Greek Malware: A “success” story Dimotikalis Panagiotis
C:\whoami: BSc, MCITP, MCSA, MCTS. 13th IEEE Conference on Technologies for Homeland Security, “Proactive Forensics: Three case studies”, Boston, MA. BSODAnalyzer creator. ITPPRO|DEV 2012. Antimalware guy. Θ. Διόγος wannabe.
The malware. Symptom 1: “I lost the files on my USB stick!” Symptom 2: “It freezes!”
The malware Sysinternals Process Explorer Sysinternals Autoruns
The malware Sysinternals Process Explorer continued “C:\Users\Gi0\appdata\roaming”
The malware: Cleaning. Delete abab32.exe and sys32.exe from “C:\Users\username\appdata\roaming”. Optionally, delete the Sys32 registry entry under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”.
The malware: Analysis. Sys32.exe, MD5: 82589104DF4EFCAAB513FB1EB12FFA8E. Detection: 28/47. Not detected by, among others: Eset NOD32, F-Secure, Malwarebytes, Microsoft Security Essentials.
The malware: Analysis. abab32.exe, MD5: B145635F5EC250B8D4B389CD33BEEBB4. Detection: 10/46. Detected by, among others: McAfee-GW-Edition, Comodo, DrWeb, Panda.
The malware: Analysis, abab32.exe. Sysinternals Strings: strings.exe c:\abab32.exe ... ???!!!?? ... it is jgarzik’s CPU miner (minerd.exe).
Intervention: Bitcoin 101. “Bitcoin is an open source peer-to-peer electronic money and payment network introduced in 2009 by pseudonymous developer "Satoshi Nakamoto". Bitcoin has been called a cryptocurrency because it uses cryptography to secure transactions.” (Wikipedia). Two ways to obtain Bitcoin: mining, or buying with real money.
Intervention: Bitcoin 101. What is Bitcoin mining? “Mining is a distributed consensus system that is used to confirm waiting transactions by including them in the block chain.” (Bitcoin.org). Essentially we are talking about hashes and confirming them by brute forcing. The miner that confirms a given hash (transaction) is rewarded with 25 BTC. 1 BTC = 1039 $, so 25 BTC = 25975 $.
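What the bundled miner actually does all day is easiest to see in a toy proof-of-work. The following Python is an added example written for this page, not the talk's own material and not the code of minerd; the header bytes, the target difficulty and the field names in it are constructed for illustration (a real Bitcoin header is an 80-byte structure with a far harder target).

```python
"""Toy proof-of-work in the style of Bitcoin mining (added example, not from the talk).

A miner hashes a candidate block header with double SHA-256, bumping a 32-bit
nonce each time, until the hash is numerically below a target. There is no
shortcut: the only way to find a valid nonce is to try candidates one after
another, which is why the talk calls it brute forcing and why a miner dropped
on a victim's PC pins the CPU (the halfCPU() throttle in Sys32.exe only hides it).

The header contents and difficulty below are constructed for illustration.
"""
import hashlib
import struct


def sha256d(data: bytes) -> bytes:
    """Bitcoin's hash function: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def target_from_leading_zero_bits(bits: int) -> int:
    """Target = largest 256-bit value whose top `bits` bits are zero."""
    return (1 << (256 - bits)) - 1


def hash_meets_target(digest: bytes, target: int) -> bool:
    """A digest is a valid proof when, read as a big-endian integer, it is <= target."""
    return int.from_bytes(digest, "big") <= target


def mine(header_prefix: bytes, target: int, max_nonce: int = 2 ** 32):
    """Try nonces 0..max_nonce-1. Return (nonce, digest, attempts) or None."""
    for nonce in range(max_nonce):
        candidate = header_prefix + struct.pack("<I", nonce)  # nonce appended little-endian
        digest = sha256d(candidate)
        if hash_meets_target(digest, target):
            return nonce, digest, nonce + 1
    return None


def verify(header_prefix: bytes, nonce: int, target: int) -> bool:
    """Checking a claimed solution costs one hash; finding it cost many."""
    return hash_meets_target(sha256d(header_prefix + struct.pack("<I", nonce)), target)


if __name__ == "__main__":
    # Constructed header: a real one carries version, prev-hash, merkle root, time, bits.
    header = b"constructed-header:prev=00..00:merkle=ab..cd:time=1387000000"
    target = target_from_leading_zero_bits(18)  # ~260k attempts on average
    nonce, digest, attempts = mine(header, target)
    print(f"nonce={nonce} attempts={attempts} hash={digest.hex()}")
    print("verified:", verify(header, nonce, target))
```

Raising the difficulty by one bit doubles the expected number of hashes, which is the whole economics of the talk's CPU, GPU, FPGA, ASIC progression: the work is embarrassingly parallel and purely hash throughput, so stolen CPU cycles on many infected machines are worth real money to the botmaster.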
Intervention: Bitcoin 101. Mining hardware: CPU, GPU, FPGA, ASIC.
Intervention: Bitcoin 101
The malware: Analysis. abab32.exe: jgarzik’s CPU miner. Sys32.exe: ? Autoruns; infects USB drives; sneaks abab32.exe into the system. Next: strings.exe c:\Sys32.exe
The malware: Analysis, Sys32.exe. PEiD: “Detects most common packers, cryptors and compilers for PE files and currently it can detect more than 600 different signatures in PE files” (Softpedia). PeStudio: “a free tool performing the static investigation of any Windows executable binary” (Winitor.com).
The malware: Analysis, Sys32.exe. PeStudio: “The image contains a hardcoded IP address”. Wireshark filter to drop local noise: !(ip.dst == 192.168.226.139)&&!(ip.dst == 239.255.255.250)&&!(eth.dst == 00:0c:29:42:36:58)&&!(ipv6.dst == ff02::1:2)&&!(eth.dst == ff:ff:ff:ff:ff:ff). 2 IPs remain: 65.55.10.11 and 178.128.71.3. 65.55.10.11: Microsoft Co. 178.128.71.3: Forthnet SA.
The malware: Analysis, Sys32.exe. .NET Reflector 8: “Seamlessly debug into third-party code and assemblies” (red-gate.com). Assembly Visualizer: data visualization plugin for .NET decompilers. Alternatively, ILSpy: “The open-source .NET assembly browser and decompiler” (ilspy.net).
The malware: Analysis, Sys32.exe. findTaskMgr(): Task Manager, are you there? halfCPU(): use 50% of the CPU. runProc(String, String): detect AVG and AVAST antivirus. installStartup(): autorun. keepMinerAlive(): keep the miner alive. How do you talk to your creator?
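installStartup() is the piece that the cleaning slide earlier undoes by hand: a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing at an .exe in the user's roaming AppData. The script below is an added example, not the talk's own tooling, for triaging that key from a `reg export` text dump: it parses the export, flags entries whose target lives in a user-writable directory, and prints the matching `reg delete` command for review. The export is constructed; the Sys32 entry name and the appdata\roaming path follow the talk, the other two entries are invented benign noise.

```python
"""Triage HKCU Run entries from a .reg export and flag user-writable targets.

Added example, not from the talk. Persistence via the Run key is cheap for a
dropper (installStartup() in Sys32.exe) and cheap to audit: a legitimate
autostart almost never lives under AppData\Roaming or a Temp directory.
RUN_EXPORT is a constructed export; only the Sys32 entry mirrors the talk.
"""
import re

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Directories a user can write to without elevation; a Run target there is a red flag.
SUSPECT_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\temp\\", "\\users\\public\\")

# Constructed `reg export` output. .reg files double backslashes and escape quotes as \".
RUN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Gi0\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Sys32"="C:\\Users\\Gi0\\appdata\\roaming\\Sys32.exe"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
'''

VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_export(text: str) -> dict:
    """Map value name -> command line, with .reg escaping (\\\\ and \\") undone."""
    entries = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if m:
            entries[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return entries


def executable_path(command: str) -> str:
    """Pull the program path out of a Run command line.

    Quoted paths are unambiguous. For unquoted ones we stop at the first
    '.exe'; an unquoted path with spaces and no .exe stays ambiguous (caveat).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)\b", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def flag_entries(entries: dict) -> list:
    """Return (name, path, reason) for every entry whose target sits in a suspect directory."""
    flagged = []
    for name, command in entries.items():
        path = executable_path(command)
        lowered = path.lower()
        for d in SUSPECT_DIRS:
            if d in lowered:
                flagged.append((name, path, f"target under {d.strip(chr(92))}"))
                break
    return flagged


def cleanup_commands(flagged: list) -> list:
    """The `reg delete` lines an analyst would run after confirming each hit (file removal is separate)."""
    return [f'reg delete "{RUN_KEY}" /v "{name}" /f' for name, _path, _reason in flagged]


if __name__ == "__main__":
    hits = flag_entries(parse_run_export(RUN_EXPORT))
    for name, path, reason in hits:
        print(f"{name}: {path} ({reason})")
    print("\n".join(cleanup_commands(hits)))
```

The export itself comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` on the suspect machine; Autoruns shows the same entries, but a text export can be diffed against a known-good baseline and kept as evidence, which matches the talk's advice to keep samples. The flag is a heuristic, so each hit still needs the hash lookup and strings pass the talk walks through before anything is deleted.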
The malware: Analysis Sys32.exe 178.128.71.3 : Forthnet SA
Intervention: Botnets 101 “A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks”, Wikipedia World map showing the 460 Million IP addresses that responded to ICMP ping requests or port scans from June and October 2012 Internet Census
The malware: Reconnaissance. A simple search for the miner’s username (aprovos.miner): Bitcoin forums, city, Skype username, name, photo.
The malware: Reconnaissance. Search with an operator for the miner’s username (aprovos.miner): “site:gr aprovos”
The malware: Aftermath @aantonop is Andreas M. Antonopoulos, author of the upcoming “Mastering Bitcoin and other digital crypto-currencies”, O'Reilly Media
The malware: Aftermath Meanwhile… “Once on the internet always on the internet”
The malware: Aftermath. Proactive: Don’t rely on the results of a single antivirus/antimalware/utility. Run the firewall in interactive mode, or at least in a mode with well-defined rules. Rename the .exes of the tools you use. Windows 8.1. EMET 4.1. Photo courtesy of @Malwaremustdie, http://malwaremustdie.blogspot.jp/2013/10/and-again-zeroaccesssirefef-is-not-dead.html
The malware: Aftermath. Windows 8: Improved Windows Defender. Secure Boot: protecting the boot sector. Early Launch Anti-Malware (ELAM): anti-malware is the first non-Microsoft process that runs on boot. Improved ASLR, DEP and Windows heap. TPM 2.0 (Trusted Platform Module). Biometrics.
The malware: Aftermath. Enhanced Mitigation Experience Toolkit: EMET anticipates the most common techniques adversaries might use and shields computer systems against those security threats. “EMET uses security mitigation technologies such as Data Execution Prevention (DEP), Mandatory Address Space Layout Randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP), Export Address Table Access Filtering (EAF), Anti-ROP, and SSL/TLS Certificate Trust Pinning, to help protect computer systems from new or undiscovered threats. EMET can also protect legacy applications or third party line of business applications where you do not have access to the source code.” (Technet). Must read: “EMET 4.1 Uncovered”, Melissa Elliott.
The malware: Aftermath. Reactive: Don’t panic. Back up (..carefully). Disconnect (Internet, LAN, etc.). Don’t be quick to trust anything you read on the internet. If possible, keep samples.
The malware: Aftermath
The malware: Aftermath. @ wannabe malware authors: Paunch, Blackhole kit creator. Hamza Bendelladj, Zeus botmaster. The hacker from Brahami (Μπραχάμι).
Thank you
Get in touch @sitoiG Nope! gi0tis@ath.forthnet.gr http://giot.is gi0tis@giot.is
Sponsors