How to track a P2P campaign
Posted on 15-Jul-2015
Tracking P2P Cybercrime Infrastructures
Marc Rivero | (@seifreed) | www.ecrime.info
#who
Marc Rivero López
Speaker at national events (No cON Name, Owasp, Navaja Negra) and international ones (DragonJAR CON - Colombia). Member of research associations and groups such as the HoneyNet Project, Owasp, SySsec, etc. I am also the organizer of the Hack&Beers conferences in Barcelona. Member of Malw.re.
Infrastructure
* [ Elements…]
• Dropzone
• C&C
• Config Server
• Exploit Kit
• Binary Server
• User
* [ Infection process…]
• The victim visits a compromised website
• The website redirects the user to an Exploit Kit
• The Exploit Kit infects the machine
* [ Type of servers…]
Bulletproof hosting features
• Abuse requests are sent to /dev/null
• DDoS protection
• IP changes to protect the end customer
• Any activity allowed
* [ Enemy wanted…]
* [ Zeus P2P features…]
Main differences in the P2P variant:
• Uses a P2P network
• Daily DGA domains
• All resources carry the botmaster's signature
• DDoS capabilities
* [ Daily DGA domains…]
* [ Statistics…]
* [ Oraculo…]
A tool for tracking P2P campaigns (only DGA domains at the moment)
Principal elements:
• Monitor: tracks all the changes in a domain
• Scheduler: checks all the changes in all the malware domains
• Focused on P2P campaigns, but adaptable to track other families
• Possibility to check sinkholed domains
Tool developed in Python (backend) + Django (frontend)
* [ Oraculo…]
The tool collects:
• Country
• Web server
• IP address
• Whois
• And more information…
* [ Oraculo…]
pDNS information
* [ Oraculo…]
Email reports. We integrate third-party tools into the report.
* [ Oraculo…]
• Domains with the most changes
• Domains with the most time up
* [ Oraculo…]
• Sinkhole vs. malicious domains (experimental feature)
• Source countries with the most malicious activity
* [ Oraculo…]
Search feature:
• Search using regex, TLD or country; all the information is indexed
• The tool shows whether the domain is active or not
• Can show a graph of the infrastructure
* [ Oraculo…]
• Domain details
• Geoposition on a map
• Related activity
• Activity history
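The Monitor/Scheduler idea behind Oraculo (diffing successive observations of each tracked domain, flagging sinkholed ones, and ranking domains by changes and uptime, with regex/TLD/country search over the index) can be illustrated with a small stand-alone script. This is an added example, not Oraculo's own code: the sinkhole IP set, the two-day table of lookups and the domain names are all constructed for the example (RFC 5737 documentation addresses, not real infrastructure), so it runs offline with no DNS or pDNS queries.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical sinkhole addresses (documentation ranges, constructed for this example).
SINKHOLE_IPS = {"192.0.2.10", "198.51.100.5"}

# Constructed pDNS-style observations for two scheduler runs ("day1", "day2"):
# domain -> (IP, country, web server), or None when the domain does not resolve.
CONSTRUCTED_LOOKUPS = {
    "day1": {
        "abc123.biz": ("203.0.113.7", "RU", "nginx"),
        "qwerty.ru":  ("203.0.113.9", "UA", "Apache"),
        "zzz.com":    None,
    },
    "day2": {
        "abc123.biz": ("203.0.113.8", "NL", "nginx"),   # moved to another hoster / IP
        "qwerty.ru":  ("192.0.2.10", "US", "nginx"),    # now points at a sinkhole IP
        "zzz.com":    None,
    },
}

FIELDS = ("ip", "country", "server")  # attributes compared between two observations
Lookup = Callable[[str], Optional[Tuple[str, str, str]]]


def make_lookup(day: str) -> Lookup:
    """Return a resolver that answers from the constructed table for one day."""
    return lambda domain: CONSTRUCTED_LOOKUPS[day].get(domain)


@dataclass
class DomainRecord:
    domain: str
    ip: Optional[str]
    country: Optional[str]
    server: Optional[str]

    @property
    def active(self) -> bool:
        return self.ip is not None

    @property
    def sinkholed(self) -> bool:
        return self.ip in SINKHOLE_IPS


class Monitor:
    """Keeps the full observation history per domain and diffs consecutive observations."""

    def __init__(self) -> None:
        self.history: Dict[str, List[DomainRecord]] = {}

    def check(self, domain: str, lookup: Lookup):
        """Observe one domain, store it, and return the record plus (field, old, new) changes."""
        res = lookup(domain)
        ip, country, server = res if res is not None else (None, None, None)
        rec = DomainRecord(domain, ip, country, server)
        changes = []
        prev = self.history.get(domain)
        if prev:
            last = prev[-1]
            changes = [(f, getattr(last, f), getattr(rec, f))
                       for f in FIELDS if getattr(last, f) != getattr(rec, f)]
        self.history.setdefault(domain, []).append(rec)
        return rec, changes

    def run_scheduler(self, domains, lookup: Lookup):
        """One scheduler pass over the whole domain list; returns a per-domain report."""
        report = {}
        for d in domains:
            rec, changes = self.check(d, lookup)
            report[d] = {"active": rec.active, "sinkholed": rec.sinkholed, "changes": changes}
        return report

    def search(self, pattern=None, tld=None, country=None):
        """Search the indexed domains by regex, TLD and/or the country of the last observation."""
        hits = []
        for d, recs in self.history.items():
            last = recs[-1]
            if pattern is not None and not re.search(pattern, d):
                continue
            if tld is not None and not d.endswith("." + tld):
                continue
            if country is not None and last.country != country:
                continue
            hits.append(d)
        return sorted(hits)

    def change_counts(self):
        """Field changes per domain across its whole history ("domains with the most changes")."""
        return {d: sum(getattr(a, f) != getattr(b, f)
                       for a, b in zip(recs, recs[1:]) for f in FIELDS)
                for d, recs in self.history.items()}

    def runs_up(self):
        """Number of scheduler runs in which each domain resolved ("domains with the most time up")."""
        return {d: sum(r.active for r in recs) for d, recs in self.history.items()}


def demo():
    """Two scheduler passes over the constructed domain list."""
    mon = Monitor()
    domains = ["abc123.biz", "qwerty.ru", "zzz.com"]
    first = mon.run_scheduler(domains, make_lookup("day1"))
    second = mon.run_scheduler(domains, make_lookup("day2"))
    return mon, first, second


if __name__ == "__main__":
    mon, _, second = demo()
    for d, info in second.items():
        state = "active" if info["active"] else "down"
        flag = " SINKHOLED" if info["sinkholed"] else ""
        print(f"{d}: {state}{flag} changes={info['changes']}")
    print("changes:", mon.change_counts(), "runs up:", mon.runs_up())
```

Each scheduler pass appends one observation per domain, so the second pass reports the IP and country move of abc123.biz, marks qwerty.ru as sinkholed once it resolves to an address in the sinkhole set, and keeps zzz.com as inactive; the rankings are then derived from the stored history rather than from the last lookup alone.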