internet-scale security
DESCRIPTION
Arbor Networks is a member of an elite group of institutions that might be referred to as "super remediators." This is a reflection of having both visibility and remediation capabilities at nearly every tier one operator and the vast majority of service provider networks globally. The Arbor Security Engineering and Response Team (ASERT) shares operationally viable intelligence with hundreds of international Computer Emergency Response Teams (CERTs) in an out-of-band manner, apart from the Arbor Networks product line. We also provide this same data to thousands of network operators via in-band security content feeds. ASERT also operates the world's largest distributed honeynet, capturing traffic destined for pullup routes at major providers across the globe. As of Q3 2014, ASERT monitors roughly 90 terabits per second (Tbps) of global Internet traffic, which we estimate to be a third of the average global Internet bandwidth. This mission and the associated resources that Arbor Networks brings to bear on the problem of global Internet security are a massive impetus for innovation and research. This presentation was originally given at AUSCert 2014 and outlines various datasets that ASERT maintains and offers some brief statistics and findings on global DDoS and advanced threat intelligence.
TRANSCRIPT
![Page 1: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/1.jpg)
Internet-Scale Security Marc Eisenbarth
![Page 2: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/2.jpg)
About the Speaker
![Page 3: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/3.jpg)
About the Speaker’s Employer
![Page 4: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/4.jpg)
Who is Arbor Networks? A Trusted & Proven Vendor Securing the World’s Largest and Most Demanding Networks
90% Percentage of world’s Tier 1 service providers who are Arbor customers
105 Number of countries with Arbor products deployed
69 Tbps Amount of peak global IPv4 traffic monitored by the ATLAS security intelligence initiative right now
#1 Arbor market position in Carrier, Enterprise and Mobile DDoS equipment market segments [Infonetics Research]
12 Number of years Arbor has been delivering innovative security and network visibility technologies & products
$18B 2012 GAAP revenues [USD] of Danaher – Arbor’s parent company providing deep financial backing
![Page 5: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/5.jpg)
Who is Arbor Networks: Analytics
![Page 6: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/6.jpg)
Who is Arbor Networks: Analytics
![Page 7: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/7.jpg)
Who is Arbor Networks: Analytics
![Page 8: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/8.jpg)
Who is Arbor Networks: Analytics
![Page 9: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/9.jpg)
Who is Arbor Networks: Analytics
Google Ideas + ASERT
http://www.digitalattackmap.com
![Page 10: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/10.jpg)
The Arbor ecosystem between service providers & enterprise DCs offers unique insight into emerging and active threats
Enterprise data center services are now fully available!
Enterprise Data Centers Service Providers
Who is Arbor Networks: Mitigation
![Page 11: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/11.jpg)
Cloud mitigation with Peakflow
On site mitigation with Pravail
~67Gbps Attack Traffic ~14Gbps Residual Traffic
Who is Arbor Networks: Mitigation
![Page 12: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/12.jpg)
“MC is taking it like a champ. we nees more bandwidth”
--- Unknown Bad Guy in #operationpayback
Who is Arbor Networks: Mitigation
![Page 13: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/13.jpg)
About the Speaker’s Team
![Page 14: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/14.jpg)
§ Arbor Security Engineering & Response Team
– 7 researchers, 4 developers and 4 threat analysts
– Broad, interdisciplinary background
– https://github.com/arbor
– http://www.arbornetworks.com/asert/
§ Tools
– IDA Pro
– IDAPython
– Hex-Rays decompiler
– bindiff
– OllyDbg
– Windbg
– IDAScope
– P32Dasm
– Pydbg
– CFF Explorer
– Process Hacker
– PEiD
Majority is home-grown
Who is ASERT: The Team
![Page 15: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/15.jpg)
Who is ASERT: The Team
![Page 16: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/16.jpg)
§ Goals of Data Collection
– Broad coverage required to focus on specific use-cases, such as DDoS
– Multiple infection vectors, CnC mechanisms, backscatter analysis, etc.
– Generate unique indicators: honeypots, CnCs themselves, harvesting, etc.
§ Goals of Reverse Engineering
– Reverse engineering of botnet CnC protocol
– Emulation of full CnC protocol for direct CnC and peer (zombie) analysis
– Unique approach to static and dynamic analysis techniques
§ Goals of Large-Scale Analysis
– Understand both latent capabilities and attacker resources
– Internet-scale correlation, i.e. relate a .eml to originating executable
– End-to-end threat lifecycle, i.e. observe actor via CnC then verify the attack via flow
Who is ASERT: Reverse Engineering
![Page 17: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/17.jpg)
Who is ASERT: Reverse Engineering
This bot was seen to attack industrial food processor equipment vendors
![Page 18: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/18.jpg)
```c
// Darkshell bot-to-CnC comms (260 bytes in total)
// DWORD / WORD / BYTE are the Windows 4- / 2- / 1-byte unsigned types.
struct {
    // Header:
    DWORD dwMagic;              // always 0x00000010 for Darkshell

    // Obfuscated section (offsets 0x04 up to 0xA8):
    char  szComputerName[64];   // Name of infected host, NULL-terminated/extended
    char  szMemory[32];         // Amount of memory in infected host; format "%dMB"; NULL-terminated
    char  szWindowsVersion[32]; // Specifies version of Windows; one of: Windows98, Windows95,
                                // WindowsNT, Windows2000, WindowsXP, Windows2003, or Win Vista;
                                // NULL-terminated/extended
    char  szBotVersion[32];     // Specifies version of bot; NULL-terminated/extended;
    char  szUnknown1[4];        // ??? - Always NULL-terminated 'n'; 4 bytes, so the section ends at 0xA8

    // Binary section:
    char  szPadding1[32];       // Filled with 0x00 bytes
    WORD  wUnknown2;            // ??? - We have seen 0x00A0, 0x00B0, and 0x00C0
    WORD  wUnknown3;            // ??? - Always 0xFD7F
    char  szPadding2[20];       // Filled with 0x00 bytes
    WORD  wUnknown4;            // ??? - Always 0xB0FC
    BYTE  cUnknown5;            // ??? - We have seen 0xD6, 0xD7, 0xE6, 0xE7, and 0xF1
    BYTE  cZero;                // Always 0x00
    DWORD dwSignature[8];       // Always 0x00000000, 0xFFFFFFFF, 0x18EE907C, 0x008E917C,
                                // 0xFFFFFFFF, 0xFA8D917C, 0x25D6907C, 0xCFEA907C
};
```
Who is ASERT: Reverse Engineering
![Page 19: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/19.jpg)
```python
def decrypt_darkshell(cipherbytes, start_idx=0x04, stop_idx=0xA8):
    """
    De-obfuscates Darkshell comms encoded using the following method:
        cipherbyte = 0xDE - [plainbyte - ((plainbyte & 0x10) << 1)]
    The obfuscation is reversed as follows:
        intermediate = 0xDE - cipherbyte
        plainbyte = intermediate + ((intermediate & 0x10) << 1)
    """
    # Python 3: cipherbytes is a bytes object, so iterating it yields ints.
    len_mesg = len(cipherbytes)
    if len_mesg != 260:
        raise RuntimeError("Darkshell bot-to-CnC comms are always 260 bytes")
    plainbytes = bytearray()
    for cipherbyte in cipherbytes[start_idx:stop_idx]:
        # Mask to one byte so unexpected input cannot produce out-of-range values.
        intermediate = (0xDE - cipherbyte) & 0xFF
        plainbytes.append((intermediate + ((intermediate & 0x10) << 1)) & 0xFF)
    # Header and binary section are passed through unchanged.
    return cipherbytes[:start_idx] + bytes(plainbytes) + cipherbytes[stop_idx:]
```
Who is ASERT: Reverse Engineering
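An added example, not from the original slides or ASERT's code: a Python 3 parser that applies the de-obfuscation above to a 260-byte check-in and validates the string fields against the constraints in the struct comments, which is how a sinkhole or honeypot can separate real check-ins from noise. The sample message, its host values and all helper names are constructed for illustration.

```python
import re
import struct

# Layout from the struct on the slide (260 bytes). Header and binary section
# stay raw bytes because the slides do not state the wire byte order.
LAYOUT = struct.Struct("<4s64s32s32s32s4s92s")
OBF_START, OBF_STOP = 0x04, 0xA8  # obfuscated span, as in decrypt_darkshell
KNOWN_WINDOWS = {"Windows98", "Windows95", "WindowsNT", "Windows2000",
                 "WindowsXP", "Windows2003", "Win Vista"}


def deobfuscate(data):
    """Reverse the byte-wise obfuscation documented in decrypt_darkshell."""
    out = bytearray()
    for c in data:
        i = (0xDE - c) & 0xFF
        out.append((i + ((i & 0x10) << 1)) & 0xFF)
    return bytes(out)


def obfuscate(data):
    """Forward transform; used here only to build the constructed sample."""
    out = bytearray()
    for p in data:
        i = (p - ((p & 0x10) << 1)) & 0xFF
        out.append((0xDE - i) & 0xFF)
    return bytes(out)


def _cstr(field):
    """Text before the first NUL; non-ASCII raises a ValueError subclass."""
    text = field.split(b"\x00", 1)[0].decode("ascii")
    if not text.isprintable():
        raise ValueError("non-printable bytes in string field")
    return text


def parse_checkin(raw):
    """Parse one 260-byte check-in; raise ValueError if it does not fit."""
    if len(raw) != LAYOUT.size:
        raise ValueError("check-in must be exactly 260 bytes")
    clear = raw[:OBF_START] + deobfuscate(raw[OBF_START:OBF_STOP]) + raw[OBF_STOP:]
    header, name, memory, winver, botver, _unk1, _binary = LAYOUT.unpack(clear)
    fields = {"header": header.hex(), "computer_name": _cstr(name),
              "memory": _cstr(memory), "windows_version": _cstr(winver),
              "bot_version": _cstr(botver)}
    if not re.fullmatch(r"\d+MB", fields["memory"]):
        raise ValueError("memory field is not in %dMB format")
    if fields["windows_version"] not in KNOWN_WINDOWS:
        raise ValueError("unexpected Windows version string")
    return fields


def build_sample():
    """Constructed check-in, not captured traffic; header/binary zero-filled."""
    def pad(text, size):
        return text.encode("ascii").ljust(size, b"\x00")
    strings = (pad("LAB-HOST-01", 64) + pad("2048MB", 32) + pad("WindowsXP", 32)
               + pad("constructed-1.0", 32) + pad("n", 4))
    return bytes(4) + obfuscate(strings) + bytes(92)


if __name__ == "__main__":
    print(parse_checkin(build_sample()))
```

Because a 0x00 plaintext byte maps to 0xDE under this transform, the NUL padding of the string fields shows up on the wire as long runs of 0xDE between offsets 0x04 and 0xA8.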
![Page 20: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/20.jpg)
Who is ASERT: Threat Intelligence
http://www.arbornetworks.com/asert/
![Page 21: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/21.jpg)
Who is ASERT: Blog
![Page 22: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/22.jpg)
ASERT Datasets
![Page 23: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/23.jpg)
ASERT Datasets Active Threat Level Analysis System (ATLAS)
![Page 24: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/24.jpg)
1. ATLAS sensors are deployed in global Internet darknet space to discover and classify attack activity.
2. This information is sent to an ATLAS central repository where it is combined with Arbor Peakflow, third-party, and vulnerability data.
3. ASERT analyzes combined data and converts into actionable intelligence which is posted on the ATLAS public portal.
ASERT Datasets: ATLAS Sensors
![Page 25: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/25.jpg)
§ Sensor network
– Functionally: IDS + Honeypot
– 1.76 million (dark) IPv4 addresses covered
– Global (4 continents) coverage
§ Sensors perform initial triage
– Host/port scanning activity
– Known versus unknown attacks
– Correlation to security events and vulnerability disclosure
– Misconfiguration detection
– Backscatter analysis
ASERT Datasets: ATLAS Sensors
![Page 26: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/26.jpg)
§ Honeypots and sinkholes used for further analysis
– Unknown attacks handed off to high-interaction honeypot / sinkholes
– Attempt to automatically develop threat fingerprint
– Honeypots discover what attackers are attempting
– Classify attacks and characterize scan traffic
– Can capture full payloads
ASERT Datasets: ATLAS Sensors
![Page 27: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/27.jpg)
ASERT Datasets ATLAS Statistics
![Page 28: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/28.jpg)
ASERT Datasets: ATLAS Statistics
§ 275+ ISPs sharing real-time data -> ATLAS Internet Trends
§ Automated hourly export via XML / JSON to Arbor’s ASERT team
§ Customers realize tangible benefit of participation
§ Data derived from Flow / BGP / SNMP correlation
§ Arbor Peakflow product line (Tier 1 ISPs, transit providers, etc.)
§ Correlates Sampled Flow / BGP in real-time
§ Distributed in nature
§ Network / Router / Interface etc. Traffic Reporting
§ Threat Detection (DDoS / malware infections / C&C utilization)
§ Flow statistics feedback, based on ASERT security content feeds
ATLAS currently monitoring a peak of 69.7Tbps of IPv4 traffic across all participants
![Page 29: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/29.jpg)
ASERT Datasets: ATLAS Statistics
![Page 30: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/30.jpg)
ASERT Data Enrichment
![Page 31: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/31.jpg)
ASERT Data Enrichment ATLAS Subscriber Reputation Feed (SRF)
![Page 32: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/32.jpg)
ASERT Data Enrichment: SRF
§ Arbor has extensive sharing network
– Over a hundred national CERT teams (~50% coverage)
– Large cross-section of the security industry - various sharing groups
– ATLAS portal has 711 unique users, representing 6,006 ASNs
§ ATLAS Factoids
– Malware Corral has seen 9.1M unique IPv4 addresses over 90 days
– ASERT has data for 44,570 ASNs of 45,369 ASNs total (~98%)
– ASERT has seen 2.63B unique IPv4 addresses (~71% theoretical)
– (2^32 – 588,514,304) public addresses
– ASERT monitors 1.76M “dark” IPv4 addresses
– The 6,006 ASNs provided ASERT intelligence maps to 1.25B IPv4 hosts (48%)
ASERT provides various “sample digests” in trade with qualified organizations
![Page 33: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/33.jpg)
ASERT Data Enrichment: SRF

```
AN IODEF VERSION CAN BE DOWNLOADED FROM
http://atlas-public.ec2.arbor.net/XXX/2013-10-18/atlas_mail_reports/c97d1e95e9878052571d9a2a39deXXXX/XX-2013-10-18.xml

ATLAS DETAILED REPORT: <REDACTED>
Generated: Sat Oct 19 00:59:16 2013 UTC
Covers 24 hour time period through now.
Questions: Marc Eisenbarth - [email protected]

DENIAL OF SERVICE

OBSERVED INBOUND ATTACKS
Based on actual alerts gathered in our Internet statistics project.
Start, End, Dest CIDR, Dest ASN, Dest CC, Max BPS, Max PPS
2013-09-06:08:04:49, 2013-10-18:15:04:48, "xx.xx.92.250/32", "", , 884237504, 552505
2013-09-06:08:07:49, 2013-10-18:15:04:48, "xx.xx.92.12/32", "", , 628562560, 393004
2013-09-06:08:04:49, 2013-10-18:12:03:48, "xx.xx.92.250/32", "", , 884237504, 552505
2013-09-06:08:07:49, 2013-10-18:12:03:48, "xx.xx.92.12/32", "", , 628562560, 393004
```
![Page 34: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/34.jpg)
ASERT Data Enrichment: SRF

```
OBSERVED OUTBOUND ATTACKS
Based on actual alerts gathered in our Internet statistics project.
Start, End, Source CIDR, Source ASN, Source CC, Max BPS, Max PPS
<REDACTED>

OBSERVED ATTACK COMMANDS
Based on botnet tracking
Timestamp, C&C CC, C&C ASN, C&C IP, Target CC, Target ASN, Target IP
<REDACTED>

MALICIOUS CLIENTS

Attacks
Based on ATLAS honeypot sensors.
IP, Cumulative Bytes
XXX.138.76.59, 15656.0
XXX.138.122.202, 2657.0
XXX.247.33.203, 983.0
XXX.138.133.247, 838.0
```
![Page 35: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/35.jpg)
ASERT Data Enrichment: SRF

```
Scans
Based on ATLAS honeypot sensors.
IP, Cumulative Bytes
XXX.144.74.248, 6316296.0
XXX.167.57.37, 3984822.0
XXX.168.144.59, 3903120.0
XXX.216.131.254, 1522704.0
XXX.216.129.162, 1423104.0
XXX.249.89.82, 1420826.0
XXX.140.122.90, 747584.0
XXX.140.103.249, 480048.0
XXX.140.96.237, 468928.0
XXX.242.187.78, 162192.0
XXX.251.28.182, 154080.0
XXX.158.69.208, 123876.0
XXX.149.69.204, 121860.0
XXX.247.33.203, 117832.0
XXX.210.104.174, 79716.0
```
![Page 36: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/36.jpg)
ASERT Data Enrichment: SRF

```
MALICIOUS SERVERS

Botnet C&C Servers
Based on malicious software analysis and botnet tracking.
CC, ASN, IP, port, malware MD5
<REDACTED>

Phishing Servers
Based on internal link analysis and third-party reports.
CC, ASN, IP, port, URL
XX, 28526, XXX.215.18.103, 80, http://XXXXXXXXX/media/system/css/net.htm

Malicious Links
URLs contacted by malware during automated analysis.
Timestamp, CC, ASN, IP, URL
<REDACTED>
<snip>
```
![Page 37: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/37.jpg)
ASERT Data Enrichment Event Analytics
![Page 38: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/38.jpg)
ASERT Data Enrichment: Events
![Page 39: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/39.jpg)
ASERT Data Enrichment: Events
• Largest DDoS attack seen to date
• Traffic levels verified by service provider community.
• DNS Reflection/Amplification Attack
• Not a new attack vector
• Responsible for other large (100Gb/sec) attacks in the past
• Emphasizes the need to restrict open DNS Resolvers and implement BCP 38/84 at network edges.
• Key concern is that other groups will start generating larger attacks, given the media focus on the Spamhaus attacks.
![Page 40: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/40.jpg)
ASERT Data Enrichment: Events
![Page 41: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/41.jpg)
ASERT Data Enrichment: Events
![Page 42: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/42.jpg)
ASERT Data Enrichment ATLAS Portal
![Page 43: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/43.jpg)
ASERT Data Enrichment: Portal
http://atlas.arbor.net
![Page 44: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/44.jpg)
ASERT Data Enrichment: Portal
http://atlas.arbor.net
![Page 45: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/45.jpg)
ASERT Data Enrichment: Portal
http://atlas.arbor.net
![Page 46: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/46.jpg)
ASERT Data Enrichment: Portal
http://atlas.arbor.net
![Page 47: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/47.jpg)
ASERT Data Enrichment Malware Corral
![Page 48: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/48.jpg)
ASERT Data Enrichment: Portal
• What is the malware designed to do?
• Not necessarily where it’s been, but where is it going?
• Don’t look at just active behavior, but potential behavior
• Prevailing model: unique sample for specific target
![Page 49: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/49.jpg)
Case-Studies Malware Corral Example
![Page 50: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/50.jpg)
Case-Studies: Malware Corral
![Page 51: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/51.jpg)
Case-Studies: Malware Corral
![Page 52: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/52.jpg)
Case-Studies: Malware Corral
![Page 53: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/53.jpg)
Case-Studies: Malware Corral
![Page 54: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/54.jpg)
Case-Studies: Malware Corral
![Page 55: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/55.jpg)
Case-Studies: Malware Corral
![Page 56: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/56.jpg)
Case-Studies: Malware Corral
![Page 57: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/57.jpg)
Case-Studies: Malware Corral
![Page 58: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/58.jpg)
Case-Studies: Malware Corral
![Page 59: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/59.jpg)
High fidelity indicators, based on in-depth analysis of sample
Case-Studies: Malware Corral
![Page 60: Internet-Scale Security](https://reader033.vdocuments.us/reader033/viewer/2022061218/54b6f4094a7959f5698b4586/html5/thumbnails/60.jpg)
Thank You {meisenbarth,asert}@arbor.net