Malicious web: a look into the dirty net · SQLi, RCE, BOF... SQL Injection: inefficient checks on...

Davide “ocean” Quarta Malicious web: a look into the dirty net


Page 1: Malicious web: a look into the dirty net · SQLi, RCE, BOF... SQL Injection: inefficient checks on SQL queries to database can lead to remote execution of code. RCE: Remote Code Execution

Davide “ocean” Quarta

Malicious web: a look into the dirty net

Page 2:

Something about me...

I'm a student, I'm mostly interested in malware/rootkit research, reverse engineering and the psychology of security. I also have some interest in algorithms and web application security. I have been programming since I was 14 (x86/z80 asm programming and C).

Presented other papers in Italian IT events.

Proud member of the EvilFingers group, I write for the team's blog: http://evilfingers.blogspot.com/

My blog: http://www.inseclab.netsons.org

Page 3:

What are we doing here?

IT Security!!!

Home Users
Governments
Businesses

Page 4:

IT Security

A few questions:
● Why must we defend ourselves?
● From whom/what?

Replies from the public? :)

Home Users
Governments
Businesses?

Page 5:

What if we were the bad guys?

● Crimeware based organizations

● Scareware companies

● Skilled singles/teams

● Ex-employees

● Other companies

● Adverse governments

Page 6:

What's the gain?

Page 7:

Web Threats


Malware

Cybercrime Crimeware

Exploit Packs

SQL Injection
XSS

RCE

RFI

0Day

Buffer Overflow
Null pointer dereference

Scareware
Identity Theft
Fraud

Page 8:

Malware/Scareware/Crimeware

● Malware: software created to be installed and carry on activities without the user's informed consent

● Scareware: scam software, scares the user into fearing something and paying for a fake service.

● Crimeware: malware created with the intent of automating cybercrime. Used for identity theft to get access to sensitive data like banking accounts.

Page 9:

SQLi, RCE, BOF...

● SQL Injection: inefficient checks on SQL queries to the database can lead to remote execution of code.

● RCE: Remote Code Execution

● Buffer Overflow: length of input buffers not checked; high risk of DoS or RCE/LPE
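As an added example (not from the original slides), the "inefficient check" the SQL Injection bullet refers to, shown next to its fix: a login query built by string concatenation lets user input change the query's structure, while a parameterized query keeps input as data. The one-row user table and the inputs are constructed for the demo, using Python's built-in sqlite3.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_unchecked(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Vulnerable: input is pasted into the SQL text, so quotes and operators
    # in the input become part of the query instead of plain data.
    query = (
        "SELECT name FROM users "
        f"WHERE name = '{name}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Fixed: placeholders are bound by the driver; the input can never be
    # interpreted as SQL, whatever characters it contains.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def demo() -> dict:
    """Compare both checks on a valid password and on a textbook
    injection string (constructed); returns the four outcomes."""
    conn = make_db()
    injected = "' OR '1'='1"  # turns the WHERE clause into an always-true test
    return {
        "valid_unchecked": login_unchecked(conn, "alice", "s3cret"),
        "valid_param": login_parameterized(conn, "alice", "s3cret"),
        "injected_unchecked": login_unchecked(conn, "alice", injected),
        "injected_param": login_parameterized(conn, "alice", injected),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {'login OK' if outcome else 'login refused'}")
```

The unchecked version accepts the injected string as a valid login; the parameterized version refuses it, which is why parameter binding, not input filtering, is the standard fix.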

Page 10:

XSS, RFI

● XSS: Cross Site Scripting, unverified input can lead to code execution, used to insert external frames in a page or steal session information.

● RFI: Remote File Inclusion

Page 11:

0Day

Exploiting applications with unknown/unpatched software vulnerabilities

Page 12:

Exploit Packs

● Web Based Malware Kits
● Mostly coded in PHP
● Serve web pages carrying exploits to inoculate malware
● Produced by a single person/team
● Price $100-$3000

● Some information on the EvilFingers blog (thanks to Jorge Mieres)
● http://evilfingers.blogspot.com/2009/08/prices-of-russian-crimeware-part-2.html
● http://evilfingers.blogspot.com/2009/06/trade-russian-version-of-private.html
● http://evilfingers.blogspot.com/2009/03/russian-prices-of-crimware.html

Page 13:

Exploit Packs

● Vulnerabilities most used:
● PDF exploits
● ActiveX exploits
● Browser plugins/components exploits

● Used by crimeware organizations to deploy large scale malware infections

● Large scale malware infections are most effective in the first weeks of activity

Page 14:

Latest Exploit Packs

● Produce statistics about usage/infections

● Selection of which countries to infect

Page 15:

Social Engineering

Tricks
Deception

People
Manipulation

Divulging sensitive/confidential data
Performing actions

Page 16:

Fraud

Scam

Phishing

Carding

Identity Theft

Page 17:

Phishing

Criminally gaining access to sensitive information by trying to look like a trustworthy entity in an electronic transaction.

Usernames/passwords, bank account details, credit card details...

Page 18:

Scam/Carding/Identity Theft

● Scam: fraud perpetrated with the use of Social Engineering techniques. Also called a “confidence trick”

● Carding: theft/fraud using credit cards

● Identity theft: stealing identities to steal money or gain other benefits

Page 19:

RBN

An organization which offers bullet-proof hosting to a lot of cybercrime activities.

● Delivery of exploits
● Identity Theft
● CP
● Malware
● Phishing
● Cybercrime
● Spam

Page 20:

Under the hood: skilled enough?

If you have enough skills/resources you can also sell other services on the black market:

● Custom Rootkits
● Custom malware
● Custom PE Packers/Crypters
● Mw with custom AV/VM defeat techniques
● Mw with scan for known vulns
● Selling 0Day vulnerabilities

Page 21:

Fight back!

One important thing is the profile of the attacker: analyzing it we can gain some important information about them and the techniques they use.

Doing proactive security also means informing people. Security starts from people (employees, home users, professionals...)

Audit/pentest your networks and products

Try to keep your systems updated and a little more secure with some good network security products.

Page 22:

Fight back!

Is there any good product to use for our network security?

...It's out of the scope of this presentation to say this :)

Security researchers are doing a good job, but I think that the best results can be achieved with community driven efforts.

Page 23:

Conclusions

Page 24:

Questions?

???

Page 25:

Thanks to...

This presentation is dedicated to the people without whom I wouldn't be the nice person I am: my parents and family, two really good friends of mine, Jesus :)

Thanks to my friends in real life and webspace, including and not limited to: Evilcry, Emdel, C0sm4ky, Nex, Omni, Alby, Raistlin, Pincopall, Zairon, everyone at EvilFingers and Malware Domains List.

Thanks also to my friends irl.

Thanks also to you for being here today!