
Your Money or Your File! Highway Robbery with Blackhole and Ransomware


Drive-by downloads—attacks that exploit a user’s browser to distribute malware and steal data—are nothing new. But today’s most popular drive-by malware, called Blackhole, is highly sophisticated. As an IT professional, you need to understand how cybercriminals use the Blackhole crimeware kit to attack your employees with rootkits and ransomware.

Published in: Technology
  • This presentation is about crimeware: how it gets into your networks, what it does while it’s there and why so many attackers are using it. It looks at an attack scenario that combines two of the most commonly used and technically capable pieces of crimeware, the Blackhole exploit kit and the ZeroAccess rootkit. You’ll see why these kits are so useful to the bad guys and how we can protect our networks and users.

    Both Blackhole and ZeroAccess are enablers in the world of malware. The attackers use them as a means to an end, not an end in itself. The ultimate goal of cybercriminal groups doesn’t change very much: they want to steal data, whether personal, financial or business data, or use your network resources for their own purposes such as sending spam and launching distributed denial of service attacks. The software and techniques to do this are well established, and yet there are hundreds of thousands of new pieces of malware each day. Why? Because the big challenge malware authors face is not their end goal; they know very well how and where to get the data they want. Their challenge lies in getting past the security measures we put in place to keep them out. That’s where tools like Blackhole and ZeroAccess come in: Blackhole to deliver the attack through the outer defenses, and then ZeroAccess to keep it concealed on the final target computer.
  • An innocent victim’s first contact with malware will usually be via a website like the one here: a legitimate site that has been hacked, usually as a result of either stolen updating credentials or weaknesses in the applications on the website that allow the attackers to take control. A tiny piece of code injected into the compromised site will silently load the site on the right. It’s not much to look at, but that’s OK because the user will never see it. It will be loaded off screen or in a tiny frame, invisible to the user. This is the landing page for the exploit kit, and this is where the exploits themselves happen. This particular page is probably trying to deliver a Java exploit.

    The compromised sites themselves are unrelated and completely oblivious to the attack. In this case the first compromise is of a TV services company in Italy, and the exploit kit has been hosted on the website of a furniture store in California. Alternatively, we sometimes see an attack page embedded directly in a spam email. This avoids the need to lure victims to a compromised page. However, given the sheer number of compromised pages that we see, it’s not hard to find victims. Of the malicious websites seen in SophosLabs, almost 30% are related to the Blackhole exploit kit. The majority of these are the compromised sites that are the first contact between victims and attackers.
  • The first component of Blackhole is a JavaScript which directs the browser to load code from a site under the attacker’s control. This is the reconnaissance stage of Blackhole, designed to seek out the weaknesses in the PC’s defenses. Typically it will use multiple different types of encoding in an attempt to make analysis and detection more difficult. The script’s purpose, however, is simple. It determines which browser and plugins are available and which versions are installed. Blackhole has a variety of exploits available to use when attacking and will select those that will be effective against the installed software.

    As with any successful software, Blackhole has evolved over time. Version one included a variety of exploits, as shown here, targeting Adobe Flash, Adobe Reader, Java and assorted other vulnerabilities. For example, after a vulnerability was disclosed in Microsoft’s XML Core Services it took less than two weeks for the Blackhole kit to add the corresponding exploit to its arsenal. Even though the exploit was not widely used, it serves as an example of the continuous improvement that exploit kit authors are involved in. Towards the end of 2012 a new version of the kit was released with a slimmed-down exploit set focusing principally on Java exploits. More recently we have also seen a premium exploit kit from the same author as Blackhole. Known as the Cool exploit kit, this uses only unpatched exploits.

    A typical attack might check the version of Java that is installed. If it finds version 6 it will send one exploit; if it finds version 7 it will send a different exploit. Once the exploit is in place it will download and install a piece of malware. The key to its success is finding the weakness in the defenses. Once it has assessed the defenses it will try whichever attacks are likely to succeed. What is so striking about the success of kits like Blackhole is that they do not need to use zero-day exploits to be successful. The vulnerabilities it targets are known and patches are available. The true vulnerability that these kits exploit is the overworked IT department that is too busy to find and deploy software updates.

    All of these attacks have the same goal: to run a piece of malware on the target computer. It doesn’t matter to Blackhole what that malware is or does. Blackhole is just the delivery mechanism. The malware is chosen by whoever has licensed or rented Blackhole.
  • Criminals using Blackhole can choose to deliver a wide variety of threats. Analysis of these deliveries in 2012 showed that the most popular malware at the end of the delivery chain was Zbot, also known as Zeus, a Trojan used for stealing financial login details such as online banking credentials. Also popular were ransomware (which locks a user’s computer or files and demands a ransom to release them), other password stealers and some rootkits.

    So far we have seen three stages of the Blackhole attack:
      • First, the initial contact, either by email or compromised website
      • Second, the redirection to the attack site, which probes for weaknesses
      • Third, the exploit delivery itself and the resulting malware drop

    For the initial email contact, a spam filter with content scanning should do the trick nicely, blocking the email due to either the obfuscated JavaScript content or the botnet-based origination. For the web components, a web filter, either at the network or endpoint level, which actively scans content should identify the probing JavaScript or the iframe that includes it in a compromised website. A simple reputation filter would fail in cases where a legitimate website has been compromised to host the attack.

    To block the exploits, the best solution is to patch. Blackhole and other similar kits target mainly application vulnerabilities in Flash, Adobe Reader and Java, with a few operating system and browser vulnerabilities thrown in for good measure. All of these potential targets have mechanisms that will either automatically check for and install updates or remind you when updates become available. A common question that we are asked is how soon to deploy a patch after it is released. The answer is simply as soon as you can, especially for out-of-band patches released outside the normal schedule. Often these are expedited because the flaws they patch are being actively exploited, meaning that every day you wait to patch leaves you exposed.

    Maintaining consistent patching is key across the range of targets because the exploit kits are designed to locate the weak spot in your defenses. A fully patched operating system doesn’t help you if your browser’s Flash plugin is out of date. Patch assessment tools can help you to locate these weak spots for yourself and fix them before they let the bad guys in. There are, of course, occasional zero-day vulnerabilities that patching can’t help you with. As with everything else in security there is no magic bullet, just ways to reduce your risk. For zero-day vulnerabilities there may be mitigation options from the vendor concerned, and endpoint security tools can also help here, with behavior-based HIPS identifying the exploit in progress or the attempt to install the malware payload.
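The off-screen frame injected into a compromised site (described two notes up) and the content-scanning check recommended here, as an added example that is not part of the Sophos presentation: a small Python scanner that parses HTML and flags iframes a user would never see. The size threshold, the style heuristics and the sample page are assumptions.

```python
"""Flag hidden iframes of the kind injected into compromised sites.

Added example (not Sophos code): parse HTML and report <iframe> elements
whose size or CSS makes them invisible, the pattern used to pull an
exploit-kit landing page into a legitimate page off screen.
"""
from html.parser import HTMLParser
import re

TINY = 2  # assumed: a frame at or below this many pixels is "invisible"
# Assumed CSS heuristics: display:none, visibility:hidden, negative
# offsets, or a zero/one pixel width/height set via style.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top)\s*:\s*-\d+|"
    r"(?:width|height)\s*:\s*[01](?:px)?\b", re.I)


class IframeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            m = re.match(r"\s*(\d+)", a.get(dim, ""))
            if m and int(m.group(1)) <= TINY:
                reasons.append(f"{dim}={m.group(1)}")
        if HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("hidden via style")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_hidden_iframes(html: str):
    """Return [(src, reasons)] for every iframe that looks deliberately hidden."""
    p = IframeAuditor()
    p.feed(html)
    return p.findings


# Constructed sample: a legitimate page with one injected off-screen frame.
SAMPLE = """
<html><body>
<h1>Furniture store</h1>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<iframe src="http://landing.example.invalid/index.php" width="1" height="1"
        style="position:absolute;left:-5000px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE):
        print(src, "->", ", ".join(why))
```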
  • We’ve discussed the technical mechanism behind Blackhole, but what is the motivation behind its author? Money.

    An exploit kit is a tool used by attackers to get their software installed on a victim’s PC. As the name suggests, these kits exploit security holes in the installed software to deliver their chosen payloads. Blackhole is just one piece of an interconnected underground market for malicious software. The folks who write Blackhole aren’t the ones who use it. They aren’t interested in sending spam or the other uses of botnets and malware. Their business is purely to create and sell exploit kits as a service to online criminals. The kit is developed and sold to cybercriminals in a variety of packages. As with other similar kits, the criminals can license Blackhole itself for a period of 3, 6 or 12 months. However, the truly lazy cybercriminal can simply rent a version that is fully set up and hosted by the Blackhole authors. Shown here is a price list for version 1.0.0 of Black Hole, translated from the original Russian. Other similar kits vary in cost and options, some including updates to the exploits over the course of a license, others charging a premium for more recent exploits, zero-days or versions that are tested against anti-malware software.

    The Cool exploit kit is a premium kit which uses only zero-day exploits that are unpatched and not in general use. According to research by blogger Brian Krebs, the Cool exploit kit costs significantly more than Blackhole: around $10,000 per month. The authors use the proceeds of this expensive kit to fund the buying of new exploits on the black market. An unscrupulous researcher who discovers a new security hole in popular software can choose to sell the details to exploit kit authors rather than letting the software vendor know. Once the exploits used by Cool become widely known they will be integrated into Blackhole and other kits. The attackers are well aware that even known security holes are very effective against a world full of people who are too busy to keep their security and application patches up to date.

    The people behind Blackhole aren’t interested in installing stuff on your PC; they just create and sell the tools to the people who are. And they are pretty successful: an analysis of detected web threats between October 2011 and March 2012 showed that almost 30% of the detected threats were either Blackhole kits or redirects from compromised legitimate sites to Blackhole kits, showing just how prevalent this form of attack is.
  • The next stage in an attack is the actual payload at the end. This is what the people who pay to license Blackhole actually want to deliver to you, and this is how they pay those licensing costs.

    The most visible of these is the trend towards ransomware. These attacks aim to hold your PC or your data files hostage until a ransom is paid. There are several types of ransomware, but the majority of attacks fall into one of two categories. First, winlockers. As the name suggests, these programs, like the one shown here, simply lock you out of Windows. All the user sees is the ransom message. The second type, known as file encryptors, encrypt your data files: documents, images, videos etc.
  • There are two mechanisms working against the victim here. The first is the simple fact that they are prevented from using their computer. This in itself might be enough to prompt some people to pay a ransom to get their computer back. After all, the lack of a computer can be a serious hindrance to life and work in the modern world. The second aspect of this attack is the social engineering put in by the criminals behind it. Rather than just lock the computer and demand a ransom, they instead concoct a reason why the PC should be locked and cloak the ransom demand in the form of a fee payment or a fine.

    In this case it appears the FBI are fining us for some particularly nasty online behavior, accessing child pornography. This particular charge is a little extreme and is unlikely to convince many people. Other ransomware authors use charges of more common online practices, such as file sharing, to ensnare their victims. So in this case both the frustration of being locked out of their PC and the threat of legal consequences encourage the victim to pay.

    One of the questions we are commonly asked is “why can’t we just follow the money to find the criminals?” The criminals of course know this and use less well monitored or policed payment methods. In the case of ransomware they often use online payment methods such as Ukash or MoneyPak rather than the credit card payments that were used in older fake antivirus scams. We should point out that neither Ukash nor MoneyPak are part of the scam; they are simply being used by the criminals. In fact MoneyPak keep a list of scams that their customers should beware of on their website, and FBI internet scams are the first on the list. The ransomware itself conveniently gives the victim a list of stores where they can buy a MoneyPak in order to pay the ransom.
  • Of course, if you live outside the United States the threats from the FBI and instructions to head to your local Kmart aren’t going to work very well. The ransomware authors have solved this by translating their attack to countries around the world, each with its own local police agency named and localised payment instructions. Of course, seeing several together like this it’s obvious that they are using a template, and in fact these all come from the same piece of ransomware. Rather than carry around different versions of the locking page, the first stage of the attack is to identify where the victim is by looking up their IP address in a database and then downloading the corresponding message from a server controlled by the criminals.

    Should you pay the ransom? No. In most of these cases a security tool that offers a clean boot environment, such as a boot CD, will allow anti-malware products to find and remove the ransomware. In the case of winlocker attacks your files themselves are left alone. Once the lock is removed you are able to get back to your day.
  • The second major category of ransomware, known as file encryptors, is rather less forgiving. Instead of locking you out of the computer they leave it functioning normally but encrypt your useful data files. Any attempt to use those files is met with a message like this one. Unlike the winlocker scam there is no attempt at social engineering here. This is extortion, plain and simple. The payment methods used are the same as those for the winlocker scams.

    Across the history of ransomware there has been a broad range of encryption used. Some authors have broken the cardinal rule of crypto and built their own encryption. Often these are simple algorithms, enough to defeat the average user but easily reversed by security vendors, who often supplied free tools to undo the damage done by the malware. In response the malware authors moved to commercial encryption algorithms, but even then some made implementation mistakes that allowed recovery tools to be created. For example, if they used the same encryption key for all the files on a PC, then a copy of an unencrypted file along with the corresponding encrypted file can be used to reverse engineer the key for all other files.

    Eventually the ransomware authors came up with a method that is effectively unbreakable, using a combination of enterprise-grade algorithms such as AES-256, unique keys for each file and public key crypto to ensure that only the ransomware author can reverse the encryption. The technology used makes recovery much more complicated. For the latest ransomware file encryptors a decryption tool is just not feasible, making the only effective recovery mechanism restoring from backups.

    As for paying the ransom, again our advice would be not to pay. Most people who pay do not get their files back. In fact many of the malware attacks don’t even include code to reverse the encryption.
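The same-key-for-every-file mistake described above, as an added example that is not from the presentation and not any real ransomware’s algorithm: a constructed toy encryptor using repeating-key XOR, and the recovery a vendor tool can do once a single file survives unencrypted elsewhere (a mailed copy, a backup). The key, file contents and names are all made up.

```python
"""Why one reused key sinks a file encryptor.

Added example, not Sophos code and not any real ransomware's algorithm:
a constructed toy that XORs every file with the same repeating key (the
"built their own encryption" mistake), and the recovery possible once one
file is known in the clear. Per-file keys would make this impossible.
"""
from itertools import cycle


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; one key for every file is the weak design."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


toy_decrypt = toy_encrypt  # XOR is its own inverse


def guess_key_len(plaintext: bytes, ciphertext: bytes, max_len: int = 64):
    """Smallest period of plaintext XOR ciphertext, i.e. the key length."""
    stream = bytes(p ^ c for p, c in zip(plaintext, ciphertext))
    for n in range(1, min(max_len, len(stream)) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return None


def recover_key(plaintext: bytes, ciphertext: bytes, key_len: int) -> bytes:
    """One known plaintext/ciphertext pair gives back the whole key."""
    if min(len(plaintext), len(ciphertext)) < key_len:
        raise ValueError("need at least one full key period of known data")
    return bytes(p ^ c for p, c in zip(plaintext[:key_len], ciphertext[:key_len]))


def recover_all(known_name: str, known_plain: bytes, encrypted: dict) -> dict:
    """Decrypt every file with the key learned from the one known file."""
    ct = encrypted[known_name]
    key = recover_key(known_plain, ct, guess_key_len(known_plain, ct))
    return {name: toy_decrypt(blob, key) for name, blob in encrypted.items()}


# Constructed victim data: a made-up 16-byte key and three small "documents".
KEY = bytes.fromhex("3a9f1c4e7b02d5e8a16c43f09d27b4ee")
FILES = {
    "readme.txt": b"Quarterly sales report - internal use only. Do not distribute.",
    "notes.txt": b"Meeting with supplier on Monday; bring the signed contract.",
    "budget.csv": b"item,cost\nchairs,1200\ntables,3400\n",
}
ENCRYPTED = {name: toy_encrypt(data, KEY) for name, data in FILES.items()}

if __name__ == "__main__":
    # Only readme.txt is known in the clear (say, from a copy sent by email).
    recovered = recover_all("readme.txt", FILES["readme.txt"], ENCRYPTED)
    for name, data in recovered.items():
        print(name, "recovered" if data == FILES[name] else "FAILED")
```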
  • As with Blackhole, much of the interesting action for ZeroAccess happens on the endpoint, so most of the useful defenses are endpoint based. For the true rootkit versions an anti-rootkit tool or an anti-malware scanner with anti-rootkit capabilities is a must. Typically these will find the modifications in the operating system kernel and proceed to clean up from there. Because cleaning an infection from kernel memory can require a system restart, keeping an eye on cleanup logs to ensure that the removal is being completed can be important.

    Neither Blackhole nor ZeroAccess is the end of the story, of course. Both are used as delivery vehicles for other malware, so an active anti-malware scanner with behavioral analysis capabilities is key for fending off whatever else the criminals are trying to install. Monitoring security console or management logs for errors can tip you off to a network incursion: remember that some versions of ZeroAccess, and other malware, will attempt to disable installed security products, so a sudden rash of failure reports could be related to an infection. Perimeter or client firewalls can be used to disrupt the peer-to-peer communications of a botnet such as ZeroAccess. Although it gets some information via HTTP, which is unlikely to be blocked, much of the P2P communication is done on high port numbers not used by common services.

    Blackhole and ZeroAccess are just two of the threats facing networks and are shown here as examples of the complexity of modern mass-market threats. Tailoring your defenses to a particular threat, whether Blackhole, ZeroAccess or the next big name, at the expense of general security can leave you open to the many millions of other malware threats. When you design a security strategy remember that monitoring and maintenance will be key factors; without them even today’s best technology will fall to hackers tomorrow.
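The console-log heuristic above (a sudden rash of failure reports from one machine), as an added example that is not Sophos code: a Python check over constructed key=value management-console lines that flags any host with several security-product errors inside a short window. The log format, hostnames, window and threshold are assumptions.

```python
"""Spot a sudden rash of security-product failures on one host.

Added example, not Sophos code: the talk notes that some malware tries to
disable installed security products, so a burst of agent errors from a
single machine in the management console deserves a look. Parses
constructed key=value console lines and flags hosts with several
failures in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed alerting window
THRESHOLD = 3                   # assumed failures-in-window to alert on


def parse_line(line: str) -> dict:
    """'2013-01-14T09:00:05 host=X event=Y status=Z' -> dict with a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def failure_bursts(lines, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {host: [event names]} for hosts with >= threshold errors in a window."""
    errors = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec.get("status") == "error":
            errors[rec["host"]].append(rec)
    flagged = {}
    for host, evs in errors.items():
        evs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over sorted errors
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[host] = [e["event"] for e in evs[start:end + 1]]
                break
    return flagged


# Constructed sample console log (timestamps and hostnames are made up).
LOG = """\
2013-01-14T09:00:05 host=WS-017 event=Heartbeat status=ok
2013-01-14T09:01:10 host=WS-042 event=UpdateFailed status=error
2013-01-14T09:02:11 host=WS-017 event=UpdateFailed status=error
2013-01-14T09:02:40 host=WS-017 event=ServiceStopped status=error
2013-01-14T09:03:05 host=WS-017 event=FirewallDisabled status=error
2013-01-14T09:30:00 host=WS-042 event=UpdateFailed status=error
2013-01-14T10:15:00 host=WS-042 event=UpdateFailed status=error
""".splitlines()

if __name__ == "__main__":
    for host, events in failure_bursts(LOG).items():
        print(f"{host}: {len(events)} failures in {WINDOW}: {', '.join(events)}")
```

WS-042 has three failures too, but spread over more than an hour, so only WS-017 is reported.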
    1. Your Money or Your File! Highway robbery with Blackhole and Ransomware
    2. Topics • How threats work from compromised site to infection • How crimeware kits are developed, bought and sold • The money behind exploit kits and ransomware • Protecting against these types of attacks
    3. Join us on Twitter • Live tweeting from @Sophos_News • Send us your thoughts #SophosLive
    4. The attack
    5. Beyond the event horizon ? hcp://…
    6. Delivered malware
    7. The business behind Blackhole • Blackhole price list
    8. Delivered malware
    9. Winlocker
    10. Global reach
    11. File encryptor
    12. Defending your network
    13. Security News/Trends • Additional resources
    14. Staying ahead of the curve • US and Canada 1-866-866-2802 • Sophos on Google+ • UK and Worldwide +44 1235 55 9933