Fyodor Yarochkin - Dissecting unlawful Internet activities

Published on: International Security Conference "ZeroNights 2011" - http://www.zeronights.org/

Published in: Technology
Transcript

  • 1. Dissecting unlawful Internet Activities. Fyodor Yarochkin, Armorize Technologies, @fygrave (c) 2011 Armorize Technologies
  • 2. AGENDA: Observations; Case studies; Sampling goods and services; Q&A
  • 3. MEET THE AUTHORS
  • 4. Our environment: Honeypots (http, ftp, ssh, smtp, ...); Sandboxes + proactive internet “browsing”; End points around the globe; Public discussion groups of interest: scraping and indexing
  • 5. Overview
  • 6. What makes the news.. MALWARE; Black SEO; Fake AV; Mass Injections; CC abuse
  • 7. MAIN ACTORS: Kiddies; Profit-oriented crime; APT
  • 8. Range of players!
  • 9. Kiddies: hit our honeypots daily :)
  • 10. Still live in the IRCBOT age
  • 11. APT: Kiddies are not very interesting. Following the APT guys is a bit more fun. APT – advanced persistent threat (made lots of noise after the Aurora attacks. But.. how advanced is that, really? :-))
  • 12. APT: attack vectors – often plain silly
  • 13. APT in Taiwan: Targets: academics, post, rail, ..
  • 14. APT: main characteristics: Attacks are planned and methodical; In many instances the primary aim of an action is information gathering (i.e. JavaScript that collects and posts the user environment information); Malicious content is well-prepared (digitally signed with valid certificates etc.)
  • 15. APT research from the xecure-lab guys
  • 16. Aptdeezer: APT analysis platform from xecure-lab
  • 17. Businessmen are fun to study :) Traffic; Online goods; Services
  • 18. How to steal a million?
  • 19. Effectiveness: Old school: steal it from a bank. Make a lot of noise and either get caught (or run to South America). New school: steal a dollar from a million people. It is still a million (and no noise).
  • 20. So, where is the money? DIRECT SOURCES: Ads (PPC); Banking credentials; Pharm; CC cashing; Pr0n; Extortions; “Software”; Mobile scam. INDIRECT SOURCES: TRAFF; Credentials; Online goods & services
  • 21. TRAFFIC.. You need users to start visiting your “milking resource” to start with..
  • 22. TRAF. COST (per 1000 installs, as priced on the underground): AU - 300-550$; UK - 220-300$; IT - 200-350$; NZ - 200-250$; ES, DE, FR - 170-250$; US - 100-150$; RU, UA, KZ, KG .. 10-40$
  • 23. Case studies~
  • 24. Infrastructure compromise: case study
  • 25. UNDER THE HOOD
  • 26. Looking into packet fields
  • 27. TRACKING THE GHOST
  • 28. HYPO: ATTACK SCENARIO
  • 29. RESULTED IN... http://tools.cisco.com/security/center/viewAlert.x?alertId=17778
  • 30. Compromised CAs: How about combining this with a compromised CA?
  • 31. WHAT HAD HAPPENED.. `tunnel source <interface>` / `tunnel destination <badIP>`: Your traffic is mirrored!!
  • 32. How were they 0wn3d?
  • 33. AND MORE..
  • 34. LESSON LEARNT: The whole city compromised; Users infected on the fly, while visiting legitimate web sites; Tricky to investigate; Affected parties - complete denial
  • 35. Other varieties ;-)
  • 36. Ad ABUSE: “MALVERTISEMENT”
  • 37. Introducing ad space hell :) Source: razorfishmedia.com
  • 38. Ad network dynamic bidding: the ad network dynamic bidding system is asking for abuse :-) Decentralized, small players feed data to bigger guys (doubleclick); verification is mostly manual; real-time content tampering is easy; automated target selection; a number of mechanisms that prevent click fraud (and make automated analysis hard!!!)
  • 39. MALVERT. Mechanics: iframe -> redirect -> iframe -> redirect -> iframe -> iframe to TDS
  • 40. Malvertisement (cont)
  • 41. Malvert: agencies get 0wned. Pulpomedia incident:
  • 42. Extortions going international
  • 43. Also a Spanish version. Credit: http://xylibox.blogspot.com/
  • 44. Common characteristics: hosting and domain registration. Domain name: bundespol.net; Registration Service Provided By: Bizcn.com; Website: http://www.cnobin.com; Whois Server: whois.bizcn.com; Registrant Contact: Whois Privacy Protection Service, Whois Agent gmvjcxkxhs@whoisservices.cn, +86.05922577888, fax +86.05922577111, No. 61 Wanghai Road, Xiamen Software Park, Xiamen, Fujian 361008, CN. Hosting (RIPE object): person: Ionut Tripa; remarks: SC GoldenIdeas SRL; address: Str. Drumul Sarii, nr. 57C, Sector 6, Bucuresti; phone: +0744885334; abuse-mailbox: goldenideas.ionut@yahoo.com; nic-hdl: IT1737-RIPE; mnt-by: GOLDENIDEAS-MNT; source: RIPE # Filtered
  • 45. WAS ON THE NEWS
  • 46. COMMON PATTERNS: Exploits; Social tricks
  • 47. “Social engineering”
  • 48. Well-operated :) Spreads through advertisements (social engineering and exploits); Reboots the machine until a license is purchased (80USD); Provides a support hotline (hosted in India); Uses legitimate payment gateways (possible to do refunds)
  • 49. Another attack: infrastructure
  • 50. Infrastructure: Speedtest.net -> Ads.ookla.com -> http://35ksegugsfkfue.cx.cc
  • 51. TDS systems: TRAFF marketplace
  • 52. COMMON TDS
  • 53. TDS + verification srv
  • 54. SEO: Another option. Black SEO:
  • 55. SEO USE and abuse :) <*bad* word (rus)
  • 56. SEO SERVICES
  • 57. Goods and services: Sampling :)
  • 58. Digital currencies: Modern day hawala
  • 59. Amusing portals
  • 60. PASSPORT COPIES
  • 61. .. OR A SET: For money of any state of dirtiness. Pack includes: 1. Online bank account access; 2. ATM card (1000/6000USD per month withdrawal limit); 3. Online access passwords; 4. Passport copy of “poor john”; 5. SIM card
  • 62. MALWARE Q/A AND HOSTING
  • 63. Abuse-resistant hosting
  • 64. CLOUD-cracking
  • 65. AND CAPTCHA
  • 66. MOBILE: So far - easy to spot with static analysis tools (android, j2me)
  • 67. Press the button “stop” as soon as possible!
  • 68. LEARNING POSSIBILITIES :)
  • 69. Questions
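Slide 31 shows the router tunnel configuration that mirrored victims' traffic to an attacker-controlled address, and slide 34 notes how hard the compromise was to investigate. As an added example (not from the talk), a small Python audit that parses an IOS-style running config and flags Tunnel interfaces whose destination is not inside an operator-maintained allow-list of known peer networks; the config excerpt and the 10.20.0.0/16 peer network are constructed.

```python
import ipaddress
import re

# Constructed sample running-config excerpt (not from the talk): Tunnel1 points
# at an address outside the known peer list, the "tunnel destination <badIP>" case.
SAMPLE_CONFIG = """\
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.20.0.1
 tunnel mode gre ip
!
interface Tunnel1
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
"""

# Networks where the operator expects its tunnels to terminate (assumed allow-list).
KNOWN_PEERS = [ipaddress.ip_network("10.20.0.0/16")]

def parse_tunnels(config):
    """Map each Tunnel interface to its 'source'/'destination' settings."""
    tunnels, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^interface (Tunnel\d+)", line)
        if head:
            current = head.group(1)
            tunnels[current] = {}
        elif not line.startswith(" "):
            current = None           # '!' or another top-level stanza ends the block
        elif current:
            m = re.match(r"^\s+tunnel (source|destination) (\S+)", line)
            if m:
                tunnels[current][m.group(1)] = m.group(2)
    return tunnels

def suspicious_tunnels(config, known_peers=KNOWN_PEERS):
    """Tunnels whose destination is not an address inside any known peer network."""
    flagged = []
    for name, attrs in parse_tunnels(config).items():
        dest = attrs.get("destination")
        if dest is None:
            continue
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:           # hostname destination: cannot vet offline, flag it
            flagged.append((name, dest))
            continue
        if not any(addr in net for net in known_peers):
            flagged.append((name, dest))
    return flagged
```

Run it against periodic `show running-config` exports and alert on any new entry in the flagged list, since an unexpected tunnel peer is exactly the artifact this case left behind.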