09-NetSec Cybercrime economy - UniTrento Instant payments • .... Dr. Luca Allodi - Network Security -University of Trento, DISI (AA 2015/2016) 19. ... • Money mule send out of

NetworkSecurityAA2015/2016

CybercrimeeconomyDr.LucaAllodi

Dr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016)

1

Whatisamarket

• Amarketisasystem bywhichservicesorgoodsaretradedinexchangeofacompensation

• Therecanbemanytypesofmarkets• Financialmarkets• Work/Jobpositionmarkets• ..

• Amarketplaceisavenuewherethemarketisheld• Physical(atown’ssquare)• Virtual(awebsite,achat,otherormixedmeans)• Theterms“market”and“marketplace”willbeusedinterchangeablyinthislecture

Dr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 2

Whatarethe(cybercrime)blackmarkets• ..a“blackmarket”economy,builtaroundforprofitcybercrime,inwhichalargenumberofgeographicallydistributedactorstradeindata,knowledgeandservices[Kurtetal.2015]

→Heldinvirtualmarketplaces• OriginallyIRC• Nowmostlyweb-forums

• Tradingof• Attackingtools• Highlyefficientexploits;Vulnerabilities• Accounts,moneylaundry,CCNs..


Underground-basedmarket

• “TOR-basedmarkets”→Can’tbereachedfrom“standard”internet• →“anetworkinsidetheNetwork”• Typicallydrugsandotherillegalgoodmarkets

• “Closedmarkets”→canbereachedontheInternet• Mosttechmarketsareofthistype• Marketsareclosed,entrybyselection• Organised indifferentmarkets

• Typically“national”→Russian,chinese,brazilian• AmongmostinfluentthereareRussianmarkets


Typesofmarkets

• Low-techmarkets• “Spamadvertised”orfakegoods• Hosting,stolencredentials,..

• High-techmarkets• Cybercrimemarkets

• Attackdeliverytechnologies• Malware/specializedpayloads(Zeus,Clickbots,..)

• “Private”markets• Afewplayerssellinghigh-techmalwaretoselectedcustomers


Low-techmarket–example[Kurtetal.2015]


High-techmarkets:cybercrimeasmarketservice• Technologicalvs humanvectorsforattacks

• Weareinterestedintheformer

• Technicalcompetencesareconcentratedinanundergroundmarketforattacks• Tradeofadvancedexploitationvectors

• Vulnerabilities,exploitsandmalware• Deliverymechanisms

• Exploitandtooldeveloperssellthetechnologytomultipleclients• Cancombineseveraldifferenttechnologiestopersonalise theattack


High-techCybercrimeMarkets

• Thistechnologyistradedinunderground,closedmarkets• Wehaveinfiltratedseveral• Todayweexplorethemostprominentone

• RussianMarket• OnopenInternetbutclosedaccess

• Entry-barrierrequirescrediblebackground,russian language,andpassinganentrytest

• Infiltratedfor4+years• 1.5years“break”aswe’vebeenkickedoutofmarket

• Muchworktogetbackin• TORaccess(toavoidfiringtoomanyalarms)

Marketorganisation

• Several“themes”• [Вирусология]→Virusologia→malware,exploits,packs,…• [Доступы]→Access→FTPServers,shells,SQL-i,…• [Серверы]→Servers→VPN,proxies,VPS,hosting,…• [Социальныесети]→Socialnetworks→accounts,groups,…• [Спам]→Spam→emailing,databases,maildumps,…• [Траф]→Internettraffic→connections,iframes,…• [Финансы]→finance→bankaccounts,moneyexchange,…• [Работа]→Work→lookupforandofferjobs• [Разное]→other

Marketactivity

●

●

● ●

2005 2006 2007 2008 2009 2010 2011 2012 2013 2014

020

4060

80

Variation in no. of new goods

Year

New

pro

duct

s in

trodu

ced

in th

e m

arke

t

2005 2006 2007 2008 2009 2010 2011 2012 2013 2014

020

040

060

080

0Variation in market activity

Year

Volu

me

of d

iscu

ssio

n ar

ound

pro

duct

s

Introductionofnewgoodsinthemarket

●

●

● ●

2005 2006 2007 2008 2009 2010 2011 2012 2013 2014

020

4060

80Variation in no. of new goods

Year

New

pro

duct

s in

trodu

ced

in th

e m

arke

t

2005 2006 2007 2008 2009 2010 2011 2012 2013 2014

020

040

060

080

0

Variation in market activity

Year

Volu

me

of d

iscu

ssio

n ar

ound

pro

duct

s

Top10on“virusologia”

• Malware• Exploits• Crypto/packers• Exploitkits

ExploitKit“RIGv3”

TooltoencryptmalwareExploitKit“Neutrino”

SaleofOfficeexploits

Dropper“Nuclear”(EKit)KernelexploitsforWindows

Cryptonlineservice

Webattacksinjector

Malwarebots

Areminder:exploitkits operation

13

Popularwebsitehomepage

ExploitKit

User

Exploitkitowner

iFrame

ADs

TrafficBroker/Hacker

Buystraffic

attacks

Dr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016)

DetailsofakitinthemarketKitsuccessrate→*successratesdependonqualityoftraffic

Malwaredelivery ratesZeusmalware:50-60%Loader:80-90%

Latestprices

Additional services

Contact

Monday– SAturdayFrom7amto5pmMoscowTime

Sellingtraffic

• Canbuytrafficfrom“trafficbrokers”• Userdoesnothavetoclickonanything• Automaticredirect

• High-qualitytrafficderivesfromselectionofconnectionbasedonrequestedcriteria• Geographicsource• Installedsoftware

Infect1Mmachines:isitworthit?Action Economiceffort(1st year)

Buyexploitkits(20% efficiency) 2000USD

Requiredconnections 5x106

Setup 50-150USD

Traffic(assuming2USD/1000 conn.) 10.000USD

Maintenance(IP/domain flux,packing..) 150USD

Updates(assuming2/yr) ~200USD

Total ~12.400USD– 12.500USD

BreakevenROI/BOT ~0.01 USD

Anotherkit


Exploits• Theexploithasafully

customisable shellcode.• Thepackageincludesa

demothatopensacommandconsolewithSYSTEMprivileges.

• Thehighdegreeofefficiencyoftheexploitreducestheriskoffailuretovirtually zero- thatis,tenconsecutivesuccessfulrunsonthesamesystem.

• Thus,itisbestused"UseAfterFree"andnot"PrayAfterFree"asithappenswithother"manufacturers".

• Exploit testedfortheseAvs

• (cantestagainstothersuponrequest)

• Price:5000USD


Malware• 1.61kb(UPX- 24kb);• 2.Multi-threadedfile

encryption;• 3.Newalgorithmbased

onAES-256usingRSA-2048

• 4.Youcansetpricesbasedoncountry

• 5.Handyticketsystem• ...• 12.Infectiondisabled

forthesecountries:AMAZBYGEKGKZMDRUTJTMUAUZ(CSI);

• …• 1.Noprice,get50%of

revenue.• 2.Absolutely donot

touchCSIcountries.• 3.Instantpayments• ....


RogueCertificates


Price:400USD


Mobilebots

Mobilebots


RealAppInjectedpage

Price:4000$lifetimeupdates

Productdemoing


Compositionofanattack

• Elementsofanattack• Userconnections• Attackdelivery• Malwareinfection• Monetisationmechanism

• Noticethatmostproductssoldinthemarketsenabletheattackertoonlyoneofthesesteps• Trafficbrokers,stolenaccounts,..à connections• Exploitkits,stand-aloneexploits,..à attackdelivery• Ransomware,bankingmalware,..à malware• CCNs,bankinginfo,..à monetisation

• Eachofthesestepscanbecombinedbytheattackertoobtainasetofcharacteristicsthatsuitsthem• TrafficfromnorthernEurope• ExploitkitforrecentIEversions• MalwarethatdoesnotinfectCSIcountries• AttackUKbankcostumers


Monetisation

• Sellingattacksforapriceisnotenoughtojustifythemarket• Itmustbepossibleto“monetise”thetradedtechnology• Severalmechanismstomonetise infectionsarepossible

• Veryhardtoestimateactualvalue(cost)ofattacksfortheattackers(victims)• Estimatesvarygreatly• Canbeusedtoqualitativelyframetheimportanceoftheseactivities

• Allthefollowingisdiscussedin [Kurtetal.2015]


“Spamvertised products”

• Spamtechniquesareusedtoadvertiseproducts• Stolenemailaccounts• Socialnetworks• Mobilephones/calls..

• Victimistrickedintobuyingsomecounterfeitgoods• Pharmaceutical/electronics/clothes..• Piratedsoftware• Pornography,gambling,…

• Estimatedvalue12-90millionUSdollars


Scareware

• Usesacombinationofsocialengineeringandmalwareinfection


• Convincesusertheyneedtobuyaproduct• FakeAV istypicalexample

• Messageconvincesusersystemisinfectedoratrisk• Typicallypayabout60$togetthesystem“cleaned”

• Commonthreatbefore2011• Estimatedvalue130millionUSD

• MarketdismantledbyblockingtransactionstoFakeAV affiliateprograms

Ransomware

• AgainmixtureSocialengineering+technicalattack


• Malwareencryptsfileonharddisk• Asksformoneytogivedecryptionkey• Usuallyinthewhereaboutsof100-200$,upto400$.

• Canyouidentifysocialengineeringtechniquesinthetextabove?• Estimatedvalue(Cryptolocker alone):~3MillionUSD

Clickfraud

• AttackerregisterswithAdNetwork• Useinfectedsystemstogenerateclicksonsourcedadvertisement• Hardtodistinguishbetweenlegitimateandfakeclick• Anomaly-basedheuristics

• Estimated20%ofallclicksaregeneratedbyautomaticbots• Detectionrateupto75%

• Estimatedvalue~20-30millionUSD


Creditcardsandbanking

• Hardtocache-outcreditcards• Howtomaintainanonimity?

• Typicallyuse“money-mules”• Victimsofsocialengineeringattacks• UsedbythevictimasaproxytocashCCvalue

• MoneymulesendoutofcountryexpensivegoodtoanonymousPOBox

• Wiretransferstocriminals

• Estimatesaredifficulttomake


MarketFairness• Amarketonlyexistswhentherearesellersthatenterthemarketsandbuyersthatexchangemoneyforproductsorservices• Imagineyourself(acriminal)tryingtosellyourproductinanewmarket• Wouldyoureallymindscammingpeople ifthereisno“punishment”youfear?• Wouldyouspendefforttimeandmoneyinmakingagoodproductifyoufeellikeanybody(e.g.thecompetition)canjustruinyoubytellingeverybodyyouareascammer?

• →Unfairmarketleadstolow-qualitytech• Thesystemneedsamechanismtoequilibrate incentives• Oneofthemainresults from[Akerloff 1970]

• Evidencethathigh-techcybercrimemarketsaddresstheseproblemswithconvincinginstruments• We’llseethreestoriestakendirectlyfromthemarkets


Trialsincybercrimemarkets:Therules(inshort)• Anybodycanreportanybodyelsefortrial• Followprovidedtemplateforfiling.Mustinclude• Nameandprofileoftheoffender• Proofofthefact

• Thereporter(accuser)andthereported(defender)enterthetrial• Thedefenderhas24hourstoshowup• Inparticularlycomplicatedcasesthedefendercanbegivenupto7days• à thisdecisionistakenbytheJudge(i.e.administrator)

• Aninvestigationfollows:• Witnessesarecalled• Evidenceofeithercases(accuserordefender)isprovided

• Administratortakesadecision:BlackListorInnocentDr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 32

(1)Thedefenderdoesnotshowup• October2013• Accuserreportshehasbeenscammedfor390US$bydefender• Amoderator(“Arbiter”)advicesto

“notifythedefenderwithapersonalmessage[aboutyourreport]”

• Athirdusershowsup,reportingthat“[Contactingthedefenderis]Useless,hehasnotbeenonlineforalongtime”

• Administratorgivesthedefender48hourstoshowup• Fourdayslater(the49th hourwasSunday)theadministratorputsthedefenderintheblacklist


(2)Thedefenderlosesthetrial• July2012• Paymentof3000WMZnotreceived;• defenderisgiven12hourstoshowup

• Defendershowsupafter4hours• Bringsevidenceofpayment(verylongdiscussion)• Postslogs&screenshotsoftransaction

• Accuseranswersthatthepaymenthasneverbeenreceived• He/She accusesthedefendertohave“blocked”or“intercepted”thepayment• Witnesses onhissideshowuptosupporthisclaimsandtrustworthiness

• Admingivestwooptions• 1)Defendermustprovidefinalproofoftransactioncommit• 2)DefenderandAccuserresolvethecaseinprivate

• à afteramonthofdiscussionthedefendanthasn’tprovidedconclusiveevidenceà heendsup“intheBlack”(i.e.listedasanoffender)


(3)Thedefenderwinsthetrial• October2012• Accuserreportsafailureonthedefender’ssidetocloseatransaction• ReportsIRClogoftheirconversation• Accuserpaysdefenderwhilethelatterwasoffline• Defenderdoesnotacknowledgethepaymentanddoesnotcomebackonlineinacomfortable“timelapse”forthedefender

• Defendershowsupshortlyafter,showsthathenevercashedanything• Adminintervenesandasks

“[Accuser]pleasedomoneyback.Tobeprecise,[defender]donottouchthechecks,andmostimportantly[accuser]getthemoneybackinyourwallet.”

• Accuserstopscomplaining• Trialisclosedandthedefenderiscleanedfromanyaccusation


TheMalwareLabAnapplication example

TheMalwareLab

• Originallydevisedasaplatformtotestmalwareproductsas“softwareartifacts”• Reproducethemalwareinacontrolledenvironment• Test,analyzeandmeasurefunctionalities• Safeenv toreproducetheGalileoRCSmalwarebyHT

• Exampleofwork:wetested10exploitkitstoanswerthefollowingquestion:• HowresilientareExploitKitsagainstsoftwareupdates?


TheKitsandTheVictims• Exploitkitsspanfrom(2007-2011)

• Howwechosetheexploitkits• Releasedate• Popularity(asreportedinindustryreports)• CrimePack,Eleonore,BleedingLife,Shaman,…

• Software:mostpopularone• WindowsXP,Vista,Seven

• Allservicepacksaretreatedlikeindependentoperatingsystems• Browsers:Firefox,Internetexplorer• Plugins:Flash,AcrobatReader,Java

• 247softwareversions• spanningfrom2005to2013

• Werandomlygenerate180sw combinations(x9OperatingSystems)tobetheconfigurationswetest

• ManualTestisImpossibleà weneedanautomatedplatformDr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 38

Configurationexample

• Oneconfigurationfor:WindowsXPServicePack2• Firefox1.5.0.5• Flash9.0.28.0• AcrobatReader8.0.0.0• Quicktime 7.0.4.0• Java1.5.0.7

• Oneconfigurationfor: WindowsSevenServicePack1• Firefox8.0.1.0• Flash10.3.183.10• AcrobatReader10.1.1.0• Quicktime:Noversion• Java6.27


TheexperimentalInfrastructureVICTIM1 VICTIM2 VICTIM3

MalwareDistributionServer(MDS)

Virtualizes:•XPSP0

-Conf1..180•XPSP1

-Conf1..180•XPSP2

-Conf1..180•XPSP3

-Conf1..180

• Exploitkit1• Exploitkit2• ..• Exploitkit10

Virtualizes•VistaSP0-Conf 1..180

•VistaSP1-Conf 1..180

•VistaSP2-Conf 1..180

Virtualizes•SevenSP0-Conf 1..180

•SevenSP1-Conf 1..180


Overviewoftheexperiment

0

1

2

3 4

In6yearwindow?


Theexperiment:VICTIMVICTIM1


Victim2 Victim3

VirtualBoxInterface

WindowsXPServicePack0

ControlScriptsinPython

LinuxUbuntu

Firefox Plugin1

“Installconfiguration1”1. Pushes installers, installssoftware2. Checks Install:pushbatchfileonVM3. SavesConfigurationsnapshot

Plugin2

Plugin3

Plugin4

Pushes installers, installssoftwareChecks install:pushbatchfileonVM

✓ ✓ ✓✓ ✓

SavesConfigurationsnapshot

Configuration Snapshot

“LunchagainstExploitKits”Forxin1..10:

Restore(“Configurationsnapshot”)Lunch(VM, EKIT(x))

Delete(“Configurationsnapshot”)

RestoreConfigurationSnapshotLunch(VM, EKIT(1))

Configuration Snapshot (attacked)

Lunch(VM, EKIT(x))RestoreConfigurationsnapshotDelete(“Configurationsnapshot”)

“Installconfiguration2”….“Installconfiguration180”….“End”


AssessingexploitsuccessesVICTIM1 VICTIM2 VICTIM3


GET/ExploitKit/HTTP/1.1 SendExploit

Ifexploitissuccessful->Requests“Casper”FromMDS

Set“Successful”=1InMDStableInfections

CasperThe“good-ghost-in-the-browser”malwareDr.LucaAllodi- NetworkSecurity- UniversityofTrento,DISI(AA2015/2016) 43

Results:Infections


Interestedinperformingsimilarexperiments?

• Couldbesubjectforaresearchprojectorathesis


Bibliography• Grier,Chris,etal."Manufacturingcompromise:theemergenceofexploit-as-a-service."Proceedingsofthe2012ACMconferenceonComputerandcommunicationssecurity.ACM,2012.• L.Allodi,M.Corradin,andF.Massacci.Then andnow:onthematurity ofthecybercrimemarkets (thelessonthat black-hat marketeers learned).IEEETrans.onEmerging Topics inComputing,PP(99),2015.• Huang,KurtThomasDannyYuxing,etal."FramingDependenciesIntroducedbyUndergroundCommoditization.”InProceedingsofWEIS2015.


Documents

09-NetSec Cybercrime economy - UniTrento Instant payments • .... Dr. Luca Allodi - Network Security -University of Trento, DISI (AA 2015/2016) 19. ... • Money mule send out of