As threats change from blatant public displays to stealthy cybercriminal operations, the ability of traditional signature-based defenses to keep your organization safe is diminishing. Further, the attacks are becoming more focused and less public. McAfee Labs’ recent threats report confirms this. Botnets and malware continue to trend upwards, challenging organizations’ defenses. Not only is the volume of malware increasing, but with an increase of almost nine million new threats this past quarter – the biggest growth ever – it is accelerating.
In this post, we will autopsy a well-known bot to explain, in general terms, why traditional defenses are largely ineffective against this type of threat. Even though newer and more dangerous malware such as Flame, Stuxnet, and Duqu now exists, examining a bot from the past is more than sufficient to point out these weaknesses. At its peak, Kraken was the largest known botnet in the world, infecting about half a million machines. Kraken was known to push out nine billion spam messages per day. With many variants, a signature – if one was even available – would only be useful until the next permutation came out. Clearly, a different approach is needed.
Let’s start by examining what Kraken actually does to assume control of machines and eventually send spam. It is known to have several phases of activity, some sequential, some in parallel, and always at random (sometimes extremely long) intervals.
- After slipping into the system, Kraken stealthily confirms it has Internet access
- Performs a connectivity test, typically to mx.google.com
- Tests download capabilities, usually by fetching the front page of three popular news websites (e.g., nytimes.com, cbsnews.com, news.com, cnn.com, reuters.com, msn.com, google.com)
- Once access is confirmed, downloads the actual malware
- Looks for peers, often with DNS queries for a randomly generated URI based on dynamic DNS domains
- Connects to peer bots (frequently on UDP port 447, TCP port 80, or TCP port 443) and downloads any updates
- Downloads a payload, normally a spam template or another spam payload
- Sends spam
Looking at this whole process, it is clear that traditional signature-based defenses will have problems, and so will the rudimentary behavior-based defenses that are gaining popularity today.
The first set of activities, confirming Internet access, could be legitimate web traffic from almost any live host. Traditional signature-based defenses would not – and probably should not – see any problems here. Behavior analysis could certainly detect this activity, but because it is almost always legitimate (behavior analysis alone cannot tell the two apart), consistently blocking it would cause more trouble as a false positive than it would prevent by stopping a Kraken infection.
The second set of activities, where the actual payload is brought into the infected host, is also challenging. The payload is usually dynamic, depending on the havoc the botnet will eventually wreak (different spam campaigns will have different payloads). Signatures are reactive at best and are not likely to have a match. Further, the payload is likely to be encrypted or otherwise buried deep in legitimate-looking files (e.g., compressed fragments layered into PDFs). Either way, signature-based defenses are ineffective. Behavior approaches also have challenges here – can you imagine the mass of alerts that would be generated each time any host initiated a TCP flow on port 80 or 443 (especially when they are properly formed HTTP and HTTPS transactions)?
It is clear that signature-based defenses are inadequate for bots, even one that has been around for a while. However, rudimentary behavior-based defenses also fall short here. In fact, even combining both techniques into a single solution, Kraken is still likely to have its way with your hosts.
What is really needed is a system that can track the suspicious behavior of hosts over a long period of time. In this way, small clues of suspicious behavior are analyzed in the context of one another, making it possible to identify stealthy or even zero-day attacks. Fortunately, this technology exists, and McAfee has included it as part of its IPS solution. Stay tuned for the next blog to learn more about this technology.
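As an added example (not McAfee's code and not taken from any analysis of Kraken itself), the following Python sketches the kind of long-window correlation the post argues for: each stage from the list above is mapped to a small weight, no single stage is enough to raise an alert, and a host is flagged only when several distinct stages accumulate within a multi-day window. The log line format, the stage weights, the window sizes, the dynamic DNS suffixes, the SMTP burst rule and the host addresses are all constructed assumptions for illustration.

```python
"""Long-window behavioural correlation over per-host events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)            # assumed: correlate stages across a week
BURST_WINDOW = timedelta(minutes=10)  # assumed: SMTP burst measured over 10 min
SMTP_BURST_COUNT = 5                  # assumed: 5 outbound SMTP flows = a burst
ALERT_THRESHOLD = 10                  # assumed: no single stage reaches this

# Assumed weights: the benign-looking checks score low, the later stages higher.
STAGE_WEIGHTS = {
    "connectivity_test": 1,   # connection to mx.google.com
    "news_fetch": 1,          # HTTP GET of a news front page
    "dyndns_query": 3,        # DNS query under a dynamic DNS domain
    "peer_connect": 4,        # UDP/447 flow (the post's peer-bot port)
    "smtp_burst": 5,          # many outbound SMTP flows in a short time
}
NEWS_SITES = {"nytimes.com", "cbsnews.com", "news.com", "cnn.com",
              "reuters.com", "msn.com", "google.com"}
DYNDNS_SUFFIXES = (".dyndns.org", ".no-ip.com")  # assumed sample suffixes


def classify(line):
    """Map one constructed log line to (timestamp, host, stage), or None.

    Line format (assumed): '<ISO time> <host> <DNS|HTTP|FLOW> <detail>'
    where FLOW detail is 'proto:destination:port'.
    """
    ts_s, host, kind, rest = line.split(" ", 3)
    ts = datetime.fromisoformat(ts_s)
    if kind == "DNS" and rest.endswith(DYNDNS_SUFFIXES):
        return ts, host, "dyndns_query"
    if kind == "HTTP" and rest.split("/", 1)[0] in NEWS_SITES:
        return ts, host, "news_fetch"
    if kind == "FLOW":
        proto, dst, port = rest.split(":")
        if dst == "mx.google.com":
            return ts, host, "connectivity_test"
        if proto == "udp" and port == "447":
            return ts, host, "peer_connect"
        if proto == "tcp" and port == "25":
            return ts, host, "smtp"      # raw SMTP flow; burst decided later
    return None


class Correlator:
    """Keeps a sliding window of stages per host; events must arrive in time order."""

    def __init__(self):
        self.events = defaultdict(deque)  # host -> deque of (ts, stage)
        self.smtp = defaultdict(deque)    # host -> deque of recent SMTP timestamps

    def observe(self, ts, host, stage):
        if stage == "smtp":
            q = self.smtp[host]
            q.append(ts)
            while q and ts - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) < SMTP_BURST_COUNT:
                return                    # a single mail send is not a clue
            stage = "smtp_burst"
        ev = self.events[host]
        ev.append((ts, stage))
        while ev and ts - ev[0][0] > WINDOW:
            ev.popleft()                  # forget clues older than the window

    def score(self, host):
        """Sum the weights of the distinct stages seen inside the window."""
        stages = {s for _, s in self.events[host]}
        return sum(STAGE_WEIGHTS[s] for s in stages), stages


def analyse(lines):
    """Return {host: (score, stages)} for every host with at least one clue."""
    c = Correlator()
    for line in sorted(lines):            # ISO timestamps sort lexically
        hit = classify(line)
        if hit:
            c.observe(*hit)
    return {h: c.score(h) for h in c.events}


def alerts(lines):
    """Hosts whose accumulated score crosses the threshold."""
    return sorted(h for h, (s, _) in analyse(lines).items() if s >= ALERT_THRESHOLD)


# Constructed sample log: one staged sequence spread over five days, one
# ordinary workstation, and one mail relay that only ever sends mail.
SAMPLE_LOG = [
    "2012-06-01T09:00:00 10.0.0.5 FLOW tcp:mx.google.com:25",
    "2012-06-02T14:30:00 10.0.0.5 HTTP nytimes.com/",
    "2012-06-03T03:15:00 10.0.0.5 DNS q7x2k9p.dyndns.org",
    "2012-06-04T22:05:00 10.0.0.5 FLOW udp:198.51.100.7:447",
    "2012-06-01T09:05:00 10.0.0.9 FLOW tcp:mx.google.com:25",
    "2012-06-01T09:06:00 10.0.0.9 HTTP cnn.com/",
    "2012-06-02T10:00:00 10.0.0.9 DNS home-nas.no-ip.com",
    "2012-06-02T10:01:00 10.0.0.9 FLOW tcp:203.0.113.10:25",
] + [f"2012-06-05T11:0{i}:00 10.0.0.5 FLOW tcp:203.0.113.10:25" for i in range(5)] \
  + [f"2012-06-01T08:0{i}:00 10.0.0.2 FLOW tcp:203.0.113.10:25" for i in range(5)]

if __name__ == "__main__":
    for host, (score, stages) in sorted(analyse(SAMPLE_LOG).items()):
        print(host, score, sorted(stages))
    print("alerts:", alerts(SAMPLE_LOG))
```

Run stand-alone, only 10.0.0.5 is reported: the workstation performs the same connectivity test, news fetch and dynamic DNS lookup and stays well below the threshold, and the mail relay's SMTP burst alone is likewise not enough. The point the post makes is visible in the numbers: each clue is cheap on its own, and only their accumulation across days separates the infected host from its neighbours.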