This presentation, originally developed as part of FOSSSL 2006 (FOSSMil), was recently slightly updated and delivered at the CERT SL Conference.
In my talk, I discuss why FOSS is generally considered to be more secure than proprietary software.
The Avast Threat Report provides an overview of global threat activity for Q1 2015.
Avast malware researchers and Avast customers work 24/7 to protect each other. Avast protects 230 million people worldwide in more than 186 different countries: we are present in more countries than McDonald's and protect more people than any other antivirus security provider.
The Q1 security report looks at the state of cyberthreats as it relates to Wi-Fi, PC threats, mobile threats, and the steady evolution of ransomware.
Through this case study the reader will find a brief introduction to ideas such as:
- How the antivirus market emerged globally
- Who the key stakeholders were
- When the prominent names we see today started appearing
- Factors (technology + human) that stimulated competitive drive and rapid growth
- Revenue and sales insight for antivirus software sales by regions
The Conficker worm is notable because of its strong infection ability and sophisticated malware techniques. Learn what Conficker is and more related info here.
In the last nine months, crypto-mining malware and crypto-jacking have taken center stage in cybercrime news. We’ll discuss the most recent events and see how this links to ransomware, which dominated the cybercrime news last year, where one outbreak cost seven companies over one billion dollars.
Both crypto-mining malware and ransomware, aside from gathering headlines, demonstrate that cybercriminals and nation state actors are building capabilities for worming malware that could have the ability to do far greater damage than has yet been seen.
Come to this talk, learn what’s been going on, where it’s likely going, and how to avoid being a victim of a headline-generating event.
Welcome to the Threatsploit Report, covering some of the important cybersecurity events, incidents and exploits that occurred this month in areas such as Application Security, Mobile App Security, Network Security, Website Security, API Security, Cloud Security, Host Level Security, Cyber Intelligence, Thick Client Security, Threat Vulnerability, Database Security, IoT Security and Wireless Security.
Webinar: Vawtrak v2, the next big Banking Trojan (Blueliv)
A few years ago we entered a new era of cyber threats.
At the beginning of the Internet, most intrusions and ‘hacks’ were committed for the sole purpose of proving that it was possible, basically because the authors could do it.
At some point, though, someone realized that hacking could generate revenue: there was information that could be stolen and sold, and services that could be provided to make it easier, and thus the cybercrime industry was born.
This talk revisits the 2016 Mirai attack which targeted IoT devices including IP cameras, WiFi-connected refrigerators, home routers, and more. The resulting botnet was used to attack Dyn’s DNS platform, which affected many websites including Twitter, SoundCloud, Airbnb, and Spotify.
You will learn and discuss the answers to these questions and more:
• What is the current state of Mirai and Mirai variants?
• What Distributed Denial of Service (DDoS) defenses do you have in place?
• How can you prepare to detect and defend against this botnet malware?
• What is recommended in the September 2018 NISTIR Draft, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks?
The EternalBlue Exploit: how it works and affects systems (Andrea Bissoli)
The purpose of this report is to focus on one particular aspect of the WannaCry malware in order to understand which vulnerability it exploited and how it spread across the internet. The report shows the EternalBlue attack and how it is possible to take control of the PC by means of the DoublePulsar attack and a Meterpreter session. Then a case study is shown in which a pivoting attack is performed. In the end, simple keyloggers are injected into the attacked machines in order to collect some useful information.
3. WHAT IS IN A NAME?
• Conficker - also known as Downup, Downadup and Kido
• The origin of the name Conficker is thought to be a blend of the English term "configure" and the German word "Ficker"
• Alternative interpretation of the name, describing it as a rearrangement of portions of the domain name trafficconverter.biz
• Five variants
  • Conficker A, B, C, D and E
  • Discovered 21/11/2008, 29/12/2008, 20/2/2009, 4/3/2009 and 7/4/2009
• Microsoft naming is the more popular one used
• The Conficker Working Group (CWG) uses A, B, B++, C, and E for the same variants respectively
  • CWG B++ = MSFT C, and CWG C = MSFT D
9. OUTBREAK
• Aug. 20: Gimmiv Trojan, first spotted running on a server in South Korea
• ~Mid Sept.: Chinese malware brokers are spotted selling a $37 tool
• Sept. 29: Gimmiv seen in the wild (Vietnam). Mistakes limit its ability to spread
• Oct. 15: Dr. Ronald Rivest publishes the "MIT MD6 hashing algorithm"
• Oct. 23: Microsoft issues emergency patch for RPC-DCOM vuln MS08-067
• Oct. 26: Chinese toolkit is given away for free. Bloom of related malware
• Oct. – early Nov.: Gimmiv attacks unfold against unpatched PCs in Asia. Security experts begin to worry that someone will get the bright idea to create a self-replicating worm to seek out unpatched PCs – Blaster redone?
10. OUTBREAK
• Nov. 20: Conficker A, a self-replicating worm, begins to spread
• Nov. 22: Microsoft issues a security alert recommending immediate patching
• Nov. 26: Conficker A's "domain generation algorithm" activates. Infected PCs begin trying to contact a different set of 250 web domains daily for further instructions
• Late Nov.: Conficker A census: 500,000 infected machines
• Dec. 1: Infected machines check for downloads at trafficconverter.biz
  • Trafficconverter is a site well known for fake security products. It becomes the basis for naming the worm Conficker. Prior to this the worm had been referred to as Downadup
• Dec. 24 – Dec. 27: Conficker A census: 1.5 million infected machines
• Late Dec.: Conficker B begins spreading. Incorporates the MIT MD6 hashing algorithm to obscure communications
11. OUTBREAK
• Jan. 1: Conficker B initiates its own domain generation logic: 250 points/day
• Jan. 11: Microsoft updates its cleanup tool so that it can scan for and clean up early variants of Conficker
• Jan. 15: MIT discloses a security hole in the MIT MD6 hashing algorithm
• Mid Jan. to early Feb.: Conficker A and Conficker B population of machines explodes: estimates range from 3 million to 12 million infected
• Feb. 12: Microsoft forms the Conficker Cabal; offers $250,000 bounty (still unclaimed)
• Feb. 16: Conficker.B++ (aka C) is spotted. Introduces P2P protocol
• Mid Feb. – Mar.: The Cabal works to stop daily RV points by registering domains generated by the A & B variants
12. OUTBREAK
• Mar. 5: Conficker C begins updating B and B++
  • Halts the Internet-wide scanning
  • Organizes the infected PCs into P2P networks
  • Instructions on April 1 to begin checking a random group of 500 rendezvous points selected from 50,000 domains
  • Finally, Conficker C also patches the security hole in the MIT MD6 hashing algorithm
• Mar. 31: IBM reverses Conficker's P2P client
  • Asia has 45%; Europe 32%; South America 14%; North America 6%
• Apr. 1: Infected systems begin checking 500/50K RV points
  • Impossible to defeat using previous methods
• Apr. 8: An update begins spreading via P2P to Conficker C machines
  • The update begins propagation anew
  • Improved stealth
  • Installs Waledac antivirus patches
  • SPAM components
• Current: ~8-10 million infected
33. WHAT WE HAVE LEARNED
• Highly sophisticated
• Well planned/executed
• Nation state/corporate/underground support is highly likely
• People still don't patch
  • SQL Slammer proves this too!
• Researchers still uncertain as to purpose
• It was the next big thing... until the advent of STUXNET
39. OUTBREAK
Aug. 20: The Gimmiv Trojan, which exploited the vulnerability Conficker capitalises on, is first spotted running in a virtual machine on a server in South Korea. Experts speculate this was a test run prior to it being released in the wild. (Source: BBC)
Sept.: Chinese malware brokers are spotted selling a $37 tool kit that allows anyone to exploit this newly-discovered security hole in a component of Windows, called RPC-DCOM, which enables file and print sharing. RPC-DCOM is built into all PCs of Windows XP vintage and earlier, some 800 million machines worldwide.
Sept. 29: Gimmiv first seen in the wild infecting a PC in Hanoi, Vietnam. Over the next few weeks it manages to infect 200 more machines in 23 nations – most of which were in Malaysia. Mistakes in the way it is coded limit its ability to spread. (Source: BBC)
Oct. 15: MIT's Dr. Ronald Rivest publishes a cutting-edge security technique, called the "MIT MD6 hashing algorithm."
Oct. 23: Microsoft issues a rare emergency patch for the RPC-DCOM vulnerability disclosed, and exploited, by the $37 malware kit.
Oct. 26: Word spreads about the $37 Chinese toolkit; they are forced to give it away. The release of the exploit code prompts many to craft malware that can seek out machines with the bug. (Source: BBC)
Oct. – early Nov.: Isolated Gimmiv attacks unfold against unpatched PCs in Asia. Sunbelt Software reverse engineers one of the early attacks-in-the-wild. Sunbelt researcher Eric Sites discovers that Gimmiv installs a new Dynamic Link Library, or DLL, so that the next time the owner restarts his or her PC, a malicious Trojan takes root and continually runs in the background. Every 10 minutes, it copies all registry information, all logons stored by the Web browser and a bunch of other information and sends it back to the attacker.
Security experts begin to worry that someone will get the bright idea to create a self-replicating worm to seek out unpatched PCs. "If other bad people find out how to use this, we're big trouble," Sites predicts. "A Blaster-type worm could be created very easily, and wreak havoc."
40. OUTBREAK
Nov. 20: Conficker A, a self-replicating worm that scans Internet-wide for other unpatched PCs to infect, begins to spread.
Nov. 22: Microsoft issues a security alert recommending immediate patching.
Nov. 26: Conficker A's "domain generation algorithm" activates. Infected PCs begin trying to contact a different set of 250 web domains daily for further instructions.
Late Nov.: Security firm Damballa issues a Conficker A census: 500,000 infected machines.
Dec. 1: Conficker A-infected machines check in at trafficconverter.biz, following instructions hard-coded into Conficker. "This was not part of the domain generation algorithm," says F-Secure's Patrik Runald. "It attempted to do a download but the file wasn't there."
Trafficconverter is a site well known for fake security products. It becomes the basis for naming the worm Conficker. Prior to this the worm had been referred to as Downadup.
Dec. 24 – Dec. 27: Research firm SRI issues a Conficker A census: 1.5 million infected machines.
Late Dec.: Conficker B begins spreading. It incorporates the MIT MD6 hashing algorithm to obscure all communications moving between infected PCs and the rendezvous points. This is done to prevent rival botnet groups from taking control; it also prevents security firms from inserting instructions to disinfect PCs.
41. OUTBREAK
Jan. 1: Conficker B initiates its own domain generation logic; infected PCs begin checking in at different sets of 250 rendezvous points.
Jan. 6: The UK's Ministry of Defence suffers its first infections. It takes the department two weeks to clear up the damage. (Source: BBC)
Jan. 11: Microsoft updates its cleanup tool so that it can scan for and clean up early variants of Conficker.
Jan. 15: MIT discloses a security hole in its cutting-edge MIT MD6 hashing algorithm and also delivers the patch. This means the coding used to obscure communications in Conficker A and Conficker B, unless patched, is vulnerable to hacks.
Mid Jan. to early Feb.: The Conficker A and Conficker B population of machines explodes, grabbing news headlines. Estimates range from 3 million to 12 million machines infected.
Feb. 12: Microsoft forms the Conficker Cabal; offers $250,000 bounty for information leading to the arrest of Conficker's creators.
Feb. 16: Conficker.B++ is spotted for the first time. Its protocol seems to be in direct response to the Cabal's efforts to disable Conficker's communications strategy. It no longer needs to contact internet rendezvous points for updates; instead these can be flashed centrally from any internet address. (Source: BBC)
Mid Feb. – Mar.: The Cabal works to stop PCs from connecting to the daily list of 250 rendezvous points. This is accomplished by registering the known set of Conficker A and Conficker B domains, at least those that aren't already registered.
42. OUTBREAK
Mar. 5: Conficker C begins updating all PCs infected with Conficker B and B++. Conficker C halts the Internet-wide scanning; it organizes the infected PCs into P2P networks; and it also embeds instructions for each infected PC, on April 1, to begin checking a random group of 500 rendezvous points selected from 50,000 domains. Finally, Conficker C also patches the security hole in the MIT MD6 hashing algorithm.
Early March: While working on this 60 Minutes feature story, CBS News gets hit by Conficker, causing major disruption.
Mar. 31: IBM announces that it has cracked Conficker's customized P2P client and can see Conficker P2P signatures across the globe. Asia has 45% of infections; Europe 32%; South America 14%; North America 6%.
Apr. 1: All PCs updated with Conficker C begin checking 500 rendezvous points randomly selected from 50,000 web addresses for further instructions.
Apr. 8: An update begins spreading via P2P to Conficker C machines. The update begins propagation anew, covers its tracks better, and installs Waledac antivirus pitches.
Researched by LastWatchdog. Gratitude extended to Microsoft, SRI International, SecureWorks, F-Secure, Sunbelt Software, Kaspersky Lab, Fortify Software, Arbor Networks, Lumension, Damballa, Sophos, IBM ISS, Trend Micro.