
Greek Malware: A “success” story


Presentation Transcript


  1. Greek Malware: A “success” story Dimotikalis Panagiotis

  2. C:\whoami • BSc, MCITP, MCSA, MCTS • 13th IEEE Conference on Technologies for Homeland Security “Proactive Forensics: Three case studies”, Boston, MA • BSODAnalyzer creator, ITPPRO|DEV 2012 • Antimalware guy • Θ. Διόγος wannabe

  3. The malware Symptom 1: “I lost the files on my USB stick!” Symptom 2: “It freezes!”

  4. The malware Symptom 1: “I lost the files on my USB stick!” Symptom 2: “It freezes!”

  5. The malware Sysinternals Process Explorer Sysinternals Autoruns

  6. The malware Sysinternals Process Explorer continued “C:\Users\Gi0\appdata\roaming”

  7. The malware Cleaning • Delete aba32.exe & sys32.exe in “C:\Users\username\appdata\roaming” Optional • Delete the Sys32 Registry key under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”

  8. The malware: Analysis Sys32.exe MD5: 82589104DF4EFCAAB513FB1EB12FFA8E Detection: 28/47 Not detected by, among others: Eset NOD32, F-Secure, Malwarebytes, Microsoft Security Essentials

  9. The malware: Analysis abab32.exe MD5: B145635F5EC250B8D4B389CD33BEEBB4 Detection: 10/46 Detected by, among others: McAfee-GW-Edition, Comodo, DrWeb, Panda

  10. The malware: Analysis abab32.exe Sysinternals Strings strings.exe c:\abab32.exe ???!!!?? jgarzik’s CPU miner (minerd.exe)
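The deck identifies the dropped files by hand: an MD5 lookup (slides 8 and 9) and a run of Sysinternals Strings that reveals jgarzik’s CPU miner inside abab32.exe (slide 10). The script below is an added example, not code from the presentation or its author: it re-implements that triage in Python with a minimal strings extractor (ASCII and UTF-16LE, the two encodings strings.exe reports by default) and a hash lookup. The two MD5s and the miner marker strings come from the slides; the sample bytes, the `MINER_MARKERS` list and the function names are constructed for the demo.

```python
# Added example (not from the presentation): static triage of a dropped file,
# i.e. MD5 lookup plus a hunt for miner-related strings, in the spirit of
# the deck's strings.exe run. SAMPLE below is CONSTRUCTED; only the MD5s and
# the "minerd"/"jgarzik" markers are taken from the slides.
import hashlib
import re

# MD5s reported on the slides for the two dropped files (lowercased).
KNOWN_HASHES = {
    "82589104df4efcaab513fb1eb12ffa8e": "Sys32.exe (dropper / USB infector)",
    "b145635f5ec250b8d4b389cd33beebb4": "abab32.exe (jgarzik CPU miner)",
}

# Substrings whose presence among a binary's printable strings points at a
# bundled CPU miner (constructed list, seeded from the deck's strings output).
MINER_MARKERS = ("minerd", "jgarzik", "cpuminer")

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
# UTF-16LE strings: printable char followed by a NUL, four or more times.
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes, min_len: int = 4):
    """Return printable ASCII and UTF-16LE strings of at least min_len chars,
    roughly what strings.exe prints by default."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return [s for s in found if len(s) >= min_len]


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the buffer, matching the notation used on the slides."""
    return hashlib.md5(data).hexdigest()


def triage(data: bytes) -> dict:
    """Static triage: known-hash lookup plus miner-marker hunt in the strings."""
    digest = md5_hex(data)
    strings = extract_strings(data)
    hits = sorted({m for s in strings for m in MINER_MARKERS if m in s.lower()})
    return {
        "md5": digest,
        "known_as": KNOWN_HASHES.get(digest),
        "miner_markers": hits,
        "suspicious": bool(hits) or digest in KNOWN_HASHES,
    }


# Constructed stand-in for abab32.exe: a fake PE-like prefix, padding and a
# couple of strings a cpuminer build would carry (one ASCII, one UTF-16LE).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"cpuminer by jgarzik\x00" + b"\xff" * 8
    + "minerd.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Against the constructed sample the hash is unknown, but the strings alone flag it, which is the point of slide 10: a 10/46 detection rate says little, while a single `minerd` string tells you what the binary is for.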

  11. Intervention: Bitcoin 101 “Bitcoin is an open source peer-to-peer electronic money and payment network introduced in 2009 by pseudonymous developer "Satoshi Nakamoto". Bitcoin has been called a cryptocurrency because it uses cryptography to secure transactions.” Wikipedia Two ways to obtain it • Bitcoin mining • Purchase with real money

  12. Intervention: Bitcoin 101 What is Bitcoin mining? “Mining is a distributed consensus system that is used to confirm waiting transactions by including them in the block chain.” Bitcoin.org Essentially we are talking about hashes and confirming them through brute forcing. The miner that confirms each hash (transaction) is rewarded with 25 BTC. 1 BTC = $1039, 25 BTC = $25975
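Slide 12 compresses mining to “hashes confirmed through brute forcing”. The toy proof of work below is an added example, not part of the presentation, that makes the statement concrete: it keeps Bitcoin’s double SHA-256 but replaces the real target and block header with a constructed header and a small leading-zero-bits difficulty so the search finishes instantly. The asymmetry it shows (finding a nonce costs many hashes, checking one costs a single hash) is exactly why stolen CPU time is worth something to the author of abab32.exe.

```python
# Added example (not from the presentation): mining reduced to a toy proof
# of work. Bitcoin's real header layout and target are NOT reproduced; the
# header and the difficulty are constructed so the demo runs in a moment.
import hashlib
from typing import Optional, Tuple


def double_sha256(data: bytes) -> bytes:
    """Bitcoin hashes block headers with SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits; a crude stand-in for 'hash below target'."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def mine(header: bytes, difficulty_bits: int,
         max_nonce: int = 1 << 24) -> Optional[Tuple[int, str]]:
    """Try nonces until double_sha256(header || nonce) has at least
    difficulty_bits leading zero bits. Returns (nonce, digest_hex) or None.
    There is no shortcut: each candidate costs one hash, which is why mining
    is a brute-force race and why it moved from CPUs to GPUs, FPGAs and ASICs."""
    for nonce in range(max_nonce):
        digest = double_sha256(header + nonce.to_bytes(4, "little"))
        if leading_zero_bits(digest) >= difficulty_bits:
            return nonce, digest.hex()
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Checking a claimed solution costs exactly one hash."""
    digest = double_sha256(header + nonce.to_bytes(4, "little"))
    return leading_zero_bits(digest) >= difficulty_bits


if __name__ == "__main__":
    # Constructed header; a real one carries prev hash, merkle root, time, bits.
    hdr = b"constructed block header: prev_hash|merkle_root|timestamp"
    found = mine(hdr, 16)          # ~65k hashes on average at 16 bits
    if found:
        nonce, digest_hex = found
        print(nonce, digest_hex, verify(hdr, nonce, 16))
```

Raising `difficulty_bits` by one doubles the expected number of hashes; the deck’s CPU → GPU → FPGA → ASIC progression on slide 13 is the hardware answer to that exponential.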

  13. Intervention: Bitcoin 101 Mining: CPU, GPU, FPGA, ASIC

  14. Intervention: Bitcoin 101

  15. The malware: Analysis abab32.exe jgarzik’s CPU miner Sys32.exe ? • Autoruns • Infects USB drives • Sneaks abab32.exe into the system • strings.exe c:\Sys32.exe

  16. The malware: Analysis Sys32.exe PEiD: “Detects most common packers, cryptors and compilers for PE files and currently it can detect more than 600 different signatures in PE files”, Softpedia PeStudio: “a free tool performing the static investigation of any Windows executable binary”, Winitor.com

  17. The malware: Analysis Sys32.exe “The image contains a hardcoded IP address” Filter: !(ip.dst == 192.168.226.139)&&!(ip.dst == 239.255.255.250)&&!(eth.dst == 00:0c:29:42:36:58)&&!(ipv6.dst == ff02::1:2)&&!(eth.dst == ff:ff:ff:ff:ff:ff) 2 IPs: 65.55.10.11 and 178.128.71.3 65.55.10.11: Microsoft Co. 178.128.71.3: Forthnet SA
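The Wireshark display filter on slide 17 works by subtraction: drop everything addressed to the analysis VM itself, to SSDP and DHCPv6 multicast and to the Ethernet broadcast address, and whatever is left is a candidate for the hard-coded address. The script below is an added example, not from the presentation, that applies the same exclusions to a handful of constructed packet records so the two surviving destinations fall out. The five filter terms, the two IPs and their owners are from the slide; the `Packet` record, the gateway MAC and the packet list are constructed.

```python
# Added example (not from the presentation): the slide's Wireshark filter
# re-expressed in Python and applied to CONSTRUCTED packet records. Only the
# five excluded addresses and the two surviving IPs come from the deck.
from collections import Counter
from typing import Iterable, NamedTuple, Optional


class Packet(NamedTuple):
    eth_dst: str
    ip_dst: Optional[str] = None     # IPv4 destination, if any
    ipv6_dst: Optional[str] = None   # IPv6 destination, if any


# The exclusions in the slide's filter, grouped by the field they test.
EXCLUDED_IP_DST = {"192.168.226.139",     # the analysis VM itself
                   "239.255.255.250"}     # SSDP multicast
EXCLUDED_IPV6_DST = {"ff02::1:2"}         # DHCPv6 all-servers multicast
EXCLUDED_ETH_DST = {"00:0c:29:42:36:58",  # the VM's NIC
                    "ff:ff:ff:ff:ff:ff"}  # Ethernet broadcast

# Owners the deck looked up for the two survivors.
OWNER_NOTES = {"65.55.10.11": "Microsoft Co.", "178.128.71.3": "Forthnet SA"}


def passes_filter(p: Packet) -> bool:
    """Equivalent of the slide's display filter:
    !(ip.dst == 192.168.226.139) && !(ip.dst == 239.255.255.250) &&
    !(eth.dst == 00:0c:29:42:36:58) && !(ipv6.dst == ff02::1:2) &&
    !(eth.dst == ff:ff:ff:ff:ff:ff)"""
    if p.ip_dst in EXCLUDED_IP_DST:
        return False
    if p.ipv6_dst in EXCLUDED_IPV6_DST:
        return False
    if p.eth_dst.lower() in EXCLUDED_ETH_DST:
        return False
    return True


def outbound_destinations(packets: Iterable[Packet]) -> dict:
    """Count IPv4 destinations that survive the filter; these are the
    candidates for an address hard-coded into the sample."""
    counts = Counter(p.ip_dst for p in packets if passes_filter(p) and p.ip_dst)
    return {ip: {"packets": n, "owner": OWNER_NOTES.get(ip, "unknown")}
            for ip, n in counts.items()}


GW_MAC = "00:50:56:aa:bb:cc"   # constructed gateway MAC
VM_MAC = "00:0c:29:42:36:58"   # from the slide

# Constructed capture: the usual sandbox background noise plus the traffic
# that the deck found pointing at the two external hosts.
CAPTURE = [
    Packet(eth_dst="ff:ff:ff:ff:ff:ff", ip_dst="255.255.255.255"),  # DHCP discover
    Packet(eth_dst="01:00:5e:7f:ff:fa", ip_dst="239.255.255.250"),  # SSDP
    Packet(eth_dst="33:33:00:01:00:02", ipv6_dst="ff02::1:2"),       # DHCPv6
    Packet(eth_dst=GW_MAC, ip_dst="65.55.10.11"),                     # Microsoft
    Packet(eth_dst=VM_MAC, ip_dst="192.168.226.139"),                 # reply to the VM
    Packet(eth_dst=GW_MAC, ip_dst="178.128.71.3"),                    # Forthnet host
    Packet(eth_dst=GW_MAC, ip_dst="178.128.71.3"),
    Packet(eth_dst=GW_MAC, ip_dst="178.128.71.3"),
]

if __name__ == "__main__":
    for ip, info in outbound_destinations(CAPTURE).items():
        print(f"{ip:16} {info['packets']:3} pkts  {info['owner']}")
```

The Microsoft address is ordinary Windows background traffic; the repeated connections to the Forthnet address are what slide 20 follows up on. In a real capture the same subtraction is done once per VM image, after which any new external destination is worth a look.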

  18. The malware: Analysis Sys32.exe .NET Reflector 8: “Seamlessly debug into third-party code and assemblies”, red-gate.com Assembly Visualizer: Data visualization plugin for .NET decompilers Alternatively ILSpy: “The open-source .NET assembly browser and decompiler”, ilspy.net

  19. The malware: Analysis Sys32.exe • findTaskMgr(): Task Manager, are you there? • halfCPU(): Use 50% of the CPU • runProc(String, String): Detect AVG and AVAST antivirus • installStartup(): Autorun • keepMinerAlive(): Keep the miner alive How do you communicate with your creator?

  20. The malware: Analysis Sys32.exe 178.128.71.3: Forthnet SA

  21. Intervention: Botnets 101 “A botnet is a collection of Internet-connected programs communicating with other similar programs in order to perform tasks. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks”, Wikipedia World map showing the 460 Million IP addresses that responded to ICMP ping requests or port scans between June and October 2012, Internet Census

  22. The malware: Reconnaissance A simple search for the miner's username (aprovos.miner): Bitcoin forums City, Skype username Name, photo

  23. The malware: Reconnaissance Search with an operator for the miner's username (aprovos.miner): “site:graprovos”

  24. The malware: Aftermath @aantonop is Andreas M. Antonopoulos, author of the upcoming “Mastering Bitcoin and other digital crypto-currencies”, O'Reilly Media

  25. The malware: Aftermath Meanwhile… “Once on the internet always on the internet”

  26. The malware: Aftermath “Once on the internet always on the internet”

  27. The malware: Aftermath Proactive • Do not rely on the results of a single antivirus/antimalware/utility • Firewall in interactive mode, or at least in a mode with well-defined rules • Rename the .exes of the tools you use • Windows 8.1 • EMET 4.1 Photo courtesy of @Malwaremustdie, http://malwaremustdie.blogspot.jp/2013/10/and-again-zeroaccesssirefef-is-not-dead.html

  28. The malware: Aftermath Windows 8 • Improved Windows Defender • Secure Boot: Protecting the boot sector • Early Launch Anti-Malware (ELAM) Technology: Anti-malware is the first non-Microsoft process that runs on boot • Improved ASLR, DEP, Windows Heap • TPM 2.0 (Trusted Platform Module) • Biometrics

  29. The malware: Aftermath Enhanced Mitigation Experience Toolkit EMET anticipates the most common techniques adversaries might use and shields computer systems against those security threats. “EMET uses security mitigation technologies such as Data Execution Prevention (DEP), Mandatory Address Space Layout Randomization (ASLR), Structured Exception Handler Overwrite Protection (SEHOP), Export Address Table Access Filtering (EAF), Anti-ROP, and SSL/TLS Certificate Trust Pinning, to help protect computer systems from new or undiscovered threats. EMET can also protect legacy applications or third party line of business applications where you do not have access to the source code.”, Technet Must read: “EMET 4.1 Uncovered”, Melissa Elliott

  30. The malware: Aftermath Reactive • Don't panic • Back up (..with care) • Disconnect (Internet, LAN, etc.) • Don't readily trust everything you read on the internet • If possible, keep samples

  31. The malware: Aftermath

  32. The malware: Aftermath @ wannabe malware authors Pauchy, Blackhole kit creator Hamza Bendelladj, Zeus botmaster Hacker from Brahami

  33. Thank you

  34. Get in touch @sitoiG Nope! http://giot.is gi0tis@ath.forthnet.gr gi0tis@giot.is
