Page 1

ISPs and the threat from the Underground Economy

Mike O’Reirdan

Comcast Distinguished Engineer

26th March 2009

Page 2

Agenda

• The Underground Economy

• Not just a technical issue

• The threat to the industry

• Malware and assorted wickedness

• What is the industry doing right now?

“…Internet is at serious risk…botnets could eat the Internet”

Vint Cerf, World Economic Forum, Davos, January 2007

Page 3

Spam is a part of the malware issue

• Competent ISPs have a reasonable handle on spam

– An economic problem rather than a technical one

• Costs are servers, software and staff

• End-user spam levels are low

• The issue now is malware

• Direct threat to the whole Internet

– Personal data

– Infrastructure attacks

• Estonia, Georgia, Kyrgyzstan

– Spamming

Page 4

The Underground Economy

• Parallels with other crime waves

• A good example is the numbers rackets

– Initially run by amateurs or small-scale criminals

• Organised crime saw the opportunities offered and the easy money to be made

– Moved in and made the rackets more sophisticated and technically more complex

• The same has happened to online fraud

• Mainly operated out of poorly policed environments such as Eastern Europe, West Africa and China

– Weak legal environment

– High level of organised crime

– Good educational systems

• Now a complete underground economy turning over billions of dollars

– Low physical risk to the criminal

– Low cost of entry

– High returns; the FBI estimates $67B per year

– Very hard to prosecute

Page 5

Advertising for Criminals!

Unlike the numbers rackets, they even have advertising

Page 6

Legal perspective

• Jurisdictional problems

– International issues

• Getting support in multiple jurisdictions

• A single “crime” will almost certainly be perpetrated in many countries

• Some countries have weak legal systems in relation to cyber crime

• Many DAs find it easier to prosecute “regular” crime

– Easier to see a drugs haul than a server with stolen identities

– Requires specialised training

– Not seen as a large enough crime

• Inadequate resources

– Few agents are trained to combat cyber crime

– Overseas presence is heavily strained

• The FBI believes that supporters of terrorist groups are using phishing schemes to raise funds for the groups they support

• Moves are afoot to make the issue legally the responsibility of the ISPs

– Richard Clarke (former special adviser to the President on cyber security): "[The FCC] could, for example, say to all the ISPs, 'You will do the following things to reduce fraud, bot nets, malicious activity, etc.'"

• Other agencies are looking at the revocation of some common carrier privileges

Page 7

Educational and cultural perspective

• Population old enough to use the Internet, but not educated enough to defend themselves

– Like asking your granny to gap the spark plugs on her car

• Many efforts to educate from a number of agencies

– FTC

• Main agency charged with messaging the public about online safety

• Relatively poorly resourced; good in that it listens to industry

– ISPs

• Public perception is that the ISPs are not “doing enough”

• Many ISPs offer free protection with leading AV and firewall offerings, but many customers either do not know about it or choose not to use it

• Little idea of the scale of criminality on the Internet

• Expectation of freedom to surf

• Regulation seen as an inhibitor to the development of the Internet

• Privacy has yet to be redefined on the Internet

Page 8

The threats to ISPs

• The Underground Economy is the biggest threat

– Attacks motivated by money: ROI on the cost of the attack

– Subscribers are the target

• Various guises

– Malware

– DDoS

– Phishing

– Spear-phishing

• The glory threat remains

– Not negligible

– Web site defacement, attacks on infrastructure such as DNS

• Social engineering is a massive threat

Page 9

The prevalence of malware and bots

• Recent unpublished data shows that the level of infection for broadband ISPs ranges between 10 and 25% in the USA, and is substantially higher in some other countries

• The main aim is to extract information which can be sold in the “Underground Economy”

• Volumes of malware have increased massively

– Now seeing up to 20m pieces per annum (Symantec)

• Moving to the single-use binary

– Like a one-time pad, much harder to defend against

– Renders many current defense mechanisms useless

Page 10

A brief history of Malware

• “Hobbyist Phase (1986-2000): Viruses written largely out of curiosity, or for bragging rights

– Payloads tended to be limited to propagation, destruction, or political/personal messages

• Criminal/Commercial Phase (Early 2000s-Present): Bots, Backdoors, Password-Stealers, Spyware, Adware

– Shift from parasitic to static malware; steep growth in malware creation rates

– The point is stealth and data, and uncontrolled propagation is bad for business”

David Marcus (McAfee)

• Expect to see twenty million items of Malware reported this year (Symantec)

• The aim of the bot designers is to provide a highly reliable piece of software that will run undetectably with very little end-user impact

Page 11

Three principal methods of malware distribution

• Email

– A large amount of malware is distributed via SMTP

• User opens email

• Opens attachment or clicks on URL

• Exploit is used to transfer malware to user

– Initial malware is a downloader

– Downloads the full malware payload

• Web exploits

– Exploited servers

• User visits web site

– Vulnerable browser / OS is exploited

– Exploit is used to transfer malware to user

» Initial malware is a downloader

» Downloads the full malware payload

• IM

– Message to attract user to exploited server

• User visits server

– Exploit is used to transfer malware to user

» Initial malware is a downloader

» Downloads the full malware payload

Page 12

Technical perspective

• Botnet technology varies

– IRC

• Original location of bots on the Internet

• Easier to track

• Some IRC botnets use “anti-sandboxing” techniques

– Often “captured bots” are run in a sandbox

• Still in use, but slowly being obsoleted among sophisticated users

– Recent DDoS attack on CastleCops

– HTTP proxy bots

• Extensive usage

– Principally spam

• Actively worked on by leading researchers

• Easily hides C&C traffic within normal port 80 traffic, requiring extensive filtering to detect

– P2P

• Big problem area due to the level of sophistication

• Using modified generally available protocols such as eDonkey

• Encrypted payloads and communications

• Requires a traffic-analysis approach
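As an added illustration of the traffic-analysis approach the slide calls for (example code written for this transcript, not from the talk or from Comcast), the script below groups constructed flow records by source, destination and port and flags pairs whose inter-request gaps are nearly constant: the fixed "request rate" cadence that separates a bot's port 80 polling from human browsing of the same server. The addresses, timestamps and the 300-second interval are constructed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (epoch seconds, src, dst, dst_port).
# Host 10.0.0.5 polls one server every ~300 s on port 80 (bot-like cadence);
# host 10.0.0.7 browses the same server at irregular, human-looking intervals.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 80), (300, "10.0.0.5", "203.0.113.10", 80),
    (601, "10.0.0.5", "203.0.113.10", 80), (899, "10.0.0.5", "203.0.113.10", 80),
    (1200, "10.0.0.5", "203.0.113.10", 80), (1500, "10.0.0.5", "203.0.113.10", 80),
    (12, "10.0.0.7", "203.0.113.10", 80), (40, "10.0.0.7", "203.0.113.10", 80),
    (700, "10.0.0.7", "203.0.113.10", 80), (710, "10.0.0.7", "203.0.113.10", 80),
    (1490, "10.0.0.7", "203.0.113.10", 80), (1493, "10.0.0.7", "203.0.113.10", 80),
]


def find_beacons(flows, min_flows=5, max_cv=0.1):
    """Return {(src, dst, port): stats} for pairs whose inter-request gaps are
    nearly constant (coefficient of variation below max_cv).

    Human web browsing produces bursty, irregular gaps; a bot polling its
    master on a fixed request rate produces gaps that barely vary."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    suspects = {}
    for pair, times in by_pair.items():
        if len(times) < min_flows:          # too few samples to judge cadence
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:                         # all flows at the same instant
            continue
        cv = pstdev(gaps) / avg              # relative spread of the gaps
        if cv < max_cv:
            suspects[pair] = {"interval_s": round(avg), "cv": round(cv, 3),
                              "flows": len(times)}
    return suspects


if __name__ == "__main__":
    for (src, dst, port), stats in find_beacons(FLOWS).items():
        print(f"possible beacon {src} -> {dst}:{port} every ~{stats['interval_s']}s "
              f"(cv={stats['cv']}, {stats['flows']} flows)")
```

Thresholds such as `min_flows` and `max_cv` need tuning per network; legitimate software updaters also poll on a fixed schedule, so a hit is a lead for investigation, not a verdict.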

Page 13

End user perspective

• AV has significant issues

– Challenged in effectiveness

• Estimates range from 30 to 70% effective

– Overwhelmed by the quantity of malware

• New variants in the range of 1000s per day

• Over 212K new threats reported to Symantec in 1H 2007

• The biggest challenge is remediation

– Cost to remediate is high

– Tools have limited effectiveness

– Often requires specialist knowledge

Page 14

Some other challenges

• OS issues

– Poor OS security

• Pre-XP SP2 is still a major issue

• Improving with Vista

– OS not easily separated from data

• In most cases, the best remediation is a re-install

• Long-term need to work with Microsoft and other OS vendors to allow easy nuking of the OS without loss of user data

• ISP issues

– Provisioning

• Provisioning dirty and vulnerable PCs onto the network

– Window of vulnerability between manufacture and sale

» Estimated to be up to 1 month

– Could catch users when being re-provisioned to new homes etc.

• No regular checks for cleanliness

– Currently no tools exist for this at service-provider scale

Page 15

Examples of the “bad guys’” work

• Black Energy

– DDoS bot

• Zeus

– Outsourced crimeware

• Outsourced “Captcha” cracking

– A new export industry for Bangladesh

Page 16

Easy to use software

Black Energy

Server: the server where the C&C system is running

Outfile: the backdoor filename

Execute After: sets the length of time after which the infection is triggered

Request Rate: sets the time frequency for requests between bot and master

Build ID: unique bot ID

Default Command: executed if the bot cannot communicate with the master server

Right Panel: these options are used in the network DDoS attacks

• Cheap, easily deployed DDoS bot

• Coded in Russia

• Used to attack sites for extortion or political ends

• Costs $40

Page 17

Like all good economies, outsourcing works

• Zeus Crimeware SaaS

– Crimeware as a service

– Open-source HTTP bot and associated command and control centre

– Generates difficult-to-detect bots running as rootkits

– Used for key logging and credential theft

– Deployed Zeus platforms are rented out to third parties

– Easily updated code

– White-hat Zeus tracking site: https://zeustracker.abuse.ch

Page 18

Captcha crackers

• Captcha breakers

– “We are an expert group for inputting captcha for you with very low price and high accuracy. We can input 10k to 100k (depending on how many you can offer to us) per day with accuracy at least 70% (for simple captcha such as yahoo, it is above 95%). We also own expert programmers who can help you with writing your spiders or other software to get and manage all the captchas.”

• Captchas are no longer any use in protecting high-value sites when a low-cost cracking service exists

Page 19

Conclusions from the trenches

• Sure, spam is still a problem, but not what it once was

• No, we are not going to solve it using technical means alone

• The new issue facing the ISPs is malware

– Suppressing spam will help in controlling malware, but…

• Needs solving on multiple fronts

– Technical

– Legal

– Educational

– Cultural

• Our customers need help here, so we need help

• The academic community has a role to play