Getting to Know the Zeus Botnet Better (Mengenal Zeus Botnet Lebih Dekat)
Charles Lim | Indonesia Chapter Lead
6 July 2015
Jakarta, Indonesia
Agenda
• Introduction to The Honeynet Project & Indonesia Chapter
• Profiling – Zeus
• How Zeus botnet works
• Tracking Zeus
• New National Monitoring Center
• Next Events
Speakers
• Charles Lim, MSc, ECSA, ECSP, ECIH, CEH, CEI
• More than 20 years in the IT services industry
• IP networking, software automation
• Indonesia Chapter lead (since 2012)
• Lecturer and Researcher at Swiss German University (Information Security Group) – http://people.sgu.ac.id/charleslim
• Research interests: Malware Detection, Intrusion Detection, Incident Handling, Cloud Security, Vulnerability Analysis
Introduction to The Honeynet Project
• Volunteer open source computer security research organization since 1999 (US 501(c)(3) non-profit)
• Mission: "learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned" – http://www.honeynet.org
• Know Your Enemy – Tracking the enemies is the passion of the HP (Honeynet Project) team
• Know Your Tools – Contributing open source tools for tracking the enemies to the world
Indonesia Chapter
• 25 November 2011: about 15 people from academia, security professionals and government made the declaration during our yearly malware workshop at SGU (Swiss German University)
• 19 January 2012: accepted as a chapter of The Honeynet Project
• Members: 129 (today)
First Indonesia Honeynet Seminar & Workshop
Honeynet Indonesia Seminar, 5 June 2012
Honeynet Indonesia Workshop, 6 June 2012
2015 Indonesia Honeynet Seminar & Workshop
Honeynet Indonesia Seminar, 10-11 June 2015
Honeynet Indonesia Workshop, 10-11 June 2015
Zeus – Profile
• First Appearance: 2007
• Type: Trojan
• Payload: Very Light Footprint
• Goal: Steal sensitive data stored on computers or transmitted through web browsers and protected storage.
• Communication: Encrypted channel with C&C server
• Obfuscation: Polymorphic encryption (re-encrypts itself automatically to create a new signature)
Bypassing Antivirus
Another Zeus Version – P2P (2012)
Botnet Overview
Rank  Country        Unique Bot IDs     Unique IPs
   1  United States  150,201 (22.1%)    458,882 (29.2%)
   2  Germany         48,853 (7.2%)      73,951 (4.7%)
   3  Italy           34,361 (5.1%)     145,290 (9.2%)
   4  Canada          27,150 (4.0%)      40,482 (2.6%)
   5  Brazil          24,997 (3.7%)     120,497 (7.7%)
   6  Mexico          24,143 (3.6%)     119,658 (7.6%)
   7  India           23,811 (3.5%)     141,412 (9.0%)
   8  Indonesia       19,146 (2.8%)     113,196 (7.2%)
   9  Iran            18,948 (2.8%)      69,617 (4.4%)
  10  Turkey          16,935 (2.5%)     104,391 (6.6%)
Zeus Gameover – Top 20 Countries by Infections
Country                    Total
Japan                      3,122
United States              1,482
Italy                      1,367
United Kingdom               857
Ukraine                      834
India                        761
Indonesia                    666
Vietnam                      553
Thailand                     458
Belarus                      411
China                        390
Germany                      355
France                       355
Turkey                       306
Iran, Islamic Republic of    298
Saudi Arabia                 272
Israel                       244
Korea, Republic of           241
Poland                       220
Philippines                  214
Source: https://goz.shadowserver.org/
Zeus Gameover – Top 20 ASNs by Infections
ASN       AS Name                  Country  Total
AS4713    OCN                      JP         830
AS3269    ASN                      IT         549
AS6697    BELPAK                   BY         378
AS8075    MICROSOFT-CORP-MSN-AS    US         372
AS2516    KDDI                     JP         371
AS17676   GIGAINFRA                JP         365
AS17974   TELKOMNET-AS2            ID         349
AS45899   VNPT-AS                  VN         297
AS2856    BT-UK                    GB         269
AS12874   FASTWEB                  IT         237
AS9121    TTNET                    TR         222
AS9829    BSNL                     IN         205
AS6849    UKRTELNET                UA         186
AS5384    EMIRATES                 AE         175
AS1267    ASN                      EU         163
AS9506    MAGIX-SG                 SG         158
AS3215    AS3215                   FR         156
AS15169   GOOGLE                   US         150
AS8151    Uninet                   MX         140
AS4788    TMNET-AS                 MY         131
Source: https://goz.shadowserver.org/
Zeus Communication (1/4)
Zeus Communication (2/4)
Zeus Communication (3/4)
Botnet Takedown 2012
• March 2012 – Zeus Botnet
• July 2012 – Grum Botnet
• September 2012 – Nitol Botnet
Important milestones
• Previous takedowns aimed to kill off the C&C servers
• Microsoft kept the C&C servers running but redirected their traffic to Microsoft servers to allow further research
Tracking Zeus
• https://zeustracker.abuse.ch/monitor.php
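One defensive use of a tracker feed such as ZeuS Tracker is to match outbound web-proxy traffic against the published C&C indicators and pivot on the internal clients that hit them. The following Python script is an added example; it is not code from the talk or from abuse.ch. The blocklist text, the proxy log lines and every host and address in them are constructed samples (reserved .invalid names and documentation address ranges, no real indicator), and the list format it assumes, one domain or IPv4 address/CIDR per line with '#' starting a comment, is modelled on the plain-text lists the tracker used to publish rather than taken from the page.

```python
"""Match outbound web-proxy connections against a ZeuS C&C blocklist.

Added example, not code from the talk or from abuse.ch. All hosts, addresses
and log lines are constructed samples; the blocklist format (one domain or
IPv4 address/CIDR per line, '#' starts a comment) is an assumption modelled
on the plain-text lists ZeuS Tracker used to publish.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample blocklist: .invalid names and documentation ranges only.
SAMPLE_BLOCKLIST = """\
# ZeuS C&C blocklist (constructed sample)
cnc-example.invalid
panel.cnc-example.invalid
198.51.100.23          # single host, treated as a /32
203.0.113.0/24         # whole hosting range
"""

# Constructed proxy log lines: "<timestamp> <client> <method> <host> <status>".
SAMPLE_LOG = """\
2015-07-06T09:12:01Z 10.0.0.15 POST cnc-example.invalid 200
2015-07-06T09:12:05Z 10.0.0.15 GET www.example.org 200
2015-07-06T09:13:44Z 10.0.0.22 POST 203.0.113.77 200
2015-07-06T09:14:10Z 10.0.0.31 GET gate.panel.cnc-example.invalid 404
2015-07-06T09:15:00Z 10.0.0.40 GET 198.51.100.24 200
"""


@dataclass(frozen=True)
class Blocklist:
    domains: frozenset   # lowercase domain names
    networks: tuple      # ipaddress network objects


def parse_blocklist(text: str) -> Blocklist:
    """Split entries into domains and IP networks; a bare IP becomes a /32."""
    domains, networks = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.rstrip("."))
    return Blocklist(frozenset(domains), tuple(networks))


@dataclass(frozen=True)
class Connection:
    ts: str
    client: str
    method: str
    host: str
    status: int


def parse_log(text: str) -> List[Connection]:
    """Parse the constructed proxy format; malformed lines are skipped."""
    conns = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        ts, client, method, host, status = parts
        conns.append(Connection(ts, client, method,
                                host.lower().rstrip("."), int(status)))
    return conns


def match_indicator(host: str, bl: Blocklist) -> Optional[str]:
    """Return the blocklist entry that covers host, or None.

    An IP matches if it lies inside a listed network; a domain matches if it
    or any parent domain is listed (most specific parent is reported first).
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        for net in bl.networks:
            if addr in net:
                return str(net)
        return None
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bl.domains:
            return candidate
    return None


@dataclass(frozen=True)
class Alert:
    conn: Connection
    indicator: str


def find_cnc_connections(log_text: str, blocklist_text: str) -> List[Alert]:
    """Every connection whose destination is covered by the blocklist."""
    bl = parse_blocklist(blocklist_text)
    alerts = []
    for conn in parse_log(log_text):
        hit = match_indicator(conn.host, bl)
        if hit is not None:
            alerts.append(Alert(conn, hit))
    return alerts


def hits_per_client(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per internal client, the natural pivot for triage."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.conn.client] = counts.get(a.conn.client, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_cnc_connections(SAMPLE_LOG, SAMPLE_BLOCKLIST)
    for a in found:
        print(f"{a.conn.ts} {a.conn.client} {a.conn.method} {a.conn.host}"
              f" -> matched {a.indicator}")
    print(hits_per_client(found))
```

Run it as a plain script to see the three constructed hits. Two design points matter for false positives: a subdomain of a listed domain still matches (the sample gate host under panel.cnc-example.invalid), while a bare IP on the list is treated as an exact /32, so 198.51.100.24 does not match the listed 198.51.100.23; widening an IP hit to its whole range is a decision the list author makes by publishing a CIDR, not something the matcher guesses.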
National Cyber Attack Monitoring
Call to participate
• Call for more participation from universities, industry and government
• Requirements:
  • A commitment from the top management
  • At least 1 public IP address to start
  • Fill out the form to request to join
  • Willing to submit malware samples to the central repository
• You will get:
  • 1 Raspberry Pi to be installed in your infrastructure
Custom-built appliance
• 1U rack case
• 5 Raspberry Pi
• 5 different honeypots: dionaea, glastopf, kippo, etc.
Further Information
• The Honeynet Project (http://www.honeynet.org)
• Indonesia Honeynet Project (http://www.honeynet.or.id)
• Swiss German University (http://www.sgu.ac.id)
• My Blog (http://people.sgu.ac.id/charleslim)
Indonesia Chapter
• Indonesia Honeynet Project
• Id_honeynet
• http://www.honeynet.or.id
• http://groups.google.com/group/id-honeynet