inside a bbb malware scheme mapping and dissecting
play

Inside a BBB Malware Scheme: Mapping and Dissecting Attacker - PowerPoint PPT Presentation

Sep 21, 2022 •253 likes •458 views

Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST 2008 Michael La Pilla VeriSign iDefense Malicious Code Operations Team June 26, 2008 Why Should Incident Responders Care? + US Commercial Accounts

  1. Inside a BBB Malware Scheme: Mapping and Dissecting Attacker Infrastructure Prepared for FIRST 2008 Michael La Pilla VeriSign iDefense Malicious Code Operations Team June 26, 2008

  2. Why Should Incident Responders Care? + US Commercial Accounts (the current target) NOT covered by Regulation E (read http://www.gpoaccess.gov/ecfr/ for more details in US) + Businesses of all size losing money, not just the banks 2

  3. Retail vs. Commercial Trojan Attacker Consumer Level Attacks Business/Corporate Level Attacks Victim PC Victim PC Corporate System Custom Data: Custom Data: Standardized Data: Business Account Credentials Bank Account Credentials Credit Card Numbers Certificates Certificates Debit Card Numbers VPN Keys Security Questions Employee Data Contact Lists 3

  4. What is a “BBB Attack” + Targeted e-mail using social engineering + Coined after use of Better Business Bureau name + “BBB Attack” is like saying “Storm Worm” + 60+ documented attacks Feb 2007 – June 2008 4 4

  5. BBB Attacks - FTC 5 5

  6. US Courts – April 14, 2008 6 6

  7. US Courts – April 14, 2008 7 7

  8. US Courts – April 14, 2008 8 8

  9. Not Just BBB 9 9

  10. Multiple Attackers, Different Infrastructures 10 10

  11. The “A” Approach Attachment Install Site 1 (Hardcoded Tier 2) Real Government Web Site [attackrelatedname].php Legitimate PDF gl.php log to txt file Drop Site 1 (Tier 3) install.exe b.php 11

  12. The “A” Approach (continued) Drop Site 1 (Tier 3) install.exe b.php kit.zip DelZip179.dll Tier 1 server Victim Machine (hardcoded) svchost.exe nirsoft tools 301 Redirect Tier 2 (Dynamic) Drop Site 2 gl.php p.php b.php 12

  13. The “B” Approach C&C Site http://[realstic-domain].tld/something.php Victim Machine [clever name].dll Drop Site http://[bulletproof host]/[some letters]/parse.php 13

  14. Demo #1 - BBBMapper.py 14

  15. Attack Mitigation Strategies + Variations on MFA + Transaction Verification + Server-side Detection + Credential Recovery / Victim IP Flagging + User Education + Transaction Fraud Detection + IDS/IPS Exploiting Lack of Attacker Innovation 15

  16. User Education…Really? + Never 100 percent, but many success stories + Explain the situation, potential variations, and give a picture + Water-cooler effect in action 16

  17. Snort Sigs For FIRST Member Organizations + Available via e-mail for any members, can be shared with entire list if posting signatures to list is permissible 17

  18. Demo #2 – The Real Payload 18

  19. Q&A Special Thanks Matt Richard + FIRST SC and Members + The kind folks from Conference & Publication Services, LLC + for dealing with all our last minute changes Michael La Pilla mlapilla@idefense.com VeriSign iDefense Malicious Code Operations Team

Recommend

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement

Dissecting Android Malware: Characterization and Evolution 1 Problems to solve 18 Requirement 1: Sufficient Malware data set Anti Virus Communities or Researchers are hampered by the lack of malware data set. Req equires a a suf

649 views • 34 slides
The Design of Malware on Modern Hardware Malware inside Intel SGX enclaves Jeroen van Prooijen

The Design of Malware on Modern Hardware Malware inside Intel SGX enclaves Jeroen van Prooijen

The Design of Malware on Modern Hardware Malware inside Intel SGX enclaves Jeroen van Prooijen University of Amsterdam 29th June 2016 Introduction 2/18 What is Intel SGX? Intel Software Guard Extension (SGX) A vault (enclave) to

353 views • 19 slides
PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst,

PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst,

PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst, Oracle + NetSuite Agenda Basic intro No assembly required No malware (de)obfuscation magic How does the OS look inside?

847 views • 57 slides
Mapping data Representing data with maps Geographic analysis tasks Mapping where things are

Mapping data Representing data with maps Geographic analysis tasks Mapping where things are

Mapping data Representing data with maps Geographic analysis tasks Mapping where things are Mapping the most and the least Mapping density Finding whats inside Finding whats nearby Mapping changes in time Why

743 views • 55 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
TEXTURE MAPPING 1 OUTLINE Introduce Mapping Methods Texture Mapping Environment

TEXTURE MAPPING 1 OUTLINE Introduce Mapping Methods Texture Mapping Environment

TEXTURE MAPPING 1 OUTLINE Introduce Mapping Methods Texture Mapping Environment Mapping Bump Mapping Basic mapping strategies Forward vs backward mapping Point sampling vs area averaging Introduce

775 views • 25 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
Image Warping Image Mapping Image Mapping - Examples Forward Mapping Forward Mapping -

Image Warping Image Mapping Image Mapping - Examples Forward Mapping Forward Mapping -

Image Warping Image Mapping Image Mapping - Examples Forward Mapping Forward Mapping - Disadvantages Example Forward Mapping Original Rotated Zoom In Backward Mapping The Problem: (u,v) are not integers! "# Nearest Neighbor

715 views • 49 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

716 views • 56 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning Objectives By the end of this week, you will be able to: Describe types of malware See certain malware behaviors Scan and analyze malware

883 views • 25 slides
What can Scheme learn from JavaScript? Scheme Workshop 2014 Andy Wingo Me and Scheme Guile

What can Scheme learn from JavaScript? Scheme Workshop 2014 Andy Wingo Me and Scheme Guile

What can Scheme learn from JavaScript? Scheme Workshop 2014 Andy Wingo Me and Scheme Guile co-maintainer since 2009 Publicly fumbling towards good Scheme compilers at wingolog.org Scheme rules everything around me Me and JS 2011:

528 views • 52 slides

More recommend