botnets - the killer web app


Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.
Craig A. Schiller
Jim Binkley
David Harley
Gadi Evron
Tony Bradley
Carsten Willems
Michael Cross

Botnets
THE KILLER WEB APP

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY   SERIAL NUMBER
001   HJIRTCV764
002   PO9873D5FG
003   829KM8NJH2
004   BAL923457U
005   CVPLQ6WQ23
006   VBP965T5T5
007   HJJJ863WD3E
008   2987GVTWMK
009   629MP5SDJT
010   IMWQ295T6T

Botnets: The Killer Web App
Copyright © 2007 by Syngress Publishing, Inc., a division of Elsevier, Inc. All rights reserved.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0
ISBN-10: 1-59749-135-7
ISBN-13: 978-1-59749-135-8

Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Gary Byrne
Copy Editors: Michelle Melani, Darlene Bordwell, and Adrienne Rebello
Technical Editors: Craig Schiller and Jim Binkley
Indexer: Richard Carlson
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible. This may seem like a strange place to thank bankers, attorneys, and accountants, but these folks have all played a role in the success of Syngress Publishing: Jim Barbieri, Ed Remondi, Anne Marie Sharpe, and their team at Holbrook Coop in Holbrook, MA. Gene Landy, Amy Mastrobattista, and Beth Grazio at Ruberto, Israel & Weiner in Boston. Timothy D. MacLellan, at Morgan & Morgan, PC in Hingham, MA, along with his associate Darci Miller Nadeau.

Lead Authors and Technical Editors

Craig A. Schiller (CISSP-ISSMP, ISSAP) is the Chief Information Security Officer for Portland State University and President of Hawkeye Security Training, LLC. He is the primary author of the first Generally Accepted System Security Principles.
He was a coauthor of several editions of the Handbook of Information Security Management and a contributing author to Data Security Management. Craig was also a contributor to Combating Spyware in the Enterprise (Syngress, ISBN: 1597490644) and Winternals Defragmentation, Recovery, and Administration Field Guide (Syngress, ISBN: 1597490792). Craig was the Senior Security Engineer and Coarchitect of NASA’s Mission Operations AIS Security Engineering Team. Craig has cofounded two ISSA U.S. regional chapters: the Central Plains Chapter and the Texas Gulf Coast Chapter. He is a member of the Police Reserve Specialists unit of the Hillsboro Police Department in Oregon. He leads the unit’s Police-to-Business-High-Tech speakers’ initiative and assists with Internet forensics.

Jim Binkley is a senior network engineer and network security researcher at Portland State University (PSU). Jim has over 20 years of TCP/IP experience and 25 years of UNIX operating system experience. Jim teaches graduate-level classes in network security, network management, and UNIX operating systems at PSU. He provides the university with various forms of network monitoring as well as consulting in network design. In the past Jim was involved in the DARPA-funded “secure mobile networks” grant at PSU along with John McHugh. His specialties include wireless networking and network anomaly detection, including the open-source ourmon network monitoring and anomaly detection system. Jim holds a Master of Science in Computer Science from Washington State University.

Contributors

Tony Bradley (CISSP-ISSAP) is the Guide for the Internet/Network Security site on About.com, a part of The New York Times Company. He has written for a variety of other Web sites and publications, including PC World, SearchSecurity.com, WindowsNetworking.com, Smart Computing magazine, and Information Security magazine. Currently a security architect and consultant for a Fortune 100 company, Tony has driven security policies and technologies for antivirus and incident response for Fortune 500 companies, and he has been network administrator and technical support for smaller companies. He is author of Essential Computer Security: Everyone’s Guide to E-mail, Internet, and Wireless Security (Syngress, ISBN: 1597491144). Tony is a CISSP (Certified Information Systems Security Professional) and ISSAP (Information Systems Security Architecture Professional). He is Microsoft Certified as an MCSE (Microsoft Certified Systems Engineer) and MCSA (Microsoft Certified Systems Administrator) in Windows 2000 and an MCP (Microsoft Certified Professional) in Windows NT. Tony is recognized by Microsoft as an MVP (Most Valuable Professional) in Windows security. On his About.com site, Tony has on average over 600,000 page views per month and 25,000 subscribers to his weekly newsletter. He created a 10-part Computer Security 101 Class that has had thousands of participants since its creation and continues to gain popularity through word of mouth. In addition to his Web site and magazine contributions, Tony was also coauthor of Hacker’s Challenge 3 (ISBN: 0072263040) and a contributing author to Winternals: Defragmentation, Recovery, and Administration Field Guide (ISBN: 1597490792) and Combating Spyware in the Enterprise (ISBN: 1597490644). Tony wrote Chapter 4.

Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist/Computer Forensic Analyst with the Niagara Regional Police Service (NRPS). He performs computer forensic examinations on computers involved in criminal investigation. He also has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining the NRPS Web site at www.nrps.com and the NRPS intranet, he has provided support in the areas of programming, hardware, and network administration. As part of an information technology team that provides support to a user base of more than 800 civilian and uniform users, he has a theory that when the users carry guns, you tend to be more motivated in solving their problems. Michael also owns KnightWare (www.knightware.ca), which provides computer-related services such as Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and he has been published more than three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada, with his lovely wife, Jennifer, his darling daughter, Sara, and charming son, Jason. Michael wrote Chapter 11.

Gadi Evron works for the McLean, VA-based vulnerability assessment solution vendor Beyond Security as Security Evangelist and is the chief editor of the security portal SecuriTeam. He is a known leader in the world of Internet security operations, especially regarding botnets and phishing. He is also the operations manager for the Zeroday Emergency Response Team (ZERT) and a renowned expert on corporate security and espionage threats. Previously, Gadi was Internet Security Operations Manager for the Israeli government and the manager and founder of the Israeli government’s Computer Emergency Response Team (CERT). Gadi wrote Chapter 3.

David Harley (BA, CISSP) has written or contributed to over a dozen security books, including Viruses Revealed and the forthcoming AVIEN Malware Defense Guide for the Enterprise. He is an experienced and well-respected antivirus researcher, and he also holds qualifications in security audit (BS7799 Lead Auditor), ITIL Service Management, and medical informatics. His background includes security analysis for a major medical research charity and managing the Threat Assessment Centre for the U.K.’s National Health Service, specializing in the management of malware and e-mail security. His “Small Blue-Green World” provides consultancy and authoring services to the security industry, and he is a frequent speaker at security conferences. David cowrote Chapter 5.

Chris Ries is a Security Research Engineer for VigilantMinds Inc., a managed security services provider and professional consulting organization based in Pittsburgh. His research focuses on the discovery, exploitation, and remediation of software vulnerabilities, analysis of malicious code, and evaluation of security software. Chris has published a number of advisories and technical white papers based on his research. He has also contributed to several books on information security. Chris holds a bachelor’s degree in Computer Science with a Mathematics Minor from Colby College, where he completed research involving automated malicious code detection. Chris has also worked as an analyst at the National Cyber-Forensics & Training Alliance (NCFTA), where he conducted technical research to support law enforcement. Chris tech-edited Chapters 8 and 9.

Carsten Willems is an independent software developer with 10 years’ experience. He has a special interest in the development of security tools related to malware research. He is the creator of the CWSandbox, an automated malware analysis tool. The tool, which he developed as a part of his thesis for his master’s degree in computer security at RWTH Aachen, is now distributed by Sunbelt Software in Clearwater, FL. He is currently working on his PhD thesis, titled “Automatic Malware Classification,” at the University of Mannheim.
In November 2006 he was awarded third place at the Competence Center for Applied Security Technology (CAST) for his work titled “Automatic Behaviour Analysis of Malware.” In addition, Carsten has created several office and e-business products. Most recently, he has developed SAGE GS-SHOP, a client-server online shopping system that has been installed over 10,000 times. Carsten wrote Chapter 10.

[...]

...bot client can check the newly infected host for applications that it knows how to exploit. When it determines that the host owner is a customer of, for example, an e-gold account, the client can download a component that piggybacks over the next connection to e-gold the customer makes. While the host owner is connected to their e-gold account, the exploit will siphon the funds from the account by submitting...

...that connection. To the A/V vendor, they’ve done their job if they find the malicious code and deal with it. However, the corporate security officer would really like to know more. The organizing schema for the bot tells the security officer what potential attack vectors were used to infect the computer so that they might plug the holes instead of just fixing the broken machines. Each of the original bot families...

...describes the current state and how we got to this place. We come from many levels and as such we must start from the very beginning. What is a botnet? In its simplest form, it is an army of compromised computers that take orders from a botherder. A botherder is an immoral hacker who uses the botnet for financial gain or as a weapon against others. The Killer Web App: How does this make a botnet a killer Web app? The...

...it. Much has been made of the loss of this weapon by the press. In the article, several security professionals admit that the battle is lost. In real warfare, generals must battle the enemy, but just as important, they must battle against the loss of morale. Many of the security professionals who pioneered the fight against botnets are demoralized by the realization that taking out the Command and Control...

...could give us no information that could vouch for the quality of their intelligence sources. Our early weapon against botnets involved removing the bot server, the strategy of “removing the head of the serpent.” Recent articles about the state of the security profession response to botnets have lamented the discovery that we are not fighting a snake, but rather, a hydra. It has not one head but many and...

...are seen in other bots. Since many of the bots are open source, modular, and in C/C++, it is easy to take source from one bot and add its capabilities to another bot. There is also a tendency for the A/V companies to use the names that they designated to the exclusion of other vendor-created names. Partially, this is because there are so many variants of each bot family that two bots in the same family...

...the hackers that the Lithuanians must be using it in some way to make money. They reasoned that they could do the same thing for themselves. They created their own botnet with 1.5 million zombie clients. In one venture, they were using the botnet to install software for an adware company, 180Solutions. 180Solutions had been under pressure from the public to clean up its act for years. In January 2005, they...

...changed their policy to exclude paying for software installations that the user did not authorize. In doing so they began to terminate agreements with distributors that installed their software without the user’s approval. By August, according to 180Solutions, they had terminated 500 distributors. The Dutch hackers then employed the botnet to extort money by DDoSing 180Solutions until they paid. The company...

...sector for these attacks. Although botnets can be random, they can also be customized to a selected set of potential hosts. The botherder can configure the bot clients to limit their scanning to hosts in a defined set of Internet Protocol (IP) addresses. With this targeting capability comes the capability to market customized attacks for sale. The targeting capability of botnets is adaptive as well. The bot...

...were not usually detected until the botherder had abandoned the computer. As soon as the bot client stopped running, the remnants were detected. This is to say, the actual number is much larger than what Symantec can report. Recall that one of the bot client modules is supposed to make the antivirus tool ineffective and prevent the user from contacting the antivirus vendor’s Web site for updates or removal.

Date posted: 25/03/2014, 11:07


Table of contents

  • Botnets: The Killer Web App
    • Contents
    • Chapter 1: Botnets: A Call to Action
      • Introduction
      • The Killer Web App
      • How Big Is the Problem?
      • The Industry Responds
    • Chapter 2: Botnets Overview
      • What Is a Botnet?
      • The Botnet Life Cycle
      • What Does a Botnet Do?
      • Botnet Economics
    • Chapter 3: Alternative Botnet C&Cs
      • Introduction: Why Are There Alternative C&Cs?
      • Historical C&C Technology as a Road Map
      • DNS and C&C Technology
      • Alternative Control Channels
      • Web-Based C&C Servers
    • Chapter 4: Common Botnets
      • Introduction
      • SDBot
      • RBot
      • Agobot
      • Spybot
      • Mytob
