SF21VEU - 07 Network Forensic Case Studies (Phill Shade)

okay so today we're gonna talk about network forensic analysis and in particular we're gonna i'm gonna pull out case studies from my own experiences and the lesson the lesson i try to teach people is those who don't learn from the past are doomed to repeat it because a lot of these things are not really new but they keep happening so yours truly blah blah blah i've been there done a lot of things but i really am here to help at least this week um so i went poking around and just i did a filter on cyber news for the last 10 days and it's interesting because this one with in the bottom the bottom left corner the cvs health care that's a big medical chain in california which is where i'm from this just happened on the 16th is when the story broke in the in the previous session by eddie he actually talked a little bit about the uh script file that these people apparently used so i hope nobody here by the way drives volkswagens because that story broke on june 11th and if you play any ea games god better check on that now i did down here in the bottom right i did put a couple of good news stories i did do that i was tired of all the bad news so i decided to put some good news in there okay so here's today's agenda these are the things that we're going to look at so it's assuming our time works it'll be six case studies and i'm gonna start out with one that was also mentioned in the previous session nice nice uh coincidence there we'll talk about the one that can get most people in a lot of trouble universal plug and play we'll then talk about one of my personal favorites uh the internet of things people say byod bring their own device i say buy your own destruction when it comes to internet of things and then of course a topic that's heavy heavy in the news ransomware i've got a pcap sample of drydex which was the one that rampaged through europe uh shut down rotterdam in the netherlands as well [Music] we'll talk about botnets botnets are kind of old school but i'm 
going to show you a few new wrinkles with these things they're adapting like everything else is and then my personal favorite uh man in the middles man in the middle attacks uh this one hit a company i used to work at so i'll tell you guys the story on that and then the one application attacks this is the one with the the web-based things especially web-based email so i hope you'll find some interesting examples here okay one of the questions that pops up when i teach wireshark classes what's the difference between troubleshooting and forensics you can use the same pcap in fact we often do to do either one it depends on what the customer is interested in so here we see that when we're troubleshooting we're primarily concerned with two things how can i figure out what's the cause of my issue and how do i locate and resolve it which is to be honest as a network engineer that's what you're paid to do in the forensic world which i do a tremendous amount of work in we kind of take over after these questions and the kind of questions that i look for answers in pcapps are what what kind of damage has been done can we identify the intruder and how they penetrated the existing security precautions the detroiter and leave anything such as a new new user accounts or perhaps some new type of malware and the most important one because forensic cases sometimes end up in the legal system they end up in court i've actually had been in court three times as an expert witness for these do we have sufficient data to analyze and reproduce the attack so those are all the different type of questions so we're going to be looking at the forensic questions today now one of the secrets to being effective in forensic analysis with tools like wireshark zeke and some of the other tools out there network miner and a few others you have to know what things look like when they're normal before you can spot the abnormal behavior so this ties in with one of my favorite things baseline and reference 
files these are samples of known good behavior and i'm kind of a trace file junkie any any pcap that i get my hands on that the client will let me keep i keep and i archive them onto my servers over here about half a meter over to my left so i've got terabytes and terabytes of sample files and it's a lot easier to analyze if you have a sample that you can put on one screen okay this is what how email works you know say smtp this is it working correctly then you put up the suspect file on the other screen and you compare the two and you look for where things are different that's what you look for you look for where things are different and that's where you focus your efforts so where do i get them there are a bunch of places i've used all of these the wireshark the wireshark wiki has a huge section of sample captures uh packet life net has a pretty good assortment pcapper net all of these have good assortments and if you can't find what you're looking for here just drop me a quick email down here build.shade gmail.com and i can if i have it i'll i'll give it to you and if i don't i i know people i can ask to get some of these cool files so now the question becomes when you're looking at wireshark what do i look for well you can see these these marked in red these are the key sections of wireshark that i use extensively and to be honest this upper red mark should extend down to i o graph i didn't realize i'd accidentally cut it off with the red box so the kind of things i look for are things that don't make sense uh unusual communications unusual ports and protocols too many failed connections suspicious inbound connections and if your network is already compromised look for those outbound connections that could be command and control traffic the phone home behavior of your own computers contacting this the command and control servers and the big one is dns there's uh a lot you can do with dns we teach a lot of this in our wireshark 1 and our advanced wiresharks 
classes these are all things we teach our students what to look for all right so the first one i kind of stuck it in here to get your attention so let's take a look at it it's going to be using upnp which i often call the unforeseen http threat this is the one that pretty much is enabled by default on everybody's computer now if i asked ever if i took a poll and asked people what about about http i'm pretty sure just about everybody give me port 80 possibly 80 80 if you're doing proxy and maybe even 443 if you're doing tls but how many people would think of udp port 1900 so i have a pcap here um i didn't have time to put a file zipped together for everybody to download if you're interested in these pcaps just send me a quick email and i'll be happy to send them to you so if you look here upnp uses a series of commands they use a mix of modifieds notifies and 200 okays so here we see some of the notifies notice that it's your computer sending it out to a multicast address and basically what it's doing is it's telling the world or the rest of the network because if your network is properly configured these things will not leak out onto the internet that would be very bad it's telling everybody hey man i support plug and play i'm right here at this address here's my mac address tell everybody that i support plug-and-play and that's the notify now the m searches are me looking for other plug and play devices and again we're using that funny multicast address we're using udp port 1900 and we're using a protocol called ssdp carried over http now i don't think i have any 200 oh i do have some 200 okays all right so 200 okay is what we get when we successfully connect to another plug-and-play device in this case a media server so most people don't know this exists and if i told them their computers were leaking stuff all over the network they'd laugh at me well i'm sorry to say here you go we've tested this over and over again in class everybody's computer does it pretty 
much the only way you can stop this on your home networks or your company networks is to disable plug-and-play unfortunately that's going to cause its own bunch of problems so that's why i call it the unforeseen threat people don't know it's there if you don't know it's there you can't take precautions like blocking it leaving your network you know put a rule in the firewall deny outbound udp 1900 to be honest that's actually how i i stumbled onto this i was tinkering with my firewall [Music] i just got my hands on a hardware based firewall box from juniper and i was setting up rules and by default i do like everybody else i block everything and then open what's needed and i kept getting these alerts saying would you allow outbound 1900 and i'm like what the heck is outbound udp 1900 so being a pcapp guy i fired up wireshark and this is where these captures came from so i very quickly said well i'm not i'll allow the stuff within my network it makes total sense but i'm not allowing it to leave the network my network is built around three three layers of firewalls so i run a total of three dmzs and this is only allowed inside the innermost part of the network so again udp 1900 so iot iot now my question is how many of you guys have at least one of these see if we get any any but any responses we got a whole bunch of people so hopefully somebody is looking at this going uh oh um these are from all over the world um so i'm pretty sure most people have got at least a couple of these now the cool little animated dude in there is medical iot this has been a big area things like insulin pumps and heart pacemakers there's been a lot of attention focused on medical technology lately because to be honest it's not terribly secure as a matter of fact i was teaching two years ago in the in the netherlands i was teaching a class when they announced six vulnerabilities in pacemakers in one particular model of pacemaker and at lunch time on that day i had a very worried student 
come up to me and said um i have that pacemaker in my chest what do i do and i said well you get a hold of your doctor right away and you find out what they're going to do if possible to patch any of these vulnerabilities yep ethernet over power lines uh uh question here is the top left ethernet over power lines yes or also watching television using the power alliance to carry this signal um these were a pair of these that were brought in by a dutch friend of mine to a class and it was kind of interesting to play with them so the medical story and uh when we get into the bot nets i'm going to show you a piece of medical equipment i have that could be that was on the mire internet of things hit list really got my attention when i was reading about it and if it works i've got a video of some of a guy that hacked his friend's roomba the little vacuum cleaner and what he did is he set it up so every time it bumped into something it gave a scream and then they were all sitting there at the table when the rumba crawled out of its little little power module to start its evenings cleaning and you hear this thing starting to scream these horrible blood-curdling screams as it's going around the house um the people did not find it very interesting or very entertaining rather very entertaining they were impressed that the guy did it but they didn't like what he had done all right so when we're talking about internet of things you'll often hear another term it's it's slowly falling out of use but i still come across it and that's soho small office home office but internet of things are genui generally speaking relatively low power small form factors a lot of them use the 2.4 gigahertz band but they've also branched out into some other frequency ranges including 900 megahertz now unfortunately this is not an iot class so i i can't spend very much time on this there there is a class for iot if you're interested talk to me offline and we'll do that but i did pick out a couple of 
examples and i recently um i do a lot of work with the american fbi and i was in a briefing just recently about iot and these were the statistics they were quoting you can see that the iot these are the publicly known vulnerabilities through the z cve program and the chart only unfortunately goes up to 2019 i wasn't able to get a more recent one but i mean just look at the vulnerabilities the way they're skyrocketing this is getting scary and i've been told that 20 20 20 is even worse especially with all of the covet issue and people working at home a lot of people are using internet of things connection devices and stuff so one of my favorite things to play with in iot is the bluetooth the bluetooth frequency spectrum in particular this the specification for bluetooth that now actually has its own ieee specification is 802.15 and bluetooth just isn't for a headset or headphones anymore bluetooth is now class ones are designed to be used in industrial manufacturing facilities as networking equipment class 2 devices can also be used to interconnect and build home bluetooth based networks i found that very interesting when i was first introduced to it so wireshark of course does a wonderful job with bluetooth it has several menus under the wireless menu and it the decodes are pretty good they need a little bit of work in places but that's that's that's being done there's they're working on these now bluetooth can run encrypted or it can run unencrypted you can see an unencrypted example here this was taken from a classroom we were doing a forensics class and to prove a point one of the guys brought some bluetooth stuff in and there are bluetooth capture adapters that interface with wireshark quite nicely and so we sat down to try several of them to see how well they captured and this was the result we did a simple file transfer from one side of the room to the other but one that a lot of people have uh how many of you folks have any of these products anybody got any 
of these one of the nokia wristbands because in europe especially they're not real popular here in the states um ah somebody says i have those scales yep yeah the scales by themselves collect data and report back but the wristbands are also designed to interconnect so here's an example of a this is yes this is the the wristband the fitbit connecting to the scale and you can see they've got all kinds of stuff matter of fact they they've even slipped in a little recruiting blurb this is becoming real popular in http packets they they embed all sorts of interesting information i've discovered these little easter eggs in a number of um http packets in various products the first one i discovered by accident was uh in a antivirus product and i just was whenever i get a new device or new software i run it through its paces and i capture that and that becomes my baseline for that device and i was looking through after i did an update on the antivirus i was looking through the packets just to see what they look like and came across a very similar message so let's take a look at this in wireshark okay so this one's an interesting one this is a phillips hue oops wrong one there we go um hold on so these are the scales and you can see here it's all in plain text i was really surprised i was really surprised these are all data points that make sense to somebody and they're going back to nokia which is something i didn't like for the privacy factor but as we found out i've done a lot of research into iot devices and it's really scary how many of them are reporting data back to the manufacturer iot security and privacy disaster absolutely correct absolutely correct that's why i say buy your own destruction but these things are everywhere they're everywhere um here in the states it hasn't happened overseas but uh amazon has debuted something i don't know if you guys have heard about it but it's called sidewalk where your uh doorbell your video doorbell your alexa all of your 
little all of your little amazon devices will share your internet wi-fi connection with people around the theory is that they can network the entire neighborhood and i can tell you i'm not a big fan of that not a big fan at all and they you can opt out the opt-out procedure is fairly simple to do if you know where to go to do it so here in the states it's been all over the news for about the last week because it went live on tuesday is when it went live so if you're interested look up amazon sidewalk it may be coming to europe i don't know you guys have a lot better privacy regulations in the european union than we do here so blue bug this is a classic one um this is just compromising the phone it's not a new one we warn people about this all the time but it happens it happens over and over and over again um blue snarfing i like this one um this isn't an american hacker i was told originally he was a dutch guy but it turns out he's an american hacker and he created that's a blue sniper rifle that is not a star wars blaster but he managed to hack a mobile phone over the bluetooth from two kilometers away by using a high gain antenna he doesn't even need line of sight and if you think about two kilometers around you that's a lot of room for somebody to be tapping into you and he was famous for among other things hacking uh paris what's her name paris hilton that's it yeah he hacked her phone and had dumped all the pictures on the website um but this is a more recent one uh some guys were having fun teslas have an ability to update their software these guys figured out a little exploit and uh drove through the parking lot these are all new teslas waiting to be shipped out to buyers and basically they were turning on and off the headlights um they got in through a gate that was unguarded and they had some fun before they got caught um kind of a cool story because they basically exploited the same thing that tesla uses to do their updates so i want to talk about another 
one that's really popular zigbee zigbee uses a variety of frequency bands and has different data rates and again it's made more for connectivity i wouldn't try to do a file transfer over zigbee there are a lot better ways to do file transfers so zigbee is used to do a lot of things for example our friend the philips hue light bulbs that's the pcap i have open here and we were taking a look we noticed that there were some notifies and this was a test we were just sitting at a friend's house in the netherlands a police friend of mine and take a look at this stuff look at what these things are putting out there and it's again it's in plain text and it's communicating back to nokia and these are the the adjust the phillips shoes the adjustable light bulbs now here's a close-up of one um this is from a different trace but what we had done was go ahead and excuse me my wife's leaving for work i love you all right so we've gone through and we found actual identifiable information in here so we used an editing tool to change it so it would say dead beef but it's really scary and i mean the light bulbs are everywhere the philips hues are everywhere man so here's some of the information here um philips hue personal wireless lighting there's the model number the bridge id the serial number the unique identifier and again it's all in plain text now in in phillips defense they have they do have encryption now available it's a lightweight encryption but it's enough to keep somebody like me from just reading your data uh the problem with it is it's not enabled by default the more i've researched a lot of these internet of things i do find that a lot of them support some type of encryption or some type of security but again it's not on by default so here's one this was a hack that made the news about two years ago if you can't really see it very well but some college researchers loaded up a drone and they're just flying the drone down the building and they're looking to see which 
light bulbs blink on and off so interesting little test um and this one this one i came across i was on a security feed and uh their wi-fi connected printers got hacked and started printing out some interesting messages and again most of the modern printers support web wpa whatever but it's not enabled by default dridex ransomware definitely not how you want to start your day has anybody been hit with this one or or ransomware in general okay well this is an example of drydex this is a particularly nasty piece of malware like i said it it shut down the port of rotterdam i talked to the ukrainians about drydex they they they love it because it destroyed their power grid okay somebody's popping in a chat there ah yes my father with windows xp oh yeah and you would think that there wouldn't be after all these years a very big installed base of the more obsolete operating systems such as windows xp ce um and so forth but within the industrial segment of the critical technologies industrial control systems skated arrays atm machines restaurant point of sale terminals a lot of that kind of stuff people buy it once they never bother to update it they don't even think about updating so this kind of stuff is alive and well i mean i think i still have one laptop with xp on it in my test stack i got a whole stack of computers off to the side i used to test things on and i think i may have an xp machine in there somewhere but my god i was looking at i was staying in a hotel in amsterdam and i happen to be i know a lot of the employees because i stay there a lot and i was looking at their point of sale terminal for their uh restaurant and i happened to be there in the morning for breakfast when they were starting it and sure enough there went the xp logo flashing by and this was just before covet i was in europe right up until the middle of march when they called all the americans back home i spent by the time i left the hotel there were 15 guests and 17 staff people left in 
this huge hotel and we were all trying to get flights home fact that's where i caught coped i didn't catch it in holland i caught it when i came back to the states passing through chicago because they still had everybody in these long lines and that's where i caught coved and then brought it home to my wife all right so this is one this is from a couple years ago we actually wrote this one up um we've obfuscated parts of it because i was doing a presentation about a year and a half ago with this example and some rocket scientists typed in the whole url and got infected so it is still functional now it was my computer that got zapped but in interest to full disclosure we knew about it and we were i was the one that got picked i i lost the coin toss basically so it was my computer that went to this website now it appears to be a chinese alliance against google which is okay that's their right they have the right to do that um and all i did was load the web page i didn't click on anything i definitely didn't click on the join us banner down here now we did two captures one doing good old school tcp dump and another one doing wireshark and we changed the contrast a little bit we were trying to tinker with what would make it show up the best but uh here you can see that among other things here comes a lovely little executable being handed down to me as part of the html download and again the critical pieces are are hidden to keep anybody from getting zapped um md5 exes chinese army backdoor malware it opens up a back door in your computer you're not really a bot not yet but your computer is open um here is drydex this is the drydex ransomware and when you first look at it it looks pretty harmless but if you use the search function you find the m the capital m z which means it's so it's focused at windows 6 system executable so i mean it comes down gzip so you're not going to see any cool text here like you would on some other malware and they disguise the file name to 
boot but this is how it does its damage now i don't know how many of you know of this website nomoreransome.org um if you encounter ransomware this is a great place to start this started out as a dutch police organization but now it's become global probably almost 100 different security companies law enforcement agencies all over the world and what they do they deliberately let them they have test computers they deliberately get them infected then they analyze the ransomware and if they can figure out the key to unlock the computers because most of these ransomwares don't generate a unique key for every computer they have one key for everybody there's been several stories on the news about this so what happens is if they figure out the key they post the key on the website so i've had several people i know get hit with ransomware and out of um out of five cases i think i was able to decrypt two of them by using this web page to do a little bit of research so hey if you get zapped it doesn't hurt to try all right i'm watching my time we're we're getting there uh the future botnets everybody knows botnets uh in the previous presentation they're by eddie there was an incredibly good example of botnets so what i want to talk about is my buddy the mirai means future now the mirai had an interesting background and i got from a buddy the fbi i got some captures for starters for command and control it used unencrypted telnet i found that fascinating it did they they weren't very sophisticated in their command and control at all but that's because it started out a couple of college students wrote it up to they hacked together their idea was to take iot devices like the cameras and the dorms and all this other stuff turn them into a bot net and then they were going to turn the bots loose on a game you may have heard of called world of warcraft and the idea was they were going to make a whole lot of money inside the game um i talked to my wife i don't play world of warcraft i 
play lineage which is a korean game but my wife does world of warcraft and she said oh yeah yeah there's there's people they call it farming they get these automated scripts running inside the game they generate virtual things in the game then they sell them to people for real world money well the three college guys that did this didn't do a very good job of constructing it they basically hacked together code modules they picked up all over the internet but you know what for about a week it worked for about a week it worked and then one of the code modules they they hacked packed together had a back door in it that they didn't bother to research and another hacker hacked in took over the command their command and control server took control of mirae and then proceeded to launch massive massive brute force attacks and in october 2016 a little tiny company in the united states that most people have never heard of called dine was just ddosed out of existence the peak was about 280 gigabit per second coming from 10.5 million individual nodes uh the average throughput was about 130 megabit so it was it was it was ugly uh here is the architecture of mary and all mary did here if you look at this this is just a chunk of the chart the chart is about a gig the spreadsheet is about a gig in size all they did was identify your iot devices they knew the default login credentials and would try them so you can see samsung ip cameras all security counters smc routers toshiba cameras xerox printers and so on and so on and so on and this is just a tiny snapshot remember they got almost 11 million devices by doing this because how many people think to change all of their passwords when they buy something hopefully everybody in this presentation does but i'm willing to bet your your father your mother your brother your uncle or whatever it doesn't even occur to them so here's some of the command and control i was showing you and here's my personal mirae story buried deep in that 
table was a category of couple hundred thousand different pieces of medical equipment now my lungs are pretty damaged before i even got covered my lungs were messed up already i'd been in several fires and breathed too much smoke and damaged my lungs um so i have a breathing machine that helps me breathe at night well brand new one i had just gotten this thing this is my machine i was i was actually in europe i think i was in germany i was either in germany or finland i don't remember when the alert came out and i just photographed it that's my machine but when i got it there was this little wi-fi module right here on the back of it you notice you don't see it there in the picture from my hotel room that's me taking it off because i asked the guy the guy that was showing me how to use the machine what this module was for and he said oh that's so we can collect data oh you're somebody with the same machine yeah i hope nobody here has a phillips cpap machine there was a big article here in the states there is a big recall on the philips cpap machines because the chemical that they use inside the machine as an insulator to cut down the noise causes cancer so a lot of people are worried anyway what the guy said was says oh your machine will send data back to us and here's just this is a canned screenshot from the website this isn't my data and i said great is it encrypted and he said uh i don't know and i said is this one way is it just reporting data and he said oh no no no the doctor can connect your machine and adjust it and i was like hmm piece of equipment keeping me alive while i sleep unencrypted and that means people can control it okay can i take the module off and he said whoa yeah so you see me taking it off in that picture and he said but now you're gonna have to bring in there's a little sd card that's hidden behind this module he says we have to bring that into the doctor every time and i'm like cool i can do that there's no way i'm gonna be relying on a 
piece of equipment that some idiot idiot kid down the street can hack into so that's my story now i was lucky my machine did not get infected by mirai but it is in the table of um devices that could be brute forced all right so here's what mary does couple of different variations of syn floods these are all different mira attacks that i picked up on just looking at them in wireshark you're basically your generic tcp syn floods ddos so turns out that dyn dyn that little company is responsible for hosting one of the root server clusters for dns when they got bombarded with that massive denial of service attack it took down the root servers they had to shut them down which took out the internet in a good portion of the united not just the states states but it stretched up into canada and down into mexico so life was not good now i know some of you probably looked at the dates on that mirai trace file you're saying ah that's a long time ago from a friend at netscout uh as of december of 2020 here are mirai nodes that are still being repurposed this really caught my eye i was really surprised oh brickerbot god i haven't heard that name in a while yes it's just not no it didn't work but now here's something interesting mary was just the first these are all other botnets and the thing about mira remember was it was the first iot based botnet but take a look at these there's now once one guy figures out something cool everybody else copies it that's just the way it is so here are a bunch of other iot-based botnets there's a twitter botnet an android based up botnet and before you iphone guys think ah yeah you can't get me you can't get me um there's also some andro or apple iphone i forgot to put them on the chart that was my mistake but there would be two two iphone specific bot nets on here as well attacking from within this is probably the easiest thing in the world to prevent it's ancient as all get out man in the middle attacks started about two days after ethernet 
was created. Back in February 3rd, 1980 was when the 802.3 specification, which is Ethernet... that's how they got the 802: it's February 3rd of 1980. So a couple of days after Ethernet was created, somebody figured out how to do a man-in-the-middle attack. It was really easy, and they became so common that everybody knew how to recognize them on the Ethernet and how to ignore them or mitigate them almost instantly, that they fell out of use; they stopped happening. But along came a really cool technology called Wi-Fi, and I tell you what, I dare you to invent a less secure technology than Wi-Fi.

So this one happened at a software company, and it cost them a lot of money, actually. So let me... so basically they were working on a key project. A week prior, the competitor trademarked his primary and secondary names. They were forced to pull the product, redo everything, and it cost him about two million dollars to fix it. So man-in-the-middle is very straightforward; Wi-Fi is like built for man-in-the-middle. So here are just a few different man-in-the-middle toys that you can pick up. Some of you probably recognize Pineapple Tetras, or the Wi-Fi Pineapple, the small one, and the Tetra. This was at a recent DEF CON that my evil twin went to, and just grabbed a couple of pictures of a table.

So the scene of the crime, courtesy of Google Street View. Basically what happened was, once we realized something had happened in the Wi-Fi, we took a Wi-Fi scanner and we went around to each of the documented access points as we found them on the scanner, and we shut them off. By the time we were done with the access points being disabled, we should have had no more signals. We found a signal. With the directional antenna we were able to track the signal to the conference room, the executive conference room on the second floor. Now, this is the original projector and this is the original connection; in fact, that's my old laptop connecting to the cables to project to the screen. Well, there was a
new projector there that was Wi-Fi enabled, and guess what? Doesn't support encryption. The access point was what's called a dual-homed or dual-radio access point; that means it has two receivers and two transmitters. It was on a tree branch connected to a very large battery pack, and basically what happened was they turned the encryption off on their laptops to connect to the cool projector. They were actually connecting to the rogue access point, which was connecting to the projector, which meant the access point was getting a copy of everything. And here are the packets. In this case Intel Core 5e is the attacker, the projector is Cisco d0, and the client was Intel e3. And the tip-off to these is the directed ARP requests. ARP requests are normally sent to a broadcast domain, with one exception; this isn't those exceptions. You can see here he's trying to trick two different devices. So we constructed some color rules and some quick filters to identify funny, suspicious ARPs, and that would be your filter string, and here are some of them hidden in the trace. You can see they're sprinkled throughout the trace. The idea is you poison the ARP cache and eventually you trick the guy into believing you're who you say you are. So we went through the investigation, we found all of this, and of course nobody had any record of the projector being purchased; no one would admit to purchasing it. So, um, I'm censoring my answer when I discovered it. Okay.

Oh, one more. Cool, this is two different files. We're gonna look at email, a little bit of phishing, and we're gonna look at a Zbot, one designed to steal your money. So let's real quick get through these phishing emails. One of my favorite Dilbert cartoons. Just so you think you know... you've probably heard about SolarWinds, you may have heard about the Office 365 and the Google G Suite. These are some recent examples of application and emails. Most of these infections happen from email. These are all ones that
popped into my inbox. I have several different inboxes with different names that I use for work, and not one of these is real. Not one of these is real, but several of them look very legitimate. The PayPal one looks pretty legitimate, and this one looks really legitimate: looks like a subpoena for court. And I did look up the case number right here; I went online, looked up the case number. It's in California District Court (I live in California), and everything about it is legitimate except for one thing: by our constitution, you have to be served a subpoena in person or through your proxy, your lawyer. They cannot email you a subpoena. But boy, it looked real. Here you go. So this is an email; it's using an old trick. So let me go ahead and reassemble it real quick, follow the stream. You can see here that it appears to be an audio file. Well, it's actually an executable; it's a piece of malware. This piece of malware being sent through the email, horror of horrors, this was how a lot of those SolarWinds attacks, and how most malware, to be honest, still spreads: the same old-fashioned way. People click on something, either a web page, like that previous example of that Chinese website, or on an email link, and every company out there does testing and people still fall for it. Case in point: Google. Their top executives got an email and it had a PDF, "Corporate Information, Google Management." This is what's called a spear phish; it was targeted to a particular group. It put trojan spyware on there. Now, this one I could not get a cost factor from, but the Chinese, when they did an analysis of it, they were targeting the Gmail records of human rights activists, a number of which have disappeared. So you can think whatever you want to think; this one has a cost that is not dollars and cents. I threw that one in: nobody's safe, not even my buddy Santa. You shouldn't use a username "santa" and "ho ho ho" password. Here's what happened with the Google guys. There's that MD5 again, that one I showed you from that web
page. This thing is everywhere, this MD5 EXE; the Chinese updated it all the time. Here's a few fake login screens: one of them's Gmail, a couple more for banks. Some breakdown of how it works, and then we've got our Zbot. But before I open up the Zbot trace I want to show you guys something. This one popped into my inbox today, this morning at about three o'clock in the morning. Dignity Health is a huge hospital chain in the United States, and they want me to set up an account, my account, and it says "Action needed: your Dignity Health records," and they even offer a Spanish version of it, which is kind of cool. The problem is neither my wife nor I belong to Dignity Health. I'm ex-U.S. Navy, so I get my medical care from the military. I apologize; there you go, you guys should see it now. So this one was pretty good, and when I hover over the links they look pretty accurate, but I did a little bit of research on it and it takes you to a malware site. So I thought that one was kind of cool. It doesn't have any of the usual issues with bad language, bad spelling or anything else. It's very well crafted, and I would imagine that somebody that uses the Dignity Health hospital chain could fall prey to that one quite easily.

All right, so this is a trace that came from a bank. The guy that captured the trace was a friend of mine. The bank is Windows-based, and I've got some quick filters: HTTP GET request, there's two, which... that ain't good, that isn't good right there, EXE. Zbots have been around for quite a while; the reason they're still on the top 10 list is they steal financial information. In particular, Christina... God, oh, I can never pronounce her name, I suck at Russian; I can read it but I can't pronounce it. Anyway, she... they grabbed, using 99 transactions in the space of 30 minutes, 12 and a half million dollars: three million from the US and nine and a half million from the UK banks. And the banks are able to follow the money trail, they're real good at that, but
when your money trail goes through Venezuela, Iraq and a couple of other friendly countries and ends up in Russia, good luck getting your 99 cents back. So the key was that ribbon.tar, the ribbon.tar, and you would say to yourself, "Well, Windows machines don't know tar files." Well, unfortunately, this was the first click that we saw that caught our attention: Hong Kong. Now remember, this is a bank, and a lot of banks do business in Hong Kong. Well, this bank didn't; it was a small bank. So we looked up ribbon.tar and it takes you to the Cisco Talos research site, which is a fantastic site, and it walks you through the complete breakdown of this thing. ribbon.tar is just one of the Zbot terms; there are about 30. This one was responsible for a couple million dollars before they cut it off. So it downloads the tar, and embedded in this is a self-extractor. Once it is downloaded it will self-extract; you then send a burst of information back to the server, in this case the pipi skin hk, and then that software tells you to go ahead and download the actual executable malware, at which point they own that computer and they are now inside your bank. So I poked around. I'd heard of this, I'd heard that I could find copies of the Zbot software to custom-make it, and I was offered... apparently I'm a trusted member of what I won't say, but apparently I was, and for 700 bucks he would sell me the source code. And no, there is no Dummies book for Zbots; that was something my friend drafted up just for funny.

Final example: International Space Station. Should be pretty safe; it's got a 200-mile air gap. Well, Stuxnet got on it through a USB stick. So even in space you aren't safe if you're not paying attention to what's happening. I have no idea the back story of this picture, but, well, you're just wasting your time: you're in a flood, bailing out your car isn't going to work. So now time for questions. Anybody got any questions? No open questions? You can pop them in the chat, either one, or watch a shark do the Macarena.
Oh, there's a couple of them, cool. "How did Stuxnet end up in the space station? I thought it hit Iran." Stuxnet crawled everywhere. It was designed to target one particular programmable logic array that controlled centrifuges, and yes, it did target Iran's nuclear facilities, but it spread all over the world. The thing is, as it would infect a device it would scan the device, send out a burst of about 300 bytes, which I have a feeling is a way of telling the command and control server "sorry, not this network," and then it would go dormant. It wouldn't do anything; you wouldn't even know you had it, if you can see that 300-byte burst. So, yeah, it was everywhere, and it got onto the International Space Station through a USB stick. I actually have... let's see, yes, I will cover the name of the manufacturer, but I have a USB stick here, it's kind of hard to see, right there it is. This has Stuxnet on it. Yes, a copy of Stuxnet. Kind of interesting. "Any certifications of worth?" I'm not sure what you mean; send me an email. Ah yeah, there you go, this one gets the quickest answers, and so forth. So where do I go from here? In Europe, Asia and the Middle East there's a training consortium of five different companies that do Wireshark training. These are the different classes they offer. If you're interested, send us a question and we can talk to you.
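The directed-ARP tip-off from the rogue-projector case, as an added example that is not part of the talk: a small Python script that decodes raw Ethernet/ARP frames and flags ARP requests sent unicast instead of broadcast, plus any IP address claimed by two different MACs. The MAC addresses, IPs and frames are constructed stand-ins, not the speaker's trace or filters.

```python
"""Detect the two ARP tip-offs from the rogue-projector case: ARP requests sent
unicast instead of broadcast, and one IP claimed by two MACs (cache poisoning).
Added example, not the speaker's color rules; MACs, IPs and frames are constructed."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _mac_b(s): return bytes.fromhex(s.replace(":", ""))
def _ip(b): return ".".join(str(x) for x in b)
def _ip_b(s): return bytes(int(x) for x in s.split("."))

def parse_arp(frame):
    """Decode an Ethernet II + ARP frame; return None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":  # EtherType 0x0806 = ARP
        return None
    op, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    return {"dst": _mac(frame[0:6]), "src": _mac(frame[6:12]), "op": op,
            "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}

def scan(frames):
    """Return (frame_index, reason) per suspicious frame. The first check equals the
    Wireshark filter  arp.opcode == 1 && eth.dst != ff:ff:ff:ff:ff:ff ; the talk
    notes one legitimate exception to broadcast requests, so treat hits as leads."""
    findings, claimed = [], {}  # claimed: sender IP -> first MAC seen using it
    for i, frame in enumerate(frames):
        a = parse_arp(frame)
        if a is None:
            continue
        if a["op"] == 1 and a["dst"] != BROADCAST:
            findings.append((i, f"directed ARP request {a['src']} -> {a['dst']}"))
        first = claimed.setdefault(a["spa"], a["sha"])
        if first != a["sha"]:
            findings.append((i, f"{a['spa']} claimed by {first} and {a['sha']}"))
    return findings

def arp_frame(dst, src, op, sha, spa, tha, tpa):
    """Build a constructed Ethernet II + ARP frame (hw=Ethernet, proto=IPv4)."""
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (_mac_b(dst) + _mac_b(src) + b"\x08\x06" + hdr +
            _mac_b(sha) + _ip_b(spa) + _mac_b(tha) + _ip_b(tpa))

# Constructed stand-ins for the client (..e3), projector (..d0) and attacker (..5e).
CLIENT, PROJ, ATTACKER = "02:00:00:00:00:e3", "02:00:00:00:00:d0", "02:00:00:00:00:5e"
SAMPLE = [
    arp_frame(BROADCAST, CLIENT, 1, CLIENT, "10.0.0.10", "00:00:00:00:00:00", "10.0.0.20"),
    arp_frame(CLIENT, PROJ, 2, PROJ, "10.0.0.20", CLIENT, "10.0.0.10"),          # normal reply
    arp_frame(CLIENT, ATTACKER, 1, ATTACKER, "10.0.0.20", CLIENT, "10.0.0.10"),  # poisons client
    arp_frame(PROJ, ATTACKER, 1, ATTACKER, "10.0.0.10", PROJ, "10.0.0.20"),      # poisons projector
]
```

Running `scan(SAMPLE)` flags only the last two frames, each twice: once for the unicast request and once for the IP/MAC conflict with the mapping seen earlier in the trace.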
Info
Channel: SharkFest Wireshark Developer and User Conference
Views: 533
Keywords: SharkFest, Wireshark
Id: MFvKkq_MEWQ
Length: 60min 48sec (3648 seconds)
Published: Tue Jul 06 2021