
BSides DC would like to thank all of our sponsors, and a special thank you to all of our speakers, volunteers and organizers for making 2018 a success.

First of all, thanks everybody for being here. I hope you've had a great con here at BSides DC. I'm Cheryl Biswas, I'm your friendly Canadian neighbor to the north; you're welcome north of the border anytime. All right, I'm also very proud to be a founder of the Diana Initiative, and we champion women and diversity in tech. We just had our second event in Las Vegas this summer. You can also find me online as encrypted. We all know what this is, but you can say it with me if you want: views and opinions expressed herein are those of the presenter only and do not represent those of any employer, past or present. And now my employer is much happier.

Okay, let me show you our agenda for today as we explore what is an evolution of evil, because there are many stories to be told. We'll question our choices around IoT, we'll take a look at who's out there, we'll talk about miners and money, and then we're gonna play a little game of what-if.

Now, botnets aren't something that's new. They've been around for a while, but they have been steadily evolving. They're well past the point of being an annoyance or an inconvenience; they've moved into the enterprise realm, and when they have the capability there, to do a lot more damage. I work in threat intel, so my job is to track the trends and to identify the things that could potentially cause business risk or harm the bottom line. So for me there was no question out of the gate in January this year: when I noticed massive botnets and crypto miners, I thought that that was attention-worthy. The thing is, with business it's not a problem until it's a problem, and so things suddenly changed around June with VPNFilter, and I found myself staying up all night working on a very important report on this new trend of botnets. We can all agree it is not a new trend; however, it's now the end of October, and as I see things, botnets pose a clear and present danger. We need to look past what it is we think we know, because something wicked this way comes.

So let's get started. Typically when we talk about botnets, we think of distributed denial-of-service, DDoS, campaigns. So it's an inconvenience and we'll get over it, right? Well, let's talk more about that inconvenience around DDoS. How many people here use GitHub? Okay, so you remember what happened back in February of this year to GitHub: the biggest DDoS attack recorded happened to GitHub, 1.35 terabytes. That was actually twice the size of Mirai. Now, looking at that, Memcrashed wasn't actually a botnet; however, it was a bunch of misconfigured servers that could be
made into a botnet, and we've got a lot of those servers that are internet-facing that shouldn't be, and they live in enterprises that don't seem to know about them, because we've got this ongoing problem with shadow IT. But that's another talk. So how do I know? I had to go looking for them. I have two words for you, okay: asset management. When it is done right, asset management is gonna save your ass time and again. You can quote me on that one. Done the way I have seen it, you are going to get hit.

So I'm gonna illustrate this point with the misconfigured memcached servers that were accessible via the public internet. That's a very important statement, accessible via the public internet, because the predecessors were the [inaudible] and Couch databases, and I'm pretty sure some of you last year saw what happened to a whack load of those. Then they got totally pwned by ransomware, and you can see how well that lesson was applied here, and it's only going to keep happening. So by way of a quick explanation for people who may not know or be familiar with the term memcached, because I certainly wasn't: it's all about helping to boost the response time for database-driven websites, and it's a memory caching. So what you've got here is a default insecure configuration, and we have experienced a number of major issues around insecure default configurations. We understand this very well. In this case it allowed for a DDoS attack by using the UDP packets that were amplified by these servers, and amplified in terms of 51,000 times. It enabled the attackers to use fewer resources; it greatly escalated the scale of the attack.

I'm going to assume that everybody knows what the CIA triad is, right? Confidentiality, integrity, availability. So it's really easy to understand this in terms of availability and its impact to us, but what if these attacks by botnets were able to impact the other two sides of the triangle? So Martin McKeay is the global security advocate at Akamai, and I know a lot of enterprises use Akamai, and he said this: that a lot of countries don't even have 1.3 terabytes coming in. So if you had an attack leveraged at a country that didn't even have that level of resource, you would see them go offline for a considerable length of time.

Yeah, you knew this was coming, all right. Imagine a zombie apocalypse of COTS. I'm kidding. Oh my god, we connect everything to the internet. This is the connected hell of IoT, where set it and forget it really is the best practice. So default passwords are de rigueur, embedded system vulnerabilities are everywhere, and we haven't even factored in what is a veritable tsunami of unsecured connected devices being acquired within the developing world. So
botnets a few years ago were used by script kiddies who were playing the Grinch at Christmastime and just, you know, owning Xboxes and PlayStations. But now, well, now we've got bigger kids to worry about, and the attacks have taken on a whole new meaning, because botnets have become one more weapon in a digital arsenal for the games that nation-states play. There's no referees and there's no playbooks. So we've now experienced the impact of DDoS botnets built from hundreds of thousands of Internet of Things devices compromised, and they represent a rapidly expanding attack surface for us. Problem is, it's consumer-driven, so the race to the finish line doesn't even let security be an afterthought, and there's very little incentive for manufacturers to do things better. And how do we even begin to regulate this? Okay, put up your hand if you want to be a regulator; we'll single you out afterwards.

All right, at the beginning of this month another nine million inherently insecure devices got added to the botnet trough. It's not really the devices in IoT botnets that are, this is per Jeremy Canelli of FireEye, but it's that things are just left out there untended, not updated, and the problem is a non-technical average user just thinks it's a glitch, when in essence they have no idea they are being compromised. So how about this: botnets that are built to download other botnets. That's wicked, and actually that is Wicked, which is a botnet that has downloaded Omni, Owari and Sora, which are all spawn of Mirai. So what we've got here is virtually, quite literally even, a playground for attackers with botnets and aspirations. So if they don't see the limits to their creations, we should not limit our expectations of attacks. We all know by now what happens when source code is made public, and there are numerous variants of Mirai and Satori out there, but we need to start thinking hybrid, because there's source code out there as well for Trojans, ransomware and other interesting exploits. I'm gonna let this one speak for itself. By chance, does anybody follow Bob Rudis? He's with Rapid7. He does a lot of interesting posts on Twitter with regard to data science and botnets, and he's put some interesting, scary stuff out there this past year.

Okay, so let's talk a bit more about who's out there. I would say that Mirai was the pivotal moment. How many people here remember the fall of 2016 when the East Coast went down? There was no Twitter, there was no Facebook, there was pretty much no internet, and Dyn got DDoSed. I want you to take a very good look at this map, because this is what I believe it looks like when botnets as a weapon happen, but this is actually just stage three of that Mirai attack back in 2016
and the cost to businesses in downtime was significant. These are some of the major botnets since Mirai. This is where it pretty much all happened for me. I'm gonna say it incorrectly, but Smominru. So this is when I perceived botnets pivoting from DDoS and spam to monetized attack vectors. Smominru was a giant mining rig, one of the biggest and most successful cryptojacking botnets that were active, and as we've seen this past year, botnets and crypto mining go hand in glove. It netted 2.3 million dollars, and it leveraged EternalBlue so that it could find and enslave more of the devices, but in this case it learned how to evade sinkholes. Also it uses, or used, the Windows Management Infrastructure, WMI, to help manage and configure more mining lots, and this wasn't something seen up to this point in other miners.

Hide and Seek: is anybody familiar? Has anybody been following the development of botnets over the past year? Okay, these ones are intriguing; that's why I'm presenting them to you, because you really will see the evolution of sophistication and capability, and why we should really be worried. This one emerged in January. It was only the second botnet to have peer-to-peer architecture versus conventional command and control; peer-to-peer enables it not to be trapped. So it also comes with a worm-like spreading mechanism for bot infection, and it's different from the other botnets out there in terms of its complex features and its constant redesign, because why just DDoS when you can do data exfil, code execution and tamper with device operation? This is a bot that's going places. So in May it came back with even more, one magic word: persistence. And this, this my friends, is a game-changer, because before this you could just turn it off, turn it back on, and flush it out of your systems. Not anymore. Then in July, hmm, they added database servers. There's a reason why I put up [inaudible] and Couch: we've got a bad history with servers and their exposure and online susceptibilities. But no, no, there's more, because in September they added the capability for Android devices,

and we all know there is a truckload of those out there and they're not secure. Ah, Mylobot. This one's interesting. This is an attack bot; it was designed for malware-versus-malware wars, and it can hunt and disable malware on the targets. It surfaced from the dark web, I'm not surprised, back in June, and it displayed an unheard-of level of complexity. This is an ongoing theme for this year with various tools and the evasion tactics. Note the anti-VM, anti-sandbox and anti-debug up there. Yes, but even better, its internal parts are wrapped with a lovely encrypted resource file. Now in addition, in addition to the ability to hide itself, it's multi-purpose, multifunctional, so it
could do code injection, but it also does something called process hollowing. Has anybody heard of the term process hollowing? Do you want to give me a quick explanation? Right, so if a bot had this, would you be worried about it? Yeah, me too. Okay, now the malware comes in three layers, and each layer is responsible for executing the layer that comes after it. The final layer uses a reflective EXE technique, so essentially it's running EXEs in memory. None of this stuff is really happening on the disk, and we all know that if you do stuff from memory, you're not being able to track it or trace it. So Mylobot can be used to download whatever its bot herders want: if you're thinking ransomware, if you're thinking crypto mining, if you're thinking banking Trojans, spyware, anything.

Did everybody get that FBI notice in June? Oh my god, half a million SOHO routers across 54 countries. Now this malware strain, it's incredibly complex compared to the other stuff out there, but for good reason, because we know that it is nation-state driven, and this is the second bot that was equipped with support for persistence, remaining after it was rebooted. And I hate to say this, but a lot of people, a lot of people believe that we haven't kicked it. It is still thriving out there, and despite what the FBI had said, if we can detect it and we can clean it, a lot of people believe those infections are still valid. So what this one does is it scans for components, and it has a function that will wipe the firmware and incapacitate affected devices. Sounds a little bit like Stuxnet, for good reason. Cisco Talos did a series of fantastic blogs with their research on this, and they identified code overlap with BlackEnergy, and if you're not familiar with BlackEnergy, that's the code that was used behind the attacks on the power grids in the Ukraine in 2015 and 2016. So in September Talos stated that this malware was still being developed and enhanced, so it's new and improved with seven third-stage modules. It's got port forwarding, it's got a SOCKS5 proxy, and it's got a reverse TCP VPN on the infected devices. From Russia with love.

And I'll wrap this section up with Torii. This is the latest evolution in Mirai's botnet experiments. Yes, this one offers wide coverage from multiple CPUs. Now while that happens to be common for Mirai variants, what's interesting here is this is the largest amount of variants seen to date; it is a massive number. The security researcher who caught the sample found that it was tunnelling through Tor, and everybody understands, I'm sure, that Tor is The Onion Router network, so that you can't be detected, hence its name. This botnet goes after systems with telnet exposed, yeah, and weak credentials. Who does not, currently? There's a lot of them out there, though. It determines what the system is, and then it will use several versions of the same command to ensure payload delivery, backups on backups, quite literally. And this botnet is lucky number three to achieve persistence after reboot, so we've got three of them out there. Yes, it runs six methods concurrently to ensure that it gets loaded and stays running. You actually can kick it off, but you have to restore back to default settings. I don't believe that, I don't know if that works for VPNFilter, but it does in the case of Torii. So my point here is nobody
knows what the heck this botnet is designed for. Typically they're engineered either for crypto mining or for DDoS capabilities; the researchers have said they can't find any indication of either of these. We need to expect the unexpected.

Okay, so who here works in FI? All right. Account takeover, or ATO, has been a massive issue for our sector this past year, just because of the numbers. Attackers use botnets in mass efforts so that they can get malicious logins. Per Akamai, it went from 3.2 billion from January to April to 3 billion from April through May. This is called credential stuffing, so botnets go across the internet to steal login information en masse, and the fact is every business, not just FI, is at risk. It's a huge cost to financial organizations, and it has become an increasing battle to fight. There's days when the bank sites are just absolutely hammered, and we look at our logs and the spikes are massive, showing the attempts to get in. Botnets: it looks like a DDoS attack, but it's much, much worse. So here's the hitch: mitigation impacts user experience. We are all answerable to our customers, so if our customers complain that they cannot access their accounts or that things are slow, mitigation is going to be compromised. What we've learned through our exercises is that botnets are now going undetected when they make their attack methods by going low and slow. We can't hear them; they're much stealthier, and then they get to infect multiple FIs or multiple enterprises and stay in the game.

So this is our life: botnets and Trojans, a match made in heaven, too. I'll talk through a few of them with you just to get you familiar with what we're seeing. Black botnet happens to be a proxy botnet. Why is this important? Again, it's so that you can go undetected. You've got a relay or a chain of proxies; we know sock puppets and proxies from other things in terms of security, same with botnets: you can't follow them, you can't track them. This one is delivering the Ramnit banking Trojan. It's been taken down by law enforcement at least twice, so this is its latest, greatest enhancement. In March we had the Gozi banking Trojan being delivered via the Dark Cloud botnet, and Dark Cloud works very well at delivering several families of malware. So this botnet's appeal comes through how it's using an army of hijacked computers and changing the DNS frequently, as much as 800, no, 287 different DNS addresses just across a 24-hour period. Again, it's very hard to track this. You may have heard of the Necurs spam botnet; that's a big problem for every enterprise, but it took a major pivot in August of this year, specifically going after banking employees through a bunch of spam emails and delivering the FlawedAmmyy RAT.

And last but not least, with Emotet. Emotet is a huge issue for FI, so its growth over 2018 has been to comprise about 59% of all identified malware, and it's become a multi-purpose threat. So with that, it too is a delivery service vehicle for other malware. It's gone on to spawn TrickBot, which targets FI as well as brokerage houses, and TrickBot utilizes PowerShell and Mimikatz, because we all know the value and meaning of living off the land.

So if 2017 was about ransomware, 2018 has been all about crypto miners. There have been some very notable pivots from individual machines up to enterprise systems. Now this is not about the Bitcoin and Monero themselves, but it's
about what it takes to mine them, because miners are resource-intensive: they devour CPU and power. So that's the move behind enterprises, data centers or cloud services. All of those servers and all of that power are a crypto miner's dream, and it's a lot easier to go to those places where they expect high usage of those particular things; you're far less likely to be detected. In the event that it gets detected, crypto miners will be flagged typically as a PUA, or a potentially unwanted application, and I hate to say it, but very often not much gets done in those cases, because of how we're ranking them: they're not identified, people go after what they know, and they persist. My concern is the use of exploits like EternalBlue that are now getting combined with ready and available exploits on vulnerable enterprise systems. Case in point would be the Oracle WebLogic server. Does anybody here use Oracle in your environment? Okay, so there was a critical vulnerability identified earlier this summer. In two days a proof of concept had been distributed across pastebin and GitHub, and it was being actively exploited. So not only do we have to watch for things like that, we also need to watch for an open-source exploit tool known as JexBoss, and this is going after vulnerable JBoss servers. This is the enterprise environment, and the reason I bring this up is we saw a very, very similar kind of attack against this particular group of servers in 2016 with the ransomware attacks.

That's the massive spike. Symantec blocked eight million attacks in December of 2017. Zscaler says that at one point attackers were trying to compromise 30 percent of vulnerable systems across the globe in a 24-hour period. Bless you. But even if your systems are patched, you can still be at risk. You're at risk to the browser-based attacks, and this is an area where considerable growth has taken place and the barrier for entry is low. In June the Prowli botnet infected 40,000 web servers plus modems plus IoT devices for crypto mining, and it redirected users to malicious sites. It leveraged multiple vulnerabilities and it brute-forced credentials in order to gain access. Victims were infected with the Monero miner and then the r2r2 worm, in order to allow this to propagate and expand the botnet. In addition to this, it went after CMS platforms that were running websites and installed a backdoor.

Now when you hear Apache Struts, you should know it's bad. Equifax bad, right? But no, actually it gets worse, because I will now add the magic words EternalBlue. Zealot offers new attack vectors. It automatically delivers malware on internal networks via web application vulnerabilities, and it exploits Apache Struts. It uses EternalBlue and, you know, the other infamous NSA tool cache to propagate internally in your networks,
and then at the heart of it all are easily compromised routers. And what is the router of choice? MikroTik. And that just went from bad to worse, because they leveled it up to carrier-grade routers. We're five months in when the attackers are still finding more ways to pwn even more routers. We did have somebody out there attempting to go and patch these routers, a sort of reverse vigilante.

All right, so the fact is attacks evolve. Where could attackers go with this? What happens when they level up to nation-state capabilities and that bag of tools and tricks? Because the devices that make up armies here don't need to be sophisticated, and the attackers are definitely winning with quantity over quality. And just how much damage do we think then weaponized botnets could do to our environments? Just given this talk, we could estimate their capacity to create an extensive outage or deliver malicious payloads, but what is it that we're not taking into consideration that attackers could potentially leverage next? As we know, most botnets have tasks to fulfill. That means they need to call home, and usually that will reveal the command and control servers, which has allowed us to track them down. I present to you the next pivot: what if they don't have to call home, and what if they just have one job, go for it and propagate? So what we're talking about here is a wormable botnet, self-propagating and leveraging some of the best available exploits out there, like EternalBlue and friends. No human required. Up until now we've seen botnets as something that's been monetized for crypto mining, and just to have a very modicum level of control in terms of a DDoS attack, but then there was Mirai, and Mirai was used as retribution in targeted attacks, first against Brian Krebs but then leveled against a major ISP in France. When DDoS became a weapon, it was no longer just an outage.

So I want to talk a little bit more about what it means in terms of wormable and self-propagating by looking at some worms that have left their mark in history. Michelangelo: damaging, it overwrote the hard drive and the Master Boot Record. Storm Worm was massive, and the infected machines just continued growing and snowballing. Morris worm, well, it started off as a host; this was rapid and far-reaching. Think of how that could affect us today, because the instigator wasn't even able to get it under control as much as they wanted to. Talk about cost: Code Red, both 1 and 2, these were the most expensive in terms of the damage that they caused; we're looking at 200 million dollars a day. For long-lasting, you can't beat Conficker. This resides in the LAN and SCADA and ICS, and it is the bane of their existence, because it goes on to perpetuate older unpatched systems, and it's averaging, believe it or not, 2 million new infections yearly. And last but not least, for sophistication, a nation-state capability, there's Stuxnet. This is a very recent worm going after Android. It has the potential makings of a perfect storm, because there's also a Metasploit module for exploiting and rooting Android devices via port 5555 in an automated and a scripted manner. So this config, this is a misconfiguration issue that actually poses a clear and present danger for any Android device owners.

Which leads me to ask, from an attacker's perspective, which botnets would you pick and why? I'd definitely go with Hide and Seek, not just because of the persistence, but because it's been constantly upgraded and customized with its toolset. Absolutely Mylobot: it's an attack bot, it's built for evasion, it's got layers, it avoids detection. We've got VPNFilter, nation-state capabilities, don't write in. Zealot is malevolence pure and simple, and look what it leverages: living off the land means you don't get detected. And finally Torii, because now we're going into the realm of utilizing Tor, but also all of those platforms, you know, uncharted territory. So what do you get when you combine unpatched vulnerabilities, existing nation-state exploits, millions of inflatable, inherently insecure devices and self-propagating malware? But if you could add to that time delay, being able to evade notice and make less noise, and
then leverage multiple attack methods based on operating system, oh, and establishing persistence, and the cherry on top, it's all automated. Let's have some fun with this now.

Okay, I'm really not as technical as most of the people here, so this should serve as fair warning, since we talked about lowering the bar for entry with botnets. All right, where to start? Oh my god, you can YouTube anything. I found this, the Botnet Bible, but I didn't feel like parting with $25. I love you all, but not that much. So I made a to-do list. Botnet herders' standard business plan appears to be using exploit kits and then getting somebody to click on a link to drop that payload. All right, so what we know is design: we need to use peer-to-peer, because we don't want to get detected easily, and we know that they can track us through conventional command and control. Well, we definitely need a good hosting service, a bulletproof one, preferably in Russia. We have to build something called a stub; that is our infecting file. Then we need to buy a crypter for that stub. It's better to buy it, because there are people whose whole purpose is to be excellent at encryption; we don't have to be good at all the things, right? We know that you can buy that, and that will help us evade detection. And then we know this: you need to find a vulnerability that affects lots of devices, like a router, and we're going to need a RAT, because a remote administration tool is essential here.

I didn't really want to go play down in the dark web, so I stuck to the surface web, and you can find loads of stuff on pastebin, you really can. This is just a selection of some of the bulletproof hosting providers out there. I took a look at one; this is the clientele that you're going to find. I'd like to point out things like GPON loader and Cubot, oh, and we talked about this earlier, JexBoss vulnerability scanner. As you can see, there's some really high-end clientele on these. If you're looking for it, you'll probably find it through your bulletproof hoster. Now we also know we need a crypter for our stub. I went and looked on Hack Forums, and you can see there's an excellent selection of crypters available. We want to be able to bypass conventional AV signature detection. I looked at an offering from Night Crypt. It looks like it has an actual Terms of Service, but it's also all about being able to run on a variety of Windows platforms. You don't have to run on Windows, but I know Windows, so that's what I'm going with, and it already offers us a private stub. So we've covered two points here: we've got our stub and we've got the crypter for it. Please note, I do not know what the hell I'm doing, but I'm happily building a bomb in here. All right, how do you build a RAT? Oh my gosh. Well, I watched a few YouTube videos. I'm not sharing those with you. I will tell you that this one literally was idiot-proof, me being the idiot, and it walked me through how I would configure the ports on my firewall and router so that I could actually run this. If I can do it, think about who else could do this who doesn't have my ethics.

Okay, what are we gonna use for botnet code? Again, I found lots of stuff. GitHub has a great variety of things; pastebin will often actually redirect you to GitHub to find more of the code. So I went looking and I found this one, UFONet. It's UFOs, it's got to be fun, right? And it looks really straightforward and simple, which actually it is, and if you want to just build a botnet for free, you follow the instructions online: zombies and droids and aliens. But it's really straightforward, it's very simple, you follow the instructions, you build your botnet and you're ready to go. Remember we talked about finding a good vulnerability that goes after a lot of devices? This happens to be a router vulnerability exploited through the Hajime botnet, one of many choices you can find online for free. Now if you wanted to upgrade your source code, there's more. There's Torii, or there's Sora, which is particularly nasty, but you could cut and paste snippets of this code that's online to enhance what you've already got there. And last but not least, don't forget your coin miners.

Well, yes, this is far from over, but my talk pretty much is. Yes, to wrap it up: we need to keep very close watch over specific ports, because you know that the attackers are keeping up to date on security patches. The proof is in the pudding here. You know what they can build in terms of exploits, you know how and you know why, because they know we're not up to date, and the move into enterprise should be very scary for all of us. We're far more vulnerable than we realize. I'll be posting this talk, so I'll have some of the resources available from a great many people I've read. I won't post the links from pastebin and GitHub, for understandable reasons. And that's it for me. Are there any questions? Yes.
[Audience question, partly inaudible.] Is that me there? Okay, so the question was, how do we make people care, especially when it hits enterprise systems where it's a drop in the bucket? Essentially, that has been our job as security people: acting as canaries in coal mines and sounding an alarm time and again, and feeling on a regular basis defeated because we can't get the message across. I don't know, I really don't. Like I said earlier, for business it's not a problem until it's a problem. When it hits you in the bottom line, when your reputation and brand are at stake, I have seen the people who make the decisions sit up and take notice. I think honestly the best thing that we can do is what we are really good at doing, which is we say to hell with it and we secure this anyway, because we actually know what's coming, and it's just our nature to do the work that nobody else is doing, because we know what's going to come further down the line, and it impacts everybody. We get caught up in it just as much as the guys in the suits upstairs who really don't understand what this is gonna play out like. Does that answer your question? Someone? Okay, did you have a question?

[Audience:] Is going in and patching those MikroTik routers, do you think that that's like a viable way to sort of combat these, is to actually have something that's going out there in an automated fashion, sort of like close these vulnerabilities?

Wow, I have, so the question was, is it a good idea to have somebody similar to the white-hat vigilante who was going out and patching the vulnerabilities on the MikroTik routers doing this automatically? I follow a podcast called Darknet Diaries, and they talked about a botnet from 2012 or so. It's a fascinating story. I would actually encourage everybody to listen to it if you can, because it's a really good lesson about what you'll discover out there, and how there are attackers and there are bots, and they go and patch each other. Some of them do it in the case of making it stronger for their own opportunities. But I would like, I would really like to say, if we had a kind, altruistic source that could safely automate identification and patching of these routers to make that possible, it would help all of us. It is an enormous job, and it's something that we can't rely on individuals or even enterprises to do well.

[Audience:] To regulation, and like, you know, potentially is this a role that some government needs to take? Because you mentioned, like, you know, if one of these botnets goes after our country, you know, it could completely shut down the country, so we're essentially, you know, if nation-states are going to be using these as weapons, it may be other...

Okay, so the question is, should we put this into the hands of a government to manage? I'm going to back down on that one, and I'm going to say no, because it can become a very dangerous double-edged sword. I don't want to give any government that degree of ability or power, as much as I think we need to have a bigger body regulating this and taking it on. It's a great question. Any other questions? Yes.

[Inaudible audience question.] I can't say from real experience. The question was, if I had carried my to-do list to fruition, how many boxes could I pwn? Well, it's all theoretical. It's based on documented evidence of what attackers before me have gone and done. I expect there would be some mistakes and some missteps, but I could reliably, given that this is, if I inject my code with Mirai and I use a really good and available router botnet, I could go after thousands, and I would probably leverage at least a couple of scanning sources across the internet that we're very familiar with to be able to identify them and flag them. I'd also probably be very interested in investigating what's available in terms of potable servers right now. Does that answer your question? Okay. Am I done? All done? Okay, thank you so much, and happy Halloween everybody.