securing and enabling dynamic business


Presentation on theme: "securing and enabling dynamic business"— Presentation transcript:

1 securing and enabling dynamic business
Spy VS Spy: Countering SpyEye with SpyEye
Lance James, Director of Intelligence, Vigilant, LLC
March 21st, 2011

2 Lance James
Brief Bio:
Director of Intelligence, Vigilant, LLC
Founder of Secure Science Corporation
Infosec for over a decade: development, research, network intrusion, cryptography (IIP/I2P), IntelliFound, Daylight
Author of “Phishing Exposed”, co-author of “Emerging Threat Analysis”
3rd book on its way (counter-intelligence)
Loves karaoke
Very hyper (but I am getting old)

3 Research
SpyEye
Web panel based C&C
DIY builder kits
Merging with Zeus
$1000-$3000 WMZ
Law
Title 18 USC 1030
Color of Right
Expectation of Privacy

4 SpyEye

5 Components of SpyEye: Trojan
Build it yourself
Data interception
Formgrabs
Credit cards
Software collection
Process hooking
Kills Zeus / Zeus merger
UPX packed (most cases)
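The slide notes that the SpyEye binary is usually UPX packed. The following triage helper is an added example written for this transcript, not code from the presentation: it walks a PE header's section table by hand (no third-party parser), flags the default UPX section names, and reports byte entropy as a second packing signal. The `build_fake_pe` fixture constructs a minimal, non-runnable PE header purely so the check can be exercised offline; any real sample would be read from disk instead.

```python
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_section_names(blob: bytes):
    """Follow DOS header -> PE signature -> COFF header -> section table and return the
    section names, or None when the buffer is not a PE image at all."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout after the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #   NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections = struct.unpack_from("<H", blob, e_lfanew + 6)[0]
    opt_header_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_header_size
    names = []
    for i in range(num_sections):
        # Each IMAGE_SECTION_HEADER is 40 bytes and starts with an 8-byte name.
        raw = blob[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            break  # truncated section table; report what we could read
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(blob: bytes) -> dict:
    """Cheap packer triage: stock UPX leaves UPX0/UPX1 section names behind, and a
    compressed payload pushes the file close to 8 bits/byte of entropy."""
    names = pe_section_names(blob)
    entropy = shannon_entropy(blob)
    return {
        "is_pe": names is not None,
        "sections": names or [],
        "upx_sections": names is not None and any(n.startswith("UPX") for n in names),
        "entropy": round(entropy, 2),
        "high_entropy": entropy > 7.0,  # heuristic threshold, not proof of packing
    }


def build_fake_pe(section_names, payload: bytes = b"") -> bytes:
    """Constructed test fixture: a minimal PE header (no code, will not execute) carrying
    the given section names, so the parser above can be tried without a real sample."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, three zeroed fields, SizeOfOptionalHeader=0, Characteristics
    coff_header = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    section_table = b"".join(n.ljust(8, b"\0")[:8] + b"\0" * 32 for n in section_names)
    return dos_header + coff_header + section_table + payload


if __name__ == "__main__":
    packed = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], payload=bytes(range(256)) * 4)
    print(triage(packed))
    print(triage(build_fake_pe([b".text", b".data"])))
```

Section names are trivially renamed by a repacked or modified build, so treat a hit as a hint for the analyst rather than a verdict; the entropy figure is there to catch the renamed case.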

6 Components of SpyEye: Web-based Panel
SYN 1 (Blind Drop)
Formgrabber / Data Manager
FTP theft
Bank of America theft
Stats
CN 1 (Command & Control)
Binary updates
Configuration updates
Statistic collection
Plugins
Backconnect (SOCKS5/FTP)

7 Builder

8 Web Panel (SYN 1)

9 Web Panel (CN 1)

10 Web Panel Investigation
What we know:
Build inference (directories and files)
Debug.log (general traffic)
Error.log (possible leaked IPs and other info)
Tasks.log (what it’s doing)
Backup.sh (SQL dump and passwords)
Config.ini (settings)
Understand the code:
AJAX driven; AJAX queries and refreshes for data

11 Debug.log

12 Case Study
CnC Host: 91.211.117.25/sp/admin (currently down)
History: specific URI discovered publicly 09/07/2010
Prior attacks from this IP discovered 07/26/2010 (same operator)
ASN (known for malicious activity)
Location: Ukraine (UA)
AS Name: Private Entrepreneur Zharkov Mukola Mukolayovuch
Malware life-cycle: Monday 08/30/10 – Friday 09/24/10 (25 days)
Unique computers infected: 28,590
Unique binaries distributed: 2,325
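From the defender's side, the indicator in this case study (C&C host and URI tree) is what you would sweep your own outbound proxy logs with to find infected machines and date the campaign. The script below is an added example for this transcript, not tooling from the talk: it parses Common Log Format lines, keeps the clients that reached the `/sp/` tree on 91.211.117.25, and rolls them up into the same kind of figures the slide reports (unique hosts, first/last seen, life-cycle in days). The sample log, the internal addresses and the `bot.php` path are constructed for the example; only the C&C host and the `/sp/` prefix come from the page.

```python
import re
from datetime import datetime

# Indicators taken from the case study on this page.
CNC_HOST = "91.211.117.25"
CNC_PATH_PREFIX = "/sp/"   # the panel lived under /sp/; any client request into that tree is the signal

# Common Log Format as an outbound web proxy writes it: client, two dashes, [timestamp],
# "METHOD absolute-URL protocol", status, bytes.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
URL_RE = re.compile(r'^https?://(?P<host>[^/:?]+)(?::\d+)?(?P<path>/[^?]*)?')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (hypothetical internal hosts, timestamps and bot.php path).
SAMPLE_LOG = """\
10.0.0.12 - - [30/Aug/2010:09:14:02 +0000] "GET http://91.211.117.25/sp/bot.php HTTP/1.1" 200 512
10.0.0.12 - - [31/Aug/2010:09:14:05 +0000] "GET http://91.211.117.25/sp/bot.php HTTP/1.1" 200 498
10.0.0.37 - - [02/Sep/2010:17:41:10 +0000] "POST http://91.211.117.25/sp/bot.php HTTP/1.1" 200 2048
10.0.0.51 - - [24/Sep/2010:10:00:00 +0000] "GET http://91.211.117.25/sp/bot.php HTTP/1.1" 404 0
10.0.0.12 - - [24/Sep/2010:10:05:00 +0000] "GET http://www.example.com/ HTTP/1.1" 200 1311
this line is not in log format and must be skipped
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m.group("url"))
    if not u:
        return None
    return {
        "src": m.group("src"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "host": u.group("host"),
        "path": u.group("path") or "/",
        "status": int(m.group("status")),
    }


def is_cnc_checkin(rec):
    """Match on host plus URI tree. A 404 still counts: the client tried to reach the panel."""
    return rec["host"] == CNC_HOST and rec["path"].startswith(CNC_PATH_PREFIX)


def find_infected(lines):
    """Return {client_ip: {"first": dt, "last": dt, "hits": n}} for every client that talked to the C&C."""
    infected = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_cnc_checkin(rec):
            continue
        entry = infected.setdefault(rec["src"], {"first": rec["ts"], "last": rec["ts"], "hits": 0})
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
        entry["hits"] += 1
    return infected


def summarize(infected):
    """Roll the per-client view up into campaign-level figures like those on the slide."""
    if not infected:
        return {"unique_hosts": 0, "first_seen": None, "last_seen": None, "span_days": 0}
    first = min(e["first"] for e in infected.values())
    last = max(e["last"] for e in infected.values())
    return {"unique_hosts": len(infected), "first_seen": first, "last_seen": last,
            "span_days": (last - first).days}


if __name__ == "__main__":
    hits = find_infected(SAMPLE_LOG.splitlines())
    for ip, e in sorted(hits.items()):
        print(f"{ip}: {e['hits']} check-in(s), {e['first']:%Y-%m-%d} .. {e['last']:%Y-%m-%d}")
    print(summarize(hits))
```

Matching on host plus path prefix rather than on the exact check-in URI keeps the rule useful when the bot's request path differs from what the panel admin page uses; the per-client first-seen timestamp is what you hand to the incident handler to scope re-imaging and credential resets.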

13 C&C Activity

14 Botnet Infections

15 C&C Advancement & Law
C&C has many world readable files, including Frm_grab.php
Doesn’t work without AJAX environment
Same concept as request
1 world readable file
Many requests at once
Very useful intelligence
Very complicated legally
Explain what we did to a jury or judge
Explain it to attorney
DOJ conservative to risk

16 How it works
C&C Target (SYN 1): main page password protected (illegal in US to log in)

17 Eating Dog Food
Log in to local C&C setup
Fire up proxy, set servers to stun!

18 Kibbles & Bits
Proxy setup – either with Burp or netsed
Header modification
Browser proxy configuration

19 Target Acquired
When this changes we know we are connected

20 Results
All data compromised in real time
Bot GUIDs per data compromise
Dates of compromises
Bonus points!
Bad guy activity
The day before
Settings
We can update the botnets (Not Approved)

21 Spy Wars
Adversary is quick, no boundaries
Jedi tools
Jedi Council
Disciplined philosophy
Jedi skill
Limited by law

22 Be the Smart Jedi
May the Force be with us; we’re gonna need it
Do or do not! There is no try
Yoda is awesome

23 Contact
Thank You!
Lance James, Director of Intelligence

