Malware threats in our cyber infrastructure
Botnets have increased not only in number but also in the sophistication with which they carry out their design purpose. What are the lessons learned so far from the recent botnet takedowns?
Presentation Transcript

  • Malware Threats in our Cyber Infrastructure
    13th April 2013, Hotel Royal Ambarukmo Yogyakarta, Yogyakarta, Indonesia
    Charles Lim, MSc., ECSA, ECSP, ECIH, CEH, CEI
  • AGENDA: About me; Malware History; Malware Current Attack; Malware Profiles; Botnet; Botnet Takedown; Summary
    Faculty of Engineering and IT
  • Malware History – What is Malware? Stands for Malicious Software. Early days: viruses or Trojans. Today: viruses, worms, backdoors, Trojans, keyloggers, password stealers, script viruses, rootkits, macro viruses, spyware or even adware.
  • Malware History – 1970’s: experimental replicating programs (Creeper & Reaper)
  • Malware History – Early 1980’s: from thesis to real virus …
  • Malware History – Late 1980’s: from Apple II virus to first Internet worm …
  • Malware History – Early 1990’s: polymorphic viruses to first macro viruses
  • Malware History – Late 1990’s: DOS 16-bit viruses to Melissa worm …
  • Malware History – Early 2000’s: I LOVE YOU virus to MyDOOM (fastest spreading worm)
  • Malware History – Late 2000’s: first ever Mac OS X malware to rogue AV to Conficker worm
  • Malware History – 2010 to now: Stuxnet to banking Trojans to Android malware
  • Malware History – From 2004 till now …: from Symbian-based malware to Android malware
  • Recent Malware Attack – South Korean TV broadcasters and banks attacked
  • Recent Malware Attack – The Attack Process
  • Recent Malware Attack – Attack started on 20 March 2013 at 2:20 pm. Three broadcasters hit: KBS, MBC and YTN. Three banks hit: Jeju (제주은행), Nonghyup (농협생명, bank and insurance) and Shinhan (신한은행), knocked offline after PCs were infected by data-deleting malware (delivered from a server update in the network).
  • Recent Malware Attack – Check for existing remote management tools
  • Recent Malware Attack – Target: to corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VBR). Check time. Kills 2 popular anti-virus products. Reboot: system unusable.
  • Recent Malware Attack – Malware involved:
    File Name: ApcRunCmd_DB4BBDC36A78A8807AD9B15A562515C4.exe, MD5: db4bbdc36a78a8807ad9b15a562515c4, File Type: Win32 EXE
    File Name: OthDown.exe, MD5: 5fcd6e1dace6b0599429d913850f0364, File Type: Win32 EXE
    File Name: AmAgent.exe, MD5: 5fcd6e1dace6b0599429d913850f0364, File Type: Win32 EXE
    File Name: vti-rescan.exe, MD5: 9263e40d9823aecf9388b64de34eae54, File Type: Win32 EXE
    Malware Samples: http://contagiodump.blogspot.nl/2013/03/darkseoul-jokra-mbr-wiper-samples.html
  • Recent Malware Attack – According to McAfee (refer to reference), the malware samples used existing malware found in the wild in August and October 2012 as a template to develop the new malware. New capabilities: MBR-killing; killing 2 popular anti-virus products. (Figure: NEW sample vs OLD sample)
  • BOTNET
  • Botnet – What is it? What is Botnet?
  • Botnet – Stats. Source: 2013 Global Threat Intelligence Report (GTIR)
  • Botnet – Underground. Source: http://goo.gl/Vq30r
  • Botnet – Underground. Source: FireEye on Botnet Grum
  • Botnet Evolution (generations 1st to 4th, items in the order drawn on the slide): Centralized C&C server (1st); IRC-based communication; P2P C&C server (2nd); IRC C&C server; HTTP-based C&C (3rd); P2P C&C server; encrypted communication (4th); P2P C&C
  • Botnet C&C Evolution – Two most common methods of C&C: central C&C server; P2P network
  • Botnet C&C Evolution (cont.) – P2P network, e.g. Kelihos botnet
  • Botnet C&C Evolution (cont.) – Kelihos infections
  • Botnet C&C Evolution (cont.) – TOR-based C&C
  • Botnet Evolution & Takedown
  • Declining Botnets. Source: McAfee Q4 2012 Report
  • Botnets Alive Today. Source: McAfee Q4 2012 Report
  • New Botnets
  • Botnet – Some stats
  • Third Largest Botnet Takedown
    Code name: Grum botnet
    Impact size: 18% of SPAM volumes (18 billion SPAM a day)
    C&C: Panama & Netherlands
    Takedown: Tuesday, 12 July 2012
    Alive again: Thursday, 14 July 2012 (C&C: Russia)
    Difficulty of takedown: 2 (scale 1 to 5)
  • Grum Botnet Characteristics
    C&C servers: primary C&C for configuration files and initial registration; secondary C&C for spam-related activities
    Hard-coded IP addresses (instead of domain names)
    Infected machines segmented across different C&C servers
    No fallback mechanism if primary and secondary C&C are down
  • Grum Botnet Characteristics (figure)
  • Grum Botnet (cont.) – Conversation with Primary C&C
  • Grum Botnet (cont.) – Conversation with Secondary C&C
  • Grum Botnet (cont.) – C&C servers (status as of 6 July 2012):
    IP address       Type        Geo Location         Status
    190.123.46.91    Master      Panama               Active
    190.123.46.92    Master      Panama               Suspended or abandoned
    91.239.24.251    Master      Russian Federation   Active
    94.102.51.226    Secondary   Netherlands          Active
    94.102.51.227    Secondary   Netherlands          Active
    94.102.51.228    Secondary   Netherlands          Suspended or abandoned
    94.102.51.229    Secondary   Netherlands          Suspended or abandoned
    94.102.51.230    Secondary   Netherlands          Suspended or abandoned
  • Grum Botnet – Lesson Learned
    Strong points: C&C servers located in countries whose governments have historically been reluctant to act on abuse notifications; servers scattered across multiple data centers; botnet divided into segments (bad part: unless all C&C are dead, the botnet is still alive)
    Weak points: no fallback mechanism (C&C dead, no connection possible); handful of hard-coded IP addresses; data centers easily identified (easy to deal with); small segments, some of which die easily
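The "weak points" above are exactly what makes a defender's job easy: a handful of hard-coded C&C addresses and a short list of sample hashes can be matched mechanically against telemetry. The following Python script is an added example, not code from the presentation or from any of the cited vendors. The C&C addresses, roles and statuses are the Grum table from the deck and the MD5 values are the DarkSeoul samples listed earlier; the flow-log and EDR-export line formats, the internal host addresses and the unrelated benign entries are constructed for the example.

```python
"""Match network flows and endpoint hash exports against the IoCs from the deck.

Added example: IoC values come from the slides; all log formats and sample
records below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Grum C&C table from the slides (status as of 6 July 2012).
GRUM_CC = {
    "190.123.46.91": ("Master",    "Panama",             "Active"),
    "190.123.46.92": ("Master",    "Panama",             "Suspended or abandoned"),
    "91.239.24.251": ("Master",    "Russian Federation", "Active"),
    "94.102.51.226": ("Secondary", "Netherlands",        "Active"),
    "94.102.51.227": ("Secondary", "Netherlands",        "Active"),
    "94.102.51.228": ("Secondary", "Netherlands",        "Suspended or abandoned"),
    "94.102.51.229": ("Secondary", "Netherlands",        "Suspended or abandoned"),
    "94.102.51.230": ("Secondary", "Netherlands",        "Suspended or abandoned"),
}

# MD5s of the DarkSeoul wiper samples listed on the "Malware involved" slide.
DARKSEOUL_MD5 = {
    "db4bbdc36a78a8807ad9b15a562515c4": "ApcRunCmd_DB4BBDC36A78A8807AD9B15A562515C4.exe",
    "5fcd6e1dace6b0599429d913850f0364": "OthDown.exe / AmAgent.exe",
    "9263e40d9823aecf9388b64de34eae54": "vti-rescan.exe",
}

# Constructed flow-log format: "<timestamp> <src> -> <dst>:<port> <proto>"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[0-9.]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)


def _norm_ip(text):
    """Canonicalise an IPv4 string; return None if it is not a valid address."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def cc_hits(flow_lines):
    """Map each internal host to the Grum C&C servers it contacted.

    Returns {src_host: [(dst_ip, role, status, port), ...]}. The role tells an
    analyst whether the host was registering (Master) or taking spam tasking
    (Secondary); suspended servers are still reported, since the deck notes the
    botnet came back two days after the takedown.
    """
    hits = defaultdict(list)
    for line in flow_lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it, do not abort the whole scan
        dst = _norm_ip(m["dst"])
        if dst in GRUM_CC:
            role, _geo, status = GRUM_CC[dst]
            hits[m["src"]].append((dst, role, status, int(m["port"])))
    return dict(hits)


def hash_hits(edr_lines):
    """Return [(host, path, sample_name)] for "host,path,md5" rows matching a listed sample."""
    out = []
    for line in edr_lines:
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            continue  # malformed row
        host, path, md5 = parts
        name = DARKSEOUL_MD5.get(md5.lower())  # hashes are case-insensitive
        if name:
            out.append((host, path, name))
    return out


def blocklist():
    """All listed C&C IPs, sorted numerically, for a perimeter deny rule."""
    return sorted(GRUM_CC, key=ipaddress.ip_address)


# Constructed sample telemetry (internal hosts and the benign entries are made up).
SAMPLE_FLOWS = [
    "2012-07-06T10:00:01Z 10.0.0.5 -> 190.123.46.91:80 TCP",   # master: registration
    "2012-07-06T10:00:04Z 10.0.0.5 -> 94.102.51.226:80 TCP",   # secondary: spam tasking
    "2012-07-06T10:00:09Z 10.0.0.7 -> 93.184.216.34:443 TCP",  # unrelated traffic
    "2012-07-06T10:00:12Z 10.0.0.9 -> 94.102.51.230:80 TCP",   # suspended C&C, still flagged
    "garbage line that does not parse",
]
SAMPLE_EDR = [
    "host,path,md5",  # header row: three fields, but "md5" matches nothing
    "WS-17,C:\\Temp\\OthDown.exe,5FCD6E1DACE6B0599429D913850F0364",
    "WS-22,C:\\Windows\\notepad.exe,d41d8cd98f00b204e9800998ecf8427e",  # placeholder benign hash
]

if __name__ == "__main__":
    for host, conns in cc_hits(SAMPLE_FLOWS).items():
        for dst, role, status, port in conns:
            print(f"{host} -> {dst}:{port}  Grum {role} C&C ({status})")
    for host, path, name in hash_hits(SAMPLE_EDR):
        print(f"{host}: {path} matches DarkSeoul sample {name}")
    print("deny:", " ".join(blocklist()))
```

Reporting the C&C role separately from the match matters for triage: a host that only reached a Secondary server has already registered somewhere, so the Master contact was either missed or happened before logging started. The block list deliberately includes the "suspended or abandoned" addresses, because a hard-coded address list with no fallback can only be revived by bringing the same addresses back.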
  • Grum Botnet – Lesson Learned: summarized strategy to take down a botnet
    Research which C&C architecture they are using
    Intelligence on real-time traffic
    Takedown methodology
    24/7 surveillance
    Actual takedown (surprises will come, be prepared)
    Post-takedown activities
  • Bamital – Botnet Takedown. Method: click fraud
  • Bamital – Botnet Takedown. A user searches for a pornographic web site; users are then directed to these web sites, which download the Bamital Trojan
  • Bamital – Botnet Takedown. These “random” web sites (pseudo-randomly generated) that serve the exploit packs:
  • Summary: We have seen how malware has evolved with more and more advanced and sophisticated methods. The tasks are very challenging … Research in malware is in huge demand … We need to work together …
  • Other Security Events
    13-15 May 2013: ACAD-CSIRT in Bali
    19-20 June 2013: Honeynet Indonesia Chapter Workshop 2013, Jakarta
    18 Sept 2013: Cloud Security Alliance Summit, Jakarta
  • References
    http://blogs.mcafee.com/mcafee-labs/an-overview-of-messaging-botnets
    http://www.fireeye.com/blog/technical/botnet-activities-research/2012/07/grum-botnet-no-longer-safe-havens.html
    http://voices.washingtonpost.com/securityfix/pushdo.htm
    http://voices.washingtonpost.com/securityfix/2009/06/ftc_sues_shuts_down_n_calif_we.html
    http://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html
    http://www.securelist.com/en/blog/208193438/FAQ_Disabling_the_new_Hlux_Kelihos_Botnet
    https://www.brighttalk.com/webcast/7451/53071
    http://www.tripwire.com/state-of-security/it-security-data-protection/cyber-security/south-korean-attack-malware-analysis/
    http://download.bitdefender.com/resources/files/Main/file/Malware_History.pdf
    http://blogs.mcafee.com/mcafee-labs/south-korean-banks-media-companies-targeted-by-destructive-malware
    http://www.sophos.com/en-us/threat-center/threat-monitoring/malware-dashboard.aspx
    http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx
    http://www.virusradar.com/
  • Thank You