Botnets, malware and network attacks
DESCRIPTION
Presentation about the Flu project, malware, botnets and some network attacks (SBC2012).
TRANSCRIPT
![Page 1: Botnets, malware and network attacks](https://reader035.vdocument.in/reader035/viewer/2022062319/55759596d8b42ae7708b5288/html5/thumbnails/1.jpg)
Botnets, malware and… network attacks
Pablo González
Carmen Torrano
Juan Antonio Calles
I am…
• Carmen Torrano Giménez
• PhD Student at CSIC
• Research on Computer Security
• www.flu-project.com
I am…
• Pablo González (@fluproject)
• Head of security department at Informatica 64
• www.flu-project.com
• www.seguridadapple.com
I am…
• Juan Antonio Calles (@jantonioCalles)
• Security Team Leader at Everis Spain
• elblogdecalles.blogspot.com
• www.flu-project.com
Timeline
What is Flu Project?
Malware and Botnets
Data Network Attacks!
What is…
What is… Flu?
Free Community
Ethical Hacking
Social Awareness
Anti cybergrooming with Anti Depredadores
Application development
Application development
• Flu
• Anubis (footprinting and fingerprinting)
• Liberad a Wifi (default key generation for Wifi routers)
• Flunym0us (vulnerability scanner for Moodle, Wordpress)
Collaboration
Cybergrooming
So, Flu really is…
Knowledge… Learning… Concepts… Security… Collaboration… Awareness… You… Freedom
Malware
Malware Classes
• Viruses
• Worms
• Trojans
• Rootkits
• Spyware
• Time bombs
Viruses
• They are only a kind of malware
• What is their goal? Destruction!
• Flu is not a virus
Virus Phases
Dormant
Propagation
Attack
Types…
• Boot
• Files
• Polymorphic
• Macro
Worms
• What are they?
• Key feature: Replication
• Flu is not a worm
Trojans
• What are they? Powerful!
• Remote control
• Direct and reverse
• Yeah! Flu is a trojan but… it’s an educational trojan
Rootkits
• What are they?
• Rootkit != management OR remote control software
• Key feature: they hide things…
Spyware
• What is it?
• Not destructive malware, but an attack on privacy
• Key feature: Spy & Statistics
Time bombs
• What are they? Simple code but… destructive!
• Key feature: delayed action
• Bash, Sh, Ksh, Dash, cmd, PowerShell…
• …And, Flu is not a time bomb
Botnets
Botnets
• What are they?
• Bots, zombies, botmaster
• Flu
• Statistics: 10% of you belong to a botnet!!
• DOS attack – Anonymous (against Internet censorship; hacked CIA webpage)
Flu Features
• Hidden in the user folder, hidden process
• HaaS: Hacking as a Service
• Bot generator
• Client-server architecture
• WAMP (Windows, Apache, MySQL and PHP)
• Windows + .Net Framework
Flu architecture
Flu Features
• Keylogger
• Remote CMD & PowerShell
• Screenshot
• Capture Microphone
• Steal Files
• Registry Management
• MSN Information
• Web History
• Passwords
• And More…
Flu features
• Dynamic ID in XML file
• Commands directed to:
– A specific computer
– The whole botnet
Flu features
• AES encryption (128 bits)
• Hash of the files
• GUI for Android
• Undergraduate thesis at Deusto University
Practical example
Demo
Data Network Attacks
1- Sniffing
Sniffing: hub (diagram)
Hub; PC HACKER running a Sniffer; PC 1, PC 2, PC 3, PC 4
Data for PC 4 is repeated on every port: PC 1, PC 2 and PC 3 filter it out ("Filtra"), the sniffer keeps it
Sniffing: Switch (diagram)
Switch MAC table: Port 1 → MAC 1, Port 2 → MAC 2, Port 6 → MAC H, Port 11 → MAC 3, Port 12 → MAC 4
PC HACKER (MAC H) running a Sniffer; PC 1 (MAC 1), PC 2 (MAC 2), PC 3 (MAC 3), PC 4 (MAC 4)
Data for PC 4 is delivered only to Port 12
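The two sniffing diagrams, as an added example that is not part of the original slides: a toy forwarding model in which a hub repeats every frame on every port while a switch learns source MACs and forwards known destinations to one port only. The port numbers and MAC labels follow the slide's table; the `Hub`, `Switch` and `seen_by_sniffer` names and the frames are constructed for this example.

```python
# Added example (not from the Flu Project slides): why a sniffer on a hub sees
# "Data PC 4" and a sniffer on a switch normally does not. A switch still
# floods a frame whose destination MAC it has not learned yet, which is the
# one case where the hacker's port receives someone else's traffic.
from typing import Dict, List, Set, Tuple

Frame = Tuple[int, str, str]  # (ingress port, source MAC, destination MAC)

class Hub:
    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, ingress: int, src: str, dst: str) -> Set[int]:
        # A hub repeats the frame on every port except the one it came in on.
        return {p for p in self.ports if p != ingress}

class Switch:
    def __init__(self, ports):
        self.ports = set(ports)
        self.cam: Dict[str, int] = {}  # MAC -> port, learned from source addresses

    def forward(self, ingress: int, src: str, dst: str) -> Set[int]:
        self.cam[src] = ingress                          # learn where the sender lives
        if dst in self.cam:
            return {self.cam[dst]}                       # known unicast: one port only
        return {p for p in self.ports if p != ingress}   # unknown destination: flood

# Slide's table: Port 1 MAC 1, Port 2 MAC 2, Port 6 MAC H, Port 11 MAC 3, Port 12 MAC 4
PORTS = {1: "MAC 1", 2: "MAC 2", 6: "MAC H", 11: "MAC 3", 12: "MAC 4"}
HACKER_PORT = 6  # PC HACKER (MAC H) runs the sniffer here

def seen_by_sniffer(device, frames: List[Frame]) -> List[str]:
    """Return the frames ('src->dst') that are delivered to the sniffer's port."""
    leaked = []
    for ingress, src, dst in frames:
        if HACKER_PORT in device.forward(ingress, src, dst):
            leaked.append(f"{src}->{dst}")
    return leaked

# Constructed traffic: PC 4 talks to PC 1 before the switch knows MAC 1,
# then PC 1 sends data to PC 4, then PC 4 answers again.
FRAMES: List[Frame] = [(12, "MAC 4", "MAC 1"), (1, "MAC 1", "MAC 4"), (12, "MAC 4", "MAC 1")]

def demo() -> Tuple[List[str], List[str]]:
    """(frames the sniffer sees on a hub, frames it sees on a switch)."""
    return seen_by_sniffer(Hub(PORTS), FRAMES), seen_by_sniffer(Switch(PORTS), FRAMES)
```

On the hub every frame reaches port 6; on the switch only the first one does, because MAC 1 was still unknown and the frame was flooded, which is why the next slide needs ARP spoofing to see switched traffic.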
2- ARP Spoofing (MITM)
ARP spoofing (diagram)
Alice: IP 10.0.0.10, MAC 00:00:00:00:00:10
Bob: IP 10.0.0.20, MAC 00:00:00:00:00:20
Eve: IP 10.0.0.50, MAC 00:00:00:00:00:50
ARP Request (Alice, broadcast): Who is 10.0.0.20?
ARP Reply (Bob): 10.0.0.20 is in 00:00:00:00:00:20
ARP Reply (Eve, spoofed, to Alice): 10.0.0.20 is in 00:00:00:00:00:50
ARP Reply (Eve, spoofed, to Bob): 10.0.0.10 is in 00:00:00:00:00:50
ALICE'S ARP TABLE: IP 10.0.0.20 – BOB, MAC 00:00:00:00:00:20 – BOB; after poisoning: IP 10.0.0.20 – BOB, MAC 00:00:00:00:00:50 – ATTACKER
BOB'S ARP TABLE: IP 10.0.0.10 – ALICE, MAC 00:00:00:00:00:10 – ALICE; after poisoning: IP 10.0.0.10 – ALICE, MAC 00:00:00:00:00:50 – ATTACKER
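The poisoning shown in the diagram, from the detection side, as an added example that is not part of the original slides: a small ARP watcher in the spirit of arpwatch that records IP-to-MAC bindings from observed replies and alerts when a binding flips or when one MAC starts answering for several IPs. The addresses are the slide's; the `ArpWatcher` class and the reply sequence are constructed for this example.

```python
# Added example (not from the Flu Project slides): detecting the ARP-table
# change that Eve's spoofed replies cause. Real deployments need tuning: a
# host with several IPs or a failover address legitimately trips the
# "one MAC, many IPs" rule, so treat alerts as signals, not verdicts.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ArpReply = Tuple[str, str]  # (sender IP, sender MAC) from an "X is in Y" reply

class ArpWatcher:
    def __init__(self) -> None:
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
        self.alerts: List[str] = []

    def observe(self, ip: str, mac: str) -> None:
        mac = mac.lower()
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            # "flip-flop": the IP is now bound to a different hardware address
            self.alerts.append(f"{ip} changed from {old} to {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            # one station answering for several IPs is the MITM signature
            self.alerts.append(f"{mac} claims {sorted(self.mac_to_ips[mac])}")

# Addresses from the diagram
ALICE: ArpReply = ("10.0.0.10", "00:00:00:00:00:10")
BOB: ArpReply = ("10.0.0.20", "00:00:00:00:00:20")
EVE_MAC = "00:00:00:00:00:50"

# Constructed sequence: the legitimate replies first, then Eve's two spoofed
# replies ("10.0.0.20 is in ...:50" to Alice, "10.0.0.10 is in ...:50" to Bob).
REPLIES: List[ArpReply] = [ALICE, BOB, ("10.0.0.20", EVE_MAC), ("10.0.0.10", EVE_MAC)]

def run(replies: List[ArpReply] = REPLIES) -> List[str]:
    """Feed the replies to a fresh watcher and return the alerts it raised."""
    watcher = ArpWatcher()
    for ip, mac in replies:
        watcher.observe(ip, mac)
    return watcher.alerts
```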
Goals of MITM
• Stealing:
– passwords
– hashes
– files
– sessions
Demo: MITM
3 - Hijacking
Hijacking
• Goal: Steal user identity/session (impersonation)
• Types: transport layer, application layer
• We focus on HTTP Communication
• Social Networks, Webmails…
Hijacking
• I do not need your password!
• HTTPS (authentication), HTTP (rest of the session)
• Insecure communications – Cookie stolen… Ouch!
• Firesheep
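The "HTTPS for login, HTTP for the rest" weakness, as an added example that is not part of the original slides: a minimal Set-Cookie parser plus the browser rule that a cookie without the Secure attribute is attached to plaintext requests, run over a weak and a hardened cookie for the same session. The `social.example` URLs, the cookie value and the function names are constructed for this example.

```python
# Added example (not from the Flu Project slides): which requests of a session
# carry the session cookie in the clear. Domain and path matching are omitted
# for brevity; the scheme check is the part this slide is about.
from typing import Dict, List
from urllib.parse import urlsplit

def parse_set_cookie(header: str) -> Dict[str, object]:
    """Return name, value and the Secure/HttpOnly attributes of one Set-Cookie line."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}
    return {"name": name, "value": value,
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}

def would_send(cookie: Dict[str, object], url: str) -> bool:
    """A Secure cookie is only sent on https:// requests (RFC 6265 section 4.1.2.5)."""
    return urlsplit(url).scheme == "https" or not cookie["secure"]

def exposed_on_plaintext(set_cookie: str, session_urls: List[str]) -> List[str]:
    """URLs of the session on which the cookie crosses the wire unencrypted."""
    cookie = parse_set_cookie(set_cookie)
    return [u for u in session_urls
            if urlsplit(u).scheme == "http" and would_send(cookie, u)]

# Constructed session: login over HTTPS, the rest over plain HTTP, as on the slide.
SESSION = ["https://social.example/login",
           "http://social.example/home",
           "http://social.example/messages"]
WEAK = "sid=8f3a2c; Path=/"                                      # no Secure flag
HARDENED = "sid=8f3a2c; Path=/; Secure; HttpOnly; SameSite=Lax"  # never sent over http://

def demo():
    """(plaintext URLs leaking the weak cookie, same for the hardened cookie)."""
    return exposed_on_plaintext(WEAK, SESSION), exposed_on_plaintext(HARDENED, SESSION)
```

With the Secure attribute the http:// pages simply do not get the cookie, so the complete fix is serving the whole session over HTTPS (with HSTS) rather than just the login.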
Demo: Hijacking
Finally…
Proud…
• Juanan and…
• “La biblia del Footprinting”
• Free!!!
…And Proud… :D
• Pablo and… his book
• “PowerShell: La navaja suiza de los administradores de sistemas”
• Sad… Not Free :(
Shopping!
• 5 Euros!
• Really?? Yeah!
• Finance… for the Project!
Thank you!
www.flu-project.com
@fluproject
@jantonioCalles
@ctorranog
Grupo Flu Project
Feeds.feedburner.com/FluProject
Contact