Getting to Know the ZEUS Botnet More Closely (Mengenal ZEUS Botnet Lebih Dekat)


Transcript of Getting to Know the ZEUS Botnet More Closely

Page 1: Mengenal ZEUS Botnet Lebih Dekat

Getting to Know the Zeus Botnet More Closely

Charles Lim | Indonesia Chapter Lead | 6 July 2015

Jakarta, Indonesia

Page 2

Agenda

• Introduction to The Honeynet Project & Indonesia Chapter

• Profiling – Zeus

• How Zeus botnet works

• Tracking Zeus

• New National Monitoring Center

• Next Events

Page 3

Speakers

• Charles Lim, MSc, ECSA, ECSP, ECIH, CEH, CEI

• More than 20 years in the IT services industry

• IP networking, software automation

• Led the Indonesia Chapter (2012)

• Lecturer and Researcher at Swiss German University (Information Security Group) – http://people.sgu.ac.id/charleslim

• Research interests: Malware Detection, Intrusion Detection, Incident Handling, Cloud Security, Vulnerability Analysis

Page 4

Introduction to The Honeynet Project

• Volunteer open source computer security research organization since 1999 (US 501(c)(3) non-profit)

• Mission: "learn the tools, tactics and motives involved in computer and network attacks, and share the lessons learned" – http://www.honeynet.org

Page 5

Introduction to The Honeynet Project

• Know Your Enemy – Tracking the enemies is the passion of the HP (Honeynet Project) team

• Know Your Tools – Contributing open source tools for tracking the enemies to the world

Page 6

Indonesia Chapter

• 25 November 2011: about 15 people from academia, security professionals and government made the declaration during our yearly malware workshop at SGU (Swiss German University)

• 19 January 2012: accepted as a chapter of The Honeynet Project

• Members: 129 (today)

Page 7

First Indonesia Honeynet Seminar & Workshop

Honeynet Indonesia Seminar, 5 June 2012

Page 8

First Indonesia Honeynet Seminar & Workshop

Honeynet Indonesia Workshop, 6 June 2012

Page 9

2015 Indonesia Honeynet Seminar & Workshop

Honeynet Indonesia Seminar, 10-11 June 2015

Page 10

2015 Indonesia Honeynet Seminar & Workshop

Honeynet Indonesia Workshop, 10-11 June 2015

Page 11

Zeus – Profile

• First Appearance: 2007

• Type: Trojan

• Payload: Very Light Footprint

• Goal: Steal sensitive data stored on computers or transmitted through web browsers and protected storage.

• Communication: Encrypted channel with C&C server

• Obfuscation: Polymorphic encryption (re-encrypts itself automatically to create a new signature)

Page 12

Bypassing Antivirus

Page 13

Another Zeus Version – P2P (2012)

Page 14

Another Zeus Version – P2P (2012)

Page 15

Another Zeus Version – P2P (2012)

Page 16

Botnet Overview

Page 17

Another Zeus Version – P2P (2012)

Page 18

Another Zeus Version – P2P (2012)

Page 19

Another Zeus Version – P2P (2012)

| Rank | Country | Unique Bot IDs | Unique IPs |
|---|---|---|---|
| 1 | United States | 150,201 (22.1%) | 458,882 (29.2%) |
| 2 | Germany | 48,853 (7.2%) | 73,951 (4.7%) |
| 3 | Italy | 34,361 (5.1%) | 145,290 (9.2%) |
| 4 | Canada | 27,150 (4.0%) | 40,482 (2.6%) |
| 5 | Brazil | 24,997 (3.7%) | 120,497 (7.7%) |
| 6 | Mexico | 24,143 (3.6%) | 119,658 (7.6%) |
| 7 | India | 23,811 (3.5%) | 141,412 (9.0%) |
| 8 | Indonesia | 19,146 (2.8%) | 113,196 (7.2%) |
| 9 | Iran | 18,948 (2.8%) | 69,617 (4.4%) |
| 10 | Turkey | 16,935 (2.5%) | 104,391 (6.6%) |

Page 20

Zeus Gameover – Top 20 Countries by Infections

| Country | Total |
|---|---|
| Japan | 3,122 |
| United States | 1,482 |
| Italy | 1,367 |
| United Kingdom | 857 |
| Ukraine | 834 |
| India | 761 |
| Indonesia | 666 |
| Vietnam | 553 |
| Thailand | 458 |
| Belarus | 411 |
| China | 390 |
| Germany | 355 |
| France | 355 |
| Turkey | 306 |
| Iran, Islamic Republic of | 298 |
| Saudi Arabia | 272 |
| Israel | 244 |
| Korea, Republic of | 241 |
| Poland | 220 |
| Philippines | 214 |

Source: https://goz.shadowserver.org/

Page 21

Zeus Gameover – Top 20 ASNs by Infections

Source: https://goz.shadowserver.org/

| ASN | AS Name | Country | Total |
|---|---|---|---|
| AS4713 | OCN | JP | 830 |
| AS3269 | ASN | IT | 549 |
| AS6697 | BELPAK | BY | 378 |
| AS8075 | MICROSOFT-CORP-MSN-AS | US | 372 |
| AS2516 | KDDI | JP | 371 |
| AS17676 | GIGAINFRA | JP | 365 |
| AS17974 | TELKOMNET-AS2 | ID | 349 |
| AS45899 | VNPT-AS | VN | 297 |
| AS2856 | BT-UK | GB | 269 |
| AS12874 | FASTWEB | IT | 237 |
| AS9121 | TTNET | TR | 222 |
| AS9829 | BSNL | IN | 205 |
| AS6849 | UKRTELNET | UA | 186 |
| AS5384 | EMIRATES | AE | 175 |
| AS1267 | ASN | EU | 163 |
| AS9506 | MAGIX-SG | SG | 158 |
| AS3215 | AS3215 | FR | 156 |
| AS15169 | GOOGLE | US | 150 |
| AS8151 | Uninet | MX | 140 |
| AS4788 | TMNET-AS | MY | 131 |

Page 22

Zeus Communication (1/4)

Page 23

Zeus Communication (2/4)

Page 24

Zeus Communication (3/4)

Page 25

Zeus Communication (3/4)

Page 26

Botnet Takedown 2012

• March 2012 – Zeus Botnet

• July 2012 – Grum Botnet

• September 2012 – Nitol Botnet

Important milestones

• Previous takedowns simply killed off the C&C server

• Microsoft instead kept the C&C domains alive but redirected the bot traffic to Microsoft-controlled servers (a sinkhole), allowing further research on the infected population

Page 27

Tracking Zeus

• https://zeustracker.abuse.ch/monitor.php

Page 28

Tracking Zeus

• https://zeustracker.abuse.ch/monitor.php

Page 29

Tracking Zeus

• https://zeustracker.abuse.ch/monitor.php

Page 30

National Cyber Attack Monitoring

Page 31

National Cyber Attack Monitoring

Page 32

Call to participate

• Call for more participation from universities, industry and government

• Requirements:

  • A commitment from top management

  • At least 1 public IP address to start

  • Fill out the form to request to join

  • Willing to submit malware samples to the central repository

• You will get:

  • 1 Raspberry Pi to be installed in your infrastructure

Page 33

Custom-built appliance

• 1U rack case

• 5 Raspberry Pi boards

• 5 different honeypots: dionaea, glastopf, kippo, etc.


Page 35

Further Information

• The Honeynet Project (http://www.honeynet.org)

• Indonesia Honeynet Project (http://www.honeynet.or.id)

• Swiss German University (http://www.sgu.ac.id)

• My Blog (http://people.sgu.ac.id/charleslim)

Page 36

Indonesia Chapter

• Indonesia Honeynet Project

• Id_honeynet

• http://www.honeynet.or.id

• http://groups.google.com/group/id-honeynet