Transcript of 0nights2011
![Page 1: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/1.jpg)
Dissecting unlawful Internet Activities
Fyodor Yarochkin
@fygrave, Armorize Technologies
![Page 2: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/2.jpg)
AGENDA
Observations
Case studies
Sampling goods and services
Q & A
(c) 2011 Armorize Technologies
![Page 3: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/3.jpg)
MEET THE AUTHORS
![Page 4: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/4.jpg)
Our environment
Honeypots (http, ftp, ssh, smtp, ...)
Sandboxes + proactive internet “browsing”
End points around the globe
Public discussion groups of interest: scrapping and indexing
![Page 5: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/5.jpg)
Overview
![Page 6: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/6.jpg)
What makes the news..
Malware
Black SEO
Fake AV
Mass injections
CC abuse
![Page 7: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/7.jpg)
MAIN ACTORS
Kiddies
Profit-oriented crime
APT
![Page 8: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/8.jpg)
Range of players!
![Page 9: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/9.jpg)
Kiddies: hit our honeypots daily :)
![Page 10: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/10.jpg)
Still living in the IRC-bot age
![Page 11: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/11.jpg)
APT
• Kiddies are not very interesting. Following the APT guys is a bit more fun
APT – advanced persistent threat (made lots of noise after the Aurora attacks). But.. how advanced is that, really? :-)
![Page 12: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/12.jpg)
APT: attack vectors – often plain silly
![Page 13: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/13.jpg)
APT: in Taiwan
• Targets: academics, post, rail, ..
![Page 14: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/14.jpg)
APT: main characteristics
• Attacks are planned and methodical
• In many instances – the primary aim of an action is information gathering (i.e. javascript that collects and posts the user environment information)
• Malicious content is well-prepared (digitally signed w/ valid certificates etc etc)
![Page 15: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/15.jpg)
APT Research from xecure-lab guys
![Page 16: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/16.jpg)
Aptdeezer: apt analysis platform from xecure-lab
![Page 17: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/17.jpg)
Businessmen are fun to study :)
Online goods
services
Traffic
![Page 18: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/18.jpg)
How to steal a million?
![Page 19: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/19.jpg)
Effectiveness
• Old school: steal it from a bank. Make a lot of noise and either get caught (or run to South America)
• New school: steal a dollar from a million people. It is still a million (and no noise).
![Page 20: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/20.jpg)
So, where is the money?
CC cashing
Banking credentials
Ads (PPC)
Mobile scam
Pharm
Pr0n
DIRECT SOURCES:
Extortions
“Software”
INDIRECT SOURCES:
TRAFF
Credentials
Online goods & services
![Page 21: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/21.jpg)
TRAFFIC..
• You need users to start visiting your “milking resource” to start with..
![Page 22: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/22.jpg)
TRAF. COST
• AU - 300-550$
• UK - 220-300$
• IT - 200-350$
• NZ - 200-250$
• ES,DE,FR - 170-250$
• US - 100-150$
• RU, UA, KZ, KG .. 10-40$
![Page 23: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/23.jpg)
Case studies
![Page 24: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/24.jpg)
Infrastructure compromise: case study
![Page 25: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/25.jpg)
UNDER THE HOOD
![Page 26: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/26.jpg)
Looking into Packet fields
![Page 27: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/27.jpg)
TRACKING THE GHOST
![Page 28: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/28.jpg)
HYPO: ATTACK SCENARIO
![Page 29: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/29.jpg)
RESULTED IN...
http://tools.cisco.com/security/center/viewAlert.x?alertId=17778
![Page 30: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/30.jpg)
Compromised CAs
• How about combining this and compromised CA?
![Page 31: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/31.jpg)
WHAT HAD HAPPENED..
Your traffic is mirrored!!
tunnel source <interface>
tunnel destination <badIP>
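The two configuration lines above are the footprint the mirroring tunnel left on the compromised router: a tunnel sourced on a production interface and terminated on an address the operator never provisioned. As an added example (not Armorize's code and not the real configuration from this case), the script below parses Cisco IOS-style "interface TunnelN" stanzas, compares them with a known-good baseline, and flags any tunnel that is new, changed, undocumented, or whose destination falls outside an allowlist of expected peers. The configs, the allowlist and every address are constructed placeholders in RFC 5737 documentation ranges.

```python
"""Spot unexpected tunnel interfaces in a Cisco IOS-style configuration.

Added example for this transcript, not Armorize's code or the incident's
real configuration. It parses ``interface TunnelN`` stanzas, compares them
with a known-good baseline, and flags any tunnel destination outside an
allowlist of expected peers. The configs and addresses below are
constructed (RFC 5737 documentation ranges), not real infrastructure.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed known-good baseline: one legitimate site-to-site tunnel.
BASELINE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.10 255.255.255.0
!
interface Tunnel0
 description Site-to-site to branch office
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.200
!
"""

# Constructed "current" config: the same, plus a tunnel nobody provisioned.
CURRENT_CONFIG = BASELINE_CONFIG + """\
interface Tunnel7
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
!
"""

# Hypothetical allowlist of peers the operator expects tunnels to terminate on.
KNOWN_PEERS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_tunnels(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each Tunnel interface name to its source, destination and description."""
    tunnels: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[Dict[str, Optional[str]]] = None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)\s*$", line)
        if m:
            current = tunnels.setdefault(
                m.group(1), {"source": None, "destination": None, "description": None})
            continue
        if line and not line[0].isspace():
            current = None  # any non-indented line ends the interface stanza
            continue
        if current is None:
            continue
        body = line.strip()
        for key, prefix in (("source", "tunnel source "),
                            ("destination", "tunnel destination "),
                            ("description", "description ")):
            if body.startswith(prefix):
                current[key] = body[len(prefix):].strip()
    return tunnels


def audit_tunnels(current: str, baseline: str, known_peers=KNOWN_PEERS) -> List[dict]:
    """Return findings for tunnels that are new, changed, or point at unknown peers."""
    now, then = parse_tunnels(current), parse_tunnels(baseline)
    findings = []
    for name, t in now.items():
        reasons = []
        if name not in then:
            reasons.append("not present in baseline")
        elif then[name] != t:
            reasons.append("differs from baseline")
        dest = t["destination"]
        if dest is not None:
            try:
                addr = ipaddress.ip_address(dest)
                if not any(addr in net for net in known_peers):
                    reasons.append("destination %s not in known-peer allowlist" % dest)
            except ValueError:
                reasons.append("destination %r is not an IP address" % dest)
        if not t["description"]:
            reasons.append("no description")
        if reasons:
            findings.append({"interface": name, "source": t["source"],
                             "destination": dest, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tunnels(CURRENT_CONFIG, BASELINE_CONFIG):
        print("%s (%s -> %s): %s" % (f["interface"], f["source"],
                                     f["destination"], "; ".join(f["reasons"])))
```

Run against a real device, the same logic would consume the output of "show running-config" and a baseline pulled from configuration management; the baseline comparison is what catches a tunnel that an attacker added with an innocent-looking description and a destination inside an otherwise trusted range.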
![Page 32: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/32.jpg)
How were they 0wn3d?
![Page 33: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/33.jpg)
AND MORE..
![Page 34: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/34.jpg)
LESSON LEARNT
• The whole city compromised
• Users infected on the fly, while visiting legitimate web sites
• Tricky to investigate
• Affected parties - complete denial
![Page 35: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/35.jpg)
Other varieties ;-)
![Page 36: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/36.jpg)
Ad ABUSE: “MALVERTISEMENT”
![Page 37: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/37.jpg)
Introducing ad-space hell :)
Source: razorfishmedia.com
![Page 38: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/38.jpg)
Ad network dynamic bidding
• Ad network dynamic bidding system is asking for abuse :-)
• Decentralized: small players feed data to the bigger guys (DoubleClick)
• Verification is mostly manual
• Real-time content tampering is easy
• Automated target selection
• A number of mechanisms that prevent click fraud (and make automated analysis hard!!!)
![Page 39: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/39.jpg)
MALVERT. Mechanics
iframe → redirect → iframe → redirect → iframe → iframe to TDS
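The chain above (an iframe, a redirect, another iframe, and so on until an iframe hands the visitor to a TDS) is what an analyst has to follow to learn where a malicious creative actually lands. As an added example, not Armorize's tooling, the script below walks such a chain offline against a constructed in-memory "web" (URL to status, headers and body), recognising iframe src attributes, HTTP 3xx Location headers, meta refresh tags and JavaScript location assignments, and reports every hop, which hops cross domains, and the final URL. The domains (.example) and responses are constructed to match the slide's chain shape, not a real campaign.

```python
"""Walk an ad creative's iframe/redirect chain offline and record each hop.

Added example for this transcript, not Armorize's tooling. The "web" below is
a constructed in-memory map of URL -> (HTTP status, headers, body); domains
use .example (RFC 2606), and the chain shape (iframe, redirect, iframe, ...,
iframe to a TDS) follows the slide, not a real campaign.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urljoin, urlparse

Response = Tuple[int, Dict[str, str], str]

# Constructed responses standing in for the ad network, an intermediary and a TDS.
FAKE_WEB: Dict[str, Response] = {
    "http://ads.example/creative.html":
        (200, {}, '<html><iframe src="http://cdn-ads.example/show?id=42"></iframe></html>'),
    "http://cdn-ads.example/show?id=42":
        (302, {"Location": "http://relay.example/r.php"}, ""),
    "http://relay.example/r.php":
        (200, {}, '<html><iframe src="/frame2.html" width=1 height=1></iframe></html>'),
    "http://relay.example/frame2.html":
        (200, {}, '<meta http-equiv="refresh" content="0;url=http://tds.example/in.cgi?3">'),
    "http://tds.example/in.cgi?3":
        (200, {}, '<script>top.location.href="http://tds.example/go/landing";</script>'),
    "http://tds.example/go/landing":
        (200, {}, "<html>final</html>"),
}

# The three client-side hop mechanisms the slide's chain relies on.
IFRAME_SRC = re.compile(r"<iframe[^>]*\ssrc=[\"']([^\"']+)[\"']", re.I)
META_REFRESH = re.compile(
    r"<meta[^>]*http-equiv=[\"']refresh[\"'][^>]*content=[\"']\s*\d+\s*;\s*url=([^\"'\s>]+)", re.I)
JS_LOCATION = re.compile(
    r"(?:top|window|document|self)?\.?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)


def next_hop(url: str, resp: Response) -> Tuple[str, str]:
    """Return (mechanism, absolute next URL), or ("", "") if the page is terminal."""
    status, headers, body = resp
    if 300 <= status < 400 and "Location" in headers:
        return "http-%d" % status, urljoin(url, headers["Location"])
    for mech, rx in (("iframe", IFRAME_SRC), ("meta-refresh", META_REFRESH),
                     ("js-location", JS_LOCATION)):
        m = rx.search(body)
        if m:
            return mech, urljoin(url, m.group(1))
    return "", ""


def walk_chain(start: str, web: Dict[str, Response], max_hops: int = 20) -> List[dict]:
    """Follow hops from start until a terminal page, a loop, or an unknown URL."""
    chain, seen, url = [], set(), start
    for _ in range(max_hops):
        if url in seen or url not in web:
            break
        seen.add(url)
        mech, nxt = next_hop(url, web[url])
        if not mech:
            break
        chain.append({"from": url, "via": mech, "to": nxt,
                      "cross_domain": urlparse(url).hostname != urlparse(nxt).hostname})
        url = nxt
    return chain


def summarize(chain: List[dict]) -> dict:
    """Condense a chain into the numbers an analyst compares across creatives."""
    hosts = {urlparse(h["from"]).hostname for h in chain} | {urlparse(h["to"]).hostname for h in chain}
    return {"hops": len(chain),
            "cross_domain_hops": sum(h["cross_domain"] for h in chain),
            "final": chain[-1]["to"] if chain else None,
            "domains": sorted(hosts)}


if __name__ == "__main__":
    for hop in walk_chain("http://ads.example/creative.html", FAKE_WEB):
        print("%-12s %s -> %s%s" % (hop["via"], hop["from"], hop["to"],
                                    "  [cross-domain]" if hop["cross_domain"] else ""))
    print(summarize(walk_chain("http://ads.example/creative.html", FAKE_WEB)))
```

Against live traffic the in-memory map would be replaced by recorded responses from a sandboxed browser; the hop count, the number of domain changes and the terminal host are the features that let a verification team separate an ordinary ad-serving chain from one that ends in a traffic distribution system.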
![Page 40: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/40.jpg)
Malvertisement (cont)
![Page 41: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/41.jpg)
Malvert: agencies get 0wned
• Pulpomedia incident:
![Page 42: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/42.jpg)
Extortions going international
![Page 43: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/43.jpg)
Also a Spanish version
Credit: http://xylibox.blogspot.com/
![Page 44: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/44.jpg)
Common characteristics
• Hosting and domain registration
Registration Service Provided By: Bizcn.com
Website: http://www.cnobin.com
Whois Server: whois.bizcn.com
Domain name: bundespol.net
Registrant Contact: Whois Privacy Protection Service Whois Agent [email protected] +86.05922577888 fax: +86.05922577111 No. 61 Wanghai Road, Xiamen Software Park xiamen fujian 361008 cn
person: Ionut Tripa
remarks: SC GoldenIdeas SRL
address: Str. Drumul Sarii, nr. 57C
address: Sector 6, Bucuresti
phone: +0744885334
abuse-mailbox: [email protected]
nic-hdl: IT1737-RIPE
source: RIPE # Filtered
mnt-by: GOLDENIDEAS-MNT
![Page 45: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/45.jpg)
WAS ON THE NEWS
![Page 46: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/46.jpg)
COMMON PATTERNS
Exploits Social tricks
![Page 47: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/47.jpg)
“Social engineering”
![Page 48: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/48.jpg)
Well-operated :)
• Spreads through advertisements (social engineering and exploits)
• Reboots machine until license is purchased (80USD)
• Provides support hotline (hosted in India)
• Uses legitimate payment gateways (possible to do refunds)
![Page 49: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/49.jpg)
Another attack: infrastructure
![Page 50: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/50.jpg)
Infrastructure
Speedtest.net
Ads.ookla.com
http://35ksegugsfkfue.cx.cc
![Page 51: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/51.jpg)
TDS systems: TRAFF marketplace
![Page 52: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/52.jpg)
COMMON TDS
![Page 53: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/53.jpg)
TDS + verification srv
![Page 54: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/54.jpg)
SEO: Another option
• Black SEO:
![Page 55: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/55.jpg)
SEO USE and abuse :)
<*bad* word (rus)
![Page 56: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/56.jpg)
SEO SERVICES
![Page 57: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/57.jpg)
Goods and services: Sampling :)
![Page 58: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/58.jpg)
Digital currencies
• Modern-day hawala
![Page 59: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/59.jpg)
Amusing portals
![Page 60: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/60.jpg)
PASSPORT COPIES
![Page 61: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/61.jpg)
.. OR A SET
For money of any state of dirtiness. Pack includes:
1. Online bank account access
2. ATM card (1000/6000 USD per month withdrawal limit)
3. Online access passwords
4. Passport copy of “poor john”
5. SIM card
![Page 62: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/62.jpg)
MALWARE Q/A AND HOSTING
![Page 63: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/63.jpg)
Abuse-resistant hosting
![Page 64: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/64.jpg)
CLOUD-cracking
![Page 65: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/65.jpg)
AND CAPTCHA
![Page 66: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/66.jpg)
MOBILE
So far - easy to spot with static analysis tools (android, j2me)
![Page 67: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/67.jpg)
Press the button “stop” as soon as possible!
![Page 68: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/68.jpg)
LEARNING POSSIBILITIES :)
![Page 69: 0nights2011](https://reader033.fdocuments.in/reader033/viewer/2022061223/54c68f854a7959bc708b456b/html5/thumbnails/69.jpg)
Questions