Targeted and Opportunistic Botnet
6/7/11 Copyright ©2010 Damballa, Inc. All Rights Reserved Worldwide. 1
About
• Gunter Ollmann – VP of Research, Damballa Inc. – Board of Advisors, IOActive Inc.
• Been in IT industry for two decades & Built and run international pentest teams, R&D groups and consulting practices around the world.
– Formerly Chief Security Strategist for IBM, Director of X-Force for ISS, Professional Services Director for NGS Software, Head of Attack Services EMEA, etc.
– Frequent writer, columnist and blogger with lots of whitepapers!
• http://blog.damballa.com & http://technicalinfodotnet.blogspot.com/
Targeted?
6/7/11 3
Opportunistic?
6/7/11 4
6/7/11 5
Where to Begin?
Tools and services available for sale, rent and lease
Today’s Threat Landscape
• What's it take to become a cybercriminal?
6/7/11 6
Know how to use a search engine
Ability to install software on your own computer
• What about those “advanced” threats?
Federated ecosystem of tool and service providers
Specialist services and gray-market expertise for hire
Video how-to's and advertizing
Back in the old days!
• Self-contained botnet building unit – Skills all contained within a single team
• One-stop crime shop – Building, managing, distributing & monetizing the botnet
– Autonomous cybercrime unit
6/7/11 7
Malware Author Web Developer Email Sender Exploit Coder Fraud Handler
A Brief History of Botnets
6/7/11 8
A Brief History of Botnets
6/7/11 9
Too many operators competing for
diminishing returns
A Brief History of Botnets
6/7/11 10
More time spent battling their competitors
(DDoS, sabotage, informants, etc.)
A Brief History of Botnets
6/7/11 11
Growing degrees of
specialization
Many criminal operator teams
dissolve
A Brief History of Botnets
6/7/11 12
Federated services model
Introduction of newbies with minimal
technical skill
Service Specialization
• Consolidation of expertise – Dedicated guns for hire
• Boutique specializations – Translation services for spear phishing campaigns – Exploit weaponization for Android malware – Arbitration services between botnet buyers/sellers
6/7/11 13
Botnet Kit Authors Phishing Developers Bulk Spam Senders Drive-by Coders Carders
6/7/11 14
A Vibrant Market
Self-contained Ecosystem
• Service and tool provisioning – From cottage-industry to full-service offerings
• Pricing models to suit any pocket – Buy-to-rent, rent-to-buy – Service (and victim) bartering
• Affiliate systems – Resellers – Value-add services
6/7/11 15
The Business of Crimeware
• Multiple components to botnet building – Creation of the botnet crimeware – Force/trick victim to installing the crimeware – Building a robust CnC infrastructure – Monetization: laundering, mules, etc.
• Plenty of opportunity for third-parties
6/7/11 16
Phishing
Driving the Victim to the Badness
Blackhat SEO Hacked Site Injection Out-of-band Banners Social Network
An Infection Lifecycle
6/7/11 17
Post Unpack: Disable local security; Prevent updates/patches; Inventory victim
Victim Dropper(s)
Dropper unpacks on the Victim machine and runs
Update Downloader: Confirm installation; Is this a real machine? Have I seen it before? Update malware location
Post Agent Install: Delete dropper/installer; Clear logs & events; Catalogue & inventory
Download Bot Agent: Host bot agent(s); Agent selection criteria; Whitelisted repositories; Unique botnet agent
Data Repository: Logging of install successes; Encrypted files from victim; Stolen passwords & PII
Criminal Control: Multiple CnC proxies; Separate CnC portals; Updates to bot agent; Updates to list of CnC's; Agent integrity checking; Locking of agent to victim; Issuing of batched commands; Remote access & control
CnC Proxies CnC Portals
Updater
Downloader
Repository
Malware Reviews
6/7/11 18
AV Testing
6/7/11 19
AV Testing
6/7/11 20
The service lowest prices on the market: $0.12 for one-time validation (6 cents per file) and $ 20 per month for full-NL(
Tutorials
6/7/11 21
Bullet-proof Hosting
6/7/11 22
Full Service Hosting Providers
• Targeted service offerings – Catering exclusively to cyber
criminals
6/7/11 23
VPN Services
6/7/11 24
VPN Services
6/7/11 25
Call Service Translation
• Foreign language support – Crime specific
6/7/11 26
Exploit packs
• Eleonore Exp v1.6.2 • Pricing
– Package: $2000 – Updates: $100 – Rebuild for new IP: $50
• Special pricing – Subacc Edition: $2500 – Rental Edition: $3000
6/7/11 27
Exploit Pack Diversity
6/7/11 28
Exploit Pack Management
• Full capability portals • Multiple exploits
– Multi-platform & app
6/7/11 29
DDoS for Rent
6/7/11 30
Botnet Selling
• Build-to-sell models – Public forum postings – Private forum requests – Mediators to facilitate transfers
6/7/11 31
Buy Specific Bot Victims
• Compromised systems – Hacked “manually” – Hacked via Googledorks – Backdoor delivery
• Campaigns – “Opportunistic” delivery – Sifting of victim inventory – Specialized sale of notable systems
PPI
6/7/11 33
Distributed TDL3 variants
Full Service PPI
6/7/11 34
Gangstabucks
6/7/11 35
Distributed TDL4 variants
6/7/11 36
Disclaimers & Protection
Disclaimers
• Legitimate or fraud? – Common use of disclaimers and agreements
• “Protection” and air of authenticity – Proof of concept – Not for criminal use – Please do not use illegally – Internal testing purposes only – Warranty void if used for criminal purposes – Commercial network administrators only – Click here to accept full responsibility
6/7/11 37
DDoSer Tool
1. We are not held responsible for any actions you use our software for.
2. We are not responsible if you purchase this without having any understanding of how it works.
3. There are NO refunds, all sales are [illegible]. 4. If your portal account gets stolen, you have to provide
ownership of it before we will offer support on helping you get it back, otherwise its not our problem. (Purchase Information etc.)
5. We only offer support if its something on our end, otherwise we are not responsible if your having problems with using our software. (We are here to help, not spoon feed.)
6. We do not support resold accounts! We are not held responsible if you are scammed by a reseller, to be safe you should only buy DDoSeR from us. If you did not purchase from us then we are not required to give you support.
7. You may get trolled on in "User chat", we don't care, so dont come crying to us because its not our problem that your stupidity over comes you.
6/7/11 38
DarkComet RAT Disclaimer
• Click-through EULA/Disclaimers
6/7/11 39
Scam Reporting
6/7/11 40
6/7/11 41
Botnet Building & Operations
2010 Biggest Botnets
6/7/11 42
2010 Botnet Percentage of Victim Population
2009 Position
1 TDLBotnetA (RudeWarlockMob) 14.8% --
2 RogueAVBotnet (FreakySpiderCartel) 5.7% --
3 ZeusBotnetB (FourLakeRiders) 5.3% --
4 Monkif 5.2% 4th
5 Koobface.A 4.0% [?] top10
6 Conficker.C 2.8% [?] top10
7 Hamweq (GraySunGirls) 2.5% --
8 AdwareTrojanBotnet (WickedRockMonsters) 2.2% --
9 Sality 2.1% [?] top10
10 SpyEyeBotnetA (OneStreetTroop) 1.9% --
Feature Creep
Kit Development & Deployment
6/7/11 44
Zeus
SpyEye
TDSS
Zeus
• Originally Zbot was a Gaming Mod/Cheat bot
• Initially developed by Slavik (aka Monstr) into the Zeus bot we know today
• For well over 5 years Zeus (Zbot) led the top 10 most wanted criminal networks
• Eastern European based organized criminal threat
• In early Q1 2011 best of Zeus was merged into SpyEye
• In late Q1 2011 source code for version 2.0.8.9 was leaked
2/15/2007 10/14/2011
1/1/2008 1/1/2009 1/1/2010 1/1/2011
2/28/2009 Millions of Infections Identified
2/28/2008 Phishing with Zeus en masse
11/3/2009 Small Zeus Arrest
2/15/2007 Zbot originally a Game Mod 7/31/2007
Zeus (Zbot) Identified
11/27/2009 9 Million Emails
7/10/2010 International Banks Hit
10/15/2010 90 Zeus Arrests
10/1/2010 $70M Reported Stolen
11/1/2010 Zeus Source Passed
3/21/2011 Zeus v2 Source Leaked
6/7/11 46
0
200,000
400,000
600,000
800,000
1,000,000
1,200,000
1,400,000
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51
Major Zeus Botnets 2010
FourLakeRiders
GreenAlienRiders
RAT-ZU-91117
EightLakeRiders
Zeus
6/7/11 47
Zeus code for sale/grabs
6/7/11 48
ZeuS CnC Structures ZeuS Kit Default URL URL Type
zephehooqu.ru/bin/teemaeko.bin CnC
iveeteepew.ru/bin/teemaeko.bin CnC
jocudaidie.ru/bin/cahdoigu.bin CnC
johgheejae.ru/bin/oopaiboo.bin CnC
kaithuushi.ru/bin/aiphaipi.bin CnC
deilaeyeew.ru/bin/ucuosaew.bin CnC
adaichaepo.ru/bin/thootham.bin CnC
ootaivilei.ru/bin/thootham.bin CnC
voraojoong.ru/bin/saejuogi.bin CnC
dahzunaeye.ru/bin/sofeigoo.bin CnC
,8"8$89&-8:+2;30/;3$012$$#:30/' CnC(
,8"8$89&-8:+2;30/;&&4,%,,<:30/' CnC(
,8"8$89&-8:+2;30/;82&480=$:30/' CnC(
,8"8$89&-8:+2;30/;)$$/40&%:30/' CnC(
,8"8$89&-8:+2;30/;,,(0&"8&:30/' CnC(
,8"8$89&-8:+2;30/;6$&>2,40:30/' CnC(
,8"8$89&-8:+2;30/;6829$0-$:30/' CnC(
,8"8$89&-8:+2;30/;%8,,%8$(:30/' CnC(
,8"8$89&-8:+2;30/;?,0+,,-,:30/' CnC(
,8"8$89&-8:+2;30/;?26,4$88:30/' CnC(
Other ZeuS CnC Structures
ZeuS Kit Custom Cnc URL URL Type
freehost21.tw/b/cfg375.bin CnC
www.technoplast.com.ua/catalog/nibco/tmc.bin CnC
askuv.com/percent/update.bin CnC
leadingcase.cc/20aug_old.cpm CnC
mswship.com/xed/config.bin CnC
nascetur.com:81/wc/cof58.bin CnC
nascetur.com:81/wc/g6.php Drop Site
nascetur.com:81/wc/512.exe Trojan
Kit Development & Deployment
6/7/11 51
Zeus
SpyEye
TDSS
SpyEye
• Developed by Roman (aka Gribo/[?]iro) in mid-2009
• Released in late 2009 to compete with Zeus, automatically removing Zeus upon infection
• In Q4 2010 Roman received stewardship of the Zeus bot source code from Slavik
• In Q1 2011 SpyEye 1.3 emerged as the best of Zeus and SpyEye merged with new functionality
– Mobile Devices – DDoS – Enhanced Persistence
6/15/2009 10/14/2011
1/1/2010 1/1/2011
6/15/2009 Roman starts with SpyEye
11/3/2009 SpyEye Discovered
1/31/2010 SpyEye Competes w/Zeus
6/10/2010 SpyEye Infiltrated
11/22/2010 Dev team gets Zeus source
1/11/2011 SpyEye 1.3 released
2/19/2011 SpyEye DDoS'ing
2/28/2011 SpyEye now Mobile
4/6/2010 SpyEye Deleting Zeus
4/25/2011 SpyEye #1 US Threat
SpyEye 1.3
6/7/11 53
WebInjects for SpyEye/Zeus
6/7/11 54
Mynet-Injects Service
6/7/11 55
SpyEye
Type
barcalys-trial3.com/main/bin/build.exe Malware Drop
coundnes.com/cache/bin/build.exe Malware Drop
eu-analytics.com/sp4a/bin/1_sp4a_new.exe.crypted.exe Malware Drop
217.23.7.21/date/gate.php?guid=User!SANDBOX0!D06F0742&ver=10129&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=19&ccrc=3D893DD9&md5=60d6d584515e1925e0d0c9edd8b32eed
CnC
200.63.45.69/~datosco/main/gate.php?guid=User!SANDBOX2!D06F0742&ver=10132&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=100&ccrc=690E5C55&md5=82beb808bef523b7660af10266377407
CnC
91.213.174.34/spyeye_main/gate.php?guid=User!SANDBOX2!D06F0742&ver=10200&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=22&ccrc=B144ABF5&md5=e8a713c24a38b9339474f71f5bcff78a
CnC
77.78.240.162/spye/gate.php?guid=User!SANDBOX0!D06F0742&ver=10207&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&plg=ftpbc&cpu=100&ccrc=8CCFE0AB&md5=84a9aedb378c3ec297a775c1f7fc573a
CnC
113.11.194.173/eye/main/gate.php CnC
204.12.243.187/main/gate.php CnC
200.56.243.137/includes/admin/gate.php?guid=User!SANDBOX2!D06F0742&ver=10207&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=80&ccrc=3FF0F25D&md5=86e1bb6f428421a06bdae1b2b55323d1
CnC
200.56.243.137/includes/phpbb/gate.php CnC
200.56.243.137/joomla/admin/gate.php CnC
cocainy.net/spmini/gate.php?guid=User!SANDBOX0!D06F0742&ver=10225&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=100&ccrc=ED1A0A53&md5=1aa16572aee1486c7cd8c78dad9cb510
CnC
craken.biz/aimpis/gate.php?guid=User!SANDBOX2!D06F0742&ver=10211&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=100&ccrc=3AF32A5D&md5=a5c67adc367e850f49c441b2cee4b59b
CnC
Kit Development & Deployment
6/7/11 57
Zeus
SpyEye
TDSS
TDL/TDSS
• First appearance in 2008 as a rootkit with strings of TDSS – Hence the name TDSS, a play on the acronym SSDT which it broke – TDL comes from the play on the acronym LDT but also as the “Tyler Durden Loader”
• Between 2008-2010 versions 1-3 [?] Info Stealers & downloaders for rogue AV and DNS changing trojans (subleasing)
• In Q3 2010 version 4 focused on in-depth persistence MBR infection
• In Q1 2011 version 4.1 there is now 64bit support
• In Q2 2011 Reports of Mac and Mobile device support
• March 2011 [?] installs other malware – Win32/Glupteba.D (Clickjacking/SEO bot)
4/15/2008 6/14/2011
1/1/2009 1/1/2010 1/1/2011
5/9/2008 TDSS/TDL v1
First Discovered
2/17/2010 TDSS/TDLv3 released
8/2/2010 TDSS/TDLv4 released
4/26/2009 TDSS/TDLv2 released
8/9/2009 Millions of Infections
Reported
1/20/2011 Added 64bit Support
11/1/2010 Included Mobile Support
5/28/2011 Linux/Mac OSX MBR
TDB
8/5/2010 Includes MBR Infector 2/5/2009
Business with FakeAV
4/30/2010 Business w/DNS Changer
6/7/11 59
0
500,000
1,000,000
1,500,000
2,000,000
2,500,000
3,000,000
1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51
TDL3BotnetA (RudeWarlockMob) 2010
RudeWarlockMob
6/7/11 60
TDL3 Driver Source
6/7/11 61
TDL/TDSS Gang
Type
64.191.25.166/perce/447c05f1e6bff6d24d24a15d483cedb9689f10406b7230b46e69c850008919480e2c3fe8d432c72e6/607/perce.jpg
CnC
69.10.35.251/perce/447c05f1e6bff6d24d24a15d483cedb9689f10406b7230b46e69c850008919480e2c3fe8d432c72e6/607/perce.jpg
CnC
69.10.35.251/perce/465cbbfb5c459068718ea7c544e87ed2a776f651b13f6f75e085d95d0f16be4d73603cc8bfd83f316/d4f5b0c5628/qwerce.gif
CnC
69.10.35.251/perce/8020ac6db14a14e0ed94c17da86c8d0938cff0c02ba29014aee9a81000a9b998de6c0f98a422879eb/400/perce.jpg
CnC
69.10.35.251/perce/96ec3b1bcc25c048614e07d5d478be22d7565661f17f1f754035b9cd3ff64ecde370eca8afa8ff01f/f0e/perce.jpg
CnC
88.214.201.132/perce/447c05f1e6bff6d24d24a15d483cedb9689f10406b7230b46e69c850008919480e2c3fe8d432c72e6/607/perce.jpg
CnC
images-humanity.com/werber/30f/216.jpg CnC
imagesmonitor.com/werber/e4d08081926/216.jpg CnC
pictureswall.com/werber/b0f/216.jpg CnC
hipartsonline.com/werber/548582c8e44/217.gif
CnC
virtualartsonline.com/perce/23a8802761f8ac0664709edb14bbd80dee 020a2ca627fe38e60811523634ef62dc748b397c3e4cd0a/d4b8c69787c/qwerce.gif
CnC
videoartfilms.com/werber/34a826c797b/217.gif CnC
Dialing in the Attack
Opportunistic Building Strategy
• There's a general myth that botnet operators are opportunistic in their building strategy. – In some older and sloppier cases they are but things have moved on.
• Damballa tracking several thousands groups – Assigning funny names etc. – Specialized tactics
6/7/11 64
Major Attack “Classes”
6/7/11 65
Targeted
Tripwire
Trawling
Predefined objective and victim list • Attack vectors tuned to target requirements • Destination/use of stolen data pre-agreed • Focused tool design and manual processes
Indiscriminate “wrong place at the wrong time” • Seeding of popular sites/locations/files • Opportunistic return on victims & sort afterwards • Fire and forget with no/low management costs. Focused upon a target profile • Casting a wide net over possible victims • Monetization angle already decided upon • Efficient and largely automated approach
Attack Cost
• Scenario: – 14yr-old wanting to DDoS “friends” on X-Box – Seed torrents and newsgroups with botnet agent – Target [?] growth rate of 100 victims per week
6/7/11 66
Tripwire
Setup Monthly Annually
Zeus DIY Kit • Pirated version
$0 $0 $0
Single CnC server • Home computer
$0 $30 $360
Dynamic DNS • Free DDNS for DHCP churn
$0 $0 $0
Total $0 $30 $360
Attack Cost
• Scenario: – 18yr-old student in Brazil wanting USA victim bank accounts – Carbon-copy phishing environment and emails – Target [?] 2,500+ victims per week
6/7/11 67
Setup Monthly Annually
SpyEye DIY Kit • Commercial version
$2,000 $0 $500
Two CnC servers • Bullet proof
$75 $30 $360
US Bank phishing SpyEye plug-in $50 $0 $0
Spam sending service • 100,000 emails per day
$0 $100 $1200
Total(s) $1,125 $130 $2,060
Trawling
Attack Cost
• Scenario: – Professional cybercriminal looking for big payment – Locating and eventual spear-phishing of CFO – Target [?] obtain corporate banking credentials
6/7/11 68
Setup Monthly Annually
Poison Ivy malware construction kit (licensed) $0 $0 $0
Armoring of malware & QA FUD testing $60 $20 $240
Obtaining corporate hierarchy details $499 $0 $0
Email, translation and spear-phishing design $200 $0 $0
Mule & transaction laundering service $0 $600 $0
Total(s) $759 $620 $240
Targeted/Trawling
Attack Cost
• Scenario: – Anonymous entity (Patriotic or Politically motivated) – Infiltrate and steal software signing certificate – Target [?] A popular microprocessor manufacturer
6/7/11 69
Setup Monthly Annually
Commercial grade RAT $0k $0 $0
Commissioned spear-phishing campaigns • Guaranteed delivery, 24x7 support
$2k $2k $24k
Access to 2 (two) 0-day vulnerabilities • Replacement warranty if fixed/patched
$40k $0 $0
Rent-a-hacker • Experienced hacker & enterprise network navigator • 10 man-day retainer + hourly rate
$20k $0 $0
Total(s) $62 $2 $24
Targeted
6/7/11 70
Wrapping it up!
Keeping it simple (and wrong)
6/7/11 71
Victim Attacker
Delivery Malware
Fraud
Federated Operations
6/7/11 72
Victim
Attacker
Delivery
Malware
Armoring
Exploits
Fraud
Console Developers
Organized Crime
State Sponsors
Context Change
• Blurred “Targeted” vs “Opportunistic”? – Unaffiliated attack components – Independent service provisioning
• Targeted attacks – Does “intent” matter? – “It’s just business” & Don’t take it personally
6/7/11 73
Perspective
• It's a matter of perspective – It feels personal!
• There may be targeted objectives – Different parts of the “value chain”
• Attack delivery opportunistic – Multiple campaigns & probabilities of success – Gray-areas of operation
6/7/11 74
New Label?
• Is the “Targeted Attack” an outdated term? – Battling an ecosystem not an individual
• TLA alternative labels? – APT (Advanced Persistent Threat) – ABA (Affiliate-based Attack) – CDS (Crimeware Distribution System) – WPWT (Wrong Place, Wrong Time)
6/7/11 75
Opportunity
6/7/11 76 Gunter Ollmann, VP Research gollmann@damballa.com