Archives For botnet

assessmentOne Thing to Look For In Your Next Security Assessment…

If You Want To Convert To Projects & Managed Services

Are you assessing your client’s data security? More importantly, is your assessment turning up urgent issues.  A week or so ago I posted on finding urgent issues – The Bot is your client’s number one enemy.  Do you know what you’re looking for?

We’ve become lazy. Too many security assessments depend on scanners to find open ports and missing patches. But as I mentioned in a recent post, missing patches are not urgent. However they may be one of the reasons your client has bots on their network.  But if you can’t come up with any bot activity, it’s kind of hard to get the client to see why the patches are so important.

$1 HC Book Ad

More On How To Close Security Business!

So Exactly What Are We Looking For? How Do You Find A Bot?

In the House & Cloud book I recommend using a pro-bono assessment to build justification. If the company you’re calling on sees value in you, there may be an opportunity to actually do some business. If not, you can’t expect them to just sign up and try you.  The assessment is the perfect service to both build justification and rapport.  But you had better find something urgent if you’re going to unseat the competition.  The Bot is your answer.

This is especially true in the small and midsize businesses. They lack the sophisticated security technologies needed to detect and stop the installation of botware on their computers. So chances are, if you look, you’ll find it.  So what is a bot?  It’s software, from an unauthorized user, used to gain access to your client’s computers. It comes in through email and infected websites, or downloads.

Your job in a pro-bono assessment is simply to find evidence of bots (or something else that just as urgent.) Don’t worry about over analyzing what they are and where they came from. If they exist, it means botware can get in, and the company is not properly detecting and stopping it. You job is not to prove an eminent disaster. Bots are bad, even if they are dormant when you find them.

Bot Symptoms – Like Burglars, They Make Noise

When a bot hits a computer, that computer becomes a zombie.  The bot software is installed and begins to execute it’s function on that system – a set of instructions to do something. That “something” is often detectable! While no one can physically stop all bots, early detection and response is the key to minimizing the impact.  Some of these symptoms include:

  • PCs begin communicating with known Command and Control Servers (C&C). “In the traditional botnet, which includes a C&C server, the bots are typically infected with aTrojan horse and subsequently communicate with a central server using IRC. The botnet might be used to gather information such as credit card numbers. Depending on the purpose and structure of the botnet, the C&C server might also issue commands to start sending spam or begin a DDoS (distributed denial of service) attack,” – WhatIs.Com
  • IRC stands for Internet Relay Chat. While there may be some good uses for this type of traffic, chances are your SMB client is not purposely using this method of communication. So if IRC traffic is detected, you should assume there is something wrong.  Further investigation may be needed, but it would be out of scope – so report it as being “highly likely” symptomatic of malware.
  • There may also be DNS requests coming from these systems in an effort to spoof…or there may just be reports of slow computers that are bogged down by running these background processes.  Of course, this may just be a cluttered Windows Computer in need of repair.

How Do You Detect A Bot?

Most of the assessments I review never mention botware or zombies. They only talk about patches and ports. The scans they are using have little or no information that the client will find interesting.

While it is possible to run some detection tools on each PC,”polymorphic viruses” have pretty much defeated traditional AV technology. Your client may need some education on this before moving ahead.

The alternative is to look at the network.  As we mentioned, IRC traffic is probably not authorized traffic. So that’s the first thing I would look for. While it is possible to use a packet sniffer here, network switches make this more difficult – basically you would be looking for unencrypted keywords sent on IRC channels. IRC runs on port is 6667 by default, but the entire port range (6660-6669 and 7000) must be checked.

If you have the ability to access firewall logging, mass mailing can be detected over SMTP from a central location. This is often a sign of botware being using to send spam.  Is spam urgent? Yes! It’s illegal in and of itself. But chances are it contains something worse such as illegal pharmacy marketing or worse, child pornography.  Make sure your client understands what would happen if they were suspected of distributing either one. For one, their family would be ruined long before they could prove their innocence.

If endpoints on the network are simultaneously hitting a single external site, that can also be a sign.  This would be true if the C&C had instructed these bots to launch a distributed denial of service attach (DDOS).

Note: Don’t bother checking server and email logs for this type of activity. Bots don’t go through the normal channels of communication and will not show up in your client’s log files.

This May Sound Technical But It’s Not

In most cases you have someone technical working with you, if you yourself are not that technical. If you’re in sales and you don’t really understand the urgencies listed on the deliverable, neither will your client.

There are a few terms here that border on bits and bites, but with a few Google searches you should be able to nail down these terms and be able to communicate them in simple language to your client.

There’s a enormous amount of business waiting on the other side if this blog post. Learn these few concepts, locate the urgent issues in your next assessment, and be able to share the results (business impact) with your prospect. The rest is easy.

…quod erat demonstrandum

Copyright 2015, David Stelzl

 

 

 

Advertisements

zeusHave You Heard of Gameover Zeus?

If you’ve encountered Cryptolocker – it’s just one of many attacks that have come out of the Gameover Zeus Gang.  But the story is just now unfolding. The Gameover Zeus Gang refers to itself as The BusinessClub.  Their botnet has been one of the most destructive forces in cybercrime over the past few years – focusing on espionage, bank account sifting, and ransomware. Small and large businesses have been impacted – this is important! Rather than rewriting all the details, there are two ways to get more insight on this:

The FOX IT Report on Gameover Zeus

Read two reports – Krebs on Security does a nice job of summarizing.  The Fox IT report contains more details, and looks to be the primary source for Krebs.

The Fox IT Report  << Click Here to Access it

Brian Krebs Summary Report  << Click Here and Consider Subscribing

Interview: Get The Inside Scoop on Gameover Zeus

On August 11th, I’ll be interviewing former NSA Agent Summer Worden – who has been collaborating with investigators on this major crime break over the past several months. Summer Worden is the founder and chief executive director of Filly Intelligence LLC, an advisory firm focused on applying an intelligence-based approach to secure enterprise vulnerabilities using military cyber and intelligence best practices.  Ms. Worden is a 13-year veteran of the U.S. military and Intelligence Community (IC).  During this time she served as an operational intelligence officer in a variety of leadership roles; her positions held within the IC were served at both the field level and at the heartbeat of our nation’s highest authority for strategic national intelligence. Her strong competencies within sensitive intelligence operations were recognized when she was selected to lead one of the five operational teams of the National Security Agency (NSA). These five teams serve as a direct asset of the Director of the NSA, and their mission delivers 24-7 national support for critical events and clandestine operations across the globe.

You don’t want to miss this….

To join us on August 11th, simply join the SVLC Insider’s Circle today – there’s no obligation to stay long term, however this is one of the best ways to stay on top of security trends, as well as sales and marketing strategies needed to serve the security market.  CLICK HERE to read more  << Discover the SVLC Insider’s Circle.

© 2015, David Stelzl

“It turned out that the botnet runners had infected computers by instant-messaging malicious links to contacts on infected computers. They also got viruses onto removable thumb drives and through peer-to-peer networks. The program used to create the botnet was known as Mariposa, from the Spanish word for “butterfly.” – From Today’s USA Today….

A few notes on this

  • These were business guys, not geeks, running a for-profit business.  Mistakes made by senior management allowed authorities to track down the people in charge.  According to the article, this is rarely the case – generally the people at the top don’t get caught.
  • The goal is profit, the tool is the botnet – this botnet has been around for years, stealing millions of credit card numbers along with other sensitive data.  Over 13Million computers are involved, and I assume the owners of these systems have no idea who they are.  Likely, some of them are our clients.
  • Instant messaging, P2P networking, and thumb drives – this is typical.  Instant messaging means people were receiving links and clicking on them to infect their computers, P2P is on more computers  than you might imagine – used by many to exchange free music among other things.  Look for people using home computers for work purposes, or taking work computers home and allowing their kids to use them.  This is a sure sign that data is at risk.
  • Thumb drives – this is the oldest trick in the book…yet hackers still win with it.

Assessments are still the number one way to create immediate justification for project work and managed services.  The question is, are you finding urgent issues?  Make sure your team is trained the find the things that lead to justification – this is not always the focus for high end security consultants.  I find companies continue to lead with policy projects, architectural issues, and highly technical rhetoric which generally lands the sales person back with (unqualified) IT people that want to fix it themselves.

One final note – this is not just about finding security project work…whatever you sell can start with risk issues.  Whether you sell storage, servers, UC, applications…it doesn’t really matter. The issue sales people are facing right now is budget constraints, and this type of risk opens the door to assess risk, upgrade core systems, modify architecture, and implement managed services over every aspect of the IT architecture – if data is present, data is at risk.  THIS is the topic of my March Teleseminar…

We

Traveling in Sydney, Canberra, and Melbourne this week, I’ve had opportunity to work with many local integrators, IBM, Cisco, HP, and local telcos on their security strategy.  It’s a global issue, and for those on the selling side, a global opportunity.  One workshop attendee passed on this attached article offering some insights and new sound bites on how powerful some of these botnets really are:

http://www.itnews.com.au/News/102493,researchers-hijack-torpig-botnet.aspx

Here are some highlights:

“In that time (10 days of observation), researchers estimate that they (the botnet under observation) collected some 70GB worth of uploaded information from roughly 180,000 infected machines. The harvested information included bank details and system information”.

“The researchers also found that Torpig (this botnet we’re talking about in this article) collects far more than just bank and credit card details. Data uploaded to the command server included user login credentials and email account data, suggesting that the botnet could also be used for spamming runs”.