Upload
doron-segal
View
230
Download
3
Tags:
Embed Size (px)
DESCRIPTION
How to build bots / Malware and how Moles work
Citation preview
BOTNET
- How to flight a Boeing 787
- Or a Boeing 777
- Blow computer remotely
WILL NOT TALK ABOUT
- Basic introduction to internet security
- What is Botnet? C & C?
- How does it get to your computer?
- Different module
- Real life story
- Live example
WILL TALK ABOUT
Making your computer into Bot using Trojan, Malware, etc..
The Bot will installed on the victim computer and will be communicate with
the C&C server.
BOT
Bottom Line
A Bot is simply an automated computer
program, or robot.
HOW DOES IT WORKS
Easy, Bot Builder. Although you can re-create one from scratch.
HOW YOU BUILD A BOT?
Via affiliate program, torrent, emule any p2p that are out there.
For example lets {Some.New.Movie}.blu.ray and yes we can make it be
5GB although our bot will be only 100KB.
Yes, sometimes will see {some.great.movie.avi} 565KB, Yeah right.
SPREAD THE WORD…So, we create this great Bot now lets spread it via….
But how?!?
SPREAD THE WORD…
django unchained
SPREAD THE WORD…
Affiliates?!?
In the old day a server that collect the victim data.
Today much more complicated
- Encrypted network connections
- Botnet access to the Kad network
C&CCommand and Control Server
Bootkit will infects the MBR in order to launch itself
This is a classic method used by downloaders which ensures a longer
malware lifecycle and makes it less visible to most security programs.
AN ANTIVIRUS OF ITS OWN
SEARCH FOR SYSTEM REGISTRY FOR
OTHER MALICIOUS PROGRAM
BOTNET ACCESS TO THE KAD NETWORK
So what do the cybercriminals want with a publicly accessible file exchange network?
1. Cybercriminals make a encrypted file the contains list of commands
2. Infected computer receive command to download and installing any module.
3. After the installation process the victim get the nodes which contains the publicly
accessible list of IP addresses of network servers and clients (Kad server and clients).
4. The module then sends a request to the Kad network to search for the right file.
5. Once the files has been downloaded and encrypted, the dll file runs the commands
PROXY MODULE
Basically proxy server on the victim computer.
- This module facilitates the anonymous viewing of Internet resources via infected machines.
- New way making money $$, offering anonymous Internet access as a service, at a cost of
roughly $100 per month.
- Hiding the network and C&C servers.
ANOTHER COOL WAY FOR PROXY
FAST FLUX
Fast flux DNS takes advantage of the way load balancing is built into the DNS.
It allows an administrator to register a number of IP address with a single host name (for ex:
google.com, facebook.com, etc…)
And the secret is the TTL,
WAYS TO TRANSFER MONEY
REAL LIFE EXAMPLE :: TDL4
Couple of Facts:
1. TDSS is one of the most sophisticated threat.
2. TDSS uses a range of methods to evade signature, heuristic, and proactive detection.
3. Uses encryption to facilitate communication between its bots and the botnet command and control center.
4. powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.
5. Algorithm encrypting the protocol used for communication between infected computers and botnet command and control servers.
6. Kad.dll module which allows the TDSS botnet to access the Kad network.
7. Socks.dll has been added to TDSS‟s svchost.exe; it is used to establish a proxy server on an infected computer.
8. Smart ways to get command using encrypted files and different servers.
WAYS TO SOLVE
1. Wireshark view logs and information
2. DNS server logs, when working under cooperation proxy server.
3. Bios , stop infection MBR.
SOME MORE REAL LIFE STORIES
• Chinese banker Trojan: There are 242 million e-commerce users (according to Dec 2012), it
mean nearly half of the users in Internet users in China. (There is lots of money involve!)
Win32.Bancyn.a, was named „Floating Cloud‟, and was used to steal several millions of
dollars from e-commerce users.
• Social Network Trojan (Brazil): "PimpMyWindow", an adware and click-fraud scheme that has
infected several Brazilian Facebook users in recent days, works.
Basically a browser plugin that communicate with the “Criminal” server and send the user
information whenever is logged in to one of the Brazilian banks.
419 NIGERIAN SCAMS
A sample 419 Scam email
-------------------------------------
Sender: [email protected]
Subject: !!!CONGRATULATIONS YOU ARE A WINNER!!!
FROM THE LOTTERY PROMOTIONS MANAGER,
THE UNITED KINGDOM INTERNATIONAL LOTTERY,
PO BOX 287, WATFORD WD18 9TT,
UNITED KINGDOM.
We are delighted to inform you of your prize release from the United Kingdom
International Lottery program. Your name was attached to Ticket number;
47061725, Batch number; 7056490902, Winning number; 07-14-24-37-43-48 bonus
number 29, which consequently won the lottery in the first category....
The email asks to send an advance payment to the lottery so that they can
release the prize money.
Lots of naive users get fooled by the scammers and end up wasting their
money.
SLIDESHARE.NET ATTACK
Example 2: April 23, 2008
• Slideshare was down for a few days due to DDOS attack that originated from China.
• The attack reached a peak of 2.5GB/sec and consisted entirely of packets sent from China
• 2.5 GB/sec?!?! Try to imagine how many bots were involve.
HOPE YOU ALL ENJOY!
“The quieter you become, the more you are able to hear…”