bots and malware

BOTNET

- How to flight a Boeing 787

- Or a Boeing 777

- Blow computer remotely

WILL NOT TALK ABOUT

- Basic introduction to internet security

- What is Botnet? C & C?

- How does it get to your computer?

- Different module

- Real life story

- Live example

WILL TALK ABOUT

Making your computer into Bot using Trojan, Malware, etc..

The Bot will installed on the victim computer and will be communicate with

the C&C server.

BOT

Bottom Line

A Bot is simply an automated computer

program, or robot.

HOW DOES IT WORKS

Easy, Bot Builder. Although you can re-create one from scratch.

HOW YOU BUILD A BOT?

Via affiliate program, torrent, emule any p2p that are out there.

For example lets {Some.New.Movie}.blu.ray and yes we can make it be

5GB although our bot will be only 100KB.

Yes, sometimes will see {some.great.movie.avi} 565KB, Yeah right.

SPREAD THE WORD…So, we create this great Bot now lets spread it via….

But how?!?

SPREAD THE WORD…

django unchained

SPREAD THE WORD…

Affiliates?!?

In the old day a server that collect the victim data.

Today much more complicated

- Encrypted network connections

- Botnet access to the Kad network

C&CCommand and Control Server

Bootkit will infects the MBR in order to launch itself

This is a classic method used by downloaders which ensures a longer

malware lifecycle and makes it less visible to most security programs.

AN ANTIVIRUS OF ITS OWN

SEARCH FOR SYSTEM REGISTRY FOR

OTHER MALICIOUS PROGRAM

BOTNET ACCESS TO THE KAD NETWORK

So what do the cybercriminals want with a publicly accessible file exchange network?

1. Cybercriminals make a encrypted file the contains list of commands

2. Infected computer receive command to download and installing any module.

3. After the installation process the victim get the nodes which contains the publicly

accessible list of IP addresses of network servers and clients (Kad server and clients).

4. The module then sends a request to the Kad network to search for the right file.

5. Once the files has been downloaded and encrypted, the dll file runs the commands

PROXY MODULE

Basically proxy server on the victim computer.

- This module facilitates the anonymous viewing of Internet resources via infected machines.

- New way making money $$, offering anonymous Internet access as a service, at a cost of

roughly $100 per month.

- Hiding the network and C&C servers.

ANOTHER COOL WAY FOR PROXY

FAST FLUX

Fast flux DNS takes advantage of the way load balancing is built into the DNS.

It allows an administrator to register a number of IP address with a single host name (for ex:

google.com, facebook.com, etc…)

And the secret is the TTL,

WAYS TO TRANSFER MONEY

REAL LIFE EXAMPLE :: TDL4

Couple of Facts:

1. TDSS is one of the most sophisticated threat.

2. TDSS uses a range of methods to evade signature, heuristic, and proactive detection.

3. Uses encryption to facilitate communication between its bots and the botnet command and control center.

4. powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.

5. Algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers.

6. Kad.dll module which allows the TDSS botnet to access the Kad network.

7. Socks.dll has been added to TDSS‟s svchost.exe; it is used to establish a proxy server on an infected computer.

8. Smart ways to get command using encrypted files and different servers.

WAYS TO SOLVE

1. Wireshark view logs and information

2. DNS server logs, when working under cooperation proxy server.

3. Bios , stop infection MBR.

SOME MORE REAL LIFE STORIES

• Chinese banker Trojan: There are 242 million e-commerce users (according to Dec 2012), it

mean nearly half of the users in Internet users in China. (There is lots of money involve!)

Win32.Bancyn.a, was named „Floating Cloud‟, and was used to steal several millions of

dollars from e-commerce users.

• Social Network Trojan (Brazil): "PimpMyWindow", an adware and click-fraud scheme that has

infected several Brazilian Facebook users in recent days, works.

Basically a browser plugin that communicate with the “Criminal” server and send the user

information whenever is logged in to one of the Brazilian banks.

419 NIGERIAN SCAMS

A sample 419 Scam email

-------------------------------------

Sender: uk_national_lottery_005@hotmail.com

Subject: !!!CONGRATULATIONS YOU ARE A WINNER!!!

FROM THE LOTTERY PROMOTIONS MANAGER,

THE UNITED KINGDOM INTERNATIONAL LOTTERY,

PO BOX 287, WATFORD WD18 9TT,

UNITED KINGDOM.

We are delighted to inform you of your prize release from the United Kingdom

International Lottery program. Your name was attached to Ticket number;

47061725, Batch number; 7056490902, Winning number; 07-14-24-37-43-48 bonus

number 29, which consequently won the lottery in the first category....

The email asks to send an advance payment to the lottery so that they can

release the prize money.

Lots of naive users get fooled by the scammers and end up wasting their

money.

SLIDESHARE.NET ATTACK

Example 2: April 23, 2008

• Slideshare was down for a few days due to DDOS attack that originated from China.

• The attack reached a peak of 2.5GB/sec and consisted entirely of packets sent from China

• 2.5 GB/sec?!?! Try to imagine how many bots were involve.

HOPE YOU ALL ENJOY!

“The quieter you become, the more you are able to hear…”