Yong Chuan Koh, MWR Infosecurity
The MS Office Protected-View is unlike any other sandboxes; it aims to provide only a text-view of the document contents and therefore does not have to provide full functionalities of the application. As a result, the broker-sandbox Inter-Process Communication (IPC) attack surface is greatly reduced. However this does not mean there are no vulnerabilities. This talk will discuss the methodology for fuzzing this IPC attack surface, from the test-case generation to the discovery and analysis of MSRC case 3800.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
Scaling your logging infrastructure using syslog-ng
Peter Czanik
This talk was presented at All Things Open: https://allthingsopen.org/talk/scaling-your-logging-infrastructure/
Event logging is important not only for IT security and operations, but also for business decisions. The syslog-ng application is an enhanced logging daemon, with a focus on central log collection. It collects logs from many different sources, processes and filters them and finally it stores them or routes them for further analysis.
From this session you will learn (using examples from syslog-ng) why and how to parse important information from incoming messages, and how to route logs, feeding downstream systems using arbitrary formats. We will also discuss how the client – relay – server architecture can solve scalability problems. Also, I will present some of the recently introduced “Big Data” destinations of syslog-ng, which can help to scale your infrastructure even further.
Nick Anderson, Facebook
Just as Microsoft grows to embrace the open source community more and more, we must use open source tools to help us grow as a community. In this talk we'll explore the various advanced detection techniques we employ at Facebook using osquery for Windows. Specifically, we will examine instrumenting Windows Event Log data, inspecting detailed attack patterns on processes such as path hijacking, and mapping operating system state to detect deviations of a healthy system - all at Facebook scale. Building on these detection capabilities, we will then consider different response features currently available in osquery and how one can extend these capabilities to suit the needs of their own enterprise. By striving to make these advanced detection capabilities more approachable we hope to raise the bar of defenses employed by companies everywhere and encourage the security community to take a more proactive role in developing detection features used to catch advanced exploitation.
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
Signing DNSSEC answers on the fly at the edge: challenges and solutions, by Jono Bergquist.
A presentation given at the APNIC 40 APOPS 2 session on Tue, 8 Sep 2015.
Get the most out of your security logs using syslog-ng
Peter Czanik
Event logging is a central source of information for IT security. The syslog-ng application collects logs from many different sources, performs real-time log analysis by processing and filtering them, and finally it stores the logs or routes them for further analysis. This session focuses on how syslog-ng parses important information from incoming messages, enriches them with additional contextual information, and concludes with demonstrating how all of this can be used for alerting or for dashboards.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attack paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
SCaLE 2016 - syslog-ng: From Raw Data to Big Data
BalaBit
syslog-ng is an enhanced logging daemon, with a focus on central log collection. It collects logs from many different sources, processes and filters them and forwards them to a destination. This session focuses on how syslog-ng parses important information from incoming messages, how to send this information to “big data” destinations, like HDFS, Kafka, ElasticSearch or MongoDB.
Abstract: syslog-ng is an enhanced logging daemon, with a focus on central log collection. It collects logs from many different sources.
Raw log messages come in a variety of formats:
- Most lack any structure and are usually just an almost proper English sentence with some variable parts in it, like user names or IP addresses.
- Some have a fixed, table-like structure, like Apache access logs.
- A small minority of logs arrive in an already structured form: JSON.
Parsers in syslog-ng make it possible to extract important information from any of these messages and create name-value pairs. Once you have name-value pairs instead of raw log messages, you have many possibilities. On the syslog-ng side, you can use them for filtering, for example, to send an alert if the username is “root”. You can also use them in file names, or messages can be modified to facilitate log rotation or better suit applications processing the logs.
Parsing and preprocessing log messages also allows you to store them more effectively:
- you can send them to the destination (for example, ElasticSearch or MongoDB) in a format that can be easy to process (for example, JSON),
- you can filter irrelevant data, and forward only what is really needed,
- processing is off-loaded to very effective C code.
Finally you will learn about the “big data” destinations that syslog-ng supports, and how they benefit from message parsing:
- Hadoop Distributed File System (HDFS),
- Apache Kafka,
- ElasticSearch and Kibana, and
- MongoDB.
And if syslog-ng cannot already do something that you need, and you are not afraid of writing some code, you can learn about how language bindings of syslog-ng make it possible to add new destinations, not only in C, but also in Java, Lua, Perl, or Python.
Bio: Peter Czanik is community manager at Balabit, developers of syslog-ng. He helps distributions to maintain the syslog-ng package, follows bug trackers, helps users and talks regularly at conferences (FOSDEM, Libre Software Meeting, LOADays, Scale, etc.). In his limited free time he is interested in non-x86 architectures, and works on one of his PPC or ARM machines.
With the transition to the new version of the Internet protocol (IPv6), the rules of the "network reconnaissance" game have changed as well: the address brute-force method used with IPv4 is no longer feasible, since each subnet holds 2^64 addresses. In this workshop you will learn about the newest techniques for IPv6 network reconnaissance, as described in RFC 7707. You will be presented with an intensive hands-on workshop devoted to practising methods of investigating and hacking IPv6 networks.
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Andrew Brandt, Symantec
Back in 2014 and 2015, the Dyre (sometimes called Dyreza) Trojan was a distinctive crimeware tool for the simple reason that it appeared to employ, and experiment with, a whole range of sophisticated tactics, techniques and procedures: It was the first Trojan which exclusively employed HTTPS for its C2 traffic; It operated on a modular basis with a small cadre of other malware families, such as the Upatre downloader, which seemed to support it exclusively, as well as email address scraping tools and spam mail relayers; and it was at least as interested in profiling the environment it had infected as it was in exfiltrating any data it could find on the victim's machine. Then it disappeared suddenly, but re-emerged this year in the form of a Trojan now called Trickbot (aka Trickybot), completely rewritten but with many of the same features. In the lab, we permit Trickbot samples to persist on infected machines for days to weeks in order to perform man-in-the-middle SSL decryption on their C2 traffic. In this session, attendees will get a detailed forensic analysis of the content of some of this C2 traffic and the endpoint behavior of various machines (virtual and bare-metal) when left infected for an extended period of time. Finally, we will share what we know about the botnet's C2 infrastructure and its historical reputation. By understanding how Trickbot functions, and to where it communicates, we hope we can help identify infections more rapidly and, maybe, interpret the motives of whoever is operating this shadowy botnet to predict its next course of action.
Practical Red Teaming is a hands-on class designed to teach participants various techniques and tools for performing red teaming attacks. The goal of the training is to give a red teamer’s perspective to participants who want to go beyond VAPT. This intense course immerses students in a simulated enterprise environment, with multiple domains and up-to-date, patched operating systems. We will cover several phases of a Red Team engagement in depth: Local Privilege Escalation, Domain Enumeration, Admin Recon, Lateral Movement, Domain Admin privileges, etc.
If you want to learn how to perform Red Team operations, sharpen your red teaming skillset, or understand how to defend against modern attacks, Practical Red Teaming is the course for you.
Topics:
• Red Team philosophy/overview
• Red Teaming vs Penetration Testing
• Active Directory Fundamentals – Forests, Domains, OUs, etc.
• Assume Breach Methodology
• Insider Attack Simulation
• Introduction to PowerShell
• Initial access methods
• Privilege escalation methods through abuse of misconfigurations
• Domain Enumeration
• Lateral Movement and Pivoting
• Single sign-on in Active Directory
• Abusing built-in functionality for code execution
• Credential Replay
• Domain privileges abuse
• Dumping System and Domain Secrets
• Kerberos – Basics and its Fundamentals
• Kerberos Attack and Defense (Kerberoasting, Silver ticket, Golden ticket attack etc)
https://bsidessg.org/schedule/2019-ajaychoudhary-and-niteshmalviya/
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F18.shtml
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
RootedCON
In recent years, the term "side-channel" has gone from being a concept known only in the hardware hacking sector to a popular term within the industry, owing to the vulnerabilities that have been published. CRIME, BREACH and FIESTA are clear examples of vulnerabilities that exploit a side-channel in TLS. More recently, we have also seen vulnerabilities using this same concept in processors, such as Spectre or Meltdown.
In this talk we will review the concept of "side-channel" and go over the different vulnerabilities that have been published over these last few years, explaining what they consist of and what limitations they have.
ION Cape Town, 8 September 2015 - Jan Zorz set up DNSSEC, DANE, and TLS in his go6lab and then tested the implementations in the top one million Alexa domains. Jan will share his experiences deploying, testing, and evaluating DNSSEC, DANE, and TLS in his own lab and explain the process he used.
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
Encryption is coming to mainstream DNS. This briefing discusses the history, protocols and architecture of encrypted DNS, specifically DNS over TLS and DNS over HTTPS. It also describes the impact of DoT and DoH on various operational models.
This briefing was given during DNSheads Vienna #5 at the nic.at office in Vienna on Jan 30 2018.
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
CNIT 40: 4: Monitoring and detecting security breaches
Sam Bowne
Used in this "DNS Security" course:
https://samsclass.info/40/40_F17.shtml
Based on "DNS Security" by Anestis Karasaridis, Amazon Digital Services, Inc., ASIN: B007ZW50WE
Stephen Doherty, Symantec - iBanking is a relative newcomer to the mobile malware scene whose use was first identified in August of 2013. The Trojan targets Android devices and can be remotely controlled over SMS and HTTP. iBanking began life as a simple SMS stealer and call redirector, but has undergone significant development since then. iBanking is available for purchase on a private underground forum for between $4k - $5k, with the next release expected to include a 0-day exploit for the Android operating system. This presentation will discuss iBanking - its capabilities and the reasons for targeting mobile devices.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia, at City College San Francisco.
Website: https://samsclass.info/152/152_F18.shtml
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu
NETWAYS
The Beats are a friendly army of lightweight agents that, installed on your servers, capture operational data and ship it to Elasticsearch for analysis. They are open source, written in Golang, and maintained by Elastic, the company behind Elasticsearch, Logstash, and Kibana.
This talk will present the first three Beats: Topbeat for system level metrics, Filebeat for log files and Packetbeat for wire data. It will also demonstrate how to combine them with Logstash and Kibana in one advanced monitoring solution, unifying log management, metrics monitoring and system stats. Finally, you will learn how to create a new Beat from scratch using Golang and the libbeat framework to capture any type of information and ship it to Elasticsearch.
Blackhat USA 2016 - What's the DFIRence for ICS?
Chris Sistrunk
Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. If these are compromised or even have a misoperation, we will show what files, firmware, memory dumps, physical conditions, and other data can be analyzed in embedded systems to determine the root cause.
This talk will show examples of what and how to collect forensics data from two popular RTUs that are used in Electric Substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC.
This talk will not cover Windows or *nix-based devices such as Human Machine Interfaces (HMIs) or gateways.
Adding Support for Networking and Web Technologies to an Embedded System
John Efstathiades
These are the slides for a presentation we gave at Device Developer Conference 2014 in the UK. The presentation discusses the work done, experiences, and lessons learnt from adding an open source TCP/IP network stack and web server to an existing industrial control system running on an ARM Cortex M3-based processor from TI.
The presentation covers the following:
· Integrating the network stack into the existing software base
· Configuring and using the network stack and web server
· Adding support for HTTP basic authentication to restrict user access
· Using HTTP to remotely access the target system and retrieve operational data
· Debugging hints and tips
· Pitfalls to avoid and other lessons learnt
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Michele Orru
Browser exploits are a primary attack vector to compromise a victim's internal network, but they have major restrictions, including: limited current browser exploits; the huge price for 0-day browser exploits; and exploit complexity due to sandboxing. So, instead of exploiting the victim's browser, what if the victim's browser exploited internal systems for you?
The new "BeEF Bind Exploit Proxy" module does this! This BeEF (Browser Exploitation Framework) module will allow penetration testers to proxy exploits through a victim's web browser to compromise internal services. Not only this, but the new "BeEF Bind" shellcode also enables the communication channel to the attacker to pass back through the existing browser session.
This attack technique (Inter-protocol Exploitation) removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request. This increases the success rate of client-side exploitation attempts by dramatically increasing the number of vulnerabilities accessible to the attacker.
So how does the new BeEF Bind Exploit Proxy work? BeEF is configured to use the BeEF Bind Exploit Proxy, and is set as the payload for XSS exploits or Phishing attacks. Once the victim visits the malicious site, their web browser becomes hooked and performs JavaScript port scanning across the internal corporate network looking for chosen open ports. Once a server has been identified, the BeEF server is notified and begins to send exploits through the hooked web browser to the service on the internal server. Each of these exploits is configured to use the new BeEF Bind shellcode.
Once an exploit has successfully triggered a vulnerability within the internal service, the BeEF Bind shellcode is executed. This shellcode is designed to setup a web-listener that proxies commands through to a shell on the compromised server. This allows the attacker to send commands through the hooked web browser to the BeEF Bind payload. The command is executed on the compromised server and returned to the web browser in HTTP responses. The hooked web browser is then able to receive the command output and proxy it back to the attacker at the BeEF server.
Penetration testers can now inject steroids into their XSS exploits by replacing simple alert boxes with demonstrations of actual compromised internal machines. They can also now increase the scope and success rate of their Phishing attacks to compromise internal servers. This new approach also minimizes the likelihood of IDS/IPS detection, and does not require an additional socket open back to the attacker via the firewall.
Advancing Apache Nifi Framework Security With David Handermann | Current 2022 (Hosted by Confluent)
As a flexible system for processing data to and from a variety of services, Apache NiFi provides a powerful set of capabilities. Configuration integrity and access security are essential framework features.
Recent Apache NiFi releases have included a number of security-oriented improvements, ranging from automated HTTPS configuration to externalization of sensitive application properties. This presentation covers the implementation details involved with automatic certificate generation, password-based key derivation, JSON Web Token signing, repository encryption, and sensitive property management using external services.
Through a combination of relevant code samples and capability demonstrations, this presentation describes framework security advances that involve both user interaction and application configuration.
Providing a basic summary of selected cryptographic algorithm differences, along with code changes, will enable participants to understand the impact of various improvements. Walking through new and improved configuration capabilities allows administrators to optimize deployment security. Highlighting key implementation details encourages software developers to review and incorporate applicable security strategies.
This presentation is intended to provide an overview of vulnerabilities and attack techniques that are popular in penetration testing at the moment. This talk includes real-world examples of attacks that they use on a daily basis, and some reflections on what techniques have changed over the last year. Vulnerabilities related to the application, network, and server layers will all be covered along with current anti-virus bypass and privilege escalation techniques used by attackers and penetration testers. This presentation should be interesting to security professionals and system administrators looking for more insight into real world attacks.
More security blogs by the authors can be found @
https://www.netspi.com/blog/
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu (NETWAYS)
Monica is the co-creator of Elastic Beats. Before she created Beats, she worked as a core developer for IPTEGO, a Berlin start-up that offers a complete monitoring and troubleshooting solution for VoIP networks. The product was sold worldwide and is currently used by large companies in the telecommunications industry.
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu (NETWAYS)
Beats are a friendly army of lightweight agents which, once installed on a server, collect operational data and send it to Elasticsearch for analysis.
They collect the log data of your servers and so obtain statistics on CPU, disk and memory usage. Through regular polling they gather metrics from external systems such as MySQL, Docker and Zookeeper, and they can visualize the communication between servers by sniffing the corresponding network connections.
This talk explains how you can combine Beats with Elasticsearch and Kibana into a complete open source monitoring solution, and how they help you monitor and troubleshoot your sprawling infrastructure.
Similar to Extracting Forensic Information From Zeus Derivatives (20)
Matt Johansen, White Hat - Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
Matt Summers, NCC Group - Web technology has changed a lot in the last 25 years but the underlying transport mechanism has stayed the same. The web we have today was not designed for the plethora of new device types and communication methods but things are changing and you probably don’t even know it. You probably don’t even notice the problem because it is so ingrained. In this presentation we are going to delve into the problems with the web and how we use it today. We will also take an in depth look at the proposed solutions for the next generation web and the implications that come with it.
Mathieu Letourneau, Andrei Saygo, Eoin Ward, Microsoft
This talk will present our research project on .Net file clustering based on their respective basic blocks and the parallel that can be made with DNA sequence variation analysis. We implemented a system that extracts the basic blocks on each file and creates clusters based on them. We also developed an IDA plugin to make use of that data and speed up our analysis of .Net files.
Andrei Saygo, Eoin Ward and Mathieu Letourneau all work as Anti-Malware Security Engineers in the AM Scan team of Microsoft’s Product Release & Security Services group in Dublin, Ireland.
Brian Honan, IRISSCERT
Social media networks provide individuals and businesses with exciting opportunities to communicate and collaborate with others throughout the world. But with these opportunities come a number of security challenges and risks. This talk will outline how social media networks can pose various threats to businesses, from information leakage, reputational damage, to social engineering profiling, and vectors for enabling compromise of corporate systems. Social media networks also enable the rapid dissemination of news which in the event of an information security breach could either save or destroy an organisations reputation. Understanding and dealing with these challenges will enable companies to like and favourite social media networks in a secure way.
Brian Honan is an independent security consultant based in Dublin, Ireland, and is the founder and head of IRISSCERT, Ireland's first CERT. He is a Special Advisor to Europol's Cybercrime Centre (EC3), an adjunct lecturer on Information Security in University College Dublin. He is the author of the book "ISO 27001 in a Windows Environment" and co-author of "The Cloud Security Rules", and regularly speaks at major industry conferences. In 2013 Brian was awarded SC Magazine's Information Security Person of the year for his contribution to the computer security industry.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Accelerate your Kubernetes clusters with Varnish Caching (Thijs Feryn)
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality (Inflectra)
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
3. 3
Agenda
• Zeus and derivatives overview
• What information do we want to extract and why?
• How do we extract the information?
• Automation
• Conclusion
5. 5
Zeus and Derivatives
• Highly successful kit
• Source code leaked 2011
• New variants – Citadel, IceIX, KINS, Gameover + many more
• Leaked code also widely used with few or no modifications
• Many variants successful in their own right
• More builders leaked
6. 6
Zeus and Derivatives
• Variant prevalence (typical weekly breakdown):
○ Citadel: 19%
○ Ice9: 8%
○ P2P: 31%
○ 2.0.8.9 based: 17%
○ KINS: 12%
○ Other: 13%
8. 8
High Level Goals
• What was stolen?
○ Network traffic
○ Cache data
• Where was data sent?
○ Drop zone URLs
○ Config file URLs
○ Backup URLs
• What changes were made?
○ Commands executed
○ Web injects – config data
• Who were the attackers?
○ Tracking
9. 9
How to Achieve These Goals?
• C2 addresses
○ Extract from binary, config file, network traffic captures
• Stolen data
○ Decrypt network data, cache files
• Configuration files
○ Obtain, decrypt, decipher config data
○ Webinjects, filters, targeted processes
• Runtime information
○ Exe path, registry keys etc
• Store and track data
○ Keys, URLs, customisations
11. 11
Key Variants
• Leaked Zeus (2.0.8.9)
○ Original codebase
○ Same process will work for many minor variations
• IceIX
○ Encryption algorithm changes
○ Config file retrieval complications
• Citadel (1.3.5.1)
○ Encryption heavily rewritten
○ More config file retrieval changes
• Gameover
○ Peer to peer (P2P)
• KINS
○ VM based decryption routine
12. 12
Zeus 2.0.8.9
• Config file URL
• Retrieve, decrypt, decipher config file
• Assess stolen data – decrypt network traffic, cache file
• Read runtime information
13. 13
Zeus 2.0.8.9
• Static config details embedded in binary
• Config block XOR encrypted
• Find block offset and XOR key
Config file URL
15. 15
Zeus 2.0.8.9
• Regexp search, e.g:
○ "[\x50-\x57][\xb8-\xbf].{2}\x00\x00[\x50-\x57]\x68.{4}[\x50-\x57]\xe8.{4}\x8b.{5}\x03"
• Key always at start of ‘.reloc’ section
• Key length = size of StaticConfig
• StaticConfig also contains RC4 key
Config URL
16. 16
Zeus 2.0.8.9
• Retrieved with simple Get request to URL
• RC4 decrypt
○ Using key from StaticConfig (no key scheduling stage)
• VisualDecrypt
○ for (m = (Size-1); m > 0; m--)
○     Data[m] = Data[m] ^ Data[m-1]
• Decompress compressed blocks
○ nrv2b
• Convert to something more readable
○ XML is an option
Config File
17. 17
Zeus 2.0.8.9
• Common to many subsequent variants
• Config header structure:
Config file structure
Offset  Size  Value
0x0     0x14  Random data
0x14    0x4   Size of config file
0x18    0x4   Flags (usually 0)
0x1c    0x4   Number of blocks
0x20    0x10  MD5 of data
0x30    …     Config blocks
18. 18
Zeus 2.0.8.9
• Config blocks – header then data
• Config block header structure:
Config file structure
Offset  Size  Value
0x0     0x4   Block ID
0x4     0x4   Flags, e.g. compressed
0x8     0x4   Compressed size
0xc     0x4   Decompressed size
19. 19
Zeus 2.0.8.9
• Block ID identifies specific type of config entry e.g. version, new exe url, drop zone url, web injects
• Leaked source indicates what each binary value means
• Conversion to XML makes the data easier to interpret:
Config file structure
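The retrieval-side steps from slides 16 to 19 (RC4 with a pre-scheduled key, VisualDecrypt, header and block parsing), as an added Python example that is not code from the talk or from any Zeus tooling: it builds a sample config in the header layout shown on the slides, applies VisualEncrypt and RC4 the way the bot expects, then recovers and validates it. Assumptions, all constructed for this example: the StaticConfig key is a 256-byte pre-scheduled S-box used with i = j = 0, the MD5 covers the block region after the header, the "compressed" flag bit and the block IDs are placeholders, and nrv2b decompression is omitted.

```python
import hashlib
import struct

# Layout constants taken from the header tables on the slides.
HEADER_LEN = 0x30       # random(0x14) + size(4) + flags(4) + nblocks(4) + md5(0x10)
BLOCK_HDR_LEN = 0x10    # id(4) + flags(4) + compressed size(4) + decompressed size(4)
FLAG_COMPRESSED = 0x1   # assumed bit for "compressed"; the leaked source defines the real flags

# Placeholder block IDs for this example only; the leaked source maps the real IDs.
BLOCK_NAMES = {1: "version", 2: "new_exe_url", 3: "drop_zone_url", 4: "webinjects"}


def rc4_crypt(state, data):
    """RC4 keystream from a pre-scheduled 256-byte S-box: no key scheduling stage,
    the state comes straight from StaticConfig (assumed to start with i = j = 0)."""
    s = list(state)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def visual_decrypt(data):
    """VisualDecrypt from the slides: walk backwards, XOR each byte with its predecessor."""
    d = bytearray(data)
    for m in range(len(d) - 1, 0, -1):
        d[m] ^= d[m - 1]
    return bytes(d)


def visual_encrypt(data):
    """Inverse of visual_decrypt (forward running XOR); only needed to build the sample."""
    d = bytearray(data)
    for m in range(1, len(d)):
        d[m] ^= d[m - 1]
    return bytes(d)


def parse_config(plain):
    """Parse a decrypted config file: validate the header, split out block headers and data."""
    if len(plain) < HEADER_LEN:
        raise ValueError("too short for a config header")
    size, flags, nblocks = struct.unpack_from("<III", plain, 0x14)
    if size != len(plain):
        raise ValueError("size field does not match data length")
    body = plain[HEADER_LEN:size]
    # Assumption: the MD5 at offset 0x20 covers everything after the header.
    if hashlib.md5(body).digest() != plain[0x20:0x30]:
        raise ValueError("MD5 mismatch: wrong key or corrupted file")
    blocks, off = [], HEADER_LEN
    for _ in range(nblocks):
        bid, bflags, csize, dsize = struct.unpack_from("<IIII", plain, off)
        off += BLOCK_HDR_LEN
        data = plain[off:off + csize]
        if len(data) != csize:
            raise ValueError("truncated block %#x" % bid)
        off += csize
        # Compressed blocks would need nrv2b decompression, which is left out here.
        blocks.append({"id": bid, "name": BLOCK_NAMES.get(bid, "unknown"),
                       "compressed": bool(bflags & FLAG_COMPRESSED),
                       "decompressed_size": dsize, "data": data})
    return blocks


def decrypt_config(rc4_state, blob):
    """Order from the slides: RC4 decrypt, then VisualDecrypt, then parse the blocks."""
    return parse_config(visual_decrypt(rc4_crypt(rc4_state, blob)))


def build_config(items):
    """Build a plaintext config in the slide layout from (block id, data) pairs."""
    body = b"".join(struct.pack("<IIII", bid, 0, len(d), len(d)) + d for bid, d in items)
    size = HEADER_LEN + len(body)
    header = b"\x41" * 0x14 + struct.pack("<III", size, 0, len(items))
    return header + hashlib.md5(body).digest() + body


# Constructed sample: a permutation of 0..255 standing in for a real StaticConfig S-box,
# and constructed block contents with placeholder URLs.
SAMPLE_STATE = bytes((i * 7 + 3) & 0xFF for i in range(256))
SAMPLE_ITEMS = [(1, b"2.0.8.9"), (2, b"http://example.invalid/bot.exe"),
                (3, b"http://example.invalid/gate.php")]


def demo():
    """Encrypt the sample the way the bot expects it, then recover the blocks."""
    blob = rc4_crypt(SAMPLE_STATE, visual_encrypt(build_config(SAMPLE_ITEMS)))
    return decrypt_config(SAMPLE_STATE, blob)
```

A wrong key or a corrupted download shows up as an MD5 mismatch rather than as garbage blocks, which is the check a processing module should make before trusting the parsed URLs.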
20. 20
Zeus 2.0.8.9
• Network data
○ RC4 decrypt using key from StaticConfig
○ Data is structured similar to config data
• Cache data
○ Temporary store of data before sending back to drop zone
○ Structure:
Stolen data
Offset  Size  Value
0x0     0x4   XOR-encoded size of block
0x4     0x1   0
0x5     ??    First encrypted block
21. 21
Zeus 2.0.8.9
• XOR key stored in runtime data at offset 0x1e2
• Blocks encrypted with VisualEncrypt + RC4
• New RC4 key from runtime data
• Blocks have same structure as network data
• Cache gets deleted when data sent over network
Cache data
22. 22
Zeus 2.0.8.9
• Dynamically created block written by dropper
• See https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/zeusscan.py for structure
• Key fields:
○ RC4 key – encrypting cache data
○ XORkey – cache data block sizes
• Also, registry keys, exe file name, cache file name etc.
Runtime information
24. 24
IceIX
• Same goals
○ Config file URL
○ Retrieve, decrypt, decipher config file
○ Assess stolen data – decrypt network traffic, cache file
○ Read runtime information
• How do we identify?
• What are the differences?
25. 25
IceIX
• Config file URL by default ends with config.php
• Strings: “bn=1” and “&sk=1”
• Modified RC4 routine:
Identification
28. 28
IceIX
• POST request requires special format or config file is not delivered
• POST data format:
bn=<BOTID string>&sk=<MD5 of encrypted BOTID string>
• BOTID generated per machine, e.g.: MYPC_737574566769_474
• Encrypted using modified RC4 with key from StaticConfig
• All POST data encrypted before being sent
Config file retrieval
29. 29
Citadel
• Giveaway string:
○ 'Coded by BRIAN KREBS for personal use only. I love my job & wife.'
• Version number:
• Maybe further strings:
○ cit_ffcookie.module, cit_video.module
Identification
30. 30
Citadel
• Encryption process rewritten – AES + RC4, multiple keys
• Formatted POST request for config file retrieval
• Backup config file URLs
Modifications
31. 31
Citadel
• RC4 has XOR on top with LOGIN_KEY
○ Extra key generated at build time e.g.:
○ "C1F20D2340B519056A7D89B7DF4B0FFF"
• Config data encrypted with AES
• Network traffic requires generating a new RC4 key
Encryption process
33. 33
Citadel
• Formatted similar to config data – header with 2 data blocks
• Block ID 0x2725 – contains the login_key
• Block ID 0x2726 – file name from config URL:
○ http://pubber.ru/images/greater/wisdom/file.php|file=config.dll
○ Everything after the ‘|’ goes in the block data
POST data
39. 39
Gameover/P2P
• Static peer list
○ Each peer has its own RC4 key
• Connect to P2P network to retrieve config
• Zlib compression
• https://github.com/arbor/zeus_gameover-re
Modifications
40. 40
KINS/VMZeus
• VM based StaticConfig decryption
• Embedded byte code determines which VM handler is executed on which byte of ciphertext
• Embedded opcode handler table
• Each element of bytecode is an index into the handler table
Modifications
42. 42
KINS
• RC4 key is in the StaticConfig but now much harder to decrypt
• Need to replicate the handler sequence by running the bytecode through the handler table
• Leaked KINS source: source/common/configcrypt.cpp
• But handler table order is shuffled by the builder so we must work out the correct order dynamically for each sample
Key extraction
44. 44
Automation
• As part of sandbox analysis – e.g. cuckoo
○ Process dump
○ Key extraction and data decryption as part of a processing module
○ Analyzer module to perform the retrieval for non-executing samples
• Volatility
○ Key and data extraction from a memory dump
○ https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/zeusscan.py
46. 46
Conclusion
• Many successful and widespread variants spawned from Zeus code
• More builders and source code leaked, many variants still being actively developed
• Despite some significant modifications, new variants are incremental
• Tools can be updated relatively easily for modifications