Cyber Crimes: Follow the Money
Transcription
Cyber Crimes: Follow the Money
McAfee Avert Labs Malware Research
Pedro Bueno, SANS GCIA, GREM, SSMPA
Anti-Malware Research Engineer
© 2007-2008 McAfee, Inc.

Warming up...
“Last I checked, it was physical terrorists who bombed the Marine barracks in Lebanon, who attacked the U.S.S. Cole, who took out the Oklahoma City federal building, and who suicide-bombed the World Trade Center and the Pentagon. Wily-fingered hackers had nothing to do with it.”
CNet Article - 2003

Agenda
• Introduction
• Motivation
  — Illegal Financing
  — Terrorism
  — Mafia Style
• Methods Used
  — Identity Theft
  — Phishing Kits
  — PWS Trojans
  — Virtual Money Laundering
  — Botnets
• Conclusion

Introduction
• Significant change from 4 years ago to these days in the hacking world...
• Some years ago we had hackers “à la Mitnick”, or hacking for fame, looking for a better ranking on the (R.I.P.) Alldas.de defacement mirror
• Now we have hackers directly involved with cyber crime, which is also sponsored by real world organized crime!
• Now we have hackers directly involved with cyber crime, which is also sponsoring real world organized crime!

Introduction
— Before:
  • 1 bot == $1 to $5 USD, or 3 shell accounts
— Now:
  • BotNets == $500 USD
  • DDoS == $500 - $1500 USD
  • ‘Hackers for Hire’
— Before:
  • Script Kidz...
— Now:
  • Organized Crime!

Introduction
• Virus customized for a specific company of your choice = $50,000 USD
• Recycled virus (modified to avoid signature detection) = $200 USD
• 10 million email addresses = $160 USD
• Credit card number = $2~6 USD
• Credit card number with security code = $20~60 USD
• Renting a laptop which controls a botnet of 5,000~10,000 computers = $100/day
Source: G-Data

Introduction
• Nowadays, cyber crime is changing the concept of cyber terrorism:
• Cyber Terrorism as we know it:
  [1] “the use of information technology by terrorist groups and individuals to further their agenda. This can include use of information technology to organize and execute attacks against networks, computer systems and telecommunications infrastructures, or for exchanging information or making threats electronically.” - NCSL
• Cyber Terrorism as we should understand it:
  “[1] + the use of cyber crimes to sponsor real world terrorism activity”

Introduction
Cyber Crimes - Motivation
• Illegal Financing
• Terrorism
• Mafia Style

Motivation
• Illegal Financing
  — For example, any kind of organized crime group, like regular organized crime or terrorism, with whatever objective, like:
    • buying arms from illegal arms dealers
    • establishing a cell in a country
    • tactical training
    • operational actions

Motivation
• Terrorism
  — 4th Generation Warfare!
  — Cyber <-> Terror
    — 1999 – Hacking was used to obtain the Airbus A300 structural plans. Those plans were essential to the successful hijacking of the Indian Airlines airplane in December 1999.
    — 2001 – In February, a hacker was contacted to get the structural plans of other airplanes, identical to those used in the 9/11 attacks.

Motivation
• Terrorism (cont.)
  — Bali 2002 – a bombing attack on the tourist district of Kuta on the Indonesian island of Bali. Investigations led to the information that the attack was sponsored by frauds involving credit cards. Imam Samudra, author of the attacks, published a book with a chapter entitled "Hacking, Why Not?"
  — 2004 – Research revealed that ALL terrorist groups have some kind of ‘virtual cell’ on the Internet.
  — April 2006 – 5 family members of a Jordanian person with American citizenship, accused of being an Al Qaeda contact, were arrested in California for banking fraud with identity theft. Some of the money was transferred to an account in Amman, Jordan.
Motivation
• The Mafia Style — CardPlanet
  • Uses the same scheme as the Italian Mafia
  • Some “affiliates”:
    — Mazafara (aka Network Terrorism)
    — ShadowCrew
    — IAACA – International Association for the Advancement of Criminal Activity

Motivation
• The Mafia Style
  • In January 2008, the famous Russian site MP3Spack.com was banned from a UK backbone after doing business with a web host that has been linked to a cybercrime syndicate.
    — It was using the web hosting of Abdallah, from a Turkish network that has been serving malware for years.
    — The Turkish network also had links with RBN (Russian Business Network), which has also been serving malware for many years...

Methods
• Identity Theft
• Phishing and Phishing Kits
• PWS trojans
• Virtual Money Laundering
• Botnets

Methods
• Identity Theft

Methods
• Identity Theft
  — The usage of the identities of others to carry out violations of federal criminal law
  — More than 25 types of ID Theft investigated by the USSS.
  — A way to obtain driver's licenses, bank and credit card accounts through which terrorism financing is facilitated
  — An Al-Qaeda terrorist cell in Spain used stolen credit cards in fictitious sales scams and for numerous other purchases for the cell, and also used stolen telephone and credit cards for communications back to Pakistan, Afghanistan, Lebanon, etc.

Methods
• Phishing — Traditional
  — Very common method to get personal data such as SSN, birth date and family names, as well as bank data, by forging the bank webpage.
  - Old, but still functional!
  - “U.S. consumers lost roughly $3.2 billion to phishing scams in 2007” – Gartner Survey

Methods - Phishing
[image-only slide]

Methods - Phishing
• Global Cyber Organized Crime
• In May 2008 the FBI arrested 38 people linked to a fraud scheme involving the U.S., Portugal, Romania, Pakistan and Canada.
• Group “A”, in Romania (mostly), ran the spam with the phishy message, leading the victim to a phishing site where they were able to get most personal information, such as PIN, SSN, CCN...
• Group “A” sent the info to Group “B” in the U.S., which manufactured their own credit, debit and gift cards to be used in the real world!
Source: FBI

Methods – Phishing Kits
• Created as PHP based malware ‘Kits’
• Usually developed by Russian criminals
• Also include a C&C
• Examples of such kits are:
  — Mpack/IcePack
  — ZeuS
• Cost around $700-$1000 USD

Methods – Phishing Kits - Mpack/IcePack
• The latest version exploits the following client side vulnerabilities:
  CVE-2006-5198 - WinZip FileView ActiveX Control Unsafe Method Exposure Vulnerability
  CVE-2007-0015 - Buffer overflow in Apple QuickTime 7.1.3
  MS06-006 - Firefox 1.5.x/Opera 7.x WMP plugin vuln
  MS06-014 - ADODB/MDAC vuln
  MS06-044 - mmc: vuln for Win2000
  MS06-055 - Remote code execution vulnerability in Vector Markup Language (VML)
  MS06-057 - WebViewFolderIcon ActiveX vuln
  MS06-071 - XML setRequestHeader vuln
  MS07-017 – ANI vuln
  CVE-2007-3147 - Buffer overflow in the Yahoo! Webcam Upload ActiveX
  MS05-052 - Internet Explorer COM objects vuln
  MS06-024 - Vulnerability in Windows Media Player

Methods – Phishing Kits - Mpack/IcePack
• Some highlights:
  — Uses an iFrame to determine the best attack model
  — Controls the machine remotely through HTTP
  — Serves exploits based on country, using GeoIP
  — Serves exploits based on browser type, including MSIE, Opera and Firefox
  — Allows different statistics
  — Offers an admin panel for updates, views, etc...

Methods – Phishing Kits - Mpack/IcePack
• Mpack Statistics page: [image-only slide]

Methods – Phishing Kits - ZeuS
• Another type of PHP kit
  — A mix of client side exploits and client malware
  — Also creates a botnet based on the HTTP protocol
  — Also has a C&C
  — Client and server components
  — Bank oriented!
  — Targets US banks:
    • Bank of America
    • Chase
    • Citibank

Methods – Phishing Kits - ZeuS
• European banks:
  — Santander
  — HSBC in UK
  — Lloyds
  — Halifax
  — Barclays
  — Banco Popular
• And more...
  — ...<insert your bank here>

Methods – Phishing Kits - ZeuS
• The ZeuS client is created with a builder application:
  • Information screen (also removes it from the machine) [image-only slide]

Methods – Phishing Kits - ZeuS
• The client offers some builder options:
  — Can choose and modify the configuration file [image-only slide]

Methods – Phishing Kits - ZeuS
• Creates two files:
  — cfg.bin – the configuration file
  — loader.exe – the actual malware

Methods – Phishing Kits - ZeuS
• The logs are encoded. However, the builder provides a way to decode the logs generated by the client.

Methods
• PWS Trojans
  — Stands for PassWord Stealer trojans
  — Steal passwords for bank accounts, called PWS-Bankers
  — Steal passwords used on online games, called PWS-OnlineGames

Methods
• PWS Trojans
• Basic PWS-Banker “Modus Operandi”:
  1. User receives an email with a fake juicy message
  2. User clicks on the link
  3. User downloads a small file and runs it
  4. The file opens an error message and closes, and downloads another, bigger file in the background
  5. The big file will intercept the bank website access attempt and prompt a fake login to retrieve the user’s bank credentials
  6. The trojan sends an email to the hacker with the bank credentials.

Methods
• PWS-Bankers
• New features:
  • Targeted banking!
  • Steals certificate files used by banks, like *.crt and *.key
  • Modular
    — Downloader
    — URL list
    — Redundancy!
  • Grabs screenshots and records video clips
  • Encrypts the data sent to the hacker

Methods
• PWS-Banker trojans
  • Mostly used in South America, specifically in Brazil, where it moves about 200 million USD/year
  • Started with 3 major malware writer groups
  • About a year ago, the groups started to develop special versions for other countries in Latin America, like Argentina and Colombia
  • The money was mostly used to buy expensive cars
  • Now, it is also used to sponsor real world organized crime

Methods – PWS Online Games Trojans
PWS OnlineGames – virtual money becomes money in the real world!
Source: SANS ISC

Methods – PWS Online Games Trojans
These trojans attempt to steal the game credentials and steal/transfer/sell all gold (virtual money)
100,000 gold farmers worldwide
$1.8 billion / year traded in virtual items.
Source: SANS ISC

Virtual Money Laundering
• Uses online games as a vector
• Second Life example:
  — 9 million residents (avatars)
  — “The residents are able to move about, interact with and/or chat privately with other residents, participate in activities and trade or buy virtual items and/or services from other residents. Additionally, virtual real estate may be purchased, sold and rented and virtual casinos are plentiful.” – BankInfo Security
  — Currency is Linden Dollars, which can be exchanged for USD

Virtual Money Laundering
• “A player/resident may use his actual credit or debit card to purchase online money and then redeem those credits for actual money with another player in another country and in that country's unit of currency”
• Gambling was a legal activity in Second Life. Any citizen (avatar) would be able to find a place to play blackjack, for example, using Linden Dollars (which could be exchanged later for USD).
• There was no way to guarantee the accuracy of the gambling devices...
• As of August 2007, all gambling was banned from Second Life

Methods – Bots/Botnets
1. Scan & Exploit: compromised machines compromise new machines
2. The compromised machines join an IRC network, controlled by a remote person
3. The remote person can now order a number of activities from the compromised machines, like a DDoS

Methods – Bots/Botnets
• Boom happened in 2004/2005
  — In April 2004, more than 900 bot variants
  • In 2005, it rose more than 175% when compared to 2004
  • Source: McAfee Avert Labs

Methods – Bots/Botnets
...in 2005: Data from January to June 2005: 4268 new bot variants!
Source: F-Secure
Agobot * Spybot * Aebot * Aimbot * Alcobot * Babot * Badbot * Bbot * Bigbot * Evilbot * Gobot * Msbot * ShellBot * Psybot * Rbot * Sbot * Sdbot * Aebot * GTBot * Nyrobot * Robobot * Rsbot * Vbbot * Padobot * Kazabot * Gunbot * IRCBot ...

Methods – Bots/Botnets
• Why so many variants?
  — Source code available in the underground (and open source!)
  — It is then possible to modify it and create your own new variant!

Methods – Bots/Botnets
• Example of a bot source code, under GNU license... (GPL!) [image-only slide]

Methods – Bots/Botnets
– Easy to add new functionalities, or mods [image-only slide]

Methods – Bots/Botnets
• Command reference: [image-only slide]

Methods – Bots/Botnets
• Easy to modify... [image-only slide]

Methods – Bots/Botnets
• Too many source code files...
• Too many header files...
• Too many config files...
• Too many parameters...
• In summary:
• Quite complicated to create your own version...

Methods – Bots/Botnets
Server parameters, user parameters, FAQ! [image-only slides]

Methods – Bots/Botnets
• Simple explanation:
  – Lots of bots under the control of a single person == BotNet
• Botnets allow different DDoS attacks:
  • ICMP flood;
  • TCP flood;
  • UDP flood;
  • ‘HTTP’ flood;
• Usually under an IRC network!

Methods – Bots/Botnets
• Why?
  — Profit
    • Spam, PWS...
  — Piracy
    • warez, videos, books...
  — Profit
    • DDoS for hire!
  — CyberSpace power
    • Did I hear cyberwar??

Methods – Bots/Botnets
» Source: F-Secure Weblog (http://www.f-secure.com/weblog)

Botnets usage...
• “...Saad Echouafni, head of a satellite communications company, is wanted in Los Angeles, California for allegedly hiring computer hackers to launch attacks against his company's competitors. On August 25, 2004, Echouafni was indicted by a federal grand jury in Los Angeles in connection with the first successful investigation of a large-scale distributed denial of service attack (DDOS) used for a commercial purpose in the United States....”
• “...That business, as well as others both private and government in the United States, were temporarily disrupted by these attacks which resulted in losses ranging from $200,000 to over $1 million...”
• Source: FBI

Methods – Bots/Botnets
Botnet information [image-only slide]

Methods – Bots/Botnets
[image-only slide]

Methods – Bots/Botnets
Activities / Bots [image-only slide]

Methods – Bots/Botnets
[17:11] <randomnick> .up
[17:11] <[x]12212893> [MAIN]: Uptime: 1d 8h 50m.
[17:11] <[x]55483161> [MAIN]: Uptime: 2d 8h 18m.
[17:11] <[x]32705837> [MAIN]: Uptime: 2d 6h 49m.
[17:11] <[x]66729140> [MAIN]: Uptime: 0d 4h 2m.
[17:11] <[x]62694986> [MAIN]: Uptime: 0d 7h 0m.
[17:11] <[x]77045269> [MAIN]: Uptime: 23d 8h 10m.
[17:11] <[x]10568877> [MAIN]: Uptime: 0d 8h 8m.
[17:11] <[x]43332600> [MAIN]: Uptime: 0d 5h 8m.
[17:11] <[x]38093578> [MAIN]: Uptime: 0d 9h 14m.
[17:11] <[x]59464173> [MAIN]: Uptime: 29d 9h 14m.
[17:11] <[x]59968649> [MAIN]: Uptime: 23d 8h 9m.
[17:11] <[x]29780258> [MAIN]: Uptime: 0d 6h 29m.
[17:11] <[x]70324359> [MAIN]: Uptime: 23d 8h 10m.

Methods – Bots/Botnets
• Packet dumps... [image-only slide]

Methods – Bots/Botnets
[image-only slide]

Methods – Bots/Botnets
[image-only slide]

Methods – Bots/Botnets – the new generation
• StormWorm case... (aka Nuwar, postcard worm...)
  — P2P based
    • Say bye-bye to a central C&C!
    • Hard to detect on the infected machine (uses rootkit)
    • Many different binaries
    • Use of Fast-Flux networks
    • Quite complex P2P network

Methods – Bots/Botnets – the new generation
• Storm worm allows:
  — Pump and Dump spams (stock spams)
    • “involving use of false or misleading statements to hype stocks, which are "dumped" on the public at inflated prices.”
    — The company's price goes high, so it is possible to sell the stocks at a higher price!
    • Using different file formats, like PDF, DOC, Excel, plain text...
  — Phishing
  — DDoS: emails that lead to sites with client side exploit attacks and auto DDoS
  — High availability due to Fast-Flux networks

Methods – Bots/Botnets – the new generation
• A quick highlight on the Fast Flux scheme: [diagram]
Source: Honeynet project

Methods – Bots/Botnets – the new generation
• Example:
giftapplys.cn IN A 0:89.228.78.213
giftapplys.cn IN A 0:98.14.181.131
giftapplys.cn IN A 0:64.53.130.14
giftapplys.cn IN A 0:70.121.217.6
giftapplys.cn IN A 0:220.248.169.116
giftapplys.cn IN A 0:71.226.85.20
giftapplys.cn IN A 0:81.132.159.4
giftapplys.cn IN A 0:190.50.120.156
giftapplys.cn IN A 0:68.90.143.63
giftapplys.cn IN A 0:67.187.207.126
giftapplys.cn IN A 0:12.214.208.136
giftapplys.cn IN A 0:98.212.18.73
giftapplys.cn IN A 0:71.197.38.110

Conclusion
• The cyber crime industry moves about 100 billion USD/year and is the most successful sector of organized crime... growing 40%/year
• There is no way to treat cyber crimes and real world crimes in different ways
  • Both cause billions in losses
  • Both are used to sponsor illegal activities
  • Both can be used to sponsor real world terror

Conclusion
• May 2008
• IDG: Do you see any areas of the world that are emerging sources of concern when it comes to cybercrime?
• INTERPOL Executive Director Jean-Michel Louboutin: Terrorism. I think the main concern for the world is terrorism, fraud. This is very important. They use the Internet a lot. We can have different networks of terrorism using the Internet, because it is very easy to create a site. You can create propaganda. You can recruit. Now the main recruitment for Afghanistan is over the Internet. Terrorists are chatting on Internet sites. They can provide tools for training. They can set up rendezvous. They can use encrypted language to give orders. It is a major trend.

Remember this?
“Last I checked, it was physical terrorists who bombed the Marine barracks in Lebanon, who attacked the U.S.S. Cole, who took out the Oklahoma City federal building, and who suicide-bombed the World Trade Center and the Pentagon. Wily-fingered hackers had nothing to do with it.”
CNet Article - 2003

Questions!
[The End!]
pbueno@isc.sans.org / pbueno@avertlabs.com
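The IRC channel capture on the Bots/Botnets slides above (one operator types `.up`, thirteen bots with generated nicks answer `[MAIN]: Uptime: ...` in the same minute) is a pattern a SOC can look for in IRC proxy logs or reassembled captures. The following Python detector is an added example for this page, not code from the presentation: it parses `[HH:MM] <nick> message` lines and reports bursts where a short dot-command is followed, in the same log minute, by status replies from many distinct nicks. The generated-nick regex, the command and status-prefix patterns and the five-responder threshold are assumptions chosen for the example; the two human chat lines in the sample are constructed, the bot lines are the ones from the slide.

```python
"""Flag IRC command/response bursts typical of an IRC-controlled botnet.

Added example for this page, not code from the presentation. Works on
"[HH:MM] <nick> message" channel logs like the capture on the
Bots/Botnets slide: one operator command (".up") answered by many bots
whose nicks are a fixed prefix plus random digits and whose replies share
a "[MAIN]: ..." status prefix. The nick/command/status patterns and the
responder threshold are assumptions for this example.
"""
import re

LINE_RE = re.compile(r"^\[(\d{2}):(\d{2})\]\s+<([^>]+)>\s+(.*)$")
# Generated nick: optional bracketed 1-4 letter prefix, then 6+ digits,
# e.g. "[x]12212893" (assumed pattern, matches the slide capture).
GENERATED_NICK_RE = re.compile(r"^\[?[A-Za-z]{1,4}\]?\d{6,}$")
# Bot status replies begin with a bracketed upper-case module name.
STATUS_RE = re.compile(r"^\[[A-Z]+\]:\s")
# Operator commands are short dot- or bang-prefixed words.
COMMAND_RE = re.compile(r"^[.!][a-z][a-z0-9_]*(?:\s|$)")


def parse_line(line):
    """Return (minute_of_day, nick, message), or None for non-chat lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, nick, msg = m.groups()
    return int(hh) * 60 + int(mm), nick, msg


def find_command_bursts(lines, min_responders=5):
    """Return bursts: a command followed, in the same log minute, by status
    replies from at least min_responders distinct nicks other than the sender.
    The log only has minute resolution, so replies spilling into the next
    minute are not counted (a conservative choice)."""
    bursts = []
    current = None

    def flush():
        if current is not None and len(current["responders"]) >= min_responders:
            current["responders"] = sorted(current["responders"])
            bursts.append(current)

    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        minute, nick, msg = parsed
        if COMMAND_RE.match(msg):
            flush()  # close the previous candidate burst, if it qualified
            current = {
                "minute": minute,
                "operator": nick,
                "command": msg.split()[0],
                "responders": set(),
                "generated_nicks": 0,
            }
            continue
        if (
            current is not None
            and minute == current["minute"]
            and nick != current["operator"]
            and STATUS_RE.match(msg)
            and nick not in current["responders"]
        ):
            current["responders"].add(nick)
            if GENERATED_NICK_RE.match(nick):
                current["generated_nicks"] += 1
    flush()
    return bursts


# Constructed sample: two human lines, then the capture from the slide.
SAMPLE_LOG = """\
[17:09] <alice> anyone seen the new build?
[17:10] <bob> .seen alice
[17:10] <alice> right here
[17:11] <randomnick> .up
[17:11] <[x]12212893> [MAIN]: Uptime: 1d 8h 50m.
[17:11] <[x]55483161> [MAIN]: Uptime: 2d 8h 18m.
[17:11] <[x]32705837> [MAIN]: Uptime: 2d 6h 49m.
[17:11] <[x]66729140> [MAIN]: Uptime: 0d 4h 2m.
[17:11] <[x]62694986> [MAIN]: Uptime: 0d 7h 0m.
[17:11] <[x]77045269> [MAIN]: Uptime: 23d 8h 10m.
[17:11] <[x]10568877> [MAIN]: Uptime: 0d 8h 8m.
[17:11] <[x]43332600> [MAIN]: Uptime: 0d 5h 8m.
[17:11] <[x]38093578> [MAIN]: Uptime: 0d 9h 14m.
[17:11] <[x]59464173> [MAIN]: Uptime: 29d 9h 14m.
[17:11] <[x]59968649> [MAIN]: Uptime: 23d 8h 9m.
[17:11] <[x]29780258> [MAIN]: Uptime: 0d 6h 29m.
[17:11] <[x]70324359> [MAIN]: Uptime: 23d 8h 10m.
"""


def report(lines):
    """Print a one-line summary per burst; returns the bursts for callers."""
    bursts = find_command_bursts(lines)
    for b in bursts:
        print(f"{b['operator']} sent {b['command']} at minute {b['minute']}: "
              f"{len(b['responders'])} responders, "
              f"{b['generated_nicks']} with generated nicks")
    return bursts


if __name__ == "__main__":
    report(SAMPLE_LOG.splitlines())
```

The `.seen alice` exchange shows why a threshold is needed: humans also use dot-commands with channel bots, but one reply from one nick never reaches the responder count, whereas a real herder's command is answered by a wall of identically formatted status lines from nicks that look machine-generated.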
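The `giftapplys.cn` answer set on the fast-flux slide above is what a fast-flux service network looks like from the outside: a dozen addresses in unrelated consumer ISP ranges behind one name, rotated with a very low TTL. The Python below is an added example for this page, not code from the presentation: it parses a record dump in the slide's format and scores each name by how widely its addresses are spread. It assumes the number before the colon in the slide's dump is the record TTL, uses /16 and /8 prefix spread as an offline stand-in for the ASN counts that proper fast-flux detectors use (those need network lookups), and the thresholds and the benign `www.example.test` round-robin records are constructed for the example.

```python
"""Score DNS A-record sets for fast-flux behaviour.

Added example for this page, not code from the presentation. Parses the
"name IN A ttl:ip" dump format used on the fast-flux slide (the number
before the colon is assumed to be the record TTL) and scores each name by
how many distinct /16 and /8 prefixes its addresses span. Real detectors
count ASNs, which needs network access; prefix spread is the offline
proxy used here. Thresholds are illustrative assumptions.
"""
import ipaddress
import re
from collections import defaultdict

RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+IN\s+A\s+(?:(?P<ttl>\d+):)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_records(text):
    """Group A records by owner name -> list of (ttl or None, IPv4Address)."""
    answers = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue  # blank lines and non-A records are ignored
        ttl = int(m.group("ttl")) if m.group("ttl") is not None else None
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ipaddress.AddressValueError:
            continue  # malformed address in the dump
        answers[m.group("name").rstrip(".")].append((ttl, ip))
    return dict(answers)


def flux_score(records, min_records=5, min_prefix_ratio=0.5, max_ttl=300):
    """Score one name's A records.

    Flags the name when it has at least min_records distinct addresses, at
    least min_prefix_ratio of them sit in different /16 prefixes (many
    unrelated networks, as with infected home machines), and the lowest TTL
    seen is at most max_ttl (or no TTL is known).
    """
    ips = {ip for _, ip in records}
    ttls = [ttl for ttl, _ in records if ttl is not None]
    slash16 = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    slash8 = {ipaddress.ip_network(f"{ip}/8", strict=False) for ip in ips}
    min_ttl = min(ttls) if ttls else None
    ratio = len(slash16) / len(ips) if ips else 0.0
    flagged = (
        len(ips) >= min_records
        and ratio >= min_prefix_ratio
        and (min_ttl is None or min_ttl <= max_ttl)
    )
    return {
        "n_a": len(ips),
        "n_16": len(slash16),
        "n_8": len(slash8),
        "min_ttl": min_ttl,
        "prefix_ratio": round(ratio, 2),
        "flagged": flagged,
    }


def score_dump(text, **thresholds):
    """Score every name in a dump; returns {name: score dict}."""
    return {name: flux_score(recs, **thresholds)
            for name, recs in parse_records(text).items()}


# The giftapplys.cn records are the ones from the slide. The
# www.example.test records are constructed as a benign round-robin contrast
# (RFC 5737 documentation addresses, one /24, one-hour TTL).
SAMPLE_DUMP = """\
giftapplys.cn IN A 0:89.228.78.213
giftapplys.cn IN A 0:98.14.181.131
giftapplys.cn IN A 0:64.53.130.14
giftapplys.cn IN A 0:70.121.217.6
giftapplys.cn IN A 0:220.248.169.116
giftapplys.cn IN A 0:71.226.85.20
giftapplys.cn IN A 0:81.132.159.4
giftapplys.cn IN A 0:190.50.120.156
giftapplys.cn IN A 0:68.90.143.63
giftapplys.cn IN A 0:67.187.207.126
giftapplys.cn IN A 0:12.214.208.136
giftapplys.cn IN A 0:98.212.18.73
giftapplys.cn IN A 0:71.197.38.110
www.example.test IN A 3600:192.0.2.10
www.example.test IN A 3600:192.0.2.11
www.example.test IN A 3600:192.0.2.12
"""

if __name__ == "__main__":
    for name, s in score_dump(SAMPLE_DUMP).items():
        verdict = "FAST-FLUX?" if s["flagged"] else "ok"
        print(f"{name}: {s['n_a']} A records across {s['n_16']} /16s and "
              f"{s['n_8']} /8s, min TTL {s['min_ttl']} -> {verdict}")
```

On the slide's data the scorer sees 13 addresses in 13 different /16s (11 different /8s) with TTL 0, while a legitimate round-robin keeps its few addresses inside one prefix with a long TTL. In production the prefix spread would be replaced by ASN diversity from a BGP feed and combined with repeated lookups over time, since a flux network also changes its whole answer set between queries.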