Malwares, Money and Criminal Activity: The Dangerous Relationship

Malwares, Money and
Criminal/Terror Activity
The Dangerous Relationship

Pedro Bueno, SANS GCIA,GREM
pbueno@avertlabs.com
pbueno@isc.sans.org

Malwares, Money and Criminal/Terror Activity SANSFIRE 2009 – Baltimore, MD

Warming up...

“Last I checked, it was physical terrorists who bombed
the Marine barracks in Lebanon, who attacked the U.S.S.
Cole, who took out the Oklahoma City federal building,
and who suicide-bombed the World Trade Center and the
bombed
Pentagon.
Wily-fingered hackers had nothing to do with it.”
fingered

CNet Article called Cyberterror and professional paranoiacs - 2003


Agenda
● Introduction

● The Motivations

● The Methods Used

● What About Cyber War?

● Conclusion


Introduction
● Significant change from 4 years ago to these days
on the hacking world…
● Some years ago we had hackers “a la’ Mitnik”, or
hacking for fame looking for better raking on
(R.I.P.) Alldas.de defacement mirror
● Now, we have hackers directly involved with cyber
crime, which is also sponsored by real world
organized crime!
● Now, we have hackers directly involved with cyber
crime, which is also sponsoring real world
organized crime!


Introduction
● Money Money Money Money Money!
● Virus customized for a specific company of your
choice = $50,000 USD
● Recycled virus (modified to avoid signature
detection) = $200 USD
● 10 million email addresses = $160 USD
● Credit card number = $2~6 USD
● Credit card number with security code = $20~60
USD
● Renting a laptop which controls botnet of
5,000~10,000 computers = $100/day
Source: G
G-Data


Introduction
● Nowadays, the Cyber crime is changing the
concept of cyber terrorism:
● Cyber Terrorism as we know:
1 - “the use of information technology by terrorist
the
groups and individuals to further their agenda.
This can include use of information technology to
organize and execute attacks against networks,
computer systems and telecommunications
infrastructures, or for exchanging information or
making threats electronically. ”- NCSL
● Cyber Terrorism as we should understand:
“[1] + the use of cyber crimes to sponsor real world
terrorism activity”

Introduction


Cyber Crimes - Motivation

● Illegal Financing

● Terrorism

● Mafia Style


Motivation
● Ilegal Financing

– As any other organized crime group, like regular
organized crime or terrorism, with whatever
objective, like buying arms from illegal arm dealers,
establish a cell in a country, training and operational
actions.


Motivation
● Terrorism and Cyber terrorism

X

Myth Reality

Motivation
● While Terrorism and Cyber terrorism are two
different terms, they are highly linked to each other.
● Terrorism: the calculated use of violence (or the threat of
violence) against civilians in order to attain goals that are
political or religious
● Cyberterrorism: According to the U.S. Federal Bureau of
Investigation, cyberterrorism is any "premeditated, politically
motivated attack against information, computer systems,
computer programs, and data which results in violence
against non-combatant targets by sub
combatant sub-national groups or
clandestine agents."
● But, what about Terror acts achieved with Cyber
help?

Motivation

● Cyber <-> Terror
– 1999 – Hacking was used to obtain the AirBus A300
structural plan. Those plans were essential to the
successful hijack of the Indian AirLines airplane in
December 1999.
– 2001 – in February, a hacker was contacted to get
the structural plans of other airplanes, identical to
those used on the 9/11 attack.


Motivation
● Terrorism (cont.)
– Bali 2002 – a bombing attack on the tourist district of Kuta on
the Indonesian island of Bali. Investigations leads the
information that the attack was sponsoring by frauds involving
Credit Cards. Iman Samudra, author of the attacks, published
a book with a chapter entitled "Hacking, Why Not?"
– 2004 – A research revealed that ALL terrorists groups have
some kind of ‘virtual cell’ on Internet.
– April 2006 – 5 family members of a Jordanian person with
American citizenship, accused to be a Al Qaeda contact, were
arrested in California, for banking fraud, with identity thief.
Some of the money were transferred to an account on Ama, in
Jordanian.


Motivation
● 2003-2006 - Al Qaeda cells that put their victims
execution videos on internet had members with
Computer Science degrees from Baghdad
University.
● November 2008 – coordinated shooting and
bombing attacks in Mumbai, India. The terrorists
used handhelds with GPS to establish proper
location, Skype to get encrypted communication
over internet and Google Earth to plan and
establish the targets for the attack.


Motivation
The Mafia style
● The Amateurs…
– CardPlanet
● Uses same schema as the Italian Mafia
● Some “affiliates”:

– Mazafara (aka Network Terrorism)

– ShadowCrew

– IAACA – International Association for the Advanced of
Criminal Activity


Motivation
● The Mafia Style
● On January 2008, the famous Russian site
MP3Spack.com was banned from UK backbone
after by doing business with a web host that has
been linked to a cybercrime syndicate.
● Using webhosting of Abdallah, from a Turkish
network that have been serving malwares from
years.
● The Turkish network also had links with RBN
(Russian Business Network) that has also been
serving malwares from many years…


Motivation
The Mafia style
● The professionals…
● The Russian Boniness Network
– Russian ISP originally based on Saint Petersburg, RU (v1)
– Famous for host all kind of illegal “business”, from Child
Pornography to Malwares…
– Very (I)responsive to take downs
– Best known for their Criminal online intents…
– Has affiliate networks in different countries which help to
distribute their malicious content make harder to remove.
– Strong links with the Russian Mob…


Motivation
● The RBN (cont.)
● The ZeuS toolkit, Mpack, Storm Worm are
examples of malwares/kits linked to it.
● Went down in Nov 2007 to come back months
later…
● Now it uses different small ISPs as front end of their
activities.
● As for today, their status is Active!


Methods

● Identity Theft

● Phishing and Phishing Kits

● PWS trojans

● Virtual Money Laudering

● Botnets


Methods
● Identity Theft


Methods
● Identity Theft

– The usage of the identities of others to carry out
violations of federal criminal law
– More than 25 types of ID Theft investigated by the USSS.
– Way to obtain Driver's Licenses, bank and credit card
accounts through which terrorism financing is facilitated
– Al-Qaeda terrorist cell in Spain used stolen credit cards
Qaeda
in fictitious sales scams and for numerous other
purchases for the cell and also used stolen telephone
and credit cards for communications back to Pakistan,
Afghanistan, Lebanon, etc.


Methods
● Phishing
– Traditional
– Very common method to get personal data as SSN,
Birth Date, Family Names, as well bank data, forging
the bank webpage.
- Old, but still functional!
- “U.S. consumers lost roughly $3.2 billion to phishing
scams in 2007” – Gartner Survey


Methods - Phishing


Methods - Phishing
● Global Cyber Organized Crime
● In May 2008 FBI arrested 38 people
linked to a fraud schema, involving
U.S., Portugal, Romania, Pakistan
and Canada. ● Source: FBI

● Group “A” in Romania (mostly) run the spam with
phishy message, leading the victim to a phishing
site where they were able to get most personal
information, such as PIN, SSN, CCN…
● Group “A” send the info to Group “B” in U.S., which
manufactured their own credid,debit,gift card to be
used in the Real World!


Methods – Phishing Kits

● Created as PHP based malware ‘Kits’
● Usually developed by Russian criminals (and RBN)
● Also presents a C&C
● Examples of such kits are:
– Mpack/IcePack
– ZeuS
● Costs around $700-$1000 USD
$1000


Methods – Phishing Kits Mpack/IcePack
Kits-
● The latest version exploits the following Client Side
Vulnerabilities:
CVE-2008-2992 - buffer overflow in Adobe Acrobat and Reader in util.printf
CVE-2009-0927 - buffer overflow in Adobe Reader and Acrobat via the getIcon
CVE-2006-5198 - WinZip FileView ActiveX Control Unsafe Method Exposure Vulnerability
CVE-2007-0015 - Buffer overflow in Apple QuickTime 7.1.3
MS06-006 - Firefox 1.5.x/Opera 7.x WMP plugin vuln
MS06-014 - ADODB/MDAC vuln
MS06-057 - WebViewFolderIcon ActiveX vuln
MS06-071 - XML setRequestHeader vuln
MS07-017 – ANI vuln
CVE-2007-3147 - Buffer overflow in the Yahoo! Webcam Upload ActiveX
MS05-052 - Internet Explorer COM objects vuln
MS06-024 - Vulnerability in Windows Media Player


Kits-
● Some highlights:

– Uses iFrame to determine the best attack model
– Control the machine remotely through HTTP
– Serve exploits based on country, using GeoIP
– Serve exploits based on browser type, including
MSIE, Opera and Firefox
– Allows different statistics
– Offers a Admin panel for updates, views,etc…


Kits-
● Mpack Statistics page:


Methods – Phishing Kits ZeuS
Kits-
● Another type of PHP kit
– A mix of Server side phish and client malware
– Also creates a Botnet based on Http protocol
– Also has a C&C
– Bank oriented!
– Targets US banks:
● Bank of America
● Chase
● Citibank


Kits-
● European Banks:
– Santander
– HSBC in UK
– Lloyd
– Halifax
– Barclays
– Banco Popular

● And more…
– …<insert your bank here>

Kits-
● The Zeus client is created based on a builder
application:
● Information screen, also removes it from the machine


Kits-
● The client offers some builder options:
– Can choose and modify the configuration file


Kits-
● Creates two files:
– Cfg.bin – the configuration file
– loader.exe – the actual malware


Kits-
● The Logs are encoded. However the builder
provides a way to decode the logs generated by the
client.


Methods
● PWS Trojans

– Stands for Password Stealers trojans
– Steals passwords for bank accounts, called PWS
PWS-
Bankers
– Steals password used on online games, called
PWS-OnlineGames


Methods
● PWS Trojans

● Basic PWS-Banker “Modus Operandi”:
Banker
User receives email with fake juicy message

User clicks on link

User downloads a small file and runs it

File opens an error message and closes and downloads another big file on the
background

The big file will intercept bank website access attempt and prompt fake login to
retrieve the user’s bank credentials

Trojan send email to the hacker with the bank credentials.


Methods
● PWS-Bankers
● New features:
● Targeted banking!
● Steals certificate files used by banks, like *.crt and *.key
● Modular
– Downloader
– Url List
– Redundancy!
● Grabs screenshots and records video clips
● Encrypt the data sent to the hacker


Methods
PWS Bankers trojans

● Moves about 200 million USD/year in South America
● Started with 3 major malware writers group in Brazil
● About year ago, the groups started to develop special
versions for other countries in Latin America, like Argentina
and Colombia
● Peru and Mexico has its own versions
● The money was mostly used to buy expensive cars
● Now, it is also used to sponsor real world organized
crime


Methods
● PWS-Bankers

Questions to be answered about South America schema:

•Is the money shared between Brazil and Argentina
Is
groups?

•Is the code been sold to argentinian groups or modified?
Is

•Is there brazilian organized crime acting in Argentina
Is
territory?


Methods
● PWS Bankers trojans newest feature!
DOJ NSA

SSN

http://www.avertlabs.com/research/blog/index.php/2009/05/01/a-closer-look-at-a-swine-flu-spam/
http://www.avertlabs.com/research/blog/index.php/2009/05/01/a


Bankers
Methods – PWS-Bankers


Methods – PWS Online Games Trojans
PWS OnlineGames – virtual money becomes
money in real world!

Source: SANS ISC


Methods – PWS Online Games Trojans
These trojans attempt to steal the games
credentials and steal/transfer/sell all gold (virtual
money)

100,000 Gold
Farmers world wide

$ 1.8 Billion / year
traded in virtual items.

Source: SANS ISC


Virtual Money Laundering
● Uses Online Games as a vector
● Second Life example:
– “9 million of residents are able to move about,
interact with and/or chat privately with other
residents, participate in activities and trade or buy
virtual items and/or services from other residents.
Additionally, virtual real estate may be purchased,
sold and rented and virtual casinos are plentiful.”
– BankInfo Security
– Gambling on 2nd Life was available until 2007
– Currency is Linden Dollars, which can be exchanged
by USD

Methods – Bots/Botnets
1. Scan&Exploit
machines
compromises new
machines
2. The compromised
machines join an IRC
network, controled by
a remote person
3. The remote person
can now order a
number of activities
from the compromised
machines, like a DDoS


● Boom happened in 2004/2005
– In april 2004, more than 900 bot variants

•In 2005, it raised more than
175% when compared to
2004


● Example of a bot source code, under GNU license...(GPL!)


• Easy to modify...


Methods – Bots/Botnets FAQ!

Server User parameters
Parameters


● Why?

– Profit
● Spam, Password stealers...
– Piracy
● warez, videos, books...
– Profit
● DDoS for hire!

– CyberSpace power
● Did I hear cyberwar??



● Fonte: F-Secure Weblog (http://www.f
Secure (http://www.f-secure.com/weblog)


Botnets usage...
● “...Saad Echouafni, head of a satellite communications

company, is wanted in Los Angeles, California for

allegedly hiring computer hackers to launch attacks

against his company's competitors. On August 25,

2004, Echouafni was indicted by a federal grand jury in

Los Angeles in connection with the first successful

investigation of a large-scale distributed denial of

service attack (DDOS) used for a commercial

purpose in the United States....”

● “...That business, as well as others both private and

government in the United States, were temporarily

disrupted by these attacks which resulted in losses

ranging from $200,000 to over $1 million...”

● Source: FBI



Bots
Activities


[17:11] <randomnick> .up

[17:11] <[x]12212893> [MAIN]: Uptime: 1d 8h 50m.

[17:11] <[x]55483161> [MAIN]: Uptime: 2d 8h 18m.

[17:11] <[x]32705837> [MAIN]: Uptime: 2d 6h 49m.

[17:11] <[x]66729140> [MAIN]: Uptime: 0d 4h 2m.

[17:11] <[x]62694986> [MAIN]: Uptime: 0d 7h 0m.

[17:11] <[x]77045269> [MAIN]: Uptime: 23d 8h 10m.

[17:11] <[x]10568877> [MAIN]: Uptime: 0d 8h 8m.

[17:11] <[x]43332600> [MAIN]: Uptime: 0d 5h 8m.

[17:11] <[x]38093578> [MAIN]: Uptime: 0d 9h 14m.

[17:11] <[x]59464173> [MAIN]: Uptime: 29d 9h 14m.

[17:11] <[x]59968649> [MAIN]: Uptime: 23d 8h 9m.

[17:11] <[x]29780258> [MAIN]: Uptime: 0d 6h 29m.

[17:11] <[x]70324359> [MAIN]: Uptime: 23d 8h 10m.


● Packet Dumps...


Methods – Bots/Botnets – the new generation
● StormWorm case...(aka Nuwar, postcard worm...)
– P2P based
● Say bye-bye to a central C&C!
bye

● Hard to detect on the infected machine (uses rootkit)

● Many different binaries

● Use of Fast-Flux networks

● Quite complex P2P network


● Storm worm allows:
– Pump and Dump spams (stock spams)
● “involving use of false or misleading statements to hype stocks,
which are "dumped" on the public at inflated prices.”
– Company price goes high, so it is possible to sell the
stocks at a higher price!
● Using different file formats, like PDF, DOC, Excel, plain text…
– Phishing emails that leads to sites with client side
exploits (RBN again…)
– DDoS attacks and Auto DDoS
– High-availability due Fast
availability Fast-Flux networks


● A quick highlight on Fast Flux schema:

Source: Honeynet project


● Example:
● giftapplys.cn IN A 0:89.228.78.213

giftapplys.cn IN A 0:98.14.181.131













What About Cyber Warfare?

X


● What is Cyber Warfare?
● “It can include defending information and computer
networks, deterring information attacks, as well as denying
an adversary’s ability to do the same. It can include
offensive information operations mounted against an
adversary, or even dominating information on the
battlefield.” - CSR Report for Congress
● Remember that if we think about 4th generation
warfare, the “adversary” can be a nation, state,
group:
– Israel x Hamas
– Russia x Georgia/Estonia,
– PCA (Pakistan Cyber Army) x HGM (Hindu Militant Group)

● Some highlights…

● “China has an active cyber espionage program” -USCC 2008 Annual
Report

● “Cyber and sabotage attacks on critical US economic,
energy, and transportation infrastructures might be viewed
by some adversaries as a way to circumvent US strengths
on the battlefield and attack directly US interests at home. –
Global Trends 2025: A Transformed World November 2008


What About Cyber Warfare

Of course, those are critical items and have to be taken
seriously, but do we really need to worry about high skilled
government sponsored hacker groups when so many less
sophisticated attacks are happening?


● France


● Germany


● UK


● US



● Many critical environments are still being affected
by Worms, that spreads exploiting months old
Patched vulnerabilities, open network shares with
write permission, and USB sticks

● Is it realistic to think that a significant amount of
systems were/are already owned?


…but we have AV!!!

"The agency was running desktop

malware software, but it had

not been updated for more

than three years -- even though

the agency had paid for upgrades

to newer versions that protect

against Neeris. In addition,

Microsoft has issued two

patches, one in 2006 and one in

October, to close holes in its

software exploited by Neeris."


Conclusion

● The Cyber Crime industry moves about 100 Billion
USD/year and is the most successful sector of the
organized crime…growing 40%/year
● There is no way to threat cyber crimes and real
world crimes in different ways
● Both causes billion of loses
● Both are used to sponsor illegal activities
● Both can be used to sponsor real world terror
● …and Cyber Warfare is just around the corner…


Conclusion
● May 2008
● IDG: Do you see any areas of the world that are emerging
sources of concern when it comes to cybercrime?

INTERPOL Executive Director
DirectorJean-Michel Louboutin:
Terrorism. I think the main concern for the world is terrorism,
fraud. This is very important. They use the Internet a lot. We
can have different networks of terrorism using Internet,
because it is very easy to create a site. You can create
propaganda. You can recruit. Now the main recruitment for
Afghanistan is over the Internet.
Terrorists are chatting on Internet sites. They can provide
tools for training. They can set up rendezvous. They can use
encrypted language to give orders. It is a major trend.


Remember this?

“Last I checked, it was physical terrorists who bombed
the Marine barracks in Lebanon, who attacked the U.S.S.
Cole, who took out the Oklahoma City federal building,
and who suicide-bombed the World Trade Center and the
bombed
Pentagon.
Wily-fingered hackers had nothing to do with it.”
fingered

CNet Article called Cyberterror and professional paranoiacs - 2003


Questions!

[The End!]

pbueno@isc.sans.org / pbueno@avertlabs.com


Malwares, Money and Criminal Activity: The Dangerous Relationship

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (13)

Destacado

Destacado (8)

Similar a Malwares, Money and Criminal Activity: The Dangerous Relationship

Similar a Malwares, Money and Criminal Activity: The Dangerous Relationship (20)

Malwares, Money and Criminal Activity: The Dangerous Relationship