zeus financial malware
play

Zeus Financial Malware Samaneh Tajalizadehkhoob Hadi Asghari - PowerPoint PPT Presentation

Sep 21, 2023 •360 likes •679 views

Why Them? Extracting Intelligence about Target Selection from Zeus Financial Malware Samaneh Tajalizadehkhoob Hadi Asghari Carlos Gan Michel van Eeten Economics of Cybersecurity Group, Delft University of Technology Outline 1. Problem

  1. Why Them? Extracting Intelligence about Target Selection from Zeus Financial Malware Samaneh Tajalizadehkhoob Hadi Asghari Carlos Gañán Michel van Eeten Economics of Cybersecurity Group, Delft University of Technology

  2. Outline 1. Problem of online banking fraud 2. Zeus malware Capturing attackers’ instructions from infected machines 3. 4. Extracting intelligence from the instructions (targets, inject code) 5. Who is being targeted? 6. Do bigger targets attract more attacks? 7. How fast do attackers explore new targets? 8. Did the sudden availability of Zeus source code increase attacks? 9. How does inject code evolve? 10. Conclusion 2 Online Banking Fraud and Target Selection by Cybercriminals

  3. Online banking fraud • Fraud statistics for the Single European Payment area are around € 800 million (European Central Bank, 2014) • Different banks with different properties are targeted around the world • No clear patterns have been found till now • Little information is published about the targeted domains • Even when the information exists, it is incomplete and under/over counted 3 Online Banking Fraud and Target Selection by Cybercriminals

  4. Outline 1. Problem of online banking fraud 2. Zeus malware Capturing attackers’ instructions from infected machines 3. 4. Extracting intelligence from the instructions (targets, inject code) 5. Who is being targeted? 6. Do bigger targets attract more attacks? 7. How fast do attackers explore new targets? 8. Did the sudden availability of Zeus source code increase attacks? 9. How does attack code evolve? 10. Conclusion 4 Online Banking Fraud and Target Selection by Cybercriminals

  5. Targeted bank MiiB Bot Zeus C&C Bot Zeus C&C MiiB Bot Zeus Bot C&C 5 Online Banking Fraud and Target Selection by Cybercriminals

  6. Targeted bank MiiB Bot C&C Bot C&C MiiB Bot C&C Bot 11,000 config files targeting (2009 - 2013) 6 Online Banking Fraud and Target Selection by Cybercriminals

  7. 7 Online Banking Fraud and Target Selection by Cybercriminals

  8. Outline 1. Problem of online banking fraud 2. Zeus malware Capturing attackers’ instructions from infected machines 3. 4. Extracting intelligence from the instructions (targets, inject code) 5. Who is being targeted? 6. Do bigger targets attract more attacks? 7. How fast do attackers explore new targets? 8. Did the sudden availability of Zeus source code increase attacks? 9. How does attack code evolve? 10. Conclusion 8 Online Banking Fraud and Target Selection by Cybercriminals

  9. Targeted domains • Between January 2009 and March 2013, 2,131 unique botnets were in operation (based on different encrypted command and control channels) • These botnets targeted 2,412 unique domains – via 14,870 unique URLs • Located in 92 countries • Over 74% of the targets are financial service providers 9 Online Banking Fraud and Target Selection by Cybercriminals

  10. Attack persistence Briefly attacked Always attacked 10 Online Banking Fraud and Target Selection by Cybercriminals

  11. Outline 1. Problem of online banking fraud 2. Zeus malware Capturing attackers’ instructions from infected machines 3. 4. Extracting intelligence from the instructions (targets, inject code) 5. Who is being targeted? 6. Do bigger targets attract more attacks? 7. How fast do attackers explore new targets? 8. Did the sudden availability of Zeus source code increase attacks? 9. How does attack code evolve? 10. Conclusion 11 Online Banking Fraud and Target Selection by Cybercriminals

  12. Is target popularity related to its size? • Minor, but significant relationship between the size of a domain (measured by Alexa ranking) and the persistence of attacks 12 Online Banking Fraud and Target Selection by Cybercriminals

  13. Is target popularity related to its size? • United States: out of around 6,500 financial institutions with online presence, only 175 have been targeted • Almost all of the larger banks (48 of the top 50) are attacked • Size acts as a threshold for being attacked; it does not predict attack intensity 13 Online Banking Fraud and Target Selection by Cybercriminals

  14. Outline 1. Problem of online banking fraud 2. Zeus malware Capturing attackers’ instructions from infected machines 3. 4. Extracting intelligence from the instructions (targets, inject code) 5. Who is being targeted? 6. Do bigger targets attract more attacks? 7. How fast do attackers explore new targets? 8. Did the sudden availability of Zeus source code increase attacks? 9. How does attack code evolve? 10. Conclusion 14 Online Banking Fraud and Target Selection by Cybercriminals 14

  15. Trial of new targets • Average of 601attacked domains per month by Zeus malware • Average of 112 of these are new domains each month • There is a relatively stable ceiling in the peaks of overall attacked domains, as well as in the trial and error for new targets 15 Online Banking Fraud and Target Selection by Cybercriminals

  16. Trial of new targets • Seeking new targets across a larger area • In 2012, 17 new countries were targeted, but 18 countries from the previous years were no longer being attacked 16 Online Banking Fraud and Target Selection by Cybercriminals

  17. Outline 1. Problem of online banking fraud 2. Zeus malware Capturing attackers’ instructions from infected machines 3. 4. Extracting intelligence from the instructions (targets, inject code) 5. Who is being targeted? 6. Do bigger targets attract more attacks? 7. How fast do attackers explore new targets? 8. Did the sudden availability of Zeus source code increase attacks? 9. How does attack code evolve? 10. Conclusion 17 Online Banking Fraud and Target Selection by Cybercriminals

  18. Number of active botnets 18 Online Banking Fraud and Target Selection by Cybercriminals

  19. Outline 1. Problem of online banking fraud 2. Zeus malware Capturing attackers’ instructions from infected machines 3. 4. Extracting intelligence from the instructions (targets, inject code) 5. Who is being targeted? 6. Do bigger targets attract more attacks? 7. How fast do attackers explore new targets? 8. Did the sudden availability of Zeus source code increase attacks? 9. How does attack code evolve? 10. Conclusion 19 Online Banking Fraud and Target Selection by Cybercriminals

  20. Inject code development over time • 1.1m target URLs with ‘inject’ codes • On average, each inject code is repeated 27 times; 43% repeated over 1,000 times, and just 1% appears once! • Across all Zeus botnets and attackers, code similarity is over 90% from one attack to the next. 97% per URL per botnet • This suggests sharing, stealing or selling code across attackers 20 Online Banking Fraud and Target Selection by Cybercriminals

  21. Outline 1. Problem of online banking fraud 2. Zeus malware Capturing attackers’ instructions from infected machines 3. 4. Extracting intelligence from the instructions (targets, inject code) 5. Who is being targeted? 6. Do bigger targets attract more attacks? 7. How fast do attackers explore new targets? 8. Did the sudden availability of Zeus source code increase attacks? 9. How does attack code evolve? 10. Conclusion 21 Online Banking Fraud and Target Selection by Cybercriminals

  22. Conclusions • Although Zeus inject code was highly reused and Zeus source code became openly available, the criminal market of Zeus-based attacks did not expand as theory and experts predicted • Mitigating financial fraud might be more effective by allocating resources away from fighting freely available attacker resources 22 Online Banking Fraud and Target Selection by Cybercriminals

  23. Questions? 23 Online Banking Fraud and Target Selection by Cybercriminals

  24. Backup 24 Online Banking Fraud and Target Selection by Cybercriminals 24

  25. Inject Code Size vs. Repetition 25 Online Banking Fraud and Target Selection by Cybercriminals

  26. Summary • Not every Financial Service Provider is equally popular among criminals • Size is a threshold for getting attacked, but does not predict the intensity • Attack persistence varies widely. Half the domains are targeted briefly, mostly likely in search of new targets • Attack (and defense!) is less dynamic than often presumed 26 Online Banking Fraud and Target Selection by Cybercriminals

  27. Summary • The underground market for bots and malware may have lower economic entry barriers for criminals and reduced costs in the value chain of attacks, but it has not increased attack volume (number of botnets) or the number of targets • Attack ceiling suggests other bottlenecks in the criminal value chain, such as in cash out operations and mule recruitment • Defense should focus on these bottlenecks, not only on reducing abundant attacker resources (i.e., bots, malware and injects) 27 Online Banking Fraud and Target Selection by Cybercriminals

  28. Next steps • Map security properties of attacked services (e.g., authentication mechanism) • Study interaction among attack and defense (e.g., deterrence, waterbed effect?) • Statistically model factors that determine fraud levels in countries • Identify most cost-effective countermeasures 28 Online Banking Fraud and Target Selection by Cybercriminals

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ZEUS news Matthew Wing (UCL/DESY) ZEUS papers / analyses ZEUS meetings 2018

ZEUS news Matthew Wing (UCL/DESY) ZEUS papers / analyses ZEUS meetings 2018

ZEUS news Matthew Wing (UCL/DESY) ZEUS papers / analyses ZEUS meetings 2018 Miscellaneous British Museum ZEUS Collaboration Meeting 12 September 2017 ZEUS papers / analyses Further studies of isolated photon production

381 views • 4 slides
10/04/2017 C5th terracotta of Hera Hera Barberini Chiaramonti Museum, Vatican Hera and Zeus

10/04/2017 C5th terracotta of Hera Hera Barberini Chiaramonti Museum, Vatican Hera and Zeus

10/04/2017 C5th terracotta of Hera Hera Barberini Chiaramonti Museum, Vatican Hera and Zeus enthroned Zeus and Hera on Lebes Gamikos Marriage Vase Hera and Zeus from Metope of Temple of Hera at Palermo Hera and Zeus relaxing with other

752 views • 27 slides
ZEUS Novosibirsk, Russia 15-19 June, 2015 O U T L I N E Introduction and experimental set-up

ZEUS Novosibirsk, Russia 15-19 June, 2015 O U T L I N E Introduction and experimental set-up

Heavy flavour production at HERA Uri Karshon Weizmann Institute of Science, ISRAEL On behalf of the H1 and ZEUS Collaborations PHOTON-2015 Conference Budker Institute of Nuclear Physics, ZEUS Novosibirsk, Russia 15-19 June, 2015 O U T L I N

560 views • 22 slides
ZEUS TM Zeus Smoke Zeus Series 8 faces . 4 colors . 3 sizes PURE WARM MATT MATT R9 R9

ZEUS TM Zeus Smoke Zeus Series 8 faces . 4 colors . 3 sizes PURE WARM MATT MATT R9 R9

pietra SERIES TM ZEUS TM Zeus Smoke Zeus Series 8 faces . 4 colors . 3 sizes PURE WARM MATT MATT R9 R9 GRIGIO SMOKE MATT MATT R9 R9 Zeus Warm Sizes: 300x300/ 300 x 600/ 600 x 600 GRIGIO

421 views • 3 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Hercules MariahSummer and RavenT ownsley Hercules Hercules father was Zeus. He told his son

Hercules MariahSummer and RavenT ownsley Hercules Hercules father was Zeus. He told his son

Hercules MariahSummer and RavenT ownsley Hercules Hercules father was Zeus. He told his son that you can be a fu god Hercules said yes but Hera didn't like Hercules because Zeus cheated on Hera and Zeus was married to Hercules mom

345 views • 16 slides
QM2018 preliminary request: Search for collective effects in electron-proton collisions with ZEUS

QM2018 preliminary request: Search for collective effects in electron-proton collisions with ZEUS

QM2018 preliminary request: Search for collective effects in electron-proton collisions with ZEUS Jaap Onderwaater Ilya Selyuzhenkov Achim Geiser Silvia Masciocchi Stefan Floerchinger 27.04.2018 ZEUS QM preliminary release meeting

822 views • 34 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Latest Quarkonium results from HERA Alessandro Bertolin (INFN - Padova) on behalf of H1 and ZEUS

Latest Quarkonium results from HERA Alessandro Bertolin (INFN - Padova) on behalf of H1 and ZEUS

4 - 7 / 10 / 2011 GSI, Darmstadt Latest Quarkonium results from HERA Alessandro Bertolin (INFN - Padova) on behalf of H1 and ZEUS Collaborations Outline: the HERA collider and the experiments H1 and ZEUS charmonium production at HERA

401 views • 24 slides
Early Twentieth-Century Fiction e20fic14.blogs.rutgers.edu Prof. Andrew Goldstone

Early Twentieth-Century Fiction e20fic14.blogs.rutgers.edu Prof. Andrew Goldstone

Early Twentieth-Century Fiction e20fic14.blogs.rutgers.edu Prof. Andrew Goldstone (andrew.goldstone@rutgers.edu) (Murray 019, Mondays 2:304:30) CA: Evan Dresman (evan.dresman@rutgers.edu) (36 Union St. 217, Wednesdays 12:002:00) November

422 views • 16 slides
Supersymmetry searches in ATLAS and CMS in hadronic final

Supersymmetry searches in ATLAS and CMS in hadronic final

Supersymmetry searches in ATLAS and CMS in hadronic final states Sascha Caron (Nikhef and Radboud University Nijmegen) This presentaDon Searches

432 views • 41 slides
Embedding and Data Augmentation yanweifu@fudan.edu.cn

Embedding and Data Augmentation yanweifu@fudan.edu.cn

One-shot Learning in Semantic Embedding and Data Augmentation yanweifu@fudan.edu.cn http://yanweifu.github.io One-shot Learning: learning object categories from just a few images, by incorporating

724 views • 61 slides
GPU Panel for High-Throughput Compu7ng Jimmy Lin University

GPU Panel for High-Throughput Compu7ng Jimmy Lin University

GPU Panel for High-Throughput Compu7ng Jimmy Lin University of Maryland Dis7nguished Panelists Raju Namburu (Army Research Laboratory) George Stantchev

275 views • 8 slides
EHEALTH COMMISSION MEETING APRIL 11, 2018 APRIL AGENDA Call to Order 12:00 Roll Call and

EHEALTH COMMISSION MEETING APRIL 11, 2018 APRIL AGENDA Call to Order 12:00 Roll Call and

EHEALTH COMMISSION MEETING APRIL 11, 2018 APRIL AGENDA Call to Order 12:00 Roll Call and Introductions, Approval of February and March minutes, and April Agenda and Objectives Announcements 12:05 OeHI Updates State Agency, Community

324 views • 17 slides
Basic Structure of a Cell ppt viewing questions part 1 slides 1-26 Review List the main

Basic Structure of a Cell ppt viewing questions part 1 slides 1-26 Review List the main

Basic Structure of a Cell ppt viewing questions part 1 slides 1-26 Review List the main characteristics of living things . Write the levels of organization (living & nonliving) in order beginning with the atom. History & the Cell Theory

595 views • 3 slides
HIVE: Fault Containment for Shared-Memory Multiprocessors J. Chapin, M. Rosenblum, S. Devine, T.

HIVE: Fault Containment for Shared-Memory Multiprocessors J. Chapin, M. Rosenblum, S. Devine, T.

HIVE: Fault Containment for Shared-Memory Multiprocessors J. Chapin, M. Rosenblum, S. Devine, T. Lahiri, D. Teodosiu, A. Gupta CSE 598C Presented by: Sandra Rueda The Problem O.S. for managing FLASH architecture (large shared-memory

464 views • 22 slides
Lindenmayer Systems, Coalgebraically Baltasar Trancn y Widemann 1 Joost Winter 2 1 University

Lindenmayer Systems, Coalgebraically Baltasar Trancn y Widemann 1 Joost Winter 2 1 University

Introduction Principles Extensions Outlook Lindenmayer Systems, Coalgebraically Baltasar Trancn y Widemann 1 Joost Winter 2 1 University of Bayreuth, DE 2 CWI, Amsterdam, NL 11th CMCS, Tallinn, Estonia 2012-03-31 / -04-01 Trancn y

606 views • 38 slides

More recommend