I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF...

28
I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY

TAGS:

Transcript of I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF...

Page 1: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

I LIKE FANCY SLIDESBECAUSE I CAN, THAT’S WHY

Page 2: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

LET’S PLAY:IS IT INFECTED?

THREE EXAMPLES OF MALWARE WACKINESS

Page 3: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

WHO AM I

• JimmyJohn• SysAdmin turned security enthusiast• (Thanks Angelina Jolie!)

• Interested in Malware Research

Page 4: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

FIRST ONE IS KIND OF OBVIOUS

Page 5: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

KULUOZ.D?

I THINK YOU MEAN … KULU`LOL’Z!

BUT SERIOUSLY ITS NOT GOOD

Page 6: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

WIN32/KULUOZ.D CHECKIN ALERTFirst Contact…

Page 7: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.
Page 8: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

WHAT MORE CAN WE FIND OUT?

Page 9: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

"SHOOT IT," SAID MY ATTORNEY."NOT YET," I SAID. "I WANT TO STUDY ITS HABITS.”

Page 10: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

WHAT DO WE FIND IN THAT LOCATION?

cudmgthj.exedhbnwbgf.exe

mnaumjjk.exe

Page 11: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

WHAT’S THIS MEVADE CRAP?

Page 12: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

MEVADE CHECKIN ALERT

First Contact…

Page 13: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.
Page 14: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.
Page 15: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

MEVADE ATTEMPTS TO FIND OUT WHERE ITS INSTALLED

Page 16: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

WHAT ELSE CAN WE TELL?

Time to research

Page 17: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

MEVADE CHARACTERISTICS

• Mevade.A installed via a fake Flash player update (FlashPlayerUpdateService.exe)

• Mevade communicates with the C&C server using the following URL format:• http://{malicious domain}/updater/{32 random hexadecimal characters}/{1 digit number}

• Mevade will use SSH over port 443 to exfiltrate stolen data via an encrypted channel

• Mevade.B and Mevade.C have either abandoned SSH over 443 in favor of using Tor, or do not rely on it as much• This change came on August 19, 2014, on that date over one million new Tor users suddenly

appeared, bringing to light a botnet which had previously been undiscovered! But nice try Mevade! Maybe next time!

Page 18: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

• Argus is network monitoring software that tracks “network flows”, IE TCP sessions

• When coupled with PF_RING in a Linux environment, a single process seems to be able to adequately monitor at least ~ 2 Gbps network links ( < 1% loss)• This is further reduced with the use of DNA specific drivers, but is not

supported

• Can capture the first X bytes of a TCP session, letting you reduce the size of archived network traffic to fit your needs

• Oh yeah, its free, and is still very much maintained by one very awesome but kind of eccentric guy named Carter Bullard

ENTER ARGUSHI

GUYS!

Page 19: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.
Page 20: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

SHOULD WE HAVE SEEN OTHER ALERTS?

SHORT ANSWER: YES … BUT NO

Page 21: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

SOURCES

• http://threatpost.com/moving-to-tor-a-bad-move-for-massive-botnet/102284

• http://blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/

• https://blog.damballa.com/archives/2135• http://

securityaffairs.co/wordpress/17601/cyber-crime/botnet-behind-tor-traffic-surge.html

http://threatpost.com/moving-to-tor-a-bad-move-for-massive-botnet/102284
http://threatpost.com/moving-to-tor-a-bad-move-for-massive-botnet/102284
http://threatpost.com/moving-to-tor-a-bad-move-for-massive-botnet/102284
http://threatpost.com/moving-to-tor-a-bad-move-for-massive-botnet/102284
http://blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/
http://blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/
http://blog.trendmicro.com/trendlabs-security-intelligence/us-taiwan-most-affected-by-mevade-malware/
https://blog.damballa.com/archives/2135
https://blog.damballa.com/archives/2135
http://securityaffairs.co/wordpress/17601/cyber-crime/botnet-behind-tor-traffic-surge.html
http://securityaffairs.co/wordpress/17601/cyber-crime/botnet-behind-tor-traffic-surge.html
http://securityaffairs.co/wordpress/17601/cyber-crime/botnet-behind-tor-traffic-surge.html
Page 22: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

DAMN JIMMY – YOU’RE TWO FOR TWO

BUT WAIT …

THERE’S MORE

Page 23: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

OH NO! ZBOT! … I THINK!

Page 24: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

IS THIS A ZBOT?

IS THIS A ZBOT?

IS THIS A ZBOT?

No … that’s Adobe Flash Player

No … that’s Windows Updates

No … that’s Windows updates download through 360 Safe ...

Well maybe THAT one is a ZBot

Page 25: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

THERE ARE SO MANY HITS ON THIS RULE …

Page 26: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

WAIT A MINUTE … WHAT’S THIS ONE?

IT’S A ZBOT … PROBABLY!

Page 27: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.
Page 28: I LIKE FANCY SLIDES BECAUSE I CAN, THAT’S WHY. LET’S PLAY: IS IT INFECTED? THREE EXAMPLES OF MALWARE WACKINESS.

MORAL OF THE STORY, IT’S PROBABLY NOT A ZBOT

• But does it have to be?• Single rules are very tough to have confidence in• Need to look at overall behavior• Alerting needs to happen on data correlation


FOUR REASONS NOT TO NUKE AN INFECTED MACHINEdocs.media.bitpipe.com/io_12x/io_121339/item... · In today’s world of Zero-day malware and advanced multi-stage threats, it sometimes

FOUR REASONS NOT TO NUKE AN INFECTED MACHINEdocs.media.bitpipe.com/io_12x/io_121339/item... · In today’s world of Zero-day malware and advanced multi-stage threats, it sometimes

16 Plant Automation Weathering the perfect storm...(supervisory control and data acquisition) system in Pennsylvania was infected with malware and spyware through an employee’s laptop

16 Plant Automation Weathering the perfect storm...(supervisory control and data acquisition) system in Pennsylvania was infected with malware and spyware through an employee’s laptop

Running head: THE DANGERS OF MOBILE COMPUTING › 9db4 › c31ad912146b... · high-speed connections, unpatched operating systems, devices infected with spyware, malware, viruses,

Running head: THE DANGERS OF MOBILE COMPUTING › 9db4 › c31ad912146b... · high-speed connections, unpatched operating systems, devices infected with spyware, malware, viruses,

Malware Defense I - ida.liu.seTDDD17/lectures/slides/tddd17-malware-I.pdf · • Ransomware either lock the GUI of infected computer or encrypt all files on hard drive. Then requires

Malware Defense I - ida.liu.seTDDD17/lectures/slides/tddd17-malware-I.pdf · • Ransomware either lock the GUI of infected computer or encrypt all files on hard drive. Then requires

Securing hacked website // Malware infected website filled with backdoors

Securing hacked website // Malware infected website filled with backdoors

Modeling Internet-Scale Policies for Cleaning up Malwareweis2011.econinfosec.org/papers/Modeling Internet... · malicious software, or malware. Malware can harm the infected computer

Modeling Internet-Scale Policies for Cleaning up Malwareweis2011.econinfosec.org/papers/Modeling Internet... · malicious software, or malware. Malware can harm the infected computer

SAS and all other SAS Institute Inc. product or service ... · malware will survive the restart of an infected operating system. Malware might use genetic and polymorphic obfuscation

SAS and all other SAS Institute Inc. product or service ... · malware will survive the restart of an infected operating system. Malware might use genetic and polymorphic obfuscation

Mobile Malware - Sharifsharif.edu/~kharrazi/courses/40442-952/18-mobile-malware.pdf · bank and mobile accounts associated with infected devices. ... • Mobile malware

Mobile Malware - Sharifsharif.edu/~kharrazi/courses/40442-952/18-mobile-malware.pdf · bank and mobile accounts associated with infected devices. ... • Mobile malware

Mens fancy dress costumes from Universal Fancy Dress

Mens fancy dress costumes from Universal Fancy Dress

What to do if My PC is Infected With Malware

What to do if My PC is Infected With Malware

Today’s Vision and Tomorrow's Reality · 2018-04-02 · 4/17/2015 3 Sasha Panin’s malware Atlanta prison in April 2017 ZeuS malware ZeuS, created in 2007, had infected more than

Today’s Vision and Tomorrow's Reality · 2018-04-02 · 4/17/2015 3 Sasha Panin’s malware Atlanta prison in April 2017 ZeuS malware ZeuS, created in 2007, had infected more than

Volume 37 June 2012 Number 6 - wordpress.semco.org · scheme that infected millions of computers worldwide with a “DNS Changer” malware that redirected legitimate commercial transactions

Volume 37 June 2012 Number 6 - wordpress.semco.org · scheme that infected millions of computers worldwide with a “DNS Changer” malware that redirected legitimate commercial transactions

Malware & Anti-Malware

Malware & Anti-Malware

Use of Fancy Bear Android Malware in Tracking of Ukrainian Field ...

Use of Fancy Bear Android Malware in Tracking of Ukrainian Field ...

Nearly 400 Dairy Queen Locations Infected with Backoff Malware · 2014-11-13 · 300 Stores in 20 States Infected with Malware Payment Card Data Exposed

Nearly 400 Dairy Queen Locations Infected with Backoff Malware · 2014-11-13 · 300 Stores in 20 States Infected with Malware Payment Card Data Exposed

Handle andle with Care - Bitpipeviewer.media.bitpipe.com/1229465404_952/1301076816...malware and other scams aimed at luring the unwary to infected websites. For instance, security

Handle andle with Care - Bitpipeviewer.media.bitpipe.com/1229465404_952/1301076816...malware and other scams aimed at luring the unwary to infected websites. For instance, security

Oregon Presented by: John Ritchie Date: August 9 th, 2011 – GFIRST7 INFECTED! Using the Oregon SIRT Malware Toolkit to Safely Determine Source, Vector.

Oregon Presented by: John Ritchie Date: August 9 th, 2011 – GFIRST7 INFECTED! Using the Oregon SIRT Malware Toolkit to Safely Determine Source, Vector.

ADVANCED MALWARE PROTECTION/media/scansource-kbz... · Use case: roaming workforce, off-network protection Challenge § Roaming laptops getting infected off network § Users going

ADVANCED MALWARE PROTECTION/media/scansource-kbz... · Use case: roaming workforce, off-network protection Challenge § Roaming laptops getting infected off network § Users going

VM INTROSPECTION - Inspiratron.orginspiratron.org/Malware History.pdf · VM INTROSPECTION ISSUE 16 AUGUST 2013 ... V-sign is another virus that also infected the ... a self-replicating

VM INTROSPECTION - Inspiratron.orginspiratron.org/Malware History.pdf · VM INTROSPECTION ISSUE 16 AUGUST 2013 ... V-sign is another virus that also infected the ... a self-replicating

Isolation - Sharifsharif.edu/~kharrazi/courses/40442-952/03-isolation.pdf– VMI: Virtual Machine Introspection • Allows VMM to check Guest OS internals Dan Boneh Infected VM malware

Isolation - Sharifsharif.edu/~kharrazi/courses/40442-952/03-isolation.pdf– VMI: Virtual Machine Introspection • Allows VMM to check Guest OS internals Dan Boneh Infected VM malware