Gunter Ollmann, vice president of research at Damballa, Inc., explains what researchers have learned from the Aurora attacks in January against Google Inc. and nearly two dozen other companies. Thousands of botnet operators now launch targeted botnet campaigns with the help of automated tools, Ollmann said. He explains why it is difficult for law enforcement to track down and prosecute cybercriminals, whether Microsoft's legal action to shut down the command and control network of the Waledac botnet will have any effect, and describes what future attacks may look like using "modern malware." Ollmann was interviewed at RSA Conference 2010 in San Francisco.
Read the full transcript from this video below:
Botnets, malware and capturing cybercriminals
Robert Westervelt: Gunter, thanks very much for joining us.
Gunter Ollmann: Yes, thank you very much.
Robert Westervelt: I thought we'd just start off with some of the research into
Operation Aurora that you guys have conducted. It's a fairly
unsophisticated botnet, isn't it?
Gunter Ollmann: That's correct. We're looking very closely at the network
activities and the way that the botnet operators constructed their botnets.
Their command and control and actually how they launch their attacks.
Based on the analysis there, we found that, frankly, it's in fact yet
another botnet operator, and much more amateurish than average.
Robert Westervelt: If it's not sophisticated, what's really happening? Is it the
automated tools maybe, that are becoming more mature and more sophisticated?
Gunter Ollmann: I think there's a few different things that will be going on
there. I think we've seen a change in the way botnets are built, and who
the bad guys actually are. Today we see literally thousands of botnet
operators. The way that they function is really to run botnet campaigns.
They typically run multiple botnets at the same time and they are
cycling different content and different tools. Generally, to get started in
the botnet industry, today, you don't need to be particularly technically
proficient. You just need to know how to get hold of the particular tools and be willing to use them and point them at targets.
Robert Westervelt: So as a researcher yourself, take us through a little bit of what
you're looking at when you take a look at some of the code. I mean, how can
you use the code to pick up clues and trace it back to
possibly the source?
Gunter Ollmann: Sure. Some of the interesting things there: obviously, we track
thousands and thousands of different botnets all the time. Generally,
almost none of them have a unique name. We know roughly who the operators
are and which botnets they're running at any particular time. There are so
many of them, though. What we're looking at is, once Operation Aurora was
announced and command and controls had been extracted from some of the
malware samples, we were able to look inside our systems at where we've
seen those command and controls used before. We found multiple botnets, I
think we found four different botnets at that point, that were used as
command and controls. We're able to link those together and be able to
track back further into their history. We're able then to see when the
criminal operators first set up their DNS, registered their domains, got it
all set up. Set up the management. We saw the first time that the operators
actually used and tested their domain names, for the command and control.
We also see blips during that timeline. All the way from July 2009 through
to even today, these botnets are operating. We see the blips of where they
were testing this software.
Where they did their first campaigns and launched model book campaigns.
Where they were successful, where they weren't successful. We also saw a
lot of links between all the different command and controls that were being
recycled and reused for different campaigns. Using different delivery
techniques and different victims that they were targeting. From that we're
also able to see all the different malware and malware families that they
were using during the attacks. While there's an awful lot being played
about the Trojan hijack, and many people have commented on how run-of-the-
mill and unsophisticated it is, we're able to look at all the other malware
that the same criminal operations team have been using. We saw that was
pretty much their tactics. The malware they were using was very
unsophisticated and we're able to do a complete chain of all the different
families based on the command and control, all the way back to even
earlier. We were able to identify that there were multiple malware
developers who developed the malware. It wasn't just a single developer
that developed all of them.
Robert Westervelt: You did some research into modern malware. In a previous conversation
with you that I had, you talked a little bit about the seriousness of the
malware that we don't even know about right now. First, what's your
definition of modern malware? What does that mean? That it's malware that's
basically designed to change into a new variant?
Gunter Ollmann: Modern malware is the stuff that's being used by professional
criminals. The feature set is pretty much standard between both the amateur
and the professional. They all have the ability to take a remote control.
The ability to navigate networks to keylog, to all these sorts of
features. What really changes between the professional practice and the
amateur operator, is the way that they have hardened their malware. You see
things such as armoring the malware to make sure that if a sample is
obtained that it cannot be automatically used for deconstructing who the
command and control chains are for ensuring that security researchers can't
perform static analysis or dynamic analysis on the malware and identify
all the other hidden features. But we also see, with particularly
enterprises and enterprise malware that's being developed by these
professional operators, they're using the features such as being proxy
aware. For general Internet type of malware, you don't need to be proxy
aware. With an enterprise, though, most enterprises protect their
enterprises by using primitive proxies and forcing all Internet traffic
So malware that's targeting an enterprise has to be proxy aware. We also
saw things such as protecting the malware from detection at the host. The
lack of root kit technologies. The lack of other installer components. The
lack of disrupting host-based protection systems. That’s typical of learner
malware and really unsophisticated malware. When we looked at the multiple
families that were being used and being developed, that was a consistent
theme, there. When you compare to the advanced malware that's being used.
Many of the advanced malware is actually available in kit form. You can
literally purchase these kits for a few hundred, normally a few thousand
dollars and create new variants of the malware yourself. That's the
intermediate level. To go below that then, is going to be rank amateur.
Robert Westervelt: At a keynote session with some government officials on the issue of
privacy, there was talk about using deep packet inspection on private
networks and that this would help alleviate all the malware and that
regulators could force ISPs to do this. Do you think we'll ever come to
that point where ISPs would be forced to do some sort of deep packet
inspection? Are there really privacy issues there?
Gunter Ollmann: I think they're probably not going to be forced, because they're
going to do it anyway before they're forced. Traditionally there's been
great push back on deep packet inspection, because the ramifications on the
existing telecommunication laws and corporate laws, which, in
layman's terms, has traditionally meant that if you have the ability
to inspect and stop one particular threat, therefore you have the ability
to stop all threats. That’s not something that any ISP, in their right mind,
would want to step up to this. I think there's been great advancements in
the last year. Even just looking at things like botnets or botnet
protection. Being able to identify victim IP addresses within ISPs that
are part of the botnets. That gives a fair bit of visibility of which
particular machines are being compromised and part of the botnets, but it's
only some of the high level. They need to go deeper and do deep packet
inspection to be able to see and identify more of these types of victims.
Traditionally there's been a lot of push back about the invasion of
privacy. But I think things are changing for the end consumer as well. They
know, and becoming more aware, that traditional anti-virus has a value, but
it's depreciating considerably. They're really looking for, "I need more
protection. Don't tell me to install my patches and keep up all my patches
and everything like that. How can you, Mr. ISP, protect me? I'm buying a service from you." And so the ISPs, themselves, are re-evaluating
this. While there are specific laws about un-consented deep packet
inspection, the customers are coming to them, saying, "I'm willing to pay
for this. I'm willing to sign whatever you need for you to protect me."
That's going to allow them to do the deep packet inspection, and actually
provide that level of protection for their organizations, as well. That's
why I think we're really solidly moving down that path. Forced regulation
isn't going to be needed because the ISPs are already moving that way.
Robert Westervelt: Koobface, Zeus, and Tidserv I think it is called?
Gunter Ollmann: Tidserv.
Robert Westervelt: Tidserv. They are the top three botnet malware families. Do they all have
similar capabilities and features?
Gunter Ollmann: Yes. They all have almost identical features. The feature set, the
command languages have pretty much become standardized now. That's because
there are third party plugins for all these types of technologies. It's a
cottage industry of suppliers and features and tool sets that can sort of
get around all this. The feature sets remain the same. There's a little bit
of sophistication that increases over time, but it's almost a like-for-like
matching. The development of this type of malware and the use of this type
of malware is financially driven. There’s a lot of competition, a lot of
features that get added, but a lot of copying and mimicking of those
features. It's not surprising that they all have pretty much the same
feature sets and that they tend to specialize in slightly different types
of attacks based on the plugins and surrounding management frameworks.
Robert Westervelt: One last question. You mentioned Microsoft taking legal action to
take down the command and control servers, command and control servers,
domain servers, right? Domain name servers.
Gunter Ollmann: Domain names.
Robert Westervelt: Of the Waledac botnet. Is that something that is going to have a big
effect? Do you think it's really shut down Waledac?
Gunter Ollmann: No, and as we've seen for the last three to five years, simply
shutting down the command and control domains doesn't really affect
the bad guys at all. Most of the larger botnets and more sophisticated
professional operators manage tens of thousands of domains that they use
for command and control. So taking a few hundred or a few thousand down
doesn't really affect them. Microsoft knows this. Microsoft has a lot of
smart security people. They know that taking down individual domains
doesn't really do anything. They have other motivations, they must have
other motivations. Going down that legal route of closing down those
domains has more to do with education about the type of threat. But also
it sets the framework for legal prosecution at a criminal and a private
level of taking and going after the actual operators themselves. I think
that's more important than actually dealing with the individual domains.
It's focusing in on the bad guys that are actually responsible for this and
managing these things. If you take them out of the equation, then you've
shut down the botnets.