Malware Threats in our Cyber Infrastructure

13th April 2013
Hotel Royal Ambarukmo Yogyakarta
Yogyakarta, Indonesia
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
AGENDA
• About me
• Malware History
• Malware Current Attack
• Malware Profiles
• Botnet
• Botnet Takedown
• Summary

Faculty of Engineering and IT      2
Malware History
• What is Malware?
    - Stands for Malicious Software
• Early Days
    - Viruses or Trojans
• Today
    - Viruses, worms, backdoors, Trojans, keyloggers, password stealers, script viruses, rootkits, macro viruses, spyware or even adware.

Malware History (timeline)
• 1970’s: Experimental replicating programs (Creeper & Reaper)
• Early 1980’s: From thesis to real virus …
• Late 1980’s: From Apple II virus to first Internet worm …
• Early 1990’s: Polymorphic viruses to first macro viruses
• Late 1990’s: DOS 16-bit viruses to Melissa worm …
• Early 2000’s: I LOVE YOU virus to MyDoom (fastest spreading worm)
• Late 2000’s: First ever Mac OS X malware to rogue AV to Conficker worm
• 2010 – now: Stuxnet to banking Trojans to Android malware
• From 2004 till now …: From Symbian-based malware to Android malware
Recent Malware Attack
• South Korean TV Broadcaster and Banks attack
• The Attack Process (diagram)
Recent Malware Attack
• Attack started on 20 March 2013 at 2:20 pm
    - Three broadcasters hit: KBS, MBC and YTN
    - Three banks hit: Jeju (제주은행), Nonghyup (농협생명, bank and insurance) and Shinhan (신한은행)
    - Knocked offline after PCs were infected by data-deleting malware (delivered through a server update in the network)
Recent Malware Attack
• Check for existing remote management tools (diagram)
Recent Malware Attack
• Target:
    - To corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VBR)
    - Check time
    - Kills 2 popular anti-virus software
    - Reboot → system unusable
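The wiper above corrupts the MBR and the VBR, so a defender wants a quick way to confirm that a captured boot sector is still intact before a machine is rebooted. The following Python checker is an added example, not code from the presentation or from the analysed samples: it parses the MBR boot signature and partition table, checks a FAT/NTFS-style VBR header, and flags a sector that has been overwritten with a repeating fill pattern; every sample sector it uses is constructed here.

```python
"""Sanity checks for a 512-byte MBR or VBR sector image.

A wiper that corrupts the Master Boot Record and the Volume Boot Record destroys
the 0x55AA boot signature, the partition table and, for the VBR, the jump/OEM
header at the start of the sector. All sample sectors below are constructed.
"""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xAA"
# Partition entry: boot flag, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, LBA size
PARTITION_ENTRY_FMT = "<B3xB3xII"


def repeating_fill_period(sector: bytes, max_period: int = 16):
    """Shortest period <= max_period if the sector is one pattern repeated end to end, else None."""
    # Real boot code and a partition table never repeat; a wiper's fixed fill string does.
    for period in range(1, max_period + 1):
        if len(sector) % period == 0 and sector[:period] * (len(sector) // period) == sector:
            return period
    return None


def parse_partition_table(sector: bytes) -> list:
    """Return the four MBR partition entries as dicts, including empty slots (type 0)."""
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * 16
        boot, ptype, lba_start, lba_size = struct.unpack_from(PARTITION_ENTRY_FMT, sector, offset)
        entries.append({"index": index, "bootable": boot, "type": ptype,
                        "lba_start": lba_start, "lba_size": lba_size})
    return entries


def check_mbr(sector: bytes) -> dict:
    """Validate an MBR: length, boot signature, partition entries, repeating-fill wipe pattern."""
    findings, partitions = [], []
    if len(sector) != SECTOR_SIZE:
        return {"ok": False, "partitions": [], "findings": [f"sector length {len(sector)} != 512"]}
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    for entry in parse_partition_table(sector):
        if entry["type"] == 0:
            continue  # empty slot
        if entry["bootable"] not in (0x00, 0x80):
            findings.append(f"partition {entry['index']}: bad boot indicator 0x{entry['bootable']:02x}")
        elif entry["lba_size"] == 0:
            findings.append(f"partition {entry['index']}: zero-length partition")
        else:
            partitions.append(entry)
    if not partitions:
        findings.append("no usable partition entries")
    period = repeating_fill_period(sector)
    if period is not None:
        findings.append(f"sector is a repeating {period}-byte fill pattern (wiped?)")
    return {"ok": not findings, "partitions": partitions, "findings": findings}


def check_vbr(sector: bytes) -> dict:
    """Validate a FAT/NTFS-style VBR: x86 jump at offset 0, printable OEM ID, boot signature."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return {"ok": False, "oem_id": "", "findings": [f"sector length {len(sector)} != 512"]}
    if sector[0] not in (0xEB, 0xE9):
        findings.append("no x86 jump opcode at offset 0")
    oem_id = sector[3:11]
    if not all(0x20 <= b < 0x7F for b in oem_id):
        findings.append("OEM ID is not printable ASCII")
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    period = repeating_fill_period(sector)
    if period is not None:
        findings.append(f"sector is a repeating {period}-byte fill pattern (wiped?)")
    return {"ok": not findings, "oem_id": oem_id.decode("ascii", "replace"), "findings": findings}


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: one bootable NTFS-type (0x07) partition at LBA 2048, 204800 sectors."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xFA\x33\xC0"  # stand-in for boot code (cli; xor ax,ax)
    struct.pack_into(PARTITION_ENTRY_FMT, sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def build_sample_vbr() -> bytes:
    """Constructed healthy NTFS-style VBR header: jmp short + nop, OEM ID "NTFS    "."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x52\x90"
    sector[3:11] = b"NTFS    "
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed wiped sector: every byte overwritten with the same short string.
WIPED_SECTOR = b"WIPED!!!" * (SECTOR_SIZE // 8)

if __name__ == "__main__":
    print("healthy MBR:", check_mbr(build_sample_mbr()))
    print("wiped MBR:  ", check_mbr(WIPED_SECTOR))
    print("wiped VBR:  ", check_vbr(WIPED_SECTOR))
```

On a real system the sector would come from reading the first 512 bytes of the disk device (or of each volume for the VBR) with administrative rights; compare the result against a copy saved while the machine was known good.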
Recent Malware Attack
• Malware involved:
    - File Name: ApcRunCmd_DB4BBDC36A78A8807AD9B15A562515C4.exe, MD5: db4bbdc36a78a8807ad9b15a562515c4, File Type: Win32 EXE
    - File Name: OthDown.exe, MD5: 5fcd6e1dace6b0599429d913850f0364, File Type: Win32 EXE
    - File Name: AmAgent.exe, MD5: 5fcd6e1dace6b0599429d913850f0364, File Type: Win32 EXE
    - File Name: vti-rescan.exe, MD5: 9263e40d9823aecf9388b64de34eae54, File Type: Win32 EXE
• Malware Samples: http://contagiodump.blogspot.nl/2013/03/darkseoul-jokra-mbr-wiper-samples.html
Recent Malware Attack
• According to McAfee (see references), the malware samples used existing malware found in the wild in August and October 2012 as a template to develop the new malware
• It has new capabilities:
    - MBR-killing
    - Killing 2 popular anti-virus products
• (Figure: NEW sample compared with OLD sample)
BOTNET
Botnet – What is it?
• What is Botnet? (diagrams)
Botnet – Stats
• What is Botnet? (figure)
• Source: 2013 GLOBAL THREAT INTELLIGENCE REPORT (GTIR)
Botnet – Underground
• Botnet Underground (figures)
    - Source: http://goo.gl/Vq30r
    - Source: FireEye on Botnet Grum
Botnet Evolution
• 1st generation: Centralized C&C server; IRC-based communication
• 2nd generation: P2P C&C server; IRC C&C server
• 3rd generation: HTTP-based C&C; P2P C&C server
• 4th generation: Encrypted communication; P2P C&C
Botnet C&C Evolution
• Two most common methods of C&C:
    - Central control C&C
    - P2P network
• Central C&C server (diagram)
Botnet C&C Evolution (cont.)
• P2P network
    - E.g. Kelihos botnet (diagram)
• Kelihos infections (figure)
• TOR-based C&C (diagram)
Botnet Evolution & Takedown (figures)

Declining Botnets (figure; Source: McAfee Q4 2012 Report)

Botnets Alive Today (figure; Source: McAfee Q4 2012 Report)

New Botnets (figure)

Botnet – Some stats (figure)
Third Largest Botnet Takedown
• Code name: Grum Botnet
• Impact Size: 18% of SPAM volumes (18 billion SPAM a day)
• C&C: Panama & Netherlands
• Takedown: Tuesday, 12 July 2012
• Alive again: Thursday, 14 July 2012 (C&C: Russia)
• Difficulty of takedown: 2 (on a scale of 1 to 5)
Grum Botnet Characteristics
• C&C Servers:
    - Primary C&C for configuration files and initial registration
    - Secondary C&C for spam-related activities
• Hard-coded IP addresses (instead of domain names)
• Infected machines segmented across different C&C servers
• No fallback mechanism if the primary and secondary C&C are down
• (Diagram of the C&C layout)
Grum Botnet (cont.)
• Conversation with Primary C&C (capture)
• Conversation with Secondary C&C (capture)
Grum Botnet (cont.)

IP address      Type        Geo Location         Status (as of July 6 2012)
190.123.46.91   Master      PANAMA               Active
190.123.46.92   Master      PANAMA               Suspended or abandoned
91.239.24.251   Master      RUSSIAN FEDERATION   Active
94.102.51.226   Secondary   NETHERLANDS          Active
94.102.51.227   Secondary   NETHERLANDS          Active
94.102.51.228   Secondary   NETHERLANDS          Suspended or abandoned
94.102.51.229   Secondary   NETHERLANDS          Suspended or abandoned
94.102.51.230   Secondary   NETHERLANDS          Suspended or abandoned
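As an added example (not from the presentation or from FireEye's analysis), the following Python script turns the C&C table above into detection logic: it matches constructed firewall log lines against the listed IPs, groups contacts per internal host by C&C role (primary/master for registration, secondary for spam), and uses the July 6 2012 status column together with the no-fallback weakness from the characteristics slide to separate live bots from orphaned segments. The log line format is hypothetical.

```python
"""Match outbound connection logs against the Grum C&C list from the slides.

GRUM_CNC reproduces the IPs, roles and 6 July 2012 status from the slide table;
the log lines and their format are constructed for this example.
"""
import re
from collections import defaultdict

# C&C IP -> (type, geo location, status as of July 6 2012), copied from the slide table
GRUM_CNC = {
    "190.123.46.91": ("Master", "PANAMA", "Active"),
    "190.123.46.92": ("Master", "PANAMA", "Suspended or abandoned"),
    "91.239.24.251": ("Master", "RUSSIAN FEDERATION", "Active"),
    "94.102.51.226": ("Secondary", "NETHERLANDS", "Active"),
    "94.102.51.227": ("Secondary", "NETHERLANDS", "Active"),
    "94.102.51.228": ("Secondary", "NETHERLANDS", "Suspended or abandoned"),
    "94.102.51.229": ("Secondary", "NETHERLANDS", "Suspended or abandoned"),
    "94.102.51.230": ("Secondary", "NETHERLANDS", "Suspended or abandoned"),
}

# Hypothetical firewall log format: "<timestamp> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

# Constructed sample log: one host that registers with a master and then talks to two
# secondaries, one host stuck on a suspended master, benign traffic, and a malformed line.
SAMPLE_LOG = """\
2012-07-06T10:15:02 src=10.0.5.23 dst=190.123.46.91 dport=80
2012-07-06T10:15:09 src=10.0.5.23 dst=94.102.51.226 dport=80
2012-07-06T10:16:41 src=10.0.5.23 dst=94.102.51.227 dport=80
2012-07-06T10:20:00 src=10.0.7.8 dst=190.123.46.92 dport=80
2012-07-06T10:20:30 src=10.0.7.8 dst=190.123.46.92 dport=80
2012-07-06T10:21:00 src=10.0.9.1 dst=198.51.100.10 dport=443
2012-07-06T10:22:13 src=10.0.5.23 dst=198.51.100.53 dport=53
malformed line that the parser must skip
"""


def parse_log(text: str):
    """Yield (timestamp, src, dst, dport) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match:
            yield match["ts"], match["src"], match["dst"], int(match["dport"])


def find_grum_contacts(text: str) -> dict:
    """Per internal host: the master and secondary C&C IPs it reached and the event count."""
    hosts = defaultdict(lambda: {"master": set(), "secondary": set(), "events": 0})
    for _ts, src, dst, _dport in parse_log(text):
        info = GRUM_CNC.get(dst)
        if info is None:
            continue  # not a known Grum C&C
        hosts[src][info[0].lower()].add(dst)
        hosts[src]["events"] += 1
    return dict(hosts)


def classify_host(contacts: dict) -> str:
    """Assess one host from the C&C roles it reached and whether those C&Cs were still live.

    Orphaned: every C&C it reached was suspended; Grum has no fallback, so the bot is stranded.
    Spam stage: it reached a secondary C&C, the tier used for spam-related activity.
    Otherwise it has only done configuration/registration against a master C&C.
    """
    reached = contacts["master"] | contacts["secondary"]
    if all(GRUM_CNC[ip][2] != "Active" for ip in reached):
        return "orphaned (all contacted C&C down, no fallback)"
    if contacts["secondary"]:
        return "active bot, spam stage"
    return "active bot, registration/config stage"


def report(text: str) -> dict:
    """Map each internal host that touched a Grum C&C to its classification."""
    return {src: classify_host(contacts) for src, contacts in find_grum_contacts(text).items()}


if __name__ == "__main__":
    for host, verdict in sorted(report(SAMPLE_LOG).items()):
        print(f"{host:12} {verdict}")
```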
Grum Botnet - Lesson Learned
• Strong Points:
    - C&C servers are located in countries whose governments have historically been reluctant to act on abuse notifications
    - Servers are scattered across multiple data centers
    - Botnet divided into segments (bad part for the takedown: unless all C&C are dead, the botnet is still alive)
• Weak Points:
    - No fallback mechanism → C&C dead, no connection possible
    - Handful of hard-coded IP addresses
    - Data centers easily identified (easy to deal with)
    - Small segments, so some segments die easily
Grum Botnet - Lesson Learned
• Summarized strategy to take down a botnet:
    - Research which C&C architecture they are using
    - Intelligence on real-time traffic
    - Takedown methodology
    - 24/7 surveillance
    - Actual takedown
    - Surprises will come – be prepared
    - Post-takedown activities
Bamital – Botnet Takedown
• Method: Click Fraud
• Users search for pornographic web sites
• Then users are directed to these web sites: (list in figure)
• The Bamital Trojan is downloaded
• These “random” web sites (pseudo-randomly generated) serve the exploit packs: (list in figure)
Summary
• We have seen how malware evolved with more and more advanced and sophisticated methods
• The tasks are very challenging …
• Research in malware is in huge demand …
• We need to work together …
Other Security Events
• 13-15 May 2013: ACAD-CSIRT in Bali
• 19-20 June 2013: Honeynet Indonesia Chapter Workshop 2013, Jakarta
• 18 Sept 2013: Cloud Security Alliance Summit, Jakarta
References
• http://blogs.mcafee.com/mcafee-labs/an-overview-of-messaging-botnets
• http://www.fireeye.com/blog/technical/botnet-activities-research/2012/07/grum-botnet-no-longer-safe-havens.html
• http://voices.washingtonpost.com/securityfix/pushdo.htm
• http://voices.washingtonpost.com/securityfix/2009/06/ftc_sues_shuts_down_n_calif_we.html
• http://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html
• http://www.securelist.com/en/blog/208193438/FAQ_Disabling_the_new_Hlux_Kelihos_Botnet
• https://www.brighttalk.com/webcast/7451/53071
• http://www.tripwire.com/state-of-security/it-security-data-protection/cyber-security/south-korean-attack-malware-analysis/
• http://download.bitdefender.com/resources/files/Main/file/Malware_History.pdf
• http://blogs.mcafee.com/mcafee-labs/south-korean-banks-media-companies-targeted-by-destructive-malware
• http://www.sophos.com/en-us/threat-center/threat-monitoring/malware-dashboard.aspx
• http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx
• http://www.virusradar.com/
Thank You

Mais conteúdo relacionado

Semelhante a Malware Threats in Cyber Infrastructure

Virus ,Worms and steganography
Virus ,Worms and steganographyVirus ,Worms and steganography
Virus ,Worms and steganographyAnkit Negi
 
Synopsis viva presentation
Synopsis viva presentationSynopsis viva presentation
Synopsis viva presentationkirubavenkat
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worriesUltraUploader
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...IRJET Journal
 
Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The BotmasterIJERA Editor
 
Ids 006 computer worms
Ids 006 computer wormsIds 006 computer worms
Ids 006 computer wormsjyoti_lakhani
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 
The Dynamite of Next Generation (Y) Attack
The Dynamite of Next Generation (Y) AttackThe Dynamite of Next Generation (Y) Attack
The Dynamite of Next Generation (Y) AttackPrathan Phongthiproek
 
Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Aniq Eastrarulkhair
 
Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)sadique_ghitm
 
Understanding the Botnet Phenomenon
Understanding the Botnet PhenomenonUnderstanding the Botnet Phenomenon
Understanding the Botnet PhenomenonDr. Amarjeet Singh
 
“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”iosrjce
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniquesijsrd.com
 
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24
 

Semelhante a Malware Threats in Cyber Infrastructure (20)

BotNet Attacks
BotNet AttacksBotNet Attacks
BotNet Attacks
 
Virus ,Worms and steganography
Virus ,Worms and steganographyVirus ,Worms and steganography
Virus ,Worms and steganography
 
Synopsis viva presentation
Synopsis viva presentationSynopsis viva presentation
Synopsis viva presentation
 
Botnet
BotnetBotnet
Botnet
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
 
Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The Botmaster
 
Ids 006 computer worms
Ids 006 computer wormsIds 006 computer worms
Ids 006 computer worms
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 
The Dynamite of Next Generation (Y) Attack
The Dynamite of Next Generation (Y) AttackThe Dynamite of Next Generation (Y) Attack
The Dynamite of Next Generation (Y) Attack
 
Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1
 
Bots and Botnet
Bots and BotnetBots and Botnet
Bots and Botnet
 
Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)
 
Understanding the Botnet Phenomenon
Understanding the Botnet PhenomenonUnderstanding the Botnet Phenomenon
Understanding the Botnet Phenomenon
 
“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniques
 
Conficker worm
Conficker wormConficker worm
Conficker worm
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet Architecture
 
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
 

Último

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Último (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Malware Threats in Cyber Infrastructure

  • 1. Malware Threats in our Cyber Infrastructure 13th April 2013 Hotel Royal Ambarukmo Yogyakarta Yogyakarta, Indonesia Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
  • 2. AGENDA About me Malware History Malware Current Attack Malware Profiles Botnet Botnet Takedown Summary Faculty of Engineering and IT 2
  • 3. Malware History What is Malware? Stand for Malicious Software Early Days Viruses or Trojan Today Viruses, worms, backdoors, Trojans, keyloggers, password stealers, script viruses, rootkits, macro viruses, spyware or even adware. Faculty of Engineering and IT 3
  • 4. Malware History 1970’s Experimental replicating program (Creeper &Reaper) Faculty of Engineering and IT 4
  • 5. Malware History Early 1980’s From thesis to real virus … Faculty of Engineering and IT 5
  • 6. Malware History Late 1980’s From Apple II virus to First Internet Worm … Faculty of Engineering and IT 6
  • 7. Malware History Early 1990’s Polymorphic Viruses to First Macro viruses Faculty of Engineering and IT 7
  • 8. Malware History Late 1990’s DOS 16-bit viruses to Melissa Worm … Faculty of Engineering and IT 8
  • 9. Malware History Early 2000’s I LOVE YOU virus to MyDOOM (fastest spreading worm) Faculty of Engineering and IT 9
  • 10. Malware History Late 2000’s First ever Mac OS X malware to rogue AV to conficker worm Faculty of Engineering and IT 10
  • 11. Malware History 2010 – now Stuxnet to Banking Trojan to Android Malware Faculty of Engineering and IT 11
  • 12. Malware History From 2004 till now … From Symbian based malware to Android Malware Faculty of Engineering and IT 12
  • 13. Recent Malware Attack South Korean TV Broadcaster and Banks attack Faculty of Engineering and IT 13
  • 14. Recent Malware Attack The Attack Process Faculty of Engineering and IT 14
  • 15. Recent Malware Attack Attack started on 20 March 2013 at 2:20 pm Three broadcaster KBS, MBC and YTN hit Three banks (제주은행) Jeju, (농협생명) Nonghyup (Bank and Insurance) and (신한은행) Shinhan hit knocked offline after PCs were infected by data- deleting malware (from server update in the network) Faculty of Engineering and IT 15
  • 16. Recent Malware Attack Check for existing remote management tools Faculty of Engineering and IT 16
  • 17. Recent Malware Attack Target: To corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VMR) Kills 2 popular anti virus software Reboot system unusable Faculty of Engineering and IT 17
  • 18. Recent Malware Attack Target: To corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VMR) Check time Kills 2 popular anti virus software Reboot system unusable Faculty of Engineering and IT 18
  • 19. Recent Malware Attack Malware involved: File Name: ApcRunCmd_DB4BBDC36A78A8807AD9B15A562515C4.exe MD5: db4bbdc36a78a8807ad9b15a562515c4 File Type: Win32 EXE File Name: OthDown.exe MD5: 5fcd6e1dace6b0599429d913850f0364 File Type: Win32 EXE File Name: AmAgent.exe MD5: 5fcd6e1dace6b0599429d913850f0364 File Type: Win32 EXE File Name: vti-rescan.exe MD5: 9263e40d9823aecf9388b64de34eae54 File Type: Win32 EXE Malware Samples: http://contagiodump.blogspot.nl/2013/03/darkseoul-jokra-mbr- wiper-samples.html Faculty of Engineering and IT 19
  • 20. Recent Malware Attack According to Mcafee (refer to reference), the malware samples used the existing malware found in August and October 2012 in the wild as a template to develop new malware It has a new capability: MBR-killing 2 Popular Anti Virus-killing NEW sample OLD sample Faculty of Engineering and IT 20
  • 22. Botnet – What is it? What is Botnet? Faculty of Engineering and IT 22
  • 23. Botnet – What is it? What is Botnet? Faculty of Engineering and IT 23
  • 24. Botnet – What is it? What is Botnet? Faculty of Engineering and IT 24
  • 25. Botnet – Stats What is Botnet? Source: 2013 GLOBAL THREAT INTELLIGENCE REPORT (GTIR) Faculty of Engineering and IT 25
  • 26. Botnet – Underground Botnet Underground Source: http://goo.gl/Vq30r Faculty of Engineering and IT 26
  • 27. Botnet – Underground Botnet Underground Source: FireEye on Botnet Grum Faculty of Engineering and IT 27
  • 28. Botnet Evolution • Centralized C & C Server 1st • IRC-based communication • P2P C & C Server 2nd • IRC C & C server • HTTP-based C & C 3rd • P2P C & C Server • Encrypted communication 4th • P2P C & C Faculty of Engineering and IT 28
  • 29. Botnet C&C Evolution Two most common method of C&C: Central control C&C P2P Network Central C&C Server Faculty of Engineering and IT
• 30. Botnet C&C Evolution (cont.)
   P2P network, e.g. Kelihos Botnet
• 31. Botnet C&C Evolution (cont.)
   Kelihos infections
• 32. Botnet C&C Evolution (cont.)
   TOR-based C&C
• 33. Botnet Evolution & Takedown
• 34. Botnet Evolution & Takedown (cont.)
• 35. Declining Botnets
   Source: McAfee Q4 2012 Report
• 36. Botnets Alive Today
   Source: McAfee Q4 2012 Report
• 37. New Botnets
• 38. Botnet – Some Stats
• 39. Third Largest Botnet Takedown
   Code name: Grum Botnet
   Impact size: 18% of SPAM volumes (18 billion SPAM a day)
   C&C: Panama & Netherlands
   Takedown: Tuesday, 12 July 2012
   Alive again: Thursday, 14 July 2012 (C&C: Russia)
   Difficulty of takedown: 2 (on a scale of 1 to 5)
• 40. Grum Botnet Characteristics
   C&C servers:
         Primary C&C for configuration files and initial registration
         Secondary C&C for spam-related activities
   Hard-coded IP addresses (instead of domain names)
   Infected machines segmented across different C&C servers
   No fallback mechanism if primary and secondary C&C are down
• 41. Grum Botnet Characteristics (cont.)
• 42. Grum Botnet (cont.)
   Conversation with primary C&C
• 43. Grum Botnet (cont.)
   Conversation with secondary C&C
• 44. Grum Botnet (cont.)
   IP address      Type       Geo Location         Status (as of July 6 2012)
   190.123.46.91   Master     PANAMA               Active
   190.123.46.92   Master     PANAMA               Suspended or abandoned
   91.239.24.251   Master     RUSSIAN FEDERATION   Active
   94.102.51.226   Secondary  NETHERLANDS          Active
   94.102.51.227   Secondary  NETHERLANDS          Active
   94.102.51.228   Secondary  NETHERLANDS          Suspended or abandoned
   94.102.51.229   Secondary  NETHERLANDS          Suspended or abandoned
   94.102.51.230   Secondary  NETHERLANDS          Suspended or abandoned
• 45. Grum Botnet – Lessons Learned
   Strong points:
         C&C servers are located in countries whose governments have historically been reluctant to act on abuse notifications
         Servers are scattered across multiple data centers
         Botnet divided into segments (bad part for the takedown: unless all C&C are dead, the botnet is still alive)
   Weak points:
         No fallback mechanism: C&C dead, no connection possible
         Handful of hard-coded IP addresses
         Data centers easily identified (easy to deal with)
         Small segments, so some segments are easily killed
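The characteristics on slides 40, 44 and 45 (hard-coded C&C addresses, a master/secondary split, no fallback) mean a defender can spot Grum infections with a static match on outbound flows and read off which stage of the bot's life cycle was seen. This is an added example, not code from the talk or from FireEye; the C&C table is the one from slide 44 and the flow records are constructed.

```python
"""Flag internal hosts that contact the Grum C&C addresses from slide 44.

Added example, not code from the talk or from FireEye: Grum used hard-coded
IP addresses and split registration (master) from spamming (secondary), so a
static match on outbound flows spots infected hosts and shows which stage of
the bot's life cycle was observed. The flow records below are constructed.
"""

# ip -> (type, geo location, status as of 6 July 2012), copied from slide 44
GRUM_CC = {
    "190.123.46.91": ("Master", "PANAMA", "Active"),
    "190.123.46.92": ("Master", "PANAMA", "Suspended or abandoned"),
    "91.239.24.251": ("Master", "RUSSIAN FEDERATION", "Active"),
    "94.102.51.226": ("Secondary", "NETHERLANDS", "Active"),
    "94.102.51.227": ("Secondary", "NETHERLANDS", "Active"),
    "94.102.51.228": ("Secondary", "NETHERLANDS", "Suspended or abandoned"),
    "94.102.51.229": ("Secondary", "NETHERLANDS", "Suspended or abandoned"),
    "94.102.51.230": ("Secondary", "NETHERLANDS", "Suspended or abandoned"),
}

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2012-07-06T10:01:02 10.0.0.15 190.123.46.91 80
2012-07-06T10:01:09 10.0.0.15 94.102.51.226 80
2012-07-06T10:02:30 10.0.0.22 94.102.51.227 80
2012-07-06T10:03:00 10.0.0.40 192.0.2.10 53
2012-07-06T10:04:11 10.0.0.15 94.102.51.228 80
"""


def classify_hosts(flow_text: str) -> dict:
    """Map each internal host to the C&C roles it reached and dead C&C it retried."""
    hits = {}
    for line in flow_text.splitlines():
        _ts, src, dst, _port = line.split()
        cc = GRUM_CC.get(dst)
        if cc is None:
            continue                      # not a known Grum C&C address
        role, _geo, status = cc
        entry = hits.setdefault(src, {"roles": set(), "dead_cc": []})
        entry["roles"].add(role)
        if status != "Active":            # bot retrying a suspended C&C: no fallback
            entry["dead_cc"].append(dst)
    return hits


def lifecycle_stage(entry: dict) -> str:
    """Interpret which part of the Grum life cycle the flows show."""
    roles = entry["roles"]
    if roles == {"Master", "Secondary"}:
        return "registration and spam activity"
    if roles == {"Master"}:
        return "registration/configuration only"
    return "spam activity only"
```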
• 46. Grum Botnet – Lessons Learned (cont.)
   Summarized strategy for taking down a botnet:
         Research which C&C architecture they are using
         Intelligence on real-time traffic
         Takedown methodology
         24/7 surveillance
         Actual takedown: surprises will come, be prepared
         Post-takedown activities
• 47. Bamital – Botnet Takedown
   Method: click fraud
• 48. Bamital – Botnet Takedown
   User searches for a pornographic web site
   Then users are directed to these web sites:
   Downloaded Bamital Trojan
• 49. Bamital – Botnet Takedown
   These “random” web sites (pseudo-randomly generated) that serve the exploit packs:
• 50. Summary
   We have seen how malware has evolved with more and more advanced and sophisticated methods
   The tasks are very challenging …
   Research in malware is in huge demand …
   We need to work together …
• 51. Other Security Events
   13-15 May 2013: ACAD-CSIRT in Bali
   19-20 June 2013: Honeynet Indonesia Chapter Workshop 2013, Jakarta
   18 Sept 2013: Cloud Security Alliance Summit, Jakarta
• 52. References
   http://blogs.mcafee.com/mcafee-labs/an-overview-of-messaging-botnets
   http://www.fireeye.com/blog/technical/botnet-activities-research/2012/07/grum-botnet-no-longer-safe-havens.html
   http://voices.washingtonpost.com/securityfix/pushdo.htm
   http://voices.washingtonpost.com/securityfix/2009/06/ftc_sues_shuts_down_n_calif_we.html
   http://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html
   http://www.securelist.com/en/blog/208193438/FAQ_Disabling_the_new_Hlux_Kelihos_Botnet
   https://www.brighttalk.com/webcast/7451/53071
• 53. References (cont.)
   http://www.tripwire.com/state-of-security/it-security-data-protection/cyber-security/south-korean-attack-malware-analysis/
   http://download.bitdefender.com/resources/files/Main/file/Malware_History.pdf
   http://blogs.mcafee.com/mcafee-labs/south-korean-banks-media-companies-targeted-by-destructive-malware
• 54. References (cont.)
   http://www.sophos.com/en-us/threat-center/threat-monitoring/malware-dashboard.aspx
   http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx
   http://www.virusradar.com/