Cyber Crimes: Follow the Money

McAfee Avert Labs Malware Research
Pedro Bueno, SANS GCIA, GREM, SSMPA
Anti-Malware Research Engineer
© 2007-2008 McAfee, Inc.
Warming up...
“Last I checked, it was physical terrorists who bombed
the Marine barracks in Lebanon, who attacked the U.S.S.
Cole, who took out the Oklahoma City federal building,
and who suicide-bombed the World Trade Center and the
Pentagon.
Wily-fingered hackers had nothing to do with it.”
CNet Article - 2003
Agenda
• Introduction
• Motivation
— Illegal Financing
— Terrorism
— Mafia Style
• Methods Used
— Identity Theft
— Phishing Kits
— PWS Trojans
— Virtual Money Laundering
— Botnets
• Conclusion
Introduction
• Significant change in the hacking world from 4 years ago to
today…
• Some years ago we had hackers “à la Mitnick”, or hacking
for fame, looking for a better ranking on the (R.I.P.) Alldas.de
defacement mirror
• Now, we have hackers directly involved in cyber crime,
which is also sponsored by real world organized crime!
• Now, we have hackers directly involved in cyber crime,
which is also sponsoring real world organized crime!
Introduction
— Before:
• 1 bot == $1 to $5 USD or 3 shell accounts
— Now:
• BotNets == $500 USD
• DDoS == $500 - $1500
• ‘Hackers for Hire’
— Before:
• Script Kidz...
— Now:
• Organized Crime!
Introduction
• Virus customized for a specific company of your choice =
$50,000 USD
• Recycled virus (modified to avoid signature detection) =
$200 USD
• 10 million email addresses = $160 USD
• Credit card number = $2~6 USD
• Credit card number with security code = $20~60 USD
• Renting a laptop which controls botnet of 5,000~10,000
computers = $100/day
Source: G-Data
Introduction
• Nowadays, cyber crime is changing the concept of
cyber terrorism:
• Cyber Terrorism as we know:
1 - “the use of information technology by terrorist groups and
individuals to further their agenda. This can include use of
information technology to organize and execute attacks
against networks, computer systems and
telecommunications infrastructures, or for exchanging
information or making threats electronically. ”- NCSL
• Cyber Terrorism as we should understand:
“[1] + the use of cyber crimes to sponsor real world terrorism
activity”
Introduction
Cyber Crimes - Motivation
• Illegal Financing
• Terrorism
• Mafia Style
Motivation
• Illegal Financing
— For example, any kind of organized crime group, like regular
organized crime or terrorism, with whatever objective, like:
• buying arms from illegal arm dealers
• establish a cell in a country
• Tactical Training
• Operational actions
Motivation
• Terrorism
— 4th Generation Warfare!
• Cyber <-> Terror
— 1999 – Hacking was used to obtain the AirBus A300 structural plan. Those plans
were essential to the successful hijack of the Indian AirLines airplane in
December 1999.
2001 – in February, a hacker was contacted to get the structural plans of other
airplanes, identical to those used on the 9/11 attack.
Motivation
• Terrorism (cont.)
— Bali 2002 – a bombing attack on the tourist district of Kuta on the
Indonesian island of Bali. Investigations led to the information that
the attack was sponsored by credit card fraud. Imam
Samudra, author of the attacks, published a book with a chapter
entitled "Hacking, Why Not?"
— 2004 – Research revealed that ALL terrorist groups have some
kind of ‘virtual cell’ on the Internet.
— April 2006 – 5 family members of a Jordanian person with
American citizenship, accused of being an Al Qaeda contact, were
arrested in California for banking fraud with identity theft. Some
of the money was transferred to an account in Amman,
Jordan.
Motivation
• The Mafia style
— CardPlanet
• Uses same schema as the Italian Mafia
• Some “affiliates”:
— Mazafara (aka Network Terrorism)
— ShadowCrew
— IAACA – International Association for the Advancement of Criminal Activity
Motivation
• The Mafia Style
• In January 2008, the famous Russian site
MP3Spack.com was banned from the UK backbone after
doing business with a web host that has been linked to a
cybercrime syndicate.
— It was using the web hosting of Abdallah, from a Turkish
network that has been serving malware for
years.
— The Turkish network also had links with RBN
(Russian Business Network), which has also been
serving malware for many years…
Methods
• Identity Theft
• Phishing and Phishing Kits
• PWS trojans
• Virtual Money Laundering
• Botnets
Methods
• Identity Theft
— The usage of the identities of others to carry out violations of
federal criminal law
— More than 25 types of ID Theft investigated by the USSS.
— Way to obtain Driver's Licenses, bank and credit card
accounts through which terrorism financing is facilitated
— Al-Qaeda terrorist cell in Spain used stolen credit cards in
fictitious sales scams and for numerous other purchases for
the cell and also used stolen telephone and credit cards for
communications back to Pakistan, Afghanistan, Lebanon,
etc.
Methods
• Phishing
— Traditional
— Very common method to get personal data such as SSN, birth
date, family names, as well as bank data, by forging the bank
webpage.
- Old, but still functional!
- “U.S. consumers lost roughly $3.2 billion to phishing scams in 2007” –
Gartner Survey
Methods - Phishing
• Global Cyber Organized Crime
• In May 2008 FBI arrested 38 people
linked to a fraud schema, involving
U.S., Portugal, Romania, Pakistan
and Canada.
• Group “A” in Romania (mostly) ran the spam with the phishy
message, leading the victim to a phishing site where they
were able to get most personal information, such as PIN,
SSN, CCN…
• Group “A” sent the info to Group “B” in the U.S., which
manufactured their own credit, debit and gift cards to be used in
the Real World!
Source: FBI
Methods – Phishing Kits
• Created as PHP based malware ‘Kits’
• Usually developed by Russian criminals
• Also presents a C&C
• Examples of such kits are:
— Mpack/IcePack
— ZeuS
• Costs around $700-$1000 USD
Methods – Phishing Kits- Mpack/IcePack
• The latest version exploits the following Client Side
Vulnerabilities:
CVE-2006-5198 - WinZip FileView ActiveX Control Unsafe Method Exposure Vulnerability
CVE-2007-0015 - Buffer overflow in Apple QuickTime 7.1.3
MS06-006 - Firefox 1.5.x/Opera 7.x WMP plugin vuln
MS06-014 - ADODB/MDAC vuln
MS06-044 - mmc: vuln for Win2000
MS06-055 - remote code execution vulnerability Vector Markup Language (VML)
MS06-057 - WebViewFolderIcon ActiveX vuln
MS06-071 - XML setRequestHeader vuln
MS07-017 – ANI vuln
CVE-2007-3147 - Buffer overflow in the Yahoo! Webcam Upload ActiveX
MS05-052 - Internet Explorer COM objects vuln
MS06-024 - Vulnerability in Windows Media Player
Methods – Phishing Kits- Mpack/IcePack
• Some highlights:
— Uses iFrame to determine the best attack model
— Control the machine remotely through HTTP
— Serve exploits based on country, using GeoIP
— Serve exploits based on browser type, including MSIE, Opera and Firefox
— Allows different statistics
— Offers an Admin panel for updates, views, etc…
Methods – Phishing Kits- Mpack/IcePack
• Mpack Statistics page:
Methods – Phishing Kits- ZeuS
• Another type of PHP kit
— A mix of Client side exploits and client malware
— Also creates a Botnet based on Http protocol
— Also has a C&C
— Client and Server components
— Bank oriented!
— Targets US banks:
• Bank of America
• Chase
• Citibank
Methods – Phishing Kits- ZeuS
• European Banks:
— Santander
— HSBC in UK
— Lloyd
— Halifax
— Barclays
— Banco Popular
• And more…
— …<insert your bank here>
Methods – Phishing Kits- ZeuS
• The Zeus client is created based on a builder application:
• Information screen, also removes it from the machine
Methods – Phishing Kits- ZeuS
• The client offers some builder options:
— Can choose and modify the configuration file
Methods – Phishing Kits- ZeuS
• Creates two files:
— Cfg.bin – the configuration file
— loader.exe – the actual malware
Methods – Phishing Kits- ZeuS
• The Logs are encoded. However the builder provides a
way to decode the logs generated by the client.
Methods
• PWS Trojans
— Stands for PassWord Stealer trojans
— Steals passwords for bank accounts, called PWS-Bankers
— Steals passwords used on online games, called PWS-OnlineGames
Methods
• PWS Trojans
• Basic PWS-Banker “Modus Operandi”:
1. User receives an email with a fake juicy message
2. User clicks on the link
3. User downloads a small file and runs it
4. The file opens an error message, closes, and downloads another big file in
the background
5. The big file intercepts the bank website access attempt and prompts a fake login
to retrieve the user’s bank credentials
6. The trojan sends an email to the hacker with the bank credentials.
Methods
• PWS-Bankers
• New features:
• Targeted banking!
• Steals certificate files used by banks, like *.crt and *.key
• Modular
— Downloader
— Url List
— Redundancy!
• Grabs screenshots and records video clips
• Encrypts the data sent to the hacker
Methods
• PWS Bankers trojans
• Mostly used in South America, specifically in Brazil,
where it moves about 200 million USD/year
• Started with 3 major malware writer groups
• About a year ago, the groups started to develop special
versions for other countries in Latin America, like Argentina
and Colombia
• The money was mostly used to buy expensive cars
• Now, it is also used to sponsor real world organized crime
Methods – PWS Online Games Trojans
• PWS OnlineGames – virtual money becomes
money in the real world!
Source: SANS ISC
Methods – PWS Online Games Trojans
• These trojans attempt to steal the game
credentials and steal/transfer/sell all gold (virtual
money)
• 100,000 Gold Farmers worldwide
• $1.8 Billion / year traded in virtual items.
Source: SANS ISC
Virtual Money Laundering
• Uses Online Games as a vector
• Second Life example:
— 9 million residents (avatars)
— “The residents are able to move about, interact with and/or chat
privately with other residents, participate in activities and trade or
buy virtual items and/or services from other residents.
Additionally, virtual real estate may be purchased, sold and
rented and virtual casinos are plentiful.” – BankInfo Security
— Currency is Linden Dollars, which can be exchanged for USD
Virtual Money Laundering
• “A player/resident may use his actual credit or debit card to
purchase online money and then redeem those credits
for actual money with another player in another country
and in that country's unit of currency”
• Gambling was a legal activity in Second Life. Any citizen
(avatar) would be able to find a place to play blackjack, for
example, using Linden Dollars (which could be exchanged
later for USD).
• There was no way to guarantee the accuracy of the
gambling devices…
• As of August 2007, all gambling was banned from Second
Life
Methods – Bots/Botnets
1. Scan & exploit: compromised machines scan for and
compromise new machines
2. The compromised machines join an IRC network, controlled by a
remote person
3. The remote person can now order a number of activities from the
compromised machines, like a DDoS
Methods – Bots/Botnets
• Boom happened in 2004/2005
— In April 2004, more than 900 bot variants
• In 2005, it rose more than 175% when compared to
2004
• Source: McAfee AvertLabs
Methods – Bots/Botnets
...in 2005:
Data from January to June 2005:
4268 New bot variants!
Source: F-Secure
Agobot * Spybot * Aebot * Aimbot * Alcobot * Babot *
Badbot * Bbot * Bigbot * Evilbot * Gobot * Msbot *
ShellBot * Psybot * Rbot * Sbot * Sdbot * Aebot * GTBot
* Nyrobot * Robobot * Rsbot * Vbbot * Padobot *
Kazabot * Gunbot * IRCBot ...
Methods – Bots/Botnets
• Why so many variants?
— Source code available in the underground (and open source!)
— It is then possible to modify it and create one's own new variant!
Methods – Bots/Botnets
• Example of a bot source code, under GNU license...(GPL!)
Methods – Bots/Botnets
– Easy to add new functionalities, or Mods
Methods – Bots/Botnets
• Command reference:
Methods – Bots/Botnets
• Easy to modify...
• Too many source code files...
• Too many header files...
• Too many config files...
• Too many parameters...
• In summary:
• Quite complicated to create one's own version...
Methods – Bots/Botnets
Server parameters, FAQ, user parameters
Methods – Bots/Botnets
• Simple explanation:
– Lots of bots under the control of a single person ==
BotNet
Botnets allow different DDoS attacks:
• ICMP flood;
• TCP flood;
• UDP flood;
• ‘HTTP’ flood;
Usually under an IRC network!
Methods – Bots/Botnets
• Why?
— Profit
• Spam, PWS...
— Piracy
• warez, videos, books...
— Profit
• DDoS for hire!
— CyberSpace power
• Did I hear cyberwar??
Methods – Bots/Botnets
» Source: F-Secure Weblog (http://www.f-secure.com/weblog)
Botnets usage...
• “...Saad Echouafni, head of a satellite
communications company, is wanted in
Los Angeles, California for allegedly
hiring computer hackers to launch
attacks against his company's
competitors. On August 25, 2004,
Echouafni was indicted by a federal grand
jury in Los Angeles in connection with the
first successful investigation of a large-scale distributed denial of service
attack (DDOS) used for a commercial
purpose in the United States....”
• “...That business, as well as others both
private and government in the United
States, were temporarily disrupted by
these attacks which resulted in losses
ranging from $200,000 to over $1
million...”
• Source: FBI
Methods – Bots/Botnets
Botnet information
Methods – Bots/Botnets
Methods – Bots/Botnets
Activities, Bots
Methods – Bots/Botnets
[17:11] <randomnick> .up
[17:11] <[x]12212893> [MAIN]: Uptime: 1d 8h 50m.
[17:11] <[x]55483161> [MAIN]: Uptime: 2d 8h 18m.
[17:11] <[x]32705837> [MAIN]: Uptime: 2d 6h 49m.
[17:11] <[x]66729140> [MAIN]: Uptime: 0d 4h 2m.
[17:11] <[x]62694986> [MAIN]: Uptime: 0d 7h 0m.
[17:11] <[x]77045269> [MAIN]: Uptime: 23d 8h 10m.
[17:11] <[x]10568877> [MAIN]: Uptime: 0d 8h 8m.
[17:11] <[x]43332600> [MAIN]: Uptime: 0d 5h 8m.
[17:11] <[x]38093578> [MAIN]: Uptime: 0d 9h 14m.
[17:11] <[x]59464173> [MAIN]: Uptime: 29d 9h 14m.
[17:11] <[x]59968649> [MAIN]: Uptime: 23d 8h 9m.
[17:11] <[x]29780258> [MAIN]: Uptime: 0d 6h 29m.
[17:11] <[x]70324359> [MAIN]: Uptime: 23d 8h 10m.
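The channel excerpt above shows the two signals a defender can key on in IRC traffic: a single short dotted command from one nick, followed within the same second by a burst of near-identical replies from many nicks sharing a generated name pattern. The following Python is an added example (not from the talk or from any bot family's code): it parses lines in the slide's format, treats nicks of the form "[x]" plus eight digits as bot-like (an assumption taken from the sample only), and flags the channel when enough such nicks reply in one synchronized burst. The sample log is constructed from the slide's first lines plus two ordinary chat lines that the heuristic should ignore.

```python
import re
from collections import defaultdict

# Constructed sample: the first IRC lines from the slide, plus two normal human
# chat lines so the heuristic has something it must not flag.
SAMPLE_LOG = """\
[17:11] <randomnick> .up
[17:11] <[x]12212893> [MAIN]: Uptime: 1d 8h 50m.
[17:11] <[x]55483161> [MAIN]: Uptime: 2d 8h 18m.
[17:11] <[x]32705837> [MAIN]: Uptime: 2d 6h 49m.
[17:11] <[x]66729140> [MAIN]: Uptime: 0d 4h 2m.
[17:12] <alice> anyone seen the build break?
[17:12] <bob> yeah, looking at it
"""

# "[HH:MM] <nick> message", as the slide prints it
LINE_RE = re.compile(r"^\[(?P<ts>\d{2}:\d{2})\] <(?P<nick>[^>]+)> (?P<msg>.*)$")
# Assumption: generated bot nicks look like "[x]" followed by eight digits
BOT_NICK_RE = re.compile(r"^\[x\]\d{8}$")
# Assumption: controller commands are a single dotted word, like ".up"
COMMAND_RE = re.compile(r"^\.[a-z]+$")


def parse(log):
    """Return a list of {ts, nick, msg} dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(log, min_bots=3):
    """Score a channel log: how many bot-like nicks, which commands were issued,
    and the largest burst of synchronized replies (same second, same reply tag)."""
    events = parse(log)
    bot_nicks = {e["nick"] for e in events if BOT_NICK_RE.match(e["nick"])}
    commands = [(e["nick"], e["msg"]) for e in events if COMMAND_RE.match(e["msg"])]

    # Group bot replies by (timestamp, reply tag such as "[MAIN]") to find
    # many distinct nicks answering the same command at the same time.
    bursts = defaultdict(set)
    for e in events:
        if e["nick"] in bot_nicks:
            tag = e["msg"].split(":")[0]
            bursts[(e["ts"], tag)].add(e["nick"])
    largest = max((len(nicks) for nicks in bursts.values()), default=0)

    return {
        "bot_nick_count": len(bot_nicks),
        "commands": commands,
        "largest_burst": largest,
        "suspicious": len(bot_nicks) >= min_bots and largest >= min_bots,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run over the full slide excerpt the burst grows to thirteen nicks in one second; the two human lines contribute nothing because their nicks do not match the generated pattern and their messages are not dotted commands.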
Methods – Bots/Botnets
• Packet Dumps...
Methods – Bots/Botnets – the new generation
• StormWorm case...(aka Nuwar, postcard worm...)
— P2P based
• Say bye-bye to a central C&C!
• Hard to detect on the infected machine (uses rootkit)
• Many different binaries
• Use of Fast-Flux networks
• Quite complex P2P network
Methods – Bots/Botnets – the new generation
• Storm worm allows:
— Pump and Dump spam (stock spam)
• “involving use of false or misleading statements to hype stocks, which are
"dumped" on the public at inflated prices.”
— Company price goes high, so it is possible to sell the stocks at a higher
price!
• Using different file formats, like PDF, DOC, Excel, plain text…
— Phishing emails that lead to sites with client side exploits
— DDoS attacks and Auto DDoS
— High availability due to Fast-Flux networks
Methods – Bots/Botnets – the new generation
• A quick highlight on Fast Flux schema:
Source: Honeynet project
Methods – Bots/Botnets – the new generation
• Example:
giftapplys.cn IN A 0:89.228.78.213
giftapplys.cn IN A 0:98.14.181.131
giftapplys.cn IN A 0:64.53.130.14
giftapplys.cn IN A 0:70.121.217.6
giftapplys.cn IN A 0:220.248.169.116
giftapplys.cn IN A 0:71.226.85.20
giftapplys.cn IN A 0:81.132.159.4
giftapplys.cn IN A 0:190.50.120.156
giftapplys.cn IN A 0:68.90.143.63
giftapplys.cn IN A 0:67.187.207.126
giftapplys.cn IN A 0:12.214.208.136
giftapplys.cn IN A 0:98.212.18.73
giftapplys.cn IN A 0:71.197.38.110
Conclusion
• The Cyber Crime industry moves about 100 Billion USD/
year and is the most successful sector of organized
crime…growing 40%/year
• There is no way to treat cyber crimes and real world
crimes differently
• Both cause billions in losses
• Both are used to sponsor illegal activities
• Both can be used to sponsor real world terror
Conclusion
• May 2008
• IDG: Do you see any areas of the world that are emerging
sources of concern when it comes to cybercrime?
• INTERPOL Executive Director Jean-Michel Louboutin:
Terrorism. I think the main concern for the world is terrorism,
fraud. This is very important. They use the Internet a lot. We
can have different networks of terrorism using Internet, because
it is very easy to create a site. You can create propaganda. You
can recruit. Now the main recruitment for Afghanistan is over
the Internet. Terrorists are chatting on Internet sites. They can
provide tools for training. They can set up rendezvous. They
can use encrypted language to give orders. It is a major trend.
Remember this?
“Last I checked, it was physical terrorists who bombed
the Marine barracks in Lebanon, who attacked the U.S.S.
Cole, who took out the Oklahoma City federal building,
and who suicide-bombed the World Trade Center and the
Pentagon.
Wily-fingered hackers had nothing to do with it.”
CNet Article - 2003
Questions!
[The End!]
pbueno@isc.sans.org / pbueno@avertlabs.com