1 / 23

March 21 st , 2011

securing and enabling dynamic business. Spy VS Spy Countering SpyEye with SpyEye Lance James Director of Intelligence Vigilant, LLC. March 21 st , 2011. Lance James. Lance James Director of Intelligence, Vigilant, LLC Founder of Secure Science Corporation Brief Bio:

cliff
Download Presentation

March 21 st , 2011

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. securing and enabling dynamic business Spy VS Spy Countering SpyEye with SpyEyeLance JamesDirector of IntelligenceVigilant, LLC March 21st, 2011

  2. Lance James • Lance James • Director of Intelligence, Vigilant, LLC • Founder of Secure Science Corporation • Brief Bio: • Infosec over a decade, development, research, network intrusion, cryptography (IIP/I2P), IntelliFound, Daylight • Author of “Phishing Exposed”, • Co-Author of “Emerging Threat Analysis” • 3rd Book on it’s way (counter-intelligence) • Loves Karaoke • Very Hyper (but I am getting old)

  3. Research • SpyEye • Web Panel based C&C • DIY Builder Kits • Merging with Zeus • $1000-$3000 WMZ • Law • Title 18 USC 1030 • Color of Right • Expectation of Privacy

  4. SpyEye

  5. Components of SpyEye • Trojan • Build it yourself • Data interception • Formgrabs • Credit Cards • Software Collection • Process hooking • Kills Zeus/Zeus Merger • UPX Packed (most cases)

  6. Components of SpyEye • Web-based Panel • SYN 1 (Blind Drop) • Formgrabber/Data Manager • FTP Theft • Bank of America • Theft Stats • CN 1 (Command & Control) • Binary Updates • Configuration Updates • Statistic collection • Plugins • Backconnect (SOCKS5/FTP)

  7. Builder

  8. Web Panel (SYN 1)

  9. Web Panel (CN 1)

  10. What we know • Web Panel Investigation • Build Inference (directories and files) • Debug.log (general traffic) • Error.log (possible leaked IP’s and other info) • Tasks.log (what it’s doing) • Backup.sh (sql dump and passwords) • Config.ini (settings) • Understand the code • AJAX driven • AJAX queries and refreshes for data

  11. Debug.log

  12. Case Study • CnCHost: 91.211.117.25/sp/admin (currently down) • History: specific URI discovered publicly 09/07/2010 • Prior attacks from this IP discovered 07/26/2010 (same operator) • ASN 48587 (known for malicious activity) • Location: Ukraine (UA) • AS Name: Private Entrepreneur ZharkovMukolaMukolayovuch • Malware Life-cycle: Monday 08/30/10 – Friday, 09/24/10 (25 days) • Unique computers infected: 28,590 • Unique binaries distributed: 2,325

  13. C&C Activity

  14. Botnet Infections

  15. C&C Advancement & Law • C&C has many world readable files • Including Frm_grab.php • Doesn’t work without AJAX environment • Same concept as request 1 world readable file • Many requests at once • Very useful intelligence • Very complicated Legally • Explain what we did to a jury or judge • Explain it to attorney • DOJ conservative to risk

  16. How it works • C&C Target (SYN 1) main page password protected (illegal in US to log in)

  17. Eating Dog Food • Log in to local C&C setup Fire up Proxy, Set Servers to Stun!

  18. Kibbles & Bits Proxy Setup – either with burp or netsed Header Modification Browser proxy configuration

  19. Target Acquired When this changes we know we are connected

  20. Results • All data compromised in real time • Bot GUIDS per data compromise • Dates of compromises • Bonus points! • Bad guy activity • The day before 0 • Settings • We can update the botnets (Not Approved)

  21. Spy Wars Adversary is quick, no boundaries Jedi tools Jedi Council Disciplined Philosophy Jedi skill Limited by Law

  22. Be the Smart Jedi • May the Force Be With Us • We’re gonna need it • Do or Do Not! • There is no try • Yoda is awesome

  23. Contact Thank You! Lance James Director of Intelligence ljames@thevigilant.com http://www.thevigilant.com

More Related