DOCSLIB.ORG

Dgarchive a Deep Dive Into Domain Generating Malware

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Dgarchive a Deep Dive Into Domain Generating Malware DGArchive A deep dive into domain generating malware Daniel Plohmann [email protected] 2015-12-03 | Botconf, Paris © 2015 Fraunhofer FKIE 1 About me Daniel Plohmann PhD candidate at University of Bonn, Germany Security Researcher at Fraunhofer FKIE Focus: Reverse Engineering / Malware Analysis / Automation Projects ENISA Botnet Study 2011 [1] Analysis Tools PyBox, IDAscope, DGArchive, … Botnet Analysis Gameover Zeus / P2P protocols [2] DGA-based Malware [1] http://www.enisa.europa.eu/act/res/botnets/botnets-measurement-detection-disinfection-and-defence [2] http://christian-rossow.de/publications/p2pwned-ieee2013.pdf © 2015 Fraunhofer FKIE 2 Agenda Intro: Domain Generation Algorithms / DGArchive Comparison of DGA Features Registration Status of DGA Domain Space Case Studies © 2015 Fraunhofer FKIE 3 Intro Domain Generation Algorithms © 2015 Fraunhofer FKIE 4 Domain Generation Algorithms Definitions Concept first described ~2008: Domain Flux Domain Generation Algorithm (DGA) An algorithm producing Command & Control rendezvous points dynamically Shared secret between malware running on compromised host and botmaster Seeds Collection of parameters influencing the output of the algorithm Algorithmically-Generated Domain (AGD) Domains resulting from a DGA © 2015 Fraunhofer FKIE 5 Domain Generation Algorithms Origin & History Feb 2006 Sality: dynamically generates 3rd-level domain part July 2007 Torpig: Report by Verisign includes DGA-like domains July 2007 Kraken: VirusTotal upload of binary using DDNS April 2008 Kraken DGA first publicly mentioned 3 big events in November 2008 – April 2009: Szribi: Takedown, but botmaster regained control through DGA Conficker: Well, you probably know about that one… Torpig: DGA-based takeover http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=138354 http://fserror.com/pdf/Torpig.pdf ©https://isc.sans.edu/forums/diary/Kr 2015 Fraunhofer FKIE aken+Technical+Details+UPDATED+x3/4256/ https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html https://seclab.cs.ucsb.edu/media/uploads/papers/torpig.pdf 6 Domain Generation Algorithms Motivation for Usage Aggravation of Analysis No hardcoded domains / dumping -> code analysis needed Evasion Many DGAs have short-lived domains -> avoid domain reputation Backup Registration only when needed Asymmetry Attacker needs one domain, defender needs to prohibit access to all Feasability of DGAs Domains are cheap (compared to profits) © 2015 Fraunhofer FKIE 7 DGArchive The idea DGAs are annoying! :( Idea: Reverse DGA, then generate and archive all possible domains since first spotting of a malware family pcxeyx.biz? Domain Blocklist Lookups Generation [...] Nymaim! "qetyxeg.com","simda" "puvywup.com","simda" Valid on: "gahyfow.com","simda" 2014-04-19 "lyryxen.com","simda" "vocyquc.com","simda" 2014-03-20 "qegyfil.com","simda" 2015-12-11 "puryxag.com","simda" DGArchive "gacyqys.com","simda" [...] © 2015 Fraunhofer FKIE 8 DGArchive Status Botconf 2014: Lightning talk 8 families, ~20 seeds, ~ 4 million domains DGArchive Today 43 families/variants, ~280 seeds, 20+ million domains © 2015 Fraunhofer FKIE 9 Finding DGAs Mining a Sandbox DNS feed Remix of academic approaches and common sense Input: List of domains, queried during a sandbox run DNS Feed by THANK YOU!!! 1,235,443 sandbox runs; 15,660,256 DNS queries (959,607 unique) 1. Alexa 1 million 2. Self-curated blacklist 1) Filtering 3. Query vs DGArchive 1. N-gram frequency New Seed? 2. Entropy 2) Scoring 3. Domain length ? tch 4. NX domain? a M Known Patterns of DGAs 1. Length 3) Matching New DGA? 2. Alphabets No Match / 3. TLDs © 2015 Fraunhofer FKIE Inconsistency 10 Parameter Extraction Automate all the things! Customized sandboxing system for selected malware families Processing malware feeds (<- THANK YOU) Part of TinyBanker DGA config in memory: Regex for extraction of relevant fields: 0000000: f9 b0 20 f3 aa 61 e8 00 00 00 00 58 2d 1b 68 40 .. ..a.....X‐.h@ 0000010: 00 ff 75 10 ff 75 0c ff 75 08 ff 90 33 4d 40 00 ..u..u..u...3M@. regex_config = ( 0000020: 83 c4 0c c9 c3 90 90 90 90 90 90 90 90 90 90 90 ................ r"\x90{4,16} " 0000030: 73 70 61 69 6e 65 73 2e 70 77 00 00 00 00 00 00 spaines.pw...... r"(?P<domain_name>[\S\s]{30})" 0000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 ...............P r"(?P<unknown_word>[\S\s]{2})" 0000050: 2f 45 69 44 51 6a 4e 62 57 45 51 2f 00 00 00 00 /EiDQjNbWEQ/.... r"(?P<uri>[\S\s]{32})" 0000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ r"(?P<rc4_key>[a‐zA‐Z0‐9]{16})" 0000070: 47 50 51 61 74 5a 37 79 43 6b 4c 78 73 54 76 46 GPQatZ7yCkLxsTvF r"(?P<unknown_str>[\S\s]{8})" 0000080: 30 30 30 30 30 30 30 32 70 77 00 30 30 30 2c 01 00000002pw.000,. r"(?P<dga_tld>[\S\s]{6})" 0000090: 0a 00 e8 03 8c 00 00 00 45 ce a3 46 7d 32 b9 cc ........E..F}2.. r"(?P<unknown_dword>[\S\s]{4})" 00000a0: 1a 55 80 de f2 8e f3 a7 e4 53 60 ca 11 6f 08 55 .U.......S`..o.U r"(?P<num_dga_domains>[\S\s]{2})" 00000b0: 14 ad 76 a6 12 67 8f 7e dd 49 fe 04 b0 b5 08 c8 ..v..g.~.I...... r"(?P<static_config_len>[\S\s]{4})") © 2015 Fraunhofer FKIE 11 Comparison of DGA Features © 2015 Fraunhofer FKIE 12 DGA Features Intro Examples of DGA characteristics DGA class and generation scheme (+ use of well-known algorithms) Domain structure (length, alphabet) and TLDs Domain validity period and domains per cycle (covered indirectly) Domain randomness C&C Priority In short: DGA is basically always „last priority“ but 28 of 40 families use DGA as only C&C rendezvous method! (5 of them have hardcoded but basically unused domains) © 2015 Fraunhofer FKIE 13 DGA Features Taxonomy and Generation Schemes DGA Classes (Taxonomy by Barabosch et al. [1]): Type Time dependent Deterministic Example TID Kraken, TinyBanker TDD Conficker, Gameover Zeus TDN Torpig, Bedep TIN - Generation Schemes Type Example Family Example Domain Arithmetic (A) DirCrypt vlbqryjd.com Wordlist (W) Matsnu termacceptyear.com Hashing (H) Bamital b83ed4877eec1997fcc39b7ae590007a.info Permutation (P) VolatileCedar dotnetexplorer.info [1] https://net.cs.uni-bonn.de/fileadmin/user_upload/wichmann/Extraction_DNGA_Malware.pdf © 2015 Fraunhofer FKIE 14 Bamital Fobber Mewsei Pykspa 2 Simda Banjori Geodo Murofet 1 Suppobox QakBot Bedep Gameover DGA Murofet 2 Szribi Ramdo Conficker Gameover P2P Necurs Tempedreve Ramnit CoreBot Gozi Nymaim Ranbyus TinyBanker Cryptolocker Hesperbot Pushdo Redyms Torpig DirCrypt Kraken Pushdo TID UrlZone Rovnix Dyre Matsnu Pykspa 1 VolatileCedar Shifu Names© 2015 Fraunhofercontain FKIE clickable links to references for these families. 15 Bamital Fobber Mewsei Pykspa 2 Simda TDD TID TDD TDD TID Banjori Geodo Murofet 1 Suppobox QakBot TID TDD TDD TDD TDD Bedep Gameover DGA Murofet 2 Szribi Ramdo TDN TDD TDD TID TDD Conficker Gameover P2P Necurs Tempedreve Ramnit TDD TDD TDD TID TID CoreBot Gozi Nymaim Ranbyus TinyBanker TDD TDD TDD TDD TID Cryptolocker Hesperbot Pushdo Redyms Torpig TDD TID TDD TID TDD / TDN DirCrypt Kraken Pushdo TID UrlZone Rovnix TID TID TID TID TID Dyre Matsnu Pykspa 1 VolatileCedar Shifu TDD TDD TDD TID TID © 2015 Fraunhofer FKIE Classes: 22 (55%) TDD, 16 (40%) TID, 2 (5%) TDN 16 Bamital Fobber Mewsei Pykspa 2 Simda H (MD5) A (LCG) A (LCG) A( LCG) A Banjori Geodo Murofet 1 Suppobox QakBot A A A (MD5) A (Mersenne) W Bedep Gameover DGA Murofet 2 Szribi Ramdo A A (MD5) A (MD5) A A Conficker Gameover P2P Necurs Tempedreve Ramnit A A (MD5) A A (LCG) A (LCG) CoreBot Gozi Nymaim Ranbyus TinyBanker A (LCG) W (LCG) A (Xorshift) A A Cryptolocker Hesperbot Pushdo Redyms Torpig A A A (MD5) A A DirCrypt Kraken Pushdo TID UrlZone Rovnix A (LCG) A A (LCG) A (LCG) A Dyre Matsnu Pykspa 1 VolatileCedar Shifu H (SHA256) W A A (LCG) P © 2015 Fraunhofer FKIE Classes: 34 (85%) A, 3 (7.5%) W, 2 (5%) H, 1 (2.5%) P 17 Bamital Fobber Mewsei Pykspa 2 Simda The Linear Congruential Generator (LCG) H A (LCG) A (LCG) A( LCG) A Pseudo-RandomBanjori NumberGeodo GeneratorMurofet (PRNG)1 QakBot Suppobox AXn+1 = ( a * Xn + c)A mod m A (MD5) A (Mersenne) W BedepNumerous variantsGameoverofDGA LCG withMurofetregard2 to parameters (a, c, m) Szribi Ramdo Numerical Recipes, MSVC, Park & Miller, own values, … A A (MD5) A (MD5) A A Conficker Gameover P2P Necurs Ramnit Tempedreve Trivial example DGA: Pushdo TID A A (MD5) A A (LCG) A (LCG) def generateDomain(): CoreBot Gozi Nymaim Ranbyus TinyBanker domain = "" A (LCG)tlds = [".com",W (LCG) ".net", ".org",A (Xorshift) ".ru", ".tv"] A A for i in xrange(10): Cryptolocker domain Hesperbot+= chr(0x61 + lcg()Pushdo % 26) Redyms Torpig domain += tlds[lcg() % 5] A return domain A A (MD5) A A DirCrypt Kraken Pushdo TID UrlZone ################# Rovnix A"xirgbebore.tv" (LCG) A A (LCG) A (LCG) A "bsbuhapqbw.org" "pgdudgjypi.ru"Dyre Matsnu Pykspa 1 VolatileCedar Shifu H (SHA256) W A A (LCG) P Digression© 2015 Fraunhofer FKIE Time! 18 Bamital Fobber Mewsei Pykspa 2 Simda Banjori Geodo Murofet 1 Suppobox QakBot Bedep Gameover DGA Murofet 2 Szribi Ramdo Conficker Gameover P2P Necurs Tempedreve Ramnit CoreBot Gozi Nymaim Ranbyus TinyBanker Cryptolocker Hesperbot Pushdo Redyms Torpig DirCrypt Kraken Pushdo TID UrlZone Rovnix Dyre Matsnu Pykspa 1 Shifu VolatileCedar © 2015 Fraunhofer FKIE Domain Structure. 19 Bamital Fobber Mewsei Pykspa 2 Simda 32 | 4 | 16 10 - 17 | 2 | 26 8 - 15 | 1 | 23 6 - 12 | 4 | 26 5 - 11 (F) | 4 | 26 Banjori Geodo Murofet 1 Suppobox QakBot 11 – 26 (F) | 1 | 26 16 | 1 | 25 8 - 15 | 5 | 26 8 - 25 | 5 | 26 8
Load more

Recommended publications
  • A the Hacker
    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
    [Show full text]
  • Internet Security Threat Report Volume 24 | February 2019
    ISTRInternet Security Threat Report Volume 24 | February 2019 THE DOCUMENT IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENT. THE INFORMATION CONTAINED IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. INFORMATION OBTAINED FROM THIRD PARTY SOURCES IS BELIEVED TO BE RELIABLE, BUT IS IN NO WAY GUARANTEED. SECURITY PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT (“CONTROLLED ITEMS”) ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER FOR YOU TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT SUCH CONTROLLED ITEMS. TABLE OF CONTENTS 1 2 3 BIG NUMBERS YEAR-IN-REVIEW FACTS AND FIGURES METHODOLOGY Formjacking Messaging Cryptojacking Malware Ransomware Mobile Living off the land Web attacks and supply chain attacks Targeted attacks Targeted attacks IoT Cloud Underground economy IoT Election interference MALICIOUS
    [Show full text]
  • 1.Computer Virus Reported (1) Summary for This Quarter
    Attachment 1 1.Computer Virus Reported (1) Summary for this Quarter The number of the cases reported for viruses*1 in the first quarter of 2013 decreased from that of the fourth quarter of 2012 (See Figure 1-1). As for the number of the viruses detected*2 in the first quarter of 2013, W32/Mydoom accounted for three-fourths of the total (See Figure 1-2). Compared to the fourth quarter of 2012, however, both W32/Mydoom and W32/Netsky showed a decreasing trend. When we looked into the cases reported for W32/Netsky, we found that in most of those cases, the virus code had been corrupted, for which the virus was unable to carry out its infection activity. So, it is unlikely that the number of cases involving this virus will increase significantly in the future As for W32/IRCbot, it has greatly decreased from the level of the fourth quarter of 2012. W32/IRCbot carries out infection activities by exploiting vulnerabilities within Windows or programs, and is often used as a foothold for carrying out "Targeted Attack". It is likely that that there has been a shift to attacks not using this virus. XM/Mailcab is a mass-mailing type virus that exploits mailer's address book and distributes copies of itself. By carelessly opening this type of email attachment, the user's computer is infected and if the number of such users increases, so will the number of the cases reported. As for the number of the malicious programs detected in the first quarter of 2013, Bancos, which steals IDs/Passwords for Internet banking, Backdoor, which sets up a back door on the target PC, and Webkit, which guides Internet users to a maliciously-crafted Website to infect with another virus, were detected in large numbers.
    [Show full text]
  • Miscellaneous: Malware Cont'd & Start on Bitcoin
    Miscellaneous: Malware cont’d & start on Bitcoin CS 161: Computer Security Prof. Raluca Ada Popa April 19, 2018 Credit: some slides are adapted from previous offerings of this course Viruses vs. Worms VIRUS WORM Propagates By infecting Propagates automatically other programs By copying itself to target systems Usually inserted into A standalone program host code (not a standalone program) Another type of virus: Rootkits Rootkit is a ”stealthy” program designed to give access to a machine to an attacker while actively hiding its presence Q: How can it hide itself? n Create a hidden directory w /dev/.liB, /usr/src/.poop and similar w Often use invisiBle characters in directory name n Install hacked Binaries for system programs such as netstat, ps, ls, du, login Q: Why does it Become hard to detect attacker’s process? A: Can’t detect attacker’s processes, files or network connections By running standard UNIX commands! slide 3 Sony BMG copy protection rootkit scandal (2005) • Sony BMG puBlished CDs that apparently had copy protection (for DRM). • They essentially installed a rootkit which limited user’s access to the CD. • It hid processes that started with $sys$ so a user cannot disaBle them. A software engineer discovered the rootkit, it turned into a Big scandal Because it made computers more vulneraBle to malware Q: Why? A: Malware would choose names starting with $sys$ so it is hidden from antivirus programs Sony BMG pushed a patch … But that one introduced yet another vulneraBility So they recalled the CDs in the end Detecting Rootkit’s
    [Show full text]
  • An Introduction to Malware
    Downloaded from orbit.dtu.dk on: Sep 24, 2021 An Introduction to Malware Sharp, Robin Publication date: 2017 Document Version Publisher's PDF, also known as Version of record Link back to DTU Orbit Citation (APA): Sharp, R. (2017). An Introduction to Malware. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. Users may download and print one copy of any publication from the public portal for the purpose of private study or research. You may not further distribute the material or use it for any profit-making activity or commercial gain You may freely distribute the URL identifying the publication in the public portal If you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediately and investigate your claim. An Introduction to Malware Robin Sharp DTU Compute Spring 2017 Abstract These notes, written for use in DTU course 02233 on Network Security, give a short introduction to the topic of malware. The most important types of malware are described, together with their basic principles of operation and dissemination, and defenses against malware are discussed. Contents 1 Some Definitions............................2 2 Classification of Malware........................2 3 Vira..................................3 4 Worms................................
    [Show full text]
  • Iptrust Botnet / Malware Dictionary This List Shows the Most Common Botnet and Malware Variants Tracked by Iptrust
    ipTrust Botnet / Malware Dictionary This list shows the most common botnet and malware variants tracked by ipTrust. This is not intended to be an exhaustive list, since new threat intelligence is always being added into our global Reputation Engine. NAME DESCRIPTION Conficker A/B Conficker A/B is a downloader worm that is used to propagate additional malware. The original malware it was after was rogue AV - but the army's current focus is undefined. At this point it has no other purpose but to spread. Propagation methods include a Microsoft server service vulnerability (MS08-067) - weakly protected network shares - and removable devices like USB keys. Once on a machine, it will attach itself to current processes such as explorer.exe and search for other vulnerable machines across the network. Using a list of passwords and actively searching for legitimate usernames - the ... Mariposa Mariposa was first observed in May 2009 as an emerging botnet. Since then it has infected an ever- growing number of systems; currently, in the millions. Mariposa works by installing itself in a hidden location on the compromised system and injecting code into the critical process ͞ĞdžƉůŽƌĞƌ͘ĞdžĞ͘͟/ƚŝƐknown to affect all modern Windows versions, editing the registry to allow it to automatically start upon login. Additionally, there is a guard that prevents deletion while running, and it automatically restarts upon crash/restart of explorer.exe. In essence, Mariposa opens a backdoor on the compromised computer, which grants full shell access to ... Unknown A botnet is designated 'unknown' when it is first being tracked, or before it is given a publicly- known common name.
    [Show full text]
  • Symantec Intelligence Report: June 2011
    Symantec Intelligence Symantec Intelligence Report: June 2011 Three-quarters of spam send from botnets in June, and three months on, Rustock botnet remains dormant as Cutwail becomes most active; Pharmaceutical spam in decline as new Wiki- pharmacy brand emerges Welcome to the June edition of the Symantec Intelligence report, which for the first time combines the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. The new integrated report, the Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this combined report includes data from May and June 2011. Report highlights Spam – 72.9% in June (a decrease of 2.9 percentage points since May 2011): page 11 Phishing – One in 330.6 emails identified as phishing (a decrease of 0.05 percentage points since May 2011): page 14 Malware – One in 300.7 emails in June contained malware (a decrease of 0.12 percentage points since May 2011): page 15 Malicious Web sites – 5,415 Web sites blocked per day (an increase of 70.8% since May 2011): page 17 35.1% of all malicious domains blocked were new in June (a decrease of 1.7 percentage points since May 2011): page 17 20.3% of all Web-based malware blocked was new in June (a decrease of 4.3 percentage points since May 2011): page 17 Review of Spam-sending botnets in June 2011: page 3 Clicking to Watch Videos Leads to Pharmacy Spam: page 6 Wiki for Everything, Even for Spam: page 7 Phishers Return for Tax Returns: page 8 Fake Donations Continue to Haunt Japan: page 9 Spam Subject Line Analysis: page 12 Best Practices for Enterprises and Users: page 19 Introduction from the editor Since the shutdown of the Rustock botnet in March1, spam volumes have never quite recovered as the volume of spam in global circulation each day continues to fluctuate, as shown in figure 1, below.
    [Show full text]
  • Contents in This Issue
    FEBRUARY 2014 Covering the global threat landscape CONTENTS IN THIS ISSUE 2 COMMENT A LIFE OF GRIME It is time for defenders to go on the offence Cross-platform execution is one of the promises of Java – but cross-platform infection is probably 3 NEWS not what the designers had in mind. Nevertheless, that was clearly in the mind of the author of Law minister is former spammer W32/Java.Grimy, a virus for the Windows platform, Cash for hacks which infects Java class fi les. Peter Ferrie has the details. MALWARE ANALYSES page 4 4 Getting one’s hands dirty LAME DUCK 6 Salted algorithm – part 2 Sometimes what looks like a genuine MP3 encoder 11 Inside W32.Xpaj.B’s infection – part 2 library, and even works as a functional encoder, actually hides malicious code deep amongst a 19 FEATURE pile of clean code. Gabor Szappanos reveals the Needle in a haystack lengths to which one piece of malware goes to hide its tracks. page 19 27 BOOK REVIEW Don’t forget to write READING CORNER Industry veteran, prolifi c writer and educator David 30 SPOTLIGHT Harley reviews two recently published eBooks that aim to provide security guidance for consumers: Greetz from academe: Full frontal ‘Improve Your Security’ by Sorin Mustaca, and ‘One Parent to Another’ by Tony Anscombe. 31 END NOTES & NEWS page 27 ISSN 1749-7027 COMMENT ‘Challenge for example, an IPS or anti-virus product will still do some level of good if you do no more than install it on [defenders] to your network and make sure it gets updated occasionally, take a penetration a SIEM will not do anything except generate a (huge) bill.
    [Show full text]
  • The Trojan Wars: Building the Big Picture to Combat Efraud
    THE TROJAN WARS: BUILDING THE BIG PICTURE TO COMBAT EFRAUD MNEMONIC THREAT INTELLIGENCE UNIT White Paper TABLE OF CONTENTS INTRODUCTION ................................................................................3 THE INITIAL TORPIG CAMPAIGN ......................................................4 • Infection Cycles ..........................................................................................5 • Ice IX – Downloading Torpig and Pushdo ...................................................6 • Torpig Campaign C&C infrastructure ..........................................................9 • Ice IX Takedown Avoidance Technique .......................................................10 THE FOLLOW-ON P2P ZEUS CAMPAIGN ..........................................11 • Infection Cycles ...........................................................................................12 • Neurevt – Downloading P2P Zeus ..............................................................13 THE WAY FORWARD: CONCLUSIONS AND RECOMMENDATIONS ....14 ABOUT MNEMONIC ..........................................................................15 REFERENCES ...................................................................................16 THE TROJAN WARS - BUILDING THE BIG PICTURE TO COMBAT EFRAUD MNEMONIC AS INTRODUCTION Trojans are a very sophisticated type of malware and their use by cybercriminals to perform widespread eFraud is now well established. They are rarely operated in a standalone mode and the infrastructure used to spread and maintain Trojans is
    [Show full text]
  • Download Slides
    Scott Wu Point in time cleaning vs. RTP MSRT vs. Microsoft Security Essentials Threat events & impacts More on MSRT / Security Essentials MSRT Microsoft Windows Malicious Software Removal Tool Deployed to Windows Update, etc. monthly since 2005 On-demand scan on prevalent malware Microsoft Security Essentials Full AV RTP Inception in Oct 2009 RTP is the solution One-off cleaner has its role Quiikck response Workaround Baseline ecosystem cleaning Industrypy response & collaboration Threat Events Worms (some are bots) have longer lifespans Rogues move on quicker MarMar 2010 2010 Apr Apr 2010 2010 May May 2010 2010 Jun Jun 2010 2010 Jul Jul 2010 2010 Aug Aug 2010 2010 1,237,15 FrethogFrethog 979,427 979,427 Frethog Frethog 880,246880,246 Frethog Frethog465,351 TaterfTaterf 5 1,237,155Taterf Taterf 797,935797,935 TaterfTaterf 451,561451,561 TaterfTaterf 497,582 497,582 Taterf Taterf 393,729393,729 Taterf Taterf447,849 FrethogFrethog 535,627535,627 AlureonAlureon 493,150 493,150 AlureonAlureon 436,566 436,566 RimecudRimecud 371,646 371,646 Alureon Alureon 308,673308,673 Alureon Alureon 441,722 RimecudRimecud 341,778341,778 FrethogFrethog 473,996473,996 BubnixBubnix 348,120 348,120 HamweqHamweq 289,603 289,603 Rimecud Rimecud289,629 289,629 Rimecud Rimecud318,041 AlureonAlureon 292,810 292,810 BubnixBubnix 471,243 471,243 RimecudRimecud 287,942287,942 ConfickerConficker 286,091286, 091 Hamwe Hamweqq 250,286250, 286 Conficker Conficker220,475220, 475 ConfickerConficker 237237,348, 348 RimecudRimecud 280280,440, 440 VobfusVobfus 251251,335, 335
    [Show full text]
  • Peerpress: Utilizing Enemies' P2P Strength Against Them
    PeerPress: Utilizing Enemies’ P2P Strength against Them Zhaoyan Xu Lingfeng Chen SUCCESS Lab SUCCESS Lab Texas A&M University Texas A&M University [email protected] [email protected] Guofei Gu Christopher Kruegel SUCCESS Lab Dept. of Computer Science Texas A&M University UC Santa Barbara [email protected] [email protected] ABSTRACT Malicious software (malware) is a serious threat to Inter- We propose a new, active scheme for fast and reliable de- net security. While many early botnets use centralized C&C tection of P2P malware by exploiting the enemies' strength architecture, botmasters have realized its limitations and be- against them. Our new scheme works in two phases: host- gun to use more advanced and robust peer-to-peer (P2P) level dynamic binary analysis to automatically extract built- architectures for C&C [27]. For example, several contempo- in remotely-accessible/controllable mechanisms (referred to rary successful botnets such as Storm/Peacomm and Con- as Malware Control Birthmarks or MCB) in P2P malware, ficker have infected millions of computers and adopted P2P followed by network-level informed probing for detection. techniques in their C&C coordination [2,48]. As stated in a Our new design demonstrates a novel combination of the recent report [26], the Kaspersky Security Network detected strengths from both host-based and network-based approaches. more than 2.5 million P2P malware incidents per month in Compared with existing detection solutions, it is fast, reli- March 2010, a high water mark reached for the first time able, and scalable in its detection scope.
    [Show full text]
  • Banking Trojans: from Stone Age to Space Era
    Europol Public Information Europol Public Information Banking Trojans: From Stone Age to Space Era A Joint Report by Check Point and Europol The Hague, 21/03/2017 Europol Public Information 1 / 16 Europol Public Information Contents 1 Introduction .............................................................................................................. 3 2 The Founding Fathers ................................................................................................ 3 3 The Current Top Tier ................................................................................................. 5 4 The Latest .................................................................................................................. 9 5 Mobile Threat .......................................................................................................... 10 6 Evolutionary Timeline ............................................................................................. 11 7 Impressions/Current Trends ................................................................................... 11 8 Banking Trojans: The Law Enforcement View ......................................................... 12 9 How are Banking Trojans used by Criminals? ......................................................... 13 10 How are the Criminals Structured? ......................................................................... 14 11 Building on Public-Private-Partnerships - The Law Enforcement Response ........... 15 12 How to Protect Yourself .........................................................................................
    [Show full text]