Dissecting unlawful Internet Activities
Fyodor Yarochkin
@fygrave
Armorize Technologies
AGENDA
Observations
Case studies
Sampling goods and services
Q & A
(c) 2011 Armorize Technologies
MEET THE AUTHORS
Our environment
Honeypots (http, ftp, ssh, smtp, ...)
Sandboxes + proactive internet “browsing”
End points around the globe
Public discussion groups of interest: scraping and indexing
Overview
What makes the news..
• Malware
• Black SEO
• Fake AV
• Mass injections
• CC abuse
MAIN ACTORS
• Kiddies
• Profit oriented
• Crime
• APT
Range of players!
Kiddies: hit our honeypots daily :)
Still living in the IRC bot age
APT
• Kiddies are not very interesting. Following the APT guys is a bit more fun
• APT – advanced persistent threat (made lots of noise after the Aurora attacks). But.. how advanced is it, really? :-)
APT: attack vectors – often plain silly
APT: in Taiwan
• Targets: academics, post, rail, ..
APT: main characteristics
• Attacks are planned and methodical
• In many instances the primary aim of an action is information gathering (e.g. JavaScript that collects and posts the user's environment information)
• Malicious content is well prepared (digitally signed with valid certificates, etc.)
APT Research from xecure-lab guys
Aptdeezer: apt analysis platform from xecure-lab
Businessmen are fun to study :)
• Online goods
• Services
• Traffic
How to steal a million?
Effectiveness
• Old school: steal it from a bank. Make a lot of noise and either get caught (or run to South America)
• New school: steal a dollar from a million people. It is still a million (and no noise).
So, where is the money?
DIRECT SOURCES:
• CC cashing
• Banking credentials
• Ads (PPC)
• Mobile scam
• Pharm
• Pr0n
• Extortions
• “Software”
INDIRECT SOURCES:
• TRAFF
• Credentials
• Online goods & services
TRAFFIC..
• To start with, you need users visiting your “milking resource”..
TRAFFIC COST
• AU - 300-550$
• UK - 220-300$
• IT - 200-350$
• NZ - 200-250$
• ES, DE, FR - 170-250$
• US - 100-150$
• RU, UA, KZ, KG .. 10-40$
Case studies
Infrastructure compromise: case study
UNDER THE HOOD
Looking into packet fields
TRACKING THE GHOST
HYPO: ATTACK SCENARIO
RESULTED IN...
http://tools.cisco.com/security/center/viewAlert.x?alertId=17778
Compromised CAs
• How about combining this and compromised CA?
WHAT HAD HAPPENED..
Your traffic is mirrored!!
  tunnel source <interface>
  tunnel destination <badIP>
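As an added defender's check (example code, not from the talk), here is a small Python audit that parses IOS-style tunnel stanzas like the ones above from a constructed sample config and flags any tunnel whose destination lies outside an assumed allowlist of expected peer prefixes:

```python
import ipaddress
import re

# Constructed sample of an IOS-style running config (not from the talk): one
# expected site-to-site tunnel plus a rogue one pointing at an outside host,
# the "tunnel destination <badIP>" pattern the slides describe.
SAMPLE_CONFIG = """\
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
!
interface Tunnel99
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.7
!
"""

# Hypothetical allowlist: prefixes the operator expects tunnels to terminate in.
TRUSTED_TUNNEL_PEERS = [ipaddress.ip_network("198.51.100.0/24")]

def parse_tunnels(config):
    """Map each Tunnel interface to its 'source' / 'destination' settings."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)", line)
        if m:
            current = m.group(1)
            tunnels[current] = {}
        elif line.startswith("interface ") or line.strip() == "!":
            current = None  # left the tunnel stanza
        elif current:
            m = re.match(r"^\s*tunnel (source|destination) (\S+)", line)
            if m:
                tunnels[current][m.group(1)] = m.group(2)
    return tunnels

def rogue_tunnels(config, trusted=TRUSTED_TUNNEL_PEERS):
    """(name, destination) pairs for tunnels ending outside every trusted prefix."""
    flagged = []
    for name, attrs in parse_tunnels(config).items():
        dest = attrs.get("destination")  # assumed to be an IP literal
        if dest and not any(ipaddress.ip_address(dest) in net for net in trusted):
            flagged.append((name, dest))
    return flagged

if __name__ == "__main__":
    for name, dest in rogue_tunnels(SAMPLE_CONFIG):
        print(f"{name}: tunnel destination {dest} is not a trusted peer")
```

Run against a real `show running-config` dump, the same check also catches tunnels added under a name nobody documented, which is why it keys on the stanza rather than on the interface name.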
How were they 0wn3d?
AND MORE..
LESSONS LEARNT
• The whole city compromised
• Users infected on the fly while visiting legitimate web sites
• Tricky to investigate
• Affected parties - complete denial
Other varieties ;-)
Ad ABUSE: “MALVERTISEMENT”
Introducing ad space hell :)
Source: razorfishmedia.com
Ad network dynamic bidding
• The ad network dynamic bidding system is asking for abuse :-)
• Decentralized: small players feed data to the bigger guys (DoubleClick)
• Verification is mostly manual
• Real-time content tampering is easy
• Automated target selection
• A number of mechanisms prevent click fraud (and make automated analysis hard!!!)
MALVERT. MECHANICS
iframe -> redirect -> iframe -> redirect -> iframe -> iframe to TDS
Malvertisement (cont)
Malvert: agencies get 0wned
• Pulpomedia incident:
Extortions going international
Also a Spanish version
Credit: http://xylibox.blogspot.com/
Common characteristics
• Hosting and domain registration
Registration Service Provided By: Bizcn.com
Website: http://www.cnobin.com
Whois Server: whois.bizcn.com
Domain name: bundespol.net
Registrant Contact: Whois Privacy Protection Service Whois Agent [email protected] +86.05922577888 fax: +86.05922577111 No. 61 Wanghai Road, Xiamen Software Park xiamen fujian 361008 cn
person: Ionut Tripa
remarks: SC GoldenIdeas SRL
address: Str. Drumul Sarii, nr. 57C
address: Sector 6, Bucuresti
phone: +0744885334
abuse-mailbox: [email protected]
nic-hdl: IT1737-RIPE
source: RIPE # Filtered
mnt-by: GOLDENIDEAS-MNT
WAS ON THE NEWS
COMMON PATTERNS
• Exploits
• Social tricks
“Social engineering”
Well-operated :)
• Spreads through advertisements (social engineering and exploits)
• Reboots the machine until a license is purchased (80 USD)
• Provides a support hotline (hosted in India)
• Uses legitimate payment gateways (possible to do refunds)
Another attack: infrastructure
Infrastructure
Speedtest.net
Ads.ookla.com
http://35ksegugsfkfue.cx.cc
TDS systems: TRAFF marketplace
COMMON TDS
TDS + verification server
SEO: another option
• Black SEO:
SEO USE and abuse :)
<*bad* word (rus)
SEO SERVICES
Goods and services: sampling :)
Digital currencies
• Modern-day hawala
Amusing portals
PASSPORT COPIES
.. OR A SET
For money of any state of dirtiness. Pack includes:
1. Online bank account access
2. ATM card (1000/6000 USD per month withdrawal limit)
3. Online access passwords
4. Passport copy of “poor John”
5. SIM card
MALWARE Q/A AND HOSTING
Abuse-resistant hosting
CLOUD-cracking
AND CAPTCHA
MOBILE
So far - easy to spot with static analysis tools (Android, J2ME)
Press the button “stop” as soon as possible!
LEARNING POSSIBILITIES :)
Questions