
What if….?

Felix Leder, Tillmann Werner

©2009 Felix Leder, Tillmann Werner



There’s a botnet!

• 4 – 5 million IPs / day counted at C&C


• Around for more than two years

[Chart: bar chart of bot population, y-axis 0 to 5,000,000; bars: Stuxnet, This Botnet]

Copyright © 2010 Felix Leder & Tillmann Werner, Honeynet Project, Giraffe Chapter, Germany
Most IT Experts agree...

“…size does NOT matter”


(some exceptions):


What if …

This botnet is far from harmless…


• Military equipment
• Hospitals

C&C Communication

• Communication is signed
• C&C domains change
• Possible to get hold of some domains

[Diagram: bots exchanging signed messages with the C&C]

Mission Impossible

C&C Server Takedown

• Different approaches
– Take down (physical) C&C server
– Unplug network cable
– Block all (known) domains
– Arrest Botherder

• Problems
– There’s not a single (physical) C&C server - replaceable
– The C&C domain address changes every day
(switch between arbitrary networks)
– For how long do registrars cooperate (for free)?
(6 months, 1 year, 5 years)
– Why is it so hard to arrest the botherder?

What if…

…there’s a cure for the infected machines


It’s a remote buffer overflow…

• Exploit a flaw to “break into” the infected system


• Needs to be tailored to
– Windows version & service pack
– Locale
• Potential to crash systems
• Not every infected machine can be reached
Estimating success rate
• We control some C&C domains but can’t issue commands (signing)
• Approach: Wait for contact and scan (scanning possible without risk)

[Diagram: infected host behind NAT / Proxy contacting the controlled C&C domain]

Estimated success rate

• Time span: August – now


• Random samples
• World-wide average: 2.6% (~ every 40th computer)

[Chart: Cleanup Ratio (global), y-axis 0 to 0.1]
Success rate varies

• Some countries have more open systems (up to 25%)
(no firewalls?, no NAT (more IPs)?, no proxies?)

[Chart: Cleanup Ratio (world), y-axis 0 to 0.3; x-axis countries MD VC MY AF KZ TW ME GE KN; series: Success-rate, Openport-rate]

Success rate varies

[Chart: Cleanup Ratio (EU), y-axis 0 to 0.12, annotation “MX = 2.6%”; x-axis countries LT LV RO HU FI BG IT LU NL IE SK SE PL PT AT DE FR GB ES DK CZ EE GR CY MT SI BE; series: Success-rate, Openport-rate]
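The estimation method on the preceding slides (wait for an infected host to contact a controlled C&C domain, probe it, record the outcome) produces exactly the per-country Success-rate and Openport-rate series the charts plot. The script below is an added example, not the authors’ code: it parses a constructed sinkhole log, aggregates open-port and cleanup rates per country and globally, and attaches a Wilson score interval so that a rate computed from a handful of random samples is not mistaken for a precise figure. The log format, the IP addresses (documentation ranges), the country codes chosen for the samples and every outcome are made up for illustration.

```python
"""Per-country open-port and cleanup-rate estimation from a sinkhole log.

Added example (not the authors' code). A sinkholed C&C domain sees the
infected host connect; because C&C traffic is signed no command can be
issued, so the host is only probed and the outcome recorded.
"""
from collections import defaultdict
from math import sqrt

# Constructed sinkhole log (not real data). Fields: timestamp, source IP,
# country code, probe outcome, and for reachable hosts the disinfection result.
SINKHOLE_LOG = """\
2009-08-12T10:01:02Z 203.0.113.5 DE probe=closed
2009-08-12T10:01:09Z 203.0.113.9 DE probe=open result=cleaned
2009-08-12T10:02:14Z 203.0.113.12 DE probe=closed
2009-08-12T10:02:40Z 203.0.113.17 DE probe=open result=failed
2009-08-12T10:03:01Z 203.0.113.22 DE probe=closed
2009-08-12T10:03:33Z 203.0.113.30 DE probe=closed
2009-08-12T10:04:05Z 203.0.113.31 DE probe=closed
2009-08-12T10:04:50Z 203.0.113.40 DE probe=closed
2009-08-12T10:05:12Z 203.0.113.44 DE probe=closed
2009-08-12T10:05:58Z 203.0.113.51 DE probe=closed
2009-08-12T10:06:10Z 198.51.100.3 MD probe=open result=cleaned
2009-08-12T10:06:22Z 198.51.100.8 MD probe=closed
2009-08-12T10:06:45Z 198.51.100.14 MD probe=open result=cleaned
2009-08-12T10:07:03Z 198.51.100.19 MD probe=open result=failed
2009-08-12T10:07:30Z 198.51.100.21 MD probe=closed
2009-08-12T10:07:59Z 198.51.100.27 MD probe=open result=failed
2009-08-12T10:08:15Z 198.51.100.33 MD probe=closed
2009-08-12T10:08:41Z 198.51.100.38 MD probe=closed
2009-08-12T10:09:02Z 192.0.2.4 NL probe=closed
2009-08-12T10:09:20Z 192.0.2.11 NL probe=closed
2009-08-12T10:09:47Z 192.0.2.15 NL probe=closed
2009-08-12T10:10:05Z 192.0.2.23 NL probe=closed
2009-08-12T10:10:31Z 192.0.2.29 NL probe=closed
"""


def parse_line(line):
    """Return (country, reachable, cleaned) for one log line, or None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    country = parts[2]
    kv = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    reachable = kv.get("probe") == "open"          # port reachable: no NAT/proxy/firewall in the way
    cleaned = reachable and kv.get("result") == "cleaned"
    return country, reachable, cleaned


def wilson_interval(successes, trials, z=1.96):
    """95% Wilson score interval for a proportion; stays inside [0, 1] even for tiny samples."""
    if trials == 0:
        return (0.0, 0.0)
    p = successes / trials
    denom = 1 + z * z / trials
    centre = (p + z * z / (2 * trials)) / denom
    half = z * sqrt(p * (1 - p) / trials + z * z / (4 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def aggregate(log_text):
    """Counts and rates per country plus an 'ALL' row, mirroring the Success-rate / Openport-rate charts."""
    counts = defaultdict(lambda: {"contacts": 0, "open": 0, "cleaned": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        country, reachable, cleaned = parsed
        for key in (country, "ALL"):
            counts[key]["contacts"] += 1
            counts[key]["open"] += reachable
            counts[key]["cleaned"] += cleaned
    stats = {}
    for key, c in counts.items():
        n = c["contacts"]
        stats[key] = {
            **c,
            "openport_rate": c["open"] / n,
            "success_rate": c["cleaned"] / n,
            "success_ci95": wilson_interval(c["cleaned"], n),
        }
    return stats


if __name__ == "__main__":
    for cc, s in sorted(aggregate(SINKHOLE_LOG).items()):
        lo, hi = s["success_ci95"]
        print(f"{cc}: contacts={s['contacts']} open={s['openport_rate']:.1%} "
              f"cleaned={s['success_rate']:.1%} (95% CI {lo:.1%} to {hi:.1%})")
```

The interval is the part worth keeping when reading the country charts: a 10% success rate from ten contacts is compatible with anything between roughly 2% and 40%, so differences between small countries say little until the sample is large.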
What about your network?

• Within network, higher success rates:
– Fewer firewalls
– No NAT
– No proxies

• Possible partners
– Governments (governmental networks)
– ISPs
– Companies
– End-users

What about the “crashes” and “tailored stuff”?

• Reliable “exploit” has to be fit to:
– OS version
– OS locale
• Wrong version will crash

Reliable exploit development

• Research on shared properties among versions
• Well tested
(Cooperation: Test Matrix of some organisation)
• Query infected host for version
• Only fire countermeasure if 99% sure
(what about the remainder?)
Well tested!

All software
• Exploit
• Disinfection Tool

• Use of Test Matrix
– Different OS versions
– Service Packs
– Patch Levels
– Locales

Query infected host
Guarantees

What about the remaining 0.x% of uncertainty?

• There are no guarantees for things that can go wrong with software
• Does Microsoft give guarantees for bug-free software?
• Does open source guarantee fewer security holes?
• Does your AV vendor guarantee 100% detection?
• Does your spam-filter work w/o false positives / false negatives?

What if something breaks?

• Nobody wants to take responsibility

• What if…
– … the botnet infects a hospital and medical devices stop working?
– … the botnet infects a (nuclear) power plant / critical infrastructures?
– … the botnet infects military equipment?

Who is responsible if the botnet breaks something major?



What if this could have been prevented?

AFTER BREAKING IN…


Install antidote

• Remove infection
• Patch original security hole
(no re-infection)
• Install vaccine
• Remove self

install and run software without user’s permission

Software Complexity

• Such an application is much more complex than an exploit


• More complexity, more bugs

• What if something breaks?

Well tested but no guarantee
Is it Ethical?

• Is it ethical to break into someone’s computer and to take away his autonomy?
• Is the computer still under the user’s control?
(autonomy is broken anyway)
• Is the user able to take care of himself?
(Why do we need anti-botnet customer care centers?)
• Is it ethical to let an infected machine attack others?

Is it legal?
• Hmm, actually not … to run software without the user’s permission

Where is it legal, today?

• Some countries are very liberal: “good intentions”
NL: [Cybercrime and Jurisdiction. A Global Survey, BJ Koops]
• Legal if performed within a company

Possible ways to make it legal (geek point of view):

• Countries make more liberal laws (for this situation)
• ISP EULA
• A “service” for customers (Microsoft, Adobe, …) - EULA
• Military, NATO – “defensive measure”
NATO?

Locality?
What about locality?

• Attackers may use multiple hops
(only last hop is seen)
• C&C servers have better uptimes in CN, RU, UK, …
• What about (terrorists) provoking a counterstrike against e.g. China?

What does that mean for disinfection?

• An infected host may be situated somewhere else
(VPN, multi-tier structure in the botnet, …)
• The disinfected host may look like NL but data modifications happen in US → NSA, CIA, FBI, …
• Tensions on diplomatic level

What if local information is very reliable for our botnet?
Conclusions
What if we take active measures?
• Is it ethical?
• Is it legal?
• What about liability?
• What about responsibility?
• Progress in arms race

What if we just pretend that we can’t do anything?
• Is it ethical? We can do something and prevent further damage!
• Who is responsible if something really bad happens?
• Who is liable for any damage?
• A black-market without risks is growing fast

What if …

• … the botnet is real?
• … we are about to prototype and are looking for partners to cooperate and test within their realm:
• … you are a country, ISP, company, … with infections

Talk to us!