Botnets: The Advanced Malware Threat in Kenya's Cyberspace
AfricaHackon 28th February 2014
Who we Are!
Paula Musuva-Kigen
Research Associate Director, Centre for Informatics Research and Innovation (CIRI)
Lecturer in Cyber-security and Digital Forensics, USIU
MSc, CCSP, CISA
Christian Kisutsa
Information Security Consultant – Serianu Limited
Computer Forensics & Cyber Crime Graduate (USIU)
Introduction: What is a bot(net)
Bot – a type of malicious software
Places the infected machine (zombie) under the control of an attacker (bot herder or bot master)
The zombie connects to a Command and Control (C&C) server
Initially Internet Relay Chat (IRC) was used to connect to the C&C
These days HTTP is used to connect to the C&C because it is NOT blocked on firewalls
Botnet – a network of machines infected with a particular bot
Common Command and Control (C&C) server
Infected machines are often designed to spread the infection automatically
Introduction: Worldwide Statistics
Top Banking Botnets of 2013 – Released Feb 2014
Dell Secure Works Counter Threat Unit (CTU)
Over 900 financial institutions around the globe are being targeted
Banks and Corporate Finance providers
Also providers of corporate payroll services, stock trading, social networking, email services, mail delivery services, employment portals, entertainment and dating portals
Top Botnets in Kenya - 2013 [exclusive statistics]
What do Botnets Do?
Theft of Information (keyloggers):
Login credentials leading to Identity Theft
Financial data, especially Credit Card data
IP/Trade secrets on an espionage basis, and Identity theft
Financial fraud:
E-banking and Mobile banking
Consumer Accounts – Online shopping (Jambopay/Jumia/Pesapal)
Business Accounts – Online Banking (Corporate/Retail)
Spam/Phishing:
Infected machines relay spam
Click Fraud:
Automated clicks of Web advertising links for revenue
DDoS:
Zombies can be co-ordinated to launch massive attacks
Pay per Install:
Malware distribution. Bot masters get paid for every 1,000 infected machines
Tactics for Botnet malware delivery
Cracked software or freeware
Clicking links to infected sites, e.g. a link in email/social media
Drive-by downloads: visiting a site with malicious scripts; automatic download through the browser without the user's interaction/knowledge
Malicious PDFs
Malicious images/photos, e.g. on social media
Creating FUD (Fully Undetectable) files by use of cryptors that evade anti-virus detection
Executables on flash disks
Background of Zeus, Citadel and Spyeye
Zeus – creator called Slavik, aka Monstr. Released 2007. Zeus code publicly leaked in May 2011 (many variants thereafter)
SpyEye – creator called Gribodemon, aka Harderman. Released 2009. Initially a competitor to Zeus (it removed Zeus from machines it infected)
Author Aleksander Panin arrested in Jan 2014
Citadel and Ice IX – considered by-products of Zeus. Released in 2011
Citadel's creator called Aquabox. Improved ZeuS's code by making its control panel more user-friendly. Very good customer support network for buyers in the underground
Ice IX creator called nvidiag
Gameover – P2P Zeus variant released in 2011. Highest infection
ZitMo – Zeus in The Mobile, since 2010. Intercepts SMS and two-factor (2F) authentication
KINS – latest Zeus variant, since 2013
Timeline of Zeus and its variants
ZEUS AND CITADEL
Building the botnet
Builder – Bot preparation and compilation
Configuration file – Contains settings for the Bot
Web injects – Man-in-the-Browser customizations. These show extra fields in the log-in screens
Control Panel – Bot Master's screen where they control all the Bots under their control
Remote Scripts – The Bot Master's tools to send
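Analysts who recover a bot's decrypted configuration use the web-inject section to learn which login pages are targeted and which extra fields the Man-in-the-Browser code adds. The parser below is an added example, not code from the slides or from any bot kit; it reads the set_url / data_before / data_inject / data_after block layout as publicly documented for ZeuS-family webinjects.txt files, and the sample config, the bank.example and shop.example URLs and the field names are constructed for illustration.

```python
import re

# Constructed sample in the ZeuS webinjects.txt style; not taken from any real sample.
SAMPLE_WEBINJECTS = """\
set_url https://bank.example/login* GP
data_before
name="password"*</td>
data_end
data_inject
<tr><td>ATM PIN:</td><td><input type="text" name="atm_pin"></td></tr>
data_end
data_after
data_end

set_url https://shop.example/checkout* GP
data_before
name="cvv"*</div>
data_end
data_inject
<input type="text" name="mothers_maiden">
<input type="text" name="id_number">
data_end
data_after
data_end
"""

INPUT_NAME = re.compile(r'<input[^>]*\bname="([^"]+)"', re.IGNORECASE)


def parse_webinjects(text):
    """Turn set_url blocks into dicts with url, flags and the three data sections."""
    entries, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": [], "inject": [], "after": []}
            entries.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section = line[len("data_"):]   # -> "before" / "inject" / "after"
        elif line == "data_end":
            section = None
        elif section is not None and current is not None:
            current[section].append(raw)
    return entries


def injected_fields(entries):
    """Map each targeted URL pattern to the extra form fields the inject adds."""
    return {e["url"]: INPUT_NAME.findall("\n".join(e["inject"])) for e in entries}
```

The URL patterns feed a bank's list of pages to monitor, and the injected field names are what a fraud team can look for in submitted form data that the genuine page never asks for.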
ONLINE BANKING, PAYMENT & SHOPPING
Online Services
Measures Taken to Secure Online Banking in East Africa
Virtual Keyboards: randomized keys, hover mode
Encryption: SSL over HTTP (HTTPS), client-side encryption
2-page authentication (2PG)
Measures Taken to Secure Online Payment and Shopping
Encryption
Statistics: Online Banking - Kenya
Banks using 2PG: 4/33 banks
Banks with client-side encryption: 2/33 banks
Banks with NO client-side encryption: 31/33 banks
Online Banking - East Africa
Banks using 2PG: 6/46 banks
Banks using virtual keyboards: 9/46 banks
Banks with client-side encryption: 6/46 banks
Banks with NO client-side encryption: 40/46 banks
Online Payment and Shopping
Top online payment sites in Kenya with NO client-side encryption: 4/4 sites
Top online shopping sites in Kenya with NO client-side encryption: 6/6 sites
Mobile Malware
ZitMo for Mobile banking
Version of Zeus that infects Mobile Phones
Mobile banking is the new “thing” in Kenya, hence users are exposed to this mobile Trojan and other mobile malware.
M-pesa users at risk as Android malware is on the rise.
Only a matter of time before a custom malware is made
Botnet Evolution
Domain Generation Algorithms (DGA)
Tor Botnets - Anonymized
WHAT DO WE NEED TO DO?
Prevention
Patch systems: bots exploit known vulnerabilities for infection, especially in browsers and the Windows OS
Anti-malware tools: antivirus makers have signatures for the well-known bot types
Use browser protection
Use the latest anti-malware updates and signatures
User Information Security Education, Training and Awareness Program (SETA)
Use reports like those by Serianu and Tespok Cyberusalama to
How do I know I’m Infected
Process Monitoring: e.g. use of CrowdInspect and Sysinternals TCPView
Registry Entries with sdra64.exe
CrowdInspect – highly recommended for Microsoft users
Multiple sources of information, including VirusTotal, Web of Trust (WOT), and Team Cymru's Malware Hash Registry
Host-based process inspection for Forensic analysis
Remediation: Network Side
Detecting C&C traffic
Examine network traffic for certain known patterns
Use logging information from IDS/IPS and Firewalls
E.g. BotHunter and BotSniffer
Honeypots/Honeybots: www.honeynet.org Dionaea, Spam traps, Open Proxies, URL analysis
Correlate using SIEM tools
Sinkholing
Hijacking Botnet traffic, redirecting it to analysis servers
Done by CERTs and Security Researchers in collaboration with ISPs and Domain Registrars
E.g. by Microsoft (Mar 2012), Polish CERT, Team Cymru
Zeus Tracker and SpyEye Tracker (abuse.ch)
Provide domain- and IP-blocklists of known ZeuS Command & Control servers (hosts) around the world
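To show what "examine network traffic for known patterns" and "use a C&C blocklist" look like in practice, here is an added example (not from the slides or from any tracker) that runs three checks over firewall/proxy log lines: a hit against a blocklist of the Zeus Tracker kind, a DGA-style heuristic on the domain label (long, high-entropy, vowel-poor, as in the Botnet Evolution slide), and beaconing (a host contacted at near-constant intervals). The log lines, the placeholder blocklist entry, the client addresses and the thresholds are all constructed assumptions for the demonstration.

```python
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed proxy-log sample, "<timestamp> <client> <host>"; not real traffic.
SAMPLE_LOG = """\
2014-02-20T09:00:00 10.1.1.7 www.example.com
2014-02-20T09:00:05 10.1.1.7 qzkxwpvrtnbmld.info
2014-02-20T09:05:05 10.1.1.7 qzkxwpvrtnbmld.info
2014-02-20T09:10:05 10.1.1.7 qzkxwpvrtnbmld.info
2014-02-20T09:15:05 10.1.1.7 qzkxwpvrtnbmld.info
2014-02-20T09:02:10 10.1.1.9 news.example.org
2014-02-20T09:20:01 10.1.1.12 cc-placeholder.example
"""
# Stand-in for a ZeuS Tracker style C&C domain list (constructed placeholder entry).
BLOCKLIST = {"cc-placeholder.example"}

def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def looks_dga(host, entropy_threshold=3.5, max_vowel_ratio=0.25):
    """Heuristic only: DGA labels tend to be long, high-entropy and vowel-poor."""
    label = host.split(".")[-2] if "." in host else host
    if len(label) < 8:
        return False
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > entropy_threshold and vowels < max_vowel_ratio

def find_cc_candidates(log_text, blocklist=BLOCKLIST, min_hits=4, max_jitter=0.1):
    """Return sorted (client, host, reason) for blocklisted, DGA-like or beaconing hosts."""
    findings, seen = set(), defaultdict(list)
    for line in log_text.splitlines():
        ts, client, host = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts))
        if host in blocklist:
            findings.add((client, host, "blocklist"))
        if looks_dga(host):
            findings.add((client, host, "dga-like"))
    for (client, host), stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Near-constant check-in intervals are the signature of a bot polling its C&C.
        if statistics.pstdev(gaps) <= max_jitter * statistics.mean(gaps):
            findings.add((client, host, "beaconing"))
    return sorted(findings)
```

The entropy and vowel thresholds are tuning knobs, not fixed facts: validate them against your own benign traffic before alerting on them, since CDN and tracking hostnames can also look random.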
pmusuva@usiu.ac.ke
christian.kisutsa@serianu.com