The hidden part of TDSS Sergey (k1k) Golovanov, Malware Expert Global Research and Analysis Team Kaspersky Lab.


Content

1. TDSS Overview
2. Reversing TDSS networking
3. Analyzing p2p functionality
4. Monitoring active bot
5. Getting CnC stats

TDSS Overview

Main modules

- MBR infector – bypasses the driver digital signature protection
- x64 rootkit – TDSS works on every modern Windows system
- Clicker – clicks banners and links
- Target on Black SEO – promoting web sites via Google, Bing, Altavista and more

Affiliate Network

Two affiliate networks are spreading TDSS, paying affiliates in USD per install. Affiliates install TDSS via spam, worms, exploits, etc.

Malicious DHCP

Boot

Reversing TDSS networking

Client to Server

1. Original request: command|noname|30127|0|0.03|0.15| SP2.0|en-us|iexplore|351|0 and Benchmark( ,md5(1))|
2. RC4 or its modification, where the key is the targeted host name
3. BASE64, e.g. r1writ0aL0PIWZtL7hntuzRMB3hv0/cUQL4QRrxNIeB3 4EszDdXaN1U+dP5qr1writ0aL0PIWZtL7hntuzRMB3hv0/cUQL4QRrxNIeB3DDr
4. Additional trash
5. HTTPS

Server to Client

1. Set Name parameter – additional unique key for RC4 or its modification
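The request layering described on the two slides above (pipe-delimited fields, RC4 keyed with the targeted host name, then BASE64), written out as an added analyst-side encoder/decoder; this is example code, not Kaspersky's or the TDSS authors' code. It assumes plain RC4 (the slide says "RC4 or its modification"), uses a constructed sample record and a placeholder host name, and does not model the unspecified "additional trash" step or how the server's Name parameter is mixed into the key.

```python
import base64
from typing import List


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Standard RC4 is an assumption here;
    the slide only says 'RC4 or its modification'."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_request(fields: List[str], host: str) -> str:
    """Bot side as described on the slide: join fields with '|',
    RC4 with the targeted host name as key, then BASE64."""
    plain = "|".join(fields).encode()
    return base64.b64encode(rc4(host.encode(), plain)).decode()


def decode_request(blob: str, host: str) -> List[str]:
    """Analyst side: undo BASE64 and RC4 with the host name to recover
    the pipe-delimited fields (RC4 is symmetric, so the same routine)."""
    plain = rc4(host.encode(), base64.b64decode(blob))
    return plain.decode("utf-8", errors="replace").split("|")


# Constructed sample in the slide's field layout; values are made up,
# not captured traffic, and the host name is a placeholder.
SAMPLE_FIELDS = ["command", "noname", "30127", "0", "0.03", "0.15",
                 "SP2.0", "en-us", "iexplore", "351", "0"]
SAMPLE_HOST = "cnc.example.invalid"


def roundtrip(fields: List[str] = SAMPLE_FIELDS, host: str = SAMPLE_HOST) -> List[str]:
    """Encode then decode; returns the original fields when the key matches."""
    return decode_request(encode_request(fields, host), host)


if __name__ == "__main__":
    blob = encode_request(SAMPLE_FIELDS, SAMPLE_HOST)
    print(blob)
    print(decode_request(blob, SAMPLE_HOST))
```

Decoding with the wrong host name yields garbage rather than an error, which is why a detection engineer replaying captured traffic needs the exact host the bot targeted.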

ANALYZING P2P FUNCTIONALITY

Analyzing p2p functionality

KAD.DLL algorithm:

1. Share an encrypted file named “ktzrules”
2. Upload kad.dll to TDSS-infected PCs
3. Kad.dll loads the public nodes.dat file with KAD client/server IPs
4. Kad.dll searches for the “ktzrules” file in the public KAD network
5. Kad.dll downloads “ktzrules” and executes the commands

Analyzing p2p functionality

KAD.DLL functions:

1. SearchCfg – find the “ktzrules” file with commands
2. LoadExe – find and download an exe file from KAD
3. ConfigWrite – write to the configuration file
4. Search – find a specified file in KAD
5. Publish – publish a specified file
6. Knock – download a new nodes.dat file

Diagram: Public KAD net – default nodes.dat; TDSS KAD net – nodes.dat with clean and infected users' IPs

Monitoring active bot

Installs and proxy

Anti-Virus

Detects Gbot, ZeuS, Clishmic, Optima; the full list includes ~30 malware family names.

Getting CnC stats

60 proxy CnCs, 3 MySQL DBs, 5M infected PCs in 3 months

Summary

- MBR infector – bypasses the driver digital signature protection
- x64 rootkit – TDSS works on every modern Windows system
- Clicker – clicks banners and links
- Target on Black SEO – promoting web sites via Google, Bing, Altavista and more
- P2P botnet – no servers, no centers, sophisticated crypto protection for the command file in a hidden KAD network
- Own AV – detects more than 30 malware families
- Clients Proxy – additional anonymizer via infected PCs
- 5 million infected computers

12 October 2010, Kaspersky Lab

Thank You Sergey (k1k) Golovanov, Malware Expert Global Research and Analysis Team Kaspersky Lab Qu35t10n5?