SlideShare una empresa de Scribd logo

Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks

Aditya K Sood
Aditya K Sood

HOPE 2012 Presentation

Tecnología
1 de 45
Advancements in Botnet Attacks and Malware Distribution HOPE Conference, New York , July 2012 Aditya K Sood | Rohit Bansal | Richard J Enbody SecNiche Security | Department of Computer Science and Engineering Michigan State University
About Us  Aditya K Sood ● PhD Candidate at Michigan State University – Working for iSEC Partners. – Active Speaker at Security conferences – LinkedIn - http ://www.linkedin.com/in/adityaks – Website: http://www.secniche.org | Blog: http://secniche.blogspot.com – Twitter: @AdityaKSood  Rohit Bansal – Security Researcher, SecNiche Security Labs – Twitter: @0xrb  Dr. Richard J Enbody ● Associate Professor, CSE, Michigan State University – Since 1987, teaching computer architecture/ computer security – Co-Author CS1 Python book, The Practice of Computing using Python. – Patents Pending – Hardware Buffer Overflow Protection 2
Agenda  Malware Paradigm  Browser Malware Taxonomy  Present-day Malware Propagation Tactics  Information Stealing Tactics  Conclusion 3
FUD (Fear, Uncertainty & Doubt)  FUD – FUD || ─ Three pillars of robust malware design 4
Malware Paradigm 5
The Reality of Internet ! 6
Browser Malware Taxonomy  Class A – Browser Malware 7
Browser Malware Taxonomy  Class B – Browser Malware 8
Browser Malware Taxonomy  Class C – Browser Malware 9
Malware Lifecycle – Java Exploit  Malware making a place into your system ─ Step 1: Vulnerability in high traffic website is exploited – To serve malware at large scale ─ Step 2: Detecting malicious iframe in the website ● Lets extract the iframe from the malicious website ● The iframe is pointing to some domain having applet.html. – Avoid running it in the browser. Fetch it directly using wget/curl 10
Malware Lifecycle – Java Exploit  Malware making a place into your system ─ Step 3 : Detecting the malicious code ● So, there is Java applet with “param” variable holding an executable – Quick analysis of the executable can be seen here https://www.virustotal.com/file/5cb024356e6b391b367bc6a313da5b5f744d8a14ce c860502446aaa3e1b4566e/analysis/1330713741/ 11
Malware Lifecycle – Java Exploit  Dissecting Malicious Java Applet – Let’s see what we have VBScript embedded in Java applet code 12
Implanting Malware (Bots) Present-day Propagation Tactics 13
Exploiting Web Hosting  Data Centers | Web Hosting - Exploitation ─ Several websites are hosted on a single server sharing IP address – DNS names are mapped virtually to the same IP ● Vulnerability in one website can seriously compromise the server – Insecure file uploading functionality » Uploading remote management shells such c99 etc » Automated iframe injector embeds malicious iframe on all webpages » Making configuration changes such as redirecting users to malicious domains – Cookie replay attacks in hosting domain website » Authentication bypass : reading customer queries on the web based management panel » Extracting credentials directly by exploiting design flaws in hosting panels 14
Exploiting Web Hosting  Data Centers Exploitation ─ Automated Iframe injector – cPanel Exploitation Automated iframer in action 15
Exploiting Web Hosting  Remote shell in action 16
Infection through Glype Proxies  Glype proxies ● Simple PHP scripts for anonymous surfing ● Hosted on legitimate domains and forcing users to surf through the proxy – Logging is enabled to fetch the information about users » A tactical way of exploiting the integrity of anonymous surfing ● Exploiting misconfigured proxies to deliver malware – Embedding Browser Exploit Packs (BEPs) with Glype proxies » Very effective and successful technique 17
Demonstration 18
Obfuscated Iframes 19
Browser Exploit Packs (BEPs)  Browser Exploit Pack ─ BlackHole is running on fire ● Techniques – User-agent based fingerprinting – Plugin detector capability for scrutinizing the plugins – Serving exploit once per IP Address – Java exploits are used heavily for spreading infections – Support for other exploits such as PDF, Flash etc – BlackHole configuration Java version fingerprinting parameters 20
Browser Exploit Packs (BEPs)  Browser Exploit Pack ─ Encoded exploit with PHP Ioncube 21
Browser Exploit Packs (BEPs)  Browser Exploit Pack ─ Interesting Tactics – A brief walkthrough ● JAVA SMB – One of the most effective exploit used in BH – Exploit downloads “new.avi” file for triggering exploitation – At present times, Java Array exploit is on fire. ● Interesting to see what this file does – Running file in VLC player produces an error. – Can we change “new.avi” to “new.jar”? YES ! We can. » Result is here. 22
Drive-by Frameworks 23
Drive-by Frameworks 24
Demonstration 25
Malware on the Cloud  AWS Cloud Malware ─ Attackers are targeting AWS to host malware Unpacked 26
Malware on the Cloud  AWS Cloud Malware ─ On reversing, package downloads the malware into “c:winsys” directory from another repository on the AWS ● Downloaded files are presented below Malicious files extracted from the package 27
Malware on the Cloud  AWS Cloud Malware Sent an alert in the form of tweet to Amazon. ─ Afterwards Malware was removed. – Some of the files were again packed with UPX packer – All the files were flagged as malicious Executables are f lagged as malicious 28
Malvertisements  Malvertisement ● Online malicious advertisements ● Content Delivery Networks (CDNs) are infected to trigger malvertising – Distributed attack Armorize’s Blog - http://blog.armorize.com/2011/05/porn-sites-have-lots-of-trafficand.html Malvertisement Paper - http://www.slideshare.net/adityaks/malvertising-exploiting-web-advertising 29
Exploiting Social Networks  Social Networks ● Attackers exploit the inherent design flaws in the social networks ● Use to spread malware at a large scale ─ LikeJacking (=~ClickJacking) ● Use to add malicious links on user’s profile in Facebook ● LikeJacking collaboratively used with ClickJacking ● Efficient in spreading malware 30
Demonstration 31
Present-day Botnets Information Stealing and Manipulation Tactics 32
Man-in-the-Browser (MitB)  Subverting Browser Integrity ─ Exploits the victim system and the browser environment ● SSL / PKI does not stop the infections by MitB ● Two Factor/ SSO authentication module does not stop it ● Concept of browser rootkits ● Implements Hooking ● Exploits online banking http://www.cronto.com/download/internet_banking_fraud_beyond_phishing.pdf 33
Web Injects – Infection on the Fly  Web Injects ─ Injecting incoming request with malicious content ─ Primary aim is to inject credential stealing forms, JavaScripts and input tags ─ Concept of Third Generation Botnets ( Give me your money  ) 34
Web Injects – Log Detection http://secniche.blogspot.com/2011/07/spyeye-zeus-web-injects-parameters-and.html 35
Web Injects – Action 36
Web Fakes  Understanding Web Fakes ● Plugins used to spoof the content in browsers ● Supports both protocols HTTP/HTTPS ● Based on the concept of internal URL redirection ● All browsers are affected  How ? ─ Plugins use the defined metrics in the configuration file ● URL_MASK ● URL_REDIRECT ● FLAGS ● POST_BLACK_MASK ● POST_WHITE_MASK ● BLOCK_URL ● WEBFAKE_NAME ● UNBLOCK_URL 37
Web Fakes – Function Calls 38
Web Fakes – Real Example 39
Browsers - Form Grabbing  Why? ─ Keylogging produces plethora of data ─ Form grabbing – extracting data from the GET/POST requests ─ Based on the concept of hooking ─ Virtual Keyboards ● Implements the form grabbing functionality to send POST requests ● No real protection against malware 40
Browsers - Form Grabbing  Facts and Reality ─ All the third generation botnets use this technique ─ Very hard to overcome the consequences ─ All browsers can be circumvented to execute non legitimate hooks 41
Demonstration 42
Other Information Stealing Tactics ..  Bot Plugin Architecture ─ Credit Card Grabber ─ Certificates Grabber ─ SOCKS 5 Backconnect ─ FTP Backconnect ─ RDP BackConnect ─ DDoS Plugins ─ Webcam Hijacker ─ Infecting Messengers (Spreaders) ─ And so on…… depending on the design ! 43
Questions ! 44
Thanks  HOPE Conference Crew ● http://www.hope.net  SecNiche Security Labs ● http://www.secniche.org ● http://secniche.blogspot.com  Contact Me ─ Email : adi_ks [at] secniche.org 45

Recomendados

from 33 to 0 - A journey to be root
from 33 to 0 - A journey to be rootfrom 33 to 0 - A journey to be root
from 33 to 0 - A journey to be rootAmmar WK
 
Malware goes to the movies
Malware goes to the moviesMalware goes to the movies
Malware goes to the moviesAleksandr Yampolskiy
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Julia Yu-Chin Cheng
 
Abdul Zameer S
Abdul Zameer SAbdul Zameer S
Abdul Zameer SAbdul Zameer Subhan
 
Resume-Suresh Kumar Natesan
Resume-Suresh Kumar NatesanResume-Suresh Kumar Natesan
Resume-Suresh Kumar NatesanSuresh Kumar
 
HatsOff-m1027118-133
HatsOff-m1027118-133HatsOff-m1027118-133
HatsOff-m1027118-133Prabhat Tiwari
 
Graph of UK train stations
Graph of UK train stationsGraph of UK train stations
Graph of UK train stationsDaniyar Mukhanov
 
Malicious url detection using machine learning
Malicious url detection using machine learningMalicious url detection using machine learning
Malicious url detection using machine learningCysinfo Cyber Security Community
 

Recomendados

from 33 to 0 - A journey to be root
from 33 to 0 - A journey to be rootfrom 33 to 0 - A journey to be root
from 33 to 0 - A journey to be rootAmmar WK
 
Malware goes to the movies
Malware goes to the moviesMalware goes to the movies
Malware goes to the moviesAleksandr Yampolskiy
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Julia Yu-Chin Cheng
 
Abdul Zameer S
Abdul Zameer SAbdul Zameer S
Abdul Zameer SAbdul Zameer Subhan
 
Resume-Suresh Kumar Natesan
Resume-Suresh Kumar NatesanResume-Suresh Kumar Natesan
Resume-Suresh Kumar NatesanSuresh Kumar
 
HatsOff-m1027118-133
HatsOff-m1027118-133HatsOff-m1027118-133
HatsOff-m1027118-133Prabhat Tiwari
 
Graph of UK train stations
Graph of UK train stationsGraph of UK train stations
Graph of UK train stationsDaniyar Mukhanov
 
Malicious url detection using machine learning
Malicious url detection using machine learningMalicious url detection using machine learning
Malicious url detection using machine learningCysinfo Cyber Security Community
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Aditya K Sood
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Codeguest66dc5f
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010Stephan Chenette
 
Rahul - Analysis Of Adversarial Code - ClubHack2007
Rahul - Analysis Of Adversarial Code - ClubHack2007Rahul - Analysis Of Adversarial Code - ClubHack2007
Rahul - Analysis Of Adversarial Code - ClubHack2007ClubHack
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...Aditya K Sood
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...Aditya K Sood
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?Aditya K Sood
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Javascript Exploitation
Javascript ExploitationJavascript Exploitation
Javascript ExploitationRashid feroz
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovEric Vanderburg
 
MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008Ali Ikinci
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 
Do You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez MetulaDo You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez MetulaAlphageeks
 
Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
 

Más contenido relacionado

Similar a Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks

DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Aditya K Sood
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Codeguest66dc5f
 
Rahul - Analysis Of Adversarial Code - ClubHack2007
Rahul - Analysis Of Adversarial Code - ClubHack2007Rahul - Analysis Of Adversarial Code - ClubHack2007
Rahul - Analysis Of Adversarial Code - ClubHack2007ClubHack
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...Aditya K Sood
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...Aditya K Sood
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?Aditya K Sood
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
 
Javascript Exploitation
Javascript ExploitationJavascript Exploitation
Javascript ExploitationRashid feroz
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovEric Vanderburg
 
MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008Ali Ikinci
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsRahul Mohandas
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinPhillip Maddux
 
Do You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez MetulaDo You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez MetulaAlphageeks
 

Similar a Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks (20)

DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
Rahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_CodeRahul-Analysis_of_Adversarial_Code
Rahul-Analysis_of_Adversarial_Code
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
 
Rahul - Analysis Of Adversarial Code - ClubHack2007
Rahul - Analysis Of Adversarial Code - ClubHack2007Rahul - Analysis Of Adversarial Code - ClubHack2007
Rahul - Analysis Of Adversarial Code - ClubHack2007
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionDrivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
 
Javascript Exploitation
Javascript ExploitationJavascript Exploitation
Javascript Exploitation
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
 
MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008MonkeySpider at Sicherheit 2008
MonkeySpider at Sicherheit 2008
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
Analysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware KitsAnalysis Of Adverarial Code - The Role of Malware Kits
Analysis Of Adverarial Code - The Role of Malware Kits
 
Honeypots, Deception, and Frankenstein
Honeypots, Deception, and FrankensteinHoneypots, Deception, and Frankenstein
Honeypots, Deception, and Frankenstein
 
Do You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez MetulaDo You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez Metula
 

Más de Aditya K Sood

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodAditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineAditya K Sood
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...Aditya K Sood
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis PaperAditya K Sood
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Aditya K Sood
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareAditya K Sood
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware TaxonomyAditya K Sood
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingAditya K Sood
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Aditya K Sood
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)Aditya K Sood
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Aditya K Sood
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserAditya K Sood
 

Más de Aditya K Sood (20)

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB Instances
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in Elasticsearch
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and Defences
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis Paper
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile Hacking
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the Browser
 

Último

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 

Último (20)

08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 

Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks

  • 1. Advancements in Botnet Attacks and Malware Distribution HOPE Conference, New York , July 2012 Aditya K Sood | Rohit Bansal | Richard J Enbody SecNiche Security | Department of Computer Science and Engineering Michigan State University
  • 2. About Us  Aditya K Sood ● PhD Candidate at Michigan State University – Working for iSEC Partners. – Active Speaker at Security conferences – LinkedIn - http ://www.linkedin.com/in/adityaks – Website: http://www.secniche.org | Blog: http://secniche.blogspot.com – Twitter: @AdityaKSood  Rohit Bansal – Security Researcher, SecNiche Security Labs – Twitter: @0xrb  Dr. Richard J Enbody ● Associate Professor, CSE, Michigan State University – Since 1987, teaching computer architecture/ computer security – Co-Author CS1 Python book, The Practice of Computing using Python. – Patents Pending – Hardware Buffer Overflow Protection 2
  • 3. Agenda  Malware Paradigm  Browser Malware Taxonomy  Present-day Malware Propagation Tactics  Information Stealing Tactics  Conclusion 3
  • 4. FUD (Fear, Uncertainty & Doubt)  FUD – FUD || ─ Three pillars of robust malware design 4
  • 6. The Reality of Internet ! 6
  • 7. Browser Malware Taxonomy  Class A – Browser Malware 7
  • 8. Browser Malware Taxonomy  Class B – Browser Malware 8
  • 9. Browser Malware Taxonomy  Class C – Browser Malware 9
  • 10. Malware Lifecycle – Java Exploit  Malware making a place into your system ─ Step 1: Vulnerability in high traffic website is exploited – To serve malware at large scale ─ Step 2: Detecting malicious iframe in the website ● Lets extract the iframe from the malicious website ● The iframe is pointing to some domain having applet.html. – Avoid running it in the browser. Fetch it directly using wget/curl 10
  • 11. Malware Lifecycle – Java Exploit  Malware making a place into your system ─ Step 3 : Detecting the malicious code ● So, there is Java applet with “param” variable holding an executable – Quick analysis of the executable can be seen here https://www.virustotal.com/file/5cb024356e6b391b367bc6a313da5b5f744d8a14ce c860502446aaa3e1b4566e/analysis/1330713741/ 11
  • 12. Malware Lifecycle – Java Exploit  Dissecting Malicious Java Applet – Let’s see what we have VBScript embedded in Java applet code 12
  • 13. Implanting Malware (Bots) Present-day Propagation Tactics 13
  • 14. Exploiting Web Hosting  Data Centers | Web Hosting - Exploitation ─ Several websites are hosted on a single server sharing IP address – DNS names are mapped virtually to the same IP ● Vulnerability in one website can seriously compromise the server – Insecure file uploading functionality » Uploading remote management shells such c99 etc » Automated iframe injector embeds malicious iframe on all webpages » Making configuration changes such as redirecting users to malicious domains – Cookie replay attacks in hosting domain website » Authentication bypass : reading customer queries on the web based management panel » Extracting credentials directly by exploiting design flaws in hosting panels 14
  • 15. Exploiting Web Hosting  Data Centers Exploitation ─ Automated Iframe injector – cPanel Exploitation Automated iframer in action 15
  • 16. Exploiting Web Hosting  Remote shell in action 16
  • 17. Infection through Glype Proxies  Glype proxies ● Simple PHP scripts for anonymous surfing ● Hosted on legitimate domains and forcing users to surf through the proxy – Logging is enabled to fetch the information about users » A tactical way of exploiting the integrity of anonymous surfing ● Exploiting misconfigured proxies to deliver malware – Embedding Browser Exploit Packs (BEPs) with Glype proxies » Very effective and successful technique 17
  • 20. Browser Exploit Packs (BEPs)  Browser Exploit Pack ─ BlackHole is running on fire ● Techniques – User-agent based fingerprinting – Plugin detector capability for scrutinizing the plugins – Serving exploit once per IP Address – Java exploits are used heavily for spreading infections – Support for other exploits such as PDF, Flash etc – BlackHole configuration Java version fingerprinting parameters 20
  • 21. Browser Exploit Packs (BEPs)  Browser Exploit Pack ─ Encoded exploit with PHP Ioncube 21
  • 22. Browser Exploit Packs (BEPs)  Browser Exploit Pack ─ Interesting Tactics – A brief walkthrough ● JAVA SMB – One of the most effective exploit used in BH – Exploit downloads “new.avi” file for triggering exploitation – At present times, Java Array exploit is on fire. ● Interesting to see what this file does – Running file in VLC player produces an error. – Can we change “new.avi” to “new.jar”? YES ! We can. » Result is here. 22
  • 26. Malware on the Cloud  AWS Cloud Malware ─ Attackers are targeting AWS to host malware Unpacked 26
  • 27. Malware on the Cloud  AWS Cloud Malware ─ On reversing, package downloads the malware into “c:winsys” directory from another repository on the AWS ● Downloaded files are presented below Malicious files extracted from the package 27
  • 28. Malware on the Cloud  AWS Cloud Malware Sent an alert in the form of tweet to Amazon. ─ Afterwards Malware was removed. – Some of the files were again packed with UPX packer – All the files were flagged as malicious Executables are f lagged as malicious 28
  • 29. Malvertisements  Malvertisement ● Online malicious advertisements ● Content Delivery Networks (CDNs) are infected to trigger malvertising – Distributed attack Armorize’s Blog - http://blog.armorize.com/2011/05/porn-sites-have-lots-of-trafficand.html Malvertisement Paper - http://www.slideshare.net/adityaks/malvertising-exploiting-web-advertising 29
  • 30. Exploiting Social Networks  Social Networks ● Attackers exploit the inherent design flaws in the social networks ● Use to spread malware at a large scale ─ LikeJacking (=~ClickJacking) ● Use to add malicious links on user’s profile in Facebook ● LikeJacking collaboratively used with ClickJacking ● Efficient in spreading malware 30
  • 32. Present-day Botnets Information Stealing and Manipulation Tactics 32
  • 33. Man-in-the-Browser (MitB)  Subverting Browser Integrity ─ Exploits the victim system and the browser environment ● SSL / PKI does not stop the infections by MitB ● Two Factor/ SSO authentication module does not stop it ● Concept of browser rootkits ● Implements Hooking ● Exploits online banking http://www.cronto.com/download/internet_banking_fraud_beyond_phishing.pdf 33
  • 34. Web Injects – Infection on the Fly  Web Injects ─ Injecting incoming request with malicious content ─ Primary aim is to inject credential stealing forms, JavaScripts and input tags ─ Concept of Third Generation Botnets ( Give me your money  ) 34
  • 35. Web Injects – Log Detection http://secniche.blogspot.com/2011/07/spyeye-zeus-web-injects-parameters-and.html 35
  • 36. Web Injects – Action 36
  • 37. Web Fakes  Understanding Web Fakes ● Plugins used to spoof the content in browsers ● Supports both protocols HTTP/HTTPS ● Based on the concept of internal URL redirection ● All browsers are affected  How ? ─ Plugins use the defined metrics in the configuration file ● URL_MASK ● URL_REDIRECT ● FLAGS ● POST_BLACK_MASK ● POST_WHITE_MASK ● BLOCK_URL ● WEBFAKE_NAME ● UNBLOCK_URL 37
  • 38. Web Fakes – Function Calls 38
  • 39. Web Fakes – Real Example 39
  • 40. Browsers - Form Grabbing  Why? ─ Keylogging produces plethora of data ─ Form grabbing – extracting data from the GET/POST requests ─ Based on the concept of hooking ─ Virtual Keyboards ● Implements the form grabbing functionality to send POST requests ● No real protection against malware 40
  • 41. Browsers - Form Grabbing  Facts and Reality ─ All the third generation botnets use this technique ─ Very hard to overcome the consequences ─ All browsers can be circumvented to execute non legitimate hooks 41
  • 43. Other Information Stealing Tactics ..  Bot Plugin Architecture ─ Credit Card Grabber ─ Certificates Grabber ─ SOCKS 5 Backconnect ─ FTP Backconnect ─ RDP BackConnect ─ DDoS Plugins ─ Webcam Hijacker ─ Infecting Messengers (Spreaders) ─ And so on…… depending on the design ! 43
  • 45. Thanks  HOPE Conference Crew ● http://www.hope.net  SecNiche Security Labs ● http://www.secniche.org ● http://secniche.blogspot.com  Contact Me ─ Email : adi_ks [at] secniche.org 45