Transcript of "From russia final_bluehat10"

  1. The Grugq | COSEINC, Fyodor Y | ARMORIZE
  2. Meet the “authors”.. :)
  3. Outline
     • Tools and methods
     • Introduction: Geeks or Gangsters?
     • Underground economy: what u never knew
     • Future trends and our research
     • Lining up
  4. My favorite quote: “To make money on the Internet you don’t need much, not even a brain” (from an online tutorial on how to make money)
  5. Brief: Tools and methods
  6. Sources
     • Dealing with a large volume of data (public forums, BBS, manual follow-up)
     • Mostly public data
     • Often: post-mortem analysis of compromised systems
  7. Intelligence gathering
     • Automated and manual analysis of publicly available data
  8. Automation: difficulties
     • Language: complicated for automated processing (slang, misspellings, multiple spellings)
     • Context evaluation for new items of trade requires manual analysis
  9. Ex.: What does this say?
  10. Automated translation
  11. Slang sources
     • Fenya - Russian prison slang
     • Anglicisms - English loan words
     • Rhyming slang - sounds like the English word
     • Direct translation
  12. Tools of the trade
     • Mostly open-source, with custom extensions
  13. Tools: Nutch
     • Content fetcher, extended with custom indexers
     • Changes to spider behavior (“proper” robots.txt handling etc.)
     • Custom “seeders”
     • Distributed indexing (with Hadoop)
  14. Tools: RSS feeds “eater”
     • A bunch of Python scripts thrown together to fetch RSS feeds
  15. Tools: SOLR
     • Customized data indexing and search
     • Custom schema and search fields
     • JSON output used
     • Language “projection” (lingo/slang support)
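Slides 11, 14 and 15 describe the collection pipeline (RSS fetching, slang "projection", JSON documents for Solr) without showing any of it. The following is an added example written for this transcript; it is not the authors' code and not part of the deck. It parses a constructed RSS 2.0 feed with the standard library, folds slang and transliteration variants onto canonical English terms using a synonym table built from the deck's glossary (the Cyrillic spellings and the canonical names such as `money_mule` or `bulletproof_hosting` are assumptions), and emits JSON-lines documents shaped for a search index. The feed content, URLs and field names are constructed for the example.

```python
"""Constructed example: RSS items -> slang projection -> JSON docs for indexing."""
import json
import re
import xml.etree.ElementTree as ET
from hashlib import sha1

# Single-token projection table. Slang terms come from the deck's glossary
# (WMZ, drop, CC, partnerka, traff); the Cyrillic, transliterated and misspelled
# variants, and the canonical names on the right, are assumptions for this example.
TERM_PROJECTION = {
    "wmz": "webmoney", "вмз": "webmoney", "вебмани": "webmoney",
    "lr": "liberty_reserve", "лр": "liberty_reserve",
    "drop": "money_mule", "drops": "money_mule", "дроп": "money_mule", "дропы": "money_mule",
    "cc": "credit_card", "кардинг": "credit_card",
    "traff": "traffic", "traf": "traffic", "траф": "traffic", "трафа": "traffic",
    "трафик": "traffic", "траффик": "traffic",
    "partnerka": "affiliate_program", "партнерка": "affiliate_program", "партнёрка": "affiliate_program",
    "абузоустойчивый": "bulletproof_hosting",
    "ддос": "ddos",
}
# Multi-word phrases are folded before tokenization so they survive as one term.
PHRASE_PROJECTION = {
    "abuse resistant": "bulletproof_hosting",
    "abuse-resistant": "bulletproof_hosting",
    "абузоустойчивый хостинг": "bulletproof_hosting",
}
CANONICAL_TERMS = set(TERM_PROJECTION.values()) | set(PHRASE_PROJECTION.values())


def project_terms(text: str) -> list:
    """Lower-case, fold known phrases, tokenize (Unicode-aware), map slang to canonical terms."""
    folded = text.lower()
    for phrase, canonical in PHRASE_PROJECTION.items():
        folded = folded.replace(phrase, canonical)
    tokens = re.findall(r"\w+", folded)
    return [TERM_PROJECTION.get(tok, tok) for tok in tokens]


def parse_rss(xml_text: str) -> list:
    """Extract title/link/description/pubDate from each <item> of an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        items.append({
            "title": (item.findtext("title") or "").strip(),
            "link": (item.findtext("link") or "").strip(),
            "description": (item.findtext("description") or "").strip(),
            "published": (item.findtext("pubDate") or "").strip(),
        })
    return items


def build_index_docs(xml_text: str, source: str) -> list:
    """Turn feed items into index documents; field names are assumed, not Solr defaults."""
    docs = []
    for item in parse_rss(xml_text):
        terms = set(project_terms(f"{item['title']} {item['description']}"))
        docs.append({
            "id": sha1(item["link"].encode("utf-8")).hexdigest(),  # stable id for re-indexing
            "source": source,
            "url": item["link"],
            "title": item["title"],
            "content": item["description"],
            "published": item["published"],
            "terms_norm": sorted(terms),                          # all normalized tokens
            "trade_terms": sorted(terms & CANONICAL_TERMS),       # only glossary hits
        })
    return docs


def find_docs(docs: list, canonical_term: str) -> list:
    """Search by canonical term, so 'traffic' matches 'traff', 'траф', 'трафик' etc."""
    return [d for d in docs if canonical_term in d["terms_norm"]]


def to_json_lines(docs: list) -> str:
    """One JSON object per line, the shape a bulk indexer ingests."""
    return "\n".join(json.dumps(d, ensure_ascii=False) for d in docs)


# Constructed feed: two invented forum posts, no real site or offer.
SAMPLE_FEED = """<rss version="2.0"><channel><title>constructed forum feed</title>
<item>
  <title>Продам iframe траф</title>
  <link>http://forum.example.invalid/thread/1</link>
  <description>Iframe traff RU/UA, 4 WMZ за 1000 кликов. Бот траф не принимаем.</description>
  <pubDate>Mon, 30 Aug 2010 10:00:00 +0000</pubDate>
</item>
<item>
  <title>Need drops</title>
  <link>http://forum.example.invalid/thread/2</link>
  <description>Need drops in US. Abuse resistant hosting available, pay in LR.</description>
  <pubDate>Tue, 31 Aug 2010 09:30:00 +0000</pubDate>
</item>
</channel></rss>"""

if __name__ == "__main__":
    docs = build_index_docs(SAMPLE_FEED, "constructed-forum")
    print(to_json_lines(docs))
    print("posts selling traffic:", [d["url"] for d in find_docs(docs, "traffic")])
```

The projection table plays the role of a Solr synonym filter applied at index time: an analyst querying `traffic` or `money_mule` hits posts regardless of which spelling or language the seller used, which is exactly the slang problem slide 8 raises. In a real deployment the table would be maintained by the analysts as new slang appears, and the `trade_terms` field gives a cheap per-post signal of what is being traded before anyone reads the text.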
  16. Tools: Web UI/Maltego
     • Web UI: easier
     • Visualization: Maltego custom transforms
  17. Overall picturesque
  18. Maltego
  19. Introduction: Geeks or gangsters? :)
  20. From Russia with love..?
     • What is the biggest export from Russia except for oil, gas, and nuclear scientists..? :)
  21. - Malware - stuff that lives in your PC against your will :)
  22. Typical export sample:
     • Targets MS platforms
     • Often multi-component (loader, payload functions in the form of DLLs etc.)
     • Sensitive information collection (data, keystrokes and credential information)
     • Turns the computer into a web proxy, SMTP proxy, SOCKS proxy etc. (useful for rent, spamming etc.)
     • May extort money from the end user
  23. Looks familiar?
  24. Moscow arrest (31/08/2010)
     • Annual income: over 500,000 rubles (100,000 USD)
     • One unlock charged at 300 rubles (10 USD) via SMS
  25. Scale: big
  26. “Export” through legitimate sites
  27. Which end up in Google blacklist
  28. Why such a spike?
     • Fun?
     • Profit!
  29. But there’s much more than malware.. OTHER COOL STUFF :-)
  30. That’s not a Russian hax0r
  31. This is closer..
  32. Russian underground economy
  33. Where is the money!
     • Banking credentials
     • Credit cards
     • Shops and goods
     • Online goods and services
     • Online currencies
     • Monetization via carrier providers and more
  34. Disclaimer: We don’t sell or advertise any service. We simply look at the trades :-)
  35. Basics (“Ликбез”): some terminology
     • WMZ - WebMoney unit; one WMZ = one USD
     • Drop - money mule
     • CC - credit cards
     • Abuse resistant - safe to host any kind of fraudulent service
     • Partnerka - partnership program
  36. Online currencies
     • WebMoney (WMZ)
     • Yandex Money
     • LR (Liberty Reserve)
  37. Exchange points
  38. Credit cards: very accessible
  39. Money washing
  40. Drop: another way to turn dirty cash into profit
  41. Mass domain theft
  42. Traffic generation: as big biz
  43. Costs per 1000 unique visitors
     • AU - 300-550$
     • UK - 220-300$
     • IT - 200-350$
     • NZ - 200-250$
     • ES, DE, FR - 170-250$
     • US - 100-150$
     • RU, UA, KZ, KG .. 10-40$
  44. Other online goods
  45. Looks familiar?
  46. Cards, burners
  47. And more
  48. Passport scans
  49. “Business package” includes..
     For money of any degree of dirtiness! Pack includes:
     1. Bank account (online access)
     2. ATM card (withdrawal limit 1000$ per day / 6000$ per month; limit increase possible for +30$)
     3. Code card (passwords for online access)
     4. Passport copy of the drop (“poor john”)
     5. SIM card
     Also can be pre-ordered on a custom passport scan (25 USD)
  50. DDOS: very affordable
     “We remove your competitors’ sites with a DDOS attack. Fast and effective.” Supported: … Prices (in WMZ ~= USD). Discounts for bulk.
  51. DDOS 911
  52. Abuse resistant hosting
  53. Malware A/V QA
  54. Hash cracking in cloud
  55. Captcha in cloud
  56. Exploit packs
  57. With nice stats
  58. Stats per country: clicks, loads (pwned ;), percentage
  59. Need to build a botnet?
  60. Welcome: TDS system
  61. Seller
  62. Buyer
  63. Owner
  64. “Game” rules :)
     • Iframe traff. No bot traf (ruclicks)
     • 4 USD/1000 clicks
     • Payday - every Monday
  65. Making money together: Fake AV affiliation program
  66. Fake AV payouts: Login, Balance
  67. Crimeware: trends and research
  68. Moving mobile
     • Steal a dollar from a million - still a million dollars
     • WAP sites spreading trojaned games are very popular
  69. Mobile malware
  70. SEO spam (the screenshot contains a Russian expletive)
  71. Now - delivered professionally :)
  72. Malware through infected ads
  73. Hidden behind login screens
     • Frequent in banking or other attacks targeting online credentials
     • Effectively prevents services like Google blacklist, HA and others from identifying infections
  74. Research
     • Monetization schemes
     • Taking over the existing infrastructures for forensics analysis and statistics
     • Hunt the hunters
  75. Hunt the hunter
     • Pwnkit - automated exploit kit pwner
       • Automated exploit kit fingerprinting
       • Password bruteforce
       • Exploiting bugs and common misconfigurations
       • Generates statistics on exploit pack usage in the wild
  76. Misc. case studies :)
  77. Botnet DIY ;)
     • Goal: 1,000,000-node botnet
     • No skills required
     • Buy these (available on sale): traffic, abuse-resistant service, exploit pack, botnet gear
  78. How much it costs
     • Traffic - 10-15K USD (mixed); infection ratio around 10-20% (depending on exploit pack)
     • Abuse resistant server - 300 USD/month
     • Exploit pack - 200-2000 USD
     • Botnet gear - 500-10,000 USD
     • = 15-20,000 USD total + 1-2 months of work
  79. Conclusions
     • You can be a victim even if you paid for Kaspersky and apply patches regularly :)
     • While malware is what you mostly see, cybercrime is not about malware, it is about money
     • Global economy - global fraud
     • 0day is not important. Volume is important
     • (Mostly) not organized crime but an ecosystem
  80. What’s next?
  81. Questions?
     • Fyodor.y@armorize.com