Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]

1. Insights of a brute-forcing botnet Veronica Valeros Cognitive Threat Analytics Cisco Systems, Czech Republic

2. About me Malware Researcher Cognitive Threat Analytics (cognitive.cisco.com) What I do? •  Analysis of network traﬃc •  Behavioral analysis of malware •  Threat categorization •  Malware sandboxing Also: •  Quadcopters, lockpicking, gaming, traveling Twi$er: @verovaleros LinkedIn: /in/veronicavalerossaracho Github: /verovaleros Cisco: blogs.cisco.com/author/valeros

3. Hunting threats:  what do we know about malware?

4. Intelligence gathering Threat identiﬁcation Blogs reports trackers Real traﬃc sandboxing twi$er forums

5. Most of what we know about malware is from 1-5 minutes sandbox executions Most sandbox solutions (1-5 minutes)

6. How does the malware behave after 5 minutes? After 1 hour?

7. There is just one way to know:  to try it.

8. Experiment Setup Gamarue sample Sanboxing environment: •  VirtualBox •  WindowsXP •  No guest additions •  No user interaction •  No hardening measures for   VM-aware malware

9. Infection Overview

10. Gamarue C&C CharacterisEcs: •  HTTP Based C&C •  HTTP POST requests •  Encrypted data sent/received •  Custom User-Agent “Mozilla/4.0” •  Contacted C&C servers: •  okiijlijlili.eu •  w4gvnlw4kjbvrbvshkvbsd.ru •  f34234f234f2sdcsv.info

11. The main C&C is the one in charge of shaping the infection scenario

12. The main C&C is the one in charge of shaping the infection scenario X X X X X X X X X X X X X = no change on the behavior of the botnet New malware 9583ad7f17aa0d63a48aac802d08a7e

13. Brute-forcing botnet behavior 1.  Obtain a list of target WordPress sites to attempt to login from the C&C server. 2.  Attempt to login to the next site on the list with chosen credentials in order to gain access. 3.  If the login attempt was successful, report it to the C&C server. 4.  If the login attempt was unsuccessful, iterate from step 2) until exhausting the targets.

14. Brute-forcing C&C requests (1) REPORT STATUS http://g.commandocenter.ru/default.aspx ?guid=dca94d1f- f7eb-487f-ad24- 923cd1b4f946&gate=1&good=- 1&bad=0&unlucky=1&ip=&fn= (2) RETRIEVE TARGETS http://g.commandocenter.ru/ﬁles/2/9d753bd0-33a5- 46ac-841d-f99d9ace3446.txt (3) SEND SUCCESS DATA http://g.commandocenter.ru/col.aspx ?t=wp b&g=1&gid=1

15. Brute-forcing C&C: report status

16. Brute-forcing C&C: retrieve targets

17. Brute-forcing C&C: send successful data

18. Brute-forcing C&C overview REPORT STATUS RETRIEVE TARGETS SEND SUCCESS DATA

19. +86k custom passwords used techno sciento biblioteka wroclaw media momb biblioteca teens cafe benessere playground helena guide mullion-shop albers-wende svenska-spelautomater survivalb raumklimadecke dana capavle bondage bibliotheque modeistanbul virgulina svenskaspelautomater stephanierhea ravenna playgroundmusic pierrederoche pierre svet guidedtherapy galaktika enﬂick dajuroka teentalk charlesmyrick businesscoaching business advertising advertise zorgverzekering xmarkstheearth xlgirls williampopp williammillsagency teens-generation tausend-moeglichkeiten sverigemastareiseo2011 surveyquest socialanna sochy-14 shawnewbank shawkeller scienceofsexy rgb rautenstrauch playguitar ohiohypnosiscenter modedesign-studium mode-estah mode-b modculture merkur mediacube mediaclipsaustralia mediabiz-group marihuana

20. Highly aggressive botnet: thousands of targets attempted per day

21. +160k attempted logins    23 success cases

22. 1 bot  Every 7000 sites, 1 success  1 access every ~3.5 hours  6 accessed sites per day

23. Not a targeted attack: well distributed

24. Conclusions •  Running malware for long term periods is worth trying. •  Realistic sandbox environment is vital: without internet access we wouldn’t discovered this behavior. •  The weakest link in security are still humans. •  Education is the only long term solution.

25. Questions? Veronica Valeros vvaleros@cisco.com Cognitive Threat Analytics Cisco Systems, Czech Republic

26. Thank you.

27. Cisco Cognitive Threat Analytics (CTA) is a cloud-based breach detection and analytics technology focused on discovering novel and emerging threats by identifying C&C activity of malware. CTA processes web access logs from the Cisco Cloud Web Security (CWS), Cisco Web Security Appliance (WSA), or 3rd party web proxies such as Blue Coat ProxySG. CTA reduces time to discovery (TTD) of threats operating inside the network. It addresses gaps in perimeter-based defenses by identifying the symptoms of a malware infection or data breach using behavioral analysis and anomaly detection. The technology relies on advanced statistical modeling and machine learning to independently identify new threats, while constantly learning from what it sees and adapting over time. Through additional careful correlation, CTA presents 100% conﬁrmed breaches to keep security teams focused on the particular devices that require a remediation. Focusing on C&C activity detection, CTA addresses a security visibility gap by discovering threats that may have entirely bypassed web as an infection vector (infections delivered through email, infected USB stick, BYOD). About Cisco Cognitive Threat Analytics

Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]

Du liest eine Vorschau.

Hier ansehen

Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]

Weitere Verwandte Inhalte

Diashows für Sie (20)

Andere mochten auch (20)

Ähnlich wie Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO] (20)

Weitere von Security Session (20)

Aktuellste (20)