A look into Bullet Proof Hosting November 2014 - DefCamp 5 Silviu Sofronie – Head of Forensics


Slide 1: A look into Bullet Proof Hosting
November 2014 - DefCamp 5
Silviu Sofronie – Head of Forensics, ssofronie@bitdefender.com

Slide 2: Key points
- Why Forensics?
- How do we approach this
- Attack vectors
- Victim profile
- Hacker profile
- A botnet infrastructure that works
- CryptoLocker
- GameOver Zeus takedown
- Hiding the Network behind the network
- Knock Knock
- Take-away
- Q&A

Slide 3: Why Forensics?
- Expertise from 350+ points of view (if needed)
- Honeypots (malware samples, spam, drive-by)
- IP reputation systems
- URL blacklists
- Correlated events and machine learning algorithms
This is information from our own systems, NOT client data.

Slide 4: How do we approach this
Step 1: Recognize a prevalent threat
Step 2: Break it all apart
Step 3: Understand what you're seeing
Step 4: Find the best course of action
Step 5: Level UP towards the mothership
Step 6: TakeDown

Slide 5: Attack vectors
Let's quickly look at Zeus:
- Drive-by downloads: unintended download of "software" from the Internet, via web surfing, e-mail messages or deceptive pop-ups
- Phishing schemes: a social-engineering type of attack that tries to get you to visit a specific website, using a specially crafted e-mail (spear-phishing attack)
- Spam with a malicious attachment

Slide 6: Victim profile
Anyone could be a victim.

Slide 7: Hacker profile
- Hacktivism
- Cybercrime groups

Slide 8: A botnet infrastructure that works
http://blogs.it.ox.ac.uk/oxcert/2014/06/06/gameover-for-p2p-zeus/

Slide 9: CryptoLocker
- Calls home for key
- Encrypts file system
- Distributed through GameOver Zeus

Slide 10: GameOver Zeus takedown
Operation Tovar (FBI, Europol, UK NCA): all domains generated by the DGA are seized.
The DGA produces 1000 random domains per week in the .biz, .com, .info, .net, .org and .ru TLDs.

Slide 11: Hiding the Network behind the network
- At least 2 levels of proxies protecting the real C&C servers
- Currently, it has 10 "clients", serving different types of malware
- Proxy level 1 is responsible for redirecting the UDP and HTTP traffic
- Proxy level 2 is where the redirected traffic arrives and is tunneled to other servers where the requests are processed

Slide 12: Hiding the Network behind the network
[Diagram of the redirection chain. Boxes: Victim; Client Y with service.xml (IP: DNS SERVER, PORT 53; IP: PROXY LAYER 2, PORT 80; machine with IP Y1); PROXY LAYER 1; DNS SERVER; PROXY LAYER 2. Edge labels: Port 53: ?domain; Port BP + Y: ?domain; IP Y1, IP Y2, IP Y3, IP Y4; Port 80: IP Y1.]

Slide 13: Knock Knock
- After Operation Tovar, the backend is still operational and serving other botnet masters
- TOR functionality for the backend is being implemented
- Watching for update lookups between servers in the backend, we could see more than 1700 requests in 24 hours (1 Oct 2014)

Slide 14: Now, about TOR

Slide 18: To talk to a HSDir
The first 3 relays in the consensus after this fingerprint are the HSDirs, for each replica index.

Slide 20: The Client
- Has the .onion address
- Decodes the base32 value of the .onion hostname
- Computes the fingerprint for the hidden service (hash of public key, timestamp and replica_index)
- Gets the list of Hidden Service Directories (from the consensus)
- Gets the descriptors from the Hidden Service Directories
- The descriptors contain the Introduction Points for the Hidden Service
- Establishes a connection to a Rendezvous Point (random relay)
- Builds a circuit to one of the Introduction Points for the Hidden Service
- Communicates the Rendezvous Point to the Introduction Point
- The Introduction Point calls back to the Hidden Service with the information about the Rendezvous Point
- The Hidden Service creates a circuit to the Rendezvous Point
- Connection established between the Client and the Hidden Service
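The descriptor lookup in slides 18 and 20 (decode the .onion name, hash public-key id with time period and replica index, take the next 3 HSDirs on the fingerprint ring) carried out in Python, as an added example that is not part of the talk. It follows the v2 rendezvous spec (SHA-1, 80-bit permanent id, no descriptor cookie); the .onion name and the relay digests are constructed, not real relays.

```python
import base64
import bisect
import hashlib

ONION_LEN = 16          # v2 .onion label: 16 base32 chars = 80-bit permanent id
HSDIRS_PER_REPLICA = 3  # "the first 3 relays in the consensus after this fingerprint"
REPLICAS = (0, 1)       # v2 publishes the descriptor under two replica indices


def permanent_id_from_onion(onion):
    """Decode the base32 .onion label into the 80-bit permanent id (first 10 bytes of H(pubkey))."""
    label = onion.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != ONION_LEN:
        raise ValueError("expected a 16-character v2 onion name")
    return base64.b32decode(label.upper())


def time_period(permanent_id, now):
    """Time period per rend-spec v2; the first id byte staggers the daily rollover between services."""
    return (now + permanent_id[0] * 86400 // 256) // 86400


def descriptor_id(permanent_id, now, replica):
    """descriptor-id = H(permanent-id | H(time-period | replica)), H = SHA-1, no descriptor cookie."""
    secret_id_part = hashlib.sha1(
        time_period(permanent_id, now).to_bytes(4, "big") + bytes([replica])
    ).digest()
    return hashlib.sha1(permanent_id + secret_id_part).digest()


def responsible_hsdirs(desc_id, hsdir_fingerprints, n=HSDIRS_PER_REPLICA):
    """The first n HSDir identity digests after desc_id on the sorted ring, wrapping around at the end."""
    ring = sorted(hsdir_fingerprints)
    start = bisect.bisect_right(ring, desc_id)
    return [ring[(start + i) % len(ring)] for i in range(n)]


def hsdir_lookup_plan(onion, now, hsdir_fingerprints):
    """For each replica: which HSDirs a client would query for this service's descriptor."""
    pid = permanent_id_from_onion(onion)
    return {r: responsible_hsdirs(descriptor_id(pid, now, r), hsdir_fingerprints) for r in REPLICAS}


# Constructed sample data: an all-zero permanent id and four fake 20-byte relay digests.
SAMPLE_ONION = "aaaaaaaaaaaaaaaa.onion"
SAMPLE_HSDIRS = [bytes([b]) * 20 for b in (0x10, 0x50, 0x90, 0xD0)]

if __name__ == "__main__":
    plan = hsdir_lookup_plan(SAMPLE_ONION, 1412121600, SAMPLE_HSDIRS)  # 1 Oct 2014 00:00 UTC
    for replica, dirs in plan.items():
        print("replica", replica, "->", [d.hex() for d in dirs])
```

Because the time period is folded into the hash, the set of responsible HSDirs changes once a day, which is why a defender logging descriptor fetches has to recompute the ring per period rather than pin fixed relays.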

Slide 22: Take-away
- Botnets are still growing in complexity
- This threat is not easily handled
- IP reputation mechanisms could help
- URL blacklists could patch things up as well
- Private sector and LEA should work more closely on this
- Bitdefender is reaching out to CERTs with blacklists of botnet-related IP addresses and URLs
- If you want to help, hop on ... we're hiring as well
- Reach out to forensics@bitdefender.com if you need our input

Slide 23: Q&A
