Presentation is loading. Please wait.

Presentation is loading. Please wait.

國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage.

Published byTyrone George Modified over 9 years ago

Similar presentations

Presentation on theme: "國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage."— Presentation transcript:

1 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage Frankie Li, Anthony Lai, Ddl Ddl Valkyrie-X Security Research Group 2011 6th International Conference on Malicious and Unwanted Software Presenter: 劉力瑋 1/9

2 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Outline APT A case in Hong Kong Analysis Conclusion 2/9

3 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Advanced Persistent Threats (APT) This paper consider an APT as a cyber attack launched by a group of sophisticated, determined, and coordinated attackers who systematically compromise the network of a specific target machine or entity for a prolonged period. 3/9

4 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory A case in Hong Kong A well design email (2011/7/7) Title : Democracy Depot meeting Sender : first_name.p0on@.org.hk Attachments : Democracy Depot meeting Second email was received on 2011/7/14 It is sent by a political group about the news of a riot in 廣州 4/9

5 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Analysis The attachments(malware) which you download will be a dropper, its “Property” field contains the command. Then it creates a Malicious DLL (droppee)to inject your explorer.exe. It also creates a mutex to avoid duplication of malware installation on the victim’s machine. 5/9

6 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Analysis First,it tries several non- resolved DNS names and a non-routed IP address. The droppee triggers the download of additional binaries that act as core modules performing the actual malicious functions. After several trails, it contact the single valid IP address, using TCP port number 8080. Then it run into an infinite loop and waited for the response from the C&C 6/9

7 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Analysis Additional binaries downloaded by droppee perform the actual malicious functions. All passwords from “foxmail,” “outlook,” “outlook express,” “IE Form Storage,” “MSN,” “Passport DotNet,” and “protected storage,” were collected from the infected machine. The screen captures will also be collected and uploaded to the C&C. 7/9

8 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Analysis Filtered information is collected, compressed and then uploaded through encrypted HTTP traffic. Afterwards, the information is removed to hide its temporary presence. 8/9

9 國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Discussion and Conclusion APT-type malware does not carry obvious malicious functions. Unlike the other malware it seldom changes the infected system as a zombie machine. How to avoid it 9/9

Download ppt "國立清華大學高速通訊與計算實驗室 NTHU High-Speed Communication & Computing Laboratory Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage."

Similar presentations

Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Monnappa KA  Info Security Cisco  Core Member of SecurityXploded  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis,

Monnappa KA  Info Security Cisco  Core Member of SecurityXploded  Focus on Threat Intelligence  Reverse Engineering, Malware Analysis,
Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.

Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.
Trojan Horse Program Presented by : Lori Agrawal.

Trojan Horse Program Presented by : Lori Agrawal.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 

 What is a botnet?  How are botnets created?  How are they controlled?  How are bots acquired?  What type of attacks are they responsible for? 
Threats To A Computer Network

Threats To A Computer Network
PDS 無線網路概論 Introduction to Wireless Networks 王國禎 國立交通大學 資訊工程系 行動計算與寬頻網路實驗室

PDS 無線網路概論 Introduction to Wireless Networks 王國禎 國立交通大學 資訊工程系 行動計算與寬頻網路實驗室
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.

S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
After this session, you should be able to:

After this session, you should be able to:
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
MIRAGE CPSC 620 Project By Neeraj Jain Hiranmayi Pai.

MIRAGE CPSC 620 Project By Neeraj Jain Hiranmayi Pai.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Advanced Persistent Threats CS461/ECE422 Spring 2012.

Advanced Persistent Threats CS461/ECE422 Spring 2012.
Internet Safety Basics Being responsible -- and safer -- online Visit age-appropriate sites Minimize chatting with strangers. Think critically about.

Internet Safety Basics Being responsible -- and safer -- online Visit age-appropriate sites Minimize chatting with strangers. Think critically about.
Outline  Infections  1) r57 shell  2) rogue software  What Can We Do?  1) Seccheck  2) Virus total  3) Sandbox  Prevention  1) Personal Software.

Outline  Infections  1) r57 shell  2) rogue software  What Can We Do?  1) Seccheck  2) Virus total  3) Sandbox  Prevention  1) Personal Software.
APT29 HAMMERTOSS Jayakrishnan M.

APT29 HAMMERTOSS Jayakrishnan M.
Online Game Trojan SecurityLabs.websense.com Hermes Li.

Online Game Trojan SecurityLabs.websense.com Hermes Li.

Similar presentations

Ads by Google