The fight against botnets is undoubtedly a concern for governments around the world, and it has spread to other environments such as businesses and, to a lesser extent because of a lack of awareness, to citizens. It is also a setting in which an individual "fight" struggles to achieve results, since the field of play is very wide and involves many players, from the ordinary user to ISPs and law enforcement agencies. Starting from this premise, and with the aim of achieving European-wide cooperation between players from different environments, both public and private, a pilot was carried out over the past two and a half years in which 28 partners from 14 countries participated. These partners included INCIBE, which had a dual role: developing and providing tools, and coordinating the work package in charge of the experiments.
The pilot, called ACDC (Advanced Cyber Defence Centre), brought together security tools with different scopes and developed a European-level data-sharing platform in which each stakeholder contributes information about the incidents it has detected. That information is then forwarded to those in charge of handling it, such as the CERTs of each country, NSCs, ISPs or other stakeholders. This makes it possible to issue notifications, run awareness actions aimed at citizens, improve detection systems, analyse samples suspected of being malware and carry out investigations. The whole community benefits, since each partner enriches and adds value to the resources analysed according to its own expertise.
Illustration 1 - High-level architecture of the ACDC project
Apart from the technical effort, considerable work had to be done to study the viability of the model at the legal level. This analysis was complex because the scenario is very heterogeneous: each country has its own legislation. In the end, however, it was possible to establish arrangements and mechanisms that allowed data to be exchanged in accordance with the regulations.
From the technical point of view, the wide range of detection and analysis tools contributed by the different partners gave visibility into a large number of incidents and produced findings such as the fact that relatively old threats continue to be active and to spread across the internet. A specific case is Conficker (a 2008 worm whose propagation was addressed in October of the same year by the Microsoft security update MS08-067), together with its various mutations, which was detected repeatedly throughout the project.
Illustration 2 - Malware samples - Conficker and its variants
The pilot focused on detecting five types of botnet-related attacks and threats, through five experiments: spam, fast flux domains, malicious or vulnerable websites, DDoS attacks and incidents on mobile devices. As mentioned above, collaboration between partners makes it possible to enrich the elements detected. An example shows this easily: an attack originating from a bot in Spain attempts to drop a malware sample on a Slovenian host. The attempt is detected and both the bot and the malware sample are sent to ACDC. The sample is analysed by a German partner, which confirms that it really is malware. The information then reaches the Spanish CERT, which notifies the host that carried out the attack. Without this international collaboration mechanism the Spanish bot could have gone undetected and continued its malicious activity for longer.
To detect the five types of threats, various techniques were used, and their results could occasionally fall into more than one category: a spam message, for example, may contain a URL that is, in turn, a malicious website.
Spam
Honeytokens and spamtraps were among the most useful tools for obtaining the malicious elements carried in spam messages. Once the spam had been collected, it was processed to extract the campaigns and the spambots in charge of sending them. Campaigns were detected with algorithms that calculate the similarity between spam messages, and the spambots associated with a campaign were identified by grouping the IPs and ASNs that send the same message. A further method used to detect spambots consists of locating patterns in reverse DNS lookups.
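The campaign and spambot extraction described above, as an added example that is not the project's own code: messages are normalised (URLs and digits replaced by placeholders), compared by Jaccard similarity of word bigrams, greedily clustered into campaigns, and each campaign is mapped to the IPs sending it grouped by ASN. The reverse DNS check at the end is our own illustrative heuristic (PTR names that embed the address octets or a dynamic-pool keyword); the similarity threshold, the message corpus and the ASN values are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed spamtrap capture: (sender IP, sender ASN, message body). Not real data.
SPAM = [
    ("198.51.100.10", "AS64500", "Buy cheap pills now! Visit http://example.invalid/a1 for 50% off"),
    ("198.51.100.77", "AS64500", "Buy cheap pills now! Visit http://example.invalid/b7 for 70% off"),
    ("203.0.113.5",   "AS64501", "Buy cheap pills now!! Visit http://example.invalid/c9 for 60% off"),
    ("192.0.2.200",   "AS64502", "Your account has been suspended, confirm your password at http://example.invalid/login"),
    ("192.0.2.201",   "AS64502", "Your account was suspended; confirm your password at http://example.invalid/login2"),
    ("203.0.113.9",   "AS64501", "Congratulations, you won a lottery prize, claim at http://example.invalid/win"),
]

def normalize(text):
    """Lower-case the body and replace URLs and numbers with placeholders, so that the
    per-message variations a spammer inserts do not hide the shared template."""
    text = text.lower()
    text = re.sub(r"https?://\S+", "URL", text)
    text = re.sub(r"\d+", "N", text)
    return re.findall(r"[a-zA-Z]+", text)

def shingles(tokens, k=2):
    """Word k-grams of the normalised body (the unit of comparison)."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def cluster_campaigns(messages, threshold=0.5):
    """Greedy single-pass clustering: a message joins the first campaign whose
    representative shingle set is at least `threshold` similar, else starts a new one.
    Returns a list of campaigns, each a list of message indices."""
    campaigns = []
    for idx, (_ip, _asn, body) in enumerate(messages):
        sh = shingles(normalize(body))
        for c in campaigns:
            if jaccard(sh, c["shingles"]) >= threshold:
                c["members"].append(idx)
                break
        else:
            campaigns.append({"shingles": sh, "members": [idx]})
    return [c["members"] for c in campaigns]

def spambots_by_campaign(messages, threshold=0.5, min_size=2):
    """For every campaign with at least `min_size` messages, the sending IPs grouped by ASN.
    A campaign seen from many IPs of the same ASN points at infected hosts in that network."""
    result = []
    for members in cluster_campaigns(messages, threshold):
        if len(members) < min_size:
            continue
        by_asn = defaultdict(set)
        for idx in members:
            ip, asn, _ = messages[idx]
            by_asn[asn].add(ip)
        result.append({asn: sorted(ips) for asn, ips in sorted(by_asn.items())})
    return result

# Illustrative keywords often found in PTR names of dynamically assigned (residential) ranges.
DYNAMIC_HINTS = ("dyn", "dhcp", "pool", "dsl", "cable", "ppp")

def rdns_looks_dynamic(ip, ptr_name):
    """Heuristic (assumption, not the project's rule): a PTR name that embeds the
    address octets or carries a dynamic-pool keyword suggests an end-user host, which
    has no business sending bulk mail directly."""
    name = ptr_name.lower()
    parts = re.split(r"[.-]", name)
    octets_in_name = all(octet in parts for octet in ip.split("."))
    keyword = any(hint in name for hint in DYNAMIC_HINTS)
    return octets_in_name or keyword

if __name__ == "__main__":
    for campaign in spambots_by_campaign(SPAM):
        print(campaign)
    print(rdns_looks_dynamic("198.51.100.10", "host-198-51-100-10.dyn.example.invalid"))
```

The first three messages differ only in URL path and discount figure, so after normalisation they are identical and form one campaign sent from two ASNs; the two "account suspended" messages share enough bigrams to cluster at the 0.5 threshold; the lottery message stays alone and is dropped by `min_size`.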
Malicious or vulnerable websites
To detect malicious or vulnerable websites, two different approaches were used. On the one hand, honeypots and honeynets, which made it possible to discover potential bots attempting to attack websites and to capture malware for subsequent analysis. On the other hand, tools aimed at analysing a specific URL; these, in turn, are capable of obtaining the malware that, where present, the analysed URL tries to deliver. In this way it was possible to identify websites using drive-by download or phishing techniques, or attempting to exploit vulnerabilities in the visitor's browser. The main type of attack found was the use of suspicious HTTP requests: this technique consists of sending an HTTP HEAD request in order to obtain the meta-information carried in the response headers, which reveals details about the server or web application.
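Detection logic for the HEAD-based reconnaissance described above, run over constructed web-server access-log lines; this is an added example, not code from the project. It parses Apache "combined"-style lines, flags sources whose traffic is dominated by HEAD requests across several distinct paths, and includes a check of a response header map for the fields (`Server`, `X-Powered-By` and similar) that such a probe harvests, so an operator can see what a HEAD request against their own server gives away. Thresholds, IPs and paths are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed access-log excerpt (not real traffic): one source probing with HEAD,
# one ordinary visitor that happens to issue a single HEAD.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2015:13:55:36 +0000] "HEAD / HTTP/1.1" 200 - "-" "probe/1.0"
198.51.100.23 - - [10/Oct/2015:13:55:37 +0000] "HEAD /admin/ HTTP/1.1" 404 - "-" "probe/1.0"
198.51.100.23 - - [10/Oct/2015:13:55:37 +0000] "HEAD /backup/ HTTP/1.1" 404 - "-" "probe/1.0"
198.51.100.23 - - [10/Oct/2015:13:55:38 +0000] "HEAD /login HTTP/1.1" 404 - "-" "probe/1.0"
203.0.113.8 - - [10/Oct/2015:13:56:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2015:13:56:02 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2015:13:56:05 +0000] "HEAD /report.pdf HTTP/1.1" 200 - "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def head_scanners(log_text, min_requests=3, min_head_share=0.75, min_paths=3):
    """Sources whose requests are mostly HEAD and spread over several paths: that is
    fingerprinting behaviour, not browsing. Returns {ip: stats} for flagged sources."""
    per_ip = defaultdict(lambda: {"total": 0, "head": 0, "paths": set(), "not_found": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["total"] += 1
        if rec["method"] == "HEAD":
            s["head"] += 1
            s["paths"].add(rec["path"])
            if rec["status"] == 404:
                s["not_found"] += 1  # guessing paths is another sign of scanning
    flagged = {}
    for ip, s in per_ip.items():
        share = s["head"] / s["total"]
        if s["total"] >= min_requests and share >= min_head_share and len(s["paths"]) >= min_paths:
            flagged[ip] = {
                "head_requests": s["head"],
                "distinct_paths": len(s["paths"]),
                "head_share": round(share, 2),
                "not_found": s["not_found"],
            }
    return flagged

# Response headers that disclose server or application details to a HEAD probe.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

def leaked_fingerprint_headers(response_headers):
    """Given a response header mapping (as returned by any HTTP client), return the
    headers an operator should remove or reduce to a value without product and version."""
    return {name: value for name, value in response_headers.items()
            if name.lower() in FINGERPRINT_HEADERS}

if __name__ == "__main__":
    print(head_scanners(SAMPLE_LOG))
    print(leaked_fingerprint_headers({"Server": "Apache/2.2.22 (Debian)", "Content-Type": "text/html"}))
```

The visitor at 203.0.113.8 is not flagged because its single HEAD is a small share of its traffic, while the probing source is flagged on all three criteria; in practice the thresholds are tuned against the site's normal traffic, since monitoring systems also use HEAD legitimately.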
Illustration 3 - Main types of attacks against websites
Analysis of the main potentially vulnerable websites shows that relatively old vulnerabilities are still present. This, together with the earlier observation that Conficker continues to be active, indicates that many computers are still not being updated.
Illustration 4 - Top 10 CVEs
Fast flux domains
To detect domains that use Fast Flux, and the computers (presumably bots) to which these domains resolve, techniques based on the TTL, on the domain name and on the DNS response obtained were employed, searching for patterns or other clues that indicate the use of Fast Flux. A study of the different techniques was also carried out, and it can be concluded that, owing to its simplicity, good performance and detection ratio, TTL-based analysis is the most recommended technique. It should be noted, however, that it is advisable to implement all of the techniques, since they complement one another and together yield a higher number of detections.
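The three complementary checks named above (TTL, DNS response, domain name), combined into one classifier as an added example that is not the project's code. Each domain is scored on whether its answers carry a low TTL, whether the returned addresses are spread across many ASNs or churn between queries, and whether the label looks machine-generated (long and high-entropy); two indicators out of three mark the domain as suspected Fast Flux, and the addresses it resolved to become the list of hosts to notify. The observations, thresholds and the name heuristic are all constructed assumptions; note that the CDN-like sample has a low TTL but is not flagged, which is why the TTL check alone is not enough.

```python
import math
from collections import Counter
from statistics import median

# Constructed DNS observations (fictional domains, documentation addresses, private ASNs):
# each query result lists the A records returned as (ip, asn) pairs and the answer TTL.
OBSERVATIONS = {
    "cdn-like.example": [
        {"ttl": 60, "a": [("198.51.100.1", 64500), ("198.51.100.2", 64500),
                          ("203.0.113.1", 64501), ("203.0.113.2", 64501)]},
    ] * 3,
    "x7k2q9p4mzl0.example": [
        {"ttl": 120, "a": [("192.0.2.11", 64511), ("192.0.2.12", 64512), ("192.0.2.13", 64513),
                           ("192.0.2.14", 64514), ("192.0.2.15", 64515)]},
        {"ttl": 120, "a": [("192.0.2.16", 64516), ("192.0.2.17", 64517), ("192.0.2.13", 64513),
                           ("192.0.2.18", 64518), ("192.0.2.19", 64511)]},
        {"ttl": 90,  "a": [("192.0.2.20", 64519), ("192.0.2.21", 64512), ("192.0.2.22", 64520),
                           ("192.0.2.23", 64514), ("192.0.2.24", 64521)]},
    ],
    "static.example": [{"ttl": 86400, "a": [("198.51.100.50", 64500)]}] * 3,
}

def label_entropy(label):
    """Shannon entropy (bits per character) of a domain label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def churn(responses):
    """Mean fraction of addresses in each answer that were absent from the previous answer.
    A flux network rotates its address set; a CDN returns a stable set."""
    rates = []
    for prev, cur in zip(responses, responses[1:]):
        prev_ips = {ip for ip, _ in prev["a"]}
        cur_ips = {ip for ip, _ in cur["a"]}
        rates.append(len(cur_ips - prev_ips) / len(cur_ips))
    return sum(rates) / len(rates) if rates else 0.0

def fast_flux_indicators(domain, responses, ttl_max=300, min_asns=3, churn_min=0.5):
    """The three indicator families from the text, evaluated on a domain's observations."""
    ttls = [r["ttl"] for r in responses]
    asns = {asn for r in responses for _, asn in r["a"]}
    ips = {ip for r in responses for ip, _ in r["a"]}
    label = domain.split(".")[0]
    return {
        "ttl_low": median(ttls) <= ttl_max,                          # TTL-based
        "response_spread": len(asns) >= min_asns or churn(responses) >= churn_min,  # response-based
        "name_suspicious": len(label) >= 10 and label_entropy(label) >= 3.5,         # name-based
        "distinct_ips": len(ips),
        "distinct_asns": len(asns),
    }

def is_fast_flux(domain, responses, min_indicators=2):
    """(verdict, indicators): flagged when at least `min_indicators` of the three fire."""
    ind = fast_flux_indicators(domain, responses)
    score = sum(ind[k] for k in ("ttl_low", "response_spread", "name_suspicious"))
    return score >= min_indicators, ind

def suspected_bots(responses):
    """Every address a suspected flux domain resolved to: the hosts whose CERT/ISP gets notified."""
    return sorted({ip for r in responses for ip, _ in r["a"]})

if __name__ == "__main__":
    for domain, responses in OBSERVATIONS.items():
        verdict, ind = is_fast_flux(domain, responses)
        print(domain, "FAST FLUX" if verdict else "ok", ind)
```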
DDoS attacks
In this experiment, various techniques were used to detect different distributed denial-of-service attacks, such as DNS amplification, SYN flood or TCP flood attacks, and the use of DDoS blackholing stands out, since it contributed to the analysis of many DDoS attacks. These analyses allowed the CERTs involved to be notified about attacking IPs belonging to their constituency. The process could not be automatic in every case, however, because the CERTs must first verify that the IP has not been spoofed. From this verification, the main clues that indicated a spoofed IP were: the use of UDP, the IP having been seen in the attack only once, and the IP and timestamp not corresponding to any client.
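The spoofing triage the CERTs performed before notifying, as an added example (not the project's own code): each attacking-IP observation is checked against the three clues in the text (UDP, seen only once, no client assigned to that address at that time), and an observation with no clue is notified automatically while any clue routes it to manual verification. The lease table standing in for "a client" and the observations are constructed assumptions.

```python
from datetime import datetime

# Constructed address-assignment records of a fictional ISP: (ip, customer_id, start, end).
# In practice this is the ISP's DHCP/RADIUS or static-assignment history.
LEASES = [
    ("198.51.100.10", "cust-0001", datetime(2015, 10, 10, 0, 0), datetime(2015, 10, 11, 0, 0)),
    ("198.51.100.20", "cust-0002", datetime(2015, 10, 10, 12, 0), datetime(2015, 10, 10, 18, 0)),
]

# Constructed attacking-IP observations as a DDoS analysis would report them:
# transport protocol, time of the sighting and how many times the IP was seen in the attack.
OBSERVED = [
    {"ip": "198.51.100.10", "proto": "TCP", "ts": datetime(2015, 10, 10, 13, 5), "sightings": 1200},
    {"ip": "198.51.100.20", "proto": "TCP", "ts": datetime(2015, 10, 10, 20, 0), "sightings": 300},
    {"ip": "198.51.100.30", "proto": "UDP", "ts": datetime(2015, 10, 10, 13, 7), "sightings": 50},
    {"ip": "198.51.100.10", "proto": "TCP", "ts": datetime(2015, 10, 10, 13, 9), "sightings": 1},
]

def client_for(ip, ts, leases=LEASES):
    """The customer holding `ip` at time `ts`, or None if nobody had it then."""
    for lease_ip, customer, start, end in leases:
        if lease_ip == ip and start <= ts < end:
            return customer
    return None

def spoof_clues(obs, leases=LEASES):
    """The clues from the text that suggest the source address may be spoofed."""
    clues = []
    if obs["proto"].upper() == "UDP":
        clues.append("udp")                 # connectionless: trivially spoofable
    if obs["sightings"] <= 1:
        clues.append("seen_once")           # a real bot keeps sending; a forged address shows up once
    if client_for(obs["ip"], obs["ts"], leases) is None:
        clues.append("no_client_at_time")   # address/timestamp match no customer record
    return clues

def triage(observations, leases=LEASES):
    """Decide per observation whether the CERT notifies automatically or verifies by hand."""
    out = []
    for obs in observations:
        clues = spoof_clues(obs, leases)
        out.append({
            "ip": obs["ip"],
            "customer": client_for(obs["ip"], obs["ts"], leases),
            "clues": clues,
            "action": "notify" if not clues else "verify_manually",
        })
    return out

if __name__ == "__main__":
    for row in triage(OBSERVED):
        print(row)
```

The second observation falls outside the customer's lease window (it ended at 18:00), the third is UDP from an address nobody held, and the fourth was seen once; only the first is clean enough to notify without a human check.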
Moreover, it was possible to distinguish DDoS attacks carried out from mobile network ranges belonging to certain ASNs. Of all the attacks carried out from IPs of these ASNs, around 10% came from mobile network ranges. This result could indicate a new trend in which these devices are being used to carry out DDoS attacks.
Incidents on mobile devices
Within the scope of the project, two tools for mobile devices were developed:
- Device Monitor: play.google.com/store/apps/details?id=eu.acdc.xlab.devicemonitor&hl=en (link currently unavailable)
Thanks to these tools, it was possible to assess the security posture of mobile devices at a European level by checking certain configuration parameters on the devices and by classifying the connections they made. The conclusion is that only a small percentage of the devices appears to belong to a botnet.
Illustration 5 - Classification of the connections made from mobile devices
As the graph shows, most connections were either normal or classified as going to phishing or malicious websites, which is explained by mobile devices normally being used to read e-mail. Connections to malicious sites could originate from malicious APKs, or from the user having followed a link in a malicious e-mail. For now, then, the incidence of botnets and other threats affecting mobile devices appears to be low. Nevertheless, that number is increasing and is expected to keep doing so, since attackers are turning their attention to compromising these devices in order to abuse banking services and NFC payments, in short to monetise their "investment", as several studies show, for example: https://securelist.com/analysis/quarterly-malware-reports/69872/it-threat-evolution-in-q1-2015/
To conclude, projects of this type, despite their complexity, demonstrate both the need for mechanisms to detect, analyse, study and act at a European level and the viability of such a system. It is important to have a common point between the different players that simplifies and, as far as possible, automates the notification mechanisms between them, and that allows the management of incidents whose origin is in one country but whose target is in another.
ACDC has been a success in that it has shown both the technical and the legal viability of the system and has allowed the complete cycle to take place: detecting botnet attacks against networks and notifying those involved. There is still a long road ahead, but initiatives such as this one are providing the steps needed to travel it. Nor is this an isolated effort, since similar initiatives exist with a greater or lesser scope than ACDC. Among others, the financial sector already has security incident-sharing systems in production, such as the Soltra initiative, and at governmental level in Japan a similar pilot is under way to bring together different players (users, ISPs, public and private companies) in the fight against malware: https://www.ict-isac.jp/active/en/
More information about ACDC:
To obtain the deliverables generated in the project visit: http://acdc-project.eu/documents/
To obtain some of the tools developed visit: http://acdc-project.eu/software/