Cyber threats – The reality
Ramon Vicens & Victor Acin, StHack 2015
March 2015
root [~]# crontab -l
05 14 27 3 4 wall "Cybercrime: Modus Operandi"
10 14 27 3 4 wall "Botnets Overview"
30 14 27 3 4 wall "How to deal with these threats"
Cyber Crime: Modus Operandi
root [~]# wall Cybercrime
What’s the current landscape?
• Malware Botnets
– Point of Sales (POS)
– Trojan bankers
– Credential Stealers
– Ransomware
root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Pre-attack
– The attacker looks for possible targets and obtains any information he needs
– He also:
• Weaponizes an application or common software
• Weaponizes a web application
• Nowadays you can acquire a great variety of bundles or kits:
– Free kits like SET
– Paid kits like the Rock Phish kit, and others...
root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Attackers working together to industrialize cybercrime:
– Use of forums and marketplaces to rent or sell services
– Service bundles
• Creation of different deployment and weaponization kits:
– Spam kits
– Phishing kits
root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Attack
– The attacker launches a campaign to infect the victims
• Via mail
• Contracting the services of other attackers
• Using deployment kits
root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Commonly, the users are infected via a mailing campaign:
root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Once the user has taken the bait, the attacker uses a weaponized web application or file to infect the machine:
root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• This web application or file might be generated by a popular exploit kit.
• Nuclear Pack
– Updated with the latest Flash vulnerability
• Black Hole, Armitage, CrimePack, Eleonore, Firepack…
root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Post-attack
– The malware communicates with the C&C to download the config file
– Begins the exfiltration of data to an exfiltration server.
Botnets overview
root [~]# wall Botnet Overview
POS – I want to steal your credit cards
• Most active POS malware:
– Dexter
– JackPOS
– Soraya
– Backoff
– BrutPOS
– ChewBacca
– Decebal
– RawPOS
• Common features:
– Very targeted to POS systems (searching for installed software and applications)
– Process memory scraping
• Credit card Track 1 and Track 2 detection
• Regex card detection
– Luhn validation
– Keylogger
– Exfiltration via FTP and HTTP
root [~]# wall Botnet Overview
POS – A glance at JackPOS
• JackPOS infection flow:
– Infection: installs at %APPDATA%
– Sets an autostart registry key and drops a watchdog
• The watchdog checks if JackPOS is running on the system. If it isn’t, it spawns a new JackPOS process.
– Spawns the JackPOS process
• JackPOS spawns with names used by Java processes: jusched.exe, javaw.exe, etc.
– Begins memory scraping
• Using the CreateToolhelp32Snapshot method, JackPOS scrapes memory from the different processes.
– Searches for CC data
• JackPOS searches for CC data using pattern-matching methods, grabbing cards only from specific issuers.
– Exfiltrates the data
root [~]# wall Botnet Overview
POS– A glance at JackPos
• JackPOS data extraction (POST fields):
– mac → MAC address, used as a unique identifier
– &t1 → base64-encoded Track 1 data
– &t2 → base64-encoded Track 2 data
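Added example (not from the slides, nor JackPOS or Blueliv code): a Python checker a SOC could run over a captured HTTP POST body in the mac/t1/t2 layout above to confirm it really carries card data, using the Track 1/Track 2 patterns and the Luhn check listed under the POS common features. The sample body and test PAN are constructed, and the track-layout regexes are my assumptions based on ISO/IEC 7813.

```python
import base64
import re
from urllib.parse import parse_qs, quote

# Magnetic-stripe track layouts (ISO/IEC 7813, assumed here):
#   Track 1 = %B<PAN>^<NAME>^<YYMM>...?     Track 2 = ;<PAN>=<YYMM>...?
# PANs are 13-19 digits.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four only; a SOC report must not carry full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def decode_field(value: str) -> str:
    """Base64-decode one bot field. If the bot did not URL-encode the body,
    '+' arrives as ' ' after form decoding, so undo that; also tolerate
    stripped '=' padding. Returns '' for undecodable input."""
    raw = value.replace(" ", "+")
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw).decode("latin-1")
    except ValueError:          # binascii.Error is a ValueError subclass
        return ""


def analyse_exfil_body(body: str) -> dict:
    """Parse a JackPOS-style POST body (mac=<id>&t1=<b64>&t2=<b64>) and report
    the track records it carries and whether each PAN passes Luhn."""
    params = parse_qs(body, keep_blank_values=True)
    report = {"mac": params.get("mac", [""])[0], "track1": [], "track2": [],
              "verdict": "benign-looking"}

    for m in TRACK1_RE.finditer(decode_field(params.get("t1", [""])[0])):
        pan, name, exp = m.groups()
        report["track1"].append({"pan": mask(pan), "name": name,
                                 "expiry": exp, "luhn": luhn_valid(pan)})
    for m in TRACK2_RE.finditer(decode_field(params.get("t2", [""])[0])):
        pan, exp = m.groups()
        report["track2"].append({"pan": mask(pan), "expiry": exp,
                                 "luhn": luhn_valid(pan)})

    records = report["track1"] + report["track2"]
    if any(r["luhn"] for r in records):
        report["verdict"] = "card data exfiltration"
    elif records:
        report["verdict"] = "track-like data, failed Luhn"
    return report


# Constructed sample (not captured traffic): a well-known Luhn-valid test PAN,
# plus a second Track 2 record whose check digit was corrupted.
_T1 = "%B4111111111111111^DOE/JOHN^25121010000000000000?"
_T2 = ";4111111111111111=25121010000000000?;4111111111111112=25121010000000000?"
SAMPLE_BODY = "mac=00:11:22:33:44:55&t1={}&t2={}".format(
    quote(base64.b64encode(_T1.encode()).decode()),
    quote(base64.b64encode(_T2.encode()).decode()),
)

if __name__ == "__main__":
    print(analyse_exfil_body(SAMPLE_BODY))
```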
root [~]# wall Botnet Overview
POS – Steal your credit cards
• The C&C:
root [~]# wall Botnet Overview
Trojan Bankers – I want to steal your money
• Common Features
– Steal Cookies, Certs and Passwords
• Keylogger
• Form HTTP/S grabbing
• Screenshots
– Search for local files
– Inject into system process
– Man In The Browser
• HTTP / Socks Proxy
• WebInjects
• Automatic Transfer Systems (ATS)
– DGA
• Most Active Bankers:
– Zeus
– Citadel
– Shylock
– Gozi
– Cridex / Feodo / Dridex
– Sinowal / Torpig
– Dyre
root [~]# wall Botnet Overview
Trojan Bankers – I want to steal your money
• What is a DGA?
• Domain Generation Algorithm: the bot computes candidate C&C domain names from a seed such as the current date instead of hard-coding them, so taking down a single domain does not cut it off
• Many samples are using it: Zeus P2P, Dyre, Shylock, …
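Added example, not from the slides: a heuristic DGA detector in Python that scores the core label of each queried name (length, entropy, vowel and digit ratios, consonant runs) and counts, per source host, NXDOMAIN answers for DGA-like names, since a bot cycling through generated domains burns many failed lookups before it hits its live C&C. The resolver log format and the sample lines are constructed, and the trait thresholds are assumptions.

```python
import math
from collections import Counter

VOWELS = set("aeiou")


def core_label(domain: str) -> str:
    """Label left of the TLD (assumes single-label TLDs; a real deployment
    would consult the Public Suffix List for co.uk-style suffixes)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; generated labels approach log2(alphabet size)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_non_vowel_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def dga_score(domain: str) -> int:
    """Count how many DGA-typical traits the core label shows (thresholds are
    assumed; short vowel-less brand names will score as false positives)."""
    label = core_label(domain)
    n = len(label)
    if n == 0:
        return 0
    traits = [
        n >= 12,
        shannon_entropy(label) >= 3.5,
        sum(ch in VOWELS for ch in label) / n < 0.25,
        sum(ch.isdigit() for ch in label) / n > 0.2,
        longest_non_vowel_run(label) >= 4,
    ]
    return sum(traits)


def is_dga_like(domain: str, threshold: int = 2) -> bool:
    return dga_score(domain) >= threshold


def find_dga_hosts(log_lines, min_hits: int = 3) -> dict:
    """Per source host, count NXDOMAIN answers for DGA-like names and return
    the hosts at or above min_hits. Assumed log line format (constructed):
    '<timestamp> <src_ip> <qname> <rcode>'."""
    hits = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, qname, rcode = parts
        if rcode == "NXDOMAIN" and is_dga_like(qname):
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= min_hits}


# Constructed resolver log: 10.0.0.5 behaves like a DGA bot, 10.0.0.9 does not.
SAMPLE_DNS_LOG = [
    "2015-03-27T14:12:01 10.0.0.5 xkqzpwvtrlmbd.com NXDOMAIN",
    "2015-03-27T14:12:02 10.0.0.5 q7f2m9x1k4p0.net NXDOMAIN",
    "2015-03-27T14:12:03 10.0.0.5 bankofamerica.com NOERROR",
    "2015-03-27T14:12:03 10.0.0.5 wpslzrkvjtnqm.biz NXDOMAIN",
    "2015-03-27T14:12:05 10.0.0.9 google.com NOERROR",
    "2015-03-27T14:12:06 10.0.0.9 mail.yahoo.com NOERROR",
]

if __name__ == "__main__":
    print(find_dga_hosts(SAMPLE_DNS_LOG))
```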
root [~]# wall Botnet Overview
Trojan Bankers – A glance at Dyre
• Dyre infection flow:
– Spam → Victim: Dyre infects the victims and injects itself into different processes
– Malicious installer → Persistence
– Basic sysinfo exfiltration → Configuration download
– Browser injection → Wait for bank connection
– MiTM → Bank info exfiltration and redirection to the real bank website
• Dyre – Data Exfiltration:
Request to the C&C
root [~]# wall Botnet Overview
Trojan Bankers – A glance at Dyre
• Dyre – Decrypting C&C communications:
root [~]# wall Botnet Overview
Trojan Bankers – A glance at Dyre
• Dyre configs (snipped):
– Trigger URLs
– “Auth Key” for the redirect
root [~]# wall Botnet Overview
Credential Stealers – I want your passwords
• Most active stealers:
– Pony
– Carbon Grabber
– Betabot
• Common features:
– Keylogger
– Targets software in order to steal its credential vaults (FTP, SSH, Telnet clients, etc.)
– Targets browsers’ vaults
– HTTP/S interception
root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• Pony infection flow:
– Infection
– Pony obtains the list of users on the system and tries to log in with a dictionary attack.
– Am I SYSTEM?
• Yes → proceed to steal credentials
• No → proceed to steal the current user’s credentials, then try to log in as another user
– Post credentials to the C&C
root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• PONY – C&C Communication:
root [~]# wall Botnet Overview
Credential Stealers– A glance at Pony
• PONY Control Panel:
• gate.php
• PHP script that processes all incoming traffic from bots: decryption and unpacking of HTTP POSTs.
• includes/password_modules.php
• Contains an array of all the software it tries to steal credentials for
• The malware can crack or decrypt quite complex passwords stored in various forms
• includes/database.php
• Contains the DB schema and accessors
root [~]# wall Botnet Overview
Credential Stealers– A glance at Pony
• PONY Control Panel – Password Modules:
Demo: Pony Builder
How do we deal with this?
root [~]# wall Fighting back the current threats
• Traditional solutions aren’t enough anymore
• Organizations need to combine their internal knowledge with external intelligence
(Diagram: internal knowledge + external intelligence → protection)
root [~]# wall Fighting back the current threats
• Information that can be gathered in the wild
– C&C servers
– Exfiltration servers
– Bot IPs
– Domain reputation
– Malware sample information
– And a lot more
• How can we gather all that data?
root [~]# wall Fighting back the current threats
• The most effective technique is analysing samples:
root [~]# wall Fighting back the current threats
• Once you have harvested data from the samples, you can feed it to a SIEM
root [~]# wall Kicking bad guys’ asses
• Cyber threats are very much like an organism, mutating and improving with time
• And so we must evolve with them. We think that the future is to build collaborative models
– Sharing information is the key
– The cybercriminals build communities where they share information, and so must we
– Only by collaborating will we be able to keep up with new threats
root [~]# wall Kicking bad guys’ asses
• At Blueliv, we’re providing a free API with information about malicious servers
https://map.blueliv.com
Demo: Free Tracker API
https://map.blueliv.com
https://github.com/BluelivSecurity
THANK YOU
www.blueliv.com
info@blueliv.com
@blueliv
linkedin.com/company/blueliv
community@blueliv.com

Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"

root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• This web application or file might be the product of a popular exploit kit:
• Nuclear Pack
– Updated with the latest Flash vulnerability
• Black Hole, Armitage, CrimePack, Eleonore, Firepack…
root [~]# wall Cybercrime
Distribution - Infection Vectors & Cyber Kill Chain
• Post-attack
– The malware contacts the C&C to download its configuration file
– It then begins exfiltrating data to an exfiltration server
root [~]# wall Botnet Overview
POS – I want to steal your credit cards
• Most active POS families:
– Dexter
– JackPOS
– Soraya
– Backoff
– BrutPOS
– ChewBacca
– Decebal
– RawPOS
• Common features:
– Highly targeted at POS systems (they check for installed POS software and applications)
– Process memory scraping
• Detection of credit card Track 1 and Track 2 data
• Regex-based card detection
– Luhn validation to discard false positives
– Keylogger
– Exfiltration via FTP and HTTP
root [~]# wall Botnet Overview
POS – A glance at JackPOS
• JackPOS infection chain:
– Infection: installs itself under %APPDATA% and sets an autostart registry key
– Drops a watchdog: the watchdog checks whether JackPOS is running on the system and, if it isn't, spawns a new JackPOS process
– Spawns the JackPOS process under names used by Java processes (jusched.exe, javaw.exe, …)
– Begins memory scraping: using CreateToolhelp32Snapshot, JackPOS enumerates the running processes and scrapes their memory
– Searches for credit cards with pattern matching, grabbing only cards from specific issuers
– Exfiltrates the data
root [~]# wall Botnet Overview
POS – A glance at JackPOS
• JackPOS data extraction (fields of the exfiltration request):
– mac → MAC address, used as the unique identifier of the bot
– &t1 → base64-encoded Track 1 data
– &t2 → base64-encoded Track 2 data
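The two pieces above (regex track detection filtered by Luhn, and the mac/t1/t2 exfiltration fields) as one worked example. This is added code written for this page, not JackPOS code or anything from the talk: the field names and the base64 encoding of the tracks are the ones the slide gives, while the beacon being a urlencoded POST body, the sample values (the well-known Visa test PAN 4111111111111111, a fake cardholder name) and the fake memory snapshot are constructed assumptions.

```python
"""Decode a JackPOS-style exfiltration body and scrape a memory snapshot for track data.

Added example, not JackPOS code. Field names mac/t1/t2 and base64 tracks follow the
slide; the urlencoded body layout and all sample values are constructed.
"""
import base64
import re
from urllib.parse import parse_qs, urlencode

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test: the cheap filter scrapers use to drop regex false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so a detection tool never stores full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(track: str):
    """Parse a Track 1 or Track 2 string; None if it is not card data or fails Luhn."""
    m = TRACK1_RE.search(track)
    if m:
        pan, name, yy, mm, svc, _ = m.groups()
        kind = "t1"
    else:
        m = TRACK2_RE.search(track)
        if not m:
            return None
        pan, yy, mm, svc, _ = m.groups()
        name, kind = None, "t2"
    if not luhn_valid(pan):
        return None
    return {"track": kind, "pan_masked": mask_pan(pan), "name": name,
            "expiry": f"20{yy}-{mm}", "service_code": svc}


def scan_memory(buf: bytes) -> list:
    """What the scraper does after CreateToolhelp32Snapshot: regex over a process memory
    snapshot (constructed here), keeping only Luhn-valid hits."""
    text = buf.decode("latin-1")
    hits = []
    for regex in (TRACK1_RE, TRACK2_RE):
        for m in regex.finditer(text):
            parsed = parse_track(m.group(0))
            if parsed:
                hits.append(parsed)
    return hits


def decode_beacon(body: str) -> dict:
    """Decode the mac / t1 / t2 fields of an exfiltration POST body."""
    fields = parse_qs(body)
    result = {"mac": fields.get("mac", [""])[0], "cards": []}
    for key in ("t1", "t2"):
        for raw in fields.get(key, []):
            try:
                track = base64.b64decode(raw, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue                    # not base64 / not text: ignore the field
            parsed = parse_track(track)
            if parsed and parsed["track"] == key:
                result["cards"].append(parsed)
    return result


# Constructed samples (test PAN, fake name); not real card data.
SAMPLE_T1 = "%B4111111111111111^DOE/JOHN^25121011234567890?"
SAMPLE_T2 = ";4111111111111111=25121011234567890?"
SAMPLE_BODY = urlencode({
    "mac": "00-11-22-33-44-55",
    "t1": base64.b64encode(SAMPLE_T1.encode()).decode(),
    "t2": base64.b64encode(SAMPLE_T2.encode()).decode(),
})
# A fake memory snapshot: junk, a Luhn-invalid decoy, and the two real tracks.
SAMPLE_MEMORY = (b"\x00\x10junk;1234567890123456=2512101000?\x00"
                 + SAMPLE_T2.encode() + b"\xff\xfe" + SAMPLE_T1.encode())

if __name__ == "__main__":
    print(decode_beacon(SAMPLE_BODY))
    print(scan_memory(SAMPLE_MEMORY))
```

The same two regexes serve both sides: a defender who runs `scan_memory` over a dump from a till, or `decode_beacon` over a captured POST, can confirm that card data is leaving without ever writing a full PAN to disk.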
root [~]# wall Botnet Overview
POS – I want to steal your credit cards
• The C&C: (figure)
root [~]# wall Botnet Overview
Trojan Bankers – I want to steal your money
• Common features:
– Steal cookies, certificates and passwords
• Keylogger
• HTTP/S form grabbing
• Screenshots
– Search for local files
– Injection into system processes
– Man in the Browser
• HTTP / SOCKS proxy
• WebInjects
• Automatic Transfer Systems (ATS)
– DGA
• Most active bankers:
– Zeus
– Citadel
– Shylock
– Gozi
– Cridex / Feodo / Dridex
– Sinowal / Torpig
– Dyre
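How the WebInjects item above actually works, as an added example (not code from any banker, nor from the talk). The `set_url` / `data_before` / `data_inject` / `data_after` / `data_end` keywords are the widely documented Zeus webinject format; the matching semantics implemented here are a simplified assumption (`*` is the only wildcard, `data_inject` replaces whatever lies between `data_before` and `data_after`), and the config and login page are constructed.

```python
"""Parse a Zeus-style webinject config and apply it to a login page (man in the browser).

Added example, not banker code. Simplified semantics: '*' is the only wildcard;
data_inject replaces what lies between data_before and data_after.
"""
import fnmatch
import re
from urllib.parse import urlparse

# Constructed config: add a PIN field right after the password input of the target bank.
WEBINJECT_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_inject
<br>ATM PIN: <input type="text" name="pin">
data_end
data_after
data_end
"""

SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text: str) -> list:
    """Turn the config into rules: {url, flags, data_before, data_inject, data_after}."""
    rules, rule, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split()
            rule = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                    **{s: "" for s in SECTIONS}}
            rules.append(rule)
        elif line in SECTIONS:
            section, buf = line, []
        elif line == "data_end" and section and rule is not None:
            rule[section] = "\n".join(buf)
            section = None
        elif section:
            buf.append(line)
    return rules


def _wildcard_to_regex(pattern: str) -> str:
    """'*' matches any run of characters (non-greedy); everything else is literal."""
    return ".*?".join(re.escape(part) for part in pattern.split("*"))


def apply_webinjects(url: str, html: str, rules: list) -> str:
    """Rewrite the page body before the browser renders it: the user sees the injected field
    on the genuine bank page, served over the genuine TLS connection."""
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule["url"]):
            continue
        before = re.search(_wildcard_to_regex(rule["data_before"]), html, re.S)
        if before is None:
            continue
        start = end = before.end()
        if rule["data_after"]:
            after = re.search(_wildcard_to_regex(rule["data_after"]), html[start:], re.S)
            if after is None:
                continue
            end = start + after.start()
        html = html[:start] + rule["data_inject"] + html[end:]
    return html


def targeted_hosts(rules: list) -> list:
    """Defender's view of a dumped config: which hosts the sample goes after."""
    hosts = {urlparse(rule["url"]).hostname for rule in rules}
    return sorted(h for h in hosts if h)


# Constructed login page.
LOGIN_PAGE = ('<form method="post"><input type="text" name="user">'
              '<input type="password" name="pass"><button>Login</button></form>')

if __name__ == "__main__":
    rules = parse_webinjects(WEBINJECT_CONFIG)
    print(targeted_hosts(rules))
    print(apply_webinjects("https://bank.example/login?lang=en", LOGIN_PAGE, rules))
```

The parser is the useful half for an analyst: dumping a sample's config and running `targeted_hosts` over it tells you which banks' customers are at risk before any victim reports a strange PIN field.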
root [~]# wall Botnet Overview
Trojan Bankers – I want to steal your money
• What is a DGA?
• Domain Generation Algorithm: the malware derives its C&C domain names algorithmically (typically from a seed such as the current date) instead of hard-coding them, so taking down one domain does not cut the bots off from their operator
• Many samples use one: Zeus P2P, Dyre, Shylock, …
root [~]# wall Botnet Overview
Trojan Bankers – A glance at Dyre
• Dyre infection chain:
– Spam → victim → malicious installer
– Persistence
– Basic system info exfiltration
– Configuration download
– Browser injection: Dyre injects itself into different processes
– Wait for a bank connection
– MITM: bank info exfiltration, then redirection to the real bank website
• Dyre – data exfiltration: request to the C&C (figure)
• Dyre – decrypting C&C communications (figure)
• Dyre configs (snipped): trigger URLs and the "auth key" for the redirect (figure)
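A worked illustration of the DGA slide above, added here and not taken from the talk. The algorithm below is a hypothetical date-seeded DGA written for this page, not the Zeus P2P, Dyre or Shylock algorithm; the seed, TLD list, domain count and the DNS log lines are constructed. The point it shows is the defender's side: once the algorithm and seed are recovered from a sample, the domains for the coming days can be pre-computed, sinkholed and matched against DNS logs.

```python
"""Illustrative date-seeded DGA plus the defender's pre-computation of its domains.

Added example; hypothetical algorithm, not any real family's. Seed, TLDs, count
and the DNS log are constructed.
"""
import datetime
import hashlib
import string

TLDS = ("com", "net", "org", "info")
SEED = b"constructed-seed"      # in a real family: hard-coded, or fetched from the C&C


def generate_domains(day: datetime.date, count: int = 8, seed: bytes = SEED) -> list:
    """Derive `count` domains for `day`; bot and operator compute the same list."""
    state = hashlib.sha256(seed + day.isoformat().encode()).digest()
    domains = []
    for _ in range(count):
        state = hashlib.sha256(state).digest()              # next pseudo-random block
        length = 10 + state[0] % 6                          # 10..15 character labels
        label = "".join(string.ascii_lowercase[b % 26] for b in state[1:1 + length])
        domains.append(f"{label}.{TLDS[state[-1] % len(TLDS)]}")
    return domains


def build_watchlist(start: datetime.date, days_ahead: int = 2) -> set:
    """Today's and the next days' domains: what you register, sinkhole or block in advance.
    Including days ahead matters because bots and sensors may disagree on the date."""
    return {d for offset in range(days_ahead + 1)
            for d in generate_domains(start + datetime.timedelta(days=offset))}


def flag_dga_queries(log_lines: list, watchlist: set) -> list:
    """Match DNS query logs (constructed layout: '<ts> <client> <qname>') against the watchlist."""
    hits = []
    for line in log_lines:
        _ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()
        if qname in watchlist:
            hits.append((client, qname))
    return hits


TODAY = datetime.date(2015, 3, 27)
TOMORROW = TODAY + datetime.timedelta(days=1)
# Constructed DNS log: two benign lookups and one query for a generated domain.
DNS_LOG = [
    "2015-03-27T14:05:01 10.0.0.5 www.example.com.",
    f"2015-03-27T14:05:02 10.0.0.7 {generate_domains(TODAY)[3]}.",
    "2015-03-27T14:05:03 10.0.0.5 update.example.org.",
]

if __name__ == "__main__":
    print(generate_domains(TODAY))
    print(flag_dga_queries(DNS_LOG, build_watchlist(TODAY)))
```

Without the seed, the only handle a defender has is the shape of the names (long, random-looking labels, many NXDOMAIN answers in a row), which is why recovering the algorithm from the sample is worth the reversing effort.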
root [~]# wall Botnet Overview
Credential Stealers – I want your passwords
• Most active stealers:
– Pony
– Carbon Grabber
– Betabot
• Common features:
– Keylogger
– Target specific software in order to steal its credential vaults (FTP, SSH, Telnet clients, etc.)
– Target the browsers' vaults
– HTTP/S interception
root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• Pony infection flow:
– Infection: Pony obtains the list of users on the system and tries to log in as them with a dictionary attack
– Am I SYSTEM?
• Yes: proceed to steal credentials
• No: proceed to steal the current user's credentials, then try to log in as another user
– Post the credentials to the C&C
root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• Pony – C&C communication (figures)
root [~]# wall Botnet Overview
Credential Stealers – A glance at Pony
• Pony control panel:
– gate.php
• PHP script that processes all incoming traffic from the bots: decryption and unpacking of the HTTP POSTs
– includes/password_modules.php
• Contains the array of all the software it tries to steal credentials for
• The malware can crack or decrypt fairly complex passwords stored in various forms
– includes/database.php
• Contains the DB schema and accessors
• Pony control panel – password modules (figure)
• Pony control panel (figures)
How do we deal with this?
root [~]# wall Fighting back the current threats
• Traditional solutions aren't enough anymore
• Organizations need to combine their internal knowledge with external intelligence (internal + external → protection)
root [~]# wall Fighting back the current threats
• Information that can be gathered in the wild:
– C&C servers
– Exfiltration servers
– Bot IPs
– Domain reputation
– Malware sample information
– And a lot more
• How can we gather all that data?
root [~]# wall Fighting back the current threats
• The most effective technique is analysing samples (figure)
• Once you have harvested data from the samples, you can feed it into a SIEM
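The last two slides (harvest indicators from samples, feed them to a SIEM) as an added worked example; this is not Blueliv's code or the talk's own tooling. The indicator list, the proxy log lines and their layout (`<ts> <src ip> <method> <url> <dst ip> <status>`) are constructed; the output uses ArcSight CEF, which most SIEMs ingest. The part worth seeing is the normalisation step: indicators pulled from configs and sandbox reports come in mixed case, with trailing dots and full URLs, and a feed that skips it silently misses hits.

```python
"""Normalise indicators harvested from sample analysis and match them against proxy logs.

Added example, not Blueliv code. Indicators, log lines and their layout are constructed;
output is CEF so any SIEM can take it as a syslog event.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed indicators of the kinds the slides list: C&C, exfiltration server, bot IP.
INDICATORS = [
    {"type": "domain", "value": "Panel.Example-Bad.TEST.", "tag": "c2", "family": "pony"},
    {"type": "ip", "value": "203.0.113.10", "tag": "exfil", "family": "jackpos"},
    {"type": "url", "value": "http://Drop.example.test/gate.php", "tag": "c2", "family": "pony"},
    {"type": "ip", "value": "198.51.100.23", "tag": "bot", "family": "dyre"},
]


def normalize(ind: dict) -> dict:
    """Canonical form so log fields and indicators compare equal:
    lower-case hosts without trailing dot, parsed IPs, scheme-less host+path for URLs."""
    kind, value = ind["type"], ind["value"].strip()
    if kind == "domain":
        value = value.lower().rstrip(".")
    elif kind == "ip":
        value = str(ipaddress.ip_address(value))     # raises on garbage instead of never matching
    elif kind == "url":
        parsed = urlparse(value.lower())
        value = (parsed.hostname or "") + parsed.path
    return {**ind, "value": value}


def match_proxy_line(line: str, indicators: list) -> list:
    """Return the (normalised) indicators one proxy log line hits: host, destination IP or URL."""
    ts, src, _method, url, dst, _status = line.split()
    parsed = urlparse(url.lower())
    host = (parsed.hostname or "").rstrip(".")
    hits = []
    for ind in indicators:
        kind, value = ind["type"], ind["value"]
        if ((kind == "domain" and host == value)
                or (kind == "ip" and dst == value)
                or (kind == "url" and host + parsed.path == value)):
            hits.append({"ts": ts, "src": src, "dst": dst, "url": url, "indicator": ind})
    return hits


def to_cef(hit: dict) -> str:
    """One CEF event per hit. Pipes in header fields and '=' in extension values are escaped."""
    ind = hit["indicator"]
    header = "|".join(f.replace("\\", "\\\\").replace("|", "\\|")
                      for f in ("Sthack", "IOCMatcher", "1.0", ind["tag"],
                                "Traffic to known " + ind["tag"], "8"))
    request = hit["url"].replace("=", "\\=")
    extension = (f"src={hit['src']} dst={hit['dst']} request={request} "
                 f"cs1Label=indicator cs1={ind['value']} cs2Label=family cs2={ind['family']}")
    return f"CEF:0|{header}|{extension}"


def scan_proxy_log(lines: list, indicators: list) -> list:
    """Normalise once, then emit a CEF event for every hit in the log."""
    norm = [normalize(i) for i in indicators]
    return [to_cef(h) for line in lines for h in match_proxy_line(line, norm)]


# Constructed proxy log: one benign request, one to the Pony panel over the JackPOS exfil IP,
# one to the URL indicator on an unrelated address.
PROXY_LOG = [
    "2015-03-27T14:00:01 10.0.0.5 GET http://www.example.com/ 93.184.216.34 200",
    "2015-03-27T14:00:02 10.0.0.7 POST http://panel.example-bad.test/gate.php?id=1 203.0.113.10 200",
    "2015-03-27T14:00:03 10.0.0.9 POST http://drop.example.test/gate.php 192.0.2.44 200",
]

if __name__ == "__main__":
    for event in scan_proxy_log(PROXY_LOG, INDICATORS):
        print(event)
```

Feeding the normalised list in as a SIEM lookup table and running this matching as a correlation rule is the usual deployment; the CEF lines here are what that rule would raise.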
root [~]# wall Kicking bad guys' asses
• Cyber threats are very much like an organism, mutating and improving over time
• So we must evolve with them. We think the future lies in building collaborative models:
– Sharing information is the key
– Cybercriminals build communities where they share information, and so must we
– Only by collaborating will we be able to keep up with the new threats
root [~]# wall Kicking bad guys' asses
• From Blueliv, we provide a free API with information about malicious servers: https://map.blueliv.com
Demo: Free Tracker API
https://map.blueliv.com
https://github.com/BluelivSecurity
THANK YOU
www.blueliv.com
info@blueliv.com
community@blueliv.com
@blueliv
linkedin.com/company/blueliv