Tactics, Techniques, and Procedures
Editor-in-Chief : James Graham
Executive Editors
Rick Howard
Ralph Thomas
Steve Winterfeld
Authors and Editors
Kellie Bryan
Kristen Dunnesen
Jayson Jean
Eli Jellenc
Josh Lincoln
Michael Ligh
Mike La Pilla
Ryan Olson
Andrew Scholnick
Greg Sinclair
Tom Wills
Kimberly Zenz
Introduction
Why another book on botnets? And why a botnet book written by the researchers and friends
at iDefense? A cursory search of the subject on Amazon.com shows at least 250 books, as of this
writing (summer of 2008), published between 2003 and today. Some of them are quite good. But
none of them have captured the essence of change that has occurred during the last 5 years. To use Malcolm Gladwell’s idea, the underground security community has reached a “Tipping Point” in terms of the maturity of its craft.* They may be well over the edge. No longer do white hat security experts talk about the lone hacker launching cyber attacks on the world for the sheer pleasure of it, for fun and profit, and for the recognition from their peers. White hats are more likely to discuss the professionalization of the security underground in terms of how they run their operations like a legitimate business.
Indeed, the groups that operate the successful botnets today are more like the drug cartels
that ran the illicit drug trade back in the mid-1980s. Think of that old American 1980s TV show,
Miami Vice, and you will get a sense for the structure. These new “cyber cartels” are similar in
terms of motivation and organization. They are young, they are hungry, and for the most part,
they are not overburdened with bloated bureaucracies.
They are also professional. The security researchers at iDefense have collected evidence over
the last few years that shows software quality assurance (QA) practices similar to those of legitimate businesses today. It is not uncommon to see code reviews, versioning control, and product enhancement strategies in the release of new malcode. In some cases, these cyber cartels sell their products in tiers: Tier 1 customers get the baseline product, Tier 2 customers get a slightly enhanced version, and Tier 3 customers get everything and the kitchen sink thrown in. Some cartels (see Chapter 5) even have marketing and sales divisions. Finally, there is business specialization.
No longer do white hat researchers see one individual who writes the code (botnets and
other malcode), deploys the code, manages the code, collects the stolen information, advertises the stolen information to the underground, sells the information, and launders the money through
the system. The cyber cartels have people dedicated to each of these tasks or they use third parties
(outsourcers) to do it for them.
Things have changed.
The purpose of this book, then, is twofold: to document the changes in the culture of the
situation and to describe the innovation that has resulted because of it. The term “botnet” then is
overloaded. On the one hand, botnets represent an evolving technology that has matured by leaps
and bounds in a very short amount of time. On the other hand, botnets, by their very existence
and sheer volume, are the manifestations of well-organized underground communities that continually professionalize their rank and file.
To address this overloaded nature, this book is organized into two major parts: “Underground
Culture” and “Underground Innovation.”
“Part I: Underground Culture” consists of seven chapters that discuss both the white hats and
the black hats:
Chapter 1: Emerging Economic Models for Software Vulnerability Research — This chapter examines economic vulnerability models that exist in the market today and analyzes how they
affect vendors, end users, and vulnerability researchers.
Chapter 2: Cyber Fraud: Principles, Trends, and Mitigation Techniques — This chapter opens
with an extensive survey of the structure and dynamics of both the practice of cyber fraud
and the underground community that commits it. After outlining a conceptual model of the
structures and functions and roles of actors and organizations within this illicit marketplace,
the analysis proceeds into case studies and evidence from the recent past, all of which shed
light on how these criminals steal, package, buy, sell, and profit from the personal financial
information of consumers.
Chapter 3: The Cyber Threat Landscape in Russia and Chapter 4: The Cyber Threat Landscape in Brazil — Chapter 3 and Chapter 4 both provide a multidimensional analysis of, respectively, the Russian and Brazilian cyber threat environments, with care taken to balance
the comparative power of apt generalizations with the specific familiarity available only in
an abundance of rich detail. Thus, rather than simply cataloging the types of threats most
commonly detected in each environment, iDefense’s analyses consider the geopolitical and
socioeconomic foundations of a threat landscape, upon which are erected more specific
examinations of telecommunications infrastructure development, patterns and trends of
Internet adoption and use, profiles of specific malicious actors, threat types, and the trends
pertaining thereto. In this way, the research on Brazil and Russia demonstrates how the
specific threats and their perpetrators are at once the products, the maintainers, and the
cocreators of the threat environments in which they operate. The reader thereby comes not
only to understand that each threat environment has a specific character, but why this is so
and how it may change in the future. In addition, a critical appraisal of the responses and
countermeasures of the public and private sectors rounds out each chapter to provide insight
into the mitigating strategies that lead to success and those that prove less effective. Such is
the basis of a comprehensive assessment of any country’s cyber threat environment; on this
foundation, analyses of the malicious actors, their strategies, and their tools gain greater
relevance.
Chapter 5: The Russian Business Network: The Rise and Fall of a Criminal ISP — Following the two country studies, Chapter 5 delves into the organizational level of analysis to develop a
profile of the Russian Business Network (RBN), the most significant criminal entity in the
history of malicious cyber activity. This chapter discusses the origins, structure, development,
and operating dynamics of the RBN. Although it remains defunct, security researchers
will continue to find extensive instructional value in this chapter, especially considering
that the analysis itself — a pioneering work upon initial publication — was a key factor in
bringing about the RBN’s downfall. The work also stands as an exemplary model of a criminological profile by explaining not only the RBN’s role in the global cyber crime underground but also its connections to other criminal groups, with abundant detail regarding
the organization’s key players and their personal idiosyncrasies, and extensive discussion of
the RBN’s technical infrastructure.
Chapter 6: Banking Trojans: An Overview — This chapter discusses Trojan software that hackers design specifically to target the financial sector. Hackers use these Trojans to target specific organizations or users and to gather information about the institution. Also discussed
are the mitigation steps for this kind of malware.
Chapter 7: Inside the World of Money Mules — Chapter 7 examines a class of malicious actors that forms a critical link between the cyber underground and the legitimate economy:
“Money Mules.” Although their methods are almost entirely nontechnical, much of today’s
cyber crime could not occur without these individuals, many of whom have little idea about
the illicit origins of the money they traffic, transfer, and launder. Their ignorance, combined
with their direct access to the legitimate financial system, makes them among the most
vulnerable and therefore identifiable links in the chain of cyber crime. In developing these
insights, this analysis employs a comparative case-study methodology to instill in the reader
a sense of the core principles applicable to all money mule operations, regardless of the vast
diversity of form that they exhibit. This chapter is thus particularly useful to those researchers
tasked with pursuing, rather than simply deflecting, those behind the threats.
“Part II: Underground Innovation” consists of eight chapters:
Chapter 8: IFrame Attacks: An Examination of the Business of IFrame Exploitation — In this
chapter, the widespread exploitation of IFrame vulnerabilities, a key channel by which malicious
actors execute their attacks, is examined. The analysis presented in this chapter provides
insight into every level of the process of IFrame exploitation, from the microeconomic
incentives underlying malicious actors’ choices and market organization to the technical
details of actual IFrame exploits. The result is a robust conceptual model of the key elements
that constitute any IFrame attack, regardless of specific technical details, and the phases
through which criminal motivation develops into a concrete attack. In addition to providing
insight into why and how IFrames work, this chapter explains why IFrame exploitation has
been so extensive and so successful. This chapter concludes by applying its lessons to give
actionable advice on prevention and mitigation.
Chapter 9: Distributed Denial of Service (DDoS) Attacks: Motivations and Methods — Chapter 9 provides an overview of the evolution of distributed denial of service (DDoS) attacks and how the improvements in botnet technology are making it increasingly difficult for the security industry to effectively track and neutralize these cyber threats.
Chapter 10: The Torpig Trojan Exposed — The Torpig Trojan horse, also known as Sinowal, is discussed in this chapter. It is one of the most comprehensive phishing Trojans to date and
is complete with a master boot record (MBR) rootkit.
Chapter 11: The Laqma Trojan — This chapter focuses on a Trojan that on first glance looks
unremarkable except for the use of a rootkit. But the components of the Trojan make its
behavior difficult to identify from a sandbox or automatic analysis system.
Chapter 12: Better Business Bureau (BBB): A Threat Analysis of Targeted Spear-Phishing Attacks — This chapter presents information on a new kind of Trojan that specifically targets high-level executives in the financial sector, with the purpose of collecting account credentials for their high-dollar-value commercial accounts. Traditional cyber fraud attacks have gone after the
general banking customer. These BBB attacks go after the accounts that financial institutions
use to transfer large sums of money between themselves.
Chapter 13: SilentBanker Unmuted: An In-Depth Examination of the SilentBanker Trojan
Horse — A banking Trojan that uses a variety of common techniques including cookie
stealing, form grabbing, certificate stealing, HTML injection, and HTML replacement,
which are all explained. However, SilentBanker’s primary threat comes not from its features
but rather from the overall threat of the attackers responsible for it. Every attack
since May 2007 has come from the same group of attackers, meaning that this Trojan is
not likely a freestanding toolkit for resale. This single group of attackers has added new
targets over time, with the latest target list being more than 10 times larger than their
initial list. The attackers have also managed to add new domains and frequent rebuilds
to keep this attack alive and undetected. In January 2008, the attackers launched a new
version of the Trojan with a huge set of code revisions, revealing that the project has not
reached any type of plateau.
Chapter 14: Preventing Malicious Code from “Phoning Home” — This chapter addresses the
evolutionary change of malcode that coordinates with its Command and Control server;
and how an organization might prevent the communication from occurring.
Chapter 15: Mobile Malicious Code Trends — Chapter 15 discusses the developing maturity of malcode designed to attack mobile phones by reviewing the current state of the art in mobile malicious code, and compares mobile malicious code to desktop malicious code in terms of functionality and capability.
This book uses the term “botnet” as a metaphor for the evolving changes represented by the
underground economy. By reviewing some of the technology advances over the last few months,
the organizations responsible for them, and the groups trying to track them, it is hoped that a
deeper understanding of the entire situation might be reached.
Table of Contents
Introduction...................xvii
Part I: Underground Culture
Chapter 1
Emerging Economic Models for Software Vulnerability Research.................3
Executive Summary.............................................................................................................. 3
Introduction......................................................................................................................... 3
Economic Vulnerability Models........................................................................................... 4
Government................................................................................................................ 4
Internal Discovery............................................................................................. 5
Contracted......................................................................................................... 5
Purchase of Externally Discovered Vulnerabilities............................................. 5
Open Market............................................................................................................. 6
Outsourced....................................................................................................... 6
Internal Discovery............................................................................................ 9
Underground............................................................................................................11
Contracted......................................................................................................11
Purchase......................................................................................................... 12
Auction............................................................................................................13
Vendors.....................................................................................................................13
Compensation.................................................................................................14
No Compensation...........................................................................................15
Impact and Implications of Economic Models....................................................................15
Government..............................................................................................................15
Open Market............................................................................................................15
Underground............................................................................................................16
Auction.....................................................................................................................17
Vendors.....................................................................................................................17
Conclusion..........................................................................................................................18
Chapter 2
Cyber Fraud: Principles, Trends, and Mitigation Techniques......................21
Executive Summary.............................................................................................................21
Cyber Fraud Model............................................................................................................ 22
Cyber Fraud Roles.................................................................................................... 22
Acquisition Techniques............................................................................................. 23
Cashing Out............................................................................................................. 23
The Model Made Real: The Carding Underground in 2007................................................25
Obtaining Financial Information............................................................................. 27
Phishing.......................................................................................................... 27
Network Intrusion........................................................................................... 27
Trojan Horses.................................................................................................. 27
“Real-World” Theft.......................................................................................... 27
Buying/Selling Stolen Financial Information............................................................ 28
Carding Forums.............................................................................................. 28
Dumps Vendors............................................................................................... 30
Noncarding-Related Forums Used for Carding................................................31
Notable Carders............................................................................................... 32
Average Prices for Stolen Data.................................................................................. 34
Comparison to Data from 2004 to 2005.................................................................. 34
Money Mule Operations: Concealing the Crime.......................................................35
Background Information on Money Mule Operations...............................................35
Increasingly Sophisticated E-Mails........................................................................... 36
Incorporation of “Rock Phish”–Style Tactics............................................................ 38
The Hong Kong Connection.................................................................................... 39
The Evolution of Cyber Fraud Techniques: Phishing and Pharming................................... 43
Phishing.................................................................................................................... 44
The Development of Phishing Techniques........................................................45
Obfuscation Techniques...................................................................................45
Fast-Flux Phishing Sites: Too Fast for Traditional Solutions............................ 46
Pharming...................................................................................................................47
How Pharming Works and How It Developed.................................................47
Domain Name System (DNS) Spoofing.......................................................... 48
DNS Cache Poisoning..................................................................................... 48
Voice-Over Internet Protocol (VoIP) Pharming............................................... 48
Drive-By Pharming................................................................................................... 48
Implications..................................................................................................... 49
Mitigation........................................................................................................51
The Evolution of Cyber Fraud Techniques: Trojans and Toolkits.........................................52
Keystroke Logging.....................................................................................................52
Form Grabbing..........................................................................................................53
Screenshots and Mouse-Event Capturing...................................................................53
Phishing and Pharming Trojans.................................................................................53
Hypertext Markup Language (HTML) Injection..................................................... 54
Protected Storage Retrieval....................................................................................... 54
Certificate Stealing................................................................................................... 54
The Evolution of Cyber Fraud Techniques: Direct Attacks...................................................55
Insider Threats...........................................................................................................55
Information Gain............................................................................................ 56
Financial Gain................................................................................................. 56
Database Timing Attacks..........................................................................................57
Laptop Theft: At Home and Abroad......................................................................... 58
The Evolution of Cyber Fraud Techniques: Pump-and-Dump.............................................59
How “Pump-and-Dump” Stock Scams Work........................................................... 60
Typical “Pump-and-Dump” Spam Activity Patterns..................................................61
VeriSign iDefense Commentary on Operation Spamalot.......................................... 62
Charging “Pump-and-Dump” Fraudsters................................................................. 62
PDFs Used in “Pump-and-Dump” Spam, Malicious E-Cards on July 4, 2007......... 63
E-Trade “Pump-and-Dump” Scam........................................................................... 66
Conclusion..........................................................................................................................67
Chapter 3
The Cyber Threat Landscape in Russia...................................69
Executive Summary............................................................................................................ 69
Background........................................................................................................................ 70
Foreign Politics of the Russian Federation................................................................ 70
Domestic Politics of the Russian Federation........................................................................76
Ethnic Tensions within the Russian Federation................................................................... 77
Economic Background....................................................................................................... 84
Macroeconomic Indicators.........................................................................................85
The Russian Information Technology Sector........................................................................85
Human Capital......................................................................................................... 86
Software.................................................................................................................... 87
IT and Communications Services....................................................................................... 88
Mobile Telephony..................................................................................................... 88
Internet Service Providers......................................................................................... 89
Internet-Specific Technologies.................................................................................. 90
Broadband....................................................................................................... 90
Wireless Internet.............................................................................................. 90
Internet Penetration and Use........................................................................... 90
The Role of Government.....................................................................................................91
Restrictions on Online Content................................................................................ 92
The Threat Landscape of the Russian Federation................................................................ 93
Motivation/Weltanschauung: Perceptions and Targets............................................. 93
The Positive Aspects of Russian Law Enforcement.............................................................. 97
Corruption......................................................................................................................... 98
Corruption among Law Enforcement..................................................................... 100
Financially Motivated Crime.............................................................................................101
Piracy and Intellectual Property Infringement.........................................................101
Cyber Crime.....................................................................................................................106
Insider Threat..........................................................................................................106
Financial Fraud........................................................................................................107
Phishing/Banking Trojans.......................................................................................108
A Shift to Malicious Code.......................................................................................112
Web Infections.........................................................................................................113
ATM Fraud..............................................................................................................115
Financial Market Manipulations.............................................................................115
“Pump-and-Dump” Scams.............................................................................115
Carding...................................................................................................................116
Data Extortion.........................................................................................................118
Distributed Denial of Service (DDoS) Attacks........................................................118
Spam........................................................................................................................121
Politically Motivated Use of Cyberspace........................................................................... 123
May 2007 Attacks on Estonia........................................................................ 124
The Russian Government: Sponsor of Politically Motivated Cyber Attacks?..................... 127
Conclusion........................................................................................................................132
Chapter 4
The Cyber Threat Landscape in Brazil.........................................135
Executive Summary...........................................................................................................135
Introduction..................................................................................................................... 136
Economics and Business Environment..............................................................................137
Corruption...............................................................................................................138
Organized Crime.....................................................................................................138
The Brazilian IT Sector.....................................................................................................140
Deregulation and Privatization of IT in the 1990s...................................................140
Internet Penetration and Use...................................................................................141
E-Government.........................................................................................................142
Human Capital and General Features of the IT Workforce.....................................143
Regulatory Environment.........................................................................................144
Addressing Cyber Crime through an Antiquated Penal Code.........................144
Data and Public Information Systems.............................................................144
Upcoming Legislative Initiatives.....................................................................145
Cyber Law Enforcement: Developed But Deeply Fractured.....................................147
Federal Law Enforcement...............................................................................147
State Law Enforcement...................................................................................148
Police and the Financial Sector.......................................................................150
Security Measures and Incident Handling in the Financial Sector.................151
The Threat Landscape........................................................................................................153
Unique Features of the Brazilian Threat Environment.............................................153
Banking Trojans......................................................................................................155
Intellectual Property Theft and Corporate Espionage..............................................159
Taxonomy of Criminal Actors and Organizations...................................................162
General Contours of Fraud Schemes...............................................................163
Connections to Organized Crime...................................................................166
International Connections.......................................................................................166
Conclusion........................................................................................................................168
Chapter 5
The Russian Business Network: The Rise and Fall of a Criminal ISP...........171
Executive Summary...........................................................................................................171
Rumors and Gossip...........................................................................................................172
Russian Business Network (RBN) as It Was.......................................................................173
Organization and Structure.....................................................................................173
Affiliated Organizations...........................................................................................175
Closed Organizations...............................................................................................176
ValueDot........................................................................................................176
SBTtel.............................................................................................................176
Credolink ISP, Online Invest Group, LLC.....................................................178
Akimon..........................................................................................................178
Nevacon Ltd...................................................................................................179
Delta Systems.................................................................................................180
Eexhost...........................................................................................................180
Too Coin........................................................................................................181
4stat.org..........................................................................................................183
The Chinese ISPs............................................................................................183
Western Express..............................................................................................183
Organizations Still in Operation..............................................................................184
Absolutee........................................................................................................184
MNS..............................................................................................................185
PeterStar.........................................................................................................186
Obit................................................................................................................186
Datapoint.......................................................................................................186
Infobox...........................................................................................................186
Luglink and Linkey........................................................................................189
RBN Activities.........................................................................................................189
RBN Domains...............................................................................................189
Rock Phish.....................................................................................................190
Metafisher.......................................................................................................192
IFrameCash....................................................................................................193
Storm Worm...................................................................................................195
Torpig.............................................................................................................195
Corpse’s Nuclear Grabber, OrderGun, and Haxdoor......................................195
Gozi................................................................................................................197
Paycheck_322082.zip.....................................................................................198
MCollect E-Mail Harvester............................................................................199
QuickTime Malicious Code and Google Adwords........................................ 200
Distributed Denial of Service Attacks.............................................................201
Pornography...................................................................................................201
The Official End of RBN........................................................................................ 202
RBN under Pressure...................................................................................... 202
Pressure from the Media................................................................................ 202
Configuration Changes and Dissolution........................................................ 203
Chapter 6
Banking Trojans: An Overview...........................................209
Executive Summary.......................................................................................................... 209
Introduction......................................................................................................................210
Stages of Attack.................................................................................................................210
Distribution.............................................................................................................211
Infection..................................................................................................................211
Information Theft....................................................................................................212
Information Sale......................................................................................................213
Real-World Fraud....................................................................................................213
Techniques and Malicious Code Evolution........................................................................213
Keystroke Logging...................................................................................................214
Form Grabbing........................................................................................................214
Screenshots and Mouse Event Capturing.................................................................214
Phishing and Pharming Trojans...............................................................................215
Hypertext Markup Language (HTML) Injection....................................................215
Protected Storage Retrieval and Saved Password Retrieval.......................................216
Certificate Stealing..................................................................................................216
Flash Cookie Stealing..............................................................................................216
Backdoor and Proxy Access......................................................................................217
Most Common Banking Malicious Software in the Wild..................................................217
Brazilian Banking Trojans.......................................................................................217
The Nanspy Banking Worm....................................................................................218
Known Trojan Toolkits...........................................................................................218
Early Favorites................................................................................................218
Pinch (Common Names: Pin, LDPinch)........................................................218
A-311 Death and Nuclear Grabber (Common Name: Haxdoor)....................219
Limbo (Common Name: NetHell).................................................................221
Agent DQ (Common Names: Metafisher, Nurech, BZub, Cimuz, BankEm)...................... 225
Apophis (Common Name: Nuklus)............................................................... 230
VisualBreeze E-Banca/VisualBriz (Common Name: VBriz, Briz, Sters).........233
Snatch.............................................................................................................235
Power Grabber............................................................................................... 239
Zeus (Common Names: PRG, TCPWP, WSNPOEM)................................. 240
Spear-Phished Information-Stealing Trojans............................................................241
Banking Trojan Services......................................................................................... 242
Service Trojan #1 (Common Names: Torpig, Sinowal, Anserin).................... 242
Service Trojan #2 (Common Names: OrderGun, Gozi, Ursnif, Snifula, Zlobotka)..................................................................... 243
Unknown Trojans................................................................................................... 246
Unknown #1 (Common Names: Matryoshka, SilentBanker)........................ 246
Unknown #2 (Common Names: BankPatch, Dutch Moon)......................... 246
Unknown #3 (Common Name: DotInj)........................................................ 246
More Unknowns.............................................................................................247
Command-and-Control (C&C) Servers and Drop Sites................................................... 248
Command-and-Control and Drop Site Server Types...............................................249
HTTP/HTTPS..............................................................................................249
E-Mail............................................................................................................249
FTP................................................................................................................249
Internet Relay Chat (IRC)..............................................................................250
Proprietary Servers..........................................................................................250
Peer-to-Peer Servers.........................................................................................250
Bulletproof Hosting.................................................................................................250
Fast-Flux Hosting....................................................................................................251
Tor “Hidden Services”.............................................................................................252
Minimizing Financial Impact............................................................................................252
Server-Side Mitigation.............................................................................................253
Multifactor Authentication.............................................................................253
Server Logging to Flag Trojan Victims...........................................................253
User Protection....................................................................................................... 254
Stored Passwords........................................................................................... 254
Malicious Code Prevention.............................................................................255
Malicious Code Removal................................................................................255
Credential Recovery.................................................................................................255
Attacking Defaults..........................................................................................255
Insecure FTP and Web Servers.......................................................................256
Vulnerable C&C/Drop Site Scripts.................................................................256
Credential Processing.....................................................................................256
Future Trends....................................................................................................................257
Conclusion........................................................................................................................257
Chapter 7
Inside the World of Money Mules.....................................259
Executive Summary...........................................................................................................259
Introduction......................................................................................................................259
Cyber Fronts: Where Mule Operations Begin................................................................... 260
Recent Developments............................................................................................. 260
Increasingly Sophisticated E-mails................................................................. 260
Example of an E-mail Employment Solicitation for a Money Mule Position............................................................................ 262
Analysis.................................................................................................................. 263
Incorporation of “Rock Phish”-Style Tactics........................................................... 263
PhishTank.com Posting, from March 2007................................................... 264
The Hong Kong Connection......................................................................... 264
March 2007 Posting to Whitestar’s Mailing List........................................... 264
Conclusion....................................................................................................................... 278
Part II: Underground Innovation
Chapter 8
IFrame Attacks — An Examination of the Business of IFrame Exploitation..........281
Executive Summary...........................................................................................................281
Introduction to IFrames................................................................................................... 282
What Is an IFrame?................................................................................................ 282
How Attackers Use IFrames.................................................................................... 283
IFrame Attacks with Secure Socket Layers (SSLs)................................................... 284
IFrame Attacks versus Alternatives.................................................................................... 285
Simple IFrame Attack Models................................................................................. 285
What the Attacks Look Like.......................................................................... 285
How IFrames Are Distributed.......................................................................................... 288
Hacking Web Sites and Web Servers....................................................................... 288
Banner Advertisements........................................................................................... 289
E-Mail.................................................................................................................... 289
Worms and Viruses................................................................................................. 289
What the IFrames Deliver................................................................................................ 290
Vulnerabilities in Browser Software........................................................................ 290
Vulnerabilities in Other Software........................................................................... 290
Combining the Vulnerabilities for the One-Fits-All Attack.................................... 290
Postexploitation Activities: Where Criminals Make the Real Money ................................ 290
Simple IFrame Economics................................................................................................ 292
IFrame-for-Hire Networks.......................................................................................293
The IFrame Stock Market....................................................................................... 294
Monitoring Regionally Biased Attacks with IFrame Stalker.............................................. 298
Stopping IFrame Attacks.................................................................................................. 298
Client System Mitigation........................................................................................ 300
Server-Side Mitigation............................................................................................ 300
Customer Mitigation.............................................................................................. 300
The Future of IFrame Attacks............................................................................................301
Chapter 9
Distributed Denial of Service (DDoS) Attacks: Motivations and Methods..........303
Executive Summary.......................................................................................................... 303
Introduction..................................................................................................................... 304
Definition............................................................................................................... 304
DDoS Types........................................................................................................... 304
Bandwidth Depletion Attacks........................................................................ 304
Direct Flood Attacks..................................................................................... 304
Resource Depletion Attacks........................................................................... 307
Transmission Control Protocol (TCP) SYN Flood Attack............................. 308
Recursive Hypertext Transfer Protocol (HTTP) Flood (Spidering)............... 308
PUSH and ACK Attacks................................................................................ 308
Land Attack................................................................................................... 308
DDoS Tools.............................................................................................................310
Motivations for Conducting DDoS Attacks............................................................310
DDoS as Cyber Crime.............................................................................................311
Extortion........................................................................................................311
DDoS and Phishing Attacks...........................................................................312
Business Rivalry.............................................................................................313
DDoS as Revenge....................................................................................................314
Propaganda — Hacktivism......................................................................................315
Nationalism.............................................................................................................315
Miscellaneous..........................................................................................................315
Denial of Service (DoS) and Botnets.................................................................................316
The DDoS Players....................................................................................................318
Bot Master......................................................................................................318
Stepping Stones..............................................................................................319
Handlers.........................................................................................................319
Agents/Bots/Drones/Zombies.........................................................................319
Creating a Botnet.....................................................................................................319
Recruiting an Army — The Scanning Phase...................................................319
Taking Control.............................................................................................. 320
Malicious Code Propagation......................................................................... 320
Propagation through a Central Repository.................................................... 320
Back-Chaining Propagation............................................................................321
Autonomous Propagation...............................................................................321
Controlling the Army.....................................................................................321
Recent Advancements in Botnet Control....................................................... 322
Quantifying DDoS Attacks............................................................................................... 323
Bandwidth.............................................................................................................. 323
Number of Attacks................................................................................................. 323
Financial Gain.........................................................................................................324
DDoS Capabilities.................................................................................................. 326
AgoBot/PhatBot DDoS Commands.............................................................. 326
SdBot DDoS Commands...............................................................................327
The Law............................................................................................................................327
Conclusion........................................................................................................................327
Chapter 10
The Torpig Trojan Exposed.................................329
The Torpig Group, Part 1: Exploit Server and Master Boot Record Rootkit.......................329
Executive Summary.................................................................................................329
Torpig Exploitation and Installation........................................................................329
Spreading the Exploits.............................................................................................332
Torpig Trojan and Master Boot Record Trojan (MaOS)..........................................333
Analysis...................................................................................................................333
The Torpig Trojan, Part 2: Banking Trojan Fully Integrates MBR Rootkit........................ 334
Executive Summary................................................................................................ 334
Chapter 11
The Laqma Trojan......................................349
Executive Summary.......................................................................................................... 349
Background...................................................................................................................... 349
File and Network Information...........................................................................................350
Toolkit Back-End..............................................................................................................351
Current Targets.................................................................................................................354
Mitigation and Analysis.....................................................................................................354
A Deeper Look at the Laqma Banking Trojan (ID# 468080).............................................355
Executive Summary.................................................................................................355
Trojan Details..........................................................................................................355
Laqma Loader — Command-and-Control Registration/Upgrade...........................358
Laqma Grabber — Deploying the User-Mode Rootkit........................................... 360
Laqma Grabber — Persistence and Configuration Timers...................................... 362
Laqma — Attack Dispatcher.................................................................................. 364
Laqma — Attack Handlers..................................................................................... 366
Chapter 12
Better Business Bureau (BBB): A Threat Analysis of Targeted Spear-Phishing Attacks.....................................................................369
Executive Summary.......................................................................................................... 369
Introduction......................................................................................................................370
Attack Trends: February 2007 through May 2008.............................................................371
Spear-Phishing Examples.........................................................................................373
History of Spear-Phishing Attacks...........................................................................375
Early Attacks...........................................................................................................376
Modern Spear-Phishing Crimeware.........................................................................376
Groups Using Spear-Phishing Tactics......................................................................376
Group Overview.............................................................................................376
Group A.........................................................................................................376
Tactics........................................................................................................... 377
Money Mule Operations.................................................................................379
Malicious Code Capabilities.......................................................................... 380
Command-and-Control Scripts..................................................................... 384
Spam Kits...................................................................................................... 388
Network Architecture.................................................................................... 388
Targets........................................................................................................... 390
Group B.................................................................................................................. 394
Command-and-Control Script Evolution...................................................... 394
Network Architecture.................................................................................... 399
Peeper..................................................................................................................... 399
Economic Impact of Attacks............................................................................................ 400
Focus on High-Value Banking................................................................................ 400
Future Attack Techniques..................................................................................................401
Code Signing...........................................................................................................401
High-Resolution Data Use.......................................................................................401
Targeting of Other High-Value Systems................................................................. 402
Automation of Transactions.................................................................................... 402
Mitigation........................................................................................................................ 403
Education through Testing..................................................................................... 403
Appendix A: Catalog of Attacks........................................................................................ 404
Chapter 13
SilentBanker Unmuted: An In-Depth Examination of the SilentBanker Trojan Horse....................................................... 407
Executive Summary.......................................................................................................... 407
Introduction to SilentBanker............................................................................................ 408
The SilentBanker Trojan Dropper........................................................................... 408
Enhanced Clash Resistance.................................................................................... 409
Unpacking without a Trace......................................................................................410
Hash-Based Applications Programming Interface (API) Resolution Table...............411
API Hook Installation.............................................................................................412
Programming Oddities in Parent Determination.....................................................415
The Nefarious Browser-Only Thread.......................................................................415
Extended Functionality (API Hook Intricacies).................................................................417
Ws2_32.connect IP Replacement (a.k.a. DNS Hijack) Hook..................................417
InternetReadFile and HttpSendRequest Injection/Hijack Hooks............................418
Wininet.CommitUrlCacheEntry Cookie Retrieval Hooks......................................421
Wininet.InternetErrorDlg Basic Auth and Proxy Capture Hook............................ 423
Wininet.HttpOpenRequest Anti-Cache/Proxy Hooks........................................... 425
Wininet.HttpAddRequestHeader Acceptable Encoding Hooks.............................. 425
Ws2_32.send FTP and POP3 Credential Hook..................................................... 426
Wininet.InternetQueryDataAvailable Buffer Resize Hook..................................... 426
Advapi32.Crypt[ImportKey|DeriveKey|Genkey] Hooks........................................ 427
Kernel32.ExitProcess Un-Hook Hook.................................................................... 427
Configuration File Manifest............................................................................................. 427
Reverse Engineering the File-Encoding Algorithm................................................. 427
HTML Injection Domains and URL Substrings.................................................... 430
Mitigation........................................................................................................................ 430
Snort Signatures...................................................................................................... 430
HTML Injection Fields Posted to Server.................................................................431
Conclusion....................................................................................................................... 432
Appendix A...................................................................................................................... 433
Appendix B...................................................................................................................... 436
Chapter 14
Preventing Malicious Code from “Phoning Home”........................447
Executive Summary.......................................................................................................... 447
Outbound Channel Methods........................................................................................... 447
Utilizing Open Outbound Ports............................................................................. 448
Encryption.............................................................................................................. 448
Unusual Data Encapsulation.................................................................................. 449
Steganography........................................................................................................ 449
Mitigating Outbound Channels........................................................................................450
Intrusion Detection and Prevention Systems (IDS/IPS)...........................................450
Protocol Compliance...............................................................................................451
Endpoint Validation................................................................................................451
Anomaly Detection..................................................................................................451
Traffic Normalization..............................................................................................452
Conclusion........................................................................................................................453
Chapter 15
Mobile Malicious Code Trends.............................................455
Executive Summary...........................................................................................................455
Introduction to Mobile Communications.........................................................................456
Causes for Growth...................................................................................................456
Smaller...........................................................................................................456
Better..............................................................................................................456
Cheaper..........................................................................................................457
Mobile Phone Operating Systems............................................................................457
Bluetooth, Short Messaging Service (SMS), and Multimedia Messaging Service (MMS) for Mobile Communications....................................................................458
Bluetooth.................................................................................................................458
Short Messaging Service..........................................................................................458
Multimedia Messaging Service................................................................................458
Development Platforms.....................................................................................................459
Binary Runtime Environment for Wireless (BREW)...............................................459
Java 2 Micro Edition (J2ME)...................................................................................459
Python.....................................................................................................................459
Micro-Browser-Based...............................................................................................459
.NET Compact....................................................................................................... 460
Linux-Based Mobile Devices................................................................................... 460
The Rise of Mobile Malicious Code................................................................................. 460
Mobile Malicious Code Summary.................................................................................... 462
Mobile Malicious Code Trend Analysis............................................................................ 462
Device Convergence......................................................................................................... 463
Personal Computer Integration........................................................................................ 463
Best Security Practices for Mobile Malicious Codes.......................................................... 463
Conclusion....................................................................................................................... 464
Sources............................................................................................................................. 464
Epilogue.............................................................................................................................465