BOTNET
WILL NOT TALK ABOUT
- How to fly a Boeing 787
- Or a Boeing 777
- Blowing up a computer remotely
WILL TALK ABOUT
- Basic introduction to internet security
- What is a botnet? What is C&C?
- How does it get onto your computer?
- The different modules
- Real-life stories
- Live example
Bottom Line
A bot is simply an automated computer program, or robot.
BOT
Turning your computer into a bot using a Trojan, malware, etc.
The bot is installed on the victim's computer and communicates with the C&C server.
HOW DOES IT WORK?
HOW DO YOU BUILD A BOT?
Easy: with a bot builder. Although you can also create one from scratch.
SPREAD THE WORD…
So, we have created this great bot; now let's spread it via….
But how?!?
Via affiliate programs, torrents, eMule, or any P2P network out there.
For example, let's call it {Some.New.Movie}.blu.ray, and yes, we can make it 5GB even though our bot is only 100KB.
Yes, sometimes you will see {some.great.movie.avi} at 565KB. Yeah, right.
SPREAD THE WORD…
django unchained
SPREAD THE WORD…
Affiliates?!?
C&C
Command and Control Server
In the old days, a server that collected the victim data.
Today it is much more complicated:
- Encrypted network connections
- Botnet access to the Kad network
AN ANTIVIRUS OF ITS OWN
The bootkit infects the MBR in order to launch itself.
This is a classic method used by downloaders: it ensures a longer malware lifecycle and makes the malware less visible to most security programs.
SEARCHES THE SYSTEM REGISTRY FOR OTHER MALICIOUS PROGRAMS
BOTNET ACCESS TO THE KAD NETWORK
So what do the cybercriminals want with a publicly accessible file exchange network?
1. The cybercriminals make an encrypted file that contains a list of commands.
2. The infected computer receives the command to download and install the module.
3. After the installation, the victim gets the nodes file, which contains the publicly accessible list of IP addresses of network servers and clients (Kad servers and clients).
4. The module then sends a request to the Kad network to search for the right file.
5. Once the file has been downloaded and decrypted, the DLL runs the commands it contains.
PROXY MODULE
Basically a proxy server on the victim's computer.
- This module facilitates the anonymous viewing of Internet resources via infected machines.
- A new way of making money $$: offering anonymous Internet access as a service, at a cost of roughly $100 per month.
- Hiding the network and the C&C servers.
ANOTHER COOL WAY TO PROXY
FAST FLUX
Fast flux DNS takes advantage of the way load balancing is built into DNS.
It allows an administrator to register a number of IP addresses under a single host name (for example: google.com, facebook.com, etc.).
And the secret is the TTL,
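An added example, not part of the slides, of how a defender turns the TTL observation into a check: a Python script that reads resolver log lines and flags host names that combine a very short TTL with many distinct addresses spread across many networks. The log format ("epoch name TTL A-record"), the sample lines and the thresholds are all constructed assumptions; legitimate CDNs and round-robin load balancers also use short TTLs with many addresses, so a hit is a triage signal to enrich with ASN and geo data, not a verdict.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log (not taken from any real DNS server).
# Format assumed here: "<epoch seconds> <query name> <TTL> <A record>".
SAMPLE_LOG = """\
1700000000 update.example-flux.test 180 203.0.113.10
1700000200 update.example-flux.test 180 198.51.100.77
1700000400 update.example-flux.test 180 192.0.2.45
1700000600 update.example-flux.test 180 203.0.113.200
1700000800 update.example-flux.test 180 198.51.100.9
1700001000 update.example-flux.test 180 192.0.2.131
1700000000 www.example.test 3600 192.0.2.10
1700003600 www.example.test 3600 192.0.2.10
1700007200 www.example.test 3600 192.0.2.11
"""

# Heuristic thresholds (assumed values, tune per environment).
MAX_TTL = 300          # seconds; fast-flux records are rotated with very short TTLs
MIN_DISTINCT_IPS = 5   # distinct A records seen for one name
MIN_DISTINCT_NETS = 3  # distinct /16 networks, a crude stand-in for ASN diversity


def parse_log(text):
    """Parse log lines into (timestamp, name, ttl, ip) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, ttl, ip = line.split()
        records.append((int(ts), name.lower().rstrip("."), int(ttl),
                        ipaddress.ip_address(ip)))
    return records


def summarize(records):
    """Aggregate per query name: distinct IPs, distinct /16 networks, lowest TTL seen."""
    per_name = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None})
    for _, name, ttl, ip in records:
        s = per_name[name]
        s["ips"].add(ip)
        s["nets"].add(ipaddress.ip_network(f"{ip}/16", strict=False))
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
    return per_name


def flag_fast_flux(records):
    """Return {name: stats} for names whose TTL and address churn look like fast flux."""
    suspicious = {}
    for name, s in summarize(records).items():
        if (s["min_ttl"] <= MAX_TTL
                and len(s["ips"]) >= MIN_DISTINCT_IPS
                and len(s["nets"]) >= MIN_DISTINCT_NETS):
            suspicious[name] = {
                "min_ttl": s["min_ttl"],
                "distinct_ips": len(s["ips"]),
                "distinct_nets": len(s["nets"]),
            }
    return suspicious


if __name__ == "__main__":
    for name, stats in flag_fast_flux(parse_log(SAMPLE_LOG)).items():
        print(f"possible fast flux: {name} {stats}")
```

On the constructed log, update.example-flux.test (TTL 180, six addresses in three /16 networks) is flagged and www.example.test (TTL 3600, two neighbouring addresses) is not. Feeding it real resolver logs means adapting `parse_log` to the server's own log format.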
WAYS TO TRANSFER MONEY
REAL LIFE EXAMPLE :: TDL4
A couple of facts:
1. TDSS is one of the most sophisticated threats.
2. TDSS uses a range of methods to evade signature, heuristic, and proactive detection.
3. It uses encryption to facilitate communication between its bots and the botnet command and control center.
4. A powerful rootkit component allows it to conceal the presence of any other types of malware in the system.
5. An algorithm encrypts the protocol used for communication between infected computers and botnet command and control servers.
6. A Kad.dll module allows the TDSS botnet to access the Kad network.
7. Socks.dll has been added to TDSS's svchost.exe; it is used to establish a proxy server on an infected computer.
8. Smart ways to get commands using encrypted files and different servers.
WAYS TO SOLVE
1. Wireshark: view the traffic logs and information.
2. DNS server logs, when working in cooperation with the proxy server.
3. BIOS: stop infection of the MBR.
SOME MORE REAL LIFE STORIES
• Chinese banker Trojan: There are 242 million e-commerce users in China (as of Dec 2012), which means nearly half of all Internet users in China. (There is a lot of money involved!) Win32.Bancyn.a, named 'Floating Cloud', was used to steal several million dollars from e-commerce users.
• Social Network Trojan (Brazil): "PimpMyWindow", an adware and click-fraud scheme that has infected several Brazilian Facebook users in recent days. Basically a browser plugin that communicates with the "criminal" server and sends the user's information whenever the user is logged in to one of the Brazilian banks.
419 NIGERIAN SCAMS
The email asks the recipient to send an advance payment to the lottery so that they can release the prize money.
Lots of naive users get fooled by the scammers and end up wasting their money.

A sample 419 scam email
------------------------------------
Sender: uk_national_lottery_005@hotmail.com
Subject: !!!CONGRATULATIONS YOU ARE A WINNER!!!

FROM THE LOTTERY PROMOTIONS MANAGER,
THE UNITED KINGDOM INTERNATIONAL LOTTERY,
PO BOX 287, WATFORD WD18 9TT,
UNITED KINGDOM.

We are delighted to inform you of your prize release from the United Kingdom
International Lottery program. Your name was attached to Ticket number;
47061725, Batch number; 7056490902, Winning number; 07-14-24-37-43-48 bonus
number 29, which consequently won the lottery in the first category....
SLIDESHARE.NET ATTACK
Example 2: April 23, 2008
• Slideshare was down for a few days due to a DDoS attack that originated from China.
• The attack reached a peak of 2.5GB/sec and consisted entirely of packets sent from China.
• 2.5 GB/sec?!?! Try to imagine how many bots were involved.
HOPE YOU ALL ENJOY!

“The quieter you become, the more you are able to hear…”

Bots and malware


Editor's Notes

1. Botnet access to the Kad network

One of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network? We have known about botnets controlled via P2P for some time now, although until now these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below:

1. The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS.
2. Computers infected with TDSS receive the command to download and install the kad.dll module.
3. Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients.
4. The kad.dll module then sends a request to the Kad network to search for the ktzerules file.
5. Once the ktzerules file has been downloaded and decrypted, kad.dll runs the commands which ktzerules contains.