Date posted: 19-Dec-2015
Are we losing the fight?
A practical overview of how malware threatens the Internet economy, using Mebroot/Torpig as an example
Why do people transact online?
Because online transacting is:
- fast
- convenient
- safe
Because people are confident that their information is secure.
Is this value proposition being eroded?
Is the message getting through?
“Malicious Software”, OECD Ministerial Meeting on the Future of the Internet Economy, Seoul, South Korea, 17-18 June, 2008
Barack Obama used “botnets”, “malware” and “conficker” in his Cyber Security Policy announcement, and, for example, a fairly technical Conficker analysis was listed in the bibliography.
Highlights from the OECD report
Malware, in the form of botnets, has become a critical part of a self-sustaining cyber attack system. The use of malware has become more sophisticated and targeted. Many attacks are smaller and attempt to stay “below the radar” of the security and law enforcement communities.
The effectiveness of current security technologies and other protections in detecting and containing malware is challenged by the shrinking of the time between the discovery of vulnerabilities in software products and their exploitation.
The behaviour of market players confronted with malware (whether Internet service providers, e-commerce companies, registrars, software vendors or end users) is influenced by mixed incentives, some working to enhance and some to reduce security. There are many instances in which the costs of malware are externalised by players at one stage of the value chain onto other players in the value chain.
A wide range of communities and actors – from policy makers to Internet service providers to end users – has a role to play in combating malware. There is still limited knowledge, understanding, organisation and delineation of roles and responsibilities in this broad community of actors.
Current response and mitigation are mainly reactive. There is a need for more structured and strategic co-ordination at national and international levels with involvement of all actors to more adequately assess and mitigate the risk of malware.
No single entity has a global understanding of the scope, trends, development and consequences of malware and thus the overall malware problem is difficult to quantify. Data on malware are not consistent and terminology for cataloguing and measuring the occurrence of malware is not harmonised.
Although its economic and social impacts may be hard to quantify, malware used directly or indirectly can harm critical information infrastructures, result in financial losses, and plays a role in the erosion of trust and confidence in the Internet economy.
Threats
- Denying access (e.g. DDoS)
- Extorting money (ransom)
- Espionage
- Stealing information: user ID, password, address, mobile phone
- Stealing money: banking, adware, fake software, money laundering
Information stealing
Two approaches:
- Server attack: hack into a web server and steal lots of personal information at one time
- Client attack: use malware to perpetrate identity theft / online fraud
Why the shift?
Firstly, server attacks are still highly successful through insecure server software (see e.g. the VISA malware report).
However, a client attack has several key advantages:
- It circumvents all server-side security put in place, e.g. by banks
- It gets access to the information in real time (e.g. OTPs)
- It can use the compromised PC for further action (e.g. a botnet, or even “just” an account login). Bullitt County, Kentucky lost $415,000 USD in one such attack (http://voices.washingtonpost.com/securityfix/2009/07/the_pitfalls_of_business_banki.html?wprss=securityfix)
How?
- There are way too many options to choose from
- The bad guys are advertising their services, with considerable competition, rating systems and references
- More and more “ready-to-run” kits are available (crimeware-as-a-service)
Crimeware-as-a-service
More and more kits are available as a hosted service (e.g. ZeusCrimeware):
“[Q] What is
[A] is a mix between the ZeuS Trojan and MalKit, a browser attack toolkit that will steal all information logged on the computer. After being redirected to the browser exploits, the ZeuS bot will be installed on the victim's computer and start logging all outgoing connections.
[Q] How much does it cost?
[A] Hosting for costs $50 for 3 months. This includes the following:
- Fully set up ZeuS Trojan with configured FUD binary
- Log all information via Internet Explorer
- Log all FTP connections
- Steal banking data
- Steal credit cards
- Phish US, UK and RU banks
- Host file override
- All other ZeuS Trojan features
- Fully set up MalKit with stats viewer integrated
- 10 IE 4/5/6/7 exploits, 2 Firefox exploits, 1 Opera exploit
We also host normal ZeuS clients for $10/month. This includes a fully set up ZeuS panel/configured binary”
ZeuEsta feature list
ZeuEsta is capable of the following:
- Exploit unpatched Internet Explorer (all versions)
- Exploit unpatched Firefox (1/2)
- Exploit unpatched Opera (9.62 and below)
- Exploit Adobe Reader 6/7/8 (all browsers)
- Log outgoing browser connections
- Log outgoing FTP connections
- Log outgoing POP3 connections
- Log all IE site cookies
- Log site passwords
- Log ANY site defined in config
- Steal banking information / accounts
- Steal credit cards
- Issue remote commands
- Download and execute files
- Get website certificates
- View screenshots
- Use bots as elite SOCKS4 proxy server
- Host file override (site blocking)
- Check referers from which sites you get most hits
- View exploit statistics to see exploit ratio for your traffic
- Not detected by most antivirus engines
- Plus lots more
Mebroot
- Mebroot is the nastiest piece of malware.
- Mebroot is a rootkit that takes control of a machine by replacing the system’s Master Boot Record (MBR). This allows Mebroot to be executed at boot time, before the operating system is loaded, and to remain undetected by most anti-virus tools.
- Mebroot will never write any file to the hard drive.
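Because Mebroot lives in the MBR and drops no file, one defensive check is to read the first sector of the disk and compare its boot code against a known-good baseline. The following is an added Python example (not code from the presentation); the sample MBR bytes, the baseline hash and the tampered boot code are all constructed.

```python
import hashlib
import struct

SECTOR = 512
ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, count

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot code hash, partition table and boot signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack(ENTRY, sector[446 + 16 * i:462 + 16 * i])
        if ptype:  # type 0x00 marks an unused slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == b"\x55\xAA"}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return the findings a defender should investigate; an empty list means clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from known-good baseline")
    if not any(p["active"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings

def build_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: the given boot code plus one active NTFS partition."""
    code = boot_code.ljust(440, b"\x00")[:440]
    disk_id = b"\x12\x34\x56\x78\x00\x00"  # disk signature + 2 reserved bytes (constructed)
    table = struct.pack(ENTRY, 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return code + disk_id + table + b"\x55\xAA"

# Constructed stand-ins for the vendor boot loader and for a replaced one.
CLEAN_BOOT = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32
TAMPERED_BOOT = b"\xEB\xFE" + CLEAN_BOOT[2:]
# In practice the baseline is recorded once from a known-clean install.
BASELINE = parse_mbr(build_mbr(CLEAN_BOOT))["boot_code_sha256"]

if __name__ == "__main__":
    for name, boot in (("clean", CLEAN_BOOT), ("tampered", TAMPERED_BOOT)):
        print(name, check_mbr(build_mbr(boot), BASELINE) or ["ok"])
```

On a real machine the 512 bytes come from the raw device (e.g. `open("/dev/sda", "rb").read(512)`), read from a clean boot medium rather than the running OS, because an active MBR rootkit can hide its changes from disk reads that go through the infected kernel.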
Mebroot deploys Torpig
Mebroot installs Torpig as its payload, and Torpig is by far the nastiest thing we have ever seen. Generally, it:
- steals login and other personal or confidential details from banking websites
- can inject any HTML content into any website (whether or not the site uses EV SSL) without detection
- can capture CAPTCHAs and compromise virtual keyboards
- can use the information in real time to defeat one-time passwords
- has configuration files for many banking sites, so it knows exactly what to look out for
- is incredibly hard to detect
- works system-wide, so any browser is affected (yes, you heard right: Firefox and Chrome users are also affected)
How? Drive-by install
Mebroot infects hosts and “adds” an invisible <IFRAME> that exploits current vulnerabilities, such as the GetIcon vulnerability in Adobe PDF Reader.
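A webmaster-side check for the injected invisible <IFRAME> described above, as an added Python example (not from the presentation): it parses a page and flags iframes rendered at zero size, hidden via CSS, or pushed off-screen. The sample page and the injected.invalid host are constructed.

```python
import re
from html.parser import HTMLParser

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OFFSCREEN_CSS = re.compile(r"(?:left|top)\s*:\s*-\d{3,}", re.I)

def _px(value: str) -> float:
    """Numeric part of an HTML size attribute ('0', '1px', '400'); infinity if unparseable."""
    m = re.match(r"\s*(-?\d+(?:\.\d+)?)", value)
    return float(m.group(1)) if m else float("inf")

class IframeAuditor(HTMLParser):
    """Collect every <iframe> start tag and record why a visitor would not see it."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = [f"{dim}={a[dim]!r}" for dim in ("width", "height")
                   if dim in a and _px(a[dim]) <= 1]
        style = a.get("style", "")
        if HIDDEN_CSS.search(style):
            reasons.append("hidden via CSS")
        if OFFSCREEN_CSS.search(style):
            reasons.append("positioned off-screen")
        if reasons:
            self.findings.append({"line": self.getpos()[0], "src": a.get("src", ""),
                                  "reasons": reasons})

def audit_html(html: str) -> list:
    """One finding per suspicious iframe; an empty list means nothing was flagged."""
    auditor = IframeAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample: a small-business page with one legitimate embed and one
# injected tag of the kind an attacker with stolen FTP credentials appends.
SAMPLE_PAGE = """<html><body>
<h1>Smith &amp; Sons Plumbing</h1>
<iframe src="https://maps.invalid/embed?id=42" width="400" height="300"></iframe>
<p>Call us for a quote.</p>
<iframe src="http://injected.invalid/" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_PAGE):
        print(f"line {f['line']}: {f['src']} -> {', '.join(f['reasons'])}")
```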
C&C structure
[Diagram: a series of infected servers, each performing a drive-by install of Torpig, …]
Server-side packaging
Observed on the Storm botnet: successive requests for the same file (patch.exe) were each served a different executable, with a 5-10 second delay:

Time  MD5 hash
0:01  3c45c216e84f8e11d8f430a4360dd6be
0:02  73fe77dabc4b268c547fca44bcd2f06a
0:03  f9d0e2c5158893060cfa91b0c05b6aa7
0:04  d1a01e06c9d97420839018dafe53ba73
0:05  c9df0d27a452f496852837621631f6ac
0:06  ca2651724de4406a0b30b1d5b61742d0
0:07  5b822630938e783efe4936e8eb90555a
0:08  397c682495a9ac1f36dfdf7cf0363748
0:09  7137a99429cfdf67525dcf0d61be771f
0:10  036502b7062c3eb2c83f7c7ebea29ec6
File: patch.exe, Length: 37642
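The table above shows why a hash blocklist cannot keep up with server-side packaging: every request gets a fresh binary. An added Python example (not from the presentation) turns that observation into a detection: over a web-proxy log it flags URLs that return a different hash on every request while the response size stays constant. The log lines are constructed; the md5 column assumes a proxy that records a content hash, which is not a standard log field.

```python
from collections import defaultdict

# Constructed proxy log: "<time> <client> <url> <status> <bytes> <md5>". The hashes for
# patch.exe are the ones observed in the table above; the jquery.js rows are invented.
LOG = """\
0:01 10.0.0.5 http://dl.invalid/patch.exe 200 37642 3c45c216e84f8e11d8f430a4360dd6be
0:02 10.0.0.5 http://dl.invalid/patch.exe 200 37642 73fe77dabc4b268c547fca44bcd2f06a
0:03 10.0.0.9 http://dl.invalid/patch.exe 200 37642 f9d0e2c5158893060cfa91b0c05b6aa7
0:04 10.0.0.5 http://dl.invalid/patch.exe 200 37642 d1a01e06c9d97420839018dafe53ba73
0:05 10.0.0.9 http://dl.invalid/patch.exe 200 37642 c9df0d27a452f496852837621631f6ac
0:06 10.0.0.5 http://cdn.invalid/jquery.js 200 93068 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
0:07 10.0.0.9 http://cdn.invalid/jquery.js 200 93068 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
0:08 10.0.0.7 http://cdn.invalid/jquery.js 200 93068 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

def parse_log(text: str) -> list:
    """One dict per well-formed line; malformed lines are skipped rather than crashing the run."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        t, client, url, status, size, digest = fields
        rows.append({"time": t, "client": client, "url": url,
                     "status": int(status), "size": int(size), "md5": digest})
    return rows

def find_polymorphic_urls(rows: list, min_requests: int = 3) -> list:
    """Flag URLs whose 200 responses are all the same size but never share a hash.
    Static files repeat their hash; per-request repacking does not. Dynamic pages
    also vary, so treat hits as leads to investigate, not verdicts."""
    by_url = defaultdict(list)
    for r in rows:
        if r["status"] == 200:
            by_url[r["url"]].append(r)
    hits = []
    for url, rs in by_url.items():
        sizes = {r["size"] for r in rs}
        digests = {r["md5"] for r in rs}
        if len(rs) >= min_requests and len(sizes) == 1 and len(digests) == len(rs):
            hits.append({"url": url, "requests": len(rs), "size": sizes.pop(),
                         "clients": len({r["client"] for r in rs})})
    return hits

if __name__ == "__main__":
    for h in find_polymorphic_urls(parse_log(LOG)):
        print(f"{h['url']}: {h['requests']} requests from {h['clients']} clients, "
              f"always {h['size']} bytes, never the same hash")
```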
Why is it so successful?
- Mebroot/Torpig is the most sophisticated piece of malware you can find on the planet (master boot record, various kernel files, complicated boot process, code injection, server backend)
- Deployment through drive-by from “private” or other compromised sites: they use any FTP account details they steal to compromise the websites of many private individuals and small businesses
Why is it so successful? (contd.)
- They use the information very intelligently
- They only infect as many hosts as they have to in order to stay under the radar
  - They only infect a small percentage, and often only in certain parts of the world (geographic IP)
  - The other main reason could be that they gather much more information than they can use at any one time
- They constantly update the malware so that it stays virtually undetected
- Current AV engines are really bad at detecting an infected system, as Mebroot doesn’t write anything to the hard drive
Why will it continue to be successful?
- The use of more and more crypto inside trojans renders current defense strategies useless; e.g. it is not possible anymore to sinkhole a Mebroot C&C server
- Very high quality code: the developers belong to the best of their class
- There are still a number of “deficiencies” that allow us researchers to be somewhat in control, but this “advantage” will disappear
Why is it a threat?
The University of Santa Barbara infiltrated one C&C server for just 10 days, with astonishing results. The sinkholed C&C server collected almost 70 GB of data:
- stolen credentials from 52,540 different infected machines, and some 297,962 unique credentials (username/password)
- credentials of 8,310 bank accounts at 410 different financial institutions
- more than 11 million HTTP(S) form data entries, 1,258,862 email accounts, 1,235,122 Windows passwords, …
Why is it a threat? (contd.)
Quantifying the value of the financial information stolen by Torpig is an uncertain process because of the characteristics of the underground markets where it may end up being traded. However, a report by Symantec indicated (loose) ranges of prices for common goods and, in particular, priced credit cards between $0.10 and $25 and bank accounts from $10 to $1,000.
If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83k and $8.3M.
Also, a Torpig server was seized in 2008, resulting in the recovery of 250,000 stolen credit and debit cards and 300,000 online bank account login credentials.
BUT STILL
- Mebroot/Torpig will NOT use the information in real time... It will collect the confidential information and use it at a later stage.
- However, there are other high-profile trojans that are doing exactly this, such as:
  - Yaludle (a SilentBanker variant)
  - Some Zeus variants
  - Bankpatch (which even fakes the online statement page so that the fraudulent transactions don’t show up online)
- Mebroot/Torpig use only a handful of the available techniques... There is more to come.
So... Why should we be concerned?
- Financial impact
- Impacts on market players: Internet service providers, electronic commerce, software vendors, registrars, end users
- Erosion of trust and confidence
- Risk to critical infrastructure
Financial Impact
Although precise data on online criminal activity and the associated financial losses is difficult to collect, it is generally accepted that malware contributes significantly to these losses (110)
One recent survey of 52 information technology professionals and managers estimated a slight decline in the direct damages associated with malware, from EUR 12.2 billion in 2004 to EUR 10 billion in 2005 and EUR 9.3 billion in 2006 (Computer Economics). This decrease is largely attributed to the suspicion that indirect or secondary losses are actually increasing. Furthermore, the same survey found that most organisations tracked the frequency of malware incidents but not the financial impacts (Computer Economics).
Another survey estimated the annual loss to United States businesses at USD 67.2 billion. (United States Government Accountability Office 2007)
Impact on ISPs
Both costs and revenues are affected by malware:
- The biggest cost is customer support and abuse management
- Increased traffic volume, through spam and DoS
- Blacklisting could affect the branding of the ISP
Impact on e-commerce companies
- DDoS, which increases costs
- Confidential data leakage
  - External (malware)
  - Internal (malware)
  - Internal (insider threat, ...)
- Typically the user of the e-commerce site is affected
- Transaction fees for payment processing
Impact on software vendors
- Once a software company is affected by malware, the main costs are branding, education, loss of functionality, loss of service, ..., and incident response management
- To avoid becoming affected, the costs are around SDL, testing, patching, ... These costs also apply to the users of the software
Impact on registrars
- Registrars make a lot of money from malware, as C&C servers typically use domain names, at very little cost
- Security researchers quite often “sinkhole” tens of thousands of domains
- The main cost is the abuse department
- Suspending domains may result in legal liabilities
- Malware-related domain deregistration is a complex issue where there is no clear breach of trademark or copyright
- Risk of legal action
Impact on end users
- End users are the typical target of malware
- The economic impact of infected computers is distributed across the whole value system
- Either the user suffers directly, or other players will suffer from such an attack, through the compromised machine
Erosion of trust and confidence
We as a society rely more and more on information systems.
In recent years, a number of surveys have been conducted which show that consumers are concerned about security and privacy risks associated with providing information online or conducting transactions online. (121) The key point of these surveys is that if security and privacy concerns were better able to be addressed, then many more consumers would use e-commerce, e-banking and various e-government services than currently is the case, thus enhancing the economic benefits and efficiencies expected from the use of these platforms.