Botnets have increased not only in number but also in the sophistication with which they carry out their design purpose. What are the lessons learned so far from the recent botnet takedowns?
Malware threats in our cyber infrastructure
1. Malware Threats in our Cyber Infrastructure
13th April 2013
Hotel Royal Ambarukmo Yogyakarta
Yogyakarta, Indonesia
Charles Lim, Msc., ECSA, ECSP, ECIH, CEH, CEI
2. AGENDA
About me
Malware History
Malware Current Attack
Malware Profiles
Botnet
Botnet Takedown
Summary
Faculty of Engineering and IT 2
3. Malware History
What is Malware?
Stand for Malicious Software
Early Days
Viruses or Trojan
Today
Viruses, worms, backdoors, Trojans, keyloggers, password stealers, script viruses, rootkits, macro viruses, spyware or even adware.
4. Malware History
1970’s
Experimental replicating programs (Creeper & Reaper)
5. Malware History
Early 1980’s
From thesis to real virus …
6. Malware History
Late 1980’s
From Apple II virus to First Internet Worm …
7. Malware History
Early 1990’s
Polymorphic Viruses to First Macro viruses
8. Malware History
Late 1990’s
DOS 16-bit viruses to Melissa Worm …
9. Malware History
Early 2000’s
I LOVE YOU virus to MyDOOM (fastest spreading worm)
10. Malware History
Late 2000’s
First ever Mac OS X malware to rogue AV to Conficker worm
11. Malware History
2010 – now
Stuxnet to Banking Trojan to Android Malware
12. Malware History
From 2004 till now …
From Symbian based malware to Android Malware
13. Recent Malware Attack
South Korean TV broadcasters and banks attack
15. Recent Malware Attack
Attack started on 20 March 2013 at 2:20 pm
Three broadcasters, KBS, MBC and YTN, hit
Three banks, Jeju (제주은행), Nonghyup (농협생명; bank and insurance) and Shinhan (신한은행), hit
Knocked offline after PCs were infected by data-deleting malware (delivered via a server update in the network)
16. Recent Malware Attack
Checks for existing remote management tools
17. Recent Malware Attack
Target: to corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VBR)
Kills 2 popular antivirus products
Reboots the system, leaving it unusable
18. Recent Malware Attack
Target: to corrupt the Master Boot Record (MBR) as well as the Volume Boot Record (VBR)
Checks the time
Kills 2 popular antivirus products
Reboots the system, leaving it unusable
20. Recent Malware Attack
According to McAfee (refer to reference), the malware samples used existing malware found in the wild in August and October 2012 as a template to develop the new malware
It has new capabilities:
MBR-killing
Killing 2 popular antivirus products
[Figure: NEW sample vs OLD sample comparison]
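The slides above describe a wiper that corrupts the MBR and VBR so the machine no longer boots. The following Python script is an added example, not part of the presentation or of any vendor's tooling, showing the defender's side: it parses the standard 512-byte MBR layout (partition table at offset 446, four 16-byte entries, 0x55AA signature at offset 510), compares the sector against a known-good SHA-256 baseline, and reports what is wrong. The good sector and the wiped sector are both constructed in code so the script runs offline; the function and variable names are this example's own.

```python
import hashlib
import struct

# Standard PC boot-sector layout
MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16
PARTITION_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"        # bytes 510-511 of a valid MBR


def build_sample_mbr():
    """Constructed sample: dummy boot code, one bootable NTFS partition (type 0x07)
    starting at LBA 2048, three empty table slots, and the 0x55AA signature."""
    boot_code = b"\xeb\x3c\x90" + b"\x00" * (PARTITION_TABLE_OFFSET - 3)
    entry = struct.pack(PARTITION_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


def constructed_wiped_sector():
    """Constructed sample of a sector after a wiper has overwritten it: all zeros."""
    return b"\x00" * MBR_SIZE


def baseline_hash(sector):
    """SHA-256 of the first 512 bytes; record this from a known-good disk as the baseline."""
    return hashlib.sha256(sector[:MBR_SIZE]).hexdigest()


def parse_mbr(sector):
    """Return (signature_ok, partitions); partitions lists only the non-empty
    entries of the four-slot partition table."""
    if len(sector) < MBR_SIZE:
        raise ValueError("need at least 512 bytes")
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY_FMT, sector[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0 and sectors == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return signature_ok, partitions


def check_mbr(sector, expected_hash):
    """Return a list of findings; an empty list means the sector looks intact."""
    findings = []
    signature_ok, partitions = parse_mbr(sector)
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")
    if not partitions:
        findings.append("partition table empty")
    elif not any(p["bootable"] for p in partitions):
        findings.append("no bootable partition")
    if baseline_hash(sector) != expected_hash:
        findings.append("sector hash differs from baseline")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = baseline_hash(good)
    print("intact:", check_mbr(good, baseline))
    print("wiped: ", check_mbr(constructed_wiped_sector(), baseline))
```

On a live Linux host the sector to check is the first 512 bytes of the raw disk device (reading it needs root); the hash baseline has to be captured while the machine is known to be clean, since a wiper that has already run leaves nothing to compare against.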
22. Botnet – What is it?
What is Botnet?
25. Botnet – Stats
What is Botnet?
Source: 2013 GLOBAL THREAT INTELLIGENCE REPORT (GTIR)
26. Botnet – Underground
Botnet Underground
Source: http://goo.gl/Vq30r
27. Botnet – Underground
Botnet Underground
Source: FireEye on Botnet Grum
28. Botnet Evolution
1st • Centralized C&C server • IRC-based communication
2nd • P2P C&C server • IRC C&C server
3rd • HTTP-based C&C • P2P C&C server
4th • Encrypted communication • P2P C&C
29. Botnet C&C Evolution
The two most common methods of C&C:
Central control C&C
P2P network
[Figure: Central C&C server]
30. Botnet C&C Evolution (cont.)
P2P network
E.g. Kelihos Botnet
38. Botnet – Some stats
39. Third Largest Botnet Takedown
Code name: Grum botnet
Impact size: 18% of spam volume (18 billion spam messages a day)
C&C: Panama & Netherlands
Takedown: Tuesday, 12 July 2012
Alive again: Thursday, 14 July 2012 (C&C: Russia)
Difficulty of takedown: 2 (on a scale of 1 to 5)
40. Grum Botnet Characteristics
C&C servers:
Primary C&C for configuration files and initial registration
Secondary C&C for spam-related activities
Hard-coded IP addresses (instead of domain names)
Infected machines segmented across different C&C servers
No fallback mechanism if primary and secondary C&C are down
44. Grum Botnet (cont.)
IP address      Type       Geo location         Status (as of July 6 2012)
190.123.46.91   Master     PANAMA               Active
190.123.46.92   Master     PANAMA               Suspended or abandoned
91.239.24.251   Master     RUSSIAN FEDERATION   Active
94.102.51.226   Secondary  NETHERLANDS          Active
94.102.51.227   Secondary  NETHERLANDS          Active
94.102.51.228   Secondary  NETHERLANDS          Suspended or abandoned
94.102.51.229   Secondary  NETHERLANDS          Suspended or abandoned
94.102.51.230   Secondary  NETHERLANDS          Suspended or abandoned
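Because Grum used a handful of hard-coded C&C addresses with no fallback, a defender who knows those addresses can spot infected hosts from ordinary perimeter logs. The script below is an added example, not part of the presentation or of the FireEye research it cites: it takes the C&C table above, runs it over a constructed firewall log in a hypothetical "timestamp src dst dport action" format (no real product's format), and reports which internal hosts contacted master (registration) or secondary (spam) servers. Denied attempts are counted as well, since the attempt itself marks the host as infected.

```python
import ipaddress
import re

# Grum C&C addresses and roles from the table above (FireEye, status as of July 6 2012)
GRUM_CNC = {
    "190.123.46.91": ("master", "PANAMA"),
    "190.123.46.92": ("master", "PANAMA"),
    "91.239.24.251": ("master", "RUSSIAN FEDERATION"),
    "94.102.51.226": ("secondary", "NETHERLANDS"),
    "94.102.51.227": ("secondary", "NETHERLANDS"),
    "94.102.51.228": ("secondary", "NETHERLANDS"),
    "94.102.51.229": ("secondary", "NETHERLANDS"),
    "94.102.51.230": ("secondary", "NETHERLANDS"),
}

# Constructed firewall log in a hypothetical "timestamp src dst dport action" format
SAMPLE_LOG = """\
2012-07-06T10:01:02Z 10.0.5.17 94.102.51.226 80 ALLOW
2012-07-06T10:01:05Z 10.0.5.17 190.123.46.91 80 ALLOW
2012-07-06T10:02:11Z 10.0.5.44 93.184.216.34 443 ALLOW
2012-07-06T10:03:40Z 10.0.7.9 94.102.51.227 25 ALLOW
2012-07-06T10:04:00Z 10.0.5.17 190.123.46.92 80 DENY
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+([A-Z]+)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, action = m.groups()
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def find_cnc_contacts(log_text):
    """Return every parsed event whose destination is a known Grum C&C address,
    annotated with that server's role and location."""
    contacts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["dst"] not in GRUM_CNC:
            continue
        role, country = GRUM_CNC[event["dst"]]
        event.update({"role": role, "country": country})
        contacts.append(event)
    return contacts


def summarize_by_host(contacts):
    """Map each internal source address to its count of master and secondary contacts."""
    summary = {}
    for c in contacts:
        counts = summary.setdefault(c["src"], {"master": 0, "secondary": 0})
        counts[c["role"]] += 1
    return summary


def infected_hosts(log_text):
    """Sorted list of internal hosts that reached, or tried to reach, any Grum C&C."""
    return sorted(summarize_by_host(find_cnc_contacts(log_text)))


if __name__ == "__main__":
    for host, counts in summarize_by_host(find_cnc_contacts(SAMPLE_LOG)).items():
        print(host, counts)
    print("hosts to isolate:", infected_hosts(SAMPLE_LOG))
```

The same weak point the slide lists for the attacker (a handful of hard-coded addresses, no fallback) is what makes this check cheap for the defender: blocking those few addresses at the perimeter cuts the bots off, and the resulting DENY entries are themselves the list of machines to clean.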
45. Grum Botnet - Lesson Learned
Strong points:
C&C servers are located in countries whose governments have historically been reluctant to act on abuse notifications
Servers are scattered across multiple data centers
Botnet divided into segments (bad part: unless all C&C servers are dead, the botnet is still alive)
Weak points:
No fallback mechanism: once the C&C is dead, no connection is possible
Handful of hard-coded IP addresses
Data centers easily identified (easy to deal with)
Small segments; some segments easily killed
46. Grum Botnet - Lesson Learned
Summarized strategy to take down a botnet
Research which C&C architecture they are using
Intelligence on real-time traffic
Takedown methodology
24/7 surveillance
Actual takedown
Surprises will come – be prepared
Post-takedown activities
47. Bamital – Botnet Takedown
Method: Click Fraud
48. Bamital – Botnet Takedown
Users search for pornographic web sites
Then users are directed to these web sites:
Downloads the Bamital Trojan
49. Bamital – Botnet Takedown
These “random” web sites (pseudo-randomly generated) that serve the exploit packs:
50. Summary
We have seen how malware has evolved with more and more advanced and sophisticated methods
The tasks are very challenging …
Research in malware is in huge demand …
We need to work together …
51. Other Security Events
13-15 May 2013: ACAD-CSIRT in Bali
19-20 June 2013: Honeynet Indonesia Chapter Workshop 2013, Jakarta
18 Sept 2013: Cloud Security Alliance Summit, Jakarta
52. References
http://blogs.mcafee.com/mcafee-labs/an-overview-of-messaging-botnets
http://www.fireeye.com/blog/technical/botnet-activities-research/2012/07/grum-botnet-no-longer-safe-havens.html
http://voices.washingtonpost.com/securityfix/pushdo.htm
http://voices.washingtonpost.com/securityfix/2009/06/ftc_sues_shuts_down_n_calif_we.html
http://blog.gdatasoftware.com/blog/article/botnet-command-server-hidden-in-tor.html
http://www.securelist.com/en/blog/208193438/FAQ_Disabling_the_new_Hlux_Kelihos_Botnet
https://www.brighttalk.com/webcast/7451/53071
53. References
http://www.tripwire.com/state-of-security/it-security-data-protection/cyber-security/south-korean-attack-malware-analysis/
http://download.bitdefender.com/resources/files/Main/file/Malware_History.pdf
http://blogs.mcafee.com/mcafee-labs/south-korean-banks-media-companies-targeted-by-destructive-malware
54. References
http://www.sophos.com/en-us/threat-center/threat-monitoring/malware-dashboard.aspx
http://www.mcafee.com/us/mcafee-labs/threat-intelligence.aspx
http://www.virusradar.com/