Research and Education Cyberthreat Briefing (PDF)

Total Page:16

File Type:pdf, Size:1020Kb

Research and Education Cyberthreat Briefing (PDF) RESEARCH AND EDUCATION CYBERTHREAT BRIEFING Todd Herring, REN-ISAC Membership Services Director Kim Milford, REN-ISAC Executive Director © 2016 Internet2 REN-ISAC - Background ● Aid and promote cyber security operational protection and response within the higher education and research (R&E) communities. ● Within the context of a private community of trusted representatives at member institutions, and in service to the R&E community at-large. ● Serve as the R&E trusted partner for served networks, the formal ISAC community, and in other commercial, governmental, and private security information sharing relationships. [ 2 ] REN-ISAC - Background ▪ Hosted at Indiana University ▪ Board of Directors ▪ Advisory groups ▪ Ad hoc special interest groups and projects ▪ Over 480 member institutions and over 1400 member representatives [ 3 ] REN-ISAC Membership Type of Instuon Number Percent of Membership US College, Private for-profit 2 0.4% US College, Private not-for-profit 162 33.3% US College, Public 235 48.4% Medical Science / Medical Center 13 2.7% University Department, non-medical 2 0.4% Non-US College 31 6.4% Research Center 20 4.1% Network 8 1.7% Consorum 13 2.7% [ 4 ] REN-ISAC Growth Since August 2004 1600 1400 1200 1000 800 600 400 200 0 Instuons Member Reps [ 5 ] Membership Fees [ 6 ] Human-centered Intelligence Sharing • Community of trusted cybersecurity staff at R&E institutions • Sharing actionable information for operational protection and response • Confidentiality [ 7 ] Human-centered Intelligence Sharing o CSIRT for .EDU space o 24x7 support o Sector ISAC o Cybersecurity research and development o Education and training o Daily Watch Report o Friday Pulse [ 8 ] Automated Threat Intelligence • Security Event System (SES) • Passive DNS • Trusted Third Party Data • Automated Notifications [ 9 ] Threat Trends § Motive is espionage or financial 89% of the time § 80% of the time, the threat actor is external to the organization § Time to discover (more than 1 day over 68% of the time) is still way behind time to compromise (minutes 82% of the time § Mobile is not a big vector in data breaches § Our work is not done [ 10 ] REN-ISAC Malicious Actors Target US Colleges and Universities [ 11 ] Infosec is the #1 IT Issue in Higher Ed in 2016 [ 12 ] Data Breaches in Higher Education [ 13 ] Sensitive Data Breaches [ 14 ] [ 15 ] Vulnerabilities Attacks come in millions, exploits are automated [ 16 ] © 2016 Internet2 [ 17 ] [ 18 ] Ransomware [ 19 ] Recent Survey Results With regard to ransomware, how has the amount of time spent on incident response changed in the last 3 months? Increasing 4 Decreasing 3 About the same 18 [ 20 ] Recent Survey Results What are you doing to mitigate the risk of Ransomware? Increasing employee education and awareness efforts 19 Tightening spam filters on email systems 11 Accelerating the institution's move to cloud storage 1 Reminding system administrators to verify/test backups, check schedules 9 Updating institutional policies / standards 2 [ 21 ] [ 22 ] TGYFBFTDHA [ 23 ] Phishing, Spear-phishing, Whaling & Poison Harpooning § Nearly 50% of users open phishing email and click on the links within the first hour after they receive § Phishing is now the established initial attack vector for online crime [ 24 ] © 2016 Internet2 [ 25 ] Denial of Service Attacks § Amplification via vulnerable protocols, e.g. NTP § Increasing use of powerful cloud infrastructure, e.g., AWS [ 26 ] © 2016 Internet2 Denial of Service Attacks [ 27 ] [ 28 ] [ 29 ] Compromised Credentials [ 30 ] Future Possible Threat Vectors • Automated access controls • Industrial control system • Internet of things [ 31 ] Sources of Threat Indicator Information Jan. 2016 Feb. 2016 March 2016 April 2016 Total Notifications compromised machines 7,885 8,147 7,911 7,742 31,685 compromised credentials 6,889 4,698 1,575 7,267 20,429 spam or phish 42 29 46 29 146 vulnerable machines - - 1 1 2 open recursive DNS resolvers 263 168 362 239 1,032 open mail relays 21 17 14 11 63 other - - 1 - 1 total notifications: 15,100 13,059 9,910 15,289 53,358 [ 32 ] Sources of Threat Indicator Information Reported Malware Count Reported Malware Count Conficker 1861 Ramnit 50 Bedep 1446 Beebone 49 Gozi 816 Rovnix 36 Ponmocup 668 Locky 25 ZeroAccess 492 Corebot 24 Kelihos 432 Slenfbot 24 Fleercivet 265 Shiz 22 Pushdo 262 Murofet 20 Nivdort 184 Vawtrak 16 Dorkbot 142 Dridex 15 Zeus P2P 126 Pykspa 15 Zeus 124 ZeroAccess-Supernode 13 Nymaim 122 Torpig 12 Sality 113 Pony 10 Ramdo 107 Bamital 6 Qakbot 90 Vobfus 6 Virut 72 IRC bot 5 Tinba 67 scanner 4 [ 33 ] Sources of Threat Indicator Information [ 34 ] General Mitigation Recommendations • https://publicintelligence.net/dhs-university-cyber-threats/ • Educate and reinforce • Store data securely and have solid backup plans • Protect networks where sensitive data is stored • Enforce strong credentialing policies • Aggressively patch and use inspection tools to identify outdated applications • Employ active protections and detection technology • Collect and monitor logs • Be aware of risks and know your environment • EDUCAUSE Benchmarking Service [ 35 ] PRESENTATIONSubtitle (if any) TITLE PRESENTER NAME Presenter title, organization © 2016 Internet2 .
Recommended publications
  • Éric FREYSSINET Lutte Contre Les Botnets
    THÈSE DE DOCTORAT DE L’UNIVERSITÉ PIERRE ET MARIE CURIE Spécialité Informatique École doctorale Informatique, Télécommunications et Électronique (Paris) Présentée par Éric FREYSSINET Pour obtenir le grade de DOCTEUR DE L’UNIVERSITÉ PIERRE ET MARIE CURIE Sujet de la thèse : Lutte contre les botnets : analyse et stratégie Présentée et soutenue publiquement le 12 novembre 2015 devant le jury composé de : Rapporteurs : M. Jean-Yves Marion Professeur, Université de Lorraine M. Ludovic Mé Enseignant-chercheur, CentraleSupélec Directeurs : M. David Naccache Professeur, École normale supérieure de thèse M. Matthieu Latapy Directeur de recherche, UPMC, LIP6 Examinateurs : Mme Clémence Magnien Directrice de recherche, UPMC, LIP6 Mme Solange Ghernaouti-Hélie Professeure, Université de Lausanne M. Vincent Nicomette Professeur, INSA Toulouse Cette thèse est dédiée à M. Celui qui n’empêche pas un crime alors qu’il le pourrait s’en rend complice. — Sénèque Remerciements Je tiens à remercier mes deux directeurs de thèse. David Naccache, officier de réserve de la gendarmerie, contribue au développement de la recherche au sein de notre institution en poussant des personnels jeunes et un peu moins jeunes à poursuivre leur passion dans le cadre académique qui s’impose. Matthieu Latapy, du LIP6, avec qui nous avions pu échanger autour d’une thèse qu’il encadrait dans le domaine difficile des atteintes aux mineurs sur Internet et qui a accepté de m’accueillir dans son équipe. Je voudrais remercier aussi, l’ensemble de l’équipe Réseaux Complexes du LIP6 et sa responsable d’équipe actuelle, Clémence Magnien, qui m’ont accueilli à bras ouverts, accom- pagné à chaque étape et dont j’ai pu découvrir les thématiques et les méthodes de travail au fil des rencontres et des discussions.
    [Show full text]
  • Download Slides
    Scott Wu Point in time cleaning vs. RTP MSRT vs. Microsoft Security Essentials Threat events & impacts More on MSRT / Security Essentials MSRT Microsoft Windows Malicious Software Removal Tool Deployed to Windows Update, etc. monthly since 2005 On-demand scan on prevalent malware Microsoft Security Essentials Full AV RTP Inception in Oct 2009 RTP is the solution One-off cleaner has its role Quiikck response Workaround Baseline ecosystem cleaning Industrypy response & collaboration Threat Events Worms (some are bots) have longer lifespans Rogues move on quicker MarMar 2010 2010 Apr Apr 2010 2010 May May 2010 2010 Jun Jun 2010 2010 Jul Jul 2010 2010 Aug Aug 2010 2010 1,237,15 FrethogFrethog 979,427 979,427 Frethog Frethog 880,246880,246 Frethog Frethog465,351 TaterfTaterf 5 1,237,155Taterf Taterf 797,935797,935 TaterfTaterf 451,561451,561 TaterfTaterf 497,582 497,582 Taterf Taterf 393,729393,729 Taterf Taterf447,849 FrethogFrethog 535,627535,627 AlureonAlureon 493,150 493,150 AlureonAlureon 436,566 436,566 RimecudRimecud 371,646 371,646 Alureon Alureon 308,673308,673 Alureon Alureon 441,722 RimecudRimecud 341,778341,778 FrethogFrethog 473,996473,996 BubnixBubnix 348,120 348,120 HamweqHamweq 289,603 289,603 Rimecud Rimecud289,629 289,629 Rimecud Rimecud318,041 AlureonAlureon 292,810 292,810 BubnixBubnix 471,243 471,243 RimecudRimecud 287,942287,942 ConfickerConficker 286,091286, 091 Hamwe Hamweqq 250,286250, 286 Conficker Conficker220,475220, 475 ConfickerConficker 237237,348, 348 RimecudRimecud 280280,440, 440 VobfusVobfus 251251,335, 335
    [Show full text]
  • Zerohack Zer0pwn Youranonnews Yevgeniy Anikin Yes Men
    Zerohack Zer0Pwn YourAnonNews Yevgeniy Anikin Yes Men YamaTough Xtreme x-Leader xenu xen0nymous www.oem.com.mx www.nytimes.com/pages/world/asia/index.html www.informador.com.mx www.futuregov.asia www.cronica.com.mx www.asiapacificsecuritymagazine.com Worm Wolfy Withdrawal* WillyFoReal Wikileaks IRC 88.80.16.13/9999 IRC Channel WikiLeaks WiiSpellWhy whitekidney Wells Fargo weed WallRoad w0rmware Vulnerability Vladislav Khorokhorin Visa Inc. Virus Virgin Islands "Viewpointe Archive Services, LLC" Versability Verizon Venezuela Vegas Vatican City USB US Trust US Bankcorp Uruguay Uran0n unusedcrayon United Kingdom UnicormCr3w unfittoprint unelected.org UndisclosedAnon Ukraine UGNazi ua_musti_1905 U.S. Bankcorp TYLER Turkey trosec113 Trojan Horse Trojan Trivette TriCk Tribalzer0 Transnistria transaction Traitor traffic court Tradecraft Trade Secrets "Total System Services, Inc." Topiary Top Secret Tom Stracener TibitXimer Thumb Drive Thomson Reuters TheWikiBoat thepeoplescause the_infecti0n The Unknowns The UnderTaker The Syrian electronic army The Jokerhack Thailand ThaCosmo th3j35t3r testeux1 TEST Telecomix TehWongZ Teddy Bigglesworth TeaMp0isoN TeamHav0k Team Ghost Shell Team Digi7al tdl4 taxes TARP tango down Tampa Tammy Shapiro Taiwan Tabu T0x1c t0wN T.A.R.P. Syrian Electronic Army syndiv Symantec Corporation Switzerland Swingers Club SWIFT Sweden Swan SwaggSec Swagg Security "SunGard Data Systems, Inc." Stuxnet Stringer Streamroller Stole* Sterlok SteelAnne st0rm SQLi Spyware Spying Spydevilz Spy Camera Sposed Spook Spoofing Splendide
    [Show full text]
  • Mcafee Labs Threats Report August 2015 Ransomware Continues to Grow Very Rapidly— with the Number of New Samples Rising 58% in Q2
    Report McAfee Labs Threats Report August 2015 Ransomware continues to grow very rapidly— with the number of new samples rising 58% in Q2. About McAfee Labs Introduction McAfee Labs is one of the world’s leading sources for threat This month marks the five-year anniversary of Intel’s research, threat intelligence, and cybersecurity thought announcement that the company would acquire McAfee. leadership. With data from millions of sensors across key Much has changed in the security space since then, so we threats vectors—file, web, message, and network—McAfee decided to look back on these years and compare what we Labs delivers real-time threat intelligence, critical analysis, thought would happen with what actually happened. and expert thinking to improve protection and reduce risks. We interviewed a dozen key people who have been with McAfee is now part of Intel Security. Intel or McAfee since the acquisition to get their views on the major developments of the past five years around the www.mcafee.com/us/mcafee-labs.aspx cyber threat landscape, including how the types of threat actors have changed, how attackers’ behaviors and targets Follow McAfee Labs have changed, how the economics of cybercrime have changed, and how the industry has responded. We also wanted to know what they didn’t anticipate or what truly surprised them. We hope you enjoy the retrospective. This quarter, we also discuss two very interesting Key Topics. In McAfee Labs Threats Reports, we spend a lot of time examining ways in which attackers enter a trusted network or system, but we spend little time looking at how they exfiltrate the information they want to steal once they have successfully breached the network or system.
    [Show full text]
  • Microsoft | Security Intelligence Report
    Battling Botnets for Control of Computers Microsoft | Security Intelligence Report Volume 9 January through June 2010 Microsoft | Security Intelligence Report Microsoft Security Intelligence Report This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMA- TION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Copyright © 2010 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. 2 January through June 2010 Authors David Anselmi Jimmy Kuo Navaneethan Santhanam Digital Crimes Unit Microsoft Malware Protection Center Bing Richard Boscovich Scott Molenkamp Christian Seifert Digital Crimes Unit Microsoft Malware Protection Center Bing T.J. Campana Michelle Meyer Frank Simorjay Digital Crimes Unit Microsoft Trustworthy Computing Microsoft Trustworthy Computing Neil Carpenter Bala Neerumalla Holly Stewart CSS Security Microsoft Secure SQL Initiative Team Microsoft Malware Protection Center Greg Cottingham Daryl Pecelj Adrian Stone CSS Security Microsoft IT Information Security and Risk Management Microsoft Security Response Center Joe Faulhaber Anthony Penta Matt Thomlinson Microsoft Malware Protection Center Microsoft Windows Safety Platform Microsoft Security Response Center Vinny Gullotto Paul Pottorff Jossie
    [Show full text]
  • Download Hong Kong Security Watch Report
    Hong Kong Security Watch Report 2019 Q1 1 Foreword Better Security Decision with Situational Awareness Nowadays, a lot of \invisible" compromised systems (computers and other devices) are controlled by attackers with the owner being unaware. The data on these systems may be mined and exposed every day, and the systems may be utilized in different kinds of abuse and criminal activities. The Hong Kong Security Watch Report aims to provide the public a better \visibility" of the situation of the compromised systems in Hong Kong so that they can make better decision in protecting their information security. The data in this report is about the activities of compromised systems in Hong Kong which suffer from, or par- ticipate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) or bots. Computers in Hong Kong are defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is \.hk". Capitalizing on the Power of Global Intelligence This report is the fruit of the collaboration of HKCERT and global security researchers. Many security researchers have the capability to detect attacks targeting their own or their customers' networks. Some of them provide the information of IP addresses of attack source or web links of malicious activities to other information security organizations with an aim to collaboratively improve the overall security of the cyberspace. They have good practice in sanitizing personal identifiable data before sharing information. HKCERT collects and aggregates such valuable data about Hong Kong from multiple information sources for analysis with Information Feed Analysis System (IFAS), a system developed by HKCERT.
    [Show full text]
  • Hong Kong Security Watch Report Q4 2013
    Hong Kong Security Watch Report Q4 2013 Foreword Better Security Decision with Situational Awareness Nowadays, a lot of “invisible” compromised computers are controlled by attackers with the owner being unaware. The data on these computers may be mined and exposed everyday and the computers may be utilized in different kinds of abuse and criminal activities. The Hong Kong Security Watch Report aims to provide the public a better “visibility” of the situation of the compromised computers in Hong Kong so that they can make better decision in protecting their information security. The report provides data about the activities of compromised computers in Hong Kong which suffer from, or participate in various forms of cyber attacks, including web defacement, phishing, malware hosting, botnet command and control centres (C&C) and bots. Computers in Hong Kong is defined as those whose network geolocation is Hong Kong, or the top level domain of their host name is “.hk” or “.香港”. Capitalizing on the Power of Global Intelligence This report is the fruit of the collaboration of HKCERT and global security researchers. Many security researchers have the capability to detect attacks targeting their own or their customers’ networks. Some of them provide the information of IP addresses of attack source or web links of malicious activities to other information security organizations with an aim to collaboratively improve the overall security of the cyberspace. They have good practice in sanitizing personal identifiable data before sharing information. HKCERT collects and aggregates such valuable data about Hong Kong from multiple information sources for analysis with Information Feed Analysis System (IFAS), a system developed by HKCERT.
    [Show full text]
  • Kelihos Botnet: a Never-Ending Saga
    2017 Annual ADFSL Conference on Digital Forensics, Security and Law Proceedings May 15th, 10:00 AM Kelihos Botnet: A Never-Ending Saga Arsh Arora University of Alabama, Birmingham, [email protected] Max Gannon University of Alabama, Birmingham, [email protected] Gary Warner University of Alabama, Birmingham, [email protected] Follow this and additional works at: https://commons.erau.edu/adfsl Part of the Defense and Security Studies Commons, Forensic Science and Technology Commons, Information Security Commons, OS and Networks Commons, Other Computer Sciences Commons, and the Science and Technology Studies Commons Scholarly Commons Citation Arora, Arsh; Gannon, Max; and Warner, Gary, "Kelihos Botnet: A Never-Ending Saga" (2017). Annual ADFSL Conference on Digital Forensics, Security and Law. 4. https://commons.erau.edu/adfsl/2017/papers/4 This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an (c)ADFSL authorized administrator of Scholarly Commons. For more information, please contact [email protected]. Kelihos Botnet: A Never-Ending Saga CDFSL Proceedings 2017 KELIHOS BOTNET: A NEVER-ENDING SAGA Arsh Arora, Max Gannon, Gary Warner University of Alabama at Birmingham 1201 University Blvd, Birmingham, AL 35233 fararora, gannonm, [email protected] ABSTRACT This paper investigates the recent behavior of the Kelihos botnet, a spam-sending botnet that accounts for many millions of emails sent each day. The paper demonstrates how a team of students are able to perform a longitudinal malware study, making significant observations and contributions to the understanding of a major botnet using tools and techniques taught in the classroom.
    [Show full text]
  • Mcafee Labs Threats Report May 2015 Mcafee Labs Saw Almost Twice the Number of Ransomware Samples in Q1 Than in Any Other Quarter
    Report McAfee Labs Threats Report May 2015 McAfee Labs saw almost twice the number of ransomware samples in Q1 than in any other quarter. About McAfee Labs Introduction McAfee Labs is one of the world’s leading sources for threat This Threats Report marks the first time that we explore research, threat intelligence, and cybersecurity thought firmware-based attacks. In our lead Key Topic, we leadership. With data from millions of sensors across key provide new details about malware from a secretive threats vectors—file, web, message, and network—McAfee outfit calledthe Equation Group. This threat is capable Labs delivers real-time threat intelligence, critical analysis, of reprogramming hard disk drive firmware. Our analysis and expert thinking to improve protection and reduce risks. shows the reprogrammed firmware can reload associated malware each time the infected system boots and that McAfee is now part of Intel Security. it persists even if the hard drive is reformatted or the operating system is reinstalled. We suspect this type of www.mcafee.com/us/mcafee-labs.aspx threat will be a hot topic at Black Hat and DefCon this year. Follow McAfee Labs We also focus on two familiar faces—ransomware and Adobe Flash exploits—because McAfee Labs saw massive increases in new samples this quarter from both types of threat. For ransomware, we attribute much of its growth to a new, hard-to-detect ransomware family—CTB-Locker— and its use of an “affiliate” program to quickly flood the market with phishing campaigns, leading to CTB-Locker infections. And for the rise in Flash exploits, we attribute those to the growing number of Flash instances across many platforms (most notably mobile devices), the number of known, unpatched vulnerabilities, and the difficulty in detecting some Flash-based exploits.
    [Show full text]
  • CERT Prezentacija Palestina-V1
    IT security overview in Latvia 21.11.2012, Riga TAIEX Study Visit on Information & IT Security Outline • Legal environment and policies • CERT.LV overview • Current situation overview • CERT.LV activities and awareness raising Legal environment and policies IT Security Law • In force since 1 February 2011 • Sets CERT.LV tasks and responsibilities • Defines responsibilities for: • Public sector • ISPs • Critical IT infrastructure owners IT Security Law – Public sector • In every institution – IT security officer responsible for: • Creating IT security documents for institution • Organising IT security audits • Educating all employees at least once per year • Reporting to CERT.LV on security incidents • Participating in CERT.LV seminars IT Security Law - ISPs • All ISPs have to submit to CERT.LV “Action plan for continuous operations” • Report to CERT.LV on major incidents • CERT.LV can request • IT Security documentation • IT Security audits • Disconnection of an end user for 24h IT Security Law – Critical infrastructure • List – State secret • Report incidents to CERT.LV • Establishes IT Security documentation • CERT.LV can do penetration testing National IT Security Strategy • Improvement of legal regulations • Increasing human and material-technical resources for state institutions • Rising cooperation at a national scale • Intensifying international cooperation • Hardening of education, science and social responisbility MoU with NATO – January 2012 CERT.LV overview CERT.LV • Information technology security incident response institution
    [Show full text]
  • Microsoft Security Intelligence Report
    Security Intelligence Report MICROSOFT SECURITY INTELLIGENCE REPORT Volume 9 (January 2010 through June 2010) www.microsoft.com/sir About Security Intelligence Report volume 9 Malware Key findings covers – Vulnerability Disclosures – Usage Trends for Windows update, and Microsoft update – Security Breach Trends – Malware and Potentially Unwanted Software trends – Email Threats – Malicious and Compromised Websites – Phishing Sites and Traffic – Analysis of Malware Hosts Report Report – Analysis od Drive-By Downloads Sites – Automated SQL Injection Attacks Contains data and intelligence from the past several years, but focuses on the first two quarters of 2010 Intelligence (1Q10, 2Q10) Security Security Intelligence Report volume 9 Data sources Spyware and Potentially Main Customer Segment Malicious Software Available at Unwanted Software Main No Product Name Distribution Additional Scan and Real-time Scan and Real-time Methods Consumers Business Charge Remove Protection Remove Protection Prevalent Windows Malicious Software WU/AU ● Malware ● Removal Tool Download Center Families Download Center Windows Defender ● ● ● ● Windows Vista/ Windows 7 Windows Live OneCare ● ● ● ● Cloud safety scanner Microsoft Security Essentials ● ● ● ● ● ● Cloud Forefront Online Protection for ● ● ● Cloud Exchange Forefront Client Security ● ● ● ● ● Volume Licensing Report Report Hotmail - more than 280 million active users Internet Explorer the world’s most popular browser with SmartScreen, Microsoft Phishing Filter Microsoft Forefront Online Security for Exchange
    [Show full text]
  • Kelihos Botnet: a Never-Ending Saga CDFSL Proceedings 2017
    Kelihos Botnet: A Never-Ending Saga CDFSL Proceedings 2017 KELIHOS BOTNET: A NEVER-ENDING SAGA Arsh Arora, Max Gannon, Gary Warner University of Alabama at Birmingham 1201 University Blvd, Birmingham, AL 35233 fararora, gannonm, [email protected] ABSTRACT This paper investigates the recent behavior of the Kelihos botnet, a spam-sending botnet that accounts for many millions of emails sent each day. The paper demonstrates how a team of students are able to perform a longitudinal malware study, making significant observations and contributions to the understanding of a major botnet using tools and techniques taught in the classroom. From this perspective, the paper has two objectives: encouragement and observation. First, by providing insight into the methodology and tools used by student researchers to document and understand a botnet, the paper strives to embolden other academic programs to follow a similar path and to encourage such discovery. Second, the paper shares observations and insights gathered about the botnet's recent spam activity showing evidence of the \spam as a service" model and demonstrating a variety of unique and dangerous spam campaigns conducted via the Kelihos botnet, including banking trojans, credential phishing, and ransomware attacks. Keywords: Kelihos, Botnet, Malware, Spam, Ransomware, Banking Trojan, Pharma, Pump and Dump, Geo-Targeting 1. INTRODUCTION CrowdStrike, Dell Secureworks, Kaspersky, and others sinkholed 100,000 nodes of the While the Kelihos botnet first debuted in Kelihos.B malware [Kerkers et al., 2014]. At 2009, the current botnet is a functional deriva- RSA Conference 2013, CrowdStrike demon- tive of two other famous botnets, Waledac, strated a repeat performance, targeted Ke- and the Storm Worm [Adair, 2012, Bureau, lihos.C [Rossow et al., 2013, Werner, 2013].
    [Show full text]