nullcon 2011 - No bullshit on underground crime: traces, trends, attribution, techniques and more
No bullshit on underground crime: traces, trends, attribution, techniques and more by Fyodor Yarochkin
Transcript of "nullcon 2011 - No bullshit on underground crime: traces, trends, attribution, techniques and more"

1. NO BULLSHIT Underground crime: traces, trends, attribution, and more
   - Fyodor Y., Grugq and a whole bunch of unnamed people :)
   http://null.co.in/ http://nullcon.net/

2. Agenda
   - Overview
   - APT vs. Commercialized crime
   - Data sources
   - Analysis techniques
   - Attribution
   - APT, greed and more
   - Final words

3. Still .. meet the "authors".. :)
   Started as a hobby project. We talked about this at c0c0n. Here you'll see some fresh stuff. Why? ... Something we do when we need a good laugh :)

4. My favorite quote: "To make money on the Internet you need nothing, not even brains"
   - "To make money online you don't even need to use your brain" - from an online tutorial ;)

5. But it is not only about money

6. Attack attribution

7. General: $$ vs. APT
   - $$ -> attacks en masse; social engineering is common; doesn't rely on 0day; rapid outbreaks
   - APT -> multi-staged; single targeted exploit; mostly "spear-phishing" or variants

8. A word on attribution
   - Attribution is not just the malware analysis

9. Points to note
   - Binary analysis (reversing)
   - Exploit coding style and encoding
   - Infection vectors (iframing, malvertising, mass mailing etc)
   - Bits and pieces in binary and deobfuscated code

10. Brief: Data sources and Tools (covered in workshop)

11. Data analysis and sources
   - Dealing with large volume of data (public forums, bbs, manual follow up)
   - Mostly public data (reading, scraping, post analysis etc)
   - Often: post mortem analysis of compromised systems

12. Intelligence Gathering
   - Automated and manual analysis of publicly available data

13. Automation: difficulties
   - Language: complicated for automated processing (slang, misspellings, multiple spellings)
   - Context evaluation for new items of trade requires manual analysis

14. Ex.: What does this say?

15. Good luck w/ automated translation
   - After language adaptation filter:

16. Slang sources
   - Fenya - Russian prison slang
   - Anglicisms - English loan words
   - Rhyming slang - sounds like the English word
   - Direct translation
   Team Cymru has nice research on Russian slang. Not repeated here.

17. Tools of trade
   - Covered in workshop. So we'll skip that part

18. So, Russian underground - mafia or geeks? :)

19. From Russia with ...
   - What is the biggest Russian export besides oil, gas and nuclear scientists?? :)

20. - malware -
   Stuff that lives in your PC against your will :)

21. Typical export sample:
   - Targets MS platforms
   - Often multi-component (loader, payload functions in form of DLL etc)
   - Sensitive information collection (data, keystrokes and credential information)
   - Turns computer into web proxy, smtp proxy, socks etc (useful for rent, spamming etc)
   - May extort money from end user

22. Looks familiar?

23. Moscow arrest (31/08/2010)
   Annual income: over 500,000 rubles (100,000 USD). One unlock charged at 300 rubles (10 USD) via SMS.

24. Scale: big

25. "export" through legitimate sites

26. Which end up in Google blacklist

27. Why such spike?
   - Fun?
   - Profit!

28. But there's much more..
   malware / OTHER COOL STUFF :-)

29. That's not a Russian hax0r

30. This is closer..

31. Insight on underground market
   - :-)

32. Disclaimer: We don't sell or advertise any service
   - We simply look at the trades :-)

33. "We are after the money!" ;-)
   - Banking credentials
   - Credit cards
   - Shops and goods
   - Online goods and services
   - Online currencies
   - Monetization via carrier providers and more

34. Crash course ("likbez")
   - WMZ - WebMoney - one WMZ = one USD
   - Drop - money mule
   - CC - credit cards
   - Abuse resistant - safe to host any kind of fraudulent service
   - Partnerka - partnership (affiliate) program
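Slides 13, 15 and 16 say why automated processing of underground forum text is hard (slang, misspellings, multiple spellings) and mention a "language adaptation filter" applied before translation. The following is an added example of such a filter, written for this transcript and not code from the talk or its authors: it canonicalises the jargon from the crash-course glossary above before a post goes to translation or keyword search. The spelling variants, the transliteration table and the sample post are constructed assumptions, not data from the slides.

```python
# Added example (not from the talk): a small "language adaptation filter" that
# tags underground-forum jargon before automated translation or search.
# Glossary terms come from the talk's crash-course slide; the variant
# spellings and the sample post are constructed for illustration.
import re
import unicodedata
from difflib import SequenceMatcher

# Canonical term -> spellings seen for it (Cyrillic, transliterated, English).
GLOSSARY = {
    "WMZ": ["wmz", "вмз", "webmoney", "вебмани"],
    "drop": ["drop", "дроп", "дропы", "дропов", "дропа"],
    "CC": ["cc", "сс", "карты", "карт", "кардс"],
    "abuse-resistant": ["абузоустойчивый", "абузоустойчивая", "абузоустойчивого",
                        "abuzoustoichivyi", "bulletproof"],
    "partnerka": ["партнерка", "партнёрка", "partnerka", "партнерки"],
}
# Expansion written into the text so a translator/analyst sees the meaning.
EXPANSION = {
    "WMZ": "WMZ (WebMoney unit, 1 WMZ = 1 USD)",
    "drop": "drop (money mule)",
    "CC": "CC (credit cards)",
    "abuse-resistant": "abuse-resistant (hosting safe for fraudulent services)",
    "partnerka": "partnerka (affiliate program)",
}
# Crude Cyrillic -> Latin transliteration so "дроп" also hits the key "drop".
_TRANSLIT = str.maketrans({
    "а": "a", "б": "b", "в": "v", "г": "g", "д": "d", "е": "e", "ж": "zh", "з": "z",
    "и": "i", "й": "y", "к": "k", "л": "l", "м": "m", "н": "n", "о": "o", "п": "p",
    "р": "r", "с": "s", "т": "t", "у": "u", "ф": "f", "х": "kh", "ц": "ts", "ч": "ch",
    "ш": "sh", "щ": "shch", "ъ": "", "ы": "y", "ь": "", "э": "e", "ю": "yu", "я": "ya",
})

def normalize(token: str) -> str:
    """Unicode-fold, lower-case and collapse ё/е, the most common spelling split."""
    return unicodedata.normalize("NFKC", token).lower().replace("ё", "е")

def translit(token: str) -> str:
    return token.translate(_TRANSLIT)

# Reverse index: every known spelling, plus its transliteration, -> canonical term.
_INDEX = {}
for _canon, _variants in GLOSSARY.items():
    for _v in _variants:
        _INDEX[normalize(_v)] = _canon
        _INDEX[translit(normalize(_v))] = _canon

def lookup(token: str):
    """Return the canonical term for a token, or None if it is not jargon."""
    n = normalize(token)
    for cand in (n, translit(n)):
        if cand in _INDEX:
            return _INDEX[cand]
    # Misspellings: fuzzy match, but only for longer tokens and a high ratio,
    # so short everyday words do not get tagged by accident.
    if len(n) >= 4:
        best, score = None, 0.0
        for key, canon in _INDEX.items():
            if len(key) >= 4:
                r = SequenceMatcher(None, n, key).ratio()
                if r > score:
                    best, score = canon, r
        if score >= 0.8:
            return best
    return None

def filter_post(text: str):
    """Annotate jargon in-place and return (annotated_text, sorted canonical terms)."""
    found = set()
    def repl(m):
        canon = lookup(m.group(0))
        if canon is None:
            return m.group(0)
        found.add(canon)
        return f"{m.group(0)}[{EXPANSION[canon]}]"
    return re.sub(r"\w+", repl, text), sorted(found)

# Constructed sample post (not taken from the talk's screenshots).
SAMPLE_POST = "Продам сс, оплата только вмз. Нужны дропы в ЕС. Абузоустойчивый хостинг + партнёрка."

if __name__ == "__main__":
    annotated, terms = filter_post(SAMPLE_POST)
    print(annotated)
    print(terms)
```

The fuzzy branch handles the misspelling case the slide complains about (a dropped letter in "абузоустойчивый" still resolves), while the transliteration step collapses Cyrillic and Latin spellings of the same word into one index key.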
35. Online currencies
   - WebMoney (WMZ)
   - Yandex Money
   - LR (Liberty Reserve)
   - ePassporte (dead!)

36. More payment systems

37. Exchange points

38. Trading rules
   Guarantee service

39. Service verification

40. Blacklists

41. White lists

42. Credit cards
   Very accessible

43. CC deals made easy

44. Cards, burners

45. And more

46. Bad $$ => good $$ :P

47. Other online goods

48. Professional mass infection
   <-- Pricing (per 1000 installs)

49. ICQ - elite nums :p

50. Mail cracking -:)
   ~65 USD (price shown in rubles)

51. Looks familiar?

52. Passport scans
   4-5 USD/scan avg; .eu, .ru, .us, Asian; one-hand sales; also offered - scan "redraw"; special prices for bulk

53. Full package is also available

54. "Business package" includes..
   "For money of any state of dirtiness!" Pack includes:
   1. Bank account (online access)
   2. ATM card (daily withdrawal limit 1000 USD / 6000 USD per month; limit increase possible for +30 USD)
   3. Code card (passwords for online access)
   4. Passport copy of the drop ("poor john")
   5. SIM card
   Also can be pre-ordered on custom passport scan (25 USD)

55. Drop:
   Another way to turn dirty cash into profit

56. Saw the news? :)

57. Zeus witch hunt :)
   Not sure if this would change things :)

58. New bots - custom made
   http://www.nomina.ru/search/alternatives_by_value.php?paid_till=2010-09-06&domain=rundll32.ru

59. Or pre-built
   Why "zeus" when you can buy this?! :p

60. Comes with handy admin panel

61. Traf + loader = $$$$

62. Costs (per 1000 unique visitors)
   - AU - 300-550$
   - UK - 220-300$
   - IT - 200-350$
   - NZ - 200-250$
   - ES, DE, FR - 170-250$
   - US - 100-150$
   - RU, UA, KZ, KG .. 10-40$

63. Mass domain theft

64. DDOS - very affordable
   "We remove sites of your competitors with DDOS attack. Fast and effective." Supported: ... Prices (in WMZ ~= USD). Discounts for bulk.

65. Abuse resistant hosting

66. Malware A/V QA

67. Hash cracking in cloud

68. Captcha in cloud

69. Exploit packs

70. With nice stats

71. Stats per country
   Clicks, loads (pwned ;), percentage

72. Need to build a botnet?

73. Welcome TDS system

74. Seller

75. Buyer

76. Owner

77. "Game" rules :)
   Iframe traffic: 4 USD/1000 clicks. No bot traffic (ruclicks). Payday - every Monday.

78. Making money together
   Fake AV affiliation program

79. Fake AV payouts
   Balance / Login

80. Crimeware: trends and research

81. Moving mobile
   - Steal a dollar from a million - still a million dollars
   - Trojaned handsets on sale
   - WAP sites spreading trojaned games are very popular
   - Android trojan samples from China:
     - http://www.antiy.com/cn/news/android_adrd.htm
     - Geinimi

82. Brief on Antiy report

83. Spreading vector

84. Mobile Malware

85. A case study
   - Available from a WAP site
   - X-rated version of python game
   - With a secret inside :)

86. Taking a glance

87. The trick!
   Press the button "stop" as soon as possible!

88. SEO spam
   < *bad* word (rus)

89. Now - delivered professionally :)

90. Malvertising

91. Malware infection hidden behind login screens
   - Frequent in banking or other online-credential targeted attacks
   - Effectively prevents services like Google blacklist, HA and others from identifying infections

92. Anti-DDOS el russo

93. Research
   - Monetization schemes
   - Taking over the existing infrastructures for forensics analysis and statistics
   - Hunt the hunters

94. Hunt the hunter
   - Pwnkit - automated exploitkit pwner
     - Automated exploit kit fingerprinting
     - Password bruteforce
     - Exploiting bugs and common misconfigurations
     - Generates statistics on exploit pack usage "in the wild"

95. Botnet cost estimation :)

96. DIY botnet ;)
   - Aim: build a 1,000,000-node network
   - No skills required
   - Buy these (available on sale):
     - Traffic
     - Abuse-resistant service
     - Exploit pack
     - Botnet gear

97. How much it costs
   - Traffic - 10-15K USD (mixed); infection ratio around 10-20% (depending on exploit pack)
   - Abuse resistant server 300 USD/month
   - Exploit pack 200-2000 USD
   - Botnet gear 500-10,000 USD
   - = 15-20,000 USD total + 1-2 months of work

98. So what's up with Russian authorities?! :)

99. No words ;-)

100. What's next?

101. Get some edukation :-)

102. Finale
   - Computer users ultimately trust their PC and follow its instructions (please download XX to disinfect YY :p)
   - You can be a victim, even if you paid for Kaspersky and apply patches regularly :)
   - While malware is what you mostly see, cybercrime is not about malware, it is about money
   - Global economy - global fraud - global fun? :p
   - 0day is not important. Volume is important
   - (Mostly) not organized crime but an ecosystem

103. Thanks! Throw your questions!
   - [email_address] http://www.o0o.nu