Posts tagged “Cybercrime”

2010 and Beyond

The year 2010 has been an interesting one for malware researchers. From the attacks on Google through to the ShadowNet, there have been many interesting cases aimed at high-profile targets. However, traditional threats such as Zeus, SpyEye and fake antivirus software continue to be what most Internet users face on a daily basis. Moreover, while attacks motivated by politics and espionage are increasing, money continues to be the primary driving force in the malware ecosystem. Here are my thoughts on some of the trends I’ve focused on this year that we can expect to continue into 2011.

Politically motivated DoS attacks
Denial of service attacks continue to be used to deny access to web sites at critical times. While the attacks by Anonymous in support of Wikileaks (see Arbor’s analysis here and here) have received much media attention, the website of Wikileaks itself was attacked just prior to the release of the leaked diplomatic cables. However, as the Berkman Center has documented, (distributed) denial of service attacks against non-governmental organizations and independent media continue with alarming frequency. These attacks are aimed at disabling access to key information resources at specific points in time.

My colleagues Deibert and Rohozinski argue that “[d]isabling or attacking critical information assets at key moments in time—during elections or public demonstrations, for example—may be the most effective tool for influencing political outcomes in cyberspace.” In order to achieve this level of “on demand” disruption, those behind the attacks often outsource them to botnets for hire, thus blurring the boundaries between cybercrime and politically motivated attacks. We can expect to see a continuation of politically motivated DoS attacks in 2011.

Cyber-espionage
The year 2010 began with the attacks on Google, dubbed Operation Aurora, which dramatically increased awareness of targeted malware attacks and signified that it is acceptable, and even prudent, for companies to disclose such attacks. In fact, some companies began including warnings about such attacks in their SEC filings. However, it is not just companies that are the targets of such attacks; human rights organizations and government systems are compromised as well. In April 2010, the Information Warfare Monitor and the Shadowserver Foundation released a report, “Shadows in the Cloud: An investigation into cyber espionage 2.0”, in which we document a targeted malware network that extracted secret, confidential and restricted documents from the Indian government and military. (While this report was a follow-up to our previous report on cyber-espionage, “Tracking GhostNet”, the two networks are quite separate.)

While responsibility for such attacks is often attributed to state entities, 2010 also saw a series of attacks linked to the Zeus malware that looked a lot more like espionage than crime. After NetWitness released a report on the Kneber botnet, a Zeus-based botnet with domain names registered to hilarykneber@yahoo.com, I focused on the connections between that botnet and a series of attacks against .mil and .gov email addresses using social engineering techniques. Have criminals determined that there is a market for sensitive data? It sure seems that way to me.

Abusing the Cloud
In “Shadows in the Cloud: An investigation into cyber espionage 2.0” my co-authors and I analyzed a network whose complex, tiered command and control infrastructure leveraged Twitter, Google Groups, Blogspot, Baidu Blogs, blog.com and Yahoo! Mail in order to maintain persistent control over the compromised computers. Of course, such techniques are not new: in 2009, researchers found that Twitter, Jaiku, Tumblr, Google Groups, Google AppEngine and Facebook had all been used as command and control infrastructure for malware. In 2010, Sunbelt found a Twitter botnet creator and Trend Micro reported that the “Here You Have” worm used Gmail accounts.

During my analysis of malware posted on the Contagio blog, I noticed that the malware used an encrypted connection to Gmail as a means of command and control. (It also used cloud storage at drivehq.com in order to have the compromised computers download additional malware components). As network defenses continue to include traffic analysis, I believe that we will continue to see a move toward using popular services, especially web mail as command and control elements. Unlike connections to well-known dynamic DNS services, connections to Gmail and other popular services do not necessarily stand out and are encrypted.
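One defensive angle on the point above, as an added example rather than anything from the post or the Contagio analysis: when the destination is a popular, encrypted service, reputation tells you nothing, but a scheduled check-in still leaves a timing signature. The heuristic below groups proxy connections per client and destination and flags pairs whose inter-connection gaps are nearly constant; the log lines and the hostname are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, client, destination host, port. The destination
# stands in for any popular webmail service; the first client checks in every
# five minutes like a bot, the second browses irregularly like a person.
PROXY_LOG = """\
2010-11-02 09:00:03 10.0.0.21 mail.webmail-example.invalid 443
2010-11-02 09:05:02 10.0.0.21 mail.webmail-example.invalid 443
2010-11-02 09:10:04 10.0.0.21 mail.webmail-example.invalid 443
2010-11-02 09:15:03 10.0.0.21 mail.webmail-example.invalid 443
2010-11-02 09:20:02 10.0.0.21 mail.webmail-example.invalid 443
2010-11-02 09:00:41 10.0.0.33 mail.webmail-example.invalid 443
2010-11-02 09:01:17 10.0.0.33 mail.webmail-example.invalid 443
2010-11-02 09:12:55 10.0.0.33 mail.webmail-example.invalid 443
2010-11-02 09:13:02 10.0.0.33 mail.webmail-example.invalid 443
2010-11-02 09:47:30 10.0.0.33 mail.webmail-example.invalid 443
"""

def parse_log(text):
    """Group connection timestamps by (client, destination host, port)."""
    pairs = defaultdict(list)
    for line in text.splitlines():
        day, clock, client, host, port = line.split()
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")
        pairs[(client, host, int(port))].append(ts)
    return pairs

def beacon_score(timestamps):
    """Mean gap between connections and its coefficient of variation (jitter)."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None  # too few connections to say anything about periodicity
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else float("inf")
    return m, cv

def find_beacons(text, max_cv=0.1, min_connections=4):
    """Flag pairs with near-constant gaps; destination reputation is deliberately ignored."""
    hits = []
    for key, stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        score = beacon_score(stamps)
        if score and score[1] <= max_cv:
            hits.append((key, round(score[0]), round(score[1], 3)))
    return hits
```

Real users also poll webmail, so the flagged pairs are leads to correlate with host data, not verdicts; the threshold trades missed jittered beacons against false positives from mail clients.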

Big Money
Although there are interesting targeted malware attacks that appear to have political motives, money continues to be the driving force behind the bulk of malware encountered by most Internet users. Cybercrime is profitable. In 2010, the Information Warfare Monitor released a report that documented the inner workings of Koobface, a notorious botnet that leverages social networking platforms to propagate. The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install fake antivirus software and engage in click fraud. (BlackHat SEO operators monetize their operations in a similar way; see here and here.)

However, more traditional heists based on stolen banking and credit card credentials continue thanks to malware such as Zeus and SpyEye. This year, law enforcement was able to arrest individuals who used the Zeus malware to steal $70 million. Often, these operations recruit money mules and pack mules to relay stolen money and goods bought with stolen credit cards, which makes it difficult to apprehend those behind them.

A Random Walk Through the Malware Ecosystem

The forum at darkcc.com is a location where buyers and sellers of stolen credit card information conduct exchanges. There are many forums like this that are part of the thriving market that sustains the “botnet ecosystem.” The servers that host these types of forums are typically involved in a variety of nefarious activities. This one hosts a variety of malicious software:

www.sokam .info /admnew2/Dr.exe (VT: 33/40 (82.50%))
infoshok .info /exe.php?606717496665bcba (VT: 20/40 (50.00%))
superhomelawn .com /per4d/load/load.exe (VT: 5/41 (12.20%))
senders2010 .com /sites/up.bin (zbot/zeus)
keroholek .net /tt/stat/index.php (zbot/zeus)
newdaypeace .org /npd2e/bb.php?… (oficla/sasfis)

The sites are hosted on 121.101.216.195 – SUNINFO-MDC which is located in China.

One “trusted” seller (meaning that the forum administrator had vouched for him/her) known as mrdump caught my attention. mrdump’s minimum order is now $1000 USD. In addition to advertising his/her services on the forum, mrdump included his/her website, mrdump.biz.

The site is hosted on 121.101.216.205 – SUNINFO-MDC in China and, as usual, there is a fair amount of nasty stuff, mostly zeus/zbot (heroladaaw.biz, ddkom.biz, herakert.net), hosted on the same server. Another zeus/zbot command and control server found on the same server is: www.kalekets.net/tt/cfg/config.bin

There is also a BlackEnergy command and control server hosted on the same server: sinergy-dl.com. It was a fairly small botnet (total bot’s: 171, bot’s per hour: 213, bot’s per day:437, bot’s for all time:1816) and was issuing the following command “flood http kirbyservice.ru” — instructing the bots to DDoS kirbyservice.ru. Recently, the command has been changed to “die”.

One interesting find pertains to the rivalry between Zeus and SpyEye. The same server hosts www.coolparts31.tw, which is a known zeus/zbot command and control server. Well, it turns out that it is also a SpyEye command and control server:

www.coolparts31.tw/S_main/bin/upload/build.exe (VT: 27/41 (65.85%))
www.coolparts31.tw/S_main/bin/upload/33.exe (VT: 10/41 (24.4%))
www.coolparts31.tw/S_main/bin/upload/server.exe (VT: 35/41 (85.37%))
www.coolparts31.tw/S_main/bin/upload/server12.exe (VT: 35/40 (87.5%))
www.coolparts31.tw/S_main/bin/upload/xServer.exe (VT: 8/40 (20%))

I recall someone (I am pretty sure it was Dancho Danchev; UPDATE: it was, here and here, thanks @danchodanchev) reacting to this rivalry by saying that the criminals don’t really care: they’ll use any malware kit that works.

Or something like that.

Sometimes, we get sidetracked by the tools, but it’s the crime that pays.

Blurring the Boundaries Between Cybercrime and Politically Motivated Attacks

An emerging area of inquiry in security research is the blurring boundaries between cybercrime and other, more targeted forms of attack, and more specifically attacks that appear to be politically motivated. These attacks often take the form of targeted malware attacks that act as a form of surveillance in which sensitive documents and communications are captured from the targeted organizations and individuals or politically motivated Denial of Service attacks that aim to punish, disrupt and/or censor the ability of the targets to communicate to the world.

One of the themes that informed the “Shadows in the Cloud” report was the (potential) relationship between crimeware networks and cyber-espionage. The boundaries between the two appear to be blurring, making attribution increasingly complex. It may also indicate that there is an emerging market for sensitive information and/or politically motivated attacks, as crimeware networks seek to monetize such information and capabilities.

I explored this theme in a report on a case related to the Kneber botnet documented by NetWitness, in which a known ZeuS-based botnet, typically used to steal banking information and other credentials, was specifically targeting .mil and .gov email addresses with spearphishing attacks and then dropping a second piece of malware, an infostealer, on the compromised systems, which uploaded sensitive documents to drop zones in Belarus and Russia. This botnet was engaged in all sorts of other malicious activity associated with cybercrime.

When it comes to DDoS attacks a similar pattern is observed. Jose Nazario of Arbor Networks wrote a very interesting paper analyzing politically motivated DDoS attacks (and it is basically the inspiration for this blog post). The numerous DDoS attacks described in the paper are very interesting: some are punitive attacks, others appear to be an effort to censor political speech (something I worked on at ONI in the past, with Kyrgyzstan in 2005 and Belarus in 2006). In the paper Nazario discusses the role that well-known BlackEnergy-based botnets played in the DDoS attacks on Georgian websites during the Russia-Georgia conflict in 2008. In a really amazing presentation, Jose Nazario and Andre DiMino of Shadowserver document the attacks on Georgia. But what is most interesting, in this context, are the other, unrelated targets that the same botnets also attacked. The RU-GE case is a great example of the blurring boundaries between crimeware networks, politically motivated attacks and censorship.

On a much smaller scale, I observed some recent attacks in which a BlackEnergy-based botnet attacked a variety of unrelated targets but eventually attacked political websites. The botnet was discovered while analyzing data captured from the computer of a Tibetan political figure. Due to the character of the network, Greg Walton and I concluded that the attack was not targeted and was not related to Tibet or to the political activities of the individual who was compromised. However, I continued to monitor the botnet.

The botnet had two command and control domain names, 091809.ru and sexiland.ru, both hosted on the same IP address (210.51.166.238, China Netcom). The command and control interface was not password protected and I was able to access it and determine the size of the botnet. According to the statistics in the interface, 091809.ru had 2044 active bots, an average of 2418 per hour and 8105 per day. In total, 091809.ru recorded 64346 infections. According to the statistics in the interface, sexiland.ru (210.51.166.238) had 3623 active bots, an average of 4869 per hour and 12749 per day. In total, sexiland.ru recorded 51813 infections. This is not a particularly large botnet at all, but the attackers could access at least 6000 bots at any given time.

This botnet attacked a variety of websites, however, four of them caught my attention.

1. bachuna.net

2009-12-15 05:00:01
flood http bachuna.net

The attackers began flooding bachuna.net on 2009-12-15. The attacks appear to relate to Ukrainian news stories (here, here, here and here) which broke around the same time as the attacks started, involving a judge named Oleg Bachun and two competing websites, bachuna.net and bachun.net. While the former was supportive of the judge, the latter implicated him in illegal activities. Since I am relying on Google Translate, it would be great if some Russian and Ukrainian speakers could provide a more in-depth assessment of what happened in the case as well as of the domain names involved, as it appears from the reports that bachun.net was transferred to the owner of bachuna.net.

2. ingushetiyaru.org

2010-01-16 18:00:01 – 2010-01-20 06:00:02
flood http www.ingushetiyaru.org

Rights in Russia reported that “a website run by an opposition group in Ingushetia, Ingushetiyaru.org, suffered a DDoS attack after publishing comments critical of the region’s authorities.” Ingushetia is located near Chechnya and is a politically sensitive area. Ingushetiyaru.org reported the DDoS on their LiveJournal site and the broader implications in this article. This is not the first time there have been DDoS attacks related to this region. Jeff Carr reported on another DDoS attack and implicated the RBN in the attack.

3. angusht.com

2010-01-22 12:00:01 – 2010-01-26 15:00:02
flood http angusht.com

This website, angusht.com, is also related to Ingushetia and reported DDoS attacks (here too) earlier this year. Several other related sites were also reported to be inaccessible. The timing of the inaccessibility of the sites and of the DDoS attacks on angusht.com and ingushetiyaru.org also correlates with reports of an explosion of a gas pipeline in Ingushetia.

4. kadyrov2012.com

2010-01-25 08:00:02 – 2010-01-27 02:00:01
flood http kadyrov2012.com

The website kadyrov2012.com was a satirical website claiming that the Russian-backed Chechen leader Ramzan Kadyrov was going to run for president in Russia’s elections. Reuters reported the story on January 24, which correlates with the timing of the DDoS attacks.

These attacks are fairly small when compared with others and fly under the radar of most. They show that small-scale attacks designed to censor opposing views occur frequently against key websites and during critical time periods. It is clear that those engaged in political activities and those who vocally oppose repressive policies such as censorship may be subjected to a complex set of threats, from targeted malware through to DDoS, and not simply censorship in the form of Internet filtering. Finally, these attacks demonstrate that botnets involved with criminal activity are being used to conduct both political and apolitical DDoS attacks.
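The per-target windows above (first and last “flood http” command, as in “2010-01-16 18:00:01 – 2010-01-20 06:00:02”) were worked out by hand from the panel’s command history. As an added example, not tooling from the post, the parser below does that bookkeeping for the “flood <method> <target> [args]” and “die” command shapes quoted in the post; the command log, timestamps and targets are constructed.

```python
import re
from datetime import datetime

# Constructed command history in the "flood <method> <target> [args]" / "die" syntax
# quoted in the post. Timestamps and targets are invented for the example.
COMMAND_LOG = """\
2010-01-16 18:00:01 flood http www.opposition-example.invalid
2010-01-17 06:00:02 flood http www.opposition-example.invalid
2010-01-20 06:00:02 flood http www.opposition-example.invalid
2010-01-22 12:00:01 flood syn forum.shop-example.invalid 80
2010-01-22 13:00:01 flood icmp forum.shop-example.invalid
2010-01-26 15:00:02 flood syn forum.shop-example.invalid 80
2010-01-28 00:00:00 die
"""

COMMAND_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<die>die)|flood (?P<method>http|syn|icmp) (?P<target>\S+)(?: (?P<args>.*))?)$"
)

def parse_commands(text):
    """Yield one dict per line; reject anything outside the two command shapes."""
    for line in text.splitlines():
        m = COMMAND_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised command line: {line!r}")
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        yield rec

def attack_windows(text):
    """Per target: first and last flood command seen, and the flood methods used."""
    windows = {}
    for rec in parse_commands(text):
        if rec["die"]:
            continue  # "die" carries no target; handled by stop_time()
        w = windows.setdefault(rec["target"],
                               {"first": rec["ts"], "last": rec["ts"], "methods": set()})
        w["first"] = min(w["first"], rec["ts"])
        w["last"] = max(w["last"], rec["ts"])
        w["methods"].add(rec["method"])
    return windows

def stop_time(text):
    """Timestamp of the first 'die' command (bots told to stand down), or None."""
    for rec in parse_commands(text):
        if rec["die"]:
            return rec["ts"]
    return None

def timeline(text):
    """Rows in the post's 'first - last  flood <method> <target>' style, sorted by start."""
    rows = sorted(attack_windows(text).items(), key=lambda kv: kv[1]["first"])
    return [f"{w['first']:%Y-%m-%d %H:%M:%S} - {w['last']:%Y-%m-%d %H:%M:%S} "
            f"flood {'/'.join(sorted(w['methods']))} {t}" for t, w in rows]
```

The windows only bound when the panel issued the command; correlating them with news dates, as the post does, is still the analyst’s step.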

Sites DDoS’d by this botnet:
