Crimeware Fingerprinting
Characteristics of Crimenet-Controlled Bot Behavior & The Underground Cyber Economy
Joseph Ponnoly, MBA, MSc, CGEIT, CISM, CISA, CISSP

• Botnets, Bots & Crimeware
• Online financial crimes
• Targets & Attack Mechanisms
• Criminals
• Underground Cyber Economy
• Countermeasures
Understanding Crimeware
Bots, Botnets & Crimeware

Botnets: The No. 1 Internet Security Threat
• Botnets (networks of hijacked or zombie computers)
  ◦ Bypass traditional network security mechanisms
  ◦ Large botnets control an army of over a million nodes
  ◦ Sending 22 to 24 Gbps of data can throttle the Internet
  ◦ 3 Dutch botnet operators arrested September 2005: controlled 1.5 million machines, used them to extort money from a US company, to steal identities and to distribute spyware
  ◦ Thr34t Krew: botherder behind massive DDoS attacks and warez (stolen software distributions); a criminal marketplace
  ◦ Spam botnets to watch in 2009 (SecureWorks)
Bots
• Bots (automated malicious software)
  ◦ Planted on host computers; lie low without the owner's knowledge
  ◦ Bot binaries (malware) help the botmaster to remotely control the hijacked nodes using remote command and control
  ◦ Bots immune to traditional malware defenses (use zero-day or real-time exploits, avoid detection through polymorphism)
What is crimeware?
• Malware (malicious code): Trojans or bots (automated malicious software agents)
  – Use zero-day or real-time exploits (immune to traditional malware defenses); avoid detection using polymorphism
  – Specifically targeted at machines
  – Facilitates online crimes
  – Controlled by crimenets
    ◦ Spam bots
    ◦ Banking Trojans targeting Brazilian banks
Communication Protocols used
• Mostly use IRC (Internet Relay Chat protocol)
  – IRC is an Internet communications protocol
  – Attractive aspects for operators in the underground economy:
    • Real-time group communications
    • Requires very little bandwidth
    • IRC client software is freely available across all operating systems
• Others: HTTP, P2P
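The two IRC properties the slide names, group communication and very little bandwidth, give a defender something concrete to look for in flow logs: many internal hosts holding long-lived, nearly idle sessions to one external endpoint. The Python below is an added example, not material from the deck; it runs that fan-in heuristic over constructed connection summaries, and the record format and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed connection summaries (not from the original deck), one per TCP
# session: src dst dport duration_seconds bytes_out bytes_in.
# Four internal hosts keep hour-long, nearly idle sessions to one external
# host on 6667 (the classic IRC port); the HTTPS flows are short and bulky;
# the lone session to 192.0.2.77 looks like an ordinary single IRC user.
SAMPLE_FLOWS = """\
10.0.0.11 203.0.113.5 6667 7200 4100 9800
10.0.0.12 203.0.113.5 6667 6900 3900 9700
10.0.0.13 203.0.113.5 6667 7100 4000 9600
10.0.0.14 203.0.113.5 6667 7300 4200 9900
10.0.0.11 198.51.100.20 443 12 51200 890000
10.0.0.12 198.51.100.20 443 9 48000 760000
10.0.0.15 192.0.2.77 6667 5400 2000 60000
"""

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    duration_s: int
    bytes_out: int
    bytes_in: int

    @property
    def rate_bps(self) -> float:
        # Average bytes per second over the session; idle C2 channels are tiny.
        return (self.bytes_out + self.bytes_in) / max(self.duration_s, 1)

def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        src, dst, dport, dur, out, inn = line.split()
        flows.append(Flow(src, dst, int(dport), int(dur), int(out), int(inn)))
    return flows

def find_irc_c2_candidates(flows, min_hosts=3, min_duration_s=3600, max_rate_bps=50.0):
    """Return {(dst, dport): [internal hosts]} for endpoints that at least
    min_hosts internal machines hold long-lived, low-rate sessions to.
    Thresholds are assumed values; tune them to the monitored network."""
    by_dst = defaultdict(set)
    for f in flows:
        if f.duration_s >= min_duration_s and f.rate_bps <= max_rate_bps:
            by_dst[(f.dst, f.dport)].add(f.src)
    return {k: sorted(v) for k, v in by_dst.items() if len(v) >= min_hosts}

if __name__ == "__main__":
    for (dst, port), hosts in find_irc_c2_candidates(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible IRC C2 {dst}:{port} <- {len(hosts)} hosts: {', '.join(hosts)}")
```

The grouping keys on session behaviour rather than on port 6667, so a controller listening on a non-standard port is still surfaced; HTTP beaconing, one of the alternatives the slide lists, needs a periodicity heuristic instead.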
Crimeware-controlled Crimes
http://www.youtube.com/watch?v=pzKmzO_Xq3k
• Extortion
• Identity theft
• Distribution of spyware
• Denial of service attacks
• Financial crimes
• Targeted phishing attacks (spear phishing, whaling)
Online Financial Crimes controlled by CrimeNets
• Extortion
  ◦ 2004: bot-driven DDoS attacks against online gambling sites, used for extortion
• Identity theft
• Data theft:
  ◦ confidential data
  ◦ userids and passwords
  ◦ credit card data, Social Security Numbers
  ◦ sensitive files (corporate espionage, political espionage)
• Underground economy servers controlled by botnet operators store and distribute illegal software or credit card data
• Rent out botnets for spamming, distributing spyware, distributed denial of service attacks or spear phishing

Dutch botnet operators (2005)
• Controlled 1.5 million machines
• Used for extorting money from a US company, to steal identities and to distribute spyware
• Used the Toxbot Trojan to infect the compromised machines
Crimeware Targets
• Banks, financial institutions
  – US banks: email-based phishing
  – Brazilian banks, European banks: banking Trojans
• Online gambling
• Online gaming
  – Trojan families (Magania, Nilage)
• Online advertisements
• Online payment systems (PayPal)
• Ecommerce sites (eBay)
  – Email-based phishing targeted PayPal, eBay and US banks
Attack Mechanisms

Crimeware Attack Vectors
• Attack vectors:
  ◦ Phishing
  ◦ Keystroke loggers
  ◦ Social engineering attacks (to open email attachments that contain crimeware)
  ◦ Email, the weapon of mass delivery of Trojans
  ◦ ActiveX drive-by (on compromised or baiting websites)
  ◦ IM (instant messaging)
  ◦ Worm attacks (Conficker worm) to exploit security vulnerabilities of targeted systems
  ◦ Injection of crimeware into legitimate sites via cross-site scripting / web application vulnerabilities
  ◦ Insertion of crimeware into downloadable software

Crimeware Attack Vectors
• Exploits:
  – Scripts and rootkits used to hide the exploits
  – Dynamic IP addresses are used to escape detection
  – Worm attacks to exploit security vulnerabilities of targeted systems
  – Injection of crimeware into legitimate websites via cross-site scripting
  – Insertion of crimeware into downloadable software
• Propagation
  – P2P (peer-to-peer networks)
  – Drive-by downloads
  – Email delivery
Payloads
• Trojans (54% of top malicious code, Internet Security Threat Report)
• Banking Trojans (Brazil) targeting banking transactions
  ◦ Authenticated session hijacking vs. keystroke loggers or credential stealing (session-riding malware used to make fraudulent transactions)
  ◦ Can bypass SSL encryption, traditional authentication and malware defenses
• Trojans targeting European banks (e.g. Haxdoor, Sinowal, Zeus) use wininet.dll hooks
Attack Methods
• Banking Trojans:
  ◦ The Trojan monitors the system or user activity to identify when the user is banking online (Ståhlberg, 2007)
    – Hooking WinInet API functions
    – Browser Helper Object interface
    – Window title enumeration (if the browser title bar contains a string in the filter list, the Trojan logs the keystrokes)
    – DDE COM interfaces
    – Firefox browser extensions and Layered Service Provider interface
  ◦ Capture user credentials
    – Form grabbing
    – Screenshots or video capture (for banks using 'virtual keyboards')
    – Keystroke logging
    – Injection of fraudulent pages or form fields
    – Pharming
    – Man-in-the-middle attacks
Haxdoor Banking Trojan
◦ Haxdoor.gh uses form-grabbing techniques
  – Uses Browser Helper Objects, COM interfaces and API hooking
  – Form grabbing accesses the data before it is encrypted using SSL
◦ Haxdoor.ki banking Trojan hit Swedish banks in January 2007: authenticated session hijacking
  – The Trojan displays an error message after the user has entered the password
  – The Trojan sends the authentication information to the server managed by the attacker
  – The attacker logs on to the bank account and transfers money to his own account or to a hired money mule
  – Successful against banks not using one-time passwords or stronger authentication
Attack Methods (contd.)
• Cryptovirology
  ◦ Malware encrypts critical data on infected machines
  ◦ Extortionists demand money to restore the data
• Data theft attacks
  ◦ Trial attacks start as a sales promotion
  ◦ Followed by DDoS attacks or data theft attacks
• Data aggregation for criminal purposes
The Criminals

Criminal Profiles: Cybercrime Underworld
• Organized crime
  ◦ Banking Trojan gangs operational in Brazil
  ◦ Phishing gangs operating from Eastern Europe
  ◦ Crimeware kits sold on the black market
  ◦ Virus writers employed by cyber underground operators to create spyware and Trojans
  ◦ Customizable Malware/Crimeware as a Service (CWaS)
• Crimeware manufacturing:
  ◦ Malware developers funded to develop malware Trojans/crimeware
  ◦ Dynamics of the cybercrime underworld (Zhuge et al., 2007): virus writers, website crackers and virtual asset thieves collaborate to defraud victims
  ◦ Malicious websites: Phishing Crimeware Map by Websense Security Labs; major attacks from websites hosted in the USA, Russia and China
Underground Cyber Economy
• Underground economy servers used by criminals (Symantec, 2008)
  ◦ Selling stolen information for identity theft
  ◦ Social Security numbers, credit card information, passwords, personal identification numbers, email addresses, bank account information
• An economic model for China's cybercrime underworld (Zhuge et al., 2007)
• Crimeware threat model and taxonomy (US Department of Homeland Security, 2006)
Goods and services available for sale on underground economy servers
Countermeasures
• Defense in depth
• Microsoft's Malicious Software Removal Tool (MSRT)
• Two-factor authentication for banks and eCommerce sites: digital identity and access management
• Real-time defenses: anti-malware, intrusion prevention/detection
• Browser defenses
• AWARENESS
• OS-level security: security by default
Crimeware Bibliography
Dunham, K., Melnick, J. (2009). Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet. Auerbach Publications, Boca Raton, FL.
Jakobsson, M., Ramzan, Z. (2008). Crimeware: Understanding New Attacks and Defenses, 1st ed. Addison-Wesley Professional.
Emigh, A. (2006). The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond. Journal of Digital Forensic Practice, 1(3), 245–260. ISSN 1556-7346.
Symantec. (2009). Internet Security Threat Report.