Crimeware (malicious trojans and bots) facilitate online financial crimes targeted at eCommerce and eBanking sites. What are the attack mechanisms and what are the identifying characteristics of these crime-net controlled bots and trojans ?

1. Crimeware FingerprintingCharacteristics of Crimenet-Controlled Bot Behavior & The Underground Cyber Economy Joseph Ponnoly MBA, MSc, CGEIT, CISM, CISA, CISSP

2. Botnets , Bots & Crimeware Online financial crimes Targets & Attack Mechanisms Criminals Underground Cyber Economy Countermeasures Understanding Crimeware

3. Bots, Botnets & Crimeware

4. BotnetsThe No. 1 Internet Security Threat

5. Botnets (networks of hijacked or zombie computers) Bypass traditional network security mechanisms Large botnets control an army of over a million nodes Sending 22 to 24 Gbps data- can throttle the Internet 3 Dutch botnet operators arrested September 2005- controlled 1.5 million machines- used them to extort money from a US company, to steal identities and distribute spyware Thr34t Krew – botherder massive DDoS attacks and warez (stolen software distributions) Criminal marketplace Spam botnets to watch in 2009 (Secureworks) Botnets

6. Bots (automated malicious software) Planted on host computers lie low without the owner’s knowledge Bot binaries (malware) help the botmaster to remotely control the hijacked nodes using remote command and control Bots immune to traditional malware defenses (use zero day or real time exploits, avoid detection through polymorphism Bots

9. Trojans or bots (automated malicious software agents)

10. Use zeroday or real time exploits (Immune to traditional malware defenses), Avoid detection using polymorphism

11. Specifically targeted at machines

12. Facilitates online crimes

13. Controlled by CrimenetsSpam Bots Banking Trojans targeting Brazilian banks What is crimeware?

15. IRC is an Internet communications protocol

16. attractive aspects for operators in the underground economy:

17. REALTIME GROUP communications,

18. requires very little bandwidth,

19. IRC client software is freely available across all operating system

20. Others: HTTP, P2PCommunication Protocols used

21. DDoS botnets for rent

22. Crimes http://www.youtube.com/watch?v=pzKmzO_Xq3k

24. Identity theft

25. Distribution of spyware

26. Denial of service attacks

27. Financial crimes

28. Targeted Phishing attacks (Spear Phishing, Whaling)Crimeware controlled Crimes

29. Extortion 2004: bot-driven DDoS attacks against online gambling sites, used for extortion Identity theft Data Theft: confidential data useridsand passwords credit card data, Social Security Numbers sensitive files (corporate espionage, political espionage) Underground Economy Servers controlled by Botnetoperators store and distribute illegal software or credit card data Rent out botnets for spamming, distribute spyware, distributed denial of service attacks or spear phishing Online Financial Crimes controlled by CrimeNets

30. Dutch botnet operators (2005)- controlled 1.5 million machines Used for extorting money from a US company, to steal identities, distribute spyware Used Toxbot Trojan to infect the compromised machines

31. Targets

33. US Banks: Email-based phishing

34. Brazilian Banks, European Banks: (Banking Trojans)

35. Online gambling

36. Online gaming

37. Trojan families (Mgania, Nilage)

38. Online advertisements

39. Online payment systems (Paypal)

40. Ecommerce sites (eBay)

41. Email-based phishing targeted PayPal, eBay and US BanksCrimeware Targets

42. Attack Mechanisms

43. Attack Vectors: Phishing Keystroke loggers Social Engineering attacks (to open email attachments that contain crimeware) Email, the weapon of mass delivery of trojans ActiveX drive-by (on compromised or baiting websites) IM (Instant Messagin) Worm attacks (Conflicker Worm) to exploit security vulnerabilities of targeted systems Injection of crimeware to legitimate sites via cross-site scripting / web application vulnerabilities Insertion of crimeware into downloadable software Crimeware Attack Vectors

45. Scripts and rootkits used to hide the exploits

46. Dynamic IP addresses are used to escape detection

47. Worm attacks to exploit security vulnerabilities of targeted systems

48. Injection of crimeware into legitimate websites via cross-site scripting

49. Insertion of crimeware into downloadable software

50. Propagation

51. P2P (Peer-to-Peer Networks)

52. Driveby downloads

53. Email deliveryCrimeware Attack Vectors

54. Trojans (54% of top malicious code – Internet Security Report) Banking Trojans (Brazil) targeting banking transactions Authenticated session hijacking vs. key stroke loggers or credentials stealing (Session riding malware to make fraudulent transactions) Can bypass SSL encryption, traditional authentication and malware defenses Trojans targeting European Banks (eg. Haxdoor and Sinowal, Zeus) use wininet.dll hooks Payloads

55. Banking trojans: Trojan monitors the system or user activity to identify when the user is banking online (Shahlberg, 2007) Hooking WinInet API fucntions Browser Helper Object Interface Window title enumeration (browser title bar contains a string in the filter list, the trojan logs the key strokes) DDE COM Interfaces Firefox Browser Extensions and Layered Service Provider Interface Capture user credentials Form grabbing Screen shots or video capture (for banks using ‘virtual keyboards’) Key stroke logging Injection of fraudulent pages or form fields Pharming Man in the Middle Attacks Attack Methods

56. Haxdoor.gh uses form grabbing techniques Use Browser Helper Objects COM Interfaces API hooking Form grabbing accesses the data before it is encrypted using SSL2 Haxdoor.ki Banking Trojan hit Swedish Banks in January 2007 – Authenticated Session Hijacking Trojan displays an error message after the user has entered the password The trojan sends the authentication information to the server managed by the attacker. The attacker logs on to the bank account and transfers money to his own account or to a hired money mule Successful against banks not using one-time passwords or stronger authentication. Haxdoor Banking Trojan

57. Cryptovirology Malware encrypts critical data on infected machines Extortionists demand money to restore data Data Theft Attacks Trial attacks start as sales promotion Followed by DDoSattcks or data theft attacks Data Aggregation for criminal purposes Attack methods --Contd

58. The Criminals

59. Organized crime Banking Trojan Gangs operational in Brazil Phishing Gangs operating from Eastern Europe Crimeware kits sold in the black market Virus writers employed by cyber underground operators to create spyware and trojans Customizable Malware/Crimeware As a Service CWaS Crimeware manufacturing: Malware developers funded to develop malware trojans/crimeware Dynamics of the cybercrime underworld (Zhuge et al, 2007) Virus writers, web site crackers, virtual assets thieves collaborate to defraud victims Malicious Websites: Phishing Crimeware map by WebSense Security labs Major attacks from websites hosted in USA, Russia and China Criminal Profiles-Cybercrime Underworld

60. Underground Economy Servers used by criminals (Symantec, 2008) Selling stolen information for identity theft Social security numbers, credit card information, passwords, personal identification numbers, email addresses, bank account information An economic model for China’s cybercrime underworld (Zhuge et al, 2007). Crimeware threat model and taxonomy (US Department of Homeland Security, 2006). Underground Cyber Economy

61. Goods and services available for sale on underground economy servers

63. Countermeasures

65. Crimeware Bibliography Dunham, K., Melnick, J. (2009). Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet. Auerbach Publications, Boca Raton, FL. Jakobsson, M., Ramzan, Z. (2008). Crimeware: Understanding New Attacks and Defenses, 1 ed. Addison-Wesley Professional. Emigh, A. (2006). The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond . Journal of Digital Forensic Practice, 1556-7346, Volume 1, Issue 3, 2006, Pages 245 – 260 Symantec. (2009). Internet Security Threat Report.