CEHv8 Module 10: Denial of Service

Document information

Pages: 101
Size: 4.86 MB

Contents

Page 3

to be allied with Islamic terrorism.

"HSBC servers came under a denial of service attack which affected a number of HSBC websites around the world," the London-based banking giant said in a statement. "This denial of service attack did not affect any customer data, but did prevent customers using HSBC online services, including internet banking."

HSBC said it had the situation under control in the early morning hours of Friday London time.

The Izz ad-Din al-Qassam Cyber Fighters took responsibility for the attack that at points crippled users' access to hsbc.com and other HSBC-owned properties on the Web. The group, which has also disrupted the websites of scores of other banks including J.P. Morgan Chase (JPM) and Bank of America (BAC), said the attacks will continue until the anti-Islamic 'Innocence of Muslims' film trailer is removed from the Internet.

Page 4

Denial of Service

In this case, a group claiming to be aligned with the loosely-defined brigade of hackers called Anonymous also took responsibility. However, a source in the computer security field who has been monitoring the attacks told FOX Business "the technique and systems used against HSBC were the same as the other banks." However, the person who requested anonymity noted that Anonymous "may have joined in, but the damage was done by" al-Qassam.

The people behind al-Qassam have yet to be unmasked. Several published reports citing unnamed U.S. officials have pointed to Iran as a potential culprit, but multiple security researchers have told FOX Business the attacks don't show the hallmarks of an attack from that country.

There is a consensus, however, that the group is likely using a fairly sophisticated type of denial-of-service attack. Essentially, al-Qassam has leveraged exploits in Web server software to take servers over and then use them as weapons. Once they are taken over, they slam the Web servers hosting bank websites with a deluge of requests, making access either very slow or completely impossible. Servers have an especially high level of connectivity to the Internet, giving al-Qassam more horsepower with fewer machines.

Copyright © 2012 FOX News Network, LLC

By Adam Samson.

http://www.foxbusiness.com/industries/2012/10/19/hsbc-is-latest-target-in-cyber-attack-spree/#ixzz2D14739cA

Page 5

Module Objectives

- Service Attacks?
- DoS/DDoS Countermeasures
- Symptoms of a DoS Attack
- Techniques to Defend against Botnets
- DoS Attack Techniques
- Botnet

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Page 7

An Analogy

Consider a company (Target Company) that delivers pizza upon receiving a telephone order. The entire business depends on telephone orders from customers. Suppose a person intends to disrupt the daily business of this company. If this person came up with a way to keep the company's telephone lines engaged in order to deny access to legitimate customers, obviously Target Company would lose business.

DoS attacks are similar to the situation described here. The objective of the attacker is not to steal any information from the target; rather, it is to render its services useless. In the process, the attacker can compromise many computers (called zombies) and virtually control them. The

Page 8

(Figure labels: Attack Traffic; Regular Traffic)

Page 9

What Are Distributed Denial of Service Attacks?

- A distributed denial-of-service (DDoS) attack involves a multitude of compromised systems attacking a single target, thereby causing denial of service for users of the targeted system
- To launch a DDoS attack, an attacker uses botnets and attacks a single system

(Figure labels: Disabled Network; Loss of Goodwill; Disabled Organization; Financial Loss)

Source: www.searchsecurity.com

A distributed denial-of-service (DDoS) attack is a large-scale, coordinated attack on the availability of services on a target's system or network resources, launched indirectly through many compromised computers on the Internet.

The services under attack are those of the "primary target," while the compromised systems used to launch the attack are often called the "secondary target." The use of secondary targets in performing a DDoS attack provides the attacker with the ability to wage a larger and more disruptive attack, while making it more difficult to track down the original attacker.

As defined by the World Wide Web Security FAQ: "A Distributed Denial-of-Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial-of-service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms."

If left unchecked, more powerful DDoS attacks could cripple or disable essential Internet services in minutes.

Page 10

(Figure labels: Internet; Attacker sets a handler system; Handler; Compromised PCs (Zombies))

Page 11

(Figure label: Zombie systems are instructed)

Page 12

- Unavailability of a particular website
- Inability to access any website
- Dramatic increase in the amount of spam emails received
- Unusually slow network performance

Page 14

of techniques that are used by the attacker to perform DoS attacks on a computer or a network. They are:

- Bandwidth Attacks
- Service Request Floods
- SYN Flooding Attacks
- ICMP Flood Attacks
- Peer-to-Peer Attacks
- Permanent Denial-of-Service Attacks
- Application-Level Flood Attacks

Page 15

Bandwidth Attacks

- When a DDoS attack is launched, flooding a network, it can cause network [...] significant statistical change in the [...]
- A single machine cannot make enough requests to overwhelm network equipment; [...]
- Basically, all bandwidth is used and no bandwidth remains for legitimate use
- Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets

A bandwidth attack floods a network with a large volume of malicious packets in order to overwhelm the network bandwidth. The aim of a bandwidth attack is to consume the network bandwidth of the targeted network to such an extent that it starts dropping packets. The dropped packets may include those of legitimate users. A single machine cannot make enough requests to overwhelm network equipment; therefore, DDoS attacks were created, where an attacker uses several computers to flood a victim.

Typically, a large number of machines is required to generate the volume of traffic required to flood a network. As the attack is carried out by multiple machines that are combined together to generate overloaded traffic, this is called a distributed denial-of-service (DDoS) attack. Furthermore, detecting the source of the attack and blocking it is difficult, as the attack is carried out by numerous machines that are part of different networks. All the bandwidth of the target network is used by the malicious computers and no bandwidth remains for legitimate use.

Attackers use botnets and carry out DDoS attacks by flooding the network with ICMP ECHO packets.

Page 16

- An attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections
- Service request flood attacks flood servers with a high rate of connections from a valid source
- It initiates a request on every connection

Service Request Floods

Service request floods work based on the connections-per-second principle. In this method or technique of a DoS attack, the servers are flooded with a high rate of connections from a valid source. In this attack, an attacker or group of zombies attempts to exhaust server resources by setting up and tearing down TCP connections. This probably initiates a request on each connection, e.g., an attacker may use his or her zombie army to fetch the home page from a target web server repeatedly. The resulting load on the server makes it sluggish.

Page 18

(Figure labels: Normal connection establishment: SYN, SYN/ACK, ACK; SYN Flooding: SYN SYN SYN SYN)

- SYN Flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake
- When Host B receives the SYN request from A, it must keep track of the partially-opened connection in a "listen queue" for at least 75 seconds
- A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN/ACK
- The victim's listen queue is quickly filled up
- This ability of removing a host from the network for at least 75 seconds can be used as a denial-of-service attack

SYN Flooding

SYN flooding is an attack on a vulnerability in the TCP protocol that emerges as a denial-of-service attack. This attack occurs when the intruder sends unlimited SYN packets (requests) to the host system. The process of transmitting such packets is faster than the system can handle. The connection is established as defined by the TCP three-way handshake as:

- Host A sends the SYN request to Host B
- Host B receives the SYN request, and replies to the request with a SYN-ACK to Host A
- Thus, Host A responds with the ACK packet, establishing the connection

When Host B receives the SYN request from Host A, it makes use of the partially open connections that are available in the listen queue for a few seconds, e.g., for at least 75 seconds. The intruder transmits infinite numbers of such SYN requests with a forged address, which allows the client to process the false addresses, leading to a misperception. Such numerous requests can produce the TCP SYN flooding attack. It works by filling the table reserved for half-open TCP connections in the operating system's TCP/IP stack. When the table becomes full, new connections cannot be opened until and unless some entries are removed from the table (due to handshake timeout). This attack can be carried out using fake IP addresses, so it is difficult to trace the source. The table of connections can be filled without spoofing the source IP address. Normally, the space existing for fixed tables, such as a half-open TCP connection table, is less than the total

Page 19

(Figure labels: Host A; Host B; Normal connection establishment; SYN Flooding: SYN, SYN)

FIGURE 10.3: SYN Flooding

Page 20

to a destination system and receive a response with the roundtrip time.

A DDoS ICMP flood attack occurs when zombies send large volumes of ICMP_ECHO packets to a victim system. These packets signal the victim's system to reply, and the combination of traffic saturates the bandwidth of the victim's network connection. The source IP address may be spoofed.

In this kind of attack the perpetrators send a large number of packets with fake source addresses to a target server in order to crash it and cause it to stop responding to TCP/IP requests.

After the ICMP threshold is reached, the router rejects further ICMP echo requests from all addresses in the same security zone.
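The half-open connection table with its handshake timeout (SYN flooding section) and the per-second ICMP echo threshold (this section) can both be made concrete in code. The following is an added example, not part of the CEH module: a constructed packet trace (not real traffic) is replayed through a per-destination backlog, and a simple window-based detector flags SYN floods (many SYNs, few completed handshakes) and ICMP echo floods. Backlog capacity, the 75-second timeout and the alert thresholds are assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since start of the capture
    src: str
    dst: str
    kind: str   # "SYN", "ACK" or "ICMP_ECHO"


class HalfOpenTable:
    """Backlog of half-open connections for one listener: SYN accepted, final ACK not yet
    seen. An entry leaves when its handshake completes or its handshake timeout expires."""

    def __init__(self, capacity: int, timeout: float):
        self.capacity = capacity       # assumed backlog size (real stacks differ)
        self.timeout = timeout         # handshake timeout; the module cites at least 75 s
        self.pending = {}              # source address -> time its SYN was accepted
        self.dropped_syns = 0          # SYNs refused because the table was full
        self.completed = 0             # handshakes that reached the ACK step

    def _expire(self, now: float) -> None:
        for src in [s for s, t in self.pending.items() if now - t >= self.timeout]:
            del self.pending[src]

    def on_syn(self, pkt: Packet) -> bool:
        self._expire(pkt.ts)
        if pkt.src in self.pending:    # retransmitted SYN, already tracked
            return True
        if len(self.pending) >= self.capacity:
            self.dropped_syns += 1     # a legitimate client arriving now is turned away
            return False
        self.pending[pkt.src] = pkt.ts
        return True

    def on_ack(self, pkt: Packet) -> bool:
        if self.pending.pop(pkt.src, None) is None:
            return False               # no half-open entry for this source
        self.completed += 1
        return True


def replay(trace, capacity=128, timeout=75.0):
    """Feed the trace through one half-open table per destination; return the tables."""
    tables = defaultdict(lambda: HalfOpenTable(capacity, timeout))
    for pkt in sorted(trace, key=lambda p: p.ts):
        if pkt.kind == "SYN":
            tables[pkt.dst].on_syn(pkt)
        elif pkt.kind == "ACK":
            tables[pkt.dst].on_ack(pkt)
    return dict(tables)


def flood_indicators(trace, window=1.0, min_syns=50, max_completion=0.2, icmp_pps=100):
    """Per destination and time window: flag SYN floods (many SYNs, few handshakes
    completing) and ICMP echo floods (echo requests above a packets-per-second threshold)."""
    buckets = defaultdict(lambda: {"SYN": 0, "ACK": 0, "ICMP_ECHO": 0})
    for pkt in trace:
        buckets[(pkt.dst, int(pkt.ts // window))][pkt.kind] += 1
    alerts = []
    for (dst, slot), c in sorted(buckets.items()):
        if c["SYN"] >= min_syns and c["ACK"] / c["SYN"] <= max_completion:
            alerts.append((dst, slot, "syn_flood", c["SYN"], c["ACK"]))
        if c["ICMP_ECHO"] / window > icmp_pps:
            alerts.append((dst, slot, "icmp_flood", c["ICMP_ECHO"], 0))
    return alerts


def constructed_trace():
    """Constructed sample capture (not real traffic) against one victim address."""
    victim = "192.0.2.10"
    trace = [Packet(0.00, "198.51.100.5", victim, "SYN"),     # legitimate handshake
             Packet(0.05, "198.51.100.5", victim, "ACK")]
    # 200 SYNs from 200 forged sources within half a second; no ACK ever follows
    trace += [Packet(0.10 + i * 0.002, f"203.0.113.{i}", victim, "SYN") for i in range(200)]
    # a second legitimate client arriving after the backlog has filled
    trace += [Packet(0.60, "198.51.100.7", victim, "SYN"),
              Packet(0.65, "198.51.100.7", victim, "ACK")]
    # 300 ICMP echo requests in a single second from forged sources
    trace += [Packet(2.0 + i * 0.003, f"198.18.0.{i % 256}", victim, "ICMP_ECHO")
              for i in range(300)]
    return trace


if __name__ == "__main__":
    table = replay(constructed_trace())["192.0.2.10"]
    print(f"completed={table.completed} dropped_syns={table.dropped_syns} "
          f"half_open={len(table.pending)}")
    for alert in flood_indicators(constructed_trace()):
        print(alert)
```

With the 75-second timeout the second legitimate client is refused because 128 forged entries still occupy the table; rerunning `replay(constructed_trace(), timeout=0.3)` lets stale entries expire and its handshake completes, which is the effect the text attributes to the handshake timeout.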

Page 22

- Using peer-to-peer attacks, attackers instruct clients of peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's fake website
- Attackers exploit flaws found in the network using the DC++ (Direct Connect) protocol, that is used for sharing all types of files between instant messaging clients
- Using this method, attackers launch massive denial-of-service attacks and compromise websites

(Figure label: User-1)

Page 24

Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall

that damages the system and makes the hardware unusable for its original purpose until it is

administration on the management interfaces of the victim's hardware such as printers, routers, and other networking hardware

This attack is carried out using a method known as "bricking a system." In this method, the attacker sends email, IRC chats, tweets, and posts videos with fraudulent hardware updates to the victim by modifying and corrupting the updates with vulnerabilities or defective firmware. When the victim clicks on the links or pop-up windows referring to the fraudulent hardware updates, they get installed on the victim's system. Thus, the attacker takes complete control over the victim's system.

Page 25

FIGURE 10.5: (labels: Sends email, IRC chats, tweets, posts videos with fraudulent content for hardware updates; Victim (Malicious code is executed))

Page 26

Application Level Flood Attacks

- Application-level flood attacks result in the loss of services of a particular network, such as emails, network resources, the temporary ceasing of applications and services, and more
- Using this attack, attackers destroy programming source code and files in affected computer systems

Using application-level flood attacks, attackers attempt to:

- Jam the application-database connection by crafting malicious SQL queries
- Disrupt service to a specific system or person, for example, blocking a user's access by repeating invalid login attempts
- Flood web applications [...] to legitimate user traffic

Page 27

FIGURE 10.7: Application-level Flood Attacks (labels: Attacker; Attacker exploiting application source code; Victim)

Page 29

that offers criminal services

- Organized groups create and rent botnets and offer various services, from writing malware, to hacking bank accounts, to creating massive denial-of-service attacks against any target for a price
- According to Verizon's 2012 Data Breach Investigations Report, the majority of breaches were driven by organized groups and almost all data stolen (98%) was the work of criminals outside the victim organization
- The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hacktivism is a matter of concern for national security agencies

Cyber criminals have developed very refined and stylish ways to use trust to their advantage and to make financial gains. Cyber criminals are increasingly being associated with organized crime syndicates to take advantage of their refined techniques. Cybercrime is now getting more organized. Cyber criminals are independently developing malware for financial gain. Now they operate in groups. This has grown as an industry. There are organized groups of cyber criminals who develop plans for different kinds of attacks and offer criminal services. Organized groups create and rent botnets and offer various services, from writing malware, to attacking bank accounts, to creating massive denial-of-service attacks against any target for a price. The increase in the number of malware puts an extra load on security systems.

According to Verizon's 2010 Data Breach Investigations Report, the majority of breaches were driven by organized groups and almost all data stolen (70%) was the work of criminals outside the target organization.

The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hacktivism is a matter of concern for national security agencies.

Page 30

Cybercrimes are organized in a hierarchical manner. Each criminal gets paid depending on the task that he or she performs or his or her position. The head of the cybercrime organization, i.e., the boss, acts as a business entrepreneur. He or she does not commit cybercrimes directly. The boss is the first in the hierarchy level. The person who is at the next level is the "underboss." The underboss is the second person in command and manages the operation of cybercrimes.

The "underboss" provides the necessary Trojans for attacks and also manages the Trojans' command and control center. People working under the "underboss" are known as "campaign managers." These campaign managers hire and run their own attack campaigns. They perform attacks and steal data by using their affiliation networks as distributed channels of attack. The stolen data is then sold by "resellers." These resellers are not directly involved in the crimeware attacks. They just sell the stolen data of genuine users.

Page 31

FIGURE 10.8: Organizational Chart (labels: Underboss: Trojan Provider and Manager of Trojan Command and Control; Stolen Data Reseller)

Page 32

Botnet

- Bots are software applications that run automated tasks over the Internet and perform simple repetitive tasks, such as web spidering and search engine indexing
- A botnet is a huge network of the compromised systems and can be used by an intruder

(Figure label: Sets a bot C&C handler)

The term botnet is derived from the words roBOT NETwork, which is also called zombie army. A botnet is a huge network of compromised systems. It can compromise huge numbers of machines without the intervention of machine owners. Botnets consist of a set of compromised systems that are monitored for a specific command infrastructure.

Botnets are also referred to as agents that an intruder can send to a server system to perform some illegal activity. They are the hidden programs that allow identification of vulnerabilities. It is advantageous for attackers to use botnets to perform illegitimate actions such as stealing sensitive information (e.g., credit card numbers) and sniffing confidential company information.

Botnets are used for both positive and negative purposes. They help in various useful services such as search engine indexing and web spidering, but can also be used by an intruder to create denial-of-service attacks. Systems that are not patched are most vulnerable to these attacks. As the size of a network increases, the possibility of that system being vulnerable also increases. An intruder can scan network ranges to identify which ones are vulnerable to attacks. In order to attack a system, an intruder targets machines with Class B network ranges.

Purpose of Botnets:

- Allows the intruder to operate remotely

Page 33

- Scans environment automatically, and spreads through vulnerable areas, gaining access via weak passwords and other means
- Allows compromising a host's machine through a variety of tools
- Creates DoS attacks
- Enables spam attacks that cause SMTP mail relays
- Enables click fraud and other illegal activities

The diagram that follows shows how an attacker launches a botnet-based DoS attack on a

FIGURE 10.9: BOTNET (labels: Attacker; Bot Command & Control Center; Attacker sends commands to the bots through C&C; Victim (Bot))

In order to perform this kind of attack, the attacker first needs to create a botnet. For this purpose, the attacker infects a machine, i.e., victim bot, and compromises it. He or she then uses the victim bot to compromise some more vulnerable systems in the network. Thus, the attacker creates a group of compromised systems known as a botnet. The attacker configures a bot command and control (C&C) center and forces the botnet to connect to it. The zombies or botnet connect to the C&C center and wait for instructions. The attacker then sends commands to the bots through C&C to launch a DoS attack on a target server. Thus, he or she makes the target server unavailable or non-responsive for other genuine hosts in the network.
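The "connect to the C&C center and wait for instructions" behaviour described above is what a defender can look for in outbound flow logs: a bot tends to check in at a near-constant interval, while a user's traffic is irregular. The following is an added example, not code from the CEH module, run over a constructed flow log (not real traffic); the minimum number of connections and the jitter threshold are assumed values.

```python
from collections import defaultdict
from itertools import accumulate
from statistics import mean, pstdev


def beacon_candidates(flows, min_connections=6, max_jitter=0.15):
    """Group outbound flows by (internal host, external address, port) and report pairs whose
    inter-connection intervals are nearly constant. Returns (pair, mean_interval_s, jitter,
    connection_count) tuples; jitter is the coefficient of variation of the intervals."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)
    results = []
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue                      # too few check-ins to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                      # duplicate timestamps, nothing to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            results.append((pair, round(avg, 1), round(jitter, 3), len(stamps)))
    return results


def constructed_flows():
    """Constructed flow log (not real traffic): one host checking in with a C&C server at
    roughly one-minute intervals, one host browsing a web server at irregular times."""
    bot_gaps = [60, 61, 59, 60, 62, 58, 60, 61, 59]
    bot_ts = list(accumulate([1000] + bot_gaps))          # 10 check-ins, near-constant spacing
    user_gaps = [3, 45, 2, 120, 7, 300, 15, 1]
    user_ts = list(accumulate([1005] + user_gaps))        # 9 connections, bursty spacing
    flows = [(t, "10.0.0.23", "203.0.113.50", 6667) for t in bot_ts]
    flows += [(t, "10.0.0.41", "198.51.100.20", 443) for t in user_ts]
    flows += [(1100, "10.0.0.41", "198.51.100.21", 443)]  # one-off connection, ignored
    return sorted(flows)


if __name__ == "__main__":
    for pair, interval, jitter, count in beacon_candidates(constructed_flows()):
        print(f"{pair[0]} -> {pair[1]}:{pair[2]} every ~{interval}s, "
              f"jitter {jitter}, {count} check-ins")
```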

Page 34

Botnet propagation is the technique used to hack a system and grab tradable information from it without the victim's knowledge. The head of the operations is the boss or the cybercriminal. Botnet propagation involves both the criminal (boss) and attackers (campaign managers). In this attack, the criminal doesn't attack the victim system directly; instead, he or she performs attacks with the help of attackers. The criminal configures an affiliation network as distribution channels. The job of campaign managers is to hack and insert a reference to malicious code into a legitimate site. The malicious code is usually operated by other attackers. When the malicious code runs, the campaign managers are paid according to the volume of infections accomplished. Thus, cybercriminals promote infection flow. The attackers serve malicious code generated by the affiliations to visitors of the compromised sites. Attackers use customized crimeware from crimeware toolkits that is capable of extracting tradable information from the victim's machine.

Page 35

FIGURE 10.10: Botnet Propagation Technique (labels: Criminal; Attackers; Cybercrime Related IT Operations (Servers, Software, and Services); Trojan uploads stolen data and receives commands from command and control center)

Page 36

Botnet Ecosystem

(Figure labels: Malicious Site; Scan & Intrusion; Financial Diversion; Licenses, MP3, DivX; Botnet; Data Theft; Crimeware Toolkit; Trojan Command and Control Center; Database; Spam: Mass Mailing; Client-Side Vulnerability; Botnet Market)

to enormous increase in cybercrimes. Botnets form the core of the cybercriminal activity center that links and unites various parts of the cybercriminal world. Cybercriminal service suppliers are a part of the cybercrime network. These suppliers offer services such as malicious code development, bulletproof hosting, creation of browser exploits, and encryption and packing.

Malicious code is the main tool used by criminal gangs to commit cybercrimes. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, specially crafted applications to attack remote computers via network, etc. Malware services are offered by developers on public sites or closed Internet resources.

Typically, the botnet ecosystem is divided into three parts, namely trade market, DDoS attack, and spam. A botmaster is the person who makes money by facilitating the infected botnet groups for service on the black market. The master searches for vulnerable ports and uses them as candidate zombies to infect. The infected zombies further can be used to perform DDoS attacks. On the other hand, spam emails are sent to randomly chosen users. All these activities together guarantee the continuity of malicious botnet activities.

Page 37

The pictorial representation of the botnet ecosystem is shown as follows:

FIGURE 10.11: Botnet Ecosystem (labels: Malicious Site; Financial Diversion; Licenses, MP3, DivX; Botnet; Data Theft; Malware Market)

Page 38

Page 39

(Screenshot label: Sortable and configurable SIN Console)

FIGURE 10.12: Botnet Trojan: sharK

Page 40

Poison Ivy: Botnet Command Control Center

Poison Ivy is an advanced encrypted "reverse connection" remote administration tool for firewall bypassing. It gives an attacker the option to access, monitor, or even take control of a compromised system. Using this tool, attackers can steal passwords, banking or credit card information, as well as other personal information.

FIGURE 10.13: Poison Ivy: Botnet Command Control Center

Posted: 14/04/2017, 10:13