!"#$%&%'(")'(*++,#&-)./01( - PowerPoint PPT Presentation

!"#$%&%'(")'(*++,#&-)./01( 2,&)%&(2-.3'.)$( 456577( 8,+9#.$:&(;<=7=(>"?@"33"A(B)1C(D33(E.$:&/(E%/%#F%'(G,#3'H.'%C( 7(

About • I-)&%#(*33?"))( – !"#$%#&'(')*+,-#.)/0)11)#23+4# – 5$)*6#$%#7689($*(-#2:7+;8'#23+4# • 2#.%J(2.,K( – 5''3#93#2<#936=(>*?#%$*#>@$#6'+)6'(#A#5=91>#)36#*=3#93>'*3);$3)1# B'3>'(>#>')/(-#&C.#D*$=B(#)36#+$3(=1;3D#B*)+;+'(#)*$=36#>,'# @$*164## – E$*/'*1?#F,9'%#G'+=*9>?#G>*)>'D9(>#%$*#25H-#.9*'+>$*#$%#IJE$*+'# %$*#2GG-#"*$%'((9$3)1#G'*89+'(#.9*'+>$*#%$*#KLG#G$M@)*'-#N')6#$%# 7O)+P#G'*89+'(#QHQ7-#'>+4# – E*'R='3>#@*9>'*-#+$1=/39(>#)36#01$DD'*#@9>,#1$>(#$%# @,9>'B)B'*(S# • ,OBTUU01$D46)/0)11)4+$/#C#,OBTUU>'+,39+)193%$6$>3'>401$D(B$>4+$/U##

Targeted? VUWUXX# Y#

Opportunistic? VUWUXX# Z#

G:%#%(&,(2%$.)L( VUWUXX# [#

Today’s Threat Landscape • G:"&M/(.&(&"N%(&,(@%1,?%("(19@%#1#.?.)"3L( O),H(:,H(&,(-/%( D@.3.&9(&,(.)/&"33(/,PH"#%(( "(/%"#1:(%)$.)%( ,)(9,-#(,H)(1,?+-&%#( • G:"&("@,-&(&:,/%(Q"'F")1%'R(&:#%"&/L( !,,3/(")'(/%#F.1%/("F".3"@3%( J,#(/"3%A(#%)&(")'(3%"/%( S%'%#"&%'(%1,/9/&%?(,J( T+%1."3./&(/%#F.1%/(")'( &,,3(")'(/%#F.1%(+#,F.'%#/( $#"9U?"#N%&(%V+%#0/%(J,#(:.#%( W.'%,(:,HU&,M/(")'("'F%#0X.)$( VUWUXX# V#

Back in the old days ! • T%3JU1,)&".)%'(@,&)%&(@-.3'.)$(-).&( – GP911(#)11#+$3>)93'6#@9>,93#)#(93D1'#>')/# H)1@)*'#7=>,$*# Q^B1$9>#F$6'*# ]'0#.'8'1$B'*# Q/)91#G'36'*# E*)=6#N)361'*# • *)%U/&,+(1#.?%(/:,+( – 5=91693D-#/)3)D93D-#69(>*90=;3D## C#/$3';\93D#>,'#0$>3'># – 7=>$3$/$=(#+?0'*+*9/'#=39>################ VUWUXX# W#

A Brief History of Botnets VUWUXX# _#

A Brief History of Botnets <$$#/)3?#$B'*)>$*(# +$/B';3D#%$*# 69/939(,93D#*'>=*3(# VUWUXX# `#

A Brief History of Botnets H$*'#;/'#(B'3>#0)O193D## >,'9*#+$/B';>$*(# b..$G-#()0$>)D'-#93%$*/)3>(-#'>+4c# VUWUXX# Xa#

A Brief History of Botnets L*$@93D# 6'D*''(#$%# (B'+9)19\);$3# H)3?#+*9/93)1# $B'*)>$*#>')/(# 69(($18'# VUWUXX# XX#

A Brief History of Botnets E'6'*)>'6# ('*89+'(# /$6'1# 23>*$6=+;$3#$%# 3'@09'(#@9>,#/939/)1# >'+,39+)1#(P911# VUWUXX# Xd#

Service Specialization • 8,)/,3.'"0,)(,J(%V+%#0/%( – .'69+)>'6#D=3(#%$*#,9*'# 5$>3'>#e9>#7=>,$*(# ",9(,93D#.'8'1$B'*(# 5=1P#GB)/#G'36'*(# .*98'J0?#F$6'*(# F)*6'*(# • 2,-0Y-%(/+%1."3.X"0,)/( – <*)3(1);$3#('*89+'(#%$*#(B')*#B,9(,93D#+)/B)9D3(# – Q^B1$9>#@')B$39\);$3#%$*#736*$96#/)1@)*'# – 7*09>*);$3#('*89+'(#0'>@''3#0$>3'>#0=?'*(U('11'*(# VUWUXX# XY#

D(W.@#")&(Z"#N%&( VUWUXX# XZ#

Self-contained Ecosystem • T%#F.1%(")'(&,,3(+#,F./.,).)$(( – E*$/#+$O)D'J936=(>*?#>$#%=11J('*89+'#$f'*93D(# • [#.1.)$(?,'%3/(&,(/-.&(")9(+,1N%&( – 5=?J>$J*'3>-#*'3>J>$J0=?# – G'*89+'#b)36#89+;/c#0)*>'*93D# • D\3."&%(/9/&%?/( – &'('11'*(# – !)1='J)66#('*89+'(# VUWUXX# X[#

The Business of Crimeware • Z-30+3%(1,?+,)%)&/(&,(@,&)%&(@-.3'.)$( – F*');$3#$%#>,'#0$>3'>#+*9/'@)*'# – E$*+'U>*9+P#89+;/#>$#93(>)1193D#>,'#+*9/'@)*'# – 5=91693D#)#*$0=(>#F3F#93%*)(>*=+>=*'# – H$3';\);$3T#1)=36'*93D-#/=1'(-#'>+4# • [3%)&9(,J(,++,#&-).&9(J,#(&:.#'U+"#0%/( >#.F.)$(&:%(W.10?(&,(&:%(2"')%//( ",9(,93D# 51)+P,)>#GQ:# N)+P'6#G9>'# 23g'+;$3# :=>J$%J0)36# 5)33'*(# G$+9)1#K'>@$*P# VUWUXX# XV#

An Infection Lifecycle ]+'"&%(>,H)3,"'%# ( Dropper unpacks on the F$3h*/#93(>)11);$3# Victim machine and runs 2(#>,9(#)#*')1#/)+,93'i# N)8'#2#(''3#9>#0'%$*'i# !"#$%&'($)*$+&'),-$.,/' >#,++%#^/_( W.10?( 8#.?.)"3(8,)&#,3 ( >,H)3,"'(2,&(D$%)& ( ]+'"&%#( H=1;B1'#F3F#B*$^9'(# N$(>#0$>#)D'3>b(c# [,/&(])+"1N ( G'B)*)>'#F3F#B$*>)1(# 7D'3>#('1'+;$3#+*9>'*9)# .9()01'#1$+)1#('+=*9>?# kB6)>'(#>$#0$>#)D'3># ],9>'19(>'6#*'B$(9>$*9'(# "*'8'3>#=B6)>'(UB)>+,'(# kB6)>'(#>$#19(>#$%#F3Fl(# !/012&'3,%/&%'$4&/%' 238'3>$*?#89+;/# 7D'3>#93>'D*9>?#+,'+P93D# >,H)3,"'%#( j$+P93D#$%#)D'3>#>$#89+;/# >"&"(E%+,/.&,#9 ( 2((=93D#$%#0)>+,'6#+$//)36(# j$DD93D#$%#93(>)11#(=++'(('(# 5&(,%&'$--&66'7'-,/%+,)'' Q3+*?B>'6#h1'(#%*$/#89+;/# G>$1'3#B)((@$*6(#C#"22# [,/&(D$%)&(B)/&"33 ( E%+,/.&,#9( .'1'>'#6*$BB'*U93(>)11'*# F1')*#1$D(#C#'8'3>(# F)>)1$D='#C#938'3>$*?# CnC Proxies CnC Portals VUWUXX# XW#

Malware Reviews VUWUXX# X_#

AV Testing VUWUXX# X`#

AV Testing The service lowest prices on the market: $0.12 for one-time validation (6 cents per file) and $ 20 per month for full-NL ( VUWUXX# da#

Tutorials VUWUXX# dX#

Bullet-proof Hosting VUWUXX# dd#

Full Service Hosting Providers • !"#$%&%'(/%#F.1%( ,`%#.)$/( – F)>'*93D#'^+1=(98'1?#>$#+?0'*# +*9/93)1(# VUWUXX# dY#

VPN Services VUWUXX# dZ#

VPN Services VUWUXX# d[#

Call Service Translation • S,#%.$)(3")$-"$%(/-++,#&( – F*9/'#(B'+9h+# VUWUXX# dV#

Exploit packs • a3%,),#%(aV+(F7C4C<( • [#.1.)$( – ")+P)D'T#mdaaa# – kB6)>'(T#mXaa# – &'0=916#%$*#3'@#2"T#m[a# • T+%1."3(+#.1.)$( – G=0)++#Q69;$3T#md[aa# – &'3>)1#Q69;$3T#mYaaa# VUWUXX# dW#

Exploit Pack Diversity VUWUXX# d_#

Exploit Pack Management • S-33(1"+"@.3.&9(+,#&"3/( • Z-30+3%(%V+3,.&/( – H=1;JB1)n$*/#C#)BB# VUWUXX# d`#

DDoS for Rent VUWUXX# Ya#

Botnet Selling • 2-.3'U&,U/%33(?,'%3/( – "=019+#%$*=/#B$(;3D(# – "*98)>'#%$*=/#*'R='(>(# – H'69)>$*(#>$#%)+919>)>'# >*)3(%'*(# VUWUXX# YX#

Buy Specific Bot Victims • 8,?+#,?./%'(/9/&%?/( – N)+P'6#o/)3=)11?p# – N)+P'6#89)#L$$D1'6$*P(# – 5)+P6$$*#6'198'*?# • 8"?+".$)/( – o:BB$*>=39(;+p#6'198'*?# – G9M93D#$%#89+;/#938'3>$*?# – GB'+9)19\'6#()1'#$%# 3$>)01'#(?(>'/(#

PPI .9(>*90=>'6#<.jY#8)*9)3>(# VUWUXX# YY#

Full Service PPI VUWUXX# YZ#

Gangstabucks .9(>*90=>'6#<.jZ#8)*9)3>(# VUWUXX# Y[#

>./13".?%#/(b([#,&%10,)( VUWUXX# YV#

Disclaimers • c%$.0?"&%(,#(J#"-'L( – F$//$3#=('#$%#69(+1)9/'*(#)36#)D*''/'3>(# • Q[#,&%10,)R(")'(".#(,J("-&:%)01.&9( – "*$$%#$%#+$3+'B># – K$>#%$*#+*9/93)1#=('# – "1')('#6$#3$>#=('#911'D)11?# – 23>'*3)1#>'(;3D#B=*B$('(#$31?# – ])**)3>?#8$96#9%#=('6#%$*#+*9/93)1#B=*B$('(# – F$//'*+9)1#3'>@$*P#)6/939(>*)>$*(#$31?# – F19+P#,'*'#>$#)++'B>#%=11#*'(B$3(90919>?# VUWUXX# YW#

DDoSer Tool 7C G%("#%(),&(:%3'(#%/+,)/.@3%(J,#(")9( "10,)/(9,-(-/%(,-#(/,JH"#%(J,#C( d4 ]'#)*'#3$>#*'(B$3(901'#9%#?$=#B=*+,)('#>,9(#@9>,$=># ,)893D#)3?#=36'*(>)3693D#$%#,$@#9>#@$*P(4# Y4 <,'*'#)*'#K:#*'%=36(-#)11#()1'(#)*'# !"#$ 4# Z4 2%#?$=*#B$*>)1#)++$=3>#D'>(#(>$1'3-#?$=#,)8'#>$#B*$896'# $@3'*(,9B#$%#9>#0'%$*'#@'#@911#$f'*#(=BB$*>#$3#,'1B93D# ?$=#D'>#9>#0)+P-#$>,'*@9('#9>(#3$>#$=*#B*$01'/4# b"=*+,)('#23%$*/);$3#'>+4c# [4 ]'#$31?#$f'*#(=BB$*>#9%#9>(#($/'>,93D#$3#$=*#'36-# $>,'*@9('#@'#)*'#3$>#*'(B$3(901'#9%#?$=*#,)893D# B*$01'/(#@9>,#=(93D#$=*#($M@)*'4#b]'#)*'#,'*'#>$# ,'1B-#3$>#(B$$3#%''64c# ]'#6$#3$>#(=BB$*>#*'($16#)++$=3>(q# G%("#%(),&( V4 :%3'(#%/+,)/.@3%(.J(9,-("#%(/1"??%'(@9("( #%/%33%#A(&,(@%(/"J%(9,-(/:,-3'(,)39(@-9( >>,T%E(J#,?(-/C # 2%#?$=#696#3$>#B=*+,)('#%*$/#=(# >,'3#@'#)*'#3$>#*'R=9*'6#>$#D98'#?$=#(=BB$*>4# W4 r$=#/)?#D'>#>*$11'6#$3#93#sk('*#+,)>s-#@'#6$3t>#+)*'-# ($#6$3>#+$/'#+*?93D#>$#=(#0'+)=('#9>(#3$>#$=*#B*$01'/# >,)>#?$=*#(>=B969>?#$8'*#+$/'(#?$=4# VUWUXX# Y_#

DarkComet RAT Disclaimer • 83.1NU&:#,-$:(a]cD5>./13".?%#/( VUWUXX# Y`#

Scam Reporting VUWUXX# Za#

2,&)%&(2-.3'.)$(b(*+%#"0,)/( VUWUXX# ZX#

2010 Biggest Botnets <=7=(2,&)%& # [%#1%)&"$%(,J( <==d( W.10?([,+-3"0,) # [,/.0,) # 7 # <.j5$>3'>7#b&=6'])*1$+PH$0c# XZ4_u# JJ# < # &$D='7!5$>3'>#bE*')P?GB96'*F)*>'1c# [4Wu# JJ# e # v'=(5$>3'>5#bE$=*j)P'&96'*(c# [4Yu# JJ# f # H$3P9%# [4du# [>,# g # e$$0%)+'47# Z4au# w#>$BXa# 4 # F$3h+P'*4F# d4_u# w#>$BXa# 6 # N)/@'R#bL*)?G=3L9*1(c# d4[u# JJ# h # 76@)*'<*$g)35$>3'>#b]9+P'6&$+PH$3(>'*(c# d4du# JJ# d # G)19>?# d4Xu# w#>$BXa# 7= # GB?Q?'5$>3'>7#b:3'G>*''><*$$Bc# X4`u# JJ# VUWUXX# Zd#

Feature Creep

Kit Development & Deployment i%-/( T+9a9%( !>TT( VUWUXX# ZZ#