
Detection: Tools and Techniques

In the document 363_Web_App_FM.qxd 12/19/06 10:46 AM Page ii (Page 151-157)

Solutions in this chapter:

Abuse

Network Infrastructure: Tools and Techniques

Intrusion Detection

Darknets, Honeypots, and Other Snares

Forensics Techniques and Tools for Botnet Detection

Chapter 5


Summary

Solutions Fast Track

Frequently Asked Questions

Introduction

In this chapter we look at tools and techniques commonly used for botnet detection. By definition, this is a big subject, and we only touch lightly on some ideas and tools. For example, the popular open-source Snort intrusion detection system is mentioned, but Snort is a very complex package, and we can’t do it justice in a few pages. In addition to skimming over some tools, we mention a few techniques that are commonly used either to prevent malware such as botnets in the first place or help in detection, prevention, or post-attack cleanup.

First we’ll discuss abuse reporting, because it could turn out that your enterprise simply receives e-mail to tell you that you seem to have a botnet client on your premises. (Of course, it’s better if you are proactive and try to control your network in the first place.) Then we will talk about common network-monitoring tools, including sniffers, as well as confinement techniques, including firewalls and broadcast domain management. We will touch on common intrusion detection systems, including virus checkers and the Snort IDS. We also mention the role darknets, honeypots, and honeynets have to play. Last we touch on host forensics. One thread through all this discussion to which we should draw your attention is the important part that logging and log analysis play at both the network and host levels. For example, firewall, router, and host logs (including server logs) could all show attacks. We cannot do the subject of log analysis justice, but we can and will at least give a few pointers on how to use them.

Abuse

One possible way to learn about botnets in your enterprise is if someone sends you e-mail to tell you about it. We typically refer to this as abuse e-mail. The basic idea is that someone out there on the Internet has decided to complain about something they think is wrong related to your site. This might include spam (from botnet clients), scanning activity (botnet clients at work), DoS attacks, phishing, harassment, or other forms of perceived “abuse.” The convention is that you have administrative contacts of some form listed at the regional Internet registry sites such as ARIN, APNIC, LACNIC, or RIPE (see www.arin.net/community/index.html). The person sending the complaint determines the offending IP address and sends e-mail to the contacts listed for that address, mentioning the IP address in the complaint. In general, you should send that e-mail to abuse@somedomain, if that handle exists in the WHOIS database. You want to use general role contacts rather than particular names, simply because particular names might be wrong or those people might be on vacation, whereas the general names (admin, noc, abuse) tend to go to more people (such as someone who is awake). We will return to this subject later in the chapter.

In the meantime, assume that your network is 192.168.0.0/16. Also assume you are an abuse admin (or the head network person) at Enormous State University and you have this particularly lovely e-mail waiting for you in your in-basket one morning:

Subject: 192.168.249.146 is listed as exploited.lsass.org
From: Nancy Netadmin <nancyn@bigisp.net>
To: abuse@enormoussu.edu
Cc: abuse@bigisp.net
Content-Type: text/plain
X-Virus-Scaned: by amavisd-new

ESU Abuse:

It was recently brought to our attention that exploited.lsass.org has an A record pointing to 192.168.249.146. Please note that we sent an email on January 16, 2005 at 00:27 regarding this same host and its botnet activity. We have yet to receive a response to that message.

Please investigate ASAP and follow up to abuse@bigisp.net. Thank you.

$ dig exploited.lsass.org

; <<>> DiG 9.2.3 <<>> exploited.lsass.org
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46001
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;exploited.lsass.org.                IN      A

;; ANSWER SECTION:
exploited.lsass.org.    56070   IN      A       10.0.0.1
exploited.lsass.org.    56070   IN      A       10.2.2.3
exploited.lsass.org.    56070   IN      A       192.168.249.146

;; AUTHORITY SECTION:
lsass.org.              68614   IN      NS      ns.dns.somecountry.
lsass.org.              68614   IN      NS      ns.dns2.somecountry.

;; ADDITIONAL SECTION:
ns.dns.somecountry.     68572   IN      A       10.3.4.5

$ dig -x 192.168.249.146

;; QUESTION SECTION:
;146.249.168.192.in-addr.arpa.       IN      PTR

;; AUTHORITY SECTION:
168.192.in-addr.arpa.   1800    IN      SOA     dnsserver.enormoussu.edu -

--
Nancy Netadmin                          Voice : XXX.123.1234
BIGISP Operations & Systems Engineer    Fax   : XXX.123.1345
Computing Center                        Email : nancyn@bigisp.net

This message poses some interesting questions, including:

What does it mean?

Where did I put the aspirin again?

What can we do about it?

How can we prevent it from happening again?

Nancy has been kind enough to tell us that we have a bot server on our campus. We should disconnect it from the Internet immediately and sanitize the host and any other local hosts that might be taking part in the botnet.

However, forensics and cleanup, although mentioned later in the chapter, are not germane to our discussion at this point. The point is that the DNS name exploited.lsass.org was being used by a botnet so that botnet clients could find a botnet server. Typically, botnet experts have observed that a botnet will rendezvous on a DNS name using dynamic DNS. The clients know the DNS name and can check it to see whether the IP address of the server has changed. This is one method the botnet owner can use to try to keep the botnet going when the botnet server itself is destroyed: the botnet master has to get another IP address and use dynamic DNS to rebind the existing name to the new address. Getting another IP address is not that hard if you own 50,000 hosts. One lesson is simple: a botnet client can become a botnet server at any time. This system might have started as an ordinary bot and been promoted by its owner. Another lesson is fairly simple and obvious too but needs repeating: take down the botnet server as quickly as possible.
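The rendezvous behaviour described above leaves a trace a defender can look for: one name that keeps re-pointing at different addresses, each with a short TTL. The Python below, an added example and not code from the book, applies that heuristic to a resolver log. The log format, the thresholds and every sample line are constructed for the illustration (the addresses are the ones from the abuse report quoted above); the function names are assumptions as well.

```python
"""Flag DNS names that keep rebinding to new addresses with short TTLs.

Added illustration, not from the book.  A botnet that rendezvouses on a
dynamic-DNS name re-points that name whenever the server moves, so a
resolver log in which one name maps to several addresses inside a short
window, all with low TTLs, deserves a look.  Log format, thresholds and
the sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed resolver log: "<ISO time> <name> A <address> ttl=<seconds>"
SAMPLE_LOG = """\
2005-01-16T00:10:02 exploited.lsass.org A 10.0.0.1 ttl=60
2005-01-16T03:41:17 exploited.lsass.org A 10.2.2.3 ttl=60
2005-01-16T09:05:44 exploited.lsass.org A 192.168.249.146 ttl=60
2005-01-16T18:22:09 exploited.lsass.org A 10.0.0.1 ttl=60
2005-01-16T00:12:30 www.example.com A 203.0.113.10 ttl=86400
2005-01-16T12:12:30 www.example.com A 203.0.113.10 ttl=86400
2005-01-16T01:00:00 cdn.example.net A 198.51.100.7 ttl=300
2005-01-16T01:05:00 cdn.example.net A 198.51.100.8 ttl=300
"""


def parse_log(text):
    """Yield (time, name, address, ttl) for each A-record line in the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        when, name, rtype, addr, ttl_field = line.split()
        if rtype != "A":
            continue
        ttl = int(ttl_field.split("=", 1)[1])
        yield datetime.fromisoformat(when), name.lower(), addr, ttl


def rebinding_names(text, min_addresses=3, max_ttl=300, window_hours=24):
    """Return {name: sorted addresses} for names that were seen with at least
    min_addresses distinct A records, every TTL at or below max_ttl, within a
    span of window_hours.  Thresholds are illustrative assumptions."""
    seen = defaultdict(list)
    for when, name, addr, ttl in parse_log(text):
        seen[name].append((when, addr, ttl))

    flagged = {}
    for name, events in seen.items():
        addresses = {addr for _, addr, _ in events}
        if len(addresses) < min_addresses:
            continue                      # a couple of addresses is normal
        if max(ttl for _, _, ttl in events) > max_ttl:
            continue                      # long TTLs do not look like dynamic DNS
        times = [when for when, _, _ in events]
        span_hours = (max(times) - min(times)).total_seconds() / 3600
        if span_hours <= window_hours:
            flagged[name] = sorted(addresses)
    return flagged


if __name__ == "__main__":
    for name, addrs in rebinding_names(SAMPLE_LOG).items():
        print(f"{name}: {len(addrs)} addresses in 24h -> {', '.join(addrs)}")
```

Treat a hit as a lead, not a verdict: content-delivery networks and load balancers also rotate addresses behind short TTLs, so the name, the hosts that queried it and the traffic that followed need to be examined before anything is pulled off the network.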

The DNS information in the message shows the DNS name mapped to several IP addresses, including one on the local campus. It also shows the DNS servers (presumably sites hosting dynamic DNS). The dig -x command was used to do a reverse PTR lookup (IP address to DNS name) of the IP address to show which DNS site (the local site) was hosting the PTR record itself.
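As an added example (not part of the book), here is a small Python triage script that pulls the A records out of the dig output quoted in the abuse report, tests each against the campus prefix the chapter assumes (192.168.0.0/16), and builds the in-addr.arpa name that dig -x queries. The record names, TTLs and addresses are copied from the constructed e-mail above; the function names are assumptions.

```python
"""Extract the A records from a dig answer and pick out the ones on our network.

Added example, not from the book.  The dig text is the answer section from
the abuse report quoted above; the local prefix is the chapter's assumed
campus allocation, 192.168.0.0/16.
"""
import ipaddress
import re

LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")

# The answer and authority sections as they appear in the (constructed) e-mail.
DIG_OUTPUT = """\
;; ANSWER SECTION:
exploited.lsass.org.    56070   IN      A       10.0.0.1
exploited.lsass.org.    56070   IN      A       10.2.2.3
exploited.lsass.org.    56070   IN      A       192.168.249.146

;; AUTHORITY SECTION:
lsass.org.              68614   IN      NS      ns.dns.somecountry.
"""

# name  ttl  IN  A  dotted-quad, separated by any run of whitespace
A_RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<addr>\d+\.\d+\.\d+\.\d+)$"
)


def parse_a_records(dig_text):
    """Return (name, ttl, address) for every A record in dig's output.

    Lines starting with ';' are dig's comments and section headers; NS, SOA
    and other record types are skipped because the regex only matches A."""
    records = []
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = A_RECORD.match(line)
        if match:
            records.append(
                (match["name"].rstrip("."), int(match["ttl"]),
                 ipaddress.ip_address(match["addr"]))
            )
    return records


def local_hits(records, local_net=LOCAL_NET):
    """Addresses from the records that fall inside our own allocation."""
    return [str(addr) for _, _, addr in records if addr in local_net]


def reverse_name(addr):
    """The in-addr.arpa name that `dig -x` looks up for an address."""
    return ipaddress.ip_address(addr).reverse_pointer


if __name__ == "__main__":
    recs = parse_a_records(DIG_OUTPUT)
    for hit in local_hits(recs):
        print(f"{hit} is ours; PTR name to check: {reverse_name(hit)}")
```

The same parser works on a live `dig` run as long as its output is captured with the default formatting; only the addresses that land inside your own prefix are yours to act on, the rest belong to whoever the registries list for them.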

Notes from the Underground…

More about lsass.exploited.org

Symantec’s Web site discusses related malware at www.sarc.com/avcenter/venc/data/w32.spybot.won.html. They named this malware W32.spybot.won and noted that IRC may be used as the command and control channel. They mention the name exploited.lsass.org and various Microsoft security bulletins, including MS03-026, Buffer Overrun in RPC Interface Could Allow Code Execution (www.microsoft.com/technet/security/bulletin/MS03-026.mspx). We suspect that there is a likely relationship between the name of the DNS-based C&C (lsass.exploited.org) and its attacks against the Microsoft file share system.

One remaining question is how you might report abuse. The contacts are found through the various registries, either over the Web using a browser or with the traditional UNIX whois command, as follows:

# whois -h whois.arin.net 192.168.249.146

OrgName:        Enormous State University
OrgID:          ENORMOUSSU-X
Address:        XXX XX XXXX Street
Address:        Suite XXXX
City:           Enormoustown
StateProv:      SOMESTATE
PostalCode:     XXXXX
Country:        US

NetRange:       192.168.0.0 - 192.168.255.255
CIDR:           192.168.0.0/16
NetName:        ENORMOUSSU-NET
NetHandle:      NET-192-168-0-0-1
Parent:         NET-192-0-0-0-0
NetType:        Direct Assignment

RTechHandle:    XXXXX-ARIN
RTechName:      Netguy, Rick
RTechPhone:     +X-XXX-XXX-XXXX
RTechEmail:     netguyr@enormoussu.edu

OrgAbuseHandle: ABUSEXXX-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +X-XXX-XXX-XXXX
OrgAbuseEmail:  abuse@enormoussu.edu


WHOIS information can be looked up on the Web at sites provided by the various registries. For example, see:

www.arin.net, for North America for the most part
www.apnic.net, for the Asia Pacific region
www.ripe.net, for Europe
http://lacnic.net, for Latin America
www.afrinic.net, for Africa

ARIN has a Web page discussing the ins and outs of abuse handling at www.arin.net/abuse.html. Also visit www.abuse.net.
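To turn a whois record into a mailing decision, one could do something like the following Python (an added example, not from the book or any registry's tooling). It parses key: value whois output, confirms the record actually covers the address being reported, and picks a contact the way the chapter recommends: the registered abuse mailbox first, other role mailboxes next, and a named technical contact only as a fallback. The record text is a constructed copy of the one above; the OrgAbuseEmail, RTechEmail, NetRange and CIDR keys are the ones shown in that record, while the role-mailbox list and the function names are assumptions.

```python
"""Parse whois output and choose the address to send an abuse report to.

Added example, not from the book.  The record below is a constructed copy
of the ARIN output quoted above.  The contact preference (abuse@ and other
role mailboxes before a named person) follows the chapter's advice; the
list of role names is an assumption.
"""
import ipaddress

# Constructed whois record in the "Key: value" form shown above.
WHOIS_OUTPUT = """\
OrgName:        Enormous State University
OrgID:          ENORMOUSSU-X
NetRange:       192.168.0.0 - 192.168.255.255
CIDR:           192.168.0.0/16
NetName:        ENORMOUSSU-NET
RTechName:      Netguy, Rick
RTechEmail:     netguyr@enormoussu.edu
OrgAbuseName:   Abuse
OrgAbuseEmail:  abuse@enormoussu.edu
"""

# Mailboxes that reach a team rather than one person (assumed list).
ROLE_MAILBOXES = ("abuse", "noc", "admin", "security", "hostmaster")

# Contact fields in the order we would rather use them.
CONTACT_KEYS = ("OrgAbuseEmail", "RTechEmail")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; registry comment lines (# or %)
    are skipped and the first value wins when a key repeats."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("#", "%")):
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())
    return fields


def covers(fields, address):
    """True when the record's CIDR (or, failing that, NetRange) contains address."""
    addr = ipaddress.ip_address(address)
    if "CIDR" in fields:
        return any(addr in ipaddress.ip_network(c.strip(), strict=False)
                   for c in fields["CIDR"].split(","))
    if "NetRange" in fields:
        low, _, high = fields["NetRange"].partition("-")
        return ipaddress.ip_address(low.strip()) <= addr <= ipaddress.ip_address(high.strip())
    return False


def abuse_contact(fields):
    """Pick the report recipient: a role mailbox if any contact is one,
    otherwise the first contact listed, or None if the record has no e-mail."""
    candidates = [fields[k] for k in CONTACT_KEYS if k in fields]
    for email in candidates:
        if email.split("@", 1)[0].lower() in ROLE_MAILBOXES:
            return email
    return candidates[0] if candidates else None


if __name__ == "__main__":
    record = parse_whois(WHOIS_OUTPUT)
    target = "192.168.249.146"
    if covers(record, target):
        print(f"report {target} to {abuse_contact(record)} ({record.get('OrgName')})")
    else:
        print(f"record does not cover {target}; look it up at the right registry")
```

The coverage check matters when a block has been sub-allocated: a query for one address can return a parent record whose contacts are the upstream provider, not the organisation actually running the host, so always compare the NetRange or CIDR against the address before trusting the contact.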
