Update16 1.9.2019
News/Changes
Main page
+ Contains a list of quotations from the great masters and my own.
Windows Vulnerabilities Statistics
+ Update and graphical adjustments
+ Added a new section "2019". It contains the CERT records for 2019.
- Graphical redesign and improved appearance
+ Security tips prepared by experts
+ Added a new table section. It contains information about the given operation.
- Graphical adjustment of the table
- Graphical adjustment of all pages
+ Reports split by category
+ Menu aligned
+ Basic look prepared and ready for further extension.
- Removed several old items.
+ All years split by month.
2013
2013 January February March April May June July August September October November December
2014
2014 January February March April May June July August September October November December
2015
2015 January February March April May June July August September October November December
2016
2016 January February March April May June July August September October November December
2017
2017 January February March April May June July August September October November December
2018
2018 January February March April May June July August September October November December
2019
- New graphical look and layout
+ Merged the Odborné články (expert articles) section and then discontinued it
+ The section will contain a list of offered materials, tutorials and videos for improving knowledge in the IT field.
+ The new section contains individual lessons for individual topics.
+ The section will contain a list of offered materials from security conferences.
+ Added a section containing the individual presentations.
+ DefCon27
- Removed the CERT sections for clarity.
+ Added a breakdown by continent.
- Graphical adjustments to the components in the section
- Menu adjusted in all sections
- Minor graphical adjustments.
- Several adjustments
+ Added a breakdown by year: 2019 2018
+ Split into several sections for clarity and loading speed.
- New graphical design
+ Added a menu of programs divided by category:
Introduction Antivirus Internet Security Anti-Ransomware Encryption Online Services Tools
- New graphical design
+ Added menus to all sections
+ Added Windows Error Code lists in PDF format
+ Created the basic graphical view
- New graphical design. Split into sections and subsections.
+ The section contains a statistical analysis of threats and their development.
+ Divided by year: 2019 2018 2017 2016 2015 2014
- New graphical look.
- Graphical adjustments and appearance fixes.
+ Added a menu of programs divided by category:
Introduction Antivirus Internet Security Anti-Ransomware Encryption Online Services Tools
Gozi | Also known as Ursnif, Gozi is one of the oldest banking trojans. To put it simply, Gozi tricks users into completing financial transactions in accounts that aren't theirs. It has been around since 2007 and, as one of the original banking trojans, has caused millions of dollars in damages. In 2010, the Gozi source code was leaked, which led to the creation of several different versions of the malware. It was leaked for a second time in 2015, which led to further modularization and development of new versions of the malware. In 2016, Latvian hacker Deniss Calovskis was sentenced to time served (21 months) for developing the original Gozi code. Arresting a key developer often stops banking trojans, but it appeared to have little effect on Gozi. After more than ten years, Gozi continues to be one of the most sophisticated and constantly evolving malware families. When first developed, Gozi used rootkit components to hide its processes. More recently it has added both client-side and server-side evasion techniques and has continued to evolve. Recently, Gozi and Tinba have been connected through their use of shared web injection techniques. Although the scope has expanded for many banking trojans, Gozi continues to target financial institutions. As of March 2019, Gozi has been connected to DanaBot for targeting some of the same Italian banks. Gozi shows no signs of stopping and is considered one of the most dangerous banking trojans.
Tinba | Also known as Tiny Banking Trojan, Tinba was first discovered in the wild in 2012 when it was found to have infected a number of computers in Turkey. It is the smallest banking trojan known, consisting only of a 20 KB file. It typically runs geo-specific campaigns, though it varies its regions. Tinba's code was first leaked in 2014 and proved to be a useful resource for malware researchers to analyze. Tinba has also been linked to other banking trojans in the past. It is allegedly a highly modified version of Zeus, as it has a similar architecture. In 2016, F5 Labs reported that Tinba and Gozi used almost identical web injects. They seem to have been bought from the same webinject workshop. Tinba has not been in the news recently, but it would be naive to think that it is gone for good.
Vawtrak | Also known as Neverquest or Snifula, Vawtrak is a descendant of the Gozi banking trojan. First discovered in 2013, Vawtrak was active in geographically targeted campaigns and employs a Cybercrime-as-a-Service business model. This is not unique to Vawtrak, as other trojans, including Gameover Zeus, also use this business model. Instead of selling the malware outright, Vawtrak's authors offer malware delivery based on a service agreement, for example: a number of passwords stolen from X number of users, using bank Y in country Z. There have been a few technical papers detailing the analysis of the Vawtrak malware and its evolution over the years. In January 2017, Vawtrak's alleged author, Russian national Stanislav Vitaliyevich Lisov, who went by the monikers "Black" and "Blackf," was arrested and, as of February 2019, pled guilty to creating, running, and infecting users with the Vawtrak banking trojan. Vawtrak's activity declined after Lisov's arrest; however, another banking trojan, Bokbot (also known as IcedID), has been connected to the group behind Vawtrak.
Emotet | This malware was first identified by security researchers in 2014 as a simple banking trojan. Later versions of the malware evolved and added malware delivery services, including the ability to install other banking trojans. In August 2017, Emotet was connected to another banking trojan, Dridex: Emotet "dropped" Dridex as an additional payload. The technique of using one piece of malware to drop another is not new, but it is significant to see banking trojans "working together." As of September 2018, Emotet was utilizing the EternalBlue Windows vulnerability (first seen with the WannaCry ransomware) in order to propagate. A patch for this powerful vulnerability has long been available; however, there are still devices out there that haven't yet been patched against the SMB (file sharing) vulnerability. Emotet is not a continually running malware; it tends to run in geographically centered campaigns, yet its techniques are constantly evolving and it continues to be dangerous.
Kronos | Kronos is known in Greek mythology as the "Father of Zeus." Kronos malware was first discovered in a Russian underground forum in 2014 after the takedown of Gameover Zeus. It was more expensive than many other banking trojans, costing $7,000 to buy outright or $1,000 for a one-week trial. Many other banking trojans could be bought from underground forums for hundreds, not thousands, of dollars. Kronos marketed itself as one of the most sophisticated trojans, and many malware researchers commented that its author(s) clearly had prior knowledge of malware techniques. The code is well obfuscated using many different techniques. Security researchers from Kaspersky Lab postulated that Kronos may be a spin-off of the Carberp banking trojan, and IBM analysts also connected Kronos to Zeus through its compatible HTML injection mechanism. In August 2017, Marcus Hutchins, the security researcher who single-handedly put a halt to the WannaCry ransomware outbreak, was indicted and charged with writing the Kronos malware with intent to distribute it. In April 2019, Hutchins pled guilty to two of the ten charges laid against him. As of July 26th 2019, Hutchins was sentenced to time served with supervised release. Unlike many other banking trojans, Kronos did not die out with the arrest of a supposed key author. In July 2018, Kronos reemerged with three distinct campaigns targeting Germany, Japan, and Poland. There is also some circumstantial and speculative evidence in the malware research community suggesting that Kronos has been rebranded and is being sold as the Osiris banking trojan. Kronos is still active and continues to be a threat.
Dridex | First seen in 2011, Dridex has had a longer evolutionary journey than most malware families and has survived through the years by obfuscating its main command-and-control (C&C) servers through proxies. Dridex's first appearances in September 2011 came under the name Cridex. It caused destruction to banks until June 2014, when Dridex version 1.1 appeared in the wild. Dridex emerged almost exactly one month after Operation Tovar's takedown of the Gameover ZeuS botnet, which also marked the end of Cridex attacks. Dridex and Gameover ZeuS have many similarities in their code, and attribution for Dridex is tied to a Russian-speaking gang that may be a spinoff from the "Business Club," an organized cybercrime gang that developed the Gameover ZeuS botnet. A number of arrests were made in September 2015, but that did little to stop Dridex. In February 2016, F5 Labs published reports on the Dridex Botnet 220 campaign noting the evolution of the malware, and then in April 2016 noted that Dridex shifted focus from UK banks to US banks. In December 2018, researchers found connections between Dridex, Emotet, and Ursnif/Gozi malware. It continues to evolve technically and remains an active threat.
DanaBot | One of the newer banking trojans, DanaBot first emerged in mid-2018, targeting Australian users. Since it first appeared in the wild, DanaBot has been seen targeting European banks and email providers. Like many other banking trojans, DanaBot has recently shifted focus away from exclusively targeting financial services institutions for a number of reasons. Since users often share passwords across platforms, compromising credentials is still useful for many cybercriminals. F5 Labs also published a notable link between DanaBot, Gozi, and Tinba web injection patterns, supporting the idea that a great deal of fraud business logic is now implemented in JavaScript and sold to malware authors.
Ramnit | This unique banking trojan started out in 2010 as a worm and, sometime after the Zeus source code leak, acquired parts of the Zeus code and became a banking trojan. Ramnit has continued to evolve in terms of sophistication, technique, and scope as a botnet since becoming a banking trojan. It remains active despite a shutdown of 300 command-and-control servers in February 2015. After this setback, Ramnit reappeared in late 2015 and again in mid-2016. In early 2017, F5 Labs published a technical article breaking down Ramnit's new disappearing configuration file. Like many other banking trojans, Ramnit has broadened its scope in recent years. Over the 2017 holiday season, Ramnit's target list was 64% eCommerce retailers in addition to financial services institutions. In 2018, Ramnit continued to work quickly, infecting over 100,000 machines in two months. Ramnit continues to be distributed via exploit kit and still runs active campaigns today, most recently returning to target Italian financial institutions.
Panda | Yet another Zeus variant, Panda was first discovered in Brazil in 2016, around the time of the Olympic games. Panda uses many of the traditional techniques from Zeus, including man-in-the-browser (MITB) attacks and keylogging, but sets itself apart through its advanced stealth capabilities. This has made analyzing the malware more difficult. As of 2017, Panda was able to detect 23 forensic analysis tools, and it is possible that it now detects even more. Like many other banking trojans, Panda has expanded its target list beyond just financial services institutions, and in 2018 was caught targeting cryptocurrency exchanges and social media websites. Moving into 2019, Panda continued to expand its scope. The March 2019 campaign exclusively targeted US-based companies, many of which are in the web services industry. Panda remains active; its stealth capabilities make it a unique malware family that continues to evade anti-virus software.
Backswap | A variant of Tinba, Backswap was first observed in March 2018 targeting Polish banks and browsers. Backswap is written entirely in assembly language and is considered "position-independent code" (PIC), which means that it can be run from anywhere in memory. Its PIC status makes Backswap very different from other banking trojans. The Polish CERT published a comprehensive technical analysis of the code. Backswap quickly expanded scope in April 2018, adding additional banks and techniques thoroughly detailed by F5 Labs. The evolution of techniques continued through August 2018, when Backswap also made a geographical shift away from Polish banks to exclusively target Spanish banks. Through the latter part of 2018 and early 2019, Backswap continued to run campaigns, though its technical evolution has slowed.
Zbot/Zeus | Zeus, also known as Zbot, is a notorious Trojan which infects Windows users and tries to retrieve confidential information from the infected computers. Once it is installed, it also tries to download configuration files and updates from the Internet. The Zeus files are created and customized using a Trojan-building toolkit, which is available online to cybercriminals. Zeus was created to steal private data from the infected systems, such as system information, passwords, banking credentials or other financial details, and it can be customized to gather banking details in specific countries and by using various methods. Using the retrieved information, cybercriminals log into banking accounts and make unauthorized money transfers through a complex network of computers. Zbot/Zeus is based on the client-server model and requires a Command and Control server to send and receive information across the network. The single Command and Control server is considered to be the weak point in the malware architecture, and it is the target of law enforcement agencies when dealing with Zeus. To counter this weak point, the latest variants of Zeus/Zbot have included a DGA (domain generation algorithm), which makes the Command and Control servers resistant to takedown attempts. The DGA generates a list of domain names to which the bots try to connect in case the Command and Control server cannot be reached. Zeus/Zbot, known by many names including PRG and Infostealer, has already infected as many as 3.6 million systems in the United States. In 2009, security analysts found that Zeus had compromised more than 70,000 accounts at banks and businesses, including NASA and the Bank of America.
Zeus Gameover | Zeus Gameover is a variant of the Zeus family, the infamous family of financial stealing malware, which relies upon a peer-to-peer botnet infrastructure. The network configuration removes the need for a centralized Command and Control server and also includes a DGA (Domain Generation Algorithm), which produces new domains in case the peers cannot be reached. The peers in the botnet can act as independent Command and Control servers, exchanging commands or configuration files among themselves and finally sending the stolen data to the malicious servers. Zeus Gameover is used by cybercriminals to collect financial information, targeting various user data from credentials, credit card numbers and passwords to any other private information which might prove useful in retrieving a victim's banking information. GameOver Zeus is estimated to have infected 1 million users around the world.
Ice IX | Ice IX is a modified variant of Zeus, the infamous banking Trojan, one of the most sophisticated pieces of financial malware out there. This modified variant is used by cybercriminals with the same malicious purpose of stealing personal and financial information, such as credentials or passwords for e-mail or online bank accounts. Like Zeus, Ice IX can control the content displayed in a browser used for online banking websites. The injected web forms are used to extract banking credentials and other private security information. Ice IX, the modified version of Zeus, improved a few Zeus capabilities. The most important one is a defense mechanism to evade tracker sites, which currently monitor most Command and Control servers controlled by Zeus.
Bugat | Bugat is another banking Trojan, with similar capabilities to Zeus, the notorious data-stealing Trojan, which is used by IT criminals to steal financial credentials. Bugat targets an infected user's browsing activity and harvests information during online banking sessions. It can upload files from an infected computer, download and execute a list of running processes or steal FTP credentials. Bugat communicates with a command and control server from which it receives instructions and updates to the list of financial websites it targets. The collected information is sent to the cybercriminal's remote server. Cybercriminals spread the malware mostly by inserting malicious links in the e-mails they send to the targeted users. When a user clicks a malicious link, they are directed to a dangerous website from which the Bugat executable downloads onto the system.
Shylock | Shylock is a banking malware designed to retrieve users' banking credentials for fraudulent purposes. As soon as it is installed, Shylock communicates with the remote Command and Control servers controlled by the cybercriminals, sending and receiving data to and from the infected PCs. Similar to Zeus Gameover, this malware makes use of a Domain Generation Algorithm (DGA), which generates a number of domain names that can be used to exchange commands between the malicious servers and the infected systems. The Trojan is delivered mostly through drive-by downloads on compromised websites and via malvertising, where malicious code is inserted in adverts that are then placed on legitimate websites. Another popular method of spreading this financial malware is by inserting malicious JavaScript into a web page. This technique produces a pop-up which pushes the user to download a plugin, apparently necessary for the media display on the website.
Torpig | Torpig is a sophisticated type of malware program designed to harvest sensitive information, such as bank account and credit card information, from its victims. The Torpig botnet (the network of compromised PCs under the control of cybercriminals) is the main means for sending spam e-mails or stealing private information or credentials for online bank accounts. Torpig also uses a DGA (domain generation algorithm) to generate a list of domain names and locate the Command and Control servers used by the attackers. Users are typically infected through drive-by downloads: a web page on a legitimate website is modified to request JavaScript code from a web location controlled by the IT criminals. The infected computers run phishing attacks to obtain sensitive data from their victims.
CryptoLocker | This malware encrypts your data and displays a message which states that your private information can be decrypted for a sum of money within a limited period of time. Though CryptoLocker can be removed by various security solutions, there isn't yet any way to decrypt the locked files. CryptoLocker is one of the nastiest pieces of malware ever created. It's not just because it takes money from you or because it can access your private data, but once it manages to encrypt your information, there is no way for you to decrypt those files. This ransomware is so dangerous because the affected users have their private information disclosed (and taken advantage of) and they also lose the files without any chance of recovering them. CryptoLocker is a ransomware Trojan which can infect your system in different ways, but usually this happens through an apparently legitimate e-mail attachment, from a well-known company or institution. Because it spreads through e-mail attachments, this ransomware is known to target companies and institutions through phishing attacks.
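The Zbot/Zeus, Zeus Gameover, Shylock and Torpig entries above all describe a domain generation algorithm (DGA) as the fallback the bots use to reach their Command and Control servers when the primary one is taken down. From the defender's side, the observable is a burst of DNS lookups from one host for long, high-entropy, vowel-poor names. The following is an added example, not code from the original page or from any of the vendors it cites: a small Python heuristic that scores the registrable label of every name in a DNS query log and reports the clients producing DGA-like lookups. The log lines are constructed, and the thresholds and the public-suffix set are assumptions chosen for illustration rather than tuned detection values.

```python
"""
Heuristic scoring of DNS query logs for DGA-like domain names.

Added example. The log sample below is constructed, and the thresholds and
PUBLIC_SUFFIXES set are assumptions for illustration, not tuned values.
"""
import math
import re
from collections import Counter

# Constructed sample of DNS query log lines: "<timestamp> <client> <qname>".
# 10.0.0.44 issues a burst of lookups for random-looking names among normal ones.
SAMPLE_DNS_LOG = """\
2019-09-01T10:00:01Z 10.0.0.21 www.example.com
2019-09-01T10:00:02Z 10.0.0.21 cdn.example.net
2019-09-01T10:00:03Z 10.0.0.44 xk3tq9vbz7wlpa.com
2019-09-01T10:00:03Z 10.0.0.44 qp0z8ly2hrwn4c.net
2019-09-01T10:00:04Z 10.0.0.44 m7dvk1jxsgt5nb.org
2019-09-01T10:00:05Z 10.0.0.44 update.example.org
2019-09-01T10:00:06Z 10.0.0.44 f2y9rw6uzkhqe3d.info
"""

PUBLIC_SUFFIXES = {"com", "net", "org", "info", "biz", "ru"}  # assumed, minimal
VOWELS = set("aeiou")
ENTROPY_THRESHOLD = 3.2   # assumed: bits per character of the label
MIN_LENGTH = 10           # assumed: shorter labels are too noisy to score
MAX_VOWEL_RATIO = 0.25    # assumed: pronounceable words carry more vowels
MAX_DIGIT_RATIO = 0.2     # assumed: many digits in a label is another DGA signal

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label just before the public suffix, e.g. 'example' for www.example.com."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) >= 2 and parts[-1] in PUBLIC_SUFFIXES:
        return parts[-2]
    return parts[0]


def score_label(label):
    """Compute the lexical features used by the heuristic for one label."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3) if label else 0.0,
        "vowel_ratio": round(vowel_ratio, 3),
        "digit_ratio": round(digit_ratio, 3),
    }


def is_dga_like(features):
    """Long, high-entropy label that is either vowel-poor or digit-heavy."""
    return (features["length"] >= MIN_LENGTH
            and features["entropy"] >= ENTROPY_THRESHOLD
            and (features["vowel_ratio"] <= MAX_VOWEL_RATIO
                 or features["digit_ratio"] > MAX_DIGIT_RATIO))


def parse_log(text):
    """Yield dicts with ts/client/qname for every well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_dga_candidates(log_text):
    """Return (client, qname) pairs whose registrable label looks generated."""
    hits = []
    for rec in parse_log(log_text):
        if is_dga_like(score_label(registrable_label(rec["qname"]))):
            hits.append((rec["client"], rec["qname"]))
    return hits


def clients_by_hit_count(log_text):
    """Suspicious lookups per client; a burst from one host is the real signal."""
    return Counter(client for client, _ in find_dga_candidates(log_text))


if __name__ == "__main__":
    for client, qname in find_dga_candidates(SAMPLE_DNS_LOG):
        print(client, qname, score_label(registrable_label(qname)))
    print(dict(clients_by_hit_count(SAMPLE_DNS_LOG)))
```

The vowel-ratio test matters as much as the entropy test: a long ordinary word such as "securityconference" already clears the entropy threshold used here, and only its normal vowel count keeps it out of the alert list. In practice the per-client count, not a single flagged name, is what an analyst would page on, and the thresholds would be calibrated against the organisation's own resolver logs.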
X The section was discontinued and merged into the Učení Press section
Fixes
! Check the links in the menu: Bsides, 44Con, Canwest, Defcon.
! Fix frame enlargement in all sections