0nights2011

Dissecting unlawful Internet Activities

Fyodor Yarochkin

@fygraveArmorize Technologies

АГЕНДА

Observations

Case studies

Sampling goods and services

Q & A

(c) 2011 Armorize Technologies

MEET THE AUTHORS


Our environment

Honeypots (http, ftp, ssh, smtp, ...)

Sandboxes + proactive internet “browsing”

End points around the globe

Public discussion groups of interest: scrapping and indexing


Overview


What makes the news..

MALWAREBlack SEO

Fake AVMass Injections

CC abuse


MAIN ACTORS

KiddiesProfit Oriented

Crime APT


Range of players!


Kiddies: hit our honeypots daily :)


Still live in IRCBOT age


APT

• Kiddies are not very interesting. Following the APT guys is a bit more fun

APT – advanced persistent threat (made lots of noise after Aurora attacksBut, .. how advanced that is.. really :-))


APT: attack vectors – often plain silly


APT: in taiwan

• Targets: academics, post, rail, ..


APT: main characteristics

• Attacks are planned and methodological

• In many instances – the primary aim of an action is information gathering (i.e. javascript that collects and posts the user environment information)

• Malicious content is well-prepared (digitally signed w/ valid certificates etc etc)


APT Research from xecure-lab guys


Aptdeezer: apt analysis platform from xecure-lab


Businessmen are fun to study:)

Online goods

services

Traffic


How to steal a million?


Effectiveness

• Old school: steal it from a bank. Make a lot of noise and either get caught (or run to South America)

• New school: steal a dollar from a million people. It is still a million (and no noise).


So, where is the money?

CC cashing

Banking credentialsAds (PPC)

Mobile scam

Pharm

Pr0n

DIRECT SOURCES:

Extortions“Software”

INDIRECT SOURCES:

TRAFF Credentials Online goods& services


TRAFFIC..

• You need users to start visiting your “milking resource” to start with..


TRAF. COST

• AU - 300-550$

• UK - 220-300$

• IT - 200-350$

• NZ - 200-250$

• ES,DE,FR - 170-250$

• US - 100-150$

• RU, UA, KZ, KG .. 10-40$(c) 2011 Armorize Technologies

Case studies~


Infrastructure compromise: case study


UNDER THE HOOD


Looking into Packet fields


TRACKING THE GHOST


HYPO: ATTACK SCENARIO


RESULTED IN...

http://tools.cisco.com/security/center/viewAlert.x?alertId=17778


Compromised CAs

• How about combining this and compromised CA?


WHAT HAD HAPPENED..

Your taffic is mirrored!!

tunnel source <interface>

tunnel destination <badIP>


How were they 0wn3d?


AND MORE..


LESSON LEARNT

• The whole city compromised

• Users infected on the fly. Visiting legimate web sites

• Tricky to investigate

• Affected parties - complete denial


Other varieties ;-)


Ad ABUSE: “MALVERTISEMENT”


Introducing ad. Space hell :)

Source: razorfishmedia.com


Ad network dynamic bidding

• Ad network dynamic bidding system is asking for abuse :-)

• Decentralized, small players feed data to bigger guys (doubleclick), verification is mostly manual, real-time content tampering is easy, automated target selection, number of mechanisms that prevent click fraud (and makes automated analysis hard!!!)

•


MALVERT. Mechanics

iframe

redirect

iframe

redirect

iframe

Iframe to TDS(c) 2011 Armorize Technologies

Malvertisement (cont)


Malvert: agencies get 0wned

• Pulpomedia incident:


Extortions going international


Also spanish version

Credit: http://xylibox.blogspot.com/


Common characteristics

• Hosting and domain registration

Registration Service Provided By: Bizcn.comWebsite: http://www.cnobin.comWhois Server: whois.bizcn.com

Domain name: bundespol.net

Registrant Contact: Whois Privacy Protection Service Whois Agent [email protected] +86.05922577888 fax: +86.05922577111 No. 61 Wanghai Road, Xiamen Software Park xiamen fujian 361008 cn

person: Ionut Triparemarks: SC GoldenIdeas SRL

address: Str. Drumul Sarii, nr. 57Caddress: Sector 6, Bucuresti

phone: +0744885334abuse-mailbox: [email protected]

nic-hdl: IT1737-RIPEsource: RIPE # Filtered

mnt-by: GOLDENIDEAS-MNT

person: Ionut Triparemarks: SC GoldenIdeas SRL

address: Str. Drumul Sarii, nr. 57Caddress: Sector 6, Bucuresti

phone: +0744885334abuse-mailbox: [email protected]

nic-hdl: IT1737-RIPEsource: RIPE # Filtered

mnt-by: GOLDENIDEAS-MNT


WAS ON THE NEWS


COMMON PATTERNS

Exploits Social tricks


“Social engineering”


Well-operated :)

• Spreads through advertisements (social engineering and exploits)

• Reboots machine until license is purchased (80USD)

• Provides support hotline (hosted in India)• Uses legimate payment gateways (possible

to do refunds)(c) 2011 Armorize Technologies

Another attack: infrastructure


Infrastructure

Speedtest.net

Ads.ookla.com

http://35ksegugsfkfue.cx.cc(c) 2011 Armorize Technologies

TDS systems: TRAFF marketplace


COMMON TDS


TDS + verification srv


SEO:Another option

• Black SEO:


SEO USE and abuse :)

<*bad* word (rus)


SEO SERVICES


Goods and services :Sampling :)


Digital currencies

• Modern day hawalla


Amusing portals


PASSPORT COPIES


.. OR A SET

For money of any state of dirtinessPack includes1. Online bank account access2.ATM card (1000/6000USD per month withdrawal limit)3. online access passwords4. Passport copy of “poor john”5. SIM card


MALWARE Q/A AND HOSTING


Abuse-resistant hosting


CLOUD-cracking


AND CAPTCHA


MOBILESo far - easy to spot with

static analysis tools (android, j2me)


Press the button “stop” as soon as Press the button “stop” as soon as possible!possible!


LEARNING POSSIBILITIES :)


Questions

l


0nights2011

Documents

armorize technologiesiframe

casestudy c

varieties c

plain silly c

ircbot age c

malvertisement cont

traffic online goodsservices

apt guys