9. Motivation Today February 12, 2010 Source: chat interview with the “Dream Coders Team”, the developers of MPack http://www.robertlemos.com/2007/07/23/mpack-interview-chat-sessions-posted/
10. Today’s Threat Landscape
500% increase in malware code added from 07 - 08 (More Malware Variations)
80% of malware is obfuscated (Toolkits & Obfuscation)
New malicious website detected every 60 seconds (Web 2.0 is the Catalyst!)
90% of all threats are financially motivated
5m active new zombies per month
Attack Target: Users vs. Machines
15. The Malware Toolkit Marketplace Source: McAfee Avert Labs
Crimeware (Author) | Description | Pricing
FirePack (Diel) | Web exploitation malware kit. Note: a Chinese version exists. | $3000 (February 2008); $300 (April 2007)
Zupacha, ZeuS and ZUnker ($ash) | The ZeuS trojan is able to inject code into the login webpage of a financial organization to ask for personal data and divert it to a remote location. Zupacha is a bot element, and Zunker a C&C. | $1000 for Zupacha, $2000 for Zunker (January 2008)
Adrenaline, an update of Nuclear Grabber (Corpse) | Universal kit for creating tools to capture targeted banking data. Able to intercept and retransmit authentic transactions on the fly between the bank and its client. | $3000
PolySploit, an update of NeoSploit (Grabarz) | Web exploitation malware kit, statistical engine, enhanced configuration capability, exploitation package, enhanced support and online forum for customers. | 100 €
El fiesta | Web-based and PDF-exploit pack used to launch attacks and monitor them. | $850 (December 2008)
Turkojan RAT (AlienSoftware) | A Remote Access Tool made in Turkey. | Bronze edition: $99 (July 2008); Silver edition: $179; Gold edition: $249
ZoPack | Web-based PDF-exploit pack used to launch attacks and monitor them. | (no price given)
20. The user is on their bank’s website. The SSL certificate is valid and the padlock is shown. Torpig injects a form into the browser that asks for additional information, in the same style as the website.
28. Anatomy of an Attack: Torpig botnet
1. Victim system sends GET / to a web server with a vulnerability (the victim becomes a bot)
2. <iframe> points to the Mebroot drive-by-download server
3. GET /?gnh5 (request JS code)
4. Launches exploits; gnh5.exe downloaded; installs Mebroot, injects DLL
5. Mebroot C&C server, contacted every 2 hours
6. Torpig DLLs injected into IE, Firefox, Outlook, Skype, IM, etc.
7. Torpig C&C server: stolen data uploaded every 20 min
8. Config file containing bank domains, new C&C servers; 300 domains for target FIs
9. Injection server URL
10. Phishing HTML
MJG – would like this to build out in two clicks (the future and global threat intelligence)
Here are a few examples of malware toolkits we have come across. Notice, in the second row from the bottom, the different editions of the toolkit: bronze, silver and gold. Just amazing.
Last year we saw the emergence of Crimeware as a Service – bad guys renting proxies, spamming tools, botnets, etc. This feeds the anonymity as it becomes very challenging to track down who perpetrated the attack, from where, using what infrastructure.
Screenshots of KoobFace
2. Web pages on legitimate web sites are modified with hidden iFrame tags that cause the victim’s browser to request JS code from a d-b-d server.
4. This JS code launches a number of exploits against the browser or some of its components, such as ActiveX controls and plugins. If any exploit is successful, an executable is downloaded to the machine and executed. The downloaded executable acts as an installer for Mebroot. The installer injects a DLL into a file manager process such as explorer.exe, loads a kernel driver, and overwrites boot records. Mebroot has no malicious capabilities per se, but acts as a platform for malicious actions. Mebroot provides the ability to manage malicious modules (install, uninstall, activate).
5. Mebroot contacts the C&C server to download malicious modules that are saved in the system32 directory. Mebroot contacts the C&C server periodically, every 2 hours, to report its configuration (type and version of currently installed malicious modules) and to receive updates.
6. The Mebroot C&C server distributes the Torpig DLLs, and the Mebroot platform on the user’s machine injects these DLLs into existing applications and processes, such as explorer.exe and 29 other popular apps such as browsers (IE, Firefox, Opera, etc.), email clients (Outlook, Thunderbird, etc.), IM programs (Skype, ICQ, etc.), and system programs like the command line. Now Torpig can inspect all the data handled by these programs and store interesting pieces of information like credentials, stored passwords, etc.
7. Every 20 minutes, Torpig contacts the Torpig C&C server to upload the stolen data.
8. The C&C server sends a config file to the bot that tells the bot how often it should contact the C&C server, a set of hard-coded servers to be used as backup, and a set of parameters for “man-in-the-browser” phishing attacks. The Torpig config file lists roughly 300 domains belonging to target banks and financial institutions.
9. Torpig uses phishing to get additional sensitive data. This happens in two steps. First, when the infected machine visits one of the web sites listed in the configuration file (e.g. a banking web site), Torpig contacts the injection server.
10. The injection server specifies a phishing page on the injection server to which the user should be redirected, typically showing a form that looks very similar to the bank’s login web page and asks the user for credit card numbers or social security numbers.
In ten days, Torpig obtained credentials of over 8300 bank accounts from banks in 5 different countries. The top institutions from which credentials were stolen were: PayPal, Poste Italiane, Capital One, E*Trade, Chase. 38% of the stolen credentials came from password managers in browsers rather than from an actual login session. In a similar time period, over 1600 unique credit cards were harvested.
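The fixed check-in cadence described above (Torpig uploading every 20 minutes, Mebroot reporting every 2 hours) is what a defender can look for in proxy logs. The script below is an added example, not part of the original deck; the log format, hostnames and client address are constructed, and the thresholds are assumptions.

```python
"""Flag periodic beaconing in proxy logs (added defender-side example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client> <destination host>".
# The first pair beacons roughly every 20 min; the second is ordinary browsing.
SAMPLE_LOG = """\
2010-02-12T08:00:03 10.0.0.7 cnc.example.test
2010-02-12T08:20:01 10.0.0.7 cnc.example.test
2010-02-12T08:40:04 10.0.0.7 cnc.example.test
2010-02-12T09:00:02 10.0.0.7 cnc.example.test
2010-02-12T09:20:00 10.0.0.7 cnc.example.test
2010-02-12T08:03:10 10.0.0.7 news.example.test
2010-02-12T08:11:45 10.0.0.7 news.example.test
2010-02-12T08:57:02 10.0.0.7 news.example.test
2010-02-12T09:02:33 10.0.0.7 news.example.test
"""


def parse_log(text):
    """Group request timestamps by (client, destination) pair."""
    seen = defaultdict(list)
    for line in text.splitlines():
        ts, client, dest = line.split()
        seen[(client, dest)].append(datetime.fromisoformat(ts))
    return seen


def find_beacons(text, min_requests=4, max_cv=0.1):
    """Return {(client, dest): mean gap in seconds} for pairs whose
    inter-request gaps are nearly constant, i.e. the coefficient of
    variation (stdev / mean) is below max_cv. A few seconds of jitter
    passes; irregular human browsing does not. Thresholds are assumed."""
    beacons = {}
    for pair, times in parse_log(text).items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (client, dest), secs in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: beacon every {secs / 60:.1f} min")
```

Run against a real proxy export, the same logic surfaces any host that talks to one destination on a fixed clock, which is worth a closer look whether or not the destination is already on a blocklist.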