surfing with sharks ks ed tech 2012

Surfing with Sharks: Why the Internet is a Dangerous Place

Upload: inf8nity

Post on 01-Jun-2015


DESCRIPTION

Crimeware and the dangers of the Internet

TRANSCRIPT

  • 1. Surfing with Sharks: Why the Internet is a Dangerous Place
  • 2. Who am I? WHAT MY FAMILY AND FRIENDS THINK I DO; WHAT BEING A SECURITY PROFESSIONAL CAN SOMETIMES FEEL LIKE; WHAT I FEEL LIKE I DO
  • 3. DISCLAIMER: DO NOT TRY THIS AT HOME. VISITING THE SITES DISCUSSED IN THIS PRESENTATION OR USING THE CYBERCRIME TOOLS DISCUSSED COULD BE HAZARDOUS TO YOUR COMPUTER'S HEALTH AND LEAD TO BEING CALLED BY AN INMATE NUMBER INSTEAD OF YOUR NAME!
  • 4. AGENDA: THREAT LANDSCAPE
  • 5. AGENDA: CRIMINAL TACTICS & TOOLS
  • 6. AGENDA: DEMOS
  • 7. Why am I here?
  • 8. Do You Use One of These?
  • 9. What Do They All Share In Common?
  • 10. So Let's Think Like A Bad Guy
  • 11. MOST SECURE? MOST TARGETED? 14 3 22 3 41
  • 12. Some Definitions: Hackers and Black Hats; Vulnerabilities, Exploits, and Payloads
  • 13. Exploit kits: Tools for hackers; Popular exploits packaged together with controls and add-ons; Web applications which deliver malware payloads; Many different exploit kits out there
  • 14. Blackhole exploit kit: Most popular kit on the black market; Robust stat tracking; Malware as a service; Sign up for a hosted service; Customer support; Exploits for browser plugins: Adobe Reader, Adobe Flash, Java
  • 15. Invisibility: Exploit kits like to use iframes; What are iframes? Like a picture frame, just mount it on a website; To hide the content just make the frame really small, 0x0 pixels small; Now the website can show malicious content from another website without anyone noticing
  • 16. Drive-by Downloads: Most exploit kits use Drive-by Downloads; What are drive-by downloads? "A download that happens without a person's knowledge, often spyware, a computer virus or malware." (Wikipedia); A download that happens in the background without you seeing it; How does this work?
  • 17. Regular Download
  • 18. Drive-By Download
  • 19. How Bad is it? Recent Norton cybercrime report shows: $388 billion worldwide over the past year in costs caused by cyber crime; 35% of that number was incurred by individuals and businesses from the U.S.; 141 victims per minute; Keep in mind: this was just the reported costs. For every reported event or incident there are countless others that go unreported.
  • 20. How Bad is it for businesses? In 2010 Trend Micro did a survey: Of 130 businesses: 100% had some type of active malware; 72% had evidence of botnets; 56% had data stealing malware (e.g. keyloggers); 42% had worms (self-propagating); Things have only gotten worse.
  • 21. How Bad is it? 2010: 286,000,000+ new variants of malware; 45,926 malicious web domains. 2011: 403,000,000+ new variants of malware; 55,294 malicious web domains
  • 22. You ARE Not alone: It is important to know who else is in the water; What do they want?; Where do they lurk?; How do they catch their prey?; How can you spot them and protect yourself?
  • 23. Why me? Would you ask a real shark why!? Online Sharks want: Reputation; Power; Information; Money. Bottom Line - If you use the Internet, you are a target
  • 24. So who are the sharks? Organized Crime Syndicates based in ASIA and the former USSR; Small groups of Hackers in the US, Asia, or the former USSR; Hacking has evolved into a very sophisticated industry of malware production; "Cybercrime is one of the fastest growing and lucrative industries of our time," - Dave Marcus, Director of Security Research for McAfee Labs.
  • 25. Why? How? How do hackers go about obtaining these tools? What do they do with it? Why would someone do this?
  • 26. Becoming a Shark
  • 27. How to become a hacker; How to become a shark: Victims, Exploit, Infection, Payload
  • 28. All you really need is money! Purchase an exploit kit; Purchase a trojan; Purchase victims? Phishing services; Traffic services; Profit
  • 29. Victims, Exploit, Infection, Payload: Purchasing An Exploit Kit
  • 30. Black Market Forums: Exploit kit advertisements on various black market forums; BlackHole, the first exploit kit to introduce a hosted option; Let the professionals configure and host it for you!; The most popular option; Includes free domain and support!; Hosting spread around the world
  • 31. Black Market Forums: Payment is usually through virtual currencies like Liberty Reserve or WebMoney; User reputation and forum escrow services!
  • 32. Quality and Service: Creators of the kit funneled their revenue back into improving their product; Updated frequently with the latest vulnerabilities; November 2011: Only a few days to add the latest Java 1-day to the kit; "We'd never seen an exploit kit update itself to use the latest vulnerabilities that quickly." - Bradley Anstis, M86 VP of Technical Strategy; Russian and English language support; Banner advertisements
  • 33. FEATURES: Statistical widgets; Geolocation, operating system, browser, exploit, and more!
  • 34. MAC FlashBack Trojan: Delivered by hacked WordPress blogs and social networking sites; Infected over 600,000 Mac users (1.8% of Macs); Made from reverse engineered Windows update in February; Steals passwords and other info
  • 35. FEATURES: Vulnerability Detection; Built-in engine determines which exploit to use; Traffic redirection script based on rules: OS, Browser, Plugins, Date
  • 36. MORE FEATURES: Advanced payload and exploit obfuscation; Some examples
  • 37. NOW THAT YOU HAVE YOUR BLACKHOLE EXPLOIT KIT WHAT DO YOU DO?
  • 38. Victims, Exploit, Infection, Payload: TROJANS AND RATS
  • 39. Trojans and RATS: Exploit kit is the gun, the payload is the ammo; Trojans, Remote Administration Tools; Usually client / server design; Client makes outgoing calls to server; What kind of features would make a good trojan? Info stealing; Hard to detect / remove; File downloading and execution; Computer control; RAT protection? Self-defense?
  • 40. Fake Anti-Virus: One use of the Trojan is to trick you into buying fake anti-virus
  • 41. CarBerp Banking Trojan: Man-in-the-Middle forms grabber; Screenshots, Downloaders; Facebook scam; Carberp Trojan popular choice with BlackHole; Stopav.plug: avg9, ESET NOD32 Antivirus 3.x/4.x, McAfee AntiVirus Plus 10, Microsoft Security Essentials; Passw.plug; Miniav.plug: ZeuS, Limbo, Barracuda, Adrenalin, MyLoader, BlackEnergy, SpyEye; Unlike most malware (ZeuS, SpyEye), Carberp is not marketed publicly
  • 42. ZEUS: Another banking Trojan; Man-in-the-Middle keylogger and form grabber; Only targets Windows; Costs $700 - $15,000; Estimated botnet size 3,600,000 (US only); Cyber crime network discovered by the FBI on Oct. 1, 2010; Stole ~$70,000,000 US; Source code leaked May 2011; Custom versions and off-shoots released soon after
  • 43. Bifrost: Let's take a look at the Bifrost RAT
  • 44. Victims, Exploits, Infection, Payload: Obtaining Victims
  • 45. Obtaining Victims: We need people to visit our Blackhole Kit so we can infect them; Two methods: Phishing / spam e-mails; Iframe Traffic Generation; Again, all you need is money!
  • 46. Obtaining Victims
  • 47. Obtaining Victims: Phishers are Getting Smarter
  • 48. Iframe traffic: Purchasing compromised website traffic; WordPress blogs are a prime target; One infected blog got over 150,000 hits; Pilfered FTP credentials; Plugin vulnerabilities
  • 49. How does this work? Search Engine Poisoning / Optimization (SEO); #1 Vector for Malware (40%)
  • 50. Search Engine Poisoning
  • 51. Obtaining victims: Two main methods: Phishing and spam emails; Purchasing iframe traffic: SEO, Compromised websites
  • 52. Victims, Exploits, Infection, Payloads: Putting It All Together. SURFING WITH SHARKS
  • 53. The final product: So we have our exploit toolkit, our payload, and a way of obtaining victims. Let's show an infection: Firing off a phishing e-mail; Client-side exploitation; Payload delivery; Game over
  • 54. Protecting yourself
  • 55. Everyone is a Target: Windows, Mac; Even Smartphones and Tablets!; New Drive-by attacking android smart phones discovered in May 2012
  • 56. Protecting Yourself: Attackers use tricks like phishing, SEO, and drive-by downloads; Keep your OS, plugins, and anti-virus up-to-date; Use safe browsing practices; Inspect links, be overly cautious; Not necessarily strange websites
  • 57. Other tips: Disabling or uninstalling Java, Flash; Disabling JavaScript; Mozilla Firefox NoScript
  • 58. Any Questions?
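
The "Invisibility" slide (15) describes frames shrunk to 0x0 pixels that load content from another website. As an added example that is not part of the original slides, the Python sketch below shows how a site owner could audit page markup for such frames. The 2-pixel threshold, the reason labels, the sample HTML and all host names are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 2  # assumed threshold: frames this small or smaller cannot be seen
CSS_HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# width/height declarations in pixels; the lookbehind skips max-width, line-height
CSS_SIZE = re.compile(r"(?<![-\w])(?:width|height)\s*:\s*(\d+)(?:px)?\s*(?=;|$)", re.I)

def _px(value):
    """Pixel count for '0' or '1px'; None for '100%', 'auto' or a missing attribute."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return int(m.group(1)) if m else None

class HiddenIframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # (src, [reasons]) for each suspicious frame

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "")
        sizes = [_px(a.get("width")), _px(a.get("height"))]
        sizes += [int(n) for n in CSS_SIZE.findall(style)]
        reasons = []
        if any(s is not None and s <= TINY_PX for s in sizes):
            reasons.append("tiny-size")
        if CSS_HIDDEN.search(style):
            reasons.append("css-hidden")
        # Relative URLs have no hostname and are same-origin, so they are skipped.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if reasons and host and host != self.page_host:
            self.findings.append((a["src"], reasons))

def find_hidden_iframes(html, page_host):
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page served from blog.example (all hosts are placeholders).
SAMPLE = """
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://kit.invalid/landing" width="0" height="0" frameborder="0"></iframe>
<iframe src="//cdn.test/x" style="visibility:hidden;width:1px;height:1px"></iframe>
<iframe src="/local/tracker.html" width="0" height="0"></iframe>
"""
if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE, "blog.example"):
        print(src, why)
```

The check only sees static markup; frames injected by script at load time, or hidden through an external stylesheet, need a rendered-DOM inspection instead.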