securing and enabling dynamic business Spy VS Spy Countering SpyEye with SpyEye Lance James Director of Intelligence Vigilant, LLC March 21st, 2011
Lance James Lance James Brief Bio: Director of Intelligence, Vigilant, LLC Founder of Secure Science Corporation Brief Bio: Infosec over a decade, development, research, network intrusion, cryptography (IIP/I2P), IntelliFound, Daylight Author of “Phishing Exposed”, Co-Author of “Emerging Threat Analysis” 3rd Book on it’s way (counter-intelligence) Loves Karaoke Very Hyper (but I am getting old)
Research SpyEye Law Web Panel based C&C DIY Builder Kits Merging with Zeus $1000-$3000 WMZ Law Title 18 USC 1030 Color of Right Expectation of Privacy
SpyEye
Components of SpyEye Trojan Build it yourself Data interception Formgrabs Credit Cards Software Collection Process hooking Kills Zeus/Zeus Merger UPX Packed (most cases)
Components of SpyEye Web-based Panel SYN 1 (Blind Drop) Formgrabber/Data Manager FTP Theft Bank of America Theft Stats CN 1 (Command & Control) Binary Updates Configuration Updates Statistic collection Plugins Backconnect (SOCKS5/FTP)
Builder
Web Panel (SYN 1)
Web Panel (CN 1)
Web Panel Investigation What we know Web Panel Investigation Build Inference (directories and files) Debug.log (general traffic) Error.log (possible leaked IP’s and other info) Tasks.log (what it’s doing) Backup.sh (sql dump and passwords) Config.ini (settings) Understand the code AJAX driven AJAX queries and refreshes for data
Debug.log
Case Study CnC Host: 91.211.117.25/sp/admin (currently down) History: specific URI discovered publicly 09/07/2010 Prior attacks from this IP discovered 07/26/2010 (same operator) ASN 48587 (known for malicious activity) Location: Ukraine (UA) AS Name: Private Entrepreneur Zharkov Mukola Mukolayovuch Malware Life-cycle: Monday 08/30/10 – Friday, 09/24/10 (25 days) Unique computers infected: 28,590 Unique binaries distributed: 2,325
C&C Activity
Botnet Infections
C&C has many world readable files Including Frm_grab.php C&C Advancement & Law C&C has many world readable files Including Frm_grab.php Doesn’t work without AJAX environment Same concept as request 1 world readable file Many requests at once Very useful intelligence Very complicated Legally Explain what we did to a jury or judge Explain it to attorney DOJ conservative to risk
How it works C&C Target (SYN 1) main page password protected (illegal in US to log in)
Log in to local C&C setup Eating Dog Food Log in to local C&C setup Fire up Proxy, Set Servers to Stun!
Kibbles & Bits Proxy Setup – either with burp or netsed Header Modification Browser proxy configuration
Target Acquired When this changes we know we are connected
All data compromised in real time Bot GUIDS per data compromise Results All data compromised in real time Bot GUIDS per data compromise Dates of compromises Bonus points! Bad guy activity The day before 0 Settings We can update the botnets (Not Approved)
Spy Wars Adversary is quick, no boundaries Jedi tools Jedi Council Disciplined Philosophy Jedi skill Limited by Law
Be the Smart Jedi May the Force Be With Us Do or Do Not! We’re gonna need it Do or Do Not! There is no try Yoda is awesome
Contact Thank You! Lance James Director of Intelligence ljames@thevigilant.com http://www.thevigilant.com