Botnets, malware and……network attacks

Pablo GonzálezCarmen Torrano

Juan Antonio Calles

I am…

• Carmen Torrano Giménez

• Phd Student at CSIC

• Research on Computer Security

• www.flu-project.com

I am…

• Pablo González (@fluproject)

• Head of security department

at Informatica 64

• www.flu-project.com

• www.seguridadapple.com

I am…

• Juan Antonio Calles (@jantonioCalles)

• Security Team Leader at Everis Spain

• elblogdecalles.blogspot.com

• www.flu-project.com

Timeline

What is Flu Project?

Malware and Botnets

Data Network Attacks!

What is…

What is… Flu?

Free Communit

y

Ethical Hacking

Social Awareness

Anti cybergrooming with Anti

Depredadores

Application development

Application development

• Flu• Anubis (footprinting and

fingerprinting)• Liberad a Wifi (default key

generation for Wifi routers)• Flunym0us (vulnerability scanner

Moodle, Wordpress)

Collaboration

Cybergrooming

So, Flu really is…

Knowledge… …Learning……Concepts…

…Security……Collaboration…

…Awareness…You… …Freedom

Malware

Malware Classes

• Viruses• Worms• Trojans• Rootkits• Spyware• Time bombs

Viruses

• They are only a kind of malware

• What is their goal? Destruction!

• Flu is not a virus

Virus Phases

Dormant

Propagation

Attack

Types…

• Boot

• Files

• Polymorphic

• Macro

Worms

• What are they?

• Key feature: Replication

• Flu is not a worm

Trojans

• What are they? Powerful!

• Remote control

• Direct and reverse

• Yeah! Flu is a trojan but……It’s a educational trojan

Rootkits

• What are they?

• Rootkit != management OR remote control software

• Key feature: they hide things…

Spyware

• What is it?

• Not harmful malware but attempts against privacy

• Key feature: Spy & Statistics

Time bombs

• What are they? Simple code but… destructive!

• Key feature: delayed action• Bash, Sh, Ksh, Dash, cmd, PowerShell

…• …And, Flu is not a time bomb

Botnets

Botnets

• What are they? • Bots, zombies, botmaster• Flu• Statistics: 10% of you belong to a

botnet!!• DOS attack – Anonymous (against

Internet censhorship- hacked CIA webpage)

Flu Features

• Hidden in the user folder, hidden process

• HaaS: Hacking as a Service

• Bot generator

• Client-server architecture

• WAMP (Windows, Apache, MySql

and PHP)

• Windows + .Net Framework

Flu architecture

Flu architecture

Flu Features

Keylogger Remote CMD & Powershell

Screenshot

Capture Microphone Steal Files Manageme

nt Registry

MSN Information

Web History

Passwords

And More…

Flu features

• Dynamic ID in XML file

• Commands directed to:– A specific computer– The whole botnet

Flu features

• AES encription (128 bits)• Hash of the files• GUI for Android• Undergraduate thesis at Deusto

University

Practical example

Dem

o

Data Network Attacks

1- Sniffing

PC HACKER

PC 1

PC 2 PC 3

PC 4

Sniffer

Filtra Filtra

Sniffing: hub

Hub

Datos PC 4

Sniffer

MAC 1

MAC 2 MAC H MAC 3

MAC 4

Port 1 MAC 1Port 2 MAC 2Port 6 MAC HPort 11 MAC 3Port 12 MAC 4

Sniffing: Switch

Switch

PC HACKER

PC 1

PC 2 PC 3

PC 4

Data PC 4

2- ARP Spoofing(MITM)

IP: MAC:

10.0.0.10 – ALICE 00:00:00:00:00:50 - ATTACKER

IP: MAC:

10.0.0.20 – BOB 00:00:00:00:00:50 - ATTACKER

Alice

IP: MAC:IP: MAC:IP: MAC:

10.0.0.20 – BOB 00:00:00:00:00:20 – BOB

IP: MAC:

10.0.0.10 – ALICE 00:00:00:00:00:10 – ALICE

Who is 10.0.0.20?

Who is 10.0.0.20?

10.0.0.20 is in 00:00:00:00:00:20

ARP Reply

ARP Request

10.0.0.10 is in

00:00:00:00:00:50

Bob

IP 10.0.0.50MAC 00:00:00:00:00:50

Eve

IP 10.0.0.10MAC 00:00:00:00:10

IP 10.0.0.20MAC 00:00:00:00:20

TABLA ARP ALICE TABLA ARP BOB

10.0.0.20 is in

00:00:00:00:00:50

Goals of MITM• Stealing:

– passwords

–hashes

–files

–sessions

Demo: MItM

3 - Hijacking

• Goal: Steal user identity/session (impersonation)

• Types: transport layer, application layer

• We focus on HTTP Communication

• Social Networks, Webmails…

Hijacking

Hijacking• I do not need your password!• HTTPs (authentication), HTTP

(rest of the session)• Insecure communications- Cookie Stolen… Ouch!• Firesheep

Demo: Hijacking

Finally…

Proud…

• Juanan and…

• “La biblia del Footprinting”

• Free!!!

…And Proud… :D

• Pablo and… his book

• “PowerShell: La navaja suiza de los administradores de sistemas”

• Sad… Not Free :(

Shopping!

• 5 Euros!• Really?? Yeah! • Finance… for Project!

Thank you!

www.flu-project.com

@fluproject@jantonioCalles@ctorranog

Grupo Flu Project

Grupo Flu Project

Feeds.feedburner.com/FluProject

Contact