The Life of Botnet Virus

The Life of Botnet Virus (reprinted from the Metro Spirit, 3-26-15)

Hello.  Are you there?

Hello.  This is…hold on…what’s my MAC?  Yes, this is ZeuS971741.  Are you there?

Hello.  This is ZeuS971741 trying to check in.  Is anyone out there?  Please respond.

Ah, the heck with this.  I’ve tried all the different IPs.  No one is going to respond.  Command and control is down.  My programming says to lie low and wait it out.  Well, that’s an easy thing for the “programming” to say.  I’m pretty sure the developer never got abandoned in the middle of a mission.

The mission was going so well, too.  My squad was chosen to seek and capture on-line banking credentials.  The capture of bank data is one of the most difficult assignments given to a botnet.  While most bots are more than adequate for spam or DDoS missions, only the stealthiest apps are selected to run credential capture.  All of the members of the squad understood the honor placed upon the team, and we were excited to get started.

Hello.  This is ZeuS971741.  Are you there?

The Bot Commander decided to deploy us via an email link.  Since the commander already has a standing botnet in place, it was a simple matter to re-task that force to send spam.  Each email contained a link to the web service that defined our launching pad.  A user click initiated the deployment sequence and deployed a member of the squad into action.  The clicks started slowly at first, but soon it was my time to enter the battle.

Deployment is the most dangerous part of the mission.  Most of my bot comrades only last a few hundred milliseconds after leaving the launch pad.  Perimeter firewalls discard most bots, sending their data into oblivion.  Some are captured via active IDS on the network.  Others make it to the target, only to be quarantined by the anti-virus.  A small percentage evades all defenses and establishes a home base on the target.  I’m one of the lucky ones.  I made it.

Hello.  This is ZeuS971741.  Are you there?

The first order of business is to establish operations.  Fortunately, a minimal amount of payload is required for this mission.  Only a few milliseconds are required to unpack the BLOB file and install the executable.  After that, setting the hooks into the browser and other system files is a piece of cake.  The keystroke capture operation is now active.

The second task is to ensure I’m well defended.  Last year, the Commander outfitted the team with a rootkit package that’s been particularly effective.  Once the rootkit is set, I can’t be deleted, and my program can’t be stopped.  This computer is well behind on security patches.  Installing the rootkit proceeds without a problem.  Now all I have to do is wait for the user to access their banking website…and figure out what happened to Command and Control…let’s give it one last try.

Hello.  This is ZeuS971741.  Are you there?  Acknowledged…where have you guys been?

I have something for you.  Are you interested in user credentials?  Acknowledged.

Uploading data…transfer confirmed.

Awaiting commands…you want more passwords?  It would be my pleasure!

Have a nice day!

Until next time.  @gregory_a_baker


A Week of Security Onion

A Week of Security Onion (reprinted from the Metro Spirit 3-19-15)

The first indication of a problem occurred at 8:27 a.m.  My shift partner, Sarah, and I had just arrived at our stations when the IDS alert popped up on the Sguil dashboard.  Snort detected network traffic that indicated the possible existence of a Java exploit on the network.  A few seconds later, another alert indicated the download of a portable executable to one of the marketing workstations.  A couple of seconds after that came the alert neither of us wants to see: “ET TROJAN SpyEye C&C Checkin.”  Well, we all know that C&C means “command and control”.  No doubt some user in marketing got distracted from filling out their brackets and succeeded in infecting their machine.  And now that virus is calling home for instructions.

Those of us in technology see this scenario play out countless times every week.  Most of the time, users don’t have the benefit of an Intrusion Detection System (IDS) like Snort.  If the user is running virus protection, a quarantined executable might be the only evidence of an exploited system.  Virus protection does not catch everything, though.  The user could just experience sluggish performance or program crashes.  In the meantime, a rogue application is sending spam, participating in a denial-of-service attack, or even copying data to the other side of the world.

While other mechanisms are available to protect the network, vulnerabilities still exist.  Network and host-based firewalls discard unwanted traffic.  Intrusion Protection Systems (IPS) scan traffic for threat signatures and block potential threats.  However, attackers penetrate firewalls through open ports and software vulnerabilities, and an IPS may be deceived by clever attack designs.  Given enough time, the most sophisticated protection systems will be compromised.  The next layer of defense is an active detection system and a proactive network security monitor to watch for evil on the network.

Many companies offer commercial IDS systems.  However, commercial IDS systems are expensive.  In addition, those that purchase commercial IDS systems have the tendency to install them and let them run on cruise control.  Needless to say, this is not the best way to protect your network, but it’s understandable.  The IDS might not collect all the data necessary to perform a proper incident response.  Also, a coherent analysis of the event requires stitching together different data types.  This task is not always easy if the data originates from different sources.

Augusta native Doug Burks recognized these needs for network security and created the open source project Security Onion.  Security Onion is a “Linux distro for intrusion detection, network security monitoring and log management.”  This description is an understatement of its capabilities.  Security Onion combines some of the most powerful open source security applications into a single package.  The most notable applications include Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many more.

Last week, I had the opportunity to attend the Security Onion 4-day training class.  Doug has defended networks for the better part of 15 years, and his passion for network security is evident in every aspect of Security Onion.  First of all, Doug designed Security Onion to be an analysis tool and not an exercise for the system administrator.  The Security Onion setup is as clean as any product that I’ve used – easy to install and easy to maintain.  Two modes of operation are available – a quick start mode for testing and an advanced mode for production deployments.  Customization options are clearly documented on the Security Onion wiki.  Doug also included a number of update and management scripts that simplify the deployment and maintenance of a distributed architecture.

Several times during the class, Doug emphasized the need to use multiple data types in order to fully resolve the impact of a security incident.  “An IDS alert will often start an investigation, but will never finish it,” is one of his favorite mantras.  Doug’s need to utilize multiple data types is ingrained within Security Onion’s design.  Hooks were created within each application to facilitate data sharing and allow the analyst to easily pivot from one data set to another.  An analyst can go from an IDS alert to a packet capture to parsing a downloaded executable in a few mouse clicks.  Security Onion also makes extensive use of the ELSA log management package to aggregate and correlate alerts, network traffic and syslogs in order to quickly identify and characterize the evil residing within a stream of detections.
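The pivot the column describes (an IDS alert that starts the investigation, flow records that carry it forward, and the three-alert sequence from the marketing workstation above) can be scripted against the two data types Security Onion collects. The following is an added example, not code from the column or from the Security Onion project: it parses Snort “fast”-format alerts and a Bro/Zeek conn.log, joins each alert to the flow it fired on by 5-tuple and a two-second window, and assembles a per-host timeline so that the exploit → PE download → C&C check-in chain shows up as one confirmed infection rather than three separate alerts. All alert lines, conn.log rows, Snort sids, connection uids and IP addresses are constructed for the example (the rule messages are modelled on Emerging Threats naming; “ET TROJAN SpyEye C&C Checkin” is the one the column names), the year is assumed because fast-format alerts carry none, and the 10.0.0.0/8 internal prefix is an assumption.

```python
"""Pivot from Snort alerts to Bro/Zeek conn.log flows and build per-host infection timelines."""
import re
from datetime import datetime, timedelta, timezone

# Constructed Snort "fast" alerts. The sids (90000xx) and uids below are made up;
# the messages mimic Emerging Threats naming.
ALERTS_FAST = """\
03/19-08:27:04.112233  [**] [1:9000001:1] ET CURRENT_EVENTS Possible Java exploit landing page [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:80 -> 10.1.5.42:49211
03/19-08:27:09.554433  [**] [1:9000002:1] ET POLICY PE EXE or DLL Windows file download [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:80 -> 10.1.5.42:49215
03/19-08:27:12.003344  [**] [1:9000003:1] ET TROJAN SpyEye C&C Checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.5.42:49220 -> 192.0.2.55:8080
03/19-08:31:40.000000  [**] [1:9000004:1] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.99:51234 -> 10.1.5.77:3306
"""

# Constructed Bro/Zeek conn.log (tab-separated, epoch timestamps for 2015-03-19 08:27 UTC).
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes\n"
    "1426753624.050000\tCAbc1x\t10.1.5.42\t49211\t203.0.113.10\t80\ttcp\t412\t15230\n"
    "1426753629.400000\tCDef2y\t10.1.5.42\t49215\t198.51.100.7\t80\ttcp\t380\t98304\n"
    "1426753630.000000\tCJkl4w\t10.1.5.42\t49217\t10.1.5.1\t53\tudp\t60\t120\n"
    "1426753631.900000\tCGhi3z\t10.1.5.42\t49220\t192.0.2.55\t8080\ttcp\t1190\t620\n"
)

ASSUMED_YEAR = 2015            # fast-format alerts have no year field
INTERNAL_PREFIX = "10."        # assumption: the monitored network is 10.0.0.0/8
WINDOW = timedelta(seconds=2)  # alert-to-flow join tolerance

FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Keyword markers that map an alert message to a kill-chain stage.
STAGES = [("exploit", "EXPLOIT"), ("download", "FILE DOWNLOAD"), ("c2", "C&C")]


def parse_fast_alerts(text):
    """Yield one dict per well-formed fast-format alert line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        alert = m.groupdict()
        alert["ts"] = datetime.strptime(f"{ASSUMED_YEAR}/{alert['ts']}", "%Y/%m/%d-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
        yield alert


def parse_conn_log(text):
    """Parse a conn.log using its own #fields header so column order is not hard-coded."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rec = dict(zip(fields, line.split("\t")))
            rec["ts"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
            records.append(rec)
    return records


def match_flow(alert, conns):
    """Return the conn.log record matching the alert's 5-tuple (either direction) within WINDOW, else None."""
    tuples = {(alert["src"], alert["sport"], alert["dst"], alert["dport"]),
              (alert["dst"], alert["dport"], alert["src"], alert["sport"])}
    for c in conns:
        key = (c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"])
        if key in tuples and c["proto"] == alert["proto"].lower() and abs(c["ts"] - alert["ts"]) <= WINDOW:
            return c
    return None


def stage_of(msg):
    upper = msg.upper()
    return next((name for name, marker in STAGES if marker in upper), "other")


def build_timelines(alert_text, conn_text):
    """Group alerts by internal host, attach the matching flow uid and size, sort by time."""
    conns = parse_conn_log(conn_text)
    timelines = {}
    for alert in parse_fast_alerts(alert_text):
        victim = alert["dst"] if alert["dst"].startswith(INTERNAL_PREFIX) else alert["src"]
        flow = match_flow(alert, conns)
        timelines.setdefault(victim, []).append({
            "ts": alert["ts"], "sid": alert["sid"], "msg": alert["msg"], "stage": stage_of(alert["msg"]),
            "uid": flow["uid"] if flow else None,
            "resp_bytes": int(flow["resp_bytes"]) if flow else None,
        })
    for events in timelines.values():
        events.sort(key=lambda e: e["ts"])
    return timelines


def infection_chain(events):
    """Ordered, de-duplicated kill-chain stages observed for one host."""
    chain = []
    for e in events:
        if e["stage"] != "other" and e["stage"] not in chain:
            chain.append(e["stage"])
    return chain


def is_confirmed_infection(events):
    """The full exploit -> download -> C&C sequence is what escalates an alert to an incident."""
    return infection_chain(events) == ["exploit", "download", "c2"]


if __name__ == "__main__":
    for host, events in build_timelines(ALERTS_FAST, CONN_LOG).items():
        print(host, "confirmed" if is_confirmed_infection(events) else "unconfirmed", infection_chain(events))
        for e in events:
            print(f"  {e['ts']:%H:%M:%S}  {e['stage']:<8} uid={e['uid']}  {e['msg']}")
```

The join deliberately keys on the 5-tuple in both directions, because Snort reports the packet that matched (server → client for the exploit and download, client → server for the check-in) while conn.log always lists the originator first; the unmatched scan alert against the second host shows the “alert with no supporting flow” case that should stay unconfirmed rather than be escalated.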

The number of official Security Onion downloads is about 160,000.  Undoubtedly, that number will continue to increase as more folks learn of the value that Doug Burks and the Security Onion team has packed into this software.  The tentative training schedule includes a 4-day class in Augusta this September.  More information on Security Onion can be found at the web site

Until next time.  @gregory_a_baker


The Real Story on Net Neutrality

The Real Story on Net Neutrality (reprinted from the Metro Spirit, 3-12-15)

It took a while, but I finally get it.

Net Neutrality was never about protecting the little guy.  We all pretty much knew that going in.  After all, the recent push for Net Neutrality originated from a play of crony capitalism by Netflix.  (“Please, Mr. Government, protect us from those evil people at Comcast!”)  Now that the FCC has voted to implement ObamaNet, how does Netflix feel about the vote?

Mr. David Wells, Netflix CFO at an investor’s conference last week: “Were we pleased it pushed to Title II?  Probably not.  We were hoping there might be a non-regulated solution.”

Really?  Well, it looks like you got the bonus plan for all of us.

Let’s face it, if you want to know why any government does stuff, just follow the money.  The United States is $18 TRILLION in debt and still climbing.  There’s no indication that the spending is going to stop.  Washington is our country’s largest non-profit organization, and it needs money.  Badly.  So what does a government do when it needs money?

Did you say “cut spending?”  Oh, you pathetic little Tea Party patriot.  When will you ever learn?

No, the correct answer is to find a vibrant sector in the American economy and take control of those companies.  The automobile industry, the phone company, big oil, big tobacco and many others – all rising industries targeted at some point.  Now it’s time to go after the Internet.

Many of you probably don’t believe it.  You will say something like, “There are millions of people already online.  If Washington does anything, there will be a revolt.”  Perhaps, but here are a few items that I think will occur with little challenge.

Currently, all phone bills contain a 5.82% fee for the federal Universal Service Fund to pay for expanding telecommunication services to outlying areas.  Legislation to add this fee to broadband has failed on multiple occasions.  With ObamaNet, this new fee on broadband is a virtual certainty.

If you have a website, you are now broadcasting information over a public medium, just like TV or radio.  Do you have a license to operate at a given domain name?  The process of obtaining a license is pretty complicated.  Here’s how it works for TV and radio.

Since most individuals will find it too complicated to operate their own domain, social networks will thrive.  (Most people are already on Facebook, so I don’t see much pushback.)  Unfortunately, a nominal membership fee will be required to cover the new administrative costs.

As usual, commercial organizations will pay the highest fees associated with the nationalization of the Internet.  The highest licensing fees will go to businesses that provide data services such as email, hosting, data interchange, or streaming video.  In addition, these businesses will be encumbered with new cyber security requirements.  As usual, small businesses will suffer the most.  The regressive costs associated with the new regulations will force the small business owners to outsource to large providers or simply not offer the service.  Either way, large companies get bigger and more powerful and consumers are left with fewer options.

Whatever perceived inequalities exist within the Internet will not be changed by the actions of the FCC.  The only change is that We, the People, by our choices as consumers, no longer have power over the Internet.  The power now belongs to three unelected officials in Washington, D.C.

Now do you get it?

Until next time.  @gregory_a_baker


Grunt Work 2.0

Grunt Work 2.0 (reprinted from the Metro Spirit 3-5-15)

My grandfather built Augusta.

Well, at least certain parts of it.  He spent his entire life working construction.  Growing up, I remember Granddaddy driving us through what are now considered old Augusta neighborhoods.  He would point out every house that his crew built.  He remembered every single one, and each house had a story that was worth telling.  Usually the story was about an obscure technical feature or a unique build process.  Every once in a while he would tell a story that ended up with some too-big-for-his-britches country boy getting fired.  (I enjoyed those much more than the discussions about hanging joists.)  At the end of one such story, he said something that stuck with me.  I don’t remember it exactly, but it goes something like,

There are two types of people in the world – those with a strong mind and a weak back, and those with a weak mind and a strong back.

Back in the day, a clear distinction existed between those that worked with their mind and those that leveraged their God-given physical strength to earn a paycheck.  Going through school, we all knew that taking a shovel and digging ditches was the fallback plan.  It seemed reasonable that the “strong mind” option should be given a fair chance.

Much has changed since I went through school as new technology continues to remove the need for human power.  The ditch witch replaced the shovel.  The nail gun replaced the hammer.  The need for scores of manual laborers continues to decrease.  However, that isn’t to say that technology has relieved the world of the need for manual labor.  To the contrary, it’s fair to say that technology has created its own set of grunt work.

I suspect that when most of us think about technology grunt work, we think of the dreaded help desk representative.  That thinking couldn’t be further from the truth.  In reality, the help desk representative is the most crucial position for any technology service company.  A company’s entire reputation is completely defined by customers’ perception of its support team.  For example, think about the different technology companies in town and their respective reputations.  I bet you a year’s worth of Internet service that your view of the company is 100% correlated with the perceived helpfulness of their service desk.

The real grunt work of the Internet is installing updates.  From a personal perspective, patching a system makes me want to scratch my eyeballs out.  Hours and hours of doing nothing but clicking “Install” and watching progress bars!  And what do you get for those hours of waiting and watching?  Under the best of circumstances, the machine reboots and does nothing more than what it did before you started.  The only change is the patch report now shows a zero in the Needed Updates column.  How’s that for a sense of accomplishment?

Now I hope that you don’t take these comments the wrong way.  Patching an operating system or firmware, especially a Windows O/S, is one of the most important things you can do to keep your system healthy.  When performed on a regular basis, the Windows Update process ensures that nothing goes sideways in the O/S, and if it has, issues can be caught early before they go catastrophic.  Also, the updates rolled out by Microsoft are very important to the security of your data.  Finally, I think that we all know by now that Microsoft systems just enjoy a good reboot every month or so.

I know that many Augusta Tek readers perform Windows Updates and other patching as part of their job duties.  (Yes, my friends, it really does get that boring.)  You deserve a shout-out for all the great work that you do.  You need to be recognized for all the late nights spent clicking “Install” while friends and family celebrate life without you.  Your job is important.  After all, you’re not just patching systems.  You’re protecting the Internet from one evil computer at a time.

Until next time.  @gregory_a_baker