Anonymity is King Virus Bulletin 2015: Prague
October 1, 2015
Copyright 2015 Trend Micro Inc. 2
“A man is least himself when he talks in his own person, But give him a mask and he will tell you the truth”
Speakers
• Michael John Marcos, Threat Research Engineer, Trend Micro (SME: Banking Trojan)
• Anthony Joe Melgarejo, Threat Research Engineer, Trend Micro (SME: Ransomware)
Deep Web
• part of the Internet that is inaccessible to conventional search engines, and consequently, to most users.
WHAT’S OUR STORY?
What’s our story
• How it all began?
• How do cybercriminals exploit this technology?
• What can we do to investigate?
• What’s next?
HOW IT ALL BEGAN?
Botnet Topology
• Star
C&C Server
Botnet Topology (cont’d)
• Multi-server
C&C Servers
Takedowns.. Everywhere..
Solution
Deep Web traffic is Encrypted.
Deep Web offers Deception.
[Diagram: infected machine reaching its C&C server through several .onion addresses]
uhwikih256ynt57t.onion
lp4t52xp5vlhyhkb.onion
s6cco2jylmxqcdeh.onion
Deep Web provides Resilience and High Availability.
[Diagram: infected machine → lp4t52xp5vlhyhkb.onion → C&C Server 1, C&C Server 2, C&C Server 3; the servers behind the single address are marked Active, Offline and Reserved]
HOW DO CYBERCRIMINALS EXPLOIT THIS TECHNOLOGY?
Tor - The Onion Router
[Diagram: Tor client path, with one segment marked "Unencrypted"]
Hidden Services
[Diagram: Tor client and hidden service; labels: introduction points IP1, IP2, IP3, rendezvous point RP, directory DB, hidden service public key PK, cookie]
KINS
KINS - Static Analysis
[Figure: 32-bit executable and 64-bit executable, each carrying a TOR executable]
KINS Infection Flow
[Diagram: Installation → Inject → Tor launched with the following command-line arguments]
--HiddenServiceDir "%appdata%\tor\hidden_service"
--HiddenServicePort "1080 127.0.0.1:23318"
--HiddenServicePort "5900 127.0.0.1:26824"
Tor pre-requisites
Tor Browser Installation
Tor2web
Allows Internet users to access Tor hidden services without using Tor Browser
Using Tor2Web
Tor:
• http://duskgytldkxiuqc6.onion
Tor2web:
• http://duskgytldkxiuqc6.tor2web.org
• http://duskgytldkxiuqc6.onion.to
• http://duskgytldkxiuqc6.onion.cab
• etc...
CTB-Locker - Overview
ECDH
TOR AND TOR2WEB
BITCOIN
CTB-Locker Infection Flow
[Diagram: Installation → Inject; the flow shows the Public Key, the Bitcoin Address and the Payment Site]
CTB-Locker: Payment Sites
Blocked Payment sites
CTB-Locker: Leveraging Tor2web availability
Advantages of Malware using Tor2web
• No need for Tor installation
• No Tor network traffic in the system
• Availability of variety
I2P - Invisible Internet Project
[Diagram: client router and server router; client outbound tunnels feed the server inbound tunnels, server outbound tunnels feed the client inbound tunnels; messages shown: HTTP request, delivery status, database store, garlic message]
Dyreza
Dyre capabilities
[Figure: capabilities including NAT and System Information]
Dyreza: Call Home via I2P
Dyreza: Domain generation algorithm
As Malware Support Portal
• CRYPVAULT – crypto-ransomware
[Figure: ransom note showing the support portal URL, the key file, instructions, a brief and a warning message]
As Malware Support Portal (cont’d)
Upload key file
As Malware Support Portal (cont’d)
Real-time Chat Technical Support
As Command and Control Server
• Slempo – Android Backdoor malware
• Trojanized version of Orbot
• Backdoor Commands
As Command and Control Server (cont’d)
[Figure: backdoor traffic showing the Tor URL and the fields of stolen information sent to it]
As File Server hosting malware
• Chanitor, a downloader malware
• It uses Tor2web URLs to deploy a banking trojan, VAWTRAK, on the infected system
Hardcoded Tor2web URLs
WHAT CAN WE DO TO INVESTIGATE?
Forensics / Detection
Good sources of information to extract Deep Web artifacts:
• Command-line arguments
• Installed files and folders
• Prefetch (.pf) files
• Network Traffic
Forensics / Detection (cont’d)
• Command-line arguments
Forensics / Detection (cont’d)
• Installed files and Folder
– Installation Date
– Last Execution Date
– Other info (e.g. generated Deep Web URL, version, etc.)
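As an added example (not code from the presentation), the triage below ties the two artifact sources above together: it scans process-creation records for the Tor hidden-service switches KINS passes to its tor.exe (--HiddenServiceDir, --HiddenServicePort), parses the virtual-port to local-port mappings, and names the file to collect from the hidden-service directory. The sample events, paths and helper names are assumptions; that a Tor HiddenServiceDir holds a hostname file with the generated .onion name is standard Tor behaviour, which is what makes that folder the "installed files" artifact worth pulling.

```python
"""Host-artifact triage for Tor hidden-service command lines.

Added example, not code from the Trend Micro presentation. The
process-creation records below are constructed; the field names mirror
what an EDR or Sysmon export would carry but are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Tor accepts torrc options on the command line as --Option value.
# These two are the ones the KINS slide shows being passed to tor.exe.
HS_ARG = re.compile(r'--(HiddenServiceDir|HiddenServicePort)\s+(?:"([^"]*)"|(\S+))')

# "<virtual port> <target host>:<target port>", e.g. "1080 127.0.0.1:23318"
PORT_MAP = re.compile(r"^(\d{1,5})\s+([^\s:]+):(\d{1,5})$")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {
        "time": "2015-09-30T10:12:01Z",
        "image": r"C:\Users\victim\AppData\Roaming\tor\tor.exe",
        "cmdline": (r'tor.exe --HiddenServiceDir "%appdata%\tor\hidden_service" '
                    r'--HiddenServicePort "1080 127.0.0.1:23318" '
                    r'--HiddenServicePort "5900 127.0.0.1:26824"'),
    },
    {
        "time": "2015-09-30T10:12:09Z",
        "image": r"C:\Windows\System32\notepad.exe",
        "cmdline": "notepad.exe readme.txt",
    },
    {
        # malformed mapping: still a hidden-service launch attempt, so still a finding
        "time": "2015-09-30T10:15:30Z",
        "image": r"C:\Users\victim\AppData\Local\Temp\svc.exe",
        "cmdline": 'svc.exe --HiddenServicePort "80 127.0.0.1:notaport"',
    },
]


def extract_hidden_service_args(cmdline: str) -> Dict[str, List[str]]:
    """Collect every HiddenServiceDir / HiddenServicePort value on a command line."""
    found: Dict[str, List[str]] = {}
    for m in HS_ARG.finditer(cmdline):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        found.setdefault(m.group(1), []).append(value)
    return found


def parse_port_mapping(value: str) -> Optional[Tuple[int, str, int]]:
    """Parse 'vport host:port'; None when the value is not a valid mapping."""
    m = PORT_MAP.match(value.strip())
    if not m:
        return None
    vport, host, lport = int(m.group(1)), m.group(2), int(m.group(3))
    if not (0 < vport < 65536 and 0 < lport < 65536):
        return None
    return vport, host, lport


def triage(events):
    """Return one finding per event whose command line configures a Tor hidden service."""
    findings = []
    for ev in events:
        args = extract_hidden_service_args(ev.get("cmdline", ""))
        if not args:
            continue
        dirs = args.get("HiddenServiceDir", [])
        raw_maps = args.get("HiddenServicePort", [])
        parsed = [parse_port_mapping(v) for v in raw_maps]
        findings.append({
            "time": ev.get("time"),
            "image": ev.get("image"),
            "hidden_service_dirs": dirs,
            # Tor writes the generated .onion name to <dir>\hostname (and the
            # key to <dir>\private_key); collect it to learn the C&C-side address.
            "collect_files": [d + r"\hostname" for d in dirs],
            "mappings": [m for m in parsed if m is not None],
            "malformed_mappings": [v for v, m in zip(raw_maps, parsed) if m is None],
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Each mapping's virtual port is what the onion address exposes (1080 and 5900 on the KINS slide) and the local port is the service on the infected host behind it; both are worth recording alongside the hostname file's contents when scoping an incident.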
Forensics / Detection (cont’d)
• Prefetch files
Forensics / Detection (cont’d)
• Network Traffic logs
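An added example (not from the presentation) of what to look for in those network traffic logs, using the Tor2web material from the earlier slides: any request to a Tor2web gateway carries the onion address as its leftmost label, so gateway hosts such as <onion>.tor2web.org, <onion>.onion.to and <onion>.onion.cab can be collapsed back to the single .onion they all front. The gateway suffixes are the three named on the slide (the slide says more exist); the proxy log lines and function names are constructed.

```python
"""Collapse Tor2web gateway hosts in proxy logs back to their .onion address.

Added example, not code from the Trend Micro presentation. Only the three
gateway domains listed on the Tor2web slide are known here; the log lines
are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

TOR2WEB_SUFFIXES = ("tor2web.org", "onion.to", "onion.cab")

# A v2 onion address (the format in use in 2015): 16 base32 characters.
ONION_V2_LABEL = re.compile(r"^[a-z2-7]{16}$")

# Constructed proxy log: timestamp, client IP, method, URL/host, status.
SAMPLE_PROXY_LOG = """\
2015-09-30T10:12:01Z 10.0.0.15 GET http://duskgytldkxiuqc6.tor2web.org/ 200
2015-09-30T10:12:05Z 10.0.0.15 GET http://www.example.com/index.html 200
2015-09-30T10:13:44Z 10.0.0.22 GET http://duskgytldkxiuqc6.onion.cab/pay 200
2015-09-30T10:14:02Z 10.0.0.31 GET http://cdn.onion.to/static/x.js 503
2015-09-30T10:15:10Z 10.0.0.40 CONNECT duskgytldkxiuqc6.onion:443 - 200
"""


def classify_host(host: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return ('onion', addr), ('tor2web', addr or None), or None.

    ('tor2web', None) means traffic to a gateway whose leftmost label is not a
    well-formed v2 onion name; it is still gateway traffic and still worth a look.
    """
    host = host.lower().rstrip(".")
    if host.endswith(".onion"):
        label = host[:-len(".onion")].split(".")[-1]
        return ("onion", label + ".onion") if ONION_V2_LABEL.match(label) else ("onion", None)
    for suffix in TOR2WEB_SUFFIXES:
        if host.endswith("." + suffix):
            label = host[:-len(suffix) - 1].split(".")[-1]
            addr = label + ".onion" if ONION_V2_LABEL.match(label) else None
            return ("tor2web", addr)
    return None


def host_of(url: str) -> str:
    """Hostname from an absolute URL or from a CONNECT-style host:port."""
    if "://" in url:
        return urlsplit(url).hostname or ""
    return url.split("/")[0].rsplit(":", 1)[0]


def find_deep_web_hits(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Every log line whose destination is an onion or a Tor2web gateway."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, _method, url = parts[:4]
        host = host_of(url)
        cls = classify_host(host)
        if cls is None:
            continue
        kind, onion = cls
        hits.append({"time": ts, "src": src, "host": host, "kind": kind, "onion": onion})
    return hits


def pivot_by_onion(hits) -> Dict[str, List[str]]:
    """Group client IPs by the underlying onion, regardless of which gateway was used."""
    by_onion: Dict[str, set] = {}
    for h in hits:
        if h["onion"]:
            by_onion.setdefault(h["onion"], set()).add(h["src"])
    return {onion: sorted(srcs) for onion, srcs in by_onion.items()}


if __name__ == "__main__":
    found = find_deep_web_hits(SAMPLE_PROXY_LOG)
    for h in found:
        print(h)
    print(pivot_by_onion(found))
```

The pivot is the useful part for an investigation: three clients using three different gateway domains (and one talking to the onion directly) resolve to one C&C identity, which is exactly the "availability of variety" advantage the earlier slide attributes to Tor2web, viewed from the defender's side.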
WHAT’S NEXT
Conclusion
• Cyber criminals will continue to use Deep Web to evade attribution
Over the years..
[Timeline with columns 2012, 2013, 2014 and April 2015; families shown: Skynet, Sefnit, Chewbacca, CryptoWall 3.0, Atrax, BitCrypt, CTB Locker, Zbot, Bifrose, Dyre, Onionduke, VaultCrypt, CryptoWall 2.0, TeslaCrypt, LusyPOS, Babar, Slempo, Chanitor, Torrent Locker, Vawtrak]
April 2015 – October 2015: Tox, ORX Locker, Encryptor RaaS, Cryptoapp, AlphaCrypt, Troldesh
Conclusion
• Cyber criminals will continue to use Deep Web to evade attribution.
• More cybercriminal groups will be attracted to Deep Web.
• Being one-step ahead.
QUESTIONS?
Conclusion
Thank You !!!
Michael John Marcos,
Anthony Joe Melgarejo
October 2015