SlideShare a Scribd company logo

Extracting Forensic Information From Zeus Derivatives

Download as PPTX, PDF
Source Conference
Source Conference

Extracting Forensic Information from Zeus Derivatives James Wyke, Sophos

Technology
1 of 47
1 James Wyke Senior Threat Researcher Extracting Forensic Information from Zeus Derivatives SOURCE Dublin 2014
22 Agenda
3 Agenda • Zeus and derivatives overview • What information do we want to extract and why? • How do we extract the information? • Automation • Conclusion
44 Zeus and Derivatives
5 Zeus and Derivatives • Highly successful kit • Source code leaked 2011 • New variants – Citadel, IceIX, KINS, Gameover + many more • Leaked code also widely used with few or no modifications • Many variants successful in their own right • More builders leaked
6 Zeus and Derivatives • Variant prevalence: Citadel 19% Ice9 8% P2P 31% 2.0.8.9 Based 17% KINS 12% Other 13% Typical Weekly Breakdown Citadel Ice9 P2P 2.0.8.9 Based KINS Other
77 What information do we want to extract?
8 High Level Goals • What was stolen? ○ Network traffic ○ Cache data • Where was data sent? ○ Drop zone URLs ○ Config file URLs ○ Backup URLs • What changes were made? ○ Commands executed ○ Web injects – config data • Who were the attackers? ○ Tracking
9 How to Achieve These Goals? • C2 addresses ○ Extract from binary, config file, network traffic captures • Stolen data ○ Decrypt network data, cache files • Configuration files ○ Obtain, decrypt, decipher config data ○ Webinjects, filters, targeted processes • Runtime information ○ Exe path, registry keys etc • Store and track data ○ Keys, URLs, customisations
1010 How do we extract the information?
11 Key Variants • Leaked Zeus (2.0.8.9) ○ Original codebase ○ Same process will work for many minor variations • IceIX ○ Encryption algorithm changes ○ Config file retrieval complications • Citadel (1.3.5.1) ○ Encryption heavily rewritten ○ More config file retrieval changes • Gameover ○ Peer 2 peer • KINS ○ VM based decryption routine
12 Zeus 2.0.8.9 • Config file URL • Retrieve, decrypt, decipher config file • Assess stolen data – decrypt network traffic, cache file • Read runtime information
13 Zeus 2.0.8.9 • Static config details embedded in binary • Config block XOR encrypted • Find block offset and XOR key Config file URL
14 Zeus 2.0.8.9 Config URL
15 Zeus 2.0.8.9 • Regexp search, e.g: ○ "[x50-x57][xb8-xbf].{2}x00x00[x50-x57]x68.{4}[x50- x57]xe8.{4}x8b.{5}x03“ • Key always at start of ‘.reloc’ section • Key length = size of StaticConfig • StaticConfig also contains RC4 key Config URL
16 Zeus 2.0.8.9 • Retrieved with simple Get request to URL • RC4 decrypt ○ Using key from StaticConfig (no key scheduling stage) • VisualDecrypt ○ for (m = (Size-1); m >0; m--) ○ Data[m] = Data[m] ^ Data[m-1] • Decompress compressed blocks ○ nrv2b • Covert to something more readable ○ XML is an option Config File
17 Zeus 2.0.8.9 • Common to many subsequent variants • Config header structure: Config file structure Offset Size Value 0x0 0x14 Random data 0x14 0x4 Size of config file 0x18 0x4 Flags (usually 0) 0x1c 0x4 Number of Blocks 0x20 0x10 MD5 of data 0x30 … Config blocks
18 Zeus 2.0.8.9 • Config blocks – header then data • Config block header structure: Config file structure Offset Size Value 0x0 0x4 Block ID 0x4 0x4 Flags, e.g. compressed 0x8 0x4 Compressed size 0xc 0x4 Decompressed size
19 Zeus 2.0.8.9 • Block ID identifies specific type of config entry e.g. version, new exe url, drop zone url, web injects • Leaked source indicates what each binary value means • Conversion to XML makes the data easier to interpret: Config file structure
20 Zeus 2.0.8.9 • Network data ○ RC4 decrypt using key from StaticConfig ○ Data is structured similar to config data • Cache data ○ Temporary store of data before sending back to drop zone ○ Structure: Stolen data Offset Size Value 0x0 0x4 Xor encoded size of block 0x4 0x1 0 0x5 ?? First encrypted block
21 Zeus 2.0.8.9 • XOR key stored in runtime data at offset 0x1e2 • Blocks encrypted with VisualEncrypt + RC4 • New RC4 key from runtime data • Blocks have same structure as network data • Cache gets deleted when data sent over network Cache data
22 Zeus 2.0.8.9 • Dynamically created block written by dropper • See https://code.google.com/p/volatility/source/browse/trunk/con trib/plugins/malware/zeusscan.py for structure • Key fields: ○ RC4 key – encrypting cache data ○ XORkey – cache data block sizes • Also, registry keys, exe file name, cache file name etc. Runtime information
23 Zeus 2.0.8.9 • Find block in dump: • Often appended to file Runtime information
24 IceIX • Same goals ○ Config file URL ○ Retrieve, decrypt, decipher config file ○ Assess stolen data – decrypt network traffic, cache file ○ Read runtime information • How do we identify? • What are the differences?
25 IceIX • Config file URL by default ends with config.php • Strings: “bn=1” and “&sk=1” • Modified RC4 routine: Identification
26 IceIX • RC4 changes • Config file retrieval requires structured POST request Modifications
27 IceIX • Classic: • Modified: RC4 changes
28 IceIX • POST request requires special format or config file is not delivered • POST data format: bn=<BOTID string>&sk=<MD5 of encrypted BOTID string> • BOTID generated per machine, e.g.: MYPC_737574566769_474 • Encrypted using modified RC4 with key from StaticConfig • All POST data encrypted before being sent Config file retrieval
29 Citadel • Giveaway string: ○ 'Coded by BRIAN KREBS for personal use only. I love my job & wife.‘ • Version number: • Maybe further strings: ○ cit_ffcookie.module, cit_video.module Identification
30 Citadel • Encryption process rewritten – AES + RC4, multiple keys • Formatted POST request for config file retrieval • Backup config file URLs Modifications
31 Citadel • RC4 has XOR on top with LOGIN_KEY ○ Extra key generated at build time e.g.: ○ "C1F20D2340B519056A7D89B7DF4B0FFF" • Config data encrypted with AES • Network traffic requires generating a new RC4 key Encryption process
32 • Extra non-standard permutation • Need to extract salt value • All network traffic encrypted in this way Citadel Config file retrieval
33 Citadel • Formatted similar to config data – header with 2 data blocks • Block ID 0x2725 – contains the login_key • Block ID 0x2726 – file name from config URL: ○ http://pubber.ru/images/greater/wisdom/file.php|file=config.dll ○ Everything after the ‘|’ goes in the block data POST data
34 Citadel • Switch case based on DWORD value: POST data custom permutation
35 Citadel • Python: POST data custom permutation
36 Citadel Config file decryption • RC4 key from StaticConfig • login_key • 128-bit config XOR key
37 Citadel • Found in the AES routine: Extra config key
38 Gameover/P2P • Command strings used in the P2P protocol: ○ OPTIONS ○ PROPFIND ○ PROPPATCH ○ SEARCH ○ UNLOCK ○ REPORT ○ MKACTIVITY ○ CHECKOUT ○ M-SEARCH ○ NOTIFY ○ SUBSCRIBE ○ UNSUBSCRIBE Identification
39 Gameover/P2P • Static peer list ○ Each peer has its own RC4 key • Connect to P2P network to retrieve config • Zlib compression • https://github.com/arbor/zeus_gameover-re Modifications
40 KINS/VMZeus • VM based StaticConfig decryption • Embedded byte code determines which VM handler is executed on which byte of ciphertext • Embedded opcode handler table • Each element of bytecode is an index into the handler table Modifications
41 KINS/VMZeus • Find the entry to the VM handler: Identification
42 KINS • RC4 key is in the StaticConfig but now much harder to decrypt • Need to replicate the handler sequence by running the bytecode through the handler table • Leaked KINS source: source/common/configcrypt.cpp • But handler table order is shuffled by the builder so we must work out the correct order dynamically for each sample Key extraction
4343 Automation
44 Automation • As part of sandbox analysis – e.g. cuckoo ○ Process dump ○ Key extraction and data decryption as part of a processing module ○ Analyzer module to perform the retrieval for non-executing samples • Volatility ○ Key and data extraction from a memory dump ○ https://code.google.com/p/volatility/source/browse/trunk/contrib/plugin s/malware/zeusscan.py
4545 Conclusion
46 Conclusion • Many successful and widespread variants spawned from Zeus code • More builders and source code leaked, many variants still being actively developed • Despite some significant modifications, new variants are incremental • Tools can be updated relatively easy for modifications
47© Sophos Ltd. All rights reserved.

Recommended

Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019
Fernando Tomlinson, CISSP, MBA
 
Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018
Fernando Tomlinson, CISSP, MBA
 
BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox
BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox
BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox
BlueHat Security Conference
 
Ipfs
IpfsIpfs
Ipfs
承翰 蔡
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
Julian Catrambone
 
Scaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ngScaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ng
Peter Czanik
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat Security Conference
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 

Recommended

Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019Powering up on PowerShell - BSides Greenville 2019
Powering up on PowerShell - BSides Greenville 2019
Fernando Tomlinson, CISSP, MBA
 
Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018Powering up on power shell avengercon - 2018
Powering up on power shell avengercon - 2018
Fernando Tomlinson, CISSP, MBA
 
BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox
BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox
BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox
BlueHat Security Conference
 
Ipfs
IpfsIpfs
Ipfs
承翰 蔡
 
FreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of LinuxFreeIPA - Attacking the Active Directory of Linux
FreeIPA - Attacking the Active Directory of Linux
Julian Catrambone
 
Scaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ngScaling your logging infrastructure using syslog-ng
Scaling your logging infrastructure using syslog-ng
Peter Czanik
 
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat v17 || Detecting Compromise on Windows Endpoints with Osquery
BlueHat Security Conference
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
 
Get the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ngGet the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ng
Peter Czanik
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
SCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big DataSCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big Data
BalaBit
 
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
markmcclain
 
Bridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack NetworkingBridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack Networking
markmcclain
 
ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLS
Deploy360 Programme (Internet Society)
 
Разведка в сетях IPv6
Разведка в сетях IPv6Разведка в сетях IPv6
Разведка в сетях IPv6
Positive Hack Days
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
inaz2
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
Sam Bowne
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat Security Conference
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit - wolfSSL
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
Jisc
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
RootedCON
 
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape TownDANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
Deploy360 Programme (Internet Society)
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breaches
Sam Bowne
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
Source Conference
 
Niraj on Financial Derivatives
Niraj on Financial DerivativesNiraj on Financial Derivatives
Niraj on Financial Derivatives
CA Niraj Thapa
 

More Related Content

What's hot

Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
APNIC
 
Get the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ngGet the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ng
Peter Czanik
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
Petros Koutroumpis
 
SCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big DataSCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big Data
BalaBit
 
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
markmcclain
 
Bridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack NetworkingBridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack Networking
markmcclain
 
ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLS
Deploy360 Programme (Internet Society)
 
Разведка в сетях IPv6
Разведка в сетях IPv6Разведка в сетях IPv6
Разведка в сетях IPv6
Positive Hack Days
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
inaz2
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
Sam Bowne
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat Security Conference
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
Ajay Choudhary
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit - wolfSSL
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
Jisc
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
RootedCON
 
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape TownDANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
Deploy360 Programme (Internet Society)
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
Alex Mayrhofer
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
Sam Bowne
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breaches
Sam Bowne
 

What's hot (20)

Signing DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutionsSigning DNSSEC answers on the fly at the edge: challenges and solutions
Signing DNSSEC answers on the fly at the edge: challenges and solutions
 
Get the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ngGet the most out of your security logs using syslog-ng
Get the most out of your security logs using syslog-ng
 
(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage(Ab)Using GPOs for Active Directory Pwnage
(Ab)Using GPOs for Active Directory Pwnage
 
SCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big DataSCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big Data
 
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ...
 
Bridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack NetworkingBridges and Tunnels a Drive Through OpenStack Networking
Bridges and Tunnels a Drive Through OpenStack Networking
 
ION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLSION Bucharest - DANE-DNSSEC-TLS
ION Bucharest - DANE-DNSSEC-TLS
 
Разведка в сетях IPv6
Разведка в сетях IPv6Разведка в сетях IPv6
Разведка в сетях IPv6
 
HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装HTTPプロクシライブラリproxy2の設計と実装
HTTPプロクシライブラリproxy2の設計と実装
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
Securing Data in Transit -
Securing Data in Transit - Securing Data in Transit -
Securing Data in Transit -
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
Jose Selvi - Side-Channels Uncovered [rootedvlc2018]
 
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape TownDANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
 
Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breaches
 

Viewers also liked

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
Source Conference
 
Niraj on Financial Derivatives
Niraj on Financial DerivativesNiraj on Financial Derivatives
Niraj on Financial Derivatives
CA Niraj Thapa
 
Guide to Financial Derivatives
Guide to Financial DerivativesGuide to Financial Derivatives
Guide to Financial Derivatives
Ruben Garcia Navarro
 
Derivatives lecture1& 2-introduction
Derivatives lecture1& 2-introductionDerivatives lecture1& 2-introduction
Derivatives lecture1& 2-introductioniipmff2
 
Financial Derivatives
Financial DerivativesFinancial Derivatives
Financial Derivatives
Maroof Hussain Sabri
 
Applications of Derivatives
Applications of DerivativesApplications of Derivatives
Applications of Derivatives
Iram Khan
 
Derivatives basic concept
Derivatives basic conceptDerivatives basic concept
Derivatives basic concept
Sweta Agarwal
 
Derivatives market
Derivatives marketDerivatives market
Derivatives marketNikhiliit
 
Derivatives - Classroom Presentation
Derivatives - Classroom PresentationDerivatives - Classroom Presentation
Derivatives - Classroom Presentation
Ragumoorthy Nehrumoorthy
 

Viewers also liked (10)

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
Niraj on Financial Derivatives
Niraj on Financial DerivativesNiraj on Financial Derivatives
Niraj on Financial Derivatives
 
Guide to Financial Derivatives
Guide to Financial DerivativesGuide to Financial Derivatives
Guide to Financial Derivatives
 
Derivatives lecture1& 2-introduction
Derivatives lecture1& 2-introductionDerivatives lecture1& 2-introduction
Derivatives lecture1& 2-introduction
 
Financial Derivatives
Financial DerivativesFinancial Derivatives
Financial Derivatives
 
Applications of Derivatives
Applications of DerivativesApplications of Derivatives
Applications of Derivatives
 
Derivatives basic concept
Derivatives basic conceptDerivatives basic concept
Derivatives basic concept
 
Derivatives market
Derivatives marketDerivatives market
Derivatives market
 
Derivatives - Classroom Presentation
Derivatives - Classroom PresentationDerivatives - Classroom Presentation
Derivatives - Classroom Presentation
 
Financial derivatives ppt
Financial derivatives pptFinancial derivatives ppt
Financial derivatives ppt
 

Similar to Extracting Forensic Information From Zeus Derivatives

CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise Services
Sam Bowne
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise Services
Sam Bowne
 
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica SarbuOSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu
NETWAYS
 
.NET Cloud-Native Bootcamp Minneapolis
.NET Cloud-Native Bootcamp Minneapolis.NET Cloud-Native Bootcamp Minneapolis
.NET Cloud-Native Bootcamp Minneapolis
VMware Tanzu
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise Service
Sam Bowne
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
Chris Sistrunk
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 
Burp suite
Burp suiteBurp suite
Burp suite
Yashar Shahinzadeh
 
Adding Support for Networking and Web Technologies to an Embedded System
Adding Support for Networking and Web Technologies to an Embedded SystemAdding Support for Networking and Web Technologies to an Embedded System
Adding Support for Networking and Web Technologies to an Embedded System
John Efstathiades
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
DefconRussia
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Michele Orru
 
Introduction to firebidSQL 3.x
Introduction to firebidSQL 3.xIntroduction to firebidSQL 3.x
Introduction to firebidSQL 3.x
Fabio Codebue
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
Felipe Prado
 
Advancing Apache Nifi Framework Security With David Handermann | Current 2022
Advancing Apache Nifi Framework Security With David Handermann | Current 2022Advancing Apache Nifi Framework Security With David Handermann | Current 2022
Advancing Apache Nifi Framework Security With David Handermann | Current 2022
HostedbyConfluent
 
Powering up on PowerShell - BSides Charleston - Nov 2018
Powering up on PowerShell - BSides Charleston - Nov 2018Powering up on PowerShell - BSides Charleston - Nov 2018
Powering up on PowerShell - BSides Charleston - Nov 2018
Fernando Tomlinson, CISSP, MBA
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
Scott Sutherland
 
Web前端性能优化 2014
Web前端性能优化 2014Web前端性能优化 2014
Web前端性能优化 2014
Yubei Li
 
Node and Azure
Node and AzureNode and Azure
Node and Azure
Jason Gerard
 
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuOSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
NETWAYS
 
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica SarbuOSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
NETWAYS
 

Similar to Extracting Forensic Information From Zeus Derivatives (20)

CNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise ServicesCNIT 121: 10 Enterprise Services
CNIT 121: 10 Enterprise Services
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise Services
 
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica SarbuOSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu
OSDC 2016 - Unifying Logs and Metrics Data with Elastic Beats by Monica Sarbu
 
.NET Cloud-Native Bootcamp Minneapolis
.NET Cloud-Native Bootcamp Minneapolis.NET Cloud-Native Bootcamp Minneapolis
.NET Cloud-Native Bootcamp Minneapolis
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise Service
 
Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?Blackhat USA 2016 - What's the DFIRence for ICS?
Blackhat USA 2016 - What's the DFIRence for ICS?
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Burp suite
Burp suiteBurp suite
Burp suite
 
Adding Support for Networking and Web Technologies to an Embedded System
Adding Support for Networking and Web Technologies to an Embedded SystemAdding Support for Networking and Web Technologies to an Embedded System
Adding Support for Networking and Web Technologies to an Embedded System
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
 
Introduction to firebidSQL 3.x
Introduction to firebidSQL 3.xIntroduction to firebidSQL 3.x
Introduction to firebidSQL 3.x
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Advancing Apache Nifi Framework Security With David Handermann | Current 2022
Advancing Apache Nifi Framework Security With David Handermann | Current 2022Advancing Apache Nifi Framework Security With David Handermann | Current 2022
Advancing Apache Nifi Framework Security With David Handermann | Current 2022
 
Powering up on PowerShell - BSides Charleston - Nov 2018
Powering up on PowerShell - BSides Charleston - Nov 2018Powering up on PowerShell - BSides Charleston - Nov 2018
Powering up on PowerShell - BSides Charleston - Nov 2018
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!
 
Web前端性能优化 2014
Web前端性能优化 2014Web前端性能优化 2014
Web前端性能优化 2014
 
Node and Azure
Node and AzureNode and Azure
Node and Azure
 
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuOSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
 
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica SarbuOSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 | Monitor your Infrastructure with Elastic Beats by Monica Sarbu
 

More from Source Conference

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
Source Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
Source Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
Source Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
Source Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
Source Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
Source Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
Source Conference
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
Source Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
Source Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
Source Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
Source Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Source Conference
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
Source Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Source Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
Source Conference
 
JSF Security
JSF SecurityJSF Security
JSF Security
Source Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
Source Conference
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
Source Conference
 
Keynote
KeynoteKeynote
Keynote
Source Conference
 

More from Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 
Keynote
KeynoteKeynote
Keynote
 

Recently uploaded

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 

Recently uploaded (20)

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 

Extracting Forensic Information From Zeus Derivatives

  • 1. 1 James Wyke Senior Threat Researcher Extracting Forensic Information from Zeus Derivatives SOURCE Dublin 2014
  • 3. 3 Agenda • Zeus and derivatives overview • What information do we want to extract and why? • How do we extract the information? • Automation • Conclusion
  • 5. 5 Zeus and Derivatives • Highly successful kit • Source code leaked 2011 • New variants – Citadel, IceIX, KINS, Gameover + many more • Leaked code also widely used with few or no modifications • Many variants successful in their own right • More builders leaked
  • 6. 6 Zeus and Derivatives • Variant prevalence: Citadel 19% Ice9 8% P2P 31% 2.0.8.9 Based 17% KINS 12% Other 13% Typical Weekly Breakdown Citadel Ice9 P2P 2.0.8.9 Based KINS Other
  • 7. 77 What information do we want to extract?
  • 8. 8 High Level Goals • What was stolen? ○ Network traffic ○ Cache data • Where was data sent? ○ Drop zone URLs ○ Config file URLs ○ Backup URLs • What changes were made? ○ Commands executed ○ Web injects – config data • Who were the attackers? ○ Tracking
  • 9. 9 How to Achieve These Goals? • C2 addresses ○ Extract from binary, config file, network traffic captures • Stolen data ○ Decrypt network data, cache files • Configuration files ○ Obtain, decrypt, decipher config data ○ Webinjects, filters, targeted processes • Runtime information ○ Exe path, registry keys etc • Store and track data ○ Keys, URLs, customisations
  • 10. 1010 How do we extract the information?
  • 11. 11 Key Variants • Leaked Zeus (2.0.8.9) ○ Original codebase ○ Same process will work for many minor variations • IceIX ○ Encryption algorithm changes ○ Config file retrieval complications • Citadel (1.3.5.1) ○ Encryption heavily rewritten ○ More config file retrieval changes • Gameover ○ Peer 2 peer • KINS ○ VM based decryption routine
  • 12. 12 Zeus 2.0.8.9 • Config file URL • Retrieve, decrypt, decipher config file • Assess stolen data – decrypt network traffic, cache file • Read runtime information
  • 13. 13 Zeus 2.0.8.9 • Static config details embedded in binary • Config block XOR encrypted • Find block offset and XOR key Config file URL
  • 15. 15 Zeus 2.0.8.9 • Regexp search, e.g: ○ "[x50-x57][xb8-xbf].{2}x00x00[x50-x57]x68.{4}[x50- x57]xe8.{4}x8b.{5}x03“ • Key always at start of ‘.reloc’ section • Key length = size of StaticConfig • StaticConfig also contains RC4 key Config URL
  • 16. 16 Zeus 2.0.8.9 • Retrieved with simple Get request to URL • RC4 decrypt ○ Using key from StaticConfig (no key scheduling stage) • VisualDecrypt ○ for (m = (Size-1); m >0; m--) ○ Data[m] = Data[m] ^ Data[m-1] • Decompress compressed blocks ○ nrv2b • Covert to something more readable ○ XML is an option Config File
  • 17. 17 Zeus 2.0.8.9 • Common to many subsequent variants • Config header structure: Config file structure Offset Size Value 0x0 0x14 Random data 0x14 0x4 Size of config file 0x18 0x4 Flags (usually 0) 0x1c 0x4 Number of Blocks 0x20 0x10 MD5 of data 0x30 … Config blocks
  • 18. 18 Zeus 2.0.8.9 • Config blocks – header then data • Config block header structure: Config file structure Offset Size Value 0x0 0x4 Block ID 0x4 0x4 Flags, e.g. compressed 0x8 0x4 Compressed size 0xc 0x4 Decompressed size
  • 19. 19 Zeus 2.0.8.9 • Block ID identifies specific type of config entry e.g. version, new exe url, drop zone url, web injects • Leaked source indicates what each binary value means • Conversion to XML makes the data easier to interpret: Config file structure
  • 20. 20 Zeus 2.0.8.9 • Network data ○ RC4 decrypt using key from StaticConfig ○ Data is structured similar to config data • Cache data ○ Temporary store of data before sending back to drop zone ○ Structure: Stolen data Offset Size Value 0x0 0x4 Xor encoded size of block 0x4 0x1 0 0x5 ?? First encrypted block
  • 21. 21 Zeus 2.0.8.9 • XOR key stored in runtime data at offset 0x1e2 • Blocks encrypted with VisualEncrypt + RC4 • New RC4 key from runtime data • Blocks have same structure as network data • Cache gets deleted when data sent over network Cache data
  • 22. 22 Zeus 2.0.8.9 • Dynamically created block written by dropper • See https://code.google.com/p/volatility/source/browse/trunk/con trib/plugins/malware/zeusscan.py for structure • Key fields: ○ RC4 key – encrypting cache data ○ XORkey – cache data block sizes • Also, registry keys, exe file name, cache file name etc. Runtime information
  • 23. 23 Zeus 2.0.8.9 • Find block in dump: • Often appended to file Runtime information
  • 24. 24 IceIX • Same goals ○ Config file URL ○ Retrieve, decrypt, decipher config file ○ Assess stolen data – decrypt network traffic, cache file ○ Read runtime information • How do we identify? • What are the differences?
  • 25. 25 IceIX • Config file URL by default ends with config.php • Strings: “bn=1” and “&sk=1” • Modified RC4 routine: Identification
  • 26. 26 IceIX • RC4 changes • Config file retrieval requires structured POST request Modifications
  • 28. 28 IceIX • POST request requires special format or config file is not delivered • POST data format: bn=<BOTID string>&sk=<MD5 of encrypted BOTID string> • BOTID generated per machine, e.g.: MYPC_737574566769_474 • Encrypted using modified RC4 with key from StaticConfig • All POST data encrypted before being sent Config file retrieval
  • 29. 29 Citadel • Giveaway string: ○ 'Coded by BRIAN KREBS for personal use only. I love my job & wife.‘ • Version number: • Maybe further strings: ○ cit_ffcookie.module, cit_video.module Identification
  • 30. 30 Citadel • Encryption process rewritten – AES + RC4, multiple keys • Formatted POST request for config file retrieval • Backup config file URLs Modifications
  • 31. 31 Citadel • RC4 has XOR on top with LOGIN_KEY ○ Extra key generated at build time e.g.: ○ "C1F20D2340B519056A7D89B7DF4B0FFF" • Config data encrypted with AES • Network traffic requires generating a new RC4 key Encryption process
  • 32. 32 • Extra non-standard permutation • Need to extract salt value • All network traffic encrypted in this way Citadel Config file retrieval
  • 33. 33 Citadel • Formatted similar to config data – header with 2 data blocks • Block ID 0x2725 – contains the login_key • Block ID 0x2726 – file name from config URL: ○ http://pubber.ru/images/greater/wisdom/file.php|file=config.dll ○ Everything after the ‘|’ goes in the block data POST data
  • 34. 34 Citadel • Switch case based on DWORD value: POST data custom permutation
  • 35. 35 Citadel • Python: POST data custom permutation
  • 36. 36 Citadel Config file decryption • RC4 key from StaticConfig • login_key • 128-bit config XOR key
  • 37. 37 Citadel • Found in the AES routine: Extra config key
  • 38. 38 Gameover/P2P • Command strings used in the P2P protocol: ○ OPTIONS ○ PROPFIND ○ PROPPATCH ○ SEARCH ○ UNLOCK ○ REPORT ○ MKACTIVITY ○ CHECKOUT ○ M-SEARCH ○ NOTIFY ○ SUBSCRIBE ○ UNSUBSCRIBE Identification
  • 39. 39 Gameover/P2P • Static peer list ○ Each peer has its own RC4 key • Connect to P2P network to retrieve config • Zlib compression • https://github.com/arbor/zeus_gameover-re Modifications
  • 40. 40 KINS/VMZeus • VM based StaticConfig decryption • Embedded byte code determines which VM handler is executed on which byte of ciphertext • Embedded opcode handler table • Each element of bytecode is an index into the handler table Modifications
  • 41. 41 KINS/VMZeus • Find the entry to the VM handler: Identification
  • 42. 42 KINS • RC4 key is in the StaticConfig but now much harder to decrypt • Need to replicate the handler sequence by running the bytecode through the handler table • Leaked KINS source: source/common/configcrypt.cpp • But handler table order is shuffled by the builder so we must work out the correct order dynamically for each sample Key extraction
  • 44. 44 Automation • As part of sandbox analysis – e.g. cuckoo ○ Process dump ○ Key extraction and data decryption as part of a processing module ○ Analyzer module to perform the retrieval for non-executing samples • Volatility ○ Key and data extraction from a memory dump ○ https://code.google.com/p/volatility/source/browse/trunk/contrib/plugin s/malware/zeusscan.py
  • 46. 46 Conclusion • Many successful and widespread variants spawned from Zeus code • More builders and source code leaked, many variants still being actively developed • Despite some significant modifications, new variants are incremental • Tools can be updated relatively easy for modifications
  • 47. 47© Sophos Ltd. All rights reserved.

Editor's Notes

  1. Typical weekly breakdown of Zeus variants seen by SophosLabs.
  2. Ref: http://nakedsecurity.sophos.com/2012/12/05/the-citadel-crimeware-kit-under-the-microscope/