Spy VS Spy: Countering SpyEye with SpyEye
Lance James, Director of Intelligence, Vigilant, LLC
March 21st, 2011
Copyright 2009, Vigilant LLC (securing and enabling dynamic business)
4-May-15
Slide 2: Brief Bio
– Lance James, Director of Intelligence, Vigilant, LLC; Founder of Secure Science Corporation
– Infosec for over a decade: development, research, network intrusion, cryptography (IIP/I2P), IntelliFound, Daylight
– Author of "Phishing Exposed"
– Co-author of "Emerging Threat Analysis"
– 3rd book on its way (counter-intelligence)
– Loves karaoke
– Very hyper (but I am getting old)
Slide 3: Research
– SpyEye: web panel based C&C; DIY builder kits; merging with Zeus; $1000-$3000 WMZ
– Law: Title 18 USC 1030; color of right; expectation of privacy

Slide 4: SpyEye

Slide 5: Components of SpyEye (Trojan)
– Build it yourself
– Data interception: formgrabs, credit cards, software collection
– Process hooking
– Kills Zeus / Zeus merger
– UPX packed (most cases)

Slide 6: Components of SpyEye (Web-based Panel)
– SYN 1 (blind drop): formgrabber/data manager, FTP theft, Bank of America theft, stats
– CN 1 (command & control): binary updates, configuration updates, statistic collection, plugins, backconnect (SOCKS5/FTP)

Slide 7: Builder

Slide 8: Web Panel (SYN 1)

Slide 9: Web Panel (CN 1)
What we know: Web Panel Investigation
– Build inference (directories and files): Debug.log (general traffic); Error.log (possible leaked IPs and other info); Tasks.log (what it is doing); Backup.sh (SQL dump and passwords); Config.ini (settings)
– Understand the code: AJAX driven; AJAX queries and refreshes for data

Debug.log

Case Study
– CnC host: /sp/admin (currently down)
– History: specific URI discovered publicly 09/07/2010; prior attacks from this IP discovered 07/26/2010 (same operator)
– ASN (known for malicious activity): Location: Ukraine (UA); AS Name: Private Entrepreneur Zharkov Mukola Mukolayovuch
– Malware life-cycle: Monday 08/30/10 – Friday 09/24/10 (25 days)
– Unique computers infected: 28,590
– Unique binaries distributed: 2,325

C&C Activity

Botnet Infections
C&C Advancement & Law
– C&C has many world-readable files, including Frm_grab.php
– Doesn't work without an AJAX environment
– Same concept as requesting one world-readable file, but many requests at once; very useful intelligence
– Very complicated legally: explain what we did to a jury or judge; explain it to an attorney; DOJ conservative to risk

How it works
– C&C target (SYN 1) main page is password protected (illegal in the US to log in)

Eating Dog Food
– Log in to a local C&C setup
– Fire up proxy, set servers to stun!

Kibbles & Bits
– Proxy setup, either with Burp or netsed
– Header modification
– Browser proxy configuration

Target Acquired
– When this changes we know we are connected

Results
– All data compromised in real time
– Bot GUIDs per data compromise
– Dates of compromises
– Bonus points: bad guy activity; the day before 0; settings; we can update the botnets (not approved)
Spy Wars
– Adversary is quick, no boundaries
– Jedi tools; Jedi Council; disciplined philosophy; Jedi skill; limited by law

Be the Smart Jedi
– May the Force be with us (we're gonna need it)
– Do or do not! There is no try
– Yoda is awesome

Contact
Thank You!
Lance James, Director of Intelligence