Crimeware Fingerprinting Final


Crimeware (malicious trojans and bots) facilitates online financial crimes targeted at eCommerce and eBanking sites. What are the attack mechanisms, and what are the identifying characteristics of these crimenet-controlled bots and trojans?


1. Crimeware Fingerprinting: Characteristics of Crimenet-Controlled Bot Behavior & the Underground Cyber Economy
   Joseph Ponnoly
   MBA, MSc, CGEIT, CISM, CISA, CISSP
2. Understanding Crimeware
   - Botnets, bots & crimeware
   - Online financial crimes
   - Targets & attack mechanisms
   - Criminals
   - Underground cyber economy
   - Countermeasures
3. Bots, Botnets & Crimeware
4. Botnets: The No. 1 Internet Security Threat
5. Botnets
   Botnets (networks of hijacked or "zombie" computers) bypass traditional network security mechanisms.
   Large botnets control an army of over a million nodes; pushing 22 to 24 Gbps of traffic, they can throttle parts of the Internet.
   Three Dutch botnet operators arrested in September 2005 controlled 1.5 million machines and used them to extort money from a US company, steal identities and distribute spyware.
   Thr34t Krew (botherder): massive DDoS attacks and warez (stolen software distributions).
   Criminal marketplace: spam botnets to watch in 2009 (SecureWorks).
6. Bots
   Bots (automated malicious software) are planted on host computers and lie low without the owner's knowledge.
   Bot binaries (malware) let the botmaster control the hijacked nodes through a remote command-and-control channel.
   Bots evade traditional malware defenses: they use zero-day or real-time exploits and avoid signature detection through polymorphism.
8. What is crimeware?
   - Malware (malicious code): trojans or bots (automated malicious software agents)
   - Uses zero-day or real-time exploits (evading traditional malware defenses) and avoids detection through polymorphism
   - Specifically targeted at victim machines
   - Facilitates online crimes
   - Controlled by crimenets
   Examples: spam bots; banking trojans targeting Brazilian banks
14. Communication protocols used
   - Mostly IRC (Internet Relay Chat). IRC is an Internet communications protocol with several aspects attractive to operators in the underground economy:
     - real-time group communication,
     - very little bandwidth required,
     - IRC client software freely available across all operating systems.
   - Others: HTTP, P2P
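The IRC characteristics listed above are also what network-side fingerprinting keys on. The following is an added example, not part of the original slides: a small parser for the IRC line format plus a handful of heuristics (IRC on a non-standard port, nicks of the form `[COUNTRY|OS]-digits`, a keyed channel shared by several internal hosts, command-like text in the channel topic or in a PRIVMSG) run over a constructed sample of client traffic. The nick pattern and the `.ddos` / `!scan` command shapes are assumptions chosen for illustration, not signatures of any particular bot family.

```python
"""Heuristic fingerprinting of IRC-based bot command-and-control traffic.

Added example (not from the original slides). The traffic below is a
constructed sample of (client_ip, server_port, raw IRC line) tuples taken
from either direction of each client's connection. The bot-style nick
pattern and the ".ddos" / "!scan" command shapes are illustrative
assumptions, not signatures of a specific bot family.
"""
import re
from collections import defaultdict

# Constructed sample traffic: one ordinary IRC user and three bots.
SAMPLE_TRAFFIC = [
    ("10.0.0.5",  6667, "NICK alice"),
    ("10.0.0.5",  6667, "JOIN #linux"),
    ("10.0.0.5",  6667, "PRIVMSG #linux :anyone tried the new kernel?"),
    ("10.0.0.21", 1863, "NICK [USA|XP]-48213"),
    ("10.0.0.21", 1863, "JOIN #b0t5 s3cr3t"),
    ("10.0.0.22", 1863, "NICK [DEU|2K]-91827"),
    ("10.0.0.22", 1863, "JOIN #b0t5 s3cr3t"),
    ("10.0.0.23", 1863, "NICK [BRA|XP]-00451"),
    ("10.0.0.23", 1863, "JOIN #b0t5 s3cr3t"),
    # RPL_TOPIC (332): many IRC bots take their standing orders from the topic.
    ("10.0.0.21", 1863, ":srv 332 [USA|XP]-48213 #b0t5 :.ddos.syn 203.0.113.9 80 600"),
    ("10.0.0.21", 1863, ":h3rd3r!op@c2 PRIVMSG #b0t5 :!scan.start 192.168.0.0/16"),
]

# Ports IRC servers conventionally listen on; anything else is a weak indicator.
STANDARD_IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Assumed bot nick shape, e.g. [USA|XP]-48213 (country|OS + random digits).
BOT_NICK_RE = re.compile(r"^\[[A-Z]{2,3}\|[A-Za-z0-9]{1,4}\]-?\d{3,}$")
# Assumed command shape: a dotted or bare word introduced by '.' or '!'.
COMMAND_RE = re.compile(r"^[.!](?:[a-z]+\.)*[a-z]+(?:\s|$)")


def parse_irc(line):
    """Split an IRC line into (prefix, COMMAND, params, trailing).

    Grammar (RFC 1459): [':' prefix SPACE] command {SPACE param} [SPACE ':' trailing]
    """
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return prefix, "", [], (trailing if sep else None)
    command, params = parts[0].upper(), parts[1:]
    return prefix, command, params, (trailing if sep else None)


def fingerprint(traffic):
    """Return {client_ip: set(indicators)} for every client that tripped a heuristic."""
    indicators = defaultdict(set)
    keyed_channel_members = defaultdict(set)   # channel -> clients that joined it with a key
    for ip, port, raw in traffic:
        _, cmd, params, trailing = parse_irc(raw)
        if port not in STANDARD_IRC_PORTS:
            indicators[ip].add("IRC on non-standard port")
        if cmd == "NICK" and params and BOT_NICK_RE.match(params[0]):
            indicators[ip].add("bot-style nick")
        if cmd == "JOIN" and len(params) >= 2:          # JOIN <channel> <key>
            keyed_channel_members[params[0]].add(ip)
            indicators[ip].add("keyed channel join")
        if cmd in ("332", "TOPIC") and trailing and COMMAND_RE.match(trailing):
            indicators[ip].add("command in channel topic")
        if cmd == "PRIVMSG" and trailing and COMMAND_RE.match(trailing):
            indicators[ip].add("command-like PRIVMSG")
    # A keyed channel shared by several internal hosts looks like a herd, not a chat.
    for chan, members in keyed_channel_members.items():
        if len(members) >= 3:
            for ip in members:
                indicators[ip].add(f"keyed channel {chan} shared by {len(members)} hosts")
    return dict(indicators)


def suspicious_hosts(traffic, min_indicators=3):
    """Clients showing at least min_indicators independent signs of bot C&C."""
    return sorted(ip for ip, found in fingerprint(traffic).items()
                  if len(found) >= min_indicators)


if __name__ == "__main__":
    for ip, found in sorted(fingerprint(SAMPLE_TRAFFIC).items()):
        print(ip, "->", ", ".join(sorted(found)))
    print("suspicious:", suspicious_hosts(SAMPLE_TRAFFIC))
```

Each heuristic on its own is weak (legitimate IRC runs on odd ports, and some human users pick ugly nicks), which is why the verdict requires several independent indicators; the channel-membership check is the one that cannot be produced by a single host and is usually the strongest of the set.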
21. DDoS botnets for rent
22. Crimes
23. Crimeware-controlled crimes
   - Extortion
   - Identity theft
   - Distribution of spyware
   - Denial-of-service attacks
   - Financial crimes
   - Targeted phishing attacks (spear phishing, whaling)
29. Online financial crimes controlled by crimenets
   Extortion: in 2004, bot-driven DDoS attacks against online gambling sites were used for extortion.
   Identity theft and data theft:
   - confidential data
   - user IDs and passwords
   - credit card data, Social Security numbers
   - sensitive files (corporate espionage, political espionage)
   Underground economy servers controlled by botnet operators store and distribute illegal software or credit card data.
   Botnets are rented out for spamming, spyware distribution, distributed denial-of-service attacks or spear phishing.
30. Dutch botnet operators (2005): controlled 1.5 million machines
   Used for extorting money from a US company, stealing identities and distributing spyware
   Used the Toxbot trojan to infect the compromised machines
31. Targets
32. Crimeware targets
   - Banks and financial institutions
     - US banks: email-based phishing
     - Brazilian and European banks: banking trojans
   - Online gambling
   - Online gaming: trojan families (Magania, Nilage)
   - Online advertisements
   - Online payment systems (PayPal)
   - E-commerce sites (eBay)
   Email-based phishing has targeted PayPal, eBay and US banks.
42. Attack Mechanisms
43. Crimeware attack vectors
   - Phishing
   - Keystroke loggers
   - Social engineering attacks (tricking users into opening email attachments that contain crimeware); email is the weapon of mass delivery of trojans
   - ActiveX drive-by downloads (on compromised or baiting websites)
   - IM (instant messaging)
   - Worm attacks (e.g. the Conficker worm) exploiting security vulnerabilities of targeted systems
   - Injection of crimeware into legitimate sites via cross-site scripting and other web application vulnerabilities
   - Insertion of crimeware into downloadable software
44. Crimeware attack vectors (contd.)
   Exploits:
   - Scripts and rootkits used to hide the exploits
   - Dynamic IP addresses used to escape detection
   - Worm attacks exploiting security vulnerabilities of targeted systems
   - Injection of crimeware into legitimate websites via cross-site scripting
   - Insertion of crimeware into downloadable software
   Propagation:
   - P2P (peer-to-peer) networks
   - Drive-by downloads
   - Email delivery
54. Payloads
   Trojans made up 54% of the top malicious code samples (Symantec Internet Security Threat Report).
   Banking trojans (Brazil) target banking transactions.
   Authenticated session hijacking ("session riding" malware that issues fraudulent transactions from inside the victim's logged-in session) versus keystroke loggers or credential stealing.
   Because they operate inside the browser, these trojans bypass SSL encryption, traditional authentication and malware defenses.
   Trojans targeting European banks (e.g. Haxdoor, Sinowal, Zeus) use wininet.dll hooks.
55. Attack methods
   Banking trojans:
   The trojan monitors the system or user activity to identify when the user is banking online (Ståhlberg, 2007), using:
   - hooking of WinInet API functions
   - the Browser Helper Object interface
   - window title enumeration (when the browser title bar contains a string from the trojan's filter list, it logs the keystrokes)
   - DDE
   - COM interfaces
   - Firefox browser extensions and the Layered Service Provider interface
   Capturing user credentials:
   - form grabbing
   - screenshots or video capture (for banks using "virtual keyboards")
   - keystroke logging
   - injection of fraudulent pages or form fields
   - pharming
   - man-in-the-middle attacks
56. Haxdoor banking trojan
   Uses form-grabbing techniques via Browser Helper Objects, COM interfaces and API hooking; form grabbing accesses the data before it is encrypted with SSL.
   A banking trojan hit Swedish banks in January 2007 (authenticated session hijacking):
   - The trojan displays an error message after the user has entered the password.
   - The trojan sends the authentication information to the server managed by the attacker.
   - The attacker logs on to the bank account and transfers money to his own account or to a hired money mule.
   Successful against banks not using one-time passwords or stronger authentication.
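To make concrete the difference between the credential theft in the Haxdoor flow above and the session riding mentioned on the Payloads slide, here is an added simulation that is not part of the original deck. The `Bank` class, its three authentication modes and the HMAC-SHA256 code generator are constructed assumptions standing in for a real bank's back end and customer token; what the example shows is which of the two attacks each mode actually stops.

```python
"""Stolen password vs. login OTP vs. transaction-bound OTP against banking trojans.

Added example (not from the original slides). Bank, sessions, token and the
trojan's actions are a constructed simulation; HMAC-SHA256 over a per-user
seed stands in for whatever code generator a real bank issues.
"""
import hashlib
import hmac
import secrets


def token_code(seed, message):
    """Customer's token/device side: computes the code outside the browser."""
    return hmac.new(seed, message, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Toy back end with three authentication policies (assumed, for illustration)."""

    def __init__(self, mode):
        assert mode in ("password", "login_otp", "txn_otp")
        self.mode = mode
        self.users = {}

    def enroll(self, name, password, balance):
        user = {"password": password, "seed": secrets.token_bytes(16),
                "balance": balance, "login_counter": 0}
        self.users[name] = user
        return user["seed"]                     # provisioned onto the customer's token only

    def login(self, name, password, otp=None):
        user = self.users[name]
        if password != user["password"]:
            return None
        if self.mode == "login_otp":            # event-based one-time code for login
            expected = token_code(user["seed"], b"login:%d" % user["login_counter"])
            if otp != expected:
                return None
            user["login_counter"] += 1          # a code is accepted exactly once
        return {"user": name, "id": secrets.token_hex(8)}

    def transfer(self, session, dest, amount, txn_otp=None):
        user = self.users[session["user"]]
        if self.mode == "txn_otp":              # code must be bound to what is being approved
            expected = token_code(user["seed"], f"{dest}:{amount}".encode())
            if txn_otp != expected:
                return False
        if amount > user["balance"]:
            return False
        user["balance"] -= amount
        return True


def stolen_password_replay():
    """Haxdoor flow: form grabber reads the password before TLS; attacker logs in later."""
    bank = Bank("password")
    bank.enroll("victim", "hunter2", balance=1000)
    grabbed = "hunter2"                         # captured from the form POST in the browser
    attacker_session = bank.login("victim", grabbed)
    return attacker_session is not None and bank.transfer(attacker_session, "mule", 900)


def login_otp_replay_and_session_riding():
    """A login OTP stops replay of grabbed credentials, but not a transfer issued
    from inside the victim's live session (session riding)."""
    bank = Bank("login_otp")
    seed = bank.enroll("victim", "hunter2", balance=1000)
    code = token_code(seed, b"login:0")        # victim reads this off the token and types it
    victim_session = bank.login("victim", "hunter2", code)
    replayed = bank.login("victim", "hunter2", code)   # attacker reuses grabbed password + code
    rode = bank.transfer(victim_session, "mule", 900)  # trojan acts inside the live session
    return {"replay_login": replayed is not None, "session_riding": rode}


def transaction_bound_otp():
    """A code computed over destination and amount cannot be reused for a rewritten transfer."""
    bank = Bank("txn_otp")
    seed = bank.enroll("victim", "hunter2", balance=1000)
    session = bank.login("victim", "hunter2")
    code = token_code(seed, b"grocer:50")      # victim approves 50 to 'grocer' on the token
    hijacked = bank.transfer(session, "mule", 900, txn_otp=code)   # trojan rewrote the form
    honest = bank.transfer(session, "grocer", 50, txn_otp=code)
    return {"hijacked": hijacked, "honest": honest}


if __name__ == "__main__":
    print("static password, replayed:", stolen_password_replay())
    print("login OTP:", login_otp_replay_and_session_riding())
    print("transaction-bound OTP:", transaction_bound_otp())
```

The third mode only holds if the destination and amount the customer approves are shown on a device the trojan does not control (a token or a phone, not the compromised browser); if the browser is allowed to tell the user what to key into the token, the trojan can still talk the user into approving the mule transfer.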
57. Attack methods (contd.)
   Cryptovirology: malware encrypts critical data on infected machines, and extortionists demand money to restore it.
   Data theft attacks: "trial" attacks start as a sales promotion for the botnet's services, followed by DDoS attacks or data theft attacks; stolen data is aggregated for criminal purposes.
58. The Criminals
59. Criminal profiles: the cybercrime underworld
   Organized crime:
   - Banking trojan gangs operating in Brazil
   - Phishing gangs operating from Eastern Europe
   - Crimeware kits sold on the black market
   - Virus writers employed by cyber underground operators to create spyware and trojans
   - Customizable malware: Crimeware-as-a-Service (CWaaS)
   Crimeware manufacturing: malware developers are funded to develop trojans/crimeware.
   Dynamics of the cybercrime underworld (Zhuge et al., 2007): virus writers, website crackers and virtual-asset thieves collaborate to defraud victims.
   Malicious websites: the phishing/crimeware map by Websense Security Labs shows the major attacks coming from websites hosted in the USA, Russia and China.
60. Underground cyber economy
   Underground economy servers used by criminals (Symantec, 2008) sell stolen information for identity theft: Social Security numbers, credit card information, passwords, personal identification numbers, email addresses, bank account information.
   An economic model for China's cybercrime underworld (Zhuge et al., 2007).
   Crimeware threat model and taxonomy (US Department of Homeland Security, 2006).
61. Goods and services available for sale on underground economy servers
63. Countermeasures
65. Crimeware bibliography
   Dunham, K., Melnick, J. (2009). Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet. Auerbach Publications, Boca Raton, FL.
   Jakobsson, M., Ramzan, Z. (2008). Crimeware: Understanding New Attacks and Defenses, 1st ed. Addison-Wesley Professional.
   Emigh, A. (2006). The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond. Journal of Digital Forensic Practice, 1(3), 245-260. ISSN 1556-7346.
   Symantec (2009). Internet Security Threat Report.