ISPs and the threat from the Underground Economy
Mike O’Reirdan, Comcast Distinguished Engineer
26th March 2009

Agenda
The Underground Economy
Not just a technical issue
The threat to the industry
Malware and assorted wickedness
What is the industry doing right now?
“…. Internet is at Serious risk… botnets could eat the Internet” Vint Cerf, World Economic Forum, Davos, January 2007

Spam is a part of the malware issue
Competent ISPs have a reasonable handle on spam
  – Economic problem rather than a technical one
Costs are servers, software and staff
End user spam levels are low
The issue now is malware
Direct threat to whole Internet
  – Personal data
  – Infrastructure attacks: Estonia, Georgia, Kyrgyzstan
  – Spamming

THE UNDERGROUND ECONOMY
Parallels with other crime waves
Good example is numbers rackets
  – Initially run by amateurs or small scale criminals
Organised crime saw the opportunities offered and easy money to be made
  – Moved in, made rackets more sophisticated, technically more complex
Same has happened to online fraud
Mainly operated out of poorly policed environments such as Eastern Europe, West Africa and China
  – Weak legal environment
  – High level of organised crime
  – Good educational systems
Now a complete underground economy turning over billions of dollars
  – Low physical risk to the criminal
  – Low cost of entry
  – High returns, FBI estimate $67B per year
  – Very hard to prosecute

Advertising for Criminals!
Unlike the numbers rackets, they even have advertising

Legal perspective
Jurisdictional problems
  International issues
  Getting support in multiple jurisdictions
  A single “crime” will almost certainly be perpetrated in many countries
  Some countries have weak legal systems in relation to cyber crime
Many DAs find it easier to prosecute “regular” crime
  Easier to see a drugs haul than a server with stolen identities
  Requires specialised training
  Not seen as a large enough crime
Inadequate resources
  Few agents are trained to combat cyber crime
  Overseas presence is heavily strained
The FBI believes that supporters of terrorist groups are using phishing schemes to raise funds for groups that they support
Moves are afoot to make the issue legally the responsibility of the ISPs
  Richard Clarke (former special adviser to the President on cyber security): "[The FCC] could, for example, say to all the ISPs, 'You will do the following things to reduce fraud, bot nets, malicious activity, etc.'"
  Other agencies are looking at the revocation of some common carrier privileges

Educational and cultural perspective
Population old enough to use, but not educated enough to defend themselves
  – Like asking your granny to gap the spark plugs on her car
Many efforts to educate from a number of agencies
  – FTC
      Main agency charged with messaging public about online safety
      Relatively poorly resourced, good in that it listens to industry
  – ISPs
      Public perception is that the ISPs are not “doing enough”
      Many ISPs offer free protection with leading AV and firewall offerings, but many customers do not know or choose not to use it
Little idea of scale of criminality on the Internet
Expectation of freedom to surf
Regulation seen as an inhibitor to the development of the Internet
Privacy has yet to be redefined on the Internet

The threats to ISPs
Underground Economy is biggest threat
  Attacks motivated by money, ROI on cost of attack
  Subscribers are the target
  Various guises: malware, DDOS, phishing, spear-phishing
Glory threat remains
  Not negligible
  Web site defacement, attacks on infrastructure such as DNS
Social engineering is a massive threat

The prevalence of malware and bots
Recent unpublished data shows that the level of infection for broadband ISPs ranges between 10 and 25% in the USA and substantially higher in some other countries
Main aim is to extract information which can be sold in the “Underground Economy”
Volumes of malware have increased massively
  – Now seeing up to 20m pieces per annum (Symantec)
Moving to the single use binary
  – Like a one time code pad, much harder to defend against
  – Renders many current defense mechanisms useless

A brief history of Malware
“Hobbyist Phase ( ): Viruses written largely out of curiosity, or for bragging rights
  – Payloads tended to be limited to propagation, destruction, or political/personal messages
Criminal/Commercial Phase (Early 2000s-Present): Bots, Backdoors, Password-Stealers, Spyware, Adware
  – Shift from parasitic to static malware; steep growth in malware creation rates
  – The point is stealth and data, and uncontrolled propagation is bad for business” David Marcus (McAfee)
Expect to see twenty million items of Malware reported this year (Symantec)
Aim of the bot designers is to provide a highly reliable piece of software that will undetectably run with very little end user impact

Three principal methods of malware distribution
SMTP
  – Large amount of malware is distributed via SMTP
    User opens message
    Opens attachment or clicks on URL
    Exploit is used to transfer malware to user
      » Initial malware is downloader
      » Brings down full exploit
Web exploits
  – Exploited servers
    User visits web site
      – Vulnerable browser / OS is exploited
      – Exploit is used to transfer malware to user
        » Initial malware is downloader
        » Brings down full exploit
IM
  – Message to attract user to exploited server
    User visits servers
      – Exploit is used to transfer malware to user
        » Initial malware is downloader
        » Brings down full exploit

Technical perspective
Botnet technology varies
  – IRC
    Original location of bots on the Internet
    Easier to track
    Some IRC botnets use “anti-sandboxing” techniques
      – Often “captured bots” run in sandbox
    Still in use but slowly being obsoleted for sophisticated users
      – Recent DDOS attack on CastleCops
  – HTTP proxy bots
    Extensive usage
      – Principally spam
    Actively worked by leading researchers
    Easily hides C&C traffic within normal port 80 traffic, requiring extensive filtering to detect
  – P2P
    Big problem area due to levels of sophistication
    Using modified generally available protocols such as eDonkey
    Encrypted payloads and communications
    Requires traffic analysis approach

End user perspective
AV has significant issues
  – Challenged in effectiveness
    Estimates range from 70 to 30% effective
  – Overwhelmed by quantity of malware
    New variants in the range of 1000s per day
    Over 212K new threats reported to Symantec in 1H 2007
Biggest challenge is remediation
  – Cost to remediate is high
  – Tools have limited effectiveness
  – Often requires specialist knowledge

Some other challenges
OS Issues
  – Poor OS Security
    Pre XP SP2 is still a major issue
    Improving with Vista
  – OS not easily separated from data
    Most cases, best remediation is a re-install
    Long term need to work with Microsoft and other OS vendors to allow easy nuking of OS without loss of user data
ISP Issues
  – Provisioning
    Provisioning dirty and vulnerable PCs onto the network
      – Window of vulnerability between manufacture and sale
        » Estimated to be up to 1 month
      – Could catch users when being re-provisioned to new homes etc.
    No regular checks for cleanliness
      – Currently no tools exist for this at SP scale

Examples of the “bad guys’” work
Black Energy
  – DDOS bot
Zeus
  – Outsourced Crimeware
Outsourced “Captcha” cracking
  – A new export industry for Bangladesh

Easy to use software: Black Energy
Server: this is the server where the C&C system is running
Outfile: the backdoor filename
Execute After: set the length of time after which the infection is triggered
Request Rate: set time frequency for request between bot and master
Build ID: unique Bot ID
Default Command: this is executed if the bot cannot communicate with the master server
Right Panel: these options are used in the network DDoS attacks
Cheap easily deployed DDOS bot
Coded in Russia
Used to attack sites for extortion or political ends
Costs $40
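The fixed "Request Rate" on this slide, together with the technical perspective slide's point that HTTP bots hide their C&C polling inside ordinary port 80 traffic, gives an ISP or network defender one signal to look for: a host that contacts the same server at near-constant intervals while normal browsing is bursty. The following is an added example, not from the presentation; the flow records, host names and the 0.1 cutoff are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp in seconds, source host, destination, dest port).
# Hypothetical host "pc-17" polls one server every ~60 s, the pattern a fixed
# bot "Request Rate" produces; "pc-04" browses the same port with bursty timing.
FLOWS = [
    (0, "pc-17", "203.0.113.5", 80), (60, "pc-17", "203.0.113.5", 80),
    (121, "pc-17", "203.0.113.5", 80), (180, "pc-17", "203.0.113.5", 80),
    (241, "pc-17", "203.0.113.5", 80), (300, "pc-17", "203.0.113.5", 80),
    (5, "pc-04", "198.51.100.9", 80), (9, "pc-04", "198.51.100.9", 80),
    (140, "pc-04", "198.51.100.9", 80), (141, "pc-04", "198.51.100.9", 80),
    (290, "pc-04", "198.51.100.9", 80), (299, "pc-04", "198.51.100.9", 80),
]


def beacon_scores(flows, port=80, min_flows=5):
    """Map each (src, dst) pair seen on `port` to the coefficient of
    variation (stdev / mean) of its inter-arrival times.
    Near-identical intervals give a CV close to 0, the signature of a bot
    polling its master on a timer; human browsing is bursty and scores high."""
    stamps_by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            stamps_by_pair[(src, dst)].append(ts)
    scores = {}
    for pair, stamps in stamps_by_pair.items():
        if len(stamps) < min_flows:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) == 0:
            continue  # all flows at the same instant: a burst, not a beacon
        scores[pair] = pstdev(gaps) / mean(gaps)
    return scores


def suspected_beacons(flows, max_cv=0.1):
    """Return the (src, dst) pairs whose polling is regular enough to flag.
    The 0.1 cutoff is an assumed starting point, to be tuned per network."""
    return sorted(p for p, cv in beacon_scores(flows).items() if cv <= max_cv)


if __name__ == "__main__":
    for pair, cv in sorted(beacon_scores(FLOWS).items()):
        print(f"{pair[0]} -> {pair[1]}: interval CV = {cv:.3f}")
    print("suspected beacons:", suspected_beacons(FLOWS))
```

A flagged pair is a lead for the traffic-analysis step the slides call for, not proof of infection; legitimate software updaters also poll on timers, so allow-listing known update hosts is the usual next step.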

Like all good economies, outsourcing works
Zeus
Crimeware SaaS
  – Crimeware as a service
  – Open source HTTP bot and associated command and control centre
  – Generates difficult to detect bots running as rootkits
  – Used for key logging and credential theft
  – Deployed Zeus platforms are rented out to third parties
  – Easily updated code
  – White hat Zeus tracking site

Captcha crackers
Captcha breakers
  – “We are an expert group for inputting captcha for you with very low price and high accuracy. We can input 10k to 100k (depending on how many you can offer to us) per day with accuracy at least 70% (for simple captcha such as yahoo, it is above 95%). We also own expert programmers who can help you with writing your spiders or other software to get and manage all the captchas.”
Captchas are no use any longer to protect high value sites when a low cost cracking service exists

Conclusions from the trenches
Sure, spam is still a problem, but not what it once was
No, we are not just going to solve it using technical means alone
The new issue facing the ISPs is malware
  – Suppressing spam will help in controlling malware but……
Needs solving on multiple fronts
  – Technical
  – Legal
  – Educational
  – Cultural
Our customers need help here, so we need help
Academic community has a role to play