SlideShare a Scribd company logo
1 of 81
Download to read offline
Carberp Evolution and BlackHole:
  Investigation Beyond the Event Horizon

     Aleksandr Matrosov, ESET
     Eugene Rodionov, ESET
     Dmitry Volkov, Group-IB
     Vladimir Kropotov, TNK-BP
Agenda

 Carberp cybercrime group investigation
    evolution of botnet
    tracking Carberp affiliate people
 What are the next steps of investigation?

 Evolution of Carberp distribution scheme
 Carberp in-depth analysis

 Domain shadow games
 Infected legitimate web sites
Carberp cybercrime group investigation
Cybercrime group #1
                        Carberp



                            ???




                            GizmoSB



                NeoSploit             Carberp 1


                BlackHole             RDPdoor


                                      Shelldor


                                      Autoload
Cybercrime group #1
                        Carberp



                            Freeq




                            GizmoSB



                NeoSploit             Carberp 1


                BlackHole             RDPdoor


                                      Shelldor


                                      Autoload
Cybercrime group #1
                        Carberp



                            Freeq




                            GizmoSB



                NeoSploit             Carberp 1


                BlackHole             RDPdoor


                                      Shelldor


                                      Autoload
Win32/Sheldor C&C
Win32/RDPdoor C&C
                      Carberp



                          Freeq




                          GizmoSB



              NeoSploit             Carberp 1


              BlackHole             RDPdoor


                                    Shelldor


                                    Autoload
Autoload C&C
Arrest
Cybercrime group #2
                 Carberp




                                                           Pasha aka
                      ???                                              Qruiokd
                                                            Klasvas




                     GizmoSB               «Who?»



         NeoSploit             Carberp 1             Carberp 2


         BlackHole             RDPdoor
                                             Krys Sploit

                               Sheldor


                               Autoload
Cybercrime group #2
Cybercrime group #2
D****** I*** (10th June Arrested)
 D****** I***, 1989, Russia – Botnet administrator («who?» aka
  benq-sim, also possible Sw1nDleR, Opsos)

 Maxim Glotov, 1987, Russia – Malware developer («Robusto»,
  aka «Den Adel», «Mobyart», «On1iner»)
Cybercrime group #3

            Carberp



                                                     Pasha aka
                 ???                                             Qruiokd
                                                      Klasvas



                GizmoSB               «Who?»                         Hodprot



    NeoSploit             Carberp 1             Carberp 2


    BlackHole             RDPdoor
                                       Krys Sploit

                          Shelldor


                          Autoload
Cybercrime group #3
Blackhole C&C
Blackhole C&C
Cybercrime group #3
Cybercrime group #3
Cybercrime group #3
Carberp & Facebook
  neauihfndcp8uihfedc.com (146.185.242.31)
Carberp & Facebook
  neauihfndcp8uihfedc.com (146.185.242.31)
Carberp 3 Sell video

 Active sell – January 2011
 C&C Video : http://www.sendspace.com/file/iquzl6 (BpgzsvrN)
Carberp 3 Sell video

 Active sell – January 2011
 C&C Video : http://www.sendspace.com/file/iquzl6 (BpgzsvrN)
Evolution drive by downloads: Carberp case
Exploit kits used in distribution scheme
 Impact since 2010 (probivaites.in)
   •   Java/Exploit.CVE-2010-0840
   •   Java/Exploit.CVE-2010-0842
   •   Java/TrojanDownloader.OpenConnection


 Blackhole since 2011 (lifenews-sport.org)
   •   JS/Exploit.JavaDepKit (CVE-2010-0886)
   •   Java/Exploit.CVE-2011-3544
   •   Java/Exploit.CVE-2012-0507
   •   Java/Agent


 Nuclear Pack since 2012 (nod32-matrosov-pideri.org)
   •   Java/Exploit.CVE-2012-0507
Blackhole drive by download scheme


legitimate
    site


                                  TRUE   search       FALSE
                                          vuln



             exploitation stage
             /getJavaInfo.jar               dropper execution
             /content/obe.jar              /w.php?f=17&e=2
             /content/rino.jar
Blackhole drive by download scheme


legitimate
    site


                                  TRUE   search       FALSE
                                          vuln



             exploitation stage
             /getJavaInfo.jar               dropper execution
             /content/obe.jar              /w.php?f=17&e=2
             /content/rino.jar
Blackhole drive by download scheme


legitimate
    site


                                  TRUE   search       FALSE
                                          vuln



             exploitation stage
             /getJavaInfo.jar               dropper execution
             /content/obe.jar              /w.php?f=17&e=2
             /content/rino.jar
Blackhole drive by download scheme


legitimate
    site


                                  TRUE   search       FALSE
                                          vuln



             exploitation stage
             /getJavaInfo.jar               dropper execution
             /content/obe.jar              /w.php?f=17&e=2
             /content/rino.jar
Exploit kit migration reasons


            • most popular = most detected
       1

            • frequently leaked exploit kit
       2    • most popular exploit kit for research


            • auto detections by AV-crawlers
       3    • non-detection period is less than two hours
Blackhole migration to Nuclear Pack
Nuclear pack drive by download scheme

  legitimate
      site


  check real
    user
                                                TRUE     search          FALSE
                                                          vuln




             exploitation stage                                   dropper execution
//images/274e0118278c38ab7f4ef5f98b71d9dc.jar          /server_privileges.php?<gate_id>=<exp_id>
Nuclear pack drive by download scheme

  legitimate
      site


  check real
    user
                                                TRUE     search          FALSE
                                                          vuln




             exploitation stage                                   dropper execution
//images/274e0118278c38ab7f4ef5f98b71d9dc.jar          /server_privileges.php?<gate_id>=<exp_id>
Nuclear pack drive by download scheme

  legitimate
      site


  check real
    user
                                                TRUE     search          FALSE
                                                          vuln




             exploitation stage                                   dropper execution
//images/274e0118278c38ab7f4ef5f98b71d9dc.jar          /server_privileges.php?<gate_id>=<exp_id>
Nuclear pack drive by download scheme

  legitimate
      site


  check real
    user
                                                TRUE     search          FALSE
                                                          vuln




             exploitation stage                                   dropper execution
//images/274e0118278c38ab7f4ef5f98b71d9dc.jar          /server_privileges.php?<gate_id>=<exp_id>
Nuclear pack drive by download scheme

  legitimate
      site


  check real
    user
                                                TRUE     search          FALSE
                                                          vuln




             exploitation stage                                   dropper execution
//images/274e0118278c38ab7f4ef5f98b71d9dc.jar          /server_privileges.php?<gate_id>=<exp_id>
Nuclear pack drive by download scheme

  legitimate
      site


  check real
    user
                                                TRUE     search          FALSE
                                                          vuln




             exploitation stage                                   dropper execution
//images/274e0118278c38ab7f4ef5f98b71d9dc.jar          /server_privileges.php?<gate_id>=<exp_id>
Carberp detection statistics
Carberp detection statistics by country
Cloud data from Live Grid


                               Russia
                               Ukraine
                               Belarus
                               Kazakhstan
                               Turkey
                               United Kingdom
                               Spain
                               United States
                               Italy
                               Rest of the world
Carberp detections over time in Russia
       Cloud data from Live Grid

0.18
0.16
0.14
0.12
 0.1
0.08
0.06
0.04
0.02
  0
Evolution of Carberp modifications
Different groups, different bots, different C&C’s



                            Gizmo




                  D******


                                    Hodprot
functionality           Gizmo              D******                Hodprot
Dedicated dropper                                              Win32/Hodprot
Java patcher                                                       
Bootkit                                                       based on Rovnix
RDP backconnect                         Win32/RDPdoor          Win32/RDPdoor
TV backconnect      Win32/Sheldor        Win32/Sheldor          Win32/Sheldor
HTML injections     IE, Firefox, Opera   IE, Firefox, Opera,    IE, Firefox, Opera,
                                               Chrome                 Chrome
Autoloads                                                            
Unique plugins         minav.plug           sbtest.plug             sber.plug
                       passw.plug         cyberplat.plug            ddos.plug
                       killav.plug
commands Gizmo     D******   Hodprot                 Description
ddos                                download DDoS plugin and start attack
updatehosts                         modify hosts file on infected system
alert                               show message box on infected system
update                              download new version of Carberp
updateconfig                        download new version of config file
download                            download and execute PE-file
loaddll                             download plugin and load into memory
bootkit                             download and install bootkit
grabber                             grab HTML form data and send to C&C
killos                              modify boot code and delete system
                                       files
killuser                            delete user Windows account
killbot                             delete all files and registry keys
updatepatch                         download and modify java runtime
deletepatch                         delete java runtime modifications
The Story of BK-LOADER
    from Rovnix.A to Carberp
Interesting Carberp sample (October 2011)
Interesting Carberp sample (October 2011)
Interesting strings inside Carberp with bootkit
Carberp bootkit functionality


                                Inject user-mode
                                     payload




          Bootkit                Load unsigned
       bootstrap code            driver injector
Carberp bootkit functionality


                                Inject user-mode
                                     payload




          Bootkit                Load unsigned
       bootstrap code            driver injector
Carberp bootkit functionality


                                Inject user-mode
                                     payload




          Bootkit                Load unsigned
       bootstrap code            driver injector
Callgraph of bootkit installation routine
Rovnix kit hidden file systems comparison

functionality          Rovnix.A      Carberp with bootkit   Rovnix.B
VBR modification                                             
polymorphic VBR                                               
Malware driver                                                
storage
Driver encryption        custom             custom            custom
algorithm              (ROR + XOR)        (ROR + XOR)       (ROR + XOR)

Hidden file system                         FAT16             FAT16
                                          modification      modification
File system                                 RC6               RC6
encryption algorithm                      modification      modification
Comparison of Carberp file system with Rovnix.B
Comparison of Carberp file system with Rovnix.B
AntiRE tricks
Removing AV hooks before installation
Calling WinAPI functions by hash
Plugin encryption algorithm
Communication protocol encryption algorithm
Banks attacking algorithms
Bank attacking algorithm              Gizmo     D******   Hodprot
HTML injections                                             
autoload                                 2010             2011 (Sep)
dedicated plugins for major banks                           
intercepting client-banks activity                          
patching java                                               
webmoney/cyberplat                                          
stealing money from private persons                         
Statistics of real attacks with Carberp
How we get statistics

o Large guest network segments and wired Internet
  access monitored by IDS

o Attack attempts on corporate PCs

o Attack reproduction to collect exploit and payload
  samples

o Targeted infections of dedicated hosts for activity
  monitoring
Carberp C&C location
        Date            Domain name           IP-Address
02/Apr/2012    mn9gf8weoiludjc90ufo.org      62.122.79.3
03/Apr/2012    mw8f0ieohcjs9n498feuij.org    62.122.79.4
03/Apr/2012    nrf98uehiojsd9jfe.org         62.122.79.3
20/Apr/2012    mn9gf8weoiludjc90ufo.org      62.122.79.9
23/Apr/2012    mn9gf8weoiludjc90ufo.org      62.122.79.72
23/Apr/2012    newf7s9uhdf7ewuhfeh.org       62.122.79.11
23/Apr/2012:   ne789gfiujdf98ewyfuhef.org    62.122.79.46
23/Apr/2012    supermegasoftenwe.com         62.122.79.59
02/May/2012    rgn7er8yafh89cehuighv.org    91.228.134.210
Hacked web servers stats Q4 2011 - Q2 2012
   Domain      Resource type       Infection period      Times seen   Unique hosts
ria.ru             news           02.11.11 – 01.03.12       10          527064
kp.ru              news            04.10.11 – 13.10.11      10          427534
gazeta.ru          news              24 Feb 2012             1          380459
newsru.com         news              05 Mar 2012             1          321314
lifenews.ru        news             26 Mar 2012              1          183984
pravda.ru          news              20 Apr 2012             1          164271
eg.ru              news           08.10.11 – 13.10.11        6          137332
topnews.ru         news              06 Feb 2012             1          139003
infox.ru           news              05 Mar 2012             1          137396
rzd.ru        National Railroad   13.10.11-24.10.11         12          131578
inosmi.ru          news           02.11.2011 -15.02.12       5          113374
Top targeted auditory Domains



  Domain      Resource type    Infection period     Times seen   Unique hosts
klerk.ru      accountants     20.04.12 - 03.05.12       3          147518
banki.ru         finance         24 Feb 2012            1           67804
glavbukh.ru   accountants     06.02.12 – 03.05.12       4           43606
tks.ru           finance      01.02.12 - 03.05.12       3           23067
bankir.ru        finance      24.01.12 - 11.05.12       2           44542
References
 Exploit Kit plays with smart redirection
http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection

 Facebook Fakebook: New Trends in Carberp Activity
http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity

 Blackhole, CVE-2012-0507 and Carberp
http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp

 Evolution of Win32Carberp: going deeper
http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper

 Rovnix Reloaded: new step of evolution
http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution

 Hodprot: Hot to Bot
http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf

 Cybercrime in Russia: Trends and issues
http://go.eset.com/us/resources/white-papers/CARO_2011.pdf
Thank you for your attention!


Aleksandr Matrosov          Eugene Rodionov         Dmitry Volkov
matrosov@eset.sk            rodionov@eset.sk        volkov@group-ib.ru
@matrosov                   @vxradius               @groupib

                            Vladimir Kropotov
                            vbkropotov@tnk-bp.com
                            @vbkropotov

More Related Content

Viewers also liked

Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaAlex Matrosov
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigationAlex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetAlex Matrosov
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackAlex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareAlex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyCODE BLUE
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Contributor Personality Development on Mr.Sandeep Maheshwari by Barkha Manral
Contributor Personality Development on Mr.Sandeep Maheshwari by Barkha ManralContributor Personality Development on Mr.Sandeep Maheshwari by Barkha Manral
Contributor Personality Development on Mr.Sandeep Maheshwari by Barkha ManralBarkha Manral
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionAlex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitAlex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIAleksey Lukatskiy
 

Viewers also liked (20)

Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
42054960
4205496042054960
42054960
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorer
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
Contributor Personality Development on Mr.Sandeep Maheshwari by Barkha Manral
Contributor Personality Development on Mr.Sandeep Maheshwari by Barkha ManralContributor Personality Development on Mr.Sandeep Maheshwari by Barkha Manral
Contributor Personality Development on Mr.Sandeep Maheshwari by Barkha Manral
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 

Similar to Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon

A Developer’s Guide to Kubernetes Security
A Developer’s Guide to Kubernetes SecurityA Developer’s Guide to Kubernetes Security
A Developer’s Guide to Kubernetes SecurityGene Gotimer
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Mauricio Velazco
 
Syllabus of Ethical HACKING computer.pptx
Syllabus of Ethical HACKING computer.pptxSyllabus of Ethical HACKING computer.pptx
Syllabus of Ethical HACKING computer.pptxsachinsb1980
 
Год в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участияГод в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участияdefcon_kz
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CDSimon Bennetts
 
Digging deeper into the IE vulnerability CVE-2014-1776 with Cyphort
Digging deeper into the IE vulnerability CVE-2014-1776 with CyphortDigging deeper into the IE vulnerability CVE-2014-1776 with Cyphort
Digging deeper into the IE vulnerability CVE-2014-1776 with CyphortCyphort
 
ChefConf 2012 Spiceweasel
ChefConf 2012 SpiceweaselChefConf 2012 Spiceweasel
ChefConf 2012 SpiceweaselMatt Ray
 
Aloha RubyConf 2012 - JRuby
Aloha RubyConf 2012 - JRubyAloha RubyConf 2012 - JRuby
Aloha RubyConf 2012 - JRubyCharles Nutter
 
Why JRuby? - RubyConf 2012
Why JRuby? - RubyConf 2012Why JRuby? - RubyConf 2012
Why JRuby? - RubyConf 2012Charles Nutter
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 

Similar to Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon (10)

A Developer’s Guide to Kubernetes Security
A Developer’s Guide to Kubernetes SecurityA Developer’s Guide to Kubernetes Security
A Developer’s Guide to Kubernetes Security
 
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
Derbycon 2019 - I simulate therefore i catch: enhancing detection engineering...
 
Syllabus of Ethical HACKING computer.pptx
Syllabus of Ethical HACKING computer.pptxSyllabus of Ethical HACKING computer.pptx
Syllabus of Ethical HACKING computer.pptx
 
Год в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участияГод в Github bugbounty, опыт участия
Год в Github bugbounty, опыт участия
 
2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD2021 ZAP Automation in CI/CD
2021 ZAP Automation in CI/CD
 
Digging deeper into the IE vulnerability CVE-2014-1776 with Cyphort
Digging deeper into the IE vulnerability CVE-2014-1776 with CyphortDigging deeper into the IE vulnerability CVE-2014-1776 with Cyphort
Digging deeper into the IE vulnerability CVE-2014-1776 with Cyphort
 
ChefConf 2012 Spiceweasel
ChefConf 2012 SpiceweaselChefConf 2012 Spiceweasel
ChefConf 2012 Spiceweasel
 
Aloha RubyConf 2012 - JRuby
Aloha RubyConf 2012 - JRubyAloha RubyConf 2012 - JRuby
Aloha RubyConf 2012 - JRuby
 
Why JRuby? - RubyConf 2012
Why JRuby? - RubyConf 2012Why JRuby? - RubyConf 2012
Why JRuby? - RubyConf 2012
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 

Recently uploaded

Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfalexjohnson7307
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingScyllaDB
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...SOFTTECHHUB
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxjbellis
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireExakis Nelite
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdfMuhammad Subhan
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTopCSSGallery
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentationyogeshlabana357357
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptxFIDO Alliance
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctBrainSell Technologies
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfAnubhavMangla3
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024Lorenzo Miniero
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsLeah Henrickson
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxFIDO Alliance
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform EngineeringMarcus Vechiato
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxFIDO Alliance
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)Wonjun Hwang
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch TuesdayIvanti
 

Recently uploaded (20)

Generative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdfGenerative AI Use Cases and Applications.pdf
Generative AI Use Cases and Applications.pdf
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
The Ultimate Prompt Engineering Guide for Generative AI: Get the Most Out of ...
 
Vector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptxVector Search @ sw2con for slideshare.pptx
Vector Search @ sw2con for slideshare.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Microsoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - QuestionnaireMicrosoft CSP Briefing Pre-Engagement - Questionnaire
Microsoft CSP Briefing Pre-Engagement - Questionnaire
 
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
“Iamnobody89757” Understanding the Mysterious of Digital Identity.pdf
 
Top 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development CompaniesTop 10 CodeIgniter Development Companies
Top 10 CodeIgniter Development Companies
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider  Progress from Awareness to Implementation.pptxTales from a Passkey Provider  Progress from Awareness to Implementation.pptx
Tales from a Passkey Provider Progress from Awareness to Implementation.pptx
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdfFrisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
Frisco Automating Purchase Orders with MuleSoft IDP- May 10th, 2024.pptx.pdf
 
WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024WebRTC and SIP not just audio and video @ OpenSIPS 2024
WebRTC and SIP not just audio and video @ OpenSIPS 2024
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)CORS (Kitworks Team Study 양다윗 발표자료 240510)
CORS (Kitworks Team Study 양다윗 발표자료 240510)
 
2024 May Patch Tuesday
2024 May Patch Tuesday2024 May Patch Tuesday
2024 May Patch Tuesday
 

Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon

  • 1. Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon Aleksandr Matrosov, ESET Eugene Rodionov, ESET Dmitry Volkov, Group-IB Vladimir Kropotov, TNK-BP
  • 2. Agenda  Carberp cybercrime group investigation  evolution of botnet  tracking Carberp affiliate people  What are the next steps of investigation?  Evolution of Carberp distribution scheme  Carberp in-depth analysis  Domain shadow games  Infected legitimate web sites
  • 3. Carberp cybercrime group investigation
  • 4.
  • 5. Cybercrime group #1 Carberp ??? GizmoSB NeoSploit Carberp 1 BlackHole RDPdoor Shelldor Autoload
  • 6. Cybercrime group #1 Carberp Freeq GizmoSB NeoSploit Carberp 1 BlackHole RDPdoor Shelldor Autoload
  • 7. Cybercrime group #1 Carberp Freeq GizmoSB NeoSploit Carberp 1 BlackHole RDPdoor Shelldor Autoload
  • 9. Win32/RDPdoor C&C Carberp Freeq GizmoSB NeoSploit Carberp 1 BlackHole RDPdoor Shelldor Autoload
  • 12. Cybercrime group #2 Carberp Pasha aka ??? Qruiokd Klasvas GizmoSB «Who?» NeoSploit Carberp 1 Carberp 2 BlackHole RDPdoor Krys Sploit Sheldor Autoload
  • 15. D****** I*** (10th June Arrested)  D****** I***, 1989, Russia – Botnet administrator («who?» aka benq-sim, also possible Sw1nDleR, Opsos)  Maxim Glotov, 1987, Russia – Malware developer («Robusto», aka «Den Adel», «Mobyart», «On1iner»)
  • 16. Cybercrime group #3 Carberp Pasha aka ??? Qruiokd Klasvas GizmoSB «Who?» Hodprot NeoSploit Carberp 1 Carberp 2 BlackHole RDPdoor Krys Sploit Shelldor Autoload
  • 23. Carberp & Facebook neauihfndcp8uihfedc.com (146.185.242.31)
  • 24. Carberp & Facebook neauihfndcp8uihfedc.com (146.185.242.31)
  • 25. Carberp 3 Sell video  Active sell – January 2011  C&C Video : http://www.sendspace.com/file/iquzl6 (BpgzsvrN)
  • 26. Carberp 3 Sell video  Active sell – January 2011  C&C Video : http://www.sendspace.com/file/iquzl6 (BpgzsvrN)
  • 27. Evolution drive by downloads: Carberp case
  • 28. Exploit kits used in distribution scheme  Impact since 2010 (probivaites.in) • Java/Exploit.CVE-2010-0840 • Java/Exploit.CVE-2010-0842 • Java/TrojanDownloader.OpenConnection  Blackhole since 2011 (lifenews-sport.org) • JS/Exploit.JavaDepKit (CVE-2010-0886) • Java/Exploit.CVE-2011-3544 • Java/Exploit.CVE-2012-0507 • Java/Agent  Nuclear Pack since 2012 (nod32-matrosov-pideri.org) • Java/Exploit.CVE-2012-0507
  • 29. Blackhole drive by download scheme legitimate site TRUE search FALSE vuln exploitation stage /getJavaInfo.jar dropper execution /content/obe.jar /w.php?f=17&e=2 /content/rino.jar
  • 30. Blackhole drive by download scheme legitimate site TRUE search FALSE vuln exploitation stage /getJavaInfo.jar dropper execution /content/obe.jar /w.php?f=17&e=2 /content/rino.jar
  • 31. Blackhole drive by download scheme legitimate site TRUE search FALSE vuln exploitation stage /getJavaInfo.jar dropper execution /content/obe.jar /w.php?f=17&e=2 /content/rino.jar
  • 32. Blackhole drive by download scheme legitimate site TRUE search FALSE vuln exploitation stage /getJavaInfo.jar dropper execution /content/obe.jar /w.php?f=17&e=2 /content/rino.jar
  • 33. Exploit kit migration reasons • most popular = most detected 1 • frequently leaked exploit kit 2 • most popular exploit kit for research • auto detections by AV-crawlers 3 • non-detection period is less than two hours
  • 34. Blackhole migration to Nuclear Pack
  • 35. Nuclear pack drive by download scheme legitimate site check real user TRUE search FALSE vuln exploitation stage dropper execution //images/274e0118278c38ab7f4ef5f98b71d9dc.jar /server_privileges.php?<gate_id>=<exp_id>
  • 36. Nuclear pack drive by download scheme legitimate site check real user TRUE search FALSE vuln exploitation stage dropper execution //images/274e0118278c38ab7f4ef5f98b71d9dc.jar /server_privileges.php?<gate_id>=<exp_id>
  • 37. Nuclear pack drive by download scheme legitimate site check real user TRUE search FALSE vuln exploitation stage dropper execution //images/274e0118278c38ab7f4ef5f98b71d9dc.jar /server_privileges.php?<gate_id>=<exp_id>
  • 38. Nuclear pack drive by download scheme legitimate site check real user TRUE search FALSE vuln exploitation stage dropper execution //images/274e0118278c38ab7f4ef5f98b71d9dc.jar /server_privileges.php?<gate_id>=<exp_id>
  • 39. Nuclear pack drive by download scheme legitimate site check real user TRUE search FALSE vuln exploitation stage dropper execution //images/274e0118278c38ab7f4ef5f98b71d9dc.jar /server_privileges.php?<gate_id>=<exp_id>
  • 40. Nuclear pack drive by download scheme legitimate site check real user TRUE search FALSE vuln exploitation stage dropper execution //images/274e0118278c38ab7f4ef5f98b71d9dc.jar /server_privileges.php?<gate_id>=<exp_id>
  • 42. Carberp detection statistics by country Cloud data from Live Grid Russia Ukraine Belarus Kazakhstan Turkey United Kingdom Spain United States Italy Rest of the world
  • 43. Carberp detections over time in Russia Cloud data from Live Grid 0.18 0.16 0.14 0.12 0.1 0.08 0.06 0.04 0.02 0
  • 44. Evolution of Carberp modifications
  • 45. Different groups, different bots, different C&C’s Gizmo D****** Hodprot
  • 46. functionality Gizmo D****** Hodprot Dedicated dropper   Win32/Hodprot Java patcher    Bootkit    based on Rovnix RDP backconnect  Win32/RDPdoor Win32/RDPdoor TV backconnect Win32/Sheldor Win32/Sheldor Win32/Sheldor HTML injections IE, Firefox, Opera IE, Firefox, Opera, IE, Firefox, Opera, Chrome Chrome Autoloads    Unique plugins minav.plug sbtest.plug sber.plug passw.plug cyberplat.plug ddos.plug killav.plug
  • 47. commands Gizmo D****** Hodprot Description ddos    download DDoS plugin and start attack updatehosts    modify hosts file on infected system alert    show message box on infected system update    download new version of Carberp updateconfig    download new version of config file download    download and execute PE-file loaddll    download plugin and load into memory bootkit    download and install bootkit grabber    grab HTML form data and send to C&C killos    modify boot code and delete system files killuser    delete user Windows account killbot    delete all files and registry keys updatepatch    download and modify java runtime deletepatch    delete java runtime modifications
  • 48. The Story of BK-LOADER from Rovnix.A to Carberp
  • 49.
  • 50.
  • 51.
  • 52.
  • 53. Interesting Carberp sample (October 2011)
  • 54. Interesting Carberp sample (October 2011)
  • 55. Interesting strings inside Carberp with bootkit
  • 56. Carberp bootkit functionality Inject user-mode payload Bootkit Load unsigned bootstrap code driver injector
  • 57. Carberp bootkit functionality Inject user-mode payload Bootkit Load unsigned bootstrap code driver injector
  • 58. Carberp bootkit functionality Inject user-mode payload Bootkit Load unsigned bootstrap code driver injector
  • 59. Callgraph of bootkit installation routine
  • 60. Rovnix kit hidden file systems comparison functionality Rovnix.A Carberp with bootkit Rovnix.B VBR modification    polymorphic VBR    Malware driver    storage Driver encryption custom custom custom algorithm (ROR + XOR) (ROR + XOR) (ROR + XOR) Hidden file system  FAT16 FAT16 modification modification File system  RC6 RC6 encryption algorithm modification modification
  • 61. Comparison of Carberp file system with Rovnix.B
  • 62. Comparison of Carberp file system with Rovnix.B
  • 64. Removing AV hooks before installation
  • 69. Bank attacking algorithm Gizmo D****** Hodprot HTML injections    autoload 2010  2011 (Sep) dedicated plugins for major banks    intercepting client-banks activity    patching java    webmoney/cyberplat    stealing money from private persons   
  • 70.
  • 71.
  • 72.
  • 73.
  • 74.
  • 75. Statistics of real attacks with Carberp
  • 76. How we get statistics o Large guest network segments and wired Internet access monitored by IDS o Attack attempts on corporate PCs o Attack reproduction to collect exploit and payload samples o Targeted infections of dedicated hosts for activity monitoring
  • 77. Carberp C&C location Date Domain name IP-Address 02/Apr/2012 mn9gf8weoiludjc90ufo.org 62.122.79.3 03/Apr/2012 mw8f0ieohcjs9n498feuij.org 62.122.79.4 03/Apr/2012 nrf98uehiojsd9jfe.org 62.122.79.3 20/Apr/2012 mn9gf8weoiludjc90ufo.org 62.122.79.9 23/Apr/2012 mn9gf8weoiludjc90ufo.org 62.122.79.72 23/Apr/2012 newf7s9uhdf7ewuhfeh.org 62.122.79.11 23/Apr/2012: ne789gfiujdf98ewyfuhef.org 62.122.79.46 23/Apr/2012 supermegasoftenwe.com 62.122.79.59 02/May/2012 rgn7er8yafh89cehuighv.org 91.228.134.210
  • 78. Hacked web servers stats Q4 2011 - Q2 2012 Domain Resource type Infection period Times seen Unique hosts ria.ru news 02.11.11 – 01.03.12 10 527064 kp.ru news 04.10.11 – 13.10.11 10 427534 gazeta.ru news 24 Feb 2012 1 380459 newsru.com news 05 Mar 2012 1 321314 lifenews.ru news 26 Mar 2012 1 183984 pravda.ru news 20 Apr 2012 1 164271 eg.ru news 08.10.11 – 13.10.11 6 137332 topnews.ru news 06 Feb 2012 1 139003 infox.ru news 05 Mar 2012 1 137396 rzd.ru National Railroad 13.10.11-24.10.11 12 131578 inosmi.ru news 02.11.2011 -15.02.12 5 113374
  • 79. Top targeted auditory Domains Domain Resource type Infection period Times seen Unique hosts klerk.ru accountants 20.04.12 - 03.05.12 3 147518 banki.ru finance 24 Feb 2012 1 67804 glavbukh.ru accountants 06.02.12 – 03.05.12 4 43606 tks.ru finance 01.02.12 - 03.05.12 3 23067 bankir.ru finance 24.01.12 - 11.05.12 2 44542
  • 80. References  Exploit Kit plays with smart redirection http://blog.eset.com/2012/04/05/blackhole-exploit-kit-plays-with-smart-redirection  Facebook Fakebook: New Trends in Carberp Activity http://blog.eset.com/2012/01/26/facebook-fakebook-new-trends-in-carberp-activity  Blackhole, CVE-2012-0507 and Carberp http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp  Evolution of Win32Carberp: going deeper http://blog.eset.com/2011/11/21/evolution-of-win32carberp-going-deeper  Rovnix Reloaded: new step of evolution http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution  Hodprot: Hot to Bot http://go.eset.com/us/resources/white-papers/Hodprot-Report.pdf  Cybercrime in Russia: Trends and issues http://go.eset.com/us/resources/white-papers/CARO_2011.pdf
  • 81. Thank you for your attention! Aleksandr Matrosov Eugene Rodionov Dmitry Volkov matrosov@eset.sk rodionov@eset.sk volkov@group-ib.ru @matrosov @vxradius @groupib Vladimir Kropotov vbkropotov@tnk-bp.com @vbkropotov