
Slide 1: Spy VS Spy – Countering SpyEye with SpyEye
Lance James, Director of Intelligence, Vigilant, LLC
March 21st, 2011
www.thevigilant.com – Copyright 2009, Vigilant LLC – "securing and enabling dynamic business"

Slide 2 (4-May-15): Lance James
– Director of Intelligence, Vigilant, LLC
– Founder of Secure Science Corporation
Brief bio:
– Infosec for over a decade: development, research, network intrusion, cryptography (IIP/I2P), IntelliFound, Daylight
– Author of "Phishing Exposed"
– Co-author of "Emerging Threat Analysis"
– 3rd book on its way (counter-intelligence)
– Loves karaoke
– Very hyper (but I am getting old)

Slide 3: Research
– SpyEye
  – Web-panel-based C&C
  – DIY builder kits
  – Merging with Zeus
  – $1000-$3000 WMZ
– Law
  – Title 18 USC 1030
  – Color of right
  – Expectation of privacy

Slide 4: SpyEye

Slide 5: Components of SpyEye
Trojan
– Build it yourself
– Data interception
  – Formgrabs
  – Credit cards
  – Software collection
– Process hooking
– Kills Zeus / Zeus merger
– UPX packed (most cases)

Slide 6: Components of SpyEye
Web-based panel
– SYN 1 (blind drop)
  – Formgrabber / data manager
  – FTP theft
  – Bank of America theft
  – Stats
– CN 1 (command & control)
  – Binary updates
  – Configuration updates
  – Statistic collection
  – Plugins
  – Backconnect (SOCKS5/FTP)

Slide 7: Builder

Slide 8: Web Panel (SYN 1)

Slide 9: Web Panel (CN 1)

Slide 10: What we know
Web panel investigation
– Build inference (directories and files)
  – Debug.log (general traffic)
  – Error.log (possible leaked IPs and other info)
  – Tasks.log (what it's doing)
  – Backup.sh (SQL dump and passwords)
  – Config.ini (settings)
– Understand the code
  – AJAX driven: AJAX queries and refreshes for data

Slide 11: Debug.log

Slide 12: Case Study
– CnC host: 91.211.117.25/sp/admin (currently down)
– History: specific URI discovered publicly 09/07/2010
– Prior attacks from this IP discovered 07/26/2010 (same operator)
– ASN 48587 (known for malicious activity)
– Location: Ukraine (UA)
– AS name: Private Entrepreneur Zharkov Mukola Mukolayovuch
– Malware life-cycle: Monday 08/30/10 – Friday 09/24/10 (25 days)
– Unique computers infected: 28,590
– Unique binaries distributed: 2,325

Slide 13: C&C Activity

Slide 14: Botnet Infections

Slide 15: C&C Advancement & Law
– C&C has many world-readable files, including Frm_grab.php
  – Doesn't work without AJAX environment
  – Same concept as requesting 1 world-readable file
  – Many requests at once
  – Very useful intelligence
– Very complicated legally
  – Explain what we did to a jury or judge
  – Explain it to an attorney
  – DOJ conservative to risk

Slide 16: How it works
– C&C target (SYN 1) main page is password protected (illegal in US to log in)

Slide 17: Eating Dog Food
– Log in to local C&C setup
– Fire up proxy, set servers to stun!

Slide 18: Kibbles & Bits
– Proxy setup: either with Burp or netsed
– Header modification
– Browser proxy configuration

Slide 19: Target Acquired
– When this changes we know we are connected

Slide 20: Results
– All data compromised in real time
– Bot GUIDs per data compromise
– Dates of compromises
– Bonus points!
  – Bad guy activity
  – The day before 0
  – Settings
  – We can update the botnets (not approved)

Slide 21: Spy Wars
– Adversary is quick, no boundaries
– Jedi tools
– Jedi council
– Disciplined philosophy
– Jedi skill
– Limited by law

Slide 22: Be the Smart Jedi
– May the Force be with us (we're gonna need it)
– Do or do not! There is no try
– Yoda is awesome

Slide 23: Contact
Thank you!
Lance James, Director of Intelligence
ljames@thevigilant.com
http://www.thevigilant.com
