Crimeware Fingerprinting Characteristics of Crimenet-Controlled Bot Behavior & The Underground Cyber Economy Joseph Ponnoly MBA, MSc, CGEIT, CISM, CISA, CISSP

Posted on 27-Jan-2015

DESCRIPTION

Crimeware (malicious trojans and bots) facilitates online financial crimes targeted at eCommerce and eBanking sites. What are the attack mechanisms, and what are the identifying characteristics of these crimenet-controlled bots and trojans?

TRANSCRIPT

Page 1: Crimeware Fingerprinting  Final

Crimeware Fingerprinting

Characteristics of Crimenet-Controlled Bot Behavior & The Underground Cyber Economy

Joseph Ponnoly, MBA, MSc, CGEIT, CISM, CISA, CISSP

Page 2: Crimeware Fingerprinting  Final

Understanding Crimeware

• Botnets, Bots & Crimeware
• Online financial crimes
• Targets & Attack Mechanisms
• Criminals
• Underground Cyber Economy
• Countermeasures

Page 3: Crimeware Fingerprinting  Final

Bots, Botnets & Crimeware

Page 4: Crimeware Fingerprinting  Final

Botnets: The No. 1 Internet Security Threat

Page 5: Crimeware Fingerprinting  Final

Botnets

• Botnets (networks of hijacked or zombie computers)
  ◦ Bypass traditional network security mechanisms
  ◦ Large botnets control an army of over a million nodes
  ◦ Sending 22 to 24 Gbps of data can throttle the Internet
  ◦ 3 Dutch botnet operators arrested September 2005: controlled 1.5 million machines, used them to extort money from a US company, to steal identities and to distribute spyware
  ◦ Thr34t Krew: botherder behind massive DDoS attacks and warez (stolen software distributions)
• Criminal marketplace
  ◦ Spam botnets to watch in 2009 (Secureworks)

Page 6: Crimeware Fingerprinting  Final

Bots

• Bots (automated malicious software)
  ◦ Planted on host computers, they lie low without the owner's knowledge
  ◦ Bot binaries (malware) help the botmaster to remotely control the hijacked nodes using remote command and control
  ◦ Bots immune to traditional malware defenses (use zero-day or real-time exploits, avoid detection through polymorphism)

Page 7: Crimeware Fingerprinting  Final
Page 8: Crimeware Fingerprinting  Final

What is crimeware?

• Malware (malicious code)
  – Trojans or bots (automated malicious software agents)
  – Use zero-day or real-time exploits (immune to traditional malware defenses), avoid detection using polymorphism
  – Specifically targeted at machines
  – Facilitates online crimes
  – Controlled by Crimenets
    ◦ Spam Bots
    ◦ Banking Trojans targeting Brazilian banks

Page 9: Crimeware Fingerprinting  Final

Communication Protocols used

• Mostly use IRC (Internet Relay Chat Protocol)
  – IRC is an Internet communications protocol
  – Attractive aspects for operators in the underground economy:
    • Real-time group communications
    • Requires very little bandwidth
    • IRC client software is freely available across all operating systems
• Others: HTTP, P2P

Page 10: Crimeware Fingerprinting  Final
Page 11: Crimeware Fingerprinting  Final

Crimes

http://www.youtube.com/watch?v=pzKmzO_Xq3k

Page 12: Crimeware Fingerprinting  Final

Crimeware controlled Crimes

• Extortion
• Identity theft
• Distribution of spyware
• Denial of service attacks
• Financial crimes
• Targeted Phishing attacks (Spear Phishing, Whaling)

Page 13: Crimeware Fingerprinting  Final

Online Financial Crimes controlled by CrimeNets

• Extortion
  ◦ 2004: bot-driven DDoS attacks against online gambling sites, used for extortion
• Identity theft
• Data Theft:
  ◦ confidential data
  ◦ userids and passwords
  ◦ credit card data, Social Security Numbers
  ◦ sensitive files (corporate espionage, political espionage)
• Underground Economy Servers controlled by Botnet operators store and distribute illegal software or credit card data
• Rent out botnets for spamming, distributing spyware, distributed denial of service attacks or spear phishing

Page 14: Crimeware Fingerprinting  Final

• Dutch botnet operators (2005): controlled 1.5 million machines
• Used for extorting money from a US company, to steal identities, distribute spyware
• Used the Toxbot Trojan to infect the compromised machines

Page 15: Crimeware Fingerprinting  Final

Targets

Page 16: Crimeware Fingerprinting  Final

Crimeware Targets

• Banks, Financial Institutions
  – US Banks: Email-based phishing
  – Brazilian Banks, European Banks: Banking Trojans
• Online gambling
• Online gaming
  – Trojan families (Mgania, Nilage)
• Online advertisements
• Online payment systems (PayPal)
• Ecommerce sites (eBay)
  – Email-based phishing targeted PayPal, eBay and US Banks

Page 17: Crimeware Fingerprinting  Final

Attack Mechanisms

Page 18: Crimeware Fingerprinting  Final

Crimeware Attack Vectors

Attack Vectors:
  ◦ Phishing
  ◦ Keystroke loggers
  ◦ Social Engineering attacks (to open email attachments that contain crimeware)
  ◦ Email, the weapon of mass delivery of trojans
  ◦ ActiveX drive-by (on compromised or baiting websites)
  ◦ IM (Instant Messaging)
  ◦ Worm attacks (Conficker Worm) to exploit security vulnerabilities of targeted systems
  ◦ Injection of crimeware into legitimate sites via cross-site scripting / web application vulnerabilities
  ◦ Insertion of crimeware into downloadable software

Page 19: Crimeware Fingerprinting  Final

Crimeware Attack Vectors

• Exploits:
  – Scripts and rootkits used to hide the exploits
  – Dynamic IP addresses are used to escape detection
  – Worm attacks to exploit security vulnerabilities of targeted systems
  – Injection of crimeware into legitimate websites via cross-site scripting
  – Insertion of crimeware into downloadable software
• Propagation
  – P2P (Peer-to-Peer Networks)
  – Drive-by downloads
  – Email delivery

Page 20: Crimeware Fingerprinting  Final

Payloads

• Trojans (54% of top malicious code – Internet Security Threat Report)
• Banking Trojans (Brazil) targeting banking transactions
  ◦ Authenticated session hijacking vs. keystroke loggers or credential stealing (session-riding malware used to make fraudulent transactions)
  ◦ Can bypass SSL encryption, traditional authentication and malware defenses
• Trojans targeting European Banks (e.g. Haxdoor, Sinowal, Zeus) use wininet.dll hooks

Page 21: Crimeware Fingerprinting  Final

Attack Methods

• Banking trojans:
  ◦ Trojan monitors the system or user activity to identify when the user is banking online (Stahlberg, 2007)
    – Hooking WinInet API functions
    – Browser Helper Object Interface
    – Window title enumeration (if the browser title bar contains a string in the filter list, the trojan logs the keystrokes)
    – DDE COM Interfaces
    – Firefox Browser Extensions and Layered Service Provider Interface
  ◦ Capture user credentials
    – Form grabbing
    – Screen shots or video capture (for banks using 'virtual keyboards')
    – Keystroke logging
    – Injection of fraudulent pages or form fields
    – Pharming
    – Man in the Middle Attacks

Page 22: Crimeware Fingerprinting  Final

Haxdoor Banking Trojan

◦ Haxdoor.gh uses form grabbing techniques
  – Uses Browser Helper Objects, COM Interfaces and API hooking
  – Form grabbing accesses the data before it is encrypted using SSL
◦ Haxdoor.ki Banking Trojan hit Swedish Banks in January 2007 – Authenticated Session Hijacking
  – Trojan displays an error message after the user has entered the password
  – The trojan sends the authentication information to the server managed by the attacker
  – The attacker logs on to the bank account and transfers money to his own account or to a hired money mule
  – Successful against banks not using one-time passwords or stronger authentication
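The wininet.dll hooks named on the Payloads, Attack Methods and Haxdoor slides are inline detours written over the first bytes of exports such as HttpSendRequestA, so a defender can spot them by reading each export's entry bytes and checking for a JMP or PUSH/RET trampoline whose target lies outside the wininet.dll image. The Python below is an added example, not code from the presentation: the export addresses, module bounds and entry bytes are constructed sample data, and on a live system they would be read from the browser process (e.g. with ReadProcessMemory).

```python
import struct

# Constructed sample: first 8 bytes found at three WinInet export entry points
# in a browser process. The clean 32-bit prologue is "mov edi,edi; push ebp;
# mov ebp,esp" (8B FF 55 8B EC). The other two are made-up detours of the kind
# a banking trojan plants: a rel32 JMP and a PUSH imm32 / RET pair, both
# landing in an injected module far below the wininet.dll image.
SAMPLE_EXPORTS = {
    # export name: (export address, bytes read at that address)
    "HttpSendRequestA": (0x77A01000, bytes.fromhex("8bff558bec83ec10")),
    "HttpSendRequestW": (0x77A02000, bytes.fromhex("e900f09f88cccccc")),
    "InternetReadFile": (0x77A03000, bytes.fromhex("6800104000c3cccc")),
}
WININET_RANGE = (0x77A00000, 0x77B00000)  # constructed image base / end


def hook_at_entry(entry, address):
    """Return (kind, target) if the function entry starts with a detour, else None."""
    if len(entry) >= 5 and entry[0] == 0xE9:                        # JMP rel32
        rel = struct.unpack_from("<i", entry, 1)[0]                  # signed displacement
        return "jmp_rel32", (address + 5 + rel) & 0xFFFFFFFF         # target = next IP + rel
    if len(entry) >= 6 and entry[0] == 0x68 and entry[5] == 0xC3:   # PUSH imm32; RET
        return "push_ret", struct.unpack_from("<I", entry, 1)[0]
    return None


def scan_exports(exports, module_range):
    """List every export whose entry is detoured; flag targets outside the module."""
    lo, hi = module_range
    findings = []
    for name, (address, entry) in exports.items():
        hit = hook_at_entry(entry, address)
        if hit is None:
            continue
        kind, target = hit
        findings.append({"export": name, "kind": kind, "target": target,
                         "outside_module": not (lo <= target < hi)})
    return findings


if __name__ == "__main__":
    for f in scan_exports(SAMPLE_EXPORTS, WININET_RANGE):
        where = " (outside wininet.dll)" if f["outside_module"] else ""
        print(f"{f['export']}: {f['kind']} -> {f['target']:#010x}{where}")
```

A JMP whose target stays inside the module can be legitimate (hot-patching, export forwarding), so the "outside_module" flag is the signal worth alerting on.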

Page 23: Crimeware Fingerprinting  Final

Attack Methods (contd.)

• Cryptovirology
  ◦ Malware encrypts critical data on infected machines
  ◦ Extortionists demand money to restore data
• Data Theft Attacks
  ◦ Trial attacks start as sales promotion
  ◦ Followed by DDoS attacks or data theft attacks
• Data Aggregation for criminal purposes

Page 24: Crimeware Fingerprinting  Final

The Criminals

Page 25: Crimeware Fingerprinting  Final

Criminal Profiles: Cybercrime Underworld

• Organized crime
  ◦ Banking Trojan Gangs operational in Brazil
  ◦ Phishing Gangs operating from Eastern Europe
  ◦ Crimeware kits sold in the black market
  ◦ Virus writers employed by cyber underground operators to create spyware and trojans
  ◦ Customizable Malware/Crimeware as a Service (CWaS)
• Crimeware manufacturing:
  ◦ Malware developers funded to develop malware trojans/crimeware
  ◦ Dynamics of the cybercrime underworld (Zhuge et al., 2007): virus writers, web site crackers and virtual assets thieves collaborate to defraud victims
  ◦ Malicious Websites: Phishing Crimeware map by Websense Security Labs; major attacks from websites hosted in USA, Russia and China

Page 26: Crimeware Fingerprinting  Final

Underground Cyber Economy

• Underground Economy Servers used by criminals (Symantec, 2008)
  ◦ Selling stolen information for identity theft
  ◦ Social security numbers, credit card information, passwords, personal identification numbers, email addresses, bank account information
  ◦ An economic model for China's cybercrime underworld (Zhuge et al., 2007)
  ◦ Crimeware threat model and taxonomy (US Department of Homeland Security, 2006)

Page 27: Crimeware Fingerprinting  Final

Goods and services available for sale on underground economy servers

Page 28: Crimeware Fingerprinting  Final
Page 29: Crimeware Fingerprinting  Final

Countermeasures

Page 30: Crimeware Fingerprinting  Final

Countermeasures

• Defense in Depth
• Microsoft's Malicious Software Removal Tool (MSRT)
• Two-factor authentication for Banks and eCommerce sites: Digital Identity and Access Management
• Real-time defenses: anti-malware, Intrusion prevention/detection
• Browser defenses
• Awareness
• OS level security: Security by default

Page 31: Crimeware Fingerprinting  Final

Crimeware Bibliography

Dunham, K., Melnick, J. (2009). Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet. Auerbach Publications, Boca Raton, FL.

Jakobsson, M., Ramzan, Z. (2008). Crimeware: Understanding New Attacks and Defenses, 1st ed. Addison-Wesley Professional.

Emigh, A. (2006). The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond. Journal of Digital Forensic Practice (ISSN 1556-7346), Volume 1, Issue 3, pp. 245–260.

Symantec. (2009). Internet Security Threat Report.