Mengenal Zeus Botnet Lebih Dekat (Getting to Know the Zeus Botnet Up Close)
Charles Lim | Indonesia Chapter Lead
6 July 2015
Jakarta, Indonesia
Agenda
• Introduction to The Honeynet Project & Indonesia Chapter
• Profiling – Zeus
• How Zeus botnet works
• Tracking Zeus
• New National Monitoring Center
• Next Events
Speakers
• Charles Lim, MSc, ECSA, ECSP, ECIH, CEH, CEI
• More than 20 years in the IT services industry
• IP networking, Software Automation
• Led Indonesia Chapter (2012)
• Lecturer and Researcher at Swiss German University (Information Security Group) – http://people.sgu.ac.id/charleslim
• Research Interest: Malware Detection, Intrusion Detection, Incident Handling, Cloud Security, Vulnerability Analysis
Introduction to The Honeynet Project
• Volunteer open source computer security research organization since 1999 (US 501c3 non-profit)
• Mission: "learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned" – http://www.honeynet.org
Introduction to The Honeynet Project
• Know Your Enemy – Tracking the enemies is the passion of the HP (Honeynet Project) team
• Know Your Tools – It is about open source tools to track the enemies and contribute to the world
Indonesia Chapter
• 25 November 2011: about 15 people from academia, security professionals and government made the declaration during our yearly malware workshop at SGU (Swiss German University)
• 19 January 2012: accepted as a chapter of The Honeynet Project
• Members: 129 (today)
First Indonesia Honeynet Seminar & Workshop
Honeynet Indonesia Seminar, 5 June 2012
First Indonesia Honeynet Seminar & Workshop
Honeynet Indonesia Workshop, 6 June 2012
2015 Indonesia Honeynet Seminar & Workshop
Honeynet Indonesia Seminar, 10-11 June 2015
2015 Indonesia Honeynet Seminar & Workshop
Honeynet Indonesia Workshop, 10-11 June 2015
Zeus – Profile
• First Appearance: 2007
• Type: Trojan
• Payload: Very Light Footprint
• Goal: Steal sensitive data stored on computers or transmitted through web browsers and protected storage
• Communication: Encrypted channel with C&C server
• Obfuscation: Polymorphic encryption (re-encrypts itself automatically to create a new signature)
Bypassing Anti Virus
Another Zeus Version – P2P (2012)
Botnet Overview
Another Zeus Version – P2P (2012)
Rank  Country        Unique Bot IDs     Unique IPs
1     United States  150,201 (22.1%)    458,882 (29.2%)
2     Germany         48,853 (7.2%)      73,951 (4.7%)
3     Italy           34,361 (5.1%)     145,290 (9.2%)
4     Canada          27,150 (4.0%)      40,482 (2.6%)
5     Brazil          24,997 (3.7%)     120,497 (7.7%)
6     Mexico          24,143 (3.6%)     119,658 (7.6%)
7     India           23,811 (3.5%)     141,412 (9.0%)
8     Indonesia       19,146 (2.8%)     113,196 (7.2%)
9     Iran            18,948 (2.8%)      69,617 (4.4%)
10    Turkey          16,935 (2.5%)     104,391 (6.6%)
Zeus Gameover – Top 20 Countries Infections
Country                    Total
Japan                      3,122
United States              1,482
Italy                      1,367
United Kingdom               857
Ukraine                      834
India                        761
Indonesia                    666
Vietnam                      553
Thailand                     458
Belarus                      411
China                        390
Germany                      355
France                       355
Turkey                       306
Iran, Islamic Republic of    298
Saudi Arabia                 272
Israel                       244
Korea, Republic of           241
Poland                       220
Philippines                  214
Source: https://goz.shadowserver.org/
Zeus Gameover – Top 20 Countries Infections (by ASN)
ASN      AS Name               Country  Total
AS4713   OCN                   JP       830
AS3269   ASN                   IT       549
AS6697   BELPAK                BY       378
AS8075   MICROSOFT-CORP-MSN-A  US       372
AS2516   KDDI                  JP       371
AS17676  GIGAINFRA             JP       365
AS17974  TELKOMNET-AS2         ID       349
AS45899  VNPT-AS               VN       297
AS2856   BT-UK                 GB       269
AS12874  FASTWEB               IT       237
AS9121   TTNET                 TR       222
AS9829   BSNL                  IN       205
AS6849   UKRTELNET             UA       186
AS5384   EMIRATES              AE       175
AS1267   ASN                   EU       163
AS9506   MAGIX-SG              SG       158
AS3215   AS3215                FR       156
AS15169  GOOGLE                US       150
AS8151   Uninet                MX       140
AS4788   TMNET-AS              MY       131
Source: https://goz.shadowserver.org/
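The tables above report unique bot IDs and unique IPs per country, and infection totals per ASN. The following Python is an added example, not code from the slides or from Shadowserver, showing how a sinkhole operator derives such counts from check-in records. The records, the country and ASN attributions, and the assumption that each infection reports a per-bot identifier at check-in are all constructed for the example. The constructed data deliberately includes one bot that changed IP (DHCP churn) and two bots behind one NAT, which is why the bot-ID and IP columns diverge, as they do in the real table (Indonesia: 19,146 bot IDs but 113,196 IPs).

```python
from collections import defaultdict

# Constructed sinkhole check-in records: (bot_id, source_ip, country, asn, as_name).
# All values are invented for this example; a real sinkhole would attribute
# country and ASN by GeoIP/BGP lookup of the source address.
SAMPLE_CHECKINS = [
    ("b1", "203.0.113.10", "ID", "AS17974", "TELKOMNET-AS2"),
    ("b1", "203.0.113.11", "ID", "AS17974", "TELKOMNET-AS2"),  # same bot after a new DHCP lease
    ("b2", "203.0.113.12", "ID", "AS17974", "TELKOMNET-AS2"),
    ("b3", "198.51.100.5", "US", "AS8075", "MICROSOFT-CORP-MSN-A"),
    ("b4", "198.51.100.5", "US", "AS8075", "MICROSOFT-CORP-MSN-A"),  # two bots behind one NAT
    ("b5", "192.0.2.77", "JP", "AS4713", "OCN"),
    ("b5", "192.0.2.77", "JP", "AS4713", "OCN"),  # repeated check-in, counted once
]


def country_summary(checkins):
    """Rows of (rank, country, unique bots, bot share %, unique IPs, IP share %).

    Bot IDs and IPs are deduplicated independently, so the two columns can
    diverge: DHCP churn inflates the IP count, NAT deflates it.
    """
    bots, ips = defaultdict(set), defaultdict(set)
    for bot_id, ip, country, _asn, _name in checkins:
        bots[country].add(bot_id)
        ips[country].add(ip)
    total_bots = len({r[0] for r in checkins})
    total_ips = len({r[1] for r in checkins})
    rows = []
    for country in bots:
        nb, ni = len(bots[country]), len(ips[country])
        rows.append((country, nb, round(100.0 * nb / total_bots, 1),
                     ni, round(100.0 * ni / total_ips, 1)))
    rows.sort(key=lambda r: (-r[1], r[0]))  # most bots first, country code as tie-break
    return [(rank,) + row for rank, row in enumerate(rows, start=1)]


def asn_summary(checkins):
    """Rows of (asn, as_name, country, unique bots), most bots first."""
    bots = {}
    for bot_id, _ip, country, asn, name in checkins:
        bots.setdefault(asn, (name, country, set()))[2].add(bot_id)
    rows = [(asn, name, country, len(ids)) for asn, (name, country, ids) in bots.items()]
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows


def print_tables(checkins):
    """Render both summaries in the same layout as the slide tables."""
    print("Rank  Country  Unique Bot IDs  Unique IPs")
    for rank, cc, nb, pb, ni, pi in country_summary(checkins):
        print(f"{rank:<5} {cc:<8} {nb} ({pb}%)        {ni} ({pi}%)")
    print("\nASN       AS Name                Country  Total")
    for asn, name, cc, total in asn_summary(checkins):
        print(f"{asn:<9} {name:<22} {cc:<8} {total}")


if __name__ == "__main__":
    print_tables(SAMPLE_CHECKINS)
```

When reading the real tables, the practical consequence is that the IP column over-counts infections in networks with short DHCP leases and under-counts them behind carrier-grade NAT; the bot-ID column is the better estimate of infected hosts where the malware supplies a stable identifier.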
Zeus Communication (1/4)
Zeus Communication (2/4)
Zeus Communication (3/4)
Zeus Communication (4/4)
Botnet Takedown 2012
• March 2012 – Zeus Botnet
• July 2012 – Grum Botnet
• September 2012 – Nitol Botnet
Important milestones
• Previous takedowns aimed to kill off the C&C server
• Microsoft kept the C&C server running but redirected its traffic to a Microsoft server to allow further research
Tracking Zeus
• https://zeustracker.abuse.ch/monitor.php
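A tracker such as the one linked above is useful to a defender mainly as a source of C&C indicators to match against local logs. The following Python is an added example, not code from the slides or from abuse.ch: it loads a small indicator feed of hostnames and IP ranges and scans outbound-connection records for hits. The feed format, the log format, and every hostname and address in it are constructed assumptions for the example, not real Zeus infrastructure or the tracker's actual output format.

```python
import ipaddress

# Constructed indicator feed in the spirit of a C&C blocklist: one hostname or
# IP/CIDR per line, '#' starts a comment. The entries are invented for this
# example and are not real Zeus C&C infrastructure.
BLOCKLIST_TEXT = """
# constructed sample feed
cnc.example.net
198.51.100.0/24
203.0.113.9
"""

# Constructed outbound-connection log: "<timestamp> <source IP> <destination>",
# where the destination is a hostname (from DNS or proxy logs) or an IP.
SAMPLE_LOG = [
    "2015-07-06T09:12:01Z 10.0.0.5 panel.CNC.example.net.",
    "2015-07-06T09:12:05Z 10.0.0.5 www.example.org",
    "2015-07-06T09:13:10Z 10.0.0.7 198.51.100.23",
    "2015-07-06T09:13:12Z 10.0.0.7 203.0.113.9",
    "2015-07-06T09:14:00Z 10.0.0.9 192.0.2.44",
    "malformed line",
]


def load_blocklist(text):
    """Split a feed into a set of lowercase hostnames and a list of IP networks."""
    hosts, nets = set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))  # bare IPs become /32
        except ValueError:
            hosts.add(entry)
    return hosts, nets


def match_destination(dst, hosts, nets):
    """Return the matching indicator string, or None if the destination is clean."""
    dst = dst.strip().lower().rstrip(".")  # normalise case and trailing dot
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        addr = None
    if addr is not None:
        return next((str(net) for net in nets if addr in net), None)
    # Match the exact host or any parent domain on the list, so
    # panel.cnc.example.net is caught by an entry for cnc.example.net.
    labels = dst.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


def scan_log(lines, hosts, nets):
    """Return (timestamp, source, destination, indicator) for every line that hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than abort the whole scan
        ts, src, dst = parts
        indicator = match_destination(dst, hosts, nets)
        if indicator is not None:
            hits.append((ts, src, dst, indicator))
    return hits


if __name__ == "__main__":
    hosts, nets = load_blocklist(BLOCKLIST_TEXT)
    for hit in scan_log(SAMPLE_LOG, hosts, nets):
        print("ALERT", *hit)
```

Two details matter in practice: hostnames are normalised (case and trailing dot) before comparison, because DNS logs are inconsistent about both, and subdomain matching is done by walking parent labels rather than by substring search, so an entry for cnc.example.net does not accidentally match notcnc.example.net.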
National Cyber Attack Monitoring
Call to participate
• Call for more participation from universities, industry and government
• Requirements:
  • A commitment from the top management
  • At least 1 public IP address to start
  • Fill out the form to request to join
  • Willing to submit malware samples to the central repository
• You will get:
  • 1 Raspberry Pi to be installed in your infrastructure
Custom-built appliance
• 1 U Rack Case
• 5 Raspberry PI
• 5 different honeypots: dionaea, glastopf, kippo, etc.
References
• Gañán, Carlos, Orcun Cetin, and Michel van Eeten. "An Empirical Analysis of ZeuS C&C Lifetime." Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. ACM, 2015.
• Mohaisen, Abedelaziz, and Omar Alrawi. "Unveiling Zeus: Automated Classification of Malware Samples." Proceedings of the 22nd International Conference on World Wide Web Companion. International World Wide Web Conferences Steering Committee, 2013.
• http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits
• http://www.symantec.com/connect/blogs/evolution-zeus-botnet
• http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/
• http://hypersecurity.blogspot.com/2009/11/dissecting-zeus-botnet.html
Further Information
• The Honeynet Project (http://www.honeynet.org)
• Indonesia Honeynet Project (http://www.honeynet.or.id)
• Swiss German University (http://www.sgu.ac.id)
• My Blog (http://people.sgu.ac.id/charleslim)
Indonesia Chapter
• Indonesia Honeynet Project
• Id_honeynet
• http://www.honeynet.or.id
• http://groups.google.com/group/id-honeynet
