
Iftach Ian Amit

iamit.org & I Am Security blog

Behind the scenes of E-Crime

iamit.org
Who Am I? (iamit)

• Iftach Ian Amit
– In Hebrew it makes more sense…
• I Am Security blog (www.iamit.org/blog)
• Director Security Research @ Aladdin and Finjan
• Various security consulting/integration gigs in the past
– R&D
– IT
• A helping hand when needed… (IAF)

Today’s Agenda

• Terminology
• Past vs. Present – 10,000 feet view
• Business Impact
• Key Characteristics – what does it look like?
– Anti-Forensics techniques
– Propagation methods
• What is the motive (what are they looking for)?
• Tying it all up – what does it look like when successful.
• Anything in it for us to learn from?
– Looking forward on extrusion testing methodologies

Some Terminology

• Crimeware – what we refer to as malware these days is actually crimeware: malware with specific goals for making $$$ for the attackers.
• Attackers – not to be confused with malicious code writers, security researchers, hackers, crackers, etc… These guys are the Gordon Gekkos of the web security field. They buy low, and capitalize on the investment.
• Smart (often misled) guys write the crimeware and get paid to do so.

Federal Prosecutor: “Cybercrime Is Funding Organized Crime”
How Does e-Crime get Business Data?

The business impact of E-Crime

Criminals target sensitive business data!

(Diagram: Sophisticated and Organized Criminals → Employee Data, Financial Data, Customer Data)

• Brand damage
• Financial theft
• Data theft
• Password theft
• Identity theft
• Compromised computers to steal resources
• Employee productivity loss

The Business Impact Of E-Crime

How much is business data worth to criminals?

• Credit Cards & Bank Accounts (+PIN): ~$10-50
• Product Design: $1000
• Financial Report: $5000
Key Characteristics of E-Crime

Financially motivated criminals are utilizing new methods to infect PCs with crimeware that steals sensitive data.

Distribution models:
• Hosted on compromised, legitimate and Web 2.0 sites all over the globe, with frequent location changes
• URL and Reputation-based filtering solutions will not block these sites

Detection Evasion:
• Evade signature-based detection by utilizing code obfuscation and selective delivery of malicious code
• Anti-Virus signatures will not match today’s malicious code

Detection Evasion

• Code obfuscation
– Not the one you are used to…

• Single serve exploits
– One per customer please

• Geographical preference
– More on this later when we talk $$$…

Dynamic Code Obfuscation

Dyn. Code Obf. – the neosploit way (2.0.15)

Obfuscation and IFRAMES

• Have become the main driving tools for distributing malware and malicious code in general.
– They are even signatured by AV – although the obfuscation or IFRAME itself may NOT be malicious…

Source: top 10 web threats in 2007, http://www.sophos.com/pressoffice/news/articles/2008/01/toptendec07.html
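As an added illustration (not part of the original slides), a small Python scanner a defender could run over a page’s HTML to flag the two patterns described here: hidden or zero-size IFRAMEs, and inline scripts that decode themselves at runtime rather than carrying a signature-matchable payload. The sample page, the example.invalid host and the thresholds are constructed assumptions.

```python
import re
from html.parser import HTMLParser
# Constructed sample page (not from any real site): one injected zero-size hidden
# IFRAME and two obfuscated script blocks of the kind the talk describes, plus one
# ordinary script that must not be flagged. example.invalid is a placeholder host.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="http://example.invalid/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22'));</script>
<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116));</script>
<script>function greet() { return "hello"; }</script>
</body></html>"""

HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
# Eight or more consecutive %XX / \xXX / \uXXXX escapes: a decode-at-runtime payload.
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}")
DYN_EVAL = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, detail) tuples
        self._in_script, self._script = False, ""

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            dims = [a.get(d, "").strip().rstrip("px") for d in ("width", "height")]
            tiny = all(d in ("0", "1") for d in dims)  # 0x0 or 1x1 frame
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script, self._script = True, ""

    def handle_data(self, data):
        if self._in_script:
            self._script += data  # script bodies arrive here unparsed (CDATA)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            # Flag a runtime-decoding chain (eval + fromCharCode, write + unescape) or a long escape run.
            if ESCAPE_RUN.search(self._script) or len(DYN_EVAL.findall(self._script)) >= 2:
                self.findings.append(("obfuscated-script", self._script.strip()[:60]))

def scan_html(html):
    # Returns (kind, detail) findings for hidden IFRAMEs and obfuscated inline scripts.
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Running scan_html(SAMPLE_HTML) yields one hidden-iframe finding followed by two obfuscated-script findings; the plain greet() script is left alone.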

Crimeware Toolkits

A glimpse into the code

• Modern toolkits are provided in their binary form, with licensing mechanisms, built-in obfuscation, configuration files, user management (for supporting multiple attackers under the same kit), and DB functionality.
• The snippets here are taken from a disassembly of Neosploit version 2.0.15 (first time analysis – in.cgi)

Neosploit code

Location, Location, Location

• Have you been to our fine establishment before?
– You can only get the “good” stuff once…
• Where do you come from?
– You may not be worth the effort…

index.php:

    //checks and saves user's IP hashed with browser
    //to avoid future browser's hangup
    function CheckAddUser() {
        $rcount=@mysql_num_rows($res);
        if ($rcount>0) {
            //found data, prevent view
            echo ":[";
            exit;
        } else {
            //not found, add
            $query = "INSERT INTO ".$dbstats."_users VALUES ('".$ipua."')";
            mysql_query($query);
        }
    }

settings.php:

    $BlockDuplicates=1; //send exploits only once
    $CountReferers=1; //make referrer's statistics
    $OnlyDefiniedCoutries=0; //send exploits only to counties in the list
    $CoutryList="RU US UA"; //2-letter codes ONLY! (see readme for details)

Source: Mpack 0.94 source code

Evasive attacks – increasing the infection rates

Propagation techniques

• How did THAT code turn up on THAT site?
– Anyone remember bankofindia.com?
• Helpful HTML tags (infamous IFrames…)
• And of course, greenbacks… $$$

On My Site? No way!

Way… It’s all business!

• You can get paid to put a snippet of HTML on your site that will spur “installations” (= infections). Guaranteed high “install” rate, updated code (remember the toolkit), bypass security measures…
• “The number of legitimate Web sites compromised by attackers has surpassed those purposefully created by attackers” – Jan 22nd, Websense security labs.

And when the business is booming…

“The number of legitimate Web sites compromised by attackers has surpassed those purposefully created by attackers”
Jan 22nd, Websense security labs.

“- 75 percent of Web sites with malicious code are legitimate sites that have been compromised. This represents an almost 50 percent increase over the previous six-month period.
- 60 percent of the top 100 most popular Web sites have either hosted or been involved in malicious activity in the first half of 2008.”
July 29th, Websense security labs.

And there’s a “no code” trick as well

• Lately (about 2 weeks ago) an already known problem has resurfaced – SEO meets XSS
• Some known sites were exploited for XSS vulnerabilities, and were “promoted” using SEO to show up in search results
– With the help of another issue where search pages on the sites were indexable by search engines
• The XSS dynamically added content to the rendered page – having an Iframe/Script bring in malicious code for the unsuspecting user.

Happy neighbors…

• Groups work together, keeping some level of cooperation.
• And it’s even built into utilities on the crimeware servers!

What’s the end game?

• Holy grail of web attacks: successful installation of a crimeware Trojan (aka – rootkit+keylogger+otherstuff)

Full-Circle

• Stolen data gets back to criminals
• Criminals sort through data, categorize it and use it
– For immediate financial gain
– Trading the data in the black market
– Exploiting the data to get additional infections in place

(Diagram: User infected with Trojan → Trojan sends credentials → Credentials used to modify content of websites → User attacked while browsing)

The last server we analyzed contained more than 200,000 stolen FTP credentials on it. It had government sites, universities, and Fortune 500 companies on it. More than 50% of the credentials were valid…

Keeping in control

Neosploit

• So you wanted to hear a bit on Neosploit…
• THE “Rock Star” of crimeware toolkits.
– It even pulled an Elvis on everyone, and claimed to have disappeared…

• V.1. – solid exploit and simple management, single user system. No licensing.
• V.2. – multiple user support (SaaS), enhanced reporting (country, referrer, Browser/OS), multiple loader configurations. License locked to IP, server validated. Database moved to flat files.
• V.3. – Enhanced licensing (locked to IP+user/pass), installation only through a SOCKS proxy, Enhanced reporting on exploit ROI, Enhanced database management.

Local Crimeware Effect

• Crimeware analysis showing a sampler of how financial crime is being performed.
• Don’t take your eyes off the ball… (the SSL icon?)

Play-by-play…

Where are we going to?

• Time for predictions:
– We are starting to see criminals exploiting (pun intended) the full potential of “Web2.0”
– Tagging websites is out – nothing but real-time scanning can be used as a security measure. Tagging will shift back to productivity and acceptable use policy only
– Trojans that conduct all of their communications over ‘legitimate’ channels utilizing loosely coupled Web2.0 services
• Google’s Mashup editor, and Yahoo’s pipes are great examples of what can be done in terms of back-channel management of data…

Trojans 2.0 Illustrated

Old vulnerabilities – old problem

• Not necessarily – a recent study clearly shows that the percentage of un-patched browsers is still high enough to make cybercrime as easy as it looks from this presentation.

Taken from “Understanding web browser threat: examination of vulnerable online web browser populations and the ‘insecurity iceberg’”, http://www.techzoom.net/insecurity-iceberg

From the field…

• Picture taken on Thursday October 16th at BlueHat. 2 days after the Patch Tuesday. In Microsoft. At Redmond…

So how do I use this?

• Extrusion Testing
– The ugly half-brother of pen-testing
– Gaining a lot of momentum
– Uses tried-and-tested methods (social engineering, passive
external fingerprinting, work the CEO’s secretary rather than the
security administrator…)

• Arsenal includes:
– Toolkits (told you these things are useful)
– Updated exploits for recent vulnerabilities
– Custom infection (you don’t want to end up being blocked by an
AV when you do have a chance to get in) – not for the faint of
heart.
– Chutzpah (someone come up with an English phrase for it!)

Future directions of web security

• Check out our talk on insecurity of widgets and gadgets (from DefCon 15).
• Remember the Web2.0 enabled Trojans…
• And of course some backlog material from the BlackHat EU 08 talk

Q&A

Feel free to drop me a line at iamit@iamit.org

