Tracking P2P Cybercrime Infrastructures
Marc Rivero | (@seifreed) | www.ecrime.info
How to track a P2P campaign (original title: Como hacer seguimiento de una campaña P2P)
#who
Marc Rivero López
Speaker at national events (No cON Name, Owasp, Navaja Negra) and international ones (DragonJAR CON - Colombia). Member of associations and research groups such as the HoneyNet Project, Owasp, SySsec, etc. I am also the organizer of the Hack&Beers conferences in Barcelona. Member of Malw.re

Infrastructure

* [ Elements…]
•Dropzone
•C&C Config Server
•Exploit Kit
•Binary Server
•User

* [ Process infection…]
•The victim visits a compromised website
•The website redirects the user to an Exploit Kit
•The Exploit Kit infects the machine

* [ Type of servers…]
Bulletproof hosting features:
•Abuse requests are sent to /dev/null
•DDoS protection
•Changes IP to protect the end customer
•Any activity allowed

* [ Enemy wanted…]

* [ Zeus P2P features…]
Main differences in the P2P variant:
•Uses a P2P network
•Daily DGA domains
•All resources carry the botmaster's signature
•DDoS capabilities

* [ Daily DGA domains…]
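The slide lists daily DGA domains without showing how a tracker exploits them, so here is an added example that is not from the deck or from Oraculo. The generator below is an illustrative date-seeded DGA written for this page; it is an assumption standing in for the real Zeus P2P algorithm, whose seed, hashing and TLD list are not reproduced here. The seed, the TLD list, the fixed day and the three DNS log lines are all constructed. What it demonstrates is the tracking property the slide relies on: whoever knows the seed can pre-compute the daily list and match observed query names against it, with a one-day window either side to absorb clock skew.

```python
import hashlib
from datetime import date, timedelta

# Assumed TLD list for the illustration; not taken from any Zeus P2P sample.
TLDS = ("com", "net", "org", "biz", "info", "ru")


def dga(day, seed, count=1000):
    """Illustrative date-seeded DGA (assumption: NOT the real Zeus P2P algorithm).

    The property that matters for tracking: the same secret seed plus the same
    calendar day yields the same list on every bot and on the tracker, so a
    tracker that knows the seed can pre-compute today's domains.
    """
    domains = []
    for i in range(count):
        h = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        label_len = 12 + int(h[0], 16) % 8          # 12..19 characters
        # one lowercase letter per pair of hex digits; uses at most 38 of the 64 digits
        label = "".join(chr(ord("a") + int(h[2 * j:2 * j + 2], 16) % 26)
                        for j in range(label_len))
        tld = TLDS[int(h[-2:], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def candidate_set(day, seed, window=1, count=1000):
    """Domains valid on `day` plus `window` days either side (clock skew,
    bots that wake up late, domains registered ahead of time)."""
    cands = set()
    for delta in range(-window, window + 1):
        cands.update(dga(day + timedelta(days=delta), seed, count))
    return cands


def match_dns_log(lines, day, seed):
    """Return (source_ip, qname) for constructed log lines '<src_ip> <qname>'
    whose query name falls inside the DGA window around `day`."""
    cands = candidate_set(day, seed)
    hits = []
    for line in lines:
        src, qname = line.split()
        if qname.lower().rstrip(".") in cands:   # normalise case and trailing dot
            hits.append((src, qname))
    return hits


# Constructed demo inputs: a made-up seed, a fixed day and a three-line DNS log.
DEMO_DAY = date(2014, 5, 1)
DEMO_SEED = "constructed-seed"
DEMO_LOG = [
    "10.0.0.5 www.example.com",
    f"10.0.0.7 {dga(DEMO_DAY, DEMO_SEED, 3)[2]}",                                  # today's list
    f"10.0.0.9 {dga(DEMO_DAY - timedelta(days=1), DEMO_SEED, 1)[0].upper()}.",     # yesterday's, as FQDN
]

if __name__ == "__main__":
    print("first domains for", DEMO_DAY, dga(DEMO_DAY, DEMO_SEED, 5))
    for src, qname in match_dns_log(DEMO_LOG, DEMO_DAY, DEMO_SEED):
        print(f"{src} queried DGA domain {qname}")
```

The window is the practical point: a tracker that only checks today's list misses bots whose clock is off or domains the botmaster registered a day early, while a window that is too wide inflates the candidate set and the false-positive rate against legitimate long random-looking names.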
* [ Statistics…]
* [ Oraculo…]
A tool for tracking P2P campaigns (only DGA at the moment)
Principal elements:
•Monitor: tracks all the changes in a domain
•Scheduler: checks for changes across all the malware domains
Focused on P2P campaigns, but adaptable to track other families
Can check whether domains are sinkholed
Tool developed in Python (backend) + Django (frontend)

* [ Oraculo…]
The tool collects:
•Country
•Web server
•IP address
•Whois
•And more information…

* [ Oraculo…]
pDNS information

* [ Oraculo…]
Email reports
We integrate third-party tools in the report

* [ Oraculo…]
•Domains with the most changes
•Domains up for the longest time

* [ Oraculo…]
•Sinkhole vs. malicious domains (experimental feature)
•Source countries with the most malicious activity

* [ Oraculo…]
Search feature:
•Search using regex, TLD or country; all the information is indexed
•The tool shows whether the domain is active or not
•Can show a graph of the infrastructure

* [ Oraculo…]
Domain details:
•Geoposition on a map
•Related activity
•Activity history
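The Oraculo slides describe the Monitor (per-domain change tracking), the Scheduler (re-checking every domain), the sinkhole-vs-malicious split and the regex/TLD/country search, but show no code. The block below is an added example of the data model those features need; it is not Oraculo's code (the deck only says the tool is Python plus Django) and it is not extracted from the deck. The daily observations, the sinkhole prefix (a slice of an RFC 5737 documentation range) and every function name are constructed for the illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed observations, not Oraculo's data: one row per scheduled daily check.
# Fields: (domain, day, resolved_ip or None when the domain did not resolve,
#          country of the IP, web server banner). IPs are RFC 5737 documentation ranges.
OBS = [
    ("abcdef.biz", date(2014, 5, 1), "198.51.100.10", "US", "nginx"),
    ("abcdef.biz", date(2014, 5, 2), "198.51.100.10", "US", "nginx"),
    ("abcdef.biz", date(2014, 5, 3), "203.0.113.7",   "RU", "Apache"),   # moved host
    ("abcdef.biz", date(2014, 5, 4), None,            None, None),       # went down
    ("ghijkl.ru",  date(2014, 5, 1), "192.0.2.5",     "NL", "nginx"),
    ("ghijkl.ru",  date(2014, 5, 2), "192.0.2.5",     "NL", "nginx"),
    ("ghijkl.ru",  date(2014, 5, 3), "192.0.2.5",     "NL", "nginx"),
    ("ghijkl.ru",  date(2014, 5, 4), "192.0.2.5",     "NL", "nginx"),
    ("mnopqr.com", date(2014, 5, 1), "203.0.113.7",   "RU", "Apache"),
    ("mnopqr.com", date(2014, 5, 2), "192.0.2.250",   "DE", "nginx"),    # now points at a sinkhole
    ("mnopqr.com", date(2014, 5, 3), "192.0.2.250",   "DE", "nginx"),
]

# Assumed sinkhole prefix (constructed). A real tracker keeps a curated list of
# researcher and registrar sinkhole ranges and updates it as they change.
SINKHOLE_NETS = [ipaddress.ip_network("192.0.2.240/28")]


def history(obs):
    """Group rows per domain, ordered by day: (day, ip, country, server)."""
    h = defaultdict(list)
    for row in sorted(obs, key=lambda r: (r[0], r[1])):
        h[row[0]].append(row[1:])
    return h


def change_count(rows):
    """Monitor role: checks on which (ip, country, server) differed from the previous check."""
    return sum(1 for prev, cur in zip(rows, rows[1:]) if prev[1:] != cur[1:])


def days_up(rows):
    """Number of checks on which the domain resolved at all."""
    return sum(1 for r in rows if r[1] is not None)


def is_sinkholed(ip):
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SINKHOLE_NETS)


def status(row):
    """'down' (no resolution), 'sinkholed' (resolves into a sinkhole range) or 'active'."""
    if row[1] is None:
        return "down"
    return "sinkholed" if is_sinkholed(row[1]) else "active"


def report(obs):
    """Scheduler role: rebuild the summary lists from the latest check of every domain."""
    h = history(obs)
    latest = {d: status(rows[-1]) for d, rows in h.items()}
    live = sorted(d for d, s in latest.items() if s == "active")
    return {
        "most_changes": sorted(h, key=lambda d: change_count(h[d]), reverse=True),
        "longest_up": sorted(h, key=lambda d: days_up(h[d]), reverse=True),
        "sinkholed": sorted(d for d, s in latest.items() if s == "sinkholed"),
        "malicious_live": live,
        "countries": Counter(h[d][-1][2] for d in live),   # only still-malicious domains count
    }


def search(obs, pattern=None, tld=None, country=None):
    """Search role: regex on the name, exact TLD, or any country seen in the history.
    Returns (domain, current status) pairs."""
    out = []
    for d, rows in history(obs).items():
        if pattern and not re.search(pattern, d):
            continue
        if tld and not d.endswith("." + tld):
            continue
        if country and country not in {r[2] for r in rows}:
            continue
        out.append((d, status(rows[-1])))
    return sorted(out)


if __name__ == "__main__":
    for key, value in report(OBS).items():
        print(f"{key}: {value}")
    print("search tld=ru:", search(OBS, tld="ru"))
```

Two choices worth noting. A domain that now resolves into a sinkhole range is excluded from the per-country activity count, otherwise the sinkhole operator's country would top the "most malicious activity" list. And the country filter in search matches any country ever seen for the domain, not just the current one, because the point of the history is to find infrastructure that has already moved.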
