
Abstract

Thursday 1 October 11:30 - 12:00, Red room

Michael John S. Marcos (Trend Micro)
Anthony Joe Melgarejo (Trend Micro)

Slides: download (PDF)

In a cybercrime business model, it is imperative that the servers used to monitor malware-infected machines are operational round the clock. After a series of takedowns of command and control (C&C) servers related to notorious banking and ransom malware (e.g. Kelihos, GameOver Zeus, CryptoLocker and Citadel) in the last couple of years, the cybercriminals behind these threats have started to look for innovative ways to make their malware infrastructure difficult to locate. One of the approaches they have turned to is to utilize the 'Deep Web' network (e.g. Tor and i2p). The Deep Web was once a channel where illegal drugs and stolen credit card details were sold. Today, it has evolved into the digital playground of threat actors wanting to make their malicious actions untraceable.

This paper will talk about different Deep Web technologies, and how these can be both an advantage and a disadvantage to the malware and cybercriminals that use them. We will also take an in-depth look at several notable pieces of malware that leverage the Deep Web network as part of their routines (e.g. as a C&C server, as a host or repository of configuration files and decryption keys, etc.), as well as the trends in the adoption and use of the Deep Web by cybercriminals for their malicious activities.

We will also discuss technologies that can help researchers and administrators monitor malicious activities in the Deep Web network for their incident response activities, forensic investigation and solution creation.
