Cyber Criminal Activity (group 2)

From CyberSecurity

Whitepaper Proposal

Summary

Topics: Cyber Criminal Activity

Team members:

Jing Xiao (James)

Ted Zuvich

Michael A. Laurenzano

Elijah Joshua Esquibel


Spyware is causing growing trouble and confusion for Internet users. We will research current spyware intrusions and botnet attacks and analyze the severity and reach of this threat to ordinary Internet users and organizations. We will use one type of spyware and one botnet attack as examples and analyze how each gains entry and operates, the harm it causes, the cost of preventing it... We will also look into the history of cyber criminal activity and trace the evolution of attackers, targets, defenders, vulnerabilities, threats and goals of attacks.

How are we dividing the tasks:

Spyware intrusion (general analysis and example) -- Jing

Botnets attacks (general analysis and example) -- Ted

Evolution of attackers, targets, defenders, vulnerabilities, threats and goals of attacks: botnets -- Elijah, spyware -- Michael


Section 1: Spyware Intrusion

Section 2: Botnets Attacks

Section 3: Spyware

Section 4: Development and Expansion of Bots: Attackers, Victims, and Policy

First Draft

Advancements and Developments in Bot Software

Internet Relay Chat (IRC) was commonly used in the infant stages of the Internet. “It was originally written by Jarkko Oikarinen in 1988. Since starting in Finland, it has been used in over 60 countries around the world. IRC is a multi-user chat system, where people meet on "channels" (rooms, virtual places, usually with a certain topic of conversation) to talk in groups, or privately. There is no restriction to the number of people that can participate in a given discussion, or the number of channels that can be formed on IRC.” (Vonck) It was a simple way for people to chat with (and insult) each other over the Internet; think Microsoft Messenger or AOL, but without all the pretty skins and features.

The difference with IRC is that you could impose specific rules and limit the number of users that had access to your server, along with passwords for private chat. As time went on, people developed ways to monitor activity on these channels. The inherent problem with this type of chat is that if the operator lost connection, another person would be assigned as operator and given control of the channel. This led people to target specific users and launch DDoS attacks and worse.

In 1993 Eggdrop was written by the then 18-year-old Robey Pointer (Marijn); this program allowed the user to monitor a single channel within IRC and combine the power of bots. In 1999 Prettypark, an attachment that shows a 3D pipes screensaver, was distributed and allowed the controller to download an executable file from the IRC server. The possibilities unleashed by this bot are still active in today's bots. The bot allows a controller to gather and monitor information on an infected PC or, in a corporate setting, on a number of workstations. Later, once connected to the controller's server, the bot can be used as a Trojan to gather passwords and user login information as well as to access the victim's hard disks. The icon is that of Kyle Broflovski from South Park, chosen to entice people to click on it.

Prettypark is not a direct relative of the IRC bot software that we see today, but it did inspire the one that all malicious IRC bots share as a common ancestor: Backdoor.Sdbot. Gtbots brought to the table the ability to use hidewindow to run covertly on an infected PC without being noticed, but they were not used much until later in 2000. It was not until 2002 that Backdoor.Sdbot types were able to wield the collective power of a botnet under a single channel. Backdoor.Sdbot was malicious by nature, setting itself up to run upon startup of an infected PC, and it was C++ based, allowing it broad flexibility. It was crafted to be stealthy: it would cover its tracks from the user of the infected host computer by running in the background under unsuspicious .exe names, and it would download and install automatically without being noticed.

Moving along we come to the Agobots of late 2002. These descendants of Backdoor.Sdbot incorporated more features and cleaner code, so that modification was easier. Agobot also included scanners for backdoors and vulnerabilities that may be exploitable. It was highly modular and could be used efficiently to build botnets. Agobot and its derivative Spybot continue to this day to be the programs of choice for launching attacks. Botmasters are becoming more sophisticated in that they organize their botnets into categories: machines running systems prior to XP and connecting via a modem are placed on a botnet used for DDoS attacks, while the more powerful computers are used to execute higher level attacks.

Vulnerabilities and Threats

Key loggers: These allow the controller to view a log file of everything typed on an infected computer's keyboard, which may allow them to steal passwords.

Screen shots: This allows the bot to send the controller an image of the infected machine’s display. This could defeat password-protection measures that companies use to thwart theft, such as partial entry of passwords or images that go with a passphrase.

Application termination: This allows botmasters to attack specific programs on a bot that may detect its operation. For example, the infected computers will turn off the AV software installed on them because the bot received a command to kill all AV programs.

Clipboard copy: Copies anything you have placed on the clipboard for copy and paste, such as text from Word files or passwords. The bot then reports your actions back to the server.

Passwords: Bots are able to scan the host for vulnerabilities and then download malicious programs that take advantage of them, giving the controller access to privileges and passwords.

Peripheral control: This allows the botmaster to take control of devices attached to the infected computer, like a webcam or a printer, and seize information or become a “peeping tom”.

Spam: The infected computer is used to send out spam and commit DDoS attacks in coordination with other computers on the channel.

Packet interception (sniffing): The botmaster can intercept packets, discover where they are coming from, and expand over the local network.

Rootkits: These hide all the functions that would let a user know that their computer has become a zombie, allowing the botmaster to move about the bot without detection.

P2P fraud: The use of peer-to-peer networks like Kazaa to distribute malicious programs so that more bots can be brought onto the botnet. This is accomplished by naming files as desirable content and fooling unsuspecting downloaders.

Motives and Goals

Botnets are used to send out e-mail messages for spam and phishing attacks. They can also be used to send out a flood of data to bring down a system in a denial-of-service attack.

The software that bots run is much harder to detect than a worm because bot software tends to be less obvious to the user. Worms spread automatically and with blazing speed. This speed and randomness create a lot of traffic (Internet noise) that is easily picked up by monitoring devices. Botnets, on the other hand, are designed to look for networks to infect; this does not take as much bandwidth as a worm and allows the bot software to propagate with less detection.

DDoS to the highest bidder by these botmasters is the equivalent of a paid hit to take out Internet sites. Extorting money in return for not launching a DDoS attack is also a way of making money. Spam, credit card fraud, and affiliate incentive programs are also reasons to set up a botnet and make easy money.

Defense

In an article by David Dittrich we are given five simple ways to fight back against attacks by bots on our computers. At the beginning he says, “Large enterprises may have hundreds of compromised hosts being used by a single attacker. And numerous attackers are likely using multiple sets of computers. Defending against botnet attacks is challenging and complex.” (Dittrich) His suggestions are as follows:

  1. Scan hosts and network traffic for the telltale signs of bot infection.
  2. Tune routers, firewalls and intrusion-detection/prevention systems to detect and block botnet traffic.
  3. Secure hosts against botnet exploit.
  4. Apply reverse engineering to bot code.
  5. Work with law enforcement to help prosecute botnet creators.

I believe that these suggestions would greatly limit the ability of bot “herders” to collect these massive botnets, because they would be discovered at a higher rate, and hopefully we can mitigate the damage done by reducing the time that machines are compromised or that others are infected.
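As an added illustration of Dittrich's first step (scanning network traffic for the telltale signs of bot infection), the following script is not from the page or from Dittrich's article. It reads constructed flow records and flags two patterns described in this draft: several internal hosts all rendezvousing on the same external IRC endpoint (the single control channel of an Sdbot/Agobot-style botnet) and a single internal host sweeping many neighbours on one port while looking for exploitable machines. The log format, the 10.0.0.0/8 internal range, the port list and every address are assumptions made for the demo.

```python
"""Flag bot-infection signs in flow records: shared external IRC rendezvous
and single-host port sweeps.  Added example; log format and addresses are
constructed, the site range and IRC port list are assumed policy."""
from collections import defaultdict
import ipaddress

# Constructed flow records: "timestamp src_ip src_port dst_ip dst_port bytes"
SAMPLE_LOG = """\
2005-05-18T09:01:02 10.0.0.11 49152 203.0.113.5 6667 412
2005-05-18T09:01:05 10.0.0.12 49153 203.0.113.5 6667 398
2005-05-18T09:01:07 10.0.0.13 49154 203.0.113.5 6667 405
2005-05-18T09:02:10 10.0.0.14 49155 203.0.113.5 6667 401
2005-05-18T09:02:30 10.0.0.13 49170 10.0.0.50 445 60
2005-05-18T09:02:31 10.0.0.13 49171 10.0.0.51 445 60
2005-05-18T09:02:32 10.0.0.13 49172 10.0.0.52 445 60
2005-05-18T09:02:33 10.0.0.13 49173 10.0.0.53 445 60
2005-05-18T09:02:34 10.0.0.13 49174 10.0.0.54 445 60
2005-05-18T09:03:00 10.0.0.11 49160 198.51.100.20 80 15233
2005-05-18T09:03:30 10.0.0.21 49161 198.51.100.20 443 9876
2005-05-18T09:04:00 10.0.0.22 49162 198.51.100.21 80 3301
"""

# Standard IRC ports; a real deployment would take this list from local policy.
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site address range


def parse_flows(text):
    """Turn the whitespace-separated records into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def find_rendezvous(flows, min_clients=3):
    """Return {(dst, dport): [internal sources]} for each external IRC endpoint
    that at least `min_clients` distinct internal hosts connect to.  Ordinary
    users rarely all pick the same IRC server, so this is the C&C channel pattern."""
    clients = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]) and f["dport"] in IRC_PORTS:
            clients[(f["dst"], f["dport"])].add(f["src"])
    return {k: sorted(v) for k, v in clients.items() if len(v) >= min_clients}


def find_scanners(flows, min_targets=5):
    """Return {(src, dport): target_count} for internal hosts that touch at least
    `min_targets` distinct destinations on one port: the sweep a bot performs
    while hunting for exploitable neighbours."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f["src"]):
            targets[(f["src"], f["dport"])].add(f["dst"])
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for (dst, port), hosts in find_rendezvous(flows).items():
        print(f"possible C&C {dst}:{port} used by {len(hosts)} hosts: {', '.join(hosts)}")
    for (src, port), n in find_scanners(flows).items():
        print(f"possible scanner {src} touched {n} hosts on port {port}")
```

Both checks key on the low-bandwidth behaviour the draft contrasts with worms: a handful of small, long-lived connections to one outside server, and a quiet sweep of neighbours, neither of which shows up as a traffic spike. The thresholds are deliberately loose here; on a real network they would be tuned against a baseline so that a legitimately shared service does not trip the rendezvous check.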

Prevention of attacks

More robust nodes, by making sure that your servers, desktops, and laptops all have current patches. TCP/IP stack fortification by use of a larger maximum queue and SYN cookies. Eliminate services that are not necessary and pose a threat; more applications equal more vulnerabilities. Restrict TCP to ports 80 and 443 on web servers, TCP/DNS 35 and other known ports, and watch for access attempts on open ports.
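To make the stack-hardening and port-restriction advice above checkable, here is an added audit script that is not part of the original page. It parses constructed stand-ins for `sysctl -a` and `ss -ltn` output and reports the weak settings beside what policy requires: SYN cookies off and a small SYN queue on the sysctl side, and a stray non-web listener on the socket side. The two sysctl key names are the real Linux ones; the threshold values, the allowed-port set and the sample output are assumptions made for the demo.

```python
"""Audit SYN-flood settings and listening ports against a web-server policy.
Added example; SYSCTL_DUMP and LISTENERS are constructed, and the thresholds
in WEB_POLICY / ALLOWED_PORTS are assumed policy values."""

# Constructed `sysctl -a` excerpt showing weak settings.
SYSCTL_DUMP = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.ip_forward = 0
"""

# Constructed `ss -ltn` output from a web server that also has an IRC daemon up.
LISTENERS = """\
State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    0.0.0.0:80           0.0.0.0:*
LISTEN  0      128    0.0.0.0:443          0.0.0.0:*
LISTEN  0      128    0.0.0.0:6667         0.0.0.0:*
LISTEN  0      128    127.0.0.1:53         0.0.0.0:*
"""

# Assumed web-server policy: (comparison, required value) per sysctl key.
WEB_POLICY = {
    "net.ipv4.tcp_syncookies": ("==", 1),
    "net.ipv4.tcp_max_syn_backlog": (">=", 1024),
}
ALLOWED_PORTS = {80, 443}  # what a public web server is expected to expose


def parse_sysctl(text):
    """'key = value' lines -> {key: value}; numeric values become ints."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        settings[key.strip()] = int(value) if value.lstrip("-").isdigit() else value
    return settings


def parse_listeners(text):
    """Return {(address, port)} for every LISTEN line of an ss-style listing."""
    sockets = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        sockets.add((addr, int(port)))
    return sockets


def audit_sysctl(settings, policy):
    """One finding per key that is missing or fails its policy comparison."""
    ops = {"==": lambda a, b: a == b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}
    findings = []
    for key, (op, want) in policy.items():
        have = settings.get(key)
        if have is None:
            findings.append(f"{key}: not set (want {op} {want})")
        elif not ops[op](have, want):
            findings.append(f"{key} = {have} (want {op} {want})")
    return findings


def audit_listeners(sockets, allowed):
    """Ports bound to a non-loopback address that the policy does not allow."""
    def loopback(addr):
        return addr.startswith("127.") or addr.strip("[]") == "::1"
    return sorted((addr, port) for addr, port in sockets
                  if not loopback(addr) and port not in allowed)


if __name__ == "__main__":
    for finding in audit_sysctl(parse_sysctl(SYSCTL_DUMP), WEB_POLICY):
        print("sysctl:", finding)
    for addr, port in audit_listeners(parse_listeners(LISTENERS), ALLOWED_PORTS):
        print(f"unexpected listener {addr}:{port}")
```

Run on the sample input the script reports both sysctl keys and the 0.0.0.0:6667 listener; the loopback-only DNS socket is left alone because it is not reachable from the network. Feeding it live `sysctl -a` and `ss -ltn` output turns the paragraph's checklist into something that can run on every node after patching.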

These bots can be really nasty in that some variants are extremely hard to eradicate. A hard drive format and OS reinstall is easy and cheap. But we must all work together to combat bots, and a hard drive image may be required to help investigators and to determine defenses against bots in the future.

Botmasters are driven by a cold hard cash pipeline, and the incentive system does not seem to be going away anytime soon. What is more alarming is that a zero-day exploit will not be as easily detected as Slammer or other types of attacks. The result will be that a group will have a tailored attack rather than a random one, and such an attack could be used by terrorists.

The fight against botnets would be made much easier if ISPs and anti-virus makers were able to team up and share information so that botnets could be dismantled and uninstalled from end users’ computers.


Works Cited

  1. “Invasion of the ‘Bots’: You Could Be A ‘Zombie’ and Don’t Know It!!” National Webcast Initiative, NYS Office of Cyber Security & Critical Infrastructure Coordination, 18 May 2005 <http://www.cscic.state.ny.us/msisac/webcasts/05_05/info/518q_a.htm>
  2. Vonck, Tjerk. “Introduction to IRC for people using Windows.” 27 August 2003 <http://www.mirc.com/ircintro.html>
  3. Dittrich, David. “Five steps for beating back the bots.” Information Security, 20 March 2005 <http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1068834,00.html>
  4. Marijn. “Guide to TCL scripting for Eggdrop 1.6.” 05 December 2005 <http://www.suninet.org/tclguide/index.php?chap=1&pg=-1>