Thursday, July 19, 2007

Managing and Monetizing Victims

I'd like to briefly point you to two must-read articles, if you haven't seen them already. First, the Honeynet Project published Fast-Flux Service Networks. Basically, intruders have introduced availability and load balancing features into their bot networks by quickly changing the IP addresses of redirectors pointing to back end servers (a technique called "single flux"). They may also rapidly change the IP addresses of the authoritative domain name servers (called "double flux") to further complicate identifying and shutting down bot nets. I'd like to hear how many of you predicted this would happen before the technique was reported by the Honeynet Project this month. Of those that say "I knew," did you know about it a year ago, when it was first detected by the Honeynet Project? And if you have known about it or predicted it, what did you or your security team do to detect and/or mitigate the attack?

My point is the vast majority of enterprises have not known about this, and they have no way to know if they've been affected. However, if you've been implementing Network Security Monitoring for any decent period of time, you have a rich data source to mine for indications of this activity. Now that you know what to look for, you can see if you're affected. The power of NSM is keeping track of what's happening on your network so that you can perform investigations once you know where to look.
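One way to mine stored DNS data for the single-flux and double-flux patterns described above, as an added example that is not code from the post or from the Honeynet Project; the record layout, the two-label zone rule and the thresholds are assumptions to tune against your own NSM baseline:

```python
"""Fast-flux candidate detection over passive DNS (added example; not the post's or
the Honeynet Project's code). Records are (epoch_seconds, qname, rrtype, rdata, ttl)
assumed to come from NSM DNS logs; thresholds are assumptions to tune locally."""
from collections import defaultdict
import ipaddress

# Constructed sample: a stable site and a fluxing name observed over 10 minutes.
SAMPLE = [
    (0,   "shop.example.net", "A",  "203.0.113.10",    3600),
    (600, "shop.example.net", "A",  "203.0.113.10",    3600),
    (0,   "example.net",      "NS", "ns1.example.net", 86400),
    (0,   "flux.example.org", "A",  "198.51.100.17",   300),
    (0,   "flux.example.org", "A",  "192.0.2.44",      300),
    (300, "flux.example.org", "A",  "203.0.113.201",   300),
    (300, "flux.example.org", "A",  "198.51.100.93",   300),
    (600, "flux.example.org", "A",  "192.0.2.130",     300),
    (600, "flux.example.org", "A",  "203.0.113.5",     300),
    (0,   "example.org",      "NS", "ns1.example.org", 300),
    (300, "example.org",      "NS", "ns2.example.org", 300),
    (600, "example.org",      "NS", "ns3.example.org", 300),
]

def zone_of(name):
    """Assumption: the zone is the last two labels (real code would use the PSL)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def classify(records, min_addrs=5, max_ttl=600, min_nets=3, min_ns=3):
    """Return {qname: 'single-flux' | 'double-flux'}: many short-TTL A records spread
    over unrelated networks, with NS churn for the zone marking double flux."""
    addrs, ttls, ns = defaultdict(set), defaultdict(list), defaultdict(set)
    for _ts, name, rrtype, rdata, ttl in records:
        if rrtype == "A":
            addrs[name].add(rdata)
            ttls[name].append(ttl)
        elif rrtype == "NS":
            ns[zone_of(name)].add(rdata)
    verdicts = {}
    for name, ips in addrs.items():
        # Distinct /24s approximate scattering across unrelated (broadband) networks.
        nets = {ipaddress.ip_network(ip + "/24", strict=False) for ip in ips}
        if len(ips) < min_addrs or max(ttls[name]) > max_ttl or len(nets) < min_nets:
            continue
        double = len(ns[zone_of(name)]) >= min_ns
        verdicts[name] = "double-flux" if double else "single-flux"
    return verdicts

if __name__ == "__main__":
    print(classify(SAMPLE))  # {'flux.example.org': 'double-flux'}
```

The /24 spread check is what keeps a CDN that hands out many short-TTL addresses from one block out of the verdicts; raise `min_nets` if your resolver logs show legitimate names that still trip it.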

A news story on fast flux is Attackers Hide in Fast Flux.

Second, Prevx posted a blog entry titled Ransomware... Holding Corporate America Ransom! that outlines another extortion attempt whereby an intruder will encrypt a victim's data if $300 isn't paid. The fact that money is explicitly involved means law enforcement should be able to "follow the money" to find the attacker, but still consider this: what would your organization do if executives and/or users received such notifications? Worse, what if your data was simply deleted, encrypted, or subtly altered, never mind outright stolen? In other words, you aren't extorted -- you're simply assaulted.

While ransomware is not a new phenomenon, many people do not stop to think of the damage that can be done by not maintaining control of one's assets. Some of you will say "oh, we'll restore from backups." What do you do if you have dozens, hundreds, thousands of users affected? My point is we have to treat compromise of the endpoint as a serious matter, not something that has little or no consequence.

A news story on ransomware is Your Money or Your Documents.

On a related note, check out New Proxy Bot Method and Sigs. Basically the Bleeding Threats team has detected malware that uses compromised hosts as a proxy back into the corporate network. David Bianco reminded me that the Metasploit Meterpreter's portfw function provides the same capability. In other words, once a host is compromised via a client-side attack and it reports back to its command server, the command server can use the new victim as a stepping stone to attack any other reachable part of the enterprise.

Knowing how all three of these attacks operate allows us to build attack profiles so we can better resist, detect, and respond to them when they occur.

Update: Check out Passive Monitoring of DNS Anomalies at CAIDA.

6 comments:

dre said...

Meterpreter's portfw functionality is referred to as pivoting. There are other names for it. CORE invented the term for their techniques in their syscall proxying backdoors, which ImmunitySec's MOS DEF is based on, which, in turn, Meterpreter is based on.

All three major exploitation engines include this ability, and I'm not even aware of other exploitation engines besides the two commercial and one open-source project.

There is a very robust implementation of pivoting called pivoting bouncer, or "pbounce".

The web application security equivalent of pivoting would be something like XSS proxy tunneling.

john fellers said...

While it may seem like a new concept for commercial, or open source 'hacking' tools, botnets, etc. this technique has been used for years in the underground hacking scenes. Attackers would use compromised systems as 'jump' points. They would also social engineer their way into a corporate system, or use a virus/worm that would connect back to an IRC channel and use those to increase their foothold into the corporate networks.

It is an old technique added to new technologies. It is definitely a concern as the attacks become ever increasing in sophistication, evasion, and as cyber crime becomes more organized.

I feel ransomware is still not getting the attention that it needs. I don't think corporations are taking it seriously enough. They still have the attitude that "it won't happen to me" and if and when it does happen, they usually don't report it. Very good articles though!

Alex Raitz said...

To Richard's point about preparedness, the Storm p2p botnet, as described in the Honeynet paper, is fairly easy to detect with NSM because the traffic is so irregular. Most p2p clients will connect to a handful of other nodes to get server lists, etc. Machines compromised by the Storm malware contact thousands of peers in a very short time and end up sticking out like a sore thumb on a monitored network.
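The "thousands of peers in a very short time" heuristic from the comment above, turned into a sliding-window detector over session records, as an added example that is neither the post's nor the commenter's code; the flow tuple layout, the window and the threshold are assumptions:

```python
"""Peer fan-out detector for NSM session data (added example; not the post's or the
commenter's code). Flow records are assumed to be (epoch_seconds, src_ip, dst_ip,
dst_port); the window and threshold are assumptions to tune against a baseline
of ordinary p2p, DNS and web fan-out on your own network."""
from collections import defaultdict, deque

def flag_fanout(flows, window=60, max_peers=200):
    """Return {src_ip: peak distinct peers} for sources that talk to more than
    max_peers distinct destinations within any window-second span."""
    recent = defaultdict(deque)                      # src -> (ts, dst) in window
    live = defaultdict(lambda: defaultdict(int))     # src -> dst -> flows in window
    peaks = {}
    for ts, src, dst, _port in sorted(flows):
        q, c = recent[src], live[src]
        q.append((ts, dst))
        c[dst] += 1
        while q and q[0][0] < ts - window:           # slide the window forward
            old_ts, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        if len(c) > max_peers:
            peaks[src] = max(peaks.get(src, 0), len(c))
    return peaks

# Constructed sample: one client reaching 20 peers in a minute, one Storm-like host
# reaching 300 peers in the same minute, and one host reaching 300 peers over an
# hour (slow enough to stay below the window threshold).
NORMAL = [(i * 3, "10.0.0.5", f"192.0.2.{i}", 4000) for i in range(20)]
STORM = [(i // 5, "10.0.0.9", f"100.64.{i // 256}.{i % 256}", 4000) for i in range(300)]
SLOW = [(i * 12, "10.0.0.7", f"100.64.{i // 256}.{i % 256}", 4000) for i in range(300)]

if __name__ == "__main__":
    print(flag_fanout(NORMAL + STORM + SLOW))  # {'10.0.0.9': 300}
```

The SLOW host shows the detector's blind spot: the same 300 peers spread over an hour never exceed the threshold inside one window, so pair this with a longer-window count if slow scanners matter to you.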

Adam said...

So I'm a little confused. How would this affect my business? Let's say I run a little blog, call it emergentchaos.com, and pretend I ran ads.

Why should I care if someone's botnet is running around doing this?

I see why botnet fighters care, but assuming I'm uninfected, and not being DOS'd, why does this impact my org?

dre said...

I'd like to hear how many of you predicted this would happen before the technique was reported by the Honeynet Project this month. Of those that say "I knew," did you know about it a year ago, when it was first detected by the Honeynet Project? And if you have known about it or predicted it, what did you or your security team do to detect and/or mitigate the attack?

I first heard about the technique at DEF CON 12 (2004). No further comment.
