Trojans & Botnets & Malware, Oh My!
Shmoocon '06
Lance James, Secure Science Corporation
For Distribution. Copyright 2006 Secure Science Corp.


Slide 2: What this talk is about?

- Malware
  - In regards to incident response
  - Pre-emptive techniques
  - Research & development
  - Related mainly to theft-intended malware
- What is malware?
  - Malicious software/hardware
  - Designed to be harmful

Slide 3: Cyber Attack Sophistication Continues To Evolve

[Figure (source: CERT): timeline 1980, 1985, 1990, 1995, 2000+ with two series, "Tools" (Attack Sophistication) and "Attackers" (Intruder Knowledge), on a High/Low axis. Milestones labelled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, cross site scripting, staged attack, bots.]

Slide 4: And Continue To Grow…

- Data theft grew more than 650% over the past 3 years — CSI/FBI
- 137,000 security incidents in 2003, nearly twice as many as in 2002 — CERT
- Avg reported loss from attacks was $2.7M per incident — CSI/FBI survey
- 85% of respondents had breaches — CSI/FBI survey
- 85% of the critical infrastructure is owned or operated by the private sector

Source: Carnegie Mellon

Slide 5: Growth Or Liability?

- Over twenty per cent of Internet users now access online banking services.
- This total will reach 33% by 2006, according to The Online Banking Report.
- By 2010, over 55 million US households will use online banking and ePayments services, which are tipped as "growth areas".
- Wamu buys Providian, BofA buys MBNA.
- And so what about the 'Phishing' threat to e-commerce?

Source: ePaynews

Slide 6: What Is Phishing?

- Phishing (also referred to as brand spoofing) is a variation on "fishing": bait is thrown out in the hope that, while most will ignore it, some will be tempted into biting.
- Phishing is the act of sending a communication to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
- The communication (usually email) directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has.
- The Web site, however, is bogus or hostile and set up only to steal the user's information.

Slide 7: What's Worse?

- Email phish or phishing malware?
- Some of the larger phishing groups have associations with both phishing emails and key-logging malware.
- While phishing email is very effective, the number of victims is significantly smaller than the victims of phishing malware.
- Logs recovered from base camps for phishing emails and malware show a startling difference.

Slide 8: Email vs Malware

Volume of data generated
- Phishing malware / keyloggers: A single key logging Trojan can generate hundreds of megabytes of data in a week. The data is not processed by hand. Instead, scripts are used to filter the information. Potentially valuable information is frequently ignored due to the filtering process.
- Phishing emails: Each victim = < 500 bytes of data. 1 week = < 50 Kbytes. A single person can process the data in minutes.

Type of information compromised
- Phishing malware / keyloggers: Account login, or credit card number with expiration and address. Generally, a single victim only loses a single amount of information. Few victims lose more than one type of information. And the information compromised may not match the information desired by the phisher.
- Phishing emails: Name, address, phone, SSN, credit card, VCC2, bank account numbers, logins and passwords, and even items such as mother's maiden name or the answer to the "forgot your password" prompt. Generally, victims provide all of the information asked.

Average number of accounts compromised in a week
- Phishing malware / keyloggers: 500,000
- Phishing emails: 100

Slide 9: Email vs Malware (cont.)

Total development cost to the phishers?
- Phishing malware / key loggers: A single malware system, including Trojan and receiving server, may take months to develop. Each variant may take a week or longer to develop. When generic anti-virus signatures appear, redevelopment may take weeks or months.
- Phishing emails: A single phishing server may take one week to develop. The server may then be applied to hundreds of blind drop servers and reused for weeks or longer. Changes to the phishing email content (bait) can be measured in hours and may not need a change to the phishing server.

How often is the method viable?
- Phishing malware / key loggers: Most malware is effective for a week before anti-virus vendors develop signatures. Some phishing groups use malware in limited distributions. While these programs may exist for much longer durations, they generally collect less information. A single person that is infected may compromise the same information multiple times.
- Phishing emails: Reused regularly for weeks or months before requiring a change. Due to simple changes in the mailing list, a variety of people can be solicited – information is almost never collected from the same person twice.

Slide 10: Phishing Malware (cont.)

- In November of 2003, the concept of a single mega-virus changed.
- Gaobot, followed by Sasser and Berbew, took a different tack: rather than one mega-worm, these consisted of hundreds of variants, each slightly different.
- The goal of the variant was not to become a mega-worm, but rather to infect a small group of systems.

Slide 11: Phishing Malware (cont.)

This approach provided two key benefits to the malware authors:

- Limited distribution; limited detection. As long as the malware is not widespread, the anti-virus vendors would be less likely to detect the malware. (If Norton doesn't know about a virus, then they cannot create a detection signature for the virus.)
  - Over the last 12 months Secure Science Corporation has identified dozens of virus variants used by phishers, carders, and generic malware authors that are not detected by anti-virus software.
- Rapid deployment. Nearly a hundred variants of Sasser were identified in less than three months. Each variant requires a different detection signature. The rapid modification and deployment ensures that anti-virus vendors will overtax their available resources, becoming less responsive to new strains. It also ensures that some variants will not be detected.

Slide 12: Phishing Malware (cont.)

- We're seeing a significant increase in malware used by phishing groups.
  - IE exploitation via ActiveX
  - Blended threats
- Let's take a closer look at the malware, and the threat model behind phishers and their malware.
- Malware key-logging myths

Slide 13: Phishing Malware (cont.)

- A few phishing groups have been associated with specific malware.
- The malware is used for a variety of purposes:
  - Compromising hosts for operating the phishing server;
  - Compromising hosts for relaying the bulk mailing;
  - Directly attacking clients with key-logging software.
- A single piece of malware may serve any or all of these purposes.

Slide 14: Malware Trends

In early 2004, the malware associated with phishing groups rarely appeared to be created specifically for phishing. Instead, it was focused on botnet* attributes:

- Email relay. The software opens network services that can be used to relay email anonymously. This is valuable to phishers, and spammers in general.
- Data mining. The malware frequently contains built-in functions for gathering information from the local system. The gathering usually focuses on software licenses (for game players, warez, or serialz dealers**) and Internet Explorer cache. The latter may contain information such as logins. For phishers, this type of data mining primarily focuses on account logins to phishing targets.

* A compromised system with remote control capabilities is a "bot". A "botnet" is a collection of these compromised hosts.
** Illegally distributed software applications (warez) and the associated license keys (serialz) are frequently available and propagated through the underground software community.

Slide 15: Malware Trends (cont.)

- Remote control. The malware usually has backdoor capabilities. This permits a remote user to control and access the compromised host. For a phisher, there is little advantage to having a backdoor to a system unless they plan to use the server for hosting a phishing site. But for other people, such as virus writers or botnet farmers*, remote control is an essential attribute.

* A "botnet farmer" is an individual or group that manages and maintains one or more botnets. The botnet farmers generate revenue by selling systems or CPU time to other people. Essentially, the botnet becomes a large timeshare computer network.

Slide 16: Malware Trends (cont.)

- By Q3 of 2004, a few large phishing groups had evolved to support their own specific malware.
- While the malware did contain email relays, data mining functions, and remote control services, these had been tuned to support phishing specifically.
- Viruses such as W32.Spybot.Worm included specific code to harvest bank information from compromised hosts.

Slide 17: Malware Trends (cont.)

- A few phishing groups also appeared associated with key logging software.
- While not true "key logging", these applications capture data submitted (posted) to web servers.
- A true key logger would generate massive amounts of data, and it would be difficult for an automated system to identify account and login information in it.

Slide 18: Malware Trends (cont.)

- Instead, these applications hook into Internet Explorer's (IE) form submission system.
- All data from the submitted form is relayed to a blind drop operated by the phishers.
- The logs contain information about the infected system, as well as the URL and submitted form values.
- More importantly, the malware intercepts the data before it enters any secure network tunnel, such as SSL or HTTPS.

Slide 19: Malware Trends (cont.)

- Examples of data output: recent examples of HaxDoor, Berbew and PWS.Banker reveal similar "Formgrabbing":

reason=&Access_ID=xxxxxxxx&Access_ID_1=&Current_Passcode=xxxxxxx&acct=&pswd=&from=homepage&Customer_Type=MODEL&pmbutton=false&pmloginid=&dltoken=&id=*******&state=MA&pc=*******
onlineid.bankofamerica.com/cgi-bin/sso.login.controller
[11023586123662948896]
[IP:xxx.xxx.xxx.xxx 13.09.2005 8:26:32]

- Distributed through IE Class-ID attacks
  - ADB/CHM
  - IFRAME TAG
  - Javaprxy???

Slide 20: Side-Bar, Case Example

- Anti-Malware Snake-Oil
  - Virtual keyboards
  - Key-board logging protection
  - Scramble pads
  - Anti-spyware desktop software
- 99% of information theft malware doesn't log key strokes! (it's unscalable)

Slide 21: Side-Bar, Case Example (cont.)

Slide 22: Malware Trends (cont.)

- The end of 2004 showed a significant modification to the malware used by some phishing groups.
- The prior key logging systems generated gigabytes of data in a very short time. This made data mining difficult, since only a few sites were of interest to the phishers.
- By the end of 2004 and into 2005, the phishers had evolved their software.
  - Loggers focus on specific URLs, such as the web logins to Citibank and Bank of America.
  - It is believed that this was intended to pre-filter the data collected by the malware. Rather than collecting all of the submitted data, only submitted data of interest was collected.
- More importantly, multiple viruses appeared with this capability, indicating that multiple phishing groups evolved at the same time. This strongly suggests that malware developers associated with phishers are in communication or have a common influencing source.
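As an added example (not code from the talk), a defender-side parser for recovered blind-drop logs in the four-line record layout shown on slide 19 (POST body, target URL, bracketed id, bracketed IP and timestamp): it groups records by target host, which is what slide 22's per-URL focus gives the responder to work with when notifying the affected institution, and redacts credential-like fields before the data is passed on. The blank-line record separator, the field-name heuristic and the sample records are assumptions/constructed.

```python
"""Triage parser for form-grabber blind-drop logs.

Record layout follows slide 19 of the talk: a URL-encoded POST body, the
target host/path, a bracketed session id, and a bracketed IP plus timestamp
(dd.mm.yyyy H:M:S).  Added example; the blank-line separator between records
and the sensitive-field heuristic are assumptions.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qsl

# Constructed sample log (TEST-NET addresses, placeholder values).  The last
# block is deliberately truncated to show that malformed records are skipped.
SAMPLE_LOG = """\
reason=&Access_ID=xxxxxxxx&Access_ID_1=&Current_Passcode=xxxxxxx&from=homepage&state=MA
onlineid.bankofamerica.com/cgi-bin/sso.login.controller
[11023586123662948896]
[IP:192.0.2.10 13.09.2005 8:26:32]

q=weather+boston&btn=Search
www.example-search.test/search
[11023586123662948897]
[IP:192.0.2.11 13.09.2005 8:27:01]

user=jdoe&password=hunter2&remember=on
www.examplebank.test/login
[11023586123662948898]
[IP:192.0.2.12 14.09.2005 9:00:10]

truncated=record
www.examplebank.test/login
"""

IP_TS_RE = re.compile(
    r"^\[IP:(?P<ip>\S+) (?P<ts>\d{1,2}\.\d{1,2}\.\d{4} \d{1,2}:\d{2}:\d{2})\]$")

# Substrings that mark a form field as a credential or identifier (heuristic).
SENSITIVE = ("pass", "pwd", "code", "pin", "ssn", "acct", "card",
             "cvv", "vcc", "user", "login", "id")


def parse_record(block):
    """Parse one four-line record; return None if the block is malformed."""
    lines = [ln.strip() for ln in block.strip().splitlines()]
    if len(lines) != 4:
        return None
    body, url, session, ip_ts = lines
    m = IP_TS_RE.match(ip_ts)
    if not (session.startswith("[") and session.endswith("]") and m):
        return None
    host, _, path = url.partition("/")
    return {
        "host": host.lower(),
        "path": "/" + path,
        "fields": dict(parse_qsl(body, keep_blank_values=True)),
        "session": session[1:-1],
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M:%S"),
    }


def parse_drop_log(text):
    """Split a drop log on blank lines and keep every well-formed record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = parse_record(block)
        if rec is not None:
            records.append(rec)
    return records


def redact(rec):
    """Mask credential-like values so the record can be shared for notification."""
    out = dict(rec)
    out["fields"] = {
        k: ("***" if any(s in k.lower() for s in SENSITIVE) and v else v)
        for k, v in rec["fields"].items()
    }
    return out


def triage(records, monitored_hosts):
    """Group redacted records by target host, keeping only monitored hosts."""
    by_host = {}
    for rec in records:
        if rec["host"] in monitored_hosts:
            by_host.setdefault(rec["host"], []).append(redact(rec))
    return by_host


def victim_counts(records, monitored_hosts):
    """Number of captured submissions per monitored host."""
    return Counter(r["host"] for r in records if r["host"] in monitored_hosts)


if __name__ == "__main__":
    recs = parse_drop_log(SAMPLE_LOG)
    monitored = {"onlineid.bankofamerica.com", "www.examplebank.test"}
    for host, hits in triage(recs, monitored).items():
        print(host, len(hits), hits[0]["fields"])
```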

Slide 23: Malware Trends (cont.)

- PG02 significant attack pattern identified
  - Cpanel (WebISP in a box) exploitation
    - System compromise
    - Payload launch: www.site.com/images/newex.html
  - Hijacks network or box for spamming
    - Sending spam
    - Uses DMS generation 2
    - Enabling anonymity
    - Uses dark IP space for forged Received header
  - Object Class exploits for IE
    - Trojan Downloader payload
    - Classifies malware as "MSITS.exe"
    - Reference to MS-ITS protocol attacks
    - Uses GPL code from www.edup.tudelft.nl/~bjwever/ (Berend-Jan Wever website)

Slide 24: Malware Trends (cont.)

- Object Class attacks not "brand new"
  - Uses older ADB exploit even though newer attacks exist
- January-February 2005 Haxdoor variants existed for Win98
  - Suggests targeting "End of Life" product
    - Win98 EOL on security upgrades
    - No education on phishing
    - No SP2, built-in pop-up blockers
- Evolutionary pattern
  - Suggests path of least resistance
  - Evolve when necessary
  - Win98 is plentiful and best target! Why move??

Slide 25: Latest Threats

- WMF exploit
  - Discovered by Dan Hubbard (WebSense)
  - Found in the wild as a 0-day
  - Phishers were using it from Day 0
  - It was supposed to be patched in November (MS05-053)
- Nuclear Grabber used by Phishing Group #02
  - Written by Corpse (author of A-311 Death and Nuclear Grabber)
  - AV vendors call it Haxdoor
  - Sells software on Corpsespyware.net from $250.00 to $2500.00
  - Russian sales only

Slide 26: Phishing Trends (cont.)

- Serial pattern for process of Haxdoor
  - Successor to Berbew malware from 2004
  - Very likely relation to original Berbew authors
  - '05 Berbew marked with Corpse's signature
- Haxdoor malware written in Assembly
  - Trojan Creation Kit
  - Compiles with permutations
  - Packed with FSG
  - Easy for phishers to compile on the fly with customized settings.

Slide 27: Latest Threats

Slide 28: Latest Threats: Email from Phishing Group for WMF exploit

Dear Friend,

Friends [ fromfriends at aol.com ] has sent you an e-card from 123Greetings.com.

123Greetings.com is all about touching lives, bridging distances, healing rifts and building bonds. We have a gallery of e-cards for almost every occasion of life. Express yourself to your friends and family by sending Free e-cards from our site with your choice of colors, words and music.

Your e-card will be available with us for the next 30 days. If you wish to keep the e-card longer, you may save it on your computer or take a print.

To view your e-card, choose from any of the following options:

http://www.123greetings.com/NY2006z3
(link text as displayed; the underlying href shown on the slide is http://mujergorda.bitacoras.com/base/index.html)

Slide 29: What AV does with this?

- Identify the threat, label it. Here's their analysis.

Slide 30: Problem?

- Problem exists here
  - Labeled Low Threat based on AV metrics
  - Shoved in with the rest of the Trojan.small.em
  - No known resolve other than desktop prevention
  - Very reactive (as we all know)
  - Evolving malware disables AV (common knowledge)
- How do we change this?
  - Change the AV metric
  - Use common sense
  - Proactive, not reactive
  - Serial pattern analysis w/ common sense is key

Slide 31: Incident Response

- Emerging threats
  - Management by objective
  - Per incident basis
  - Threat modelling necessary (but usually never happens)
- Malware author grouping
  - Serial pattern
  - Pre-emptive signatures
  - Forces them to evolve (ROI lowers)
  - Possible apprehension

Slide 32: R&D + IR = Proactive

- Research for Haxdoor
  - http://imkportedoor.com/images/ny.wmf
  - Grabs msits.exe from www.site.com/images/msits.exe
  - Packed with FSG (marked with Corpse signature within packing)
  - 003C1BD1 PUSH ies4dll.003C1165  ASCII "www.pcpeek-webcam-sex.com"
  - 003C1BE0 PUSH ies4dll.003C11C9  ASCII "images/data.php"
  - Blind drop identified
  - Data recovered in realtime
  - Phishing the phishers

Slide 33: Data Recovery

Slide 34: Impact DOA

- Blind drop log monitoring
  - Data returned to institution that's compromised
  - Real-time risk mitigation
- Pre-emptive action: what do we know?
  - Packed with FSG
    - How many non-malicious executables are packed with FSG?
  - Talks to /images/data.php
    - Some versions /images/dat7.php and /images/bsrv.php
  - Group titles it msits.exe and msys.exe
- Bleeding-Edge Snort:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE MALWARE Corpsepsyware.net - PG 02 Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002773; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - PG 02 Outbound"; flow:to_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002772; rev:1;)
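Both rules match the same byte pattern; as an added example (not from the talk or the Bleeding-Edge project), the check below re-implements it in Python so it can be run over a captured file: the second content string decodes to the PE signature, Machine 0x014C, NumberOfSections 2 and the bytes "FSG!" in the slot where TimeDateStamp normally sits, and a stricter variant follows e_lfanew to the actual header instead of scanning the stream. The sample buffers are constructed; as the slide's question about benign FSG-packed executables implies, either check identifies the packer, not maliciousness.

```python
"""Re-implementation of the FSG-packed PE pattern from the slide 34 Snort rules.

Added example, not the rules' own code.  MZ and FSG_MARKER are the two
content strings from the rules; distance:10 means the second must start at
least 10 bytes after the end of the first match.
"""
import struct

MZ = b"MZ"
# "PE\0\0" + Machine 0x014C (i386) + NumberOfSections 2 + "FSG!" where the
# TimeDateStamp field normally sits (this is what 50 45 00 00 4C 01 02 00
# 46 53 47 21 decodes to).
FSG_MARKER = b"PE\x00\x00" + struct.pack("<HH", 0x014C, 2) + b"FSG!"


def snort_style_match(buf, first=MZ, second=FSG_MARKER, distance=10):
    """Mimic content:first; content:second; distance:N over a byte stream."""
    i = buf.find(first)
    if i < 0:
        return False
    return buf.find(second, i + len(first) + distance) >= 0


def pe_header_check(buf):
    """Stricter check: follow e_lfanew and inspect the real COFF header."""
    if len(buf) < 0x40 or buf[:2] != MZ:
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if e_lfanew + 12 > len(buf):          # header would run past the buffer
        return False
    sig, machine, nsections, stamp = struct.unpack_from("<4sHH4s", buf, e_lfanew)
    return (sig == b"PE\x00\x00" and machine == 0x014C
            and nsections == 2 and stamp == b"FSG!")


def build_sample_pe(stamp, nsections=2, e_lfanew=0x40):
    """Construct a minimal PE-shaped buffer (not executable) for testing."""
    dos = bytearray(e_lfanew)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, e_lfanew)   # e_lfanew -> COFF header
    coff = b"PE\x00\x00" + struct.pack("<HH", 0x014C, nsections) + stamp
    return bytes(dos) + coff + b"\x00" * 16


# Constructed samples: one with the FSG marker, one with an ordinary timestamp.
FSG_PACKED = build_sample_pe(b"FSG!")
NORMAL_PE = build_sample_pe(struct.pack("<I", 0x43B0C4F0))

if __name__ == "__main__":
    for name, buf in (("fsg", FSG_PACKED), ("normal", NORMAL_PE)):
        print(name, snort_style_match(buf), pe_header_check(buf))
```

The loose scan fires on a benign file that merely carries a packed PE further down (for example as an appended blob), whereas the header check does not; both behaviours are exercised in the tests.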

Slide 35: Outcome

- Snort sigs
  - Prevent a large amount of new phishing malware
  - Corpse has to change his method
  - Many other phishing malware packed same way
- Problem response vs incident response
  - Look at overall problem
  - Example: form grabbing
  - Assume everyone is infected
  - How do we solve this?

Slide 36: Example: Form Grabbing

Slide 37: So you're not an RCE

- Tricks for IR
  - IEHTTPHEADERS
    - BHO and IE hooks
    - Uses IE as agent
    - Locate blind drop
    - Monitor and mitigate
  - VMWare
    - Sandbox (with snapshots)
    - Tools like sysinternals, Ollydbg, winpooch
  - Joe Stewart has some new tools for sandnet
- As it becomes more prevalent
  - More tools available for the common response team
  - Common sense is sometimes the best weapon

Slide 38: Contact Info

Secure Science Corporation
7770 Regents Rd. Suite 113-535
San Diego, CA 92122-1967
(877) 570-0455
http://www.securescience.net
Email: info@securescience.net
Lance James ~ CTO

Slide 39: Questions

