The Elusive Enemy - Cybercrime


1 The Elusive Enemy - Cybercrime
Lance Wolrab, CISSP, Senior Security Engineer, SecureWorks

2 Cyber Criminals - First Generation Motives
Chen Ing-Hau, 24, Taiwan. Arrested September 15, 2000. CIH (Chernobyl) Virus
Jeffrey Lee Parson, 18, USA. Arrested August 29, 2003. Blaster Worm ('B' variants only), DDoS
Sven Jaschan, 18, Germany. Arrested May 7, 2004. NetSky (Sasser) Worm

Chen released CIH while attending Tatung University in Taipei. When he created the virus, he received little more than a demerit from the university. He became nervous after learning that the virus had become prevalent. Some classmates advised him not to admit to creating the virus, but he believed that security experts could track him down given enough time. Prior to graduation, he wrote an apology on the Internet, in particular to numerous users in China who were affected. He did this because he was upset about buying an anti-virus program which did not work.

Jeffrey Lee Parson, an 18-year-old from Hopkins, Minnesota, was arrested for creating the B variant of the Blaster worm; he admitted responsibility and was sentenced to an 18-month prison term in January. Officials first got on the trail of Parson after tracking down ownership of an Internet domain used by the Blaster-B worm to download instructions and report on infected hosts. Information about that domain name led officials to Parson's father's home in Hopkins, Minnesota. Parson was arrested and seven computers were seized from his home.

Sven Jaschan was found guilty of computer sabotage and illegally altering data, said a court official. He evaded a jail term because he was tried as a minor, since he was 17 years old when he wrote the worm. Jaschan had admitted to creating the worm at the beginning of his trial on Tuesday, reiterating a confession to authorities at the time of his arrest in May. His sentence fell far short of the maximum sentence of five years in jail that computer sabotage carries under German law. "Sven Jaschan avoided a jail sentence by the skin of his teeth because he was arrested within days of his 18th birthday," said Graham Cluley, senior technology consultant for anti-virus company Sophos. Jaschan was arrested following a tip-off passed to Microsoft, which had put up a cash reward of $250,000 for information leading to the arrest of whoever was behind the virulent worm. Unlike many other viruses, Sasser made its way from computer to computer without help from users.

3 Cyber Criminals - Second Generation Motives
Farid Essebar, 18, Morocco. Arrested August 25, 2005. Mytob and Zotob (Bozori) Worms
Atilla Ekici, 21, Turkey. Arrested August 25, 2005. Operating Mytob and Zotob botnets
Jeanson James Ancheta, 24, USA. Arrested November 3, 2005. Rxbot zombie networks for hire (spam and DDoS)

The Zotob (Botzor.exe, a/k/a worm-rbot.cbq, rbot.cbq, and rbot.ebq) and Mytob worm authors are believed to have been arrested in Turkey and Morocco. Authorities in both countries, in cooperation with the FBI and Microsoft, arrested Farid Essebar and Atilla Ekici, using the online nicknames Diabl0 and Coder, who are believed to have authored the worms. A signature in the Zotob worm code suggested it was coded by Diabl0, and the IRC server it connects to is the same one used in previous versions of Mytob. Diabl0 is believed to have incorporated the code of a Russian nicknamed houseofdabus, whose journal was shut down by authorities just after the arrest of Diabl0. Coder (Ekici) probably paid Diabl0 (Essebar) to write the code. His worm lowered the security settings of Microsoft's Internet Explorer browser so that pop-up advertisements served by the adware and spyware planted on infected machines would not be blocked.

The first conspiracy alleged in the indictment accuses Ancheta of modifying and disseminating the Trojan horse program "rxbot," which allowed him to create botnets, each with thousands of Internet-connected computers reporting to an Internet Relay Chat (IRC) channel that Ancheta controlled. In a separate IRC channel, Ancheta advertised the sale of his botnets to those interested in launching DDOS attacks or distributing spam without detection. After receiving payment from customers, according to the indictment, Ancheta would give customers control of enough botnets to accomplish their specified task. Ancheta would also provide an instructional manual that included the commands needed to instruct the botnets to launch DDOS attacks or send spam. The manual would also include the malicious code that would allow the botnets to spread or propagate. As part of his fee, Ancheta allegedly set up and tested the purchased botnet to ensure that the DDOS attacks or spamming could be successfully carried out.

The second conspiracy outlined in the indictment alleges that Ancheta caused adware to be downloaded onto the infected computers that were part of his botnet armies. To do this, Ancheta allegedly directed the compromised computers to other computer servers he controlled, where adware he had modified would surreptitiously install onto the infected computers. Ancheta had become an affiliate of several different advertising service companies, and those companies paid him a commission based upon the number of installations. To avoid detection by network administrators, security analysts and law enforcement, Ancheta would vary the download times and rates of the adware installations. When companies hosting Ancheta's adware servers discovered the malicious activity, Ancheta redirected his botnet armies to a different server he controlled to pick up adware. To generate the roughly $60,000 he received in advertising affiliate proceeds, Ancheta caused the surreptitious installation of adware on approximately 400,000 compromised computers. Ancheta used the advertising affiliate proceeds he earned to pay for, among other things, the multiple servers used to conduct his schemes. He was sentenced to 57 months in US federal prison.

4 Cyber Gangs – Third Generation
DDoS attacks on UK bookmakers in October 2003
Extortion ($3 million gross)
Nine arrested on July 20 and 21, 2004
In October 2006, three were sent to prison
The two gang leaders and masterminds, Maria Zarubina and Timur Arutchev, are still at large and on the Wanted List of the Federal Security Service (FSB) of the Russian Federation

In October 2003, Canbet bosses approached the UK’s National Hi-Tech Crime Unit, claiming hackers had blocked its site with DDoS. Canbet’s clients went to other companies and Canbet lost up to $200,000 every day. The hackers said they would stop their attacks if the company transferred $40,000 to an account in a Latvian bank. The company transferred the cash several times, but the attacks did not stop. Money was then transferred to Russian banks, and British police asked Russian colleagues for help. Russian police determined the IP addresses of the hackers’ computers.

5 Cyber Crime Goes Big Time
Yaron Bolondi, 32, Israel. Arrested March 16, 2005
London branch of Japan's Sumitomo Mitsui Bank
Worked with insiders through Aharon Abu-Hamra, a 35-year-old Tel Aviv resident
Injected a Trojan to gather credentials to a transfer system
Attempted to transfer £220 million into accounts he controlled around the world, £13.9 million of it to his own business account

Sumitomo called police last October when suspicions surfaced that hackers were trying to infiltrate its computer systems. An undercover operation foiled plans to transfer the money into 10 bank accounts around the world, and the cyber crime was thwarted with no cash lost. Israeli police arrested a 32-year-old man, Yaron Bolondi, in Holon, near Tel Aviv. Bolondi, an Israeli who is not a bank employee, has been charged with money laundering and deception. An Israeli police spokesman said there had been a sophisticated attempt to transfer €20m (£13.9m) into his business account. A blog reports the killing of Aharon Abu-Hamra on the streets of Holon in Israel. Abu-Hamra, the alleged number two man in an organized crime ring in Israel, was behind the Sumitomo heist.

6 Gozi Trojan Deployment
Diagram callouts (locations shown on the diagram: Mazowieckie, Poland; Sacramento, CA):
1. Compromises website and adds redirect code
2. Browses to and downloads redirect code
3. Downloads index.html and counter.html; counter.html has AJAX code to download and run Gozi
4. Installs executable with random name in user’s directory; added to registry to run on startup; installed system drivers to hide file and registry key
5. Uploads all client certificates and keys stolen from Windows protected storage
6. Downloads drop box IP address
7. User logs in to web site while being recorded by Gozi; user login data posted to hacker website
8. Criminal logs in and purchases accounts and steals identity
9. Hacker gets paid
On one drop box: 3.3 GB of stolen data, 5,200 infected machines, 10,000 accounts from over 300 organizations

Gozi Trojan deployment, step by step: the malware distribution server in Poland compromises a website and provides a redirect from the legitimate website. An unsuspecting Internet user browses to the legitimate website and gets a redirect to the malicious code source. The user downloads code that installs and runs Gozi entirely in the background; this is invisible to the user. The user’s confidential information (certificates, keys, stored passwords, etc.) is sent to the malicious website. When the user accesses a confidential website (banking site, affinity site, healthcare insurance site, etc.), the credentials are harvested and sent to the malicious server’s user credential database. A criminal logs in to purchase the identity for fraudulent use, and the hacker gets paid.
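As an added defender-side example (not code from the presentation or from SecureWorks), the following Python script flags the persistence pattern the callouts describe, a randomly named executable under a user profile directory registered to run at startup, over a constructed list of Run-key values; the entries, the entropy heuristic and its thresholds are my assumptions.

```python
import math
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample of (value name, command) pairs as exported from a Run key;
# the entries and paths are made up for this example, not data from the slide.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("ctfmon", r"C:\Windows\System32\ctfmon.exe"),
    ("xk7q2mzp", r"C:\Documents and Settings\alice\xk7q2mzp.exe"),
    ("Updater", r'"C:\Users\bob\AppData\Local\Temp\qzv81kd.exe" -s'),
    ("Dropbox", r"C:\Users\bob\AppData\Roaming\Dropbox\bin\Dropbox.exe"),
]

# Profile roots for the XP-era layout (the slide's era) and for Vista and later
USER_DIR_RE = re.compile(r"^[a-z]:\\(users|documents and settings)\\", re.I)


def shannon_entropy(text: str) -> float:
    """Bits per character of the string, used as a rough randomness score."""
    counts = Counter(text.lower())
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(stem: str) -> bool:
    """Assumed heuristic: letters and digits mixed, plus high per-character entropy."""
    has_letter = any(ch.isalpha() for ch in stem)
    has_digit = any(ch.isdigit() for ch in stem)
    return has_letter and has_digit and len(stem) >= 6 and shannon_entropy(stem) >= 2.5


def executable_path(command: str) -> str:
    """Strip arguments from a Run-key command, handling quoted and unquoted paths."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    match = re.match(r"(.*?\.exe)(?:\s|$)", command, re.I)
    return match.group(1) if match else command.split()[0]


def is_suspicious(command: str) -> bool:
    """Flag an autorun target living in a user profile with a random-looking name."""
    path = executable_path(command)
    if not USER_DIR_RE.match(path):
        return False
    return looks_random(PureWindowsPath(path).stem)


def find_suspicious(entries):
    """Return the value names whose commands match the Gozi-style pattern."""
    return [name for name, command in entries if is_suspicious(command)]


if __name__ == "__main__":
    for name in find_suspicious(SAMPLE_RUN_ENTRIES):
        print("review autorun value:", name)
```

The heuristic is deliberately narrow; on a real host it would run over the exported Run and RunOnce keys and be paired with a check for the hidden-file driver behaviour the slide mentions.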

7 Criminal-to-Criminal Activity – Fourth Generation
Increase in Criminal-to-Criminal activity:
Exploit auction houses (WabiSabiLabi)
Forums and IRC (#Vxers, cybermafia.cc)
Distribution service (IFRAMES.BIZ)
Botnet rental (5Socks.net)
Licensing model (Storm worm)
Identity auctions (76service)
Social networks (ranking and escrow)

WabiSabiLabi is located in Switzerland; in 2 months it had 160,000 unique visitors and more than 150 vulnerabilities submitted. We've seen an increase in traditional IRC bots that report to aggregator systems on web servers, which allows easy searching for files across multiple infected PCs. iFrames: distribution technology for sale to simplify malware propagation. Storm worm: using certificate technology to allow “renting” the resource for a specific period of time. 76service was developed by 76team (Grig, aka "76", from St. Petersburg, and Exoric, operating out of Mexico) as a backend subscription and search service for data stolen by Berbew/A311 Death/OrderGun (Gozi family) trojans. Transactions are brokered by escrow services, and malware owners are able to sell their wares via proxy, removing the suspicions that buyers won’t pay and that malware won’t work.

8 Losses due to "Traditional" Crimes
Source: FBI

9 Compare to Cyber Crime Losses from a Single Threat
Source: ZeuS Working Group

10 Identity Theft Market Rates
Item: Price
US-based credit card (with CVV): $1 - $6
Identity (SSN, DOB, bank account, credit card, …): $14 - $18
Online banking account with $9,900 balance: $300
Compromised computer: $6 - $20
Phishing web site hosting (per site): $3 - $5
Verified PayPal account with balance: $50 - $500
Skype account: $12
World of Warcraft account: $10

Interestingly enough, we’re seeing US $2k for healthcare insurance credentials to be used for healthcare fraud. These prices give guidance on the usefulness of the information purchased.
Source: Symantec Corporation

11 Source of Attacks By Country
The United States is still the primary source of attacks by count.

12 Malicious activity by country/region
Symantec Intelligence Quarterly, April - June 2010

13 Attacks / Layer
[Chart: share of attacks per layer for ’06, ’07, ’08 and ’09 (est). Series values as extracted, series labels not recoverable: 43% 57% 68% 80%; 42% 33% 22% 13%; 10% 7% 5% 4%; 3% 2% 0% -]
8. Web: rich ubiquitous environments (Javascript, Flash, Silverlight), server languages, infrastructure (.NET/J2EE), developers, concepts (Semantic Web, social networking), applications, vendors, mashups, advertisements, protocols
7. Application: HTTP, SMTP, FTP, …
6. Presentation: SSL / TLS
5. Session: TCP, SIP
4. Transport: TCP, UDP
3. Network: IP
2. Data: 802.3, 802.1q, HDP, FDDI, Frame Relay, Token Ring, PPP, CDP
1. Physical: 100Base-Tx, RS-232, T1, E1, 10Base-T, SONET, DSL, SDH, POTS, V.XX

As of last year, attacks have moved up the stack: it is easier to attack unprotected elements, and traditional security measures (firewalls) have no ability to stop layer 7 attacks. Greater visibility is essential to understanding complex layer 7 attacks; correlative log analysis and advanced tools at the network layer are the primary sources of clues for layer 7 attacks.

14 Vulnerabilities
[Chart: values 57% and 30% as extracted; labels not recoverable] It is clearly impossible to write secure code.
Source: SecureWorks Vulnerability Database

15 Web Application Vulnerabilities (Oct. 2010)
Web application vulnerabilities are one of the fastest growing attack vectors. They are the most prevalent source of data breaches and one of the greatest risks to organizations. Unpatched vulnerabilities in both commercial (off-the-shelf) and custom applications 1) allow cybercriminals to steal and manipulate sensitive information, 2) provide a doorway to your network and backend applications, and 3) put organizations at significant risk of noncompliance with regulatory mandates.

Web applications are the “low hanging” fruit for cybercriminals. Web applications process, store and transmit highly sensitive information. They are public-facing, easily accessed over the Internet, and easy targets for bypassing traditional IT defenses. Most Web applications are developed without significant focus on security and are highly vulnerable to exploitation.

This chart shows the dramatic growth in Web application vulnerabilities that we have seen across our client base from 2007 up through Q3 this year. Other industry reports validate this same trend. SQLi and XSS vulnerabilities continue to lead the pack. Since the beginning of the year, we’ve observed a noticeable increase in Authentication Bypass, File Upload, Directory Traversal and XSRF vulnerabilities.
Source: SecureWorks’ Counter Threat Unit

16 Malware attacks 2010 YTD
Attack name                                   Attacks   Clients
Allaple.A Worm                                -         964
Prg Trojan                                    -         276
Bredolab Trojan                               -         250
Crimea Bancos Trojan (variant from ZlKon)     -         22
Bugat Trojan                                  -         29
Hamweg/Hamweq/Autoham Worm                    761971    6
Afcore Trojan                                 691927    16
Cutwail Trojan                                107915    40
Koobface Worm                                 97350     190
Trojan.Gozi                                   78592     80
Source: SecureWorks

17 Focused Attacks – BBB Attack
Old approach: wide net, shallow data collection. Phishing attack against one bank, spammed en masse.
New approach: narrow net, deep data collection. BBB phishing attack:
Targets selected by high value/role (CxO, VP)
Collected ALL data from interactive web posts:
Banking data
Stock accounts
Company intranet logins
Webmail accounts (complete with body)
Online shopping history and payment info
Online prescription refills
All websites visited
Social networking sites: LinkedIn, Facebook, etc.

18 Multi Factor Authentication Bypass
Many of the proposed defences to phishing attacks are focused on making the authentication phase more secure:
On-screen keyboards
Tokens
Certificates
Criminals are simply skipping the step altogether:
Hijack the user's browser with malware
Wait for them to log in
Automate the web browsing interface to transfer money
Win32.Grams, Torpig/HiLoad
Multi-phase authentication is needed to verify transactions
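As an added example (not code from the presentation or from SecureWorks), the following Python model contrasts a session OTP, which a browser-hijacking trojan can simply relay, with a verification code bound to the transfer details the user confirms out of band; the account names, shared secret and nonce are constructed for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    source_acct: str
    dest_acct: str
    amount_cents: int


def _truncate(digest: bytes) -> str:
    # Eight decimal digits from the first four MAC bytes (HOTP-style truncation)
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def session_otp(secret: bytes, nonce: str) -> str:
    # Weak scheme: proves possession of the token but says nothing about the transfer
    return _truncate(hmac.new(secret, nonce.encode(), hashlib.sha256).digest())


def transaction_code(secret: bytes, nonce: str, t: Transfer) -> str:
    # Stronger scheme: the code commits to the exact details shown on the
    # out-of-band device, so it is useless for any other transfer
    msg = f"{nonce}|{t.source_acct}|{t.dest_acct}|{t.amount_cents}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts(secret: bytes, nonce: str, submitted: Transfer, code: str,
                 bind_to_transfer: bool) -> bool:
    # The bank recomputes the code over the transfer it is about to execute,
    # i.e. whatever arrived from the (possibly hijacked) browser
    if bind_to_transfer:
        expected = transaction_code(secret, nonce, submitted)
    else:
        expected = session_otp(secret, nonce)
    return hmac.compare_digest(expected, code)


def simulate(bind_to_transfer: bool, malware_rewrites: bool) -> bool:
    """Return True if the bank executes the transfer that reached it."""
    secret = b"constructed-per-device-secret"   # shared with the user's token/phone
    nonce = "challenge-0001"                    # fresh per transaction
    intended = Transfer("ACCT-USER", "ACCT-LANDLORD", 120000)
    # A man-in-the-browser can swap destination and amount after the user clicks
    # submit; the user still believes the intended transfer is pending
    submitted = Transfer("ACCT-USER", "ACCT-MULE", 990000) if malware_rewrites else intended
    # The token/phone computes the code from what the user confirms, not from the browser
    code = transaction_code(secret, nonce, intended) if bind_to_transfer else session_otp(secret, nonce)
    return bank_accepts(secret, nonce, submitted, code, bind_to_transfer)


if __name__ == "__main__":
    print("session OTP, rewritten transfer accepted:", simulate(False, True))  # True
    print("bound code, rewritten transfer accepted:", simulate(True, True))    # False
```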

19 Web Search Index Poisoning

20 Web Content Providers Delivering Malware
Advertising servers were compromised, and even The Register got its hand bitten.

21 Attack Trends in 2010
New innovation to displace the ZeuS banking Trojan horse: Clod/Sereki, SpyEye, Gozi 2.0, Silon, Bugat...
Telephone DoS to hamper out-of-band verification
Commoditizing of Criminal-to-Criminal (C2C) activity
Targeted and counterfeiting attacks become more scalable

22 ZeuS Banking Trojan
One of the most prolific and capable banking trojans
“Crimeware” model: ZeuS trojan kits bought and sold widely
Criminal gangs committing large ACH frauds
Example of the kind of threat we track closely

CTU has been tracking the ZeuS trojan since its earliest versions. Delivered via the usual suspects: browse-and-exploit, social engineering, phishing, follow-on payload of other trojans or rogue anti-virus software. Recommendation for businesses in retail or commercial banking / CU: employees who interface with clients should be made aware of these types of threats to help triage potential victims. The screen is the login page of a banking site. The left side is the normal login on a clean machine. The right side shows additional form fields that have been injected by the ZeuS trojan, a capability known as “web injects”, which is highly configurable. Images are from CTU’s public ZeuS report,

24 Mature Market for Every Niche Job

25 C2C Services
Exploit development/commissioning
Bulletin boards, chat and IRC (Internet Relay Chat: #Vxers, dark0de.com)
Distribution services, Pay-per-Install (Dogma Millions)
Botnet rental and proxy services (AllProxies.com)
Social networks with reputational ranking

26 Full-Service PPI
Offers to help develop content (unique so far)
News for affiliates on EXE FUD-ing
On-staff, live sales support
Will pay for installs in Russia and former Soviet countries
FUD = making an executable Fully Un-Detectable (no AV detections)

27 Mature Market for Every Niche Job

28 Pay-Per-Install.org: Exploiter’s market
Hosts a forum where people come together to talk about the PPI business and how to make money doing it
The site has set up affiliate programs and gets a referral bonus from affiliates
Site provides help guides and tutorials
Discusses which programs are currently paying the best and not “shaving” (crediting fewer installations)

29 Pay-Per-Install.org

30 Pay-Per-Install.org

31 Mature Market for Every Niche Job

32 Pay-Per-Install (PPI)
Google estimates ~10% of websites host active malicious code
> 50% of legitimate websites have exposed users to malicious code over the last year
Compromised ad servers contribute

Google estimates that ten percent of active websites have been compromised and are hosting malicious code at any given time. The threat is cleaned but is often reintroduced through new vulnerabilities. Over the last year, more than fifty percent of legitimate (trusted and usually whitelisted) websites have exposed users to malicious code. Clandestine ad networks and gangs who compromise legitimate ad servers exploit the trust model of Internet advertising in order to launch exploits and malware at users in the trusted context of the legitimate website.

33 Mature Market for Every Niche Job

34 MyLoader botnet: Command & Control, Reporting
Oficla downloader trojan (CTU TIPS 4/12/2010), managed via MyLoader. C2 interface (below); reporting interface (right)

35 Mature Market for Every Niche Job

36 Malware Tech Support
Selling malware for “research only”
Manuals, translation
Support / user forums, language-specific
Bargains on mutation engines and packers
Referrals to hosting companies
Generally not illegal; operate in countries that shield them from civil actions
Makes it easy to enter the cybercrime market

Not criminally illegal. Nuclear Winter Crew boasts a long list of features, operates in English and has support forums. Their Nuclear RAT and Bandook RAT have both been used in the BBB and IRS targeted scams.

37 Economic Case Study: earning4u
One typical affiliate had 2,875 installs in 5 days: 575 a day, 4,025 per week, 16,100 per month.
The site claims they have 1,000 affiliates. Other affiliates who are not as productive may get around 200 installs a day, and maybe half don’t even install anything (500 affiliates instead of 1,000). This scenario represents 2,800,000 installs per month (infected PCs from one PPI program). There are at least a dozen active programs on-line today.

38 The New Face of C2C Success
Pay-Per-Install.org is maintained by Harro (HaRRo). ICQ: HaRRo; Skype: harrioinc. Dave Harrison, Shamrock Court, Belfast BT6 8HT. Phone:
Other associated sites: blackhatworld.com, makecash.org

39 BigBoss Check Counterfeiting Investigation
SecureWorks Proprietary & Confidential

40 Russian Check Counterfeiting Ring Uncovered by CTU
Investigation started with an unusual ZeuS sample analyzed by CTU: proxy functionality, PPTP VPN tunneling
Analysis of the botnet showed large-scale criminal activity:
Credential theft
Hacking of check image repositories
Scraping of job sites for addresses
Money mule job offer spam via webmail

41 “BigBoss” Check Counterfeiting Operation

42 Point-and-Click Check Counterfeiting

43 BigBoss Group Statistics Since 06/2009
2,884 potential money mules
3,285 transactions (checks printed)
1,280 accounts counterfeited
Estimated $9M USD in counterfeit checks printed (face value)
Estimated potential income for counterfeiters: ~$1M

44 Countermeasures

45 CTU Strategy
Know the client
Know the enemy
Make a difference: applied research
Innovate in the analysis & classification of security intelligence
Capitalize on our vision across the client base

46 Advice to FI Customers
Malware can pretend to be you to the bank, and can pretend to be the bank to you
Antivirus is frequently unable to proactively detect the infections
Bottom line: if there is a possibility of your computer being infected, you can’t trust anything you see on screen, and you can’t trust that anything you enter won’t be stolen in real time
Solution: don’t get infected (seriously)
Do not log in to financial portals from any workstation that has been used to casually browse the Internet
Use a dedicated, hardened system (alternative OS if possible)
Disallow all access to the Internet except for specific financial sites and software updates
Isolate from the rest of the internal network
Disable AutoRun (and Windows LNK icons)

47 SecureWorks’ Counter Threat Unit℠ (CTU) Facts
30,000 malware specimens / day
Monitor ~20 botnets
~40 vulnerabilities / business day
1,000’s of security events of interest / day
10,000’s of intelligence artifacts processed / day
2,300 clients attacked / day
1,500 attack types / day
~3,000,000 IP addresses of attackers detected / year

48 Questions? info@secureworks.com

