Confe 18
There’s a botnet!
[Chart: botnet size, Stuxnet vs. this botnet; y-axis 0 to 5,000,000 infected hosts]
©2009 Felix Leder, Tillmann Werner
Copyright © 2010 Felix Leder & Tillmann Werner, Honeynet Project, Giraffe Chapter, Germany
Most IT Experts agree...
What if …
C&C Communication
• Communication is signed
• C&C domains change
• Possible to get hold of some domains
Mission Impossible
• Different approaches
– Take down (physical) C&C server
– Unplug network cable
– Block all (known) domains
– Arrest Botherder
• Problems
– There is no single (physical) C&C server; any server is replaceable
– The C&C domain address changes every day
What if…
Estimating success rate
• We control some C&C domains but can’t issue commands (signing)
• Approach: Wait for contact and scan (scanning possible without risk)
[Chart: estimated success rate; y-axis 0 to 0.03]
Success rate varies
[Chart: success rate and open-port rate per country (LT LV RO HU FI BG IT LU NL IE SK SE PL PT AT DE FR GB ES DK CZ EE GR CY MT SI BE); y-axis 0 to 0.1; MX = 2.6%]
What about your network?
• Possible partners
– Governments (governmental networks)
– ISPs
Well tested!
All software
• Exploit
• Disinfection Tool
Guarantees
• What if…
– … the botnet infects a hospital and medical devices stop working?
– … the botnet infects a (nuclear) power plant / critical infrastructures?
– … the botnet infects military equipment?
AFTER BREAKING IN…
Install antidote
• Remove infection
• Patch original security hole
(no re-infection)
• Install vaccine
• Remove self
Software Complexity
Is it Ethical?
Is it legal?
• Hmm, actually not … to run software without the user’s permission
• ISP EULA
• A “service” for customers (Microsoft, Adobe, …) - EULA
• Military, NATO – “defensive measure”
NATO?
What about locality?
Conclusions
What if we take active measures?
• Is it ethical?
• Is it legal?
• Who is responsible if something really bad happens?
What if we just pretend that we can’t do anything?
• Is it ethical?
• We can do something and prevent further damage!
What if …
Talk to us!