FIRST2011 GunterOllmann ... · Other ZeuS CnC Structures ZeuS Kit Custom Cnc URL URL Type freehost21.tw/b/cfg375.bin CnC CnC

!"#$%&%'(")'(*++,#&-)./01(2,&)%&(2-.3'.)$(

456577( 8,+9#.$:&(;<=7=(>"?@"33"A(B)1C(D33(E.$:&/(E%/%#F%'(G,#3'H.'%C( 7(

About

•  I-)&%#(*33?"))(– !"#$%#&'(')*+,-#.)/0)11)#23+4#– 5$)*6#$%#7689($*(-#2:7+;8'#23+4#

•  2#.%J(2.,K(–  5''3#93#2<#936=(>*?#%$*#>@$#6'+)6'(#A#5=91>#)36#*=3#93>'*3);$3)1#B'3>'(>#>')/(-#&C.#D*$=B(#)36#+$3(=1;3D#B*)+;+'(#)*$=36#>,'#@$*164##

–  E$*/'*1?#F,9'%#G'+=*9>?#G>*)>'D9(>#%$*#25H-#.9*'+>$*#$%#IJE$*+'#%$*#2GG-#"*$%'((9$3)1#G'*89+'(#.9*'+>$*#%$*#KLG#G$M@)*'-#N')6#$%#7O)+P#G'*89+'(#QHQ7-#'>+4#

–  E*'R='3>#@*9>'*-#+$1=/39(>#)36#01$DD'*#@9>,#1$>(#$%#@,9>'B)B'*(S#

•  ,OBTUU01$D46)/0)11)4+$/#C#,OBTUU>'+,39+)193%$6$>3'>401$D(B$>4+$/U##

Targeted?

VUWUXX# Y#

Opportunistic?

VUWUXX# Z#

VUWUXX# [#

G:%#%(&,(2%$.)L(

!,,3/(")'(/%#F.1%/("F".3"@3%(J,#(/"3%A(#%)&(")'(3%"/%(

Today’s Threat Landscape

•  G:"&M/(.&(&"N%(&,(@%1,?%("(19@%#1#.?.)"3L(

VUWUXX# V#

O),H(:,H(&,(-/%("(/%"#1:(%)$.)%(

[email protected].&9(&,(.)/&"33(/,PH"#%((,)(9,-#(,H)(1,?+-&%#(

•  G:"&("@,-&(&:,/%(Q"'F")1%'R(&:#%"&/L(

S%'%#"&%'(%1,/9/&%?(,J(&,,3(")'(/%#F.1%(+#,F.'%#/(

T+%1."3./&(/%#F.1%/(")'($#"9U?"#N%&(%V+%#0/%(J,#(:.#%(

W.'%,(:,HU&,M/(")'("'F%#0X.)$(

Back in the old days!

•  T%3JU1,)&".)%'(@,&)%&(@-.3'.)$(-).&(– GP911(#)11#+$3>)93'6#@9>,93#)#(93D1'#>')/#

•  *)%U/&,+(1#.?%(/:,+(– 5=91693D-#/)3)D93D-#69(>*90=;3D##C#/$3';\93D#>,'#0$>3'>#

– 7=>$3$/$=(#+?0'*+*9/'#=39>################

VUWUXX# W#

H)1@)*'#7=>,$*# ]'0#.'8'1$B'*# Q/)91#G'36'*#Q^B1$9>#F$6'*# E*)=6#N)361'*#

A Brief History of Botnets

VUWUXX# _#


VUWUXX# `#

<$$#/)3?#$B'*)>$*(#+$/B';3D#%$*#

69/939(,93D#*'>=*3(#


VUWUXX# Xa#

H$*'#;/'#(B'3>#0)O193D##>,'9*#+$/B';>$*(#

b..$G-#()0$>)D'-#93%$*/)3>(-#'>+4c#


VUWUXX# XX#

L*$@93D#6'D*''(#$%#

(B'+9)19\);$3#

H)3?#+*9/93)1#$B'*)>$*#>')/(#

69(($18'#


VUWUXX# Xd#

E'6'*)>'6#('*89+'(#/$6'1#

23>*$6=+;$3#$%#3'@09'(#@9>,#/939/)1#

>'+,39+)1#(P911#

Service Specialization

•  8,)/,3.'"0,)(,J(%V+%#0/%(– .'69+)>'6#D=3(#%$*#,9*'#

•  2,-0Y-%(/+%1."3.X"0,)/(– <*)3(1);$3#('*89+'(#%$*#(B')*#B,9(,93D#+)/B)9D3(#– Q^B1$9>#@')B$39\);$3#%$*#736*$96#/)1@)*'#– 7*09>*);$3#('*89+'(#0'>@''3#0$>3'>#0=?'*(U('11'*(#

VUWUXX# XY#

5$>3'>#e9>#7=>,$*(# ",9(,93D#.'8'1$B'*(# 5=1P#GB)/#G'36'*(# .*98'J0?#F$6'*(# F)*6'*(#

VUWUXX# XZ#

D(W.@#")&(Z"#N%&(

Self-contained Ecosystem

•  T%#F.1%(")'(&,,3(+#,F./.,).)$((– E*$/#+$O)D'J936=(>*?#>$#%=11J('*89+'#$f'*93D(#

•  [#.1.)$(?,'%3/(&,(/-.&(")9(+,1N%&(– 5=?J>$J*'3>-#*'3>J>$J0=?#– G'*89+'#b)36#89+;/c#0)*>'*93D#

•  D\3."&%(/9/&%?/(– &'('11'*(#– !)1='J)66#('*89+'(#

VUWUXX# X[#

The Business of Crimeware

•  Z-30+3%(1,?+,)%)&/(&,(@,&)%&(@-.3'.)$(– F*');$3#$%#>,'#0$>3'>#+*9/'@)*'#– E$*+'U>*9+P#89+;/#>$#93(>)1193D#>,'#+*9/'@)*'#– 5=91693D#)#*$0=(>#F3F#93%*)(>*=+>=*'#– H$3';\);$3T#1)=36'*93D-#/=1'(-#'>+4#

•  [3%)&9(,J(,++,#&-).&9(J,#(&:.#'U+"#0%/(

VUWUXX# XV#

",9(,93D#

>#.F.)$(&:%(W.10?(&,(&:%(2"')%//(

51)+P,)>#GQ:# N)+P'6#G9>'# 23g'+;$3# :=>J$%J0)36# 5)33'*(# G$+9)1#K'>@$*P#

An Infection Lifecycle

VUWUXX# XW#

[,/&(])+"1N(.9()01'#1$+)1#('+=*9>?#"*'8'3>#=B6)>'(UB)>+,'(#238'3>$*?#89+;/#

W.10?(>#,++%#^/_(

Dropper unpacks on the Victim machine and runs

]+'"&%(>,H)3,"'%#(F$3h*/#93(>)11);$3#2(#>,9(#)#*')1#/)+,93'i#N)8'#2#(''3#9>#0'%$*'i#!"#$%&'($)*$+&'),-$.,/'

[,/&(D$%)&(B)/&"33(.'1'>'#6*$BB'*U93(>)11'*#F1')*#1$D(#C#'8'3>(#F)>)1$D='#C#938'3>$*?#

>,H)3,"'(2,&(D$%)&(N$(>#0$>#)D'3>b(c#7D'3>#('1'+;$3#+*9>'*9)#],9>'19(>'6#*'B$(9>$*9'(#!/012&'3,%/&%'$4&/%'

>"&"(E%+,/.&,#9(j$DD93D#$%#93(>)11#(=++'(('(#Q3+*?B>'6#h1'(#%*$/#89+;/#G>$1'3#B)((@$*6(#C#"22#

8#.?.)"3(8,)&#,3(H=1;B1'#F3F#B*$^9'(#G'B)*)>'#F3F#B$*>)1(#kB6)>'(#>$#0$>#)D'3>#kB6)>'(#>$#19(>#$%#F3Fl(#7D'3>#93>'D*9>?#+,'+P93D#j$+P93D#$%#)D'3>#>$#89+;/#2((=93D#$%#0)>+,'6#+$//)36(#5&(,%&'$--&66'7'-,/%+,)''

CnC Proxies CnC Portals

]+'"&%#(

>,H)3,"'%#(

E%+,/.&,#9(

Malware Reviews

VUWUXX# X_#

AV Testing

VUWUXX# X`#

AV Testing

VUWUXX# da#

The service lowest prices on the market: $0.12 for one-time validation (6 cents per file) and $ 20 per month for full-NL(

Tutorials

VUWUXX# dX#

Bullet-proof Hosting

VUWUXX# dd#

Full Service Hosting Providers

•  !"#$%&%'(/%#F.1%(,`%#.)$/(–  F)>'*93D#'^+1=(98'1?#>$#+?0'*#

+*9/93)1(#

VUWUXX# dY#

VPN Services

VUWUXX# dZ#

VPN Services

VUWUXX# d[#

Call Service Translation

•  S,#%.$)(3")$-"$%(/-++,#&(– F*9/'#(B'+9h+#

VUWUXX# dV#

Exploit packs

•  a3%,),#%(aV+(F7C4C<(•  [#.1.)$(

–  ")+P)D'T#mdaaa#–  kB6)>'(T#mXaa#–  &'0=916#%$*#3'@#2"T#m[a#

•  T+%1."3(+#.1.)$(–  G=0)++#Q69;$3T#md[aa#–  &'3>)1#Q69;$3T#mYaaa#

VUWUXX# dW#

Exploit Pack Diversity

VUWUXX# d_#

Exploit Pack Management

•  S-33(1"+"@.3.&9(+,#&"3/(•  Z-30+3%(%V+3,.&/(

– H=1;JB1)n$*/#C#)BB#

VUWUXX# d`#

DDoS for Rent

VUWUXX# Ya#

Botnet Selling

•  2-.3'U&,U/%33(?,'%3/(– "=019+#%$*=/#B$(;3D(#– "*98)>'#%$*=/#*'R='(>(#– H'69)>$*(#>$#%)+919>)>'#>*)3(%'*(#

VUWUXX# YX#

Buy Specific Bot Victims

•  8,?+#,?./%'(/9/&%?/(– N)+P'6#o/)3=)11?p#– N)+P'6#89)#L$$D1'6$*P(#– 5)+P6$$*#6'198'*?#

•  8"?+".$)/(– o:BB$*>=39(;+p#6'198'*?#– G9M93D#$%#89+;/#938'3>$*?#– GB'+9)19\'6#()1'#$%#3$>)01'#(?(>'/(#

PPI

VUWUXX# YY#

.9(>*90=>'6#<.jY#8)*9)3>(#

Full Service PPI

VUWUXX# YZ#

Gangstabucks

VUWUXX# Y[#

.9(>*90=>'6#<.jZ#8)*9)3>(#

VUWUXX# YV#

>./13".?%#/(b([#,&%10,)(

Disclaimers

•  c%$.0?"&%(,#(J#"-'L(– F$//$3#=('#$%#69(+1)9/'*(#)36#)D*''/'3>(#

•  Q[#,&%10,)R(")'(".#(,J("-&:%)01.&9(– "*$$%#$%#+$3+'B>#– K$>#%$*#+*9/93)1#=('#– "1')('#6$#3$>#=('#911'D)11?#–  23>'*3)1#>'(;3D#B=*B$('(#$31?#– ])**)3>?#8$96#9%#=('6#%$*#+*9/93)1#B=*B$('(#– F$//'*+9)1#3'>@$*P#)6/939(>*)>$*(#$31?#– F19+P#,'*'#>$#)++'B>#%=11#*'(B$3(90919>?#

VUWUXX# YW#

DDoSer Tool

7C   G%("#%(),&(:%3'(#%/+,)/.@3%(J,#(")9("10,)/(9,-(-/%(,-#(/,JH"#%(J,#C(

d4  ]'#)*'#3$>#*'(B$3(901'#9%#?$=#B=*+,)('#>,9(#@9>,$=>#,)893D#)3?#=36'*(>)3693D#$%#,$@#9>#@$*P(4#

Y4  <,'*'#)*'#K:#*'%=36(-#)11#()1'(#)*'#!"#$4#Z4  2%#?$=*#B$*>)1#)++$=3>#D'>(#(>$1'3-#?$=#,)8'#>$#B*$896'#

$@3'*(,9B#$%#9>#0'%$*'#@'#@911#$f'*#(=BB$*>#$3#,'1B93D#?$=#D'>#9>#0)+P-#$>,'*@9('#9>(#3$>#$=*#B*$01'/4#b"=*+,)('#23%$*/);$3#'>+4c#

[4  ]'#$31?#$f'*#(=BB$*>#9%#9>(#($/'>,93D#$3#$=*#'36-#$>,'*@9('#@'#)*'#3$>#*'(B$3(901'#9%#?$=*#,)893D#B*$01'/(#@9>,#=(93D#$=*#($M@)*'4#b]'#)*'#,'*'#>$#,'1B-#3$>#(B$$3#%''64c#

V4  ]'#6$#3$>#(=BB$*>#*'($16#)++$=3>(q#G%("#%(),&(:%3'(#%/+,)/.@3%(.J(9,-("#%(/1"??%'(@9("(#%/%33%#A(&,(@%(/"J%(9,-(/:,-3'(,)39(@-9(>>,T%E(J#,?(-/C#2%#?$=#696#3$>#B=*+,)('#%*$/#=(#>,'3#@'#)*'#3$>#*'R=9*'6#>$#D98'#?$=#(=BB$*>4#

W4  r$=#/)?#D'>#>*$11'6#$3#93#sk('*#+,)>s-#@'#6$3t>#+)*'-#($#6$3>#+$/'#+*?93D#>$#=(#0'+)=('#9>(#3$>#$=*#B*$01'/#>,)>#?$=*#(>=B969>?#$8'*#+$/'(#?$=4#

VUWUXX# Y_#

DarkComet RAT Disclaimer

•  83.1NU&:#,-$:(a]cD5>./13".?%#/(

VUWUXX# Y`#

Scam Reporting

VUWUXX# Za#

VUWUXX# ZX#

2,&)%&(2-.3'.)$(b(*+%#"0,)/(

2010 Biggest Botnets

VUWUXX# Zd#

<=7=(2,&)%&# [%#1%)&"$%(,J(W.10?([,+-3"0,)#

<==d([,/.0,)#

7# <.j5$>3'>7#b&=6'])*1$+PH$0c# XZ4_u# JJ#

<# &$D='7!5$>3'>#bE*')P?GB96'*F)*>'1c# [4Wu# JJ#

e# v'=(5$>3'>5#bE$=*j)P'&96'*(c# [4Yu# JJ#

f# H$3P9%# [4du# [>,#

g# e$$0%)+'47# Z4au# w#>$BXa#

4# F$3h+P'*4F# d4_u# w#>$BXa#

6# N)/@'R#bL*)?G=3L9*1(c# d4[u# JJ#

h# 76@)*'<*$g)35$>3'>#b]9+P'6&$+PH$3(>'*(c# d4du# JJ#

d# G)19>?# d4Xu# w#>$BXa#

7=# GB?Q?'5$>3'>7#b:3'G>*''><*$$Bc# X4`u# JJ#

Feature Creep

Kit Development & Deployment

VUWUXX# ZZ#

i%-/(

T+9a9%(

!>TT(

Zeus

•  *#.$.)"339(i@,&(H"/("(I"?.)$(Z,'58:%"&(@,&(

•  B).0"339('%F%3,+%'(@9(T3"F.N(^"N"(Z,)/&#_(.)&,(&:%(i%-/(@,&(H%(N),H(&,'"9(

•  S,#(H%33(,F%#(g(9%"#/(i%-/(^i@,&_(3%'(&:%(&,+(7=(?,/&(H")&%'(1#.?.)"3()%&H,#N/(

•  a"/&%#)(a-#,+%")(@"/%'(,#$").X%'(1#.?.)"3(&:#%"&(

•  B)(%"#39(j7(<=77(@%/&(,J(i%-/(H"/(?%#$%'(.)&,(T+9a9%(

•  B)(3"&%(j7(<=77(/,-#1%(1,'%(J,#(F%#/.,)(<C=ChCd([email protected](3%"N%'(

2/15/2007 10/14/2011

1/1/2008 1/1/2009 1/1/2010 1/1/2011

2/28/2009Millions of Infections Identified

2/28/2008Phising with Zeus en’mass

11/3/2009Small Zeus Arrest

2/15/2007Zbot originally a Game Mod 7/31/2007

Zeus (Zbot) Identified

11/27/20099 Million Emails

7/10/2010International Banks Hit

10/15/201090 Zeus Arrests

10/1/2010$70M Reported Stolen

11/1/2010Zeus Source Passed

3/21/2011Zeus v2 Source Leaked

VUWUXX# ZV#

0

200,000

400,000

600,000

800,000

1,000,000

1,200,000

1,400,000

1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51

Major Zeus Botnets 2010

FourLakeRiders

GreenAlienRiders

RAT-ZU-91117

EightLakeRiders

Zeus

VUWUXX# ZW#

Zeus code for sale/grabs

VUWUXX# Z_#

ZeuS CnC Structures i%-T(O.&(>%J"-3&(]Ec( ]Ec(!9+%(

X%+:%:,,Y-C#-5@.)5&%%?"%N,C@.)( 8)8(

.F%%&%%+%HC#-5@.)5&%%?"%N,C@.)( CnC(

k,1-'".'.%C#-5@.)51":',.$-C@.)( CnC(

k,:$:%%k"%C#-5@.)5,,+".@,,C@.)( CnC(

N".&:--/:.C#-5@.)5".+:".+.C@.)( CnC(

'%.3"%9%%HC#-5@.)5-1-,/"%HC@.)( CnC(

"'".1:"%+,C#-5@.)5&:,,&:"?C@.)( CnC(

,,&".F.3%.C#-5@.)5&:,,&:"?C@.)( CnC(

F,#",k,,)$C#-5@.)5/"%k-,$.C@.)( CnC(

dahzunaeye.ru/bin/sofeigoo.bin CnC

,8"8$89&-8:+2;30/;3$012$$#:30/' CnC(

,8"8$89&-8:+2;30/;&&4,%,,<:30/' CnC(

,8"8$89&-8:+2;30/;82&480=$:30/' CnC(

,8"8$89&-8:+2;30/;)$$/40&%:30/' CnC(

,8"8$89&-8:+2;30/;,,(0&"8&:30/' CnC(

,8"8$89&-8:+2;30/;6$&>2,40:30/' CnC(

,8"8$89&-8:+2;30/;6829$0-$:30/' CnC(

,8"8$89&-8:+2;30/;%8,,%8$(:30/' CnC(

,8"8$89&-8:+2;30/;?,0+,,-,:30/' CnC(

,8"8$89&-8:+2;30/;?26,4$88:30/' CnC(

Other ZeuS CnC Structures

ZeuS Kit Custom Cnc URL URL Type

freehost21.tw/b/cfg375.bin CnC

www.technoplast.com.ua/catalog/nibco/tmc.bin CnC

askuv.com/percent/update.bin CnC

leadingcase.cc/20aug_old.cpm CnC

mswship.com/xed/config.bin CnC

nascetur.com:81/wc/cof58.bin CnC

nascetur.com:81/wc/g6.php Drop Site

nascetur.com:81/wc/512.exe Trojan


VUWUXX# [X#

i%-/(

T+9a9%(

!>TT(

SpyEye

•  >%F%3,+%'(@9(E,?")(^"N"(I#.@,5l.#,_(.)(?.'U<==d(

•  E%3%"/%'(.)(3"&%(<==d(&,(1,?+%&%(H.&:(i%-/A("-&,?"01"339(#%?,F.)$(i%-/(-+,)(.)J%10,)(

•  B)(jf(<=7=(E,?")(#%1%.F%'(/&%H"#'/:.+(,J(&:%(i%-/(@,&(/,-#1%(1,'%(J#,?(T3"F.N(

•  B)(j7(<=77(T+9a9%(7Ce(%?%#$%'("/(&:%(@%/&(,J(i%-/(")'(T+9a9%(?%#$%'(H.&:()%H(J-)10,)"3.&9(

–  H$091'#.'89+'(#–  ..$G#–  Q3,)3+'6#"'*(9(>'3+'#

6/15/2009 10/14/2011

1/1/2010 1/1/2011

6/15/2009Roman starts with SpyEye

11/3/2009SpyEye Discovered

1/31/2010SpyEye Competes w/Zeus

6/10/2010SpyEye Infiltrated

11/22/2010Dev team gets Zeus source

1/11/2011SpyEye 1.3 released

2/19/2011SpyEye DDoS'ing

2/28/2011SpyEye now Mobile

4/6/2010SpyEye Deleting Zeus

4/25/2011SpyEye #1 US Threat

SpyEye 1.3

VUWUXX# [Y#

WebInjects for SpyEye/Zeus

VUWUXX# [Z#

Mynet-Injects Service

VUWUXX# [[#

SpyEye

Type

barcalys-trial3.com/main/bin/build.exe Malware Drop

coundnes.com/cache/bin/build.exe Malware Drop

eu-analytics.com/sp4a/bin/1_sp4a_new.exe.crypted.exe Malware Drop

217.23.7.21/date/gate.php?guid=User!SANDBOX0!D06F0742&ver=10129&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=19&ccrc=3D893DD9&md5=60d6d584515e1925e0d0c9edd8b32eed

CnC

200.63.45.69/~datosco/main/gate.php?guid=User!SANDBOX2!D06F0742&ver=10132&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=100&ccrc=690E5C55&md5=82beb808bef523b7660af10266377407

CnC

91.213.174.34/spyeye_main/gate.php?guid=User!SANDBOX2!D06F0742&ver=10200&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=22&ccrc=B144ABF5&md5=e8a713c24a38b9339474f71f5bcff78a

CnC

77.78.240.162/spye/gate.php?guid=User!SANDBOX0!D06F0742&ver=10207&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&plg=ftpbc&cpu=100&ccrc=8CCFE0AB&md5=84a9aedb378c3ec297a775c1f7fc573a

CnC

113.11.194.173/eye/main/gate.php CnC

204.12.243.187/main/gate.php CnC

200.56.243.137/includes/admin/gate.php?guid=User!SANDBOX2!D06F0742&ver=10207&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=80&ccrc=3FF0F25D&md5=86e1bb6f428421a06bdae1b2b55323d1

CnC

200.56.243.137/includes/phpbb/gate.php CnC

200.56.243.137/joomla/admin/gate.php CnC

cocainy.net/spmini/gate.php?guid=User!SANDBOX0!D06F0742&ver=10225&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=100&ccrc=ED1A0A53&md5=1aa16572aee1486c7cd8c78dad9cb510

CnC

craken.biz/aimpis/gate.php?guid=User!SANDBOX2!D06F0742&ver=10211&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&cpu=100&ccrc=3AF32A5D&md5=a5c67adc367e850f49c441b2cee4b59b

CnC


VUWUXX# [W#

i%-/(

T+9a9%(

!>TT(

TDL/TDSS

•  S.#/&("++%"#")1%(.)(<==h("/("(#,,&N.&/(H.&:(/&#.)$/(,J(!>TT(–  <,'*'#D$#>,'#3)/'#<.GG#)#B1)?#$3#>,'#)+*$3?/#GG.<#@,9+,#9>#0*$P'#–  <.j#+$/'(#%*$/##>,'#B1)?#$3#>,'#)+*$3?/#j.<#0=>#)1($#)(#>,'#o<?1'*#.=*6'3#j$)6'*p#

•  2%&H%%)(<==hU<=7=(F%#/.,)/(7Ue(m(B)J,(T&%"3%#/(b(',H)3,"'%#/(J,#(#,$-%(DW(")'(>nT(1:")$.)$(&#,k")/(^/-@3%"/.)$_(

•  B)(je(<=7=(F%#/.,)(f(J,1-/%'(,)(.)U'%+&:(+%#/./&%)1%(Z2E(.)J%10,)(

•  B)(j7(<=77(F%#/.,)(fC7(&:%#%(./(),H(4f@.&(/-++,#&(

•  B)(j<(<=77(E%+,#&/(,J(Z"1(")'(Z,@.3%('%F.1%(/-++,#&(

•  Z"#1:(<=77(o(.)/&"33/(,&:%#(?"3H"#%(–  ]93YdUL1=B>'0)4.#bF19+Pg)+P93DUGQ:#0$>c#

4/15/2008 6/14/2011

1/1/2009 1/1/2010 1/1/2011

5/9/2008TDSS/TDL v1

First Discovered

2/17/2010TDSS/TDLv3 released



8/9/2009Millions of Infections

Reported

1/20/2011Added 64bit Support

11/1/2010Included Mobile Support

5/28/2011Linux/Mac OSX MBR

TDB

8/5/2010Includes MBR Infector2/5/2009

Business with FakeAV

4/30/2010Business w/DNS Changer

VUWUXX# [`#

0

500,000

1,000,000

1,500,000

2,000,000

2,500,000

3,000,000

1 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49 51

TDL3BotnetA (RudeWarlockMob) 2010

RudeWarlockMob

VUWUXX# Va#

TDL3 Driver Source

VUWUXX# VX#

TDL/TDSS Gang

Type

64.191.25.166/perce/447c05f1e6bff6d24d24a15d483cedb9689f10406b7230b46e69c850008919480e2c3fe8d432c72e6/607/perce.jpg

CnC


CnC

69.10.35.251/perce/465cbbfb5c459068718ea7c544e87ed2a776f651b13f6f75e085d95d0f16be4d73603cc8bfd83f316/d4f5b0c5628/qwerce.gif

CnC

69.10.35.251/perce/8020ac6db14a14e0ed94c17da86c8d0938cff0c02ba29014aee9a81000a9b998de6c0f98a422879eb/400/perce.jpg

CnC

69.10.35.251/perce/96ec3b1bcc25c048614e07d5d478be22d7565661f17f1f754035b9cd3ff64ecde370eca8afa8ff01f/f0e/perce.jpg

CnC


CnC

images-humanity.com/werber/30f/216.jpg CnC

imagesmonitor.com/werber/e4d08081926/216.jpg CnC

pictureswall.com/werber/b0f/216.jpg CnC

hipartsonline.com/werber/548582c8e44/217.gif

CnC

virtualartsonline.com/perce/23a8802761f8ac0664709edb14bbd80dee 020a2ca627fe38e60811523634ef62dc748b397c3e4cd0a/d4b8c69787c/qwerce.gif

CnC

videoartfilms.com/werber/34a826c797b/217.gif CnC

>."3.)$(.)(&:%(Dp"1N(

Opportunistic Building Strategy

•  !:%#%M/("($%)%#"3(?9&:(&:"&(@,&)%&(,+%#"&,#/("#%(,++,#&-)./01(.)(&:%.#(@-.3'.)$(/&#"&%$9C((–  23#($/'#$16'*#)36#(1$BB9'*#+)('(#>,'?#)*'#0=>#>,93D(#,)8'#/$8'6#$34##

•  >"?@"33"(&#"1N.)$(/%F%#"3(&:,-/")'/($#,-+/(– 7((9D393D#%=33?#3)/'(#'>+4#– GB'+9)19\'6#>)+;+(#

VUWUXX# VZ#

Major Attack “Classes”

VUWUXX# V[#

<)*D'>'6#

<*9B@9*'#

<*)@193D#

[#%'%q)%'#$0g'+;8'#)36#89+;/#19(>###x#7O)+P#8'+>$*(#>=3'6#>$#>)*D'>#*'R=9*'/'3>(###x#.'(;3);$3U=('#$%#(>$1'3#6)>)#B*'J)D*''6###x#E$+=('6#>$$1#6'(9D3#)36#/)3=)1#B*$+'(('(#

B)'./1#.?.)"&%#o@*$3D#B1)+'#)>#>,'#@*$3D#;/'p###x#G''693D#$%#B$B=1)*#(9>'(U1$+);$3(Uh1'(###x#:BB$*>=39(;+#*'>=*3#$3#89+;/(#A#($*>#)M'*@)*6(###x#E9*'#)36#%$*D'>#@9>,#3$U1$@#/)3)D'/'3>#+$(>(##E$+=('6#=B$3#)#>)*D'>#+#,q3%(##x#F)(;3D#)#@96'#3'>#$8'*#B$((901'#89+;/(###x#H$3';\);$3#)3D1'#)1*')6?#6'+96'6#=B$3###x#Qy+9'3>#)36#1)*D'1?#)=>$/)>'6#)BB*$)+,#

Attack Cost

•  T1%)"#.,K(–  XZ?*J$16#@)3;3D#>$#..$G#o%*9'36(p#$3#IJ5$^#–  G''6#>$**'3>(#)36#3'@(D*$=B(#@9>,#0$>3'>#)D'3>#–  <)*D'>#z#D*$@>,#*)>'#$%#Xaa#89+;/(#B'*#@''P#

VUWUXX# VV#

<*9B@9*'#

Setup Monthly Annually

Zeus DIY Kit •  Pirated version

$0 $0 $0

Single CnC server •  Home computer

$0 $30 $360

Dynamic DNS •  Free DDNS for DHCP churn

$0 $0 $0

Total $0 $30 $360

Attack Cost

•  T1%)"#.,K(–  X_?*J$16#(>=6'3>#93#5*)\91#@)3;3D#kG7#89+;/#0)3P#)++$=3>(#–  F)*0$3J+$B?#B,9(,93D#'389*$3/'3>#)36#'/)91(#–  <)*D'>#z#d-[aa{#89+;/(#B'*#@''P#

VUWUXX# VW#


SpyEye DIY Kit •  Commercial version

$2,000 $0 $500

Two CnC servers •  Bullet proof

$75 $30 $360

US Bank phishing SpyEye plug-in $50 $0 $0

Spam sending service •  100,000 emails per day

$0 $100 $1200

Total(s) $1,125 $130 $2,060

<*)@193D#

Attack Cost

•  T1%)"#.,K(–  "*$%'((9$3)1#+?0'*+*9/93)1#1$$P93D#%$*#09D#B)?/'3>#–  j$+);3D#)36#'8'3>=)1#(B')*JB,9(,93D#$%#FE:#–  <)*D'>#z#$0>)93#+$*B$*)>'#0)3P93D#+*'6'3;)1(#

VUWUXX# V_#


Poison Ivy malware construction kit (licensed) $0 $0 $0

Armoring of malware & QA FUD testing $60 $20 $240

Obtaining corporate hierarchy details $499 $0 $0

Email, translation and spear-phishing design $200 $0 $0

Mule & transaction laundering service $0 $600 $0

Total(s) $759 $620 $240

<)*D'>'6U<*)@193D#

Attack Cost

•  T1%)"#.,K(–  73$3?/$=(#'3;>?#b")>*9$;+#$*#"$19;+)11?#/$;8)>'6c#–  23h1>*)>'#)36#(>')1#($M@)*'#(9D393D#+'*;h+)>'#–  <)*D'>#z#7#B$B=1)*#/9+*$B*$+'(($*#/)3=%)+>=*'*#

VUWUXX# V`#


Commercial grade RAT $0k $0 $0

Commissioned spear-phishing campaigns •  Guaranteed delivery, 24x7 support

$2k $2k $24k

Access to 2 (two) 0-day vulnerabilities •  Replacement warranty if fixed/patched

$40k $0 $0

Rent-a-hacker •  Experienced hacker & enterprise network navigator •  10 man-day retainer + hourly rate

$20k $0 $0

Total(s) $62 $2 $24

<)*D'>'6#

VUWUXX# Wa#

G#"++.)$(.&(-+r(

Keeping it simple (and wrong)

VUWUXX# WX#

W.10?( Dp"1N%#(

>%3.F%#9( Z"3H"#%(

S#"-'(

Federated Operations

VUWUXX# Wd#

W.10?(

Dp"1N%#(

>%3.F%#9(

Z"3H"#%(

D#?,#.)$(

aV+3,.&/(

S#"-'(

8,)/,3%(>%F%3,+%#/(

*#$").X%'(8#.?%(

T&"&%(T+,)/,#/(

Context Change

•  23-##%'(Q!"#$%&%'R(F/(Q*++,#&-)./01RL(– k3)y19)>'6#)O)+P#+$/B$3'3>(#–  236'B'36'3>#('*89+'#B*$89(9$393D#

•  !"#$%&%'("p"1N/(– .$'(#o93>'3>p#/)O'*i#– o2>l(#g=(>#0=(93'((p#A##.$3l>#>)P'#9>#B'*($3)11?#

VUWUXX# WY#

Perspective

•  B&M/("(?"p%#(,J(+%#/+%10F%(–  2>#%''1(#B'*($3)1S#

•  !:%#%(?"9(@%(&"#$%&%'(,@k%10F%/(– .9f'*'3>#B)*>(#$%#>,'#o8)1='#+,)93p#

•  Dp"1N('%3.F%#9(,++,#&-)./01(– H=1;B1'#+)/B)9D3(#C#B*$0)0919;'(#$%#(=++'((#– L*)?J)*')(#$%#$B'*);$3#

VUWUXX# WZ#

New Label?

•  B/(&:%(Q!"#$%&%'(Dp"1NR(")(,-&'"&%'(&%#?L(– 5)O193D#)3#'+$(?(>'/#3$>#)3#9369896=)1#

•  !cD("3&%#)"0F%(3"@%3/L(–  7"<#b768)3+'6#"'*(9(>'3>#<,*')>c#–  757#b7y19)>'J0)('6#7O)+Pc#–  F.G#bF*9/'@)*'#.9(>*90=;$3#G?(>'/c#– ]"]<#b]*$3D#"1)+'-#]*$3D#<9/'c#

VUWUXX# W[#

Opportunity

VUWUXX# WV#I-)&%#(*33?"))A(@A'5&6&$+-8' $,33?"))s'"?@"33"C1,?'

Documents

FIRST2011 GunterOllmann ... · Other ZeuS CnC Structures ZeuS Kit Custom Cnc URL URL Type freehost21.tw/b/cfg375.bin CnC CnC