Target threats that target you.

Dissecting the Zeus Malware
Cyphort Labs
Malware's Most Wanted Series
April 2014

Slide 3: Your speakers today

Nick Bilogorskiy, Director of Security Research
Anthony James, VP of Marketing and Products

Slide 4: Agenda

o What is Zeus
o Major incidents involving Zeus
o Dissecting the malware
o Zeus advanced tricks
o Wrap-up and Q&A

Cyphort Labs T-shirt

Slide 5: About Cyphort Labs

We work with the security ecosystem
• Contribute to and learn from malware KB
• Best of 3rd party threat data

We enhance malware detection accuracy
• False positives/negatives
• Deep-dive research

Global malware research team
• 24X7 monitoring for malware events
Slide 6: Poll #1

What is the most prevalent use of Zeus malware?
o Espionage
o Stealing banking credentials and information
o Impacting industrial control systems

Slide 7: What is Zeus?

o Zeus is the most successful banking malware to date.
o Trojan horse targeted at Windows operating systems
o Tens of millions of computers worldwide infected
o Capable of "form-grabbing" and "man in the middle" attacks to steal financial information
o Distributed as a toolkit
o Active since 2007, still used heavily
o Evasive and challenging for detection and mitigation
  
Slide 8: Zeus: Still causing havoc, several years after its birth

Slide 9: Zeus History

Timeline markers on the slide: 2007, 2008, Apr 2010, April 2011, October 2011, March 2012, December 2013.

Events as labelled on the slide, in order:
o Zeus version 1.0
o Version 2.0
o ZeuS source code of version 2.0.8.9 leaked
o Peer-to-peer version – Zeus Gameover – removes the centralized CnC infrastructure
o Microsoft legal action through a civil lawsuit dubbed Operation b71
o 64-bit version of Zeus appears

Slide 10: Zeus Stats

o Zeus is now being used not just to attack financial institutions but also stock trading, social-networking and e-mail services, plus portals for entertainment or dating, and even Salesforce.com
  
Slide 11: Zeus Hosting

[Pie chart: Zeus Hosting Breakdown, segments of 84%, 11%, 3% and 2%. Legend: Bulletproof hosted; Hosted on a FastFlux botnet; Free hosting service; Hacked webserver. Data from ZeuS Tracker.]
  
Slide 12: Zeus Author

ZeuS author — known variously as "Slavik" and "Monstr" on criminal forums — in 2010 gave the SpyEye author Harderman stewardship over the ZeuS code base, on the condition that Gribodemon agreed to provide ongoing support for existing ZeuS clients.

"Good day! I will service the Zeus product beginning today and from here on… All clients who bought the software from Slavik will be serviced from me on the same conditions as previously." – Harderman
  
Slide 13: Jabber Zeus Crew

Nine people listed in the indictment that has been sealed since August of 2012, including Kulibaba, Konovalenko

Slide 14: Jabber Zeus Crew

Stole more than $70 million from banks worldwide

o Ringleader, 32-year-old Ukrainian property developer Yevhen Kulibaba
o Kulibaba's right-hand man, 28-year-old Yuriy Konovalenko
o Karina Kostromina, wife of Kulibaba, 33-year-old Latvian woman jailed for money laundering

Photos from krebsonsecurity.com
  
Slide 15: Zeus Operations

Source: Brian Krebs

Slide 16: Zeus architecture

The Builder
• Used to build the exe file
• Unique to each owner
• URL and encryption key different for each owner

The Configuration File
• Entry, Static and Dynamic sections
• Download URL and exfiltration URL

The Exe File
• Unique executable file built by the bot owner

The Server
• PHP scripts for monitoring and managing bots
  
Slide 17: Zeus architecture: Builder

o With a little technical knowledge you can run your own botnet. (Screenshot of Zeus builder)

Slide 18: Zeus architecture: Config file

(Screenshot: Zeus config file)

Slide 19: Zeus architecture: Config file

Zeus config file contains the following:

• url_config - where the config is downloaded.
• url_loader - where the new bot executable is downloaded
• url_server - where the stolen data is sent
• AdvancedConfigs - alternate locations for the config
• webFilters and WebDataFilters - list of websites monitored. When these sites are visited by the infected user, any data sent to the site is also sent to the url_server.
• WebFakes - list of websites to redirect to a fake site.
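The fields listed above are exactly what an analyst wants out of a recovered config: the callback URLs to block and the sites the bot watches. The following Python is an added example, not Cyphort's tooling and not code from the Zeus kit. It assumes the text layout of the builder's config.txt as seen in the leaked source (nested `entry "Name" ... end` blocks holding `key value` lines or bare quoted patterns, `;` starting a comment line); the `!` (do not log) and `@` (capture screenshots) prefix meanings in WebFilters follow the builder's own sample comments. Treat that layout and those prefixes as assumptions rather than something the slides state. The sample config is constructed and every hostname is a `.invalid` placeholder.

```python
"""Triage helper for a recovered Zeus builder config in its text form.

Added example for this page; not Cyphort's tooling and not code from the
Zeus kit.  Assumes the layout of the builder's config.txt from the leaked
source: nested `entry "Name" ... end` blocks with `key value` lines or bare
quoted patterns, ';' starting a comment line.  Sample below is constructed;
all hostnames are .invalid placeholders.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_CONFIG = '''
; constructed sample, not a real bot config
entry "StaticConfig"
  botnet "default"
  timer_config 60 1
  url_config "http://cfg.example-c2.invalid/config.bin"
end

entry "DynamicConfig"
  url_loader "http://cfg.example-c2.invalid/bot.exe"
  url_server "http://gate.example-c2.invalid/gate.php"
  entry "AdvancedConfigs"
    "http://backup.example-c2.invalid/cfg1.bin"
  end
  entry "WebFilters"
    "!*.microsoft.com/*"
    "https://online.example-bank.invalid/*"
    "@*/login.example-pay.invalid/*"
  end
  entry "WebDataFilters"
    "http://mail.example-webmail.invalid/*" "passw;login"
  end
  entry "WebFakes"
    "http://www.example-bank.invalid/*" "http://fake.example-c2.invalid/" "GP" "" ""
  end
end
'''

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
_ENTRY = re.compile(r'entry\s+"([^"]+)"')


def parse_config(text):
    """Map each nested block path (e.g. 'DynamicConfig/WebFilters') to its
    (key, values) lines.  Bare quoted lines get key ''."""
    sections = defaultdict(list)
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):      # blank or comment line
            continue
        m = _ENTRY.match(line)
        if m:
            stack.append(m.group(1))
            continue
        if line == 'end':
            stack.pop()
            continue
        path = '/'.join(stack)
        if line.startswith('"'):
            sections[path].append(('', _QUOTED.findall(line)))
        else:
            key, _, rest = line.partition(' ')
            sections[path].append((key, _QUOTED.findall(rest) or rest.split()))
    return dict(sections)


def extract_indicators(cfg):
    """Sort the fields the slide lists into what a defender acts on."""
    ind = {'c2_urls': [], 'monitored': [], 'ignored': [],
           'data_filters': [], 'fakes': []}
    for path, items in cfg.items():
        for key, vals in items:
            if key in ('url_config', 'url_loader', 'url_server') \
                    or path.endswith('AdvancedConfigs'):
                ind['c2_urls'].extend(vals)            # callbacks to block/alert on
            elif path.endswith('WebFilters'):
                for pat in vals:
                    if pat.startswith('!'):            # '!' = site is not logged (assumption)
                        ind['ignored'].append(pat[1:])
                    else:                              # '@' = also screenshots (assumption)
                        ind['monitored'].append(pat.lstrip('@'))
            elif path.endswith('WebDataFilters') and len(vals) >= 2:
                ind['data_filters'].append((vals[0], vals[1]))   # (site, form fields)
            elif path.endswith('WebFakes') and len(vals) >= 2:
                ind['fakes'].append((vals[0], vals[1]))          # (real site, fake site)
    return ind


def c2_hosts(ind):
    """Hostnames to feed a DNS/proxy blocklist, deduplicated and sorted."""
    return sorted({urlsplit(u).hostname for u in ind['c2_urls'] if urlsplit(u).hostname})


if __name__ == '__main__':
    indicators = extract_indicators(parse_config(SAMPLE_CONFIG))
    print('C2 hosts:', c2_hosts(indicators))
    print('monitored sites:', indicators['monitored'])
    print('fakes:', indicators['fakes'])
```

The `monitored` and `fakes` lists are the ones to hand to the fraud team (which customers' bank logins the sample cares about), while `c2_hosts` goes to network blocking; keeping the `ignored` patterns separate avoids blocklisting the legitimate sites the bot merely skips.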
Slide 20: Functionality of the Zbot binary

• Copy, execute and delete itself
• Change browser settings
• Code injection
• Credential theft
• Data exfiltration
• Evasion
  v Rootkit
  v Digital certificate
  v DGA
  v Steganography

Slide 21: Poll #2

Question 2: Do you think you (or your organization) have been impacted by Zeus?
o Yes
o No
  
Slide 22: Zeus Advanced Tricks – Rootkit

Necurs Rootkit Component

When GameOver / Necurs is fully installed, it will become difficult to remove the threat using traditional methods. It's impossible to access the process to retrieve information or to terminate the process. Access is denied when deleting the malware files.

Slide 23: Zeus Advanced Tricks – Digital Certificates

Signed malware is quite rare.

Stuxnet rootkit components were digitally signed with certificates stolen from Realtek and JMicron. Flame used fraudulent certificates as well.

Zeus used the same trick: the authors got access to a certificate of isonet ag, a Microsoft-registered third-party developer in Switzerland.
  
Slide 24: Zeus Advanced Tricks - DGA

It also employs DGA – Domain Generation Algorithm. DGA is a way for malware to prevent blacklisting of its CnC site: an infected machine creates thousands of domain names such as www.<gibberish>.com and attempts to contact a portion of these with the purpose of receiving an update or commands. The technique was popularized by the Conficker worm, which generated 50,000 domains a day.
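The behaviour just described leaves a visible trace on the defender's side: one client resolving a burst of gibberish names of which only a few exist. The Python below is an added example, not Cyphort's detection logic, and it deliberately does not reproduce any real DGA; it scores hostnames lexically and aggregates per client over resolver logs. The one-line-per-query log format (`<time> <client> <qname> <rcode>`) and the thresholds are assumptions, and the log lines are constructed.

```python
"""Heuristic spotting of DGA-style lookups in DNS resolver logs.

Added example for this page, not Cyphort's detection logic.  It does not
reproduce any real DGA; it looks for the two traits the slide describes:
gibberish hostnames, and a burst of them from one client of which only a
portion resolve.  Log format is an assumption (one line per query:
"<time> <client> <qname> <rcode>"); the lines below are constructed.
"""
from collections import defaultdict

SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.google.com NOERROR
10:00:02 10.0.0.5 mail.example.com NOERROR
10:00:02 10.0.0.5 cdn.cloudfront.net NOERROR
10:00:04 10.0.0.5 www.gogle.com NXDOMAIN
10:00:03 10.0.0.7 www.kxqzvbtrmwpl.com NXDOMAIN
10:00:03 10.0.0.7 www.jhtqpwlzxvnk.com NXDOMAIN
10:00:03 10.0.0.7 www.vbnmkqwrtzxp.com NXDOMAIN
10:00:04 10.0.0.7 www.lmdfghkrtqpz.com NXDOMAIN
10:00:04 10.0.0.7 www.ptzrmgwkqvxs.com NOERROR
10:00:05 10.0.0.7 static.akamaihd.net NOERROR
"""

VOWELS = set('aeiou')


def registered_label(qname):
    """Label left of the TLD (www.foo.com -> foo).  Simplification: treats
    the last label as the whole public suffix, so co.uk-style names are off."""
    parts = qname.lower().rstrip('.').split('.')
    return parts[-2] if len(parts) >= 2 else parts[0]


def max_consonant_run(label):
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def is_gibberish(label, min_len=8):
    """Crude lexical test: a long label with almost no vowels or with a long
    consonant run.  Thresholds are assumptions, not a tuned classifier."""
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.2 or max_consonant_run(label) >= 5


def parse_log(text):
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                       # skip malformed lines, keep sweeping
        ts, client, qname, rcode = fields
        records.append({'ts': ts, 'client': client, 'qname': qname, 'rcode': rcode})
    return records


def analyze(records):
    """Per-client counts of gibberish lookups and how many of them failed."""
    stats = defaultdict(lambda: {'queries': 0, 'gibberish': 0, 'gibberish_nx': 0, 'names': []})
    for r in records:
        s = stats[r['client']]
        s['queries'] += 1
        if is_gibberish(registered_label(r['qname'])):
            s['gibberish'] += 1
            s['names'].append(r['qname'])
            if r['rcode'] == 'NXDOMAIN':
                s['gibberish_nx'] += 1
    return dict(stats)


def flag_hosts(stats, min_gibberish=3, min_nx=2):
    """Clients worth a closer look: several gibberish names, most unresolved."""
    return sorted(c for c, s in stats.items()
                  if s['gibberish'] >= min_gibberish and s['gibberish_nx'] >= min_nx)


if __name__ == '__main__':
    stats = analyze(parse_log(SAMPLE_LOG))
    for client in flag_hosts(stats):
        s = stats[client]
        print(f"{client}: {s['gibberish']} gibberish lookups, "
              f"{s['gibberish_nx']} NXDOMAIN, e.g. {s['names'][:3]}")
```

The per-client aggregation matters more than the lexical score: CDN and tracking hostnames produce random-looking labels too, but they resolve, whereas a DGA client burns through names that mostly do not exist. In practice the NXDOMAIN ratio per client over a time window is the signal to alert on, and the flagged client's resolved gibberish name (the one that did answer) is the candidate callback to investigate.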
  
Slide 25: Zeus advanced tricks - Steganography

o Steganography – concealing messages or images in other messages or images.
o Zeus hides its config file inside a jpeg image

Infection flow shown on the slide:
Victim opens up suspicious mail attachment → Executes file in attachment → JPEG files downloaded (configuration file embedded) → Decrypted config file has bank sites to monitor for theft

Slide 26: Zeus advanced tricks - Steganography

o Image looks innocent
o But it has appended encrypted data – Zeus config.

Slide 27: Zeus advanced tricks - Steganography

o This data is layered: base64-encoded, RC4-encrypted and XORed. Decrypted, we see URLs and banking sites it targeted.
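Slides 25 to 27 describe a config appended after an otherwise valid JPEG. The key material is not on the page, so the Python below does not decrypt anything; it answers the triage question a defender can answer without the key: does this picture end where a picture should end? It is an added example, not Cyphort's tooling. It walks the JPEG marker segments to find the real End-Of-Image marker rather than searching for the first `FF D9`, because an EXIF thumbnail carries its own EOI and would fool a naive search. The JPEG bytes are a constructed marker skeleton (not a decodable photo) and the appended blob is a constructed placeholder, not a real config.

```python
"""Spot data appended after a JPEG's End-Of-Image marker, the trait the
slides describe for Zeus's image-borne config.

Added example for this page, not Cyphort's tooling.  It does not decrypt
anything (the key is not on the page); it reports how many bytes follow
the real EOI and how random they look.  The JPEG bytes are a constructed
marker skeleton, not a real photo; the trailer is a constructed placeholder.
"""
import math
from collections import Counter


def _segment(marker, payload):
    """Marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b'\xff' + bytes([marker]) + (len(payload) + 2).to_bytes(2, 'big') + payload


CLEAN_JPEG = (
    b'\xff\xd8'                                                        # SOI
    + _segment(0xE0, b'JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00')  # APP0
    # APP1 carrying an embedded "thumbnail" with its own SOI/EOI: a naive
    # search for FF D9 stops here and misjudges where the image ends.
    + _segment(0xE1, b'Exif\x00\x00' + b'\xff\xd8\xff\xd9')
    + _segment(0xDA, b'\x01\x01\x00\x00\x3f\x00')                      # SOS
    + b'\x12\x34\xff\x00\x56'                   # entropy-coded data (FF 00 = stuffed byte)
    + b'\xff\xd9'                                                      # EOI
)
TRAILER = b'CONSTRUCTED-APPENDED-BLOB:' + bytes(range(0, 256, 4))
SUSPECT_JPEG = CLEAN_JPEG + TRAILER


def find_eoi(data):
    """Offset just past the real EOI, found by walking the marker segments;
    None if the data is not a JPEG or is truncated/corrupt."""
    if data[:2] != b'\xff\xd8':
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                      # lost sync: corrupt structure
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                   # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                         # standalone markers carry no length
            continue
        if pos + 4 > n:
            return None
        seglen = int.from_bytes(data[pos + 2:pos + 4], 'big')
        if seglen < 2:
            return None
        pos += 2 + seglen
        if marker == 0xDA:                   # SOS: skip entropy-coded bytes
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                    # a real marker (EOI or next SOS)
                pos += 1
    return None


def shannon_entropy(blob):
    """Bits per byte; encrypted/compressed trailers sit near 8."""
    if not blob:
        return 0.0
    counts = Counter(blob)
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts.values())


def inspect_jpeg(data):
    """Triage verdict: how many bytes follow the EOI and how random they look."""
    end = find_eoi(data)
    if end is None:
        return {'valid_jpeg': False, 'trailer_len': 0,
                'trailer_entropy': 0.0, 'suspicious': False}
    trailer = data[end:]
    return {'valid_jpeg': True,
            'eoi_offset': end,
            'trailer_len': len(trailer),
            'trailer_entropy': round(shannon_entropy(trailer), 2),
            'suspicious': len(trailer) > 0}


if __name__ == '__main__':
    for name, blob in (('clean', CLEAN_JPEG), ('suspect', SUSPECT_JPEG)):
        print(name, inspect_jpeg(blob))
```

A non-empty trailer is not proof of malice on its own (some cameras and editors append metadata after the EOI), so the entropy figure is what separates a text footer from an encrypted blob; the hunt is for images fetched by a process that has no business fetching images, whose trailer is large and near 8 bits per byte.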
  
Slide 28: Conclusions

• Zeus has grown into one of the most popular and widespread crimeware kits on the market. Its ease of use and effectiveness make it an attractive choice for today's cyber criminals.
• Check for the presence of unfamiliar network callbacks
• Zeus malware is very complex and is written with extra care to avoid detection, so it is not trivial to tell if you are infected. You need to use a professional-grade APT solution to detect this.

Slide 29: Q and A

o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware

Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

Dissecting ZeuS malware

  • 1. Target threats that target you.
  • 2. Target threats that target you. Dissecting the Zeus Malware. Cyphort Labs, Malware's Most Wanted Series, April 2014.
  • 3. Your speakers today
    o Nick Bilogorskiy, Director of Security Research
    o Anthony James, VP of Marketing and Products
  • 4. Agenda
    o What is Zeus
    o Major incidents involving Zeus
    o Dissecting the malware
    o Zeus advanced tricks
    o Wrap-up and Q&A
    (Cyphort Labs T-shirt)
  • 5. About Cyphort Labs
    o We work with the security ecosystem: contribute to and learn from the malware KB; best of 3rd-party threat data
    o We enhance malware detection accuracy: false positives/negatives; deep-dive research
    o Global malware research team: 24x7 monitoring for malware events
  • 6. Poll #1: What is the most prevalent use of Zeus malware?
    o Espionage
    o Stealing banking credentials and information
    o Impacting industrial control systems
  • 7. What is Zeus?
    o Zeus is the most successful banking malware to date.
    o Trojan horse targeted at Windows operating systems
    o Tens of millions of computers worldwide infected
    o Capable of "form-grabbing" and "man in the middle" attacks to steal financial information
    o Distributed as a toolkit
    o Active since 2007, still used heavily
    o Evasive and challenging for detection and mitigation
  • 8. Zeus: Still causing havoc, several years after its birth
  • 9. Zeus History (timeline marks: 2007, 2008, April 2010, April 2011, October 2011, March 2012, December 2013)
    o Zeus version 1.0
    o Version 2.0
    o ZeuS source code of version 2.0.8.9 leaked
    o Peer-to-peer version (Zeus Gameover) removes the centralized CnC infrastructure
    o Microsoft legal action through a civil lawsuit dubbed Operation b71
    o 64-bit version of Zeus appears
  • 10. Zeus Stats
    o Zeus is now being used not just to attack financial institutions but also stock trading, social-networking and e-mail services, plus portals for entertainment or dating, and even Salesforce.com
  • 11. Zeus Hosting
    Pie chart "Zeus Hosting Breakdown" (2%, 3%, 11%, 84%) over the categories: bulletproof hosted, hosted on a FastFlux botnet, free hosting service, hacked webserver. Data from ZeuS Tracker.
  • 12. Zeus Author
    The ZeuS author, known variously as "Slavik" and "Monstr" on criminal forums, in 2010 gave the SpyEye author Harderman stewardship over the ZeuS code base, on the condition that Gribodemon agreed to provide ongoing support for existing ZeuS clients.
    "Good day! I will service the Zeus product beginning today and from here on… All clients who bought the software from Slavik will be serviced from me on the same conditions as previously." (Harderman)
  • 13. Jabber Zeus Crew
    Nine people listed in the indictment that has been sealed since August of 2012, including Kulibaba and Konovalenko
  • 14. Jabber Zeus Crew
    o Stole more than $70 million from banks worldwide
    o Ringleader: 32-year-old Ukrainian property developer Yevhen Kulibaba
    o Kulibaba's right-hand man: 28-year-old Yuriy Konovalenko
    o Karina Kostromina, wife of Kulibaba, 33-year-old Latvian woman jailed for money laundering
    Photos from krebsonsecurity.com
  • 15. Zeus Operations (Source: Brian Krebs)
  • 16. Zeus architecture
    o The Builder: used to build the exe file; unique to each owner; URL and encryption key differ for each owner
    o The Configuration File: Entry, Static and Dynamic sections; download URL and exfiltration URL
    o The Exe File: unique executable file built by the bot owner
    o The Server: PHP scripts for monitoring and managing bots
  • 17. Zeus architecture: Builder
    o With a little technical knowledge you can run your own botnet. (Screenshot of the Zeus builder)
  • 18. Zeus architecture: Config file (screenshot of a Zeus config file)
  • 19. Zeus architecture: Config file
    The Zeus config file contains the following:
    o url_config - where the config is downloaded from
    o url_loader - where the new bot executable is downloaded from
    o url_server - where the stolen data is sent
    o AdvancedConfigs - alternate locations for the config
    o webFilters and WebDataFilters - list of websites monitored. When the infected user visits these sites, any data sent to the site is also sent to the url_server.
    o WebFakes - list of websites to redirect to a fake site.
  • 20. Functionality of the Zbot binary
    o Copy, execute and delete itself
    o Change browser settings
    o Code injection
    o Credential theft
    o Data exfiltration
    o Evasion
      - Rootkit
      - Digital certificate
      - DGA
      - Steganography
  • 21. Poll #2: Do you think you (or your organization) have been impacted by Zeus?
    o Yes
    o No
  • 22. Zeus Advanced Tricks - Rootkit
    Necurs Rootkit Component. When GameOver / Necurs is fully installed, it becomes difficult to remove the threat using traditional methods. It is impossible to access the process to retrieve information or to terminate it. Access is denied when deleting the malware files.
  • 23. Zeus Advanced Tricks - Digital Certificates
    Signed malware is quite rare. Stuxnet rootkit components were digitally signed with certificates stolen from Realtek and JMicron. Flame used fraudulent certificates as well. Zeus used the same trick: the authors got access to a certificate of isonet ag, a Microsoft-registered third-party developer in Switzerland.
  • 24. Zeus Advanced Tricks - DGA
    It also employs DGA (Domain Generation Algorithm). DGA is a way for malware to prevent blacklisting of its CnC site: an infected machine creates thousands of domain names such as www.<gibberish>.com and attempts to contact a portion of these with the purpose of receiving an update or commands. The technique was popularized by the Conficker worm, which generated 50,000 domains a day.
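As an added example (not from the Cyphort slides), a small defender-side heuristic for the behaviour described on slide 24: a client that racks up many NXDOMAIN answers for high-entropy second-level labels is a DGA candidate. The resolver log format, client addresses, domains and thresholds are constructed for illustration.

```python
"""Flag DGA-like DNS activity in resolver logs (constructed sample data)."""
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<client> <queried-name> <rcode>"
SAMPLE_LOG = """\
10.0.0.5 www.xkq7vzp3bmd.com NXDOMAIN
10.0.0.5 www.qz9lt2hwfrn.com NXDOMAIN
10.0.0.5 www.p8ydmcv4wsk.com NXDOMAIN
10.0.0.5 www.t3nhq6xbzvj.com NXDOMAIN
10.0.0.5 www.b7kqz2mfwxd.com NOERROR
10.0.0.7 www.example.com NOERROR
10.0.0.7 mail.example.com NOERROR
10.0.0.7 cdn.example.net NXDOMAIN
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; 0.0 for empty input."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name: str) -> str:
    """'www.xkq7vzp3bmd.com' -> 'xkq7vzp3bmd' (naive: second label from the right)."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_suspects(log_text: str, min_nx: int = 3, min_entropy: float = 3.0) -> dict:
    """Return {client: [high-entropy names]} for clients over both thresholds.

    Requiring both signals keeps a single typo (one NXDOMAIN) or one odd-looking
    CDN hostname from raising an alert on its own.
    """
    nx_count = defaultdict(int)
    odd_names = defaultdict(list)
    for line in log_text.splitlines():
        client, name, rcode = line.split()
        if rcode == "NXDOMAIN":
            nx_count[client] += 1
        if shannon_entropy(second_level_label(name)) >= min_entropy:
            odd_names[client].append(name)
    return {c: odd_names[c] for c in nx_count
            if nx_count[c] >= min_nx and odd_names[c]}
```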
  • 25. Zeus advanced tricks - Steganography
    o Steganography: concealing messages or images in other messages or images.
    o Zeus hides its config file inside a JPEG image
    Flow: victim opens a suspicious mail attachment -> executes the file in the attachment -> JPEG files downloaded (configuration file embedded) -> decrypted config file has bank sites to monitor for theft
  • 26. Zeus advanced tricks - Steganography
    o Image looks innocent
    o But it has appended encrypted data: the Zeus config.
  • 27. Zeus advanced tricks - Steganography
    o This data is base64-encoded, RC4-encrypted and XORed. Decrypted, we see the URLs and banking sites it targeted.
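As an added example (not from the Cyphort slides), a forensic check for the appended-data trick described on slides 25 to 27: walk the JPEG segment table to the image's real end-of-image marker and report whatever follows it together with its entropy, since an RC4-encrypted blob looks close to random. The JPEG bytes and the appended blob below are constructed stand-ins, not a real Zeus sample.

```python
"""Find and characterise data appended after a JPEG's end-of-image marker."""
import math
from collections import Counter

# Constructed minimal JPEG: SOI, APP0 (JFIF), SOS, a few scan bytes, EOI.
CLEAN_JPEG = (
    b"\xff\xd8"                                                      # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0, len 16
    b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                      # SOS, len 8
    b"\x12\x34\x56"                                                  # scan data
    b"\xff\xd9"                                                      # EOI
)
# Constructed stand-in for an appended encrypted config: a permutation of all
# 256 byte values, so its entropy is exactly 8 bits per byte.
FAKE_BLOB = bytes((i * 73 + 41) % 256 for i in range(256))
STEGO_JPEG = CLEAN_JPEG + FAKE_BLOB


def end_of_image(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking the segment table.

    Segments before SOS are skipped by length, so an FF D9 inside an EXIF
    thumbnail is not mistaken for EOI; after SOS the scan runs to the first
    FF D9, which is the image's own end even if the blob also contains FF D9.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI before any scan data
            return pos + 2
        if pos + 4 > len(data):
            break
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            end = data.find(b"\xff\xd9", pos)
            return end + 2 if end != -1 else len(data)
    raise ValueError("malformed JPEG: no SOS or EOI reached")


def trailing_data(data: bytes) -> bytes:
    """Everything after the image proper; b'' for a clean file."""
    return data[end_of_image(data):]


def entropy_bits(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_jpeg(data: bytes, min_suspicious_entropy: float = 6.0) -> dict:
    """Summarise the trailer; flag it when present and close to random."""
    tail = trailing_data(data)
    ent = round(entropy_bits(tail), 2)
    return {"trailing_bytes": len(tail), "entropy": ent,
            "suspicious": len(tail) > 0 and ent >= min_suspicious_entropy}
```

A few trailing bytes of low entropy are common padding from image tools, which is why the flag requires both a non-empty trailer and near-random content.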
  • 28. Conclusions
    o Zeus has grown into one of the most popular and widespread crimeware kits on the market. Its ease of use and effectiveness make it an attractive choice for today's cyber criminals.
    o Check for presence of unfamiliar network callbacks
    o Zeus malware is very complex and is written with extra care to avoid detection, so it is not trivial to tell if you are infected. You need to use a professional-grade APT solution to detect this.
  • 29. Q and A
    o Information sharing and advanced threats resources
    o Blogs on latest threats and findings
    o Tools for identifying malware