
So, hi everyone. I'm Andrea Scarfo, and this talk is about botnet research that I've done regarding the DNS queries that we see on our resolvers at Cisco Umbrella. We're going to talk a little bit about what botnets are, how they work, and then what we're seeing the threat actors use botnets for.

About me: I'm a security research analyst at Cisco Umbrella, which formerly was OpenDNS; about two years ago we became Cisco. Before that, for 12 years, I was a system administrator for various companies in California.

So, to start out, what is a botnet? It's infected computers that are working together to form the botnet, and they receive commands from a command and control server, so they can get automated commands. A lot of times, like what you'll see here in this picture, you can rent a bot: an attacker will own an infected system and then rent the use of it out for something cheap, like ten dollars a day, and then you can provide your own malware, your own dropper, your own RAT, and get the use of these infected bots.

So why research botnet infrastructure? Well, it's the infrastructure behind what's running all these cyber crimes: it's the infrastructure behind sending spam with malicious attachments, behind malvertising, behind RATs and ransomware. So if we can see where these servers are, then we can dig deeper and find more systems to block. But it's a hard problem to solve, because there's millions of infected devices all over the globe; there's not one central location where you can just say this is where everything is coming from, just deny all traffic from this location, since they're proxied. It's also a hard problem because now you don't have to build your own botnet; you can just rent one for ten dollars or so that someone else has already done the work to compromise systems and control them together, so that helps the spread of ransomware. What we see mostly is infections go undetected, so these systems and these businesses can be infected for years, and if they don't have good security they don't even know that the machines are calling back to the servers, and then they're also leaking information and providing bandwidth to the entire botnet. So if someone wants to rent infected systems in a botnet and just use it to DDoS something, that's one thing that they're used for.

So the life cycle of a bot. Basically what we see is the first step is the infection and spreading, so you need to get your bot out there and infect the systems. Spam is one of the largest ones, or if you compromise a website with injected code, and also through malvertising. So once the system is infected, then the bot's going to try to make contact with the command and control server. It used to do this through a list of static IPs that would be in the binary, but you know, now that's easy to find if you sandbox the code, so we see them using domain flux or IP flux: they'll register their domains, and then one domain name will use many different IPs over a short period of time, constantly changing the IP so it's always moving around. And then the bots will report back to the command and control server, and at that point it can be used in whatever way: it can be used as part of a DDoS, it can be used to send more spam to send more infections, or it can just sit on a system and just become an info stealer and leak information. And then also after that the goal is to evade detection, so they'll use these techniques of domain flux and IP flux to always be proxied, so you can't find where the actual command and control server is located.

So this is what you might see as a typical layout of how the botnet infrastructure will work. On the first layer you have the infected users or computers, and these are what are going to accept and carry out the commands that they get from the attacker. Another layer could be more infected systems, but they have the ability to act as an HTTP proxy between the bots and the command and control server, so it just adds a layer of hiding behind a proxy. And then you can have a third layer that's made up of usually compromised servers, and that's another proxy between the nodes and the back end, and the back end is the control panel where the attacker can manage all of his bots.

So on our resolvers we see all of the DNS queries that clients are making that are using our resolvers. The type of information that we're going to see about these botnets are domain names; you know, most of them are DGAs, you'll see a majority of them that are NXDOMAIN, so they're not going anywhere, they're not registered. We'll also see the IP addresses of the command and control servers, and then the name servers that they're running on. Some of the detection methods that we'll use: if there is a sudden surge of queries coming from our clients through the resolvers to one of the domains, that's going to look suspicious. Whereas there would be no traffic, then suddenly there's, you know, 75,000 queries to this one domain name, that's going to be suspicious. And then the IP history of a domain is interesting, because if they're using fast flux they're going to consistently be changing IP addresses, like a couple of times a day or every other day. And then from here this is where we'll start to pivot, from domains, from IPs, name servers or WHOIS information, just to find out more about the infrastructure or to find more attacks.

So what I'm gonna do is just kind of go through how we would do some threat hunting on some of the botnet infrastructure. The example I'm going to use is hailstorm spam. We call it hailstorm because there will be a sudden burst of query traffic, maybe
like 75,000 an hour, all at once, with these spam domains, and then you never hear from them again and it just goes quiet. Most of the time it's just advertising spam, but if you pivot through the different IP addresses and domain names you'll find actual malware. When we see this, we see it on the Necurs botnet, and it's coming from usually all over the world, but mostly like Russia, Germany, some of the US as well.

So if we start here with this IP that we've seen sending hailstorm spam, using passive DNS information we can see some domains that we've seen in the past associated with this IP address. This example here is just using VirusTotal; there's tons of different passive DNS resources that you can use, and of course with Cisco Umbrella that's what I use, just because I get a lot more. But these are some more domains that were associated with this IP, and I don't know if you can see them, but they're kind of like, oh, it's all pharma in this one. So I think I actually have a screenshot that I've used in this before; it's the next one. So on this one IP we saw 857 different domains, and here's some more of the Canadian/Russian pharma fraud. If you were to click through and go to any of those domains in the other slides, this is what you would see: they're still active now, they're still serving these pages.

So then if we start to pivot through this other domain here that we saw hosted on the 95 IP, we can see that in the past it also used to resolve to a different IP address, here the 185 address. And on this, if you look at some of the domain names, just using VirusTotal we can see that another researcher put in a note for this one associating it with, I think they're called, a pharma fraud organization, and Spamhaus has done a lot of investigation into that organization. One of the other IPs there that we pivot from, we just see more of the same: all the domain names are related to, you know, your RX shop, medical drugs, so more pharma fraud. So you're finding more of the same, you know, spam, pharma fraud. Let's try to find something different. Luckily it's still out there, so we'll go through, we want to find something more interesting.

So on this IP address, with one of these domains that was associated with the pharma fraud, you find this binary that we found that was spreading Locky. In the network callouts after we ran this in a sandbox environment, you can see there where it's grabbing the images from the site that have to do with the drugs, so amoxicillin, prednisone, so you know you're dealing with more of the same. And then if you look at the rest of the network callouts here, that IP address at the bottom is the actual C2 server that will have the Locky payload. So in this sample we saw it dropping the Locky ransomware, and associated with pharma fraud, but the original attachment that a user had gotten in their email was a fake UPS zip file, so pretending to be, you know, a package for them. This is just our friends at abuse.ch showing that this C2 server had been around for a while, so they'd seen it associated with other Locky attacks; it's offline right now.

So this one here is spam, more spam with a Locky downloader attachment. You'll see on the 95 IP it does the HTTP request to get the pharma fraud, and then the last IP address that we looked at before is the C2 server in here again that's gonna drop the payload. And then if you analyze the network traffic in a pcap here, you can see the HTML of the actual pharma site being loaded, they're viewing it, and then this hash is showing where they're actually trying to compromise the system and turn it into a spam bot, so it becomes part of the botnet here and continues to spread more spam. So this is an example of one of the emails that would be sent out once the system is infected, so it just continues to spread more spam. And here is all of the emails that were sent when we ran this in a sandbox environment, so yeah, this one just went through quite a bit, sent more spam out with more pharma fraud. And here if we look at the actual IMF messages that are sent out in the spam, if you analyze the binary you can pull out more domain names that are in here that are being sent, and if you look at any of these, this is going to be more pharma fraud, some Russian dating sites, but you can pivot off of any of these and find more ransomware.

I think that was kind of quick; plenty of time for questions, so shout out if you want or remain silent.
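The two resolver-side detection heuristics the talk describes, a sudden burst of queries to a domain with no prior history (hailstorm) and a domain whose answer IP keeps changing (fast flux), as an added Python example run over a constructed resolver log; this is not Cisco Umbrella's code, and the log layout, thresholds and domain names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: (UTC timestamp, queried name, answer IP or None
# for NXDOMAIN). Names and addresses are illustrative reserved values.
def _constructed_log():
    t0, rows = datetime(2017, 5, 1, 9, 0), []
    for h in range(24):   # steady legitimate domain, stable answer
        rows.append((t0 + timedelta(hours=h), "news.example", "198.51.100.7"))
    for i in range(1200): # hailstorm: never seen before, 1200 queries in one hour
        rows.append((t0 + timedelta(hours=12, seconds=3 * i), "rx-shop.example", "203.0.113.9"))
    for h in range(24):   # fast flux: C2 name cycling through six addresses
        rows.append((t0 + timedelta(hours=h), "c2.example", f"192.0.2.{h % 6 + 1}"))
    return rows

LOG = _constructed_log()

def hourly_counts(log):
    """name -> {hour bucket -> query count}"""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, name, _ in log:
        counts[name][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts

def hailstorm_domains(log, burst=1000, quiet_hours=6):
    """Names with >= burst queries in one hour after quiet_hours of silence."""
    flagged = set()
    for name, buckets in hourly_counts(log).items():
        for hour, n in buckets.items():
            earlier = (buckets.get(hour - timedelta(hours=k), 0) for k in range(1, quiet_hours + 1))
            if n >= burst and not any(earlier):
                flagged.add(name)
    return flagged

def fast_flux_domains(log, min_ips=4, window=timedelta(days=1)):
    """Names that resolved to >= min_ips distinct IPs inside any sliding window."""
    by_name = defaultdict(list)
    for ts, name, ip in log:
        if ip is not None:          # NXDOMAIN answers carry no IP to track
            by_name[name].append((ts, ip))
    flagged = set()
    for name, answers in by_name.items():
        answers.sort()
        for i, (start, _) in enumerate(answers):
            ips = {ip for ts, ip in answers[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged.add(name)
                break
    return flagged
```

On the constructed log only `rx-shop.example` trips the hailstorm rule and only `c2.example` trips the fast-flux rule; the steady domain passes both, which is the point of requiring prior silence rather than raw volume.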
So I get the feeling, looking at this, that you have a pretty good understanding of how these botnets work, at least how they spread and where they're going to. Detection is the hard problem, but understanding how these botnets work, what's the next step?

The next step with what we're finding is we kind of just want to see the infrastructure behind it, so we want to find the domain names, find the IP addresses, so that it just leads us down more, so we can just continue our threat hunting. So we find all the IOCs related and just make sure that we can block them that way, and it always leads you down like a different path to find something new, something more interesting, because you can start researching one IP address and then it might actually later turn out to stop sending pharma fraud and just send some other type of attack. So it's kind of something that once we find it we'll keep watching it, just to see what it evolves into too, because they'll use the infrastructure for other things if they already have those systems.

Anybody else? No? Oh, yes, okay. So thanks, thanks Andrea. [Applause]