
Jonell Baltazar, A Trend Micro Research Paper (Retrieved May 2010).


2 Outline: Introduction; Botnet Developments; KOOBFACE Development Timeline; Summary

3 Introduction. In this paper, TrendLabs exposes the latest developments made to the KOOBFACE botnet in order to keep it running and to shield its transactions from the prying eyes of security researchers and law enforcement alike.

4 Botnet Developments. Some of these developments were implemented to make analysis and reverse engineering harder for researchers. Others, notably the introduction of a second layer of servers called proxy command-and-control (C&C) servers sitting between the bots and the real C&C servers, make the botnet more resilient to C&C takedown.

5 Recent KOOBFACE botnet architecture development

6 Botnet Developments: KOOBFACE URLs. The KOOBFACE-controlled sites are now capable of banning the IP addresses of users who try to access them more than once. Through this, the gang's members prevent constant monitoring by security researchers who work from a single IP address. Each KOOBFACE-controlled URL now keeps a local copy of the banned IP addresses.
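As an added illustration of how such a one-visit-per-IP ban cuts off a researcher who crawls from a single address (my reconstruction of the mechanism, not code recovered from the gang's servers): the handler, the path /video.php and the sample addresses are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"sync"
)

// BanningSite models a KOOBFACE-controlled page that serves its bait to a
// source IP once and refuses every later request from that IP. This is an
// illustrative reconstruction, not the gang's server-side code.
type BanningSite struct {
	mu   sync.Mutex
	seen map[string]bool // the per-URL "local copy of banned IP addresses"
	bait string
}

func NewBanningSite(bait string) *BanningSite {
	return &BanningSite{seen: make(map[string]bool), bait: bait}
}

// ServeHTTP answers the first request from an IP with the bait page and
// bans that IP for all subsequent requests, whatever the source port.
func (s *BanningSite) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	ip, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		ip = r.RemoteAddr // no port present; use the address as given
	}
	s.mu.Lock()
	banned := s.seen[ip]
	s.seen[ip] = true
	s.mu.Unlock()
	if banned {
		http.Error(w, "Forbidden", http.StatusForbidden)
		return
	}
	w.Write([]byte(s.bait))
}

// Fetch issues an in-process request from the given source address
// (hypothetical "ip:port") and returns the HTTP status code.
func Fetch(h http.Handler, from string) int {
	req := httptest.NewRequest(http.MethodGet, "/video.php", nil)
	req.RemoteAddr = from
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	site := NewBanningSite("<html>fake video page</html>")
	fmt.Println(Fetch(site, "203.0.113.5:40000"))  // 200: first visit is served
	fmt.Println(Fetch(site, "203.0.113.5:40001"))  // 403: same IP, now banned
	fmt.Println(Fetch(site, "198.51.100.7:40000")) // 200: a fresh IP is served
}
```

The practical consequence for monitoring is the one the paper draws: a single-address crawler gets exactly one look at each URL, so repeated collection has to come from rotating source addresses.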


8 Botnet Developments: Spammed URLs. The KOOBFACE-spammed URLs, which try to trick users into viewing a bogus video by following the spammed link, have started coming in different forms. In the past, users only had to click a single link to end up on a page where the KOOBFACE binary could be downloaded. The new URLs either use the old template or carry hex-encoded IP address parts.

9 Old KOOBFACE URL spamming style; KOOBFACE-spammed URL with hex-encoded IP address parts

10 Botnet Developments: URL Redirectors. In the past, users who clicked KOOBFACE-spammed URLs went through a few redirections, driven by unobfuscated JavaScript, before landing on a fake YouTube or Facebook page. The gang now obfuscates these scripts using string replacement. After deobfuscation, the IP addresses that point to the fake YouTube pages where the KOOBFACE binaries are downloaded (the final landing pages) have been seen to use random ports.

11 Old KOOBFACE redirector script

12 Obfuscated KOOBFACE redirector script

13 Deobfuscated KOOBFACE redirector script
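An added example (not code from the paper or from the KOOBFACE scripts) covering both the hex-encoded IP address parts of the spammed URLs and the string-replacement obfuscation of the redirector scripts: the script below is a constructed stand-in, the junk token Q2 and the 0x-prefixed hex octet notation are assumptions about the encoding, and the functions Deobfuscate, DecodeHost and ParseLanding are mine. DecodeHost also accepts plain decimal octets, so it handles the old URL template as well as the hex-encoded one.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// ObfuscatedRedirector is a constructed sample, not a script from the paper.
// It models the string-replacement trick: a junk token (here "Q2", an
// assumption) is spliced into the URL and stripped at runtime by replace()
// before the redirect fires.
const ObfuscatedRedirector = `var u = "htQ2tp://0xc0.0xQ2a8.0x01.0x10:8Q2123/Q2abc/";
window.location = u.replace(/Q2/g, "");`

var (
	// the first double-quoted string literal in the script
	reLiteral = regexp.MustCompile(`"([^"]*)"`)
	// .replace(/TOKEN/g, "") -- captures the token that gets stripped
	reReplace = regexp.MustCompile(`\.replace\(/([^/]+)/g,\s*""\)`)
)

// Deobfuscate undoes a replace()-based string obfuscation and returns the
// plain redirect URL.
func Deobfuscate(script string) (string, error) {
	lit := reLiteral.FindStringSubmatch(script)
	rep := reReplace.FindStringSubmatch(script)
	if lit == nil || rep == nil {
		return "", errors.New("no string literal or replace() call found")
	}
	return strings.ReplaceAll(lit[1], rep[1], ""), nil
}

// DecodeHost converts a host whose octets may be written as 0x-prefixed hex
// (e.g. 0xc0.0xa8.0x01.0x10) into dotted-decimal form. Decimal octets pass
// through unchanged; octets above 255 are rejected.
func DecodeHost(host string) (string, error) {
	parts := strings.Split(host, ".")
	if len(parts) != 4 {
		return "", fmt.Errorf("expected 4 octets, got %d", len(parts))
	}
	out := make([]string, 4)
	for i, p := range parts {
		base := 10
		if strings.HasPrefix(strings.ToLower(p), "0x") {
			base, p = 16, p[2:]
		}
		v, err := strconv.ParseUint(p, base, 8) // bitSize 8 rejects values > 255
		if err != nil {
			return "", fmt.Errorf("octet %q: %w", parts[i], err)
		}
		out[i] = strconv.FormatUint(v, 10)
	}
	return strings.Join(out, "."), nil
}

// Landing holds the decoded final landing address and the indicators a
// researcher would pivot on.
type Landing struct {
	IP, Path   string
	Port       int
	RandomPort bool // port other than 80, the sign the paper calls a "random port"
}

// ParseLanding decodes a redirect URL into its IP, port and path.
func ParseLanding(raw string) (Landing, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Landing{}, err
	}
	ip, err := DecodeHost(u.Hostname())
	if err != nil {
		return Landing{}, err
	}
	port := 80 // default HTTP port when the URL names none
	if p := u.Port(); p != "" {
		if port, err = strconv.Atoi(p); err != nil {
			return Landing{}, err
		}
	}
	return Landing{IP: ip, Port: port, Path: u.Path, RandomPort: port != 80}, nil
}

func main() {
	plain, err := Deobfuscate(ObfuscatedRedirector)
	if err != nil {
		fmt.Println("deobfuscation failed:", err)
		return
	}
	l, err := ParseLanding(plain)
	fmt.Printf("%s -> %+v (err=%v)\n", plain, l, err)
}
```

Decoding the host before comparing it against blocklists matters because browsers accept the hex form and resolve it to the same address, while a naive string match on the dotted-decimal IP would miss it.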

14 Botnet Developments: Final Landing URLs. The more recently discovered final landing pages (fake YouTube pages) sport URLs with random ports and randomly named subdirectories.

15 Final landing URL that serves a fake YouTube page sporting the new theme

16 Botnet Developments: C&C Proxy URLs. C&C proxy URLs can be extracted from the KOOBFACE loader and social networking components. Where the old C&C proxy URLs were still in use, the KOOBFACE scripts were installed in the .sys subdirectory. New C&C proxy URLs have been found that use randomly named subdirectories instead.

17 Old C&C proxy URL format; new proxy C&C URL format that uses randomly named subdirectories instead of just .sys

18 Botnet Developments: Proxy C&C Communications. The KOOBFACE gang now encrypts its C&C communications using the Data Encryption Standard (DES). The encrypted data follows the new command #BLUELABEL and can only be decrypted with a key defined by the gang itself. Since the bot has to decrypt the commands, that key is necessarily present in, or derivable from, the KOOBFACE binary, which is where a reverse engineer would recover it.

19 Sample DES-encrypted data and its decrypted form
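An added example of the #BLUELABEL framing and its DES decryption, written here for illustration rather than taken from the paper: the key k00bf4c3, ECB mode with PKCS#5 padding, and hex encoding of the ciphertext are all assumptions, since the paper shows the encrypted data but does not publish the gang's key or mode; the command text is constructed.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// BlueLabel is the C&C command that, per the paper, precedes the DES-encrypted data.
const BlueLabel = "#BLUELABEL"

// HypotheticalKey stands in for the gang-defined key, which is not public.
// DES keys are 8 bytes (56 effective bits plus parity).
var HypotheticalKey = []byte("k00bf4c3")

// pkcs5Pad pads to a multiple of the 8-byte DES block size (assumed scheme).
func pkcs5Pad(b []byte) []byte {
	n := des.BlockSize - len(b)%des.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs5Unpad strips the padding, rejecting malformed trailers, which is what
// decrypting under the wrong key usually produces.
func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%des.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > des.BlockSize {
		return nil, errors.New("bad padding byte")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("inconsistent padding")
		}
	}
	return b[:len(b)-n], nil
}

// desECB runs single DES over each block. ECB is an assumption: the paper
// does not state which mode the gang uses.
func desECB(key, in []byte, encrypt bool) ([]byte, error) {
	c, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := c.BlockSize()
	if len(in)%bs != 0 {
		return nil, errors.New("input is not a whole number of DES blocks")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		if encrypt {
			c.Encrypt(out[i:i+bs], in[i:i+bs])
		} else {
			c.Decrypt(out[i:i+bs], in[i:i+bs])
		}
	}
	return out, nil
}

// BuildResponse produces what a proxy C&C reply looks like under these
// assumptions: the marker, then the hex of the encrypted command.
func BuildResponse(key []byte, command string) (string, error) {
	ct, err := desECB(key, pkcs5Pad([]byte(command)), true)
	if err != nil {
		return "", err
	}
	return BlueLabel + " " + hex.EncodeToString(ct), nil
}

// ParseResponse locates #BLUELABEL, decodes and decrypts what follows it,
// and returns the plaintext command. Anything before the marker is ignored.
func ParseResponse(key []byte, resp string) (string, error) {
	i := strings.Index(resp, BlueLabel)
	if i < 0 {
		return "", errors.New("no " + BlueLabel + " marker in response")
	}
	ct, err := hex.DecodeString(strings.TrimSpace(resp[i+len(BlueLabel):]))
	if err != nil {
		return "", err
	}
	pt, err := desECB(key, ct, false)
	if err != nil {
		return "", err
	}
	if pt, err = pkcs5Unpad(pt); err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed command text; the real command set is not reproduced here.
	resp, _ := BuildResponse(HypotheticalKey, "UPDATE http://proxy.example/abc123/")
	fmt.Println(resp)
	cmd, err := ParseResponse(HypotheticalKey, resp)
	fmt.Println(cmd, err)
}
```

For the analyst the point is the reverse direction: once the key is pulled from the binary, ParseResponse is all that is needed to read the proxy C&C traffic again, and 56-bit DES offers no real protection against a determined brute-force effort even without the key.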

20 KOOBFACE Development Timeline

21 Summary. The gang changed the format of the spammed URLs and started using random ports instead of just the usual HTTP port, banned IP addresses to prevent frequent access to and monitoring of KOOBFACE-controlled sites, and began encrypting its C&C communications.

