3. Malware?
• Generally
– Any code that performs evil…
• Today
– Executable content with unknown functionality that is resident on a system of investigative interest
• Virus
• Worms
• Spyware
• Adware
• Rootkits
7. Attacks in Synerzip
• 2007
– DNS hacked
• 2008
– FTP server hacked
• 2010
– DDoS on the DNY network
• 2011
– DoS attack on DNS server
– False DoS attack on firewall due to a Quickoffice Connect application bug
• 2013
– Router hacked @ DNY, ZeroAccess botnet
• 2014
– Zimbra VLAN MITM
• Note – No network is 100% secure, but we can make things difficult for the hackers
9. What is Cryptolocker?
• Began September 2013
• Encrypts victim’s files, asks for $300 ransom
• Impossible to recover files without a key
• Ransom increases after deadline
• Goal is monetary via Bitcoin
• 250,000+ victims worldwide (according to Secureworks)
11. Who pays the ransom?
Police department paid $750 to decrypt images and word documents
12. NightHunter – Name explained
NightHunter, because of its use of SMTP (email) for data exfiltration. Email is often overlooked, so it can be a more stealthy way of data theft, akin to hunting at night.
13. NightHunter Infections To Date
There are at least 1,800 unique infections.
Number of unique infections per email server (chart values, paired with the labels in the order they were extracted):
3OWL – 1000
Ieindia – 350
Drmike – 200
Hanco – 150
Gmail – 100*
Comcast – 60
25. Dynamic (Behavioral) Analysis
• Static analysis will reveal some immediate information
• Exhaustive static analysis could theoretically answer any question, but it is slow and hard
• Usually you care more about “what” malware is doing than “how” it is being accomplished
• Dynamic analysis is conducted by observing and manipulating malware as it runs
26. System Monitoring
• What we are after
– Registry activity
– File activity
– Process activity
– Network traffic
30. Make your own Malware Analysis Toolkit Using Free Tools
31. Step 1: Allocate physical or virtual systems for the analysis lab
• Virtualization software options include
– VMware Server
– Windows Virtual PC
– Microsoft Virtual Server
– VirtualBox
32. Step 2: Isolate laboratory systems from the production environment
• Separate the laboratory network from production using a firewall
• Don't connect laboratory and production networks at all
• Use removable media to bring tools and malware into the lab
• Don't use the physical machine that's hosting your virtualized lab for any other purpose
33. Step 3: Install behavioral analysis tools
• File system and registry monitoring:
– Process Monitor
– Capture BAT
• Process monitoring:
– Process Explorer
– Process Hacker
• Network monitoring:
– Wireshark
– SmartSniff
• Change detection:
– Regshot
34. Step 4: Install code-analysis tools
• Disassembler and debugger:
– OllyDbg / Immunity Debugger
– IDA Pro
• Memory dumper:
– LordPE
– OllyDump
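The four lab-setup steps above end with change-detection tooling (Regshot) and the file-activity monitoring the System Monitoring slide lists. The script below is an added example, not code from the deck or from any of the tools it names: it implements the change-detection step in plain Python, taking a snapshot of a lab VM's file tree before a sample runs, another afterwards, diffing them, and flagging the changes an analyst would triage first. The executable extensions, the watched path fragments and the sample snapshots are constructed assumptions for illustration.

```python
import hashlib
import os
from typing import Dict, List

# Added example (not the deck's or Regshot's code): a minimal Regshot-style
# file-system change detector for a malware analysis lab VM.

Snapshot = Dict[str, str]   # relative path -> SHA-256 hex digest

# Assumed lists for triage; extend them to match your own lab and OS image.
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".bat", ".cmd", ".vbs", ".ps1"}
WATCH_FRAGMENTS = ("appdata", "startup", "temp", "programdata")  # matched case-insensitively


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_dir(root: str) -> Snapshot:
    """Walk `root` and record a digest for every regular file, keyed by relative path."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                snap[rel] = hash_file(full)
            except OSError:
                continue    # locked or deleted between walk and read: skip it
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Return added, removed and modified paths between two snapshots."""
    b, a = set(before), set(after)
    return {
        "added": sorted(a - b),
        "removed": sorted(b - a),
        "modified": sorted(p for p in a & b if before[p] != after[p]),
    }


def flag_changes(delta: Dict[str, List[str]]) -> List[str]:
    """Triage: which added/modified files deserve a closer look, and why."""
    flags: List[str] = []
    for kind in ("added", "modified"):
        for path in delta[kind]:
            reasons = []
            if os.path.splitext(path)[1].lower() in EXEC_EXTS:
                reasons.append("%s executable" % kind)
            hits = [w for w in WATCH_FRAGMENTS if w in path.lower()]
            if hits:
                reasons.append("under watched location (%s)" % ", ".join(hits))
            if reasons:
                flags.append("%s: %s" % (path, "; ".join(reasons)))
    return flags


if __name__ == "__main__":
    # Constructed snapshots standing in for "before" and "after" a sample ran.
    # In the lab you would call snapshot_dir() on the guest's drive root instead.
    before = {
        "Windows/System32/kernel32.dll": "aa" * 32,
        "Users/alice/Documents/notes.txt": "bb" * 32,
    }
    after = {
        "Windows/System32/kernel32.dll": "aa" * 32,
        "Users/alice/Documents/notes.txt": "cc" * 32,          # content changed
        "Users/alice/AppData/Roaming/updater.exe": "dd" * 32,  # new executable
    }
    delta = diff_snapshots(before, after)
    print("added:", delta["added"])
    print("removed:", delta["removed"])
    print("modified:", delta["modified"])
    for line in flag_changes(delta):
        print("FLAG", line)
```

Take the first snapshot from a clean, isolated VM, run the sample, snapshot again from the same guest, and keep both snapshot files on removable media as Step 2 prescribes rather than on a shared network path. Hashing rather than comparing timestamps matters because samples commonly reset file times; content changes still show up in the digest.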
For those that aren’t aware of what encrypting ransomware is, it’s a cryptovirus that encrypts all your data on local hard drives, network shared drives, removable hard drives and USB. The encryption is done using an RSA-2048 asymmetric public key, which makes decryption without the key impossible. Paying the ransom will net you the key, which in turn leads to getting your data back.
http://www.webroot.com/blog/2014/05/05/evolution-encrypting-ransomware/
Cryptolocker is ransomware that on execution locks the user's system, thereby leaving the system in an unusable state. It also encrypts a list of file types present in the user’s system. The compromised user has to pay the attacker a ransom to unlock the system and to get the files decrypted.
The malware first appeared in September 2013.
It encrypts computer files of its victims and forces them to pay hundreds of dollars to unlock them.
If the victim does not pay the ransom, it is impossible to recover the files, due to the key length used by Cryptolocker.
To recover the files past the deadline, the price usually doubles or triples.
More than 250,000 victims, mostly in the USA and UK.
Here are some examples of who actually paid. The department paid $750 for two Bitcoins - an online currency - to decrypt several images and Word documents in its computer system, Swansea (Mass.) Police Lt. Gregory Ryan said.
ZeroAccess belongs to the rootkit family Win32/Sirefef and Win64/Sirefef. ZeroAccess has been installed on computers over 9 million times.
Click fraud and Bitcoin mining can earn the botnet owners a potential $100,000 a day.
Each bot consumes 1,227,300 bytes of network bandwidth per hour, 29,455,200 per day and 895,929,000 bytes per month. 895 MB per month per bot means a botnet with 1 million nodes could be producing as much as 895,000,000 MB or 895 terabytes of network traffic per month.