Insights of a brute-forcing botnet
Veronica Valeros Cognitive Threat Analytics
Cisco Systems, Czech Republic
About me
Malware Researcher, Cognitive Threat Analytics (cognitive.cisco.com)
What I do?
• Analysis of network traffic
• Behavioral analysis of malware
• Threat categorization
• Malware sandboxing
Also:
• Quadcopters, lockpicking, gaming, traveling
Twitter: @verovaleros
LinkedIn: /in/veronicavalerossaracho
Github: /verovaleros
Cisco: blogs.cisco.com/author/valeros
Hunting threats: what do we know about malware?
Intelligence gathering
Threat identification
• Blogs
• Reports
• Trackers
• Real traffic sandboxing
• Twitter
• Forums
Most of what we know about malware is from 1-5 minutes sandbox executions
Most sandbox solutions (1-5 minutes)
How does the malware behave after 5 minutes? After 1 hour?
There is just one way to know: to try it.
Experiment Setup
Gamarue sample
Sandboxing environment:
• VirtualBox
• Windows XP
• No guest additions
• No user interaction
• No hardening measures for VM-aware malware
Infection Overview
Gamarue C&C Characteristics:
• HTTP-based C&C
• HTTP POST requests
• Encrypted data sent/received
• Custom User-Agent "Mozilla/4.0"
• Contacted C&C servers:
  • okiijlijlili.eu
  • w4gvnlw4kjbvrbvshkvbsd.ru
  • f34234f234f2sdcsv.info
The main C&C is the one in charge of shaping the infection scenario
[Figure: infection scenarios shaped by the main C&C. Legend: X = no change on the behavior of the botnet; "New malware" marks scenarios where a new payload was delivered.]
Brute-forcing botnet behavior
1. Obtain from the C&C server a list of target WordPress sites to attempt to log in to.
2. Attempt to log in to the next site on the list with the chosen credentials in order to gain access.
3. If the login attempt was successful, report it to the C&C server.
4. If the login attempt was unsuccessful, repeat from step 2 until the targets are exhausted.
Brute-forcing C&C requests
(1) REPORT STATUS
http://g.commandocenter.ru/default.aspx?guid=dca94d1f-f7eb-487f-ad24-923cd1b4f946&gate=1&good=-1&bad=0&unlucky=1&ip=&fn=
(2) RETRIEVE TARGETS
http://g.commandocenter.ru/files/2/9d753bd0-33a5-46ac-841d-f99d9ace3446.txt
(3) SEND SUCCESS DATA
http://g.commandocenter.ru/col.aspx?t=wp b&g=1&gid=1
Brute-forcing C&C: report status
Brute-forcing C&C: retrieve targets
Brute-forcing C&C: send successful data
Brute-forcing C&C overview
REPORT STATUS → RETRIEVE TARGETS → SEND SUCCESS DATA
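The three-phase cycle above is what a defender can look for in web proxy logs, since each phase has a distinctive URL shape regardless of the C&C domain in use. The following Python script is an added example, not part of the presentation or of Cisco's tooling: it classifies constructed proxy log lines into the report-status, retrieve-targets and send-success phases, extracts the counters from the status beacon, and flags clients that either contacted one of the C&C hosts named on the slides or show two or more phases of the cycle with the bare "Mozilla/4.0" User-Agent. The log line format, the host c2-placeholder.invalid (a lookalike C&C, not from the slides), the flagging threshold and all counter values are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# C&C hosts named on the slides (Gamarue stage and brute-forcing stage).
KNOWN_C2_HOSTS = {
    "g.commandocenter.ru",
    "okiijlijlili.eu",
    "w4gvnlw4kjbvrbvshkvbsd.ru",
    "f34234f234f2sdcsv.info",
}
CUSTOM_UA = "Mozilla/4.0"  # the bare User-Agent string shown on the slides

# Constructed proxy log lines (not real traffic). Fields: timestamp,
# client IP, method, URL, User-Agent, HTTP status. The first client mirrors
# the three requests on the slides; the third uses a placeholder domain with
# the same URL shapes; the second is benign background browsing.
SAMPLE_LOG = """\
2013-06-01T10:00:01 10.0.0.5 GET http://g.commandocenter.ru/default.aspx?guid=dca94d1f-f7eb-487f-ad24-923cd1b4f946&gate=1&good=-1&bad=0&unlucky=1&ip=&fn= Mozilla/4.0 200
2013-06-01T10:00:02 10.0.0.5 GET http://g.commandocenter.ru/files/2/9d753bd0-33a5-46ac-841d-f99d9ace3446.txt Mozilla/4.0 200
2013-06-01T10:01:00 10.0.0.5 GET http://g.commandocenter.ru/col.aspx?t=wp&g=1&gid=1 Mozilla/4.0 200
2013-06-01T10:02:00 10.0.0.7 GET http://www.example.com/index.html Mozilla/5.0 200
2013-06-01T10:03:00 10.0.0.7 GET http://cdn.example.com/files/2/report.txt Mozilla/5.0 200
2013-06-01T10:05:00 10.0.0.9 GET http://c2-placeholder.invalid/default.aspx?guid=00000000-0000-0000-0000-000000000000&gate=1&good=0&bad=3&unlucky=0&ip=&fn= Mozilla/4.0 200
2013-06-01T10:05:01 10.0.0.9 GET http://c2-placeholder.invalid/files/7/11111111-2222-3333-4444-555555555555.txt Mozilla/4.0 200
"""

STATUS_KEYS = {"guid", "gate", "good", "bad", "unlucky"}
# /files/<n>/<uuid>.txt as in the retrieve-targets request on the slides
TARGET_FILE_RE = re.compile(
    r"^/files/\d+/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\.txt$")


def classify_request(url):
    """Map a URL to one of the three C&C phases by its shape, or None."""
    parsed = urlparse(url)
    path = parsed.path.lower()
    query = parse_qs(parsed.query, keep_blank_values=True)
    if path.endswith("/default.aspx") and STATUS_KEYS.issubset(query):
        return "report_status"
    if TARGET_FILE_RE.match(path):
        return "retrieve_targets"
    if path.endswith("/col.aspx") and query.get("t", [""])[0].startswith("wp"):
        return "send_success"
    return None


def parse_status_report(url):
    """Pull the bot id and the good/bad/unlucky counters out of a status beacon."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    counters = {k: int(query[k][0]) for k in ("good", "bad", "unlucky")}
    counters["guid"] = query["guid"][0]
    return counters


def find_bruteforce_bots(log_text):
    """Group observed C&C phases per client and decide which clients to flag.

    A client is flagged when it talked to a known C&C host, or when it showed
    at least two phases of the cycle with the custom User-Agent (an assumed
    threshold chosen so one odd URL alone does not raise an alert).
    """
    clients = defaultdict(
        lambda: {"phases": set(), "known_c2": False, "custom_ua": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, ua, _status = line.split()
        rec = clients[client]
        if urlparse(url).hostname in KNOWN_C2_HOSTS:
            rec["known_c2"] = True
        phase = classify_request(url)
        if phase:
            rec["phases"].add(phase)
            if ua == CUSTOM_UA:
                rec["custom_ua"] = True
    result = {}
    for client, rec in clients.items():
        flagged = rec["known_c2"] or (len(rec["phases"]) >= 2 and rec["custom_ua"])
        result[client] = {"phases": sorted(rec["phases"]),
                          "known_c2": rec["known_c2"],
                          "flagged": flagged}
    return result


if __name__ == "__main__":
    for client, info in sorted(find_bruteforce_bots(SAMPLE_LOG).items()):
        print(client, info)
```

The shape-based rules are what let the script catch the client talking to the placeholder domain, which a pure indicator list would miss; the counters pulled from the status beacon (good/bad/unlucky) are the same figures that, aggregated over the whole run, gave the success statistics later in the talk.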
+86k custom passwords used; a sample of the list:
techno sciento biblioteka wroclaw media momb biblioteca teens cafe benessere playground helena guide mullion-shop albers-wende svenska-spelautomater survivalb
raumklimadecke dana capavle bondage bibliotheque modeistanbul virgulina svenskaspelautomater stephanierhea ravenna playgroundmusic pierrederoche pierre svet guidedtherapy galaktika enflick
dajuroka teentalk charlesmyrick businesscoaching business advertising advertise zorgverzekering xmarkstheearth xlgirls williampopp williammillsagency teens-generation tausend-moeglichkeiten sverigemastareiseo2011 surveyquest socialanna
sochy-14 shawnewbank shawkeller scienceofsexy rgb rautenstrauch playguitar ohiohypnosiscenter modedesign-studium mode-estah mode-b modculture merkur mediacube mediaclipsaustralia mediabiz-group marihuana
Highly aggressive botnet: thousands of targets attempted per day
+160k attempted logins
23 success cases
1 bot
Every 7000 sites, 1 success
1 access every ~3.5 hours
6 accessed sites per day
Not a targeted attack: well distributed
Conclusions
• Running malware for long-term periods is worth trying.
• A realistic sandbox environment is vital: without internet access we wouldn't have discovered this behavior.
• Humans are still the weakest link in security.
• Education is the only long-term solution.
Questions?
Veronica Valeros vvaleros@cisco.com
Cognitive Threat Analytics Cisco Systems, Czech Republic
Thank you.
About Cisco Cognitive Threat Analytics
Cisco Cognitive Threat Analytics (CTA) is a cloud-based breach detection and analytics technology focused on discovering novel and emerging threats by identifying C&C activity of malware. CTA processes web access logs from the Cisco Cloud Web Security (CWS), Cisco Web Security Appliance (WSA), or 3rd party web proxies such as Blue Coat ProxySG. CTA reduces time to discovery (TTD) of threats operating inside the network. It addresses gaps in perimeter-based defenses by identifying the symptoms of a malware infection or data breach using behavioral analysis and anomaly detection. The technology relies on advanced statistical modeling and machine learning to independently identify new threats, while constantly learning from what it sees and adapting over time. Through additional careful correlation, CTA presents 100% confirmed breaches to keep security teams focused on the particular devices that require a remediation. Focusing on C&C activity detection, CTA addresses a security visibility gap by discovering threats that may have entirely bypassed web as an infection vector (infections delivered through email, infected USB stick, BYOD).