Storm Worm & Botnet Analysis
|
|
- Alvin Jefferson
- 8 years ago
- Views:
Transcription
1 Storm Worm & Botnet Analysis Jun Zhang Security Researcher, Websense Security Labs June 2008
2 Introduction This month, we caught a new Worm/Trojan sample on ours labs. This worm uses and various phishing Web sites to spread and infect computers. When the worm breaks into the system, it installs a kernel driver to protect itself. With the help of the driver, it then injects and runs malicious code from the legitimate process "services.exe". So, it can bypass firewalls easily and open a back door for the bad guys. This worm contains an SMTP client engine and a peer-to-peer client component. Obviously, these components are prepared for spamming or mass-mailing purposes. During my research, I found that this worm used various rootkit techniques to protect itself (such as hiding files, registers, ports, and the like), so it's not easily detected and removed. The worm also used a custom packer and encryption to protect itself. In the driver that the worm dropped, we learned that it employs a user-mode APC to inject malicious code (embedded) into the process named "services.exe". In this paper, I will explain the worm from three aspects: 1. The interesting things that reside in its executable file (custom packer and encryption) 2. Rootkit techniques it uses 3. Peer-to-peer botnet & spamming Okay, let s start our journey. Overview When this worm is running, it unpacks itself first, and then drops a malicious PE file that is embedded in the executable file. Then, it decrypts the malicious PE file into heap memory. When these steps are complete, the worm jumps to the heap memory (containing the malicious PE file) and executes the decrypted malicious code. This is the code that is responsible for the bad behavior. Figure 1 is a high-level view of this worm's activities: Figure 1. Overview of the worm Next, I will explain how this worm accomplishes all of this, step by step. Page 2 of 26
3 Analysis sequence The worm uses a custom packer and encryption to protect its binary file, so the first step it takes is to unpack and decrypt the embedded PE file. In this section, I will demonstrate how to use OllyDbg and IDA Pro to analyze the worm. Dynamic Analysis First, I use OllyDbg to debug the worm and try to dump the unpacked file. Stage 1 Getting Start Figure 2. Main Routine of the Worm Notice that Figure 2 shows the main routine of the worm. It exports two functions: plr and wsx. The plr function is used to unpack worm-self, and wsx is the real entry point. The plr function is passed to wsx as a parameter. This function implements the custom packer used by the worm. Stage 2 Unpack Figure 3. Calling Unpack Routine plr After the execution path reaches the wsx function, the first thing it does is to unpack the data section, which contains the code that will be executed further. Page 3 of 26
4 Figure 4 shows the packed data section. Figure 4. Packed Code From Figure 4 we can see that this code does not have any actual functions and is used only to obscure its purpose. The figure below shows the same data section after it has been unpacked: Figure 5. Unpacked Code Well, it looks very nice. At this moment, we can dump the memory to a file and do a static analysis (using IDA Pro or other tools). This is my favorite way, but we can continue debugging this worm by OllyDbg and watch what it does next. In the next section, I will use the IDA Pro tool to continue exploring the worm. Page 4 of 26
5 Static Analysis I am very grateful for IDA Pro, which is an amazing tool. With its help, we can search every corner of the malware. Stage 1 Decrypt & Decompress in heap memory During the analysis, I found a TEA constant 0x9E3779B9 in the unpacked file, and after a short analysis I was sure that this worm uses a TEA algorithm to encrypt the embedded malicious PE file. Entire Decrypt & Decompress Routine: Figure 6. TEA Algorithm Figure 7. Decrypt & Decompress in Heap memory Stage 2 Jump to Heap Memory From here, the worm has already expanded its payload (the malicious PE file) to heap memory, and the last thing it does is to fix IAT and handle relocation. Page 5 of 26
6 Figure 8. Fix IAT & Relocation Assuming everything is okay, the worm jumps to the heap memory to execute the malicious PE file. From that point forward, the worm can start breaking in to the system. Figure 9. Jump to Heap to execute Please compare Figure 9 with Figure 5, and note that they are the same. At this point, the execution path expands to heap memory, and in there, the worm accomplishes its evil task. Stage 3 Drop a driver & Start Services The main purpose of the malicious PE file residing in the heap memory is to drop a driver and a P2P configuration file, and to start a Win32 service to load its driver. Page 6 of 26
7 Drop the driver: Figure 10. Release Driver This driver contains another malicious PE file that has been encrypted. Well, this worm carried so many PE files; what a hard worker. In the next section, I will show the technique the worm uses to inject this PE file into a system process from its driver. Page 7 of 26
8 Drop the P2P configuration file: Contents of this configuration file: Figure 11. Release Configuration File The worm reads other bots' information from this configuration file, and then uses this information to contact its brothers residing in the botnet. Page 8 of 26
9 Start a Win32 service to load its driver Figure 12. Install Service Now the worm has broken into the system. Next, I will investigate the heavy weapon that this worm uses to protect itself and bypass the firewall. This weapon is built from rootkit techniques, so in the next section we will dive deep into the Windows kernel. Page 9 of 26
10 The heavy weapon Driver (rootkit technique) Figure 13. The workflow of the worm's driver As we saw earlier, this worm drops two files: a driver named glok+<random_id>.sys and a peer-to-peer configuration file named glok+serv.config. In the end, the worm starts a Win32 service to load its driver. Normally, it is difficult to find these sorts of malicious behaviors, but by intercepting the API call, we locate them with ease. API Calling Figure 14. API Call Win32 Service Figure 15. Register Changes Page 10 of 26
11 Worm's rootkit functionality The worm uses its driver to achieve the goals below: 1. Hide File (Avoid being deleted) 2. Hide TCP Port (Bypass the firewall) 3. Hide Win32 Service (Avoid being detected) 4. Inject Code to services.exe (Smart because it can easily bypass the ring3 detector) 1. Hide file or directory This worm hooks the native API named NtQueryDirectoryFile, so the worm can hide the file or directory whose name contains the string glok+. Do you remember the name of its driver that I mentioned earlier? Yes, the name of the driver is glok+<random_id>.sys ; it contains the string glok+. Code slice Hook NtQueryDirectoryFile: Figure 16. Filter in NtQueryDirectoryFile 2. Hide Win32 Service As we know, using the Win32 service to load the kernel driver will leave some footprint in the register. So the worm hooks two register-related native APIs named NtEnumerateKey and NtEnumerateValueKey ; through them the worm can erase its footprint. Code slice Hook NtEnumerateKey: Code slice Hook NtEnumerateValueKey: Figure 17. Filter in NtEnumerateKey Figure 18. Filter in NtEnumerateValueKey 3. Hide Port This worm will send spam and connect to other bots that are in the botnet, so it must obscure network-related things from everyone's eyes. In the kernel, the worm searches the TCP device (Device\Tcp) and inline hooks its dispatch function. When people try to query the network information, the worm hides itself from the result of the query. Inline hook TCP DeviceIoContorl functions: Page 11 of 26
12 Set up a completion routine for each Irps Code Slice - Hide Port: 4. Inject malicious PE to services.exe This worm does not use the normal way to inject the malicious code to other processes, such as through CreateRemoteThread. Instead, it does this from the kernel through a user-mode APC. In the injected code, the worm uses some shellcode techniques to locate the base address of kernel32.dll and do API searching by itself. The detailed steps are shown in Figure 13. Page 12 of 26
13 Code slice: Using user-mode APC Running in services.exe As mentioned earlier, the injected code is responsible for initializing the bot and joining the botnet. Page 13 of 26
14 Locating kernel32 && Searching APIs often used by shellcode Start main thread Page 14 of 26
15 The super weapon P2P-based botnet Overview In recent years, P2P technology has been used frequently in worms and has become more and more popular. The P2P-based botnet is very hard to trace and to shut down, because the botnet has robust network connectivity, uses encryption, and controls traffic dispersion. Each bot influences only a small part of the botnet, and upgrade/recovery is accomplished easily by its botmaster. The botnet this worm constructed is a decentralized architecture, not like the traditional peer-to-peer system. This kind of botnet does not need a central command and control location; it can allow the attacker to upgrade/control infected hosts without the botmaster. Implement This worm implements a distributed hash table based on the Kademlia algorithm and assigns a random 128bit ID to each bot. The format of the information is similar to this: Steps: 1. Using the system time as a random seed. 2. Depending on the timing seed to generate the 128bit bot ID 3. Randomly picking up the IP/UDP Port from a static array that was carried by itself 4. Keeping a part of the bot information in the configuration file. You can find these BotID from the P2P configuration file named glok+serv.config that is dropped by this worm. The contents of this file were described earlier. An example of how to translate the BotID that is saved in glok+serv.config Botnet Communication Analysis Protocol Analysis For analyzing this worm's peer-to-peer and spamming functionality, I captured the packets from an infected computer. The statistics of the captured packets look like this: Page 15 of 26
16 Protocol Hierarchy Statistics From the statistics, we find that the main protocol this worm uses is UDP protocol; the worm also uses SMTP protocol to send spam. Protocol Port Type Botnet Traffic Map Spamming Depending on the built-in SMTP client, the worm can send spam through many free SMTP servers. Page 16 of 26
17 TCP Connection with SMTP Server When the worm is connected to other bots, it can get the latest instructions/upgrades, then download and run any files. During the analysis, I found that the worm could exchange the list of SMTP servers with other bots. The contents of spam and adware are also exchanged from its brothers. The figure below shows the worm trying to connect to Google's SMTP server: Well, it looks as if Google has improved the security of its SMTP server; the worm failed to connect to it. This is another SMTP server this worm is trying to connect with: Page 17 of 26
18 Send Spam Through Google's SMTP Server Send Spam Through the videotron.ca SMTP Server Some examples of spam sent by this worm: Page 18 of 26
19 Another one: Last one: Page 19 of 26
20 Interacting with other bots I kept running this worm in a test environment and collected the packets it sent. By analyzing the captured packets, I found that this worm interacted with more than 5796 infected hosts only in 21 minutes! This evidence proves that the worm has already set up a large botnet! To protect its botnet, the worm does not carry the entire list of bots, so that it can avoid exposing the entire botnet from a single bot. It uses an XOR encryption algorithm to encrypt traffic, and randomly assigns the UDP port for each bot, to improve the traffic dispersion. All of these methods highly enhance the security of the botnet. UDP-based bots conversation The conversation list is huge; the figure above shows only part of it. Each remote host in this list is infected. The total number of bots I observed is 5746! Page 20 of 26
21 UDP Port Distribution Bot IP Distribution Encryption of Network traffic between bots This worm uses a special XOR algorithm to encrypt/decrypt the network traffic. Using this, the worm can avoid researchers who use network analyzers to study it. Page 21 of 26
22 Code Slice - Encrypt/Decrypt UDP packet C Code - Encrypt/Decrypt algorithm This encryption algorithm is very simple, but good enough for bypassing IDS or IPS. Botnet Message Well, to work against this botnet, I wrote a tool to observe the traffic and analyze the messages between the bots. Page 22 of 26
23 Example: Searching other bots Example: Reply message Page 23 of 26
24 Example: Exchange bot-list Page 24 of 26
25 The huge botnet Conclusion And that's all. From analyzing this worm, we notice that current malware looks more and more like business software. Malicious footprints are less obvious today than those of malware ancestors. The traditional signature-based scan technology can barely detect today's bad stuff. So this is a challenge for all of us. The purpose of most current malware is economic. The malicious author can derive financial benefit from the spreading of the malware. From the technology viewpoint, we find that some malware combines more than one malicious technique, and thus it has become more powerful. Is this a new stage in the evolution of malware? Page 25 of 26
26 Future Work As we saw, peer-to-peer botnets are more powerful and more efficient than traditional malware. I think the follow-on work will include a way of tracing peer-to-peer botnets and simulating their results, to better study their resiliency. Resources and References Websense Security Labs [0] Do we protect against the storm worm [1] Storm Worm Chronology [2] Halloween Storm [3] New Storm tactic: Medical spam sites [4] Analysis of Recent Storm Packer [5] Unpacking Storm Worm: Code and Import Address Table onto the heap Others [6] [7] [8] [9] The honeynet project [10] [11] [12] [13] Page 26 of 26
Inside the Storm: Protocols and Encryption of the Storm Botnet
Inside the Storm: Protocols and Encryption of the Storm Botnet Joe Stewart, GCIH Director of Malware Research, SecureWorks To be covered in this talk: Quick-and-dirty unpacking of Storm Structure of the
More informationAgenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka
Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques
More informationMultifaceted Approach to Understanding the Botnet Phenomenon
Multifaceted Approach to Understanding the Botnet Phenomenon Christos P. Margiolas University of Crete A brief presentation for the paper: Multifaceted Approach to Understanding the Botnet Phenomenon Basic
More informationAutomating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com
Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform
More informationMelde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)
Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE) Andreas Greulich, MELANI Swiss Cyber Storm, 18 April 2009 Agenda Part 1: Introduction (~5 ) Infection
More informationNetworking for Caribbean Development
Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n
More informationDetecting peer-to-peer botnets
Detecting peer-to-peer botnets Reinier Schoof & Ralph Koning System and Network Engineering University of Amsterdam mail: reinier.schoof@os3.nl, ralph.koning@os3.nl February 4, 2007 1 Introduction Spam,
More informationDetecting Malware With Memory Forensics. Hal Pomeranz SANS Institute
Detecting Malware With Memory Forensics Hal Pomeranz SANS Institute Why Memory Forensics? Everything in the OS traverses RAM Processes and threads Malware (including rootkit technologies) Network sockets,
More informationNetworks and Security Lab. Network Forensics
Networks and Security Lab Network Forensics Network Forensics - continued We start off from the previous week s exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite
More informationThe Value of Physical Memory for Incident Response
The Value of Physical Memory for Incident Response MCSI 3604 Fair Oaks Blvd Suite 250 Sacramento, CA 95864 www.mcsi.mantech.com 2003-2015 ManTech Cyber Solutions International, All Rights Reserved. Physical
More informationGuidance Regarding Skype and Other P2P VoIP Solutions
Guidance Regarding Skype and Other P2P VoIP Solutions Ver. 1.1 June 2012 Guidance Regarding Skype and Other P2P VoIP Solutions Scope This paper relates to the use of peer-to-peer (P2P) VoIP protocols,
More informationFrom Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians?
From Georgia, with Love Win32/Georbot Is someone trying to spy on Georgians? At the beginning of the year, a curious piece of malware came to our attention. An analyst in our virus laboratory noticed that
More information2014 ASE BIGDATA/SOCIALCOM/CYBERSECURITY Conference, Stanford University, May 27-31, 2014 ASE 2014 ISBN: 978-1-62561-000-3 1
ASE 2014 ISBN: 978-1-62561-000-3 1 Network Traffic Analysis of ZeroAccess Bot Shree Garg, Anil K. Sarje, Sateesh K. Peddoju Department of Computer Science & Engineering Indian Institute of Technology Roorkee,
More informationDeep Discovery. Technical details
Deep Discovery Technical details Deep Discovery Technologies DETECT Entry point Lateral Movement Exfiltration 360 Approach Network Monitoring Content Inspection Document Emulation Payload Download Behavior
More informationParasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips
Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips Agenda Overview W32/Xpaj analysis Overview of a virtual machine Software protection trends W32/Winemmem analysis W32/Induc
More informationImplementing and Managing Security for Network Communications
3 Implementing and Managing Security for Network Communications............................................... Terms you ll need to understand: Internet Protocol Security (IPSec) Authentication Authentication
More informationDetecting P2P-Controlled Bots on the Host
Detecting P2P-Controlled Bots on the Host Antti Nummipuro Helsinki University of Technology anummipu # cc.hut.fi Abstract Storm Worm is a trojan that uses a Peer-to-Peer (P2P) protocol as a command and
More informationVIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION
VIRUS TRACKER CHALLENGES OF RUNNING A LARGE SCALE SINKHOLE OPERATION Kleissner & Associates Botconf 14, 3-5 Dec 2014, Nancy/France Worlds largest botnet monitoring system Since September 2012 Originally
More informationINTERNET & COMPUTER SECURITY March 20, 2010. Scoville Library. ccayne@biblio.org
INTERNET & COMPUTER SECURITY March 20, 2010 Scoville Library ccayne@biblio.org Internet: Computer Password strength Phishing Malware Email scams Identity Theft Viruses Windows updates Browser updates Backup
More informationNetwork Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000
Network Security Protective and Dependable With the growth of the Internet threats, network security becomes the fundamental concerns of family network and enterprise network. To enhance your business
More informationWHITE PAPER. Understanding How File Size Affects Malware Detection
WHITE PAPER Understanding How File Size Affects Malware Detection FORTINET Understanding How File Size Affects Malware Detection PAGE 2 Summary Malware normally propagates to users and computers through
More informationInside Windows Rootkits
Chris Ries Security Research Engineer VigilantMinds Inc. 4736 Penn Avenue Pittsburgh, PA 15224 info@vigilantminds.com Introduction Although they have been around for quite some time, rootkits have become
More informationComputer Security DD2395
Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh11/ Fall 2011 Sonja Buchegger buc@kth.se Lecture 7 Malicious Software DD2395 Sonja Buchegger 1 Course Admin Lab 2: - prepare
More informationSeminar Computer Security
Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example
More informationCIT 480: Securing Computer Systems. Malware
CIT 480: Securing Computer Systems Malware Topics 1. Anti-Virus Software 2. Virus Types 3. Infection Methods 4. Rootkits 5. Malware Analysis 6. Protective Mechanisms 7. Malware Factories 8. Botnets Malware
More informationGlobal Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team
Global Network Pandemic The Silent Threat Darren Grabowski, Manager NTT America Global IP Network Security & Abuse Team The Internet is in the midst of a global network pandemic. Millions of computers
More informationJK0 015 CompTIA E2C Security+ (2008 Edition) Exam
JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router
More informationMalicious Network Traffic Analysis
Malicious Network Traffic Analysis Uncover system intrusions by identifying malicious network activity. There are a tremendous amount of network based attacks to be aware of on the internet today and the
More informationSecond-generation (GenII) honeypots
Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. b.zdrnja@auckland.ac.nz Abstract Honeypots are security resources which trap malicious activities, so they
More informationProtecting the Infrastructure: Symantec Web Gateway
Protecting the Infrastructure: Symantec Web Gateway 1 Why Symantec for Web Security? Flexibility and Choice Best in class hosted service, appliance, and virtual appliance (upcoming) deployment options
More informationCONFIGURING TCP/IP ADDRESSING AND SECURITY
1 Chapter 11 CONFIGURING TCP/IP ADDRESSING AND SECURITY Chapter 11: CONFIGURING TCP/IP ADDRESSING AND SECURITY 2 OVERVIEW Understand IP addressing Manage IP subnetting and subnet masks Understand IP security
More informationThe ZeroAccess Botnet Mining and Fraud for Massive Financial Gain
The ZeroAccess Botnet Mining and Fraud for Massive Financial Gain By James Wyke, Senior Threat Researcher, SophosLabs Introduction: Since our last paper on ZeroAccess, The ZeroAccess Rootkit [1], its authors
More informationADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper
ADVANCED THREATS IN THE ENTERPRISE Finding an Evil in the Haystack with RSA ECAT White Paper With thousands of workstations and servers under management, most enterprises have no way to effectively make
More informationDescription: Course Details:
Course: Malicious Network Traffic Analysis Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,495.00 Description: There are a tremendous amount of network based attacks to be aware of on the internet
More informationArchitecture. The DMZ is a portion of a network that separates a purely internal network from an external network.
Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part
More informationSecurity Intelligence Services. Cybersecurity training. www.kaspersky.com
Kaspersky Security Intelligence Services. Cybersecurity training www.kaspersky.com CYBERSECURITY TRAINING Leverage Kaspersky Lab s cybersecurity knowledge, experience and intelligence through these innovative
More informationSecurity A to Z the most important terms
Security A to Z the most important terms Part 1: A to D UNDERSTAND THE OFFICIAL TERMINOLOGY. This is F-Secure Labs. Learn more about the most important security terms with our official explanations from
More informationA Critical Investigation of Botnet
Global Journal of Computer Science and Technology Network, Web & Security Volume 13 Issue 9 Version 1.0 Year 2013 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals
More informationBlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
More informationHow to scan/exploit a ssl based webserver. by xxradar. http://www.radarhack.com mailto:xxradar@radarhack.com. Version 1.
How to scan/exploit a ssl based webserver. by xxradar. http://www.radarhack.com mailto:xxradar@radarhack.com. Version 1.0 21-09-2003 1. Introduction Sometimes late at night, playing with openssl and connecting
More informationDetecting Bots with Automatically Generated Network Signatures
Detecting Bots with Automatically Generated Network Signatures Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel, Engin Kirda,, {pw,tho}@seclab.tuwien.ac.at Institute Eurecom,
More informationHost-based Intrusion Prevention System (HIPS)
Host-based Intrusion Prevention System (HIPS) White Paper Document Version ( esnhips 14.0.0.1) Creation Date: 6 th Feb, 2013 Host-based Intrusion Prevention System (HIPS) Few years back, it was relatively
More informationSANE: A Protection Architecture For Enterprise Networks
Fakultät IV Elektrotechnik und Informatik Intelligent Networks and Management of Distributed Systems Research Group Prof. Anja Feldmann, Ph.D. SANE: A Protection Architecture For Enterprise Networks WS
More informationSPAM FILTER Service Data Sheet
Content 1 Spam detection problem 1.1 What is spam? 1.2 How is spam detected? 2 Infomail 3 EveryCloud Spam Filter features 3.1 Cloud architecture 3.2 Incoming email traffic protection 3.2.1 Mail traffic
More informationCodes of Connection for Devices Connected to Newcastle University ICT Network
Code of Connection (CoCo) for Devices Connected to the University s Author Information Security Officer (Technical) Version V1.1 Date 23 April 2015 Introduction This Code of Connection (CoCo) establishes
More informationFirewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)
s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware
More information2010 White Paper Series. Layer 7 Application Firewalls
2010 White Paper Series Layer 7 Application Firewalls Introduction The firewall, the first line of defense in many network security plans, has existed for decades. The purpose of the firewall is straightforward;
More informationFORBIDDEN - Ethical Hacking Workshop Duration
Workshop Course Module FORBIDDEN - Ethical Hacking Workshop Duration Lecture and Demonstration : 15 Hours Security Challenge : 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once
More informationINTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM
INTERNET SECURITY: THE ROLE OF FIREWALL SYSTEM Okumoku-Evroro Oniovosa Lecturer, Department of Computer Science Delta State University, Abraka, Nigeria Email: victorkleo@live.com ABSTRACT Internet security
More informationVISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE. Summary. Distribution and Installation
VISA SECURITY ALERT December 2015 KUHOOK POINT OF SALE MALWARE Distribution: Merchants, Acquirers Who should read this: Information security, incident response, cyber intelligence staff Summary Kuhook
More informationNetwork Defense Tools
Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall
More informationUsing IPSec in Windows 2000 and XP, Part 2
Page 1 of 8 Using IPSec in Windows 2000 and XP, Part 2 Chris Weber 2001-12-20 This is the second part of a three-part series devoted to discussing the technical details of using Internet Protocol Security
More informationABSTRACT' INTRODUCTION' COMMON'SECURITY'MISTAKES'' Reverse Engineering ios Applications
Reverse Engineering ios Applications Drew Branch, Independent Security Evaluators, Associate Security Analyst ABSTRACT' Mobile applications are a part of nearly everyone s life, and most use multiple mobile
More informationTrends in Malware DRAFT OUTLINE. Wednesday, October 10, 12
Trends in Malware DRAFT OUTLINE Presentation Synopsis Security is often a game of cat and mouse as security professionals and attackers each vie to stay one step ahead of the other. In this race for dominance,
More informationINTRODUCTION TO FIREWALL SECURITY
INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ
More informationCustomer Tips. Network Packet Analyzer Tips. for the user. Purpose. Introduction to Packet Capture. Xerox Multifunction Devices.
Xerox Multifunction Devices Customer Tips January 15, 2004 This document applies to these Xerox products: Network Packet Analyzer Tips Purpose This document contains a procedure that Xerox customers can
More informationFirewall Firewall August, 2003
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationClassic IOS Firewall using CBACs. 2012 Cisco and/or its affiliates. All rights reserved. 1
Classic IOS Firewall using CBACs 2012 Cisco and/or its affiliates. All rights reserved. 1 Although CBAC serves as a good foundation for understanding the revolutionary path toward modern zone based firewalls,
More informationITSC Training Courses Student IT Competence Programme SIIS1 Information Security
ITSC Training Courses Student IT Competence Programme SI1 2012 2013 Prof. Chan Yuen Yan, Rosanna Department of Engineering The Chinese University of Hong Kong SI1-1 Course Outline What you should know
More informationWorkshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC. Host based Analysis. {Himanshu Pareek, himanshup@cdac.
Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC Host based Analysis {Himanshu Pareek, himanshup@cdac.in} {C-DAC Hyderabad, www.cdachyd.in} 1 Reference to previous lecture Bots
More informationThis report is a detailed analysis of the dropper and the payload of the HIMAN malware.
PAGE 5 Check Point Malware Research Group HIMAN Malware Analysis December 12, 2013 Researcher: Overview This report is a detailed analysis of the dropper and the payload of the HIMAN malware. This malware
More informationControlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway
Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway Websense Support Webinar January 2010 web security data security email security
More informationUroburos Highly complex espionage software with Russian roots
G Data Red Paper 2014 Uroburos Highly complex espionage software with Russian roots G Data discovers alleged intelligence agency software G Data SecurityLabs Contact: intelligence@gdata.de Red Paper_February-2014
More informationAttacks from the Inside
Attacks from the Inside Eddy Willems, G Data Righard J. Zwienenberg, Norman Attacks from the Inside. Agenda - Social Networking / Engineering - Where are the threats coming from - Infection vectors - The
More informationFirewalls, Tunnels, and Network Intrusion Detection
Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls
More information51-30-60 DATA COMMUNICATIONS MANAGEMENT. Gilbert Held INSIDE
51-30-60 DATA COMMUNICATIONS MANAGEMENT PROTECTING A NETWORK FROM SPOOFING AND DENIAL OF SERVICE ATTACKS Gilbert Held INSIDE Spoofing; Spoofing Methods; Blocking Spoofed Addresses; Anti-spoofing Statements;
More informationHypervisor-Based, Hardware-Assisted System Monitoring
Horst Görtz Institute for IT-Security, Chair for System Security VMRay GmbH Hypervisor-Based, Hardware-Assisted System Monitoring VB2013 October 2-4, 2013 Berlin Carsten Willems, Ralf Hund, Thorsten Holz
More informationHoneyBOT User Guide A Windows based honeypot solution
HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3
More informationDefending Behind The Device Mobile Application Risks
Defending Behind The Device Mobile Application Risks Tyler Shields Product Manager and Strategist Veracode, Inc Session ID: MBS-301 Session Classification: Advanced Agenda The What The Problem Mobile Ecosystem
More informationReversing Android Malware
Reversing Android Malware The Honeynet Project 10 th Annual Workshop ESIEA PARIS.FR 2011-03-21 MAHMUD AB RAHMAN (MyCERT, CyberSecurity Malaysia) Copyright 2011 CyberSecurity Malaysia MYSELF Mahmud Ab Rahman
More informationMalware Trend Report, Q2 2014 April May June
Malware Trend Report, Q2 2014 April May June 5 August 2014 Copyright RedSocks B.V. 2014. All Rights Reserved. Table of Contents 1. Introduction... 3 2. Overview... 4 2.1. Collecting Malware... 5 2.2. Processing...
More informationNetworks & Security Course. Web of Trust and Network Forensics
Networks & Security Course Web of Trust and Network Forensics Virtual Machine Virtual Machine Internet connection You need to connect the VM to the Internet for some of the Web of Trust exercises. Make
More informationMalicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software
CEN 448 Security and Internet Protocols Chapter 19 Malicious Software Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa
More informationMalware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime
How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime sponsored by Introduction
More informationSection 12 MUST BE COMPLETED BY: 4/22
Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege
More informationLoophole+ with Ethical Hacking and Penetration Testing
Loophole+ with Ethical Hacking and Penetration Testing Duration Lecture and Demonstration: 15 Hours Security Challenge: 01 Hours Introduction Security can't be guaranteed. As Clint Eastwood once said,
More informationNetwork Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík
Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior
More informationDefeating Windows Personal Firewalls: Filtering Methodologies, Attacks, and Defenses
Defeating Windows Personal Firewalls: Filtering Methodologies, Attacks, and Defenses Chris Ries Security Research Analyst VigilantMinds Inc. 4736 Penn Avenue Pittsburgh, PA 15224 info@vigilantminds.com
More informationHow To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)
Security principles Firewalls and NAT These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Host vs Network
More informationLASTLINE WHITEPAPER. In-Depth Analysis of Malware
LASTLINE WHITEPAPER In-Depth Analysis of Malware Abstract Malware analysis is the process of determining the purpose and functionality of a given malware sample (such as a virus, worm, or Trojan horse).
More informationCS 6262 - Network Security: Botnets
CS 6262 - Network Security: Botnets Professor Patrick Traynor Fall 2011 Story 2 Botnets A botnet is a network of software robots (bots) run on zombie machines which run are controlled by command and control
More informationFirewalls & Intrusion Detection
Firewalls & Intrusion Detection CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration 2007, 2008 Robert H. Sloan Security Intrusion
More informationMcAfee. Firewall Enterprise. Application Note TrustedSource in McAfee. Firewall Enterprise. version 8.1.0 and earlier
Application Note TrustedSource in McAfee Firewall Enterprise McAfee version 8.1.0 and earlier Firewall Enterprise This document uses a question and answer format to explain the TrustedSource reputation
More informationCS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24
Introduction to Computer Networks Lecture24 Network security (continued) Key distribution Secure Shell Overview Authentication Practical issues Firewalls Denial of Service Attacks Definition Examples Key
More informationStreamlining Web and Email Security
How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Streamlining Web and Email Security sponsored by Introduction to Realtime Publishers by Don Jones, Series Editor
More informationFirewalls, Tunnels, and Network Intrusion Detection. Firewalls
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationZeroAccess. James Wyke. SophosLabs UK
ZeroAccess James Wyke SophosLabs UK Abstract ZeroAccess is a sophisticated kernel-mode rootkit that is rapidly becoming one of the most widespread threats in the current malware ecosystem. ZeroAccess ability
More informationRevealing Botnets Using Network Traffic Statistics
Revealing Botnets Using Network Traffic Statistics P. Čeleda, R. Krejčí, V. Krmíček {celeda vojtec}@ics.muni.cz, radek.krejci@mail.muni.cz Security and Protection of Information 2011, 10-12 May 2011, Brno,
More informationWildFire Reporting. WildFire Administrator s Guide 55. Copyright 2007-2015 Palo Alto Networks
WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on
More informationThreat Events: Software Attacks (cont.)
ROOTKIT stealthy software with root/administrator privileges aims to modify the operation of the OS in order to facilitate a nonstandard or unauthorized functions unlike virus, rootkit s goal is not to
More informationRadware Security Research. Reverse Engineering a Sophisticated DDoS Attack Bot. Author: Zeev Ravid
Reverse Engineering a Sophisticated DDoS Attack Bot Author: Zeev Ravid July 2015 Introduction In July 2015, Radware s Emergency Response Team (ERT) noticed a significant increased usage of the Tsunami
More informationMake a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.
CMSC 355 Lab 3 : Penetration Testing Tools Due: September 31, 2010 In the previous lab, we used some basic system administration tools to figure out which programs where running on a system and which files
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationTutorial 3. June 8, 2015
Tutorial 3 June 8, 2015 I. Basic Notions 1. Multiple-choice (Review Questions Chapter 6, 8 and 11) 2. Answers by a small paragraph (Chapter 2: viruses: MBR, rootkits, ) Multiple choice X. Which is the
More informationTrack 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT
Track 2 Workshop PacNOG 7 American Samoa Firewalling and NAT Core Concepts Host security vs Network security What is a firewall? What does it do? Where does one use it? At what level does it function?
More informationOperating System Security
Operating System Security Klaus Schütz Windows OS Security Microsoft Redmond Before I start My VP love(d) me A frustrated friend 1 Agenda Evolution of Threats Client vs. Server Security Operating System
More informationUncover security risks on your enterprise network
Uncover security risks on your enterprise network Sign up for Check Point s on-site Security Checkup. About this presentation: The key message of this presentation is that organizations should sign up
More informationBOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL
BOTNETS Douwe Leguit, Manager Knowledge Center GOVCERT.NL Agenda Bots: what is it What is its habitat How does it spread What are its habits Dutch cases Ongoing developments Visibility of malware vs malicious
More informationMalware B-Z: Inside the Threat From Blackhole to ZeroAccess
Malware B-Z: Inside the Threat From Blackhole to ZeroAccess By Richard Wang, Manager, SophosLabs U.S. Over the last few years the volume of malware has grown dramatically, thanks mostly to automation and
More information