Iftach Ian Amit
iamit.org & I Am Security blog

Behind the scenes of E-Crime


Who Am I ? (iamit)
• Iftach Ian Amit
  – In Hebrew it makes more sense…
• I Am Security blog (www.iamit.org/blog)
• Director Security Research @ Aladdin and Finjan
• Various security consulting/integration gigs in the past
  – R&D
  – IT
• A helping hand when needed… (IAF)


Today’s Agenda
• Terminology
• Past vs. Present – 10,000 feet view
• Business Impact
• Key Characteristics – what does it look like?
  – Anti-Forensics techniques
  – Propagation methods
• What is the motive (what are they looking for)?
• Tying it all up – what does it look like when successful.
• Anything in it for us to learn from?
  – Looking forward on extrusion testing methodologies


Some Terminology
• Crimeware – what we refer to as malware these days is actually crimeware: malware with specific goals for making $$$ for the attackers.
• Attackers – not to be confused with malicious code writers, security researchers, hackers, crackers, etc… These guys are the Gordon Gekkos of the web security field. They buy low, and capitalize on the investment.
• Smart (often misled) guys write the crimeware and get paid to do so.


Federal Prosecutor: “Cybercrime Is Funding Organized Crime”

How Does e-Crime get Business Data?


The business impact of E-Crime
Criminals target sensitive business data!
[Diagram: sophisticated and organized criminals targeting employee data and financial data]
• Brand damage
• Customer Data
• Financial theft
• Data theft
• Password theft
• Identity theft
• Compromised computers to steal resources
• Employee productivity loss


The Business Impact Of E-Crime
How much is business data worth to criminals?
• Credit Cards & Bank Accounts (+PIN): ~$10-50
• Product Design: $1000
• Financial Report: $5000

Key Characteristics of E-Crime
Financially motivated criminals are utilizing new methods to infect PCs with crimeware that steals sensitive data.
• Distribution models
  – Hosted on compromised, legitimate and Web 2.0 sites all over the globe with frequent location changes
  – URL and Reputation-based filtering solutions will not block these sites
• Detection Evasion
  – Evade signature-based detection by utilizing code obfuscation and selective delivery of malicious code
  – Anti-Virus signatures will not match today’s malicious code

Detection Evasion
• Code obfuscation
  – Not the one you are used to…
• Single serve exploits
  – One per customer please
• Geographical preference
  – More on this later when we talk $$$…


Dynamic Code Obfuscation


Dyn. Code Obf. – the neosploit way (2.0.15)


Obfuscation and IFRAMES
• Obfuscation and IFRAMEs have become the main driving tools for distributing malware and malicious code in general.
  – They are even signatured by AV – although the obfuscation or IFRAME itself may NOT be malicious…

Source: top 10 web threats in 2007 http://www.sophos.com/pressoffice/news/articles/2008/01/toptendec07.html


Crimeware Toolkits


A glimpse into the code
Modern toolkits are provided in their binary form, with licensing mechanisms, built-in obfuscation, configuration files, user management (for supporting multiple attackers under the same kit), and DB functionality.
• The snippets here are taken from a disassembly of Neosploit version 2.0.15 (first-time analysis – in.cgi)


Neosploit code


Location, Location, Location
index.php:

    //checks and saves user's IP hashed with browser
    //to avoid future browser's hangup
    function CheckAddUser() {
        …
        $rcount=@mysql_num_rows($res);
        if ($rcount>0) {
            //found data, prevent view
            echo ":[";
            exit;
        } else {
            //not found, add
            $query = "INSERT INTO ".$dbstats."_users VALUES ('".$ipua."')";
            mysql_query($query);
        }
    }

settings.php:

    $BlockDuplicates=1;        //send exploits only once
    $CountReferers=1;          //make referrer's statistics
    $OnlyDefiniedCoutries=0;   //send exploits only to countries in the list
    $CoutryList="RU US UA";    //2-letter codes ONLY! (see readme for details)

Source: Mpack 0.94 source code

• Have you been to our fine establishment before?
  – You can only get the “good” stuff once…
• Where do you come
  – You may not be worth the effort…
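Added example, not code from the deck or from any toolkit: a constructed Python stand-in for the gating logic in the MPack snippet above (one serving per IP+User-Agent hash, country allow-list), next to the defender-side check it implies: fetch the same URL with several client fingerprints and flag it when the responses differ, which is the fingerprint of selective delivery. `ServeOnceSimulator` and `detect_selective_delivery` are hypothetical names.

```python
import hashlib
from collections import Counter


class ServeOnceSimulator:
    """Constructed stand-in for the toolkit's gating logic (not real toolkit code):
    the payload is served once per (IP, User-Agent) pair, and only to visitors
    whose country is in the configured list."""

    def __init__(self, country_list=("RU", "US", "UA")):
        self.country_list = set(country_list)
        self.seen = set()  # plays the role of the "_users" table: hash of IP + UA

    def fetch(self, ip, user_agent, country):
        ipua = hashlib.sha256((ip + user_agent).encode()).hexdigest()
        if country not in self.country_list:
            return "<html>nothing to see here</html>"  # not worth the effort
        if ipua in self.seen:
            return ":["  # the "already served" marker from the snippet above
        self.seen.add(ipua)
        return "<html><script>/* simulated payload placeholder */</script></html>"


def detect_selective_delivery(fetch, probes):
    """Fetch one URL with several client fingerprints (ip, user_agent, country)
    and report whether the server hands different content to different visitors.
    Returns (is_selective, {response_digest: count})."""
    digests = Counter(
        hashlib.sha256(fetch(ip, ua, cc).encode()).hexdigest()[:12]
        for ip, ua, cc in probes
    )
    return len(digests) > 1, dict(digests)


if __name__ == "__main__":
    sim = ServeOnceSimulator()
    varied = [("10.0.0.5", "Mozilla/5.0", "US"),
              ("10.0.0.5", "Mozilla/5.0", "US"),
              ("10.0.0.6", "Mozilla/5.0", "DE")]
    print(detect_selective_delivery(sim.fetch, varied))
```

Re-fetching a suspicious URL from the same machine that was already hit returns the "already served" marker every time, so a single-fingerprint re-check looks clean; vary the fingerprint before concluding a site is benign.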


Evasive attacks – increasing the infection rates


Propagation techniques
• How did THAT code turn up on THAT site?
  – Anyone remember bankofindia.com?
• Helpful HTML tags (infamous IFrames…)
• And of course, greenbacks… $$$


On My Site? No way!


Way… It’s all business!
• You can get paid to put a snippet of HTML on your site that will spur “installations” (= infections). Guaranteed high “install” rate, updated code (remember the toolkit), bypass security measures…
• “The number of legitimate Web sites compromised by attackers has surpassed those purposefully created by attackers” – Jan 22nd, Websense security labs.


And when the business is booming…
“The number of legitimate Web sites compromised by attackers has surpassed those purposefully created by attackers” Jan 22nd, Websense security labs.

“- 75 percent of Web sites with malicious code are legitimate sites that have been compromised. This represents an almost 50 percent increase over the previous six-month period.
- 60 percent of the top 100 most popular Web sites have either hosted or been involved in malicious activity in the first half of 2008.” – July 29th, Websense security labs.


And there’s a “no code” trick as well
• Lately (about 2 weeks ago) an already known problem has re-surfaced again – SEO meets XSS
• Some known sites were exploited for XSS vulnerabilities, and were “promoted” using SEO to show up in search results
  – With the help of another issue where search pages on the sites were indexable by search engines
• The XSS dynamically added content to the page rendered – having an Iframe/Script bring in malicious code for the unsuspecting user.
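Added example, not from the deck: a constructed site-search handler showing the reflected-XSS weakness described above beside its hardened form, which HTML-escapes the echoed term and marks search-result pages noindex so a poisoned search URL cannot be “promoted” into search engine results. The function names, the injected query and the host `malicious.example` are all constructed placeholders.

```python
import html

# Constructed sample of a poisoned search term: the closing quote breaks out of
# the input attribute and the rest injects an iframe into the rendered page.
INJECTED_QUERY = 'shoes"><iframe src="http://malicious.example/in.cgi"></iframe>'


def render_search_vulnerable(query):
    """The 'before': the search term is echoed raw into the HTML, and the
    response carries no robots directive, so crawlers may index the poisoned URL."""
    body = f'<h1>Results for: {query}</h1><input name="q" value="{query}">'
    headers = {"Content-Type": "text/html"}
    return headers, body


def render_search_hardened(query):
    """The 'after': escape the reflected term for both text and attribute
    context, and tell search engines not to index or follow search-result pages."""
    safe = html.escape(query, quote=True)   # escapes < > & " '
    body = f'<h1>Results for: {safe}</h1><input name="q" value="{safe}">'
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Robots-Tag": "noindex, nofollow",
    }
    return headers, body


def page_has_injected_markup(body):
    """Crude triage check over crawled copies of a page: does the rendered
    output contain a live iframe or script tag that the template never emits?"""
    lowered = body.lower()
    return "<iframe" in lowered or "<script" in lowered


if __name__ == "__main__":
    for render in (render_search_vulnerable, render_search_hardened):
        headers, body = render(INJECTED_QUERY)
        print(render.__name__, page_has_injected_markup(body), headers.get("X-Robots-Tag"))
```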


Happy neighbors…
• Groups work together, keeping some level of cooperation.
• And it’s even built into utilities on the crimeware servers!


What’s the end game?
• Holy grail of web attacks: successful installation of crimeware Trojan (aka – rootkit+keylogger+otherstuff)
• Stolen data gets back to criminals
• Criminals sort through data, categorize it and use it
  – For immediate financial gain
  – Trading the data in the black market
  – Exploiting the data to get additional infections in place

[Diagram: User infected w. Trojan → Trojan sends credentials → Credentials used to modify content of websites → User attacked while browsing]

The last server we analyzed contained more than 200,000 stolen FTP credentials on it. It had government sites, universities, and fortune 500 companies on it. More than 50% of the credentials were valid…


Keeping in control


So you wanted to hear a bit on Neosploit…
• THE “Rock Star” of crimeware toolkits.
  – It even pulled an Elvis on everyone, and claimed to have disappeared…
• V.1. – solid exploit and simple management, single user system. No licensing.
• V.2. – multiple user support (SaaS), enhanced reporting (country, referrer, Browser/OS), multiple loader configurations. License locked to IP, server validated. Database moved to flat files.
• V.3. – Enhanced licensing (locked to IP+user/pass), installation only through a SOCKS proxy, Enhanced reporting on exploit ROI, Enhanced database management.



Local Crimeware Effect
• Crimeware analysis showing a sampler of how financial crime is being performed.
• Don’t take your eyes off the ball… (the SSL icon?)




Where are we going to?
• Time for predictions:
  – We are starting to see criminals exploiting (pun intended) the full potential of “Web2.0”
  – Tagging websites is out – nothing but real-time scanning can be used as a security measure. Tagging will shift back to productivity and acceptable use policy only
  – Trojans that conduct all of their communications over ‘legitimate’ channels utilizing loosely coupled Web2.0 services
    • Google’s Mashup editor, and Yahoo’s pipes are great examples of what can be done in terms of back-channel management of data…


Trojans 2.0 Illustrated


Old vulnerabilities – old problem
• Not necessarily – a recent study clearly shows that the percentage of un-patched browsers is still high enough to make cybercrime as easy as it looks from this presentation.

Taken from “Understanding web browser threat: examination of vulnerable online web browser populations and the ‘insecurity iceberg’”, http://www.techzoom.net/insecurity-iceberg

From the field…
• Picture taken on Thursday October 16th at BlueHat. 2 days after the Patch Tuesday. In Microsoft. At Redmond…


So how do I use this?
• Extrusion Testing
  – The ugly half-brother of pen-testing
  – Gaining a lot of momentum
  – Uses tried-and-tested methods (social engineering, passive external fingerprinting, work the CEO’s secretary rather than the security administrator…)
• Arsenal includes:
  – Toolkits (told you these things are useful)
  – Updated exploits for recent vulnerabilities
  – Custom infection (you don’t want to end up being blocked by an AV when you do have a chance to get in) – not for the faint of heart.
  – Chutzpah (someone come up with an English phrase for it!)


Future directions of web security
• Check out our talk on insecurity of widgets and gadgets (from DefCon 15).
• Remember the Web2.0 enabled Trojans…
• And of course some backlog material from the BlackHat EU 08 talk



Feel free to drop me a line at iamit@iamit.org