
Cyber Security Project

2014

MIS 510-WEB COMPUTING AND ANALYTICS

TEAM MEMBERS

KIRAN VISWANATHAN PRATHAMESH BHURKE

PRASAD KODRE VANITHA VENKATANARAYANAN

Cyber Security Project

1

Introduction

With the increase in reliance on technology, many aspects of our lives depend on the Internet and computers, including communications, transportation, government, finance and education. As more and more critical information is stored and handled online, the need for a secure way to store all this information rises. Advances in technology have made this data easier to access, and hence the systems are more vulnerable to cyber threats. The increasing volume and sophistication of cyber security threats such as malware attacks, phishing scams, data theft and other online vulnerabilities demand that we remain vigilant about securing our systems and information. Unprotected systems can be easily compromised, and a lot of sensitive information can be obtained and misused. Thousands of infected web pages are discovered every day. Hundreds of millions of records have been involved in data breaches. Companies have lost millions of dollars due to cyber-attacks and the lawsuits that follow them. New attack methods are launched continuously. Through our research we would like to highlight the importance of information security and the vulnerabilities in various industries such as communication, government, banking and social media.

The communication industry, which connects millions of users, faces cyber threats on a day-to-day basis. We analyzed the security levels of Cisco routers and discuss the resulting statistics and analytics in our research. Next we analyze the kinds of attacks launched on industrial systems, the SCADA devices affected by Stuxnet and the countries that faced the greatest impact. We then look into the world of Trojans and discuss the most popular Trojans and their impact on the banking domain. Another area where huge amounts of personal information are under threat is social media sites. By analyzing the Hacker Web forums we deduced that Facebook is the most targeted site.

Cybersecurity Research Questions

1. How secure are the large number of Cisco routers which are currently connected to the internet?

2. Are there any Industrial Control Systems connected to the internet? How secure are SCADA/ICS equipment which are behind the organizational firewall?

3. Which are the top 3 banking Trojans spoken about on Hacker Web?

4. Which is the most targeted social media platform?

Literature Review

To understand the impact of cybersecurity we studied the existing documentation and recent news about cybersecurity. There is a tremendous amount of growth in the area of cybersecurity. Some of the major research papers and blogs we studied are:

1. Banking Trojans: Understanding their impact and how to defend your institution against Trojan-aided fraud.

Reference: https://www4.symantec.com/mktginfo/whitepaper/user_authentication/21195180_WP_GA_BankingTrojansImpactandDefendAgainstTrojanFraud_062611.pdf

This paper talks about the different banking malware families and their impact on the market. The paper gives a good statistical analysis of the affected areas and the impact of the malware. The author also talks about preventive measures that can be taken to prevent future attacks, and about how current attacks can be mitigated.

2. Trojan.Zbot: Trojan.Zbot, also called Zeus, is a Trojan horse that attempts to steal confidential information from the compromised computer.

Reference: http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

This paper talks about Trojan.Zbot. It gives a detailed analysis of the Trojan, its functionality, infection and geographical distribution, and a detailed summary.

3. Carberp Code Leak Stokes Copycat Fears:

Reference: http://krebsonsecurity.com/2013/06/carberp-code-leak-stokes-copycat-fears/

This blog talks about the Carberp Trojan. The article gives details about the Trojan and its growth.

4. Some other important references:

http://en.wikipedia.org/wiki/Industrial_control_system

http://en.wikipedia.org/wiki/SCADA

http://www.digitalbond.com/blog/2010/11/02/what-you-should-know-about-shodan-and-scada/

http://en.wikipedia.org/wiki/Flame_(malware)

http://en.wikipedia.org/wiki/Stuxnet

https://www.owasp.org

Research Design

Shodan data retrieval technique

The Shodan Python API was used as the primary method for retrieving data from Shodan. An API key is required to use this API; it can be obtained by registering at http://www.shodanhq.com/

This API has two important functions:

search() returns a dictionary of result information.

count() returns the total number of results that matched the query and any facet information that was requested.

Both of the above functions accept two parameters:

query – a string which is used to search the database of banners in Shodan

facet – a comma-separated list of properties for which to get summary information

As most of the questions in this report required statistical data, the count() function was used for fetching the data. The Python program fetched the following data from Shodan:

Total results

1. Result count for each of the top 10 organizations for the query

2. Result count for each of the top 10 domains for the query

3. Result count for each of the top 200 countries for the query
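The retrieval described above, as an added example that is not the report's own program: it calls the Shodan library's count() with the three Cisco queries listed in the Appendix, merges the country facets, and computes the unprotected-device percentage that Table 1.0 reports. It assumes the shodan Python package for live use; FakeShodan is a constructed offline stand-in that returns the same response shape, loaded with three rows of Table 1.0 values.

```python
"""Reproduce the Shodan count() retrieval and the Table 1.0 layout (added example)."""

# Queries taken from the report's Appendix.
QUERY_ALL = "cisco-ios"
QUERY_NO_AUTH = "cisco-ios last-modified 200 ok"
QUERY_AUTH = "cisco-ios web-authenticate"

# Facets the report requested: top 10 orgs, top 10 domains, top 200 countries.
FACETS = [("org", 10), ("domain", 10), ("country", 200)]


def facet_counts(client, query, facets=FACETS):
    """Call client.count(query, facets=...) and return (total, {facet: {value: count}})."""
    result = client.count(query, facets=facets)
    summary = {}
    for name, buckets in result.get("facets", {}).items():
        summary[name] = {b["value"]: b["count"] for b in buckets}
    return result["total"], summary


def unprotected_by_country(client):
    """Build Table 1.0 rows: (country, total, auth_required, no_auth, pct).

    pct is the share of devices whose banner shows no authentication, rounded
    to two decimals as in the report. Rows are ordered by no_auth, descending.
    Shodan's country facet uses two-letter codes (US, GB, ...).
    """
    _, all_f = facet_counts(client, QUERY_ALL, [("country", 200)])
    _, noauth_f = facet_counts(client, QUERY_NO_AUTH, [("country", 200)])
    _, auth_f = facet_counts(client, QUERY_AUTH, [("country", 200)])
    rows = []
    for country, total in all_f.get("country", {}).items():
        no_auth = noauth_f.get("country", {}).get(country, 0)
        auth = auth_f.get("country", {}).get(country, 0)
        pct = round(100.0 * no_auth / total, 2) if total else 0.0
        rows.append((country, total, auth, no_auth, pct))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


class FakeShodan:
    """Constructed offline stand-in for shodan.Shodan; figures are Table 1.0 values."""

    DATA = {
        QUERY_ALL: {"US": 380771, "GB": 59607, "CN": 84871},
        QUERY_AUTH: {"US": 261169, "GB": 47885, "CN": 63656},
        QUERY_NO_AUTH: {"US": 2334, "GB": 618, "CN": 564},
    }

    def count(self, query, facets=None):
        # Same shape shodan returns: {'total': N, 'facets': {name: [{'count', 'value'}]}}
        per_country = self.DATA[query]
        return {
            "total": sum(per_country.values()),
            "facets": {
                "country": [{"count": c, "value": v} for v, c in per_country.items()]
            },
        }


if __name__ == "__main__":
    # For live data: import shodan; client = shodan.Shodan("YOUR_API_KEY")
    for row in unprotected_by_country(FakeShodan()):
        print("%-4s total=%7d auth=%7d no_auth=%5d unprotected=%.2f%%" % row)
```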

Data visualization tools

Tableau: Tableau was used to build graphs and other visualizations. The data for these graphs were obtained from the Hacker Web forums and Shodan. For the question regarding social media attacks, a graph is plotted which shows the increase in the number of posts that talked about hacking Facebook from the year 2010 to 2013. It also shows the number of views of these respective posts and threads. This was plotted with the help of Tableau. The data was obtained from the 'Anon' forum in Hacker Web.


Spotfire: Spotfire is another tool for analyzing data and building charts. There are different kinds of charts that can be built with the help of Spotfire. For this project, we make use of Spotfire in the analysis phase for posts related to Facebook. Here we make use of a bar chart which shows the author name on the X-axis and integrates the author's reputation score, number of posts, number of views of the post and the post rank. This gives an overall view of the 'Anon' forum. The result is also filtered to show only the posts which contain the term 'hack Facebook'.

Excel: Many of the graphs were obtained with the help of Excel. The data from the forums were exported to Excel and then the graph was built. Graphs are plotted based on the required metrics.

Content analysis tool

RapidMiner: RapidMiner is a very powerful analysis tool. It has a great graphical interface and provides ways to refine your mining. RapidMiner allows you to build charts and perform statistical analysis, predictive analysis and text analysis. The analysis performed in this project was to mine the text 'hack Facebook' or 'Hacking Facebook' in order to count the number of occurrences of these terms in the posts and threads of the forum 'Anon'. It was also used to mine the word 'Carberp', a virus on which one of our questions is based.

Findings and Discussion

1. How secure are the large number of Cisco routers which are currently connected to the internet?

Many of the Cisco routers which are currently connected to the internet have a web interface to configure the devices. To gain access to these devices, a username and password might be needed. Unauthorized access to these devices may lead to unwanted consequences. Data collected from Shodan for Cisco devices around the world shows that there are at least 1,616,911 Cisco routers connected to the internet. Among these, potentially more than 11,419 devices do not require authentication. This information can be found out by spotting differences in the banner information of the device. Banners which have the "200 OK" status code and a "Last-modified" line do not require authentication. A "www-authenticate" line indicates that a username and password are required.

Country          Total Cisco-IOS devices   Authentication required   No authentication required   Unprotected devices percentage
United States    380771                    261169                    2334                         0.61 %
United Kingdom   59607                     47885                     618                          1.04 %
China            84871                     63656                     564                          0.66 %
Italy            82087                     42820                     462                          0.56 %
Mexico           60032                     51442                     395                          0.66 %
Brazil           39047                     21668                     378                          0.99 %
Russia           77413                     47684                     373                          0.48 %
South Korea      42673                     26399                     322                          0.75 %
India            45197                     29059                     247                          0.55 %
Turkey           69135                     66930                     68                           0.10 %

Table 1.0 Countries with maximum Cisco routers which do not require authentication


The United States has the maximum number of unprotected Cisco routers, followed by the UK and China.

Figure 1.0 Percentage of unprotected Cisco routers of total Cisco routers for each country

Domain                     Unprotected Cisco routers
1. telecomitalia.it        247
2. codetel.net.do          244
3. wanadoo.fr              135
4. mundivox.com            127
5. t-ipconnect.de          116
6. prod-infinitum.com.mx   100
7. uninet-ide.com.mx       90
8. cantv.net               80
9. btopenworld.com         42
10. tpnet.pl               37

Table 2.0 List of top domains with maximum number of unprotected Cisco routers

Now, let's take a look at Cisco routers which fall under the .edu domain network. Out of the total 9248 Cisco routers under the .edu domain network which can be found on Shodan, 71 devices can be accessed without any login or password. The United States has the maximum number of unprotected Cisco routers under the .edu domain network.

Country          Total Cisco-IOS devices under .edu   Authentication required   No authentication required   Unprotected devices percentage
United States    6085                                 5699                      32                           0.52 %
Taiwan           1849                                 1413                      22                           1.19 %
Turkey           530                                  509                       7                            1.32 %
Mali             3                                    0                         3                            100 %
Argentina        111                                  57                        2                            1.80 %
Australia        144                                  115                       2                            1.39 %
Colombia         37                                   33                        1                            2.70 %
Lebanon          7                                    4                         1                            14.28 %
Netherlands      12                                   4                         1                            8.33 %

Table 3.0 Countries with maximum Cisco routers under .edu network which do not require authentication


Following is a list of top domains under the .edu domain network with the maximum number of unprotected Cisco routers. Among these top 10 domains, 4 .edu domains belong to Taiwan.

Domain                    Unprotected Cisco routers
1. mcu.edu.tw             10
2. hargrave.edu           9
3. olemiss.edu            7
4. deu.edu.tr             5
5. ilc.edu.tw             4
6. univ-bamako.edu.ml     3
7. ntust.edu.tw           3
8. vnu.edu.tw             2
9. kent.edu               2
10. wisc.edu              1

Table 4.0 List of top .edu domains with maximum number of unprotected Cisco routers

Similar to .edu domain networks, data for unprotected Cisco devices can also be collected for .gov domain networks. Out of the total 949 Cisco routers under the .gov domain network which can be found on Shodan, 5 devices can be accessed without any login or password.

Country      Total Cisco-IOS devices under .gov   Authentication required   No authentication required   Unprotected devices percentage
Canada       353                                  339                       4                            1.33 %
Brazil       42                                   23                        1                            2.38 %
Argentina    40                                   32                        0                            0 %
Australia    19                                   16                        0                            0 %

Table 5.0 Countries with maximum Cisco routers under .gov network which do not require authentication

2. Are there any Industrial Control Systems connected to the internet? How secure are SCADA/ICS equipment which are behind the organizational firewall?

Wikipedia defines Industrial Control Systems as 'a general term that encompasses several types of control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other smaller control system configurations such as programmable logic controllers (PLC) often found in the industrial sectors and critical infrastructures'. To put it more simply, ICS are devices that control various industrial operations electronically. Ideally, ICS equipment should not be directly connected to the internet and should be placed behind the organizational firewall, accessible only on a private network and only by authorized personnel. However, this does not happen in practice, and a large number of these devices can be found directly accessible from the internet.

So how do these internet-connected ICS equipment pose a threat? ICS control major industrial machinery or operations. This equipment can typically be found at manufacturing industries, oil and gas refineries, power generation plants, nuclear enrichment plants, etc. So not only do these devices handle large-scale operations, they also control life-critical systems. Cyber criminals who are able to gain unauthorized access to these systems might disrupt the operations of these facilities or, worse, sabotage their operations. Let's take a look at a few examples of recent large-scale ICS attacks.

Stuxnet


Stuxnet (W32.Stuxnet) is a computer virus targeted at SCADA systems manufactured by Siemens. The intent of Stuxnet was to sabotage the operations of facilities such as power plants, gas pipelines, etc. where these systems are used. The attack is carried out by reprogramming the PLC, thus modifying the behavior of the intended control systems. The virus was discovered in June 2012 and to date has affected power plants, traffic control systems and factories all around the world. There are speculations that Stuxnet was designed to sabotage nuclear enrichment facilities in Iran. According to a Symantec report, about 60% of the systems infected by the virus were in Iran.

Flame

Flame is a large-scale cyber espionage attack which mainly targeted insecure SCADA/ICS devices and industry computers. The objective was to steal operation-critical information from these devices in the form of screenshots, audio recordings, etc. In May 2012, Kaspersky estimated 1000 machines to be infected by Flame, with victims including industries, governmental organizations and private individuals. Flame has many similarities to Stuxnet. It was distributed using removable media and local networks and had a code structure similar to Stuxnet. However, the purpose of designing these viruses was different. Stuxnet was designed to sabotage operations, primarily of nuclear enrichment facilities, while Flame's objective was to collect and relay intelligence data, and its targets also included thousands of industry computers.

In the case of both Stuxnet and Flame, the systems were hacked even though they were not directly connected to the internet. If so, how secure are the ICS devices which are directly connected to the internet? A simple search for the string 'Siemens SIMATIC' on Shodan reveals that there are at least 1141 Siemens SCADA/ICS devices connected to the internet which should have been behind a firewall. This number is just the tip of the iceberg, as we are not considering devices from other manufacturers, and there are currently more than 250 manufacturers of these devices. Looking at the country-wise distribution of Siemens SCADA/ICS devices from the Shodan search tells us that the US has the maximum number of insecure devices, immediately followed by Germany and Italy.

Figure 2.0 Country-wise distribution of Siemens SCADA/ICS devices connected to internet derived from Shodan search

Below is a list of some SCADA products and the number of these devices accessible from the internet. The device list was obtained from the 'SCADA detection cheat sheet' available on www.owasp.org. Shodan was used to collect statistics for these devices.



Product                        Vendor                                Total accessible devices on internet   Country with maximum number of such devices
Broadwin SCADA                 Broadwin Technology                   12                                     Ireland
ISC SCADA System               Cloris Controls                       14                                     Denmark
ClearSCADA/6.72.4644.1         Control Microsystems & Trio Datacom   45                                     United States
Proficy HMI/SCADA CIMPLICITY   General Electric Company              253                                    India
SIMATIC NET CP 343-1           Siemens                               94                                     China
SIMATIC S7-300                 Siemens                               39                                     United States

Table 6.0 Shodan statistics for some SCADA products

3. Which are the top 3 banking Trojans spoken about on Hacker Web forums?

Banks need to remain vigilant to the threats posed by criminals. New dangers are emerging in areas such as online banking, where transaction volumes are increasing and hence threats are on the rise. More people are using electronic payments, mobile banking and other new technologies, which makes them more appealing to criminals: more transactions mean more money. Banking malware, specifically banking Trojans, is reaching alarming new levels of sophistication. New variations are constantly being introduced to thwart detection by antivirus software on the victim's PC, and real-time capabilities built into the Trojans make it difficult for banks and account holders to spot fraud attempts as they occur.

Based on our observations from the Hacker Web forums, Zeus is still the most spoken-about Trojan, despite the fact that it first came onto the market in 2007 and had its maximum impact in 2009:

Figure 3.0 Statistics of the most spoken about Trojans in Hacker Web forums



Zeus:

The Trojan.Zbot files allow an attacker a high degree of control over the functionality of the final executable that is distributed to targeted computers. The Trojan itself is primarily distributed through spam campaigns and drive-by downloads, though given its versatility, other vectors may also be utilized. The user may receive an email message purporting to be from organizations such as the FDIC, IRS, Myspace, Facebook or Microsoft. The message body warns the user of a problem with their financial information, online account or software and suggests they visit a link provided in the email. The computer is compromised if the user visits the link and the computer is not protected. Upon execution, the Trojan automatically gathers any Internet Explorer, FTP or POP3 passwords that are contained within Protected Storage (PStore).

Citadel:

This Trojan is a variation of Zeus which emerged in 2011. Citadel's initial noteworthiness lies with its creator's novel adoption of the open-source development model that lets anyone review its code and improve upon it. Some of its most notable capabilities included AES encryption of configuration files and of communications with the C&C server, an ability to evade tracking sites, the capacity to block access to security sites on victim machines, and functionality that could record videos of victim activities.

Carberp:

Win32/Carberp is a family of Trojans that may be delivered via malicious code, for instance by variants of Exploit:JS/Blacole. The Trojan downloads other Win32/Carberp components to execute payload code such as stealing online banking credentials and logon data from numerous other software applications, downloading and executing arbitrary files, exporting installed certificates, capturing screenshots and logging keystrokes. Carberp relays the information it steals back to a C&C server under its creator's control. The tricky component was the complicated rootkit functionality, allowing the Trojan to remain unnoticed on the victim's system. The next generation of Carberp added plug-ins, including one that removed anti-malware software from infected machines. It has the ability to encrypt stolen data as it passes between affected machines and their C&C server.

4. Which social media platform is being targeted in 2013 - 2014?

Analyzing the forums available in Hacker Web, we come to the conclusion that Facebook is being targeted most by attackers. Performing text mining to figure out how many posts talk about hacking Facebook, we find that a large number of threads and posts talk about it. A Palestinian hacker named Khalil Shreateh hacked into Mark Zuckerberg's account in August 2013. He had initially reported a bug, but since the Facebook employees were not taking him seriously, he hacked into Mark Zuckerberg's account to prove the bug. Hacking into Facebook has become a serious issue since 2013. Millions of Facebook accounts are being hacked. More than 600,000 Facebook accounts are being compromised every day. For some people Facebook is everything. Hence a huge amount of confidential information is under threat. Using the facts and data collected in Hacker Web, most of the Facebook accounts have been hacked using a "Keylogger". The algorithm for the Keylogger is as follows:

1. Create an Empty log file for storing keylogs.

2. Intercept keys pressed by user using GetAsyncKeyState () function.

3. Store these intercepted values in file.

4. Hide the Running Window Dialog to make it undetectable.

5. Use while loop to make it running in all conditions.

6. Add Sleep () function to reduce the CPU usage to 0%.

Figure 4.0 The graph above provides information about the posts and threads that talk about Facebook in different forums.

Figure 5.0 The graph above displays the rise in the number of posts and number of views that talk about hacking Facebook.



References

http://www.shodanhq.com/

https://www.defcon.org/images/defcon-18/dc-18-presentations/Schearer/DEFCON-18-Schearer-SHODAN.pdf

http://en.wikipedia.org/wiki/Cisco_IOS

http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-technologies/index.html

http://en.wikipedia.org/wiki/Industrial_control_system

http://en.wikipedia.org/wiki/SCADA

http://www.digitalbond.com/blog/2010/11/02/what-you-should-know-about-shodan-and-scada/

http://en.wikipedia.org/wiki/Flame_(malware)

http://en.wikipedia.org/wiki/Stuxnet

https://www.owasp.org

https://www4.symantec.com/mktginfo/whitepaper/user_authentication/21195180_WP_GA_BankingTrojansImpactandDefendAgainstTrojanFraud_062611.pdf

http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

Appendix

Shodan data retrieval technique

Following are the queries used to fetch data from Shodan.

Query                                           Purpose
cisco-ios                                       Cisco routers
cisco-ios last-modified 200 ok                  Cisco routers which do not require authentication
cisco-ios web-authenticate                      Cisco routers which require authentication
cisco-ios hostname:.gov                         Cisco routers for .gov domain
cisco-ios hostname:.edu                         Cisco routers for .edu domain
cisco-ios last-modified 200 ok hostname:.edu    Cisco routers for .edu domain which do not require authentication
cisco-ios last-modified 200 ok hostname:.gov    Cisco routers for .gov domain which do not require authentication
cisco-ios web-authenticate hostname:.edu        Cisco routers for .edu domain which require authentication
cisco-ios web-authenticate hostname:.gov        Cisco routers for .gov domain which require authentication
Siemens, SIMATIC                                Siemens SCADA devices on internet
Location: ./broadWeb/system/bwviewpg.asp        Broadwin SCADA
Server: ISC SCADA Service HTTPserv:00001        ISC SCADA System
Server: ClearSCADA/6.72.4644.1                  ClearSCADA/6.72.4644.1
Server: CIMPLICITY-HttpSvr/1.0                  Proficy HMI/SCADA CIMPLICITY
Server: INDAS WEB SCADA                         INDAS WEB SCADA
Siemens, SIMATIC NET, CP 343-1                  SIMATIC NET CP 343-1
Siemens, SIMATIC, S7-300                        SIMATIC S7-300
Siemens, SIMATIC NET, SCALANCE X208             SIMATIC NET SCALANCE X208
Siemens, SIMATIC NET, Scalance S612             SIMATIC NET SCALANCE S612
SCALANCE W746-1PRO                              Siemens SCALANCE W746-1PRO
