Spam botnets
Project goals:
Track a spam bot, and:
• Discover how the bot receives orders
• Characterize its activity on the affected computer and in the network
• Discover how the bot composes spam messages.
My work and findings:
• I tracked its network activity and discovered that every time it runs, it connects to and downloads data from 66.199.251.242
• The bot executable is encrypted. I extracted the original executable and found that the address 66.199.251.242 is hard-coded in the executable.
• I analyzed the memory of the bot after it received data from this server and from the "network replayer" which I created, and found there the template of the spam and the data used in it, such as mail server addresses, mail usernames and spam content.
The spam:
• This is an advertisement for a site which promises pirated videos (of popular series)
• The fake sender is [email protected], and the recipient is [email protected]
The message source
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE></TITLE></HEAD><BODY>
<center><style>(...English text...)</style>
Полное собрание сериалов
<br>
"Доктор Хаус","Остаться в живых" (Lost)
<br><style>NOT to use them). neurobiology, cognitive the latest research in
the patterns that or on the real relationship to use them (and when
Facade, Proxy, and Factorysomewhere in the worlddesign problems, and
better principles will helpbrain in a way that sticks. </style>
"Отчаянные домохозяйки","Побег из тюрьмы"
<br>
И десятки других!
<a href="http://2009serial.com"><br>Дешевле не бывает!</a><br>
<style>(...English text...)</style>
</center>
</BODY></HTML>

The English text is enclosed in 'style' tags, which makes it invisible to the reader.
It consists of a meaningless mix of fragments of English sentences.
My assumption: its purpose is to confuse anti-spam applications that filter messages by their text, by adding meaningless text.
Discovery of the bot executable

The file entered the home computer, probably through a vulnerability in Internet Explorer.
Before cleaning the computer, I saved the file.
A check on virustotal.com revealed that it is detected (among others) by McAfee as Spam-Mailbot, and by Kaspersky as Trojan-Mailfinder.Win32.Mailbot.dp.
Running it (while monitoring its communication) revealed that it communicates with a server at the address 66.199.251.242, and sends spam.
The spam bot has a strange executable...
There are no DLL imports.
• The file may have been created by obfuscating tools, or contain an encrypted executable.

Another problem: the bot hides itself
The bot hides itself partially: its PID is hidden from the task manager, but not from netstat.
• 66.199.251.242 is the C&C server address. The PID 1944 doesn't appear in the task manager.

Idea: use a debugger

In the memory of the bot, starting from address 0x00405000, there is a new executable (the decrypted code).
The address 66.199.251.242 is hard-coded in the original executable.
The Dependency Walker shows the difference: now there are DLL imports, which means that the real executable was indeed encrypted inside the bot executable.
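As an added example (not part of the original project), a Python scanner that walks a memory dump, finds every PE header and reports whether its import directory is empty, which is the contrast the Dependency Walker showed between the packed outer image and the decrypted one. The dump, the 0x00400000 image base and the minimal PE headers are constructed sample data.

```python
import struct

PE32_MAGIC = 0x10B   # PE32+ (0x20B) places the data directories 16 bytes later

def find_embedded_pes(data, base=0x00400000):
    """Scan a memory dump for PE headers and report whether each has an import table.
    A packer's outer image often has an empty import directory, while the payload it
    decrypts into memory does not. `base` is the assumed load address of the dump."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                nsections = struct.unpack_from("<H", data, pe + 6)[0]
                opt = pe + 24                                    # optional header after the 24-byte COFF header
                magic = struct.unpack_from("<H", data, opt)[0]
                dd = opt + (96 if magic == PE32_MAGIC else 112)  # data directory table; entry 1 = imports
                if dd + 16 <= len(data):
                    rva, size = struct.unpack_from("<II", data, dd + 8)
                    found.append({"address": base + pos, "sections": nsections,
                                  "has_imports": rva != 0 and size != 0})
        pos = data.find(b"MZ", pos + 1)
    return found

def build_pe32_header(import_rva, import_size, nsections=1):
    """Constructed minimal PE32 header (DOS stub + COFF + optional header); sample data only."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, nsections, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, import_rva, import_size)  # DataDirectory[1] = import table
    return bytes(dos) + coff + bytes(opt)

# Constructed "dump": packed outer image at the base (no imports), filler, then the decrypted
# payload at base + 0x5000 (with imports), mirroring the 0x00405000 finding above.
SAMPLE_DUMP = (build_pe32_header(0, 0, nsections=2).ljust(0x5000, b"\xCC")
               + build_pe32_header(0x2000, 0x50, nsections=4))

if __name__ == "__main__":
    for pe in find_embedded_pes(SAMPLE_DUMP):
        print(f"PE at 0x{pe['address']:08X}: sections={pe['sections']}, imports={pe['has_imports']}")
```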
Network activity monitoring

The bot's network activity was monitored and analyzed using Wireshark.
After its launch, the bot connects to some mail servers which are hard-coded in it, but sends no data to them.
Then it connects to 66.199.251.242, sends short messages and receives data.
After receiving the data, it starts to send spam.
Every minute it requests more data from 66.199.251.242, and if it indeed receives data, it sends more spam.
The most communicated hosts (in 6-hour tracking):
• The most significant communication is with the C&C server
• The bot connected to more than 800 mail servers
More information...

Every minute it sends and receives data from 66.199.251.242.
The data is not encoded in a known plain-text protocol such as IRC or HTTP.
Every two minutes it connects to some mail servers (whose hostnames are hard-coded in the executable), apparently to check the internet connectivity.
During the tracking, it was discovered that many servers use partial protection from spam botnets:

Some servers refuse to receive mail from private internet users (if the IP is in a suitable range):
554 5.7.1 DSL or DialUp sender bzq-79-176-10196.red.bezeqint.net [79.176.101.96] (1), please use
Provider SMTP
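As an added example (not from the original project), a Python detector for the traffic pattern described above, run over constructed flow records in the shape of a Wireshark conversation export: a poll of one non-mail host every minute (the C&C pattern), a hard-coded mail server contacted every two minutes (the connectivity check), and a fan-out to hundreds of distinct SMTP servers. The IP addresses, port 2048 and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records (seconds since capture start, dst_ip, dst_port), in the shape of a
# Wireshark conversation export: a C&C poll every minute, one hard-coded mail server contacted
# every two minutes, a fan-out to 200 mail servers, and a little ordinary web traffic.
SAMPLE_FLOWS = (
    [(60 * i + 2, "198.51.100.7", 2048) for i in range(20)]
    + [(120 * i + 9, "203.0.113.250", 25) for i in range(10)]
    + [(11 + 3 * i, "203.0.113.%d" % (1 + i % 200), 25) for i in range(200)]
    + [(30, "198.51.100.9", 443), (500, "198.51.100.9", 443)]
)

def beacon_candidates(flows, period, tolerance=5, min_hits=5):
    """Destinations contacted at a near-constant interval of `period` seconds."""
    times = defaultdict(list)
    for t, ip, port in flows:
        times[(ip, port)].append(t)
    hits = []
    for key, ts in times.items():
        ts.sort()
        regular = [b - a for a, b in zip(ts, ts[1:]) if abs(b - a - period) <= tolerance]
        if len(regular) >= min_hits:
            hits.append(key)
    return hits

def smtp_fanout(flows, min_servers=50):
    """(flag, count) of distinct port-25 destinations; a workstation talking to dozens is a spam-bot sign."""
    servers = {ip for _, ip, port in flows if port == 25}
    return len(servers) >= min_servers, len(servers)

def classify(flows):
    """Combine the checks: minute-period beacon to a non-mail host, two-minute SMTP probes, SMTP fan-out."""
    c2 = [k for k in beacon_candidates(flows, 60) if k[1] != 25]
    probes = [k for k in beacon_candidates(flows, 120) if k[1] == 25]
    fanout, n = smtp_fanout(flows)
    return {"c2_candidates": c2, "smtp_probes": probes, "smtp_fanout": fanout, "smtp_servers": n,
            "spam_bot_like": bool(c2) and fanout}

if __name__ == "__main__":
    print(classify(SAMPLE_FLOWS))
```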
Some statistics:

During 6 hours, the bot sent spam only in the first 30 minutes.
After 30 minutes, the server ceased to send new information to the bot.
During these 30 minutes, it tried to send approximately 4000 messages to more than 300 servers; about 300 of them were delivered (as explained on the previous page, most servers refuse to accept messages from private IPs).
The C&C server sent 900KB to the bot.
More statistics

The messages that were accepted (about 300) were accepted by about 80 servers (about a quarter of the servers). On average, about four messages per server were accepted.
The other servers (more than 200) refused to accept the messages because they were sent from a dynamic IP, or because of other errors (for example, if the mail address to which the spam was sent does not exist).
The bot kept connecting even to servers that refused to accept messages from it (that is, it did not keep a list of servers that refuse to accept spam from it).
It apparently also did not keep lists of servers that accepted mail from it, but acted solely according to the address lists it received from the C&C server.
Less than 10% of its attempts to send messages succeeded.
It managed to send about 10 messages every minute.
At this rate, to send a million messages it would need to try to send more than 10 million messages to a million different servers, and that would take it 100,000 minutes, more than two months.
Network graphs
• The scale is bytes/sec.
• First graph: the beginning
• Second graph: after 30 minutes
• Third graph: after more than three hours
• The colors: communication with 66.199.251.242; DNS queries; SMTP communication
Using the debugger again reveals the template of the spam:
Received: from {BOT_IP} by {MAILFROM_MX}; {DATE}
Date: {DATE}
From: {_nTagMailFrom}
X-Mailer: The Bat! ({nTheBat_2_ver}) {nTheBat_1_type}
Reply-To: {MAIL_FROM}
X-Priority: 3 (Normal)
Message-ID: <{DIGIT[9]}.{DIGIT[14]}@{MAILFROM_DOMAIN}>
To: {MAIL_TO}
Subject: {SUBJECT}
MIME-Version: 1.0
Content-Type: text/html;
charset=koi8-r
Content-Transfer-Encoding: 8bit
{ENCODE}<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
</HEAD>
<BODY>
{_BODY_HTML}
</BODY></HTML>{/ENCODE}
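As an added example (not part of the original project), a Python check for the fingerprints of this template and of the hidden-text trick described with the message source earlier: prose inside style tags, the {DIGIT[9]}.{DIGIT[14]} Message-ID shape, and the X-Mailer "The Bat!" plus koi8-r plus 8bit header combination. Both messages, the addresses and the threshold of two indicators are constructed assumptions.

```python
import re
# Constructed sample shaped like the template above (made-up sample data, not a captured spam).
SAMPLE_SPAM = """From: sender@example.invalid
X-Mailer: The Bat! (v3.99.3) Professional
Message-ID: <123456789.12345678901234@example.invalid>
Content-Type: text/html;
 charset=koi8-r
Content-Transfer-Encoding: 8bit

<HTML><BODY><center><style>the patterns that or on the real relationship to use them</style>
Full collection<br><a href="http://example.invalid/">link</a></center></BODY></HTML>
"""
# Constructed benign HTML mail: its <style> block holds real CSS, not hidden prose.
BENIGN_MAIL = """From: news@example.invalid
Content-Type: text/html; charset=utf-8

<html><head><style>p { color: #333; }</style></head><body><p>Hello</p></body></html>
"""

def parse_message(raw):
    """Header dict (lowercase keys, folded lines joined) and body of a raw message."""
    head, _, body = raw.partition("\n\n")
    headers, last = {}, None
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and last:      # folded continuation (the charset line)
            headers[last] += " " + line.strip()
        else:
            name, sep, value = line.partition(":")
            if sep:
                last = name.strip().lower()
                headers[last] = value.strip()
    return headers, body

def hidden_style_text(html):  # <style> contents that are prose (no CSS braces, several words)
    chunks = re.findall(r"<style[^>]*>(.*?)</style>", html, flags=re.I | re.S)
    return [c.strip() for c in chunks if "{" not in c and len(c.split()) >= 5]

def template_indicators(raw):
    """Three fingerprints of the template: hidden filler, the 9.14-digit Message-ID, the header combination."""
    headers, body = parse_message(raw)
    mailer_combo = (headers.get("x-mailer", "").startswith("The Bat!")
                    and "koi8-r" in headers.get("content-type", "").lower()
                    and headers.get("content-transfer-encoding", "").lower() == "8bit")
    return {
        "hidden_style_prose": bool(hidden_style_text(body)),
        "msgid_9_14_digits": re.fullmatch(r"<\d{9}\.\d{14}@[^>]+>", headers.get("message-id", "")) is not None,
        "thebat_koi8r_8bit": mailer_combo,
    }

def matches_template(raw, threshold=2):
    """Flag a message when at least `threshold` of the indicators fire."""
    return sum(template_indicators(raw).values()) >= threshold
```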
The C&C server also sends the recipient addresses:
The address in the first spam is [email protected]
After each mail domain there are mail usernames; here they are 3dsales, hsales, ...
• There are thousands of mail server names, addresses and names in the bot's memory.
The network replayer

During the work I created (based on the code of a simple winsock server) a program that makes it possible to replay saved instructions from the C&C server to the bot, which allows a controlled run of the virus with fixed input.
The method is based on exporting the communication from Wireshark to C arrays, a script that goes over the arrays and adds information (for each array: the direction of the communication, and its length), and the server that goes over them and transmits them to the bot.
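As an added example (not the project's own script), a Python version of the annotation step: it reads a Wireshark "C Arrays" export, tags each array with its direction and length, and turns the result into the send/wait sequence the replayer follows when standing in for the C&C server. The export format shown (peer0_N arrays for client-to-server bytes, peer1_N for server-to-client) is assumed, and the sample export is constructed.

```python
import re

# Constructed sample in the shape of Wireshark's Follow TCP Stream -> Save as "C Arrays" export
# (assumed format): peer0_* arrays are client->server bytes, peer1_* are server->client bytes.
SAMPLE_C_ARRAYS = """char peer0_0[] = { /* Packet 4 */
0x48, 0x45, 0x4c, 0x4c, 0x4f };
char peer1_0[] = { /* Packet 6 */
0x01, 0x02, 0x03, 0x04,
0x05, 0x06 };
char peer0_1[] = { /* Packet 8 */
0x4f, 0x4b };
"""

ARRAY_RE = re.compile(r"char\s+peer(\d)_(\d+)\[\]\s*=\s*\{(.*?)\};", re.S)

def parse_c_arrays(text):
    """Annotate each array with direction and length, in stream order (the script step in the text)."""
    records = []
    for peer, idx, body in ARRAY_RE.findall(text):
        body = re.sub(r"/\*.*?\*/", "", body, flags=re.S)   # drop the /* Packet N */ comment
        data = bytes(int(tok, 16) for tok in re.findall(r"0x([0-9a-fA-F]{2})", body))
        records.append({"direction": "bot->c2" if peer == "0" else "c2->bot",
                        "index": int(idx), "length": len(data), "data": data})
    return records

def replay_plan(records):
    """The replayer stands in for the C&C server: it waits for each bot->c2 chunk and then
    sends the recorded c2->bot chunk, so the bot runs against fixed, reproducible input."""
    return [("recv" if r["direction"] == "bot->c2" else "send", r["length"]) for r in records]

if __name__ == "__main__":
    for step, n in replay_plan(parse_c_arrays(SAMPLE_C_ARRAYS)):
        print(step, n, "bytes")
```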