Insights of a brute-forcing botnet / VERONICA VALEROS [CISCO]
The smallest element in a botnet is a bot. The behavior of a bot can change dynamically based on the decisions of the botmaster. Botnets are driven by profit, so bots are expected to be profitable; if they do not meet that goal, they can be instructed to switch behavior to serve a better purpose. The aim of this talk is to present a detailed analysis of a network traffic capture from a machine originally infected by a Gamarue variant. The analysis uncovers the behavior of the bot from the initial infection, through an inactivity period, to the delivery of new payloads and the subsequent switch in the bot's behavior. Additionally, we present details on a barely known new botnet capable of performing horizontal brute-forcing of WordPress-based websites.

  1. Insights of a brute-forcing botnet. Veronica Valeros, Cognitive Threat Analytics, Cisco Systems, Czech Republic
  2. About me. Malware Researcher, Cognitive Threat Analytics (cognitive.cisco.com). What I do: analysis of network traffic; behavioral analysis of malware; threat categorization; malware sandboxing. Also: quadcopters, lockpicking, gaming, traveling. Twitter: @verovaleros; LinkedIn: /in/veronicavalerossaracho; Github: /verovaleros; Cisco: blogs.cisco.com/author/valeros
  3. Hunting threats: what do we know about malware?
  4. Intelligence gathering and threat identification. Sources: blogs, reports, trackers, Twitter, forums; real traffic; sandboxing.
  5. Most of what we know about malware comes from 1-5 minute sandbox executions (most sandbox solutions run a sample for 1-5 minutes).
  6. How does the malware behave after 5 minutes? After 1 hour?
  7. There is just one way to know: to try it.
  8. Experiment setup. Gamarue sample. Sandboxing environment: VirtualBox; Windows XP; no guest additions; no user interaction; no hardening measures against VM-aware malware.
  9. Infection overview.
  10. Gamarue C&C characteristics: HTTP-based C&C; HTTP POST requests; encrypted data sent/received; custom User-Agent "Mozilla/4.0". Contacted C&C servers: okiijlijlili.eu, w4gvnlw4kjbvrbvshkvbsd.ru, f34234f234f2sdcsv.info
  11. The main C&C is the one in charge of shaping the infection scenario.
  12. The main C&C is the one in charge of shaping the infection scenario (timeline; X = no change in the behavior of the botnet). New malware: 9583ad7f17aa0d63a48aac802d08a7e
  13. Brute-forcing botnet behavior: 1. Obtain from the C&C server a list of target WordPress sites to attempt to log in to. 2. Attempt to log in to the next site on the list with the chosen credentials. 3. If the login attempt succeeded, report it to the C&C server. 4. If the login attempt failed, repeat from step 2 with the next site until the list of targets is exhausted.
  14. Brute-forcing C&C requests. (1) REPORT STATUS: http://g.commandocenter.ru/default.aspx?guid=dca94d1f-f7eb-487f-ad24-923cd1b4f946&gate=1&good=-1&bad=0&unlucky=1&ip=&fn= (2) RETRIEVE TARGETS: http://g.commandocenter.ru/files/2/9d753bd0-33a5-46ac-841d-f99d9ace3446.txt (3) SEND SUCCESS DATA: http://g.commandocenter.ru/col.aspx?t=wp b&g=1&gid=1
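The loop on slide 13 and the three request types on slide 14 give a defender two things to look for in web-proxy logs: a client that beacons to the g.commandocenter.ru endpoints (status report, target list, success report), and a client that POSTs to wp-login.php on many distinct hosts with only one or two attempts each (horizontal, not vertical, brute-forcing). The Python below is an added example written for this page, not code from the talk or from Cisco CTA. The log format, the client addresses, the target site names and the `t=wpb` value (the slide prints it as `t=wp b`) are constructed assumptions; the three C&C URL shapes are taken from slide 14.

```python
"""Detect the brute-forcing bot's C&C beaconing and its horizontal login spraying
from proxy-style access logs. Added example; not the talk's or CTA's code."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

CC_HOST = "g.commandocenter.ru"  # C&C host seen in the capture on slide 14

# Constructed sample log: "<timestamp> <client_ip> <method> <url> <http_status>".
# The three C&C URLs follow slide 14; the wp-login.php targets and clients are made up.
# 10.0.0.5 is the bot; 10.0.0.9 is a user mistyping a password on a single site.
SAMPLE_LOG = """\
2016-03-01T10:00:00Z 10.0.0.5 GET http://g.commandocenter.ru/default.aspx?guid=dca94d1f-f7eb-487f-ad24-923cd1b4f946&gate=1&good=-1&bad=0&unlucky=1&ip=&fn= 200
2016-03-01T10:00:02Z 10.0.0.5 GET http://g.commandocenter.ru/files/2/9d753bd0-33a5-46ac-841d-f99d9ace3446.txt 200
2016-03-01T10:00:05Z 10.0.0.5 POST http://site-a.example/wp-login.php 200
2016-03-01T10:00:06Z 10.0.0.5 POST http://site-a.example/wp-login.php 200
2016-03-01T10:00:07Z 10.0.0.5 POST http://site-b.example/wp-login.php 200
2016-03-01T10:00:08Z 10.0.0.5 POST http://site-c.example/wp-login.php 200
2016-03-01T10:00:09Z 10.0.0.5 POST http://site-d.example/wp-login.php 200
2016-03-01T10:00:10Z 10.0.0.5 POST http://site-e.example/wp-login.php 302
2016-03-01T10:00:11Z 10.0.0.5 POST http://site-f.example/wp-login.php 200
2016-03-01T10:00:12Z 10.0.0.5 GET http://g.commandocenter.ru/col.aspx?t=wpb&g=1&gid=1 200
2016-03-01T10:00:13Z 10.0.0.9 GET http://news.example/index.html 200
2016-03-01T10:00:14Z 10.0.0.9 POST http://blog.example/wp-login.php 200
2016-03-01T10:00:15Z 10.0.0.9 POST http://blog.example/wp-login.php 200
2016-03-01T10:00:16Z 10.0.0.9 POST http://blog.example/wp-login.php 200
2016-03-01T10:00:17Z 10.0.0.9 POST http://blog.example/wp-login.php 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        events.append({"ts": ts, "client": client, "method": method,
                       "url": url, "status": int(status)})
    return events


def classify_cc_request(url):
    """Map a URL to one of the three C&C request types from slide 14, or None."""
    u = urlsplit(url)
    if u.hostname != CC_HOST:
        return None
    q = parse_qs(u.query, keep_blank_values=True)
    if u.path == "/default.aspx" and "guid" in q:
        return "report_status"
    if u.path.startswith("/files/") and u.path.endswith(".txt"):
        return "retrieve_targets"
    if u.path == "/col.aspx":
        return "send_success"
    return None


def parse_status_report(url):
    """Extract the bot id and its gate/good/bad/unlucky counters from a status report."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    counters = {k: int(q[k][0]) for k in ("gate", "good", "bad", "unlucky") if k in q}
    return {"guid": q.get("guid", [""])[0], **counters}


def find_horizontal_bruteforce(events, min_sites=5, max_per_site=3):
    """Flag clients that POST to wp-login.php on many distinct hosts with few tries each.
    Many tries against one host (a forgotten password) is vertical and is not flagged."""
    per_client = defaultdict(lambda: defaultdict(int))
    for e in events:
        u = urlsplit(e["url"])
        if e["method"] == "POST" and u.path.endswith("/wp-login.php"):
            per_client[e["client"]][u.hostname] += 1
    flagged = {}
    for client, hosts in per_client.items():
        if len(hosts) >= min_sites and max(hosts.values()) <= max_per_site:
            flagged[client] = sorted(hosts)
    return flagged


def analyze(log_text):
    """Return the C&C request sequence per client, parsed status reports and spray hits."""
    events = parse_log(log_text)
    cc = defaultdict(list)
    for e in events:
        kind = classify_cc_request(e["url"])
        if kind:
            cc[e["client"]].append(kind)
    return {
        "cc_sequence": dict(cc),
        "status_reports": [parse_status_report(e["url"]) for e in events
                           if classify_cc_request(e["url"]) == "report_status"],
        "horizontal_bruteforce": find_horizontal_bruteforce(events),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the sample log the bot client shows the full report-status, retrieve-targets, send-success sequence and is flagged for spraying six hosts with at most two attempts each, while the client hammering one blog four times is left alone. The `min_sites` and `max_per_site` thresholds are tuning knobs; the slide's figures (thousands of targets per day, one success per ~7000 sites) suggest real bots sit far above any sensible threshold.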
  15. Brute-forcing C&C: report status.
  16. Brute-forcing C&C: retrieve targets.
  17. Brute-forcing C&C: send successful data.
  18. Brute-forcing C&C overview: REPORT STATUS, RETRIEVE TARGETS, SEND SUCCESS DATA.
  19. +86k custom passwords used. Sample: techno, sciento, biblioteka, wroclaw, media, momb, biblioteca, teens, cafe, benessere, playground, helena, guide, mullion-shop, albers-wende, svenska-spelautomater, survivalb, raumklimadecke, dana, capavle, bondage, bibliotheque, modeistanbul, virgulina, svenskaspelautomater, stephanierhea, ravenna, playgroundmusic, pierrederoche, pierre, svet, guidedtherapy, galaktika, enflick, dajuroka, teentalk, charlesmyrick, businesscoaching, business, advertising, advertise, zorgverzekering, xmarkstheearth, xlgirls, williampopp, williammillsagency, teens-generation, tausend-moeglichkeiten, sverigemastareiseo2011, surveyquest, socialanna, sochy-14, shawnewbank, shawkeller, scienceofsexy, rgb, rautenstrauch, playguitar, ohiohypnosiscenter, modedesign-studium, mode-estah, mode-b, modculture, merkur, mediacube, mediaclipsaustralia, mediabiz-group, marihuana
  20. Highly aggressive botnet: thousands of targets attempted per day.
  21. +160k attempted logins; 23 success cases.
  22. 1 bot: every ~7000 sites, 1 success; 1 access every ~3.5 hours; 6 accessed sites per day.
  23. Not a targeted attack: well distributed.
  24. Conclusions: Running malware for long periods is worth trying. A realistic sandbox environment is vital: without internet access we wouldn't have discovered this behavior. The weakest link in security is still humans. Education is the only long-term solution.
  25. Questions? Veronica Valeros, vvaleros@cisco.com, Cognitive Threat Analytics, Cisco Systems, Czech Republic
  26. Thank you.
  27. About Cisco Cognitive Threat Analytics. Cisco Cognitive Threat Analytics (CTA) is a cloud-based breach detection and analytics technology focused on discovering novel and emerging threats by identifying C&C activity of malware. CTA processes web access logs from Cisco Cloud Web Security (CWS), the Cisco Web Security Appliance (WSA), or third-party web proxies such as Blue Coat ProxySG. CTA reduces time to discovery (TTD) of threats operating inside the network. It addresses gaps in perimeter-based defenses by identifying the symptoms of a malware infection or data breach using behavioral analysis and anomaly detection. The technology relies on advanced statistical modeling and machine learning to independently identify new threats, while constantly learning from what it sees and adapting over time. Through additional careful correlation, CTA presents 100% confirmed breaches to keep security teams focused on the particular devices that require remediation. By focusing on C&C activity detection, CTA addresses a security visibility gap by discovering threats that may have entirely bypassed the web as an infection vector (infections delivered through email, an infected USB stick, or BYOD).