Slide 1: Spy vs Spy – Countering SpyEye with SpyEye
Lance James, Director of Intelligence, Vigilant, LLC
March 21st, 2011
www.thevigilant.com – Copyright 2009, Vigilant LLC – securing and enabling dynamic business
Slide 2 (footer date 4-May-15): Brief Bio
Lance James – Director of Intelligence, Vigilant, LLC – Founder of Secure Science Corporation
- Infosec for over a decade: development, research, network intrusion, cryptography (IIP/I2P), IntelliFound, Daylight
- Author of “Phishing Exposed”
- Co-author of “Emerging Threat Analysis”
- 3rd book on its way (counter-intelligence)
- Loves karaoke
- Very hyper (but I am getting old)
Slide 3: Research
- SpyEye: web panel based C&C; DIY builder kits; merging with Zeus; $1000-$3000 WMZ
- Law: Title 18 USC 1030; color of right; expectation of privacy
Slide 4: SpyEye
Slide 5: Components of SpyEye – Trojan
- Build it yourself
- Data interception
- Formgrabs
- Credit cards
- Software collection
- Process hooking
- Kills Zeus / Zeus merger
- UPX packed (most cases)
Slide 6: Components of SpyEye – Web-based Panel
- SYN 1 (Blind Drop): formgrabber/data manager, FTP theft, Bank of America theft, stats
- CN 1 (Command & Control): binary updates, configuration updates, statistic collection, plugins, backconnect (SOCKS5/FTP)
Slide 7: Builder
Slide 8: Web Panel (SYN 1)
Slide 9: Web Panel (CN 1)
Slide 10: What we know – Web Panel Investigation
- Build inference (directories and files):
  Debug.log (general traffic)
  Error.log (possible leaked IPs and other info)
  Tasks.log (what it is doing)
  Backup.sh (SQL dump and passwords)
  Config.ini (settings)
- Understand the code
- AJAX driven: AJAX queries and refreshes for data
</gre_replace_placeholder_do_not_emit>
Slide 11: Debug.log
Slide 12: Case Study
CnC host: 91.211.117.25/sp/admin (currently down)
History:
- Specific URI discovered publicly 09/07/2010
- Prior attacks from this IP discovered 07/26/2010 (same operator)
- ASN 48587 (known for malicious activity)
- Location: Ukraine (UA)
- AS name: Private Entrepreneur Zharkov Mukola Mukolayovuch
Malware life-cycle: Monday 08/30/10 – Friday 09/24/10 (25 days)
Unique computers infected: 28,590
Unique binaries distributed: 2,325
Slide 13: C&C Activity
Slide 14: Botnet Infections
Slide 15: C&C Advancement & Law
- The C&C has many world-readable files, including Frm_grab.php
  - Does not work without the AJAX environment
  - Same concept as a request: one world-readable file, many requests at once
  - Very useful intelligence
- Very complicated legally:
  - Explain what we did to a jury or judge
  - Explain it to an attorney
  - DOJ is conservative toward risk
Slide 16: How it works
The C&C target (SYN 1) main page is password protected (illegal in the US to log in)
Slide 17: Eating Dog Food
- Log in to a local C&C setup
- Fire up the proxy: “Set servers to stun!”
Slide 18: Kibbles & Bits
- Proxy setup (either with Burp or netsed)
- Header modification
- Browser proxy configuration
Slide 19: Target Acquired
When this changes, we know we are connected
Slide 20: Results
- All data compromised, in real time
- Bot GUIDs per data compromise
- Dates of compromises
- Bonus points!
  - Bad-guy activity
  - The day before 0
  - Settings
  - We can update the botnets (not approved)
Slide 21: Spy Wars
- Adversary is quick, no boundaries
- Jedi tools
- Jedi Council
- Disciplined philosophy
- Jedi skill
- Limited by law
Slide 22: Be the Smart Jedi
- May the Force be with us – we’re gonna need it
- Do or do not! – there is no try
- Yoda is awesome
Slide 23: Contact
Thank you!
Lance James, Director of Intelligence
ljames@thevigilant.com
http://www.thevigilant.com