Jonell Baltazar, A Trend Micro Research Paper (Retrieved May 2010).


Outline Introduction Botnet Developments KOOBFACE Development Timeline Summary

Introduction In the following paper, TrendLabs exposes the latest developments made to the KOOBFACE botnet in order to keep it running and to secure its transactions from the prying eyes of security researchers and law enforcers alike.

Botnet Developments Some of these developments are implemented in order to make analysis and reverse engineering difficult for researchers. One such development is the introduction of a second layer of servers called proxy command-and-control (C&C) servers, which makes the gang's infrastructure more resilient to C&C takedown.

Recent KOOBFACE botnet architecture development

Botnet Developments KOOBFACE URLs The sites are capable of banning the IP addresses of users who tried, on more than one occasion, to access them. Through this, the gang's members were able to prevent constant monitoring by security researchers using a single IP address. Each KOOBFACE-controlled URL now has a local copy of banned IP addresses.

Botnet Developments Spammed URLs The gang tried to trick users into viewing a bogus video by accessing the spammed link. The KOOBFACE-spammed URLs have started coming in different forms. In the past, users only had to click a single link to end up on a page where the KOOBFACE binary could be downloaded. The new URLs either use the old template or encoded IP addresses.

Old KOOBFACE URL spamming style

KOOBFACE-spammed URL with hex-encoded IP address parts

Botnet Developments URL Redirectors In the past, users who clicked KOOBFACE-spammed URLs went through a few redirections before landing on a fake YouTube or Facebook site with the help of an unobfuscated JavaScript redirector. Another change the gang has implemented is to obfuscate such scripts using string replacement. After deobfuscation, the IP addresses that point to fake YouTube pages where KOOBFACE binaries could be downloaded (final landing pages) have been seen to use random ports.

Old KOOBFACE redirector script

Obfuscated KOOBFACE redirector script

Deobfuscated KOOBFACE redirector script

Botnet Developments Final Landing URLs The more recently discovered final landing pages (fake YouTube pages) sported URLs with random ports and randomly named subdirectories.

Final landing URL that serves a fake YouTube page sporting the new theme
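The two URL changes described above (hex-encoded IP address parts in spammed URLs, and random ports on final landing URLs) can be normalized and flagged during triage. The following is an added example, not code from the Trend Micro paper; it assumes the hex encoding is applied per octet (e.g. 0xC0.0xA8.0x01.0x02), which the paper does not spell out, and the sample URLs are constructed, not real indicators.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs in the style the paper describes; these are
# NOT real KOOBFACE indicators.
SAMPLE_URLS = [
    "http://0xc0.0xa8.0x01.0x02/video.php?id=123",   # hex-encoded octets
    "http://192.0.2.10:4172/abc123/index.html",        # random port + subdir
    "http://www.example.com/watch?v=abc",              # nothing unusual
]

# Assumption: each IP octet is written as 0x followed by 1-2 hex digits.
HEX_OCTET = re.compile(r"^0x([0-9a-f]{1,2})$", re.IGNORECASE)
COMMON_PORTS = {80, 443}


def decode_hex_host(host):
    """Return the dotted-quad form if host is four hex-encoded octets, else None."""
    parts = host.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        match = HEX_OCTET.match(part)
        if not match:
            return None
        octets.append(str(int(match.group(1), 16)))
    return ".".join(octets)


def triage_url(url):
    """Return normalized host, explicit port (or None) and a list of flags."""
    parsed = urlsplit(url)
    host = parsed.hostname or ""
    decoded = decode_hex_host(host)
    flags = []
    if decoded:
        flags.append("hex-encoded-ip")
    port = parsed.port  # None when the URL carries no explicit port
    if port is not None and port not in COMMON_PORTS:
        flags.append("nonstandard-port")
    return {"host": decoded or host, "port": port, "flags": flags}


def triage_all(urls):
    """Map each URL to its triage findings."""
    return {url: triage_url(url) for url in urls}
```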

Botnet Developments C&C Proxy URLs C&C proxy URLs can be extracted from the KOOBFACE loader and social networking components. While old C&C proxy URLs were still being used, the KOOBFACE scripts were installed in the .sys subdirectory. New C&C proxy URLs have been found with randomly named subdirectories.

Old C&C proxy URL format

New proxy C&C URL format that uses randomly named subdirectories instead of just .sys

Botnet Developments Proxy C&C Communications The KOOBFACE gang already encrypts their C&C communications using the Data Encryption Standard (DES). The encrypted data is found after the new command #BLUELABEL and can only be decrypted using a key defined by the gang itself.

Sample DES-encrypted data and its decrypted form

KOOBFACE Development Timeline

Summary The gang changed the manner in which the spammed URLs were formatted and started using random ports instead of just the usual HTTP port. They banned IP addresses to prevent frequent access to and monitoring of KOOBFACE-controlled sites. They began encrypting their C&C communications.