Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]

Transcript

  • 1. Rooted CON 2014, 6-7-8 March. 50 Shades of Crimeware. Manu Quintans, Frank Ruiz.
  • 2. Who are we? Manu Quintans: Threat Intelligence Manager at Buguroo / Deloitte. Frank Ruiz: Intelligence Analyst at Fox IT. And yes, we hunt malware like a sir.
  • 3. Index: What do we know about Cyber-Crime?; It's time to get back to reality; Understanding Cyber-Crime activities; Previously on … 2013; Reality bites: Cyber-Crime evolution 2013-2014; New trends in Cyber-Crime; Examples (we have a Target…); Infrastructure; Demo time (yes, we have a demo; please put your smartphone down and enjoy…).
  • 4-8. What do we know about Cyber-Crime? (image slides)
  • 9. What do we know about Cyber-Crime? Brian Krebs post life cycle. (WE NEED DIAGRAM.)
  • 10-13. It's time to get back to reality. (image slides)
  • 14. Understanding Cyber-Crime activities.
  • 15. Understanding Cyber-Crime activities. LAYER #1, The Undercoat (just for kiddies): HackForums, Exploit.IN, Antichat.RU, Damagelabs, DarkCode, Indetectables.
  • 16-19. Understanding Cyber-Crime activities. The Undercoat. (image slides)
  • 20. Understanding Cyber-Crime activities. LAYER #2, The Limbo (pseudo-pro): CPRO.SU, Pustota, Verified.msx, Infraud.su.
  • 21-22. Understanding Cyber-Crime activities. (image slides)
  • 23. Understanding Cyber-Crime activities. LAYER #3, Heaven's door (Gang'stah!-PRO).
  • 24-25. Understanding Cyber-Crime activities. (image slides)
  • 26. Understanding Cyber-Crime activities. LAYER #4, Private (семья, "family"): ZeusP2P, CryptoLocker, Sinowall, Gozi.
  • 27. Video history.
  • 28. Understanding Cyber-Crime activities, the four layers together: The Undercoat (just for kiddies): HackForums, Exploit.IN, Antichat.RU, Damagelabs, DarkCode, Indetectables. The Limbo (pseudo-pro): CPRO.SU, Pustota, Verified.msx, Infraud.su. Heaven's door (Gang'stah!-PRO). Private (семья, "family"): ZeusP2P, CryptoLocker, Sinowall, Gozi.
  • 29. Previously on … 2013
  • 30. Previously on … 2013. First year without new banking Trojans (except KINS, aka Kasper). Symlink arrested (January). Paunch, author of the BlackHole Exploit Kit, arrested (October). The FBI shuts down Silk Road and arrests Ross William Ulbricht (October). Target breach :-) (November/December). The FBI, with the cooperation of the Spanish police, takes down Liberty Reserve and arrests its CEO (May 2013).
  • 31. Previously on … 2013 / 2014. It has been a special year in the evolution of the cybercrime industry: the feeling of impunity begins to disappear; mid-level groups begin to close down and professionalize their assets; ironically, the vetted gangs start to show some gaps.
  • 32. Previously on … 2013 / 2014. These changes are due to: arrests; the proliferation of bloggers and Twitter accounts 'investigating' the cybercrime scene (pr0n stars); insider researchers; leaks (pastes, services…).
  • 33. Previously on … 2013 / 2014. Conclusions: the cybercrime "industry" is now more closed than ever.
  • 34. New trends in Cyber-Crime
  • 35. New trends in Cyber-Crime. We found new trends in the Cyber-Crime industry, such as: POS (point of sale) malware; new mobile malware (e.g. Tor-based); cryptocurrencies.
  • 36. New trends in Cyber-Crime. POS (point of sale), but why? The lack of a banking Trojan for sale and the large increase in demand for cards has moved many players into this business. Citadel users move their business to this new system. The supply of POS malware for sale grows.
  • 37. New trends in Cyber-Crime. POS (point of sale): what did we find on the underground market? Alina malware, Dexter malware, BlackPOS malware: the beauty, the bad and the ugly.
  • 38. New trends in Cyber-Crime. POS (point of sale), and services? Of course! JackPos.
  • 39. New trends in Cyber-Crime. Mobile malware: increase in web injections with support for mobile malware. Mobile malware for sale: iBanking (as a service), Perkele. Uses new resources such as Tor.
  • 40. New trends in Cyber-Crime. Mobile malware: iBanking.
  • 41. New trends in Cyber-Crime. Mobile malware: Perkele.
  • 42-44. New trends in Cyber-Crime. Cryptocurrencies. (image slides)
  • 45. New trends in Cyber-Crime. Cryptocurrencies: total hash rate and 24h hash rate (chart).
  • 46. Let's see some real examples of the new trends.
  • 47. Example
  • 48. Example. Timeline of Brian Krebs's posts:
    • 18 Dec 2013: Sources: Target Investigating Data Breach
    • 20 Dec 2013: Cards Stolen in Target Breach Flood Underground Markets
    • 22 Dec 2013: Non-US Cards Used At Target Fetch Premium
    • 24 Dec 2013: Who's Selling Credit Cards from Target?
    • 10 Jan 2014: Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen
    • 15 Jan 2014: A First Look at the Target Intrusion, Malware
    • 16 Jan 2014: A Closer Look at the Target Malware, Part II
    • 29 Jan 2014: New Clues in the Target Breach
    • 04 Feb 2014: These Guys Battled BlackPOS at a Retailer
    • 05 Feb 2014: Target Hackers Broke in Via HVAC Company
    • 12 Feb 2014: Email Attack on Vendor Set Up Breach at Target
    • 19 Feb 2014: Fire Sale on Cards Stolen in Target Breach
    • 25 Feb 2014: Card Backlog Extends Pain from Target Breach
  • 49-50. Example (image slides)
  • 51-53. Intelligence (image slides)
  • 54. Cyber-Criminals' Infrastructure
  • 55. Infrastructure, simple: the botnet C&C sits directly on the Internet.
  • 56. Infrastructure, proxy: victims talk to a proxy that forwards to the botnet C&C.
  • 57. Infrastructure, double proxy: victims, proxy 1, proxy 2, botnet C&C.
  • 58. Infrastructure, fast flux + C&C: the victim's HTTP GET goes to a fast-flux node, which redirects it to the C&C and relays the response content.
  • 59. Infrastructure, fast flux + proxy + C&C: same flow, with a proxy layer between the fast-flux nodes and the C&C.
  • 60. Infrastructure, bulletproof (BP) hosters: victims, Internet, BP hoster fronting the backend server.
  • 61. Infrastructure, own infrastructures: IP-in-IP tunnel, OpenVPN server, VPN client, several backend servers, victims.
  • 62. Infrastructure, P2P: victims on a P2P network, web panel, backup server.
  • 63. Infrastructure, Tor: victims reach the web panel through the Tor network.
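The fast-flux layouts of slides 58 and 59 leave a signature in DNS: the same name resolves to a churning set of compromised hosts in unrelated networks with short TTLs, while a legitimate CDN also uses short TTLs but keeps its answers inside a few well-known ASNs. The added example below is not from the talk; it is a detector a SOC could run over passive-DNS or resolver-log observations. Thresholds, the `DnsObservation` shape, the domain names, the RFC 5737 addresses and the private-range ASNs are all assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsObservation:
    """One resolution of `name` at time `ts` (seconds); answers are (ip, asn) pairs,
    ASN looked up from a routing table at observation time (assumed available)."""
    name: str
    ts: int
    ttl: int
    answers: tuple[tuple[str, int], ...]


# Illustrative thresholds (assumptions for this example, not figures from the talk).
MAX_TTL = 300          # flux records are rotated quickly, so TTLs are short
MIN_UNIQUE_IPS = 5     # many compromised front nodes serve the same name
MIN_UNIQUE_ASNS = 3    # spread across unrelated networks, unlike a CDN


def flux_profile(obs: list[DnsObservation]) -> dict:
    """Aggregate features over all observations of one name."""
    ips, asns, ttls, rotations = set(), set(), [], 0
    prev = None
    for o in sorted(obs, key=lambda o: o.ts):
        cur = {ip for ip, _ in o.answers}
        ips |= cur
        asns |= {asn for _, asn in o.answers}
        ttls.append(o.ttl)
        if prev is not None and cur != prev:
            rotations += 1          # answer set changed between lookups
        prev = cur
    return {"unique_ips": len(ips), "unique_asns": len(asns),
            "min_ttl": min(ttls), "rotations": rotations}


def is_fast_flux(obs: list[DnsObservation]) -> bool:
    p = flux_profile(obs)
    return (p["min_ttl"] <= MAX_TTL
            and p["unique_ips"] >= MIN_UNIQUE_IPS
            and p["unique_asns"] >= MIN_UNIQUE_ASNS)


def classify(observations: list[DnsObservation]) -> dict[str, bool]:
    by_name = defaultdict(list)
    for o in observations:
        by_name[o.name].append(o)
    return {name: is_fast_flux(obs) for name, obs in by_name.items()}


# Constructed sample data. The CDN-like name has a short TTL too, which is why TTL
# alone is not a usable indicator; the flux name rotates through 8 hosts in 5 ASNs.
SAMPLE_OBSERVATIONS = [
    DnsObservation("cdn.example.net", 0, 60, (("192.0.2.10", 64500), ("192.0.2.11", 64500))),
    DnsObservation("cdn.example.net", 60, 60, (("192.0.2.10", 64500), ("192.0.2.11", 64500))),
    DnsObservation("cdn.example.net", 120, 60, (("192.0.2.11", 64500), ("192.0.2.10", 64500))),
    DnsObservation("flux.example.net", 0, 180, (("198.51.100.1", 64501), ("198.51.100.2", 64502))),
    DnsObservation("flux.example.net", 180, 180, (("203.0.113.3", 64503), ("198.51.100.2", 64502))),
    DnsObservation("flux.example.net", 360, 180, (("203.0.113.4", 64504), ("203.0.113.5", 64505))),
    DnsObservation("flux.example.net", 540, 180,
                   (("198.51.100.6", 64501), ("203.0.113.7", 64503), ("198.51.100.8", 64502))),
]

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_OBSERVATIONS).items():
        print(name, "FAST-FLUX" if verdict else "ok", flux_profile(
            [o for o in SAMPLE_OBSERVATIONS if o.name == name]))
```

With the proxy layer of slide 59, the flux nodes are only redirectors, so flagging the name does not reveal the C&C; the next pivot is the redirect target seen in the HTTP exchange, not the A records.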