Emerging Threats
The State of Cyber Security
Earl Carter / @kungchiu
Threat Researcher, Cisco Talos
About Myself
•  Earl Carter
•  Threat Researcher, Cisco Talos
•  Over 20 Years in Network Security
•  3rd Degree Black Belt Taekwondo
Cloud to Core Visibility
•  16 BILLION web requests a day
•  600 BILLION email messages a day
•  18.5 BILLION endpoint malware queries a day
Professional Appearance
•  Talos discovered email campaign
•  Began shortly after Windows 10 release
Windows 10 Spam
Payload: CTB-Locker Ransomware
Simple But Effective
Resume Spam Campaign
•  Pretends to be employee resume
•  Short-lived and Effective
•  Includes Zip file attachment
The Infection Chain
Tax Scams Gone International
Overview
•  9 Different Countries
•  English & 3 Other Languages
•  Occurring year round
•  Attacks
•  HTML Forms & Malicious Attachments
•  Links to Malicious Sites
Tax Scams Gone International
One Campaign Spanning 3 Countries
US, UK & Canada
Common Subjects
Claim your tax refund
You are eligible to receive a tax refund
Tax Refund Notification
Australian Taxation Office tax refund confirmation!
Tax Refund New Message Alert!
Tax Refund (Ref # 782167) - $687.00 CDN
Tax Refund (Ref # 782167) 687.00 GBP
Tax Refund (Ref# 782167) $687.00 USD
Tilbagebetaling af skat - DKK 7122,00
Skatteåterbäring: 6120.20 SEK
Rimborso fiscale per 2014-2015
Interesting IRS Twists
IRS Forgiving Debt?
Your Identity was Stolen
Impersonating Tax Seminars
IRS: Tax and Payroll Updates for 2016
Reminder: Annual Tax Update
Handling Federal and State Tax Levies With Ease. Register Now!
Sample Subjects
Attacking SSH Servers
SSHPsychos
•  Brute Force SSH Attacks until password guess
•  300K Unique Passwords
•  Login from different address space
•  Drop DDoS Rootkit on server
•  Accounted for 1/3 of all SSH Traffic ON THE INTERNET
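The two behaviours above (a source range hammering SSH with password guesses, then a successful login arriving from a different address space) can be checked directly in sshd logs. The following detection logic is an added example, not code from the slides or from Talos; the log lines, thresholds and addresses are constructed.

```python
"""
Added example: detection logic for the SSHPsychos pattern run over constructed
sshd log lines. It flags (1) source /24 networks producing many failed password
attempts and (2) password logins to a brute-forced account that come from a
network never seen in the failed attempts ("login from different address space").
Account names, addresses and thresholds are constructed for the example.
"""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed OpenSSH auth.log sample (documentation/TEST-NET and RFC 1918 addresses).
SAMPLE_LOG = """\
Jan 14 03:10:01 bastion sshd[2001]: Failed password for root from 203.0.113.10 port 40121 ssh2
Jan 14 03:10:02 bastion sshd[2002]: Failed password for root from 203.0.113.11 port 40122 ssh2
Jan 14 03:10:02 bastion sshd[2003]: Failed password for root from 203.0.113.12 port 40123 ssh2
Jan 14 03:10:03 bastion sshd[2004]: Failed password for invalid user admin from 203.0.113.13 port 40124 ssh2
Jan 14 03:10:04 bastion sshd[2005]: Failed password for root from 203.0.113.14 port 40125 ssh2
Jan 14 03:10:05 bastion sshd[2006]: Failed password for root from 203.0.113.15 port 40126 ssh2
Jan 14 03:11:30 bastion sshd[2010]: Accepted password for root from 198.51.100.7 port 51000 ssh2
Jan 14 03:12:00 bastion sshd[2011]: Accepted publickey for deploy from 10.0.0.5 port 52000 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Yield (result, method, user, ip) for every sshd authentication line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def source_net(ip, prefix=24):
    """Collapse an address to its /24 so a range rotating source IPs is counted once."""
    return ip_network(f"{ip}/{prefix}", strict=False)


def detect_ssh_bruteforce(text, threshold=5):
    """Return {'bruteforce_nets': [...], 'suspicious_logins': [...]}.

    bruteforce_nets: /24 networks with at least `threshold` failed password attempts.
    suspicious_logins: (user, ip) pairs for password logins to an account that was
    under brute force, where the login source network never appeared in the
    failed attempts against that account.
    """
    failed_by_net = defaultdict(int)
    failed_nets_by_user = defaultdict(set)
    accepted = []
    for result, method, user, ip in parse_auth_log(text):
        net = source_net(ip)
        if result == "Failed" and method == "password":
            failed_by_net[net] += 1
            failed_nets_by_user[user].add(net)
        elif result == "Accepted":
            accepted.append((method, user, ip))

    brute_nets = sorted(str(n) for n, c in failed_by_net.items() if c >= threshold)

    suspicious = []
    for method, user, ip in accepted:
        # A key-based login was not guessed; only password logins to attacked accounts count.
        if method != "password" or user not in failed_nets_by_user:
            continue
        if source_net(ip) not in failed_nets_by_user[user]:
            suspicious.append((user, ip))
    return {"bruteforce_nets": brute_nets, "suspicious_logins": suspicious}


if __name__ == "__main__":
    print(detect_ssh_bruteforce(SAMPLE_LOG))
```

A real deployment would widen the aggregation beyond a /24 (the campaign rotated through a larger range) and feed the flagged networks to the blocking step described on the next slides.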
SSH Brute Force Attempts
Collaborating with Level 3
SSHPsychos
ACTION TAKEN:
•  Engaged Level 3… and other providers
•  Sudden Pivot
•  Null Routed
•  Call to Action
•  Effectively Limited
VICTORY
After Action
•  Multiple Pivots
•  Continuous Blocks
•  Group Effort
•  Eventually They Stopped
Angler Exposed
Drive-by Download Attacks
•  The act of downloading something unintentionally, usually malicious
•  No need to click to download
•  Malvertising is a common vector
Malvertising
•  Content varies by system
•  Content varies by user
•  Content varies by visit
Lots of Noise
CNN
26 Domains
39 Hosts
171 Objects
557 Connections
What is an exploit kit?
•  A software package designed to exploit vulnerable browsers and plugins
•  Blackhole was the first major exploit kit
Monetization of Hacking
There are three main payload types:
•  Ransomware
•  Cryptowall, Teslacrypt
•  Click-fraud agents
•  Bedep
•  Miscellaneous
•  trojans, keyloggers, spyware
Taking a Close Look
•  Deep Data Analytics July 2015
•  Telemetry from compromised users
•  ~1000 Sandbox Runs
•  July 2015
•  Angler Underwent several URL Changes
•  Multiple “Hacking Team” 0-Days added
•  Ended with tons of data
Detection Challenges
•  Hashes
•  Found 3,000+ Unique Hashes
•  6% in VT
•  Most detection <10
•  Encrypted Payloads
•  Using Diffie-Hellman Encryption for IE Exploit
•  Unique to each user
•  Domain Behavior
•  DDNS
•  Domain Shadowing
•  Adversary Owned Domains
•  Hard Coded IP
Exploit Details
•  “Hacking Team” Adobe Flash 0-days: CVE-2015-5119, CVE-2015-5122
•  IE 10 and 11 JScript9 Memory Corruption Vulnerability: CVE-2015-2419
•  IE OLE Vulnerability: CVE-2014-6332
(Chart: exploit share by Adobe Flash, CVE-2014-6332 and Silverlight)
Unique Referers
Unique Referers By Day July 2015
Unique IP Addresses Per Day
IP Address / ASN Relationship
Angler HTTP Requests by Provider July 2015
Shutting Down the Source
•  Partnered with Limestone Networks
•  Angler Infrastructure
•  Level-3
•  Magnitude and Scale
•  Collaborated with OpenDNS
•  Visibility into DNS Infrastructure
The Backend Infrastructure
Angler Victims
Potential Revenue
To play with the numbers, please visit:
http://talosintel.com/angler-exposed/
CryptoWall Version 4
The Evolution Continues
Overview
•  Notorious ransomware
•  Version 1 first seen in 2014
•  Distributed via Exploitkits and Phishing Emails
•  Fast Evolution
CRYPTOWALL 4.0
File Encryption
(Diagram: from a directory listing of 1.jpg, 2.jpg, 3.jpg …, each file, e.g. 1.jpg, is encrypted with a temporary AES256 key; that temporary key is encrypted with the RSA public key and written together with other data and the encrypted 1.jpg into a file named random.xyz)
Temporary AES key can only be decrypted with the private RSA key
Network Communication (CryptoWall malware ↔ command and control server)
•  Malware → C2: Initial announcement to C2
•  C2 → Malware: C2 Server ACK
•  Malware → C2: Request PubKey, TOR domains, PNG wallpaper
•  C2 → Malware: Send PubKey, TOR domains, PNG wallpaper
•  Malware: Verify PubKey and start encrypting files …
•  Malware → C2: Operation successful. Files encrypted. Done.
•  C2 → Malware: C2 Server ACK
Excluded Local Regions
•  CryptoWall 4 checks local region settings with an undocumented API Call
•  Following regions are excluded from infections:
•  Russian
•  Kazakh
•  Ukrainian
•  Uzbek
•  Belarusian
•  Azeri
•  Armenian
•  … other Eastern European countries
Excluded Dir/Files/Ext
Extensions:
exe, dll, pif, scr, sys, msi, msp, com, hta, cpl, msc, bat, cmd, scf
Directories:
windows, temp, cache, sample pictures, default pictures,
Sample Music, program files, program files (x86), games,
sample videos, user account pictures, packages
Files:
help_your_files.txt, help_your_files.html, help_your_files.png,
thumbs.db
Victim’s View – Full Localization
Detailed Instructions
SamSam: The Doctor Will See You, After He Pays The Ransom
SamSam Targets Healthcare
•  Exploits JBoss Vulnerability
•  Moves Laterally
•  Targeted Across Organization
•  Used recently against multiple hospitals
Communicating with Threat Actors
Payment Process
Payment Evolution
Summary
•  Exploiting Network Vulnerabilities
•  JBoss
•  Laterally targets multiple systems
•  Payment is in Bitcoin
•  Obtain Private Key via Blog Comment
Smoke & Mirrors
Rombertik
•  Multiple layers of obfuscation
•  Hooks into user’s browser to read credentials & other sensitive info
•  Propagates via spam and phishing
Hard to Detect
Anti-analysis (1)
•  User downloads packed executable.
•  Packed executable performs excessive activity to flood tracing tools.
•  Performs series of checks to make sure environment is safe for it to proceed in.
•  Decrypts unpacking shellcode to memory and executes.
Rombertik
ACTION TAKEN:
•  Identify malware
•  Encourage best security practices
•  AMP, CWS, ESA, Network Security, WSA
Hard to Kill
Persistence (2)
•  Checks to see if executable is in desired location, copies to desired location if not.
•  Launches copy from desired location.
•  Decrypts executable.
•  Preparation is complete.
(Diagram: unpacking shellcode) Executable launches self again and overwrites new copy with unpacked executable code.
Rombertik
Software Integrity & Nasty Surprises
Malicious Behavior (3)
•  Compute 32-bit hash from resource, compare values.
•  If values do not match, encrypt and wipe victim’s data.
•  If values match, inject spy code into web browsers.
•  Send intercepted data to web server.
(Diagram: unpacked executable and its http:// traffic)
Angler Exploit Kit Evolves Again
•  Parameter Changes:
•  New Gate
•  Registered Domains
URL Changes
•  Old Format vs. New Format
•  New Gate
•  New Actor
talosintel.com
@TalosSecurity
@kungchiu

AtlSecCon 2016

  • 1. Emerging Threats The State of Cyber Security Earl Carter / @kungchiu Threat Researcher, Cisco Talos
  • 2. About Myself •  Earl Carter •  Threat Researcher, Cisco Talos •  Over 20 Years in Network Security •  3rd Degree Black Belt Taekwondo
  • 3. Cloud to Core Visibility: 16 BILLION web requests a day; 600 BILLION email messages a day; 18.5 BILLION endpoint malware queries a day
  • 4. Professional Appearance •  Talos discovered email campaign •  Began shortly after Windows 10 release Windows 10 Spam
  • 6. Simple But Effective Resume Spam Campaign •  Pretends to be employee resume •  Short-lived and Effective •  Includes Zip file attachment
  • 8. Tax Scams Gone International
  • 9. Overview •  9 Different Countries •  English & 3 Other Languages •  Occurring year round •  Attacks •  HTML Forms & Malicious Attachments •  Links to Malicious Sites Tax Scams Gone International
  • 10. One Campaign Spanning 3 Countries US, UK & Canada
  • 11. Common Subjects: “Claim your tax refund”; “You are eligible to receive a tax refund”; “Tax Refund Notification Australian Taxation Office tax refund confirmation!”; “Tax Refund New Message Alert!”; “Tax Refund (Ref # 782167) - $687.00 CDN”; “Tax Refund (Ref # 782167) 687.00 GBP”; “Tax Refund (Ref# 782167) $687.00 USD”; “Tilbagebetaling af skat - DKK 7122,00”; “Skatteåterbäring: 6120.20 SEK”; “Rimborso fiscale per 2014-2015”
  • 12. Interesting IRS Twists IRS Forgiving Debt? Your Identity was Stolen
  • 13. Impersonating Tax Seminars (Sample Subjects): “IRS: Tax and Payroll Updates for 2016”; “Reminder: Annual Tax Update”; “Handling Federal and State Tax Levies With Ease. Register Now!”
  • 14. Attacking SSH Servers SSHPsychos •  Brute Force SSH Attacks until password guess •  300K Unique Passwords •  Login from different address space •  Drop DDoS Rootkit on server •  Accounted for 1/3 of all SSH Traffic ON THE INTERNET SSH Brute Force Attempts
  • 15. Collaborating with Level 3 SSHPsychos ACTION TAKEN: •  Engaged Level 3… and other providers •  Sudden Pivot •  Null Routed •  Call to Action •  Effectively Limited
  • 16. VICTORY After Action •  Multiple Pivots •  Continuous Blocks •  Group Effort •  Eventually They Stopped
  • 18. Drive-by Download Attacks •  The act of downloading something unintentionally, usually malicious •  No need to click to download •  Malvertising is a common vector
  • 20. Malvertising •  Content varies by system •  Content varies by user •  Content varies by visit
  • 21. Lots of Noise: CNN, 26 Domains, 39 Hosts, 171 Objects, 557 Connections
  • 22. What is an exploit kit? •  A software package designed to exploit vulnerable browsers and plugins •  Blackhole was the first major exploit kit
  • 23. Monetization of Hacking There are three main payload types: •  Ransomware •  Cryptowall, Teslacrypt •  Click-fraud agents •  Bedep •  Miscellaneous •  trojans, keyloggers, spyware
  • 24. Taking a Close Look •  Deep Data Analytics July 2015 •  Telemetry from compromised users •  ~1000 Sandbox Runs •  July 2015 •  Angler Underwent several URL Changes •  Multiple “Hacking Team” 0-Days added •  Ended with tons of data
  • 25. Detection Challenges •  Hashes •  Found 3,000+ Unique Hashes •  6% in VT •  Most detection <10 •  Encrypted Payloads •  Using Diffie-Hellman Encryption for IE Exploit •  Unique to each user •  Domain Behavior •  DDNS •  Domain Shadowing •  Adversary Owned Domains •  Hard Coded IP
  • 26. Exploit Details: “Hacking Team” Adobe Flash 0days CVE-2015-5119, CVE-2015-5122; IE 10 and 11 JScript9 Memory Corruption Vulnerability CVE-2015-2419; IE OLE Vulnerability CVE-2014-6332; Adobe Flash CVE-2014-6332; Silverlight
  • 29. IP Address / ASN Relationship Angler HTTP Requests by Provider July 2015
  • 30. Shutting Down the Source •  Partnered with Limestone Networks •  Angler Infrastructure •  Level-3 •  Magnitude and Scale •  Collaborated with OpenDNS •  Visibility into DNS Infrastructure
  • 33. Potential Revenue To play with the numbers, please visit: http://talosintel.com/angler-exposed/
  • 34. CryptoWall Version 4 The Evolution Continues
  • 35. Overview (CryptoWall 4.0) •  Notorious ransomware •  Version 1 first seen in 2014 •  Distributed via Exploit Kits and Phishing Emails •  Fast Evolution
  • 36. File Encryption: Temp. AES256 key. Directory listing: 15/10/07 12:39 <DIR> . ; 15/10/07 12:39 <DIR> .. ; 15/10/07 12:36 78,971 1.jpg ; 15/10/07 12:39 154,330 2.jpg ; 15/10/07 12:36 123,240 3.jpg … Diagram: 1.jpg + RSA public key -> random.xyz (Encrypted AES256 key, Other data, Encrypted 1.jpg). Temporary AES key can only be decrypted with the private RSA key
  • 37. Network Communication (diagram, CryptoWall Malware and Command and Control Server lanes): Initial announcement to C2 -> C2 Server ACK -> Request PubKey, TOR domains, PNG wallpaper -> Send PubKey, TOR domains, PNG wallpaper -> Verify PubKey and start encrypting files … -> Operation successful. Files encrypted. Done. -> C2 Server ACK
  • 38. Excluded Local Regions •  CryptoWall 4 checks local region settings with an undocumented API Call •  Following regions are excluded from infections: •  Russian •  Kazakh •  Ukrainian •  Uzbek •  Belarusian •  Azeri •  Armenian •  … other Eastern Europe countries
  • 39. Excluded Dir/Files/Ext. Extensions: exe, dll, pif, scr, sys, msi, msp, com, hta, cpl, msc, bat, cmd, scf. Directories: windows, temp, cache, sample pictures, default pictures, Sample Music, program files, program files (x86), games, sample videos, user account pictures, packages. Files: help_your_files.txt, help_your_files.html, help_your_files.png, thumbs.db
  • 40. Victims View – Full Localization
  • 42. SamSam: The Doctor Will See You, After He Pays The Ransom
  • 43. SamSam Targets Healthcare •  Exploits JBoss Vulnerability •  Moves Laterally •  Targeted Across Organization •  Used recently against multiple hospitals
  • 47. Summary •  Exploiting Network Vulnerabilities •  JBoss •  Laterally targets multiple systems •  Payment is in Bitcoin •  Obtain Private Key via Blog Comment
  • 48. Smoke & Mirrors Rombertik •  Multiple layers of obfuscation •  Hooks into user’s browser to read credentials & other sensitive info •  Propagates via spam and phishing
  • 49. Hard to Detect. Rombertik, Anti-analysis (1): User downloads packed executable. Packed executable performs excessive activity to flood tracing tools. Performs series of checks to make sure environment is safe for it to proceed in. Decrypts unpacking shellcode to memory and executes. ACTION TAKEN: •  Identify malware •  Encourage best security practices •  AMP, CWS, ESA, Network Security, WSA
  • 50. Hard to Kill. Rombertik, Persistence (2): Checks to see if executable is in desired location, copies to desired location if not. Launches copy from desired location. Decrypts executable (unpacking shellcode). Executable launches self again and overwrites new copy with unpacked executable code. Preparation is complete.
  • 51. Software Integrity & Nasty Surprises. Rombertik, Malicious Behavior (3): Unpacked executable computes 32 bit hash from resource, compares values. If values do not match, encrypt and wipe victim’s data. If values match, inject spy code into web browsers. Send intercepted data to web server.
  • 52. Angler Exploit Kit Evolves Again •  Parameter Changes: •  New Gate •  Registered Domains
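Detection logic for the SSHPsychos pattern described on slide 14 (a burst of failed password guesses against an account, followed by a successful login that arrives from a different address space), added here as an example; it is not code from the deck or from Talos. The sshd log format, the host name, the failure threshold and window, and treating a different /16 as "different address space" are all assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Pattern for the two sshd auth events this detector cares about (assumed syslog layout).
EVENT = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                   r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")

def parse(lines, year=2016):
    """Yield (timestamp, outcome, user, source_ip) for every matching sshd line."""
    for line in lines:
        m = EVENT.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {year}", "%b %d %H:%M:%S %Y")
            yield ts, m.group(2), m.group(3), m.group(4)

def analyze(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag guessing sources and successes that follow a failure burst; a success is
    marked foreign_source=True when it comes from a different /16 than the guesser."""
    failures = defaultdict(list)        # user -> [(ts, src), ...]
    per_source = defaultdict(int)       # src -> failed attempts seen
    alerts = []
    for ts, outcome, user, src in parse(lines):
        if outcome == "Failed":
            failures[user].append((ts, src))
            per_source[src] += 1
            continue
        recent = [s for t, s in failures[user] if ts - window <= t <= ts]
        if len(recent) >= threshold:
            guess_src = max(set(recent), key=recent.count)   # most active guessing host
            same_block = ip_address(src) in ip_network(f"{guess_src}/16", strict=False)
            alerts.append({"user": user, "login_src": src, "guess_src": guess_src,
                           "failures": len(recent), "foreign_source": not same_block})
    brute = sorted(s for s, n in per_source.items() if n >= threshold)
    return {"bruteforce_sources": brute, "suspicious_logins": alerts}

# Constructed sample log: one host hammers root, then root logs in from an
# unrelated network; alice's ordinary login has no prior failures and stays quiet.
SAMPLE_LOG = [
    f"Mar  5 10:00:{i:02d} bastion sshd[{200+i}]: Failed password for root "
    f"from 203.0.113.10 port {40000+i} ssh2" for i in range(8)
] + [
    "Mar  5 10:03:15 bastion sshd[231]: Accepted password for root from 198.51.100.7 port 50001 ssh2",
    "Mar  5 10:05:00 bastion sshd[240]: Accepted password for alice from 192.0.2.5 port 50002 ssh2",
]
if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```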