1. Malwares, Money and
Criminal/Terror Activity
The Dangerous Relationship
Pedro Bueno, SANS GCIA, GREM
pbueno@avertlabs.com
pbueno@isc.sans.org
Malwares, Money and Criminal/Terror Activity SANSFIRE 2009 – Baltimore, MD
2. Warming up...
“Last I checked, it was physical terrorists who bombed
the Marine barracks in Lebanon, who attacked the U.S.S.
Cole, who took out the Oklahoma City federal building,
and who suicide-bombed the World Trade Center and the
Pentagon.
Wily-fingered hackers had nothing to do with it.”
CNet article “Cyberterror and professional paranoiacs” – 2003
3. Agenda
● Introduction
● The Motivations
● The Methods Used
● What About Cyber War?
● Conclusion
4. Introduction
● Significant change in the hacking world over the
last 4 years…
● Some years ago we had hackers “à la Mitnick”, or
hacking for fame, looking for a better ranking on the
(R.I.P.) Alldas.de defacement mirror
● Now, we have hackers directly involved with cyber
crime, which is also sponsored by real world
organized crime!
● Now, we have hackers directly involved with cyber
crime, which is also sponsoring real world
organized crime!
5. Introduction
● Money Money Money Money Money!
● Virus customized for a specific company of your
choice = $50,000 USD
● Recycled virus (modified to avoid signature
detection) = $200 USD
● 10 million email addresses = $160 USD
● Credit card number = $2~6 USD
● Credit card number with security code = $20~60
USD
● Renting a laptop which controls botnet of
5,000~10,000 computers = $100/day
Source: G-Data
6. Introduction
● Nowadays, cyber crime is changing the
concept of cyber terrorism:
● Cyber Terrorism as we know it:
1 - “the use of information technology by terrorist
groups and individuals to further their agenda.
This can include use of information technology to
organize and execute attacks against networks,
computer systems and telecommunications
infrastructures, or for exchanging information or
making threats electronically.” - NCSL
● Cyber Terrorism as we should understand it:
“[1] + the use of cyber crimes to sponsor real world
terrorism activity”
9. Motivation
● Illegal Financing
– As with any other organized crime group, whether regular
organized crime or terrorism, with whatever objective:
buying arms from illegal arms dealers, establishing a cell
in a country, training and operational actions.
10. Motivation
● Terrorism and Cyber terrorism
Myth x Reality
11. Motivation
● While Terrorism and Cyber terrorism are two
different terms, they are highly linked to each other.
● Terrorism: the calculated use of violence (or the threat of
violence) against civilians in order to attain goals that are
political or religious
● Cyberterrorism: According to the U.S. Federal Bureau of
Investigation, cyberterrorism is any "premeditated, politically
motivated attack against information, computer systems,
computer programs, and data which results in violence
against non-combatant targets by sub-national groups or
clandestine agents."
● But what about terror acts achieved with cyber help?
12. Motivation
● Cyber <-> Terror
– 1999 – Hacking was used to obtain the Airbus A300
structural plans. Those plans were essential to the
successful hijack of the Indian Airlines airplane in
December 1999.
– 2001 – In February, a hacker was contacted to get
the structural plans of other airplanes, identical to
those used in the 9/11 attacks.
13. Motivation
● Terrorism (cont.)
– Bali 2002 – a bombing attack on the tourist district of Kuta on
the Indonesian island of Bali. Investigations led to the
finding that the attack was sponsored by frauds involving
credit cards. Imam Samudra, author of the attacks, published
a book with a chapter entitled "Hacking, Why Not?"
– 2004 – Research revealed that ALL terrorist groups have
some kind of ‘virtual cell’ on the Internet.
– April 2006 – 5 family members of a Jordanian person with
American citizenship, accused of being an Al Qaeda contact, were
arrested in California for banking fraud involving identity theft.
Some of the money was transferred to an account in Amman,
Jordan.
14. Motivation
● 2003-2006 – Al Qaeda cells that put their victims'
execution videos on the Internet had members with
Computer Science degrees from Baghdad
University.
● November 2008 – coordinated shooting and
bombing attacks in Mumbai, India. The terrorists
used handhelds with GPS to establish their exact
location, Skype to get encrypted communication
over the Internet, and Google Earth to plan and
establish the targets for the attack.
15. Motivation
The Mafia style
● The Amateurs…
– CardPlanet
● Uses same schema as the Italian Mafia
● Some “affiliates”:
– Mazafara (aka Network Terrorism)
– ShadowCrew
– IAACA – International Association for the Advancement of
Criminal Activity
16. Motivation
● The Mafia Style
● In January 2008, the famous Russian site
MP3Spack.com was banned from a UK backbone
after doing business with a web host that has
been linked to a cybercrime syndicate.
● It was using the web hosting of Abdallah, from a Turkish
network that has been serving malware for
years.
● The Turkish network also had links with the RBN
(Russian Business Network), which has also been
serving malware for many years…
17. Motivation
The Mafia style
● The professionals…
● The Russian Business Network
– Russian ISP originally based in Saint Petersburg, RU (v1)
– Famous for hosting all kinds of illegal “business”, from child
pornography to malware…
– Very (ir)responsive to takedowns
– Best known for their criminal online intents…
– Has affiliate networks in different countries, which help to
distribute their malicious content and make it harder to remove.
– Strong links with the Russian Mob…
18. Motivation
● The RBN (cont.)
● The ZeuS toolkit, Mpack and Storm Worm are
examples of malware/kits linked to it.
● Went down in Nov 2007, only to come back months
later…
● Now it uses different small ISPs as the front end of its
activities.
● As of today, their status is Active!
21. Methods
● Identity Theft
– The usage of the identities of others to carry out
violations of federal criminal law
– More than 25 types of ID Theft investigated by the USSS.
– Way to obtain Driver's Licenses, bank and credit card
accounts through which terrorism financing is facilitated
– An Al-Qaeda terrorist cell in Spain used stolen credit cards
in fictitious sales scams and for numerous other
purchases for the cell, and also used stolen telephone
and credit cards for communications back to Pakistan,
Afghanistan, Lebanon, etc.
22. Methods
● Phishing
– Traditional
– Very common method to get personal data as SSN,
Birth Date, Family Names, as well bank data, forging
the bank webpage.
– Old, but still functional!
– “U.S. consumers lost roughly $3.2 billion to phishing
scams in 2007” – Gartner Survey
24. Methods - Phishing
● Global Cyber Organized Crime
● In May 2008 the FBI arrested 38 people
linked to a fraud scheme involving the
U.S., Portugal, Romania, Pakistan
and Canada.
● Source: FBI
● Group “A” in Romania (mostly) ran the spam with
phishy messages, leading the victim to a phishing
site where they were able to get most personal
information, such as PIN, SSN, CCN…
● Group “A” sent the info to Group “B” in the U.S., which
manufactured their own credit, debit and gift cards to be
used in the Real World!
25. Methods – Phishing Kits
● Created as PHP based malware ‘Kits’
● Usually developed by Russian criminals (and RBN)
● Also provides a C&C
● Examples of such kits are:
– Mpack/IcePack
– ZeuS
● Costs around $700-$1000 USD
26. Methods – Phishing Kits – Mpack/IcePack
● The latest version exploits the following Client Side
Vulnerabilities:
CVE-2008-2992 - buffer overflow in Adobe Acrobat and Reader in util.printf
CVE-2009-0927 - buffer overflow in Adobe Reader and Acrobat via the getIcon
CVE-2006-5198 - WinZip FileView ActiveX Control Unsafe Method Exposure Vulnerability
CVE-2007-0015 - Buffer overflow in Apple QuickTime 7.1.3
MS06-006 - Firefox 1.5.x/Opera 7.x WMP plugin vuln
MS06-014 - ADODB/MDAC vuln
MS06-057 - WebViewFolderIcon ActiveX vuln
MS06-071 - XML setRequestHeader vuln
MS07-017 – ANI vuln
CVE-2007-3147 - Buffer overflow in the Yahoo! Webcam Upload ActiveX
MS05-052 - Internet Explorer COM objects vuln
MS06-024 - Vulnerability in Windows Media Player
27. Methods – Phishing Kits – Mpack/IcePack
● Some highlights:
– Uses an iFrame to determine the best attack model
– Controls the machine remotely through HTTP
– Serves exploits based on country, using GeoIP
– Serves exploits based on browser type, including
MSIE, Opera and Firefox
– Allows different statistics
– Offers an Admin panel for updates, views, etc…
29. Methods – Phishing Kits – ZeuS
● Another type of PHP kit
– A mix of Server side phish and client malware
– Also creates a botnet based on the HTTP protocol
– Also has a C&C
– Bank oriented!
– Targets US banks:
● Bank of America
● Chase
● Citibank
30. Methods – Phishing Kits – ZeuS
● European Banks:
– Santander
– HSBC in the UK
– Lloyds
– Halifax
– Barclays
– Banco Popular
● And more…
– …<insert your bank here>
31. Methods – Phishing Kits – ZeuS
● The ZeuS client is created using a builder
application:
● Information screen, which also removes it from the machine
32. Methods – Phishing Kits – ZeuS
● The client offers some builder options:
– Can choose and modify the configuration file
33. Methods – Phishing Kits – ZeuS
● Creates two files:
– Cfg.bin – the configuration file
– loader.exe – the actual malware
34. Methods – Phishing Kits – ZeuS
● The logs are encoded. However, the builder
provides a way to decode the logs generated by the
client.
35. Methods
● PWS Trojans
– Stands for Password Stealers trojans
– Steals passwords for bank accounts, called PWS-Bankers
– Steals passwords used on online games, called
PWS-OnlineGames
36. Methods
● PWS Trojans
● Basic PWS-Banker “Modus Operandi”:
1. User receives an email with a fake juicy message
2. User clicks on the link
3. User downloads a small file and runs it
4. The file opens an error message, closes, and downloads another, bigger file in the
background
5. The big file intercepts the bank website access attempt and prompts a fake login to
retrieve the user’s bank credentials
6. The trojan sends an email to the hacker with the bank credentials
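As an added example (not part of the deck), the six-step chain above can be turned into a host-side correlation rule. The Python below runs it over constructed Sysmon-style events; the event layout, paths, PIDs, addresses and the thresholds are all assumptions made for this illustration.

```python
from datetime import datetime

# Constructed Sysmon-style events for one workstation (not from the deck):
# (time, kind, pid, ppid, detail). Paths, PIDs and addresses are made up.
EVENTS = [
    ("2009-06-15 09:00:01", "exec", 300, 100, r"C:\Users\ana\Downloads\fatura.exe"),
    ("2009-06-15 09:00:02", "http", 300, 100, "GET http://203.0.113.7/big.exe bytes=1843200"),
    ("2009-06-15 09:00:09", "exec", 310, 300, r"C:\Users\ana\AppData\Local\Temp\big.exe"),
    ("2009-06-15 09:15:40", "net", 310, 300, "198.51.100.25:25"),
    # Benign activity: a browser from Program Files fetching a small page, then SMTP.
    ("2009-06-15 09:01:00", "exec", 400, 100, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ("2009-06-15 09:01:05", "http", 400, 100, "GET http://www.example.com/ bytes=5120"),
    ("2009-06-15 09:01:09", "net", 400, 100, "198.51.100.25:25"),
]

USER_DIRS = ("\\downloads\\", "\\temp\\")  # assumption: where a stage-1 dropper usually lands
BIG_DOWNLOAD = 1_000_000                   # assumption: bytes that count as the "big file"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def lineage(events, root_pid):
    """Return root_pid plus every PID descended from it via exec events."""
    pids = {root_pid}
    changed = True
    while changed:
        changed = False
        for _, kind, pid, ppid, _ in events:
            if kind == "exec" and ppid in pids and pid not in pids:
                pids.add(pid)
                changed = True
    return pids


def find_banker_chains(events):
    """Match the slide's chain inside one process lineage, in time order:
    stage 1 = binary run from a user-writable folder,
    stage 2 = the lineage fetches a large file over HTTP afterwards,
    exfil   = the lineage then opens an SMTP (port 25) connection.
    Returns a list of (root_pid, [stage1_event, stage2_event, exfil_event])."""
    events = sorted(events, key=lambda e: _ts(e[0]))
    hits = []
    for ev in events:
        t0, kind, pid, _, path = ev
        if kind != "exec" or not any(d in path.lower() for d in USER_DIRS):
            continue
        pids = lineage(events, pid)
        stage2 = next((e for e in events
                       if e[1] == "http" and e[2] in pids and _ts(e[0]) > _ts(t0)
                       and int(e[4].rsplit("bytes=", 1)[1]) >= BIG_DOWNLOAD), None)
        if stage2 is None:
            continue
        exfil = next((e for e in events
                      if e[1] == "net" and e[2] in pids and _ts(e[0]) > _ts(stage2[0])
                      and e[4].endswith(":25")), None)
        if exfil is not None:
            hits.append((pid, [ev, stage2, exfil]))
    return hits


if __name__ == "__main__":
    for root, chain in find_banker_chains(EVENTS):
        print(f"PWS-Banker-like chain rooted at PID {root}:")
        for t, kind, p, _, detail in chain:
            print(f"  {t} pid={p} {kind}: {detail}")
```

The browser lineage is ignored because it was not started from a user-writable folder and its download is small, which is the point of requiring all three stages in order rather than alerting on any SMTP connection.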
37. Methods
● PWS-Bankers
● New features:
● Targeted banking!
● Steals certificate files used by banks, like *.crt and *.key
● Modular
– Downloader
– URL list
– Redundancy!
● Grabs screenshots and records video clips
● Encrypts the data sent to the hacker
38. Methods
PWS Bankers trojans
● Moves about 200 million USD/year in South America
● Started with 3 major malware writer groups in Brazil
● About a year ago, the groups started to develop special
versions for other countries in Latin America, like Argentina
and Colombia
● Peru and Mexico have their own versions
● The money was mostly used to buy expensive cars
● Now, it is also used to sponsor real world organized
crime
39. Methods
● PWS-Bankers
Questions to be answered about the South America scheme:
• Is the money shared between the Brazilian and Argentinian
groups?
• Is the code being sold to Argentinian groups, or modified?
• Is there Brazilian organized crime acting in Argentinian
territory?
42. Methods – PWS Online Games Trojans
PWS OnlineGames – virtual money becomes
money in the real world!
Source: SANS ISC
43. Methods – PWS Online Games Trojans
These trojans attempt to steal the game
credentials and steal/transfer/sell all gold (virtual
money)
● 100,000 gold farmers worldwide
● $1.8 billion / year traded in virtual items
Source: SANS ISC
44. Virtual Money Laundering
● Uses Online Games as a vector
● Second Life example:
– “9 million residents are able to move about,
interact with and/or chat privately with other
residents, participate in activities and trade or buy
virtual items and/or services from other residents.
Additionally, virtual real estate may be purchased,
sold and rented and virtual casinos are plentiful.”
– BankInfo Security
– Gambling on Second Life was available until 2007
– The currency is Linden Dollars, which can be exchanged
for USD
45. Methods – Bots/Botnets
1. Scan & Exploit compromises new machines
2. The compromised machines join an IRC network, controlled by a remote person
3. The remote person can now order a number of activities from the compromised machines, like a DDoS
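Steps 1 and 2 above leave a trace in network flow data. As an added example (not from the deck), this Python flags a host that sweeps one port across the subnet and then, together with other internal hosts, rendezvouses on the same external IRC server; the flow format, the IRC port list and the thresholds are assumptions, and the flows are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records "time src dst dport" (not from the deck):
# 10.0.0.5 sweeps port 445 across the subnet, then it and two other
# internal hosts all connect to the same external IRC server, while three
# other hosts talk HTTPS to an unrelated address.
FLOW_TEXT = "\n".join(
    [f"2009-06-15T10:00:{i:02d} 10.0.0.5 10.0.0.{20 + i} 445" for i in range(10)]
    + [
        "2009-06-15T10:00:15 10.0.0.5 203.0.113.9 6667",
        "2009-06-15T10:01:00 10.0.0.8 203.0.113.9 6667",
        "2009-06-15T10:01:30 10.0.0.9 203.0.113.9 6667",
        "2009-06-15T10:02:00 10.0.0.30 198.51.100.4 443",
        "2009-06-15T10:02:10 10.0.0.31 198.51.100.4 443",
        "2009-06-15T10:02:20 10.0.0.32 198.51.100.4 443",
    ]
)

IRC_PORTS = set(range(6660, 6670)) | {7000}  # assumption: common IRC ports
SCAN_TARGETS = 8                              # assumption: distinct hosts per window
SCAN_WINDOW = timedelta(seconds=60)           # assumption: sweep window
MIN_BOTS = 3                                  # assumption: hosts sharing one IRC server


def parse_flows(text):
    """Parse 'time src dst dport' lines into sorted (datetime, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        t, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(t), src, dst, int(dport)))
    return sorted(flows)


def find_scanners(flows):
    """Step 1: sources touching SCAN_TARGETS distinct hosts on one port inside SCAN_WINDOW."""
    recent = defaultdict(deque)
    scanners = set()
    for t, src, dst, dport in flows:
        q = recent[(src, dport)]
        q.append((t, dst))
        while q and t - q[0][0] > SCAN_WINDOW:
            q.popleft()
        if len({d for _, d in q}) >= SCAN_TARGETS:
            scanners.add(src)
    return scanners


def find_irc_rendezvous(flows):
    """Step 2: IRC servers that at least MIN_BOTS internal hosts connected to."""
    joined = defaultdict(set)
    for _, src, dst, dport in flows:
        if dport in IRC_PORTS:
            joined[dst].add(src)
    return {srv: hosts for srv, hosts in joined.items() if len(hosts) >= MIN_BOTS}


def analyze(text):
    flows = parse_flows(text)
    scanners = find_scanners(flows)
    c2 = find_irc_rendezvous(flows)
    return {
        "scanners": sorted(scanners),
        "suspected_c2": {srv: sorted(hosts) for srv, hosts in c2.items()},
        "bots_that_also_scanned": sorted(h for hosts in c2.values() for h in hosts if h in scanners),
    }


if __name__ == "__main__":
    print(analyze(FLOW_TEXT))
```

A host that both scanned and joined the shared IRC server is the strongest signal, since it matches the propagate-then-report-in sequence of the slide rather than a single noisy event.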
46. Methods – Bots/Botnets
● Boom happened in 2004/2005
– In April 2004, more than 900 bot variants
• In 2005, it rose by more than
175% compared to
2004
47. Methods – Bots/Botnets
● Example of a bot source code, under GNU license...(GPL!)
48. Methods – Bots/Botnets
• Easy to modify...
54. Botnets usage...
● “...Saad Echouafni, head of a satellite communications
company, is wanted in Los Angeles, California for
allegedly hiring computer hackers to launch attacks
against his company's competitors. On August 25,
2004, Echouafni was indicted by a federal grand jury in
Los Angeles in connection with the first successful
investigation of a large-scale distributed denial of
service attack (DDOS) used for a commercial
purpose in the United States....”
● “...That business, as well as others both private and
government in the United States, were temporarily
disrupted by these attacks which resulted in losses
ranging from $200,000 to over $1 million...”
● Source: FBI
60. Methods – Bots/Botnets – the new generation
● StormWorm case...(aka Nuwar, postcard worm...)
– P2P based
● Say bye-bye to a central C&C!
● Hard to detect on the infected machine (uses a rootkit)
● Many different binaries
● Use of Fast-Flux networks
● Quite complex P2P network
61. Methods – Bots/Botnets – the new generation
● Storm worm allows:
– Pump and Dump spams (stock spams)
● “involving use of false or misleading statements to hype stocks,
which are "dumped" on the public at inflated prices.”
– The company's stock price goes up, so it is possible to sell the
stocks at a higher price!
● Using different file formats, like PDF, DOC, Excel, plain text…
– Phishing emails that lead to sites with client side
exploits (RBN again…)
– DDoS attacks and Auto DDoS
– High availability due to Fast-Flux networks
62. Methods – Bots/Botnets – the new generation
● A quick highlight on Fast Flux schema:
Source: Honeynet project
63. Methods – Bots/Botnets – the new generation
● Example: one fast-flux domain answering with thirteen A records at once, each pointing to a different address:
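As an added example (not from the deck or the Honeynet Project), here is a Python heuristic for records in the slide's `domain IN A ttl:address` layout, treating the `0:` prefix as the TTL (an assumption); it flags names whose addresses are many, spread across unrelated networks and short-lived. The sample records and the thresholds are constructed for this illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed A records in the slide's "domain IN A ttl:address" layout (not the
# slide's data); addresses come from the RFC 5737 documentation ranges.
RECORDS = """\
flux-example.test IN A 0:192.0.2.10
flux-example.test IN A 0:192.0.2.200
flux-example.test IN A 0:198.51.100.77
flux-example.test IN A 0:198.51.100.8
flux-example.test IN A 0:203.0.113.41
flux-example.test IN A 0:203.0.113.99
static-example.test IN A 3600:203.0.113.5
static-example.test IN A 3600:203.0.113.6
"""

# Assumed thresholds; tune them against your own resolver logs.
MIN_ADDRESSES = 5  # many A records for one name
MIN_PREFIXES = 3   # spread across unrelated /16 networks (offline stand-in for ASN diversity)
MAX_TTL = 300      # seconds; flux nodes are rotated quickly


def parse_records(text):
    """Map each domain to a list of (ttl, IPv4Address) parsed from 'ttl:address'."""
    by_domain = defaultdict(list)
    for line in text.splitlines():
        name, rclass, rtype, value = line.split()
        if rclass != "IN" or rtype != "A":
            continue
        ttl, addr = value.split(":", 1)
        by_domain[name].append((int(ttl), ipaddress.IPv4Address(addr)))
    return by_domain


def flux_profile(entries):
    """Summarise one domain's answer set and decide whether it looks fast-flux."""
    addrs = {a for _, a in entries}
    prefixes = {ipaddress.ip_network(f"{a}/16", strict=False) for a in addrs}
    ttl = min(t for t, _ in entries)
    return {
        "addresses": len(addrs),
        "prefixes": len(prefixes),
        "ttl": ttl,
        "fast_flux": len(addrs) >= MIN_ADDRESSES
        and len(prefixes) >= MIN_PREFIXES
        and ttl <= MAX_TTL,
    }


def classify(text):
    return {domain: flux_profile(entries) for domain, entries in parse_records(text).items()}


if __name__ == "__main__":
    for domain, profile in classify(RECORDS).items():
        print(domain, profile)
```

Replacing the /16 grouping with an ASN lookup gives a better diversity measure when you have offline routing data available.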
64. What About Cyber Warfare?
65. What About Cyber Warfare?
● What is Cyber Warfare?
● “It can include defending information and computer
networks, deterring information attacks, as well as denying
an adversary’s ability to do the same. It can include
offensive information operations mounted against an
adversary, or even dominating information on the
battlefield.” - CRS Report for Congress
● Remember that if we think about 4th generation
warfare, the “adversary” can be a nation, a state or a
group:
– Israel x Hamas
– Russia x Georgia/Estonia
– PCA (Pakistan Cyber Army) x HGM (Hindu Militant Group)
66. What About Cyber Warfare?
● Some highlights…
● “China has an active cyber espionage program” - USCC 2008 Annual
Report
● “Cyber and sabotage attacks on critical US economic,
energy, and transportation infrastructures might be viewed
by some adversaries as a way to circumvent US strengths
on the battlefield and attack directly US interests at home.” –
Global Trends 2025: A Transformed World, November 2008
67. What About Cyber Warfare?
Of course, those are critical items and have to be taken
seriously, but do we really need to worry about highly skilled,
government-sponsored hacker groups when so many less
sophisticated attacks are happening?
68. What About Cyber Warfare?
● France
69. What About Cyber Warfare?
● Germany
70. What About Cyber Warfare?
● UK
71. What About Cyber Warfare?
● US
72. What About Cyber Warfare?
● Many critical environments are still being affected
by worms that spread by exploiting months-old,
already patched vulnerabilities, open network shares with
write permission, and USB sticks
● Is it realistic to think that a significant number of
systems were/are already owned?
73. What About Cyber Warfare?
74. What About Cyber Warfare?
…but we have AV!!!
"The agency was running desktop malware software, but it had
not been updated for more than three years -- even though
the agency had paid for upgrades to newer versions that protect
against Neeris. In addition, Microsoft has issued two
patches, one in 2006 and one in October, to close holes in its
software exploited by Neeris."
75. Conclusion
● The Cyber Crime industry moves about 100 billion
USD/year and is the most successful sector of
organized crime… growing 40%/year
● There is no way to treat cyber crimes and real
world crimes differently
● Both cause billions in losses
● Both are used to sponsor illegal activities
● Both can be used to sponsor real world terror
● …and Cyber Warfare is just around the corner…
76. Conclusion
● May 2008
● IDG: Do you see any areas of the world that are emerging
sources of concern when it comes to cybercrime?
INTERPOL Executive Director Jean-Michel Louboutin:
Terrorism. I think the main concern for the world is terrorism,
fraud. This is very important. They use the Internet a lot. We
can have different networks of terrorism using Internet,
because it is very easy to create a site. You can create
propaganda. You can recruit. Now the main recruitment for
Afghanistan is over the Internet.
Terrorists are chatting on Internet sites. They can provide
tools for training. They can set up rendezvous. They can use
encrypted language to give orders. It is a major trend.
77. Remember this?
“Last I checked, it was physical terrorists who bombed
the Marine barracks in Lebanon, who attacked the U.S.S.
Cole, who took out the Oklahoma City federal building,
and who suicide-bombed the World Trade Center and the
Pentagon.
Wily-fingered hackers had nothing to do with it.”
CNet article “Cyberterror and professional paranoiacs” – 2003