Monday, December 22, 2014

Protect-the-business-from-Botnet-Attacks


IT Security Review and Recommendation to protect your Business from BotNets.


Copyright © 2014 by Shariyaz Abdeen

Contents


1.0 Overview

2.0 Root cause Analysis

3.0 Threat Tests and subsequent Remedies
3.1 Secure NATting
3.2 Run reputable anti-spam/spyware tools on the network and analyse the reports
3.3 Run TCPView test and detect botnets in LAN
3.4 Restricted email server open relay
3.5 Run HELO check test
3.6 Centralized Detection
3.6.1 Firewall logging - check the port 25 connections occurring from the internal network
3.7 Sniff port 6666 to detect command and control bots that use IRC to get instructions
3.8 Block IRC
3.10 Monitor quarantined IP addresses

4.0 Evidence
4.1 System and reputation status after the sanitizing

5.0 Recommendations


1.0 Overview

Based on the tests we ran on the MNC IT infrastructure to identify security threats, the findings and the security recommendations are broadly categorized as follows.



2.0 Root cause Analysis 

Based on the firewall logs and the Senderbase.org and CBL abuse logs, we conducted a root cause analysis in order to establish the attack history for MNC. From those logs we were able to confirm that MNC's public IP address xxx.xxx.xxx.xxx is listed in the CBL. It appears to be infected with a spam-sending trojan, proxy or other form of botnet.
What this means in layman's terms is that some malicious person or group is using MNC's IP to launch intermediary attacks on others (whilst attacking MNC as well). This activity is detected by regulatory bodies such as Senderbase.org and CBL, who in turn have taken steps to block MNC's IP, or in other words blacklisted it, preventing it from communicating with the outside world.
It was last detected at 2014-09-18 06:00 GMT (+/- 30 minutes), approximately 12 days ago.
This IP is infected (or is NATting for a computer that is infected) with the asprox spambot. In other words, it is participating in a botnet.
If we simply remove the listing without ensuring that the infection is removed (or the NAT secured), it will probably be relisted.

3.0 Threat Tests and subsequent Remedies

3.1 Secure NATting

We configured secure NATting for the mail server, application server, domain server and the MNC internal network as a precaution against botnet attacks.

3.2 Run reputable anti-spam/spyware tools on the network and analyse the reports

Since average anti-virus software such as ESET has limitations in detecting advanced and sophisticated malicious programs such as botnets (e.g. MNC was attacked with Zeus) and trojans, it is recommended to deploy a more potent anti-virus/anti-spyware program such as Symantec NPE to analyze and sanitize the network.

 

3.3 Run TCPView test and detect botnets in LAN

We conducted a TCPView analysis on the email server and followed the steps below in order to track down a botnet that might be running inside Microsoft Outlook.
Run the TCPView tool after closing the user's email client and check whether there is any connection for SMTP (port 25). If there is, another program running on the user's PC, i.e. a bot, is sending emails.
Then run it again while the email client is open, because some bots run within Outlook.
The processes mentioned below were run on the following hosts. The hosts which showed abnormal network activity were quarantined, and Symantec NPE was run in order to perform a rootkit scan and a file reputation scan and to remove the malicious files. These files could not be detected by our existing virus guard (ESET), or the ones that ESET did detect could not be cleaned by ESET. Therefore we used the Symantec NPE tool to clean the malware in the selected segment.
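The TCPView check described above can be scripted so that it is repeatable across every workstation in the segment. The following is an added example, not part of the original report or of the TCPView tool: it parses the text that `netstat -ano` prints on Windows (TCPView shows the same connection table), joins each connection to its owning process, and reports every TCP connection to remote port 25 that is not the mail client talking to the company mail server. The netstat rows, the process list, the mail client image name and the mail server address 192.168.1.10 are all constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output from a Windows workstation
# (192.168.1.127 is the host the report named; the connections are made up).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.127:49311    192.168.1.10:25        ESTABLISHED     2140
  TCP    192.168.1.127:49420    203.0.113.45:25        SYN_SENT        3388
  TCP    192.168.1.127:49421    198.51.100.7:25        ESTABLISHED     3388
  TCP    192.168.1.127:49500    93.184.216.34:443      ESTABLISHED     2140
  UDP    192.168.1.127:137      *:*                                    4
"""

# Constructed PID -> image name mapping, as `tasklist` would report it.
SAMPLE_PROCESSES = {2140: "OUTLOOK.EXE", 3388: "svchost.exe", 4: "System"}

@dataclass
class SmtpConnection:
    pid: int
    image: str
    local: str
    remote: str
    state: str

# One netstat row: proto, local, foreign, optional state (UDP rows have none), PID.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) for each connection row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows

def split_host_port(addr):
    """'host:port' -> (host, port or None); '*:*' has no numeric port."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def find_smtp_talkers(netstat_text, processes, mail_client_closed=False,
                      mail_client_image="OUTLOOK.EXE", mail_server="192.168.1.10"):
    """Return TCP connections to remote port 25 that should not exist.

    Step 1 of the procedure (mail_client_closed=True): the client is shut, so
    every port-25 connection belongs to some other program and is reported.
    Step 2 (mail_client_closed=False): only the mail client talking to the
    company mail server is legitimate; anything else is reported.
    """
    findings = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        remote_host, remote_port = split_host_port(remote)
        if proto != "TCP" or remote_port != 25:
            continue
        image = processes.get(pid, "<unknown>")
        legitimate = (not mail_client_closed
                      and image.upper() == mail_client_image.upper()
                      and remote_host == mail_server)
        if not legitimate:
            findings.append(SmtpConnection(pid, image, local, remote, state))
    return findings

if __name__ == "__main__":
    # Step 2 view: client open, so only the Outlook -> mail server row is tolerated.
    for c in find_smtp_talkers(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"PID {c.pid} ({c.image}) {c.local} -> {c.remote} [{c.state}]")
```

On the constructed sample the two `svchost.exe` connections to external hosts on port 25 are reported, which is exactly the pattern of a spambot: a system process name that has no business delivering mail directly to the Internet. Running the same check with `mail_client_closed=True` reports all three port-25 rows, matching the first step of the procedure.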

3.4 Restricted email server open relay

Through the firewall, port 25 (SMTP) traffic was restricted so that it can only be requested from the mail server by authorized internal hosts. This was done to mitigate the mail server being used as an open relay.


3.5 Run HELO check test

The mail server is configured to detect blacklisted domains that originate mail and to block them based on the HELO command sent by the attacker.


3.6 Centralized Detection


3.6.1 Firewall logging - check the port 25 connections occurring from the internal network

3.7 Sniff port 6666 to detect command and control bots that use IRC to get instructions
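Sections 3.6.1 and 3.7 are both the same kind of check: read the firewall log and look for internal hosts making connections that the egress policy says they should not make (port 25 from anything other than the mail server, port 6666 from anyone). The following is an added example written for this report, not the firewall's own reporting: it parses a constructed, simplified log format (date, time, action, protocol, source, destination, source port, destination port), applies a small policy table, and lists the offending hosts as candidates for the quarantine list of section 3.10. The log lines, the log format and the mail server address 192.168.1.10 are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not the report's own log). Assumed format:
# date time ACTION PROTO SRC DST SPORT DPORT
SAMPLE_FW_LOG = """\
2014-09-18 05:41:02 ALLOW TCP 192.168.1.10 203.0.113.45 51022 25
2014-09-18 05:41:09 ALLOW TCP 192.168.1.127 198.51.100.7 49421 25
2014-09-18 05:41:11 ALLOW TCP 192.168.1.127 198.51.100.8 49422 25
2014-09-18 05:41:30 ALLOW TCP 192.168.1.119 192.0.2.66 50100 6666
2014-09-18 05:42:00 ALLOW TCP 192.168.1.55 93.184.216.34 50200 443
2014-09-18 05:42:05 DROP TCP 192.168.1.127 198.51.100.9 49423 25
"""

LOG_RE = re.compile(r"^(\S+ \S+) (ALLOW|DROP) (TCP|UDP) (\S+) (\S+) (\d+) (\d+)$")

# Egress policy: destination port -> set of internal hosts allowed to reach it.
# Only the mail server (assumed to be 192.168.1.10) may speak SMTP outward
# (section 3.6.1); nobody may reach IRC on port 6666 (section 3.7).
POLICY = {25: {"192.168.1.10"}, 6666: set()}

def parse_fw_log(text):
    """Return (ts, action, proto, src, dst, sport, dport) per parseable line."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, action, proto, src, dst, sport, dport = m.groups()
            rows.append((ts, action, proto, src, dst, int(sport), int(dport)))
    return rows

def find_policy_violations(text, policy=POLICY, internal_prefix="192.168."):
    """Group ALLOWed outbound connections that break the policy by (src, dport)."""
    hits = defaultdict(list)
    for ts, action, proto, src, dst, sport, dport in parse_fw_log(text):
        if action != "ALLOW" or not src.startswith(internal_prefix):
            continue  # dropped traffic was already blocked; only internal sources matter
        if dport in policy and src not in policy[dport]:
            hits[(src, dport)].append((ts, dst))
    return dict(hits)

def quarantine_candidates(text, policy=POLICY):
    """Hosts to isolate and scan: every internal source with at least one violation."""
    return sorted({src for (src, _port) in find_policy_violations(text, policy)})

if __name__ == "__main__":
    for (src, dport), events in find_policy_violations(SAMPLE_FW_LOG).items():
        print(f"{src} -> port {dport}: {len(events)} connection(s), first {events[0]}")
    print("quarantine:", quarantine_candidates(SAMPLE_FW_LOG))
```

With the sample data the workstation 192.168.1.127 shows two allowed SMTP connections straight to the Internet and 192.168.1.119 one IRC connection, so both hosts are listed for quarantine; the mail server's own port-25 traffic and ordinary HTTPS traffic produce no alert. Note that the dropped connection is deliberately ignored: once the rule from section 3.8 is in place, drops tell you a bot is still trying, but the ALLOW lines are what reveal a gap in the policy.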

3.8 Block IRC.

The instant messaging protocols (for example MSN, AOL/AIM, Yahoo and Jabber-based protocols) are generally not a problem in this way.

3.10 Monitor quarantined IP addresses

4.0 Evidence

Firewall Log

Zeus Bot found for IP: 192.168.1.127
Zeus, ZeuS, or Zbot is Trojan horse computer malware that runs on computers running under versions of the Microsoft Windows operating system. While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. [1] Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, [2] it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.[3]

SpyEye Trojan found in firewall Log for IP: 192.168.1.119

Spam attack on mail server
Taiwan, China and Japan in particular were the originating countries of the attacks that targeted mail.MNC.llk by continuously sending spam mails. The MNC mail servers were strong enough to identify the spam mails, but doing so was a resource-consuming process given the scale of the attack.



4.1 System and reputation status after the sanitizing


5.0 Recommendations


1.    Internal -> System -> Loophole

·         Configure the firewall to only allow your DNS cache to send/receive DNS packets (UDP port 53) to/from the Internet.

This has a number of benefits, including disabling some bots and completely disrupting DNS hijacking attacks, which are becoming a major hazard on the Internet (phishing, man-in-the-middle bank account attacks etc.). This is fairly easy to do if you allocate most IPs via DHCP, but you will have to remember to check the DNS server settings on your static IP computers.


2.    Internal -> System -> Limitations

We recommend creating the following in order to track down bots.
·         MX query source
Log the mail server's MX query sources in order to track down bots.

·         Log to track large numbers of DNS NXDOMAINs
Some bots (e.g. Conficker) use DNS to periodically find their command-and-control (C&C) servers. As a consequence such bots do DNS A record queries in bursts, and often get a lot of "no such name" (NXDOMAIN) responses. Lots of NXDOMAIN responses is not normal behavior, particularly for end-user computers.
We recommend configuring this on the DNS server of the internal Windows Active Directory.
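The NXDOMAIN signal above is easiest to act on when it is measured as a rate per client rather than eyeballed. The following added example (written for this page, not taken from Windows DNS logging or from the report) reads a constructed, simplified query log (date, time, client, query type, name, response code), keeps a sliding time window of NXDOMAIN responses per client, and reports clients whose count in any window reaches a threshold. The log lines, the format, the 60-second window and the threshold of 5 are all assumptions; a real deployment would tune the threshold against a baseline of the site's normal traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed DNS query log (not real data). Assumed format:
# date time CLIENT QTYPE NAME RCODE
SAMPLE_DNS_LOG = """\
2014-09-18 05:50:01 192.168.1.127 A qhzkpx.info NXDOMAIN
2014-09-18 05:50:01 192.168.1.127 A wtrmzq.org NXDOMAIN
2014-09-18 05:50:02 192.168.1.127 A bvlqwe.net NXDOMAIN
2014-09-18 05:50:02 192.168.1.55 A www.example.com NOERROR
2014-09-18 05:50:03 192.168.1.127 A pxzaqo.biz NXDOMAIN
2014-09-18 05:50:03 192.168.1.127 A lkmzyr.info NXDOMAIN
2014-09-18 05:50:04 192.168.1.55 A typo-example.com NXDOMAIN
2014-09-18 05:55:10 192.168.1.127 A zzqwer.org NXDOMAIN
"""

def parse_dns_log(text):
    """Return (timestamp, client, qtype, name, rcode) for each well-formed line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        rows.append((ts, parts[2], parts[3], parts[4], parts[5]))
    return rows

def nxdomain_bursts(text, window_seconds=60, threshold=5):
    """Return {client: peak NXDOMAIN count seen in any window} for clients that
    reached the threshold at least once. One user mistyping a name yields a
    count of one or two; a bot probing generated C&C names yields a burst."""
    recent = defaultdict(deque)   # client -> timestamps of recent NXDOMAINs
    peaks = {}
    for ts, client, qtype, name, rcode in sorted(parse_dns_log(text)):
        if rcode != "NXDOMAIN":
            continue
        q = recent[client]
        q.append(ts)
        # slide the window: discard answers older than window_seconds
        while ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks

def suspect_clients(text, window_seconds=60, threshold=5):
    """Sorted list of clients worth quarantining and scanning."""
    return sorted(nxdomain_bursts(text, window_seconds, threshold))

if __name__ == "__main__":
    for client, peak in nxdomain_bursts(SAMPLE_DNS_LOG).items():
        print(f"{client}: {peak} NXDOMAIN responses within 60 s")
```

On the sample, 192.168.1.127 produces five NXDOMAIN answers for random-looking names within three seconds and is reported, while 192.168.1.55, which mistyped one name, is not. The single late query at 05:55 falls outside the window and does not inflate the count, which is the property that keeps the check quiet on normal workstations.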


3.    Internal -> System -> New Systems
·         Windows Active Directory
·         Firewall upgrade (optional)
·         Security as a service (mandatory)
·         Endpoint security

4.    Internal -> Users

Formulate a comprehensive IT policy which governs the user activities which may put MNC IT infrastructure at risk.

Administrators have to create user awareness programs and educate the users on the IT policy do's and don'ts.

AV update and scan should be executed on the following

5.    Internal -> Policies

We have to create the following IT policies:

·         Remove USB accessibility for the users
·         Block the unnecessary ports
·         Create a password policy
·         Create an AV policy
·         Maintain proper documentation for the patch panel and internal network
·         Create proper documentation for internal applications and the firewall open ports
·         If a new application needs to be used, it should go through the IT team, and the service and its open ports should be properly documented before deploying to the production environment

The open-ports documentation should record, for each entry:

Port | Traffic | Application | Inspected Date | Administrator

6.    Internal -> Malicious

We identified that the Zeus bot uses port 64660 combined with a service, and blocked it through the firewall. But the botnet now seems to be intelligently using random ports combined with different services. Therefore our current security system does not have the capability to mitigate this level of sophisticated attack, and it is recommended to look into cloud security as a service, which is capable of preventing these.


7.    External -> Malicious
The firewall should consist of a hardware UTM.


8.    External -> Connect BP
We recommend proper segregation between the MNC and partner networks.

