Transcript of: Fyodor Yarochkin (@fygrave), 2011.zeronights.org/files/fyodoryarochkin-dissecting...
Dissecting unlawful Internet Activities
Fyodor Yarochkin
@fygrave
AGENDA
Observations
Case studies
Sampling goods and services
Q & A
MEET THE AUTHORS
Our environment
Honeypots (http, ftp, ssh, smtp, ...)
Sandboxes + proactive internet “browsing”
End points around the globe
Public discussion groups of interest: scrapping and indexing
Overview
What makes the news..
Malware
Black SEO
Fake AV
Mass Injections
CC abuse
MAIN ACTORS
Kiddies | Profit Oriented
Crime | APT
Range of players!
Kiddies: hit our honeypots daily :)
Still live in IRCBOT age
APT
• Kiddies are not very interesting. Following the APT guys is a bit more fun
APT – advanced persistent threat (made lots of noise after the Aurora attacks). But... how advanced is that, really? :-)
APT: attack vectors – often plain silly
APT: in taiwan
• Targets: academics, post, rail, ..
APT: main characteristics
• Attacks are planned and methodological
• In many instances – the primary aim of an action is information gathering (i.e. javascript that collects and posts the user environment information)
• Malicious content is well-prepared (digitally signed w/ valid certificates etc etc)
APT Research from xecure-lab guys
Aptdeezer: apt analysis platform from xecure-lab
Businessmen are fun to study:)
Online goods
services
Traffic
How to steal a million?
Effectiveness
• Old school: steal it from a bank. Make a lot of noise and either get caught (or run to South America)
• New school: steal a dollar from a million people. It is still a million (and no noise).
So, where is the money?
CC cashing
Banking credentials
Ads (PPC)
Mobile scam
Pharm
Pr0n
DIRECT SOURCES:
Extortions, “Software”
INDIRECT SOURCES:
Traffic, credentials, online goods & services
TRAFFIC..
• You need users to start visiting your “milking resource” to start with..
TRAF. COST
• AU - 300-550$
• UK - 220-300$
• IT - 200-350$
• NZ - 200-250$
• ES,DE,FR - 170-250$
• US - 100-150$
• RU, UA, KZ, KG .. 10-40$
Case studies
Infrastructure compromise: case study
UNDER THE HOOD
Looking into Packet fields
TRACKING THE GHOST
HYPO: ATTACK SCENARIO
RESULTED IN...
http://tools.cisco.com/security/center/viewAlert.x?alertId=17778
Compromised CAs
• How about combining this and compromised CA?
WHAT HAD HAPPENED..
Your traffic is mirrored!!
tunnel source <interface>
tunnel destination <badIP>
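The two config lines above are the whole trick: a GRE tunnel whose destination is an address the network owner never configured. The following is an added example, not code from the talk, that audits a Cisco IOS-style running-config for tunnel interfaces whose destination is not on an approved peer list. The sample config and the approved 192.0.2.0/24 peer range are constructed placeholders (documentation address space), as is the "bad" 203.0.113.45 endpoint.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed running-config fragment (not from the talk). Tunnel0 is the
# legitimate site-to-site link; Tunnel7 points at an unexpected endpoint.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink
 ip address 192.0.2.2 255.255.255.0
!
interface Tunnel0
 description legit site-to-site
 tunnel source GigabitEthernet0/1
 tunnel destination 192.0.2.100
!
interface Tunnel7
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.45
!
"""

# Tunnel peers the network team actually operates (assumed allowlist).
APPROVED_TUNNEL_PEERS = [ip_network("192.0.2.0/24")]


def parse_interfaces(config_text):
    """Return {interface name: [indented stanza lines]} for every interface block."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return interfaces


def find_unapproved_tunnels(config_text, approved=APPROVED_TUNNEL_PEERS):
    """List (interface, source, destination, reason) for tunnels with unexpected peers."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        if not name.lower().startswith("tunnel"):
            continue
        src = dst = None
        for line in lines:
            m = re.match(r"tunnel source (\S+)", line)
            if m:
                src = m.group(1)
            m = re.match(r"tunnel destination (\S+)", line)
            if m:
                dst = m.group(1)
        if dst is None:
            continue  # no destination configured, nothing to mirror to
        try:
            peer = ip_address(dst)
        except ValueError:
            findings.append((name, src, dst, "unparseable destination"))
            continue
        if not any(peer in net for net in approved):
            findings.append((name, src, dst, "destination not on approved peer list"))
    return findings


if __name__ == "__main__":
    for finding in find_unapproved_tunnels(SAMPLE_CONFIG):
        print("ALERT:", finding)
```

Run this over configs pulled by your config-backup job; a tunnel interface that appears between two backups, with a destination nobody recognises, is exactly the artefact the case study describes.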
How were they 0wn3d?
AND MORE..
LESSON LEARNT
• The whole city compromised
• Users infected on the fly. Visiting legitimate web sites
• Tricky to investigate
• Affected parties - complete denial
Other varieties ;-)
Ad ABUSE: “MALVERTISEMENT”
Introducing ad space hell :)
Source: razorfishmedia.com
Ad network dynamic bidding
• Ad network dynamic bidding system is asking for abuse :-)
• Decentralized: small players feed data to bigger guys (doubleclick), verification is mostly manual, real-time content tampering is easy, automated target selection, a number of mechanisms that prevent click fraud (and make automated analysis hard!!!)
MALVERT. Mechanics
iframe
redirect
iframe
redirect
iframe
Iframe to TDS
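The chain sketched above (iframe, redirect, iframe, redirect, ..., iframe to the TDS) is what an analyst has to reconstruct from a capture. The following is an added example, not code from the talk, that walks such a chain offline from a constructed set of captured HTTP responses, following the first redirect or iframe hop on each page, and flags chains that are both long and span several hosts. All hostnames are placeholders under `.invalid`.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed capture (not from the talk): url -> (status, headers, body).
# Publisher page -> ad network 1 -> ad network 2 -> 1x1 iframe -> redirect to a TDS.
CAPTURE = {
    "http://ads.publisher.invalid/slot.html":
        (200, {}, '<html><iframe src="http://net1.adnet.invalid/serve?id=1"></iframe></html>'),
    "http://net1.adnet.invalid/serve?id=1":
        (302, {"Location": "http://net2.adnet.invalid/c"}, ""),
    "http://net2.adnet.invalid/c":
        (200, {}, '<iframe src="/frame.html" width="1" height="1"></iframe>'),
    "http://net2.adnet.invalid/frame.html":
        (302, {"Location": "http://tds.placeholder.invalid/go"}, ""),
    "http://tds.placeholder.invalid/go":
        (200, {}, "<html>landing</html>"),
}

IFRAME_SRC = re.compile(r'<iframe[^>]+src=["\']([^"\']+)["\']', re.I)


def next_hops(url, response):
    """Return [(kind, absolute_url)] hops a browser would take from this response."""
    status, headers, body = response
    if 300 <= status < 400 and "Location" in headers:
        return [("redirect", urljoin(url, headers["Location"]))]
    return [("iframe", urljoin(url, src)) for src in IFRAME_SRC.findall(body)]


def walk_chain(start, capture, max_depth=10):
    """Follow the first hop from each page until the chain ends, loops, or hits max_depth."""
    chain, seen, url = [("start", start)], {start}, start
    while url in capture and len(chain) <= max_depth:
        hops = next_hops(url, capture[url])
        if not hops:
            break
        kind, nxt = hops[0]
        if nxt in seen:
            chain.append(("loop", nxt))
            break
        seen.add(nxt)
        chain.append((kind, nxt))
        url = nxt
    return chain


def chain_hosts(chain):
    return [urlparse(u).netloc for _, u in chain]


def is_suspicious(chain, min_hops=3, min_hosts=3):
    """Heuristic: many hops across many distinct hosts is typical of TDS-fed malvertising."""
    hops = len(chain) - 1
    return hops >= min_hops and len(set(chain_hosts(chain))) >= min_hosts


if __name__ == "__main__":
    chain = walk_chain("http://ads.publisher.invalid/slot.html", CAPTURE)
    for kind, url in chain:
        print(f"{kind:9s} {url}")
    print("suspicious:", is_suspicious(chain))
```

The heuristic is deliberately simple; in practice you would also record the Referer and the ad-network identifiers on each hop, since those are what let you attribute the chain back to the bidding slot that served it.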
Malvertisement (cont)
Malvert: agencies get 0wned
• Pulpomedia incident:
Extortions going international
Also spanish version
Credit: http://xylibox.blogspot.com/
Common characteristics
• Hosting and domain registration
Registration Service Provided By: Bizcn.com
Website: http://www.cnobin.com
Whois Server: whois.bizcn.com
Domain name: bundespol.net
Registrant Contact: Whois Privacy Protection Service
Whois Agent [email protected]
+86.05922577888 fax: +86.05922577111
No. 61 Wanghai Road, Xiamen Software Park, xiamen fujian 361008 cn
person: Ionut Tripa
remarks: SC GoldenIdeas SRL
address: Str. Drumul Sarii, nr. 57C
address: Sector 6, Bucuresti
phone: +0744885334
abuse-mailbox: [email protected]
nic-hdl: IT1737-RIPE
source: RIPE # Filtered
mnt-by: GOLDENIDEAS-MNT
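Shared registration details are the "common characteristic" that ties the domains of one operation together. The following is an added example, not code from the talk, that parses `key: value` whois output for several domains and reports which maintainer handles, contact handles and registrars are shared by more than one domain. The three records and every name in them are constructed placeholders, not the records shown above.

```python
import re
from collections import defaultdict

# Constructed whois output for three placeholder domains (not the talk's data).
# Registrar lines and the RIPE person object are mixed the way a whois client prints them.
SAMPLE_WHOIS = {
    "shop-one.invalid": """\
Domain name: shop-one.invalid
Registration Service Provided By: REGISTRAR-ONE
Whois Server: whois.registrar-one.invalid
person: Placeholder Person
nic-hdl: PH0001-RIPE
mnt-by: PLACEHOLDER-MNT
""",
    "shop-two.invalid": """\
Domain name: shop-two.invalid
Registration Service Provided By: REGISTRAR-TWO
Whois Server: whois.registrar-two.invalid
person: Placeholder Person
nic-hdl: PH0001-RIPE
mnt-by: PLACEHOLDER-MNT
""",
    "shop-three.invalid": """\
Domain name: shop-three.invalid
Registration Service Provided By: REGISTRAR-ONE
Whois Server: whois.registrar-one.invalid
person: Other Person
nic-hdl: OP0002-RIPE
mnt-by: OTHER-MNT
""",
}

# Fields worth pivoting on: mnt-by and nic-hdl identify who controls the object,
# the registrar line shows a shared sign-up path.
PIVOT_KEYS = ("mnt-by", "nic-hdl", "registration service provided by")

# A whois line is "Key Words: value"; keys are letters, spaces and hyphens.
KV_LINE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.+?)\s*$")


def parse_whois(text):
    """Return {lowercased key: [values]}; repeated keys (e.g. address) keep every value."""
    fields = defaultdict(list)
    for line in text.splitlines():
        m = KV_LINE.match(line.strip())
        if m:
            fields[m.group(1).strip().lower()].append(m.group(2))
    return fields


def shared_attributes(records, keys=PIVOT_KEYS):
    """Map (key, value) -> sorted domains, keeping only values seen on two or more domains."""
    index = defaultdict(set)
    for domain, text in records.items():
        fields = parse_whois(text)
        for key in keys:
            for value in fields.get(key, []):
                index[(key, value)].add(domain)
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}


if __name__ == "__main__":
    for (key, value), domains in sorted(shared_attributes(SAMPLE_WHOIS).items()):
        print(f"{key} = {value}: {', '.join(domains)}")
```

Privacy-protected registrations (as in the bundespol.net record) defeat the registrant pivot, which is why the maintainer handle and the hosting side of the record are usually the more useful keys.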
WAS ON THE NEWS
COMMON PATTERNS
Exploits Social tricks
“Social engineering”
Well-operated :)
• Spreads through advertisements (social engineering and exploits)
• Reboots machine until license is purchased (80USD)
• Provides support hotline (hosted in India)
• Uses legitimate payment gateways (possible to do refunds)
Another attack: infrastructure
Infrastructure
Speedtest.net
Ads.ookla.com
http://35ksegugsfkfue.cx.cc
TDS systems: TRAFF marketplace
COMMON TDS
TDS + verification srv
SEO:Another option
• Black SEO:
SEO USE and abuse :)
<*bad* word (rus)
SEO SERVICES
Goods and services :Sampling :)
Digital currencies
• Modern day hawala
Amusing portals
PASSPORT COPIES
.. OR A SET
For money of any state of dirtiness. Pack includes:
1. Online bank account access
2. ATM card (1000/6000USD per month withdrawal limit)
3. online access passwords
4. Passport copy of “poor john”
5. SIM card
MALWARE Q/A AND HOSTING
Abuse-resistant hosting
CLOUD-cracking
AND CAPTCHA
MOBILE
So far - easy to spot with static analysis tools (android, j2me)
Press the button “stop” as soon as possible!
LEARNING POSSIBILITIES :)
Questions