Your SlideShare is downloading. ×
Surfing with Sharks   KS ED TECH 2012
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Surfing with Sharks KS ED TECH 2012


Published on

Crimeware and the dangers of the Internet

Crimeware and the dangers of the Internet

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide
  • You are probably asking yourself this question – I’m at an education technology conference – so why is a Security guy standing on the stage?
  • Let me answer that for you!
  • Well they all run one of these
  • If all of these components share these things in common (for the most part) where would be the best place for me to attack?Bingo – Internet components!
  • Quick show of hands – who thinks:- PC’s are the Safest?MAC’s are the Safest?Android Devices?iOS (iPhone/iPAD/iPod) Devices?Well in terms of safety while surfing the internet I would rank them as follows. Notice I didn’t say most secure. What if I asked “What is the Most Targeted?” What would that look like? You may be safer using a certain type of device but it is, in most cases, not due to a technology being more secure but really associated with it being less targeted. As use of these devices increases they will most certainly be targeted by cyber criminals.
  • Exploit kits are packs containing malicious programs that are mainly used to carry out automated ‘drive-by’ attacks in order to spread malware. These kits are sold on the black market, where prices ranging from several hundred to over a thousand dollars are paid. Nowadays, it is also quite common to rent hosted exploit kits. Because of this, it is a competitive market with lots of players and many different authors.Source: “”
  • TheBlackhole kit in particular is A type of crimeware Web application developed in Russia to help hackers take advantage of unpatched exploits in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites would be redirected to a browser vulnerability-exploiting malware portal website in order to distribute banking Trojans or similar malware through the visiting computer.Blackhole exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.Some kits in the wild have been seen to call and exploit windows media player as well. The most probable reason for this is the fact that windows media player updates are usually shown as “optional updates” unless included in major updates such as service packs. With newer versions of the kit come upgrades in exploits, strategy, and functionality.
  • In a normal download, you send requests and the website responds.If you send a download request, you often get a confirmation “Are you sure?” which you can visibly see as the user.So you see the download happening, as it saves to your computer.
  • In a drive-by, while you interact or view the site, the site will start an invisible download to your computer.As a user, you won’t see it and you will have no indication of it occurring. It won’t ask you for your permission and you don’t know that the website is saving something to your computer.Once it’s done, your computer is now under the hacker’s control (invisibly).
  • Visit compromisedWordPress blog – startcooking.comOnly indication of compromise is that Java starts up while visiting.Open up TaskManager and see cs8v0k.exe (Malware downloader) with garbled description.Soon that closes and efzi.exe starts up – same description – this is the malware bot.Infected! It’s that easy.
  • Unlike the beach where lifeguards will post signs if a Shark has been sited or if someone is attacked – on the Internet you generally have no idea if Sharks are lurking in your area…so you need to remember that just like in the ocean --
  • Exploit Kits are very specific to their name, they are meant to help exploit or hack users, what happens after exploitation really depends on what specific payload or malware is used after. In the wild it is very common to see info stealers combine with backdoors. This means access and information, hackers want resources weather it be information to sell for money or access to computers to use as a bot net. It is always possible that it could much more targeted such as espionage or personal reasons.The first Blackhole exploit kit appeared on the black market in August 2010 as a Web application available for sale on a subscription basis ($1,500 for an annual license).The question that will be answered coming up:How do you buy it?How much does the new one cost?Where can you buy it?Any examples? Forums, etc?What can you do with it?How would you use it?
  • Visits liveblackhole site.Key is already in URL – starts removing the values in all the parameters and refreshes page – gets the main dashboard.Able to sort by date.Views hits by country, browsers, exploits, operating systems.
  • Flashback is the name of a recent piece of malware out for macs which has been reported to have infected over 600,000 Mac users. This malware was made from a flash vulnerability found to affect the Windows operating system. Malware makers reversed engineered a Windows update in February of 2012 and produced another strain of malware for Macs. What does it do? This malware will steal passwords and other information through Web browsers and other applications and send the information back to the attackers over the internet. Earlier instances of this piece of malware disguised itself as a flash update but newer versions do not require any user interaction allowing for a silent installation and infection. Apple released updates which patched against this vulnerability 2 weeks after the malwares discovery. This rise in levels of malware for macs only emphasizes the need for safe user practices for both Windows and Mac users. Spohos recently release a study showing 20% of Mac computers carried at least one type of windows malware if not more. While Windows malware may not affect Mac computers they can still spread through them to other systems. Aside from the Windows targeted malware, every 1 in 36 Macs were found to be infected with malware designed for Macs. In these statistics a point to be made would be the fact that most infections could have been prevented through proper and regular use of antivirus software and safe practices. There is a free tool available through to automatically detect and remove the Flashback malware.
  • Stopav.plugvg8, avg9, arca2009, arca2008, avast5, ESET NOD32 Antivirus 3.x/4.x, ESET Smart Security 3.x/4.x, Avira Premium Security Suite, Avira AntiVir Premium, Avira AntiVir Professional, BitDefender Antivirus 2010, McAfee AntiVirus Plus 10, Microsoft Security Essentials, DrWeb
  • This demo not yet uploaded.
  • Severa is short for “Peter Severa,” a Russian who is listed at #5 onSpamhaus‘s Register of Known Spam Operations (ROKSO). According to Spamhaus, Severa is one of the longest operating criminal spam-lords on the Internet. Severa advertises his spamming services on several invite-only cyber crime forums.
  • E-mail list of CIO’s, Presidents, COO’s, etc.Sold in 5 hours.
  • Blackhat SEO uses techniques like hidden text, invisible / off screen divs, etc.
  • So here is a quick example. What is more innocent than a crafty apple search? Well, in this google image search result five (5) of the top 14 returned results are actually links to site that will try to infect your computer if you click on the image. Google tries to protect you by putting the image in a frame and previewing it; however, the site uses specific tricks to automatically break out of the Google frame. At that point you would see a pop-up trying to convince you that your computer is infected with malware. Once infected the malware will try to convince you to purchase a removal tool and will also stage your computer for future control by the malware author.
  • Open up Bifrost again like before.Our victim checks his e-mail and sees something wrong with his Facebook account.Once he clicks the link, he’s already infected. We can turn on a keylogger and steal his password as he types it in.We have full access to his computer, if we like. Full control – just from a click.
  • This past May user “georgiabiker” of recently came across a new drive-by malware attack website that automatically downloads installation files to your phone upon browsing to the website. This new drive-by attack website lays down the foreshadowing of security trends and issues to come with android and other mobile operating systems. The drive-by attack utilized a malicious iframe injected into the website which could analyze the “User Agent” string of the users browser to see if the browsers operating system was of Android or not. Upon determining that the viewing browser was from an Android OS it would redirect users to a malicious Android installation file (APK).According to an analysis performed by Lookout Mobile Security, “Based on our current research,  NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update. This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy.” This means that this malware could be used to gain access to other devices and/or steal information. Figure 1 (Screenshots from redditor, Georgiabiker)This instance of Android drive-by malware appears to be in its early stages as it still depends on the user to install the deceivingly named malicious install file “update.apk”. As Android based malware and attacks evolve users will need to be ever more diligent. As with computers the best security practices are safe user browsing practices such as having “Unknown sources” setting disabled as well as a up to date antivirus programs.
  • Drive-by download sites are one of the largest and growing threats on the internet. Attackers can use phishing to trick users to navigating to their malicious website or even infect legitimate websites compromising users as they trustingly go by. When you become a victim of a drive-by download attack many times the infection results in backdoors to your machine, theft of information, and/or malicious access to other devices within the same network. Use these tips and tricks to stay out of the statistics and in control of your own computer and information.Drive-by downloads usually attack browser plugins, keep plugins up-to-date. When you see the java icon in the corner saying there is an update available don’t ignore it. You can use websites such as to scan plugins for updates and browsers for security issues. Keep antivirus up-to-date, sometimes it’s hard to tell if a link is malicious or a website compromised, at the least protect yourself with the latest virus signatures. Use safe browsing practices, the website isn’t going anywhere, take the time to check if you recognize the URL behind the links. You can usually see a links URL by hovering you mouse over the link. If you’re really unsure but need to visit the website you can scan the URL, websites such as the following will allow you to check if website has been reported to be an attack website: it may make browsing a bit tedious it’s a safe practice to disable JavaScript in your browser and only allow JavaScript to run on websites you trust and recognize. If you’re a Firefox user use the NoScript Add-On.
  • Transcript

    • 1. Surfing with Sharks: Why theInternet is a Dangerous Place
    • 7. Why am I here?
    • 8. Do You Use One of These?
    • 9. What Do They All Share In Common?
    • 10. So Let’s Think Like A Bad Guy
    • 11. MOST SECURE? MOST TARGETED?1 4 3 22 3 4 1
    • 12. Some DefinitionsHackers and Black HatsVulnerabilities, Exploits, and Payloads
    • 13. Exploit kits• Tools for hackers – Popular exploits packaged together with controls and add-ons• Web applications which deliver malware payloads• Many different exploit kits out there
    • 14. Blackhole exploit kit• Most popular kit on the black market• Robust stat tracking• Malware as a service – Sign up for a hosted service – Customer support• Exploits for browser plugins: – Adobe Reader – Adobe Flash – Java
    • 15. Invisibility• Exploit kits like to use “iframes”• What are “iframes”?• Like a picture frame, just mount it on a website• To hide the content just make the frame really small “0x0 pixels” small• Now the website can show malicious content from another website without anyone noticing
    • 16. Drive-by Downloads• Most exploit kits use “Drive-by Downloads”• What are drive-by downloads? – “A download that happens without a persons knowledge, often spyware, a computer virus or malware.” – Wikipedia – A download that happens in the background without you seeing it – How does this work?
    • 17. Regular Download
    • 18. Drive-By Download
    • 19. How Bad is it?• Recent Norton cybercrime report shows:• $388 billion worldwide over the past year in costs caused by cyber crime• 35% of that number was incurred by individuals and businesses from the U.S.• 141 victims per minute• Keep in mind: this was just the reported costs . For every reported event or incident there are countless others that go unreported.
    • 20. How Bad is it for businesses?In 2010 Trend Micro did a survey:• Of 130 businesses: 100% had some type of active malware• 72% had evidence of botnets• 56% had data stealing malware (eg. keyloggers)• 42% had worms (self-propagating) Things have only gotten worse.
    • 21. How Bad is it?2010 2011• 286,000,000+ New • 403,000,000+ New variants of Malware variants of malware• 45,926 Malicious Web • 55,294 Malicious web domains domains
    • 22. You ARE Not alone• It is important to know who else is in the “water”• What do they want?• Where do they lurk?• How do they catch their prey?• How can you spot them and protect yourself?
    • 23. Why me?• Would you ask a real shark “why!? ”• Online Sharks want: – Reputation – Power – Information – Money• Bottom Line - If you use the Internet, you are a target
    • 24. So who are the sharks?• Organized Crime Syndicates based in ASIA and the former USSR• Small groups of Hackers in the US, Asia, or the former USSR• Hacking has evolved into a very sophisticated industry of malware production• "Cybercrime is one of the fastest growing and lucrative industries of our time,“ - - Dave Marcus, Director of Security Research for McAfee Labs.
    • 25. Why? How?• How do hackers go about obtaining these tools?• What do they do with it?• Why would someone do this?
    • 26. Becoming a Shark
    • 27. How to become aa“hacker”How to become “shark” Victims Exploit Infection Payload
    • 28. All you really need is money!• Purchase an exploit kit• Purchase a trojan• Purchase victims? – Phishing services – Traffic services• Profit
    • 29. Victims Exploit Infection PayloadPurchasing An Exploit Kit
    • 30. Black Market Forums• Exploit kit advertisements on various black market forums• BlackHole the first exploit kit to introduce a hosted option – Let the “professionals” configure and host it for you! – The most popular option – Includes free domain and support! – Hosting spread around the world
    • 31. Black Market Forums• Payment is usually through virtual currencies like Liberty Reserve or WebMoney• User reputation and forum escrow services!
    • 32. Quality and Service• Creators of the kit funneled their revenue back into improving their product• Updated frequently with the latest vulnerabilities – November 2011 – Only a few days to add the latest Java “1-day” to the kit – “We’d never seen an exploit kit update itself to use the latest vulnerabilities that quickly.” – Bradley Anstis, M86 VP of Technical Strategy• Russian and English language support• Banner advertisements
    • 33. FEATURES• Statistical widgets – Geolocation, operating system, browser, exploit, and more!
    • 34. MAC FlashBack Trojan• Delivered by hacked WordPress blogs and social networking sites• Infected over 600,000 Mac users (1.8% of Macs)• Made from reversed engineered Windows update in February• Steals passwords and other info
    • 35. FEATURES• Vulnerability Detection – Built-in engine determines which exploit to use• Traffic redirection script based on rules • OS, Browser, Plugins, Date
    • 36. MORE FEATURES• Advanced payload and exploit obfuscation• Some examples…
    • 38. Victims Exploit Infection PayloadTROJANS AND RATS
    • 39. Trojans and RATS“Exploit kit is the gun, the payload is the ammo”• Trojans, Remote Administration Tools – Usually client / server design – Client makes outgoing calls to server• What kind of features would make a good trojan? – Info stealing – Hard to detect / remove – File downloading and execution – Computer control – RAT protection? Self-defense?
    • 40. Fake Anti-Virus• One use of the Trojan is to trick you into buying fake anti-virus
    • 41. CarBerp• Banking Trojan – Man-in-the-Middle forms grabber – Screenshots, Downloaders – Facebook scam• Carberp Trojan popular choice with BlackHole – Stopav.plug • avg9, ESET NOD32 Antivirus 3.x/4.x, McAfee AntiVirus Plus 10, Microsoft Security Essentials – Passw.plug – Miniav.plug • ZeuS, Limbo, Barracuda, Adrenalin, MyLoader, BlackEnergy, SpyEye• Unlike most malware (ZeuS, SpyEye), Carberp is not marketed publicly
    • 42. ZEUS• Another banking Trojan – Man-in-the-Middle keylogger and form grabber – Only targets Windows – Costs $700 - $15,000• Estimated botnet size 3,600,000 (US only)• Cyber crime network discovered by the FBI on Oct. 1, 2010 – Stole ~$70,000,000 US• Source code leaked May 2011 – Custom versions and off-shoots released soon after
    • 43. Bifrost• Let’s take a look at the Bifrost RAT
    • 44. Victims ExploitsInfection PayloadObtaining Victims
    • 45. Obtaining Victims• We need people to visit our Blackhole Kit so we can infect them• Two methods: – Phishing / spam e-mails – Iframe Traffic Generation• Again, all you need is money!
    • 46. Obtaining Victims
    • 47. Obtaining Victims• “Phishers” are Getting Smarter
    • 48. Iframe traffic• Purchasing compromised website traffic• WordPress blogs are a prime target – One infected blog got over 150,000 hits – Pilfered FTP credentials – Plugin vulnerabilities
    • 49. How does this work?• Search Engine Poisoning / Optimization (SEO) – #1 Vector for Malware (40%)
    • 50. Search Engine Poisoning
    • 51. Obtaining victims• Two main methods: – Phishing and spam emails – Purchasing iframe traffic • SEO, Compromised websites
    • 52. Victims Exploits Infection Payloads Putting It All TogetherSURFING WITH SHARKS
    • 53. The final product• So we have our exploit toolkit, our payload, and a way of obtaining victims.• Let’s show an infection: – Firing off a phishing e-mail – Client-side exploitation – Payload delivery – Game over
    • 54. Protecting yourself
    • 55. Everyone is a Target• Windows, Mac… – Even Smartphones and Tablets! – New Drive-by attacking android smart phones discovered in May 2012
    • 56. Protecting Yourself • Attackers use tricks like phishing, SEO, and drive-by downloads • Keep your OS, plugins, and anti- virus up-to-date • Use safe browsing practices – Inspect links, be overly cautious – Not necessarily strange websites
    • 57. Other tips• Disabling or uninstalling Java, Flash• Disabling JavaScript – Mozilla Firefox NoScript
    • 58. Any Questions?