
Город никогда не спит / The City Never Sleeps


Speakers: Denis Makrushin and Yury Namestnikov

Among the measures used to protect corporate infrastructure from attackers, security teams rely on a strict policy restricting which applications may reach the Internet. Enterprise defence is built mainly on the principle "deny everything that is not explicitly allowed". Meanwhile, threats lurk deep inside corporate networks and wait for the employees' working day to end. We will show how, after dark, cybercriminals put Notepad, AutoCAD, Tomcat and SQL Server to work for their own purposes.



  1. THE CITY NEVER SLEEPS. Yury Namestnikov, Denis Makrushin, Global Research and Analysis Team, Kaspersky Lab
  2. YOU MIGHT THINK I’M BULLETPROOF. BUT I’M NOT.
  3. “WHITE” TECHNOLOGIES FROM THE “WHITE” SIDE
  4. Security Analyst Summit 2016
  6. 30 000 connection attempts in 94 countries
  7. EXPLOITING, DLL HIJACKING… PFFFFFF…
  8. IE IS A “BUG” OF THE ERP SYSTEM
  9. 4th of December, 06:36 am: hxxp://202.68.226.59:8000/x/tm/one.zip
  10. MALWARE.MOF
  11. OH MY… SQL! Every payload below was fetched by the database engine itself:
      Malicious Link | Application
      http://222.186.15.215:8080/Autoexed.bat | sqlservr.exe
      http://222.186.34.180/svshost.exe | sqlservr.exe
      http://104.149.7.196:8080/SB1.exe | sqlservr.exe
      http://216.99.150.246:8080/12.exe | sqlservr.exe
      http://121.41.40.17:8888/SB360.exe | sqlservr.exe
      http://198.13.101.85:8080/CleanReg.bat | sqlservr.exe
      http://117.21.226.123:8080/Seymtre.exe | sqlservr.exe
      http://173.82.68.163:8080/1.exe | sqlservr.exe
      http://45.34.1.179:8080/Cacrk.exe | sqlservr.exe
      http://65.49.70.102:8080/q.exe | sqlservr.exe
      http://65.49.70.102:8080/ccavwm.exe | sqlservr.exe
      http://104.217.216.190/svshost.exe | sqlservr.exe
      http://121.139.205.78:8888/svchost.exe | sqlservr.exe
      http://45.34.1.160:8000/SB360.exe | sqlservr.exe
      http://45.34.1.152:8080/1.exe | sqlservr.exe
      http://198.13.119.36:8080/svshost.exe | sqlservr.exe
      http://27.50.136.47/SB360.exe | sqlservr.exe
      http://61.147.103.178:8082/get.exe | sqlservr.exe
      http://222.186.34.147:8080/serr.exe | sqlservr.exe
      http://122.226.223.77:8080/btc530.exe | sqlservr.exe
      http://boxpro.cn/boxpro/publishdownload/TecJwIY_GG?fileName=look2015.pif | sqlservr.exe
      http://173.254.203.93:8080/MFMS.exe | sqlservr.exe
      http://www.k1001.com/rj/good.exe | sqlservr.exe
      http://111.73.45.126:8080/123.exe | sqlservr.exe
      http://appdown.keyipin.com/ss.exe | sqlservr.exe
      http://23.91.15.215:8080/Autoexec.exe | sqlservr.exe
      http://150.242.248.132/Serve.exe | sqlservr.exe
      http://manhack.f3322.net:8080/mysql.exe | sqlservr.exe
      http://123.249.45.183:8000/SB360.exe | sqlservr.exe
      http://114.37.133.174:8080/1.exe | sqlservr.exe
      http://60.172.229.71:8080/he.exe | sqlservr.exe
      http://1.93.10.119/3.0.exe | sqlservr.exe
      http://60.190.216.240:8080/123.exe | sqlservr.exe
      http://222.186.21.119:8888/get.exe | sqlservr.exe
      http://119.29.85.139:8888/wincj.exe | sqlservr.exe
      http://120.132.178.112/360Save.exe | sqlservr.exe
      http://114.80.100.14:8080/svshost.exe | sqlservr.exe
      http://222.186.34.136:81/server.exe | sqlservr.exe
      http://123.249.56.196/1.exe | sqlservr.exe
      http://222.186.56.17:8080/server.exe | sqlservr.exe
      http://115.29.39.152:8080/svshost.exe | sqlservr.exe
      http://199.83.94.67:8080/1.exe | sqlservr.exe
      http://104.149.88.222:8080/winlogon.exe | sqlservr.exe
      http://112.124.58.140:8080/server.exe | sqlservr.exe
      http://222.186.34.196/1.exe | sqlservr.exe
      http://119.90.45.98:8080/erloseo.exe | sqlservr.exe
      http://113.10.242.125:8080/SB360.exe | sqlservr.exe
      http://58.221.47.41:8080/1.exe | sqlservr.exe
      http://216.99.158.168:8080/jiujie.exe | sqlservr.exe
  13. ILL DLL HIJACKING. Mr. Insecure Load Library: “One of my DLLs could pwn you without talking to DEP, ASLR or the whitelist”
  15. APT STORY: FROM CHINA WITH LOVE DLL… A very popular technique among Chinese APT groups (PlugX, Emissary Panda, Wonknu, etc.):
      • a 7-Zip archive
      • a legitimate, signed EXE
      • shipped with a malicious DLL
      • under a legitimate file name
      • exporting a legitimately named function, but that function contains the malicious code
  16. …DLL HIJACKING. Example:
      • The DLL does only two things: XOR and load code into memory
      • In the same directory sits a *.url file holding the XORed backdoor code
  17. Victims by country: India 33%, Russia 11%, China 10%, Brazil 5%, Iran 4%, Vietnam 4%, Turkey 3%, Ukraine 2%, Bangladesh 2%, Taiwan 2%, Other 24%
  18. “KNOWLEDGE IS THE BEST FORM OF PROTECTION”. DUDE, GIVE ME THIS “BEST FORM”!
  19. SILVER BULLET
  20. THANKS. NO QUESTIONS. Denis.Makrushin@Kaspersky.com Yury.Namestnikov@Kaspersky.com
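The table on slide 11 is the detection opportunity the talk is pointing at: a whitelisted server process (sqlservr.exe) is itself the HTTP client pulling down executables from bare IP addresses on odd ports. The script below is an added example, not code from the presenters or from Kaspersky Lab; it runs a simple triage rule over (URL, process) pairs in the shape of that table. The event list, the watchlist of processes and the "executable" extension set are constructed assumptions to tune per environment; the URLs use documentation ranges and `.invalid` hostnames, not the real indicators from the slide.

```python
"""Flag executable downloads initiated by server or utility processes that should never fetch code."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample events (url, initiating process), modelled on the shape of the slide-11 table.
SAMPLE_EVENTS = [
    ("http://203.0.113.10:8080/svshost.exe", "sqlservr.exe"),
    ("http://203.0.113.11:8888/get.exe", "sqlservr.exe"),
    ("http://example.invalid/boxpro/publishdownload/TecJwIY_GG?fileName=look2015.pif", "sqlservr.exe"),
    ("http://203.0.113.12:8080/Autoexed.bat", "tomcat8.exe"),
    ("http://updates.example.invalid/catalog.xml", "sqlservr.exe"),   # data fetch, not code: not flagged
    ("http://203.0.113.13:8000/x/tm/one.zip", "acad.exe"),
    ("https://www.example.invalid/index.html", "chrome.exe"),        # browser: outside the watchlist
]

# Assumption: processes whitelisted for Internet access but with no business downloading code.
WATCHED_PROCESSES = {"sqlservr.exe", "tomcat8.exe", "tomcat9.exe", "notepad.exe", "acad.exe"}
# Assumption: extensions treated as "executable or archive carrying an executable".
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|bat|cmd|pif|scr|com|zip|rar|7z)$", re.IGNORECASE)
STANDARD_PORTS = {80, 443}


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address instead of a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def score_event(url, process):
    """Return the list of reasons a (url, process) pair is suspicious; an empty list means 'not flagged'."""
    proc = process.lower()
    if proc not in WATCHED_PROCESSES:
        return []
    parsed = urlparse(url)
    # The payload name may hide in the query string (fileName=look2015.pif) rather than in the path.
    names = [parsed.path] + re.findall(r"(?:^|&)filename=([^&]*)", parsed.query, re.IGNORECASE)
    if not any(EXECUTABLE_EXT.search(n) for n in names):
        return []
    reasons = ["executable payload fetched by " + proc]
    host = parsed.hostname or ""
    if is_ip_literal(host):
        reasons.append("IP-literal host " + host)
    if parsed.port is not None and parsed.port not in STANDARD_PORTS:
        reasons.append("non-standard port %d" % parsed.port)
    return reasons


def find_suspicious(events):
    """Return (url, process, reasons) for every event that score_event flags."""
    hits = []
    for url, proc in events:
        reasons = score_event(url, proc)
        if reasons:
            hits.append((url, proc, reasons))
    return hits


if __name__ == "__main__":
    for url, proc, reasons in find_suspicious(SAMPLE_EVENTS):
        print("%-12s %s\n    %s" % (proc, url, "; ".join(reasons)))
```

The rule deliberately keys on the initiating process, not on the URL alone: the same download from a browser is noise, from sqlservr.exe it is the whole story. Feed it from proxy logs or Sysmon network events that record the image name, and extend the extension set only after checking what legitimate server updates look like in your environment.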
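Slide 16 describes the payload-staging side of the DLL hijack: a sideloaded DLL that only XORs and loads, with the backdoor parked next to it as a `*.url` file. A genuine Internet Shortcut is a tiny INI text file with an `[InternetShortcut]` section, so anything carrying that extension that is not one deserves a look. The triage routine below is an added example, not the presenters' code or any real sample analysis; it checks whether a `.url` file parses as a shortcut and, if not, brute-forces a single-byte XOR key that turns the blob into something with an MZ header whose `e_lfanew` points at a `PE\0\0` signature. Single-byte XOR is an assumption (the slide only says "xor"); the shortcut text and the fake PE stub are constructed inline.

```python
"""Triage *.url files: real Internet Shortcuts are INI text; XOR-encoded PE blobs are staged payloads."""
import configparser
import struct


def looks_like_internet_shortcut(data):
    """True when the bytes parse as an INI file with an [InternetShortcut] section holding a URL key."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return False
    return cp.has_option("InternetShortcut", "URL")


def find_xor_key_for_pe(data):
    """Try all 256 single-byte keys; return the key under which the blob is an MZ file whose
    e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature, or None. Assumes single-byte XOR."""
    if len(data) < 0x40:
        return None
    for key in range(256):
        if data[0] ^ key != 0x4D or data[1] ^ key != 0x5A:      # 'M', 'Z'
            continue
        e_lfanew = struct.unpack("<I", bytes(b ^ key for b in data[0x3C:0x40]))[0]
        if e_lfanew + 4 <= len(data) and bytes(b ^ key for b in data[e_lfanew:e_lfanew + 4]) == b"PE\0\0":
            return key
    return None


def triage_url_file(name, data):
    """Classify one .url file: ('benign shortcut' | 'xor-encoded PE' | unknown) plus the XOR key if found."""
    if looks_like_internet_shortcut(data):
        return (name, "benign shortcut", None)
    key = find_xor_key_for_pe(data)
    if key is not None:
        return (name, "xor-encoded PE", key)
    return (name, "not a shortcut, not a known encoding", None)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def build_fake_pe():
    """Constructed 256-byte stub: 'MZ', e_lfanew = 0x80, 'PE\\0\\0' at 0x80. Not a real or runnable binary."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


# Constructed samples: one genuine shortcut, one fake PE XORed with key 0x5A as the slide's scenario describes.
LEGIT_URL = b"[InternetShortcut]\r\nURL=https://example.invalid/\r\nIconIndex=0\r\n"
FAKE_PE = build_fake_pe()
STAGED_PAYLOAD = xor_bytes(FAKE_PE, 0x5A)

if __name__ == "__main__":
    for name, blob in (("readme.url", LEGIT_URL), ("update.url", STAGED_PAYLOAD)):
        print(triage_url_file(name, blob))
```

Run it over every `*.url` in directories that hold signed executables (the hijack lands where the legitimate EXE lives), and treat a hit as a reason to pull the neighbouring DLLs for analysis. A multi-byte or rolling key defeats this check by design; the point is to catch the cheap variant the slide describes, not to replace a sandbox.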
