(Botnets and Malware) The Zbot attack. Group 7: Andrew Mishoe David Colvin Hubert Liu George Chen John Marshall Buck Scharfnorth


What Happened?
Type of Attack
- Botnet: a group of compromised computers that can be controlled by a master
- Targeted malware attack (Zeus Trojan)
- Zeus crimeware toolkit
- Ability to evade anti-virus software
- Banking/financial institutions and small companies attacked
Toolkit Capability
- Customized malware creation
- Website phishing
- Command and control capability
- Web injection scripts (monitoring tools)
- Kill OS script (delays the victim from realizing they are under attack)
- Screenshots, logging keystrokes, running a proxy server, hosting phishing websites, spamming campaigns

What Happened?
- Installs on the machine and disables security software
- Embeds the configuration file from the toolkit
- Retrieves data and uploads it to a remote URL

What was the impact?
Spread
- First became widespread in March 2009
- In May 2009, a botnet operator spontaneously decided to render 100,000 PCs inoperable
- Named America's most pervasive computer botnet virus by Network World magazine in July 2009
- In October 2009, Facebook phishing e-mails were measured being sent out at over 500 per second
- In November 2009, 9 million e-mails were sent out over a two-day period targeting Verizon customers
- Infiltrated Amazon's cloud computing network in December 2009

What was the impact?
Spread (cont.)
- 3.6 million infections, measured July 2009
- Accounted for 44% of all financial malware infections in September
- Still very active today

Why did this attack succeed?
Social Engineering (Human Ignorance)
- Infiltrated computers through phishing emails themed as: Facebook, Microsoft Updates, Conficker removal, CDC vaccinations, UPS, Delta Airlines, system administrator emails
- Used authentic-looking domain names: updata-1.com, admin-data.com, 1-db.com, 1ssl-network.com, upd-central.com, central-updates.com, admin-systems.com, db-1.net, cert1.net, admin-db.net
- Easy deployment; used by a vast number of criminal organizations

Malware Tactics
- Infects computers in multiple ways: phishing, malicious scripts in web pages
- Rootkit: hides files and folders from view, injects code into system processes, hard for security software to detect
- Disables security: closes the firewall and other security applications
- Fast-flux DNS

What happened in the aftermath?
- Zbot server in the Cayman Islands shut down in June 2009
- It stored FTP login information for over 68,000 websites, including those of major companies: Amazon, Bank of America, BBC, Cisco, McAfee, monster.com, Symantec
- Two suspects questioned by Manchester officials in November

Attacks continue...
- Amazon disconnected the infected channel in its EC2 cloud shortly after the discovery in December
- Newer variants are more difficult to detect: Virustotal.com reported only 6 out of 41 anti-virus programs detecting the virus as of September 2009
- Over 200 new Zbot servers have come online already this year, and there are over 1,000 currently active servers
- New phishing e-mails started to appear just this past week, probably from Russia

What was done to make systems less vulnerable to this kind of threat?
Common
- Educate users about spam and Trojans
- Listen to system warnings
- Frequent anti-virus updates
- Keep Windows and other software up to date
Home Users
- Keep up to date on the threats that exist
- Don't open email from unknown senders
- Don't open files or click on links unless you are sure
- Don't open firewall ports unless you know about the application

What was done to make systems less vulnerable to this kind of threat?
Corporate Users
- Use signatures to verify the authenticity of senders
- Keep users out of administrator accounts
- Do risky/sensitive work on virtual machines
- Tighter firewall protection and traffic filters
- Web filtering to help guard against malicious controller domains
- Internal distribution of updates
- Threat detection devices embedded in the network
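The two network-side ideas above, web filtering against known controller domains and the fast-flux DNS tactic from the Malware Tactics slide, can be illustrated with a small resolver-log analyser. This is an added example written for this page, not code from the presentation or from any product; the log format, the thresholds and the sample log lines are constructed assumptions. The blocklist is the set of phishing domains the slides list; the fast-flux heuristic flags a name that resolves to many distinct addresses with short TTLs within a short window, which is what fast-flux hosting looks like from the resolver's side (a legitimate CDN can look similar, so hits are leads for an analyst, not verdicts).

```python
"""Added example (not from the original slides): flag DNS activity typical of
Zbot/Zeus-style controller infrastructure in a constructed resolver log.

Two checks run over each log line:
 1. blocklist match against the phishing domains named on the slides
    (the kind of list a web filter would consume), and
 2. a fast-flux heuristic: one domain resolving to many distinct IPs with
    short TTLs inside a short time window.
Log format, thresholds and sample data are assumptions made for the example.
"""
import re
from collections import defaultdict

# Domains the slides list as used in the campaign's phishing mail.
BLOCKLIST = {
    "updata-1.com", "admin-data.com", "1-db.com", "1ssl-network.com",
    "upd-central.com", "central-updates.com", "admin-systems.com",
    "db-1.net", "cert1.net", "admin-db.net",
}

# Constructed resolver log, one answer per line:
# "<epoch> <client> <qname> A <answer_ip> ttl=<seconds>"
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.org A 93.184.216.34 ttl=86400
1700000001 10.0.0.7 admin-data.com A 198.51.100.9 ttl=300
1700000002 10.0.0.5 cdn-flux.example A 203.0.113.10 ttl=60
1700000062 10.0.0.5 cdn-flux.example A 203.0.113.77 ttl=60
1700000122 10.0.0.5 cdn-flux.example A 198.51.100.200 ttl=60
1700000182 10.0.0.5 cdn-flux.example A 192.0.2.45 ttl=60
1700000242 10.0.0.5 cdn-flux.example A 192.0.2.99 ttl=60
1700000300 10.0.0.9 www.example.org A 93.184.216.34 ttl=86400
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<qname>\S+) A (?P<ip>\S+) ttl=(?P<ttl>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = int(rec["ts"])
            rec["ttl"] = int(rec["ttl"])
            rec["qname"] = rec["qname"].lower().rstrip(".")
            yield rec


def blocklist_hits(records):
    """Return sorted (client, qname) pairs that resolved a blocklisted domain."""
    return sorted({(r["client"], r["qname"]) for r in records if r["qname"] in BLOCKLIST})


def fast_flux_domains(records, min_ips=4, max_ttl=300, window=3600):
    """Return (qname, distinct_ip_count) for names whose answers all carry a TTL
    of at most max_ttl and that produced at least min_ips distinct addresses
    within window seconds."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["qname"]].append(r)
    flagged = []
    for name, recs in by_name.items():
        if any(r["ttl"] > max_ttl for r in recs):
            continue  # long TTLs are not consistent with fast-flux rotation
        ips = {r["ip"] for r in recs}
        span = max(r["ts"] for r in recs) - min(r["ts"] for r in recs)
        if len(ips) >= min_ips and span <= window:
            flagged.append((name, len(ips)))
    return sorted(flagged)


def analyse(text):
    """Run both checks over a log and return the findings."""
    records = list(parse_log(text))
    return {
        "blocklist": blocklist_hits(records),
        "fast_flux": fast_flux_domains(records),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```

Run against the constructed log, the blocklist check reports the client that resolved admin-data.com, and the fast-flux check reports cdn-flux.example with five distinct addresses at a 60-second TTL, while www.example.org is left alone because of its day-long TTL. In a real deployment the blocklist would be fed from threat intelligence and the flagged names reviewed before being added to the web filter.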

What chapter in the book will be helpful in understanding this event?
- Chapter 3 - Program Security: Viruses and Other Malicious Code (3.3), Targeted Malicious Code (3.4)
- Chapter 7 - Security in Networks: Threats in Networks (7.2)

Questions?

Sources
- http://community.ca.com/blogs/securityadvisor/archive/2009/12/10/zbot-reports-a-quot-possible-fraudulent-visa-cardtransaction-quot.aspx
- http://blog.trendmicro.com/zbot-targets-facebook-again/
- http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits
- http://community.trendmicro.com/t5/web-threat-spotlight/facebook-phishing-page-leads-to-exploits-and-zbot/ba-p/2237
- http://www.securecomputing.net.au/news/149039,malicious-server-used-to-propagate-zbot-shut-down.aspx
- http://www.securecomputing.net.au/news/148759,ftp-login-credentials-at-major-corporations-breached.aspx
- http://news.bbc.co.uk/2/hi/uk_news/england/manchester/8366504.stm
- http://www.spamfighter.com/news-12877-new-study-finds-computer-virus-zeus-bot-in-internet-postcards.htm
- http://www.darkreading.com/security/antivirus/showarticle.jhtml?articleid=220000718
- http://blog.fortinet.com/august-2009-threatscape-zbot-detected-in-record-levels-fresh-vulnerabilities-consistently-attacked/
- http://www.scmagazineus.com/new-verizon-wireless-themed-zeus-campaign-hits/article/157848/