Barry Irwin
bvi@moria.org
@barryirwin
Darknetproject.org
CONFICKER: ~687 DAYS LATER
INTRO
WHAT IS IN A NAME?
•  Conficker - also known as Downup, Downadup and Kido
•  The name Conficker is thought to be a blend of the English term "configure" and the German word "Ficker"
•  An alternative interpretation reads it as a rearrangement of portions of the domain name trafficconverter.biz
•  Five variants
•  Conficker A, B, C, D and E (Microsoft naming)
•  Discovered 21/11/2008, 29/12/2008, 20/2/2009, 4/3/2009 and 7/4/2009 respectively
•  Microsoft naming is the more widely used
•  The Conficker Working Group (CWG) uses A, B, B++, C and E for the same variants respectively
•  So (CWG) B++ = (MSFT) C, and (CWG) C = (MSFT) D
RPC/DCOM - NOT PRETTY
MS08-067 - OUCH
HISTORY
OUTBREAK
•  Aug. 20: Gimmiv Trojan, first spotted running on a server in South Korea
•  ~Mid Sept. Chinese malware brokers are spotted selling a $37 exploit tool
•  Sept. 29: Gimmiv seen in the wild (Vietnam). Coding mistakes limit its ability to spread
•  Oct. 15. Dr. Ronald Rivest publishes the MIT MD6 hash function
•  Oct. 23. Microsoft issues out-of-band patch MS08-067 (CVE-2008-4250) for the RPC-reachable Server service vulnerability
•  Oct. 26: Chinese toolkit is given away for free. Bloom of related malware.
•  Oct. – early Nov. Gimmiv attacks unfold against unpatched PCs in Asia. Security experts begin to worry that someone will get the bright idea to create a self-replicating worm to seek out unpatched PCs – Blaster redone?
OUTBREAK
•  Nov. 20. Conficker A, a self-replicating worm begins to spread.
•  Nov. 22. Microsoft issues a security alert recommending
immediate patching.
•  Nov. 26. Conficker A’s “domain generation algorithm”
activates. Infected PCs begin trying to contact a different set of
250 web domains daily for further instructions.
•  late Nov. Conficker A census: 500,000 infected machines.
•  Dec 1 Infected machines check for downloads at
trafficconverter.biz
•  Trafficconverter is a site well known for fake security product. It
becomes the basis for naming the worm Conficker. Prior to this
the worm had been referred to as Downadup.
•  Dec. 24 -Dec. 27. Conficker A census: 1.5 million infected
machines.
•  late Dec. Conficker B begins spreading. Uses the MIT MD6 hash (with an RSA signature) to authenticate payloads, so bots accept only updates from the worm's operators.
OUTBREAK
•  Jan. 1. Conficker B initiates its own domain generation logic:
250 points/day
•  Jan. 11: Microsoft updates its cleanup tool so that it can scan
for and clean up early variants of Conficker.
•  Jan. 15. A buffer overflow in the MD6 reference implementation is disclosed and fixed.
•  mid Jan. to early Feb. Conficker A and Conficker B population
of machines explode: Estimates range from 3 million -12
million infected.
•  Feb. 12. Microsoft forms Conficker Cabal; offers $250,000
bounty (still unclaimed)
•  Feb 16. Conficker.B++ is spotted. Adds a backdoor that accepts signed updates pushed directly to the bot, so it no longer depends solely on the rendezvous domains (P2P proper arrives with C).
•  mid Feb.-Mar. The Cabal works to pre-empt the daily rendezvous points by registering the domains generated by the A and B variants
OUTBREAK
•  Mar. 5. Conficker C begins updating B and B++.
•  Halts the Internet-wide scanning
•  Organizes the infected PCs into P2P networks
•  Instructions on April 1, to begin checking a random group of 500
rendezvous points selected from 50,000 domains.
•  Finally, Conficker C ships the corrected MD6 code, closing the buffer overflow in the reference implementation.
•  Mar. 31. IBM reverses Conficker’s P2P client;
•  Asia has 45%; Europe 32%;
•  South America 14%; North America 6%.
•  Apr. 1. Infected systems begin checking 500 of 50,000 RV points per day
•  Cannot be defeated by pre-registration at that scale: the defenders would need all 50,000 domains every day, the bot needs only one
•  Apr. 8. An update (Conficker E) begins spreading via P2P to Conficker C machines.
•  The update resumes propagation via MS08-067,
•  Improved stealth
•  Installs the Waledac spambot and fake-antivirus (scareware) pitches
•  SPAM components
•  At the time of this talk (2010): ~8-10 million infected
RESPONSE
THE EYE CHART
http://www.joestewart.org/cfeyechart.html
MALWARE ACTION
MALWARE'S DEFENSE
http://en.wikipedia.org/wiki/Conficker
SPREAD
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionDistribution
THROUGH THE TELESCOPE
TELE-WHAT?
REFLECTION
WHAT WE HAVE LEARNED
•  Highly sophisticated
•  Well planned/executed
•  Nation state/Corporate/Underground support is highly likely
•  People still don’t patch
•  SQL Slammer proves this too!
•  Researchers still uncertain as to purpose
•  It was the next big thing... until the advent of STUXNET
QUESTIONS….
Twitter: @barryirwin
Web: darknetproject.org
Email: bvi@moria.org
OUTBREAK
Aug. 20: The Gimmiv Trojan, which exploited the vulnerability Conficker capitalises on, is first spotted running in a virtual machine on a server in South Korea. Experts speculate this was a test run prior to it being released in the wild. (Source: BBC)
Sept. Chinese malware brokers are spotted selling a $37 tool kit that allows anyone to exploit this newly-discovered security hole in the Windows Server service, the component behind file and print sharing, which is reachable over RPC (later patched as MS08-067). The vulnerable code is built into Windows 2000, XP and Server 2003 (Vista and Server 2008 are affected too, though harder to exploit); the XP-and-earlier base alone is some 800 million machines worldwide.
Sept. 29: Gimmiv first seen in the wild infecting a PC in Hanoi, Vietnam. Over the next few weeks it manages to infect 200 more machines in 23 nations, most of them in Malaysia. Mistakes in the way it is coded limit its ability to spread. (Source: BBC)
Oct. 15. MIT's Dr. Ronald Rivest publishes the MD6 hash function, MIT's entry in NIST's SHA-3 competition.
Oct. 23. Microsoft issues a rare out-of-band patch, MS08-067, for the vulnerability disclosed and exploited by the $37 malware kit.
Oct. 26: Word spreads about the $37 Chinese toolkit; they are forced to give it away. The release of the exploit code prompts many to craft malware that can seek out machines with the bug. (Source: BBC)
Oct. – early Nov. Isolated Gimmiv attacks unfold against unpatched PCs in Asia. Sunbelt Software reverse engineers one of the early attacks-in-the-wild. Sunbelt researcher Eric Sites discovers that Gimmiv installs a new Dynamic Link Library (DLL) so that the next time the owner restarts the PC, a malicious Trojan takes root and runs continually in the background. Every 10 minutes it copies all registry information, all logons stored by the Web browser and a range of other information, and sends it back to the attacker.
Security experts begin to worry that someone will get the bright idea to create a self-
replicating worm to seek out unpatched PCs. “If other bad people find out how to use this,
we’re big trouble,” Sites predicts. “A Blaster-type worm could be created very easily, and
wreak havoc.”
OUTBREAK
Nov. 20. Conficker A, a self-replicating worm that scans Internet-wide for other
unpatched PCs to infect, begins to spread.
Nov. 22. Microsoft issues a security alert recommending immediate patching.
Nov. 26. Conficker A’s “domain generation algorithm” activates. Infected PCs
begin trying to contact a different set of 250 web domains daily for further
instructions.
late Nov. Security firm Damballa issues a Conficker A census: 500,000 infected
machines.
Dec 1. Conficker A-infected machines check in at trafficconverter.biz, following
instructions hard-coded into Conficker. “This was not part of the domain
generation algorithm,” says F-Secure’s Patrik Runald. “It attempted to do a
download but the file wasn’t there.”
Trafficconverter is a site well known for fake security product. It becomes the
basis for naming the worm Conficker. Prior to this the worm had been referred to
as Downadup.
Dec. 24 -Dec. 27. Research firm SRI issues Conficker A census: 1.5 million
infected machines.
late Dec. Conficker B begins spreading. It uses the MIT MD6 hash, together with an RSA signature, to authenticate every payload fetched from the rendezvous points: a bot hashes the download, checks the signature against the public key hard-coded in the worm, and discards anything that fails. This is done to prevent rival botnet groups from taking control; it also prevents security firms from inserting instructions to disinfect PCs, since they cannot produce a valid signature.
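As an added illustration (not code from the slides or from the worm itself), the following Python model shows the hash-then-sign check described above: the operators sign a hash of each payload with a private key, the bot verifies the signature with a public key baked into its binary, and anything else is discarded. SHA-256 stands in for MD6, which the Python standard library does not ship, and the RSA key is a deliberately tiny textbook one built from two Mersenne primes with no padding. Conficker used far larger keys; the toy key here is trivially factorable, so the example demonstrates the control flow of the check, not its strength.

```python
import hashlib

# Assumptions for this demo: a toy RSA key from two Mersenne primes, no
# padding, SHA-256 instead of MD6. Trivially breakable; illustration only.
_P = (1 << 31) - 1
_Q = (1 << 61) - 1
N = _P * _Q                                   # public modulus (~92 bits)
E = 65537                                     # public exponent
_D = pow(E, -1, (_P - 1) * (_Q - 1))          # private exponent: operators only


def payload_digest(payload: bytes) -> int:
    """Hash the payload and reduce it to an integer below N (88 bits < 92)."""
    h = hashlib.sha256(payload).digest()
    return int.from_bytes(h[:11], "big")


def operator_sign(payload: bytes) -> int:
    """What the worm's operators do before publishing a binary."""
    return pow(payload_digest(payload), _D, N)


def bot_verify(payload: bytes, sig: int) -> bool:
    """What an infected host does with a download from a rendezvous domain.
    It needs only (N, E), which are hard-coded in the worm, never _D."""
    return pow(sig, E, N) == payload_digest(payload)


def demo() -> dict:
    """Four deliveries to a bot; only the operators' own one should run."""
    genuine = b"update-v2: switch to 50000 domains/day"    # constructed payload
    sig = operator_sign(genuine)

    rival = b"rival: report to my C&C instead"             # constructed payload
    forged = pow(payload_digest(rival), 12345, N)          # a guess at _D

    cleaner = b"disinfect: remove worm and exit"           # constructed payload
    tampered = genuine.replace(b"50000", b"1")

    return {
        "genuine": bot_verify(genuine, sig),          # accepted
        "forged": bot_verify(rival, forged),          # rejected: no private key
        "cleaner_no_key": bot_verify(cleaner, sig),   # rejected: sig bound to hash
        "tampered": bot_verify(tampered, sig),        # rejected: hash changed
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15s} -> {'RUN' if accepted else 'DISCARD'}")
```

The defender's problem is visible in the last two cases: knowing the algorithm, the hash and the public key is not enough to push a cleanup payload, and the domain pre-registration effort described below could only deny the bots a download, never substitute one.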
OUTBREAK
Jan. 1. Conficker B initiates its own domain generation logic; infected PCs begin
checking in at different sets of 250 rendezvous points .
Jan 6: The UK's Ministry of Defence suffers its first infections. It takes the department two weeks to clear up the damage. (Source: BBC)
Jan. 11: Microsoft updates its cleanup tool so that it can scan for and clean up early variants of Conficker.
Jan. 15. MIT discloses a buffer overflow in the MD6 reference implementation and delivers a fix. The MD6 code embedded in Conficker B carries the same bug, so the bot's own hash code is vulnerable until the worm's authors ship the fix (which they do in Conficker C).
mid Jan. to early Feb. Conficker A and Conficker B population of machines
explodes, grabbing news headlines. Estimates range from 3 million to 12 million
machines infected.
Feb. 12. Microsoft forms the Conficker Cabal; offers $250,000 bounty for
information leading to the arrest of Conficker’s creators.
Feb 16. Conficker.B++ is spotted for the first time. Its changes seem to be a direct response to the Cabal's efforts to disable Conficker's communications strategy. It no longer needs to contact internet rendezvous points for updates; instead, a signed update can be pushed to the bot directly from any internet address. (Source: BBC)
mid Feb.-Mar. The Cabal works to stop PCs from connecting to the daily list of
250 rendezvous points. This is accomplished by registering the known set of
Conficker A and Conficker B domains, at least those that aren’t already registered.
OUTBREAK
Mar. 5. Conficker C begins updating all PCs infected with Conficker B and B++. Conficker C halts the Internet-wide scanning; it organizes the infected PCs into P2P networks; and it embeds instructions for each infected PC to begin, on April 1, checking a random group of 500 rendezvous points selected from 50,000 daily domains. Finally, Conficker C ships the corrected MD6 code, closing the buffer overflow in the reference implementation.
early March. While working on this 60 Minutes feature story, CBS News gets hit by Conficker, causing major disruption.
Mar. 31. IBM announces that it has cracked Conficker's customized P2P client and can see Conficker P2P signatures across the globe. Asia has 45% of infections; Europe 32%; South America 14%; North America 6%.
Apr. 1. All PCs updated with Conficker C begin checking 500 rendezvous points randomly selected from 50,000 web addresses for further instructions.
Apr. 8. An update (Conficker E) begins spreading via P2P to Conficker C machines. The update resumes propagation, covers its tracks better, and installs the Waledac spambot along with fake-antivirus (scareware) pitches.
Timeline researched by LastWatchdog. Gratitude extended to Microsoft, SRI International, SecureWorks, F-Secure, Sunbelt Software, Kaspersky Lab, Fortify Software, Arbor Networks, Lumension, Damballa, Sophos, IBM ISS and Trend Micro.
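The rendezvous arithmetic in the timeline above, as an added Python example (not part of the slides, and using a hypothetical date-seeded DGA rather than Conficker's own): both sides can compute the day's domain list, but the defender must sinkhole every domain on it while the bot needs only one that is not. At 250 domains a day over a handful of TLDs, registering the whole list is affordable; at 500 tried out of 50,000, even holding 98% of them leaves the bot with an unblocked domain almost every day. The TLD list and the domain format are assumptions made for the demo.

```python
import hashlib
import random
from datetime import date

# Assumption: a short TLD list for illustration only; the real variants used
# many more, which is part of what made registration expensive.
TLDS = ("com", "net", "org", "info", "biz")


def toy_dga(day: date, count: int) -> list:
    """Hypothetical date-seeded DGA (not Conficker's): anyone who knows the
    algorithm, bot or defender, derives the same list for a given day."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        domains.append(f"{h[:8]}.{TLDS[int(h[8:10], 16) % len(TLDS)]}")
    return domains


def p_bot_starved(total: int, registered: int, tried: int) -> float:
    """Probability that all `tried` domains a bot picks at random fall among
    the `registered` (sinkholed) ones: C(registered, tried) / C(total, tried),
    computed as a running product so the big binomials never materialise."""
    if tried > registered:
        return 0.0
    p = 1.0
    for i in range(tried):
        p *= (registered - i) / (total - i)
    return p


def bot_reaches_cnc(day: date, total: int, registered: int, tried: int,
                    seed: int = 1) -> bool:
    """Simulate one day: the defender sinkholes `registered` of the day's
    domains, the bot tries `tried` of them; True if any tried domain is
    not sinkholed, i.e. the bot still gets its instructions."""
    domains = toy_dga(day, total)
    rng = random.Random(seed)
    sinkholed = set(rng.sample(domains, registered))
    attempts = domains if tried >= total else rng.sample(domains, tried)
    return any(d not in sinkholed for d in attempts)


if __name__ == "__main__":
    scenarios = (
        ("A/B: 250/day, all 250 held", dict(total=250, registered=250, tried=250)),
        ("C: 500 of 50k tried, 500 held", dict(total=50_000, registered=500, tried=500)),
        ("C: 500 of 50k tried, 49k held", dict(total=50_000, registered=49_000, tried=500)),
    )
    for label, kw in scenarios:
        print(f"{label:32s} P(bot starved)={p_bot_starved(**kw):.2e}  "
              f"bot reaches C&C on 2009-04-01: "
              f"{bot_reaches_cnc(date(2009, 4, 1), **kw)}")
```

Holding every domain costs 250 x 365 registrations a year against A and B but 50,000 x 365 against C, spread over far more registries, which is why the Cabal's method stopped scaling on April 1 and why the P2P channel, which needs no domains at all, mattered even more.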

Deck: 2010 za con_barry_irwin (ZaCon 2010)
