Black Energy 1.8 – Russian web-based botnet package analysis
Presented by Roberto Suggi Liverani
© 2008 Security-Assessment.com

Agenda
- Background
- What's In The Package?
- Building The Backdoor
- Infection Analysis
- Command and Control System Architecture
- Botnet Communication
- Attacks Analysis
- Defensive Measures
- Conclusions
- Demo

Background
A little bit of background…
- Web-based distributed denial of service (DDoS) botnet
- Probably developed by one or more Russian hackers
- Version 1.8 seems to be the most recent
- Has been hosted in Malaysia and Russia and actively used against Russian targets
- Communication is entirely based on HTTP
- The command and control (C&C) system is based on PHP and a MySQL database
- Version 1.7 was sold for 40 USD in Russian hacker forums
- Version 1.8 has been downloaded from download.xakepok.org after visiting affiliate links

What's in the package?
The package format… The package comes in a rar archive (blackenergy18.rar).
Package listings – bot files:
- builder.exe builds two versions of the same backdoor (encrypted and unencrypted)
- crypt.exe is required by builder.exe to encrypt the backdoor
- cadt.dll is required by crypt.exe to encrypt the backdoor

What's in the package?
The C&C files:
- db.sql is the MySQL database structure of the C&C system
- www directory contains all PHP scripts used by the C&C
- index.php is the main C&C web interface page
- stat.php – core HTTP communication engine of the botnet. It receives bot requests and sends responses.
- flags folder contains flag icons used to identify the bot's country
- config.php is the C&C interface config file
- common.php – common PHP functions used by the C&C components
- cmdhelp.html – command listings and help syntax, in Russian
- Net folder contains the GeoIP.php application used to associate a bot IP with a country

Building the backdoor Builder.exe creates two backdoor executables. Some interesting options:
Building the backdoor
Output results…
- _bot.exe is created within the same folder where builder.exe is located. _bot.exe is the decrypted backdoor version.
- crypted__bot.exe is the encrypted/packed version (according to some AV, the packer is "Stalin"). Both executables are fully functional.
- crypt.exe is automatically invoked by builder.exe and packs _bot.exe with Stalin. This is used to defeat AV detection and reverse engineering.
- The decrypted backdoor file size is 23040 bytes
- The encrypted/packed backdoor file size is 12871 bytes

Infection Analysis
Infection scenario…
- The Black Energy backdoor does not exploit any vulnerability in the operating system. The victim needs to execute the malware in order to be infected.
- The infection is typically triggered by the victim downloading and executing the backdoor from fake online-game web sites.

Infection Analysis – Methodology
Before proceeding to the analysis of the backdoor, a few words about the methodology.
Dynamic and static analysis:
- To properly analyse the infection, the backdoor needs to be run in a controlled environment. In this way it is possible to detect the changes it makes to that environment.
- Dynamic analysis involves deploying multiple sensors into the environment to detect changes caused by the backdoor's activity.
- Static analysis involves the use of reverse engineering tools to follow the backdoor's code execution.
- It is recommended to use both methods when analysing any malware. Dynamic analysis tends to produce "false positives" because many factors are observed at the same time, and some of them may not be related to the backdoor's activity. For this reason, the analyst should always confirm the results with static analysis, and vice versa.

Infection Analysis – Dynamic/Static Analysis
Dynamic analysis overview
- Scope: analysis of local system interaction using multiple tools
- Any changes to the following components must be detected: Windows Registry, file system, memory/processes, network traffic
Static analysis overview
- Scope: full deep analysis of the disassembled code of the backdoor executable
- A deep analysis of the PE structure and disassembly to understand how the backdoor interacts with the Registry, the Windows API and Windows DLLs: what functions are called, what operations are performed, what packer is used.

Dynamic Analysis – Tools
The environment and the monitoring tools in the dynamic analysis:
- VMware image of WinXP with SP2 – this is the controlled environment where the infection has been analysed
- VMware image of Ubuntu running a LAMP environment to host the C&C system
- Regmon.exe – tool used to monitor any changes to the Windows Registry
- Filemon.exe – any file system activity is recorded by this tool
- Diskmon.exe – any disk activity is recorded by this tool
- SysInternals Process Explorer – like the Windows Task Manager, plus additional features
- Rapier (Rapid Assessment & Potential Incident Examination Report) is a framework that makes use of multiple tools to audit the entire OS
- Wireshark and tcpdump – network analyser and sniffer

Dynamic Analysis – Windows Registry
Tool: regmon.exe
Two Windows Registry keys have been created and one modified. The path separators were lost in extraction and are restored here; one leading character of the service name was lost with them and is shown as "?":
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?supdate
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?supdate
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters

Dynamic Analysis – File System
Tools: Rapier with WinAudit and Chksum, filemon.exe
- A new file called mssrv32.exe is created in C:\Windows\system32. File size is 12780 bytes.
- Other files added with the infection (checksum and file name as reported): 4c380647cca89aacd29ed5f7430b2151 _BOT.EXE-160375AD.pf
- Filemon.exe is used to list all file activity in the system.

Dynamic Analysis – File System
The following file system activities are related to the creation of mssrv32.exe. Note that mssrv32.exe is the same size as _bot.exe.

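The baseline-and-compare idea behind the file system checks above (Chksum and WinAudit runs before and after executing the sample) can be reproduced with a few lines of Python. This is an added example, not a tool from the presentation: it hashes a directory tree before and after a constructed stand-in for the infection (a dropped system32/mssrv32.exe, a deleted _bot.exe, a modified pre-existing file) and reports what changed, including the size comparison noted on the slide.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative path, '/'-separated) to (size, sha256)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            snap[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def diff_snapshots(before, after):
    """Return the paths added, removed or modified between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario (plain file operations, no malware): take a baseline,
    mimic the install step described on the slides, then diff the snapshots."""
    with tempfile.TemporaryDirectory() as root:
        # constructed "clean" system: one pre-existing DLL and the dropper
        _write(os.path.join(root, "system32", "existing.dll"), b"\x00" * 512)
        _write(os.path.join(root, "_bot.exe"), b"MZ" + b"\x00" * 23038)
        before = snapshot(root)

        # stand-in for the backdoor's actions: copy to system32, delete original,
        # and touch an existing file so all three change classes show up
        dropped = os.path.join(root, "system32", "mssrv32.exe")
        with open(os.path.join(root, "_bot.exe"), "rb") as fh:
            _write(dropped, fh.read())
        os.remove(os.path.join(root, "_bot.exe"))
        _write(os.path.join(root, "system32", "existing.dll"), b"\x00" * 513)

        after = snapshot(root)
        result = diff_snapshots(before, after)
        # the size check from the slide: the dropped copy matches _bot.exe
        result["dropped_size"] = after["system32/mssrv32.exe"][0]
        result["original_size"] = before["_bot.exe"][0]
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real run the baseline is taken on the clean VM image and the second snapshot after the sample has executed; hashing rather than comparing timestamps is what catches a file that was replaced with one of the same size, which is exactly the case the slide points out.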
Dynamic Analysis – Network/Processes
Tools: Tcpview, Rapier + Network Module + GDIProcs, WinAudit
Tcpview output: a process without a name is identified by Tcpview. It starts a TCP connection from source port 1035 to destination port 80. 192.168.0.34 is the C&C master server in this instance. The properties of the process show a connection between the bot and svchost.exe.

Dynamic Analysis – Network/Processes
Rapier with Network Netstat result (192.168.1.1 is the C&C server).
Rapier with Network module result: the Rapier network module runs different scans. All the information gathered allows the analyst to identify the PID associated with the process, the source/destination ports, the protocol and the associated executable. These results are confirmed by the GDI Procs scan analysis as well.

Dynamic Analysis – Network/Processes
WinAudit result: note that there is no information associated with Process Description and Process Manufacturer.

Static Analysis – Reversing malware
The environment and the tools in the static analysis:
- VMware image of WinXP with SP2 – this is the controlled environment where the infection has been analysed
- VMware image of Ubuntu running a LAMP environment to host the C&C system
- OllyDbg – freeware Windows debugger – used with builder.exe, crypt.exe, _bot.exe, crypted__bot.exe and cdat.dll
- IDA Pro – commercial Windows debugger – used with _bot.exe
- PEiD – PE analyser – used with builder.exe, crypt.exe, _bot.exe, crypted__bot.exe and cdat.dll

Static Analysis – Reversing malware
Before analysing the disassembly, information about the PE structure, imports and exports should be examined. Let's dump the basic headers and the import/export entries of the malware executable. The export table only contains a reference to the start function, which is the OEP (Original Entry Point). Imports are mainly related to the following APIs and DLLs:
Static Analysis – Reversing malware Some interesting functions imported:
Static Analysis – Reversing malware
Backdoor installation
When the program is first launched, it runs some checks to see whether it has already been installed, and if not it installs itself. This is done by calling GetModuleFileName to obtain the primary executable's file name. If nothing is found, it copies itself to C:\WINDOWS\SYSTEM32\mssrv32.exe.

Static Analysis – Reversing malware
The backdoor cannot delete its executable while it is running, so the program launches a new instance, terminates the first one, and deletes the original file from the new instance. The backdoor then creates a mutex called {F3532CE1-0832-11B1-920A-25000A276A73}. The purpose of this mutex is to make sure no other instances of the program are already running; the program terminates if the mutex already exists. This mechanism ensures that the program doesn't try to infect the same host twice.

Static Analysis – Reversing malware
During the installation, the backdoor interacts with the Windows Registry. The following is an example of registry creation to establish the backdoor as a system service that will be run at each system boot:
The following registry value is added to disable the Windows raw socket security checks (this enables the backdoor to launch network DDoS attacks):

Static Analysis – Reversing malware
After creating mssrv32.exe, it creates a svchost.exe process. It then deletes _bot.exe.

Static Analysis – Reversing malware
Botnet communication: it then starts to communicate with the server through HTTP POST requests.

Static Analysis – Reversing malware
Crypted__bot.exe – some words about defeating the protector used by Black Energy
- Some AV identify the packer as "Stalin", but no information is available about this packer.
- Crypt.exe creates an executable file which contains the encrypted backdoor at section 13112000. At VA 131110A1 there is a call to the function 131111B9. This function includes multiple sub-functions which perform bitwise operations to decrypt the backdoor into memory.
- The decrypted backdoor is then copied in clear text byte by byte to the memory address 00320000. The size of the memory allocated for the decrypted backdoor is 6000 bytes.
- The memory can then be dumped to an executable file with the OllyDump plug-in, or the OEP can be changed. A tool like ImpRec is then needed to rebuild the import/export table of the dumped file. LordPE can then be used to optimise the code.

Static Analysis – Reversing malware
Finding the OEP of the decrypted backdoor…
- Crypted _bot.exe is stored at 13112000
- Crypted_.131111b9 decrypts _bot.exe to 00320000
- Note the different sizes: 6000 and 3000

C&C System Architecture
The command and control system architecture requires:
- MySQL server
- Any web server supporting PHP and PHP-MySQL
- The C&C is ideal for vulnerable LAMP environments
MySQL database overview – the database is composed of three tables:
- Files – id, url, dnum, dtotal, country
- Opt – name, value
- Stat – id, build_id, files, ip, last, country, country_full
The Files table is associated with the downloader function. The url column contains the URL from which the backdoor can fetch and launch another executable. It is not clear how this function works; it might be used for "updating" the botnet. A cross-reference field (files) is also present in the Stat table.

C&C System Architecture
The Opt table stores the command list:
- attack_mode – a numerical value for the type of attack (default, drop by socket, drop by timeout)
- cmd – the command to send to the bot
- http_freq – how many requests per second to send in HTTP GET flood mode
- http_threads – how many program threads to create for the HTTP flood
- icmp_freq – how many ICMP packets to send in ICMP attack mode
- icmp_size – how large the ICMP packets are in ICMP attack mode
- max_sessions – for 'drop by timeout'
- spoof_ip – Boolean, used in raw packet flooding attacks
- syn_freq – how frequently to send packets during a TCP SYN flood
- tcpudp_freq – how often to send TCP or UDP traffic
- tcp_size – how large the TCP packets should be
- udp_size – how large the UDP packets should be
- ufreq – how long (in minutes) to wait before checking for another command

C&C System Architecture This is the opt table after a flood http localhost command sent to the bot:
C&C System Architecture
The Stat table contains all the statistics of the botnet:
- id is built from the system's SMB hostname and the System Volume ID of the C:\ drive of the infected machine
- build_id is the string value set by builder.exe (can be changed at build time)
- files is a reference to the Files table
- last is a time value in the format of time() and measures the bot heartbeat
- country and country_full are used by the web interface to display the country flag of the bot

C&C System Architecture
C&C system web interface (index.php): from here, commands can be sent and statistics viewed.

C&C System Architecture
Sending the commands to the zombie…
- The command entered through the web interface (index.php) is saved into the database (table opt).
- The bot performs regular POST requests to http://c&cserver/stat.php, or whatever URL value was set at build time. These requests are performed in order to receive commands from the master server.
- If the zombie is not able to connect to the master server, it automatically executes the command specified at build time (by default: wait). Wait sets a counter after which the zombie retries connecting to the master server.

C&C System Architecture
stat.php is responsible for retrieving commands from the database and outputting them base64-encoded.

C&C System Architecture
Commands available:
- Refresh Rate – change the refresh rate
- Flood – network DDoS attacks:
  icmp – a basic ICMP ping flood
  syn – a basic TCP SYN flood
  udp – a basic UDP traffic flood
  http – an HTTP GET request flooder
  data – a basic binary packet flooder
  dns – a DNS request flooder
- Wait – the bot process is put to sleep for x seconds and then re-performs the POST request to receive new commands
- Stop – stop any attack currently running
- Die – this deletes the backdoor on the infected machine

C&C System Architecture
Command syntax:
flood http 192.168.1.1 index.htm
flood icmp 192.168.2.2 index.php
flood syn 192.168.3.2
Multiple commands can be specified using semicolons: dns; icmp; http; syn; 192.168.1.1#15#xHOST
Normally, the DDoS options are passed in the command syntax as well: '10;2000;10;0;0;30;100;3;20;1000;2000#wait#10#xHOST'
In order: ICMP frequency, ICMP packet size, SYN frequency, spoof IP or not (Boolean value), the attack mode, the maximum number of HTTP sessions, the HTTP connection frequency, the number of HTTP threads, the TCP and UDP frequency, the UDP size, the TCP packet size and the bot id.

Botnet Communication
Botnet communication from a network perspective. Tools: tcpdump and Wireshark.
HTTP POST request from bot: note that the bot id and build_id are passed in the POST request. These are needed by the master to identify the bot.
HTTP response from master server: Command -> 10;2000;10;0;0;30;100;3;20;1000;2000#stop#1#

DDoS Attacks Overview
DDoS attacks with the flood command – overview:
- Flood udp – this attack involves sending malformed UDP packets. Source and destination ports are random.
- Flood icmp – this attack sends ICMP echo requests to the target with a payload of 1480 bytes (this value can be changed arbitrarily).

DDoS Attacks Overview
- Flood http – this involves GET requests to the URL specified in the command syntax.
- Flood data – this sends malformed UDP packets with an invalid length. The payload size varies for each packet and random data is appended to the payload. Source and destination ports are random for each packet.

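A defender's view of the flood traffic described above, as an added example that is not part of the presentation: a small rate detector run over constructed packet summaries (time, source, destination, protocol, destination port, payload length). It flags a source when its packet count toward one destination exceeds a threshold inside a sliding window, and reports the two traits the slides give for the ICMP and UDP floods, a constant 1480-byte payload and random destination ports. The record layout, the window and the threshold are assumptions.

```python
import random
from collections import Counter, defaultdict

# Assumed record layout: (time_s, src, dst, proto, dst_port, payload_len)


def make_sample():
    """Constructed packet summaries, not a real capture."""
    pkts = []
    # ICMP flood: 200 echo requests with 1480-byte payloads in half a second
    for i in range(200):
        pkts.append((i * 0.0025, "192.168.1.2", "192.168.1.50", "icmp", 0, 1480))
    # UDP flood: 200 packets with random destination ports and payload sizes
    rng = random.Random(7)
    for i in range(200):
        pkts.append((i * 0.0025, "192.168.1.3", "192.168.1.50", "udp",
                     rng.randrange(1024, 65536), rng.randrange(1, 1400)))
    # benign background: five ordinary pings spread over five seconds
    for i in range(5):
        pkts.append((float(i), "192.168.1.9", "192.168.1.50", "icmp", 0, 32))
    return pkts


def peak_rate(times, window):
    """Largest number of events that fall inside any span of `window` seconds."""
    times = sorted(times)
    peak, j = 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def detect_floods(pkts, window=1.0, threshold=100):
    """Group packets by (src, dst, proto) and flag groups whose peak
    per-window count reaches the threshold. Each finding carries the most
    common payload length, whether it was constant, and the number of
    distinct destination ports (high for the random-port UDP floods)."""
    groups = defaultdict(list)
    for rec in pkts:
        groups[(rec[1], rec[2], rec[3])].append(rec)
    findings = []
    for (src, dst, proto), recs in groups.items():
        peak = peak_rate([r[0] for r in recs], window)
        if peak < threshold:
            continue
        sizes = Counter(r[5] for r in recs)
        findings.append({
            "src": src, "dst": dst, "proto": proto,
            "peak_per_window": peak,
            "common_payload_len": sizes.most_common(1)[0][0],
            "constant_payload": len(sizes) == 1,
            "distinct_ports": len({r[4] for r in recs}),
        })
    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    for finding in detect_floods(make_sample()):
        print(finding)
```

Real flow records would be read from tcpdump or a NetFlow export rather than constructed; the grouping key and the sliding window are what matter, since a fixed per-second bucket can split a burst across two buckets and miss it.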
Defenses and Countermeasures
AV detection – both _bot.exe and crypted__bot.exe have been analysed. Some AV still fail to identify the Black Energy backdoor; some AV identify the backdoor as a downloader instead. The service used is provided by virustotal.com.
_bot.exe results available here: http://www.virustotal.com/analisis/c88ba95b30d2fe50bc612ab73b922fc2
Crypted_bot.exe results available here: http://www.virustotal.com/analisis/12cc7b4378f7ce90963232423590068b

Defenses and Countermeasures _bot.exe results: Detected by 23/32 AVs (71.88%)
Defenses and Countermeasures Crypted__bot.exe results: Detected by 17/32 AV (53.12%)
Defenses and Countermeasures
Backdoor variants: three different backdoor variants have been identified. The variants differ in the POST data sent to the C&C master server.
- First variant: uses a simple two-part data string to communicate with the web server, presenting the bot host ID and the build ID in two different variables.
- Second variant: uses only one variable, 'data', to submit this information, and separates the two values with a colon (':').
- Third variant: the same values (bot ID and build_id) plus a SOCKS/HTTP proxy address.

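Both directions of the exchange described in the Botnet Communication and Command Syntax slides, together with the three request variants just listed, as an added example that is not code from the presentation or from the bot package. One function classifies a captured bot-to-master POST body by variant; the other base64-decodes a master response (stat.php outputs commands base64-encoded) and names the eleven option values in the order the Command Syntax slide gives, using the opt table column names. The form field names `id` and `build_id` for the first variant and the `id:build_id:proxy` layout of the third are assumptions, since the slides only describe them; the sample bodies are constructed.

```python
import base64
from urllib.parse import parse_qs

# Option order from the command syntax slide, named after the opt table columns
OPTION_NAMES = (
    "icmp_freq", "icmp_size", "syn_freq", "spoof_ip", "attack_mode",
    "max_sessions", "http_freq", "http_threads", "tcpudp_freq",
    "udp_size", "tcp_size",
)


def classify_bot_request(body):
    """Identify which variant produced a bot POST body (form-urlencoded)."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if "data" in form:
        # variant 2: 'id:build_id'; variant 3 (assumed layout): 'id:build_id:proxy'
        parts = form["data"].split(":", 2)
        if len(parts) == 2:
            return {"variant": 2, "bot_id": parts[0], "build_id": parts[1]}
        if len(parts) == 3:
            return {"variant": 3, "bot_id": parts[0], "build_id": parts[1],
                    "proxy": parts[2]}
        return {"variant": None}
    if "id" in form and "build_id" in form:  # assumed field names for variant 1
        return {"variant": 1, "bot_id": form["id"], "build_id": form["build_id"]}
    return {"variant": None}


def parse_master_response(body_b64):
    """Decode a stat.php response: base64 of 'options#command#argument#bot_id'."""
    raw = base64.b64decode(body_b64).decode("ascii")
    fields = raw.split("#")
    if len(fields) < 3:
        raise ValueError("unexpected response layout: %r" % raw)
    values = fields[0].split(";")
    if len(values) != len(OPTION_NAMES):
        raise ValueError("expected %d options, got %d" % (len(OPTION_NAMES), len(values)))
    options = dict(zip(OPTION_NAMES, map(int, values)))
    options["spoof_ip"] = bool(options["spoof_ip"])
    command, _, rest = fields[1].partition(" ")
    return {
        "options": options,
        "command": command,        # flood, wait, stop, die, or a refresh-rate change
        "command_args": rest,      # e.g. 'http 192.168.1.1 index.htm' for flood
        "argument": fields[2],     # e.g. the wait time
        "bot_id": fields[3] if len(fields) > 3 else "",
        "is_attack": command == "flood",
    }


# Constructed samples: the first response string is the one shown on the slide,
# encoded as stat.php would output it; the request bodies illustrate each variant
SAMPLE_RESPONSE = base64.b64encode(
    b"10;2000;10;0;0;30;100;3;20;1000;2000#stop#1#").decode("ascii")
SAMPLE_FLOOD_RESPONSE = base64.b64encode(
    b"10;2000;10;0;0;30;100;3;20;1000;2000#flood http 192.168.1.1 index.htm#0#xHOST"
).decode("ascii")
SAMPLE_REQUESTS = [
    "id=xHOST&build_id=build1",
    "data=xHOST:build1",
    "data=xHOST:build1:10.0.0.5:1080",
]

if __name__ == "__main__":
    for body in SAMPLE_REQUESTS:
        print(classify_bot_request(body))
    print(parse_master_response(SAMPLE_RESPONSE))
    print(parse_master_response(SAMPLE_FLOOD_RESPONSE))
```

Run against bodies carved from a capture, the classifier tells an analyst which build of the bot is present, and the response parser turns the opaque base64 blob in the HTTP response into a readable record of what the master ordered, which is what an incident responder needs to decide whether a host was merely polling or actively attacking.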
Conclusions
- The Black Energy botnet package is not difficult to obtain.
- The C&C system is trivial to install and can easily be installed in any compromised LAMP environment.
- The C&C system is easy to use and manage (script-kiddie style).
- Some AV still do not detect the Black Energy backdoor although it has been around since mid-2007. Black Energy version 1.7 was released in summer 2007; version 1.8 was released in November. Probably a new version will come out soon.
- The main differences between version 1.7 and version 1.8 are the web interface and the downloader feature.
- It is unclear today what the next variants or versions of the Black Energy botnet package could be. The information currently available suggests that the next Black Energy botnet version will be easier to use and will include additional features.

Demo
Time for a demo! Demo in VMware environments, only 2 hosts:
- C&C master server – Ubuntu 6.10 + LAMP – 192.168.1.1
- Bot machine: WinXP with SP2 – 192.168.1.2

Questions? © 2007 Security-Assessment.com http://www.security-assessment.com [email_address]
References
Websites
- Reverse Engineering Malware – http://www.zeltser.com/reverse-malware-paper/
- The Science of Malware Analysis – http://www.osix.net/modules/article/?id=760
- BlackEnergy DDoS Bot – http://www.castlecops.com/p1020284-Black_Energy_DDoS_bot.html
- BlackEnergy DDoS Bot download file: http://download.xakepok.org/4108126?ints_code=tGdsXA%2FvQR5Rmvk%2BzFVXFHKaGn%2Ffu2aI
- Fake gaming site spawns dangerous Trojan – http://sunbeltblog.blogspot.com/2007/11/fake-gaming-site-spawns-dangerous.html
- BlackEnergy DDoS Bot – HTTP based – http://www.offensivecomputing.net/?q=node/557
Books/Whitepapers
- Black Energy DDoS Bot Analysis – http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf
- Wiley – Reversing: The Secrets of Reverse Engineering – 2005

Windows Threat Hunting
GIBIN JOHN
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
Sally Feller
 

Similar to Black Energy18 - Russian botnet package analysis (20)

Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 -  Advanced Malware AnalysisReversing & Malware Analysis Training Part 9 -  Advanced Malware Analysis
Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis
 
Two-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for EveryoneTwo-For-One Talk: Malware Analysis for Everyone
Two-For-One Talk: Malware Analysis for Everyone
 
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.pptCHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
CHAPTER 3 BASIC DYNAMIC ANALYSIS.ppt
 
Cyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on ExamplesCyber Defense Forensic Analyst - Real World Hands-on Examples
Cyber Defense Forensic Analyst - Real World Hands-on Examples
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windows
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS)        In t.docxLab-10 Malware Creation and Denial of Service (DoS)        In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
 
SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012SANS Digital Forensics and Incident Response Poster 2012
SANS Digital Forensics and Incident Response Poster 2012
 
Reversing & malware analysis training part 9 advanced malware analysis
Reversing & malware analysis training part 9   advanced malware analysisReversing & malware analysis training part 9   advanced malware analysis
Reversing & malware analysis training part 9 advanced malware analysis
 
Stuxnet dc9723
Stuxnet dc9723Stuxnet dc9723
Stuxnet dc9723
 
Reversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysisReversing malware analysis trainingpart9 advanced malware analysis
Reversing malware analysis trainingpart9 advanced malware analysis
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware Analysis
 
Windows Threat Hunting
Windows Threat HuntingWindows Threat Hunting
Windows Threat Hunting
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 

More from Roberto Suggi Liverani

I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 
Augmented reality in your web proxy
Augmented reality in your web proxyAugmented reality in your web proxy
Augmented reality in your web proxy
Roberto Suggi Liverani
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
Roberto Suggi Liverani
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
Roberto Suggi Liverani
 
None More Black - the Dark Side of SEO
None More Black - the Dark Side of SEONone More Black - the Dark Side of SEO
None More Black - the Dark Side of SEO
Roberto Suggi Liverani
 
Bridging the gap - Security and Software Testing
Bridging the gap - Security and Software TestingBridging the gap - Security and Software Testing
Bridging the gap - Security and Software Testing
Roberto Suggi Liverani
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
Roberto Suggi Liverani
 
Exploiting Firefox Extensions
Exploiting Firefox ExtensionsExploiting Firefox Extensions
Exploiting Firefox Extensions
Roberto Suggi Liverani
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
Roberto Suggi Liverani
 
Web Spam Techniques
Web Spam TechniquesWeb Spam Techniques
Web Spam Techniques
Roberto Suggi Liverani
 
Reversing JavaScript
Reversing JavaScriptReversing JavaScript
Reversing JavaScript
Roberto Suggi Liverani
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
Roberto Suggi Liverani
 
Browser Security
Browser SecurityBrowser Security
Browser Security
Roberto Suggi Liverani
 

More from Roberto Suggi Liverani (13)

I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Augmented reality in your web proxy
Augmented reality in your web proxyAugmented reality in your web proxy
Augmented reality in your web proxy
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
 
None More Black - the Dark Side of SEO
None More Black - the Dark Side of SEONone More Black - the Dark Side of SEO
None More Black - the Dark Side of SEO
 
Bridging the gap - Security and Software Testing
Bridging the gap - Security and Software TestingBridging the gap - Security and Software Testing
Bridging the gap - Security and Software Testing
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
 
Exploiting Firefox Extensions
Exploiting Firefox ExtensionsExploiting Firefox Extensions
Exploiting Firefox Extensions
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
Web Spam Techniques
Web Spam TechniquesWeb Spam Techniques
Web Spam Techniques
 
Reversing JavaScript
Reversing JavaScriptReversing JavaScript
Reversing JavaScript
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Browser Security
Browser SecurityBrowser Security
Browser Security
 

Recently uploaded

FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptxFIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Alliance
 
UiPath Community Day Amsterdam: Code, Collaborate, Connect
UiPath Community Day Amsterdam: Code, Collaborate, ConnectUiPath Community Day Amsterdam: Code, Collaborate, Connect
UiPath Community Day Amsterdam: Code, Collaborate, Connect
UiPathCommunity
 
Blue Screen Of Death | Windows Down | Biggest IT failure
Blue Screen Of Death | Windows Down | Biggest IT failureBlue Screen Of Death | Windows Down | Biggest IT failure
Blue Screen Of Death | Windows Down | Biggest IT failure
Dexbytes Infotech Pvt Ltd
 
FIDO Munich Seminar: Securing Smart Car.pptx
FIDO Munich Seminar: Securing Smart Car.pptxFIDO Munich Seminar: Securing Smart Car.pptx
FIDO Munich Seminar: Securing Smart Car.pptx
FIDO Alliance
 
Starlink Product Specifications_HighPerformance-1.pdf
Starlink Product Specifications_HighPerformance-1.pdfStarlink Product Specifications_HighPerformance-1.pdf
Starlink Product Specifications_HighPerformance-1.pdf
ssuser0b9571
 
Increase Quality with User Access Policies - July 2024
Increase Quality with User Access Policies - July 2024Increase Quality with User Access Policies - July 2024
Increase Quality with User Access Policies - July 2024
Peter Caitens
 
Using ScyllaDB for Real-Time Write-Heavy Workloads
Using ScyllaDB for Real-Time Write-Heavy WorkloadsUsing ScyllaDB for Real-Time Write-Heavy Workloads
Using ScyllaDB for Real-Time Write-Heavy Workloads
ScyllaDB
 
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
FIDO Munich Seminar In-Vehicle Payment Trends.pptxFIDO Munich Seminar In-Vehicle Payment Trends.pptx
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
FIDO Alliance
 
Indian Privacy law & Infosec for Startups
Indian Privacy law & Infosec for StartupsIndian Privacy law & Infosec for Startups
Indian Privacy law & Infosec for Startups
AMol NAik
 
Understanding NFT Marketplace Ecosystem.pptx
Understanding  NFT Marketplace Ecosystem.pptxUnderstanding  NFT Marketplace Ecosystem.pptx
Understanding NFT Marketplace Ecosystem.pptx
NFT Space.
 
The learners analyze the various sectors of ICT and evaluate the potential ca...
The learners analyze the various sectors of ICT and evaluate the potential ca...The learners analyze the various sectors of ICT and evaluate the potential ca...
The learners analyze the various sectors of ICT and evaluate the potential ca...
maricrismontales
 
BCC -401-aktu-Cyber-Security Unit-1.docx
BCC -401-aktu-Cyber-Security Unit-1.docxBCC -401-aktu-Cyber-Security Unit-1.docx
BCC -401-aktu-Cyber-Security Unit-1.docx
pubgnewstate1620
 
SuratMeetup-MuleSoft + Salt Security for API Security.pptx
SuratMeetup-MuleSoft + Salt Security for API Security.pptxSuratMeetup-MuleSoft + Salt Security for API Security.pptx
SuratMeetup-MuleSoft + Salt Security for API Security.pptx
nitishjain2015
 
Best USA IPTV Providers to Stream in 2024.pdf
Best USA IPTV Providers to Stream in 2024.pdfBest USA IPTV Providers to Stream in 2024.pdf
Best USA IPTV Providers to Stream in 2024.pdf
perth Riya
 
Informatika smk kelas 10 kurikulum merdeka.pptx
Informatika smk kelas 10 kurikulum merdeka.pptxInformatika smk kelas 10 kurikulum merdeka.pptx
Informatika smk kelas 10 kurikulum merdeka.pptx
OkyPrayudi
 
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinhBài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
NguynThNhQunh59
 
Jacquard Fabric Explained: Origins, Characteristics, and Uses
Jacquard Fabric Explained: Origins, Characteristics, and UsesJacquard Fabric Explained: Origins, Characteristics, and Uses
Jacquard Fabric Explained: Origins, Characteristics, and Uses
ldtexsolbl
 
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
wromeetup
 
Leading Bigcommerce Development Services for Online Retailers
Leading Bigcommerce Development Services for Online RetailersLeading Bigcommerce Development Services for Online Retailers
Leading Bigcommerce Development Services for Online Retailers
SynapseIndia
 
How CXAI Toolkit uses RAG for Intelligent Q&A
How CXAI Toolkit uses RAG for Intelligent Q&AHow CXAI Toolkit uses RAG for Intelligent Q&A
How CXAI Toolkit uses RAG for Intelligent Q&A
Zilliz
 

Recently uploaded (20)

FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptxFIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
FIDO Munich Seminar: Strong Workforce Authn Push & Pull Factors.pptx
 
UiPath Community Day Amsterdam: Code, Collaborate, Connect
UiPath Community Day Amsterdam: Code, Collaborate, ConnectUiPath Community Day Amsterdam: Code, Collaborate, Connect
UiPath Community Day Amsterdam: Code, Collaborate, Connect
 
Blue Screen Of Death | Windows Down | Biggest IT failure
Blue Screen Of Death | Windows Down | Biggest IT failureBlue Screen Of Death | Windows Down | Biggest IT failure
Blue Screen Of Death | Windows Down | Biggest IT failure
 
FIDO Munich Seminar: Securing Smart Car.pptx
FIDO Munich Seminar: Securing Smart Car.pptxFIDO Munich Seminar: Securing Smart Car.pptx
FIDO Munich Seminar: Securing Smart Car.pptx
 
Starlink Product Specifications_HighPerformance-1.pdf
Starlink Product Specifications_HighPerformance-1.pdfStarlink Product Specifications_HighPerformance-1.pdf
Starlink Product Specifications_HighPerformance-1.pdf
 
Increase Quality with User Access Policies - July 2024
Increase Quality with User Access Policies - July 2024Increase Quality with User Access Policies - July 2024
Increase Quality with User Access Policies - July 2024
 
Using ScyllaDB for Real-Time Write-Heavy Workloads
Using ScyllaDB for Real-Time Write-Heavy WorkloadsUsing ScyllaDB for Real-Time Write-Heavy Workloads
Using ScyllaDB for Real-Time Write-Heavy Workloads
 
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
FIDO Munich Seminar In-Vehicle Payment Trends.pptxFIDO Munich Seminar In-Vehicle Payment Trends.pptx
FIDO Munich Seminar In-Vehicle Payment Trends.pptx
 
Indian Privacy law & Infosec for Startups
Indian Privacy law & Infosec for StartupsIndian Privacy law & Infosec for Startups
Indian Privacy law & Infosec for Startups
 
Understanding NFT Marketplace Ecosystem.pptx
Understanding  NFT Marketplace Ecosystem.pptxUnderstanding  NFT Marketplace Ecosystem.pptx
Understanding NFT Marketplace Ecosystem.pptx
 
The learners analyze the various sectors of ICT and evaluate the potential ca...
The learners analyze the various sectors of ICT and evaluate the potential ca...The learners analyze the various sectors of ICT and evaluate the potential ca...
The learners analyze the various sectors of ICT and evaluate the potential ca...
 
BCC -401-aktu-Cyber-Security Unit-1.docx
BCC -401-aktu-Cyber-Security Unit-1.docxBCC -401-aktu-Cyber-Security Unit-1.docx
BCC -401-aktu-Cyber-Security Unit-1.docx
 
SuratMeetup-MuleSoft + Salt Security for API Security.pptx
SuratMeetup-MuleSoft + Salt Security for API Security.pptxSuratMeetup-MuleSoft + Salt Security for API Security.pptx
SuratMeetup-MuleSoft + Salt Security for API Security.pptx
 
Best USA IPTV Providers to Stream in 2024.pdf
Best USA IPTV Providers to Stream in 2024.pdfBest USA IPTV Providers to Stream in 2024.pdf
Best USA IPTV Providers to Stream in 2024.pdf
 
Informatika smk kelas 10 kurikulum merdeka.pptx
Informatika smk kelas 10 kurikulum merdeka.pptxInformatika smk kelas 10 kurikulum merdeka.pptx
Informatika smk kelas 10 kurikulum merdeka.pptx
 
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinhBài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
Bài tập tiếng anh lớp 9 - Ôn tập tuyển sinh
 
Jacquard Fabric Explained: Origins, Characteristics, and Uses
Jacquard Fabric Explained: Origins, Characteristics, and UsesJacquard Fabric Explained: Origins, Characteristics, and Uses
Jacquard Fabric Explained: Origins, Characteristics, and Uses
 
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
CI/CD pipelines for CloudHub 2.0 - Wroclaw MuleSoft Meetup #2
 
Leading Bigcommerce Development Services for Online Retailers
Leading Bigcommerce Development Services for Online RetailersLeading Bigcommerce Development Services for Online Retailers
Leading Bigcommerce Development Services for Online Retailers
 
How CXAI Toolkit uses RAG for Intelligent Q&A
How CXAI Toolkit uses RAG for Intelligent Q&AHow CXAI Toolkit uses RAG for Intelligent Q&A
How CXAI Toolkit uses RAG for Intelligent Q&A
 

Black Energy18 - Russian botnet package analysis

  • 7. Building the backdoor Output results… _bot.exe is created in the same folder as builder.exe. _bot.exe is the decrypted backdoor version. crypted__bot.exe is the encrypted/packed version (according to some AV, the packer is “Stalin”). Both executables are fully functional. crypt.exe is automatically invoked by builder.exe and packs _bot.exe with Stalin. This is used to defeat AV detection and reverse engineering. The decrypted backdoor file size is 23040 bytes. The encrypted/packed backdoor file size is 12871 bytes.
  • 8. Infection Analysis Infection scenario… The Black Energy backdoor does not exploit any vulnerability in the operating system. The victim needs to execute the malware in order to be infected. The infection is typically triggered by the victim downloading and executing the backdoor from fake online game web sites.
  • 9. Infection Analysis - Methodology Before proceeding to the analysis of the backdoor, a few words about the methodology. Dynamic and static analysis: To properly analyse the infection, the backdoor needs to be run in a controlled environment. In this way, it is possible to “detect” the changes it makes to the controlled environment. Dynamic analysis involves deploying multiple sensors into the environment to detect changes caused by the backdoor activity. Static analysis involves the use of reverse engineering tools to follow the code execution of the backdoor. It is recommended to use both methods when analysing any malware. Dynamic analysis tends to produce “false positives”, as many factors are observed at the same time and some of them may not be related to the backdoor activity. For this reason, the analyst should always confirm the results with static analysis and vice versa.
  • 10. Infection Analysis – Dynamic/Static Analysis Dynamic Analysis Overview Scope: Analysis of local system interaction using multiple tools. Any changes to the following components must be detected: Windows Registry, File System, Memory/Processes, Network Traffic. Static Analysis Overview Scope: Full in-depth analysis of the disassembled code of the backdoor executable. A deep analysis of the PE structure and disassembly to understand how the backdoor interacts with the Registry, Windows APIs and Windows DLLs: what functions are called, what operations are performed, what packer is used.
  • 11. Dynamic Analysis – Tools The environment and the monitoring tools used in the dynamic analysis: VMware image of WinXP with SP2 – this is the controlled environment where the infection has been analysed. VMware image of Ubuntu running a LAMP environment to host the C&C system. Regmon.exe – tool used to monitor any changes to the Windows Registry. Filemon.exe – any file system activity is recorded by this tool. Diskmon.exe – any disk activity is recorded by this tool. SysInternals Process Explorer – like the Windows Task Manager plus additional features. Rapier (Rapid Assessment & Potential Incident Examination Report) is a framework that makes use of multiple tools to audit the entire OS. Wireshark and tcpdump – network analyser and sniffer.
  • 12. Dynamic Analysis – Windows Registry Tool: regmon.exe Two Windows Registry keys have been created and one modified (the first character of the service name under Services is not legible in this copy and is shown as ?): [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?supdate] [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?supdate] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AFD\Parameters]
  • 13. Dynamic Analysis – File System Tools: Rapier with WinAudit and Chksum, filemon.exe A new file called mssrv32.exe is created in C:\Windows\system32. File size is 12780 bytes. Other files added with the infection: 4c380647cca89aacd29ed5f7430b2151 _BOT.EXE-160375AD.pf. Filemon.exe is used to list all file activity in the system.
  • 14. Dynamic Analysis – File System The following file system activities are related to the creation of mssrv32.exe: Note that mssrv32.exe is the same size as _bot.exe.
  • 15. Dynamic Analysis – Network/Processes Tools: Tcpview, Rapier + Network Module + GDIProcs, WinAudit Tcpview output: A process without a name is identified by Tcpview. It starts a TCP connection from source port 1035 to destination port 80. 192.168.0.34 is the C&C master server in this instance. The properties of the process show a connection between the bot and svchost.exe.
  • 16. Dynamic Analysis – Network/Processes Rapier with Network Netstat result: (192.168.1.1 is the C&C server) Rapier with Network module result: The Rapier network module runs different scans. All the information gathered allows the analyst to identify the PID associated with the process, the source/destination port, the protocol and the associated executable. These results are confirmed by the GDI Procs scan analysis as well:
  • 17. Dynamic Analysis – Network/Processes WinAudit Result: Note that there is no information associated with Process Description and Process Manufacturer.
  • 18. Static Analysis – Reversing malware The environment and the tools used in the static analysis: VMware image of WinXP with SP2 – this is the controlled environment where the infection has been analysed. VMware image of Ubuntu running a LAMP environment to host the C&C system. OllyDbg – freeware Windows debugger – used with the builder.exe, crypt.exe, _bot.exe, crypted__bot.exe and cdat.dll files. IDA Pro – commercial Windows disassembler and debugger – used with the _bot.exe file. PEiD – PE analysis tool – used with the builder.exe, crypt.exe, _bot.exe, crypted__bot.exe and cdat.dll files.
  • 19. Static Analysis – Reversing malware Before analysing the disassembled code, information about the PE structure, imports and exports should be examined. Let’s dump the basic headers and the import/export entries of the malware executable. The export table only contains a reference to the start function, which is the OEP (Original Entry Point). Imports are mainly related to the following APIs and DLLs:
  • 20. Static Analysis – Reversing malware Some interesting functions imported:
  • 21. Static Analysis – Reversing malware Backdoor Installation When the program is first launched, it runs some checks to see whether it has already been installed, and if not it installs itself. This is done by calling GetModuleFileName to obtain the primary executable’s file name If nothing is found, it copies itself to C:INDOWSYSTEM32ssrv32.exe
  • 22. Static Analysis – Reversing malware The backdoor cannot delete the executable while it is running. The program had to launch a new instance, terminate the first one, and delete the original file from this new instance. The backdoor proceeds to create a mutex called {F3532CE1-0832-11B1-920A-25000A276A73}. The purpose of this mutex is to make sure no other instances of the program are already running; the program terminates if the mutex already exists. This mechanism ensures that the program doesn’t try to infect the same host twice.
  • 23. Static Analysis – Reversing malware During the installation, the backdoor interacts with the Windows Register. The following is an example of registry creation to establish the backdoor as a system service that will be run at each system boot: The following registry value is added to disable Windows raw socket security checks (this enable the backdoor to launch network DDoS):
  • 24. Static Analysis – Reversing malware After creating mssrv32.exe, it create a svchost.exe process. In then delete _bot.exe.
  • 25. Static Analysis – Reversing malware Botnet communication Then it starts to communicate with the server through POST request.
  • 26. Static Analysis – Reversing malware Crypted__bot.exe – some words about to defeat the protector used by Black Energy Some AV identify the packer as “Stalin” but no information is available about this packer. Crypt.exe creates an executable file which contains the encrypted backdoor at section 13112000 . At VA 131110A1 there is a call to the function 131111B9. This function includes multiple sub functions which perform bitwise operations to decrypt the backdoor into memory. The decrypted backdoor is then copied in clear text byte per byte to the memory address 00320000. Size of the memory allocated for the backdoor decrypted is 6000 bytes. The memory can then be dumped to an executable file with ollydump plug-in or the OEP can be changed. It is then needed to use tool like ImpRec to rebuild the Import/Exports table of the dumped file. LordPE can then be used to optimise the code.
  • 27. Static Analysis – Reversing malware Finding the OEP of the backdoor decrypted… Crypted _bot.exe is stored at 13112000 Crypted_.131111b9 decrypts _bot.exe to 00320000 Note that the different size: 6000 and 3000
  • 28. C&C System Architecture Command and Control System architecture requires: Mysql Server Any web server supporting PHP and PHP-Mysql The C&C is ideal for vulnerable LAMP environments Mysql Database Overview – the database is composed by three tables: Files – id, url, dnum, dtotal, country Opt – name, value Stat – id, build_id, files, ip, last, country, country_full Files table is associated to the downloader function. The URL variable contains the URL from which the backdoor can fetch and launch another executable. Not clear how this function works. It might be used for “updating” the botnet. A cross reference field is also present in the stat table (files).
  • 29. C&C System Architecture The Opt Table store the commands list: attack_mode – a numerical value for the type of attack (default, drop by socket, drop by timeout) cmd – the command to send to the bot http_freq – how many requests per second to send in HTTP GET flood mode http_threads – how many program threads to create for the HTTP flood icmp_freq – how many ICMP packets to send in an ICMP attack mode icmp_size – how large of ICMP packets to send in ICMP attack mode max_sessions – for ‘drop by timeout’ spoof_ip – Boolean, used in raw packet flooding attacks syn_freq – how frequently to send packets during a TCP SYN flood tcpudp_freq – how often to send TCP or UDP traffic tcp_size – how large the TCP packets should be udp_size – how large the UDP packets should be ufreq – how long (in minutes) to wait before checking for another command
  • 30. C&C System Architecture This is the opt table after a flood http localhost command sent to the bot:
  • 31. C&C System Architecture The Stat table contains all the statistics of the botnet: ID is built from the system’s SMB hostname and the System Volume ID from the C:drive of the infected machine build_id is the string value set by builder.exe (can be changed at the building time) Files is a reference to the files table. Last is a time value in the format of time() and measures the bot heartbeat Country and country_full are used by the web interface to display the relative country flag of the bot
  • 32. C&C System Architecture C&C system web interface (index.php) From here, commands can be sent and stat can be accessed.
  • 33. C&C System Architecture Sending the commands to the zombie… The command entered through the web interface (index.php) is saved into the database (table opt). The bot performs regular POST requests to http://c&cserver/stat.php or whatever URL value set at the building time. These requests are performed in order to receive commands from the master server. If the zombie is not able to connect to the master server, it will then automatically execute the command specified at the building time (by default -> wait). Wait set a counter after which the zombie will retry to connect to the master server.
  • 34. C&C System Architecture
    stat.php is responsible for retrieving commands from the database and outputting them base64-encoded.
  • 35. C&C System Architecture
    Commands available:
    Refresh Rate – change the refresh rate
    Flood – network DDoS attacks:
      icmp – a basic ICMP ping flood
      syn – a basic TCP SYN flood
      udp – a basic UDP traffic flood
      http – an HTTP GET request flooder
      data – a basic binary packet flooder
      dns – a DNS request flooder
    Wait – the bot process sleeps for x seconds and then repeats the POST request to receive new commands
    Stop – stop any attack currently running
    Die – delete the backdoor from the infected machine
  • 36. C&C System Architecture
    Command syntax:
      flood http 192.168.1.1 index.htm
      flood icmp 192.168.2.2 index.php
      flood syn 192.168.3.2
    Multiple commands can be specified using semicolons:
      dns; icmp; http; syn; 192.168.1.1#15#xHOST
    Normally the DDoS options are passed in the command syntax as well:
      '10;2000;10;0;0;30;100;3;20;1000;2000#wait#10#xHOST'
    In order: ICMP frequency, ICMP packet size, SYN frequency, spoof IP or not (Boolean value), the attack mode, the maximum number of HTTP sessions, the HTTP connection frequency, the number of HTTP threads, the TCP and UDP frequency, the UDP size, the TCP packet size and the bot id.
  • 37. Botnet Communication
    Botnet communication from a network perspective. Tools: tcpdump and wireshark.
    HTTP POST request from bot: note that the bot id and build_id are passed in the POST request. These are needed by the master to identify the bot.
    HTTP response from master server: Command -> 10;2000;10;0;0;30;100;3;20;1000;2000#stop#1#
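As an added example (not code from the deck or from the bot package), a Python parser for the command string format described on slides 36 and 37, written the way an incident responder would use it on a captured stat.php response: it decodes the base64 body and maps the eleven numeric fields onto the opt table names from slide 29. It assumes that a flood command and its target occupy the command slot between the '#' separators; the sample body is constructed from the response shown on slide 37.

```python
"""Parser for the BlackEnergy 1.8 C&C response format described on the slides.
Added example for traffic analysis; not part of the original deck or the bot package."""
import base64

# opt-table column names (slide 29) in the order slide 36 gives for the
# semicolon-separated numeric block of the command string.
OPT_FIELDS = (
    "icmp_freq", "icmp_size", "syn_freq", "spoof_ip", "attack_mode",
    "max_sessions", "http_freq", "http_threads", "tcpudp_freq",
    "udp_size", "tcp_size",
)
KNOWN_COMMANDS = {"wait", "stop", "die", "flood"}  # command verbs from slide 35


def parse_command(raw):
    """Split '<opts>#<cmd>#<value>#<bot_id>' into a dict of named fields.

    Raises ValueError when the layout does not match the slides' description,
    so a capture that deviates is surfaced instead of silently accepted.
    """
    parts = raw.split("#")
    if len(parts) != 4:
        raise ValueError("expected 4 '#'-separated parts, got %d" % len(parts))
    opts, cmd, value, bot_id = parts
    numbers = opts.split(";")
    if len(numbers) != len(OPT_FIELDS):
        raise ValueError("expected %d option values, got %d" % (len(OPT_FIELDS), len(numbers)))
    result = {name: int(n) for name, n in zip(OPT_FIELDS, numbers)}
    result["spoof_ip"] = bool(result["spoof_ip"])  # slide 36: Boolean value
    # Assumption: 'flood <type> <target> [<path>]' sits in the cmd slot; split verb from arguments.
    verb, _, args = cmd.partition(" ")
    result["cmd"] = verb
    result["cmd_args"] = args.split() if args else []
    result["known_cmd"] = verb in KNOWN_COMMANDS
    result["value"] = int(value) if value else None  # e.g. seconds for 'wait'
    result["bot_id"] = bot_id  # empty in the slide 37 response
    return result


def parse_response_body(body):
    """Decode the base64 body that stat.php returns (slide 34) and parse it."""
    decoded = base64.b64decode(body).decode("ascii")
    return parse_command(decoded)


# Constructed sample: the slide 37 response, base64-encoded as stat.php would emit it.
SAMPLE_BODY = base64.b64encode(b"10;2000;10;0;0;30;100;3;20;1000;2000#stop#1#").decode()

if __name__ == "__main__":
    print(parse_response_body(SAMPLE_BODY))
```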
  • 38. DDoS Attacks Overview
    DDoS attacks with the flood command:
    Flood udp – this attack sends malformed UDP packets. Source and destination ports are random.
    Flood icmp – this attack sends ICMP echo requests to the target with a payload of 1480 bytes (this value can be changed arbitrarily).
  • 39. DDoS Attacks Overview
    Flood http – this sends GET requests to the URL specified in the command syntax.
    Flood data – this sends malformed UDP packets with an invalid length. The payload size varies for each packet and random data is appended to the payload. Source and destination ports are random for each packet.
  • 40. Defenses and Countermeasures
    AV detection – both _bot.exe and crypted__bot.exe have been analysed. Some AV products still fail to identify the Black Energy backdoor; some identify it as a downloader instead. The service used is provided by virustotal.com.
    _bot.exe results available here: http://www.virustotal.com/analisis/c88ba95b30d2fe50bc612ab73b922fc2
    crypted__bot.exe results available here: http://www.virustotal.com/analisis/12cc7b4378f7ce90963232423590068b
  • 41. Defenses and Countermeasures
    _bot.exe results: detected by 23/32 AVs (71.88%)
  • 42. Defenses and Countermeasures
    crypted__bot.exe results: detected by 17/32 AVs (53.12%)
  • 43. Defenses and Countermeasures
    Backdoor variants: three different backdoor variants have been identified. The variants differ in the POST data sent to the C&C master server.
    First variant: uses a simple two-part data string to communicate with the web server, presenting the bot host ID and the build ID as two different variables.
    Second variant: uses only one variable, ‘data’, to submit this information, separating the two values with a colon (‘:’).
    Third variant: the same values (bot ID and build_id) plus a SOCKS/HTTP proxy address.
  • 44. Conclusions
    The Black Energy botnet package is not difficult to obtain.
    The C&C system is trivial to install and can be easily installed in any compromised LAMP environment.
    The C&C system is easy to use and manage (script-kiddie style).
    Some AV products still do not detect the Black Energy backdoor, although it has been around since mid 2007.
    Black Energy version 1.7 was released in summer 2007; version 1.8 was released in November. Probably a new version will come out soon.
    The main difference between version 1.7 and version 1.8 is the web interface and the downloader feature.
    It is unclear today what the next variants or versions of the Black Energy botnet package could be. The information currently available suggests that the next Black Energy botnet version will be easier to use and will include additional features.
  • 45. Demo
    Time for a demo! Demo in a VMware environment with only 2 hosts:
    C&C master server – Ubuntu 6.10 + LAMP – 192.168.1.1
    Bot machine – WinXP with SP2 – 192.168.1.2
  • 46. Questions? © 2007 Security-Assessment.com http://www.security-assessment.com [email_address]