Malware Threats in our Cyber Infrastructure

13th April 2013
Hotel Royal Ambarukmo Yogyakarta
Yogyakarta, Indonesia
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI

AGENDA
   About me
   Malware History
   Malware Current Attack
   Malware Profiles
   Botnet
   Botnet Takedown
   Summary
Faculty of Engineering and IT      2
Malware History
   What is Malware?
         Stands for Malicious Software
   Early Days
         Viruses or Trojans
   Today
         Viruses, worms, backdoors, Trojans, keyloggers,
         password stealers, script viruses, rootkits, macro
         viruses, spyware or even adware.

Malware History
   1970’s
         Experimental replicating programs (Creeper & Reaper)
   Early 1980’s
         From thesis to real virus …
   Late 1980’s
         From Apple II virus to first Internet worm …
   Early 1990’s
         Polymorphic viruses to first macro viruses
   Late 1990’s
         DOS 16-bit viruses to Melissa worm …
   Early 2000’s
         I LOVE YOU virus to MyDOOM (fastest spreading worm)
   Late 2000’s
         First ever Mac OS X malware to rogue AV to Conficker worm
   2010 – now
         Stuxnet to banking Trojans to Android malware
   From 2004 till now …
         From Symbian-based malware to Android malware

Recent Malware Attack
   South Korean TV Broadcaster and Banks attack
   The Attack Process

Recent Malware Attack
   Attack started on 20 March 2013 at 2:20 pm
         Three broadcasters, KBS, MBC and YTN, hit
         Three banks, (제주은행) Jeju, (농협생명) Nonghyup
         (Bank and Insurance) and (신한은행) Shinhan, hit
         Knocked offline after PCs were infected by data-deleting
         malware (from a server update in the network)
   Check for existing remote management tools

Recent Malware Attack
   Target:
         Corrupt the Master Boot Record (MBR) as well as
         the Volume Boot Record (VBR)
         Check time
         Kill 2 popular anti-virus software products
         Reboot → system unusable

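The slide above describes a wiper that overwrites the MBR and VBR and then reboots the machine. As an added example (not code from the original presentation), the Python below shows the checks a responder can run on a 512-byte boot sector pulled from a disk image: presence of the 0x55AA boot signature, an all-zero or repeated-pattern overwrite, a count of sane partition-table entries, and comparison against a known-good SHA-256 baseline recorded before the incident. The sample sectors are constructed inside the code; the `WIPEDOUT` fill string is an illustrative assumption, not the pattern used by the real malware.

```python
"""Boot-sector integrity checks for the MBR/VBR wiping behaviour described above.

Added example, not code from the original presentation. The sample sectors are
constructed here; the "WIPEDOUT" fill is an illustrative assumption, not the
pattern used by the real malware.
"""
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"        # last two bytes of a valid MBR or VBR
PARTITION_TABLE_OFFSET = 446        # four 16-byte entries precede the signature
VALID_STATUS = {0x00, 0x80}         # partition status byte: inactive / bootable


def build_sample_mbr():
    """Construct a plausible MBR: a short boot stub padded with NOPs, one
    bootable partition entry (type 0x07, start LBA 2048, 1 GiB of sectors),
    three empty entries and the 0x55AA signature."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]).ljust(
        PARTITION_TABLE_OFFSET, b"\x90")
    entry = (bytes([0x80]) + b"\x20\x21\x00"            # status, CHS start
             + bytes([0x07]) + b"\xfe\xff\xff"          # type, CHS end
             + (2048).to_bytes(4, "little")             # LBA start
             + (2097152).to_bytes(4, "little"))         # sector count
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


def inspect_sector(sector, baseline_sha256=None):
    """Return findings for one 512-byte sector.

    signature_ok      - ends with 0x55AA
    all_zero          - every byte is zero (a plain wipe)
    repeated_pattern  - the first 8 bytes repeat through the whole sector
                        (an overwrite with a fill string; all-zero also qualifies)
    partition_entries - non-empty partition-table entries with a sane status byte
    matches_baseline  - SHA-256 equals a known-good hash taken before the incident,
                        or None when no baseline was supplied
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    digest = hashlib.sha256(sector).hexdigest()
    table = sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64]
    entries = [table[i:i + 16] for i in range(0, 64, 16)]
    return {
        "sha256": digest,
        "signature_ok": sector[-2:] == BOOT_SIGNATURE,
        "all_zero": not any(sector),
        "repeated_pattern": sector[:8] * (SECTOR_SIZE // 8) == sector,
        "partition_entries": sum(1 for e in entries if any(e) and e[0] in VALID_STATUS),
        "matches_baseline": (digest == baseline_sha256) if baseline_sha256 else None,
    }


def classify(sector, baseline_sha256=None):
    """Collapse the findings into one verdict: 'wiped', 'modified' or 'intact'."""
    f = inspect_sector(sector, baseline_sha256)
    if f["all_zero"] or f["repeated_pattern"] or not f["signature_ok"]:
        return "wiped"
    if f["matches_baseline"] is False:
        return "modified"        # still boots, but not the sector we recorded
    return "intact"


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = inspect_sector(good)["sha256"]     # record this at install time
    for name, sec in [("original", good),
                      ("zeroed", b"\x00" * SECTOR_SIZE),
                      ("fill pattern", b"WIPEDOUT" * (SECTOR_SIZE // 8)),
                      ("patched stub", good[:16] + b"\xcc" + good[17:])]:
        print("%-13s %s" % (name, classify(sec, baseline)))
```

Recording the baseline hash at build time and rechecking it from boot media or an endpoint agent gives the earliest signal; the signature and fill-pattern checks still work on a machine for which no baseline was ever taken.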
Recent Malware Attack
   Malware involved:
         File Name: ApcRunCmd_DB4BBDC36A78A8807AD9B15A562515C4.exe
         MD5: db4bbdc36a78a8807ad9b15a562515c4
         File Type: Win32 EXE

         File Name: OthDown.exe
         MD5: 5fcd6e1dace6b0599429d913850f0364
         File Type: Win32 EXE

         File Name: AmAgent.exe
         MD5: 5fcd6e1dace6b0599429d913850f0364
         File Type: Win32 EXE

         File Name: vti-rescan.exe
         MD5: 9263e40d9823aecf9388b64de34eae54
         File Type: Win32 EXE
   Malware Samples: http://contagiodump.blogspot.nl/2013/03/darkseoul-jokra-mbr-wiper-samples.html

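The slide above lists the samples by file name and MD5. As an added example (not part of the original slides), the Python below turns that list into a simple sweep: it hashes every file under a directory and reports the ones matching the listed MD5s, keyed on the hash rather than the file name, because two of the listed names carry the same hash and a renamed copy must still be caught. The directory tree built by `make_sample_tree` is constructed for the demonstration and its marker content is not a real sample; its hash is added to the IOC set only to exercise the matching path.

```python
"""Sweep a directory tree for files whose MD5 matches the sample hashes listed
on the slide.

Added example, not code from the original presentation. The sample directory
built by make_sample_tree() is constructed for the demonstration.
"""
import hashlib
import os
import tempfile

# Hashes from the slide, lower-cased. OthDown.exe and AmAgent.exe share one
# hash, so the set holds three distinct values.
KNOWN_BAD_MD5 = {
    "db4bbdc36a78a8807ad9b15a562515c4",  # ApcRunCmd_DB4BBDC36A78A8807AD9B15A562515C4.exe
    "5fcd6e1dace6b0599429d913850f0364",  # OthDown.exe / AmAgent.exe
    "9263e40d9823aecf9388b64de34eae54",  # vti-rescan.exe
}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so large binaries need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, bad_hashes=KNOWN_BAD_MD5):
    """Return a sorted list of (relative_path, md5) for files whose hash is in bad_hashes.
    Matching is by content only: the file name is reported but never trusted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if digest in bad_hashes:
                hits.append((os.path.relpath(path, root), digest))
    return sorted(hits)


def make_sample_tree():
    """Construct a throwaway tree: the same marker bytes under two different
    names (one of them the slide's AmAgent.exe) plus one benign file.
    Returns (root, md5 of the marker) so the caller can add that hash to the
    IOC set; the marker is NOT a real sample."""
    root = tempfile.mkdtemp(prefix="ioc_scan_")
    marker = b"constructed stand-in for a wiper binary\n"
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "AmAgent.exe"), "wb") as f:
        f.write(marker)
    with open(os.path.join(root, "sub", "renamed.bin"), "wb") as f:
        f.write(marker)            # same bytes, different name: still caught
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign file\n")
    return root, hashlib.md5(marker).hexdigest()


if __name__ == "__main__":
    root, marker_md5 = make_sample_tree()
    for rel, digest in scan_tree(root, KNOWN_BAD_MD5 | {marker_md5}):
        print("HIT %s  %s" % (digest, rel))
```

MD5 is used here only because that is what the slide publishes; when you build your own IOC set, record SHA-256 alongside it, since a hash-only match inherits whatever the sharing source chose.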
Recent Malware Attack
   According to McAfee (see references), the malware samples
   used existing malware found in the wild in August and
   October 2012 as a template to develop the new malware
   It has new capabilities:
         MBR-killing
         Killing 2 popular anti-virus products
   NEW sample vs. OLD sample (comparison figure)

BOTNET

Botnet – What is it?
   What is Botnet?

Botnet – Stats
   What is Botnet?
   Source: 2013 GLOBAL THREAT INTELLIGENCE REPORT (GTIR)

Botnet – Underground
   Botnet Underground
   Source: http://goo.gl/Vq30r
   Source: FireEye on Botnet Grum

Botnet Evolution
   1st:
         • Centralized C & C Server
         • IRC-based communication
   2nd:
         • P2P C & C Server
         • IRC C & C server
   3rd:
         • HTTP-based C & C
         • P2P C & C Server
   4th:
         • Encrypted communication
         • P2P C & C

Botnet C&C Evolution
   Two most common methods of C&C:
         Central control C&C
         P2P network
   Central C&C server
   P2P network
         E.g. Kelihos Botnet
   Kelihos infections
   TOR-based C&C

Botnet Evolution & Takedown

Declining Botnets
   Source: McAfee Q4 2012 Report

Botnets Alive Today
   Source: McAfee Q4 2012 Report

New Botnets

Botnet – Some stats

Third Largest Botnet Takedown
   Code name: Grum Botnet
   Impact Size: 18% of SPAM volumes (18 billion SPAM a day)
   C & C: Panama & Netherlands
   Takedown: Tuesday, 12 July 2012
   Alive again: Thursday, 14 July 2012 (C&C: Russia)
   Difficulty of takedown: 2 (on a scale of 1 to 5)

Grum Botnet Characteristics
   C&C Servers:
         Primary C&C for configuration files and initial registration
         Secondary C&C for spam-related activities
   Hard-coded IP addresses (instead of domain names)
   Infected machines segmented across different C&C servers
   No fallback mechanism if the primary and secondary C&C are down

Grum Botnet (cont.)
   Conversation with Primary C&C
   Conversation with Secondary C&C

Grum Botnet (cont.)
   IP address       Type        Geo Location         Status (as of July 6 2012)
   190.123.46.91    Master      PANAMA               Active
   190.123.46.92    Master      PANAMA               Suspended or abandoned
   91.239.24.251    Master      RUSSIAN FEDERATION   Active
   94.102.51.226    Secondary   NETHERLANDS          Active
   94.102.51.227    Secondary   NETHERLANDS          Active
   94.102.51.228    Secondary   NETHERLANDS          Suspended or abandoned
   94.102.51.229    Secondary   NETHERLANDS          Suspended or abandoned
   94.102.51.230    Secondary   NETHERLANDS          Suspended or abandoned

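The table above gives Grum's hard-coded C&C addresses and their tiers. As an added example (not from the original slides), the Python below matches outbound-connection log lines against that table and triages internal hosts by which tier they contacted, following the slides' own split between primary (registration and configuration) and secondary (spam) servers. The log format and the lines in `SAMPLE_LOG` are constructed for the demonstration; the 10.0.5.x hosts and 203.0.113.10 are placeholder addresses.

```python
"""Match outbound-connection log lines against the Grum C&C table and triage
internal hosts by the tier they contacted.

Added example, not part of the original slides. The log format and the lines
in SAMPLE_LOG are constructed; 10.0.5.x and 203.0.113.10 are placeholders.
"""
import re
from collections import defaultdict

# The slide's table: C&C address -> (tier, location, status as of 6 July 2012)
GRUM_C2 = {
    "190.123.46.91": ("Master", "PANAMA", "Active"),
    "190.123.46.92": ("Master", "PANAMA", "Suspended or abandoned"),
    "91.239.24.251": ("Master", "RUSSIAN FEDERATION", "Active"),
    "94.102.51.226": ("Secondary", "NETHERLANDS", "Active"),
    "94.102.51.227": ("Secondary", "NETHERLANDS", "Active"),
    "94.102.51.228": ("Secondary", "NETHERLANDS", "Suspended or abandoned"),
    "94.102.51.229": ("Secondary", "NETHERLANDS", "Suspended or abandoned"),
    "94.102.51.230": ("Secondary", "NETHERLANDS", "Suspended or abandoned"),
}

# Constructed format: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)

# Constructed sample: one host registers with two masters and then hits a
# spam server, one host only reaches a (blocked) spam server, one is clean.
SAMPLE_LOG = """\
2012-07-06T09:12:01Z 10.0.5.17:49211 -> 190.123.46.91:80 TCP ALLOW
2012-07-06T09:12:04Z 10.0.5.17:49212 -> 94.102.51.226:80 TCP ALLOW
2012-07-06T09:13:40Z 10.0.5.23:51002 -> 203.0.113.10:443 TCP ALLOW
2012-07-06T09:14:02Z 10.0.5.40:50100 -> 94.102.51.229:80 TCP DENY
malformed line that the parser must skip
2012-07-06T09:15:11Z 10.0.5.17:49213 -> 91.239.24.251:80 TCP ALLOW
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_c2_contacts(log_text):
    """Return {src_ip: {tier: [dst_ip, ...]}} for hosts that reached a listed C&C.
    DENY lines count too: a blocked attempt still means the host is infected."""
    contacts = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in GRUM_C2:
            continue
        tier = GRUM_C2[rec["dst"]][0]
        contacts[rec["src"]][tier].append(rec["dst"])
    return {src: dict(tiers) for src, tiers in contacts.items()}


def triage(contacts):
    """Label each host from the tiers it touched, using the slides' split:
    master = registration/configuration, secondary = spam activity."""
    rows = []
    for src, tiers in contacts.items():
        if "Master" in tiers and "Secondary" in tiers:
            label = "confirmed bot (registration + spam C&C)"
        elif "Master" in tiers:
            label = "likely fresh infection (master only)"
        else:
            label = "spam activity (secondary only)"
        rows.append((src, label))
    return sorted(rows)


if __name__ == "__main__":
    for host, label in triage(find_c2_contacts(SAMPLE_LOG)):
        print("%-12s %s" % (host, label))
```

Because Grum relied on a handful of hard-coded addresses with no fallback (the weak points the slides list), a destination-IP match like this one is enough to find and isolate its bots; a domain-based or P2P botnet would need DNS and peer-traffic analysis instead.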
Grum Botnet - Lesson Learned
   Strong Points:
         C&C servers are located in countries whose governments have
         historically been reluctant to act on abuse notifications
         Servers are scattered across multiple data centers
         Botnet divided into segments (bad part for takedown: unless all
         C&C are dead, the botnet is still alive)
   Weak Points:
         No fallback mechanism → C&C dead, no connection possible
         Handful of hard-coded IP addresses
         Data centers easily identified (easy to deal with)
         Small segments, so individual segments die easily

Grum Botnet - Lesson Learned
   Summarized strategy to take down a botnet
         Research which C&C architecture they are using
         Intelligence on real-time traffic
         Takedown methodology
         24/7 surveillance
         Actual takedown
         Surprises will come – be prepared
         Post-takedown activities

Bamital – Botnet Takedown
   Method: Click Fraud
   Users search for pornographic web sites
   Then users are directed to these web sites:
   Downloaded Bamital Trojan
   These “random” web sites (pseudo-randomly generated)
   serve the exploit packs:

Summary
   We have seen how malware has evolved with more and more
   advanced and sophisticated methods
   The tasks are very challenging …
   Research in malware is in huge demand …
   We need to work together …

Other Security Events
   13-15 May 2013     ACAD-CSIRT in Bali
   19-20 June 2013    Honeynet Indonesia Chapter Workshop 2013, Jakarta
   18 Sept 2013       Cloud Security Alliance Summit, Jakarta

References
   http://blogs.mcafee.com/mcafee-labs/an-overview-of-messaging-botnets
   http://www.fireeye.com/blog/technical/botnet-activities-research/2012/07/grum-botnet-no-longer-safe-havens.html
   http://voices.washingtonpost.com/securityfix/pushdo.htm
   http://voices.washingtonpost.com/securityfix/2009/06/ftc_sues_shuts_down_n_calif_we.html
   http://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html
   http://www.securelist.com/en/blog/208193438/FAQ_Disabling_the_new_Hlux_Kelihos_Botnet
   https://www.brighttalk.com/webcast/7451/53071
   http://www.tripwire.com/state-of-security/it-security-data-protection/cyber-security/south-korean-attack-malware-analysis/
   http://download.bitdefender.com/resources/files/Main/file/Malware_History.pdf
   http://blogs.mcafee.com/mcafee-labs/south-korean-banks-media-companies-targeted-by-destructive-malware
   http://www.sophos.com/en-us/threat-center/threat-monitoring/malware-dashboard.aspx
   http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx
   http://www.virusradar.com/

Thank You

Weitere ähnliche Inhalte

Ähnlich wie Malware threats in our cyber infrastructure

Virus ,Worms and steganography
Virus ,Worms and steganographyVirus ,Worms and steganography
Virus ,Worms and steganographyAnkit Negi
 
Synopsis viva presentation
Synopsis viva presentationSynopsis viva presentation
Synopsis viva presentationkirubavenkat
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worriesUltraUploader
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...IRJET Journal
 
Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The BotmasterIJERA Editor
 
Ids 006 computer worms
Ids 006 computer wormsIds 006 computer worms
Ids 006 computer wormsjyoti_lakhani
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)INSIGHT FORENSIC
 
The Dynamite of Next Generation (Y) Attack
The Dynamite of Next Generation (Y) AttackThe Dynamite of Next Generation (Y) Attack
The Dynamite of Next Generation (Y) AttackPrathan Phongthiproek
 
Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Aniq Eastrarulkhair
 
Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)sadique_ghitm
 
Understanding the Botnet Phenomenon
Understanding the Botnet PhenomenonUnderstanding the Botnet Phenomenon
Understanding the Botnet PhenomenonDr. Amarjeet Singh
 
“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”iosrjce
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniquesijsrd.com
 
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24
 

Ähnlich wie Malware threats in our cyber infrastructure (20)

BotNet Attacks
BotNet AttacksBotNet Attacks
BotNet Attacks
 
Virus ,Worms and steganography
Virus ,Worms and steganographyVirus ,Worms and steganography
Virus ,Worms and steganography
 
Synopsis viva presentation
Synopsis viva presentationSynopsis viva presentation
Synopsis viva presentation
 
Botnet
BotnetBotnet
Botnet
 
Bot software spreads, causes new worries
Bot software spreads, causes new worriesBot software spreads, causes new worries
Bot software spreads, causes new worries
 
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
Detecting Victim Systems In Client Networks Using Coarse Grained Botnet Algor...
 
Tracing Back The Botmaster
Tracing Back The BotmasterTracing Back The Botmaster
Tracing Back The Botmaster
 
Ids 006 computer worms
Ids 006 computer wormsIds 006 computer worms
Ids 006 computer worms
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)(120715) #fitalk   the era of cyber sabotage and warfare (case study - stuxnet)
(120715) #fitalk the era of cyber sabotage and warfare (case study - stuxnet)
 
The Dynamite of Next Generation (Y) Attack
The Dynamite of Next Generation (Y) AttackThe Dynamite of Next Generation (Y) Attack
The Dynamite of Next Generation (Y) Attack
 
Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1
 
Bots and Botnet
Bots and BotnetBots and Botnet
Bots and Botnet
 
Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)Detecting HTTP Botnet using Artificial Immune System (AIS)
Detecting HTTP Botnet using Artificial Immune System (AIS)
 
Understanding the Botnet Phenomenon
Understanding the Botnet PhenomenonUnderstanding the Botnet Phenomenon
Understanding the Botnet Phenomenon
 
“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”“Design and Detection of Mobile Botnet Attacks”
“Design and Detection of Mobile Botnet Attacks”
 
A Survey of Botnet Detection Techniques
A Survey of Botnet Detection TechniquesA Survey of Botnet Detection Techniques
A Survey of Botnet Detection Techniques
 
Conficker worm
Conficker wormConficker worm
Conficker worm
 
Botnet Architecture
Botnet ArchitectureBotnet Architecture
Botnet Architecture
 
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
Outpost24 webinar - Winning the cybersecurity race with predictive vulnerabil...
 

Kürzlich hochgeladen

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 

Kürzlich hochgeladen (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Malware threats in our cyber infrastructure

  • 1. Malware Threats in our Cyber Infrastructure 13th April 2013 Hotel Royal Ambarukmo Yogyakarta Yogyakarta, Indonesia Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
  • 2. AGENDA About me Malware History Malware Current Attack Malware Profiles Botnet Botnet Takedown Summary Faculty of Engineering and IT 2
  • 3. Malware History What is Malware? Stand for Malicious Software Early Days Viruses or Trojan Today Viruses, worms, backdoors, Trojans, keyloggers, password stealers, script viruses, rootkits, macro viruses, spyware or even adware. Faculty of Engineering and IT 3
  • 4. Malware History 1970’s Experimental replicating program (Creeper &Reaper) Faculty of Engineering and IT 4
  • 5. Malware History Early 1980’s From thesis to real virus … Faculty of Engineering and IT 5
  • 6. Malware History Late 1980’s From Apple II virus to First Internet Worm … Faculty of Engineering and IT 6
  • 7. Malware History Early 1990’s Polymorphic Viruses to First Macro viruses Faculty of Engineering and IT 7
  • 8. Malware History Late 1990’s DOS 16-bit viruses to Melissa Worm … Faculty of Engineering and IT 8
  • 9. Malware History Early 2000’s I LOVE YOU virus to MyDOOM (fastest spreading worm) Faculty of Engineering and IT 9
  • 10. Malware History Late 2000’s First ever Mac OS X malware to rogue AV to conficker worm Faculty of Engineering and IT 10
  • 11. Malware History 2010 – now Stuxnet to Banking Trojan to Android Malware Faculty of Engineering and IT 11
  • 12. Malware History From 2004 till now … From Symbian based malware to Android Malware Faculty of Engineering and IT 12
  • 13. Recent Malware Attack South Korean TV Broadcaster and Banks attack Faculty of Engineering and IT 13
  • 14. Recent Malware Attack The Attack Process Faculty of Engineering and IT 14
  • 15. Recent Malware Attack Attack started on 20 March 2013 at 2:20 pm Three broadcaster KBS, MBC and YTN hit Three banks (제주은행) Jeju, (농협생명) Nonghyup (Bank and Insurance) and (신한은행) Shinhan hit knocked offline after PCs were infected by data- deleting malware (from server update in the network) Faculty of Engineering and IT 15
  • 16. Recent Malware Attack Check for existing remote management tools Faculty of Engineering and IT 16
  • 17. Recent Malware Attack Target: To corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VMR) Kills 2 popular anti virus software Reboot system unusable Faculty of Engineering and IT 17
  • 18. Recent Malware Attack Target: To corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VMR) Check time Kills 2 popular anti virus software Reboot system unusable Faculty of Engineering and IT 18
  • 19. Recent Malware Attack Malware involved: File Name: ApcRunCmd_DB4BBDC36A78A8807AD9B15A562515C4.exe MD5: db4bbdc36a78a8807ad9b15a562515c4 File Type: Win32 EXE File Name: OthDown.exe MD5: 5fcd6e1dace6b0599429d913850f0364 File Type: Win32 EXE File Name: AmAgent.exe MD5: 5fcd6e1dace6b0599429d913850f0364 File Type: Win32 EXE File Name: vti-rescan.exe MD5: 9263e40d9823aecf9388b64de34eae54 File Type: Win32 EXE Malware Samples: http://contagiodump.blogspot.nl/2013/03/darkseoul-jokra-mbr- wiper-samples.html Faculty of Engineering and IT 19
  • 20. Recent Malware Attack According to Mcafee (refer to reference), the malware samples used the existing malware found in August and October 2012 in the wild as a template to develop new malware It has a new capability: MBR-killing 2 Popular Anti Virus-killing NEW sample OLD sample Faculty of Engineering and IT 20
• 22-24. Botnet – What is it?
    What is Botnet?
• 25. Botnet – Stats
    Source: 2013 GLOBAL THREAT INTELLIGENCE REPORT (GTIR)
• 26. Botnet – Underground
    Botnet Underground
    Source: http://goo.gl/Vq30r
• 27. Botnet – Underground
    Botnet Underground
    Source: FireEye on the Grum botnet
• 28. Botnet Evolution
    (Figure: 1st to 4th generation; labels as extracted: Centralized C&C server, IRC-based communication, P2P C&C server, IRC C&C server, HTTP-based C&C, P2P C&C server, Encrypted communication, P2P C&C)
• 29. Botnet C&C Evolution
    Two most common methods of C&C:
        Central control: central C&C server
        P2P network
• 30. Botnet C&C Evolution (cont.)
    P2P network, e.g. Kelihos botnet
• 31. Botnet C&C Evolution (cont.)
    Kelihos infections
• 32. Botnet C&C Evolution (cont.)
    TOR-based C&C
• 33. Botnet Evolution & Takedown
• 34. Botnet Evolution & Takedown
• 35. Declining Botnets
    Source: McAfee Q4 2012 Report
• 36. Botnets Alive Today
    Source: McAfee Q4 2012 Report
• 37. New Botnets
• 38. Botnet – Some stats
• 39. Third Largest Botnet Takedown
    Code name: Grum Botnet
    Impact size: 18% of SPAM volumes (18 billion SPAM a day)
    C&C: Panama & Netherlands
    Takedown: Tuesday, 12 July 2012
    Alive again: Thursday, 14 July 2012 (C&C: Russia)
    Difficulty of takedown: 2 (scale 1 to 5)
• 40. Grum Botnet Characteristics
    C&C servers:
        Primary C&C for configuration files and initial registration
        Secondary C&C for spam-related activities
    Hard-coded IP addresses (instead of domain names)
    Infected machines segmented across different C&C servers
    No fallback mechanism if the primary and secondary C&C are down
• 41. Grum Botnet Characteristics
• 42. Grum Botnet (cont.)
    Conversation with primary C&C
• 43. Grum Botnet (cont.)
    Conversation with secondary C&C
• 44. Grum Botnet (cont.)
    IP address      Type       Geo Location        Status (as of July 6 2012)
    190.123.46.91   Master     PANAMA              Active
    190.123.46.92   Master     PANAMA              Suspended or abandoned
    91.239.24.251   Master     RUSSIAN FEDERATION  Active
    94.102.51.226   Secondary  NETHERLANDS         Active
    94.102.51.227   Secondary  NETHERLANDS         Active
    94.102.51.228   Secondary  NETHERLANDS         Suspended or abandoned
    94.102.51.229   Secondary  NETHERLANDS         Suspended or abandoned
    94.102.51.230   Secondary  NETHERLANDS         Suspended or abandoned
• 45. Grum Botnet - Lesson Learned
    Strong points:
        C&C servers located in countries whose governments have historically been reluctant to act on abuse notifications
        Servers scattered across multiple data centers
        Botnet divided into segments (bad for defenders: unless every C&C is dead, the botnet is still alive)
    Weak points:
        No fallback mechanism: once the C&C is dead, no connection is possible
        Only a handful of hard-coded IP addresses
        Data centers easily identified (easy to deal with)
        Small segments, so individual segments die easily
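Slides 40, 44 and 45 together give a defender something concrete: Grum bots talked to a handful of hard-coded C&C addresses, a primary for registration and a secondary for spam, so outbound connections to those addresses identify infected hosts. The added example below (written for this page, not code from the deck or from the FireEye analysis it cites) matches constructed firewall log lines against the address table from slide 44 and ranks internal hosts that reached both a master and a secondary server, the pattern slide 40 describes. The log format is a hypothetical `timestamp src:port -> dst:port action` export; the addresses are the 2012 values from the slide and are used only as an illustration of IoC matching, not as a current blocklist.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Grum C&C addresses, roles and status exactly as listed on slide 44 (as of 6 July 2012).
GRUM_CC: Dict[str, Dict[str, str]] = {
    "190.123.46.91": {"role": "Master", "geo": "Panama", "status": "Active"},
    "190.123.46.92": {"role": "Master", "geo": "Panama", "status": "Suspended or abandoned"},
    "91.239.24.251": {"role": "Master", "geo": "Russian Federation", "status": "Active"},
    "94.102.51.226": {"role": "Secondary", "geo": "Netherlands", "status": "Active"},
    "94.102.51.227": {"role": "Secondary", "geo": "Netherlands", "status": "Active"},
    "94.102.51.228": {"role": "Secondary", "geo": "Netherlands", "status": "Suspended or abandoned"},
    "94.102.51.229": {"role": "Secondary", "geo": "Netherlands", "status": "Suspended or abandoned"},
    "94.102.51.230": {"role": "Secondary", "geo": "Netherlands", "status": "Suspended or abandoned"},
}

# Hypothetical firewall export: "<timestamp> <src>:<sport> -> <dst>:<dport> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)

# Constructed sample lines, not a real capture; one line is deliberately malformed.
SAMPLE_LOG = """\
2012-07-06T10:01:02Z 10.0.0.5:51234 -> 190.123.46.91:80 ALLOW
2012-07-06T10:01:05Z 10.0.0.5:51235 -> 94.102.51.226:80 ALLOW
2012-07-06T10:02:10Z 10.0.0.7:40222 -> 93.184.216.34:443 ALLOW
2012-07-06T10:03:44Z 10.0.0.9:44512 -> 94.102.51.229:80 DENY
this line is not in the expected format
2012-07-06T10:04:00Z 10.0.0.5:51240 -> 91.239.24.251:80 ALLOW
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into its fields, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_cc_contacts(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed line whose destination is a known Grum C&C address."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in GRUM_CC:
            continue
        cc = GRUM_CC[rec["dst"]]
        hits.append({"ts": rec["ts"], "host": rec["src"], "cc": rec["dst"],
                     "action": rec["action"], **cc})
    return hits


def hosts_by_role(hits: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count, per internal host, how many master and secondary C&C contacts were seen."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: {"Master": 0, "Secondary": 0})
    for h in hits:
        counts[h["host"]][h["role"]] += 1
    return dict(counts)


def prioritize(hits: List[Dict[str, str]]) -> List[str]:
    """Hosts that reached both a master and a secondary C&C: registration plus spam activity."""
    counts = hosts_by_role(hits)
    return sorted(host for host, c in counts.items() if c["Master"] and c["Secondary"])


if __name__ == "__main__":
    found = find_cc_contacts(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["host"]} -> {h["cc"]} ({h["role"]}, {h["geo"]}, {h["action"]})')
    print("hosts to triage first:", prioritize(found))
```

A DENY line is still reported: the attempt itself is the evidence of infection, and a blocked connection to a suspended server only means the bot has not been cleaned, which is exactly the "no fallback mechanism" weakness slide 45 notes.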
• 46. Grum Botnet - Lesson Learned
    Summarized strategy to take down a botnet:
        Research which C&C architecture they are using
        Intelligence on real-time traffic
        Takedown methodology
        24/7 surveillance
        Actual takedown: surprises will come, be prepared
        Post-takedown activities
• 47. Bamital – Botnet Takedown
    Method: click fraud
• 48. Bamital – Botnet Takedown
    Users search for a pornographic web site, then are directed to these web sites, which download the Bamital Trojan
• 49. Bamital – Botnet Takedown
    These "random" (pseudo-randomly generated) web sites serve the exploit packs:
• 50. Summary
    We have seen how malware has evolved with more and more advanced and sophisticated methods
    The tasks are very challenging …
    Research in malware is in huge demand …
    We need to work together …
• 51. Other Security Events
    13-15 May 2013: ACAD-CSIRT in Bali
    19-20 June 2013: Honeynet Indonesia Chapter Workshop 2013, Jakarta
    18 Sept 2013: Cloud Security Alliance Summit, Jakarta
• 52. References
    http://blogs.mcafee.com/mcafee-labs/an-overview-of-messaging-botnets
    http://www.fireeye.com/blog/technical/botnet-activities-research/2012/07/grum-botnet-no-longer-safe-havens.html
    http://voices.washingtonpost.com/securityfix/pushdo.htm
    http://voices.washingtonpost.com/securityfix/2009/06/ftc_sues_shuts_down_n_calif_we.html
    http://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html
    http://www.securelist.com/en/blog/208193438/FAQ_Disabling_the_new_Hlux_Kelihos_Botnet
    https://www.brighttalk.com/webcast/7451/53071
• 53. References
    http://www.tripwire.com/state-of-security/it-security-data-protection/cyber-security/south-korean-attack-malware-analysis/
    http://download.bitdefender.com/resources/files/Main/file/Malware_History.pdf
    http://blogs.mcafee.com/mcafee-labs/south-korean-banks-media-companies-targeted-by-destructive-malware
• 54. References
    http://www.sophos.com/en-us/threat-center/threat-monitoring/malware-dashboard.aspx
    http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx
    http://www.virusradar.com/