MJG – would like this to build out in two clicks (the future and global threat intelligence)
Here are a few examples of malware toolkits we have come across. Notice in the second row from the bottom the different editions of the toolkit: bronze, silver and gold. Just amazing.
Last year we saw the emergence of Crimeware as a Service: bad guys renting out proxies, spamming tools, botnets, etc. This feeds anonymity, because it becomes very challenging to track down who perpetrated an attack, from where, and using what infrastructure.
Screenshots of KoobFace
2. Web pages on legitimate web sites are modified with hidden iframe tags that cause the victim's browser to request JS code from a drive-by-download server.
4. This JS code launches a number of exploits against the browser or some of its components, such as ActiveX controls and plugins. If any exploit is successful, an executable is downloaded to the machine and executed. The downloaded executable acts as an installer for Mebroot. The installer injects a DLL into a file manager process such as explorer.exe, loads a kernel driver, and overwrites boot records. Mebroot has no malicious capabilities per se, but acts as a platform for malicious actions: it provides the ability to manage malicious modules (install, uninstall, activate).
5. Mebroot contacts the C&C server to download malicious modules, which are saved in the system32 directory. Mebroot contacts the C&C server periodically, every 2 hours, to report its configuration (type and version of currently installed malicious modules) and to receive updates.
6. The Mebroot C&C server distributes the Torpig DLLs, and the Mebroot platform on the user's machine injects these DLLs into existing applications and processes, such as explorer.exe and 29 other popular apps: browsers (IE, Firefox, Opera, etc.), email clients (Outlook, Thunderbird, etc.), IM programs (Skype, ICQ, etc.), and system programs like the command line. Now Torpig can inspect all the data handled by these programs and store interesting pieces of information like credentials, stored passwords, etc.
7. Every 20 minutes, Torpig contacts the Torpig C&C server to upload the stolen data.
8. The C&C server sends a config file to the bot that tells the bot how often it should contact the C&C server, a set of hard-coded servers to be used as backup, and a set of parameters for "man-in-the-browser" phishing attacks. The Torpig config file lists roughly 300 domains belonging to target banks and financial institutions.
9. Torpig uses phishing to get additional sensitive data. This happens in two steps. First, when the infected machine visits one of the web sites listed in the configuration file (e.g. a banking web site), Torpig contacts the injection server.
10. The injection server specifies a phishing page on the injection server to which the user should be redirected, typically showing a form that looks very similar to the bank's login web page and asks the user for credit card numbers or social security numbers.

In ten days, Torpig obtained credentials for over 8300 bank accounts from banks in 5 different countries. The top institutions from which credentials were stolen were PayPal, Poste Italiane, Capital One, E*Trade and Chase. 38% of the stolen credentials came from browser password managers rather than from an actual login session. In a similar time period, over 1600 unique credit cards were harvested.
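The fixed check-in cadence described above (Torpig uploading every 20 minutes, Mebroot reporting every 2 hours) is something a defender can hunt for in proxy logs. The following is an added example, not code from the slides or from McAfee: a minimal periodicity check over constructed sample log lines that flags client/host pairs whose requests arrive at a near-constant interval; the hostnames and addresses are made up.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log, one request per line: "<ISO timestamp> <client> <host>".
# The first client checks in every ~20 minutes (the Torpig upload cadence from the
# slides); the second browses a news site at irregular times. Hostnames are made up.
SAMPLE_LOG = """\
2010-02-12T08:00:05 10.1.1.7 cc.example.invalid
2010-02-12T08:20:03 10.1.1.7 cc.example.invalid
2010-02-12T08:40:07 10.1.1.7 cc.example.invalid
2010-02-12T09:00:04 10.1.1.7 cc.example.invalid
2010-02-12T09:20:06 10.1.1.7 cc.example.invalid
2010-02-12T08:03:00 10.1.1.9 news.example.invalid
2010-02-12T08:04:11 10.1.1.9 news.example.invalid
2010-02-12T08:31:45 10.1.1.9 news.example.invalid
2010-02-12T09:15:02 10.1.1.9 news.example.invalid
2010-02-12T09:16:00 10.1.1.9 news.example.invalid
"""

def parse_log(text):
    """Group request timestamps by (client, host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, host = line.split()
        series[(client, host)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(text, min_hits=4, max_jitter=0.05):
    """Return [(client, host, period_seconds)] for pairs that check in on a schedule.

    A pair is flagged when it has at least `min_hits` requests and the relative
    spread of the gaps between them (stdev / mean) is at most `max_jitter`, i.e.
    the requests arrive at a near-constant interval, whatever its length.
    """
    hits = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((client, host, round(avg)))
    return hits

if __name__ == "__main__":
    for client, host, period in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host} checks in every ~{period // 60} min")
```

The same check catches the 2-hour Mebroot cadence; only the observation window needs to be long enough to collect `min_hits` requests.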
Worldwide at Avert Labs:
- Currently $zu_grosse_Zahl distinct pieces of malware identified by Avert Labs
- We have stopped counting; the old method no longer makes sense:
- 50000+ samples are analysed daily
- 95% and more are static (not self-replicating)
  - Trojans and bots
- 90% and more are packed/encrypted
  - "Runtime packers"
February 12, 2010
Total number of samples (Source: AV-Test.org)
Global Malware Vision
- Collections: The Great Zoo (cumulative)
  - Q1-2009: +4.2 million samples
  - Q2-2009: +4.1 million samples
Self-replicating and static malware
Rootkits are becoming the rule, not the exception
Motivation today. Source: chat interview with the "Dream Coders Team", the developers of MPack: http://www.robertlemos.com/2007/07/23/mpack-interview-chat-sessions-posted/
Today's Threat Landscape
- 500%: increase in malware code added from 07 to 08 (more malware variations)
- 80%: malware is obfuscated (toolkits & obfuscation)
- 60 seconds: a new malicious website is detected (Web 2.0 is the catalyst!)
- 90%: of all threats are financially motivated
- 5m: active new zombies per month (attack target: users vs. machines)
Public trading platforms
The underground marketplace: bank logons
- A Washington Mutual Bank account in the U.S. with an available balance of $14,400 is priced at 600 euros ($924), while a Citibank UK account with an available balance of 10,044 pounds is priced at 850 euros ($1,310).
- It may appear to be less dangerous to resell access to a bank account rather than to use it directly.
The Malware Toolkit Marketplace (Source: McAfee Avert Labs)

| Crimeware (Author) | Description | Pricing |
|---|---|---|
| FirePack (Diel) | Web Exploitation Malware Kit. Note: a Chinese version exists. | $3000 (February 2008); $300 (April 2007) |
| Zupacha, ZeuS and ZUnker ($ash) | The ZeuS trojan is able to inject code into the login web page of a financial organization to ask for personal data and divert it to a remote location. Zupacha is a bot element, and Zunker a C&C. | $1000 for Zupacha, $2000 for Zunker (January 2008) |
| Adrenaline, an update of Nuclear Grabber (Corpse) | Universal kit for creating tools to capture targeted banking data. Able to intercept and retransmit authentic transactions on the fly between the bank and its client. | $3000 |
| PolySploit, an update of NeoSploit (Grabarz) | Web Exploitation Malware Kit, statistical engine, enhanced configuration capability, exploitation package, enhanced support and online forum for customers. | 100 € |
| El fiesta | Web Based and PDF-Exploit Pack used to launch attacks and monitor them. | $850 (December 2008) |
| Turkojan RAT (AlienSoftware) | A Remote Access Tool made in Turkey. | Bronze edition: $99 (July 2008); Silver edition: $179; Gold edition: $249 |
| ZoPack | Web Based PDF-Exploit Pack used to launch attacks and monitor them. | |
CaaS – Crimeware as a Service (Source: McAfee Avert Labs)

| Service | Description | Prices Encountered |
|---|---|---|
| Proxy Rental | Botnet networks on "per use" (on a monthly basis) or "daily rates" (on a daily basis, over a month) plans. | Daily Limit 50, Qty per Month 1500: $95; Per Use Plan, Qty per Month 1000: $69.95 |
| Web Injection Shop | HTML injection codes designed to steal information from customers of dozens of financial institutions worldwide. Each HTML injection is specifically tailored to match each bank's specific website design. | Each between $10 and $30 |
| Spam facilities | Spamming tools, mailing lists, etc. | 5000/7000 emails per minute, over 1 million emails per day: $2000 per month |
| Botnet management | HTTP Command & Control facilities for ZeuS malware. | $50 per month |
| Flooding/DDoS | "Complete paralysis of your competitor by flooding his stationary or mobile phone, his web site" | $80 per 24h; 1 hour: $20; 1 day: $100; Large projects: $200 |
- The user is on their bank's web site
- The SSL certificate is valid; the padlock is displayed
- Torpig injects a form into the browser that asks for additional information, in the same style as the web site
Email attachments: still common
Spear Phishing: "Whaling"
- "The United States Tax Court has received many telephone calls regarding an e-mail which purports to originate from the Court being sent by a member of the Tax Court's practitioner bar. This message is an example of "Spear Phishing," which is an e-mail spoofing attempt that targets a specific organization. The Tax Court is not disseminating any e-mail notice to anyone who currently has a case before this Court."
Web 2.0: emails are being replaced by links in social networks
Koobface gets past the content filter... it exploits trust
Autorun worms: largely ignored, until Conficker came along
Autorun is today a major infection vector
Anatomy of an attack: the Torpig botnet
1. Victim system sends GET / to a web server with a security vulnerability
2. <iframe>
3. Mebroot drive-by-download server: GET/?gnh5 (request JS code)
4. Launches exploits; gnh5.exe downloaded; installs Mebroot, injects DLL (the machine becomes a bot)
5. Mebroot C&C server (contacted every 2 hours)
6. Torpig DLLs injected into IE, Firefox, Outlook, Skype, IM, etc.
7. Torpig C&C server: stolen data uploaded every 20 min
8. Config file containing bank domains, new C&C servers (300 domains for target FIs)
9. Injection server URL
10. Phishing HTML
Malware / Crimeware
- URLZone
  - The Trojan calls back to its command and control server for specific instructions on exactly how much to steal from the victim's bank account without raising any suspicion, and to which money mule account to send the money. Then it forges the victim's on-screen bank statements so the person and bank don't see the unauthorized transaction.
  - http://vil.nai.com/vil/content/v_237377.htm (Downloader-BQZ.a)
  - http://www.darkreading.com/database_security/security/client/showArticle.jhtml?articleID=220300592
This statement shows a transaction of 53.94 Euros when actually 8,571.31 Euros was removed from the account. The balance has been changed by the Trojan. (http://www.geek.com/articles/news/malware-now-covers-its-tracks-in-bank-statements-20090930/)
Is Your Computer Infected (by a Fake Anti-Virus)?
They Are Popular Because They Work and Look Valid
People and Economy behind it
Good at Crime, clueless about Security
- Goal: tracking distribution sites
- Discovered: everything
  - "Product lists"
  - Tech support calls
  - Project documentation
  - Affiliate lists
  - Source code
  - Employee lists
  - And much more...
FOCUS 09: Anatomy of a scareware company
http://www.internetnews.com/security/article.php/3842936/McAfee+FOCUS+09+Anatomy+of+a+Scareware+Scam.htm

Using more than 63 gigabytes of information culled from querying the company's own portal servers and other publicly available data, Dirk Kollberg, from McAfee Labs, unearthed some astonishing operational details including the following:
- Innovative Marketing used more than 34 different production servers in less than six months and used as many as six different servers at a time to infect, advertise and sell their illicit wares.
- In one 10-day stretch, the company received more than 4 million download requests, meaning that at least 4 million people tried to buy the worthless applications.
- Internal documents report that the URLs used to hawk the scareware are only valid for 15 minutes, making it all but impossible for federal, state or international law enforcement agencies to yank the offending URLs before they've moved on to new addresses.
- It used multiple customer call centers, including at least one in Poland and one in India, to service unsuspecting customers calling via VoIP connections to buy, remove or question the need for the unnecessary scareware. And, believe it or not, they recorded and saved these bogus customer service calls. More incredibly, 95 percent of callers were "happy" when the call concluded.
- Because they needed an extensive network of ISPs to pull off the scam, Innovative Marketing kept detailed spreadsheets with all the ISPs' pertinent data including price, location and, most telling, a column that rated the ISPs' "abuseability"—essentially an assessment of which ISPs would play ball and not ask questions as they went about their business.
- The company added a whopping 4.5 million order IDs, essentially new purchases, in 11 months last year. With most of the phony applications selling for $39.95, that's more than $180 million in less than a year.
Questions? More info?
- Read the Avert Labs Security Blog
  - http://www.avertlabs.com/research/blog
- Listen to the AudioParasitics Podcast
  - http://www.audioparasitics.com
- Read the Monthly Spam Report
  - http://www.mcafee.com
- Read the McAfee Quarterly Threat Report
  - http://www.mcafee.com
- Read the McAfee Security Journal
  - http://www.mcafee.com
- Watch the Stop H*Commerce Series
  - http://www.stophcommerce.com