Скачать презентацию Zeu S God of All Cyber-Theft Roland Dela Скачать презентацию Zeu S God of All Cyber-Theft Roland Dela

2eadb2b31b413ca3da6e8812a8c81f01.ppt

  • Количество слайдов: 67

Zeu. S: God of All Cyber-Theft Roland Dela Paz and Jasper Manuel Threat Researchers Zeu. S: God of All Cyber-Theft Roland Dela Paz and Jasper Manuel Threat Researchers Classification 3/18/2018 1

Greek Mythology Classification 3/18/2018 2 Greek Mythology Classification 3/18/2018 2

Virtual Landscape Classification 3/18/2018 3 Virtual Landscape Classification 3/18/2018 3

Fast Facts on Zeu. S • Commercial crimeware for stealing online banking credentials • Fast Facts on Zeu. S • Commercial crimeware for stealing online banking credentials • Authored by “Slavik”/“Monstr” • Has been in the wild since late 2005

The Zeu. S Infection Chain via spammed messages The Zeu. S Infection Chain via spammed messages

The Zeu. S Infection Chain via spammed messages via malicious websites The Zeu. S Infection Chain via spammed messages via malicious websites

Zeu. S and Spam Zeu. S and Spam

Zeu. S and Spam Zeu. S and Spam

Zeu. S and Spam Zeu. S and Spam

Zeu. S: The How • Zeu. S is configured to target a list of Zeu. S: The How • Zeu. S is configured to target a list of bank-related websites or financial institutions from which they try to steal sensitive online banking information

Zeu. S: The How Zeu. S: The How

Zeu. S: The How Zeu. S: The How

Zeu. S: The How Zeu. S: The How

Zeu. S: The How Zeu. S: The How

Zeu. S – a Cyber-Theft God Zeu. S – a Cyber-Theft God

Zeu. S – a Cyber-Theft God Zeu. S – a Cyber-Theft God

Zeu. S – a Cyber-Theft God Zeu. S – a Cyber-Theft God

Zeu. S – a Cyber-Theft God Zeu. S – a Cyber-Theft God

Zeu. S – a Cyber-Theft God Zeu. S – a Cyber-Theft God

Zeu. S – a Cyber-Theft God Zeu. S – a Cyber-Theft God

Zeu. S – a Cyber-Theft God Zeu. S – a Cyber-Theft God

Zeu. S – a Cyber-Theft God Zeu. S – a Cyber-Theft God

Zeu. S – a Cyber-Theft God Zeu. S – a Cyber-Theft God

Zeu. S Toolkit Components • Zeu. S Builder • Web Panel • Configuration Files Zeu. S Toolkit Components • Zeu. S Builder • Web Panel • Configuration Files

Zeu. S Toolkit Components Zeus Builder Zeu. S Toolkit Components Zeus Builder

Zeu. S Toolkit Components Web Panel Zeu. S Toolkit Components Web Panel

Zeu. S Toolkit Components Web Panel Zeu. S Toolkit Components Web Panel

Zeu. S Toolkit Components Configuration Files Config. txt: Webinjects. txt: Zeu. S Toolkit Components Configuration Files Config. txt: Webinjects. txt:

Zeu. S Toolkit Components Configuration Files Config. txt: Webinjects. txt: Zeu. S Toolkit Components Configuration Files Config. txt: Webinjects. txt:

Zeu. S Toolkit Components Configuration Files Config. txt: Webinjects. txt: Zeu. S Toolkit Components Configuration Files Config. txt: Webinjects. txt:

Zeu. S Toolkit Components Configuration Files Config. txt: Webinjects. txt: Zeu. S Toolkit Components Configuration Files Config. txt: Webinjects. txt:

Gathering Intelligence Downloaded configuration file Gathering Intelligence Downloaded configuration file

Gathering Intelligence Downloaded configuration file Gathering Intelligence Downloaded configuration file

Gathering Intelligence Breaking the encryption Where is the decryption key? ? ? Gathering Intelligence Breaking the encryption Where is the decryption key? ? ?

Gathering Intelligence Breaking the encryption Zeu. S 1. x encryption algorithm Gathering Intelligence Breaking the encryption Zeu. S 1. x encryption algorithm

Gathering Intelligence Breaking the encryption Finding the key stream Gathering Intelligence Breaking the encryption Finding the key stream

Gathering Intelligence Breaking the encryption Encryption key in config. txt Gathering Intelligence Breaking the encryption Encryption key in config. txt

Gathering Intelligence Breaking the encryption RC 4 function used by Zeu. S Gathering Intelligence Breaking the encryption RC 4 function used by Zeu. S

Gathering Intelligence Breaking the encryption Zeu. S builder - key stream generation Gathering Intelligence Breaking the encryption Zeu. S builder - key stream generation

Gathering Intelligence Breaking the encryption Zeu. S 2. x encryption algorithm Gathering Intelligence Breaking the encryption Zeu. S 2. x encryption algorithm

Gathering Intelligence Breaking the encryption Finding the key stream Gathering Intelligence Breaking the encryption Finding the key stream

Gathering Intelligence Breaking the encryption Finding the key stream Gathering Intelligence Breaking the encryption Finding the key stream

Gathering Intelligence Breaking the encryption Finding the key stream Gathering Intelligence Breaking the encryption Finding the key stream

Gathering Intelligence Breaking the encryption Encrypted HTTP traffic Gathering Intelligence Breaking the encryption Encrypted HTTP traffic

Gathering Intelligence Zeu. S POST data decryption Decryption key in Zeu. S CP Gathering Intelligence Zeu. S POST data decryption Decryption key in Zeu. S CP

Gathering Intelligence Zeu. S POST data decryption Gathering Intelligence Zeu. S POST data decryption

Gathering Intelligence Zeu. S POST data decryption Gathering Intelligence Zeu. S POST data decryption

What to do with gathered intelligence? • Use to source and monitor Zeu. S What to do with gathered intelligence? • Use to source and monitor Zeu. S binaries for detection, malware development, and solution creation • Use to source and monitor malicious Zeu. S domains for blocking • Share with law enforcement agencies to help in investigations, arrests, C&C take-downs, etc. • Use to identify target (financial) firms and country

What makes financial firms attractive targets? • Volume of customers • Online security measures What makes financial firms attractive targets? • Volume of customers • Online security measures • Availability of webinject scripts

What makes a country/region an attractive target? • Internet population • Online banking population What makes a country/region an attractive target? • Internet population • Online banking population • Value of money • Locality

Geographic Distribution data taken from Trend Micro Smart Protection Network Geographic Distribution data taken from Trend Micro Smart Protection Network

Is the Philippines safe from Zeu. S? Is the Philippines safe from Zeu. S?

Is the Philippines safe from Zeu. S? Online Banking Category Visitation by Market January Is the Philippines safe from Zeu. S? Online Banking Category Visitation by Market January 2011 vs. January 2010 Total Audience, Age 15+ - Home & Work Locations* Source: com. Score Media Metrix Country Total Unique Visitors (000) Jan-2010 Jan-2011 % Change Malaysia 2, 360 2, 746 16% Hong Kong 1, 304 1, 543 18% Vietnam 701 949 35% Singapore 779 889 14% Indonesia 435 749 72% Philippines 377 525 39% statistics taken from

Is the Philippines safe from Zeu. S? Top 3 Online Banking Sites by Unique Is the Philippines safe from Zeu. S? Top 3 Online Banking Sites by Unique Visitors for Individual Markets January 2011 Total Audience, Age 15+ - Home & Work Locations* Source: com. Score Media Metrix Country Malaysia 1 st Online Banking 2 nd Online Banking 3 rd Online Banking Destination Maybank Group Cimbclicks. com. my Pbebank. com Hong Kong HSBC Bochk. com Standard Chartered Vietnam Vietcombank. com. vn Acb. com. vn Dongabank. com. vn Singapore DBS. com. sg United Overseas Bank Group Citigroup Indonesia Bankmandiri. co. id BNI. co. id Citigroup Philippines Bpiexpressonline. com Citigroup HSBC statistics taken from

Is the Philippines safe from Zeu. S? Trend. Labs encountered at least two Zeu. Is the Philippines safe from Zeu. S? Trend. Labs encountered at least two Zeu. S binaries that target online banking sites in the Philippines

So what can I do? So what can I do?

Prevention is still key • Keep machines up-to-date by regularly patching software and operating Prevention is still key • Keep machines up-to-date by regularly patching software and operating systems. • Do not click on links or open attachments in email messages, instant messages, or messages that arrive via social media. • Organizations should likewise cascade pertinent information to employees to prevent Zeu. S from penetrating network security. Dear All, There has been increased concern on news of a massive system compromise that recently hit the headlines. The attack, which involves thousands of computers and organizations, was found to be result of work of a specific Zeu. S botnet compromise dubbed as the Kneber botnet. As some of you know, the Zeu. S botnet has been around for years and is best known for its crimeware tactics. It is primarily designed for data theft or to steal account information related to online banking transactions. Everyone is thus advised to exercise caution in opening email messages. Avoid downloading suspicious attachments and clicking on URLs, especially those from unknown senders. Since the Zeu. S malware perpetrators are constantly finding new ways to attack users, it would be wise to maintain safe computing practices. Be wary of phishing pages that purport to be legitimate websites, as these are primarily designed to fool unwitting users into handing over their personal information. The absence of visible infection markers makes it challenging to detect a Zeu. S compromise. As such, should you receive suspicious messages via email or instant messaging, please report them immediately. Your cooperation and vigilance would be extremely valuable in ensuring the continued security of our network.

What’s next for Zeu. S? Slavik/Monstr halted Zeu. S’ development in late 2010. What What’s next for Zeu. S? Slavik/Monstr halted Zeu. S’ development in late 2010. What now? data taken from Trend Micro Smart Protection Network

What’s next for Zeu. S? • Source code was leaked • Effect of the What’s next for Zeu. S? • Source code was leaked • Effect of the leak: Improved Spy. Eye, LICAT(Murofet), RAMNIT, Ice IX Bot, and a few others

Demo Demo

CONCLUSION CONCLUSION

Questions? Questions?

Thank you. Classification 3/18/2018 63 Thank you. Classification 3/18/2018 63

Classification 3/18/2018 64 Classification 3/18/2018 64

ZBOT related Spam Blocked (2010 Data) • Most ZBOT related spam detections came from ZBOT related Spam Blocked (2010 Data) • Most ZBOT related spam detections came from Brazil – 39% with India following in second place at 8% Spam Distribution by Country 30% • USA followed in 3 rd place with 3. 25% 2% 3% 3% 8% BRA IND 40% USA PHL IDN KOR COL ARG POL MYS Other

ZBOT related URLs Blocked (2010 Data) • Most ZBOT related URL detections came from ZBOT related URLs Blocked (2010 Data) • Most ZBOT related URL detections came from the United States (54%) Detected URL by Country 16% UNITED STATES UNKNOWN RUSSIAN FEDERATION 1% 1% 1% 2% 2% 2% CANADA ISRAEL GERMANY 2% 3% SPAIN UKRAINE CHINA 15% FRANCE OTHERS 53%

ZBOT Files Blocked (2010 Data) Geographic Distribution • US clients had the highest no. ZBOT Files Blocked (2010 Data) Geographic Distribution • US clients had the highest no. of ZBOT file detections (61%) UNITED STATES UNKNOWN 2% 2%2%2% 3% 4% 9% 11% 61% JAPAN UNITED KINGDOM CANADA AUSTRALIA INDIA SPAIN TAIWAN BRAZIL ~2 ~2 00 9 /0 4 00 /30 9/ ~2 05/ 31 00 9/ ~2 06/ 30 00 9/ ~2 07/ 31 00 9/ ~2 08/ 31 00 9/ ~2 09/ 30 00 9/ ~2 10/ 31 00 9/ ~2 11/ 30 00 9/ 12 ~2 01 /31 0/ ~2 01/ 31 01 0/ 02 /2 0 100 90 80 70 60 50 40 30 20 10 0 Accumulated Unique Detections/Clients OTHERS