
Targeted and Opportunistic Botnet Building 6/7/11 Copyright ©2010 Damballa, Inc. All Rights Reserved Worldwide. 1 About Gunter Ollmann


slide-1
SLIDE 1

Targeted and Opportunistic Botnet Building

6/7/11 Copyright ©2010 Damballa, Inc. All Rights Reserved Worldwide. 1

slide-2
SLIDE 2

About

  • Gunter Ollmann

– VP of Research, Damballa Inc. – Board of Advisors, IOActive Inc.

  • Brief Bio:

– Been in IT industry for two decades – Built and run international pentest teams, R&D groups and consulting practices around the world. – Formerly Chief Security Strategist for IBM, Director of X-Force for ISS, Professional Services Director for NGS Software, Head of Attack Services EMEA, etc. – Frequent writer, columnist and blogger with lots of whitepapers!

  • http://blog.damballa.com & http://technicalinfodotnet.blogspot.com/
slide-3
SLIDE 3

Targeted?

6/7/11 3

slide-4
SLIDE 4

Opportunistic?

6/7/11 4

slide-5
SLIDE 5

6/7/11 5

Where to Begin?

slide-6
SLIDE 6

Tools and services available for sale, rent and lease

Today’s Threat Landscape

  • What’s it take to become a cybercriminal?

6/7/11 6

Know how to use a search engine Ability to install software on your own computer

  • What about those “advanced” threats?

Federated ecosystem of tool and service providers Specialist services and gray-market expertise for hire Video how-to’s and advertizing

slide-7
SLIDE 7

Back in the old days!

  • Self-contained botnet building unit

– Skills all contained within a single team

  • One-stop crime shop

– Building, managing, distributing & monetizing the botnet – Autonomous cybercrime unit

6/7/11 7

Malware Author Web Developer Email Sender Exploit Coder Fraud Handler

slide-8
SLIDE 8

A Brief History of Botnets

6/7/11 8

slide-9
SLIDE 9

A Brief History of Botnets

6/7/11 9

Too many operators competing for diminishing returns

slide-10
SLIDE 10

A Brief History of Botnets

6/7/11 10

More time spent battling their competitors

(DDoS, sabotage, informants, etc.)

slide-11
SLIDE 11

A Brief History of Botnets

6/7/11 11

Growing degrees of specialization Many criminal operator teams dissolve

slide-12
SLIDE 12

A Brief History of Botnets

6/7/11 12

Federated services model Introduction of newbies with minimal technical skill

slide-13
SLIDE 13

Service Specialization

  • Consolidation of expertise

– Dedicated guns for hire

  • Boutique specializations

– Translation services for spear phishing campaigns – Exploit weaponization for Android malware – Arbitration services between botnet buyers/sellers

6/7/11 13

Botnet Kit Authors Phishing Developers Bulk Spam Senders Drive-by Coders Carders

slide-14
SLIDE 14

6/7/11 14

A Vibrant Market

slide-15
SLIDE 15

Self-contained Ecosystem

  • Service and tool provisioning

– From cottage-industry to full-service offerings

  • Pricing models to suit any pocket

– Buy-to-rent, rent-to-buy – Service (and victim) bartering

  • Affiliate systems

– Resellers – Value-add services

6/7/11 15

slide-16
SLIDE 16

The Business of Crimeware

  • Multiple components to botnet building

– Creation of the botnet crimeware – Force/trick victim to installing the crimeware – Building a robust CnC infrastructure – Monetization: laundering, mules, etc.

  • Plenty of opportunity for third-parties

6/7/11 16

Phishing Driving the Victim to the Badness Blackhat SEO Hacked Site Injection Out-of-band Banners Social Network

slide-17
SLIDE 17

An Infection Lifecycle

6/7/11 17

Post Unpack

Disable local security Prevent updates/patches Inventory victim

Victim Dropper(s)

Dropper unpacks on the Victim machine and runs

Update Downloader

Confirm installation Is this a real machine? Have I seen it before? Update malware location

Post Agent Install

Delete dropper/installer Clear logs & events Catalogue & inventory

Download Bot Agent

Host bot agent(s) Agent selection criteria Whitelisted repositories Unique botnet agent

Data Repository

Logging of install successes Encrypted files from victim Stolen passwords & PII

Criminal Control

Multiple CnC proxies Separate CnC portals Updates to bot agent Updates to list of CnC’s Agent integrity checking Locking of agent to victim Issuing of batched commands Remote access & control

CnC Proxies CnC Portals

Updater Downloader Repository

slide-18
SLIDE 18

Malware Reviews

6/7/11 18

slide-19
SLIDE 19

AV Testing

6/7/11 19

slide-20
SLIDE 20

AV Testing

6/7/11 20

The service lowest prices on the market: $0.12 for one-time validation (6 cents per file) and $ 20 per month for full-NL(

slide-21
SLIDE 21

Tutorials

6/7/11 21

slide-22
SLIDE 22

Bullet-proof Hosting

6/7/11 22

slide-23
SLIDE 23

Full Service Hosting Providers

  • Targeted service

offerings

– Catering exclusively to cyber criminals

6/7/11 23

slide-24
SLIDE 24

VPN Services

6/7/11 24

slide-25
SLIDE 25

VPN Services

6/7/11 25

slide-26
SLIDE 26

Call Service Translation

  • Foreign language support

– Crime specific

6/7/11 26

slide-27
SLIDE 27

Exploit packs

  • Eleonore Exp v1.6.2
  • Pricing

– Package: $2000 – Updates: $100 – Rebuild for new IP: $50

  • Special pricing

– Subacc Edition: $2500 – Rental Edition: $3000

6/7/11 27

slide-28
SLIDE 28

Exploit Pack Diversity

6/7/11 28

slide-29
SLIDE 29

Exploit Pack Management

  • Full capability portals
  • Multiple exploits

– Multi-platform & app

6/7/11 29

slide-30
SLIDE 30

DDoS for Rent

6/7/11 30

slide-31
SLIDE 31

Botnet Selling

  • Build-to-sell models

– Public forum postings – Private forum requests – Mediators to facilitate transfers

6/7/11 31

slide-32
SLIDE 32

Buy Specific Bot Victims

  • Compromised systems

– Hacked “manually” – Hacked via Googledorks – Backdoor delivery

  • Campaigns

– “Opportunistic” delivery – Sifting of victim inventory – Specialized sale of notable systems

slide-33
SLIDE 33

PPI

6/7/11 33

Distributed TDL3 variants

slide-34
SLIDE 34

Full Service PPI

6/7/11 34

slide-35
SLIDE 35

Gangstabucks

6/7/11 35

Distributed TDL4 variants

slide-36
SLIDE 36

6/7/11 36

Disclaimers & Protection

slide-37
SLIDE 37

Disclaimers

  • Legitimate or fraud?

– Common use of disclaimers and agreements

  • “Protection” and air of authenticity

– Proof of concept – Not for criminal use – Please do not use illegally – Internal testing purposes only – Warranty void if used for criminal purposes – Commercial network administrators only – Click here to accept full responsibility

6/7/11 37

slide-38
SLIDE 38

DDoSer Tool

1. We are not held responsible for any actions you use our software for.

2. We are not responsible if you purchase this without having any understanding of how it works. 3. There are NO refunds, all sales are [illegible]. 4. If your portal account gets stolen, you have to provide ownership of it before we will offer support on helping you get it back, otherwise its not our problem. (Purchase Information etc.) 5. We only offer support if its something on our end, otherwise we are not responsible if your having problems with using our software. (We are here to help, not spoon feed.) 6. We do not support resold accounts; We are not

held responsible if you are scammed by a reseller, to be safe you should only buy DDoSeR from us. If you did not purchase from us

then we are not required to give you support. 7. You may get trolled on in "User chat", we don't care, so dont come crying to us because its not our problem that your stupidity over comes you.

6/7/11 38

slide-39
SLIDE 39

DarkComet RAT Disclaimer

  • Click-through EULA/Disclaimers

6/7/11 39

slide-40
SLIDE 40

Scam Reporting

6/7/11 40

slide-41
SLIDE 41

6/7/11 41

Botnet Building & Operations

slide-42
SLIDE 42

2010 Biggest Botnets

6/7/11 42

2010 Botnet

Percentage of Victim Population

2009 Position 1 TDLBotnetA (RudeWarlockMob) 14.8% -- 2 RogueAVBotnet (FreakySpiderCartel) 5.7% -- 3 ZeusBotnetB (FourLakeRiders) 5.3% -- 4 Monkif 5.2% 5th 5 Koobface.A 4.0% [symbol] top10 6 Conficker.C 2.8% [symbol] top10 7 Hamweq (GraySunGirls) 2.5% -- 8 AdwareTrojanBotnet (WickedRockMonsters) 2.2% -- 9 Sality 2.1% [symbol] top10 10 SpyEyeBotnetA (OneStreetTroop) 1.9% --

slide-43
SLIDE 43

Feature Creep

slide-44
SLIDE 44

Kit Development & Deployment

6/7/11 44

Zeus SpyEye TDSS

slide-45
SLIDE 45

Zeus

  • Originally Zbot was a Gaming Mod/Cheat bot
  • Initially developed by Slavik (aka Monstr) into the Zeus bot we know

today

  • For well over 5 years Zeus (Zbot) led the top 10 most wanted criminal

networks

  • Eastern European based organized criminal threat
  • In early Q1 2011 best of Zeus was merged into SpyEye
  • In late Q1 2011 source code for version 2.0.8.9 publicly leaked

2/15/2007 10/14/2011 1/1/2008 1/1/2009 1/1/2010 1/1/2011 2/28/2009 Millions of Infections Identified 2/28/2008 Phising with Zeus en’mass 11/3/2009 Small Zeus Arrest 2/15/2007 Zbot originally a Game Mod 7/31/2007 Zeus (Zbot) Identified 11/27/2009 9 Million Emails 7/10/2010 International Banks Hit 10/15/2010 90 Zeus Arrests 10/1/2010 $70M Reported Stolen 11/1/2010 Zeus Source Passed 3/21/2011 Zeus v2 Source Leaked

slide-46
SLIDE 46

6/7/11 46

200,000 400,000 600,000 800,000 1,000,000 1,200,000 1,400,000 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51

Major Zeus Botnets 2010

FourLakeRiders GreenAlienRiders RAT-ZU-91117 EightLakeRiders

slide-47
SLIDE 47

Zeus

6/7/11 47

slide-48
SLIDE 48

Zeus code for sale/grabs

6/7/11 48

slide-49
SLIDE 49

ZeuS CnC Structures

i%-T(O.&(>%J"-3&(]Ec( ]Ec(!9+%( X%+:%:,,Y-C#-5@.)5&%%?"%N,C@.)( 8)8( .F%%&%%+%HC#-5@.)5&%%?"%N,C@.)( CnC( k,1-'".'.%C#-5@.)51":',.$-C@.)( CnC( k,:$:%%k"%C#-5@.)5,,+".@,,C@.)( CnC( N".&:--/:.C#-5@.)5".+:".+.C@.)( CnC( '%.3"%9%%HC#-5@.)5-1-,/"%HC@.)( CnC( "'".1:"%+,C#-5@.)5&:,,&:"?C@.)( CnC( ,,&".F.3%.C#-5@.)5&:,,&:"?C@.)( CnC( F,#",k,,)$C#-5@.)5/"%k-,$.C@.)( CnC( dahzunaeye.ru/bin/sofeigoo.bin CnC ,8"8$89&-8:+2;30/;3$012$$#:30/' CnC( ,8"8$89&-8:+2;30/;&&4,%,,<:30/' CnC( ,8"8$89&-8:+2;30/;82&480=$:30/' CnC( ,8"8$89&-8:+2;30/;)$$/40&%:30/' CnC( ,8"8$89&-8:+2;30/;,,(0&"8&:30/' CnC( ,8"8$89&-8:+2;30/;6$&>2,40:30/' CnC( ,8"8$89&-8:+2;30/;6829$0-$:30/' CnC( ,8"8$89&-8:+2;30/;%8,,%8$(:30/' CnC( ,8"8$89&-8:+2;30/;?,0+,,-,:30/' CnC( ,8"8$89&-8:+2;30/;?26,4$88:30/' CnC(

slide-50
SLIDE 50

Other ZeuS CnC Structures

ZeuS Kit Custom Cnc URL URL Type freehost21.tw/b/cfg375.bin CnC www.technoplast.com.ua/catalog/nibco/tmc.bin CnC askuv.com/percent/update.bin CnC leadingcase.cc/20aug_old.cpm CnC mswship.com/xed/config.bin CnC nascetur.com:81/wc/cof58.bin CnC nascetur.com:81/wc/g6.php Drop Site nascetur.com:81/wc/512.exe Trojan

slide-51
SLIDE 51

Kit Development & Deployment

6/7/11 51

Zeus SpyEye TDSS

slide-52
SLIDE 52

SpyEye

  • Developed by Roman (aka Gribo/[illegible]iro) in mid-2009
  • Released in late 2009 to compete with Zeus, automatically removing

Zeus upon infection

  • In Q4 2010 Roman received stewardship of the Zeus bot source code

from Slavik

  • In Q1 2011 SpyEye 1.3 emerged as the best of Zeus and SpyEye merged

with new functionality

– Mobile Devices – DDoS – Enhanced Persistence

6/15/2009 10/14/2011 1/1/2010 1/1/2011 6/15/2009 Roman starts with SpyEye 11/3/2009 SpyEye Discovered 1/31/2010 SpyEye Competes w/Zeus 6/10/2010 SpyEye Infiltrated 11/22/2010 Dev team gets Zeus source 1/11/2011 SpyEye 1.3 released 2/19/2011 SpyEye DDoS'ing 2/28/2011 SpyEye now Mobile 4/6/2010 SpyEye Deleting Zeus 4/25/2011 SpyEye #1 US Threat

slide-53
SLIDE 53

SpyEye 1.3

6/7/11 53

slide-54
SLIDE 54

WebInjects for SpyEye/Zeus

6/7/11 54

slide-55
SLIDE 55

Mynet-Injects Service

6/7/11 55

slide-56
SLIDE 56

SpyEye

Type barcalys-trial3.com/main/bin/build.exe Malware Drop coundnes.com/cache/bin/build.exe Malware Drop eu-analytics.com/sp4a/bin/1_sp4a_new.exe.crypted.exe Malware Drop 217.23.7.21/date/gate.php?guid=User!SANDBOX0! D06F0742&ver=10129&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=19&ccrc=3D893DD9&md5=60d6d 584515e1925e0d0c9edd8b32eed CnC 200.63.45.69/~datosco/main/gate.php?guid=User!SANDBOX2! D06F0742&ver=10132&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=100&ccrc=690E5C55&md5=82be b808bef523b7660af10266377407 CnC 91.213.174.34/spyeye_main/gate.php?guid=User!SANDBOX2! D06F0742&ver=10200&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=22&ccrc=B144ABF5&md5=e8a71 3c24a38b9339474f71f5bcff78a CnC 77.78.240.162/spye/gate.php?guid=User!SANDBOX0! D06F0742&ver=10207&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&plg=ftpbc&cpu=100&ccrc=8CCFE0AB &md5=84a9aedb378c3ec297a775c1f7fc573a CnC 113.11.194.173/eye/main/gate.php CnC 204.12.243.187/main/gate.php CnC 200.56.243.137/includes/admin/gate.php?guid=User!SANDBOX2! D06F0742&ver=10207&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=80&ccrc=3FF0F25D&md5=86e1b b6f428421a06bdae1b2b55323d1 CnC 200.56.243.137/includes/phpbb/gate.php CnC 200.56.243.137/joomla/admin/gate.php CnC cocainy.net/spmini/gate.php?guid=User!SANDBOX0! CnC

slide-57
SLIDE 57

Kit Development & Deployment

6/7/11 57

Zeus SpyEye TDSS

slide-58
SLIDE 58

TDL/TDSS

  • First appearance in 2008 as a rootkit with strings of TDSS

– There go the name TDSS a play on the acronym SSDT which it broke – TDL comes from the play on the acronym LDT but also as the “Tyler Durden Loader”

  • Between 2008-2010 versions 1-3 – Info Stealers & downloaders for rogue

AV and DNS changing trojans (subleasing)

  • In Q3 2010 version 4 focused on in-depth persistence MBR infection
  • In Q1 2011 version 4.1 there is now 64bit support
  • In Q2 2011 Reports of Mac and Mobile device support
  • March 2011 – installs other malware

– Win32/Glupteba.D (Clickjacking/SEO bot)

4/15/2008 6/14/2011 1/1/2009 1/1/2010 1/1/2011 5/9/2008 TDSS/TDL v1 First Discovered 2/17/2010 TDSS/TDL v3 released 8/2/2010 TDSS/TDL v4 released 4/26/2009 TDSS/TDL v2 released 8/9/2009 Millions of Infections Reported 1/20/2011 Added 64bit Support 11/1/2010 Included Mobile Support 5/28/2011 Linux/Mac OSX MBR TDB 8/5/2010 Includes MBR Infector 2/5/2009 Business with FakeAV 4/30/2010 Business w/DNS Changer

slide-59
SLIDE 59

6/7/11 59

500,000 1,000,000 1,500,000 2,000,000 2,500,000 3,000,000 1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51

TDL3BotnetA (RudeWarlockMob) 2010

RudeWarlockMob

slide-60
SLIDE 60

6/7/11 60

slide-61
SLIDE 61

TDL3 Driver Source

6/7/11 61

slide-62
SLIDE 62

TDL/TDSS Gang

Type

64.191.25.166/perce/447c05f1e6bff6d24d24a15d483cedb9689f10406b7230b46e69c850008919480e2c3fe8d432c72e6/607/ perce.jpg

CnC

69.10.35.251/perce/447c05f1e6bff6d24d24a15d483cedb9689f10406b7230b46e69c850008919480e2c3fe8d432c72e6/607/ perce.jpg

CnC

69.10.35.251/perce/465cbbfb5c459068718ea7c544e87ed2a776f651b13f6f75e085d95d0f16be4d73603cc8bfd83f316/ d4f5b0c5628/qwerce.gif

CnC

69.10.35.251/perce/8020ac6db14a14e0ed94c17da86c8d0938cff0c02ba29014aee9a81000a9b998de6c0f98a422879eb/400/ perce.jpg

CnC

69.10.35.251/perce/96ec3b1bcc25c048614e07d5d478be22d7565661f17f1f754035b9cd3ff64ecde370eca8afa8ff01f/f0e/ perce.jpg

CnC

88.214.201.132/perce/447c05f1e6bff6d24d24a15d483cedb9689f10406b7230b46e69c850008919480e2c3fe8d432c72e6/607/ perce.jpg

CnC

images-humanity.com/werber/30f/216.jpg

CnC

imagesmonitor.com/werber/e4d08081926/216.jpg

CnC

pictureswall.com/werber/b0f/216.jpg

CnC

hipartsonline.com/werber/548582c8e44/217.gif

CnC

virtualartsonline.com/perce/23a8802761f8ac0664709edb14bbd80dee 020a2ca627fe38e60811523634ef62dc748b397c3e4cd0a/d4b8c69787c/qwerce.gif

CnC

videoartfilms.com/werber/34a826c797b/217.gif

CnC

slide-63
SLIDE 63

Dialing in the Attack

slide-64
SLIDE 64

Opportunistic Building Strategy

  • There’s a general myth that botnet operators

are opportunistic in their building strategy.

– In some older and sloppier cases they are but things have moved on.

  • Damballa tracking several thousands groups

– Assigning funny names etc. – Specialized tactics

6/7/11 64

slide-65
SLIDE 65

Major Attack “Classes”

6/7/11 65

Targeted Tripwire Trawling

Predefined objective and victim list   • Attack vectors tuned to target requirements   • Destination/use of stolen data pre-agreed   • Focused tool design and manual processes Indiscriminate “wrong place at the wrong time”   • Seeding of popular sites/locations/files   • Opportunistic return on victims – sort afterwards   • Fire and forget with no/low management costs  Focused upon a target profile   • Casting a wide net over possible victims   • Monetization angle already decided upon   • Efficient and largely automated approach

slide-66
SLIDE 66

Attack Cost

  • Scenario:

– 14yr-old wanting to DDoS “friends” on X-Box – Seed torrents and newsgroups with botnet agent – Target = growth rate of 100 victims per week

6/7/11 66

Tripwire

Setup Monthly Annually

Zeus DIY Kit

  • Pirated version

$0 $0 $0 Single CnC server

  • Home computer

$0 $30 $360 Dynamic DNS

  • Free DDNS for DHCP churn

$0 $0 $0 Total $0 $30 $360

slide-67
SLIDE 67

Attack Cost

  • Scenario:

– 18yr-old student in Brazil wanting USA victim bank accounts – Carbon-copy phishing environment and emails – Target = 2,500+ victims per week

6/7/11 67

Setup Monthly Annually

SpyEye DIY Kit

  • Commercial version

$2,000 $0 $500 Two CnC servers

  • Bullet proof

$75 $30 $360 US Bank phishing SpyEye plug-in $50 $0 $0 Spam sending service

  • 100,000 emails per day

$0 $100 $1200 Total(s) $1,125 $130 $2,060 Trawling

slide-68
SLIDE 68

Attack Cost

  • Scenario:

– Professional cybercriminal looking for big payment – Locating and eventual spear-phishing of CFO – Target = obtain corporate banking credentials

6/7/11 68

Setup Monthly Annually

Poison Ivy malware construction kit (licensed) $0 $0 $0 Armoring of malware & QA FUD testing $60 $20 $240 Obtaining corporate hierarchy details $499 $0 $0 Email, translation and spear-phishing design $200 $0 $0 Mule & transaction laundering service $0 $600 $0 Total(s) $759 $620 $240 Targeted/Trawling

slide-69
SLIDE 69

Attack Cost

  • Scenario:

– Anonymous entity (Patriotic or Politically motivated) – Infiltrate and steal software signing certificate – Target = A popular microprocessor manufacturer

6/7/11 69

Setup Monthly Annually

Commercial grade RAT

$0k $0 $0

Commissioned spear-phishing campaigns

  • Guaranteed delivery, 24x7 support

$2k $2k $24k

Access to 2 (two) 0-day vulnerabilities

  • Replacement warranty if fixed/patched

$40k $0 $0

Rent-a-hacker

  • Experienced hacker & enterprise network navigator
  • 10 man-day retainer + hourly rate

$20k $0 $0 Total(s) $62 $2 $24

Targeted

slide-70
SLIDE 70

6/7/11 70

Wrapping it up!

slide-71
SLIDE 71

Keeping it simple (and wrong)

6/7/11 71

Victim Attacker

Delivery Malware Fraud

slide-72
SLIDE 72

Federated Operations

6/7/11 72

Victim Attacker

Delivery Malware

Armoring Exploits

Fraud

Console

Developers

Organized Crime State Sponsors

slide-73
SLIDE 73

Context Change

  • Blurred “Targeted” vs “Opportunistic”?

– Unaffiliated attack components – Independent service provisioning

  • Targeted attacks

– Does “intent” matter? – “It’s just business” – Don’t take it personally

6/7/11 73

slide-74
SLIDE 74

Perspective

  • It’s a matter of perspective

– It feels personal!

  • There may be targeted objectives

– Different parts of the “value chain”

  • Attack delivery opportunistic

– Multiple campaigns & probabilities of success – Gray-areas of operation

6/7/11 74

slide-75
SLIDE 75

New Label?

  • B/(&:%(Q!"#$%&%'(Dp"1NR(")(,-&'"&%'(&%#?L(

– 5)O193D#)3#'+$(?(>'/#3$>#)3#9369896=)1#

  • !cD("3&%#)"0F%(3"@%3/L(

– 7"<#b768)3+'6#"'*(9(>'3>#<,*')>c# – 757#b7y19)>'J0)('6#7O)+Pc# – F.G#bF*9/'@)*'#.9(>*90=;$3#G?(>'/c# – ]"]<#b]*$3D#"1)+'-#]*$3D#<9/'c#

VUWUXX# W[#

slide-76
SLIDE 76

Opportunity

6/7/11 76

Gunter Ollmann, VP Research gollmann@damballa.com