Shadowserver Foundation - Viruses - Payload

Big View ? Attach:Site/PageHeader/softflow.gif Δ Home Edit History Recent Changes
HomePage Shadowserver Mission Terms of Service Standards and Guidelines Organizations Calendar Future Goals Job Opportunities Press Security Organizations News Articles Blogs and Forums Misc Presentations Chronological Operations Status Knowledge Base Technology in Use Botnets Botnet Detection Honeypots eFraud Malware Whitepapers Definitions Links Get Involved Get Reports on your Network Blacklists and Blocking TOR Nodes and Reporting Mailing List Submit a Botnet Build a Honeypot Hall of Fame Services Info Binary Whitelist Test IP/ASN/Geo Mapping MD5/SHA1 AV Results Statistics ASN Bots Bot Counts Drone Maps Drone Historical Conficker Botnets Botnet Charts Botnet Maps Botnet Maps Historical DDoS DDoS Charts DDoS Maps DDoS Historical Geo Locations IRC Ports Malware Sandbox Charts Sandbox Graphs Packer Statistics Scans Scan Charts Scan Maps Scan Maps Historical URLs Viruses Sharing Virus Daily Stats Virus Weekly Stats Virus Monthly Stats Virus 60-Day Stats Virus 90-Day Stats Virus 180-Day Stats Virus Yearly Stats Virus Two Year Stats Virus Three Year Stats Combined Results Combined Performance Improvement Between Initial and Retests Contact Us Site Statistics edit SideBar	Payload Modern Computer Viruses Author Aim Four Installments Payloads Spreading/Replicating Backdoor/Remote control Backdoor/Remote control IRC HTTP Backdoor/Remote control Other Backdoor/Remote control Update/Install Remote Logging Remote Logging SMTP Remote Logging FTP Remote Logging HTTP Proxy Traffic Conclusion Author - Chas Tomlin IT Security Specialist in School of Electronics and Computer Science Member of Shadowserver Maintain a db of currently ~16,000 unique viruses and their associated network traffic. Top Aim Take a look at current viruses/malware and how they propagate See what features modern viruses come with See what impact an infected machine might have on your network Learn to detect and prevent viruses Top Four Installments: Infection Payload Impact Response Focus on Windows viruses Top Payloads What do modern viruses carry the capability of doing? Spreading/Replicating Backdoor/Remote control Update/Install Log remotely/Steal information Proxy traffic Top Spreading/Replicating Spread using one of the methods mentioned in first installment. Email Scanning, remote buffer overflow IM spamming Copying to network shares Infecting files Just because a virus spreads by one method, doesn’t mean that’s all it will do! Top Backdoor/Remote control Most modern malware carries the ability to communicate with a command and control source. Most initiate outbound network connections Use all sorts of internet protocols, UDP or TCP, IRC, HTTP, FTP, SMTP….. In Nov 2006 of 2434 viruses analysed 1047 (43%) exhibited IRC backdoor traffic Top Backdoor/Remote control IRC What is IRC - Internet Relay Chat ? Typical IRC backdoor connection details IRC Bot Commands IRC DDoS Command Top HTTP Backdoor/Remote control HTTP can also be used to remote control infected hosts Commands stored on a web server, malware polls server periodically to retrieve them. Can be encrypted, very hard to identify. Top Other Backdoor/Remote control Unix rootkit, has a backdoor that is triggered by a certain sequence of network traffic. Top Update/Install Viruses will carry the ability to update themselves, Why? 26% of viruses captured in Nov 2006 were not recognised by anti virus software! Virus writers need to stay ahead of the AV companies. Top Remote Logging Viruses carry the ability to log remotely Used for stealing passwords, login details, keystrokes. Logging can take place over many different internet protocols, HTTP, FTP, SMTP, IRC…. Top Remote Logging SMTP Top Remote Logging FTP Top Remote Logging HTTP Top Proxy Traffic Viruses carry the ability to allow traffic to be proxied through the infected host. Allows the attacker to hide his/her real IP address. Top Conclusion Spreading/Replicating Backdoor/Remote control Update/Install Log remotely/Steal information Proxy traffic Top << \| Viruses \| >> Edit Page History Source Attach File Backlinks List Group Page last modified on December 31, 2005, at 04:32 AM	Bot Counts Botnets Calendar/Blog March 2011 01 · April 2011 03 · May 2011 17 · June 2011 July 2011 August 2011 02 \| 08 · September 2011 21 · October 2011 November 2011 December 2011 January 2012 February 2012 March 2012 April 2012 May 2012 Link List Arbor Networks ASERT AV Comparatives Emerging Threats Mwcollect Nepenthes Offensive Computing SANS ISC Securtyfix SecuriTeam Sunbelt/CWSandbox Support Intelligence TaoSecurity ThreatSTOP Websense Zeus Tracker