, I've read some amazing tips presented around how to perform authentication. A lot of these are targeted at preventing phishing fraud. Phishing, for those recently returned from a distant planet, is the collection and fraudulent use of credentials to make money. During my day job with a financial institution I have experienced a wide and varied methods used by organised phishing gangs. Probably the most prolific of those in wide spread use is Rock Phish, and it is a good example to gain an understanding of the scale of the problem. Check out f-secure's blog entry, they have a video (here) which shows some of the numerous online banking sites being targeted.

The principal a phisher uses is the time delay between the fraud being performed, and the fraud being detected. This attack method is made more effective by the length of time it takes to take down a phishing web site and as we've seen Rock Phish has increased the effectiveness by increasing the number of web sites being hosted at any one time.  Supporting this is a huge organised crime subsystem to get the money into the hands of the bad guys. So, as a user of online banking, auction house, etc, always look for unexpected information. Does the web site show the date of last log in, does it tally with your activities? If not, contact their customer help desk and have your account checked.

Customer education is the first line of defense in the fight against phishing. Teaching your customers not to expect e-mails from your organization ever requesting your credentials is paramount.  CyLab have recently released an anti phishing educational game, check it out here .

Phishing often uses URL Obfuscation techniques to make that link you click on all that more real. Ed Skoudis compiled a list of techniques often used by phishers and it is hosted here at the ISC. The page is here and the source code of the attack techniques here 

To get over this threat, the use of modern browsers with built in rogue site detection or add on toolbars which alert users to potential phishing sites should be considered. But be careful about how you recommend your customer base to do this, as the phishers could jump on your "download and install now!" bandwagon to distribute trojans. Communication of this sort is only recommended once  the customer has authenticated to you, and equally that you have authenticated to them.  There are a few examinations of this sort of technology on the web, such as CERT's report .

However, Phishing needs the banks customer to give away their credentials, and customers are becoming more aware of the dangers. So the fraudsters are moving to trojans, and to other areas to cast their phishing nets. The area's of the Internet that phishers are covering is colossal, from Banking, to identify theft, from auction sites, to online gaming, any where a credential is used, and money can be made, phishers are targeting. There will be more on online gaming safety later in the month.

In the financial world, trojans are the 'soup de jour'. If your system has been infected with a modern banking trojan it is game over, it is often safer to format, and reinstall. The trojans are now so advanced as to render what you see through your browser as totally unbelievable. 

To protect yourself against this sort of threat, have a good antivirus product installed and update signatures daily, make sure you are patched, and that you are running an effective firewall product. Check with your bank, some of them are giving away AV/Firewall products so you might not even have to buy one. Look back through the last few days to get tips on how to configure your operating system of choice.

The move from username and password authentication to two-factor authentication is underway, some banks and organisations such as e-bay . There are multiple standards in play here, and we will all - maybe in the short term - end up with multiple tokens to use to authenticate as your bank, and your auction site may use different technologies. If your financial organisation of choice uses such two factor authentication for log on, but not for marking your transactions to third parties as valid, then trojans are an active threat to any transactions you make.

How do you protect your online commerce? What steps do you take to protect yourself from the bad guys online? What do you tell you family members and friend to do to stay safe online? Send your suggestions to us here and we may put your idea up in lights.

Update #1

Ray sent in the following tips:

I stress to my friends and relatives to unwaveringly adhere to the following rules:

  • Never respond to unsolicited emails regardless how authentic the email appears.
  • Never click on a provided url or dial a provided telephone number. Ever.
  • If you think an unsolicited email may be authentic then contact that organization through a previously established communications channel. This could be from a phone number off a bill or contact information from their website (but the website access has to be made from a new browser window using a saved Favorites link that YOU previously established).
Keywords:
0 comment(s)
Diary Archives