Sthack 2015 - Ramon Vicens & Victor Acin - Cyber threats "the reality"

Date post: 16-Jul-2015

Transcript

Cyber threats – The reality

March 2015

root [~]# crontab -l

05 14 27 3 4 wall "Cybercrime: Modus Operandi"

10 14 27 3 4 wall "Botnets Overview"

30 14 27 3 4 wall "How to deal with these threats"

Cyber Crime: Modus Operandi

root [~]# wall Cybercrime

What’s the current landscape?

• Malware Botnets

– Point of Sales (POS)

– Trojan bankers

– Credential Stealers

– Ransomware

root [~]# wall Cybercrime Distribution - Infection Vectors & Cyber Kill Chain

• Pre-attack

– The attacker looks for possible targets and obtains any information he needs.

– He also:

• Weaponizes an application or common software

• Weaponizes a website application

• Nowadays you can acquire a great variety of bundles or kits:

– Free kits like SET

– Paying kits like Rock Phish kit, and others...

root [~]# wall Cybercrime Distribution - Infection Vectors & Cyber Kill Chain

• Attackers working together to industrialize cybercrime:

– Use of forums and marketplaces to rent or sell services

– Service bundles

• Creation of different deployment and weaponization kits:

– Spam kits

– Phishing kits

root [~]# wall Cybercrime Distribution - Infection Vectors & Cyber Kill Chain

• Attack

– The attacker launches a campaign to infect the victims

• Via mail

• Contracting the services of other attackers

• Using deployment kits

root [~]# wall Cybercrime Distribution - Infection Vectors & Cyber Kill Chain

• Commonly, the users are infected via a mailing campaign:

root [~]# wall Cybercrime Distribution - Infection Vectors & Cyber Kill Chain

• Once the user is infected, the attacker uses a weaponized web application, or file, to infect the user:

root [~]# wall Cybercrime Distribution - Infection Vectors & Cyber Kill Chain

• This web application or file might be the result of a popular exploit kit.

• Nuclear Pack

– Updated with the latest Flash vulnerability

• Black Hole, Armitage, CrimePack, Eleonore, Firepack…

root [~]# wall Cybercrime Distribution - Infection Vectors & Cyber Kill Chain

• Post-attack

– The malware communicates with the C&C to download the config file

– Begins the exfiltration of data to an exfiltration server.

Botnets overview

root [~]# wall Botnet\ Overview POS – I want to steal your credit cards

• Most Active POS:

– Dexter

– Jackpos

– Soraya

– Backoff

– BrutPos

– ChewBacca

– Decebal

– RawPOS

• Common Features:

– Very targeted to POS systems (searching for installed software and applications)

– Process memory scraping

• Credit card Track 1 and Track 2 detection

• Regex card detection

– Luhn validation

– Keylogger

– Exfiltration via FTP and HTTP

root [~]# wall Botnet\ Overview POS– A glance at JackPos

• JackPOS:

Infection → Installs at %APPDATA% → Sets autostart registry key → Drops watchdog → Spawns jackpos process → Begins memory scraping → Searches for CC → Exfiltrates data

– The watchdog checks if JackPOS is running on the system. If it isn't, it spawns a new JackPOS process.

– JackPOS spawns with names used by Java processes: jusched.exe, javaw.exe...

– Using the CreateToolhelp32Snapshot API, JackPOS scrapes memory from the different processes.

– JackPOS searches for CC using pattern matching methods, grabbing CC only from specific issuers.

root [~]# wall Botnet\ Overview POS– A glance at JackPos

• JackPOS Data Extraction (fields of the exfiltration request):

– mac: MAC address, used as unique identifier

– &t1: base64-encoded Track 1 data

– &t2: base64-encoded Track 2 data
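The detection side of the two POS slides above (regex track detection plus Luhn validation, and the JackPOS `mac`/`t1`/`t2` exfiltration fields), as an added example that is not from the talk or from Blueliv: a Python check that decodes a constructed JackPOS-style POST body, pulls Track 1 and Track 2 records out with regexes and keeps only PANs that pass Luhn, which is the same pattern-plus-Luhn filter an egress monitor or DLP rule would apply. The body, MAC address and card numbers are constructed test values (4111111111111111 is the well-known Luhn-valid test PAN).

```python
import base64
import re
from urllib.parse import parse_qs, quote

# Track 2 (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d*\??")
# Track 1 format B: '%B' PAN '^' NAME '^' YYMM ...
TRACK1_RE = re.compile(r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: separates real PANs from random digit runs in scraped memory."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_jackpos_post(body: str) -> dict:
    """Decode a JackPOS-style exfiltration body (mac, t1, t2) and report each
    track found with its PAN suffix, expiry and whether the PAN passes Luhn."""
    fields = parse_qs(body)
    result = {"mac": fields.get("mac", [""])[0], "tracks": []}
    for key, regex in (("t1", TRACK1_RE), ("t2", TRACK2_RE)):
        for raw in fields.get(key, []):
            try:
                text = base64.b64decode(raw, validate=True).decode("ascii", "replace")
            except ValueError:  # binascii.Error is a ValueError: not base64, skip
                continue
            for m in regex.finditer(text):
                pan = m.group("pan")
                result["tracks"].append({"field": key, "pan_suffix": pan[-4:],
                                         "exp": m.group("exp"), "luhn": luhn_valid(pan)})
    return result


def _b64q(s: str) -> str:
    """Standard base64, URL-quoted so the constructed body survives parse_qs."""
    return quote(base64.b64encode(s.encode()).decode(), safe="")


# Constructed sample body: the third record fails Luhn and must be discarded as noise.
SAMPLE_BODY = (
    "mac=00-11-22-33-44-55"
    "&t1=" + _b64q("%B4111111111111111^DOE/JANE^2512101000000000?")
    + "&t2=" + _b64q(";4111111111111111=25121010000000000?")
    + "&t2=" + _b64q(";4111111111111112=25121010000000000?")
)
```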

root [~]# wall Botnet\ Overview POS– steal your credit cards

• The C&C:

root [~]# wall Botnet\ Overview Trojan Bankers – I want to steal your money

• Common Features

– Steal Cookies, Certs and Passwords

• Keylogger

• Form HTTP/S grabbing

• Screenshots

– Search for local files

– Inject into system process

– Man In The Browser

• HTTP / Socks Proxy

• WebInjects

• Automatic Transfer Systems (ATS)

– DGA

• Most Active Bankers:

– Zeus

– Citadel

– Shylock

– Gozi

– Cridex / Feodo / Dridex

– Sinowal / Torpig

– Dyre

root [~]# wall Botnet\ Overview Trojan Bankers – I want to steal your money

• What is a DGA?

• Domain Generation Algorithm:

• Many samples are using it: Zeus P2P, Dyre, shylock, …

root [~]# wall Botnet\ Overview Trojan Bankers – A glance at Dyre

• Dyre:

Spam → Victim → Malicious installer → Persistence → Basic sysinfo exfiltration → Configuration download → Browser injection → Wait for bank connection → MiTM → Bank info exfiltration and redirection to real bank website

– Dyre infects the victims and injects itself into different processes

root [~]# wall Botnet\ Overview Trojan Bankers – A glance at Dyre

• Dyre – Data Exfiltration:

Request to the C&C

root [~]# wall Botnet\ Overview Trojan Bankers – A glance at Dyre

• Dyre – Decrypting C&C communications:

root [~]# wall Botnet\ Overview Trojan Bankers – A glance at Dyre

• Dyre Configs (snipped):

– Trigger URLs

– “Auth Key” for the redirect

root [~]# wall Botnet\ Overview Credential Stealers– I want your passwords

• Most Active Stealers:

– Pony

– Carbon Grabber

– Betabot

• Common Features:

– Keylogger

– Targets software in order to steal vaults from it (FTP, SSH, Telnet, etc.)

– Targets browser’s vaults

– HTTP/S interception

root [~]# wall Botnet\ Overview Credential Stealers – A glance at Pony

Infection → Am I System? → Yes: proceed to steal credentials / No: proceed to steal user credentials, try to login with another user → Post credentials to C&C

– Pony obtains the list of users in the system and tries to log in with a dictionary attack.

root [~]# wall Botnet\ Overview Credential Stealers– A glance at Pony

• PONY – C&C Communication:

• PONY Control Panel:

• gate.php

• PHP script to process all incoming traffic from bots: decryption and unpacking of HTTP POSTs.

• includes/password_modules.php

• Contains an array of all the software it tries to steal credentials for

• The malware can crack or decrypt quite complex passwords stored in various forms

• includes/database.php

• Contains db schema and accessors

root [~]# wall Botnet\ Overview Credential Stealers– A glance at Pony

• PONY Control Panel – Password Modules:

root [~]# wall Botnet\ Overview Credential Stealers– A glance at Pony

• PONY Control Panel:

Demo: Pony Builder

How do we deal with this?

root [~]# wall Fighting back the current threats

• Traditional solutions aren’t enough anymore

• Organizations need to combine their internal knowledge with external intelligence

[Diagram: Internal + External → Protection]

root [~]# wall Fighting back the current threats

• Information that can be gathered in the wild

– C&C servers

– Exfiltration servers

– Bots IP

– Domain reputation

– Malware samples information

– And a lot more

• How can we gather all that data?

root [~]# wall Fighting back the current threats

• Most effective technique is analysing samples:

root [~]# wall Fighting back the current threats

• Once you have harvested data from the samples, you can feed it to a SIEM
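One concrete shape the "harvest, then feed to a SIEM" step can take, as an added example that is not from the talk or from Blueliv: the indicator categories listed above (C&C servers, exfiltration servers, bot IP ranges) as a small Python matcher run over Squid-style proxy log lines, emitting one SIEM-ready event per hit. The indicator values and log lines are constructed (documentation and reserved address ranges, `.invalid` TLD), and the log format is assumed to be a standard Squid access.log.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed indicator set, one per category named in the talk. These are
# documentation/reserved addresses and a reserved TLD, not real indicators.
C2_DOMAINS = {"cnc-example.invalid"}
EXFIL_IPS = {"198.51.100.23"}
BOT_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Squid access.log: timestamp client status/code bytes method url ...
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+\S+\s+(?P<method>\S+)\s+(?P<url>\S+)")

# Constructed proxy log lines; line 2 is benign, the other three hit an indicator.
SAMPLE_LOG = """\
1427464800.123 10.0.0.5 TCP_MISS/200 512 POST http://cnc-example.invalid/gate.php - text/html
1427464801.456 10.0.0.7 TCP_MISS/200 2048 GET http://www.example.com/index.html - text/html
1427464802.789 10.0.0.9 TCP_MISS/200 128 POST http://203.0.113.77/upload.php - text/plain
1427464803.000 10.0.0.5 TCP_MISS/200 64 GET http://198.51.100.23/cfg.bin - application/octet-stream
"""


def classify_host(host: str):
    """Map the URL's hostname or IP literal to an indicator category, or None."""
    if host.lower() in C2_DOMAINS:
        return "c2_domain"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname that is not on the C&C list
        return None
    if str(ip) in EXFIL_IPS:
        return "exfil_server"
    if any(ip in net for net in BOT_NETS):
        return "bot_range"
    return None


def match_log(text: str) -> list:
    """Return one event dict per log line whose destination matches an indicator."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname or ""
        category = classify_host(host)
        if category:
            events.append({"ts": m.group("ts"), "src": m.group("client"), "dst": host,
                           "method": m.group("method"), "ioc": category})
    return events
```

Each event carries the source host and the indicator category, which is what a SIEM correlation rule needs to tie an internal machine to a known C&C or exfiltration server.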

root [~]# wall Kicking bad guys asses

• Cyber threats are very much like an organism, mutating and improving with time

• And so, we must evolve with them. We think that the future is to build collaborative models

– Sharing information is the key

– The cybercriminals build communities where they share information, and so must we

– Only by collaborating will we be able to keep up with the new threats

root [~]# wall Kicking’ bad guys asses

• From Blueliv, we’re providing a free API with information about malicious servers

https://map.blueliv.com

Demo: Free Tracker API

https://map.blueliv.com

https://github.com/BluelivSecurity

THANK YOU

www.blueliv.com

@blueliv linkedin.com/company/blueliv