Fyodor Yarochkin - Dissecting unlawful Internet activities


International Security Conference "ZeroNights 2011" - http://www.zeronights.org/


  1. Dissecting unlawful Internet Activities. Fyodor Yarochkin, Armorize Technologies, @fygrave
  2. AGENDA: Observations; Case studies; Sampling goods and services; Q&A. (c) 2011 Armorize Technologies
  3. MEET THE AUTHORS
  4. Our environment: Honeypots (http, ftp, ssh, smtp, ...); Sandboxes + proactive internet "browsing"; End points around the globe; Public discussion groups of interest: scraping and indexing
  5. Overview
  6. What makes the news.. MALWARE, Black SEO, Fake AV, Mass Injections, CC abuse
  7. MAIN ACTORS: Kiddies; Profit-oriented crime; APT
  8. Range of players!
  9. Kiddies: hit our honeypots daily :)
  10. Still live in the IRCBOT age
  11. APT • Kiddies are not very interesting. Following the APT guys is a bit more fun. APT = advanced persistent threat (made lots of noise after the Aurora attacks, but.. how advanced is that.. really :-))
  12. APT: attack vectors, often plain silly
  13. APT: in Taiwan • Targets: academics, post, rail, ..
  14. APT: main characteristics • Attacks are planned and methodological • In many instances the primary aim of an action is information gathering (i.e. javascript that collects and posts the user environment information) • Malicious content is well-prepared (digitally signed w/ valid certificates etc etc)
  15. APT research from the xecure-lab guys
  16. Aptdeezer: APT analysis platform from xecure-lab
  17. Businessmen are fun to study :) Traffic, Online goods, Services
  18. How to steal a million?
  19. Effectiveness • Old school: steal it from a bank. Make a lot of noise and either get caught (or run to South America) • New school: steal a dollar from a million people. It is still a million (and no noise).
  20. So, where is the money? DIRECT SOURCES: Ads (PPC), Banking credentials, Pharm, CC cashing, Pr0n, Extortions, "Software", Mobile scam. INDIRECT SOURCES: TRAFF, Credentials, Online goods & services
  21. TRAFFIC.. • You need users to start visiting your "milking resource" to start with..
  22. TRAF. COST • AU - 300-550$ • UK - 220-300$ • IT - 200-350$ • NZ - 200-250$ • ES, DE, FR - 170-250$ • US - 100-150$ • RU, UA, KZ, KG .. 10-40$
  23. Case studies~
  24. Infrastructure compromise: case study
  25. UNDER THE HOOD
  26. Looking into packet fields
  27. TRACKING THE GHOST
  28. HYPO: ATTACK SCENARIO
  29. RESULTED IN... http://tools.cisco.com/security/center/viewAlert.x?alertId=17778
  30. Compromised CAs • How about combining this with a compromised CA?
  31. WHAT HAD HAPPENED.. `tunnel source <interface>` / `tunnel destination <badIP>`: Your traffic is mirrored!!
  32. How were they 0wn3d?
  33. AND MORE..
  34. LESSON LEARNT • The whole city compromised • Users infected on the fly, visiting legitimate web sites • Tricky to investigate • Affected parties: complete denial
  35. Other varieties ;-)
  36. Ad ABUSE: "MALVERTISEMENT"
  37. Introducing ad space hell :) Source: razorfishmedia.com
  38. Ad network dynamic bidding • The ad network dynamic bidding system is asking for abuse :-) • Decentralized, small players feed data to bigger guys (doubleclick), verification is mostly manual, real-time content tampering is easy, automated target selection, a number of mechanisms that prevent click fraud (and make automated analysis hard!!!)
  39. MALVERT. Mechanics: iframe, redirect, iframe, redirect, iframe, ... iframe to TDS
  40. Malvertisement (cont)
  41. Malvert: agencies get 0wned • Pulpomedia incident:
  42. Extortions going international
  43. Also a Spanish version. Credit: http://xylibox.blogspot.com/
  44. Common characteristics • Hosting and domain registration. Domain whois: Domain name: bundespol.net; Registration Service Provided By: Bizcn.com; Website: http://www.cnobin.com; Whois Server: whois.bizcn.com; Registrant Contact: Whois Privacy Protection Service, Whois Agent gmvjcxkxhs@whoisservices.cn, +86.05922577888, fax: +86.05922577111, No. 61 Wanghai Road, Xiamen Software Park, xiamen fujian 361008 cn. RIPE record: person: Ionut Tripa; remarks: SC GoldenIdeas SRL; address: Str. Drumul Sarii, nr. 57C; address: Sector 6, Bucuresti; phone: +0744885334; abuse-mailbox: goldenideas.ionut@yahoo.com; nic-hdl: IT1737-RIPE; mnt-by: GOLDENIDEAS-MNT; source: RIPE # Filtered
  45. WAS ON THE NEWS
  46. COMMON PATTERNS: Exploits, Social tricks
  47. "Social engineering"
  48. Well-operated :) • Spreads through advertisements (social engineering and exploits) • Reboots the machine until a license is purchased (80USD) • Provides a support hotline (hosted in India) • Uses legitimate payment gateways (possible to do refunds)
  49. Another attack: infrastructure
  50. Infrastructure: Speedtest.net, Ads.ookla.com, http://35ksegugsfkfue.cx.cc
  51. TDS systems: TRAFF marketplace
  52. COMMON TDS
  53. TDS + verification srv
  54. SEO: Another option • Black SEO:
  55. SEO USE and abuse :) <*bad* word (rus)>
  56. SEO SERVICES
  57. Goods and services: Sampling :)
  58. Digital currencies • Modern day hawala
  59. Amusing portals
  60. PASSPORT COPIES
  61. .. OR A SET: For money of any state of dirtiness. Pack includes 1. Online bank account access 2. ATM card (1000/6000USD per month withdrawal limit) 3. Online access passwords 4. Passport copy of "poor john" 5. SIM card
  62. MALWARE Q/A AND HOSTING
  63. Abuse-resistant hosting
  64. CLOUD-cracking
  65. AND CAPTCHA
  66. MOBILE: So far, easy to spot with static analysis tools (android, j2me)
  67. Press the button "stop" as soon as possible!
  68. LEARNING POSSIBILITIES :)
  69. Questions
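Slide 31 boils the infrastructure-compromise case down to two IOS lines: a tunnel interface whose destination is an address the operator never configured, so traffic gets mirrored out of the network. As an added example (not code from the talk or from Armorize), here is a small Python audit that parses an IOS-style running config, lists every Tunnel interface's source and destination, and flags destinations outside an allowlist of known peers; the sample config and the peer list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of an IOS-style running config; not taken from the talk.
SAMPLE_CONFIG = """\
hostname core-rtr-1
!
interface Tunnel0
 description expected site-to-site link
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
!
interface Tunnel99
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.77
!
"""
# Endpoints the operator knows about (assumed allowlist for this example).
KNOWN_PEERS = {"198.51.100.10"}


@dataclass
class Tunnel:
    name: str
    source: Optional[str] = None
    destination: Optional[str] = None


def parse_tunnels(config: str) -> List[Tunnel]:
    """Collect 'tunnel source'/'tunnel destination' lines under each Tunnel interface."""
    tunnels: List[Tunnel] = []
    current: Optional[Tunnel] = None
    for line in config.splitlines():
        iface = re.match(r"^interface (\S+)", line)
        if iface:
            # A new interface block starts; only Tunnel interfaces are tracked.
            current = Tunnel(iface.group(1)) if iface.group(1).startswith("Tunnel") else None
            if current:
                tunnels.append(current)
            continue
        field = re.match(r"^\s+tunnel (source|destination) (\S+)", line)
        if current and field:
            setattr(current, field.group(1), field.group(2))
    return tunnels


def suspicious_tunnels(config: str, known_peers: Set[str]) -> List[Tunnel]:
    """Tunnels pointing at an unknown destination: the 'your traffic is mirrored' pattern from slide 31."""
    return [t for t in parse_tunnels(config) if t.destination and t.destination not in known_peers]
```

Running the same check against a configuration backup taken before the incident shows when the extra tunnel first appeared, which is the kind of evidence the "tricky to investigate" slide says was missing.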
