Malware threats in our cyber infrastructure

Botnets have increased not only in number but also in the sophistication with which they carry out their design purpose. What are the lessons learned so far from the recent botnet takedown?

  1. Malware Threats in our Cyber Infrastructure. 13th April 2013, Hotel Royal Ambarukmo Yogyakarta, Yogyakarta, Indonesia. Charles Lim, MSc., ECSA, ECSP, ECIH, CEH, CEI, Faculty of Engineering and IT.
  2. Agenda
     • About me
     • Malware History
     • Malware Current Attack
     • Malware Profiles
     • Botnet
     • Botnet Takedown
     • Summary
  3. Malware History: What is Malware?
     • Stands for Malicious Software.
     • Early days: viruses or Trojans.
     • Today: viruses, worms, backdoors, Trojans, keyloggers, password stealers, script viruses, rootkits, macro viruses, spyware or even adware.
  4. Malware History: 1970s. Experimental replicating programs (Creeper & Reaper).
  5. Malware History: Early 1980s. From thesis to real virus …
  6. Malware History: Late 1980s. From Apple II virus to first Internet worm …
  7. Malware History: Early 1990s. Polymorphic viruses to first macro viruses.
  8. Malware History: Late 1990s. DOS 16-bit viruses to Melissa worm …
  9. Malware History: Early 2000s. I LOVE YOU virus to MyDoom (fastest spreading worm).
  10. Malware History: Late 2000s. First ever Mac OS X malware to rogue AV to Conficker worm.
  11. Malware History: 2010 – now. Stuxnet to banking Trojans to Android malware.
  12. Malware History: From 2004 till now … From Symbian-based malware to Android malware.
  13. Recent Malware Attack: South Korean TV broadcaster and banks attack.
  14. Recent Malware Attack: The attack process.
  15. Recent Malware Attack
     • Attack started on 20 March 2013 at 2:20 pm.
     • Three broadcasters hit: KBS, MBC and YTN.
     • Three banks hit: Jeju (제주은행), Nonghyup (농협생명, bank and insurance) and Shinhan (신한은행).
     • Knocked offline after PCs were infected by data-deleting malware (delivered from a server update in the network).
  16. Recent Malware Attack: Check for existing remote management tools.
  17. Recent Malware Attack
     • Target: to corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VBR).
     • Kills 2 popular anti-virus products.
     • Reboot: system unusable.
  18. Recent Malware Attack
     • Target: to corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VBR).
     • Check time.
     • Kills 2 popular anti-virus products.
     • Reboot: system unusable.
  19. Recent Malware Attack: Malware involved
     • File Name: ApcRunCmd_DB4BBDC36A78A8807AD9B15A562515C4.exe, MD5: db4bbdc36a78a8807ad9b15a562515c4, File Type: Win32 EXE
     • File Name: OthDown.exe, MD5: 5fcd6e1dace6b0599429d913850f0364, File Type: Win32 EXE
     • File Name: AmAgent.exe, MD5: 5fcd6e1dace6b0599429d913850f0364, File Type: Win32 EXE
     • File Name: vti-rescan.exe, MD5: 9263e40d9823aecf9388b64de34eae54, File Type: Win32 EXE
     • Malware samples: http://contagiodump.blogspot.nl/2013/03/darkseoul-jokra-mbr-wiper-samples.html
  20. Recent Malware Attack: According to McAfee (see references), the malware samples reused existing malware found in the wild in August and October 2012 as a template for developing the new malware. New capabilities: MBR-killing; killing of 2 popular anti-virus products. (Figure: NEW sample vs. OLD sample.)
  21. BOTNET
  22. Botnet – What is it? What is a Botnet?
  23. Botnet – What is it? What is a Botnet?
  24. Botnet – What is it? What is a Botnet?
  25. Botnet – Stats. Source: 2013 Global Threat Intelligence Report (GTIR).
  26. Botnet – Underground. Source: http://goo.gl/Vq30r
  27. Botnet – Underground. Source: FireEye on Botnet Grum.
  28. Botnet Evolution
     • 1st: Centralized C&C server; IRC-based communication.
     • 2nd: P2P C&C server; IRC C&C server.
     • 3rd: HTTP-based C&C; P2P C&C server.
     • 4th: Encrypted communication; P2P C&C.
  29. Botnet C&C Evolution. The two most common methods of C&C: central C&C server; P2P network.
  30. Botnet C&C Evolution (cont.): P2P network, e.g. Kelihos botnet.
  31. Botnet C&C Evolution (cont.): Kelihos infections.
  32. Botnet C&C Evolution (cont.): TOR-based C&C.
  33. Botnet Evolution & Takedown
  34. Botnet Evolution & Takedown
  35. Declining Botnets. Source: McAfee Q4 2012 Report.
  36. Botnets Alive Today. Source: McAfee Q4 2012 Report.
  37. New Botnets
  38. Botnet – Some stats
  39. Third Largest Botnet Takedown
     • Code name: Grum botnet.
     • Impact size: 18% of spam volume (18 billion spam messages a day).
     • C&C: Panama & Netherlands.
     • Takedown: Tuesday, 12 July 2012.
     • Alive again: Thursday, 14 July 2012 (C&C: Russia).
     • Difficulty of takedown: 2 (on a scale of 1 to 5).
  40. Grum Botnet Characteristics
     • C&C servers: primary C&C for configuration files and initial registration; secondary C&C for spam-related activities.
     • Hard-coded IP addresses (instead of domain names).
     • Infected machines segmented across different C&C servers.
     • No fallback mechanism if the primary and secondary C&C are down.
  41. Grum Botnet Characteristics
  42. Grum Botnet (cont.): Conversation with primary C&C.
  43. Grum Botnet (cont.): Conversation with secondary C&C.
  44. Grum Botnet (cont.): C&C servers, status as of July 6 2012
      IP address      Type       Geo location        Status
      190.123.46.91   Master     Panama              Active
      190.123.46.92   Master     Panama              Suspended or abandoned
      91.239.24.251   Master     Russian Federation  Active
      94.102.51.226   Secondary  Netherlands         Active
      94.102.51.227   Secondary  Netherlands         Active
      94.102.51.228   Secondary  Netherlands         Suspended or abandoned
      94.102.51.229   Secondary  Netherlands         Suspended or abandoned
      94.102.51.230   Secondary  Netherlands         Suspended or abandoned
  45. Grum Botnet – Lessons Learned
     • Strong points: C&C servers are located in countries whose governments have historically been reluctant to act on abuse notifications; servers are scattered across multiple data centers; botnet divided into segments (bad part for the takedown: unless all C&C are dead, the botnet is still alive).
     • Weak points: no fallback mechanism (C&C dead, no connection possible); a handful of hard-coded IP addresses; data centers easily identified (easy to deal with); small segments, so some segments die easily.
  46. Grum Botnet – Lessons Learned: Summarized strategy to take down a botnet
     • Research which C&C architecture they are using.
     • Intelligence on real-time traffic.
     • Takedown methodology.
     • 24/7 surveillance.
     • Actual takedown.
     • Surprises will come – be prepared.
     • Post-takedown activities.
  47. Bamital – Botnet Takedown. Method: click fraud.
  48. Bamital – Botnet Takedown. Users search for pornographic web sites, then are directed to these web sites, which download the Bamital Trojan.
  49. Bamital – Botnet Takedown. These “random” web sites (pseudo-randomly generated) that serve the exploit packs:
  50. Summary
     • We have seen how malware evolved with more and more advanced and sophisticated methods.
     • The tasks are very challenging …
     • Research in malware is in huge demand …
     • We need to work together …
  51. Other Security Events
     • 13-15 May 2013: ACAD-CSIRT in Bali.
     • 19-20 June 2013: Honeynet Indonesia Chapter Workshop 2013, Jakarta.
     • 18 Sept 2013: Cloud Security Alliance Summit, Jakarta.
  52. References
     • http://blogs.mcafee.com/mcafee-labs/an-overview-of-messaging-botnets
     • http://www.fireeye.com/blog/technical/botnet-activities-research/2012/07/grum-botnet-no-longer-safe-havens.html
     • http://voices.washingtonpost.com/securityfix/pushdo.htm
     • http://voices.washingtonpost.com/securityfix/2009/06/ftc_sues_shuts_down_n_calif_we.html
     • http://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html
     • http://www.securelist.com/en/blog/208193438/FAQ_Disabling_the_new_Hlux_Kelihos_Botnet
     • https://www.brighttalk.com/webcast/7451/53071
  53. References
     • http://www.tripwire.com/state-of-security/it-security-data-protection/cyber-security/south-korean-attack-malware-analysis/
     • http://download.bitdefender.com/resources/files/Main/file/Malware_History.pdf
     • http://blogs.mcafee.com/mcafee-labs/south-korean-banks-media-companies-targeted-by-destructive-malware
  54. References
     • http://www.sophos.com/en-us/threat-center/threat-monitoring/malware-dashboard.aspx
     • http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx
     • http://www.virusradar.com/
  55. Thank You
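As an added example (not from the deck), the Python below ties together slides 40, 44 and 45 on Grum from a defender's side: it flags internal hosts whose flows reach the listed C&C addresses, tells master (registration/config) traffic from secondary (spam) traffic, groups bots by the master they registered with, and shows which bots are left with no C&C at all once a master is removed, which is the no-fallback weakness the deck lists. The flow log and the internal host addresses are constructed.

```python
"""Triage outbound flows against the Grum C&C list from slide 44.
Added example, not from the deck; flow records are constructed."""
from collections import defaultdict
# C&C hosts as listed on slide 44: ip -> (tier, country, status as of 6 July 2012)
GRUM_CC = {
    "190.123.46.91": ("master", "Panama", "active"),
    "190.123.46.92": ("master", "Panama", "suspended"),
    "91.239.24.251": ("master", "Russian Federation", "active"),
    "94.102.51.226": ("secondary", "Netherlands", "active"),
    "94.102.51.227": ("secondary", "Netherlands", "active"),
    "94.102.51.228": ("secondary", "Netherlands", "suspended"),
    "94.102.51.229": ("secondary", "Netherlands", "suspended"),
    "94.102.51.230": ("secondary", "Netherlands", "suspended"),
}
# Constructed flow log: "timestamp src_ip dst_ip" (internal hosts are invented).
SAMPLE_FLOWS = """\
2012-07-06T10:01:02 10.0.0.5 190.123.46.91
2012-07-06T10:01:09 10.0.0.5 94.102.51.226
2012-07-06T10:02:11 10.0.0.7 91.239.24.251
2012-07-06T10:02:15 10.0.0.7 94.102.51.227
2012-07-06T10:03:00 10.0.0.9 203.0.113.10
2012-07-06T10:03:30 10.0.0.5 94.102.51.230
"""

def parse_flows(text):
    """Return a list of (timestamp, src, dst) tuples, skipping blank lines."""
    return [tuple(l.split()) for l in text.splitlines() if l.strip()]

def flag_cc_contacts(flows):
    """host -> {tier: [C&C ips]}; a 'master' hit is registration/config traffic,
    a 'secondary' hit is spam-related activity (slide 40)."""
    hits = defaultdict(lambda: defaultdict(set))
    for _, src, dst in flows:
        if dst in GRUM_CC:
            hits[src][GRUM_CC[dst][0]].add(dst)
    return {h: {t: sorted(v) for t, v in tiers.items()} for h, tiers in hits.items()}

def segments(flows):
    """Bots grouped by the master they registered with (slide 40: bots are segmented)."""
    seg = defaultdict(set)
    for _, src, dst in flows:
        if GRUM_CC.get(dst, ("",))[0] == "master":
            seg[dst].add(src)
    return {m: sorted(bots) for m, bots in seg.items()}

def orphaned_after_takedown(flows, removed):
    """Bots whose master is removed or already inactive: with no fallback C&C
    (slide 45, weak points) they cannot re-home and go dark."""
    alive = {ip for ip, (tier, _, st) in GRUM_CC.items()
             if tier == "master" and st == "active" and ip not in removed}
    return sorted(b for m, bots in segments(flows).items() if m not in alive for b in bots)
```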
