Mariposa Botnet

My presentation from CSI 2010

Presentation Transcript

  • Lessons Learned from Mariposa: Avoiding Disaster, Protecting from Cybercrime
    Sean-Paul Correll
    Threat Researcher
    Panda Security, USA
  • May 2009
    2
  • October 2009
    3
  • Mariposa Working Group
    Defence Intelligence
    Panda Security
    Georgia Tech Information Security Center
    Neustar
    Researchers who wish to remain anonymous
    In collaboration with:
    FBI
    Spanish Civil Guard
    4
  • Some of the DNS domain names observed as C&C servers:
    lalundelau.sinip.es
    bf2back.sinip.es
    thejacksonfive.mobi
    butterfly.BigMoney.biz
    bfisback.sinip.es
    qwertasdfg.sinip.es
    5
  • Early estimates
    6
    (diagram labels: Command & Control, SPAIN, 100,000 – 200,000 Victims, USA, PANAMA, UDP COMMUNICATION, ??????????)
  • 7
    (diagram labels: Command & Control, SPAIN, SINKHOLE, 100,000 – 200,000 Victims, USA, PANAMA, ??????????)
  • Timeline
    December 21st 2009: Spanish LE visit to CDMON (Spanish ISP)
    December 23rd 2009: All C&C domains pointed to sinkhole: Cdmon, ChangeIP, Directi, GetmyIP, DynDNS
    December 24th 2009: New binary dropped (detected by 2 of 24 engines at VirusTotal)
    8
  • Staying undetected…
    9
    The botnet operators used Swedish VPN providers in order to avoid physical detection.
    The sinkhole caused the main botnet operator to panic and connect to the infrastructure using his home DSL connection.
  • Panic at the disco!
    C&C sinkhole panic allowed us to trace the botnet operator's Internet connection back to Spain.
    Spanish LE visits ISP to retrieve DSL customer information
    Time to make some arrests!
    10
  • MWG: Let’s move on the arrest!
    Spain LE: Not so fast!
    Law enforcement roadblocks:
    Owning a botnet is not illegal in Spain
    Spanish law protects criminals
    Forensic skills are not up to par
    11
  • Timeline
    January 22nd 2010: Bot master bribed CDMON tech support to recover booster.estr.es for €500.
    January 25th 2010: Bot master launches DDOS against Defence Intelligence, sustained 900MB/s traffic
    February 3rd 2010: Bot master arrested at home by Spanish Civil Guard
    12
  • What did we uncover after the arrest?
    13
  • Stolen Credentials
    Personal information from over 1,000,000 victims
    Credit Cards
    Social Security numbers
    Bank Accounts
    Intranet credentials
    Data from universities, banks, + half of Fortune 1000 companies
    14
  • What did we uncover after the arrest?
    15
  • Anti-detection/debugging tools…
    16
  • Anti-detection/debugging tools
    17
  • Licensing control system
    18
    Butterfly Bot Version
    Licensing control UID
  • Builder packed with Themida
    19
  • Timeline after initial arrest
    February 10th 2010
    Butterfly.bigmoney.biz recovered by Mariposa.
    Moved C&C servers to Israeli & Chinese domain registrars.
    February 24th 2010
    Ostiator & JonnyLoleante arrested
    March 3rd 2010
    Mariposa Final Takedown
    20
  • 21
    Infections in 189 different countries
  • Top 10 infected countries
    22
  • Infection statistics
    31,901 infected towns and cities
    23
  • Infection statistics
    24
    Over half of Fortune 1000’s infected
    Over 40 banks infected
  • Why was Mariposa so successful?
    25
  • Strong AV signature evasion + Botnet Infrastructure
    26
  • Peer to Peer (P2P)
    27
  • P2P – Strengths and Weaknesses
    28
    Low chance of infecting corporate networks (perimeter blocking)
    High chance of infecting home networks (piracy)
    APAC region had a high concentration of infections. High risk due to rampant piracy.
    65% of software is pirated in India according to Business Software Alliance Study: http://bit.ly/bLlN06
  • USB Distribution
    29
  • USB – Strengths and Weaknesses
    30
    High chance of infection in corporate networks
    USB enabled by default in most organizations
    Working from home introduces threats into the workplace.
    High chance of infection in home networks
    We use USB devices every day
    Knowledge of USB threat vector low
  • MSN Messenger
    31
  • MSN Messenger
    32
  • MSN Messenger – Strengths and Weaknesses
    33
    Moderate chance of infection in corporate networks
    Sometimes used for interoffice communication
    31% of businesses use instant messaging according to Nielsen
    High chance of infection in home networks
    40% of home users use instant messaging according to Nielsen
    MSN usage ranks high in most affected countries
    Unique social engineering capability
  • Exploit Kits
    34
  • Exploit kits – Strengths and Weaknesses
    35
    Moderate chance of infection in corporate networks
    Operating system updates are most likely enforced via policy
    Non system software updates are most likely not enforced via policy
    Antivirus software installed by default
    High chance of infection in home networks
    Operating system updates not always installed.
    Non system software updates are almost never installed (unless forced)
    Antivirus software may not be installed
  • Mariposa Botnet Control Software
    36
  • Command and Control Software
    37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • Who are these guys?
    44
  • Members Arrested
    DDP Team:
    Dias De Pesadilla Team – Nightmare Days Team
    Netkairo, 31, Spain
    Ostiator, 25, Spain
    jonnyloleante, 30, Spain
    45
  • What were their roles?
    46
  • 47
  • Butterfly Bot Packages
    48
  • Butterfly Module Prices
    49
  • How much money were they earning?
    10,000€ / month (around 3,000 each)
    Ads
    Pay per click
    Renting portions of the botnet
    Post data grabber (stealing credentials)
    50
  • 51
  • 52
  • 53
  • Monday, March 22nd
    54
  • 55
  • 56
  • Commenting on the blog
    57
  • 58
  • 59
  • 60
  • 61
    Iuis_corrons following Luis_Corrons
  • D’oh!
    62
  • What are we dealing with here?
    63
  • The Slovenian Connection
    64
  • 65
  • 66
  • Collateral Damage?
    67
    Dejan Janzekovic
  • Lessons Learned
    Just shutting down botnet C&Cs does not stop the bad guys.
    Arresting the bad guys doesn’t stop them either
    Signature based Antivirus detection isn’t good enough. Signatures can take weeks to develop.
    Cyber legislation needs significant improvements to adapt to the current threat landscape
    Communication with law enforcement is often one-way and difficult, but results are better than simple shutdowns.
    68
  • Thank you!
    Sean-Paul Correll
    Threat Researcher
    Panda Security, USA
    Twitter: http://twitter.com/lithium
    E-mail: lithium@us.pandasecurity.com
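Slides 5 and 8 list the C&C domain names the Mariposa Working Group observed and describe pointing them at a sinkhole. The script below is an added example, not code from the presentation or from Panda Security: it scans DNS query-log lines for those domains (including sub-domains and mixed-case names such as butterfly.BigMoney.biz), ranks the internal clients that queried them, and emits BIND response-policy-zone (RPZ) records that would answer those names from a local sinkhole address. The query-log format, the sinkhole address 192.0.2.10 (documentation range) and the sample log lines are constructed assumptions; the domain list itself comes from the deck.

```python
"""Flag DNS queries for the Mariposa C&C domains listed in the deck and
build an RPZ-style sinkhole snippet for them.  Added example; log lines,
log format and sinkhole address are constructed assumptions."""
import re
from collections import Counter

# C&C domain names observed by the Mariposa Working Group (slide 5),
# lower-cased because DNS names are case-insensitive.
MARIPOSA_CC_DOMAINS = {
    "lalundelau.sinip.es",
    "bf2back.sinip.es",
    "thejacksonfive.mobi",
    "butterfly.bigmoney.biz",
    "bfisback.sinip.es",
    "qwertasdfg.sinip.es",
}

# Assumed query-log format (BIND-like, not taken from the deck):
#   "<date> <time> client <ip>#<port>: query: <qname> IN <qtype>"
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case a DNS name and strip a trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def matches_cc(qname, blocklist=MARIPOSA_CC_DOMAINS):
    """Return the blocklisted domain that qname equals or sits under, else None.
    Walking up the labels catches sub-domains such as x.thejacksonfive.mobi
    without matching look-alikes such as notsinip.es."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_query_log(lines, blocklist=MARIPOSA_CC_DOMAINS):
    """Return (timestamp, client_ip, queried_name, matched_domain) for every hit."""
    hits = []
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:  # unparseable lines are skipped rather than aborting the scan
            continue
        matched = matches_cc(m.group("qname"), blocklist)
        if matched:
            hits.append((m.group("ts"), m.group("ip"), normalize(m.group("qname")), matched))
    return hits


def infected_hosts(hits):
    """Count hits per client so the noisiest internal hosts come first."""
    return Counter(ip for _, ip, _, _ in hits).most_common()


def rpz_sinkhole_records(blocklist=MARIPOSA_CC_DOMAINS, sinkhole_ip="192.0.2.10"):
    """Build RPZ records (owner names relative to the policy zone) that answer
    each C&C name and any sub-domain with the sinkhole address.  Assumption:
    a BIND-style RPZ; the sinkhole address is a constructed placeholder."""
    records = []
    for domain in sorted(blocklist):
        records.append(f"{domain}\tA\t{sinkhole_ip}")
        records.append(f"*.{domain}\tA\t{sinkhole_ip}")
    return "\n".join(records)


# Constructed sample log: 10.1.2.3 and 10.1.2.9 play the infected clients.
SAMPLE_LOG = [
    "21-Dec-2009 10:00:01.123 client 10.1.2.3#51000: query: lalundelau.sinip.es IN A",
    "21-Dec-2009 10:00:02.456 client 10.1.2.4#51001: query: www.example.com IN A",
    "21-Dec-2009 10:00:03.789 client 10.1.2.9#51002: query: Butterfly.BigMoney.biz. IN A",
    "21-Dec-2009 10:00:04.000 client 10.1.2.3#51003: query: update.thejacksonfive.mobi IN A",
    "21-Dec-2009 10:00:05.000 client 10.1.2.5#51004: query: notsinip.es IN A",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = scan_query_log(SAMPLE_LOG)
    for ts, ip, qname, matched in found:
        print(f"{ts} {ip} -> {qname} (C&C: {matched})")
    print("hosts by hit count:", infected_hosts(found))
    print(rpz_sinkhole_records())
```

The label-walk in matches_cc is what makes the check useful against a botnet that, as slide 20 notes, kept re-registering names under the same domains: any host under a listed domain is caught, while an unrelated name that merely ends in the same characters is not. Loading the RPZ output into a resolver turns the same list into the sinkhole the Working Group relied on, so that infected clients are both logged and cut off from the C&C.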