
Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]


  1. Rooted CON 2014, 6-7-8 March. 50 Shades of Crimeware. Manu Quintans, Frank Ruiz.
  2. Who are we? Manu Quintans: Threat Intelligence Manager at Buguroo / Deloitte. Frank Ruiz: Intelligence Analyst at Fox-IT. And... yes! We hunt malware like a sir.
  3. Index: What do we know about cyber-crime? It's time to get back to reality. Understanding cyber-crime activities. Previously on... 2013. Reality bites: cyber-crime evolutions, 2013-2014. New trends in cyber-crime. Examples (we have a Target...). Infrastructure. Demo time (yeah, we have a demo; please put away your smartphone and enjoy...).
  4-8. What do we know about cyber-crime?
  9. What do we know about cyber-crime? The Brian Krebs post life cycle. WE NEED DIAGRAM.
  10-13. It's time to get back to reality.
  14. Understanding cyber-crime activities.
  15. Understanding cyber-crime activities. LAYER#1, The Undercoat ("just for kiddies"): HackForums, Exploit.IN, Antichat.RU, Damagelabs, DarkCode, Indetectables.
  16-19. Understanding cyber-crime activities. The Undercoat.
  20. Understanding cyber-crime activities. LAYER#2, The Limbo (pseudo-pro): CPRO.SU, Pustota, Verified.msx x, Infraud.su.
  21-22. Understanding cyber-crime activities.
  23. Understanding cyber-crime activities. LAYER#3, Heaven's door (Gang'stah!-PRO).
  24-25. Understanding cyber-crime activities.
  26. Understanding cyber-crime activities. LAYER#4, Private семья ("family"): ZeusP2P, CryptoLocker, Sinowall x, Gozi.
  27. Video history.
  28. Understanding cyber-crime activities, the four layers together. LAYER#1, The Undercoat (just for kiddies): HackForums, Exploit.IN, Antichat.RU, Damagelabs, DarkCode, Indetectables. LAYER#2, The Limbo (pseudo-pro): CPRO.SU, Pustota, Verified.msx, Infraud.su x. LAYER#3, Heaven's door (Gang'stah!-PRO). LAYER#4, Private семья (family): ZeusP2P, CryptoLocker, Sinowall x, Gozi.
  29. Previously on... 2013.
  30. Previously on... 2013: The first year without new banking Trojans (except KINS, aka Kasper). Symlink arrested (January). Paunch (BlackHole exploit kit) arrested (October). The FBI shut down Silk Road and arrested Ross William Ulbricht (October). Target breach :-) (November/December). The FBI, with the cooperation of the Spanish police, took down Liberty Reserve and arrested its CEO (May 2013).
  31. Previously on... 2013/2014: It has been a special year in the evolution of the cybercrime industry. The feeling of impunity begins to disappear. Mid-level groups begin to close up and professionalize their assets. Ironically, the vetted gangs start to show some gaps.
  32. Previously on... 2013/2014: These changes are due to: arrests; the proliferation of bloggers and Twitter accounts "investigating" the cybercrime scene (pr0n stars); insider researchers; leaks (pastes, services...).
  33. Previously on... 2013/2014. Conclusion: the cybercrime "industry" is now more closed than ever.
  34. New trends in cyber-crime.
  35. New trends in cyber-crime. We found new trends in the cyber-crime industry, like: POS (point of sale) malware; new mobile malware (e.g. Tor based); cryptocurrencies.
  36. New trends in cyber-crime. POS (point of sale), but why? The lack of a banking Trojan for sale and the large increase in demand for cards has moved many players into this business. Citadel users move their business to this new system. The supply of POS malware for sale grows.
  37. New trends in cyber-crime. POS (point of sale): what did we find on the underground market? Alina, Dexter and BlackPOS malware ("the beauty, the bad and the ugly").
  38. New trends in cyber-crime. POS (point of sale), and services? Of course! JackPOS.
  39. New trends in cyber-crime. Mobile malware: an increase of injections (webinjects) with support for mobile malware. Mobile malware for sale: iBanking (as a service), Perkele. Uses new resources like Tor.
  40. New trends in cyber-crime. Mobile malware: iBanking.
  41. New trends in cyber-crime. Mobile malware: Perkele.
  42-44. New trends in cyber-crime. Cryptocurrencies.
  45. New trends in cyber-crime. Cryptocurrencies. (Chart: total hash rate, 24h hash rate.)
  46. Let's see some real examples of the new trends.
  47. Example.
  48. Example. Timeline (Brian Krebs):
     18/Dec/2013: Sources: Target Investigating Data Breach
     20/Dec/2013: Cards Stolen in Target Breach Flood Underground Markets
     22/Dec/2013: Non-US Cards Used At Target Fetch Premium
     24/Dec/2013: Who's Selling Credit Cards from Target?
     10/Jan/2014: Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen
     15/Jan/2014: A First Look at the Target Intrusion, Malware
     16/Jan/2014: A Closer Look at the Target Malware, Part II
     29/Jan/2014: New Clues in the Target Breach
     04/Feb/2014: These Guys Battled BlackPOS at a Retailer
     05/Feb/2014: Target Hackers Broke in Via HVAC Company
     12/Feb/2014: Email Attack on Vendor Set Up Breach at Target
     19/Feb/2014: Fire Sale on Cards Stolen in Target Breach
     25/Feb/2014: Card Backlog Extends Pain from Target Breach
  49-50. Example.
  51-53. Intelligence.
  54. Cyber-criminals' infrastructure.
  55. Infrastructure: simple. (Diagram: botnet, Internet.)
  56. Infrastructure: proxy. (Diagram: victims, Internet, proxy, botnet.)
  57. Infrastructure: double proxy. (Diagram: victims, Internet, proxy 1, proxy 2, botnet.)
  58. Infrastructure: fast flux + C&C. (Diagram: victim, fast-flux network, botnet; HTTP GET and response content on the victim side, GET redirect and response content behind the flux layer.)
  59. Infrastructure: fast flux + proxy + C&C. (Same flow as slide 58, with a proxy layer in front of the C&C.)
  60. Infrastructure: BP (bulletproof) hosters. (Diagram: victims, Internet, BP hoster, backend server.)
  61. Infrastructure: own infrastructures. (Diagram: victims, Internet, IPIP tunnel, OpenVPN server, VPN client, several backend servers.)
  62. Infrastructure: P2P. (Diagram: victims, Internet, P2P network, web panel, backup server.)
  63. Infrastructure: Tor. (Diagram: victims, Internet, Tor network, web panel.)
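Slides 36-38 name the POS families (Alina, Dexter, BlackPOS, JackPOS) but do not show what they take. These families are memory scrapers: they read the POS application's process memory and carve out magnetic-stripe track data while it is still in the clear. The scanner below is an added example, not code from the talk and not from any of those families; it does the same carving a defender would do on a memory dump or on a suspected exfiltration file, using the ISO/IEC 7813 Track 2 layout and a Luhn check to discard digit runs that merely look like cards. The memory buffer is constructed inline from public test card numbers.

```python
"""Carve Track 2 card data out of a memory buffer, the way POS RAM scrapers do (added example)."""
import re

# ISO/IEC 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(
    rb";(?P<pan>[0-9]{13,19})=(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})(?P<disc>[0-9]*)\?"
)

# Constructed process-memory sample: two valid tracks, one with a bad check digit,
# surrounded by unrelated bytes. The PANs are public test numbers, not real cards.
SAMPLE_MEMORY = (
    b"\x00\x00POS-app-buffer\x00"
    b";4111111111111111=25121010000000000000?"
    b"\x00\x00\xff;4111111111111112=2512101?\x00"
    b"\x00TXN 000123\x00"
    b";5555555555554444=26072011234567890?"
    b"\x00\x00"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; rejects most random digit runs that fit the pattern."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and the last four digits, as a report should; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes):
    """Return one dict per Luhn-valid Track 2 record found in buf."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode("ascii")
        if not luhn_ok(pan):
            continue  # pattern matched but the check digit failed: almost certainly not a card
        exp = m.group("exp").decode("ascii")
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry": f"{exp[2:]}/{exp[:2]}",  # stored as YYMM, reported as MM/YY
            "service_code": m.group("svc").decode("ascii"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_track2(SAMPLE_MEMORY):
        print(hit)
```

Run against a real dump, the same loop is the triage step: a hit count well above zero in a process that should never hold cleartext track data is the indicator, and the masked PANs are what goes into the incident report.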

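Slides 58 and 59 show the fast-flux layout: the name the victim resolves points at a rotating set of infected hosts that relay HTTP to the real C&C (or to a proxy in front of it), so the backend never appears in DNS. From the defender's side this looks like one name resolving to many unrelated addresses with short TTLs. The script below is an added example, not from the talk: it takes passive-DNS observations in a hypothetical "timestamp domain ttl ip" format (a constructed sample), summarizes per-domain address diversity and applies a simple threshold heuristic. Using the IPv4 /16 prefix as a stand-in for an ASN lookup is an assumption made to keep the example offline, and the thresholds are illustrative rather than a published formula.

```python
"""Flag fast-flux domains from passive-DNS observations (added example, heuristic)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in a hypothetical "timestamp domain ttl ip" format.
# Names are under the reserved .test TLD; addresses are RFC 5737 / RFC 1918 ranges.
SAMPLE_PDNS = """\
# flux-looking name: short TTL, a new address almost every lookup, scattered networks
1393632000 update.flux-example.test 180 203.0.113.10
1393632200 update.flux-example.test 180 198.51.100.77
1393632400 update.flux-example.test 180 192.0.2.33
1393632600 update.flux-example.test 180 203.0.113.201
1393632800 update.flux-example.test 180 198.51.100.8
1393633000 update.flux-example.test 180 192.0.2.140
# ordinary static site: one address, long TTL
1393632000 www.static-example.test 86400 192.0.2.1
1393632600 www.static-example.test 86400 192.0.2.1
# CDN-style round robin: short TTL, but every address sits in one network
1393632000 cdn.rr-example.test 60 10.0.1.5
1393632300 cdn.rr-example.test 60 10.0.1.6
1393632600 cdn.rr-example.test 60 10.0.1.7
"""


def parse_pdns(text):
    """Return (timestamp, domain, ttl, ip) tuples; comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, domain, ttl, ip = line.split()
        records.append((int(ts), domain.lower().rstrip("."), int(ttl), ip_address(ip)))
    return records


def coarse_prefix(ip):
    """/16 for IPv4, /32 for IPv6: a crude stand-in for an ASN lookup (assumption)."""
    plen = 16 if ip.version == 4 else 32
    return ip_network(f"{ip}/{plen}", strict=False)


def summarize(records):
    """Per-domain address diversity and the lowest TTL seen."""
    by_domain = defaultdict(list)
    for _, domain, ttl, ip in records:
        by_domain[domain].append((ttl, ip))
    stats = {}
    for domain, obs in by_domain.items():
        ips = {ip for _, ip in obs}
        stats[domain] = {
            "observations": len(obs),
            "ips": len(ips),
            "prefixes": len({coarse_prefix(ip) for ip in ips}),
            "min_ttl": min(ttl for ttl, _ in obs),
        }
    return stats


def is_fast_flux(s, min_ips=5, min_prefixes=3, max_ttl=300):
    """Illustrative thresholds: many addresses, in unrelated networks, rotated quickly."""
    return s["ips"] >= min_ips and s["prefixes"] >= min_prefixes and s["min_ttl"] <= max_ttl


def flag_fast_flux(text, **thresholds):
    """Domains in the passive-DNS text that trip the heuristic, sorted by name."""
    stats = summarize(parse_pdns(text))
    return sorted(d for d, s in stats.items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for domain, s in summarize(parse_pdns(SAMPLE_PDNS)).items():
        print(f"{domain:26} ips={s['ips']} prefixes={s['prefixes']} min_ttl={s['min_ttl']}")
    print("fast flux:", flag_fast_flux(SAMPLE_PDNS))
```

The network-diversity term is what separates flux from a CDN: both rotate addresses on short TTLs, but a CDN's addresses stay inside its own allocations, while infected relay hosts are scattered across consumer ISPs. Lowering min_prefixes to 1 makes the CDN name trip the check too, which is why a real deployment would replace the /16 stand-in with an ASN lookup.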