International Security Conference "ZeroNights 2011" - http://www.zeronights.org/

1. Dissecting unlawful Internet
Activities
Fyodor Yarochkin
Armorize Technologies
@fygrave

2. АГЕНДА
Observations
Case studies
Sampling goods and services
Q&A
(c) 2011 Armorize Technologies

3. MEET THE AUTHORS
(c) 2011 Armorize Technologies

4. Our environment
Honeypots (http, ftp, ssh, smtp, ...)
Sandboxes + proactive internet “browsing”
End points around the globe
Public discussion groups of interest:
scrapping and indexing
(c) 2011 Armorize Technologies

5. Overview
(c) 2011 Armorize Technologies

6. What makes the news..
MALWARE
Black SEO
Fake AV
Mass Injections
CC abuse
(c) 2011 Armorize Technologies

7. MAIN ACTORS
Profit Oriented
Kiddies Crime APT
(c) 2011 Armorize Technologies

8. Range of players!
(c) 2011 Armorize Technologies

9. Kiddies: hit our honeypots daily :)
(c) 2011 Armorize Technologies

10. Still live in IRCBOT age
(c) 2011 Armorize Technologies

11. APT
• Kiddies are not very interesting.
Following the APT guys is a bit more
fun
APT – advanced persistent threat
(made lots of noise after Aurora attacks
But, .. how advanced that is.. really :-))
(c) 2011 Armorize Technologies

12. APT: attack vectors – often
plain silly
(c) 2011 Armorize Technologies

13. APT: in taiwan
• Targets: academics, post, rail, ..
(c) 2011 Armorize Technologies

14. APT: main characteristics
• Attacks are planned and methodological
• In many instances – the primary aim of an
action is information gathering (i.e.
javascript that collects and posts the user
environment information)
• Malicious content is well-prepared (digitally
signed w/ valid certificates etc etc)
(c) 2011 Armorize Technologies

15. APT Research from xecure-lab guys
(c) 2011 Armorize Technologies

16. Aptdeezer: apt analysis
platform from xecure-lab
(c) 2011 Armorize Technologies

17. Businessmen are fun to
study:)
Traffic Online goods
services
(c) 2011 Armorize Technologies

18. How to steal a million?
(c) 2011 Armorize Technologies

19. Effectiveness
• Old school: steal it from a bank. Make a lot
of noise and either get caught (or run to
South America)
• New school: steal a dollar from a million
people. It is still a million (and no noise).
(c) 2011 Armorize Technologies

20. So, where is the money?
DIRECT SOURCES:
Ads (PPC) Banking credentials
Pharm CC cashing
Pr0nExtortions
“Software” Mobile scam
INDIRECT SOURCES:
TRAFF Credentials Online goods
& services
(c) 2011 Armorize Technologies

21. TRAFFIC..
• You need users to start visiting your “milking
resource” to start with..
(c) 2011 Armorize Technologies

22. TRAF. COST
• AU - 300-550$
• UK - 220-300$
• IT - 200-350$
• NZ - 200-250$
• ES,DE,FR - 170-250$
• US - 100-150$
• RU, UA, KZ, KG .. 10-40$
(c) 2011 Armorize Technologies

23. Case studies~
(c) 2011 Armorize Technologies

24. Infrastructure compromise: case
study
(c) 2011 Armorize Technologies

25. UNDER THE HOOD
(c) 2011 Armorize Technologies

26. Looking into Packet fields
(c) 2011 Armorize Technologies

27. TRACKING THE GHOST
(c) 2011 Armorize Technologies

28. HYPO: ATTACK SCENARIO
(c) 2011 Armorize Technologies

29. RESULTED IN...
http://tools.cisco.com/security/center/viewAlert.x?
alertId=17778
(c) 2011 Armorize Technologies

30. Compromised CAs
• How about combining this and
compromised CA?
(c) 2011 Armorize Technologies

31. WHAT HAD HAPPENED..
tunnel source <interface>
tunnel destination <badIP>
Your taffic is mirrored!!
(c) 2011 Armorize Technologies

32. How were they 0wn3d?
(c) 2011 Armorize Technologies

33. AND MORE..
(c) 2011 Armorize Technologies

34. LESSON LEARNT
• The whole city compromised
• Users infected on the fly. Visiting
legimate web sites
• Tricky to investigate
• Affected parties - complete denial
(c) 2011 Armorize Technologies

35. Other varieties ;-)
(c) 2011 Armorize Technologies

36. Ad ABUSE:
“MALVERTISEMENT”
(c) 2011 Armorize Technologies

37. Introducing ad. Space
hell :)
Source: razorfishmedia.com
(c) 2011 Armorize Technologies

38. Ad network dynamic
bidding
• Ad network dynamic bidding system is asking for
abuse :-)
• Decentralized, small players feed data to
bigger guys (doubleclick), verification is mostly
manual, real-time content tampering is easy,
automated target selection, number of
mechanisms that prevent click fraud (and
makes automated analysis hard!!!)
•
(c) 2011 Armorize Technologies

39. MALVERT. Mechanics
iframe
redirect
iframe
redirect
iframe
(c) 2011 Armorize Technologies Iframe to TDS

40. Malvertisement (cont)
(c) 2011 Armorize Technologies

41. Malvert: agencies get
0wned
• Pulpomedia incident:
(c) 2011 Armorize Technologies

42. Extortions going
international
(c) 2011 Armorize Technologies

43. Also spanish version
Credit: http://xylibox.blogspot.com/
(c) 2011 Armorize Technologies

44. Common characteristics
Registration Service Provided By: Bizcn.com
Website: http://www.cnobin.com person:
person: Ionut Tripa
Ionut Tripa
remarks:
remarks: SC GoldenIdeas SRL
SC GoldenIdeas SRL
Whois Server: whois.bizcn.com
address:
address: Str. Drumul Sarii, nr. 57C
Str. Drumul Sarii, nr. 57C
address:
address: Sector 6, Bucuresti
Sector 6, Bucuresti
Domain name: bundespol.net phone:
phone: +0744885334
+0744885334
abuse-mailbox: goldenideas.ionut@yahoo.com
abuse-mailbox: goldenideas.ionut@yahoo.com
• Hosting and domain registration
Registrant Contact:
Whois Privacy Protection Service
nic-hdl:
nic-hdl:
source:
source:
IT1737-RIPE
IT1737-RIPE
RIPE # Filtered
RIPE # Filtered
Whois Agent gmvjcxkxhs@whoisservices.cn mnt-by:
mnt-by: GOLDENIDEAS-MNT
GOLDENIDEAS-MNT
+86.05922577888 fax: +86.05922577111
No. 61 Wanghai Road, Xiamen Software Park
xiamen fujian 361008
cn
(c) 2011 Armorize Technologies

45. WAS ON THE NEWS
(c) 2011 Armorize Technologies

46. COMMON PATTERNS
Exploits Social tricks
(c) 2011 Armorize Technologies

47. “Social engineering”
(c) 2011 Armorize Technologies

48. Well-operated :)
• Spreads through advertisements (social
engineering and exploits)
• Reboots machine until license is purchased
(80USD)
• Provides support hotline (hosted in India)
• Uses legimate payment gateways (possible
to do refunds)
(c) 2011 Armorize Technologies

49. Another attack:
infrastructure
(c) 2011 Armorize Technologies

50. Infrastructure
Speedtest.net
Ads.ookla.com
http://35ksegugsfkfue.cx.cc
(c) 2011 Armorize Technologies

51. TDS systems: TRAFF
marketplace
(c) 2011 Armorize Technologies

52. COMMON TDS
(c) 2011 Armorize Technologies

53. TDS + verification srv
(c) 2011 Armorize Technologies

54. SEO:Another option
• Black SEO:
(c) 2011 Armorize Technologies

55. SEO USE and abuse :)
<*bad* word (rus)
(c) 2011 Armorize Technologies

56. SEO SERVICES
(c) 2011 Armorize Technologies

57. Goods and services :
Sampling :)
(c) 2011 Armorize Technologies

58. Digital currencies
• Modern day hawalla
(c) 2011 Armorize Technologies

59. Amusing portals
(c) 2011 Armorize Technologies

60. PASSPORT COPIES
(c) 2011 Armorize Technologies

61. .. OR A SET
For money of any state of dirtiness
Pack includes
1. Online bank account access
2.ATM card (1000/6000USD
per month withdrawal limit)
3. online access passwords
4. Passport copy of “poor john”
5. SIM card
(c) 2011 Armorize Technologies

62. MALWARE Q/A AND HOSTING
(c) 2011 Armorize Technologies

63. Abuse-resistant hosting
(c) 2011 Armorize Technologies

64. CLOUD-cracking
(c) 2011 Armorize Technologies

65. AND CAPTCHA
(c) 2011 Armorize Technologies

66. MOBILE
So far - easy to spot with
static analysis tools
(android, j2me)
(c) 2011 Armorize Technologies

67. Press the button “stop” as soon as
possible!
(c) 2011 Armorize Technologies

68. LEARNING POSSIBILITIES :)
(c) 2011 Armorize Technologies

69. Questions
l
(c) 2011 Armorize Technologies