Mariposa Botnet

My presentation from CSI 2010

Transcript

  • 1. www.pandasecurity.com Lessons Learned from Mariposa: Avoiding Disaster, Protecting from Cybercrime. Sean-Paul Correll, Threat Researcher, Panda Security, USA
  • 2. May 2009
  • 3. October 2009
  • 4. Mariposa Working Group: Defence Intelligence, Panda Security, Georgia Tech Information Security Center, Neustar, researchers who wish to remain anonymous. In collaboration with: FBI, Spanish Civil Guard
  • 5. Some of the DNS domain names observed as C&C servers: lalundelau.sinip.es, bf2back.sinip.es, thejacksonfive.mobi, butterfly.BigMoney.biz, bfisback.sinip.es, qwertasdfg.sinip.es
  • 6. Early estimates: ?????????? Command & Control: Spain, USA, Panama; 100,000 – 200,000 victims
  • 7. ?????????? Command & Control: Spain, USA, Panama; 100,000 – 200,000 victims; sinkhole
  • 8. Timeline. December 21st 2009: Spanish LE visit to CDMON (Spanish ISP). December 23rd 2009: all C&C domains pointed to sinkhole: Cdmon, ChangeIP, Directi, GetmyIP, DynDNS. December 24th 2009: new binary (2/24 @ VirusTotal) dropped.
  • 9. Staying undetected… The botnet operators used Swedish VPN providers in order to avoid physical detection. The sinkhole caused the main botnet operator to panic and connect to the infrastructure using his home DSL connection.
  • 10. Panic at the disco! C&C sinkhole panic allowed us to trace the botnet operator's Internet connection back to Spain. Spanish LE visits ISP to retrieve DSL customer information. Time to make some arrests!
  • 11. MWG: Let's move on the arrest! Spain LE: Not so fast! Law enforcement roadblocks: owning a botnet is not illegal in Spain; Spanish law protects criminals; forensic skills are not up to par
  • 12. Timeline. January 22nd 2010: bot master bribed CDMON tech support to recover booster.estr.es for €500. January 25th 2010: bot master launches DDoS against Defence Intelligence, sustained 900MB/s traffic. February 3rd 2010: bot master arrested at home by Spanish Civil Guard
  • 13. What did we uncover after the arrest?
  • 14. What did we uncover after the arrest? Stolen credentials: personal information from over 1,000,000 victims; credit cards, Social Security numbers, bank accounts, intranet credentials; data from universities, banks, and half of Fortune 1000 companies
  • 16. Anti-detection/debugging tools…
  • 17. Anti-detection/debugging tools
  • 18. Licensing control system: Butterfly Bot version, licensing control, UID
  • 19. Builder packed with Themida
  • 20. Timeline after initial arrest. February 10th 2010: Butterfly.bigmoney.biz recovered by Mariposa; moved C&C servers to Israeli & Chinese domain registrars. February 24th 2010: Ostiator & JonnyLoleante arrested. March 3rd 2010: Mariposa final takedown
  • 21. Infections in 189 different countries
  • 22. Top 10 infected countries
  • 23. Infection statistics: 31,901 infected towns and cities
  • 24. Infection statistics: over half of Fortune 1000's infected; over 40 banks infected
  • 25. Why was Mariposa so successful?
  • 26. Strong AV signature evasion + Botnet infrastructure + =
  • 27. Peer to Peer (P2P)
  • 28. P2P – Strengths and Weaknesses. Low chance of infecting corporate networks (perimeter blocking). High chance of infecting home networks (piracy). APAC region had a high concentration of infections; high risk due to rampant piracy. 65% of software is pirated in India according to Business Software Alliance study: http://bit.ly/bLlN06
  • 29. USB Distribution
  • 30. USB – Strengths and Weaknesses. High chance of infection in corporate networks: USB enabled by default in most organizations; working from home introduces threats into the workplace. High chance of infection in home networks: we use USB devices every day; knowledge of USB threat vector low
  • 31. MSN Messenger
  • 32. MSN Messenger
  • 33. MSN Messenger – Strengths and Weaknesses. Moderate chance of infection in corporate networks: sometimes used for interoffice communication; 31% of businesses use instant messaging according to Nielsen. High chance of infection in home networks: 40% of home users use instant messaging according to Nielsen; MSN usage ranks high in most affected countries; unique social engineering capability
  • 34. Exploit Kits
  • 35. Exploit kits – Strengths and Weaknesses. Moderate chance of infection in corporate networks: operating system updates are most likely enforced via policy; non-system software updates are most likely not enforced via policy; antivirus software installed by default. High chance of infection in home networks: operating system updates not always installed; non-system software updates are almost never installed (unless forced); antivirus software may not be installed
  • 36. Mariposa Botnet Control Software
  • 37. Command and Control Software
  • 44. Who are these guys?
  • 45. Members arrested: Netkairo, 31, Spain; Ostiator, 25, Spain; jonnyloleante, 30, Spain. DDP Team: Dias De Pesadilla Team – Nightmare Days Team
  • 46. What were their roles?
  • 48. Butterfly Bot Packages
  • 49. Butterfly Module Prices
  • 50. How much money were they earning? 10,000€ / month (around 3,000 each): ads, pay per click, renting portions of the botnet, post data grabber (stealing credentials)
  • 54. Monday, March 22nd
  • 57. Commenting on the blog
  • 61. Iuis_corrons following Luis_Corrons
  • 62. D'oh!
  • 63. What are we dealing with here?
  • 64. The Slovenian Connection
  • 67. Collateral Damage? Dejan Janzekovic
  • 68. Lessons Learned. Just shutting down botnet C&Cs does not stop the bad guys. Arresting the bad guys doesn't stop them either. Signature-based antivirus detection isn't good enough: signatures can take weeks to develop. Cyber legislation needs significant improvements to adapt to the current threat landscape. Communication with law enforcement is often one-way and difficult, but results are better than simple shutdowns.
  • 69. Thank you! Sean-Paul Correll, Threat Researcher, Panda Security, USA. Twitter: http://twitter.com/lithium E-mail: lithium@us.pandasecurity.com
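As an added example (not from the presentation or Panda Security), a defender-side use of the C&C hostnames listed on slide 5: a small Python matcher that scans DNS query logs for lookups of those names or their subdomains, so infected hosts inside a network can be found from local logs rather than waiting for sinkhole data. The BIND-style query-log format is assumed and the sample lines are constructed; as slides 8 and 20 show (a new binary within a day, new domains after the arrest), such a list ages quickly and is a starting point, not a complete signature.

```python
"""Scan DNS query logs for lookups of Mariposa C&C domains (added example)."""
import re
from collections import defaultdict

# C&C hostnames as listed on slide 5, lower-cased for matching.
MARIPOSA_CC_DOMAINS = {
    "lalundelau.sinip.es", "bf2back.sinip.es", "thejacksonfive.mobi",
    "butterfly.bigmoney.biz", "bfisback.sinip.es", "qwertasdfg.sinip.es",
}

# Constructed sample lines in an assumed BIND-style query-log format.
SAMPLE_LOG = """\
23-Dec-2009 10:01:02.123 client 10.0.3.17#51234: query: butterfly.BigMoney.biz IN A +
23-Dec-2009 10:01:05.456 client 10.0.3.17#51235: query: www.example.com IN A +
23-Dec-2009 10:02:10.789 client 10.0.7.42#41001: query: bf2back.sinip.es IN A +
23-Dec-2009 10:02:11.001 client 10.0.7.42#41002: query: notbfisback.sinip.es IN A +
23-Dec-2009 10:03:00.000 client 10.0.3.17#51236: query: thejacksonfive.mobi. IN A +
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)

def normalize(qname):
    """Strip a trailing root dot and fold case; DNS names are case-insensitive."""
    return qname.rstrip(".").lower()

def is_cc_domain(qname, cc=MARIPOSA_CC_DOMAINS):
    """True for a listed name or any subdomain of it, never a bare substring."""
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in cc)

def find_infected_hosts(log_text, cc=MARIPOSA_CC_DOMAINS):
    """Map client IP -> list of C&C names it looked up, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_cc_domain(m.group("qname"), cc):
            hits[m.group("ip")].append(normalize(m.group("qname")))
    return dict(hits)

if __name__ == "__main__":
    for ip, names in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {len(names)} C&C lookup(s): {', '.join(names)}")
```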
