2. Agenda
• Introduction to The Honeynet Project &
Indonesia Chapter
• Profiling – Zeus
• How Zeus botnet works
• Tracking Zeus
• New National Monitoring Center
• Next Events
3. Speakers
• Charles Lim, MSc, ECSA, ECSP, ECIH, CEH, CEI
• More than 20 years in the IT services industry
• IP networking, software automation
• Led the Indonesia Chapter (2012)
• Lecturer and Researcher at Swiss German University (Information Security Group) – http://people.sgu.ac.id/charleslim
• Research interests: Malware Detection, Intrusion Detection, Incident Handling, Cloud Security, Vulnerability Analysis
4. Introduction to The Honeynet Project
• Volunteer open source computer security research organization since 1999 (US 501c3 non-profit)
• Mission: "learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned" – http://www.honeynet.org
5. Introduction to The Honeynet Project
• Know Your Enemy – tracking adversaries is the passion of the HP (Honeynet Project) team
• Know Your Tools – the open source tools the project builds to track those adversaries are contributed back to the world
6. Indonesia Chapter
• 25 November 2011: about 15 people from academia, security professionals and government made the declaration during our yearly malware workshop at SGU (Swiss German University)
• 19 January 2012: accepted as a chapter of The Honeynet Project
• Members: 129 (today)
11. Zeus – Profile
• First appearance: 2007
• Type: Trojan
• Payload: very light footprint
• Goal: steal sensitive data stored on the computer or transmitted through web browsers and protected storage
• Communication: encrypted channel to the C&C server
• Obfuscation: polymorphic encryption (the binary re-encrypts itself automatically, so every copy carries a new signature)
19. Another Zeus Version – P2P (2012)
Rank  Country        Unique Bot IDs     Unique IPs
1     United States  150,201 (22.1%)    458,882 (29.2%)
2     Germany         48,853 (7.2%)      73,951 (4.7%)
3     Italy           34,361 (5.1%)     145,290 (9.2%)
4     Canada          27,150 (4.0%)      40,482 (2.6%)
5     Brazil          24,997 (3.7%)     120,497 (7.7%)
6     Mexico          24,143 (3.6%)     119,658 (7.6%)
7     India           23,811 (3.5%)     141,412 (9.0%)
8     Indonesia       19,146 (2.8%)     113,196 (7.2%)
9     Iran            18,948 (2.8%)      69,617 (4.4%)
10    Turkey          16,935 (2.5%)     104,391 (6.6%)
20. Zeus Gameover –
Top 20 Countries Infections
Country Total
Japan 3,122
United States 1,482
Italy 1,367
United Kingdom 857
Ukraine 834
India 761
Indonesia 666
Vietnam 553
Thailand 458
Belarus 411
China 390
Germany 355
France 355
Turkey 306
Iran, Islamic Republic of 298
Saudi Arabia 272
Israel 244
Korea, Republic of 241
Poland 220
Philippines 214
https://goz.shadowserver.org/
21. Zeus Gameover – Top 20 ASNs by Infections
https://goz.shadowserver.org/
ASN AS Name Country Total
AS4713 OCN JP 830
AS3269 ASN IT 549
AS6697 BELPAK BY 378
AS8075 MICROSOFT-CORP-MSN-A US 372
AS2516 KDDI JP 371
AS17676 GIGAINFRA JP 365
AS17974 TELKOMNET-AS2 ID 349
AS45899 VNPT-AS VN 297
AS2856 BT-UK GB 269
AS12874 FASTWEB IT 237
AS9121 TTNET TR 222
AS9829 BSNL IN 205
AS6849 UKRTELNET UA 186
AS5384 EMIRATES AE 175
AS1267 ASN EU 163
AS9506 MAGIX-SG SG 158
AS3215 AS3215 FR 156
AS15169 GOOGLE US 150
AS8151 Uninet MX 140
AS4788 TMNET-AS MY 131
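The country and ASN tables on slides 19 to 21 are what a sinkhole or tracker feed reduces to once its hits are grouped. The block below is an added example, not code from the slides, shadowserver or the Honeynet Project: it parses a constructed sinkhole CSV (the column names and the hit lines are invented for the example; a real feed has its own schema) and produces both of slide 19's columns, unique bot IDs and unique IPs with their percentage shares, as well as the per-ASN ranking of slide 21. Keeping the two counts apart matters: one bot ID observed from several addresses (DHCP churn, NAT) inflates the IP column but not the bot column, which is one reason the two shares on slide 19 differ for the same country.

```python
"""Rank sinkhole hits by country and ASN, counting unique bot IDs and
unique IPs separately.

Added example, not shadowserver or Honeynet Project code. The CSV
layout and the hit lines are constructed for the example; adapt the
column names to the feed you actually receive.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed feed: documentation-range IPs, ASNs as named on the slides.
SAMPLE_FEED = """\
timestamp,ip,asn,as_name,country,bot_id
2013-11-05T03:14:22Z,203.0.113.5,AS17974,TELKOMNET-AS2,ID,bot-a1
2013-11-05T03:20:10Z,203.0.113.9,AS17974,TELKOMNET-AS2,ID,bot-a1
2013-11-05T04:02:51Z,203.0.113.9,AS17974,TELKOMNET-AS2,ID,bot-b2
2013-11-05T04:10:00Z,198.51.100.17,AS4713,OCN,JP,bot-c3
2013-11-05T05:11:30Z,198.51.100.18,AS4713,OCN,JP,bot-c3
2013-11-05T05:12:00Z,198.51.100.19,AS4713,OCN,JP,bot-c3
2013-11-05T06:00:00Z,192.0.2.44,AS2516,KDDI,JP,bot-d4
2013-11-05T06:30:00Z,192.0.2.44,AS2516,KDDI,JP,bot-d4
"""


def parse_feed(text: str) -> list[dict]:
    """Parse the CSV feed; drop rows that lack a bot id or an IP."""
    return [row for row in csv.DictReader(StringIO(text))
            if row.get("bot_id") and row.get("ip")]


def unique_counts(rows: list[dict], field: str):
    """Map each value of `field` to its set of bot ids and set of IPs."""
    bots, ips = defaultdict(set), defaultdict(set)
    for r in rows:
        bots[r[field]].add(r["bot_id"])
        ips[r[field]].add(r["ip"])
    return bots, ips


def totals(rows: list[dict]) -> tuple[int, int]:
    """Feed-wide unique bot ids and unique IPs (the denominators)."""
    return len({r["bot_id"] for r in rows}), len({r["ip"] for r in rows})


def rank_by(rows: list[dict], field: str, n: int = 20) -> list[dict]:
    """Top-n by unique bot ids, then unique IPs, with percentage shares."""
    bots, ips = unique_counts(rows, field)
    total_bots, total_ips = totals(rows)
    table = []
    for key in bots:
        nb, ni = len(bots[key]), len(ips[key])
        table.append({
            "key": key,
            "bots": nb,
            "bot_share": round(100 * nb / total_bots, 1) if total_bots else 0.0,
            "ips": ni,
            "ip_share": round(100 * ni / total_ips, 1) if total_ips else 0.0,
        })
    table.sort(key=lambda t: (-t["bots"], -t["ips"], t["key"]))
    return table[:n]


def format_table(table: list[dict], label: str) -> str:
    """Render in the layout of slide 19."""
    lines = [f"{'Rank':<4} {label:<10} {'Unique Bot IDs':>16} {'Unique IPs':>16}"]
    for i, t in enumerate(table, 1):
        lines.append(f"{i:<4} {t['key']:<10} {t['bots']:>8} ({t['bot_share']:>4}%) "
                     f"{t['ips']:>8} ({t['ip_share']:>4}%)")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_feed(SAMPLE_FEED)
    print(format_table(rank_by(rows, "country"), "Country"))
    print()
    print(format_table(rank_by(rows, "asn"), "ASN"))
```

On the constructed feed, JP and ID each hold two bot IDs, but JP accounts for four of the six unique IPs (one bot rotating through three addresses), so its IP share is twice its bot share; read the two columns of slide 19 with that in mind before comparing countries by IP count alone.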
26. Botnet Takedown 2012
• March 2012 – Zeus Botnet
• July 2012 - Grum Botnet
• September 2012 – Nitol Botnet
Important milestones
• Previous takedowns only aimed to kill off the C&C servers
• Microsoft instead kept the C&C domains and redirected their traffic to Microsoft-controlled servers (a sinkhole) to allow further research
32. Call to participate
• Call for more participation from universities,
industry and government
• Requirements:
• A commitment from the top management
• At least 1 public IP address to start
• Fill out form to request to join
• Willing to submit malware samples to central
repository
• You will get:
• 1 Raspberry Pi to be installed in your infrastructure
33. Custom-built appliance
• 1U rack case
• 5 Raspberry Pi boards
• 5 different honeypots: dionaea, glastopf, kippo, etc.
34. References
• Gañán, Carlos, Orcun Cetin, and Michel van Eeten. "An Empirical Analysis of ZeuS C&C Lifetime." Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security. ACM, 2015.
• Mohaisen, Abedelaziz, and Omar Alrawi. "Unveiling Zeus: Automated Classification of Malware Samples." Proceedings of the 22nd International Conference on World Wide Web Companion. International World Wide Web Conferences Steering Committee, 2013.
• http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits
• http://www.symantec.com/connect/blogs/evolution-zeus-botnet
• http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/
• http://hypersecurity.blogspot.com/2009/11/dissecting-zeus-botnet.html
35. Further Information
• The Honeynet Project
(http://www.honeynet.org)
• Indonesia Honeynet Project
(http://www.honeynet.or.id)
• Swiss German University
(http://www.sgu.ac.id)
• My Blog
(http://people.sgu.ac.id/charleslim)
36. Indonesia Chapter
• Indonesia Honeynet Project
• Id_honeynet
• http://www.honeynet.or.id
• http://groups.google.com/group/id-honeynet