Botnets: The Advanced Malware Threat in Kenya's Cyberspace

(1)

Botnets: The Advanced Malware Threat in Kenya's Cyberspace

AfricaHackon, 28th February 2014

(2)

Who We Are

- Paula Musuva-Kigen: Research Associate Director, Centre for Informatics Research and Innovation (CIRI); Lecturer in Cyber-security and Digital Forensics, USIU; MSc, CCSP, CISA
- Christian Kisutsa: Information Security Consultant, Serianu Limited; Computer Forensics & Cyber Crime Graduate (USIU)

(3)

Introduction: What is a bot(net)?

Bot: a type of malicious software
- Places the infected machine (zombie) under the control of an attacker (bot herder or bot master)
- The zombie connects to a Command and Control (C&C) server
- Initially Internet Relay Chat (IRC) was used to connect to the C&C
- These days HTTP is used to connect to the C&C because it is NOT blocked on firewalls

Botnet: a network of machines infected with a particular bot
- Shares a common Command and Control (C&C) server
- Infected machines are often designed to infect further machines automatically

(4)

Introduction: Worldwide Statistics

Top Banking Botnets of 2013 (released Feb 2014 by the Dell SecureWorks Counter Threat Unit, CTU):
- Over 900 financial institutions around the globe are being targeted
- Banks and corporate finance providers
- Also providers of corporate payroll services, stock trading, social networking, email services, mail delivery services, employment portals, entertainment and dating portals

(5)

Top Botnets in Kenya - 2013 [exclusive statistics]

(6)

What do Botnets Do?

Theft of information (keyloggers):
- Login credentials, leading to identity theft
- Financial data, especially credit card data
- IP/trade secrets (espionage) and identity theft

Financial fraud:
- E-banking and mobile banking
- Consumer accounts: online shopping (Jambopay/Jumia/Pesapal)
- Business accounts: online banking (corporate/retail)

Spam/phishing:
- Infected machines relay spam

Click fraud:
- Automated clicks on web advertising links for revenue

DDoS:
- Zombies can be co-ordinated to launch massive attacks

Pay per install:
- Malware distribution; bot masters get paid for every 1,000 infected machines

(7)

Tactics for Botnet Malware Delivery

- Cracked software or freeware
- Clicking links to infected sites, e.g. a link in email/social media
- Drive-by downloads: visiting a site with malicious scripts; the download happens automatically through the browser without the user's interaction or knowledge
- Malicious PDFs
- Malicious images/photos, e.g. on social media
- Creating FUD (Fully Undetectable) files by use of cryptors that evade anti-virus detection
- Flash disks carrying executables

(8)
(9)

Background of Zeus, Citadel and SpyEye

- Zeus: creator called Slavik, aka Monstr. Released 2007. Zeus code publicly leaked in May 2011 (many variants thereafter)
- SpyEye: creator called Gribodemon, aka Harderman. Released 2009. Initially a competitor to Zeus (it removed Zeus from infected machines). Author Aleksander Panin arrested in Jan 2014
- Citadel and Ice IX: considered by-products of Zeus. Released in 2011
- Citadel's creator called Aquabox. Improved ZeuS's code by making its control panel more user-friendly. Very good customer support network for buyers in the underground
- Ice IX creator called nvidiag
- Gameover: P2P Zeus variant released in 2011. Highest infection count. P2P
- ZitMo: Zeus in The Mobile, since 2010. Intercepts SMS and 2-factor authentication
- KINS: latest Zeus variant, since 2013

(10)

Timeline of Zeus and its variants

(11)

ZEUS AND CITADEL

(12)

Building the Botnet

- Builder: bot preparation and compilation
- Configuration file: contains the settings for the bot
- Web injects: Man-in-the-Browser customizations. These show extra fields in the log-in screens
- Control Panel: the bot master's screen where they control all the bots under their control
- Remote Scripts: the bot master's tools to send

(13)

ONLINE BANKING, PAYMENT & SHOPPING

(14)

Online Services

Measures taken to secure online banking in East Africa:
- Virtual keyboards: randomized keys, hover mode
- Encryption: SSL over HTTP (HTTPS); client-side encryption
- 2-page authentication

Measures taken to secure online payment and shopping:
- Encryption

(15)

Statistics: Online Banking - Kenya

Banks using 2PG – 4/33 Banks

(16)

Online Banking - Kenya

Banks with client side encryption: 2/33 Banks

Banks with NO client side encryption: 31/33 Banks

(17)

Online Banking - East Africa

Banks using 2PG – 6/46 Banks

Banks using virtual keyboards – 9/46 Banks

(18)

Online Banking - East Africa

Banks with NO client side encryption : 40/46 Banks

Banks with client side encryption : 6/46 Banks

(19)

Online Payment and Shopping

Top Online Payment Sites in Kenya with NO client side encryption : 4/4 sites

Top Online Shopping Sites in Kenya with NO client side encryption : 6/6 sites

(20)

Mobile Malware

- ZitMo for mobile banking: a version of Zeus that infects mobile phones
- Mobile banking is the new "thing" in Kenya, hence users are exposed to this mobile Trojan and other mobile malware
- M-Pesa users are at risk as Android malware is on the rise
- Only a matter of time before a custom malware is made

(21)

Botnet Evolution

Domain Generation Algorithms (DGA)

Tor Botnets - Anonymized
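A DGA-enabled bot resolves many machine-generated domains that no human would type, so a defender can score DNS query logs for that signature. The following is an added example (not from the slides): a small entropy/vowel/digit heuristic run over constructed DNS log lines in a hypothetical "time client qname" format.

```python
import math
from collections import Counter

# Constructed sample DNS query log (hypothetical format: "<time> <client> <qname>").
# The 10.0.0.22 lookups are made-up DGA-style names, not real indicators.
SAMPLE_DNS_LOG = """\
10:01:02 10.0.0.15 www.safaricom.co.ke
10:01:03 10.0.0.15 mail.google.com
10:01:05 10.0.0.22 xk3j9qz7mw2v1p.com
10:01:05 10.0.0.22 qv8tn1zr4bxk7d.net
10:01:06 10.0.0.22 h2m9wq0lr5cxtj.org
10:01:09 10.0.0.15 jumia.co.ke
"""

# Minimal public-suffix table so that "safaricom" is scored rather than "co".
PUBLIC_SUFFIXES = {"co.ke", "or.ke", "ac.ke", "co.uk", "com", "net", "org"}

def registered_label(qname):
    """Label directly under the public suffix, e.g. 'safaricom' for www.safaricom.co.ke."""
    parts = qname.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(parts) > n and ".".join(parts[-n:]) in PUBLIC_SUFFIXES:
            return parts[-n - 1]
    return parts[0]

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def dga_score(label):
    """High entropy, few vowels and many digits are typical of generated labels; 1.0 is the cut-off used here."""
    if len(label) < 7:
        return 0.0
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) / 4.0 + (0.35 - vowel_ratio) + digit_ratio

def flag_dga_clients(log_text, threshold=1.0, min_hits=2):
    """Return {client: [suspicious qnames]} for clients with at least min_hits DGA-looking lookups."""
    hits = {}
    for line in log_text.splitlines():
        _, client, qname = line.split()
        if dga_score(registered_label(qname)) >= threshold:
            hits.setdefault(client, []).append(qname)
    return {c: q for c, q in hits.items() if len(q) >= min_hits}
```

Requiring several hits per client keeps a single odd CDN hostname from raising an alert; the threshold should be tuned against a site's own benign traffic.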

(22)

WHAT DO WE NEED TO DO?

(23)

Prevention

- Patch systems: bots exploit known vulnerabilities for infection, especially in browsers and the Windows OS
- Anti-malware tools: antivirus makers have signatures for the well-known bot types
- Use browser protection
- Use the latest anti-malware updates and signatures
- User Information Security Education, Training and Awareness (SETA) program
- Use reports like those by Serianu and TESPOK Cyberusalama to

(24)

How do I know I'm infected?

- Process monitoring: e.g. use of CrowdInspect and Sysinternals TCPView
- Registry entries referencing sdra64.exe
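The sdra64.exe indicator above can be checked offline against a registry export. This added example (not from the slides) parses a constructed "reg export" of the Winlogon key and reports anything other than userinit.exe in the Userinit value; that older Zeus builds appended sdra64.exe there is an assumption taken from public Zeus write-ups, not a statement on the slides.

```python
import re

# Constructed sample of a .reg export from an infected XP-era host (assumption: Zeus appended its
# dropped sdra64.exe to Winlogon\Userinit so it starts at every logon). Paths are placeholders.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
KNOWN_BOT_FILES = {"sdra64.exe"}  # the file name the slides cite as a Zeus indicator

def parse_reg_export(text):
    """Parse the subset of the .reg format needed here: [key] sections with "name"="string" values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="((?:[^"\\]|\\.)*)"', line)
            if m:
                name, raw = m.groups()
                # .reg exports escape backslashes and quotes with a backslash; undo that.
                keys[current][name] = re.sub(r'\\(.)', r'\1', raw)
    return keys

def check_userinit(keys):
    """Return (severity, entry) for every Userinit entry that is not the legitimate userinit.exe."""
    userinit = keys.get(WINLOGON_KEY, {}).get("Userinit", "")
    findings = []
    for entry in (e.strip() for e in userinit.split(",") if e.strip()):
        name = entry.rsplit("\\", 1)[-1].lower()
        if name == "userinit.exe":
            continue
        severity = "known-bot" if name in KNOWN_BOT_FILES else "unexpected"
        findings.append((severity, entry))
    return findings
```

Flagging every extra entry, not only sdra64.exe, matters because later Zeus builds used other dropped file names; a clean host has exactly one entry here.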

(25)

How do I know I'm infected?

CrowdInspect: highly recommended for Microsoft users
- Multiple sources of information, including VirusTotal, Web of Trust (WOT), and Team Cymru's Malware Hash Registry
- Host-based process inspection for forensic analysis

(26)

Remediation: Network Side

Detecting C&C traffic:
- Examine network traffic for certain known patterns; use logging information from IDS/IPS and firewalls
- E.g. BotHunter and BotSniffer
- Honeypots/honeybots: www.honeynet.org, Dionaea, spam traps, open proxies, URL analysis
- Correlate using SIEM tools

Sinkholing:
- Hijacking botnet traffic and redirecting it to analysis servers
- Done by CERTs and security researchers in collaboration with ISPs and domain registrars
- E.g. by Microsoft (Mar 2012), Polish CERT, Team Cymru

(27)

Remediation: Network Side

Zeus Tracker and SpyEye Tracker (abuse.ch): provide domain and IP blocklists of known ZeuS Command & Control servers (hosts) around the world
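The two network-side checks on the previous slides, matching proxy logs against a tracker blocklist and looking for the regular HTTP "phone home" pattern of a bot, are shown together in this added example (not from the slides). The blocklist and proxy log lines are constructed with placeholder names, not real indicators, and the log format ("timestamp client method host path status") is an assumption.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed blocklist in the one-host-per-line style of a domain blocklist (placeholder names).
SAMPLE_BLOCKLIST = """\
# constructed sample, not a real tracker feed
cnc-panel.example.net
gate.example-bad.org
"""

# Constructed proxy log: "<timestamp> <client> <method> <host> <path> <status>".
SAMPLE_PROXY_LOG = """\
2014-02-28T09:00:00 10.0.0.22 POST update.example-bad.org /gate.php 200
2014-02-28T09:05:01 10.0.0.22 POST update.example-bad.org /gate.php 200
2014-02-28T09:10:00 10.0.0.22 POST update.example-bad.org /gate.php 200
2014-02-28T09:14:59 10.0.0.22 POST update.example-bad.org /gate.php 200
2014-02-28T09:20:01 10.0.0.22 POST update.example-bad.org /gate.php 200
2014-02-28T09:03:10 10.0.0.15 GET www.safaricom.co.ke / 200
2014-02-28T09:07:44 10.0.0.15 GET cnc-panel.example.net /cfg.bin 200
2014-02-28T09:31:20 10.0.0.15 GET mail.google.com /mail 200
"""

def load_blocklist(text):
    return {l.strip().lower() for l in text.splitlines() if l.strip() and not l.startswith("#")}

def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        ts, client, method, host, path, status = line.split()
        rows.append((datetime.fromisoformat(ts), client, method, host.lower(), path, int(status)))
    return rows

def blocklist_hits(rows, blocklist):
    """Requests to a blocklisted host or to a subdomain of one."""
    return [(client, host, path) for _, client, _, host, path, _ in rows
            if any(host == b or host.endswith("." + b) for b in blocklist)]

def beacon_candidates(rows, min_requests=4, max_jitter=0.1):
    """Client/host pairs with >= min_requests POSTs at near-constant intervals (std/mean <= max_jitter)."""
    by_pair = defaultdict(list)
    for ts, client, method, host, _, _ in rows:
        if method == "POST":
            by_pair[(client, host)].append(ts)
    found = []
    for (client, host), times in by_pair.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append((client, host, round(mean)))
    return found
```

In the sample the beaconing host is not on the blocklist at all, which is why the interval check is kept alongside the feed lookup; both results would normally be forwarded to the SIEM for correlation with host-side findings.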

(28)

pmusuva@usiu.ac.ke

christian.kisutsa@serianu.com

THANK YOU

(29)

Boot camp at USIU

Dates: Mon 28 April - Sat 03 May 2014

Fee:

Ksh 60,000/= only

Excellent Practical Labs & Certified Trainers

Meals Included

Sign Up TODAY
