Network Security AA 2015/2016
Cybercrime economy
Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)
What is a market
• A market is a system by which services or goods are traded in exchange for a compensation
• There can be many types of markets
  • Financial markets
  • Work / job position markets
  • ..
• A marketplace is a venue where the market is held
  • Physical (a town's square)
  • Virtual (a website, a chat, other or mixed means)
  • The terms "market" and "marketplace" will be used interchangeably in this lecture
What are the (cybercrime) black markets
• .. a "black market" economy, built around for-profit cybercrime, in which a large number of geographically distributed actors trade in data, knowledge and services [Kurt et al. 2015]
  → Held in virtual marketplaces
  • Originally IRC
  • Now mostly web forums
• Trading of
  • Attacking tools
  • Highly efficient exploits; vulnerabilities
  • Accounts, money laundering, CCNs ..
Underground-based markets
• "TOR-based markets" → can't be reached from the "standard" internet
  • → "a network inside the Network"
  • Typically drugs and other illegal-goods markets
• "Closed markets" → can be reached on the Internet
  • Most tech markets are of this type
  • Markets are closed, entry by selection
  • Organised in different markets
• Typically "national" → Russian, Chinese, Brazilian
  • Among the most influential there are the Russian markets
Types of markets
• Low-tech markets
  • "Spam advertised" or fake goods
  • Hosting, stolen credentials, ..
• High-tech markets
  • Cybercrime markets
  • Attack delivery technologies
  • Malware / specialized payloads (Zeus, clickbots, ..)
• "Private" markets
  • A few players selling high-tech malware to selected customers
Low-tech market – example [Kurt et al. 2015]
High-tech markets: cybercrime as market service
• Technological vs human vectors for attacks
  • We are interested in the former
• Technical competences are concentrated in an underground market for attacks
  • Trade of advanced exploitation vectors
  • Vulnerabilities, exploits and malware
  • Delivery mechanisms
• Exploit and tool developers sell the technology to multiple clients
  • Can combine several different technologies to personalise the attack
High-tech Cybercrime Markets
• This technology is traded in underground, closed markets
  • We have infiltrated several
  • Today we explore the most prominent one
• Russian Market
  • On the open Internet but closed access
  • Entry barrier requires credible background, Russian language, and passing an entry test
  • Infiltrated for 4+ years
  • 1.5 years "break" as we've been kicked out of the market
  • Much work to get back in
  • TOR access (to avoid firing too many alarms)
Market organisation
• Several "themes"
  • [Вирусология] → Virusologia → malware, exploits, packs, …
  • [Доступы] → Access → FTP servers, shells, SQL-i, …
  • [Серверы] → Servers → VPN, proxies, VPS, hosting, …
  • [Социальные сети] → Social networks → accounts, groups, …
  • [Спам] → Spam → emailing, databases, mail dumps, …
  • [Траф] → Internet traffic → connections, iframes, …
  • [Финансы] → Finance → bank accounts, money exchange, …
  • [Работа] → Work → look up for and offer jobs
  • [Разное] → Other
Market activity
[Figure: two plots over the years 2005-2014. "Variation in no. of new goods": x axis Year, y axis "New products introduced in the market" (0-80). "Variation in market activity": x axis Year, y axis "Volume of discussion around products" (0-800).]

Introduction of new goods in the market
[Figure: the same two plots, "Variation in no. of new goods" and "Variation in market activity", 2005-2014.]
Top 10 on "virusologia"
• Malware
• Exploits
• Crypto/packers
• Exploit kits
• Listings shown: Exploit Kit "RIG v3"; Tool to encrypt malware; Exploit Kit "Neutrino"; Sale of Office exploits; Dropper "Nuclear" (EKit); Kernel exploits for Windows; Crypt online service; Web attacks injector; Malware bots
A reminder: exploit kits operation
[Diagram: a User visits a popular website homepage; the ADs / iFrame on the page redirect the user's browser to the Exploit Kit, which attacks the user. The Traffic Broker / Hacker supplies the traffic; the Exploit kit owner buys traffic from the broker.]
Details of a kit in the market
• Kit success rate → *success rates depend on quality of traffic
• Malware delivery rates: Zeus malware: 50-60%; Loader: 80-90%
• Latest prices
• Additional services
• Contact: Monday – Saturday, from 7am to 5pm Moscow time
Selling traffic
• Can buy traffic from "traffic brokers"
  • User does not have to click on anything
  • Automatic redirect
• High-quality traffic derives from selection of connections based on requested criteria
  • Geographic source
  • Installed software
Infect 1M machines: is it worth it?
Action                                    Economic effort (1st year)
Buy exploit kit (20% efficiency)          2000 USD
Required connections                      5x10^6
Setup                                     50-150 USD
Traffic (assuming 2 USD / 1000 conn.)     10,000 USD
Maintenance (IP/domain flux, packing ..)  150 USD
Updates (assuming 2/yr)                   ~200 USD
Total                                     ~12,400 USD – 12,500 USD
Break-even ROI / BOT                      ~0.01 USD
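The table above as a small cost model, added here as an example (it is not part of the lecture). It reproduces the slide's figures from their assumptions and then goes one step further than the slide by sweeping the kit efficiency, which shows why "success rates depend on quality of traffic" matters: traffic is the dominant cost, so halving the efficiency nearly doubles the outlay. The setup cost defaults to the midpoint of the slide's 50-150 USD range and the per-update price to 100 USD (the slide gives ~200 USD for two updates); both are assumptions.

```python
# Added example, not from the lecture: the "infect 1M machines" table as a
# cost model whose assumptions can be varied. Defaults are the slide's
# figures; setup_usd and usd_per_update are assumed splits of its ranges.
from dataclasses import dataclass, replace
import math


@dataclass(frozen=True)
class CampaignAssumptions:
    target_bots: int = 1_000_000          # machines to infect
    kit_price_usd: float = 2000.0         # "Buy exploit kit"
    kit_efficiency: float = 0.20          # infections per connection served
    setup_usd: float = 100.0              # slide: 50-150 USD (midpoint assumed)
    traffic_usd_per_1000: float = 2.0     # broker price per 1000 connections
    maintenance_usd: float = 150.0        # IP/domain flux, packing, ..
    updates_per_year: int = 2
    usd_per_update: float = 100.0         # slide: ~200 USD for 2 updates/yr (assumed split)


def required_connections(a: CampaignAssumptions) -> int:
    """Connections the kit must receive so that kit_efficiency of them yield target_bots."""
    return math.ceil(a.target_bots / a.kit_efficiency)


def first_year_cost(a: CampaignAssumptions) -> dict:
    """Itemised first-year outlay and the revenue per bot needed to break even."""
    conns = required_connections(a)
    traffic = conns / 1000 * a.traffic_usd_per_1000
    total = (a.kit_price_usd + a.setup_usd + traffic
             + a.maintenance_usd + a.updates_per_year * a.usd_per_update)
    return {
        "connections": conns,
        "traffic_usd": traffic,
        "total_usd": total,
        "breakeven_per_bot_usd": total / a.target_bots,
        "traffic_share": traffic / total,   # fraction of the budget spent on traffic
    }


def breakeven_vs_efficiency(a: CampaignAssumptions, efficiencies) -> dict:
    """Break-even revenue per bot for each kit efficiency, other assumptions fixed."""
    return {e: first_year_cost(replace(a, kit_efficiency=e))["breakeven_per_bot_usd"]
            for e in efficiencies}


if __name__ == "__main__":
    base = CampaignAssumptions()
    for key, value in first_year_cost(base).items():
        print(f"{key:>22}: {value:,.4f}" if isinstance(value, float) else f"{key:>22}: {value:,}")
    for eff, be in breakeven_vs_efficiency(base, (0.05, 0.10, 0.20, 0.40)).items():
        print(f"efficiency {eff:.0%}: break-even {be:.4f} USD per bot")
```

With the slide's defaults the model returns 5,000,000 connections, 10,000 USD of traffic and a break-even of about 0.01 USD per bot; at 10% efficiency the break-even roughly doubles, at 5% it roughly quadruples, which is the economic reason kit sellers advertise success rates per traffic quality.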
Another kit
Exploits
• The exploit has a fully customisable shellcode.
• The package includes a demo that opens a command console with SYSTEM privileges.
• The high degree of efficiency of the exploit reduces the risk of failure to virtually zero - that is, ten consecutive successful runs on the same system.
• Thus, it is best used "Use After Free" and not "Pray After Free" as it happens with other "manufacturers".
• Exploit tested for these AVs
  • (can test against others upon request)
• Price: 5000 USD
Malware
• 1. 61kb (UPX - 24kb);
• 2. Multi-threaded file encryption;
• 3. New algorithm based on AES-256 using RSA-2048
• 4. You can set prices based on country
• 5. Handy ticket system
• ...
• 12. Infection disabled for these countries: AM AZ BY GE KG KZ MD RU TJ TM UA UZ (CSI);
• …
• 1. No price, get 50% of revenue.
• 2. Absolutely do not touch CSI countries.
• 3. Instant payments
• ....
Rogue Certificates
Price: 400 USD
Mobile bots
Real App / Injected page
Price: 4000$, lifetime updates
Product demoing
Composition of an attack
• Elements of an attack
  • User connections
  • Attack delivery
  • Malware infection
  • Monetisation mechanism
• Notice that most products sold in the markets enable the attacker to perform only one of these steps
  • Traffic brokers, stolen accounts, .. → connections
  • Exploit kits, stand-alone exploits, .. → attack delivery
  • Ransomware, banking malware, .. → malware
  • CCNs, banking info, .. → monetisation
• Each of these steps can be combined by the attacker to obtain a set of characteristics that suits them
  • Traffic from northern Europe
  • Exploit kit for recent IE versions
  • Malware that does not infect CSI countries
  • Attack UK bank customers
Monetisation
• Selling attacks for a price is not enough to justify the market
  • It must be possible to "monetise" the traded technology
  • Several mechanisms to monetise infections are possible
• Very hard to estimate the actual value (cost) of attacks for the attackers (victims)
  • Estimates vary greatly
  • Can be used to qualitatively frame the importance of these activities
• All the following is discussed in [Kurt et al. 2015]
"Spamvertised products"
• Spam techniques are used to advertise products
  • Stolen email accounts
  • Social networks
  • Mobile phones / calls ..
• Victim is tricked into buying some counterfeit goods
  • Pharmaceuticals / electronics / clothes ..
  • Pirated software
  • Pornography, gambling, …
• Estimated value 12-90 million US dollars
Scareware
• Uses a combination of social engineering and malware infection
• Convinces the user they need to buy a product
  • Fake AV is the typical example
• Message convinces the user the system is infected or at risk
  • Typically pay about 60$ to get the system "cleaned"
• Common threat before 2011
  • Estimated value 130 million USD
• Market dismantled by blocking transactions to Fake AV affiliate programs
Ransomware
• Again a mixture of social engineering + technical attack
• Malware encrypts files on the hard disk
  • Asks for money to give the decryption key
  • Usually in the whereabouts of 100-200$, up to 400$.
• Can you identify social engineering techniques in the text above?
  • Estimated value (Cryptolocker alone): ~3 million USD
Click fraud
• Attacker registers with an Ad Network
  • Uses infected systems to generate clicks on sourced advertisement
  • Hard to distinguish between legitimate and fake clicks
  • Anomaly-based heuristics
• Estimated 20% of all clicks are generated by automatic bots
  • Detection rate up to 75%
• Estimated value ~20-30 million USD
Credit cards and banking
• Hard to cash out credit cards
  • How to maintain anonymity?
• Typically use "money mules"
  • Victims of social engineering attacks
  • Used by the victim as a proxy to cash the CC value
• Money mules send expensive goods out of the country to an anonymous PO Box
• Wire transfers to criminals
• Estimates are difficult to make
Market Fairness
• A market only exists when there are sellers that enter the market and buyers that exchange money for products or services
• Imagine yourself (a criminal) trying to sell your product in a new market
  • Would you really mind scamming people if there is no "punishment" you fear?
  • Would you spend effort, time and money in making a good product if you feel like anybody (e.g. the competition) can just ruin you by telling everybody you are a scammer?
• → An unfair market leads to low-quality tech
  • The system needs a mechanism to equilibrate incentives
  • One of the main results from [Akerlof 1970]
• Evidence that high-tech cybercrime markets address these problems with convincing instruments
  • We'll see three stories taken directly from the markets
Trials in cybercrime markets: the rules (in short)
• Anybody can report anybody else for trial
  • Follow the provided template for filing. Must include
    • Name and profile of the offender
    • Proof of the fact
• The reporter (accuser) and the reported (defender) enter the trial
  • The defender has 24 hours to show up
  • In particularly complicated cases the defender can be given up to 7 days
    → this decision is taken by the Judge (i.e. administrator)
• An investigation follows:
  • Witnesses are called
  • Evidence for either case (accuser or defender) is provided
• Administrator takes a decision: Blacklist or Innocent
(1) The defender does not show up
• October 2013
• Accuser reports he has been scammed for 390 US$ by the defender
• A moderator ("Arbiter") advises to "notify the defender with a personal message [about your report]"
• A third user shows up, reporting that "[Contacting the defender is] Useless, he has not been online for a long time"
• Administrator gives the defender 48 hours to show up
• Four days later (the 49th hour was a Sunday) the administrator puts the defender in the blacklist
(2) The defender loses the trial
• July 2012
• Payment of 3000 WMZ not received; defender is given 12 hours to show up
• Defender shows up after 4 hours
  • Brings evidence of payment (very long discussion)
  • Posts logs & screenshots of the transaction
• Accuser answers that the payment has never been received
  • He/she accuses the defender of having "blocked" or "intercepted" the payment
  • Witnesses on his side show up to support his claims and trustworthiness
• Admin gives two options
  1) Defender must provide final proof of transaction commit
  2) Defender and accuser resolve the case in private
• → after a month of discussion the defendant hasn't provided conclusive evidence → he ends up "in the Black" (i.e. listed as an offender)
(3) The defender wins the trial
• October 2012
• Accuser reports a failure on the defender's side to close a transaction
  • Reports IRC log of their conversation
  • Accuser pays the defender while the latter was offline
  • Defender does not acknowledge the payment and does not come back online in a comfortable "time lapse" for the defender
• Defender shows up shortly after, shows that he never cashed anything
• Admin intervenes and asks "[Accuser] please do money back. To be precise, [defender] do not touch the checks, and most importantly [accuser] get the money back in your wallet."
• Accuser stops complaining
• Trial is closed and the defender is cleared of any accusation
The Malware Lab: an application example

The Malware Lab
• Originally devised as a platform to test malware products as "software artifacts"
  • Reproduce the malware in a controlled environment
  • Test, analyze and measure functionalities
  • Safe env to reproduce the Galileo RCS malware by HT
• Example of work: we tested 10 exploit kits to answer the following question:
  • How resilient are Exploit Kits against software updates?
The Kits and The Victims
• Exploit kits span from (2007-2011)
• How we chose the exploit kits
  • Release date
  • Popularity (as reported in industry reports)
  • CrimePack, Eleonore, BleedingLife, Shaman, …
• Software: most popular ones
  • Windows XP, Vista, Seven
  • All service packs are treated like independent operating systems
  • Browsers: Firefox, Internet Explorer
  • Plugins: Flash, Acrobat Reader, Java
• 247 software versions
  • spanning from 2005 to 2013
• We randomly generate 180 sw combinations (x 9 Operating Systems) to be the configurations we test
• Manual test is impossible → we need an automated platform
Configuration example
• One configuration for: Windows XP Service Pack 2
  • Firefox 1.5.0.5
  • Flash 9.0.28.0
  • Acrobat Reader 8.0.0.0
  • Quicktime 7.0.4.0
  • Java 1.5.0.7
• One configuration for: Windows Seven Service Pack 1
  • Firefox 8.0.1.0
  • Flash 10.3.183.10
  • Acrobat Reader 10.1.1.0
  • Quicktime: no version
  • Java 6.27
The experimental infrastructure
• Malware Distribution Server (MDS) hosting: Exploit kit 1, Exploit kit 2, .., Exploit kit 10
• VICTIM 1 virtualizes: XP SP0, XP SP1, XP SP2, XP SP3 (each with Conf 1..180)
• VICTIM 2 virtualizes: Vista SP0, Vista SP1, Vista SP2 (each with Conf 1..180)
• VICTIM 3 virtualizes: Seven SP0, Seven SP1 (each with Conf 1..180)
Overview of the experiment
[Figure: overview of the experiment, scale 0-4; "In 6 year window?"]
The experiment: VICTIM 1
• Host: Linux Ubuntu, control scripts in Python, VirtualBox interface; guest: Windows XP Service Pack 0 with Firefox and Plugin 1, Plugin 2, Plugin 3, Plugin 4 (Victim 2 and Victim 3 are built the same way; all are served by the Malware Distribution Server (MDS))
• "Install configuration 1"
  1. Pushes installers, installs software
  2. Checks install: push batch file on VM
  3. Saves Configuration snapshot
• "Launch against Exploit Kits"
  For x in 1..10:
    Restore("Configuration snapshot")
    Launch(VM, EKIT(x))
  Delete("Configuration snapshot")
• Each Launch(VM, EKIT(x)) leaves the VM in the "Configuration snapshot (attacked)" state; restoring the Configuration snapshot brings it back to the clean configuration before the next kit is launched
• "Install configuration 2" …. "Install configuration 180" …. "End"
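The control loop above, written out as an added example; this is not the Malware Lab's own control script. It drives one victim VM through the VirtualBox CLI (VBoxManage snapshot / startvm / controlvm / guestcontrol, which are real subcommands) and separates the command runner from the loop so the same code can be dry-run or recorded. Everything else is an assumption not taken from the slides: the VM name, the guest paths of the installers, of the check batch file and of the browser, the "/S" silent-install flag, and the kit URL layout /ExploitKit/<kit>/?conf=<n> on the MDS.

```python
# Added example, not the Malware Lab's own control scripts: the
# install -> snapshot -> (restore, launch, delete) loop of the slide, driven
# through the VirtualBox CLI. Assumed (not from the slides): VM names, guest
# paths, the silent-install flag and the kit URL layout on the MDS.
import subprocess
from typing import Callable, Dict, List, Sequence, Tuple

Command = List[str]
Runner = Callable[[Command], int]  # runs one host command, returns its exit code


def shell_runner(cmd: Command) -> int:
    return subprocess.run(cmd, check=False).returncode


def dry_runner(cmd: Command) -> int:
    """Prints the command instead of executing it (used by the stand-alone demo)."""
    print(" ".join(cmd))
    return 0


class VictimVM:
    """The 'VirtualBox interface' layer: one guest OS (e.g. XP SP0) per instance."""
    SNAPSHOT = "Configuration snapshot"
    GUEST_BROWSER = r"C:\Program Files\Mozilla Firefox\firefox.exe"  # assumed path
    GUEST_CHECK = r"C:\lab\check_install.bat"                        # assumed path

    def __init__(self, name: str, runner: Runner = shell_runner):
        self.name, self.runner = name, runner

    def _vbox(self, *args: str) -> int:
        return self.runner(["VBoxManage", *args])

    def _guest_run(self, exe: str, *args: str) -> int:
        return self._vbox("guestcontrol", self.name, "run", "--exe", exe, "--", *args)

    def power_on(self) -> None:
        self._vbox("startvm", self.name, "--type", "headless")

    def power_off(self) -> None:
        self._vbox("controlvm", self.name, "poweroff")

    def install(self, config: Dict[str, str]) -> None:
        """Step 1: push installers, install software (one installer per version)."""
        for software, version in config.items():
            installer = rf"C:\lab\installers\{software}-{version}.exe"  # assumed layout
            if self._guest_run(installer, "/S") != 0:                   # "/S": assumed silent flag
                raise RuntimeError(f"{software} {version} did not install on {self.name}")

    def check_install(self, config: Dict[str, str]) -> None:
        """Step 2: push a batch file on the VM that verifies every installed version."""
        expected = [f"{s}={v}" for s, v in config.items()]
        if self._guest_run(self.GUEST_CHECK, *expected) != 0:
            raise RuntimeError(f"configuration check failed on {self.name}: {expected}")

    def snapshot(self, action: str) -> None:
        """Step 3 and the loop: take / restore / delete the configuration snapshot."""
        if self._vbox("snapshot", self.name, action, self.SNAPSHOT) != 0:
            raise RuntimeError(f"snapshot {action} failed on {self.name}")

    def launch(self, url: str) -> None:
        """Launch(VM, EKIT(x)): boot the clean snapshot, point the browser at one kit, halt."""
        self.power_on()
        self._guest_run(self.GUEST_BROWSER, url)
        self.power_off()


def run_experiment(vm: VictimVM, configurations: Sequence[Dict[str, str]],
                   kits: Sequence[str], mds_base: str) -> List[Tuple[int, int]]:
    """Install each configuration once, then expose it to every kit from the clean
    snapshot. Success is not decided here: the MDS records it when the victim
    fetches Casper. Returns the (configuration, kit) pairs that were launched."""
    launched: List[Tuple[int, int]] = []
    for conf_id, config in enumerate(configurations, start=1):
        vm.power_on()
        vm.install(config)
        vm.check_install(config)
        vm.snapshot("take")
        vm.power_off()
        for kit_id, _kit_name in enumerate(kits, start=1):
            vm.snapshot("restore")   # back to the clean, un-attacked configuration
            vm.launch(f"{mds_base}/ExploitKit/{kit_id}/?conf={conf_id}")
            launched.append((conf_id, kit_id))
        vm.snapshot("delete")
    return launched


if __name__ == "__main__":
    # Constructed two-configuration run against three kits, printed instead of executed.
    demo_vm = VictimVM("XP-SP0", dry_runner)
    run_experiment(demo_vm, [{"firefox": "1.5.0.5", "flash": "9.0.28.0"},
                             {"firefox": "8.0.1.0"}],
                   ["CrimePack", "Eleonore", "Shaman"], "http://mds.lab")
```

Injecting the runner is the design point: the loop can be exercised with a recording runner on any machine, and the real VBoxManage calls only happen on the lab host, which is also where you would add the isolation controls (host-only network, no shared folders) the slides take for granted.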
Assessing exploit successes
• VICTIM 1, VICTIM 2, VICTIM 3 ↔ Malware Distribution Server (MDS)
• Victim: GET /ExploitKit/ HTTP/1.1 → MDS: Send Exploit
• If the exploit is successful -> the victim requests "Casper" from the MDS
• MDS: Set "Successful" = 1 in MDS table Infections
• Casper: the "good-ghost-in-the-browser" malware
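The MDS-side success check on this slide, written out as an added example (not the Malware Lab's code): it replays a constructed excerpt of the MDS access log into an in-memory Infections table and marks a row successful only when a Casper fetch follows an exploit served to the same victim. Assumed, because the slide only shows GET /ExploitKit/: the kit URL carries the kit id and the configuration id as /ExploitKit/<kit>/?conf=<n>, a victim is identified by its source address, and Casper is fetched as GET /Casper. A Casper request from an address that was never served an exploit is ignored, so a stray beacon cannot inflate the counts; the same "landing page, then beacon" pairing is what a proxy-log analyst looks for when triaging a suspected drive-by.

```python
# Added example, not the Malware Lab's code: MDS-side assessment of exploit
# success from its access log. URL layout, victim identification and the
# Casper path are assumptions; the log excerpt is constructed.
import re
import sqlite3

SAMPLE_LOG = """\
10.0.0.11 [2013-05-02 10:00:01] "GET /ExploitKit/1/?conf=7 HTTP/1.1" 200
10.0.0.11 [2013-05-02 10:00:04] "GET /Casper HTTP/1.1" 200
10.0.0.12 [2013-05-02 10:00:05] "GET /ExploitKit/1/?conf=8 HTTP/1.1" 200
10.0.0.11 [2013-05-02 10:02:10] "GET /ExploitKit/2/?conf=7 HTTP/1.1" 200
10.0.0.13 [2013-05-02 10:02:11] "GET /Casper HTTP/1.1" 200
10.0.0.12 [2013-05-02 10:02:30] "GET /ExploitKit/2/?conf=8 HTTP/1.1" 200
10.0.0.12 [2013-05-02 10:02:33] "GET /Casper HTTP/1.1" 200
10.0.0.14 [2013-05-02 10:03:00] "GET /ExploitKit/1/?conf=9 HTTP/1.1" 200
10.0.0.14 [2013-05-02 10:03:02] "GET /Casper HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "GET (?P<path>\S+) HTTP/1\.[01]" (?P<status>\d{3})$')
KIT_RE = re.compile(r"^/ExploitKit/(?P<kit>\d+)/\?conf=(?P<conf>\d+)$")  # assumed layout
CASPER_PATH = "/Casper"                                                 # assumed path


def open_db() -> sqlite3.Connection:
    """The MDS table Infections: one row per (victim, configuration, kit) served."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE Infections (
        victim TEXT NOT NULL, conf INTEGER NOT NULL, kit INTEGER NOT NULL,
        successful INTEGER NOT NULL DEFAULT 0,
        PRIMARY KEY (victim, conf, kit))""")
    return conn


def assess(log_text: str, conn: sqlite3.Connection = None) -> sqlite3.Connection:
    """Replay the log: an exploit request creates a row; a later Casper request
    from the same victim sets Successful = 1 on the exploit served last."""
    conn = conn if conn is not None else open_db()
    pending = {}  # victim ip -> (conf, kit) of the exploit served last, not yet decided
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue
        ip, path = m["ip"], m["path"]
        k = KIT_RE.match(path)
        if k:
            conf, kit = int(k["conf"]), int(k["kit"])
            conn.execute("INSERT OR IGNORE INTO Infections (victim, conf, kit) VALUES (?, ?, ?)",
                         (ip, conf, kit))
            pending[ip] = (conf, kit)
        elif path == CASPER_PATH and ip in pending:
            conf, kit = pending.pop(ip)  # popped: a second beacon cannot count twice
            conn.execute("UPDATE Infections SET successful = 1 "
                         "WHERE victim = ? AND conf = ? AND kit = ?", (ip, conf, kit))
        # a Casper request with no exploit served to that victim (10.0.0.13) is ignored
    conn.commit()
    return conn


def infections(conn: sqlite3.Connection) -> dict:
    return {(v, c, k): s for v, c, k, s in conn.execute(
        "SELECT victim, conf, kit, successful FROM Infections ORDER BY victim, conf, kit")}


def success_rate_per_kit(conn: sqlite3.Connection) -> dict:
    """Fraction of served configurations each kit infected (the 'Results: Infections' view)."""
    return {kit: hits / total for kit, hits, total in conn.execute(
        "SELECT kit, SUM(successful), COUNT(*) FROM Infections GROUP BY kit ORDER BY kit")}


if __name__ == "__main__":
    db = assess(SAMPLE_LOG)
    for row, ok in infections(db).items():
        print(row, "infected" if ok else "resisted")
    print(success_rate_per_kit(db))
```

On the constructed excerpt kit 1 infects two of the three configurations it was served and kit 2 one of two; the stray beacon from 10.0.0.13 creates no row.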
Results: Infections
Interested in performing similar experiments?
• Could be the subject for a research project or a thesis
Bibliography
• Grier, Chris, et al. "Manufacturing compromise: the emergence of exploit-as-a-service." Proceedings of the 2012 ACM conference on Computer and communications security. ACM, 2012.
• Allodi, L., M. Corradin, and F. Massacci. "Then and now: on the maturity of the cybercrime markets (the lesson that black-hat marketeers learned)." IEEE Trans. on Emerging Topics in Computing, PP(99), 2015.
• Thomas, Kurt, Danny Yuxing Huang, et al. "Framing Dependencies Introduced by Underground Commoditization." In Proceedings of WEIS 2015.