The Noob Persistent Threat June 15, 2013

Uploaded by b-l, posted 05-Jul-2015

DESCRIPTION

BSides Boston and RI 2013 Video (BSides RI: http://www.irongeek.com/i.php?page=videos/bsidesri2013/2-0-booting-the-booters-stressing-the-stressors-allison-nixon-and-brandon-levene)

TRANSCRIPT

Page 1: NPTs

The Noob Persistent Threat

June 15, 2013

Page 2: NPTs

Who are we?

Allison Nixon (@nixon.nixoff)

• Security Consultant

• Pentesting, Incident response

• Host on the Pauldotcom podcast

• SANS GCIA Gold certified

Brandon Levene (@seraphimdomain)

• Incident Handler/Incident Response for a Cloud Provider

• Malware + Vuln analysis

• Independent Security Researcher

• SANS Certified Pentester

Page 3: NPTs

What is this Noob Persistent Threat?

• Script kiddies
  o Sometimes financially motivated
  o Sometimes hacking out of curiosity
  o The lowest level of the criminal underground
  o Low technical skills
  o Often poor opsec
  o Often frequent hacking forums
  o Often American or EU citizens

Page 4: NPTs

...but I don't have anything worth stealing...

Do you have any of the following:

• Credit or Debit Card

• Bank Account

• Paypal Account

• Medical Records

• Social Media Profile

• Computer

• Digital Delivery Account(s) (Steam, Origin, Xbox)

http://www.rsa.com/products/consumer/whitepapers/11634_CYBRC12_WP_0112.pdf

Page 5: NPTs

The Noob Renaissance

2011 Discussion Topics

• Beginner Hacking/Tutorials - 25%
• Hacking Tools/Programs - 22%
• Website/Forum Hacking - 21%

2012 Discussion Topics

• Beginner Hacking/Tutorials - 28%
• *Hacking Methods - 5% (This is in ADDITION to Beginner content)
• Hacking Tools/Programs - 21%
• Website/Forum Hacking - 21%

Source: http://www.imperva.com/resources/hacker_intelligence.asp

Page 6: NPTs

A Smattering of Services

List of Services Offered on the Underground

Page 7: NPTs

Recognize

Page 8: NPTs

Homework Service

Page 9: NPTs

Ewhoring (GIRL = Guy In Real Life)

Page 10: NPTs

Cash for Sale

...If you can get it

Page 11: NPTs

Want some credit cards?

Page 12: NPTs

Mattfeuter.ru Arrests

http://www.scmagazine.com/police-arrest-mattfeuter-site-operators-break-up-200m-carder-racket/article/296609/

Page 13: NPTs

Carder Shops

• Just like any other shopping web app
  o Shopping cart features
  o Ticket system
• Buy credit card details, Paypal accounts
• Proxies are sold to bypass region limitations

Page 14: NPTs

Bootershells

Page 15: NPTs

Power of the Gods

Page 16: NPTs

Fun for all Ages

Page 17: NPTs

PedoStresser Rebranding

• Same Staff

• Same Paypal account

• Same font used in logo

• Crosslinked Ads to PedoStresser

Page 18: NPTs

Booter source code

Page 19: NPTs

Ragebooter Comedy Hour

Page 20: NPTs

Going legit?

Page 21: NPTs

Page 22: NPTs

Page 23: NPTs

Technical Analysis of Ragebooter

• Half the functions of the site didn't work
• C&C infrastructure could be discovered
• Username transmitted within attack data for no reason

Page 24: NPTs

Sample Flood Packets

• POST Flood
• ARME (CVE-2011-3192)
• Username is transmitted for no reason
• X-Forwarded-For information leakage
• Obvious use of open proxies
• Most flood options resulted in no traffic
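
A defender-side triage of captured flood traffic, added here as an example and not part of the original talk: it parses constructed sample requests, reads the origin the first proxy saw from X-Forwarded-For, and pulls the leaked account name out of the POST body. The request text, host names, IPs and the "user" field name are all constructed assumptions.

```python
"""Triage captured flood requests as in the Ragebooter analysis above:
open proxies append X-Forwarded-For and the booter leaks the customer's
username in the POST body.  Samples are constructed, not real captures."""
from collections import Counter
from urllib.parse import parse_qs

SAMPLE_REQUESTS = [  # constructed sample capture of three requests
    "POST /index.php HTTP/1.1\r\nHost: victim.example\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=kiddie42&data=AAAAAAAA",
    "POST /index.php HTTP/1.1\r\nHost: victim.example\r\n"
    "X-Forwarded-For: 203.0.113.7, 198.51.100.9\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=kiddie42&data=BBBBBBBB",
    "POST /index.php HTTP/1.1\r\nHost: victim.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "data=CCCCCCCC",  # proxy that strips XFF: origin unknown
]

def parse_request(raw):
    """Split one raw HTTP request into request line, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers, "body": body}

def true_origin(req):
    """Leftmost X-Forwarded-For entry is the client the first proxy saw.
    Any hop can forge this header, so treat it as a lead, not proof."""
    xff = req["headers"].get("x-forwarded-for")
    return xff.split(",")[0].strip() if xff else None

def leaked_username(req):
    """The 'user' form field the booter sends along with the attack data."""
    return parse_qs(req["body"]).get("user", [None])[0]

def triage(raw_requests):
    """Count origin IPs and booter accounts across a capture; requests with
    no X-Forwarded-For are reported as unattributed rather than guessed."""
    parsed = [parse_request(r) for r in raw_requests]
    origins = Counter(o for o in map(true_origin, parsed) if o)
    users = Counter(u for u in map(leaked_username, parsed) if u)
    unattributed = sum(1 for r in parsed if true_origin(r) is None)
    return {"origins": origins, "users": users, "unattributed": unattributed}
```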

Page 25: NPTs

Asylumstresser

• Another booter on the market (Deceased)
• Largely nonfunctional
  o Only capable of reflected DNS and UDP flooding
• Made thousands of dollars anyways
• Accepts Paypal
• Protected by Cloudflare
• Run by children

Page 26: NPTs

Asylumstresser Earnings Report

Earnings by month:

Oct-11 $26.25

Nov-11 $477.28

Dec-11 $884.69

Jan-12 $1,243.02

Feb-12 $1,614.64

Mar-12 $1,349.52

Apr-12 $855.14

May-12 $1,438.89

Jun-12 $1,658.80

Jul-12 $1,403.94

Aug-12 $1,666.36

Sep-12 $1,812.30

Oct-12 $2,662.95

Nov-12 $3,915.85

Dec-12 $3,983.47

Jan-13 $4,109.29

Feb-13 $3,403.34

Mar-13 $2,875.81

Grand total: $35,381.54

• $23,604 earned in 2012 split between the owner and several support staff.
• The database did not record any chargebacks, fraud, fees, or server costs, so the take-home pay is much lower
• Conclusion: get a real job

Page 27: NPTs

Asylumstresser Earnings Report

• Analysis of customer base
  o Many gaming server admins
  o Ironically, some of these admins have blogged about getting DDOSed. Are they taking up arms themselves and starting a cyber-war?
  o Self-described gamers
  o Very elite hackers
  o I even found one connected to a police officer in Florida

No e-mails will be published because we have not ruled out stolen Paypal accounts

Page 28: NPTs

Additional Services

Cloudflare "resolver"

Oh, you mean the nmap dns-brute script?

nmap --script dns-brute www.foo.com

http://nmap.org/nsedoc/scripts/dns-brute.html

Page 29: NPTs

Skype Resolver (API)

Searching for Skype resolver "source" will generally result in something akin to the script above.

Page 30: NPTs

The "api" consists of a modified Skype binary (cleartext logging enabled) located on an HTTP-accessible server, generally a cheap VPS.

Here's the script that parses the API request and pulls the results from the plaintext logs.

Page 31: NPTs

twBooter (aka Bootertw)

• This one made the news several months ago
• Allegedly used by hacker 'Phobia' to ddos krebsonsecurity.com while he swatted its owner
• Database was leaked containing evidence of the launched attack
• Database contained logs of 48,844 attacks launched in two months' time

Page 32: NPTs

twBooter (aka Bootertw)

• We were able to correlate different parts of the database to find out:
  o Which account was used
  o Their IP
  o Their user-agent
  o When the attacks occurred
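
An added example (not the authors' own tooling) of the correlation described above: a leaked attack log is joined to the login table to recover, for each attack, the account, the IP and user-agent of the session that launched it, and the time. The schema, account names, IPs and rows are constructed, not the real twBooter dump.

```python
"""Correlate a leaked booter database as in the twBooter analysis above:
join each logged attack to the login session (IP, user-agent) that was
active when it launched.  Schema and rows are constructed, not the real dump."""
import sqlite3

SCHEMA = """
CREATE TABLE logins  (user TEXT, ip TEXT, user_agent TEXT, logged_in TEXT);
CREATE TABLE attacks (user TEXT, target TEXT, started TEXT);
"""

# Constructed sample rows; ISO-8601 timestamps sort correctly as text.
LOGINS = [
    ("acct17", "198.51.100.23", "Mozilla/5.0 (Windows NT 6.1)", "2013-03-14T02:10:00"),
    ("acct17", "203.0.113.44", "Mozilla/5.0 (Windows NT 6.1)", "2013-03-14T21:05:00"),
    ("acct42", "192.0.2.8", "Mozilla/5.0 (X11; Linux x86_64)", "2013-03-14T09:00:00"),
]
ATTACKS = [
    ("acct17", "target-1.example", "2013-03-14T02:45:00"),
    ("acct17", "target-2.example", "2013-03-14T21:30:00"),
    ("acct42", "target-3.example", "2013-03-14T09:15:00"),
    ("acct99", "target-4.example", "2013-03-13T23:00:00"),  # no login logged
]

# For each attack, pick the same user's most recent login at or before the
# attack start.  LEFT JOIN keeps attacks with no matching session (NULL ip).
ATTRIBUTION_SQL = """
SELECT a.user, a.target, a.started, l.ip, l.user_agent
FROM attacks AS a
LEFT JOIN logins AS l
  ON l.user = a.user
 AND l.logged_in = (SELECT MAX(logged_in) FROM logins
                    WHERE user = a.user AND logged_in <= a.started)
ORDER BY a.started
"""

def build_db():
    """Load the constructed sample into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", LOGINS)
    conn.executemany("INSERT INTO attacks VALUES (?, ?, ?)", ATTACKS)
    return conn

def attribute_attacks(conn):
    """Return (user, target, started, ip, user_agent) tuples, one per attack;
    ip and user_agent are None when no prior login exists for that user."""
    return conn.execute(ATTRIBUTION_SQL).fetchall()
```

Attacks that land on a session with no preceding login (truncated logs, or a user who only ever used the API) stay in the output with a None IP, so gaps are visible instead of silently dropped.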

Page 33: NPTs

Jacking

• Identify gamertag

• Identify owner

• Use sites like spokeo or ssndob.ru to find owner's details

• Call service provider in order to reset password

• ???

• Profit

This technique can be used to social engineer any company and abuse their customers.

Famous case: Mat Honan August 2012. "How Apple and Amazon Security Flaws Led to My Epic Hacking"

Page 34: NPTs

The Krebs Cycle

1. You SWAT Brian Krebs.
2. Brian Krebs finds out everything about you, your family, and your friends.
3. SWAT team visits your house. (optional: DDOS his website because he made you mad)

Page 35: NPTs

The Krebs Cycle

• We were informed that 'Phobia' was suspected

• Phobia left a lot of information laying around

• Youtube channel full of bragging. "RealTeamHype"
  o Full of information leakage
  o Allowed us to find some of his friends
  o Profile the programs, operating systems they use
  o Profile them by voice
  o Their VPN providers

• Phobia has been doxed before

• E-mails can be linked to Facebook

• Hackforums.net, Forumkorner profiles

Page 36: NPTs

Counter Booters?

Page 37: NPTs

OSINT for Bads...

...or why I love poor OPSEC

Page 38: NPTs

Maltego is Awesome

Page 39: NPTs
Page 40: NPTs

Abuse of Legitimate Services

Paypal: “While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly. We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.”

-Paypal (In response to Brian Krebs' article) http://krebsonsecurity.com/2013/05/ddos-services-advertise-openly-take-paypal/

Cloudflare: "I do find it troubling when there are extralegal measures taken to determine what is and is not going on," he said, in an apparent reference to the investigation by Krebs, Nixon and Levene. "How far do you go with that, if someone assumes XYZ shouldn't be on the Internet? Should Google remove them from their search index?" he asked.

"We believe in due process," said Prince.

-Cloudflare CEO (Matthew Prince) http://www.itworld.com/it-management/357306/legitimate-online-services-enabling-ddos-attacks-hire-sites

Page 41: NPTs

“Extralegal?”

Page 42: NPTs

TOP SECRET

It's like PRISM, but lame.

Page 43: NPTs

Tying it Together

Page 44: NPTs

Questions?

Allison's perfect specimen