Sans Fire09 Pedro Bueno Rev1
My presentation at SANS Fire 2009.

    Presentation Transcript

    • Malwares, Money and Criminal/Terror Activity: The Dangerous Relationship
      Pedro Bueno, SANS GCIA, GREM
      pbueno@avertlabs.com / pbueno@isc.sans.org
      Malwares, Money and Criminal/Terror Activity – SANSFIRE 2009 – Baltimore, MD
    • Warming up...
      “Last I checked, it was physical terrorists who bombed the Marine barracks in Lebanon, who attacked the U.S.S. Cole, who took out the Oklahoma City federal building, and who suicide-bombed the World Trade Center and the Pentagon. Wily-fingered hackers had nothing to do with it.”
      CNet article “Cyberterror and professional paranoiacs”, 2003
    • Agenda
      ● Introduction
      ● The Motivations
      ● The Methods Used
      ● What About Cyber War?
      ● Conclusion
    • Introduction
      ● Significant change from 4 years ago to these days in the hacking world…
      ● Some years ago we had hackers “à la Mitnick”, or hacking for fame, looking for a better ranking on the (R.I.P.) Alldas.de defacement mirror
      ● Now we have hackers directly involved with cyber crime, which is also sponsored by real-world organized crime!
      ● Now we have hackers directly involved with cyber crime, which is also sponsoring real-world organized crime!
    • Introduction
      ● Money Money Money Money Money!
      ● Virus customized for a specific company of your choice = $50,000 USD
      ● Recycled virus (modified to avoid signature detection) = $200 USD
      ● 10 million email addresses = $160 USD
      ● Credit card number = $2~6 USD
      ● Credit card number with security code = $20~60 USD
      ● Renting a laptop which controls a botnet of 5,000~10,000 computers = $100/day
      Source: G-Data
    • Introduction
      ● Nowadays, cyber crime is changing the concept of cyber terrorism:
      ● Cyber terrorism as we know it: [1] “the use of information technology by terrorist groups and individuals to further their agenda. This can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically.” – NCSL
      ● Cyber terrorism as we should understand it: “[1] + the use of cyber crimes to sponsor real-world terrorism activity”
    • Introduction
    • Cyber Crimes - Motivation
      ● Illegal Financing
      ● Terrorism
      ● Mafia Style
    • Motivation
      ● Illegal Financing – as with any other organized crime group, whether regular organized crime or terrorism, for whatever objective: buying arms from illegal arms dealers, establishing a cell in a country, training, and operational actions.
    • Motivation
      ● Terrorism and Cyber terrorism: Myth vs. Reality
    • Motivation
      ● While Terrorism and Cyber terrorism are two different terms, they are highly linked to each other.
      ● Terrorism: the calculated use of violence (or the threat of violence) against civilians in order to attain goals that are political or religious
      ● Cyberterrorism: according to the U.S. Federal Bureau of Investigation, cyberterrorism is any "premeditated, politically motivated attack against information, computer systems, computer programs, and data which results in violence against non-combatant targets by sub-national groups or clandestine agents."
      ● But what about terror acts achieved with cyber help?
    • Motivation
      ● Cyber <-> Terror
        – 1999 – Hacking was used to obtain the Airbus A300 structural plans. Those plans were essential to the successful hijack of the Indian Airlines airplane in December 1999.
        – 2001 – In February, a hacker was contacted to get the structural plans of other airplanes, identical to those used in the 9/11 attack.
    • Motivation
      ● Terrorism (cont.)
        – Bali 2002 – a bombing attack on the tourist district of Kuta on the Indonesian island of Bali. Investigations revealed that the attack was financed by credit card fraud. Imam Samudra, author of the attacks, published a book with a chapter entitled "Hacking, Why Not?"
        – 2004 – Research revealed that ALL terrorist groups have some kind of ‘virtual cell’ on the Internet.
        – April 2006 – 5 family members of a Jordanian with American citizenship, accused of being an Al Qaeda contact, were arrested in California for bank fraud involving identity theft. Some of the money was transferred to an account in Amman, Jordan.
    • Motivation
      ● 2003-2006 – Al Qaeda cells that put their victims' execution videos on the Internet had members with Computer Science degrees from Baghdad University.
      ● November 2008 – coordinated shooting and bombing attacks in Mumbai, India. The terrorists used handhelds with GPS to establish their position, Skype for encrypted communication over the Internet, and Google Earth to plan and select the targets for the attack.
    • Motivation – The Mafia style
      ● The Amateurs…
        – CardPlanet
      ● Uses the same schema as the Italian Mafia
      ● Some “affiliates”:
        – Mazafara (aka Network Terrorism)
        – ShadowCrew
        – IAACA – International Association for the Advancement of Criminal Activity
    • Motivation
      ● The Mafia Style
      ● In January 2008, the well-known Russian site MP3Spack.com was cut off from a UK backbone for doing business with a web host linked to a cybercrime syndicate.
      ● It used web hosting from Abdallah, a Turkish network that has been serving malware for years.
      ● The Turkish network also had links with the RBN (Russian Business Network), which has also been serving malware for many years…
    • Motivation – The Mafia style
      ● The professionals…
      ● The Russian Business Network
        – Russian ISP originally based in Saint Petersburg, RU (v1)
        – Famous for hosting all kinds of illegal “business”, from child pornography to malware…
        – Very (ir)responsive to take-downs
        – Best known for their criminal online intents…
        – Has affiliate networks in different countries which help distribute their malicious content and make it harder to remove.
        – Strong links with the Russian Mob…
    • Motivation
      ● The RBN (cont.)
      ● The ZeuS toolkit, Mpack and Storm Worm are examples of malware/kits linked to it.
      ● Went down in Nov 2007, to come back months later…
      ● Now it uses different small ISPs as the front end of its activities.
      ● As of today, its status is Active!
    • Methods
      ● Identity Theft
      ● Phishing and Phishing Kits
      ● PWS trojans
      ● Virtual Money Laundering
      ● Botnets
    • Methods
      ● Identity Theft
    • Methods
      ● Identity Theft
        – The use of the identities of others to carry out violations of federal criminal law
        – More than 25 types of ID theft investigated by the USSS.
        – A way to obtain driver's licenses, bank and credit card accounts through which terrorism financing is facilitated
        – An Al-Qaeda terrorist cell in Spain used stolen credit cards in fictitious sales scams and for numerous other purchases for the cell, and also used stolen telephone and credit cards for communications back to Pakistan, Afghanistan, Lebanon, etc.
    • Methods
      ● Phishing – Traditional
        – Very common method to get personal data such as SSN, birth date and family names, as well as bank data, by forging the bank webpage.
        – Old, but still functional!
        – “U.S. consumers lost roughly $3.2 billion to phishing scams in 2007” – Gartner Survey
    • Methods - Phishing
    • Methods - Phishing
      ● Global Cyber Organized Crime
      ● In May 2008 the FBI arrested 38 people linked to a fraud scheme involving the U.S., Portugal, Romania, Pakistan and Canada.
      ● Source: FBI
      ● Group “A” in Romania (mostly) ran the spam with phishy messages, leading the victim to a phishing site where they were able to get most personal information, such as PIN, SSN, CCN…
      ● Group “A” sent the info to Group “B” in the U.S., which manufactured their own credit, debit and gift cards to be used in the real world!
    • Methods – Phishing Kits
      ● Created as PHP-based malware ‘kits’
      ● Usually developed by Russian criminals (and the RBN)
      ● Also present a C&C
      ● Examples of such kits are:
        – Mpack/IcePack
        – ZeuS
      ● Costs around $700-$1000 USD
    • Methods – Phishing Kits – Mpack/IcePack Kits
      ● The latest version exploits the following client-side vulnerabilities:
        – CVE-2008-2992 - buffer overflow in Adobe Acrobat and Reader in util.printf
        – CVE-2009-0927 - buffer overflow in Adobe Reader and Acrobat via getIcon
        – CVE-2006-5198 - WinZip FileView ActiveX Control Unsafe Method Exposure Vulnerability
        – CVE-2007-0015 - Buffer overflow in Apple QuickTime 7.1.3
        – MS06-006 - Firefox 1.5.x/Opera 7.x WMP plugin vuln
        – MS06-014 - ADODB/MDAC vuln
        – MS06-057 - WebViewFolderIcon ActiveX vuln
        – MS06-071 - XML setRequestHeader vuln
        – MS07-017 – ANI vuln
        – CVE-2007-3147 - Buffer overflow in the Yahoo! Webcam Upload ActiveX
        – MS05-052 - Internet Explorer COM objects vuln
        – MS06-024 - Vulnerability in Windows Media Player
    • Methods – Phishing Kits – Mpack/IcePack Kits
      ● Some highlights:
        – Uses an iFrame to determine the best attack model
        – Controls the machine remotely through HTTP
        – Serves exploits based on country, using GeoIP
        – Serves exploits based on browser type, including MSIE, Opera and Firefox
        – Allows different statistics
        – Offers an admin panel for updates, views, etc…
    • Methods – Phishing Kits – Mpack/IcePack Kits
      ● Mpack statistics page:
    • Methods – Phishing Kits – ZeuS Kits
      ● Another type of PHP kit
        – A mix of server-side phish and client malware
        – Also creates a botnet based on the HTTP protocol
        – Also has a C&C
        – Bank oriented!
        – Targets US banks:
          ● Bank of America
          ● Chase
          ● Citibank
    • Methods – Phishing Kits – ZeuS Kits
      ● European banks:
        – Santander
        – HSBC in the UK
        – Lloyds
        – Halifax
        – Barclays
        – Banco Popular
      ● And more…
        – …<insert your bank here>
    • Methods – Phishing Kits – ZeuS Kits
      ● The ZeuS client is created with a builder application:
      ● Information screen; also removes it from the machine
    • Methods – Phishing Kits – ZeuS Kits
      ● The client offers some builder options:
        – Can choose and modify the configuration file
    • Methods – Phishing Kits – ZeuS Kits
      ● Creates two files:
        – Cfg.bin – the configuration file
        – loader.exe – the actual malware
    • Methods – Phishing Kits – ZeuS Kits
      ● The logs are encoded. However, the builder provides a way to decode the logs generated by the client.
    • Methods
      ● PWS Trojans
        – Stands for Password Stealer trojans
        – Steal passwords for bank accounts: called PWS-Bankers
        – Steal passwords used in online games: called PWS-OnlineGames
    • Methods
      ● PWS Trojans
      ● Basic PWS-Banker “modus operandi”:
        1. User receives an email with a fake juicy message
        2. User clicks on the link
        3. User downloads a small file and runs it
        4. The file opens an error message and closes, and downloads another, bigger file in the background
        5. The big file intercepts the bank website access attempt and prompts a fake login to retrieve the user’s bank credentials
        6. The trojan sends an email to the hacker with the bank credentials
    • Methods
      ● PWS-Bankers
      ● New features:
      ● Targeted banking!
      ● Steals certificate files used by banks, like *.crt and *.key
      ● Modular
        – Downloader
        – URL list
        – Redundancy!
      ● Grabs screenshots and records video clips
      ● Encrypts the data sent to the hacker
    • Methods – PWS Bankers trojans
      ● Move about 200 million USD/year in South America
      ● Started with 3 major malware-writing groups in Brazil
      ● About a year ago, the groups started to develop special versions for other countries in Latin America, like Argentina and Colombia
      ● Peru and Mexico have their own versions
      ● The money was mostly used to buy expensive cars
      ● Now it is also used to sponsor real-world organized crime
    • Methods
      ● PWS-Bankers – questions to be answered about the South America scheme:
        – Is the money shared between the Brazilian and Argentinian groups?
        – Is the code being sold to Argentinian groups, or modified?
        – Is there Brazilian organized crime acting in Argentine territory?
    • Methods
      ● PWS Bankers trojans – newest feature! (screenshots labelled DOJ, NSA, SSN)
      http://www.avertlabs.com/research/blog/index.php/2009/05/01/a-closer-look-at-a-swine-flu-spam/
    • Methods – PWS-Bankers
    • Methods – PWS Online Games Trojans
      PWS OnlineGames – virtual money becomes money in the real world!
      Source: SANS ISC
    • Methods – PWS Online Games Trojans
      These trojans attempt to steal the game credentials and steal/transfer/sell all gold (virtual money).
      100,000 gold farmers worldwide; $1.8 billion / year traded in virtual items.
      Source: SANS ISC
    • Virtual Money Laundering
      ● Uses online games as a vector
      ● Second Life example:
        – “9 million residents are able to move about, interact with and/or chat privately with other residents, participate in activities and trade or buy virtual items and/or services from other residents. Additionally, virtual real estate may be purchased, sold and rented and virtual casinos are plentiful.” – BankInfo Security
        – Gambling on Second Life was available until 2007
        – The currency is Linden Dollars, which can be exchanged for USD
    • Methods – Bots/Botnets
      1. Scan & exploit: compromised machines scan for and compromise new machines
      2. The compromised machines join an IRC network, controlled by a remote person
      3. The remote person can now order a number of activities from the compromised machines, like a DDoS
    • Methods – Bots/Botnets
      ● The boom happened in 2004/2005
        – In April 2004, more than 900 bot variants
        – In 2005, it rose more than 175% compared to 2004
    • Methods – Bots/Botnets
      ● Example of a bot source code, under the GNU license... (GPL!)
    • Methods – Bots/Botnets
      ● Easy to modify...
    • Methods – Bots/Botnets
    • Methods – Bots/Botnets
      FAQ! (screenshot of the bot's server and user parameters)
    • Methods – Bots/Botnets
    • Methods – Bots/Botnets
      ● Why?
        – Profit
          ● Spam, password stealers...
        – Piracy
          ● warez, videos, books...
        – Profit
          ● DDoS for hire!
        – Cyberspace power
          ● Did I hear cyberwar??
    • Methods – Bots/Botnets
      ● Source: F-Secure Weblog (http://www.f-secure.com/weblog)
    • Botnets usage...
      ● “...Saad Echouafni, head of a satellite communications company, is wanted in Los Angeles, California for allegedly hiring computer hackers to launch attacks against his company's competitors. On August 25, 2004, Echouafni was indicted by a federal grand jury in Los Angeles in connection with the first successful investigation of a large-scale distributed denial of service attack (DDOS) used for a commercial purpose in the United States....”
      ● “...That business, as well as others both private and government in the United States, were temporarily disrupted by these attacks which resulted in losses ranging from $200,000 to over $1 million...”
      ● Source: FBI
    • Methods – Bots/Botnets – Bots Activities
    • Methods – Bots/Botnets
      [17:11] <randomnick> .up
      [17:11] <[x]12212893> [MAIN]: Uptime: 1d 8h 50m.
      [17:11] <[x]55483161> [MAIN]: Uptime: 2d 8h 18m.
      [17:11] <[x]32705837> [MAIN]: Uptime: 2d 6h 49m.
      [17:11] <[x]66729140> [MAIN]: Uptime: 0d 4h 2m.
      [17:11] <[x]62694986> [MAIN]: Uptime: 0d 7h 0m.
      [17:11] <[x]77045269> [MAIN]: Uptime: 23d 8h 10m.
      [17:11] <[x]10568877> [MAIN]: Uptime: 0d 8h 8m.
      [17:11] <[x]43332600> [MAIN]: Uptime: 0d 5h 8m.
      [17:11] <[x]38093578> [MAIN]: Uptime: 0d 9h 14m.
      [17:11] <[x]59464173> [MAIN]: Uptime: 29d 9h 14m.
      [17:11] <[x]59968649> [MAIN]: Uptime: 23d 8h 9m.
      [17:11] <[x]29780258> [MAIN]: Uptime: 0d 6h 29m.
      [17:11] <[x]70324359> [MAIN]: Uptime: 23d 8h 10m.
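An added example, not part of the original presentation: a small detector that runs over the IRC channel log above (embedded as a constructed sample) and flags the command/response burst that a herder's `.up` produces and human chat does not. The `[x]`-plus-digits nick pattern and the `[MAIN]: Uptime:` reply template are taken from the slide; the threshold of five bots is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample copied from the slide's IRC log: one channel message per
# line. The controller's nick is human-looking; the bots' nicks are "[x]" + digits.
SAMPLE_IRC_LOG = """\
[17:11] <randomnick> .up
[17:11] <[x]12212893> [MAIN]: Uptime: 1d 8h 50m.
[17:11] <[x]55483161> [MAIN]: Uptime: 2d 8h 18m.
[17:11] <[x]32705837> [MAIN]: Uptime: 2d 6h 49m.
[17:11] <[x]66729140> [MAIN]: Uptime: 0d 4h 2m.
[17:11] <[x]62694986> [MAIN]: Uptime: 0d 7h 0m.
[17:11] <[x]77045269> [MAIN]: Uptime: 23d 8h 10m.
[17:11] <[x]10568877> [MAIN]: Uptime: 0d 8h 8m.
[17:11] <[x]43332600> [MAIN]: Uptime: 0d 5h 8m.
[17:11] <[x]38093578> [MAIN]: Uptime: 0d 9h 14m.
[17:11] <[x]59464173> [MAIN]: Uptime: 29d 9h 14m.
[17:11] <[x]59968649> [MAIN]: Uptime: 23d 8h 9m.
[17:11] <[x]29780258> [MAIN]: Uptime: 0d 6h 29m.
[17:11] <[x]70324359> [MAIN]: Uptime: 23d 8h 10m.
"""

# Constructed benign chatter for comparison: humans talking, no command/response burst.
BENIGN_IRC_LOG = """\
[17:11] <alice> anyone seen the new patch?
[17:11] <bob> yes, installing it now
[17:12] <carol> works for me, uptime is fine
"""

LINE_RE = re.compile(r"^\[(\d{2}:\d{2})\] <([^>]+)> (.*)$")
BOT_NICK_RE = re.compile(r"^\[x\]\d{6,}$")   # machine-generated nick pattern seen in the log
UPTIME_RE = re.compile(r"Uptime: (\d+)d (\d+)h (\d+)m")


def parse_irc_line(line):
    """Split '[HH:MM] <nick> message' into (time, nick, message); None if not a channel line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def uptime_minutes(msg):
    """Convert a bot's 'Uptime: Xd Yh Zm' reply into minutes; None when absent."""
    m = UPTIME_RE.search(msg)
    if not m:
        return None
    days, hours, mins = (int(x) for x in m.groups())
    return days * 1440 + hours * 60 + mins


def detect_botnet_chatter(lines, min_bots=5):
    """Flag each timestamp at which >= min_bots bot-style nicks answer with the
    same message template (digits normalised to 'N'), and record the command
    and human-looking nick that preceded the burst, if any."""
    by_time = defaultdict(list)
    for ts, nick, msg in filter(None, map(parse_irc_line, lines)):
        by_time[ts].append((nick, msg))

    findings = []
    for ts, msgs in sorted(by_time.items()):
        commands = [(n, m) for n, m in msgs if m.startswith(".") and not BOT_NICK_RE.match(n)]
        replies = [(n, m) for n, m in msgs if BOT_NICK_RE.match(n)]
        if not replies:
            continue
        template, count = Counter(re.sub(r"\d+", "N", m) for _, m in replies).most_common(1)[0]
        if count < min_bots:
            continue
        uptimes = [u for u in (uptime_minutes(m) for _, m in replies) if u is not None]
        findings.append({
            "time": ts,
            "controller": commands[0][0] if commands else None,
            "command": commands[0][1] if commands else None,
            "bots": count,
            "reply_template": template,
            "max_uptime_min": max(uptimes) if uptimes else None,
        })
    return findings
```

The long uptimes (23 and 29 days) are themselves a triage hint: those hosts have been infected and unpatched for weeks.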
    • Methods – Bots/Botnets
      ● Packet dumps...
    • Methods – Bots/Botnets
    • Methods – Bots/Botnets
    • Methods – Bots/Botnets – the new generation
      ● Storm Worm case... (aka Nuwar, postcard worm...)
        – P2P based
      ● Say bye-bye to a central C&C!
      ● Hard to detect on the infected machine (uses a rootkit)
      ● Many different binaries
      ● Use of Fast-Flux networks
      ● Quite complex P2P network
    • Methods – Bots/Botnets – the new generation
      ● Storm Worm allows:
        – Pump and dump spam (stock spam)
          ● “involving use of false or misleading statements to hype stocks, which are "dumped" on the public at inflated prices.”
          ● The company's share price goes up, so it is possible to sell the stock at a higher price!
          ● Using different file formats, like PDF, DOC, Excel, plain text…
        – Phishing emails that lead to sites with client-side exploits (RBN again…)
        – DDoS attacks and auto-DDoS
        – High availability due to Fast-Flux networks
    • Methods – Bots/Botnets – the new generation
      ● A quick highlight of the Fast-Flux schema:
      Source: Honeynet project
    • Methods – Bots/Botnets – the new generation
      ● Example:
        giftapplys.cn IN A 0:89.228.78.213
        giftapplys.cn IN A 0:98.14.181.131
        giftapplys.cn IN A 0:64.53.130.14
        giftapplys.cn IN A 0:70.121.217.6
        giftapplys.cn IN A 0:220.248.169.116
        giftapplys.cn IN A 0:71.226.85.20
        giftapplys.cn IN A 0:81.132.159.4
        giftapplys.cn IN A 0:190.50.120.156
        giftapplys.cn IN A 0:68.90.143.63
        giftapplys.cn IN A 0:67.187.207.126
        giftapplys.cn IN A 0:12.214.208.136
        giftapplys.cn IN A 0:98.212.18.73
        giftapplys.cn IN A 0:71.197.38.110
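An added example, not part of the original presentation: it applies the Honeynet-style fast-flux indicators (many A records, very short TTL, addresses scattered across unrelated networks) to the records above, embedded as a constructed sample in the slide's transcribed form. Reading the `0` before each address as the TTL is an assumption about the transcription, and the thresholds are assumptions too.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample copied from the slide above, in its transcribed form
# "name IN A TTL:address"; reading the leading 0 as the TTL is an assumption.
FLUX_RECORDS = """\
giftapplys.cn IN A 0:89.228.78.213
giftapplys.cn IN A 0:98.14.181.131
giftapplys.cn IN A 0:64.53.130.14
giftapplys.cn IN A 0:70.121.217.6
giftapplys.cn IN A 0:220.248.169.116
giftapplys.cn IN A 0:71.226.85.20
giftapplys.cn IN A 0:81.132.159.4
giftapplys.cn IN A 0:190.50.120.156
giftapplys.cn IN A 0:68.90.143.63
giftapplys.cn IN A 0:67.187.207.126
giftapplys.cn IN A 0:12.214.208.136
giftapplys.cn IN A 0:98.212.18.73
giftapplys.cn IN A 0:71.197.38.110
"""

# Constructed benign comparison: a few addresses in one netblock with a long
# TTL, which is what an ordinary load-balanced site typically looks like.
BENIGN_RECORDS = """\
www.example.com IN A 3600:203.0.113.10
www.example.com IN A 3600:203.0.113.11
www.example.com IN A 3600:203.0.113.12
www.example.com IN A 3600:203.0.113.13
"""

RECORD_RE = re.compile(r"^(\S+)\s+IN\s+A\s+(\d+):(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_records(text):
    """Return [(name, ttl, IPv4Address)] for each parsable line; skip the rest."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        name, ttl, ip = m.groups()
        try:
            out.append((name.lower().rstrip("."), int(ttl), ipaddress.IPv4Address(ip)))
        except ValueError:          # e.g. an octet above 255
            continue
    return out


def flux_report(records, min_addrs=5, max_ttl=300, min_spread=0.5):
    """Score each name: distinct addresses, distinct /16 netblocks, the largest
    TTL seen, and a fast-flux verdict. 'spread' is netblocks divided by
    addresses, so 1.0 means every address sits in a different /16."""
    by_name = defaultdict(list)
    for name, ttl, ip in records:
        by_name[name].append((ttl, ip))
    report = {}
    for name, rrs in by_name.items():
        addrs = {ip for _, ip in rrs}
        blocks = {ipaddress.IPv4Network(f"{ip}/16", strict=False) for ip in addrs}
        spread = len(blocks) / len(addrs)
        ttl_seen = max(ttl for ttl, _ in rrs)
        report[name] = {
            "addresses": len(addrs),
            "netblocks_16": len(blocks),
            "spread": round(spread, 2),
            "max_ttl": ttl_seen,
            "fast_flux": len(addrs) >= min_addrs and ttl_seen <= max_ttl and spread >= min_spread,
        }
    return report
```

In a real resolver log the same check runs over successive answers for one name, since flux is also visible as the address set changing between queries.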
    • What About Cyber Warfare?
    • What About Cyber Warfare?
      ● What is Cyber Warfare?
      ● “It can include defending information and computer networks, deterring information attacks, as well as denying an adversary’s ability to do the same. It can include offensive information operations mounted against an adversary, or even dominating information on the battlefield.” - CRS Report for Congress
      ● Remember that if we think about 4th generation warfare, the “adversary” can be a nation, state or group:
        – Israel x Hamas
        – Russia x Georgia/Estonia
        – PCA (Pakistan Cyber Army) x HGM (Hindu Militant Group)
    • What About Cyber Warfare?
      ● Some highlights…
      ● “China has an active cyber espionage program” - USCC 2008 Annual Report
      ● “Cyber and sabotage attacks on critical US economic, energy, and transportation infrastructures might be viewed by some adversaries as a way to circumvent US strengths on the battlefield and attack directly US interests at home.” – Global Trends 2025: A Transformed World, November 2008
    • What About Cyber Warfare?
      Of course, those are critical items and have to be taken seriously, but do we really need to worry about highly skilled, government-sponsored hacker groups when so many less sophisticated attacks are happening?
    • What About Cyber Warfare?
      ● France
    • What About Cyber Warfare?
      ● Germany
    • What About Cyber Warfare?
      ● UK
    • What About Cyber Warfare?
      ● US
    • What About Cyber Warfare?
      ● Many critical environments are still being affected by worms that spread by exploiting months-old patched vulnerabilities, open network shares with write permission, and USB sticks
      ● Is it realistic to think that a significant number of systems were/are already owned?
    • What About Cyber Warfare?
    • What About Cyber Warfare?
      …but we have AV!!!
      "The agency was running desktop malware software, but it had not been updated for more than three years -- even though the agency had paid for upgrades to newer versions that protect against Neeris. In addition, Microsoft has issued two patches, one in 2006 and one in October, to close holes in its software exploited by Neeris."
    • Conclusion
      ● The cyber crime industry moves about 100 billion USD/year and is the most successful sector of organized crime… growing 40%/year
      ● There is no way to treat cyber crimes and real-world crimes differently
      ● Both cause billions in losses
      ● Both are used to sponsor illegal activities
      ● Both can be used to sponsor real-world terror
      ● …and Cyber Warfare is just around the corner…
    • Conclusion
      ● May 2008
      ● IDG: Do you see any areas of the world that are emerging sources of concern when it comes to cybercrime?
      INTERPOL Executive Director Jean-Michel Louboutin: Terrorism. I think the main concern for the world is terrorism, fraud. This is very important. They use the Internet a lot. We can have different networks of terrorism using the Internet, because it is very easy to create a site. You can create propaganda. You can recruit. Now the main recruitment for Afghanistan is over the Internet. Terrorists are chatting on Internet sites. They can provide tools for training. They can set up rendezvous. They can use encrypted language to give orders. It is a major trend.
    • Remember this?
      “Last I checked, it was physical terrorists who bombed the Marine barracks in Lebanon, who attacked the U.S.S. Cole, who took out the Oklahoma City federal building, and who suicide-bombed the World Trade Center and the Pentagon. Wily-fingered hackers had nothing to do with it.”
      CNet article “Cyberterror and professional paranoiacs”, 2003
    • Questions! [The End!]
      pbueno@isc.sans.org / pbueno@avertlabs.com