0nights2011

Dissecting unlawful Internet
Activities

Fyodor Yarochkin
Armorize Technologies
@fygrave

АГЕНДА

Observations

Case studies

Sampling goods and services

Q&A

(c) 2011 Armorize Technologies

MEET THE AUTHORS


Our environment

Honeypots (http, ftp, ssh, smtp, ...)

Sandboxes + proactive internet “browsing”

End points around the globe

Public discussion groups of interest:
scrapping and indexing


Overview


What makes the news..
MALWARE
Black SEO

Fake AV
Mass Injections
CC abuse


MAIN ACTORS

Profit Oriented
Kiddies Crime APT


Range of players!


Kiddies: hit our honeypots daily :)


Still live in IRCBOT age


APT
• Kiddies are not very interesting.
Following the APT guys is a bit more
fun

APT – advanced persistent threat
(made lots of noise after Aurora attacks
But, .. how advanced that is.. really :-))


APT: attack vectors – often
plain silly


APT: in taiwan

• Targets: academics, post, rail, ..


APT: main characteristics

• Attacks are planned and methodological
• In many instances – the primary aim of an
action is information gathering (i.e.
javascript that collects and posts the user
environment information)
• Malicious content is well-prepared (digitally
signed w/ valid certificates etc etc)

APT Research from xecure-lab guys


Aptdeezer: apt analysis
platform from xecure-lab


Businessmen are fun to
study:)
Traffic Online goods
services


How to steal a million?


Effectiveness

• Old school: steal it from a bank. Make a lot
of noise and either get caught (or run to
South America)
• New school: steal a dollar from a million
people. It is still a million (and no noise).


So, where is the money?
DIRECT SOURCES:
Ads (PPC) Banking credentials
Pharm CC cashing
Pr0nExtortions
“Software” Mobile scam
INDIRECT SOURCES:
TRAFF Credentials Online goods
& services

TRAFFIC..

• You need users to start visiting your “milking
resource” to start with..

TRAF. COST

• AU - 300-550$

• UK - 220-300$

• IT - 200-350$

• NZ - 200-250$

• ES,DE,FR - 170-250$

• US - 100-150$

• RU, UA, KZ, KG .. 10-40$

Case studies~


Infrastructure compromise: case
study


UNDER THE HOOD


Looking into Packet fields


TRACKING THE GHOST


HYPO: ATTACK SCENARIO


RESULTED IN...
http://tools.cisco.com/security/center/viewAlert.x?
alertId=17778


Compromised CAs

• How about combining this and
compromised CA?


WHAT HAD HAPPENED..

tunnel source <interface>

tunnel destination <badIP>

Your taffic is mirrored!!

How were they 0wn3d?


AND MORE..


LESSON LEARNT

• The whole city compromised

• Users infected on the fly. Visiting
legimate web sites
• Tricky to investigate

• Affected parties - complete denial


Other varieties ;-)


Ad ABUSE:
“MALVERTISEMENT”


Introducing ad. Space
hell :)
Source: razorfishmedia.com


Ad network dynamic
bidding
• Ad network dynamic bidding system is asking for
abuse :-)
• Decentralized, small players feed data to
bigger guys (doubleclick), verification is mostly
manual, real-time content tampering is easy,
automated target selection, number of
mechanisms that prevent click fraud (and
makes automated analysis hard!!!)
•


MALVERT. Mechanics

iframe

redirect

iframe

redirect

iframe
(c) 2011 Armorize Technologies Iframe to TDS

Malvertisement (cont)


Malvert: agencies get
0wned
• Pulpomedia incident:


Extortions going
international


Also spanish version

Credit: http://xylibox.blogspot.com/


Common characteristics

Registration Service Provided By: Bizcn.com
Website: http://www.cnobin.com person:
person: Ionut Tripa
Ionut Tripa
remarks:
remarks: SC GoldenIdeas SRL
SC GoldenIdeas SRL
Whois Server: whois.bizcn.com
address:
address: Str. Drumul Sarii, nr. 57C
Str. Drumul Sarii, nr. 57C
address:
address: Sector 6, Bucuresti
Sector 6, Bucuresti
Domain name: bundespol.net phone:
phone: +0744885334
+0744885334
abuse-mailbox: goldenideas.ionut@yahoo.com
abuse-mailbox: goldenideas.ionut@yahoo.com
• Hosting and domain registration
Registrant Contact:
Whois Privacy Protection Service
nic-hdl:
nic-hdl:
source:
source:
IT1737-RIPE
IT1737-RIPE
RIPE # Filtered
RIPE # Filtered
Whois Agent gmvjcxkxhs@whoisservices.cn mnt-by:
mnt-by: GOLDENIDEAS-MNT
GOLDENIDEAS-MNT
+86.05922577888 fax: +86.05922577111
No. 61 Wanghai Road, Xiamen Software Park
xiamen fujian 361008
cn


WAS ON THE NEWS


COMMON PATTERNS

Exploits Social tricks


“Social engineering”


Well-operated :)

• Spreads through advertisements (social
engineering and exploits)
• Reboots machine until license is purchased
(80USD)
• Provides support hotline (hosted in India)
• Uses legimate payment gateways (possible
to do refunds)

Another attack:
infrastructure


Infrastructure

Speedtest.net

Ads.ookla.com

http://35ksegugsfkfue.cx.cc

TDS systems: TRAFF
marketplace


COMMON TDS


TDS + verification srv


SEO:Another option

• Black SEO:


SEO USE and abuse :)

<*bad* word (rus)


SEO SERVICES


Goods and services :
Sampling :)


Digital currencies

• Modern day hawalla


Amusing portals


PASSPORT COPIES


.. OR A SET

For money of any state of dirtiness
Pack includes
1. Online bank account access
2.ATM card (1000/6000USD
per month withdrawal limit)
3. online access passwords
4. Passport copy of “poor john”
5. SIM card


MALWARE Q/A AND HOSTING


Abuse-resistant hosting


CLOUD-cracking


AND CAPTCHA


MOBILE
So far - easy to spot with
static analysis tools
(android, j2me)


Press the button “stop” as soon as
possible!


LEARNING POSSIBILITIES :)


Questions

l


0nights2011

Recommandé

Recommandé

Contenu connexe

Similaire à 0nights2011

Similaire à 0nights2011 (20)

Plus de F _

Plus de F _ (10)

0nights2011