tracking and detecting trojan command and control servers
play

Tracking and Detecting Trojan Command and Control Servers Ryan - PowerPoint PPT Presentation

Mar 25, 2023 •114 likes •378 views

Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008 Outline + What do we Track and Why? + Overview of Information Stealing Trojans How/What they steal Phoning Home Popular Kits + Detecting C&C

  1. Tracking and Detecting Trojan Command and Control Servers Ryan Olson FIRST 2008

  2. Outline + What do we Track and Why? + Overview of Information Stealing Trojans ▪ How/What they steal ▪ Phoning Home ▪ Popular Kits + Detecting C&C Traffic ▪ IDS Signatures: Specific Trojans ▪ Detecting Static Characteristics with Signatures + Trojan C&C Network Clusters ▪ Frequently Used Networks ▪ Countries Hosting C&C Servers

  3. What do we Track and Why? + Information Stealing Trojans ▪ Stealing Credentials for Online Sites ▪ Primarily Financial Institutions + Generated by Toolkits ▪ Built by Technically Skilled Criminals ▪ Used by Criminals with Other Skills ▪ Trojans Reporting to Many C&Cs (No Single Mothership) + C&C Servers Store Stolen Data ▪ Commonly Hosted on Bullet-Proof Networks ▪ Multiple Servers Frequently Clustered in Small IP Space ▪ Knowing IP Allows for Blocking/Monitoring

  4. Information Stealing Trojans Steal Website Login/Password + ▪ Form Grabbing ▪ Protected Storage Dump ▪ Key-logging (Becoming less-common) Phoning Home + ▪ In the Past (and Easily Blocked) – Email – FTP ▪ Current Most Popular – HTTP POST Requests – Rarely Blocked

  5. Information Stealing Trojans Popular Tool Kits + ▪ Limbo/Nethell ▪ Zeus/PRG/NTOS/WNSPOEM ▪ AgentDQ/Bzub/Metafisher Used by Many Attackers + ▪ C&C/Targets Configurable ▪ Simple for Non-Technical Attackers to Use – Web Interface ▪ Common Attributes Despite Configuration – Possible to Detect Traffic from Trojans Generated by Specific Kit

  6. Information Stealing Trojans

  7. Network-based Intrusion Detection Systems IDS Internal Network

  8. Detecting a Toolkit + Step 1: Get a Copy of the Code (Preferably a few) + Step 2: Run it in Controlled Environment to Capture Traffic + Step 3: Determine Why/What/When of Communication + Step 4: Determine Static Characteristics of Traffic + Step 5: Create IDS Signature to Detect Static Characteristics

  9. Detecting a Toolkit (Limbo) + 3 Primary Types of Messages ▪ Registration – Report a New Infection – As Soon as Infection Occurs (and Each Time IE is Launched) ▪ Command Update – Retrieved Updated Commands and Target List – Each Time IE is Launched ▪ Report Data – Sends Captured Data to C&C – When User Submits a Web-Form – Steals Files from System

  10. HTTP Headers Detecting a Toolkit (Limbo) Registration Message

  11. URL Detecting a Toolkit (Limbo) Command Update Message

  12. POST Data Detecting a Toolkit (Limbo) Report Data Message

  13. Basic Snort Rule Components alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"VRSN - LIMBO Web Based Toolkit Detected"; flow:established,to_server; sid:5544332211; classtype:misc-activity; rev:1; ) Snort Users Manual: http://www.snort.org/docs/snort_manual/

  14. Detecting a Toolkit (Limbo) alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"VRSN - LIMBO Web Based Toolkit Detected"; uricontent:"userid="; pcre:"/userid=\d{8}_\d{6}_\d{5}/U"; flow:established,to_server; sid:5544332211; classtype:misc-activity; rev:1; )

  15. Detecting a Toolkit (Limbo) alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"VRSN - LIMBO Web Based Toolkit Detected"; content:"POST|20|"; offset:0; depth:5; flow:established,to_server; sid:5544332211; content:"Referer|3A||20| lol|0D0A|"; pcre:"/\d{8}_\d{6}_\d{5}/R"; classtype:misc-activity; rev:1; )

  16. Tracking C&C Servers + February/March 2008 ▪ 130 Information Stealing Trojan C&C Servers ▪ Hosted on 61 Networks ▪ Network Information Determined Using Team Cymru IP->ASN Mapping Number: 7342 BGP Prefix: 65.205.249.0/24 Country Code: US Registry: arin Date Allocated: 2000-10-27 Name: VERISIGN-AS - VeriSign Infrastructure & Operations Team Cymru IP to ASN Lookup - https://asn.cymru.com/

  17. Frequently Used Networks 3% 3% 3% Other 3% INTERCAGE 4% TTNET-MY 4% AGAVA SAVVIS 4% TTNET 4% ANC 4% 58% DBANK HOPEONE 4% TMIDC 6% ELTEL STARHUBINTERNET

  18. Frequently Used Networks INTERCAGE AS IP Address BGP Prefix CC 27595 58.65.239.13 58.65.239.0/24 HK 27595 58.65.239.27 58.65.239.0/24 HK 27595 58.65.239.29 58.65.239.0/24 HK 27595 58.65.239.3 58.65.239.0/24 HK 27595 58.65.239.84 58.65.239.0/24 HK 27595 69.50.191.203 69.50.160.0/19 US 27595 85.255.119.100 85.255.119.0/24 UA 27595 85.255.121.190 85.255.121.0/24 UA

  19. Frequently Used Networks TTNET-MY AS IP Address BGP Prefix CC 9930 124.217.246.225 124.217.240.0/20 MY 9930 124.217.248.140 124.217.240.0/20 MY 9930 124.217.248.170 124.217.240.0/20 MY 9930 124.217.249.5 124.217.240.0/20 MY 9930 124.217.251.118 124.217.240.0/20 MY 9930 124.217.252.193 124.217.240.0/20 MY 9930 124.217.253.6 124.217.240.0/20 MY

  20. Determining Network “Maliciousness” C&C Known BGP Prefix Total IPs Network IPs Malicious 72.232.225.0/24 5 256 1.9531% DBANK 81.222.138.0/24 4 256 1.5625% ELTEL 79.135.165.0/24 4 256 1.5625% TTNET 122.152.130.0/24 4 256 1.5625% ANC 78.157.192.0/24 3 256 1.1719% WEDARE 202.71.106.0/24 3 256 1.1719% EASTGATE-AP 202.83.212.0/24 2 256 0.7813% SINGTEL 195.5.116.0/24 2 256 0.7813% COMPIC BUILDHOUSE- 195.93.218.0/23 3 512 0.5859% AS 195.2.252.0/23 3 512 0.5859% DINET-AS 124.217.240.0/20 7 4096 0.1709% TTNET-MY 202.75.32.0/20 4 4096 0.0977% TMIDC-AP 89.108.64.0/19 6 8192 0.0732% Agava HOPONE- 209.160.64.0/20 3 4096 0.0732% GLOBAL 72.232.0.0/18 4 16384 0.0244% SAVVIS 62.149.0.0/19 2 8192 0.0244% COLOCALL

  21. Countries Frequently Hosting C&C Servers 4% 9% 4% 4% US RU 3% 10% MY UA 3% 2% HK TR 2% 2% NL DE 12% 7% SG JP 2% LU GB 1% EE CZ 1% TH CN 16% 1% 26% CA

  22. Countries Frequently Hosting C&C Servers Comparison: October 2007 Data (Before RBN Went Down) 9% US 9% RU 4% 3% HK 3% MY 33% DE 7% 1% ES 1% UA 1% BY CA 36% LU

  23. Generic Detection Based on Destination + Highly Malicious Networks Probably Contain Other Bad Servers + Deploy IDS Rules to Detect ANY Traffic to/from Network + Detect Trojans Without Specific Signatures + False Positives More Likely

  24. Conclusions + Toolkit-based Information Stealing Trojans Very Common ▪ Can Have Major Financial Impact ▪ Many Attackers Using Same Trojans + IDS Can Detect Trojan C&C Communications ▪ Identify Infected Hosts ▪ Identify C&C Servers + Since RBN went Offline, Attackers Spread More/Smaller Networks ▪ Less Obvious ▪ Harder to Detect and Track Bulletproof Hosts ▪ But C&C Servers Still Found in Clusters

  25. Questions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie

BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic Guofei Gu, Junjie Zhang, and Wenke Lee College of Computing Georgia Institute of Technology 2008-2-25 Guofei Gu NDSS08 BotSniffer: Detecting Botnet C&C

379 views • 27 slides
TRACER TUTORIAL: TEXT REUSE DETECTION INTRODUCTION TO THE COMMAND LINE AND ACCESSING SERVERS

TRACER TUTORIAL: TEXT REUSE DETECTION INTRODUCTION TO THE COMMAND LINE AND ACCESSING SERVERS

TRACER TUTORIAL: TEXT REUSE DETECTION INTRODUCTION TO THE COMMAND LINE AND ACCESSING SERVERS REMOTELY M arco B uchler, Emily Franzini and Greta Franzini TABLE OF CONTENTS 1. C onnecting to the server 2. Command line introduction 2/100

679 views • 19 slides
RECONNAISSANCE CAMPAIGNS TARGETING INDUSTRIAL CONTROL SYSTEMS By Olivier Cabana, Amr M. Youssef,

RECONNAISSANCE CAMPAIGNS TARGETING INDUSTRIAL CONTROL SYSTEMS By Olivier Cabana, Amr M. Youssef,

DETECTING, FINGERPRINTING AND TRACKING RECONNAISSANCE CAMPAIGNS TARGETING INDUSTRIAL CONTROL SYSTEMS By Olivier Cabana, Amr M. Youssef, Mourad Debbabi, Bernard Lebel, Marthe Kassouf & Basile L. Agba June 17, 2019 Detecting, Fingerprinting

631 views • 35 slides
Outline ! Control-theoretic Framework ! Service delay control on Web servers ! On-line data

Outline ! Control-theoretic Framework ! Service delay control on Web servers ! On-line data

Outline ! Control-theoretic Framework ! Service delay control on Web servers ! On-line data migration in storage servers ! ControlWare: adaptive QoS control middleware 36 # Online Data Migration in Storage Systems ! Enterprise storage servers

761 views • 26 slides
Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien

Static Analysis of Control-Command Systems: Floating-Point and Integer Invariants Vivien Maisonneuve Thesis supervisors: Olivier Hermant Franois Irigoin Thesis defense Paris, February 6, 2015 Control-Command Systems A control-command

1.17k views • 83 slides
Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2

Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2

Command and Control Command and Control Warfare Demonstrator Warfare Demonstrator (C 2 WS) (C 2 WS) 2005-2007 2005-2007 Magdalena Hammervik Jenny Lindoff Martin Castor Lars Tydn Purpose of this presentation Purpose of this presentation

530 views • 24 slides
A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and

A Date with Data Botnet Command and Control Through Tinder A Date with Data Botnet Command and Control Through Tinder (Almost) $whoami Nathaniel Beckstead Interests Blue team Homelab Network Security Find Me github.com/becksteadn

500 views • 22 slides
Trojan Horse Zion Maxwell and Kaylie Davis The Trojan horse The Greeks had a war against the

Trojan Horse Zion Maxwell and Kaylie Davis The Trojan horse The Greeks had a war against the

Trojan Horse Zion Maxwell and Kaylie Davis The Trojan horse The Greeks had a war against the Trojans for ten years. The Torjan horse So they build the Trojan horse the Greeks Gene The Trojan horse After they built it they put a

392 views • 5 slides
Key Human System Integration Plan Elements for Command & Control Acquisition Michael B.

Key Human System Integration Plan Elements for Command & Control Acquisition Michael B.

2010 Command and Control Research and Technology Symposium Key Human System Integration Plan Elements for Command & Control Acquisition Michael B. Cowen, Ph.D. SPAWAR Systems Center Pacific Code 53621 53560 Hull Street San Diego, CA 92152

492 views • 13 slides
Introduction to command line and accessing servers remotely Marco Bchler, Emily Franzini, Greta

Introduction to command line and accessing servers remotely Marco Bchler, Emily Franzini, Greta

Introduction to command line and accessing servers remotely Marco Bchler, Emily Franzini, Greta Franzini, Maria Moritz eTRAP Research Group Gttingen Centre for Digital Humanities Institute of Computer Science Georg August University

560 views • 15 slides
The Environment in Network Centric Operations: A Framework for Command and Control Presented to

The Environment in Network Centric Operations: A Framework for Command and Control Presented to

The Environment in Network Centric Operations: A Framework for Command and Control Presented to the 12th International Command and Control Research and Technology Symposium Paper I-156 Dr. Michael R. Hieb Sean Mackay Michael Powers Martin

332 views • 19 slides
SeizSmart A mobile application for detecting, tracking, and reporting seizures in real time.

SeizSmart A mobile application for detecting, tracking, and reporting seizures in real time.

SeizSmart A mobile application for detecting, tracking, and reporting seizures in real time. Feasibility Presentation CS 410 Spring 2019 Team Silver Abel Weldergay, Kevin Sokol Alpha Din Gabisi, Jeffrey McAteer Danielle Luckraft, Peter

479 views • 27 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk Black Hat USA 2017, Las Vegas Agenda User kernel communication pitfalls in modern operating systems Introduction

1.21k views • 120 slides
Modeling, Detecting, and Tracking of Freezing of Gait in Parkinson Disease using Inertial Sensors

Modeling, Detecting, and Tracking of Freezing of Gait in Parkinson Disease using Inertial Sensors

Freezing of Gait Modeling, Detecting, and Tracking of Freezing of Gait in Parkinson Disease using Inertial Sensors Prateek Gundannavar Vijay Advisor: Arye Nehorai Research Overview Preston M. Green Department of Electrical & Systems

491 views • 21 slides
Response: WCC, SDC & Partners Multi-Agency Command and Control - 4 Cs - Command, Control

Response: WCC, SDC & Partners Multi-Agency Command and Control - 4 Cs - Command, Control

Emergency Planning in Stratford Scrutiny Committee Michael Enderby Head of Service, CSW Resilience 6 th September 2017 04/09/2017 Civil Contingencies Act 2004 THE 7 DUTIES A single framework for civil protection in the United Kingdom to

419 views • 4 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk REcon 2017, Montreal Alternative title (cheers Alex Ionescu!) Memory Disclosure Alternative title KERNELBLEED Agenda

1.7k views • 140 slides
Automated Translation Automated Translation Between Attack Languages Between Attack Languages

Automated Translation Automated Translation Between Attack Languages Between Attack Languages

Automated Translation Automated Translation Between Attack Languages Between Attack Languages (Translating Snort rules to STATL scenarios) (Translating Snort rules to STATL scenarios) Steven T. Eckmann Eckmann Steven T. Reliable Software

296 views • 27 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 7 Intrusion Detection Topics Fundamentals Network IDS Snort Host-based IDS

1.03k views • 72 slides
Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion

Signature Based Intrusion Detection Systems Philip Chan CS 598 MCC Spring 2013 Intrusion Detection Systems Detect malicious Raise alarms activities/attacks Alert administrators Hacking/ unauthorized access Trigger defense

217 views • 21 slides
Compiling PCRE to FPGA for Accelerating SNORT IDS Abhishek Mitra Walid Najjar Laxmi N Bhuyan

Compiling PCRE to FPGA for Accelerating SNORT IDS Abhishek Mitra Walid Najjar Laxmi N Bhuyan

Compiling PCRE to FPGA for Accelerating SNORT IDS Abhishek Mitra Walid Najjar Laxmi N Bhuyan QuickTime and a QuickTime and a decompressor decompressor are needed to see this picture. are needed to see this picture. Outline FPGA

316 views • 27 slides
DarkNOC Dashboard for Honeypot Management Bertrand Sobesto(1),

DarkNOC Dashboard for Honeypot Management Bertrand Sobesto(1),

DarkNOC Dashboard for Honeypot Management Bertrand Sobesto(1), Michel Cukier(1), Ma9 Hiltunen(2), David Kormann(2), Gregory Vesonder(2), Robin Berthier(3) (1)

437 views • 22 slides
Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF)

Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF)

Suricata, the Terminator of IDS/IPS world ric Leblond OISF July 9, 2013 ric Leblond (OISF) Suricata, the Terminator of IDS/IPS world July 9, 2013 1 / 40 Some word about me Eric Leblond French Previously, co-founder and CTO of EdenWall

2.73k views • 62 slides
SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang

SymTCP: Eluding Stateful Deep Packet Inspection with Automated Discrepancy Discovery Zhongjie Wang , Shitong Zhu, Yue Cao, Zhiyun Qian, Chengyu Song, Srikanth Krishnamurthy, Kevin Chan, and Tracy Braun What is DPI (Deep Packet Inspection)?

205 views • 19 slides
Cyber@UC; Meeting 28 Cyber Kill Chain If Youre New! Join our Slack ucyber.slack.com

Cyber@UC; Meeting 28 Cyber Kill Chain If Youre New! Join our Slack ucyber.slack.com

Cyber@UC; Meeting 28 Cyber Kill Chain If Youre New! Join our Slack ucyber.slack.com Follow us on Twitter @UCyb3r and Facebook UC.yber; University of Cincinnati OWASP Chapter Feel free to get involved with one of our committees:

430 views • 23 slides

More recommend