nullcon 2011 - No bullshit on underground crime: traces, trends, attribution, techniques and more

http://null.co.in/ http://nullcon.net/

NO BULLSHITUnderground crime: traces, trends, attribution,

and more

Fyodor Y., Grugq and a whole bunch of unnamed people :)


Agenda

• Overview• APT vs. Commercialized crime• Data sources• Analysis techniques• Attribution• APT, greed and more• Final words

3http://null.co.in/ http://nullcon.net/

Still .. meet the “authors”.. :)Started as hobby project

We talked about thisAt c0c0n

Here you’ll see Some fresh stuff

Why?...Something we doWhen we need aGood laugh :)

Чтобы заработь на Интернете не

нужноничего и даже

мозгов

“ 想要在網路賺錢－連腦袋也不需要用” - 網路的tutorial ;)

My favorite quote:

But it is not only about money


Attack attribution


General: $$ vs. APT

• $$ -> attacks en masse; social engineering is common; doesn’t relay on 0day; rapid outbreaks

• APT -> multi-staged; single targeted exploit; mostly “spear-phishing” or variants;


A word on attribution

• Attribution is not just the malware analysis


Points to note

• Binary analysis (reversing)• Exploit coding style and encoding• Infection vectors (iframing, malvert,

mass mailing etc)• Bits and pieces in binary and

deobfuscated code


Brief: Data sources and Tools (covered in

workshop)

11


Data analysis and sources• Dealing with large volume of data

(public forums, bbs, manual follow up)

• Mostly public data (reading, scrapping, post analysis etc)

• Often: post mortem analysis of compromised systems

12


Intelligence Gathering

• Automated and manual analysis of publicly available data

13


Automation: difficulties

• Language: complicated for automated processing (slang, misspellings, multiple spellings)

• Context evaluation for new items of trade requires manual analysis

14


Ex.: What does this say?

15


Good luck w/ automated translation

• After language adaption filter:

16


Slang sources• Fenya - Russian prison slang

• Anglonims - English loan words

• Rhyming slang - Sounds like the English word

• Direct translation

Team Cymru has a nice research on russian slang. Not repeated here

17


Tools of trade• Covered in workshop. So we’ll skip

that part


So, russian underground - mafia or geeks? :)

19


From russia with ...

• What is the biggest russian export besides oil, gas and nuclear scientists?? :)

20


-malware -Stuff that lives in your PCAgainst your will :)

21


Typical export sample:

• Targets MS platforms• Often - multi-component (loader,

payload functions in form of DLL etc)• Sensitive information collection (data,

keystrokes and credential information)• Turns computer into web proxy, smtp

proxy, socks etc (useful for rent, spamming etc)

• May extort money from end user

22


Looks familiar?

23


Моscow arest (31/08/2010)

Annual income: over 500,000 rubles (100,000USD)

One unlock charged at300 rubles (10USD) Via SMS

24


Scale: big

25


“export” through legitimate sites

26


Which end up in Google blacklist

27


Why such spike?

• Fun?• Profit!

28


But there’s much more..

malware

OTHERCOOLSTUFF:-)

29


That’s not a russian hax0r

30


This is closer..


Insight on underground market

：－）


We don’t sell or advertize any service

We simply look at the trades :-)

Disclaimer:

33


“We are after the money!” ;-)

• Banking credentials• Credit cards• Shops and goods• Online goods and services• Online currencies• Monetization via Carrier

providers and more

34


“Ликбез”

• WMZ - web money - one wmz = one USD

• Drop - money mule• CC - creditcards• Abuse resistant - Safe to host any

kind of fraudulent service • Partnerka - partnership program

35


Online currencies

• Web Money (WMZ)• Yandex Money• LR (liberty reserve• Epassporte (dead!)

36


More payment systems

37


Exchange points

38


Trading rules

Guarantee service

39


Service verification

40


blacklists

41


White lists

42


Credit cards

Very accessible

43


CC deals made easy

44


Cards, burners

45


And more

46


Bad $$ => good $$ :P

47


Other Online goods

48


Professional massinfection

<--Pricing (per 1000 installs)

<--Pricing (per 1000 installs)

49


ICQ - elite nums :p

50


Mail cracking -:)

~65USD

Price in rubles

51


Looks familiar?

52


Passport scans

4-5USD/scan avg.eu, .ru, .us, asianOne-hand salesAlso offered - scan “redraw”Special prices for bulk

52

53


Full package is also available

54


“Business package” PaIncludes..

Под средства любой загрязненности! For money of any state of dirtinessВ комплект входит: Pack includes1.Банковский акк(online доступ) Online bank account access2.АТМ картa(Дневной лимит на снятие средств 1000$/6000$ В МЕСЯЦ-Возможно увеличение лимита +30$-) ATM card (1000/6000USD per month withdrawal limit)3.Карта кодов (для online доступа) online access passwords4.Копия паспорта дропа Passport copy of “poor john”5.Sim-ka SIM card

Also can be pre-ordered on custom passport scan (25USD)

55


Drop:

Another way to turn dirty cash into profit

56


Saw the news? :)

57


Zeus witchunt :)

Not sure if this would change things :)

58


New bots - custom made

http://www.nomina.ru/search/alternatives_by_value.php?paid_till=2010-09-06&domain=rundll32.ru

http://www.nomina.ru/search/alternatives_by_value.php?paid_till=2010-09-06&domain=rundll32.ru

59


Or pre-built

Why “zeus” when you can buy this?! :p

60


Comes with handyAdmin panel

61


Traf + loader = $$$$

62


Costs

• AU - 300-550$

• UK - 220-300$

• IT - 200-350$

• NZ - 200-250$

• ES,DE,FR - 170-250$

• US - 100-150$

• RU, UA, KZ, KG .. 10-40$

Per 1000 Unique visitors

63


Mass domaintheft

64


DDOSVery affordable

We remove sites of your concurrents with DDOS attack. Fast and effective. Supported:

Prices (in WMZ ~= USD)

Discounts for bulk

65


Abuse resistant hosting

66


Malware A/V QA

67


Hash crackingIn cloud

68


CaptchaIn cloud

69


Exploit packs

70


With nice stats

71


Stats per countryClicks, loads (pwned ;), percentage)

72


Need to build Botnet?

73


WelcomeTDS system

74


Seller

75


Buyer

76


Owner

77


“Game” rules :)Iframe traff. 4USD/1000 clicks No bot traf (ruclicks)

Payday - every monday

78


Making money together

Fake AV affiliation program

79


Fake AV payouts

BalanceLogin


Crimeware: trendsAnd research

81


Moving mobile• Steal a dollar from million - still a

million dollars• Trojaned handsets on sale• WAP sites spreading trojaned games

are very popular• Android trojan samples from china:

– http://www.antiy.com/cn/news/android_adrd.htm

– Geinimi

http://www.antiy.com/cn/news/android_adrd.htm

http://www.antiy.com/cn/news/android_adrd.htm

82


Brief on antiy rep

83


Spreading vector

84


Mobile Malware

85


A case study

• Available from a WAP site• X-rated version of python game• With a secret inside :)

86


Taking a glance

87


The trick!

Press the button “stop” as soon as possible!

88


SEO spam

<*bad* word (rus)

89


Now - delivered professionally :)

90


malwertising

91


Malware infectionHidden behind login screens

• Frequent in banking or other online credential targeted attacks

• Effectively prevents services like google blacklist, HA and other from identifying infections

92


Anti-DDOS el russo

93


Research

• Monetization schemes• Taking over the existing ifrastructures

for forensics analysis and statistics• Hunt the hunters

Hunt the hunter• Pwnkit - automated exploitkit pwner

• Automated exploit kit fingerprinting

• Password bruteforce

• Exploiting bugs and common misconfigurations

• Generates statistics on exploit pack usage :in the wild:


Botnet cost estimation :)

96


DIY botnet ;)

• aim: build a 1000000 node networks

• No skills required• Buy these (available on sale):

– Traffic– Abuse-resistant service– Exploitpack– Botnet gear

97


How much it costs

• Traffic - 10-15KUSD (mixed) infection ratio around 10-20% (depending on exploit pack)

• Abuse resistant server 300USD/month• Exploitpack 200-2000USD• Botnet gear 500- 10,000USD • = 15-20,000USD total + 1-2 months

of work


So what’s up with russian authorities?! ：）

99


No words ;-)

100


What’s next?

101


Get some edukation :-)

102


finale• Computer users ultimately trust their PC

and follow its instructions (please download XX to disinfect YY :p)

• You can be victim, even if you paid for Kaspersky and apply patches regularly :)

• While malware is what you mostly see, cybercrime is not about malware, it is about money

• Global economy - global fraud - global fun? :p

• 0day is not important. Volume is important• (Mostly) not organized crime but ecosystem

103


Thanks!Throw your questions!

• [email protected] http://www.o0o.nu

Date post:	06-May-2015
Category:	Technology
Upload:	nu-the-open-security-community
View:	13,390 times
Download:	0 times

nullcon 2011 - No bullshit on underground crime: traces, trends, attribution, techniques and more

Technology