Crimeware (malicious trojans and bots) facilitates online financial crimes targeted at eCommerce and eBanking sites. What are the attack mechanisms, and what are the identifying characteristics of these crime-net-controlled bots and trojans?
Botnets
- Botnets (networks of hijacked or "zombie" computers) bypass traditional network security mechanisms.
- Large botnets control an army of over a million nodes; sending 22 to 24 Gbps of data, they can throttle the Internet.
- September 2005: three Dutch botnet operators were arrested. They controlled 1.5 million machines and used them to extort money from a US company, to steal identities and to distribute spyware.
- Thr34t Krew: a botherder behind massive DDoS attacks and warez (stolen software) distribution.
- A criminal marketplace: spam botnets to watch in 2009 (SecureWorks).
Bots
- Bots (automated malicious software) are planted on host computers and lie low without the owner's knowledge.
- Bot binaries (malware) let the botmaster control the hijacked nodes remotely through a command-and-control channel.
- Bots evade traditional malware defenses: they use zero-day or real-time exploits and avoid detection through polymorphism.
Online Financial Crimes Controlled by CrimeNets
- Extortion: in 2004, bot-driven DDoS attacks against online gambling sites were used for extortion.
- Identity theft.
- Data theft of confidential data: user IDs and passwords, credit card data, Social Security Numbers, sensitive files (corporate espionage, political espionage).
- Underground economy: servers controlled by botnet operators store and distribute illegal software or credit card data.
- Botnets are rented out for spamming, spyware distribution, distributed denial-of-service attacks or spear phishing.
Dutch botnet operators (2005)
- Controlled 1.5 million machines.
- Used them for extorting money from a US company, stealing identities and distributing spyware.
- Used the Toxbot Trojan to infect the compromised machines.
Crimeware Attack Vectors
- Phishing.
- Keystroke loggers.
- Social engineering attacks (tricking users into opening email attachments that contain crimeware); email is the weapon of mass delivery for trojans.
- ActiveX drive-by downloads on compromised or baiting websites.
- IM (instant messaging).
- Worm attacks (e.g. the Conficker worm) that exploit security vulnerabilities in the targeted systems.
- Injection of crimeware into legitimate sites via cross-site scripting and other web application vulnerabilities.
- Insertion of crimeware into downloadable software.
Payloads
- Trojans: 54% of top malicious code (Symantec Internet Security Threat Report).
- Banking trojans (Brazil) targeting banking transactions.
- Authenticated session hijacking rather than keystroke logging or credential stealing: session-riding malware makes fraudulent transactions inside the victim's own authenticated session.
- Such trojans can bypass SSL encryption, traditional authentication and malware defenses.
- Trojans targeting European banks (e.g. Haxdoor, Sinowal, Zeus) use wininet.dll hooks.
Attack Methods
- A banking trojan monitors the system or user activity to identify when the user is banking online (Ståhlberg, 2007), using:
  - hooks on WinInet API functions;
  - the Browser Helper Object interface;
  - window title enumeration (when the browser title bar contains a string from the trojan's filter list, the trojan starts logging keystrokes);
  - DDE and COM interfaces;
  - Firefox browser extensions and the Layered Service Provider interface.
- It captures user credentials by:
  - form grabbing;
  - screenshots or video capture (for banks using "virtual keyboards");
  - keystroke logging;
  - injection of fraudulent pages or form fields;
  - pharming;
  - man-in-the-middle attacks.
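As an added illustration of the "injection of fraudulent pages or form fields" item above (example code written for this page, not code from the original deck or from any trojan): a small Python parser and applier for a web-inject configuration in the widely documented Zeus-style syntax (set_url / data_before / data_inject / data_after / data_end), which the deck itself does not describe. The injection semantics are assumed here: the text between the before and after anchors is replaced by the inject block, and an empty data_after means pure insertion after the before anchor. The sample config and login page are constructed. Because a hooked browser applies the injection to the decrypted response before rendering, the extra field is indistinguishable from the bank's own form to the user; the unexpected_fields helper at the end is a hypothetical page-side integrity check that flags input names the server never sent.

```python
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass


@dataclass
class WebInject:
    url_glob: str        # set_url pattern; '*' is a wildcard
    flags: str           # 'G' and/or 'P': apply to GET and/or POST responses
    before: str = ""     # anchor text that precedes the injected HTML ('*' allowed)
    inject: str = ""     # HTML to insert
    after: str = ""      # anchor text that follows; '' means pure insertion


def parse_webinjects(config: str) -> list[WebInject]:
    """Parse a Zeus-style webinject config into WebInject records."""
    injects: list[WebInject] = []
    current, section, buf = None, None, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("set_url"):
            parts = line.split()
            current = WebInject(url_glob=parts[1], flags=parts[2] if len(parts) > 2 else "GP")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw.rstrip())
    return injects


def _wild(pattern: str) -> re.Pattern:
    """Turn an anchor with '*' wildcards into a non-greedy regex."""
    return re.compile(".*?".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)


def apply_webinjects(url: str, method: str, html: str, injects: list[WebInject]) -> str:
    """Rewrite the (already decrypted) HTML the way the hooked browser would see it."""
    for wi in injects:
        if not fnmatch.fnmatchcase(url, wi.url_glob) or method[0].upper() not in wi.flags:
            continue
        m_before = _wild(wi.before).search(html)
        if not m_before:
            continue
        start = m_before.end()
        if wi.after:
            m_after = _wild(wi.after).search(html, start)
            if not m_after:
                continue
            end = m_after.start()
        else:
            end = start
        html = html[:start] + wi.inject + html[end:]
    return html


_INPUT_NAME = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.IGNORECASE)


def unexpected_fields(html: str, expected: set[str]) -> set[str]:
    """Hypothetical page-side check: input names present that the server did not send."""
    return set(_INPUT_NAME.findall(html)) - expected


# Constructed sample config: add a 'Card PIN' field right after the password box on the login page.
SAMPLE_CONFIG = """
set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_inject
<label>Card PIN</label><input type="password" name="pin">
data_end
data_after
data_end
"""

# Constructed sample login page as the bank actually served it.
SAMPLE_LOGIN_PAGE = """<form method="post" action="/login">
<input type="text" name="user">
<input type="password" name="pass">
<button>Log in</button>
</form>"""


if __name__ == "__main__":
    injects = parse_webinjects(SAMPLE_CONFIG)
    tampered = apply_webinjects("https://bank.example/login?lang=en", "GET", SAMPLE_LOGIN_PAGE, injects)
    print(tampered)
    print("unexpected fields:", unexpected_fields(tampered, {"user", "pass"}))
```

A check like unexpected_fields runs in the same browser the trojan has hooked, so the hook can just as easily strip or neuter the check script; it is a tripwire, not a control. The durable defence is server-side: the bank should never act on data (a PIN, a second password, a TAN) that its own page did not ask for.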
Haxdoor Banking Trojan
- Haxdoor.gh uses form grabbing techniques: Browser Helper Objects, COM interfaces and API hooking. Form grabbing accesses the data before it is encrypted with SSL.
- Haxdoor.ki hit Swedish banks in January 2007 with authenticated session hijacking: the trojan displays an error message after the user has entered the password and sends the authentication information to a server managed by the attacker. The attacker then logs on to the bank account and transfers money to his own account or to a hired money mule.
- Successful against banks not using one-time passwords or stronger authentication.
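The Haxdoor.ki flow above, worked as an added example (written for this page; it is neither the deck's nor the malware's code): a bank login endpoint in Python, first with a static password and then with an RFC 6238 time-based one-time password plus replay tracking. The customer, password, shared secret (the RFC 4226 sample key) and frozen clock are constructed. Three runs make the slide's last point concrete and add the caveat a practitioner needs: a form-grabbed static password works whenever the attacker likes; an OTP the victim already submitted is refused on replay; but when the trojan swallows the victim's submission behind a fake error, the still-unused OTP is good for the attacker inside its 30-second window. A one-time password defeats store-and-replay, not a real-time relay.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // STEP, digits)


class BankLogin:
    """Minimal login endpoint. With otp_required=False it behaves like the banks the slide
    calls vulnerable; with otp_required=True it checks a TOTP and refuses to accept the
    same (user, time step) twice."""

    def __init__(self, accounts: dict, otp_required: bool):
        self.accounts = accounts
        self.otp_required = otp_required
        self.consumed = set()  # (user, counter) pairs already used for a login

    def login(self, user: str, password: str, otp: str = "", now: int = 0) -> str:
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return "denied: bad credentials"
        if not self.otp_required:
            return "ok"
        counter = now // STEP
        if not hmac.compare_digest(totp(acct["secret"], now), otp):
            return "denied: bad otp"
        if (user, counter) in self.consumed:
            return "denied: otp replayed"
        self.consumed.add((user, counter))
        return "ok"


# Constructed data: the RFC 4226 sample secret, a fake customer, and a clock frozen at the
# start of a 30-second step so the outcomes below are reproducible.
ACCOUNTS = {"alice": {"password": "hunter2", "secret": b"12345678901234567890"}}
T0 = 56_666_666 * STEP


def haxdoor_scenario() -> dict:
    """Replay the Haxdoor.ki flow against a static-password bank and a TOTP bank."""
    results = {}
    grabbed = {"user": "alice", "password": "hunter2"}  # form-grabbed before TLS encryption

    # 1. Static password only: the stolen credentials work whenever the attacker wants.
    bank = BankLogin(ACCOUNTS, otp_required=False)
    results["static_password"] = bank.login(grabbed["user"], grabbed["password"])

    # 2. TOTP, trojan only logs silently: the victim's own login consumes the code,
    #    so the attacker's later replay of the same code is refused.
    bank = BankLogin(ACCOUNTS, otp_required=True)
    code = totp(ACCOUNTS["alice"]["secret"], T0)
    victim = bank.login("alice", "hunter2", code, now=T0)
    replay = bank.login("alice", "hunter2", code, now=T0 + 5)
    results["otp_replay_after_victim_login"] = (victim, replay)

    # 3. TOTP, trojan shows the fake error: the victim's submission never reaches the bank,
    #    so the code is still unused when the attacker relays it 5 s later.
    bank = BankLogin(ACCOUNTS, otp_required=True)
    code = totp(ACCOUNTS["alice"]["secret"], T0)
    results["otp_relayed_in_real_time"] = bank.login("alice", "hunter2", code, now=T0 + 5)

    # 4. The same code relayed after the time step has rolled over: expired.
    results["otp_relayed_late"] = bank.login("alice", "hunter2", code, now=T0 + 60)
    return results


if __name__ == "__main__":
    for case, outcome in haxdoor_scenario().items():
        print(f"{case}: {outcome}")
```

Run 3 is the whole reason the trojan bothers with the error message: an OTP that the victim never gets to submit is, for 30 seconds, as good as a static password. Closing that gap needs the second factor to bind to the transaction (signing the amount and destination account, as transaction-authentication schemes do), not merely to the login.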
Attack Methods (contd.)
- Cryptovirology: malware encrypts critical data on infected machines and extortionists demand money to restore it.
- Data theft attacks: trial attacks serve as a sales promotion, followed by DDoS attacks or data theft attacks.
- Data aggregation for criminal purposes.
Criminal Profiles: the Cybercrime Underworld
- Organized crime: banking trojan gangs operating in Brazil; phishing gangs operating from Eastern Europe.
- Crimeware kits sold on the black market.
- Virus writers employed by cyber-underground operators to create spyware and trojans.
- Customizable malware, or Crimeware as a Service (CWaS).
- Crimeware manufacturing: malware developers are funded to develop trojans and other crimeware.
- Dynamics of the cybercrime underworld (Zhuge et al., 2007): virus writers, web site crackers and virtual-asset thieves collaborate to defraud victims.
- Malicious websites: the phishing crimeware map by Websense Security Labs shows the major attacks coming from websites hosted in the USA, Russia and China.
Underground Cyber Economy
- Underground economy servers used by criminals (Symantec, 2008) sell stolen information for identity theft: Social Security Numbers, credit card information, passwords, personal identification numbers, email addresses and bank account information.
- An economic model for China's cybercrime underworld (Zhuge et al., 2007).
- Crimeware threat model and taxonomy (US Department of Homeland Security, 2006).
Crimeware Bibliography
- Dunham, K., Melnick, J. (2009). Malicious Bots: An Inside Look into the Cyber-Criminal Underground of the Internet. Auerbach Publications, Boca Raton, FL.
- Jakobsson, M., Ramzan, Z. (2008). Crimeware: Understanding New Attacks and Defenses, 1st ed. Addison-Wesley Professional.
- Emigh, A. (2006). The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond. Journal of Digital Forensic Practice (ISSN 1556-7346), Volume 1, Issue 3, pp. 245-260.
- Symantec (2009). Internet Security Threat Report.