Anonymity is king

Presented at VB2015, Oct. 1, 2015, 11:30 a.m. (30 minutes)

In a cybercrime business model, it is imperative that the servers used to monitor malware-infected machines are operational round the clock. After a series of takedowns of command and control (C&C) servers related to notorious banking and ransom malware (e.g. Kelihos, GameOver Zeus, CryptoLocker and Citadel) in the last couple of years, the cybercriminals behind these threats have started to look for innovative ways to make their malware infrastructure difficult to locate. One of the approaches they have turned to is to utilize the 'Deep Web' network (e.g. Tor and i2p). The Deep Web was once a channel where illegal drugs and stolen credit card details were sold. Today, it has evolved into the digital playground of threat actors wanting to make their malicious actions untraceable. This paper will talk about different Deep Web technologies, and how these can be both an advantage and a disadvantage to the malware and cybercriminals that use them. We will also take an in-depth look at several notable pieces of malware that leverage the Deep Web network as part of their routines (e.g. as a C&C server, as a host or repository of configuration files and decryption keys, etc.), as well as the trends in the adoption and use of Deep Web by cybercriminals for their malicious activities. We will also discuss technologies that can help researchers and administrators monitor malicious activities in the Deep Web network for their incident response activities, forensic investigation and solution creation.

Presenters:

• Anthony Joe Melgarejo - Trend Micro
  Anthony Joe Melgarejo Anthony Melgarejo was born in Manila in 1990. In 2012, he started his career as a threat research engineer at Trend Micro, where his main role was to analyse malware and create technical reports. He is a contributor to the TrendLabs Security Intelligence Blog where he writes about noteworthy malware and threats such as Shellshock and the Sony hack. In June 2014, he temporarily joined Trend University to train aspiring threat reponse and reseach engineers. In 2015, he joined the Subject Matter Experts (SME) Team where he will handle crypto-ransom malware evolution research.
• Michael John S. Marcos - Trend Micro
  Michael John S. Marcos Michael Marcos graduated from De La Salle University, Manila with a Bachelor's degree in computer science with specialization in network engineering. He started his career as a forensic technology consultant at Ernst and Young doing mostly IT forensic and e-discovery work. His experience in forensic examination and incident response includes cases related to white-collar crimes, corporate espionage, cybercrimes and cyber warfare. He has also appeared as a qualified digital forensic expert in court cases in the Philippines and in the Asia Pacific region. Michael joined Trend Micro in 2014 as part of a team of subject matter experts conducting in-depth research on new malware technologies. During his spare time, he enjoys outdoor activities such as mountaineering and surfing.

Links:

• https://www.virusbulletin.com/conference/vb2015/abstracts/anonymity-king
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/MarcosMelgarejo-VB2015.pdf
• https://www.virusbulletin.com/virusbulletin/2016/12/vb2015-paper-anonymity-king/

Similar Presentations:

• VB2015 / Breaking the bank(er): automated configuration data extraction for banking malware
• VB2018 / DOKKAEBI: Documents of Korean and Evil Binary
• ekoparty 14 (2018) / To Execute or Not to Execute. How to Build a Malware Execution Lab