Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title,

Slides:



Advertisements
Similar presentations
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Advertisements

Click to edit Master title style. Click to edit Master subtitle style.
Chapter 17: WEB COMPONENTS
By Hiranmayi Pai Neeraj Jain
IIS Technologies.
Introduction to Web Application Architectures Web Application Architectures 18 th March 2005 Bogdan L. Vrusias
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
Automated Malware Analysis
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Linux Operations and Administration
PROJECT IN COMPUTER SECURITY MONITORING BOTNETS FROM WITHIN FINAL PRESENTATION – SPRING 2012 Students: Shir Degani, Yuval Degani Supervisor: Amichai Shulman.
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
資安新聞簡報 報告者:劉旭哲、曾家雄. Spam down, but malware up 報告者:劉旭哲.
1 CS 3870/CS 5870 Static and Dynamic Web Pages ASP.NET and IIS.
B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel
HINARI/Basic Internet Concepts (module 1.1). Instructions - This part of the:  course is a PowerPoint demonstration intended to introduce you to Basic.
APT29 HAMMERTOSS Jayakrishnan M.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level 1 Using LinkedIn.
Configuring Electronic Health Records Privacy and Security in the US Lecture f This material (Comp11_Unit7f) was developed by Oregon Health & Science University,
Click to edit Master title style Click to edit Master text styles –Second level Third level –Fourth level »Fifth level June 10 th, 2009Event details (title,
Bots Used to Facilitate Spam Matt Ziemniak. Discuss Snort lab improvements Spam as a vehicle behind cyber threats Bots and botnets What can be done.
Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.
Click to edit Master title style Click to edit Master text styles –Second level Third level –Fourth level »Fifth level June 10 th, 2009Event details (title,
CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.
Click to edit Master title style Click to edit Master text styles –Second level Third level –Fourth level »Fifth level June 10 th, 2009Event details (title,
Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.
Web Attacks— Offense… The Whole Story Yuri & The Cheeseheads Mark Glubisz, Jason Kemble, Yuri Serdyuk, Kandyce Giordano.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Advanced Persistent Threats (APT) Sasha Browning.
Malicious Software.
Computer Security Status Update FOCUS Meeting, 28 March 2002 Denise Heagerty, CERN Computer Security Officer.
0wning the koobface botnet. intro web 2.0 botnet spreads through social networks –facebook –myspace –twitter, etc.
Click to edit Master title style Click to edit Master text styles –Second level Third level –Fourth level »Fifth level 1 CustomerSoft ESP Contact Operations.
 AJAX technology  Rich User Experience  Characteristics  Real live examples  JavaScript and AJAX  Web application workflow model – synchronous vs.
Title of Presentation May Go Here Department Name Presentation for March 4, 2014 University Marketing.
Page 1 Viruses. Page 2 What Is a Virus A virus is basically a computer program that has been written to perform a specific set of tasks. Unfortunately,
2012 Malnet Report: Breaking the Vicious Cycle Grant Asplund Senior Technology Evangelist.
IN THIS LESSON WE WILL REVIEW THE STRUCTURE OF THE INTERNET AND HOW BROWSERS ASSEMBLE WEBSITES BASED ON INSTRUCTIONS THEY RECEIVE FROM SERVERS. Internet.
Testing Exploits and Malware in an isolated environment Luca Allodi – Fabio Massacci – Vadim Kotov
NADAV PELEG HEAD OF MOBILE SECURITY The Mobile Threat: Consumer Devices Business Risks David Parkinson MOBILE SECURITY SPECIALIST, NER.
©2015 Check Point Software Technologies Ltd. 1 Website Watering Holes Endpoints are at risk in numerous ways, especially when social engineering is applied.
Powerpoint presentation on Drive-by download attack -By Yogita Goyal.
Headline sample style Intro sample style Click to edit Master text styles –Second level Third level –Fourth level o Fifth level.
Internet Vulnerabilities & Criminal Activity Internet Forensics 12.1 April 26, 2010 Internet Forensics 12.1 April 26, 2010.
Malware Reverse Engineering Process
Employee clicks on fake
Click to Add Title Click to Add Subtitle.
Malware Reverse Engineering Process
Click to Add Title Click to Add Subtitle.
NET 311 Information Security
SPRING DRAGON APT - A CASE STUDY OF TARGETED ATTACKS IN APAC COUNTRIES
Click to edit Master text styles
Click to Add Title Click to Add Subtitle.
Click to Add Title Click to Add Subtitle.
Author names here Author association names here
Click to edit Master text styles
Click to edit Master text styles
Slide Title Edit Master text styles Second level Third level
ОПШТЕСТВО ТЕМА: МЕСТОТО ВО КОЕ ЖИВЕАМ Скопје
Author names here Author associations here
Author names here Author associations here
Click to edit Master text styles
Author names here Author associations here
Test 3 review FTP & Cybersecurity
Click to edit Master text styles
Presentation transcript:

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Automated infection system: New generation of threats Based on a story of Gumblar trojan APRICOT, 1st – 5th of March 2010, Kuala Lumpur Michael Molsner Senior Malware Analyst

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) What is Gumblar? Components list

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar components APRICOT, 1st – 5th of March 2010, Kuala Lumpur List of components: Exploits component: Adobe PDF exploits Adobe Flash exploits Win32 trojan application Server PHP backdoor HTTP redirector component (infected html) Injection component (html infector + server script spreader)

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Component tiers APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Data flows APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Speed of growth HTML Injection Count

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Speed of growth Number of server-side infections in October-November 2009 APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Global Location analysis Status Dec 04 th 2009

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Global Location analysis Status Feb 16th 2010

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Injection Statistics Japan Domestic Location analysis Local access count analysis

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Injection Statistics Malaysia Domestic Location analysis

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar-x vs Pegel Gumblar-xPegel Exploit Adobe Reader Targets FlashMDAC MSOffice WebComponentSnapShotViewer Internet ExplorerJRE Function FTP acc Rootkit Fake AV Botnet join JP Count

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Possible origins Timeline analysis

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Timeline analysis HTML injection time: APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Timeline analysis Daylight zones (05:00 UTC) APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Timeline analysis Daylight zones (15:00 UTC) APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Case study HTML Injected sites

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar Samples APRICOT, 1st – 5th of March 2010, Kuala Lumpur Many kind of web sites were found victimized. At especially high risk: Small businesses (lower IT skill; business loss) Admins using same Passwords for multiple sites (adult)

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar Samples APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar Samples Really ANY kind of web site can be a target. Some Police related samples: APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar components Analysis of active components: HTTP redirector component (injected.htm*,.js) Injection component (html infector + server script spreader) APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar components HTTP redirector component (infected html)

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar components Analysis of active components: Exploits component: MSOfficeWeb exploit Adobe PDF exploits Adobe FLASH exploits WIN32 Trojan ROOTKIT DLL injection Web traffic hook APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Exploit layers Adobe PDF exploit shellcode downloads Win32 malware APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar components Analysis Script exploit: APRICOT, 1st – 5th of March 2010, Kuala Lumpur Cookie,Referer,UA check Dynamic code on access ENV dependent attack Exploit downloader

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar components Analysis PDF reader exploit: PDF file FlateDecode JavaScript Downloader APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar components APRICOT, 1st – 5th of March 2010, Kuala Lumpur CWS file 1 FWS file 1 Binary Decrypt CWS file 2 FWS file 2 Strings ASCII  bin FWS file 3 (Downloader) Flash Player exploit:

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar components APRICOT, 1st – 5th of March 2010, Kuala Lumpur Downloaded Exe... Creates DLL Restart … Process Injection Win32 trojan application

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar components APRICOT, 1st – 5th of March 2010, Kuala Lumpur Win32 trojan application C&C Communication Hidden in legit stream Self UPDATE FTP Acc data stolen

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) JAVASCRIPT Gumblar components APRICOT, 1st – 5th of March 2010, Kuala Lumpur REDIRECT BROWSER? Internet Explorer MSOfficeWeb EXPLOIT? DOWNLOADER PDFCWS EXE DOWNLOADER 404

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar Demo Infection procedure Live demonstration with Virtual machines as Server & Client (DEMO) APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Gumblar Demo Server PHP backdoor Command line level access to compromised machine (DEMO) APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Variable name analysis Eastern European name “iutka” - the only meaningful identifier APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Automated infection system Generalization of Gumblar threat

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Definition Automated Infection System (AIS) is a distributed multicomponent information system which has a viral nature and can grow on its own by establishing the data exchange between its components. The growth of the system is estimated by the number of computers which hosts the components of the system.

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Threat level estimation How dangerous is such system?

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Threat level estimation Risks: Very large scale Sensitive data leakage International Rapidly growing No human interaction required (self-sufficient) Has the power of server botnet APRICOT, 1st – 5th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Threat level estimation Weaknesses: Dependence on the root servers Elimination of root infector-servers stops system operation Dependence on stable data exchange Destruction of few communication channels (even basing on network filtering) stops system growth Compatibility problem (different platforms/interpreters) The code highly depends on usage of compatible (sometimes deprecated) functions to work correctly Can be simply honeypotted The system may be artificially fed with honeypot FTP credentials that will reveal active servers APRICOT, 1 st – 5 th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) Conclusion Success due to low profile visibility; Result - slow countermeasures by AV industry; Multiple infection routines & obfuscation; Frequent code changes to circumvent security software; APRICOT, 1 st – 5 th of March 2010, Kuala Lumpur

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title, place) APRICOT, 1 st – 5 th of March 2010, Kuala Lumpur Michael Molsner Thank you !

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.