My presentation from CSI 2010
www.pandasecurity.com
Lessons Learned from Mariposa: Avoiding Disaster, Protecting from Cybercrime
Sean-Paul Correll, Threat Researcher
Panda Security, USA
May 2009
October 2009
Mariposa Working Group
Defence Intelligence
Panda Security
Georgia Tech Information Security Center
Neustar
Researchers who wish to remain anonymous
In collaboration with:
FBI
Spanish Civil Guard
Some of the DNS domain names observed as C&C servers:
lalundelau.sinip.es
bf2back.sinip.es
thejacksonfive.mobi
butterfly.BigMoney.biz
bfisback.sinip.es
qwertasdfg.sinip.es
Early estimates (diagram labels): Command & Control (unknown); SPAIN; USA; PANAMA; 100,000 – 200,000 Victims; UDP COMMUNICATION
(diagram labels): Command & Control (unknown); SPAIN; USA; PANAMA; 100,000 – 200,000 Victims; SINKHOLE
Timeline
December 21st 2009
Spanish LE visit to CDMON (Spanish ISP)
December 23rd 2009
All C&C domains pointed to sinkhole:
Cdmon, ChangeIP, Directi, GetmyIP, DynDNS
December 24th 2009
New binary (2/24 @ VirusTotal) dropped.
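As an added example (not part of the original presentation), the defender-side check that the sinkhole makes possible: scan resolver logs for internal clients that queried the C&C names listed earlier, and mark those whose answers already point at the sinkhole, since those hosts are still beaconing and need cleanup. The log line format and the sinkhole address 192.0.2.10 are constructed assumptions.

```python
import re
from collections import defaultdict

# Domain names the presentation lists as observed Mariposa C&C servers.
MARIPOSA_CNC_DOMAINS = {
    "lalundelau.sinip.es",
    "bf2back.sinip.es",
    "thejacksonfive.mobi",
    "butterfly.bigmoney.biz",
    "bfisback.sinip.es",
    "qwertasdfg.sinip.es",
}

# Constructed resolver log in a hypothetical "timestamp client qname answer" format.
SAMPLE_DNS_LOG = """\
2009-12-23T10:01:05Z 10.0.4.17 bf2back.sinip.es 192.0.2.10
2009-12-23T10:01:09Z 10.0.4.17 www.example.com 93.184.216.34
2009-12-23T10:02:44Z 10.0.7.3 BUTTERFLY.BIGMONEY.BIZ. 192.0.2.10
2009-12-23T10:03:01Z 10.0.4.17 thejacksonfive.mobi NXDOMAIN
2009-12-23T10:05:30Z 10.0.9.8 mail.example.com 198.51.100.5
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_cnc_name(qname, domains=MARIPOSA_CNC_DOMAINS):
    """True if qname is a listed C&C name or a subdomain of one.
    Matching is case-insensitive and tolerates a trailing dot."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def find_cnc_clients(log_text, sinkhole_ip):
    """Return {client_ip: [(qname, answer, sinkholed), ...]} for every client
    that queried a C&C name. 'sinkholed' is True when the answer was the
    sinkhole address, i.e. the host is still trying to reach its C&C."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, qname, answer = m.groups()
        if is_cnc_name(qname):
            hits[client].append((qname.lower().rstrip("."), answer, answer == sinkhole_ip))
    return dict(hits)
```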
Staying undetected…
The botnet operators used Swedish VPN providers in order to avoid physical detection.
The sinkhole caused the main botnet operator to panic and connect to the infrastructure using his home DSL connection.
Panic at the disco!
The C&C sinkhole panic allowed us to trace the botnet operator's Internet connection back to Spain.
Spanish LE visits ISP to retrieve DSL customer information
Time to make some arrests!
MWG: Let’s move on the arrest!
Spain LE: Not so fast!
Law enforcement roadblocks:
Owning a botnet is not illegal in Spain
Spanish law protects criminals
Forensic skills are not up to par
Timeline
January 22nd 2010
Bot master bribed CDMON tech support to recover booster.estr.es for €500.
January 25th 2010
Bot master launches DDoS against Defence Intelligence, sustaining 900MB/s of traffic
February 3rd 2010
Bot master arrested at home by Spanish Civil Guard
What did we uncover after the arrest?
Stolen Credentials
Personal information from over 1,000,000 victims
Credit cards
Social Security numbers
Bank accounts
Intranet credentials
Data from universities, banks, and half of the Fortune 1000 companies
Anti-detection/debugging tools…
Licensing control system
Butterfly Bot Version
Licensing control UID
Builder packed with Themida
Timeline after initial arrest
February 10th 2010
Butterfly.bigmoney.biz recovered by Mariposa.
Moved C&C servers to Israeli & Chinese domain registrars.
February 24th 2010
Ostiator & JonnyLoleante arrested
March 3rd 2010
Mariposa Final Takedown
Infections in 189 different countries
Top 10 infected countries
Infection statistics
31,901 infected towns and cities
Infection statistics
Over half of Fortune 1000’s infected
Over 40 banks infected
Why was Mariposa so successful?
Strong AV signature evasion + Botnet Infrastructure
Peer to Peer (P2P)
P2P – Strengths and Weaknesses
Low chance of infecting corporate networks (perimeter blocking)
High chance of infecting home networks (piracy)
APAC region had a high concentration of infections. High risk due to rampant piracy.
65% of software is pirated in India according to Business Software Alliance Study: http://bit.ly/bLlN06
USB Distribution
USB – Strengths and Weaknesses
High chance of infection in corporate networks
USB enabled by default in most organizations
Working from home introduces threats into the workplace.
High chance of infection in home networks
We use USB devices every day
Knowledge of USB threat vector low
MSN Messenger
MSN Messenger – Strengths and Weaknesses
Moderate chance of infection in corporate networks
Sometimes used for interoffice communication
31% of businesses use instant messaging according to Nielsen
High chance of infection in home networks
40% of home users use instant messaging according to Nielsen
MSN usage ranks high in most affected countries
Unique social engineering capability
Exploit Kits
Exploit Kits – Strengths and Weaknesses
Moderate chance of infection in corporate networks
Operating system updates are most likely enforced via policy
Non system software updates are most likely not enforced via policy
Antivirus software installed by default
High chance of infection in home networks
Operating system updates not always installed.
Non system software updates are almost never installed (unless forced)
Antivirus software may not be installed
Mariposa Botnet Control Software
Command and Control Software
Who are these guys?
Members Arrested
Netkairo, 31, Spain
Ostiator, 25, Spain
jonnyloleante, 30, Spain
DDP Team:
Dias De Pesadilla Team – Nightmare Days Team
What were their roles?
Butterfly Bot Packages
Butterfly Module Prices
How much money were they earning?
10,000€ / month (around 3,000€ each)
Ads
Pay per click
Renting portions of the botnet
Post data grabber (stealing credentials)
Monday, March 22nd
Commenting on the blog
Iuis_corrons following Luis_Corrons
D’oh!
What are we dealing with here?
CYBER KINGPINS? CYBER IDIOTS?
The Slovenian Connection
Collateral Damage?
Dejan Janzekovic
Lessons Learned
Just shutting down botnet C&Cs does not stop the bad guys.
Arresting the bad guys doesn’t stop them either.
Signature-based antivirus detection isn’t good enough: signatures can take weeks to develop.
Cyber legislation needs significant improvements to adapt to the current threat landscape.
Communication with law enforcement is often one-way and difficult, but results are better than simple shutdowns.
Thank you!
Sean-Paul Correll
Threat Researcher, Panda Security, USA
Twitter: http://twitter.com/lithium E-mail: [email protected]