Alexey Starov - How to Conduct Cyber Investigations?
TRANSCRIPT
HOW TO DO RESEARCH IN CYBERCRIME / How to conduct research and investigations in the field of cybercrime
by Alex Starov
HackIT 2016
Pragmatic Security “PragSec” Lab
Our Research
Security
Privacy
Cybercrime
WANTED: Cybercrime Research
• Models of online crimes
• Ecosystems of attackers/hackers
• Financial infrastructures
• Measurement studies of real underground economies
• Different aspects of fraud
• Fraud prevention
• Effectiveness of protection countermeasures
• Case studies of current attack methods
• Social engineering
• …
Today we have 3 lessons
① Let's detect them…
② Going undercover
③ Let's catch them (full exposure)
LESSON #1: Let's detect them!
(based on http://securitee.org/files/webshells_www2016.pdf)
IDEA: We can investigate crime artifacts
• What do most attackers do after hacking a server?
Web shells / backdoors
• In its simplest form, a web shell is a script that attackers upload to compromised web servers in order to remotely control them
Example of a Real-life PHP Shell
Are web shells important?
Wow, attackers on Ukrainian Power Grid also used a backdoor web shell!
Let's Google It: Hackers May Search for Shells
Such attempts can be detected, though…
https://some_our_url.com/c99.php
Daily Statistics on Captured Requests for Shells via Google Dorks
Our Objectives: Let’s define
• Conduct a comprehensive large-scale study of web shells, their nature and the surrounding ecosystem of hackers
• Inspect visible and invisible features of real-life malicious shells and how attackers can use them
• Find useful information for countermeasures, at least for their detection by IDS or scanners…
First of all: Data Collection
• Starting with a combined set of 1449 shells, we derived a unified set of more than 500 real unique shells!
• Including variations of c99, r57, WSO, B347k, NST, NCC, Crystal, etc.
Processing pipeline: Filtering → Normalization → Deobfuscation → Normalization
https://www.unphp.net
SHELL FEATURES: Static & Dynamic Analysis
Interface Features (static taint analysis)
Silent Server-side Activity in 31.4% of shells (intercepted by PHP's runkit framework)
Silent Server-side Activity: Commands
Group               Aggregated examples
Main System Info    id (71), uname (41), echo $OSTYPE (23), pwd (16), whoami (13)
More System Info    ls -la (7), df -h (2), uptime (2), ps aux (1), free -m (1)
Check Installed     which * (4), wget -help (5), javac -version (2), perl -v (1)
Internet Usage      cd /tmp, lynx | curl | GET * (8), wget | curl | lwp-download * (6)
Other actions       echo abcr57 (19), killall -9 host (1), crontab (1)
Silent Server-side Activity: Files
Group               # Shells   Examples
/var/www/html/*/*   21         write test.txt, read own PHP file
/etc/*              8          named.conf, hosts, passwd, fstab
http://*            7          send own URL, load api.php, sender.txt
*.php               6          dbs.php, shell.php, errors.php, ss.php, etc.
/tmp/*              5          qw7_sess, shellcode.so, Ra1NX
php.ini             5          write to php.ini or ini.php
.htaccess           5          write .htaccess or sym/.htaccess
*.txt               5          kampret.txt, data.txt, cpaccount.txt
/proc/*             4          cpuinfo, meminfo, partitions, version
*.sql.gz            2          read N-Cool-073115-0850am.sql.gz
Other               2          1.sh and libworker.so
Test more: Stealthiness
Hiding the code:
• 20.6% with increased token count after deobfuscation
• 20.8% use eval() with an average of 15.2 calls, up to 91
Hiding the path:
• 16% check the HTTP User-Agent against a blacklist (61 shells give 404 if your user agent contains "Google")
• 2.3% return 404 until they get the proper POST/GET parameters
Even more: Bypassing Antivirus Engines
Original PHP shells:
• 90% detected by at least one scanner of VirusTotal
• Best scanners detect 72.5% and 67.2%
Deobfuscated shells:
• Overall accuracy decreases to 88.5%
• Avg. detection rate decreases from 15 to 10 scanners
• E.g., one specific shell was detected by 22 scanners, and after deobfuscation by only 2
=> Another useful finding!
Authentication in Shells
Is something wrong here?
Answer: Authentication Bypass
Bypass types (chart): Simulated Register Globals; Unprotected Features
Authentication Bypass: a coincidence?
• 52.0% provide authentication in the code
• 30.8% of the authentication codes can be bypassed
⇒ No honor among thieves! The original shell distributor injects a backdoor into the backdoor
⇒ And finds out the location of already deployed shells via homephoning?!
BACKDOORS IN WEB SHELLS: Deploying a Honeypot Server
Honeypot Architecture
Results on Homephoning
29.2% on the client-side
• With an average of two domains per shell
• Overall 149 domains / 108 IPs were contacted
4.8% on the server-side
• 70% connect to one of the 21 domains
• Located in USA, Republic of Korea, China
Client-side Homephoning Targets
Logs We Get on the Honeypot
46.167.121.166 - -[02/Jul/2015:22:56:42 +0000] "GET /images/ftpmaster.php HTTP/1.1" 404 520 "-" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
(Annotations on the log line: attacker's IP address; web shell's path)
Attacker Connections Daily
• In the 8 weeks of our experiment: we recorded 690 web shell access attempts from 71 unique IP addresses located in 17 countries
• Top 3: Turkey, USA, and Germany
• 16.4% of homephoning shells were visited by attackers
USING THEIR WEAPON: Detecting web shells via… the same homephoning!
Stale domain-based inclusions
2012
• example.com adopts web analytics
<script src="http://analytics.com/a.js"/>
2014
• Analytics goes bankrupt and allows analytics.com to expire
• example.com does not update their website
2015
• analytics.com is registered by an attacker!
• malicious JS pushed to example.com…
(Nikiforakis et al., 2012)
Stale (expired) domains called by web shells and now registered by us!
Logs We Get for Stale Domains
187.99.230.117 - -[01/Jan/2016:00:19:04 +0000] "GET /logz/yaz.js HTTP/1.1" 404 507 "http://www.XXXXXXXXXXXXXXXX.ua/files/XXXXXXXXX_ca6a456dc0b461cHNAL.php" "Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0"
(Annotations on the log line: attacker's IP address; compromised website in the Referer)
Compromised Websites Found
Local businesses and organizations:
• an order service in Iran
• a travel portal in China
• a software company in Russia
• a shipping company in the US
• a college website in Morocco
More critical websites:
• a hospital website in Peru
• a legal consultation office in Russia
• a security services company in Vietnam
Victim Websites based on Server Location
Victim Websites taking into account TLDs
Victim Websites and Victim Servers
All Attackers Detected in Logs
Top 10 Targets for Attacks
MORE: Requests from localhost…
75.151.74.150 - - [12/Dec/2015:22:46:15 +0000] "GET /yazciz/ciz.js HTTP/1.1" 404 503"http://localhost:8080/c99%20with%20pass%20ali.php" "Mozilla/5.0 (Windows NT 6.3; rv:42.0) Gecko/20100101 Firefox/42.0"
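As an added example (not code from the talk or from the PragSec lab), here is a Python parser for the combined-format log lines shown on the honeypot and stale-domain slides. On honeypot lines the requested path is the shell being probed; on stale-domain lines the Referer reveals the compromised site and the deployed shell's path, and a localhost Referer flags someone testing a shell on their own machine. The sample lines, IP ranges and hostnames are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Combined-format access log line; tolerant of the missing spaces seen in the slide extracts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+\s*\[(?P<ts>[^\]]+)\]\s*'
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*"\s*(?P<status>\d{3}) (?P<size>\d+|-)\s*'
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

@dataclass
class Hit:
    attacker_ip: str
    kind: str                        # "honeypot" (shell path requested) or "stale-domain" (homephoning)
    shell_url: str                   # requested shell path, or the shell's URL taken from the Referer
    compromised_host: Optional[str]  # site hosting the shell (stale-domain lines only)
    local_test: bool                 # Referer on localhost: someone testing a shell on their own machine

def classify(line: str) -> Optional[Hit]:
    m = LOG_RE.match(line)
    if not m:
        return None
    referer = m["referer"]
    if referer in ("", "-"):
        # Honeypot log: the request itself asks for a shell path (e.g. after a Google dork search).
        return Hit(m["ip"], "honeypot", m["path"], None, False)
    # Stale-domain log: the shell's page loads a resource from a domain we now own, so the
    # Referer carries the compromised site and the path of the deployed shell.
    host = urlsplit(referer).hostname or ""
    local = host in ("localhost", "127.0.0.1")
    return Hit(m["ip"], "stale-domain", referer, None if local else host, local)

def summarize(lines):
    """Access attempts, unique attacker IPs and compromised hosts, as reported on the slides."""
    hits = [h for h in map(classify, lines) if h]
    ips = Counter(h.attacker_ip for h in hits)
    hosts = sorted({h.compromised_host for h in hits if h.compromised_host})
    return {"attempts": len(hits), "unique_ips": len(ips), "compromised_hosts": hosts}

# Constructed sample lines (documentation IP ranges, example.* hosts), not real log data.
SAMPLE = [
    '192.0.2.10 - - [02/Jul/2015:22:56:42 +0000] "GET /images/c99.php HTTP/1.1" 404 520 "-" "Mozilla/5.0"',
    '198.51.100.7 - -[01/Jan/2016:00:19:04 +0000] "GET /logz/yaz.js HTTP/1.1" 404 507 "http://shop.example.com/files/x.php" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2016:00:20:11 +0000] "GET /logz/yaz.js HTTP/1.1" 404 507 "http://blog.example.org/up/sh.php" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Dec/2015:22:46:15 +0000] "GET /yazciz/ciz.js HTTP/1.1" 404 503"http://localhost:8080/c99%20with%20pass.php" "Mozilla/5.0"',
]
```

Running `summarize(SAMPLE)` gives 4 attempts from 3 unique IPs and two compromised hosts; the localhost line is counted as an attempt but yields no victim host.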
CTF participants, be careful with other people's shells! :)
Takeaway Notes
Idea: investigate the artifacts of web hacks, namely web shells
Methods: large-scale collection of shells, static and dynamic analysis, deployment of honeypot servers, using "stale domains" for good
Tools: UnPHP, OpenWPM/Selenium, PHP's runkit, VirusTotal's API, MaxMind's GeoLite2, lots of scripts
Contribution:
• Know your enemy: information for scanners and IDS
• Monitoring the relevant "stale domains" makes it possible to quickly find web hacks and disarm malicious shells!
LESSON #2: Going undercover
(based on https://arxiv.org/abs/1607.06891)
Another source of ideas
http://securit13.libsyn.com/episode--64
Technical Support Scam
OK, then Our Motivation
• This scam has become so prevalent that the Internet Crime Complaint Center released a Public Service Announcement in November 2014
• This type of scam costs users millions of dollars on a yearly basis…
• No systematic research yet, and protection is wanted!
What attributes are common to TSS?
• Usually they block navigation with alerts
• Preceded by a long redirection chain
• Presence of a phone number
• Scareware-like keywords
[Word cloud of scareware-like keywords seen on TSS pages, e.g.: virus, viruses, malware, adware, worm, hacked, infected, warning, attack, blocked, locked, suspended, disabled, identity, theft, passwords, logins, leaked, exposed, registry, firewall, technicians, technical, desk, calling, webcam, stalkers, tracking, breach, shut, crash, fix, removed, deleted, harmful]
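As an added example (not the detector from the paper, which used machine learning), here is a Python heuristic scorer for the four attributes listed above: navigation-blocking JavaScript, redirection chain length, presence of a toll-free phone number, and scareware keywords. The weights, the keyword subset, the indicator lists and the sample pages are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import List

# Subset of the scareware vocabulary from the keyword cloud on the slide (assumption: our pick).
SCAREWARE_WORDS = {"virus", "malware", "infected", "warning", "blocked", "technicians",
                   "hacked", "locked", "suspended", "identity", "passwords", "registry"}
# US toll-free numbers, the kind the scam pages display (800/844/855/866/877/888 prefixes).
PHONE_RE = re.compile(
    r'(?<!\d)(?:\+?1[\s.-]?)?\(?(8(?:00|44|55|66|77|88))\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)'
)
# JavaScript the scam pages use to trap the visitor in the browser (assumed indicator list).
NAV_BLOCK_RE = re.compile(r'\b(?:alert|confirm|onbeforeunload|history\.pushState)\b')

@dataclass
class TssFeatures:
    phones: List[str]   # normalised 10-digit numbers found on the page
    nav_blockers: int   # count of navigation-blocking JS constructs
    keyword_hits: int   # distinct scareware words present
    redirects: int      # hops in the redirection chain that led to the page
    score: int

def extract_features(html: str, redirect_chain: List[str]) -> TssFeatures:
    phones = sorted({"".join(m) for m in PHONE_RE.findall(html)})
    nav = len(NAV_BLOCK_RE.findall(html))
    text = html.lower()
    kw = sum(1 for w in SCAREWARE_WORDS if re.search(rf"\b{w}\b", text))
    redirects = max(len(redirect_chain) - 1, 0)
    # Assumed weights: a phone number and a long chain count most; keywords and blockers are capped.
    score = (2 if phones else 0) + min(nav, 3) + min(kw, 4) + (2 if redirects >= 3 else 0)
    return TssFeatures(phones, nav, kw, redirects, score)

def is_tss(f: TssFeatures, threshold: int = 6) -> bool:
    return f.score >= threshold

# Constructed samples: a scam-style page reached via a typosquatting redirect chain, and a benign page.
SCAM_PAGE = """<html><body><h1>WARNING! Your computer is infected with a virus.</h1>
<p>Identity and passwords may be leaked. Call certified technicians now: 1-844-555-0100</p>
<script>window.onbeforeunload=function(){return 'x';};alert('Your PC is blocked');</script>
</body></html>"""
SCAM_CHAIN = ["http://stackovertlow.example/", "http://ad.example/r?id=1",
              "http://click.example/go", "http://virus-alerts.example/"]
BENIGN_PAGE = "<html><body><p>Contact sales: 1-800-555-0199. Compare our antivirus plans.</p></body></html>"

if __name__ == "__main__":
    print(extract_features(SCAM_PAGE, SCAM_CHAIN), extract_features(BENIGN_PAGE, ["http://vendor.example/"]))
```

The benign page also carries a toll-free number, which is why a single attribute is not enough and the score combines all four.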
What delivery methods can they use?
• Hmm, AD NETWORKS?..
Let's look at which websites:
http://droobox.com
http://stackovertlow.com
http://tackoverflow.com
http://stackkoverflow.com
http://twwitter.com
http://fecebook.com
http://facbeook.com
…
Typosquatting is a famous trick!
We need a large-scale crawler
Crawler architecture (diagram):
• Inputs: typosquatting domains, shortened URLs, links from spam emails…
• Components: redundant crawlers, JS interceptor, MITM proxy, detector (ML)
• Output: more than 1000 unique scam domains and 100 phone numbers per week!
At this point, we found thousands of phone numbers, providers and domains
Phone numbers & providers: 8004699439 (e.g., ATL), 8004699439 (e.g., Twilio), 8443074809 (e.g., WilTel), 8008704502, 8009214167, 8442035085, 8442318194, 8442338231, 8442439201, …
Scam domains: system-checker-51.nl, system-warning.com, tfn13.in, update-softwareinfo.com, virus-alerts.in, virus-check-error.net, virus-watch.xyz, window-scan.pw, www.pcsol.co, www.security-alert404.com, …
THINK: What can we do that is useful?
We need to improve current blacklists!
Domains
• Popular blacklists contain only 7% of TSS domains
• VirusTotal detects only 64%, by only 3.25 scanners on average
• We detect earlier
Phones
• Online databases and available phone apps cover only 27.4%, with the best mobile app only 0.5% and websites almost 20% (mrnumber.com and 800notes.com)
Tools used so far:
• Selenium/OpenWPM for large-scale crawlers
• JavaScript interception
• MITM Proxy for traffic dumps
• Selenium for scraping
• Python and R scripts for statistics and ML
• VirusTotal APIs for domain checks
• Android Console to simulate calls
• …
We want more useful stuff…
• Don't be afraid to use your acting skills!
• Again, use their weapon against them!
We called more than 60 phone numbers, with a prepared VM for each call
• Scammer: Thank you for calling technical support. How may I assist you?
• Victim: Hi, good morning. I think I have a problem with my computer because I was browsing the Internet and then it suddenly told me that I was infected with a virus and it asked me to call this number.
• Scammer: OK. Can you confirm for me, first of all, what Microsoft device you are using?
• Victim: I am using Windows 7. I do not know if that is what your question is.
…
Techniques they use
• Stopped Services/Drivers
• Event Viewer
• Specific Virus Explained
• System Information
• Action Center
• Fake CMD Scan
• Netstat Scan
• Installed/Running Programs
• Browsing History/Settings
• Downloaded Scanner
• Reliability/Performance
• Temp folder
• Registry
• …
Gotcha! Found signs of scammer groups
1) They use similar scripts and methods, and can handle many calls simultaneously
2) WHOIS records show similarities (some use CDNs and Cloudflare)
3) This corresponds to the clustering of domain-phone graphs, and of the JS
4) The remote-access tools they use leak similar locations: regions of India, some from the US and Costa Rica
Mad Scientist vs. White-hat Scientist
Mad Scientist: doesn't care! White-hat Scientist: IRB approval!
Be careful and think of others!
What is an IRB?“The Institutional Review Board (IRB) is made up of a group of people such as scientists, doctors and some community people. The IRB looks at every protocol or research study before it is conducted on any people. Because some research studies involve risk, the IRB looks at the study to make sure the risks are justified and minimized. In addition, the IRB wants to make sure the Principal Investigator follows all the rules the federal government has set up to protect human subjects who so kindly volunteer to participate in a research study”
Takeaway Notes
Idea sources: security news, blogs, podcasts, forums…
Methods: distributed crawler, machine learning and other heuristics, checking blacklists, white-hat social engineering
Contribution:
• Identified the techniques, artifacts and groups of scammers
• A mechanism for quickly identifying domains and phone numbers used by scammers!
LESSON 3: Let's catch them
Collaboration with authorities is a plus!
Outline of the research
• Collaborating with the FBI and USPIS, we obtained access to the servers and other artifacts of websites that offered "reshipping scam" services
• The service consists of providing a way to monetize money from stolen credit cards
Contribution:
• The hackers' total revenue was estimated at 1.8 billion dollars per year!
• The hackers' infrastructure and their traces were studied, and the most effective protection measures were proposed
Steps of the fraud, let's think together!
Cooperation with UA cyber police
① If an information security researcher (from a university) has discovered information useful to the cyber police, whom should they contact? Will the cyber police assist in obtaining additional data?
Answer: If you have discovered information that falls under the investigative jurisdiction of the cyber police, immediately contact the Cyber Police Department or the local office at your place of residence, or submit an electronic report on the cyber police website https://www.cybercrime.gov.ua/feedback5-ua. The cyber police will conduct a check within the scope of their powers.
Cooperation with UA cyber police (cont.)
② Is the reverse situation possible, i.e. outsourcing a cyber investigation to university laboratories? Participation of the cyber police in academic research, publications and information security conferences?
Answer: It is possible; we cooperate with a number of outsourcing companies. If you have a specific proposal, please provide a detailed plan of interaction and we will consider it.
③ If academic research has revealed information about which citizens should be warned, will the police help to disseminate it?
Answer: Yes, this is among the duties of the cyber police, namely crime prevention.
Summary
• LESSON 1: We detected web shells around the world, compromised websites and attackers
• LESSON 2: We found many artifacts of fake technical support and communicated with the scammers undercover, i.e. "fishing with live bait"
• LESSON 3: We collaborated with the FBI to investigate and prevent a popular way of cashing out stolen cards