Pre-Login presentation with Robert Lipovsky
Transcript of the Pre-Login presentation with Robert Lipovsky
Malware?
• Downloaders
• Bootkits
• Rootkits
• Injectors
• Worms
• Scareware
• Trojans
• Grayware
• Viruses
• Banking trojans
• Spyware
Attacks against UA government & military
Malicious executables carrying document-like Ukrainian file names (English translation first, original file name second):
• "General table of captured and imprisoned personnel, Ukrainian Armed Forces, as of 05.03.2015": Загальна таблиця захопл та полонених за ЗСУ станом на 05.03.2015.exe
• "Servicemen released between 06.09.2014 and 05.03.2015": Звільнені військовослужбовці з 06.09.2014 по 05.03.2015 .exe
• "Released from captivity, for the Chief of the General Staff, as of 05.03.2015": на 05.03.2015 зв_льнен_ з полону для НГШ.exe
• "List of personnel captured during the ATO, Ukrainian Armed Forces, as of 05.03.2015": Список захопл у ході АТО за ЗСУ станом на 05.03.2015.exe
During our research…
…\Local\Temp\HHDC05.tmp.exe
…\Downloads\TrueCrypt\TrueCrypt.exe
…\TrueCrypt Setup 7.1.exe
http://www.truecryptrussia.ru/
BlackEnergy
• 2007 – first BlackEnergy variants
• 2014 – switch from crimeware to cyberespionage
  • discovery of the PowerPoint 0-day (CVE-2014-4114)
  • presentation @ Virus Bulletin 2014
• 2015 – 2016 – more targeted attacks
  • power industry, airport, media, …
Win32/Spy.Odlanor
Spyware targeting players of online poker clients
Modus operandi:
1. Infect
2. Join table
3. Peek at the opponent's hand
Infection Vectors
• Installers
  • sometimes bundled with the Win32/InstallCore PUA
  • DAEMON_Tools_Lite.exe, uTorrent.exe, …
• Poker support software – Tournament Shark, Poker Calculator Pro, Smart Buddy, Poker Office, …
Technical Details
Conditions for taking screenshots (the foreground window must match one of these class/title strings):
• "PokerStarsTableFrameClass", "Hold'em", "Omaha", "Stud", "Razz", "Draw", "Irish"
• "FullTiltPoker"
The title of the PokerStars / FullTiltPoker window contains the Table ID and Game Type, so it is sent along with the screenshot.
C&C POST data: %data_size%|||%machine_guid%|||%window_title%|||%zipped_data%
Screenshots / Passwords
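The following is an added example, not ESET's code and not code recovered from Odlanor: a small Python parser for the C&C POST body format above, plus a helper implementing the screenshot-trigger condition, usable for triaging captured beacons. The field order and the `|||` separator come from the slide; the contents of the zip (file names inside it), the sample machine GUID and window titles, and case-insensitive title matching are assumptions made here. The parser locates the zipped payload from the end of the body using the declared size, so a window title that happens to contain `|||` is still parsed correctly.

```python
"""Parser/triage helper for the Win32/Spy.Odlanor beacon format on the slide.

Added example; assumptions (zip layout, sample data, case-insensitive match)
are noted inline. Format from the slide:
    %data_size%|||%machine_guid%|||%window_title%|||%zipped_data%
"""
import io
import zipfile

SEP = b"|||"

# Window class / title strings the slide lists as screenshot conditions.
# Whether the original check is case-sensitive is not stated; matching
# case-insensitively here is an assumption that errs toward detection.
POKER_MARKERS = (
    "PokerStarsTableFrameClass",
    "Hold'em", "Omaha", "Stud", "Razz", "Draw", "Irish",
    "FullTiltPoker",
)


def is_screenshot_trigger(window_title):
    """True if a foreground-window title matches one of the slide's markers."""
    title = window_title.casefold()
    return any(marker.casefold() in title for marker in POKER_MARKERS)


def build_beacon(machine_guid, window_title, files):
    """Assemble a POST body in the slide's format (used only to construct
    test input). The file names inside the zip are an assumption."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    zipped = buf.getvalue()
    return SEP.join([
        str(len(zipped)).encode("ascii"),
        machine_guid.encode("ascii"),
        window_title.encode("utf-8"),
        zipped,
    ])


def parse_beacon(body):
    """Split a captured POST body into its four fields.

    The zipped payload is taken from the end of the body using the declared
    data_size instead of splitting on '|||', so separator bytes inside the
    window title or the zip itself do not corrupt the parse.
    """
    head, _, rest = body.partition(SEP)
    if not head.isdigit():
        raise ValueError("data_size field is not numeric")
    declared = int(head)
    if declared == 0 or declared + len(SEP) > len(rest):
        raise ValueError("declared data_size does not fit in the body")
    zipped = rest[len(rest) - declared:]
    middle = rest[: len(rest) - declared]
    if not middle.endswith(SEP):
        raise ValueError("separator before zipped_data is missing")
    guid, sep, title = middle[: -len(SEP)].partition(SEP)
    if not sep:
        raise ValueError("separator between machine_guid and window_title is missing")
    # Raises zipfile.BadZipFile if the payload is not a zip archive.
    with zipfile.ZipFile(io.BytesIO(zipped)) as zf:
        entries = zf.namelist()
    window_title = title.decode("utf-8")
    return {
        "data_size": declared,
        "machine_guid": guid.decode("ascii"),
        "window_title": window_title,
        "zip_entries": entries,
        "poker_table": is_screenshot_trigger(window_title),
    }


if __name__ == "__main__":
    # Constructed sample: GUID, window title and screenshot bytes are made up.
    sample = build_beacon(
        "11111111-2222-3333-4444-555555555555",
        "Hold'em No Limit ($0.01/$0.02) - Table 'Adara III' 9-max",
        {"screenshot.png": b"\x89PNG\r\n\x1a\n fake image bytes"},
    )
    print(parse_beacon(sample))
```

Running the module prints the parsed fields of the constructed sample; on a real capture you would feed `parse_beacon` the raw HTTP POST body and use `machine_guid` and `window_title` as pivot points across victims.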