SlideShare a Scribd company logo

Bots and malware

Download as PPTX, PDF
Doron Segal
Doron Segal

How to build bots / Malware and how Moles work

Technology
1 of 23
BOTNET
WILL NOT TALK ABOUT - How to flight a Boeing 787 - Or a Boeing 777 Blow computer remotely
WILL TALK ABOUT - Basic introduction to internet security - What is Botnet? C & C? How does it get to your computer? - Different module - Real life story - Live example
Bottom Line A Bot is simply an automated computer program, or robot. BOT Making your computer into Bot using Trojan, Malware, etc.. The Bot will installed on the victim computer and will be communicate with the C&C server.
HOW DOES IT WORKS
HOW YOU BUILD A BOT? Easy, Bot Builder. Although you can re-create one from scratch.
SPREAD THE WORD… So, we create this great Bot now lets spread it via…. But how?!? Via affiliate program, torrent, emule any p2p that are out there. For example lets {Some.New.Movie}.blu.ray and yes we can make it be 5GB although our bot will be only 100KB. Yes, sometimes will see {some.great.movie.avi} 565KB, Yeah right.
SPREAD THE WORD… django unchained
SPREAD THE WORD… Affiliates?!?
C&C Command and Control Server In the old day a server that collect the victim data. Today much more complicated - Encrypted network connections Botnet access to the Kad network
AN ANTIVIRUS OF ITS OWN Bootkit will infects the MBR in order to launch itself This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.
SEARCH FOR SYSTEM REGISTRY FOR OTHER MALICIOUS PROGRAM
BOTNET ACCESS TO THE KAD NETWORK So what do the cybercriminals want with a publicly accessible file exchange network? 1. Cybercriminals make a encrypted file the contains list of commands 2. Infected computer receive command to download and installing any module. 3. After the installation process the victim get the nodes which contains the publicly accessible list of IP addresses of network servers and clients (Kad server and clients). 4. The module then sends a request to the Kad network to search for the right file. 5. Once the files has been downloaded and encrypted, the dll file runs the commands
PROXY MODULE Basically proxy server on the victim computer. - This module facilitates the anonymous viewing of Internet resources via infected machines. - New way making money $$, offering anonymous Internet access as a service, at a cost of roughly $100 per month. - Hiding the network and C&C servers.
ANOTHER COOL WAY FOR PROXY FAST FLUX Fast flux DNS takes advantage of the way load balancing is built into the DNS. It allows an administrator to register a number of IP address with a single host name (for ex: google.com, facebook.com, etc…) And the secret is the TTL,
WAYS TO TRANSFER MONEY
REAL LIFE EXAMPLE :: TDL4 Couple of Facts: 1. TDSS is one of the most sophisticated threat. 2. TDSS uses a range of methods to evade signature, heuristic, and proactive detection. 3. Uses encryption to facilitate communication between its bots and the botnet command and control center. 4. powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system. 5. Algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. 6. Kad.dll module which allows the TDSS botnet to access the Kad network. 7. Socks.dll has been added to TDSS‟s svchost.exe; it is used to establish a proxy server on an infected computer. 8. Smart ways to get command using encrypted files and different servers.
WAYS TO SOLVE 1. Wireshark view logs and information 2. DNS server logs, when working under cooperation proxy server. 3. Bios , stop infection MBR.
SOME MORE REAL LIFE STORIES • Chinese banker Trojan: There are 242 million e-commerce users (according to Dec 2012), it mean nearly half of the users in Internet users in China. (There is lots of money involve!) Win32.Bancyn.a, was named „Floating Cloud‟, and was used to steal several millions of dollars from e-commerce users. • Social Network Trojan (Brazil): "PimpMyWindow", an adware and click-fraud scheme that has infected several Brazilian Facebook users in recent days, works. Basically a browser plugin that communicate with the “Criminal” server and send the user information whenever is logged in to one of the Brazilian banks.
The email asks to send an advance payment to the lottery so that they can release the prize money. Lots of naive users get fooled by the scammers and end up wasting their money. 419 NIGERIAN SCAMS A sample 419 Scam email ------------------------------------Sender: uk_national_lottery_005@hotmail.com Subject: !!!CONGRATULATIONS YOU ARE A WINNER!!! FROM THE LOTTERY PROMOTIONS MANAGER, THE UNITED KINGDOM INTERNATIONAL LOTTERY, PO BOX 287, WATFORD WD18 9TT, UNITED KINGDOM. We are delighted to inform you of your prize release from the United Kingdom International Lottery program. Your name was attached to Ticket number; 47061725, Batch number; 7056490902, Winning number; 07-14-24-37-43-48 bonus number 29, which consequently won the lottery in the first category....
SLIDESHARE.NET ATTACK Example 2: April 23, 2008 • Slideshare was down for a few days due to DDOS attack that originated from China. • The attack reached a peak of 2.5GB/sec and consisted entirely of packets sent from China • 2.5 GB/sec?!?! Try to imagine how many bots were involve.
HOPE YOU ALL ENJOY! “The quieter you become, the more you are able to hear…”

Recommended

Securing Internet communications end-to-end with the DANE protocol
Securing Internet communications end-to-end with the DANE protocolSecuring Internet communications end-to-end with the DANE protocol
Securing Internet communications end-to-end with the DANE protocol
Afnic
 
Zeus
ZeusZeus
Zeus
MaGn3t0
 
microservice
microservicemicroservice
microservice
Doron Segal
 
Selenium
SeleniumSelenium
Selenium
Doron Segal
 
Microservice
MicroserviceMicroservice
Microservice
Doron Segal
 
Rest API's
Rest API'sRest API's
Rest API's
Doron Segal
 
Node.js
Node.js Node.js
Node.js
Doron Segal
 
SEO: Getting Personal
SEO: Getting PersonalSEO: Getting Personal
SEO: Getting Personal
Kirsty Hulse
 

Recommended

Securing Internet communications end-to-end with the DANE protocol
Securing Internet communications end-to-end with the DANE protocolSecuring Internet communications end-to-end with the DANE protocol
Securing Internet communications end-to-end with the DANE protocol
Afnic
 
Zeus
ZeusZeus
Zeus
MaGn3t0
 
microservice
microservicemicroservice
microservice
Doron Segal
 
Selenium
SeleniumSelenium
Selenium
Doron Segal
 
Microservice
MicroserviceMicroservice
Microservice
Doron Segal
 
Rest API's
Rest API'sRest API's
Rest API's
Doron Segal
 
Node.js
Node.js Node.js
Node.js
Doron Segal
 
SEO: Getting Personal
SEO: Getting PersonalSEO: Getting Personal
SEO: Getting Personal
Kirsty Hulse
 
Famous C&C servers from inside to outside.
Famous C&C servers from inside to outside.Famous C&C servers from inside to outside.
Famous C&C servers from inside to outside.
Senad Aruc
 
Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1
Aniq Eastrarulkhair
 
Botnets
BotnetsBotnets
Botnets
Vishwadeep Badgujar
 
Botnet
BotnetBotnet
Botnet
Joshin Gomez
 
News bytes Sept-2011
News bytes Sept-2011News bytes Sept-2011
News bytes Sept-2011
Ashwin Patil, GCIH, GCIA, GCFE
 
HACKING DESCRIBE IN DETAIL FOR UNIVERSITY PROJECT
HACKING DESCRIBE IN DETAIL FOR UNIVERSITY PROJECTHACKING DESCRIBE IN DETAIL FOR UNIVERSITY PROJECT
HACKING DESCRIBE IN DETAIL FOR UNIVERSITY PROJECT
DHRUV562167
 
Botnet
BotnetBotnet
Botnet
prisonbreak4950
 
How To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot AttacksHow To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot Attacks
London School of Cyber Security
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)
André Fucs de Miranda
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
Geoff Pesimo
 
Ransomware hostage rescue manual
Ransomware hostage rescue manualRansomware hostage rescue manual
Ransomware hostage rescue manual
Roel Palmaers
 
The malware effects
The malware effectsThe malware effects
The malware effects
Viral Parmar
 
Lab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docxLab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docx
smile790243
 
Cybercrime presentation
Cybercrime presentationCybercrime presentation
Cybercrime presentation
Rajat Jain
 
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Jishnu Pradeep
 
News Bytes by Jaskaran Narula - Null Meet Bhopal
News Bytes by Jaskaran Narula - Null Meet Bhopal News Bytes by Jaskaran Narula - Null Meet Bhopal
News Bytes by Jaskaran Narula - Null Meet Bhopal
Jaskaran Narula
 
31.ppt
31.ppt31.ppt
31.ppt
ssuserec53e73
 
31.ppt
31.ppt31.ppt
31.ppt
KarmanChandi
 
cyber attacks in May , breaches in May
cyber attacks in May , breaches in Maycyber attacks in May , breaches in May
cyber attacks in May , breaches in May
Sathish Kumar K
 
Web Security
Web SecurityWeb Security
Web Security
Bharath Manoharan
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

More Related Content

Similar to Bots and malware

HACKING DESCRIBE IN DETAIL FOR UNIVERSITY PROJECT
HACKING DESCRIBE IN DETAIL FOR UNIVERSITY PROJECTHACKING DESCRIBE IN DETAIL FOR UNIVERSITY PROJECT
HACKING DESCRIBE IN DETAIL FOR UNIVERSITY PROJECT
DHRUV562167
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)
André Fucs de Miranda
 
Lab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docxLab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docx
smile790243
 

Similar to Bots and malware (20)

Famous C&C servers from inside to outside.
Famous C&C servers from inside to outside.Famous C&C servers from inside to outside.
Famous C&C servers from inside to outside.
 
Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1Mcs2453 aniq mc101053-assignment1
Mcs2453 aniq mc101053-assignment1
 
Botnets
BotnetsBotnets
Botnets
 
Botnet
BotnetBotnet
Botnet
 
News bytes Sept-2011
News bytes Sept-2011News bytes Sept-2011
News bytes Sept-2011
 
HACKING DESCRIBE IN DETAIL FOR UNIVERSITY PROJECT
HACKING DESCRIBE IN DETAIL FOR UNIVERSITY PROJECTHACKING DESCRIBE IN DETAIL FOR UNIVERSITY PROJECT
HACKING DESCRIBE IN DETAIL FOR UNIVERSITY PROJECT
 
Botnet
BotnetBotnet
Botnet
 
How To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot AttacksHow To Protect Your Website From Bot Attacks
How To Protect Your Website From Bot Attacks
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Ransomware hostage rescue manual
Ransomware hostage rescue manualRansomware hostage rescue manual
Ransomware hostage rescue manual
 
The malware effects
The malware effectsThe malware effects
The malware effects
 
Lab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docxLab3code.c#include stdio.h#include stdlib.h#include.docx
Lab3code.c#include stdio.h#include stdlib.h#include.docx
 
Cybercrime presentation
Cybercrime presentationCybercrime presentation
Cybercrime presentation
 
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
Paper Presentation - "Your Botnet is my Botnet : Analysis of a Botnet Takeover"
 
News Bytes by Jaskaran Narula - Null Meet Bhopal
News Bytes by Jaskaran Narula - Null Meet Bhopal News Bytes by Jaskaran Narula - Null Meet Bhopal
News Bytes by Jaskaran Narula - Null Meet Bhopal
 
31.ppt
31.ppt31.ppt
31.ppt
 
31.ppt
31.ppt31.ppt
31.ppt
 
cyber attacks in May , breaches in May
cyber attacks in May , breaches in Maycyber attacks in May , breaches in May
cyber attacks in May , breaches in May
 
Web Security
Web SecurityWeb Security
Web Security
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Recently uploaded (20)

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

Bots and malware

  • 2. WILL NOT TALK ABOUT - How to flight a Boeing 787 - Or a Boeing 777 Blow computer remotely
  • 3. WILL TALK ABOUT - Basic introduction to internet security - What is Botnet? C & C? How does it get to your computer? - Different module - Real life story - Live example
  • 4. Bottom Line A Bot is simply an automated computer program, or robot. BOT Making your computer into Bot using Trojan, Malware, etc.. The Bot will installed on the victim computer and will be communicate with the C&C server.
  • 5. HOW DOES IT WORKS
  • 6.
  • 7. HOW YOU BUILD A BOT? Easy, Bot Builder. Although you can re-create one from scratch.
  • 8. SPREAD THE WORD… So, we create this great Bot now lets spread it via…. But how?!? Via affiliate program, torrent, emule any p2p that are out there. For example lets {Some.New.Movie}.blu.ray and yes we can make it be 5GB although our bot will be only 100KB. Yes, sometimes will see {some.great.movie.avi} 565KB, Yeah right.
  • 11. C&C Command and Control Server In the old day a server that collect the victim data. Today much more complicated - Encrypted network connections Botnet access to the Kad network
  • 12. AN ANTIVIRUS OF ITS OWN Bootkit will infects the MBR in order to launch itself This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.
  • 13. SEARCH FOR SYSTEM REGISTRY FOR OTHER MALICIOUS PROGRAM
  • 14. BOTNET ACCESS TO THE KAD NETWORK So what do the cybercriminals want with a publicly accessible file exchange network? 1. Cybercriminals make a encrypted file the contains list of commands 2. Infected computer receive command to download and installing any module. 3. After the installation process the victim get the nodes which contains the publicly accessible list of IP addresses of network servers and clients (Kad server and clients). 4. The module then sends a request to the Kad network to search for the right file. 5. Once the files has been downloaded and encrypted, the dll file runs the commands
  • 15. PROXY MODULE Basically proxy server on the victim computer. - This module facilitates the anonymous viewing of Internet resources via infected machines. - New way making money $$, offering anonymous Internet access as a service, at a cost of roughly $100 per month. - Hiding the network and C&C servers.
  • 16. ANOTHER COOL WAY FOR PROXY FAST FLUX Fast flux DNS takes advantage of the way load balancing is built into the DNS. It allows an administrator to register a number of IP address with a single host name (for ex: google.com, facebook.com, etc…) And the secret is the TTL,
  • 18. REAL LIFE EXAMPLE :: TDL4 Couple of Facts: 1. TDSS is one of the most sophisticated threat. 2. TDSS uses a range of methods to evade signature, heuristic, and proactive detection. 3. Uses encryption to facilitate communication between its bots and the botnet command and control center. 4. powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system. 5. Algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers. 6. Kad.dll module which allows the TDSS botnet to access the Kad network. 7. Socks.dll has been added to TDSS‟s svchost.exe; it is used to establish a proxy server on an infected computer. 8. Smart ways to get command using encrypted files and different servers.
  • 19. WAYS TO SOLVE 1. Wireshark view logs and information 2. DNS server logs, when working under cooperation proxy server. 3. Bios , stop infection MBR.
  • 20. SOME MORE REAL LIFE STORIES • Chinese banker Trojan: There are 242 million e-commerce users (according to Dec 2012), it mean nearly half of the users in Internet users in China. (There is lots of money involve!) Win32.Bancyn.a, was named „Floating Cloud‟, and was used to steal several millions of dollars from e-commerce users. • Social Network Trojan (Brazil): "PimpMyWindow", an adware and click-fraud scheme that has infected several Brazilian Facebook users in recent days, works. Basically a browser plugin that communicate with the “Criminal” server and send the user information whenever is logged in to one of the Brazilian banks.
  • 21. The email asks to send an advance payment to the lottery so that they can release the prize money. Lots of naive users get fooled by the scammers and end up wasting their money. 419 NIGERIAN SCAMS A sample 419 Scam email ------------------------------------Sender: uk_national_lottery_005@hotmail.com Subject: !!!CONGRATULATIONS YOU ARE A WINNER!!! FROM THE LOTTERY PROMOTIONS MANAGER, THE UNITED KINGDOM INTERNATIONAL LOTTERY, PO BOX 287, WATFORD WD18 9TT, UNITED KINGDOM. We are delighted to inform you of your prize release from the United Kingdom International Lottery program. Your name was attached to Ticket number; 47061725, Batch number; 7056490902, Winning number; 07-14-24-37-43-48 bonus number 29, which consequently won the lottery in the first category....
  • 22. SLIDESHARE.NET ATTACK Example 2: April 23, 2008 • Slideshare was down for a few days due to DDOS attack that originated from China. • The attack reached a peak of 2.5GB/sec and consisted entirely of packets sent from China • 2.5 GB/sec?!?! Try to imagine how many bots were involve.
  • 23. HOPE YOU ALL ENJOY! “The quieter you become, the more you are able to hear…”

Editor's Notes

  1. Botnet access to the Kad networkOne of the most outstanding new features of TDL-4 is the kad.dll module, which allows the TDSS botnet to access the Kad network. So what do the cybercriminals want with a publicly accessible file exchange network?We have known about botnets controlled via P2P for some time now, although until now, these were closed protocol connections created by the cybercriminals themselves. In contrast, TDSS uses a public P2P network in order to transmit commands to all infected computers in the botnet. The initial steps of how TDSS makes use of Kad are given below: The cybercriminals make a file called ktzerules accessible on the Kad network. The file is encrypted and contains a list of commands for TDSS. Computers infected with TDSS receive the command to download and install the kad.dll module. Once installed, kad.dll downloads the file nodes.dat, which contains the publicly accessible list of IP addresses of Kad network servers and clients. The kad.dll module then sends a request to the Kad network to search for the ktzerules file. Once the ktzerules files has been downloaded and encrypted, kad.dll runs the commands which ktzerules contains.