Botnets, malware and network attacks
49
Botnets, malware and… …network attacks Pablo González Carmen Torrano Juan Antonio Calles
-
Upload
carmen-torrano-gimenez -
Category
Technology
-
view
827 -
download
4
description
Presentation about Flu project, malware, botnets and some network attacks. SBC2012
Transcript of Botnets, malware and network attacks
Botnets, malware and……network attacks
Pablo GonzálezCarmen Torrano
Juan Antonio Calles
I am…
• Carmen Torrano Giménez
• Phd Student at CSIC
• Research on Computer Security
• www.flu-project.com
I am…
• Pablo González (@fluproject)
• Head of security department
at Informatica 64
• www.flu-project.com
• www.seguridadapple.com
I am…
• Juan Antonio Calles (@jantonioCalles)
• Security Team Leader at Everis Spain
• elblogdecalles.blogspot.com
• www.flu-project.com
Timeline
What is Flu Project?
Malware and Botnets
Data Network Attacks!
What is…
What is… Flu?
Free Communit
y
Ethical Hacking
Social Awareness
Anti cybergrooming with Anti
Depredadores
Application development
Application development
• Flu• Anubis (footprinting and
fingerprinting)• Liberad a Wifi (default key
generation for Wifi routers)• Flunym0us (vulnerability scanner
Moodle, Wordpress)
Collaboration
Cybergrooming
So, Flu really is…
Knowledge… …Learning……Concepts…
…Security……Collaboration…
…Awareness…You… …Freedom
Malware
Malware Classes
• Viruses• Worms• Trojans• Rootkits• Spyware• Time bombs
Viruses
• They are only a kind of malware
• What is their goal? Destruction!
• Flu is not a virus
Virus Phases
Dormant
Propagation
Attack
Types…
• Boot
• Files
• Polymorphic
• Macro
Worms
• What are they?
• Key feature: Replication
• Flu is not a worm
Trojans
• What are they? Powerful!
• Remote control
• Direct and reverse
• Yeah! Flu is a trojan but……It’s a educational trojan
Rootkits
• What are they?
• Rootkit != management OR remote control software
• Key feature: they hide things…
Spyware
• What is it?
• Not harmful malware but attempts against privacy
• Key feature: Spy & Statistics
Time bombs
• What are they? Simple code but… destructive!
• Key feature: delayed action• Bash, Sh, Ksh, Dash, cmd, PowerShell
…• …And, Flu is not a time bomb
Botnets
Botnets
• What are they? • Bots, zombies, botmaster• Flu• Statistics: 10% of you belong to a
botnet!!• DOS attack – Anonymous (against
Internet censhorship- hacked CIA webpage)
Flu Features
• Hidden in the user folder, hidden process
• HaaS: Hacking as a Service
• Bot generator
• Client-server architecture
• WAMP (Windows, Apache, MySql
and PHP)
• Windows + .Net Framework
Flu architecture
Flu architecture
Flu Features
Keylogger Remote CMD & Powershell
Screenshot
Capture Microphone Steal Files Manageme
nt Registry
MSN Information
Web History
Passwords
And More…
Flu features
• Dynamic ID in XML file
• Commands directed to:– A specific computer– The whole botnet
Flu features
• AES encription (128 bits)• Hash of the files• GUI for Android• Undergraduate thesis at Deusto
University
Practical example
Dem
o
Data Network Attacks
1- Sniffing
PC HACKER
PC 1
PC 2 PC 3
PC 4
Sniffer
Filtra Filtra
Sniffing: hub
Hub
Datos PC 4
Sniffer
MAC 1
MAC 2 MAC H MAC 3
MAC 4
Port 1 MAC 1Port 2 MAC 2Port 6 MAC HPort 11 MAC 3Port 12 MAC 4
Sniffing: Switch
Switch
PC HACKER
PC 1
PC 2 PC 3
PC 4
Data PC 4
2- ARP Spoofing(MITM)
IP: MAC:
10.0.0.10 – ALICE 00:00:00:00:00:50 - ATTACKER
IP: MAC:
10.0.0.20 – BOB 00:00:00:00:00:50 - ATTACKER
Alice
IP: MAC:IP: MAC:IP: MAC:
10.0.0.20 – BOB 00:00:00:00:00:20 – BOB
IP: MAC:
10.0.0.10 – ALICE 00:00:00:00:00:10 – ALICE
Who is 10.0.0.20?
Who is 10.0.0.20?
10.0.0.20 is in 00:00:00:00:00:20
ARP Reply
ARP Request
10.0.0.10 is in
00:00:00:00:00:50
Bob
IP 10.0.0.50MAC 00:00:00:00:00:50
Eve
IP 10.0.0.10MAC 00:00:00:00:10
IP 10.0.0.20MAC 00:00:00:00:20
TABLA ARP ALICE TABLA ARP BOB
10.0.0.20 is in
00:00:00:00:00:50
Goals of MITM• Stealing:
– passwords
–hashes
–files
–sessions
Demo: MItM
3 - Hijacking
• Goal: Steal user identity/session (impersonation)
• Types: transport layer, application layer
• We focus on HTTP Communication
• Social Networks, Webmails…
Hijacking
Hijacking• I do not need your password!• HTTPs (authentication), HTTP
(rest of the session)• Insecure communications- Cookie Stolen… Ouch!• Firesheep
Demo: Hijacking
Finally…
Proud…
• Juanan and…
• “La biblia del Footprinting”
• Free!!!
…And Proud… :D
• Pablo and… his book
• “PowerShell: La navaja suiza de los administradores de sistemas”
• Sad… Not Free :(
Shopping!
• 5 Euros!• Really?? Yeah! • Finance… for Project!
Thank you!
www.flu-project.com
@fluproject@jantonioCalles@ctorranog
Grupo Flu Project
Grupo Flu Project
Feeds.feedburner.com/FluProject
Contact
