malware-ct by liwenting


Security Presentation                                                   02.2011

Slide 1: Global Internet (In)$ecurity - Who's In Your Wallet?

2.14.11

Background art on the title slide: a Python fragment that builds an SMB
negotiate-protocol packet, and a hex dump of shellcode whose ASCII column
shows fragments of GetTickCount, ws2_32.dll, socket and send:

    "\x00\x00\x00\x90" # Begin SMB header: Session message
    "\x72\x00\x00\x00" # Negotiate Protocol
    "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
    "\x00\x26"         # normal value should be "\x00\x00"
    s = socket()

    89e5 5168 2e64 6c6c 6865 6c33 3268 6b65
    726e 5168 6f75 6e74 6869 636b 4368 4765  rn..ount.ickC.Ge
    7454 66b9 6c6c 5168 3332 2e64 6877 7332  tT..ll..32.d.ws2
    5f66 b965 7451 6873 6f63 6b66 b974 6f51
    6873 656e 64be 1810 ae42 8d45 d450 ff16  .send...........

Slide 2: (In)Security Menu
- All Hostile, All The Time
- Meet Malware Inc.
- Fake Fake Fake
- ZeuS and Friends
- Defenses

Slide 3: Threat Environment
- Curious Hacker - golden age of hacking is over
- Disgruntled Employee
- Government Sanctioned - cyberterrorist
- Activists - 4chan, Anonymous
- Black Hat
- Script Kiddie
- Economic Opportuni$t - 419, financial fraud
- Evil has to sleep at night, stupidity is 24/7

Slide 4: Common Types of Attacks (diagram)
Diagram labels: Attackers; Organizational Attacks; Automated Attacks;
Restricted Data; Accidental Breaches In Security; Connection Fails;
DoS / Denial of Service (DoS); Viruses, Trojan Horses, and Worms

Slide 5: 2010 Exposed Records

    Sector                          Records exposed
    Banking/Credit/Financial              4,853,708
    Business                              6,626,435
    Educational Facilities                1,598,266
    Government/Military                   1,214,773
    Medical/Healthcare                    1,874,360
    Total (662 incidents)                16,167,542

U.S. only - report date 12/28/2010
Source - Identity Theft Resource Center

Slide 6: Physical & Cloud Access
Outsourcing can provide the physical access:
- Less physical control of computers and networks
- Less oversight of staff (hiring, practices)
- Less control over Intellectual Property (IP)
- Less control over Confidential Information (SSNs)
- Harder to detect a leak or breach
- May increase risk from local employees (revenge)
Clouds move data closer to the bad guys:
- Cloud Services - outsource w/abstracted location
- Cloud email, sanitation, data storage
Reboot the Cloud!

Caltrans
Slide 7: Supply Chain Attack - 1982
- Soviets building a Siberian Natural Gas pipeline
- Soviets obtained Western technology
- CIA had added extra features to pipeline software
- Pumps & valves exceeded design limits
- Resulted in an enormous explosion
- NORAD thinks it's the bomb
- National Security Council then briefed by CIA

Slide 8: Supply Chain Attack 2010
Stuxnet Worm Targets Iran's Nuclear Program (NY Times, Jan 15, 2011)
- Most sophisticated cyber weapon yet deployed
- Targeted Siemens SCADA controllers (P.L.C.) running Step 7
  - Recorded normal operations data
  - Played it back to fool operators
  - Sent centrifuges spinning wildly out of control
- 984 nuclear centrifuges damaged
- 20% of Iran's capacity
- Likely - Israeli & US operation
- Is a missile any different?
- Code now available for others
- Are we at risk?

Slide 9: Certified Pre-0wn3d
- Digital Picture Frames - win32Mocmex.AM
- USB thumb drives - w32Fakerecy, w32.SillyFDC
- TomTom GPS devices - win32Perlovga.A Trojan, backdoor
- Seagate Hard drives - win32.AutoRun.ah
- MP3 players - worm.win32.Fujack.aa
- Apple Video iPod - RavMonE.exe virus
- Razer device drivers - Worm
- Cisco VPN Client CD - Mexican Narco Corridos MP3s
- Energizer USB Charger - Trojan (2010)
- Vodaphone HTC phone - mariposa bot
- Dell Rack Server - malware
- Olympus camera - autorun worm
- IBM USB drive distributed at AusCERT - malware
Creative * HP * ASUS * Toshiba

Slide 10: Computer Supply Chain Sources (image)

Slide 11: Supply Chain Attacks
- Why send malicious code over the Internet if you can pre-infect computer parts or consumer devices?
- Can the supply chain be secured in the age of globalization?
- Malicious or from 'improper digital

Slide 12: Attack Surfaces
- Adding Internet/Networking is cheap
- Set top boxes, DVRs, routers, cars
- Flaws will be found
- Nov 4, 2010 - holes in mobile Android apps from BofA, Chase, Wells Fargo, & TD Ameritrade disclosed


Slide 13: Sensor Networks
Video Encoders, Road Sensors, CMS, Sprinklers…

Slide 14: IP Enabled Smart Networks
- Implemented on microcontrollers and radios
- Cost is less than $2.00.
- An IPv6 stack can be built in <12 Kb code
- Stack requires <2 Kb memory
- Server often a standard Apache Webserver
- Default passwords
- Safety Third
Slide 15: (section divider; the background repeats the SMB packet fragment from the title slide)

Slide 16: Fake Gambling Sites
- Created using template kits
- Installs win32.GameCasino trojan
- Active in Amazon's web services cloud
The logos mean it's the real deal…. right?

Slide 17: Fake Gambling Sites
Who is the target audience?
- Likes to go to casino
- Has credit cards
  - Download - Casino Software
  - Register - free account (needs a cc card)
  - Claim - Bonus Coupon
- Play a casino game - Realtime Gaming - Not!
- Revenue stream!
  - Charge made - rarely contested $
  - Numbers sold $

Slide 18: Fake Security Patch
- Sources: infected websites, e-mail attachments
- Users are accustomed to patches
- Fake Codecs


Slide 19: Fake Alerts
- Site injects fake alert
- Goal: get user to click OK
- Social Engineering

Slide 20: Hidden IFrame Injection
- Found on transportation district websites
- Found on transportation vendor websites
- Both lack IT staff & expertise
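A site owner without a security team can still check their own pages for the injection described on slide 20. The following is an added example, not code from the presentation: it parses a page with the Python standard library and flags any iframe that is sized to 0 or 1 pixel, hidden or pushed off-screen by its inline style, or loaded from a domain other than the page's own. The sample HTML, the district hostname and the attacker hostname are all constructed placeholders.

```python
"""Hidden-iframe scan for web pages.

Flags <iframe> elements that are sized to be invisible, styled hidden or
positioned off-screen, and notes when the frame loads from a domain other
than the page's own. Standard library only; the sample HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments (compared with whitespace removed) that hide a frame.
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "left:-", "top:-")


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 ("0", "1px", "1")."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_suspicious_iframes(html, page_url):
    """Return [(src, [reasons])] for every iframe that looks injected or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname or ""
    findings = []
    for attrs in parser.iframes:
        reasons = []
        style = attrs.get("style", "").replace(" ", "").lower()
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("zero/one-pixel size")
        if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
            reasons.append("hidden or off-screen style")
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname or ""
        if src_host and src_host != page_host:
            reasons.append("third-party source " + src_host)
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a district-style page with a legitimate embedded map and
# an injected 1x1, display:none frame pointing at a placeholder attacker host.
SAMPLE_HTML = """<html><body>
<h1>District 4 Road Conditions</h1>
<iframe src="https://www.example-district.gov/map" width="600" height="400"></iframe>
<iframe src="http://bad.example.invalid/in.php" width="1" height="1"
        style="display:none; position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "https://www.example-district.gov/"):
        print(src, "->", "; ".join(reasons))
```

The reasons accumulate per frame: a third-party source on its own is only informational (maps and video embeds look like that too), but a third-party frame that is also one pixel tall and styled display:none is the pattern the slide describes. The style markers are a deliberately loose heuristic, so `left:-` will also catch a negative margin; review hits by hand.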

Slide 21: Fake Antivirus
- Widespread
- Misleading results
- Hard to remove
- Installs system tray
- Annoying frequent
- Requests payment for registered version
- Payment info

Slide 22: Fakeware
- Hundreds of variants
- Malware is 'kit' based
- Cost: $300-$2000 USD

Slide 23: Fakeware
- Phrase themes
- Trust in Malware

Slide 24: Fake Password Manager
"All your passwords are belong to us..."
Another meme, see


Slide 25: Ransomware
DatCrypt
- January 2010
- Encrypts Office files
- Blocks access to anti-malware sites
- Advises you to download file repair software (see next slide)

Slide 26: Ransomware
- Free repair program limited to one file
- Pay $50 - $89.95 to recover all (encrypted) files
- User may not realize they are paying a ransom
Recovery:
- Backups
- Restore points
- Cracks

Slide 27: Fake Piracy Scam
- First seen: April 12, 2010
- Claims to detect pirated files - sets wallpaper to: (image)

Slide 28: Fake Piracy Scam
- Tax on clueless
- Traffic fee?
- Fraud warning?
IRONY METER

Slide 29: Fake IRS Notice
Attached file is a downloader trojan

Slide 30: Fake Email Quarantine
Fake SPAM
- Fake bounce notice
- All links lead to a downloader trojan
- Who from? SMTP headers a
  - Not easy to find


Slide 31: Fake Sirius Notice (image)

Slide 32: Fake Sirius Notice (image)

Slide 33: Fake Password/Delivery
3/17/10 - Facebook Password Reset Advisory
- Spoofed email - "Your password changed"
- Attached .zip - supposed to be new password
- Contents: downloader trojan
- Ploy is 2+ years old
- Same as fake: DHL notice, WesternUnion, UPS notice
- And it still works!!!

Slide 34: Fake LinkedIn Email
9/28/10 - Fake LinkedIn emails lead to ZeuS Trojan
- Tens of billions of messages in just one day
- One of largest attacks seen
- Looked like legitimate LinkedIn invites
- Link redirects to a Web page
- Displays: "Please waiting .... 4 seconds"
- Then redirects to Google
- Malicious JavaScript hidden in iFrame then:
  - Learns what applications are running
  - Determines if a vulnerability exists
  - Drops Zeus malware onto the system
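Slides 30, 33 and 34 all turn on the same three checks a mail administrator can automate: where the message really entered the mail system (the Received: chain, which slide 30 notes is not easy to read by hand), whether the visible sender matches the envelope sender, and whether the links and attachments are what they claim to be. The script below is an added example, not part of the presentation, and uses only the Python standard library. The message it triages is constructed to resemble the password-reset lure of slide 33 with a LinkedIn-style link of slide 34; every hostname and address in it is a documentation or reserved placeholder, and the extension list and the text-versus-href rule are this example's own heuristics.

```python
"""Header, link and attachment triage for a suspicious e-mail.

Walks the Received: chain to the hop nearest the real sender, compares the
visible From: domain with the envelope Return-Path:, flags attachments with
risky extensions, and flags HTML links whose visible text names one host
while the href points at another. The sample message is constructed.
"""
import re
from email import policy
from email.parser import Parser
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".zip", ".exe", ".scr", ".pif", ".bat", ".js")
RECEIVED_FROM = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)


def origin_hop(msg):
    """(claimed_host, parenthesised_detail) from the bottom-most Received: header.

    Relays prepend their own Received: line, so the last one is closest to the sender.
    """
    received = msg.get_all("Received", [])
    match = RECEIVED_FROM.search(received[-1]) if received else None
    return (match.group(1), (match.group(2) or "").strip()) if match else None


def _domain(addr_header):
    """Domain part of an address header such as 'Name <user@host>'."""
    match = re.search(r"@([\w.-]+)", addr_header or "")
    return match.group(1).lower() if match else ""


class LinkCollector(HTMLParser):
    """Pairs each <a href> with the visible text inside the anchor."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message):
    """Return a list of findings (strings) for one raw RFC 822 message."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings = []
    from_dom, rp_dom = _domain(msg["From"]), _domain(msg["Return-Path"])
    if rp_dom and from_dom != rp_dom:
        findings.append("From domain %s != Return-Path domain %s" % (from_dom, rp_dom))
    hop = origin_hop(msg)
    if hop:
        findings.append("earliest relay claims %s %s" % hop)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append("risky attachment " + name)
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                href_host = urlparse(href).hostname or ""
                shown = re.search(r"[\w-]+\.[\w.-]+", text)   # host-like text in the link
                if shown and href_host and not href_host.endswith(shown.group(0).lower()):
                    findings.append("link text %s but href host %s" % (shown.group(0), href_host))
    return findings


# Constructed sample: a "password changed" lure carrying a .zip "new password"
# and a LinkedIn-looking link that really leads to a bare IP. All hosts are
# reserved/documentation names, not real systems.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mailer.example.invalid>
Received: from mx.example-corp.test (mx.example-corp.test [198.51.100.7])
\tby inbound.example-corp.test; 17 Mar 2010 09:12:01 -0800
Received: from facebookmail.example (unknown [203.0.113.45])
\tby mx.example-corp.test; 17 Mar 2010 09:11:58 -0800
From: "Facebook" <service@facebookmail.example>
To: user@example-corp.test
Subject: Your password changed
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Your new password is attached, or visit
<a href="http://203.0.113.45/wait.php">www.linkedin.com/invite</a></body></html>
--b1
Content-Type: application/zip; name="New_Password.zip"
Content-Disposition: attachment; filename="New_Password.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

The only Received: line that can be trusted is the one written by your own inbound relay; everything below it, including the hostname after "from", is supplied by the sender and is exactly what a spoofed message lies about, which is why the example reports the bracketed connecting address alongside the claimed name.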

Slide 35: Fakeware Characteristics
- Modifies hosts file to divert domain references
- Installs even when the user selects no or cancel
- Installs w/o notification or opt-out (drive-by)
- Can't be uninstalled by Add/Remove Programs
- No uninstaller is provided
- Prevents removal of/change to its registry entries
- Silently installs or updates without user awareness
- Silently reinstalls components if they are removed
- Silently modifies/substitutes search results
- Mechanisms to thwart removal by anti-virus clients
- Silently connects to unintended sites

Slide 36: Fakeware
- May redirect on certain sites (looks like Google - but isn't)
- May inject extra HTML (is Google - but with extra)
Attempts to Exploit Trust


Slide 37: Fakeware
- Initial infection can be a simple Browser Helper Object
- May install fake Blue Screen of Death (BSOD)
- Server-side polymorphism - no two clients alike
- May install a rootkit
- May block access to AV sites (hosts file)
- May block and alert on common sites: adobe, blogger, craigslist, ebay, facebook, flickr,
  friendster, gamespot, google, microsoft, msn, myspace, nytimes, photobucket, wikipedia, yahoo
The malware all seems similar, almost organized … Because it is organized

Slide 38: Malware Inc. - "It's How We Roll" (section divider; the background repeats the SMB
packet fragment from the title slide, extended with a padding line and an s.close() call)
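Slides 35 and 37 both single out the hosts file: fakeware rewrites it so that security-vendor sites and the common sites listed above either stop resolving or resolve to an address the attacker controls. The hosts file is plain text, so a short audit is cheap to run from a clean boot. The script below is an added example, not from the presentation: it parses hosts-file text, ignores the standard localhost lines, and reports a watched domain that is sinkholed to a loopback or 0.0.0.0 address ("blocked") or pointed at a routable address ("diverted"). The watched-domain list is the slide's own list plus a few AV vendor domains, the sample content is constructed, and the verdict labels are this example's.

```python
"""Audit hosts-file text for fakeware-style blocking and diversion.

Fakeware commonly rewrites the hosts file so security-vendor and popular
sites resolve to a dead or attacker-controlled address. This reports any
non-local name mapped to a loopback/unspecified address (blocking) and any
watched domain mapped to a routable address (diversion). Standard library
only; the sample hosts content is constructed.
"""
import ipaddress

# Sites the slides list as commonly blocked, plus a few AV vendor domains.
WATCHED_DOMAINS = (
    "adobe.com", "blogger.com", "craigslist.org", "ebay.com", "facebook.com",
    "flickr.com", "friendster.com", "gamespot.com", "google.com", "microsoft.com",
    "msn.com", "myspace.com", "nytimes.com", "photobucket.com", "wikipedia.org",
    "yahoo.com", "symantec.com", "mcafee.com", "kaspersky.com", "avg.com",
)
# Names that legitimately map to loopback/link-local addresses.
LOCAL_NAMES = ("localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost",
               "ip6-loopback", "ip6-allnodes", "ip6-allrouters", "ip6-localnet",
               "ip6-mcastprefix")


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def _is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return [(hostname, address, verdict)] for every suspicious entry."""
    findings = []
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((name, addr, "unparseable address"))
            continue
        if name in LOCAL_NAMES:
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((name, addr, "blocked (sinkholed to local address)"))
        elif _is_watched(name):
            findings.append((name, addr, "diverted to " + addr))
    return findings


# Constructed sample: a stock Windows hosts file with lines appended by fakeware.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- lines below stand in for what the fakeware appended ---
127.0.0.1       www.symantec.com symantec.com
0.0.0.0         update.microsoft.com
203.0.113.9     www.google.com google.com
192.0.2.10      intranet.example-corp.test   # legitimate developer override
"""

if __name__ == "__main__":
    for name, addr, verdict in audit_hosts(SAMPLE_HOSTS):
        print("%-28s %-14s %s" % (name, addr, verdict))
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts and on Unix at /etc/hosts; read it with a tool that does not depend on the possibly-infected system's own resolver. A deliberate ad-blocking hosts list will also show up as "blocked" entries, so treat the report as a diff against what the machine's owner expects rather than a verdict on its own.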

Slide 39: Meet Malware Inc.
Malware Inc. / Gmbh / SA (Société Anonyme)
Organization Chart: PPI; Money Guy; PPI Forum; Software; SEO Black Hat; Affiliate; Botmaster

Slide 40: Malware Inc.
Criminal Organization Directorate
- Russian Business Network (RBN), St. Petersburg
  - Internet Company - web hosting, bandwidth
  - Hosting illegitimate activities more profitable
    - Phishing, spam, malware distribution
    - Denial of service attacks (Georgia, Azerbaijan)
    - Identity theft data brokerage
  - "The baddest of the bad…" - VeriSign
  - "Conduit for cybercrime" - Washington Post
  - 2007 - Partner/affiliate marketing techniques

Slide 41: PPI (Pay-Per-Install)
- PPIs pay Affiliates to distribute a 'toolbar' file
  - Past - adware
  - Present - trojan downloader
- PPI pays the Affiliate per 1,000 installs: $140 US, $30 France, $6 Asia
- Western Union, Moneygram, etc. No form 1099
- Confusion with Pay Per Impression - all good
- PPI networks shown: LoudMo, Earning4U, AdscendMedia, VombaCash, Adsense, PinballNetwork,
  DigiSofts, FileChip, CrazyUpload
- The PPIs are paying out for installs… What is their income from?
(Org chart node: PPI)

Slide 42: PPI (Pay-Per-Install)
- PPI's file is a downloader trojan
- Once installed the trojan uses HTTP to:
  - Check in with the Command & Control server
  - Upload computer info (OS, location, language)
  - Install Browser Helper Objects
  - Download and install more malware:
    - Fake AntiVirus - the PPI income!
    - ZeuS
    - Koobface
    - Rustock rootkit
(Org chart node: PPI)
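The check-in behaviour on slide 42 is what gives a downloader away on the network side: a timer-driven "are there new instructions?" request recurs at near-constant intervals, whereas a person's browsing is bursty. The following is an added example, not from the presentation, of the simplest form of that detection over web-proxy logs. It groups requests by (client, destination host), measures how regular the gaps between requests are, and reports pairs whose gaps barely vary. The log format, the thresholds and all addresses (documentation ranges only) are constructed for this example.

```python
"""Periodic check-in (beacon) detection over web-proxy log lines.

A PPI downloader that checks in with its command-and-control server does so
on a timer, so the gaps between one client's requests to that host are
unusually regular. Requests are grouped by (client, host) and a pair is
reported when the spread of its gaps (stdev/mean) is small. Log lines use a
constructed "timestamp client method url status bytes" format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

MIN_REQUESTS = 5      # fewer events than this cannot establish a rhythm
MAX_SPREAD = 0.15     # stdev/mean of the gaps below this counts as "regular"


def parse_line(line):
    """Return (timestamp, client, host) from one log line in the sample format."""
    ts, client, _method, url, _status, _size = line.split()
    return datetime.fromisoformat(ts), client, urlparse(url).hostname


def find_beacons(lines):
    """Return [(client, host, mean_gap_seconds, request_count)] for regular check-ins."""
    series = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, client, host = parse_line(line)
            series[(client, host)].append(ts)
    beacons = []
    for (client, host), stamps in series.items():
        if len(stamps) < MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < MAX_SPREAD:
            beacons.append((client, host, avg, len(stamps)))
    return beacons


SAMPLE_LOG = [
    # constructed: an infected host posting to its C2 every five minutes
    "2011-02-14T09:%02d:00 10.0.0.5 POST http://203.0.113.77/gate.php 200 312" % minute
    for minute in range(0, 30, 5)
] + [
    # constructed: the same host's ordinary, irregular browsing
    "2011-02-14T09:01:00 10.0.0.5 GET http://www.example.com/ 200 5120",
    "2011-02-14T09:01:07 10.0.0.5 GET http://www.example.com/news 200 8800",
    "2011-02-14T09:03:40 10.0.0.5 GET http://www.example.com/a.css 304 0",
    "2011-02-14T09:12:15 10.0.0.5 GET http://www.example.com/b 200 4410",
    "2011-02-14T09:13:02 10.0.0.5 GET http://www.example.com/c 200 990",
    "2011-02-14T09:30:11 10.0.0.5 GET http://www.example.com/d 200 1200",
    # constructed: a clean host that touched the same address only twice
    "2011-02-14T09:02:00 10.0.0.9 GET http://203.0.113.77/ 404 0",
    "2011-02-14T09:40:00 10.0.0.9 GET http://203.0.113.77/ 404 0",
]

if __name__ == "__main__":
    for client, host, gap, count in find_beacons(SAMPLE_LOG):
        print("%s -> %s every %.0fs (%d requests)" % (client, host, gap, count))
```

Real downloaders add jitter and vary the URL, so in production the spread threshold is tuned per environment and the grouping is usually by destination only, with the request count and byte sizes (small, near-identical responses) as extra features; the point here is that the "check in" step on the slide leaves a timing signature even when the payload is encrypted.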


Slide 43: PPI (Pay-Per-Install)
PPI: AVProfit
- Pays affiliates $1K/1K
  - Installs FakeAV+ZeuS
  - 38% AV detection rate
  - 4 percent of victims pay
  - Bankcard & identity stolen
    - Packaged and sold off - additional revenue
- On Feb. 28 one affiliate generated 1,482 installs resulting in 66 sales and $1,650 in
  commissions. On Feb 27 the affiliate drummed up 1,323 installs, resulting in 57 sales for a
  daily income of $1,425.
- Source: Washington Post. Results not typical

Slide 44: Pay Per Install Forum
- Works w/developers, affiliates, tutorials for n00bs
- Copies industry model - forums are facilitators
- Information clearinghouse for PPI changes
- April 10: 372 registered members online - 423 guests
(Org chart node: PPI Forum)

Slide 45: Pay Per Install Forum
A place to buy and sell goods and services

Slide 46: Software Developer
Software Development & Sales
- Provide tools for PPIs and Affiliates
- Code lifespan is short
- Constant evolution
- Updates, subscriptions
(Org chart node: Software)

BINDERS (slide 47)
  Vendor copy (GeckoCode Software, 12/09):
  "S-binder Pro is a powerful software binder, bundler and package creator.
  Create and distribute your software bundles with ease! S-binder has some
  fantastic features including:
    - The ability to mass bind all files in a given directory, and all of
      its sub directories.
    - Icon extraction and replacement
    - Can download additional files as needed
    - Bind any files into one .exe
    - Secure binding option (files can't unpack)"
  "If you're looking to create software bundles or portable applications
  for whatever reason then S-Binder Pro is the only solution you will ever
  need!"

CRYPTERS (slide 48)
  - Affiliates use crypters to hide malicious files from anti-virus (AV)
    products
  - Crypters can make a malicious file fully undetectable (FUD)
  - Crypters can prevent malware from running if it's in a
  ..but wait! You'll also want...


DOWNLOADERS (slide 49)
  Vendor copy, Silent Downloader Version 4.0:
  "Way more than just a downloader.. Silent Downloader version 4.0 is
  probably the best silent downloader on the market today. This thing is
  feature packed, gets the job done, and then a whole bunch more. Totally
  configurable and fully manageable from an easy to use web based control
  panel - If you're already into Pay Per Install or other forms of network
  distributed marketing SD4 will help you boost your revenue to the
  maximum."

DOWNLOADERS (slide 50)
  - Web interface to track infected computers' statistics
  - An interface to make the infected PC a proxy, allowing an attacker to
    funnel malicious network traffic through it
  - Tools to download updates, additional malware and other tools to the
    infected computer

SEO AUTO-SUBMITTER (slide 51)
  XRumer Auto-submitter
  - Posts to forums, guestbooks, catalogs, etc.
  - Can avoid suspicious forum admins by first registering and posting
    "Where can I get...?"
  - Registers another account to post a spam link mentioning the product
  - Helpful forum visitors may Google for the product and post a link to
    help out, increasing the product's Google stats
  - Activation key to prevent piracy!

SEO AUTO-SUBMITTER (slide 52)
  XRumer Auto-submitter
  - Can recognize CAPTCHAs ("Completely Automated Public Turing test to
    tell Computers and Humans Apart")
  - By solving CAPTCHAs it can create new accounts

Malware Marketplace (slide 53)
  Symantec's Black Market exhibit at RSA 2010
  - A global market exists for criminal tools/data

SEO BLACK HAT (slide 54)
  Search Engine Optimization Black Hat
  - Techniques used to achieve higher search rankings
  - Unethical SEO 'games' search engine algorithms
  - Inflated rankings 'poison' search results
  - Techniques used include:
      - Keyword stuffing
      - Link farming (JCPenney)
  Includes: SEO Black Hat tax tips!


SEO BLACK HAT (slide 55)
  - Link farm: a group of sites and web pages hyperlinked to each other to
    increase their PageRank in the search engines
  - Keyword stuffing: hackers add many extra pages to compromised websites
    (link farms) that contain:
      - topic-related keywords, and
      - content taken from legitimate sites and feeds
  - Search engine spiders find what appears to be valid content relevant to
    the keywords used, and no malware (pages appear safe, but they are not)

SEO POISONING (slide 56)
  - Cloaking: the webserver hosting the SEO-poisoned, misleading pages looks
    at two HTTP request headers from each browser visiting a page:
      - Referer: the link the browser followed (the header name is
        misspelled that way in the HTTP specification itself)
      - User-Agent: identifies the browser type
  - Browsers arriving from an SEO-poisoned search link are redirected to a
    server hosting a malicious page (e.g. fake AV)
  - A search-engine bot crawling the page is given the misleading content,
    which appears OK
  - Text-based browsers (security researchers?) are avoided, redirected to
    CNN
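The cloaking decision on slide 56 is driven entirely by two request headers, which is also how a defender catches it: fetch the same URL under several User-Agent/Referer profiles and see whether the answers diverge. The block below is an added example, not code from the original deck. cloaked_server() is a constructed model of the behaviour the slide describes; the decoy hostname, the search URL and the probe strings in it are invented.

```python
"""Cloaking probe: fetch the same page under several (User-Agent, Referer)
profiles and flag it when the answers diverge the way slide 56 describes.
Added example, not code from the original deck.  cloaked_server() is a
constructed model of the cloaking logic; the decoy hostname and search URL
in it are invented."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

@dataclass(frozen=True)
class Probe:
    label: str
    user_agent: str
    referer: str          # HTTP spells the header "Referer"

@dataclass(frozen=True)
class Response:
    status: int
    location: str         # redirect target; empty for a 200
    body: str

SEARCH = "http://www.google.com/search?q=academy+awards"
PROBES: List[Probe] = [
    Probe("search-click", "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", SEARCH),
    Probe("direct-visit", "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", ""),
    Probe("crawler",      "Mozilla/5.0 (compatible; Googlebot/2.1)", ""),
    Probe("text-browser", "Lynx/2.8.7", SEARCH),
]

CLEAN_PAGE = "<html>Academy Awards 2010 winners list ...</html>"

def cloaked_server(user_agent: str, referer: str) -> Response:
    """Constructed stand-in for the poisoned site: the decision depends only
    on the two headers, never on the URL requested."""
    if "Googlebot" in user_agent:                 # crawler: feed it keyword-rich copy
        return Response(200, "", CLEAN_PAGE)
    if user_agent.startswith("Lynx"):             # text browser: bounce to a news site
        return Response(302, "http://www.cnn.com/", "")
    if "/search?" in referer:                     # real browser from a search result
        return Response(302, "http://fake-av.example/scan.php", "")  # invented host
    return Response(200, "", CLEAN_PAGE)          # direct visit: nothing to see

def probe_page(fetch: Callable[[str, str], Response]) -> Dict[str, Response]:
    """Run every probe through fetch(user_agent, referer)."""
    return {p.label: fetch(p.user_agent, p.referer) for p in PROBES}

def is_cloaked(results: Dict[str, Response]) -> bool:
    """Cloaking signal: the crawler gets a page while the search-referred
    browser is sent off-site to somewhere the crawler never saw."""
    crawler, click = results["crawler"], results["search-click"]
    return bool(crawler.status == 200
                and click.status in (301, 302, 303, 307)
                and click.location
                and click.location not in crawler.body)

def redirect_targets(results: Dict[str, Response]) -> Set[str]:
    return {r.location for r in results.values() if r.location}
```

To run this against a live URL, swap cloaked_server for a function that issues a request carrying those two headers and returns the status, Location header and body without following redirects (urllib.request with a handler that refuses redirects will do). Send the probes slowly and from a throwaway address: the cloaking side logs visitors too, and a burst of four user agents from one IP is exactly the pattern it is built to notice.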

SEO POISONING (slide 57)
  Screenshots:
  - SEO-poisoned news event link
  - ...which redirects to a malicious page that injects malware or a fake
    alert message
  - Obfuscated code on the malicious page
  Be careful of links when searching...

SEO POISONING (slide 58)
  - Within two days of the Academy Awards, half the links led to sites
    attempting to install fake AV
  - ... likewise searches for Haiti, Chile, Michael Jackson

Black Hat Services for Hire (slide 59)
  Darkness Botnet
  - High quality DoS attacks
  - $50/day and up rates
  - Download floods
  - Server attacks
  Ongoing DNS DDoS attacks
  - Amplification queries
  - Recursive, root zone
  - OTEC participates!

MONEY GUY (slide 60)
  - Works for PPI
  - Hires financial staff:
      - Payment Processing Agent
      - Money Transfer Agent
      - Regional Distributor
      - Work at home!
  - Financial Manager: prompt processing of incoming money transfers in
    real-time mode
  - $$ + social benefits?


MONEY GUY (slide 61)
  AKA Mule Manager, Mule Herder
  - Mules launder $ via fund transfer
  - Reship purchases bought with stolen credit cards
  - Mule recruitment sites:
      - BarwellsGroup .cn
      - NewskyAG .com
      - Yourgoogleanalytics .us
  "During the trial period (1 month), you will be paid 2,000 USD per month
  while working on average 3 hours per day, Monday-Friday,... The salary
  will be sent in the form of wire transfer directly to your account. After
  the trial period your base pay salary will go up to 3,500USD per month..."
  - BarwellsGroup

MONEY GUY (slide 62)
  - Clone valid job recruitment sites
      - Resulting confusion is all good, for them
  - Fake charity laundering site, April 2010, shown
  - Also fake outsourcing, brokerage, depositing, etc.
  - Scope: in April 2010 one of the tracking sites listed:
      - 762 active fraud sites
      - 39 in progress
      - 200+ archived
      - TNTC (too numerous to count)
  - Use fast-flux hosting (infected zombie PCs act as reverse proxies in
    front of the real server, and the DNS records rotate through them
    rapidly, so there is no fixed address to block)
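Fast-flux hosting, as used by the mule-recruitment sites on slide 62, leaves a measurable footprint in DNS: many A records per answer, addresses in consumer space spread over many networks, very short TTLs, and an answer set that changes between lookups. The block below scores a series of lookups on those features. It is an added example, not code from the original deck; the lookups are constructed, the hostnames are invented, and asn_of() is a stub standing in for a real IP-to-ASN data source.

```python
"""Fast-flux heuristic over a series of A-record lookups for one hostname.
Added example, not code from the original deck.  The lookups are
constructed, the hostnames are invented, and asn_of() is a stub standing in
for a real IP-to-ASN data source."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Lookup:
    ttl: int                  # TTL the resolver returned, in seconds
    addresses: List[str]      # A records in the answer

def asn_of(ip: str) -> int:
    """Stub: pretend the first octet is the origin ASN (assumption)."""
    return int(ip.split(".")[0])

def fast_flux_score(lookups: List[Lookup]) -> Dict[str, object]:
    """Features a defender can pull from repeated lookups, plus a verdict.
    Flux networks hide behind many infected home PCs, so they show many
    addresses, many networks, short TTLs and a changing answer set."""
    all_ips = {ip for lk in lookups for ip in lk.addresses}
    asns = {asn_of(ip) for ip in all_ips}
    min_ttl = min(lk.ttl for lk in lookups)
    # addresses that appear in an answer but were absent from the one before
    churn = sum(len(set(later.addresses) - set(earlier.addresses))
                for earlier, later in zip(lookups, lookups[1:]))
    # thresholds are assumptions, loosely after Holz et al., NDSS 2008
    flux = len(all_ips) >= 5 and len(asns) >= 3 and min_ttl <= 300 and churn > 0
    return {"unique_ips": len(all_ips), "unique_asns": len(asns),
            "min_ttl": min_ttl, "churn": churn, "fast_flux": flux}

# Constructed answers for a mule-recruitment site fronted by zombie proxies:
# five addresses per answer, consumer-looking space, 3-minute TTL, rotating.
MULE_SITE = [
    Lookup(180, ["24.1.2.3", "71.9.8.7", "98.5.4.3", "76.2.2.2", "69.1.1.1"]),
    Lookup(180, ["24.1.2.3", "71.9.8.7", "98.5.4.3", "99.3.3.3", "173.4.4.4"]),
    Lookup(180, ["67.1.1.9", "24.1.2.3", "99.3.3.3", "173.4.4.4", "108.6.6.6"]),
]
# Constructed answers for an ordinary site: one address, day-long TTL, stable.
NORMAL_SITE = [Lookup(86400, ["192.0.2.10"])] * 3
```

To feed it real data, collect Lookup objects a few minutes apart with dnspython: dns.resolver.resolve(name, "A") returns an answer whose rrset.ttl is the TTL and whose records carry the address. Content-delivery networks also answer with several short-TTL addresses, which is why the ASN spread and the churn across lookups carry more weight than the TTL alone.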

PPI Affiliate (slide 63)
  - Affiliates: many script kiddies, n00bs
    (infect self, ISP cancels parents' account, etc.)
  - Obtains a high-value file
      - Game cracks, pirated apps (warez)
  - Binds the PPI 'file' to their file
  - Spreads it via seedbox: BitTorrent & eMule
      - Downloaded & installed? It installs malware
      - On websites: adds code to inject the trojan
      - Sends email with the trojan attached

BOT MASTER (slide 64)
  AKA Bot Herder
  - Command & Control operator for infected PCs
  - May work for Affiliate or PPI
  - Google's AppEngine and Amazon's EC2 used as the master control channel
    sending commands to botnets. Provides a framework for programs that
    handle requests from millions of computers
  - Facebook and Twitter accounts also used
  - Low cost, high availability, and hard to blacklist

BOT MASTER (slide 65)
  Screenshot: social networking site serving a trojan's encrypted
  configuration

MALWARE INC. VICTIMS (slide 66)
  Work at home
  - Money mules launder $ transactions
      - Take 10% commission (will lose it)
  - Reshipping donkeys reship purchases
  - TTL measured in days (police show up)
  Infected business users
  - Unrecovered funds lost
  Infected home computer users
  - Get fleeced


           "\x00\x00\x00\x90" # Begin SMB header: Session message
           "\x72\x00\x00\x00" # Negotiate Protocol
           "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
                                                                                                                                     ZeuS Banking Toolkit
           "\x00\x26"         # normal value should be "\x00\x00"

                                                                                                              #1 choice of criminals specializing in financial fraud
           s = socket()
                                                                                                              #1 botnet in US - an est. 3.6 million PCs infected

                                                                                                              Primary use - steal financial credentials for use/sale
                                                                                                              Also targets social networks - Facebook, Twitter
                                                                                                              Linked to RBN cybercrime hub
               ZeuS TROJAN?
                WHATS UP WITH THAT?

                                                                                                                    205 ZeuS Command & Control servers were online 11/7/10

               Global Internet Insecurity                                                               67   Global Internet Insecurity                                      68

ZeuS Banking Toolkit (slide 69)
  - The most established toolkit, very configurable
  - Data exfiltration/C&C via RC4-encrypted HTTP POST
      - Designed to go through firewalls (it looks like ordinary outbound
        web traffic)
  - Product activation key (similar to Windows)
  - Polymorphic: each install has a unique signature
  - Dashboards track bots, product payment
  - Granular management, metrics with drill-down info
  Screenshot: iframe used to download a malicious PDF with exploits

ZeuS Banking Toolkit (slide 70)
  Modular pricing structure
  - Base-level kit starts at $4,000, plus options:
      - $500 Jabber IM add-in for real-time data
      - $2,000 Firefox data field capture module
      - $2,000 Add Windows 7 / Vista support
      - $1,500 Backconnect (proxy) module
      - $10,000 VNC-based remote connection to client
      - $100,000 Zeus source code
  - Zeus developer retiring (2011)
  - Operation merged with SpyEye
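Slide 69 says the bot ships stolen data home as RC4-encrypted HTTP POSTs, which is why a content filter looking for account numbers in outbound traffic sees nothing. What a network sensor can still measure is the byte distribution: an RC4 keystream turns a form grab into near-uniform bytes. The block below is an added example, not code from the original deck: the RC4 routine is the textbook stream cipher, not ZeuS's own framing or key handling, and the key, the form-grab sample and the entropy threshold are constructed.

```python
"""Why RC4-wrapped HTTP POSTs slip past content filters, and what a sensor
can still measure.  Added example, not code from the original deck: the key,
the stolen-form-data sample and the threshold are constructed, and rc4() is
the standard textbook cipher, not ZeuS's own implementation."""
import math
from collections import Counter

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA).  Encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Constructed sample of what a form-grabber would ship home (384 bytes).
STOLEN_FORM = (b"user=jsmith&pass=Spring2011!&acct=12345678&"
               b"sec_q=mothers+maiden+name&sec_a=Jones&ip=192.0.2.77\r\n") * 4
BOT_KEY = b"constructed-demo-key"   # assumption: per-build key baked into the bot

def looks_like_encrypted_post(body: bytes, threshold: float = 7.0) -> bool:
    """Sensor-side check: a POST body with near-maximal entropy that is not a
    known compressed or media type deserves a closer look."""
    return shannon_entropy(body) >= threshold
```

A plaintext form grab scores around five bits per byte; the same bytes after RC4 score well above seven, and nothing in them matches an account-number or credential pattern. The entropy test alone will also fire on gzip, images and TLS, so in practice it is paired with the destination (an unfamiliar host receiving periodic POSTs from many internal machines) rather than used on its own.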

ZeuS Banking Toolkit (slide 71)
  - ZeuS trojan is 'Man in the Browser' (MITB)
  - Waits for a banking transaction to occur
  - Can modify/inject data in either direction
  - Bank sees transactions from an authenticated user
  - User sees the real bank website (and more)
  - ZeuS makes extra transaction(s), sent to mules

ZeuS Banking Toolkit (slide 72)
  Screenshot: drill-down to a specific host, showing captured bank data
  - Injecting some harvesting code into the legitimate website is far more
    effective at harvesting credentials than redirecting to a fake banking
    site
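The harvesting inject on slide 72 adds "verification" inputs to the bank's own form, and when the inject simply appends inputs to the real form those extra parameters travel in the same POST the bank receives. That gives the server one cheap check: compare the fields that came back with the fields it rendered. The block below is an added example, not code from the original deck nor any bank's; the form definition, field names and submissions are constructed.

```python
"""Server-side check for web-inject style form tampering: a man-in-the-browser
that adds "verification" inputs to the bank's own login form ships those
inputs in the same POST the bank receives.  Added example, not code from the
original deck nor any bank's; the form definition, field names and
submissions are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass(frozen=True)
class FormSpec:
    name: str
    fields: Set[str]        # exactly the inputs the server rendered

@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str

# Data a login page never asks for; seeing it arrive is a strong inject signal.
HARVEST_FIELDS = {"pin", "atm_pin", "ssn", "card_number", "cvv", "mothers_maiden_name"}

LOGIN_FORM = FormSpec("login", {"username", "password", "csrf_token"})

def inspect_submission(spec: FormSpec, posted: Dict[str, str]) -> List[Finding]:
    """Compare what came back with what was served."""
    findings: List[Finding] = []
    extra = set(posted) - spec.fields
    missing = spec.fields - set(posted)
    if extra:
        findings.append(Finding("unexpected_fields", ",".join(sorted(extra))))
    if missing:
        findings.append(Finding("missing_fields", ",".join(sorted(missing))))
    harvested = {f for f in extra if f.lower() in HARVEST_FIELDS}
    if harvested:
        findings.append(Finding("harvesting_fields", ",".join(sorted(harvested))))
    return findings

def should_block(findings: List[Finding]) -> bool:
    """Policy (assumption): fail the login and flag the customer's machine
    when harvesting fields arrive; plain unexpected fields only get logged."""
    return any(f.kind == "harvesting_fields" for f in findings)

# Constructed submissions: one from a clean browser, one carrying inject fields.
CLEAN_POST = {"username": "jsmith", "password": "hunter2", "csrf_token": "a1b2"}
INJECTED_POST = dict(CLEAN_POST, atm_pin="4321", ssn="123-45-6789")
```

This catches the credential-harvesting variant only. The transaction-tampering behaviour on slide 71, where every field is legitimate and only the payee and amount were rewritten inside the browser, is invisible to a field-set check and needs the amount and payee confirmed over a channel the infected PC does not control.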


Antivirus Detection Rate (slide 73)
  - 60% of the time the AV client will not detect Zeus
  Chart: detection rates, Fall 2010 vs. Spring 2011
  Source:

ZeuS Banking Toolkit (slide 74)
  - Malware hosting sites are hard to shut down
  - March 8, 2010: 90 of 249 Zeus C&C servers whacked when two ISPs were
    de-peered by the upstream provider (it refuses their traffic)
  - Troyak regained connectivity within hours by peering with a new
    upstream ISP
  - Hosting offers high financial rewards/low risks:
    Google advisory, AS29106 (Volgahost): 227 sites tested
      - 101 sites had infected 1,080 other sites
      - 3 sites were hosting malicious drive-bys

ZeuS Meets/Kicks AS (slide 75)
  Diagram: Panther CDNetworks, The Planet, Amazon Cloud, NOC
  Top 10 of the Top 20 source:
  Inattentive Web Hosting Provider Meets Multilevel Malware

AS's With a Problem (slide 76)
  - AMAZON
  - AS21844 THEPLANET
  - AS26496 GODADDY
  - Cheap hosting: "anyone can have a website"

Server Farms (slide 77)
  - cPanel exploits: monoculture makes it easy
  - Once in, install an exploit package
  - Original site is still present, w/extra folders
  - Kits make it point and click; anyone can do it
  - Kits lower the bar: no skills needed
  - Typically contain a collection of exploits to try:
      - Crimepack: free and paid versions
      - SEO Sploit Pack
      - Eleonore $500-$1000
          - 12/11 DoubleClick, MSN drive-by ads w/malware

Exploit Packs (slide 78)
  Screenshots: logon screen; sample statistics report


Mariposa BOTnet (slide 79)
  Mariposa, another example:
  - March 2010: Mariposa botnet shut down
      - Spanish police arrest 3 alleged ringleaders
      - Jail unlikely: insufficient cyber crime laws in Spain
  - Spread via P2P networks, USB drives, MSN links
  - Stole account information and financial data
  - Est. 12.7 million compromised zombie hosts spread across 190 countries
    (of 203 possible)
  - Found on Vodafone phones running Google's Android
  - Botnet was rented out to groups spreading ZeuS
  Monetization is changing the malware landscape

Mariposa Website (slide 80)
  Screenshot

Koobface Worm (slide 81)
  - Koobface (Facebook anagram) targets social networks
  - Digg accounts breached via password attacks
  - 'Trusted' Web 2.0 services distribute codec malware
  - Ultimate target is credit card numbers
  - Same logon/password on other sites? Owned

RockYou! Passwords (slide 82)
  - December 2009: RockYou! SQL injection attack gets a plaintext database
    containing the unencrypted usernames and passwords of 32 million users

RockYou! Passwords (slide 83)
  Rank  Freq.    Password
   1.   290,729  123456
   2.    79,076  12345
   3.    76,789  123456789
   4.    59,462  password
   5.    49,952  iloveyou
   6.    33,291  princess
   7.    21,725  1234567
   8.    20,901  rockyou
   9.    20,553  12345678
  10.    16,648  abc123
  - Approx. 32M accounts total
  - File is available online
  - Is interesting research
  - Most users: password clueless
  - RockYou!: amazingly clueless
  - A good password blacklist!
  - Password policy rocks!
  If an attacker tried the top 100 passwords as guesses they would have been
  right 1.5M times, or 4.5% of the total

Recent Breaches (slide 84)
  - 2010: Kaspersky Internet Security own3d, again, from a vulnerability in a
    3rd-party website admin tool. No shame?
  - 12/10: Gawker Media (Lifehacker, Gizmodo) 1.5M user accounts and email
    addresses stolen, passwords cracked and posted, CMS code stolen &
    published
  - 12/10: DeviantART accounts stolen
  - 12/10: McDonald's hacked, customer database stolen, your burger
    preference now in the wild
  - 2/11: eHarmony access and accounts compromised via SQL injection
    vulnerability in a third-party CMS library
  People use the same passwords on many sites
  Accounts & passwords are the target!
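Slide 83 makes two points a practitioner can turn into code: the leaked list is a ready-made password blacklist, and a few top entries cover a surprising share of accounts. The block below builds the blacklist from the ten entries on the slide and does the coverage arithmetic for any prefix of the list. It is an added example, not code from the original deck; the minimum-length rule and the character-substitution folding are assumptions, not RockYou's policy, and with only ten entries it cannot reproduce the slide's top-100 figure.

```python
"""Password blacklist built from the RockYou top-10 in slide 83, plus the
coverage arithmetic for an attacker guessing from the top of the list.
Added example, not code from the original deck; the length rule and the
character-substitution folding are assumptions, not RockYou's policy."""
import re
from typing import List

# (password, count) exactly as listed on the slide
ROCKYOU_TOP10 = [
    ("123456", 290729), ("12345", 79076), ("123456789", 76789),
    ("password", 59462), ("iloveyou", 49952), ("princess", 33291),
    ("1234567", 21725), ("rockyou", 20901), ("12345678", 20553),
    ("abc123", 16648),
]
ROCKYOU_TOTAL = 32_000_000        # approx. accounts in the dump, per the slide

def normalize(pw: str) -> str:
    """Fold case and the usual digit/symbol-for-letter swaps so that
    'P@ssw0rd' and 'PASSWORD' both land on the 'password' entry."""
    return pw.lower().translate(str.maketrans("@$!013457", "asioleast"))

BLACKLIST = {normalize(p) for p, _ in ROCKYOU_TOP10}

def guess_coverage(top_n: int) -> float:
    """Share of accounts an attacker opens by trying the top_n passwords
    once each against every account (no lockout assumed)."""
    hits = sum(count for _, count in ROCKYOU_TOP10[:top_n])
    return hits / ROCKYOU_TOTAL

def check_password(pw: str, min_len: int = 12) -> List[str]:
    """Return the reasons a candidate password is rejected (empty = accepted)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if normalize(pw) in BLACKLIST:
        problems.append("on the breach blacklist")
    if re.fullmatch(r"\d+", pw):
        problems.append("digits only")
    return problems
```

Loading the full leaked list in place of ROCKYOU_TOP10 turns this into the blacklist the slide recommends; a single guess of 123456 already opens about 0.9% of accounts, and the top ten together about 2.1%, which is why the check belongs on the signup and password-change paths rather than in a complexity rule users can satisfy with P@ssw0rd.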


           "\x00\x00\x00\x90" # Begin SMB header: Session message
           "\x72\x00\x00\x00" # Negotiate Protocol
           "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
ECONOMIC

Follow the Money
Global distribution of victims that paid for fake anti-virus

Fake Anti-Virus
Fakeware business is still business
  Typically charged $50 to $100
  Only 10% initiated chargebacks or disputed the sale
    Fail to realize they were scammed
    Embarrassed at being taken
    Credit card provider runaround
  Employee-owned computers are the risk
  …another layer of business activity

Economic Losses
Feb 2009 - VA. Orange Family Physicians $46,000
  ZeuS found on Controller's computer
Feb 10 - N.H. Cynxsure IT Consultancy $96,419
Feb 15 - N.Y. Little & King $164,000
  ZeuS found on owner's computer
March 22 - MO. Smile Zone Dental Practice $205,000
June 22 - Bullitt Co. Kentucky $415,000 - ZeuS
source: Washington Post
Small-med businesses and local governments are estimated
to be losing $100-200K/day from trojans

Economic Losses
Bullitt County Kentucky - $415,000
  ZeuS Trojan installed on the county treasurer's PC
  Stole treasurer's account/passwords
    email, county bank account
  ZeuS tunneled into the county's bank account, logged in
  Changed co-signer password/e-mail address
    used for one-time pass-phrase notices
  Created 25 fictitious county employees
    used names of mules
  Sent wire transfers to bank, fake co-signer approved
  Funds sent to mules

Monetization
Malware: it's all about money…
  Volume increasing and the quality improving
  A growing underground economy and supply chain
  Harvest, use what you can, sell off the rest
  Lowered bar for who can get into cybercrime
  End user is now cybercrime's primary target
  Zombie botnets can be rented, bought, and sold


Monetization Opportunity!
  Home Shopping Channel for Malware
  Malware training & support
  Malware certification
  Malware University
    An example?
    Sign up now!

           "\x00\x00\x00\x90" # Begin SMB header: Session message
           "\x72\x00\x00\x00" # Negotiate Protocol
           "\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
Risks
Resources

MALWARE DEFENSES
Back in the 'good old days'….
  Malware 'objective' was to spread
  Malware was noisy and easier to detect
Now it's a monetized, multi-level, organized criminal activity
primarily targeting non-business end users
  Good luck with that!

WHAT CAN YOU DO?
  Keep OS patched (auto)
  Keep Adobe, Java patched
  Develop a password system and use it
  Change default passwords (wireless router)
  Wireless? WPA2 w/ long passphrase
  Don't click w/o looking - enter links instead of clicking
  Email attachments? High risk
  Use Firefox w/ secure plugins
  Use Live CD/Live USB -
  Be paranoid - don't believe - don't trust
  Learn to spot the scams - awareness
  Collect 'em! - share them internally (training)
  Not a good time to have little/no IT staff (home user)

Silos Decouple & Isolate
Organizations make it hard to see the big picture
  Firewall logs - network & security staff
  IDS/IPS logs - security staff
  Server logs - system admins
  Application logs - application staff
Not seeing the logs
  How do you know what is targeted?
Insufficient paranoia
  Firewall will protect - not
Better log & report sharing?
In-house training? Visibility?


Typical Exploit Attempt
Scripted PHP attack log summary - elapsed: 11.14 sec, attempts: 93 (8.5/sec)
  /scripts/setup.php
  /admin/scripts/setup.php
  /admin/pma/scripts/setup.php
  /admin/phpmyadmin/scripts/setup.php
  /dbadmin/scripts/setup.php
  /phpadmin/scripts/setup.php

Attempted SQL Inject
Look for SQL commands in HTTP logs:
  GET /content/dpenecalofevesub.asp
  vw=0&curyr=310&progsik=3&cal_typ_ik=2&h1=0&h2=
  0&cal_eve_typ_ik=25%20And%20char(124)%2b(Select
  %20Cast(Count(1)%20as%20varchar(8000))%2Bchar(1
  24)%20From%20[sysobjects]%20Where%201=1)>0|1
  74|800a000d|Type_mismatch:_'CInt' 80 -
  NV32ts 500 0 0
Translation: … SELECT CAST(COUNT(1) AS
VARCHAR(8000)) FROM [sysobjects] WHERE…
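Both slides are really one task: read the web server log, pull out the requests that are not what the application expects, and see how fast and from where they come. The script below is an added example, not from the presentation, and does that for the two patterns shown here over constructed IIS W3C log lines (the client addresses, timestamps, user agents and benign requests are made up; the injected query is the one from the slide). One detail worth knowing when reading the slide's line: when a classic ASP page throws an error, IIS appends |line|errorcode|description to the logged query field, so the trailing |174|800a000d|Type_mismatch:_'CInt' with status 500 is the server's own error, i.e. the injected SQL reached the database layer and broke a CInt() call.

```python
"""Scan IIS W3C log lines for the two patterns on these slides: scripted
probes for phpMyAdmin's scripts/setup.php and SQL injection in the
query string (added example, not from the presentation).

SAMPLE_LOG is constructed for the demo: client IPs, timestamps, user
agents and the benign requests are made up; the injected query is the
one on the slide."""
import re
from datetime import datetime
from urllib.parse import unquote_plus

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2011-02-14 03:10:00 198.51.100.7 GET /index.html - 200 Mozilla/5.0
2011-02-14 03:11:00 203.0.113.9 GET /scripts/setup.php - 404 scanner-bot/1.0
2011-02-14 03:11:00 203.0.113.9 GET /admin/scripts/setup.php - 404 scanner-bot/1.0
2011-02-14 03:11:01 203.0.113.9 GET /admin/pma/scripts/setup.php - 404 scanner-bot/1.0
2011-02-14 03:11:01 203.0.113.9 GET /phpadmin/scripts/setup.php - 404 scanner-bot/1.0
2011-02-14 03:15:22 192.0.2.55 GET /content/dpenecalofevesub.asp vw=0&curyr=310&progsik=3&cal_typ_ik=2&h1=0&h2=0&cal_eve_typ_ik=25%20And%20char(124)%2b(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20[sysobjects]%20Where%201=1)>0|174|800a000d|Type_mismatch:_'CInt' 500 NV32ts
2011-02-14 03:16:00 198.51.100.7 GET /content/dpenecalofevesub.asp vw=0&curyr=310 200 Mozilla/5.0
"""

# Probes for the phpMyAdmin setup script under any directory prefix.
PMA_PROBE = re.compile(r"/scripts/setup\.php$", re.IGNORECASE)
# ASP error info IIS appends to the query field: |line|errno|description
ASP_ERROR = re.compile(r"\|\d+\|(800a[0-9a-f]{4})\|(\S*)$", re.IGNORECASE)
# Rough SQL-injection indicators in a URL-decoded query string.
SQLI = re.compile(
    r"(\bselect\b.*\bfrom\b|\bunion\b.*\bselect\b|\bcast\s*\(|\bchar\s*\("
    r"|\bsysobjects\b|\binformation_schema\b|'\s*or\s*'|;\s*(drop|exec)\b|--\s*$)",
    re.IGNORECASE | re.DOTALL)


def parse(log_text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            # Only the last field (User-Agent) may contain spaces in this layout.
            yield dict(zip(fields, line.split(" ", len(fields) - 1)))


def classify(rec):
    """Tags for one request: 'pma-setup-probe', 'sqli', 'asp-error:<code>'."""
    tags = []
    if PMA_PROBE.search(unquote_plus(rec["cs-uri-stem"])):
        tags.append("pma-setup-probe")
    query = unquote_plus(rec["cs-uri-query"])
    err = ASP_ERROR.search(query)
    if err:
        tags.append("asp-error:" + err.group(1).lower())
        query = query[:err.start()]          # inspect only what the client sent
    if SQLI.search(query):
        tags.append("sqli")
    return tags


def summarize(log_text):
    """Per-client summary of suspicious requests: hits, tags, requests/sec."""
    by_ip = {}
    for rec in parse(log_text):
        tags = classify(rec)
        if not tags:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        info = by_ip.setdefault(rec["c-ip"], {"first": ts, "last": ts, "hits": 0, "tags": set()})
        info["first"], info["last"] = min(info["first"], ts), max(info["last"], ts)
        info["hits"] += 1
        info["tags"].update(tags)
    for info in by_ip.values():
        span = (info["last"] - info["first"]).total_seconds()
        info["rate"] = info["hits"] / span if span else float(info["hits"])
    return by_ip


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} hits, {info['rate']:.1f}/sec, {sorted(info['tags'])}")
```

The keyword regex is deliberately loose and will flag legitimate query values that happen to contain "select ... from"; the point is triage, not blocking. Two things make the injection line stand out even without pattern matching: the 500 status with an ASP error code on a page that normally returns 200, and a query string far longer than the application ever generates. A cheap first pass on a large log is therefore "5xx responses whose query field contains a pipe", then run the decoded query through the patterns above.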


XKCD Exploits of a Mom

Constraints
Organizational issues
  Funding - standup vs. maintenance
  Staffing issues - no death marches
  Training issues -
  Time pressure - security brought in at the end
  Political pressure -
  "It's mission critical" -
  "You're preventing me from doing my job" -
  Rogue projects
Some low-cost / no-cost approaches:

Google Hacking
Google public-facing servers - ours, others
  Look for sensitive information, hidden login pages, logs
  Look for offensive words or images

  site:       search site for search_term
  filetype:   search for file type
  link:       search within links for search_term
  cache:      shows how page appeared - provide url
  intitle:    search within document <title></title>
  inurl:      search only within the url for search_term

Google Search Examples
site:
  632 pdf's - Policies, FSR's, Special Reports
    2660-423-0909-SRg.pdf - Confidential PMMS Report
  24 documents reference Caltrans
  PDF metadata (properties) shows author, source
Other searches show workgroups, draft documents
  7 page list of State CIO's dated 1/3/11
  'Procurement starvation to force outsourcing' - nice
"firstname lastname"
"project name"
bad_words
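The "PDF metadata shows author, source" point deserves a closer look, because the metadata is the part of a published document nobody reviews before it goes on the web server. The script below is an added example, not from the presentation: it pulls the Info dictionary (Title, Author, Creator, Producer, dates) straight out of a PDF's bytes, so you can run it over everything a site: search returns for your own domain. SAMPLE_PDF is a constructed minimal file, not a real Caltrans document, and the parser is deliberately simple (plain files only, no object streams).

```python
"""Read the Info dictionary (Author, Creator, Producer, dates...) from a
PDF's raw bytes to see what a published document leaks (added example,
not from the presentation). SAMPLE_PDF is a constructed minimal file."""
import re

SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Quarterly Report \\(draft\\)) /Author (jdoe)
/Creator (Acrobat PDFMaker 9.1 for Word) /Producer <4163726f626174>
/CreationDate (D:20110103120000) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# /Key followed by a literal (...) string or a hex <...> string
ENTRY = re.compile(rb"/(\w+)\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)")
LITERAL_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t",
                   b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_string(token):
    """Decode a PDF string object to text (PDFDocEncoding treated as Latin-1)."""
    if token.startswith(b"<"):
        data = bytes.fromhex(re.sub(rb"\s", b"", token[1:-1]).decode("ascii"))
    else:
        data = re.sub(rb"\\(.)",
                      lambda m: LITERAL_ESCAPES.get(m.group(1), m.group(1)),
                      token[1:-1])
    if data.startswith(b"\xfe\xff"):           # UTF-16BE with BOM
        return data[2:].decode("utf-16-be")
    return data.decode("latin-1")


def pdf_info(pdf_bytes):
    """Return {key: value} for the string entries of the Info dictionary, or {}.
    Plain (non-object-stream) files only; the last /Info reference wins, as
    it would for an incrementally updated PDF."""
    refs = INFO_REF.findall(pdf_bytes)
    if not refs:
        return {}
    num, gen = refs[-1]
    obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\s*<<(.*?)>>\s*endobj",
                    pdf_bytes, re.DOTALL)
    if not obj:
        return {}
    return {key.decode("ascii"): decode_string(val)
            for key, val in ENTRY.findall(obj.group(1))}


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PDF
    for key, value in pdf_info(data).items():
        print(f"{key:>14}: {value}")
```

Run it with a file path to inspect a real document. The Author field is usually a Windows login name and the Creator string names the office software and version in use, which is exactly the kind of detail a phishing or exploit campaign is built around. PDFs written with object streams (PDF 1.5 and later) keep the Info dictionary compressed and need a real PDF library; the cleanup is the same either way: strip the metadata before publishing.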



Shodan Cloud Queries
Shodan is a specialized network search engine for Internet-facing devices.
Where Google looks at content, Shodan interrogates ports and grabs the
resulting banners (i.e. the network device responses), indexing them for
searches.
Shodan is a search engine for cloud penetration testing. Instead of finding
an exploit that works on a target system, with Shodan you can take any
exploit and find a system vulnerable to it. You are not actively running
scans, but rather asking the Shodan cloud "what do you know about this
already?"

Refine results w/ search parameters, including:
  country:    2-letter country code
  hostname:   full or partial host name
  net:        IP range using CIDR (ex: )
  port:       21, 22, 23 or 80
Example searches
  port:80+iisstart.html
  IIS+4.0 (or 5.0, 6.0)

Apache Settings
ServerSignature Off
  No trailing signature line on server-generated pages (error pages, indexes)
ServerTokens ProductOnly
  Return only "Apache" - suppress OS and version info
Configure the HTTP default listener on the IP address to respond with 403
and configure the actual host as a vhost bound to a FQDN/hostname -
automated scanning against a bare IP is mitigated; someone sweeping a /24 or
/16 by address will see only the 403 and not the site (anyone who already
knows the hostname still reaches it).
In the php.ini:
  ; Disable expose_php for security reasons
  expose_php = Off

Use ACLs to restrict access where possible
Understand the implications of
  Options FollowSymLinks
  Options Indexes
  AllowOverride
  User-Agent strings
  Proxy settings
Configuration settings tested, documented
Best practices - looking for a source?
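The three directives on this slide each remove one piece of the banner that the Shodan slide showed being indexed: ServerTokens trims the Server header, expose_php drops the X-Powered-By header, and ServerSignature removes the "Apache/x.y.z Server at host Port 80" line from error pages. The checker below is an added example, not from the presentation; it parses a raw HTTP response and reports each leak together with the directive that closes it. BEFORE and AFTER are constructed responses (a stock Apache 2.2 + PHP 5.3 install before and after the settings), not captures from a real host; fetch() is the only part that touches the network and is not used by the demo.

```python
"""Audit what an HTTP response reveals about the server: the information
the directives on this slide suppress (ServerTokens ProductOnly,
ServerSignature Off, expose_php = Off) and the banner text that services
like Shodan index (added example, not from the presentation).
BEFORE and AFTER are constructed responses, not captures from a real host."""
import http.client
import re

# Constructed: stock Apache 2.2 + PHP answering a request for a missing page.
BEFORE = (b"HTTP/1.1 404 Not Found\r\n"
          b"Date: Mon, 14 Feb 2011 10:00:00 GMT\r\n"
          b"Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.5\r\n"
          b"X-Powered-By: PHP/5.3.5\r\n"
          b"Content-Type: text/html; charset=iso-8859-1\r\n"
          b"\r\n"
          b"<h1>Not Found</h1>\r\n"
          b"<address>Apache/2.2.17 (Win32) Server at www.example.com Port 80</address>\r\n")

# Constructed: same server after ServerTokens ProductOnly, ServerSignature Off,
# expose_php = Off.
AFTER = (b"HTTP/1.1 404 Not Found\r\n"
         b"Date: Mon, 14 Feb 2011 10:00:00 GMT\r\n"
         b"Server: Apache\r\n"
         b"Content-Type: text/html; charset=iso-8859-1\r\n"
         b"\r\n"
         b"<h1>Not Found</h1>\r\n")

# product/version tokens such as Apache/2.2.17, PHP/5.3.5, OpenSSL/0.9.8
VERSIONED = re.compile(r"[A-Za-z_+-]+/\d+(?:\.\d+)+")
# the trailing line ServerSignature On adds to every server-generated page
SIGNATURE = re.compile(r"<address>[^<]*Server at [^<]* Port \d+</address>", re.IGNORECASE)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status, *lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("latin-1", "replace")


def audit(raw):
    """Leaks found in the response, each with the directive that closes it."""
    _, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    for token in VERSIONED.findall(server):
        findings.append(f"Server header leaks {token} (ServerTokens ProductOnly)")
    if "(" in server:                      # OS token, e.g. (Win32) or (Unix)
        os_token = server[server.find("("):server.find(")") + 1]
        findings.append(f"Server header leaks OS {os_token} (ServerTokens ProductOnly)")
    if "x-powered-by" in headers:
        findings.append(f"X-Powered-By leaks {headers['x-powered-by']} (expose_php = Off)")
    if SIGNATURE.search(body):
        findings.append("error page carries server signature line (ServerSignature Off)")
    return findings


def fetch(host, path="/this-page-does-not-exist", port=80):
    """Request a missing page (error pages are where signatures show) and
    return the raw response bytes for audit(). Needs network access."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    status = f"HTTP/1.1 {resp.status} {resp.reason}\r\n".encode()
    header_block = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders()).encode("latin-1")
    return status + header_block + b"\r\n" + resp.read()


if __name__ == "__main__":
    for label, raw in (("default", BEFORE), ("hardened", AFTER)):
        print(label, audit(raw) or ["no leaks found"])
```

Run fetch() once against the bare IP and once against the hostname: if the slide's vhost split is in place, the IP answers 403 with a bare "Server: Apache" while the FQDN serves the site. Hiding versions is not a substitute for patching; its value is that an attacker with a fresh exploit can no longer pick you out of a Shodan result set by banner alone.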


Top 10 Web Application Security Risks
Open Web Application Security Project list for 2010
  A1: Injection
  A2: Cross-Site Scripting (XSS)
  A3: Broken Authentication and Session Management
  A4: Insecure Direct Object References
  A5: Cross-Site Request Forgery (CSRF)
  A6: Security Misconfiguration
  A7: Insecure Cryptographic Storage
  A8: Failure to Restrict URL Access
  A9: Insufficient Transport Layer Protection
  A10: Unvalidated Redirects and Forwards

OWASP Resources
Cheat Sheets
  SQL Injection Prevention
  XSS (Cross Site Scripting) Prevention
  Cryptographic Storage
  Authentication
  Cross-Site Request Forgery (CSRF) Prevention
  Transport Layer Protection
Application Security Verification Standard
Development Guidelines
Testing Guides


Tools
  BackTrack - LiveCD tools
  Paros proxy - edit/view HTTP messages
  BadStore
  Metasploit
  Burp Suite
  Ophcrack - password 'test'
  XAMPP

XAMPP
Easy to install development/training distribution
XAMPP 1.7.4 (Windows, Linux, OS X, Solaris)
  Apache 2.2.17
  MySQL 5.5.8
  PHP 5.3.5
  phpMyAdmin 3.3.9
  FileZilla FTP Server 0.9.37
  Tomcat 7.0.3 (with mod_proxy_ajp connector)
Add: Mutillidae - deliberately vulnerable PHP scripts implementing the OWASP Top 10

HTML Input

Javascript Next?

ADDITIONAL READING
  "Ransomware rampant…"
  Blacklisting
  [ignore certificate warnings]
  Browser Security Handbook
To view your browser's user-agent string, enter the following into the
address bar: javascript:alert(navigator.userAgent)
To learn about user-agent string values (can also be customized!):

DISCLAIMER
The information contained herein is for the sole purpose of information and education. All information is subject to change without notice. The author is not responsible for errors or damages of any kind resulting from use of the information contained therein. Every effort has been made to ensure the accuracy of information presented as factual; however, errors may exist. Any resemblance to real persons, living or dead is purely coincidental. Void where prohibited. Some assembly required. List each check separately by bank number. Batteries not included. Contents may settle during shipment. Use only as directed. No other warranty expressed or implied. Do not use while operating a motor vehicle or heavy equipment. Beware of dog. Not recommended for children. Prerecorded for this time zone. First pull up, then pull down. Call toll free before digging. Driver does not carry cash. Some of the trademarks mentioned in this product appear for identification purposes only. Unix is a registered trademark of AT&T. Do not bend, fold, spindle or mutilate. Any resemblance to actual persons, living or dead, is unintentional and purely coincidental. Do not remove this disclaimer under penalty of law. Hand wash only, tumble dry on low heat. No substitutions allowed. For a limited time only. This article is void where prohibited, taxed, or otherwise restricted. Caveat emptor. Article is provided "as is" without any warranties. Reader assumes full responsibility. An equal opportunity article. No shoes, no shirt, no articles. Quantities are limited while supplies last. If any defects are discovered, do not attempt to read them yourself, but return to an authorized service center. Read at your own risk. Keep away from sunlight. Keep away from pets and small children. Limit one-per-family please. No money down. No purchase necessary. You need not be present to win. Some assembly required. Action figures sold separately. No preservatives added. Slippery when wet. Safety goggles may be required during use. Sealed for your protection, do not read if safety seal is broken. Call before you dig. Not liable for damages arising from use or misuse. For external use only. If rash, irritation, redness, or swelling develops, discontinue reading. Read only with proper ventilation. Avoid extreme temperatures and store in a cool dry place. Keep away from open flames. Avoid contact with eyes and skin and avoid inhaling fumes. Do not puncture, incinerate, or store above 120 degrees Fahrenheit. Do not place near a flammable or magnetic source. No salt, MSG, artificial color or flavoring added. If ingested, do not induce vomiting, and if symptoms persist, consult a physician. Warning: Pregnant women, the elderly, and children should avoid prolonged exposure. May suddenly accelerate to dangerous speeds. Contains a liquid core, which if exposed due to rupture should not be touched, inhaled, or looked at. Do not use on concrete. Discontinue use if any of the following occurs: Itching, Vertigo, Dizziness, Tingling in extremities, Loss of balance or coordination, Slurred speech, Temporary blindness, Profuse Sweating, or Heart palpitations. No, I will not fix your computer.

