Malware threats in our cyber infrastructure
Botnets have increased not only in number but also in the sophistication with which they carry out their design purpose. What are the lessons learned so far from the recent botnet takedowns?
  1. Malware Threats in our Cyber Infrastructure. 13th April 2013, Hotel Royal Ambarukmo Yogyakarta, Yogyakarta, Indonesia. Charles Lim, MSc, ECSA, ECSP, ECIH, CEH, CEI
  2. Agenda: About me; Malware History; Malware Current Attack; Malware Profiles; Botnet; Botnet Takedown; Summary. Faculty of Engineering and IT
  3. Malware History. What is malware? It stands for malicious software. Early days: viruses or Trojans. Today: viruses, worms, backdoors, Trojans, keyloggers, password stealers, script viruses, rootkits, macro viruses, spyware or even adware.
  4. Malware History, 1970s: experimental replicating programs (Creeper & Reaper)
  5. Malware History, early 1980s: from thesis to real virus …
  6. Malware History, late 1980s: from Apple II virus to first Internet worm …
  7. Malware History, early 1990s: polymorphic viruses to first macro viruses
  8. Malware History, late 1990s: DOS 16-bit viruses to Melissa worm …
  9. Malware History, early 2000s: I LOVE YOU virus to MyDoom (fastest-spreading worm)
  10. Malware History, late 2000s: first ever Mac OS X malware to rogue AV to Conficker worm
  11. Malware History, 2010 – now: Stuxnet to banking Trojans to Android malware
  12. Malware History, from 2004 till now …: from Symbian-based malware to Android malware
  13. Recent Malware Attack: South Korean TV broadcaster and banks attack
  14. Recent Malware Attack: the attack process
  15. Recent Malware Attack. The attack started on 20 March 2013 at 2:20 pm. Three broadcasters, KBS, MBC and YTN, were hit. Three banks, Jeju (제주은행), Nonghyup (농협생명, bank and insurance) and Shinhan (신한은행), were hit and knocked offline after PCs were infected by data-deleting malware (delivered from a server update in the network).
  16. Recent Malware Attack: check for existing remote management tools
  17. Recent Malware Attack. Target: to corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VBR); kill 2 popular anti-virus products; reboot; system unusable.
  18. Recent Malware Attack. Target: to corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VBR); check time; kill 2 popular anti-virus products; reboot; system unusable.
  19. Recent Malware Attack. Malware involved: ApcRunCmd_DB4BBDC36A78A8807AD9B15A562515C4.exe (MD5 db4bbdc36a78a8807ad9b15a562515c4, Win32 EXE); OthDown.exe (MD5 5fcd6e1dace6b0599429d913850f0364, Win32 EXE); AmAgent.exe (MD5 5fcd6e1dace6b0599429d913850f0364, Win32 EXE); vti-rescan.exe (MD5 9263e40d9823aecf9388b64de34eae54, Win32 EXE). Malware samples: http://contagiodump.blogspot.nl/2013/03/darkseoul-jokra-mbr-wiper-samples.html
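Added triage example (not from the slides): slides 17 to 19 describe a wiper that destroys the MBR and lists the sample hashes, so a responder wants two quick checks, a structural sanity check on sector 0 of a disk image and an MD5 lookup against the listed samples. The MD5 values are the ones on slide 19; the two sample sectors are constructed here for demonstration.

```python
import hashlib

# MD5 hashes of the wiper samples listed on slide 19 (values from the page).
WIPER_MD5 = {
    "db4bbdc36a78a8807ad9b15a562515c4": "ApcRunCmd_DB4BBDC36A78A8807AD9B15A562515C4.exe",
    "5fcd6e1dace6b0599429d913850f0364": "OthDown.exe / AmAgent.exe",
    "9263e40d9823aecf9388b64de34eae54": "vti-rescan.exe",
}
SECTOR = 512
BOOT_SIG = b"\x55\xaa"
PT_OFFSET = 446  # classic MBR partition table: 4 entries of 16 bytes each


def md5_match(data: bytes):
    """Return the listed file name if the bytes hash to a known sample, else None."""
    return WIPER_MD5.get(hashlib.md5(data).hexdigest())


def check_mbr(sector: bytes) -> list:
    """Structural sanity checks on sector 0; an empty list means it looks intact."""
    if len(sector) != SECTOR:
        return [f"sector is {len(sector)} bytes, expected {SECTOR}"]
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    if not any(sector[:PT_OFFSET]):
        findings.append("boot code area is all zeros")
    active = 0
    for i in range(4):
        entry = sector[PT_OFFSET + 16 * i:PT_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte {status:#04x}")
        active += status == 0x80
        if ptype and int.from_bytes(entry[12:16], "little") == 0:
            findings.append(f"partition {i}: type {ptype:#04x} but zero sector count")
    if active != 1:
        findings.append(f"{active} active partitions, expected exactly 1")
    return findings


def sample_sector(wiped: bool) -> bytes:
    """Constructed sector 0: a sane MBR with one NTFS partition, or one overwritten by junk."""
    if wiped:
        return b"\x41" * SECTOR  # every byte replaced, signature and table gone
    boot = bytes([0xEB, 0x3C, 0x90]) + bytes(PT_OFFSET - 3)  # jump stub + zero padding
    # entry: status 0x80, CHS start, type 0x07 (NTFS), CHS end, LBA start 2048, 409600 sectors
    entry = (bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
             + (2048).to_bytes(4, "little") + (409600).to_bytes(4, "little"))
    return boot + entry + bytes(48) + BOOT_SIG
```

On a real image, read the first 512 bytes of the disk (not a partition) and feed them to check_mbr; a wiped sector usually trips several findings at once.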
  20. Recent Malware Attack. According to McAfee (refer to the references), the malware samples used existing malware found in the wild in August and October 2012 as a template for developing the new malware. New capabilities: MBR-killing; killing of 2 popular anti-virus products. (Slide diagram: NEW sample vs OLD sample.)
  21. Botnet
  22. Botnet – What is it? What is a botnet?
  23. Botnet – What is it? What is a botnet?
  24. Botnet – What is it? What is a botnet?
  25. Botnet – Stats. What is a botnet? Source: 2013 Global Threat Intelligence Report (GTIR)
  26. Botnet – Underground. Source: http://goo.gl/Vq30r
  27. Botnet – Underground. Source: FireEye on the Grum botnet
  28. Botnet Evolution. 1st generation: centralized C&C server, IRC-based communication. 2nd generation: P2P C&C server, IRC C&C server. 3rd generation: HTTP-based C&C, P2P C&C server. 4th generation: encrypted communication, P2P C&C.
  29. Botnet C&C Evolution. The two most common methods of C&C: central control C&C; P2P network. (Slide diagram: central C&C server.)
  30. Botnet C&C Evolution (cont.): P2P network, e.g. the Kelihos botnet
  31. Botnet C&C Evolution (cont.): Kelihos infections
  32. Botnet C&C Evolution (cont.): TOR-based C&C
  33. Botnet Evolution & Takedown
  34. Botnet Evolution & Takedown
  35. Declining Botnets. Source: McAfee Q4 2012 Report
  36. Botnets Alive Today. Source: McAfee Q4 2012 Report
  37. New Botnets
  38. Botnet – Some stats
  39. Third Largest Botnet Takedown. Code name: Grum botnet. Impact size: 18% of spam volume (18 billion spam a day). C&C: Panama & Netherlands. Takedown: Tuesday, 12 July 2012. Alive again: Thursday, 14 July 2012 (C&C: Russia). Difficulty of takedown: 2 (on a scale of 1 to 5).
  40. Grum Botnet Characteristics. C&C servers: primary C&C for configuration files and initial registration; secondary C&C for spam-related activities. Hard-coded IP addresses (instead of domain names). Infected machines segmented across different C&C servers. No fallback mechanism if the primary and secondary C&C are down.
  41. Grum Botnet Characteristics
  42. Grum Botnet (cont.): conversation with the primary C&C
  43. Grum Botnet (cont.): conversation with the secondary C&C
  44. Grum Botnet (cont.): C&C servers, status as of July 6 2012
        IP address      Type        Geo location         Status
        190.123.46.91   Master      PANAMA               Active
        190.123.46.92   Master      PANAMA               Suspended or abandoned
        91.239.24.251   Master      RUSSIAN FEDERATION   Active
        94.102.51.226   Secondary   NETHERLANDS          Active
        94.102.51.227   Secondary   NETHERLANDS          Active
        94.102.51.228   Secondary   NETHERLANDS          Suspended or abandoned
        94.102.51.229   Secondary   NETHERLANDS          Suspended or abandoned
        94.102.51.230   Secondary   NETHERLANDS          Suspended or abandoned
  45. Grum Botnet – Lessons Learned. Strong points: C&C servers are located in countries whose governments have historically been reluctant to act on abuse notifications; servers are scattered across multiple data centers; the botnet is divided into segments (bad part: unless all C&C servers are dead, the botnet is still alive). Weak points: no fallback mechanism, so once the C&C is dead no connection is possible; only a handful of hard-coded IP addresses; data centers are easily identified (easy to deal with); small segments, so some segments die easily.
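Added detection example (not from the slides): slide 45 notes that Grum's handful of hard-coded C&C addresses was its weak point, and slide 40 describes the registration-then-spam split between primary and secondary servers. The script below matches constructed firewall log lines against the slide 44 table and flags internal hosts that contacted both a Master and a Secondary server. The log format (timestamp, source, destination, port, action) is an assumption.

```python
import ipaddress

# Grum C&C servers as listed on slide 44 (role, geo, status as of July 6 2012).
GRUM_CC = {
    "190.123.46.91": ("Master", "PANAMA", "Active"),
    "190.123.46.92": ("Master", "PANAMA", "Suspended or abandoned"),
    "91.239.24.251": ("Master", "RUSSIAN FEDERATION", "Active"),
    "94.102.51.226": ("Secondary", "NETHERLANDS", "Active"),
    "94.102.51.227": ("Secondary", "NETHERLANDS", "Active"),
    "94.102.51.228": ("Secondary", "NETHERLANDS", "Suspended or abandoned"),
    "94.102.51.229": ("Secondary", "NETHERLANDS", "Suspended or abandoned"),
    "94.102.51.230": ("Secondary", "NETHERLANDS", "Suspended or abandoned"),
}

# Constructed firewall log lines; assumed format: ts src dst dport action.
SAMPLE_LOG = """\
2012-07-06T10:01:02Z 10.0.5.17 94.102.51.226 80 ALLOW
2012-07-06T10:01:09Z 10.0.5.17 190.123.46.91 80 ALLOW
2012-07-06T10:02:30Z 10.0.5.42 93.184.216.34 443 ALLOW
2012-07-06T10:03:11Z 10.0.5.17 94.102.51.227 80 ALLOW
2012-07-06T10:04:45Z 10.0.5.99 91.239.24.251 80 DENY
"""


def parse_line(line: str) -> dict:
    """Split one log line into fields; a malformed destination raises ValueError."""
    ts, src, dst, dport, action = line.split()
    ipaddress.ip_address(dst)
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def find_cc_contacts(log_text: str) -> list:
    """Return the records whose destination is a listed Grum C&C, enriched from the table."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        info = GRUM_CC.get(rec["dst"])
        if info:
            rec.update(role=info[0], geo=info[1], status=info[2])
            hits.append(rec)
    return hits


def infected_hosts(hits: list) -> list:
    """Sources that reached both a Master and a Secondary C&C (registration, then spam)."""
    roles = {}
    for h in hits:
        roles.setdefault(h["src"], set()).add(h["role"])
    return sorted(src for src, r in roles.items() if {"Master", "Secondary"} <= r)
```

A host that only touched a Master server once (as 10.0.5.99 does here, and was blocked) is still worth a look, but the two-role pattern is the stronger signal.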
  46. Grum Botnet – Lessons Learned. Summarized strategy to take down a botnet: research which C&C architecture it is using; gather intelligence on real-time traffic; define the takedown methodology; keep 24/7 surveillance; carry out the actual takedown (surprises will come, be prepared); post-takedown activities.
  47. Bamital – Botnet Takedown. Method: click fraud
  48. Bamital – Botnet Takedown. Users search for pornographic web sites; then users are redirected to these web sites (listed on the slide), where the Bamital Trojan is downloaded.
  49. Bamital – Botnet Takedown. These "random" (pseudo-randomly generated) web sites serve the exploit packs (listed on the slide).
  50. Summary. We have seen how malware has evolved with more and more advanced and sophisticated methods. The tasks are very challenging … Research in malware is in huge demand … We need to work together …
  51. Other Security Events: 13-15 May 2013, ACAD-CSIRT in Bali; 19-20 June 2013, Honeynet Indonesia Chapter Workshop 2013, Jakarta; 18 Sept 2013, Cloud Security Alliance Summit, Jakarta
  52. References: http://blogs.mcafee.com/mcafee-labs/an-overview-of-messaging-botnets ; http://www.fireeye.com/blog/technical/botnet-activities-research/2012/07/grum-botnet-no-longer-safe-havens.html ; http://voices.washingtonpost.com/securityfix/pushdo.htm ; http://voices.washingtonpost.com/securityfix/2009/06/ftc_sues_shuts_down_n_calif_we.html ; http://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html ; http://www.securelist.com/en/blog/208193438/FAQ_Disabling_the_new_Hlux_Kelihos_Botnet ; https://www.brighttalk.com/webcast/7451/53071
  53. References: http://www.tripwire.com/state-of-security/it-security-data-protection/cyber-security/south-korean-attack-malware-analysis/ ; http://download.bitdefender.com/resources/files/Main/file/Malware_History.pdf ; http://blogs.mcafee.com/mcafee-labs/south-korean-banks-media-companies-targeted-by-destructive-malware
  54. References: http://www.sophos.com/en-us/threat-center/threat-monitoring/malware-dashboard.aspx ; http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx ; http://www.virusradar.com/
  55. Thank You