Presentation is loading. Please wait.

Presentation is loading. Please wait.

FBI Malware Overview - EDUs

Published byGerald Norton Modified over 9 years ago

Similar presentations

Presentation on theme: "FBI Malware Overview - EDUs"— Presentation transcript:

1 FBI Malware Overview - EDUs
Vincent J. Rowe, Intelligence Analyst Andy Czyzewski, Intelligence Analyst FBI Cyber Division Washington, DC UNCLASSIFIED

2 Overview FBI’s mission Intelligence initiatives Analysis objectives
Cycle of malicious code Case Studies: FooNet, Mytob Implications for universities (“EDUs”) Questions UNCLASSIFIED

3 FBI’s Priorities 1. Protect the US from terrorist attack.
2. Protect the US against foreign intelligence operations and espionage. 3. Protect the US against cyber-based attacks and high-technology crimes. 4. Combat public corruption at all levels. 5. Protect civil rights. 6. Combat transnational and national criminal organizations and enterprises. 7. Combat major white-collar crime. 8. Combat significant violent crime. 9. Support federal, state, county, municipal, and international partners. 10. Upgrade technology to successfully perform the FBI's mission. UNCLASSIFIED

4 FBI Cyber Division Mission
Stop those behind the most serious computer intrusions and the spread of malicious code Identify and thwart online sexual predators who use the Internet to meet and exploit children and to produce, share, or possess child pornography Counteract operations that target U.S. intellectual property Dismantle national and transnational organized criminal enterprises engaging in Internet fraud. UNCLASSIFIED

5 Analysis Objectives What is the author’s skill level?
What does the code do? What OSs are affected? When was it written? Who wrote the code? What is the purpose? What contacts does the subject have? What type of connection did he make? UNCLASSIFIED

6 Cycle of Malicious Code
UNCLASSIFIED

7 Harvesting Phase From January to April over 75 pieces of malcode were released into the wild MyDoom (15), Netsky (30), and Beagle (30) Mass mailing worm arrives as attachment Establish listen threads on TCP ports Creates a notification thread that will contact to a remote site Enables the intruder to download and execute arbitrary files Forensic analysis revealed an online war of words between the authors Economic damage was estimated at over 100 billion worldwide Vendors estimated that MyDoom was the most successful (450k compromised) Targeting SCO with a DDoS masked the author’s true intention UNCLASSIFIED

8 Harnessing Phase The next phase is to herd the victimized systems into a botnet by gaining unauthorized access left behind by the worm infections Backdoor command and control software is then executed on the victimized system from the holes left behind by the worms Allows the intruder to remotely control a compromised system and perform: Download/execute files Deliver system/network info to the author Harvest address Act as a proxy Host phishing pages UNCLASSIFIED

9 Execution Phase The victimized boxes are herded into a botnet to launch DDoS attacks DDoS attacks are used extort money out of victim companies to have access to the Internet Botnets can be used as a platform to launch next-generation malware Botnets can be sold to spammers Info resides on the compromised system is stolen and sold to different organized groups Credit card info Social security numbers Banking login ID and passwords Corporate secrets UNCLASSIFIED

10 Case Study: FooNet In January 2003, an FBI investigation centered around a group of individuals launching DDoS attacks Forensic analysis of victims’ logs lead the FBI to UK subject using an IRC channel hosted by FooNet Individuals from this group launched numerous DDoS attacks, driving victims to FooNet for protection UNCLASSIFIED

11 Case Study: FooNet (cont)
UNCLASSIFIED

12 Case Study: FooNet (cont)
UNCLASSIFIED

13 Case Study: FooNet (cont)
FBIHQ coordinated with New Scotland Yard on the arrest and interview of the UK subject Implicated the owner of a webhosting provider in Columbus, OH UK subject commanded an army of 20,000-50,000 bots SDbot and Agobot UNCLASSIFIED

14 Case Study: FooNet (cont)
Columbus subject owned and operated a web hosting provider in his home, with some legitimate clients On February 14, 2004, “Cyber St. Valentine’s Day Massacre,” the FBI executed a search warrant on FooNet Over 299 systems were seized, the largest takedown in FBI cyber history UNCLASSIFIED

15 Case Study: FooNet (cont)
UNCLASSIFIED

16 Case Study: FooNet (cont)
Through forensic analysis and interviews with the subject, the FBI determined that FooNet administrators hired DDoS henchmen to knock entities off the Internet The group had about 20 members that design, develop, and test code UNCLASSIFIED

17 Case Study: Mytob Computers affected: CNN, ABC News, The New York Times, the U.S. Senate, the Centers For Disease Control and Prevention, Daimler Chrysler and U.S. Immigration and Customs Enforcement and others Writer was paid to create malware Likely profit motive for deployment UNCLASSIFIED

18 Case Study: Mytob (cont)
Cooperation: FBI, law enforcement in Morocco and Turkey, and Microsoft Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker "Diabl0" Atilla Ekici, aka "Coder," a 21-year old resident of Turkey Local prosecutions UNCLASSIFIED

19 Why Universities (EDUs)?
EDU networks are targeted in order to carry out further attacks (botnets, host phishing, test malware, etc) Large volume of networked computers Significant Internet presence (“wired”) High bandwidth EDU networks hold large amounts of valuable data (SSNs) that can be trafficked UNCLASSIFIED

20 EDUs/Law Enforcement Success
A university experienced a DDoS attack Administrators and tech professionals gathered information They forwarded the information to their local FBI field office UNCLASSIFIED

21 EDUs/LE Success (cont)
FBI opened an investigation University provided information critical in locating the perpetrator Further investigation revealed that others were involved in the attack Other schools were also victimized Investigation continues UNCLASSIFIED

22 What Can EDUs Do? Report intrusion incidents to your local FBI field office Participate in your local Infragard chapter Once established, maintain contact with your local FBI cyber personnel Proactive UNCLASSIFIED

23 Questions? IA Vince Rowe Vincent.Rowe@ic.fbi.gov IA Andy Czyzewski
UNCLASSIFIED

Download ppt "FBI Malware Overview - EDUs"

Similar presentations

Its a new digital world with new digital dangers….

Its a new digital world with new digital dangers….
LEADS Law Enforcement Agencies Data System

LEADS Law Enforcement Agencies Data System
Introduction and Overview of Digital Crime and Digital Terrorism

Introduction and Overview of Digital Crime and Digital Terrorism
Copyright 2005 - 2009: Hi Tech Criminal Justice, Raymond E. Foster Police Technology Police Technology Chapter Sixteen Police Technology Hi-Tech Crime.

Copyright : Hi Tech Criminal Justice, Raymond E. Foster Police Technology Police Technology Chapter Sixteen Police Technology Hi-Tech Crime.
C YBER T HREATS AND R ESPONSE Unclassified Continuity Insights Conference Chicago June 18-19, 2013.

C YBER T HREATS AND R ESPONSE Unclassified Continuity Insights Conference Chicago June 18-19, 2013.
2 Language of Computer Crime Investigation

2 Language of Computer Crime Investigation
The development of Internet A cow was lost in Jan 14th 2003. If you know where it is, please contact with me. My QQ number is 87881405. QQ is one of the.

The development of Internet A cow was lost in Jan 14th If you know where it is, please contact with me. My QQ number is QQ is one of the.
Cyber Crime The current threat to the UK Security Marking.

Cyber Crime The current threat to the UK Security Marking.
Mohd Taufik Abdullah Department of Computer Science

Mohd Taufik Abdullah Department of Computer Science
Computer and Internet Crimes By: Tracey Ross & Tommy Brown.

Computer and Internet Crimes By: Tracey Ross & Tommy Brown.
1. 2 A High Tech Crime Investigation Lessons learned by the National High Tech Crime Center Hans Oude Alink, project leader NHTCC November 2005.

1. 2 A High Tech Crime Investigation Lessons learned by the National High Tech Crime Center Hans Oude Alink, project leader NHTCC November 2005.
Australian High Tech Crime Centre What is cybercrime & trends Monday 5 November 2007.

Australian High Tech Crime Centre What is cybercrime & trends Monday 5 November 2007.
CRIMINAL JUSTICE A Brief Introduction, 5/E by Frank Schmalleger ©2004 Pearson Education, Inc. Pearson Prentice Hall Upper Saddle River, NJ 07458 Police.

CRIMINAL JUSTICE A Brief Introduction, 5/E by Frank Schmalleger ©2004 Pearson Education, Inc. Pearson Prentice Hall Upper Saddle River, NJ Police.
CJ © 2011 Cengage Learning Chapter 17 Cyber Crime and The Future of Criminal Justice.

CJ © 2011 Cengage Learning Chapter 17 Cyber Crime and The Future of Criminal Justice.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
By: Lukas Touder Cortney Warrick Jennifer Wehner Zachary Westpy Nicholas Whelan Cybercrime.

By: Lukas Touder Cortney Warrick Jennifer Wehner Zachary Westpy Nicholas Whelan Cybercrime.
Cyber Crime & Security Raghunath M D BSNL Mobile Services,

Cyber Crime & Security Raghunath M D BSNL Mobile Services,
1 Group-IB: Digital investigations and forensic Ilya Sachkov Group-IB

1 Group-IB: Digital investigations and forensic Ilya Sachkov Group-IB
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license.

© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license.
BotNet Detection Techniques By Shreyas Sali

BotNet Detection Techniques By Shreyas Sali

Similar presentations

Ads by Google