Thursday, May 30, 2013

"Ponmocup Hunter" SANS DFIR Summit 2013

Update: the presentation slides have been online for a while [PDF Link].
I've given a newer version of this talk at DeepSec and BotConf. Slides will be linked when made public.

I'm thrilled to give a presentation "My name is Hunter, Ponmocup Hunter" in July at the SANS DFIR Summit 2013 in Austin, Texas. (Summit / Agenda).

In early 2011 we discovered some botnet malware infected systems in our network. Starting from one A/V event we discovered several host- and network-based indicators to identify and confirm several infections. A brief high-level overview of the security architecture will help you understand how the indicators could be found and searched for. With a one-strike remediation all infected systems were quarantined and cleaned. A few weeks later the sinkholing of several known C&C domains showed the botnet was very big (several million bots). Quickly I got obsessed with analyzing and hunting this malware, which could infect fully patched systems without using exploits (only social engineering) and protected by firewalls, IPS and multi-layered A/V. The malware got some visibility and media attention in June 2012 with titles such as "printer virus", "printer bomb" or "Trojan.Milicenso: A Paper Salesman’s Dream Come True". This was likely due to an unwanted side-effect or "mistake" by the bot-master and probably didn't happen to all infected hosts or networks.
You'll learn:
  • how the malware was discovered, what indicators were derived
  • how all infected hosts were identified and how remediation was done
  • how this malware spreads and how to defend against it
  • how to detect infected systems (host & network indicators)
  • how to find infected web servers used to spread it
  • what malware functionalities are known and currently still unknown

If you can attend the DFIR Summit and haven't registered yet, you can use the discount code "Swiss10" to get 10% off.

In the mean time, if you're not familiar with the Ponmocup Malware yet, you can read my previous posts:

There are some more "Threat Intelligence" feeds available, beside the ones that have previously been listed:

Lists of Malware Domains and IPs (pre- and post-infection) [CIF usable]

Now there's also a list for:
Malware redirection servers and .htaccess infected web servers [CIF]

Ponmocup-Finder output:
Currently infected websites (redirecting to Malware downloads)
History of all infected websites (first and last seen)

For more details you can follow me on Twitter (@c_APT_ure) or look for #Ponmocup tweets.

If you would like to get involved with analyzing or fighting this Malware / Botnet please get in touch with me.