
The cutting edge event for ITPros and Devs December 7-8, 2013 Athens, Greece Greek Malware: A “success” story Dimotikalis Panagiotis.

Presentation transcript:

1 the cutting edge event for ITPros and Devs December 7-8, 2013 Athens, Greece Greek Malware: A “success” story Dimotikalis Panagiotis

2 C:\WHOAMI • BSc, MCITP, MCSA, MCTS • 13th IEEE Conference on Technologies for Homeland Security, “Proactive Forensics: Three case studies”, Boston, MA • BSODAnalyzer creator, ITPRO|DEV 2012 • Antimalware guy • Θ. Διόγος wannabe

3 The malware Symptom 1: “I lost the files from my USB stick!” Symptom 2: “It freezes!”

4 The malware Symptom 1: “I lost the files from my USB stick!” Symptom 2: “It freezes!”

5 The malware Sysinternals Autoruns Sysinternals Process Explorer

6 The malware Sysinternals Process Explorer continued “C:\Users\Gi0\appdata\roaming”

7 The malware Cleaning • Delete aba32.exe & sys32.exe from “C:\Users\username\appdata\roaming” • Delete the Sys32 Registry key under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” (optional)

8 The malware: Analysis Sys32.exe MD5: 82589104DF4EFCAAB513FB1EB12FFA8E Detection: 28/47 Undetectable, among others, by: Eset NOD32, F-Secure, Malwarebytes, Microsoft Security Essentials

9 The malware: Analysis abab32.exe MD5: B145635F5EC250B8D4B389CD33BEEBB4 Detection: 10/46 Detectable, among others, by: McAfee-GW-Edition, Comodo, DrWeb, Panda

10 The malware: Analysis abab32.exe Sysinternals Strings strings.exe c:\abab32.exe jgarzik’s CPU miner (minerd.exe) ???!!!??

11 Intervention: Bitcoin 101 “Bitcoin is an open source peer-to-peer electronic money and payment network introduced in 2009 by pseudonymous developer "Satoshi Nakamoto". Bitcoin has been called a cryptocurrency because it uses cryptography to secure transactions.” Wikipedia Two ways to obtain it • Bitcoin mining • Purchase with real money

12 Intervention: Bitcoin 101 What is Bitcoin mining? “Mining is a distributed consensus system that is used to confirm waiting transactions by including them in the block chain.” Bitcoin.org 1 BTC = 1039 $ Essentially we are talking about hashes and confirming them through brute forcing. The miner that confirms each hash (transaction) is rewarded with 25 BTC. 25 BTC = 25975 $

13 Intervention: Bitcoin 101 Mining: CPU, GPU, FPGA, ASIC

14 Intervention: Bitcoin 101

15 The malware: Analysis abab32.exe jgarzik’s CPU miner Sys32.exe ? • strings.exe c:\Sys32.exe • Autoruns • Sneaks abab32.exe into the system • Infects USB drives

16 The malware: Analysis Sys32.exe PEiD: “Detects most common packers, cryptors and compilers for PE files and currently it can detect more than 600 different signatures in PE files”, Softpedia PeStudio: “a free tool performing the static investigation of any Windows executable binary”, Winitor.com

17 The malware: Analysis Sys32.exe “The image contains a hardcoded IP address” Filter: !(ip.dst ==!(ip.dst ==!(eth.dst == 00:0c:29:42:36:58)&&!(ipv6.dst == ff02::1:2)&&!(eth.dst == ff:ff:ff:ff:ff:ff) 2 IPs: Microsoft Co. and Forthnet SA

18 The malware: Analysis Sys32.exe .NET Reflector 8: “Seamlessly debug into third-party code and assemblies”, red-gate.com Assembly Visualizer: Data visualization plugin for .NET decompilers Alternatively ILSpy: “The open-source .NET assembly browser and decompiler”, ilspy.net

19 The malware: Analysis Sys32.exe • findTaskMgr(): Task Manager, are you there? • halfCPU(): Use 50% of the CPU • runProc(String, String): Detect the AVG and AVAST antivirus • installStartup(): Autorun • keepMinerAlive(): Keep the miner alive How do you communicate with your creator?

20 The malware: Analysis Sys32.exe : Forthnet SA

21 Intervention: Botnets 101 “A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks”, Wikipedia World map showing the 460 Million IP addresses that responded to ICMP ping requests or port scans from June and October 2012 Internet Census

22 The malware: Reconnaissance Simple search for the miner's username (aprovos.miner): Bitcoin forums City, Skype username Name, photo

23 The malware: Reconnaissance Search with an operator for the miner's username (aprovos.miner): “site:gr aprovos”

24 The malware: Aftermath @aantonop is Andreas M. Antonopoulos, author of the upcoming “Mastering Bitcoin and other digital crypto-currencies”, O'Reilly Media

25 The malware: Aftermath Meanwhile… “Once on the internet always on the internet”

26 The malware: Aftermath “Once on the internet always on the internet”

27 The malware: Aftermath Proactive • Do not rely on the results of a single antivirus/antimalware/utility • Firewall in interactive mode, or at least in a mode with well-defined rules • Rename the .exes of the tools you use • Windows 8.1 • EMET 4.1 Photo courtesy of @Malwaremustdie, http://malwaremustdie.blogspot.jp/2013/10/and-again-zeroaccesssirefef-is-not-dead.html

28 The malware: Aftermath Windows 8 • Improved Windows Defender • Secure Boot: Protecting the boot sector • Early Launch Anti-Malware (ELAM) Technology: Anti-malware is the first non-Microsoft process that runs on boot • Improved ASLR, DEP, Windows Heap • TPM 2.0 (Trusted Platform Module) • Biometrics

29 The malware: Aftermath Enhanced Mitigation Experience Toolkit “EMET uses security mitigation technologies such as Data Execution Prevention (DEP), Mandatory Address Space Layout Randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP), Export Address Table Access Filtering (EAF), Anti-ROP, and SSL/TLS Certificate Trust Pinning, to help protect computer systems from new or undiscovered threats. EMET can also protect legacy applications or third party line of business applications where you do not have access to the source code.”, Technet EMET anticipates the most common techniques adversaries might use and shields computer systems against those security threats. Must read: “EMET 4.1 Uncovered”, Melissa Elliott

30 The malware: Aftermath Reactive • Do not panic • If possible, keep samples • Do not easily trust anything you read on the internet • Back up (..with care) • Disconnect (Internet, LAN, etc.)

31 The malware: Aftermath

32 @ wannabe malware authors Paunch, Blackhole kit creator Hamza Bendelladj, Zeus botmaster Hacker from Brahami

33 Thank you

34 @sitoiGNope! http://giot.is gi0tis@ath.forthnet.gr GET IN TOUCH gi0tis@giot.is

