This document provides an overview of how the internet can be a dangerous place due to cybercriminal activities like hacking and malware. It discusses popular exploit kits that package exploits and deliver malware payloads through drive-by downloads. Criminal tactics discussed include purchasing exploit kits, trojans, and victims in online black markets to set up infection campaigns. The document demonstrates how these campaigns work through phishing emails and compromised websites to exploit vulnerabilities and infect victims. It emphasizes that everyone is a target and provides tips to help protect yourself, like keeping software updated, using safe browsing practices, and disabling plugins when possible.
2. Who am I?
WHAT MY FAMILY AND FRIENDS THINK I DO
WHAT BEING A SECURITY PROFESSIONAL CAN SOMETIMES FEEL LIKE
WHAT I FEEL LIKE I DO
3. DISCLAIMER: DO NOT TRY THIS AT HOME. VISITING THE SITES DISCUSSED IN THIS PRESENTATION OR USING THE CYBERCRIME TOOLS DISCUSSED COULD BE HAZARDOUS TO YOUR COMPUTER'S HEALTH AND LEAD TO BEING CALLED BY AN INMATE NUMBER INSTEAD OF YOUR NAME!
14. Exploit kits
• Tools for hackers
– Popular exploits packaged together with controls and add-ons
• Web applications which deliver malware payloads
• Many different exploit kits out there
15. Blackhole exploit kit
• Most popular kit on the black market
• Robust stat tracking
• Malware as a service
– Sign up for a hosted service
– Customer support
• Exploits for browser plugins:
– Adobe Reader
– Adobe Flash
– Java
16. Invisibility
• Exploit kits like to use “iframes”
• What are “iframes”?
• Like a picture frame, just mount it on a website
• To hide the content just make the frame really small: “0x0 pixels” small
• Now the website can show malicious content from another website without anyone noticing
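Added example, not from the presentation: a small Python check for the hidden-iframe trick just described. It flags iframes that are 0x0 (or near it) or hidden with CSS, and notes whether the frame pulls content from a different host than the page; the sample HTML and hostnames are constructed for the example.

```python
# Added example (not from the presentation): flag iframes that are sized or
# styled so a visitor cannot see them, the "0x0 pixels" trick described above.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that hides an element or pushes it off screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)|(?:left|top)\s*:\s*-\d{3,}",
    re.I,
)

def _tiny(value):
    """True when a width/height attribute is 0 or only a couple of pixels."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 2

class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # one dict per suspicious iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src", "")
        # A relative src stays on the page's own host.
        src_host = (urlparse(src).hostname or self.page_host).lower()
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny dimensions")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append({"src": src,
                                  "cross_origin": src_host != self.page_host,
                                  "reasons": reasons})

def audit_hidden_iframes(html, page_host):
    """Return the hidden iframes found in `html`, a page served from `page_host`."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample: a normal embedded video plus two hidden, injected frames.
SAMPLE_PAGE = """
<html><body><h1>Recipes</h1>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<iframe src="http://landing.example.net/in.php" width="0" height="0"></iframe>
<iframe src="/ads.html" style="position:absolute;left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_hidden_iframes(SAMPLE_PAGE, "blog.example.com"):
        print(finding)
```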
17. Drive-by Downloads
• Most exploit kits use “Drive-by Downloads”
• What are drive-by downloads?
– “A download that happens without a person's knowledge, often spyware, a computer virus or malware.” – Wikipedia
– A download that happens in the background without you seeing it
– How does this work?
21. How Bad is it?
• Recent Norton cybercrime report shows:
• $388 billion worldwide over the past year in costs caused by cyber crime
• 35% of that number was incurred by individuals and businesses from the U.S.
• 141 victims per minute
• Keep in mind: this was just the reported costs. For every reported event or incident there are countless others that go unreported.
22. How Bad is it for businesses?
In 2010 Trend Micro did a survey:
• Of 130 businesses: 100% had some type of active malware
• 72% had evidence of botnets
• 56% had data stealing malware (e.g. keyloggers)
• 42% had worms (self-propagating)
Things have only gotten worse.
23. How Bad is it?
2010:
• 286,000,000+ new variants of malware
• 45,926 malicious web domains
2011:
• 403,000,000+ new variants of malware
• 55,294 malicious web domains
25. You ARE not alone
• It is important to know who else is in the “water”
• What do they want?
• Where do they lurk?
• How do they catch their prey?
• How can you spot them and protect yourself?
26. Why me?
• Would you ask a real shark “why!?”
• Online Sharks want:
– Reputation
– Power
– Information
– Money
• Bottom Line – If you use the Internet, you are a target
27. So who are the sharks?
• Organized Crime Syndicates based in Asia and the former USSR
• Small groups of Hackers in the US, Asia, or the former USSR
• Hacking has evolved into a very sophisticated industry of malware production
• “Cybercrime is one of the fastest growing and lucrative industries of our time.” – Dave Marcus, Director of Security Research for McAfee Labs
28. Why? How?
• How do hackers go about obtaining these tools?
• What do they do with it?
• Why would someone do this?
30. How to become a “hacker”
How to become a “shark”
Victims → Exploit → Infection → Payload
31. All you really need is money!
• Purchase an exploit kit
• Purchase a trojan
• Purchase victims?
– Phishing services
– Traffic services
• Profit
32. Victims → Exploit → Infection → Payload
Purchasing An Exploit Kit
33. Black Market Forums
• Exploit kit advertisements on various black market forums
• BlackHole the first exploit kit to introduce a hosted option
– Let the “professionals” configure and host it for you!
– The most popular option
– Includes free domain and support!
– Hosting spread around the world
34. Black Market Forums
• Payment is usually through virtual currencies like Liberty Reserve or WebMoney
• User reputation and forum escrow services!
35. Quality and Service
• Creators of the kit funneled their revenue back into improving their product
• Updated frequently with the latest vulnerabilities
– November 2011 – Only a few days to add the latest Java “1-day” to the kit
– “We’d never seen an exploit kit update itself to use the latest vulnerabilities that quickly.” – Bradley Anstis, M86 VP of Technical Strategy
• Russian and English language support
• Banner advertisements
40. Mac Flashback Trojan
• Delivered by hacked WordPress blogs and social networking sites
• Infected over 600,000 Mac users (1.8% of Macs)
• Made from a reverse-engineered Windows update in February
• Steals passwords and other info
41. FEATURES
• Vulnerability Detection
– Built-in engine determines which exploit to use
• Traffic redirection script based on rules:
– OS, Browser, Plugins, Date
45. NOW THAT YOU HAVE YOUR BLACKHOLE EXPLOIT KIT, WHAT DO YOU DO?
46. Victims → Exploit → Infection → Payload
TROJANS AND RATS
47. Trojans and RATs
“Exploit kit is the gun, the payload is the ammo”
• Trojans, Remote Administration Tools
– Usually client / server design
– Client makes outgoing calls to server
• What kind of features would make a good trojan?
– Info stealing
– Hard to detect / remove
– File downloading and execution
– Computer control
– RAT protection? Self-defense?
49. Carberp
• Banking Trojan
– Man-in-the-Middle forms grabber
– Screenshots, Downloaders
– Facebook scam
• Carberp Trojan popular choice with BlackHole
– Stopav.plug
• avg9, ESET NOD32 Antivirus 3.x/4.x, McAfee AntiVirus Plus 10, Microsoft Security Essentials
– Passw.plug
– Miniav.plug
• ZeuS, Limbo, Barracuda, Adrenalin, MyLoader, BlackEnergy, SpyEye
• Unlike most malware (ZeuS, SpyEye), Carberp is not marketed publicly
53. ZeuS
• Another banking Trojan
– Man-in-the-Middle keylogger and form grabber
– Only targets Windows
– Costs $700 - $15,000
• Estimated botnet size 3,600,000 (US only)
• Cyber crime network discovered by the FBI on Oct. 1, 2010
– Stole ~$70,000,000 US
• Source code leaked May 2011
– Custom versions and off-shoots released soon after
60. Obtaining Victims
• We need people to visit our Blackhole Kit so we can infect them
• Two methods:
– Phishing / spam e-mails
– Iframe Traffic Generation
• Again, all you need is money!
65. Iframe traffic
• Purchasing compromised website traffic
• WordPress blogs are a prime target
– One infected blog got over 150,000 hits
– Pilfered FTP credentials
– Plugin vulnerabilities
67. How does this work?
• Search Engine Poisoning / Optimization (SEO)
– #1 Vector for Malware (40%)
69. Obtaining victims
• Two main methods:
– Phishing and spam emails
– Purchasing iframe traffic
• SEO, Compromised websites
70. Victims → Exploits → Infection → Payloads
Putting It All Together
SURFING WITH SHARKS
71. The final product
• So we have our exploit toolkit, our payload, and a way of obtaining victims.
• Let’s show an infection:
– Firing off a phishing e-mail
– Client-side exploitation
– Payload delivery
– Game over
74. Everyone is a Target
• Windows, Mac…
– Even Smartphones and Tablets!
– New drive-by attacking Android smartphones discovered in May 2012
75. Protecting Yourself
• Attackers use tricks like phishing, SEO, and drive-by downloads
• Keep your OS, plugins, and antivirus up-to-date
• Use safe browsing practices
– Inspect links, be overly cautious
– Not necessarily strange websites
76. Other tips
• Disabling or uninstalling Java, Flash
• Disabling JavaScript
– Mozilla Firefox NoScript
You are probably asking yourself this question – I’m at an education technology conference – so why is a Security guy standing on the stage?
Let me answer that for you!
Well they all run one of these
If all of these components share these things in common (for the most part), where would be the best place for me to attack? Bingo – Internet components!
Quick show of hands – who thinks: PCs are the safest? Macs are the safest? Android devices? iOS (iPhone/iPad/iPod) devices? Well, in terms of safety while surfing the internet I would rank them as follows. Notice I didn’t say most secure. What if I asked “What is the most targeted?” What would that look like? You may be safer using a certain type of device, but it is, in most cases, not due to a technology being more secure but really associated with it being less targeted. As use of these devices increases they will most certainly be targeted by cyber criminals.
Exploit kits are packs containing malicious programs that are mainly used to carry out automated ‘drive-by’ attacks in order to spread malware. These kits are sold on the black market, where prices ranging from several hundred to over a thousand dollars are paid. Nowadays, it is also quite common to rent hosted exploit kits. Because of this, it is a competitive market with lots of players and many different authors. Source: “http://www.securelist.com/en/analysis/204792160/Exploit_Kits_A_Different_View”
The Blackhole kit in particular is a type of crimeware Web application developed in Russia to help hackers take advantage of unpatched vulnerabilities in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites would be redirected to a browser-vulnerability-exploiting malware portal website in order to distribute banking Trojans or similar malware through the visiting computer. Blackhole exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms. Some kits in the wild have been seen to call and exploit Windows Media Player as well. The most probable reason for this is the fact that Windows Media Player updates are usually shown as “optional updates” unless included in major updates such as service packs. With newer versions of the kit come upgrades in exploits, strategy, and functionality.
In a normal download, you send requests and the website responds. If you send a download request, you often get a confirmation “Are you sure?” which you can visibly see as the user. So you see the download happening, as it saves to your computer.
In a drive-by, while you interact with or view the site, the site will start an invisible download to your computer. As a user, you won’t see it and you will have no indication of it occurring. It won’t ask you for your permission and you don’t know that the website is saving something to your computer. Once it’s done, your computer is now under the hacker’s control (invisibly).
Visit compromised WordPress blog – startcooking.com. Only indication of compromise is that Java starts up while visiting. Open up Task Manager and see cs8v0k.exe (malware downloader) with garbled description. Soon that closes and efzi.exe starts up – same description – this is the malware bot. Infected! It’s that easy.
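Added example, not from the presentation: one way a defender could pick the chain just described (Java starts, then an executable lands) out of web proxy logs. The log format, hostnames, timestamps and client addresses are constructed for the example; the detection rule is simply a Java plug-in request followed within seconds by an executable download to the same client.

```python
# Added example (not from the presentation): find drive-by infection chains in
# proxy logs. Constructed pipe-separated format:
#   timestamp | client | user_agent | url | response content type
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """
2012-06-01T10:00:01 | 10.0.0.5 | Mozilla/5.0 (Windows NT 6.1) | http://blog.example.com/recipes | text/html
2012-06-01T10:00:02 | 10.0.0.5 | Mozilla/5.0 (Windows NT 6.1) | http://cdn.example.net/jquery.js | application/javascript
2012-06-01T10:00:03 | 10.0.0.5 | Java/1.6.0_31 | http://lp.example.org/d.php?f=1 | application/java-archive
2012-06-01T10:00:07 | 10.0.0.5 | Java/1.6.0_31 | http://lp.example.org/w.php?f=1 | application/x-msdownload
2012-06-01T10:05:00 | 10.0.0.9 | Mozilla/5.0 (Windows NT 6.1) | http://vendor.example.com/setup.exe | application/x-msdownload
2012-06-01T11:00:00 | 10.0.0.5 | Java/1.6.0_31 | http://updates.example.com/x.jar | application/java-archive
"""

# Content types that mean a Windows executable came down the wire.
PAYLOAD_TYPES = {"application/x-msdownload", "application/x-dosexec",
                 "application/octet-stream"}
# How soon after the plug-in request the payload must arrive to count.
WINDOW = timedelta(seconds=30)

def parse_log(text):
    """Turn the constructed log text into (time, client, ua, url, ctype) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, client, ua, url, ctype = [f.strip() for f in line.split("|")]
        events.append((datetime.fromisoformat(ts), client, ua, url, ctype))
    return events

def find_driveby_chains(events, window=WINDOW):
    """Return (client, plugin_url, payload_url) for every Java plug-in request
    that the same client follows, within `window`, with an executable download."""
    by_client = defaultdict(list)
    for ev in sorted(events):
        by_client[ev[1]].append(ev)
    hits = []
    for client, evs in by_client.items():
        for i, (t0, _, ua, url, _) in enumerate(evs):
            if not ua.startswith("Java/"):   # the browser, not the plug-in
                continue
            for t1, _, _, url1, ctype1 in evs[i + 1:]:
                if t1 - t0 > window:
                    break                     # too late to be the same chain
                if ctype1 in PAYLOAD_TYPES:
                    hits.append((client, url, url1))
                    break
    return hits

if __name__ == "__main__":
    for client, plugin_url, payload_url in find_driveby_chains(parse_log(SAMPLE_LOG)):
        print(f"{client}: {plugin_url} -> {payload_url}")
```

The second client's setup.exe is not flagged because no plug-in request precedes it, and the later standalone .jar fetch is not flagged because nothing executable follows it.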
Unlike the beach where lifeguards will post signs if a Shark has been sited or if someone is attacked – on the Internet you generally have no idea if Sharks are lurking in your area…so you need to remember that just like in the ocean --
Exploit kits are very specific to their name: they are meant to help exploit or hack users, and what happens after exploitation really depends on what specific payload or malware is used afterward. In the wild it is very common to see info stealers combined with backdoors. This means access and information; hackers want resources, whether it be information to sell for money or access to computers to use as a botnet. It is always possible that it could be much more targeted, such as espionage or personal reasons. The first Blackhole exploit kit appeared on the black market in August 2010 as a Web application available for sale on a subscription basis ($1,500 for an annual license). The questions that will be answered coming up: How do you buy it? How much does the new one cost? Where can you buy it? Any examples? Forums, etc.? What can you do with it? How would you use it?
Visits live Blackhole site. Key is already in URL – starts removing the values in all the parameters and refreshes page – gets the main dashboard. Able to sort by date. Views hits by country, browsers, exploits, operating systems.
Flashback is the name of a recent piece of malware out for Macs which has been reported to have infected over 600,000 Mac users. This malware was made from a Flash vulnerability found to affect the Windows operating system. Malware makers reverse-engineered a Windows update in February of 2012 and produced another strain of malware for Macs. What does it do? This malware will steal passwords and other information through Web browsers and other applications and send the information back to the attackers over the internet. Earlier instances of this piece of malware disguised itself as a Flash update, but newer versions do not require any user interaction, allowing for a silent installation and infection. Apple released updates which patched against this vulnerability 2 weeks after the malware's discovery. This rise in levels of malware for Macs only emphasizes the need for safe user practices for both Windows and Mac users. Sophos recently released a study showing 20% of Mac computers carried at least one type of Windows malware, if not more. While Windows malware may not affect Mac computers, they can still spread through them to other systems. Aside from the Windows-targeted malware, 1 in 36 Macs were found to be infected with malware designed for Macs. In these statistics a point to be made would be the fact that most infections could have been prevented through proper and regular use of antivirus software and safe practices. There is a free tool available through f-secure.com to automatically detect and remove the Flashback malware. http://www.f-secure.com/weblog/archives/00002346.html
Stopav.plug: avg8, avg9, arca2009, arca2008, avast5, ESET NOD32 Antivirus 3.x/4.x, ESET Smart Security 3.x/4.x, Avira Premium Security Suite, Avira AntiVir Premium, Avira AntiVir Professional, BitDefender Antivirus 2010, McAfee AntiVirus Plus 10, Microsoft Security Essentials, DrWeb
This demo not yet uploaded.
Severa is short for “Peter Severa,” a Russian who is listed at #5 on Spamhaus’s Register of Known Spam Operations (ROKSO). According to Spamhaus, Severa is one of the longest operating criminal spam-lords on the Internet. Severa advertises his spamming services on several invite-only cyber crime forums.
E-mail list of CIOs, Presidents, COOs, etc. Sold in 5 hours.
Blackhat SEO uses techniques like hidden text, invisible / off screen divs, etc.
So here is a quick example. What is more innocent than a crafty apple search? Well, in this Google image search result five (5) of the top 14 returned results are actually links to sites that will try to infect your computer if you click on the image. Google tries to protect you by putting the image in a frame and previewing it; however, the site uses specific tricks to automatically break out of the Google frame. At that point you would see a pop-up trying to convince you that your computer is infected with malware. Once infected, the malware will try to convince you to purchase a removal tool and will also stage your computer for future control by the malware author.
Open up Bifrost again like before. Our victim checks his e-mail and sees something wrong with his Facebook account. Once he clicks the link, he’s already infected. We can turn on a keylogger and steal his password as he types it in. We have full access to his computer, if we like. Full control – just from a click.
This past May user “georgiabiker” of Reddit.com came across a new drive-by malware attack website that automatically downloads installation files to your phone upon browsing to the website. This new drive-by attack website lays down the foreshadowing of security trends and issues to come with Android and other mobile operating systems. The drive-by attack utilized a malicious iframe injected into the website which could analyze the “User Agent” string of the user’s browser to see if the browser’s operating system was Android or not. Upon determining that the viewing browser was from an Android OS, it would redirect users to a malicious Android installation file (APK). According to an analysis performed by Lookout Mobile Security, “Based on our current research, NotCompatible is a new Android trojan that appears to serve as a simple TCP relay / proxy while posing as a system update. This threat does not currently appear to cause any direct harm to a target device, but could potentially be used to gain illicit access to private networks by turning an infected Android device into a proxy.” This means that this malware could be used to gain access to other devices and/or steal information. Figure 1 (Screenshots from redditor, Georgiabiker). This instance of Android drive-by malware appears to be in its early stages as it still depends on the user to install the deceivingly named malicious install file “update.apk”. As Android-based malware and attacks evolve, users will need to be ever more diligent. As with computers, the best security practices are safe user browsing practices, such as having the “Unknown sources” setting disabled, as well as an up-to-date antivirus program.
Drive-by download sites are one of the largest and growing threats on the internet. Attackers can use phishing to trick users into navigating to their malicious website or even infect legitimate websites, compromising users as they trustingly go by. When you become a victim of a drive-by download attack, many times the infection results in backdoors to your machine, theft of information, and/or malicious access to other devices within the same network. Use these tips and tricks to stay out of the statistics and in control of your own computer and information. Drive-by downloads usually attack browser plugins, so keep plugins up-to-date. When you see the Java icon in the corner saying there is an update available, don’t ignore it. You can use websites such as https://browsercheck.qualys.com/ to scan plugins for updates and browsers for security issues. Keep antivirus up-to-date; sometimes it’s hard to tell if a link is malicious or a website compromised, so at the least protect yourself with the latest virus signatures. Use safe browsing practices: the website isn’t going anywhere, so take the time to check if you recognize the URL behind the links. You can usually see a link’s URL by hovering your mouse over the link. If you’re really unsure but need to visit the website, you can scan the URL; websites such as the following will allow you to check if a website has been reported to be an attack website:
https://www.virustotal.com/#url
http://www.urlvoid.com/
http://www.avgthreatlabs.com/sitereports
While it may make browsing a bit tedious, it’s a safe practice to disable JavaScript in your browser and only allow JavaScript to run on websites you trust and recognize. If you’re a Firefox user, use the NoScript Add-On.