Part One: Ransomware and Countermeasures Against It
Part Two: Secure Architecture for Effective Storage and Retrieval of Information
Alireza Kamrani, Gohar Banki Manager; Babak Amin Azad, Gohar Banki Specialist
Part One: Ransomware and Countermeasures Against It
Reza Sahebzamani, Advisor to the CEO
Ransomware and Countermeasures Against It
Alireza Kamrani, Gohar Banki Manager; Babak Amin Azad, Gohar Banki Specialist
Goals
Generating malware is not difficult: cooking up a sample ransomware
The most useful solutions could be the simple ones: consider a backup policy
Malware
2015 – an interesting year for ransomware
Kaspersky Lab’s web antivirus detected 121,262,075 unique malicious objects: scripts, exploits, executable files, etc.
There were 1,966,324 registered notifications about attempted malware infections that aimed to steal money via online access to bank accounts.
What is Ransomware?
How Malware Finds Its Way onto Your Computer
30 Million Dollars in 100 days
Technologies involved
DGA
Sample Domain Generation Algorithm
E.g., on January 7th, 2014, this method would generate the domain name intgmxdeadnxuyla, while the following day, it would return axwscwsslmiagfah
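The sample algorithm the slide refers to (the widely circulated textbook DGA that yields intgmxdeadnxuyla for 7 January 2014 and axwscwsslmiagfah for the next day), reimplemented in Python as an added example that is not part of the deck. The defender-side wrapper `precompute_blocklist` and the `.example` TLD are my assumptions; they show how a cracked DGA lets responders enumerate the coming days' domains for sinkholing or RPZ blocking, the approach the Operation Tovar slide later alludes to.

```python
from datetime import date, timedelta


def generate_domain(year: int, month: int, day: int) -> str:
    """Textbook sample DGA: 16 lowercase letters derived only from the date.

    Each round scrambles the (year, month, day) state with shifts and XORs;
    the `% 25` means only the letters a..y can ever appear in the output."""
    domain = ""
    for _ in range(16):
        year = ((year ^ 8 * year) >> 11) ^ ((year & 0xFFFFFFF0) << 17)
        month = ((month ^ 4 * month) >> 25) ^ 16 * (month & 0xFFFFFFF8)
        day = ((day ^ (day << 13)) >> 19) ^ ((day & 0xFFFFFFFE) << 12)
        domain += chr(((year ^ month ^ day) % 25) + 97)
    return domain


def precompute_blocklist(start_iso: str, days: int, tld: str = "example"):
    """Defender's use of a cracked DGA (assumed helper, not from the deck):
    enumerate every domain the malware will try over a window so they can be
    sinkholed or loaded into an RPZ before the operators register them."""
    start = date.fromisoformat(start_iso)
    names = []
    for offset in range(days):
        d = start + timedelta(days=offset)
        names.append(f"{generate_domain(d.year, d.month, d.day)}.{tld}")
    return names


if __name__ == "__main__":
    # One week of domains starting from the date used in the slide's example.
    for name in precompute_blocklist("2014-01-07", 7):
        print(name)
```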
Targets: Home Users, Businesses, Public Agencies
Cryptowall
Unbreakable AES, CHM infection, Bitcoin, I2P proxy (anonymity)
Infection: RAR attachment containing a .chm file, runs in the %temp% folder, delivered via localized spam with sophisticated language and grammar
1. Deletes shadow copies (vssadmin.exe Delete Shadows /All /Quiet)
2. Launches svchost.exe and injects itself into it
3. Gets a unique RSA public key from the C2 (via hardcoded C2 URLs)
4. Localized ransom note language based on IP geolocation
5. Saves the list of encrypted files in the registry
6. Can decrypt one file for free to prove they have the key and it works
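A detection pass over the behaviours listed above, written as an added example that is not from the deck: it runs three heuristics over constructed Sysmon-style process-creation events (shadow-copy deletion via vssadmin, a .chm opened from %temp% by hh.exe, the Windows HTML Help viewer, and svchost.exe started by something other than services.exe, a common heuristic for the injection step). The field names, rule names and sample paths are my assumptions.

```python
import re

# Constructed sample events with Sysmon-style fields; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\bob\AppData\Local\Temp\invoice.chm',
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\invoice.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",      # benign: normal parent
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Step 1 of the slide: shadow copies wiped so the victim cannot roll back.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
# Infection vector: a .chm launched from a Temp directory.
TEMP_CHM = re.compile(r"\\temp\\[^\\\"]+\.chm\b", re.I)


def classify(event):
    """Return the names of the rules that fire on one event (empty if none)."""
    hits = []
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    parent = event["ParentImage"].lower()
    if image.endswith("\\vssadmin.exe") and SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if image.endswith("\\hh.exe") and TEMP_CHM.search(cmd):
        hits.append("chm_from_temp")
    # Step 2 heuristic: legitimate svchost.exe is spawned by services.exe.
    if image.endswith("\\svchost.exe") and not parent.endswith("\\services.exe"):
        hits.append("svchost_unusual_parent")
    return hits


def scan(events):
    """Run every rule over a list of events; returns (index, rule names) pairs."""
    findings = []
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```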
Cryptolocker’s method
CTBLocker’s method
Let’s Do The Math
Target File Extensions
.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf…
Ransomware as a Service (RaaS)
19 May 2015
Cryptolocker/GOZ takedown, a.k.a. Operation Tovar (June 2014)
160 people worldwide took part
Cracked DGA: same as the Flashback OSX Trojan, they likely bought it
RPZ all domains? Sinkhole? Surveil the infrastructure!
Participants: US Dpt of Justice, Europol, FBI, UK National Crime Agency; security companies (Dell Secureworks, Microsoft, F-Secure, McAfee, Symantec, Sophos, TrendMicro); Carnegie Mellon, Georgia Institute of Technology
Ransomware going Open Source
Aug 16, 2015
Countermeasures
Preventive action: Backup, Backup, Backup; standard anti-malware; avoidance of risky activities; use OSINT feeds to block C&Cs
Corrective action: Disaster/recovery plan; Time is money!
Challenge: FBI to state: “… To be honest, we often advise people just to pay the ransom”
Contact Kashef
Email Address: [email protected]@kashef.ir
Phone: 22266478
SMS: 1000527433
Website: www.kashef.ir