Posted: 06-May-2015 | Category: Technology | Uploaded by: nu-the-open-security-community
http://null.co.in/ http://nullcon.net/
NO BULLSHIT
Underground crime: traces, trends, attribution, and more
Fyodor Y., Grugq and a whole bunch of unnamed people :)
Agenda
• Overview
• APT vs. commercialized crime
• Data sources
• Analysis techniques
• Attribution
• APT, greed and more
• Final words
Still... meet the "authors" :)
• Started as a hobby project
• We talked about this at c0c0n
• Here you'll see some fresh stuff
• Why? Something we do when we need a good laugh :)
My favorite quote (the slide gives it in Russian and Chinese): "To make money on the Internet you don't need anything, not even brains" - from an Internet tutorial ;)
But it is not only about money
Attack attribution
General: $$ vs. APT
• $$ -> attacks en masse; social engineering is common; doesn't rely on 0day; rapid outbreaks
• APT -> multi-staged; single targeted exploit; mostly "spear-phishing" or variants
A word on attribution
• Attribution is not just malware analysis
Points to note
• Binary analysis (reversing)
• Exploit coding style and encoding
• Infection vectors (iframing, malvertising, mass mailing etc.)
• Bits and pieces in binary and deobfuscated code
Brief: Data sources and tools (covered in workshop)
Data analysis and sources
• Dealing with a large volume of data (public forums, BBS, manual follow-up)
• Mostly public data (reading, scraping, post-analysis etc.)
• Often: post-mortem analysis of compromised systems
Intelligence gathering
• Automated and manual analysis of publicly available data
Automation: difficulties
• Language: complicated for automated processing (slang, misspellings, multiple spellings)
• Context evaluation for new items of trade requires manual analysis
Example: what does this say?
Good luck with automated translation
• After the language adaptation filter:
Slang sources
• Fenya - Russian prison slang
• Anglicisms - English loan words
• Rhyming slang - sounds like the English word
• Direct translation
Team Cymru has published nice research on Russian slang; not repeated here.
Tools of the trade - covered in the workshop, so we'll skip that part
So, Russian underground - mafia or geeks? :)
From Russia with...
• What is the biggest Russian export besides oil, gas and nuclear scientists?? :)
- malware - stuff that lives in your PC against your will :)
Typical export sample:
• Targets MS platforms
• Often multi-component (loader, payload functions in the form of DLLs etc.)
• Sensitive information collection (data, keystrokes and credentials)
• Turns the computer into a web proxy, SMTP proxy, SOCKS etc. (useful for rent, spamming etc.)
• May extort money from the end user
Looks familiar?
Moscow arrest (31/08/2010)
Annual income: over 500,000 rubles (100,000 USD)
One unlock charged at 300 rubles (10 USD) via SMS
Scale: big
"Export" through legitimate sites
Which end up on Google's blacklist
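As an added example (not code from the talk): a small scanner of the kind that catches the injected iframes which get legitimate sites onto Google's blacklist. The hidden-frame heuristics (near-zero size, hidden or off-screen CSS, third-party src host) are common scanner checks rather than anything the slides specify, and the two pages and host names (`shop.example`, `cdn.badhost.example`) are constructed for the example.

```python
"""Flag injected hidden iframes in HTML fetched from a suspected-compromised site.

Added example (not from the talk). Heuristics: an <iframe> that is sized
to (near) zero, hidden or moved off-screen by CSS, or pointing at a third-
party host is reported with the reason(s). Sample pages are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag as a dict of lower-cased attributes."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag names
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


# width/height attribute values that make the frame effectively invisible
_TINY_ATTR = re.compile(r"^\s*[012]\s*(px)?\s*$", re.I)
# CSS that hides the frame or pushes it off-screen
_HIDDEN_CSS = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none"
    r"|(left|top)\s*:\s*-\d+|(width|height)\s*:\s*[012]px",
    re.I,
)


def is_hidden(attrs):
    """True when the iframe's attributes make it invisible to the visitor."""
    if _TINY_ATTR.match(attrs.get("width", "")) and _TINY_ATTR.match(attrs.get("height", "")):
        return True
    return bool(_HIDDEN_CSS.search(attrs.get("style", "")))


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that look injected."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if host and host != page_host.lower():
            reasons.append("third-party:" + host)
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample pages: the second is the first with an injected frame
CLEAN_PAGE = (
    "<html><body><h1>Shop</h1>"
    '<iframe src="https://shop.example/cart" width="300" height="200"></iframe>'
    "</body></html>"
)
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://cdn.badhost.example/in.php" width=0 height=0 '
    'style="visibility:hidden"></iframe></body>',
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, suspicious_iframes(page, "shop.example"))
```

A visible, same-host frame (the shop's own cart widget) passes; the injected one is reported twice over, as hidden and as third-party. Real injections are often obfuscated JavaScript that writes the iframe at run time, so a static pass like this is only the first filter; the page has to be rendered to catch the rest.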
Why such a spike?
• Fun?
• Profit!
But there's much more...
malware - and OTHER COOL STUFF :-)
That's not a Russian hax0r
This is closer...
Insight on the underground market :-)
Disclaimer:
We don't sell or advertise any service
We simply look at the trades :-)
"We are after the money!" ;-)
• Banking credentials
• Credit cards
• Shops and goods
• Online goods and services
• Online currencies
• Monetization via carrier providers and more
Primer ("Ликбез")
• WMZ - WebMoney; one WMZ = one USD
• Drop - money mule
• CC - credit cards
• Abuse resistant - safe to host any kind of fraudulent service
• Partnerka - affiliate (partnership) program
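The automation difficulties listed earlier (slang, misspellings, multiple spellings; context evaluation of new items of trade needing manual work) and the primer above, worked through as an added example that is not code from the talk: a normaliser that maps the spellings found in scraped posts onto the primer's terms and flags unknown words next to a price for manual review. The glossary terms are the primer's; the alias spellings, the transliteration table and the sample post are constructed for the example.

```python
"""Normalise underground-forum jargon to glossary terms before analysis.

Added example (not from the talk). The pipeline handles the three problems
named on the slides - slang, misspellings and multiple spellings - with a
Cyrillic-to-Latin transliteration, exact alias lookup and a fuzzy fallback,
and flags unknown words that sit right before a price as "new items of
trade" for manual review. Glossary terms come from the talk's primer; the
alias spellings and the sample post are constructed for illustration.
"""
import re
import difflib

# Assumption: a plain Cyrillic -> Latin map is enough to compare spellings.
_TRANSLIT = str.maketrans({
    "а": "a", "б": "b", "в": "v", "г": "g", "д": "d", "е": "e", "ё": "e",
    "ж": "zh", "з": "z", "и": "i", "й": "y", "к": "k", "л": "l", "м": "m",
    "н": "n", "о": "o", "п": "p", "р": "r", "с": "s", "т": "t", "у": "u",
    "ф": "f", "х": "h", "ц": "c", "ч": "ch", "ш": "sh", "щ": "sch",
    "ъ": "", "ы": "y", "ь": "", "э": "e", "ю": "yu", "я": "ya",
})

# Canonical term -> spellings seen in posts (Latin, Cyrillic, inflected).
# "сс" is Cyrillic es-es, a homoglyph of Latin "cc" (assumed alias).
GLOSSARY = {
    "WMZ (WebMoney, 1 WMZ = 1 USD)": ["wmz", "webmoney", "вмз", "вебмани"],
    "drop (money mule)": ["drop", "drops", "дроп", "дропы", "дропа", "дропов"],
    "CC (credit cards)": ["cc", "сс", "ccs"],
    "abuse resistant (hosting)": ["abuse-resistant", "bulletproof",
                                  "абузоустойчивый", "абузоустойчивость"],
    "partnerka (affiliate program)": ["partnerka", "партнерка", "партнёрка"],
}

_ALIAS_INDEX = {
    alias.lower().translate(_TRANSLIT): term
    for term, aliases in GLOSSARY.items() for alias in aliases
}
_PRICE = re.compile(r"^\d+[$]?$")
_PRICE_UNITS = {"$", "usd", "wmz", "руб", "р"}


def normalise(token):
    """Lower-case, squash letter runs (drooop -> drop) and transliterate."""
    token = re.sub(r"(.)\1{2,}", r"\1", token.lower())
    return token.translate(_TRANSLIT)


def lookup(token):
    """Map one token to a glossary term, or None if it is unknown."""
    key = normalise(token)
    if key in _ALIAS_INDEX:
        return _ALIAS_INDEX[key]
    if len(key) >= 4:  # fuzzy matching short tokens produces junk
        close = difflib.get_close_matches(key, _ALIAS_INDEX, n=1, cutoff=0.8)
        if close:
            return _ALIAS_INDEX[close[0]]
    return None


def is_price(token):
    """Digits with optional $ sign, or a bare currency unit."""
    return bool(_PRICE.match(token)) or token.lower() in _PRICE_UNITS


def tokenize(text):
    return re.findall(r"[\w$]+", text.lower())


def analyse(text):
    """Return ([(token, term_or_None)], [unknown tokens that precede a price])."""
    tokens = tokenize(text)
    mapped = [(t, lookup(t)) for t in tokens]
    review = [
        t for i, (t, term) in enumerate(mapped)
        if term is None and len(t) >= 3 and not is_price(t)
        and i + 1 < len(tokens) and is_price(tokens[i + 1])
    ]
    return mapped, review


# Constructed sample post (Russian/English mix, as seen on such boards):
# "Selling drops, 150$ per drop. Abuse-resistant hosting 300 wmz/month.
#  Affiliate program pays on Mondays. Dropp for EU, 200 usd. Scans 4$."
SAMPLE_POST = (
    "Продам дропы, 150$ за дропа. Абузоустойчивый хостинг 300 wmz/месяц. "
    "Партнёрка платит по понедельникам. Dropp for EU, 200 usd. Сканы 4$."
)

if __name__ == "__main__":
    mapped, review = analyse(SAMPLE_POST)
    print([(t, term) for t, term in mapped if term])
    print("manual review:", review)
```

On the sample post the inflected and misspelled forms ("дропа", "Dropp", "Партнёрка") resolve to the primer's terms, while "хостинг" (hosting) and "Сканы" (scans) are unknown words sitting before a price and land in the manual-review list, which is where the analyst decides whether a new item of trade has appeared. The fuzzy fallback is deliberately restricted to tokens of four or more characters: two- and three-letter jargon like "cc" would otherwise collide with everything.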
Online currencies
• WebMoney (WMZ)
• Yandex.Money
• LR (Liberty Reserve)
• ePassporte (dead!)
More payment systems
Exchange points
Trading rules
Guarantee service
Service verification
Blacklists
White lists
Credit cards - very accessible
CC deals made easy
Cards, burners
And more
Bad $$ => good $$ :P
Other online goods
Professional mass infection
Pricing (per 1000 installs)
ICQ - elite numbers :p
Mail cracking :)
~65 USD (price shown in rubles)
Looks familiar?
Passport scans
• 4-5 USD/scan avg.
• .eu, .ru, .us, Asian
• One-hand sales
• Also offered - scan "redraw"
• Special prices for bulk
Full package is also available
"Business package" includes...
For funds of any degree of dirtiness! The pack includes:
1. Bank account (online access)
2. ATM card (daily withdrawal limit 1,000 USD; 6,000 USD per month; limit increase possible for +30 USD)
3. Code card (for online access)
4. Copy of the drop's passport ("poor john")
5. SIM card
Can also be pre-ordered with a custom passport scan (25 USD)
Drop: another way to turn dirty cash into profit
Saw the news? :)
Zeus witch hunt :)
Not sure if this would change things :)
New bots - custom made
http://www.nomina.ru/search/alternatives_by_value.php?paid_till=2010-09-06&domain=rundll32.ru
Or pre-built
Why "Zeus" when you can buy this?! :p
Comes with a handy admin panel
Traffic + loader = $$$$
Costs (per 1000 unique visitors)
• AU - 300-550$
• UK - 220-300$
• IT - 200-350$
• NZ - 200-250$
• ES, DE, FR - 170-250$
• US - 100-150$
• RU, UA, KZ, KG... 10-40$
Mass domain theft
DDoS - very affordable
Ad copy: "We take down your competitors' sites with a DDoS attack. Fast and effective. Supported:"
Prices (in WMZ ~= USD); discounts for bulk
Abuse resistant hosting
Malware A/V QA
Hash cracking in the cloud
Captcha in the cloud
Exploit packs
With nice stats
Stats per country: clicks, loads (pwned ;)), percentage
Need to build a botnet?
Welcome: TDS (traffic direction system)
Seller
Buyer
Owner
"Game" rules :)
• Iframe traffic: 4 USD/1000 clicks
• No bot traffic (ruclicks)
• Payday - every Monday
Making money together
Fake AV affiliate program
Fake AV payouts (panel screenshot: balance, login)
Crimeware: trends and research
Moving mobile
• Steal a dollar from a million - still a million dollars
• Trojaned handsets on sale
• WAP sites spreading trojaned games are very popular
• Android trojan samples from China:
– ADRD: http://www.antiy.com/cn/news/android_adrd.htm
– Geinimi
Brief on the Antiy report
Spreading vector
Mobile malware
A case study
• Available from a WAP site
• X-rated version of a Python game
• With a secret inside :)
Taking a glance
The trick!
Press the "stop" button as soon as possible!
SEO spam
(screenshot; the search term is a Russian profanity)
Now - delivered professionally :)
Malvertising
Malware infection hidden behind login screens
• Frequent in banking and other online-credential-targeted attacks
• Effectively prevents services like Google's blacklist, HA and others from identifying infections: their crawlers never see the post-login pages
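The login-screen trick above, as an added example that is not code from the talk. `serve()` is a constructed stand-in for a compromised banking portal that emits the injected frame only to an authenticated session; the two scans show what a reputation crawler with no account sees versus a scan carrying a test account's session. The host names, paths and signing secret are constructed for the example.

```python
"""Why an anonymous reputation crawl misses malware served behind a login.

Added example, not from the talk. serve() is a constructed stand-in for a
compromised banking portal: the injected iframe is only emitted on pages
served to an authenticated session, the cloaking the slide describes. A
crawler that never logs in (Google's blacklist and similar) therefore sees
clean pages; a scan that carries a test account's session does not.
Host names, paths and the signing secret are constructed.
"""
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"
INJECTED = '<iframe src="http://cdn.badhost.example/in.php" width="0" height="0"></iframe>'
_IFRAME_SRC = re.compile(r"<iframe[^>]+src=[\"']([^\"']+)", re.I)


def make_session(user):
    """Issue a session cookie bound to the user with an HMAC tag."""
    tag = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{user}.{tag}"


def session_user(cookie):
    """Return the user for a valid cookie, None for a missing or forged one."""
    if not cookie or "." not in cookie:
        return None
    user, tag = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()[:16]
    return user if hmac.compare_digest(tag, expected) else None


def serve(path, cookie=None):
    """Compromised portal: public pages are clean, post-login pages carry the frame."""
    user = session_user(cookie)
    if path == "/":
        return 200, "<html><body><h1>Bank</h1><a href='/login'>Log in</a></body></html>"
    if path == "/login":
        return 200, "<html><body><form method='post'><input name='u'><input name='p'></form></body></html>"
    if path == "/account":
        if user is None:
            return 302, ""  # anonymous visitors are bounced to /login, empty body
        return 200, f"<html><body><h1>Welcome {user}</h1><p>Balance: 1,234.56</p>{INJECTED}</body></html>"
    return 404, ""


def crawl(paths, cookie=None):
    """Fetch each path (optionally with a session) and collect iframe sources."""
    found = {}
    for path in paths:
        status, body = serve(path, cookie)
        found[path] = _IFRAME_SRC.findall(body) if status == 200 else []
    return found


PATHS = ["/", "/login", "/account"]


def anonymous_scan():
    """What a reputation crawler sees: it never holds a session."""
    return crawl(PATHS)


def authenticated_scan(test_user="scanner"):
    """What a scan with a dedicated test account sees."""
    return crawl(PATHS, make_session(test_user))


if __name__ == "__main__":
    print("anonymous:", anonymous_scan())
    print("authenticated:", authenticated_scan())
```

The anonymous crawl returns no iframes on any path, so the site stays off every blacklist; only the scan that logs in with a throwaway account reaches the injected page. Two caveats for anyone building such a scan: the test account must exist on the real portal (a forged cookie is rejected just like an anonymous visit), and operators who also key delivery on country or browser, as the TDS statistics slides show, will still serve a clean page to a scanner coming from the wrong place, so telemetry from the real victims' endpoints remains the fallback.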
Anti-DDoS el russo
Research
• Monetization schemes
• Taking over the existing infrastructures for forensic analysis and statistics
• Hunt the hunters
Hunt the hunter
• Pwnkit - automated exploit kit pwner
• Automated exploit kit fingerprinting
• Password brute force
• Exploiting bugs and common misconfigurations
• Generates statistics on exploit pack usage in the wild
Botnet cost estimation :)
DIY botnet ;)
• Aim: build a 1,000,000-node network
• No skills required
• Buy these (available on sale):
– Traffic
– Abuse-resistant service
– Exploit pack
– Botnet gear
How much it costs
• Traffic - 10-15K USD (mixed); infection ratio around 10-20% (depending on exploit pack)
• Abuse resistant server 300 USD/month
• Exploit pack 200-2000 USD
• Botnet gear 500-10,000 USD
• = 15-20,000 USD total + 1-2 months of work
So what's up with the Russian authorities?! :)
No words ;-)
What's next?
Get some edukation :-)
Finale
• Computer users ultimately trust their PC and follow its instructions (please download XX to disinfect YY :p)
• You can be a victim even if you paid for Kaspersky and apply patches regularly :)
• While malware is what you mostly see, cybercrime is not about malware, it is about money
• Global economy - global fraud - global fun? :p
• 0day is not important. Volume is important
• (Mostly) not organized crime but an ecosystem
Thanks! Throw your questions!
• [email protected] http://www.o0o.nu