The Noob Persistent Threat
June 15, 2013
Published on: BSides Boston and RI 2013
Video (BSides RI): http://www.irongeek.com/i.php?page=videos/bsidesri2013/2-0-booting-the-booters-stressing-the-stressors-allison-nixon-and-brandon-levene
  1. The Noob Persistent Threat, June 15, 2013
  2. Who are we?
     Allison Nixon (@nixon.nixoff)
     • Security Consultant
     • Pentesting, Incident response
     • Host on the Pauldotcom podcast
     • SANS GCIA Gold certified
     Brandon Levene (@seraphimdomain)
     • Incident Handler/Incident Response for a Cloud Provider
     • Malware + Vuln analysis
     • Independent Security Researcher
     • SANS Certified Pentester
  3. What is this Noob Persistent Threat?
     • Script kiddies
       o Sometimes financially motivated
       o Sometimes hacking out of curiosity
       o The lowest level of the criminal underground
       o Low technical skills
       o Often poor opsec
       o Often frequent hacking forums
       o Often American or EU citizens
  4. ...but I don't have anything worth stealing...
     Do you have any of the following:
     • Credit or Debit Card
     • Bank Account
     • Paypal Account
     • Medical Records
     • Social Media Profile
     • Computer
     • Digital Delivery Account(s) (Steam, Origin, Xbox)
     http://www.rsa.com/products/consumer/whitepapers/11634_CYBRC12_WP_0112.pdf
  5. The Noob Renaissance
     2011 Discussion Topics
     • Beginner Hacking/Tutorials - 25%
     • Hacking Tools/Programs - 22%
     • Website/Forum Hacking - 21%
     2012 Discussion Topics
     • Beginner Hacking/Tutorials - 28%
     • *Hacking Methods - 5% (This is in ADDITION to Beginner content)
     • Hacking Tools/Programs - 21%
     • Website/Forum Hacking - 21%
     Source: http://www.imperva.com/resources/hacker_intelligence.asp
  6. A Smattering of Services: List of Services Offered on the Underground
  7. Recognize
  8. Homework Service
  9. Ewhoring (GIRL = Guy In Real Life)
  10. Cash for Sale ...If you can get it
  11. Want some credit cards?
  12. Mattfeuter.ru Arrests
      http://www.scmagazine.com/police-arrest-mattfeuter-site-operators-break-up-200m-carder-racket/article/296609/
  13. Carder Shops
      • Just like any other shopping web app
        o Shopping cart features
        o Ticket system
      • Buy credit card details, Paypal accounts
      • Proxies are sold to bypass region limitations
  14. Bootershells
  15. Power of the Gods
  16. Fun for all Ages
  17. PedoStresser Rebranding
      • Same Staff
      • Same Paypal account
      • Same font used in logo
      • Crosslinked Ads to PedoStresser
  18. Booter source code
  19. Ragebooter Comedy Hour
  20. Going legit?
  21. Technical Analysis of Ragebooter
      - Half the functions of the site didn't work
      - C&C infrastructure could be discovered
      - Username transmitted within attack data for no reason
  22. Sample Flood Packets
      • POST Flood
      • ARME (CVE-2011-3192)
      • Username is transmitted for no reason
      • X-Forwarded-For information leakage
      • Obvious use of open proxies
      • Most flood options resulted in no traffic
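Two of the traits on this slide, the ARME / CVE-2011-3192 Range header and the X-Forwarded-For leakage from open proxies, show up in a web server's own access log. The following is an added detection example, not analysis code from the talk: it assumes a custom Apache LogFormat that records the Range and X-Forwarded-For headers, uses constructed sample lines, and flags requests carrying more ranges than Apache's 2011 advisory workaround allowed plus any origin address seen behind several distinct proxies (the proxy-count threshold is an assumption).

```python
import re
from collections import defaultdict

# Constructed sample lines, not traffic from the talk. They assume a custom
# Apache LogFormat that appends the Range and X-Forwarded-For request headers
# as range="..." and xff="..." fields after the User-Agent.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2013:10:01:02 +0000] "HEAD / HTTP/1.1" 206 0 "-" "Mozilla/5.0" range="bytes=0-,5-0,5-1,5-2,5-3,5-4,5-5,5-6,5-7" xff="-"
198.51.100.9 - - [15/Jun/2013:10:01:03 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0" range="-" xff="192.0.2.44"
198.51.100.23 - - [15/Jun/2013:10:01:03 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0" range="-" xff="192.0.2.44"
198.51.100.61 - - [15/Jun/2013:10:01:04 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0" range="-" xff="192.0.2.44"
203.0.113.7 - - [15/Jun/2013:10:01:05 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0" range="-" xff="-"
192.0.2.200 - - [15/Jun/2013:10:01:06 +0000] "GET /video.mp4 HTTP/1.1" 206 65536 "-" "VLC/2.0" range="bytes=0-65535,65536-131071" xff="-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" range="(?P<range>[^"]*)" xff="(?P<xff>[^"]*)"$'
)
# Apache's 2011 advisory workaround rejected Range headers carrying more than
# five ranges; the same limit is reused here.
MAX_RANGES = 5
# Assumed threshold: an origin seen behind this many distinct proxy addresses
# is treated as an attacker fanning out through open proxies.
MIN_PROXIES = 3


def count_ranges(range_header):
    """Number of byte ranges in a Range header value ('-' means no header)."""
    if not range_header.startswith("bytes="):
        return 0
    return sum(1 for r in range_header[len("bytes="):].split(",") if r.strip())


def analyze(log_text):
    """Flag CVE-2011-3192-style Range abuse and origins leaked via XFF."""
    range_abuse = []                   # (client ip, path, number of ranges)
    behind_proxies = defaultdict(set)  # XFF origin -> proxy IPs that relayed it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # line in another format; skip it
        n = count_ranges(m["range"])
        if n > MAX_RANGES:
            range_abuse.append((m["ip"], m["path"], n))
        # A populated X-Forwarded-For means a proxy relayed the request and
        # recorded the address it saw, i.e. the real client behind the proxy.
        if m["xff"] not in ("-", m["ip"]):
            behind_proxies[m["xff"]].add(m["ip"])
    proxied = {o: sorted(p) for o, p in behind_proxies.items() if len(p) >= MIN_PROXIES}
    return {"range_abuse": range_abuse, "proxied_origins": proxied}
```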
  23. Asylumstresser
      • Another booter on the market (Deceased)
      • Largely nonfunctional
        o Only capable of reflected DNS and UDP flooding
      • Made thousands of dollars anyways
      • Accepts Paypal
      • Protected by Cloudflare
      • Run by children
  24. Asylumstresser Earnings Report
      Earnings by month:
      Oct-11 $26.25
      Nov-11 $477.28
      Dec-11 $884.69
      Jan-12 $1,243.02
      Feb-12 $1,614.64
      Mar-12 $1,349.52
      Apr-12 $855.14
      May-12 $1,438.89
      Jun-12 $1,658.80
      Jul-12 $1,403.94
      Aug-12 $1,666.36
      Sep-12 $1,812.30
      Oct-12 $2,662.95
      Nov-12 $3,915.85
      Dec-12 $3,983.47
      Jan-13 $4,109.29
      Feb-13 $3,403.34
      Mar-13 $2,875.81
      Grand total: $35,381.54
      • $23,604 earned in 2012, split between the owner and several support staff.
      • The database did not record any chargebacks, fraud, fees, or server costs, so the take-home pay is much lower
      • Conclusion: get a real job
  25. Asylumstresser Earnings Report
      • Analysis of customer base
        o Many gaming server admins
        o Ironically, some of these admins have blogged about getting DDOSed. Are they taking up arms themselves and starting a cyber-war?
        o Self-described gamers
        o Very elite hackers
        o I even found one connected to a police officer in Florida
  26. Additional Services
      Cloudflare "resolver"
      Oh, you mean the nmap dns-brute script?
      nmap --script dns-brute www.foo.com
      http://nmap.org/nsedoc/scripts/dns-brute.html
  27. Skype Resolver (API)
      Searching for Skype resolver "source" will generally result in something akin to the script above.
  28. The "api" consists of a modified Skype binary (cleartext logging enabled) located on an HTTP-accessible server, generally a cheap VPS. Here's the script that parses the API request and pulls the results from the plaintext logs.
  29. twBooter (aka Bootertw)
      • This one made the news several months ago
      • Allegedly used by hacker 'Phobia' to ddos krebsonsecurity.com while he swatted its owner
      • Database was leaked containing evidence of the launched attack
      • Database contained logs of 48,844 attacks launched in two months' time
  30. twBooter (aka Bootertw)
      • We were able to correlate different parts of the database to find out:
        o Which account was used
        o Their IP
        o Their user-agent
        o When the attacks occurred
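The correlation this slide describes, as an added example rather than the authors' code or the leaked data: a constructed three-table booter schema in SQLite and a query that attributes each attack on a target to the account that launched it, the attack time, and the IP and User-Agent from that account's latest login at or before the attack. The table layout is an assumption about what a booter web app stores.

```python
import sqlite3

# Constructed rows, not the leaked twBooter data; the three-table layout
# (accounts, logins with client IP and User-Agent, per-attack log) is an
# assumption about what a booter web app stores.
SCHEMA = """
CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE logins  (user_id INTEGER, ip TEXT, user_agent TEXT, ts TEXT);
CREATE TABLE attacks (id INTEGER PRIMARY KEY, user_id INTEGER, target TEXT, method TEXT, ts TEXT);
"""
USERS = [(1, "noob1"), (2, "stresser_fan")]
LOGINS = [
    (1, "203.0.113.5", "Mozilla/5.0 (Windows NT 6.1)", "2013-03-14T20:00:00"),
    (1, "203.0.113.9", "Mozilla/5.0 (Windows NT 6.1)", "2013-03-14T21:30:00"),
    (2, "198.51.100.2", "Mozilla/5.0 (Macintosh)", "2013-03-14T21:00:00"),
]
ATTACKS = [
    (10, 1, "target.example", "UDP", "2013-03-14T21:45:00"),
    (11, 2, "other.example", "UDP", "2013-03-14T21:10:00"),
    (12, 1, "target.example", "SYN", "2013-03-14T20:15:00"),
]

# For each attack on the target: the account that launched it, when, and the IP
# and User-Agent of that account's latest login at or before the attack time.
# ISO-8601 timestamps compare correctly as strings, so no date parsing is needed.
QUERY = """
SELECT a.id, u.username, a.method, a.ts,
       (SELECT l.ip FROM logins l WHERE l.user_id = a.user_id AND l.ts <= a.ts
         ORDER BY l.ts DESC LIMIT 1) AS ip,
       (SELECT l.user_agent FROM logins l WHERE l.user_id = a.user_id AND l.ts <= a.ts
         ORDER BY l.ts DESC LIMIT 1) AS user_agent
FROM attacks a JOIN users u ON u.id = a.user_id
WHERE a.target = ?
ORDER BY a.ts
"""


def load_sample(conn):
    """Create the tables and insert the constructed rows."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", LOGINS)
    conn.executemany("INSERT INTO attacks VALUES (?, ?, ?, ?, ?)", ATTACKS)


def attacks_on(target):
    """Rows of (attack id, account, method, time, ip, user_agent) for `target`."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    return conn.execute(QUERY, (target,)).fetchall()
```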
  31. Jacking
      • Identify gamertag
      • Identify owner
      • Use sites like spokeo or ssndob.ru to find owner's details
      • Call service provider in order to reset password
      • ???
      • Profit
      This technique can be used to social engineer any company and abuse their customers. Famous case: Mat Honan, August 2012, "How Apple and Amazon Security Flaws Led to My Epic Hacking".
  32. The Krebs Cycle
      1. You SWAT Brian Krebs.
      2. Brian Krebs finds out everything about you, your family, and your friends.
      3. SWAT team visits your house.
      (optional: DDOS his website because he made you mad)
  33. The Krebs Cycle
      • We were informed that 'Phobia' was suspected
      • Phobia left a lot of information lying around
      • Youtube channel full of bragging. "RealTeamHype"
        o Full of information leakage
        o Allowed us to find some of his friends
        o Profile the programs, operating systems they use
        o Profile them by voice
        o Their VPN providers
      • Phobia has been doxed before
      • E-mails can be linked to Facebook
      • Hackforums.net, Forumkorner profiles
  34. Counter Booters?
  35. OSINT for Bads... ...or why I love poor OPSEC
  36. Maltego is Awesome
  37. Abuse of Legitimate Services
      Paypal: “While we cannot share specifics on our customers’ accounts due to our privacy policy, we can confirm that we will review suspicious accounts for malicious activity and work with law enforcement to ensure cyber criminals are reported properly. We take security very seriously at PayPal and we do not condone the use of our site in the sale or dissemination of tools, which have the sole purpose to attack customers and illegally take down web sites.” -Paypal (In response to Brian Krebs' article)
      http://krebsonsecurity.com/2013/05/ddos-services-advertise-openly-take-paypal/
      Cloudflare: "I do find it troubling when there are extralegal measures taken to determine what is and is not going on," he said, in an apparent reference to the investigation by Krebs, Nixon and Levene. "How far do you go with that, if someone assumes XYZ shouldn't be on the Internet? Should Google remove them from their search index?" he asked. "We believe in due process," said Prince. -Cloudflare CEO (Matthew Prince)
      http://www.itworld.com/it-management/357306/legitimate-online-services-enabling-ddos-attacks-hire-sites
  38. “Extralegal?”
  39. TOP SECRET. It's like PRISM, but lame.
  40. Tying it Together
  41. Questions? Allison's perfect specimen