Fyodor Yarochkin - Dissecting Unlawful Internet Activities

Post on 18-Jan-2015

DESCRIPTION

International Security Conference "ZeroNights 2011" - http://www.zeronights.org/

TRANSCRIPT

Dissecting unlawful Internet Activities

Fyodor Yarochkin

@fygrave, Armorize Technologies

AGENDA

Observations

Case studies

Sampling goods and services

Q & A

(c) 2011 Armorize Technologies

MEET THE AUTHORS

Our environment

Honeypots (http, ftp, ssh, smtp, ...)

Sandboxes + proactive internet “browsing”

End points around the globe

Public discussion groups of interest: scraping and indexing

Overview

What makes the news..

Malware

Black SEO

Fake AV

Mass injections

CC abuse

MAIN ACTORS

Kiddies

Profit-oriented crime

APT

Range of players!

Kiddies: hit our honeypots daily :)

Still living in the IRC-bot age

APT

• Kiddies are not very interesting. Following the APT guys is a bit more fun

APT – advanced persistent threat (made lots of noise after the Aurora attacks). But... how advanced is it, really? :-)

APT: attack vectors – often plain silly

APT: in Taiwan

• Targets: academics, post, rail, ..

APT: main characteristics

• Attacks are planned and methodical

• In many instances – the primary aim of an action is information gathering (i.e. javascript that collects and posts the user environment information)

• Malicious content is well-prepared (digitally signed w/ valid certificates etc etc)

APT Research from xecure-lab guys

Aptdeezer: apt analysis platform from xecure-lab

Businessmen are fun to study :)

Online goods and services

Traffic

How to steal a million?

Effectiveness

• Old school: steal it from a bank. Make a lot of noise and either get caught (or run to South America)

• New school: steal a dollar from a million people. It is still a million (and no noise).

So, where is the money?

CC cashing

Banking credentials

Ads (PPC)

Mobile scam

Pharm

Pr0n

DIRECT SOURCES:

Extortions

“Software”

INDIRECT SOURCES:

TRAFF

Credentials

Online goods & services

TRAFFIC..

• You need users to start visiting your “milking resource” to start with..

TRAF. COST

• AU - 300-550$

• UK - 220-300$

• IT - 200-350$

• NZ - 200-250$

• ES,DE,FR - 170-250$

• US - 100-150$

• RU, UA, KZ, KG .. 10-40$

Case studies

Infrastructure compromise: case study

UNDER THE HOOD

Looking into Packet fields

TRACKING THE GHOST

HYPO: ATTACK SCENARIO

RESULTED IN...

http://tools.cisco.com/security/center/viewAlert.x?alertId=17778

Compromised CAs

• How about combining this and compromised CA?

WHAT HAD HAPPENED..

Your traffic is mirrored!!

tunnel source <interface>

tunnel destination <badIP>
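The slide shows the tell-tale sign of the compromise: a tunnel interface on the router pointing at an address nobody on the network team configured. As an added example (not part of the talk), the audit below parses an IOS-style running-config and flags every Tunnel interface whose destination is outside an approved list of endpoints; the sample config and the allow-list are constructed.

```python
# Added example (not from the talk): flag Tunnel interfaces in an IOS-style
# running-config whose "tunnel destination" is not an approved endpoint.
import ipaddress
import re

# Constructed sample: one managed site-to-site tunnel and one tunnel that
# mirrors traffic to an unexpected outside host, as on the slide.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.7
interface Tunnel13
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.99
"""

# Constructed allow-list of endpoints the network team actually operates.
APPROVED_TUNNEL_ENDPOINTS = {ipaddress.ip_network("198.51.100.0/24")}


def parse_tunnels(config: str) -> dict:
    """Map each Tunnel interface name to its tunnel source/destination."""
    tunnels, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^interface\s+(\S+)", line):
            current = m.group(1) if m.group(1).lower().startswith("tunnel") else None
            if current:
                tunnels[current] = {}
        elif current and (m := re.match(r"^\s+tunnel (source|destination)\s+(\S+)", line)):
            tunnels[current][m.group(1)] = m.group(2)
    return tunnels


def unapproved_tunnels(config: str, approved=APPROVED_TUNNEL_ENDPOINTS) -> list:
    """Tunnel interfaces whose destination lies outside every approved network."""
    flagged = []
    for name, attrs in parse_tunnels(config).items():
        dest = attrs.get("destination")
        if dest is None:
            continue  # no destination configured, nothing to mirror to
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            flagged.append(name)  # hostname destination: cannot verify, flag it
            continue
        if not any(addr in net for net in approved):
            flagged.append(name)
    return flagged
```

Running this over a config pulled from the device (or from a config backup) periodically turns a silent mirroring tunnel into an alert, which is exactly the visibility the affected parties in the case study lacked.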

How were they 0wn3d?

AND MORE..

LESSON LEARNT

• The whole city compromised

• Users infected on the fly while visiting legitimate web sites

• Tricky to investigate

• Affected parties - complete denial

Other varieties ;-)

Ad ABUSE: “MALVERTISEMENT”

Introducing ad space hell :)

Source: razorfishmedia.com

Ad network dynamic bidding

• The ad networks' dynamic bidding system is asking for abuse :-)

• Decentralized: small players feed data to the bigger guys (DoubleClick); verification is mostly manual; real-time content tampering is easy; target selection is automated; and a number of mechanisms that prevent click fraud also make automated analysis hard!!!

MALVERT. Mechanics

iframe -> redirect -> iframe -> redirect -> iframe -> iframe to TDS

Malvertisement (cont)

Malvert: agencies get 0wned

• Pulpomedia incident:

Extortions going international

Also a Spanish version

Credit: http://xylibox.blogspot.com/

Common characteristics

• Hosting and domain registration

Registration Service Provided By: Bizcn.com
Website: http://www.cnobin.com
Whois Server: whois.bizcn.com

Domain name: bundespol.net

Registrant Contact: Whois Privacy Protection Service Whois Agent gmvjcxkxhs@whoisservices.cn +86.05922577888 fax: +86.05922577111 No. 61 Wanghai Road, Xiamen Software Park xiamen fujian 361008 cn

person: Ionut Tripa
remarks: SC GoldenIdeas SRL
address: Str. Drumul Sarii, nr. 57C
address: Sector 6, Bucuresti
phone: +0744885334
abuse-mailbox: goldenideas.ionut@yahoo.com
nic-hdl: IT1737-RIPE
source: RIPE # Filtered
mnt-by: GOLDENIDEAS-MNT

WAS ON THE NEWS

COMMON PATTERNS

Exploits / Social tricks

“Social engineering”

Well-operated :)

• Spreads through advertisements (social engineering and exploits)

• Reboots machine until license is purchased (80USD)

• Provides a support hotline (hosted in India)

• Uses legitimate payment gateways (possible to do refunds)

Another attack: infrastructure

Infrastructure

Speedtest.net

Ads.ookla.com

http://35ksegugsfkfue.cx.cc

TDS systems: TRAFF marketplace

COMMON TDS

TDS + verification srv

SEO: another option

• Black SEO:

SEO USE and abuse :)

<*bad* word (rus)

SEO SERVICES

Goods and services: sampling :)

Digital currencies

• Modern-day hawala

Amusing portals

PASSPORT COPIES

.. OR A SET

For money of any state of dirtiness. Pack includes:

1. Online bank account access

2. ATM card (1000/6000 USD per month withdrawal limit)

3. Online access passwords

4. Passport copy of “poor John”

5. SIM card

MALWARE Q/A AND HOSTING

Abuse-resistant hosting

CLOUD-cracking

AND CAPTCHA

MOBILE

• So far - easy to spot with static analysis tools (Android, J2ME)

Press the button “stop” as soon as possible!

LEARNING POSSIBILITIES :)

Questions
